How To Use An Org.Org Adapter On An Org Powerbook (Orb) With An Org Idm.Org (Orber) Powerbook With An Adapter (Orbor) With A Powerbook 2 (Orbi) With The Power

Transcription

1 Tivoli Identity Manager Version 4.6 Oracle ERP Adapter Installation and Configuration Guide SC

2

3 Tivoli Identity Manager Version 4.6 Oracle ERP Adapter Installation and Configuration Guide SC

4 Note: Before using this information and the product it supports, read the information in Appendix C, Notices, on page 65. Third Edition (June 2005) This edition applies to version 4.6 of this adapter and to all subsequent releases and modifications until otherwise indicated in new editions. Copyright International Business Machines Corporation 2003, All rights reserved. US Government Users Restricted Rights Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

5 Contents Preface v Who should read this book v Publications and related information......v Tivoli Identity Manager library v Prerequisite Product Publications vii Related Publications viii Accessing publications online viii Accessibility viii Support information viii Conventions used in this book ix Typeface conventions ix Operating system differences ix Definitions for HOME and other directory variables x Chapter 1. Overview of the Oracle ERP adapter Features of the adapter Chapter 2. Installing and configuring the Oracle ERP adapter Prerequisites Installing the adapter Importing the adapter profile into the IBM Tivoli Identity Manager Server Importing the adapter profile Creating an Oracle ERP service Configuring the adapter Chapter 3. Configuring the Oracle ERP Adapter for IBM Tivoli Identity Manager. 9 Starting the adapter configuration tool Viewing configuration settings Changing protocol configuration settings Configuring event notification Setting event notification triggers Modifying an event notification context Changing the configuration key Changing activity logging settings Changing registry settings Modifying non-encrypted registry settings...21 Modifying encrypted registry settings Changing advanced settings Viewing statistics Changing code page settings Accessing help and additional options Chapter 4. Oracle services modifications Accessing the service configuration tool main menu 29 Viewing current Oracle services Adding a new Oracle service Example of adding an Oracle service Modifying an Oracle service Example of modifying an Oracle service Removing an Oracle service Example of removing an Oracle service Testing an Oracle connection Example of testing an Oracle connection Chapter 5. Configuring SSL authentication for the Oracle ERP Adapter Overview of SSL and digital certificates Private keys, public keys, and digital certificates 36 Self-signed certificates Certificate and key formats The use of SSL authentication Configuring certificates for SSL authentication...38 Configuring certificates for one-way SSL authentication Configuring certificates for two-way SSL authentication Configuring certificates when the adapter operates as an SSL client Managing SSL certificates using CertTool Starting CertTool Generating a private key and certificate request 43 Installing the certificate Installing the certificate and key from a PKCS12 file Viewing the installed certificate Installing a CA certificate Viewing CA certificates Deleting a CA certificate Viewing registered certificates Registering a certificate Unregistering a certificate Exporting a certificate and key to PKCS12 file..47 Chapter 6. Customizing the Oracle ERP adapter Copy the ERPProfile.jar file and extract the files..49 Create a new JAR file and install the new attributes on the IBM Tivoli Identity Manager Server Managing passwords when restoring accounts...50 Chapter 7. Upgrading the Oracle ERP Adapter or the ADK Upgrading the Oracle ERP adapter Upgrading the ADK Log files Chapter 8. Uninstalling the Oracle ERP adapter Appendix A. Adapter attributes Copyright IBM Corp. 2003, 2005 iii

6 Attributes descriptions Attributes by Oracle ERP Adapter actions System Login Add System Login Change System Login Delete System Login Suspend System Login Restore Reconciliation Appendix B. Support information Searching knowledge bases Search the information center on your local system or network Search the Internet Contacting IBM Software Support Determine the business impact of your problem 62 Describe your problem and gather background information Submit your problem to IBM Software Support 63 Appendix C. Notices Trademarks Index iv IBM Tivoli Identity Manager: Oracle ERP Adapter Installation and Configuration Guide

7 Preface Who should read this book The IBM Tivoli Identity Manager Oracle ERP for Windows Adapter (Oracle ERP Adapter) enables connectivity between the IBM Tivoli Identity Manager Server and a network of systems running the Oracle ERP resources. After the adapter is installed and configured, IBM Tivoli Identity Manager manages access to Windows resources with your site s security system. This manual describes how to install and prepare an Oracle ERP Adapter. Note: The program that is used to connect the managed resource to the IBM Tivoli Identity Manager Server is now called an adapter. The term adapter replaces the previously used term agent. The user interface used to configure the adapter still refers to an adapter as an agent. This book is intended for Oracle ERP resources security administrators responsible for installing software on their site s computer systems. Readers are expected to understand Windows and Oracle ERP resources concepts. The person completing the Oracle ERP Adapter installation procedure must also be familiar with their site system standards and needs to have appropriate Windows and Oracle experience and knowledge. Readers should be able to perform routine Windows and Oracle system and security administration tasks. Publications and related information Read the descriptions of the IBM Tivoli Identity Manager library. To determine which additional publications you might find helpful, read the Prerequisite Product Publications on page vii and the Related Publications on page viii. After you determine the publications you need, refer to the instructions in Accessing publications online on page viii. Tivoli Identity Manager library The publications in the technical documentation library for your product are organized into the following categories: v Release information v Online user assistance v Server installation and configuration v Problem determination v Technical supplements v Adapter installation and configuration Release Information: v Release Notes Provides software and hardware requirements for the product, and additional fix, patch, and other support information. v Read This First Card Lists the publications for the product. Online user assistance: Copyright IBM Corp. 2003, 2005 v

8 Provides online help topics and an information center for administrative tasks. Server installation and configuration: Provides installation and configuration information for the product server. Problem determination: Provides problem determination, logging, and message information for the product. Technical supplements: The following technical supplements are provided by developers or by other groups who are interested in this product: v Performance and tuning information Provides information needed to tune your production environment, available on the Web at: Click the I character in the A-Z product list to locate IBM Tivoli Identity Manager products. Click the link for your product, and then browse the information center for the Technical Supplements section. v Redbooks and white papers are available on the Web at: IBMTivoliIdentityManager.html Browse to the Self Help section, in the Learn category, and click the Redbooks link. v Technotes are available on the Web at: v Field guides are available on the Web at: v For an extended list of other Tivoli Identity Manager resources, search the following IBM developerworks Web address: Adapter installation and configuration: The technical documentation library also includes a set of platform-specific installation documents for the adapter components of the product. Adapter information is available on the Web at: Passport_Advantage_Home Click Support & downloads. Browse to the Downloads and drivers. Click the link for the adapter. Skills and training: The following additional skills and technical training information were available at the time that this manual was published: v Virtual Skills Center for Tivoli Software on the Web at: vi IBM Tivoli Identity Manager: Oracle ERP Adapter Installation and Configuration Guide

9 v Tivoli Education Software Training Roadmaps on the Web at: v Tivoli Technical Exchange on the Web at: supp_tech_exch.html Prerequisite Product Publications To use the information in this book effectively, you must have knowledge of the products that are prerequisites for your product. Publications are available from the following locations: v Oracle ERP resources v Operating systems IBM AIX Solaris Operating Environment Red Hat Linux Microsoft Windows Server v Database servers IBM DB2 Universal Database - Support: - Information center: index.jsp - Documentation: winos2unix/support/v8pubs.d2w/en_main - DB2 product family: - Fix packs: downloadv8.html - System requirements: sysreqs.html Oracle Microsoft SQL Server v Directory server applications IBM Directory Server en_us/html/ldapinst.htm Sun ONE Directory Server Preface vii

10 Related Accessibility v WebSphere Application Server Additional information is available in the product directory or Web sites. v WebSphere embedded messaging v IBM HTTP Server Publications Information that is related to your product is available in the following publications: v The Tivoli Software Library provides a variety of Tivoli publications such as white papers, datasheets, demonstrations, redbooks, and announcement letters. The Tivoli Software Library is available on the Web at: v The Tivoli Software Glossary includes definitions for many of the technical terms related to Tivoli software. The Tivoli Software Glossary is available from the Glossary link of the Tivoli Software Library Web page at: Accessing publications online IBM posts publications for this and all other Tivoli products, as they become available and whenever they are updated, to the Tivoli software information center Web site. Access the Tivoli software information center at the following Web address: Click the I character in the A-Z list, and then click the link for your product to access the product library. Note: If you print PDF documents on other than letter-sized paper, set the option in the File Print window that allows Adobe Reader to print letter-sized pages on your paper. The product documentation includes the following features to aid accessibility: v Documentation is available in convertible PDF format to give the maximum opportunity for users to apply screen-reader software. v All images in the documentation are provided with alternative text so that users with vision impairments can understand the contents of the images. Support information If you have a problem with your IBM software, you want to resolve it quickly. IBM provides the following ways for you to obtain the support you need: v Searching knowledge bases: You can search across a large collection of known problems and workarounds, Technotes, and other information. viii IBM Tivoli Identity Manager: Oracle ERP Adapter Installation and Configuration Guide

11 v Contacting IBM Software Support: If you still cannot solve your problem, and you need to work with someone from IBM, you can use a variety of ways to contact IBM Software Support. For more information about these ways to resolve problems, see Appendix B, Support information, on page 61. Conventions used in this book Typeface This reference uses several conventions for special terms and actions and for operating system-dependent commands and paths. conventions This guide uses the following typeface conventions: Bold Italic v Lowercase commands and mixed case commands that are otherwise difficult to distinguish from surrounding text v Interface controls (check boxes, push buttons, radio buttons, spin buttons, fields, folders, icons, list boxes, items inside list boxes, multicolumn lists, containers, menu choices, menu names, tabs, property sheets), labels (such as Tip:, and Operating system considerations:) v Keywords and parameters in text v Words defined in text v Emphasis of words (words as words) v New terms in text (except in a definition list) v Variables and values you must provide Monospace v Examples and code examples v File names, programming keywords, and other elements that are difficult to distinguish from surrounding text v Message text and prompts addressed to the user v Text that the user must type v Values for arguments or command options Operating system differences This guide uses the UNIX convention for specifying environment variables and for directory notation. When using the Windows command line, replace $variable with %variable% for environment variables and replace each forward slash (/) with a backslash (\) in directory paths. The names of environment variables are not always the same in Windows and UNIX. For example, %TEMP% in the Windows operating system is equivalent to $tmp in a UNIX operating system. Note: If you are using the bash shell on a Windows system, you can use the UNIX conventions. Preface ix

12 Definitions for HOME and other directory variables The following table contains the default definitions that are used in this guide to represent the HOME directory level for various product installation paths. You can customize the installation directory and HOME directory for your specific implementation. If this is the case, you need to make the appropriate substitution for the definition of each variable represented in this table. The value of path varies for these operating systems: v Windows: drive:\program Files v AIX: /usr v Other UNIX: /opt Path Variable Default Definition Description DB_INSTANCE_HOME Windows: path\ibm\sqllib UNIX: v AIX, Linux: /home/dbinstancename v Solaris: /export/home/dbinstancename LDAP_HOME v For IBM Directory Server Version 5.2 Windows: path\ibm\ldap UNIX: path/ibm/ldap AIX, Linux: path/ldap Solaris: path/ibmldaps v For IBM Directory Server Version 6.0 Windows: path\ibm\ldap UNIX: /opt/ibm/ldap/ AIX, Solaris: /opt/ibm/ldap/ Linux: /opt/ibm/ldap/ v For Sun ONE Directory Server Windows: path\sun\mps UNIX: /var/sun/mps The directory that contains the database for your Tivoli Identity Manager product. The directory that contains the directory server code. x IBM Tivoli Identity Manager: Oracle ERP Adapter Installation and Configuration Guide

13 Path Variable Default Definition Description IDS_instance_HOME For IBM Directory Server Version 6.0 Windows: drive\ idsslapd-instance_owner_name The value of drive might be C:\. An example of instance_owner_name might be ldapdb2. For example, the log file might be C:\idsslapd-ldapdb2\logs\ ibmslapd.log. UNIX: INSTANCE_HOME/idsslapd-instance_name The directory that contains the IBM Directory Server Version 6.0 instance. HTTP_HOME ITIM_HOME WAS_HOME WAS_MQ_HOME WAS_NDM_HOME Tivoli_Common_Directory On Linux and AIX systems, the default home directory is the /home/instance_name/idsslapdinstance_name directory. On Solaris systems, for example, the directory is the /export/home/ldapdb2/idsslapdldapdb2. directory. Windows: path\ibmhttpserver UNIX: path/ibmhttpserver Windows: path\ibm\itim UNIX: path/ibm/itim Windows: path\websphere\appserver UNIX: path/websphere/appserver Windows: path\ibm\websphere MQ UNIX: path/mqm Windows: path\websphere\deploymentmanager UNIX: path/websphere/deploymentmanager Windows: path\ibm\tivoli\common\ UNIX: path/ibm/tivoli/common/ The directory that contains the IBM HTTP Server code. The base directory that contains the Tivoli Identity Manager code, configuration, and documentation. The WebSphere Application Server home directory The directory that contains the WebSphere MQ code. The home directory on the Deployment Manager The central location for all serviceability-related files, such as logs and first-failure data capture Preface xi

14 xii IBM Tivoli Identity Manager: Oracle ERP Adapter Installation and Configuration Guide

15 Chapter 1. Overview of the Oracle ERP adapter Features of the adapter An adapter is a program that provides an interface between a managed resource and the IBM Tivoli Identity Manager Server. Adapters might or might not reside on the managed resource and the IBM Tivoli Identity Manager Server manages access to the resource by using your security system. Adapters function as trusted virtual administrators on the target platform, performing such tasks as creating login IDs, suspending IDs, and performing other functions administrators normally run manually. The adapter runs as a service, independent of whether or not a user is logged on to the IBM Tivoli Identity Manager Server. The IBM IBM Tivoli Identity Manager Oracle ERP Adapter enables connectivity between the IBM Tivoli Identity Manager Server and the Oracle ERP resources. This installation guide provides the basic information that you need to install and configure the Oracle ERP Adapter. This chapter provides an overview of the adapter and the features of the adapter. You can use the Oracle ERP Adapter to automate the following administrative tasks: v Creating an Oracle ERP account. v Changing an Oracle ERP account. v Suspending an Oracle ERP account. v Restoring an Oracle ERP account. v Reconciling all Oracle ERP accounts and supported data. Copyright IBM Corp. 2003,

16 2 IBM Tivoli Identity Manager: Oracle ERP Adapter Installation and Configuration Guide

