Overview: Auditing, Monitoring, and

Part of the document Student Guide - Oracle Identity Manager 11g Essentials Volume II (Pages 249 - 294)

Practice 12 Overview: Auditing, Monitoring, and Logging for Oracle Identity Manager

In this practice, you complete tasks related to the following objectives:

1. Accessing the configuration details for the Oracle Identity Manager log to enable tracing on the Sun Java System Directory Server module. By capturing tracing data, you can view even more detailed information about events as they are triggered and logged to the log files. This can be particularly useful if you are tracking down an unrecoverable issue.

2. Initiating the provisioning process against a user created in Oracle Identity Manager. You will modify the user’s provisioning process form to force a failure in the provisioning event.

3. Examining the provisioning process in Oracle Identity Manager and viewing the status in the Oracle Enterprise Manager Fusion Middleware Control logs.

4. Resolving the issue for the provisioning process and verifying that the user has been properly provisioned.

5. Configuring monitoring for reconciliation events and scheduled jobs and viewing the monitoring tools after making changes to an Active Directory account and reconciling the account with Oracle Identity Manager.

Practice 12 Overview: Auditing, Monitoring, and Logging for Oracle Identity Manager

In this practice, you learn how to:

• Access the configuration details of Oracle Identity Manager

• Force an error that is logged to the Oracle Identity Manager logs

• Filter Oracle Identity Manager logs to view messages pertaining to a failed provisioning event.

• Resolve the provisioning issue and verify the results by using logs and Oracle Identity Manager

• Perform an Active Directory update and reconciliation and view the results in the monitoring tools

Roadmap

In this section, you review a high-level overview of the topics to be discussed in the next lesson of the course.

Roadmap

• Lesson Objectives

• Auditing

• Monitoring

• Logging

• Managing Auditing, Monitoring, and Logging

• Lesson Summary

• Lesson Practice

• What’s Next?

Copyright © 2010, Oracle and/or its affiliates. All rights reserved.

What’s Next?

Now that you have an understanding of auditing, monitoring, and logging for the Oracle Identity Manager environment, you are ready to learn how to export the Oracle Identity Manager configurations that you used during this course.

What’s Next?

In the next lesson of this course, you learn how to transfer Oracle Identity Manager configurations. Specifically, you learn methods, advantages, and best practices of transferring these configurations, how to clone these configurations, and how to export them so that they are available to be used in another Oracle Identity Manager environment.

Transferring Oracle Identity Manager Configurations

Chapter 13

Road Map

The road map is a listing of sections in this lesson that contain information about how to transfer the Oracle Identity Manager configuration from one server to another.

In the first section, the lesson objectives are described. The lesson objectives provide a high-level insight into the lesson’s goals. The objectives continue to follow the scenario of Joseph, an Oracle administrator, who must understand how to export Oracle Identity Manager configuration objects. Next, you delve into the details highlighted by the lesson objectives. First, you examine the Deployment Manager, describe the methods for transferring Oracle Identity Manager configurations through the Deployment Import and Export Manager, examine the advantages of transferring these configurations, and look at the best practices available for completing those tasks. You then examine the MDS utilities available for accessing the MDS repository. You also examine how to export and import configuration objects through the Deployment Manager and the MDS utilities.

Finally, an overview of the practice associated with this lesson is presented.

Road Map

• Lesson Objectives

• Deployment Manager Overview

– Methods of Transferring Configurations

– Advantages of Transferring Configurations

– Best Practices

• MDS Utilities Overview

• Exporting and Importing Configuration Data

• Lesson Summary

• Lesson Practice

• What's Next?

Lesson Objectives

You continue to follow the scenario of Joseph, the Oracle administrator, who must understand what the Deployment Manager tool is, how it is used to export and import configuration objects, and which other tools are available for performing similar tasks.

Importing and exporting configurations and entities is an integral part of migrating an Oracle Identity Manager environment from one server to another. These tasks are necessary for migrating from a testing environment to a staging, and eventually, to the final production environment.

Joseph will be responsible for making changes to the Oracle Identity Manager environment, even in testing mode, that will affect the environment itself. He will need to understand how to modify configuration files stored in the database to accomplish this.

He will also need to know how to use the Deployment Manager to fully deploy the environment. One aspect of his tasks is importing Oracle Identity Manager connectors to provision users to resources. The Deployment Manager is used to import those connectors into the existing environment.

However, if he is managing multiple Oracle Identity Manager environments, Joseph may simply need to transfer the connectors and other objects from one environment to another.

Both the Deployment Manager and MDS utilities are key in performing these tasks.

Lesson Objectives

After completing this lesson, you should be able to:

• Identify and describe the Deployment Manager

• Describe the methods, advantages, and best practices for transferring configurations from one Oracle Identity Manager environment to another

• Discuss how to export and import configurations

In this lesson, you learn about the configuration objects stored within Oracle Identity Manager and how to extract and modify these configuration objects. Specifically, you will examine the Deployment Manager’s Import and Export tool, which is used to import objects such as connectors or export objects such as organizations and their hierarchy. You examine the methods used for transferring the objects, gain an understanding of the advantage of using the tools to perform these actions, and look at best practices for completing the tasks. Next, you will examine how to export a configuration object, make modifications if necessary, and push it back into the environment. This is performed by exporting, modifying, and then reimporting the new object. You look at the MDS utility, which can be used to make changes specifically to configuration objects that affect the behavior of Oracle Identity Manager.

Road Map

This section provides an overview of the Deployment Manager, its import and export function, the advantages of using the Deployment Manager to transfer configurations from one server to another, and best practices around how to perform the tasks associated with it.

Deployment Manager Overview

The Deployment Manager is the Java application used for importing and exporting Oracle Identity Manager configurations. The tool is often used to migrate the Oracle Identity Manager configuration from one deployment to another, such as migrating from a testing to a staging environment, or to create a backup of the environment.

The Deployment Manager tool, available from the Oracle Identity Manager Administrative and User Console, can be used to save all or some of your configuration, including connector and connector components, organization hierarchy, scheduled jobs, and scheduled tasks, to name a few. Exported objects are stored in an XML file, which can then be imported into a different Oracle Identity Manager environment.

Using the Deployment Manager, you can update individual components of a deployment in different Oracle Identity Manager environments. You can identify objects associated with components that are to be exported and include those objects when performing the export.

You also can provide detailed information about the objects that you are exporting. That way, when the objects are being imported, it is clear which objects you are working with.

The Deployment Manager does not provide merge functionality of data between a source and target system. It overwrites the data on the target system with the data contained in the XML file. It does not provide version control support, nor does it support code moving, as in moving JAR files from one environment to another for connectors. It also does not support custom label moves for labels defined in the customResources.properties file or in property files that reside in the connectorResources directory. These actions must be performed manually.

Deployment Manager Overview

The Deployment Manager supports an Import and Export tool that is used to back up or migrate an Oracle Identity Manager environment.

Deployment Manager: Supported Configuration Objects

Using the Deployment Manager, you can import data from the Oracle Identity Manager database, the Meta Data Store (MDS) repository, or the API repository. Because the Deployment Manager supports import and export to and from these different databases within the Oracle Identity Manager environment, you can import and export all types of objects from these repositories, including system properties, jobs, and scheduled tasks, which are in different repositories.

An object that is exported from one type of repository is automatically imported to the same type of repository. For example, if a scheduled task is exported from the MDS repository, the scheduled task is imported to the same repository type, MDS, in the target environment.

[Figure: Deployment Manager: Supported Configuration Objects. Exporting from Oracle Identity Manager (OIM DB, MDS, API) and importing to Oracle Identity Manager (OIM DB, MDS, API).]

Supported Configuration Object Types

The Deployment Manager supports the export and import of the configuration objects or entities listed on the slide.

You can save some or all of these configuration objects to a single XML file. When the XML file is imported to Oracle Identity Manager, the Deployment Manager performs a verification step to ensure that the dependencies for any objects that you are importing are available, either in the import or in your system.

When you perform an export, the Deployment Manager provides you with the opportunity to select and export any of the dependencies for the objects that you have selected.

Supported Configuration Object Types

Configuration Object | Configuration Object | Configuration Object

Roles | IT Resources | Rules

Organizations | Resource Objects | Generic Technology Connector providers

Access Policies | IT Resource Definition | GTC

Authorization Policies | Lookup Definitions | Error codes

Approval Policies | Process Forms | System Properties

User Metadata | Provisioning Workflows and Process Task Adapters

Email Definitions | Roles and Organization Metadata

Data Object Definition | Event Handlers

Scheduled Tasks | Rules | Password Policies

Scheduled Jobs | Notification Templates | Request Templates

Request Datasets

Advantages of Using the Deployment Manager to Transfer Configurations

There are several advantages to using the Deployment Manager within the Oracle Identity Manager environment, including:

Backups: By providing an interface to select configuration objects and their dependencies, the Deployment Manager enables you to back up your configuration objects to a single XML file. Having a backup utility is important, particularly when performing a horizontal migration (a migration of nonmetadata entities) from one Oracle Identity Manager environment to another.

Efficiency: It is faster, less expensive, and requires fewer resources to transport configuration objects between environments than to reconstruct the configuration objects manually in the different environments. For example, it is easier for a developer to modify multiple parts of a connector and upload only the parts of the connector that have been changed than to wait for the entire deployment to be rebuilt.

Error Reduction: By using the Deployment Manager to transfer configurations, you minimize the number of errors that could be introduced if you are manually creating the configuration objects in multiple places. Using a single environment to create the configuration objects and push them out to other environments reduces the chance of introducing errors and enables the configuration objects to remain synchronized across the environments.

Advantages of Using the Deployment Manager to Transfer Configurations

Backups

• Export configuration objects to a single file

• Used with other tools in performing horizontal migration

Efficiency

• Faster, less expensive, and uses fewer resources

• Reduces time spent updating entire configuration

Error Reduction

• Minimizes the number of errors

• Helps to synchronize configuration across multiple environments

Best Practices for Transferring Configuration Objects

Here is a list of best practices and cautions when working with the Deployment Manager:

• Export and import system objects only when it is necessary. System objects such as Request, Xellerate User, and System Administrator are internal to Oracle Identity Manager and importing these objects to a target system may introduce problems to the target environment.

• Export related groups of objects as much as possible. This logical grouping can consist of similar configuration objects such as IT resources or organizations. This does not limit your ability to import different configuration objects. That is accomplished by specifying multiple XML files when performing an import.

• Group definition data and operational data separately. Definition data, such as resource objects, processes, and rules, are typically defined on testing and staging servers. Operational data, such as groups and group permissions, are seen in the production environment and not necessarily in testing or staging.

• Use logical naming conventions when creating multiple versions of a form. You might be inclined to use version numbers to differentiate versions when creating or modifying forms. However, when performing an export or import, it is easier to select objects by a fully described name, such as Form Name – Before Production Env.

• Export root to preserve a complete organizational hierarchy. When you export an organization, only one dependency level is exported. To obtain the full hierarchy, export the root of the hierarchy.

Best Practices for Transferring Configuration Objects

Export and import system objects only when necessary.

Export related groups of objects.

Group definition data separately from operational data.

Use logical naming conventions when working with multiple versions of a form.

Export root when working with organizational hierarchy.

Best Practices for Transferring Configuration Objects (continued)

• Provide clear export descriptions when exporting objects. A meaningful description is one of the items that you provide when exporting data by using the Deployment Manager. This description is used by the importer who is importing the contents of the XML file.

• Check all warnings before completing an import. The Deployment Manager issues warnings if it encounters missing dependencies, entities to be imported with the same name as entities in the target environment, or other issues. Pay close attention and investigate all the warnings issued so that you can reduce the number of problems encountered later.

• Check all dependencies before exporting data. When exporting data, you can select entities with dependencies that already exist on the target system. In that case, there is no need to select the dependency for that entity or object. If the dependency does not already exist, it should be exported. You can export those dependencies separately so that they can be imported if necessary.

• Match scheduled task parameters between the target and source systems. If your scheduled tasks depend on certain parameters to run properly, the parameters should be added. The rules for determining how to import scheduled tasks are:

- If the parameter exists in the target system but not in the XML file, the parameter is removed from the system.

- If the parameter does not exist in the target system but does exist in the XML file, the parameter from the XML file is added to the target system.

- If the parameter exists in the target system and in the XML file, the most recent value is taken.

Best Practices for Transferring Configuration Objects

Provide clear export descriptions.

Check all warnings before completing an import.

Check all dependencies before exporting data.

Match scheduled task parameters.

Best Practices for Transferring Configuration Objects (continued)

• Compile adapters and enable scheduled tasks. After an import operation, the adapters are set to recompile and the scheduled tasks are disabled. After importing the classes and adjusting the task attributes, manually recompile the adapters and enable the scheduled tasks.

• Export entity adapters separately. Entity adapters are modified to bring just the entity adapter, not its usage. If you want to export the usage of an entity adapter, you must separately export each use with a data object by exporting the data object. If you export a data object, all the adapters and event handlers attached to the object along with the permissions on the object are exported. You must pay particular attention when exporting data objects. For example, to export a form, you should also add the data object corresponding to the form. This ensures that the associated entity adapters can use the form.

• Check permissions for roles. When you export roles, the role permissions on different data objects are also exported. However, when you import data, any permissions for missing data objects are ignored. If the role is exported as a way of exporting role permission setup, check the warnings carefully to ensure that permission requirements are met. For example, if a role has permissions for objects A, B, and C, but the target system has only objects A and B, the permissions for object C are ignored. If object C is added later, the role permissions for C must be added manually, or the role must be imported again.

• Back up the database. Before importing data, back up the database. The Deployment Manager and Oracle Identity Manager do not support rollback.

Best Practices for Transferring Configuration Objects

Compile adapters and enable scheduled tasks.

Export entity adapters separately.

Check permissions for roles.

Back up the database.
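Because an import cannot be rolled back, it helps to list in advance what the scheduled task parameter rules and the role permission behavior described above would change on the target. The following Python sketch is an added example, not part of the student guide or of Oracle Identity Manager; the dictionary inventory format and all task, parameter, and role names are constructed assumptions, and it does not call any Deployment Manager API.

```python
# Added example: models the import rules from the text on constructed data.
# The dict/list inputs are an assumed inventory format, not an Oracle API.

def scheduled_task_param_impact(target_params, xml_params):
    """Classify one scheduled task's parameters by the three import rules.

    target_params, xml_params: {parameter name: value}
    """
    target, xml = set(target_params), set(xml_params)
    return {
        # Rule 1: in the target but not in the XML file -> removed.
        "removed": sorted(target - xml),
        # Rule 2: in the XML file but not in the target -> added.
        "added": sorted(xml - target),
        # Rule 3: in both -> the most recent value is taken. Flag differing
        # values so a person confirms which side is newer before importing.
        "review": sorted(n for n in target & xml
                         if target_params[n] != xml_params[n]),
    }


def dropped_role_permissions(role_permissions, available_objects):
    """Return {role: [data objects]} whose permissions the import would ignore."""
    available = set(available_objects)
    dropped = {}
    for role, objects in role_permissions.items():
        missing = sorted(set(objects) - available)
        if missing:
            dropped[role] = missing
    return dropped


def pre_import_report(target_tasks, xml_tasks, role_permissions, available_objects):
    """Combine both checks; 'safe' is True only if nothing is lost or ambiguous."""
    tasks = {
        name: scheduled_task_param_impact(target_tasks[name], xml_tasks[name])
        for name in sorted(set(target_tasks) & set(xml_tasks))
    }
    dropped = dropped_role_permissions(role_permissions, available_objects)
    safe = not dropped and not any(
        t["removed"] or t["review"] for t in tasks.values())
    return {"tasks": tasks, "dropped_permissions": dropped, "safe": safe}


# Constructed sample data (names are illustrative only).
TARGET_TASKS = {"AD User Recon": {"Batch Size": "500",
                                  "Filter": "(objectClass=user)",
                                  "Timeout": "30"}}
XML_TASKS = {"AD User Recon": {"Batch Size": "1000",
                               "Filter": "(objectClass=user)",
                               "Page Size": "100"}}
ROLE_PERMISSIONS = {"HelpDesk": ["A", "B", "C"]}  # the A/B/C case from the text
AVAILABLE_OBJECTS = ["A", "B"]                    # data objects on the target

if __name__ == "__main__":
    import json
    print(json.dumps(pre_import_report(TARGET_TASKS, XML_TASKS,
                                       ROLE_PERMISSIONS, AVAILABLE_OBJECTS),
                     indent=2))
```

A report with `safe` set to false is a prompt to review the listed items and the Deployment Manager warnings before completing the import.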

Best Practices for Transferring Configuration Objects (continued)

• Import data when the system is quiet. Import operations include schema changes. These changes affect currently running transactions on the system. To limit the effect of an import operation, temporarily disable the Web application for general use and perform the operation when the system has the least activity (for example, overnight).

• Update the SDK table. The SDK table contains metadata definitions for user-defined data objects. When you import data from an XML file into the SDK table, the values in the SDK_SCHEMA column might be modified with the schema name of the source system where the XML file was created. For this reason, after you import data from an XML file into the SDK table, you must check the schema name in the SDK_SCHEMA column, and if necessary, manually change it to the schema name on the target system where the Oracle Identity Manager database is running. To update the schema name in the SDK_SCHEMA column, run a SQL query similar to the following:

UPDATE SDK SET SDK_SCHEMA='target system schema name'

If you do not update the schema name in the SDK_SCHEMA column, an error similar to the following might be generated when you import other XML files that modify user-defined field (UDF) definitions:

CREATE SEQUENCE UGP_SEQ

java.sql.SQLException: ORA-00955: name is already used by an

Best Practices for Transferring Configuration Objects

Import data when the system is quiet.

Update the SDK table.

Remove data object fields before importing event handlers as dependencies.
