Tuesday, December 9, 2014

How to Develop and Deploy a WCF REST Service with Web Deployment Manager / Jenkins

The following steps deploy a WCF REST service to IIS using the Web Deployment Manager (Web Deploy) and Jenkins:

1. Download and Install Web Platform Installer

2. Open the Microsoft Web Platform Installer and install the following components; they are needed to run the MSBuild targets and to deploy the web application to IIS through the Web Deployment Manager.

  2.1 Microsoft .NET Framework 4.5

     This component is required to install the SharpDevelop IDE and is the runtime for the service under IIS.

  2.2 Web Deployment Manager

   This component (Web Deploy) is required to deploy the RESTful web service to a remote IIS server.

  2.3 Visual Studio 2010 Shell (Isolated)

This component provides the Visual Studio web application MSBuild targets that package and publish the RESTful web service, for example when building with /p:DeployOnBuild=True.

3. Install IIS

This step is only required if IIS is not yet installed on Windows 7. Open Control Panel --> Programs and Features --> Turn Windows Features On or Off --> select Internet Information Services and click OK. This installs IIS.

  3.1 Enabling the ASP.NET Handler

   This enables the ASP.NET handler mappings in IIS; the IIS installation in step 3 does not include them. Open Control Panel --> Programs and Features --> Turn Windows Features On or Off --> Internet Information Services --> World Wide Web Services --> Application Development Features --> select ASP.NET and click OK. This installs the ASP.NET feature.

  3.2 Enabling the WCF Handler

   This enables the WCF handler mappings (the .svc handler) in IIS; the IIS installation in step 3 does not include them. Open Control Panel --> Programs and Features --> Turn Windows Features On or Off --> Microsoft .NET Framework 3.5.1 --> select Windows Communication Foundation HTTP Activation and Windows Communication Foundation Non-HTTP Activation and click OK. This installs the WCF feature. HTTP Activation is the one this REST service needs; Non-HTTP Activation is only required for net.tcp, net.pipe or MSMQ endpoints.

4. Download and install the SharpDevelop IDE


5. Create the REST Service Project Using the SharpDevelop IDE

Open the SharpDevelop IDE --> File --> New --> Solution --> C# --> WCF --> select WCF REST Service, enter RestDemoService as the name and click Create. This creates the WCF REST service project. My sample code is given below; I am deploying the default generated RESTful WCF service using the Web Deployment Manager and a Jenkins job.


using System;
using System.ServiceModel;
using System.ServiceModel.Web;

namespace RestDemoService
{
    [ServiceContract]
    public interface IService
    {
       [OperationContract]
       [WebGet(UriTemplate = "operation/{name}")]
       string MyOperation(string name);
    }
  
    public class Service : IService
    {
       public string MyOperation(string name)
       {
          // implement the operation
          return string.Format("Operation name: {0}", name);
       }
    }
}


6. Include the Visual Studio MSBuild Targets

 The SharpDevelop project file does not import the Visual Studio web application MSBuild targets by default. These targets are what package the RESTful WCF service as a zip file and publish that package to the IIS web site, so they must be imported.

Open the RestDemoService.csproj file and import the Microsoft.WebApplication.targets file:
 
<Import Project="$(MSBuildExtensionsPath32)\Microsoft\VisualStudio\v10.0\WebApplications\Microsoft.WebApplication.targets" />

My Windows 7 machine is 32-bit and I installed the 32-bit Visual Studio 2010 Shell. $(MSBuildExtensionsPath32) resolves to the 32-bit MSBuild extensions directory (C:\Program Files (x86)\MSBuild on 64-bit Windows), which is where Visual Studio installs these targets. If on your machine the file is under the 64-bit extensions directory instead, use MSBuildExtensionsPath64:

<Import Project="$(MSBuildExtensionsPath64)\Microsoft\VisualStudio\v10.0\WebApplications\Microsoft.WebApplication.targets" />

Either way, check that the file exists at the path the property resolves to before committing the change; an Import that cannot be found fails the build as soon as the project is loaded.


  Include the .svc and .config files in the package


   By default Service.svc and web.config are None items in the project, and None items are not included in the deployment package. Change them to Content items in the .csproj file:

Original Version:

<ItemGroup>
    <None Include="Service.svc" />
    <None Include="web.config" />
  </ItemGroup>

Modified Version:

 <ItemGroup>
    <Content Include="Service.svc" />
    <Content Include="web.config" />
  </ItemGroup>

7. Check the code into your repository.

My sample repository is SVN.

8. Download and install Jenkins


9. Configuring the MSBuild Plugin


Open the Jenkins console and click Manage Jenkins --> Manage Plugins --> Available --> select MSBuild Plugin --> click Install without restart. This installs the MSBuild plugin.

10. Configuring the MSBuild Compiler

Open the Jenkins console and click Manage Jenkins --> Configure System --> Add MSBuild, then enter the following details:

MSBuild Name: MsBuild - 4.0
Path to MSBuild: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

In my example I am using .NET Framework 4.0, so I entered the .NET 4.0 MSBuild path shown above.

Click Save and It will save the MSBuild Configuration.

11. Creating the Jenkins Job


Open the Jenkins console --> click New Item and enter the following details to create the job:

1. Item name: Rest Demo Service
2. Select Freestyle project.

Click OK. This creates the Jenkins job.


12. Configuring the Source Control

Open the Jenkins console --> click the job Rest Demo Service --> Configure --> select Subversion under Source Code Management and enter the repository URL. Jenkins then asks for credentials; click Credentials and enter the account it should use to authenticate against the SVN repository (a read-only account is enough for a build job). Leave the remaining options as they are and click Save. This configures Subversion for the job.

13. Triggering the Build

Open the Jenkins console --> click the job Rest Demo Service --> Configure --> select Poll SCM and enter the schedule. My sample build polls the repository once a day, during the 11:00 hour (the H lets Jenkins pick the minute so that jobs do not all fire at once):

H 11 * * *

To poll every 11 hours instead, the hour field needs a step, for example H */11 * * *.

14. Configuring the Build

Open the Jenkins console --> click the job Rest Demo Service --> Configure --> Add build step --> Build a Visual Studio project or solution using MSBuild, and enter the following details:

1. MSBuild Version:

    Select the MSBuild installation configured under Configure System in the combo box. In my case it is MsBuild - 4.0.

2. MSBuild Build File:

   Enter the solution file or project file. In my example the solution file is RestDemoService.sln.

3. Command Line Arguments:


/t:clean /t:rebuild /p:Configuration=Debug /p:DeployOnBuild=True /p:DeployTarget=MsDeployPublish /p:MSDeployPublishMethod=RemoteAgent /p:CreatePackageOnPublish=True /p:DeployIisAppPath="Default Web Site/RestDemoService" /p:MsDeployServiceUrl=<Remote Agent Host Name>  /p:username="Administrator User Name" /p:password=<Admin Password> 

I am deploying the application to Default Web Site/RestDemoService. Replace this with your own web site/application name.

Deploying to a remote server:

MSDeployPublishMethod = RemoteAgent
MsDeployServiceUrl = the remote host name (the Web Deploy Remote Agent Service must be running on it)


Deploying to the local machine:

MSDeployPublishMethod = InProc
(MsDeployServiceUrl is not needed)


username = an account that is an administrator on the target IIS server
password = that account's password



The above command cleans and rebuilds the solution, packages the service as a zip file and publishes the package to IIS through the Web Deployment Manager, all from MSBuild.

Note that, written this way, the administrator password is stored in plain text in the Jenkins job configuration and is echoed with the MSBuild command line in the build's console output, where everyone who can read the job sees it. Use a dedicated deployment account rather than the built-in Administrator, pass the password in through a Jenkins password parameter or a credentials binding (as an environment variable) instead of typing it into the job, and restrict who can read the job's console output. The Remote Agent Service also listens on plain HTTP and requires an administrator on the target; for deployments to anything beyond a test box, the Web Management Service handler (MSDeployPublishMethod=WMSVC) over HTTPS with a delegated non-administrator account is the better choice.


15. Running the Jenkins Job

Open the Jenkins console --> click the job Rest Demo Service --> click Build Now. Jenkins builds the web application and deploys it to IIS.


16. Testing the WCF REST Service


Open a browser and request the following URL to test the service:

http://localhost/RestDemoService/Service.svc/operation/add

Response:

<string xmlns="http://schemas.microsoft.com/2003/10/Serialization/">Operation name: add</string> 



 

Thursday, November 20, 2014

javax.net.ssl.SSLKeyException: FATAL Alert:BAD_CERTIFICATE - A corrupt or unuseable certificate was received.


Error:

javax.net.ssl.SSLKeyException: FATAL Alert:BAD_CERTIFICATE - A corrupt or unuseable certificate was received.

        at com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.tryWithMex(RuntimeWSDLParser.java:182)
        at com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.parse(RuntimeWSDLParser.java:153)
        at com.sun.xml.ws.client.WSServiceDelegate.parseWSDL(WSServiceDelegate.java:284)
        at com.sun.xml.ws.client.WSServiceDelegate.<init>(WSServiceDelegate.java:246)
        at com.sun.xml.ws.client.WSServiceDelegate.<init>(WSServiceDelegate.java:197)
        at com.sun.xml.ws.client.WSServiceDelegate.<init>(WSServiceDelegate.java:187)
        at weblogic.wsee.jaxws.spi.WLSServiceDelegate.<init>(WLSServiceDelegate.java:84)
        at weblogic.wsee.jaxws.spi.WLSProvider$ServiceDelegate.<init>(WLSProvider.java:598)
        at weblogic.wsee.jaxws.spi.WLSProvider.createServiceDelegate(WLSProvider.java:120)
        at weblogic.wsee.jaxws.spi.WLSProvider.createServiceDelegate(WLSProvider.java:112)
        at weblogic.wsee.jaxws.spi.WLSProvider.createServiceDelegate(WLSProvider.java:83)
        at javax.xml.ws.Service.<init>(Service.java:56)
        at edu.sfsu.excs.ExchangeConnectorService.<init>(ExchangeConnectorService.java:42)
        at edu.sfsu.exchange.connector.util.ExchangeConnectorUtil.getExchangeConnectorServiceSoap(Unknown Source)
        at edu.sfsu.exchange.connector.adapter.ExchangeConnectorWrapper.buildEXCSConfig(Unknown Source)
        at edu.sfsu.exchange.connector.adapter.ExchangeConnectorProcessTask.createUser(Unknown Source)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at com.thortech.xl.adapterGlue.ScheduleItemEvents.adpEXCS_CREATEUSER.CREATEUSER(adpEXCS_CREATEUSER.java:110)
        at com.thortech.xl.adapterGlue.ScheduleItemEvents.adpEXCS_CREATEUSER.implementation(adpEXCS_CREATEUSER.java:54)
        at com.thortech.xl.client.events.tcBaseEvent.run(tcBaseEvent.java:196)
        at com.thortech.xl.dataobj.tcDataObj.runEvent(tcDataObj.java:2492)
        at com.thortech.xl.dataobj.tcScheduleItem.runMilestoneEvent(tcScheduleItem.java:2919)
        at com.thortech.xl.dataobj.tcScheduleItem.eventPostUpdate(tcScheduleItem.java:742)
        at com.thortech.xl.dataobj.tcDataObj.update(tcDataObj.java:664)
        at com.thortech.xl.dataobj.tcDataObj.save(tcDataObj.java:508)
        at com.thortech.xl.dataobj.tcScheduleItem.checkChildrenIfCompleted(tcScheduleItem.java:1808)
        at com.thortech.xl.dataobj.tcScheduleItem.checkChildren(tcScheduleItem.java:1852)
        at com.thortech.xl.dataobj.tcScheduleItem.eventPostUpdate(tcScheduleItem.java:723)
        at com.thortech.xl.dataobj.tcDataObj.update(tcDataObj.java:664)
        at com.thortech.xl.dataobj.tcDataObj.save(tcDataObj.java:508)
        at com.thortech.xl.dataobj.tcORC.completeSystemValidationMilestone(tcORC.java:1190)
        at com.thortech.xl.dataobj.tcOrderItemInfo.completeCarrierBaseMilestone(tcOrderItemInfo.java:735)
        at com.thortech.xl.dataobj.tcOrderItemInfo.eventPostInsert(tcOrderItemInfo.java:172)
        at com.thortech.xl.dataobj.tcUDProcess.eventPostInsert(tcUDProcess.java:237)
        at com.thortech.xl.dataobj.tcDataObj.insert(tcDataObj.java:604)
        at com.thortech.xl.dataobj.tcDataObj.save(tcDataObj.java:474)
        at com.thortech.xl.dataobj.tcTableDataObj.save(tcTableDataObj.java:2906)
        at com.thortech.xl.dataobj.tcORC.autoDOBSave(tcORC.java:3002)
        at com.thortech.xl.dataobj.util.tcOrderPackages.createOrder(tcOrderPackages.java:526)
        at com.thortech.xl.dataobj.util.tcOrderPackages.orderPackageForUser(tcOrderPackages.java:177)
        at com.thortech.xl.dataobj.tcOIU.provision(tcOIU.java:527)
        at com.thortech.xl.dataobj.tcOIU.eventPostInsert(tcOIU.java:306)
        at com.thortech.xl.dataobj.tcDataObj.insert(tcDataObj.java:604)
        at com.thortech.xl.dataobj.tcDataObj.save(tcDataObj.java:474)
        at com.thortech.xl.dataobj.tcTableDataObj.save(tcTableDataObj.java:2906)


Cause:

The remote service's SSL certificate had been renewed and the new certificate was imported into the WebLogic trust keystore; the default (non-JSSE) WebLogic SSL implementation then rejected the certificate presented during the handshake.

Solution:

To resolve the above error, switch WebLogic Server to the JSSE SSL implementation as follows:

1. Modify the startNodeManager.sh file and add
   JAVA_OPTIONS="${JAVA_OPTIONS} -Dweblogic.ssl.JSSEEnabled=true"
2. Modify the setDomainEnv.sh file and add
   JAVA_OPTIONS="${JAVA_OPTIONS} -Dweblogic.ssl.JSSEEnabled=true"

After modifying startNodeManager.sh and setDomainEnv.sh, restart the Node Manager, the Admin Server and the WebLogic managed server. The error is then resolved.

JSSE still validates the peer certificate against the trust keystore the server is configured with, so the issuing CA of the renewed certificate must be present there; enabling JSSE is not a way to skip certificate verification.

Client Side:

If the error occurs in a standalone client that uses the WebLogic JAX-WS stack, set the following JVM system property instead and the error is resolved:

-Dweblogic.security.SSL.enableJSSE=true











Monday, September 15, 2014

Configuring OpenLDAP TLS/SSL

Environment: CentOS 6.5 64-bit

1. Configuring TLS (StartTLS) for OpenLDAP

    The following steps enable TLS in OpenLDAP:

    1.1 Log in as root, or as a sudo user with root privileges

    1.2 Create the ssl directory

          Create an ssl working directory to hold the new Certificate Authority, the server certificate and the server key.
       
      mkdir ssl
      cd ssl

     1.3 Create the new Certificate Authority

     
      Execute the following command to create the new CA:

       /etc/pki/tls/misc/CA -newca
     
      The script prompts for the following:

       a) the CA certificate filename: press Enter to create a new CA key and certificate;
       b) the PEM pass phrase that protects the CA private key, which is stored in /etc/pki/CA/private/ as cakey.pem;
       c) the CA certificate details; the Common Name is the mandatory field.
     
Making CA certificate ...
Generating a 2048 bit RSA private key
................................+++
..................+++
writing new private key to '/etc/pki/CA/private/./cakey.pem'


Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:CA
Locality Name (eg, city) [Default City]:San Francisco
Organization Name (eg, company) [Default Company Ltd]:Example.EDU
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:Example.EDU
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 9263543358417925999 (0x808eb79aa7edf76f)
        Validity
            Not Before: Sep 15 16:35:54 2014 GMT
            Not After : Sep 14 16:35:54 2017 GMT
        Subject:
            countryName               = US
            stateOrProvinceName       = CA
            organizationName          = Example.EDU
            commonName                = Example.EDU
        X509v3 extensions:

            X509v3 Subject Key Identifier:
                10:45:D2:A1:9F:2D:3C:69:8D:86:AD:48:CD:97:3C:97:13:B2:A1:AA
            X509v3 Authority Key Identifier:
                keyid:10:45:D2:A1:9F:2D:3C:69:8D:86:AD:48:CD:97:3C:97:13:B2:A1:AA

            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Sep 14 16:35:54 2017 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated


   1.4 Copy the CA certificate from /etc/pki/CA/newcerts/ to ssl

The CA certificate is stored in /etc/pki/CA/newcerts/ under its serial number with a .pem extension (the same certificate is also written to /etc/pki/CA/cacert.pem). In my example the file is 808EB79AA7EDF76F.pem.

cp /etc/pki/CA/newcerts/808EB79AA7EDF76F.pem exampleca.pem

You can replace exampleca.pem with a name of your own.

  1.5 Creating the Certificate Request

   The following command creates the server key and the certificate request. The Common Name is mandatory and must be the host name clients use to reach the OpenLDAP server, because that is what they compare the certificate against; in my example it is localhost.localdomain.

openssl req -new -nodes -keyout newreq.pem -out newreq.pem


The -nodes argument prevents encryption of the private key. OpenLDAP only works with unencrypted private keys, since slapd cannot prompt for a pass phrase at start-up; the key must therefore be protected by file ownership and permissions instead (step 1.9).


Generating a 2048 bit RSA private key
...............................................................................................................................................+++
.+++
writing new private key to 'newreq.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:CA
Locality Name (eg, city) [Default City]:San Francisco
Organization Name (eg, company) [Default Company Ltd]:Example
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:localhost.localdomain
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:


After executing the above command, newreq.pem in the ssl directory holds both the new private key and the certificate request.


   1.6 Signing the Certificate

Execute the following command to sign the request; the signed certificate is written to the ssl directory as newcert.pem. The CA script signs with the defaults from /etc/pki/tls/openssl.cnf, which on this system means a one-year validity and a SHA-1 signature (see Signature Algorithm in the output below); set default_md = sha256 in that file before signing if your clients reject SHA-1 signatures.

/etc/pki/tls/misc/CA -sign


Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 9263543358417926000 (0x808eb79aa7edf770)
        Validity
            Not Before: Sep 15 16:43:45 2014 GMT
            Not After : Sep 15 16:43:45 2015 GMT
        Subject:
            countryName               = US
            stateOrProvinceName       = CA
            localityName              = San Francisco
            organizationName          = Example
            commonName                = localhost.localdomain
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                83:46:4D:C7:B6:3A:3F:62:3B:87:D5:C4:75:10:18:07:FC:45:5D:9A
            X509v3 Authority Key Identifier:
                keyid:10:45:D2:A1:9F:2D:3C:69:8D:86:AD:48:CD:97:3C:97:13:B2:A1:AA

Certificate is to be certified until Sep 15 16:43:45 2015 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 9263543358417926000 (0x808eb79aa7edf770)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=CA, O=Example.com, CN=Example.EDU
        Validity
            Not Before: Sep 15 16:43:45 2014 GMT
            Not After : Sep 15 16:43:45 2015 GMT
        Subject: C=US, ST=CA, L=San Francisco, O=Example, CN=localhost.localdomain
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c2:20:e8:2b:c3:5c:0d:90:cc:ad:81:3c:34:08:
                    fc:36:d0:ca:6a:0c:06:8c:46:4f:c3:4f:1f:ef:b7:
                    b1:50:42:a7:43:5d:88:73:2f:d2:3e:0a:4e:fe:50:
                    ae:0f:65:26:17:a4:24:cc:4f:1f:5b:72:81:61:fc:
                    ec:32:8e:0f:e5:c3:8e:89:da:87:a7:25:b1:b2:e1:
                    29:db:7e:17:c1:a0:d1:df:80:f1:54:94:2d:30:ef:
                    ab:9f:61:ac:70:24:29:41:7e:a1:31:9f:d4:41:4e:
                    db:23:2e:75:49:b4:c5:e5:92:b2:5f:d9:4b:bd:e3:
                    13:0f:e7:4b:56:a0:bf:70:9b:61:e7:e1:cc:2e:ea:
                    e6:a2:cc:68:ad:83:02:ef:ce:40:31:3f:6a:c4:a0:
                    01:d1:b2:e8:08:a8:a2:93:5f:35:76:56:80:47:3a:
                    4e:65:b3:86:3d:7c:b6:a0:50:66:ca:52:15:7f:f0:
                    4b:41:8e:4d:77:b0:45:ca:f7:ed:ae:c9:a8:26:4e:
                    3d:76:7a:70:f3:ca:ab:2f:89:4c:e3:bb:22:be:24:
                    93:c5:4f:19:c4:a5:3d:99:14:2b:8b:9d:97:57:51:
                    24:c5:d8:88:75:98:fb:d7:35:f7:2c:ab:41:a6:88:
                    40:14:46:c1:2b:88:f7:0c:68:85:97:a8:ad:bb:56:
                    4d:91
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                83:46:4D:C7:B6:3A:3F:62:3B:87:D5:C4:75:10:18:07:FC:45:5D:9A
            X509v3 Authority Key Identifier:
                keyid:10:45:D2:A1:9F:2D:3C:69:8D:86:AD:48:CD:97:3C:97:13:B2:A1:AA

    Signature Algorithm: sha1WithRSAEncryption
         aa:03:f3:dc:bc:20:88:ba:bc:3d:16:06:17:c5:25:a7:87:c8:
         18:96:a8:e0:33:9e:21:3f:ce:a0:54:c8:fd:13:c3:9c:3a:c7:
         1d:d7:0d:b3:8d:a9:64:9f:bf:32:50:59:26:2a:2d:9c:a6:fa:
         f7:67:87:ec:1e:f3:ac:0e:9f:b5:48:47:56:af:93:a5:b7:86:
         bf:9c:63:f7:ab:25:73:d1:8e:55:79:2a:7a:23:16:21:77:28:
         93:ad:a8:64:eb:bc:07:e7:a0:eb:14:69:61:b5:52:a9:2a:47:
         ef:84:9d:c6:5b:1d:c8:bd:8b:b4:61:64:14:88:91:45:68:4f:
         17:61:b1:33:f7:9c:3d:91:a9:31:33:54:ed:9b:7b:13:35:22:
         36:1b:52:23:fe:20:f4:3b:33:74:6f:71:fb:e5:ed:76:28:92:
         00:69:d6:12:03:44:a6:c8:02:ed:72:c1:7e:57:57:0c:58:a2:
         95:a3:db:1c:57:89:b6:92:64:64:4e:f2:2d:d2:8f:95:35:91:
         1b:4c:cd:89:87:44:01:68:2c:91:c9:af:79:69:0b:b1:a2:75:
         a3:15:2f:35:02:a3:26:08:5d:01:6f:6b:8e:d0:f3:36:f7:4f:
         c2:26:d2:a0:7f:ce:cc:36:b1:5a:2a:fb:fb:26:f6:93:c9:87:
         1b:59:fe:c4
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Signed certificate is in newcert.pem

  1.7 Renaming the Certificates

    This step is optional; we rename the files to follow a naming convention. Note that serverkey.pem still contains the certificate request as well as the key, which does not bother slapd.

     mv newcert.pem servercert.pem
     mv newreq.pem serverkey.pem

  1.8 Copy the certificates from ssl to /etc/openldap/certs/


    cp exampleca.pem /etc/openldap/certs/
    cp server* /etc/openldap/certs/

  1.9 Change the ownership from root to ldap

   slapd runs as the ldap user and must be able to read the files. Because the key is unencrypted, also make sure serverkey.pem is readable by that user only (mode 600).

   chown ldap:ldap /etc/openldap/certs/exampleca.pem
   chown ldap:ldap /etc/openldap/certs/server*

  1.10  Include the Server Certificate and Server Key in the cn=config Object (if clients will present their own certificates, also set olcTLSCACertificateFile to the CA file)

ldapmodify -D cn=config -H ldap://localhost.localdomain -W
Enter Password:

dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/servercert.pem

dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/serverkey.pem

   1.11 Modifying the ldap.conf file in /etc/openldap/

    Add the following parameters to ldap.conf so that the command-line clients use TLS.

   SSL ON
   TLS_CACERTDIR   /etc/openldap/certs
   TLS_REQCERT Allow

    Two caveats about these lines. SSL is a nss_ldap/pam_ldap directive, not an OpenLDAP ldap.conf option, so the OpenLDAP client library ignores it; the clients only use TLS when asked to (-Z/-ZZ, or an ldaps:// URI). More importantly, TLS_REQCERT allow tells the client to accept a server certificate it cannot verify, so any host that can intercept the connection may present its own certificate and read the bind password. It is convenient while setting up, but for real use point the client at the CA with TLS_CACERT /etc/openldap/certs/exampleca.pem and set TLS_REQCERT demand; if the -ZZ test in 1.13 then fails, fix the trust anchor rather than lowering the level again.

  1.12 Restart the OpenLdap Server

  /etc/init.d/slapd stop
  /etc/init.d/slapd start


   1.13 Testing the TLS

ldapsearch -H ldap://localhost.localdomain -D cn=Manager,dc=example,dc=edu -b dc=example,dc=edu -s base -W -ZZ
 
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=edu> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

# example.edu
dn: dc=example,dc=edu
objectClass: dcObject
objectClass: organization
o: Example
dc: example

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1
In the above command I used -ZZ: it issues StartTLS and makes the search fail if TLS cannot be negotiated. A single -Z would fall back to a plain connection on failure, which is not what you want when testing the TLS setup.


2. Configuring SSL (ldaps://) for OpenLDAP

      2.1 Modify the /etc/sysconfig/ldap file

       Set the following parameter in /etc/sysconfig/ldap so that slapd also listens on the ldaps:// port (636):

SLAPD_LDAPS=yes

    2.2 Restart the OpenLDAP Server

     Restart the OpenLDAP server for the change to take effect.
     
     /etc/init.d/slapd stop
     /etc/init.d/slapd start

     2.3 Testing the SSL Configuration

ldapsearch -H ldaps://localhost.localdomain -D cn=Manager,dc=example,dc=edu -b dc=example,dc=edu -s base -W
 
Enter LDAP Password:
 
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=edu> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

# example.edu
dn: dc=example,dc=edu
objectClass: dcObject
objectClass: organization
o: Example
dc: example

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
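The checks I would run after steps 1.6 to 1.11, before trusting either listener above, as an added shell example that is not part of the original post: verify_server_cert confirms that servercert.pem chains to exampleca.pem, that serverkey.pem is its private key, that the CN is the server host name and that the unencrypted key is not readable by other users; audit_ldap_conf flags the TLS_REQCERT allow setting, a missing trust anchor, and the ineffective SSL line in ldap.conf. The file names and the /etc/openldap/certs path are the ones used above; the script name check_ldap_tls.sh and the function names are my own, and the permission check assumes GNU stat (CentOS has it).

```shell
#!/bin/sh
# Added example, not from the original post. Checks the certificate files
# produced above and the client ldap.conf before slapd is restarted.
# Assumed names (as in the post): exampleca.pem, servercert.pem, serverkey.pem
# under /etc/openldap/certs, and server host name localhost.localdomain.

# audit_ldap_conf FILE
# Reports settings in an OpenLDAP client config that disable or weaken
# verification of the server certificate. Prints one finding per line and
# returns 1 if the file is unsafe, 0 if it is sound.
audit_ldap_conf() {
    conf="$1"
    rc=0
    # Strip comments; keep the last TLS_REQCERT value, lower-cased
    # (ldap.conf keywords and levels are case-insensitive).
    reqcert=$(sed 's/#.*//' "$conf" |
        awk 'toupper($1)=="TLS_REQCERT"{v=$2} END{print tolower(v)}')
    case "$reqcert" in
        ""|demand|hard) ;;   # unset defaults to demand: verify, fail if invalid
        *) echo "TLS_REQCERT $reqcert: server certificate is not verified, connection can be intercepted; use demand"
           rc=1 ;;
    esac
    # Verification can only succeed if a trust anchor is configured.
    if ! sed 's/#.*//' "$conf" |
        awk 'toupper($1)=="TLS_CACERT"||toupper($1)=="TLS_CACERTDIR"{f=1} END{exit !f}'; then
        echo "no TLS_CACERT/TLS_CACERTDIR: client has no trust anchor for the LDAP server"
        rc=1
    fi
    # "SSL on" is a nss_ldap/pam_ldap keyword; OpenLDAP's libldap ignores it.
    if sed 's/#.*//' "$conf" | awk 'toupper($1)=="SSL"{f=1} END{exit !f}'; then
        echo "note: SSL is not an OpenLDAP ldap.conf directive and has no effect"
    fi
    return $rc
}

# verify_server_cert CA CERT KEY HOSTNAME
# Confirms that CERT chains to CA, that KEY is CERT's private key, that the
# certificate CN is the host name clients will connect to, and that the
# (unencrypted) key is not readable by other users. Returns 1 on any failure.
verify_server_cert() {
    ca="$1"; cert="$2"; key="$3"; host="$4"
    rc=0
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
        { echo "$cert does not chain to $ca"; rc=1; }
    # Same RSA modulus means the key and the certificate belong together
    # (serverkey.pem also holds the CSR; openssl rsa picks the key block).
    cmod=$(openssl x509 -noout -modulus -in "$cert" 2>/dev/null)
    kmod=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null)
    [ -n "$cmod" ] && [ "$cmod" = "$kmod" ] ||
        { echo "$key is not the private key for $cert"; rc=1; }
    # Pull the CN out of "subject= /C=US/.../CN=host" (or the newer "CN = host").
    cn=$(openssl x509 -noout -subject -in "$cert" | sed -n 's/.*CN *= *\([^/,]*\).*/\1/p')
    [ "$cn" = "$host" ] ||
        { echo "certificate CN '$cn' does not match server host name '$host'"; rc=1; }
    case "$(stat -c '%a' "$key")" in
        600|400) ;;
        *) echo "$key is readable by others; chmod 600 it"; rc=1 ;;
    esac
    return $rc
}

# Usage: sh check_ldap_tls.sh /etc/openldap/certs localhost.localdomain
if [ "$#" -ge 2 ]; then
    dir="$1"; host="$2"
    verify_server_cert "$dir/exampleca.pem" "$dir/servercert.pem" "$dir/serverkey.pem" "$host" \
        && echo "certificate files OK"
    audit_ldap_conf /etc/openldap/ldap.conf && echo "ldap.conf OK"
fi
```

Run it as root on the LDAP host after step 1.9; a non-zero exit with the findings printed means the -ZZ test in 1.13 will either fail or, worse, succeed without verifying the server.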


Tuesday, September 9, 2014

ldap_add: Other (e.g., implementation specific) error (80) additional info: olcRefintAttribute : attribute type undefined

Hi

Error:

I got the following error while adding a refint overlay configuration entry to OpenLDAP's cn=config.

ldapadd -D cn=Config -H ldap://localhost -W

dn: olcOverlay=refint,olcDatabase={2}bdb,cn=config
changetype: add
objectClass: olcConfig
objectClass: olcRefIntConfig
objectClass: olcOverlayConfig
objectClass: top
olcRefIntAttribute: memberof member manager owner seeAlos
olcOverlay: refint


ldap_add: Other (e.g., implementation specific) error (80)
    additional info: olcRefintAttribute <seeAlos>: attribute type undefined

Cause:

The attribute seeAlos does not exist in the schema: it is a typo for seeAlso, and slapd refuses an olcRefintAttribute list that names an undefined attribute type.

Solution:

I changed the attribute name from seeAlos to seeAlso and the issue was resolved.
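A pre-check for this class of error, as an added shell example that is not part of the original post: before submitting the overlay entry, compare every name in the olcRefIntAttribute line against the attribute types the server actually has, taken from a dump of the subschema (ldapsearch -x -H ldap://localhost -b cn=Subschema -s base attributeTypes > schema.ldif). It unfolds the wrapped LDIF that ldapsearch prints and compares names case-insensitively, as LDAP does. The script and function names are my own, and the schema lines used in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: check the attribute names in an
# olcRefIntAttribute line against the server's subschema before ldapadd.
# Schema dump assumed to come from:
#   ldapsearch -x -H ldap://localhost -b cn=Subschema -s base attributeTypes > schema.ldif

# unfold_ldif FILE
# ldapsearch folds long values onto continuation lines that start with one
# space; join them back so that every attribute value is on a single line.
unfold_ldif() {
    awk '/^ / { printf "%s", substr($0, 2); next }
         { if (NR > 1) printf "\n"; printf "%s", $0 }
         END { printf "\n" }' "$1"
}

# schema_attr_names
# Reads unfolded attributeTypes values on stdin and prints every defined
# attribute name, lower-cased (LDAP attribute names are case-insensitive).
# A NAME clause is either NAME 'x' or NAME ( 'x' 'y' ); the quoted strings
# that follow it (DESC ...) are not names, so stop at the next keyword.
schema_attr_names() {
    awk -v q="'" 'tolower($0) ~ /^attributetypes:/ {
            s = $0
            i = index(s, "NAME")
            if (i == 0) next
            s = substr(s, i + 4)
            while (match(s, q "[^" q "]*" q)) {
                print tolower(substr(s, RSTART + 1, RLENGTH - 2))
                s = substr(s, RSTART + RLENGTH)
                if (s ~ /^[ \t]*[)]?[ \t]*(DESC|OBSOLETE|SUP|EQUALITY|ORDERING|SUBSTR|SYNTAX|SINGLE-VALUE|COLLECTIVE|NO-USER-MODIFICATION|USAGE|X-)/) break
            }
         }' | sort -u
}

# check_refint_attrs LDIF SCHEMA
# LDIF holds the overlay entry to add; SCHEMA is the attributeTypes dump.
# Prints each olcRefIntAttribute value the schema does not define and
# returns 1 if there is one, 0 when every name exists.
check_refint_attrs() {
    ldif="$1"; schema="$2"; rc=0
    names=$(unfold_ldif "$schema" | schema_attr_names)
    for a in $(unfold_ldif "$ldif" |
               awk 'tolower($1) == "olcrefintattribute:" { for (i = 2; i <= NF; i++) print tolower($i) }'); do
        echo "$names" | grep -qx -- "$a" ||
            { echo "undefined attribute type: $a"; rc=1; }
    done
    return $rc
}

# Usage: sh check_refint.sh refint.ldif schema.ldif
if [ "$#" -eq 2 ]; then
    check_refint_attrs "$1" "$2" && echo "all olcRefIntAttribute names are defined"
fi
```

The same comparison applies to any cn=config attribute that lists attribute types (olcMemberOfMemberAD, olcUniqueURI and the like); only the awk field test on the attribute name needs changing.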


Tuesday, July 29, 2014

OIM Account Restore User Status From Deleted to Active

Restoring a Deleted Account in OIM


When you delete a user from Oracle Identity Manager, the user is not physically removed from the system; the status changes from Active to Deleted, and the user's resources are revoked from the target systems.


I needed to reactivate a deleted user in Oracle Identity Manager, as follows:

1. Connect to the OIM database as the OIM schema user. This bypasses the OIM API, so take a backup of the user's USR row first and keep in mind that the change is not recorded by OIM's event handlers or audit trail.

2. Execute the following SQL to update the user status:

UPDATE USR SET USR_STATUS = 'Active' WHERE usr_login='login id'

Replace login id with the user's login ID. Run a SELECT on USR with the same WHERE clause first so that exactly one row is affected, and commit the transaction afterwards.

3. Log in to the OIM Admin Console and verify that the user status has changed from Deleted to Active.

4. Re-provision the user's resources.

Thursday, July 24, 2014

Building the OIM metadata for a database incremental reconciliation ICF connector

Pre-Requisite


Incremental target reconciliation can be built in OIM with either the SearchReconTask or the SyncReconTask. To build incremental reconciliation, the following components need to be modified or developed:

Incremental Reconciliation for the Database ICF SearchReconTask

1. Lookup.dbicf.Configuration


Add Recon Date Format as a lookup code; its decode must be a valid Java date format, for example:

Recon Date Format  - yyyy/MM/dd HH:mm:ss

2. DataBaseIdentityFilter Class

Override the createGreaterThanExpression and createAndExpression methods to implement the incremental reconciliation filter (the framework turns the Latest Token into a "date attribute > token" filter):


@Override
protected String createGreaterThanExpression(GreaterThanFilter filter, boolean not) {
    String operation = "createGreaterThanExpression - ";
    logger.ok(operation + " Started");
    String query = null;
    // A negated "greater than" is not supported by this translator; returning
    // null tells the ICF framework that the filter could not be translated.
    if (not) {
        return query;
    }

    Attribute attr = filter.getAttribute();
    if (attr == null || attr.getValue() == null || attr.getValue().isEmpty()) {
        return query;
    }

    String name = filter.getName();
    Object val = attr.getValue().get(0);
    if (DataBaseIdentityUtil.isEmpty(val)) {
        throw new ConnectorException("The filter value can not be empty");
    }
    String strValue = DataBaseIdentityUtil.getString(val);

    if (name.equalsIgnoreCase("updateDate")) {
        // The Latest Token handed back by OIM is the epoch time in milliseconds;
        // convert it to the database date format configured for the connector.
        String dateValue = DataBaseIdentityUtil.convertDateToString(new Date(Long.parseLong(strValue)));
        query = "T." + name + " > FUNC('TO_DATE','" + dateValue + "','" + DataBaseIdentityConstants.DB_DATE_FORMAT + "')";
    } else {
        // The value is concatenated straight into the query. It comes from the
        // scheduled task's Latest Token, not from end users, but it must still be
        // restricted to the attribute names and value formats the connector expects
        // (or bound as a query parameter) before any other input can reach here.
        query = "T." + name + " > '" + strValue + "'";
    }

    logger.ok(operation + " Final Filter " + query);
    logger.ok(operation + " Ended ");
    return query;
}

@Override
protected String createAndExpression(String leftExpression, String rightExpression) {
    return leftExpression + " AND " + rightExpression;
}
 

3. Schedule Task Reconciliation Metadata

Add the Scheduled Task Name parameter to the scheduled task reconciliation metadata file. After adding the parameter the file looks as follows:

<?xml version = '1.0' encoding = 'UTF-8'?>
<xl-ddm-data version="2.0.1.0" user="XELSYSADM" database="jdbc:oracle:thin:@localhost:5524/estView.regress.rdbms.dev.us.oracle.com" exported-date="1307546406635" description="FF">
<scheduledTask repo-type="MDS" name="DataBaseICFConnectorReconciliation" mds-path="/db" mds-file="DataBaseICFConnectorReconciliation.xml">
    <completeXml>
        <scheduledTasks xmlns="http://xmlns.oracle.com/oim/scheduler">
            <task>
            <name>DataBaseICFConnectorReconciliation</name>
            <class>oracle.iam.connectors.icfcommon.recon.SearchReconTask</class>
            <description>DataBaseICFConnectorReconciliation</description>
            <retry>0</retry>
            <parameters>
              <string-param required="false" encrypted="false" helpText="Filter">Filter</string-param>
              <string-param required="false" encrypted="false" helpText="Incremental Recon Date Attribute">Incremental Recon Date Attribute</string-param>
              <string-param required="false" encrypted="false" helpText="IT Resource Name">IT Resource Name</string-param>
              <string-param required="false" encrypted="false" helpText="Object Type">Object Type</string-param>
              <string-param required="false" encrypted="false" helpText="Latest Token">Latest Token</string-param>
              <string-param required="false" encrypted="false" helpText="Resource Object Name">Resource Object Name</string-param>
              <string-param required="false" encrypted="false" helpText="Scheduled Task Name">Scheduled Task Name</string-param>
           </parameters>
          </task>
        </scheduledTasks>
    </completeXml>
</scheduledTask>
</xl-ddm-data>

The newly added parameter is the Scheduled Task Name entry, the last one in the parameters list.

4. Import Schedule Task Reconciliation Metadata

Re-import the scheduled task reconciliation metadata into the OIM repository as follows:

Log in to the OIM Console --> Advanced --> Import Deployment Manager File --> select the scheduled task file --> Add File --> Import. This imports the XML file into the OIM repository.

5. DataBaseIdentityConnector Class

In the executeQuery method, include the attribute named by Incremental Recon Date Attribute as a Long value in the ConnectorObject's attributes; the framework reads it from each returned object to compute the next Latest Token. The sample code is given below.


public void executeQuery(ObjectClass objectClass, String filter, ResultsHandler handler, OperationOptions operations) {
    logger.ok("executeQuery Started");
    logger.ok("executeQuery filter " + filter);

    // Attributes OIM asked for; ATTRS_TO_GET is absent when the caller did not set it.
    List<String> returnAttrs = new ArrayList<String>();
    if (operations != null && operations.getAttributesToGet() != null) {
        for (String attr : operations.getAttributesToGet()) {
            logger.ok("executeQuery Attributes " + attr);
            returnAttrs.add(attr);
        }
    }

    List<UserProfile> profiles = userProfileDao.findByUsersCriteria(filter);
    logger.ok("executeQuery Result " + profiles);
    if (profiles != null && !profiles.isEmpty()) {
        for (UserProfile userProfile : profiles) {
            // Incremental reconciliation needs the date attribute named by
            // "Incremental Recon Date Attribute" on every returned object, as a Long,
            // so that the framework can compute the next Latest Token from it.
            ConnectorObject conobj;
            if (returnAttrs.contains(DataBaseIdentityConstants.LAST_UPDATE)) {
                conobj = DataBaseIdentityUtil.convertMapToConnectorObject(userProfile, DataBaseIdentityConstants.LAST_UPDATE);
            } else if (returnAttrs.contains(DataBaseIdentityConstants.CREATE_DATE)) {
                conobj = DataBaseIdentityUtil.convertMapToConnectorObject(userProfile, DataBaseIdentityConstants.CREATE_DATE);
            } else {
                conobj = DataBaseIdentityUtil.convertMapToConnectorObject(userProfile);
            }
            logger.ok("executeQuery Attributes Objects  " + conobj.getAttributes());
            // The handler returns false when the framework wants no more results.
            if (!handler.handle(conobj)) {
                break;
            }
        }
    }
    logger.ok("executeQuery Ended");
}

DataBaseIdentityUtil class

public static ConnectorObject convertMapToConnectorObject(UserProfile userProfile, String updateFieldName)
{
    ConnectorObjectBuilder userObjBuilder = new ConnectorObjectBuilder();

    // Normalise the target status to the Enabled/Disabled values the OIM recon mapping expects
    String status = userProfile.getStatus();
    if (!isEmpty(status) && status.equalsIgnoreCase(DataBaseIdentityConstants.STATUS_ENABLED))
    {
        userObjBuilder.addAttribute(DataBaseIdentityConstants.STATUS, DataBaseIdentityConstants.STATUS_ENABLED);
    }
    else
    {
        userObjBuilder.addAttribute(DataBaseIdentityConstants.STATUS, DataBaseIdentityConstants.STATUS_DISABLED);
    }

    userObjBuilder.addAttribute(DataBaseIdentityConstants.FIRST_NAME, userProfile.getFirstName());
    userObjBuilder.addAttribute(DataBaseIdentityConstants.LAST_NAME, userProfile.getLastName());
    userObjBuilder.addAttribute(DataBaseIdentityConstants.MIDDLE_NAME, userProfile.getMiddleName());
    userObjBuilder.addAttribute(DataBaseIdentityConstants.USER_LOGIN, userProfile.getUserLogin());
    // The database id is used as both __UID__ and __NAME__
    userObjBuilder.setUid(Long.toString(userProfile.getId()));
    userObjBuilder.setName(Long.toString(userProfile.getId()));

    // Incremental recon: add the requested date column as epoch milliseconds (a Long) so OIM
    // can store it as the Latest Token and pass it back in a greaterThan filter next run
    if (updateFieldName != null)
    {
        if (updateFieldName.equalsIgnoreCase("updateDate"))
        {
            if (userProfile.getUpdateDate() != null)
            {
                userObjBuilder.addAttribute(updateFieldName, userProfile.getUpdateDate().getTime());
            }
        }
        else if (updateFieldName.equalsIgnoreCase("createDate"))
        {
            if (userProfile.getCreateDate() != null)
            {
                userObjBuilder.addAttribute(updateFieldName, userProfile.getCreateDate().getTime());
            }
        }
    }
    logger.ok("Final Object Data " + userObjBuilder.toString());
    ConnectorObject conobj = userObjBuilder.build();
    logger.ok("Final Object Data " + conobj.getAttributes());
    return conobj;
}


6. Re-Deploy the ICF Jar

Build the Jar File

Execute the following command to build and generate the dbconnector-demo-1.0.jar.

gradle build

Deploy the Jar File

1. Login to the OIM Server.
2. Go to the DOMAIN_HOME/bin directory and run source ./setDomainEnv.sh; this sets the classpath.
3. Go to the OIM_HOME/server/bin directory and execute:

UploadJars.sh [-username <username>] [-password <password>] [-serverURL <t3://oimhostname:oimportno>] [-ctxFactory <weblogic.jndi.WLInitialContextFactory>] [-ICFBundle <Location of the ICF Bundle Jar>]

It will deploy the ICF bundle into the OIM repository. If -password is omitted the script prompts for it, which keeps the password out of the shell history and the process list.

7. Restart the OIM Server

Login to the OIM Server, go to the $DOMAIN_HOME/bin directory and execute the following scripts:

./stopManagedWebLogic.sh oim_server1 t3://weblogicadminhost:port
./startManagedWebLogic.sh oim_server1 t3://weblogicadminhost:port


8. Re-Create the Schedule Task

Delete Schedule Task Name

Login to the OIM Admin Console --> Advanced --> System Management --> Search Scheduled Jobs --> enter the scheduled job name. After searching, select the job name in the list and click the X icon. It will delete the scheduled job.

Create the Schedule Task Name

Login to the OIM Admin Console --> Advanced --> System Management --> Actions --> Create --> select the Task Name from the Task list and enter the Schedule Job Name. Select No Predefined Schedule for testing (a periodic schedule can be configured later), then enter the Incremental Recon Date Attribute, IT Resource Name, Object Type, Latest Token, Resource Object Name, and Scheduled Task Name. The Job Name and Scheduled Task Name must be the same, because the task updates the Latest Token value based on the Scheduled Task Name value. The example configuration is given below.


If you specify both the Filter and the Incremental Recon Date Attribute in the configuration, the task searches users by the filter and by the incremental recon date attribute. In the connector's filter translator this invokes createGreaterThanExpression, createEqualsExpression, and createAndExpression.
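The following is an added example, not code from the post's connector, of how the database connector's filter translator could turn those three ICF callbacks into a parameterised SQL WHERE fragment so that filter values are bound rather than concatenated. The class name DbFilterTranslator, the WhereClause holder and the column names are assumptions.

```java
import java.sql.Timestamp;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.identityconnectors.framework.common.objects.Attribute;
import org.identityconnectors.framework.common.objects.AttributeUtil;
import org.identityconnectors.framework.common.objects.filter.AbstractFilterTranslator;
import org.identityconnectors.framework.common.objects.filter.EqualsFilter;
import org.identityconnectors.framework.common.objects.filter.GreaterThanFilter;

/** SQL fragment plus its bind values; the fragment itself never contains a user-supplied value. (Assumed name.) */
final class WhereClause {
    final String sql;
    final List<Object> params;

    WhereClause(String sql, List<Object> params) {
        this.sql = sql;
        this.params = params;
    }
}

/** Translates the ICF filters built from the Filter and Incremental Recon Date Attribute job parameters. */
public class DbFilterTranslator extends AbstractFilterTranslator<WhereClause> {

    // Allow-list of ICF attribute name -> table column, so a filter can never reference an arbitrary column
    private static final Map<String, String> COLUMNS = new HashMap<String, String>();
    static {
        COLUMNS.put("userLogin", "USER_LOGIN");
        COLUMNS.put("firstName", "FIRST_NAME");
        COLUMNS.put("lastName", "LAST_NAME");
        COLUMNS.put("middleName", "MIDDLE_NAME");
        COLUMNS.put("status", "STATUS");
        COLUMNS.put("updateDate", "UPDATE_DATE"); // Incremental Recon Date Attribute candidates
        COLUMNS.put("createDate", "CREATE_DATE");
    }

    private static String column(Attribute attr) {
        String col = COLUMNS.get(attr.getName());
        if (col == null) {
            throw new IllegalArgumentException("Unsupported filter attribute: " + attr.getName());
        }
        return col;
    }

    // Produced by a job Filter such as equalTo('userLogin','Login')
    @Override
    protected WhereClause createEqualsExpression(EqualsFilter filter, boolean not) {
        Attribute attr = filter.getAttribute();
        String op = not ? "<>" : "=";
        return new WhereClause(column(attr) + " " + op + " ?",
                Collections.singletonList(AttributeUtil.getSingleValue(attr)));
    }

    // Added by SearchReconTask when Incremental Recon Date Attribute and Latest Token are set.
    // The token is the Long epoch value the connector returned, so convert it back to a timestamp.
    @Override
    protected WhereClause createGreaterThanExpression(GreaterThanFilter filter, boolean not) {
        Attribute attr = filter.getAttribute();
        Object value = AttributeUtil.getSingleValue(attr);
        if (value instanceof Long) {
            value = new Timestamp((Long) value);
        }
        String op = not ? "<=" : ">";
        return new WhereClause(column(attr) + " " + op + " ?", Collections.singletonList(value));
    }

    // Combines the user filter with the date condition; bind values are kept in order
    @Override
    protected WhereClause createAndExpression(WhereClause left, WhereClause right) {
        List<Object> params = new ArrayList<Object>(left.params);
        params.addAll(right.params);
        return new WhereClause("(" + left.sql + " AND " + right.sql + ")", params);
    }
}
```

The DAO's findByUsersCriteria would then append the returned sql to its SELECT and bind each entry of params positionally on a PreparedStatement.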







Incremental Reconciliation for Database ICF SyncReconTask

1. Creating the Scheduler Task Metadata


<?xml version = '1.0' encoding = 'UTF-8'?>
<xl-ddm-data version="2.0.1.0" user="XELSYSADM" database="jdbc:oracle:thin:@localhost:5524/estView.regress.rdbms.dev.us.oracle.com" exported-date="1307546406635" description="FF">
<scheduledTask repo-type="MDS" name="DataBaseICFConnectorSyncReconciliation" mds-path="/db" mds-file="DataBaseICFConnectorSyncReconciliation.xml">
    <completeXml>
        <scheduledTasks xmlns="http://xmlns.oracle.com/oim/scheduler">
            <task>
            <name>DataBaseICFConnectorSyncReconciliation</name>
            <class>oracle.iam.connectors.icfcommon.recon.SyncReconTask</class>
            <description>DataBaseICFConnectorSyncReconciliation</description>
            <retry>0</retry>
            <parameters>
              <string-param required="false" encrypted="false" helpText="IT Resource Name">IT Resource Name</string-param>
              <string-param required="false" encrypted="false" helpText="Object Type">Object Type</string-param>
              <string-param required="false" encrypted="false" helpText="Sync Token">Sync Token</string-param>
              <string-param required="false" encrypted="false" helpText="Resource Object Name">Resource Object Name</string-param>
              <string-param required="false" encrypted="false" helpText="Scheduled Task Name">Scheduled Task Name</string-param>
            </parameters>
          </task>
        </scheduledTasks>
    </completeXml>
</scheduledTask>
</xl-ddm-data>

2. Import Schedule Task Reconciliation Metadata

Import the Schedule Task Reconciliation Metadata into the OIM repository as follows:

Login to the OIM Console --> Advanced --> Import Deployment Manager File --> Select the Scheduler Task File --> Add File --> Import. It will import the XML file into the OIM repository.


3. Restart the OIM Server

Login to the OIM Server, go to the $DOMAIN_HOME/bin directory and execute the following scripts:

./stopManagedWebLogic.sh oim_server1 t3://weblogicadminhost:port
./startManagedWebLogic.sh oim_server1 t3://weblogicadminhost:port


4. Create the Schedule Task


Create the Schedule Task Name

Login to the OIM Admin Console --> Advanced --> System Management --> Actions --> Create --> select the Task Name from the Task list and enter the Schedule Job Name. Select No Predefined Schedule for testing (a periodic schedule can be configured later), then enter the IT Resource Name, Object Type, Resource Object Name, and Scheduled Task Name. The Job Name and Scheduled Task Name must be the same, because the task updates the Sync Token value based on the Scheduled Task Name value. The example configuration is given below.



The Sync Token value is updated after the scheduled task runs.

Tuesday, July 22, 2014

How to develop and deploy custom Identity connector framework (ICF) Connector in OIM

Developing a custom connector with the Identity Connector Framework (ICF) consists of three parts. They are


1. Connector Development

A Java connector component that implements the ICF interfaces for provisioning, de-provisioning, and reconciliation.

2. Building the OIM metadata for User Provisioning

Building the OIM metadata for user provisioning, updating user attributes, enabling and disabling the user, and de-provisioning the user.

3. Building the OIM metadata for Reconciliation

Building the metadata for target reconciliation.

Building the OIM metadata for the database reconciliation ICF connector

The following components are required to build the ICF connector reconciliation (target reconciliation). They are

1. Reconciliation Lookup Configuration
2. Resource Object Reconciliation Fields
3. Resource Object Reconciliation Action Rules
4. Process Definition Reconciliation Field Mappings
5. Reconciliation Rules
6. Creating Reconciliation Profiles
7. Importing the Schedule Task Reconciliation Metadata to OIM Repository.
8. Create the OIM Schedule Job
9. Restart the OIM Server
10. Run the Reconciliation Schedule Task



1. Reconciliation Lookup Configuration

The Lookup.dbcf.UM.ReconAttrMap component maps the target resource schema to the OIM ICF connector Resource Object reconciliation fields. The lookup Code is the Resource Object reconciliation field name and the Decode is the target resource schema attribute.

1. Unique ID=__UID__
2. User Login=userLogin
3. First Name=firstName
4. Last Name=lastName
5. Middle Name=middleName
6. Status=status

2. Resource Object Reconciliation Fields

This component is required to create the OIM ICF connector process form field label names and their data types for the reconciliation mapping. We also define the IT Resource object and the Object Status mapping. They are

1. Unique ID = string
2. User Login = string
3. First Name = string
4. Last Name = string
5. Middle Name = string
6. Status = string
7. IT Resource Key = number


For a reconciliation request, OIM builds the reconciliation object from the target data and adds the Status and IT Resource Key to the request. The Status value must be Enabled or Disabled for the target reconciliation mapping; if the target uses other values, you need to write User Transformation For Recon Java code.

Create the reconciliation fields as follows:

Login to the Design Console --> Resource Management --> Object Reconciliation --> Reconciliation Fields --> Add Field. It will display the following screen.



Enter Unique ID as the Field Name and string as the Field Type. Click the Save and Close button. It will create the reconciliation field.

Repeat these steps for the remaining fields.


3. Resource Object Reconciliation Action Rules

This component is required for linking the associated OIM user based on the reconciliation rules. The following reconciliation action rules need to be created:

Rule Condition - Action

1. No Matches Found  = None
2. One Entity Match Found = Establish Link
3. One Process Match Found = Establish Link


Create the reconciliation action rules as follows:

Login to the Design Console --> Resource Management --> Object Reconciliation --> Reconciliation Action Rules --> Add. It will display the following screen.



Select No Matches Found as the Rule Condition and None as the Rule Action. Repeat these steps to create the remaining reconciliation action rules.


4. Process Definition Reconciliation Field Mappings

This component is required to populate the data from the target resource into the OIM connector process form so the reconciliation rules can be evaluated. The following fields need to be mapped:

Resource Reconciliation Field  - Process Form Column Name
1. Unique ID = UD_DBICF_USR_UNIQUE_ID
2. User Login = UD_DBICF_USR_LOGIN
3. First Name = UD_DBICF_USR_FIRST_NAME
4. Last Name = UD_DBICF_USR_LAST_NAME
5. Middle Name = UD_DBICF_USR_MIDDLE_NAME
6. Status = OIM_OBJECT_STATUS
7. IT Resource Key = UD_DBICF_USR_SERVER

Replace the Process Form Column Name with your own process form column name. The Status field always maps to OIM_OBJECT_STATUS.


Create the Process Definition Reconciliation Field Mappings as follows:

Login to the Design Console --> Process Definition --> Search Process Definition --> Select the Process Definition in the Process Definition table --> Reconciliation Field Mappings --> Add Field Map. It will display the following screen.




Select Unique ID as the Field Name and UD_DBICF_USR_UNIQUE_ID as the Process Data Field. Click the Save and Close icon and it will create the reconciliation field mapping. Repeat these steps for the remaining fields.

Configuring the Reconciliation Key Field

This configuration is required to maintain uniqueness during reconciliation. The configuration is as follows:



5. Reconciliation Rules

This component is required to evaluate the OIM data against the reconciled target data and link the OIM user to the target user.

OIM User  -  Target User

1. User Login  = User Login.


Create the reconciliation rule as follows:

Login to the Design Console --> Development Tools --> Reconciliation Rules. It will display the following screen.





Enter the Name, select the Object and enter the Description. Click Save and it will display the following screen.




Click Add Rule Element and it will display the following screen.


Select User Login as the User Profile Data, Equals as the Operator and User Login as the Attribute, then click the Save and Close button. It will create the reconciliation rule. Replace User Profile Data, Operator, and Attribute according to your requirement.


After configuration the reconciliation rule looks like this:



Select the Active check box and click the Save icon. It will activate the reconciliation rule.


6. Creating Reconciliation Profiles

This component is required to create the reconciliation profile in the OIM repository.

Create the reconciliation profile as follows:

Login to the Design Console --> Resource Management --> Object Reconciliation --> Create Reconciliation Profile. It will create the reconciliation profile.

7. Importing the Schedule Task Reconciliation Metadata to OIM Repository.

This component is required to reconcile the users from the target system.

The following XML needs to be imported to create the scheduled task:



<?xml version = '1.0' encoding = 'UTF-8'?>
<xl-ddm-data version="2.0.1.0" user="XELSYSADM" database="jdbc:oracle:thin:@localhost:5524/estView.regress.rdbms.dev.us.oracle.com" exported-date="1307546406635" description="FF">
<scheduledTask repo-type="MDS" name="DataBaseICFConnectorReconciliation" mds-path="/db" mds-file="DataBaseICFConnectorReconciliation.xml">
    <completeXml>
        <scheduledTasks xmlns="http://xmlns.oracle.com/oim/scheduler">
            <task>
            <name>DataBaseICFConnectorReconciliation</name>
            <class>oracle.iam.connectors.icfcommon.recon.SearchReconTask</class>
            <description>DataBaseICFConnectorReconciliation</description>
            <retry>0</retry>
            <parameters>
              <string-param required="false" encrypted="false" helpText="Filter">Filter</string-param>
              <string-param required="false" encrypted="false" helpText="Incremental Recon Date Attribute">Incremental Recon Date Attribute</string-param>
              <string-param required="false" encrypted="false" helpText="IT Resource Name">IT Resource Name</string-param>
              <string-param required="false" encrypted="false" helpText="Object Type">Object Type</string-param>
              <string-param required="false" encrypted="false" helpText="Latest Token">Latest Token</string-param>
              <string-param required="false" encrypted="false" helpText="Resource Object Name">Resource Object Name</string-param>
            </parameters>
          </task>
        </scheduledTasks>
    </completeXml>
</scheduledTask>
</xl-ddm-data>



Login to the OIM Console --> Advanced --> Import Deployment Manager File --> Select the Scheduler Task File --> Add File --> Import. It will import the XML file into the OIM repository.

8. Create the OIM Schedule Job

This component is required to create the scheduled job that reconciles users from the target system into OIM.

Login to the OIM Console --> Advanced --> System Management --> Actions --> Create. It will display the following screen.



Enter the Job Name and select DataBaseICFConnectorReconciliation from the Task list. After selecting the Task Name it will show the following scheduled task parameters:

1. Filter
2. Incremental Recon Date Attribute
3. IT Resource Name
4. Object Type
5. Latest Token
6. Resource Object Name

Enter equalTo('userLogin','Login') as the Filter, <IT Resource Name> as the IT Resource Name, User as the Object Type, and Database ICF User as the Resource Object Name. Replace the Filter, IT Resource Name and Resource Object Name according to your naming convention.


9. Restart the OIM Server

Login to the OIM Server, go to the $DOMAIN_HOME/bin directory and execute the following scripts:

./stopManagedWebLogic.sh oim_server1 t3://weblogicadminhost:port
./startManagedWebLogic.sh oim_server1 t3://weblogicadminhost:port

10. Run the Reconciliation Schedule Task

After the scheduled job runs, it fetches the data from the target resource and creates a reconciliation event. If the reconciliation rule matches, it associates the owner with the target account.




Monday, July 21, 2014

Testing the ICF Connector User Provisioning in OIM Admin Console

Creating the IT Resource

Login to the OIM Admin Console --> Advanced --> Create IT Resource --> enter Application Data Base User as the IT Resource Name and select Data Base ICF Connector as the IT Resource Type --> Continue --> enter oracle.jdbc.driver.OracleDriver as the driver, jdbc:oracle:thin:@localhost:1521:orcl as the url, scott as the userName, your password as the password, and remote as the environment --> click Continue with the default values until the Finish button appears. Click Finish and it will create the IT Resource.

Creating the Data Source

We need to create the data source on the OIM server. Go to the WebLogic Admin Console --> Services --> Data Sources --> New --> enter mydatasource as the JNDI Name and select Oracle as the Database Type --> Next --> select the Database Driver --> Next --> Next --> enter the Database Name, Host Name, Port, Database User Name, Password and Confirm Password --> Next --> Next --> select oim_server1 as the Server --> Finish. It will create the data source.

Restart the OIM Server

Login to the OIM Server machine, go to the DOMAIN_HOME/bin directory and execute the following commands to restart the WebLogic managed server:

./stopManagedWebLogic.sh oim_server1 <OIM Admin Url>

./startManagedWebLogic.sh oim_server1 <OIM Admin Url>

Testing the Connector Provisioning Operation

Login to the OIM Admin Console --> Search User --> enter the user you want to search --> click the user in the search list --> click the Resources tab --> Add --> select Database ICF User as the Resource --> Continue --> Continue --> it will initiate the provisioning. You will see the resource in the Resources tab with the status Provisioning.

Click Open Form and select the Data Base Server from the IT Resource list --> click Save. It will provision the user to the target system and the status changes from Provisioning to Provisioned.


Friday, July 18, 2014

Building the OIM metadata for the database ICF connector

The following tasks need to be performed to create the OIM metadata for provisioning and reconciliation. They are

  • Provisioning

The following components are required to build user provisioning. They are

1. IT Resource Type Definition
2. Connector Lookup Configuration
3. Pre-Populate Adapters 
4. Process Form Definition
5. Process Task Adapters
6. Resource Object
7. Process Definition


1. IT Resource Type Definition

This component is required to establish communication from Oracle Identity Manager to the target resource. In our example the target resource is the Data Base Identity Connector. Create the IT Resource Type Definition as follows.

Login to the Design Console --> Resource Management --> IT Resource Type Definition. Enter the Server Type, select the Insert Multiple check box and click Save. It will create the IT Resource Type Definition as Database ICF Connector.

IT Resource Type Parameters:

The IT Resource Type parameters are the properties of the DataBaseIdentityConfig class annotated with @ConfigurationProperty. Those properties should be added in the IT Resource Parameter section, and you also need to add the additional parameter Configuration Lookup for configuring the connector info such as Connector Class, Connector Bundle, Connector Provisioning Attribute Mapping, etc. Mark the password parameter as Encrypted so it is stored encrypted in the OIM repository.

The IT Resource Type Parameters are

1. driver
2. url
3. userName
4. password
5. environment
6. Configuration Lookup.

The example screen shot is given below.
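As an added example that is not the post's own code, a DataBaseIdentityConfig class could declare these five parameters like this; the message keys, the validate() checks and the openConnection() helper are assumptions.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Properties;

import org.identityconnectors.common.StringUtil;
import org.identityconnectors.common.security.GuardedString;
import org.identityconnectors.framework.common.exceptions.ConfigurationException;
import org.identityconnectors.framework.common.exceptions.ConnectorException;
import org.identityconnectors.framework.spi.AbstractConfiguration;
import org.identityconnectors.framework.spi.ConfigurationProperty;

/**
 * The @ConfigurationProperty getters become the IT Resource Type parameters driver, url,
 * userName, password and environment. The sixth parameter, Configuration Lookup, is
 * added only in OIM and has no property here.
 */
public class DataBaseIdentityConfig extends AbstractConfiguration {

    private String driver;
    private String url;
    private String userName;
    private GuardedString password; // never a plain String: the secret stays guarded in memory
    private String environment;

    @ConfigurationProperty(order = 1, required = true,
            displayMessageKey = "driver.display", helpMessageKey = "driver.help")
    public String getDriver() { return driver; }
    public void setDriver(String driver) { this.driver = driver; }

    @ConfigurationProperty(order = 2, required = true,
            displayMessageKey = "url.display", helpMessageKey = "url.help")
    public String getUrl() { return url; }
    public void setUrl(String url) { this.url = url; }

    @ConfigurationProperty(order = 3, required = true,
            displayMessageKey = "userName.display", helpMessageKey = "userName.help")
    public String getUserName() { return userName; }
    public void setUserName(String userName) { this.userName = userName; }

    // confidential = true pairs with the Encrypted flag on the IT Resource parameter, so the
    // value is stored encrypted in OIM and handed to the bundle as a GuardedString.
    @ConfigurationProperty(order = 4, required = true, confidential = true,
            displayMessageKey = "password.display", helpMessageKey = "password.help")
    public GuardedString getPassword() { return password; }
    public void setPassword(GuardedString password) { this.password = password; }

    @ConfigurationProperty(order = 5,
            displayMessageKey = "environment.display", helpMessageKey = "environment.help")
    public String getEnvironment() { return environment; }
    public void setEnvironment(String environment) { this.environment = environment; }

    /** Called by the framework before the connector is initialised; fail fast on bad input. */
    @Override
    public void validate() {
        if (StringUtil.isBlank(driver)) throw new ConfigurationException("driver is required");
        if (StringUtil.isBlank(url) || !url.startsWith("jdbc:")) {
            throw new ConfigurationException("url must be a JDBC URL");
        }
        if (StringUtil.isBlank(userName)) throw new ConfigurationException("userName is required");
        if (password == null) throw new ConfigurationException("password is required");
    }

    /**
     * Assumed helper: unwraps the password only for the connect call. The framework zeroes the
     * char[] after the accessor returns; the String copy the JDBC driver needs is dropped right after.
     */
    public Connection openConnection() {
        final Properties props = new Properties();
        props.setProperty("user", userName);
        password.access(new GuardedString.Accessor() {
            public void access(char[] clearChars) {
                props.setProperty("password", new String(clearChars));
            }
        });
        try {
            Class.forName(driver);
            return DriverManager.getConnection(url, props);
        } catch (ClassNotFoundException e) {
            throw new ConfigurationException("JDBC driver not found: " + driver, e);
        } catch (SQLException e) {
            throw new ConnectorException("Cannot connect to " + url, e);
        } finally {
            props.remove("password");
        }
    }
}
```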






2. Connector Lookup Configuration

This component is required to maintain the connector configuration for user provisioning and reconciliation. The following lookups need to be configured:

2.1 Lookup.dbicf.Configuration

This component is required to configure the connector bundle information and the user provisioning and reconciliation lookup info. The lookup parameters are as follows:

1. Bundle Version
2. Bundle Name
3. Connector Name
4. User Configuration Lookup.

The Bundle Version and Bundle Name are available in the META-INF/MANIFEST.MF file of the Data Base Connector ICF JAR. The Connector Name is the fully qualified name of the Data Base Identity Connector class; in our example edu.sfsu.identity.dbconnector.DatabaseIdentityConnector. The mapping should be as follows:

Bundle Version = ConnectorBundle-Version
Bundle Name= ConnectorBundle-Name
Connector Name = Connector Class Name with package
User Configuration Lookup=Lookup.dbcf.UM.Configuration
 
The sample values are given below in the screen shot.




2.2 Lookup.dbcf.UM.Configuration

This component is required to configure the provisioning and reconciliation lookup details. The configuration lookup parameters are as follows:

1. User Validation For Prov = false
2. Provisioning Attribute Map =  Lookup.dbcf.UM.ProvAttrMap
3. User Transformation For Recon = false
4. User Validation For Recon = false
5. Recon Attribute Map = Lookup.dbcf.UM.ReconAttrMap

Parameter 2, Provisioning Attribute Map, contains the mapping between process form field labels and the target resource schema.

The configuration details are given below as a screen shot.






2.3. Lookup.dbcf.UM.ProvAttrMap

This component maps the process form field labels to the target resource schema for provisioning. The mapping details are as follows:

1. Unique ID = __UID__
2. User Login = userLogin
3. User Password = password
4. First Name= firstName
5. Last Name = lastName
6. Middle Name= middleName

The configuration details are given below as a screen shot.




3. Pre-Populate Adapter

This component is required to transfer values from the Oracle Identity Manager user data to the process form after user provisioning is initiated. The pre-populate creation process is as follows:

3.1. Create Pre-populate Adapter
3.2. Create Adapter Variable
3.3. Create Adapter Task

3.1. Create Pre-populate Adapter

Click Adapter Factory and enter the following values into the form:
Adapter Name: dbicf_prepop_adp
Adapter Type: Pre-populate Rule Generator
Description: Enter your description


Click the Save icon and it will create the pre-populate adapter.

3.2. Create Adapter Variable

Click Variable List --> Add and it will display the following screen.



Enter the following details into the variable screen and click the Save icon.


Variable Name: oimdata
Type : String
Map To : Resolve at runtime
Description: Enter Description



The configuration of the adapter variable is as follows:




3.3. Create Adapter Task

Click Add --> Logic Task --> SET VARIABLE and it will display the following screen.



Select Adapter return value as the Variable Name, Variable as the Operand Type and oimdata as the Operand Qualifier. The sample is given below.


Click the Save icon and it will display the following screen.



Click the Build button. It will compile the adapter, which is then ready to use in the process form.



4. Process Form Definition

This component is required to capture the data from Oracle Identity Manager and transfer it to the process definition, which stores the values in the target resource. The following sub-components are required to create the process form definition.

4.1 Creating the Process Form

4.2 Additional Columns

4.3 Properties

4.4 Pre-Populate

4.5  Building Form


4.1 Creating the Process Form

Click Form Designer --> enter the Table Name and Description and click the Save button. It will create the process form. The process form configuration is given below as a screenshot.




4.2 Additional Columns

Add the following columns in the Additional Columns section to capture the data. They are


1. Unique ID
2. User Login
3. User Password
4. First Name
5. Last Name
6. Middle Name
7. Data Base Server


The configuration details are given below:



4.3 Properties

Click the Properties tab and configure the following properties for validation.

1. User Login
    Required = true
2. User Password
    Required = true
3. Last Name
    Required = true
4. Data Base Server
    Required = true
    Type = Data Base ICF Connector

The configuration details are given below:




4.4 Pre-Populate

This component is required to map the OIM user attributes to the process form fields. The following fields are mapped:

1. User Login = User Login
2. User Password = Password
3. First Name = First Name
4. Last Name= Last Name
5. Middle Name = Middle Initial

The User Login configuration is shown below as a screenshot.



Select User Login as the Field Name, Default as the Rule and dbicf_prepop_adp as the Adapter, then click Save. Click the Map button and it will display the following screen.


Select User Definition as Map To and User Login as the Qualifier. Click the Save icon.

Repeat the steps for the remaining fields. After completion the configuration looks like this:



4.5  Building Form

Click the Make Version Active button and it will display the following screen.


Click the OK button. It will activate the form version so it can be used in the resource object.


5. Process Task Adapters

This is required to process the data from OIM to the target resource and persist it in the database. The following components are required for the database connector. They are

5.1. Create User
5.2. Update User
5.3. Delete User
5.4. Enable User
5.5. Disable User


5.1. Create User

5.1.1. Create Adapter

Click Adapter Factory --> enter the Adapter Name, Adapter Type and Description. Click the Save icon and it will display the following screen.


5.1.2 Create Responses

The following responses need to be created. They are

Code Name - Status
1. SUCCESS  - C (Completed)
2. ERROR - R (Rejected Due to failure)

The configuration is as follows:



5.1.3. Create Variable

Click the Variable List tab and create the following variables in the variable list. They are

Name - Type - Mapped As - Description
1. objectType  - String - Resolve at runtime -  objecttype
2. processInstanceKey - Long - Resolve at runtime - processinstancekey
3. itResourceColumnName - String - Resolve at runtime - itresourcecolumnname

Resolve at runtime means the values are mapped later, in the process definition task mapping.

The configuration is as follows:



5.1.4. Create Adapter Task

Click the Adapter Task tab --> Add --> Functional Task (Java) --> select New Object Instance --> Continue --> enter the Task Name, select ICFIntglar:icf-oim-intg.jar as the API Source, select the ICProvisioningManager class as the Application and select the createObject method. Click the Save icon and it will display the following screen.




Click Constructor and Method and it will display the following screen.



Constructor Mapping

Input: String - Map to Adapter Variable - Name is itResourceColumnName
Input: long - Map to Adapter Variable - Name is processInstanceKey
input: com.thortech.xl.dataaccess.tcDataProvider - Map to  Adapter References - Name is Database reference

Method Mapping

Output: String - Map to Adapter Variable - Name is Return Variable
Input: String - Map to Adapter Variable - Name is objectType

After the mapping is done, the configuration is as given below:

Click the Save icon, then click the Close button and it will display the following screen.



5.1.5 Compile the Adapter

Click the Build button. It will compile the adapter and display the following screen.



After compiling the adapter, the Compile Status is OK. If you see any error while compiling the adapter, fix the errors and recompile.

5.2. Update User

5.2.1. Create Adapter

Follow the step 5.1.1 to create the adapter.

5.2.2 Create Responses

Follow the steps 5.1.2 to create the responses.

5.2.3. Create Variable

Follow the steps in 5.1.3 to create the variables. Add the following additional variable:

4. attrFieldName - String - Resolve at runtime - Attribute Field Label


5.2.4. Create Adapter Task

Follow the steps in 5.1.4 to create the adapter task, choosing the updateAttributeValue(String) method.

Constructor Mapping

Input: String - Map to Adapter Variable - Name is itResourceColumnName
Input: long - Map to Adapter Variable - Name is processInstanceKey
input: com.thortech.xl.dataaccess.tcDataProvider - Map to  Adapter References - Name is Database reference

Method Mapping

Output: String - Map to Adapter Variable - Name is Return Variable
Input: String - Map to Adapter Variable - Name is objectType
Input: String - Map to Adapter Variable - Name is attrFieldName


5.2.5 Compile the Adapter

Follow the steps in 5.1.5 to compile the adapter.

5.3 Delete User

5.3.1. Create Adapter

Follow the step 5.1.1 to create the adapter.

5.3.2 Create Responses

Follow the steps 5.1.2 to create the responses.

5.3.3. Create Variable

Follow the steps 5.1.3 to create the variables.


5.3.4. Create Adapter Task

Follow the steps in 5.1.4 to create the adapter task, choosing the deleteUser(String objectType) method.

Constructor Mapping

Input: String - Map to Adapter Variable - Name is itResourceColumnName
Input: long - Map to Adapter Variable - Name is processInstanceKey
input: com.thortech.xl.dataaccess.tcDataProvider - Map to  Adapter References - Name is Database reference

Method Mapping

Output: String - Map to Adapter Variable - Name is Return Variable
Input: String - Map to Adapter Variable - Name is objectType


5.3.5 Compile the Adapter

Follow the steps in 5.1.5 to compile the adapter.

5.4 Enable User

5.4.1. Create Adapter

Follow the step 5.1.1 to create the adapter.

5.4.2 Create Responses

Follow the steps 5.1.2 to create the responses.

5.4.3. Create Variable

Follow the steps 5.1.3 to create the variables.


5.4.4. Create Adapter Task

Follow the steps in 5.1.4 to create the adapter task, choosing the enableObject(String objectType) method.

Constructor Mapping

Input: String - Map to Adapter Variable - Name is itResourceColumnName
Input: long - Map to Adapter Variable - Name is processInstanceKey
input: com.thortech.xl.dataaccess.tcDataProvider - Map to  Adapter References - Name is Database reference

Method Mapping

Output: String - Map to Adapter Variable - Name is Return Variable
Input: String - Map to Adapter Variable - Name is objectType


5.4.5 Compile the Adapter

Follow step 5.1.5 to compile the adapter.


5.5 Disable User

5.5.1 Create Adapter

Follow step 5.1.1 to create the adapter.

5.5.2 Create Responses

Follow step 5.1.2 to create the responses.

5.5.3 Create Variable

Follow step 5.1.3 to create the variables.


5.5.4 Create Adapter Task

Follow step 5.1.4 to create the adapter task. Choose the method disableUser(String objectType).

Constructor Mapping

Input: String - Map to Adapter Variable - Name is itResourceColumnName
Input: long - Map to Adapter Variable - Name is processInstanceKey
Input: com.thortech.xl.dataaccess.tcDataProvider - Map to Adapter References - Name is Database reference

Method Mapping

Output: String - Map to Adapter Variable - Name is Return Variable
Input: String - Map to Adapter Variable - Name is objectType


5.5.5 Compile the Adapter

Follow step 5.1.5 to compile the adapter.

6. Resource Object

Creating Resource Object

Click Resource Object --> Enter the Object Definition Name, select Type as Application, and select the Allow Multiple (multiple instances can be created), Allow All (everyone can request it), Self Request Allowed (the resource can be requested through the Self Service option), and Off-line Provisioning check boxes. Click Save and it will create the Resource Object.





7. Process Definition

Click Process Management --> Process Definition --> Enter the Name, Type, Object Name, and Table Name, and select the Default Process, Auto Pre-populate, and Auto Save Form check boxes. Click the Save button and it will display the following screen.



Tasks

The following tasks need to be created for the provisioning operations in the connector. They are:

7.1 Create User

The Create User task is used to provision the user into the target system.

7.1.1 Create User Task:

Click Add button in the Tasks Section and it will open the following screen.



Enter Task Name as Create User and Task Description as Creating the User in target System; select Required for Completion, Allow Cancellation while Pending, and Allow Multiple Instances; enter the Retry Period in minutes and the Retry Count. Click the Save button. The configuration details are given below.


Task Integration

Click Integration tab and it will display the following screen.



Click Add button and It will display the following screen.



Select Adapter option and it will display the following screen.



The Create User adapter is named dbicf_database_createuser. When you select it in the process definition, it appears as adpDBICF_DATABASE_CREATEUSER.

Select the Create User adapter, adpDBICF_DATABASE_CREATEUSER, and it will


Click OK Button and It will display the following screen



Click Yes button and it will display the following screen.


Integration Adapter Mapping:

Select Adapter return value and click the Map button. It will display the following screen.



Select Map To as Response Code, click the Save button, and then click the Close button.


Select objectType and click Map button and It will display the following screen.






Select Map To as Literal, Qualifier as String, and Literal Value as User. Click Save and then Close.


Select processInstanceKey --> click the Map button --> Select Map To as Process Data and Qualifier as Process Instance. Click Save and then Close.

Select itResourceColumnName --> click the Map button --> Select Map To as Literal, Qualifier as String, and Literal Value as UD_DBICF_USR_SERVER. Click Save and then Close. After configuring all the variables, the configuration is shown below.



Tasks Object Status Mapping

Click the Object Status Mapping tab --> Select Status C and set Object Status to Provisioned, then click Save. The configuration is as follows:



Click Save and Close Button.



Tasks Enable User

General Tab
Click the Add button and enter the following details in the General section.
Task Name : Enable User
Description : Enabling the user in target resource

Select the task properties Conditional, Required for Completion, Allow Cancellation while Pending, and Allow Multiple Instances; enter Retry Period in minutes as 30 and Retry Count as 5.

Select Task Effect as Enable Process or Access to Application.

The configuration details are given below.







Integration Tab

Click Integration Tab --> Add  --> Select Adapter option --> Select adpDBICF_DATABASE_ENABLEUSER --> Click Save --> Click OK button --> Click Yes Button.

Mapping the Adapter Variable

Select Adapter return value --> click the Map button --> Select Map To as Response Code. Click Save and then Close.

Select objectType --> click the Map button --> Select Map To as Literal, Qualifier as String, and Literal Value as User. Click Save and then Close.

Select itResourceColumnName --> click the Map button --> Select Map To as Literal, Qualifier as String, and Literal Value as UD_DBICF_USR_SERVER. Click Save and then Close.


Select processInstanceKey --> click the Map button --> Select Map To as Process Data and Qualifier as Process Instance. Click Save and then Close.

After completing the configuration, it is as follows:






Task Object Status Mapping


Click the Object Status Mapping tab --> Select Status C and set Object Status to Enabled, then click Save. The configuration is as follows:




Click Save and Close button. It will create the Enable User Task.





Tasks Disable User:

General Tab
Click the Add button and enter the following details in the General section.
Task Name : Disable User
Description : Disabling the user in target resource

Select the task properties Conditional, Required for Completion, Allow Cancellation while Pending, and Allow Multiple Instances; enter Retry Period in minutes as 30 and Retry Count as 5.

Select Task Effect as Disable Process or Access to Application.

The configuration details are given below.



Integration Tab

Click Integration Tab --> Add  --> Select Adapter option --> Select adpDBICF_DATABASE_DISABLEUSER --> Click Save --> Click OK button --> Click Yes Button.

Mapping the Adapter Variable

Select Adapter return value --> click the Map button --> Select Map To as Response Code. Click Save and then Close.

Select objectType --> click the Map button --> Select Map To as Literal, Qualifier as String, and Literal Value as User. Click Save and then Close.

Select itResourceColumnName --> click the Map button --> Select Map To as Literal, Qualifier as String, and Literal Value as UD_DBICF_USR_SERVER. Click Save and then Close.


Select processInstanceKey --> click the Map button --> Select Map To as Process Data and Qualifier as Process Instance. Click Save and then Close.

After completing the configuration, it is as follows:



Task Object Status Mapping


Click the Object Status Mapping tab --> Select Status C and set Object Status to Disabled, then click Save. The configuration is as follows:


Click Save and Close button. It will create the Disable User Task.


Tasks Delete User:

General Tab
Click the Add button and enter the following details in the General section.
Task Name : Delete User
Description : Deleting the user in target resource

Select the task properties Conditional, Required for Completion, Allow Cancellation while Pending, and Allow Multiple Instances; enter Retry Period in minutes as 30 and Retry Count as 5.

Integration Tab

Click Integration Tab --> Add  --> Select Adapter option --> Select adpDBICF_DATABASE_DISABLEUSER --> Click Save --> Click OK button --> Click Yes Button.

Mapping the Adapter Variable

Select Adapter return value --> click the Map button --> Select Map To as Response Code. Click Save and then Close.

Select objectType --> click the Map button --> Select Map To as Literal, Qualifier as String, and Literal Value as User. Click Save and then Close.

Select itResourceColumnName --> click the Map button --> Select Map To as Literal, Qualifier as String, and Literal Value as UD_DBICF_USR_SERVER. Click Save and then Close.


Select processInstanceKey --> click the Map button --> Select Map To as Process Data and Qualifier as Process Instance. Click Save and then Close.

After completing the configuration, it is as follows:



Task Object Status Mapping


Click the Object Status Mapping tab --> Select Status C and set Object Status to Revoked, then click Save. The configuration is as follows:


Tasks User Login Updated:


General Tab
Click the Add button and enter the following details in the General section.
Task Name : User Login Updated
Description : Updating the user login in the target resource

Select the task properties Conditional, Required for Completion, Allow Cancellation while Pending, and Allow Multiple Instances; enter Retry Period in minutes as 30 and Retry Count as 5.
The configuration details are given below.






Integration Tab

Click Integration Tab --> Add  --> Select Adapter option --> Select adpDBICF_DATABASE_DISABLEUSER --> Click Save --> Click OK button --> Click Yes Button.

Mapping the Adapter Variable

Select Adapter return value --> click the Map button --> Select Map To as Response Code. Click Save and then Close.

Select objectType --> click the Map button --> Select Map To as Literal, Qualifier as String, and Literal Value as User. Click Save and then Close.

Select attrFieldName --> click the Map button --> Select Map To as Literal, Qualifier as String, and Literal Value as User Login. Click Save and then Close.


Select itResourceColumnName --> click the Map button --> Select Map To as Literal, Qualifier as String, and Literal Value as UD_DBICF_USR_SERVER. Click Save and then Close.


Select processInstanceKey --> click the Map button --> Select Map To as Process Data and Qualifier as Process Instance. Click Save and then Close.

After completing the configuration, it is as follows:


Repeat the User Login Updated task steps for the following tasks.

Tasks User Password Updated
Tasks First Name Updated
Tasks Last Name Updated
Tasks Middle Name Updated
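The process tasks above are wired by hand in the Design Console, and nothing in that click-through confirms that the adapter chosen for a task, the variables mapped on it, and the object status it records on completion agree with each other. As an added check, not part of the original post or of OIM itself, the following Python models each task as a plain dict carrying the same fields the page configures (adapter name, variable mappings as Map To / Qualifier / Literal Value, object status for status C) and audits them offline. The adapter variable sets come from the adapter task sections on the page (constructor variables plus the method's own variables), the expected mappings from the task sections, and the rule that an adapter named adpDBICF_DATABASE_<OPERATION> implies a matching object status is an assumption of this example. Run against the tasks exactly as the page lists them, it flags the Delete User and User Login Updated tasks, which the page wires to the DISABLEUSER adapter: a revocation task that records Revoked while its adapter only disables leaves OIM's view of the account out of step with the target, and an update task mapping attrFieldName onto an adapter that does not declare it will never carry that value.

```python
"""Offline wiring check for OIM provisioning tasks (constructed example).

Not OIM's own API: OIM keeps task wiring in its repository and Design
Console. Here each task is a plain dict mirroring the fields on the page,
so the check runs anywhere without an OIM server.
"""

# Variables each adapter exposes to a task, from the adapter task sections:
# the constructor variables (itResourceColumnName, processInstanceKey) plus
# the method's own variables. Only adapters named on the page are listed.
ADAPTER_VARIABLES = {
    "adpDBICF_DATABASE_CREATEUSER": {
        "Adapter return value", "itResourceColumnName", "processInstanceKey", "objectType"},
    "adpDBICF_DATABASE_ENABLEUSER": {
        "Adapter return value", "itResourceColumnName", "processInstanceKey", "objectType"},
    "adpDBICF_DATABASE_DISABLEUSER": {
        "Adapter return value", "itResourceColumnName", "processInstanceKey", "objectType"},
}

# Object status a completed ("C") task should record, keyed by the operation
# keyword at the end of the adapter name. Assumption of this example.
ADAPTER_EFFECT = {
    "CREATEUSER": "Provisioned",
    "ENABLEUSER": "Enabled",
    "DISABLEUSER": "Disabled",
}

# How every task on the page maps these variables: (Map To, Qualifier, Literal Value)
REQUIRED_MAPPINGS = {
    "Adapter return value": ("Response Code", None, None),
    "processInstanceKey": ("Process Data", "Process Instance", None),
    "itResourceColumnName": ("Literal", "String", "UD_DBICF_USR_SERVER"),
    "objectType": ("Literal", "String", "User"),
}


def check_task(task):
    """Return a list of findings for one task; empty when the wiring is consistent."""
    findings = []
    name, adapter = task["name"], task["adapter"]
    mapped = set(task["mappings"])

    # 1. Every adapter variable must be mapped, and nothing extra may be mapped.
    declared = ADAPTER_VARIABLES.get(adapter)
    if declared is None:
        findings.append(f"{name}: adapter {adapter} is not a known adapter")
    else:
        for var in sorted(declared - mapped):
            findings.append(f"{name}: variable {var} of {adapter} is not mapped")
        for var in sorted(mapped - declared):
            findings.append(f"{name}: maps {var}, which {adapter} does not declare")

    # 2. The standard variables must be mapped the way the page prescribes.
    for var, expected in REQUIRED_MAPPINGS.items():
        actual = task["mappings"].get(var)
        if actual is not None and actual != expected:
            findings.append(f"{name}: {var} mapped to {actual}, expected {expected}")

    # 3. The status written on completion must agree with what the adapter does,
    #    otherwise OIM records one lifecycle state while the target is in another.
    status = task.get("object_status", {}).get("C")
    effect = ADAPTER_EFFECT.get(adapter.rsplit("_", 1)[-1])
    if status and effect and status != effect:
        findings.append(f"{name}: completion status {status} but adapter {adapter} implies {effect}")
    return findings


def page_tasks():
    """The tasks as the page wires them (constructed from its steps)."""
    common = dict(REQUIRED_MAPPINGS)
    return [
        {"name": "Create User", "adapter": "adpDBICF_DATABASE_CREATEUSER",
         "mappings": dict(common), "object_status": {"C": "Provisioned"}},
        {"name": "Enable User", "adapter": "adpDBICF_DATABASE_ENABLEUSER",
         "mappings": dict(common), "object_status": {"C": "Enabled"}},
        {"name": "Disable User", "adapter": "adpDBICF_DATABASE_DISABLEUSER",
         "mappings": dict(common), "object_status": {"C": "Disabled"}},
        {"name": "Delete User", "adapter": "adpDBICF_DATABASE_DISABLEUSER",
         "mappings": dict(common), "object_status": {"C": "Revoked"}},
        {"name": "User Login Updated", "adapter": "adpDBICF_DATABASE_DISABLEUSER",
         "mappings": {**common, "attrFieldName": ("Literal", "String", "User Login")}},
    ]


def check_all(tasks=None):
    """Map each task name to its findings."""
    return {t["name"]: check_task(t) for t in (tasks if tasks is not None else page_tasks())}


if __name__ == "__main__":
    for task_name, task_findings in check_all().items():
        print(task_name, "OK" if not task_findings else "; ".join(task_findings))
```

To reuse it on a real deployment, fill ADAPTER_VARIABLES from each adapter's variable list in the Design Console and build the task dicts from the Integration and Object Status Mapping tabs; the three checks then give a quick review of whether a provisioning task can actually do what its recorded status claims.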