Saturday, December 27, 2014

Propagating User Attributes to User Resource Accounts

Tested On: Oracle Identity Manager 11.1.2.2.0
Description: Shows how to propagate attributes from OIM User Profile to user resource accounts.

Sample Scenario
OIM User Attribute: First Name
Active Directory Process Form Field: First Name
Whenever the First Name OIM User Attribute is modified, the changes will also be pushed down to the First Name attribute on Active Directory.
References: http://docs.oracle.com/cd/E40329_01/dev.1112/e27150/promgt.htm#OMDEV2509

Thursday, December 25, 2014

Adding Attributes to an ICF Connector for Reconciliation

Version: Oracle Identity Manager 11.1.2.2.0
Description: Shows how to add an attribute to an Identity Connector Framework (ICF) OIM connector for reconciliation in general. The Database Application Tables (DBAT) 11.1.1.5.0 connector is used as an example. Refer to here for setting up the DBAT connector.

Reconciliation Event
Data Flow: Target Data -> Recon Fields -> Process Form
References: https://docs.oracle.com/cd/E22999_01/index.htm
https://docs.oracle.com/cd/E22999_01/doc.111/e20277/extnd_func.htm#CDEJFECH

Tuesday, December 23, 2014

Update Child Process Form via API

Version: Oracle Identity Manager 11.1.2.2.0
Description: Uses the Oracle Identity Manager API to make updates (add, delete, and modify) on a resource account child form.
Reference: http://docs.oracle.com/cd/E40329_01/apirefs.1112/e28159/toc.htm

Monday, December 22, 2014

Adding Attributes to an ICF Connector for Provisioning

Version: Oracle Identity Manager 11.1.2.2.0
Description: Shows how to add a resource attribute to an Identity Connector Framework (ICF) OIM connector for provisioning in general. The Database Application Tables (DBAT) 11.1.1.5.0 connector is used as an example. Refer to here for setting up the DBAT connector.
References: https://docs.oracle.com/cd/E22999_01/index.htm
https://docs.oracle.com/cd/E22999_01/doc.111/e20277/extnd_func.htm#CDEJFECH

Wednesday, December 17, 2014

OIM 11g R2 API: Resource Account Parent Form Modifications

Tested On: Oracle Identity Manager 11.1.2.2.0
Description: Contains sample code to make modifications to a specific resource account parent form using the ProvisioningService API.
Reference: http://docs.oracle.com/cd/E40329_01/apirefs.1112/e28159/toc.htm


Monday, December 15, 2014

OIM Managed Bean Example: Custom Password Reset

Tested On: Oracle Identity Manager 11.1.2.2.0, WebLogic 10.3.6, JDeveloper 11.1.1.7.0
Description: Demonstrates how to set up and deploy a custom managed bean, and apply a UI customization that triggers the bean. The example given here is a custom password reset managed bean. You can download the project here. Below are the results of completing this tutorial:

References: http://docs.oracle.com/cd/E40329_01/dev.1112/e27150/uicust.htm#OMDEV4804
http://docs.oracle.com/cd/E40329_01/dev.1112/e27150/facesutils.htm#OMDEV5216
http://fusionsecurity.blogspot.com/2013/09/oim-reset-password-customization-example.html

Sunday, December 14, 2014

OIM Custom Validation Event Handler Example

Tested On: Oracle Identity Manager 11.1.2.2.0
Description: A custom validation event handler that validates whether the "Telephone Number" (USR_TELEPHONE_NUMBER) user attribute has the proper format. The event handler is triggered on modification of the "Telephone Number" user attribute.


Reference: http://docs.oracle.com/cd/E27559_01/dev.1112/e27150/oper.htm#OMDEV4778

Friday, December 12, 2014

Developing Managed Beans: JDeveloper Project Template

Tested On: JDeveloper 11.1.1.7.0, Oracle Identity Manager 11.1.2.2.0
Description: Shows how to set up a JDeveloper project template for managed bean development.
References: http://docs.oracle.com/cd/E40329_01/dev.1112/e27150/uicust.htm#OMDEV4804

Wednesday, December 10, 2014

How to Export MDS Files Through WLST

Tested On: Oracle Identity Manager 11.1.2.2.0, WebLogic 10.3.6
Description: Demonstrates how to export configuration files from the Metadata Store (MDS) through the WebLogic Scripting Tool (WLST) command line interface.
Prerequisites: The Oracle Identity Manager and WebLogic servers must be running.
References: http://docs.oracle.com/cd/E28271_01/web.1111/e13813/custom_mds.htm

1. Execute wlst.sh located in "$MW_HOME/Oracle_IDM1/common/bin" directory.



2. Connect to WebLogic Administration Server via WLST.

connect('WL_USER','PASSWORD','t3://WL_HOSTNAME:WL_PORT');

# Example
connect('weblogic', 'Password1','t3://localhost:7001');




3. Export metadata of an application.

# Syntax
exportMetadata(application, server, toLocation [, docs]
 [, restrictCustTo] [, excludeCustFor] [, excludeAllCust] [, excludeBaseDocs]
 [, excludeExtendedMetadata] [, excludeSeededDocs]
 [, fromLabel][, toLabel] [, applicationVersion] [, remote] [, tenantName])


#==========================
# Examples
# listApplications() = List all applications
#==========================

# OIM Configuration Files
exportMetadata(application='OIMMetadata', server='oim_server1', toLocation='/home/oracle/mds_backup/oim_metadata');


# OIM Self-Service UI Files
exportMetadata(application='oracle.iam.console.identity.self-service.ear', server='oim_server1', toLocation='/home/oracle/mds_backup/oim_self_service_ui');


# OIM Sysadmin UI Files
exportMetadata(application='oracle.iam.console.identity.sysadmin.ear', server='oim_server1', toLocation='/home/oracle/mds_backup/oim_sysadmin_ui');

# Export Single OIM file
exportMetadata(application='OIMMetadata', server='oim_server1', toLocation='/home/oracle/mds_backup/oim_main_config',docs='/db/oim-config.xml');


Tuesday, December 9, 2014

How to Unregister an OIM Plugin

Version: Oracle Identity Manager 11.1.2.2.0
Description: Shows how to remove a custom plugin such as an event handler or scheduled task from Oracle Identity Manager via API.

package com.blogspot.oraclestack.utilities;

import java.util.Hashtable;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.security.auth.login.LoginException;
import oracle.iam.platform.OIMClient;
import oracle.iam.platform.pluginframework.PluginException;
import oracle.iam.platformservice.api.PlatformService;
import oracle.iam.platformservice.api.PlatformUtilsService;
import oracle.iam.platformservice.exception.InvalidCacheCategoryException;
import oracle.iam.platformservice.exception.PlatformServiceAccessDeniedException;


/**
 * Removes a single plugin. This does not remove an entire zip plugin.
 * Query the OIM.PLUGINS table to get ID and VERSION.
 */
public class UnRegisterPlugin
{
    // Substitute these values accordingly 
    public static final String OIM_HOSTNAME = "localhost";
    public static final String OIM_PORT = "14000";
    public static final String OIM_PROVIDER_URL ="t3://" + OIM_HOSTNAME + ":" + OIM_PORT;
    public static final String OIM_USERNAME = "xelsysadm";
    public static final String OIM_PASSWORD = "Password1";
    public static final String OIM_CLIENT_HOME ="/home/oracle/jdeveloper/mywork/OracleIdentityManager/Resources/oimclient";
    public static final String AUTHWL_PATH =OIM_CLIENT_HOME + "/conf/authwl.conf";
    public static final String PLUGIN_ID = "com.blogspot.oraclestack.eventhandlers.SetMiddleNamePreprocessEH";
    public static final String PLUGIN_VERSION = "1.0";
   
    public static void main(String[] args) 
    {
        OIMClient oimClient = null;


        try
        {
            //Set system properties required for OIMClient
            System.setProperty("java.security.auth.login.config", AUTHWL_PATH);
            System.setProperty("APPSERVER_TYPE", "wls");

            // Create an instance of OIMClient with OIM environment information
            Hashtable env = new Hashtable();
            env.put(OIMClient.JAVA_NAMING_FACTORY_INITIAL,"weblogic.jndi.WLInitialContextFactory");
            env.put(OIMClient.JAVA_NAMING_PROVIDER_URL, OIM_PROVIDER_URL);
            oimClient = new OIMClient(env);

            // Login to OIM with the appropriate credentials
            oimClient.login(OIM_USERNAME, OIM_PASSWORD.toCharArray());

            // Remove single plugin
            PlatformService service = oimClient.getService(PlatformService.class);
            service.unRegisterPlugin(PLUGIN_ID, PLUGIN_VERSION);
           
            // Purge Cache
            PlatformUtilsService platUtilOps = oimClient.getService(PlatformUtilsService.class);
            platUtilOps.purgeCache("ALL");
        }

        // Log against this class; the logger previously referenced a RegisterPlugin class that is not part of this listing
        catch (PlatformServiceAccessDeniedException ex) {Logger.getLogger(UnRegisterPlugin.class.getName()).log(Level.SEVERE, null, ex);}
        catch (PluginException ex) {Logger.getLogger(UnRegisterPlugin.class.getName()).log(Level.SEVERE, null, ex);}
        catch (LoginException ex) {Logger.getLogger(UnRegisterPlugin.class.getName()).log(Level.SEVERE, null, ex);}
        catch (InvalidCacheCategoryException e) {Logger.getLogger(UnRegisterPlugin.class.getName()).log(Level.SEVERE, null, e);}

        finally
        {
            // Logout user from OIMClient
            if (oimClient != null) { oimClient.logout(); }
        }
    }
}

Saturday, December 6, 2014

Custom Preprocess Event Handler to Set Middle Name

Version: Oracle Identity Manager 11.1.2.2.0
Description: A preprocess event handler which sets the user's middle name to the first letter of the user's first name if the user does not have a value for middle name. The event handler triggers on the creation of an OIM User.
Reference: https://docs.oracle.com/cd/E40329_01/dev.1112/e27150/oper.htm#OMDEV4768

Tuesday, December 2, 2014

Disabling OOTB OIM Event Handlers

Description: Shows you how to disable an out of the box event handler in Oracle Identity Manager.
** USE AT YOUR OWN RISK **   
References: https://docs.oracle.com/cd/E21764_01/doc.1111/e14309/utils.htm#OMDEV2810
http://docs.oracle.com/cd/E40329_01/dev.1112/e27150/uploadutil.htm#OMDEV4859
Tested On: Oracle Identity Manager 11.1.2.2.0

1. Figure out the metadata file you would like to export. Execute the following SQL query on the MDS schema to obtain all the predefined event handlers:

SELECT * FROM mds_paths WHERE path_fullname LIKE '%EventHandlers.xml%';

2. Export the event handler XML file from MDS via the EM console or weblogicExportMetadata.sh. Refer to Import and Export Metadata using EM Console for step by step instructions.

3. Keep a backup copy of the original XML file.

4. Modify the XML file. Given below is an example of commenting out one of the predefined event handlers in the "/metadata/iam-features-passwordmgmt/event-definition/EventHandlers.xml" file:

<?xml version='1.0' encoding='UTF-8'?>
<eventhandlers xmlns="http://www.oracle.com/schema/oim/platform/kernel" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.oracle.com/schema/oim/platform/kernel orchestration-handlers.xsd">
<validation-handler class="oracle.iam.passwordmgmt.eventhandlers.ResetPasswordValidationHandler" entity-type="User" operation="RESET_PASSWORD" name="ResetPasswordValidationHandler" order="FIRST" sync="TRUE"/>
<validation-handler class="oracle.iam.passwordmgmt.eventhandlers.UserPasswordValidationHandler" entity-type="User" operation="CREATE" name="CreateUserPasswordValidationHandler" order="1020"/>
<validation-handler class="oracle.iam.passwordmgmt.eventhandlers.UserPasswordValidationHandler" entity-type="User" operation="CHANGE_PASSWORD" name="UserPasswordValidationHandler" order="2"/>
<!--<action-handler class="oracle.iam.passwordmgmt.eventhandlers.ResetPasswordPreProcessHandler" entity-type="User" operation="RESET_PASSWORD" name="ResetPasswordPreProcessHandler" stage="preprocess" sync="TRUE" order="9900"/>-->
<action-handler class="oracle.iam.passwordmgmt.eventhandlers.ResetPasswordActionHandler" entity-type="User" operation="RESET_PASSWORD" name="ResetPasswordActionHandler" order="FIRST" stage="action" sync="TRUE"/>
<postprocess-handler class="oracle.iam.passwordmgmt.eventhandlers.PasswordNotificationHandler" entity-type="User" operation="RESET_PASSWORD" name="ResetPasswordNotificationHandler" order="FIRST" stage="postprocess" sync="TRUE"/>
<postprocess-handler class="oracle.iam.passwordmgmt.eventhandlers.PasswordNotificationHandler" entity-type="User" operation="CREATE" name="CreateUserPasswordNotificationHandler" order="1180" stage="postprocess" sync="TRUE"/>
<postprocess-handler class="oracle.iam.passwordmgmt.eventhandlers.PasswordNotificationHandler" entity-type="User" operation="CHANGE_PASSWORD" name="PasswordNotificationHandler" order="THIRD" stage="postprocess" sync="TRUE"/>
</eventhandlers>

5. Import the modified XML file into MDS via the EM console.

6. Purge the cache or restart the OIM server for the changes to take effect.

7. You can query the ORCHEVENTS table in the OIM schema to see the trigger points of each event handler process.
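As an added example (not the post's own code), a small Python script that performs step 4 on an exported EventHandlers.xml: it lists the handlers that are still active, comments out one handler by its name attribute while keeping the file well-formed and its namespace prefixes intact, and refuses when the name is missing or ambiguous so a typo cannot disable the wrong handler. The sample document is constructed from the handler listing above in its original, not yet commented-out state.

```python
"""Disable one OIM event handler in an exported EventHandlers.xml (added example)."""
import xml.etree.ElementTree as ET

# Namespaces used by the OIM orchestration schema (taken from the file header above)
OIM_NS = "http://www.oracle.com/schema/oim/platform/kernel"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
# Keep the original prefixes when re-serialising instead of ElementTree's ns0/ns1 defaults
ET.register_namespace("", OIM_NS)
ET.register_namespace("xsi", XSI_NS)

# Constructed sample: the RESET_PASSWORD handlers from the listing above,
# in their out-of-the-box state (nothing commented out yet).
SAMPLE_XML = """<?xml version='1.0' encoding='UTF-8'?>
<eventhandlers xmlns="http://www.oracle.com/schema/oim/platform/kernel" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.oracle.com/schema/oim/platform/kernel orchestration-handlers.xsd">
<validation-handler class="oracle.iam.passwordmgmt.eventhandlers.ResetPasswordValidationHandler" entity-type="User" operation="RESET_PASSWORD" name="ResetPasswordValidationHandler" order="FIRST" sync="TRUE"/>
<action-handler class="oracle.iam.passwordmgmt.eventhandlers.ResetPasswordPreProcessHandler" entity-type="User" operation="RESET_PASSWORD" name="ResetPasswordPreProcessHandler" stage="preprocess" sync="TRUE" order="9900"/>
<action-handler class="oracle.iam.passwordmgmt.eventhandlers.ResetPasswordActionHandler" entity-type="User" operation="RESET_PASSWORD" name="ResetPasswordActionHandler" order="FIRST" stage="action" sync="TRUE"/>
<postprocess-handler class="oracle.iam.passwordmgmt.eventhandlers.PasswordNotificationHandler" entity-type="User" operation="RESET_PASSWORD" name="ResetPasswordNotificationHandler" order="FIRST" stage="postprocess" sync="TRUE"/>
</eventhandlers>
"""


def _local(tag):
    """Strip the namespace from a tag: '{uri}action-handler' -> 'action-handler'."""
    return tag.rsplit("}", 1)[-1]


def active_handlers(xml_text):
    """Return (handler-type, name) for every handler that is still active.

    Commented-out handlers are not parsed as elements, so they never show up;
    this is a quick way to confirm what a modified file will still run.
    """
    root = ET.fromstring(xml_text.encode("utf-8"))
    return [(_local(el.tag), el.get("name")) for el in root if isinstance(el.tag, str)]


def disable_handler(xml_text, handler_name):
    """Comment out the handler whose name attribute equals handler_name.

    The element is replaced in place by an XML comment holding its original
    markup, which is what step 4 above does by hand. Raises ValueError unless
    exactly one handler carries that name, so a typo cannot silently leave the
    file unchanged or disable the wrong handler.
    """
    root = ET.fromstring(xml_text.encode("utf-8"))
    elements = [el for el in root if isinstance(el.tag, str)]
    matches = [el for el in elements if el.get("name") == handler_name]
    if len(matches) != 1:
        raise ValueError("expected exactly one handler named %r, found %d"
                         % (handler_name, len(matches)))
    target = matches[0]
    position = list(root).index(target)
    # Serialise just this element; drop the xmlns that ElementTree adds to a
    # subtree serialised on its own, and the whitespace tail that follows it.
    markup = ET.tostring(target, encoding="unicode")
    markup = markup.replace(' xmlns="%s"' % OIM_NS, "").strip()
    comment = ET.Comment(markup)
    comment.tail = target.tail  # keep the newline that followed the element
    root.remove(target)
    root.insert(position, comment)
    body = ET.tostring(root, encoding="unicode")
    # Write the declaration ourselves so the encoding stays UTF-8 regardless of locale
    return "<?xml version='1.0' encoding='UTF-8'?>\n" + body


if __name__ == "__main__":
    # Hypothetical paths: in practice read the exported file and write the
    # modified copy next to your backup from step 3.
    print("Active before:", active_handlers(SAMPLE_XML))
    modified = disable_handler(SAMPLE_XML, "ResetPasswordPreProcessHandler")
    print("Active after: ", active_handlers(modified))
    print(modified)
```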

Monday, November 24, 2014

How to Create SPML Applications for SIM

Version: Sun Identity Manager 8.1
References: https://docs.oracle.com/cd/E19225-01/820-5597/ahvap/index.html
https://docs.oracle.com/cd/E19225-01/820-5597/ahvch/index.html

1. The necessary JAR files can be found in the "$WSHOME/WEB-INF/lib" directory. The following JAR files are needed to build SIM SPML applications:

  • openspml.jar
  • mail.jar
  • soap.jar
2. Given below is sample Java code to demonstrate the use of the SPML client:

import java.net.MalformedURLException;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.openspml.client.LighthouseClient;
import org.openspml.message.ExtendedRequest;
import org.openspml.message.FilterTerm;
import org.openspml.message.ModifyRequest;
import org.openspml.message.SearchRequest;
import org.openspml.message.SearchResponse;
import org.openspml.message.SearchResult;
import org.openspml.message.SpmlResponse;
import org.openspml.util.SpmlException;

/**
 * Sun Identity Manager: SPML Client
 * Test class for demonstration purposes
 * @author oracle
 */
public class SIMSPMLClient
{
    // SIM environment information
    private static final String simServiceAccountUser = "configurator";
    private static final String simServiceAccountPassword = "configurator";
    private static final String simPort = "8080";
    private static final String simHostname = "localhost";
    private static final String simWebServiceURL = "http://" + simHostname + ":" + simPort +"/idm/servlet/rpcrouter2";
   
    // Class logger
    private static final Logger logger = Logger.getLogger(SIMSPMLClient.class.getName());
   
    /**
     * Test Driver
     * @param args
     */
    public static void main(String[] args)
    {
        LighthouseClient client = null;
        String accountId = null;
        String resourceAccountName = "Database Table";
       
        try
        {
            // Setup SIM SPML client
            client = new LighthouseClient();
            client.setUrl(simWebServiceURL);
            client.setUser(simServiceAccountUser);
            client.setPassword(simServiceAccountPassword);
          
            // Call method to modify user attributes
            accountId = "jdoe";
            HashMap<String, Object> modAttrs = new HashMap<String, Object>();
            modAttrs.put("email", "jdoe@gmail.com");
            modAttrs.put("status", "Active");
            modifyUserAttributes(client, accountId, modAttrs);
          
            // Provision target resource
            accountId = "gbass";
            HashMap<String, Object> resAttrs = new HashMap<String, Object>();
            resAttrs.put("resources", "Database Table"); //delimited by comma
            resAttrs.put("status", "Created");
            //modifyUserAttributes(client, accountId, resAttrs);
           
            // Deprovision target resource, but does not remove assignment in SIM
            ExtendedRequest dreq = new ExtendedRequest();
            dreq.setOperationIdentifier("deleteUser");
            dreq.setAttribute("accountId","gbass");
            dreq.setAttribute("accounts","Database Table");
            //SpmlResponse res = client.request(dreq);
            //System.out.println(res.getResult());
           
            // Deprovision target resources and remove the assignment
            HashMap<String, Object> resRmAttrs = new HashMap<String, Object>();
            resRmAttrs.put("resources", ""); // must go into resRmAttrs, the map that is actually sent
            //modifyUserAttributes(client, accountId, resRmAttrs);

            // Call custom workflow
            String simWorkFlowName = "Custom-Workflow";
            String username = "jmann";
            HashMap<String, Object> wfAttrs = new HashMap<String, Object>();
            wfAttrs.put("ACTION", "MODIFY");
            wfAttrs.put("__UID__", username);
            wfAttrs.put("__NAME__", username);
            wfAttrs.put("__PASSWORD__", "jmann");
            wfAttrs.put("EMAIL", "jmann8@gmail.com");
            wfAttrs.put("LASTNAME", "");
            wfAttrs.put("USERNAME", username);
            //callSimWorkFlow(client, simWorkFlowName, wfAttrs);

           // Disable resource account
           accountId = "gbass";
           //disableResourceAccount(client, accountId, resourceAccountName);

           // Enable resource account
           //enableResourceAccount(client, accountId, resourceAccountName);
          
           // Create SIM account
           HashMap<String, String> attrs = new HashMap<String,String>();
           attrs.put("lastname", "Parker");
           attrs.put("firstname", "Peter");
           attrs.put("email", "pparker@gmail.com");
           attrs.put("password","Password1");
           //client.createUser("pparker", attrs);
          
           // Delete SIM account
           List<String> accounts = new ArrayList<String>();
           //client.deleteUser("pparker", accounts);
           
           // Search SIM User based on accountId
           SearchRequest req = new SearchRequest();
           req.addAttribute("lastname");
           req.addAttribute("email");
           FilterTerm ft = new FilterTerm();
           ft.setOperation(FilterTerm.OP_EQUAL);
           ft.setName("accountId");
           ft.setValue("jdoe");
           req.addFilterTerm(ft);
           SearchResponse res = (SearchResponse)client.request(req);
           System.out.println(res.getResults());
           List results = res.getResults();
           if (results != null) 
           {
               for (int i = 0 ; i < results.size() ; i++)
               {
                   SearchResult sr = (SearchResult) results.get(i);
                   System.out.println("Identifier=" + sr.getIdentifierString() + " sn=" + sr.getAttribute("lastname").getValue() + " email=" + sr.getAttribute("email").getValue());
              }
           }         
       }
      
       catch (SpmlException ex)
       {
           logger.log(Level.SEVERE, null, ex);
       }
      
       catch (MalformedURLException ex)
       {
           logger.log(Level.SEVERE, null, ex);
       }
      
       finally
       {
           if (client != null)
           {
               try
               {
                   client.logout();
               }
              
               catch (SpmlException ex)
               {
                   logger.log(Level.SEVERE, null, ex);
               }
           }
       }
    }

   
    /**
     * Modification request to modify attributes on a user.
     * SIM user attributes and resource attributes can be modified by this method.
     * Also provisioning of resource account can be made.
     * @param client        SPML client with service account logged in
     * @param accountId     Identifier to match against SIM account and make modifications
     * @param attributes    Attributes to modify on user
     * @return              SIM SPML response
     * @throws SpmlException
     */
    public static SpmlResponse modifyUserAttributes(LighthouseClient client, String accountId, Map<String, Object> attributes) throws SpmlException
    {
        // Create a request to send to SIM
        ModifyRequest req = new ModifyRequest();
        req.setIdentifier(accountId);
       
        // SIM attributes to modify
        for (Map.Entry<String, Object> entry : attributes.entrySet())
        {
            req.addModification(entry.getKey(), entry.getValue());
        }

        // Send request to SIM and SIM sends a response back
        SpmlResponse response = client.request(req);
        logger.log(Level.INFO, "Response Code: {0}", new Object[] {response.getResult()});
       
        return response;
    }

   
    /**
     * Call a SIM work flow to be executed.
     * @param client        SPML client with service account logged in
     * @param workFlowName  Name of SIM work flow
     * @param attributes    Attributes, including accountId, to be processed by the work flow
     * @return              SIM SPML response
     * @throws SpmlException
     */
    public static SpmlResponse callSimWorkFlow(LighthouseClient client, String workFlowName, Map<String, Object> attributes) throws SpmlException
    {
        // Create a request to send to SIM
        ExtendedRequest req = new ExtendedRequest();
        req.setOperationIdentifier("launchProcess");
        req.setAttribute("process", workFlowName);
       
        // SIM attributes to sent to work flow
        for (Map.Entry<String, Object> entry : attributes.entrySet())
        {
            req.setAttribute(entry.getKey(), entry.getValue());
        }

        // Send request to SIM and SIM sends a response back
        SpmlResponse response = client.request(req);
        logger.log(Level.INFO, "Response Code: {0}", new Object[] {response.getResult()});

        return response;
    }

    /**
     * Disables a resource account in SIM
     * @param client        SPML client with service account logged in
     * @param accountId     SIM user whose resource account is going to be disabled
     * @param accountName   Resource account to disable
     * @return              SIM SPML response
     * @throws SpmlException
     */
    public static SpmlResponse disableResourceAccount(LighthouseClient client, String accountId, String accountName) throws SpmlException
    {
        ExtendedRequest req = new ExtendedRequest();
        req.setOperationIdentifier("disableUser");
        req.setAttribute("accountId", accountId);
        req.setAttribute("accounts", accountName);
        SpmlResponse response = client.request(req);
        logger.log(Level.INFO, "Response Code: {0}", new Object[] {response.getResult()});
        return response;
    }

    /**
     * Enables a resource account in SIM
     * @param client        SPML client with service account logged in
     * @param accountId     SIM user whose resource account is going to be enabled
     * @param accountName   Resource account to enable
     * @return              SIM SPML response
     * @throws SpmlException
     */
    public static SpmlResponse enableResourceAccount(LighthouseClient client, String accountId, String accountName) throws SpmlException
    {
        ExtendedRequest req = new ExtendedRequest();
        req.setOperationIdentifier("enableUser");
        req.setAttribute("accountId", accountId);
        req.setAttribute("accounts", accountName);
        SpmlResponse response = client.request(req);
        logger.log(Level.INFO, "Response Code: {0}", new Object[] {response.getResult()});
        return response;
    }
}

Sunday, November 23, 2014

How to Setup and Use OpenSPML Browser with SIM

Version: Sun Identity Manager 8.1
References: https://docs.oracle.com/cd/E19225-01/820-5597/6ngvvl0av/index.html

Setup OpenSPML Browser
1. Set the WSHOME environment variable and include "WSHOME/bin" in the PATH environment variable. WSHOME is the directory in which you installed the Sun Identity Manager components. Given below is an example of setting up these variables in the bash profile:

# User specific environment and startup programs
ORACLE_HOME=/home/oracle/db/app/oracle/product/11.2.0/dbhome_1
ORACLE_SID=orcl
JAVA_HOME=/home/oracle/jrockit-jdk1.6.0_81
WSHOME=/home/oracle/idm
PATH=$WSHOME/bin:$JAVA_HOME/bin:$PATH:$HOME/bin

export JAVA_HOME ORACLE_HOME WSHOME ORACLE_SID PATH

2. Set execute permission for "WSHOME/bin/lh" file.

chmod 744 $WSHOME/bin/lh

3. Execute the following command to start the OpenSPML browser:

lh spml


Using OpenSPML Browser
1. Setup the connection parameters on the "Connect" tab. Then click "Test" to test the connection.
Server URL: http://HOSTNAME:PORT/idm/servlet/rpcrouter2
Username: configurator
Password: configurator
A success message is displayed.

2. Now you'll be able to perform operations from the OpenSPML browser, for example Add and Modify.

Sunday, November 16, 2014

How to Setup Database Table Resource in SIM

Version: Sun Identity Manager 8.1
Description: This post will show you how to setup a database table resource in Sun Identity Manager. An Oracle database table is used as an example.
Reference: https://docs.oracle.com/cd/E19225-01/820-6551/gijbf/index.html

Wednesday, November 12, 2014

How to Create / Delete Users in SIM

Version: Sun Identity Manager 8.1

Create User

1. Log in to the Sun Identity Manager console.

2. Click "Accounts" on the menu bar.
 
3. On the "User List" box, select "New User" from the "-- New Actions --" drop down menu.

4. Fill out the necessary fields on the "Create User" form. Then save.

5. Click OK.


Delete User
1. Navigate to Accounts -> List Accounts.

2. Check mark the user to delete and then select "Delete" under the "-- User Actions --" drop down menu.

3. Confirm deletion of the user.

4. Result page is displayed.

Monday, November 10, 2014

How to Install Sun Identity Manager

Version: Sun Identity Manager 8.1
Operating System: Oracle Linux 6 (64-bit)
Components Tested On: Tomcat 6.41, Java 6.38 (64-bit)
Prerequisites
Install Tomcat 6
1. Download the Tomcat 6 here. Select Binary Distributions => Core => tar.gz.
File: apache-tomcat-6.0.41.tar.gz


2. Execute the following command to extract the tar.gz file. An "apache-tomcat-6.0.41" directory is created. The location of that directory is referred to as the TOMCAT_HOME directory.
tar -xvf apache-tomcat-6.0.41.tar.gz

3. Add the following lines to the top of $TOMCAT_HOME/bin/setclasspath.sh file:
# Location of a JDK
JAVA_HOME=/home/oracle/jdk1.6.0_38 

# Location of your unpacked Tomcat
CATALINA_HOME=/home/oracle/apache-tomcat-6.0.41

export JAVA_HOME CATALINA_HOME

4. When configuring Tomcat to support UTF-8, add the URIEncoding="UTF-8" attribute to the connector element in the $TOMCAT_HOME/conf/server.xml file, for example:
    <Connector port="8080" protocol="HTTP/1.1" 
               connectionTimeout="20000" 
               redirectPort="8443"
               URIEncoding="UTF-8" />

5. When configuring Tomcat to support UTF-8, also add -Dfile.encoding=UTF-8 in your Java VM options. Add the following line to the top of “$TOMCAT_HOME/bin/catalina.sh”:
export JAVA_OPTS="-Dfile.encoding=UTF-8"

6. To start the Tomcat server, execute $TOMCAT_HOME/bin/startup.sh script. To stop the Tomcat server, execute $TOMCAT_HOME/bin/shutdown.sh script.

Installing Sun Identity Manager
1. Download the file from https://edelivery.oracle.com.
Product Pack: Sun Products
Platform: Oracle Solaris on SPARC (32-bit)
Sun Products Media Pack for Oracle Solaris on SPARC (32-bit)
Sun Identity Manager 8.1
File: V19877-01.zip (158M)

2. When installing Identity Manager on UNIX® or Linux systems, the /var/opt/sun/install directory must exist and be writable by the user running the installer.
sudo mkdir -p /var/opt/sun/install
sudo chown oracle:oracle /var/opt/sun/install/

3. Make a directory to unzip the SIM file.
mkdir /home/oracle/sim
cd /home/oracle/sim
mv /home/oracle/Downloads/V19877-01.zip /home/oracle/sim/
unzip V19877-01.zip

4. Execute the following commands to start the installer:
# Make the install script executable
chmod 750 install

# The argument is needed to run installer on a 64-bit machine
JAVA_OPTS=-Dos.arch="x86" ./install

5. Below are the steps of the installation wizard (the screen shots are not reproduced here):
Welcome Screen: click Next.
Accept the license: click Yes.
Select New Installation, then click Next.
Specify the path to install the SIM components. This path will be referred to as WSHOME.
Before clicking "Launch Setup", add the additional JARs to the "$WSHOME/WEB-INF/lib" directory:
JavaMail API 1.4.7 (mail.jar)
GlassFish Server (glassfish3/mq/lib/jms.jar)
Specify the repository path.
Select "No, I will configure Identity Manager myself", then click Execute.
Click Next.

6. Navigate into WSHOME and package everything into a WAR file.
cd /home/oracle/idm
jar -cvf ../idm.war *

7. Move the WAR file into TOMCAT_HOME/webapps directory. Restart the Tomcat server.

8. Once the Tomcat server is running, go to "localhost:8080/idm" to access the Sun Identity Manager console.
ID: administrator
Password: administrator
or
ID: configurator
Password: configurator




Sunday, October 19, 2014

Installing and Configuring Database Application Tables Connector

Description: This post will show you how to install and configure the Database Application Tables Connector. Oracle Database is used as an example for the target system.
Version: Database Application Tables 11.1.1.5.0
References: Oracle Identity Manager Identity Connectors Documentation Release 11.1.1
Oracle® Identity Manager Connector Guide for Database Application Tables Release 11.1.1

Saturday, October 18, 2014

Export and Import MDS Using EM Console

Description: MDS can be exported and imported via EM console. The export / import utilities in EM console can be used to backup MDS, to migrate all the customization done on the Identity Self-Service and Identity System Administration User Interfaces (E.g. User Form, Application Instance Form, User Profile, etc.), and to apply MDS configuration changes.
Tested On: OIM 11.1.2.2.0, WebLogic 10.3.6

Thursday, October 16, 2014

Creating a Disconnected Resource

Description: Disconnected resources are targets for which there is no connector. SOA is required to be running for provisioning a disconnected resource. This post will show you how to create a disconnected resource and setup entitlements for a disconnected resource.
Tested On:  Oracle Identity Manager 11.1.2.2.0
Reference: Oracle® Fusion Middleware Administrator's Guide for Oracle Identity Manager 11g Release 2 (11.1.2.2.0): Managing Disconnected Resources

Tuesday, October 14, 2014

OIM Bulk Load Utility

Description: The Oracle Identity Manager Bulk Load Utility can be used to load large numbers of users, accounts, roles, role hierarchies, role memberships, or role categories directly into the database. The data can be loaded from a database table or a CSV file. The Oracle Identity Manager managed servers must be shut down while the bulk load utility is running.
Tested on Oracle Identity Manager Version: 11.1.2.2.0
Reference: Oracle Identity Manager Bulk Load Utility

Monday, October 13, 2014

OIM 11g R2 PS2 Virtual Machine Template

Download Link: OIM 11g R2 PS2 VM Template
Operating System: Oracle Linux 6.5 (64-bit)
Oracle Database Version: 11.2.0.1.0
Oracle User Password: Password1

Java 6
WebLogic 10.3.6
Service-Oriented Architecture (SOA) 11.1.1.7.0
Identity Management (IDM) 11.1.2.2.0

Sunday, October 12, 2014

Oracle Database 11.2.0.1.0 Virtual Machine Template

Download Link: Oracle Database 11g R2 VM Template
Operating System: Oracle Linux 6.5 (64-bit)
Oracle Database Version: 11.2.0.1.0
Oracle User Password: Password1

Wednesday, October 1, 2014

Running OIM Bulk Load Utility Remotely

Description: This post will show you how to install the Oracle Database client. An Oracle database client is needed to run the Oracle Identity Manager Bulk Load Utility when the Oracle Database and Oracle Identity Manager application server are on separate machines.

Download Link: Oracle Database 11g Release 2 Client (11.2.0.1.0) for Linux x86-64
File Name: linux.x64_11gR2_client.zip

Sunday, September 28, 2014

How to Install OIM 11.1.2.2.0

This guide will show you how to install Oracle Identity Manager 11g Release 2 Patch Set 2 (OIM 11g R2 PS2) in an Oracle Linux 6 (64-bit) environment. The installation was tested in the following environment:
Operating System: Oracle Linux 6.5 (Virtual Machine)
Oracle Database: 11.2.0.1.0

Prerequisites
References
Overview
  1. JRockit Installation
  2. WebLogic 10.3.6 Installation
  3. Using Repository Creation Utility 11.1.2.2.0 to Create Schema
  4. SOA 11.1.1.7.0 Installation
  5. Apply SOA Mandatory Patches
  6. IDM 11.1.2.2.0 Installation
  7. Create WebLogic Domain
  8. Upgrade OPSS Schema
  9. Configure Database Security Store
  10. Configure OIM 11.1.2.2
  11. Post-Installation Tasks

Monday, August 18, 2014

WebLogic Server: Change to Production Mode

Tested On: WebLogic 10.3.6
Description: Demonstrates how to switch a domain from development mode to production mode. The runtime mode is a domain-wide setting: as each Managed Server starts, it reads the mode of the Administration Server to determine its own runtime mode.
References: http://docs.oracle.com/cd/E23943_01/apirefs.1111/e13952/taskhelp/domainconfig/ChangeRuntimeModes.html
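Added example, not from the original post: a shell script that checks config.xml for the setting the console change writes, and runs the same change through WLST so it can be scripted. It assumes the MW_HOME and DOMAIN_HOME paths shown, an Administration Server at t3://localhost:7001, and WLST credential files in ~/.wlst created earlier with storeUserConfig(), so no password appears in the script or in the process list.

```sh
#!/bin/sh
# Added example (not from the original post). Checks whether a domain is
# already in production mode by reading config.xml, and shows the WLST
# equivalent of the console change so it can be scripted. Assumptions:
# MW_HOME and DOMAIN_HOME paths below, admin server at t3://localhost:7001,
# and WLST credential files created earlier with storeUserConfig() so no
# password sits in this script or in the process list.

MW_HOME="${MW_HOME:-/home/oracle/Oracle/Middleware}"
DOMAIN_HOME="${DOMAIN_HOME:-$MW_HOME/user_projects/domains/base_domain}"
ADMIN_URL="${ADMIN_URL:-t3://localhost:7001}"

# config_is_production CONFIG_XML: 0 when <production-mode-enabled> is true.
# The element is absent in a freshly created development-mode domain, which
# counts as false.
config_is_production() {
    grep -Eq '<production-mode-enabled>[[:space:]]*true[[:space:]]*</production-mode-enabled>' "$1"
}

# wlst_script: the edit-session equivalent of the console change. The new
# mode only takes effect after the Administration Server, and then the
# Managed Servers, are restarted.
wlst_script() {
    cat <<EOF
connect(userConfigFile='$HOME/.wlst/config', userKeyFile='$HOME/.wlst/key', url='$ADMIN_URL')
edit()
startEdit()
cd('/')
cmo.setProductionModeEnabled(true)
save()
activate()
disconnect()
exit()
EOF
}

# switch_to_production: do nothing if already set, otherwise run the WLST
# script from a temporary file.
switch_to_production() {
    if config_is_production "$DOMAIN_HOME/config/config.xml"; then
        echo "domain already in production mode" >&2
        return 0
    fi
    wlst="$MW_HOME/wlserver_10.3/common/bin/wlst.sh"
    [ -x "$wlst" ] || { echo "wlst.sh not found at $wlst" >&2; return 1; }
    tmpf=$(mktemp) || return 1
    wlst_script > "$tmpf"
    "$wlst" "$tmpf"
    rc=$?
    rm -f "$tmpf"
    return $rc
}

# Run as a script with "run" as the first argument:  sh prodmode.sh run
if [ "${1:-}" = run ]; then
    switch_to_production
fi
```

Production mode is worth verifying rather than assuming: in that mode WebLogic stops deploying whatever is dropped into the domain's autodeploy directory and requires credentials at server start (from the prompt or a boot.properties file), which is why a development-mode OIM domain should not be exposed beyond a test network.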

Tuesday, August 5, 2014

OpenLDAP: Adding inetOrgPerson Object Class

1. Shutdown OpenLDAP.

2. Locate the path of the "inetorgperson.schema" file (E.g. /usr/local/etc/openldap/schema). At the top of the "slapd.conf" file (E.g. Location = /usr/local/etc/openldap) include the following lines:

include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema

Adjust the location of the schema files accordingly. The "inetorgperson.schema" file depends on "core.schema" and "cosine.schema", so those two must be included before it (the files normally sit in the same directory as "inetorgperson.schema").

3. Start OpenLDAP by executing the slapd script (E.g. Location = /usr/local/libexec).

4. Verify that you are able to create a user with the inetOrgPerson object class and set attributes associated with that object class.

inetOrgPerson Object Class via Apache Directory Studio Schema Browser

User with inetOrgPerson Object Class assigned
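The checks below are an added example, not part of the original post: the first two functions verify step 2 (the three include lines are present, in dependency order, and point at readable files) and the third produces an LDIF entry for step 4. The slapd.conf and schema paths are the post's examples; the base DN, bind DN and the user jdoe are placeholders.

```sh
#!/bin/sh
# Added example (not from the original post): sanity checks for step 2 and
# an LDIF for step 4. Paths are the post's examples; adjust them.

# check_schema_order CONF
# Returns 0 when slapd.conf includes core.schema, cosine.schema and
# inetorgperson.schema in that order (inetorgperson depends on the other
# two, and slapd reads includes top to bottom); 1 otherwise.
check_schema_order() {
    conf="$1"
    core=$(grep -n '^include[[:space:]].*core\.schema' "$conf" | head -n 1 | cut -d: -f1)
    cosine=$(grep -n '^include[[:space:]].*cosine\.schema' "$conf" | head -n 1 | cut -d: -f1)
    inet=$(grep -n '^include[[:space:]].*inetorgperson\.schema' "$conf" | head -n 1 | cut -d: -f1)
    [ -n "$core" ] && [ -n "$cosine" ] && [ -n "$inet" ] || return 1
    [ "$core" -lt "$cosine" ] && [ "$cosine" -lt "$inet" ]
}

# check_schema_files CONF
# Returns 0 when every included schema file is readable; prints the
# missing ones to stderr and returns 1 otherwise.
check_schema_files() {
    conf="$1"
    missing=0
    for f in $(awk '/^include[[:space:]]/ { print $2 }' "$conf"); do
        if [ ! -r "$f" ]; then
            echo "missing schema file: $f" >&2
            missing=1
        fi
    done
    return $missing
}

# user_ldif UID CN SN BASE_DN
# Prints an LDIF entry for an inetOrgPerson. displayName comes from
# inetorgperson.schema and mail from cosine.schema, so ldapadd only
# accepts this entry once step 2 is correct, which is what step 4 verifies.
user_ldif() {
    cat <<EOF
dn: uid=$1,$4
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
uid: $1
cn: $2
sn: $3
displayName: $2
mail: $1@example.com
EOF
}

# Typical use (placeholder values):
#   check_schema_order /usr/local/etc/openldap/slapd.conf && \
#   check_schema_files /usr/local/etc/openldap/slapd.conf && \
#   user_ldif jdoe "John Doe" Doe "ou=People,dc=example,dc=com" | \
#     ldapadd -x -H ldap://localhost -D "cn=Manager,dc=example,dc=com" -W
```

If the order check fails, slapd refuses to start with an "AttributeType not found" style error, because inetorgperson.schema references types that core.schema and cosine.schema define; the file check catches the other common cause, an include path copied from a different install prefix.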

Tuesday, July 1, 2014

Upgrading OIM 11.1.2.x.x to 11.1.2.2.0

Description: This post will show you how to upgrade Oracle Identity Manager 11.1.2.1.0 to 11.1.2.2.0. The instructions for upgrading 11.1.2.0.0 to 11.1.2.2.0 are similar.

Environment: Below is the environment I used for testing the upgrade process.
  • Oracle Linux 6.3
  • JRockit 1.6.0_75
  • Oracle Identity Manager 11.1.2.1.3
  • WebLogic 10.3.6
  • SOA 11.1.1.6.0
  • Oracle Database 11g R2
References: Oracle® Fusion Middleware Upgrade Guide for Oracle Identity and Access Management 11g Release 2 (11.1.2.2.0)

Sunday, June 15, 2014

No Password Expiration Date For OIM Schema

Oracle Database Version: 11g R2
Description: This post shows how to set up the OIM schema user so that its password never expires. You've probably seen the following errors during OIM managed server start-up:

[EL Severe]: 2014-06-15 19:55:22.713--ServerSession(514521790)--Exception [EclipseLink-4002] (Eclipse Persistence Services - 2.3.1.v20111018-r10243): org.eclipse.persistence.exceptions.DatabaseException
Internal Exception: java.sql.SQLException: ORA-28001: the password has expired

Error Code: 28001
Jun 15, 2014 7:55:22 PM oracle.security.jps.internal.credstore.ldap.LdapCredentialStore <init>
WARNING: Could not create credential store instance. Reason oracle.security.jps.service.policystore.PolicyStoreException: javax.persistence.PersistenceException: Exception [EclipseLink-4002] (Eclipse Persistence Services - 2.3.1.v20111018-r10243): org.eclipse.persistence.exceptions.DatabaseException
Internal Exception: java.sql.SQLException: ORA-28001: the password has expired

Error Code: 28001
JPS-01055: Could not create credential store instance. Reason oracle.security.jps.service.policystore.PolicyStoreException: javax.persistence.PersistenceException: Exception [EclipseLink-4002] (Eclipse Persistence Services - 2.3.1.v20111018-r10243): org.eclipse.persistence.exceptions.DatabaseException
Internal Exception: java.sql.SQLException: ORA-28001: the password has expired

Error Code: 28001
Error: Diagnostics data was not saved to the credential store.
Error: Validate operation has failed.
Need to do the security configuration first!

The errors are caused by an expired schema password, and the OIM server fails to start.
Expired Schema Owner

After changing the password-expiration settings that apply to the schema users (in Oracle these are limits on the user's profile) and resolving the expired accounts, you'll notice that the accounts have a NULL password expiration date, i.e. their passwords no longer expire.

No Password Expiration After Changing DB Parameters
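The script below is an added example, not from the original post. In Oracle Database the expiry is driven by the PASSWORD_LIFE_TIME limit of the profile the schema user belongs to, and an account that is already EXPIRED stays unusable until its password is set again, so the fix has two parts. The script reports the state of the schemas OIM needs at start-up and prints the SQL for both parts. It assumes the RCU prefix DEV (schemas DEV_OIM, DEV_OPSS, DEV_MDS, DEV_SOAINFRA), that those users are on the DEFAULT profile, and that sqlplus can connect as SYSDBA with OS authentication; change the prefix and profile name to match your install.

```sh
#!/bin/sh
# Added example (not from the original post). Oracle expires a schema
# password through the PASSWORD_LIFE_TIME limit of the user's profile;
# once an account is EXPIRED, changing the profile is not enough, its
# password must be set again. Assumptions (adjust to your install): RCU
# prefix DEV, schemas on the DEFAULT profile, sqlplus on PATH with OS
# authentication as SYSDBA.

PREFIX="${PREFIX:-DEV}"

# schema_list PREFIX: the Fusion Middleware schemas OIM needs at start-up.
schema_list() {
    for s in OIM OPSS MDS SOAINFRA; do
        echo "${1}_$s"
    done
}

# report_sql PREFIX: query showing status, expiry date and profile of each
# schema. An EXPIRED status or an expiry_date in the past explains ORA-28001.
report_sql() {
    names=""
    for s in $(schema_list "$1"); do
        names="${names:+$names, }'$s'"
    done
    cat <<EOF
SET LINESIZE 120 PAGESIZE 100
COLUMN username FORMAT A20
COLUMN account_status FORMAT A20
COLUMN profile FORMAT A12
SELECT username, account_status, expiry_date, profile
  FROM dba_users
 WHERE username IN ($names)
 ORDER BY username;
EOF
}

# fix_sql SCHEMA: SQL that removes the lifetime limit from the DEFAULT
# profile and reopens SCHEMA. The password is read from NEW_PWD rather
# than argv so it does not show up in 'ps'.
fix_sql() {
    : "${NEW_PWD:?set NEW_PWD to the password to assign}"
    cat <<EOF
ALTER PROFILE DEFAULT LIMIT PASSWORD_LIFE_TIME UNLIMITED;
ALTER USER $1 IDENTIFIED BY "$NEW_PWD" ACCOUNT UNLOCK;
EOF
}

# run_sql: pipe stdin into sqlplus as SYSDBA (reports and returns 1 when
# sqlplus is not installed, e.g. on the OIM host without a client).
run_sql() {
    if command -v sqlplus >/dev/null 2>&1; then
        sqlplus -S "/ as sysdba"
    else
        echo "sqlplus not found; SQL not executed" >&2
        cat >/dev/null
        return 1
    fi
}

# Typical use:
#   report_sql "$PREFIX" | run_sql
#   NEW_PWD='...' ; export NEW_PWD ; fix_sql "${PREFIX}_OIM" | run_sql
#   report_sql "$PREFIX" | run_sql     # expiry_date should now be NULL
```

Setting the password back to its current value (allowed when the profile's PASSWORD_REUSE limits are UNLIMITED, as they are on DEFAULT in 11g) keeps the WebLogic JDBC data sources valid; if you choose a new value, it must also be entered in every data source that points at that schema. Making PASSWORD_LIFE_TIME unlimited on DEFAULT affects every user on that profile; if that is too broad, create a dedicated profile for the middleware schemas and move them to it with ALTER USER ... PROFILE.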

Friday, April 25, 2014

OIM Concepts

What is Oracle Identity Manager (OIM)?
A system that manages the life-cycle of identities. An example of an identity's life-cycle is an employee joining an organization and later leaving it.


Conventional Model
This is a model in which no Identity Manager is involved, and several problems arise from it. The diagram given below describes the process of hiring a new employee; removing an employee works the same way.




#1. A new employee is hired. The employee’s information is placed into a Human Resource Management System (HRMS) by the HR department to indicate the employee is active to work for the organization.

#2. HR notifies the manager via email that a new employee is ready to start.

#3. Then the manager requests several target accounts to be made for the new employee. These accounts can be for applications, access to operating systems, directories, and etc (E.g. Google Apps, PeopleSoft, Active Directory). The manager would send out emails to the administrators in charge of the target system to carry out their tasks.

#4. The administrators of each of the target systems (E.g. Admins for Google Apps, Admins for PeopleSoft and Admins for Active Directory) are responsible for manually creating the accounts. There can be a hierarchy workflow when creating an account on the target system (E.g. Google Admin sends a request to Google Admin 2 to enable specific privileges -> Say Google Admin 2 is on vacation, so the task is delegated to a Temporary Google Admin -> and so on … ).
Problems With the Conventional Model
- Too many of the tasks are done manually
- Employee’s data is distributed among many systems and there is no centralized place to look up data.
- There is no tracking of a given task (E.g. Has a Google account been created for the new employee ? If not, what is the progress and why is it being delayed?).
- Security exposure from orphan/rogue accounts (E.g. an employee has been fired but one of the employee's accounts has not been revoked, leaving a working login behind).

In the next section, you will see how including OIM can resolve many problems faced in the conventional model.


OIM Model
Before describing the OIM model, it is important to understand how an identity is represented in OIM.


An OIM Identity consists of user defined fields (UDFs), which are attributes that describe the identity, and accounts for specific access to applications. The accounts themselves have attributes and the data typically comes from external sources.


The diagram given below shows how OIM manages identities, using the same new-hire process as before.




#1. A new employee is hired and the employee’s information is placed into HRMS.


#2. OIM reads the new employee's information from HRMS and, with this information, creates the identity in its own system. This process is known as Trusted User Reconciliation and can be scheduled to run at any time. (Side Note: Trusted User Reconciliation also handles updates. If an existing employee changes their address, OIM picks up the change from HRMS and updates the identity with the new value. Trusted User Reconciliation maps information from HRMS to the User Defined Fields of an OIM Identity. OIM connectors allow the HRMS as well as the other target systems to be integrated with OIM.)

#3. After the identity has been created for the new employee, OIM kicks off many other events to further process the new identity. Everything in OIM is event driven and many events are automated (Side Note: This involves configuring OIM components and writing custom code to achieve this).

#4. OIM communicates with the target systems in order to create the accounts for the new employee. (Side Note: OIM comes with predefined connectors that allow the target systems to be tightly integrated with OIM. These connectors let OIM perform many of the target system activities, such as creating, updating, and revoking accounts.)


OIM Advantages
- Centralized administration
- Easy to manage the identities and their associated accounts
- Flexible configurations to meet business requirements
- Automation of tasks
- Audits, Logs, Reports, Tracking requests (handling requests involve SOA)
- Rogue / Expired / Orphan accounts elimination via security policies

Terminology

Connectors
Used to integrate target resource systems into OIM. This allows OIM to manage all the identities as well as their target accounts.

Trusted User Reconciliation
Creation/update of identities in OIM by reading from an authoritative source. E.g. users from HRMS

Target User Reconciliation (Account Reconciliation)
Read information from the target systems and synchronize the data in OIM. Also, linking of target accounts to an identity happens in this process.

Account Provisioning
Creation/update of target accounts for an OIM Identity on the target resource.
Provisioning can be direct/manual, automatic (criteria based), or request based.

Account Deprovisioning
Removal of target resource accounts from an OIM Identity. OIM can communicate with the target system to remove the account.

Friday, April 4, 2014

Upgrading JRockit Version For WebLogic Server Instances

Description: This post will show you the necessary steps to replace an old version of JRockit with a newer one.

Friday, March 28, 2014

OIM Upload Jar Utility

Version: Oracle Identity Manager 11g R2
Description: The Upload Jar utility pushes a jar file to the database. After uploading a jar to the database, you should see a new record of the uploaded jar in {OIM_SCHEMA}.OIMHOME_JARS table.

Friday, March 21, 2014

Setup Oracle Diagnostic Logging (ODL) for OIM Plug-ins

Version: Oracle Identity Manager 11g
Description: Oracle Diagnostic Logging (ODL) is the principal logging service used by OIM. This post shows you how to setup ODL for your OIM plug-ins (Event Handlers, Schedule Task, and Adapter code).

Friday, March 14, 2014

Enable OIM Caching

Version: Oracle Identity Manager 11g
Description: The configuration for OIM caching is defined in the "/db/oim-config.xml" file, which is stored in MDS. To enable caching, you can either modify "/db/oim-config.xml" directly or use the OIM Enterprise Manager (EM) console; this post covers the latter. In the EM console there are MBeans that correspond to the caching settings defined in "/db/oim-config.xml", and whenever you change an MBean attribute the change is pushed out to MDS.

Friday, March 7, 2014

How to Remove User Defined Field (UDF) From User Form UI

Version: Oracle Identity Manager 11g R2
Description: OIM does not provide an easy way to remove a UDF from the User form. A workaround is to export a sandbox, modify several XML files, and import the sandbox again.

Friday, February 28, 2014

Delete UDFs using OIM API

Version: Oracle Identity Manager 11g
Description: Oracle Identity Manager has an API service, namely ConfigManager, that allows developers to perform various operations on User Defined Field (UDF).

** WARNING USE AT YOUR OWN RISK **
This post shows how to use the ConfigManager API service to delete a UDF. The "deleteAttribute" method only deletes the attribute in the backend (USR, SDC, MV_USER_COLS, and the User.xml metadata) and leaves all UI customizations untouched. Occasionally "deleteAttribute" does not remove the backend data completely, in which case you have to clear the remaining data manually.

Friday, February 21, 2014

SSL for OIMClient

Version: Oracle Identity Manager 11g
Description: This post shows how to set up SSL for OIMClient in a stand-alone Java application.

Prerequisite:

1. Ensure SSL listen Port for OIM is enabled.
  • Log into WebLogic Administration console.
  • Navigate to Servers -> OIM_SERVER.
  • Check mark SSL Listen Port Enabled and restart OIM server.
2. Include "webserviceclient+ssl.jar" and "cryptoj.jar" in your project class path.

3. Execute the java application with the following jvm argument:
  • -Dweblogic.security.SSL.trustedCAKeyStore={Trust Keystore}
In the WebLogic Administration console, navigate to Servers -> OIM_SERVER -> Keystores to see the location of your trust keystore. With the default demo identity and trust configuration this is the Demo Trust keystore, e.g. /home/oracle/Oracle/Middleware/wlserver_10.3/server/lib/DemoTrust.jks. DemoTrust.jks trusts the WebLogic demo CA, whose private key ships with every WebLogic installation, so use it only in a test environment; anywhere else, point the client at a keystore that contains your own CA certificate.
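An added example, not from the original post: a launcher script that checks the three prerequisites above before starting the JVM, so a missing jar, a plain t3:// URL, or an unreadable trust store is reported up front rather than as a stack trace from OIMClient. It assumes the MW_HOME from the example above, an OIM SSL listen port of 14001, the OIM client jar unpacked from $MW_HOME/Oracle_IDM1/server/client/oimclient.zip into ./lib, compiled classes in ./bin, and a placeholder main class com.example.OimSslDemo that builds its OIMClient from the java.naming.* system properties the script sets; the APPSERVER_TYPE and java.security.auth.login.config settings are the standard ones for a stand-alone OIMClient on WebLogic.

```sh
#!/bin/sh
# Added example (not from the original post): launcher for a stand-alone
# OIMClient program over t3s that checks the post's prerequisites before
# starting the JVM. Assumptions: MW_HOME as in the post, OIM SSL listen
# port 14001, oimclient.jar unpacked into ./lib, compiled classes in
# ./bin, and a placeholder main class com.example.OimSslDemo that reads
# the java.naming.* system properties set below.

MW_HOME="${MW_HOME:-/home/oracle/Oracle/Middleware}"
WL_LIB="$MW_HOME/wlserver_10.3/server/lib"
OIM_HOME="$MW_HOME/Oracle_IDM1"
PROVIDER_URL="${PROVIDER_URL:-t3s://oim.example.com:14001}"
TRUST_STORE="${TRUST_STORE:-$WL_LIB/DemoTrust.jks}"
MAIN_CLASS="${MAIN_CLASS:-com.example.OimSslDemo}"

# is_t3s URL: 0 when URL uses the t3s (SSL) protocol, 1 otherwise. A t3://
# URL silently talks to the plain listen port and never uses the trust store.
is_t3s() {
    case "$1" in
        t3s://*) return 0 ;;
        *)       return 1 ;;
    esac
}

# build_classpath ENTRY...: prints the entries joined with ':' or returns 1
# naming the first one that is missing, so a ClassNotFoundException at run
# time is caught here instead.
build_classpath() {
    cp=""
    for entry in "$@"; do
        if [ ! -e "$entry" ]; then
            echo "missing classpath entry: $entry" >&2
            return 1
        fi
        cp="${cp:+$cp:}$entry"
    done
    echo "$cp"
}

# trust_store_ok PATH: 0 when the keystore is readable. DemoTrust.jks trusts
# WebLogic's demo CA, whose private key ships with every installation; it is
# fine for the post's test setup, but a real deployment needs a store that
# holds only your own CA, so warn when it is used.
trust_store_ok() {
    [ -r "$1" ] || { echo "trust store not readable: $1" >&2; return 1; }
    case "$1" in
        *DemoTrust.jks) echo "warning: using the WebLogic demo trust store" >&2 ;;
    esac
    return 0
}

# launch: run the client with the JVM argument from step 3 of the post.
launch() {
    is_t3s "$PROVIDER_URL" || { echo "PROVIDER_URL must be t3s://host:sslport" >&2; return 1; }
    trust_store_ok "$TRUST_STORE" || return 1
    cp=$(build_classpath \
        "$WL_LIB/webserviceclient+ssl.jar" \
        "$WL_LIB/cryptoj.jar" \
        lib/oimclient.jar \
        bin) || return 1
    exec java \
        -Dweblogic.security.SSL.trustedCAKeyStore="$TRUST_STORE" \
        -Djava.naming.provider.url="$PROVIDER_URL" \
        -Djava.naming.factory.initial=weblogic.jndi.WLInitialContextFactory \
        -DAPPSERVER_TYPE=wls \
        -Djava.security.auth.login.config="$OIM_HOME/designconsole/config/authwl.conf" \
        -cp "$cp" "$MAIN_CLASS"
}

# Run as a script with "run" as the first argument:
#   PROVIDER_URL=t3s://oimhost:14001 sh oim-ssl-client.sh run
if [ "${1:-}" = run ]; then
    launch
fi
```

The two checks that matter most are is_t3s and trust_store_ok: with a t3:// URL the connection works against the non-SSL port and nothing tells you that credentials just went over in the clear, and with the demo trust store any server holding a demo-CA-signed certificate is accepted.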

Friday, February 14, 2014

Configure Design Console to Use SSL

Version: Oracle Identity Manager 11g
Description: This post shows how to set up SSL for the Design Console.
Prerequisite:  Ensure SSL listen Port for OIM is enabled.

1. Log into WebLogic Administration console.
2. Navigate to Servers -> OIM_SERVER.
3. Check mark SSL Listen Port Enabled and restart OIM server.

Sunday, February 2, 2014

Import and Export Metadata using EM Console

Version: Oracle Identity Manager 11g R2
Description: The Enterprise Manager (EM) console has tools that allow you to import and export MDS files. The out-of-the-box import and export scripts, namely "weblogicExportMetadata", "weblogicImportMetadata", and "weblogic.properties", located in "$MW_HOME/Oracle_IDM1/server/bin", have been deprecated. An example is given here to show you how to use the EM import and export utilities.

Monday, January 27, 2014

Modify OIM11gR2 Session Timeout

Version: Oracle Identity Manager 11g R2
Description: This guide shows how to increase or decrease the session timeout for the Identity Self Service and Identity System Administration pages.

Thursday, January 23, 2014

OIM Diagnostic Dashboard

Version: Oracle Identity Manager 11g R2
Description: This guide shows how to install the Oracle Identity Manager Diagnostic Dashboard, a standalone web application that validates your OIM installation and configuration. Its checks include provisioning and reconciliation for some connectors, database connectivity, and SSL trust verification for target systems. Refer to the "Working with the Diagnostic Dashboard" section in "Oracle® Fusion Middleware Administrator's Guide for Oracle Identity Manager" for more information.

Saturday, January 11, 2014

Cloning a Connector

Version: Oracle Identity Manager 11g R2
Description: Oracle Identity Manager has a built-in utility that clones a connector. It generates an XML file containing all the artifacts of the connector in its initial state; modifications you have made to the connector, such as added reconciliation and process form fields, are not included. After generating the XML, use the "Import Deployment Manager" to import it into your OIM instance. The ODSEE/OUD/LDAPV3 connector, which is part of the OID-11.1.1.6.0 connector bundle, is used as an example.

Side Notes:
There is a minor issue with the clone utility: the scheduled jobs of the cloned connector are exported with the same names as the original connector's, so importing them overwrites the original jobs. A workaround is to edit the XML and change the value of the name attribute in each Job tag before importing.

You may run into a case where importing the cloned connector fails. The "Import Deployment Manager" does not roll back on failure, so objects imported before the error remain in place. You can simply re-import the XML, since the "Import Deployment Manager" overwrites existing objects (process forms are the exception).
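An added example, not from the original post, that applies the workaround from the side note with sed: every Job element's name attribute gets a prefix so the cloned jobs no longer collide with the originals. It assumes each scheduled job is exported as a <Job ... name="..."> start tag on its own line, with the name attribute on that same line; the sample XML is constructed for illustration and is not a real connector export. Check the first few Job lines of your own export before relying on it, and avoid "/" or "&" in the prefix, since both are special to sed.

```sh
#!/bin/sh
# Added example (not from the original post): prefix the name attribute of
# every <Job> element in a Deployment Manager export so the cloned
# connector's scheduled jobs do not overwrite the original's. Assumes the
# <Job ...> start tag and its name attribute are on one line; verify this
# against your own export first.

# rename_jobs PREFIX < export.xml > renamed.xml
# Only lines that open a Job element are touched, so name attributes of
# other elements (and of a Job's child elements) are left alone. The
# leading-whitespace capture keeps e.g. a "taskname" attribute unmatched.
rename_jobs() {
    sed -E "/^[[:space:]]*<Job[[:space:]]/ s/([[:space:]])name=\"([^\"]*)\"/\\1name=\"$1\\2\"/"
}

# job_names < export.xml: list the job names, to compare before and after.
job_names() {
    sed -nE '/^[[:space:]]*<Job[[:space:]]/ s/.*[[:space:]]name="([^"]*)".*/\1/p'
}

# Constructed sample standing in for a real export (not a real connector file).
SAMPLE_XML='<xl-ddm-data version="2.0.1.0" user="XELSYSADM">
<Job repo-type="API" name="LDAP Target User Reconciliation">
<Parameter name="Resource Object Name">Clone LDAP User</Parameter>
</Job>
<Job repo-type="API" name="LDAP Group Lookup Reconciliation">
</Job>
</xl-ddm-data>'

# Typical use:
#   rename_jobs "Clone " < ClonedConnector.xml > ClonedConnector-renamed.xml
#   job_names < ClonedConnector-renamed.xml
# Demo on the constructed sample (prints the two renamed job names):
printf '%s\n' "$SAMPLE_XML" | rename_jobs "Clone " | job_names
```

Run job_names on the original connector's export and on the renamed clone and compare the two lists before importing: the import succeeds silently when names collide, so the only sign of the overwrite afterwards is the original connector's jobs pointing at the clone's IT resource.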

Tuesday, January 7, 2014

BI Publisher 11.1.1.6.0 Software Installation

Prerequisites: Linux environment setup and Oracle Database 11g

Description: This guide will show you how to install BI Publisher 11.1.1.6.0 on a Linux 64 bit environment. Here is an overview of the "Software Only" type installation path:
  1. Install Java. 
  2. Install WebLogic 10.3.6.
  3. Create BI Publisher schemas with Repository Creation Utility 11.1.1.6.0.
  4. Install BI Publisher.
  5. Configure BI Publisher.
Downloads: You can download BI Publisher 11.1.1.6.0 here. The other packages can be downloaded from Oracle Software Delivery Cloud. You may use a different version of Java as long as the Business Intelligence Suite 11.1.1.6.0 certification matrix is satisfied.
  1. Java (jdk-7u45-linux-x64.gz)
  2. WebLogic 10.3.6 (V29856-01.zip)
  3. RCU 11.1.1.6.0 (V29674-01.zip)
  4. BI Publisher
    • bi_linux_x86_111160_64_disk1_1of2.zip
    • bi_linux_x86_111160_64_disk1_2of2.zip
    • bi_linux_x86_111160_64_disk2_1of2.zip
    • bi_linux_x86_111160_64_disk2_2of2.zip
    • bi_linux_x86_111160_64_disk3.zip
References: BI Publisher Documentation Library