
Oracle Identity Manager: Administration

Volume I Student Guide

D46308GC10 Edition 1.0 January 2007 D48930

Oracle Identity Manager: Administration


Electronic Presentation

D46308GC10 Edition 1.0 January 2007 D48932

Authors
Robert La Vallie

Copyright 2007, Oracle. All rights reserved.

Disclaimer

This document contains proprietary information and is protected by copyright and other intellectual property laws. You may copy and print this document solely for your own use in an Oracle training course. The document may not be modified or altered in any way. Except where your use constitutes "fair use" under copyright law, you may not use, share, download, upload, copy, print, display, perform, reproduce, publish, license, post, transmit, or distribute this document in whole or in part without the express authorization of Oracle. The information contained in this document is subject to change without notice. If you find any problems in the document, please report them in writing to: Oracle University, 500 Oracle Parkway, Redwood Shores, California 94065 USA. This document is not warranted to be error-free.

Restricted Rights Notice

If this documentation is delivered to the United States Government or anyone using the documentation on behalf of the United States Government, the following notice is applicable:

U.S. GOVERNMENT RIGHTS The U.S. Government's rights to use, modify, reproduce, release, perform, display, or disclose these training materials are restricted by the terms of the applicable Oracle license agreement and/or the applicable U.S. Government contract.

Trademark Notice

Oracle, JD Edwards, PeopleSoft, and Siebel are registered trademarks of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.

Technical Contributors and Reviewers


John Aisien Rhonda Bassett Mary Bryksa Eugene Choi Usha George Rohit M Gupta Susan Jang Pavana Jain Nishant Kaushik Ed King Svetlana Kolomeyskaya Su Lim Bruce Lowenthal Todd Morrissette Naga Nagarajan Holger Dindler Rasmussen Vickie Reed Stanislav Sadykov Mohit Singh Adam Skaffloth Jayanthan Thomas Trent Watkins

Editors
Richard Wallis Daniel Milne

Graphic Designer
Steve Elwood Satish Bettegowda

Publisher
Jobi Varghese


Introduction


Course Objectives

After completing this course, you should be able to:
- Explain Oracle Identity Manager and its role in identity management
- Identify the three tiers and components of the Oracle Identity Manager architecture
- List the key features of Oracle Identity Manager with respect to identity management: reconciliation and provisioning
- Describe how Oracle Identity Manager handles reconciliation and provisioning


Course Objectives

- Identify what an Oracle Identity Manager connector is and how it is used by Oracle Identity Manager to perform provisioning and reconciliation actions
- List the components that this connector must have
- Explain the steps that need to be completed to build an Oracle Identity Manager connector
- Prepare a predefined database for Oracle Identity Manager
- Install and deploy your Oracle Identity Manager Diagnostic Dashboard


Course Objectives

- Use the dashboard tool to verify that Oracle Database is prepared properly and that Oracle Identity Manager can connect to it
- Install the Oracle Identity Manager Server
- Install the Oracle Identity Manager Design Console
- Perform postinstallation tasks for the Oracle Identity Manager Server and Design Console
- Use the Diagnostic Dashboard to verify that Oracle Identity Manager is loaded and configured properly
- Launch the Oracle Identity Manager Server
- Start the two Oracle Identity Manager consoles (the Administrative Console and the Design Console)

Course Objectives

- Differentiate between the two consoles
- Explain the links in the Administrative Console
- Explain the three types of Oracle Identity Manager users: system administrators, administrators of Oracle Identity Manager connectors, and end users
- Discuss the entities of which an Oracle Identity Manager user can be a member (that is, organizations and user groups)
- Differentiate between an organization and a user group
- Create records for an organization, the three types of Oracle Identity Manager users, and a user group


Course Objectives

- Assign an Oracle Identity Manager user to a user group
- Explain the following:
  - How administrators view and modify their profiles in Oracle Identity Manager
  - How administrators change their challenge questions and, as a result, reset their passwords
  - What a proxy is
  - How administrators assign, modify, and remove proxies
  - How administrators see the resources that are provisioned to them
  - How administrators see requests that are initiated by them and requests that require their approval


Course Objectives

- Identify resources and Oracle Identity Manager connectors
- Explain how Oracle Identity Manager connectors differ from resources
- Discuss the three ways that a connector can be assigned to an Oracle Identity Manager user
- See how an administrator of an Oracle Identity Manager connector can view a graphical representation of a provisioning workflow
- Analyze what approval processes are and how they affect a provisioning workflow
- Identify the key features of autoprovisioning

Course Objectives

- Discuss other day-two provisioning functions that an administrator of an Oracle Identity Manager connector can perform. These functions include:
  - Temporarily deactivating an end user's account with a resource
  - Reinstating an end user's account
  - Modifying the password of an end user's account
  - Permanently revoking the access rights that an end user has with the resource
- Identify the two levels of customization for the Oracle Identity Manager Administrative Console
- Modify the look and feel of the console (that is, brand it)

Course Objectives

- Change the functionality of the console without modifying the Oracle Identity Manager code
- Explain why the code should never be changed
- Describe the benefits of transferring Oracle Identity Manager connectors from one environment to another
- Identify the different ways that connectors can be transported between environments
- Explain how to export a connector
- Discuss how to import a different connector and configure it so that it is operable in your environment


Course Objectives

- Identify the two types of reports that an administrator can create for Oracle Identity Manager users: operational reports and historical reports
- Differentiate between these two types of reports
- List the different operational and historical reports that are available with Oracle Identity Manager
- Discuss additional reports that can be created using a third-party tool (such as Oracle Discoverer)
- Create operational and historical reports with the Oracle Identity Manager Administrative Console


Course Objectives

- Define attestation and attestation processes, including the fundamental components of an attestation process
- Describe the types of users who analyze, create, and manage attestation processes
- Identify the types of data that can be attested
- Discuss the different ways that attestation processes can be executed (that is, the schedule for attestation processes)
- Explain the workflow of an attestation process from beginning to end
- Configure your Oracle Identity Manager environment so that it can handle attestation processes

Course Objectives

- Create an attestation process by using the Oracle Identity Manager Administrative Console
- Access the Administrative Console as a reviewer and act on an attestation process that is assigned to you: certify it, decline it, reject it, or delegate it to another reviewer
- Access this console as a process owner and view information about the attestation process, including its status (certified, rejected, declined, or delegated to another reviewer)
- Troubleshoot Oracle Identity Manager


Course Units

This course is divided into the following units:
1. Product Overview
2. Installing, Configuring, and Launching Oracle Identity Manager
3. Managing Users, User Entities, and Resources
4. Modifying the Oracle Identity Manager Administrative Console
5. Deploying Resources
6. Constructing Reports
7. Using Attestation
8. Performing Advanced Functions with Oracle Identity Manager

Unit 1: Product Overview

This unit has a single lesson titled Understanding Oracle Identity Manager.


Unit 2: Installing, Configuring, and Launching Oracle Identity Manager


This unit comprises the following lessons:
- Installing and Configuring Oracle Identity Manager
- Starting and Understanding Oracle Identity Manager's Consoles


Unit 3: Managing Users, User Entities, and Resources


This unit comprises the following lessons:
- Managing Users and User Entities
- Assigning Oracle Identity Manager Connectors to Users
- Provisioning Resources to Users


Unit 4: Modifying the Oracle Identity Manager Administrative Console


This unit has a single lesson titled Customizing the Oracle Identity Manager Administrative Console.


Unit 5: Deploying Resources

This unit has a single lesson titled Transferring Oracle Identity Manager Connectors.


Unit 6: Constructing Reports

This unit has a single lesson titled Creating Reports.


Unit 7: Using Attestation

This unit comprises the following lessons:
- Understanding Attestation
- Creating, Managing, and Reviewing Attestation Processes


Unit 8: Performing Advanced Functions with Oracle Identity Manager


This unit has a single lesson titled Troubleshooting Oracle Identity Manager.


Summary

In this introductory lesson, you should have learned about the course units and lessons.


Understanding Oracle Identity Manager


Objectives

After completing this lesson, you should be able to:
- Explain Oracle Identity Manager and its role in identity management
- Identify the three tiers and components of the Oracle Identity Manager architecture
- List the key features of Oracle Identity Manager with respect to identity management: Reconciliation and provisioning
- Describe how Oracle Identity Manager handles reconciliation and provisioning


Objectives

- Identify what an Oracle Identity Manager connector is and how it is used by Oracle Identity Manager to perform provisioning and reconciliation actions
- List the components that this connector must have
- Explain the steps that need to be completed to build an Oracle Identity Manager connector


Oracle Identity Manager

Oracle Identity Manager is an application that handles and selectively automates tasks that manage a user's access privileges. Such tasks include:
- Creating access privileges to resources for users
- Modifying these privileges dynamically based on changes to user and business requirements
- Removing these access privileges from users


Oracle Identity Manager Architecture

The architecture for Oracle Identity Manager:
- Is based on a Java 2 Enterprise Edition (J2EE) environment
- Separates the platform's Presentation, Server, and Data & Enterprise Integration tiers
- Enables the creation of n levels of layers


Oracle Identity Manager Architecture: Advantages

The advantages of this architecture include:
- Scalability
- Flexibility
- Variety


Oracle Identity Manager Architecture: Tiers


The Oracle Identity Manager architecture has three tiers:
- Presentation tier
- Server tier
- Data & Enterprise Integration tier

Tier 1: Presentation Tier

The Presentation tier of Oracle Identity Manager has two layers:
- Presentation layer
  - Two consoles for Oracle Identity Manager: Administrative Console and Design Console
- Dynamic Presentation Logic layer
  - Logic for generating dynamic pages for the Administrative Console by using JSPs, Java Servlets, XML, and JavaBeans


Tier 2: Server Tier

The Server tier of Oracle Identity Manager is the interface between the Presentation and Data & Enterprise Integration tiers.

The application server for Oracle Identity Manager:
- Resides in the Server tier
- Provides the life-cycle management, security, deployment, and run-time services to the logical components that support Oracle Identity Manager


Tier 2: Server Tier

The Server tier of Oracle Identity Manager supports:
- Clustering
- Load balancing
- Security management
- Scheduling


Tier 3: Data & Enterprise Integration Tier

The Data & Enterprise Integration tier of Oracle Identity Manager has two layers:
- Data Access layer
  - Layer that has the components that Oracle Identity Manager needs to communicate with its database
- Back-end Database layer
  - Layer where the database resides


Tier 3: Data & Enterprise Integration Tier

The Back-end Database layer leverages the following capabilities:
- Clustering
- Standby database
- Replication


Reconciliation and Provisioning: Overview


Reconciliation is the process by which Oracle Identity Manager receives information from an external resource.

Provisioning is the process by which Oracle Identity Manager sends information to a target resource.

By using reconciliation and provisioning, Oracle Identity Manager can perform the following actions:
- Create a user record in a resource
- Modify the privileges that the user has with the resource
- Remove the user record from the resource


Reconciliation: Types

There are two types of reconciliation that Oracle Identity Manager performs:
- Trusted source reconciliation
- Targeted resource reconciliation


Reconciliation: Events

Oracle Identity Manager can perform three types of reconciliation events with an external resource:
- Reconciliation Insert
- Reconciliation Update
- Reconciliation Delete
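
The three event types above, as an added example (not Oracle code and not part of the course material): a simplified model that assumes an insert is a record the resource reports but that is not yet known, an update is a changed attribute, and a delete is a known record the resource no longer reports. It also flags inserts that match no managed user, which is how an account created outside the identity manager would surface. All function names and sample records are constructed, and no Oracle Identity Manager API is used.

```python
"""Simplified model of reconciliation events (added example, not OIM code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ReconEvent:
    kind: str            # "insert", "update" or "delete"
    key: str             # record identifier in the external resource
    changes: tuple = ()  # (attribute, known value, reported value) triples


def classify_events(known, reported):
    """Diff the records already known against what the resource reports.

    Both arguments map a record key to a dict of attributes.
    Assumed semantics: unknown key -> insert, differing attributes -> update,
    key no longer reported -> delete.
    """
    events = []
    for key in sorted(reported):
        new = reported[key]
        if key not in known:
            events.append(ReconEvent(
                "insert", key, tuple((a, None, new[a]) for a in sorted(new))))
            continue
        old = known[key]
        diff = tuple(
            (a, old.get(a), new.get(a))
            for a in sorted(set(old) | set(new))
            if old.get(a) != new.get(a)
        )
        if diff:
            events.append(ReconEvent("update", key, diff))
    for key in sorted(set(known) - set(reported)):
        events.append(ReconEvent("delete", key))
    return events


def unmatched_inserts(events, managed_users):
    """Insert events whose key matches no managed user (candidates for review)."""
    return [e.key for e in events
            if e.kind == "insert" and e.key not in managed_users]


# Constructed sample data: accounts the identity manager knows about ...
KNOWN_ACCOUNTS = {
    "jdoe": {"role": "CONNECT", "status": "OPEN"},
    "asmith": {"role": "DBA", "status": "OPEN"},
}
# ... and what the target resource reports on the next reconciliation run.
REPORTED_ACCOUNTS = {
    "jdoe": {"role": "DBA", "status": "OPEN"},      # privilege changed on the resource
    "tmpadmin": {"role": "DBA", "status": "OPEN"},  # account not known before
}
MANAGED_USERS = {"jdoe", "asmith"}


if __name__ == "__main__":
    found = classify_events(KNOWN_ACCOUNTS, REPORTED_ACCOUNTS)
    for event in found:
        print(event.kind, event.key, event.changes)
    print("unmatched:", unmatched_inserts(found, MANAGED_USERS))
```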


Provisioning: Types

There are two types of provisioning that Oracle Identity Manager performs:
- Day-one provisioning
  - Initial creation of access privileges to resources for users
  - Removal of these privileges from users
- Day-two provisioning
  - Dynamic modification of user privileges with resources, based on changes to user and business requirements


Trusted Source Reconciliation: Conceptual Diagram


Via provisioning and reconciliation, Oracle Identity Manager can build an accurate picture of the user identities that it manages in both a trusted source and a target resource.
[Diagram: reconciliation flow and provisioning flow among an administrator, a trusted source (for example, a corporate directory), a target resource (for example, an Oracle database), and an end user]


Targeted Resource Reconciliation: Conceptual Diagram


Via provisioning and reconciliation, Oracle Identity Manager can build an accurate picture of the user identities it manages in both a trusted source and a target resource.
[Diagram: reconciliation flow and provisioning flow among an end user, a trusted source (for example, a corporate directory), a target resource (for example, an Oracle database), and an administrator]


Oracle Identity Manager Connector: Overview


An Oracle Identity Manager connector is a container that holds all of the information that Oracle Identity Manager needs to:
- Reconcile with an external resource
- Provision a user with a target resource


Oracle Identity Manager Connector: Components

A connector must have the following seven components:
- IT resource type
- IT resource
- Process form
- Process task adapter
- Resource object
- Provisioning process
- Process task


Constructing an Oracle Identity Manager Connector: Step 1


Create an IT resource type. This record represents the classification type, parameter fields, and encryption settings that are associated with a resource.
[Diagram, step 1: IT resource type]


Constructing an Oracle Identity Manager Connector: Step 1

This screenshot illustrates an IT resource type for an Oracle database. There is a one-to-one relationship between the IT resource type and the connector. That is, each connector should have only one IT resource type.


Constructing an Oracle Identity Manager Connector: Step 2


Define an IT resource. This record contains the values that Oracle Identity Manager needs to communicate with a resource and access it as a system administrator (for provisioning or reconciliation purposes).
[Diagram, step 2: IT resource type, IT resource]


Constructing an Oracle Identity Manager Connector: Step 2


This screenshot illustrates an IT resource for an Oracle database. There is a one-to-one relationship between the IT resource and the system, service, or application that it represents. If you have four resources, you would thus have four IT resources.


Constructing an Oracle Identity Manager Connector: Step 3


Create a custom process form. This record is a central housing mechanism that holds everything that Oracle Identity Manager needs to either provision a user to a target resource or reconcile a user with an external resource.
[Diagram, step 3: IT resource type, IT resource, custom process form]


Constructing an Oracle Identity Manager Connector: Step 3


This screenshot illustrates a custom process form for an Oracle database.


Constructing an Oracle Identity Manager Connector: Step 4


Build a process task adapter. This piece of Java code is used by Oracle Identity Manager to automate the completion of a provisioning process task.
[Diagram, step 4: IT resource type, IT resource, custom process form, process task adapter]


Constructing an Oracle Identity Manager Connector: Step 4


A process task adapter automates the creation of a user's account in an Oracle database. There is a one-to-one relationship between the adapter and a process task: each task can be associated with only one adapter.


Constructing an Oracle Identity Manager Connector: Step 5


Define a resource object. This record is a virtual representation of a resource and contains everything needed to either provision a user to that resource or reconcile a user with it.
[Diagram, step 5: IT resource type, IT resource, resource object, custom process form, process task adapter]


Constructing an Oracle Identity Manager Connector: Step 5


Example of a resource object for an Oracle database


Constructing an Oracle Identity Manager Connector: Step 6


Create a provisioning process. This record contains the steps that Oracle Identity Manager must complete to perform provisioning or reconciliation with a particular resource.
[Diagram, step 6: IT resource type, IT resource, resource object, provisioning process, process task adapter, custom process form]


Constructing an Oracle Identity Manager Connector: Step 6


There is a 1-to-1 relationship between a provisioning process and the workflow that it represents. If you have two resource-related workflows, you should have two processes.


Constructing an Oracle Identity Manager Connector: Step 7


Create a process task.
[Diagram, step 7: IT resource type, IT resource, resource object, provisioning process, custom process form, process task, process task adapter]

Constructing an Oracle Identity Manager Connector: Step 7

Example of a process task that Oracle Identity Manager uses to create a user's account in an Oracle database


Constructing an Oracle Identity Manager Connector: Step 8


Attach the process task adapter to the process task.
[Diagram, step 8: IT resource type, IT resource, resource object, provisioning process, custom process form, process task, process task adapter]


Constructing an Oracle Identity Manager Connector: Step 8

Example of a process task adapter being connected to a process task to create a user's account in an Oracle database


Summary

In this lesson, you should have learned how to:
- Describe Oracle Identity Manager and its role in identity management
- Explain the three tiers and components of the Oracle Identity Manager architecture
- List the key features of Oracle Identity Manager with respect to identity management: reconciliation and provisioning
- Explain how Oracle Identity Manager handles reconciliation and provisioning


Summary

In this lesson, you should have learned how to:
- Identify what an Oracle Identity Manager connector is and how it is used by Oracle Identity Manager to perform provisioning and reconciliation actions
- List the components that this connector must have
- Explain the steps that need to be completed to build an Oracle Identity Manager connector


Installing and Configuring Oracle Identity Manager


Objectives

After completing this lesson, you should be able to:
- Prepare a predefined database for Oracle Identity Manager
- Install and deploy your Oracle Identity Manager Diagnostic Dashboard
- Use the dashboard tool to verify that your Oracle database is prepared properly and that Oracle Identity Manager can connect to it
- Install the Oracle Identity Manager Server
- Install the Oracle Identity Manager Design Console
- Perform postinstallation tasks for the Oracle Identity Manager Server and Design Console

Objectives

Use the Diagnostic Dashboard to verify that Oracle Identity Manager is loaded and configured properly


Preparing a Database for Oracle Identity Manager

Oracle Identity Manager requires a database. To use Oracle Database, you must:
- Install Oracle Database
- Create a database instance
- Prepare this database


Preparing a Database for Oracle Identity Manager

With the prepare_xl_db.bat script, administrators can prepare a database for Oracle Identity Manager.

    E:\OIM901_Installation\installServer\Xellerate\db\oracle> prepare_xl_db.bat train91 E:\orant\ora92 sysadm sysadm train91tbs E:\orant\ora92\oradata train91tbs_01 TEMP sys


Oracle Identity Manager Diagnostic Dashboard (Preinstallation)


The Oracle Identity Manager Diagnostic Dashboard is a Web application that can be used to check the preinstallation requirements for Oracle Identity Manager. These requirements include whether:
- An Oracle database is created and prepared properly
- Oracle Identity Manager can establish a connection to this database


Launching the Oracle Identity Manager Diagnostic Dashboard


To launch this tool, enter the appropriate URL in the Address field.


Using the Oracle Identity Manager Diagnostic Dashboard (Preinstallation)

To use this tool, select the check boxes for the tests that you want to perform, enter the test parameters (where applicable), and click Verify.


Using the Oracle Identity Manager Diagnostic Dashboard (Preinstallation)

[Screenshot legend: Test passed, Test failed]


Installing the Oracle Identity Manager Server

The following slides illustrate how to install the Oracle Identity Manager Server. You must install this server on the same machine that is running the JBoss application server.


Installing the Oracle Identity Manager Server: Steps 1-4


Select Oracle Identity Manager with Audit and Compliance module to use the attestation features for audit and compliance purposes.


Installing the Oracle Identity Manager Server: Steps 5-6


Enter the base directory where you install the Oracle Identity Manager Server: E:\OIM901_server.


Installing the Oracle Identity Manager Server: Step 7


Select the Oracle option to configure Oracle Identity Manager to work with an Oracle database.


Installing the Oracle Identity Manager Server: Step 8


Populate the Database Information screen with values that Oracle Identity Manager uses to connect to your Oracle database.


Installing the Oracle Identity Manager Server: Step 9


Select the Oracle Identity Manager Default Authentication option to use predefined settings to authenticate the Administrative Console.


Installing the Oracle Identity Manager Server: Steps 10-11


Select the JBoss option to configure Oracle Identity Manager to work with a JBoss application server.


Installing the Oracle Identity Manager Server: Steps 12-15


Configure Oracle Identity Manager to work with your JBoss application server.


Installing the Oracle Identity Manager Design Console


The following slides illustrate how to install the Oracle Identity Manager Design Console. Note: You do not have to install the Administrative Console. To launch it, start the Oracle Identity Manager Server, open a Web browser, and enter the appropriate URL in the Address field.


Installing the Oracle Identity Manager Design Console: Steps 1-5


Enter the base directory where you install the Design Console: E:\OIM901_client.


Installing the Oracle Identity Manager Design Console: Step 6


Select the JBoss option to configure the Design Console to work with a JBoss application server.


Installing the Oracle Identity Manager Design Console: Step 7


Select this option to configure the Design Console to use the JRE that is packaged with Oracle Identity Manager.


Installing the Oracle Identity Manager Design Console: Step 8


Populate the Application Server configuration screen so that the Design Console works with your JBoss application server.


Installing the Oracle Identity Manager Design Console: Steps 9-12


Configure the Design Console to display approval and provisioning processes in a Web browser.


Performing Postinstallation Tasks for Oracle Identity Manager


The following section covers postinstallation tasks for the Oracle Identity Manager Server and Design Console. In this section of the lesson, you learn about the following tasks:
- Specifying an Oracle Identity Manager log level for the JBoss application server
- Making the Design Console operable by copying a JAR file into the appropriate Oracle Identity Manager directory


Setting Oracle Identity Manager Log Levels for JBoss


Oracle Identity Manager supports five log levels:
- DEBUG
- INFO
- WARN
- ERROR
- FATAL

The levels are listed here in descending order according to the amount of information logged. Thus, DEBUG logs the most information and FATAL logs the least information.


Setting Oracle Identity Manager Log Levels for JBoss


In the priority value tag, you can set the log level for the JBoss application server to DEBUG, INFO, WARN, ERROR, or FATAL.

<category name="XELLERATE">
  <priority value="WARN" />
</category>
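The following check is an added example, not part of the Oracle course material: it reads a log4j-style XML configuration, finds the XELLERATE category, confirms that its priority is one of the five supported levels, and reports which levels will be written at that threshold. The sample configuration is constructed, and the `most_verbose_allowed` policy threshold is an assumption introduced for illustration.

```python
import xml.etree.ElementTree as ET

# The five levels listed in the lesson, most verbose first.
LEVELS = ["DEBUG", "INFO", "WARN", "ERROR", "FATAL"]

# Constructed sample configuration (not taken from a real server).
SAMPLE_CONFIG = """<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <category name="org.apache">
    <priority value="INFO" />
  </category>
  <category name="XELLERATE">
    <priority value="WARN" />
  </category>
</log4j:configuration>
"""


def category_level(config_xml, category="XELLERATE"):
    """Return the configured level for a category, or None if it is absent."""
    root = ET.fromstring(config_xml)
    for node in root.iter("category"):
        if node.get("name") != category:
            continue
        priority = node.find("priority")
        if priority is None:
            raise ValueError(f"category {category!r} has no <priority> tag")
        level = (priority.get("value") or "").strip().upper()
        if level not in LEVELS:
            raise ValueError(f"unsupported log level {level!r} for {category!r}")
        return level
    return None


def emitted_levels(threshold):
    """Levels that are written when the category is set to `threshold`."""
    return LEVELS[LEVELS.index(threshold):]


def audit(config_xml, most_verbose_allowed="INFO"):
    """Check the XELLERATE level against a site policy.

    `most_verbose_allowed` is a hypothetical policy value: the most verbose
    level the site accepts outside of troubleshooting.
    """
    level = category_level(config_xml)
    if level is None:
        # No explicit category: the effective level is inherited, so flag it.
        return {"level": None, "emits": [], "ok": False}
    ok = LEVELS.index(level) >= LEVELS.index(most_verbose_allowed)
    return {"level": level, "emits": emitted_levels(level), "ok": ok}


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```
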


Making the Design Console Functional

Copy the jbossall-client.jar file and paste it into the E:\OIM901_client\xlclient\ext directory.


Oracle Identity Manager Diagnostic Dashboard (Postinstallation)


The Diagnostic Dashboard can be used to:
- Check preinstallation requirements for Oracle Identity Manager
- Perform postinstallation checks and create reports to ensure that the Oracle Identity Manager environment is installed and configured properly


Diagnostic Dashboard: Postinstallation Checks

You can use the Diagnostic Dashboard after installation to determine whether:
- An Oracle Identity Manager user account is locked because of successive invalid login attempts
- The data encryption key in your Oracle Identity Manager installation is identical to the one used to encrypt the data in your Oracle Identity Manager database
- The scheduler service is running
- Oracle Identity Manager can communicate with remote managers


Diagnostic Dashboard: Postinstallation Checks

You can use the Diagnostic Dashboard after installation to determine whether:
- Oracle Identity Manager can submit and process a Java Messaging Service (JMS) message
- Single Sign-On (SSO) is configured properly for Oracle Identity Manager


Diagnostic Dashboard: Reports

You can use the Diagnostic Dashboard to create reports that display the following information about your Oracle Identity Manager environment:
- System properties that are associated with all Java Virtual Machines
- Information about the version numbers of the library and extension files
- Detailed (or manifest) information about the library and extension files


Using the Oracle Identity Manager Diagnostic Dashboard (Postinstallation)


To use the Diagnostic Dashboard, launch it. Select the check boxes for the tests that you want to perform, and then click Verify.


Summary

In this lesson, you should have learned how to:
- Configure a preexisting Oracle database so that it works properly with Oracle Identity Manager
- Load and start the Oracle Identity Manager Diagnostic Dashboard
- Use the dashboard to ensure that the database is prepared correctly and that Oracle Identity Manager can connect to it
- Install the Oracle Identity Manager Server and Design Console
- Set an Oracle Identity Manager log level for the JBoss application server

Summary

In this lesson, you should have learned how to:
- Make the Design Console functional by copying a JAR file into an Oracle Identity Manager directory
- Use the Diagnostic Dashboard to verify that your Oracle Identity Manager environment is installed and configured correctly


Practice 3 Overview: Installing and Configuring Oracle Identity Manager


This practice covers the following topics:
- Preparing a database for Oracle Identity Manager
- Installing and deploying the Oracle Identity Manager Diagnostic Dashboard
- Using the dashboard to verify that the database is prepared properly and that Oracle Identity Manager can connect to it
- Installing and configuring an Oracle Identity Manager Server and an Oracle Identity Manager Design Console
- Using the Diagnostic Dashboard to verify that the Oracle Identity Manager environment is installed and configured properly

Starting and Understanding Oracle Identity Manager's Consoles


Objectives

After completing this lesson, you should be able to:
- Launch the Oracle Identity Manager Server
- Start the two Oracle Identity Manager consoles (the Administrative Console and the Design Console)
- Differentiate between the two consoles
- Explain the links on the Administrative Console


Launching the Oracle Identity Manager Server


Double-click the xlStartServer.bat command script, which resides in the E:\OIM901_server\xellerate\bin directory on your machine.


Launching the Oracle Identity Manager Administrative Console


Open the login page and enter the appropriate credentials in the User ID and Password fields. Then click Login.


Launching the Oracle Identity Manager Design Console


Open the login window and enter the appropriate credentials in the User ID and Password fields. Then click Login.


Oracle Identity Manager Consoles

Developers use the Design Console to build Oracle Identity Manager connectors.


Oracle Identity Manager Consoles

Administrators use the Administrative Console to manage Oracle Identity Manager connectors.


Administrative Console: My Account Link

With the My Account link, administrators view and modify their account information, reset a password, and designate a proxy.


Administrative Console: My Resources Link

With the My Resources link, administrators view, create, and modify information about requests and resources.


Administrative Console: Requests Link


With the Requests link, administrators create and track requests of resources for other Oracle Identity Manager users, as well as manage approval tasks.


Administrative Console: To-Do List Link

With the To-Do List link, administrators can handle all tasks that require their attention.


Administrative Console: Users Link

With the Users link, administrators create and manage records for Oracle Identity Manager users.


Administrative Console: Organizations Link


With the Organizations link, administrators create and manage records for Oracle Identity Manager organizational units.


Administrative Console: User Groups Link

With the User Groups link, administrators create and manage records for user groups.


Administrative Console: Access Policies Link

With the Access Policies link, administrators create and manage access policies.


Administrative Console: Resource Management Link


With the Resource Management link, administrators manage resources for a user or organization.


Administrative Console: Deployment Management Link


With the Deployment Management link, administrators transfer connectors from one environment to another.


Administrative Console: Reports Link

With the Reports link, administrators create operational and historical reports.


Administrative Console: Attestation Link

With the Attestation link, administrators can create and manage an attestation process.


Administrative Console: Help Link


With the Help link, administrators can view an online version of the Oracle Identity Manager Administrative Console and User Guide.


Summary

In this lesson, you should have learned how to:
- Start the Oracle Identity Manager Server, the Administrative Console, and the Design Console
- Identify the two consoles, including the differences between them
- Provide a thorough discussion of the links on the Administrative Console


Practice 4 Overview: Starting and Understanding Oracle Identity Manager's Consoles


This practice covers the following topics:
- Launching the Oracle Identity Manager Server
- Launching the Oracle Identity Manager Administrative Console
- Launching the Oracle Identity Manager Design Console


Managing Users and User Entities


Objectives

After completing this lesson, you should be able to:
- Explain the three types of Oracle Identity Manager users: system administrators, administrators of Oracle Identity Manager connectors, and end users
- Discuss the entities of which an Oracle Identity Manager user can be a member (that is, organizations and user groups)
- Differentiate between an organization and a user group
- Create records for an organization, the three types of Oracle Identity Manager users, and a user group
- Assign an Oracle Identity Manager user to a user group


Objectives

In addition, you should be able to explain:
- How administrators view and modify their profiles in Oracle Identity Manager
- How administrators change their challenge questions and, as a result, reset their passwords
- What a proxy is
- How administrators assign, modify, and remove proxies
- How administrators see the resources that are provisioned to them
- How administrators see requests that are initiated by them and requests that require their approval

Oracle Identity Manager Users: Three Types

- System administrators: Users who have both read access and write access to all forms and records in Oracle Identity Manager
- Administrators of Oracle Identity Manager connectors: Users who have read- and write-access rights to their own user profiles (and the records associated with them), as well as the profiles and records of any end users whom they supervise
- End users: Users who are recipients of the resources that are provisioned to them by Oracle Identity Manager. They have read-access rights to their own user profile (and the records associated with it).


Oracle Identity Manager User Entities: Two Types


- Organization: Record that represents a unit in a company's hierarchy (for example, a department, division, or cost center)
- User group: Collection of one or more Oracle Identity Manager users who share some common functionality, such as access rights, roles, or permissions for resources

[Figure labels: Organization, User groups, User]

Creating Oracle Identity Manager Users and User Entities


The following slides illustrate how to create:
- Organizations
- Three types of Oracle Identity Manager users
- User groups

In addition, you learn how to assign a user to a group and perform various administrative functions for a user.


Creating an Organization

Example: Creating an organization named Curriculum Dev. The organization's classification type is Department.


Creating a User

Example: Creating a user named Robert La Vallie


Creating a User Group

Example: Creating a user group named Oracle 10g Approvers


Assigning a User to a User Group

Example: Assigning the user named Robert La Vallie to the ORACLE 9i USERS group


Viewing Your Profile

Administrators can see basic information about their user accounts. This example shows the profile of the administrator named Pauline Sammut.


Modifying Your Profile

Administrators can change basic information about their user accounts. This example illustrates modifying the profile of the administrator named Pauline Sammut.


Changing Your Challenge Questions and Answers


Administrators can change their challenge questions and answers.


Resetting Your Password

Administrators can reset their passwords. This example illustrates resetting an administrator's password.


Proxies: Overview

Administrators can delegate any task approval responsibilities for which they are unavailable (because of illness, vacation, and so on) to another administrator. This delegated administrator is known as a proxy.


Assigning a Proxy

Administrators can assign proxies. This example illustrates assigning a proxy named Leonard Agneta to an administrator.


Modifying a Proxy

Administrators can modify their proxies. This example illustrates modifying the proxy named Leonard Agneta for an administrator.


Removing a Proxy

Administrators can remove their proxies. This example illustrates removing the proxy named Leonard Agneta from an administrator.


Viewing Your Resources

Administrators can see the resources that are provisioned to them. This example shows that a resource named Oracle RO is provisioned to an administrator.


Viewing Your Requests

Administrators can see the requests that they initiate as well as requests that require their approval.


Summary

In this lesson, you should have learned how to:
- Create system administrators, administrators of Oracle Identity Manager connectors, and end users
- Create organizations and user groups
- Differentiate between an organization and a user group
- Assign a user to a user group
- View and modify an administrator's profile in Oracle Identity Manager
- Change an administrator's challenge questions and answers
- Reset an administrator's password


Summary

In this lesson, you should have learned how to:
- Assign, modify, and remove a proxy for an administrator
- See the resources that are provisioned to an administrator
- View, track, and approve requests generated by and for an administrator


Practice 5 Overview: Managing Users and User Entities


This practice covers the following topics:
- Creating records for an organization, a user group, and the three types of Oracle Identity Manager users
- Assigning an Oracle Identity Manager user to a group
- Viewing and modifying the profile of an Oracle Identity Manager administrator
- Changing challenge questions and answers and, as a result, resetting the password of an administrator
- Assigning, modifying, and removing a proxy for an administrator
- Viewing the resources and requests that are associated with an administrator

Assigning Oracle Identity Manager Connectors to Users


Objectives

After completing this lesson, you should be able to do the following:
- Identify resources and Oracle Identity Manager connectors
- Explain how Oracle Identity Manager connectors differ from resources
- Discuss the three ways in which a connector can be assigned to an Oracle Identity Manager user


Resources

A resource is an external system, service, or application with which Oracle Identity Manager communicates to perform either provisioning or reconciliation.

[Figure labels: Server, Messaging applications, Operating systems]

Examples of Resources

Examples of resources include the following:
- Collaboration and messaging applications: Microsoft Exchange 3.3; Novell GroupWise 2.1
- Database servers: Oracle9i Database Enterprise Edition; Oracle Database 10g; MS SQL Server 2000
- Directory servers: MS Active Directory 4.4; Novell eDirectory 2.1; Oracle Internet Directory 1.1; Sun Java System Directory Server 4.1
- Enterprise applications: Oracle E-Business Suite 2.1; PeopleSoft Enterprise Applications 3.0; SAP Enterprise Applications 3.0
- Operating systems: Microsoft Windows 2.1; UNIX 4.1

Examples of Resources

- Security managers: IBM RACF 1.1; RSA Authentication Manager 4.1
- Web access control applications: RSA ClearTrust 3.0


Oracle Identity Manager Connectors

An Oracle Identity Manager connector is a container that holds all of the information that Oracle Identity Manager needs to:
- Reconcile with an external resource
- Provision a user with a target resource

In short, each resource is represented in Oracle Identity Manager by a corresponding connector.


How Connectors Differ from Resources

Assigning a connector to a user does not necessarily mean that the related resource is provisioned to the user. For provisioning to occur, you must:
- Populate the fields of the custom process form that is contained in your connector
- Save this information to your Oracle Identity Manager database


How Connectors Are Assigned to Users

There are three ways that an Oracle Identity Manager connector can be assigned to a user:
- Through direct provisioning
- Via criteria (autogroup membership rules and access policies)
- By requests

The following slides illustrate the three ways that a connector can be assigned to a user.


Assigning Connectors to Users: Direct Provisioning


The graphic in this slide illustrates how a connector can be assigned to an Oracle Identity Manager user through direct provisioning.

[Figure labels: Administrator, Connector, End user]

Assigning Connectors to Users: Criteria

The graphic in this slide illustrates how a connector can be assigned to an Oracle Identity Manager user via criteria (autogroup membership rules and access policies).

[Figure labels: Administrator, Autogroup rule, User group, Access policy, Approver, Approval process, Connector, End user]

Assigning Connectors to Users: Requests

The graphic in this slide illustrates how a connector can be assigned to an Oracle Identity Manager user by a request.
[Figure labels: Request, Administrator, Approver, Approval process, Connector, End user]

Direct-Provisioning a Connector to a User

This example illustrates using direct provisioning to assign a connector to the end user named Leonard Agneta.


Using Criteria to Assign a Connector to a User

Another way to assign a connector to an end user is for Oracle Identity Manager to evaluate criteria about the user. These criteria include an autogroup membership rule and an access policy. For this to occur, you need to complete the following steps:
1. Assign an autogroup membership rule to a user group. As a result, Oracle Identity Manager can add the end user to the group.
2. Build the access policy. Oracle Identity Manager allocates the connector to the user because the user belongs to the user group.


Assigning an Autogroup Membership Rule to a User Group


This example illustrates assigning an autogroup membership rule to the Developers user group.


Creating an Access Policy

This example illustrates creating an access policy for the Developers user group.


Using a Request to Assign a Connector to a User

This example illustrates using a request to assign the Oracle RO connector to the user with the ID of LAGNETA.


Summary

In this lesson, you should have learned how to:
- Identify resources and Oracle Identity Manager connectors
- Differentiate between Oracle Identity Manager connectors and resources
- Assign an Oracle Identity Manager connector to a user through direct provisioning, criteria (specifically, autogroup membership rules and access policies), and requests


Practice 6 Overview: Assigning Oracle Identity Manager Connectors to Users


This practice covers assigning an Oracle Identity Manager connector to a user in three ways:
- Direct provisioning
- Autogroup membership rules and access policies
- Requests


Provisioning Resources to Users


Objectives

After completing this lesson, you should be able to:
- See how administrators of Oracle Identity Manager connectors can view a graphical representation of a provisioning workflow
- Analyze what approval processes are and how they impact a provisioning workflow
- Identify the key features of autoprovisioning


Objectives

Discuss other day-two provisioning functions that an administrator of an Oracle Identity Manager connector can perform. These functions include:
- Temporarily deactivating an end user's account with a resource
- Reinstating an end user's account
- Modifying the password of an end user's account
- Permanently revoking the access rights that an end user has with the resource


Graphical Workflow Definition Renderer: Overview


The Graphical Workflow Definition Renderer tool enables Oracle Identity Manager administrators to see a visual representation of the connector's provisioning workflow.


Viewing a Graphical Representation of a Provisioning Workflow


This screenshot is a visual representation of the DataBase Access (Login) provisioning process via the Graphical Workflow Definition Renderer.


Graphical Workflow Definition Renderer: High-Level Information


This example shows top-level information about the DataBase Access (Login) provisioning process.


Graphical Workflow Definition Renderer: Features

Features of the Graphical Workflow Definition Renderer include:
- Dragging and dropping the components that appear in the workflow (for visibility purposes)
- Customizing the items that can be displayed in the workflow
- Saving the current state of the workflow as an image
- Refreshing the workflow


Graphical Workflow Definition Renderer: Provisioning Tab


This tab displays all process tasks that are used to give a user access rights to a resource. In this example, the Create Login task is used to provision a user to an Oracle database.


Graphical Workflow Definition Renderer: Reconciliation Tab


This tab displays the tasks and flow of the reconciliation events associated with a provisioning process. In this example, the Reconciliation Insert event is displayed.


Graphical Workflow Definition Renderer: Resource Event Tab


This tab displays all workflows associated with changes to a user's access rights with a resource. The Enable Login workflow reinstates the user's access to the resource.


Graphical Workflow Definition Renderer: Form Event Tab


This tab displays workflows associated with changes to data in the process form attached to the provisioning process. The Password Updated workflow modifies the user's password on the target resource.


Approval Processes: Overview

An approval process is used to approve the provisioning of a representative resource for a user. Approval processes are usually completed manually whereas provisioning processes are typically completed automatically. To complete an approval process, certain tasks must be completed. Although a connector is not required to have an approval process, it must have at least one provisioning process.


Completing an Approval Process

In this example, the user who belongs to the US_ORACLE_RO_APPROVERS group approves the allocation of the Oracle RO connector for the user named Jill James.


Types of Provisioning

- Manual provisioning
- Autoprovisioning


Manual Provisioning

An administrator of an Oracle Identity Manager connector completes the custom process form and saves the values to the database. Manual intervention is required by the administrator for provisioning to occur.


Autoprovisioning

Autoprovisioning is the Oracle Identity Manager process of:
- Populating a custom process form of a connector
- Saving the values in the form to its database
- Using these values to provision an end user with a resource

With autoprovisioning, Oracle Identity Manager provisions the corresponding resource to an end user after the connector is assigned to the user.


Day-Two Provisioning Functions

Oracle Identity Manager is an application that can handle day-two provisioning functions, including:
- Temporarily disabling an end user's account with an external resource
- Reinstating the user's account with the resource
- Modifying the password of the user's account
- Permanently revoking the access rights that the user has with the resource


Day-Two Provisioning Functions: Disabling a User's Account

In this example, an administrator disables Robert La Vallie's account with an external resource. As a result, Oracle Identity Manager temporarily deactivates this user's account.


Day-Two Provisioning Functions: Reinstating the User's Account

In this example, an administrator enables Robert La Vallie's account with an external resource. As a result, Oracle Identity Manager reinstates this user's account.


Day-Two Provisioning Functions: Modifying the User's Password

In this example, an administrator modifies the password of Robert La Vallie's account with an external resource.


Day-Two Provisioning Functions: Deleting the User's Account

In this example, an administrator deletes Robert La Vallie's account with an external resource. As a result, Oracle Identity Manager permanently revokes the access rights that this user has with the resource.


Summary
In this lesson, you should have learned how to:
- View a graphical representation of a provisioning workflow in Oracle Identity Manager
- Discuss approval processes, including how they affect a provisioning workflow
- Complete an approval process
- Analyze autoprovisioning
- Perform day-two provisioning functions, including:
  - Disabling an end user's account with an external resource
  - Reinstating the account
  - Modifying the password of the user who is accessing the account
  - Deleting the user's account with the resource

Practice 7 Overview: Provisioning Resources to Users


This practice covers the following topics:
- Completing the approval process of an Oracle Identity Manager connector
- Direct-provisioning a connector to an end user
- Temporarily disabling an end user's account with an external resource
- Reinstating the user's account with the resource
- Modifying the password of the user's account
- Permanently revoking the access rights that the user has with the account


Customizing the Oracle Identity Manager Administrative Console


Objectives

After completing this lesson, you should be able to:
- Identify the two levels of customization for the Oracle Identity Manager Administrative Console
- Modify the look and feel of the console to brand it for your company
- Change the functionality of the console without modifying the Oracle Identity Manager code
- Explain why the code should never be changed


Levels of Customization

There are two levels of customization that an administrator should perform with the Oracle Identity Manager Administrative Console:
- Modifying the look and feel of the console (that is, branding it)
- Changing the functionality of the console without modifying the Oracle Identity Manager code


Branding the Console

There are different ways to brand the Administrative Console, including:
- Customizing the overall layout of the Web pages of the console
- Modifying the descriptive text and labels that appear on the Web pages of the console
- Replacing company and product logos with your own icons
- Changing the color, font, and alignment of text


Changing the Functionality

There are different ways to change the functionality of the Administrative Console without changing the code, including:
- Customizing the self-registration process for creating a user's account
- Configuring how users can modify the profiles of their accounts
- Customizing the behavior of the fields that appear on the Web pages of this console
- Setting the menu items that are available to users who belong to a particular group
- Customizing search pages

Customizing the Overall Layout of a Web Page

In this example, you customize the general layout of a Web page by displaying the company logo at the right side of the header banner.


Adding Logos

In this example, you replace the product's default logo with your own company logo.


Modifying Text and Labels

In this example, you modify the text and label of the Search User button that appears on the Manage User form.


Customizing Colors, Font, and Alignment of Text


In this example, you modify the color, font, and alignment of the text that appears in the footer banner of the console.


Customizing the Self-Registration Process

In this example, you change the Middle Name field of the User Self-Registration form from optional to mandatory.


Customizing the Behavior of a Form Field

In this example, you change the Email Address field of the Create User form from optional to mandatory.


Customizing Menu Items for User Groups

In this example, you add menu items associated with deploying Oracle Identity Manager connectors to users (such as Dawn Jones) who belong to a particular group.


Customizing Search Pages

In this example, you customize the search pages of your console by reducing (from 10 to 5) the maximum number of search results that can appear on a Web page.


Summary

In this lesson, you should have learned how to:
- Differentiate between the two levels of customization for the Oracle Identity Manager Administrative Console
- Brand the console
- Change the functionality of the console without modifying the Oracle Identity Manager code
- Explain why the code should never be changed


Practice 8 Overview: Customizing the Oracle Identity Manager Administrative Console


This practice covers the following topics:
- Branding the Oracle Identity Manager Administrative Console
- Changing the functionality of the console without modifying the Oracle Identity Manager code


Transferring Oracle Identity Manager Connectors


Objectives

After completing this lesson, you should be able to do the following:
- Describe the benefits of transferring Oracle Identity Manager connectors from one environment to another
- Identify the different ways that connectors can be transported between environments
- Explain how to export a connector
- Discuss how to import a different connector and configure it so that it is operable in your environment


Transferring Oracle Identity Manager Connectors: Benefits


Benefits of transferring Oracle Identity Manager connectors from one environment to another:
- Efficiency
- Error reduction


Transferring Oracle Identity Manager Connectors: Ways


- Transfer a component of a connector or an entire connector from one environment to another
- Transport multiple Oracle Identity Manager connectors between environments simultaneously


Exporting Oracle Identity Manager Connectors

To export an Oracle Identity Manager connector so that it is operable in another environment:
1. Build an *.xml file that contains the components of your connector.
2. Export this file into a designated location that can be accessed from your home or office environment.


Exporting Oracle Identity Manager Connectors

In this example, you export the Oracle RO connector.


Using Oracle Identity Manager Connectors: Setup


The following steps show you how to set up and run an Oracle Identity Manager connector so that it is operable in your environment.
1. Import the *.xml file that contains the designated Oracle Identity Manager connector.
2. Paste any external JAR files into their designated locations.
3. Recompile the adapters that are contained in your Oracle Identity Manager connector.
4. Define IT resources for the specific machines, applications, or services that are represented by your connector.


Using Oracle Identity Manager Connectors: Run Time


5. Assign the Oracle Identity Manager connector to a user.
6. Populate the fields of the custom process form that is contained in your connector. Then save this information to the database.
7. Verify that the login credentials you entered in the custom form can be used to access the external resource (that is, an Oracle database).


Step 1: Importing Oracle Identity Manager Connectors


In this example, you import a connector into your Oracle Identity Manager environment.


Step 2: Pasting the JAR Files


Copy the xliDatabaseAccess.jar file (which resides in your E:\OIM901_files directory) and paste it into your E:\OIM901_server\xellerate\JavaTasks directory.


Step 3: Recompiling the Adapters

The Adapter Manager form is used to compile multiple adapters simultaneously.


Step 4: Defining the IT Resources


An IT resource is an instance that contains the values that Oracle Identity Manager needs to:
- Communicate with an external resource (in this case, an Oracle database)
- Access the external resource as an administrator (for provisioning purposes)


Step 5: Assigning a Connector to a User

In this example, you assign an Oracle Identity Manager connector to a user.


Step 6: Completing the Custom Process Form

The values in the custom process form represent the login credentials of the target user that Oracle Identity Manager passes into the corresponding external resource (in this case, an Oracle database).


Step 7: Accessing the Database

This screenshot illustrates a successful login to your Oracle SQL*Plus client. It indicates that the designated user is provisioned with the external resource (in this case, an Oracle database).


Summary

In this lesson, you should have learned how to:
- Describe the benefits and different ways of transferring Oracle Identity Manager connectors between environments
- Discuss how to export an Oracle Identity Manager connector
- Explain how to import a different Oracle Identity Manager connector and configure it so that it works in your environment


Practice 9 Overview: Transferring Oracle Identity Manager Connectors


This practice covers exporting an *.xml file that contains your Oracle Identity Manager connector.


Creating Reports


Objectives

After completing this lesson, you should be able to do the following:
- Identify the two types of reports that an administrator can create for Oracle Identity Manager users: operational reports and historical reports
- Differentiate between these two types of reports
- List the different operational and historical reports that are available with Oracle Identity Manager
- Discuss additional reports that can be created by using a third-party tool (such as Crystal Reports)
- Create operational and historical reports with the Oracle Identity Manager Administrative Console

Operational and Historical Reports

An administrator can create two types of reports for Oracle Identity Manager users:
- Operational reports: Information about resources that a user can access (current data)
- Historical reports: Information about resources that are associated with a user throughout that user's employment with the company (life-cycle data)


Operational Reports: Types

There are four types of operational reports:
- Who Has What
- Resource Access List
- Entitlements Summary
- Policy List


Historical Reports: Types

There are five types of historical reports:
- User Resource Access History
- Resource Access List History
- User Profile History
- User Membership History
- Group Membership History


Other Reports: Types

An administrator can create the following eight additional reports by using a third-party reporting tool.
- Who Has What: Lists the users and the resources with which they are provisioned
- Direct Provisioned: Shows the following information:
  - Resources that are directly provisioned to the target users
  - User who directly provisioned the resources for the target users
  - Users who received the resources


Other Reports: Types


- Requests Made: Displays requests that are created by users
- Active Queue: Subset of the Requests Made report; lists the requests that are approved by users
- Requests Executed: Subset of the Active Queue report; shows the requests that are executed by Oracle Identity Manager
- Reconciled Apps: Lists the successful events that are associated with reconciliation
- Reconciled Users: Displays the users who are added to Oracle Identity Manager through reconciliation
- Unreconciled Data: Shows the reconciliation events that could not be matched to a specific user, organization, or provisioning process

Creating a Who Has What Operational Report

In this example, you create a Who Has What operational report for the user with the ID of RLAVALLI.


Creating a Resource Access List Operational Report


In this example, you create a Resource Access List operational report for the Oracle RO resource.


Creating an Entitlements Summary Operational Report


In this example, you create an Entitlements Summary operational report. DataBase Access (Login) is the designated resource and Revoked is the associated status level (or entitlement).


Creating a Policy List Operational Report

In this example, you create a Policy List operational report. Users Access Policy is the designated policy and Oracle 9i Users is the target user group.


Creating a User Resource Access History Historical Report


In this example, you create a User Resource Access History historical report for the user with the ID of RLAVALLI.


Creating a Resource Access List History Historical Report


In this example, you create a Resource Access List History historical report for the Oracle RO resource.


Creating a User Profile History Historical Report


In this example, you create a User Profile History historical report for the user with the ID of RLAVALLI.

[Screenshot callouts: Current e-mail address; Original e-mail address]


Creating a User Membership History Historical Report


In this example, you create a User Membership History historical report for the user with the ID of RLAVALLI.


Creating a Group Membership History Historical Report


In this example, you create a Group Membership History historical report for the Oracle 9i Approvers user group.


Summary

In this lesson, you should have learned how to:
- Identify operational reports and historical reports (and the differences between them)
- List the different operational and historical reports that are available with Oracle Identity Manager
- Discuss additional reports that can be created by using a third-party tool (such as Crystal Reports)
- Create operational and historical reports with the Oracle Identity Manager Administrative Console


Practice 10 Overview: Creating Reports


This practice covers creating the following types of reports:
- Operational reports: Who Has What, Resource Access List, Entitlements Summary, Policy List
- Historical reports: User Resource Access History, Resource Access List History, User Profile History, User Membership History, Group Membership History

Understanding Attestation


Objectives

After completing this lesson, you should be able to:
- Define attestation and attestation processes, including the fundamental components of an attestation process
- Describe the types of users who analyze, create, and manage attestation processes
- Identify the types of data that can be attested
- Discuss the different ways that attestation processes can be executed (that is, the schedule for attestation processes)
- Explain the workflow of an attestation process from beginning to end


Attestation

- Mechanism by which Oracle Identity Manager users are notified periodically of a report they must review
  This report outlines the provisioned resources that certain users have.
- Process of authorizing established internal controls, processes, and policies for user-related and transactional-related data


Attestation Processes

An attestation process is the framework by which an attestation workflow is set up and created. It contains the following run-time components:

User + Data + Schedule


Attestation Process: Users

Four types of users analyze, create, and manage attestation processes:

Compliance manager

System administrator

Process owner

Reviewer


Attestation Process: Data

Two types of data can be attested:
- Oracle Identity Manager users and the resources they can access
- Fine-grained privileges that determine how a user should be entitled to a resource


Attestation Process: Schedule

All activities that are associated with an attestation process can be:
- Run at a periodic interval (for example, every three months)
- Executed on demand


Attestation Process: Workflow


[Figure: attestation process workflow. Elements shown: Oracle Identity Manager repository, schedule, data, e-mail notification, reviewer, process owner. Reviewer actions shown: Certify, Decline, Reject, Delegate.]


Summary

In this lesson, you should have learned how to:
- Identify attestation and attestation processes, including the primary components of an attestation process
- Describe the users, data, and schedules that are associated with attestation processes
- Explain how an attestation process works from beginning to end


Creating, Managing, and Reviewing Attestation Processes

Copyright 2006, Oracle. All rights reserved.

Objectives

After completing this lesson, you should be able to:
- Configure your Oracle Identity Manager environment so that it can handle attestation processes
- Create an attestation process through the Oracle Identity Manager Administrative Console
- Access the Administrative Console as a reviewer and act on an attestation process that is assigned to you: certify it, decline it, reject it, or delegate it to another reviewer
- Access this console as a process owner and view information about the attestation process, including its status: whether it is certified, rejected, declined, or delegated to another reviewer

Configuring an Attestation Process

There are six steps in setting up an attestation process:
1. Configuring your Oracle Identity Manager environment so that its attestation features are available
2. Configuring the resource object of your connector so that its data can be reviewed during an attestation process
3. Configuring the process form of your connector so that its data is available for review during an attestation process
4. Assigning a manager to the user who is the recipient of the target resource (This manager is responsible for reviewing the attestation process for the user.)


Configuring an Attestation Process

5. Assigning menu items to the following user groups:
   - User group that is responsible for creating and managing the attestation process (that is, the process owner group)
   - User group that is responsible for reviewing the attestation process (the reviewer group)
6. Assigning administrative privileges and permissions to each of these groups


Installing the Oracle Identity Manager Server

By selecting this option, you can use the attestation features of Oracle Identity Manager for audit and compliance purposes.


Configuring the Resource Object

Select the Financially Significant check box of your connector's representative resource object in the Design Console.


Configuring the Process Form

Set the value of this record to Resource Form in the Design Console.


Assigning a Manager to a User

Assign the manager with the ID of TJONES to the end user named Robert La Vallie. This manager is responsible for reviewing the attestation process for the user.


Assigning Menu Items to User Groups

Assign menu items to users who belong to the IT group. This group represents the users who are responsible for creating and managing attestation processes.


Assigning Menu Items to User Groups

Assign a menu item to users who belong to the Managers group. This group represents the users who are responsible for reviewing attestation processes.


Assigning Administrative Privileges and Permissions for User Groups


Assign administrative privileges and permissions to users who belong to the IT group. This group represents the users who are responsible for creating and managing attestation processes.


Creating an Attestation Process

There are five stages in creating an attestation process:
1. Defining high-level information about the attestation process
2. Defining the scope and reviewer for the attestation process
3. Defining the administrative details of the attestation process
4. Verifying the information of the attestation process
5. Assigning groups of users to the attestation process who are responsible for reviewing and managing it


Stage 1: Defining High-Level Information

On the Define Process screen, you specify high-level information about the attestation process.


Stage 2: Defining the Scope and Reviewer


On the Define Attestation Scope And Reviewer screen, you specify how a user should have access rights to a resource (that is, the scope) and the reviewer for the attestation process.


Stage 3: Defining the Administrative Details

On the Define Administrative Details screen, you specify how often the attestation process should be run. You also specify its process owner group.


Stage 4: Verifying the Information

On the Verify Info Page screen, you ensure that the information in the attestation process is correct.


Stage 5: Assigning Groups

On the Administrative Groups screen, you assign groups of users who are responsible for reviewing and managing the attestation process.


Reviewer Actions for an Attestation Process

As a reviewer of an attestation process, you can perform one of the following actions with it:
- Delegate it to another reviewer
- Reject it
- Certify it
- Decline to act on it


Reviewing an Attestation Process

As a reviewer, you perform an action on an attestation process. You can certify, reject, or decline an attestation process or can delegate it to another reviewer.


Process Owner Actions for an Attestation Process


As the owner of an attestation process, you can view the following information about it:
- High-level and detailed information
- The date and time when the attestation process is submitted to a reviewer
- The reviewer who received the attestation process
- The status of the attestation process (that is, whether the reviewer certified it, rejected it, declined it, or delegated it to another reviewer)
- The delegation path (if the attestation process is delegated to another reviewer)


Viewing an Attestation Process

As a process owner, you can view both high-level and detailed information about an attestation process.


Summary

In this lesson, you should have learned how to:
- Configure your Oracle Identity Manager environment so that it can handle attestation processes
- Create an attestation process with the Oracle Identity Manager Administrative Console
- Act on an attestation process as a reviewer: certify it, decline it, reject it, or delegate it to another reviewer
- View information about an attestation process as a process owner, including its status: whether it is certified, rejected, declined, or delegated to another reviewer


Practice 12 Overview: Creating, Managing, and Reviewing Attestation Processes


This practice covers the following topics:
- Setting up your environment so that you can create attestation processes
- Using the Oracle Identity Manager Administrative Console to create an attestation process
- Acting on an attestation process (for example, certifying it)
- Viewing both high-level and detailed information about an attestation process


Troubleshooting Oracle Identity Manager


Objectives

After completing this lesson, you should be able to troubleshoot problems that administrators commonly encounter with Oracle Identity Manager. These problems are fixed through the use of disaster-recovery procedures.


Increasing the Size of the Java Pool

Problem: After launching the Oracle Identity Manager Diagnostic Dashboard, the Database Prerequisites Check fails. The reason for the failure is that the current Java pool size of your Oracle database is 32 MB. As a result, it does not meet the minimum requirement of 60 MB.

Solution:
1. Stop the Oracle Identity Manager Server.
2. Access the database by using the Oracle Enterprise Manager Console.
3. Click the Instance subnode. A Configuration form is nested in this node.


Increasing the Size of the Java Pool

4. Click the Configuration form (to make it active).
5. In this form, select the Memory tab. In the Java Pool field, enter 60. Then click the Apply button that appears on this tab. A Shutdown Options window appears.
6. In the Shutdown Options window, select the Immediate option. Then click OK. Your database is shut down and restarted so that the changes to your Java pool can be registered.
7. Close the Oracle Enterprise Manager Console.
8. Restart the Oracle Identity Manager Server.


Changing the Authentication Mode

Problem: After installing Oracle Identity Manager, you want to change the authentication mode from the application's default setting to Single Sign-On (SSO).

Solution:
1. Stop the Oracle Identity Manager Server.
2. Use a text editor to open the xlconfig.xml file, which is located in the E:\OIM901_Server\xellerate\config directory.
3. Look for the following piece of code:
   <Authentication>Default</Authentication>


Changing the Authentication Mode

4. Replace the Default value with the name of the header value configured in the SSO system.
5. Save your changes.
6. Restart the Oracle Identity Manager Server.


Exporting a File Properly

Problem: Exporting a file via the Deployment Manager form (which can be found in the Oracle Identity Manager Administrative Console) results in an invalid file, a corrupted XML file, or a file created with 0 KB.

Solution:
1. When you export your file, make sure that no other users are also attempting to export a file.
2. At the same time, verify that no reconciliation workflows or scheduled tasks are being run.
3. Reconfigure the minimum and maximum memory parameters of the JBoss application server to 512 MB and 1,024 MB, respectively.
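The failure modes named in this problem (a 0 KB file, a corrupted XML file) can be detected before an export is handed to another environment, and the importing side can confirm that it received the same bytes. The following is an added example, not part of the course material or of Oracle's tooling; the function names, the sample file contents and the element names in them are constructed for illustration.

```python
import hashlib
import hmac
import os
import tempfile
import xml.etree.ElementTree as ET


def check_export(path):
    """Classify an exported connector file before it is transferred.

    Returns a dict with:
      status -- "empty" (0 KB), "malformed" (not parseable as XML) or "ok"
      detail -- the parser message or the root element name
      sha256 -- hex digest of the file bytes (None for an empty file)
    """
    if os.path.getsize(path) == 0:
        return {"status": "empty", "detail": "file is 0 KB", "sha256": None}

    with open(path, "rb") as fh:
        data = fh.read()
    digest = hashlib.sha256(data).hexdigest()

    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        # A truncated or corrupted export ends up here.
        return {"status": "malformed", "detail": str(exc), "sha256": digest}

    return {"status": "ok", "detail": "root element <%s>" % root.tag,
            "sha256": digest}


def verify_transfer(path, expected_sha256):
    """Import-side check: the received file is well-formed XML and its
    digest equals the one recorded when the file was exported."""
    result = check_export(path)
    return (result["status"] == "ok"
            and hmac.compare_digest(result["sha256"], expected_sha256))


def demo():
    """Run both checks over three constructed files (not real exports)."""
    samples = {
        "good.xml": b"<?xml version='1.0'?>"
                    b"<export><connector name='Oracle RO'/></export>",
        "truncated.xml": b"<?xml version='1.0'?>"
                         b"<export><connector name='Oracle RO'",
        "zero.xml": b"",
    }
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in samples.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(body)
            out[name] = check_export(path)
        good = os.path.join(tmp, "good.xml")
        # Digest recorded at export time matches the file that arrived.
        out["transfer_ok"] = verify_transfer(good, out["good.xml"]["sha256"])
        # A digest that does not match (constructed) must be rejected.
        out["transfer_mismatch"] = verify_transfer(good, "0" * 64)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Record the digest alongside the export and pass it to the importing environment through a separate channel from the file itself.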


Verifying That the Oracle Identity Manager Scheduler Is Running


Problem: You want to verify that the service that programs events to be executed at periodic intervals (that is, the Oracle Identity Manager Scheduler) is running.

Solution:
1. Launch a Web browser.
2. In the Address field, enter the following URL:
   http://localhost:8087/xlScheduler/status
   (localhost is the machine name for the application server, and 8087 is this server's port number.)


Customizing the Login Page of the Administrative Console


Problem: You want to customize the Login page of the Administrative Console.

Solution: Open the tjspLoginTiles.jsp file, which is located in the following directory:
   E:\jboss-4.0.2\server\default\deploy\XellerateFull.ear\xlWebApp.war\xlWebApp\tiles
This file contains the properties that pertain to the Login page.


Changing the Background Color of Oracle Identity Manager Explorer


Problem: You want to customize the Administrative Console so that the background color for the header is different from the background color that appears in your Oracle Identity Manager Explorer.

Solution:
1. Stop the Oracle Identity Manager Server.
2. Use a text editor to open the Xellerate.css file, which is located in the E:\jboss-4.0.2\server\default\deploy\XellerateFull.ear\xlWebApp.war\css directory.


Changing the Background Color of Oracle Identity Manager Explorer


3. In this file, create a new class called ExplorerMenu and add the new background color. To do so, add this piece of code to it:
   .ExplorerMenu { BACKGROUND-COLOR: <color>; }
   In the code, <color> represents the new color.
4. Use a text editor to open the tjspClassicLayout.jsp file, which is located in the E:\jboss-4.0.2\server\default\deploy\XellerateFull.ear\xlWebApp.war\layouts directory.


Changing the Background Color of Oracle Identity Manager Explorer


5. Replace the Sidebar element with the ExplorerMenu class.
6. Save your changes.
7. Restart the Oracle Identity Manager Server.


Unlocking the xelsysadm User Account

Problem: The xelsysadm user account is locked and cannot be unlocked because an Oracle Identity Manager user exceeded the maximum number of login attempts.

Solution:
1. Stop the Oracle Identity Manager Server.
2. Open a DOS window.
3. In the DOS prompt that appears, enter sqlplus /nolog. A SQL prompt appears.
4. Connect to the Oracle database as an administrator (for example, connect sys/sys@train91 as sysdba, where sys is the system user and password and train91 is the name of the database).


Unlocking the xelsysadm User Account

5. Run the following query:
   SQL> UPDATE SYS.USR SET USR_LOCKED=0, USR_LOGIN_ATTEMPTS_CTR=0 WHERE USR_LOGIN='XELSYSADM';
6. After you see that the row is updated, commit the changes to the database. To do so, enter the following at the SQL prompt:
   SQL> commit;
7. Restart the Oracle Identity Manager Server.


Summary

In this lesson, you should have learned how to use disaster-recovery procedures to fix common problems that administrators encounter with Oracle Identity Manager.