17 Chapter 2. Installing and configuring the Oracle ERP adapter Installing and configuring the Oracle ERP Adapter involves several steps that you must complete in the appropriate sequence. Review the prerequisites before you begin the installation process. You can also create an account on the managed resource for the adapter to use. Prerequisites Table 1 identifies hardware, software, and authorization prerequisites to install the Oracle ERP Adapter. Verify that all of the prerequisites have been met before installing the Oracle ERP Adapter. Table 1. Prerequisites to install the adapter System v A 32-bit x86-based microprocessor. Operating System v Windows 2000 v A minimum of 256 MB of memory. v A minimum of 300 MB of free disk space. v Windows 2003 v Windows XP Oracle Client Software v 8i, versions and later v 9i Note: The system where the Oracle ERP Application software is installed must be able to communicate to the system where the adapter is installed. Oracle Server Software ERP 11i Network Connectivity TCP/IP network System Administrator The person completing the Oracle ERP Adapter Authority installation procedure must have system administrator authority to complete the steps in this chapter. IBM Tivoli Identity Manager Version 4.6 Server Installing the adapter The IBM Tivoli Identity Manager Oracle ERP Adapter installation files are available for download from the IBM Web site. Contact your IBM account representative for the Web address and download instructions. In order to install the adapter, complete the following steps: 1. Download the Oracle ERP Adapter installation compressed file from the IBM Web site. 2. Extract the contents of the file into a temporary directory. For example, C:/Temp. 3. Start the installation program using the setup.exe file in the temporary directory. For example, select Run... from the Start menu, and type C:\Temp\Setup.exe, in the Open field. Copyright IBM Corp. 2003,

18 4. On the Welcome window, click Next. 5. On the License Agreement window, review the license agreement and decide if you accept the terms of the license. If you do, select Accept and then click Next. 6. On the Select Destination Directory window, specify where you want to install the adapter in the Directory Name field. You can accept the default location, or click Browse to specify a different directory. Then, click Next. Figure 1. Select Destination Directory window 7. On the Oracle ERP Service Names window, type the following information: Oracle ERP service name, Oracle ERP account name, and Oracle ERP account password. Then select the Oracle version you are using and then click Next. Oracle Instances must define service names before the adapter works properly. The service names are case sensitive. Oracle ERP Service Name Specifies the service name for the database instance the adapter manages Oracle ERP Account Specifies the name of the Oracle ERP service account that the adapter uses to manage the Oracle ERP instance Account ERP Password Specifies the Oracle ERP service account password Note: You may add additional service names for the adapter to manage after the installation is completed. See Chapter 3, Configuring the Oracle ERP Adapter for IBM Tivoli Identity Manager, on page 9 and Chapter 4, Oracle services modifications for more information about adding, modifying, and deleting managed instances. 8. On the Installation Summary window, click Next to begin the installation. 4 IBM Tivoli Identity Manager: Oracle ERP Adapter Installation and Configuration Guide

19 9. On the Installation Completed window, click Finish to exit the program. 10. In the temporary directory, locate the storedpr.sql file and commit the file against the Oracle ERP database the adapter is intended to manage. The storedpr.sql file contains procedures and views that the adapter uses to manage Oracle ERP accounts. Importing the adapter profile into the IBM Tivoli Identity Manager Server Before you can add an adapter as a service to the IBM Tivoli Identity Manager Server, the server must have an adapter profile to recognize the adapter as a service. The files that are packaged with the Oracle ERP Adapter include the adapter JAR file, ERPProfile.jar. Using the Import feature of the Tivoli Identity Manager Server, you can import the adapter profile into the server as a service profile. The ERPProfile.jar file includes all of the files that are needed to define the adapter schema, account form, service form and profile properties. The ERPProfile.jar file will be referenced in this document to make any changes to the schema or the profile. You will be required to extract the files from the JAR file, make changes to the necessary files, and repackage the JAR file with the updated files. For more information on how to update the JAR files, see Copy the ERPProfile.jar file and extract the files on page 49. Importing the adapter profile An adapter profile defines the types of resources that the IBM Tivoli Identity Manager Server can manage. You must import the adapter profile into the IBM Tivoli Identity Manager Server before using the Oracle ERP Adapter. The profile is used to create a Oracle ERP Adapter service on the IBM Tivoli Identity Manager Server and to communicate with the adapter. Before you begin to import the adapter profile, verify that the following conditions are met: v The IBM Tivoli Identity Manager Server must be installed and running. v You must have Administrator authority on the IBM Tivoli Identity Manager Server. In order to import the adapter profile, complete the following steps: 1. Log in to the IBM Tivoli Identity Manager Server using an account that has the authority to perform administrative tasks. 2. On the Main Menu Navigation Bar, select the Configuration tab. 3. On the Configuration window, select Import/Export Import tabs. 4. On the Import window, in the File to Upload field, type the location of the ERPProfile.jar file, or click Browse to locate the file. 5. Click the Import data into Identity Manager link to import the adapter profile into the IBM Tivoli Identity Manager Server. v If the adapter profile is imported successfully, the following message is displayed: Profile installation complete. v If the adapter profile is not imported successfully, the following message is displayed: Profile installation failed. Chapter 2. Installing and configuring the Oracle ERP adapter 5

20 Creating an Oracle ERP service When you import the adapter profile, if you receive an error related to the schema, the trace.log file will contain information about that error. The trace.log file location is specified by the handler.file.filedir property that is defined in the IBM Tivoli Identity Manager enrolelogging.properties file, which is installed in the IBM Tivoli Identity Manager \data directory. After the adapter profile is imported into the IBM Tivoli Identity Manager Server, you must create a provisioning service to allow IBM Tivoli Identity Manager to communicate with the adapter. In order to create a provisioning service, complete the following steps: 1. Log in to the IBM Tivoli Identity Manager Server using an account that has the authority to perform administrative tasks. 2. On the Main Menu Navigation Bar, click the Provisioning tab. 3. On the Provisioning window, click the Manage Services tab. 4. On the Manage Services window, click Add. 5. From the list of service types, select Oracle ERP Profile, and then click Continue. The Oracle ERP Adapter service form is displayed. The service form contains the following fields: Service Name Specify a name that defines this Oracle ERP service on the IBM Tivoli Identity Manager Server. Service Name is a required field. Description Specify an optional description for this service. URL Specify the location and port number of the Oracle ERP Adapter. The port number is defined in the protocol configuration using the agentcfg program. For additional information about protocol configuration settings, see Changing protocol configuration settings on page 10. URL is a required field. User If https is specified as part of the URL, the adapter must be configured to use SSL authentication. If the adapter is not configured to use SSL authentication, specify http for the URL. For additional information about configuring the adapter to use SSL authentication, see Chapter 5, Configuring SSL authentication for the Oracle ERP Adapter, on page 35. ID Specify a Directory Access Markup Language (DAML) protocol user name. The user name is defined in the protocol configuration using the agentcfg program. For additional information about the protocol configuration settings, see Changing protocol configuration settings on page 10. User ID is a required field. Password Specify the password for the DAML protocol user name. This password is defined in the protocol configuration using the agentcfg program. For additional information about the protocol configuration settings, see Changing protocol configuration settings on page 10. Password is a required field. Oracle Service Specify the Oracle Service Name that is managed by this service. For 6 IBM Tivoli Identity Manager: Oracle ERP Adapter Installation and Configuration Guide

21 Configuring the adapter additional information about the Oracle Service Name, see Chapter 4, Oracle services modifications, on page 29. Oracle Service is a required field. Owner Specify the service owner, if any. Owner is an optional field. Service Prerequisite Specify an existing IBM Tivoli Identity Manager service that is a prerequisite for the Oracle ERP service. 6. To verify the connection, press Test. 7. To create the service, press Submit. Once you have installed the IBM Tivoli Identity Manager Oracle ERP Adapter, configuration is required to ensure that it functions properly. In order to configure the Oracle ERP Adapter, complete the following steps: 1. Start the Oracle ERP Adapter service using the Windows Services Tool. 2. Configure DAML to ensure communication with the Tivoli Identity Manager Server. For more information on configuring DAML, see Changing protocol configuration settings on page Configure the Oracle ERP Adapter to communicate with the IBM Tivoli Identity Manager Server by configuring the adapter for event notification. For more information on configuring event notification, see Configuring event notification on page For secure communication, install a certificate on the machine where the adapter resides and on the IBM Tivoli Identity Manager Server. For more information on installing certificates, see Chapter 5, Configuring SSL authentication for the Oracle ERP Adapter, on page Add optional extended attributes to the schema of the adapter. For more information on extending the attributes, see Chapter 6, Customizing the Oracle ERP adapter, on page Install the adapter profile on the IBM Tivoli Identity Manager Server. For more information on installing the adapter profile, see Importing the adapter profile into the IBM Tivoli Identity Manager Server on page Use the agentcfg utility to modify the adapter parameters. For more information on parameter configuration, see Chapter 3, Configuring the Oracle ERP Adapter for IBM Tivoli Identity Manager, on page Define the Oracle Service Names for the Oracle ERP Adapter to manage, see Chapter 4, Oracle services modifications, on page Add and then configure the service form on the IBM Tivoli Identity Manager Server. For additional information about adding and configuring a service form, see Creating an Oracle ERP service on page Configure the adapter account form. For more information on configuring the adapter account form, refer to the IBM Tivoli Identity Manager Information Center. Chapter 2. Installing and configuring the Oracle ERP adapter 7

23 Chapter 3. Configuring the Oracle ERP Adapter for IBM Tivoli Identity Manager Use the adapter configuration program, agentcfg, to view or modify the Oracle ERP Adapter parameters. All changes that you make to parameters with this tool take effect immediately. Starting the adapter configuration tool In order to start the adapter configuration tool, agentcfg, for Oracle ERP Adapter parameters, complete these steps: 1. From the Start Menu, select Programs Accessories Command Prompt. 2. At the command prompt, change to the \bin directory for the adapter. For example, type the following command, if the Oracle ERP Adapter is in the default location: cd C:\Tivoli\Agents\OracleERPAgent\bin 3. Type the following command: agentcfg -agent OracleERPAgent You can also use agentcfg to view or change configuration settings from a remote computer. See the table in Accessing help and additional options on page 25 for procedures on using additional arguments. 4. At the Enter configuration key for Agent OracleERPAgent prompt, type the configuration key for the Oracle ERP Adapter. The default configuration key is agent. You must change the configuration key once installation completes, to prevent unauthorized access to the configuration of the adapter. See Changing protocol configuration settings on page 10 for procedures to change the configuration key. The Main Configuration Menu is displayed. OracleERPAgent 4.6 Agent Main Configuration Menu A. Configuration Settings. B. Protocol Configuration. C. Event Notification. D. Change Configuration Key. E. Activity Logging. F. Registry Settings. G. Advanced Settings. H. Statistics. I. Codepage Support. X. Done. Select menu option: From the Main Menu, you can configure the protocol, view statistics, and modify settings, including configuration, registry, and advanced settings. Table 2. Options for the main configuration menu Option Configuration task For more information A Viewing protocol configuration settings See page 10. Copyright IBM Corp. 2003,

24 Table 2. Options for the main configuration menu (continued) Option Configuration task For more information B Changing protocol configuration settings See page 10. C Configuring event notification See page 13. D Changing the configuration key See page 19. E Changing activity logging settings See page 19. F Changing registry settings See page 21. G Changing advanced settings See page 23. H Viewing statistics See page 24. I Changing code page settings See page 25. Viewing configuration settings The following procedure describes how to view the Oracle ERP Adapter configuration settings. 1. At the Agent Main Configuration Menu, type A. The configuration settings for the Oracle ERP Adapter are displayed. The following screen is an example of the Oracle ERP Adapter configuration settings. Configuration Settings Name : OracleERPAgent Version : 4.6 ADK Version : 4.67 ERM Version : 4.67 enrole Version : 4.0 License : NONE Asynchronous ADD Requests : FALSE (Max.Threads:3) Asynchronous MOD Requests : FALSE (Max.Threads:3) Asynchronous DEL Requests : FALSE (Max.Threads:3) Asynchronous SEA Requests : FALSE (Max.Threads:3) Available Protocols : DAML Configured Protocols : DAML Logging Enabled : TRUE Logging Directory : C:\Tivoli\Agents\OracleERPAgent\Log Log File Name : OracleERPAgent.log Max. log files : 3 Max.log file size (Mbytes) : 1 Debug Logging Enabled : TRUE Detail Logging Enabled : FALSE Thread Logging Enabled : FALSE Press any key to continue 2. Press any key to return to the Main Menu. Changing protocol configuration settings The Oracle ERP Adapter uses the DAML protocol to communicate with the IBM Tivoli Identity Manager Server. By default, when the adapter is installed, the DAML protocol is configured to be used in nonsecure mode. In order to configure a secure environment, you must configure the DAML protocol to use SSL and install a certificate. Refer to Installing the certificate on page 44 for more information about installing certificates. 10 IBM Tivoli Identity Manager: Oracle ERP Adapter Installation and Configuration Guide

25 In previous versions of this adapter, you could add and remove protocols. However, in the latest version of this adapter, the DAML protocol is the only supported protocol that you can use. Therefore, you will not need to add or remove a protocol. In order to configure the DAML protocol for the Oracle ERP Adapter, complete the following steps: 1. At the Agent Main Configuration Menu, type B. The DAML protocol is configured and available by default for the Oracle ERP Adapter. Agent Protocol Configuration Menu Available Protocols: DAML Configured Protocols: DAML A. Add Protocol. B. Remove Protocol. C. Configure Protocol. X. Done Select menu option 2. At the Agent Protocol Configuration Menu, type C. The DAML Protocol Properties Menu is displayed. 3. At the DAML Protocol Properties Menu, type C. The protocol properties for the configured protocol is displayed. The properties on your menu might be different from the ones shown in the examples. The following screen is an example of the DAML protocol properties: DAML Protocol Properties A. USERNAME ****** ;Authorized user name. B. PASSWORD ****** ;Authorized user password. C. MAX_CONNECTIONS 100 ;Max Connections. D. PORTNUMBER ;Protocol Server port number. E. USE_SSL FALSE ;Use SSL secure connection. F. SRV_NODENAME ;Event Notif. Server name. G. SRV_PORTNUMBER 9443 ;Event Notif. Server port number. H. HOSTADDR ANY ;Listen on address < or "ANY" > I. VALIDATE_CLIENT_CE FALSE ;Require client certificate. J. REQUIRE_CERT_REG FALSE ;Require registered certificate. X. Done Select menu option: 4. Type the letter of the menu option for the protocol property that you want to configure. See Table 3 below for additional information about the properties that you can configure for the DAML protocol. Table 3. Options for the DAML protocol menu Option Configuration task A The following prompt is displayed: Modify Property USERNAME : Type a user ID. This value is the user ID that the IBM Tivoli Identity Manager Server uses to connect to the adapter. The default user ID is agent. Chapter 3. Configuring the Oracle ERP Adapter for IBM Tivoli Identity Manager 11

