Tested On: Oracle Identity Manager 11.1.2.2.0
Description: Shows how to propagate attributes from OIM User Profile to user resource accounts.
Sample Scenario
OIM User Attribute: First Name
Active Directory Process Form Field: First Name
Whenever the First Name OIM User Attribute is modified, the changes will also be pushed down to the First Name attribute on Active Directory.
References: http://docs.oracle.com/cd/E40329_01/dev.1112/e27150/promgt.htm#OMDEV2509
Saturday, December 27, 2014
Thursday, December 25, 2014
Adding Attributes to an ICF Connector for Reconciliation
Version: Oracle Identity Manager 11.1.2.2.0
Description: Shows how to add an attribute to an Identity Connector Framework (ICF) OIM connector for reconciliation in general. The Database Application Tables (DBAT) 11.1.1.5.0 connector is used as an example. Refer to here for setting up the DBAT connector.
References: https://docs.oracle.com/cd/E22999_01/index.htm
https://docs.oracle.com/cd/E22999_01/doc.111/e20277/extnd_func.htm#CDEJFECH
Reconciliation Event Data Flow: Target Data -> Recon Fields -> Process Form
Tuesday, December 23, 2014
Update Child Process Form via API
Version: Oracle Identity Manager 11.1.2.2.0
Description: Uses the Oracle Identity Manager API to make updates (add, delete, and modify) on a resource account child form.
Reference: http://docs.oracle.com/cd/E40329_01/apirefs.1112/e28159/toc.htm
Monday, December 22, 2014
Adding Attributes to an ICF Connector for Provisioning
Version: Oracle Identity Manager 11.1.2.2.0
Description: Shows how to add a resource attribute to an Identity Connector Framework (ICF) OIM connector for provisioning in general. The Database Application Tables (DBAT) 11.1.1.5.0 connector is used as an example. Refer to here for setting up the DBAT connector.
References: https://docs.oracle.com/cd/E22999_01/index.htm
https://docs.oracle.com/cd/E22999_01/doc.111/e20277/extnd_func.htm#CDEJFECH
Wednesday, December 17, 2014
OIM 11g R2 API: Resource Account Parent Form Modifications
Tested On: Oracle Identity Manager 11.1.2.2.0
Description: Contains sample code to make modifications to a specific resource account parent form using the ProvisioningService API.
Reference: http://docs.oracle.com/cd/E40329_01/apirefs.1112/e28159/toc.htm
Monday, December 15, 2014
OIM Managed Bean Example: Custom Password Reset
Tested On: Oracle Identity Manager 11.1.2.2.0, WebLogic 10.3.6, JDeveloper 11.1.1.7.0
Description: Demonstrates how to set up and deploy a custom managed bean, and how to apply a UI customization that triggers the bean. The example given here is a custom password reset managed bean. You can download the project here. Below are the results of completing this tutorial:
References: http://docs.oracle.com/cd/E40329_01/dev.1112/e27150/uicust.htm#OMDEV4804
http://docs.oracle.com/cd/E40329_01/dev.1112/e27150/facesutils.htm#OMDEV5216
http://fusionsecurity.blogspot.com/2013/09/oim-reset-password-customization-example.html
Sunday, December 14, 2014
OIM Custom Validation Event Handler Example
Tested On: Oracle Identity Manager 11.1.2.2.0
Description: A custom validation event handler that validates if the "Telephone Number" (USR_TELEPHONE_NUMBER) user attribute has the proper format. The event handler is triggered on modification of "Telephone Number" user attribute.
Reference: http://docs.oracle.com/cd/E27559_01/dev.1112/e27150/oper.htm#OMDEV4778
Friday, December 12, 2014
Developing Managed Beans: JDeveloper Project Template
Tested On: JDeveloper 11.1.1.7.0, Oracle Identity Manager 11.1.2.2.0
Description: Shows how to set up a JDeveloper project template for managed bean development.
References: http://docs.oracle.com/cd/E40329_01/dev.1112/e27150/uicust.htm#OMDEV4804
Wednesday, December 10, 2014
How to Export MDS Files Through WLST
Tested On: Oracle Identity Manager 11.1.2.2.0, WebLogic 10.3.6
Description: Demonstrates how to export configuration files from Metadata Store through WebLogic Scripting Tool command line interface.
Prerequisites: Oracle Identity Manager and WebLogic servers must be running.
References: http://docs.oracle.com/cd/E28271_01/web.1111/e13813/custom_mds.htm
1. Execute wlst.sh located in the "$MW_HOME/Oracle_IDM1/common/bin" directory.
2. Connect to the WebLogic Administration Server via WLST.
connect('WL_USER','PASSWORD','t3://WL_HOSTNAME:WL_PORT'); # Example: connect('weblogic', 'Password1','t3://localhost:7001');
3. Export the metadata of an application.
# Syntax
# exportMetadata(application, server, toLocation [, docs] [, restrictCustTo] [, excludeCustFor] [, excludeAllCust] [, excludeBaseDocs] [, excludeExtendedMetadata] [, excludeSeededDocs] [, fromLabel] [, toLabel] [, applicationVersion] [, remote] [, tenantName])
#==========================
# Examples
# listApplications() = List all applications
#==========================
# OIM Configuration Files
exportMetadata(application='OIMMetadata', server='oim_server1', toLocation='/home/oracle/mds_backup/oim_metadata');
# OIM Self-Service UI Files
exportMetadata(application='oracle.iam.console.identity.self-service.ear', server='oim_server1', toLocation='/home/oracle/mds_backup/oim_self_service_ui');
# OIM Sysadmin UI Files
exportMetadata(application='oracle.iam.console.identity.sysadmin.ear', server='oim_server1', toLocation='/home/oracle/mds_backup/oim_sysadmin_ui');
# Export a single OIM file
exportMetadata(application='OIMMetadata', server='oim_server1', toLocation='/home/oracle/mds_backup/oim_main_config', docs='/db/oim-config.xml');
Tuesday, December 9, 2014
How to Unregister an OIM Plugin
Version: Oracle Identity Manager 11.1.2.2.0
Description: Shows how to remove a custom plugin such as an event handler or scheduled task from Oracle Identity Manager via API.
package com.blogspot.oraclestack.utilities;

import java.util.Hashtable;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.security.auth.login.LoginException;
import oracle.iam.platform.OIMClient;
import oracle.iam.platform.pluginframework.PluginException;
import oracle.iam.platformservice.api.PlatformService;
import oracle.iam.platformservice.api.PlatformUtilsService;
import oracle.iam.platformservice.exception.InvalidCacheCategoryException;
import oracle.iam.platformservice.exception.PlatformServiceAccessDeniedException;

/**
 * Removes a single plugin. This does not remove an entire zip plugin.
 * Query the OIM.PLUGINS table to get ID and VERSION.
 */
public class UnRegisterPlugin {
    // Substitute these values accordingly
    public static final String OIM_HOSTNAME = "localhost";
    public static final String OIM_PORT = "14000";
    public static final String OIM_PROVIDER_URL = "t3://" + OIM_HOSTNAME + ":" + OIM_PORT;
    public static final String OIM_USERNAME = "xelsysadm";
    public static final String OIM_PASSWORD = "Password1";
    public static final String OIM_CLIENT_HOME = "/home/oracle/jdeveloper/mywork/OracleIdentityManager/Resources/oimclient";
    public static final String AUTHWL_PATH = OIM_CLIENT_HOME + "/conf/authwl.conf";
    public static final String PLUGIN_ID = "com.blogspot.oraclestack.eventhandlers.SetMiddleNamePreprocessEH";
    public static final String PLUGIN_VERSION = "1.0";

    // Class logger (the original referenced a RegisterPlugin class that does not exist in this file)
    private static final Logger LOGGER = Logger.getLogger(UnRegisterPlugin.class.getName());

    public static void main(String[] args) {
        OIMClient oimClient = null;

        try {
            // Set system properties required for OIMClient
            System.setProperty("java.security.auth.login.config", AUTHWL_PATH);
            System.setProperty("APPSERVER_TYPE", "wls");

            // Create an instance of OIMClient with OIM environment information
            Hashtable<String, String> env = new Hashtable<String, String>();
            env.put(OIMClient.JAVA_NAMING_FACTORY_INITIAL, "weblogic.jndi.WLInitialContextFactory");
            env.put(OIMClient.JAVA_NAMING_PROVIDER_URL, OIM_PROVIDER_URL);
            oimClient = new OIMClient(env);

            // Login to OIM with the appropriate credentials
            oimClient.login(OIM_USERNAME, OIM_PASSWORD.toCharArray());

            // Remove single plugin
            PlatformService service = oimClient.getService(PlatformService.class);
            service.unRegisterPlugin(PLUGIN_ID, PLUGIN_VERSION);

            // Purge cache so the removed plugin is no longer served from the cache
            PlatformUtilsService platUtilOps = oimClient.getService(PlatformUtilsService.class);
            platUtilOps.purgeCache("ALL");
        } catch (PlatformServiceAccessDeniedException ex) {
            LOGGER.log(Level.SEVERE, null, ex);
        } catch (PluginException ex) {
            LOGGER.log(Level.SEVERE, null, ex);
        } catch (LoginException ex) {
            LOGGER.log(Level.SEVERE, null, ex);
        } catch (InvalidCacheCategoryException e) {
            LOGGER.log(Level.SEVERE, null, e);
        } finally {
            // Logout user from OIMClient
            if (oimClient != null) {
                oimClient.logout();
            }
        }
    }
}
Saturday, December 6, 2014
Custom Preprocess Event Handler to Set Middle Name
Version: Oracle Identity Manager 11.1.2.2.0
Description: A preprocess event handler which sets the user's middle name using the first letter of the user's first name if the user does not have a value for middle name. The event handler triggers on the creation of an OIM User.
Reference: https://docs.oracle.com/cd/E40329_01/dev.1112/e27150/oper.htm#OMDEV4768
Tuesday, December 2, 2014
Disabling OOTB OIM Event Handlers
Description: Shows you how to disable an out of the box event handler in Oracle Identity Manager.
** USE AT YOUR OWN RISK **
References: https://docs.oracle.com/cd/E21764_01/doc.1111/e14309/utils.htm#OMDEV2810
http://docs.oracle.com/cd/E40329_01/dev.1112/e27150/uploadutil.htm#OMDEV4859
Tested On: Oracle Identity Manager 11.1.2.2.0
1. Figure out the metadata file you would like to export. Execute the following SQL query on the MDS schema to obtain all the predefined event handlers:
SELECT * FROM mds_paths WHERE path_fullname LIKE '%EventHandlers.xml%';
2. Export the event handler XML file from MDS via the EM console or weblogicExportMetadata.sh. Refer to Import and Export Metadata using EM Console for step by step instructions.
3. Keep a backup copy of the original XML file.
4. Modify the XML file. Given below is an example of commenting out one of the predefined event handlers in the "/metadata/iam-features-passwordmgmt/event-definition/EventHandlers.xml" file:
<?xml version='1.0' encoding='UTF-8'?>
<eventhandlers xmlns="http://www.oracle.com/schema/oim/platform/kernel"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xsi:schemaLocation="http://www.oracle.com/schema/oim/platform/kernel orchestration-handlers.xsd">
    <validation-handler class="oracle.iam.passwordmgmt.eventhandlers.ResetPasswordValidationHandler" entity-type="User" operation="RESET_PASSWORD" name="ResetPasswordValidationHandler" order="FIRST" sync="TRUE"/>
    <validation-handler class="oracle.iam.passwordmgmt.eventhandlers.UserPasswordValidationHandler" entity-type="User" operation="CREATE" name="CreateUserPasswordValidationHandler" order="1020"/>
    <validation-handler class="oracle.iam.passwordmgmt.eventhandlers.UserPasswordValidationHandler" entity-type="User" operation="CHANGE_PASSWORD" name="UserPasswordValidationHandler" order="2"/>
    <!--<action-handler class="oracle.iam.passwordmgmt.eventhandlers.ResetPasswordPreProcessHandler" entity-type="User" operation="RESET_PASSWORD" name="ResetPasswordPreProcessHandler" stage="preprocess" sync="TRUE" order="9900"/>-->
    <action-handler class="oracle.iam.passwordmgmt.eventhandlers.ResetPasswordActionHandler" entity-type="User" operation="RESET_PASSWORD" name="ResetPasswordActionHandler" order="FIRST" stage="action" sync="TRUE"/>
    <postprocess-handler class="oracle.iam.passwordmgmt.eventhandlers.PasswordNotificationHandler" entity-type="User" operation="RESET_PASSWORD" name="ResetPasswordNotificationHandler" order="FIRST" stage="postprocess" sync="TRUE"/>
    <postprocess-handler class="oracle.iam.passwordmgmt.eventhandlers.PasswordNotificationHandler" entity-type="User" operation="CREATE" name="CreateUserPasswordNotificationHandler" order="1180" stage="postprocess" sync="TRUE"/>
    <postprocess-handler class="oracle.iam.passwordmgmt.eventhandlers.PasswordNotificationHandler" entity-type="User" operation="CHANGE_PASSWORD" name="PasswordNotificationHandler" order="THIRD" stage="postprocess" sync="TRUE"/>
</eventhandlers>
5. Import the modified XML file into MDS via the EM console.
6. Purge the cache or restart the OIM server for the changes to take effect.
7. You can query the ORCHEVENTS table in the OIM schema to see the trigger points of each event handler process.
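Step 4 above is a hand edit of an exported MDS file, and a stray character in that edit breaks the import in step 5. As an added example (not from the original post), the following Python script performs the same edit by handler name, leaving the rest of the file, including the default namespace and xsi prefix that the exported file carries, untouched. The sample document it parses is constructed here from three of the handlers shown in the post; the function names and the "- -" guard are assumptions of this example.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

OIM_NS = "http://www.oracle.com/schema/oim/platform/kernel"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"

# Constructed sample: a trimmed copy of the password-management handler file
# exported in steps 1-2 (three of the handlers shown in the post).
SAMPLE_XML = """<?xml version='1.0' encoding='UTF-8'?>
<eventhandlers xmlns="http://www.oracle.com/schema/oim/platform/kernel"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xsi:schemaLocation="http://www.oracle.com/schema/oim/platform/kernel orchestration-handlers.xsd">
    <validation-handler class="oracle.iam.passwordmgmt.eventhandlers.ResetPasswordValidationHandler" entity-type="User" operation="RESET_PASSWORD" name="ResetPasswordValidationHandler" order="FIRST" sync="TRUE"/>
    <action-handler class="oracle.iam.passwordmgmt.eventhandlers.ResetPasswordPreProcessHandler" entity-type="User" operation="RESET_PASSWORD" name="ResetPasswordPreProcessHandler" stage="preprocess" sync="TRUE" order="9900"/>
    <action-handler class="oracle.iam.passwordmgmt.eventhandlers.ResetPasswordActionHandler" entity-type="User" operation="RESET_PASSWORD" name="ResetPasswordActionHandler" order="FIRST" stage="action" sync="TRUE"/>
</eventhandlers>
"""


def disable_handler(xml_text, handler_name):
    """Replace the handler element named handler_name with an XML comment that
    still carries its full definition (step 4 of the post, done by name).
    Returns (new_xml_text, found)."""
    # Keep the default namespace and the xsi prefix so the re-imported file
    # looks like the exported one instead of getting ns0:/ns1: prefixes.
    ET.register_namespace("", OIM_NS)
    ET.register_namespace("xsi", XSI_NS)
    root = ET.fromstring(xml_text)
    found = False
    for idx, child in enumerate(list(root)):
        if child.get("name") != handler_name:
            continue
        local_tag = child.tag.split("}")[-1]
        attrs = " ".join("%s=%s" % (k, quoteattr(v)) for k, v in child.attrib.items())
        # "--" may not appear inside an XML comment; guard so the output stays well-formed
        body = ("<%s %s/>" % (local_tag, attrs)).replace("--", "- -")
        comment = ET.Comment(body)
        comment.tail = child.tail  # preserve the line break and indentation
        root[idx] = comment
        found = True
    declaration = "<?xml version='1.0' encoding='UTF-8'?>\n"
    return declaration + ET.tostring(root, encoding="unicode"), found


def live_handler_names(xml_text):
    """Handlers that are still real elements; commented-out ones are not parsed."""
    root = ET.fromstring(xml_text)
    return [child.get("name") for child in root if child.get("name")]


if __name__ == "__main__":
    edited, ok = disable_handler(SAMPLE_XML, "ResetPasswordPreProcessHandler")
    print(edited)
    print("disabled:", ok, "still active:", live_handler_names(edited))
```

Run it against the file exported in step 2, keep the backup from step 3, and use live_handler_names on the result to confirm that exactly one handler disappeared before importing the file in step 5.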
Monday, November 24, 2014
How to Create SPML Applications for SIM
Version: Sun Identity Manager 8.1
References: https://docs.oracle.com/cd/E19225-01/820-5597/ahvap/index.html
https://docs.oracle.com/cd/E19225-01/820-5597/ahvch/index.html
1. The necessary JAR files can be found in the "$WSHOME/WEB-INF/lib" directory. The following JAR files are needed to build SIM SPML applications:
- openspml.jar
- mail.jar
- soap.jar
2. Given below is sample Java code to demonstrate the use of the SPML client:
import java.net.MalformedURLException;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.openspml.client.LighthouseClient;
import org.openspml.message.ExtendedRequest;
import org.openspml.message.FilterTerm;
import org.openspml.message.ModifyRequest;
import org.openspml.message.SearchRequest;
import org.openspml.message.SearchResponse;
import org.openspml.message.SearchResult;
import org.openspml.message.SpmlResponse;
import org.openspml.util.SpmlException;

/**
 * Sun Identity Manager: SPML Client
 * Test class for demonstration purposes
 * @author oracle
 */
public class SIMSPMLClient {
    // SIM environment information
    private static final String simServiceAccountUser = "configurator";
    private static final String simServiceAccountPassword = "configurator";
    private static final String simPort = "8080";
    private static final String simHostname = "localhost";
    private static final String simWebServiceURL = "http://" + simHostname + ":" + simPort + "/idm/servlet/rpcrouter2";

    // Class logger
    private static final Logger logger = Logger.getLogger(SIMSPMLClient.class.getName());

    /**
     * Test Driver
     * @param args
     */
    public static void main(String[] args) {
        LighthouseClient client = null;
        String accountId = null;
        String resourceAccountName = "Database Table";

        try {
            // Setup SIM SPML client
            client = new LighthouseClient();
            client.setUrl(simWebServiceURL);
            client.setUser(simServiceAccountUser);
            client.setPassword(simServiceAccountPassword);

            // Call method to modify user attributes
            accountId = "jdoe";
            HashMap<String, Object> modAttrs = new HashMap<String, Object>();
            modAttrs.put("email", "jdoe@gmail.com");
            modAttrs.put("status", "Active");
            modifyUserAttributes(client, accountId, modAttrs);

            // Provision target resource
            accountId = "gbass";
            HashMap<String, Object> resAttrs = new HashMap<String, Object>();
            resAttrs.put("resources", "Database Table"); // delimited by comma
            resAttrs.put("status", "Created");
            //modifyUserAttributes(client, accountId, resAttrs);

            // Deprovision target resource, but does not remove assignment in SIM
            ExtendedRequest dreq = new ExtendedRequest();
            dreq.setOperationIdentifier("deleteUser");
            dreq.setAttribute("accountId", "gbass");
            dreq.setAttribute("accounts", "Database Table");
            //SpmlResponse res = client.request(dreq);
            //System.out.println(res.getResult());

            // Deprovision target resources and remove assignment
            // (the original put this value into resAttrs instead of resRmAttrs)
            HashMap<String, Object> resRmAttrs = new HashMap<String, Object>();
            resRmAttrs.put("resources", "");
            //modifyUserAttributes(client, accountId, resRmAttrs);

            // Call custom workflow
            String simWorkFlowName = "Custom-Workflow";
            String username = "jmann";
            HashMap<String, Object> wfAttrs = new HashMap<String, Object>();
            wfAttrs.put("ACTION", "MODIFY");
            wfAttrs.put("__UID__", username);
            wfAttrs.put("__NAME__", username);
            wfAttrs.put("__PASSWORD__", "jmann");
            wfAttrs.put("EMAIL", "jmann8@gmail.com");
            wfAttrs.put("LASTNAME", "");
            wfAttrs.put("USERNAME", username);
            //callSimWorkFlow(client, simWorkFlowName, wfAttrs);

            // Disable resource account
            accountId = "gbass";
            //disableResourceAccount(client, accountId, resourceAccountName);

            // Enable resource account
            //enableResourceAccount(client, accountId, resourceAccountName);

            // Create SIM account
            HashMap<String, String> attrs = new HashMap<String, String>();
            attrs.put("lastname", "Parker");
            attrs.put("firstname", "Peter");
            attrs.put("email", "pparker@gmail.com");
            attrs.put("password", "Password1");
            //client.createUser("pparker", attrs);

            // Delete SIM account
            List<String> accounts = new ArrayList<String>();
            //client.deleteUser("pparker", accounts);

            // Search SIM User based on accountId
            SearchRequest req = new SearchRequest();
            req.addAttribute("lastname");
            req.addAttribute("email");
            FilterTerm ft = new FilterTerm();
            ft.setOperation(FilterTerm.OP_EQUAL);
            ft.setName("accountId");
            ft.setValue("jdoe");
            req.addFilterTerm(ft);
            SearchResponse res = (SearchResponse) client.request(req);
            System.out.println(res.getResults());
            List results = res.getResults();
            if (results != null) {
                for (int i = 0; i < results.size(); i++) {
                    SearchResult sr = (SearchResult) results.get(i);
                    System.out.println("Identifier=" + sr.getIdentifierString()
                            + " sn=" + sr.getAttribute("lastname").getValue()
                            + " email=" + sr.getAttribute("email").getValue());
                }
            }
        } catch (SpmlException ex) {
            logger.log(Level.SEVERE, null, ex);
        } catch (MalformedURLException ex) {
            logger.log(Level.SEVERE, null, ex);
        } finally {
            if (client != null) {
                try {
                    client.logout();
                } catch (SpmlException ex) {
                    logger.log(Level.SEVERE, null, ex);
                }
            }
        }
    }

    /**
     * Modification request to modify attributes on a user.
     * SIM user attributes and resource attributes can be modified by this method.
     * Also provisioning of resource account can be made.
     * @param client SPML client with service account logged in
     * @param accountId Identifier to match against SIM account and make modifications
     * @param attributes Attributes to modify on user
     * @return SIM SPML response
     * @throws SpmlException
     */
    public static SpmlResponse modifyUserAttributes(LighthouseClient client, String accountId, Map<String, Object> attributes) throws SpmlException {
        // Create a request to send to SIM
        ModifyRequest req = new ModifyRequest();
        req.setIdentifier(accountId);

        // SIM attributes to modify
        for (Map.Entry<String, Object> entry : attributes.entrySet()) {
            req.addModification(entry.getKey(), entry.getValue());
        }

        // Send request to SIM and SIM sends a response back
        SpmlResponse response = client.request(req);
        logger.log(Level.INFO, "Response Code: {0}", new Object[] {response.getResult()});
        return response;
    }

    /**
     * Call a SIM work flow to be executed.
     * @param client SPML client with service account logged in
     * @param workFlowName Name of SIM work flow
     * @param attributes Attributes (including accountId) to be processed by the work flow
     * @return SIM SPML response
     * @throws SpmlException
     */
    public static SpmlResponse callSimWorkFlow(LighthouseClient client, String workFlowName, Map<String, Object> attributes) throws SpmlException {
        // Create a request to send to SIM
        ExtendedRequest req = new ExtendedRequest();
        req.setOperationIdentifier("launchProcess");
        req.setAttribute("process", workFlowName);

        // SIM attributes to send to the work flow
        for (Map.Entry<String, Object> entry : attributes.entrySet()) {
            req.setAttribute(entry.getKey(), entry.getValue());
        }

        // Send request to SIM and SIM sends a response back
        SpmlResponse response = client.request(req);
        logger.log(Level.INFO, "Response Code: {0}", new Object[] {response.getResult()});
        return response;
    }

    /**
     * Disables a resource account in SIM
     * @param client SPML client with service account logged in
     * @param accountId SIM user whose resource account is going to be disabled
     * @param accountName Resource account to disable
     * @return SIM SPML response
     * @throws SpmlException
     */
    public static SpmlResponse disableResourceAccount(LighthouseClient client, String accountId, String accountName) throws SpmlException {
        ExtendedRequest req = new ExtendedRequest();
        req.setOperationIdentifier("disableUser");
        req.setAttribute("accountId", accountId);
        req.setAttribute("accounts", accountName);
        SpmlResponse response = client.request(req);
        logger.log(Level.INFO, "Response Code: {0}", new Object[] {response.getResult()});
        return response;
    }

    /**
     * Enables a resource account in SIM
     * @param client SPML client with service account logged in
     * @param accountId SIM user whose resource account is going to be enabled
     * @param accountName Resource account to enable
     * @return SIM SPML response
     * @throws SpmlException
     */
    public static SpmlResponse enableResourceAccount(LighthouseClient client, String accountId, String accountName) throws SpmlException {
        ExtendedRequest req = new ExtendedRequest();
        req.setOperationIdentifier("enableUser");
        req.setAttribute("accountId", accountId);
        req.setAttribute("accounts", accountName);
        SpmlResponse response = client.request(req);
        logger.log(Level.INFO, "Response Code: {0}", new Object[] {response.getResult()});
        return response;
    }
}
Sunday, November 23, 2014
How to Setup and Use OpenSPML Browser with SIM
Version: Sun Identity Manager 8.1
References: https://docs.oracle.com/cd/E19225-01/820-5597/6ngvvl0av/index.html
Setup OpenSPML Browser
1. Set the WSHOME environment variable and include "$WSHOME/bin" in the PATH environment variable. WSHOME is the directory where you installed the Sun Identity Manager components. Given below is an example of setting up these variables in the bash profile:
# User specific environment and startup programs
ORACLE_HOME=/home/oracle/db/app/oracle/product/11.2.0/dbhome_1
ORACLE_SID=orcl
JAVA_HOME=/home/oracle/jrockit-jdk1.6.0_81
WSHOME=/home/oracle/idm
PATH=$WSHOME/bin:$JAVA_HOME/bin:$PATH:$HOME/bin
export JAVA_HOME ORACLE_HOME WSHOME ORACLE_SID PATH
2. Set execute permission on the "$WSHOME/bin/lh" file.
chmod 744 $WSHOME/bin/lh
3. Execute the following command to start the OpenSPML browser:
lh spml
Using OpenSPML Browser
1. Set up the connection parameters on the "Connect" tab. Then click "Test" to test the connection.
Server URL: http://HOSTNAME:PORT/idm/servlet/rpcrouter2
Username: configurator
Password: configurator
2. Now you'll be able to perform the operations on the OpenSPML browser. Below are examples (screenshots in the original post): Success Message, Add, Modify.
Sunday, November 16, 2014
How to Setup Database Table Resource in SIM
Version: Sun Identity Manager 8.1
Description: This post will show you how to set up a database table resource in Sun Identity Manager. An Oracle database table is used as an example.
Reference: https://docs.oracle.com/cd/E19225-01/820-6551/gijbf/index.html
Wednesday, November 12, 2014
How to Create / Delete Users in SIM
Version: Sun Identity Manager 8.1
Create User
1. Log in to the Sun Identity Manager console.
2. Click "Accounts" on the menu bar.
3. On the "User List" box, select "New User" from "-- New Actions --" drop down menu.
4. Fill out the necessary fields on the "Create User" form. Then save.
5. Click OK.
Delete User
1. Navigate to Accounts -> List Accounts.
2. Check mark the user to delete and then select "Delete" under "-- User Actions --" drop down menu.
3. Confirm deletion of user.
4. Result page is displayed.
Monday, November 10, 2014
How to Install Sun Identity Manager
Version: Sun Identity Manager 8.1
Operating System: Oracle Linux 6 (64-bit)
Components Tested On: Tomcat 6.41, Java 6.38 (64-bit)
Prerequisites
Install Tomcat 6
1. Download the Tomcat 6 here. Select Binary Distributions => Core => tar.gz.
File: apache-tomcat-6.0.41.tar.gz
2. Execute the following command to extract the tar.gz file. An "apache-tomcat-6.0.41" directory is created. The location of that directory is referred to as the TOMCAT_HOME directory.
tar -xvf apache-tomcat-6.0.41.tar.gz
3. Add the following lines to the top of $TOMCAT_HOME/bin/setclasspath.sh file:
# Location of a JDK
JAVA_HOME=/home/oracle/jdk1.6.0_38
# Location of your unpacked Tomcat
CATALINA_HOME=/home/oracle/apache-tomcat-6.0.41
export JAVA_HOME CATALINA_HOME
4. When configuring Tomcat to support UTF-8, add the URIEncoding="UTF-8" attribute to the connector element in the $TOMCAT_HOME/conf/server.xml file, for example:
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" URIEncoding="UTF-8" />
5. When configuring Tomcat to support UTF-8, also add -Dfile.encoding=UTF-8 in your Java VM options. Add the following line to the top of “$TOMCAT_HOME/bin/catalina.sh”:
export JAVA_OPTS="-Dfile.encoding=UTF-8"
6. To start the Tomcat server, execute the $TOMCAT_HOME/bin/startup.sh script. To stop the Tomcat server, execute the $TOMCAT_HOME/bin/shutdown.sh script.
Installing Sun Identity Manager
1. Download the file from https://edelivery.oracle.com.
Product Pack: Sun Products
Platform: Oracle Solaris on SPARC (32-bit)
Sun Products Media Pack for Oracle Solaris on SPARC (32-bit)
Sun Identity Manager 8.1
File: V19877-01.zip (158M)
2. When installing Identity Manager on UNIX® or Linux systems, the /var/opt/sun/install directory must exist and be writable by the user running the installer.
sudo mkdir -p /var/opt/sun/install
sudo chown oracle:oracle /var/opt/sun/install/
3. Make a directory to unzip the SIM file.
mkdir /home/oracle/sim
cd /home/oracle/sim
mv /home/oracle/Downloads/V19877-01.zip /home/oracle/sim/
unzip V19877-01.zip
4. Execute the following commands to start the installer:
# Make the install script executable
chmod 750 install
# The argument is needed to run the installer on a 64-bit machine
JAVA_OPTS=-Dos.arch="x86" ./install
5. Below are screen shots to walk you through the installation wizard:
Welcome Screen: click Next.
Click Yes (Accept License).
Select New Installation, then click Next.
Specify the path to install the SIM components. This path will be referred to as WSHOME.
Before clicking "Launch Setup", add the additional jars to the "$WSHOME/WEB-INF/lib" directory:
- JavaMail API 1.4.7 (mail.jar)
- JavaBeans Activation Framework 1.1 (activation.jar)
- GlassFish Server (glassfish3/mq/lib/jms.jar)
Specify the repository path.
Select "No, I will configure Identity Manager myself".
Click Execute.
Click Next.
6. Navigate into WSHOME and package everything into a WAR file.
cd /home/oracle/idm
jar -cvf ../idm.war *
7. Move the WAR file into TOMCAT_HOME/webapps directory. Restart the Tomcat server.
8. Once the Tomcat server is running, go to "localhost:8080/idm" to access the Sun Identity Manager console.
ID: administrator / Password: administrator, or ID: configurator / Password: configurator
Monday, October 20, 2014
Deleting Application Instances
Description: Oracle Identity Manager has a scheduled job that cleans up application instances that have been soft-deleted.
Tested On: Oracle Identity Manager 11.1.2.2.0
References: Oracle® Fusion Middleware Administrator's Guide for Oracle Identity Manager 11g Release 2 (11.1.2.2.0): Managing Application Instances
Oracle® Fusion Middleware Administrator's Guide for Oracle Identity Manager 11g Release 2 (11.1.2.2.0): Managing the Scheduler
Sunday, October 19, 2014
Installing and Configuring Database Application Tables Connector
Description: This post will show you how to install and configure the Database Application Tables Connector. Oracle Database is used as an example for the target system.
Version: Database Application Tables 11.1.1.5.0
References: Oracle Identity Manager Identity Connectors Documentation Release 11.1.1
Oracle® Identity Manager Connector Guide for Database Application Tables Release 11.1.1
Saturday, October 18, 2014
Export and Import MDS Using EM Console
Description: MDS can be exported and imported via the EM console. The export / import utilities in the EM console can be used to back up MDS, to migrate all the customizations made to the Identity Self-Service and Identity System Administration user interfaces (E.g. User Form, Application Instance Form, User Profile, etc.), and to apply MDS configuration changes.
Tested On: OIM 11.1.2.2.0, WebLogic 10.3.6
Thursday, October 16, 2014
Creating a Disconnected Resource
Tested On: Oracle Identity Manager 11.1.2.2.0
Reference: Oracle® Fusion Middleware Administrator's Guide for Oracle Identity Manager 11g Release 2 (11.1.2.2.0): Managing Disconnected Resources
Tuesday, October 14, 2014
OIM Bulk Load Utility
Description: The Oracle Identity Manager Bulk Load Utility can be used to load large numbers of users, accounts, roles, role hierarchies, role memberships, or role categories directly into the database. The data can be loaded from a database table or a CSV file. The Oracle Identity Manager managed servers must be shut down while the bulk load utility runs.
Tested on Oracle Identity Manager Version: 11.1.2.2.0
Reference: Oracle Identity Manager Bulk Load Utility
Monday, October 13, 2014
OIM 11g R2 PS2 Virtual Machine Template
Download Link: OIM 11g R2 PS2 VM Template
Operating System: Oracle Linux 6.5 (64-bits)
Oracle Database Version: 11.2.0.1.0
Oracle User Password: Password1
Java 6
WebLogic 10.3.6
Service-Oriented Architecture (SOA) 11.1.1.7.0
Identity Management (IDM) 11.1.2.2.0
Sunday, October 12, 2014
Oracle Database 11.2.0.1.0 Virtual Machine Template
Download Link: Oracle Database 11g R2 VM Template
Operating System: Oracle Linux 6.5 (64-bits)
Oracle Database Version: 11.2.0.1.0
Oracle User Password: Password1
Wednesday, October 1, 2014
Running OIM Bulk Load Utility Remotely
Description: This post will show you how to install the Oracle Database client. An Oracle database client is needed to run the Oracle Identity Manager Bulk Load Utility when the Oracle Database and Oracle Identity Manager application server are on separate machines.
Download Link: Oracle Database 11g Release 2 Client (11.2.0.1.0) for Linux x86-64
File Name: linux.x64_11gR2_client.zip
Sunday, September 28, 2014
How to Install OIM 11.1.2.2.0
This guide will show you how to install Oracle Identity Manager 11g Release 2 Patch Set 2 (OIM 11g R2 PS2) in an Oracle Linux 6 (64-bit) environment. The installation was tested in the following environment:
Operating System: Oracle Linux 6.5 (Virtual Machine)
Oracle Database: 11.2.0.1.0
Prerequisites
References
- Oracle Identity Management 11g Documentation
- Oracle Identity and Access Management 11g Release 2 (11.1.2.2.0)
- Oracle Software Delivery Cloud
- JRockit Installation
- WebLogic 10.3.6 Installation
- Using Repository Creation Utility 11.1.2.2.0 to Create Schema
- SOA 11.1.1.7.0 Installation
- Apply SOA Mandatory Patches
- IDM 11.1.2.2.0 Installation
- Create WebLogic Domain
- Upgrade OPSS Schema
- Configure Database Security Store
- Configure OIM 11.1.2.2
- Post-Installation Tasks
Tuesday, August 19, 2014
OpenLDAP: Adding New Attribute to inetOrgPerson Object Class
Description: Demonstrates how to extend inetOrgPerson object class to use a custom attribute.
Prerequisites:
http://oraclestack.blogspot.com/2014/08/openldap-adding-inetorgperson-object.html
Reference:
http://www.openldap.org/doc/admin24/schema.html
Monday, August 18, 2014
WebLogic Server: Change to Production Mode
Tested On: WebLogic 10.3.6
Description: Demonstrates how to switch from development mode to production mode. The runtime mode is a domain-wide setting. As each Managed Server starts, it refers to the mode of the Administration Server to determine its runtime mode.
References: http://docs.oracle.com/cd/E23943_01/apirefs.1111/e13952/taskhelp/domainconfig/ChangeRuntimeModes.html
Tuesday, August 5, 2014
OpenLDAP: Adding inetOrgPerson Object Class
1. Shut down OpenLDAP.
2. Locate the path of the "inetorgperson.schema" file (E.g. /usr/local/etc/openldap/schema). At the top of the "slapd.conf" file (E.g. Location = /usr/local/etc/openldap) include the following lines:
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
Adjust the location of the schema files accordingly. The "inetorgperson.schema" file requires the "core.schema" and "cosine.schema" files (these files should be in the same directory as the "inetorgperson.schema" file).
3. Start OpenLDAP by executing the slapd script (E.g. Location = /usr/local/libexec).
4. Verify you are able to create a user with the inetOrgPerson object class and set attributes associated with object class.
inetOrgPerson Object Class via Apache Directory Studio Schema Browser
User with inetOrgPerson Object Class assigned
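Because slapd resolves schema definitions in include order, inetorgperson.schema fails to load if core.schema and cosine.schema are not included before it. The following checker, an added example that is not part of the original post, parses the include directives of a slapd.conf and reports any schema file that appears before its dependencies; the two sample configurations are constructed.

```python
"""Check the include order of schema files in an OpenLDAP slapd.conf.

Added example (not from the original post). slapd reads "include"
directives top to bottom, so inetorgperson.schema must appear after
core.schema and cosine.schema, the two files it depends on.
"""
import re
from typing import Dict, List

# Dependency table for the schema files the post deals with. The file
# names match those shipped in the OpenLDAP 2.4 schema directory.
SCHEMA_DEPENDENCIES: Dict[str, List[str]] = {
    "core.schema": [],
    "cosine.schema": ["core.schema"],
    "inetorgperson.schema": ["core.schema", "cosine.schema"],
}

# "include <path>" at the start of a line; slapd directives are case-insensitive.
_INCLUDE_RE = re.compile(r"^\s*include\s+(\S+)", re.IGNORECASE)

# Constructed sample: the include order given in the post.
GOOD_CONF = """# constructed slapd.conf matching the post
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema

pidfile  /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args
"""

# Constructed sample: inetorgperson.schema included before cosine.schema.
BAD_CONF = """# constructed slapd.conf with a wrong include order
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/cosine.schema
"""


def included_schemas(conf_text: str) -> List[str]:
    """Return the basenames of the files pulled in by include directives, in file order.

    Comment lines and non-include directives are skipped, as slapd skips them.
    """
    names: List[str] = []
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        match = _INCLUDE_RE.match(line)
        if match:
            # Only the file name matters for the dependency check, not the directory.
            names.append(match.group(1).rsplit("/", 1)[-1])
    return names


def check_schema_order(conf_text: str) -> List[str]:
    """Return one message per schema file that is included before a file it depends on.

    An empty list means every dependency is satisfied by an earlier include.
    """
    problems: List[str] = []
    seen = set()
    for name in included_schemas(conf_text):
        for dependency in SCHEMA_DEPENDENCIES.get(name, []):
            if dependency not in seen:
                problems.append(
                    f"{name} requires {dependency}, which is not included before it"
                )
        seen.add(name)
    return problems


if __name__ == "__main__":
    for label, conf in (("post's order", GOOD_CONF), ("swapped order", BAD_CONF)):
        issues = check_schema_order(conf)
        print(f"{label}: {'OK' if not issues else '; '.join(issues)}")
```

Point the script at your own slapd.conf by reading the file into a string and passing it to check_schema_order before starting slapd.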
Tuesday, July 1, 2014
Upgrading OIM 11.1.2.x.x to 11.1.2.2.0
Description: This post will show you how to upgrade Oracle Identity Manager 11.1.2.1.0 to 11.1.2.2.0. The instructions for upgrading 11.1.2.0.0 to 11.1.2.2.0 are similar.
Environment: Below is the environment I used to test the upgrade process.
- Oracle Linux 6.3
- JRockit 1.6.0_75
- Oracle Identity Manager 11.1.2.1.3
- WebLogic 10.3.6
- SOA 11.1.1.6.0
- Oracle Database 11g R2
Sunday, June 15, 2014
No Password Expiration Date For OIM Schema
Oracle Database Version: 11g R2
Description: This post will show you how to set up the OIM schema user so that its password never expires. You've probably seen the following errors during OIM managed server start up:
[EL Severe]: 2014-06-15 19:55:22.713--ServerSession(514521790)--Exception [EclipseLink-4002] (Eclipse Persistence Services - 2.3.1.v20111018-r10243): org.eclipse.persistence.exceptions.DatabaseException
Internal Exception: java.sql.SQLException: ORA-28001: the password has expired
Error Code: 28001
Jun 15, 2014 7:55:22 PM oracle.security.jps.internal.credstore.ldap.LdapCredentialStore <init>
WARNING: Could not create credential store instance. Reason oracle.security.jps.service.policystore.PolicyStoreException: javax.persistence.PersistenceException: Exception [EclipseLink-4002] (Eclipse Persistence Services - 2.3.1.v20111018-r10243): org.eclipse.persistence.exceptions.DatabaseException
Internal Exception: java.sql.SQLException: ORA-28001: the password has expired
Error Code: 28001
JPS-01055: Could not create credential store instance. Reason oracle.security.jps.service.policystore.PolicyStoreException: javax.persistence.PersistenceException: Exception [EclipseLink-4002] (Eclipse Persistence Services - 2.3.1.v20111018-r10243): org.eclipse.persistence.exceptions.DatabaseException
Internal Exception: java.sql.SQLException: ORA-28001: the password has expired
Error Code: 28001
Error: Diagnostics data was not saved to the credential store.
Error: Validate operation has failed. Need to do the security configuration first!
The errors are caused by an expired schema password, and the OIM server will fail to start.
Expired Schema Owner
After changing several database parameters that are responsible for password expiration and resolving expired accounts, you'll notice the accounts will have a NULL password expiration date. Thus, these accounts have no password expiration date.
No Password Expiration After Changing DB Parameters
Friday, April 25, 2014
OIM Concepts
What is Oracle Identity Manager (OIM)?
A system that manages the life-cycle of identities. An example of a life-cycle of an identity is when an employee joins an organization and later leaves an organization.
Conventional Model
This is a model where an Identity Manager is not involved, and several problems arise from it. The diagram given below describes the process of hiring a new employee; the removal of an employee works similarly.
#1. A new employee is hired. The employee’s information is placed into a Human Resource Management System (HRMS) by the HR department to indicate the employee is active to work for the organization.
#2. HR notifies the manager via email that a new employee is ready to start.
#3. Then the manager requests several target accounts to be made for the new employee. These accounts can be for applications, access to operating systems, directories, etc. (E.g. Google Apps, PeopleSoft, Active Directory). The manager sends emails to the administrators in charge of each target system to carry out their tasks.
#4. The administrators of each of the target systems (E.g. admins for Google Apps, admins for PeopleSoft and admins for Active Directory) are responsible for manually creating the accounts. There can be a hierarchical workflow when creating an account on the target system (E.g. Google Admin sends a request to Google Admin 2 to enable specific privileges -> say Google Admin 2 is on vacation, so the task is delegated to a temporary Google admin -> and so on …).
Problems With the Conventional Model
- Too many of the tasks are done manually
- Employee data is distributed among many systems and there is no centralized place to look it up.
- There is no tracking of a given task (E.g. Has a Google account been created for the new employee? If not, what is the progress and why is it being delayed?).
- Security breach with orphan/rogue accounts (E.g. There is a possible security breach if an employee has been fired and one of the employee’s accounts has not been revoked).
In the next section, you will see how including OIM can resolve many problems faced in the conventional model.
OIM Model
Before describing the OIM model, it is important to understand how an identity is represented in OIM.
An OIM Identity consists of user defined fields (UDFs), which are attributes that describe the identity, and accounts for specific access to applications. The accounts themselves have attributes and the data typically comes from external sources.
The diagram given below shows how OIM manages identities, using the process of hiring a new employee.
#1. A new employee is hired and the employee’s information is placed into HRMS.
#2. OIM reads the new employee’s information from HRMS. With this information, OIM creates the identity in its own system. This process is known as Trusted User Reconciliation and it can be scheduled to run at any time. (Side Note: Trusted User Reconciliation also handles updates. If an existing employee changes his address, OIM picks up the change from HRMS and updates the identity with the appropriate value. Trusted User Reconciliation maps information from HRMS to User Defined Fields of an OIM Identity. OIM connectors allow the HRMS as well as the other target systems to be integrated with OIM.)
#3. After the identity has been created for the new employee, OIM kicks off many other events to further process the new identity. Everything in OIM is event driven and many events are automated (Side Note: This involves configuring OIM components and writing custom code to achieve this).
#4. OIM communicates with the target systems in order to create the accounts for the new employee. (Side Note: OIM comes with predefined connectors which allow the target systems to be well integrated with OIM. These connectors allow OIM to perform many of the target system activities such as creating, updating, and revoking accounts.)
OIM Advantages
- Centralized administration
- Easy to manage the identities and their associated accounts
- Flexible configurations to meet business requirements
- Automation of tasks
- Audits, logs, reports, tracking of requests (handling requests involves SOA)
- Rogue / Expired / Orphan accounts elimination via security policies
Terminology
Connectors
Used to integrate target resource systems into OIM. This allows OIM to manage all the identities as well as their target accounts.
Trusted User Reconciliation
Creation/update of identities in OIM by reading from an authoritative source, e.g. users from HRMS.
Target User Reconciliation (Account Reconciliation)
Read information from the target systems and synchronize the data in OIM. Also, linking of target accounts to an identity happens in this process.
Account Provisioning
Creation/update of target accounts for an OIM Identity on the target resource.
Direct/Manual, Auto/Criteria, Request Based
Account Deprovisioning
Removal of target resource accounts from an OIM Identity. OIM can communicate with the target system to remove the account.
Friday, April 4, 2014
Upgrading JRockit Version For WebLogic Server Instances
Description: This post will show you the necessary steps to replace an old version of JRockit with a newer one.
Friday, March 28, 2014
OIM Upload Jar Utility
Version: Oracle Identity Manager 11g R2
Description: The Upload Jar utility pushes a jar file to the database. After uploading a jar to the database, you should see a new record of the uploaded jar in {OIM_SCHEMA}.OIMHOME_JARS table.
Friday, March 21, 2014
Setup Oracle Diagnostic Logging (ODL) for OIM Plug-ins
Version: Oracle Identity Manager 11g
Description: Oracle Diagnostic Logging (ODL) is the principal logging service used by OIM. This post shows you how to setup ODL for your OIM plug-ins (Event Handlers, Schedule Task, and Adapter code).
Friday, March 14, 2014
Enable OIM Caching
Version: Oracle Identity Manager 11g
Description: The configuration for OIM caching is defined in the "/db/oim-config.xml" file, which is stored in MDS. To enable caching, you can either directly modify the "/db/oim-config.xml" configuration file or use the OIM Enterprise Manager (EM) console. This post goes over the latter. In the EM console, there are beans that correspond to the caching settings defined in "/db/oim-config.xml". Whenever you make a change to a bean, the change is pushed out to MDS.
Friday, March 7, 2014
How to Remove User Defined Field (UDF) From User Form UI
Version: Oracle Identity Manager 11g R2
Description: OIM does not provide an easy way to remove a UDF from the User form. A workaround is to export a sandbox, modify several XML files, and import the sandbox.
Friday, February 28, 2014
Delete UDFs using OIM API
Version: Oracle Identity Manager 11g
Description: Oracle Identity Manager has an API service, namely ConfigManager, that allows developers to perform various operations on User Defined Field (UDF).
** WARNING USE AT YOUR OWN RISK **
This post will show you how to use ConfigManager API service to delete a UDF. The "deleteAttribute" method only deletes the attribute in the backend (USR, SDC, MV_USER_COLS, and User.xml metadata) and all the UI customizations are untouched. Once in a while the "deleteAttribute" method does not remove the backend data fully, and hence you would have to manually clear the data.
Friday, February 21, 2014
SSL for OIMClient
Version: Oracle Identity Manager 11g
Description: This post will show you how to set up SSL for OIMClient in a stand-alone Java application.
Prerequisite:
1. Ensure SSL listen Port for OIM is enabled.
- Log into WebLogic Administration console.
- Navigate to Servers -> OIM_SERVER.
- Check "SSL Listen Port Enabled" and restart the OIM server.
3. Execute the Java application with the following JVM argument:
- -Dweblogic.security.SSL.trustedCAKeyStore={Demo Trust Keystore}
E.g. /home/oracle/Oracle/Middleware/wlserver_10.3/server/lib/DemoTrust.jks
Friday, February 14, 2014
Configure Design Console to Use SSL
Version: Oracle Identity Manager 11g
Description: This post will show you how to set up SSL for the Design Console.
Prerequisite: Ensure SSL listen Port for OIM is enabled.
1. Log into WebLogic Administration console.
2. Navigate to Servers -> OIM_SERVER.
3. Check "SSL Listen Port Enabled" and restart the OIM server.
Sunday, February 2, 2014
Import and Export Metadata using EM Console
Version: Oracle Identity Manager 11g R2
Description: The Enterprise Manager (EM) console has tools that allow you to import and export MDS files. The out-of-the-box import and export scripts, namely "weblogicExportMetadata", "weblogicImportMetadata", and "weblogic.properties", located in "$MW_HOME/Oracle_IDM1/server/bin", have been deprecated. An example is given here to show you how to use the EM import and export utilities.
Monday, January 27, 2014
Modify OIM11gR2 Session Timeout
Version: Oracle Identity Manager 11g R2
Description: This guide will show you how to increase or decrease session timeout for the Identity Self Service and Identity System Administration pages.
Thursday, January 23, 2014
OIM Diagnostic Dashboard
Version: Oracle Identity Manager 11g R2
Description: This guide will show how to install the Oracle Identity Manager Diagnostic Dashboard. The Diagnostic Dashboard is a standalone web application that allows you to validate your OIM installation and configuration. Its validations include provisioning and reconciliation for some connectors, database connectivity, and target system SSL trust verification. Refer to the "Working with the Diagnostic Dashboard" section in "Oracle® Fusion Middleware Administrator's Guide for Oracle Identity Manager" for more information.
Saturday, January 11, 2014
Cloning a Connector
Version: Oracle Identity Manager 11g R2
Description: Oracle Identity Manager has a built-in utility that allows you to clone a connector. This utility generates an XML file containing all the artifacts of the initial state of a connector. If you've made modifications to a connector, such as adding new reconciliation and process form fields, they will not be included. After generating the XML, use the "Import Deployment Manager" to import the XML into your OIM instance. The ODSEE/OUD/LDAPV3 Connector, which is part of the OID-11.1.1.6.0 connector bundle, is used as an example.
Side Notes:
There is a minor issue with the clone utility. The scheduled jobs of the cloned connector will override the scheduled jobs of the original connector. A workaround is to modify the XML and change the value of the name attribute in each Job tag.
You may run into a case where importing the cloned connector fails. The "Import Deployment Manager" does not roll back, which means changes are made even on failures. If you receive an error, you can re-import the XML since the "Import Deployment Manager" overrides the existing changes (process forms are the exception).
Tuesday, January 7, 2014
BI Publisher 11.1.1.6.0 Software Installation
Prerequisites: Linux environment setup and Oracle Database 11g
Description: This guide will show you how to install BI Publisher 11.1.1.6.0 in a 64-bit Linux environment. Here is an overview of the "Software Only" installation path:
- Install Java.
- Install WebLogic 10.3.6.
- Create BI Publisher schemas with Repository Creation Utility 11.1.1.6.0.
- Install BI Publisher.
- Configure BI Publisher.
- Java (jdk-7u45-linux-x64.gz)
- WebLogic 10.3.6 (V29856-01.zip)
- RCU 11.1.1.6.0 (V29674-01.zip)
- BI Publisher
- bi_linux_x86_111160_64_disk1_1of2.zip
- bi_linux_x86_111160_64_disk1_2of2.zip
- bi_linux_x86_111160_64_disk2_1of2.zip
- bi_linux_x86_111160_64_disk2_2of2.zip
- bi_linux_x86_111160_64_disk3.zip