Extending the connector in OIM (for OUD Provisioning)

•   Here we are going to discuss the steps required in detail, to extend a connector in OIM for provisioning to target system. Steps are similar for OOTB connectors like OUD/OID/AD connector.
•  In this blog, we are extending OUD connector for a custom field MySSN as per the project  requirement.
•  It is divided into 2 sections. First section for user creation and second section for user modification.

     1.        Attribute to propagate to OUD for user creation:

•  Consider a new custom field is created in OIM user form as MySSN as below.

•          Create MySSN field in OUD process form in Design Console under Form Designer.

• To prepopulate the value from user form to process form do below configuration in pre- populate tab of process form.

•   Go to sysadmin console------> create a sandbox ------> create a new form ----->Attach new form to OUD Application Instance -------->publish sandbox
•  Go to  Lookup.LDAP.UM.ProvAttrMap and add MySSN value as below

   ( It will be Lookup.OID.UM.ProvAttrMap in case of OID connector and                        Lookup.AD.UM.ProvAttrMap in case of AD connector )

    code key -------> OIM value (as per process form Field Label)

    decode key -------> OUD value (in this case it is postalCode)

    (These values are case sensitive; provide exact correct values)

• Now if provision a new user to OUD MySSN value should propagate from OIM to OUD.

2.        Modification in user form attribute to propagate to OUD:

•  Create two tasks as Change MySSN and MySSN Updated in process definition of LDAP User.

     (Always name of tasks must be Change Label & Label Updated. Change Label task will trigger        the Label Updated task.)

• Change MySSN task will bring the changes from OIM User form to Process form and MySSN Updated task will bring changes from OIM process form to OUD Target.

         Change MySSN Task 

   

        MySSN Updated Task:

•   Now if we change MySSN value in OIM user form, then go to resource history of already provisioned account of OUD, and add Task Change MySSN, then MySSN Updated task will auto trigger and propagate the modified value to OUD.
• However, to automate this process we need to make changes in Lookup.USR_PROCESS_TRIGGERS lookup.

      Lookup.USR_PROCESS_TRIGGERS

• Here USR_UDF_MYSSN is the USR DB column name and Change MySSN is the exact task name.

• This is used to automate the trigger of Change MySSN Task if MySSN attribute changed in OIM User Form.
• Change MySSN Task in turn triggers MySSN Updated Task, which updates MySSN value in OUD.

    Testing:

•  Created a new user in OIM with MySSN value as 760001 and the same value propagated to OUD while user creation.

• Now modify the value in OIM user form to 560045 and found that the same value reflected in OUD.

     

•         Check in Resource History that Change MySSN and MySSN Updated Tasks triggered as expected.

*************Thanks For Visiting**************

Decrypt weblogic Credential (boot.properties Credential)

·         Create a file named decrypt_wlscredential.py under DOMAIN_HOME/security.  

    from weblogic.security.internal import *

    from weblogic.security.internal.encryption import *

    encryptionService = SerializedSystemIni.getEncryptionService(".")

    clearOrEncryptService = ClearOrEncryptedService(encryptionService)

    # Take encrypt password from user

    usr = raw_input("Paste encrypted username ({AES}fk9EK...): ")

    pwd = raw_input("Paste encrypted password ({AES}abcd1234…): ")

   # Delete unnecessary escape characters

  prepusr = usr.replace("\\", "")

  preppwd = pwd.replace("\\", "")

  # Display password

  print "Weblogic User is: " + clearOrEncryptService.decrypt(prepusr)

  print "Decrypted Password is: " + clearOrEncryptService.decrypt(preppwd)

·         Set domain environment variables using below script. 

cd DOMAIN_HOME/bin
source setDomainEnv.sh  

·         Copy the encrypted username and password from DOMAIN_HOME/servers/AdminServer/security/boot.properties.

It will be similar to {AES}abcd123…. 

username= {AES}mcXAr6waMC4pchqOuYnDrDWd7JhB4NX9sVnbDBI3DN8=

password= {AES}HgrXPpfgEEGsFJe0erD6HSpvX0FVrEGGOiwOIGumosQ=

·         Execute decrypt_wlsadminpwd.py script using WLST. When prompted paste the encrypted password.

cd DOMAIN_HOME/security
java weblogic.WLST decrypt_wlspwd.py 

·         Provide the credentials as copied earlier from boot.properties 

  

·         The Decrypted Username and Password will be provided as shown above.

