Tivoli® Identity Manager
Directory Integrator- Based Oracle eBS Adapter Installation and Configuration
Guide
Version 4.6
SC23-9919-00
Note:
Before using this information and the product it supports, read the information in Appendix F, “Notices,” on page 45.
This edition applies to version 4.6 of this adapter and to all subsequent releases and modifications until otherwise
indicated in new editions.
© Copyright International Business Machines Corporation 2008. All rights reserved.
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract
with IBM Corp.
Contents
Preface
  About this book
  Intended audience for this book
  Publications and related information
  Tivoli Identity Manager library
  Prerequisite product publications
  Related publications
  Accessing terminology online
  Accessing publications online
  Ordering publications
  Accessibility
  Tivoli technical training
  Support information
  Conventions used in this book
  Typeface conventions
  Operating system-dependent variables and paths
  Definitions for HOME and other directory variables
Chapter 1. Overview of the Oracle eBS Adapter
  Features of the adapter
  Architecture of the adapter
  Supported configurations
Chapter 2. Installing the Oracle eBS Adapter
  Prerequisites
  Tivoli Directory Integrator adapters solution directory
  Installing the adapter
  Running the installer
  Importing the adapter profile into the Tivoli Identity Manager server
  Creating an Oracle eBS Adapter service
  Starting and stopping the adapter service
Chapter 3. Configuring the Oracle eBS Adapter
  Customizing the Oracle eBS Adapter profile
  Configuration properties of the adapter
  Changing the port number for the RMI Dispatcher
  Configuring logging for the adapter
  Naming the log file
  Sizing the log file
  Configuring logging levels
  Displaying logs in the user interface
  Appending information to an existing log file
  Managing passwords when restoring accounts
Chapter 4. Configuring SSL authentication for the Oracle eBS Adapter
  SSL terminology
  SSL configurations
  Configuring for one-way SSL authentication
  Configuring for two-way SSL authentication
  Task performed on the SSL server (Tivoli Directory Integrator server workstation)
  Creating a keystore for the Tivoli Directory Integrator server
  Creating a truststore for the Tivoli Directory Integrator server
  Creating a server-signed certificate for the Tivoli Directory Integrator server
  Creating a CA certificate for Tivoli Directory Integrator
  Importing the WebSphere Application Server CA certificate into the Tivoli Directory Integrator truststore
  Configure Tivoli Directory Integrator to use the keystores
  Configure Tivoli Directory Integrator to use the truststores
  Enabling the adapter service to use SSL
  Tasks performed on the SSL client (Tivoli Identity Manager and WebSphere Application Server workstation)
  Creating a signed certificate for the Tivoli Identity Manager server
  Creating a WebSphere Application Server CA certificate for Tivoli Identity Manager
  Importing the Tivoli Identity Manager CA certificate into the WebSphere Application Server truststore
Chapter 5. Verifying the Oracle eBS Adapter profile installation
Chapter 6. Troubleshooting the Oracle eBS Adapter
  Warning and error messages
  Logging information format
  Installer problems on UNIX and Linux platforms
  Symptoms
  Corrective action
Chapter 7. Uninstalling the Oracle eBS Adapter
  Uninstalling the adapter from the Tivoli Directory Integrator server
  Removing the adapter profile from the Tivoli Identity Manager server
Appendix A. Adapter attributes
  Attribute descriptions
  Attributes by Oracle eBS Adapter actions
  System Login Add
  System Login Change
  System Login Delete
  System Login Suspend
  System Login Restore
  Test
  Reconciliation
Appendix B. Installing on a zOS operating system
  RMI Dispatcher installation:
Appendix C. Running in Federal Information Processing Standards compliance mode
Appendix D. Accessibility features for the Oracle eBS Adapter
  Accessibility features
  Keyboard navigation
  IBM and accessibility
Appendix E. Support information
  Searching knowledge bases
  Search the information center on your local system or network
  Search the Internet
  Contacting IBM Software Support
  Determine the business impact of your problem
  Describe your problem and gather background information
  Submit your problem to IBM Software Support
Appendix F. Notices
  Trademarks
Index
Preface
About this book
This installation guide provides the basic information that you need to install and
configure the IBM® Tivoli® Identity Manager Directory-Based Oracle E-Business
Suite Adapter (Oracle eBS Adapter). The Oracle eBS Adapter enables connectivity
between the Tivoli Identity Manager server and a managed resource. The Tivoli
Identity Manager server is the server for your Tivoli Identity Manager product.
Intended audience for this book
This book is intended for Oracle eBS security administrators responsible for
installing software on their site’s computer systems. Readers are expected to
understand operating system concepts. The person completing the Oracle eBS
Adapter installation procedure must also be familiar with their site’s system
standards. Readers should be able to perform routine security administration tasks.
Publications and related information
This section lists publications in the IBM Tivoli Identity Manager library and
related documents. The section also describes how to access Tivoli publications
online and how to order Tivoli publications.
Read the descriptions of the IBM Tivoli Identity Manager library. To determine
which additional publications you might find helpful, read the “Prerequisite
product publications” on page vii and the “Related publications” on page viii.
After you determine the publications you need, refer to the instructions in
“Accessing publications online” on page viii.
Tivoli Identity Manager library
The publications in the technical documentation library for your product are
organized into the following categories:
• Release information
• Online user assistance
• Server installation and configuration
• Problem determination
• Technical supplements
• Adapter installation and configuration
Release Information:
• Release Notes
Provides software and hardware requirements for the product, and additional
fix, patch, and other support information.
• Read This First card
Lists the publications for the product.
Online user assistance:
Provides online help topics and an information center for administrative tasks.
Server installation and configuration:
Provides installation and configuration information for the product server.
Problem determination:
Provides problem determination, logging, and message information for the
product.
Technical supplements:
The following technical supplements are provided by developers or by other
groups who are interested in this product:
• Performance and tuning information
Provides information needed to tune your production environment, available on
the Web at:
http://publib.boulder.ibm.com/tividd/td/tdprodlist.html
Click the I character in the A-Z product list to locate IBM Tivoli Identity
Manager products. Click the link for your product, and then browse the
information center for the Technical Supplements section.
• IBM Redbooks® and white papers are available on the Web at:
http://www.ibm.com/software/sysmgmt/products/support/IBMTivoliIdentityManager.html
Browse to the Self Help section, in the Learn category, and click the Redbooks
link.
• Technotes are available on the Web at:
http://www.redbooks.ibm.com/redbooks.nsf/tips/
• Field guides are available on the Web at:
http://www.ibm.com/software/sysmgmt/products/support/Field_Guides.html
• For an extended list of other Tivoli Identity Manager resources, search the
following IBM developerWorks® Web address:
http://www.ibm.com/developerworks/
Adapter documentation:
The technical documentation library also includes a set of platform-specific
documents for the adapter components of the product. Adapter information is
available on the Web at:
http://publib.boulder.ibm.com/tividd/td/tdprodlist.html
Click the I character in the A-Z product list to locate IBM Tivoli Identity Manager
products. Click the link for your product, and then browse the information center
for the adapter information that you want.
Skills and training:
The following additional skills and technical training information were available at
the time that this manual was published:
• Virtual Skills Center for Tivoli Software on the Web at:
http://www.cgselearning.com/tivoliskills/
• Tivoli Education Software Training Roadmaps on the Web at:
http://www.ibm.com/software/tivoli/education/eduroad_prod.html
• Tivoli Technical Exchange on the Web at:
http://www.ibm.com/software/sysmgmt/products/support/supp_tech_exch.html
Prerequisite product publications
To use the information in this book effectively, you must have knowledge of the
products that are prerequisites for your product. Publications are available from
the following locations:
• directory server
– http://publib.boulder.ibm.com/infocenter/pseries/index.jsp
– http://docs.hp.com/
– http://www.redhat.com/docs/
– http://docs.sun.com/db?q=solaris+9
• Operating systems
– IBM AIX
http://publib16.boulder.ibm.com/pseries/
– Solaris Operating Environment
http://docs.sun.com/app/docs/prod/solaris
– Red Hat Linux
http://www.redhat.com/docs/
– Microsoft® Windows® Server 2003
http://www.microsoft.com/windowsserver2003/proddoc/default.mspx
• Database servers
– IBM DB2 Universal Database
- Support: http://www.ibm.com/software/data/db2/udb/support.html
- Information center: http://publib.boulder.ibm.com/infocenter/db2help/index.jsp
- Documentation: http://www.ibm.com/cgi-bin/db2www/data/db2/udb/winos2unix/support/v8pubs.d2w/en_main
- DB2® product family: http://www.ibm.com/software/data/db2
- Fix packs: http://www.ibm.com/software/data/db2/udb/support/downloadv8.html
- System requirements: http://www.ibm.com/software/data/db2/udb/sysreqs.html
– Oracle
http://www.oracle.com/technology/documentation/index.html
http://otn.oracle.com/tech/index.html
http://otn.oracle.com/tech/linux/index.html
– Microsoft SQL Server
http://www.msdn.com/library/
http://www.microsoft.com/sql/
• Directory server applications
– IBM Directory Server
http://publib.boulder.ibm.com/tividd/td/tdprodlist.html
Click the D character in the A-Z list, and then click the link for your product to access the
product library.
http://www.ibm.com/software/network/directory
– Sun ONE Directory Server
http://www.sun.com/software/products/directory_srvr/home_directory.xml
• WebSphere®
Additional information is available in the product directory or Web sites.
http://www.ibm.com/software/webservers/appserv/was/library/
http://www.redbooks.ibm.com/
• WebSphere embedded messaging
http://www.ibm.com/software/integration/wmq/
• IBM HTTP Server
http://www.ibm.com/software/webservers/httpservers/library.html
Related publications
The following documents also provide useful information:
• The Tivoli Software Library provides a variety of Tivoli publications such as
white papers, datasheets, demonstrations, IBM Redbooks, and announcement
letters. The Tivoli Software Library is available on the Web at:
http://www.ibm.com/software/tivoli/literature/
• The Tivoli Software Glossary includes definitions for many of the technical terms
related to Tivoli software. The Tivoli Software Glossary is available from the
Glossary link of the Tivoli Software Library Web page at:
http://publib.boulder.ibm.com/tividd/glossary/tivoliglossarymst.htm
Accessing terminology online
The Tivoli Software Glossary includes definitions for many of the technical terms
related to Tivoli software. The Tivoli Software Glossary is available at the following
Tivoli software library Web site:
http://publib.boulder.ibm.com/tividd/glossary/tivoliglossarymst.htm
The IBM Terminology Web site consolidates the terminology from IBM product
libraries in one convenient location. You can access the Terminology Web site at the
following Web address:
http://www.ibm.com/software/globalization/terminology
Accessing publications online
IBM posts publications for this and all other Tivoli products, as they become
available and whenever they are updated, to the Tivoli Information Center Web
site at http://publib.boulder.ibm.com/tividd/td/link/tdprodlist.html.
In the Tivoli Information Center window, click the letter that matches the first
letter of your product name to access your product library. For example, click M to
access the IBM Tivoli Monitoring library or click O to access the IBM Tivoli
OMEGAMON® library.
Note: If you print PDF documents on other than letter-sized paper, set the option
in the File → Print window that allows Adobe® Reader to print letter-sized
pages on your paper.
Ordering publications
You can order many Tivoli publications online at http://www.elink.ibmlink.ibm.com/public/applications/publications/cgibin/pbi.cgi.
You can also order by telephone by calling one of these numbers:
• In the United States: 800-879-2755
• In Canada: 800-426-4968
In other countries, contact your software account representative to order Tivoli
publications. To locate the telephone number of your local representative, perform
the following steps:
1. Go to http://www.elink.ibmlink.ibm.com/public/applications/publications/cgibin/pbi.cgi.
2. Select your country from the list and click Go.
3. Click About this site in the main panel to see an information page that
includes the telephone number of your local representative.
Accessibility
Accessibility features help users with a physical disability, such as restricted
mobility or limited vision, to use software products successfully. With this product,
you can use assistive technologies to hear and navigate the interface. You can also
use the keyboard instead of the mouse to operate all features of the graphical user
interface.
For additional information, see Appendix D, “Accessibility features for the Oracle
eBS Adapter,” on page 39.
Tivoli technical training
For Tivoli technical training information, refer to the following IBM Tivoli
Education Web site at http://www.ibm.com/software/tivoli/education.
Support information
If you have a problem with your IBM software, you want to resolve it quickly. IBM
provides the following ways for you to obtain the support you need:
• IBM Support Assistant: You can search across a large collection of known
problems and workarounds, Technotes, and other information at
http://www.ibm.com/software/support/isa.
• Obtaining fixes: You can locate the latest fixes that are already available for your
product.
• Contacting IBM Software Support: If you still cannot solve your problem, and
you need to work with someone from IBM, you can use a variety of ways to
contact IBM Software Support.
For more information about these ways to resolve problems, see Appendix E,
“Support information,” on page 41.
Conventions used in this book
This reference uses several conventions for special terms and actions and for
operating system-dependent commands and paths.
Typeface conventions
This book uses the following typeface conventions:
Bold
• Lowercase commands and mixed case commands that are otherwise
difficult to distinguish from surrounding text
• Interface controls (check boxes, push buttons, radio buttons, spin
buttons, fields, folders, icons, list boxes, items inside list boxes,
multicolumn lists, containers, menu choices, menu names, tabs, property
sheets), labels (such as Tip:, and Operating system considerations:)
• Keywords and parameters in text
Italic
• Citations (examples: titles of books, diskettes, and CDs)
• Words defined in text (example: a nonswitched line is called a
point-to-point line)
• Emphasis of words and letters (words as words example: "Use the word
that to introduce a restrictive clause," letters as letters example: "The
LUN address must start with the letter L.")
• New terms in text (except in a definition list): a view is a frame in a
workspace that contains data.
• Variables and values you must provide: ... where myname represents...
Monospace
• Examples and code examples
• File names, programming keywords, and other elements that are difficult
to distinguish from surrounding text
• Message text and prompts addressed to the user
• Text that the user must type
• Values for arguments or command options
Operating system-dependent variables and paths
This guide uses the UNIX® convention for specifying environment variables and
for directory notation.
When using the Windows command line, replace $variable with %variable% for
environment variables and replace each forward slash (/) with a backslash (\) in
directory paths. The names of environment variables are not always the same in
Windows and UNIX. For example, %TEMP% in the Windows operating system is
equivalent to $tmp in a UNIX operating system.
Note: If you are using the bash shell on a Windows system, you can use the UNIX
conventions.
Definitions for HOME and other directory variables
The following table contains the default definitions that are used in this guide to
represent the HOME directory level for various product installation paths. You can
customize the installation directory and HOME directory for your specific
implementation. If this is the case, you need to make the appropriate substitution
for the definition of each variable represented in this table.
The value of path varies for these operating systems:
• Windows: drive:\Program Files
• AIX®: /usr
• Other UNIX: /opt
Path variable: DB_INSTANCE_HOME
Default definition:
  Windows: path\IBM\SQLLIB
  UNIX:
  • AIX, Linux®: /home/dbinstancename
  • Solaris: /export/home/dbinstancename
Description: The directory that contains the database for your Tivoli Identity Manager product.

Path variable: LDAP_HOME
Default definition:
  • For IBM Directory Server Version 5.2
    Windows: path\IBM\LDAP
    UNIX: path/IBM/LDAP
    – AIX, Linux: path/ldap
    – Solaris: path/IBMldaps
  • For IBM Directory Server Version 6.0
    Windows: path\IBM\LDAP
    UNIX: /opt/IBM/ldap/
    – AIX, Solaris: /opt/IBM/ldap/
    – Linux: /opt/ibm/ldap/
  • For Sun ONE Directory Server
    Windows: path\Sun\MPS
    UNIX: /var/Sun/mps
Description: The directory that contains the directory server code.

Path variable: IDS_instance_HOME
Default definition:
  For IBM Directory Server Version 6.0
  Windows: drive\idsslapd-instance_owner_name
  The value of drive might be C:\. An example of instance_owner_name might be
  ldapdb2. For example, the log file might be C:\idsslapd-itimldap\logs\ibmslapd.log
  UNIX: INSTANCE_HOME/idsslapd-instance_name
  On Linux and AIX systems, the default home directory is the
  /home/instance_name/idsslapd-instance_name directory. On Solaris systems, for
  example, the directory is the /export/home/itimldap/idsslapd-itimldap directory.
Description: The directory that contains the IBM Directory Server Version 6.0 instance.

Path variable: HTTP_HOME
Default definition:
  Windows: path\IBMHttpServer
  UNIX: path/IBMHttpServer
Description: The directory that contains the IBM HTTP Server code.

Path variable: ITIM_HOME
Default definition:
  Windows: path\IBM\itim
  UNIX: path/IBM/itim
Description: The base directory that contains the Tivoli Identity Manager code, configuration, and documentation.

Path variable: WAS_HOME
Default definition:
  Windows: path\IBM\WebSphere\AppServer
  UNIX: path/IBM/WebSphere/AppServer
Description: The WebSphere Application Server home directory.

Path variable: WAS_NDM_HOME
Default definition:
  Windows: path\IBM\WebSphere\DeploymentManager
  UNIX: path/IBM/WebSphere/DeploymentManager
Description: The home directory on the Deployment Manager.

Path variable: ITDI_HOME
Default definition:
  Windows:
  • for version 6.1.1: drive\Program Files\IBM\TDI\V6.1.1
  UNIX:
  • for version 6.1.1: /opt/IBM/TDI/V6.1.1
  The ITDI_HOME directory contains the jars/connectors subdirectory that contains
  files for the adapters. For example, the jars/connectors subdirectory contains the
  files for the UNIX adapter.
  Note: If Tivoli Directory Integrator is not automatically installed with your Tivoli
  Identity Manager product, the default directory path for Tivoli Directory
  Integrator might be as follows:
  path/IBM/IBMDirectoryIntegrator
Description: The directory where Tivoli Directory Integrator is installed.

Path variable: Tivoli_Common_Directory
Default definition:
  Windows: path\ibm\tivoli\common\
  UNIX: path/ibm/tivoli/common/
Description: The central location for all serviceability-related files, such as logs and first-failure data capture.
Chapter 1. Overview of the Oracle eBS Adapter
An adapter is a program that provides an interface between a managed resource
and the Tivoli Identity Manager server. Adapters might or might not reside on the
managed resource, and the Tivoli Identity Manager server manages access to the
resource by using your security system. Adapters function as trusted virtual
administrators on the target platform, performing such tasks as creating login IDs,
suspending IDs, and performing other functions administrators normally run
manually. The adapter runs as a service, independent of whether a user is logged
on to the Tivoli Identity Manager server.
The Oracle eBS Adapter enables communication between the Tivoli Identity
Manager server and an Oracle eBS user database, also referred to as a FND_USER
directory. The following sections provide information about the Oracle eBS
Adapter:
• “Features of the adapter”
• “Architecture of the adapter”
• “Supported configurations” on page 2
Features of the adapter
You can use the Oracle eBS Adapter to automate the following administrative
tasks:
• Adding new user accounts on the Oracle database
• Modifying the attributes of existing users
• Changing user account passwords
• Suspending and restoring existing user accounts
• Reconciling user accounts and other support data
Architecture of the adapter
IBM Tivoli Identity Manager communicates with the Oracle eBS Adapter to
administer the user accounts on the Oracle eBS. You can perform these actions on
an account: Add, Modify, Restore, and Suspend. You can also search for account
information and change an account password.
The Oracle eBS Adapter contains Tivoli Directory Integrator AssemblyLines that
serve one or more account operations. When the first request is sent from Tivoli
Identity Manager, the required AssemblyLine is loaded into Tivoli Directory
Integrator. The same AssemblyLine is then cached to serve subsequent operations of
the same type.
All Tivoli Directory Integrator-based adapters consist of the following components:
• RMI Dispatcher
• Tivoli Directory Integrator connector
• Tivoli Identity Manager adapter profile
Each component must be installed for the adapter to function correctly. You need
to install the RMI Dispatcher and the adapter profile; however, the Tivoli Directory
Integrator connector might already be installed with the base Tivoli Directory
Integrator product.
Figure 1 shows the various components that work together to complete user
management tasks in a Tivoli Directory Integrator environment.
For additional information about Tivoli Directory Integrator, see the Getting Started
Guide for your level of the IBM Tivoli Directory Integrator.
Supported configurations
The Oracle eBS Adapter supports different configurations. The fundamental
components in each environment are a Tivoli Identity Manager server, a Tivoli
Directory Integrator server, an Oracle eBS system, and the Oracle eBS Adapter. In
each configuration, the Oracle eBS Adapter must reside directly on the server
running the Tivoli Directory Integrator server.
For a single server configuration, you must install the Tivoli Identity Manager
server, Tivoli Directory Integrator server, and the Oracle eBS Adapter on one
server. The server communicates with an Oracle eBS, which is installed on a
different server. Refer to Figure 2.
[Figure 1. The architecture of the Oracle eBS Adapter]
[Figure 2. Example of a single server configuration. Components shown: Tivoli Identity Manager Server, Tivoli Directory Integrator Server, Adapter, Managed resource]
Chapter 2. Installing the Oracle eBS Adapter
For every Tivoli Directory Integrator-based adapter, the RMI Dispatcher must be
installed. If you already have the RMI Dispatcher installed from a previous
installation, you do not need to install it again unless there is an upgrade to the
RMI Dispatcher. You can run the RMI Dispatcher installer so that it can detect if
there are any upgrades that would require you to reinstall the RMI Dispatcher.
After ensuring that the RMI Dispatcher is correctly installed, you might need to
install the Tivoli Directory Integrator connector. Depending on your adapter, the
connector might already be installed as part of the Tivoli Directory Integrator
product and no further action is required. The final installation task is to import
the adapter profile.
The following sections provide information for installing and configuring the
adapter.
• “Prerequisites”
• “Installing the adapter” on page 4
• “Importing the adapter profile into the Tivoli Identity Manager server” on page 5
• “Creating an Oracle eBS Adapter service” on page 6
• “Starting and stopping the adapter service” on page 7
Prerequisites
Table 1 identifies the software and operating system prerequisites for the Oracle
eBS Adapter. Verify that all of the prerequisites have been met before installing the
adapter.
Table 1. Prerequisites to run the adapter

Prerequisite: Tivoli Directory Integrator server
Description:
  • 6.0
  • 6.1
  • 6.1.1

Prerequisite: Tivoli Identity Manager server (Enterprise or Express)
Description: Version 4.6

Prerequisite: Oracle eBS
Description: A system running Oracle eBS Release 11i (11.5.10)

Prerequisite: Oracle Thin JDBC Driver
  Note: See the online documentation for how to install the JDBC driver at
  (http://www.oracle.com/technology/software/tech/java/sqlj_jdbc/index.html).
Description:
  All JDBC drivers listed below can communicate with all the supported versions
  of Oracle except Oracle 10g r2:
  • JDBC 8.1.7 Driver
  • JDBC 9.0.1 Driver
  For Oracle 10g r2:
  • JDBC 10.2.0.1.0 Driver

Prerequisite: Network Connectivity
Description: The adapter must be installed on a system that can communicate with the Tivoli Identity Manager service through the TCP/IP network.

Prerequisite: System Administrator Authority
Description: A user with administrator privileges is needed for the installation.

The Oracle eBS Adapter and the appropriate Oracle Thin JDBC drivers must be
installed on the same system as the Tivoli Directory Integrator server.
For information on the prerequisites and supported operating systems for Tivoli
Directory Integrator, see the IBM Tivoli Directory Integrator 6.1.1: Administrator
Guide.
Tivoli Directory Integrator adapters solution directory
A Tivoli Directory Integrator adapters solution directory is a Tivoli Directory
Integrator work directory for Tivoli Identity Manager adapters. The installer must
have read and write access to the Tivoli Directory Integrator adapters solution
directory and read access to the Tivoli Directory Integrator home directory.
If this is the first Tivoli Directory Integrator-based adapter installation, then you
are prompted to enter a directory as your adapters solution directory for all the
Tivoli Directory Integrator-based adapters to be installed. The parent folder that
you enter for the adapters solution directory needs to exist.
For every subsequent adapter installation, the installer uses the adapters solution
directory that is already set in the global.properties file and does not prompt for an
adapters solution directory.
Installing the adapter
The Oracle eBS Adapter uses the Tivoli Directory Integrator JDBC connector. This
connector is available with the base Tivoli Directory Integrator product. Because
the Tivoli Directory Integrator JDBC connector is already installed, you only need
to install the RMI Dispatcher. The RMI Dispatcher installer is included in the
Oracle eBS Adapter compressed file.
The RMI Dispatcher has several different types of installer binaries. Select the one
appropriate for your operating system.
• For Linux operating systems only: DispatcherInstall_linux.bin
• For Windows operating systems only: DispatcherInstall_win.exe
• For all operating systems: DispatcherInstall.jar
Note: If you are running on a 64-bit operating system, you must use the Tivoli
Directory Integrator-supplied JVM. The JVM is located in
ITDI_HOME/jvm/jre/bin/, where ITDI_HOME is the directory where Tivoli
Directory Integrator is installed.
This can be accomplished either by:
• Ensuring that the first JVM path in the PATH environment variable is set
to ITDI_HOME/jvm/jre/bin
• Running the Java-based installer
ITDI_HOME/jvm/jre/bin/java -jar DispatcherInstall.jar
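A pre-install check for the two requirements described above (access to the adapters solution directory and use of the Tivoli Directory Integrator JVM), as an added example that is not part of the IBM guide. It assumes ITDI_HOME and TDI_SOLUTION_DIR are exported as environment variables (the second name is hypothetical) and that the parent folder must be writable when the solution directory does not exist yet.

```shell
#!/bin/sh
# Pre-install checks for the RMI Dispatcher installer (added example, not IBM code).

# Succeeds when the first `java` on PATH is the JVM shipped in ITDI_HOME/jvm/jre/bin.
# Return codes: 0 = bundled JVM is first, 1 = another JVM wins, 2 = bundled JVM missing.
tdi_jvm_is_first() {
    jvm_expected="$1/jvm/jre/bin/java"
    [ -x "$jvm_expected" ] || { echo "missing TDI JVM: $jvm_expected" >&2; return 2; }
    jvm_found=$(command -v java 2>/dev/null) || { echo "no java on PATH" >&2; return 1; }
    # Compare physical directories so symlinked install paths still match.
    jvm_expected_dir=$(cd "$(dirname "$jvm_expected")" && pwd -P)
    jvm_found_dir=$(cd "$(dirname "$jvm_found")" && pwd -P)
    [ "$jvm_expected_dir" = "$jvm_found_dir" ]
}

# Prints the command line to use for the Java-based installer. When PATH does not
# resolve to the bundled JVM first, the full path form from the guide is printed.
installer_command() {
    if tdi_jvm_is_first "$1" 2>/dev/null; then
        echo "java -jar DispatcherInstall.jar"
    else
        echo "$1/jvm/jre/bin/java -jar DispatcherInstall.jar"
    fi
}

# Checks the directory requirements for the installing account:
#   - read access to the Tivoli Directory Integrator home directory
#   - read and write access to the adapters solution directory, or, when it does
#     not exist yet, an existing parent folder (assumed here to need write access)
solution_dir_ok() {
    sd_home=$1
    sd_dir=$2
    [ -d "$sd_home" ] && [ -r "$sd_home" ] || {
        echo "cannot read TDI home: $sd_home" >&2; return 1; }
    if [ -d "$sd_dir" ]; then
        [ -r "$sd_dir" ] && [ -w "$sd_dir" ] || {
            echo "need read and write access to: $sd_dir" >&2; return 1; }
    else
        sd_parent=$(dirname "$sd_dir")
        [ -d "$sd_parent" ] || {
            echo "parent folder does not exist: $sd_parent" >&2; return 1; }
        [ -w "$sd_parent" ] || {
            echo "cannot create solution directory in: $sd_parent" >&2; return 1; }
    fi
    return 0
}

# Runs both checks and reports which installer command to use.
preflight() {
    pf_rc=0
    solution_dir_ok "$1" "$2" || pf_rc=1
    if [ -x "$1/jvm/jre/bin/java" ]; then
        echo "launch installer with: $(installer_command "$1")"
    else
        echo "Tivoli Directory Integrator JVM not found under $1" >&2
        pf_rc=1
    fi
    return "$pf_rc"
}

# Stand-alone use: export both variables, then run this script.
if [ -n "${ITDI_HOME:-}" ] && [ -n "${TDI_SOLUTION_DIR:-}" ]; then
    preflight "$ITDI_HOME" "$TDI_SOLUTION_DIR"
fi
```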
Running the installer
For zOS installation, see Appendix B, “Installing on a zOS operating system,” on
page 35.
Note: All directory paths and binaries for this procedure apply to Windows
operating systems. Change them as needed for other operating systems.
To run the installer:
1. Download the Oracle eBS Adapter compressed file from the IBM Web site.
Contact your IBM account representative for the Web address and download
instructions.
2. Extract the contents of the compressed file into a temporary directory and
navigate to that directory.
3. Start the installation program using the DispatcherINSTALL file in the
temporary directory. For example on a Windows operating system, select Run...
from the Start menu and type C:\Temp\Dispatcher_win.exe in the Open field.
Note: If you are running the Tivoli Directory Integrator on platforms other
than Linux or Windows operating systems, run the Java-based installer.
Use the java.exe that comes with Tivoli Directory Integrator to launch the
install. The java.exe is located in the ITDI_HOME\jvm\jre\bin directory.
Issue the command:
ITDI_HOME/jvm/jre/bin/java -jar DispatcherInstall.jar
4. In the Welcome window, click Next.
5. In the License Agreement window, review the license agreement and decide if
you accept the terms of the license. If you do, click Accept, and then click Next.
6. In the Tivoli Directory Integrator Based Adapter Installer window, specify the
location where Tivoli Directory Integrator is installed. You can accept the
default location, or click Browse to specify a different directory. Then, click
Next.
7. If this is the first Tivoli Directory Integrator-based adapter installation, you are
prompted in the Adapter Solution Directory panel to specify the adapters
solution directory to be used for the Tivoli Directory Integrator-based Tivoli
Identity Manager adapters. If the adapters solution directory has been specified
during a previous Tivoli Directory Integrator-based adapter installation, the
prompt is not displayed.
8. In the confirmation window that displays the components that are to be
installed and the upgrades that are to be completed, click Install to begin the
installation. Otherwise, click Back to make changes.
9. In the Installation Completed window, click Finish to exit the program.
Importing the adapter profile into the Tivoli Identity Manager server
An adapter profile defines the types of resources that the Tivoli Identity Manager
server can manage. The profile is used to create an Oracle eBS Adapter service on
the Tivoli Identity Manager server. You must import the adapter profile into the
Tivoli Identity Manager server before using the Oracle eBS Adapter.
Before you import the adapter profile, verify that the following conditions are met:
- The Tivoli Identity Manager server is installed and running.
- You have root or Administrator authority on the Tivoli Identity Manager server.
The adapter profile is included in the JAR file for the adapter, OraEBSProfile.jar. To
import the adapter profile, complete these steps:
1. Log in to the Tivoli Identity Manager server using an account that has the
authority to perform administrative tasks.
2. Import the adapter profile (or service type) using the import service type
feature for your IBM Tivoli Identity Manager product. Refer to the information
center or the online help for specific instructions about importing service types.
When you import the adapter profile, if you receive an error related to the schema,
refer to the trace.log file for information about the error. The trace.log file location
is specified using the handler.file.fileDir property defined in the IBM Tivoli
Identity Manager enRoleLogging.properties file. The enRoleLogging.properties file
is installed in the IBM Tivoli Identity Manager \data directory.
Creating an Oracle eBS Adapter service
You must create a service for the Oracle eBS Adapter before the Tivoli Identity
Manager server can use the adapter to communicate with the managed resource.
The Oracle eBS Adapter profile name is “Oracle EBS Adapter Service Profile”.
To create a service, complete these steps:
1. Log in to the Tivoli Identity Manager server using an account that has the
authority to perform administrative tasks.
2. Create the service using the information for your IBM Tivoli Identity Manager
product. Refer to the information center or the online help for specific
instructions about creating a service.
To create or change a service, you must use the service form to provide
information for the service. Service forms might vary depending on the adapter.
Note: If the following fields on the service form are changed for an existing
service, the IBM Tivoli Identity Manager Adapter service on the Tivoli
Directory Integrator server needs to be restarted.
- Service Name
- Password
- Owner
- Service prerequisite
See “Starting and stopping the adapter service” on page 7.
The Oracle eBS Adapter service form contains the following fields:
Service name
Specify a name that defines this service on the Tivoli Identity Manager
server.
Description
Optional: Specify a description for this service.
Tivoli Directory Integrator location
Optional: Specify the URL for the Tivoli Directory Integrator instance. Valid
syntax is rmi://ip-address:port/ITDIDispatcher, where ip-address is the
Tivoli Directory Integrator host and port is the port number for the RMI
Dispatcher. The default URL is
rmi://localhost:16231/ITDIDispatcher
See “Changing the port number for the RMI Dispatcher” on page 11 for
information about changing the port number.
Oracle eBS Service Name
Specify the service name of the Oracle eBS database instance to which the
adapter is going to connect.
Oracle eBS Service Host
Specify the host workstation on which the Oracle eBS database instance is
running.
Oracle eBS Service Port
Specify the port on which the Oracle eBS database service is listening.
Administrator Name
Specify the user that has access to the Oracle eBS database to log in and
perform administrative operations.
Password
Specify the password for the administrator user.
Owner
Optional: Specify a Tivoli Identity Manager user as a service owner.
Service Prerequisite
Optional: Specify a Tivoli Identity Manager service that is prerequisite to
this service.
Starting and stopping the adapter service
After you edit the properties file for the adapter, you must stop and restart the
adapter service in order for the changes to take effect. The method used to stop
and restart the adapter depends on the operating system.
AIX operating systems
The adapter installer creates a subsystem called ITIMAd when the adapter
is first installed. ITIM_RMI.xml is the configuration file. Use these
commands to start and stop the adapter service.
startsrc -s ITIMAd
stopsrc -c -s ITIMAd
The adapter service runs the ibmdisrv.bat command. The bat file starts a
Java™ process that does not stop when the adapter service is stopped. To
stop this process, obtain the process ID (PID) and then kill the process.
- To obtain the PID of the process, type this command:
  ps -ef | grep <ITDI_HOME_DIR>/_jvm/jre/bin/
  where ITDI_HOME_DIR is the directory where Tivoli Directory Integrator is installed.
- To kill the process, type this command: kill -9 <pid>
HP-UX operating systems
The adapter installer copies the ITIMAd script file to the adapters solution
directory. This directory is a separate solution directory for all Tivoli
Directory Integrator-based Tivoli Identity Manager adapters. From this
directory, type these commands to start, stop, and restart the adapter
service.
ITIMAd start
ITIMAd stop
ITIMAd restart
Linux or Solaris operating systems
The adapter installer automatically copies the ITIMAd script file to the
/etc/init.d/ directory when the adapter is installed. From the /etc/init.d/
directory, type these commands to start, stop, and restart the adapter
service.
ITIMAd start
ITIMAd stop
ITIMAd restart
Windows operating systems
From the Control Panel, select Administrative Tools -> Services. From the
Services menu, you can start and stop the adapter service. The service
name is IBM Tivoli Identity Manager Adapter.
zOS operating systems
Navigate to the adapter solution directory and enter the following
commands:
1. To start the adapter:
% ./ITIMAd start
2. To verify that the process ibmdisrv_ascii is running:
% ps -ef | grep ibmdisrv_ascii
3. To stop the adapter:
% ./ITIMAd stop
4. To verify that the process ibmdisrv_ascii is not running:
% ps -ef | grep ibmdisrv_ascii
Chapter 3. Configuring the Oracle eBS Adapter
This chapter describes the configuration options for the Oracle eBS Adapter. The
following sections provide information for configuring the adapter.
- “Customizing the Oracle eBS Adapter profile”
- “Configuration properties of the adapter” on page 10
- “Changing the port number for the RMI Dispatcher” on page 11
- “Configuring logging for the adapter” on page 11
Customizing the Oracle eBS Adapter profile
To customize the Oracle eBS Adapter profile, you must make changes to the Oracle
eBS Adapter JAR file, OraEBSProfile.jar. You might customize the adapter profile to
make changes to the account form or the service form.
The OraEBSProfile.jar file is included in the Oracle eBS Adapter compressed file
that you downloaded from the IBM Web site.
Note: You cannot modify the schemas for this adapter. Attributes cannot be added
to or deleted from the schema.
- Service.def
- Schema.dsml
- CustomLabels.properties
- erOracleEBSAccount.xml
- erOracleEBSRMIService.xml
- OracleEBSAdapter.xml
- OracleEBSManageUserAL.xml
- OracleEBSSearchUserAL.xml
To edit the OraEBSProfile.jar file, complete these steps:
1. Log in to the system where the Oracle eBS Adapter is installed.
2. Copy the OraEBSProfile.jar file into a temporary directory.
3. Extract the contents of the OraEBSProfile.jar file into the temporary directory by
running the following command.
jar -xvf OraEBSProfile.jar
The jar command extracts the files into the OraEBSProfile directory.
4. Edit the file that you want to change.
After you edit the file, you must import the file into the Tivoli Identity Manager
server for the changes to take effect.
To import the file, complete these steps:
1. Create a new JAR file using the files in the /tmp directory by running the
following commands:
cd c:\temp
jar -cvf OraEBSProfile.jar OraEBSProfile
2. Import the OraEBSProfile.jar file into the Tivoli Identity Manager Application
server. For more information on importing the JAR file, refer to “Importing the
adapter profile into the Tivoli Identity Manager server” on page 5.
3. Stop and start the Tivoli Identity Manager server.
4. Stop and start the Oracle eBS Adapter service. See “Starting and stopping the
adapter service” on page 7 for information about stopping and starting the
adapter service.
Configuration properties of the adapter
The global.properties and the itim_listener.properties files contain the configuration
properties for the adapters. To configure the properties for an adapter, you must
change one of these files. Table 2 lists the properties contained in the properties
files.
Table 2. Configuration properties for the adapter

| Property | Properties file | Description |
| --- | --- | --- |
| ALShutdownTimeout | itim_listener.properties | Specifies the amount of time, in seconds, before the RMI Dispatcher should shut down when a shutdown request is sent to the dispatcher. All assembly lines that are being maintained are terminated when the dispatcher shuts down. The default value is 300 seconds, which is five minutes. |
| com.ibm.di.dispatcher.bindName | global.properties | Specifies the RMI bind name to be used. The default value is ITDIDispatcher. |
| com.ibm.di.dispatcher.disableConntectorCache | global.properties | Specifies whether the RMI Dispatcher should cache the connection to the managed resource so that no new connections are established upon subsequent calls. In this case, the same connection is used for all calls. The default value is true. |
| com.ibm.di.dispatcher.objectPort | global.properties | Specifies the port on which the actual Dispatcher remote object listens for RMI requests. The default value is 0, which means a random port is selected at runtime. |
| com.ibm.di.dispatcher.registryPort | global.properties | Specifies the port on which the RMI Dispatcher listens for provisioning requests from IBM Tivoli Identity Manager. The default value is 16231. |
| SearchALUnusedTimeout | itim_listener.properties | Specifies the amount of time, in seconds, to wait before deleting assembly lines that have not been used. The default value is 600 seconds, which is 10 minutes. |
| SearchReaperThreadTimeOut | itim_listener.properties | Specifies the amount of time, in seconds, to release data from memory. This property is used during a reconciliation response. The default value is 300 seconds, which is five minutes. |
| SearchResultSetSize | itim_listener.properties | Specifies the number of records, per response, returned during a reconciliation between IBM Tivoli Identity Manager and the adapter. The default value is 100. |
Changing the port number for the RMI Dispatcher
If the Remote Method Invocation (RMI) Dispatcher is run as a service, by default,
the port number is 16231. The installer automatically sets this parameter in the
global.properties file.
If the Tivoli Directory Integrator home directory is the same directory as the IBM
Solutions directory, change the port number in the global.properties file. Otherwise,
change the port number in the solutions.properties file in the IBM Solutions
directory. To change the port number for the dispatcher, complete these steps.
1. Stop the service that is used to run the adapter. Refer to “Starting and stopping
the adapter service” on page 7 for information about stopping and starting the
Oracle eBS Adapter service.
2. Change the global.properties file or the solutions.properties file to use the
correct port number.
com.ibm.di.dispatcher.registryPort=16231
3. Start the service again.
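After a port change, the URL in the service form must still match the dispatcher properties. The following check is an added example, not part of the IBM guide or the adapter; the function names and the sample properties text are assumptions, and the defaults are the ones listed in Table 2.

```python
from urllib.parse import urlsplit

# Defaults as listed in Table 2 of this guide.
DEFAULTS = {
    "com.ibm.di.dispatcher.registryPort": "16231",
    "com.ibm.di.dispatcher.bindName": "ITDIDispatcher",
    "com.ibm.di.dispatcher.objectPort": "0",
}

# Constructed sample: a properties file after the registry port was changed
# and the object port was pinned. Not taken from a real installation.
SAMPLE_PROPERTIES = """\
# constructed sample
com.ibm.di.dispatcher.registryPort=16232
com.ibm.di.dispatcher.objectPort=16233
"""


def load_properties(text):
    """Parse key=value lines, skipping blank lines and #/! comments."""
    pairs = (l.split("=", 1) for l in map(str.strip, text.splitlines())
             if l and l[0] not in "#!" and "=" in l)
    return {k.strip(): v.strip() for k, v in pairs}


def check_dispatcher_url(url, properties_text):
    """Compare a service-form URL with the dispatcher properties.

    Returns a list of (code, message) findings. An empty list means the URL
    matches the properties and the remote object port is fixed.
    """
    props = {**DEFAULTS, **load_properties(properties_text)}
    registry_port = props["com.ibm.di.dispatcher.registryPort"]
    bind_name = props["com.ibm.di.dispatcher.bindName"]
    findings = []

    parts = urlsplit(url.strip())
    if parts.scheme != "rmi":
        findings.append(("scheme", f"expected rmi://, got {parts.scheme or 'no scheme'}"))
    if not parts.hostname:
        findings.append(("host", "URL has no host"))

    try:
        port = parts.port          # raises ValueError for a non-numeric port
    except ValueError:
        port = None
    if port is None:
        findings.append(("port", "URL has no valid port number"))
    elif str(port) != registry_port:
        findings.append(("port", f"URL uses port {port}, registryPort is {registry_port}"))

    if parts.path.strip("/") != bind_name:
        findings.append(("bind-name", f"URL path is {parts.path!r}, bindName is {bind_name}"))

    # objectPort=0 means the remote object port is chosen at runtime, so a
    # firewall rule that only allows the registry port does not cover it.
    if props["com.ibm.di.dispatcher.objectPort"] == "0":
        findings.append(("object-port", "objectPort=0: remote object port is random at runtime"))
    return findings


if __name__ == "__main__":
    for code, message in check_dispatcher_url(
            "rmi://localhost:16231/ITDIDispatcher", SAMPLE_PROPERTIES):
        print(f"{code}: {message}")
```

Run it against the contents of global.properties or solutions.properties, whichever file holds the dispatcher settings for the installation.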
Configuring logging for the adapter
Log files might provide information that is helpful for diagnosing and
troubleshooting problems with the adapter. The type of information collected in
your log file is determined by the settings in the log4j.properties file. To configure
logging for the adapter, you must update this file.
In Tivoli Directory Integrator versions 6.1 or later, the file is located in the
adapter solutions/etc directory. To find the location of the adapter solutions directory,
search for the ADAPTER_SOLDIR entry in the global.properties file, which is
located in your ITDI_HOME/etc directory.
When multiple adapters are running on the same server where Tivoli Directory
Integrator is installed, logging information for the adapters is stored in the same
log file. The RMI Dispatcher logs are also stored in this log file. You cannot
configure logging to store information about the different components in different
log files.
After you complete the changes to the log4j.properties file, you must stop and
restart the service for the adapter to view the configuration changes.
The following sections contain information about configuring logging for the
adapter.
Naming the log file
The log4j.appender.Default.file entry in the log4j.properties file is used to configure
the name of the log file. To change the name of the log file, change the value of
log4j.appender.Default.file. In the example below, the log file generated is
ibmdi.log.
log4j.appender.Default.file=ibmdi.log
Sizing the log file
The log4j.appender.Default.MaxFileSize entry in the log4j.properties file is used to
configure the maximum size of the log file. For example,
log4j.appender.Default.MaxFileSize=8MB
The number of log files generated is determined by the
log4j.appender.Default.MaxBackupIndex entry. In the example below, the number
of log files generated is 10.
log4j.appender.Default.MaxBackupIndex=10
Configuring logging levels
The Directory Integrator-based adapter logging level is determined by the
log4j.rootCategory attribute in the log file. The four levels for logging information
are ERROR, WARN, INFO, and DEBUG. By default the logging level is set to
INFO.
Other Tivoli Directory Integrator components might have their own log level set.
These settings are not changed by the log4j.rootCategory setting. For example, the
log4j.logger.com.ibm.di.config and log4j.logger.com.ibm.di.loader logging categories
are set to WARN by default. To control the level of information logged, you can
either edit the component log level settings to match the
log4j.rootCategory setting or comment out the individual component
logging statements.
For example, if you set the log4j.rootCategory logging level to ERROR,
log4j.rootCategory=ERROR
you would also need to change the component logging level settings
log4j.logger.com.ibm.di.config=ERROR
log4j.logger.com.ibm.di.loader=ERROR
or comment out the statements.
# log4j.logger.com.ibm.di.config=WARN
# log4j.logger.com.ibm.di.loader=WARN
DEBUG
The DEBUG level logs all of the details related to a specific operation. This
is the highest level of logging. If logging is set to DEBUG, all other levels
of logging information are displayed in the log file.
ERROR
The ERROR level logs only error conditions. The ERROR level provides the
lowest amount of logging information.
INFO
The INFO level logs information about workflow. It generally explains how
an operation occurs.
WARN
The WARNING level logs information when an operation completes
successfully but there are issues with the operation.
Displaying logs in the user interface
If the RMI Dispatcher is running from the command prompt by calling ibmdisrv
(ibmdisrv.bat file for Windows operating systems and ibmdisrv for UNIX and
Linux operating systems), the logs can be displayed on the console. To display the
logs on the console:
1. Set the TDI_SOLDIR environment variable to the Tivoli Directory Integrator
adapters solution directory.
2. Change your working directory to the Tivoli Directory Integrator adapters
solution directory.
3. Edit the log4j.properties file located in the etc directory under the Tivoli
Directory Integrator adapters solution directory:
- Add CONSOLE to the log4j.rootCategory.
  log4j.rootCategory=DEBUG, Default, CONSOLE
- Uncomment the log4j.appender.CONSOLE lines:
  log4j.appender.CONSOLE=org.apache.log4j.ConsoleAppender
  log4j.appender.CONSOLE.layout=org.apache.log4j.PatternLayout
  log4j.appender.CONSOLE.layout.ConversionPattern=%d [%t] %-5p - %m%n0
4. To run the RMI Dispatcher from the command line, at the command prompt
for the Tivoli Directory Integrator adapters solution directory issue the
following commands:
For Windows operating systems
cd c:\Program Files\IBM\TDI\V6.1.1\timsol
set TDI_SOLDIR="c:\Program Files\IBM\TDI\V6.1.1\timsol"
"c:\Program Files\IBM\TDI\V6.1.1\ibmdisrv.bat" -c ITIM_RMI.xml -d
For UNIX and Linux operating systems
cd /opt/IBM/TDI/V6.1.1/timsol
export TDI_SOLDIR=/opt/IBM/TDI/V6.1.1/timsol
/opt/IBM/TDI/V6.1.1/ibmdisrv -c ITIM_RMI.xml -d
Appending information to an existing log file
By default, log file information is deleted and created again each time the RMI
Dispatcher starts. To append information to an existing log file before or after the
dispatcher starts, change the value of the following entry from false to true in the
log4j.properties file: log4j.appender.Default.append. For example,
log4j.appender.Default.append=true
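The logging sections above describe three things that are easy to get out of step: the root level, the per-component levels that the root setting does not change, and appenders named in log4j.rootCategory whose definition lines are still commented out. The audit below is an added example, not part of the IBM guide or the adapter; the function names and the sample file are assumptions.

```python
# Levels in the order the guide describes them, least to most verbose.
LEVELS = ["ERROR", "WARN", "INFO", "DEBUG"]

# Constructed sample: root level lowered to ERROR and CONSOLE added, but the
# component levels and the CONSOLE appender line were not updated.
SAMPLE_LOG4J = """\
log4j.rootCategory=ERROR, Default, CONSOLE
log4j.appender.Default=org.apache.log4j.FileAppender
log4j.appender.Default.file=ibmdi.log
#log4j.appender.CONSOLE=org.apache.log4j.ConsoleAppender
log4j.logger.com.ibm.di.config=WARN
log4j.logger.com.ibm.di.loader=WARN
"""


def load_properties(text):
    """Parse key=value lines, skipping blank lines and #/! comments."""
    pairs = (l.split("=", 1) for l in map(str.strip, text.splitlines())
             if l and l[0] not in "#!" and "=" in l)
    return {k.strip(): v.strip() for k, v in pairs}


def audit_log4j(text):
    """Summarize the effective logging setup of a log4j.properties file."""
    props = load_properties(text)

    # rootCategory is "<level>, <appender>, <appender>..."; INFO is the
    # default level according to the guide.
    root = [p.strip() for p in props.get("log4j.rootCategory", "INFO").split(",")]
    root_level = root[0].upper()
    appenders = [p for p in root[1:] if p]

    # An appender named in rootCategory needs an active (uncommented)
    # log4j.appender.<name>= line, otherwise nothing is written to it.
    undefined = [a for a in appenders if f"log4j.appender.{a}" not in props]

    # Component categories keep their own level regardless of the root level.
    overrides = {}
    prefix = "log4j.logger."
    for key, value in props.items():
        if not key.startswith(prefix):
            continue
        level = value.split(",")[0].strip().upper()
        if level in LEVELS and root_level in LEVELS and level != root_level:
            more = LEVELS.index(level) > LEVELS.index(root_level)
            relation = "more" if more else "less"
            overrides[key[len(prefix):]] = (level, f"{relation} verbose than root")

    # By default the log file is recreated each time the dispatcher starts.
    append = props.get("log4j.appender.Default.append", "false").lower() == "true"

    return {
        "root_level": root_level,
        "appenders": appenders,
        "undefined_appenders": undefined,
        "overrides": overrides,
        "append": append,
    }


if __name__ == "__main__":
    for name, value in audit_log4j(SAMPLE_LOG4J).items():
        print(f"{name}: {value}")
```

With append left at false, log entries from before the last dispatcher restart are gone, which matters when the log is needed to reconstruct earlier provisioning activity.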
Managing passwords when restoring accounts
How each restore action interacts with its corresponding managed resource
depends on either the managed resource, or the business processes that you
implement. Certain resources reject a password when a request is made to restore
an account. In this case, you can configure IBM Tivoli Identity Manager to forego
the new password requirement. You can set the Oracle eBS Adapter to require a
new password when the account is restored, if your company has a business
process in place that dictates that the account restoration process must be
accompanied by resetting the password.
In the service.def file, you can define whether a password is required as a new
protocol option. When you import the adapter profile, if an option is not specified,
the adapter profile importer determines the correct restoration password behavior
from the schema.dsml file. Adapter profile components also enable remote services
to find out if you discard a password that is entered by the user in a situation
where multiple accounts on disparate resources are being restored. In this
situation, only some of the accounts being restored might require a password.
Remote services will discard the password from the restore action for those
managed resources that do not require them.
Edit the service.def file to add the new protocol options, for example:
<Property Name = "com.ibm.itim.remoteservices.ResourceProperties.PASSWORD_NOT_REQUIRED_ON_RESTORE">
<value>true</value>
</Property>
<Property Name = "com.ibm.itim.remoteservices.ResourceProperties.PASSWORD_NOT_ALLOWED_ON_RESTORE">
<value>false</value>
</Property>
By adding the two options in the example above, you are ensuring that you will
not be prompted for a password when an account is restored.
Chapter 4. Configuring SSL authentication for the Oracle eBS Adapter
When configuring Secure Sockets Layer (SSL) communication for the Tivoli
Directory Integrator-based adapters, you are configuring SSL between WebSphere
Application Server and Tivoli Directory Integrator. There are steps needed to
configure the Tivoli Directory Integrator to use SSL as well as the steps needed to
configure WebSphere using the default keystore and default truststore. For
additional WebSphere SSL configuration information, see the WebSphere online
help available from the WebSphere Application Server Administrative Console.
SSL terminology
SSL server
For this SSL configuration, the Tivoli Directory Integrator side is the SSL
Server. It listens for connection requests.
SSL client
For these SSL configurations the workstation on which the Tivoli Identity
Manager server and the WebSphere Application Server are installed is the
SSL client. It issues connection requests to the Tivoli Directory Integrator.
Signed certificates
A signed digital certificate is an industry-standard method of verifying the
authenticity of an entity, such as a server, client, or application. Signed
certificates are issued by a third-party certificate authority for a fee. Some
utilities, such as the iKeyman utility, can also issue signed certificates. A
Certificate Authority or CA certificate must be used to verify the origin of
a signed digital certificate.
Signer certificates (Certificate Authority certificates)
A Certificate Authority (CA) certificate must be used to verify the origin of
a signed digital certificate. When an application receives another
application’s signed certificate, it uses a CA certificate to verify the
originator of the certificate. Many applications, such as Web browsers, are
configured with the CA certificates of well-known certificate authorities to
eliminate or reduce the task of distributing CA certificates throughout the
security zones in a network.
Self-signed certificates
A self-signed certificate contains information about the owner of the
certificate and the owner’s signature. Basically, it is a signed certificate and
CA certificate in one. If you choose to use self-signed certificates, you must
extract the CA certificate from it in order to configure SSL.
SSL keystore
The SSL keystore is a key database file designated as a keystore. It contains
the SSL certificate.
Note: The keystore and truststore can be the same physical file.
SSL truststore
The SSL truststore is a key database file designated as a truststore. The SSL
truststore contains the list of signer certificates (CA certificates) that define
which certificates the SSL protocol trusts. Only a certificate issued by one
of these listed trusted signers is accepted.
Note: The truststore and keystore can be the same physical file.
One-way SSL authentication
For one-way SSL, a keystore and certificate are required only on the SSL
server side (Tivoli Directory Integrator server) and a truststore is
required only on the SSL client side (the Tivoli Identity Manager server).
Two-way SSL authentication (client-side authentication)
For SSL using two-way SSL (client-side) authentication, both a keystore
with a certificate, and a truststore containing the signer certificate that
issued the other side’s certificate, are required on both the SSL server and
SSL client sides.
SSL configurations
The following steps describe how to configure WebSphere Application Server and
Tivoli Directory Integrator for one-way or two-way SSL communication. If you
need more information about any of the steps, go to the referenced task for the
detailed steps.
Configuring for one-way SSL authentication
To configure one-way SSL perform the following tasks:
1. Create a keystore for the Tivoli Directory Integrator server. See “Creating a
keystore for the Tivoli Directory Integrator server” on page 18.
2. Create a truststore for the Tivoli Directory Integrator server. See “Creating a
truststore for the Tivoli Directory Integrator server” on page 19.
3. Create a certificate for the Tivoli Directory Integrator server. See “Creating a
server-signed certificate for the Tivoli Directory Integrator server” on page 19.
4. Create a CA certificate for the Tivoli Directory Integrator server. See “Creating
a CA certificate for Tivoli Directory Integrator” on page 20.
5. Import the Tivoli Directory Integrator CA certificate into the WebSphere
Application Server truststore. See “Importing the Tivoli Identity Manager CA
certificate into the WebSphere Application Server truststore” on page 22.
6. Configure Tivoli Directory Integrator to use the keystores. See “Configure
Tivoli Directory Integrator to use the keystores” on page 20.
[Figure 3. One-way SSL authentication (server authentication). Tivoli Identity Manager (SSL client): truststore containing CA certificate “A”. Tivoli Directory Integrator (SSL server): keystore containing certificate “A”.]
Note: The editing of the solution.properties file for steps 6, 7, and 8 can be
done in one operation. Doing so eliminates the need for a stop and
restart of the adapter service at the end of steps 6 and 7.
7. Configure Tivoli Directory Integrator to use the truststores. See “Configure
Tivoli Directory Integrator to use the truststores” on page 21.
8. Enable the adapter service to use SSL. See “Enabling the adapter service to
use SSL” on page 21.
9. Stop and restart the adapter service. See “Starting and stopping the adapter
service” on page 7.
10. Stop and restart WebSphere Application Server.
Note: The truststore is not needed on the Tivoli Directory Integrator server for
one-way SSL, but the configuration of truststore is needed for the RMI SSL
initialization to succeed.
Configuring for two-way SSL authentication
To configure two-way SSL perform the following tasks:
1. Create a keystore for the Tivoli Directory Integrator server. See “Creating a
keystore for the Tivoli Directory Integrator server” on page 18.
2. Create a truststore for the Tivoli Directory Integrator server. See “Creating a
truststore for the Tivoli Directory Integrator server” on page 19.
3. Create a certificate for the Tivoli Directory Integrator server. See “Creating a
server-signed certificate for the Tivoli Directory Integrator server” on page 19.
4. Create a CA certificate for the Tivoli Directory Integrator server. See “Creating
a CA certificate for Tivoli Directory Integrator” on page 20.
5. Import the Tivoli Directory Integrator CA certificate into the WebSphere
Application Server truststore. See “Importing the Tivoli Identity Manager CA
certificate into the WebSphere Application Server truststore” on page 22.
6. Configure Tivoli Directory Integrator to use the keystores. See “Configure
Tivoli Directory Integrator to use the keystores” on page 20.
[Figure 4. Two-way SSL authentication (client authentication). Tivoli Identity Manager (SSL client): truststore containing CA certificate “A”, keystore containing certificate “B”. Tivoli Directory Integrator (SSL server): truststore containing CA certificate “B”, keystore containing certificate “A”.]
Note: The editing of the solution.properties file for steps 6, 7, and 8 can be
done in one operation. Doing so eliminates the need for a stop and
restart of the adapter service at the end of steps 6 and 7.
7. Configure Tivoli Directory Integrator to use the truststores. See “Configure
Tivoli Directory Integrator to use the truststores” on page 21.
8. Enable the adapter service to use SSL. See “Enabling the adapter service to
use SSL” on page 21.
9. Create a certificate for the Tivoli Identity Manager server. See “Creating a
signed certificate for the Tivoli Identity Manager server” on page 21.
10. Create a CA certificate for Tivoli Identity Manager. See “Creating a WebSphere
Application Server CA certificate for Tivoli Identity Manager” on page 22.
11. Import WAS CA Certificate into Tivoli Directory Integrator truststore. See
“Importing the WebSphere Application Server CA certificate into the Tivoli
Directory Integrator truststore” on page 20.
12. Stop and restart the adapter service. See “Starting and stopping the adapter
service” on page 7.
13. Stop and restart WebSphere Application Server.
Task performed on the SSL server (Tivoli Directory Integrator server
workstation)
The Tivoli Directory Integrator acts as the SSL server. All of these tasks are
performed on the Tivoli Directory Integrator server.
Note: The file names and locations such as tdikeys.jks and ITDI_HOME\keys used
in these tasks are examples and are used for consistency. Your actual file names
and locations might be different.
Creating a keystore for the Tivoli Directory Integrator server
A keystore is a database of private keys and the associated certificates needed to
authenticate the corresponding public keys. Digital certificates are stored in a
keystore file. A keystore also manages certificates from trusted entities.
Note: The keystore can be the same physical file as the truststore.
1. Navigate to the ITDI_HOME\jvm\jre\bin directory.
2. Launch the ikeyman.exe file (Windows operating systems) or ikeyman
(Unix/Linux operating systems).
3. Select Key Database File > New.
4. Select key database type of JKS.
5. Type the keystore file name: tdikeys.jks.
6. Type the location: ITDI_HOME\keys.
Note: This directory must already exist, otherwise the step fails.
7. Click OK.
8. Type a password for the keystore, for example, secret.
9. Click OK to continue.
Creating a truststore for the Tivoli Directory Integrator server
A truststore is a database of public keys for target servers. The SSL truststore
contains the list of signer certificates (CA certificates) that define which certificates
the SSL protocol trusts. Only a certificate issued by one of these listed trusted
signers can be accepted.
Note: The truststore can be the same physical file as the keystore. You can skip
this task if you choose to use the same file for keystore and truststore.
1. Navigate to the ITDI_HOME\jvm\jre\bin directory.
2. Launch the ikeyman.exe file (Windows operating systems) or ikeyman (UNIX
or Linux operating systems).
3. Select Key Database File > New.
4. Select key database type of JKS.
5. Type the keystore file name: tditrust.jks.
6. Type the location: ITDI_HOME\keys.
Note: This directory must already exist, otherwise the step fails.
7. Click OK.
8. Type a password for the truststore, for example, secret.
9. Click OK to continue.
Creating a server-signed certificate for the Tivoli Directory
Integrator server
A self-signed certificate contains information about the owner of the certificate and
the owner’s signature. This type of certificate is generally used in a testing
environment. It is a signed certificate and CA certificate in one. If you choose to
use self-signed certificates, you must extract the CA certificate from it in order to
configure SSL.
Alternatively, you can purchase a certificate from a well-known authority such as
VeriSign, which is generally done in production environments. As another
alternative, you can use a certificate server, such as the one included with
Microsoft Windows 2003 Advanced Server, to generate your own certificates.
To create the self-signed certificate:
1. Navigate to the ITDI_HOME\jvm\jre\bin directory.
2. Launch the ikeyman.exe file (Windows operating systems) or ikeyman (UNIX
or Linux operating systems).
3. Select Key Database File > Open.
4. Browse to the keystore file created previously: ITDI_HOME\keys\tdikeys.jks
5. Enter the keystore password: secret.
6. Select Create > New Self Signed certificate.
7. Set the Key Label to tdiserver.
8. Use your system name (DNS name) as the Common Name (workstation
name).
9. Enter your Organization, for example IBM.
10. Click OK.
Creating a CA certificate for Tivoli Directory Integrator
A Certificate Authority or CA certificate must be used to verify the origin of a
signed digital certificate. When an application receives another application’s signed
certificate, it uses a CA certificate to verify the originator of the certificate. Many
applications, such as Web browsers, are configured with the CA certificates of
well-known certificate authorities to eliminate or reduce the task of distributing CA
certificates throughout the security zones in a network.
1. Extract the Server certificate for client use by selecting Extract Certificate.
2. Select Binary DER data as the data type.
3. Enter the certificate file name: idiserver.der.
4. Enter the location as ITDI_HOME\keys.
5. Click OK.
6. Copy the idiserver.der certificate file to the workstation on which Tivoli
Identity Manager is installed.
Importing the WebSphere Application Server CA certificate
into the Tivoli Directory Integrator truststore
1. Copy the SSL Client CA certificate file created in “Creating a WebSphere
Application Server CA certificate for Tivoli Identity Manager” on page 22,
timclient.der, to the ITDI_HOME\keys directory on the workstation on which
Tivoli Directory Integrator is installed.
2. Navigate to the ITDI_HOME\jvm\jre\bin directory.
3. Launch the ikeyman.exe file (Windows operating systems) or ikeyman (UNIX
or Linux operating systems).
4. Select Key Database File > Open.
5. Select key database type of JKS.
6. Type the keystore file name: tditrust.jks.
7. Type the location: ITDI_HOME\keys.
8. Click OK.
9. Click Signer Certificates in the dropdown menu.
10. Click Add.
11. Select Binary DER data as the data type.
12. Use Browse to select the timclient.der file stored in ITDI_HOME\keys.
13. Use timclient as the label.
14. Click OK to continue.
Configure Tivoli Directory Integrator to use the keystores
1. Navigate to the Tivoli Directory Integrator adapters solution directory
(ITDI_HOME\timsol).
2. Open the Tivoli Directory Integrator solution.properties file in an editor.
3. Edit the following lines under client authentication, uncomment them if
necessary, and set the location, password and type of keystore to match the
keystore you created in “Creating a keystore for the Tivoli Directory Integrator
server” on page 18:
javax.net.ssl.keyStore=ITDI_HOME\keys\tdikeys.jks
{protect}-javax.net.ssl.keyStorePassword=secret
javax.net.ssl.keyStoreType=JKS
4. Save your changes.
5. Stop and restart the adapter service. See “Starting and stopping the adapter
service” on page 7.
Configure Tivoli Directory Integrator to use the truststores
1. Navigate to the Tivoli Directory Integrator adapters solution directory
(ITDI_HOME\timsol).
2. Open the Tivoli Directory Integrator solution.properties file in an editor.
3. Edit the following lines under client authentication, uncomment them if
necessary, and set the location, password and type of truststore to match the
truststore you created in “Creating a truststore for the Tivoli Directory
Integrator server” on page 19:
javax.net.ssl.trustStore=ITDI_HOME\keys\tditrust.jks
{protect}-javax.net.ssl.trustStorePassword=secret
javax.net.ssl.trustStoreType=JKS
4. Save your changes.
5. Stop and restart the adapter service. See “Starting and stopping the adapter
service” on page 7.
Enabling the adapter service to use SSL
1. Navigate to the Tivoli Directory Integrator adapters solution directory
(ITDI_HOME\timsol).
2. Open the Tivoli Directory Integrator solution.properties file in an editor.
3. Edit the following two lines depending on the type of secure communications
you want to use.
For no SSL:
com.ibm.di.dispatcher.ssl=false
com.ibm.di.dispatcher.ssl.clientAuth=false
For one-way SSL:
com.ibm.di.dispatcher.ssl=true
com.ibm.di.dispatcher.ssl.clientAuth=false
For two-way SSL:
com.ibm.di.dispatcher.ssl=true
com.ibm.di.dispatcher.ssl.clientAuth=true
4. Save your changes.
5. Stop and restart the adapter service. See “Starting and stopping the adapter
service” on page 7.
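The three solution.properties edits above (keystore, truststore, and the two dispatcher flags) can be checked together before the adapter service is restarted. The following Python script is an added example, not part of the IBM guide or product; the finding codes, the treatment of an absent flag as false, and the sample file contents are assumptions made for illustration.

```python
# Added example (not IBM code): audit the SSL lines of solution.properties.
# Finding codes and the sample file below are constructed for illustration.

PROTECT_PREFIX = "{protect}-"     # prefix the guide shows on password lines
SAMPLE_PASSWORD = "secret"        # the guide's example password
SSL_KEY = "com.ibm.di.dispatcher.ssl"
CLIENT_AUTH_KEY = "com.ibm.di.dispatcher.ssl.clientAuth"


def parse_properties(text):
    """Return {key: (value, has_protect_prefix)} for active key=value lines."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):   # blank or commented out
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key = key.strip()
        protected = key.startswith(PROTECT_PREFIX)
        if protected:
            key = key[len(PROTECT_PREFIX):]
        props[key] = (value.strip(), protected)
    return props


def _flag(props, key):
    # Assumption: a flag that is absent or commented out counts as false.
    return props.get(key, ("false", False))[0].lower() == "true"


def ssl_mode(props):
    """Map the two dispatcher flags to the guide's three modes."""
    ssl, client_auth = _flag(props, SSL_KEY), _flag(props, CLIENT_AUTH_KEY)
    if not ssl:
        # clientAuth=true with ssl=false is not one of the guide's combinations.
        return "unlisted" if client_auth else "none"
    return "two-way" if client_auth else "one-way"


def _check_store(props, kind, findings):
    """Check the javax.net.ssl.<kind> path, type and password lines."""
    base = "javax.net.ssl." + kind
    if not props.get(base, ("", False))[0]:
        findings.append(kind + "-missing")
        return
    if not props.get(base + "Type", ("", False))[0]:
        findings.append(kind + "-type-missing")
    password, protected = props.get(base + "Password", ("", False))
    if not password:
        findings.append(kind + "-password-missing")
        return
    if password == SAMPLE_PASSWORD:
        findings.append(kind + "-sample-password")
    if not protected:
        findings.append(kind + "-password-unprotected")


def audit(text):
    """Return (mode, findings) for the text of a solution.properties file."""
    props = parse_properties(text)
    mode = ssl_mode(props)
    findings = []
    if mode == "none":
        findings.append("ssl-disabled")
    elif mode == "unlisted":
        findings.append("clientauth-without-ssl")
    else:
        # The SSL server presents its certificate from the keystore.
        _check_store(props, "keyStore", findings)
        if mode == "two-way":
            # Client certificates are verified against the truststore signers.
            _check_store(props, "trustStore", findings)
    return mode, findings


# Constructed sample: two-way SSL requested, truststore lines left commented.
SAMPLE = r"""
javax.net.ssl.keyStore=ITDI_HOME\keys\tdikeys.jks
{protect}-javax.net.ssl.keyStorePassword=secret
javax.net.ssl.keyStoreType=JKS
#javax.net.ssl.trustStore=ITDI_HOME\keys\tditrust.jks
#{protect}-javax.net.ssl.trustStorePassword=secret
#javax.net.ssl.trustStoreType=JKS
com.ibm.di.dispatcher.ssl=true
com.ibm.di.dispatcher.ssl.clientAuth=true
"""

if __name__ == "__main__":
    mode, findings = audit(SAMPLE)
    print("mode:", mode)
    for code in findings:
        print("finding:", code)
```

On the constructed sample the audit reports two-way mode with the truststore lines still commented out and the guide's example password left on the keystore.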
Tasks performed on the SSL client (Tivoli Identity Manager and
WebSphere Application Server workstation)
All the tasks are performed on the server workstation on which Tivoli Identity
Manager and WebSphere Application Server are installed.
Note: The file names and locations such as timclient.der and c:\keys used in
these tasks are examples and used for consistency. Your actual file names
and locations might be different.
Creating a signed certificate for the Tivoli Identity Manager
server
As previously mentioned in the server-side tasks, you can alternatively use a
well-known authority or your own certificate server to generate a certificate. For
these cases, use the Personal certificates requests option under the
NodeDefaultKeyStore step to produce a certificate request to send to the
well-known authority or to your certificate server. You use the accept option under
Personal certificates to load the data sent by the certificate authority in response to
the request.
1. Connect to the WebSphere Application Server Administrative Console.
2. Navigate to Security > SSL certificate and key management > Keystores and
certificates.
3. Select NodeDefaultKeyStore.
4. Select Personal certificates.
5. Select Create a self-signed certificate.
6. Enter appropriate values for the certificate fields:
- Set the Alias to timclient.
- Use your system name (DNS name) as the Common Name (workstation
  name).
- Enter your Organization, for example IBM.
7. Click OK and save.
8. Extract the CA certificate from the self-signed certificate.
Creating a WebSphere Application Server CA certificate for
Tivoli Identity Manager
1. Check the checkbox for the created certificate, and select Extract.
2. Enter a file name: c:\keys\timclient.der.
3. Select Binary DER data as the data type.
4. Click OK.
Importing the Tivoli Identity Manager CA certificate into the
WebSphere Application Server truststore
1. Copy the SSL server CA certificate file created in “Creating a CA certificate for
Tivoli Directory Integrator” on page 20, idiserver.der, to the c:\keys directory
on the workstation on which Tivoli Identity Manager is installed.
2. Connect to the WebSphere Application Server Administrative Console.
3. Navigate to Security > SSL certificate and key management > Keystores and
certificates.
4. Select NodeDefaultTrustStore.
5. Select Signer certificates.
6. Click Add.
- Set the Alias to idiserver.
- Specify the file name of the exported Tivoli Directory Integrator server
  certificate: c:\keys\idiserver.der.
- Select Binary DER data as the data type.
7. Click OK to continue and save.
Chapter 5. Verifying the Oracle eBS Adapter profile
installation
If the Oracle eBS Adapter profile is not already installed on your system, you must
import the adapter profile. See “Importing the adapter profile into the Tivoli
Identity Manager server” on page 5 for information about importing the adapter
profile.
After you install the adapter profile, verify that the adapter profile was
successfully installed. If the adapter profile is not installed correctly, the adapter
might not function as it is intended to function.
To verify that the adapter profile was successfully installed, complete these steps.
- Create a service using the Oracle eBS Adapter profile.
- Open an account on the service.
If you are unable to create a service using the Oracle eBS Adapter profile or open
an account on the service, the adapter profile is not installed correctly. You might
need to import the adapter profile again.
Chapter 6. Troubleshooting the Oracle eBS Adapter
Troubleshooting is the process of determining why a product does not function as
it is designed to function. This chapter provides information and techniques for
identifying and resolving problems related to the Oracle eBS Adapter. It also
provides information about troubleshooting errors that might occur during
installation.
Warning and error messages
A warning or error might be displayed in the user interface to provide information
that the user needs to know about the adapter or when an error occurs. Table 3
contains warnings or errors which might be displayed in the user interface if the
Oracle eBS Adapter is installed on your system.
Table 3. Warning and error messages

Warning or error message: CTGIMT001E The following error occurred. Error: Either the Oracle EBS service name is incorrect or the service is not up.
Recommended action: Ensure that the Oracle database service name given on the
Tivoli Identity Manager service form is running.

Warning or error message: CTGIMT001E The following error occurred. Error: Either the Oracle EBS host or port is incorrect.
Recommended action: Verify that the host workstation name or the port for the
Oracle eBS database service is correctly specified.

Warning or error message: CTGIMT002E The login credential is missing or incorrect.
Recommended action: Verify that you have provided the correct login credential
on the service form.

Warning or error message: CTGIMT001E The following error occurred. Error: No suitable JDBC driver found.
Recommended action: Ensure that the correct version of the JDBC thin driver is
copied onto the workstation where the adapter is installed and that the path is
included in the system CLASSPATH variable.

Warning or error message: CTGIMT600E An error occurred while establishing communication with the IBM Tivoli Directory Integrator server.
Recommended action: Tivoli Identity Manager cannot establish a connection
with Tivoli Directory Integrator. To fix this problem, ensure that:
- The Tivoli Directory Integrator is running.
- The URL specified on the service form for the Tivoli Directory Integrator is
  correct.

Logging information format
Logs added to the log file for the adapter or the RMI Dispatcher have the
following format:
Log Level [Assembly Line_ProfileName_Request ID]_
[Connector Name] - message
Log Level
Specifies the logging level that you configured for the adapter. The options
are DEBUG, ERROR, INFO, and WARN. See “Configuring logging for the
adapter” on page 11 for information about using the log4j.properties file to
configure logging.
Assembly Line
Specifies the name of the assembly line that is logging the information.
ProfileName
Specifies the name of the profile. Profile names might vary based on the
adapter that is running or the operating system.
Request ID
Specifies the number of the request. Request number is used to uniquely
identify a specific request.
Connector Name
Specifies the connector for the adapter.
message
Specifies the actual message information.
The example below is an actual message that might be displayed in a log file:
INFO [AssemblyLine.AssemblyLines/OracleManageUserAL_Oracle_test-no-requestid_
6bc889c0-2853-11b2-2970-00000a4d445d.1126072314] - [conOracleManageUser]
Load Attribute Map
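A parser for this log format is useful when tracing one provisioning request through the adapter log. The following Python script is an added example, not part of the IBM guide or product. It accepts both the separators of the format line and those of the sample message, which differ; it assumes that the first two underscores inside the bracket delimit the assembly line, profile name and request ID, and that the sample message is a single line in the log file. All log lines other than the guide's sample are constructed.

```python
# Added example (not IBM code): parse adapter / RMI Dispatcher log lines.
import re
from collections import defaultdict

# Level, [context], [connector], message. The separators between the parts
# are matched loosely because the guide's format line ("]_ [..] - msg") and
# its sample message ("] - [..] msg") place them differently.
LINE_RE = re.compile(
    r"^(?P<level>DEBUG|ERROR|INFO|WARN)\s+"
    r"\[(?P<context>[^\]]+)\]"
    r"[\s_-]*"
    r"\[(?P<connector>[^\]]+)\]"
    r"(?:\s*-)?\s*(?P<message>.*)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if it is not a record start."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    # Assumption: the first two underscores separate the assembly line,
    # the profile name and the request ID; the rest belongs to the ID.
    parts = match.group("context").split("_", 2)
    parts += [""] * (3 - len(parts))
    return {
        "level": match.group("level"),
        "assembly_line": parts[0],
        "profile": parts[1],
        "request_id": parts[2],
        "connector": match.group("connector"),
        "message": match.group("message"),
    }


def parse_log(text):
    """Parse a whole log; unmatched lines continue the previous record."""
    records = []
    for line in text.splitlines():
        record = parse_line(line)
        if record:
            records.append(record)
        elif records and line.strip():
            # For example a stack trace that follows an ERROR record.
            records[-1]["message"] += "\n" + line.strip()
    return records


def failed_requests(records):
    """Group ERROR and WARN messages by request ID."""
    grouped = defaultdict(list)
    for record in records:
        if record["level"] in ("ERROR", "WARN"):
            grouped[record["request_id"]].append(
                (record["connector"], record["message"]))
    return dict(grouped)


# The guide's sample message, joined into one line.
GUIDE_EXAMPLE = (
    "INFO [AssemblyLine.AssemblyLines/OracleManageUserAL_Oracle_"
    "test-no-requestid_6bc889c0-2853-11b2-2970-00000a4d445d.1126072314]"
    " - [conOracleManageUser] Load Attribute Map"
)

# Constructed lines in the documented format, for illustration only.
CONSTRUCTED_LOG = GUIDE_EXAMPLE + """
ERROR [AssemblyLine.AssemblyLines/OracleManageUserAL_Oracle_req-0002]_ [conOracleManageUser] - constructed failure text
    constructed continuation line
DEBUG [AssemblyLine.AssemblyLines/OracleManageUserAL_Oracle_req-0003]_ [conOracleManageUser] - constructed debug text
"""

if __name__ == "__main__":
    for request_id, problems in failed_requests(parse_log(CONSTRUCTED_LOG)).items():
        print(request_id, problems)
```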
Installer problems on UNIX and Linux platforms
The adapter installer creates temporary files during installation. On the UNIX and
Linux platforms these files are located in the /tmp directory. If the installation has
been interrupted, or if the installer was run with an unsupported JVM, these
temporary files might cause subsequent installations to fail or not to work
correctly.
Symptoms
- The installation completes successfully, but the adapters solution directory is not
  created.
- The installation completes successfully, but the adapters solution directory is
  created as a file instead of a directory.
Corrective action
To correct either condition:
1. Remove any of the following files from the /tmp directory:
ITDIAsService.sh
rmITDIAsService.sh
deldispatcher.sh
createdir.sh
copyfiles.sh
copyagentfile.sh
delfiles.sh
copylog4j.sh
2. Run the uninstaller.
3. Edit the ITDI_HOME/etc/global.properties file to remove the following
properties:
ADAPTER_SOLDIR
com.ibm.di.dispatcher.registryPort
com.ibm.di.dispatcher.bindName
com.ibm.di.dispatcher.ssl
com.ibm.di.dispatcher.clientAuth
com.ibm.di.dispatcher.disableConnectorCache
ITDI_HOME
4. Remove the following JAR files from the ITDI_HOME/jars/3rdparty/IBM
directory
itdiAgents.jar
itdiAgents-common.jar
rmi-dispatcher-client.jar
rmi-dispatcher.jar
5. Delete the timsol directory or file.
6. Run the installer again with the correct JVM.
Chapter 7. Uninstalling the Oracle eBS Adapter
To completely uninstall the Oracle eBS Adapter, you need to perform two
procedures:
1. Uninstall the adapter from the Tivoli Directory Integrator server.
2. Remove the adapter profile from the Tivoli Identity Manager server.
Uninstalling the adapter from the Tivoli Directory Integrator server
The Oracle eBS Adapter installation installs the RMI Dispatcher only on the Tivoli
Directory Integrator server. Therefore, you only need to uninstall the RMI
Dispatcher. There is no separate uninstall for the Oracle eBS Adapter.
The JAR file needed to uninstall the Oracle eBS Adapter was created in the
ITDI_HOME\DispatcherUninstall directory when the RMI Dispatcher was
installed.
Note: The RMI Dispatcher is required for all Tivoli Directory Integrator-based
adapters. If you uninstall the RMI Dispatcher, none of the other installed
adapters function.
To remove the Oracle eBS Adapter, complete these steps:
1. Stop the adapter service.
2. Run the DispatcherUninstall.jar file. To run the JAR file, double click on the
executable file or enter the following command at the command prompt:
TDI_HOME/jvm/jre/bin/java -jar DispatcherUninstall.jar
Removing the adapter profile from the Tivoli Identity Manager server
Before removing the adapter profile ensure that no objects exist on your Tivoli
Identity Manager server that reference the adapter profile. Examples of objects on
the Tivoli Identity Manager server that can reference the adapter profile are:
- Adapter service instances
- Policies referencing an adapter instance or the profile
- Accounts
For specific information on how to remove the adapter profile, see the online help
or the information center for your Tivoli Identity Manager product.
Appendix A. Adapter attributes
Attribute descriptions
The Tivoli Identity Manager server communicates with the Oracle eBS Adapter
using attributes that are included in transmission packets that are sent over a
network. The combination of attributes, included in the packets, depends on the
type of action that the Tivoli Identity Manager server requests from the Oracle eBS
Adapter.
Table 4 is a listing of the attributes that are used by the Oracle eBS Adapter. The
table gives a brief description, constraints, and permissions. The permissions are:
Read
The attribute is reconciled but not modified by the adapter.
Write
The attribute is modified by the adapter but not reconciled.
Read and Write
The attribute is reconciled and can be modified by the adapter.
Table 4. Attributes, descriptions, constraints, and permissions

erAccountStatus
Description: Specifies the status of the account as enabled or disabled.
Permissions: Read and Write

erLastAccessDate
Description: The user's last login date and time in Oracle eBS.
Permissions: Read

erOraEBSCust
Description: Customer.
Permissions: Read and Write

erOraEBSDescription
Description: A short description for the User Name.
Constraints: The description is limited to a maximum of 240 characters.
Permissions: Read and Write

erOraEBSLeftPwdAccess
Description: Specifies the number of login accesses remaining (from the current
day) until the password expires.
Constraints: The maximum value is 999999999999999.
Permissions: Read and Write

erOraEBSPerson
Description: Person.
Permissions: Read and Write

erOraEBSPwdAccesses
Description: Specifies the number of login accesses allowed before the password
expires.
Constraints: The maximum value is 999999999999999.
Permissions: Read and Write

erOraEBSPwdLifeSpanDays
Description: Specifies the number of days after which the password expires.
Constraints: The maximum value is 999999999999999.
Permissions: Read and Write

erOraEBSResp
Description: Specifies the name of the responsibility in the form
Aplication_Name|Responsibility_Name.
Permissions: Read and Write

erOraEBSSessionNumber
Description: Specifies the session ID.
Permissions: Read

erOraEBSSupp
Description: Specifies a supplier.
Permissions: Read and Write

erOraEBSUserEndDate
Description: Specifies the user's effective end date.
Permissions: Read and Write

erOraEBSUserFax
Description: Specifies the user's fax number.
Constraints: The fax number is limited to a maximum of 80 characters.
Permissions: Read and Write

erOraEBSUserMail
Description: Specifies the user's e-mail address.
Constraints: The e-mail address is limited to a maximum of 240 characters.
Permissions: Read and Write

erOraEBSStartDate
Description: Specifies the user's effective start date.
Permissions: Read and Write

erPassword
Description: Specifies the password for the user name.
Constraints: The password is limited to a maximum of 45 characters.
Permissions: Write

erUid
Description: Specifies the user name.
Constraints: The user name is limited to a maximum of 100 characters.
Permissions: Read and Write

Attributes by Oracle eBS Adapter actions
The following lists are typical Oracle eBS Adapter actions by their functional
transaction group. The lists include more information about required and optional
attributes sent to the Oracle eBS Adapter to complete that action.
System Login Add
A System Login Add is a request to create a new user account with the specified
attributes.
Table 5. Add request attributes for Oracle
Required attribute: erUid, erPassword
Optional attribute: All other supported attributes
System Login Change
A System Login Change is a request to change one or more attributes for the
specified users.
Table 6. Change request attributes for Oracle
Required attribute: erUid
Optional attribute: All other supported attributes
Note: An account rename, that is, an erUid change, is not supported.
System Login Delete
Note: This operation is not supported.
System Login Suspend
A System Login Suspend is a request to disable a user account. The user is neither
removed nor are their attributes modified.
Table 7. Suspend request attributes for Oracle
Required attribute: erUid, erAccountStatus
Optional attribute: None
System Login Restore
A System Login Restore is a request to activate a user account that was previously
suspended. Once an account is restored, the user can access the system with the
same attributes as those before the Suspend function was called.
Table 8. Restore request attributes for Oracle
Required attribute: erUid, erAccountStatus
Optional attribute: None
Test
The following table identifies attributes needed to test the connection.
Table 9. Test attributes
Required attribute: None
Optional attribute: None
Reconciliation
The Reconciliation request synchronizes user account information between Tivoli
Identity Manager and the adapter.
Table 10. Reconciliation request attributes for Oracle
Required attribute: None
Optional attribute: None
Appendix B. Installing on a zOS operating system
To install the adapters on the zOS UNIX file system, you only need to install the
RMI Dispatcher because the adapter uses the Tivoli Directory Integrator JDBC
connector that is available with the base Tivoli Directory Integrator product.
RMI Dispatcher installation:
1. Locate the delivered adapter compressed file.
2. Extract the contents of the compressed file into a temporary directory and
navigate to that directory.
3. From the temporary directory, locate and navigate to the zSystem directory.
4. Under the zSystem directory, locate the following two files:
- Dispatcher.tar
- instDispatcher_zOS.sh
Note: Dispatcher.tar is a binary UNIX tar file and instDispatcher_zOS.sh is a
UNIX shell script.
5. Transfer the two files to the zOS workstation where the adapter is to be
installed. Both files must be copied to the same directory.
6. Set the execution flag on instDispatcher_zOS.sh:
chmod +x instDispatcher_zOS.sh
7. Run the installer by issuing the command:
./instDispatcher_zOS.sh
The following dialog is displayed.
Note: The path given in the following example might be different on your
system.
************************************************
ITIM RMI Dispatcher Installation Program
************************************************
You will prompted to enter the following information:
TDI home directory.
Your TDI solution directory.
Make sure you have the above information available and
the Dispatcher.jar is located in the current directory
before you continue
1. Install
2. Quit
Please enter choice: 1
Extracting content of Dispatcher...
Enter TDI home directory,
Hit [Enter] to accept [/usr/lpp/itdi]
or type new value (full path):
Enter the solution directory name (full path): /u/user2/rmi/soldir
extracting content of Dispatcher.jar...
setting up solution directory tree /u/user2/rmi/soldir...
getting files from TDI home directory /usr/lpp/itdi...
updating /u/user2/rmi/soldir/solution.properties file...
getting dispatcher files from /u/user2/rmi/Dispatcher...
updating /u/user2/rmi/soldir/ITIMAd file...
Installation complete, press any key to continue...
After the installation of the adapter is complete, to verify the startup and
shutdown of the adapter go to “Starting and stopping the adapter service” on page
7.
Appendix C. Running in Federal Information Processing
Standards compliance mode
Note: Tivoli Directory Integrator 6.1.1 is not fully FIPS 140-2 compliant.
Tivoli Directory Integrator uses the Java Secure Socket Extension (JSSE) for SSL
communication which is FIPS 140-2 compliant. IBMJSSEFIPS is the provider name
for the pure Java JSSE FIPS 140-2 implementation. You need to include this
provider name, using the correct case, in the java.security file located in
ITDI_HOME/jvm/jre/lib/security directory.
security.provider.1=com.ibm.fips.jsse.IBMJSSEFIPSProvider
The RMI dispatcher code runs within the Tivoli Directory Integrator JVM. Tivoli
Directory Integrator must be configured to run in FIPS mode. See the Tivoli
Directory Integrator documentation for detailed information on how to set or
change security providers.
Appendix D. Accessibility features for the Oracle eBS Adapter
Accessibility features help a user who has a physical disability, such as restricted
mobility or limited vision, to use information technology products successfully.
Accessibility features
The following list includes the major accessibility features in the Oracle eBS
Adapter. These features support:
- Keyboard-only operation.
- Interfaces that are commonly used by screen readers.
- Keys that are tactilely discernible and do not activate just by touching them.
- Industry-standard devices for ports and connectors.
- The attachment of alternative input and output devices.
- Documentation is available in convertible PDF format to give the maximum
  opportunity for users to apply screen-reader software.
- All images in the documentation are provided with alternative text so that users
  with vision impairments can understand the contents of the images.
Note: The IBM Tivoli Identity Manager Information Center and its related
publications are accessibility-enabled for the IBM Home Page Reader. You
can operate all features using the keyboard instead of the mouse.
Keyboard navigation
This product uses standard Microsoft Windows navigation keys.
IBM and accessibility
See the IBM Accessibility Center at http://www.ibm.com/able for more information
about the commitment that IBM has to accessibility.
Appendix E. Support information
Use the following options to obtain support for IBM products:
- “Searching knowledge bases”
- “Contacting IBM Software Support”
Searching knowledge bases
If you have a problem with your IBM software, you want it resolved quickly. Begin
by searching the available knowledge bases to determine whether the resolution to
your problem is already documented.
Search the information center on your local system or
network
IBM provides extensive documentation that can be installed on your local
computer or on an intranet server. You can use the search function of this
information center to query conceptual information, instructions for completing
tasks, reference information, and support documents.
Search the Internet
If you cannot find an answer to your question in the information center, search the
Internet for the latest, most complete information that might help you resolve your
problem. To locate Internet resources for your product, open one of the following
Web sites:
- Performance and tuning information
  Provides information needed to tune your production environment, available on
  the Web at:
  http://publib.boulder.ibm.com/tividd/td/tdprodlist.html
  Click the I character in the A-Z product list to locate IBM Tivoli Identity
  Manager products. Click the link for your product, and then browse the
  information center for the Technical Supplements section.
- Redbooks and white papers are available on the Web at:
  http://www.ibm.com/software/sysmgmt/products/support/IBMTivoliIdentityManager.html
  Browse to the Self Help section, in the Learn category, and click the Redbooks
  link.
- Technotes are available on the Web at:
  http://www.redbooks.ibm.com/redbooks.nsf/tips/
- Field guides are available on the Web at:
  http://www.ibm.com/software/sysmgmt/products/support/Field_Guides.html
- For an extended list of other Tivoli Identity Manager resources, search the
  following IBM developerWorks Web address:
  http://www.ibm.com/developerworks/
Contacting IBM Software Support
IBM Software Support provides assistance with product defects.
Before contacting IBM Software Support, your company must have an active IBM
software maintenance contract, and you must be authorized to submit problems to
IBM. The type of software maintenance contract that you need depends on the
type of product you have:
- For IBM distributed software products (including, but not limited to, Tivoli,
  Lotus®, and Rational® products, as well as DB2 and WebSphere products that
  run on Windows or UNIX operating systems), enroll in Passport Advantage® in
  one of the following ways:
  - Online: Go to the Passport Advantage Web page (http://www.lotus.com/services/passport.nsf/WebDocs/Passport_Advantage_Home) and click How
    to Enroll.
  - By phone: For the phone number to call in your country, go to the IBM
    Software Support Web site (http://techsupport.services.ibm.com/guides/contacts.html) and click the name of your geographic region.
- For IBM eServer™ software products (including, but not limited to, DB2 and
  WebSphere products that run in zSeries®, pSeries®, and iSeries™ environments),
  you can purchase a software maintenance agreement by working directly with
  an IBM sales representative or an IBM Business Partner. For more information
  about support for eServer software products, go to the IBM Technical Support
  Advantage Web page (http://www.ibm.com/servers/eserver/techsupport.html).
If you are not sure what type of software maintenance contract you need, call
1-800-IBMSERV (1-800-426-7378) in the United States or, from other countries, go to
the contacts page of the IBM Software Support Handbook on the Web
(http://techsupport.services.ibm.com/guides/contacts.html) and click the name of
your geographic region for phone numbers of people who provide support for
your location.
Follow the steps in this topic to contact IBM Software Support:
1. Determine the business impact of your problem.
2. Describe your problem and gather background information.
3. Submit your problem to IBM Software Support.
Determine the business impact of your problem
When you report a problem to IBM, you are asked to supply a severity level.
Therefore, you need to understand and assess the business impact of the problem
you are reporting. Use the following criteria:
Severity 1 Critical business impact: You are unable to use the program,
resulting in a critical impact on operations. This condition
requires an immediate solution.
Severity 2 Significant business impact: The program is usable but is
severely limited.
Severity 3 Some business impact: The program is usable with less
significant features (not critical to operations) unavailable.
Severity 4 Minimal business impact: The problem causes little impact on
operations, or a reasonable circumvention to the problem has
been implemented.
Describe your problem and gather background information
When explaining a problem to IBM, be as specific as possible. Include all relevant
background information so that IBM Software Support specialists can help you
solve the problem efficiently. To save time, know the answers to these questions:
- What software versions were you running when the problem occurred?
- Do you have logs, traces, and messages that are related to the problem
  symptoms? IBM Software Support is likely to ask for this information.
- Can the problem be re-created? If so, what steps led to the failure?
- Have any changes been made to the system? (For example, hardware, operating
  system, networking software, and so on.)
- Are you currently using a workaround for this problem? If so, please be
  prepared to explain it when you report the problem.
Submit your problem to IBM Software Support
You can submit your problem in one of two ways:
- Online: Go to the "Submit and track problems" page on the IBM Software
  Support site (http://www.ibm.com/software/support/probsub.html). Enter
  your information into the appropriate problem submission tool.
- By phone: For the phone number to call in your country, go to the contacts page
  of the IBM Software Support Handbook on the Web (http://techsupport.services.ibm.com/guides/contacts.html) and click the name of your
  geographic region.
If the problem you submit is for a software defect or for missing or inaccurate
documentation, IBM Software Support creates an Authorized Program Analysis
Report (APAR). The APAR describes the problem in detail. Whenever possible,
IBM Software Support provides a workaround for you to implement until the
APAR is resolved and a fix is delivered. IBM publishes resolved APARs on the
IBM product support Web pages daily, so that other users who experience the
same problem can benefit from the same resolutions.
For more information about problem resolution, see Searching knowledge bases.
Appendix F. Notices
This information was developed for products and services offered in the U.S.A.
IBM may not offer the products, services, or features discussed in this document in
other countries. Consult your local IBM representative for information on the
products and services currently available in your area. Any reference to an IBM
product, program, or service is not intended to state or imply that only that IBM
product, program, or service may be used. Any functionally equivalent product,
program, or service that does not infringe any IBM intellectual property right may
be used instead. However, it is the user’s responsibility to evaluate and verify the
operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter
described in this document. The furnishing of this document does not give you
any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.
For license inquiries regarding double-byte (DBCS) information, contact the IBM
Intellectual Property Department in your country or send inquiries, in writing, to:
IBM World Trade Asia Corporation
Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106-0032, Japan
The following paragraph does not apply to the United Kingdom or any other
country where such provisions are inconsistent with local law:
INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS
PUBLICATION “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER
EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS
FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or
implied warranties in certain transactions, therefore, this statement may not apply
to you.
This information could include technical inaccuracies or typographical errors.
Changes are periodically made to the information herein; these changes will be
incorporated in new editions of the publication. IBM may make improvements
and/or changes in the product(s) and/or the program(s) described in this
publication at any time without notice.
Any references in this information to non-IBM Web sites are provided for
convenience only and do not in any manner serve as an endorsement of those Web
sites. The materials at those Web sites are not part of the materials for this IBM
product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it
believes appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose
of enabling: (i) the exchange of information between independently created
programs and other programs (including this one) and (ii) the mutual use of the
information which has been exchanged should contact:
IBM Corporation
2ZA4/101
11400 Burnet Road
Austin, TX 78758
U.S.A.
Such information may be available, subject to appropriate terms and conditions,
including in some cases, payment of a fee.
The licensed program described in this information and all licensed material
available for it are provided by IBM under terms of the IBM Customer Agreement,
IBM International Program License Agreement, or any equivalent agreement
between us.
Any performance data contained herein was determined in a controlled
environment. Therefore, the results obtained in other operating environments may
vary significantly. Some measurements may have been made on development-level
systems and there is no guarantee that these measurements will be the same on
generally available systems. Furthermore, some measurements may have been
estimated through extrapolation. Actual results may vary. Users of this document
should verify the applicable data for their specific environment.
Information concerning non-IBM products was obtained from the suppliers of
those products, their published announcements or other publicly available sources.
IBM has not tested those products and cannot confirm the accuracy of
performance, compatibility or any other claims related to non-IBM products.
Questions on the capabilities of non-IBM products should be addressed to the
suppliers of those products.
Trademarks
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of
International Business Machines Corporation in the United States, other countries,
or both. If these and other IBM trademarked terms are marked on their first
occurrence in this information with a trademark symbol (® or ™), these symbols
indicate U.S. registered or common law trademarks owned by IBM at the time this
information was published. Such trademarks may also be registered or common
law trademarks in other countries. A current list of IBM trademarks is available on
the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.
Adobe, Acrobat, Portable Document Format (PDF), and PostScript are either
registered trademarks or trademarks of Adobe Systems Incorporated in the United
States, other countries, or both.
Cell Broadband Engine and Cell/B.E. are trademarks of Sony Computer
Entertainment, Inc., in the United States, other countries, or both and is used under
license therefrom.
Java and all Java-based trademarks are trademarks of Sun
Microsystems, Inc. in the United States, other countries, or
both.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of
Microsoft Corporation in the United States, other countries, or both.
Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo,
Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or
registered trademarks of Intel Corporation or its subsidiaries in the United States
and other countries.
UNIX is a registered trademark of The Open Group in the United States and other
countries.
Linux is a trademark of Linus Torvalds in the U.S., other countries, or both.
ITIL is a registered trademark, and a registered community trademark of the Office
of Government Commerce, and is registered in the U.S. Patent and Trademark
Office.
IT Infrastructure Library is a registered trademark of the Central Computer and
Telecommunications Agency which is now part of the Office of Government
Commerce.
Other company, product, and service names may be trademarks or service marks
of others.
Printed in USA
SC23-9919-00