26 Table 3. Options for the DAML protocol menu (continued) Option Configuration task B The following prompt is displayed: Modify Property PASSWORD : Type a password. This value is the password for the user ID that the IBM Tivoli Identity Manager Server uses to connect to the adapter. The default password is agent. C The following prompt is displayed: Modify Property MAX_CONNECTIONS : Enter the maximum number of concurrent open connections that the adapter supports. The default number is 100. D The following prompt is displayed: Modify Property PORTNUMBER : Type a different port number. This value is the port number that the IBM Tivoli Identity Manager Server uses to connect to the adapter. The default port number is E The following prompt is displayed: Modify Property USE_SSL : Enter TRUE or FALSE to specify whether a secure SSL connection will be used to connect to or from the adapter. The default value is FALSE. You must install a certificate when USE_SSL is set to TRUE. For more information on certificate installation, see Installing the certificate on page 44. F The following prompt is displayed: Modify Property SRV_NODENAME : Type a server name or an IP address, for example, This value is the DNS name or IP address of the IBM Tivoli Identity Manager Server that is used for event notification and asynchronous request processing. Note: If your platform supports Internet Protocol version 6 (IPv6) connections, you can specify an IPv6 server. G The following prompt is displayed: Modify Property SRV_PORTNUMBER : Type a different port number to access the IBM Tivoli Identity Manager Server. This value is the port number that the adapter uses to connect to the IBM Tivoli Identity Manager Server. The default port number for WebLogic is The default port number for WebSphere Application Server (WAS) is IBM Tivoli Identity Manager: Oracle ERP Adapter Installation and Configuration Guide

27 Table 3. Options for the DAML protocol menu (continued) Option Configuration task H The HOSTADDR option is useful when the system where the adapter is running has more than one network adapter. The user can select which IP Address the adapter will listen to. The default value is ANY. I The following prompt is displayed: Modify Property VALIDATE_CLIENT_CE : Type TRUE to require the IBM Tivoli Identity Manager Server to send a certificate when it communicates with the adapter. Type FALSE to allow the IBM Tivoli Identity Manager Server to communicate with the adapter without a certificate. The default value is FALSE. Notes: 1. If you set this option to TRUE, you must configure options D through I. 2. The property name is actually VALIDATE_CLIENT_CERT. It is truncated by agentcfg to fit onto the screen. 3. You must use CertTool to install the appropriate CA certificates and optionally register the IBM Tivoli Identity Manager Server certificate. For more information on using CertTool, see Managing SSL certificates using CertTool on page 41. J The following prompt is displayed: Modify Property REQUIRE_CERT_REG : This value only applies when option I is set to TRUE. Type TRUE to require the client certificate from the IBM Tivoli Identity Manager Server to be registered with the adapter before it will accept an SSL connection. Type FALSE to require the client certificate only be verified against the list of CA certificates. The default value is FALSE. For more information on certificates, see Chapter 5, Configuring SSL authentication for the Oracle ERP Adapter, on page 35. Configuring event notification 5. At the prompt, change the value, and press Enter. The Protocol Properties Menu is displayed with your new settings. If you do not want to change the value, just press Enter to return to the Protocol Properties Menu. 6. Repeat steps 4 and 5 to configure as many protocol properties as you need to. 7. At the Protocol Properties Menu, type X to exit the menu. Event notification is a feature of the Oracle ERP Adapter that updates the IBM Tivoli Identity Manager Server at set intervals. Event notification detects changes that are made on the managed resource and updates the IBM Tivoli Identity Manager Server with the changes. You can enable event notification if you want to have updated information from the managed resource sent back to the IBM Tivoli Identity Manager Server between full reconciliations. Event notification is not intended to replace reconciliations on the IBM Tivoli Identity Manager Server. Chapter 3. Configuring the Oracle ERP Adapter for IBM Tivoli Identity Manager 13

28 When event notification is enabled, a database of the reconciliation data is kept on the machine where the adapter is installed. The database is updated with the changes that are requested by the IBM Tivoli Identity Manager Server and will remain synchronized with the server. You can specify an interval for the event notification process to compare the database to data that currently exists on the managed resource. When the interval has elapsed, any differences between the managed resource and the database are forwarded to the IBM Tivoli Identity Manager Server and updated in the local snapshot database. There are several steps to enabling event notification. These steps assume that the adapter is communicating successfully with the managed resource and the IBM Tivoli Identity Manager Server. First, you must configure the host name, port number, and login information for the IBM Tivoli Identity Manager Server. In order to identify the server for the DAML protocol to use, complete the following steps: 1. At the Agent Protocol Configuration Menu, select Configure Protocol. For more information on configuring a protocol, see Changing protocol configuration settings on page Type the letter of the menu option for the SRV_NODENAME property. 3. Specify the IP address or server name that identifies the IBM Tivoli Identity Manager Server, and press Enter. The Protocol Properties Menu is displayed with your new settings. 4. Type the letter of the menu option for the SRV_PORTNUMBER property. 5. Specify the port number that the adapter uses to connect to the Tivoli Identity Manager Server for event notification and press Enter. The Protocol Properties Menu is displayed with your new settings. The example menu shows all of the options displayed when Event Notification is enabled. If Event Notification is disabled, not all of the options are displayed. In order to set Event Notification for the IBM Tivoli Identity Manager Server, complete the following steps: 1. At the Agent Main Configuration Menu, type C. The Event Notification Menu is displayed. Event Notification Menu * Reconciliation interval : 1 day(s) * Next Reconciliation time : 23 hour(s) 56 min(s). 23 sec(s). * Configured Contexts : Jupiter, dd309 A. Enabled B. Time interval between reconciliations. C. Set Processing cache size. (currently: 50 Mbytes) D. Start event notification now. E. Set attributes to be reconciled. F. Reconciliation process priority. (current: 1) G. Add Event Notification Context. H. Modify Event Notification Context. I. Remove Event Notification Context. J. List Event Notification Contexts. X. Done Select menu option: Note: This menu shows all of the options that are displayed when Event Notification is enabled. If Event Notification is disabled, all of the options will not be displayed. 14 IBM Tivoli Identity Manager: Oracle ERP Adapter Installation and Configuration Guide

29 2. Type the letter of the menu option that you want to change. Option A must be enabled in order for the values of the other options to take effect. Press Enter to return to the Agent Event Notification Menu without changing the value. Table 4. Options for the event notification menu Option Configuration task A If this option is enabled, the adapter updates the IBM Tivoli Identity Manager Server with changes to the adapter at regular intervals. When the option is set to: v Disabled, pressing the A key changes to enabled v Enabled, pressing the A key changes to disabled Type A to toggle between the options. B The following prompt is displayed: Enter new interval ([ww:dd:hh:mm:ss]) Type a different reconciliation interval. For example, [00:01:00:00:00] Note: This value is the interval to wait once event notification completes before it is run again. The event notification process is resource intensive, therefore this value must not be set to run too frequently. C The following prompt is displayed: Enter new cache size[50]: Type a different value to change the processing cache size. D If this option is selected, event notification is started. E The Event Notification Entry Types Menu is displayed. See Setting event notification triggers on page 16 for more information. F The following prompt is displayed: Enter new thread priority [1-10]: Type a different thread value to change the event notification process priority. Note: Setting the thread priority to a lower value reduces the impact that the event notification process has on the performance of the adapter. A lower value might also cause event notification to take longer. G The following prompt is displayed: Enter new context name: Type the new context name, and press Enter. The new context is added. H A menu listing the available contexts is displayed. See Modifying an event notification context on page 17 for more information. I The Remove Context Menu is displayed. Select the context to remove. The following prompt is then displayed: Delete context context1? [no]: Press Enter to exit without deleting the context, or type Yes and press Enter to delete the context. Chapter 3. Configuring the Oracle ERP Adapter for IBM Tivoli Identity Manager 15

30 Table 4. Options for the event notification menu (continued) Option Configuration task J The Event Notification Contexts are displayed in the following format: Context Name : Context1 Target DN : erservicename=context1,o=ibm, ou=ibm,dc=com --- Attributes for search request --- {search attributes listed} If you changed the value for options B, C, E, or F, press Enter. The other options are automatically changed when you type the corresponding letter of the menu option. The Event Notification Menu is displayed with your new settings. Setting event notification triggers By default, all attributes are queried for value changes. Certain attributes that change frequently (for example, password age or last successful logon) must be omitted. 1. At the Event Notification Menu, type E. The Event Notification Entry Types Menu is displayed. Event Notification Entry Types A. USER B. GROUP X. Done Select menu option: The USER and GROUP types will not appear in the above menu until the following conditions have been met: a. Event notification has been enabled b. A context has been created and configured c. A full reconciliation has been run 2. Type A for a list of the attributes returned during a user reconciliation, or type B for attributes returned during a group reconciliation. The Event Notification Attribute Listing for the selected reconciliation type is displayed. The default setting lists all attributes that the adapter supports. The example below lists example attributes, and might differ from the list that is displayed on your machine. Event Notification Attribute Listing (a) **eroraerpcustomer (b) **eroraerpsupplier (c) **eroraerpfax (d) **eroraerp (e) **eruid (f) **eroraerppassworddays (g) **eroraerpowner (h) **eroraerpuserenddate (i) **eroraerpdescription (j) **eroraerpperson (k) **eraccountstatus (l) **eroraerpidcustomer (m) **eroraerppersonid (n) **eroraerpnamesupplier (o) **eroraerppasswdaccesses (p) **erpassword (q) **eroraerpidsupplier (r) **eroraerpinstancename (p)rev page 1 of 3 (n)ext X. Done Select menu option: 16 IBM Tivoli Identity Manager: Oracle ERP Adapter Installation and Configuration Guide

31 3. Type the letter of the menu option for the attribute to exclude from an event notification. Attributes that are marked with two asterisks (**) are returned during the event notification. Attributes that are not marked with asterisks are not returned during the event notification. Modifying an event notification context An event notification context corresponds to a service on the IBM Tivoli Identity Manager Server. Some adapters support multiple services. One Oracle ERP Adapter can have several IBM Tivoli Identity Manager services, by specifying a different base point for each service. The base point for the Oracle ERP Adapter is the point in the directory server that is used as the root for the adapter. This point can be an organizational unit (OU) or domain container (DC) base point. Because the base point is an optional value, if a value is not specified, the adapter uses the default domain of the machine on which it is installed. You can have multiple event notification contexts, but you must have at least one adapter. In the example screen below, note that Context1, Context2, and Context3 are three different contexts, all having a different base point. In order to modify an event notification context, complete the following steps: 1. At the Event Notification Menu, type H. The Modify Context Menu is displayed. Modify Context Menu A. Context1 B. Context2 C. Context3 X. Done Select menu option: 2. Type the letter of the menu option that you want to modify. The Modify Context Menu for the selected context is displayed. A. Set attributes for search B. Target DN: C. Delete Baseline Database X. Done Select menu option: Table 5. Options for the modify context menu Option Configuration task For more information A Adding search attributes for event notification See page 17. B Configuring the target DN for event notification contexts C Removing the baseline database for event notification contexts See page 18. See page 19. Adding search attributes for event notification For some adapters, you might need to specify an attribute-value pair for one or more contexts. These attribute-value pairs, which are defined by completing the steps below, serve multiple purposes: Chapter 3. Configuring the Oracle ERP Adapter for IBM Tivoli Identity Manager 17

32 v When multiple services are supported by a single adapter, each service needs to specify one or more attributes to differentiate it from the other services. v The search attributes are passed to the event notification process, once the event notification interval has occurred or is started manually. For each context, a full search request is sent to the adapter. Additionally, the attributes specified for that context are passed to the adapter. v When the IBM Tivoli Identity Manager Server initiates a reconciliation process, the adapter replaces the local database that represents this service with the new database. In order to add search attributes, complete the following steps: 1. At the Modify Context Menu for the context, type A. The Reconciliation Attribute Passed to Agent Menu is displayed. Reconciliation Attributes Passed to Agent for Context: Context A. Add new attribute B. Modify attribute value C. Remove attribute X. Done Select menu option: The valid attribute for the Oracle ERP Adapter is eroracleservicename. This is a required attribute for the Oracle ERP Adapter and the value must be set to the value entered for Oracle Service on the Adapter Service Form on the IBM Tivoli Identity Manager Server. 2. Type the letter of the menu option that you want to change. The supported attribute names will be displayed with two asterisks (**) in front of each name. When you type the letter of an attribute, it will toggle the asterisks on and off. Attributes without asterisks will not be updated during an event notification. The Reconciliation Attributes Passed to Agent Menu is displayed with the changes displayed. Configuring the target DN for event notification contexts The target DN field holds the unique name of the service that receives event notification updates. In order to configure the target DN, complete the following steps: 1. At the Modify Context Menu for the context, type B. 2. At the Enter Target DN prompt, type the target DN for the context, and press Enter. The target DN for the event notification context must be in the following format: erservicename=erservicename,o=organizationname,ou=tenantname,rootsuffix Each element of the DN is defined as follows: Table 6. DN elements and definitions Element Definition erservicename Specifies the name of the target service o Specifies the name of the organization ou Specifies the name of the tenant in which the organization is in 18 IBM Tivoli Identity Manager: Oracle ERP Adapter Installation and Configuration Guide

33 Table 6. DN elements and definitions (continued) Element Definition rootsuffix Specifies the root of the directory tree The Modify Context Menu is displayed with the new target DN listed. Removing the baseline database for event notification contexts This option is only available once a context is created and a reconciliation is run on the context to create a Baseline Database file. At the Modify Context Menu for the context, type C. The Modify Context Menu is displayed with the Delete Baseline Database option removed. Changing the configuration key You use the configuration key as a password to access the configuration tool for the adapter. In order to change the Oracle ERP Adapter configuration key, complete the following steps: 1. At the Main Menu prompt, type D. 2. Change the value of the configuration key, and press Enter. Press Enter to return to the Main Configuration Menu without changing the configuration key. The default configuration key is agent. Make sure that you choose passwords that cannot be easily guessed. The following message is displayed: Configuration key successfully changed. Changing activity logging settings The configuration program exits, and the Main Menu prompt is displayed. When you enable logging, Oracle ERP Adapter maintains a dated log file of all transactions, OracleERPAgent.log. By default, the log file is in the \log directory. In order to change the Oracle ERP Adapter activity logging settings, complete the following steps: 1. At the Main Menu prompt, type E. The Agent Activity Logging Menu is displayed. The following example shows the default activity logging settings. Agent Activity Logging Menu A. Activity Logging (Enabled). B. Logging Directory (current: C:\Tivoli\Agents\OracleERPAgent\Log). C. Activity Log File Name (current: OracleERPAgent.log). D. Activity Logging Max. File Size ( 1 mbytes) E. Activity Logging Max. Files ( 3 ) F. Debug Logging (Enabled). G. Detail Logging (Disabled). H. Base Logging (Disabled). I. Thread Logging (Disabled). X. Done Select menu option: 2. Type the letter of the Activity Logging Menu option that you want to change. Chapter 3. Configuring the Oracle ERP Adapter for IBM Tivoli Identity Manager 19

