How to Create and Deploy Connectors Using Connector Xpress

You can configure provisioning for an environment to provide accounts in other systems to users managed by Identity Manager. Accounts provide users with access to additional resources, such as an email account. You provide these additional accounts by assigning provisioning roles, which you create through Identity Manager.
[Image: the steps for configuring an environment for provisioning]
As an administrator, complete the following steps:
Verify Prerequisites
Before you configure the environment for provisioning, make sure that the Provisioning Directory is installed on CA Directory. For more information, see the Installing section.
Enable Provisioning Server Access
Enabling access to the Provisioning Server lets you connect to the Provisioning Server so that you can access the accounts available in the provisioning directory.
Follow these steps:
  1. Open the Management Console by typing the following URL in a browser:
    • hostname
      Defines the fully qualified host name of the system where the Identity Manager server is installed.
    • port
      Defines the application server port number.
  2. Click Directories.
  3. Click Create from Wizard.
  4. Type the path and filename of the directory XML file for configuring the Provisioning Directory. The XML file is stored in the directoryTemplates\ProvisioningServer subfolder of the Administrative Tools folder. The default location of that folder is:
    • Windows: [set the Installation Path variable]\tools
    • UNIX: [set the alternate Installation Path variable]/tools
    You can use this directory configuration file as installed with no modification.
  5. Click Next.
  6. Enter the values for the fields on this window as follows:
    • Name
      Specifies a name for the Provisioning Directory that is associated with the Provisioning Server that you are configuring.
    • If Identity Manager does not integrate with SiteMinder, specify a meaningful name for the object that Identity Manager uses to connect to the user directory.
    • If Identity Manager integrates with SiteMinder, you have two choices:
      • If you want to create a user directory connection object in SiteMinder, specify any meaningful name. Identity Manager creates this object in SiteMinder with the name you specify.
      • If you want to connect to an existing SiteMinder user directory, specify the name of the SiteMinder user directory connection object exactly as it appears in the Policy Server user interface.
    • Host
      Specifies the host name or IP address of the system where the user directory is installed.
    • Port
      Specifies the port number of the user directory.
    • Domain
      Specifies the name of the provisioning domain that Identity Manager
      When you create a Provisioning Directory in the Management Console with foreign-language characters in the domain name, the Provisioning Directory creation fails.
      The name must match the name of the provisioning domain that you specified during the installation.
      The domain name is case-sensitive.
    • Username
      Specifies a user that can log in to the Provisioning Manager.
      The user must have the Domain Administrator profile, or an equivalent set of privileges for the Provisioning Domain.
    • Password
      Specifies the password for the global user that you specified in the Username field.
    • Confirm Password
      Enter the password that you typed in the Password field again to confirm it.
    • Secure Connection
      Indicates whether Identity Manager uses a secure connection.
      Be sure to select this option for Active Directory user stores.
    • Directory Search Parameters
      • maxrows
        Defines the maximum number of results that Identity Manager can return when searching a user directory. This value overrides any limit that is set in the LDAP directory. When conflicting settings apply, the LDAP server uses the lowest setting.
        The maxrows parameter does not limit the number of results that are displayed on the Identity Manager task screen. To configure display settings, modify the list screen definition in the Identity Manager User Console.
      • timeout
        Determines the maximum number of seconds that Identity Manager searches a directory before terminating the search.
    • Failover Connections
      Specifies the hostname and port number of one or more optional systems that are alternate Provisioning Servers. If multiple servers are listed, Identity Manager attempts to connect to the systems in the listed order.
      The alternate Provisioning Servers are used if the primary Provisioning Server fails. When the primary Provisioning Server becomes available again, the alternate Provisioning Server continues to be used. To return to using the primary Provisioning Server, restart the alternate Provisioning Servers.
    Click Next.
  7. Select the objects for managing, such as Users or Groups.
  8. After you have configured the objects as needed, click Show Summary, deploy the directory, and review the settings for the Provisioning Directory.
  9. Click one of these actions:
    1. Click Back to modify.
    2. Click Save to save the directory information if you want to come back later to deploy.
    3. Click Finish to complete this procedure and start configuring an environment with provisioning.
Configure the Inbound Administrator
For the inbound synchronization to work, create a special Identity Manager user called the inbound administrator. An inbound administrator is an account that Identity Manager uses during synchronization. In previous releases of Identity Manager, the inbound administrator was called the corporate user. No user logs in to this user account; instead, Identity Manager uses it internally. Use this procedure to configure a user account with inbound administrator privileges.
