It's all about IAM

Identity And Access Management - Rajiv Dewan

ICF Connector Server Issue - Read timed out

Issue Description:
org.identityconnectors.framework.common.exceptions.ConnectorException: Read timed out

In my current project, I was facing the below exception while provisioning a user into LDAP.

org.identityconnectors.framework.common.exceptions.ConnectorException: Read timed out

All the configurations were correct and I couldn't find anything more in the logs.

Resolution: Change the Timeout value to 0 in the Connector Server IT Resource.

OIM 11g R2 PS3: Reconciliation Event Diagnostic

Here are the steps to view the diagnostic details about any reconciliation event. Admins who are not familiar with the reconciliation tables can use this feature through Enterprise Manager to view the details.

  1. Application Defined MBeans > oracle.iam > Server: oim_server > Reconciliation > EventDiagnostic
  2. Give the Reconciliation Event ID
  3. Click Invoke

If you scroll down in Enterprise Manager, you can also see the reconciliation data for each attribute (single-valued and multi-valued attributes).

Migrate Weblogic Data Sources

I was working in an environment where we had multiple data sources in WebLogic and we wanted to move these data sources from the Dev environment to the Stage environment. If we create these data sources manually it would be time consuming and take so many clicks; we can use APIs, though. Anyway, here are the steps which I followed:

  1. Copied the data source XMLs from /config/jdbc to /config/jdbc
  2. Modified the /config/config.xml to add the entries for these data sources. It would be similar to the below snippet (you can copy it from /config/config.xml):

     STAGE_CLUSTER: It's the cluster name (target for the data source)

  3. Modified "XML File Name 1" and "XML File Name 2" to have the Stage JDBC URL, UserName and Password.

     You'll face an issue while modifying the password in the XML files because it is stored in encrypted format.
     If you do not change the password in the XML file, WebLogic will not allow you to reset the password from the UI either.

  4. Go to the Domain Directory and execute
  5. Execute the below command:
     java -cp /server/lib/weblogic.jar:$CLASSPATH

     The above command will return the encrypted string for the password; paste the encrypted string into the XMLs.
  6. Restart your server
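To take the hand editing out of the XML step, here is an added example (mine, not from the post or from Oracle) that rewrites a copied descriptor for Stage. It assumes the standard jdbc-data-source descriptor layout, a constructed Dev descriptor, and that the {AES} value was produced by the encrypt command run in the Stage domain, because WebLogic encrypts with a per-domain key (SerializedSystemIni.dat) and the Dev value cannot be reused; it refuses to write a plaintext password into the file.

```python
import re
import xml.etree.ElementTree as ET

NS = "http://xmlns.oracle.com/weblogic/jdbc-data-source"
ET.register_namespace("", NS)

def T(tag):
    """Namespace-qualify a descriptor tag name for ElementTree."""
    return f"{{{NS}}}{tag}"

# Constructed sample of a Dev descriptor from <domain>/config/jdbc (not from the post).
DEV_DESCRIPTOR = f"""<jdbc-data-source xmlns="{NS}">
  <name>OIM_DS</name>
  <jdbc-driver-params>
    <url>jdbc:oracle:thin:@devdb.example.internal:1521/DEVPDB</url>
    <driver-name>oracle.jdbc.OracleDriver</driver-name>
    <properties><property><name>user</name><value>DEV_OIM</value></property></properties>
    <password-encrypted>{{AES}}DevDomainCipherText==</password-encrypted>
  </jdbc-driver-params>
  <jdbc-data-source-params><jndi-name>jdbc/OIM_DS</jndi-name></jdbc-data-source-params>
</jdbc-data-source>"""

# WebLogic cipher values carry one of these prefixes; anything else is plaintext.
ENCRYPTED_RE = re.compile(r"^\{(AES|AES256|3DES)\}\S+$")

def user_property(driver_params):
    """Locate the <property> whose <name> is 'user' under jdbc-driver-params."""
    for prop in driver_params.iter(T("property")):
        if prop.findtext(T("name")) == "user":
            return prop
    raise ValueError("no 'user' property in descriptor")

def retarget(descriptor_xml, url, user, encrypted_password):
    """Rewrite url, user and password-encrypted for the Stage domain.
    encrypted_password must come from the encrypt command run in the Stage
    domain (WebLogic's key is per domain); plaintext is refused outright."""
    if not ENCRYPTED_RE.match(encrypted_password):
        raise ValueError("refusing to write a non-encrypted password")
    root = ET.fromstring(descriptor_xml)
    drv = root.find(T("jdbc-driver-params"))
    drv.find(T("url")).text = url
    user_property(drv).find(T("value")).text = user
    drv.find(T("password-encrypted")).text = encrypted_password
    return ET.tostring(root, encoding="unicode")

def driver_params(descriptor_xml):
    """Return (url, user, password-encrypted) so a migration can be verified."""
    drv = ET.fromstring(descriptor_xml).find(T("jdbc-driver-params"))
    return (drv.findtext(T("url")), user_property(drv).findtext(T("value")),
            drv.findtext(T("password-encrypted")))
```

Run driver_params on each rewritten file before restarting the server; a descriptor that still carries the Dev URL or Dev cipher text is the usual reason the data source fails to deploy.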

Duplicate Entitlement On Rename

We have an OOTB job which creates/manages entitlements in the ENT table. There's a major issue associated with this job.

Job Description: 
It reads the data from the Lookup which is on the child form of the Resource Object and whose "Entitlement" property is set to "True".

Issue Details:
Whenever we rename an entry in that lookup (the child form lookup with the "Entitlement" property set to "True"), the "Entitlement List" job creates another entry in the ENT table.

Expected Result: 
It should rename the existing entitlement.

Actual Result:
It creates another Entitlement with new name.

I found that there's no API published by Oracle to modify/rename an existing entitlement. There's one API, "modfiyEntitlementlist", which is published by Oracle, but it does a different thing. Here's the description of the API from the Oracle docs:

API Description:
Soft Deletes entitlement list row from entitlement list table by marking valid as 0 in the list of entitlements.

IT Resource Parameters API Source Code

Here's the method to print the parameter data of an IT Resource:

    import java.util.HashMap;

    import Thor.API.tcResultSet;
    import Thor.API.Operations.tcITResourceInstanceOperationsIntf;

    /**
     * Prints every parameter name/value pair of the named IT Resource.
     * Note: parameter values include credentials (e.g. the admin password), so keep this output out of shared logs.
     *
     * @param itResourceName   IT Resource Name
     * @param itResourceInstanceOperationsIntf
     * @throws Exception
     */
    private void printITResourceData(String itResourceName, tcITResourceInstanceOperationsIntf itResourceInstanceOperationsIntf) throws Exception {
        System.out.println("Printing IT Resource Data :: " + itResourceName);
        HashMap itresMap = new HashMap();
        itresMap.put("IT Resources.Name", itResourceName);
        // Find the IT Resource instance(s) matching the given name
        tcResultSet findITResourceResult = itResourceInstanceOperationsIntf.findITResourceInstances(itresMap);
        int findITResourceResultCount = findITResourceResult.getRowCount();
        System.out.println("findITResourceResultCount :: " + findITResourceResultCount);
        for (int i = 0; i < findITResourceResultCount; i++) {
            findITResourceResult.goToRow(i);
            long itResourceKey = findITResourceResult.getLongValue("IT Resources.Key");
            System.out.println("itResourceKey :: " + itResourceKey);
            // Fetch the parameter name/value pairs of this IT Resource instance
            tcResultSet itResourceParameters = itResourceInstanceOperationsIntf.getITResourceInstanceParameters(itResourceKey);
            for (int j = 0; j < itResourceParameters.getRowCount(); j++) {
                itResourceParameters.goToRow(j);
                String name = itResourceParameters.getStringValue("IT Resources Type Parameter.Name");
                String value = itResourceParameters.getStringValue("IT Resources Type Parameter Value.Value");
                System.out.println(name + " --> " + value);
            }
        }
    }

OIM 11g R2 PS3 : API Usage: AdminRoleService

Oracle has introduced new APIs for managing admin roles. You can create/modify/assign admin roles. Here's the usage of these APIs:

Note: These APIs can be run inside OIM only.

import java.util.List;

import oracle.iam.platform.Platform;
import oracle.iam.identity.adminroles.api.AdminRoleService;
import oracle.iam.identity.adminroles.vo.AdminRole;
import oracle.iam.identity.rolemgmt.vo.SearchRule; // assumed package for SearchRule; verify against the Javadoc of your OIM version

// Must run inside OIM (Platform.getService needs the server context), e.g. from a scheduled task or event handler.
// roleName is the admin role's internal name, e.g. "OrclOIMCertificationViewer".
private void printAdminRole(String roleName) throws Exception {
    AdminRoleService adminRoleService = Platform.getService(AdminRoleService.class);
    AdminRole adminRole = adminRoleService.getAdminRole(roleName);
    roleName = adminRole.getRoleName();
    long roleID = adminRole.getRoleId();
    String roleDescription = adminRole.getRoleDescription();
    String roleDisplayName = adminRole.getRoleDisplayName();
    List capabilities = adminRole.getCapabilities();
    SearchRule membershipRule = adminRole.getMembershipRule();
    String membershipRuleInternal = adminRole.getMembershipRuleInternal();
    System.out.println("Role Name :: " + roleName + " Role Display Name :: " + roleDisplayName);
    System.out.println("Membership Rule :: " + membershipRule + " Capabilities Size :: " + capabilities.size());
    System.out.println("Role ID :: " + roleID + " Role Description :: " + roleDescription);
}

API Output:

Role Name :: OrclOIMCertificationViewer Role Display Name :: Certification Viewer
Membership Rule :: null Capabilities Size :: 0
Role ID :: 23 Role Description :: Role can view all certification definitions, jobs, and instances.

ForgeRock : Few Features

I was exploring ForgeRock OpenIDM for a PoC and here are a few things which I was able to do.

  • Configured Self Registration Link
  • Configured Forgot Password
  • Configured Security Questions
  • Add Custom Security Challenge Question
  • Validation for Mobile Phone field
  • Maximum Security Challenge Attempts
  • Configured Auto Unlock Features

Everything is configurable through .json files.

Here are a couple of screens from the PoC (captions only; the screenshots are not reproduced here):

  • Self Registration
  • Custom Security Questions
  • Forgot Password Feature
  • That's Not My Salary ;)
  • Validation for Mobile Phone