Tuesday, July 17, 2012

OIM & Connector Server


New versions of OIM connectors have been released in the past few months(version number is 11.1.1.x). These new releases bring an important change to OIM connectors: they are based on the Identity Connector Framework (IFC). The 11.1.1.5 documentation for the ICF is available at:


One of the things that ICF brings is the capability of deploying connectors to an ‘Identity Connector Server’(but keep in mind you still need to deploy the connector to OIM as well). When using a connector server, OIM will delegate to the connector server the execution of the provisioning tasks. Except for the .NET based connectors (like AD and Exchange), the connector server is an optional piece in an OIM topology and its use depends on the project requirements.


One of the common issues when deploying ICF based connectors is the wrong configuration of an IT Resource instance. You will notice that any ‘IT Resource’ defined by an ICF based connector will have a ‘Connector Server Name’ attribute. This attribute must be left blank unless you are actually connecting to a connector server. The picture below shows such attribute:


So whenever deploying an ICF based connector, you have two options to configure an IT Resource instance:
  • you leave the ‘Connector Server Name’ attribute blank 
  •  you deploy a connector server and configure it in OIM, and then configure its name in the IT Resource instances of the connector you are deploying.

Below there are two common exceptions seen in the OIM log files when the 'IT Resource Instance' attribute contains a value but there is no 'connector server' to connect to.

oracle.iam.connectors.icfcommon.exceptions.IntegrationException: The value for a key [Host] is not defined in the provided map.
        at oracle.iam.connectors.icfcommon.util.MapUtil.getRequiredValue(MapUtil.java:94)
        at oracle.iam.connectors.icfcommon.ConnectorFactory.createConnectorFacade(ConnectorFactory.java:142)
        at oracle.iam.connectors.icfcommon.prov.ICProvisioningManager.init(ICProvisioningManager.java:114)
        at oracle.iam.connectors.icfcommon.prov.ICProvisioningManager.init(ICProvisioningManager.java:123)
        at oracle.iam.connectors.icfcommon.prov.ICProvisioningManager.deleteObject(ICProvisioningManager.java:302)

oracle.iam.connectors.icfcommon.exceptions.OIMException: Invalid IT Resource Name [Connector Server]
        at oracle.iam.connectors.icfcommon.service.oim9.OIM9Configuration.getITResource(OIM9Configuration.java:122)
        at oracle.iam.connectors.icfcommon.ResourceConfig.getITResource(ResourceConfig.java:157)
        at oracle.iam.connectors.icfcommon.ResourceConfig.<init>(ResourceConfig.java:76)
        at oracle.iam.connectors.icfcommon.service.oim9.OIM9Configuration.getResourceConfig(OIM9Configuration.java:131)
        at oracle.iam.connectors.icfcommon.recon.AbstractReconTask.init(AbstractReconTask.java:114)

13 comments:

  1. Hello Daniel,

    Is it recommended that the connector server be separate from the OIM server? With the company I work for and I'm assuming many others, getting an additional server is a major process, including small VMs.

    -Ryan

    ReplyDelete
    Replies
    1. Ryan,

      There are two types of connector servers: .NET based and Java based.

      Provisioning/Recon to AD and Exchange will require you to run a .NET connector server on a Windows box. In this case, connector server is a mandatory piece. Check connector documentation for the requirements around Windows box (like same domain as AD and others).

      Java based connector server can run anywhere (even in the same box OIM server is running). But keep in mind that connector server is an optional piece for Java based connectors, these connectors can be directly executed in OIM.

      Thanks!

      Delete
  2. Hello Daniel,

    We have using AD and Exchange connectors in my project,Here One thing i am not understand,we have use only one connector server for both exchange and AD?
    If one connector server is enough for both then where i have install this connector server in AD or Exchange server?

    Both AD and Exchange servers are in same Domain.

    ReplyDelete
    Replies
    1. Venu, one connector servers instance deployed to any Windows machine belonging to the same domain should be enough.

      Delete
  3. Hi Daniel, what are benefit of using ICF over OSB ? and when one should go for ICF ?

    Help Appreciated.

    ReplyDelete
    Replies
    1. Hi there, I have not heard about ICF over OSB. One should go for ICF when developing new connectors (or re-coding existing ones),

      Delete
  4. OSB (oracle service bus) i mean ESB. I think even many people prefer ESB for integration/connector rather than ICF, not sure why , do you have any thought ?

    ReplyDelete
    Replies
    1. OSB and ICF are not meant to solve the same problems. So it is not a choice of going with one or another. Service bus are like a front end for published web servers, whereas ICF is specific for identity management connectors.

      Delete
  5. or can you highlight some example which can not fullfill using ICF and we must go for OSB/ESB.

    Help Appreciated.

    ReplyDelete
  6. Hi Daniel,

    I heard aboud below problem, is it still exist?
    1)      complete LDAP schema with native object class. For example inetOrgPerson
    2)      On the other hand, the framework provides pre-defined and fixed object class names __ACCOUNT__ and __GROUP__

    Problem:
    both __ACCOUNT__ and inetOrgPerson object classes are exposed by the LDAP identity connector and they are the same. Which one should be used, no clarity in the framework?

    Is there any other Issues you come accross this framework ?
    Help Appreciated.

    ReplyDelete
  7. Also does this framework support following,
    1)Can Integration possible irrespective of the platform (linux,solaris,win etc) / protocal (http,https,jms, etc) ?
    2) does it support application within org and outside the org/intranet (i mean in cloud))
    example
    Lets take a typical environment where we have CRM system (linux), HR sys (cloud) email system (window) , Billiing system. For example this application running on different platform, some running within org some on the cloud,. Different application,different protocol and different api

    can ICF framework support above ?

    ReplyDelete
    Replies
    1. yes and yes. ICF is either Java (multi platform) or MS based (Windows). And the connectors running on it cam talk different protocols.

      Delete

Note: Only a member of this blog may post a comment.