Sunday, November 11, 2012

Xellerate User Task Flow- Modification

To enable the triggers in the Xellerate User task flow, follow the steps below:

Change the system property in OIM:



Save it and restart the server.

After the restart you should be able to trigger any task based on updates to the USR profile, including User Enable/Disable.


Sunday, October 7, 2012

Custom Event Handlers in OIM 11G-From OIM Dev Guide


Implementing Custom Event Handlers

To implement custom event handlers:
  1. Implement one of the SPIs in the table below to write a custom pre-process, post-process, or validation handler.
    Table 7-3 SPIs to Write Custom Event Handlers
    Stage          SPI to implement
    Pre-Process    oracle.iam.platform.kernel.spi.PreProcessHandler
    Post-Process   oracle.iam.platform.kernel.spi.PostProcessHandler
    Validation     oracle.iam.platform.kernel.spi.ValidationHandler
  2. Include the following JAR files in the class path to compile a custom class:
    From OIM_INSTALL_HOME/server/platform
    • iam-platform-kernel.jar
    • iam-platform-util.jar
    • iam-platform-context.jar
    • iam-platform-authz-service.jar
    From OIM_INSTALL_HOME/designconsole/lib
    • OIMClient.jar
    • xlAPI.jar
    From OIM_INSTALL_HOME/designconsole/lib and OIM_INSTALL_HOME/server:
    All other JAR files
  3. Create a library of JAR files containing the custom classes.
The following code samples illustrate how to invoke Oracle Identity Manager 9.1.x APIs and 11g APIs to customize user management operations. See SPI Javadocs for more information.
Example 1: Custom Password Validation
Example 7-1 shows a sample custom validation handler code fragment that rejects any password containing the character $. The fragment is the single-entity validate() method of oracle.iam.platform.kernel.spi.ValidationHandler; the parameter value may arrive wrapped in a ContextAware object (for example, when the operation comes in through a request), so it is unwrapped before use.
Example 7-1 Sample Custom Validation Handler
import java.io.Serializable;
import java.util.HashMap;
import oracle.iam.platform.context.ContextAware;
import oracle.iam.platform.kernel.ValidationException;
import oracle.iam.platform.kernel.ValidationFailedException;
import oracle.iam.platform.kernel.vo.Orchestration;

public void validate(long processId, long eventId, Orchestration orchestration)
    throws ValidationException, ValidationFailedException {
  HashMap<String, Serializable> parameters = orchestration.getParameters();
  Serializable raw = parameters.get("usr_password");
  String password = (raw instanceof ContextAware)   // unwrap request-supplied values
      ? (String) ((ContextAware) raw).getObjectValue()
      : (String) raw;
  if (password != null && password.contains("$")) { // absent on a MODIFY that leaves the password alone
    throw new ValidationFailedException("Password must not contain the $ character");
  }
}
Example 2: Custom Pre-process Event Handler to Set Middle Initial
Example 7-2 shows a sample custom pre-process event handler code fragment that sets the middle initial to the first letter of the first name if the user does not have a middle name.
Example 7-2 Sample Custom Pre Process Event Handler
import java.io.Serializable;
import java.util.HashMap;
import oracle.iam.platform.context.ContextAware;
import oracle.iam.platform.kernel.vo.EventResult;
import oracle.iam.platform.kernel.vo.Orchestration;

// This custom preprocess event handler sets the first letter of the first name as the middle initial
// when the user doesn't have a middle name
public EventResult execute(long processId, long eventId, Orchestration orchestration) {
  HashMap<String, Serializable> parameters = orchestration.getParameters();
  String middleName = getParameterValue(parameters, "Middle Name");
  if (isNullOrEmpty(middleName)) {
    String firstName = getParameterValue(parameters, "First Name");
    if (!isNullOrEmpty(firstName)) {           // substring(0, 1) would fail on an empty first name
      orchestration.addParameter("Middle Name", firstName.substring(0, 1));
    }
  }
  return new EventResult();
}

// Parameter values that arrive through a request are wrapped in ContextAware; unwrap them
private String getParameterValue(HashMap<String, Serializable> parameters, String key) {
  Serializable raw = parameters.get(key);
  return (raw instanceof ContextAware)
      ? (String) ((ContextAware) raw).getObjectValue()
      : (String) raw;
}

private boolean isNullOrEmpty(String s) {
  return s == null || s.trim().isEmpty();
}
Example 3: Custom Post-process Event Handler to Provision Resource Object
Example 7-3 shows a sample custom post-process event handler code fragment that provisions the resource object OBJ005 to a user who has the role ROLE 005. Note that a handler like this grants access outside the access-policy and request/approval path and runs with the platform's own privileges, not the requester's, so keep such a rule visible, logged and reviewed.
Example 7-3 Sample Custom Post Process Event Handler
import java.util.HashMap;
import java.util.List;
import Thor.API.tcResultSet;
import Thor.API.Operations.tcObjectOperationsIntf;
import Thor.API.Operations.tcUserOperationsIntf;
import oracle.iam.identity.rolemgmt.api.RoleManager;
import oracle.iam.identity.rolemgmt.vo.Role;
import oracle.iam.identity.vo.Identity;
import oracle.iam.platform.Platform;
import oracle.iam.platform.kernel.EventFailedException;
import oracle.iam.platform.kernel.OrchestrationEngine;
import oracle.iam.platform.kernel.vo.EventResult;
import oracle.iam.platform.kernel.vo.Orchestration;

// This custom post process event handler provisions resource object 'OBJ005' to a user who has role 'ROLE 005'
public EventResult execute(long processId, long eventId, Orchestration orchestration) {
  tcUserOperationsIntf userOperationsService = Platform.getService(tcUserOperationsIntf.class);
  try {
    String userKey = getUserKey(processId, orchestration);
    if (hasRole(userKey, "ROLE 005")) {
      long objKey = findObject("OBJ005");
      if (objKey == 0) {
        throw new EventFailedException("Resource object OBJ005 not found");
      }
      // Long.parseLong, not Long.getLong: Long.getLong reads a system property named by its argument
      userOperationsService.provisionResource(Long.parseLong(userKey), objKey);
    }
  } catch (Exception e) {
    throw new EventFailedException("Error occurred ", e);
  }
  return new EventResult();
}

// This method retrieves the key of the user entity on which an operation is performed.
// It also shows how to read the operation being performed and the entity type.
private String getUserKey(long processId, Orchestration orchestration) {
  String entityType = orchestration.getTarget().getType();   // "User" for user operations
  if (!"CREATE".equals(orchestration.getOperation())) {
    // For MODIFY and other operations the target already carries the entity key
    return orchestration.getTarget().getEntityId();
  }
  // On CREATE the key does not exist until the action stage has run; read it from the action result
  OrchestrationEngine orchEngine = Platform.getService(OrchestrationEngine.class);
  return (String) orchEngine.getActionResult(processId);
}

// This method checks if a given user has a given role.
// It demonstrates how to invoke an OIM 11g API from a custom event handler
private boolean hasRole(String userKey, String roleName) throws Exception {
  RoleManager roleManager = Platform.getService(RoleManager.class);
  List<Identity> roles = roleManager.getUserMemberships(userKey);
  for (Identity identity : roles) {
    Role role = (Role) identity;
    if (roleName.equals(role.getAttribute("Role Name"))) {
      return true;
    }
  }
  return false;
}

// This method finds the key of the resource object with the given name.
// It demonstrates how to invoke a 9.1.x API from a custom event handler
private long findObject(String objName) throws Exception {
  long objKey = 0;
  tcObjectOperationsIntf objectOperationsService = Platform.getService(tcObjectOperationsIntf.class);
  HashMap<String, String> params = new HashMap<String, String>();
  params.put("Objects.Name", objName);
  tcResultSet objects = objectOperationsService.findObjects(params);
  for (int i = 0; i < objects.getRowCount(); i++) {
    objects.goToRow(i);
    // findObjects matches with wildcards, so confirm the exact name before using the key
    if (objects.getStringValue("Objects.Name").equals(objName)) {
      objKey = objects.getLongValue("Objects.Key");
    }
  }
  return objKey;
}

Creating Plug-ins for Custom Event Handlers

To create plug-ins containing custom event handlers, you need to develop the appropriate event handler classes. See Chapter 6, "Developing Plug-ins" for details.
Note:
Ensure that plug-in point used in the plug-in definition is set to oracle.iam.platform.kernel.spi.EventHandler.
Note:
The plug-ins can be packaged as required, just like the JAR files, as long as they adhere to the packaging guidelines.
Here is an example of a plug-in XML file:
<?xml version="1.0" encoding="UTF-8"?>
<oimplugins>
  <plugins pluginpoint="oracle.iam.platform.kernel.spi.EventHandler">
    <plugin pluginclass=  
       "oracle.oim.extensions.preprocess.SamplePreprocessExtension" 
        version="1.0" 
        name="SamplePreprocessExtension">
    </plugin>
    <plugin pluginclass= 
        "oracle.oim.extensions.postprocess.SamplePostprocessExtension"
         version="1.0" 
         name="SamplePostprocessExtension">
    </plugin>
    <plugin pluginclass= 
       "oracle.oim.extensions.validation.SampleValidationExtension"
        version="1.0" 
        name="SampleValidationExtension">
    </plugin>
  </plugins>
</oimplugins>

7.2.2.3 Defining Custom Events

Take these steps to define custom events:
  1. Create the metadata XML file containing definitions of all the custom events.
    Example 7-4 shows what a metadata file looks like:
    Example 7-4 Sample Metadata XML File for Custom Event Definitions
    <?xml version='1.0' encoding='utf-8'?>
    <eventhandlers>
      <!-- Custom preprocess event handlers -->
      <action-handler
        class="oracle.oim.extensions.preprocess.SamplePreprocessExtension"
        entity-type="User" 
        operation="CREATE" 
        name="SamplePreprocessExtension"
        stage="preprocess"
        order="1000" 
        sync="TRUE"/>
     
      <!-- Custom postprocess event handlers -->
      <action-handler
        class="oracle.oim.extensions.postprocess.SamplePostprocessExtension"
        entity-type="User" 
        operation="CREATE" 
        name="SamplePostprocessExtension"
        stage="postprocess"
        order="1000" 
        sync="TRUE"/>
     
      <action-handler
        class="oracle.oim.extensions.postprocess.SamplePostprocessExtension"
        entity-type="User" 
        operation="MODIFY" 
        name="SamplePostprocessExtension"
        stage="postprocess"
        order="1000" 
        sync="TRUE"/>
     
      <!-- Custom validation event handlers -->
       <validation-handler
        class="oracle.oim.extensions.validation.SampleValidationExtension"
        entity-type="User" 
        operation="CREATE" 
        name="SampleValidationExtension"
        order="1000"/>       
     
       <validation-handler
        class="oracle.oim.extensions.validation.SampleValidationExtension"
        entity-type="User" 
        operation="MODIFY" 
        name="SampleValidationExtension"
        order="1000"/>       
    </eventhandlers>
    
  2. Import these event definitions into MDS. See Chapter 30, "MDS Utilities and User Modifiable Metadata Files" for more information. For a shiphome-based install the scripts necessary to import the event definitions are located in the following directory:
    OIM_HOME/common/wlst
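The fragments in Examples 7-1 to 7-3 leave out the rest of the SPI (the bulk method and initialize()). As an added example, not from the OIM developer guide or this post, here is a complete validation handler that enforces an assumed format rule on User Login for both the single-entity and the bulk orchestration; the package name, class name and allowed pattern are assumptions. It is registered with a plugin.xml entry under the plug-in point oracle.iam.platform.kernel.spi.EventHandler and a <validation-handler> entry for entity-type User on the CREATE and MODIFY operations, exactly like SampleValidationExtension above.

```java
package com.example.oim.handlers; // assumed package; not from the page

import java.io.Serializable;
import java.util.HashMap;
import java.util.regex.Pattern;

import oracle.iam.platform.context.ContextAware;
import oracle.iam.platform.kernel.ValidationException;
import oracle.iam.platform.kernel.ValidationFailedException;
import oracle.iam.platform.kernel.spi.ValidationHandler;
import oracle.iam.platform.kernel.vo.BulkOrchestration;
import oracle.iam.platform.kernel.vo.Orchestration;

/**
 * Rejects a User Login that downstream directories and connectors would not accept.
 * The allowed pattern is an assumed local policy, not an OIM default.
 */
public class UserLoginValidationHandler implements ValidationHandler {

  private static final String USER_LOGIN = "User Login";
  private static final Pattern ALLOWED = Pattern.compile("^[A-Za-z0-9][A-Za-z0-9._-]{2,63}$");

  // Single-entity path: CREATE or MODIFY of one user
  @Override
  public void validate(long processId, long eventId, Orchestration orchestration)
      throws ValidationException, ValidationFailedException {
    checkLogin(orchestration.getParameters());
  }

  // Bulk path: each entry of the bulk parameters carries one user's attributes
  @Override
  public void validate(long processId, long eventId, BulkOrchestration bulkOrchestration)
      throws ValidationException, ValidationFailedException {
    HashMap<String, Serializable>[] bulkParameters = bulkOrchestration.getBulkParameters();
    for (HashMap<String, Serializable> parameters : bulkParameters) {
      checkLogin(parameters);
    }
  }

  @Override
  public void initialize(HashMap<String, String> arg) {
    // No configuration parameters are read from the plug-in definition
  }

  private void checkLogin(HashMap<String, Serializable> parameters) throws ValidationFailedException {
    // A MODIFY that does not change the login carries no "User Login" parameter: nothing to check
    if (parameters == null || !parameters.containsKey(USER_LOGIN)) {
      return;
    }
    String login = unwrap(parameters.get(USER_LOGIN));
    if (login == null || !ALLOWED.matcher(login).matches()) {
      // Reject rather than silently "fix" the value, so the requester sees why it was refused
      throw new ValidationFailedException("User Login '" + login
          + "' is not allowed: use 3-64 characters from A-Z, a-z, 0-9, '.', '_' or '-'");
    }
  }

  // Values that arrive through a request are wrapped in ContextAware; direct API calls pass them bare
  private static String unwrap(Serializable value) {
    if (value instanceof ContextAware) {
      return (String) ((ContextAware) value).getObjectValue();
    }
    return (String) value;
  }
}
```

Because the handler is registered for MODIFY as well as CREATE, the containsKey check matters: a profile update that does not touch the login must pass without inspecting it.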

EventHandler in OIM 11G- Get the existing values of the entity

In a handler for a MODIFY (or any other non-CREATE) operation, the orchestration target carries the entity as it currently exists, so the handler can compare the incoming parameters with the stored values:

import oracle.iam.platform.entitymgr.vo.Entity;
import oracle.iam.platform.kernel.vo.Orchestration;
import oracle.iam.platform.kernel.vo.OrchestrationTarget;

// Returns the existing entity (for example, the user being modified), or null when the
// orchestration has no single existing target (for example, on CREATE)
private Entity getExistingEntity(Orchestration orchestration) {
  OrchestrationTarget target = orchestration.getTarget();
  if (target == null) {
    return null;
  }
  Object[] entityObjs = target.getAllExisting();
  if (entityObjs != null && entityObjs.length == 1 && entityObjs[0] instanceof Entity) {
    return (Entity) entityObjs[0];
  }
  return null;
}

Thursday, October 4, 2012

OIM 11GR2 Client API Login

The client needs the JAAS login configuration that ships with OIM (authwl.conf for WebLogic) and the APPSERVER_TYPE property before it can log in. The path and connection details below are sample values; log out when the client is done so the server-side session is released.

import java.util.Hashtable;
import oracle.iam.platform.OIMClient;

String authConfigLoc = "C:/OIM/authwl.conf";   // copy of OIM_HOME/designconsole/config/authwl.conf
System.setProperty("java.security.auth.login.config", authConfigLoc);
System.setProperty("APPSERVER_TYPE", "wls");
Hashtable<String, String> env = new Hashtable<String, String>();
env.put(OIMClient.JAVA_NAMING_PROVIDER_URL, providerURL);   // e.g. t3://oimhost:14000
env.put(OIMClient.JAVA_NAMING_FACTORY_INITIAL, "weblogic.jndi.WLInitialContextFactory");
OIMClient oimClient = new OIMClient(env);
oimClient.login(userName, password.toCharArray());
// ... oimClient.getService(...) calls go here ...
oimClient.logout();

Wednesday, September 19, 2012

New OIM 11GR2 Features


New Features

Access Request Catalog

In OIM 11GR2 a new shopping-cart style request model has been introduced in the UI, where users can request any catalog item: roles, application instances (accounts) and entitlements, or all of them together in one request. Direct provisioning from the administration UI is replaced by the catalog request. The following catalog items can be requested from the UI:

-          Roles
-          Application Instances
-          Entitlements

Catalog items also carry tags, which are the keywords used when searching the catalog. This makes it easy for administrators and requesters to find the right item.

The following are the various new concepts/key terms  introduced as part of the catalog:

Catalog
Catalog (aka Request Catalog) offers a consistent and intuitive request experience for customers to request Roles, Entitlements and Application Instances following the commonly used Shopping Cart paradigm. The catalog is a structured commodity with its own set of metadata.

Catalog Item
A Catalog Item is an item (Roles, Entitlements or Application Instances) that can be requested by a user, either for themselves or on behalf of other users.

Category
A Catalog Item Category is a way to organize the request catalog. Each catalog item is associated with one and only one category. A catalog item navigation category is an attribute of the catalog item. Catalog Administrators can edit a Catalog Item and provide a value for the category.

Application Instance
An Application Instance represents an account on particular target. When users request an application instance, they are requesting an account in a particular target. Application Instances can be connected, if fulfillment is automated via a Connector, or disconnected, if fulfillment is manual. Application Instances can have entitlements associated with them.

Enterprise Roles

Enterprise Roles are defined by customers. Enterprise Roles have policies associated with them. Users can request enterprise roles via the Catalog. When a role is granted, application instances or entitlements are provisioned to the user.

Entitlement
Entitlements are privileges in an application that govern what a user of the application can do.

Tags
Tags are search keywords. When users search the Access Request Catalog, the search is performed against the tags. Tags are of three types:
  • Auto-generated: the catalog synchronization process tags each catalog item with its item type, item name and item display name.
  • User-defined: additional keywords entered by the Catalog Administrator.
  • Arbitrary tags: when a catalog metadata attribute is marked as searchable, its value also becomes part of the tags.

Shopping Cart
The Shopping Cart refers to the collection of Catalog Items that are being requested. A user can have only one cart active at any given time and the cart can contain roles, application instances, entitlements, or any combination of the three.

Catalog synchronization
Catalog synchronization refers to the process of loading roles, application instances, and entitlements into the Catalog. A scheduled job (Catalog Synchronization Job) ships out of the box to load newly created roles, application instances and entitlements into the catalog.

Catalog Security Model:

Catalog security is driven by two factors:
  • The security model that uses Organization-based scoping for users, roles, application instances and entitlements. This security model controls what items a requester can see in the Catalog search results and the users who can be added as target users.
  • The security model that is not scoped by organization and is used for global Admin Roles such as Catalog Administrator.





Application Instance

Application instance is a new abstraction used in 11g Release 2 (11.1.2). It is a combination of IT resource instance (target connectivity and connector configuration) and resource object (provisioning mechanism).

Application instance will be published to organizations and can be requested by users of those organizations. Suppose Microsoft Active Directory (AD) is to be provisioned to users across different organizations or departments across the world. You can define application instances consisting of the following:
  • AD as the resource object
  • Each AD server instance with the connectivity information, such as URL and password, as IT resources

Multiple Accounts Per Application Instance

Oracle Identity Manager supports multiple accounts in a single application instance. The first account that is created is tagged as primary account, and there can be only one primary account for a user. The subsequent accounts created on the same application instance would be tagged as Other. When the user requests entitlements, the entitlements are appended to the primary account.

When the user gets provisioned to an application instance, the Oracle Identity Manager checks if it is the first account getting provisioned for the user in that application instance. If it is the first account, then the account is marked as primary. When existing user accounts are reconciled from application instances, the first account that gets reconciled is marked as primary. If the account marked as primary is not the actual primary account, then you can manually change the primary tag for the account and mark another account as primary.

Disconnected Application Instances

Oracle Identity Manager supports provisioning of disconnected resources by using the SOA worklist for manual provisioning of disconnected resources. After the role-based provisioning decision or SOA request approval is complete and the corresponding application instance is determined to be a disconnected application instance, a new SOA workflow is started. This new SOA workflow is assigned to the manual provisioning administrator.

Example:

Oracle Identity Manager cannot itself provision a physical access card, so the card is modelled as a disconnected application instance and provisioned manually.

-          To create a disconnected app instance:

To provision a disconnected resource, create an application instance of the disconnected type. When a request for it is approved, the manual provisioning administrator picks up the worklist item in the Pending Approvals section of Oracle Identity Self Service and can update all fields in the request. After the administrator submits the manual provisioning worklist item, the provisioning infrastructure marks the underlying provisioning task as completed based on the administrator's response; if the administrator states that the task was completed manually, the account status changes to Provisioned.

Application Instance Security

The Application Instance is also the entity with which security primitives are associated via the organization publishing mechanism. In multi-tenant environments, resource definitions can be shared by multiple organizations, but only those organizations that have the application instance published to them will be actually able to provision to the targets.

App Instance and Forms

A new version of the form can be created for each application instance, and fields can be added to, modified on or deleted from it, all from the web UI rather than the Design Console.

Deleting Application Instances

Application instances can be deleted (hard delete or soft delete) from Oracle Identity Manager. An application instance can also be marked as revoked in case the target system is decommissioned. The scheduled task that performs the deletion of application instances supports the following modes:

  • Revoke: This mode is used when the application instance is deleted, but the provisioned accounts in the target system still exist. Using the Revoke mode deletes the accounts from the target system.
  • Delete: This mode is used when the target system no longer exists, and there are no traces of the accounts in Oracle Identity Manager. Using the Delete mode hard-deletes the accounts from all provisioning tasks and targets, and subsequently from Oracle Identity Manager.
  • Decommission: This mode is used when the target system no longer exists and the provisioned accounts cannot be revoked from the target system. Using the Decommission mode changes the account status to Revoke without keeping the accounts in Oracle Identity Manager in provisioned state.

After deleting the app instances we should run the Catalog Synchronization Job scheduled job to make sure the soft deleted application instances do not appear in the catalog any more.


Different Web Consoles for Administration and Self Service

  • OIM 11GR2 has introduced 2 different consoles:
    • Self Service[http://host:port/identity]
    • Identity System Administration[http://host:port/sysadmin]

New UI Features ported from Design Console
The following features have been ported to the web UI from the design console:
-          Form Designer
-          Lookups
-          IT Resource
-          Password Policies

Web Center Based UI Customizations
OIM 11GR2 features GUI-based UI customization built on Oracle WebCenter. All changes are stored in a temporary metadata area called a sandbox; once the changes are complete, the sandbox has to be published, which deploys all of them.


-          Sandboxes
A sandbox represents an area where metadata objects can be modified without affecting their mainline usage. In other words, a sandbox is a temporary storage area to save a group of runtime page customizations before they are either saved and published to other users, or discarded.

Admin Roles and User Roles

OIM 11GR2 has classified the roles as admin roles and user roles. The detailed explanation for these is as follows:

-          Admin Roles
These are the predefined roles in OIM that control the level of administrative access. They are scoped by organization; the root organization "Top" carries all the admin roles. A user who needs admin-level access is made a member of the admin role from the organization's page. These roles cannot be found through the regular role search and are only reachable from Organization > Admin Roles.
-          Roles
These are the ordinary user roles, used with access policies and membership rules. Users can be added directly to these roles from Roles > Members. In OIM 11GR2 the authorization policies of 11GR1 have been removed, so access cannot be restricted based on user roles; it can only be restricted through the predefined admin roles.

Thursday, June 14, 2012

Unable to Open the Directory Server via OIM web console-OIM 11G

If you are unable to open the IT Resource details for Directory Server via the OIM web console, and clicking on it sends you to the "System Error occurred" page, follow the steps below:

  1. Query the SVP table (the IT resource parameter values) and check whether the entries for the 'Directory Server' IT Resource are not encrypted properly.
  2. Update those entries with NULL values, for the 'Directory Server' IT Resource only. Take a backup of the table first; the nulled values, including any password parameter, have to be re-entered afterwards.
  3. Go back to the OIM console and try accessing the IT Resource 'Directory Server'.
  4. You should now be able to open the IT Resource details and update them accordingly.
This happens when you have played around with the encryption keys for the database and then try to configure the sync again.

Cheers,
Vishnu

LDAP Sync Configuration- OIM 11G

Once you install OIM along with the LDAP sync enabled :

1. Start WLST
cd $MW_HOME/oracle_common/common/bin
./wlst.sh
2. Connect to the Admin Server
connect('weblogic','welcome1','t3://localhost:7001')  -- Here weblogic is the admin user name of the WebLogic domain, localhost is the host on which the Admin Server is running and 7001 is the Admin Server port
3. To list the adapters for OIM
listAdapters(contextName='oim')
You should see output like
_______
Adapter Name : oid1
Adapter Type : LDAP 
Adapter Name : CHANGELOG_oid1
Adapter Type : LDAP

_______

4. To get the adapter details for adapter oid1
getAdapterDetails(adapterName='oid1', contextName='oim')
______
wls:/ohsdomain/domainRuntime> getAdapterDetails(adapterName='oid1', contextName='oim')
DETAILS OF ADAPTER :  oid1
Adapter Type                : LDAP
Name                        : oid
Virtual NameSpace           : dc=com
Remote NameSpace            : dc=com
LDAP Host                   : [localhost : 389]
Secure                      : false
Bind DN                     : cn=orcladmin
Pass Credentials            : Always
Max size of Connection Pool : 10
________
5. To change the Bind DN to the oimLDAP user created during OIM-OAM integration
Both adapters bind as the same oimLDAP user. Update the user name and password in adapter oid1:
modifyLDAPAdapter(adapterName='oid1',attribute='BindDN', value='cn=oimLDAP,cn=SystemUsers,dc=com', contextName='oim')
modifyLDAPAdapter(adapterName='oid1',attribute='BindPassword', value='asULikeIT', contextName='oim')
and in adapter CHANGELOG_oid1:
modifyLDAPAdapter(adapterName='CHANGELOG_oid1',attribute='BindDN', value='cn=oimLDAP,cn=SystemUsers,dc=com', contextName='oim')
modifyLDAPAdapter(adapterName='CHANGELOG_oid1',attribute='BindPassword', value='asULikeIT', contextName='oim')
Note: The realm (domain name) in OID in the above commands is "dc=com"; change this value as per your setting. The password value is a placeholder; it is typed in clear text, so keep the WLST session out of shared terminals and transcripts.

For help on the WLST commands just type
help('OracleLibOVDConfig')

This will list all the LDAP sync related commands to manage the LDAP sync adapters.

The following link will be very handy too:


Sunday, February 12, 2012

OIM 11G API Usage

//Set the following VM arguments if you are executing from Eclipse:
/*
-Djava.naming.provider.url=t3://hostname:port (for WebLogic)
or
-Djava.naming.provider.url=jnp://hostname:port (for JBoss)

-Djava.security.auth.login.config=config\authwl.conf (for WebLogic)
or
-Djava.security.auth.login.config=config\auth.conf (for JBoss)

-Djava.security.policy=config\xl.policy
*/
Initializing the oimClient:

import java.util.HashMap;
import java.util.Hashtable;
import oracle.iam.identity.orgmgmt.api.OrganizationManager;
import oracle.iam.identity.orgmgmt.vo.Organization;
import oracle.iam.identity.rolemgmt.api.RoleManager;
import oracle.iam.identity.usermgmt.api.UserManager;
import oracle.iam.identity.usermgmt.api.UserManagerConstants;
import oracle.iam.identity.usermgmt.vo.User;
import oracle.iam.notification.api.NotificationService;
import oracle.iam.platform.OIMClient;

Hashtable<String, String> env = new Hashtable<String, String>();
env.put(OIMClient.JAVA_NAMING_PROVIDER_URL, providerURL);
env.put(OIMClient.JAVA_NAMING_FACTORY_INITIAL, OIMClient.WLS_CONTEXT_FACTORY);

OIMClient oimClient = new OIMClient(env);
oimClient.login(userName, password.toCharArray());

//Getting the required service api's
UserManager usrMgrService = oimClient.getService(UserManager.class);
NotificationService notificationService = oimClient.getService(NotificationService.class);
RoleManager roleMgrService = oimClient.getService(RoleManager.class);
OrganizationManager orgMgrService = oimClient.getService(OrganizationManager.class);

//Creating a user and user management
HashMap<String, Object> createUserMap = new HashMap<String, Object>();
String userLogin = "Testvish";
createUserMap.put(UserManagerConstants.AttributeName.FIRSTNAME.getId(), "Testvish");
createUserMap.put(UserManagerConstants.AttributeName.LASTNAME.getId(), "Testvish");
createUserMap.put(UserManagerConstants.AttributeName.USER_LOGIN.getId(), userLogin);
createUserMap.put(UserManagerConstants.AttributeName.USERTYPE.getId(), "End-User");
createUserMap.put(UserManagerConstants.AttributeName.EMPTYPE.getId(), "EMP");
createUserMap.put(UserManagerConstants.AttributeName.PASSWORD.getId(), "vish@777"); // sample value; do not hard-code real passwords
createUserMap.put(UserManagerConstants.AttributeName.DISPLAYNAME.getId(), "Testvish");
createUserMap.put(UserManagerConstants.AttributeName.EMAIL.getId(), "Testvish@abc.com");
createUserMap.put(UserManagerConstants.AttributeName.PHONE_NUMBER.getId(), "765454544");
createUserMap.put("act_key", Long.valueOf(1L)); // organization key; 1 is normally the default "Xellerate Users" organization
User user = new User(userLogin, createUserMap);
usrMgrService.create(user);

//User Update: send only the attributes that change, under their API attribute names,
//and look the user up by login (reusing the create map would resend the password too)
HashMap<String, Object> modifyUserMap = new HashMap<String, Object>();
modifyUserMap.put(UserManagerConstants.AttributeName.PHONE_NUMBER.getId(), "123456789");
usrMgrService.modify(UserManagerConstants.AttributeName.USER_LOGIN.getId(), userLogin, new User(null, modifyUserMap));

//Organization Create
String orgName = "sampleOrg1";
HashMap<String, Object> createOrgMap = new HashMap<String, Object>();
createOrgMap.put("Organization Name", orgName);
createOrgMap.put("Organization Customer Type", "Branch");
Organization orgCreate = new Organization(orgName, createOrgMap);
orgMgrService.create(orgCreate);

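As an added example that is not part of the original post, the following complete client program ties the login and service calls of the two posts above together: the administrator password is read from the console instead of being hard-coded, the session is always released with logout(), the target user is looked up by login first, and the MODIFY sends only the changed attribute. The host, port, path of authwl.conf, package and class name are assumptions.

```java
package com.example.oim.client; // assumed package

import java.io.Console;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Hashtable;
import java.util.Set;

import oracle.iam.identity.usermgmt.api.UserManager;
import oracle.iam.identity.usermgmt.api.UserManagerConstants.AttributeName;
import oracle.iam.identity.usermgmt.vo.User;
import oracle.iam.platform.OIMClient;

public class UpdatePhoneClient {

  private static final String OIM_URL = "t3://oimhost.example.com:14000";   // assumed host and port
  private static final String AUTH_CONF = "/opt/oim/config/authwl.conf";    // assumed copy of authwl.conf

  public static void main(String[] args) throws Exception {
    if (args.length != 3) {
      System.err.println("usage: UpdatePhoneClient <adminLogin> <userLogin> <newPhoneNumber>");
      System.exit(2);
    }
    String adminLogin = args[0], userLogin = args[1], newPhone = args[2];

    Console console = System.console();
    if (console == null) {
      throw new IllegalStateException("run from an interactive terminal so the password is not echoed");
    }
    char[] adminPassword = console.readPassword("Password for %s: ", adminLogin);

    System.setProperty("java.security.auth.login.config", AUTH_CONF);
    System.setProperty("APPSERVER_TYPE", "wls");
    Hashtable<String, String> env = new Hashtable<String, String>();
    env.put(OIMClient.JAVA_NAMING_PROVIDER_URL, OIM_URL);
    env.put(OIMClient.JAVA_NAMING_FACTORY_INITIAL, OIMClient.WLS_CONTEXT_FACTORY);

    OIMClient client = new OIMClient(env);
    client.login(adminLogin, adminPassword);
    Arrays.fill(adminPassword, '\0');   // the session is established; drop our copy of the secret
    try {
      UserManager userManager = client.getService(UserManager.class);

      // Confirm the target exists and show what is about to change
      Set<String> wanted = new HashSet<String>();
      wanted.add(AttributeName.PHONE_NUMBER.getId());
      User before = userManager.getDetails(userLogin, wanted, true);   // true: the id is a User Login
      System.out.println(userLogin + ": phone "
          + before.getAttribute(AttributeName.PHONE_NUMBER.getId()) + " -> " + newPhone);

      // Send only the attribute that changes, keyed by User Login
      HashMap<String, Object> changes = new HashMap<String, Object>();
      changes.put(AttributeName.PHONE_NUMBER.getId(), newPhone);
      userManager.modify(AttributeName.USER_LOGIN.getId(), userLogin, new User(null, changes));
      System.out.println("updated");
    } finally {
      client.logout();   // always release the server-side session, even when the update fails
    }
  }
}
```

Run it with the OIMClient.jar and xlAPI.jar from OIM_HOME/designconsole/lib on the class path; the password prompt replaces the hard-coded credentials of the snippets above, and the try/finally guarantees the logout that those snippets never issue.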
Pre-Process Event Handler to generate the Display Name in OIM 11G

Display Name is a multi-language attribute in OIM 11g, so its value is passed as a map whose "base" entry holds the default-locale value:

import java.io.Serializable;
import java.util.HashMap;
import oracle.iam.identity.usermgmt.api.UserManagerConstants;
import oracle.iam.platform.context.ContextAware;
import oracle.iam.platform.kernel.vo.EventResult;
import oracle.iam.platform.kernel.vo.Orchestration;

public EventResult execute(long processId, long eventId, Orchestration orchestration) {
  HashMap<String, Serializable> parameters = orchestration.getParameters();
  String firstName = stringValue(parameters.get(UserManagerConstants.AttributeName.FIRSTNAME.getId()));
  String lastName = stringValue(parameters.get(UserManagerConstants.AttributeName.LASTNAME.getId()));
  if (lastName == null) {   // both names are present on CREATE; on a MODIFY they may be absent
    return new EventResult();
  }
  HashMap<String, Object> mapAttrs = new HashMap<String, Object>();
  mapAttrs.put("base", firstName == null ? lastName : lastName + " " + firstName);
  orchestration.addParameter("Display Name", mapAttrs);
  return new EventResult();
}

// Values submitted through a request arrive wrapped in ContextAware
private String stringValue(Serializable value) {
  return (value instanceof ContextAware) ? (String) ((ContextAware) value).getObjectValue() : (String) value;
}

Tuesday, February 7, 2012

Lotus Notes connection testing utility

The following piece of code can be used to test connectivity to the Lotus Notes/Domino server (over its DIIOP port) and then to look up a Person document by short name; the same session can be used for other operations. The admin password is read from the properties file and is never printed:

import java.util.HashMap;
import lotus.domino.Database;
import lotus.domino.Document;
import lotus.domino.DocumentCollection;
import lotus.domino.NotesFactory;
import lotus.domino.Session;

public static void main(String[] args) throws Exception {
  if (args.length != 1 || !args[0].matches("[A-Za-z0-9._-]+")) {
    // the short name is spliced into a Notes formula; refuse anything that could alter the formula
    System.err.println("usage: <shortName> (letters, digits, '.', '_' and '-' only)");
    System.exit(2);
  }
  Session session = null;
  try {
    HashMap<String, String> credentialsMap = getHashMapFromProperties("./properties/LotusNotes.properties");
    String hostName = credentialsMap.get("HostName");
    String port = credentialsMap.get("PortNumber");
    String adminId = credentialsMap.get("AdminID");
    String adminPwd = credentialsMap.get("AdminPassword");   // never log this value
    String server = credentialsMap.get("Server");
    String database = credentialsMap.get("Database");
    System.out.println("Creating Notes session to " + hostName + ":" + port + " as " + adminId);
    session = NotesFactory.createSession(hostName + ":" + port, adminId, adminPwd);
    System.out.println("Session created successfully");
    Database userDb = session.getDatabase(server, database);
    System.out.println("Database loaded successfully");
    DocumentCollection collection = userDb.search("((form='Person')&(ShortName='" + args[0] + "'))");
    int countDoc = collection.getCount();
    System.out.println("Matching Person documents: " + countDoc);
    Document doc = collection.getFirstDocument();
    // ... read or update items on doc here ...
  } finally {
    if (session != null) {
      session.recycle();   // release the Notes objects held by the session
    }
  }
}
-----
Reading the credentials from the properties file (java.util.Properties would do the same job; this hand-rolled reader keeps each value exactly as written after the first '='):

import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.util.HashMap;

private static HashMap<String, String> getHashMapFromProperties(String filelocation) {
  HashMap<String, String> hashMap = new HashMap<String, String>();
  final String DELIMITER = "=";
  BufferedReader bufferedReader = null;
  try {
    bufferedReader = new BufferedReader(new InputStreamReader(new FileInputStream(filelocation), "UTF-8"));
    String thisLine;
    while ((thisLine = bufferedReader.readLine()) != null) {
      if (thisLine.trim().isEmpty() || thisLine.trim().startsWith("#")) continue;   // blank lines and comments
      int indexOfDelimiter = thisLine.indexOf(DELIMITER);
      if (indexOfDelimiter < 0) continue;   // no '=': not a key/value line
      hashMap.put(thisLine.substring(0, indexOfDelimiter).trim(), thisLine.substring(indexOfDelimiter + 1));
    }
  } catch (IOException e) {   // FileNotFoundException is an IOException
    System.err.println("Exception Occurred while parsing " + filelocation + ": " + e);
    System.exit(1);
  } finally {
    if (bufferedReader != null) {
      try { bufferedReader.close(); } catch (IOException ignored) { }
    }
  }
  return hashMap;
}

Validation Handler in OIM 11G

This describes a request data validator, used to validate the data entered as part of creating a request. The class is attached to the request dataset (see the DataSetValidator element below) and OIM invokes it when the request is submitted. The sample below only walks the request and logs every attribute; a real validator throws InvalidRequestDataException for values it rejects. Note that the attribute values can include secrets such as account passwords, so do not log them outside a test environment.

import java.util.List;
import oracle.iam.request.exception.InvalidRequestDataException;
import oracle.iam.request.plugins.RequestDataValidator;
import oracle.iam.request.vo.Beneficiary;
import oracle.iam.request.vo.RequestBeneficiaryEntity;
import oracle.iam.request.vo.RequestBeneficiaryEntityAttribute;
import oracle.iam.request.vo.RequestData;

public class DataSetValidator implements RequestDataValidator {

  public void validate(RequestData requestdata) throws InvalidRequestDataException {
    System.out.println("Entering the Data Validation Handler");
    List<Beneficiary> beneficiaries = requestdata.getBeneficiaries();
    if (beneficiaries == null || beneficiaries.isEmpty()) {
      System.out.println("Request has no beneficiaries");
      return;
    }
    for (Beneficiary beneficiary : beneficiaries) {
      List<RequestBeneficiaryEntity> benEntities = beneficiary.getTargetEntities();
      if (benEntities == null) continue;
      for (RequestBeneficiaryEntity benEntity : benEntities) {
        List<RequestBeneficiaryEntityAttribute> benAttrs = benEntity.getEntityData();
        if (benAttrs == null) continue;
        for (RequestBeneficiaryEntityAttribute benAttr : benAttrs) {
          System.out.println("Attribute Name is: " + benAttr.getName());
          System.out.println("Attribute Value is: " + benAttr.getValue());   // may be a secret; see note above
          // Child tables (for example, group memberships on an account) appear as child attributes
          if (benAttr.hasChild()) {
            for (RequestBeneficiaryEntityAttribute attribute : benAttr.getChildAttributes()) {
              System.out.println("  child attribute " + attribute.getName() + " = " + attribute.getValue());
            }
          }
        }
      }
    }
  }
}

Next, package the class in a plugin ZIP and register it with OIM at the plugin point oracle.iam.request.plugins.RequestDataValidator (the same packaging and registration steps as for an event handler). Then attach it to the request dataset XML with the following element:

<DataSetValidator name="SampleValidator" classname="com.test.ad.DataSetValidator"/>

Note: The dataset lives in MDS, so it has to be exported, modified, and imported back. To export a document, set the following values in weblogic.properties and run weblogicExportMetadata.sh (or weblogicExportMetadata.bat):
wls_servername=oim server name, for example oim_server1
application_name=oim
metadata_to_loc=/scratch/data
metadata_files=/metadata/user/custom/EventHandlers.xml
metadata_files is the MDS path of the document to export. The value above is the event handler definition used later on this page; for a request dataset, give that dataset's own MDS path instead.
The document is written under metadata_to_loc at its MDS path, for example /scratch/data/metadata/user/custom for the file above. If the folder structure /metadata/user/custom does not exist under /scratch/data, MDS creates it.

Importing into MDS:

To import the modified file into MDS, set the following values in weblogic.properties and run weblogicImportMetadata.sh (or weblogicImportMetadata.bat):
wls_servername=oim server name, for example oim_server1
application_name=oim
metadata_from_loc=/scratch/data

The DataSetValidator element is added as a child of the request-data-set element, and a request dataset accepts only one such validator, so the mapping between dataset and validator is one to one.
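The validator above only walks the request and prints it. What follows is an added example, not code from the original post, of a request data validator that actually rejects a request: it refuses any beneficiary attribute value, child attributes included, that contains an LDAP filter or DN metacharacter, which is what you want when the dataset feeds an AD connector and the value ends up inside a DN or a search filter. The class name, the forbidden character set and the use of the message-only InvalidRequestDataException constructor are assumptions for the illustration; the request value-object calls are the ones the validator above already uses. It is packaged, registered and attached to the dataset exactly like the validator above.

```java
import java.util.List;

import oracle.iam.request.exception.InvalidRequestDataException;
import oracle.iam.request.plugins.RequestDataValidator;
import oracle.iam.request.vo.Beneficiary;
import oracle.iam.request.vo.RequestBeneficiaryEntity;
import oracle.iam.request.vo.RequestBeneficiaryEntityAttribute;
import oracle.iam.request.vo.RequestData;

/**
 * Request dataset validator that rejects attribute values carrying LDAP
 * filter/DN metacharacters before the request reaches the AD connector.
 * Class name and policy are assumptions for this example.
 */
public class LdapSafeDataSetValidator implements RequestDataValidator {

    // Assumed policy (not from the original post): characters that change the
    // meaning of an LDAP filter or DN when a value is concatenated into one.
    private static final String FORBIDDEN = "*()\\\0";

    public void validate(RequestData requestdata) throws InvalidRequestDataException {
        List<Beneficiary> beneficiaries = requestdata.getBeneficiaries();
        if (beneficiaries == null) {
            return;
        }
        for (Beneficiary beneficiary : beneficiaries) {
            List<RequestBeneficiaryEntity> entities = beneficiary.getTargetEntities();
            if (entities == null) {
                continue;
            }
            for (RequestBeneficiaryEntity entity : entities) {
                List<RequestBeneficiaryEntityAttribute> attrs = entity.getEntityData();
                if (attrs != null) {
                    checkAll("", attrs);
                }
            }
        }
    }

    // Recurses into child attributes, building a "parent/child" path for the error message.
    private void checkAll(String prefix, List<RequestBeneficiaryEntityAttribute> attrs)
            throws InvalidRequestDataException {
        for (RequestBeneficiaryEntityAttribute attr : attrs) {
            String path = prefix + attr.getName();
            Object value = attr.getValue();
            String problem = violation(value == null ? null : value.toString());
            if (problem != null) {
                // Assumed: the message-only constructor; the message is shown to the requester,
                // so it names the attribute and the offending code point, never the raw value.
                throw new InvalidRequestDataException("Attribute " + path + " " + problem);
            }
            if (attr.hasChild()) {
                List<RequestBeneficiaryEntityAttribute> children = attr.getChildAttributes();
                if (children != null) {
                    checkAll(path + "/", children);
                }
            }
        }
    }

    // Pure check, testable without OIM: null when acceptable, otherwise the reason.
    static String violation(String value) {
        if (value == null) {
            return null; // a missing value is the dataset's concern, not this validator's
        }
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (FORBIDDEN.indexOf(c) >= 0) {
                return String.format("contains forbidden character U+%04X", (int) c);
            }
        }
        return null;
    }
}
```

Keeping the character check in a static method separates policy from traversal, so the policy can be unit tested outside OIM, and the exception message stays specific without echoing the submitted value back to the requester.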

Tuesday, January 24, 2012

Custom Event Handler in OIM 11G

Step 1: Write the handler class
The code below implements PreProcessHandler. The other stages are implemented the same way against their own SPI:
Pre-Process-- oracle.iam.platform.kernel.spi.PreProcessHandler
Post-Process-- oracle.iam.platform.kernel.spi.PostProcessHandler
Validation-- oracle.iam.platform.kernel.spi.ValidationHandler
A validation handler validates the data entered while creating a user or role in OIM and rejects the operation by throwing ValidationFailedException.
Sample code (a pre-process handler that fills in "Middle Name" from "First Name" on user create when no middle name was supplied):

import java.io.Serializable;
import java.util.HashMap;

import com.thortech.util.logging.Logger;

import oracle.iam.platform.context.ContextAware;
import oracle.iam.platform.kernel.spi.PreProcessHandler;
import oracle.iam.platform.kernel.vo.AbstractGenericOrchestration;
import oracle.iam.platform.kernel.vo.BulkEventResult;
import oracle.iam.platform.kernel.vo.BulkOrchestration;
import oracle.iam.platform.kernel.vo.EventResult;
import oracle.iam.platform.kernel.vo.Orchestration;

public class GenerateUserID implements PreProcessHandler {

    private static final Logger logger = Logger.getLogger("CustomEventHandler");

    public boolean cancel(long processID, long eventID, AbstractGenericOrchestration orchestration) {
        return false;
    }

    public void compensate(long processID, long eventID, AbstractGenericOrchestration orchestration) {
        // Nothing to undo: the handler only alters parameters before the user is created.
    }

    // Single-entity CREATE: derive "Middle Name" from "First Name" when it was left blank.
    public EventResult execute(long processID, long eventID, Orchestration orchestration) {
        logger.debug("Entering the EventHandler");
        HashMap<String, Serializable> parameters = orchestration.getParameters();
        // Log only the attribute names: on a user create the map also carries
        // usr_password, so never dump the values to stdout or to a log file.
        for (String attrName : parameters.keySet()) {
            logger.debug("Attr Name is : " + attrName);
        }
        String middleName = deriveMiddleName(parameters);
        if (middleName != null) {
            orchestration.addParameter("Middle Name", middleName);
        }
        return new EventResult();
    }

    // Bulk CREATE: the same derivation, applied to every entity in the batch.
    public BulkEventResult execute(long processID, long eventID, BulkOrchestration bulkorchestration) {
        HashMap<String, Serializable>[] bulkParameters = bulkorchestration.getBulkParameters();
        for (HashMap<String, Serializable> parameters : bulkParameters) {
            String middleName = deriveMiddleName(parameters);
            if (middleName != null) {
                parameters.put("Middle Name", middleName);
            }
        }
        return new BulkEventResult();
    }

    // Returns the middle name to set, or null when one is already present or
    // the first name is too short to derive it from.
    private String deriveMiddleName(HashMap<String, Serializable> parameters) {
        String middleName = getParameterValue(parameters, "Middle Name");
        if (middleName != null && !middleName.isEmpty()) {
            return null;
        }
        String firstName = getParameterValue(parameters, "First Name");
        if (firstName == null || firstName.length() < 3) {
            return null; // substring(1, 3) would throw on a shorter or missing value
        }
        return firstName.substring(1, 3);
    }

    // Parameters arrive either as plain values or wrapped in ContextAware.
    private String getParameterValue(HashMap<String, Serializable> parameters, String key) {
        Serializable raw = parameters.get(key);
        if (raw instanceof ContextAware) {
            return (String) ((ContextAware) raw).getObjectValue();
        }
        return (String) raw;
    }

    public void initialize(HashMap<String, String> arg0) {
        // This handler takes no configuration parameters.
    }
}

Step 2: Create a plugin.xml file with the following contents:

<?xml version="1.0" encoding="UTF-8"?>
<oimplugins xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.oracle.com/schema/oim/plugin plugin.xsd">
    <plugins pluginpoint="oracle.iam.platform.kernel.spi.EventHandler">
        <plugin pluginclass="com.test.ad.GenerateUserID"
                version="1.0"
                name="SamplePreprocessExtension">
        </plugin>
    </plugins>
</oimplugins>

Step 3: Create the metadata XML

Note: On 11.1.1.5 the eventhandlers element must carry the namespace shown below; on the older 11.1.1.3 release the namespace is not required.
EventHandlers.xml
<?xml version="1.0" encoding="UTF-8"?>
<eventhandlers xmlns="http://www.oracle.com/schema/oim/platform/kernel" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.oracle.com/schema/oim/platform/kernel orchestration-handlers.xsd">
    <!-- Custom preprocess event handlers -->
    <action-handler
        class="com.test.ad.GenerateUserID"
        entity-type="User"
        operation="CREATE"
        name="SamplePreprocessExtension"
        stage="preprocess"
        order="1000"
        sync="TRUE"/>
</eventhandlers>

Step 4: Packaging
Package the plugin as a ZIP (Handler.zip) with this layout when extracted:
lib[dir]
plugin.xml[file]

Note: The lib folder contains the JAR file holding the custom event handler class (com.test.ad.GenerateUserID above); plugin.xml sits at the top level of the ZIP.

Step 5: Register the plugin
Register the plugin with the ant script OIM_HOME/plugin-utility/pluginregistration.xml:
ant -f pluginregistration.xml register
When prompted, give the full path of the ZIP file, for example /app/Oracle/CustomPlugins/Handler.zip, and supply OIM administrator credentials. The OS user running ant needs read access to the ZIP.
Note: ant must be on the PATH.

Step 6: MDS import

Import EventHandlers.xml with weblogicImportMetadata.sh/bat, using the same export/import procedure described for the request dataset (metadata_from_loc pointing at the folder whose /metadata/user/custom subfolder holds the file).

Then create a user and confirm that the handler ran: with the sample above, a user created without a middle name should get one derived from the first name.
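Steps 1 to 6 cover a pre-process handler. As an added example, not code from the original post, here is the validation-stage counterpart: an oracle.iam.platform.kernel.spi.ValidationHandler that fails a User CREATE or MODIFY when "User Login" contains characters outside a strict allow-list, handling both the single and the bulk orchestration the SPI requires. The class name, the attribute name "User Login", the allow-list pattern and the message-only ValidationFailedException constructor are assumptions for the illustration; the ContextAware unwrapping and getBulkParameters() follow the same pattern as the handler in Step 1.

```java
import java.io.Serializable;
import java.util.HashMap;
import java.util.regex.Pattern;

import oracle.iam.platform.context.ContextAware;
import oracle.iam.platform.kernel.ValidationException;
import oracle.iam.platform.kernel.ValidationFailedException;
import oracle.iam.platform.kernel.spi.ValidationHandler;
import oracle.iam.platform.kernel.vo.BulkOrchestration;
import oracle.iam.platform.kernel.vo.Orchestration;

/**
 * Fails a User CREATE/MODIFY whose "User Login" does not match a strict
 * allow-list. Class name, attribute name and policy are assumptions for
 * this example.
 */
public class UserLoginValidationHandler implements ValidationHandler {

    // Assumed policy (not from the original post): 3 to 20 characters, letters,
    // digits, dot, underscore or hyphen, and the first character a letter.
    private static final Pattern ALLOWED = Pattern.compile("^[A-Za-z][A-Za-z0-9._-]{2,19}$");
    private static final String ATTRIBUTE = "User Login"; // assumed attribute name

    public void validate(long processId, long eventId, Orchestration orchestration)
            throws ValidationException, ValidationFailedException {
        check(orchestration.getParameters());
    }

    public void validate(long processId, long eventId, BulkOrchestration bulkOrchestration)
            throws ValidationException, ValidationFailedException {
        // Every entity in the batch is checked; the first bad one fails the whole operation.
        for (HashMap<String, Serializable> parameters : bulkOrchestration.getBulkParameters()) {
            check(parameters);
        }
    }

    public void initialize(HashMap<String, String> arg0) {
        // This handler takes no configuration parameters.
    }

    // Validates only when the attribute is present, so a MODIFY that does not
    // touch "User Login" passes through untouched.
    private void check(HashMap<String, Serializable> parameters) throws ValidationFailedException {
        if (!parameters.containsKey(ATTRIBUTE)) {
            return;
        }
        String problem = violation(stringValue(parameters.get(ATTRIBUTE)));
        if (problem != null) {
            // Assumed: the message-only constructor. The message reaches the caller,
            // so it states the rule and never echoes the rejected value.
            throw new ValidationFailedException(ATTRIBUTE + " " + problem);
        }
    }

    // Pure policy check, kept separate so it can be unit tested without OIM.
    // Returns null when the value is acceptable, otherwise the reason.
    static String violation(String login) {
        if (login == null || login.isEmpty()) {
            return "must not be empty";
        }
        if (!ALLOWED.matcher(login).matches()) {
            return "must be 3 to 20 characters from [A-Za-z0-9._-] and start with a letter";
        }
        return null;
    }

    // Orchestration parameters arrive either as plain values or wrapped in ContextAware.
    private static String stringValue(Serializable raw) {
        Object value = (raw instanceof ContextAware) ? ((ContextAware) raw).getObjectValue() : raw;
        return value == null ? null : value.toString();
    }
}
```

Package and register it exactly as in Steps 2 to 5. In EventHandlers.xml a validation handler is declared with a validation-handler element rather than action-handler, carrying the same class, entity-type="User", operation, name and order attributes; one element per operation (CREATE and MODIFY) is needed if both are to be covered.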






Monday, January 16, 2012

Configuring BI publisher with OIM 11G


Configure BI Publisher URL in OIM 11g
OIM 11g uses BI Publisher for reports. Here are the steps to configure BI Publisher with OIM 11g:


Log in to Enterprise Manager. The URL is
http://IP_or_Domain_Admin_Server:Admin_Server_Port/em
Example: http://oimserverhost:7001/em

Go to Identity and Access ---> "OIM"

Right-click "OIM" and select "System MBean Browser"

Go to "Application Defined MBeans" ---> "oracle.iam" ---> "Server: << OIM_Server_Name >>" ---> "Application:oim" ---> "XMLConfig" ---> "config" ---> "XMLConfig.DiscoverConfig" ---> "Discovery"

On the right you will see the attribute "BIPublisherURL"

In the Value column, provide the URL of your BI Publisher. OIM sends users to this address, so give the https URL where BI Publisher is served over TLS.

Click Apply.

Restart the OIM server.

Log in to OIM 11g.

Go to Advanced Tab ---> Administration ---> Reports ---> BI Publisher

Adding a new Data Source in BI publisher:


Log in to Oracle BI Publisher as the administrator. The installation default is Administrator/Administrator; change that password before the server is reachable by anyone else.
Go to Admin --> Data Sources --> JDBC Data Source

Create the data source of type 11G and save it. This creates the report data store automatically, and the out-of-the-box OIM reports become visible under Reports --> Shared Folders --> more --> Oracle Identity Manager Reports.