Deploying the custom jar into the OIM placeholder library

The placeholder library is the file oracle.iam.ui.custom-dev-starter-pack.war. It sits with the other OIM application packages (EARs and WARs) in the $OIM_ORACLE_HOME/server/apps folder.

Before modifying this file, create a backup of it.

Using a ZIP tool, like 7-Zip, the steps are:

1.       Open the oracle.iam.ui.custom-dev-starter-pack.war

2.       Add the custom jar file to the 'WEB-INF/lib' folder. If the 'lib' folder does not exist, create it

3.       Save the oracle.iam.ui.custom-dev-starter-pack.war file.

4.       Copy the oracle.iam.ui.custom-dev-starter-pack.war file back to its original location under $OIM_ORACLE_HOME/server/apps

5.       Stop OIM managed server

6.       In WebLogic administration console, update the 'oracle.iam.ui.custom' library deployment and activate the changes

7.       Start OIM managed server.
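The same steps done from a script, as an added example that is not part of the original page: it backs the WAR up, appends the jar under WEB-INF/lib (creating the folder entry if the starter pack lacks it and refusing a duplicate), records the jar's SHA-256 so the change record says exactly what was deployed, and re-reads the archive to confirm it is intact. The file names and the stand-in WAR/jar it builds for a dry run are assumptions; point it at the real file under $OIM_ORACLE_HOME/server/apps and then carry on with steps 5 to 7 in the WebLogic console.

```python
"""Added example: put a custom jar into the OIM placeholder library WAR from a script.

Mirrors the ZIP-tool steps (backup, add under WEB-INF/lib, verify) so the change is
repeatable and reviewable. Paths and the sample files are assumptions, not OIM's own.
"""
import hashlib
import os
import shutil
import tempfile
import time
import zipfile

LIB_DIR = "WEB-INF/lib/"


def backup_war(war_path):
    """Copy the WAR beside itself with a timestamp suffix; returns the backup path."""
    backup = "%s.%s.bak" % (war_path, time.strftime("%Y%m%d%H%M%S"))
    shutil.copy2(war_path, backup)
    return backup


def sha256_of(path):
    """Digest of the jar being deployed, so the record of the change names exactly what went in."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def war_lib_jars(war_path):
    """Jars currently under WEB-INF/lib in the WAR."""
    with zipfile.ZipFile(war_path) as war:
        return sorted(n for n in war.namelist()
                      if n.startswith(LIB_DIR) and n.endswith(".jar"))


def add_jar_to_war(war_path, jar_path):
    """Append jar_path as WEB-INF/lib/<name>.jar and return the entry name written.

    Mode 'a' keeps every existing member, which is what a ZIP tool does when you drop
    a file into the archive. A duplicate entry is refused rather than shadowed.
    """
    entry = LIB_DIR + os.path.basename(jar_path)
    with zipfile.ZipFile(war_path, "a", compression=zipfile.ZIP_DEFLATED) as war:
        names = set(war.namelist())
        if entry in names:
            raise FileExistsError("%s already contains %s" % (war_path, entry))
        if LIB_DIR not in names:
            # Step 2 of the procedure: create the lib folder when the WAR has none.
            war.writestr(LIB_DIR, b"")
        war.write(jar_path, entry)
    # testzip() re-reads every member and returns the first corrupt name, or None.
    with zipfile.ZipFile(war_path) as war:
        bad = war.testzip()
    if bad is not None:
        raise RuntimeError("archive check failed on %s" % bad)
    return entry


def make_sample_inputs():
    """Constructed stand-ins for the real files (assumption, for a dry run): a WAR holding
    only WEB-INF/web.xml and a jar holding only a manifest, both in a fresh temp directory."""
    workdir = tempfile.mkdtemp(prefix="oim-war-")
    war = os.path.join(workdir, "oracle.iam.ui.custom-dev-starter-pack.war")
    jar = os.path.join(workdir, "custom-oim-ui.jar")
    with zipfile.ZipFile(war, "w") as z:
        z.writestr("WEB-INF/web.xml", "<web-app/>")
    with zipfile.ZipFile(jar, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return war, jar


if __name__ == "__main__":
    # Replace with the real WAR under $OIM_ORACLE_HOME/server/apps and your built jar.
    war, jar = make_sample_inputs()
    print("backup:", backup_war(war))
    print("jar sha256:", sha256_of(jar))
    print("added:", add_jar_to_war(war, jar))
    print("lib now holds:", war_lib_jars(war))
```

After the script has run, steps 5 to 7 (stop the OIM managed server, update the oracle.iam.ui.custom library deployment, start the server) still apply; the archive check only proves the ZIP is well formed, not that the library was redeployed.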

Deprecated APIs in OIM 12c

Reference URL for the list of deprecated APIs, interfaces and classes in OIM 12.2.1.3:

https://docs.oracle.com/en/middleware/idm/identity-governance/12.2.1.3/omjav/deprecated-list.html

GTC Recon Process

Oracle Identity Manager 11g R2 PS2 Flat File GTC Recon Process

 

Description:

This post covers the process of GTC flat file configuration in Oracle Identity Manager 11g R2 PS2.

 

Process:

1.       Create the feed directory and the archive directory. Only the account that drops the feed and the OIM server account should be able to write here: every row of a trusted-source feed becomes an OIM user, so write access to this directory is the ability to create identities.

mkdir -p /app/Sanjivani

mkdir -p /app/Sanjivani/archive

2.       Create the flat file as a .csv with the attribute header and one row per user, for example:

cd /app/Sanjivani/

cat test.csv

#GTC Trusted Source

globalid,firstname,lastname,email,organization,department,managerid,manager

oig01,arihant1,jain,abc@oracle.com,Xellerate Users,IAM,abc,HRUser

oig02,arihant2,jain,def@oracle.com,Xellerate Users,IAM, def,HRUser

oig03,arihant3,jain,ghi@oracle.com,Xellerate Users,IAM, ghi,HRUser

3.       Log in to the SYSADMIN console.

4.       Click Generic Connector and create a new connector.

5.       Provide the name of the GTC. Check Reconciliation and Trusted Source Reconciliation. Select Shared Drive as the transport provider and CSV as the format provider.

6.       Provide the required provider parameters: the feed (staging) directory and the archive directory created in step 1, the file prefix, and the delimiter used in the CSV.

7.       Map the attributes from Reconciliation Staging to OIM.

8.       Create two new attributes, userType and EmployeeType, in Reconciliation Staging and map them to the OIM attributes (a trusted source has to supply the organization, user type and employee type that an OIM user requires).

9.       Click Scheduler, search for the scheduled job created for this GTC, select it and click Run Now.

10.   Click Refresh and check whether the job status is Success or Failed.

11.   Click Event Management in the same window and click Search. It displays the reconciliation events that were created and the status of each user creation.

12.   Log in to the OIM Identity Console and click Users. Click Search; the newly created users appear in the list.
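A check to run on the feed before the scheduled job picks it up, as an added example that is not part of the original post. Every row of a trusted-source feed becomes an OIM user, so it is worth catching what the CSV format provider will not: ragged rows, duplicate globalid values, stray whitespace (the sample rows above carry ' def' and ' ghi' in managerid, which the validator reports), and malformed e-mail addresses. The header, the required columns and the treatment of the '#GTC Trusted Source' line as a comment are assumptions taken from the sample file; adjust them to your mapping and to how the Shared Drive/CSV provider actually handles comment lines.

```python
"""Added example: sanity-check a GTC flat-file feed before reconciliation runs.

Header, required columns and comment handling are assumptions modelled on the
sample test.csv above, not GTC's own rules.
"""
import csv
import re

HEADER = ["globalid", "firstname", "lastname", "email",
          "organization", "department", "managerid", "manager"]
REQUIRED = ("globalid", "firstname", "lastname", "email", "organization")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed from the sample feed shown above (test.csv), including its stray spaces.
SAMPLE_FEED = """#GTC Trusted Source
globalid,firstname,lastname,email,organization,department,managerid,manager
oig01,arihant1,jain,abc@oracle.com,Xellerate Users,IAM,abc,HRUser
oig02,arihant2,jain,def@oracle.com,Xellerate Users,IAM, def,HRUser
oig03,arihant3,jain,ghi@oracle.com,Xellerate Users,IAM, ghi,HRUser
"""


def validate_feed(text, expected_header=HEADER):
    """Return [(line_no, problem), ...] for the feed text; an empty list means clean.

    Lines starting with '#' are skipped because the sample carries one (assumption);
    confirm the Shared Drive/CSV provider treats them the same way.
    """
    problems = []
    rows = [(n, line) for n, line in enumerate(text.splitlines(), start=1)
            if line.strip() and not line.startswith("#")]
    if not rows:
        return [(0, "feed has no header row")]
    header_no, header_line = rows[0]
    header = next(csv.reader([header_line]))
    if header != list(expected_header):
        problems.append((header_no, "header %r does not match expected %r"
                         % (header, list(expected_header))))
    for col in REQUIRED:
        if col not in header:
            problems.append((header_no, "required column %r missing" % col))
    seen = {}
    for line_no, line in rows[1:]:
        values = next(csv.reader([line]))
        if len(values) != len(header):
            # A ragged row shifts every following column into the wrong OIM attribute.
            problems.append((line_no, "expected %d fields, got %d" % (len(header), len(values))))
            continue
        rec = dict(zip(header, values))
        for col, val in rec.items():
            if val != val.strip():
                # csv keeps the space after a delimiter; so would the recon mapping.
                problems.append((line_no, "%s: leading/trailing whitespace in %r" % (col, val)))
        for col in REQUIRED:
            if col in rec and not rec[col].strip():
                problems.append((line_no, "%s: empty" % col))
        gid = rec.get("globalid", "").strip()
        if gid:
            if gid in seen:
                problems.append((line_no, "globalid %r duplicates line %d" % (gid, seen[gid])))
            else:
                seen[gid] = line_no
        email = rec.get("email", "").strip()
        if email and not EMAIL_RE.match(email):
            problems.append((line_no, "email %r is not well formed" % email))
    return problems


def feed_is_clean(text, expected_header=HEADER):
    """True when validate_feed reports nothing; the gate before copying the file into the feed directory."""
    return not validate_feed(text, expected_header)


if __name__ == "__main__":
    for line_no, problem in validate_feed(SAMPLE_FEED):
        print("line %d: %s" % (line_no, problem))
```

Run it against the file before it is moved into /app/Sanjivani; a feed that fails the check should not reach the directory the job reads from, since a failed recon event is far harder to clean up than a rejected file.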

 

 

 


UI Customization - Configure Page Flows in EM Console

Problem statement: an ADF project (a new tile created for the Identity Self Service console) is deployed, but the change is not visible in the console.

Solution: grant permissions on the custom page flow in the EM console. ADF security does not render a region or task flow that has no grant, so the deployment looks like a no-op until the grants exist.

1) Log in to the EM console and navigate to WebLogic Domain --> d_oimdomain --> Security --> Application Policies.

2) Select the application stripe and the principal (application role) whose members should see the new tile, then add the grants below to it.

3) Create a resource that gives page definition permission on the region:
Permission Class: oracle.adf.share.security.authorization.RegionPermission
Resource Name: <Page Definition Name>
Permission Actions: view

Create another resource that gives task flow permission:
Permission Class: oracle.adf.controller.security.TaskFlowPermission
TASKFLOWURL : "/WEB-INF/PageFlowDefintion-tf-definition.xml"
TASKFLOWID : "PageFlowDefintion-tf-definition"
Permission Actions : view

4) Restart the servers.

SQL Queries useful for OIM Operations

1.       To get the list/details of users provisioned with a particular entitlement (USR_UDF_EMPLOYEEID is a custom UDF; drop it if your USR table does not carry it, and adjust the LIKE pattern to the format of your entitlement codes):

select usr.usr_login, usr.usr_display_name, usr.usr_udf_employeeid,
       ent_list.ent_code, ent_list.ent_value, ent_assign.ent_assign_update
from usr
inner join ent_assign on ent_assign.usr_key = usr.usr_key
inner join ent_list on ent_list.ent_list_key = ent_assign.ent_list_key
where lower(ent_list.ent_code) like '%=<ent code>%'
  and usr.usr_status = 'Active'
  and ent_list.obj_key = <Resource Object key>
order by usr.usr_login;

 

2.       To get the list of entitlements provisioned to a user through Enabled/Provisioned accounts. CATALOG holds roles, application instances and entitlements in one table, so the join must also filter on entity_type, and the account status filter is what restricts the result to live accounts:

select usr.usr_login, catalog.entity_name, catalog.entity_display_name,
       ost.ost_status, ent_assign.ent_assign_key
from ent_assign
inner join usr on ent_assign.usr_key = usr.usr_key
inner join catalog on catalog.entity_key = ent_assign.ent_list_key
                  and catalog.entity_type = 'Entitlement'
inner join oiu on ent_assign.oiu_key = oiu.oiu_key
inner join ost on ost.ost_key = oiu.ost_key
inner join orc on oiu.orc_key = orc.orc_key
where usr.usr_login = '<User Login>'
  and ost.ost_status in ('Provisioned', 'Enabled');

 

 

3.       To get request details on the basis of request status. WFTASK is the SOA human-task table, so run this as a user that can read both the OIM and SOA schemas (or qualify WFTASK with its schema); "Approver" here means the task assignee. The date filter is written as a half-open range so that the whole of the last day is included:

select wftask.identificationkey "Request ID",
       usr.usr_login "Requestor ID",
       usr.usr_display_name "Requestor Name",
       request.request_creation_date "Requested Date",
       request_beneficiary_entities.rbe_entity_type,
       request_beneficiary_entities.rbe_entity_name,
       wftask.assignees "Approver ID",
       wftask.assigneesdisplayname "Approver Name",
       wftask.assigneddate "Assigned Date",
       request.request_status "Request Status",
       wftask.expirationdate "Expiry Date"
from wftask
inner join request on request.request_id = wftask.identificationkey
inner join usr on request.requester_key = usr.usr_key
inner join request_beneficiary_entities on request.request_key = request_beneficiary_entities.rbe_request_key
where wftask.assigneddate >= to_date('01-10-2019', 'DD-MM-YYYY')
  and wftask.assigneddate <  to_date('01-01-2020', 'DD-MM-YYYY')
  and request.request_status in ('Request Rejected', 'Request Withdrawn')
  and wftask.assignees not in ('xelsysadm,user', 'SYSTEM ADMINISTRATORS,group')
order by wftask.assigneddate desc;

 

4.       To get the count of rejected tasks per process task for a resource object in a particular time period (trunc() drops the time of day from sch_actual_start so the comparison is on dates only):

select count(*), mil.mil_name, obj.obj_name
from osi
inner join sch on sch.sch_key = osi.sch_key
inner join sta on sta.sta_status = sch.sch_status
inner join mil on osi.mil_key = mil.mil_key
inner join tos on mil.tos_key = tos.tos_key
inner join pkg on tos.pkg_key = pkg.pkg_key
inner join oiu on osi.orc_key = oiu.orc_key
inner join usr on oiu.usr_key = usr.usr_key
inner join ost on oiu.ost_key = ost.ost_key
inner join obj on ost.obj_key = obj.obj_key
inner join orc on orc.orc_key = oiu.orc_key
where trunc(sch.sch_actual_start) between to_date('01-01-2018', 'DD-MM-YYYY') and to_date('01-01-2019', 'DD-MM-YYYY')
  and usr.usr_status = 'Active'
  and obj.obj_name = '<Resource Object Name>'
  and ost.ost_status in ('Provisioned', 'Enabled', 'Disabled')
  and sta.sta_bucket = 'Rejected'
group by mil.mil_name, obj.obj_name;

 

5.       To get the list of all rejected tasks ('R' is the Rejected task status code in SCH):

select usr.usr_login, mil.mil_name, sch.sch_status, sch.sch_actual_start, orc.orc_key
from osi
inner join sch on sch.sch_key = osi.sch_key
inner join mil on osi.mil_key = mil.mil_key
inner join orc on orc.orc_key = osi.orc_key
inner join oiu on oiu.orc_key = orc.orc_key
inner join usr on oiu.usr_key = usr.usr_key
where sch.sch_status = 'R';

 

6.       To get all entitlements attached to access policies linked to a role (POC holds the child-table/entitlement rows of a policy):

select pol.pol_name, ugp.ugp_name, poc.poc_field_value
from pol
inner join pog on pog.pol_key = pol.pol_key
inner join ugp on pog.ugp_key = ugp.ugp_key
inner join poc on poc.pol_key = pol.pol_key
where ugp.ugp_name like '<Role Name>';

 

7.       To get the list of role names against the application instances they provision through access policies. The policy's IT resource field (POF) stores the IT resource key as text, hence the to_char; the extra object_key join keeps each policy tied to its own resource object, otherwise two application instances sharing one IT resource would both be listed:

select distinct ugp.ugp_name, app_instance.app_instance_display_name
from pol
inner join pog on pog.pol_key = pol.pol_key
inner join ugp on pog.ugp_key = ugp.ugp_key
inner join pof on pof.pol_key = pol.pol_key
inner join obj on obj.obj_key = pof.obj_key
inner join svr on to_char(svr.svr_key) = pof.pof_field_value
inner join app_instance on app_instance.itresource_key = svr.svr_key
                       and app_instance.object_key = obj.obj_key;

                       

8.       To get the list of users who hold a role and have been evaluated by the access policy attached to it, for a given application instance:

select usr.usr_login, ugp.ugp_name, ent_list.ent_display_name, pol.pol_name
from poc
inner join pol on poc.pol_key = pol.pol_key
inner join pog on pog.pol_key = pol.pol_key
inner join ugp on pog.ugp_key = ugp.ugp_key
inner join ent_list on poc.poc_field_value = ent_list.ent_code
inner join ent_assign on ent_assign.ent_list_key = ent_list.ent_list_key
inner join usr on ent_assign.usr_key = usr.usr_key
where ugp.ugp_key in (
        select distinct ugp.ugp_key
        from pol
        inner join pog on pog.pol_key = pol.pol_key
        inner join ugp on pog.ugp_key = ugp.ugp_key
        inner join pof on pof.pol_key = pol.pol_key
        inner join obj on obj.obj_key = pof.obj_key
        inner join svr on to_char(svr.svr_key) = pof.pof_field_value
        inner join app_instance on app_instance.itresource_key = svr.svr_key
                               and app_instance.object_key = obj.obj_key
        where app_instance.app_instance_display_name = '<Application instance display name>')
  and usr.usr_status = 'Active';

 

9.       To get all the users that have a specific account provisioned:

select usr.usr_login, usr.usr_first_name, usr.usr_last_name
from obj
inner join obi on obj.obj_key = obi.obj_key
inner join oiu on obi.obi_key = oiu.obi_key
inner join usr on oiu.usr_key = usr.usr_key
inner join ost on oiu.ost_key = ost.ost_key
               and ost.obj_key = obj.obj_key
where ost.ost_status in ('Enabled', 'Provisioned')
  and obj.obj_name = '<Resource Object Name>';

 

 

10.      To get all of a user's provisioned/enabled accounts:

select obj.obj_name, ost.ost_status
from obj
inner join obi on obj.obj_key = obi.obj_key
inner join oiu on obi.obi_key = oiu.obi_key
inner join usr on oiu.usr_key = usr.usr_key
inner join ost on oiu.ost_key = ost.ost_key
               and ost.obj_key = obj.obj_key
where ost.ost_status in ('Enabled', 'Provisioned')
  and usr.usr_login = '<User_Login>';


11.      To get the list of users provisioned to an application between two dates, based on completed 'Create User' tasks. The LIKE '%AD%' pattern matches any resource object whose name contains AD (including names such as ADMIN); tighten it to the exact object name where that matters:

select distinct usr.usr_login, usr.usr_email, usr.usr_status, ost.ost_status, sch.sch_actual_start, mil.mil_name
from osi
inner join sch on sch.sch_key = osi.sch_key
inner join sta on sta.sta_status = sch.sch_status
inner join mil on osi.mil_key = mil.mil_key
inner join tos on mil.tos_key = tos.tos_key
inner join pkg on tos.pkg_key = pkg.pkg_key
inner join oiu on osi.orc_key = oiu.orc_key
inner join usr on oiu.usr_key = usr.usr_key
inner join ost on oiu.ost_key = ost.ost_key
inner join obj on ost.obj_key = obj.obj_key
inner join orc on orc.orc_key = oiu.orc_key
where trunc(sch.sch_actual_start) between to_date('01-01-2018', 'DD-MM-YYYY') and to_date('01-07-2018', 'DD-MM-YYYY')
  and ost.ost_status in ('Provisioned', 'Enabled', 'Disabled')
  and sta.sta_bucket = 'Completed'
  and mil.mil_name = 'Create User'
  and upper(obj.obj_name) like '%AD%';

Password Sync connector Installation and Upgrade

Install Password sync connector on Active Directory Domain Controller.

1.       On the Microsoft Active Directory host computer, run the installer as follows:

a. Unzip MSFT_PSync_91150.zip to a temporary directory.

b. In the temporary directory, run the setup.exe file to start the installer.

2.       On the Welcome page, click Next.

3.       On the next page, click Next.

4.       On the installation location page, enter the installation path and click Next.

5.       On the Active Directory Configuration Parameters page, enter the below details.

Domain = xyz.com

Port = 389

Host = Domain Controller host name on which the connector installation is carried out.

Persistent Store = OU=OIMPS

click Next.

 

6.       On the second Active Directory Configuration Parameters page, enter values for the following fields:

User = oimpassword@xyz.com  < Active directory service account having administrator group access>

Password = <Account’s password>

Log File Path = Default Path < Or change it as per the standard >

click Next.

 

7.      On the Oracle Identity Manager Configuration Parameters page, specify the below values.

Host = oim.xyz.com < OIM Server Host >

Port = 443 < OIM Server Port >

Administrator Login = xelsysadm < OIM Admin account user Name >

Administrator Password = < Admin account’s password >

OIM User Attribute = Users.User ID <Attribute to link AD account with OIM User >

OIM Application Server Type =  Weblogic

UseSSL = Yes

Client Certificate Subject Name = *.xyz.com

click Next.

 

8.       On the Configuration Parameter Information page, enter values for the following fields.

Time Interval = 1 < seconds the connector sleeps between processing password change events >

Maximum Retry = 5

click Next.

 

9.       Click Next on Summary Page.

10.      Copy the oimadpwdsync10.dll and orclmessages.dll files from the Windows\SysWOW64 directory to the WINDOWS\system32 directory.

11.       Click Next to complete the installation and restart the server.

12.       Enable logging for the connector.

·         Open Registry Editor (run regedit from the Run dialog).

·         Navigate to the following key to enable AD logs:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\oimpwdsync\ADConfig

·         In the right pane, double-click the Log value and set it to Y.

·         Navigate to the following key to enable OIM logs:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\oimpwdsync\OIMConfig

·         In the right pane, double-click the Log value and set it to Y.

·         Restart the server. Set both Log values back to N once troubleshooting is finished; the logs are only needed while diagnosing a problem.

 

13.       Apply the recommended patch (the latest at the time of writing was p27948293_91150_MSWIN-x86-64.zip).

·         Unzip the p27948293_91150_MSWIN-x86-64.zip file to a temporary location.

·         Copy %WINDIR%\System32\oimadpwdsync10.dll to a backup location.

·         Rename %WINDIR%\System32\oimadpwdsync10.dll to %WINDIR%\System32\oimadpwdsync10.dll_default.

·         Copy ExtractedPatchLocation\MSFT_AD_PSync_9.1.1.5.16\lib\win64\oimadpwdsync10.dll to %WINDIR%\System32

·         Modify ExtractedPatchLocation\MSFT_AD_PSync_9.1.1.5.16\Update_oimpwdsync.reg as required for your environment.

·         Run the Update_oimpwdsync.reg file.

·         Restart the server.

Testing

1.       Change a user's password in Active Directory on the domain controller.

2.       Verify that the connector logs show the change being picked up and sent to OIM.

3.       The user can log in to OIM with the updated password.

End User Testing

1)      A Windows password change is propagated to OIM and the user can log in to OIM with the changed password.


SQL Queries

Meaning of the tables used in the SQL queries:


OBJ - Resource object information

APP_INSTANCE - Application instance information

EVT - Defines event handlers (adapters) by process and class name. The scheduling time, i.e. when the event handler executes, is set to pre or post (insert, update, delete)

PKD - Package dependency table; holds the dependency relationships between child packages of a parent package

PKG - Names and system keys of service processes, which consist of a group of services from the TOS table. Defines a process in Xellerate (OIM)

TOS - Holds information about a process (the process definition)

SDK - User-defined data object (form) metadata definition

SRE - Defines which pre-populate rule generator (adapter) runs for a field of a user-defined data object

ADP - Defines an adapter created through the Adapter Factory

RAV - Run-time data mappings for pre-populate adapters; the data source is an Xellerate form, a child table or a user-defined form

ADV - Adapter variable table; holds the variables created for specific adapters

SDC - Column (form field) metadata

MIL - Holds information about the tasks of a process


Process tasks and the adapters mapped to them in the process definition of a resource:

select mil.mil_name, evt.evt_name, obj.obj_name
from obj
inner join pkg on pkg.obj_key = obj.obj_key
inner join tos on tos.pkg_key = pkg.pkg_key
inner join mil on mil.tos_key = tos.tos_key
left outer join evt on mil.evt_key = evt.evt_key
where obj.obj_name = '<Resource Object Name>';

Process forms attached to resource objects, based on the application instance display name:

select obj.obj_name, sdk.sdk_name
from tos
inner join pkg on tos.pkg_key = pkg.pkg_key
inner join sdk on tos.sdk_key = sdk.sdk_key
inner join obj on pkg.obj_key = obj.obj_key
inner join app_instance on obj.obj_key = app_instance.object_key
where app_instance.app_instance_display_name = '<Application Instance Name>';

Pre-populate adapters and adapter mappings of a process form (SDC is joined on the form key as well as the column name, because the same column name can exist on several forms):

select sdc.sdc_label, adp.adp_name, rav.rav_map_to, rav.rav_map_qualifier, rav.rav_map_value, sre.sre_order
from sre
inner join sdk on sre.sdk_key = sdk.sdk_key
inner join evt on sre.evt_key = evt.evt_key
inner join adp on adp.evt_key = evt.evt_key
inner join rav on rav.sre_key = sre.sre_key
inner join adv on rav.adv_key = adv.adv_key
              and adv.adp_key = adp.adp_key
inner join sdc on sdc.sdc_name = sre.sre_sdc_name
              and sdc.sdk_key = sdk.sdk_key
where sdk.sdk_name = '<Process Form Name>'
order by sre.sre_order asc;

ORA-00001: unique constraint (IDM_OIM.PK_USR) violated at line number xxxx

Issue - ORA-00001: unique constraint (IDM_OIM.PK_USR) violated at line number 1308

Problem summary - The bulk load failed because some input rows carried a usr_key that already exists in USR (PK_USR is the primary key on USR.USR_KEY). Find the failed users in the bulk load exception table:
select * from USR_11G_FROM_PROD_EX1;

Solution - Give the failed users usr_key values that are not already present in USR, then bulk load them again.

Insert Custom System Property in OIM Database Table

Manually inserting a property into the PTY table. The supported route is the System Configuration page in the sysadmin console; a direct insert bypasses its validation, so use it only when that route is unavailable. PTY_KEYWORD is the keyword that code looks the property up by, PTY_NAME is the display name and PTY_VALUE is the value. OIM caches system properties, so purge the cache (PurgeCache.sh) or restart the OIM managed server before expecting the new value to be read.

Insert into PTY (PTY_KEY, LKU_KEY, PTY_KEYWORD, PTY_VALUE, PTY_NAME, PTY_SYSTEM, PTY_LOGINREQUIRED, PTY_RUN_ON, PTY_DATA_LEVEL, PTY_CREATE, PTY_CREATEBY, PTY_UPDATE, PTY_UPDATEBY, PTY_NOTE, PTY_ROWVER)
values (PTY_SEQ.nextval, null, 'EnvironmentName', 'ETS', 'Environment Name', null, '1', null, 2, systimestamp, 1, systimestamp, 1, EMPTY_CLOB(), '0000000000000000');
commit;

The Unlock Job is not in Sync

By default every password policy, including the Default Policy, is set to Permanent Lockout, which makes the Unlock job ineffective for users locked under it:
- A permanently locked user can only be unlocked manually by an administrator.


To configure the Password Policy and the job to be in sync do the following for each Password Policy:

1. Log in as xelsysadm in OIM Identity UI

2. Click on Manage tab >> Policies icon >> Password Policies selection.

3. Select a Password Policy to edit

4. Ensure that "Permanent Lockout" is unchecked.

5. Set the Lock Duration to the total time for the lockout. Example: 30 minutes.

6. Save and repeat for each policy.

7. Log in as xelsysadm in the OIM sysadmin UI

8. Click on Scheduler

9. Search for Automatically Unlock User job

10. Set the job to run periodically.
- Out of the box it runs once daily.
- If you set it to every 5 minutes, the job checks every five minutes whether anyone is locked and, if so, whether their Lock Duration has elapsed.
- So with a Lock Duration of 30 minutes, the user is unlocked on the 6th check.

The period of the job should be less than or equal to the smallest Lock Duration among the active password policies; a locked user then waits at most Lock Duration plus one job period.

Basic Performance Tuning for stuck threads and response times

Documentation for performance tuning: https://docs.oracle.com/en/middleware/fusion-middleware/12.2.1.4/asper/redundant-cross-references-remo...