Tuesday, July 1, 2014

Upgrading OIM 11.1.2.x.x to 11.1.2.2.0

Description: This post will show you how to upgrade Oracle Identity Manager 11.1.2.1.0 to 11.1.2.2.0. The instructions for upgrading 11.1.2.0.0 to 11.1.2.2.0 are similar.

Environment: Below is the environment I used to test the upgrade process.
  • Oracle Linux 6.3
  • JRockit 1.6.0_75
  • Oracle Identity Manager 11.1.2.1.3
  • WebLogic 10.3.6
  • SOA 11.1.1.6.0
  • Oracle Database 11g R2
References: Oracle® Fusion Middleware Upgrade Guide for Oracle Identity and Access Management 11g Release 2 (11.1.2.2.0)

Sunday, June 15, 2014

No Password Expiration Date For OIM Schema

Oracle Database Version: 11g R2
Description: This post will show you how to set up the OIM schema user so that its password never expires. You've probably seen the following errors during OIM managed server start-up:

[EL Severe]: 2014-06-15 19:55:22.713--ServerSession(514521790)--Exception [EclipseLink-4002] (Eclipse Persistence Services - 2.3.1.v20111018-r10243): org.eclipse.persistence.exceptions.DatabaseException
Internal Exception: java.sql.SQLException: ORA-28001: the password has expired

Error Code: 28001
Jun 15, 2014 7:55:22 PM oracle.security.jps.internal.credstore.ldap.LdapCredentialStore <init>
WARNING: Could not create credential store instance. Reason oracle.security.jps.service.policystore.PolicyStoreException: javax.persistence.PersistenceException: Exception [EclipseLink-4002] (Eclipse Persistence Services - 2.3.1.v20111018-r10243): org.eclipse.persistence.exceptions.DatabaseException
Internal Exception: java.sql.SQLException: ORA-28001: the password has expired

Error Code: 28001
JPS-01055: Could not create credential store instance. Reason oracle.security.jps.service.policystore.PolicyStoreException: javax.persistence.PersistenceException: Exception [EclipseLink-4002] (Eclipse Persistence Services - 2.3.1.v20111018-r10243): org.eclipse.persistence.exceptions.DatabaseException
Internal Exception: java.sql.SQLException: ORA-28001: the password has expired

Error Code: 28001
Error: Diagnostics data was not saved to the credential store.
Error: Validate operation has failed.
Need to do the security configuration first!

These errors are caused by an expired schema password; until it is resolved, the OIM managed server fails to start.
Expired Schema Owner

After changing the database profile limits that govern password expiration (PASSWORD_LIFE_TIME on the profile assigned to the schema owners) and resetting the already expired accounts, you'll notice the accounts show a NULL EXPIRY_DATE in DBA_USERS. Thus, these accounts have no password expiration date.

No Password Expiration After Changing DB Parameters
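The procedure described above, written out as an added SQL*Plus example (these are not the original post's own commands). It assumes the OIM schemas were created with the DEV_ prefix (DEV_OIM, DEV_MDS, DEV_OPSS, DEV_SOAINFRA, DEV_ORASDPM) and uses a placeholder password; adjust both to your environment. It also goes one step beyond the post by putting the schemas on a dedicated profile instead of weakening DEFAULT, so ordinary database accounts keep their rotation policy.

```sql
-- Added example, not from the original post. Run as SYS (or another DBA user).
-- Assumed: schema prefix DEV_, placeholder password, profile name OIM_SCHEMA_PROFILE.

-- 1. Confirm the symptom: which OIM-related schemas are EXPIRED and which profile they use.
SELECT username, account_status, expiry_date, profile
  FROM dba_users
 WHERE username IN ('DEV_OIM', 'DEV_MDS', 'DEV_OPSS', 'DEV_SOAINFRA', 'DEV_ORASDPM')
 ORDER BY username;

-- 2. Show the limit that drives the expiry. In 11g R2 the DEFAULT profile ships with
--    PASSWORD_LIFE_TIME = 180 days, which is why ORA-28001 appears months after install.
SELECT profile, resource_name, limit
  FROM dba_profiles
 WHERE profile = 'DEFAULT'
   AND resource_name IN ('PASSWORD_LIFE_TIME', 'PASSWORD_GRACE_TIME');

-- 3. Create a dedicated profile for the middleware schemas rather than changing DEFAULT,
--    so human/DBA accounts keep expiring on schedule (least privilege applies to policy too).
CREATE PROFILE OIM_SCHEMA_PROFILE LIMIT
  PASSWORD_LIFE_TIME  UNLIMITED
  PASSWORD_GRACE_TIME UNLIMITED;

ALTER USER DEV_OIM      PROFILE OIM_SCHEMA_PROFILE;
ALTER USER DEV_MDS      PROFILE OIM_SCHEMA_PROFILE;
ALTER USER DEV_OPSS     PROFILE OIM_SCHEMA_PROFILE;
ALTER USER DEV_SOAINFRA PROFILE OIM_SCHEMA_PROFILE;
ALTER USER DEV_ORASDPM  PROFILE OIM_SCHEMA_PROFILE;

-- 4. Accounts that are still OPEN now show EXPIRY_DATE = NULL immediately, because the date
--    is computed from the profile limit. Accounts already in EXPIRED state keep their stored
--    expiry time and must have the password reset to clear it. Reusing the existing password
--    is allowed under the default reuse limits and avoids touching the WebLogic data sources
--    and the OPSS bootstrap credentials that hold it.
ALTER USER DEV_OIM  IDENTIFIED BY "ChangeMe_Placeholder1";   -- placeholder, use the real one
ALTER USER DEV_OPSS IDENTIFIED BY "ChangeMe_Placeholder1";   -- placeholder, use the real one

-- 5. Verify: every schema should be OPEN with a NULL expiry date before restarting OIM.
SELECT username, account_status, expiry_date, profile
  FROM dba_users
 WHERE username IN ('DEV_OIM', 'DEV_MDS', 'DEV_OPSS', 'DEV_SOAINFRA', 'DEV_ORASDPM')
 ORDER BY username;
```

If you do choose a new password in step 4, update the corresponding WebLogic data sources and, for DEV_OPSS, the OPSS bootstrap credential (the credential store errors in the log above come from OPSS connecting to its own schema), otherwise the managed server will fail with ORA-01017 instead of ORA-28001.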

Friday, April 25, 2014

OIM Concepts

What is Oracle Identity Manager (OIM)?
A system that manages the life-cycle of identities. An example of a life-cycle of an identity is when an employee joins an organization and later leaves an organization.


Conventional Model
This is a model in which no identity manager is involved. Several problems arise from it. The diagram below describes the process of hiring a new employee; removing an employee works similarly.




#1. A new employee is hired. The employee’s information is placed into a Human Resource Management System (HRMS) by the HR department to indicate the employee is active to work for the organization.

#2. HR notifies the manager via email that a new employee is ready to start.

#3. The manager then requests several target accounts for the new employee. These accounts can be for applications, operating systems, directories, etc. (e.g. Google Apps, PeopleSoft, Active Directory). The manager sends emails to the administrators in charge of each target system asking them to carry out the task.

#4. The administrators of each of the target systems (E.g. Admins for Google Apps, Admins for PeopleSoft and Admins for Active Directory) are responsible for manually creating the accounts. There can be a hierarchy workflow when creating an account on the target system (E.g. Google Admin sends a request to Google Admin 2 to enable specific privileges -> Say Google Admin 2 is on vacation, so the task is delegated to a Temporary Google Admin -> and so on … ).
Problems With the Conventional Model
- Too many of the tasks are done manually
- Employee’s data is distributed among many systems and there is no centralized place to look up data.
- There is no tracking of a given task (E.g. Has a Google account been created for the new employee ? If not, what is the progress and why is it being delayed?).
- Security breach with orphan/rogue accounts (E.g. There is a possible security breach if an employee has been fired and one of the employee’s account has not been revoked).

In the next section, you will see how including OIM can resolve many problems faced in the conventional model.


OIM Model
Before describing the OIM model, it is important to understand how an identity is represented in OIM.


An OIM Identity consists of user defined fields (UDFs), which are attributes that describe the identity, and accounts for specific access to applications. The accounts themselves have attributes and the data typically comes from external sources.


The diagram shows how OIM deals with managing identities. The diagram given below describes the process of hiring a new employee.




#1. A new employee is hired and the employee’s information is placed into HRMS.


#2. OIM reads the new employee’s information from HRMS and, with this information, creates the identity in its own system. This process is known as Trusted User Reconciliation and it can be scheduled to run at any time. (Side Note: Trusted User Reconciliation also handles updates. If an existing employee changes his address, OIM picks up the change from HRMS and updates the identity with the new value. Trusted User Reconciliation maps information from HRMS to the User Defined Fields of an OIM identity. OIM connectors allow the HRMS as well as the other target systems to be integrated with OIM.)

#3. After the identity has been created for the new employee, OIM kicks off many other events to further process the new identity. Everything in OIM is event driven and many events are automated (Side Note: This involves configuring OIM components and writing custom code to achieve this).

#4. OIM communicates with the target systems in order to create the accounts for the new employee. (Side Note: OIM comes with predefined connectors that integrate the target systems with OIM. These connectors allow OIM to perform many of the target system activities, such as creating, updating, and revoking accounts.)


OIM Advantages
- Centralized administration
- Easy to manage the identities and their associated accounts
- Flexible configurations to meet business requirements
- Automation of tasks
- Audits, Logs, Reports, Tracking requests (handling requests involve SOA)
- Rogue / Expired / Orphan accounts elimination via security policies

Terminology

Connectors
Used to integrate target resource systems into OIM. This allows OIM to manage all the identities as well as their target accounts.

Trusted User Reconciliation
Creation/update of identities in OIM by reading from an authoritative source, e.g. users from HRMS.

Target User Reconciliation (Account Reconciliation)
Read information from the target systems and synchronize the data in OIM. Also, linking of target accounts to an identity happens in this process.

Account Provisioning
Creation/update of target accounts for an OIM identity on the target resource.
Direct/Manual, Auto/Criteria, Request Based

Account Deprovisioning
Removal of target resource accounts from an OIM Identity. OIM can communicate with the target system to remove the account.

Friday, April 4, 2014

Upgrading JRockit Version For WebLogic Server Instances

Description: This post will show you the necessary steps to replace an old version of JRockit with a newer one.

Friday, March 28, 2014

OIM Upload Jar Utility

Version: Oracle Identity Manager 11g R2
Description: The Upload Jar utility pushes a jar file to the database. After uploading a jar to the database, you should see a new record of the uploaded jar in {OIM_SCHEMA}.OIMHOME_JARS table.

Friday, March 21, 2014

Setup Oracle Diagnostic Logging (ODL) for OIM Plug-ins

Version: Oracle Identity Manager 11g
Description: Oracle Diagnostic Logging (ODL) is the principal logging service used by OIM. This post shows you how to set up ODL for your OIM plug-ins (event handlers, scheduled tasks, and adapter code).

Friday, March 14, 2014

Enable OIM Caching

Version: Oracle Identity Manager 11g
Description: The configurations for OIM caching are defined in the "/db/oim-config.xml" file, which is stored in MDS. To enable caching, you can either directly modify the "/db/oim-config,xml" configuration file or use the OIM Enterprise Manager (EM) console. This post goes over the latter. In the EM console, there are beans that correspond to the caching settings defined in "/db/oim-config.xml". Whenever you make a change to a bean, the change is push out to MDS.