                                          *****Thanks for Visiting*****

Code to get IT Resource properties in OIM

• It is necessary to get IT Resource properties in OIM to know connection parameters of target system in OIM; specially the password which is encrypted.
• This method is useful for many requirements like developing a connector or a scheduler.
• The below code can be used for the same with minor changes as per the environment.
• Required to change the OIM host & port and its credentials and the path of authwl.conf to connect to OIM environment.
• Required to change IT Resource name and its paremeters   

         e.g.here ITR name is DSEE Server and parameters are baseContexts,principal,credentials etc.

         

CODE

package com.code;

import java.sql.Connection;

import java.sql.DriverManager;

import java.util.HashMap;

import java.util.Hashtable;

import java.util.Map;

import javax.security.auth.login.LoginException;

import oracle.iam.platform.OIMClient;

import oracle.iam.platform.Platform;

import Thor.API.tcResultSet;

import Thor.API.Exceptions.tcAPIException;

import Thor.API.Exceptions.tcColumnNotFoundException;

import Thor.API.Exceptions.tcITResourceNotFoundException;

import Thor.API.Operations.tcITResourceInstanceOperationsIntf;

import Thor.API.Operations.tcLookupOperationsIntf;

public class GetITResourceProperties {

private static OIMClient oimClient;

static Map<String, String> mapITResource = new HashMap<String, String>();

public static void main(String[] args) {

GetITResourceProperties obj = new GetITResourceProperties();

try {

oimClient = obj.oimClient();

mapITResource = obj.getITResourcesProperties("DSEE Server");//Provide correct IT Resource Name

String url = (String) mapITResource.get("baseContexts");

String user = (String) mapITResource.get("principal");

String password = (String) mapITResource.get("credentials");

System.out.println("url : " + url);

System.out.println("user : " + user);

System.out.println("password : " + password);

} catch (LoginException e) {

e.printStackTrace();

} catch (Exception e) {

e.printStackTrace();

}

}

public OIMClient oimClient() throws LoginException {

System.out.println("Creating client....");

String ctxFactory = "weblogic.jndi.WLInitialContextFactory";

String serverURL = "http://localhost:14000"; //Provide correct OIM Host & Port Name

System.setProperty("java.security.auth.login.config",

"E:\\Auth\\authwl.conf");            //Provide correct path of authwl.conf

System.setProperty("APPSERVER_TYPE", "wls");

String username = "xelsysadm";

char[] password = "Abcd1234".toCharArray();

Hashtable<String, String> env = new Hashtable<String, String>();

env.put(OIMClient.JAVA_NAMING_FACTORY_INITIAL, ctxFactory);

env.put(OIMClient.JAVA_NAMING_PROVIDER_URL, serverURL);

oimClient = new OIMClient(env);

System.out.println("Logging in");

oimClient.login(username, password);

System.out.println("Log in successful");

return oimClient;

}

private static Map<String, String> getITResourcesProperties(

String itResourceName) {

System.out.println("Inside getITResourcesProperties method");

tcITResourceInstanceOperationsIntf resourceFactory = null;

long vdResourceKey = 0L;

Map<String, String> result = new HashMap<String, String>();

try {

resourceFactory = (tcITResourceInstanceOperationsIntf) oimClient

.getService(tcITResourceInstanceOperationsIntf.class);

Map<String, String> filter = new HashMap<String, String>();

filter.put("IT Resource.Name", itResourceName);

tcResultSet resources = resourceFactory.findITResourceInstances(filter);

vdResourceKey = resources.getLongValue("IT Resource.Key");

System.out.println("IT Resource key : " + vdResourceKey);

tcResultSet params = resourceFactory.getITResourceInstanceParameters(vdResourceKey);

for (int j = 0, objectRowCount = params.getRowCount(); j < objectRowCount; j++) {

params.goToRow(j);

result.put(params.getStringValue("IT Resources Type Parameter.Name"),

params.getStringValue("IT Resource.Parameter.Value"));

}

} catch (tcAPIException e) {

e.printStackTrace();

} catch (tcColumnNotFoundException e) {

e.printStackTrace();

} catch (tcITResourceNotFoundException e) {

e.printStackTrace();

} catch (Exception e) {

e.printStackTrace();

}

return result;

}

}

                  

                                                   *****Thanks for visiting*****

OAM Custom Login Page (with Alert and Error Messages)

• For many applications it is a primary requirement to provide a client specific login page where their company logo or messages should be displayed.
• An OAM resource should prepare this login page which will be thrown to user when the resource is accessed.
• Mostly .jsp or .html pages are used as a custom login page in OAM.
• Here a .html page is used as a login page which has username and password fields and a submit button to post the credentials.
• It displays alert messages to user if username or password field left blank. Most Importantly it also provides OAM Error messages on the page if wrong username or password is provided.
• <scipt> tag is used to write the scripts in the .html page which will show the alert and error messages.
• In this page validate() function is used for alert messages and ReadCookie() function is used for OAM error messages.
• This page can be used as a login page for any application just by changing the path of .css and image files and most importantly the auth_cred_submit url which should have oam_host: port as below:

        action=http://oam_host:oam_port/oam/server/auth_cred_submit

• Please find below the code for html page. Copy and paste the contents in a notepad and save as MyPage.html page.

