It's all about IAM

OIM 11g R2 PS2 : Upgrade OIM 11g R2 PS1 to OIM 11g R2 PS2 - Best Practice

Upgrading a system is required to protect it from known vulnerabilities, and it also brings new features. It is a critical phase of any project. Recently we upgraded OIM from R2 PS1 to R2 PS2 BP03. Here are a few key points based on that upgrade:

Here are some key factors which drive the success of any upgrade project:

  • Proper Planning
  • Components developed to achieve the business requirements
  • Type of code/APIs used for developing components
  • Level of UI Customization
  • Deployment process used for existing system
  • Design followed to achieve the business requirements
  • Dependent Softwares to be upgraded
  • Timelines/SLA for upgrading the system (the Prod environment can't be down for long)

Best Practice/Changes Faced

  • Prepare a list of all the software to be upgraded (SOA, JDK, WebLogic, Database, etc.) and make sure you follow the certification matrix provided by Oracle
  • Back up all database schemas and the file structure
  • Make sure there is enough shared memory on the DB box
  • If you are using Oracle Database 11.2.0.3, you may hit "Bug 13099577 : ORA-1460 WHEN PARALLEL QUERY SERVERS ARE USED"
  • Prepare a list of OIM components that must be validated after the upgrade
  • Disable critical schedulers before the upgrade
  • Keep an eye on the log files
  • Verification of UI customizations is required; we faced some minor issues.
  • Performance must be monitored in lower environments after the upgrade
  • Upgrading within the given timelines is one of the key factors, so don't start the servers more often than needed. Restart the servers only when it is really "required"

Overall, our upgrade went smoothly because we always follow best practices for code development. Thanks to Oracle for this smooth upgrade.

OIM 11g R2 PS2: Role Membership Rule Stored as a Weird String in the Database

In OIM 11g R2, if you look at the role membership rule column in the database, it holds a weird-looking string:

Select UGP_USER_MEMBERSHIP_RULE from UGP where UGP_USER_MEMBERSHIP_RULE is not null;

Example:
rO0ABXNyACtvcmFjbGUuaWFtLnBsYXRmb3JtLmVudGl0eW1nci52by5TZWFyY2hSdWxlAAAAAAAAAAECAAJMAAxtX3NlYXJjaEJhc2V0ABJMamF2YS9sYW5nL1N0cmluZztMAA1tX3NlYXJjaERlcHRodAA5TG9yYWNsZS9pYW0vcGxhdGZvcm0vZW50aXR5bWdyL3ZvL1NlYXJjaFJ1bGUkU2VhcmNoRGVwdGg7eHIAL29yYWNsZS5pYW0ucGxhdGZvcm0uZW50aXR5bWdyLnZvLlNlYXJjaENyaXRlcmlhnAluX4MjQvwCAANMAAZtX2FyZzF0ABJMamF2YS9sYW5nL09iamVjdDtMAAZtX2FyZzJxAH4ABEwACm1fb3BlcmF0b3J0ADpMb3JhY2xlL2lhbS9wbGF0Zm9ybS9lbnRpdHltZ3Ivdm8vU2VhcmNoQ3JpdGVyaWEkT3BlcmF0b3I7eHB0AAl1c3JfbG9naW50AAtPSU1JTlRFUk5BTH5yADhvcmFjbGUuaWFtLnBsYXRmb3JtLmVudGl0eW1nci52by5TZWFyY2hDcml0ZXJpYSRPcGVyYXRvcgAAAAAAAAAAEgAAeHIADmphdmEubGFuZy5FbnVtAAAAAAAAAAASAAB4cHQACU5PVF9FUVVBTHBw

So here is how that string is generated: it is a Java-serialized SearchRule object, Base64-encoded (the leading rO0AB is the Base64 form of the 0xACED0005 serialization stream header):

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;
import oracle.iam.platform.entitymgr.vo.SearchCriteria;
import oracle.iam.platform.entitymgr.vo.SearchRule;
// The Base64 helper with encodeToString(byte[], boolean) is the one used in the original; its import is not shown. With lineSeparator=false the output is plain, unwrapped Base64.

static String serializeRule() throws IOException {
    SearchRule searchRule = new SearchRule("usr_login", "OIMINTERNAL", SearchCriteria.Operator.NOT_EQUAL); // rule: usr_login != OIMINTERNAL
    ByteArrayOutputStream baos = new ByteArrayOutputStream();
    ObjectOutputStream objectOutputStream = new ObjectOutputStream(baos); // Java-serialize the SearchRule object
    objectOutputStream.writeObject(searchRule);
    objectOutputStream.close();
    boolean lineSeparator = false;
    return Base64.encodeToString(baos.toByteArray(), lineSeparator); // this is the value stored in UGP_USER_MEMBERSHIP_RULE
}
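
Because the column holds a serialized Java object that the server deserializes when it evaluates the rule, the safe way to inspect a stored rule is to parse the bytes rather than feed whatever is in the table to an ObjectInputStream. The script below is an added example, not part of the post or of OIM: it walks the Java serialization stream just far enough to print the rule as an expression, using only the standard stream format and the field names visible in the blob above (m_arg1, m_arg2, m_operator). It goes beyond the single-criterion example in that it also unfolds composite AND/OR rules, and it refuses classes that use custom writeObject logic rather than guessing at them.

```python
# Inspect the serialized SearchRule stored in UGP.UGP_USER_MEMBERSHIP_RULE without handing
# the blob to a JVM. Added example, not OIM code; the sample blob is the one printed in the
# post above. Handles plain Serializable objects, strings, enums, nulls and back-references.
import base64

# Tag bytes from the Java Object Serialization Stream Protocol (java.io.ObjectStreamConstants)
TC_NULL, TC_REFERENCE, TC_CLASSDESC, TC_OBJECT = 0x70, 0x71, 0x72, 0x73
TC_STRING, TC_ENDBLOCKDATA, TC_ENUM = 0x74, 0x78, 0x7E
BASE_HANDLE = 0x7E0000  # first back-reference handle assigned by ObjectOutputStream
PRIM_SIZES = {"B": 1, "C": 2, "D": 8, "F": 4, "I": 4, "J": 8, "S": 2, "Z": 1}

class JavaStreamReader:
    def __init__(self, data):
        self.buf, self.pos, self.handles = data, 0, []

    def take(self, n):
        chunk = self.buf[self.pos:self.pos + n]
        if len(chunk) != n:
            raise ValueError("truncated stream")
        self.pos += n
        return chunk

    def num(self, n):  # big-endian unsigned integer of n bytes
        return int.from_bytes(self.take(n), "big")

    def utf(self):  # length-prefixed (modified) UTF-8 string
        return self.take(self.num(2)).decode("utf-8")

    def read_class_desc(self):  # called after the TC_CLASSDESC tag has been consumed
        desc = {"name": self.utf(), "suid": self.take(8).hex(), "fields": []}
        self.handles.append(desc)  # the descriptor gets its handle before its field list
        desc["flags"] = self.num(1)
        if desc["flags"] & 0x05:  # SC_WRITE_METHOD | SC_EXTERNALIZABLE: custom writeObject data, not parsed here
            raise ValueError(desc["name"] + " uses custom serialization; refusing to guess")
        for _ in range(self.num(2)):
            code, name = chr(self.num(1)), self.utf()
            if code in "L[":
                self.read_content()  # field type name: a TC_STRING or a back-reference
            desc["fields"].append((code, name))
        if self.num(1) != TC_ENDBLOCKDATA:
            raise ValueError("class annotations are not supported")
        desc["super"] = self.read_content()  # TC_CLASSDESC, TC_REFERENCE or TC_NULL
        return desc

    def read_content(self):
        tc = self.num(1)
        if tc == TC_NULL:
            return None
        if tc == TC_REFERENCE:
            return self.handles[self.num(4) - BASE_HANDLE]
        if tc == TC_CLASSDESC:
            return self.read_class_desc()
        if tc == TC_STRING:
            self.handles.append(self.utf())
            return self.handles[-1]
        if tc == TC_ENUM:
            enum = {"enum": self.read_content()["name"]}
            self.handles.append(enum)
            enum["constant"] = self.read_content()
            return enum
        if tc == TC_OBJECT:
            desc = self.read_content()
            obj = {"class": desc["name"], "fields": {}}
            self.handles.append(obj)
            chain = []  # field values are written superclass-first
            while desc:
                chain.append(desc)
                desc = desc["super"]
            for d in reversed(chain):
                for code, name in d["fields"]:
                    obj["fields"][name] = self.read_content() if code in "L[" else self.take(PRIM_SIZES[code])
            return obj
        raise ValueError("unsupported tag 0x%02x" % tc)

def parse_membership_rule(b64):  # decode one UGP_USER_MEMBERSHIP_RULE value into a plain dict
    data = base64.b64decode(b64)
    if data[:4] != b"\xac\xed\x00\x05":
        raise ValueError("not a Java serialization stream")
    reader = JavaStreamReader(data[4:])
    obj = reader.read_content()
    if reader.pos != len(reader.buf):
        raise ValueError("trailing bytes after the rule object")
    return obj

def to_expression(node):  # render a SearchRule tree as '(attr OP value)', recursing into AND/OR composites
    if isinstance(node, dict) and "fields" in node:
        f = node["fields"]
        return "(%s %s %s)" % (to_expression(f["m_arg1"]), f["m_operator"]["constant"], to_expression(f["m_arg2"]))
    if isinstance(node, dict) and "enum" in node:
        return node["constant"]
    return str(node)

SAMPLE_RULE = (  # the blob printed in the post above, copied verbatim and split only for line length
    "rO0ABXNyACtvcmFjbGUuaWFtLnBsYXRmb3JtLmVudGl0eW1nci52by5TZWFyY2hSdWxlAAAAAAAAAAECAAJMAAxt"
    "X3NlYXJjaEJhc2V0ABJMamF2YS9sYW5nL1N0cmluZztMAA1tX3NlYXJjaERlcHRodAA5TG9yYWNsZS9pYW0vcGxhdGZvcm0v"
    "ZW50aXR5bWdyL3ZvL1NlYXJjaFJ1bGUkU2VhcmNoRGVwdGg7eHIAL29yYWNsZS5pYW0ucGxhdGZvcm0uZW50aXR5bWdyLnZv"
    "LlNlYXJjaENyaXRlcmlhnAluX4MjQvwCAANMAAZtX2FyZzF0ABJMamF2YS9sYW5nL09iamVjdDtMAAZtX2FyZzJxAH4ABEwA"
    "Cm1fb3BlcmF0b3J0ADpMb3JhY2xlL2lhbS9wbGF0Zm9ybS9lbnRpdHltZ3Ivdm8vU2VhcmNoQ3JpdGVyaWEkT3BlcmF0b3I7"
    "eHB0AAl1c3JfbG9naW50AAtPSU1JTlRFUk5BTH5yADhvcmFjbGUuaWFtLnBsYXRmb3JtLmVudGl0eW1nci52by5TZWFyY2hD"
    "cml0ZXJpYSRPcGVyYXRvcgAAAAAAAAAAEgAAeHIADmphdmEubGFuZy5FbnVtAAAAAAAAAAASAAB4cHQACU5PVF9FUVVBTHBw"
)
```

Calling to_expression(parse_membership_rule(SAMPLE_RULE)) on the blob from the post gives (usr_login NOT_EQUAL OIMINTERNAL); a rule chained with AND comes back as nested parentheses. The parser never instantiates anything, so it can be run against an export of the UGP table from a workstation, and a value that is not a serialization stream, or that belongs to a class with custom serialization, is reported instead of being silently mis-read.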

OIM 11g R2 PS2: Role Membership Rule Through Java Code

After so much work pressure, finally found some time.

Happy Thanksgiving !!!


Creating and adding the role membership rule through Java code (the rule grants membership to users with usr_emp_type XYZ while excluding the built-in OIMINTERNAL, XELSYSADM, WEBLOGIC and XELOPERATOR accounts):

import oracle.iam.identity.rolemgmt.api.RoleManager;
import oracle.iam.platform.entitymgr.vo.SearchCriteria;
import oracle.iam.platform.entitymgr.vo.SearchRule;

// AND two rules together. The original calls combineSearchRules without showing it; this body
// assumes the SearchRule(SearchRule, SearchRule, SearchCriteria.Operator) constructor.
private static SearchRule combineSearchRules(SearchRule rule1, SearchRule rule2) {
    return new SearchRule(rule1, rule2, SearchCriteria.Operator.AND);
}

private static void createRule(RoleManager roleManager) {
    String roleKey = "221"; // UGP_KEY of the role that receives the membership rule
    // Keep the built-in system accounts out of automatic membership...
    SearchRule searchRule = new SearchRule("usr_login", "OIMINTERNAL", SearchCriteria.Operator.NOT_EQUAL);
    SearchRule searchRule1 = new SearchRule("usr_login", "XELSYSADM", SearchCriteria.Operator.NOT_EQUAL);
    SearchRule searchRule2 = new SearchRule("usr_login", "WEBLOGIC", SearchCriteria.Operator.NOT_EQUAL);
    SearchRule searchRule3 = new SearchRule("usr_login", "XELOPERATOR", SearchCriteria.Operator.NOT_EQUAL);
    // ...and grant it only to users with employee type XYZ
    SearchRule searchRule4 = new SearchRule("usr_emp_type", "XYZ", SearchCriteria.Operator.EQUAL);
    // Chain all criteria with AND into one rule tree
    SearchRule searchRule5 = combineSearchRules(searchRule, searchRule1);
    SearchRule searchRule6 = combineSearchRules(searchRule2, searchRule5);
    SearchRule searchRule7 = combineSearchRules(searchRule3, searchRule6);
    SearchRule searchRule8 = combineSearchRules(searchRule4, searchRule7);

    try {
        // Persist the rule on the role (this is what ends up serialized in UGP_USER_MEMBERSHIP_RULE)
        roleManager.setUserMembershipRule(roleKey, searchRule8);
    } catch (Exception e) {
        e.printStackTrace();
    }
}