New versions of OIM connectors have been released in the past few months (version number is 11.1.1.x). These new releases bring an important change to OIM connectors: they are based on the Identity Connector Framework (ICF). The 11.1.1.5 documentation for the ICF is available at:
One of the things that ICF brings is the capability of deploying connectors to an ‘Identity Connector Server’ (but keep in mind you still need to deploy the connector to OIM as well). When using a connector server, OIM will delegate the execution of the provisioning tasks to the connector server. Except for the .NET based connectors (like AD and Exchange), the connector server is an optional piece in an OIM topology and its use depends on the project requirements.
One of the common issues when deploying ICF based connectors is the wrong configuration of an IT Resource instance. You will notice that any ‘IT Resource’ defined by an ICF based connector will have a ‘Connector Server Name’ attribute. This attribute must be left blank unless you are actually connecting to a connector server. The picture below shows this attribute:
So whenever you deploy an ICF based connector, you have two options to configure an IT Resource instance:
- you leave the ‘Connector Server Name’ attribute blank
- you deploy a connector server and configure it in OIM, and then configure its name in the IT Resource instances of the connector you are deploying.
Below are two common exceptions seen in the OIM log files when the 'IT Resource Instance' attribute contains a value but there is no 'connector server' to connect to.
oracle.iam.connectors.icfcommon.exceptions.IntegrationException: The value for a key [Host] is not defined in the provided map.
at oracle.iam.connectors.icfcommon.util.MapUtil.getRequiredValue(MapUtil.java:94)
at oracle.iam.connectors.icfcommon.ConnectorFactory.createConnectorFacade(ConnectorFactory.java:142)
at oracle.iam.connectors.icfcommon.prov.ICProvisioningManager.init(ICProvisioningManager.java:114)
at oracle.iam.connectors.icfcommon.prov.ICProvisioningManager.init(ICProvisioningManager.java:123)
at oracle.iam.connectors.icfcommon.prov.ICProvisioningManager.deleteObject(ICProvisioningManager.java:302)
oracle.iam.connectors.icfcommon.exceptions.OIMException: Invalid IT Resource Name [Connector Server]
at oracle.iam.connectors.icfcommon.service.oim9.OIM9Configuration.getITResource(OIM9Configuration.java:122)
at oracle.iam.connectors.icfcommon.ResourceConfig.getITResource(ResourceConfig.java:157)
at oracle.iam.connectors.icfcommon.ResourceConfig.<init>(ResourceConfig.java:76)
at oracle.iam.connectors.icfcommon.service.oim9.OIM9Configuration.getResourceConfig(OIM9Configuration.java:131)
at oracle.iam.connectors.icfcommon.recon.AbstractReconTask.init(AbstractReconTask.java:114)
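As an added example (not part of the original post or of Oracle's connector code), the Python script below scans log text for the two exception signatures above and reports which flow raised each one. The sample log is constructed from the traces quoted above, and the `kind` labels are names chosen for this example.

```python
import re

# Constructed sample log, built from the two exception signatures quoted above.
SAMPLE_LOG = """\
oracle.iam.connectors.icfcommon.exceptions.IntegrationException: The value for a key [Host] is not defined in the provided map.
    at oracle.iam.connectors.icfcommon.util.MapUtil.getRequiredValue(MapUtil.java:94)
    at oracle.iam.connectors.icfcommon.ConnectorFactory.createConnectorFacade(ConnectorFactory.java:142)
    at oracle.iam.connectors.icfcommon.prov.ICProvisioningManager.deleteObject(ICProvisioningManager.java:302)
INFO unrelated line
oracle.iam.connectors.icfcommon.exceptions.OIMException: Invalid IT Resource Name [Connector Server]
    at oracle.iam.connectors.icfcommon.ResourceConfig.<init>(ResourceConfig.java:76)
    at oracle.iam.connectors.icfcommon.recon.AbstractReconTask.init(AbstractReconTask.java:114)
"""

HEADER = re.compile(r"^oracle\.iam\.connectors\.icfcommon\.exceptions\.\w+: (?P<msg>.*)$")
FRAME = re.compile(r"^\s*at (?P<method>[\w.$<>]+)\(")
# (message pattern, label); the labels are hypothetical names for this example.
SIGNATURES = [
    (re.compile(r"The value for a key \[(.+?)\] is not defined"), "missing_key"),
    (re.compile(r"Invalid IT Resource Name \[(.+?)\]"), "unknown_it_resource"),
]

def classify(msg):
    """Map an exception message to (label, bracketed value), or (None, None)."""
    for pattern, kind in SIGNATURES:
        m = pattern.search(msg)
        if m:
            return kind, m.group(1)
    return None, None

def find_connector_server_errors(log_text):
    """Return one finding per matching exception, with the flow that raised it."""
    findings, current = [], None
    for line in log_text.splitlines():
        head = HEADER.match(line)
        if head:
            kind, value = classify(head.group("msg"))
            current = {"kind": kind, "value": value, "flow": "unknown"} if kind else None
            if current:
                findings.append(current)
            continue
        frame = FRAME.match(line)
        if frame and current:
            # The package of a stack frame tells provisioning from reconciliation.
            if ".prov." in frame.group("method"):
                current["flow"] = "provisioning"
            elif ".recon." in frame.group("method"):
                current["flow"] = "reconciliation"
        elif not frame:
            current = None  # a non-frame line ends the current trace
    return findings
```

Either finding points back to the IT Resource's 'Connector Server Name' attribute: leave it blank, or set it to the name of a connector server that is deployed and configured in OIM.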
Hello Daniel,
Is it recommended that the connector server be separate from the OIM server? With the company I work for and I'm assuming many others, getting an additional server is a major process, including small VMs.
-Ryan
Ryan,
There are two types of connector servers: .NET based and Java based.
Provisioning/Recon to AD and Exchange will require you to run a .NET connector server on a Windows box. In this case, the connector server is a mandatory piece. Check the connector documentation for the requirements around the Windows box (like same domain as AD and others).
A Java based connector server can run anywhere (even on the same box the OIM server is running on). But keep in mind that the connector server is an optional piece for Java based connectors; these connectors can be directly executed in OIM.
Thanks!
Hello Daniel,
We are using AD and Exchange connectors in my project. Here is one thing I do not understand: do we use only one connector server for both Exchange and AD?
If one connector server is enough for both, then where do I have to install this connector server: on the AD or the Exchange server?
Both AD and Exchange servers are in same Domain.
Venu, one connector server instance deployed to any Windows machine belonging to the same domain should be enough.
Hi Daniel, what are the benefits of using ICF over OSB? And when should one go for ICF?
Help Appreciated.
Hi there, I have not heard about ICF over OSB. One should go for ICF when developing new connectors (or re-coding existing ones),
OSB (Oracle Service Bus), I mean ESB. I think even many people prefer ESB for integration/connector rather than ICF, not sure why. Do you have any thoughts?
OSB and ICF are not meant to solve the same problems. So it is not a choice of going with one or another. Service buses are like a front end for published web servers, whereas ICF is specific for identity management connectors.
Or can you highlight some example which cannot be fulfilled using ICF and where we must go for OSB/ESB?
Help Appreciated.
Hi Daniel,
I heard about the problem below; does it still exist?
1) complete LDAP schema with native object class. For example inetOrgPerson
2) On the other hand, the framework provides pre-defined and fixed object class names __ACCOUNT__ and __GROUP__
Problem:
both __ACCOUNT__ and inetOrgPerson object classes are exposed by the LDAP identity connector and they are the same. Which one should be used, no clarity in the framework?
Are there any other issues you have come across with this framework?
Help Appreciated.
I did not understand the issue.
Also, does this framework support the following:
1) Is integration possible irrespective of the platform (Linux, Solaris, Windows, etc.) / protocol (HTTP, HTTPS, JMS, etc.)?
2) Does it support applications within the org and outside the org/intranet (I mean in the cloud)?
Example:
Let's take a typical environment where we have a CRM system (Linux), an HR system (cloud), an email system (Windows), and a billing system. For example, these applications run on different platforms, some running within the org, some in the cloud. Different applications, different protocols and different APIs.
Can the ICF framework support the above?
Yes and yes. ICF is either Java (multi platform) or MS based (Windows). And the connectors running on it can talk different protocols.