IBM Security Identity Manager Version 6.0 Oracle Database Adapter Installation and Configuration Guide SC27-4402-03


Note: Before using this information and the product it supports, read the information in “Notices” on page 59.

Edition notice

Note: This edition applies to version 6.0 of IBM Security Identity Manager (product number 5724-C34) and to all subsequent releases and modifications until otherwise indicated in new editions.

© Copyright IBM Corporation 2012, 2014. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.


Contents

Figures
Tables
Preface
    About this publication
    Access to publications and terminology
    Accessibility
    Technical training
    Support information
    Statement of Good Security Practices
Chapter 1. Oracle Database Adapter Installation and Configuration Guide
    Overview of the adapter
        Features of the adapter
        Architecture of the adapter
        Supported configurations
Chapter 2. Adapter installation planning
    Preinstallation roadmap
    Installation roadmap
    Prerequisites
    Installation worksheet for the adapter
    Software download
Chapter 3. Adapter installation
    Dispatcher installation verification
    Installing the adapter
    Start, stop, and restart the Oracle Database Adapter service
    Importing the adapter profile into the IBM Security Identity Manager server
    Adapter profile installation verification
    Adapter user account creation
    Creating an adapter service
Chapter 4. First steps after installation
    Adapter configuration
        Customizing the adapter profile
        Configuring OCI for Transparent Application Failover
    SSL configuration
        SSL overview
    Password management for account restoration
    Language pack installation for the Oracle Database adapter
    Verifying that the adapter is working correctly
Chapter 5. Troubleshooting the adapter errors
    Techniques for troubleshooting problems
    Warning and error messages
Chapter 6. Adapter upgrade
    Dispatcher upgrade
    Upgrade of an existing adapter profile
Chapter 7. Adapter uninstallation
    Uninstalling the adapter from the Tivoli Directory Integrator server
    Adapter profile removal from the IBM Security Identity Manager server
Chapter 8. Adapter reinstallation
Appendix A. Adapter attributes
    Attributes by Oracle Database Adapter actions
        System Login Add
        System Login Change
        System Login Delete
        System Login Suspend
        System Login Restore
        Test
        Reconciliation
Appendix B. Adapter installation on a z/OS operating system
Appendix C. Definitions for ITDI_HOME and ISIM_HOME directories
Appendix D. Support information
    Searching knowledge bases
    Obtaining a product fix
    Contacting IBM Support
Appendix E. Accessibility features for IBM Security Identity Manager
Notices
Index


Figures

1. The architecture of the Oracle Database Adapter
2. Example of a single server configuration
3. Example of multiple server configuration
4. SSL communication overview


Tables

1. Preinstallation roadmap
2. Installation roadmap
3. Prerequisites to install the adapter
4. Required information to install the adapter
5. Required privileges and their descriptions
6. Warning and error messages
7. Attributes, object identifiers, descriptions, and corresponding column/table name on the Oracle database
8. Add request attributes for Oracle
9. Change request attributes for Oracle
10. Delete request attributes for Oracle
11. Suspend request attributes for Oracle
12. Restore request attributes for Oracle
13. Test attributes
14. Reconciliation request attributes for Oracle


Preface

About this publication

The Oracle Database Adapter Information and Configuration Guide contains the basic information that you can use to install and configure the IBM® Security Identity Manager Oracle Database Adapter. The adapter enables connectivity between the IBM Security Identity Manager server and the managed resource.

IBM Security Identity Manager was previously known as Tivoli® Identity Manager.

Access to publications and terminology

This section provides:
- A list of publications in the “IBM Security Identity Manager library.”
- Links to “Online publications.”
- A link to the “IBM Terminology website.”

IBM Security Identity Manager library

For a complete listing of the IBM Security Identity Manager and IBM Security Identity Manager Adapter documentation, see the online library (http://www-01.ibm.com/support/knowledgecenter/SSRMWJ/welcome).

Online publications

IBM posts product publications when the product is released and when the publications are updated at the following locations:

IBM Security Identity Manager library
    The product documentation site (http://www-01.ibm.com/support/knowledgecenter/SSRMWJ/welcome) displays the welcome page and navigation for the library.

IBM Security Systems Documentation Central
    IBM Security Systems Documentation Central provides an alphabetical list of all IBM Security Systems product libraries and links to the online documentation for specific versions of each product.

IBM Publications Center
    The IBM Publications Center site (http://www-05.ibm.com/e-business/linkweb/publications/servlet/pbi.wss) offers customized search functions to help you find all the IBM publications you need.

IBM Terminology website

The IBM Terminology website consolidates terminology for product libraries in one location. You can access the Terminology website at http://www.ibm.com/software/globalization/terminology.


Accessibility

Accessibility features help users with a physical disability, such as restricted mobility or limited vision, to use software products successfully. With this product, you can use assistive technologies to hear and navigate the interface. You can also use the keyboard instead of the mouse to operate all features of the graphical user interface.

Technical training

For technical training information, see the following IBM Education website at http://www.ibm.com/software/tivoli/education.

Support information

IBM Support provides assistance with code-related problems and routine, short duration installation or usage questions. You can directly access the IBM Software Support site at http://www.ibm.com/software/support/probsub.html.

Appendix D, “Support information,” on page 53 provides details about:
- What information to collect before contacting IBM Support.
- The various methods for contacting IBM Support.
- How to use IBM Support Assistant.
- Instructions and problem-determination resources to isolate and fix the problem yourself.

Note: The Community and Support tab on the product information center can provide additional support resources.

Statement of Good Security Practices

IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.


Chapter 1. Oracle Database Adapter Installation and Configuration Guide

This installation guide provides the basic information that you need to install and configure the Oracle Database Adapter. The adapter enables connectivity between the IBM Security Identity Manager server and the managed resource.

Overview of the adapter

The Oracle Database Adapter enables communication between the IBM Security Identity Manager server and the Oracle Database.

An adapter provides an interface between a managed resource and the IBM Security Identity Manager server. Adapters might reside on the managed resource. The IBM Security Identity Manager server manages access to the resource by using your security system. Adapters function as trusted virtual administrators on the target platform. They perform tasks, such as creating, suspending, and restoring user accounts, and other administrative functions that are performed manually. The adapter runs as a service, independently of whether you are logged on to the IBM Security Identity Manager server.

Features of the adapter

The adapter automates the user account management tasks.

The adapter automates these user account management tasks:
- Reconciling user accounts and other support data
- Adding user accounts
- Modifying user account attributes
- Modifying user account passwords
- Suspending, restoring, and deleting user accounts

Note: The Oracle Database Adapter does not manage the Oracle System privileges. The following Oracle System privileges are available on the account form on IBM Security Identity Manager. However, these privileges are managed only on Trusted Oracle, the multi-level secure version of Oracle:
- WRITEDOWN DBLOW
- READUP DBHIGH
- WRITEUP DBHIGH
- WRITEDOWN
- READUP
- WRITEUP

Architecture of the adapter

To function correctly, the adapter requires several components.

You must install the following components:
- Dispatcher
- Tivoli Directory Integrator connector
- IBM Security Identity Manager adapter profile

You need to install the Dispatcher and the adapter profile; however, the Tivoli Directory Integrator connector might already be installed with the base Tivoli Directory Integrator product.

Figure 1 describes the components that work together to complete the user account management tasks in a Tivoli Directory Integrator environment.

For more information about Tivoli Directory Integrator, see the Quick Start Guide at IBM Security Identity Manager product documentation.

Supported configurations

There are two ways to configure the Oracle Database Adapter. In a single server configuration, the adapter is installed on only one server. In a multiple server configuration, the adapter is installed on several different servers.

The fundamental components in each environment are:
- The IBM Security Identity Manager server
- The IBM Tivoli Directory Integrator server
- The managed resource
- The adapter

The adapter must be installed directly on the server that runs the Tivoli Directory Integrator server.

Single server configuration
    In a single server configuration, install the IBM Security Identity Manager server, the Tivoli Directory Integrator server, and the Oracle Database Adapter on one server to establish communication with an Oracle database. The Oracle database is installed on a different server as described in Figure 2.

[Figure 1. The architecture of the Oracle Database Adapter. Diagram labels: IBM Security Identity Manager Server; RMI calls; Dispatcher Service (an instance of the IBM Tivoli Directory Integrator); Adapter resource.]

[Figure 2. Example of a single server configuration. Diagram labels: IBM Security Identity Manager Server; Tivoli Directory Integrator Server; Adapter; Managed resource.]


Multiple server configuration
    In multiple server configuration, the IBM Security Identity Manager server, the Tivoli Directory Integrator server, the Oracle Database Adapter, and the Oracle database are installed on different servers. Install the Tivoli Directory Integrator server and the Oracle Database Adapter on the same server as described in Figure 3.

[Figure 3. Example of multiple server configuration. Diagram labels: IBM Security Identity Manager server; Tivoli Directory Integrator server; Adapter; Managed resource.]


Chapter 2. Adapter installation planning

Installing and configuring the adapter involves several steps that you must complete in the appropriate sequence.

Review the roadmaps before you begin the installation process.

Preinstallation roadmap

Before you install the adapter, you must prepare the environment.

Prepare the environment by performing the tasks that are listed in Table 1.

Table 1. Preinstallation roadmap

| Task | For more information |
|---|---|
| Obtain the installation software. | Download the software from Passport Advantage® website. See “Software download” on page 8. |
| Verify that your environment meets the software and hardware requirements for the adapter. | See “Prerequisites” on page 6. |
| Obtain and install the Dispatcher. | Download the software from Passport Advantage website. See “Software download” on page 8. Follow the installation instructions in the dispatcher download package. |
| Obtain the necessary information for the installation and configuration. | See “Installation worksheet for the adapter” on page 7. |

Installation roadmap

To install the adapter, complete the tasks described in the roadmap.

Table 2. Installation roadmap

| Task | For more information |
|---|---|
| Verify the Dispatcher installation. | See “Dispatcher installation verification” on page 9. |
| Install the adapter. | See “Installing the adapter” on page 9. |
| Import the adapter profile. | See “Importing the adapter profile into the IBM Security Identity Manager server” on page 10. |
| Verify the profile installation. | See “Adapter profile installation verification” on page 11. |
| Create an adapter user account. | See “Adapter user account creation” on page 11. |
| Create a service. | See “Creating an adapter service” on page 13. |
| Configure the adapter. | See “Adapter configuration” on page 17. |


Prerequisites

Verify that your environment meets all the prerequisites before you install the adapter.

Table 3 identifies the software and operating system prerequisites for the adapter installation.

Ensure that you install the adapter on the same workstation as the IBM Tivoli Directory Integrator server.

Table 3. Prerequisites to install the adapter

| Prerequisite | Description |
|---|---|
| Tivoli Directory Integrator server | Version 7.1 fix pack 5 or later; Version 7.1.1 |
| IBM Security Identity Manager server | Version 6.0 |
| Oracle Database | A system that runs the Oracle database with one of the following versions: Oracle 10gR2 (10.2.0.x); Oracle 11g (11.1.0.x); Oracle 11gR2 (11.2.0.x). Note: The adapter supports the Oracle versions described in the Oracle Lifetime Support document: http://www.oracle.com/us/support/library/lifetime-support-technology-069183.pdf. |
| Oracle Thin JDBC Driver | JDBC 10.2.0.1.0 Driver. Note: The driver file names are ojdbc5.jar for Tivoli Directory Integrator 7.0 (JDK version 1.5) and ojdbc6.jar for Tivoli Directory Integrator 7.1 (JDK version 1.6). |
| Oracle JDBC OCI Driver. Note: You need this driver for Oracle Real Application Cluster (RAC) and Oracle Transparent Application Failover (TAF) architectures. | JDBC OCI 10.2.0.x Driver; JDBC OCI 11.2.0.2.0 Driver |
| Network Connectivity | Install the adapter on a workstation that can communicate with the IBM Security Identity Manager service through the TCP/IP network. |
| System Administrator Authority | To complete the adapter installation procedure, you must have system administrator authority. |
| Tivoli Directory Integrator adapters solution directory | A Tivoli Directory Integrator adapters solution directory is a Tivoli Directory Integrator work directory for IBM Security Identity Manager adapters. See the Dispatcher Installation and Configuration Guide. |

Install the Oracle Database Adapter and the appropriate Oracle Thin JDBC drivers on the same workstation as the Tivoli Directory Integrator.


For information about the prerequisites and supported operating systems for Tivoli Directory Integrator, see the IBM Tivoli Directory Integrator 7.0: Administrator Guide.

Installation worksheet for the adapter

The installation worksheet identifies the information that you need before installing the adapter.

Table 4. Required information to install the adapter

| Required information | Description | Value |
|---|---|---|
| IBM Tivoli Directory Integrator Home Directory | The ITDI_HOME directory contains the jars/connectors subdirectory that contains adapter jars. For example, the jars/connectors subdirectory contains the jar for the UNIX adapter. | If Tivoli Directory Integrator is automatically installed with your IBM Security Identity Manager product, the default directory path for Tivoli Directory Integrator is as follows. Windows, version 7.0: drive\Program Files\IBM\TDI\V7.0. Windows, version 7.1: drive\Program Files\IBM\TDI\V7.1. UNIX, version 7.0: /opt/IBM/TDI/V7.0. UNIX, version 7.1: /opt/IBM/TDI/V7.1. |
| Adapters solution directory | When you install the dispatcher, the adapter prompts you to specify a file path for the adapters solution directory. For more information about the solution directory, see the Dispatcher Installation and Configuration Guide. | The default solution directory is located at the following paths. Windows, version 7.0: drive\Program Files\IBM\TDI\V7.0\isimsoln. Windows, version 7.1: drive\Program Files\IBM\TDI\V7.1\isimsoln. UNIX, version 7.0: /opt/IBM/TDI/V7.0/isimsoln. UNIX, version 7.1: /opt/IBM/TDI/V7.1/isimsoln. |


Software download

Download the software through your account at the IBM Passport Advantage website.

Go to IBM Passport Advantage.

See the IBM Security Identity Manager Download Document for instructions.

Note: You can also obtain additional adapter information from IBM Support.


Chapter 3. Adapter installation

All the adapters that are based on Tivoli Directory Integrator require the Dispatcher for the adapters to function correctly.

If the Dispatcher is installed from a previous installation, do not reinstall it unless there is an upgrade to the Dispatcher. See “Dispatcher installation verification.”

After verifying the Dispatcher installation, you might need to install the Tivoli Directory Integrator connector. Depending on your adapter, the connector might already be installed as part of the Tivoli Directory Integrator product and no further action is required.

Dispatcher installation verification

If this is the first installation of an adapter that is based on the Tivoli Directory Integrator, you must install the Dispatcher before you install the adapter.

You must install the dispatcher on the same Tivoli Directory Integrator server where you want to install the adapter.

Obtain the dispatcher installer from the IBM Passport Advantage website, http://ww.ibm.com/software/howtobuy/passportadvantage/pao_customers.htm. For information about Dispatcher installation, see the Dispatcher Installation and Configuration Guide.

Installing the adapter

Use these steps to install the adapter.

Before you begin

Ensure that you do the following tasks:
- Verify that your site meets all the prerequisite requirements. See “Prerequisites” on page 6.
- Obtain a copy of the installation software. See “Software download” on page 8.
- Obtain system administrator authority. See “Prerequisites” on page 6.

About this task

The adapter uses the IBM Tivoli Directory Integrator JDBC connector. This connector is available with the base Tivoli Directory Integrator product. Because the Tivoli Directory Integrator JDBC connector is already installed, you need to install only the Dispatcher. See “Dispatcher installation verification.”

To install the Dispatcher, see the IBM Security Dispatcher Installation and Configuration Guide.

What to do next

After you finish the adapter installation, do the following tasks:


1. Import the adapter profile. See “Importing the adapter profile into the IBM Security Identity Manager server.”
2. Set up the stored procedures for the SQL scripts to acquire a lock before you update the account's default consumer group attribute. Release the lock after the update.
   a. Extract the package and locate the oracledbsql folder inside the package.
   b. Copy the oracledbsql folder into the IBM Security Identity Manager solution directory. For example, C:\TDI_HOME\timsol\.
   c. Import the latest adapter profile and restart the dispatcher.
3. Create a user account for the adapter on IBM Security Identity Manager. See “Adapter user account creation” on page 11.

Start, stop, and restart the Oracle Database Adapter service

To start, stop, or restart the adapter, you must start, stop, or restart the Dispatcher.

The adapter does not exist as an independent service or a process. The adapter is added to the Dispatcher instance, which runs all the adapters that are installed on the same Tivoli Directory Integrator instance.

See the topic about starting, stopping, and restarting the dispatcher service in the Dispatcher Installation and Configuration Guide.

Importing the adapter profile into the IBM Security Identity Manager server

Use this task to create a service on the IBM Security Identity Manager server and establish communication with the adapter.

Before you begin

Before you can create an adapter service, the IBM Security Identity Manager server must have an adapter profile to recognize the adapter. The files that are packaged with the adapter include the adapter profile JAR file. You can import the adapter profile as a service profile on the server with the Import feature of IBM Security Identity Manager.

The JAR file includes all the files that are required to define the adapter schema, account form, service form, and profile properties. You can extract the files from the JAR file to modify the necessary files and package the JAR file with the updated files.

Before you begin to import the adapter profile, verify that the following conditions are met:
- The IBM Security Identity Manager server is installed and running.
- You have root or Administrator authority on IBM Security Identity Manager.

About this task

An adapter profile defines the types of resources that the IBM Security Identity Manager server can manage. Use the profile to create an adapter service on IBM Security Identity Manager server and establish communication with the adapter.

To import the adapter profile, perform the following steps:


Procedure

1. Log on to the IBM Security Identity Manager server by using an account that has the authority to perform administrative tasks.
2. In the My Work pane, expand Configure System and click Manage Service Types.
3. On the Manage Service Types page, click Import to display the Import Service Types page.
4. Specify the location of the JAR file in the Service Definition File field by performing one of the following tasks:
   - Type the complete location of where the file is stored.
   - Use Browse to navigate to the file.
5. Click OK.

   Note: If you import the adapter profile and receive an error that is related to the schema, see the trace.log file for information about the error. The trace.log file location is specified by using the handler.file.fileDir property that is defined in the IBM Security Identity Manager enRoleLogging.properties file. The enRoleLogging.properties file is installed in the ISIM_HOME\data directory.

6. Restart IBM Security Identity Manager for the change to take effect.

Adapter profile installation verification

After you install the adapter profile, verify that the installation was successful.

An unsuccessful installation:
- Might cause the adapter to function incorrectly.
- Prevents you from creating a service with the adapter profile.

To verify that the adapter profile is successfully installed, create a service with the adapter profile. For more information about creating a service, see “Creating an adapter service” on page 13.

If you are unable to create a service with the adapter profile or open an account on the service, the adapter profile is not installed correctly. You must import the adapter profile again.

Adapter user account creation

You must create a user account for the adapter on the managed resource. Provide the account information when you create a service for the adapter on IBM Security Identity Manager.

For more information about creating a service, see “Creating an adapter service” on page 13.

The accounts must be able to remotely connect to the Oracle Database server and must have sufficient privileges to administer the Oracle Database users. Table 5 on page 12 lists the required privileges that the user account must have to administer the Oracle Database users.


Table 5. Required privileges and their descriptions

Privilege: CREATE USER
Description: To create an Oracle database user.

Privilege: GRANT ANY ROLE
Description: To grant or remove roles to the Oracle database user.

Privilege: SELECT ANY TABLE
Description: To perform the reconciliation operation and retrieve the following information from the Oracle database:
- List of Users and its attributes
- List of Tables
- List of Roles
- List of Privileges
- List of Consumer groups
- Oracle version

Privilege: GRANT ANY PRIVILEGE
Description: To grant or remove privileges to the Oracle database user.

Privilege: SELECT ANY DICTIONARY
Description: The SELECT ANY DICTIONARY privilege replaces the default setting of the O7_DICTIONARY_ACCESSIBILITY initialization parameter. The default value of the parameter is FALSE.

Using this system privilege, users can access all the objects in the SYS schema, including tables that are created in that schema.

You must grant the required privileges to the individual users based on the requirements. The SELECT ANY DICTIONARY privilege is not included in the GRANT ALL PRIVILEGES privilege. You can also grant the SELECT ANY DICTIONARY privilege through a role.

You might use the following scenarios, depending on your requirements:
- If the O7_DICTIONARY_ACCESSIBILITY=TRUE, then the SELECT ANY TABLE privilege provides access to all SYS and non-SYS objects.
- If the O7_DICTIONARY_ACCESSIBILITY=FALSE, then the SELECT ANY TABLE privilege provides access only to non-SYS objects.
- If the SELECT_CATALOG_ROLE privilege is enabled, then the SELECT_CATALOG_ROLE privilege provides access to all SYS views only.
- If only the SELECT ANY DICTIONARY privilege is enabled, then the SELECT ANY DICTIONARY privilege provides access to SYS schema objects only.
- If both SELECT ANY TABLE and SELECT ANY DICTIONARY privileges are enabled, then the SELECT ANY TABLE and SELECT ANY DICTIONARY privileges provide access to all SYS and non-SYS objects.
- The SELECT ANY DICTIONARY and SELECT_CATALOG_ROLE privileges do not affect the O7_DICTIONARY_ACCESSIBILITY settings.


By default, a user is granted access on objects within the schema of the user. The ANY keyword grants access to users on all objects of that type in all schemas. For example:
- To grant a system privilege, you must either have system privileges that are granted with ADMIN OPTION or GRANT ANY PRIVILEGE.
- To grant an object privilege, one of the following conditions must be met:
  - You must be an object owner.
  - The object owner must grant you the object privileges with the GRANT OPTION.
  - The object owner must grant you the GRANT ANY OBJECT PRIVILEGE system privilege.

If you do not use the ANY keyword, you must either grant privileges, roles, tables, and so on, to a user account or the user account must be an object owner. When a new privilege, role, or a table is added in the schema, you must update the permissions for the user account.

To reduce security risks, do not use the ANY keyword to grant privileges to user accounts.

Creating an adapter service

After the adapter profile is imported on IBM Security Identity Manager, you must create a service so that IBM Security Identity Manager can communicate with the adapter.

About this task

To create or change a service, you must use the service form to provide information for the service. Service forms might vary depending on the adapter.

Note: If the following fields on the service form are changed for an existing service, the IBM Security Identity Manager adapter service on the Tivoli Directory Integrator server must be restarted.
- Service Name
- Password
- Convert Username to Uppercase
- AL FileSystem Path
- Max Connection Count

Procedure

1. Log on to the IBM Security Identity Manager server with an account that has the authority to perform administrative tasks.
2. In the My Work pane, click Manage Services and click Create.
3. On the Select the Type of Service page, select Oracle Adapter Service Profile.
4. Click Next to display the adapter service form.
5. Complete the following fields on the service form:

On the Oracle Connection tab:

Service name
    Specify a name that defines the adapter service on the IBM Security Identity Manager server.


    Note: Do not use forward (/) or backward slashes (\) in the service name.

Description
    Optional: Specify a description that identifies the service for your environment.

Tivoli Directory Integrator location
    Specify the URL for the IBM Tivoli Directory Integrator instance. The valid syntax for the URL is:
        rmi://ip-address:port/ITDIDispatcher
    where:
    ip-address
        The Tivoli Directory Integrator host.
    port
        The port number for the Dispatcher.
    The default URL is
        rmi://localhost:1099/ITDIDispatcher
    For information about changing the port number, see IBM Security Dispatcher Installation and Configuration Guide.

Oracle Service Name
    Specify the service name of Oracle instance to which the adapter must connect.

Is SID
    By default, this option is not selected. Select this check box if the Oracle Database service name provided is an SID instead of a service name. This option affects the connection to the database. If this option is selected while the database is using a service name, then the test connection fails.

Oracle Service Host
    Specify the host workstation on which the Oracle instance is running.

Oracle Service Port
    Specify the TCP or TCPS port on which the Oracle service is listening. For example:
    - TCP: 1521
    - TCPS: 2484

Use SSL communication with Oracle
    Optional: Select this check box to enable SSL communication between the Oracle adapter and the Oracle database. When selected, specify the TCPS port in Oracle Service Port.

Oracle Service Alias
    Specify the net service alias that is listed in the tnsnames.ora file that defines the connection to the Oracle instance. (Required when the OCI communication check box is selected.)

Use OCI communication with Oracle
    Optional: Select this check box to enable OCI communication between the Oracle adapter and the Oracle database.

Oracle Administrator Name
    Specify the name of the user who has access to the Oracle resource and can do administrative operations.


Oracle Administrator Password
    Specify the password for the user.

Oracle Server Distinguished Name
    Optional: Specify the distinguished name. For example, CN=client, C=US. This name is verified against the Oracle database server certificate.

Owner
    Optional: Specify an IBM Security Identity Manager user as a service owner.

Service Prerequisite
    Specify an IBM Security Identity Manager service that is prerequisite to this service.

Convert Username to Uppercase
    Optional: Select this check box to retain the case of the user name. By default, the adapter converts the case of the user name to uppercase.

On the Dispatcher Attributes tab:

Disable AL Caching
    Select the check box to disable the assembly line caching in the dispatcher for the service. The assembly lines for the add, modify, delete, and test operations are not cached.

AL FileSystem Path
    Specify the file path from where the dispatcher loads the assembly lines. If you do not specify a file path, the dispatcher loads the assembly lines received from IBM Security Identity Manager. For example, you can specify the following file path to load the assembly lines from the profiles directory of the Windows operating system: c:\Files\IBM\TDI\V7.0\profiles or you can specify the following file path to load the assembly lines from the profiles directory of the UNIX and Linux operating system: system:/opt/IBM/TDI/V7.0/profiles.

Max Connection Count
    Specify the maximum number of assembly lines that the dispatcher can run simultaneously for the service. For example, enter 10 when you want the dispatcher to run a maximum of 10 assembly lines simultaneously for the service. If you enter 0 in the Max Connection Count field, the dispatcher does not limit the number of assembly lines that are run simultaneously for the service.

On the Status and information tab
    This page contains read only information about the adapter and managed resource. These fields are examples. The actual fields vary depending on the type of adapter and how the service form is configured. The adapter must be running to obtain the information. Click Test Connection to populate the fields.

Last status update: Date
    Specifies the most recent date when the Status and information tab was updated.


Last status update: Time
    Specifies the most recent time of the date when the Status and information tab was updated.

Managed resource status
    Specifies the status of the managed resource that the adapter is connected to.

Adapter version
    Specifies the version of the adapter that the IBM Security Identity Manager service uses to provision request to the managed resource.

Profile version
    Specifies the version of the profile that is installed in the IBM Security Identity Manager server.

TDI version
    Specifies the version of the Tivoli Directory Integrator on which the adapter is deployed.

Dispatcher version
    Specifies the version of the Dispatcher.

Installation platform
    Specifies summary information about the operating system where the adapter is installed.

Adapter account
    Specifies the account that is running the adapter binary file.

Adapter up time: Date
    Specifies the date when the adapter started.

Adapter up time: Time
    Specifies the time of the date when the adapter started.

Adapter memory usage
    Specifies the memory usage for running the adapter.

If the connection fails, follow the instructions in the error message. Also:
- Verify the adapter log to ensure that the IBM Security Identity Manager test request was successfully sent to the adapter.
- Verify the adapter configuration information.
- Verify IBM Security Identity Manager service parameters for the adapter profile. For example, verify the work station name or the IP address of the managed resource and the port.

6. Click Finish.


Chapter 4. First steps after installation

After you install the adapter, you must do several other tasks. The tasks include configuring the adapter, setting up SSL, installing the language pack, and verifying that the adapter works correctly.

Adapter configuration

You can use the configuration options for the Oracle Database Adapter.
- “Customizing the adapter profile”
- “Editing adapter profiles on the UNIX or Linux operating system” on page 18
- “Configuring OCI for Transparent Application Failover” on page 20
- “SSL configuration” on page 26

See the IBM Security Dispatcher Installation and Configuration Guide for additional configuration options such as:
- JVM properties
- Dispatcher filtering
- Dispatcher properties
- Dispatcher port number
- Logging configurations
- Secure Sockets Layer (SSL) communication

Customizing the adapter profile

To customize the adapter profile, you must modify the Oracle Database Adapter JAR file. You might customize the adapter profile to change the account form or the service form.

About this task

You can also use the Form Designer or the CustomLabels.properties file to change the labels on the forms. Each adapter has a CustomLabels.properties file for that adapter.

The JAR file is included in the Oracle Database Adapter compressed file that you downloaded from the IBM website. The JAR file and the files that are contained in the JAR file vary depending on your operating system.

Note: You cannot modify the schema for this adapter. You cannot add or delete attributes from the schema.

The adapter JAR file includes the following files:
- CustomLabels.properties
- erOracleAccount.xml
- erOracleRMIService.xml
- OracleAdapter.xml
- service.def
- schema.dsml


To edit the JAR file, perform these steps:
1. Log on to the workstation where the Oracle Database Adapter is installed.
2. On the Start menu, click Programs → Accessories → Command Prompt.
3. Copy the JAR file into a temporary directory.
4. Extract the contents of the JAR file into the temporary directory by running the following command. The following example applies to the Oracle Database Adapter profile. Type the name of the JAR file for your operating system.
       cd c:\temp
       jar -xvf OracleAdapterProfile.jar
   The jar command extracts the files into the directory.
5. Edit the file that you want to change.

After you edit the file, you must import the file into the IBM Security Identity Manager server for the changes to take effect.

To import the file, perform these steps:
1. Create a JAR file by using the files in the \temp directory. Run the following commands:
       cd c:\temp
       jar -cvf OracleAdapterProfile.jar OracleAdapterProfile
2. Import the JAR file into the IBM Security Identity Manager application server. For more information about importing the JAR file, see “Importing the adapter profile into the IBM Security Identity Manager server” on page 10.
3. Stop and start the IBM Security Identity Manager server.
4. Stop and start the Oracle Database Adapter service. See “Start, stop, and restart the Oracle Database Adapter service” on page 10 for information about stopping and starting the adapter service.

Editing adapter profiles on the UNIX or Linux operating system

The adapter profile .jar file might contain ASCII files that are created by using the MS-DOS ASCII format.

About this task

If you edit an MS-DOS ASCII file on the UNIX operating system, you might see a character ^M at the end of each line. These characters indicate new lines of text in MS-DOS. The characters can interfere with the running of the file on UNIX or Linux systems. You can use tools, such as dos2unix, to remove the ^M characters. You can also use text editors, such as the vi editor, to remove the characters manually.

Example

You can use the vi editor to remove the ^M characters. From the vi command mode, run the following command and press Enter:
    :%s/^M//g

When you use this command, enter ^M or Ctrl-M by pressing ^v^M or Ctrl V Ctrl M sequentially. The ^v instructs the vi editor to use the next keystroke instead of issuing it as a command.


Configuration properties of the Dispatcher

The solution.properties file and the itim_listener.properties file contain the configuration properties for the Dispatcher.

To configure the dispatcher properties, follow the configuration instructions included in the dispatcher download package.

Table space quota file creation

The adapter enables allocating quota size on the table spaces when you provision user accounts. These quota size values can be customized by creating a text file named ITDI_Oracle_Adapter_TableSpace_Quota.txt in the IBM Tivoli Directory Integrator adapters solution directory.

The adapter uses a text file named ITDI_Oracle_Adapter_TableSpace_Quota.txt for deciding the quota that can be allocated to each table space for a user. The file contains a list of quota values under the column name quota_size. See the following example.

Note: Use the following conventions for specifying the quota sizes:

K
    Kilobytes
M
    Megabytes
G
    Gigabytes
UNLIMITED
    Unlimited quota

The following example shows the content for the ITDI_Oracle_Adapter_TableSpace_Quota.txt file. In this sample ITDI_Oracle_Adapter_TableSpace_Quota.txt file, the Oracle user account has four options for quota sizes on each table space.

    quota_size
    128K
    200K
    1M
    1G

If the adapter cannot locate the ITDI_Oracle_Adapter_TableSpace_Quota.txt file in Tivoli Directory Integrator adapters solution directory, it uses these default values for quota size:

    128K
    256K
    512K
    1M
    2M
    4M
    8M
    16M
    23M
    64M
    UNLIMITED
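A pre-deployment check for the quota file described above, written as an added Python example; it is not part of the adapter or of the IBM guide. It assumes one value per line under the quota_size column name, as in the sample, and only flags entries that fall outside the conventions the guide lists (how the adapter itself treats such entries is not stated). The function names and the second sample input are constructed for illustration.

```python
import re

HEADER = "quota_size"  # column name shown in the guide's sample file
ENTRY = re.compile(r"(?:[1-9][0-9]*[KMG]|UNLIMITED)")  # conventions listed in the guide
UNIT_BYTES = {"K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}


def quota_bytes(value):
    """Size in bytes for a valid entry, or None for UNLIMITED."""
    return None if value == "UNLIMITED" else int(value[:-1]) * UNIT_BYTES[value[-1]]


def check_quota_file(raw):
    """Check the raw bytes of the quota file; return (values, problems)."""
    problems, values, seen = [], [], {}
    if b"\r" in raw:
        problems.append("carriage returns present (MS-DOS line endings)")
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return [], ["file is not plain ASCII text"]
    rows = [(n, ln.strip()) for n, ln in enumerate(text.replace("\r", "").split("\n"), 1)]
    rows = [(n, ln) for n, ln in rows if ln]
    if rows and rows[0][1] == HEADER:
        rows = rows[1:]
    else:
        problems.append(f"first non-blank line is not the column name {HEADER!r}")
    for n, ln in rows:
        if not ENTRY.fullmatch(ln):
            problems.append(f"line {n}: {ln!r} is not <number>K, <number>M, <number>G or UNLIMITED")
            continue
        size = quota_bytes(ln)
        if size in seen:
            problems.append(f"line {n}: {ln} repeats the size already given as {seen[size]}")
        else:
            seen[size] = ln
            values.append(ln)
    if not values:
        problems.append("no usable quota values")
    return values, problems


# The sample file content from the guide.
GUIDE_SAMPLE = b"quota_size\n128K\n200K\n1M\n1G\n"
# Constructed input: CRLF line endings, a space, a lowercase unit, a repeated size.
CONSTRUCTED_BAD = b"quota_size\r\n128K\r\n200 K\r\n1m\r\n1G\r\n1024M\r\nUNLIMITED\r\n"

if __name__ == "__main__":
    for name, data in (("guide sample", GUIDE_SAMPLE), ("constructed", CONSTRUCTED_BAD)):
        values, problems = check_quota_file(data)
        print(name, values, problems, sep="\n  ")
```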

Enabling auditing on an Oracle resource

You must enable auditing on the database so that the Oracle Database Adapter can retrieve the last access date of the user account.


About this task

To enable auditing, do the following steps.

Procedure

1. Set the initialization parameter audit_trail to TRUE in the init.ora file. Alternately, you can issue the following command at the SQL command-line prompt:
       ALTER SYSTEM SET audit_trail=TRUE scope=SPFILE
2. Restart the database instance.
3. To turn on the auditing for user logon and logoff, log on as a user with Oracle administration authority. Issue the following command at the SQL command-line prompt:
       AUDIT CONNECT

What to do next

To verify that auditing is enabled on an instance, issue the following command at the SQL command-line prompt:
    SHOW PARAMETER AUDIT_TRAIL

The parameter AUDIT_TRAIL and its value are displayed. Any value except NONE or FALSE indicates that auditing is enabled. For more information about the parameters, see the Oracle online help.

Note: If the auditing is not enabled, then the Oracle Database Adapter cannot retrieve information about when the user last accessed the account. All the other attributes except the Last Access Date attribute are then retrieved during reconciliation. No other operations are affected by disabling auditing of the Oracle database.

Configuring OCI for Transparent Application Failover

Transparent Application Failover (TAF) is a feature of the Java™ Database Connectivity (JDBC) Oracle Call Interface (OCI) driver. If you configure the adapter to use TAF, then the adapter can automatically reconnect to a secondary database instance if the original database connection fails.

About this task

During the reconnect process, the active transactions roll back.

To configure the Oracle adapter to use OCI, you must perform the following high-level steps in this sequence.
1. Install the JDBC OCI driver. For detailed instructions, see “Installing the JDBC OCI driver” on page 21.
2. Configure the OCI connection between the Oracle Database Adapter and the Oracle database, “Configuring the OCI connection” on page 21.
3. “Modifying the Oracle Database Adapter service form for OCI” on page 25.

Procedure

1. Install the JDBC OCI driver. For detailed instructions, see “Installing the JDBC OCI driver” on page 21.


2. Configure the OCI connection between the Oracle Database Adapter and the Oracle database. For detailed instructions, see “Configuring the OCI connection.”
3. Configure the Oracle adapter service form. For detailed instructions, see “Modifying the Oracle Database Adapter service form for OCI” on page 25.

Installing the JDBC OCI driver

Transparent Application Failover (TAF) is a feature of the Java Database Connectivity (JDBC) Oracle Call Interface (OCI) driver. You must install the Oracle Database Client software on the IBM Tivoli Directory Integrator target.

Procedure

1. Obtain the Oracle Database Client software from the Downloads page on the Oracle Technology Network website. For example, you can download the win32_11gR2_client.zip file for the Oracle Database 11g Release 2 Client (11.2.0.1.0) for Microsoft Windows (32-bit) software.
2. Install the client software.
   When you install the client software, select the installation type that installs tools for developing applications, networking services, and basic client software. For example, if you are using the Oracle Database 11gR2 Client, select the Runtime installation type.
   Alternatively, you can select the installation type that installs the instant client software. For example, if you are using the Oracle Database 11gR2 Client, select the InstantClient installation type. The instant client installation requires less disk space than the runtime installation.

Note: Use the Oracle Support website to determine the Oracle client and server versions that you require. For example, to use the OCI JDBC driver for SSL communication from an 11gR2 client to a 10gR2 server requires the following minimum versions:
- Oracle Client 11gR2 (11.2.0.2.0 or higher) to connect to Oracle Server 10gR2 (10.2.0.2.0 or higher).

Configuring the OCI connection

You can enable OCI communication between the Oracle Database Adapter and the Oracle database. You must configure Oracle Net Services (ONS) on the Tivoli Directory Integrator where the Oracle Client software is installed.

About this task

To configure Oracle Net Services, you must complete the following high-level tasks.

Procedure

1. Configure the Oracle Net Services. For detailed instructions, see “Configuring Oracle Net Services.”
2. Configure the Oracle Database Adapter. For detailed instructions, see “Configuring the Oracle adapter” on page 23.

Configuring Oracle Net Services:

For Transparent Application Failover, you must configure Oracle Net Services by editing the tnsnames.ora and sqlnet.ora files on the Oracle database server.


Procedure

1. Locate the tnsnames.ora and sqlnet.ora files in the network\admin directory of the Oracle home directory.

   Note: These files do not exist in an Instant Client installation. In this case, you must create the files. These files must be in the same directory as one another. For example, you might choose to save these files in the Instant Client directory.

2. Open the files in a text editor.

   Note: To configure Transparent Application Failover, you must use a text editor rather than Oracle Net Manager to edit these files.

3. Configure the files for your environment.

Example

The information in the following files is an example of how you can configure Transparent Application Failover:

sqlnet.ora:

    SQLNET.AUTHENTICATION_SERVICES= (NONE)
    NAMES.DIRECTORY_PATH= (TNSNAMES)

tnsnames.ora:

    PRODONE =
      (DESCRIPTION_LIST =
        (FAILOVER = true)
        (LOAD_BALANCE = false)
        (DESCRIPTION =
          (ADDRESS_LIST =
            (ADDRESS = (PROTOCOL = TCP)(HOST = YourFirstHost)(PORT = 1521))
          )
          (CONNECT_DATA =
            (SERVER = dedicated)
            (FAILOVER_MODE =
              (BACKUP = PRODTWO)
              (TYPE = select)
              (METHOD = basic)
              (RETRIES = 20)
              (DELAY = 3)
            )
            (SERVICE_NAME = ORCL)
          )
        )
        (DESCRIPTION =
          (ADDRESS_LIST =
            (ADDRESS = (PROTOCOL = TCP)(HOST = YourSecondHost)(PORT = 1521))
          )
          (CONNECT_DATA =
            (SERVICE_NAME = ORCL)
          )
        )
      )

    PRODTWO =
      (DESCRIPTION_LIST =
        (DESCRIPTION =
          (ADDRESS_LIST =
            (ADDRESS = (PROTOCOL = TCP)(HOST = YourSecondHost)(PORT = 1521))
          )
          (CONNECT_DATA =
            (SERVICE_NAME = ORCL)
          )
        )
      )

Note:

- When you use Transparent Application Failover, if the connected instance fails or is shut down, the adapter can automatically reconnect to a database. Transparent Application Failover enables the application to transparently reconnect to a specified secondary instance. This reconnection process creates a new connection that is identical to the original connection.

- In the tnsnames.ora file, PRODONE is the example net service alias that defines both Transparent Application Failover and Connect Time Failover (CTF). The first description in the DESCRIPTION_LIST defines Transparent Application Failover. The second description in the DESCRIPTION_LIST defines Connect Time Failover.

- The Transparent Application Failover description indicates that if an established connection to YourFirstHost fails, then the connection fails over to YourSecondHost via the PRODTWO net service alias. The Connect Time Failover description indicates that if YourFirstHost is down before the initial connection, then the connection fails over to YourSecondHost.

- The select type is a feature of Transparent Application Failover. Use select to indicate that if the first connection fails while it is processing a SELECT statement, then the statement runs again when a new connection is established. The cursor moves to the correct position so the client can continue fetching rows without interruption.

Configuring the Oracle adapter:

You must configure Tivoli Directory Integrator to locate the JDBC OCI driver and Oracle Net Services.

About this task

To use OCI communication, the adapter must have access to the JDBC OCI driver and the Oracle Net Services files, tnsnames.ora and sqlnet.ora.

Note: To locate the JDBC OCI driver, you must amend the path variable to include the ORACLE_HOME/bin directory or the Instant Client directory. Depending on the Tivoli Directory Integrator service, you must configure the path variable slightly differently, as described in the following steps.

Procedure

1. Determine which Tivoli Directory Integrator service is used on your server. There are two Tivoli Directory Integrator services that can exist or coexist on your Tivoli Directory Integrator target.
   - The "IBM Security Identity Manager adapter", which is called ITDIAsService.exe.
   - The "IBM Tivoli Directory Integrator" service, which is called ibmdiservice.exe.
2. For the ITDIAsService service, edit the ImagePath registry variable in the following location: HKLM\SYSTEM\ControlSet001\Service\IBM Security Identity Manager Adapter.


   Note: The value of ImagePath is an expandable String Value of REG_EXPAND_SZ Type.

   - For a Database Client installation, edit the ImagePath variable to include %ORACLE_HOME%\bin as follows:
         "C:\Program Files\IBM\TDI\V7.1\timsol\ITDIAsService.exe" ...
         -Djava.library.path =
         "C:\Program Files\IBM\TDI\V7.1\libs;%ORACLE_HOME%\bin;%PATH%" ...

     Note: Use %ORACLE_HOME% in the ImagePath variable only when ORACLE_HOME is defined as a System variable on Windows. Otherwise, you must explicitly include the Oracle home bin directory as follows:
         "C:\Program Files\IBM\TDI\V7.1\timsol\ITDIAsService.exe" ...
         -Djava.library.path =
         "C:\Program Files\IBM\TDI\V7.1\libs;C:\app\administrator\product\11.2.0\client_1\bin;%PATH%" ...

   - For an Instant Client installation, edit the ImagePath variable to include the directory of the Instant Client files as follows:
         "C:\Program Files\IBM\TDI\V7.1\timsol\ITDIAsService.exe" ...
         -Djava.library.path =
         "C:\Program Files\IBM\TDI\V7.1\libs;C:\app\administrator\product\11.2.0\client_1;%PATH%" ...

3. For the ibmdiservice service, edit the path variable in the ibmdiservice.props properties file. This properties file is in the following directory:
       C:\Program Files\IBM\TDI\V7.1\timsol

   - For a Database Client installation, edit the path variable to include the Oracle home bin directory as follows:
         path=C:\Program Files\IBM\TDI\V7.1\jvm\jre\bin;C:\Program Files\IBM\TDI\V7.1\libs;C:\app\administrator\product\11.2.0\client_1\bin;

   - For an Instant Client installation, set the path variable to the Oracle home directory as follows:
         path=C:\Program Files\IBM\TDI\V7.1\jvm\jre\bin;C:\Program Files\IBM\TDI\V7.1\libs;C:\app\administrator\product\11.2.0\client_1;

4. For both services, you must configure Tivoli Directory Integrator to locate the Oracle Net Services files as follows:

   - For a Database Client installation, define the ORACLE_HOME environment variable in the Windows registry so that Tivoli Directory Integrator can locate the Oracle Net Services files.

     Note: Alternatively, you can define the ORACLE_HOME as a System variable in Windows.

     An example ORACLE_HOME environment value is:
         ORACLE_HOME=C:\app\administrator\product\11.2.0\client_1

   - For an Instant Client installation, you must define the TNS_ADMIN environment variable, which is an Oracle Client variable, to point to the location (directory) of the ONS configuration files.

     An example TNS_ADMIN environment value is:
         TNS_ADMIN=C:\app\administrator\product\11.2.0\client_1

   Note: If you define ORACLE_HOME, the JDBC OCI driver locates the Oracle Net Services files in the network\admin directory of the Oracle home directory. If you define TNS_ADMIN, the JDBC OCI driver locates the Oracle Net Services files in the specified directory.


Modifying the Oracle Database Adapter service form for OCITo configure OCI communication between the Oracle adapter and the Oracledatabase, you must modify the Oracle adapter service form.

Procedure1. Select the Use OCI communication with Oracle check box.

If the Use OCI communication with Oracle check box is selected, the adapteruses the JDBC OCI driver to communicate with the Oracle database server.When this check box is not selected, the adapter uses the JDBC Thin driver tocommunicate with the Oracle database server.

2. Enter a value for the Oracle Service Alias field that corresponds to the netservice alias listed in the tnsnames.ora file.The net service alias name is on the left side of the equals (=) sign in thetnsnames.ora file. The example tnsnames.ora file in “Configuring Oracle NetServices” on page 21 uses PRODONE as the net service name for TAF. For thisexample configuration, enter PRODONE in the Oracle Service Alias field.

What to do next

If you are using the JDBC OCI driver, and you want to use SSL communication,then you must complete further configuration. The Use SSL communication withOracle check box is only for the JDBC Thin driver. To enable SSL communicationbetween the Oracle adapter and the Oracle database for the JDBC OCI driver, youmust include SSL information in the Oracle Net Services files.

The information in the following files serves as an example of how you canconfigure Transparent Application Failover with SSL:

sqlnet.ora:

SQLNET.AUTHENTICATION_SERVICES= (TCPS)NAMES.DIRECTORY_PATH= (TNSNAMES)

SSL_VERSION = 3.0SSL_CLIENT_AUTHENTICATION = FALSESSL_SERVER_DN_MATCH = YES

WALLET_LOCATION =(SOURCE =

(METHOD = FILE)(METHOD_DATA =

(DIRECTORY = C:\temp\client))

)

tnsnames.ora:

PRODONESSL =
  (DESCRIPTION_LIST =
    (FAILOVER = true)
    (LOAD_BALANCE = false)
    (DESCRIPTION =
      (ADDRESS_LIST =
        (ADDRESS = (PROTOCOL = TCPS)(HOST = YourFirstHost)(PORT = 2484))
      )
      (CONNECT_DATA =
        (SERVER = dedicated)
        (FAILOVER_MODE =
          (BACKUP = PRODTWOSSL)
          (TYPE = select)
          (METHOD = basic)
          (RETRIES = 20)
          (DELAY = 3)
        )
        (SERVICE_NAME = ORCL)
      )
      (SECURITY =
        (SSL_SERVER_CERT_DN = "CN=client, C=US")
      )
    )
    (DESCRIPTION =
      (ADDRESS_LIST =
        (ADDRESS = (PROTOCOL = TCPS)(HOST = YourSecondHost)(PORT = 2484))
      )
      (CONNECT_DATA =
        (SERVICE_NAME = ORCL)
      )
      (SECURITY =
        (SSL_SERVER_CERT_DN = "CN=client, C=US")
      )
    )
  )

PRODTWOSSL =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS_LIST =
        (ADDRESS = (PROTOCOL = TCPS)(HOST = YourSecondHost)(PORT = 2484))
      )
      (CONNECT_DATA =
        (SERVICE_NAME = ORCL)
      )
      (SECURITY =
        (SSL_SERVER_CERT_DN = "CN=client, C=US")
      )
    )
  )

For more information about configuring SSL for the JDBC OCI driver, see the "Stores for Client Authentication" subsection of “Configuring the SSL connection” on page 28.
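The Oracle Net files for the JDBC OCI driver can be checked before the adapter uses them. The following Python script is an added example, not part of the IBM guide or the adapter: it parses the nested tnsnames.ora and sqlnet.ora syntax and reports TCPS descriptions without SSL_SERVER_CERT_DN, TAF backup aliases that are not TCPS-only, a disabled SSL_SERVER_DN_MATCH, and deprecated SSL_VERSION values. The sample files, function names and finding codes are constructed for illustration.

```python
import re

# Constructed sample files modelled on the guide's examples, with two deliberate
# mistakes: PRODONESSL's second description has no SECURITY section, and the
# TAF backup alias PRODTWOSSL points at a plain TCP listener.
SQLNET_ORA = r"""
SQLNET.AUTHENTICATION_SERVICES= (TCPS)
SSL_VERSION = 3.0
SSL_SERVER_DN_MATCH = YES
WALLET_LOCATION = (SOURCE = (METHOD = FILE)(METHOD_DATA = (DIRECTORY = C:\temp\client)))
"""
TNSNAMES_ORA = """
PRODONESSL =
  (DESCRIPTION_LIST = (FAILOVER = true)(LOAD_BALANCE = false)
    (DESCRIPTION =
      (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCPS)(HOST = YourFirstHost)(PORT = 2484)))
      (CONNECT_DATA =
        (FAILOVER_MODE = (BACKUP = PRODTWOSSL)(TYPE = select)(METHOD = basic))
        (SERVICE_NAME = ORCL))
      (SECURITY = (SSL_SERVER_CERT_DN = "CN=client, C=US")))
    (DESCRIPTION =
      (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCPS)(HOST = YourSecondHost)(PORT = 2484)))
      (CONNECT_DATA = (SERVICE_NAME = ORCL))))
PRODTWOSSL =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = YourSecondHost)(PORT = 1521))
    (CONNECT_DATA = (SERVICE_NAME = ORCL)))
"""
TOKEN = re.compile(r'\(|\)|=|"[^"]*"|[^\s()=,]+')   # parens, '=', quoted text, bare words

def parse_value(toks, i):
    """Parse what follows '='; return (value, index of the next unread token).
    A scalar becomes a str; (KEY = value) groups become a list of (KEY, value) pairs."""
    if toks[i] != '(':
        return toks[i].strip('"'), i + 1
    pairs = []
    while i < len(toks) and toks[i] == '(':
        i += 1
        if toks[i + 1] == '=':                     # (KEY = value)
            key = toks[i].upper()
            value, i = parse_value(toks, i + 2)
            pairs.append((key, value))
        else:                                      # plain list such as (TCPS, NTS)
            while toks[i] != ')':
                pairs.append((toks[i].upper(), None))
                i += 1
        if toks[i] != ')':
            raise ValueError('expected ")" at token %d' % i)
        i += 1
    return pairs, i

def parse_ora(text):
    """Parse an Oracle Net parameter file into {NAME: value}; '#' starts a comment."""
    toks, i, entries = TOKEN.findall(re.sub(r'#.*', '', text)), 0, {}
    try:
        while i < len(toks):
            name = toks[i].upper()
            if toks[i + 1] != '=':
                raise ValueError('expected "=" after ' + name)
            entries[name], i = parse_value(toks, i + 2)
    except IndexError:
        raise ValueError('file ends inside an entry') from None
    return entries

def find_all(tree, key):
    """Yield every value stored under key at any depth of a parsed value."""
    if isinstance(tree, list):
        for k, v in tree:
            if k == key:
                yield v
            yield from find_all(v, key)

def non_tcps(tree):
    """Protocols other than TCPS used by any ADDRESS below tree."""
    return sorted({str(p).upper() for p in find_all(tree, 'PROTOCOL')} - {'TCPS'})

def audit_sqlnet(text):
    cfg, findings = parse_ora(text), []
    if cfg.get('SSL_VERSION') in ('2.0', '3.0'):   # SSL 3.0 is deprecated (RFC 7568)
        findings.append(('sqlnet.ora', 'DEPRECATED_SSL_VERSION'))
    if str(cfg.get('SSL_SERVER_DN_MATCH', 'NO')).upper() not in ('YES', 'ON', 'TRUE'):
        findings.append(('sqlnet.ora', 'DN_MATCH_OFF'))
    return findings

def audit_tnsnames(text):
    aliases, findings = parse_ora(text), []
    for alias, tree in aliases.items():
        for n, desc in enumerate(find_all(tree, 'DESCRIPTION'), 1):
            where = '%s#%d' % (alias, n)           # alias plus description number
            if non_tcps(desc):
                findings.append((where, 'NOT_TCPS'))
            elif not list(find_all(desc, 'SSL_SERVER_CERT_DN')):
                findings.append((where, 'NO_SERVER_CERT_DN'))
            for backup in find_all(desc, 'BACKUP'):   # TAF failover target alias
                target = aliases.get(str(backup).upper())
                if target is None or non_tcps(target):
                    code = 'BACKUP_UNDEFINED' if target is None else 'BACKUP_NOT_TCPS'
                    findings.append((where, code))
    return findings

if __name__ == '__main__':
    print(audit_sqlnet(SQLNET_ORA) + audit_tnsnames(TNSNAMES_ORA))
```

The SSL_VERSION finding also applies to the guide's own sample files, which set 3.0; which newer protocol values are accepted depends on the Oracle release in use.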

SSL configuration

You can configure Secure Sockets Layer (SSL) communication across the entire solution. You can use SSL communication between the IBM Security Identity Manager, Tivoli Directory Integrator and Oracle servers.

To use SSL communication between the system components, you can configure the Tivoli Directory Integrator server as the SSL server. You can configure both the IBM Security Identity Manager and the Oracle servers as SSL clients.

SSL overview

You can secure your environment with SSL communication between IBM Security Identity Manager, Tivoli Directory Integrator, and the Oracle servers.

The two main communication channels that you can secure with SSL communication are depicted in Figure 4 on page 27.

Each of these channels governs the communication between two main system components.

1   This channel includes communication between IBM Security Identity Manager and Tivoli Directory Integrator. To configure SSL communication for this channel, see the Secure Sockets Layer (SSL) information in the IBM Security Dispatcher Installation and Configuration Guide.

2   This channel includes communication between Tivoli Directory Integrator and the Oracle database server. To configure SSL communication for this channel, see “SSL configuration” on page 26.

Note: Configuring SSL for each of these channels is optional. You can choose whether to configure SSL for neither, one or both channels.

JDBC driver location for SSL

JDBC Thin driver versions 10g Release 2 and later include SSL support. You can obtain the Oracle Database 10gR2, 11g, or 11gR2 driver from the following locations:
- The ORACLE_HOME\jdbc\lib directory of an Oracle database (client or server) installation.
- The JDBC Driver Downloads page on the Oracle Technology Network website.

Tivoli Directory Integrator version 7.0
    Use ojdbc5.jar, which is the driver for JDK 1.5.

Tivoli Directory Integrator version 7.1
    Use ojdbc6.jar, which is the driver for use with JDK 1.6.

You must copy the appropriate driver to one of the following locations on the Tivoli Directory Integrator server:
- TDI_HOME\jars\3rdparty\others
- TDI_HOME\jvm\jre\lib\ext

where TDI_HOME is the directory where Tivoli Directory Integrator is installed. For example, on a Windows platform, the default directory is C:\Program Files\IBM\TDI\V7.x.

You must also delete previous versions of the JDBC Thin driver from these two TDI_HOME locations. The previous versions of the driver are one or more of the following files:
- ojdbc14.jar
- classes12.zip
- nls_charset12.zip
- classes111.zip
- nls_charset11.zip

Note: The .zip files that are listed might be named as .jar files. For example, classes12.jar.

Figure 4. SSL communication overview. Channel 1 connects Tivoli Identity Manager (SSL client; truststore with CA certificate “A”) to Tivoli Directory Integrator (SSL server; keystore with certificate “A”). Channel 2 connects Tivoli Directory Integrator to the Oracle database (SSL client; truststore with CA certificate “A”).

Configuring the SSL connection

To enable SSL communication between the Oracle adapter and the Oracle database, you must configure a truststore and optionally a keystore for the Dispatcher.

About this task

If the Oracle database requires SSL client authentication then you must configure a keystore.

To configure the truststore for the Dispatcher, you must import the certificate authority (CA) certificate that is used to sign the certificate for the Oracle database.

Configuring server authentication:

To configure SSL, you must first configure the server authentication by importing a CA certificate into the truststore.

Procedure

1. Run the following command to import a CA certificate into a truststore:

   keytool -import -v -alias OACA -file CA.cer -keystore truststore.jks -storetype JKS -storepass "ThePwd12"

Note:

The truststore.jks and solution.properties files are located in the ITDI_HOME\timsol directory.

When you issue the keytool command to import the CA certificate, ensure that the truststore details match the solution.properties entries.

2. Set the following properties in the solution.properties file:

   ## server authentication
   javax.net.ssl.trustStore=truststore.jks
   javax.net.ssl.trustStorePassword=ThePwd12
   javax.net.ssl.trustStoreType=jks

The store password, ThePwd12, is for test purposes only. If the keystore properties are not set in the solution.properties file, use the same values as the truststore properties for these keystore entries:

   ## client authentication
   javax.net.ssl.keyStore=truststore.jks
   javax.net.ssl.keyStorePassword=ThePwd12
   javax.net.ssl.keyStoreType=jks

Configuring client authentication:

If the Oracle database requires SSL client authentication, then you must configure a keystore.

About this task

To determine whether the Oracle database requires SSL client authentication, complete the following step.

Procedure

Check the sqlnet.ora file on the target Oracle database server, which is the managed resource, for the following line:

SSL_CLIENT_AUTHENTICATION = FALSE

The FALSE value means that the Oracle database server does NOT require SSL client authentication. The TRUE value means that the Oracle database server DOES require SSL client authentication.

Note: The store password ThePwd12 is for test purposes only.

Example

For test purposes, you can use the following commands to set up a JKS type keystore:

cd c:\temp
mkdir clientjks

keytool -genkey -alias OADB -dname "CN=client,C=US" -storetype JKS -keystore clientjks\client.jks -keyalg RSA -storepass "ThePwd12"

keytool -certreq -alias OADB -file clientjks\creq.cer -keystore clientjks\client.jks -storepass "ThePwd12"

orapki cert create -wallet ./authority -request clientjks\creq.cer -cert clientjks\signed.cer -validity 3650 -pwd=ThePwd12

keytool -import -v -alias OACA -file authority\CA.cer -keystore clientjks\client.jks -storepass "ThePwd12"

keytool -import -v -alias OADB -file clientjks\signed.cer -keystore clientjks\client.jks -storepass "ThePwd12"

These example commands assume that you created a self-signed certificate authority. See “Configuring the Oracle database server.”

What to do next

If the keystore properties are not set in the solution.properties file, then set the following properties accordingly:

## client authentication
javax.net.ssl.keyStore=client.jks
javax.net.ssl.keyStorePassword=ThePwd12
javax.net.ssl.keyStoreType=jks
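The server and client authentication procedures above depend on three artifacts agreeing with each other: the keytool import command, the Dispatcher's solution.properties entries, and the SSL_CLIENT_AUTHENTICATION line in the database server's sqlnet.ora. The following Python cross-check is an added example, not IBM's code; the sample inputs and finding codes are constructed, and treating an absent SSL_CLIENT_AUTHENTICATION line as "required" is an assumption made for this sketch.

```python
import re
import shlex

# Constructed inputs. PROPS is a Dispatcher solution.properties that still
# carries the guide's server-authentication fallback (keyStore = truststore),
# while SERVER_SQLNET is a database sqlnet.ora that demands client certificates.
PROPS = """\
## server authentication
javax.net.ssl.trustStore=truststore.jks
javax.net.ssl.trustStorePassword=ThePwd12
javax.net.ssl.trustStoreType=jks
## client authentication
javax.net.ssl.keyStore=truststore.jks
javax.net.ssl.keyStorePassword=ThePwd12
javax.net.ssl.keyStoreType=jks
"""
KEYTOOL_IMPORT = ('keytool -import -v -alias OACA -file CA.cer -keystore '
                  'truststore.jks -storetype JKS -storepass "ThePwd12"')
SERVER_SQLNET = "SSL_VERSION = 3.0\nSSL_CLIENT_AUTHENTICATION = TRUE\n"

PREFIX = 'javax.net.ssl.'
TEST_PASSWORD = 'ThePwd12'   # the guide marks this value as test-only
# solution.properties key -> keytool option that must describe the same store
PAIRS = (('trustStore', '-keystore'),
         ('trustStorePassword', '-storepass'),
         ('trustStoreType', '-storetype'))


def load_properties(text):
    """Parse key=value lines; lines starting with '#' or '!' are comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in '#!':
            key, _, value = line.partition('=')
            props[key.strip()] = value.strip()
    return props


def keytool_options(command):
    """Return {option: value} for a keytool command line (bare flags map to '')."""
    # posix=False keeps the backslashes of Windows paths such as clientjks\client.jks
    args = shlex.split(command, posix=False)[1:]
    opts, i = {}, 0
    while i < len(args):
        has_value = i + 1 < len(args) and not args[i + 1].startswith('-')
        opts[args[i]] = args[i + 1].strip('"') if has_value else ''
        i += 2 if has_value else 1
    return opts


def client_auth_required(sqlnet_text):
    """True unless sqlnet.ora explicitly switches SSL_CLIENT_AUTHENTICATION off.
    Assumption: a missing line is read conservatively as 'required'."""
    m = re.search(r'^\s*SSL_CLIENT_AUTHENTICATION\s*=\s*(\w+)', sqlnet_text, re.I | re.M)
    return m is None or m.group(1).upper() not in ('FALSE', 'NO', 'OFF')


def check_dispatcher_ssl(props_text, keytool_cmd, server_sqlnet):
    props, opts, findings = load_properties(props_text), keytool_options(keytool_cmd), []
    # 1. The truststore named in solution.properties must be the one keytool wrote.
    for prop, opt in PAIRS:
        have, want = props.get(PREFIX + prop, ''), opts.get(opt, '')
        same = have.lower() == want.lower() if prop.endswith('Type') else have == want
        if not same:
            findings.append('MISMATCH:' + prop)
    # 2. A CA-only truststore holds no private key, so it cannot act as the
    #    client keystore once the database asks for a client certificate.
    if client_auth_required(server_sqlnet):
        keystore = props.get(PREFIX + 'keyStore')
        if not keystore:
            findings.append('KEYSTORE_MISSING')
        elif keystore == props.get(PREFIX + 'trustStore'):
            findings.append('KEYSTORE_IS_TRUSTSTORE')
    # 3. The documented test password must not survive into a real deployment.
    for prop in ('trustStorePassword', 'keyStorePassword'):
        if props.get(PREFIX + prop) == TEST_PASSWORD:
            findings.append('TEST_PASSWORD:' + prop)
    return findings


if __name__ == '__main__':
    for finding in check_dispatcher_ssl(PROPS, KEYTOOL_IMPORT, SERVER_SQLNET):
        print(finding)
```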

Configuring the Oracle database server:

Use Oracle tools, such as the Oracle Wallet Manager and the orapki command, to configure both the truststore and the keystore on the Oracle database server.

About this task

For test purposes, you can use the following commands to set up a self-signed certificate authority, truststore, and keystore:

cd c:\temp
mkdir authority
mkdir server
mkdir client

Self-signed certificate authority

orapki wallet create -wallet ./authority -pwd=ThePwd12

orapki wallet add -wallet ./authority -dn "CN=authority, C=US" -keysize 2048 -self_signed -validity 3650 -pwd=ThePwd12

orapki wallet export -wallet ./authority -dn "CN=authority, C=US" -cert ./authority/CA.cer -pwd=ThePwd12

Use the CA.cer file in the authority directory as the trusted certificate when you issue the keytool command to import a CA certificate into the Dispatcher truststore.

Stores for Server Authentication

orapki wallet create -wallet ./server -auto_login -pwd=ThePwd12

orapki wallet add -wallet ./server -dn "CN=server, C=US" -keysize 2048 -pwd=ThePwd12

orapki wallet export -wallet ./server -dn "CN=server, C=US" -request ./server/creq.cer -pwd=ThePwd12

orapki cert create -wallet ./authority -request ./server/creq.cer -cert ./server/signed.cer -validity 3650 -pwd=ThePwd12

orapki wallet add -wallet ./server -trusted_cert -cert ./authority/CA.cer -pwd=ThePwd12

orapki wallet add -wallet ./server -user_cert -cert ./server/signed.cer -pwd=ThePwd12

Stores for Client Authentication

orapki wallet create -wallet ./client -auto_login -pwd=ThePwd12

orapki wallet add -wallet ./client -dn "CN=client, C=US" -keysize 2048 -pwd=ThePwd12

orapki wallet export -wallet ./client -dn "CN=client, C=US" -request ./client/creq.cer -pwd=ThePwd12

orapki cert create -wallet ./authority -request ./client/creq.cer -cert ./client/signed.cer -validity 3650 -pwd=ThePwd12

orapki wallet add -wallet ./client -trusted_cert -cert ./authority/CA.cer -pwd=ThePwd12

orapki wallet add -wallet ./client -user_cert -cert ./client/signed.cer -pwd=ThePwd12

Oracle Network Configuration

Configure the following two files on the Oracle database server to enable SSL:
- listener.ora
- sqlnet.ora

These files are in the network\admin directory of the Oracle home directory. You can use Oracle Net Manager or a text editor to edit these files.

listener.ora:

SSL_VERSION = 3.0
SSL_CLIENT_AUTHENTICATION = FALSE

WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = myDir)
    )
  )

LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = myHost)(PORT = nonSSLPort))
    )
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCPS)(HOST = myHost)(PORT = sslPort))
    )
  )

sqlnet.ora:

SQLNET.AUTHENTICATION_SERVICES= (TCPS, NTS)
NAMES.DIRECTORY_PATH= (TNSNAMES)

SSL_VERSION = 3.0
SSL_CLIENT_AUTHENTICATION = FALSE

WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = myDir)
    )
  )

where:

myDir
    The directory location of the truststore on the Oracle Database Server. For example, C:\temp\server.

myHost
    The server host name.

nonSSLPort
    The non-SSL communication port (TCP protocol). For example, 1521.

sslPort
    The SSL communication port (TCPS protocol). For example, 2484.

Modifying the Oracle Database Adapter service form for SSL:

To enable SSL communication between the Oracle adapter and the Oracle database, you must configure the Oracle adapter service form.

About this task

Make the following changes to configure the Oracle Database Adapter service form.

Procedure

1. Select the Use SSL communication with Oracle check box.

2. Update the Oracle Service Port value to the TCPS port that is listed in the listener.ora file. For example, 2484.

3. (Optional) Provide a value for Oracle Server Distinguished Name. If provided, the adapter verifies this value against the Oracle database server certificate.

Note:

- Start both the listener and database services as the user who created the wallet, so both services can access the wallet successfully. On Windows, change the Log On As account for the listener and database services from the default Local System account to the wallet creator.

- The sqlnet.ora and the listener.ora files contain the wallet location. In most cases, both files contain the same wallet location, but the listener might use its own wallet.
  - Use the distinguished name of the certificate from the wallet in the sqlnet.ora file. The Oracle adapter verifies this name when you provide a value for the optional Oracle Server Distinguished Name on the service form.
  - For security, include a distinguished name in the service form to avoid the risk of a server that is faking its identity.

- For more information about configuring SSL with the Oracle driver, see the white paper "SSL with Oracle JDBC Thin Driver" on the Oracle website.

Password management for account restoration

How each restore action interacts with its corresponding managed resource depends on the managed resource or on the business processes that you implement.

Certain resources reject a password when a request is made to restore an account. In this case, you can configure IBM Security Identity Manager to forego the new password requirement. You can configure the Oracle Database Adapter to require a new password when the account is restored. This feature is useful if your company's business processes require you to reset the password when an account is restored.

In the service.def file, you can define whether a password is required as a new protocol option. When you import the adapter profile, if an option is not specified, the adapter profile importer determines the correct restoration password behavior from the schema.dsml file. The adapter profile components enable remote services to know whether to discard a password that is entered by the user where multiple accounts on disparate resources are being restored. In this situation, only some of the accounts that are being restored might require a password. Remote services discard the password from the restore action for those managed resources that do not require it.

Edit the service.def file to add the new protocol options, for example:

<Property Name = "com.ibm.itim.remoteservices.ResourceProperties.PASSWORD_NOT_REQUIRED_ON_RESTORE">
  <value>true</value>
</Property>
<Property Name = "com.ibm.itim.remoteservices.ResourceProperties.PASSWORD_NOT_ALLOWED_ON_RESTORE">
  <value>false</value>
</Property>

By adding the two options in the preceding example, you can ensure that you are not prompted for a password when an account is restored.

Language pack installation for the Oracle Database adapter

The adapters use a separate language package from the IBM Security Identity Manager.

See the IBM Security Identity Manager library and search for information about installing the adapter language pack.

Verifying that the adapter is working correctly

After you install and configure the adapter, take steps to verify that the installation and configuration are correct.

Procedure

1. Test the connection for the service that you created on IBM Security Identity Manager.
2. Run a full reconciliation from IBM Security Identity Manager.
3. Run all supported operations such as add, modify, and delete on one user account.
4. Verify the ibmdi.log file after each operation to ensure that no errors are reported.
5. Verify the IBM Security Identity Manager log file trace.log to ensure that no errors are reported when you run an adapter operation.

Chapter 5. Troubleshooting the adapter errors

Troubleshooting can help you determine why a product does not function properly.

These topics provide information and techniques for identifying and resolving problems with the adapter. They also provide information about troubleshooting errors that might occur during the adapter installation.

Techniques for troubleshooting problems

Troubleshooting is a systematic approach to solving a problem. The goal of troubleshooting is to determine why something does not work as expected and how to resolve the problem. Certain common techniques can help with the task of troubleshooting.

The first step in the troubleshooting process is to describe the problem completely. Problem descriptions help you and the IBM technical-support representative know where to start to find the cause of the problem. This step includes asking yourself basic questions:
- What are the symptoms of the problem?
- Where does the problem occur?
- When does the problem occur?
- Under which conditions does the problem occur?
- Can the problem be reproduced?

The answers to these questions typically lead to a good description of the problem, which can then lead you to a problem resolution.

What are the symptoms of the problem?

When starting to describe a problem, the most obvious question is “What is the problem?” This question might seem straightforward; however, you can break it down into several more-focused questions that create a more descriptive picture of the problem. These questions can include:
- Who, or what, is reporting the problem?
- What are the error codes and messages?
- How does the system fail? For example, is it a loop, hang, crash, performance degradation, or incorrect result?

Where does the problem occur?

Determining where the problem originates is not always easy, but it is one of the most important steps in resolving a problem. Many layers of technology can exist between the reporting and failing components. Networks, disks, and drivers are only a few of the components to consider when you are investigating problems.

The following questions help you to focus on where the problem occurs to isolate the problem layer:
- Is the problem specific to one platform or operating system, or is it common across multiple platforms or operating systems?
- Is the current environment and configuration supported?
- Do all users have the problem?
- (For multi-site installations.) Do all sites have the problem?

If one layer reports the problem, the problem does not necessarily originate in that layer. Part of identifying where a problem originates is understanding the environment in which it exists. Take some time to completely describe the problem environment, including the operating system and version, all corresponding software and versions, and hardware information. Confirm that you are running within an environment that is a supported configuration; many problems can be traced back to incompatible levels of software that are not intended to run together or have not been fully tested together.

When does the problem occur?

Develop a detailed timeline of events leading up to a failure, especially for those cases that are one-time occurrences. You can most easily develop a timeline by working backward: Start at the time an error was reported (as precisely as possible, even down to the millisecond), and work backward through the available logs and information. Typically, you need to look only as far as the first suspicious event that you find in a diagnostic log.

To develop a detailed timeline of events, answer these questions:
- Does the problem happen only at a certain time of day or night?
- How often does the problem happen?
- What sequence of events leads up to the time that the problem is reported?
- Does the problem happen after an environment change, such as upgrading or installing software or hardware?

Responding to these types of questions can give you a frame of reference in which to investigate the problem.

Under which conditions does the problem occur?

Knowing which systems and applications are running at the time that a problem occurs is an important part of troubleshooting. These questions about your environment can help you to identify the root cause of the problem:
- Does the problem always occur when the same task is being performed?
- Does a certain sequence of events need to happen for the problem to occur?
- Do any other applications fail at the same time?

Answering these types of questions can help you explain the environment in which the problem occurs and correlate any dependencies. Remember that just because multiple problems might have occurred around the same time, the problems are not necessarily related.

Can the problem be reproduced?

From a troubleshooting standpoint, the ideal problem is one that can be reproduced. Typically, when a problem can be reproduced you have a larger set of tools or procedures at your disposal to help you investigate. Consequently, problems that you can reproduce are often easier to debug and solve.

However, problems that you can reproduce can have a disadvantage: If the problem is of significant business impact, you do not want it to recur. If possible, re-create the problem in a test or development environment, which typically offers you more flexibility and control during your investigation.
- Can the problem be re-created on a test system?
- Are multiple users or applications encountering the same type of problem?
- Can the problem be re-created by running a single command, a set of commands, or a particular application?

For information about obtaining support, see Appendix D, “Support information,” on page 53.

Warning and error messages

A warning or error message might be displayed in the user interface to provide information about the adapter or when an error occurs.

A warning or error might be displayed in the user interface to provide information that you need to know about the adapter or about an error. Table 6 contains warnings or errors which might be displayed in the user interface if the Oracle Database Adapter is installed on your system.

Table 6. Warning and error messages

Message code: CTGIMT001E
Warning or error message: The following error occurred. Error: Either the Oracle service name is incorrect or the service is not up.
Remedial action: Ensure that the Oracle service name given on the IBM Security Identity Manager service form is running.

Message code: CTGIMT001E
Warning or error message: The following error occurred. Error: Either the Oracle host or port is incorrect.
Remedial action: Verify that the host workstation name or the port for the Oracle service is correctly specified.

Message code: CTGIMT002E
Warning or error message: The login credential is missing or incorrect.
Remedial action: Verify that you provided the correct login credential on the service form.

Message code: CTGIMT001E
Warning or error message: The following error occurred. Error: No suitable JDBC driver found.
Remedial action: Ensure that the correct version of the JDBC thin driver is copied onto the workstation where the adapter is installed. Ensure that the path for the driver is included in the system CLASSPATH variable.

Message code: CTGIMT600E
Warning or error message: An error occurred while establishing communication with the IBM Tivoli Directory Integrator server.
Remedial action: IBM Security Identity Manager cannot establish a connection with IBM Tivoli Directory Integrator. To fix this problem, ensure that:
- IBM Tivoli Directory Integrator is running.
- The URL specified on the service form for the IBM Tivoli Directory Integrator is correct.

Message code: CTGIMT004E
Warning or error message: The adapter does not have permission to add an account: Account_Name.
Remedial action: The administrator user provided on the IBM Tivoli Directory Integrator service form does not have the required privileges to add a user account. Ensure that an administrator user with the required privileges is specified on the service form. These privileges are the minimum required for the administrator user:
- CREATE USER
- ALTER USER
- DROP USER
- SELECT ANY TABLE
- GRANT ANY ROLE
- GRANT ANY PRIVILEGE
- EXECUTE ANY PROCEDURE
- ADMINISTER_RESOURCE_MANAGER
- SELECT ANY DICTIONARY
Note: To use the following Stored Procedure, you must provide EXECUTE ANY PROCEDURE and ADMINISTER_RESOURCE_MANAGER privileges to the administrator user:
- dbms_resource_manager_privs.grant_switch_consumer_group
- DBMS_RESOURCE_MANAGER_PRIVS.REVOKE_SWITCH_CONSUMER_GROUP
- dbms_resource_manager.set_initial_consumer_group
- DBMS_WM.RevokeSystemPriv

Message code: CTGIMT003E
Warning or error message: The account already exists.
Remedial action: Use a different name for the user to be added.

Message code: CTGIMT015E
Warning or error message: An error occurred while deleting the Account_Name account because the account does not exist.
Remedial action: The user that you are trying to delete does not exist. Ensure that you are deleting only an existing account.

Chapter 6. Adapter upgrade

You can upgrade the adapter by installing the new version of the adapter.

Upgrading the adapter might also involve additional tasks, such as upgrading the connector, the dispatcher, and the existing adapter profile. To verify the required version of these adapter components, see the adapter release notes. For the installation steps, see Chapter 3, “Adapter installation,” on page 9.

Dispatcher upgrade

Before you upgrade the dispatcher, verify the version of the dispatcher.
- If the dispatcher version mentioned in the release notes is later than the existing version on your workstation, install the dispatcher.
- If the dispatcher version mentioned in the release notes is the same or earlier than the existing version, do not install the dispatcher.

Note: Stop the dispatcher service before upgrading the dispatcher and start it again after the upgrade is complete.

Upgrade of an existing adapter profile

Read the adapter Release Notes for any specific instructions before you import a new adapter profile into IBM Security Identity Manager.

See “Importing the adapter profile into the IBM Security Identity Manager server” on page 10.

Note: Restart the dispatcher service after importing the profile. Restarting the dispatcher clears the assembly lines cache and ensures that the dispatcher runs the assembly lines from the updated adapter profile.

Chapter 7. Adapter uninstallation

You can completely uninstall the Oracle Database Adapter.
1. Uninstall the adapter from Tivoli Directory Integrator server.
2. Remove the adapter profile from the IBM Security Identity Manager server.

Uninstalling the adapter from the Tivoli Directory Integrator server

You can remove the Oracle Database Adapter.

About this task

The Oracle Database Adapter installation installs the Dispatcher only on the Tivoli Directory Integrator server. Therefore, you only need to uninstall from the Dispatcher. There is no uninstall for the Oracle Database Adapter.

The JAR file needed to uninstall the Dispatcher was created in the ITDI_HOME\DispatcherUninstall directory when the Dispatcher was installed.

Note: The Dispatcher is required for all Tivoli Directory Integrator-based adapters. If you uninstall the Dispatcher, none of the other installed adapters function.

To remove the Oracle Database Adapter, complete these steps:
1. Stop the adapter service.
2. Run the DispatcherUninstall.jar file. To run the JAR file, double-click the executable file or enter the following command at the command prompt:

   TDI_HOME/jvm/jre/bin/java -jar DispatcherUninstall.jar

Adapter profile removal from the IBM Security Identity Manager server

Before you remove the adapter profile, ensure that no objects exist on your IBM Security Identity Manager server that reference the adapter profile.

Examples of objects on the IBM Security Identity Manager server that can reference the adapter profile are:
- Adapter service instances
- Policies referencing an adapter instance or the profile
- Accounts

Note: The Dispatcher component must be installed on your system for adapters to function correctly in a Tivoli Directory Integrator environment. When you delete the adapter profile for the Oracle Database Adapter, do not uninstall the Dispatcher.

For specific information about how to remove the adapter profile, see the online help or the IBM Security Identity Manager product documentation.

Chapter 8. Adapter reinstallation

There are no special considerations for reinstalling the adapter. You do not need to remove the adapter before reinstalling.

For more information, see Chapter 6, “Adapter upgrade,” on page 39.

Appendix A. Adapter attributes

The IBM Security Identity Manager server communicates with the Oracle Database Adapter with attributes that are included in transmission packets that are sent over a network.

The combination of attributes that is included in the packets depends on the type of action that the IBM Security Identity Manager server requests from the Oracle Database Adapter.

Table 7 is a listing of the attributes that are used by the Oracle Database Adapter. The table gives a brief description and corresponding column on the Oracle database (if applicable) for the value of the attribute.

Table 7. Attributes, object identifiers, descriptions, and corresponding column/table name on the Oracle database

| Attribute | Description | Oracle column or table |
|---|---|---|
| erOraServiceName | The SID/Service Name of the Oracle instance. | NA |
| erOraSysPriv | The System Privilege assigned to the user. | PRIVILEGE/DBA_SYS_PRIV |
| erOraDefaultTableSpace | The name of the default table space. | DEFAULT_TABLESPACE/DBA_USERS |
| erOraTemporaryTableSpace | The name of the temporary table space. | TEMPORARY_TABLESPACE/DBA_USERS |
| erOraTblSpcQuota | The maximum space allowed on a table space. | MAX_BYTES/DBA_TS_QUOTA |
| erOraAuthenticationType | Specifies how the user is authenticated by Oracle. | PASSWORD/DBA_USERS |
| erOraGlobalName | An external name that identifies the user. | EXTERNAL_NAME/DBA_USERS |
| erOraTblspacesName | The name for the erOraTablespaces group. | TABLESPACE_NAME/DBA_TABLESPACES |
| erOraPrflName | The name for the erOraProfiles group. | PROFILE/DBA_PROFILES |
| erOraRolesName | The name for the erOraRoles group. | ROLE/DBA_ROLES |
| erOraRole | The database roles assigned as default roles to the account. | ROLE, DEFAULT_ROLE/DBA_ROLE_PRIV |
| erOraNonDefRole | The database roles assigned as non default roles (for example, password protected roles) to the account. | ROLE, DEFAULT_ROLE/DBA_ROLE_PRIV |
| erOraProfile | The profile name assigned to the account. | PROFILE/DBA_USERS |
| erOraExpirePwd | If true, set the password to expire. | ACCOUNT_STATUS/DBA_USERS |
| erOraProxyUsers | The proxy user for this user. | PROXY/PROXY_USERS |
| erOraRsrcConsumerGroup | The resource consumer groups that a user can switch to. | GRANTED_GROUP/DBA_RSRC_CONSUMER_GROUP_PRIVS |
| erOraServiceHost | The host workstation where the Oracle service is running. | NA |
| erOraServicePort | The port on which the Oracle service is listening. | NA |
| erOraDefRsrcConsumerGroup | The default or initial resource consumer group for a user. | INITIAL_RSRC_CONSUMER_GROUP/DBA_USERS |
| erServiceUid | The Oracle resource administrator ID. | NA |
| erPassword | The password for Oracle administrator. | PASSWORD/DBA_USERS |
| erUid | The login name. | USERNAME/DBA_USERS |
| erAccountStatus | The status of the account either enabled or disabled. | ACCOUNT_STATUS/DBA_USERS |
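An added example, not part of the IBM guide: a read-only query that lists, for each Oracle account, the data dictionary values behind the Table 7 attributes, so that reconciled account data can be checked against what the database actually holds (for instance, privileges or roles granted outside IBM Security Identity Manager). It uses Oracle's own view and column names DBA_SYS_PRIVS, DBA_ROLE_PRIVS.GRANTED_ROLE and DBA_TS_QUOTAS where Table 7 lists DBA_SYS_PRIV, DBA_ROLE_PRIV, ROLE and DBA_TS_QUOTA, and it assumes Oracle 11g Release 2 or later (for LISTAGG) and a login with SELECT on these views.

```sql
-- Added example: one row per account with the dictionary values that Table 7
-- maps to adapter attributes. Column aliases are the attribute names from
-- Table 7; the comma-separated formatting is for review only and is not the
-- adapter's own wire format (assumption: LISTAGG is available, 11gR2+).
SELECT
    u.username                    AS erUid,
    -- Table 7 maps both erAccountStatus and erOraExpirePwd to this column
    u.account_status,
    u.profile                     AS erOraProfile,
    u.default_tablespace          AS erOraDefaultTableSpace,
    u.temporary_tablespace        AS erOraTemporaryTableSpace,
    u.external_name               AS erOraGlobalName,
    u.initial_rsrc_consumer_group AS erOraDefRsrcConsumerGroup,

    -- System privileges granted directly to the account
    (SELECT LISTAGG(sp.privilege, ', ') WITHIN GROUP (ORDER BY sp.privilege)
       FROM dba_sys_privs sp
      WHERE sp.grantee = u.username) AS erOraSysPriv,

    -- Roles that are enabled at logon
    (SELECT LISTAGG(rp.granted_role, ', ') WITHIN GROUP (ORDER BY rp.granted_role)
       FROM dba_role_privs rp
      WHERE rp.grantee = u.username
        AND rp.default_role = 'YES') AS erOraRole,

    -- Roles that are granted but not enabled by default
    (SELECT LISTAGG(rp.granted_role, ', ') WITHIN GROUP (ORDER BY rp.granted_role)
       FROM dba_role_privs rp
      WHERE rp.grantee = u.username
        AND rp.default_role = 'NO') AS erOraNonDefRole,

    -- Table space quotas; Oracle stores MAX_BYTES = -1 for an unlimited quota
    (SELECT LISTAGG(q.tablespace_name || '=' ||
                    CASE q.max_bytes
                        WHEN -1 THEN 'UNLIMITED'
                        ELSE TO_CHAR(q.max_bytes)
                    END, ', ')
            WITHIN GROUP (ORDER BY q.tablespace_name)
       FROM dba_ts_quotas q
      WHERE q.username = u.username) AS erOraTblSpcQuota,

    -- Accounts allowed to connect as a proxy for this account
    (SELECT LISTAGG(p.proxy, ', ') WITHIN GROUP (ORDER BY p.proxy)
       FROM proxy_users p
      WHERE p.client = u.username) AS erOraProxyUsers,

    -- Resource consumer groups the account may switch to
    (SELECT LISTAGG(g.granted_group, ', ') WITHIN GROUP (ORDER BY g.granted_group)
       FROM dba_rsrc_consumer_group_privs g
      WHERE g.grantee = u.username) AS erOraRsrcConsumerGroup
FROM dba_users u
ORDER BY u.username;
```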

Attributes by Oracle Database Adapter actions

The following topics describe typical Oracle Database Adapter actions by their functional transaction group.

The topics include more information about required and optional attributes sent to the Oracle Database Adapter to complete that action.

System Login Add

A System Login Add is a request to create a user account with the specified attributes.

Table 8. Add request attributes for Oracle

| Required attribute | Optional attribute |
|---|---|
| erUid | All other supported attributes |

System Login Change

A System Login Change is a request to change one or more attributes for the specified users.

Table 9. Change request attributes for Oracle

| Required attribute | Optional attribute |
|---|---|
| erUid | All other supported attributes |


System Login Delete

A System Login Delete is a request to remove the specified user from the Oracle database.

Table 10. Delete request attributes for Oracle

| Required attribute | Optional attribute |
|---|---|
| erUid | None |

System Login Suspend

A System Login Suspend is a request to disable a user account. The user is not removed, and the user's attributes are not modified.

Table 11. Suspend request attributes for Oracle

| Required attribute | Optional attribute |
|---|---|
| erUid, erAccountStatus | None |

System Login Restore

A System Login Restore is a request to activate a user account that was previously suspended. After an account is restored, the user can access the system by using the same attributes as the ones before the Suspend function was called.

Table 12. Restore request attributes for Oracle

| Required attribute | Optional attribute |
|---|---|
| erUid, erAccountStatus | None |

Test

You can use attributes to test the connection.

Table 13. Test attributes

| Required attribute | Optional attribute |
|---|---|
| None | None |

Reconciliation

The Reconciliation request synchronizes user account information between IBM Security Identity Manager and the adapter.

Table 14. Reconciliation request attributes for Oracle

| Required attribute | Optional attribute |
|---|---|
| None | None |


Appendix B. Adapter installation on a z/OS operating system

To install the adapters on the z/OS UNIX operating system, you must install the Dispatcher.

The adapter uses the Tivoli Directory Integrator JDBC connector that is available with the base Tivoli Directory Integrator product.

For information about installing the Dispatcher, see the Tivoli Directory Integrator Dispatcher Installation and Configuration Guide.

After the installation of the adapter is complete, verify the startup and shutdown of the adapter. For more detailed instructions, see “Start, stop, and restart the Oracle Database Adapter service” on page 10.


Appendix C. Definitions for ITDI_HOME and ISIM_HOME directories

ITDI_HOME is the directory where Tivoli Directory Integrator is installed. ISIM_HOME is the directory where IBM Security Identity Manager is installed.

ITDI_HOME

This directory contains the jars/connectors subdirectory that contains files for the adapters.

Windows: drive\Program Files\IBM\TDI\ITDI_VERSION

For example the path for version 7.1: C:\Program Files\IBM\TDI\V7.1

UNIX: /opt/IBM/TDI/ITDI_VERSION

For example the path for version 7.1: /opt/IBM/TDI/V7.1

ISIM_HOME

This directory is the base directory that contains the IBM Security Identity Manager code, configuration, and documentation.

Windows: path\IBM\isim

UNIX: path/IBM/isim


Appendix D. Support information

You have several options to obtain support for IBM products.

- “Searching knowledge bases”
- “Obtaining a product fix” on page 54
- “Contacting IBM Support” on page 54

Searching knowledge bases

You can often find solutions to problems by searching IBM knowledge bases. You can optimize your results by using available resources, support tools, and search methods.

About this task

You can find useful information by searching the product documentation for IBM Security Identity Manager. However, sometimes you must look beyond the product documentation to answer your questions or resolve problems.

Procedure

To search knowledge bases for information that you need, use one or more of the following approaches:

1. Search for content by using the IBM Support Assistant (ISA).
   ISA is a no-charge software serviceability workbench that helps you answer questions and resolve problems with IBM software products. You can find instructions for downloading and installing ISA on the ISA website.
2. Find the content that you need by using the IBM Support Portal.
   The IBM Support Portal is a unified, centralized view of all technical support tools and information for all IBM systems, software, and services. The IBM Support Portal lets you access the IBM electronic support portfolio from one place. You can tailor the pages to focus on the information and resources that you need for problem prevention and faster problem resolution. Familiarize yourself with the IBM Support Portal by viewing the demo videos (https://www.ibm.com/blogs/SPNA/entry/the_ibm_support_portal_videos) about this tool. These videos introduce you to the IBM Support Portal, explore troubleshooting and other resources, and demonstrate how you can tailor the page by moving, adding, and deleting portlets.
3. Search for content about IBM Security Identity Manager by using one of the following additional technical resources:
   - IBM Security Identity Manager version 6.0 technotes and APARs (problem reports).
   - IBM Security Identity Manager Support website.
   - IBM Redbooks®.
   - IBM support communities (forums and newsgroups).
4. Search for content by using the IBM masthead search. You can use the IBM masthead search by typing your search string into the Search field at the top of any ibm.com® page.
5. Search for content by using any external search engine, such as Google, Yahoo, or Bing. If you use an external search engine, your results are more likely to include information that is outside the ibm.com domain. However, sometimes you can find useful problem-solving information about IBM products in newsgroups, forums, and blogs that are not on ibm.com.

Tip: Include “IBM” and the name of the product in your search if you are looking for information about an IBM product.

Obtaining a product fix

A product fix might be available to resolve your problem.

About this task

You can get fixes by following these steps:

Procedure

1. Obtain the tools that are required to get the fix. You can obtain product fixes from the Fix Central Site. See http://www.ibm.com/support/fixcentral/.
2. Determine which fix you need.
3. Download the fix. Open the download document and follow the link in the “Download package” section.
4. Apply the fix. Follow the instructions in the “Installation Instructions” section of the download document.

Contacting IBM Support

IBM Support assists you with product defects, answers FAQs, and helps users resolve problems with the product.

Before you begin

After trying to find your answer or solution by using other self-help options such as technotes, you can contact IBM Support. Before contacting IBM Support, your company or organization must have an active IBM software subscription and support contract, and you must be authorized to submit problems to IBM. For information about the types of available support, see the Support portfolio topic in the “Software Support Handbook”.

Procedure

To contact IBM Support about a problem:

1. Define the problem, gather background information, and determine the severity of the problem. For more information, see the Getting IBM support topic in the Software Support Handbook.
2. Gather diagnostic information.
3. Submit the problem to IBM Support in one of the following ways:
   - Using IBM Support Assistant (ISA):
     Any data that has been collected can be attached to the service request. Using ISA in this way can expedite the analysis and reduce the time to resolution.
     a. Download and install the ISA tool from the ISA website. See http://www.ibm.com/software/support/isa/.
     b. Open ISA.
     c. Click Collection and Send Data.
     d. Click the Service Requests tab.
     e. Click Open a New Service Request.
   - Online through the IBM Support Portal: You can open, update, and view all of your service requests from the Service Request portlet on the Service Request page.
   - By telephone for critical, system down, or severity 1 issues: For the telephone number to call in your region, see the Directory of worldwide contacts web page.

Results

If the problem that you submit is for a software defect or for missing or inaccurate documentation, IBM Support creates an Authorized Program Analysis Report (APAR). The APAR describes the problem in detail. Whenever possible, IBM Support provides a workaround that you can implement until the APAR is resolved and a fix is delivered. IBM publishes resolved APARs on the IBM Support website daily, so that other users who experience the same problem can benefit from the same resolution.


Appendix E. Accessibility features for IBM Security Identity Manager

Accessibility features help users who have a disability, such as restricted mobility or limited vision, to use information technology products successfully.

Accessibility features

The following list includes the major accessibility features in IBM Security Identity Manager.

- Support for the Freedom Scientific JAWS screen reader application
- Keyboard-only operation
- Interfaces that are commonly used by screen readers
- Keys that are discernible by touch but do not activate just by touching them
- Industry-standard devices for ports and connectors
- The attachment of alternative input and output devices

The IBM Security Identity Manager library, and its related publications, are accessible.

Keyboard navigation

This product uses standard Microsoft Windows navigation keys.

Related accessibility information

The following keyboard navigation and accessibility features are available in the form designer:

- You can use the tab keys and arrow keys to move between the user interface controls.
- You can use the Home, End, Page Up, and Page Down keys for more navigation.
- You can launch any applet, such as the form designer applet, in a separate window to enable the Alt+Tab keystroke to toggle between that applet and the web interface, and also to use more screen workspace. To launch the window, click Launch as a separate window.
- You can change the appearance of applets such as the form designer by using themes, which provide high contrast color schemes that help users with vision impairments to differentiate between controls.

IBM and accessibility

See the IBM Human Ability and Accessibility Center for more information about the commitment that IBM has to accessibility.


Notices

This information was developed for products and services offered in the U.S.A.

IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785 U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan, Ltd.
19-21, Nihonbashi-Hakozakicho, Chuo-ku
Tokyo 103-8510, Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law:

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement might not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.


IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

IBM Corporation
2Z4A/101
11400 Burnet Road
Austin, TX 78758 U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases payment of a fee.

The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurement may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

COPYRIGHT LICENSE:

This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. You may copy, modify, and distribute these sample programs in any form without payment to IBM for the purposes of developing, using, marketing, or distributing application programs conforming to IBM's application programming interfaces.

Each copy or any portion of these sample programs or any derivative work, must include a copyright notice as follows:

If you are viewing this information softcopy, the photographs and color illustrations might not appear.

© (your company name) (year). Portions of this code are derived from IBM Corp. Sample Programs. © Copyright IBM Corp. _enter the year or years_. All rights reserved.

If you are viewing this information in softcopy form, the photographs and color illustrations might not be displayed.

Trademarks

IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at http://www.ibm.com/legal/copytrade.shtml.

Adobe, Acrobat, PostScript and all Adobe-based trademarks are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, other countries, or both.

IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency which is now part of the Office of Government Commerce.

Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

Linux is a trademark of Linus Torvalds in the United States, other countries, or both.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

ITIL is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Cell Broadband Engine and Cell/B.E. are trademarks of Sony Computer Entertainment, Inc., in the United States, other countries, or both and is used under license therefrom.


Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.

Privacy Policy Considerations

IBM Software products, including software as a service solutions, ("Software Offerings") may use cookies or other technologies to collect product usage information, to help improve the end user experience, and to tailor interactions with the end user or for other purposes. In many cases, no personally identifiable information is collected by the Software Offerings. Some of our Software Offerings can help enable you to collect personally identifiable information. If this Software Offering uses cookies to collect personally identifiable information, specific information about this offering’s use of cookies is set forth below.

This Software Offering does not use cookies or other technologies to collect personally identifiable information.

If the configurations deployed for this Software Offering provide you as customer the ability to collect personally identifiable information from end users via cookies and other technologies, you should seek your own legal advice about any laws applicable to such data collection, including any requirements for notice and consent.

For more information about the use of various technologies, including cookies, for these purposes, see IBM's Privacy Policy at http://www.ibm.com/privacy and IBM’s Online Privacy Statement at http://www.ibm.com/privacy/details/us/en sections entitled "Cookies, Web Beacons and Other Technologies and Software Products and Software-as-a Service".
