Tivoli® Identity Manager Directory Integrator-Based Oracle eBS Adapter Installation and Configuration Guide Version 4.6 SC23-9919-00


Note: Before using this information and the product it supports, read the information in Appendix F, “Notices,” on page 45.

This edition applies to version 4.6 of this adapter and to all subsequent releases and modifications until otherwise indicated in new editions.

© Copyright International Business Machines Corporation 2008. All rights reserved.

US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.


Contents

Preface
  About this book
  Intended audience for this book
  Publications and related information
  Tivoli Identity Manager library
  Prerequisite product publications
  Related publications
  Accessing terminology online
  Accessing publications online
  Ordering publications
  Accessibility
  Tivoli technical training
  Support information
  Conventions used in this book
  Typeface conventions
  Operating system-dependent variables and paths
  Definitions for HOME and other directory variables

Chapter 1. Overview of the Oracle eBS Adapter
  Features of the adapter
  Architecture of the adapter
  Supported configurations

Chapter 2. Installing the Oracle eBS Adapter
  Prerequisites
  Tivoli Directory Integrator adapters solution directory
  Installing the adapter
  Running the installer
  Importing the adapter profile into the Tivoli Identity Manager server
  Creating an Oracle eBS Adapter service
  Starting and stopping the adapter service

Chapter 3. Configuring the Oracle eBS Adapter
  Customizing the Oracle eBS Adapter profile
  Configuration properties of the adapter
  Changing the port number for the RMI Dispatcher
  Configuring logging for the adapter
  Naming the log file
  Sizing the log file
  Configuring logging levels
  Displaying logs in the user interface
  Appending information to an existing log file
  Managing passwords when restoring accounts

Chapter 4. Configuring SSL authentication for the Oracle eBS Adapter
  SSL terminology
  SSL configurations
  Configuring for one-way SSL authentication
  Configuring for two-way SSL authentication
  Task performed on the SSL server (Tivoli Directory Integrator server workstation)
  Creating a keystore for the Tivoli Directory Integrator server
  Creating a truststore for the Tivoli Directory Integrator server
  Creating a server-signed certificate for the Tivoli Directory Integrator server
  Creating a CA certificate for Tivoli Directory Integrator
  Importing the WebSphere Application Server CA certificate into the Tivoli Directory Integrator truststore
  Configure Tivoli Directory Integrator to use the keystores
  Configure Tivoli Directory Integrator to use the truststores
  Enabling the adapter service to use SSL
  Tasks performed on the SSL client (Tivoli Identity Manager and WebSphere Application Server workstation)
  Creating a signed certificate for the Tivoli Identity Manager server
  Creating a WebSphere Application Server CA certificate for Tivoli Identity Manager
  Importing the Tivoli Identity Manager CA certificate into the WebSphere Application Server truststore

Chapter 5. Verifying the Oracle eBS Adapter profile installation

Chapter 6. Troubleshooting the Oracle eBS Adapter
  Warning and error messages
  Logging information format
  Installer problems on UNIX and Linux platforms
  Symptoms
  Corrective action

Chapter 7. Uninstalling the Oracle eBS Adapter
  Uninstalling the adapter from the Tivoli Directory Integrator server
  Removing the adapter profile from the Tivoli Identity Manager server

Appendix A. Adapter attributes
  Attribute descriptions
  Attributes by Oracle eBS Adapter actions
  System Login Add
  System Login Change
  System Login Delete
  System Login Suspend
  System Login Restore
  Test
  Reconciliation

Appendix B. Installing on a zOS operating system
  RMI Dispatcher installation:

Appendix C. Running in Federal Information Processing Standards compliance mode

Appendix D. Accessibility features for the Oracle eBS Adapter
  Accessibility features
  Keyboard navigation
  IBM and accessibility

Appendix E. Support information
  Searching knowledge bases
  Search the information center on your local system or network
  Search the Internet
  Contacting IBM Software Support
  Determine the business impact of your problem
  Describe your problem and gather background information
  Submit your problem to IBM Software Support

Appendix F. Notices
  Trademarks

Index


Preface

About this book

This installation guide provides the basic information that you need to install and configure the IBM® Tivoli® Identity Manager Directory-Based Oracle E-Business Suite Adapter (Oracle eBS Adapter). The Oracle eBS Adapter enables connectivity between the Tivoli Identity Manager server and a managed resource. The Tivoli Identity Manager server is the server for your Tivoli Identity Manager product.

Intended audience for this book

This book is intended for Oracle eBS security administrators responsible for installing software on their site’s computer systems. Readers are expected to understand operating system concepts. The person completing the Oracle eBS Adapter installation procedure must also be familiar with their site’s system standards. Readers should be able to perform routine security administration tasks.

Publications and related information

This section lists publications in the IBM Tivoli Identity Manager library and related documents. The section also describes how to access Tivoli publications online and how to order Tivoli publications.

Read the descriptions of the IBM Tivoli Identity Manager library. To determine which additional publications you might find helpful, read the “Prerequisite product publications” on page vii and the “Related publications” on page viii. After you determine the publications you need, refer to the instructions in “Accessing publications online” on page viii.

Tivoli Identity Manager library

The publications in the technical documentation library for your product are organized into the following categories:

• Release information
• Online user assistance
• Server installation and configuration
• Problem determination
• Technical supplements
• Adapter installation and configuration

Release Information:

• Release Notes
  Provides software and hardware requirements for the product, and additional fix, patch, and other support information.
• Read This First card
  Lists the publications for the product.

Online user assistance:

Provides online help topics and an information center for administrative tasks.


Server installation and configuration:

Provides installation and configuration information for the product server.

Problem determination:

Provides problem determination, logging, and message information for the product.

Technical supplements:

The following technical supplements are provided by developers or by other groups who are interested in this product:

• Performance and tuning information
  Provides information needed to tune your production environment, available on the Web at:
  http://publib.boulder.ibm.com/tividd/td/tdprodlist.html
  Click the I character in the A-Z product list to locate IBM Tivoli Identity Manager products. Click the link for your product, and then browse the information center for the Technical Supplements section.
• IBM Redbooks® and white papers are available on the Web at:
  http://www.ibm.com/software/sysmgmt/products/support/IBMTivoliIdentityManager.html
  Browse to the Self Help section, in the Learn category, and click the Redbooks link.
• Technotes are available on the Web at:
  http://www.redbooks.ibm.com/redbooks.nsf/tips/
• Field guides are available on the Web at:
  http://www.ibm.com/software/sysmgmt/products/support/Field_Guides.html
• For an extended list of other Tivoli Identity Manager resources, search the following IBM developerWorks® Web address:
  http://www.ibm.com/developerworks/

Adapter documentation:

The technical documentation library also includes a set of platform-specific documents for the adapter components of the product. Adapter information is available on the Web at:

http://publib.boulder.ibm.com/tividd/td/tdprodlist.html

Click the I character in the A-Z product list to locate IBM Tivoli Identity Manager products. Click the link for your product, and then browse the information center for the adapter information that you want.

Skills and training:

The following additional skills and technical training information were available at the time that this manual was published:

• Virtual Skills Center for Tivoli Software on the Web at:
  http://www.cgselearning.com/tivoliskills/
• Tivoli Education Software Training Roadmaps on the Web at:


  http://www.ibm.com/software/tivoli/education/eduroad_prod.html
• Tivoli Technical Exchange on the Web at:
  http://www.ibm.com/software/sysmgmt/products/support/supp_tech_exch.html

Prerequisite product publications

To use the information in this book effectively, you must have knowledge of the products that are prerequisites for your product. Publications are available from the following locations:

• directory server
  – http://publib.boulder.ibm.com/infocenter/pseries/index.jsp
  – http://docs.hp.com/
  – http://www.redhat.com/docs/
  – http://docs.sun.com/db?q=solaris+9
• Operating systems
  – IBM AIX
    http://publib16.boulder.ibm.com/pseries/
  – Solaris Operating Environment
    http://docs.sun.com/app/docs/prod/solaris
  – Red Hat Linux
    http://www.redhat.com/docs/
  – Microsoft® Windows® Server 2003
    http://www.microsoft.com/windowsserver2003/proddoc/default.mspx
• Database servers
  – IBM DB2 Universal Database
    - Support: http://www.ibm.com/software/data/db2/udb/support.html
    - Information center: http://publib.boulder.ibm.com/infocenter/db2help/index.jsp
    - Documentation: http://www.ibm.com/cgi-bin/db2www/data/db2/udb/winos2unix/support/v8pubs.d2w/en_main
    - DB2® product family: http://www.ibm.com/software/data/db2
    - Fix packs: http://www.ibm.com/software/data/db2/udb/support/downloadv8.html
    - System requirements: http://www.ibm.com/software/data/db2/udb/sysreqs.html
  – Oracle
    http://www.oracle.com/technology/documentation/index.html
    http://otn.oracle.com/tech/index.html
    http://otn.oracle.com/tech/linux/index.html
  – Microsoft SQL Server
    http://www.msdn.com/library/
    http://www.microsoft.com/sql/
• Directory server applications
  – IBM Directory Server
    http://publib.boulder.ibm.com/tividd/td/tdprodlist.html
    Click the D character in the A-Z list, and then click the link for your product to access the product library.


    http://www.ibm.com/software/network/directory
  – Sun ONE Directory Server
    http://www.sun.com/software/products/directory_srvr/home_directory.xml
• WebSphere®
  Additional information is available in the product directory or Web sites.
  http://www.ibm.com/software/webservers/appserv/was/library/
  http://www.redbooks.ibm.com/
• WebSphere embedded messaging
  http://www.ibm.com/software/integration/wmq/
• IBM HTTP Server
  http://www.ibm.com/software/webservers/httpservers/library.html

Related publications

The following documents also provide useful information:

• The Tivoli Software Library provides a variety of Tivoli publications such as white papers, datasheets, demonstrations, IBM Redbooks, and announcement letters. The Tivoli Software Library is available on the Web at:
  http://www.ibm.com/software/tivoli/literature/
• The Tivoli Software Glossary includes definitions for many of the technical terms related to Tivoli software. The Tivoli Software Glossary is available from the Glossary link of the Tivoli Software Library Web page at:
  http://publib.boulder.ibm.com/tividd/glossary/tivoliglossarymst.htm

Accessing terminology online

The Tivoli Software Glossary includes definitions for many of the technical terms related to Tivoli software. The Tivoli Software Glossary is available at the following Tivoli software library Web site:

http://publib.boulder.ibm.com/tividd/glossary/tivoliglossarymst.htm

The IBM Terminology Web site consolidates the terminology from IBM product libraries in one convenient location. You can access the Terminology Web site at the following Web address:

http://www.ibm.com/software/globalization/terminology

Accessing publications online

IBM posts publications for this and all other Tivoli products, as they become available and whenever they are updated, to the Tivoli Information Center Web site at http://publib.boulder.ibm.com/tividd/td/link/tdprodlist.html.

In the Tivoli Information Center window, click the letter that matches the first letter of your product name to access your product library. For example, click M to access the IBM Tivoli Monitoring library or click O to access the IBM Tivoli OMEGAMON® library.

Note: If you print PDF documents on other than letter-sized paper, set the option in the File → Print window that allows Adobe® Reader to print letter-sized pages on your paper.


Ordering publications

You can order many Tivoli publications online at http://www.elink.ibmlink.ibm.com/public/applications/publications/cgibin/pbi.cgi.

You can also order by telephone by calling one of these numbers:

• In the United States: 800-879-2755
• In Canada: 800-426-4968

In other countries, contact your software account representative to order Tivoli publications. To locate the telephone number of your local representative, perform the following steps:

1. Go to http://www.elink.ibmlink.ibm.com/public/applications/publications/cgibin/pbi.cgi.
2. Select your country from the list and click Go.
3. Click About this site in the main panel to see an information page that includes the telephone number of your local representative.

Accessibility

Accessibility features help users with a physical disability, such as restricted mobility or limited vision, to use software products successfully. With this product, you can use assistive technologies to hear and navigate the interface. You can also use the keyboard instead of the mouse to operate all features of the graphical user interface.

For additional information, see Appendix D, “Accessibility features for the Oracle eBS Adapter,” on page 39.

Tivoli technical training

For Tivoli technical training information, refer to the following IBM Tivoli Education Web site at http://www.ibm.com/software/tivoli/education.

Support information

If you have a problem with your IBM software, you want to resolve it quickly. IBM provides the following ways for you to obtain the support you need:

• IBM Support Assistant: You can search across a large collection of known problems and workarounds, Technotes, and other information at http://www.ibm.com/software/support/isa.
• Obtaining fixes: You can locate the latest fixes that are already available for your product.
• Contacting IBM Software Support: If you still cannot solve your problem, and you need to work with someone from IBM, you can use a variety of ways to contact IBM Software Support.

For more information about these ways to resolve problems, see Appendix E, “Support information,” on page 41.

Conventions used in this book

This reference uses several conventions for special terms and actions and for operating system-dependent commands and paths.


Typeface conventions

This book uses the following typeface conventions:

Bold
  • Lowercase commands and mixed case commands that are otherwise difficult to distinguish from surrounding text
  • Interface controls (check boxes, push buttons, radio buttons, spin buttons, fields, folders, icons, list boxes, items inside list boxes, multicolumn lists, containers, menu choices, menu names, tabs, property sheets), labels (such as Tip:, and Operating system considerations:)
  • Keywords and parameters in text

Italic
  • Citations (examples: titles of books, diskettes, and CDs)
  • Words defined in text (example: a nonswitched line is called a point-to-point line)
  • Emphasis of words and letters (words as words example: "Use the word that to introduce a restrictive clause," letters as letters example: "The LUN address must start with the letter L.")
  • New terms in text (except in a definition list): a view is a frame in a workspace that contains data.
  • Variables and values you must provide: ... where myname represents...

Monospace
  • Examples and code examples
  • File names, programming keywords, and other elements that are difficult to distinguish from surrounding text
  • Message text and prompts addressed to the user
  • Text that the user must type
  • Values for arguments or command options

Operating system-dependent variables and paths

This guide uses the UNIX® convention for specifying environment variables and for directory notation.

When using the Windows command line, replace $variable with %variable% for environment variables and replace each forward slash (/) with a backslash (\) in directory paths. The names of environment variables are not always the same in Windows and UNIX. For example, %TEMP% in the Windows operating system is equivalent to $tmp in a UNIX operating system.

Note: If you are using the bash shell on a Windows system, you can use the UNIX conventions.

Definitions for HOME and other directory variables

The following table contains the default definitions that are used in this guide to represent the HOME directory level for various product installation paths. You can customize the installation directory and HOME directory for your specific implementation. If this is the case, you need to make the appropriate substitution for the definition of each variable represented in this table.

The value of path varies for these operating systems:


• Windows: drive:\Program Files
• AIX®: /usr
• Other UNIX: /opt

Path variable: DB_INSTANCE_HOME
Default definition:
  Windows: path\IBM\SQLLIB
  UNIX:
    • AIX, Linux®: /home/dbinstancename
    • Solaris: /export/home/dbinstancename
Description: The directory that contains the database for your Tivoli Identity Manager product.

Path variable: LDAP_HOME
Default definition:
  • For IBM Directory Server Version 5.2
    Windows: path\IBM\LDAP
    UNIX: path/IBM/LDAP
      – AIX, Linux: path/ldap
      – Solaris: path/IBMldaps
  • For IBM Directory Server Version 6.0
    Windows: path\IBM\LDAP
    UNIX: /opt/IBM/ldap/
      – AIX, Solaris: /opt/IBM/ldap/
      – Linux: /opt/ibm/ldap/
  • For Sun ONE Directory Server
    Windows: path\Sun\MPS
    UNIX: /var/Sun/mps
Description: The directory that contains the directory server code.


Path variable: IDS_instance_HOME
Default definition:
  For IBM Directory Server Version 6.0
  Windows: drive\idsslapd-instance_owner_name
    The value of drive might be C:\. An example of instance_owner_name might be ldapdb2. For example, the log file might be C:\idsslapd-itimldap\logs\ibmslapd.log
  UNIX: INSTANCE_HOME/idsslapd-instance_name
    On Linux and AIX systems, the default home directory is the /home/instance_name/idsslapd-instance_name directory. On Solaris systems, for example, the directory is the /export/home/itimldap/idsslapd-itimldap directory.
Description: The directory that contains the IBM Directory Server Version 6.0 instance.

Path variable: HTTP_HOME
Default definition:
  Windows: path\IBMHttpServer
  UNIX: path/IBMHttpServer
Description: The directory that contains the IBM HTTP Server code.

Path variable: ITIM_HOME
Default definition:
  Windows: path\IBM\itim
  UNIX: path/IBM/itim
Description: The base directory that contains the Tivoli Identity Manager code, configuration, and documentation.

Path variable: WAS_HOME
Default definition:
  Windows: path\IBM\WebSphere\AppServer
  UNIX: path/IBM/WebSphere/AppServer
Description: The WebSphere Application Server home directory.

Path variable: WAS_NDM_HOME
Default definition:
  Windows: path\IBM\WebSphere\DeploymentManager
  UNIX: path/IBM/WebSphere/DeploymentManager
Description: The home directory on the Deployment Manager.


Path variable: ITDI_HOME
Default definition:
  Windows:
    • for version 6.1.1: drive\Program Files\IBM\TDI\V6.1.1
  UNIX:
    • for version 6.1.1: /opt/IBM/TDI/V6.1.1
  The ITDI_HOME directory contains the jars/connectors subdirectory that contains files for the adapters. For example, the jars/connectors subdirectory contains the files for the UNIX adapter.
  Note: If Tivoli Directory Integrator is not automatically installed with your Tivoli Identity Manager product, the default directory path for Tivoli Directory Integrator might be as follows:
    path/IBM/IBMDirectoryIntegrator
Description: The directory where Tivoli Directory Integrator is installed.

Path variable: Tivoli_Common_Directory
Default definition:
  Windows: path\ibm\tivoli\common\
  UNIX: path/ibm/tivoli/common/
Description: The central location for all serviceability-related files, such as logs and first-failure data capture.


Chapter 1. Overview of the Oracle eBS Adapter

An adapter is a program that provides an interface between a managed resource and the Tivoli Identity Manager server. Adapters might or might not reside on the managed resource, and the Tivoli Identity Manager server manages access to the resource by using your security system. Adapters function as trusted virtual administrators on the target platform, performing such tasks as creating login IDs, suspending IDs, and performing other functions that administrators normally run manually. The adapter runs as a service, independent of whether a user is logged on to the Tivoli Identity Manager server.

The Oracle eBS Adapter enables communication between the Tivoli Identity Manager server and an Oracle eBS user database, also referred to as a FND_USER directory. The following sections provide information about the Oracle eBS Adapter:

• “Features of the adapter”
• “Architecture of the adapter”
• “Supported configurations” on page 2

Features of the adapter

You can use the Oracle eBS Adapter to automate the following administrative tasks:

• Adding new user accounts on the Oracle database
• Modifying the attributes of existing users
• Changing user account passwords
• Suspending and restoring existing user accounts
• Reconciling user accounts and other support data

Architecture of the adapter

IBM Tivoli Identity Manager communicates with the Oracle eBS Adapter to administer the user accounts on the Oracle eBS. You can perform these actions on an account: Add, Modify, Restore, and Suspend. You can also search for account information and change an account password.

The Oracle eBS Adapter contains Tivoli Directory Integrator AssemblyLines that serve one or more account operations. When the first request is sent from Tivoli Identity Manager, the required AssemblyLine is loaded into Tivoli Directory Integrator. The same AssemblyLine is then cached to serve subsequent operations of the same type.

All Tivoli Directory Integrator-based adapters consist of the following components:

• RMI Dispatcher
• Tivoli Directory Integrator connector
• Tivoli Identity Manager adapter profile


Each component must be installed for the adapter to function correctly. You need to install the RMI Dispatcher and the adapter profile; however, the Tivoli Directory Integrator connector might already be installed with the base Tivoli Directory Integrator product.

Figure 1 shows the various components that work together to complete user management tasks in a Tivoli Directory Integrator environment.

For additional information about Tivoli Directory Integrator, see the Getting Started Guide for your level of the IBM Tivoli Directory Integrator.

Supported configurations

The Oracle eBS Adapter supports different configurations. The fundamental components in each environment are a Tivoli Identity Manager server, a Tivoli Directory Integrator server, an Oracle eBS system, and the Oracle eBS Adapter. In each configuration, the Oracle eBS Adapter must reside directly on the server running the Tivoli Directory Integrator server.

For a single server configuration, you must install the Tivoli Identity Manager server, Tivoli Directory Integrator server, and the Oracle eBS Adapter on one server. The server communicates with an Oracle eBS, which is installed on a different server. Refer to Figure 2.

Figure 1. The architecture of the Oracle eBS Adapter

Figure 2. Example of a single server configuration

[Figures not reproduced. Diagram labels: Tivoli Identity Manager Server, Tivoli Directory Integrator Server, Adapter, Managed resource.]


Chapter 2. Installing the Oracle eBS Adapter

For every Tivoli Directory Integrator-based adapter, the RMI Dispatcher must be installed. If you already have the RMI Dispatcher installed from a previous installation, you do not need to install it again unless there is an upgrade to the RMI Dispatcher. You can run the RMI Dispatcher installer so that it can detect if there are any upgrades that would require you to reinstall the RMI Dispatcher.

After ensuring that the RMI Dispatcher is correctly installed, you might need to install the Tivoli Directory Integrator connector. Depending on your adapter, the connector might already be installed as part of the Tivoli Directory Integrator product and no further action is required. The final installation task is to import the adapter profile.

The following sections provide information for installing and configuring the adapter.

• “Prerequisites”
• “Installing the adapter”
• “Importing the adapter profile into the Tivoli Identity Manager server”
• “Creating an Oracle eBS Adapter service”
• “Starting and stopping the adapter service”

Prerequisites

Table 1 identifies the software and operating system prerequisites for the Oracle eBS Adapter. Verify that all of the prerequisites have been met before installing the adapter.

Table 1. Prerequisites to run the adapter

| Prerequisite | Description |
|---|---|
| Tivoli Directory Integrator server | 6.0; 6.1; 6.1.1 |
| Tivoli Identity Manager server (Enterprise or Express) | Version 4.6 |
| Oracle eBS | A system running Oracle eBS Release 11i (11.5.10) |
| Oracle Thin JDBC Driver. Note: See the online documentation for how to install the JDBC driver at (http://www.oracle.com/technology/software/tech/java/sqlj_jdbc/index.html). | All JDBC drivers listed below can talk with all the supported versions of Oracle except Oracle 10g r2: JDBC 8.1.7 Driver; JDBC 9.0.1 Driver. For Oracle 10g r2: JDBC 10.2.0.1.0 Driver |
| Network Connectivity | The adapter must be installed on a system that can communicate with the Tivoli Identity Manager service through the TCP/IP network. |
| System Administrator Authority | A user with administrator privileges is needed for the installation. |

The Oracle eBS Adapter and the appropriate Oracle Thin JDBC drivers must be installed on the same system as the Tivoli Directory Integrator server.

For information on the prerequisites and supported operating systems for Tivoli Directory Integrator, see the IBM Tivoli Directory Integrator 6.1.1: Administrator Guide.

Tivoli Directory Integrator adapters solution directory

A Tivoli Directory Integrator adapters solution directory is a Tivoli Directory Integrator work directory for Tivoli Identity Manager adapters. The installer must have read and write access to the Tivoli Directory Integrator adapters solution directory and read access to the Tivoli Directory Integrator home directory.

If this is the first Tivoli Directory Integrator-based adapter installation, then you are prompted to enter a directory as your adapters solution directory for all the Tivoli Directory Integrator-based adapters to be installed. The parent folder that you enter for the adapters solution directory needs to exist.

For every subsequent adapter installation, the installer uses the adapters solution directory that is already set in the global.properties file and does not prompt for an adapters solution directory.

Installing the adapter

The Oracle eBS Adapter uses the Tivoli Directory Integrator JDBC connector. This connector is available with the base Tivoli Directory Integrator product. Because the Tivoli Directory Integrator JDBC connector is already installed, you only need to install the RMI Dispatcher. The RMI Dispatcher installer is included in the Oracle eBS Adapter compressed file.

The RMI Dispatcher has several different types of installer binaries. Select the one appropriate for your operating system.

• For Linux operating systems only: DispatcherInstall_linux.bin
• For Windows operating systems only: DispatcherInstall_win.exe
• For all operating systems: DispatcherInstall.jar

Note: If you are running on a 64-bit operating system, you must use the Tivoli Directory Integrator-supplied JVM. The JVM is located in ITDI_HOME/jvm/jre/bin/, where ITDI_HOME is the directory where Tivoli Directory Integrator is installed.

This can be accomplished either by:

• Ensuring that the first JVM path in the PATH environment variable is set to ITDI_HOME/jvm/jre/bin
• Running the Java-based installer:

    ITDI_HOME/jvm/jre/bin/java -jar DispatcherInstall.jar


Running the installer

For zOS installation, see Appendix B, “Installing on a zOS operating system,” on page 35.

Note: All directory paths and binaries for this procedure apply to Windows operating systems. Change them as needed for other operating systems.

To run the installer:

1. Download the Oracle eBS Adapter compressed file from the IBM Web site. Contact your IBM account representative for the Web address and download instructions.

2. Extract the contents of the compressed file into a temporary directory and navigate to that directory.

3. Start the installation program using the DispatcherINSTALL file in the temporary directory. For example on a Windows operating system, select Run... from the Start menu and type C:\Temp\Dispatcher_win.exe in the Open field.

   Note: If you are running the Tivoli Directory Integrator on platforms other than Linux or Windows operating systems, run the Java-based installer. Use the java.exe that comes with Tivoli Directory Integrator to launch the install. The java.exe is located in the ITDI_HOME\jvm\jre\bin directory. Issue the command:

       ITDI_HOME/jvm/jre/bin/java -jar DispatcherInstall.jar

4. In the Welcome window, click Next.

5. In the License Agreement window, review the license agreement and decide if you accept the terms of the license. If you do, click Accept, and then click Next.

6. In the Tivoli Directory Integrator Based Adapter Installer window, specify the location where Tivoli Directory Integrator is installed. You can accept the default location, or click Browse to specify a different directory. Then, click Next.

7. If this is the first Tivoli Directory Integrator-based adapter installation, you are prompted in the Adapter Solution Directory panel to specify the adapters solution directory to be used for the Tivoli Directory Integrator-based Tivoli Identity Manager adapters. If the adapters solution directory has been specified during a previous Tivoli Directory Integrator-based adapter installation, the prompt is not displayed.

8. In the confirmation window that displays the components that are to be installed and the upgrades that are to be completed, click Install to begin the installation. Otherwise, click Back to make changes.

9. In the Installation Completed window, click Finish to exit the program.

Importing the adapter profile into the Tivoli Identity Manager server

An adapter profile defines the types of resources that the Tivoli Identity Manager server can manage. The profile is used to create an Oracle eBS Adapter service on the Tivoli Identity Manager server. You must import the adapter profile into the Tivoli Identity Manager server before using the Oracle eBS Adapter.

Before you import the adapter profile, verify that the following conditions are met:

• The Tivoli Identity Manager server is installed and running.
• You have root or Administrator authority on the Tivoli Identity Manager server.


The adapter profile is included in the JAR file for the adapter, OraEBSProfile.jar. To import the adapter profile, complete these steps:

1. Log in to the Tivoli Identity Manager server using an account that has the authority to perform administrative tasks.

2. Import the adapter profile (or service type) using the import service type feature for your IBM Tivoli Identity Manager product. Refer to the information center or the online help for specific instructions about importing service types.

When you import the adapter profile, if you receive an error related to the schema, refer to the trace.log file for information about the error. The trace.log file location is specified using the handler.file.fileDir property defined in the IBM Tivoli Identity Manager enRoleLogging.properties file. The enRoleLogging.properties file is installed in the IBM Tivoli Identity Manager \data directory.

Creating an Oracle eBS Adapter service

You must create a service for the Oracle eBS Adapter before the Tivoli Identity Manager server can use the adapter to communicate with the managed resource. The Oracle eBS Adapter profile name is “Oracle EBS Adapter Service Profile”.

To create a service, complete these steps:

1. Log in to the Tivoli Identity Manager server using an account that has the authority to perform administrative tasks.

2. Create the service using the information for your IBM Tivoli Identity Manager product. Refer to the information center or the online help for specific instructions about creating a service.

To create or change a service, you must use the service form to provide information for the service. Service forms might vary depending on the adapter.

Note: If the following fields on the service form are changed for an existing service, the IBM Tivoli Identity Manager Adapter service on the Tivoli Directory Integrator server needs to be restarted.

• Service Name
• Password
• Owner
• Service prerequisite

See “Starting and stopping the adapter service” on page 7.

The Oracle eBS Adapter service form contains the following fields:

Service name
    Specify a name that defines this service on the Tivoli Identity Manager server.

Description
    Optional: Specify a description for this service.

Tivoli Directory Integrator location
    Optional: Specify the URL for the Tivoli Directory Integrator instance. Valid syntax is rmi://ip-address:port/ITDIDispatcher, where ip-address is the Tivoli Directory Integrator host and port is the port number for the RMI Dispatcher. The default URL is rmi://localhost:16231/ITDIDispatcher

    See “Changing the port number for the RMI Dispatcher” on page 11 for information about changing the port number.

Oracle eBS Service Name
    Specify the service name of Oracle eBS database instance to which the adapter is going to connect.

Oracle eBS Service Host
    Specify the host workstation on which the Oracle eBS database instance is running.

Oracle eBS Service Port
    Specify the port on which the Oracle eBS database service is listening.

Administrator Name
    Specify the user that has access to the Oracle eBS database to log in and perform administrative operations.

Password
    Specify the password for administrator user.

Owner
    Optional: Specify a Tivoli Identity Manager user as a service owner.

Service Prerequisite
    Optional: Specify a Tivoli Identity Manager service that is prerequisite to this service.

Starting and stopping the adapter service

After you edit the properties file for the adapter, you must stop and restart the adapter service in order for the changes to take effect. The method used to stop and restart the adapter depends on the operating system.

AIX operating systems
    The adapter installer creates a subsystem called ITIMAd when the adapter is first installed. ITIM_RMI.xml is the configuration file. Use these commands to start and stop the adapter service.

        startsrc -s ITIMAd
        stopsrc -c -s ITIMAd

    The adapter service runs the ibmdisrv.bat command. The bat file starts a Java™ process that does not stop when the adapter service is stopped. To stop this process, obtain the process ID (PID) and then kill the process.

    • To obtain the PID of the process, type this command: ps -ef|grep <ITDI_HOME_DIR>/_jvm/jre/bin/, where ITDI_HOME_DIR is the directory where Tivoli Directory Integrator is installed.
    • To kill the process, type this command: kill -9 <pid>.

HP-UX operating systems
    The adapter installer copies the ITIMAd script file to the adapters solution directory. This directory is a separate solution directory for all Tivoli Directory Integrator-based Tivoli Identity Manager adapters. From this directory, type these commands to start, stop, and restart the adapter service.

        ITIMAd start
        ITIMAd stop
        ITIMAd restart


Linux or Solaris operating systems
    The adapter installer automatically copies the ITIMAd script file to the /etc/init.d/ directory when the adapter is installed. From the /etc/init.d/ directory, type these commands to start, stop, and restart the adapter service.

        ITIMAd start
        ITIMAd stop
        ITIMAd restart

Windows operating systems
    From the Control Panel, select Administrative Tools -> Services. From the Services menu, you can start and stop the adapter service. The service name is IBM Tivoli Identity Manager Adapter.

zOS operating systems
    Navigate to the adapter solution directory and enter the following commands:

    1. To start the adapter:

        % ./ITIMAd start

    2. To verify that the process ibmdisrv_ascii is running:

        % ps -ef | grep ibmdisrv_ascii

    3. To stop the adapter:

        % ./ITIMAd stop

    4. To verify that the process ibmdisrv_ascii is not running:

        % ps -ef | grep ibmdisrv_ascii


Chapter 3. Configuring the Oracle eBS Adapter

This chapter describes the configuration options for the Oracle eBS Adapter. The following sections provide information for configuring the adapter.

• “Customizing the Oracle eBS Adapter profile”
• “Configuration properties of the adapter”
• “Changing the port number for the RMI Dispatcher”
• “Configuring logging for the adapter”

Customizing the Oracle eBS Adapter profile

To customize the Oracle eBS Adapter profile, you must make changes to the Oracle eBS Adapter JAR file, OraEBSProfile.jar. You might customize the adapter profile to make changes to the account form or the service form.

The OraEBSProfile.jar file is included in the Oracle eBS Adapter compressed file that you downloaded from the IBM Web site.

Note: You cannot modify the schemas for this adapter. Attributes cannot be added to or deleted from the schema.

• Service.def
• Schema.dsml
• CustomLabels.properties
• erOracleEBSAccount.xml
• erOracleEBSRMIService.xml
• OracleEBSAdapter.xml
• OracleEBSManageUserAL.xml
• OracleEBSSearchUserAL.xml

To edit the OraEBSProfile.jar file, complete these steps:

1. Log in to the system where the Oracle eBS Adapter is installed.

2. Copy the OraEBSProfile.jar file into a temporary directory.

3. Extract the contents of the OraEBSProfile.jar file into the temporary directory by running the following command.

       jar -xvf OraEBSProfile.jar

   The jar command extracts the files into the OraEBSProfile directory.

4. Edit the file that you want to change.

After you edit the file, you must import the file into the Tivoli Identity Manager server for the changes to take effect.

To import the file, complete these steps:

1. Create a new JAR file using the files in the temporary directory by running the following commands:

       cd c:\temp
       jar -cvf OraEBSProfile.jar OraEBSProfile


2. Import the OraEBSProfile.jar file into the Tivoli Identity Manager Application server. For more information on importing the JAR file, refer to “Importing the adapter profile into the Tivoli Identity Manager server” on page 5.

3. Stop and start the Tivoli Identity Manager server.

4. Stop and start the Oracle eBS Adapter service. See “Starting and stopping the adapter service” on page 7 for information about stopping and starting the adapter service.

Configuration properties of the adapter

The global.properties and the itim_listener.properties files contain the configuration properties for the adapters. To configure the properties for an adapter, you must change one of these files. Table 2 lists the properties contained in the properties files.

Table 2. Configuration properties for the adapter

| Property | Properties file | Description |
|---|---|---|
| ALShutdownTimeout | itim_listener.properties | Specifies the amount of time, in seconds, before the RMI Dispatcher should shut down when a shutdown request is sent to the dispatcher. All assembly lines that are being maintained are terminated when the dispatcher shuts down. The default value is 300 seconds, which is five minutes. |
| com.ibm.di.dispatcher.bindName | global.properties | Specifies the RMI bind name to be used. The default value is ITDIDispatcher. |
| com.ibm.di.dispatcher.disableConnectorCache | global.properties | Specifies whether the RMI Dispatcher should cache the connection to the managed resource so that no new connections are established upon subsequent calls. In this case, the same connection is used for all calls. The default value is true. |
| com.ibm.di.dispatcher.objectPort | global.properties | Specifies the port on which the actual Dispatcher remote object listens for RMI requests. The default value is 0, which means a random port is selected at runtime. |
| com.ibm.di.dispatcher.registryPort | global.properties | Specifies the port on which the RMI Dispatcher listens for provisioning requests from IBM Tivoli Identity Manager. The default value is 16231. |
| SearchALUnusedTimeout | itim_listener.properties | Specifies the amount of time, in seconds, to wait before deleting assembly lines that have not been used. The default value is 600 seconds, which is 10 minutes. |
| SearchReaperThreadTimeOut | itim_listener.properties | Specifies the amount of time, in seconds, to release data from memory. This property is used during a reconciliation response. The default value is 300 seconds, which is five minutes. |
| SearchResultSetSize | itim_listener.properties | Specifies the number of records, per response, returned during a reconciliation between IBM Tivoli Identity Manager and the adapter. The default value is 100. |

Changing the port number for the RMI Dispatcher

If the Remote Method Invocation (RMI) Dispatcher is run as a service, by default, the port number is 16231. The installer automatically sets this parameter in the global.properties file.

If the Tivoli Directory Integrator home directory is the same directory as the IBM Solutions directory, change the port number in the global.properties file. Otherwise, change the port number in the solutions.properties file in the IBM Solutions directory. To change the port number for the dispatcher, complete these steps.

1. Stop the service that is used to run the adapter. Refer to “Starting and stopping the adapter service” on page 7 for information about stopping and starting the Oracle eBS Adapter service.

2. Change the global.properties file or the solutions.properties file to use the correct port number.

       com.ibm.di.dispatcher.registryPort=16231

3. Start the service again.
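After a port change, the Tivoli Directory Integrator location on the service form has to carry the same port and bind name as the properties file. The following check is an added example, not IBM code: it derives the expected rmi:// URL from a properties file using the defaults listed in Table 2 and compares it with the URL on the service form. The function names, the host name tdi.example.com and the sample file contents are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not IBM code. Sample properties and host name are constructed.

# write_sample_props FILE: constructed global.properties fragment
write_sample_props() {
    cat > "$1" <<'EOF'
# constructed sample: registry port changed, bind name left at its default
com.ibm.di.dispatcher.registryPort=17000
com.ibm.di.dispatcher.objectPort=0
EOF
}

# prop FILE KEY DEFAULT: value of KEY (last uncommented assignment) or DEFAULT
prop() {
    awk -v key="$2" -v def="$3" '
        /^[ \t]*[#!]/ { next }                    # skip comment lines
        {
            i = index($0, "=")
            if (i == 0) next
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+/, "", k); gsub(/[ \t]+$/, "", k)
            gsub(/^[ \t]+/, "", v); gsub(/[ \t\r]+$/, "", v)
            if (k == key) val = v
        }
        END { print (val == "" ? def : val) }
    ' "$1"
}

# dispatcher_url FILE HOST: rmi://HOST:registryPort/bindName
dispatcher_url() {
    port=$(prop "$1" com.ibm.di.dispatcher.registryPort 16231)
    name=$(prop "$1" com.ibm.di.dispatcher.bindName ITDIDispatcher)
    printf 'rmi://%s:%s/%s\n' "$2" "$port" "$name"
}

# check_service_url FILE HOST URL: succeed only if URL matches the properties
check_service_url() {
    expected=$(dispatcher_url "$1" "$2")
    if [ "$3" = "$expected" ]; then
        echo "OK: $3"
    else
        echo "MISMATCH: service form has $3, properties give $expected"
        return 1
    fi
}

# Demo: the default service form URL no longer matches after the port change
props=$(mktemp)
write_sample_props "$props"
check_service_url "$props" tdi.example.com "rmi://localhost:16231/ITDIDispatcher" || true
check_service_url "$props" tdi.example.com "rmi://tdi.example.com:17000/ITDIDispatcher"
# objectPort=0 means the remote object port is chosen at random at runtime
echo "objectPort: $(prop "$props" com.ibm.di.dispatcher.objectPort 0)"
rm -f "$props"
```

Pass the file that actually holds the setting on your system: global.properties, or solutions.properties when the solutions directory differs from the Tivoli Directory Integrator home directory.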

Configuring logging for the adapter

Log files might provide information that is helpful for diagnosing and troubleshooting problems with the adapter. The type of information collected in your log file is determined by the settings in the log4j.properties file. To configure logging for the adapter, you must update this file.

In Tivoli Directory Integrator versions 6.1 or later, the file is located in the adapter solutions/etc directory. To find the location of the adapter solutions directory, search for the ADAPTER_SOLDIR entry in the global.properties file, which is located in your ITDI_HOME/etc directory.

When multiple adapters are running on the same server where Tivoli Directory Integrator is installed, logging information for the adapters is stored in the same log file. The RMI Dispatcher logs are also stored in this log file. You cannot configure logging to store information about the different components in different log files.

After you complete the changes to the log4j.properties file, you must stop and restart the service for the adapter to view the configuration changes.


The following sections contain information about configuring logging for the adapter.

Naming the log file

The log4j.appender.Default.file entry in the log4j.properties file is used to configure the name of the log file. To change the name of the log file, change the value of log4j.appender.Default.file. In the example below, the log file generated is ibmdi.log.

    log4j.appender.Default.file=ibmdi.log

Sizing the log file

The log4j.appender.Default.MaxFileSize entry in the log4j.properties file is used to configure the maximum size of the log file. For example,

    log4j.appender.Default.MaxFileSize=8MB

The number of log files generated is determined by the log4j.appender.Default.MaxBackupIndex entry. In the example below, the number of log files generated is 10.

    log4j.appender.Default.MaxBackupIndex=10

Configuring logging levels

The Directory Integrator-based adapter logging level is determined by the log4j.rootCategory attribute in the log file. The four levels for logging information are ERROR, WARN, INFO, and DEBUG. By default the logging level is set to INFO.

Other Tivoli Directory Integrator components might have their own log level set. These settings are not changed by the log4j.rootCategory setting. For example, the log4j.logger.com.ibm.di.config and the log4j.logger.com.ibm.di.loader logging categories are set to WARN by default. To control the level of information logged you can either edit the component log level settings to be the same as the setting of the log4j.rootCategory attribute or comment out the individual component logging statement.

For example, if you set the log4j.rootCategory logging level to ERROR,

    log4j.rootCategory=ERROR

you would also need to change the component logging level settings

    log4j.logger.com.ibm.di.config=ERROR
    log4j.logger.com.ibm.di.loader=ERROR

or comment out the statements.

    # log4j.logger.com.ibm.di.config=WARN
    # log4j.logger.com.ibm.di.loader=WARN

DEBUG
    The DEBUG level logs all of the details related to a specific operation. This is the highest level of logging. If logging is set to DEBUG, all other levels of logging information are displayed in the log file.

ERROR
    The ERROR level logs only error conditions. The ERROR level provides the lowest amount of logging information.


INFO
    The INFO level logs information about workflow. It generally explains how an operation occurs.

WARN
    The WARNING level logs information when an operation completes successfully but there are issues with the operation.
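Because component loggers keep their own level when log4j.rootCategory changes, it helps to list the entries that no longer follow the root level before restarting the adapter service. The following script is an added example, not IBM code: it reads a log4j.properties file and reports every active log4j.logger.* entry whose level differs from the root level. The function names and the sample file contents are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not IBM code. The sample log4j.properties content is constructed.

# write_sample FILE: constructed log4j.properties fragment
write_sample() {
    cat > "$1" <<'EOF'
log4j.rootCategory=ERROR, Default
log4j.appender.Default.file=ibmdi.log
log4j.logger.com.ibm.di.config=WARN
log4j.logger.com.ibm.di.loader=ERROR
# log4j.logger.com.ibm.di.loader=WARN
EOF
}

# root_level FILE: level part of log4j.rootCategory ("ERROR, Default" -> ERROR)
root_level() {
    awk -F= '
        /^[ \t]*#/ { next }                       # ignore commented-out entries
        {
            key = $1; gsub(/[ \t]/, "", key)
            if (key == "log4j.rootCategory") {
                split($2, parts, ",")             # drop the appender names
                level = toupper(parts[1]); gsub(/[ \t\r]/, "", level)
            }
        }
        END { print level }
    ' "$1"
}

# mismatched_loggers FILE: "name=LEVEL" for each active log4j.logger.* entry
# whose level is not the root level
mismatched_loggers() {
    awk -F= -v root="$(root_level "$1")" '
        /^[ \t]*#/ { next }
        {
            key = $1; gsub(/[ \t]/, "", key)
            if (index(key, "log4j.logger.") == 1) {
                split($2, parts, ",")
                level = toupper(parts[1]); gsub(/[ \t\r]/, "", level)
                if (level != root) print key "=" level
            }
        }
    ' "$1"
}

# Demo on the constructed sample
sample=$(mktemp)
write_sample "$sample"
echo "root level: $(root_level "$sample")"
echo "component loggers that do not follow it:"
mismatched_loggers "$sample"
rm -f "$sample"
```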

Displaying logs in the user interface

If the RMI Dispatcher is running from the command prompt by calling ibmdisrv (ibmdisrv.bat file for Windows operating systems and ibmdisrv for UNIX and Linux operating systems), the logs can be displayed on the console. To display the logs on the console:

1. Set the TDI_SOLDIR environment variable to the Tivoli Directory Integrator adapters solution directory.

2. Change your working directory to the Tivoli Directory Integrator adapters solution directory.

3. Edit the log4j.properties file located in the etc directory under the Tivoli Directory Integrator adapters solution directory:

   • Add CONSOLE to the log4j.rootCategory.

         log4j.rootCategory=DEBUG, Default, CONSOLE

   • Uncomment the log4j.appender.CONSOLE lines:

         log4j.appender.CONSOLE=org.apache.log4j.ConsoleAppender
         log4j.appender.CONSOLE.layout=org.apache.log4j.PatternLayout
         log4j.appender.CONSOLE.layout.ConversionPattern=%d [%t] %-5p - %m%n0

4. To run the RMI Dispatcher from the command line, at the command prompt for the Tivoli Directory Integrator adapters solution directory issue the following commands:

   For Windows operating systems

       cd c:\Program Files\IBM\TDI\V6.1.1\timsol
       set TDI_SOLDIR="c:\Program Files\IBM\TDI\V6.1.1\timsol"
       "c:\Program Files\IBM\TDI\V6.1.1\ibmdisrv.bat" -c ITIM_RMI.xml -d

   For UNIX and Linux operating systems

       cd /opt/IBM/TDI/V6.1.1/timsol
       export TDI_SOLDIR=/opt/IBM/TDI/V6.1.1/timsol
       /opt/IBM/TDI/V6.1.1/ibmdisrv -c ITIM_RMI.xml -d

Appending information to an existing log file

By default, log file information is deleted and created again each time the RMI Dispatcher starts. To append information to an existing log file before or after the dispatcher starts, change the value of the following entry from false to true in the log4j.properties file: log4j.appender.Default.append. For example,

    log4j.appender.Default.append=true

Managing passwords when restoring accounts

How each restore action interacts with its corresponding managed resource depends on either the managed resource, or the business processes that you implement. Certain resources reject a password when a request is made to restore an account. In this case, you can configure IBM Tivoli Identity Manager to forego the new password requirement. You can set the Oracle eBS Adapter to require a new password when the account is restored, if your company has a business process in place that dictates that the account restoration process must be accompanied by resetting the password.

In the service.def file, you can define whether a password is required as a new protocol option. When you import the adapter profile, if an option is not specified, the adapter profile importer determines the correct restoration password behavior from the schema.dsml file. Adapter profile components also enable remote services to find out if you discard a password that is entered by the user in a situation where multiple accounts on disparate resources are being restored. In this situation, only some of the accounts being restored might require a password. Remote services will discard the password from the restore action for those managed resources that do not require them.

Edit the service.def file to add the new protocol options, for example:

    <Property Name = "com.ibm.itim.remoteservices.ResourceProperties.PASSWORD_NOT_REQUIRED_ON_RESTORE">
        <value>true</value>
    </Property>
    <Property Name = "com.ibm.itim.remoteservices.ResourceProperties.PASSWORD_NOT_ALLOWED_ON_RESTORE">
        <value>false</value>
    </Property>

By adding the two options in the example above, you are ensuring that you will not be prompted for a password when an account is restored.


Chapter 4. Configuring SSL authentication for the Oracle eBS Adapter

When configuring Secure Sockets Layer (SSL) communication for the Tivoli Directory Integrator-based adapters, you are configuring SSL between WebSphere Application Server and Tivoli Directory Integrator. There are steps needed to configure the Tivoli Directory Integrator to use SSL as well as the steps needed to configure WebSphere using the default keystore and default truststore. For additional WebSphere SSL configuration information, see the WebSphere online help available from the WebSphere Application Server Administrative Console.

SSL terminology

SSL server
    For this SSL configuration, the Tivoli Directory Integrator side is the SSL Server. It listens for connection requests.

SSL client
    For these SSL configurations the workstation on which the Tivoli Identity Manager server and the WebSphere Application Server are installed is the SSL client. It issues connection requests to the Tivoli Directory Integrator.

Signed certificates
    A signed digital certificate is an industry-standard method of verifying the authenticity of an entity, such as a server, client, or application. Signed certificates are issued by a third-party certificate authority for a fee. Some utilities, such as the iKeyman utility, can also issue signed certificates. A Certificate Authority or CA certificate must be used to verify the origin of a signed digital certificate.

Signer certificates (Certificate Authority certificates)
    A Certificate Authority (CA) certificate must be used to verify the origin of a signed digital certificate. When an application receives another application’s signed certificate, it uses a CA certificate to verify the originator of the certificate. Many applications, such as Web browsers, are configured with the CA certificates of well-known certificate authorities to eliminate or reduce the task of distributing CA certificates throughout the security zones in a network.

Self-signed certificates
    A self-signed certificate contains information about the owner of the certificate and the owner’s signature. Basically, it is a signed certificate and CA certificate in one. If you choose to use self-signed certificates, you must extract the CA certificate from it in order to configure SSL.

SSL keystore
    The SSL keystore is a key database file designated as a keystore. It contains the SSL certificate.

    Note: The keystore and truststore can be the same physical file.

SSL truststore
    The SSL truststore is a key database file designated as a truststore. The SSL truststore contains the list of signer certificates (CA certificates) that define which certificates the SSL protocol trusts. Only a certificate issued by one of these listed trusted signers is accepted.

    Note: The truststore and keystore can be the same physical file.

One-way SSL authentication
    For one-way SSL, a keystore and certificate is only required on the SSL server side (Tivoli Directory Integrator server) and a truststore is only required on the SSL client side (the Tivoli Identity Manager server).

Two-way SSL authentication (client-side authentication)
    For SSL using two-way SSL (client-side) authentication, both a keystore with a certificate, and a truststore containing the signer certificate that issued the other side’s certificate, are required on both the SSL server and SSL client sides.

SSL configurations

The following steps describe how to configure WebSphere Application Server and

Tivoli Directory Integrator for one-way or two-way SSL communication. If you

need more information about any of the steps, go to the referenced task for the

detailed steps.

Configuring for one-way SSL authentication

To configure one-way SSL perform the following tasks:

1. Create a keystore for the Tivoli Directory Integrator server. See “Creating a keystore for the Tivoli Directory Integrator server” on page 18.

2. Create a truststore for the Tivoli Directory Integrator server. See “Creating a truststore for the Tivoli Directory Integrator server” on page 19.

3. Create a certificate for the Tivoli Directory Integrator server. See “Creating a server-signed certificate for the Tivoli Directory Integrator server” on page 19.

4. Create a CA certificate for the Tivoli Directory Integrator server. See “Creating a CA certificate for Tivoli Directory Integrator” on page 20.

5. Import the Tivoli Directory Integrator CA certificate into the WebSphere Application Server truststore. See “Importing the Tivoli Identity Manager CA certificate into the WebSphere Application Server truststore” on page 22.

6. Configure Tivoli Directory Integrator to use the keystores. See “Configure Tivoli Directory Integrator to use the keystores” on page 20.

Figure 3. One-way SSL authentication (server authentication). Tivoli Identity Manager (SSL client): truststore containing CA certificate “A”. Tivoli Directory Integrator (SSL server): keystore containing certificate “A”.

Note: The editing of the solution.properties file for steps 6, 7, and 8 can be

done in one operation. Doing so eliminates the need for a stop and

restart of the adapter service at the end of steps 6 and 7.

7. Configure Tivoli Directory Integrator to use the truststores. See “Configure

Tivoli Directory Integrator to use the truststores” on page 21.

8. Enable the adapter service to use SSL. See “Enabling the adapter service to

use SSL” on page 21.

9. Stop and restart the adapter service. See “Starting and stopping the adapter

service” on page 7.

10. Stop and restart WebSphere Application Server.

Note: The truststore is not needed on the Tivoli Directory Integrator server for

one-way SSL, but the configuration of truststore is needed for the RMI SSL

initialization to succeed.

Configuring for two-way SSL authentication

To configure two-way SSL perform the following tasks:

1. Create a keystore for the Tivoli Directory Integrator server. See “Creating a keystore for the Tivoli Directory Integrator server” on page 18.

2. Create a truststore for the Tivoli Directory Integrator server. See “Creating a truststore for the Tivoli Directory Integrator server” on page 19.

3. Create a certificate for the Tivoli Directory Integrator server. See “Creating a server-signed certificate for the Tivoli Directory Integrator server” on page 19.

4. Create a CA certificate for the Tivoli Directory Integrator server. See “Creating a CA certificate for Tivoli Directory Integrator” on page 20.

5. Import the Tivoli Directory Integrator CA certificate into the WebSphere Application Server truststore. See “Importing the Tivoli Identity Manager CA certificate into the WebSphere Application Server truststore” on page 22.

6. Configure Tivoli Directory Integrator to use the keystores. See “Configure Tivoli Directory Integrator to use the keystores” on page 20.

Figure 4. Two-way SSL authentication (client authentication). Tivoli Identity Manager (SSL client): truststore containing CA certificate “A” and keystore containing certificate “B”. Tivoli Directory Integrator (SSL server): truststore containing CA certificate “B” and keystore containing certificate “A”.

Note: The editing of the solution.properties file for steps 6, 7, and 8 can be

done in one operation. Doing so eliminates the need for a stop and

restart of the adapter service at the end of steps 6 and 7.

7. Configure Tivoli Directory Integrator to use the truststores. See “Configure

Tivoli Directory Integrator to use the truststores” on page 21.

8. Enable the adapter service to use SSL. See “Enabling the adapter service to

use SSL” on page 21.

9. Create a certificate for the Tivoli Identity Manager server. See “Creating a

signed certificate for the Tivoli Identity Manager server” on page 21.

10. Create a CA certificate for Tivoli Identity Manager. See “Creating a WebSphere

Application Server CA certificate for Tivoli Identity Manager” on page 22.

11. Import WAS CA Certificate into Tivoli Directory Integrator truststore. See

“Importing the WebSphere Application Server CA certificate into the Tivoli

Directory Integrator truststore” on page 20.

12. Stop and restart the adapter service. See “Starting and stopping the adapter

service” on page 7.

13. Stop and restart WebSphere Application Server.

Tasks performed on the SSL server (Tivoli Directory Integrator server workstation)

The Tivoli Directory Integrator acts as the SSL server. All of these tasks are

performed on the Tivoli Directory Integrator server.

Note: The file names and locations such as tdikeys.jks and ITDI_HOME\keys used in these tasks are examples and used for consistency. Your actual file names and locations might be different.

Creating a keystore for the Tivoli Directory Integrator server

A keystore is a database of private keys and the associated certificates needed to

authenticate the corresponding public keys. Digital certificates are stored in a

keystore file. A keystore also manages certificates from trusted entities.

Note: The keystore can be the same physical file as the truststore.

1. Navigate to the ITDI_HOME\jvm\jre\bin directory.

2. Launch the ikeyman.exe file (Windows operating systems) or ikeyman

(Unix/Linux operating systems).

3. Select Key Database File > New.

4. Select key database type of JKS.

5. Type the keystore file name: tdikeys.jks.

6. Type the location: ITDI_HOME\keys.

Note: This directory must already exist, otherwise the step fails.

7. Click OK.

8. Type a password for the keystore, for example, secret.

9. Click OK to continue.

Creating a truststore for the Tivoli Directory Integrator server

A truststore is a database of public keys for target servers. The SSL truststore

contains the list of signer certificates (CA certificates) that define which certificates

the SSL protocol trusts. Only a certificate issued by one of these listed trusted

signers can be accepted.

Note: The truststore can be the same physical file as the keystore. You can skip

this task if you choose to use the same file for keystore and truststore.

1. Navigate to the ITDI_HOME\jvm\jre\bin directory.

2. Launch the ikeyman.exe file (Windows operating systems) or ikeyman (UNIX

or Linux operating systems).

3. Select Key Database File > New.

4. Select key database type of JKS.

5. Type the keystore file name: tditrust.jks.

6. Type the location: ITDI_HOME\keys.

Note: This directory must already exist, otherwise the step fails.

7. Click OK.

8. Type a password for the keystore, for example, secret.

9. Click OK to continue.

Creating a server-signed certificate for the Tivoli Directory Integrator server

A self-signed certificate contains information about the owner of the certificate and

the owner’s signature. This type of certificate is generally used in a testing

environment. It is a signed certificate and CA certificate in one. If you choose to

use self-signed certificates, you must extract the CA certificate from it in order to

configure SSL.

Alternatively, you can purchase a certificate from a well-known authority such as VeriSign, which is generally done in production environments. As another alternative, you can use a certificate server, such as the one included with Microsoft Windows 2003 Advanced Server, to generate your own certificates.

To create the self-signed certificate:

1. Navigate to the ITDI_HOME\jvm\jre\bin directory.

2. Launch the ikeyman.exe file (Windows operating systems) or ikeyman (UNIX or Linux operating systems).

3. Select Key Database File > Open.

4. Browse to the keystore file created previously: ITDI_HOME\keys\tdikeys.jks

5. Enter the keystore password: secret.

6. Select Create > New Self Signed certificate.

7. Set the Key Label to tdiserver.

8. Use your system name (DNS name) as the Common Name (workstation

name).

9. Enter your Organization, for example IBM.

10. Click OK.

Creating a CA certificate for Tivoli Directory Integrator

A Certificate Authority or CA certificate must be used to verify the origin of a

signed digital certificate. When an application receives another application’s signed

certificate, it uses a CA certificate to verify the originator of the certificate. Many

applications, such as Web browsers, are configured with the CA certificates of

well-known certificate authorities to eliminate or reduce the task of distributing CA

certificates throughout the security zones in a network.

1. Extract the Server certificate for client use by selecting Extract Certificate.

2. Select Binary DER data as the data type.

3. Enter the certificate file name: idiserver.der.

4. Enter the location as ITDI_HOME\keys.

5. Click OK.

6. Copy the idiserver.der certificate file to the workstation on which Tivoli

Identity Manager is installed.

Importing the WebSphere Application Server CA certificate into the Tivoli Directory Integrator truststore

1. Copy the SSL Client CA certificate file created in “Creating a WebSphere

Application Server CA certificate for Tivoli Identity Manager” on page 22,

timclient.der, to the ITDI_HOME\keys directory on the workstation on which

Tivoli Directory Integrator is installed.

2. Navigate to the ITDI_HOME\jvm\jre\bin directory.

3. Launch the ikeyman.exe file (Windows operating systems) or ikeyman (UNIX

or Linux operating systems).

4. Select Key Database File > Open.

5. Select key database type of JKS.

6. Type the keystore file name: tditrust.jks.

7. Type the location: ITDI_HOME\keys.

8. Click OK.

9. Click Signer Certificates in the dropdown menu.

10. Click Add.

11. Select Binary DER data as the data type.

12. Use Browse to select the timclient.der file stored in ITDI_HOME\keys.

13. Use timclient as the label.

14. Click OK to continue.

Configure Tivoli Directory Integrator to use the keystores

1. Navigate to the Tivoli Directory Integrator adapters solution directory

(ITDI_HOME\timsol).

2. Open the Tivoli Directory Integrator solution.properties file in an editor.

3. Edit the following lines under client authentication, uncomment them if

necessary, and set the location, password and type of keystore to match the

keystore you created in “Creating a keystore for the Tivoli Directory Integrator

server” on page 18:

javax.net.ssl.keyStore=ITDI_HOME\keys\tdikeys.jks

{protect}-javax.net.ssl.keyStorePassword=secret

javax.net.ssl.keyStoreType=JKS

4. Save your changes.

5. Stop and restart the adapter service. See “Starting and stopping the adapter

service” on page 7.

Configure Tivoli Directory Integrator to use the truststores

1. Navigate to the Tivoli Directory Integrator adapters solution directory

(ITDI_HOME\timsol).

2. Open the Tivoli Directory Integrator solution.properties file in an editor.

3. Edit the following lines under client authentication, uncomment them if

necessary, and set the location, password and type of truststore to match the

truststore you created in “Creating a truststore for the Tivoli Directory

Integrator server” on page 19:

javax.net.ssl.trustStore=ITDI_HOME\keys\tditrust.jks

{protect}-javax.net.ssl.trustStorePassword=secret

javax.net.ssl.trustStoreType=JKS

4. Save your changes.

5. Stop and restart the adapter service. See “Starting and stopping the adapter

service” on page 7.

Enabling the adapter service to use SSL

1. Navigate to the Tivoli Directory Integrator adapters solution directory

(ITDI_HOME\timsol).

2. Open the Tivoli Directory Integrator solution.properties file in an editor.

3. Edit the following two lines depending on the type of secure communications

you want to use.

For no SSL:

com.ibm.di.dispatcher.ssl=false

com.ibm.di.dispatcher.ssl.clientAuth=false

For one-way SSL:

com.ibm.di.dispatcher.ssl=true

com.ibm.di.dispatcher.ssl.clientAuth=false

For two-way SSL:

com.ibm.di.dispatcher.ssl=true

com.ibm.di.dispatcher.ssl.clientAuth=true

4. Save your changes.

5. Stop and restart the adapter service. See “Starting and stopping the adapter

service” on page 7.
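
The following check is an added example, not part of the IBM guide or the product. It reads a solution.properties file, derives the SSL mode from the two dispatcher flags above, and reports missing keystore or truststore lines, use of the guide's example password, and password lines without the {protect}- prefix shown earlier. The simplified parsing, the treatment of a missing flag as false, and all function names are assumptions of this example.

```python
"""Audit dispatcher SSL settings in a solution.properties file (added example)."""

PROTECT_PREFIX = "{protect}-"      # prefix the guide shows on the password lines
GUIDE_EXAMPLE_PASSWORD = "secret"  # example password used throughout the guide
SSL_KEY = "com.ibm.di.dispatcher.ssl"
CLIENT_AUTH_KEY = "com.ibm.di.dispatcher.ssl.clientAuth"

# Constructed sample: the property lines as the guide prints them, two-way SSL.
SAMPLE_AS_PRINTED = r"""
javax.net.ssl.keyStore=ITDI_HOME\keys\tdikeys.jks
{protect}-javax.net.ssl.keyStorePassword=secret
javax.net.ssl.keyStoreType=JKS
javax.net.ssl.trustStore=ITDI_HOME\keys\tditrust.jks
{protect}-javax.net.ssl.trustStorePassword=secret
javax.net.ssl.trustStoreType=JKS
com.ibm.di.dispatcher.ssl=true
com.ibm.di.dispatcher.ssl.clientAuth=true
"""

# Constructed sample: one-way SSL with the truststore lines left commented out.
SAMPLE_NO_TRUSTSTORE = r"""
javax.net.ssl.keyStore=ITDI_HOME\keys\tdikeys.jks
javax.net.ssl.keyStorePassword=constructed-Value-41
javax.net.ssl.keyStoreType=JKS
#javax.net.ssl.trustStore=ITDI_HOME\keys\tditrust.jks
com.ibm.di.dispatcher.ssl=true
com.ibm.di.dispatcher.ssl.clientAuth=false
"""


def parse_properties(text):
    """Return {key: (value, has_protect_prefix)}.

    Simplified reader: '#' and '!' comment lines are skipped and each line is
    split at the first '='; escapes and line continuations are not handled.
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        protected = key.startswith(PROTECT_PREFIX)
        if protected:
            key = key[len(PROTECT_PREFIX):]
        props[key] = (value, protected)
    return props


def _flag(props, key):
    # Assumption of this example: a missing flag is treated as false.
    return props.get(key, ("false", False))[0].lower() == "true"


def ssl_mode(props):
    """Map the two dispatcher flags to the three modes the guide lists."""
    ssl, client_auth = _flag(props, SSL_KEY), _flag(props, CLIENT_AUTH_KEY)
    if not ssl:
        return "unlisted" if client_auth else "none"
    return "two-way" if client_auth else "one-way"


def audit(text):
    """Return (mode, findings); findings is a list of (property, problem)."""
    props = parse_properties(text)
    mode = ssl_mode(props)
    findings = []
    if mode == "unlisted":
        findings.append((CLIENT_AUTH_KEY, "true while ssl=false; not a listed combination"))
    if mode in ("one-way", "two-way"):
        # The guide notes that the truststore must be configured even for
        # one-way SSL, so both stores are required whenever SSL is enabled.
        for store in ("keyStore", "trustStore"):
            for suffix in ("", "Password", "Type"):
                key = f"javax.net.ssl.{store}{suffix}"
                value, protected = props.get(key, ("", False))
                if not value:
                    findings.append((key, "missing or empty"))
                elif suffix == "Password":
                    if value == GUIDE_EXAMPLE_PASSWORD:
                        findings.append((key, "uses the guide's example password"))
                    if not protected:
                        findings.append((key, "lacks the {protect}- prefix"))
    return mode, findings


if __name__ == "__main__":
    for name, sample in (("as printed", SAMPLE_AS_PRINTED),
                         ("no truststore", SAMPLE_NO_TRUSTSTORE)):
        mode, findings = audit(sample)
        print(name, "->", mode)
        for key, problem in findings:
            print("  ", key, ":", problem)
```
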

Tasks performed on the SSL client (Tivoli Identity Manager and WebSphere Application Server workstation)

All the tasks are performed on the server workstation on which Tivoli Identity

Manager and WebSphere Application Server are installed.

Note: The file names and locations such as timclient.der and c:\keys used in these tasks are examples and used for consistency. Your actual file names and locations might be different.

Creating a signed certificate for the Tivoli Identity Manager server

As previously mentioned in the server-side tasks, you can alternatively use a

well-known authority or your own certificate server to generate a certificate. For

these cases, use the Personal certificates requests option under the

NodeDefaultKeyStore step to produce a certificate request to send to the

well-known authority or to your certificate server. You use the accept option under

Personal certificates to load the data sent by the certificate authority in response to

the request.

1. Connect to the WebSphere Application Server Administrative Console.

2. Navigate to Security > SSL certificate and key management > Keystores and

certificates.

3. Select NodeDefaultKeyStore.

4. Select Personal certificates.

5. Select Create a self-signed certificate.

6. Enter appropriate values for the certificate fields:

- Set the Alias to timclient.

- Use your system name (DNS name) as the Common Name (workstation name).

- Enter your Organization, for example IBM.

7. Click OK and save.

8. Extract the CA certificate from the self-signed certificate.

Creating a WebSphere Application Server CA certificate for Tivoli Identity Manager

1. Check the checkbox for the created certificate, and select Extract.

2. Enter a file name: c:\keys\timclient.der.

3. Select Binary DER data as the data type.

4. Click OK.

Importing the Tivoli Identity Manager CA certificate into the WebSphere Application Server truststore

1. Copy the SSL server CA certificate file created in “Creating a CA certificate for

Tivoli Directory Integrator” on page 20, idiserver.der, to the c:\keys directory

on the workstation on which Tivoli Identity Manager is installed.

2. Connect to the WebSphere Application Server Administrative Console.

3. Navigate to Security > SSL certificate and key management > Keystores and

certificates.

4. Select NodeDefaultTrustStore.

5. Select Signer certificates.

6. Click Add.

- Set the Alias to idiserver.

- Specify the file name of the exported Tivoli Directory Integrator server certificate: c:\keys\idiserver.der.

- Select Binary DER data as the data type.

7. Click OK to continue and save.

Chapter 5. Verifying the Oracle eBS Adapter profile installation

If the Oracle eBS Adapter profile is not already installed on your system, you must

import the adapter profile. See “Importing the adapter profile into the Tivoli

Identity Manager server” on page 5 for information about importing the adapter

profile.

After you install the adapter profile, verify that the adapter profile was

successfully installed. If the adapter profile is not installed correctly, the adapter

might not function as it is intended to function.

To verify that the adapter profile was successfully installed, complete these steps.

- Create a service using the Oracle eBS Adapter profile.

- Open an account on the service.

If you are unable to create a service using the Oracle eBS Adapter profile or open

an account on the service, the adapter profile is not installed correctly. You might

need to import the adapter profile again.

Chapter 6. Troubleshooting the Oracle eBS Adapter

Troubleshooting is the process of determining why a product does not function as

it is designed to function. This chapter provides information and techniques for

identifying and resolving problems related to the Oracle eBS Adapter. It also

provides information about troubleshooting errors that might occur during

installation.

Warning and error messages

A warning or error might be displayed in the user interface to provide information

that the user needs to know about the adapter or when an error occurs. Table 3

contains warnings or errors which might be displayed in the user interface if the

Oracle eBS Adapter is installed on your system.

Table 3. Warning and error messages

| Warning or error message | Recommended Action |
|---|---|
| CTGIMT001E The following error occurred. Error: Either the Oracle EBS service name is incorrect or the service is not up. | Ensure that the Oracle database service name given on Tivoli Identity Manager service form is running. |
| CTGIMT001E The following error occurred. Error: Either the Oracle EBS host or port is incorrect. | Verify that the host workstation name or the port for the Oracle eBS database service is correctly specified. |
| CTGIMT002E The login credential is missing or incorrect. | Verify that you have provided correct login credential on service form. |
| CTGIMT001E The following error occurred. Error: No suitable JDBC driver found. | Ensure that the correct version of the JDBC thin driver is copied onto the workstation where the adapter is installed and that the path is included in the system CLASSPATH variable. |
| CTGIMT600E An error occurred while establishing communication with the IBM Tivoli Directory Integrator server. | Tivoli Identity Manager cannot establish a connection with Tivoli Directory Integrator. To fix this problem, ensure that the Tivoli Directory Integrator is running and that the URL specified on the service form for the Tivoli Directory Integrator is correct. |

Logging information format

Logs added to the log file for the adapter or the RMI Dispatcher have the

following format:

Log Level [Assembly Line_ProfileName_Request ID]_

[Connector Name] - message

Log Level

Specifies the logging level that you configured for the adapter. The options

are DEBUG, ERROR, INFO, and WARN. See “Configuring logging for the

adapter” on page 11 for information about using the log4j.properties file to

configure logging.

Assembly Line

Specifies the name of the assembly line that is logging the information.

ProfileName

Specifies the name of the profile. Profile names might vary based on the

adapter that is running or the operating system.

Request ID

Specifies the number of the request. Request number is used to uniquely

identify a specific request.

Connector Name

Specifies the connector for the adapter.

message

Specifies the actual message information.

The example below is an actual message that might be displayed in a log file:

INFO [AssemblyLine.AssemblyLines/OracleManageUserAL_Oracle_test-no-requestid_6bc889c0-2853-11b2-2970-00000a4d445d.1126072314] - [conOracleManageUser] Load Attribute Map
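
The parser below is an added example, not code from the guide or the product. It splits log lines in the format described above into their fields and groups ERROR and WARN messages by request ID, accepting both the separator layout of the format line and that of the sample message. It assumes that assembly-line and profile names contain no underscore; the function names and all log lines other than the guide's sample are constructed.

```python
"""Parse adapter / RMI Dispatcher log lines in the format described above (added example)."""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<level>DEBUG|ERROR|INFO|WARN)\s+"
    r"\[(?P<context>[^\]]+)\]"      # [Assembly Line_ProfileName_Request ID]
    r"[\s_-]*"                      # "_ " in the format line, " - " in the sample
    r"\[(?P<connector>[^\]]+)\]"    # [Connector Name]
    r"\s*(?:-\s+)?(?P<message>.*)$"
)

# The sample message from the guide, joined onto one line.
GUIDE_SAMPLE = (
    "INFO [AssemblyLine.AssemblyLines/OracleManageUserAL_Oracle_test-no-requestid_"
    "6bc889c0-2853-11b2-2970-00000a4d445d.1126072314] - [conOracleManageUser] "
    "Load Attribute Map"
)

# Constructed lines (not from a real system) in the same layout.
CONSTRUCTED_LOG = [
    GUIDE_SAMPLE,
    "ERROR [AssemblyLine.AssemblyLines/OracleManageUserAL_Oracle_req-0001] - "
    "[conOracleManageUser] constructed: connection attempt failed",
    "    at constructed.stack.Frame(Frame.java:1)",
    "WARN [AssemblyLine.AssemblyLines/OracleManageUserAL_Oracle_req-0001] - "
    "[conOracleManageUser] constructed: retrying",
    "ERROR [AssemblyLine.AssemblyLines/OracleManageUserAL_Oracle_req-0002]_ "
    "[conOracleManageUser] - constructed: login rejected",
]


def parse_line(line):
    """Return a dict of fields, or None when the line is not in the adapter format."""
    match = LINE_RE.match(line.strip())
    if match is None:
        return None
    # Assumption: assembly-line and profile names contain no underscore, so the
    # first two underscores delimit them and the remainder is the request ID.
    parts = match.group("context").split("_", 2)
    if len(parts) != 3:
        return None
    assembly_line, profile, request_id = parts
    return {
        "level": match.group("level"),
        "assembly_line": assembly_line,
        "profile": profile,
        "request_id": request_id,
        "connector": match.group("connector"),
        "message": match.group("message"),
    }


def problems_by_request(lines):
    """Group ERROR and WARN messages by request ID; also count unparsed lines."""
    grouped, unparsed = defaultdict(list), 0
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            unparsed += 1  # continuation lines such as stack traces
        elif entry["level"] in ("ERROR", "WARN"):
            grouped[entry["request_id"]].append((entry["level"], entry["message"]))
    return dict(grouped), unparsed


if __name__ == "__main__":
    print(parse_line(GUIDE_SAMPLE))
    print(problems_by_request(CONSTRUCTED_LOG))
```
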

Installer problems on UNIX and Linux platforms

The adapter installer creates temporary files during installation. On the UNIX and

Linux platforms these files are located in the /tmp directory. If the installation has

been interrupted, or if the installer was run with an unsupported JVM, these

temporary files might cause subsequent installations to fail or not to work

correctly.

Symptoms

- The installation completes successfully, but the adapters solution directory is not created.

- The installation completes successfully, but the adapters solution directory is created as a file instead of a directory.

Corrective action

To correct either condition:

1. Remove any of the following files from the /tmp directory:

ITDIAsService.sh

rmITDIAsService.sh

deldispatcher.sh

createdir.sh

copyfiles.sh

copyagentfile.sh

delfiles.sh

copylog4j.sh

2. Run the uninstaller.

3. Edit the ITDI_HOME/etc/global.properties file to remove the following

properties:

ADAPTER_SOLDIR

com.ibm.di.dispatcher.registryPort

com.ibm.di.dispatcher.bindName

com.ibm.di.dispatcher.ssl

com.ibm.di.dispatcher.clientAuth

com.ibm.di.dispatcher.disableConnectorCache

ITDI_HOME

4. Remove the following JAR files from the ITDI_HOME/jars/3rdparty/IBM

directory

itdiAgents.jar

itdiAgents-common.jar

rmi-dispatcher-client.jar

rmi-dispatcher.jar

5. Delete the timsol directory or file.

6. Run the installer again with the correct JVM.

Chapter 7. Uninstalling the Oracle eBS Adapter

To completely uninstall the Oracle eBS Adapter, you need to perform two

procedures:

1. Uninstall the adapter from the Tivoli Directory Integrator server.

2. Remove the adapter profile from the Tivoli Identity Manager server.

Uninstalling the adapter from the Tivoli Directory Integrator server

The Oracle eBS Adapter installation installs the RMI Dispatcher only on the Tivoli Directory Integrator server. Therefore, you only need to uninstall the RMI Dispatcher. There is no uninstall for the Oracle eBS Adapter.

The JAR file needed to uninstall the Oracle eBS Adapter was created in the

ITDI_HOME\DispatcherUninstall directory when the RMI Dispatcher was

installed.

Note: The RMI Dispatcher is required for all Tivoli Directory Integrator-based

adapters. If you uninstall the RMI Dispatcher, none of the other installed

adapters function.

To remove the Oracle eBS Adapter, complete these steps:

1. Stop the adapter service.

2. Run the DispatcherUninstall.jar file. To run the JAR file, double click on the

executable file or enter the following command at the command prompt:

TDI_HOME/jvm/jre/bin/java -jar DispatcherUninstall.jar

Removing the adapter profile from the Tivoli Identity Manager server

Before removing the adapter profile ensure that no objects exist on your Tivoli

Identity Manager server that reference the adapter profile. Examples of objects on

the Tivoli Identity Manager server that can reference the adapter profile are:

- Adapter service instances

- Policies referencing an adapter instance or the profile

- Accounts

For specific information on how to remove the adapter profile, see the online help

or the information center for your Tivoli Identity Manager product.

Appendix A. Adapter attributes

Attribute descriptions

The Tivoli Identity Manager server communicates with the Oracle eBS Adapter

using attributes that are included in transmission packets that are sent over a

network. The combination of attributes, included in the packets, depends on the

type of action that the Tivoli Identity Manager server requests from the Oracle eBS

Adapter.

Table 4 is a listing of the attributes that are used by the Oracle eBS Adapter. The

table gives a brief description, constraints, and permissions. The permissions are:

Read The attribute is reconciled but not modified by the adapter.

Write The attribute is modified by the adapter but not reconciled.

Read and Write

The attribute is reconciled and can be modified by the adapter.

Table 4. Attributes, descriptions, constraints, and permissions

| Attribute | Description | Constraints | Permissions |
|---|---|---|---|
| erAccountStatus | Specifies the status of the account as enabled or disabled. | | Read and Write |
| erLastAccessDate | The user's last login date and time in Oracle eBS. | | Read |
| erOraEBSCust | Customer. | | Read and Write |
| erOraEBSDescription | A short description for the User Name. | The description is limited to a maximum of 240 characters. | Read and Write |
| erOraEBSLeftPwdAccess | Specifies the number of login accesses remaining (from the current day) until the password expires. | The maximum value is 999999999999999. | Read and Write |
| erOraEBSPerson | Person. | | Read and Write |
| erOraEBSPwdAccesses | Specifies the number of login accesses allowed before the password expires. | The maximum value is 999999999999999. | Read and Write |
| erOraEBSPwdLifeSpanDays | Specifies the number of days after which the password expires. | The maximum value is 999999999999999. | Read and Write |
| erOraEBSResp | Specifies the name of responsibility in the form Application_Name\|Responsibility_Name. | | Read and Write |
| erOraEBSSessionNumber | Specifies the session ID. | | Read |
| erOraEBSSupp | Specifies a supplier. | | Read and Write |
| erOraEBSUserEndDate | Specifies the user's effective end date. | | Read and Write |
| erOraEBSUserFax | Specifies the user's fax number. | The fax number is limited to a maximum of 80 characters. | Read and Write |
| erOraEBSUserMail | Specifies the user's e-mail address. | The e-mail address is limited to a maximum of 240 characters. | Read and Write |
| erOraEBSStartDate | Specifies the user's effective start date. | | Read and Write |
| erPassword | Specifies the password for the user name. | The password is limited to a maximum of 45 characters. | Write |
| erUid | Specifies the user name. | The user name is limited to a maximum of 100 characters. | Read and Write |

Attributes by Oracle eBS Adapter actions

The following lists are typical Oracle eBS Adapter actions by their functional

transaction group. The lists include more information about required and optional

attributes sent to the Oracle eBS Adapter to complete that action.

System Login Add

A System Login Add is a request to create a new user account with the specified

attributes.

Table 5. Add request attributes for Oracle

| Required attribute | Optional attribute |
|---|---|
| erUid, erPassword | All other supported attributes |

System Login Change

A System Login Change is a request to change one or more attributes for the

specified users.

Table 6. Change request attributes for Oracle

| Required attribute | Optional attribute |
|---|---|
| erUid | All other supported attributes |

Note: An account rename, that is, an erUid change, is not supported.

System Login Delete

Note: This operation is not supported.

System Login Suspend

A System Login Suspend is a request to disable a user account. The user is neither

removed nor are their attributes modified.

Table 7. Suspend request attributes for Oracle

| Required attribute | Optional attribute |
|---|---|
| erUid, erAccountStatus | None |

System Login Restore

A System Login Restore is a request to activate a user account that was previously

suspended. Once an account is restored, the user can access the system with the

same attributes as those before the Suspend function was called.

Table 8. Restore request attributes for Oracle

| Required attribute | Optional attribute |
|---|---|
| erUid, erAccountStatus | None |

Test

The following table identifies attributes needed to test the connection.

Table 9. Test attributes

| Required attribute | Optional attribute |
|---|---|
| None | None |

Reconciliation

The Reconciliation request synchronizes user account information between Tivoli

Identity Manager and the adapter.

Table 10. Reconciliation request attributes for Oracle

Required attribute Optional attribute

None None


Appendix B. Installing on a zOS operating system

To install the adapters on the zOS UNIX file system, you only need to install the

RMI Dispatcher because the adapter uses the Tivoli Directory Integrator JDBC

connector that is available with the base Tivoli Directory Integrator product.

RMI Dispatcher installation:

1. Locate the delivered adapter compressed file.

2. Extract the contents of the compressed file into a temporary directory and

navigate to that directory.

3. From the temporary directory, locate and navigate to the zSystem directory.

4. Under the zSystem directory, locate the following two files:

   - Dispatcher.tar
   - instDispatcher_zOS.sh

   Note: Dispatcher.tar is a binary UNIX tar file and instDispatcher_zOS.sh is a UNIX shell script.

5. Transfer the two files to the zOS workstation where the adapter is to be

installed. Both files must be copied to the same directory.

6. Set the execution flag on instDispatcher_zOS.sh:

chmod +x instDispatcher_zOS.sh

7. Run the installer by issuing the command:

./instDispatcher_zOS.sh

The following dialog is displayed.

Note: The path given in the following example might be different on your system.

    ************************************************
    ITIM RMI Dispatcher Installation Program
    ************************************************
    You will prompted to enter the following information:
    TDI home directory.
    Your TDI solution directory.
    Make sure you have the above information available and
    the Dispatcher.jar is located in the current directory
    before you continue
    1. Install
    2. Quit
    Please enter choice: 1
    Extracting content of Dispatcher...
    Enter TDI home directory,
    Hit [Enter] to accept [/usr/lpp/itdi]
    or type new value (full path):
    Enter the solution directory name (full path): /u/user2/rmi/soldir
    extracting content of Dispatcher.jar...
    setting up solution directory tree /u/user2/rmi/soldir...
    getting files from TDI home directory /usr/lpp/itdi...
    updating /u/user2/rmi/soldir/solution.properties file...
    getting dispatcher files from /u/user2/rmi/Dispatcher...
    updating /u/user2/rmi/soldir/ITIMAd file...
    Installation complete, press any key to continue...

After the installation of the adapter is complete, to verify the startup and

shutdown of the adapter go to “Starting and stopping the adapter service” on page

7.


Appendix C. Running in Federal Information Processing Standards compliance mode

Note: Tivoli Directory Integrator 6.1.1 is not fully FIPS 140-2 compliant.

Tivoli Directory Integrator uses the Java Secure Socket Extension (JSSE) for SSL communication, which is FIPS 140-2 compliant. IBMJSSEFIPS is the provider name for the pure Java JSSE FIPS 140-2 implementation. You need to include this provider name, using the correct case, in the java.security file located in the ITDI_HOME/jvm/jre/lib/security directory.

security.provider.1=com.ibm.fips.jsse.IBMJSSEFIPSProvider

The RMI dispatcher code runs within the Tivoli Directory Integrator JVM. Tivoli

Directory Integrator must be configured to run in FIPS mode. See the Tivoli

Directory Integrator documentation for detailed information on how to set or

change security providers.
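A check for the provider entry described above, as an added example that is not part of the IBM guide: it reads a java.security file and reports whether security.provider.1 names the IBMJSSEFIPS provider class with the exact case shown. The function name, the status words, and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# check_fips_provider FILE
# Prints one status word and returns 0 only when security.provider.1 is the
# IBMJSSEFIPS provider class with the exact case given in the guide.
#   ok          provider 1 is com.ibm.fips.jsse.IBMJSSEFIPSProvider
#   wrong-case  provider 1 matches only when case is ignored
#   wrong-slot  the class is listed, but not as provider 1
#   missing     the class is not listed at all
#   unreadable  the file cannot be read (return code 2)
FIPS_CLASS='com.ibm.fips.jsse.IBMJSSEFIPSProvider'

check_fips_provider() {
    [ -r "$1" ] || { echo "unreadable"; return 2; }
    status=$(awk -v want="$FIPS_CLASS" '
        /^[ \t]*[#!]/ { next }                      # skip comment lines
        /^[ \t]*security\.provider\.[0-9]+[ \t]*[=:]/ {
            line = $0
            sub(/^[ \t]*security\.provider\./, "", line)
            n = line; sub(/[^0-9].*$/, "", n)       # provider number
            v = line; sub(/^[0-9]+[ \t]*[=:][ \t]*/, "", v)
            sub(/[ \t\r]+$/, "", v)                 # trailing blanks or CR
            val[n + 0] = v                          # a later duplicate key wins
        }
        END {
            if (val[1] == want)                   { print "ok"; exit }
            if (tolower(val[1]) == tolower(want)) { print "wrong-case"; exit }
            for (k in val)
                if (tolower(val[k]) == tolower(want)) { print "wrong-slot"; exit }
            print "missing"
        }' "$1")
    echo "$status"
    [ "$status" = "ok" ]
}

# Constructed sample (not taken from a real installation): the provider is
# present as provider 1 but typed in lower case, so the check fails.
sample="${TMPDIR:-/tmp}/java.security.sample.$$"
printf '%s\n' \
    '# constructed sample java.security fragment' \
    'security.provider.1=com.ibm.fips.jsse.ibmjssefipsprovider' \
    'security.provider.2=com.ibm.crypto.provider.IBMJCE' > "$sample"
check_fips_provider "$sample" || echo "provider 1 is not the FIPS JSSE provider"
rm -f "$sample"
```

On a real system, pass the path of the java.security file in the ITDI_HOME/jvm/jre/lib/security directory as the argument.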


Appendix D. Accessibility features for the Oracle eBS Adapter

Accessibility features help a user who has a physical disability, such as restricted

mobility or limited vision, to use information technology products successfully.

Accessibility features

The following list includes the major accessibility features in the Oracle eBS

Adapter. These features support:

- Keyboard-only operation.
- Interfaces that are commonly used by screen readers.
- Keys that are tactilely discernible and do not activate just by touching them.
- Industry-standard devices for ports and connectors.
- The attachment of alternative input and output devices.
- Documentation is available in convertible PDF format to give the maximum opportunity for users to apply screen-reader software.
- All images in the documentation are provided with alternative text so that users with vision impairments can understand the contents of the images.

Note: The IBM Tivoli Identity Manager Information Center and its related

publications are accessibility-enabled for the IBM Home Page Reader. You

can operate all features using the keyboard instead of the mouse.

Keyboard navigation

This product uses standard Microsoft Windows navigation keys.

IBM and accessibility

See the IBM Accessibility Center at http://www.ibm.com/able for more information

about the commitment that IBM has to accessibility.


Appendix E. Support information

Use the following options to obtain support for IBM products:

- “Searching knowledge bases”
- “Contacting IBM Software Support”

Searching knowledge bases

If you have a problem with your IBM software, you want it resolved quickly. Begin

by searching the available knowledge bases to determine whether the resolution to

your problem is already documented.

Search the information center on your local system or network

IBM provides extensive documentation that can be installed on your local

computer or on an intranet server. You can use the search function of this

information center to query conceptual information, instructions for completing

tasks, reference information, and support documents.

Search the Internet

If you cannot find an answer to your question in the information center, search the

Internet for the latest, most complete information that might help you resolve your

problem. To locate Internet resources for your product, open one of the following

Web sites:

- Performance and tuning information
  Provides information needed to tune your production environment, available on the Web at:
  http://publib.boulder.ibm.com/tividd/td/tdprodlist.html
  Click the I character in the A-Z product list to locate IBM Tivoli Identity Manager products. Click the link for your product, and then browse the information center for the Technical Supplements section.
- Redbooks and white papers are available on the Web at:
  http://www.ibm.com/software/sysmgmt/products/support/IBMTivoliIdentityManager.html
  Browse to the Self Help section, in the Learn category, and click the Redbooks link.
- Technotes are available on the Web at:
  http://www.redbooks.ibm.com/redbooks.nsf/tips/
- Field guides are available on the Web at:
  http://www.ibm.com/software/sysmgmt/products/support/Field_Guides.html
- For an extended list of other Tivoli Identity Manager resources, search the following IBM developerWorks Web address:
  http://www.ibm.com/developerworks/

Contacting IBM Software Support

IBM Software Support provides assistance with product defects.


Before contacting IBM Software Support, your company must have an active IBM

software maintenance contract, and you must be authorized to submit problems to

IBM. The type of software maintenance contract that you need depends on the

type of product you have:

- For IBM distributed software products (including, but not limited to, Tivoli, Lotus®, and Rational® products, as well as DB2 and WebSphere products that run on Windows or UNIX operating systems), enroll in Passport Advantage® in one of the following ways:
  – Online: Go to the Passport Advantage Web page (http://www.lotus.com/services/passport.nsf/WebDocs/Passport_Advantage_Home) and click How to Enroll
  – By phone: For the phone number to call in your country, go to the IBM Software Support Web site (http://techsupport.services.ibm.com/guides/contacts.html) and click the name of your geographic region.
- For IBM eServer™ software products (including, but not limited to, DB2 and WebSphere products that run in zSeries®, pSeries®, and iSeries™ environments), you can purchase a software maintenance agreement by working directly with an IBM sales representative or an IBM Business Partner. For more information about support for eServer software products, go to the IBM Technical Support Advantage Web page (http://www.ibm.com/servers/eserver/techsupport.html).

If you are not sure what type of software maintenance contract you need, call

1-800-IBMSERV (1-800-426-7378) in the United States or, from other countries, go to

the contacts page of the IBM Software Support Handbook on the Web

(http://techsupport.services.ibm.com/guides/contacts.html) and click the name of

your geographic region for phone numbers of people who provide support for

your location.

Follow the steps in this topic to contact IBM Software Support:

1. Determine the business impact of your problem.

2. Describe your problem and gather background information.

3. Submit your problem to IBM Software Support.

Determine the business impact of your problem

When you report a problem to IBM, you are asked to supply a severity level.

Therefore, you need to understand and assess the business impact of the problem

you are reporting. Use the following criteria:

Severity 1    Critical business impact: You are unable to use the program, resulting in a critical impact on operations. This condition requires an immediate solution.

Severity 2    Significant business impact: The program is usable but is severely limited.

Severity 3    Some business impact: The program is usable with less significant features (not critical to operations) unavailable.

Severity 4    Minimal business impact: The problem causes little impact on operations, or a reasonable circumvention to the problem has been implemented.


Describe your problem and gather background information

When explaining a problem to IBM, be as specific as possible. Include all relevant

background information so that IBM Software Support specialists can help you

solve the problem efficiently. To save time, know the answers to these questions:

- What software versions were you running when the problem occurred?
- Do you have logs, traces, and messages that are related to the problem symptoms? IBM Software Support is likely to ask for this information.
- Can the problem be re-created? If so, what steps led to the failure?
- Have any changes been made to the system? (For example, hardware, operating system, networking software, and so on.)
- Are you currently using a workaround for this problem? If so, please be prepared to explain it when you report the problem.

Submit your problem to IBM Software Support

You can submit your problem in one of two ways:

- Online: Go to the “Submit and track problems” page on the IBM Software Support site (http://www.ibm.com/software/support/probsub.html). Enter your information into the appropriate problem submission tool.
- By phone: For the phone number to call in your country, go to the contacts page of the IBM Software Support Handbook on the Web (http://techsupport.services.ibm.com/guides/contacts.html) and click the name of your geographic region.

If the problem you submit is for a software defect or for missing or inaccurate

documentation, IBM Software Support creates an Authorized Program Analysis

Report (APAR). The APAR describes the problem in detail. Whenever possible,

IBM Software Support provides a workaround for you to implement until the

APAR is resolved and a fix is delivered. IBM publishes resolved APARs on the

IBM product support Web pages daily, so that other users who experience the

same problem can benefit from the same resolutions.

For more information about problem resolution, see Searching knowledge bases.


Appendix F. Notices

This information was developed for products and services offered in the U.S.A.

IBM may not offer the products, services, or features discussed in this document in

other countries. Consult your local IBM representative for information on the

products and services currently available in your area. Any reference to an IBM

product, program, or service is not intended to state or imply that only that IBM

product, program, or service may be used. Any functionally equivalent product,

program, or service that does not infringe any IBM intellectual property right may

be used instead. However, it is the user’s responsibility to evaluate and verify the

operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter

described in this document. The furnishing of this document does not give you

any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing

IBM Corporation

North Castle Drive

Armonk, NY 10504-1785

U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM

Intellectual Property Department in your country or send inquiries, in writing, to:

IBM World Trade Asia Corporation

Licensing

2-31 Roppongi 3-chome, Minato-ku

Tokyo 106-0032, Japan

The following paragraph does not apply to the United Kingdom or any other

country where such provisions are inconsistent with local law:

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS

PUBLICATION “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER

EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED

WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS

FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or

implied warranties in certain transactions, therefore, this statement may not apply

to you.

This information could include technical inaccuracies or typographical errors.

Changes are periodically made to the information herein; these changes will be

incorporated in new editions of the publication. IBM may make improvements

and/or changes in the product(s) and/or the program(s) described in this

publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for

convenience only and do not in any manner serve as an endorsement of those Web

sites. The materials at those Web sites are not part of the materials for this IBM

product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it

believes appropriate without incurring any obligation to you.


Licensees of this program who wish to have information about it for the purpose

of enabling: (i) the exchange of information between independently created

programs and other programs (including this one) and (ii) the mutual use of the

information which has been exchanged should contact:

IBM Corporation

2ZA4/101

11400 Burnet Road

Austin, TX 78758

U.S.A.

Such information may be available, subject to appropriate terms and conditions,

including in some cases, payment of a fee.

The licensed program described in this information and all licensed material

available for it are provided by IBM under terms of the IBM Customer Agreement,

IBM International Program License Agreement, or any equivalent agreement

between us.

Any performance data contained herein was determined in a controlled

environment. Therefore, the results obtained in other operating environments may

vary significantly. Some measurements may have been made on development-level

systems and there is no guarantee that these measurements will be the same on

generally available systems. Furthermore, some measurements may have been

estimated through extrapolation. Actual results may vary. Users of this document

should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of

those products, their published announcements or other publicly available sources.

IBM has not tested those products and cannot confirm the accuracy of

performance, compatibility or any other claims related to non-IBM products.

Questions on the capabilities of non-IBM products should be addressed to the

suppliers of those products.

Trademarks

IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of

International Business Machines Corporation in the United States, other countries,

or both. If these and other IBM trademarked terms are marked on their first

occurrence in this information with a trademark symbol (® or ™), these symbols

indicate U.S. registered or common law trademarks owned by IBM at the time this

information was published. Such trademarks may also be registered or common

law trademarks in other countries. A current list of IBM trademarks is available on

the Web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml.

Adobe, Acrobat, Portable Document Format (PDF), and PostScript are either

registered trademarks or trademarks of Adobe Systems Incorporated in the United

States, other countries, or both.

Cell Broadband Engine and Cell/B.E. are trademarks of Sony Computer

Entertainment, Inc., in the United States, other countries, or both and is used under

license therefrom.


Java and all Java-based trademarks are trademarks of Sun

Microsystems, Inc. in the United States, other countries, or

both.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of

Microsoft Corporation in the United States, other countries, or both.

Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo,

Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or

registered trademarks of Intel Corporation or its subsidiaries in the United States

and other countries.

UNIX is a registered trademark of The Open Group in the United States and other

countries.

Linux is a trademark of Linus Torvalds in the U.S., other countries, or both.

ITIL is a registered trademark, and a registered community trademark of the Office

of Government Commerce, and is registered in the U.S. Patent and Trademark

Office.

IT Infrastructure Library is a registered trademark of the Central Computer and

Telecommunications Agency which is now part of the Office of Government

Commerce.

Other company, product, and service names may be trademarks or service marks

of others.




Printed in USA

SC23-9919-00