Oracle Database Adapter Installation and Configuration Guide

IBM Security Identity Manager
Version 6.0
SC27-4402-03
Note
Before using this information and the product it supports, read the information in “Notices” on page 59.
Edition notice
Note: This edition applies to version 6.0 of IBM Security Identity Manager (product number 5724-C34) and to all
subsequent releases and modifications until otherwise indicated in new editions.
© Copyright IBM Corporation 2012, 2014.
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract
with IBM Corp.
Contents
Figures
Tables
Preface
  About this publication
  Access to publications and terminology
  Accessibility
  Technical training
  Support information
  Statement of Good Security Practices
Chapter 1. Oracle Database Adapter Installation and Configuration Guide
  Overview of the adapter
  Features of the adapter
  Architecture of the adapter
  Supported configurations
Chapter 2. Adapter installation planning
  Preinstallation roadmap
  Installation roadmap
  Prerequisites
  Installation worksheet for the adapter
  Software download
Chapter 3. Adapter installation
  Dispatcher installation verification
  Installing the adapter
  Start, stop, and restart the Oracle Database Adapter service
  Importing the adapter profile into the IBM Security Identity Manager server
  Adapter profile installation verification
  Adapter user account creation
  Creating an adapter service
Chapter 4. First steps after installation
  Adapter configuration
    Customizing the adapter profile
    Configuring OCI for Transparent Application Failover
  SSL configuration
    SSL overview
  Password management for account restoration
  Language pack installation for the Oracle Database adapter
  Verifying that the adapter is working correctly
Chapter 5. Troubleshooting the adapter errors
  Techniques for troubleshooting problems
  Warning and error messages
Chapter 6. Adapter upgrade
  Dispatcher upgrade
  Upgrade of an existing adapter profile
Chapter 7. Adapter uninstallation
  Uninstalling the adapter from the Tivoli Directory Integrator server
  Adapter profile removal from the IBM Security Identity Manager server
Chapter 8. Adapter reinstallation
Appendix A. Adapter attributes
  Attributes by Oracle Database Adapter actions
    System Login Add
    System Login Change
    System Login Delete
    System Login Suspend
    System Login Restore
    Test
    Reconciliation
Appendix B. Adapter installation on a z/OS operating system
Appendix C. Definitions for ITDI_HOME and ISIM_HOME directories
Appendix D. Support information
  Searching knowledge bases
  Obtaining a product fix
  Contacting IBM Support
Appendix E. Accessibility features for IBM Security Identity Manager
Notices
Index
Figures
1. The architecture of the Oracle Database Adapter
2. Example of a single server configuration
3. Example of multiple server configuration
4. SSL communication overview
Tables
1. Preinstallation roadmap
2. Installation roadmap
3. Prerequisites to install the adapter
4. Required information to install the adapter
5. Required privileges and their descriptions
6. Warning and error messages
7. Attributes, object identifiers, descriptions, and corresponding column/table name on the Oracle database
8. Add request attributes for Oracle
9. Change request attributes for Oracle
10. Delete request attributes for Oracle
11. Suspend request attributes for Oracle
12. Restore request attributes for Oracle
13. Test attributes
14. Reconciliation request attributes for Oracle
Preface
About this publication
The Oracle Database Adapter Information and Configuration Guide contains the basic
information that you can use to install and configure the IBM® Security Identity
Manager Oracle Database Adapter. The adapter enables connectivity between the
IBM Security Identity Manager server and the managed resource.
IBM Security Identity Manager was previously known as Tivoli® Identity Manager.
Access to publications and terminology
This section provides:
- A list of publications in the “IBM Security Identity Manager library.”
- Links to “Online publications.”
- A link to the “IBM Terminology website.”
IBM Security Identity Manager library
For a complete listing of the IBM Security Identity Manager and IBM Security
Identity Manager Adapter documentation, see the online library
(http://www-01.ibm.com/support/knowledgecenter/SSRMWJ/welcome).
Online publications
IBM posts product publications when the product is released and when the
publications are updated at the following locations:
IBM Security Identity Manager library
The product documentation site
(http://www-01.ibm.com/support/knowledgecenter/SSRMWJ/welcome) displays
the welcome page and navigation for the library.
IBM Security Systems Documentation Central
IBM Security Systems Documentation Central provides an alphabetical list
of all IBM Security Systems product libraries and links to the online
documentation for specific versions of each product.
IBM Publications Center
The IBM Publications Center site
(http://www-05.ibm.com/e-business/linkweb/publications/servlet/pbi.wss)
offers customized search functions to help you find all the IBM publications you need.
IBM Terminology website
The IBM Terminology website consolidates terminology for product libraries in one
location. You can access the Terminology website at
http://www.ibm.com/software/globalization/terminology.
Accessibility
Accessibility features help users with a physical disability, such as restricted
mobility or limited vision, to use software products successfully. With this product,
you can use assistive technologies to hear and navigate the interface. You can also
use the keyboard instead of the mouse to operate all features of the graphical user
interface.
Technical training
For technical training information, see the following IBM Education website at
http://www.ibm.com/software/tivoli/education.
Support information
IBM Support provides assistance with code-related problems and routine, short
duration installation or usage questions. You can directly access the IBM Software
Support site at http://www.ibm.com/software/support/probsub.html.
Appendix D, “Support information,” on page 53 provides details about:
- What information to collect before contacting IBM Support.
- The various methods for contacting IBM Support.
- How to use IBM Support Assistant.
- Instructions and problem-determination resources to isolate and fix the problem
  yourself.
Note: The Community and Support tab on the product information center can
provide additional support resources.
Statement of Good Security Practices
IT system security involves protecting systems and information through
prevention, detection and response to improper access from within and outside
your enterprise. Improper access can result in information being altered, destroyed,
misappropriated or misused or can result in damage to or misuse of your systems,
including for use in attacks on others. No IT system or product should be
considered completely secure and no single product, service or security measure
can be completely effective in preventing improper use or access. IBM systems,
products and services are designed to be part of a comprehensive security
approach, which will necessarily involve additional operational procedures, and
may require other systems, products or services to be most effective. IBM DOES
NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE
IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE
MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
Chapter 1. Oracle Database Adapter Installation and Configuration Guide
This installation guide provides the basic information that you need to install and
configure the Oracle Database Adapter. The adapter enables connectivity between
the IBM Security Identity Manager server and the managed resource.
Overview of the adapter
The Oracle Database Adapter enables communication between the IBM Security
Identity Manager server and the Oracle Database.
An adapter provides an interface between a managed resource and the IBM
Security Identity Manager server. Adapters might reside on the managed resource.
The IBM Security Identity Manager server manages access to the resource by using
your security system. Adapters function as trusted virtual administrators on the
target platform. They perform tasks, such as creating, suspending, and restoring
user accounts, and other administrative functions that are performed manually. The
adapter runs as a service, independently of whether you are logged on to the IBM
Security Identity Manager server.
Features of the adapter
The adapter automates the user account management tasks.
The adapter automates these user account management tasks:
- Reconciling user accounts and other support data
- Adding user accounts
- Modifying user account attributes
- Modifying user account passwords
- Suspending, restoring, and deleting user accounts
Note: The Oracle Database Adapter does not manage the Oracle System privileges.
The following Oracle System privileges are available on the account form on IBM
Security Identity Manager. However, these privileges are managed only on Trusted
Oracle, the multi-level secure version of Oracle:
- WRITEDOWN DBLOW
- READUP DBHIGH
- WRITEUP DBHIGH
- WRITEDOWN
- READUP
- WRITEUP
Architecture of the adapter
To function correctly, the adapter requires several components.
You must install the following components:
- Dispatcher
- Tivoli Directory Integrator connector
- IBM Security Identity Manager adapter profile
You need to install the Dispatcher and the adapter profile; however, the Tivoli
Directory Integrator connector might already be installed with the base Tivoli
Directory Integrator product.
Figure 1 describes the components that work together to complete the user account
management tasks in a Tivoli Directory Integrator environment.
[Figure 1 diagram labels: IBM Security Identity Manager Server, RMI calls, Dispatcher Service (an instance of the IBM Tivoli Directory Integrator), Adapter, resource]
Figure 1. The architecture of the Oracle Database Adapter
For more information about Tivoli Directory Integrator, see the Quick Start Guide at
IBM Security Identity Manager product documentation.
Supported configurations
There are two ways to configure the Oracle Database Adapter. In a single server
configuration, the adapter is installed on only one server. In a multiple server
configuration, the adapter is installed on several different servers.
The fundamental components in each environment are:
- The IBM Security Identity Manager server
- The IBM Tivoli Directory Integrator server
- The managed resource
- The adapter
The adapter must be installed directly on the server that runs the Tivoli Directory
Integrator server.
Single server configuration
In a single server configuration, install the IBM Security Identity Manager
server, the Tivoli Directory Integrator server, and the Oracle Database
Adapter on one server to establish communication with an Oracle
database. The Oracle database is installed on a different server as described
in Figure 2.
[Figure 2 diagram labels: IBM Security Identity Manager Server, Tivoli Directory Integrator Server, Adapter, Managed resource]
Figure 2. Example of a single server configuration
Multiple server configuration
In a multiple server configuration, the IBM Security Identity Manager server,
the Tivoli Directory Integrator server, the Oracle Database Adapter, and the
Oracle database are installed on different servers. Install the Tivoli
Directory Integrator server and the Oracle Database Adapter on the same
server as described in Figure 3.
[Figure 3 diagram labels: IBM Security Identity Manager server, Tivoli Directory Integrator server, Adapter, Managed resource]
Figure 3. Example of multiple server configuration
Chapter 2. Adapter installation planning
Installing and configuring the adapter involves several steps that you must
complete in the appropriate sequence.
Review the roadmaps before you begin the installation process.
Preinstallation roadmap
Before you install the adapter, you must prepare the environment.
Prepare the environment by performing the tasks that are listed in Table 1.
Table 1. Preinstallation roadmap

| Task | For more information |
|------|----------------------|
| Obtain the installation software. | Download the software from Passport Advantage® website. See “Software download” on page 8. |
| Verify that your environment meets the software and hardware requirements for the adapter. | See “Prerequisites” on page 6. |
| Obtain and install the Dispatcher. | Download the software from Passport Advantage website. See “Software download” on page 8. Follow the installation instructions in the dispatcher download package. |
| Obtain the necessary information for the installation and configuration. | See “Installation worksheet for the adapter” on page 7. |

Installation roadmap
To install the adapter, complete the tasks described in the roadmap.
Table 2. Installation roadmap

| Task | For more information |
|------|----------------------|
| Verify the Dispatcher installation. | See “Dispatcher installation verification” on page 9. |
| Install the adapter. | See “Installing the adapter” on page 9. |
| Import the adapter profile. | See “Importing the adapter profile into the IBM Security Identity Manager server” on page 10. |
| Verify the profile installation. | See “Adapter profile installation verification” on page 11. |
| Create an adapter user account. | See “Adapter user account creation” on page 11. |
| Create a service. | See “Creating an adapter service” on page 13. |
| Configure the adapter. | See “Adapter configuration” on page 17. |

Prerequisites
Verify that your environment meets all the prerequisites before you install the
adapter.
Table 3 identifies the software and operating system prerequisites for the adapter
installation.
Ensure that you install the adapter on the same workstation as the IBM Tivoli
Directory Integrator server.
Table 3. Prerequisites to install the adapter

| Prerequisite | Description |
|--------------|-------------|
| Tivoli Directory Integrator server | Version 7.1 fix pack 5 or later; Version 7.1.1 |
| IBM Security Identity Manager server | Version 6.0 |
| Oracle Database | A system that runs the Oracle database with one of the following versions: Oracle 10gR2 (10.2.0.x); Oracle 11g (11.1.0.x); Oracle 11gR2 (11.2.0.x). Note: The adapter supports the Oracle versions described in the Oracle Lifetime Support document: http://www.oracle.com/us/support/library/lifetime-supporttechnology-069183.pdf. |
| Oracle Thin JDBC Driver | JDBC 10.2.0.1.0 Driver. Note: The driver file names are ojdbc5.jar for Tivoli Directory Integrator 7.0 (JDK version 1.5) and ojdbc6.jar for Tivoli Directory Integrator 7.1 (JDK version 1.6). |
| Oracle JDBC OCI Driver. Note: You need this driver for Oracle Real Application Cluster (RAC) and Oracle Transparent Application Failover (TAF) architectures. | JDBC OCI 10.2.0.x Driver; JDBC OCI 11.2.0.2.0 Driver |
| Network Connectivity | Install the adapter on a workstation that can communicate with the IBM Security Identity Manager service through the TCP/IP network. |
| System Administrator Authority | To complete the adapter installation procedure, you must have system administrator authority. |
| Tivoli Directory Integrator adapters solution directory | A Tivoli Directory Integrator adapters solution directory is a Tivoli Directory Integrator work directory for IBM Security Identity Manager adapters. See the Dispatcher Installation and Configuration Guide. |

Install the Oracle Database Adapter and the appropriate Oracle Thin JDBC drivers
on the same workstation as the Tivoli Directory Integrator.
For information about the prerequisites and supported operating systems for Tivoli
Directory Integrator, see the IBM Tivoli Directory Integrator 7.0: Administrator Guide.
Installation worksheet for the adapter
The installation worksheet identifies the information that you need before
installing the adapter.
Table 4. Required information to install the adapter

Required information: IBM Tivoli Directory Integrator Home Directory
Description: The ITDI_HOME directory contains the jars/connectors subdirectory that
contains adapter jars. For example, the jars/connectors subdirectory contains the jar
for the UNIX adapter.
Value: If Tivoli Directory Integrator is automatically installed with your IBM Security
Identity Manager product, the default directory path for Tivoli Directory Integrator is
as follows:
  Windows:
  - for version 7.0: drive\Program Files\IBM\TDI\V7.0
  - for version 7.1: drive\Program Files\IBM\TDI\V7.1
  UNIX:
  - for version 7.0: /opt/IBM/TDI/V7.0
  - for version 7.1: /opt/IBM/TDI/V7.1

Required information: Adapters solution directory
Description: When you install the dispatcher, the adapter prompts you to specify a file
path for the adapters solution directory. For more information about the solution
directory, see the Dispatcher Installation and Configuration Guide.
Value: The default solution directory is located at:
  Windows:
  - for version 7.0: drive\Program Files\IBM\TDI\V7.0\isimsoln
  - for version 7.1: drive\Program Files\IBM\TDI\V7.1\isimsoln
  UNIX:
  - for version 7.0: /opt/IBM/TDI/V7.0/isimsoln
  - for version 7.1: /opt/IBM/TDI/V7.1/isimsoln

Software download
Download the software through your account at the IBM Passport Advantage
website.
Go to IBM Passport Advantage.
See the IBM Security Identity Manager Download Document for instructions.
Note:
You can also obtain additional adapter information from IBM Support.
Chapter 3. Adapter installation
All the adapters that are based on Tivoli Directory Integrator require the
Dispatcher for the adapters to function correctly.
If the Dispatcher is installed from a previous installation, do not reinstall it unless
there is an upgrade to the Dispatcher. See “Dispatcher installation verification.”
After verifying the Dispatcher installation, you might need to install the Tivoli
Directory Integrator connector. Depending on your adapter, the connector might
already be installed as part of the Tivoli Directory Integrator product and no
further action is required.
Dispatcher installation verification
If this is the first installation of an adapter that is based on the Tivoli Directory
Integrator, you must install the Dispatcher before you install the adapter.
You must install the dispatcher on the same Tivoli Directory Integrator server
where you want to install the adapter.
Obtain the dispatcher installer from the IBM Passport Advantage website,
http://www.ibm.com/software/howtobuy/passportadvantage/pao_customers.htm.
For information about Dispatcher installation, see the Dispatcher Installation and
Configuration Guide.
Installing the adapter
Use these steps to install the adapter.
Before you begin
Ensure that you do the following tasks:
- Verify that your site meets all the prerequisite requirements. See “Prerequisites”
  on page 6.
- Obtain a copy of the installation software. See “Software download” on page 8.
- Obtain system administrator authority. See “Prerequisites” on page 6.
About this task
The adapter uses the IBM Tivoli Directory Integrator JDBC connector. This
connector is available with the base Tivoli Directory Integrator product. Because
the Tivoli Directory Integrator JDBC connector is already installed, you need to
install only the Dispatcher. See “Dispatcher installation verification.”
To install the Dispatcher, see the IBM Security Dispatcher Installation and
Configuration Guide.
What to do next
After you finish the adapter installation, do the following tasks:
1. Import the adapter profile. See “Importing the adapter profile into the IBM
Security Identity Manager server.”
2. Set up the stored procedures for the SQL scripts to acquire a lock before you
update the account's default consumer group attribute. Release the lock after
the update.
a. Extract the package and locate the oracledbsql folder inside the package.
b. Copy the oracledbsql folder into the IBM Security Identity Manager solution
directory. For example, C:\TDI_HOME\timsol\.
c. Import the latest adapter profile and restart the dispatcher.
3. Create a user account for the adapter on IBM Security Identity Manager. See
“Adapter user account creation” on page 11.
Start, stop, and restart the Oracle Database Adapter service
To start, stop, or restart the adapter, you must start, stop, or restart the Dispatcher.
The adapter does not exist as an independent service or a process. The adapter is
added to the Dispatcher instance, which runs all the adapters that are installed on
the same Tivoli Directory Integrator instance.
See the topic about starting, stopping, and restarting the dispatcher service in the
Dispatcher Installation and Configuration Guide.
Importing the adapter profile into the IBM Security Identity Manager server
Use this task to create a service on the IBM Security Identity Manager server and
establish communication with the adapter.
Before you begin
Before you can create an adapter service, the IBM Security Identity Manager server
must have an adapter profile to recognize the adapter. The files that are packaged
with the adapter include the adapter profile JAR file. You can import the adapter
profile as a service profile on the server with the Import feature of IBM Security
Identity Manager.
The JAR file includes all the files that are required to define the adapter schema,
account form, service form, and profile properties. You can extract the files from
the JAR file to modify the necessary files and package the JAR file with the
updated files.
Before you begin to import the adapter profile, verify that the following conditions
are met:
- The IBM Security Identity Manager server is installed and running.
- You have root or Administrator authority on IBM Security Identity Manager.
About this task
An adapter profile defines the types of resources that the IBM Security Identity
Manager server can manage. Use the profile to create an adapter service on IBM
Security Identity Manager server and establish communication with the adapter.
To import the adapter profile, perform the following steps:
Procedure
1. Log on to the IBM Security Identity Manager server by using an account that
has the authority to perform administrative tasks.
2. In the My Work pane, expand Configure System and click Manage Service
Types.
3. On the Manage Service Types page, click Import to display the Import Service
Types page.
4. Specify the location of the JAR file in the Service Definition File field by
performing one of the following tasks:
- Type the complete location of where the file is stored.
- Use Browse to navigate to the file.
5. Click OK.
Note: If you import the adapter profile and receive an error that is related to
the schema, see the trace.log file for information about the error. The
trace.log file location is specified by using the handler.file.fileDir property
that is defined in the IBM Security Identity Manager enRoleLogging.properties
file. The enRoleLogging.properties file is installed in the ISIM_HOME\data
directory.
6. Restart IBM Security Identity Manager for the change to take effect.
Adapter profile installation verification
After you install the adapter profile, verify that the installation was successful.
An unsuccessful installation:
- Might cause the adapter to function incorrectly.
- Prevents you from creating a service with the adapter profile.
To verify that the adapter profile is successfully installed, create a service with the
adapter profile. For more information about creating a service, see “Creating an
adapter service” on page 13.
If you are unable to create a service with the adapter profile or open an account on
the service, the adapter profile is not installed correctly. You must import the
adapter profile again.
Adapter user account creation
You must create a user account for the adapter on the managed resource. Provide
the account information when you create a service for the adapter on IBM Security
Identity Manager.
For more information about creating a service, see “Creating an adapter service”
on page 13.
The accounts must be able to remotely connect to the Oracle Database server and
must have sufficient privileges to administer the Oracle Database users. Table 5 on
page 12 lists the required privileges that the user account must have to administer
the Oracle Database users.
Table 5. Required privileges and their descriptions

Privilege: CREATE USER
Description: To create an Oracle database user.

Privilege: GRANT ANY ROLE
Description: To grant or remove roles to the Oracle database user.

Privilege: SELECT ANY TABLE
Description: To perform the reconciliation operation and retrieve the following
information from the Oracle database:
- List of Users and its attributes
- List of Tables
- List of Roles
- List of Privileges
- List of Consumer groups
- Oracle version

Privilege: GRANT ANY PRIVILEGE
Description: To grant or remove privileges to the Oracle database user.

Privilege: SELECT ANY DICTIONARY
Description: The SELECT ANY DICTIONARY privilege replaces the default setting of the
O7_DICTIONARY_ACCESSIBILITY initialization parameter. The default value of the
parameter is FALSE.
Using this system privilege, users can access all the objects in the SYS schema,
including tables that are created in that schema.
You must grant the required privileges to the individual users based on the
requirements. The SELECT ANY DICTIONARY privilege is not included in the GRANT ALL
PRIVILEGES privilege. You can also grant the SELECT ANY DICTIONARY privilege through a
role.
You might use the following scenarios, depending on your requirements:
- If the O7_DICTIONARY_ACCESSIBILITY=TRUE, then the SELECT ANY TABLE privilege
  provides access to all SYS and non-SYS objects.
- If the O7_DICTIONARY_ACCESSIBILITY=FALSE, then the SELECT ANY TABLE privilege
  provides access only to non-SYS objects.
- If the SELECT_CATALOG_ROLE privilege is enabled, then the SELECT_CATALOG_ROLE
  privilege provides access to all SYS views only.
- If only the SELECT ANY DICTIONARY privilege is enabled, then the SELECT ANY
  DICTIONARY privilege provides access to SYS schema objects only.
- If both SELECT ANY TABLE and SELECT ANY DICTIONARY privileges are enabled, then the
  SELECT ANY TABLE and SELECT ANY DICTIONARY privileges provide access to all SYS and
  non-SYS objects.
- The SELECT ANY DICTIONARY and SELECT_CATALOG_ROLE privileges do not affect the
  O7_DICTIONARY_ACCESSIBILITY settings.

By default, a user is granted access on objects within the schema of the user. The
ANY keyword grants access to users on all objects of that type in all schemas. For
example:
- To grant a system privilege, you must either have system privileges that are
  granted with ADMIN OPTION or GRANT ANY PRIVILEGE.
- To grant an object privilege, one of the following conditions must be met:
  - You must be an object owner.
  - The object owner must grant you the object privileges with the GRANT
    OPTION.
  - The object owner must grant you the GRANT ANY OBJECT PRIVILEGE
    system privilege.
If you do not use the ANY keyword, you must either grant privileges, roles, tables,
and so on, to a user account or the user account must be an object owner. When a
new privilege, role, or a table is added in the schema, you must update the
permissions for the user account.
To reduce security risks, do not use the ANY keyword to grant privileges to user
accounts.
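The adapter account described in this section could be provisioned and then reviewed as follows. This is an added example, not SQL from the IBM guide: the account name ISIM_ADAPTER, the placeholder password, and the CREATE SESSION grant are assumptions.

```sql
-- Added example, not part of the IBM guide. Run as a DBA on the managed
-- Oracle database. ISIM_ADAPTER is a hypothetical account name and the
-- password is a placeholder that must be replaced.

-- 1. Create the dedicated account that the adapter service logs in with.
CREATE USER isim_adapter IDENTIFIED BY "REPLACE_WITH_GENERATED_SECRET";

-- Assumption: CREATE SESSION is not listed in Table 5, but it is the Oracle
-- privilege that permits the remote connection the guide requires.
GRANT CREATE SESSION TO isim_adapter;

-- 2. The privileges listed in Table 5, granted without ADMIN OPTION so the
--    adapter account cannot pass them on to other grantees.
GRANT CREATE USER           TO isim_adapter;
GRANT GRANT ANY ROLE        TO isim_adapter;
GRANT GRANT ANY PRIVILEGE   TO isim_adapter;
GRANT SELECT ANY TABLE      TO isim_adapter;
GRANT SELECT ANY DICTIONARY TO isim_adapter;

-- 3. Check O7_DICTIONARY_ACCESSIBILITY. With FALSE (the default), SELECT ANY
--    TABLE alone does not reach SYS objects, which is why Table 5 also lists
--    SELECT ANY DICTIONARY.
SELECT name, value
FROM   v$parameter
WHERE  UPPER(name) = 'O7_DICTIONARY_ACCESSIBILITY';

-- 4. Review: system privileges held directly by the adapter account.
--    ADMIN_OPTION should read NO on every row.
SELECT grantee, privilege, admin_option
FROM   dba_sys_privs
WHERE  grantee = 'ISIM_ADAPTER'
ORDER  BY privilege;

-- 5. Review: ANY privileges that reach the account through roles, including
--    roles granted to roles. Each row is a grant to justify or revoke,
--    in line with the guidance above on the ANY keyword.
SELECT DISTINCT sp.grantee AS via_role, sp.privilege
FROM   dba_sys_privs sp
WHERE  sp.privilege LIKE '% ANY %'
AND    sp.grantee IN (
         SELECT granted_role
         FROM   dba_role_privs
         START  WITH grantee = 'ISIM_ADAPTER'
         CONNECT BY PRIOR granted_role = grantee
       )
ORDER  BY via_role, sp.privilege;
```

Re-run the two review queries after every profile or role change so that privilege growth on the adapter account is noticed.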
Creating an adapter service
After the adapter profile is imported on IBM Security Identity Manager, you must
create a service so that IBM Security Identity Manager can communicate with the
adapter.
About this task
To create or change a service, you must use the service form to provide
information for the service. Service forms might vary depending on the adapter.
Note: If the following fields on the service form are changed for an existing
service, the IBM Security Identity Manager adapter service on the Tivoli Directory
Integrator server must be restarted.
- Service Name
- Password
- Convert Username to Uppercase
- AL FileSystem Path
- Max Connection Count
Procedure
1. Log on to the IBM Security Identity Manager server with an account that has
the authority to perform administrative tasks.
2. In the My Work pane, click Manage Services and click Create.
3. On the Select the Type of Service page, select Oracle Adapter Service Profile.
4. Click Next to display the adapter service form.
5. Complete the following fields on the service form:
On the Oracle Connection tab:
Service name
Specify a name that defines the adapter service on the IBM
Security Identity Manager server.
Note: Do not use forward (/) or backward slashes (\) in the
service name.
Description
Optional: Specify a description that identifies the service for
your environment.
Tivoli Directory Integrator location
Specify the URL for the IBM Tivoli Directory Integrator
instance. The valid syntax for the URL is:
rmi://ip-address:port/ITDIDispatcher
where:
ip-address
The Tivoli Directory Integrator host.
port
The port number for the Dispatcher.
The default URL is
rmi://localhost:1099/ITDIDispatcher
For information about changing the port number, see IBM
Security Dispatcher Installation and Configuration Guide.
Oracle Service Name
Specify the service name of the Oracle instance to which the
adapter must connect.
Is SID
By default, this option is not selected. Select this check box if
the Oracle Database service name provided is an SID instead of
a service name. This option affects the connection to the
database. If this option is selected while the database is using a
service name, then the test connection fails.
Oracle Service Host
Specify the host workstation on which the Oracle instance is
running.
Oracle Service Port
Specify the TCP or TCPS port on which the Oracle service is
listening. For example:
v TCP: 1521
v TCPS: 2484
Use SSL communication with Oracle
Optional: Select this check box to enable SSL communication
between the Oracle adapter and the Oracle database. When
selected, specify the TCPS port in Oracle Service Port.
Oracle Service Alias
Specify the net service alias that is listed in the tnsnames.ora
file that defines the connection to the Oracle instance. (Required
when the OCI communication check box is selected.)
Use OCI communication with Oracle
Optional: Select this check box to enable OCI communication
between the Oracle adapter and the Oracle database.
Oracle Administrator Name
Specify the name of the user who has access to the Oracle
resource and can do administrative operations.
Oracle Administrator Password
Specify the password for the user.
Oracle Server Distinguished Name
Optional: Specify the distinguished name. For example,
CN=client, C=US. This name is verified against the Oracle
database server certificate.
Owner
Optional: Specify an IBM Security Identity Manager user as a
service owner.
Service Prerequisite
Specify an IBM Security Identity Manager service that is
prerequisite to this service.
Convert Username to Uppercase
Optional: Select this check box to retain the case of the user
name. By default, the adapter converts the case of the user
name to uppercase.
On the Dispatcher Attributes tab:
Disable AL Caching
Select the check box to disable the assembly line caching in the
dispatcher for the service. The assembly lines for the add,
modify, delete, and test operations are not cached.
AL FileSystem Path
Specify the file path from where the dispatcher loads the
assembly lines. If you do not specify a file path, the dispatcher
loads the assembly lines received from IBM Security Identity
Manager. For example, you can specify the following file path
to load the assembly lines from the profiles directory of the
Windows operating system: c:\Files\IBM\TDI\V7.0\profiles
or you can specify the following file path to load the assembly
lines from the profiles directory of the UNIX and Linux
operating system: /opt/IBM/TDI/V7.0/profiles.
Max Connection Count
Specify the maximum number of assembly lines that the
dispatcher can run simultaneously for the service. For example,
enter 10 when you want the dispatcher to run a maximum of
10 assembly lines simultaneously for the service. If you enter 0
in the Max Connection Count field, the dispatcher does not
limit the number of assembly lines that are run simultaneously
for the service.
On the Status and information tab
This page contains read only information about the adapter and
managed resource. These fields are examples. The actual fields vary
depending on the type of adapter and how the service form is
configured. The adapter must be running to obtain the information.
Click Test Connection to populate the fields.
Last status update: Date
Specifies the most recent date when the Status and information
tab was updated.
Last status update: Time
Specifies the most recent time of the date when the Status and
information tab was updated.
Managed resource status
Specifies the status of the managed resource that the adapter is
connected to.
Adapter version
Specifies the version of the adapter that the IBM Security
Identity Manager service uses to provision requests to the
managed resource.
Profile version
Specifies the version of the profile that is installed in the IBM
Security Identity Manager server.
TDI version
Specifies the version of the Tivoli Directory Integrator on which
the adapter is deployed.
Dispatcher version
Specifies the version of the Dispatcher.
Installation platform
Specifies summary information about the operating system
where the adapter is installed.
Adapter account
Specifies the account that is running the adapter binary file.
Adapter up time: Date
Specifies the date when the adapter started.
Adapter up time: Time
Specifies the time of the date when the adapter started.
Adapter memory usage
Specifies the memory usage for running the adapter.
If the connection fails, follow the instructions in the error message. Also:
v Verify the adapter log to ensure that the IBM Security Identity
Manager test request was successfully sent to the adapter.
v Verify the adapter configuration information.
v Verify IBM Security Identity Manager service parameters for the
adapter profile. For example, verify the workstation name or the IP
address of the managed resource and the port.
6. Click Finish.
Chapter 4. First steps after installation
After you install the adapter, you must do several other tasks. The tasks include
configuring the adapter, setting up SSL, installing the language pack, and verifying
that the adapter works correctly.
Adapter configuration
You can use the configuration options for the Oracle Database Adapter.
v “Customizing the adapter profile”
v “Editing adapter profiles on the UNIX or Linux operating system” on page 18
v “Configuring OCI for Transparent Application Failover” on page 20
v “SSL configuration” on page 26
See the IBM Security Dispatcher Installation and Configuration Guide for additional
configuration options such as:
v JVM properties
v Dispatcher filtering
v Dispatcher properties
v Dispatcher port number
v Logging configurations
v Secure Sockets Layer (SSL) communication
Customizing the adapter profile
To customize the adapter profile, you must modify the Oracle Database Adapter
JAR file. You might customize the adapter profile to change the account form or
the service form.
About this task
You can also use the Form Designer or the CustomLabels.properties file to change
the labels on the forms. Each adapter has a CustomLabels.properties file for that
adapter.
The JAR file is included in the Oracle Database Adapter compressed file that you
downloaded from the IBM website. The JAR file and the files that are contained in
the JAR file vary depending on your operating system.
Note: You cannot modify the schema for this adapter. You cannot add or delete
attributes from the schema.
The adapter JAR file includes the following files:
v CustomLabels.properties
v erOracleAccount.xml
v erOracleRMIService.xml
v OracleAdapter.xml
v service.def
v schema.dsml
To edit the JAR file, perform these steps:
1. Log on to the workstation where the Oracle Database Adapter is installed.
2. On the Start menu, click Programs → Accessories → Command Prompt.
3. Copy the JAR file into a temporary directory.
4. Extract the contents of the JAR file into the temporary directory by running the
following command. The following example applies to the Oracle Database
Adapter profile. Type the name of the JAR file for your operating system.
cd c:\temp
jar -xvf OracleAdapterProfile.jar
The jar command extracts the files into the directory.
5. Edit the file that you want to change.
After you edit the file, you must import the file into the IBM Security Identity
Manager server for the changes to take effect.
To import the file, perform these steps:
1. Create a JAR file by using the files in the \temp directory. Run the following
commands:
cd c:\temp
jar -cvf OracleAdapterProfile.jar OracleAdapterProfile
2. Import the JAR file into the IBM Security Identity Manager application server.
For more information about importing the JAR file, see “Importing the adapter
profile into the IBM Security Identity Manager server” on page 10.
3. Stop and start the IBM Security Identity Manager server.
4. Stop and start the Oracle Database Adapter service. See “Start, stop, and restart
the Oracle Database Adapter service” on page 10 for information about
stopping and starting the adapter service.
Editing adapter profiles on the UNIX or Linux operating system
The adapter profile .jar file might contain ASCII files that are created by using the
MS-DOS ASCII format.
About this task
If you edit an MS-DOS ASCII file on the UNIX operating system, you might see a
character ^M at the end of each line. These characters indicate new lines of text in
MS-DOS. The characters can interfere with the running of the file on UNIX or
Linux systems. You can use tools, such as dos2unix, to remove the ^M characters.
You can also use text editors, such as the vi editor, to remove the characters
manually.
Example
You can use the vi editor to remove the ^M characters. From the vi command
mode, run the following command and press Enter:
:%s/^M//g
When you use this command, enter ^M or Ctrl-M by pressing ^v^M or Ctrl V Ctrl
M sequentially. The ^v instructs the vi editor to use the next keystroke instead of
issuing it as a command.
Configuration properties of the Dispatcher
The solution.properties file and the itim_listener.properties file contain the
configuration properties for the Dispatcher.
To configure the dispatcher properties, follow the configuration instructions
included in the dispatcher download package.
Table space quota file creation
The adapter enables allocating quota size on the table spaces when you provision
user accounts. These quota size values can be customized by creating a text file
named ITDI_Oracle_Adapter_TableSpace_Quota.txt in the IBM Tivoli Directory
Integrator adapters solution directory.
The adapter uses a text file named ITDI_Oracle_Adapter_TableSpace_Quota.txt for
deciding the quota that can be allocated to each table space for a user. The file
contains a list of quota values under the column name quota_size. See the following
example.
Note: Use the following conventions for specifying the quota sizes:
K
Kilobytes
M
Megabytes
G
Gigabytes
UNLIMITED
Unlimited quota
The following example shows the content for the
ITDI_Oracle_Adapter_TableSpace_Quota.txt file. In this sample
ITDI_Oracle_Adapter_TableSpace_Quota.txt file, the Oracle user account has four
options for quota sizes on each table space.
quota_size
128K
200K
1M
1G
If the adapter cannot locate the ITDI_Oracle_Adapter_TableSpace_Quota.txt file in
Tivoli Directory Integrator adapters solution directory, it uses these default values
for quota size:
128K
256K
512K
1M
2M
4M
8M
16M
23M
64M
UNLIMITED
Enabling auditing on an Oracle resource
You must enable auditing on the database so that the Oracle Database Adapter can
retrieve the last access date of the user account.
About this task
To enable auditing, do the following steps.
Procedure
1. Set the initialization parameter audit_trail to TRUE in the init.ora file.
Alternately, you can issue the following command at the SQL command-line
prompt:
ALTER SYSTEM SET audit_trail=TRUE scope=SPFILE
2. Restart the database instance.
3. To turn on the auditing for user logon and logoff, log on as a user with Oracle
administration authority. Issue the following command at the SQL
command-line prompt:
AUDIT CONNECT
What to do next
To verify that auditing is enabled on an instance, issue the following command at
the SQL command-line prompt:
SHOW PARAMETER AUDIT_TRAIL
The parameter AUDIT_TRAIL and its value are displayed. Any value except NONE or
FALSE indicates that auditing is enabled. For more information about the
parameters, see the Oracle online help.
Note: If the auditing is not enabled, then the Oracle Database Adapter cannot
retrieve information about when the user last accessed the account. All the other
attributes except the Last Access Date attribute are then retrieved during
reconciliation. No other operations are affected by disabling auditing of the Oracle
database.
Configuring OCI for Transparent Application Failover
Transparent Application Failover (TAF) is a feature of the Java™ Database
Connectivity (JDBC) Oracle Call Interface (OCI) driver. If you configure the
adapter to use TAF, then the adapter can automatically reconnect to a secondary
database instance if the original database connection fails.
About this task
During the reconnect process, the active transactions roll back.
To configure the Oracle adapter to use OCI, you must perform the following
high-level steps in this sequence.
1. Install the JDBC OCI driver. For detailed instructions, see “Installing the JDBC
OCI driver” on page 21.
2. Configure the OCI connection between the Oracle Database Adapter and the
Oracle database. For detailed instructions, see “Configuring the OCI
connection” on page 21.
3. Configure the Oracle adapter service form. For detailed instructions, see
“Modifying the Oracle Database Adapter service form for OCI” on page 25.
Procedure
1. Install the JDBC OCI driver. For detailed instructions, see “Installing the JDBC
OCI driver” on page 21.
2. Configure the OCI connection between the Oracle Database Adapter and the
Oracle database. For detailed instructions, see “Configuring the OCI
connection.”
3. Configure the Oracle adapter service form. For detailed instructions, see
“Modifying the Oracle Database Adapter service form for OCI” on page 25.
Installing the JDBC OCI driver
Transparent Application Failover (TAF) is a feature of the Java Database
Connectivity (JDBC) Oracle Call Interface (OCI) driver. You must install the Oracle
Database Client software on the IBM Tivoli Directory Integrator target.
Procedure
1. Obtain the Oracle Database Client software from the Downloads page on the
Oracle Technology Network website. For example, you can download the
win32_11gR2_client.zip file for the Oracle Database 11g Release 2 Client
(11.2.0.1.0) for Microsoft Windows (32-bit) software.
2. Install the client software.
When you install the client software, select the installation type that installs
tools for developing applications, networking services, and basic client
software. For example, if you are using the Oracle Database 11gR2 Client, select
the Runtime installation type.
Alternatively, you can select the installation type that installs the instant client
software. For example, if you are using the Oracle Database 11gR2 Client, select
the InstantClient installation type. The instant client installation requires less
disk space than the runtime installation.
Note: Use the Oracle Support website to determine the Oracle client and server
versions that you require. For example, to use the OCI JDBC driver for SSL
communication from an 11gR2 client to a 10gR2 server requires the following
minimum versions:
v Oracle Client 11gR2 (11.2.0.2.0 or higher) to connect to Oracle Server 10gR2
(10.2.0.2.0 or higher).
Configuring the OCI connection
You can enable OCI communication between the Oracle Database Adapter and the
Oracle database. You must configure Oracle Net Services (ONS) on the Tivoli
Directory Integrator where the Oracle Client software is installed.
About this task
To configure Oracle Net Services, you must complete the following high-level
tasks.
Procedure
1. Configure the Oracle Net Services. For detailed instructions, see “Configuring
Oracle Net Services.”
2. Configure the Oracle Database Adapter. For detailed instructions, see
“Configuring the Oracle adapter” on page 23.
Configuring Oracle Net Services:
For Transparent Application Failover, you must configure Oracle Net Services by
editing the tnsnames.ora and sqlnet.ora files on the Oracle database server.
Procedure
1. Locate the tnsnames.ora and sqlnet.ora files in the network\admin directory of
the Oracle home directory.
Note: These files do not exist in an Instant Client installation. In this case, you
must create the files. These files must be in the same directory as one another.
For example, you might choose to save these files in the Instant Client
directory.
2. Open the files in a text editor.
Note: To configure Transparent Application Failover, you must use a text editor
rather than Oracle Net Manager to edit these files.
3. Configure the files for your environment.
Example
The information in the following files is an example of how you can configure
Transparent Application Failover:
sqlnet.ora:
SQLNET.AUTHENTICATION_SERVICES= (NONE)
NAMES.DIRECTORY_PATH= (TNSNAMES)
tnsnames.ora:
PRODONE =
  (DESCRIPTION_LIST =
    (FAILOVER = true)
    (LOAD_BALANCE = false)
    (DESCRIPTION =
      (ADDRESS_LIST =
        (ADDRESS = (PROTOCOL = TCP)(HOST = YourFirstHost)(PORT = 1521))
      )
      (CONNECT_DATA =
        (SERVER = dedicated)
        (FAILOVER_MODE =
          (BACKUP = PRODTWO)
          (TYPE = select)
          (METHOD = basic)
          (RETRIES = 20)
          (DELAY = 3)
        )
        (SERVICE_NAME = ORCL)
      )
    )
    (DESCRIPTION =
      (ADDRESS_LIST =
        (ADDRESS = (PROTOCOL = TCP)(HOST = YourSecondHost)(PORT = 1521))
      )
      (CONNECT_DATA =
        (SERVICE_NAME = ORCL)
      )
    )
  )
PRODTWO =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS_LIST =
        (ADDRESS = (PROTOCOL = TCP)(HOST = YourSecondHost)(PORT = 1521))
      )
      (CONNECT_DATA =
        (SERVICE_NAME = ORCL)
      )
    )
  )
Note:
v When you use Transparent Application Failover, if the connected instance fails
or is shut down, the adapter can automatically reconnect to a database.
Transparent Application Failover enables the application to transparently
reconnect to a specified secondary instance. This reconnection process creates a
new connection that is identical to the original connection.
v In the tnsnames.ora file, PRODONE is the example net service alias that defines
both Transparent Application Failover and Connect Time Failover (CTF). The
first description in the DESCRIPTION_LIST defines Transparent Application
Failover. The second description in the DESCRIPTION_LIST defines Connect Time
Failover.
v The Transparent Application Failover description indicates that if an established
connection to YourFirstHost fails, then the connection fails over to
YourSecondHost via the PRODTWO net service alias. The Connect Time Failover
description indicates that if YourFirstHost is down before the initial connection,
then the connection fails over to YourSecondHost.
v The select type is a feature of Transparent Application Failover. Use select to
indicate that if the first connection fails while it is processing a SELECT
statement, then the statement runs again when a new connection is established.
The cursor moves to the correct position so the client can continue fetching rows
without interruption.
Configuring the Oracle adapter:
You must configure Tivoli Directory Integrator to locate the JDBC OCI driver and
Oracle Net Services.
About this task
To use OCI communication, the adapter must have access to the JDBC OCI driver
and the Oracle Net Services files, tnsnames.ora and sqlnet.ora.
Note: To locate the JDBC OCI driver, you must amend the path variable to include
the ORACLE_HOME/bin directory or the Instant Client directory. Depending on the
Tivoli Directory Integrator service, you must configure the path variable slightly
differently, as described in the following steps.
Procedure
1. Determine which Tivoli Directory Integrator service is used on your server.
There are two Tivoli Directory Integrator services that can exist or coexist on
your Tivoli Directory Integrator target.
v The "IBM Security Identity Manager adapter", which is called
ITDIAsService.exe.
v The "IBM Tivoli Directory Integrator" service, which is called
ibmdiservice.exe.
2. For the ITDIAsService service, edit the ImagePath registry variable in the
following location: HKLM\SYSTEM\ControlSet001\Service\IBM Security Identity
Manager Adapter.
Note: The value of ImagePath is an expandable String Value of
REG_EXPAND_SZ Type.
v For a Database Client installation, edit the ImagePath variable to include
%ORACLE_HOME%\bin as follows:
"C:\Program Files\IBM\TDI\V7.1\timsol\ITDIAsService.exe" ... -Djava.library.path="C:\Program Files\IBM\TDI\V7.1\libs;%ORACLE_HOME%\bin;%PATH%" ...
Note: Use %ORACLE_HOME% in the ImagePath variable only when
ORACLE_HOME is defined as a System variable on Windows. Otherwise,
you must explicitly include the Oracle home bin directory as follows:
"C:\Program Files\IBM\TDI\V7.1\timsol\ITDIAsService.exe" ... -Djava.library.path="C:\Program Files\IBM\TDI\V7.1\libs;C:\app\administrator\product\11.2.0\client_1\bin;%PATH%" ...
v For an Instant Client installation, edit the ImagePath variable to include the
directory of the Instant Client files as follows:
"C:\Program Files\IBM\TDI\V7.1\timsol\ITDIAsService.exe" ... -Djava.library.path="C:\Program Files\IBM\TDI\V7.1\libs;C:\app\administrator\product\11.2.0\client_1;%PATH%" ...
3. For the ibmdiservice service, edit the path variable in the ibmdiservice.props
properties file.
This properties file is in the following directory:
C:\Program Files\IBM\TDI\V7.1\timsol
v For a Database Client installation, edit the path variable to include the Oracle
home bin directory as follows:
path=C:\Program Files\IBM\TDI\V7.1\jvm\jre\bin;C:\Program Files\IBM\TDI\V7.1\libs;C:\app\administrator\product\11.2.0\client_1\bin;
v For an Instant Client installation, set the path variable to the Oracle home
directory as follows:
path=C:\Program Files\IBM\TDI\V7.1\jvm\jre\bin;C:\Program Files\IBM\TDI\V7.1\libs;C:\app\administrator\product\11.2.0\client_1;
4. For both services, you must configure Tivoli Directory Integrator to locate the
Oracle Net Services files as follows:
v For a Database Client installation, define the ORACLE_HOME environment
variable in the Windows registry so that Tivoli Directory Integrator can locate
the Oracle Net Services files.
Note: Alternatively, you can define the ORACLE_HOME as a System
variable in Windows.
An example ORACLE_HOME environment value is:
ORACLE_HOME=C:\app\administrator\product\11.2.0\client_1
v For an Instant Client installation, you must define the TNS_ADMIN
environment variable, which is an Oracle Client variable, to point to the
location (directory) of the ONS configuration files.
An example TNS_ADMIN environment value is:
TNS_ADMIN=C:\app\administrator\product\11.2.0\client_1
Note: If you define ORACLE_HOME, the JDBC OCI driver locates the Oracle
Net Services files in the network\admin directory of the Oracle home directory.
If you define TNS_ADMIN, the JDBC OCI driver locates the Oracle Net
Services files in the specified directory.
Modifying the Oracle Database Adapter service form for OCI
To configure OCI communication between the Oracle adapter and the Oracle
database, you must modify the Oracle adapter service form.
Procedure
1. Select the Use OCI communication with Oracle check box.
If the Use OCI communication with Oracle check box is selected, the adapter
uses the JDBC OCI driver to communicate with the Oracle database server.
When this check box is not selected, the adapter uses the JDBC Thin driver to
communicate with the Oracle database server.
2. Enter a value for the Oracle Service Alias field that corresponds to the net
service alias listed in the tnsnames.ora file.
The net service alias name is on the left side of the equals (=) sign in the
tnsnames.ora file. The example tnsnames.ora file in “Configuring Oracle Net
Services” on page 21 uses PRODONE as the net service name for TAF. For this
example configuration, enter PRODONE in the Oracle Service Alias field.
What to do next
If you are using the JDBC OCI driver, and you want to use SSL communication,
then you must complete further configuration. The Use SSL communication with
Oracle check box is only for the JDBC Thin driver. To enable SSL communication
between the Oracle adapter and the Oracle database for the JDBC OCI driver, you
must include SSL information in the Oracle Net Services files.
The information in the following files serves as an example of how you can
configure Transparent Application Failover with SSL:
sqlnet.ora:
SQLNET.AUTHENTICATION_SERVICES= (TCPS)
NAMES.DIRECTORY_PATH= (TNSNAMES)
SSL_VERSION = 3.0
SSL_CLIENT_AUTHENTICATION = FALSE
SSL_SERVER_DN_MATCH = YES
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = C:\temp\client)
    )
  )
tnsnames.ora:
PRODONESSL =
  (DESCRIPTION_LIST =
    (FAILOVER = true)
    (LOAD_BALANCE = false)
    (DESCRIPTION =
      (ADDRESS_LIST =
        (ADDRESS = (PROTOCOL = TCPS)(HOST = YourFirstHost)(PORT = 2484))
      )
      (CONNECT_DATA =
        (SERVER = dedicated)
        (FAILOVER_MODE =
          (BACKUP = PRODTWOSSL)
          (TYPE = select)
          (METHOD = basic)
          (RETRIES = 20)
          (DELAY = 3)
        )
        (SERVICE_NAME = ORCL)
      )
      (SECURITY =
        (SSL_SERVER_CERT_DN = "CN=client, C=US")
      )
    )
    (DESCRIPTION =
      (ADDRESS_LIST =
        (ADDRESS = (PROTOCOL = TCPS)(HOST = YourSecondHost)(PORT = 2484))
      )
      (CONNECT_DATA =
        (SERVICE_NAME = ORCL)
      )
      (SECURITY =
        (SSL_SERVER_CERT_DN = "CN=client, C=US")
      )
    )
  )
PRODTWOSSL =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS_LIST =
        (ADDRESS = (PROTOCOL = TCPS)(HOST = YourSecondHost)(PORT = 2484))
      )
      (CONNECT_DATA =
        (SERVICE_NAME = ORCL)
      )
      (SECURITY =
        (SSL_SERVER_CERT_DN = "CN=client, C=US")
      )
    )
  )
For more information about configuring SSL for the JDBC OCI driver, see the
"Stores for Client Authentication" subsection of “Configuring the SSL connection”
on page 28.
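The two tnsnames.ora examples above depend on every BACKUP alias being defined and, in the SSL variant, on each description carrying its own SECURITY section. The following Python check is an added example, not part of the IBM guide or the adapter: the function names and finding labels are hypothetical, and the sample entry is a constructed, abridged variant of PRODONESSL with two deliberate faults.

```python
import re

# Constructed, abridged sample modelled on the guide's PRODONESSL example, with two
# deliberate faults: one description has no SECURITY section, and the backup is plain TCP.
SAMPLE_TNSNAMES = """
PRODONESSL =
  (DESCRIPTION_LIST = (FAILOVER = true)(LOAD_BALANCE = false)
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCPS)(HOST = YourFirstHost)(PORT = 2484))
      (CONNECT_DATA = (SERVER = dedicated)(SERVICE_NAME = ORCL)
        (FAILOVER_MODE = (BACKUP = PRODTWOSSL)(TYPE = select)(METHOD = basic)))
      (SECURITY = (SSL_SERVER_CERT_DN = "CN=client, C=US")))
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCPS)(HOST = YourSecondHost)(PORT = 2484))
      (CONNECT_DATA = (SERVICE_NAME = ORCL))))
PRODTWOSSL =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = YourSecondHost)(PORT = 1521))
    (CONNECT_DATA = (SERVICE_NAME = ORCL)))
"""

TOKEN = re.compile(r'\s*(?:([()=])|("[^"]*"|[^\s()="]+))')

def tokenize(text):
    """Split tnsnames.ora text into '(', ')', '=', quoted strings and bare words."""
    lines = [ln for ln in text.splitlines() if not ln.lstrip().startswith("#")]
    body, tokens, pos = "\n".join(lines).strip(), [], 0
    while pos < len(body):
        match = TOKEN.match(body, pos)
        if match is None:
            raise ValueError(f"unparseable text at offset {pos}")
        tokens.append(match.group(1) or match.group(2))
        pos = match.end()
    return tokens

def parse_value(tokens, i):
    """Parse one '(KEY = ...)' group at tokens[i]; return ((key, value), next index)."""
    if tokens[i] != "(" or tokens[i + 2] != "=":
        raise ValueError(f"expected '(KEY =' at token {i}")
    key, i = tokens[i + 1].upper(), i + 3
    if tokens[i] == "(":                      # nested groups
        value = []
        while tokens[i] == "(":
            child, i = parse_value(tokens, i)
            value.append(child)
    else:                                     # scalar value up to the closing ')'
        words = []
        while tokens[i] != ")":
            words.append(tokens[i].strip('"'))
            i += 1
        value = " ".join(words)
    if tokens[i] != ")":
        raise ValueError(f"expected ')' at token {i}")
    return (key, value), i + 1

def parse_tnsnames(text):
    """Return {ALIAS: parsed descriptor tree} for every net service alias."""
    tokens, entries, i = tokenize(text), {}, 0
    while i < len(tokens):
        if i + 1 >= len(tokens) or tokens[i + 1] != "=":
            raise ValueError(f"expected 'alias =' at token {i}")
        alias = tokens[i].upper()
        entries[alias], i = parse_value(tokens, i + 2)
    return entries

def find_all(node, key):
    """Yield every (key, value) group named `key` at or below `node`."""
    name, value = node
    if name == key:
        yield node
    if isinstance(value, list):
        for child in value:
            yield from find_all(child, key)

def protocols(node):
    return {value.upper() for _, value in find_all(node, "PROTOCOL")}

def check_failover(entries):
    """Return (alias, finding, detail) tuples; the finding names are this example's own."""
    findings = []
    for alias, root in entries.items():
        for _, backup in find_all(root, "BACKUP"):
            target = entries.get(backup.upper())
            if target is None:                # failover target is not in the file
                findings.append((alias, "backup-alias-undefined", backup))
            elif "TCPS" in protocols(root) and protocols(target) != {"TCPS"}:
                findings.append((alias, "backup-not-tcps", backup))
        for desc in find_all(root, "DESCRIPTION"):
            hosts = ",".join(value for _, value in find_all(desc, "HOST"))
            if "TCPS" in protocols(desc) and not any(find_all(desc, "SSL_SERVER_CERT_DN")):
                findings.append((alias, "tcps-without-server-dn", hosts))
    return findings

if __name__ == "__main__":
    for finding in check_failover(parse_tnsnames(SAMPLE_TNSNAMES)):
        print(*finding, sep=": ")
```

The backup-not-tcps finding matters because a TCPS entry whose BACKUP alias listens on TCP would carry the reconnected session without SSL.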
SSL configuration
You can configure Secure Sockets Layer (SSL) communication across the entire
solution. You can use SSL communication between the IBM Security Identity
Manager, Tivoli Directory Integrator and Oracle servers.
To use SSL communication between the system components, you can configure the
Tivoli Directory Integrator server as the SSL server. You can configure both the
IBM Security Identity Manager and the Oracle servers as SSL clients.
SSL overview
You can secure your environment with SSL communication between IBM Security
Identity Manager, Tivoli Directory Integrator, and the Oracle servers.
The two main communication channels that you can secure with SSL
communication are depicted in Figure 4 on page 27.
[Figure: Tivoli Identity Manager (SSL client), Tivoli Directory Integrator (SSL server), and Oracle database (SSL client), with the labels Truststore, Keystore, CA certificate “A”, and Certificate “A”, connected by channels 1 and 2.]
Figure 4. SSL communication overview
Each of these channels governs the communication between two main system
components.
1
This channel includes communication between IBM Security Identity
Manager and Tivoli Directory Integrator. To configure SSL communication
for this channel, see the Secure Sockets Layer (SSL) information in the IBM
Security Dispatcher Installation and Configuration Guide.
2
This channel includes communication between Tivoli Directory Integrator
and the Oracle database server. To configure SSL communication for this
channel, see “SSL configuration” on page 26.
Note: Configuring SSL for each of these channels is optional. You can choose
whether to configure SSL for neither, one or both channels.
JDBC driver location for SSL
JDBC Thin driver versions 10g Release 2 and later include SSL support. You can
obtain the Oracle Database 10gR2, 11g, or 11gR2 driver from the following
locations:
v The ORACLE_HOME\jdbc\lib directory of an Oracle database (client or server)
installation.
v The JDBC Driver Downloads page on the Oracle Technology Network website.
Tivoli Directory Integrator version 7.0
Use ojdbc5.jar, which is the driver for JDK 1.5.
Tivoli Directory Integrator version 7.1
Use ojdbc6.jar, which is the driver for use with JDK 1.6.
You must copy the appropriate driver to one of the following locations on the
Tivoli Directory Integrator server:
v TDI_HOME\jars\3rdparty\others.
v TDI_HOME\jvm\jre\lib\ext.
where TDI_HOME is the directory where Tivoli Directory Integrator is installed.
For example, on a Windows platform, the default directory is C:\Program
Files\IBM\TDI\V7.x.
You must also delete previous versions of the JDBC Thin driver from these two
TDI_HOME locations. The previous versions of the driver are one or more of the
following files:
v ojdbc14.jar
v classes12.zip
v nls_charset12.zip
v classes111.zip
v nls_charset11.zip
Note: The .zip files that are listed might be named as .jar files. For example,
classes12.jar.
Configuring the SSL connection
To enable SSL communication between the Oracle adapter and the Oracle database,
you must configure a truststore and optionally a keystore for the Dispatcher.
About this task
If the Oracle database requires SSL client authentication then you must configure a
keystore.
To configure the truststore for the Dispatcher, you must import the certificate
authority (CA) certificate that is used to sign the certificate for the Oracle database.
Configuring server authentication:
To configure SSL, you must first configure the server authentication by importing a
CA certificate into the truststore.
Procedure
1. Run the following command to import a CA certificate into a truststore:
keytool -import -v -alias OACA -file CA.cer -keystore truststore.jks -storetype JKS -storepass "ThePwd12"
Note:
The truststore.jks and solution.properties files are located in
the ITDI_HOME\timsol directory.
When you issue the keytool command to import the CA certificate, ensure that
the truststore details match the solution.properties entries.
2. Set the following properties in the solution.properties file:
## server authentication
javax.net.ssl.trustStore=truststore.jks
javax.net.ssl.trustStorePassword=ThePwd12
javax.net.ssl.trustStoreType=jks
The store password, ThePwd12, is for test purposes only.
If the keystore properties are not set in the solution.properties file, use the
same values as the truststore properties for these keystore entries:
## client authentication
javax.net.ssl.keyStore=truststore.jks
javax.net.ssl.keyStorePassword=ThePwd12
javax.net.ssl.keyStoreType=jks
Configuring client authentication:
If the Oracle database requires SSL client authentication, then you must configure a
keystore.
About this task
To determine whether the Oracle database requires SSL client authentication,
complete the following step.
Procedure
Verify the sqlnet.ora file on the target Oracle database server, which is the
managed resource, for the following line:
SSL_CLIENT_AUTHENTICATION = FALSE
The FALSE value means that the Oracle database server does NOT require SSL
client authentication. The TRUE value means that the Oracle database server DOES
require SSL client authentication.
Note: The store password ThePwd12 is for test purposes only.
Example
For test purposes, you can use the following commands to set up a JKS type
keystore:
cd c:\temp
mkdir clientjks
keytool -genkey -alias OADB -dname "CN=client,C=US" -storetype JKS -keystore clientjks\client.jks -keyalg RSA -storepass "ThePwd12"
keytool -certreq -alias OADB -file clientjks\creq.cer -keystore clientjks\client.jks -storepass "ThePwd12"
orapki cert create -wallet ./authority -request clientjks\creq.cer -cert clientjks\signed.cer -validity 3650 -pwd=ThePwd12
keytool -import -v -alias OACA -file authority\CA.cer -keystore clientjks\client.jks -storepass "ThePwd12"
keytool -import -v -alias OADB -file clientjks\signed.cer -keystore clientjks\client.jks -storepass "ThePwd12"
These example commands assume that you created a self-signed certificate
authority. See “Configuring the Oracle database server.”
What to do next
If the keystore properties are not set in the solution.properties file, then set the
following properties accordingly:
## client authentication
javax.net.ssl.keyStore=client.jks
javax.net.ssl.keyStorePassword=ThePwd12
javax.net.ssl.keyStoreType=jks
Configuring the Oracle database server:
Use Oracle tools, such as the Oracle Wallet Manager and the orapki command, to
configure both the truststore and the keystore on the Oracle database server.
About this task
For test purposes, you can use the following commands to set up a self-signed
certificate authority, truststore, and keystore:
cd c:\temp
mkdir authority
mkdir server
mkdir client
Self-signed certificate authority
orapki wallet create -wallet ./authority -pwd=ThePwd12
orapki wallet add -wallet ./authority -dn "CN=authority, C=US" -keysize 2048 -self_signed -validity 3650 -pwd=ThePwd12
orapki wallet export -wallet ./authority -dn "CN=authority, C=US" -cert ./authority/CA.cer -pwd=ThePwd12
Use the CA.cer file in the authority directory as the trusted certificate when you
issue the keytool command to import a CA certificate into the Dispatcher
truststore.
Stores for Server Authentication
orapki wallet create -wallet ./server -auto_login -pwd=ThePwd12
orapki wallet add -wallet ./server -dn "CN=server, C=US" -keysize 2048 -pwd=ThePwd12
orapki wallet export -wallet ./server -dn "CN=server, C=US" -request ./server/creq.cer -pwd=ThePwd12
orapki cert create -wallet ./authority -request ./server/creq.cer -cert ./server/signed.cer -validity 3650 -pwd=ThePwd12
orapki wallet add -wallet ./server -trusted_cert -cert ./authority/CA.cer -pwd=ThePwd12
orapki wallet add -wallet ./server -user_cert -cert ./server/signed.cer -pwd=ThePwd12
Stores for Client Authentication
orapki wallet create -wallet ./client -auto_login -pwd=ThePwd12
orapki wallet add -wallet ./client -dn "CN=client, C=US" -keysize 2048 -pwd=ThePwd12
orapki wallet export -wallet ./client -dn "CN=client, C=US" -request ./client/creq.cer -pwd=ThePwd12
orapki cert create -wallet ./authority -request ./client/creq.cer -cert ./client/signed.cer -validity 3650 -pwd=ThePwd12
orapki wallet add -wallet ./client -trusted_cert -cert ./authority/CA.cer -pwd=ThePwd12
orapki wallet add -wallet ./client -user_cert -cert ./client/signed.cer -pwd=ThePwd12
Oracle Network Configuration
Configure the following two files on the Oracle database server to enable SSL:
- listener.ora
- sqlnet.ora
These files are in the network\admin directory of the Oracle home directory. You
can use Oracle Net Manager or a text editor to edit these files.
listener.ora:
SSL_VERSION = 3.0
SSL_CLIENT_AUTHENTICATION = FALSE
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = myDir)
    )
  )
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = myHost)(PORT = nonSSLPort))
    )
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCPS)(HOST = myHost)(PORT = sslPort))
    )
  )
sqlnet.ora:
SQLNET.AUTHENTICATION_SERVICES= (TCPS, NTS)
NAMES.DIRECTORY_PATH= (TNSNAMES)
SSL_VERSION = 3.0
SSL_CLIENT_AUTHENTICATION = FALSE
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = myDir)
    )
  )
where:
myDir The directory location of the truststore on the Oracle Database Server. For
example C:\temp\server.
myHost
The server host name.
nonSSLPort
The non-SSL communication port (TCP protocol). For example, 1521.
sslPort
The SSL communication port (TCPS protocol). For example, 2484.
Modifying the Oracle Database Adapter service form for SSL:
To enable SSL communication between the Oracle adapter and the Oracle database,
you must configure the Oracle adapter service form.
About this task
Make the following changes to configure the Oracle Database Adapter service
form.
Procedure
1. Select the Use SSL communication with Oracle check box.
2. Update the Oracle Service Port value to the TCPS port that is listed in the
listener.ora file. For example, 2484.
3. (Optional) Provide a value for Oracle Server Distinguished Name.
If provided, the adapter verifies this value against the Oracle database server
certificate.
Note:
- Start both the listener and database services as the user who created the
  wallet, so both services can access the wallet successfully. On Windows,
  change the Log On As account for the listener and database services from
  the default Local System account to the wallet creator.
- The sqlnet.ora and the listener.ora files contain the wallet location. In
  most cases, both files contain the same wallet location, but the listener might
  use its own wallet.
  - Use the distinguished name of the certificate from the wallet in the
    sqlnet.ora file. The Oracle adapter verifies this name when you provide a
    value for the optional Oracle Server Distinguished Name on the service
    form.
  - For security, include a distinguished name in the service form to avoid the
    risk of a server that is faking its identity.
- For more information about configuring SSL with the Oracle driver, see the
  white paper "SSL with Oracle JDBC Thin Driver" on the Oracle website.
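The checks this section describes (whether sqlnet.ora requires client authentication, which TCPS port listener.ora exposes for the service form, and whether both files name the same wallet) can be scripted. The following Python sketch is an added example, not part of the IBM guide or the adapter; the sample files, the host name dbhost.example.com and all function names are constructed for illustration, and it assumes that Oracle treats a missing SSL_CLIENT_AUTHENTICATION line as TRUE.

```python
import re

_TOKEN = re.compile(r'"[^"]*"|[()=,]|[^\s()=,"]+')  # quoted string, ( ) = , or word


def parse_ora(text):
    """Parse listener.ora / sqlnet.ora text into {PARAMETER: value}; '#' starts a comment."""
    toks = _TOKEN.findall("\n".join(ln.split("#", 1)[0] for ln in text.splitlines()))
    pos = 0

    def peek(k=0):
        return toks[pos + k] if pos + k < len(toks) else None

    def take(expected=None):
        nonlocal pos
        if peek() is None or (expected and peek() != expected):
            raise ValueError(f"expected {expected!r}, got {peek()!r}")
        pos += 1
        return toks[pos - 1]

    def value():
        if peek() == "(":                  # one or more (...) groups
            groups = []
            while peek() == "(":
                groups.append(group())
            return groups
        words = [take()]                   # bare value, possibly several words
        while peek() not in (None, "(", ")", "=", ",") and peek(1) != "=":
            words.append(take())
        return " ".join(words).strip('"')

    def group():
        take("(")
        if peek(1) != "=":                 # (a, b, c); iter() also consumes ")"
            return [t for t in iter(take, ")") if t != ","]
        key = take().upper()
        take("=")
        node = (key, value())
        take(")")
        return node

    params = {}
    while peek() is not None:
        name = take().upper()
        take("=")
        params[name] = value()
    return params


def find_all(node, key):
    """Yield every value stored under KEY anywhere below node."""
    if isinstance(node, tuple):
        if node[0] == key:
            yield node[1]
        yield from find_all(node[1], key)
    elif isinstance(node, list):
        for child in node:
            yield from find_all(child, key)


def review(listener_text, sqlnet_text):
    """Collect the values the adapter setup needs, plus findings to act on."""
    listener, sqlnet = parse_ora(listener_text), parse_ora(sqlnet_text)
    wallets = [next(find_all(p.get("WALLET_LOCATION", []), "DIRECTORY"), None)
               for p in (listener, sqlnet)]
    addrs = (dict(a) for v in listener.values() for a in find_all(v, "ADDRESS"))
    ports = [int(a["PORT"]) for a in addrs if a.get("PROTOCOL", "").upper() == "TCPS"]
    # Assumption: Oracle treats a missing SSL_CLIENT_AUTHENTICATION as TRUE.
    client_auth = str(sqlnet.get("SSL_CLIENT_AUTHENTICATION", "TRUE")).upper() == "TRUE"
    findings = []
    if client_auth:
        findings.append("client authentication required: configure the keystore")
    if wallets[0] != wallets[1]:
        findings.append("wallets differ: take the server DN from the sqlnet.ora wallet")
    for name, params in (("listener.ora", listener), ("sqlnet.ora", sqlnet)):
        if params.get("SSL_VERSION") == "3.0":
            findings.append(f"{name}: SSL_VERSION = 3.0 is SSL 3.0 (deprecated, RFC 7568)")
    return {"client_auth_required": client_auth, "tcps_ports": ports,
            "sqlnet_wallet": wallets[1], "findings": findings}


# Constructed sample files modelled on the templates in this guide.
LISTENER_ORA = r"""
SSL_VERSION = 3.0
SSL_CLIENT_AUTHENTICATION = FALSE
WALLET_LOCATION = (SOURCE = (METHOD = FILE)(METHOD_DATA = (DIRECTORY = C:\temp\server)))
LISTENER = (DESCRIPTION_LIST =
  (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example.com)(PORT = 1521)))
  (DESCRIPTION = (ADDRESS = (PROTOCOL = TCPS)(HOST = dbhost.example.com)(PORT = 2484))))
"""
SQLNET_ORA = r"""
SQLNET.AUTHENTICATION_SERVICES = (TCPS, NTS)
SSL_VERSION = 3.0
SSL_CLIENT_AUTHENTICATION = FALSE
WALLET_LOCATION = (SOURCE = (METHOD = FILE)(METHOD_DATA = (DIRECTORY = C:\temp\server)))
"""

if __name__ == "__main__":
    print(review(LISTENER_ORA, SQLNET_ORA))
```

The tcps_ports value is the candidate for the Oracle Service Port field on the service form, and client_auth_required tells you whether the javax.net.ssl.keyStore properties must be set.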
Password management for account restoration
How each restore action interacts with its corresponding managed resource
depends on the managed resource or on the business processes that you
implement.
Certain resources reject a password when a request is made to restore an account.
In this case, you can configure IBM Security Identity Manager to forego the new
password requirement. You can configure the Oracle Database Adapter to require a
new password when the account is restored. This feature is useful if your
company's business processes require you to reset the password when an account
is restored.
In the service.def file, you can define whether a password is required as a new
protocol option. When you import the adapter profile, if an option is not specified,
the adapter profile importer determines the correct restoration password behavior
from the schema.dsml file. The adapter profile components enable remote services
to know whether to discard a password that is entered by the user where multiple
accounts on disparate resources are being restored. In this situation, only
some of the accounts that are being restored might require a password. Remote
services discard the password from the restore action for those managed resources
that do not require it.
Edit the service.def file to add the new protocol options, for example:
<Property Name = "com.ibm.itim.remoteservices.ResourceProperties.PASSWORD_NOT_REQUIRED_ON_RESTORE">
<value>true</value>
</Property>
<Property Name = "com.ibm.itim.remoteservices.ResourceProperties.PASSWORD_NOT_ALLOWED_ON_RESTORE">
<value>false</value>
</Property>
By adding the two options in the preceding example, you can ensure that you are
not prompted for a password when an account is restored.
Language pack installation for the Oracle Database adapter
The adapters use a separate language package from the IBM Security Identity
Manager.
See the IBM Security Identity Manager library and search for information about
installing the adapter language pack.
Verifying that the adapter is working correctly
After you install and configure the adapter, take steps to verify that the installation
and configuration are correct.
Procedure
1. Test the connection for the service that you created on IBM Security Identity
Manager.
2. Run a full reconciliation from IBM Security Identity Manager.
3. Run all supported operations such as add, modify, and delete on one user
account.
4. Verify the ibmdi.log file after each operation to ensure that no errors are
reported.
5. Verify the IBM Security Identity Manager log file trace.log to ensure that no
errors are reported when you run an adapter operation.
Chapter 5. Troubleshooting the adapter errors
Troubleshooting can help you determine why a product does not function properly.
These topics provide information and techniques for identifying and resolving
problems with the adapter. They also provide information about troubleshooting
errors that might occur during the adapter installation.
Techniques for troubleshooting problems
Troubleshooting is a systematic approach to solving a problem. The goal of
troubleshooting is to determine why something does not work as expected and
how to resolve the problem. Certain common techniques can help with the task of
troubleshooting.
The first step in the troubleshooting process is to describe the problem completely.
Problem descriptions help you and the IBM technical-support representative know
where to start to find the cause of the problem. This step includes asking yourself
basic questions:
- What are the symptoms of the problem?
- Where does the problem occur?
- When does the problem occur?
- Under which conditions does the problem occur?
- Can the problem be reproduced?
The answers to these questions typically lead to a good description of the problem,
which can then lead you to a problem resolution.
What are the symptoms of the problem?
When starting to describe a problem, the most obvious question is “What is the
problem?” This question might seem straightforward; however, you can break it
down into several more-focused questions that create a more descriptive picture of
the problem. These questions can include:
- Who, or what, is reporting the problem?
- What are the error codes and messages?
- How does the system fail? For example, is it a loop, hang, crash, performance
  degradation, or incorrect result?
Where does the problem occur?
Determining where the problem originates is not always easy, but it is one of the
most important steps in resolving a problem. Many layers of technology can exist
between the reporting and failing components. Networks, disks, and drivers are
only a few of the components to consider when you are investigating problems.
The following questions help you to focus on where the problem occurs to isolate
the problem layer:
- Is the problem specific to one platform or operating system, or is it common
  across multiple platforms or operating systems?
- Is the current environment and configuration supported?
- Do all users have the problem?
- (For multi-site installations.) Do all sites have the problem?
If one layer reports the problem, the problem does not necessarily originate in that
layer. Part of identifying where a problem originates is understanding the
environment in which it exists. Take some time to completely describe the problem
environment, including the operating system and version, all corresponding
software and versions, and hardware information. Confirm that you are running
within an environment that is a supported configuration; many problems can be
traced back to incompatible levels of software that are not intended to run together
or have not been fully tested together.
When does the problem occur?
Develop a detailed timeline of events leading up to a failure, especially for those
cases that are one-time occurrences. You can most easily develop a timeline by
working backward: Start at the time an error was reported (as precisely as possible,
even down to the millisecond), and work backward through the available logs and
information. Typically, you need to look only as far as the first suspicious event
that you find in a diagnostic log.
To develop a detailed timeline of events, answer these questions:
- Does the problem happen only at a certain time of day or night?
- How often does the problem happen?
- What sequence of events leads up to the time that the problem is reported?
- Does the problem happen after an environment change, such as upgrading or
  installing software or hardware?
Responding to these types of questions can give you a frame of reference in which
to investigate the problem.
Under which conditions does the problem occur?
Knowing which systems and applications are running at the time that a problem
occurs is an important part of troubleshooting. These questions about your
environment can help you to identify the root cause of the problem:
- Does the problem always occur when the same task is being performed?
- Does a certain sequence of events need to happen for the problem to occur?
- Do any other applications fail at the same time?
Answering these types of questions can help you explain the environment in
which the problem occurs and correlate any dependencies. Remember that just
because multiple problems might have occurred around the same time, the
problems are not necessarily related.
Can the problem be reproduced?
From a troubleshooting standpoint, the ideal problem is one that can be
reproduced. Typically, when a problem can be reproduced you have a larger set of
tools or procedures at your disposal to help you investigate. Consequently,
problems that you can reproduce are often easier to debug and solve.
However, problems that you can reproduce can have a disadvantage: If the
problem is of significant business impact, you do not want it to recur. If possible,
re-create the problem in a test or development environment, which typically offers
you more flexibility and control during your investigation.
- Can the problem be re-created on a test system?
- Are multiple users or applications encountering the same type of problem?
- Can the problem be re-created by running a single command, a set of
  commands, or a particular application?
For information about obtaining support, see Appendix D, “Support information,”
on page 53.
Warning and error messages
A warning or error message might be displayed in the user interface to provide
information about the adapter or when an error occurs.
A warning or error might be displayed in the user interface to provide information
that you need to know about the adapter or about an error. Table 6 contains
warnings or errors which might be displayed in the user interface if the Oracle
Database Adapter is installed on your system.
Table 6. Warning and error messages

| Message code | Warning or error message | Remedial action |
| --- | --- | --- |
| CTGIMT001E | The following error occurred. Error: Either the Oracle service name is incorrect or the service is not up. | Ensure that the Oracle service name given on the IBM Security Identity Manager service form is running. |
| CTGIMT001E | The following error occurred. Error: Either the Oracle host or port is incorrect. | Verify that the host workstation name or the port for the Oracle service is correctly specified. |
| CTGIMT002E | The login credential is missing or incorrect. | Verify that you provided the correct login credential on the service form. |
| CTGIMT001E | The following error occurred. Error: No suitable JDBC driver found. | Ensure that the correct version of the JDBC thin driver is copied onto the workstation where the adapter is installed. Ensure that the path for the driver is included in the system CLASSPATH variable. |
| CTGIMT600E | An error occurred while establishing communication with the IBM Tivoli Directory Integrator server. | IBM Security Identity Manager cannot establish a connection with IBM Tivoli Directory Integrator. To fix this problem, ensure that IBM Tivoli Directory Integrator is running and that the URL specified on the service form for the IBM Tivoli Directory Integrator is correct. |
| CTGIMT004E | The adapter does not have permission to add an account: Account_Name. | The administrator user provided on the IBM Tivoli Directory Integrator service form does not have the required privileges to add a user account. Ensure that an administrator user with the required privileges is specified on the service form. These privileges are the minimum required for the administrator user: CREATE USER, ALTER USER, DROP USER, SELECT ANY TABLE, GRANT ANY ROLE, GRANT ANY PRIVILEGE, EXECUTE ANY PROCEDURE, ADMINISTER_RESOURCE_MANAGER, SELECT ANY DICTIONARY. Note: To use the following stored procedures, you must provide EXECUTE ANY PROCEDURE and ADMINISTER_RESOURCE_MANAGER privileges to the administrator user: dbms_resource_manager_privs.grant_switch_consumer_group, DBMS_RESOURCE_MANAGER_PRIVS.REVOKE_SWITCH_CONSUMER_GROUP, dbms_resource_manager.set_initial_consumer_group, DBMS_WM.RevokeSystemPriv. |
| CTGIMT003E | The account already exists. | Use a different name for the user to be added. |
| CTGIMT015E | An error occurred while deleting the Account_Name account because the account does not exist. | The user you are trying to delete does not exist. Ensure that you are deleting only an existing account. |
Chapter 6. Adapter upgrade
You can upgrade the adapter by installing the new version of the adapter.
Upgrading the adapter might also involve additional tasks, such as upgrading the
connector, the dispatcher, and the existing adapter profile. To verify the required
version of these adapter components, see the adapter release notes. For the
installation steps, see Chapter 3, “Adapter installation,” on page 9.
Dispatcher upgrade
Before you upgrade the dispatcher, verify the version of the dispatcher.
- If the dispatcher version mentioned in the release notes is later than the existing
  version on your workstation, install the dispatcher.
- If the dispatcher version mentioned in the release notes is the same or earlier
  than the existing version, do not install the dispatcher.
Note: Stop the dispatcher service before upgrading the dispatcher and start it
again after the upgrade is complete.
Upgrade of an existing adapter profile
Read the adapter Release Notes for any specific instructions before you import a
new adapter profile into IBM Security Identity Manager.
See “Importing the adapter profile into the IBM Security Identity Manager server”
on page 10.
Note: Restart the dispatcher service after importing the profile. Restarting the
dispatcher clears the assembly lines cache and ensures that the dispatcher runs the
assembly lines from the updated adapter profile.
Chapter 7. Adapter uninstallation
You can completely uninstall the Oracle Database Adapter.
1. Uninstall the adapter from Tivoli Directory Integrator server.
2. Remove the adapter profile from the IBM Security Identity Manager server.
Uninstalling the adapter from the Tivoli Directory Integrator server
You can remove the Oracle Database Adapter.
About this task
The Oracle Database Adapter installation installs the Dispatcher only on the Tivoli
Directory Integrator server. Therefore, you only need to uninstall from the
Dispatcher. There is no uninstall for the Oracle Database Adapter.
The JAR file needed to uninstall the Dispatcher was created in the
ITDI_HOME\DispatcherUninstall directory when the Dispatcher was installed.
Note: The Dispatcher is required for all Tivoli Directory Integrator-based adapters.
If you uninstall the Dispatcher, none of the other installed adapters function.
To remove the Oracle Database Adapter, complete these steps:
1. Stop the adapter service.
2. Run the DispatcherUninstall.jar file. To run the JAR file, double click on the
executable file or enter the following command at the command prompt:
TDI_HOME/jvm/jre/bin/java -jar DispatcherUninstall.jar
Adapter profile removal from the IBM Security Identity Manager server
Before you remove the adapter profile, ensure that no objects exist on your IBM
Security Identity Manager server that reference the adapter profile.
Examples of objects on the IBM Security Identity Manager server that can reference
the adapter profile are:
- Adapter service instances
- Policies referencing an adapter instance or the profile
- Accounts
Note: The Dispatcher component must be installed on your system for adapters to
function correctly in a Tivoli Directory Integrator environment. When you delete
the adapter profile for the Oracle Database Adapter, do not uninstall the
Dispatcher.
For specific information about how to remove the adapter profile, see the online
help or the IBM Security Identity Manager product documentation.
Chapter 8. Adapter reinstallation
There are no special considerations for reinstalling the adapter. You do not need to
remove the adapter before reinstalling.
For more information, see Chapter 6, “Adapter upgrade,” on page 39.
Appendix A. Adapter attributes
The IBM Security Identity Manager server communicates with the Oracle Database
Adapter with attributes that are included in transmission packets that are sent over
a network.
The combination of attributes that is included in the packets depends on the type
of action that the IBM Security Identity Manager server requests from the Oracle
Database Adapter.
Table 7 is a listing of the attributes that are used by the Oracle Database Adapter.
The table gives a brief description and corresponding column on the Oracle
database (if applicable) for the value of the attribute.
Table 7. Attributes, object identifiers, descriptions, and corresponding column/table name on the Oracle database

| Attribute | Description | Oracle column or table |
| --- | --- | --- |
| erOraServiceName | The SID/Service Name of the Oracle instance. | NA |
| erOraSysPriv | The System Privilege assigned to the user. | PRIVILEGE/DBA_SYS_PRIV |
| erOraDefaultTableSpace | The name of the default table space. | DEFAULT_TABLESPACE/DBA_USERS |
| erOraTemporaryTableSpace | The name of the temporary table space. | TEMPORARY_TABLESPACE/DBA_USERS |
| erOraTblSpcQuota | The maximum space allowed on a table space. | MAX_BYTES/DBA_TS_QUOTA |
| erOraAuthenticationType | Specifies how the user is authenticated by Oracle. | PASSWORD/DBA_USERS |
| erOraGlobalName | An external name that identifies the user. | EXTERNAL_NAME/DBA_USERS |
| erOraTblspacesName | The name for the erOraTablespaces group. | TABLESPACE_NAME/DBA_TABLESPACES |
| erOraPrflName | The name for the erOraProfiles group. | PROFILE/DBA_PROFILES |
| erOraRolesName | The name for the erOraRoles group. | ROLE/DBA_ROLES |
| erOraRole | The database roles assigned as default roles to the account. | ROLE, DEFAULT_ROLE/DBA_ROLE_PRIV |
| erOraNonDefRole | The database roles assigned as non default roles (for example, password protected roles) to the account. | ROLE, DEFAULT_ROLE/DBA_ROLE_PRIV |
| erOraProfile | The profile name assigned to the account. | PROFILE/DBA_USERS |
| erOraExpirePwd | If true, set the password to expire. | ACCOUNT_STATUS/DBA_USERS |
| erOraProxyUsers | The proxy user for this user. | PROXY/PROXY_USERS |
| erOraRsrcConsumerGroup | The resource consumer groups that a user can switch to. | GRANTED_GROUP/DBA_RSRC_CONSUMER_GROUP_PRIVS |
| erOraServiceHost | The host workstation where the Oracle service is running. | NA |
| erOraServicePort | The port on which the Oracle service is listening. | NA |
| erOraDefRsrcConsumerGroup | The default or initial resource consumer group for a user. | INITIAL_RSRC_CONSUMER_GROUP/DBA_USERS |
| erServiceUid | The Oracle resource administrator ID. | NA |
| erPassword | The password for Oracle administrator. | PASSWORD/DBA_USERS |
| erUid | The login name. | USERNAME/DBA_USERS |
| erAccountStatus | The status of the account either enabled or disabled. | ACCOUNT_STATUS/DBA_USERS |
Attributes by Oracle Database Adapter actions
The following topics describe typical Oracle Database Adapter actions by their
functional transaction group.
The topics include more information about required and optional attributes sent to
the Oracle Database Adapter to complete that action.
System Login Add
A System Login Add is a request to create a user account with the specified
attributes.
Table 8. Add request attributes for Oracle

| Required attribute | Optional attribute |
| --- | --- |
| erUid | All other supported attributes |
System Login Change
A System Login Change is a request to change one or more attributes for the
specified users.
Table 9. Change request attributes for Oracle

| Required attribute | Optional attribute |
| --- | --- |
| erUid | All other supported attributes |
System Login Delete
A System Login Delete is a request to remove the specified user from the Oracle
database.
Table 10. Delete request attributes for Oracle

| Required attribute | Optional attribute |
| --- | --- |
| erUid | None |
System Login Suspend
A System Login Suspend is a request to disable a user account. The user is not
removed, and the user's attributes are not modified.
Table 11. Suspend request attributes for Oracle

| Required attribute | Optional attribute |
| --- | --- |
| erUid | None |
| erAccountStatus | |
System Login Restore
A System Login Restore is a request to activate a user account that was previously
suspended. After an account is restored, the user can access the system by using
the same attributes as the ones before the Suspend function was called.
Table 12. Restore request attributes for Oracle

| Required attribute | Optional attribute |
| --- | --- |
| erUid | None |
| erAccountStatus | |
Test
You can use attributes to test the connection.
Table 13. Test attributes

| Required attribute | Optional attribute |
| --- | --- |
| None | None |
Reconciliation
The Reconciliation request synchronizes user account information between IBM
Security Identity Manager and the adapter.
Table 14. Reconciliation request attributes for Oracle

| Required attribute | Optional attribute |
| --- | --- |
| None | None |
Appendix B. Adapter installation on a z/OS operating system
To install the adapters on the z/OS UNIX operating system, you must install the
Dispatcher.
The adapter uses the Tivoli Directory Integrator JDBC connector that is available
with the base Tivoli Directory Integrator product.
For information about installing the Dispatcher, see the Tivoli Directory Integrator
Dispatcher Installation and Configuration Guide.
After the installation of the adapter is complete, verify the startup and shutdown
of the adapter. For more detailed instructions, see “Start, stop, and restart the
Oracle Database Adapter service” on page 10.
Appendix C. Definitions for ITDI_HOME and ISIM_HOME directories
ITDI_HOME is the directory where Tivoli Directory Integrator is installed.
ISIM_HOME is the directory where IBM Security Identity Manager is installed.
ITDI_HOME
This directory contains the jars/connectors subdirectory that contains files
for the adapters.
Windows
drive\Program Files\IBM\TDI\ITDI_VERSION
For example the path for version 7.1:
C:\Program Files\IBM\TDI\V7.1
UNIX
/opt/IBM/TDI/ITDI_VERSION
For example the path for version 7.1:
/opt/IBM/TDI/V7.1
ISIM_HOME
This directory is the base directory that contains the IBM Security Identity
Manager code, configuration, and documentation.
Windows
path\IBM\isim
UNIX
path/IBM/isim
Appendix D. Support information
You have several options to obtain support for IBM products.
- “Searching knowledge bases”
- “Obtaining a product fix” on page 54
- “Contacting IBM Support” on page 54
Searching knowledge bases
You can often find solutions to problems by searching IBM knowledge bases. You
can optimize your results by using available resources, support tools, and search
methods.
About this task
You can find useful information by searching the product documentation for IBM
Security Identity Manager. However, sometimes you must look beyond the product
documentation to answer your questions or resolve problems.
Procedure
To search knowledge bases for information that you need, use one or more of the
following approaches:
1. Search for content by using the IBM Support Assistant (ISA).
ISA is a no-charge software serviceability workbench that helps you answer
questions and resolve problems with IBM software products. You can find
instructions for downloading and installing ISA on the ISA website.
2. Find the content that you need by using the IBM Support Portal.
The IBM Support Portal is a unified, centralized view of all technical support
tools and information for all IBM systems, software, and services. The IBM
Support Portal lets you access the IBM electronic support portfolio from one
place. You can tailor the pages to focus on the information and resources that
you need for problem prevention and faster problem resolution. Familiarize
yourself with the IBM Support Portal by viewing the demo videos
(https://www.ibm.com/blogs/SPNA/entry/the_ibm_support_portal_videos)
about this tool. These videos introduce you to the IBM Support Portal, explore
troubleshooting and other resources, and demonstrate how you can tailor the
page by moving, adding, and deleting portlets.
3. Search for content about IBM Security Identity Manager by using one of the
following additional technical resources:
- IBM Security Identity Manager version 6.0 technotes and APARs (problem
  reports).
- IBM Security Identity Manager Support website.
- IBM Redbooks®.
- IBM support communities (forums and newsgroups).
4. Search for content by using the IBM masthead search. You can use the IBM
masthead search by typing your search string into the Search field at the top of
any ibm.com® page.
5. Search for content by using any external search engine, such as Google, Yahoo,
or Bing. If you use an external search engine, your results are more likely to
include information that is outside the ibm.com domain. However, sometimes
you can find useful problem-solving information about IBM products in
newsgroups, forums, and blogs that are not on ibm.com.
Tip: Include “IBM” and the name of the product in your search if you are
looking for information about an IBM product.
Obtaining a product fix
A product fix might be available to resolve your problem.
About this task
You can get fixes by following these steps:
Procedure
1. Obtain the tools that are required to get the fix. You can obtain product fixes
from the Fix Central Site. See http://www.ibm.com/support/fixcentral/.
2. Determine which fix you need.
3. Download the fix. Open the download document and follow the link in the
“Download package” section.
4. Apply the fix. Follow the instructions in the “Installation Instructions” section
of the download document.
Contacting IBM Support
IBM Support assists you with product defects, answers FAQs, and helps users
resolve problems with the product.
Before you begin
After trying to find your answer or solution by using other self-help options such
as technotes, you can contact IBM Support. Before contacting IBM Support, your
company or organization must have an active IBM software subscription and
support contract, and you must be authorized to submit problems to IBM. For
information about the types of available support, see the Support portfolio topic in
the “Software Support Handbook”.
Procedure
To contact IBM Support about a problem:
1. Define the problem, gather background information, and determine the severity
of the problem. For more information, see the Getting IBM support topic in the
Software Support Handbook.
2. Gather diagnostic information.
3. Submit the problem to IBM Support in one of the following ways:
v Using IBM Support Assistant (ISA):
Any data that has been collected can be attached to the service request.
Using ISA in this way can expedite the analysis and reduce the time to
resolution.
a. Download and install the ISA tool from the ISA website. See
http://www.ibm.com/software/support/isa/.
b. Open ISA.
c. Click Collection and Send Data.
d. Click the Service Requests tab.
e. Click Open a New Service Request.
• Online through the IBM Support Portal: You can open, update, and view all
of your service requests from the Service Request portlet on the Service
Request page.
• By telephone for critical, system down, or severity 1 issues: For the telephone
number to call in your region, see the Directory of worldwide contacts web
page.
Results
If the problem that you submit is for a software defect or for missing or inaccurate
documentation, IBM Support creates an Authorized Program Analysis Report
(APAR). The APAR describes the problem in detail. Whenever possible, IBM
Support provides a workaround that you can implement until the APAR is
resolved and a fix is delivered. IBM publishes resolved APARs on the IBM Support
website daily, so that other users who experience the same problem can benefit
from the same resolution.
Appendix E. Accessibility features for IBM Security Identity
Manager
Accessibility features help users who have a disability, such as restricted mobility
or limited vision, to use information technology products successfully.
Accessibility features
The following list includes the major accessibility features in IBM Security Identity
Manager.
• Support for the Freedom Scientific JAWS screen reader application
• Keyboard-only operation
• Interfaces that are commonly used by screen readers
• Keys that are discernible by touch but do not activate just by touching them
• Industry-standard devices for ports and connectors
• The attachment of alternative input and output devices
The IBM Security Identity Manager library, and its related publications, are
accessible.
Keyboard navigation
This product uses standard Microsoft Windows navigation keys.
Related accessibility information
The following keyboard navigation and accessibility features are available in the
form designer:
• You can use the tab keys and arrow keys to move between the user interface
controls.
• You can use the Home, End, Page Up, and Page Down keys for more
navigation.
• You can launch any applet, such as the form designer applet, in a separate
window to enable the Alt+Tab keystroke to toggle between that applet and the
web interface, and also to use more screen workspace. To launch the window,
click Launch as a separate window.
• You can change the appearance of applets such as the form designer by using
themes, which provide high contrast color schemes that help users with vision
impairments to differentiate between controls.
IBM and accessibility
See the IBM Human Ability and Accessibility Center for more information about
the commitment that IBM has to accessibility.
Notices
This information was developed for products and services offered in the U.S.A.
IBM may not offer the products, services, or features discussed in this document in
other countries. Consult your local IBM representative for information on the
products and services currently available in your area. Any reference to an IBM
product, program, or service is not intended to state or imply that only that IBM
product, program, or service may be used. Any functionally equivalent product,
program, or service that does not infringe any IBM intellectual property right may
be used instead. However, it is the user's responsibility to evaluate and verify the
operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter
described in this document. The furnishing of this document does not give you
any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785 U.S.A.
For license inquiries regarding double-byte (DBCS) information, contact the IBM
Intellectual Property Department in your country or send inquiries, in writing, to:
Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan, Ltd.
19-21, Nihonbashi-Hakozakicho, Chuo-ku
Tokyo 103-8510, Japan
The following paragraph does not apply to the United Kingdom or any other
country where such provisions are inconsistent with local law:
INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS
PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER
EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS
FOR A PARTICULAR PURPOSE.
Some states do not allow disclaimer of express or implied warranties in certain
transactions, therefore, this statement might not apply to you.
This information could include technical inaccuracies or typographical errors.
Changes are periodically made to the information herein; these changes will be
incorporated in new editions of the publication. IBM may make improvements
and/or changes in the product(s) and/or the program(s) described in this
publication at any time without notice.
Any references in this information to non-IBM Web sites are provided for
convenience only and do not in any manner serve as an endorsement of those Web
sites. The materials at those Web sites are not part of the materials for this IBM
product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it
believes appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose
of enabling: (i) the exchange of information between independently created
programs and other programs (including this one) and (ii) the mutual use of the
information which has been exchanged, should contact:
IBM Corporation
2Z4A/101
11400 Burnet Road
Austin, TX 78758 U.S.A.
Such information may be available, subject to appropriate terms and conditions,
including in some cases payment of a fee.
The licensed program described in this document and all licensed material
available for it are provided by IBM under terms of the IBM Customer Agreement,
IBM International Program License Agreement or any equivalent agreement
between us.
Any performance data contained herein was determined in a controlled
environment. Therefore, the results obtained in other operating environments may
vary significantly. Some measurements may have been made on development-level
systems and there is no guarantee that these measurements will be the same on
generally available systems. Furthermore, some measurements may have been
estimated through extrapolation. Actual results may vary. Users of this document
should verify the applicable data for their specific environment.
Information concerning non-IBM products was obtained from the suppliers of
those products, their published announcements or other publicly available sources.
IBM has not tested those products and cannot confirm the accuracy of
performance, compatibility or any other claims related to non-IBM products.
Questions on the capabilities of non-IBM products should be addressed to the
suppliers of those products.
All statements regarding IBM's future direction or intent are subject to change or
withdrawal without notice, and represent goals and objectives only.
This information contains examples of data and reports used in daily business
operations. To illustrate them as completely as possible, the examples include the
names of individuals, companies, brands, and products. All of these names are
fictitious and any similarity to the names and addresses used by an actual business
enterprise is entirely coincidental.
COPYRIGHT LICENSE:
This information contains sample application programs in source language, which
illustrate programming techniques on various operating platforms. You may copy,
modify, and distribute these sample programs in any form without payment to
IBM, for the purposes of developing, using, marketing or distributing application
programs conforming to the application programming interface for the operating
platform for which the sample programs are written. These examples have not
been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or
imply reliability, serviceability, or function of these programs. You may copy,
modify, and distribute these sample programs in any form without payment to
IBM for the purposes of developing, using, marketing, or distributing application
programs conforming to IBM's application programming interfaces.
Each copy or any portion of these sample programs or any derivative work, must
include a copyright notice as follows:
If you are viewing this information softcopy, the photographs and color
illustrations might not appear.
© (your company name) (year). Portions of this code are derived from IBM Corp.
Sample Programs. © Copyright IBM Corp. _enter the year or years_. All rights
reserved.
If you are viewing this information in softcopy form, the photographs and color
illustrations might not be displayed.
Trademarks
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of
International Business Machines Corp., registered in many jurisdictions worldwide.
Other product and service names might be trademarks of IBM or other companies.
A current list of IBM trademarks is available on the Web at "Copyright and
trademark information" at http://www.ibm.com/legal/copytrade.shtml.
Adobe, Acrobat, PostScript and all Adobe-based trademarks are either registered
trademarks or trademarks of Adobe Systems Incorporated in the United States,
other countries, or both.
IT Infrastructure Library is a registered trademark of the Central Computer and
Telecommunications Agency which is now part of the Office of Government
Commerce.
Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo,
Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or
registered trademarks of Intel Corporation or its subsidiaries in the United States
and other countries.
Linux is a trademark of Linus Torvalds in the United States, other countries, or
both.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of
Microsoft Corporation in the United States, other countries, or both.
ITIL is a registered trademark, and a registered community trademark of the Office
of Government Commerce, and is registered in the U.S. Patent and Trademark
Office.
UNIX is a registered trademark of The Open Group in the United States and other
countries.
Cell Broadband Engine and Cell/B.E. are trademarks of Sony Computer
Entertainment, Inc., in the United States, other countries, or both and is used under
license therefrom.
Java and all Java-based trademarks and logos are trademarks or registered
trademarks of Oracle and/or its affiliates.
Privacy Policy Considerations
IBM Software products, including software as a service solutions, ("Software
Offerings") may use cookies or other technologies to collect product usage
information, to help improve the end user experience, and to tailor interactions
with the end user or for other purposes. In many cases, no personally identifiable
information is collected by the Software Offerings. Some of our Software Offerings
can help enable you to collect personally identifiable information. If this Software
Offering uses cookies to collect personally identifiable information, specific
information about this offering’s use of cookies is set forth below.
This Software Offering does not use cookies or other technologies to collect
personally identifiable information.
If the configurations deployed for this Software Offering provide you as customer
the ability to collect personally identifiable information from end users via cookies
and other technologies, you should seek your own legal advice about any laws
applicable to such data collection, including any requirements for notice and
consent.
For more information about the use of various technologies, including cookies, for
these purposes, see IBM's Privacy Policy at http://www.ibm.com/privacy and
IBM’s Online Privacy Statement at http://www.ibm.com/privacy/details/us/en
sections entitled "Cookies, Web Beacons and Other Technologies and Software
Products and Software-as-a Service".
Printed in USA
SC27-4402-03