Sunday, October 30, 2016

OIM 11G R2 PS3 (11.1.2.3.0) Administration Guide - Doc Notes

Note:
Identity Auditor mode can be enabled after installing Oracle Identity Manager. See "Enabling Identity Audit" in Performing Self Service Tasks with Oracle Identity Manager for information about enabling the Identity Auditor mode.


Note:
Workflows can be disabled in all modes. However, certain features require workflows. See "Running Oracle Identity Manager Without Workflows" for information about disabling workflows and the impact of doing so on various Oracle Identity Manager features.

See "Configuring Auditing" for information about auditing.

Note:
Oracle recommends that you use REST services instead of SPML.

Note:
The application name, sysadmin, is case-sensitive.

----------------------------------------------- Administration Guide - Managing Workflows -----------------------------------------------

Note:
Approval policies have been deprecated in favour of workflow policies. Request generation and approval is governed by workflow policies, as described in this document.
However, if you have upgraded Oracle Identity Manager from an earlier release, then approval policies continue to work as described in the following URL:

https://docs.oracle.com/cd/E40329_01/admin.1112/e27149/appr_policies.htm#OMADM2264

Note:
The rules in Table 4-2 are only for backward compatibility. You must remove these and create your own rules.

Note:
The workflow rules listed in Table 4-3 are configured ahead (in terms of order) of the default rules listed in Table 4-2. Therefore, these rules would be evaluated before the default rules. See "Understanding Approval Workflow Rule Evaluation" for more information about workflow rule evaluation.
For example, the Assign Roles operation has two rules configured by default in the following order:

Assign Roles IdentityAuditorEnabled Rule
Assign Roles Default Rule
To determine the approval workflow to be initiated for an Assign Roles operation, the Assign Roles IdentityAuditorEnabled Rule is evaluated first. If that rule does not match (evaluates to false), then Assign Roles Default Rule is evaluated.

Note:
When multiple rule conditions are specified in an approval workflow policy, the order in which rules are evaluated is based on the order in which they are configured in the policy. The order cannot be changed after the rules have been created. Therefore, the rules must be created in the order in which you want them to be evaluated.

Note:
If you are aware of the exact object and attribute name, then you can enter the condition in the first field, for example requester.Organization Name, instead of clicking the search icon.

Note:
From any screen of the Condition Builder dialog box, you can click Start to come back to the first screen in which you can start specifying a fresh condition by selecting the object.


Note:
You can group only two conditions at a time. If you select more than two conditions, then the Group button is disabled. Conversely, the Ungroup button is enabled only when you select one of the conditions that is grouped, and it is disabled when you select more than one group.

A maximum of two conditions can be grouped together. Therefore, if you create a rule with four conditions that are grouped together with the AND operator, then the conditions are grouped into two sets. But if one of the conditions is grouped with the OR operator, then the rule is updated correctly.


Note:
When Risk attributes are used to define the conditions in a rule, for the rule to be evaluated correctly, the Risk Aggregation Job scheduled job must be run before the request is made.

For application instances, there is no mechanism to filter out the attributes. All the attributes for application instances are displayed in the Condition Builder with which a rule can be written. For roles, select the role name to display the list of attributes for the role entities. You can select the asterisk (*) wildcard character to display the list of attributes.


----------------------------------------------- Administration Guide - Managing Access Policies -----------------------------------------------

Note:
During an upgrade to Oracle Identity Manager 11g Release 2 (11.1.2.3.0), policies that had the Revoke if no longer applies option deselected are converted to Disable if no longer applies. Users associated with these policies will not be updated, but any future updates to the policy will result in the user being marked with a Disable if no longer applies flag.

Note:
If a resource is denied by an access policy, then the resource is always denied, even if a different policy provisions it. Denial of resources is irrespective of access policy priority: even if an access policy with lower priority denies a resource, the denial takes precedence over an access policy with higher priority that provisions it.


Note:
In 11g Release 2 (11.1.2.3.0), after the role is applicable to the user, you must run the Evaluate User Policies scheduled job to make access policy applicable.

Note:
Identity Audit policies (SoD) are not evaluated during the creation of an access policy.

The association of a role to an access policy is done as part of role management and not via the access policy UI.


Note:
The following special characters are not allowed in the access policy name:
Semicolon (;)

Hash (#)

Percentage (%)

Equal to (=)

Bar (|)

Plus (+)

Comma (,)

Forward slash (/)

Back slash (\)

Single quote (')

Double quote (")

Less than (<)

Greater than (>)


Note:
Oracle recommends that you do not specify policy defaults for passwords and encrypted attributes.

Note:
The Policy Owner Type and Policy Owner fields are displayed only if values for these fields have been specified, as described in step 5.

Note:
When you create an access policy on a resource having a process form with Password field, the password policy is not evaluated. For information about password policies, see .


Note:
You can change the Revoke if no longer applies and Disable if no longer applies options as a part of the access policy modification. See "Revoking or Disabling the Policy" and "Evaluating Policies" for information about the effects of changing these options in access policies.

The IT Resources field cannot be edited from the access policy details page.
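The deny-overrides behaviour (a deny wins regardless of policy priority) and the Revoke if no longer applies / Disable if no longer applies options described in the notes above, modelled as an added Python example; this is not code from the guide or from Oracle Identity Manager, and the policy names, roles, resources and the "1 is highest priority" convention are constructed.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Tuple


@dataclass(frozen=True)
class AccessPolicy:
    name: str
    priority: int                              # constructed convention: 1 is the highest priority
    roles: FrozenSet[str]                      # roles associated with the policy (via role management)
    provisions: FrozenSet[str]                 # resources the policy provisions
    denies: FrozenSet[str] = frozenset()       # resources the policy denies
    revoke_if_no_longer_applies: bool = True   # False models "Disable if no longer applies"


def applicable_policies(policies: Iterable[AccessPolicy],
                        user_roles: FrozenSet[str]) -> List[AccessPolicy]:
    """Policies that apply to the user through at least one role, highest priority first."""
    return sorted((p for p in policies if p.roles & user_roles), key=lambda p: p.priority)


def evaluate(policies: Iterable[AccessPolicy],
             user_roles: FrozenSet[str]) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (provisioned, denied) as resource -> name of the policy responsible.

    Denials are collected from every applicable policy first, so a low-priority
    deny still blocks a resource that a higher-priority policy would provision.
    """
    applicable = applicable_policies(policies, user_roles)

    denied: Dict[str, str] = {}
    for policy in applicable:
        for resource in policy.denies:
            denied.setdefault(resource, policy.name)

    provisioned: Dict[str, str] = {}
    for policy in applicable:                  # priority order: first provisioner gets the credit
        for resource in policy.provisions:
            if resource not in denied:
                provisioned.setdefault(resource, policy.name)
    return provisioned, denied


def reevaluate(policies: Iterable[AccessPolicy],
               old_roles: FrozenSet[str],
               new_roles: FrozenSet[str]) -> Dict[str, str]:
    """Simulate the Evaluate User Policies run after a role change.

    A resource whose provisioning policy no longer applies (and that no other
    applicable policy still provisions) is revoked or disabled according to the
    flag on the policy that originally provisioned it.
    """
    policies = list(policies)
    before, _ = evaluate(policies, old_roles)
    after, _ = evaluate(policies, new_roles)
    by_name = {p.name: p for p in policies}

    actions: Dict[str, str] = {}
    for resource, policy_name in before.items():
        if resource not in after:
            flag = by_name[policy_name].revoke_if_no_longer_applies
            actions[resource] = "revoke" if flag else "disable"
    return actions


# Constructed sample policies (not taken from the guide).
POLICIES = (
    AccessPolicy("Sales Policy", 1, frozenset({"Sales"}), frozenset({"CRM", "VPN"})),
    AccessPolicy("Contractor Policy", 5, frozenset({"Contractor"}), frozenset({"Email"}),
                 denies=frozenset({"VPN"}), revoke_if_no_longer_applies=False),
    AccessPolicy("Employee Policy", 10, frozenset({"Employee"}), frozenset({"Email", "Wiki"})),
)

if __name__ == "__main__":
    roles = frozenset({"Sales", "Contractor", "Employee"})
    provisioned, denied = evaluate(POLICIES, roles)
    print("provisioned:", provisioned)   # VPN is absent: denied by the lower-priority policy
    print("denied:", denied)
    print("after losing Sales and Contractor:",
          reevaluate(POLICIES, roles, frozenset({"Employee"})))
```

Email survives the second re-evaluation because Employee Policy still provisions it, which is why only CRM is acted on there.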


Note:
You must create a prepopulate adapter associated with the process form to generate the values for User ID so that unique values are generated for this field.

Note:
The process form default for ITResource must be displayed. By doing so, you can successfully provision an application instance via an access policy.


Note:
Account discriminator values that are different only in casing (for example, abc and aBc) are also treated as different values. With this data, two accounts are provisioned to the end user.


----------------------------------------------- Administration Guide - Managing Forms -----------------------------------------------

Note:
Before you start performing the procedures described in this section, it is recommended that you review the "Managing Sandboxes" section of Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager.


Note:
The Generate Entitlement Forms option is displayed only for complex entitlements. A complex entitlement is represented by a child object having at least two attributes, one of them marked as the Entitlement attribute.


Note:
If you have upgraded Oracle Identity Manager to release 11.1.2.2.0, then you must regenerate all the forms to use this feature.

----------------------------------------------- Administration Guide - Configuring Custom Attributes -----------------------------------------------


Note:
Before you start performing the procedures described in this section, it is recommended that you review the "Managing Sandboxes" section of Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager.


Note:
Do not use ParentAccountId as a form field name. ParentAccountId is used to store system information.


Note:
After you create a UDF for dependent lookups (a lookup field that is created with the Constrain list by parent field value selection option selected), you must set the partialTriggers property through WebCenter composer to refresh the values in the dependent lookup. To do so, see the procedure described in "Creating Cascaded LOVs".
If you create a UDF in the User Details page, then the UDF is recommended to be in read-only mode. If the UDF is of drop-down or checkbox type, then you must customize it to read-only mode explicitly. To do so:

In the User Details page, click Customize to open WebCenter Composer. The page opens in customization mode.

Click the drop-down or checkbox region to edit its properties. In the pop-up window, click Edit.

In the Component Properties window, select the Read Only checkbox and click OK.

Click Close to close the page in customization mode.

Do not add a drop-down UDF as outputText to a page if the value of the Meaning field has to be displayed.



Note:
You must ensure that the sandbox in which the application instance form (for which you are creating the child form) was created has been published. If it is not published, then you must perform the procedure described in this section in the same sandbox in which the application instance form was created.



Note:
Adding a custom attribute is always in relation to one of the following entities: User, Organization, Role, or Catalog.

When catalog UDFs are customized to show in the first page of the Create Role wizard, they are also shown in the summary page of the wizard. But when role UDFs are customized to show in first page of the Create Role wizard, they are not shown in the summary page of the wizard. The summary page must be separately customized for these role UDFs to be displayed.


Note:
After adding a UDF through the User form, log out of both Oracle Identity System Administration and Oracle Identity Self Service, and then log in again to be able to see the newly added UDF and use it for customization.


Note:
Adding VO as tables is not supported.


Note:
If two attribute labels are displayed for the same field, then add the attribute that does not end with __C.


Note:
You must ensure that the sandbox in which the application instance form (for which you are adding a custom child attribute) was created has been published. If it is not published, then you must perform the procedure described in this section in the same sandbox in which the application instance form was created.


Note:
Before you perform these procedures, ensure that you do not have any popup blockers enabled in your browser and that you have a supported Java Runtime Environment (JRE) installed in the browser. This is because the Deployment Manager uses a popup window and it requires JRE to be installed in the browser.


Note:
The sandbox exported here must be the same one that was used while creating and adding custom UDFs.

The sandbox must not have been published before exporting, because there is no way to export the published sandbox.

Note:
LDAP synchronization can be enabled during or any time after installing Oracle Identity Manager. See "Enabling LDAP Synchronization in Oracle Identity Manager" in the Oracle Fusion Middleware Integration Guide for Oracle Identity Management Suite for information about enabling postinstallation LDAP synchronization in Oracle Identity Manager.

While creating or modifying an attribute using Form Designer, provide a value for LDAP Attribute. This is the name of the LDAP attribute with which the user-defined field (UDF) is synchronized, and it is applicable only in an LDAP-sync-enabled environment.

If you are using an OUD LDAP directory, then the Oracle Identity Manager custom attribute name must not contain a space. OUD does not allow creating a custom attribute with a space in the attribute name.


Note:
In Oracle Identity Manager 11g Release 2 (11.1.2.3.0) or later, LOVs cannot be added on the Self-Registration Page.


Note:
For any LOV, the user details page displays the lookup code as the output text value. To display the LOV lookup value on the user details page, create a searchable picklist (ADF name input list of value), and then make it read-only.


Note:
Multiple documents can be set in the doc location while invoking operations exportMetaData or importMetaData.


----------------------------------------------- Administration Guide - Managing IT Resources  -----------------------------------------------

Note:
The IT resource type must be created before the IT resource can be created. The IT resource type can be created either by using the Design Console, or by importing the IT resource type using the Deployment Manager. See "IT Resources Type Definition Form" in Developing and Customizing Applications for Oracle Identity Manager for information about defining an IT resource type.


Note:
If you select Remote Manager from the IT Resource Type list, then you must not select a remote manager from the Remote Manager list.


Note:
You cannot modify the access permissions of the SYSTEM ADMINISTRATORS role. You can modify the access permissions of only other roles that you assign to the IT resource.


Note:
You cannot unassign the SYSTEM ADMINISTRATORS role. You can unassign only other roles that you assign to the IT resource.


Note:
If no errors are encountered, then the label of the button is Create, not Continue.


Note:
When you click Unassign, the administrative roles that you select are immediately unassigned from the IT resource. You are not prompted to confirm that you want to unassign the selected administrative roles.

You cannot unassign the SYSTEM ADMINISTRATORS role.


Note:
You cannot change the access permissions of the SYSTEM ADMINISTRATORS role.

Note:
Deleting IT resource instances soft-deletes the corresponding application instances.



----------------------------------------------- Administration Guide - Managing Generic Connectors  -----------------------------------------------

Note:
In an Oracle Identity Manager deployment that is integrated with Access Manager (OAM), the OIMSignatureAuthenticator authentication provider is not configured by default. If you use Oracle Identity Manager 9.x connectors, such as GTC, or if your custom code uses signature-based OIMClient login, then you must enable the OIMSignatureAuthenticator authentication provider.
For information about enabling OIMSignatureAuthenticator, see "OIMSignatureAuthenticator Not Configured for Oracle Identity Manager Domain Security Realm" in the Oracle Fusion Middleware Release Notes.


Note:
An error message is displayed if you specify a name that is the same as the name of an existing connector. However, an error message is not displayed if you specify a name that is the same as the name of an existing connector object. Therefore, you must ensure that the name you want to specify is not the same as the name of any existing connector object.



Note:
If you select the shared drive reconciliation transport provider, you must also select the CSV reconciliation format provider because all the parameters of this provider are bundled with the parameters of the shared drive reconciliation transport provider.


Note:
If you select the Trusted Source Reconciliation check box, the Provisioning region of the page is disabled. This is because you cannot provision to a target system that you designate as a trusted source. You can only reconcile data from a trusted source.


Note:
If you do not select the Reconciliation option on the previous page, these reconciliation-specific design parameters are not displayed on this page.


Note:
The Stop Reconciliation Threshold parameter is used during reconciliation only if you select validation providers on the Step 3: Modify Connector Configuration page.

If reconciliation is stopped because the actual percentage of failed records exceeds the specified percentage, the records that have already been reconciled into Oracle Identity Manager are not removed.



Note:
The Stop Threshold Minimum Records parameter is used during reconciliation only if you select validation providers on the Step 3: Modify Connector Configuration page.

You must specify a value for the Stop Threshold Minimum Records parameter if you specify a value for the Stop Reconciliation Threshold parameter.


Note:
The outcome of both full and incremental reconciliation is the same: target system records that are created or updated after the last reconciliation run are reconciled into Oracle Identity Manager.


Note:
If you want the source date format to be used in date validation, while performing the procedure described in "Adding or Editing Fields in Data Sets", you must:
Map date fields of the Source data sets to date fields of the reconciliation staging data sets.

Edit each date field of the reconciliation staging data sets and set its data type to the Date data type.


Note:
If you do not select the Provisioning option on the previous page, this provisioning-specific design parameter is not displayed.


Note:
If any value that you provide on this page is not correct, an error message is displayed at the top of the page after you click Continue. If this happens, fix the parameter value and click Continue again.



Note:
In the generic technology connector context, the term metadata detection refers to the process in which sample user data is read from the target system and the corresponding metadata (identity field names) is displayed on the Step 3: Modify Connector Configuration page.



Note:
If you select the Trusted Source Reconciliation option on the Step 1: Provide Basic Information Page, all the fields of the OIM - User data set are displayed and you cannot use the arrow icon to minimize the display.



Note:
Data set and field names that take up more than a certain amount of space are truncated and dots are displayed after the truncated part of the names. For example, the Deprovisioning Date field of the OIM - User data set is displayed as follows:
Deprovisioning Da..

To view the full name of a field, you can click the edit icon for that field or the field to which that field is mapped. In the pop-up window, the field name that you want to view is on either the first page or the second page, depending on the data set to which the field belongs.


Note:
Metadata detection does not take place if any of the following conditions are true:
Sample target system data (including metadata) is not available.

The transport and format providers that you select are not capable of detecting metadata from sample target system data.



Note:
These actions are described in detail in the procedure that follows this list. The procedure also describes the conditions that must be fulfilled before you can perform some of these actions.


Note:
Oracle Identity Manager can recognize date values fetched during reconciliation only if you set the Date data type for fields of the reconciliation staging data sets. In addition, if you have specified a value for the Source Date Format parameter on the Step 2: Specify Parameter Values page, you must map date fields of the Source data sets to the corresponding date fields of the reconciliation staging data sets.


Note:
The display of the GUI elements and pages described in the following steps depends on the data set in which you are adding or editing a field. For example, the Required and Encrypted check boxes are not displayed if you are adding or editing a field in a Source data set.


Note:
You must create matching-only mappings for both parent and child data sets.


Note:
If you select the Trusted Source Reconciliation check box on the Step 1: Provide Basic Information page, this check box (in selected or deselected state) is ignored. This is because the reconciliation of multivalued (child) data is not supported in trusted source reconciliation.


Note:
If you select the Encrypted and Password Field check boxes, see "Password-Like Fields" in Developing and Customizing Applications for Oracle Identity Manager for information about guidelines that you must follow.


Note:
If the destination field itself is the source field for another mapping, that mapping is not removed.



Note:
If you select the Trusted Source Reconciliation option on the Step 1: Provide Basic Information page, the OIM - Account data set and its child data sets are not created. Therefore, this page is not displayed if you select the Trusted Source Reconciliation option.


Note:
You cannot revisit this page, so ensure that the form names that you specify meet all the requirements before you click Continue.


Note:
If the creation process fails, objects that are created are not automatically deleted.

Note:
If you select only the Provisioning option on the Step 1: Provide Basic Information page, you can skip this section because you need not configure reconciliation.


Note:
The name of the scheduled task is in the following format:
GTC_Name_GTC

For example, if the name of the generic technology connector is WebConn, the name of the scheduled task is WebConn_GTC.


Note:
If you select only the Reconciliation option on the Step 1: Provide Basic Information page, you can skip this section because you need not configure provisioning.


Note:
To view a provisioned account in the new UI, the process form should have a field for IT resource. The value for this IT resource field should be populated during a reconciliation run.



Note:
The only difference between this procedure and the procedure that you follow to create a generic technology connector is that automatic metadata detection does not take place when you modify an existing generic technology connector.


Note:
These values are not copied into the connector XML file when you export it.


----------------------------------------------- Administration Guide - Managing Application Instances  -----------------------------------------------



Note:
If the request is coming from an authorizer, then it may not require approval, whereas a request coming from an end user needs approval by an approver.

Note:
To reconcile entitlements created in the target system into Oracle Identity Manager, you must first run the scheduled job for lookup field synchronization, and then run the Entitlement List scheduled job.


Note:
The Catalog Synchronization Job should be run preferably in Incremental mode so that changes, such as add, update, and delete, in base entity application instance and entitlements are synced to catalog DB.

Note:
An administrator user can publish an entity to any organization that the administrator can view. For example, an Entitlement Administrator can publish entitlements with administrative permissions to any organization on which the Entitlement Administrator has view permission.


Note:
If you are using Oracle Identity System Administration in French on Google Chrome web browser, the right arrow may be missing or truncated in the search panel of the Select Organizations dialog box. To fix this issue, verify the display language setting in Chrome and change it to French if necessary.


Note:
The Application Instance Post Delete Processing Job scheduled job can be run after deleting each application instance.

Note:
The Catalog Synchronization Job scheduled job run is independent of the Application Instance Post Delete Processing Job run. This means that the Catalog Synchronization Job scheduled job removes the soft-deleted application instances from the catalog even if Application Instance Post Delete Processing Job is not run after soft-deleting the application instances.

Catalog Synchronization Job should be run preferably in Incremental mode so that changes, such as add, update, and delete, in base entity application instance and entitlements are synced to catalog DB.


Note:
You cannot create forms directly. Before creating forms, you must create a sandbox and activate it. See "Managing Sandboxes" in the Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager for information about creating and activating a sandbox.

Note:
If you have upgraded Oracle Identity Manager to release 11.1.2.2.0, then you must regenerate all the forms to use this feature.

Note:
The BizEditorBundle.xlf file may not exist in MDS. If it does not exist, then create a new one, but the path must be the same.

Note:
If you are using the SAP User Management connector release 9.x with this release of Oracle Identity Manager, then perform the following steps for the Roles and Profiles entitlements to work correctly:
In the Role Child Form, from the Role System Name field, remove the Entitlement and Required properties.

In the Profiles Child Form, from the Profile System Name field, remove the Entitlement and Required properties.


Note:
If you use a predefined connector to integrate the target system, then you can use scheduled tasks to fetch entitlement data into this table.


Note:
You must mark the entitlement attribute in each child process form to enable the process described in these steps. The procedure is described later in this chapter.

Make sure that the parent form has the latest child form version. This does not happen automatically when you create, edit, and activate the child form without doing the same with the parent form. The Entitlement field can be marked from the Form Designer, which takes care of activating the parent and child forms.

Note:
Oracle recommends configuring both the entitlement attribute and the key attribute for the child data in reconciliation field mappings to enable effective duplicate entitlement or child data validation.

Note:
In-flight requests that have references to soft-deleted Entitlements will fail.

Access policies that reference deleted entitlements should be manually updated to remove them.


Note:
The Mode flag must be set to Delete, not Revoke, when you want to compensate for the post-deletion of the entitlements. If entitlements that are deleted from the backend through the Design Console should also be removed from the request details, and the Grant task and the Revoke task should not appear in the user's inbox, then you must run the Entitlement Post Delete Processing Job scheduled job with the Mode flag set to Delete.


Note:
These triggers are created by the Entitlement Assignments scheduled task.


Note:
You must be a member of the ADMINISTRATORS group to be able to view these reports.

Duplicate assignments of the same entitlement to a particular user are suppressed in the reports because they are not copied to the ENT_ tables. For example, if user John Doe has been assigned the Sales Superintendent role twice on a target system, then the reports show only one instance of this entitlement.

Note:
You must create a new sandbox before creating the application instance. You must publish the sandbox after creating the application instance. See "Managing Sandboxes" in the Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager for information about creating and publishing a sandbox.


Note:
IT resource type definition parameters are for future use, and their values need not be set.

Note:
You must not select the Disconnected option, as this will create artifacts including the resource object and IT resource in the backend.

Note:
The "<FORM_NAME> Updated" task is inserted irrespective of whether updates are to a single process form field or to multiple process form fields. This behavior is different from that of a connected resource. In addition, note that the individual process form field update tasks need not be configured for a disconnected resource.


Note:
Before creating child forms, create and activate a sandbox.

Note:
You must select the Searchable, Entitlement, and Searchable Picklist check boxes to create an entitlement field on the child form.

Note:
Customization of the provisioning process is not supported, but you can customize the Disconnected Provisioning Composite.

Note:
You must install the version of JDeveloper that is compatible with the Oracle Identity Manager deployment. In addition, install any patches for JDeveloper so that JDeveloper works correctly with the SOA composites.

----------------------------------------------- Administration Guide - Managing Connector Lifecycle -----------------------------------------------


Note:
Upgrading a connector preserves the existing customizations in the connector.


Note:
Uninstalling a connector is performed in the development environment and not in the production environment.


Note:
Some of the preceding terms can be combined to provide a shortened description of the type of connector that is under discussion. For example, a custom source release is a connector that you had created, customized, or reconfigured and now want to upgrade to a target release.


Note:
In this release of Oracle Identity Manager, connector lifecycle management functionality has been introduced, such as defining, cloning, upgrading, and uninstalling connectors. For all these features, the complete connector DM-XML is required in the database, and this is the source for all the connector lifecycle management activities.
When Oracle Identity Manager is upgraded from earlier releases, such as Release 9.1.x or 11g Release 1 (11.1.1.5), to 11g Release 2 (11.1.2.3.0), you must define the connector so that all the lifecycle management operations on the connector can be performed. Without defining the connector, it is not possible to search for the installed connector, upgrade the installed connector, clone the connector, or uninstall the connector. See "Defining Connectors" for information about defining connectors.



Note:
To determine whether you can install an Oracle-released connector by using the Install Connectors feature, see the connector guide.


Note:
You manually perform the remaining tasks. Connector documentation provides instructions.


Note:
Re-installing a connector is not supported. You cannot install a connector version that had already been installed in Oracle Identity Manager. However, if the installation process is not successful, Oracle Identity Manager allows you to reinstall the connector.

Before installing a connector, create a backup of your environment. This is because, if the installation fails, then the connector cannot be uninstalled. There is no solution for reverting the environment to the previous state or finalizing the connector install.


Note:
The Install progress screens might flash and show a blank page. This does not have any impact on functionality and can be ignored.


Note:
There are no prerequisites for some connectors.

Note:
You must add only those Oracle Identity Manager artifacts that are specific to the connector; do not add default objects or any other connector objects that are shared across connectors. The defined XML is the source for lifecycle operations such as upgrade, clone, and uninstall, so if an object that is shared across connectors, or that is a default Oracle Identity Manager object, is included in the definition, the result is unintended behavior. For example, if a Lookup Definition that exists in Oracle Identity Manager by default is added as part of the definition, then the clone operation creates another, unneeded copy of that object, and the uninstall operation deletes the default object from Oracle Identity Manager because it is defined as specific to the connector. Such an incorrect definition affects Oracle Identity Manager functionality. Therefore, be careful when adding objects while defining a connector.


Note:
You can define the connector XML definitions in the form of an XML file. See the "Exporting Connector Object Definitions in Connector XML Format" section of the connector guide for more information. You can then use this connector XML file to build the installation package for installing the connector on a different Oracle Identity Manager installation.

Oracle recommends defining a connector immediately after customizing the connector or updating the DM XML file with the customization changes.

Note:
You can continue to use a connector without defining it after you customize or reconfigure a connector or after you upgrade Oracle Identity Manager. However, if you want to upgrade, clone, or uninstall the connector, then you must first define it.


Note:
To determine whether you can define a particular release of a connector by using the Oracle Identity System Administration, see the documentation for that release of the connector.


Note:
For an Oracle-released connector, the adapters that are part of the connector are listed in the connector guide. Select the check boxes for those adapters.


Note:
Make sure that you have added all the Oracle Identity Manager connector objects specific to the connector being defined. If a connector object is missing from the definition, then upgrade, clone, or uninstall may not handle the undefined object.
The following are Oracle Identity Manager artifacts that are generally associated with almost all the connectors:

Resource objects
Event handlers
Process forms
IT resources
Data object definitions
Prepopulate adapters
Processes
IT resource type definitions
Task adapters
Lookups
Scheduled tasks


Note:
In this guide, the term Clone Connectors feature refers to the set of Oracle Identity Self Service pages that you can use to clone connectors.

Note:
Oracle Identity Manager offers a different feature for using a single connector to integrate:
Multiple installations of a particular target system with Oracle Identity Manager

A target system that stores data about multiple user types (for example, employee and contractor) and requires Oracle Identity Manager to provide a different resource object for each user type

See the connector guide for information about how to use access policies to create resource objects for different user types on a particular target system.


Note:
You can install the clone connector on either the same or a different Oracle Identity Manager installation.


Note:
Connector lifecycle management does not support the upgrade of a trusted connector if the source connector uses the Xellerate User resource object for trusted source configuration. Therefore, you must manually upgrade the connector. Contact Oracle Support for more information.

Connector lifecycle management does not support the upgrade of a connector from the target mode (source version) to the trusted mode (target version). Similarly, upgrading from trusted mode to the target mode is also not supported.


Note:
An upgrade operation works on only the active version of the process form. No changes are made to earlier versions.

The existing process form cannot be renamed.

Note:
Existing lookup definitions are not deleted during an upgrade operation.


Note:
Existing adapters are not deleted during an upgrade operation.


Note:
The procedure explained in this chapter is based on the best practice of first performing the upgrade in a test or development environment. All functional use cases must be tested before applying the upgrade to the production server. Wizard mode upgrade should not be used in production; only silent mode should be used on the production server.


Note:
Keep the SOA server running during the upgrade process.

Note:
You need to perform preupgrade and post upgrade steps while performing wizard mode upgrade.

Note:
Set APP_SERVER, OIM_ORACLE_HOME, JAVA_HOME, MW_HOME, WL_HOME, and DOMAIN_HOME before running the scripts.

Note:
There is only one XML file for both trusted source reconciliation and target resource reconciliation for all the ICF-based connectors. If you have more than one XML file, that is, one for trusted source reconciliation and another for target resource reconciliation, then you need to select the XML file for target resource reconciliation. Refer to the connector guide (CI-XML) for the XML file name.


Note:
If you are upgrading from an Oracle-released source connector to an Oracle-released target connector, then see the connector guide for information about the mappings that you must create.


Note:
If the Connector Management - Upgrading wizard is opened by using Microsoft Internet Explorer, then all the fields and buttons on the Step 13: Select Connector Objects to Be Upgraded page might not be visible. There is no scroll bar available in the page. Therefore, maximize the window to display all the controls in the page.

Note:
For an Oracle-released connector, see the connector guide for information about the changes to be made.

Note:
If the upgrade fails, then perform the following steps:
Look at the exception and take suitable action.
Restore the Oracle Identity Manager database and MDS.
Proceed for the upgrade.

Note:
You need to perform preupgrade and post upgrade steps while performing silent mode upgrade.


Note:
Before running this utility, set APP_SERVER, OIM_ORACLE_HOME, JAVA_HOME, MW_HOME, WL_HOME, and DOMAIN_HOME.


Note:
Repeat the procedure for all the prepopulated fields of all the process forms of the connector. If there are any entity adapters, then check the adapter variable mappings for these adapters in Data Object Manager.

Note:
Before running the uninstall utility:
You cannot delete data that is already archived.

You must ensure that you have the latest Oracle Identity Manager schema and MDS backup, which will help you restore if the uninstall utility does not complete successfully.

You must ensure that your UNDO tablespace is sized properly. This is required if your development/test environment has a significant amount of data to be deleted.

Note:
If the uninstall utility fails with errors, then check the ConnectorUninstall.log and ConnectorUninstall_Error.log and take suitable action. Then, run the uninstall utility again.

Note:
Before running this utility uninstallConnector, set APP_SERVER, OIM_ORACLE_HOME, JAVA_HOME, MW_HOME, WL_HOME, and DOMAIN_HOME.


-----------------------------------------Managing Reconciliation------------------------------------------------------------


Note:
If the user login is not passed for trusted reconciliation, then the login handler generates the user login. The password is generated in a postprocessing event handler, and a notification is sent for it.


Note:
A reconciliation connector is a component developed to reconcile identities or accounts from a specific target system. Typically, a reconciliation connector is configured to be run as a scheduled task. However, there are push-based connectors, such as the PeopleSoft HR connector, for which there is no scheduled task to trigger the reconciliation.


Note:
When the value of the XL.UserProfileAuditDataCollection property is set to an audit data collection level, then the account reconciliation performs the matching in the database layer at a batch-level and performs the event action by using the provisioning APIs. This in turn triggers the audit event handlers for account reconciliation. By default, the value of this property is set to Resource Form. See "Administering System Properties" for information about system properties in Oracle Identity Manager in the Oracle Fusion Middleware Administering Oracle Identity Manager.

Note:
If you create an entity on an external system and then modify it a short time later, reconciliation processes the create entity step, but the modify entity step fails with the Creation Failed event status. This is because reconciliation cannot process a create and a modify action for the same entity in the same batch process.
However, the entity modification action can be resubmitted for reconciliation at a later time by one of the following built-in mechanisms:

The "Automated Retry of Failed Async Task" scheduled task will run to re-process the failed events without any manual intervention.

The failed event is re-processed if the "Manual Retry Error Handling Mechanism" is triggered.

Reconciliation failure messages that are caused by processing conflicts within the same batch process should be regarded as transitory failures only.


Note:
Reconciliation service refers to the collection of reconciliation engine, reconciliation APIs, and the associated metadata and schema.


Note:
The actions on the event can be manually performed through the UI, or they can be automatic actions.

Note:
You can also create the reconciliation events directly by using the reconciliation APIs.

Note:
The mode of reconciliation depends on the connector implementation. For information about connector implementation, see "Connector for Reconciliation" in the Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager.


Note:
In simple search, you cannot perform the search by event dates.

Note:
Simple Search is paginated, meaning it only displays search results 64 rows at a time. This is to improve performance. Scrolling down past the 64th row in the UI triggers another page fetched from the database and so on for every 64 rows beyond that.

Note:
Oracle Identity Manager does not support translation of the reconciliation field names.


Note:
The preprocess validation lists the events that are valid and those that are invalid for re-evaluation. If you click Reevaluate, then only the valid events are re-evaluated.

All event actions are tracked in the Event History table.


Note:
If closing an event is not a valid option, then an error message is displayed in the Close Event dialog box.

Note:
All event actions are tracked in the Event History table.

The close event operation needs a justification to be entered. Therefore, when multiple events are closed at a time by performing bulk action, all the closed events will have the same justification.

Note:
In manual linking, you select a match from a list of matches found by the reconciliation engine instead of selecting from a list of all Oracle Identity Manager users.

------------------------------------- Managing the Access Request Catalog---------------------------------------------

Note:
You cannot leave the Category field blank for a catalog item. Therefore, you must ensure that a value is present for the category.

Note:
The Catalog System Administrator must have the System Configuration Administrator admin role for running the Catalog Synchronization Job.

Note:
The Job entitlement list loader should be executed before the Catalog Synchronization Job scheduled job.

Note:
If a new custom attribute (UDF) is made Searchable, it is recommended to create a normal index on the database column of the custom attribute for optimal search performance. You can find the database columns of custom attributes in the CATALOG table of the Oracle Identity Manager schema.

Note:
If this is the first time harvesting, then you should set the parameter to Full.

If the Mode parameter is Incremental, then the scheduled task picks up for processing only those entities whose create date (for newly created entities) or update date (for updated entities) is later than the value of the Update Date parameter.

Note:
If you are running the job for the first time and the Mode is set to Full, then you must not provide any value in the Update Date parameter.


Note:
Name, Display Name, and Description cannot be edited on the catalog screen. These are base-level attributes and cannot be edited from the Catalog UI.
When editing a Catalog Item, for list of values (LOV) type of fields, it is recommended to select and specify values by picking from the associated lists, instead of typing the values into the fields directly.

Note:
Auditing takes place only for those entities that can be modified through the Catalog UI. Audit does not happen for entities that are modified in the catalog through synchronization. In addition, auditing is not supported for User Defined Tags.


Note:
The child entitlements are not requestable in the access catalog. The hierarchical entitlements feature is meant for display purpose only.

Note:
Catalog Synchronization Job and Access Request Catalog should be down when these one-time optimizations are applied.


Note:
The text index optimization can be done while the server is up and searches of the Access Request Catalog are taking place.

Note:
In the request catalog, only a String type of UDF can be created. If you mark that attribute as a searchable attribute, it is of size 256 characters. If it is not a searchable attribute, then it is of size 2000 characters. You cannot change a non-searchable attribute to searchable.

Note:
In scenarios where you need to switch between the Self Service (or Identity) and System Administration consoles and the Oracle Identity Manager 11g R2 deployment is not protected by Single Sign On, you must log out of one console before logging in to another.

Note:
Make sure that you do not have any popup blockers enabled in your browser and that you have a supported Java Runtime Environment (JRE) installed in the browser. This is because the Deployment Manager uses a popup window and it requires JRE to be installed in the browser.

Note:
Perform the following optional steps as a best practice:
Backup/Check-in the sandbox zip file and the Deployment Manager XML as a single file into a source code control system like Subversion, SourceSafe, and so on.

Repeat the steps above in the target (Production) environment and backup the Catalog entity and the Catalog UI.




Note:
The Harvesting job picks up the data for harvesting on the basis of the Update Date parameter. If the Update Date is blank, then all the records are fetched for processing. However, if the user has specified a date in the Update Date parameter, only the data that is created or updated after the given date is processed.


Note:
The Oracle Identity Manager Roles role category is meant for Oracle Identity Manager usage only. Customers should not use this category for their enterprise Roles.


Note:
The search criteria for the Catalog API's findCatalog method support only the AND conjunction operator.

------------------------14 Managing Home Organization Policy-----------------------------------------------------


IF user.User Login Equals $(user.User Login) THEN organization equals "Xellerate Users"

IF user.Nickname Starts with "Test" THEN organization equals "testOrg2"


IF user.Nickname Starts with "Test" AND user.Display Name Ends with "User" THEN organization equals "testOrg3"


Note:
This list varies based on the type of attribute. The list above is for text type. Number type attributes can have values Greater than, Lesser than and so on.


-------------------------15 Managing Self Service Capability Policy---------------------------------------------

If user.Role Equal Contractor THEN capability Equal selfModifyUser


If user.Role Equal Full-time AND user.Department Number Equal Sales
THEN
capability Equal addSelfRoles
AND
capability Equal selfModifyUser


If user.Role Equal Full-time AND user.Country Not Equal USA
THEN
capability Equal selfModifyUser
AND
deniedAttribute Equal Middle Name



Note:
This list varies based on the type of attribute. The list above is for text type. Number type attributes can have values Greater than, Lesser than and so on.


Note:
This field is case sensitive.


Note:
Mandatory attributes and System generated attributes like Status, Display name, User Login and so on cannot be included in denied attributes list.

When denied attributes are specified, the user will not be able to view or modify those attributes.
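As an added example (not from the Oracle documentation), the three capability policy rules shown above expressed as data and evaluated against a user's attributes, together with the check that denied attributes never include the mandatory or system-generated attributes named in the note. The merge behaviour (every matching rule contributes) and the PROTECTED_ATTRIBUTES set are assumptions for illustration; the product's own evaluation order is not stated on this page.

```python
"""Self service capability policy evaluation (added illustration, not OIM code)."""
from dataclasses import dataclass, field

# Attributes the page says can never be placed in the denied list. The real
# mandatory/system-generated set in OIM is larger; this is an assumption.
PROTECTED_ATTRIBUTES = {"Status", "Display Name", "User Login"}

# Operators shown on the page for text attributes. Operator names and values
# are case sensitive, as the page notes.
OPERATORS = {
    "Equal": lambda actual, expected: actual == expected,
    "Not Equal": lambda actual, expected: actual != expected,
    "Starts with": lambda actual, expected: actual.startswith(expected),
    "Ends with": lambda actual, expected: actual.endswith(expected),
}


@dataclass
class Condition:
    attribute: str  # user attribute name, e.g. "Role"
    operator: str   # key of OPERATORS
    value: str

    def matches(self, user):
        actual = user.get(self.attribute)
        if actual is None:           # missing attribute never satisfies a condition
            return False
        return OPERATORS[self.operator](str(actual), self.value)


@dataclass
class CapabilityRule:
    conditions: list                         # all conditions must hold (AND)
    capabilities: set = field(default_factory=set)
    denied_attributes: set = field(default_factory=set)

    def validate(self):
        """Reject a rule that tries to deny a mandatory or system attribute."""
        bad = self.denied_attributes & PROTECTED_ATTRIBUTES
        if bad:
            raise ValueError(f"cannot deny mandatory/system attributes: {sorted(bad)}")

    def matches(self, user):
        return all(c.matches(user) for c in self.conditions)


def evaluate(rules, user):
    """Return (capabilities, denied_attributes) granted to this user.

    Assumption: every matching rule contributes and the results are unioned.
    """
    capabilities, denied = set(), set()
    for rule in rules:
        rule.validate()
        if rule.matches(user):
            capabilities |= rule.capabilities
            denied |= rule.denied_attributes
    return capabilities, denied


def profile_view(user, denied_attributes):
    """The user's profile with denied attributes removed (not viewable)."""
    return {k: v for k, v in user.items() if k not in denied_attributes}


# The three rules from the page, as data.
RULES = [
    CapabilityRule([Condition("Role", "Equal", "Contractor")],
                   {"selfModifyUser"}),
    CapabilityRule([Condition("Role", "Equal", "Full-time"),
                    Condition("Department Number", "Equal", "Sales")],
                   {"addSelfRoles", "selfModifyUser"}),
    CapabilityRule([Condition("Role", "Equal", "Full-time"),
                    Condition("Country", "Not Equal", "USA")],
                   {"selfModifyUser"}, {"Middle Name"}),
]

if __name__ == "__main__":
    # Constructed sample user
    sample = {"User Login": "jdoe", "Role": "Full-time", "Country": "Germany",
              "Department Number": "Sales", "Middle Name": "Q"}
    caps, denied = evaluate(RULES, sample)
    print("capabilities:", sorted(caps))
    print("denied:", sorted(denied))
    print("visible profile:", profile_view(sample, denied))
```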






-----------------------------------------------16 Managing Lookups--------------------------------------


Note:
Meaning is the decoded value, and Code is the encoded value. The value in the Meaning field is a human-readable description of the field. The value in the Code field is the actual code value that is used for provisioning. For example, the decoded value can be an LDAP group name, and the encoded value is the LDAP group GUID.

Note:
To specify the search criteria, you can use the percent (%) wildcard character.

Note:
There are multiple ways in which lookups are used. One way is to populate some form with data via the lookup icon on some process form to provision to a target system. Many lookups, such as lookups for most connectors, contain some configuration information. These lookups do not honor the checkbox in the Disabled column and assume that all configuration settings are valid.
Task triggering based on lookup.usr_process_triggers does not take into account or depend upon the enabling or disabling of a lookup value. If an entry is made into the lookup and the corresponding task is defined, then the task is triggered.

To work around this, either change the task name in the process definition or change the task name value at the lookup definition level. Oracle recommends changing the value at the lookup definition level as the better approach.


Note:
The PurgeCache utility must be run after updating a lookup definition; otherwise, you must re-save the lookup UDF in a sandbox before the new lookup values can be used. This also applies to predefined fields and their lookup definitions. Therefore, the PurgeCache utility must be run to purge the cache for all categories.
See Oracle Fusion Middleware Performance and Tuning Guide for information about purging the cache.


----------------------------------------17 Managing Role Categories-------------------------------------------


Note:
The default role categories cannot be localized.

--------------------------------------18 Managing the Scheduler-------------------------------------------------

Note:
You can add new configurable child elements. For the information about new child elements, refer to the following URL:
http://www.quartz-scheduler.org/

Note:
You need to have the Scheduler Admin role to start or stop the scheduler.

In a clustered environment, you must perform this procedure on each node of the cluster.


Note:
After modifying the scheduler.disabled system property, you must start the Managed Server by using the Node Manager.

Note:
The procedure described in this section assumes that the XML file for the scheduled task, which contains the job description, is available in the OIM_HOME/metadata/file directory.


Note:
For all the schedule types, if you want the job to be saved and run immediately, then click Save and Run Now.
A message confirming that the job has been successfully created and triggered is displayed.

Note:
No value is displayed in this field if the Schedule Type is No pre-defined schedule.


Note:
If you want to run the job, then click the job name in the first column of the search results table and then click Run Now. After you click Run Now, you need not perform the rest of the steps in this procedure. However, if you want to modify the job and then run it, then perform the next step and click Run Now.


Note:
By default, the status of all jobs is STOPPED unless a job is running.


--------------------------------19 Managing Notification Service---------------------------------------------------


Note:
You can find the oracle.wsm.security map as follows:
In Oracle Enterprise Manager, expand WebLogic Domain.

Right-click the base domain, and select Security, Credentials. The Credentials page is displayed.

In the Credential column, expand the oracle.wsm.security map.

Note:
For more details on configuring UMS to connect to a mail server with SSL, see "Configuring Oracle User Messaging Service" in the Oracle Fusion Middleware Administrator's Guide for Oracle SOA Suite and Oracle Business Process Management Suite.


Note:
Corresponding to each event that happens, you have to configure an XML file. The XML file defines the behavior of each event. You must first configure the XML for an event. After this is done, you can create a notification template for that event.
For information about creating the event XML file, see "Defining Event Metadata" in the Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager.


Note:
The Description Text field cannot be translated and is available only in English.

Note:
The Default Locale information is stored in the PTY table and is fetched from there.

Note:
Notification can be sent in all the locales that are added to the notification template. A user receives notification in the same locale specified in the user preferences. If a locale is not specified in the user preferences, then the notification is sent in the default locale. The default locale is to be specified in the PTY table in Oracle Identity Manager database at the time of installation.


Note:
You must not remove the default locale. It ensures that a notification is sent whenever no user-preferred locale is set, or when the notification template does not contain a locale template matching the user-preferred locale.


Note:
If you successfully added the proxy, you (John Doe in this case) will receive an email notification message similar to the following:
"You have been made the proxy for Jane Doe [JANED] from April 9, 2012 12:00:00 AM to April 30, 2010 12:00:00 AM".


Note:
Save a local copy of the EventHandlers.xml (/metadata/iam-features-selfservice/event-definition/EventHandlers.xml file ) for future reference.

------------------------------------20 Configuring Oracle Identity Manager------------------------------------------


Note:
In this release of Oracle Identity Manager, the XL.MAXLOGINATTEMPTS and XL.MAXPASSWORDRESETATTEMPTS system properties have been removed.
The function of the XL.MAXLOGINATTEMPTS system property has been replaced with the Maximum Incorrect Login attempts counter field in the password policy details page. The function of the XL.MAXPASSWORDRESETATTEMPTS system property has been replaced with the Lock User After Attempts field in the Challenge Options section of the password policy details page. For information about these fields, see "Managing Password Policies" in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Manager.

Note:
It is imperative to de-provision all accounts associated with a deleted user. If you create a new user with the same user name as that of the deleted user by setting the XL.UserIDReuse property to TRUE, then the new user might get access to offline accounts of the deleted user that were not deleted as part of the de-provisioning process.


-----------------------------------21 Moving From Test to Production-------------------------------------------------


Note:
Movement scripts support only Oracle WebLogic Application Server, and full T2P of Oracle Identity Manager on other application servers is not supported.


Note:
In addition to the Deployment Manager, you can use the sandbox feature to migrate configurations and customizations from one deployment to another. See "Managing Sandboxes" in Developing and Customizing Applications for Oracle Identity Manager for information about working with sandboxes.

Note:
Importing and exporting deployments by using the Deployment Manager can only be performed by the System Administrator.

Note:
On the source, the following artifacts that are being exported might contain references to specific users, roles, application instances, entitlements, or organizations:

Certification definitions
Policies
Identity Audit configurations
Identity Audit scan definitions
These specific references are scrubbed while exporting the artifacts and then importing them on the target setup. On the target, the artifact must be opened and updated to select these entities on the target. The artifacts cannot be used unless they are updated, and using them without updating results in errors. Any artifact that is generic and does not contain specific references can be used as it is after importing. For example, the remediator name for an Identity Audit policy is scrubbed during export and must be reselected in the target environment.

All rules other than Identity Audit Rules are exported and imported implicitly with their policy by using Policy export/import and cannot be exported/imported independently because their existence is with their policy only.


Note:
Application instances are exported and imported without the datasets. The datasets are migrated as a part of UI customization.


Note:
When user-defined fields are associated with a specific resource object, during the export process one of the following events can occur:
If the user-defined fields contain values (entered information), then the Deployment Manager will consider them to be dependencies.

If the user-defined fields contain no values (the fields are blank), then the Deployment Manager will not consider them to be dependencies.


Note:
To open the Deployment Manager by using Mozilla Firefox Web browser, an additional authentication dialog box might be displayed. Providing authentication in this dialog box allows access to the Deployment Manager. To avoid this additional authentication:

In Mozilla Firefox Web browser, from the Tools menu, select Options. The Options dialog box is displayed.

Click Privacy.

Select the Accept third-party cookies option.

Click OK.

The additional authentication is not required when the Deployment Manager is opened by using Microsoft Internet Explorer, Google Chrome, and Apple Safari web browsers.

Apple Safari web browser overrides the applet security settings to impose restrictions on unsafe behavior, which stops any file reads/writes by applets. Therefore, run the applet in unsafe mode.


Note:
If a user belongs to a group to which the Import menu item has been assigned, then that user must also have the necessary permissions for the objects that the user wants to import. Without these object-specific permissions, the Import operation fails. The user must be a Deployment Manager Administrator to be able to see Deployment Manager menu items on the UI, based on the menu permissioning model.

When more than 1000 resources, process definitions, parent forms, child forms, access policies, roles, and rules are imported by using the Deployment Manager, the size of the EIF table increases. The data can be truncated from this table by running a simple SQL query such as Delete from EIF.


Note:
Before importing data that contains references to menu items, you must first create the menu items in the target system.




Note:
When you export a resource, groups with Data Object permissions on that form are not exported with the resource.

Note:
When you import forms and user-defined fields, you add entries to the database. These database entries cannot be rolled back or deleted. Before each import operation, ensure that the correct form version is active.


Note:
When exporting/importing large volumes of data, timeouts can occur in the UI.


Note:
Before proceeding with migrating a source Oracle Identity Manager setup to a target setup, you can refer to "Limitations in Moving from Test to Production" in the Oracle Fusion Middleware Release Notes for information about the limitations and known issues related to moving from test to production. In addition, see "Troubleshooting Movement From Test to Production Environment Using Movement Scripts" for information about the issues that you might encounter while migrating a source Oracle Identity Manager setup and the possible solutions.
For information about troubleshooting T2P issues applicable to an upgraded environment, see rows 6, 7, and 8 in Table 21-3, "Troubleshooting Movement From Test to Production Environment Using Movement Scripts".





Note:
On Microsoft Windows, run the commands with .cmd extension, such as copyBinary.cmd and pasteBinary.cmd. For example, the copyBinary script is ORACLE_COMMON_HOME/bin/copyBinary.sh for UNIX and ORACLE_COMMON_HOME/bin/copyBinary.cmd for Microsoft Windows.

Some arguments might be invalid for the Windows operating system. For example, the -ipl PATH_TO_ORACLE_INVENTORY_POINTER argument does not work on Windows.

This document provides the syntax for running the copyBinary, copyConfig, extractMovePlan, and pasteBinary scripts. For detailed information about these scripts, parameters, and example usages, see "Using the Movement Scripts" in the Oracle Fusion Middleware Administrator's Guide.

Note:
While editing the moveplan, provide the listen address of the target in the Oracle Identity Manager Managed Server details.

The datasource JDBC URL coming from the source into the moveplan can be either in SID format, which is "jdbc:oracle:thin:@HOST:PORT:SID", or in service name format, which is "jdbc:oracle:thin:@HOST:PORT/SERVICE_NAME". However, you must always provide the JDBC URL in the datasource details in the service name format.
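The following Python is an added example, not part of Oracle's movement scripts: it classifies the datasource JDBC URLs that arrive in a move plan as SID or service-name format and rewrites SID-format URLs into the service-name format the move plan requires, using an administrator-supplied SID-to-service-name map. The datasource names, hosts and the map are constructed placeholders.

```python
"""Check and normalize Oracle thin JDBC URLs for a move plan (added illustration)."""
import re

# URL shapes for the Oracle thin driver: SID format, and service-name format
# with or without the optional "//" before the host.
_SID_RE = re.compile(
    r"^jdbc:oracle:thin:@(?P<host>[^:/@]+):(?P<port>\d+):(?P<name>[^:/]+)$")
_SERVICE_RE = re.compile(
    r"^jdbc:oracle:thin:@(?://)?(?P<host>[^:/@]+):(?P<port>\d+)/(?P<name>[^:/]+)$")


def classify_jdbc_url(url):
    """Return (kind, host, port, name) where kind is 'sid' or 'service'."""
    for kind, pattern in (("sid", _SID_RE), ("service", _SERVICE_RE)):
        m = pattern.match(url.strip())
        if m:
            return kind, m["host"], int(m["port"]), m["name"]
    raise ValueError(f"not an Oracle thin JDBC URL: {url!r}")


def to_service_name_url(url, sid_to_service):
    """Return the URL in service-name format, as the move plan requires.

    A SID cannot be turned into a service name automatically, so SID-format
    URLs are rewritten only when the administrator has mapped that SID;
    an unmapped SID is reported as an error rather than guessed.
    """
    kind, host, port, name = classify_jdbc_url(url)
    if kind == "service":
        return f"jdbc:oracle:thin:@{host}:{port}/{name}"
    if name not in sid_to_service:
        raise ValueError(f"no service name mapped for SID {name!r} in {url!r}")
    return f"jdbc:oracle:thin:@{host}:{port}/{sid_to_service[name]}"


def fix_datasource_urls(datasources, sid_to_service):
    """Return (fixed, problems): corrected URLs and per-datasource error text."""
    fixed, problems = {}, {}
    for ds_name, url in datasources.items():
        try:
            fixed[ds_name] = to_service_name_url(url, sid_to_service)
        except ValueError as exc:
            problems[ds_name] = str(exc)
    return fixed, problems


# Constructed sample: URLs as they might come from a source environment, and
# the SID -> service-name map an administrator supplies (placeholders).
SAMPLE_DATASOURCES = {
    "oimOperationsDB": "jdbc:oracle:thin:@srcdb.example.com:1521:OIMSID",
    "soaDataSource": "jdbc:oracle:thin:@//srcdb.example.com:1521/soa.example.com",
    "customDS": "jdbc:oracle:thin:@srcdb.example.com:1521:UNKNOWN",
}
SAMPLE_SID_MAP = {"OIMSID": "oim.example.com"}

if __name__ == "__main__":
    fixed, problems = fix_datasource_urls(SAMPLE_DATASOURCES, SAMPLE_SID_MAP)
    for name, url in fixed.items():
        print(f"{name}: {url}")
    for name, why in problems.items():
        print(f"{name}: NEEDS ATTENTION - {why}")
```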


Note:
You might need to change the permissions on the TARGET_MIDDLEWARE_HOME and the target directory on which the JAR has been placed.

Provide consistent directory paths for each of the parameters. For example, if you are using absolute path for MIDDLEWARE_HOME, then specify this path in the same way at all places.


---------------------------------22 Configuring Auditing-----------------------------------------------


Note:
When you change a role name by using Oracle Identity Self Service, the User Profile Audit (UPA) tables in the database are not updated with the change until the next snapshot of the user.


Note:
The initial audit snapshots for the default users in Oracle Identity Manager are not UTF-8 encoded. However, audits of subsequent modifications to these users have UTF-8 encoded snapshots.

Note:
For more information about the User Profile Audits tables, such as column names and how to use them, refer to the schema documentation provided with Oracle Identity Manager.

Note:
The UPA_UD_FORMS and UPA_UD_FORMFIELDS tables together store the audit trail of changes to the user's account profile in a de-normalized format. These tables can be used in various audit-related reports.

The UPA_UD_FORMS and UPA_UD_FORMFIELDS tables are populated only if the XL.EnableExceptionReports system property is set to TRUE. For more information about this property, see "System Properties in Oracle Identity Manager" in the Oracle Fusion Middleware Administering Oracle Identity Manager.

The Form Upgrade Job scheduled task updates the form version to the latest active version and the form data to the value specified during the field's creation for all accounts. If this scheduled task is not run, then the form version and data are incorrect in the audit snapshot and the reporting tables.


----------------------------------------23 Using Reporting Features-------------------------------------------


Note:
After completion of initial target reconciliation, all account-related activities performed directly on a target resource are tracked as exception activity. Account-related activities include account creation, account modification, and entitlement assignment/revocation. The exception reports should be used only if the organization policies enforce that all account-related activities in target resources would always be initiated in Oracle Identity Manager. In addition, remember that exception detection and recording are an extension of account data reconciliation and, therefore, may result in a drop in performance during reconciliation.

All the exception reports depend on reconciliation data. Therefore, these reports will not display any data if the corresponding reconciliation events are archived.

Note:
Before running this report, you must populate data for account audit and reconciliation exceptions.


----------------------------------24 Using the Archival and Purge Utilities for Controlling Data Growth---------------------------


Note:
Oracle recommends that you use the real-time purge and archival option rather than the command-line utilities.


Note:
The real-time purge and archival solution purges data on a continuous basis. In addition, you can use the command-line archival utilities periodically to archive data, if required. The command-line utilities do not categorize entities in this way; they simply archive before they purge. For details about the command-line archival utilities, see "Using Command-Line Option of the Archival Purge Utilities in Oracle Identity Manager".


Note:
Real-time purge supports online mode only. Command-line Archival Purge Utilities support both online and offline modes based on the user input.


Note:
By default, the 'OIM Data Purge Job' scheduled job is available in the enabled state with a retention period of 90 days. You must revisit the job parameters to disable or to change the purge interval as required.


Note:
For Real-time Archival Purge operation via Scheduled Task interface, Retention Period must not be specified as ZERO as this can cause inconsistencies in purge operation.

Running multiple instances of the 'OIM Data Purge Job' scheduled job simultaneously is not supported via instantiation of the Scheduled Task functionality.

There should be no overlap of archival/purge utility run for an entity from both modes in Oracle Identity Manager, which are scheduled task and command-line modes.

For details of the purge internals, such as the tables that undergo purge for Request, Reconciliation, and Provisioning Tasks, refer to the subsequent sections on the command-line utilities. Both the real-time scheduled job-based purge and the command-line archival utilities purge data from the same set of tables for an entity.



Note:
Orchestration purge is available only in online mode and via the scheduled job interface.


Note:
You can use the Reconciliation Archival utility, the Task Archival utility, and the Requests Archival utility in both offline and online modes.


Note:
Data from RECON_EXCEPTION table will not be archived and purged. This is due to Oracle Identity Manager predefined BIP Report dependency.


Note:
You must replace ORADATA in the preceding sample command with the full path to your ORADATA directory.

You must set LD_LIBRARY_PATH to start Oracle utilities such as SQL*Plus in the environment where you want to run Oracle Identity Manager utilities.

Data that has been archived from the active reconciliation tables to the archive reconciliation tables will no longer be available through Oracle Identity Manager. To access this data, you must query the archive reconciliation tables in your Oracle Identity Manager database.


Note:
Oracle recommends that you run the Reconciliation Archival utility during off-peak hours.

Note:
When you change the date and time format, the change is applied to all the applications running on the Microsoft Windows platform.

Minimal validation is done on the date before calling the utility; scan the log files for ORA-18xx errors to find invalid date-related errors.

Note:
Batch size is the number of records processed in a single iteration of archival/purge; it is also the interval at which the database commits internally. You must provide the batch size as an input parameter value when starting the Archival Utilities at run time.
The default batch size is 5000. When purging more than a few hundred thousand recon_events, a higher batch size can be opted for. This may need more resources from the RDBMS, such as more space in the TEMP and UNDO tablespaces.


Note:
Data that has been archived from the active task tables to the archive task tables will no longer be available through Oracle Identity Manager. To access this data, you must query the archive task tables in your Oracle Identity Manager database.


Note:
Oracle recommends that you allocate a large UNDO tablespace when archiving large amounts of data. In addition, turn on parallel execution by configuring the parallel_max_servers and parallel_min_servers initialization parameters. Parallel execution helps improve the performance of the archival process.


Note:
You must set LD_LIBRARY_PATH to start Oracle utilities such as SQL*Plus in the environment where you want to run Oracle Identity Manager utilities.


Note:
Oracle recommends that you run the Task Archival utility during off-peak hours.


Note:
When you change the date and time format, the change is applied to all the applications running on the Microsoft Windows platform.

Minimal validation is done on the date before calling the utility; scan the log files for ORA-18xx errors to find invalid date-related errors.

Note:
You must enter the value of Y or N when prompted. If you press Enter without selecting a value, then the utility again counts the number of tasks to be archived and prompts you without beginning the archive.

Note:
You must analyze the active task tables and their indexes for updated statistics, because the data from active task tables is removed. Perform this step only if you are using Oracle Database as the database for Oracle Identity Manager.


Note:
These error log files are deleted when you run the utility again.

Note:
It is recommended that you run the Requests Archival utility during off-peak hours.


Note:
Batch size is the number of records processed in a single iteration of archival/purge; it is also the interval at which the database commits internally. You must provide the batch size as an input parameter value when starting the Archival Utilities at run time.
The default batch size is 2000. A higher batch size can be opted for, but this might require more resources from the database, such as more space in the TEMP and UNDO tablespaces.

Note:
The audit archival and purge solution is only applicable to the UPA table. It is not applicable to audit reporting tables, which are tables with the UPA_ prefix.

The utility is compatible with Oracle Identity Manager release 9.1.0 and later.


Note:
The partitioning feature of Oracle Database Enterprise Edition is required for implementing audit archival and purge.

Note:
The UPA_NON_PART table (the temporary non-partitioned table) must be created in the same tablespace as the partition to be exchanged.


Note:
Using the /*+parallel*/ hint in the INSERT statement is optional, and you can use other hints as well to improve performance according to the available resources.


Note:
A global non-partitioned index is created to support the primary key. A global index becomes unusable every time a partition is touched (for example, exchanged or dropped). You must rebuild the index when required.


Note:
Global statistics must be gathered by default. Oracle 11g includes improvements to statistics collection for partitioned objects so that untouched partitions are not rescanned. This significantly speeds up statistics collection on large tables where some partitions contain static data. When a new partition is added to the table, you need to collect statistics only for the new partition; the global statistics are updated automatically by aggregating the synopsis of the new partition with the synopses of the existing partitions.


Note:
The current year contains two partitions named UPA_2011_PART1 and UPA_2011_PART2. When current year becomes an old year and the data for that is ready to be archived or purged, make sure to archive or purge these two partitions.

It is your responsibility to restore the archived data later, if required.
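The notes above describe the partition-exchange archival of an old UPA partition without showing the statements. The following SQL*Plus script is an added example, not Oracle's own audit archival script, that strings the steps together for one partition. The names UPA_TS (the audit tablespace), UPA_ARCHIVE (an archive table with the same columns as UPA), UPA_PK (the global primary key index) and the partition UPA_2011_PART1 are placeholders to replace with the names in your database; UPA_2011_PART2 is handled the same way, and whether the emptied partition is then dropped follows the documented procedure.

```sql
-- Added example (not from the Oracle documentation): archive one old UPA
-- partition by partition exchange. Placeholders: UPA_TS, UPA_ARCHIVE,
-- UPA_PK, UPA_2011_PART1. Run as the OIM schema owner in SQL*Plus on
-- Oracle Database Enterprise Edition with the Partitioning option.

-- 1. Confirm the tablespace of the partition to be exchanged; the temporary
--    non-partitioned table must be created in that same tablespace.
SELECT partition_name, tablespace_name
  FROM user_tab_partitions
 WHERE table_name = 'UPA'
 ORDER BY partition_position;

-- 2. Create the empty temporary non-partitioned table in that tablespace.
CREATE TABLE UPA_NON_PART TABLESPACE UPA_TS
  AS SELECT * FROM UPA WHERE 1 = 0;

-- 3. Swap the partition's segment with the empty table. This is a metadata
--    operation: no rows are copied, the partition is left empty and
--    UPA_NON_PART now holds the old rows.
ALTER TABLE UPA EXCHANGE PARTITION UPA_2011_PART1
  WITH TABLE UPA_NON_PART WITHOUT VALIDATION;

-- 4. Copy the staged rows into the archive table. The parallel hint is
--    optional; size the degree to the available resources.
INSERT /*+ APPEND */ INTO UPA_ARCHIVE
  SELECT /*+ PARALLEL(UPA_NON_PART, 4) */ * FROM UPA_NON_PART;
COMMIT;

-- 5. Verify before dropping anything: the partition must be empty and the
--    archive must hold at least as many rows as were staged.
SELECT (SELECT COUNT(*) FROM UPA_NON_PART)                    AS staged_rows,
       (SELECT COUNT(*) FROM UPA PARTITION (UPA_2011_PART1))  AS rows_left_in_partition,
       (SELECT COUNT(*) FROM UPA_ARCHIVE)                     AS archived_rows
  FROM dual;
DROP TABLE UPA_NON_PART PURGE;

-- 6. The exchange marks the global primary key index UNUSABLE; rebuild it.
SELECT index_name, status FROM user_indexes WHERE table_name = 'UPA';
ALTER INDEX UPA_PK REBUILD PARALLEL 4;
ALTER INDEX UPA_PK NOPARALLEL;

-- 7. Gather statistics incrementally: only the touched partition is
--    rescanned and global statistics are aggregated from partition synopses.
BEGIN
  DBMS_STATS.SET_TABLE_PREFS(USER, 'UPA', 'INCREMENTAL', 'TRUE');
  DBMS_STATS.GATHER_TABLE_STATS(ownname     => USER,
                                tabname     => 'UPA',
                                partname    => 'UPA_2011_PART1',
                                granularity => 'AUTO',
                                cascade     => TRUE);
END;
/
```

Step 5 is the check worth keeping: rows_left_in_partition must be 0 and archived_rows must be at least staged_rows before UPA_NON_PART is dropped, because the drop is the point at which the staged segment ceases to exist in the OIM database.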

Note:
Certification purge is available only in online mode and via the scheduled job interface. Data from CERTD_STATS, CERT_DEFN, CERT_EVT_LSNR and CERT_EVT_TRIG tables will not be archived and purged.


Note:
By default, the OIM Certification Purge Job is available in the enabled state with a retention period of 180 days. You must revisit the job parameters to disable or to change the purge interval as required.


Note:
For Certification Real-Time Purge operation via Scheduled Task interface, Retention Period must not be specified as ZERO as this can cause inconsistencies in purge operation.
Simultaneously running multiple instances of the OIM Data Purge Job and the OIM Certification Purge Job is not supported via instantiation of the Scheduled Task functionality.


----------------------------------25 Handling Lifecycle Management Changes----------------------------------


Note:
When additional Oracle Identity Manager nodes are added or removed, perform the procedures described in these sections to configure Oracle Identity Manager host and port changes.

When the Oracle Identity Manager Managed Server is enabled for an SSL port, perform the procedures described in these sections to change the Oracle Identity Manager port and protocol, such as t3 to t3s and http to https.

Note:
In a clustered deployment, the change to the OimFrontEndURL must be made on each server in the cluster.


Note:
SPML clients store Oracle Identity Manager URL for invoking SPML and sending callback response. Therefore, changes are required corresponding to this. In addition, if Oracle Identity Manager is integrated with OAM, OAAM, or Oracle Identity Navigator (OIN), there may be corresponding changes necessary. For more information, refer to OAM, OAAM, and OIN documentation in the Oracle Technology Network (OTN) Web site.


Note:
The value of the BackOfficeURL attribute must be empty for Oracle Identity Manager nonclustered and clustered deployments.

For SSL-enabled Oracle Identity Manager setup, BackOfficeURL attribute must be populated with the correct URL, for example:

t3s://OIM_HOST:OIM_SSL_PORT


Note:
Before making changes to the database host and port, shut down the managed servers hosting Oracle Identity Manager. You can keep the Oracle WebLogic Administration Server running.

When Oracle Identity Manager database is enabled for SSL port, perform this procedure to change the Oracle Identity Manager database URL and properties accordingly.


Note:
This step is required only if database host and port of MDS schema is changed.


Note:
If Service Oriented Architecture (SOA) and Oracle Web Services Manager (OWSM) undergo configuration changes, then you must make similar changes for datasources related to SOA or OWSM.

For SSL-enabled database, the changes described in this section are not applicable.

For DB changes related to SSL, follow the instructions provided in "Updating Oracle Identity Manager Authenticators".


Note:
Whenever Oracle Identity Manager application configuration information is to be changed by using the OIM App Config MBeans from the Enterprise Manager (EM) console, at least one of the Oracle Identity Manager Managed Servers must be running. Otherwise, none of the OIM App Config MBeans are visible in the EM console.


Note:
When Oracle Identity Manager single instance deployment is changed to Oracle Real Application Clusters (Oracle RAC) or Oracle RAC is changed to single instance deployment, change the oimJMSStoreDS, oimOperationsDB, and mds-oim datasources. In addition to the generic changes to make these datasources to multidatasource configuration, change the OIMAuthenticationProvider and domain credential store configurations to reflect the Oracle RAC URL. For information about these generic changes, see Oracle Fusion Middleware High Availability Guide.
See "Oracle Identity Manager Database Host and Port Changes" for information about changing the port at the database.


Note:
When additional SOA nodes are added or removed, perform this procedure to change the SOA host and port.

When the SOA Managed Server is enabled for an SSL port, perform the procedure described in this section to change the SOA port and protocol, such as t3 to t3s and http to https.


Note:
If OAM or OAAM is integrated with Oracle Identity Manager, then you must make corresponding changes in those applications. For more information, refer to OAM and OAAM documentation in the Oracle Technology Network (OTN) Web site by using the following URL:
http://www.oracle.com/technetwork/indexes/documentation/index.html


Note:
Other properties, such as LDAPURL, LDAPADMINUSER, and OIM_ADMIN_LDAP_DN can be ignored as they are used only in an integrated setup between Oracle Identity Manager and Access Manager.


Note:
The warning messages that are displayed while running the oimadminpasswd_wls.sh script can be ignored.


Note:
The warning messages that are displayed while running the oimadminpasswd_wls.sh script can be ignored.

The xelsysadm password is not set to expire until 2035. During integration between Oracle Identity Manager and Access Manager, the obpasswordexpirydate setting for the xelsysadm user is set to "2035-01-01T00:00:00Z". If this value has been changed, then revert it to "2035-01-01T00:00:00Z" for xelsysadm. This value is initially loaded from the following template LDIF file:

$OIM_ORACLE_HOME/idmtools/templates/oid/idm_xelsysadmin_user.ldif


Note:
Before changing the database password, shut down the managed servers that host Oracle Identity Manager. However, you can keep the Oracle WebLogic Administration Server running.

Note:
For Oracle Identity Manager deployments with Oracle Real Application Clusters (Oracle RAC) configuration, you might have to make changes in all the datasources under the respective multi-datasource configurations.

You might have to make similar changes for datasources related to SOA or OWSM, if required.


Note:
Sections "Generating Keys (Optional)" through "Importing the Certificate (Optional)" provide example commands that are used later in the document. These are for reference and not part of the mandatory steps of configuration.

For configuring Oracle User Messaging Service (UMS) notification that is SSL-based, see "Using UMS for Notification".

For more details on configuring UMS to connect to a mail server with SSL, see "Configuring Oracle User Messaging Service" in the Oracle Fusion Middleware Administrator's Guide for Oracle SOA Suite and Oracle Business Process Management Suite.


Note:
The procedures described in sections "Generating Keys (Optional)" to "Importing the Certificate (Optional)" are optional. These steps are required if you have custom identity and trust store for WebLogic servers.
SSL can be enabled with default identity and trust store as well.


Note:
Change the parameter values passed to the keytool command according to your requirements. Ensure that there is no line break in the keytool argument.

If JDK 7u40 or later is used, then the value of the keysize option must be greater than or equal to 1024. For more information about this limitation, see "Default x.509 Certificates Have Longer Key Length" at the following URL:

http://www.oracle.com/technetwork/java/javase/7u40-relnotes-2004172.html


Note:
Change the parameter values passed to the keytool command according to your requirements. Ensure that there is no line break in the keytool argument.


Note:
Change the parameter values passed to the keytool command according to your requirements. Ensure that there is no line break in the keytool argument.


Note:
Change the parameter values passed to the keytool command according to your requirements. Ensure that there is no line break in the keytool argument.

This command loads a trusted CA certificate into a keystore. If the keystore does not exist, it is created.


Note:
If JDK 7u40 or later is used, then the value of the keysize option must be greater than or equal to 1024. For more information about this limitation, see "Default x.509 Certificates Have Longer Key Length" at the following URL:

http://www.oracle.com/technetwork/java/javase/7u40-relnotes-2004172.html

If JDK 7u40 or later is used and SSL is configured by using the default certificates as described in "Enabling SSL for Oracle Identity Manager By Using Default Setting", then apply patch 13964737. You can download this patch from the My Oracle Support web site at:

https://support.oracle.com



Note:
If you have created only custom identity and using java standard trust, then select the Custom Identity, Java Standard Trust option.
If you have created custom identity and custom trust, then select the Custom identity and custom trust option.



Note:
The trust keystore created at DOMAIN_HOME/config/fmwconfig/ by Oracle Identity Manager during installation is default-keystore.jks.

If you are using a different name for truststore than the default name, which is default-keystore.jks, then perform the following steps:

Add an Oracle Identity Manager credential store map key. The key for default-keystore.jks is created with the Oracle Identity Manager configuration by default; if you are using any other name, such as client_store.jks, then create a key in the credential store by using Oracle Enterprise Manager. To create a key in the credential store:

Log in to Oracle Enterprise Manager.
Expand Weblogic Domain, DOMAIN_NAME. Right-click DOMAIN_NAME, and select Security, Credentials.
In the Credential Store Provider table, click oim.
Create a key in this oim map.

Change the DirectDB configuration in the oim-config.xml file, either by exporting/importing this file from MDS or by using Enterprise Manager. For the latter, navigate to oracle.iam, XMLConfig, DirectDB, SSLConfig in the Application Defined MBeans section of the System MBean Browser, and then change the SSL parameters, for example:

SSLConfig dBTrustStore="client_store.jks" SSLConfig.DBTrustStorePasswordKey=Name_of_the_CSF_key_created_in_step_a

If you are creating a custom trust keystore, then perform steps 6 to 9 of this section for the custom trust keystore field as well.



Note:
The default password for Java's Standard truststore (JAVA_HOME/jre/lib/security/cacerts) is changeit.


Note:
While starting Oracle Identity Manager server, set the following environment variable:
setenv JAVA_OPTIONS -DproviderURL=t3s://HOST_NAME:SSL_PORT
Optionally, you can set the parameters in step 17 to startWeblogic.sh as well as startmanagedWeblogic.sh to start the server via these scripts.



Note:
In a clustered deployment, the change to the OimFrontEndURL must be made on each server in the cluster.


Note:
Fusion Apps or SPML clients store Oracle Identity Manager URL for invoking SPML and also send callback response. Therefore, there are changes needed corresponding to this. Also, if Oracle Identity Manager is integrated with OAM/OAAM/OIN, there may be corresponding changes necessary.


Note:
Rmiurl is used for accessing SOA EJBs deployed on SOA managed servers.


Note:
Soapurl is used to access SOA web services deployed on SOA managed servers. This is the web server/load balancer URL, in case of a SOA cluster front ended with web server/load balancer. In case of single SOA server, it can be application server URL.


Note:
The terms wallet and keystore are used interchangeably and mean the same thing: a repository of public/private keys and self-signed/trusted certificates.

Note:
You can also use Oracle PKCS12 wallet as the client keystore.

Note:
For custom trust keystore, import the self-signed CA trusted certificate to that, for example:
JAVA_HOME/jre/bin/keytool -import -trustcacerts -alias dbtrusted -noprompt -keystore client_store.jks -file self_si

Note:
Before changing the database host/port, you must shut down the managed servers hosting the Oracle Identity Manager application. However, you can keep the WebLogic Admin Server up and running.


Note:
For custom trust keystore, provide the path of the same in the javax.net.ssl.trustStore property, for example:
javax.net.ssl.trustStore=Domain_Home/config/fmwconfig/client_store.jks


Note:
You might have to perform similar updates for datasources related to SOA/OWSM/OPSS, if required.


Note:
You must select the Listener Type as LDAP.


Note:
You must not use the restart option.

Note:
Here, copying $MW_HOME/modules/cryptoj.jar to the $OIM_HOME/designconsole/ext/ directory is a mandatory step. Setting the permission is necessary if xl.policy does not contain the default grant policy for all.


Note:
See "Configuring SSL for Design Console" for details about setting the TRUSTSTORE_LOCATION environment variable to the location of the trust keystore.

Note:
Change the value of the -Djavax.net.ssl.trustStore parameter to point to the truststore used to configure SSL.
See "Configuring SSL for Design Console" for information about the location of the trust store used in WebLogic to configure SSL.

------------------------26 Securing a Deployment-----------------------------------------------------------------


Note:
You can ignore the following error while updating the deployment plan for iam.console.identity.self-service.ear and oracle.iam.console.identity.sysadmin.ear:
'weblogic.management.DeploymentException:  The application oracle.iam.console.identity.self-service.ear#V2.0 cannot have the resource WEB-INF/weblogic.xml updated dynamically. Either:
1.) The resource does not exist. 
 or 
2) The resource cannot be changed dynamically.


-----------------------------------------------27 Using Enterprise Manager for Managing Oracle Identity Manager--------------------------


Note:
Orchestration Process ID is a unique combination of two fields, a long type ID and a string type Name. Either of the two can be provided to the Mbean operations to get results. You can provide both for exact record match.


Note:
If the findProcess operation of the MBean for a particular process ID returns nothing, then it means that either the provided ID is incorrect or the particular process completed successfully and does not exist in the database. Information for such a process ID is available only in the log files.


Note:
If you are not getting the volume of output that you expect in a log, then verify that the level attribute for both the logger and the log handler are set appropriately. For example, if the logger is set to TRACE and the log handler is set to WARN, then the handler does not generate messages more detailed than WARN.


Note:
You must have a basic understanding of XML syntax before you attempt to modify the logging.xml file.


-----------------------------------------B Configuring SSO Providers for Oracle Identity Manager--------------------------


Note:
For a clustered deployment of Oracle Identity Manager, install the policy agent on each Oracle Identity Manager Managed Server.

Note:
For a clustered deployment of Oracle Identity Manager, OpenSSO policy agent must be configured on each Oracle Identity Manager Managed Server.

Note:
The corresponding deployment-descriptors are located at:
IDM_ORACLE_HOME/server/apps/oim.ear/iam-consoles-faces.war/WEB-INF/web.xml
IDM_ORACLE_HOME/server/apps/oracle.iam.console.identity.self-service.ear/oracle.iam.console.identity.self-service.war/WEB-INF/web.xml
IDM_ORACLE_HOME/server/apps/oracle.iam.console.identity.sysadmin.ear/oracle.iam.console.identity.sysadmin.war/WEB-INF/web.xml


Note:
Ensure that after performing steps iii and iv, the only difference between the modified EAR files and the original EAR files is in the web.xml files.


Note:
Ensure that all the Oracle Identity Manager users are synchronized with the LDAP server to which the authenticator points.


Note:
If you cannot use TAMIdentityAsserter, then you can use the OAMIdentityAsserter, as described in "Simplifying Third-Party SSO Integration".

Note:
The connect() call will ask for Admin server URL and WebLogic Admin username and password.


Note:
Performing the procedure provided in this section only enables basic SSO. Use an LDAP connector to provision passwords, and perform additional configuration so that the lock status can be propagated to the directory.


Note:
OIDAuthenticator is used as a reference in this procedure. If you have any other LDAP Server, such as AD, ODSEE, or OUD, then create appropriate WebLogic LDAP Authentication providers.


Note:
The connect() call prompts for Admin server URL and WebLogic administrator username and password.

Note:
This step configures the security providers in the OIM domain so that both SSO login and OIM client-based login work. For this, OAMIDAsserter and OIDAuthenticator must be set up. OIDAuthenticator is configured to authenticate/assert users against OID. To authenticate/assert users against any other directory server that is also used by OAM for authentication, the corresponding authenticator must be configured instead of OIDAuthenticator.

Note:
This asserter currently supports third-party SSO providers, such as IBM Tivoli Access Manager and CA Siteminder.

Note:
SM_USER and iv-user are mentioned as these seem to be the default SSO headers set by CA Siteminder and IBM Tivoli Access Manager respectively.

If, for some reason, the SSO header does not contain the username value that maps to the OIM User Login field, then it is recommended to configure the SSO provider to return the username in a header named OAM_REMOTE_USER. In this case, select OAM_REMOTE_USER as the Chosen Active type in step 4, and skip step 5.


Note:
LDAPAuthenticator must be replaced by the appropriate authenticator that can authenticate against the LDAP provider being used by the SSO provider, for example OIDAuthenticator.


Note:
It is not recommended to use this configuration in an Oracle Identity Manager deployment that is not integrated with SSO providers.

This solution is recommended if your Oracle Identity Manager deployment is integrated with third-party SSO providers, and you want to allow users to login with an attribute other than User Login.

It is not recommended to use this solution when Oracle Identity Manager is integrated with OAM. It is possible to configure OAM to allow users to login with multiple attributes, yet assert the User Login equivalent attribute. With that configuration, although the user performs SSO login using email, the JAAS subject is populated with User Login attribute.


Note:
If loginIdAttribute is configured to Email, then all users must have a valid email ID, and the values must be unique across all the Oracle Identity Manager users.


Note:
User From Name Filter contains an OR condition to be able to lookup users either by using uid attribute (which is the default) or by using mail (if loginIdAttribute is configured as Email).
However, it is recommended that you perform API client-based login only by using loginIdAttribute (mail for example), if configured.


Note:
If the loginIdAttribute is set to some other unique attribute in Oracle Identity Manager, then the corresponding mapping attribute in LDAP must be set as SYSTEM_ADMINISTRATOR.


Note:
The values for USER_NAME and USER_ID properties must be the field-mapping corresponding to loginIdAttribute. So if loginIdAttribute is configured as Email, then USER_NAME and USER_ID properties should be set to USR_EMAIL, since Email attribute maps to USR_EMAIL column.


Note:
Ensure the following while developing custom SOA composites, when a custom loginIdAttribute (say Email) is configured:
When Oracle Identity Manager initiates SOA composites for approval, it passes RequesterDetails, BeneficiaryDetails as part of the payload.

The Login and ManagerLogin fields within these would be set to Email instead of User Login.

Ensure that you use the loginIdAttribute value as the task assignee.

In order to fetch the loginIdAttribute value for a user (given user key), you can use the getUserDetails operation of RequestDataService in the BPEL process.

The same applies to already existing custom SOA composites.


----------------------------D Enabling Transparent Data Encryption---------------------------------------------


Note:
For detailed information about TDE, see Oracle Database Advanced Security Guide.

Note:
Before exporting the Oracle Identity Manager schema, capture and retain the system and object grants on it by using the following SQL commands (to be run as SYS user):
SELECT DBMS_METADATA.GET_GRANTED_DDL ('SYSTEM_GRANT','OIM_SCHEMA_NAME') FROM DUAL;
SELECT DBMS_METADATA.GET_GRANTED_DDL ('OBJECT_GRANT', 'OIM_SCHEMA_NAME') FROM DUAL;
Copy the output of the SQL commands and edit it for appending semicolon (;) after each statement. The retained grants are required to be run post Step 10.


Note:
A backup of the wallet location must be maintained along with the regular backups.


Note:
You can close the wallet by running the following command:
ALTER SYSTEM SET ENCRYPTION WALLET CLOSE IDENTIFIED BY "myPassword";


Note:
Datafile path can be referred from the following command:
SELECT name FROM v$datafile;

Note:
After importing the Oracle Identity Manager schema, execute the preserved grants, as suggested in step 4.

After importing the Oracle Identity Manager schema, compile all the objects in the schema by using the following command (to be run as SYS user):

BEGIN
  UTL_RECOMP.recomp_serial('OIM_SCHEMA_NAME');
END;
/
Here, replace OIM_SCHEMA_NAME with the Oracle Identity Manager database schema name.
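The grant capture before export and the post-import checks above are gathered into the following SQL*Plus script, an added example rather than Oracle's own procedure. OIM_SCHEMA_NAME is the placeholder used on this page, and the spool file name oim_grants.sql is an assumption. The SQLTERMINATOR transform makes DBMS_METADATA append the semicolons itself, which removes the manual editing step, and the queries at the end confirm that the wallet is open, that the schema's segments actually landed in an encrypted tablespace, and that no objects were left invalid.

```sql
-- Added example (not from the Oracle documentation): capture the OIM schema
-- grants before the export and verify TDE after the import. Run as SYS in
-- SQL*Plus. Placeholder: OIM_SCHEMA_NAME (the OIM schema, upper case).

-- Before export: have DBMS_METADATA terminate each statement so the spooled
-- file can be replayed as-is after the import.
SET LONG 1000000 LONGCHUNKSIZE 1000000 PAGESIZE 0 LINESIZE 300
SET TRIMSPOOL ON FEEDBACK OFF
BEGIN
  DBMS_METADATA.SET_TRANSFORM_PARAM(DBMS_METADATA.SESSION_TRANSFORM, 'SQLTERMINATOR', TRUE);
  DBMS_METADATA.SET_TRANSFORM_PARAM(DBMS_METADATA.SESSION_TRANSFORM, 'PRETTY', TRUE);
END;
/
SPOOL oim_grants.sql
SELECT DBMS_METADATA.GET_GRANTED_DDL('SYSTEM_GRANT', 'OIM_SCHEMA_NAME') FROM dual;
SELECT DBMS_METADATA.GET_GRANTED_DDL('OBJECT_GRANT', 'OIM_SCHEMA_NAME') FROM dual;
SELECT DBMS_METADATA.GET_GRANTED_DDL('ROLE_GRANT',   'OIM_SCHEMA_NAME') FROM dual;
SPOOL OFF

-- After import: replay the preserved grants and recompile the schema.
@oim_grants.sql
BEGIN
  UTL_RECOMP.recomp_serial('OIM_SCHEMA_NAME');
END;
/

-- The wallet must report OPEN; with a closed wallet the encrypted
-- tablespaces are unreadable and the managed servers cannot start.
SELECT wrl_type, wrl_parameter, status FROM v$encryption_wallet;

-- Which tablespaces are encrypted, and with which algorithm.
SELECT t.name AS tablespace_name, e.encryptionalg, e.encryptedts
  FROM v$tablespace t
  JOIN v$encrypted_tablespaces e ON t.ts# = e.ts#;

-- Every segment of the OIM schema should sit in an encrypted tablespace;
-- anything listed here was imported into a plaintext tablespace.
SELECT s.segment_type, s.segment_name, s.tablespace_name
  FROM dba_segments s
 WHERE s.owner = 'OIM_SCHEMA_NAME'
   AND s.tablespace_name NOT IN (
         SELECT t.name
           FROM v$tablespace t
           JOIN v$encrypted_tablespaces e ON t.ts# = e.ts#);

-- No invalid objects should remain after UTL_RECOMP; an empty result is good.
SELECT object_type, COUNT(*) AS invalid_objects
  FROM dba_objects
 WHERE owner = 'OIM_SCHEMA_NAME' AND status = 'INVALID'
 GROUP BY object_type;
```

The segment query is the one to run before starting the managed servers: an import into the wrong tablespace leaves the data in clear text on disk while every other indicator (open wallet, encrypted tablespace present) looks correct.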


------------------------E Troubleshooting Clustered OIM and Eclipselink Cache Coordination-------------------------------


Note:
If the hosts are not within the number of network hops specified in Time To Live (TTL), then you can change the ttl by adding -ttl 10 to the command.


Note:
If a second NIC is used for multicast, then specify the interface with the -local attribute, such as:
multicast-test.sh -local UNICAST_ADDRESS -group IP_ADDRESS:12345

Where UNICAST_ADDRESS is the unicast address on the interface used for the multicast network. For more information see Tech note "How To Verify that Multicast Communication Works Correctly Between Machines the Coherence Cluster Members Are Running On (Doc ID 1936452.1)" on the My Oracle Support web site at:

https://support.oracle.com