Follow these steps:
  1. Log in to the environment as the user with the System Manager role.
  2. Create a user. You can name the user 
     as a reminder of its purpose.
  3. Choose Admin Roles, Modify Admin Role, and select a role that contains the tasks you use for the synchronization:
    • Provisioning Create User
    • Provisioning Enable/Disable User
    • Provisioning Modify User
    If you have not modified the default synchronization tasks, use the Provisioning Synchronization Manager role.
  4. On the Members tab, add a member policy that includes:
    • A member rule that the new user meets.
    • A scope rule providing access to all users who are affected by provisioning directory changes that trigger the inbound synchronization. Select the Owners tab to create the owner rule.
  5. In the Management Console:
    1. Select the Environment.
    2. Select Advanced Settings, Provisioning.
    3. Complete the Organization for the Creating Inbound Users field if the CA Identity Manager directory includes an organization.
      This organization is where users are created when the inbound synchronization occurs. For example, when a user is added to the provisioning directory, CA Identity Manager adds the user to this organization.
    4. Complete the Inbound Administrator field with the User ID of the user that you created in Step 2.
    5. Click Validate to confirm the user ID is accepted. The complete user ID appears below the user ID entered.
    6. Modify other fields on the screen. 
      When you modify, be sure that you understand how the fields interact. For details on each field, click the Help link on the screen.
Connect an Environment to the Provisioning Server
As a system administrator, assign the Provisioning Server to an environment so that accounts are synchronized between the two directories.
Follow these steps:
  1. In the Management Console, click Environments.
  2. Click the name of the environment that you want to associate with the Provisioning Server.
  3. Click the right arrow icon in the Provisioning Server field.
    The Provisioning Properties screen opens.
  4. Select the Provisioning Server.
  5. Click Save at the bottom of the screen.
Configure Synchronization in the Provisioning Manager
Inbound synchronization keeps Identity Manager up to date with changes that occur in the provisioning directory. Changes include those made using Provisioning Manager and changes in endpoints for which the Provisioning Server has a connector.
Each Provisioning Server supports a single environment. However, you can configure backup environments on different systems in a cluster in case the current environment is unavailable.
Follow these steps:
  1. On the Identity Manager server, choose Start, Identity Manager, Provisioning Manager.
  2. Click System, Identity Manager.
  3. Complete the Host Name field with the name of the system where the Identity Manager Server is installed.
  4. Complete the Port field with the application server port number.
  5. Complete the Environment name field with the alias for the environment.
  6. Select Secured Connection if you want to use the HTTPS protocol to communicate with the Identity Manager server instead of using HTTP and encrypting the individual notifications.
  7. Click Add.
  8. Repeat steps 3-6 for each backup version of the environment.
    If the application server for the current environment is unavailable, Identity Manager fails over to a backup environment. You can reorder the current and backup environments to set the failover order.
  9. If it is the first environment, fill in the Shared Secret fields using the password that was entered during the Identity Manager installation for the user for embedded components.
    These fields do not apply if FIPS is enabled in this installation.
  10. Set the Log Level as follows:
    • No Log--No information is written to the log file.
    • Error--Only error messages are logged.
    • Info--Error and information messages are logged (default).
    • Warning--Error, warning, and information messages are logged.
    • Debug--All information is logged.
  11. Restart the application server before you log in to the environment.
For a log of inbound synchronization operations and any problems that are encountered during synchronization, see the following file:
Import Custom Provisioning Roles
When you create the environment, you can use either the default roles or a custom role definition file that you create. If you import custom role definitions, import the Provisioning Only role definitions. After you create the environment, import the role definitions from the ProvisioningOnly-RoleDefinitions.xml file, which is in one of these folders:
  • admin_tools/ProvisioningOnlyRoleDefinitions/Organization
  • admin_tools/ProvisioningOnlyRoleDefinitions/NoOrganization
The default location for admin_tools is:
  • Windows: [set the Installation Path variable]\tools
  • UNIX: [set the alternate Installation Path variable]/tools
Account Synchronization for the Reset User Password Task
Before you enable provisioning for an environment, the account synchronization setting for the Reset User Password task is set to On Task Completion. However, when you import the ProvisioningOnly-RoleDefinitions.xml configuration file, which creates the roles and tasks for user provisioning, account synchronization for this task is disabled.
To use the Reset User Password task to trigger account synchronization, change the account synchronization setting for this task back to On Task Completion.