34 Option A must be enabled in order for the values of the other options to take effect. Press Enter to return to the Agent Activity Logging Menu without changing the value. Table 7. Options for the activity logging menu Option Configuration task A Set this option to enabled to have the adapter maintain a dated log file of all transactions. When the option is set to: v Disabled, pressing the A key changes to enabled v Enabled, pressing the A key changes to disabled Type A to toggle between the options. B The following prompt is displayed: Enter log file directory: Type a different value for the logging directory, for example, C:\Log. When the logging option is enabled, details about each access request are stored in the logging file that is in this directory. C The following prompt is displayed: Enter log file name: Type a different value for the log file name. When the logging option is enabled, details about each access request are stored in the logging file. D The following prompt is displayed: Enter maximum size of log files (mbytes): Type a new value, for example, 10. The oldest data is archived when the log file reaches the maximum file size. File size is measured in megabytes. It is possible for the activity log file size to exceed disk capacity. E The following prompt is displayed: Enter maximum number of log files to retain: Type a new value up to 100, for example, 5. The adapter automatically deletes the oldest activity logs beyond the specified limit. F If this option is set to enabled, the adapter includes the debug statements in the log file of all transactions. When the option is set to: v Disabled, pressing the F key changes the value to enabled v Enabled, pressing the F key changes the value to disabled Type F to toggle between the options. G If this option is set to enabled, the adapter maintains a detailed log file of all transactions. The detail logging option must be used for diagnostic purposes only. Detailed logging enables more messages from the adapter and might increase the size of the logs. When the option is set to: v Disabled, pressing the G key changes the value to enabled v Enabled, pressing the G key changes the value to disabled Type G to toggle between the options. 20 IBM Tivoli Identity Manager: Oracle ERP Adapter Installation and Configuration Guide

35 Table 7. Options for the activity logging menu (continued) Option Configuration task H If this option is set to enabled, the adapter maintains a log file of all transactions in the Adapter Development Kit (ADK) and library files. Base logging will substantially increase the size of the logs. When the option is set to: v Disabled, pressing the H key changes the value to enabled v Enabled, pressing the H key changes the value to disabled Type H to toggle between the options. I If this option is enabled, the log file will contain thread IDs, in addition to a date and timestamp on every line of the file. When the option is set to: v Disabled, pressing the I key changes the value to enabled v Enabled, pressing the I key changes the value to disabled Type I to toggle between the options. Changing registry settings 3. Press Enter if you changed the value for option B, C, D, or E. The other options are changed automatically when you type the corresponding letter of the menu option. The Agent Activity Logging Menu is displayed with your new settings. In order to change the Oracle ERP Adapter registry settings, complete the following steps: 1. At the Main Menu, type F. The Registry Menu is displayed. OracleERPAgent 4.6 Agent Registry Menu A. Modify Non-encrypted registry settings. B. Modify encrypted registry settings. C. Multi-instance settings. X. Done Select menu option: 2. See the following procedures on modifying registry settings. Modifying non-encrypted registry settings In order to modify the non-encrypted registry settings, complete the following steps: 1. At the Agent Registry Menu, type A. The Non-encrypted Registry Settings Menu is displayed. Chapter 3. Configuring the Oracle ERP Adapter for IBM Tivoli Identity Manager 21

36 Agent Registry Items ENROLE_Version RdbmsInstance1 OracleSericeName:LogonAccount Page 1 of 1 A. Add new attribute B. Modify attribute value C. Remove attribute X. Done Select menu option: 2. Type the letter of the menu option for the action that you want to perform on an attribute. Table 8. Attribute configuration option descriptions Option Configuration task A Add new attribute B Modify attribute value C Remove attribute 3. Type the registry item name, and press Enter. 4. If you selected option A or B, type the registry item value and press Enter. The Non-encrypted Registry Settings Menu displays the new settings. Table 9 describes the registry keys and their available settings: Table 9. Non-encrypted registry key descriptions Key ENROLE_Version 4.0 RdbmsInstance1 Description OracleSericeName:LogonAccount Note: RdbmsInstance1 indicates the Oracle service name and the account to log into that service. You can have multiple instances of this key if the adapter is configured to manage multiple services. Modifying encrypted registry settings In order to modify the encrypted registry settings, complete the following steps: 1. At the Agent Registry Menu, type B. The Encrypted Registry Settings Menu is displayed. Encrypted Registry Items RdbmsInstance1Passwd password Page 1 of 1 A. Add new attribute B. Modify attribute value. C. Remove attribute. X. Done Select menu option: 2. Type the letter of the menu option for the action that you want to perform on an attribute. 22 IBM Tivoli Identity Manager: Oracle ERP Adapter Installation and Configuration Guide

37 Table 10. Attribute configuration option descriptions Option Configuration task A Add new attribute B Modify attribute value C Remove attribute 3. Type the registry item name, and press Enter. Refer to Table 9 on page 22 for a description of each registry key. 4. If you selected option A or B, type the registry item value and press Enter. The Encrypted Registry Settings Menu displays the new settings. Table 11. Encrypted registry key descriptions Key RdbmsInstance1Passwd Description password Changing advanced settings You can change the Oracle ERP Adapter thread count settings for the following types of requests: v System Login Add v System Login Change v System Login Delete v Reconciliation These settings determine the maximum number of requests that the Oracle ERP Adapter processes concurrently. In order to change these settings, complete the following steps: 1. At the Main Menu prompt, type G. The Advanced Settings Menu is displayed. The following example shows the default thread count settings. OracleERPAgent 4.6 Advanced Settings Menu A. Single Thread Agent (current:true) B. ADD max. thread count. (current:3) C. MODIFY max. thread count. (current:3) D. DELETE max. thread count. (current:3) E. SEARCH max. thread count. (current:3) F. Allow User EXEC procedures (current:false) G. Archive Request Packets (current:false) H. UTF8 Conversion support (current:true) I. Pass search filter to agent (current:false) J. Thread Priority Level (1-10) (current:4) X. Done Select menu option: 2. Type the letter of the menu option of the advanced setting that you want to change. For a description of each option, see Table 12. Table 12. Options for the advanced settings menu Option Description A Forces the adapter to allow only one request at a time. The default value is TRUE. Chapter 3. Configuring the Oracle ERP Adapter for IBM Tivoli Identity Manager 23

38 Table 12. Options for the advanced settings menu (continued) Option Description B Controls how many simultaneous ADD requests can run at one time. The default value is 3. C Controls how many simultaneous MODIFY requests can run at one time. The default value is 3. D Controls how many simultaneous DELETE requests can run at one time. The default value is 3. E Controls how many simultaneous SEARCH requests can run at one time. The default value is 3. F Determines whether the adapter allows pre- and post-exec functions. Enabling this option is a potential security risk. The default value is FALSE. G This option is no longer supported. H This option is no longer supported. I Currently, this adapter does not support processing filters directly. This option must always be FALSE. J Sets the thread priority level for the adapter. The default value is Change the value, and press Enter. The Advanced Settings Menu is displayed with your new settings. Viewing statistics In order to view an event log for the Oracle ERP Adapter, complete the following steps: 1. At the Main Menu prompt, type H. The activity history for the adapter is displayed. OracleERPAgent 4.6 Agent Request Statistics Date Add Mod Del Ssp Res Rec /15/ X. Done 2. Type X to return to the Main Configuration Menu. 24 IBM Tivoli Identity Manager: Oracle ERP Adapter Installation and Configuration Guide

39 Changing code page settings In order to list the supported code page information for the Oracle ERP Adapter, the adapter must be running. Run the following command to view the code page information: agentcfg -agent [adapter_name] -codepages In order to change the code page settings for the Oracle ERP Adapter, complete the following steps: 1. At the Main Menu prompt, type I. The Code Page Support Menu for the adapter is displayed. OracleERPAgent 4.6 Codepage Support Menu * Configured codepage: US-ASCII * ******************************************* * Restart Agent After Configuring Codepages ******************************************* A. Codepage Configure. X. Done Select menu option: 2. Type A to configure a code page. Note: The OracleERPAgent code page uses unicode, therefore this option is not applicable. 3. Type X to return to the Main Configuration Menu. Accessing help and additional options In order to access the agentcfg help menu and use the help arguments, complete the following steps: 1. At the Main Menu prompt, type X. The command prompt is displayed, and you are in the \bin directory. 2. Type agentcfg -help at the prompt to view the help menu. The following list of possible commands is displayed: -version ; Show version -hostname < value> ; Target nodename to connect to (Default:Local host IP address) -findall ; Find all agents on target node -list ; List available agents on target node -agent <value> ; Name of agent -tail ; Display agent s activity log -schema ; Display agent s attribute schema -portnumber <value>; Specified agent s TCP/IP port number -netsearch <value> ; Lookup agents hosted on specified subnet -confidencetest ; Confidence test -setup ; Confidence test setup -help ; Display this help screen Table 13 describes each argument. Table 13. Arguments and descriptions for the agentcfg help command Argument Description -version Use this argument to display the version of the agentcfg tool. Chapter 3. Configuring the Oracle ERP Adapter for IBM Tivoli Identity Manager 25

40 Table 13. Arguments and descriptions for the agentcfg help command (continued) Argument Description -hostname <value> Use the -hostname argument with any of the following arguments to specify a different host: v v v v -findall -list -tail -agent Enter a host name or IP address as the value. -findall Use this argument to search and display all port addresses between and and their assigned adapter names. This option will timeout on unused port numbers, so it might take several minutes to complete. Add the -hostname argument to search a remote host. -list Use this argument to display the adapters that are installed on the local host of the Oracle ERP Adapter. By default, the first time you install an adapter, it is either assigned to port address or to the next available port number. All subsequently installed adapters are then assigned to the next available port address. Once an unused port is found, the listing stops. Use the -hostname argument to search a remote host. -agent <value> Use this argument to specify the adapter that you want to configure. Enter an adapter name as the value. Use this argument with the -hostname argument to modify the configuration setting from a remote host. You can also use this argument with the -tail argument. -tail Use this argument with the -agent argument to display the activity log for an adapter. Add the -hostname argument to display the log file for an adapter on a different host. -schema This option is no longer supported. -portnumber <value> Use this argument with the -agent argument to specify the port number that is used for connections for the agentcfg tool. -netsearch <value> Use this argument with the -findall argument to display all active adapters on the system. You must specify a subnet address as the value. -confidencetest Use this argument to run a test to add, modify, search, and delete a request to the adapter. The confidence test allows you to test the connection between the adapter and the Oracle ERP resources. This allows you to verify that the adapter can connect to Oracle ERP resources without the IBM Tivoli Identity Manager Server. -setup Use this argument, along with the confidence argument, to configure the confidence test. -help Use this argument to display the Help information for the agentcfg command. -codepages Use this argument to display a list of available codepages. 3. Type agentcfg and one or more of the supported arguments at the prompt. 26 IBM Tivoli Identity Manager: Oracle ERP Adapter Installation and Configuration Guide

41 You must type agentcfg before every argument to run the adapter configuration tool. Type agentcfg -list to list all of the adapters on the local host IP address. Note that the port address for the IBM Tivoli Identity Manager Server is The output is similar to the following output: Agent(s) installed on node OracleERPAgent (44970) Type agentcfg -agent OracleERPAgent to display the Main Menu of the agentcfg tool, which is used to view or modify the Oracle ERP Adapter parameters. Type agentcfg -list -hostname to list the adapters on a host whose IP address is The output is similar to the following output: Agent(s) installed on node OracleERPAgent (44970) Type agentcfg -agent OracleERPAgent -hostname to display the Main Menu of the agentcfg tool for a host whose IP address is Use the menu options to view or modify the Oracle ERP Adapter parameters. Chapter 3. Configuring the Oracle ERP Adapter for IBM Tivoli Identity Manager 27

43 Chapter 4. Oracle services modifications This chapter describes how to use the provided service configuration program to view or modify Oracle Services. In order for the modification with this tool to take effect immediately, you must restart the Oracle ERP adapter. Note: The names of the Oracle Services used must be valid names of Oracle Services within the Oracle Client Network Configuration. Accessing the service configuration tool main menu The following procedure describes how to access the main menu of the servicecfg tool for Oracle ERP Adapter parameters: 1. Log in to the Oracle ERP Adapter account. 2. Change the directory to the Oracle ERP Adapter bin directory. # cd C:\Tivoli\Agents\OracleERPAgent\\bin 3. Type servicecfg and press Enter. # servercfg The Main menu appears. ITIM Oracle ERP Agent Services Utility ) Display current Oracle Services. 2) Add a new Oracle Service. 3) Modify an Oracle Service. 4) Remove an Oracle Service. 5) Test Oracle Connection. 0) Exit. Enter Option: This appendix includes a section for each of the following main functions: v For option 1, see Viewing current Oracle services v For option 2, see Adding a new Oracle service on page 30 v For option 3, see Modifying an Oracle service on page 31 v For option 4, see Removing an Oracle service on page 32 v For option 5, see Testing an Oracle connection on page 32 Type 0 to return to the main menu Viewing current Oracle services The following procedure describes how to the view the current Oracle Services: 1. Type option 1 (Display current Oracle Services) at the main menu prompt. The current Oracle Services for the Oracle ERP Adapter appear. The following is a sample of the Oracle Service settings: Copyright IBM Corp. 2003,

44 ITIM Oracle ERP Agent Services Utility Display Current Services. Available Oracle Services 1 through 10 RdbmsInstance1=VIS:apps RdbmsInstance2=abc:apps N)next; P)previous; X)exit; --> Adding a new Oracle service 2. Type N to see the next ten Oracle Services, type P to see the previous ten Oracle Services, or type X to return to the main menu. The following procedure describes how to add a new Oracle Service: 1. Type 2 (Add a new Oracle Service) at the main menu prompt. The Add a new Oracle Service menu appears. 2. Type the new Oracle Service Name and press Enter. Oracle Service Name: 3. Type the Oracle service account name and press Enter....Oracle Account: Note: This is the name of the Oracle Administration Account. 4. Type the Oracle service account password and press Enter....Account password: This is the password of the Oracle Administration Account. 5. Type the Oracle service account password again and press Enter....Verify Password: 6. Press any key to continue. Hit any key to continue The main menu reappears. 7. From the OracleERPAgent\data directory, copy one of the Oracle service name XML files and rename it to the name of the new Oracle service instance. Example of adding an Oracle service The example below is a script to add a new Oracle Service: ITIM Oracle ERP Agent Services Utility Adding RdbmsInstance3. Oracle Service Name: OracleS...Oracle Account: apps...account Password:...Verify Password: Added Service OracleS with Account apps. Hit any key to continue. 30 IBM Tivoli Identity Manager: Oracle ERP Adapter Installation and Configuration Guide

