It's all about SECURITY

OIM 11g R2 PS2 : High Level Step Installation


Here are the high-level steps for the OIM 11g R2 PS2 suite installation:

  • Installation of Database
  • Schema Creation Through RCU
  • Installation of WebLogic
  • Installation of SOA Suite
  • Mandatory Patches for SOA Suite (11.1.1.7) -> available under IAM Suite Disk 1
  • Installation of OIM Suite
  • WebLogic Domain Creation
  • Upgrading OPSS Schema using Patch Set Assistant
  • Configure Database Security Store for OIM Domain
  • Start Servers
  • Configuration of OIM Servers, Design Console

OIM 11g R2 PS2 : New Feature Screens


Here are some screens for OIM (Oracle Identity Manager) 11g R2 PS2 (11.1.2.2.0); each caption below labels a screenshot from the original post:

  • New Login Screen - New Look and Feel
  • Home Page
  • New Catalog Screen - Add Beneficiary Within the Same Screen
  • New Organization Screen (Certifier)
  • Membership Rule for Organization
  • Not Equal To in Membership Rule
  • System Entities in Sysadmin Console

Entitlement Revocation Information

Something to share (OIM 11g R2 PS1):

If entitlements get provisioned to users, we can verify this from the Entitlements tab under User Details, but if an entitlement gets revoked from a user, there is no way to find that information from the OIM user interface (an enhancement request can be opened with Oracle).

OIM is a tool for auditing, so I believed it must store that information somewhere, but where?

The answer is the table ENT_ASSIGN_HIST. It contains a column called VALID_TO_DATE which stores the revocation date.
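As an added example that is not part of the original post, the following query lists recent revocations from ENT_ASSIGN_HIST. Only the table name and VALID_TO_DATE come from the post; the join columns (USR_KEY, ENT_LIST_KEY, VALID_FROM_DATE) and the USR and ENT_LIST lookups are assumed from the OIM 11g R2 schema, so verify them against your own instance before relying on the output.

```sql
-- Added example, not from the original post. Assumed columns: ENT_ASSIGN_HIST.USR_KEY,
-- ENT_ASSIGN_HIST.ENT_LIST_KEY, ENT_ASSIGN_HIST.VALID_FROM_DATE, USR.USR_LOGIN,
-- ENT_LIST.ENT_DISPLAY_NAME. Run read-only against the OIM schema.
SELECT u.usr_login,
       el.ent_display_name,
       h.valid_from_date,
       h.valid_to_date                     -- populated when the entitlement was revoked
FROM   ent_assign_hist h
       JOIN usr      u  ON u.usr_key       = h.usr_key
       JOIN ent_list el ON el.ent_list_key = h.ent_list_key
WHERE  h.valid_to_date IS NOT NULL         -- still-assigned entitlements have no end date
AND    h.valid_to_date >= SYSDATE - 30     -- revocations in the last 30 days
ORDER  BY h.valid_to_date DESC;
```

Because the UI does not show revocations, a query like this is the only way to answer "who lost which entitlement, and when" during an audit; keep it read-only and run it with a reporting account rather than the schema owner.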

Provisioning Through API - OIM 11g R2 PS1

Here is the code to initiate provisioning of an application instance to a user through the OIM provisioning API:

import java.util.HashMap;

import oracle.iam.platform.authopss.exception.AccessDeniedException;
import oracle.iam.provisioning.api.ApplicationInstanceService;
import oracle.iam.provisioning.api.ProvisioningService;
import oracle.iam.provisioning.exception.ApplicationInstanceNotFoundException;
import oracle.iam.provisioning.exception.GenericAppInstanceServiceException;
import oracle.iam.provisioning.exception.GenericProvisioningException;
import oracle.iam.provisioning.exception.UserNotFoundException;
import oracle.iam.provisioning.vo.Account;
import oracle.iam.provisioning.vo.AccountData;
import oracle.iam.provisioning.vo.ApplicationInstance;
import oracle.iam.provisioning.vo.FormInfo;

public void provisionAccess(ProvisioningService provisioningService,
                            ApplicationInstanceService applicationInstanceService) {
    try {
        // Look up the application instance by its display name
        ApplicationInstance applicationInstance =
                applicationInstanceService.findApplicationInstanceByName("AD User");
        // The account (process) form attached to this application instance
        FormInfo accountForm = applicationInstance.getAccountForm();
        long formKey = accountForm.getFormKey();
        // Empty form data: no account-form attributes are pre-populated here
        AccountData accountData =
                new AccountData(String.valueOf(formKey), null, new HashMap<String, Object>());
        Account account = new Account(applicationInstance, accountData);
        // "1111" is the beneficiary's user key (USR_KEY); the calling identity
        // must be authorized to provision this user, otherwise AccessDeniedException is thrown
        provisioningService.provision("1111", account);
    } catch (ApplicationInstanceNotFoundException e) {
        e.printStackTrace();
    } catch (GenericAppInstanceServiceException e) {
        e.printStackTrace();
    } catch (AccessDeniedException e) {
        e.printStackTrace();
    } catch (UserNotFoundException e) {
        e.printStackTrace();
    } catch (GenericProvisioningException e) {
        e.printStackTrace();
    } catch (Exception e) {
        e.printStackTrace();
    }
}

Office 365 - Add / Remove License in Bulk

We can add/remove licenses in Office 365 from a CSV file. The CSV file contains the user principal names of all the users for whom you want to add or remove a license; its header must be UserPrincipalName.

And execute these commands:

Connect-MsolService    # prompts for the admin username and password

Get-MsolAccountSku | ft AccountSkuId

The command above returns values like :EXCHANGESTANDARD, prefixed with your tenant name; use that value as $AccountSkuId below.

Add License:

$AccountSkuId = "PROVIDE_VALUE_HERE"    # AccountSkuId from Get-MsolAccountSku
$UsageLocation = "PROVIDE_VALUE_HERE"   # two-letter country code, e.g. US, IN
$Users = Import-Csv C:\Users.csv        # CSV with a UserPrincipalName header
$Users | ForEach-Object {
    # A usage location must be set on the user before a license can be assigned
    Set-MsolUser -UserPrincipalName $_.UserPrincipalName -UsageLocation $UsageLocation
    Set-MsolUserLicense -UserPrincipalName $_.UserPrincipalName -AddLicenses $AccountSkuId
}

Remove License:

$AccountSkuId = "PROVIDE_VALUE_HERE"    # AccountSkuId from Get-MsolAccountSku
$UsageLocation = "PROVIDE_VALUE_HERE"   # two-letter country code, e.g. US, IN
$Users = Import-Csv C:\Users.csv        # CSV with a UserPrincipalName header
$Users | ForEach-Object {
    Set-MsolUser -UserPrincipalName $_.UserPrincipalName -UsageLocation $UsageLocation
    Set-MsolUserLicense -UserPrincipalName $_.UserPrincipalName -RemoveLicenses $AccountSkuId
}


FVC (Form Version Control Utility)

Description:

If we add new field(s) to a process form, those fields won't be available for the existing provisioned users, because their form data is still on the older form version.

Solution:

FVC (Form Version Control Utility) comes with OIM and updates the forms associated with existing users to the new form version.

OR

Update PROCESS_FORM_TABLE set PROCESS_FORM_TABLE_VERSION =
(Select SDK_ACTIVE_VERSION from SDK where SDK_NAME='PROCESS_FORM_TABLE');
COMMIT;

NOTE:

Replace PROCESS_FORM_TABLE with the actual process form table name, i.e. "UD_XXX" (the version column follows the same name with a _VERSION suffix).
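Before running the UPDATE above it helps to know which version is active and how many accounts are actually lagging behind it. The following is an added example, not from the original post; it uses UD_ADUSER as a stand-in for UD_XXX and assumes the SDK table also carries SDK_LATEST_VERSION next to SDK_ACTIVE_VERSION.

```sql
-- Added example, not from the original post. UD_ADUSER / UD_ADUSER_VERSION are
-- stand-ins for the real process form table and its <form>_VERSION column.
-- Assumes SDK.SDK_LATEST_VERSION exists alongside SDK.SDK_ACTIVE_VERSION.

-- 1. Which version of the form is active, and is a newer one defined but not yet active?
SELECT sdk_name, sdk_active_version, sdk_latest_version
FROM   sdk
WHERE  sdk_name = 'UD_ADUSER';

-- 2. How many provisioned accounts still point at an older form version?
SELECT ud_aduser_version, COUNT(*) AS accounts
FROM   ud_aduser
WHERE  ud_aduser_version <> (SELECT sdk_active_version FROM sdk WHERE sdk_name = 'UD_ADUSER')
GROUP  BY ud_aduser_version;

-- 3. Move only the lagging rows to the active version
--    (same effect as the UPDATE in the post, restricted to rows that actually change).
UPDATE ud_aduser
SET    ud_aduser_version = (SELECT sdk_active_version FROM sdk WHERE sdk_name = 'UD_ADUSER')
WHERE  ud_aduser_version <> (SELECT sdk_active_version FROM sdk WHERE sdk_name = 'UD_ADUSER');
COMMIT;

-- 4. Re-run step 2; it should now return no rows.
```

Step 2 doubles as the post-check. Note that the direct UPDATE only changes the version pointer: the newly added column stays empty for existing accounts, so any value those accounts need must still be populated separately.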

Weird Issue With LDAP/ICF Connector

Issue: 

Integrated ODSEE (LDAP) with OIM 11g R2 PS1 using the OID 11.1.1.5.0 connector. I wanted to test the reconciliation with one user, so I gave the filter as equalTo('uid','RAJIVDEWAN') and ran the reconciliation; no reconciliation event was generated.


Workaround: 

Changed the filter from:

equalTo('uid','RAJIVDEWAN')

to 

equalTo('uid','rajivdewan')


And I was able to see the reconciliation event. 

I don't know whether it's a connector issue or it's an ICF issue.

OIM - OIA Integration : Exception While Importing Data from OIM

Integration: OIM - OIA
Use Case: Import Users/Accounts etc
Exception:

Cause: java.sql.SQLException: Unable to start the Universal Connection Pool: oracle.ucp.UniversalConnectionPoolException: Invalid connection validation SQL statement

Expected Solution:
  1. Verify the connection parameters in oimjdbc.properties
  2. Verify the password property in iam-context.xml (the proper line must be commented out for the password)
  3. Make sure that oimjdbc.properties does not have spaces around "=" for these properties:
    • oim.jdbc.username
    • oim.jdbc.url
    • oim.jdbc.driverClassName
    • oim.jdbc.password.encrypted

ICF Usability Issue

I was working with an ICF connector and faced a usability issue. In older connectors, when some operation did not complete properly, we used to get meaningful responses like "CONNECTION_FAILURE", "USER_ALREADY_EXIST", "USER_ALREADY_DISABLED" etc. In an ICF connector, though we have different responses defined in the Responses tab, most of the time it returns only "CONNECTOR_EXCEPTION".
Task responses don't tell you anything about the cause of the failure, so every time we are dependent on the connector logs.

We have defined different levels for OIM support: L1, L2 and L3. L2 people just use the OIM UI to find the root cause of an issue, as they are not OIM guys, and L3 people go through the logs to find the root cause. But after using an ICF connector, it seems that we'll have to remove L2 support from OIM projects and add more people to L3 support. ;-)