Monday 18 June 2018

Decrypt weblogic Credential (boot.properties Credential)



·         Create a file named decrypt_wlscredential.py under DOMAIN_HOME/security.  


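    from weblogic.security.internal import *
    from weblogic.security.internal.encryption import *

    # SerializedSystemIni.dat is resolved relative to the working directory, so
    # run this from DOMAIN_HOME/security: the key of another domain cannot
    # decrypt these values.
    encryptionService = SerializedSystemIni.getEncryptionService(".")
    clearOrEncryptService = ClearOrEncryptedService(encryptionService)

    # Take the encrypted {AES}... values from the user. The prompts are plain
    # ASCII on purpose: Jython 2 rejects non-ASCII source without a coding
    # declaration, which the original "..." character triggered.
    usr = raw_input("Paste encrypted username ({AES}fk9EK...): ")
    pwd = raw_input("Paste encrypted password ({AES}abcd1234...): ")

    # Values pasted from boot.properties may carry backslash escapes (e.g. before
    # '=') and stray whitespace; strip both before handing them to the decryptor.
    prepusr = usr.strip().replace("\\", "")
    preppwd = pwd.strip().replace("\\", "")

    # Display the clear-text values. They go to stdout, so do not run this with
    # output redirected into a shared log file.
    print "Weblogic User is: " + clearOrEncryptService.decrypt(prepusr)
    print "Decrypted Password is: " + clearOrEncryptService.decrypt(preppwd)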


·         Set the domain environment variables using the commands below.

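# Replace DOMAIN_HOME with the domain directory. The script must be sourced
# (not executed) so the variables stay in this shell; the explicit ./ path
# avoids a PATH lookup, which `source name` without a slash performs first.
cd DOMAIN_HOME/bin
. ./setDomainEnv.sh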


·         Copy the encrypted username and password from DOMAIN_HOME/servers/AdminServer/security/boot.properties.
The values will look similar to {AES}abcd123....


username= {AES}mcXAr6waMC4pchqOuYnDrDWd7JhB4NX9sVnbDBI3DN8=
password= {AES}HgrXPpfgEEGsFJe0erD6HSpvX0FVrEGGOiwOIGumosQ=
·         Execute the decrypt_wlscredential.py script (created in the first step) using WLST. When prompted, paste the encrypted username and then the encrypted password.
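# Run from DOMAIN_HOME/security so the script finds SerializedSystemIni.dat;
# the script name matches the file created in the first step.
cd DOMAIN_HOME/security
java weblogic.WLST decrypt_wlscredential.py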

·         Provide the credentials as copied earlier from boot.properties 
  

·         The decrypted username and password are then printed, as shown above.







Code to get IT Resource properties in OIM



  • It is necessary to read the IT Resource properties in OIM to learn the connection parameters of the target system, especially the password, which is stored encrypted.
  • This is useful for many requirements, such as developing a connector or a scheduler.
  • The code below can be used for this with minor changes for the environment.
  • Change the OIM host and port, the OIM credentials and the path of authwl.conf to match the OIM environment.
  • Change the IT Resource name and its parameters;
         e.g. here the ITR name is DSEE Server and the parameters are baseContexts, principal, credentials etc.
         


CODE


package com.code;

import java.io.Console;
import java.sql.Connection;
import java.sql.DriverManager;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.Map;
import javax.security.auth.login.LoginException;
import oracle.iam.platform.OIMClient;
import oracle.iam.platform.Platform;
import Thor.API.tcResultSet;
import Thor.API.Exceptions.tcAPIException;
import Thor.API.Exceptions.tcColumnNotFoundException;
import Thor.API.Exceptions.tcITResourceNotFoundException;
import Thor.API.Operations.tcITResourceInstanceOperationsIntf;
import Thor.API.Operations.tcLookupOperationsIntf;

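public class GetITResourceProperties {

    /** JNDI initial context factory for an OIM hosted on WebLogic. */
    private static final String CTX_FACTORY = "weblogic.jndi.WLInitialContextFactory";

    /**
     * Entry point: logs in to OIM, reads the parameters of one IT Resource and
     * prints its connection details.
     *
     * <p>The IT Resource name is taken from the first program argument and
     * defaults to {@code "DSEE Server"}. The printed {@code credentials} value
     * is the clear-text target password, so run this only where stdout is not
     * captured into a shared log.
     *
     * @param args optional IT Resource name
     */
    public static void main(String[] args) {
        String itResourceName = args.length > 0 ? args[0] : "DSEE Server"; // Provide correct IT Resource Name
        GetITResourceProperties obj = new GetITResourceProperties();
        OIMClient client = null;
        int exitCode = 0;
        try {
            client = obj.oimClient();
            Map<String, String> mapITResource = getITResourcesProperties(client, itResourceName);
            String url = mapITResource.get("baseContexts");
            String user = mapITResource.get("principal");
            String password = mapITResource.get("credentials");
            System.out.println("url : " + url);
            System.out.println("user : " + user);
            System.out.println("password : " + password);
        } catch (LoginException e) {
            System.err.println("OIM login failed: " + e.getMessage());
            e.printStackTrace();
            exitCode = 1;
        } catch (Exception e) {
            System.err.println("Could not read IT Resource '" + itResourceName + "': " + e.getMessage());
            e.printStackTrace();
            exitCode = 1;
        } finally {
            // Release the server session even when the lookup failed.
            if (client != null) {
                client.logout();
            }
        }
        if (exitCode != 0) {
            System.exit(exitCode);
        }
    }

    /**
     * Creates an {@link OIMClient} and logs in.
     *
     * <p>Connection settings come from system properties so that no credential
     * has to live in source control:
     * <ul>
     *   <li>{@code oim.url} - provider URL (default {@code http://localhost:14000})</li>
     *   <li>{@code oim.user} - login user (default {@code xelsysadm})</li>
     *   <li>{@code oim.password} - login password; when unset it is read from the
     *       console without echo</li>
     *   <li>{@code java.security.auth.login.config} - path of authwl.conf; set to
     *       {@code E:\Auth\authwl.conf} only if not already defined</li>
     * </ul>
     *
     * @return a logged-in client; the caller should {@code logout()} it when done
     * @throws LoginException if OIM rejects the credentials
     * @throws IllegalStateException if no password is configured and no console is available
     */
    public OIMClient oimClient() throws LoginException {
        System.out.println("Creating client....");
        String serverURL = System.getProperty("oim.url", "http://localhost:14000"); // Provide correct OIM Host & Port Name
        if (System.getProperty("java.security.auth.login.config") == null) {
            System.setProperty("java.security.auth.login.config",
                    "E:\\Auth\\authwl.conf"); // Provide correct path of authwl.conf
        }
        System.setProperty("APPSERVER_TYPE", "wls");
        String username = System.getProperty("oim.user", "xelsysadm");
        char[] password = readPassword(username);

        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(OIMClient.JAVA_NAMING_FACTORY_INITIAL, CTX_FACTORY);
        env.put(OIMClient.JAVA_NAMING_PROVIDER_URL, serverURL);

        OIMClient client = new OIMClient(env);
        System.out.println("Logging in");
        try {
            client.login(username, password);
        } finally {
            // Do not keep the secret in memory longer than the login call needs it.
            Arrays.fill(password, '\0');
        }
        System.out.println("Log in successful");
        return client;
    }

    /**
     * Returns the OIM login password from the {@code oim.password} system
     * property or, failing that, from the console without echo.
     *
     * @param username user shown in the console prompt
     * @return the password characters (owned by the caller, who should clear them)
     * @throws IllegalStateException if neither a property nor a console is available
     */
    private static char[] readPassword(String username) {
        String fromProperty = System.getProperty("oim.password");
        if (fromProperty != null) {
            return fromProperty.toCharArray();
        }
        Console console = System.console();
        if (console == null) {
            throw new IllegalStateException("Set -Doim.password or run from an interactive console");
        }
        return console.readPassword("Password for %s: ", username);
    }

    /**
     * Looks up an IT Resource by name and returns its parameters as a
     * name-to-value map.
     *
     * @param client a logged-in OIM client
     * @param itResourceName exact value of the "IT Resource.Name" column
     * @return parameter name to value; empty if the resource has no parameters
     * @throws IllegalArgumentException if no IT Resource with that name exists
     * @throws tcAPIException on any OIM API failure
     * @throws tcColumnNotFoundException if a result set lacks an expected column
     * @throws tcITResourceNotFoundException if the resource key is not found
     */
    private static Map<String, String> getITResourcesProperties(OIMClient client, String itResourceName)
            throws tcAPIException, tcColumnNotFoundException, tcITResourceNotFoundException {
        System.out.println("Inside getITResourcesProperties method");
        tcITResourceInstanceOperationsIntf resourceFactory =
                (tcITResourceInstanceOperationsIntf) client.getService(tcITResourceInstanceOperationsIntf.class);
        Map<String, String> result = new HashMap<String, String>();
        try {
            Map<String, String> filter = new HashMap<String, String>();
            filter.put("IT Resource.Name", itResourceName);
            tcResultSet resources = resourceFactory.findITResourceInstances(filter);
            // An unknown name used to fall through to getLongValue on an empty
            // result set; fail with a clear message instead.
            if (resources.getRowCount() == 0) {
                throw new IllegalArgumentException("No IT Resource named '" + itResourceName + "'");
            }
            resources.goToRow(0);
            long vdResourceKey = resources.getLongValue("IT Resource.Key");
            System.out.println("IT Resource key : " + vdResourceKey);
            tcResultSet params = resourceFactory.getITResourceInstanceParameters(vdResourceKey);
            int rowCount = params.getRowCount();
            for (int j = 0; j < rowCount; j++) {
                params.goToRow(j);
                result.put(params.getStringValue("IT Resources Type Parameter.Name"),
                        params.getStringValue("IT Resource.Parameter.Value"));
            }
        } finally {
            // Release the server-side handle whether or not the lookup succeeded.
            resourceFactory.close();
        }
        return result;
    }

}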

                  



OAM Custom Login Page (with Alert and Error Messages)



  • For many applications it is a primary requirement to provide a client specific login page where their company logo or messages should be displayed.
  • This login page is configured for an OAM resource and is presented to the user when the resource is accessed.
  • Mostly .jsp or .html pages are used as a custom login page in OAM.
  • Here a .html page is used as a login page which has username and password fields and a submit button to post the credentials.
  • It displays alert messages to user if username or password field left blank. Most Importantly it also provides OAM Error messages on the page if wrong username or password is provided.
  • The <script> tag is used to write the scripts in the .html page that show the alert and error messages.
  • In this page the validate() function produces the alert messages and the ReadCookie() function shows the OAM error messages.
  • This page can be used as a login page for any application just by changing the paths of the .css and image files and, most importantly, the auth_cred_submit URL, which must contain the oam_host:port as below:
        action=http://oam_host:oam_port/oam/server/auth_cred_submit
  • The code for the HTML page is below. Copy and paste the contents into a text editor and save it as MyPage.html.

  Code for the Login page

            
 <html lang="en">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
<title>Login to My Application</title>
<img src="images/child.jpg" alt="Child" height="200" width="200">
<link rel="stylesheet" href="images/style.css">
</head>
 <script type="text/javascript">
  function trim(s)
    {
    return s.replace( /^\s*/, "" ).replace( /\s*$/, "" );
    }
  function validate() {
    var x = document.forms["frmLogin"]["username"].value;
    if (x == "") {
        alert("Login is Empty");
        return false;
    }
var y = document.forms["frmLogin"]["password"].value;
    if (y == "") {
        alert("Password is Empty");
        return false;
    }
}
function ReadCookie() {
var id = getUrlVars()["p_error_codes_list"];
if (id == "OAM-2") {
            var data="<b>UserID or Password is not Correct</b>";
            document.getElementById('mylocation').innerHTML="<span style=\"color:red\">" + data + "</span>";
            }
            else if (id == "OAM-1") {
            var data="<b>An incorrect Username or Password is specified</b>";
  document.getElementById('mylocation').innerHTML="<span style=\"color:red\">" +              data + "</span>";
            }
            else if (id == "OAM-8") {
            var data="<b>Authentication failed</b>";
            document.getElementById('mylocation').innerHTML="<span style=\"color:red\">" + data + "</span>";            }
}

function getUrlVars() {
    var vars = [], hash;
    var hashes = window.location.href.slice(window.location.href.indexOf('?') + 1).split('&');
    for(var i = 0; i < hashes.length; i++)
    {
        hash = hashes[i].split('=');
        vars.push(hash[0]);
        vars[hash[0]] = hash[1];
    }
    return vars;
}
</script>
<style>
body {
                        background-color:#6694CF;
     }
</style>
<div Style="position:absolute; visibility:show; left:5px; top:5px;">
   <!--img src="images/ascena-eprocurement-color.png" width="65%"/-->
</div>
<body onload="ReadCookie()">
<section class="container">
    <div class="login">
      <h1>Login to aPP</h1>
 <form name="frmLogin" onSubmit="return validate()" action="http://localhost:14100/oam/server/auth_cred_submit"method="post">       
 <p><input type="text" name="username" placeholder="Username"></p>
<p><input type="password" name="password" placeholder="Password"></p>
 <p><input name="request_id" value="<%=reqId%>" type="hidden"></p>
 <p><input type="submit" name="sSubmit" value="Login"></p>        
 <label id="mylocation"></label>
      </form>
 <div class="login-help">
 <p>Forgot your password? <a href="http://localhost:7001/console">Click here to reset it</a>.</p>
    </div>
  </section>
</body>
</html>
  •          Place this page under the htdocs folder of OHS.

  •  Create an authentication scheme named MyScheme as shown in the screenshot below.


  •      If you want a .jsp page, modify the page accordingly (use a <% tag instead of the script); it must then be deployed to the OAM server as a .war file, and the authentication scheme should be as below.
  • Create an authentication policy MyPolicy using MyScheme and protect the required resource with that policy.
  • It shows alert and error messages as below:
   
     