45 Modifying an Oracle service The following procedure describes how to modify an Oracle Service: 1. Type 3 (Modify an Oracle Service) at the main menu prompt and press Enter. The Modify an Oracle Service menu appears. ITIM Oracle ERP Agent Services Utility Modify Service. Available Oracle Services 1 through 10 RdbmsInstance1=VIS:apps RdbmsInstance2=abc:apps RdbmsInstance3=OracleS:apps N)next; P)previous; M)modify; X)exit; --> 2. Type N to see the next ten Oracle Services, type P to see the previous Oracle Services, or type M to select an Oracle Service to modify and press Enter. 3. Type the number of the Oracle Service you want to modify and press Enter. Enter the OraService number to modify : 4. Accept the default or type a new service name and press Enter. Oracle Service Name [sugar]: 5. Accept the default or type a new Oracle service account name and press Enter....Oracle Account [fairy]: 6. Type the Oracle Service account password and press Enter....Account Password : 7. Type the Oracle administrator account password again and press Enter....Verify Password : 8. Press any key. The Modify an Oracle Service menu is displayed again with the new values listed. Example of modifying an Oracle service The example below is a script to modify an Oracle Service: ITIM Oracle ERP Agent Services Utility Modify Service. Available Oracle Services 1 through 10 RdbmsInstance1=VIS:apps RdbmsInstance2=abc:apps RdbmsInstance3=OracleS:apps N)next; P)previous; M)modify; X)exit; --> Chapter 4. Oracle services modifications 31

46 Removing an Oracle service The following procedure describes how to remove an Oracle Service: 1. Type option 4 (Remove an Oracle Service) at the main menu prompt. The Remove an Oracle Service menu appears. ITIM Oracle ERP Agent Services Utility Available Oracle Services 1 through 10 RdbmsInstance1=VIS:apps RdbmsInstance2=abc:apps RdbmsInstance3=OracleS:apps N)next; P)previous; R)remove; X)exit; --> 2. Type N to see the next ten Oracle Services, type P to see the previous ten Oracle Services, or type R to select an Oracle Service to remove. 3. Type the number of the Oracle Service you want to remove and press Enter. Enter the OraService number to delete : 4. Type Y and press Enter. Are you sure [Y/N]: The Oracle Service that you selected is deleted. Example of removing an Oracle service The example below is a script to remove an Oracle Service: ITIM Oracle ERP Agent Services Utility Remove Service. Available Oracle Services 1 through 10 RdbmsInstance1=VIS:apps RdbmsInstance2=abc:apps RdbmsInstance3=OracleS:apps N)next; P)previous; R)remove; X)exit; --> r Testing an Oracle connection The following procedure describes how to test the connection to your Oracle database: 1. Type 5 (Test Oracle Service connection) at the main menu prompt. The Test Oracle Service connection menu appears. ITIM Oracle ERP Agent Services Utility Test Oracle connection. Available Oracle Services 1 through 10 RdbmsInstance1=VIS:apps RdbmsInstance2=abc:apps RdbmsInstance3=OracleS:apps N)next; P)previous; T)test connection; X)exit; --> 32 IBM Tivoli Identity Manager: Oracle ERP Adapter Installation and Configuration Guide

47 2. Type N to see the next ten Oracle Services, type P to see the previous ten Oracle Services, or type T to select an Oracle Service connection to test. 3. Type the number of the Oracle Service that you want to remove and press Enter. Enter the OraService number to test : If the test is successful, the following message appears: Connection SUCCESSFUl to OraService1 : sugar. 4. Press any key. Hit any key to continue. The Test Oracle connection menu reappears. Example of testing an Oracle connection The example below is a script to test an Oracle connection: ITIM Oracle ERP Agent Services Utility Test Oracle connection. Available Oracle Services 1 through 10 RdbmsInstance1=VIS:apps RdbmsInstance2=abc:apps RdbmsInstance3=OracleS:apps N)next; P)previous; T)test connection; X)exit; --> Enter the RdbmsInstance number to test: 1 Connection SUCCESSFUL to RdbmsInstance1 : VIS. Hit any key to continue. Chapter 4. Oracle services modifications 33

49 Chapter 5. Configuring SSL authentication for the Oracle ERP Adapter In order to establish a secure connection between a IBM Tivoli Identity Manager adapter and the IBM Tivoli Identity Manager Server, you must configure the adapter and the server to use the Secure Sockets Layer (SSL) authentication with the default communication protocol, DAML. By configuring the adapter for SSL, you ensure that the IBM Tivoli Identity Manager Server verifies the identity of the adapter before a secure connection is established. You can configure SSL authentication for connections that originate from the IBM Tivoli Identity Manager Server or from the adapter. Typically, the IBM Tivoli Identity Manager Server initiates a connection to the adapter in order to set or retrieve the value of a managed attribute on the adapter. However, depending on the security requirements of your environment, you might need to configure SSL authentication for connections that originate from the adapter. For example, if the adapter uses events to notify the IBM Tivoli Identity Manager Server of changes to attributes on the adapter, you can configure SSL authentication for Web connections that originate from the adapter to the Web server used by the IBM Tivoli Identity Manager Server. In a production environment, you need to enable SSL security; however, for testing purposes you might want to disable SSL. If an external application that communicates with the adapter (such as the IBM Tivoli Identity Manager Server) is set to use server authentication, you must enable SSL on the adapter to verify the certificate that the application presents. This chapter presents an overview of SSL authentication, certificates, and how to enable SSL authentication using the CertTool utility. Overview of SSL and digital certificates When you deploy IBM Tivoli Identity Manager in an enterprise network, you must secure communication between the IBM Tivoli Identity Manager Server and the software products and components with which the server communicates. The industry-standard SSL protocol, which uses signed digital certificates from a certificate authority (CA) for authentication, is used to secure communication in a IBM Tivoli Identity Manager deployment. Additionally, SSL provides encryption of the data exchanged between the applications. Encryption makes data transmitted over the network intelligible only to the intended recipient. Signed digital certificates enable two applications connecting in a network to authenticate each other s identity. An application acting as an SSL server presents its credentials in a signed digital certificate to verify to an SSL client that it is the entity it claims to be. An application acting as an SSL server can also be configured to require the application acting as an SSL client to present its credentials in a certificate, thereby completing a two-way exchange of certificates. Signed certificates are issued by a third-party certificate authority for a fee. Some utilities, such as those provided by OpenSSL, can also issue signed certificates. A certificate-authority certificate (CA certificate) must be installed to verify the origin of a signed digital certificate. When an application receives another Copyright IBM Corp. 2003,

50 application s signed certificate, it uses a CA certificate to verify the originator of the certificate. A certificate authority can be well-known and widely used by other organizations, or it can be local to a specific region or company. Many applications, such as Web browsers, are configured with the CA certificates of well known certificate authorities to eliminate or reduce the task of distributing CA certificates throughout the security zones in a network. Private keys, public keys, and digital certificates Keys, digital certificates, and trusted certificate authorities are used to establish and verify the identities of applications. SSL uses public key encryption technology for authentication. In public key encryption, a public key and a private key are generated for an application. Data encrypted with the public key can only be decrypted using the corresponding private key. Similarly, the data encrypted with the private key can only be decrypted using the corresponding public key. The private key is password-protected in a key database file so that only the owner can access the private key to decrypt messages that are encrypted using the corresponding public key. A signed digital certificate is an industry-standard method of verifying the authenticity of an entity, such as a server, client, or application. In order to ensure maximum security, a certificate is issued by a third-party certificate authority. A certificate contains the following information to verify the identity of an entity: Organizational information Public This section of the certificate contains information that uniquely identifies the owner of the certificate, such as organizational name and address. You supply this information when you generate a certificate using a certificate management utility. key The receiver of the certificate uses the public key to decipher encrypted text sent by the certificate owner to verify its identity. A public key has a corresponding private key that encrypts the text. Certificate authority s distinguished name The issuer of the certificate identifies itself with this information. Digital Self-signed signature The issuer of the certificate signs it with a digital signature to verify its authenticity. This signature is compared to the signature on the corresponding CA certificate to verify that the certificate originated from a trusted certificate authority. Web browsers, servers, and other SSL-enabled applications generally accept as genuine any digital certificate that is signed by a trusted certificate authority and is otherwise valid. For example, a digital certificate can be invalidated because it has expired or the CA certificate used to verify it has expired, or because the distinguished name in the digital certificate of the server does not match the distinguished name specified by the client. certificates You can use self-signed certificates to test an SSL configuration before you create and install a signed certificate issued by a certificate authority. A self-signed certificate contains a public key, information about the owner of the certificate, and the owner s signature. It has an associated private key, but it does not verify the 36 IBM Tivoli Identity Manager: Oracle ERP Adapter Installation and Configuration Guide

51 origin of the certificate through a third-party certificate authority. Once you generate a self-signed certificate on an SSL server application, you must extract it and add it to the certificate registry of the SSL client application. This procedure is the equivalent of installing a CA certificate that corresponds to a server certificate. However, you do not include the private key in the file when you extract a self-signed certificate to use as the equivalent of a CA certificate. Use a key management utility to generate a self-signed certificate and a private key, to extract a self-signed certificate, and to add a self-signed certificate. Where and how you choose to use self-signed certificates depends on your security requirements. In order to achieve the highest level of authentication between critical software components, do not use self-signed certificates, or use them selectively. For example, you can choose to authenticate applications that protect server data with signed digital certificates, and use self-signed certificates to authenticate Web browsers or IBM Tivoli Identity Manager adapters. If you are using self-signed certificates, in the following procedures you can substitute a self-signed certificate for a certificate and CA certificate pair. Certificate and key formats Certificates and keys are stored in files with the following formats:.pem format A privacy-enhanced mail (.pem ) format file begins and ends with the following lines:.arm.der -----BEGIN CERTIFICATE END CERTIFICATE----- The use of SSL authentication A.pem file format supports multiple digital certificates, including a certificate chain. If your organization uses certificate chaining, use this format to create CA certificates. format An.arm file contains a base-64 encoded ASCII representation of a certificate, including its public key, but not its private key. An.arm file format is generated and used by the IBM Key Management utility. format A.der file contains binary data. A.der file can only be used for a single certificate, unlike a.pem file, which can contain multiple certificates..pfx format (PKCS12) A PKCS12 file is a portable file that contains a certificate and a corresponding private key. This format is useful for converting from one type of SSL implementation to a different implementation. For example, you can create and export a PKCS12 file using the IBM Key Management utility, then import the file to another machine using the CertTool utility. When you start the adapter, the available connection protocols are loaded. The DAML protocol is the only available protocol that supports the use of SSL authentication. You can specify to use the DAML SSL implementation. Chapter 5. Configuring SSL authentication for the Oracle ERP Adapter 37

52 The DAML SSL implementation uses a certificate registry to store private keys and certificates. The location of the certificate registry is managed internally by the CertTool key and certificate management tool; therefore, you do not specify the location of the registry when you perform certificate management tasks. For more information on the DAML protocol, see Changing protocol configuration settings on page 10. Configuring certificates for SSL authentication Use the following procedures to configure the adapter for one-way or two-way SSL authentication using signed certificates. In order to perform these procedures, use the CertTool utility. Configuring certificates for one-way SSL authentication In this scenario, the IBM Tivoli Identity Manager Server and the Tivoli Identity Manager adapter are set to use SSL. Client authentication is not set on either application. The Tivoli Identity Manager Server operates as the SSL client and initiates the connection. The adapter operates as the SSL server and responds by sending its signed certificate to the Tivoli Identity Manager Server. The Tivoli Identity Manager Server uses the CA certificate that is installed to validate the certificate sent by the adapter. In Figure 2, Application A operates as the IBM Tivoli Identity Manager Server, and Application B operates as the IBM Tivoli Identity Manager adapter. Tivoli Identity Manager Server (SSL client) 1 Hello Tivoli Identity Manager adapter (SSL server) C Keystore CA Certificate A Verify Send Certificate B Certificate A Figure 2. One-way SSL authentication (server authentication) In order to configure one-way SSL, perform the following tasks for each application: 1. On the adapter, complete these steps: a. Start the CertTool utility. b. In order to configure the SSL-server application with a signed certificate issued by a certificate authority: 1) Create a certificate signing request (CSR) and private key. This step creates the certificate with an embedded public key and a separate private key and places the private key in the PENDING_KEY registry value. 2) Submit the CSR to the certificate authority using the instructions supplied by the CA. When you submit the CSR, specify that you want the root CA certificate returned with the server certificate. 38 IBM Tivoli Identity Manager: Oracle ERP Adapter Installation and Configuration Guide

53 2. On the Tivoli Identity Manager Server, complete one of these steps: v If you are configuring the use of a signed certificate issued by a well-known CA, ensure that the Tivoli Identity Manager Server has stored the root certificate of the CA (CA certificate) in its keystore. If the keystore does not contain the CA certificate, extract the CA certificate from the adapter and add it to the keystore of the server. v If you are configuring the use of self-signed certificates: If you generated the self-signed certificate on the Tivoli Identity Manager Server, the certificate is already installed in its keystore. If you generated the self-signed certificate using the key management utility of another application, extract the certificate from that application s keystore and add it to the keystore of the Tivoli Identity Manager Server. Configuring certificates for two-way SSL authentication In this scenario, the IBM Tivoli Identity Manager Server and the Tivoli Identity Manager adapter are set to use SSL and the adapter is set to use client authentication. Once sending its certificate to the Tivoli Identity Manager Server, the adapter requests identity verification from the server, which sends its signed certificate to the adapter. Both applications are configured with signed certificates and corresponding CA certificates. In Figure 3, the IBM Tivoli Identity Manager Server operates as Application A, and the IBM Tivoli Identity Manager adapter operates as Application B. Tivoli Identity Manager Server (SSL client) Keystore CA Certificate A Verify Hello Send Certificate A Tivoli Identity Manager adapter (SSL Cserver) Certificate A C Send Certificate A Certificate B Verify CA Certificate B Send Certificate B Figure 3. Two-way SSL authentication (client authentication) The following procedure assumes that you have already configured the adapter and Tivoli Identity Manager Server for one-way SSL authentication using the procedure described in Configuring certificates for one-way SSL authentication on page 38. Therefore, if you are using signed certificates from a CA: v The adapter is configured with a private key and a signed certificate that was issued by a CA. v The Tivoli Identity Manager Server is configured with the CA certificate of the CA that issued the signed certificate of the adapter. In order to complete the certificate configuration for two-way SSL, perform the following tasks: Chapter 5. Configuring SSL authentication for the Oracle ERP Adapter 39

