Thursday, September 22, 2016

MDS export import delete

WLST command to export, import or delete OIM MDS files.


Connect WLST -
           cd $OIM_HOME/common/bin
           ./wlst.sh
           connect('weblogic',  'password', 't3://host:port')

* Give the WebLogic Admin Server host and port in the connect command above.
* Replace the server name with the actual WebLogic managed server name in the commands below.


(1) MDS Export command

All Files - exportMetadata(application='OIMMetadata',server='WLS_OIM',toLocation='/tmp/MDS/OIM0710')

One Particular File - exportMetadata(application='OIMMetadata',server='WLS_OIM',docs='/file/User.xml',toLocation='/tmp/MDS/OIM0710')


(2) MDS Import command
All Files - importMetadata(application='OIMMetadata',server='WLS_OIM',fromLocation='/tmp/MDS/OIM0710')

One Particular File -importMetadata(application='OIMMetadata',server='WLS_OIM',docs='/file/User.xml',fromLocation='/tmp/MDS/OIM0710')

(3) MDS Delete command

Delete all files and particular folder -
deleteMetadata(application='OIMMetadata',server='WLS_OIM',docs='/custom/metadata/AD User/**')

Delete files only from any particular folder -
deleteMetadata(application='OIMMetadata',server='WLS_OIM',docs='/custom/metadata/AD User/*')

Delete one file -
deleteMetadata(application='OIMMetadata',server='WLS_OIM',docs='/custom/metadata/ADUser/ADForm.xml')


Exit WLST -
          exit()



To export SOA or OIM-UI MDS files, just change the application name in the command to one of the values below:

exportMetadata(application='soa-infra',server='WLS_SOA',toLocation='/tmp/MDS/SOA0710')

exportMetadata(application='oracle.iam.console.identity.self-service.ear',server='WLS_OIM',toLocation='/tmp/MDS/OIMUI0710')
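Added example, not part of the original post: a Python helper that fingerprints the directory written by exportMetadata and reports which documents a later importMetadata or deleteMetadata would add, change or remove, by comparing a "before" export with an "after" one. It assumes only that the export is a plain directory tree whose relative paths are the MDS document paths; the two sample trees it builds are constructed for the demo and are not real OIM metadata.

```python
import hashlib
import os
import tempfile


def mds_manifest(export_root):
    """Map every file under an exportMetadata output directory to its SHA-256.

    Keys are MDS-style document paths ('/file/User.xml'), so two exports taken
    into different toLocation directories can be compared directly.
    """
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(export_root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, export_root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                manifest["/" + rel] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def diff_manifests(before, after):
    """Return the documents an import or delete would add, change or remove."""
    common = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "changed": sorted(p for p in common if before[p] != after[p]),
    }


def build_sample_exports(base_dir):
    """Create two constructed export trees for the demo (not real OIM metadata)."""
    layout = {
        "before": {
            "file/User.xml": b"<entity-attributes><name>User</name></entity-attributes>",
            "custom/metadata/ADUser/ADForm.xml": b"<form>AD</form>",
        },
        "after": {
            "file/User.xml": b"<entity-attributes><name>User</name><new/></entity-attributes>",
            "custom/metadata/ADUser/ADGroup.xml": b"<form>AD group</form>",
        },
    }
    roots = {}
    for label, files in layout.items():
        root = os.path.join(base_dir, label)
        for rel, data in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        roots[label] = root
    return roots


def demo():
    """Build the two sample exports and diff them; returns the diff dictionary."""
    with tempfile.TemporaryDirectory() as tmp:
        roots = build_sample_exports(tmp)
        return diff_manifests(mds_manifest(roots["before"]), mds_manifest(roots["after"]))


if __name__ == "__main__":
    for kind, docs in demo().items():
        print(kind, docs)
```

Run it against two real toLocation directories (one exported before a change, one after) to see exactly which MDS documents differ before deciding to importMetadata the tree back or deleteMetadata a folder.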


Thursday, July 14, 2016

Opatch command to get OIM environment details

Get OIM environment details using OPatch and other commands [Java & WebLogic]


* Change the Middleware folder structure to match the installed environment.

(1) Get java version and home
java -version
echo $JAVA_HOME

(2) Get the snap shot of opatch applied in Oracle Common
export ORACLE_HOME=/apps/oracle/product/Middleware1036/oracle_common
cd /apps/oracle/product/Middleware1036/oracle_common/OPatch
./opatch lsinventory -detail


(3) Get the snap shot of opatch applied in SOA Home
export ORACLE_HOME=/apps/oracle/product/Middleware1036/Oracle_SOA
cd /apps/oracle/product/Middleware1036/Oracle_SOA/OPatch
./opatch lsinventory -all

(4) Get the snap shot of opatch applied in OIM Home
export ORACLE_HOME=/apps/oracle/product/Middleware1036/Oracle_OIM
cd /apps/oracle/product/Middleware1036/Oracle_OIM/OPatch
./opatch lsinventory


(5) Get the WebLogic patch version -
cd /apps/oracle/product/Middleware1036/utils/bsu
./bsu.sh -view -patch_download_dir=/apps/oracle/product/Middleware1036/utils/bsu/cache_dir/ -status=applied -verbose -prod_dir=/apps/oracle/product/Middleware1036/wlserver_10.3/
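Added example, not part of the original post: a small Python parser for the "Patch <id> : applied on ..." / "Bugs fixed:" blocks that opatch lsinventory prints, so the inventories captured from the oracle_common, Oracle_SOA and Oracle_OIM homes above can be consolidated into one patch baseline and checked for a given patch ID (for instance one named in a security advisory). The sample inventory text is constructed in that shape; the patch IDs, bug numbers and dates are made up.

```python
import re

# Constructed sample in the shape of "opatch lsinventory" output for two homes
# (patch IDs, dates and bug numbers are made up for the demo).
SAMPLE_INVENTORY = {
    "oracle_common": """\
Interim patches (2) :

Patch  11111111     : applied on Mon Mar 14 10:12:33 EST 2016
Unique Patch ID:  22222222
   Created on 11 Feb 2016, 07:04:22 hrs PST8PDT
   Bugs fixed:
     11111111, 11111112

Patch  33333333     : applied on Tue Apr 05 09:00:00 EST 2016
Unique Patch ID:  44444444
   Bugs fixed:
     33333333
""",
    "Oracle_OIM": """\
Interim patches (1) :

Patch  33333333     : applied on Tue Apr 05 09:30:00 EST 2016
Unique Patch ID:  44444444
   Bugs fixed:
     33333333
""",
}

# "Patch  <id>     : applied on <date>" header line of each interim patch entry
PATCH_LINE = re.compile(r"^Patch\s+(\d+)\s*:\s*applied on\s+(.+?)\s*$", re.MULTILINE)


def parse_lsinventory(text):
    """Return {patch_id: {"applied_on": str, "bugs": [bug ids]}} for one home."""
    patches = {}
    # split the output into one chunk per "Patch ..." header (first chunk is the preamble)
    for chunk in re.split(r"(?m)^(?=Patch\s+\d+)", text):
        m = PATCH_LINE.match(chunk)
        if not m:
            continue
        idx = chunk.find("Bugs fixed:")
        bugs = re.findall(r"\d+", chunk[idx + len("Bugs fixed:"):]) if idx >= 0 else []
        patches[m.group(1)] = {"applied_on": m.group(2), "bugs": bugs}
    return patches


def patch_baseline(inventories):
    """Consolidate several homes: {patch_id: sorted list of homes where it is applied}."""
    baseline = {}
    for home, text in inventories.items():
        for pid in parse_lsinventory(text):
            baseline.setdefault(pid, []).append(home)
    return {pid: sorted(homes) for pid, homes in baseline.items()}


def homes_with_patch(inventories, patch_id):
    """Homes where a given patch ID is applied; an empty list means it is applied nowhere."""
    return patch_baseline(inventories).get(patch_id, [])


if __name__ == "__main__":
    for pid, homes in sorted(patch_baseline(SAMPLE_INVENTORY).items()):
        print(pid, "->", ", ".join(homes))
```

In practice, redirect each home's `./opatch lsinventory` output to a file and load those files into the dictionary in place of SAMPLE_INVENTORY; the baseline can then be kept with the environment record and diffed after each patch cycle.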

Sunday, June 12, 2016

Bind TIBCO Queue or Topic with WebLogic Server

Get below details from TIBCO EMS system. Example values are shown for understanding only.
      JMS Server Name: tibjmsnaming://host:port
      Queue Name: JMS.TEST.Q
      Connection Factory: QueueConnectionFactory
      UserName: userId
      Password: password

Step 1 - Copy tibjms.jar and jms-2.0.jar into the WebLogic domain lib folder and add them to the classpath if required. By default WebLogic picks up new jars from the domain lib folder after a restart.

Step 2 - Perform below Config action in WebLogic to bind the Queue or Topic
(a) Create New JMS Module
WebLogic Path:- Services - Messaging - JMS Modules
Name: TIBCOJMSModule.

Note - Keep all other fields at their defaults (blank) and save.

(b) Create Foreign Server inside newly created JMS module
Name: TIBCOJMSFServer
JNDI Initial Context Factory: com.tibco.tibjms.naming.TibjmsInitialContextFactory
JNDI Connection URL: tibjmsnaming://host:port
JNDI Properties Credential: password
JNDI Properties: java.naming.security.principal=userId

Note - Put tibjms.jar in WebLogic domain lib folder for initial context factory class.

(c) Create Destinations inside newly created Foreign Server
  Name: TIBCOJMSQ
  Local JNDI Name: JMS.TEST.Q.Local
  Remote JNDI Name: JMS.TEST.Q

  Note - The local JNDI name can be the same as the remote one or different. Use the local name in the WebLogic EAR descriptor (weblogic-ejb-jar.xml).

(d) Create Connection Factories inside newly created Foreign Server
  Name: TIBCOJMSConnectionFactory
  Local JNDI Name: QueueConnectionFactoryLocal
  Remote JNDI Name: QueueConnectionFactory
  User Name: userId
  Password: password

  Note - The local JNDI name can be the same as the remote one or different. Use the local name in the WebLogic EAR descriptor (weblogic-ejb-jar.xml).


Step 3 - Deploy MDB listener EAR in WebLogic

(a) Sample MDB Listener class
import javax.ejb.MessageDrivenBean;
import javax.ejb.MessageDrivenContext;
import javax.jms.JMSException;
import javax.jms.Message;
import javax.jms.MessageListener;
import javax.jms.TextMessage;

public class MyListenerMDB implements MessageDrivenBean, MessageListener
{
    // Called by the container for every message delivered from the bound queue
    public void onMessage(Message message)
    {
        try {
            if (message instanceof TextMessage)
            {
                TextMessage msg = (TextMessage) message;
                System.out.println("Message is : " + msg.getText());
            }
        } catch (JMSException e) {
            e.printStackTrace();
        }
    }

    public void setMessageDrivenContext(MessageDrivenContext messageDrivenContext) {}
    public void ejbRemove() {}
    public void ejbCreate() {}
}

(b) Sample weblogic-ejb-jar file
<weblogic-ejb-jar>
  <weblogic-enterprise-bean>
    <ejb-name>My_TIBCO_TEST_MDB</ejb-name>
    <message-driven-descriptor>
      <pool>
        <max-beans-in-free-pool>1</max-beans-in-free-pool>
        <initial-beans-in-free-pool>1</initial-beans-in-free-pool>
      </pool>
      <destination-jndi-name>JMS.TEST.Q.Local</destination-jndi-name>
      <connection-factory-jndi-name>QueueConnectionFactoryLocal</connection-factory-jndi-name>
    </message-driven-descriptor>
    <enable-call-by-reference>True</enable-call-by-reference>
  </weblogic-enterprise-bean>
</weblogic-ejb-jar>

(c) Sample ejb-jar file [if the EJB class is in a package, give the fully qualified name, e.g. com.test.MyListenerMDB; the ejb-name in the assembly-descriptor must match the bean's ejb-name, otherwise the transaction attribute is not applied]
<ejb-jar>
  <enterprise-beans>
    <message-driven>
      <ejb-name>My_TIBCO_TEST_MDB</ejb-name>
      <ejb-class>MyListenerMDB</ejb-class>
      <transaction-type>Container</transaction-type>
      <message-driven-destination>
        <destination-type>javax.jms.Queue</destination-type>
      </message-driven-destination>
    </message-driven>
  </enterprise-beans>
  <assembly-descriptor>
    <container-transaction>
      <method>
        <ejb-name>My_TIBCO_TEST_MDB</ejb-name>
        <method-name>*</method-name>
      </method>
      <trans-attribute>NotSupported</trans-attribute>
    </container-transaction>
  </assembly-descriptor>
</ejb-jar>

TIBCO Queue Sender and Receiver client

// Required jar - jms-2.0.jar, tibjms.jar

package com.test;

import javax.jms.*;
import com.tibco.tibjms.TibjmsQueueConnectionFactory;

public class TibcoSendListen {

    public static void main(String[] args) throws Exception {
        String serverUrl = "tcp://host:port"; // Replace host & port with actual values
        String userName = "userId";           // Replace userId with actual value
        String password = "password";         // Replace password with actual value
        String queueName = "JMS.TEST.Q";      // Replace queue name with actual value

        QueueConnectionFactory factory = new TibjmsQueueConnectionFactory(serverUrl);
        QueueConnection connection = factory.createQueueConnection(userName, password);
        QueueSession session = connection.createQueueSession(false, javax.jms.Session.AUTO_ACKNOWLEDGE);

        // Sending message into Queue
        Queue queue = session.createQueue(queueName);
        QueueSender sender = session.createSender(queue);
        TextMessage jmsMessage = session.createTextMessage();
        jmsMessage.setText("Sample Message from Rajesh!");
        sender.send(jmsMessage);
        System.out.println("Message Sent Successfully");

        // Reading message from Queue (delivery only starts after connection.start())
        QueueReceiver receiver = session.createReceiver(queue);
        connection.start();
        TextMessage message = (TextMessage) receiver.receive();
        System.out.println("Received message: " + message.getText());

        sender.close();
        receiver.close();
        session.close();
        connection.close();
    }
}

Tuesday, June 7, 2016

OIM Design Console Setup in Local Machine

(1) Copy design console from $OIM_HOME/designconsole

(2) Copy below 2 lib in design console ext folder
         $MIDDLEWARE_HOME/wlserver_10.3/server/lib/wlfullclient.jar
         $MIDDLEWARE_HOME/oracle_common/modules/oracle.jrf_11.1.1/jrf-api.jar

(3) Update the classpath.bat file to include jrf-api.jar

(4) Update xlclient.cmd with the Java path, home directory path and auth file reference. It will look like the following:

"C:\Program Files\Java\jdk1.7.0_71\bin\java" %DEBUG_OPTS% ^
-DXL.ExtendedErrorOptions=TRUE -DXL.HomeDir=C:\designconsole ^
-Djava.security.policy=config\xl.policy ^
-Dlog4j.configuration=config\log.properties ^
-DAPPSERVER_TYPE=wls ^
-Dweblogic.security.SSL.trustedCAKeyStore=%TRUSTSTORE_LOCATION% ^
-Djava.security.manager -Djava.security.auth.login.config=config\authwl.conf ^
com.thortech.xl.client.base.tcAppWindow -server server



Steps to build wlfullclient.jar. It is not shipped with the OIM installer and has to be built on the OIM server:
cd $MIDDLEWARE_HOME/wlserver_10.3/server/lib
java -jar wljarbuilder.jar

Steps to install Design Console if it is not installed on the server:
cd $MIDDLEWARE_HOME/Oracle_IDM1/bin/
        ./config.sh [select Design Console only]

Thursday, June 2, 2016

Base 64 Encoding and Decoding

// jar needed - commons-codec-1.10.jar

package com.test;

import org.apache.commons.codec.binary.Base64;


public class Base64Test {

    public static void main(String[] args) {
        // encode data using BASE64
        byte[] bytesEncoded = Base64.encodeBase64("userid:password".getBytes());
        System.out.println("encoded value is " + new String(bytesEncoded));

        // decode the encoded data back to the original bytes
        byte[] valueDecoded = Base64.decodeBase64(bytesEncoded);
        System.out.println("Decoded value is " + new String(valueDecoded));
    }
}

Friday, May 20, 2016

OIM SCIM Java Client

/* Jars needed - commons-codec-1.10.jar & json-20140107.jar

Steps to run the code below:
      Update host, port and password, then call the createUser method.
      Once the user is created in OIM, get the user key from the DB and pass it to the updateUser method.
*/

package com.test;

import java.io.OutputStreamWriter;
import java.net.HttpURLConnection;
import java.net.URL;

import org.apache.commons.codec.binary.Base64;
import org.json.JSONArray;
import org.json.JSONObject;

public class SCIMClient {

static String authStringEnc = "";
static String scimURL = "";
public static void main(String[] args) throws Exception {
        String name = "xelsysadm";
        String password = "password"; // Update Password
        scimURL = "http://host:port/idaas/im/scim/v1"; // Update Host, Port
     
        String authString = name + ":" + password;
        authStringEnc = "Basic " + new String(Base64.encodeBase64(authString.getBytes()));
        System.out.println("Base64 encoded auth string: " + authStringEnc);
     
       createUser();
       //updateUser("144"); // Change the user key '144' with actual one.

}

public static void createUser() throws Exception{
    JSONObject obj = workerJSON();
    boolean flag = processHTTPCall(scimURL + "/Users", "POST", obj);
        if (flag)
        System.out.println("User created successfully!");
}

public static void updateUser(String userKey) throws Exception{
        JSONObject obj = workerJSON();
        boolean flag = processHTTPCall(scimURL +"/Users/"+ userKey, "PUT", obj);
        if (flag)
        System.out.println("User updated successfully!");
}

public static boolean processHTTPCall(String httpUrl, String method, JSONObject obj) throws Exception{
        boolean flag = false;

        HttpURLConnection connection = null;
        URL url = new URL(httpUrl);
        connection = (HttpURLConnection)url.openConnection();
        connection.setRequestMethod(method);
        connection.setRequestProperty("Content-Type","application/scim+json");
        connection.setRequestProperty("Authorization", authStringEnc);
        connection.setConnectTimeout(50000);
        connection.setDoOutput(true);
        connection.setReadTimeout(50000);
        // write the JSON body as UTF-8 (the platform default charset is not guaranteed to be UTF-8)
        OutputStreamWriter out =
            new OutputStreamWriter(connection.getOutputStream(), "UTF-8");
        out.write(obj.toString());
        out.close();

        System.out.println("Response code from server is ::" +connection.getResponseCode());
        System.out.println("Response Message from server is ::" +connection.getResponseMessage());
     
        if(connection.getResponseCode() < 300){
        System.out.println("HTTP Call was successful!");
        flag = true;
        }else{
        System.out.println("Error Encountered during HTTP Call");
        }
     
        return flag;
}

// Get the sample JSON object by running the curl command shown at the end of this post and build the exact format for create/update. It supports single, multiple, and full attribute updates.
public static JSONObject workerJSON(){
        JSONObject workerObj = new JSONObject();

        JSONArray schemas = new JSONArray();
        schemas.put("urn:ietf:params:scim:schemas:extension:oracle:2.0:OIG:User");
        schemas.put("urn:ietf:params:scim:schemas:core:2.0:User");
        schemas.put("urn:ietf:params:scim:schemas:extension:enterprise:2.0:User");
        schemas.put("urn:ietf:params:scim:schemas:extension:oracle:2.0:IDM:User");
        workerObj.put("schemas", schemas);
     
        JSONObject userOIGObj = new JSONObject();
        userOIGObj.put("Department", "Security");

        JSONObject homeValue = new JSONObject();
        homeValue.put("value", "1");
        homeValue.put("$ref", scimURL + "/Organizations/1");

        userOIGObj.put("homeOrganization", homeValue);

        workerObj.put("urn:ietf:params:scim:schemas:extension:oracle:2.0:OIG:User", userOIGObj);
     

        workerObj.put("displayName", "John peter");
     
        JSONArray email = new JSONArray();
        JSONObject mailObj = new JSONObject();
        mailObj.put("value", "john.peter3@test.com");
        mailObj.put("type", "work");
        email.put(mailObj);
        workerObj.put("emails", email);
     
        workerObj.put("organization", "Xellerate Users");
     
        JSONObject userEntObj = new JSONObject();
        userEntObj.put("employeeNumber", "12345");
     
        JSONObject mgrObj = new JSONObject();
        mgrObj.put("value", "1");
        userEntObj.put("manager", mgrObj);
     
        workerObj.put("urn:ietf:params:scim:schemas:extension:enterprise:2.0:User", userEntObj);
     
   
        JSONArray contactNumber = new JSONArray();
     
        JSONObject mobileNumber = new JSONObject();
        mobileNumber.put("value", "123-456-7999");
        mobileNumber.put("type", "mobile");
        contactNumber.put(mobileNumber);
     
        JSONObject workNumber = new JSONObject();
        workNumber.put("value", "123-456-7888");
        workNumber.put("type", "work");
        contactNumber.put(workNumber);

        workerObj.put("phoneNumbers", contactNumber);
     

        JSONObject nameObj = new JSONObject();
        nameObj.put("middleName", "M");
        nameObj.put("familyName", "John");
        nameObj.put("givenName", "Peter");
        workerObj.put("name", nameObj);


        JSONObject addrObj = new JSONObject();
        JSONArray homeAddr = new JSONArray();
        addrObj.put("region", "AMER");
        addrObj.put("country", "US");
        addrObj.put("type", "work");
        homeAddr.put(addrObj);
        workerObj.put("addresses", homeAddr);

        workerObj.put("title", "Lead Developer");
     
        System.out.println("JSON object is --->" + workerObj);
        return workerObj;
}
}

/*
To get sample JSON object using CURL [https://curl.haxx.se/] in CMD
      curl --user xelsysadm:password http://host:port/idaas/im/scim/v1/Users/1
*/
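Added example, not from the original post: the same create/update document that workerJSON() builds, written in Python with only the standard library, together with the Basic-auth header and an HTTP helper that returns the SCIM error document on a 4xx/5xx response instead of just a response code. The schema URNs and the field layout are taken from the Java code above; the field values are constructed sample data, and scim_url with its "host:port" is a placeholder.

```python
import base64
import json
import urllib.error
import urllib.request

# Schema URNs as used in the page's workerJSON(); the OIG/IDM ones are Oracle extensions.
SCHEMA_OIG = "urn:ietf:params:scim:schemas:extension:oracle:2.0:OIG:User"
SCHEMA_CORE = "urn:ietf:params:scim:schemas:core:2.0:User"
SCHEMA_ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
SCHEMA_IDM = "urn:ietf:params:scim:schemas:extension:oracle:2.0:IDM:User"


def basic_auth_header(user, password):
    """Base64 of 'user:password'. This is an encoding, not encryption, so send it only over TLS."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def build_user_payload(scim_url, given, family, email, employee_number, org_key="1", manager_key="1"):
    """Build the create/update document the Java workerJSON() produces, from parameters.

    Values passed in are constructed sample data; org_key/manager_key are the
    OIM organization and manager keys referenced by the $ref and manager fields.
    """
    return {
        "schemas": [SCHEMA_OIG, SCHEMA_CORE, SCHEMA_ENTERPRISE, SCHEMA_IDM],
        "displayName": f"{given} {family}",
        "name": {"givenName": given, "familyName": family},
        "emails": [{"value": email, "type": "work"}],
        "organization": "Xellerate Users",
        SCHEMA_OIG: {
            "Department": "Security",
            "homeOrganization": {"value": org_key, "$ref": f"{scim_url}/Organizations/{org_key}"},
        },
        SCHEMA_ENTERPRISE: {"employeeNumber": employee_number, "manager": {"value": manager_key}},
    }


def scim_request(url, method, payload, auth_header, timeout=50):
    """POST (create) or PUT (update) a SCIM resource; return (status, parsed body or None).

    urlopen raises on 4xx/5xx; catching HTTPError lets the SCIM error document
    (which carries 'status' and 'detail') be returned to the caller for logging.
    """
    body = json.dumps(payload).encode("utf-8")
    req = urllib.request.Request(url, data=body, method=method)
    req.add_header("Content-Type", "application/scim+json")
    req.add_header("Accept", "application/scim+json")
    req.add_header("Authorization", auth_header)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, raw = resp.status, resp.read()
    except urllib.error.HTTPError as err:
        status, raw = err.code, err.read()
    return status, (json.loads(raw) if raw else None)


def is_success(status):
    """Same rule as the Java client: any status below 300 counts as success."""
    return status < 300


if __name__ == "__main__":
    scim_url = "http://host:port/idaas/im/scim/v1"  # placeholder, update host and port
    auth = basic_auth_header("xelsysadm", "password")  # placeholder password
    payload = build_user_payload(scim_url, "Peter", "John", "john.peter3@test.com", "12345")
    print(json.dumps(payload, indent=2))
    # status, doc = scim_request(scim_url + "/Users", "POST", payload, auth)
    # print(status, doc)
```

Create is a POST to /Users; update is a PUT to /Users/<userKey> with the same document, exactly as in the Java client. The Authorization value is a reversible encoding of the password, which is why the SCIM endpoint should be reached over HTTPS rather than the plain http URL used in the placeholders.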

Sunday, May 15, 2016

OIM Terminology

-------- OIM Terminology
Reconciliation - Process to sync OIM with another system
                  Trusted Recon - Sync against the HR system [Identity]
                  Target Recon - Sync against the target system [Access]
Resource Object - Symbolic representation of a target system
SOA Composite - Approval workflow logic deployed in SOA
IT Resource - Target system connection info
Adapter - Symbolic representation of a Java method
Provisioning Workflow - Set of task flows that manage access in the target system
Process Form - Placeholder form used by provisioning tasks
Lookup - Placeholder for any config used by OIM code
Catalog - As the name suggests, it lists all available targets so a user can pick one and request access
Email Template - Contains the email templates OIM uses to send communication
Scheduled Task - Job that runs on a periodic basis, e.g. a recon process
Policy
             Approval Policy - Contains the Application vs SOA Composite mapping
             Access Policy - Contains rules for automatically granting target access to users


----------- Commonly used Configuration

OIM is used for managing Identity and Access, so users and target systems have to be onboarded into OIM before access can be managed.

User onboarding - This process is called Trusted Reconciliation. Typically a scheduled job pulls the delta from the HR system and syncs OIM identities.

Application onboarding - Multiple steps are needed to onboard a new target system in OIM:
                  Create Resource Object [symbolic representation of the target system]
                  Create IT Resource [target system connection parameters]
                  Configure Provisioning Workflow [task flow to manage access]
                  Configure Process Form
                  Create Application Instance and publish it in the catalog

Application Recon - Also called Target Reconciliation. Typically a scheduled job pulls the delta from the target system and syncs OIM access.


OIM Product Installation

--------------- High level steps for OIM Installation
 Install Java
 Install database
 Run the Repository Creation Utility (RCU)
 Install WebLogic
 Install SOA suite
 Install OIM suite
 Create domain
 Middle ware configuration [Deploy ear file in servers]

----------- Product usage
OIM - Used for managing Identity and Access
SOA - Used for the approval process. A SOA composite contains the approval workflow and Java code. The JDeveloper tool is used to create new composites.
BI Publisher - Used for viewing report.

------------- Access Diff product
OIM Access - 
           Browser - /identity
                             /sysadmin
           Design Console

SOA Access - Browser - /soa-infra
BI Publisher - Browser - /xmlpserver


-------- Folder Structure in unix box 
MW_Home
           - Java
           - Weblogic
           - OIM
           - SOA
            - Oracle Common

Weblogic_Domain
               - contains config file [ear file deployment configuration], Admin Server, Managed Servers [OIM, SOA, BI Publisher]

----------- DB Schema
            - OIM
            - SOAINFRA
            - BIPUBLISHER
            - MDS [Meta data, contains properties and config file]
            - OPSS [Platform Security]

System for Cross-domain Identity Management (SCIM)


These days enterprise applications are mushrooming both on premises and in the cloud. All of them need to communicate with the IDM system to get basic user details or similar information. To do so, application owners have had to depend on IDM-system-specific libraries and expertise, which makes integration painful and slow.

To overcome this, SCIM (System for Cross-domain Identity Management) came into the picture as an open standard for exchanging user information between identity domains.

SCIM uses JSON objects to exchange information and does not require IDM-system-specific libraries. Most IDM products have implemented this feature; Oracle has included it in the PS3 release.


OIM SCIM Service URL in PS3 :- http://host:port/idaas/im/scim/v1/Users

To get sample JSON object using CURL in CMD
      curl --user xelsysadm:password http://host:port/idaas/im/scim/v1/Users/1

Method -
             POST [Create Resource eg - User, Group]
             GET [Get Resource]
             PUT [Update Resource]
             PATCH [Modify Particular field]
             DELETE [Delete Resource]


Java Client to get sample JSON obj ------------------

// lib - java.util.Base64 (Java 8+) is used here; any Base64 encoder will do

import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.util.Base64;

  public static void getUser() throws Exception{

     String authStringEnc = "Basic " + Base64.getEncoder().encodeToString("xelsysadm:password".getBytes("UTF-8"));

     // SCIM string literals in a filter are quoted, and the query value must be URL-encoded
     // (a raw space in the URL is not a valid request line)
     String filter = URLEncoder.encode("userName eq \"SMITHJ\"", "UTF-8");
     URL url = new URL("http://host:port/idaas/im/scim/v1/Users?filter=" + filter);
     HttpURLConnection connection = (HttpURLConnection) url.openConnection();
     connection.setRequestMethod("GET");
     connection.setRequestProperty("Content-Type", "application/scim+json");
     connection.setRequestProperty("Authorization", authStringEnc);
     connection.setConnectTimeout(5000);
     connection.setReadTimeout(5000);
     // no setDoOutput(true): a GET sends no body, and enabling output would turn the request into a POST

     int responseCode = connection.getResponseCode();
     System.out.println("Response Code : " + responseCode);

     BufferedReader in = new BufferedReader(
            new InputStreamReader(connection.getInputStream(), "UTF-8"));
     String inputLine;
     StringBuilder response = new StringBuilder();

     while ((inputLine = in.readLine()) != null) {
         response.append(inputLine);
     }
     in.close();

     // print JSON object
     System.out.println(response.toString());

  }
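Added example, not from the original post, in Python, for the GET shown above: it builds the filter with the SCIM string literal quoted and the query URL-encoded, escapes quotes inside the supplied user name so a value cannot alter the filter expression, and parses the ListResponse into (id, userName) pairs. The ListResponse body is constructed in SCIM 2.0 shape and was not captured from an OIM server; the "host:port" base URL is a placeholder.

```python
import base64
import json
import urllib.parse
import urllib.request


def basic_auth_header(user, password):
    """'Basic ' + base64('user:password'); reversible, so only use over TLS."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def user_lookup_url(scim_base, username):
    """Build .../Users?filter=userName eq "<name>" with the filter quoted and URL-encoded.

    Quoting the literal and escaping embedded quotes/backslashes keeps a
    user-supplied name from being interpreted as part of the filter grammar.
    """
    escaped = username.replace("\\", "\\\\").replace('"', '\\"')
    filt = f'userName eq "{escaped}"'
    return f"{scim_base}/Users?" + urllib.parse.urlencode({"filter": filt})


def parse_list_response(body):
    """Pull (id, userName) pairs out of a SCIM ListResponse document."""
    doc = json.loads(body)
    return [(r.get("id"), r.get("userName")) for r in doc.get("Resources", [])]


def get_user(scim_base, username, auth_header, timeout=5):
    """GET the user by userName and return the parsed (id, userName) pairs."""
    req = urllib.request.Request(user_lookup_url(scim_base, username))
    req.add_header("Accept", "application/scim+json")
    req.add_header("Authorization", auth_header)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_list_response(resp.read().decode("utf-8"))


# Constructed ListResponse in SCIM 2.0 shape (not captured from a real OIM server).
SAMPLE_LIST_RESPONSE = json.dumps({
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 1,
    "Resources": [{"id": "144", "userName": "SMITHJ", "displayName": "John Smith"}],
})


if __name__ == "__main__":
    base = "http://host:port/idaas/im/scim/v1"  # placeholder, update host and port
    print(user_lookup_url(base, "SMITHJ"))
    print(parse_list_response(SAMPLE_LIST_RESPONSE))
    # print(get_user(base, "SMITHJ", basic_auth_header("xelsysadm", "password")))
```

The id returned in the ListResponse is the user key the update call (PUT /Users/<key>) needs, so this lookup replaces reading the key out of the database by hand.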

OIM 11gR2 PS3 Upgrade Steps

OIM 11gR2 PS3 Upgrade high level steps -

Single Server
             Upgrade JDK
             Patch WebLogic
             Upgrade SOA binary
             Upgrade OIM binary
             Upgrade RCU
             Create BI Publisher Schema
             Upgrade Existing Schema
             Run Middle Tier Upgrade Offline
             Run Middle Tier Upgrade Online
             Patch SOA
             Patch OIM



Multi Servers [High Availability]
             Upgrade JDK in all servers
             Patch WebLogic in all servers
             Upgrade SOA binary in all servers
             Upgrade OIM binary in all servers
             Upgrade RCU
             Create BI Publisher Schema
             Upgrade Existing Schema
             Run Middle Tier Upgrade Offline in Primary node
             Pack/Unpack domain config from Primary to other domain
             Run Middle Tier Upgrade Online in Primary node
             Patch SOA in all servers
             Patch OIM in all servers
             Extend BI Publisher Servers