Tuesday, July 17, 2012

OIM & Connector Server


New versions of OIM connectors have been released in the past few months(version number is 11.1.1.x). These new releases bring an important change to OIM connectors: they are based on the Identity Connector Framework (IFC). The 11.1.1.5 documentation for the ICF is available at:

http://docs.oracle.com/cd/E21764_01/doc.1111/e14309/icfpart.htm#sthref467

One of the things that ICF brings is the capability of deploying connectors to an ‘Identity Connector Server’(but keep in mind you still need to deploy the connector to OIM as well). When using a connector server, OIM will delegate to the connector server the execution of the provisioning tasks. Except for the .NET based connectors (like AD and Exchange), the connector server is an optional piece in an OIM topology and its use depends on the project requirements.


One of the common issues when deploying ICF based connectors is the wrong configuration of an IT Resource instance. You will notice that any ‘IT Resource’ defined by an ICF based connector will have a ‘Connector Server Name’ attribute. This attribute must be left blank unless you are actually connecting to a connector server. The picture below shows such attribute:


So whenever deploying an ICF based connector, you have two options to configure an IT Resource instance:
  • you leave the ‘Connector Server Name’ attribute blank 
  •  you deploy a connector server and configure it in OIM, and then configure its name in the IT Resource instances of the connector you are deploying.

Below there are two common exceptions seen in the OIM log files when the 'IT Resource Instance' attribute contains a value but there is no 'connector server' to connect to.

oracle.iam.connectors.icfcommon.exceptions.IntegrationException: The value for a key [Host] is not defined in the provided map.
        at oracle.iam.connectors.icfcommon.util.MapUtil.getRequiredValue(MapUtil.java:94)
        at oracle.iam.connectors.icfcommon.ConnectorFactory.createConnectorFacade(ConnectorFactory.java:142)
        at oracle.iam.connectors.icfcommon.prov.ICProvisioningManager.init(ICProvisioningManager.java:114)
        at oracle.iam.connectors.icfcommon.prov.ICProvisioningManager.init(ICProvisioningManager.java:123)
        at oracle.iam.connectors.icfcommon.prov.ICProvisioningManager.deleteObject(ICProvisioningManager.java:302)

oracle.iam.connectors.icfcommon.exceptions.OIMException: Invalid IT Resource Name [Connector Server]
        at oracle.iam.connectors.icfcommon.service.oim9.OIM9Configuration.getITResource(OIM9Configuration.java:122)
        at oracle.iam.connectors.icfcommon.ResourceConfig.getITResource(ResourceConfig.java:157)
        at oracle.iam.connectors.icfcommon.ResourceConfig.<init>(ResourceConfig.java:76)
        at oracle.iam.connectors.icfcommon.service.oim9.OIM9Configuration.getResourceConfig(OIM9Configuration.java:131)
        at oracle.iam.connectors.icfcommon.recon.AbstractReconTask.init(AbstractReconTask.java:114)
Posted by Daniel Gralewski at 6:30 AM
Labels: , , ,

13 comments:

  1. UnknownJuly 19, 2012 at 7:35:00 AM PDT

    Hello Daniel,

    Is it recommended that the connector server be separate from the OIM server? With the company I work for and I'm assuming many others, getting an additional server is a major process, including small VMs.

    -Ryan

    ReplyDelete
    Replies
    1. Daniel GralewskiJuly 20, 2012 at 6:45:00 AM PDT

      Ryan,

      There are two types of connector servers: .NET based and Java based.

      Provisioning/Recon to AD and Exchange will require you to run a .NET connector server on a Windows box. In this case, connector server is a mandatory piece. Check connector documentation for the requirements around Windows box (like same domain as AD and others).

      Java based connector server can run anywhere (even in the same box OIM server is running). But keep in mind that connector server is an optional piece for Java based connectors, these connectors can be directly executed in OIM.

      Thanks!

      Delete
  2. UnknownMarch 4, 2013 at 11:37:00 PM PST

    Hello Daniel,

    We have using AD and Exchange connectors in my project,Here One thing i am not understand,we have use only one connector server for both exchange and AD?
    If one connector server is enough for both then where i have install this connector server in AD or Exchange server?

    Both AD and Exchange servers are in same Domain.

    ReplyDelete
    Replies
    1. Daniel GralewskiMarch 5, 2013 at 9:55:00 AM PST

      Venu, one connector servers instance deployed to any Windows machine belonging to the same domain should be enough.

      Delete
  3. iamcreativeApril 10, 2013 at 7:16:00 AM PDT

    Hi Daniel, what are benefit of using ICF over OSB ? and when one should go for ICF ?

    Help Appreciated.

    ReplyDelete
    Replies
    1. Daniel GralewskiApril 12, 2013 at 5:55:00 AM PDT

      Hi there, I have not heard about ICF over OSB. One should go for ICF when developing new connectors (or re-coding existing ones),

      Delete
  4. iamcreativeApril 14, 2013 at 2:36:00 AM PDT

    OSB (oracle service bus) i mean ESB. I think even many people prefer ESB for integration/connector rather than ICF, not sure why , do you have any thought ?

    ReplyDelete
    Replies
    1. Daniel GralewskiMay 17, 2013 at 6:44:00 AM PDT

      OSB and ICF are not meant to solve the same problems. So it is not a choice of going with one or another. Service bus are like a front end for published web servers, whereas ICF is specific for identity management connectors.

      Delete
  5. iamcreativeApril 14, 2013 at 2:39:00 AM PDT

    or can you highlight some example which can not fullfill using ICF and we must go for OSB/ESB.

    Help Appreciated.

    ReplyDelete
  6. iamcreativeApril 15, 2013 at 10:38:00 PM PDT

    Hi Daniel,

    I heard aboud below problem, is it still exist?
    1)      complete LDAP schema with native object class. For example inetOrgPerson
    2)      On the other hand, the framework provides pre-defined and fixed object class names __ACCOUNT__ and __GROUP__

    Problem:
    both __ACCOUNT__ and inetOrgPerson object classes are exposed by the LDAP identity connector and they are the same. Which one should be used, no clarity in the framework?

    Is there any other Issues you come accross this framework ?
    Help Appreciated.

    ReplyDelete
  7. iamcreativeApril 15, 2013 at 10:39:00 PM PDT

    Also does this framework support following,
    1)Can Integration possible irrespective of the platform (linux,solaris,win etc) / protocal (http,https,jms, etc) ?
    2) does it support application within org and outside the org/intranet (i mean in cloud))
    example
    Lets take a typical environment where we have CRM system (linux), HR sys (cloud) email system (window) , Billiing system. For example this application running on different platform, some running within org some on the cloud,. Different application,different protocol and different api

    can ICF framework support above ?

    ReplyDelete
    Replies
    1. Daniel GralewskiMay 17, 2013 at 6:55:00 AM PDT

      yes and yes. ICF is either Java (multi platform) or MS based (Windows). And the connectors running on it cam talk different protocols.

      Delete

Note: Only a member of this blog may post a comment.

Subscribe to: Post Comments (Atom)