  Code for the Login page

            

 <html lang="en">

<head>

<meta charset="utf-8">

<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">

<title>Login to My Application</title>

<img src="images/child.jpg" alt="Child" height="200" width="200">

<link rel="stylesheet" href="images/style.css">

</head>

 <script type="text/javascript">

  function trim(s)

    {

    return s.replace( /^\s*/, "" ).replace( /\s*$/, "" );

    }

  function validate() {

    var x = document.forms["frmLogin"]["username"].value;

    if (x == "") {

        alert("Login is Empty");

        return false;

    }

var y = document.forms["frmLogin"]["password"].value;

    if (y == "") {

        alert("Password is Empty");

        return false;

    }

}

function ReadCookie() {

var id = getUrlVars()["p_error_codes_list"];

if (id == "OAM-2") {

            var data="<b>UserID or Password is not Correct</b>";

            document.getElementById('mylocation').innerHTML="<span style=\"color:red\">" + data + "</span>";

            }

            else if (id == "OAM-1") {

            var data="<b>An incorrect Username or Password is specified</b>";

  document.getElementById('mylocation').innerHTML="<span style=\"color:red\">" +              data + "</span>";

            }

            else if (id == "OAM-8") {

            var data="<b>Authentication failed</b>";

            document.getElementById('mylocation').innerHTML="<span style=\"color:red\">" + data + "</span>";            }

}

function getUrlVars() {

    var vars = [], hash;

    var hashes = window.location.href.slice(window.location.href.indexOf('?') + 1).split('&');

    for(var i = 0; i < hashes.length; i++)

    {

        hash = hashes[i].split('=');

        vars.push(hash[0]);

        vars[hash[0]] = hash[1];

    }

    return vars;

}

</script>

<style>

body {

                        background-color:#6694CF;

     }

</style>

<div Style="position:absolute; visibility:show; left:5px; top:5px;">

   <!--img src="images/ascena-eprocurement-color.png" width="65%"/-->

</div>

<body onload="ReadCookie()">

<section class="container">

    <div class="login">

      <h1>Login to aPP</h1>

 <form name="frmLogin" onSubmit="return validate()" action="http://localhost:14100/oam/server/auth_cred_submit"method="post">       

 <p><input type="text" name="username" placeholder="Username"></p>

<p><input type="password" name="password" placeholder="Password"></p>

 <p><input name="request_id" value="<%=reqId%>" type="hidden"></p>

 <p><input type="submit" name="sSubmit" value="Login"></p>        

 <label id="mylocation"></label>

      </form>

 <div class="login-help">

 <p>Forgot your password? <a href="http://localhost:7001/console">Click here to reset it</a>.</p>

    </div>

  </section>

</body>

</html>

•          Keep this page under htdocs folder of OHS. 

•  Create an Authentication scheme as MyScheme as per below screenshot.  

•      If want a .jsp page, modify the page accordingly (use <% tag instead of script); then it should be deployed in OAM server as a .war file and the Authentication scheme should be as below.

• Create an Authentication policy MyPolicy using Myscheme and protect the required resource with that policy.
• Gives Alert and Error messages as below: 

   

     

                                             ******Thanks for visiting*****

Enabling Custom Logging in OIM

• The logger configuration file is present at below location 

/appl/iam/middleware/user_projects/domains/oim_domain/config/fmwconfig/servers/oim_server1 /logging.xml 

•  IMPORTANT NOTE:  

  Take the backup of the logging.xml file before updating any new changes.

Steps Followed: 

• Add the log_handler as required in the xml file. Below example shows the log_handler structure.  

