HAPPY NEW YEAR 2017

Identity And Access Management - Rajiv Dewan

DEMO: OIM - OPAM - OUD Integration

I got a request for an OIM-OPAM integration demo, so I uploaded a small video showing how the integration works between OIM, OPAM and OUD.


Details about the demo:

Must-have criteria (*):
  1. The user must exist in Oracle Unified Directory (OUD)
  2. The user must be a member of the Employee group in Oracle Unified Directory (OUD)
OIM is used to create the account in OUD and to assign the Employee group in OUD.

I used a user called "MMORGAN" who did not exist in OUD before. I created his account, and he was able to log in to the OPAM console, but he could not see any service accounts for the check-out operation; so I assigned the Employee group in OUD, and he could then see the service account "OUDAdmin" under the "My Accounts" tab of OPAM.

I used an ICF connector to integrate OIM with OUD.


Demo: Click Here


ODSM Configuration with Oracle Unified Directory (OUD)

Oracle Directory Service Manager (ODSM) - Oracle Unified Directory (OUD)

Go to oracle_common/common/bin under the Middleware home and run config.cmd (Windows) or config.sh (Linux/UNIX)

Access URL : http://AdminHost:AdminPort/odsm


OIM 11g R2 PS2: Modify User Operation with Request Generation

Here is sample code for modifying a user with request generation. In this example I submit a request to modify a custom user attribute (employeeStatus), setting its value to "loa". Because the change goes through a request rather than a direct update, it is subject to OIM's approval policies before it is applied.

import java.util.ArrayList;
import java.util.List;
import oracle.iam.api.OIMService;
import oracle.iam.exception.OIMServiceException;
import oracle.iam.platform.utils.vo.OIMType;
import oracle.iam.request.vo.RequestConstants;
import oracle.iam.request.vo.RequestData;
import oracle.iam.request.vo.RequestEntity;
import oracle.iam.request.vo.RequestEntityAttribute;
import oracle.iam.vo.OperationResult;

public void submitModifyUserRequest(OIMService oimService) {
    String userKey = "101"; // USR_KEY of the user to modify

    // Attribute(s) to change: the custom UDF employeeStatus becomes "loa"
    List<RequestEntityAttribute> attrs = new ArrayList<RequestEntityAttribute>();
    attrs.add(new RequestEntityAttribute("employeeStatus", "loa", RequestEntityAttribute.TYPE.String));

    // Target entity: the user, with a MODIFY operation carrying the new attribute values
    RequestEntity requestEntity = new RequestEntity();
    requestEntity.setRequestEntityType(OIMType.User);
    requestEntity.setEntityKey(userKey);
    requestEntity.setOperation(RequestConstants.MODEL_MODIFY_OPERATION);
    requestEntity.setEntityData(attrs);

    List<RequestEntity> entities = new ArrayList<RequestEntity>();
    entities.add(requestEntity);

    RequestData requestData = new RequestData();
    requestData.setJustification("Required Justification");
    requestData.setTargetEntities(entities);

    try {
        // Intent.REQUEST raises a request (subject to approval policies) instead of applying the change directly
        OperationResult result = oimService.doOperation(requestData, OIMService.Intent.REQUEST);
        System.out.println("Result :: " + result.getOperationStatus());
        System.out.println("Request ID :: " + result.getRequestID());
    } catch (OIMServiceException e) {
        e.printStackTrace();
    }
}

OIM 11g R2 PS2: UI Customization Basic - Demo


The out-of-the-box (OOTB) user interface does not fulfil every business need, so UI customization is a common task in the product. The OIM 11g R2 UI is built on the ADF MVC framework.

I did some basic customization for a PoC; here is the link to the video. It is not a tutorial video, but I learned a few new things about the OIM APIs and will share them soon on this blog:


Click Here - Demo Video

OIM 11g R2 PS2 : Upgrade OIM 11g R2 PS1 to OIM 11g R2 PS2 - Best Practice

Upgrading a system is required to protect it from known vulnerabilities, and it also brings new features. It is a critical phase of any project. Recently we upgraded OIM from 11g R2 PS1 to 11g R2 PS2 BP03. Here are a few key points from that upgrade.

Here are the key factors that drive the success of any upgrade project:

  • Proper planning
  • Components developed to meet the business requirements
  • Type of code/APIs used for developing those components
  • Level of UI customization
  • Deployment process used for the existing system
  • Design followed to meet the business requirements
  • Dependent software that must be upgraded as well
  • Timelines/SLA for upgrading the system (the production environment can't be down for long)

Best Practices / Issues Faced

  • Prepare a list of all the software to be upgraded (SOA, JDK, WebLogic, Database, etc.). Make sure you follow the certification matrix provided by Oracle
  • Back up all the database schemas and the file system (Middleware home and domain directories) before you start
  • Make sure you have enough shared memory on the DB box
  • If you are using Oracle Database 11.2.0.3, you may hit "Bug 13099577 : ORA-1460 WHEN PARALLEL QUERY SERVERS ARE USED"
  • Prepare a list of OIM components that must be validated after the upgrade
  • Disable critical scheduled jobs before the upgrade
  • Keep an eye on the log files
  • Verify the UI customizations after the upgrade; we faced some minor issues there
  • Monitor performance in the lower environments after the upgrade, before touching production
  • Upgrading within the given timelines is a key factor, so don't restart the servers more often than necessary. Restart them only when it is really required

Overall, our upgrade was very smooth because we always follow best practices for code development, and thanks to Oracle for this smooth upgrade.

OIM 11g R2 PS2: Role Membership Rule Stored as a Weird String in the Database

In OIM 11g R2, if you look at the role membership rule column in the database, you will find what looks like a weird string:

Select UGP_USER_MEMBERSHIP_RULE from UGP where UGP_USER_MEMBERSHIP_RULE is not null;


Here is how that string is produced: it is the SearchRule object written out with standard Java serialization and then base64-encoded. So it is opaque to the eye, but it is only encoded, not encrypted:

import java.io.ByteArrayOutputStream;
import java.io.ObjectOutputStream;
import oracle.iam.platform.entitymgr.vo.SearchCriteria;
import oracle.iam.platform.entitymgr.vo.SearchRule;

SearchRule searchRule = new SearchRule("usr_login", "OIMINTERNAL", SearchCriteria.Operator.NOT_EQUAL);

// Plain Java object serialization of the rule (the stream starts with the AC ED 00 05 header) ...
ByteArrayOutputStream baos = new ByteArrayOutputStream();
ObjectOutputStream objectOutputStream = new ObjectOutputStream(baos);
objectOutputStream.writeObject(searchRule);
objectOutputStream.close();
// ... then base64 without line breaks. Base64 here is a helper with an encodeToString(byte[], boolean) signature;
// on JDK 8+ java.util.Base64.getEncoder().encodeToString(bytes) gives the same single-line output.
boolean lineSeparator = false;
String searchRuleStr = Base64.encodeToString(baos.toByteArray(), lineSeparator);
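As an added example (not from the original post, and not OIM code), here is a small Python scanner that base64-decodes a UGP_USER_MEMBERSHIP_RULE value and lists the class names and string constants inside the Java serialization stream, so a rule can be inspected straight from a database dump without a JVM or the OIM classes on the classpath. It is a byte-level token scan, not a deserializer, so it never instantiates anything from the blob; that matters because Java deserialization of data you do not fully trust is a well-known code-execution vector, and an ad-hoc readObject() tool without a class filter is exactly the wrong way to look at these values. The sample blob it builds is constructed by hand; the field names and serialVersionUIDs in it, and the SearchRule package name, are assumptions, and only the java.io stream layout (tags, lengths, header) is authoritative.

```python
"""Inspect the value OIM stores in UGP.UGP_USER_MEMBERSHIP_RULE without a JVM.

The column holds a Java-serialized SearchRule, base64-encoded. This walks the
java.io serialization stream and pulls out class names (TC_CLASSDESC) and
string constants (TC_STRING), which is enough to see which attributes, values
and operators a membership rule uses. It is a byte-level scanner, not a
deserializer, so nothing from the blob is ever instantiated.
"""
import base64
import struct

STREAM_MAGIC = b"\xac\xed\x00\x05"   # ObjectOutputStream header: STREAM_MAGIC + STREAM_VERSION
TC_NULL, TC_CLASSDESC, TC_OBJECT = 0x70, 0x72, 0x73
TC_STRING, TC_ENDBLOCKDATA, TC_ENUM = 0x74, 0x78, 0x7E
SC_SERIALIZABLE, SC_ENUM = 0x02, 0x10


def _java_utf(s: str) -> bytes:
    """DataOutput.writeUTF layout: 2-byte big-endian length, then the bytes."""
    raw = s.encode("utf-8")
    return struct.pack(">H", len(raw)) + raw


def _read_utf(blob: bytes, pos: int):
    """Return (text, end) if blob[pos:] is a plausible writeUTF string, else None."""
    if pos + 2 > len(blob):
        return None
    (n,) = struct.unpack(">H", blob[pos:pos + 2])
    end = pos + 2 + n
    if n == 0 or end > len(blob):
        return None
    chunk = blob[pos + 2:end]
    if not all(0x20 <= b < 0x7F for b in chunk):   # printable ASCII only (heuristic)
        return None
    return chunk.decode("ascii"), end


def inspect_membership_rule(b64: str) -> dict:
    """Decode a UGP_USER_MEMBERSHIP_RULE value and list the classes/strings inside."""
    blob = base64.b64decode(b64)
    info = {"java_serialized": blob.startswith(STREAM_MAGIC), "classes": [], "strings": []}
    if not info["java_serialized"]:
        return info
    i = len(STREAM_MAGIC)
    while i < len(blob):
        tag = blob[i]
        hit = _read_utf(blob, i + 1) if tag in (TC_CLASSDESC, TC_STRING) else None
        if hit is None:
            i += 1            # not a token we care about (or a false alarm): step one byte
            continue
        text, nxt = hit
        if tag == TC_CLASSDESC:
            info["classes"].append(text)
            nxt += 8 + 1 + 2  # skip serialVersionUID, class flags and field count
        else:
            info["strings"].append(text)
        i = nxt
    return info


def build_sample_rule_blob() -> str:
    """Constructed sample, not a real OIM dump: SearchRule("usr_login", "OIMINTERNAL",
    NOT_EQUAL) written by hand in java.io stream grammar. The field names, package
    name and serialVersionUIDs are assumptions; only the stream layout is authoritative."""
    def classdesc(name, suid, flags, fields):
        out = bytes([TC_CLASSDESC]) + _java_utf(name) + struct.pack(">q", suid)
        out += bytes([flags]) + struct.pack(">H", len(fields))
        for fname, sig in fields:          # object-typed fields: 'L' + name + signature string
            out += b"L" + _java_utf(fname) + bytes([TC_STRING]) + _java_utf(sig)
        return out + bytes([TC_ENDBLOCKDATA])

    rule_desc = classdesc("oracle.iam.platform.entitymgr.vo.SearchRule", 0x1122334455667788,
                          SC_SERIALIZABLE,
                          [("firstArgument", "Ljava/lang/String;"),
                           ("secondArgument", "Ljava/lang/Object;"),
                           ("operator", "Loracle/iam/platform/entitymgr/vo/SearchCriteria$Operator;")]
                          ) + bytes([TC_NULL])                       # no superclass
    operator_desc = (classdesc("oracle.iam.platform.entitymgr.vo.SearchCriteria$Operator", 0,
                               SC_SERIALIZABLE | SC_ENUM, [])
                     + classdesc("java.lang.Enum", 0, SC_SERIALIZABLE | SC_ENUM, [])
                     + bytes([TC_NULL]))
    stream = (STREAM_MAGIC + bytes([TC_OBJECT]) + rule_desc
              + bytes([TC_STRING]) + _java_utf("usr_login")          # firstArgument
              + bytes([TC_STRING]) + _java_utf("OIMINTERNAL")        # secondArgument
              + bytes([TC_ENUM]) + operator_desc
              + bytes([TC_STRING]) + _java_utf("NOT_EQUAL"))         # enum constant name
    return base64.b64encode(stream).decode("ascii")


if __name__ == "__main__":
    print(inspect_membership_rule(build_sample_rule_blob()))
```

To look at a real rule, pass the column value from the SELECT above to inspect_membership_rule() in place of the constructed sample. Since the value is only encoded, the database row is the readable, authoritative copy of the rule, so it belongs in your change tracking and backups like any other policy artefact.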

OIM 11g R2 PS2: Role Membership Rule Through Java Code

After so much work pressure, I finally found some time.

Happy Thanksgiving !!!


Creating and adding a role membership rule through Java code:

import oracle.iam.identity.rolemgmt.api.RoleManager;
import oracle.iam.platform.entitymgr.vo.SearchCriteria;
import oracle.iam.platform.entitymgr.vo.SearchRule;

// ANDs two rules into one. This helper was not shown in the original post; it assumes
// SearchRule offers the (left, right, Operator) constructor that its parent SearchCriteria has.
private static SearchRule combineSearchRules(SearchRule left, SearchRule right) {
    return new SearchRule(left, right, SearchCriteria.Operator.AND);
}

private static void createRule(RoleManager roleManager) {
    String roleKey = "221"; // UGP_KEY of the role that gets the membership rule
    // Exclude the built-in system accounts ...
    SearchRule searchRule  = new SearchRule("usr_login", "OIMINTERNAL", SearchCriteria.Operator.NOT_EQUAL);
    SearchRule searchRule1 = new SearchRule("usr_login", "XELSYSADM",   SearchCriteria.Operator.NOT_EQUAL);
    SearchRule searchRule2 = new SearchRule("usr_login", "WEBLOGIC",    SearchCriteria.Operator.NOT_EQUAL);
    SearchRule searchRule3 = new SearchRule("usr_login", "XELOPERATOR", SearchCriteria.Operator.NOT_EQUAL);
    // ... and include only users with employee type XYZ
    SearchRule searchRule4 = new SearchRule("usr_emp_type", "XYZ", SearchCriteria.Operator.EQUAL);
    SearchRule searchRule5 = combineSearchRules(searchRule, searchRule1);
    SearchRule searchRule6 = combineSearchRules(searchRule2, searchRule5);
    SearchRule searchRule7 = combineSearchRules(searchRule3, searchRule6);
    SearchRule searchRule8 = combineSearchRules(searchRule4, searchRule7);

    try {
        // Persists the rule on the role; this is the object that ends up serialized in UGP_USER_MEMBERSHIP_RULE
        roleManager.setUserMembershipRule(roleKey, searchRule8);
    } catch (Exception e) {
        e.printStackTrace();
    }
}

OIM Upgrade: OIM 11g R2 PS1 to OIM 11g R2 PS2 : OIM Binaries Upgrade

NOTE: Select the existing OIM HOME at step #4 of the installer.

OIM Upgrade: OIM 11g R2 PS1 to OIM 11g R2 PS2


There are two ways to upgrade OIM from 11g R2 PS1 to 11g R2 PS2:
  1. Manual
  2. Automated (i.e. through the Deployment Tool)
The automated way can ONLY be used if you set up your existing environment with the Deployment Tool. You can get more details about this on Oracle's site.

In my case, I did the upgrade through the manual procedure. Here are the high-level steps for upgrading OIM 11g R2 PS1 (11.1.2.1.x) to OIM 11g R2 PS2 (11.1.2.2.0):

  1. JVM configuration for the Oracle Identity Manager server (WebLogic)
  2. Shut down all the servers
  3. Upgrade WebLogic to 10.3.6 (not required if you are already on 10.3.6)
  4. Upgrade SOA Suite to 11.1.1.7.0 (not required if you are already on 11.1.1.7.0)
  5. Upgrade the Oracle Identity Manager binaries (install OIM 11.1.2.2.0 into the existing OIM home)
  6. Upgrade the OIM, MDS, SOAINFRA, OPSS and ORASDPM schemas
  7. Upgrade Oracle Platform Security Services
  8. Upgrade the Java Required Files
  9. Upgrade OIM through the OIMUpgrade utility (start the Admin and SOA servers before this step)

OPAM : Oracle Privileged Account Manager -> Check-in & Check-out

Here are a few screens of the check-in and check-out features of Oracle Privileged Account Manager (OPAM).