54 1. On the Tivoli Identity Manager Server, create a CSR and private key, obtain a certificate from a CA, install the CA certificate, install the newly signed certificate, and extract the CA certificate to a temporary file. 2. On the adapter, add the CA certificate that was extracted from the keystore of the Tivoli Identity Manager Server to the adapter. When you have finished the two-way certificate configuration, each application has its own certificate and private key and the CA certificate of the CA that issued the certificates for each application. Configuring certificates when the adapter operates as an SSL client In this scenario, the adapter operates as an SSL client in addition to operating as an SSL server. This scenario applies if the adapter initiates a connection to the Web server (used by the IBM Tivoli Identity Manager Server) to send an event notification. For example, the adapter initiates the connection and the Web server responds by presenting its certificate to the adapter. Figure 4 illustrates how a IBM Tivoli Identity Manager adapter operates as an SSL sever and an SSL client. When communicating with the IBM Tivoli Identity Manager Server, the adapter sends its certificate for authentication. When communicating with the Web server, the adapter receives the certificate of the Web server. Certificate A CA Certificate C CA Certificate A Tivoli Identity Manager Adapter A Hello Certificate A Tivoli Identity Manager Server B Certificate C Hello Web server Certificate C C Figure 4. IBM Tivoli Identity Manager adapter operating as an SSL server and an SSL client If the Web Server is configured for two-way SSL authentication, it verifies the identity of the adapter, which sends its signed certificate to the Web server (not shown in the illustration). In order to enable two-way SSL authentication between the adapter and Web server, use the following procedure: 1. Configure the Web server to use client authentication. 2. Follow the procedure for creating and installing a signed certificate on the Web server. 3. Install the CA certificate on the adapter using the CertTool utility. 4. Add the CA certificate corresponding to the signed certificate of the adapter to the Web server. 40 IBM Tivoli Identity Manager: Oracle ERP Adapter Installation and Configuration Guide

55 For more information on configuring certificates when the adapter initiates a connection to the Web server (used by the Tivoli Identity Manager Server) to send an event notification, see the Tivoli Identity Manager Information Center. Managing SSL certificates using CertTool Starting The procedures in this section describe how to use the CertTool utility to manage private keys and certificates. This section includes instructions for performing the following tasks: v Starting CertTool. v Generating a private key and certificate request on page 43. v Installing the certificate on page 44. v Installing the certificate and key from a PKCS12 file on page 44. v Viewing the installed certificate on page 45. v Viewing CA certificates on page 45. v Installing a CA certificate on page 45. v Deleting a CA certificate on page 45. v Viewing registered certificates on page 46. v Registering a certificate on page 46. v Unregistering a certificate on page 46. CertTool In order to start the certificate configuration tool, CertTool, for the Oracle ERP Adapter, complete these steps: 1. Select Programs from the Start menu, select Accessories, and then select Command Prompt. 2. In the Microsoft Windows DOS Command Prompt window, change to the bin directory for the adapter. For example, if the Oracle ERP Adapter directory is in the default location, type the following command: cd C:\Tivoli\Agents\OracleERPAgent\bin 3. Type CertTool -agent OracleERPAgent at the prompt. The Main Menu is displayed: Main menu - Configuring agent: OracleERPAgent A. Generate private key and certificate request B. Install certificate from file C. Install certificate and key from PKCS12 file D. View current installed certificate E. List CA certificates F. Install a CA certificate G. Delete a CA certificate H. List registered certificates I. Register certificate J. Unregister a certificate K. Export certificate and key to PKCS12 file X. Quit Choice: Chapter 5. Configuring SSL authentication for the Oracle ERP Adapter 41

56 From the Main Menu, you can generate a private key and certificate request, install and delete certificates, register and unregister certificates, and list certificates. The following sections summarize the purpose of each group of options. The first set of options (A through D) allows you to generate a CSR and install the returned signed certificate on the adapter. A. Generate private key and certificate request Generate a CSR and the associated private key that is sent to the certificate authority. For more information on option A, see Generating a private key and certificate request on page 43. B. Install certificate from file Install a certificate from a file. This file must be the signed certificate returned by the CA in response to the CSR that is generated by option A. For more information on option B, see Installing the certificate on page 44. C. Install certificate and key from a PKCS12 file Install a certificate from a PKCS12 format file that includes both the public certificate and a private key. If options A and B are not used to obtain a certificate, the certificate that you use must be in PKCS12 format. For more information on option C, see Installing the certificate and key from a PKCS12 file on page 44. D. View current installed certificate View the certificate that is installed on the system. For more information on option D, see Viewing the installed certificate on page 45. The second set of options enable you to install root CA certificates on the adapter. A CA certificate is used by the IBM Tivoli Identity Manager adapter to validate the corresponding certificate presented by a client, such as the IBM Tivoli Identity Manager Server. E. List CA certificates Show the installed CA certificates. The adapter only communicates with IBM Tivoli Identity Manager Servers whose certificates are validated by one of the installed CA certificates. F. Install a CA certificate Install a new CA certificate so that certificates generated by this CA can be validated. The CA certificate file can either be in X.509 or PEM encoded formats. For more information on how to install a CA certificate, see Installing a CA certificate on page 45. G. Delete a CA certificate Remove one of the installed CA certificates. For more information on how to delete a CA certificate, see Deleting a CA certificate on page 45. The remaining options (H through K) apply to adapters that must authenticate the application (for example, the IBM Tivoli Identity Manager Server or the Web server) to which the adapter is sending information. These options enable you to register certificates on the adapter. For IBM Tivoli Identity Manager Version 4.5 or earlier, the signed certificate of the IBM Tivoli Identity Manager Server must be registered with an adapter to enable client authentication on the adapter. If you do not intend to upgrade an existing adapter to use CA certificates for client authentication, the signed certificate presented by the IBM Tivoli Identity Manager Server must be registered with the adapter. 42 IBM Tivoli Identity Manager: Oracle ERP Adapter Installation and Configuration Guide

57 If you configure the adapter to use event notification, or client authentication is enabled in DAML, then you must install the CA certificate corresponding to the signed certificate of the IBM Tivoli Identity Manager Server using the Install a CA certificate option, option F. H. List registered certificates List all registered certificates that will be accepted for communications. For more information on listing registered certificates, see Viewing registered certificates on page 46. I. Register a certificate Register a new certificate. The certificate to be registered be in Base 64 encoded X.509 format or PEM. For more information on registering certificates, see Registering a certificate on page 46. J. Unregister a certificate Unregister (remove) a certificate from the registered list. For more information on unregistering certificates, see Unregistering a certificate on page 46. K. Export certificate and key to PKCS12 file Export a previously installed certificate and private key. You will be prompted for the filename and a password for encryption. For more information on exporting a certificate and key to a PKCS12 file, see Exporting a certificate and key to PKCS12 file on page 47. Generating a private key and certificate request A certificate signing request is an unsigned certificate that is a text file. When you submit an unsigned certificate to a certificate authority, the CA signs the certificate with the private digital signature that is included in their corresponding CA certificate. When the CSR is signed, it becomes a valid certificate. A CSR contains information about your organization, such as the organization name, country, and the public key for your Web server. In order to generate a CSR file, complete these steps: 1. At the Main Menu of the CertTool, type A. The following message and prompt are displayed: Enter values for certificate request (press enter to skip value) At the Organization prompt, type your organization name, and press Enter. 3. At the Organizational Unit prompt, type the organizational unit, and press Enter. 4. At the Agent Name prompt, type the name of the adapter you are requesting a certificate for, and press Enter. 5. At the prompt, type the address for the contact person for this request, and press Enter. 6. At the State prompt, type the state in which the adapter resides (if the adapter is in the United States), and press Enter. Some certificate authorities do not accept two letter abbreviations for states, so you must type the full name of the state. 7. At the Country prompt, type the country in which the adapter resides, and press Enter. 8. At the Locality prompt, type the name of the city in which the adapter resides, and press Enter. Chapter 5. Configuring SSL authentication for the Oracle ERP Adapter 43

58 9. At the Accept these values prompt, type Y to accept the values displayed, or type N to re-enter the values, and press Enter. The private key and certificate request are generated once the values are accepted. 10. At the Enter name of file to store PEM cert request prompt, type the name of the file that you want to use to store the values you specified during the previous steps, and press Enter. 11. Press Enter to continue. The certificate request and input values are written to the file you specified, and the Main Menu is displayed again. You can now request a certificate from a trusted CA by sending the.pem file that you just generated to a certificate authority vendor. Example of certificate signing request Your CSR file will look similar to the following example: -----BEGIN CERTIFICATE REQUEST----- MIIB1jCCAT8CAQAwgZUxEjAQBgNVBAoTCWFjY2VzczM2MDEUMBIGA1UECxMLZW5n aw5lzxjpbmcxedaobgnvbamtb250ywdlbnqxjdaibgkqhkig9w0bcqewfw50ywdl bnraywnjzxnzmzywlmnvbtelmakga1uebhmcvvmxezarbgnvbagtcknhbglmb3ju awexdzanbgnvbactbklydmluztcbnzanbgkqhkig9w0baqefaaobjqawgykcgyea mr6acpnwf6hllc72bmukawaxcebtxcocnnth9uc8vumhpbimagjuc4s91hprilg7 UtlbOfy6X3R3kbeR8apRR9uLYrPIvQ1b4NK0whsytij6syCySaFQIB6V7RPBatFr 6XQ9hpsARdkGytZmGTgGTJ1hSS/jA6mbxpgmttz9HPECAwEAAaAAMA0GCSqGSIb3 DQEBAgUAA4GBADxA1cDkvXhgZntHkwT9tCTqUNV9sim8N/U15HgMRh177jVaHJqb N1Er46vQSsOOOk4z2i/XwOmFkNNTXRVl9TLZZ/D+9mGZcDobcO+lbAKlePwyufxK Xqdpu3d433H7xfJJSNYLYBFkrQJesITqKft0Q45gIjywIrbctVUCepL END CERTIFICATE REQUEST----- Installing the certificate Once you receive your certificate from your trusted CA, you install it in the registry of the adapter. In order to install the certificate, complete these steps: 1. If you received the certificate as part of an message, copy the text of the certificate to a text file, and copy that file to the bin directory for the adapter. For example, C:\Tivoli\Agents\OracleERPAgent\bin 2. At the Main Menu of the CertTool, type B. The following prompt is displayed: Enter name of certificate file: At the Enter name of certificate file prompt, type the full path to the certificate file, and press Enter. The certificate is installed in the registry for the adapter, and the Main Menu is displayed again. Installing the certificate and key from a PKCS12 file If you do not use the CertTool utility to generate a CSR to obtain a certificate, you must install both the certificate and private key, which must be stored in a PKCS12 file. The CA might send a password protected file, or PKCS12 file (a file with the.pfx extension), which includes both the certificate and private key. In order to install the certificate from this PKCS12 file, complete these steps: 1. Copy the PKCS12 file to the bin directory for the adapter. For example, C:\Tivoli\Agents\OracleERPAgent\bin 2. At the Main Menu for the CertTool, type C. The following prompt is displayed: Enter name of PKCS12 file: IBM Tivoli Identity Manager: Oracle ERP Adapter Installation and Configuration Guide

59 3. At the Enter name of PKCS12 file prompt, type the name of the PKCS12 file that has the certificate and private key information, and press Enter. For example, DamlSrvr.pfx. 4. At the Enter password prompt, type the password to access the file, and press Enter. The certificate and private key are installed in the adapter registry, and the Main Menu is displayed. Viewing the installed certificate In order to list the certificate that is installed on your system, at the Main Menu of CertTool, type D. The installed certificate is listed, and the Main Menu is displayed. The following example lists an installed certificate: The following certificate is currently installed. Subject: c=us,st=california,l=irvine,o=daml,cn=daml Server Installing a CA certificate If you are using client authentication, you need to install a CA certificate. The CA certificate you install is issued by a certificate authority vendor. In order to install a CA certificate that was extracted into a temporary file, complete the following steps: 1. At the Main Menu prompt, type F (Install a CA certificate). The following prompt is displayed: Enter name of certificate file: 2. At the Enter name of certificate file prompt, type the name of the certificate file, such as DamlCACerts.pem, and press Enter. The certificate file is opened, and the following prompt is displayed: [email protected],c=us,st=california,l=irvine,o=ibm,ou=engineering,cn=eng Install the CA? (Y/N) 3. At the Install the CA prompt, type Y to install the certificate, and press Enter. The certificate file is installed in the CACerts.pem file. Viewing CA certificates CertTool only installs one certificate and one private key. In order to list the CA certificate that is installed on the adapter, type E at the Main Menu prompt. The installed CA certificates are displayed and the Main Menu is displayed. The following example lists an installed CA certificate: Subject: o=ibm,ou=samplecacert,cn=testca Valid To: Wed Jul 26 23:59: Deleting a CA certificate In order to delete a CA certificate from the adapter directories, complete the following steps: 1. At the Main Menu prompt, type G. A list of all CA certificates installed on the adapter is displayed. 0 - [email protected],c=us,st=california,l=irvine,o=ibm,ou=engineering,cn=eng 1 - [email protected],c=us,st=california,l=irvine,o=ibm,ou=support,cn=support Enter number of CA certificate to remove: Chapter 5. Configuring SSL authentication for the Oracle ERP Adapter 45

60 2. At the Enter number of CA certificate to remove prompt, type the number of the CA certificate that you want to remove, and press Enter. The CA certificate is deleted from the CACerts.pem file, and the Main Menu is displayed. Viewing registered certificates Only requests that present a registered certificate will be accepted by the adapter when client validation is enabled. In order to view a list of all registered certificates available to the adapter, at the Main Menu prompt, type H. The registered certificates are displayed and the Main Menu is displayed. The following example lists registered certificates: 0 - [email protected],c=us,st=california,l=irvine,o=ibm,ou=engineering,cn=eng 1 - [email protected],c=us,st=california,l=irvine,o=ibm,ou=support,cn=support Registering a certificate In order to register a certificate for the adapter, complete the following steps: 1. At the Main Menu prompt, type I. The following prompt is displayed: Enter name of certificate file: 2. At the Enter name of certificate file prompt, type the name of the certificate file that you want to register, and press Enter. The subject of the certificate is displayed, and a prompt is displayed, for example: [email protected],c=us,st=california,l=irvine,o=ibm,ou=engineering,cn=eng Register this CA? (Y/N) 3. At the Register this CA prompt, type Y to register the certificate, and press Enter. The certificate is registered to the adapter, and the Main Menu is displayed. Unregistering a certificate In order to unregister a certificate for the adapter, complete the following steps: 1. At the Main Menu prompt, type J. The registered certificates are displayed. The following example lists registered certificates: 0 - [email protected],c=us,st=california,l=irvine,o=ibm,ou=engineering,cn=eng 1 - [email protected],c=us,st=california,l=irvine,o=ibm,ou=support,cn=support 2. Type the number of the certificate file that you want to unregister, and press Enter. The subject of the selected certificate is displayed, and a prompt is displayed, for example: [email protected],c=us,st=california,l=irvine,o=ibm,ou=engineering,cn=eng Unregister this CA? (Y/N) 3. At the Unregister this CA prompt, type Y to unregister the certificate, and press Enter. The certificate is removed from the registered certificate list for the adapter, and the Main Menu is displayed. 46 IBM Tivoli Identity Manager: Oracle ERP Adapter Installation and Configuration Guide

