Saturday, 20 October 2012

Integrating Oracle Identity Analytics with Oracle Identity Manager (PS1 and R2)



My environment for this walkthrough:
  RBACX_HOME = /oia11g/Oracle/OIA_Install
  RBACX_LIB = /oia11g/Oracle/OIA_Lib
  OIMServer is the provisioning server (the connection name used in the import jobs below).

1. Copy the Required Files From the OIM Server
  • Copy the following OIM JAR files located in the <OIMDesignConsole>/lib folder to the Oracle Identity Analytics $RBACX_HOME/WEB-INF/lib folder:
    • xlAPI.jar
    • xlCache.jar
    • xlDataObjectBeans.jar
    • xlDataObjects.jar
    • xlScheduler.jar
    • xlUtils.jar
    • xlVO.jar
  • Copy the following JAR files located in the <IDM-HOME>/server/lib folder to the Oracle Identity Analytics $RBACX_HOME/WEB-INF/lib folder:
    • xlCrypto.jar
    • wlXLSecurityProviders.jar
    • xlAuthentication.jar
    • xlLogger.jar
  • Create the folder $RBACX_HOME/xellerate and copy the config folder located at <OIMDesignConsole>/config into it.
  • If you are using Oracle Identity Manager 11.1.1.5.0, copy the following OIM files to the Oracle Identity Analytics $RBACX_HOME/WEB-INF/lib folder:
    • oimclient.jar
Use the version located in the <OIMDesignConsole>/lib folder. (Important: Do not use a copy of this JAR file located in any other directory.)
    • iam-platform-utils.jar
This file is located in the <OIMDesignConsole>/lib folder.
  • If deploying to a WebLogic application server, and if Oracle Identity Analytics and Oracle Identity Manager are on different WebLogic domains, copy the <WLS-HOME>/server/lib/wlfullclient.jar file to the Oracle Identity Analytics $RBACX_HOME/WEB-INF/lib folder.
  • If the wlfullclient.jar file is not present, follow these steps to generate it:
    1. Type cd <WLS-HOME>/server/lib, where <WLS-HOME> is the base WebLogic installation directory
    2. Type java -jar wljarbuilder.jar
    3. Copy the wlfullclient.jar file to the $RBACX_HOME/WEB-INF/lib folder
2. Edit the Oracle Identity Analytics Configuration Files
  1. Stop Oracle Identity Analytics.
  2. Enable Oracle Identity Manager as a supported provisioning server by editing iam-context.xml in the $RBACX_HOME/WEB-INF folder as follows:
Uncomment the following lines at the start of iam-context.xml:
<import resource="oim-commons-context.xml"/>
<import resource="oim-11g-context.xml"/> <!-- This also works with at least Oracle Identity Manager 9.1.0.2 BP17 -->
Enable the following:
<entry key="oracle">
  <ref bean="oimSolution"/>
</entry>
Save your changes.
  3. Start Oracle Identity Analytics.
  4. Edit $RBACX_HOME/conf/oimjdbc.properties and provide the OIM database connection details:
oim.jdbc.username = DEV_OIM
oim.jdbc.password = password
oim.jdbc.url = jdbc:oracle:thin:@hostname:1521:SID
  5. Run the OIA Property Encryption Utility to encrypt the database password stored in the oimjdbc.properties file:
$ java -jar ../rbacx_staging/WEB-INF/lib/vaau-commons-crypt.jar -encryptProperty -cipherKeyProperties ./cipherKey.properties -propertyFile ./oimjdbc.properties -propertyName oim.jdbc.password
  6. Open the oim-11g-context.xml file in <RBACX_HOME>/rbacx_staging/WEB-INF for editing and search for the word password.
  7. Comment out the oim.jdbc.password line and uncomment the oim.jdbc.password.encrypted line. The XML should look like the following sample:
<property name="URL" value="${oim.jdbc.url}"/>
<property name="user" value="${oim.jdbc.username}"/>
<!--<property name="password" value="${oim.jdbc.password}"/>-->
<property name="password" value="${oim.jdbc.password.encrypted}"/>
  8. Save your changes.
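As an added example (not code from the original post or from Oracle), the following POSIX shell pre-flight check covers the file copies of Step 1 and the iam-context.xml, oimjdbc.properties and oim-11g-context.xml edits of Step 2; the function names and the sample layout it builds are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post: a pre-flight check for the
# Step 1 and Step 2 work above. It verifies that the OIM JARs are present in
# $RBACX_HOME/WEB-INF/lib, that xellerate/config exists, that both imports in
# iam-context.xml are uncommented, and that the plaintext oim.jdbc.password is
# gone from oimjdbc.properties and from the oim-11g-context.xml password bean.
# Function names and the sample layout are assumptions made for this example.

OIM_JARS="xlAPI.jar xlCache.jar xlDataObjectBeans.jar xlDataObjects.jar
xlScheduler.jar xlUtils.jar xlVO.jar xlCrypto.jar wlXLSecurityProviders.jar
xlAuthentication.jar xlLogger.jar oimclient.jar iam-platform-utils.jar"

fail() { echo "FAIL: $1"; fails=$((fails + 1)); }

# oia_oim_precheck <RBACX_HOME>: prints each finding, returns the failure count.
oia_oim_precheck() {
  home="$1"; lib="$home/WEB-INF/lib"; fails=0
  for jar in $OIM_JARS; do
    [ -f "$lib/$jar" ] || fail "$jar missing from $lib"
  done
  [ -d "$home/xellerate/config" ] || fail "$home/xellerate/config missing"
  ctx="$home/WEB-INF/iam-context.xml"
  for res in oim-commons-context.xml oim-11g-context.xml; do
    # An enabled import starts the line with <import, not with <!--
    grep -q "^[[:space:]]*<import resource=\"$res\"/>" "$ctx" 2>/dev/null \
      || fail "import of $res not enabled in $ctx"
  done
  # A plaintext oim.jdbc.password line means the encryption utility was not run
  grep -q '^[[:space:]]*oim\.jdbc\.password[[:space:]]*=' \
      "$home/conf/oimjdbc.properties" 2>/dev/null \
    && fail "plaintext oim.jdbc.password still in oimjdbc.properties"
  # The bean must reference the .encrypted property; drop commented-out lines first
  grep -v '<!--' "$home/WEB-INF/oim-11g-context.xml" 2>/dev/null \
    | grep -Fq 'value="${oim.jdbc.password}"' \
    && fail "oim-11g-context.xml still uses the plaintext oim.jdbc.password"
  return "$fails"
}

# make_sample_home <dir>: constructed layout that passes every check (demo only).
make_sample_home() {
  mkdir -p "$1/WEB-INF/lib" "$1/xellerate/config" "$1/conf"
  for jar in $OIM_JARS; do : > "$1/WEB-INF/lib/$jar"; done
  printf '<import resource="oim-commons-context.xml"/>\n<import resource="oim-11g-context.xml"/>\n' \
    > "$1/WEB-INF/iam-context.xml"
  printf '<!--<property name="password" value="${oim.jdbc.password}"/>-->\n<property name="password" value="${oim.jdbc.password.encrypted}"/>\n' \
    > "$1/WEB-INF/oim-11g-context.xml"
  printf 'oim.jdbc.username = DEV_OIM\noim.jdbc.password.encrypted = ENCRYPTED_PLACEHOLDER\n' \
    > "$1/conf/oimjdbc.properties"
}
```

Run oia_oim_precheck /oia11g/Oracle/OIA_Install before starting OIA; a nonzero return value is the number of items from Steps 1 and 2 that are still missing.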
3. Open Form Designer and, for each OIM resource, add the properties that OIA needs to exchange data with OIM. (I am adding these properties for the AD resource only.)
  1. Log in to the Oracle Identity Manager Design Console.
  2. Open the Form Designer.
  3. For each resource, the following properties need to be added to the identified fields that feed the accounts, policies, and entitlements imports:
    • AccountName - Identifies the unique account in the target system
    • ITResource - Identifies the unique IT Resource field for the target system
    • Entitlement - Identifies the account attribute designated for privileges
    • OIAParentAttribute - Identifies the parent or mandatory entitlement attributes. Add this property only if you have installed at least OIM 11.1.1.5.0 or at least OIM 9.1.0.2 BP17.
Complete this step as follows:
    a. Locate the Process Form for the given resource. The AccountName and ITResource properties go on the parent form, and the Entitlement and OIAParentAttribute properties go on the child form.
    b. Open the child Process Form and create a new version.
    c. Click the Properties tab.
    d. Locate ONLY ONE entitlement field per form, click Add Property, and add the Entitlement = true property setting. If there are multiple Entitlement child forms, add one Entitlement = true property setting per Entitlement form.
    e. If you have installed at least OIM 11.1.1.5.0 or at least OIM 9.1.0.2 BP17, add the OIAParentAttribute property.
For OIM 11.1.1.5.0, first create the OIAParentAttribute property as a custom property. You only need to do this once:
      1. In the Design Console, expand Administration and click Lookup Definition.
      2. Search for Lookup.FormField.Custom.Properties.
      3. Click Add to add the OIAParentAttribute property.
To add the OIAParentAttribute property to the form, locate ONLY ONE entitlement field per form, click Add Property, and add the OIAParentAttribute = true property setting. (If you cannot find the OIAParentAttribute property, create it as a custom property as described just above.) If there are multiple Entitlement child forms, add one OIAParentAttribute = true property setting per Entitlement form.
    f. Save the child form and make it active. If there are multiple child forms, update all of them by repeating steps d, e, and f before going to the next step.
    g. Locate the parent process form and create a new version.
    h. Click the Properties tab.
    i. Locate the field that uniquely identifies the account in the target system, click Add Property, and add the AccountName = true property setting. See the following screen capture for an example.
    j. Locate the ITResource field for the target system, click Add Property, and add the ITResource = true property setting.
    k. Save the parent form and make it active.
  4. Repeat for each resource.
  5. Restart the Oracle Identity Analytics server.
4. Configure the Oracle Identity Manager Data Collection Scheduler
Use the following steps to register the Oracle Identity Manager scheduled task that is required to support the OIA-OIM integration:
  1. Enable the DataCollection Schedule task if you are using Oracle Identity Manager 9.1.0.2. (If you are using at least Oracle Identity Manager 11.1.1.5.0, the DataCollection Schedule task is already enabled, so skip this step.) To enable the DataCollection Schedule task, open the Design Console, search for the DataCollection Schedule task, and make it Active.
  2. Enable the following system property in Oracle Identity Manager by setting its value to TRUE (this is the property name in OIM 11gR2):
OIM.IsOIAIntegrationEnabled = TRUE

5. Configure Oracle Identity Analytics to Connect to Oracle Identity Manager
  1. Log in to Oracle Identity Analytics.
  2. Choose Administration > Configuration.
  3. Click Provisioning Servers.
  4. Click New Provisioning Server Connection.
  5. From the Type of Provisioning Server Connection drop-down menu, select oracle and click Next.
  6. Complete the form:
    • Server Name - Type the Oracle Identity Manager server name.
    • Xellerate Home - Type the path to the xellerate folder in OIM. If Oracle Identity Manager is on a separate machine, create a local xellerate folder and copy the config folder from <OIMDesignConsole> into it.
    • Login Config - Type the path to the authentication configuration (auth<AS>.conf) file. (Example: /oia11g/Oracle/OIA_Install/xellerate/config/authwl.conf)
    • User Name - xelsysadm
    • Password - Enter the OIM password.
  7. Click Save.

6. Import the Oracle Identity Manager (OIM) Data Into Oracle Identity Analytics (OIA)

To verify that each import job completed successfully:
  • Log in to Oracle Identity Analytics.
  • Choose Administration > Auditing & Events.
  • Click Import/Export Logs.
  • In the table, find the entries for your import jobs.
  • Click the entry in the Description column to view the Import Log Details page.
  • Verify that the number of Oracle Identity Manager export records (Number of Output Records) and the number of Oracle Identity Analytics import records (Number of Input Records) are the same.

Schedule or run the import jobs in the following order:
  1. Import Resource Metadata.
Administration -> Configuration -> Import/Export -> Schedule new job -> Import Resource MetaData -> OIMServer (OIM Server type: Oracle) -> Provide the name -> Check Run the job Now -> Click on Finish.
You can check the resource types imported from OIM under Administration -> Configuration -> Resource Type.
  2. Validate that the Parent attribute is set.
Administration -> Configuration -> Resource Type. Select the resource imported from OIM and make sure that you have selected the attributes for:
    • Managed
    • Auditable
    • Importable
    • Minable
    • Certifiable
Repeat the same for all the resources imported from OIM.
  3. Import Resources.
Administration -> Configuration -> Import/Export -> Schedule new job -> Import Resources -> OIMServer (OIM Server type: Oracle) -> Provide the name -> Check Run the job Now -> Click on Finish.
Click on Identity Warehouse -> Resources to see all the resources imported from OIM.
  4. Import the Glossary Data.
Administration -> Configuration -> Import/Export -> Schedule Job -> Import -> Import Glossary.
  5. Import Policies.
Administration -> Configuration -> Import/Export -> Schedule Job -> Import Policies.
  6. Import Roles.
Administration -> Configuration -> Import/Export -> Schedule Job -> Import Roles.
  7. Import Users, Accounts, User Role Memberships, and Entitlements.
Administration -> Configuration -> Import/Export -> Schedule Job -> Import Users, Accounts, User Role Memberships, and Entitlements.
Choose one of the following:
    • Load all resources defined in the system at the time the job is run - Choose this option to import data from all resources.
    • Load only those resources selected in the table - Choose this option to import data only from selected resources. If you choose this option, select one or more resources in the table.
Then:
    • Type a name and description for the job.
    • Select the Entitlements option if you did not perform the Glossary Import job.
    • Select the User Role Membership option to import User-Role membership data.
    • Select Full to import all entities found on the OIM server, or Incremental to import only the OIM entities updated since the last successful import.
    • Click Finish to generate the import job.
  8. Verify each import as described above.

4 comments:

  1. Hi Kashyap,

    I just followed all of these steps to integrate OIM 11gR2 to OIA.

    But while doing the following step:
    Log in to Oracle Identity Analytics.
    Choose Administration > Configuration.
    Click Provisioning Servers.
    Click New Provisioning Server Connection.
    From the Type of Provisioning Server Connection drop-down menu, select oracle and click Next.

    I am not getting "oracle" as an option in the drop-down.

    I verified my iam-context.xml many times and I am sure that I uncommented

    Do you know what could be the error?

    Replies
    1. Hi Swathi,

      Did you restart the OIA server after modifying iam-context.xml?

    2. FYI, for me just restarting the server didn't do the trick. I had to redeploy for new configurations to take effect.

  2. Hi, after putting WLFULLCLIENT.jar in WEB_INF/lib, OIA deployment is getting failed with com.thoughtworks.xstream.converters.reflection.ObjectAccessException: Cannot construct com.vaau.commons.util.fileUtils.FileUtils$WrappedFile as it does not have a no-args constructor