Here is a basic example of a User Pre-Process EventHandler. This handler looks for either new or changed first and last name values and recomputes a Display Name and Initials attribute. It lacks proper error handling for missing values, but it should give you a good idea of how to work with EventHandlers.
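As an added, self-contained sketch of such a handler (my own example, not the file linked from this post), the class below assumes the OIM 11g kernel SPI (PreProcessHandler, Orchestration, BulkOrchestration), a UDF named Initials, and that MODIFY orchestrations expose the stored user as CURRENT_USER in the inter-event data; unlike the posted version it skips the recompute when either name is unavailable rather than writing a partial value:

```java
import java.io.Serializable;
import java.util.HashMap;
import oracle.iam.identity.usermgmt.vo.User;
import oracle.iam.platform.kernel.spi.PreProcessHandler;
import oracle.iam.platform.kernel.vo.AbstractGenericOrchestration;
import oracle.iam.platform.kernel.vo.BulkEventResult;
import oracle.iam.platform.kernel.vo.BulkOrchestration;
import oracle.iam.platform.kernel.vo.EventResult;
import oracle.iam.platform.kernel.vo.Orchestration;

// Pre-process handler for user CREATE/MODIFY: when a first or last name arrives,
// recompute "Display Name" and the "Initials" UDF (the UDF name is an assumption).
public class NameAttributesPreProcessHandler implements PreProcessHandler {
    private static final String FIRST = "First Name";
    private static final String LAST = "Last Name";
    private static final String DISPLAY = "Display Name";
    private static final String INITIALS = "Initials"; // assumed UDF attribute name

    public EventResult execute(long processId, long eventId, Orchestration orch) {
        HashMap<String, Serializable> params = orch.getParameters();
        if (params.containsKey(FIRST) || params.containsKey(LAST)) {
            // On MODIFY only changed attributes are in params; the stored values are
            // read from the CURRENT_USER inter-event data (key assumed, absent on CREATE).
            HashMap<String, Serializable> inter = orch.getInterEventData();
            User current = inter == null ? null : (User) inter.get("CURRENT_USER");
            recompute(params, pick(params, current, FIRST), pick(params, current, LAST));
        }
        return new EventResult();
    }
    public BulkEventResult execute(long processId, long eventId, BulkOrchestration orch) {
        // Bulk (batched recon) orchestrations carry one parameter map per user.
        for (HashMap<String, Serializable> params : orch.getBulkParameters()) {
            recompute(params, asString(params.get(FIRST)), asString(params.get(LAST)));
        }
        return new BulkEventResult();
    }
    // Derived values are written only when both inputs are known, so a missing
    // name leaves Display Name/Initials untouched instead of producing "null Smith".
    static void recompute(HashMap<String, Serializable> params, String first, String last) {
        if (first == null || last == null) return;
        params.put(DISPLAY, first + " " + last);
        params.put(INITIALS, String.valueOf(first.charAt(0)) + last.charAt(0));
    }
    private static String pick(HashMap<String, Serializable> params, User current, String attr) {
        String v = asString(params.get(attr));
        if (v == null && current != null) v = asString(current.getAttribute(attr));
        return v;
    }
    private static String asString(Object v) { // blank strings count as missing
        if (v == null) return null;
        String s = v.toString().trim();
        return s.length() == 0 ? null : s;
    }
    public void initialize(HashMap<String, String> arg) { }
    public boolean isApplicable(AbstractGenericOrchestration orch) { return true; }
    public void compensate(long processId, long eventId, AbstractGenericOrchestration orch) { }
    public boolean cancel(long processId, long eventId, AbstractGenericOrchestration orch) { return false; }
}
```

The class still has to be packaged as an OIM plug-in and registered against the USER entity's CREATE and MODIFY operations via the event handler metadata before OIM will call it.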
Discusses tips, tricks, revelations, and other items as we work to implement Oracle Identity Manager 11g to handle our provisioning and account management.
Tuesday, November 2, 2010
Thursday, October 21, 2010
Bundle Patch 1 for OIM 11.1.1.3 is now Available
The first bundle patch for OIM 11.1.1.3 has been released on My Oracle Support. It has quite a number of fixes listed.
Thursday, October 7, 2010
Entity Adapters on the USR Data Form
Just received word from Oracle that Entity Adapters/Rule Generators in OIM 11g are no longer usable on the USR form; you must create these using the new EventHandler mechanism.
Wednesday, October 6, 2010
Trusted Reconciliations
There have been some important changes in the Trusted Reconciliation processes for bringing in new accounts/changed accounts from some system of record such as an HR system using the Generic Technology Connector or custom reconciliation connectors.  
The default mechanism for reconciliations is now a batched reconciliation, which processes many changed records much faster than before but also has some limitations. If you were previously using pre-insert or pre-update entity adapters, these will NOT fire in a batched reconciliation. The GTC in trusted reconciliation uses the batched mode exclusively and I have not yet identified a way to switch it to one-off events. This matters because if you use pre adapters to calculate or modify certain values on the User form, such as login, email address, expiration dates, etc., they won't trigger. You either have to switch these to a post operation, which may cause a potential infinite loop condition, or avoid batched mode.
If you use the APIs and/or a connector that creates reconciliation records, then you have the ability to use a non-batched operation. In this mode, the pre entity adapters DO fire. Additionally, pre adapters DO trigger on manual operations through the UI. In order to force a non-batched recon event, you must call the API method processReconciliationEvent after creating and/or finishing your event.
As in:
// Runs inside OIM (e.g. from a scheduled task); Platform is oracle.iam.platform.Platform
tcReconciliationOperationsIntf reconObj = Platform.getService(Thor.API.Operations.tcReconciliationOperationsIntf.class);
java.util.Map<String, Object> attributes = new java.util.HashMap<String, Object>(); // recon field name -> value
long rceKey = reconObj.createReconciliationEvent("Resource Object Name", attributes, true); // true = finish the event
reconObj.processReconciliationEvent(rceKey); // process it now, outside the batch
UPDATE:
You also need to close the event with a:
reconObj.closeReconciliationEvent(rceKey);
or the batch will attempt to redo the linking when it executes. This will cause a failed orchestration task to linger out there.
In the next post, I'll give a concrete example of how to do a pre-modify EventHandler to compute some attributes.
Changes in Reconciliations
OIM 11g has brought many changes in the reconciliation engine.  Many of the changes are to improve performance and streamline the recon process.  For those of us familiar with or using OIM 9.1 some of these changes will require some thought as to how to migrate processes over.  I will be detailing some of the differences and how we have tackled them in the next few posts.
Saturday, September 18, 2010
User Defined Attributes and GTC
When creating UDFs for the User form, don't use spaces in the Name. Instead of Student Expiration Date, use Student_Expiration_Date, for example. The GTC seems to have a hard time making the translation to the actual DB column name if you don't. I tried working with the customResource bundles in order to fix this, but no combination I tried seemed to work. I also tried editing the Process using the design console, but that just caused other issues. The only way I could get it to recon properly was with UDF names without spaces.
If you do this, you will have ugly names on your User forms in the UI. Additionally if you need to localize for other languages, the way to add the localizations is somewhat obscure. You need to locate the IdentityTaskFlow.jar in your ORACLE_HOME/server/apps/oim.ear/admin.war/WEB-INF/lib directory. Inside this jar you will find the various language resource bundles at oracle/iam/identitytaskflow/resources/UserAttributes_en.properties and so on.
Extract this file. Add your UDF name-to-localization mappings to the file. The key should be in all lower case to work properly.
For example the above item would be added as:
student_expiration_date=Student Expiration Date
Update the jar and restart the OIM instance. Your UI should now reflect the localized names for your UDF fields!
Thursday, September 16, 2010
Default SOA Workflows
I'm not sure if we ran into an installer thing, or something else, however while testing the approval workflows we were getting consistent failures.  When we looked into it, the default SOA composites for the out of box workflows were not deployed to the SOA instance.
These are located in your ORACLE_HOME for OIM at ORACLE_HOME/server/workflows/composites. They are already registered with OIM, just not deployed into SOA. You can either extract the jar files from the zips in the above directory and deploy via the Enterprise Manager console, or extract the zips, open them with JDeveloper and deploy that way, whichever you are more comfortable with. We used JDeveloper so we would have the defaults available to extend for our own purposes.
Friday, September 10, 2010
Useful Script to Automatically Start NodeManager at Boot-up
Found this excellent post with a script to start the NodeManager as a service.
http://weblogicserver.blogspot.com/2010/01/node-manager-as-unix-startup-process.html
Adding additional User Defined Attributes (UDF) to the User form - Part II
After we created all of the additional UDFs required on our OIM/Xellerate User form, we thought we were home-free. We created a test user using some of our new fields, and they were properly created and the attributes set in the directory as mapped. However, we ran into a bit of a head-scratcher. When we went to the modify user form, we could see none of our new attributes.
After fooling around with properties files and verifying settings, we finally figured out that the 'Authorization Policy' that was granting xelsysadm the ability to modify forms did not automatically include all the new attributes. We tried to edit the 'User Management Administration Policy' to check the additional attributes as allowed; however, it seems you can't edit the built-in policies. So we created a new policy based on this policy and selected all of the new attributes. Problem solved!
Wednesday, September 8, 2010
Purging Cache
The PurgeCache script works a bit differently than it does in 9.1; it took me a few tries to figure out what it was asking. The script is located in your IAM_HOME/server/bin directory, and the easiest thing to do is bring the setWLSEnv.sh environment into your shell before running it.
Initially I thought it was asking for the WebLogic administrator information (port 7001) as the export/import scripts did. It is actually looking for the OIM instance information.
[Enter the admin username:]xelsysadm
[Enter the admin password:]
[Enter the service url : (i.e.: t3://oimhostname:oimportno)]t3://oimmidtierhostname:14000
I created a little script on my path to run this without going into the directory.
#!/bin/bash
# Wrapper so PurgeCache can be run from anywhere; pass the cache category (e.g. All) as the first argument
export OIM_ORACLE_HOME=/oracle/product/fmw/iam
. /oracle/product/fmw/wlserver_10.3/server/bin/setWLSEnv.sh
pushd /oracle/product/fmw/iam/server/bin
./PurgeCache.sh "$1"
popd
User Attributes and Categories
While managing user attributes, I have noticed a few things to keep an eye out for.  If you move or delete an attribute from a category, re-order it to the highest numbered position first (Farthest away from 1).  If you don't you will likely be missing some of the other attributes from the list in the category after the move/delete.  This is relatively easy to repair.
1) Export the /file/User.xml metadata using the export utility.
2) Look for the metadata-attachment section of the xml. This section lists the ordering of the attributes in the categories. When you find the category in question, it will likely be missing entries for the affected attributes.
They look like this:
<metadata>
<name>2</name>
<value>SIS Affiliation</value>
<category>categories.Internal Attributes</category>
</metadata>
3) Re-add metadata sections for the missing attributes.
4) Import the /file/User.xml
5) I had to restart the OIM instance in order to see the changes; it doesn't seem to refresh this metadata on the fly. UPDATE: PurgeCache All worked.
Wednesday, September 1, 2010
LDAP Sync Config - Part 2
As part of our implementation of OID, we use several different object classes of our own creation as well as the eduPerson object class.  Additionally we don't use cn as our RDN for user accounts, we use a custom unique ID.  We were able to change the LDAP Sync configuration in OIM to support all of this quite easily.
1) Add the custom attributes to the User Attributes in OIM.
2) Export the /metadata/iam-features-ldap-sync/LDAPUser.xml metadata from the repository.
3) To add additional object classes to be added on create, add additional <value> entries to the <parameter name="objectclass"> node.
Ex:
<parameter name="objectclass">
<value>orclIDXPerson</value>
<value>eduPerson</value>
</parameter>
4) Add your custom attributes to the three sections as noted in 13.4 of the OIM System Administrators guide.
5) To change your RDN from cn to another attribute, update the <parameter name="rdnattribute"> tag to the new directory attribute name.
Ex:
<parameter name="rdnattribute">
<value>companyid</value>
</parameter>
6) Reimport the metadata and test!
Tuesday, August 31, 2010
LDAP Sync Config Gotcha
Ran into a small gotcha while configuring the LDAP Sync for OIM. In step 13.7 of the Enterprise Deployment guide you are setting the LDAPSync parameters while running the OIM configuration utility. The docs seem to indicate that you are only entering a relative DN for the users and roles containers, and that the rest of the DN root is defined elsewhere. We were getting errors creating new users after configuring it this way, and we realized it must not be building the full correct DN for new users.
To repair, export /db/LDAPContainerRules.xml from the metadata repository and change the containers from just the 'cn=Users' to the full dn root 'cn=Users,dc=company,dc=com' and likewise for the Roles. Reimport and you should be all set.
Looking for OIM xlconfig.xml in 11g?
The new OIM stores its metadata config files in the database so you have to export it, edit, and re-import the file.
I found documentation on how to accomplish this in section 17.5.6 in the Enterprise Deployment Guide via command line. You can also perform the operation using Enterprise Manager by following section 18.2 in the OIM System Administration guide.
Installing OIM/OID/OVD 11g
We have successfully installed our development environment.  We have two mid-tier nodes running in the current setup.
Node One:
WL AdminServer and Enterprise Manager
OIM/SOA
Node Two:
OID
OVD
ODSM
I found the best installation instructions that covered the gotchas was the Enterprise Deployment Guide for Identity Management. There are a couple of steps the basic installation guide misses that may cause issues when you add OIM into the same domain. Section 4.7.6 in the enterprise guide in particular.
Eric
Monday, August 30, 2010
IdM 11G!
It has been awhile since I've posted, but we are up to some exciting things here and I want to use this platform to provide some information, lessons learned, and other information as we begin our work toward a full upgrade/re-implementation of the IDM/IAM 11g Stack.
We have decided rather than try to upgrade to the 11g versions, we are going to take this opportunity to use all of the information and things we have learned over our 10g setups to re-implement on 11g. This will give us many benefits, not the least of which is parallelism, ability to gradually phase in new versions, new hardware/OS/database setups. As well as the many things we have learned how to do better, things we thought we would use and never did, overly complicated groups and attributes, etc.
Additionally, as we are replacing our main ERP system as a parallel project, this will give us the opportunity to have our OIM11g installation uncluttered with old, unused connectors and interfaces.
We have started installing our development environment and the installation is fairly straight forward.
Stay tuned!