
Monday, 14 February 2011

Provisioning to two Active Directory Domains with Oracle Identity Manager – Connector Cloning – Part I


In many large enterprises there can be two Active Directory domains in use (sometimes more than two), for example one for India users and one for North America users, if the company has two major locations. This requires two AD Connector instances to be created in OIM, for provisioning and reconciliation purposes. The OIM Connector Guide for Active Directory User Management provides the following description for creating copies of the connector to provision into multiple target systems; however, detailed instructions are not available in the connector documentation.

From the Oracle Connector Documentation (Oracle Identity Manager Connector Guide for Microsoft Active Directory User Management – Release 9.1.1 – E11197-11 – Page 186):
Section: 4.15.1
To create a copy of the connector:
  1. Create copies of the IT resource, resource object, process form, provisioning process, scheduled tasks, and lookup definitions that hold attribute mappings.
  2. Create a copy of the Lookup.AD.Configuration lookup definition. In the copy that you create, change the values of the following entries to match the details of the process form copy that you create.
      1. ROUserID
      2. ROUserManager
      3. ROFormName
      4. ROUserGUID
  3. Map the new process tasks to the copy of the Lookup.AD.Configuration lookup definition.
Initially I was not sure how I could set up the cloning. I had two Active Directory domains. When users are created in OIM, access policies will identify to which one they have to be provisioned. However, I had to set up two AD Connectors for these two domains.
Based on my investigation, the following AD Connector specific objects are involved:
  1. Copy of the IT Resource
  2. Copy of the RO
  3. Copy of the Process form
  4. Copy of the Provisioning Process
  5. Copy of the Scheduled Tasks
  6. Copy of the Lookup Definitions
  7. Copy of the Reconciliation Rule
First, you need to export the relevant objects as an XML file, rename them by manually editing the XML file, then re-import them. One recommendation is to run your XML file through "xmllint --format" on Linux; that should make it more readable, so it is easier for you to edit (thanks to Oracle Support for providing this xmllint tip).
Here are the steps for cloning a connector, based on my personal experience:
  1. Identify all the connector objects used by the Active Directory Connector (mostly the table below, but I am still not sure whether I covered all the objects; please let me know if I missed any).
  2. Export these objects using the Deployment Manager export utility. This will create an XML file during the export.
  3. Once you have the XML file, you need to identify and replace the values for the objects in the XML file. This is the main reason you should be aware of the AD Connector objects.
  4. Then you can import this manipulated XML file into the OIM system. I faced errors during the import. I will write about those errors in the next post.
AD Connector Objects:
No.  Object Type           Object Name for AD Connector
1.   IT Resource           AD IT Resource
2.   Resource Object       AD User
3.   Process Form          UD_ADUSER, UD_ADUSRC
4.   Provisioning Process  AD User
5.   Scheduled Tasks       Target Recon
6.   Lookup Definitions    Many...
7.   Child Tables          UD_ADUSER*
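The bulk rename in step 3 is easy to get wrong by hand, because "AD User" names both the resource object and the provisioning process, and the UD_ADUSER form name is also the prefix of every column on that form. The following is an added example (not code from the post or from Oracle) that applies the renames to the exported XML as plain text, counts the hits per object, and reports any old name left behind before you re-import. The object names are the ones in the table above; the "NA" clone names and the simplified sample export are constructed assumptions.

```python
import re

# Object names from the post's table mapped to assumed names for the second
# (North America) domain clone. Pick your own, but keep them distinct from the
# originals so that the leftover check below is meaningful.
AD_CLONE_RENAMES = {
    "Lookup.AD.Configuration": "Lookup.AD.Configuration.NA",
    "AD IT Resource": "AD IT Resource NA",
    "AD User": "AD User NA",      # resource object and provisioning process share it
    "Target Recon": "Target Recon NA",
    "UD_ADUSRC": "UD_ADUSRCNA",   # child table
    "UD_ADUSER": "UD_ADUSERNA",   # process form; also the prefix of its column names
}


def _pattern(name):
    """Whole-name match. A UD_ form name may continue with "_" (its columns)."""
    tail = r"(?=_|(?![\w.]))" if name.startswith("UD_") else r"(?![\w.])"
    return re.compile(r"(?<![\w.])" + re.escape(name) + tail)


def rename_connector_objects(xml_text, renames=AD_CLONE_RENAMES):
    """Apply each rename once, longest name first, and return the new text plus
    a per-name hit count (a zero count means the export lacks that object)."""
    counts = {}
    for old in sorted(renames, key=len, reverse=True):
        xml_text, counts[old] = _pattern(old).subn(renames[old], xml_text)
    return xml_text, counts


def leftover_names(xml_text, renames=AD_CLONE_RENAMES):
    """Old names still present, ignoring those embedded in a new name
    (e.g. the "AD User" inside "AD User NA"). Should be empty after the rename."""
    masked = xml_text
    for new in sorted(set(renames.values()), key=len, reverse=True):
        masked = masked.replace(new, "\x00")
    return [old for old in renames if _pattern(old).search(masked)]


# Constructed, heavily simplified stand-in for a Deployment Manager export;
# only the object names matter for this exercise.
SAMPLE_EXPORT = """<xl-ddm-data>
  <ITResource name="AD IT Resource"/>
  <Resource name="AD User"/>
  <Process name="AD User" form="UD_ADUSER"/>
  <Form name="UD_ADUSER"><Column name="UD_ADUSER_UID"/></Form>
  <Form name="UD_ADUSRC"/>
  <Lookup name="Lookup.AD.Configuration">
    <Entry code="ROFormName" decode="UD_ADUSER"/>
    <Entry code="ROUserID" decode="UD_ADUSER_UID"/>
  </Lookup>
  <Task name="Target Recon"/>
</xl-ddm-data>
"""


def clone_export(xml_text=SAMPLE_EXPORT):
    """Rename everything and return (new_xml, hit_counts, leftover_old_names)."""
    new_text, counts = rename_connector_objects(xml_text)
    return new_text, counts, leftover_names(new_text)
```

Run it on the real export file (after xmllint --format) by reading the file into clone_export(); a non-empty leftover list or a zero count in the hit table tells you which object you missed before the import fails.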
In my current OIM system, I have the default connector configured for the first AD domain, and the cloned connector configured for the second AD domain. I thought it was confusing, so I asked a question about this and received the information below from Oracle Support. Hope it is useful.
The best approach is to import the connector twice for the two domains by using the cloning method to clone twice, and leave the original objects installed but unused. That way, when you upgrade to a newer connector version on top of the existing one, you will update the original unused template objects, then clone the change onto the two domain objects.
The second method, keeping the installed AD Connector for one domain and cloning the AD Connector for the second AD domain, will also work.
I liked the approach of keeping two cloned connectors. You may like the other approach, but it is up to you to decide.
I will write a continuation of this post later. Until then

Monday, 1 November 2010

Something I learned about Oracle Database 11g RMAN restore


Last weekend (it was Saturday night), I needed to restore a development database from an old backup. I had never done an RMAN restore before until last Saturday. As the saying goes, "necessity is the mother of invention". Though it is not really an invention (RMAN has been there for a long time), for me, I got to know RMAN restore last week.
Our DBA was not available on Saturday. I needed to test a few things on the development database and for that I needed to restore a backup that was taken a couple of months ago. So I followed the procedure to restore the database using RMAN.
This could be a basic thing all the DBAs know about. But for me this is not something I do every day, so this was new to me.
First, I ran the "shutdown immediate" command to shut down my development database. Then I followed these steps to restore the database from an older backup taken by RMAN. The database was running on a Red Hat Enterprise Linux machine and the database version was 11.1.1.6.0.
$ rman

RMAN> list backup;
List of Backup Sets
===================

...
I got the TAG details from here.
...
RMAN> restore datafile '/u02/oradata/OIMTST/system01.dbf' from tag = 'BEFORERECON';

RMAN> restore datafile '/u02/oradata/OIMTST/sysaux01.dbf' from tag = 'BEFORERECON';
...
RMAN> restore datafile '/u02/oradata/OIMTST/undotbs01.dbf' from tag = 'BEFORERECON';

RMAN> restore datafile '/u02/oradata/OIMTST/users01.dbf' from tag = 'BEFORERECON';

RMAN> restore datafile '/u02/oradata/OIMTST/oimtst4_tspace_01.dbf' from tag = 'BEFORERECON';

RMAN> list backup of controlfile;

RMAN> restore controlfile to '/u02/oradata/OIMTST/control01a.ctl' from tag = 'TAG20100820T112653';

RMAN> quit
Recovery Manager complete.

$
Copying the Control Files:
============================
cd /u02/oradata/OIMTST  # The control files are located here.
cp control01a.ctl control01.ctl
cp control01a.ctl control02.ctl
cp control01a.ctl control03.ctl

$ sqlplus / as sysdba….
SQL> startup
ORACLE instance started.
Total System Global Area 1073131520 bytes
Fixed Size                  2151248 bytes
Variable Size             264244400 bytes
Database Buffers          801112064 bytes
Redo Buffers                5623808 bytes
Database mounted.
ORA-01589: must use RESETLOGS or NORESETLOGS option for database open

SQL>
SQL> alter database open resetlogs;

Database altered.
SQL>
Hurray!!!! It is a success!!!
This was my first restore using RMAN. I knew the concepts earlier, but I had never really restored a database like this before. I thought of sharing this knowledge.
We will meet in another post. Until then

Wednesday, 29 September 2010

Checking on Oracle Fusion Applications


Sun blogger Vijay Tatkar wrote in his blog about the eight technology innovations mentioned by Larry Ellison during his Oracle OpenWorld keynote speech last week. Nearly half of them were Sun hardware related (such as Exadata, Exalogic, Sun UltraSPARC T3, etc). Here is the list:

  1. Fusion Apps
  2. Unbreakable Linux Kernel
  3. Solaris Express 11
  4. UltraSPARC T3 chip
  5. MySQL 5.5
  6. Exadata
  7. Exalogic
  8. Java 7 and 8
Since the beginning, I have always been interested to know more about Fusion Apps, mainly out of curiosity. Oracle Fusion Applications were formally introduced during Oracle OpenWorld last week (OpenWorld 2010). As per the Oracle release, this was one of the major innovations, or the next big thing, for Oracle. As you are aware, the Fusion Middleware products were released already. Now it is time to talk about the Fusion Applications.
You may already be aware that I started my IT career as a web developer in a small web hosting company. I used to write Perl CGI code and host it on Linux servers running the Apache web server and the MySQL database. I got bored (or I wanted a change, I am not sure!) with that job and then moved into Unix system administration. I worked as a Sun Solaris admin and HP-UX admin for some time. Then I worked in PeopleSoft system administration for nearly 7 years, and for nearly the past one year I have been working on an Oracle Identity Management project (which is part of the Oracle Fusion Middleware products).
So, the question is "now what?" And how can we develop the knowledge for Fusion Apps administration?
I am not sure when Fusion Apps will be deployed full-fledged instead of other ERP applications like PeopleSoft. I don't think it will be any time soon, but maybe after a few years Oracle may win over customers who are going to do a new implementation of some ERP application.
You know what, Fusion Middleware is to Fusion Apps what PeopleTools is to the PeopleSoft applications. PeopleTools is the abstraction layer on top of which all the PeopleSoft applications run. PeopleTools was originally built in C and C++ and eventually evolved into a Java technology; however, I still feel some of it is C++ code. While Fusion Middleware is more Java and J2EE apps, I believe Fusion Apps will be more J2EE apps than PeopleSoft. I need to spend a little more time on implementing Fusion Middleware and an application. As of now, I have only worked on the Identity Management product suite and a little bit of Oracle Portal technologies.
For an IT infrastructure administrator like me (who mainly works on Oracle server technologies), I think understanding the Fusion Middleware stack will be important.
Talk to you later. Until then

Thursday, 12 August 2010

Peoplesoft Connectors for Oracle Identity Manager – Part I


Introduction

A couple of weeks ago, I attended an Oracle webcast titled "Introducing Oracle Identity Management 11g". That webcast was about introducing the remaining components of the Oracle Identity Management product suite, which is part of Oracle Fusion Middleware 11g (we can call it the second set of product releases!).

During the first phase of the Oracle Fusion Middleware 11g release, Oracle released a few components such as Oracle Internet Directory (OID), Oracle Virtual Directory (OVD), etc. Along with a couple of other components, the following are the major software releases (as part of the second release) of the new Oracle Identity Management 11g product suite:
  • Oracle Identity Manager
  • Oracle Access Manager
  • Oracle Identity Analytics
  • … and few others …
The Oracle Identity Management 11g product suite provides Identity and Access Management (IAM) functions along with compliance and security related solutions. In Oracle Identity Management 11g, as usual, more features are added, such as a security development platform and integration with Fusion Middleware.
In this blog series, I am going to talk more about the Oracle Identity Manager (OIM) product. Let us first understand the Oracle Identity Manager product and its features, and then we will talk more about the various options available for integrating PeopleSoft systems with Oracle Identity Manager. I used my personal experience with the product and referred to the Oracle Identity Manager 11g Release 1 documentation for this. There are various guides available as part of the Oracle Fusion Middleware documentation; if you need in-depth knowledge about this product, you need to refer to those manuals. Let's understand the OIM product first.

About Oracle Identity Manager

One of the major and most important Oracle Identity Management components is Oracle Identity Manager (OIM). Earlier this product was called Xellerate Provisioning (by a company called Thor Technologies). The OIM product provides a central repository to store user and group information for any organization. One of the important features of OIM is that it can integrate with various target systems (such as PeopleSoft HRMS, SAP, Active Directory, Siebel, etc). Various other Oracle products such as JD Edwards, EBS and Oracle Retail have connectors as well.
I like the OIM Connectors page at the Oracle website. You should visit it once. There are connectors for the most commonly used products in the market (such as Sun Java Directory, Novell eDirectory, SAP products, databases, Siebel, etc). In this post, I want to explore the PeopleSoft connectors and how we can deploy these connectors in an enterprise implementing OIM. I am going to provide a conceptual understanding only; for more details on the connectors, you should refer to the connector documentation (search for "oracle identity manager connector documentation" to visit the connector documentation page). Other products that have no connector can be integrated with OIM using the Generic Technology Connector (GTC), which is delivered as part of the OIM product. We will talk more about GTC in later posts.

Integrating Peoplesoft HRMS system with OIM

PeopleSoft HRM (or HRMS) systems are ERP systems deployed in many enterprises across the world. Hexaware supports the implementation and support of many such PeopleSoft HRMS systems across the globe. There are two PeopleSoft connectors available for the OIM product. They are:
  • PSFT Employee Reconciliation Connector
  • PSFT User Management Connector
These two connectors are used for different purposes in a PeopleSoft based environment. Let's explore the use of these connectors using an architecture diagram. I created the following diagram to show the integration and the use of the PSFT connectors.
In this high-level architecture, I used an existing PeopleSoft HRMS system as a trusted source for OIM. OIM plays the role of a central repository that stores user and group information. User provisioning happens to the multiple target systems shown in the diagram.
The PSFT Employee Reconciliation Connector is used to perform trusted source reconciliation with the PeopleSoft HRMS system. In this scenario, the PeopleSoft HRMS system is the source for all user or employee related information during the entire user management lifecycle (user add, user delete, user modification, etc). There are two versions of the PSFT Employee Recon Connector.
  • Version 9.0.4.x
  • Version 9.1.x
If you are on PeopleTools 8.48 or an earlier release, then you should opt for 9.0.4. For a detailed list of supported releases, you can refer to the connector documentation.
Both Version 9.0.4.x and Version 9.1.x use the Integration Broker architecture for integrating with OIM. As you are aware, the IB architecture changed considerably starting with PeopleTools 8.48, and new features were added in PeopleTools 8.49. For Version 9.1.x, the supported PeopleSoft HRMS systems are 8.9, 9.0 and 9.1 with PeopleTools 8.49 and 8.50.
Let's explore these two PeopleSoft connectors for OIM in future posts. I really like to share and learn more about these connectors, mainly for two reasons: I worked as a PeopleSoft admin for so many years, and I also learned some basics of OIM recently. Let's meet in the next post. Until then

Tuesday, 6 July 2010

Oracle Internet Directory LDAP Replica States in Fusion Middleware 11g


Oracle Internet Directory LDAP Replica States in Fusion Middleware 11g (11.1.1)

In the Oracle Fusion Middleware 11g documentation (I think I was referring to version 11.1.1 of the documentation), you can find the OID Administrator's Guide. As the name suggests, this is the most important and valuable guide for Oracle Internet Directory administrators. I think I have read most of this guide already. However, I still refer to it, since there is a lot of information in it (and it is a reference guide too).
I want to write about the LDAP replica states mentioned in Appendix D (How Replication Works) of this guide. In Fusion Middleware, Oracle provides a lot of detail about Oracle Internet Directory replication. Earlier this information was scattered around the Oracle Support website and was difficult to find. Now, I think Oracle has collected most of this information in this guide.
If you are working on, supporting, or planning to implement an OID replication high-availability environment, then you should be familiar with this section of the guide. The replica state information is useful if you are running an LDAP-based replica (just to refresh your memory, there are two types of replication possible, ASR based and LDAP based; ASR is based on database links, while LDAP-based replication uses an LDAP client process).

orclReplicaState Attribute

The orclReplicaState attribute stores the replication state of an LDAP-based replica. You can check the current replica state of the OID using the ldapsearch command. (In a live system that uses LDAP-based replication, it will be set to the numeric value 1, which means it is in the online state.)
You need to run the following ldapsearch and check the orclreplicastate attribute as shown below. Please make sure to replace the argument values with ones specific to your site; I just gave an example.
ldapsearch -h localhost -p 389 -D cn=orcladmin -w password -b "orclreplicaid=local_replica_ID,cn=replication configuration" -s sub "objectclass=*"
You need to check the value of orclreplicastate in the output. Alternatively, you can get the orclreplicastate attribute value directly, as in the following example:
ldapsearch -h localhost -p 389 -D cn=orcladmin -w password -b "orclreplicaid=local_replica_ID,cn=replication configuration" -s sub "objectclass=*" orclreplicastate
The local_replica_ID is specific to your installation; normally it is of the form machine_database, and you can check it with an ldapsearch query as well.
ldapsearch argument description:
Argument  Description
-h        Hostname or IP address of the LDAP directory server. I used localhost since I am running this command on the same server where OID is running.
-p        Port number of the LDAP directory; the default LDAP port is 389 and the LDAPS port is 636. If you use port 636, then you should also give the -U argument.
-D        Bind DN, the LDAP DN used to connect to the LDAP directory.
-w        Password for the bind DN; it is site specific.
-b        Base DN for the search; here it starts from the replication configuration entry of the local replica.
-s        Search scope (base, one or sub); the commands above use sub.

orclReplicaState possible values in 11g

There are 9 LDAP replica states mentioned in this guide (in 10g OID, there were only 7 LDAP replica states; it looks like Oracle added two more in 11.1.1). As I mentioned earlier, in a normal production system that uses LDAP-based replication, orclreplicastate is set to the value 1 automatically when the replication server starts for the first time.
Let's list the LDAP replica states:
State  Description
0      Bootstrap. This is one of the important values: you can set up a new LDAP-based consumer replica using this value. Let's talk about it in the next blog.
1      Online, for regular replication processing.
2      Offline
3      Bootstrap in progress
4      Bootstrap in progress + cn=orclcontext completed
5      Bootstrap completed with failures
6      Database based
7      Sync schema only (not data)
8      Bootstrap without schema sync (only data)
In an LDAP replication high-availability environment, it is a must that you understand these values and their significance. Let's talk about these values and how we can make use of this attribute and its values in the coming blogs. Until then
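In an HA setup you will want to check this value regularly rather than by hand. The following is an added example (not code from the post or from Oracle) that parses the output of the ldapsearch command above, maps orclreplicastate to the table, and classifies the replica as healthy (1), failed bootstrap (5), in a bootstrap/transition state, or offline. The state table is the post's; the sample ldapsearch output embedded below is constructed.

```python
import re

# The 9 LDAP replica states from the 11g guide, as listed above.
REPLICA_STATES = {
    0: "Bootstrap",
    1: "Online",
    2: "Offline",
    3: "Bootstrap in progress",
    4: "Bootstrap in progress + cn=orclcontext completed",
    5: "Bootstrap completed with failures",
    6: "Database based",
    7: "Sync schema only (not data)",
    8: "Bootstrap without schema sync (only data)",
}

# Oracle's ldapsearch prints "attr=value" by default; with -L it prints
# LDIF "attr: value". Accept both, one attribute per line.
_STATE_LINE = re.compile(r"^\s*orclreplicastate\s*[=:]\s*(\d+)\s*$",
                         re.IGNORECASE | re.MULTILINE)


def parse_replica_states(output):
    """Return every orclreplicastate value found in the ldapsearch output."""
    return [int(m.group(1)) for m in _STATE_LINE.finditer(output)]


def assess(state):
    """Classify one state for a running LDAP-based replica.
    Only 1 is healthy; 5 means the bootstrap failed and needs attention;
    0, 3, 4, 7 and 8 are bootstrap or schema-sync phases; 2 is offline."""
    desc = REPLICA_STATES.get(state, "unknown state")
    if state == 1:
        level = "OK"
    elif state == 5:
        level = "CRITICAL"
    elif state in (0, 3, 4, 7, 8):
        level = "BOOTSTRAPPING"
    elif state == 2:
        level = "WARNING"
    else:
        level = "INFO"   # 6 (database based) or a value not in the table
    return level, desc


# Constructed sample of what the ldapsearch with the trailing
# "orclreplicastate" argument returns for a healthy consumer replica.
SAMPLE_OUTPUT = """orclreplicaid=oidhost_oiddb,cn=replication configuration
orclreplicastate=1
"""


def check_replica(output=SAMPLE_OUTPUT):
    """Return a list of (level, description); a missing attribute is CRITICAL
    because it means the base DN or the replica id in the search was wrong."""
    states = parse_replica_states(output)
    if not states:
        return [("CRITICAL", "no orclreplicastate attribute in output")]
    return [assess(s) for s in states]
```

Feed it the real ldapsearch output (for example via subprocess or a pipe) and page on anything other than OK; a replica stuck in 3 or 4 for a long time is worth a look even though it is not an error by itself.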