61 Exporting a certificate and key to PKCS12 file In order to export a certificate and key to a PKCS12 file for the adapter, complete the following steps: 1. At the Main Menu prompt, type K. The following prompt is displayed: Enter name of PKCS12 file: 2. At the Enter name of PKCS12 file prompt, type the name of the PKCS12 file for the installed certificate or private key, and press Enter. 3. At the Enter Password prompt, type the password for the PKCS12 file, and press Enter. 4. At the Confirm Password prompt, type the password again, and press Enter. The certificate or private key is exported to the PKCS12 file, and the Main Menu is displayed. Chapter 5. Configuring SSL authentication for the Oracle ERP Adapter 47

63 Chapter 6. Customizing the Oracle ERP adapter You can update the Oracle ERP Adapter JAR file, ERPProfile.jar, to make changes to the adapter schema, account form, service form, and profile properties. In order to make such updates, you must extract the files from the JAR file, make changes to the necessary files, and repackage the JAR file with the updated files. Complete these steps to customize the Oracle ERP Adapter profile: 1. Copy the JAR file to a temporary directory and extract the files. For more information on extracting the files, see Copy the ERPProfile.jar file and extract the files. 2. Make the appropriate file changes. 3. Install the new attributes on the IBM Tivoli Identity Manager Server. For more information on updating this file, see Create a new JAR file and install the new attributes on the IBM Tivoli Identity Manager Server on page 50. Copy the ERPProfile.jar file and extract the files The profile JAR file, ERPProfile.jar, is included in the Oracle ERP Adapter compressed file that you downloaded from the IBM Web site. The ERPProfile.jar file contains the following files: v v v v v CustomLabels.properties eroracleerpaccount.xml eroracleerpdamlservice.xml resource.def schema.dsml v xforms.xml You can modify these files to customize your environment. When you finish updating the profile JAR file, install it on the IBM Tivoli Identity Manager Server. For more information on the profile installation, see Importing the adapter profile into the IBM Tivoli Identity Manager Server on page 5. In order to modify the ERPProfile.jar file, complete the following steps: 1. Log on to the system where the Oracle ERP Adapter is installed. 2. On the Start menu, click Programs Accessories Command Prompt. 3. Copy the ERPProfile.jar file into a temporary directory. 4. Extract the contents of` the ERPProfile.jar file into the temporary directory by running the following command: cd c:\temp jar -xvf ERPProfile.jar The jar command will create the c:\temp\adprofile directory. 5. Edit the appropriate file. Copyright IBM Corp. 2003,

64 Create a new JAR file and install the new attributes on the IBM Tivoli Identity Manager Server Once you modify the schema.dsml and CustomLabels.properties files, you must import these files, and any other files that were modified for the adapter, into the IBM Tivoli Identity Manager Server for the changes to take effect. In order to install the new attributes, complete the following steps: 1. Create a new JAR file using the files in the \temp directory by running the following commands: cd c:\temp jar -cvf ERPProfile.jar ERPProfile 2. Import the ERPProfile.jar file into the IBM Tivoli Identity Manager Application Server. For more information on importing the file, see Importing the adapter profile on page Stop and start the directory server. 4. Stop and start the Oracle ERP Adapter service for the changes to take effect. Managing passwords when restoring accounts When a person s accounts are restored from being previously suspended, you are prompted to supply a new password for the reinstated accounts. However, there are circumstances when you might want to circumvent this behavior. The password requirement to restore an account on Oracle ERP resources falls into two categories: allowed and required. How each restore action interacts with its corresponding managed resource depends on either the managed resource, or the business processes that you implement. Certain resources will reject a password when a request is made to restore an account. In this case, you can configure IBM Tivoli Identity Manager to forego the new password requirement. You can set the Oracle ERP Adapter to require a new password when the account is restored, if your company has a business process in place that dictates that the account restoration process must be accompanied by resetting the password. In the resource.def file, you can define whether or not a password is required as a new protocol option. When you import the adapter profile, if an option is not specified, the adapter profile importer determines the correct restoration password behavior from the schema.dsml and xforms.xml files. Adapter profile components also enable remote services to find out if you discard a password that is entered by the user in a situation where multiple accounts on disparate resources are being restored. In this scenario, only some of the accounts being restored might require a password. Remote services will discard the password from the restore action for those managed resources that do not require them. In order to configure the Oracle ERP Adapter to not prompt for a new password when restoring accounts: 1. Stop the IBM Tivoli Identity Manager Server. 2. Extract the files from the ERPProfile.jar file. For more information on customizing the adapter profile file, see Copy the ERPProfile.jar file and extract the files on page Change to the \ADProfile directory, where the resource.def file has been created. 4. Edit the resource.def file to add the new protocol options, for example: 50 IBM Tivoli Identity Manager: Oracle ERP Adapter Installation and Configuration Guide

65 <Property Name = "com.ibm.itim.remoteservices.resourceproperties. PASSWORD_NOT_REQUIRED_ON_RESTORE" Value = "TRUE"/> <Property Name = "com.ibm.itim.remoteservices.resourceproperties. PASSWORD_NOT_ALLOWED_ON_RESTORE" Value = "FALSE"/> By adding the two options in the example above, you are ensuring that you will not be prompted for a password when an account is restored. 5. Create a new ERPProfile.jar file using the resource.def file and import the adapter profile file into the IBM Tivoli Identity Manager Server. For more information, refer to Create a new JAR file and install the new attributes on the IBM Tivoli Identity Manager Server on page Start the IBM Tivoli Identity Manager Server again. Note: If you are upgrading an existing adapter profile, the new adapter profile schema will not be reflected immediately. You need to stop and start the IBM Tivoli Identity Manager Server in order to refresh the cache and therefore the adapter schema. For more information on upgrading an existing adapter, see Upgrading the Oracle ERP adapter on page 53. Chapter 6. Customizing the Oracle ERP adapter 51

67 Chapter 7. Upgrading the Oracle ERP Adapter or the ADK You can either upgrade the Oracle ERP Adapter or the Adapter Development Kit (ADK). The ADK is the base component of the adapter. While all adapters have the same ADK, the remaining adapter functionality is specific to the managed resource. You can perform an adapter upgrade to migrate your current adapter installation to a newer version, for example version 4.4 to version 4.6. Upgrading the adapter, as opposed to reinstalling it, will allow you to keep your configuration settings. Additionally, you will not have to uninstall the current adapter and install the newer version. However, if a code fix has been made to the ADK, instead of upgrading the entire adapter, you can upgrade just the ADK to the newer version. Upgrading the Oracle ERP adapter Upgrading the ADK During an upgrade, in order to maintain all of your current configuration settings, as well as the certificate and private key, do not uninstall the old version of the adapter before installing the new version. During the install, specify the same installation directory where the previous adapter was installed. For more information on how to install the adapter, see Chapter 2, Installing and configuring the Oracle ERP adapter, on page 3. If you currently have version 4.5 of the Oracle ERP Adapter installed, and you want version 4.6, an upgrade of the adapter is necessary. Upgrading the adapter involves several steps that you must complete in the appropriate sequence. In order to upgrade an existing adapter, complete the following steps: 1. Stop the Oracle ERP Adapter service. 2. Install the new version of the adapter. When the upgraded adapter starts for the first time, new log files will be created, replacing the old files. The ADK consists of the runtime library, filtering and event notification functionality, protocol settings, and logging information. The remainder of the adapter is comprised of the Add, Modify, Delete, and Search functions. While all adapters have the same ADK, the remaining functionality is specific to the managed resource. You can use the ADK upgrade program to update the ADK portion of the adapters that are currently installed on a machine. This allows you to install just the ADK, and not the entire adapter. As part of the ADK upgrade, the ADK library and the DAML protocol library are updated. In addition, the agentcfg and CertTool binaries are updated. Copyright IBM Corp. 2003,

68 Prior to upgrading the ADK files, the upgrade program checks the current version of the ADK. If the current level is higher than what you are attempting to install, a warning message is displayed. In order to upgrade the Oracle ERP Adapter ADK, complete the following steps: 1. Download the ADK upgrade program compressed file from the IBM Web site. 2. Extract the contents of the compressed file into a temporary directory. 3. Stop the Oracle ERP Adapter service. 4. Start the upgrade program using the adkinst_win32.exe file in the temporary directory. For example, select Run from the Start menu, and type C:\TEMP\adkinst_win32.exe in the Open field. If no adapter is installed, you will receive the following error message, and the program exits: No Agent Installed - Cannot Install ADK. 5. On the Welcome window, click Next. 6. On the Software License Agreement window, review the license agreement and decide if you accept the terms of the license. If you do, click Accept. 7. On the Installation Information window, click Next to begin the installation. 8. On the Install Completed window, click Finish to exit the program. Log files Logging entries are stored in the <ADKVersion>Installer.log and <ADKVersion>Installeropt.log files, where <ADKVersion> is the version of the ADK. For example, ADK46Installer.log and ADK46Installeropt.log. These files are created in the folder where you run the installation program. 54 IBM Tivoli Identity Manager: Oracle ERP Adapter Installation and Configuration Guide

69 Chapter 8. Uninstalling the Oracle ERP adapter Before you remove the adapter, inform your users that the Oracle ERP Adapter will be unavailable. If the server is taken offline, adapter requests that were completed might not be recovered when the server is back online. To remove the Oracle ERP Adapter, complete these steps: 1. Stop the adapter service. 2. Remove the adapter. For specific information about uninstalling the adapter, see the online help or the information center for your IBM Tivoli Identity Manager product. Copyright IBM Corp. 2003,

71 Appendix A. Adapter attributes As part of the adapter implementation, a dedicated account for IBM Tivoli Identity Manager to access the Oracle ERP resources is created on the Oracle ERP resources. The Oracle ERP Adapter consists of files and directories that are owned by the IBM Tivoli Identity Manager account. These files establish communication with the IBM Tivoli Identity Manager Server. Attributes descriptions The IBM Tivoli Identity Manager Server communicates with the Oracle ERP Adapter using attributes that are included in transmission packets that are sent over a network. The combination of attributes, included in the packets, depends on the type of action that the IBM Tivoli Identity Manager Server requests from the Oracle ERP Adapter. Table 14 is an alphabetical listing of the attributes that are used by the Oracle ERP Adapter. The table gives a brief description and the data type for the value of the attribute. Table 14. Attributes, descriptions, and data types. Attribute Directory server attribute Description Data type GroupDesc description Specifies a description for the group InstanceName eroraerpinstancename Specifies the instance name String String lu_password erpassword Specifies the password String OraErpCustomer eroraerpcustomer Specifies the customer name OraErpCustomerId eroraerpidcustomer Specifies the customer user ID OraErpDescription eroraerpdescription Specifies the description for the Oracle ERP OraErp eroraerp Specifies the Electronix mail address String Integer String String OraErpFax facsimiletelephonenumber Specifies the fax number String OraErpOwner eroraerpowner Specifies the owner of the Oracle ERP account OraErpPasswordAccesses eroraerppasswdaccesses Specifies the number of accesses allowed for the password OraErpPasswordDays eroraerppassworddays Specifies the life span of the password OraErpPerson eroraerpperson Specifies the name of the person OraErpPersonId eroraerppersonid Specifies the user ID of the person OraErpResponsibility eroraerpresponsibility Specifies the responsibility name String Integer Integer String Integer String Copyright IBM Corp. 2003,

72 Table 14. Attributes, descriptions, and data types. (continued) Attribute Directory server attribute Description Data type OraErpResponsibilityId eroraerpidresponsibility Specifies the responsibility ID Integer OraErpSupplier eroraerpsupplier Specifies the supplier String OraErpSupplierId eroraerpidsupplier Specifies the supplier ID Integer OraErpSupplierName eroraerpnamesupplier Specifies the name of the supplier OraErpUserEndDate eroraerpuserenddate Specifies the end date of the user OraErpUserStartDate eroraerpuserstartdate Specifies the start date of the user UserName eruid Specifies the application user name UserStatus eraccountstatus Specifies if the user account is suspended String Date Date String String Attributes by Oracle ERP Adapter actions The following lists are typical Oracle ERP Adapter actions by their functional transaction group. The lists include more information about required and optional attributes sent to the Oracle ERP Adapter to complete that action. System Login Add A System Login Add is a request to create a new user account with the specified attributes. Table 15. Add request attributes Required attribute Optional attribute eruid erpassword eroraerpdescription eroraerppasswordaccesses eroraerppassworddays eroraerpperson eroraerpcustomer eroraerpsupplier eroraerpuserstartdate eroraerpuserenddate eroraerp eroraerpfax eroraerpresponsibility System Login Change A System Login Change is a request to change one or more attributes for the specified users. 58 IBM Tivoli Identity Manager: Oracle ERP Adapter Installation and Configuration Guide

73 Table 16. Change request attributes Required attribute Optional attribute eruid eroraerpdescription erpassword eroraerppasswordaccesses eroraerppassworddays eroraerpperson eroraerpcustomer eroraerpsupplier eroraerpuserstartdate eroraerpuserenddate eroraerp eroraerpfax eroraerpresponsibility System Login Delete A System Login Delete is a request to remove the specified user from the directory. Table 17. Delete request attributes Required attribute Optional attribute eruid None System Login Suspend A System Login Suspend is a request to disable a user account. The user is neither removed nor are their attributes modified. Table 18. Suspend request attributes Required Attributes Optional Attributes eruid eraccountstatus None System Login Restore A System Login Restore is a request to activate a user account that was previously suspended. Once an account is restored, the user can access the system with the same attributes as those before the Suspend function was called. Table 19. Restore request attributes Required attribute Optional attribute eruid eraccountstatus erpassword None Appendix A. Adapter attributes 59

