MERRY CHRISTMAS AND HAPPY NEW YEAR 2016

Identity And Access Management - Rajiv Dewan

OIM Connectors: Office 365, ServiceNow, RestAPI, SalesForce


Oracle has released few new connectors for Oracle Identity Manager:


  • Office 365
  •  ServiceNow
  •  Generic REST 
  • SalesForce

These connectors can be downloaded from below link:

http://www.oracle.com/technetwork/middleware/id-mgmt/downloads/connectors-101674.html

Sample Code: OIM API Code for Provision Application Instance

Here is the sample OIM API code for submitting request for Provision Application Instance:



public void submitProvisionRequest(RequestService requestService) throws InvalidRequestException, InvalidRequestDataException, RequestServiceException, BulkBeneficiariesAddException, BulkEntitiesAddException{
      
        String beneficiaryKey = "141";
        String applicationInstanceName = "ActiveDirectory";
        String applicationInstanceKey = "14";
        RequestData requestData = new RequestData();
        Beneficiary beneficiary = new Beneficiary();
      
        beneficiary.setBeneficiaryKey(beneficiaryKey);
        beneficiary.setBeneficiaryType(Beneficiary.USER_BENEFICIARY);

        RequestBeneficiaryEntity requestEntity = new RequestBeneficiaryEntity();
        requestEntity.setRequestEntityType(OIMType.ApplicationInstance);
        requestEntity.setEntitySubType(applicationInstanceName);
        requestEntity.setEntityKey(applicationInstanceKey);
        requestEntity.setOperation(RequestConstants.MODEL_PROVISION_APPLICATION_INSTANCE_OPERATION);

      
        List targetEntities = new ArrayList();
        targetEntities.add(requestEntity);

        beneficiary.setTargetEntities(targetEntities);

        List beneficiaries = new ArrayList();
        beneficiaries.add(beneficiary);
        requestData.setBeneficiaries(beneficiaries);
      
        String requestID = requestService.submitRequest(requestData);
        System.out.println("Request ID :: " + requestID);
    }

OIM - SOA : Value too large for column "WFMESSAGEATTRIBUTE"."STRINGVALUE"

Issue Description:

For every request in OIM, OIM User Interface allows justification of 4000 characters but if you provide justification of 4000 characters, you will see error in the SOA Logs:

ORA-12899: value too large for column "_SOAINFRA"."WFMESSAGEATTRIBUTE"."STRINGVALUE" (actual: 4000, maximum: 2000) 

which means SOA supports justification of maximum of 2000 characters.

Workaround:
Put a solution in OIM UI (can be done in many ways) to restrict users from entering justification of more than 2000 characters.


Disconnected Weird Issue - Deployment Manager Import

Disconnected Applications

Weird issue while migrating disconnected applications from one environment to another environment.

Details:

There were two disconnected applications with below names:
  1. RajivDewan
  2. Rajiv

There's no issue while importing first application "RajivDewan" but when you try to import another one "Rajiv" then you will face below issue :

com.thortech.xl.ddm.exception.DDMException: Object specified is invalid.Rajiv [ApplicationInstance]

Reason:
This error comes at the time of importing application instance when application instance name is a sub-string of existing application instance name.

Solution:
Do not create application instance with similar names to avoid this issue

Workaround:
  • Change the existing application instance name from the database for time being
  • Import the second application instance
  • Rollback the name of existing (old) application instance






Note:
There's a support note on this issue but that doesn't contain the workaround.

OIM Deployment Manager Import DDM Exception Error

Sometimes we see a common error (refer below screenshots) while import the XML through Deployment Manager. On the screen it shows error: "Error encountered while reading the file."





