IBM Tivoli Identity Manager Oracle Database Adapter 5.1.20 is available. Compatibility, installation, and other getting-started issues are addressed.
Welcome to the IBM Tivoli Identity Manager Oracle Database Adapter.
These Release Notes contain information for the following products that was not available when the IBM Tivoli Identity Manager manuals were printed:
The Oracle Database Adapter is designed to create and manage accounts on an Oracle Database. The adapter runs in "agentless" mode and communicates with the managed systems over JDBC. IBM recommends installing this adapter (and the prerequisite IBM Tivoli Directory Integrator) on each node of an Identity Manager WAS cluster. A single copy of the adapter can handle multiple Identity Manager Services.
The deployment configuration is based, in part, on the topology of your network domain, but the primary factor is the planned structure of your IBM Tivoli Identity Manager Provisioning Policies and Approval Workflow process. Refer to the Identity Manager Information Center for a discussion of these topics.
The Identity Manager adapters are powerful tools that require Administrator Level authority. Adapters operate much like a human system administrator, creating accounts, permissions and home directories. Operations requested from the Identity Manager server will fail if the adapter is not given sufficient authority to perform the requested task. IBM recommends that this adapter run with administrative (root) permissions. The Oracle privileges that the adapter account itself needs are listed in Table 5 of the Installation Guide and in the corrections to that table below.
Service group management is not supported by the Oracle Database Adapter; consequently, service group name changes are not supported either.
Adapter Version
Component | Version
Build Date | 2015 August 28 05.04.37
Adapter Version | 5.1.20
Component Versions | Adapter build: 5.1.20.86; Profile: 5.1.20.86; Connector: 5.1.20.86; Dispatcher: 5.1.32 (packaged separately)
Documentation | IBM Tivoli Identity Manager Oracle Database Adapter Installation and Configuration Guide
New Features
Enhancement # (FITS) | Description

Items included in current release (5.1.20)
71947 (36726) | Include an option to enable or disable the use of CASCADE when removing an Oracle user. See Corrections to Installation Guide for additional information.
71039 (36376) | The Oracle adapter JDBC thin client should support Oracle network encryption. See Corrections to Installation Guide for additional information.

Items included in 5.1.19 release
None

Items included in 5.1.18 release
62006 (32682) | The Identity Manager Oracle Adapter must reconcile "Expiry Date" information from Oracle databases. See Corrections to Installation Guide for additional information.
59081 (31404) | The Identity Manager Oracle Adapter must reconcile account status and the date on which the account was locked or expired. See Corrections to Installation Guide for additional information.

Items included in 5.1.17 release
56730 (30646) | The Oracle Adapter did not return the password last change date from the endpoint when the password was changed outside of Identity Manager. The adapter now supports a new attribute, "Last Password change". Note: this is a read-only attribute and must not be edited during ADD or MODIFY operations. To use this feature on Oracle 12c, grant "select on sys.user$" to the adapter user. See Corrections to Installation Guide for additional information.

Items included in 5.1.16 release
RFE 34778 | OSDB Certification: 12c support (non-container database). Note: this version of the adapter supports only non-container databases.

Items included in 5.1.15 release
None

Items included in 5.1.14 release
None

Items included in 5.1.13 release
RFE 33791 | Add support for using bind variables when querying the Oracle Database.
INT90431 | Add an option to indicate whether the Oracle Database service name is a SID.
INT90521 | Remove support for TDI 7.0 (with the introduction of bind variable support, the adapter no longer works with TDI 7.0).

Items included in 5.1.11 release
MR110910208 | Oracle Transparent Application Failover (TAF). See Configuration Notes for additional information.

Items included in 5.1.8 release
MR1111103725, MR0716094732 | Oracle: add the ability to require an SSL connection from the Oracle adapter to Oracle. Oracle: need a secure connection from the Oracle adapter to the Oracle database. See Configuration Notes for additional information.
| Add support for TDI 7.1 with Fix Pack 3 (or higher).

Items included in 5.1.7 release
MR070810203 | The Oracle database adapter needs to support proxy-from and proxy-to provisioning functionality. See Configuration Notes for additional information.
OSDB | This version of the adapter is certified for Oracle Database version 11gR2. See Configuration Notes for additional information.

Items included in 5.1.6 release
MR091010394 | The Oracle database adapter did not handle tablespace quotas properly when the tablespace was dropped. Added support for the "DROPPED" flag in the adapter. See Configuration Notes for additional information.

Items included in 5.1.4 and 5.1.5 releases
None

Items included in 5.1.3 release
MR0605095719, MR0605094210 | Enhance the Oracle adapter to manage non-default roles. See Configuration Notes for additional information.
| Add support for TDI 7.0 with Fix Pack 1 (or higher).

Items included in 5.1.2 release
None

Items included in 5.1.1 release
Initial release for ITIM v5.1
Closed Issues
CMVC# / APAR# / PMR# | Description

Items closed in current release (5.1.20)
Internal | Number of attributes completely failed and partially completed: in some change operations, such as adding a role that does not exist, the log may report inconsistent counts of attributes that completely failed and attributes that partially completed. In this scenario ISIM may show an incorrect status code, but the ISIM LDAP is updated correctly.

Items closed in 5.1.19 release
IV72523 | A warning on eroraroles adds still causes the ITIM Server LDAP to update.
RTC 123371 | Stored procedures not installed or updated correctly by the adapter. From this version of the adapter, the new stored procedures are installed and the old stored procedures are uninstalled from the database. Note: the adapter appends the adapter version to the name of each procedure when installing. While uninstalling, the adapter first checks whether the ISIM versions of the new and old stored procedures are the same, and then uninstalls only those stored procedures whose version is lower than the version currently being installed. Once the stored procedures for a version are installed on the resource, you can remove the stored procedure scripts for that version from the timsol folder.

Items closed in 5.1.18 release
None.

Items closed in 5.1.17 release
Bug 1533/1534, PMR 92805,077,649 | An underscore character in the Oracle reconcile filter is not handled as expected.

Items closed in 5.1.16 release
IV62175 | The Oracle 5.1.14 adapter does not reconcile system privileges correctly when DBA_WM_SYS_PRIVS is not accessible. Note: the DBA_WM_SYS_PRIVS view is available only to users with the WM_ADMIN_ROLE or SELECT_CATALOG_ROLE role.
IV60298 | The Oracle adapter Install Guide implies that enabling auditing is optional (documentation). For details see the configuration note "IV60298 Oracle adapter Install Guide implies enabling auditing is optional" below.

Items closed in 5.1.15 release
IV50833 | Unable to set the default consumer group. For details see the configuration note "IV50833 Setup Stored Procedures SQL scripts" below.

Items closed in 5.1.14 release
IV52049 | Fixed adapter not returning group type membership during reconciliation.
IV50378 | Fixed user name quoting problems.
IV54961 | Fixed: the user password must not be shown in the log.
INT104116 | Fixed "invalid column index" message.

Items closed in 5.1.12 release
IV04068 | The Oracle adapter is not setting default roles. See Configuration Notes for additional information.
IV12085 | In the "Managing passwords when restoring accounts" section of the "Directory Integrator-Based Oracle Database Adapter Installation and Configuration Guide", the Property Name (mixed case) should be property name (lower case). There is also a missing ">" at the end of RESTORE ".

Items closed in 5.1.8 release
38718 | The Test Connection function on the service form does not attempt to connect to the Oracle server after a first successful connection. As a result, Test Connection reports a successful connection even when the Oracle server is down.

Items closed in 5.1.7 release
IZ89618, PMR 31212,122,000 | Error during add account for Oracle if the password contains the special characters curly brackets {}.
37696 | Restore operation gives a warning even if the account type is "Local".
37698 | Restore sets the password to "null" even if the password is not changed. If a restore operation did not contain the password attribute (erPassword), the adapter set the password to the string "null". The adapter is updated.

Items closed in 5.1.6 release
IZ81058, PMR 63319,668,668 | Oracle TDI Adapter modify tablespace quota not working.
IZ81480, PMR 90554,999,760 | Script error occurs when changing the password of an Oracle account whose authentication type is EXTERNAL.

Items closed in 5.1.5 release
IZ74714, PMR 66853,122,000 | The account under which the Oracle adapter is running must have Create Table and Drop Table permission. (Release note update only.)

Items closed in 5.1.4 release
PMR 08436,228,631 | The Oracle adapter always returns attribute erOraExpirePwd as failed.

Items closed in 5.1.3 release
IZ55533, PMR 14373,487,000 | The Oracle adapter shows the Oracle connection password in clear text in the ibmdi.log file.

Items closed in 5.1.2 release
PMR 37877,999,624 | The Oracle adapter converts the username to uppercase during provisioning. A new configuration option has been added to control this behavior. See Configuration Notes for more information.

Items closed in 5.1.1 release
None.
Known Issues
Internal# / APAR# / PMR# | Description

Converting between Default and Non-default Roles | Making a role a non-default role is a two-step process: 1. Assign the role to the user with a "GRANT" statement. 2. Make the role non-default with "ALTER USER". If the "ALTER USER" command fails, the role remains a default role on the resource, but it does not appear in any of the role lists on the TIM side. Submit a reconciliation so that it appears in the default role list, or submit the request again.
Error on SendOnly Attributes | If the Oracle adapter fails to set the send-only attribute "erOraExpirePwd" on the Oracle database resource during an ADD operation, the adapter returns this attribute in the failed attribute list and ITIM 5.1 generates an "Object Class Violation" error. This is an ITIM 5.1 server defect and will be addressed in the next server fix pack.
Restoring Local Authenticated Accounts | Restoring an account that uses local authentication is a two-step process: 1. Change the password for the user. 2. Restore the account on the resource. If step 1 succeeds and step 2 fails, the password is changed on the resource without the account being restored. Workaround: the user remains suspended and the account can be restored with a new password.
See the IBM Tivoli Identity Manager Adapter Installation Guide for detailed instructions.
The following corrections to the Installation Guide apply to this release:
RTC 123371 Stored procedures not installed/updated correctly by adapter
Replace the "Chapter 10. Uninstalling the adapter" section with the following information.
You can completely uninstall the Oracle Database Adapter by following these steps:
1. Uninstall the adapter from the Tivoli Directory Integrator server.
2. Uninstall the stored procedures from the Oracle Database.
3. Remove the adapter profile from the IBM Tivoli Identity Manager server.
Uninstall the adapter from the Tivoli Directory Integrator server
The Oracle Database Adapter installation creates an oracledbsql folder on the Tivoli Directory Integrator server, so you need to remove the oracledbsql folder.
To remove the Oracle Database Adapter, complete these steps:
1. Stop the adapter service.
2. Remove the oracledbsql folder from the ITDI_HOME\timsol folder.
Uninstall the adapter stored procedures from the Oracle Database
1. To drop the ISIM_SET_DEF_CONGROUP stored procedure, execute this SQL command on the Oracle Database:
DROP PROCEDURE ISIM_SET_DEF_CONGROUP<version>
2. To drop the ISIM_OBTAIN_LOCK stored procedure, execute this SQL command on the Oracle Database:
DROP PROCEDURE ISIM_OBTAIN_LOCK<version>
Here <version> is the version suffix that the adapter appended directly to the procedure name at installation time (there is no separator before it). For example, for adapter version 5.1.18.72 the stored procedure names are ISIM_SET_DEF_CONGROUP5111872 and ISIM_OBTAIN_LOCK5111872. Because the suffix depends on the exact build that was installed, list the procedures that actually exist (USER_OBJECTS or DBA_OBJECTS, object_type PROCEDURE, names beginning with ISIM_OBTAIN_LOCK or ISIM_SET_DEF_CONGROUP) and drop the names you find rather than deriving them by hand; if more than one adapter version has left procedures behind, drop all of them when uninstalling completely.
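The following Python script is an added example written for this note; it is not part of the adapter package or IBM's documentation. It takes the procedure names returned by a data-dictionary query and builds the DROP PROCEDURE statements for the adapter's leftover procedures, leaving the pair that belongs to the version still in use untouched, and refusing to turn anything that is not a known base name followed by digits into DDL. The query text, the sample object names and the version suffixes in the sample are constructed for illustration; the naming pattern (base name with the version digits appended) follows the example above.

```python
import re

# Lists the adapter's versioned stored procedures in the connecting account's
# schema. Standard Oracle data-dictionary SQL written for this example; run it
# as the adapter account, or switch to DBA_OBJECTS with an OWNER predicate.
LIST_ADAPTER_PROCEDURES_SQL = (
    "SELECT object_name FROM user_objects "
    "WHERE object_type = 'PROCEDURE' "
    "AND (object_name LIKE 'ISIM_OBTAIN_LOCK%' "
    "OR object_name LIKE 'ISIM_SET_DEF_CONGROUP%')"
)

# Base names from the release note; the adapter appends the version suffix
# directly (e.g. ISIM_OBTAIN_LOCK5111872). Only a known base followed by
# digits is accepted, so a stray object that merely starts with ISIM_ (or a
# malformed row) is never turned into a DROP statement.
_ADAPTER_PROC_RE = re.compile(r"^(ISIM_OBTAIN_LOCK|ISIM_SET_DEF_CONGROUP)(\d+)$")
_OWNER_RE = re.compile(r"^[A-Z][A-Z0-9_$#]*$")


def split_versioned_name(object_name):
    """Return (base, version_suffix) for an adapter procedure name, else None."""
    m = _ADAPTER_PROC_RE.match(object_name.strip().upper())
    return (m.group(1), m.group(2)) if m else None


def uninstall_statements(object_names, keep_suffix=None, owner=None):
    """Build DROP PROCEDURE statements for the adapter procedures in object_names.

    keep_suffix: version suffix of the adapter still in use; its procedures are
                 left alone so a running adapter keeps working. None means a
                 complete uninstall: every adapter procedure found is dropped.
    owner:       schema to qualify the names with when dropping as a DBA.
    Returns (statements, skipped); skipped holds names that did not match the
    strict adapter pattern and were deliberately ignored.
    """
    if owner is not None and not _OWNER_RE.match(owner):
        raise ValueError("owner must be an unquoted Oracle identifier")
    prefix = f"{owner}." if owner else ""
    statements, skipped = [], []
    for name in object_names:
        parsed = split_versioned_name(name)
        if parsed is None:
            skipped.append(name)
            continue
        base, suffix = parsed
        if keep_suffix is not None and suffix == keep_suffix:
            continue
        statements.append(f"DROP PROCEDURE {prefix}{base}{suffix}")
    return statements, skipped


# Constructed sample of what the query might return on a database that has
# seen two adapter versions, plus an unrelated object and a malformed row.
SAMPLE_OBJECT_NAMES = [
    "ISIM_OBTAIN_LOCK5111872",
    "ISIM_SET_DEF_CONGROUP5111872",
    "ISIM_OBTAIN_LOCK512086",
    "ISIM_SET_DEF_CONGROUP512086",
    "ISIM_AUDIT_HELPER",
    "ISIM_OBTAIN_LOCK512086; DROP USER APP CASCADE",
]

if __name__ == "__main__":
    # Keep the procedures of the version still installed, drop the older pair.
    drops, ignored = uninstall_statements(SAMPLE_OBJECT_NAMES, keep_suffix="512086")
    for stmt in drops:
        print(stmt + ";")
    for name in ignored:
        print("-- ignored (not an adapter procedure):", name)
```

Run the query with the adapter account (or as a DBA against DBA_OBJECTS, passing the adapter schema as `owner`), feed the returned names to `uninstall_statements`, and review the printed statements before executing them; the strict name check is what keeps a polluted dictionary row from becoming executable SQL.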
Remove the adapter profile from the IBM Tivoli Identity Manager server
Before you remove the adapter profile, ensure that no objects exist on your IBM Tivoli Identity Manager server that reference the adapter profile.
Examples of objects on the IBM Tivoli Identity Manager server that can reference the adapter profile are:
Note: The Dispatcher component must be installed on your system for adapters to function correctly in a Tivoli Directory Integrator environment. When you delete the adapter profile for the Oracle Database Adapter, do not uninstall the Dispatcher.
For specific information about how to remove the adapter profile, see the online help or the IBM Tivoli Identity Manager product documentation.
71947 (36726) Option to disable CASCADE when removing an Oracle user
Add the following row to the attribute table in Appendix A. Adapter attributes:
Attribute | Description | Oracle column or table
eroradonotcascadedelete | Do not Cascade on Delete | N/A
Add the following in "Chapter 3. Adapter installation", section "Creating an adapter service", under "step 5 of Procedures", at the end of "On the Oracle connection tab":
Do not Cascade on Delete:
Optional: Select this check box to explicitly choose not to cascade when deleting a user. By default the adapter deletes a user with CASCADE, which also drops every object in that user's schema. With the check box selected, Oracle refuses the DROP USER if the user still owns objects, so the deprovisioning request reports a failure instead of silently destroying the schema's data.
71039 (36376) Oracle network encryption for the JDBC thin client
Add the following row to the attribute table in Appendix A. Adapter attributes:
Attribute | Description | Oracle column or table
eroraasoproperties | JDBC Thin Client Properties File Path | N/A
Add the following in "Chapter 3. Adapter installation", section "Creating an adapter service", under "step 5 of Procedures", at the end of "On the Oracle connection tab":
JDBC Thin Client Properties File Path:
Optional: Specify the path of the Oracle Advanced Security option properties file that enables thin client encryption.
Add a new subsection "Configuring network data encryption and integrity for JDBC thin clients" under "Chapter 4. First steps after installation".
Network data encryption and integrity for JDBC thin clients is a feature of Oracle Advanced Security that lets thin Java Database Connectivity (JDBC) clients connect and communicate securely with the Oracle database.
To enable this Oracle Advanced Security feature, specify on the service form the location of a properties file that contains several Java properties.
Configuring the properties file
Extract the adapter package and locate the OraPropertiesFile folder inside the package; this folder contains the OraASO.properties file.
The Oracle Advanced Security option properties file (OraASO.properties) contains several configuration properties that need to be set. The properties file looks like this:
oracle.net.encryption_client=requested
oracle.net.encryption_types_client=(AES256)
oracle.net.crypto_checksum_client=requested
oracle.net.crypto_checksum_types_client=SHA1
Note that the level "requested" only asks the server for encryption and integrity checking: if the server's SQLNET.ENCRYPTION_SERVER or SQLNET.CRYPTO_CHECKSUM_SERVER setting declines the service, the session proceeds in cleartext. Set both levels to "required" when the connection must not fall back, and confirm the result on the database side (the NETWORK_SERVICE_BANNER column of V$SESSION_CONNECT_INFO shows whether encryption and checksumming are active for the adapter's session) rather than assuming it. For all possible values of these properties and detailed information, refer to "Configuring JDBC thin clients".
Add the following rows as "Table 7. Group Attributes, descriptions and permissions of attribute" under Appendix A. Adapter attributes.
Attribute | Description | Oracle column or table
eroraexpirydate | Expiry Date of Oracle account | ACCOUNT_STATUS
eroracreatedate | Creation Date of Oracle Account | CREATED
eroralockdate | Lock Date of Oracle Account | LOCK_DATE
eroraaccountstatusstr | Account Status of Oracle Account | ACCOUNT_STATUS
Add a new row to Table 5 in Chapter 3: Installing the adapter, Section: Creating an adapter user account.
Privilege - SELECT ON SYS.USER$
Description - For Oracle 12c support (non-container database), to read the PTIME (password last changed date) column of the SYS.USER$ table. Grant this privilege to the adapter user so that "Last password change date" is retrieved correctly. SYS.USER$ also holds password hashes, so grant it to the adapter account directly and do not place it in a role shared with other users.
Add a new row to Table 5 in Chapter 3: Installing the adapter, Section: Creating an adapter user account.
Privilege - WM_ADMIN_ROLE or SELECT_CATALOG_ROLE role
Description - To access the DBA_WM_SYS_PRIVS view.
No additional steps are needed to install the 5.1 version of the Oracle DB adapter over an existing 5.0 adapter version. However, you must import the 5.1 service type (profile) after installing the adapter.
The account under which the adapter runs must have Create Table and Drop Table permissions. This information is omitted from the installation guide.
The following configuration notes apply to this release:
IV60298 Oracle adapter Install Guide implies enabling auditing is optional
Add the following note to Chapter 4: Configuring the adapter, Section: Enabling auditing on Oracle resource
Note: The erLastAccessDate attribute may not reflect the correct date if auditing is not enabled.
IV50833 Setup Stored Procedures SQL scripts
Add a new row to Table 5 in Chapter 3: Installing the adapter, Section: Creating an adapter user account.
Privilege - EXECUTE on DBMS_LOCK and the ADMINISTER_RESOURCE_MANAGER system privilege
Description - To execute the stored procedures that set the consumer group.
Add the following to Chapter 3: Installing the Adapter, Section: Installing the Adapter
The consumer group attribute is now set using two stored procedures. This was done to handle simultaneous provisioning requests: the stored procedures acquire a lock before updating an account's default consumer group and release the lock when the update finishes.
To set up the stored procedure SQL scripts, follow these steps:
1. Unzip the package and locate the oracledbsql folder inside the package.
2. Copy the oracledbsql folder into the ISIM solution directory, for example C:\TDI_HOME\timsol\.
3. Import the latest adapter profile and restart the dispatcher.
4. To install the stored procedures on the resource, perform a reconciliation operation.
Change the following in Appendix A: Adapter Attributes, Table 8
Attribute | Description | Oracle Column or Table
erOraRsrcConsumerGroup | The consumer groups that a user can switch to. | GRANTED_GROUP / DBA_RSRC_CONSUMER_GROUP_PRIVS
erOraDefRsrcConsumerGroup | The default or initial consumer group for a user. If no value is assigned, the default value DEFAULT_CONSUMER_GROUP is assigned to this attribute. The attribute therefore holds either that default value or one value from the list of resource consumer groups allowed for the user (erOraRsrcConsumerGroup is multivalued; this attribute is single-valued). Assigning any value outside that list results in an error on the resource, so the value of erOraDefRsrcConsumerGroup must be one of the values of erOraRsrcConsumerGroup. | INITIAL_RSRC_CONSUMER_GROUP / DBA_USERS
Is SID option
Configuration attribute "Is SID" has been added to the profile. If the Oracle Database service is identified by a SID instead of a real service name, put the SID value in the Oracle Service Name field and also select the Is SID check box. By default, the Is SID check box is not selected. This affects how the connection to the database is made: if it is accidentally selected while the database uses a real service name, the test connection fails.
Convert Username to Uppercase option
Configuration attribute "ConvertUserNameToUpperCase" has been added to the profile. If you do not want the username converted to uppercase when provisioning accounts on the resource, set ConvertUserNameToUpperCase = FALSE. Note that a mixed-case username is a quoted identifier in Oracle and must be quoted, with the same case, in every statement that refers to it.
Summary of changes:
i) A new attribute erOraConvertUserNameToUpperCase (OID: 1.3.6.1.4.1.6054.3.138.2.23) is defined and added to the erOraRMIService class.
ii) A new label (eroraconvertusernametouppercase = Convert Username to Uppercase) is added to the CustomLabels.properties file.
Limitations: the following attributes are still set with the username converted to uppercase, regardless of this setting:
o Resource Consumer Group
o Default Consumer Group
o Workspace related System Privileges
This is because these attributes are set using Oracle-supplied stored procedures, which convert the username to uppercase.
Non-default roles
The Oracle adapter is enhanced to manage non-default roles on the Oracle resource through the ITIM adapter. To support this enhancement the profile of the Oracle adapter is extended.
The following two new String attributes are defined in the schema.dsml file:
i. "erOraNonDefRole (OID: 1.3.6.1.4.1.6054.3.138.2.24)" added to the "erOraAccount" class.
ii. "erOraPassRequired (OID: 1.3.6.1.4.1.6054.3.138.2.25)" added to the "erOraRoles" class.
A new label (eroranondefrole = Database Non Default Roles) is added for the "erOraNonDefRole" attribute in the CustomLabels.properties file.
This attribute is visible on the account form, and only password-protected and external roles are displayed in the search widget of this attribute. If you want all roles displayed in the non-default list, modify the search filter on the account form as follows.
Existing filter:
<filter>(&(objectclass=erOraRoles)(!(erOraPassRequired=No)))</filter>
Modify the filter to:
<filter>(objectclass=erOraRoles)</filter>
A role can be converted from a non-default role to a default role in one TIM operation: remove the role from the non-default role list and assign the same role as a default role in the same operation.
Prior to adapter version 5.1.11, converting a role from a default role to a non-default role required two TIM operations:
1. Revoke (delete) the role from the default role list in one operation.
2. Modify the account and add the role as a non-default role in a second operation.
From adapter version 5.1.11 onwards, a role can be converted from a default role to a non-default role in one TIM operation: remove the role from the default role list and assign the same role as a non-default role in the same operation.
Dropped tablespaces
The Oracle adapter is enhanced so that if a tablespace is flagged as dropped in the system view "DBA_TS_QUOTAS", its tablespace quota is not returned to ITIM during reconciliation.
Note that this feature is supported only on Oracle versions in which the column "DROPPED" is available in "DBA_TS_QUOTAS".
For example, in Oracle 8i and 9i the column "DROPPED" is not available in "DBA_TS_QUOTAS", so this enhancement is not supported on those versions and the adapter reconciles all tablespace quotas as earlier versions did.
Oracle Database 11g and 11gR2 certification
The Oracle adapter is certified for Oracle Database 11g and 11gR2.
Add the following item under the subsection "Managed Resource" in "Installation Platform" under the section "Supported Configuration":
1. Managed resource: Oracle Database version 11g and 11gR2
The type 4 (JDBC thin) drivers for 11gR2 should be copied to one of the following locations:
i. TDI_HOME\jars\3rdparty\others
ii. TDI_HOME\jvm\jre\lib\ext
where TDI_HOME is the directory where Tivoli Directory Integrator is installed. For example, on a Windows platform this directory would be "C:\Program Files\IBM\TDI\V7.0".
Proxy users
The adapter is enhanced to manage proxy-to provisioning functionality. To support this enhancement the profile of the Oracle adapter is extended.
The following new String attribute is defined in schema.dsml:
i. "erOraProxyToUsers (OID: 1.3.6.1.4.1.6054.3.138.2.26)" is added to the "erOraAccount" class.
1. A new label (eroraproxytousers = Proxy to Users) is added for this attribute in the CustomLabels.properties file.
2. This attribute is visible on the Account form.
The label for the string attribute "erOraProxyUsers" is replaced with "Proxy from Users" in the CustomLabels.properties file. This attribute is also visible on the Account form.
Notes:
i. The account form is enhanced with the new attribute "Proxy to Users". The user being added from the account form acts as a proxy user for every valid user specified in this attribute. Because a proxy user can connect as the target user, each entry effectively delegates that user's privileges to the account being provisioned; review the list as carefully as a direct privilege grant.
ii. "Proxy to Users" is a multivalued attribute.
SSL connection to the Oracle database
The adapter is enhanced to allow a secure connection from the adapter to the Oracle database.
The following new Boolean and Distinguished Name (DN) attributes are defined in the schema.dsml file:
i. "erOraUseSSL (OID: 1.3.6.1.4.1.6054.3.138.2.27)" is added to the "erOraRMIService" class.
1. A new label (erorausessl = Use SSL communication with Oracle) is added for this attribute in the CustomLabels.properties file.
2. This attribute is visible on the Service form.
ii. "erOraServerDN (OID: 1.3.6.1.4.1.6054.3.138.2.28)" is added to the "erOraRMIService" class.
1. A new label (eroraserverdn = Oracle Server Distinguished Name) is added for this attribute in the CustomLabels.properties file.
2. This attribute is visible on the Service form.
SSL support in the JDBC thin driver was first included in the 10g Release 2 driver, so the driver must come from Oracle Database 10gR2, 11g, or 11gR2. You can obtain the driver from:
i) The ORACLE_HOME\jdbc\lib directory of an Oracle Database (client or server) installation.
ii) The JDBC Driver Downloads page on the Oracle Technology Network (OTN) website.
The driver for JDK 1.5, and thus TDI 7.0, is ojdbc5.jar. Copy ojdbc5.jar to one of the following locations on the Tivoli Directory Integrator (TDI) machine:
i. TDI_HOME\jars\3rdparty\others
ii. TDI_HOME\jvm\jre\lib\ext
where TDI_HOME is the directory where TDI is installed. For example, on a Windows platform this directory would be "C:\Program Files\IBM\TDI\V7.0".
The driver for JDK 1.6, and thus TDI 7.1, is ojdbc6.jar. Copy ojdbc6.jar to one of the two TDI_HOME locations listed above. For TDI 7.1, the TDI_HOME directory on a Windows platform would be "C:\Program Files\IBM\TDI\V7.1".
Furthermore, previous versions of the JDBC thin driver should be removed from the two TDI_HOME locations above. The previous versions of the driver are one or more of the following:
Note that the zip files listed above may alternatively have been named as jar files, e.g. classes12.jar.
To enable SSL communication between the Oracle adapter and the Oracle database, a truststore and optionally a keystore need to be configured for the RMI dispatcher. A keystore must be configured if the Oracle database requires SSL client authentication.
To configure the truststore for the RMI dispatcher, you must at minimum import the Certification Authority (CA) certificate that was used to sign the certificate of the Oracle database.
The command to import a CA certificate into the truststore is as follows:
keytool -import -v -alias OACA -file CA.cer -keystore truststore.jks -storetype JKS -storepass "ThePwd12"
The truststore.jks and solution.properties files are located in the TDI_HOME\timsol directory.
In the solution.properties file, the following properties need to be set:
## server authentication
javax.net.ssl.trustStore=truststore.jks
javax.net.ssl.trustStorePassword=ThePwd12
javax.net.ssl.trustStoreType=jks
If the javax.net.ssl.trustStore property is already set to a truststore other than truststore.jks, the keytool command must import the CA certificate into the file named in that property.
Note that the store password, ThePwd12, is for test purposes only.
If the Oracle database does not require SSL client authentication and the keystore properties are not set in the solution.properties file, set the keystore properties to the same values as the truststore properties:
## client authentication
javax.net.ssl.keyStore=truststore.jks
javax.net.ssl.keyStorePassword=ThePwd12
javax.net.ssl.keyStoreType=jks
If the Oracle database requires SSL client authentication, a keystore must be configured. For test purposes you can use the following commands to set up a JKS keystore (the RSA key size is given explicitly because older keytool releases default to 1024 bits):
cd c:\temp
mkdir clientjks
keytool -genkey -alias OADB -dname "CN=client,C=US" -storetype JKS -keystore clientjks\client.jks -keyalg RSA -keysize 2048 -storepass "ThePwd12"
keytool -certreq -alias OADB -file clientjks\creq.cer -keystore clientjks\client.jks -storepass "ThePwd12"
orapki cert create -wallet ./authority -request clientjks\creq.cer -cert clientjks\signed.cer -validity 3650 -pwd=ThePwd12
keytool -import -v -alias OACA -file authority\CA.cer -keystore clientjks\client.jks -storepass "ThePwd12"
keytool -import -v -alias OADB -file clientjks\signed.cer -keystore clientjks\client.jks -storepass "ThePwd12"
The above commands assume that you have created a self-signed certification authority as described in the Oracle Database Server Configuration section later in this document.
In that case, set the keystore properties in the solution.properties file to the keystore you created:
## client authentication
javax.net.ssl.keyStore=client.jks
javax.net.ssl.keyStorePassword=ThePwd12
javax.net.ssl.keyStoreType=jks
Note that the store password, ThePwd12, is for test purposes only. Both store passwords are kept in clear text in solution.properties, so restrict read access to that file and to the store files to the account the dispatcher runs as.
To determine whether the Oracle database requires SSL client authentication, check the sqlnet.ora file on the target Oracle database server (the managed resource) for the following line:
SSL_CLIENT_AUTHENTICATION = FALSE
The value FALSE means that the Oracle database server does NOT require SSL client authentication; TRUE means that it DOES. If the parameter is absent, Oracle Net uses its default of TRUE, so treat a missing line as "client authentication required".
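As an added example that is not part of the adapter or of IBM's documentation, the following Python script audits the two client-side settings this note tells you to inspect before trusting the connection: the OraASO.properties file from the "Configuring network data encryption and integrity for JDBC thin clients" correction above, and the SSL_CLIENT_AUTHENTICATION line in sqlnet.ora. The property names and accepted values are the documented Oracle JDBC thin and Oracle Net parameters; the severity labels, the hardened sample file and the sqlnet.ora snippets are constructed for this example.

```python
import re

# Levels accepted by oracle.net.encryption_client and
# oracle.net.crypto_checksum_client. Only REQUIRED makes the driver refuse a
# session in which the server will not negotiate the service; ACCEPTED (the
# driver default when the property is absent), REQUESTED and REJECTED all let
# the session continue without it.
LEVELS = {"REJECTED", "ACCEPTED", "REQUESTED", "REQUIRED"}
FAIL_OPEN_LEVELS = LEVELS - {"REQUIRED"}

# Algorithms the thin driver still accepts but that should not be configured
# on a new deployment. SHA1 gets a lower severity: SHA-2 checksums need a 12c
# or later driver and server, which not every 11gR2 site has.
LEGACY_ENCRYPTION = {"DES", "DES40", "RC4_40", "RC4_56", "RC4_128", "RC4_256", "3DES112"}
LEGACY_CHECKSUM = {"MD5"}
UPGRADE_CHECKSUM = {"SHA1"}

# The properties file shipped in the OraPropertiesFile folder, as quoted above.
SHIPPED_ORAASO_PROPERTIES = """\
oracle.net.encryption_client=requested
oracle.net.encryption_types_client=(AES256)
oracle.net.crypto_checksum_client=requested
oracle.net.crypto_checksum_types_client=SHA1
"""

# Constructed hardened variant: fail closed, AES only, SHA-2 integrity.
HARDENED_ORAASO_PROPERTIES = """\
oracle.net.encryption_client=REQUIRED
oracle.net.encryption_types_client=(AES256)
oracle.net.crypto_checksum_client=REQUIRED
oracle.net.crypto_checksum_types_client=(SHA256)
"""


def parse_properties(text):
    """Minimal java.util.Properties reader: '#'/'!' comments, key=value or key:value."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def algorithm_list(value):
    """'( AES256, AES128 )' -> ['AES256', 'AES128']; a bare 'SHA1' -> ['SHA1']."""
    inner = value.strip().strip("()")
    return [a.strip().upper() for a in inner.split(",") if a.strip()]


def audit_aso_properties(text):
    """Return (severity, message) findings for an OraASO.properties file; [] means clean."""
    props = parse_properties(text)
    findings = []
    for key in ("oracle.net.encryption_client", "oracle.net.crypto_checksum_client"):
        level = props.get(key, "ACCEPTED").upper()
        if level not in LEVELS:
            findings.append(("ERROR", f"{key}={level} is not a valid level"))
        elif level in FAIL_OPEN_LEVELS:
            findings.append(("HIGH", f"{key}={level} lets the session fall back to cleartext; use REQUIRED"))
    for alg in algorithm_list(props.get("oracle.net.encryption_types_client", "")):
        if alg in LEGACY_ENCRYPTION:
            findings.append(("MEDIUM", f"encryption type {alg} is legacy; use AES256, AES192 or AES128"))
    for alg in algorithm_list(props.get("oracle.net.crypto_checksum_types_client", "")):
        if alg in LEGACY_CHECKSUM:
            findings.append(("MEDIUM", f"checksum type {alg} is legacy; use SHA1 or a SHA-2 variant"))
        elif alg in UPGRADE_CHECKSUM:
            findings.append(("LOW", f"checksum type {alg}: move to SHA256/SHA384/SHA512 once driver and server support it"))
    return findings


def ssl_client_auth_required(sqlnet_text):
    """True when the server's sqlnet.ora requires SSL client authentication.

    Oracle Net defaults SSL_CLIENT_AUTHENTICATION to TRUE when the parameter
    is absent, so a missing line means the dispatcher needs a keystore.
    """
    for raw in sqlnet_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"SSL_CLIENT_AUTHENTICATION\s*=\s*\(?\s*(TRUE|FALSE)\s*\)?\s*$", line, re.I)
        if m:
            return m.group(1).upper() == "TRUE"
    return True


if __name__ == "__main__":
    for name, text in (("shipped", SHIPPED_ORAASO_PROPERTIES), ("hardened", HARDENED_ORAASO_PROPERTIES)):
        print(f"{name}: {audit_aso_properties(text) or 'no findings'}")
    print("client auth required:", ssl_client_auth_required("SSL_CLIENT_AUTHENTICATION = FALSE\n"))
```

Point `audit_aso_properties` at the file named in the service's "JDBC Thin Client Properties File Path" and `ssl_client_auth_required` at the managed database's sqlnet.ora; a HIGH finding means the session can silently run unencrypted, and a True result means the keystore section above is mandatory, not optional.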
To configure both the truststore and the keystore on the Oracle database server, Oracle tools such as the Oracle Wallet Manager and the orapki command are used. For test purposes you can use the following commands to set up a self-signed certification authority, truststore, and keystore (the -pwd values are test passwords and appear in the shell history and process list; use a wallet password prompt or a protected script for real deployments):
cd c:\temp
mkdir authority
mkdir server
mkdir client
Self-signed Certification Authority
orapki wallet create -wallet ./authority -pwd=ThePwd12
orapki wallet add -wallet ./authority -dn "CN=authority, C=US" -keysize 2048 -self_signed -validity 3650 -pwd=ThePwd12
orapki wallet export -wallet ./authority -dn "CN=authority, C=US" -cert ./authority/CA.cer -pwd=ThePwd12
The CA.cer file in the authority directory is the trusted certificate that is used in the keytool command to import a CA certificate into the truststore for the RMI dispatcher.
Stores for Server Authentication
orapki wallet create -wallet ./server -auto_login -pwd=ThePwd12
orapki wallet add -wallet ./server -dn "CN=server, C=US" -keysize 2048 -pwd=ThePwd12
orapki wallet export -wallet ./server -dn "CN=server, C=US" -request ./server/creq.cer -pwd=ThePwd12
orapki cert create -wallet ./authority -request ./server/creq.cer -cert ./server/signed.cer -validity 3650 -pwd=ThePwd12
orapki wallet add -wallet ./server -trusted_cert -cert ./authority/CA.cer -pwd=ThePwd12
orapki wallet add -wallet ./server -user_cert -cert ./server/signed.cer -pwd=ThePwd12
Stores for Client Authentication
orapki wallet create -wallet ./client -auto_login -pwd=ThePwd12
orapki wallet add -wallet ./client -dn "CN=client, C=US" -keysize 2048 -pwd=ThePwd12
orapki wallet export -wallet ./client -dn "CN=client, C=US" -request ./client/creq.cer -pwd=ThePwd12
orapki cert create -wallet ./authority -request ./client/creq.cer -cert ./client/signed.cer -validity 3650 -pwd=ThePwd12
orapki wallet add -wallet ./client -trusted_cert -cert ./authority/CA.cer -pwd=ThePwd12
orapki wallet add -wallet ./client -user_cert -cert ./client/signed.cer -pwd=ThePwd12
Oracle Network Configuration
The following two files need to be configured on the Oracle database server to enable SSL:
TDI must be configured to locate these Oracle Net Services files along with locating the JDBC OCI driver.
In a Database Client installation, the ORACLE_HOME environment variable is defined, which enables TDI to locate the Oracle Net Services files. On Windows, ORACLE_HOME is often defined in the registry.
In an Instant Client installation, you must define the TNS_ADMIN environment variable, an Oracle Client variable, to point to the directory that holds the Oracle Net Services configuration files.
Configuring TDI to locate the JDBC OCI driver is described in the Oracle Adapter Configuration section later in this document.
The following two files, sqlnet.ora and tnsnames.ora, need to be configured on the Oracle database client to enable TAF.
These files are located in the network\admin directory of the Oracle home directory. They are often edited through the Oracle Net Manager, but for TAF configuration they must be edited with a text editor. Editing both files effectively configures Oracle Net Services.
In an Instant Client installation these files do not exist and must be created. Both must reside in the same directory; the Instant Client directory itself is a suitable location.
The information in the following files serves as an example on how TAF can be configured:
sqlnet.ora:
SQLNET.AUTHENTICATION_SERVICES = (NONE)
NAMES.DIRECTORY_PATH = (TNSNAMES)
tnsnames.ora:
PRODONE =
  (DESCRIPTION_LIST =
    (FAILOVER = true)
    (LOAD_BALANCE = false)
    (DESCRIPTION =
      (ADDRESS_LIST =
        (ADDRESS = (PROTOCOL = TCP)(HOST = YourFirstHost)(PORT = 1521))
      )
      (CONNECT_DATA =
        (SERVER = dedicated)
        (FAILOVER_MODE =
          (BACKUP = PRODTWO)
          (TYPE = select)
          (METHOD = basic)
          (RETRIES = 20)
          (DELAY = 3)
        )
        (SERVICE_NAME = ORCL)
      )
    )
    (DESCRIPTION =
      (ADDRESS_LIST =
        (ADDRESS = (PROTOCOL = TCP)(HOST = YourSecondHost)(PORT = 1521))
      )
      (CONNECT_DATA =
        (SERVICE_NAME = ORCL)
      )
    )
  )
PRODTWO =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS_LIST =
        (ADDRESS = (PROTOCOL = TCP)(HOST = YourSecondHost)(PORT = 1521))
      )
      (CONNECT_DATA =
        (SERVICE_NAME = ORCL)
      )
    )
  )
With TAF the adapter can automatically reconnect to a database when the instance to which it is connected fails or is shut down. TAF transparently reconnects the application to a preconfigured secondary instance, creating a fresh connection that is otherwise identical to the one established on the original instance.
In the tnsnames.ora file listed above, PRODONE is the net service alias that (as an example) defines both TAF and Connect Time Failover (CTF). The first description in the description list defines TAF; the second defines CTF.
The TAF description indicates that once a connection to YourFirstHost is established and that connection subsequently fails, the connection fails over to YourSecondHost via the PRODTWO net service alias. The CTF description indicates that when YourFirstHost is down before the initial connection is made, the connection fails over to YourSecondHost.
One TAF feature is the failover TYPE of select: if the first connection was in the middle of a SELECT statement when it failed and the second connection succeeds, the statement is re-executed on the second connection and the cursor is repositioned so that the client can continue fetching rows as if nothing had happened.
TDI must be configured to locate the JDBC OCI driver and Oracle Net Services. To locate the JDBC OCI driver, the path variable must be amended to include the Oracle home bin directory or the Instant Client directory. To locate Oracle Net Services, the ORACLE_HOME environment variable must be defined for a Database Client installation or the TNS_ADMIN environment variable for an Instant Client installation.
Depending on the TDI service, the path variable is configured slightly differently.
There are two TDI services that can exist, or co-exist, on your TDI target:
i) The "IBM Tivoli Identity Manager Adapter" service (ITDIAsService.exe)
ii) The "IBM Tivoli Directory Integrator" service (ibmdiservice.exe)
For the ITDIAsService service, the path is configured in the Windows registry. For the ibmdiservice service, the path is configured in the ibmdiservice.props properties file.
For both TDI services, check to see that the ORACLE_HOME environment variable is defined in the Windows registry in a Database Client installation, or alternatively define the ORACLE_HOME environment variable as a System variable in Windows.
For an Instant Client installation, define the TNS_ADMIN environment variable as a System variable in Windows.
An example ORACLE_HOME environment value is:
ORACLE_HOME=C:\app\administrator\product\11.2.0\client_1
An example TNS_ADMIN environment value is:
TNS_ADMIN=C:\app\administrator\product\11.2.0\client_1
With ORACLE_HOME defined, the JDBC OCI driver knows to locate the Oracle Net Services files in the network\admin directory of the Oracle home directory. With TNS_ADMIN defined, the JDBC OCI driver knows to locate the Oracle Net Services files in the specified directory.
Path for ibmdiservice in Properties File
Edit the path variable in the ibmdiservice.props file, which can be found in the following directory:
C:\Program Files\IBM\TDI\V7.0\timsol
Edit the path variable to include the Oracle home bin as follows:
path=C:\Program Files\IBM\TDI\V7.0\jvm\jre\bin;C:\Program Files\IBM\TDI\V7.0\libs;C:\app\administrator\product\11.2.0\client_1\bin;
For an Instant Client installation edit the path variable as follows:
path=C:\Program Files\IBM\TDI\V7.0\jvm\jre\bin;C:\Program Files\IBM\TDI\V7.0\libs;C:\app\administrator\product\11.2.0\client_1;
Path for ITDIAsService in Registry
Edit the ImagePath registry variable, which can be found in the following location:
HKLM\SYSTEM\ControlSet001\Services\IBM Tivoli Identity Manager Adapter
Note: The value of ImagePath is an expandable String Value aka a REG_EXPAND_SZ Type.
Edit the ImagePath variable to include %ORACLE_HOME%\bin as follows:
"C:\Program Files\IBM\TDI\V6.1.1\timsol\ITDIAsService.exe"; -Djava.library.path="C:\Program Files\IBM\TDI\V6.1.1\libs;%ORACLE_HOME%\bin;%PATH%";
Note: Use %ORACLE_HOME% in the ImagePath variable only when the ORACLE_HOME variable is defined as a System variable on Windows; otherwise include the Oracle home bin directory explicitly as follows:
"C:\Program Files\IBM\TDI\V6.1.1\timsol\ITDIAsService.exe"; -Djava.library.path="C:\Program Files\IBM\TDI\V6.1.1\libs;C:\app\administrator\product\11.2.0\client_1\bin;%PATH%";
For an Instant Client installation, edit the ImagePath variable to include the directory of the Instant Client files as follows:
"C:\Program Files\IBM\TDI\V6.1.1\timsol\ITDIAsService.exe"; -Djava.library.path="C:\Program Files\IBM\TDI\V6.1.1\libs;C:\app\administrator\product\11.2.0\client_1;%PATH%";
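The path values above are easy to get subtly wrong: a space after a semicolon produces an entry that never matches a directory, and %ORACLE_HOME% in a REG_EXPAND_SZ ImagePath only expands when ORACLE_HOME is a System variable. The Python script below is an added check, not part of the adapter or of TDI: it takes the path= value from ibmdiservice.props or the -Djava.library.path value from the ImagePath string and reports whitespace around entries, %VAR% references with no System variable behind them, and a missing Oracle bin or Instant Client entry. The sample values are this page's; the stray space in PROPS_PATH is deliberate, and the SYSTEM_ENV dictionary standing in for the Windows System variables is an assumption.

```python
"""Check the library path handed to TDI for the Oracle OCI client (added example,
not adapter code). Applies to the path= line of ibmdiservice.props and to the
-Djava.library.path value inside the ITDIAsService ImagePath registry value."""
import re

def library_path_from_image_path(image_path):
    """Pull the quoted -Djava.library.path value out of an ImagePath string."""
    match = re.search(r'-Djava\.library\.path\s*=\s*"([^"]*)"', image_path)
    return match.group(1) if match else None

def check_library_path(value, oracle_dir, env):
    """Findings for a ';'-separated library path. env maps variable names (without
    the percent signs) to values, like the Windows System variables the service
    sees when a REG_EXPAND_SZ ImagePath is expanded."""
    findings, expanded_entries = [], []
    for raw in value.split(";"):
        entry = raw.strip()
        if not entry:
            continue
        if raw != entry:
            findings.append(f"entry {raw!r} has surrounding whitespace and will not match any directory")
        expanded = re.sub(r"%(\w+)%", lambda m: env.get(m.group(1), m.group(0)), entry)
        if "%" in expanded:
            findings.append(f"entry {entry!r} uses a variable that is not defined as a System variable")
        expanded_entries.append(expanded.rstrip("\\").lower())
    if oracle_dir.rstrip("\\").lower() not in expanded_entries:
        findings.append(f"{oracle_dir!r} is not on the path, so the JDBC OCI driver cannot load")
    return findings

def fixed_library_path(value, oracle_dir):
    """Return the path with whitespace removed and oracle_dir appended if missing."""
    entries = [e.strip() for e in value.split(";") if e.strip()]
    if oracle_dir.lower() not in (e.lower() for e in entries):
        entries.append(oracle_dir)
    return ";".join(entries) + ";"

# Values from this page; the space before C:\app in PROPS_PATH is a constructed mistake.
ORACLE_BIN = r"C:\app\administrator\product\11.2.0\client_1\bin"
PROPS_PATH = (r"C:\Program Files\IBM\TDI\V7.0\jvm\jre\bin;C:\Program Files\IBM\TDI\V7.0\libs;"
              r" C:\app\administrator\product\11.2.0\client_1\bin;")
IMAGE_PATH = (r'"C:\Program Files\IBM\TDI\V6.1.1\timsol\ITDIAsService.exe"; '
              r'-Djava.library.path ="C:\Program Files\IBM\TDI\V6.1.1\libs;%ORACLE_HOME%\bin;%PATH%";')
# Assumed stand-in for the Windows System variables the service sees.
SYSTEM_ENV = {"ORACLE_HOME": r"C:\app\administrator\product\11.2.0\client_1", "PATH": r"C:\Windows\system32"}

if __name__ == "__main__":
    print(check_library_path(PROPS_PATH, ORACLE_BIN, SYSTEM_ENV))   # flags the whitespace entry
    print(fixed_library_path(PROPS_PATH, ORACLE_BIN))
    lib = library_path_from_image_path(IMAGE_PATH)
    print(check_library_path(lib, ORACLE_BIN, SYSTEM_ENV))          # ORACLE_HOME defined: clean
    print(check_library_path(lib, ORACLE_BIN, {"PATH": SYSTEM_ENV["PATH"]}))  # ORACLE_HOME missing
```

Run it against your own ibmdiservice.props or the ImagePath exported from the registry; for the ImagePath case, fill SYSTEM_ENV from the System variables actually defined on the TDI host, since a user variable is not visible to the service.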
To enable OCI communication between the Oracle adapter and the Oracle database, the following changes are needed on the Oracle adapter service form:
i) Check the checkbox labeled Use OCI communication with Oracle.
ii) Enter a value for the Oracle Service Alias field that corresponds to the net service alias listed in the tnsnames.ora file.
When the Use OCI communication with Oracle checkbox is checked, the JDBC OCI driver is used to communicate with the Oracle database server; when it is unchecked, the JDBC Thin driver is used.
Net service aliases defined in the tnsnames.ora file are the names on the left-hand side of the equal sign. For example, in the tnsnames.ora file listed above, PRODONE is the net service name defined for TAF and is therefore the value to enter in the Oracle Service Alias field.
Note that the checkbox labeled Use SSL communication with Oracle applies only to the JDBC Thin driver. Enabling SSL communication between the Oracle adapter and the Oracle database for the JDBC OCI driver requires the additional configuration described below.
The information in the following files serves as an example of how TAF with SSL can be configured. Two settings deserve a check before they are copied. SSL_VERSION = 3.0 selects SSLv3, which is obsolete; where the client and the database support it, set SSL_VERSION = 1.2 so that only TLS 1.2 is negotiated. SSL_SERVER_CERT_DN must hold the DN of the database server's certificate (CN=server, C=US for the server wallet created earlier in this document); together with SSL_SERVER_DN_MATCH = YES, this makes the client reject a server whose certificate carries a different DN, even one signed by the same trusted CA.
sqlnet.ora:
SQLNET.AUTHENTICATION_SERVICES = (TCPS)
NAMES.DIRECTORY_PATH = (TNSNAMES)
SSL_VERSION = 3.0
SSL_CLIENT_AUTHENTICATION = FALSE
SSL_SERVER_DN_MATCH = YES
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = C:\temp\client)
    )
  )
tnsnames.ora:
PRODONESSL =
  (DESCRIPTION_LIST =
    (FAILOVER = true)
    (LOAD_BALANCE = false)
    (DESCRIPTION =
      (ADDRESS_LIST =
        (ADDRESS = (PROTOCOL = TCPS)(HOST = YourFirstHost)(PORT = 2484))
      )
      (CONNECT_DATA =
        (SERVER = dedicated)
        (FAILOVER_MODE =
          (BACKUP = PRODTWOSSL)
          (TYPE = select)
          (METHOD = basic)
          (RETRIES = 20)
          (DELAY = 3)
        )
        (SERVICE_NAME = ORCL)
      )
      (SECURITY =
        (SSL_SERVER_CERT_DN = "CN=server, C=US")
      )
    )
    (DESCRIPTION =
      (ADDRESS_LIST =
        (ADDRESS = (PROTOCOL = TCPS)(HOST = YourSecondHost)(PORT = 2484))
      )
      (CONNECT_DATA =
        (SERVICE_NAME = ORCL)
      )
      (SECURITY =
        (SSL_SERVER_CERT_DN = "CN=server, C=US")
      )
    )
  )
PRODTWOSSL =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS_LIST =
        (ADDRESS = (PROTOCOL = TCPS)(HOST = YourSecondHost)(PORT = 2484))
      )
      (CONNECT_DATA =
        (SERVICE_NAME = ORCL)
      )
      (SECURITY =
        (SSL_SERVER_CERT_DN = "CN=server, C=US")
      )
    )
  )
Configuring SSL for the JDBC OCI driver is described in the Stores for Client Authentication subsection of the Oracle Database Server Configuration section earlier in this document.
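The tnsnames.ora and sqlnet.ora examples above (the plain TAF pair and the TAF-with-SSL pair) can be checked mechanically before the adapter is pointed at them. The Python script below is an added example, not part of the adapter or of Oracle's tooling: it parses the parenthesised Oracle Net syntax and reports cleartext TCP addresses, a missing or mismatched SSL_SERVER_CERT_DN (it must equal the DN in the server wallet, CN=server, C=US in this document's orapki commands), TAF BACKUP aliases that are not defined, an SSL_VERSION of 3.0 or earlier TLS, and SSL_SERVER_DN_MATCH not set to YES. The embedded sqlnet.ora and tnsnames.ora text is constructed from this page's examples; its PRODTWOSSL entry deliberately pins the client DN instead of the server DN so that the check has something to find.

```python
"""Lint the client-side Oracle Net files used for TAF over SSL (added example,
not adapter or Oracle code). Parses the parenthesised tnsnames.ora / sqlnet.ora
syntax and reports settings that weaken the connection."""
import re

TOKEN = re.compile(r'\(|\)|=|"[^"]*"|[^\s()=]+')
WEAK_SSL_VERSIONS = {"3.0", "1.0", "1.1"}  # SSLv3, TLS 1.0, TLS 1.1

def parse_net(text):
    """NAME = (KEY = value)... -> {NAME: value}. A value is a string or a list of
    (key, value) pairs (repeated keys such as DESCRIPTION stay in order); a bare
    item like (TCPS) becomes (None, "TCPS"). A '#' starts a comment."""
    tokens, pos = TOKEN.findall("\n".join(ln.split("#", 1)[0] for ln in text.splitlines())), 0

    def value():
        nonlocal pos
        if tokens[pos] != "(":
            pos += 1
            return tokens[pos - 1].strip('"')
        pairs = []
        while pos < len(tokens) and tokens[pos] == "(":
            key, pos = tokens[pos + 1], pos + 2
            if tokens[pos] == "=":
                pos += 1
                pairs.append((key.upper(), value()))
            else:
                pairs.append((None, key))
            if tokens[pos] != ")":
                raise ValueError(f"expected ')' at token {pos}: {tokens[pos]!r}")
            pos += 1
        return pairs

    entries = {}
    while pos < len(tokens):
        assert tokens[pos + 1] == "=", f"expected '=' after {tokens[pos]!r}"
        name, pos = tokens[pos].upper(), pos + 2
        entries[name] = value()
    return entries

def get(pairs, key):  # first value stored under key in a pair list, else None
    return next((v for k, v in pairs if k == key), None) if isinstance(pairs, list) else None

def find_all(node, key):  # every value stored under key anywhere below node
    return [x for k, v in (node if isinstance(node, list) else [])
            for x in ([v] if k == key else []) + find_all(v, key)]

def lint_sqlnet(sqlnet):  # findings for the client's sqlnet.ora parameters
    findings, version = [], sqlnet.get("SSL_VERSION")
    if version is None or version in WEAK_SSL_VERSIONS:
        findings.append(f"SSL_VERSION {version or 'unset'}: set 1.2 where supported so SSLv3/early TLS is never negotiated")
    if str(sqlnet.get("SSL_SERVER_DN_MATCH", "NO")).upper() != "YES":
        findings.append("SSL_SERVER_DN_MATCH is not YES: the server certificate DN is not enforced")
    return findings

def lint_alias(tns, alias, server_dn):
    """Findings for one net service alias: cleartext addresses, a missing or wrong
    server DN pin on TCPS descriptions, and TAF BACKUP aliases that do not exist."""
    findings, norm = [], lambda dn: dn.replace(" ", "").lower()
    for n, desc in enumerate(find_all(tns[alias], "DESCRIPTION"), 1):
        where = f"{alias} DESCRIPTION {n}"
        protocols = [(get(a, "PROTOCOL") or "?").upper() for a in find_all(desc, "ADDRESS")]
        for proto in protocols:
            if proto != "TCPS":
                findings.append(f"{where}: PROTOCOL {proto} sends the adapter's credentials in the clear")
        if "TCPS" in protocols:
            dn = get(get(desc, "SECURITY"), "SSL_SERVER_CERT_DN")
            if dn is None:
                findings.append(f"{where}: no SSL_SERVER_CERT_DN, so any certificate the wallet trusts is accepted")
            elif norm(dn) != norm(server_dn):
                findings.append(f"{where}: SSL_SERVER_CERT_DN {dn!r} is not the server wallet DN {server_dn!r}")
        backup = get(get(get(desc, "CONNECT_DATA"), "FAILOVER_MODE"), "BACKUP")
        if backup and backup.upper() not in tns:
            findings.append(f"{where}: TAF BACKUP alias {backup} is not defined")
    return findings

def lint(tnsnames_text, sqlnet_text, server_dn):  # sqlnet.ora findings first, then each alias
    tns = parse_net(tnsnames_text)
    return lint_sqlnet(parse_net(sqlnet_text)) + [
        f for alias in tns for f in lint_alias(tns, alias, server_dn)]

# Sample files constructed from this page's examples; PRODTWOSSL deliberately pins the wrong DN.
SQLNET_ORA = r"""
SQLNET.AUTHENTICATION_SERVICES = (TCPS)
SSL_VERSION = 3.0
SSL_SERVER_DN_MATCH = YES
WALLET_LOCATION = (SOURCE = (METHOD = FILE)(METHOD_DATA = (DIRECTORY = C:\temp\client)))
"""
TNSNAMES_ORA = r"""
PRODONE = (DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCP)(HOST = YourFirstHost)(PORT = 1521)))
  (CONNECT_DATA = (SERVICE_NAME = ORCL)))
PRODONESSL = (DESCRIPTION_LIST = (FAILOVER = true)(LOAD_BALANCE = false)
  (DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCPS)(HOST = YourFirstHost)(PORT = 2484)))
    (CONNECT_DATA = (SERVER = dedicated)(SERVICE_NAME = ORCL)
      (FAILOVER_MODE = (BACKUP = PRODTWOSSL)(TYPE = select)(METHOD = basic)(RETRIES = 20)(DELAY = 3)))
    (SECURITY = (SSL_SERVER_CERT_DN = "CN=server, C=US")))
  (DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCPS)(HOST = YourSecondHost)(PORT = 2484)))
    (CONNECT_DATA = (SERVICE_NAME = ORCL))(SECURITY = (SSL_SERVER_CERT_DN = "CN=server, C=US"))))
PRODTWOSSL = (DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCPS)(HOST = YourSecondHost)(PORT = 2484)))
  (CONNECT_DATA = (SERVICE_NAME = ORCL))(SECURITY = (SSL_SERVER_CERT_DN = "CN=client, C=US")))
"""

if __name__ == "__main__":
    for finding in lint(TNSNAMES_ORA, SQLNET_ORA, "CN=server, C=US"):
        print(finding)
```

Point lint() at the real files from the TNS_ADMIN or ORACLE_HOME\network\admin directory and pass the DN you used when creating the server wallet; the parser keeps repeated keys in order, so both DESCRIPTION entries of a DESCRIPTION_LIST are checked, and a description that uses plain TCP is reported without a DN finding, since no certificate is involved there.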
The IBM Tivoli Identity Manager adapters can be customized and/or extended. The type and method of this customization may vary from adapter to adapter.
Getting Started
Customizing and extending adapters requires a number of additional skills. The developer must be familiar with the following concepts and skills prior to beginning the modifications:
Note: If the customization requires a new IBM Tivoli Directory Integrator connector, the developer must also be familiar with IBM Tivoli Directory Integrator connector development and working knowledge of Java programming language.
IBM Tivoli Identity Manager Resources:
Check the "Training" section of the IBM Tivoli Identity Manager Support web site for links to training, publications, and demos.
IBM Tivoli Directory Integrator Resources:
Check the "Training" section of the IBM Tivoli Directory Integrator Support web site for links to training, publications, and demos.
Support for Customized Adapters
The integration to the IBM Tivoli Identity Manager server "the adapter framework" is supported. However, IBM does not support the customizations, scripts, or other modifications. If you experience a problem with a customized adapter, IBM Support may require the problem to be demonstrated on the GA version of the adapter before a PMR is opened.
Installation Platform
The IBM Tivoli Identity Manager Adapter was built and tested on the following product versions.
Adapter Installation Platform:
Managed Resource:
IBM Tivoli Identity Manager:
This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785 U.S.A.
For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:
IBM World Trade Asia Corporation
Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106-0032, Japan
The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.
Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged should contact:
IBM Corporation
2ZA4/101
11400 Burnet Road
Austin, TX 78758 U.S.A.
Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.
The licensed program described in this information and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement, or any equivalent agreement between us.
Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.
Trademarks
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.
Adobe, Acrobat, PostScript and all Adobe-based trademarks are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, other countries, or both.
IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency which is now part of the Office of Government Commerce.
Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.
Linux is a trademark of Linus Torvalds in the United States, other countries, or both.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.
ITIL is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office.
UNIX is a registered trademark of The Open Group in the United States and other countries.
Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.
Cell Broadband Engine is a trademark of Sony Computer Entertainment, Inc. in the United States, other countries, or both and is used under license therefrom.
Linear Tape-Open, LTO, the LTO Logo, Ultrium, and the Ultrium logo are trademarks of HP, IBM Corp. and Quantum in the U.S. and other countries.
Other company, product, and service names may be trademarks or service marks of others.