74 Reconciliation The Reconciliation request synchronizes user account information between IBM Tivoli Identity Manager and the adapter. Table 20. Reconciliation request attributes Attributes returned during reconciliation All supported attributes 60 IBM Tivoli Identity Manager: Oracle ERP Adapter Installation and Configuration Guide

75 Appendix B. Support information This section describes the following options for obtaining support for IBM products: v Searching knowledge bases v Contacting IBM Software Support Searching knowledge bases If you have a problem with your IBM software, you want it resolved quickly. Begin by searching the available knowledge bases to determine whether the resolution to your problem is already documented. Search the information center on your local system or network IBM provides extensive documentation that can be installed on your local computer or on an intranet server. You can use the search function of this information center to query conceptual information, instructions for completing tasks, reference information, and support documents. Search the Internet If you cannot find an answer to your question in the information center, search the Internet for the latest, most complete information that might help you resolve your problem. To locate Internet resources for your product, open one of the following Web sites: v Performance and tuning information Provides information needed to tune your production environment, available on the Web at: Click the I character in the A-Z product list to locate IBM Tivoli Identity Manager products. Click the link for your product, and then browse the information center for the Technical Supplements section. v Redbooks and white papers are available on the Web at: IBMTivoliIdentityManager.html Browse to the Self Help section, in the Learn category, and click the Redbooks link. v Technotes are available on the Web at: v Field guides are available on the Web at: v For an extended list of other Tivoli Identity Manager resources, search the following IBM developerworks Web address: Contacting IBM Software Support IBM Software Support provides assistance with product defects. Copyright IBM Corp. 2003,

76 Before contacting IBM Software Support, your company must have an active IBM software maintenance contract, and you must be authorized to submit problems to IBM. The type of software maintenance contract that you need depends on the type of product you have: v For IBM distributed software products (including, but not limited to, Tivoli, Lotus, and Rational products, as well as DB2 and WebSphere products that run on Windows or UNIX operating systems), enroll in Passport Advantage in one of the following ways: Online: Go to the Passport Advantage Web page ( services/passport.nsf/webdocs/ Passport_Advantage_Home) and click How to Enroll By phone: For the phone number to call in your country, go to the IBM Software Support Web site ( contacts.html) and click the name of your geographic region. v For IBM eserver software products (including, but not limited to, DB2 and WebSphere products that run in zseries, pseries, and iseries environments), you can purchase a software maintenance agreement by working directly with an IBM sales representative or an IBM Business Partner. For more information about support for eserver software products, go to the IBM Technical Support Advantage Web page ( If you are not sure what type of software maintenance contract you need, call IBMSERV ( ) in the United States or, from other countries, go to the contacts page of the IBM Software Support Handbook on the Web ( and click the name of your geographic region for phone numbers of people who provide support for your location. Follow the steps in this topic to contact IBM Software Support: 1. Determine the business impact of your problem. 2. Describe your problem and gather background information. 3. Submit your problem to IBM Software Support. Determine the business impact of your problem When you report a problem to IBM, you are asked to supply a severity level. Therefore, you need to understand and assess the business impact of the problem you are reporting. Use the following criteria: Severity 1 Critical business impact: You are unable to use the program, resulting in a critical impact on operations. This condition requires an immediate solution. Severity 2 Significant business impact: The program is usable but is severely limited. Severity 3 Some business impact: The program is usable with less significant features (not critical to operations) unavailable. Severity 4 Minimal business impact: The problem causes little impact on operations, or a reasonable circumvention to the problem has been implemented. 62 IBM Tivoli Identity Manager: Oracle ERP Adapter Installation and Configuration Guide

77 Describe your problem and gather background information When explaining a problem to IBM, be as specific as possible. Include all relevant background information so that IBM Software Support specialists can help you solve the problem efficiently. To save time, know the answers to these questions: v What software versions were you running when the problem occurred? v Do you have logs, traces, and messages that are related to the problem symptoms? IBM Software Support is likely to ask for this information. v Can the problem be re-created? If so, what steps led to the failure? v Have any changes been made to the system? (For example, hardware, operating system, networking software, and so on.) v Are you currently using a workaround for this problem? If so, please be prepared to explain it when you report the problem. Submit your problem to IBM Software Support You can submit your problem in one of two ways: v Online: Go to the Submit and track problems page on the IBM Software Support site ( Enter your information into the appropriate problem submission tool. v By phone: For the phone number to call in your country, go to the contacts page of the IBM Software Support Handbook on the Web ( techsupport.services.ibm.com/guides/contacts.html) and click the name of your geographic region. If the problem you submit is for a software defect or for missing or inaccurate documentation, IBM Software Support creates an Authorized Program Analysis Report (APAR). The APAR describes the problem in detail. Whenever possible, IBM Software Support provides a workaround for you to implement until the APAR is resolved and a fix is delivered. IBM publishes resolved APARs on the IBM product support Web pages daily, so that other users who experience the same problem can benefit from the same resolutions. For more information about problem resolution, see Searching knowledge bases. Appendix B. Support information 63

79 Appendix C. Notices This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user s responsibility to evaluate and verify the operation of any non-ibm product, program, or service. IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to: IBM Director of Licensing IBM Corporation North Castle Drive Armonk, NY U.S.A. For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to: IBM World Trade Asia Corporation Licensing 2-31 Roppongi 3-chome, Minato-ku Tokyo , Japan The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION AS IS WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you. This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice. Any references in this information to non-ibm Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk. IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you. Copyright IBM Corp. 2003,

80 Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged should contact: IBM Corporation 2ZA4/ Burnet Road Austin, TX U.S.A. Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee. The licensed program described in this information and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement, or any equivalent agreement between us. Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment. Information concerning non-ibm products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-ibm products. Questions on the capabilities of non-ibm products should be addressed to the suppliers of those products. Trademarks The following terms are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both: IBM IBM logo ibm.com AIX AS/400 DB2 Domino i5/os Informix iseries Linux Lotus Lotus Notes MQSeries Notes OS/400 Power PC Tivoli 66 IBM Tivoli Identity Manager: Oracle ERP Adapter Installation and Configuration Guide

81 Tivoli logo Universal Database WebSphere Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both. Intel, Intel Inside (logos), MMX and Pentium are trademarks of Intel Corporation in the United States, other countries, or both. UNIX is a registered trademark of The Open Group in the United States and other countries. Linux is a trademark of Linus Torvalds in the U.S., other countries, or both. Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both. Other company, product, and service names may be trademarks or service marks of others. Appendix C. Notices 67

83 Index A accessibility pdf format, for screen-reader software viii statement for documentation viii text, alternative for document images viii activity logging 19 adapter ADK upgrade 53 attributes by adapter action 58 descriptions 57 configuration steps 7 customization steps 49 features 1 installation overview 1 profile purpose 5 removal 55 upgrade 53 adapter configuration tool See agentcfg adapter overview 1 ADK46Installer.log file 54 ADK46Installeropt.log file 54 administrator authority 3 agentcfg arguments 25 changing adapter parameters configuration key 19 protocol settings 11 registry settings 21 request processing 23 menus activity logging 19 advanced settings 23 event notification 14 help 25 Main Configuration 9 Protocol Configuration 10 registry 21 viewing configuration settings 10 attributes by Oracle ERP Adapter action add 58 change 58 delete 59 reconciliation 60 restore 59 suspend 59 descriptions 57 B books see publications viii C certificate authority definition 35 certificate signing request (CSR) 44 certificates CA available functions 42 deleting 45 installing 45 viewing installed 45 certificate management tools See CertTool definition 35 examples certificate signing request (CSR) 44 install 44 installation from file 44 sample 44 key formats 37 overview 35 private keys and digital certificates 36 protocol configuration tool See CertTool register 42 registered registering 46 removing 46 viewing 46 request 43 self-signed 36 viewing installed 45 registered 46 viewing installed 45 viewing registered 46 CertTool CA certificate deleting 45 installing 45 viewing 45 certificate install 44 register 42 request 43 viewing installed 45 viewing registered 46 changing adapter parameters accessing 37, 41 options 42 client authentication 42 install certificate 44 private key, generating 43 registered certificate registering 46 removing 46 viewing 46 character sets, supported 23 client authentication 39 client validation, SSL 40 configuration key changing with agentcfg 19 default value 9, 19 purpose 9 Copyright IBM Corp. 2003,

84 configuration (continued) settings changing with agentcfg 9 default value 10 viewing with agentcfg 10 SSL 38 context baseline database 19 deleting 15 listing 16 modifying 17 search attributes 17 target DN 18 conventions HOME directory Tivoli_Common_Directory xi DB_INSTANCE_HOME x HTTP_HOME xi ITIM_HOME xi LDAP_HOME x WAS_HOME xi WAS_MQ_HOME xi WAS_NDM_HOME xi typeface ix UNIX variable, directory notation ix used in this document ix CSR definition 43 file, generating 43 customer support see Software Support 61 D DAML protocol configuring with agentcfg 11 encryption default value 11 type 11 options 11 properties, changing with agentcfg options 11 password 12 portnumber 12 require_cert_reg 13 srv_nodename 12 srv_portnumber 12 username 11 validate_client_ce 13 SSL authentication 37 DB_INSTANCE_HOME DB2 UDB installation directory x definition x debug log default value 19 enable/disable with agentcfg 19 purpose 20 detail log default value 19 enable/disable with agentcfg 19 purpose 20 directory DB_INSTANCE_HOME x HTTP_HOME xi installation DB2 UDB x IBM Directory Server x directory (continued) installation (continued) IBM HTTP Server xi WebSphere Application Server base product xi WebSphere Application Server Network Deployment product xi WebSphere MQ xi installation for Sun ONE Directory Server x ITIM_HOME xi LDAP_HOME x names, UNIX notation ix WAS_HOME xi WAS_MQ_HOME xi WAS_NDM_HOME xi disabilities, using documentation viii documents IBM Tivoli Identity Manager library v related viii E enable/disable with agentcfg 19 encrypted registry settings 21 encryption DAML protocol default value 11 type 11 SSL 35, 36 environment variable UNIX notation ix event notification cache size 15 changing with agentcfg 14 context baseline database 19 deleting 15 listing 16 modifying 17 search attributes 17 target DN 18 enable/disable 15 reconciliation attributes 15 context 15 intervals 15 modifying 15 process priority 15 starting manually 15 H help menu for agentcfg 25 accessing with -help command 25 home directories DB_INSTANCE_HOME x HTTP_HOME xi ITIM_HOME xi LDAP_HOME x WAS_HOME xi WAS_MQ_HOME xi WAS_NDM_HOME xi HTTP_HOME definition xi IBM HTTP Server installation directory xi 70 IBM Tivoli Identity Manager: Oracle ERP Adapter Installation and Configuration Guide

85 I IBM Tivoli Identity Manager Serverprerequisites 3 import adapter profile 5, 50 PKCS12 file 37 information centers, searching to find software problem resolution 61 installation certificate 44 directory DB2 UDB x IBM Directory Server x IBM HTTP Server xi Sun ONE Directory Server x WebSphere Application Server base product xi WebSphere Application Server Network Deployment product xi WebSphere MQ xi profile 5 uninstall 55 installation prerequisites administrator authority 3 IBM Tivoli Identity Manager Server 3 network connectivity 3 operating system 3 Oracle application software 3 Oracle server software 3 system 3 Internet, searching to find software problem resolution 61 ITIM_HOME definition xi directory xi K knowledge bases, searching to find software problem resolution 61 L LDAP_HOME definition x IBM Directory Server installation directory x Sun ONE Directory Server installation directory x logs activity settings, changing 10 ADK46Installer.log file 54 ADK46Installeropt.log file 54 debug 19 detail 19 directory, changing with agentcfg 20 display using agentcfg 26 enable/disable, changing with agentcfg 20 file name, changing with agentcfg 19 settings, changing with adaptercfg 20 settings, changing with agentcfg log file name 20 max file size 20 settings, default values 19 statistics 24 trace.log file 6 view events 10 viewing statistics 24 M manuals see publications viii N network connectivity 3 non-encrypted registry settings 21 O online publications accessing viii operating system prerequisites 3 P password protected file See PKCS12 file passwords changing configuration key 19 configuration key, default value 9, 19 passwords, changing with agentcfg DAML protocol 12 path names, notation ix pdf format, for screen-reader software viii PKCS12 file certificate and key installation 44 export certificate and key 47 portnumber changing with agentcfg 11 portnumber, changing with agentcfg 12 private key definition 35 private key, generating 43 problem determination describing problem for IBM Software Support 63 determining business impact for IBM Software Support 62 submitting problem to IBM Software Support 63 properties, changing with agentcfg 11 protocol DAML configuring with agentcfg 11 encryption default value 11 encryption type 11 properties, changing with agentcfg 11 SSL overview 35 server-to-adapter configuration 38 two-way configuration 39, 40 public key 36 publications accessing online viii IBM Tivoli Identity Manager library v related viii R reconciliation attributes 15, 60 context 15 intervals 15 modifying 15 process priority 15 Index 71

86 registry settings encrypted 21 non-encrypted 21 require_cert_reg, changing with agentcfg 13 restoring accounts password requirements 50 S self-signed certificate 36 Software Support contacting 61 describing problem for IBM Software Support 63 determining business impact for IBM Software Support 62 submitting problem to IBM Software Support 63 srv_nodename, changing with agentcfg 12 srv_portnumber, changing with agentcfg 12 SSL certificate installation 35 certificate signing request 43 encryption 35 key formats 37 overview 35 private keys and digital certificates 36 self-signed certificates 36 server-to-adapter configuration 38 two-way configuration 39, 40 SSL implementations, DAML protocol 37 system prerequisites 3 upgrade (continued) adapter profile 5 ADK 53 username, changing with agentcfg 11 UTF8 support 23 V validate_client_ce, changing with agentcfg 13 W WAS_HOME definition xi WebSphere Application Server base installation directory xi WAS_MQ_HOME definition xi WebSphere MQ installation directory xi WAS_NDM_HOME definition xi WebSphere Application Server Network Deployment installation directory xi western European character set, support 23 T text, alternative for document images viii thread count settings changing with agentcfg 23 default values 23 maximum concurrent requests 23 reconciliation requests 23 system login add requests 23 system login change requests 23 system login delete requests 23 Tivoli Identity Manager Adapter communication with the server 39, 40 SSL communication 39, 40 Tivoli Identity Manager Server communication with the adapter 38 configuring event notification 14 importing adapter profile 5 SSL communication 38 Tivoli software information center viii Tivoli_Common_Directory definition xi trace.log file 6 two-way configuration SSL client 39 client and server 40 typeface conventions ix U uninstallation 55 updating adapter profile 49 upgrade adapter IBM Tivoli Identity Manager: Oracle ERP Adapter Installation and Configuration Guide

87

88 Printed in USA SC