When you see the server logs, you'll find below lines:

DDMException: Version m.n.o is not accepted by DDM Version a.b.c



This error comes due to DDM version mismatch. Error message tells you the DDM version of OIM Server and DDM version of XML. As per screenshot:

OIM Server DDM Version: 2.0.2.1
XML DDM Version: 11.1.2.2.0

To resolve this issue, you can edit the XML file manually and replace the existing DDM version with OIM Server's DDM version. It should look same as below screenshot:



On replacing the DDM version, save the XML file and try to re-import. It should work (always worked for me) ;)

OIM Coding Standard: Do's and Don'ts


I am not an expert but here are few Do's and Don't s based on my experience:

Do's

  • Make use of Loggers
  • Use different level of Logger Level based upon data you want to print
  • Each method must have the "Entering" and "Exiting" statements
  • Must print atleast "User Login" in Entering Statement
  • Use organization specific package and class names
  • Maintain minimum jar files
  • Make minimum use of class variables
  • Make minimum OIM API instances or Database Connection
  • Each class and method must have Java Comments
  • Make use of Try/Catch and Throws/Throw for Error Handling
  • Use meaningful names for variables and java class
  • Make use of Lookups, System Properties for storing configurable parameters
  • Close the OIM API Instances and Database at the end of Operation
  • Must print the error message before throw statement and inside catch block


Don't:

  • Do not hard code anything
  • Do not use System.out.println in Java Code
  • Do not print password in Java Code
 

OIM URLs for different pages of OIM and Forgot Password

I am just pasting few URLs for UI Customization in OIM. These are listed in Oracle Documents but I am just keeping it here for quick reference:




  • User Registration: /identity/faces/register
  • Forgot Password: /identity/faces/forgotpassword
  • First Time Login: /identity/faces/firstlogin?action=setchallenges

     
  • You can show/hide challenge question answers in Forgot Password Page 
  • You can add custom message in First Time Login screen (Screenshot attached) 
  • You customize registration page
If you want to add custom challenge questions, Go to Lookup: Lookup.Webclient.Questions and add your questions.  You may have to restart the server




Note:

It seems that we can add maximum of 10 questions for Forgot Password Functionality. I will confirm once I test this configuration.

Manage Direct Role Members Through Membership Rules

Problem Summary:  
Managing the role membership of Direct Members through membership rules

Problem Description:

We have a role with some membership rule but we have assigned this role to few users through API as well. Tomorrow if we change the existing membership rule then these direct users won't come out of the role automatically based on the new membership rule. Someone has to remove these users from role manually or programmatically if we change the membership rule.

Solution:

Update USG set USG_PROV_MECHANISM ='Rule-Based Role-Assignment', USG_RULE_BASED=1, USG_PROV_BY=ROLE_KEYwhere UGP_KEY=ROLE_KEY and USG_RULE_BASED is null;

NOTE: ROLE_KEY is the key of the role/group.

After running this query, now if you modify the membership rule then these users will come out of the role automatically. No need to remove the role from Direct Members manually or through programmatically. They will taken care by Oracle Identity Manager..





Upload Jar Through Eclipse JDeveloper

Upload Jar Through Eclipse/Jdeveloper:

No need to run the UploadJar Utility through command line



public void uploadJar(PlatformUtilsService platformUtilsService) throws PlatformServiceException{
        String METHODNAME = "uploadJar() :: ";
        System.out.println( METHODNAME +"ENTERING");
        JarElement jarElement = new JarElement();
        jarElement.setName("CustomScheduleTasks.jar");
        jarElement.setPath("/tmp/CustomScheduleTasks.jar");
        jarElement.setType("ScheduleTask");
       
        Set jarElementSet = new HashSet();
        jarElementSet.add(jarElement);
       
        platformUtilsService.uploadJars(jarElementSet );
        System.out.println(METHODNAME + "EXITING" );
    }

    


Note: /tmp/ is the directory on OIM Server with read permissions on the file

Weblogic Password Decrypt

Recover the forgotten password of weblogic:


Run setWLSEnv.sh or setDomainEnv.sh
And run below code:

public static void main(String[] args) {
System.out.println("Weblogic Password Decryptor");
String path = "/opt/Oracle/user_projects/domains/base_domain/security"; 


// Path for SerializedSystemIni.dat file
 

String encryptPassword = "{AES}GaEknL4mi65+nUpsoSttcNMfDA8QUX+k6DkEQl4pePw="; 

// You can find this value from boot.properties of config.xml
 

ClearOrEncryptedService ces = new ClearOrEncryptedService(SerializedSystemIni.getEncryptionService(path));
 

encryptPassword = encryptPassword .replace("\\", "");
System.out.println("Plain Text Password :: " + ces.decrypt(encryptPassword));

}


Note:

You can run this code in your local by copying SerializedSystemIni.dat file on your local machine but you must have Middleware Home on your local machine