Friday 15 February 2013

Configuring/Synchronizing new attribute from OIM to OID


  • Extend the OID and OVD schemas with a new attribute: orclSAMAccountName
  • Add the above attribute to the object class “orclIDXPerson” in the OID and OVD schemas
  • Create three basic info user attributes in OIM for the above attribute.
  • Export LDAPUser.xml from MDS
  • Add the following entry at the end of the <entity-attributes> tag (the name must match the <entity-attribute> used in the attribute map below exactly, including case):

<attribute name="orclSAMAccountName">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>

  • Add the following entry at the end of the <target-fields> tag:

<field name="orclSAMAccountName">
<type>string</type>
<required>false</required>
</field>

  • Add the following entry at the end of the <attribute-maps> tag:

<attribute-map>
<entity-attribute>orclSAMAccountName</entity-attribute>
<target-field>orclSAMAccountName</target-field>
</attribute-map>

  • Import LDAPUser.xml into OIM after the changes
  • Create a user in OIM - the user is created successfully with the new attribute populated in OID
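The three sections of LDAPUser.xml have to agree on the attribute name, character for character, or the new attribute silently never reaches OID. The script below is an added example (not part of the original post and not an OIM tool) that parses an LDAPUser.xml-style document and reports any attribute-map whose entity attribute or target field does not exist with an exact name match. The sample document is constructed for the example and reproduces a case slip in the attribute name; the real file may carry a namespace, so tags are matched on their local name.

```python
import xml.etree.ElementTree as ET

# Constructed LDAPUser.xml-style fragment for this example; it is NOT the file
# exported from MDS. The attribute name deliberately has a case slip
# ("orclSAMAccountname") that the attribute-map entry does not match.
SAMPLE_LDAPUSER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<entity-definition>
  <entity-attributes>
    <attribute name="First Name">
      <type>string</type><required>true</required>
      <attribute-group>Basic</attribute-group><searchable>true</searchable>
    </attribute>
    <attribute name="orclSAMAccountname">
      <type>string</type><required>false</required>
      <attribute-group>Basic</attribute-group><searchable>true</searchable>
    </attribute>
  </entity-attributes>
  <target-fields>
    <field name="givenName"><type>string</type><required>true</required></field>
    <field name="orclSAMAccountName"><type>string</type><required>false</required></field>
  </target-fields>
  <attribute-maps>
    <attribute-map>
      <entity-attribute>First Name</entity-attribute>
      <target-field>givenName</target-field>
    </attribute-map>
    <attribute-map>
      <entity-attribute>orclSAMAccountName</entity-attribute>
      <target-field>orclSAMAccountName</target-field>
    </attribute-map>
  </attribute-maps>
</entity-definition>
"""


def _local(tag):
    """Strip any namespace prefix: '{uri}attribute' -> 'attribute'."""
    return tag.rsplit("}", 1)[-1]


def _children(root, container, child):
    """Yield <child> elements that sit directly under a <container> element."""
    for c in root.iter():
        if _local(c.tag) == container:
            for el in c:
                if _local(el.tag) == child:
                    yield el


def check_ldapuser_mappings(xml_text):
    """Return a list of problems: every attribute-map must point at an existing
    entity attribute and an existing target field, with an exact (case-sensitive)
    name match. An empty list means the three sections agree."""
    root = ET.fromstring(xml_text)
    entity_attrs = {a.get("name") for a in _children(root, "entity-attributes", "attribute")}
    target_fields = {f.get("name") for f in _children(root, "target-fields", "field")}
    problems = []
    for amap in _children(root, "attribute-maps", "attribute-map"):
        refs = {_local(el.tag): (el.text or "").strip() for el in amap}
        ea, tf = refs.get("entity-attribute"), refs.get("target-field")
        for label, name, known in (("entity attribute", ea, entity_attrs),
                                   ("target field", tf, target_fields)):
            if name in known:
                continue
            # A name that differs only in case is almost always the real cause
            near = [k for k in known if k.lower() == (name or "").lower()]
            hint = f" (did you mean {near[0]!r}? names are case-sensitive)" if near else ""
            problems.append(f"attribute-map references unknown {label} {name!r}{hint}")
    return problems


if __name__ == "__main__":
    for p in check_ldapuser_mappings(SAMPLE_LDAPUSER_XML):
        print(p)
```

Run it against the exported file before importing it back into MDS; an empty result means the entity attribute, target field and attribute map line up.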

Offline Provisioning - OIM 10g


Offline provisioning is a new feature in 9102 that improves the performance of the provisioning engine by enabling parallel execution, and reduces transaction time-outs against the various target systems.

Example: consider 10 users each requesting 10 target systems (U1, U2, ... U10 requesting R1, R2, ... R10). That is a total of 100 transactions.

In releases before 9102, where there is no offline provisioning, this process runs sequentially:
R1 to R10 are provisioned to U1, then R1 to R10 to U2, and so on.

The request is completed only after U1 to U10 are all done. It is a serial execution, which takes time. This impacts performance, and the transaction time-out on the target systems may also need to be increased. After clicking the submit button, the admin has to wait for all 100 provisioning operations to complete before the provisioning engine returns a response to the UI.

So the concept of offline provisioning using JMS messages was introduced in version 9102.
As soon as the request is submitted, the provisioning engine submits one JMS message for each account on each target system.

In the case above, 100 messages are submitted, and the submitter immediately gets a response that the operation has been initiated, so there is no need to wait for the whole process to complete. Each of the (here 100) requests is then completed in the background. Most of the execution is offline and can happen in parallel, which improves performance: the submitter gets a response as soon as the request is submitted, and the transaction time-out on the target systems is not affected because the execution is parallel.

To enable offline provisioning, open the resource object form in the Design Console and tick the "offline-provisioning" check box; for the provisioning use case, also tick the "Auto Save Form" check box on the provisioning process definition of that resource object.

For other user operations like enable, disable etc., ticking only the "offline-provisioning" check box is enough.

As soon as the request is submitted and the JMS message is sent, the status of the request is "provisioning in queue". Once the MDB picks up the JMS message and completes the provisioning, the status changes to "provisioned".

You will not see any advantage from offline provisioning if the number of operations (create, update, enable, disable, revoke) is small. For a bulk operation like the one above, however, without offline provisioning the submitter sees no status for the request until all the operations are complete.

With offline provisioning, the JMS messages are submitted first, an intermediate response is sent back, and the MDB then picks up each JMS message in parallel and completes the execution. Once execution is done, another status is set based on the details in the "Task to object status mapping".


Troubleshooting:

What happens if one of the JMS messages fails, and where are these failed messages tracked?
Before a JMS message is submitted, all details related to the request and the JMS message are inserted into a table called the OPS table.
The process instance, user key, object key, the kind of request, and the JMS message details are inserted into this table.

Once the operation is complete, the row is deleted.
So if the request failed, its row is still in this table.
OPS stands for Offline Persistence Store.

If all the JMS messages are processed successfully, the OPS table is empty.
So at any point in time an admin can refer to this table for failed transactions and take corrective action accordingly.

There is also a scheduled task that deletes these failure rows after a certain number of days.
The name of the task is "Remove Failed offline messages".

This task exists because, after you take corrective action on a failed message, its row would otherwise have to be deleted manually. The scheduled task deletes failed messages after a certain period of time for this purpose.
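The troubleshooting pattern above (persist before enqueue, delete on success, anything left over is a failure, purge leftovers after an age) is easy to reason about when it is spelled out in code. The following is an added example, not code from the post or from OIM: it models the post's 100-transaction scenario against an in-memory SQLite table that stands in for the OPS table. The table name `ops_demo` and its columns are assumptions for the demo (the post gives only the kind of details stored, not the real schema), and the failing (user, resource) pair is constructed.

```python
import sqlite3
from datetime import datetime, timedelta

# Constructed stand-in for the OPS (Offline Persistence Store) table. The post
# names the table only as "OPS" and lists the kind of details kept (process
# instance, user key, object key, JMS message details); the table name and
# columns below are assumptions for the demo, not OIM's real schema.
SCHEMA = """
CREATE TABLE ops_demo (
    msg_id        INTEGER PRIMARY KEY,
    process_inst  INTEGER NOT NULL,
    usr_key       INTEGER NOT NULL,
    obj_key       INTEGER NOT NULL,
    operation     TEXT    NOT NULL,
    submitted_at  TEXT    NOT NULL
)
"""


class OfflineProvisioningStore:
    """Write-ahead record of every offline (JMS) provisioning message."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute(SCHEMA)

    def submit(self, process_inst, usr_key, obj_key, operation, now):
        """Persist the request details BEFORE the JMS message is sent, so a
        message that is lost or fails leaves its row behind."""
        cur = self.db.execute(
            "INSERT INTO ops_demo (process_inst, usr_key, obj_key, operation, submitted_at)"
            " VALUES (?, ?, ?, ?, ?)",
            (process_inst, usr_key, obj_key, operation, now.isoformat()))
        return cur.lastrowid  # stands in for the JMS message id

    def complete(self, msg_id):
        """What the MDB does once the target operation succeeded: delete the row."""
        self.db.execute("DELETE FROM ops_demo WHERE msg_id = ?", (msg_id,))

    def failed_messages(self):
        """Rows still present are messages that never completed; this is the
        query an admin runs to find transactions needing corrective action."""
        return self.db.execute(
            "SELECT msg_id, usr_key, obj_key, operation FROM ops_demo ORDER BY msg_id"
        ).fetchall()

    def purge_older_than(self, days, now):
        """Mimics the 'Remove Failed offline messages' scheduled task: drop rows
        older than the configured age. Returns the number of rows removed."""
        cutoff = (now - timedelta(days=days)).isoformat()
        cur = self.db.execute("DELETE FROM ops_demo WHERE submitted_at < ?", (cutoff,))
        return cur.rowcount


def simulate(users=10, resources=10, failing=((3, 7),), now=datetime(2013, 2, 15)):
    """The post's example: `users` x `resources` account requests (100 by
    default). Every message is persisted, then processed independently; the
    constructed (user, resource) pairs in `failing` never reach complete()."""
    store = OfflineProvisioningStore()
    msgs = []
    for u in range(1, users + 1):
        for r in range(1, resources + 1):
            msgs.append((store.submit(u * 1000 + r, u, r, "CREATE", now), u, r))
    for msg_id, u, r in msgs:          # order is irrelevant: each message stands alone
        if (u, r) not in failing:
            store.complete(msg_id)
    return store


def demo():
    """Run the simulation and the age-based purge; returns the observations."""
    store = simulate()
    failed = store.failed_messages()
    too_soon = store.purge_older_than(7, datetime(2013, 2, 20))   # 5 days old: kept
    purged = store.purge_older_than(7, datetime(2013, 3, 1))      # 14 days old: removed
    return {"failed": failed, "purged_too_soon": too_soon,
            "purged": purged, "left": len(store.failed_messages())}


if __name__ == "__main__":
    print(demo())
```

The point to take from the model: because the row is written before the message is sent, a failure anywhere after that point (message lost, MDB exception, target time-out) is visible as a leftover row, and the purge task must run only after the failure has been looked at, otherwise the evidence disappears with it.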

Alternate method for Importing and Exporting files in OIM for MDS

Export LDAPUser.xml from MDS
  1. Navigate to Identity and Access, oim. Right-click and navigate to System MBean Browser.
  2. Under Application Defined MBeans, navigate to oracle.mds.lcm, Server:oim_server1, Application:oim, MDSAppRuntime
  3. Click the Operations tab, and then click exportMetaData.
  4. In the toLocation field, enter /var/tmp/iam or the name of another directory.
  5. In the docs field, enter the complete file location as the Element.
  6. Click Invoke - This exports the file specified in the docs field to the directory specified in the toLocation field.

Import LDAPUser.xml to MDS
  1. Navigate to Identity and Access, oim. Right-click and navigate to System MBean Browser.
  2. Under Application Defined MBeans, navigate to oracle.mds.lcm, Server:oim_server1, Application:oim, MDSAppRuntime
  3. Click the Operations tab, and then click importMetaData
  4. In the fromLocation field, enter /var/tmp/iam or the name of the directory in which you have the configuration files.
  5. In the docs field, enter the complete file location as the Element. For example, /metadata/iam-features-ldap-sync/LDAPUser.xml
  6. Click Invoke - This imports the file specified in the docs field into MDS from the directory specified in the fromLocation field.

Installing and Configuring 11gR1

Installation Process:

  1. Installed and configured the DB using RCU
  2. Installed WebLogic Server - Right
  3. Installed SOA and patched it to 11.1.1.50
  4. Installed ofm_iam_generic_11.1.1.5.0_disk1_1of1.zip
  5. If you need OID and OVD, you need to install ofm_idm_win_11.1.1.3.0_32_disk1_1of1.zip - this consists of the OID, OVD and ODSM products
  6. Created a WebLogic domain using config.cmd
Configuration process:
  1. Run the configuration script from the directory MW_HOME/oracle_common/common/bin/config.sh --> extend the existing domain you created in step 6.
  2. Select the products you want to configure -> the products displayed depend on what you installed in steps 3 and 4.
  3. For configuring OID, OVD and ODSM, you have a different directory to run the configuration script from.
  4. Go to the directory specified in the installation wizard of step 5 - <Installation_directory>/bin -> ./config.sh
  5. Once these are all set up, you need to run one more configuration script located in the directory created during step 4 - <install_directory>/bin --> ./config.sh
  6. This configures the Identity Server, Design Console, Remote Manager, LDAP synchronization and BI Publisher configuration settings. You can customize your selection in the configuration wizard.

Post Process Event Handler


1. Create "Eventhandlers.xml"

Sample Eventhandlers.xml (both handlers point at the same class; the class name here must match the pluginclass in plugin.xml exactly)

<eventhandlers xmlns="http://www.oracle.com/schema/oim/platform/kernel"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.oracle.com/schema/oim/platform/kernel orchestration-handlers.xsd">
<action-handler class="oim.eventhandlers.UpdateManagerLogin"
entity-type="User" operation="CREATE" name="NamePostProcessEventHandlers"
stage="postprocess" order="FIRST" sync="TRUE"/>
<action-handler class="oim.eventhandlers.UpdateManagerLogin"
entity-type="User" operation="MODIFY" name="NamePostProcessEventHandlers"
stage="postprocess" order="SECOND" sync="TRUE"/>
</eventhandlers>


2. Import the Eventhandlers.xml into MDS (metadata)

For how to import, see the MDS import steps above (Alternate method for Importing and Exporting files in OIM for MDS).


3. Create plugin.xml


Sample plugin.xml


<?xml version="1.0" encoding="UTF-8"?>
<oimplugins>
<plugins pluginpoint="oracle.iam.platform.kernel.spi.EventHandler">
<plugin pluginclass="oim.eventhandlers.UpdateManagerLogin" version="1.0" name="UpdateManagerLogin"/>
</plugins>
</oimplugins>

4. Write the post-process handler class


Sample source code (UpdateManagerLogin.java)


package oim.eventhandlers;

import java.io.Serializable;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Set;

import oracle.iam.identity.usermgmt.api.UserManager;
import oracle.iam.identity.usermgmt.vo.User;
import oracle.iam.identity.usermgmt.vo.UserManagerResult;
import oracle.iam.platform.Platform;
import oracle.iam.platform.kernel.OrchestrationEngine;
import oracle.iam.platform.kernel.spi.PostProcessHandler;
import oracle.iam.platform.kernel.vo.AbstractGenericOrchestration;
import oracle.iam.platform.kernel.vo.BulkEventResult;
import oracle.iam.platform.kernel.vo.BulkOrchestration;
import oracle.iam.platform.kernel.vo.EventResult;
import oracle.iam.platform.kernel.vo.Orchestration;

// Post-process handler: after a user is created or modified, look up the manager
// by the "Manager Employee ID" parameter and set usr_manager_key to that user's key.
public class UpdateManagerLogin implements PostProcessHandler {

    public EventResult execute(long processId, long eventId,
                               Orchestration orchestration) {
        System.out.println("Test for Event Handler");
        try {
            // Initialize variables
            UserManager userMgmt = Platform.getService(UserManager.class);
            String userKey = getUserKey(processId, orchestration);

            // Only usr_manager_key is to be modified
            HashMap<String, Object> attrMap = new HashMap<String, Object>();

            HashMap<String, Serializable> parameters = orchestration.getParameters();
            String mgrEmpID = getParameterValue(parameters, "Manager Employee ID");
            if (mgrEmpID == null || mgrEmpID.length() == 0) {
                // Nothing to do when the request carries no manager employee ID
                // (on MODIFY only the changed attributes are in the parameters)
                return new EventResult();
            }

            // Find the manager by Employee Number; only usr_key is needed back
            Set<String> setMgr = new HashSet<String>();
            setMgr.add("usr_key");
            User manager = userMgmt.getDetails("Employee Number", mgrEmpID, setMgr);
            String mgrUsrKey = manager.getId();
            System.out.println("Manager user key:" + mgrUsrKey);

            // The user will be updated with the value of mgrUsrKey
            attrMap.put("usr_manager_key", Long.valueOf(mgrUsrKey));

            // Get the user to be modified
            User user = userMgmt.getDetails("usr_key", Long.valueOf(userKey), null);
            System.out.println("Before new" + user);
            user = new User(String.valueOf(user.getId()), attrMap);
            System.out.println("After new" + user);

            UserManagerResult result = userMgmt.modify("usr_key", String.valueOf(userKey), user);
            System.out.println("UserUpdate.process() " + result.getStatus());
        } catch (Exception e) {
            // Log and continue: a failure here should not roll back the user operation
            System.out.println("UpdateManagerLogin failed: " + e.getMessage());
            e.printStackTrace();
        }
        return new EventResult();
    }

    // Reads an orchestration parameter as a String; null if it is absent
    private String getParameterValue(HashMap<String, Serializable> parameters, String key) {
        Serializable value = parameters.get(key);
        return value == null ? null : value.toString();
    }

    private String getUserKey(long processID, Orchestration orchestration) {
        String userKey;
        if (!orchestration.getOperation().equals("CREATE")) {
            // For MODIFY the orchestration target already identifies the user
            userKey = orchestration.getTarget().getEntityId();
            System.out.println("UserKEY0" + userKey);
        } else {
            // For CREATE the new user key is the result of the create action
            OrchestrationEngine orchEngine = Platform.getService(OrchestrationEngine.class);
            userKey = (String) orchEngine.getActionResult(processID);
            System.out.println("UserKEY-1" + userKey);
        }
        return userKey;
    }

    // Bulk and lifecycle callbacks required by the PostProcessHandler interface
    public BulkEventResult execute(long processId, long eventId, BulkOrchestration orchestration) {
        return new BulkEventResult();
    }

    public void initialize(HashMap<String, String> arg) {
    }

    public void compensate(long processId, long eventId, AbstractGenericOrchestration orchestration) {
    }

    public boolean cancel(long processId, long eventId, AbstractGenericOrchestration orchestration) {
        return false;
    }
}
5. Add the library oimclient.jar to the project's classpath
6. Register the plugin.xml and the jar file (zip them together into a single file)

Move to: OIM_HOME/server/plugin_utility
ant -f pluginregistration.xml register (or unregister to remove it)

7. Restart the OIM managed server
8. Test by creating/updating a user
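The handler class name has to agree in three places: EventHandlers.xml (class=), plugin.xml (pluginclass=) and the compiled class inside the jar under lib/ in the registered zip. A mismatch in any of them shows up only as a handler that never fires after the restart. The following is an added example (not code from the post or from OIM) that builds a plugin zip in memory with the layout the registration expects and cross-checks the three names. The EventHandlers.xml sample, the jar name and the placeholder class bytes are constructed for the demo.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

# Plugin point the handlers in the post register against.
EVENT_HANDLER_POINT = "oracle.iam.platform.kernel.spi.EventHandler"

# Constructed EventHandlers.xml in the post's shape (one handler is enough here).
EVENTHANDLERS_XML = """<eventhandlers xmlns="http://www.oracle.com/schema/oim/platform/kernel"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <action-handler class="oim.eventhandlers.UpdateManagerLogin" entity-type="User"
    operation="CREATE" name="NamePostProcessEventHandlers" stage="postprocess"
    order="FIRST" sync="TRUE"/>
</eventhandlers>
"""


def _local(tag):
    """Strip the namespace: '{uri}action-handler' -> 'action-handler'."""
    return tag.rsplit("}", 1)[-1]


def build_demo_bundle(plugin_class, compiled_class):
    """Construct an in-memory plugin zip with the layout the ant registration
    expects: plugin.xml at the root and lib/<name>.jar holding the class.
    The .class bytes are a fake placeholder; only the entry names matter here."""
    plugin_xml = f"""<?xml version="1.0" encoding="UTF-8"?>
<oimplugins>
  <plugins pluginpoint="{EVENT_HANDLER_POINT}">
    <plugin pluginclass="{plugin_class}" version="1.0" name="UpdateManagerLogin"/>
  </plugins>
</oimplugins>"""
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w") as j:
        j.writestr(compiled_class.replace(".", "/") + ".class", b"\xca\xfe\xba\xbe")
    bundle = io.BytesIO()
    with zipfile.ZipFile(bundle, "w") as z:
        z.writestr("plugin.xml", plugin_xml)
        z.writestr("lib/UpdateManagerLogin.jar", jar.getvalue())
    return bundle.getvalue()


def check_plugin_bundle(bundle_bytes, eventhandlers_xml):
    """Cross-check the three places a handler class name must agree:
    EventHandlers.xml (class=), plugin.xml (pluginclass=) and the jar in lib/.
    Returns a list of problems; empty means consistent."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(bundle_bytes)) as z:
        names = z.namelist()
        if "plugin.xml" not in names:
            return ["plugin.xml is not at the root of the bundle"]
        registered = {}   # pluginclass -> pluginpoint
        for plugins in ET.fromstring(z.read("plugin.xml")).iter():
            if _local(plugins.tag) == "plugins":
                for p in plugins:
                    if _local(p.tag) == "plugin":
                        registered[p.get("pluginclass")] = plugins.get("pluginpoint")
        shipped = set()   # fully qualified class names found in lib/*.jar
        for n in names:
            if n.startswith("lib/") and n.endswith(".jar"):
                with zipfile.ZipFile(io.BytesIO(z.read(n))) as jar:
                    shipped.update(e[:-6].replace("/", ".")
                                   for e in jar.namelist() if e.endswith(".class"))
    for cls in registered:
        if cls not in shipped:
            problems.append(f"plugin.xml registers {cls} but no lib/*.jar contains it")
    for h in ET.fromstring(eventhandlers_xml).iter():
        if _local(h.tag) != "action-handler":
            continue
        cls = h.get("class")
        if cls not in registered:
            problems.append(f"EventHandlers.xml uses {cls} but plugin.xml does not register it")
        elif registered[cls] != EVENT_HANDLER_POINT:
            problems.append(f"{cls} is registered at {registered[cls]}, not {EVENT_HANDLER_POINT}")
    return problems


if __name__ == "__main__":
    # A package-name mismatch between plugin.xml and the compiled class
    mismatched = build_demo_bundle("iam.oim.eventhandlers.UpdateManagerLogin",
                                   "oim.eventhandlers.UpdateManagerLogin")
    for p in check_plugin_bundle(mismatched, EVENTHANDLERS_XML):
        print(p)
```

To use it on a real bundle, read the zip you are about to hand to `ant -f pluginregistration.xml register` and the EventHandlers.xml you imported into MDS, and pass both to `check_plugin_bundle`; fix every reported line before restarting the managed server.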


Reference documents from Oracle:

Extending User Management by Developing Event Handlers:
http://docs.oracle.com/cd/E14571_01/doc.1111/e14309/oper.htm#CCHHHGEC

Using API:
http://docs.oracle.com/cd/E14571_01/doc.1111/e14309/apis.htm

Forums Discussions:
https://forums.oracle.com/forums/message.jspa?messageID=10174401#10174401
https://forums.oracle.com/forums/thread.jspa?messageID=9792462
https://forums.oracle.com/forums/message.jspa?messageID=10176817