<log_handler name='My-Test-handler' level='FINEST' class='oracle.core.ojdl.logging.ODLHandlerFactory'>

<property name='logreader:' value='off'/>

<property name='path' value='/appl/iam/middleware/user_projects/domains/oim_domain/servers/oim_server1/logs/Custom/MyTestLog.log'/>

<property name='format' value='ODL-Text'/>

<property name='useThreadName' value='true'/>

<property name='locale' value='en'/>

<property name='maxFileSize' value='5242880'/>

<property name='maxLogSize' value='52428800'/>

<property name='encoding' value='UTF-8'/>

</log_handler> 

• Include the log_handler added in the loggers section.Below example shows the format to add the log_handler. 

<loggers>             

<logger name="MyTestLogger" level="TRACE:32" useParentHandlers="false">

<handler name="My-Test-handler"/>

<handler name="console-handler"/>

</logger>  

•  Create the object of the logger class in the java code written for OIM. Below mentioned lines of code shows the package to be imported and the logger class to be created in the java class. 

import oracle.core.ojdl.logging.ODLLogger;

public class TestClass {

      ODLLogger logger = ODLLogger.getODLLogger("MyTestLogger");

protected void testMethod(String resourceObject) {

logger.info("its my test log message");

}} 

• The logging level can be chosen as required. PFB table.

Java Level	ODL Message Type: Level
SEVERE.intValue()+100	INCIDENT_ERROR:1
SEVERE	ERROR:1
WARNING	WARNING:1
INFO	NOTIFICATION:1
CONFIG	NOTIFICATION:16
FINE	TRACE:1
FINER	TRACE:16
FINEST	TRACE:32

  

Installation of OIM using pre-existing Database and Schema

·         Sometimes because of some misconfigurations or human errors/mistakes OIM environments get corrupted or not responding properly. So it’s required to reinstall OIM to set up the environment again. 

·         This blog explains similar scenario where we reinstalling OIM without touching our DB & RCU. Here our new OIM domain is going to point the same existing database. 

·         This blog is going to explain only the steps need to be followed in sequence. General installation steps with screenshots are not shown here.

·         Only the necessary steps which are different than fresh installation are explained thoroughly.

STEPS

1.             Not required to install DB and RCU again as it is going to point the existing DB/RCU.

2.             Install JDK 1.6 or JDK 1.7 using general steps.

3.             Install weblogic 10.3.6 using general steps.

4.             Install SOA using general steps.

5.             Install IAM software using general steps.

6.             Create Domain for OIM pointing to existing DB/schema. Provide old DB and schema details. 

The next steps will be different than the steps of fresh installation which will be our point of interest.

7.        OPSS Configuration / Configure Database Security Store using join operation.

OPSS JOIN:

• The security store with in your DB is encrypted using an encryption key. The first step is to get that key exported.
• Let's assume oimdomain1 is the domain initially configured with the security store and oimdomain2 is the new domain that needs to be associated.  

i)     First export the encryption key using below command –

cd $MW_HOME/oracle_common/common/bin

./wlst.sh  

exportEncryptionKey(jpsConfigFile=”MW_HOME/user_projects/domains/oimdomain1/config/fmwconfig/jpsconfig.xml",keyFilePath=”MW_HOME/user_projects/domains/oimdomain1/config/fmwconfig/key_opss”, keyFilePassword=”q1w2e3r4”)

(keyFilePassword is the password that used to create old opss security store)

• Then copy the generated key_opss file from old domain to new domain. 

ii)    Associate the security store with the new domain oimdomain2. 

cd $MW_HOME/oracle_common/common/bin 

./wlst.sh MW_HOME /Oracle_IDM1/common/tools/configureSecurityStore.py -d MW_HOME /user_projects/domains/oimdomain2 -c IAM -p Oracle123 -m join -k MW_HOME/ user_projects/domains/ oimdomain2/config/fmwconfig/key_opss -w q1w2e3r4  

(Here Oracle123 is the OPSS schema password and q1w2e3r4 is the keyfile password) 

iii)  Then validate its proper or not. 

<MW_HOME>/oracle_common/common/bin 

./wlst.sh MW_HOME/Oracle_IDM1/common/tools/configureSecurityStore.py -d /opt/oracle/apps/Middleware/user_projects/domains/oimdomain2 -m validate

8.       Copy .xldatabasekey file from Middleware_Home/user_projects/domains /oimdomain1/config/fmwconfig   location of old domain to corresponding location of new domain.

9.       Proceed to OIM configuration using general steps.

10.   After configuring OIM, copy 3 files cwallet.so, default_keystore.jks and xlserver.crt files from Middleware_Home/user_projects/domains /oimdomain1/config/fmwconfig location of old domain to corresponding location of new domain.

11.   Restart OIM admin and managed servers.




******************************Thanks for Visiting*********************************