Deploying Provisioning-Integrated Applications 13-7
■ Creating a Provisioning Profile
■ Modifying a Provisioning Profile
■ Deleting a Provisioning Profile
■ Disabling a Provisioning Profile
13.2.3.1 Creating a Provisioning Profile
The following example creates a new provisioning profile that makes Portal aware of updates to the user and group information that is maintained in Oracle Internet Directory.
Example:
oidprovtool operation=create ldap_host=myhost.mycompany.com ldap_port=389 \
ldap_user_dn=cn=orcladmin \
application_dn=orclApplicationCommonName=PORTAL,cn=Portal,cn=Products,cn=OracleContext \
organization_dn=dc=us,dc=mycompany,dc=com interface_name=PORTAL.WWSEC_OID_SYNC \
interface_type=PLSQL interface_connect_info=myhost:1521:iasdb:PORTAL:password \
schedule=360 event_subscription=USER:dc=us,dc=mycompany,dc=com:DELETE \
event_subscription=GROUP:dc=us,dc=mycompany,dc=com:DELETE \
event_subscription="USER:dc=us,dc=mycompany,dc=com:MODIFY(orclDefaultProfileGroup,userpassword)" \
event_subscription="GROUP:dc=us,dc=mycompany,dc=com:MODIFY(uniqueMember)" \
profile_mode=OUTBOUND
13.2.3.2 Modifying a Provisioning Profile
The following example modifies an existing provisioning profile for the Portal application. It changes the event subscription for the attributes that are provisioned when a user entry is modified.
Example:
oidprovtool operation=modify ldap_host=myhost.mycompany.com ldap_port=389 \
ldap_user_dn=cn=orcladmin \
application_dn=orclApplicationCommonName=PORTAL,cn=Portal,cn=Products,cn=OracleContext \
organization_dn=dc=us,dc=mycompany,dc=com \
event_subscription="USER:dc=us,dc=mycompany,dc=com:MODIFY(orclDefaultProfileGroup,userpassword,mail,cn,sn)"
13.2.3.3 Deleting a Provisioning Profile
The following example deletes a provisioning profile for the Portal application.
Example:
oidprovtool operation=delete ldap_host=myhost.mycompany.com ldap_port=389 \
ldap_user_dn=cn=orcladmin \
application_dn=orclApplicationCommonName=PORTAL,cn=Portal,cn=Products,cn=OracleContext \
organization_dn=dc=us,dc=mycompany,dc=com
13.2.3.4 Disabling a Provisioning Profile
The following example disables a provisioning profile for the Portal application.
13-8 Oracle Fusion Middleware Administrators Guide for Oracle Directory Integration Platform
Example:
oidprovtool operation=disable ldap_host=myhost.mycompany.com ldap_port=389 \
ldap_user_dn=cn=orcladmin \
application_dn=orclApplicationCommonName=PORTAL,cn=Portal,cn=Products,cn=OracleContext \
organization_dn=dc=us,dc=mycompany,dc=com
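The four oidprovtool calls above differ only in operation and in which name=value parameters follow. As an added example (not from this guide or from Oracle's tooling), the following Python wrapper assembles the argument vector for any of the four operations, rejects a misspelt operation or a malformed event_subscription value before anything is run, and produces a redacted copy for logging, because interface_connect_info carries the database password in its fifth colon-separated field and would otherwise land in shell history and audit logs verbatim. The ADD event type accepted by the grammar is this example's assumption; the page itself shows only DELETE and MODIFY.

```python
"""Build and audit oidprovtool invocations for a provisioning profile.

Added example, not part of the Oracle guide. Parameter names and the
event_subscription grammar follow the examples in this section.
"""
import re
import shlex

OPERATIONS = ("create", "modify", "delete", "disable")

# event_subscription value grammar as shown in this section:
#   <USER|GROUP>:<base DN>:<DELETE|MODIFY(attr,attr,...)>
# ADD is accepted as well (assumption: the tool supports it alongside the two
# event types the guide's examples use).
_EVENT_RE = re.compile(r"^(USER|GROUP):([^:]+):(ADD|DELETE|MODIFY\([A-Za-z0-9_,]+\))$")


def build_oidprovtool_args(operation, ldap_host, ldap_port, ldap_user_dn,
                           application_dn, organization_dn,
                           event_subscription=(), **params):
    """Return the argv for one oidprovtool call.

    Validates the parts that are easy to get wrong: the operation name and the
    syntax of every event_subscription value. Remaining name=value parameters
    (interface_*, schedule, profile_mode, ...) are passed through unchanged.
    """
    if operation not in OPERATIONS:
        raise ValueError(f"unsupported operation {operation!r}")
    if not organization_dn:
        raise ValueError("organization_dn is required")
    argv = [
        "oidprovtool",
        f"operation={operation}",
        f"ldap_host={ldap_host}",
        f"ldap_port={int(ldap_port)}",
        f"ldap_user_dn={ldap_user_dn}",
        f"application_dn={application_dn}",
        f"organization_dn={organization_dn}",
    ]
    for name, value in params.items():
        argv.append(f"{name}={value}")
    # event_subscription may repeat; each value is checked against the grammar
    for ev in event_subscription:
        if not _EVENT_RE.match(ev):
            raise ValueError(f"malformed event_subscription {ev!r}")
        argv.append(f"event_subscription={ev}")
    return argv


def redact_args(argv):
    """Copy of argv that is safe to log: the password in
    interface_connect_info (host:port:sid:user:password) is masked."""
    out = []
    for arg in argv:
        if arg.startswith("interface_connect_info="):
            fields = arg[len("interface_connect_info="):].split(":")
            if len(fields) >= 5:
                fields[4] = "********"
            arg = "interface_connect_info=" + ":".join(fields)
        out.append(arg)
    return out


def as_shell_line(argv):
    """Quote argv for a POSIX shell; values containing '(' ')' get quoted."""
    return shlex.join(argv)


def portal_create_args(db_password):
    """The guide's 'create' example for Portal, built through the wrapper.
    db_password is supplied by the caller; 'password' in the guide is a placeholder."""
    realm = "dc=us,dc=mycompany,dc=com"
    return build_oidprovtool_args(
        "create", "myhost.mycompany.com", 389, "cn=orcladmin",
        "orclApplicationCommonName=PORTAL,cn=Portal,cn=Products,cn=OracleContext",
        realm,
        event_subscription=[
            f"USER:{realm}:DELETE",
            f"GROUP:{realm}:DELETE",
            f"USER:{realm}:MODIFY(orclDefaultProfileGroup,userpassword)",
            f"GROUP:{realm}:MODIFY(uniqueMember)",
        ],
        interface_name="PORTAL.WWSEC_OID_SYNC",
        interface_type="PLSQL",
        interface_connect_info=f"myhost:1521:iasdb:PORTAL:{db_password}",
        schedule=360,
        profile_mode="OUTBOUND",
    )


if __name__ == "__main__":
    argv = portal_create_args("constructed-example-secret")
    print(as_shell_line(redact_args(argv)))
```

Run the real command with subprocess.run(argv) rather than through a shell string, and log only as_shell_line(redact_args(argv)); shlex.join quotes the MODIFY(...) values, which an unquoted shell line would otherwise mis-parse.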
13.3 Registering Applications for Provisioning
After you install an application and use the oidprovtool to create a provisioning profile for it, you must perform the following steps to register the application for provisioning:
1. Perform the initial provisioning registration and create a provisioning-integration profile. The Oracle Directory Integration Platform Service uses the provisioning-integration profiles to identify provisioning-integrated applications.
2. Provide the Oracle Directory Integration Platform Service with application-specific attributes, default values, and whether an attribute is mandatory when provisioning users for the application.
3. Register any plug-ins that are required by the provisioning-integrated application. This can include application-specific plug-ins that the application uses to enforce business policies.
When creating users with the Provisioning Console, an administrator can assign user attributes for a specific provisioning-integrated application. Because Oracle Internet Directory is the primary directory for attributes that the Provisioning Console manages, application-specific attributes are stored in Oracle Internet Directory for each user that is provisioned for an application. For better performance, provisioning-integrated applications usually cache a local copy of user attributes instead of retrieving them from Oracle Internet Directory. Applications are notified of user creations, user deletions, and attribute modifications either synchronously with the Data Access Java plug-in or asynchronously with a PLSQL plug-in.
Registration creates a unique identity for an application in Oracle Internet Directory. Oracle applications typically register themselves for provisioning by using the repository APIs located in the repository.jar file, which Oracle Application Server installs by default in the ORACLE_HOME/jlib directory. In addition to creating an application entry in Oracle Internet Directory, the repository APIs can be used to add applications to privileged groups.
For non-Oracle applications that are not capable of using the registration APIs, you can use LDAP commands and LDIF templates to create identities for the applications in Oracle Internet Directory. You create a container for the application under cn=Products,cn=OracleContext or cn=Products,cn=OracleContext,<Realm DN>. The container where you create an application identity depends on whether the application will be available to users in a single realm or multiple realms. In most cases, you should create an application identity in the cn=Products,cn=OracleContext container so the application is not bound by the identity management policies of a specific Oracle Internet Directory identity management realm.
Note: The Oracle Directory Integration Platform Service does not support instance-level provisioning of applications that support a multiple instance architecture. If you install multiple instances of the same application, the Oracle Directory Integration Platform Service treats each instance as a separate provisioning-integrated application.
You can install multiple instances of the same application. Installing a new instance of a provisioning-integrated application creates a separate entry for the new instance under the application identity container. Although some configuration settings are instance-specific, other settings are shared across multiple instances of the same application. As an example, consider an application that is similar to Oracle Files. You can deploy multiple instances of Oracle Files in an environment where each instance is independent of other instances. You define each instance as a separate provisioning-integrated application. You can also provision users in multiple instances of the application.
When you install the first instance of an application, you must create in Oracle Internet Directory the entries shown in the following example. The example creates the application identity in the cn=Products,cn=OracleContext container, and assumes the application name and type are Files-App1 and FILES.
dn: cn=FILES,cn=Products,cn=OracleContext
changetype: add
objectclass: orclContainer

dn: orclApplicationCommonName=Files-App1,cn=FILES,cn=Products,cn=OracleContext
changetype: add
objectclass: orclApplicationEntity
orclappfullname: Files Application Instance 1
userpassword: password
description: This is a test application instance.
protocolInformation: protocol information
orclVersion: 1.0
orclaci: access to entry by group="cn=odisgroup,cn=DIPAdmins,cn=Directory Integration Platform,cn=Products,cn=OracleContext" (browse,proxy) by group="cn=User Provisioning Admins,cn=Groups,cn=OracleContext" (browse,proxy)
orclaci: access to attr=(*) by group="cn=odisgroup,cn=DIPAdmins,cn=Directory Integration Platform,cn=Products,cn=OracleContext" (search,read,write,compare) by group="cn=User Provisioning Admins,cn=Groups,cn=OracleContext" (search,read,write,compare)
When you install the second instance of an application, you must create in Oracle Internet Directory the entries shown in the following example. The example also creates the application identity in the cn=Products,cn=OracleContext container, and assumes the application name is Files-App2.
dn: orclApplicationCommonName=Files-App2,cn=FILES,cn=Products,cn=OracleContext
changetype: add
objectclass: orclApplicationEntity
orclappfullname: Files Application Instance 2
userpassword: password
description: This is a test application instance.
protocolInformation: protocol information
orclVersion: 1.0
orclaci: access to entry by group="cn=odisgroup,cn=DIPAdmins,cn=Directory Integration Platform,cn=Products,cn=OracleContext" (browse,proxy) by group="cn=User Provisioning Admins,cn=Groups,cn=OracleContext" (browse,proxy)
orclaci: access to attr=(*) by group="cn=odisgroup,cn=DIPAdmins,cn=Directory Integration Platform,cn=Products,cn=OracleContext" (search,read,write,compare) by group="cn=User Provisioning Admins,cn=Groups,cn=OracleContext" (search,read,write,compare)
After you successfully register a provisioning-integrated application with Oracle Internet Directory, you may need to add the application to various privileged groups. Table 13–1 lists common privileged groups in Oracle Internet Directory.
The following LDIF file demonstrates how to grant create user privileges in all realms to the Files-App1 application:
dn: cn=OracleCreateUser,cn=Groups,cn=OracleContext
changetype: modify
add: uniquemember
uniquemember: orclApplicationCommonName=Files-App1,cn=FILES,cn=Products,cn=OracleContext
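The two instance LDIFs and the group-membership LDIF above are templates that are normally filled in by a script. As an added example (not from this guide), the following Python generalises them: the first instance of an application type also gets its cn=<TYPE>,cn=Products,cn=OracleContext container, later instances only the orclApplicationEntity, and a privileged-group grant is produced the same way. Before the output is fed to ldapmodify, the code parses it back and checks that every orclaci names only the two administrative groups the guide uses (a stray "by *" or an unexpected group would widen who can proxy as, or rewrite, the application identity). The DN-character check on the application name and the refusal of the guide's placeholder password are this example's own policy; group DNs and attribute names are those on the page.

```python
"""Generate and audit the LDIF that registers an application identity.

Added example, not part of the Oracle guide. Group DNs, attributes and the
ACI grants follow the Files-App1 / Files-App2 examples in this section.
"""
import re

PRODUCTS = "cn=Products,cn=OracleContext"
DIP_ADMINS = ("cn=odisgroup,cn=DIPAdmins,cn=Directory Integration Platform,"
              "cn=Products,cn=OracleContext")
PROV_ADMINS = "cn=User Provisioning Admins,cn=Groups,cn=OracleContext"
ALLOWED_ACI_GROUPS = {DIP_ADMINS, PROV_ADMINS}

# Characters that would change the meaning of an RDN value if left unescaped.
_DN_UNSAFE = re.compile(r'[,+="\\<>;#\r\n]')
_ACI_GROUP_RE = re.compile(r'by group="([^"]+)"')


def _checked_rdn_value(value, what):
    """Refuse RDN values that would alter the DN (this example's policy)."""
    if not value or _DN_UNSAFE.search(value):
        raise ValueError(f"{what} {value!r} contains characters that would alter the DN")
    return value


def app_instance_dn(app_type, app_name):
    app_type = _checked_rdn_value(app_type, "application type")
    app_name = _checked_rdn_value(app_name, "application name")
    return f"orclApplicationCommonName={app_name},cn={app_type},{PRODUCTS}"


def instance_ldif(app_type, app_name, full_name, password, first_instance=False,
                  description="Provisioning-integrated application instance"):
    """LDIF adding one application instance; the first instance of a type
    also creates the cn=<TYPE> container, as in the guide's first example."""
    if password in ("", "password"):
        raise ValueError("set a real application password; 'password' is the guide's placeholder")
    dn = app_instance_dn(app_type, app_name)
    records = []
    if first_instance:
        records.append(f"dn: cn={app_type},{PRODUCTS}\nchangetype: add\nobjectclass: orclContainer\n")
    aci_entry = (f'orclaci: access to entry by group="{DIP_ADMINS}" (browse,proxy) '
                 f'by group="{PROV_ADMINS}" (browse,proxy)')
    aci_attr = (f'orclaci: access to attr=(*) by group="{DIP_ADMINS}" (search,read,write,compare) '
                f'by group="{PROV_ADMINS}" (search,read,write,compare)')
    records.append("\n".join([
        f"dn: {dn}",
        "changetype: add",
        "objectclass: orclApplicationEntity",
        f"orclappfullname: {full_name}",
        f"userpassword: {password}",
        f"description: {description}",
        "protocolInformation: protocol information",  # placeholder value, as in the guide
        "orclVersion: 1.0",
        aci_entry,
        aci_attr,
        "",
    ]))
    return "\n".join(records)


def grant_group_ldif(group_cn, app_type, app_name):
    """LDIF adding the application identity to a privileged group (Table 13-1)."""
    return "\n".join([
        f"dn: cn={group_cn},cn=Groups,cn=OracleContext",
        "changetype: modify",
        "add: uniquemember",
        f"uniquemember: {app_instance_dn(app_type, app_name)}",
        "",
    ])


def parse_ldif(text):
    """Minimal LDIF reader: records separated by blank lines, 'attr: value'
    lines (no line folding or base64, which the generated output never uses)."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            attr, _, value = line.partition(":")
            rec.setdefault(attr.strip().lower(), []).append(value.strip())
        records.append(rec)
    return records


def unexpected_aci_groups(text):
    """Subjects named in orclaci values that are not the two allowed admin
    groups; '*' marks a grant to anyone. Empty set means the ACIs are as expected."""
    found = set()
    for rec in parse_ldif(text):
        for aci in rec.get("orclaci", []):
            found.update(_ACI_GROUP_RE.findall(aci))
            if re.search(r"\bby\s+\*", aci):
                found.add("*")
    return found - ALLOWED_ACI_GROUPS


if __name__ == "__main__":
    ldif = instance_ldif("FILES", "Files-App1", "Files Application Instance 1",
                         "constructed-example-secret", first_instance=True)
    assert unexpected_aci_groups(ldif) == set()
    print(ldif)
    print(grant_group_ldif("OracleCreateUser", "FILES", "Files-App1"))
```

Pipe the generated text into ldapmodify only after unexpected_aci_groups returns an empty set; the same check can be run over an LDIF exported from an existing directory to confirm that no application identity has acquired broader ACIs since it was registered.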
13.4 Configuring Application Provisioning Properties
After you register a provisioning-integrated application, you must configure its properties. Each application's provisioning profile maintains its own provisioning configuration properties. Provisioning-integrated applications use properties to store the following types of metadata:
■ Application identity information
■ Identity realm information
■ Default application provisioning policies
■ Application attribute properties and defaults
■ Application provisioning plug-ins
■ Application event interface information
■ Application event propagation information
Oracle Directory Integration Platform Provisioning supports three versions of provisioning profiles: 1.1, 2.0, and 3.0. Version 3.0 provisioning profiles are only available with Oracle Identity Management 11g Release 1 (11.1.1). Different applications support different provisioning profile versions. For example, many Oracle applications only support version 2.0. However, Oracle Collaboration Suite supports provisioning profile version 3.0. The primary differences between the provisioning profile versions are as follows:
■ You can only use the Provisioning Console to provision target applications that support provisioning profile version 3.0. Although applications that only support provisioning profile versions 1.1 and 2.0 will not be available in the Provisioning Console, they will be notified of events for which they are configured.
Table 13–1 Common Privileged Groups in Oracle Internet Directory

Group                  Description
OracleDASCreateUser    Create users
OracleDASEditUser      Edit users
OracleDASDeleteUser    Delete users
OracleDASCreateGroup   Create groups
OracleDASEditGroup     Edit groups
OracleDASDeleteGroup   Delete groups