Friday, May 26, 2017

Quick Tip#2: Ping and telnet

The ping command tells you whether a remote host answers ICMP echo requests. A reply proves the host is up and routable; no reply does not prove it is down, because ICMP is commonly blocked by firewalls.

Syntax:
ping [hostname/ip]
ping google.com


Ping works at the IP/ICMP layer, so it cannot tell you anything about ports. To find out whether a TCP port is open on a remote host, use telnet, which attempts a real TCP connection to it.

Syntax:
telnet [domainname or ip] [port]
telnet iamsoaguru 7001


If the port is open, the connection completes: on Linux telnet prints "Connected to ..." and "Escape character is '^]'.", on Windows you get a blank screen. Either way the TCP handshake succeeded. "Connection refused" means the host is reachable but nothing is listening on that port; a long hang followed by a timeout usually means a firewall is dropping the packets. Telnet only proves that a TCP port is open; it cannot test UDP ports.


Exiting from telnet: press Ctrl+] to get the telnet> prompt, then type 'q' or 'quit'
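When you need the same port check from a script (for example to verify that the OIM t3 port or the AdminServer port is reachable before a deployment), an interactive telnet session is awkward. The following is an added Python example, not part of the original post: it performs the TCP connect that telnet performs and classifies the result into the three states described above (open, refused/closed, filtered/timeout), plus a separate "unresolved" state so that a DNS problem is not mistaken for a firewall. It uses only the standard library; the host names in the main block are the ones from this post and are just illustrative. The self-test opens its own throwaway listener on 127.0.0.1, so it does not depend on any external host.

```python
import socket
from typing import Literal

PortState = Literal["open", "closed", "filtered", "unresolved"]


def check_port(host: str, port: int, timeout: float = 3.0) -> PortState:
    """Classify a TCP port the way a telnet probe does, without the interactive session.

    open        three-way handshake completed (telnet shows 'Connected to ...' / a blank screen)
    closed      the host answered with a RST (telnet prints 'Connection refused')
    filtered    no answer before the timeout, or no route: a firewall drop or a dead host
    unresolved  the name did not resolve, so nothing was probed at all
    """
    try:
        family, socktype, proto, _, sockaddr = socket.getaddrinfo(
            host, port, type=socket.SOCK_STREAM)[0]
    except socket.gaierror:
        return "unresolved"
    with socket.socket(family, socktype, proto) as s:
        s.settimeout(timeout)
        try:
            s.connect(sockaddr)
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "filtered"
        except OSError:
            # "No route to host" / "Network is unreachable": indistinguishable
            # from a silent drop as far as the service is concerned
            return "filtered"
    return "open"


def grab_banner(host: str, port: int, timeout: float = 3.0) -> str:
    """Read whatever the service volunteers on connect (SSH, SMTP and FTP do; HTTP does not).

    This is the text you would see on the telnet screen right after connecting.
    Returns "" when the port is not open or the service stays silent.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            return s.recv(256).decode("ascii", "replace").strip()
    except OSError:
        return ""


def selftest() -> dict:
    """Probe a throwaway local listener, then the same port once it is gone."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))      # port 0: let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    result = {"port": port, "while_listening": check_port("127.0.0.1", port, 2.0)}
    srv.close()
    result["after_close"] = check_port("127.0.0.1", port, 2.0)
    return result


if __name__ == "__main__":
    print(selftest())
    # Same checks as the manual ping/telnet in the post, against an external host
    print(check_port("google.com", 443), repr(grab_banner("localhost", 22)))
```

Note that "filtered" covers two different things (a firewall dropping packets and a host that is simply not there); a ping to the same host, or a check of a port you know to be open, separates them.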

OIM: Troubleshooting Reconciliation


1. Each execution of a reconciliation scheduled job is associated with a unique identifier, the Job ID. This job ID is created when the createReconciliationEvent() method is called from the connector's reconciliation code.

2. All the monitoring happens on the basis of job ID. Useful tables are:
  • recon_jobs
  • recon_batches
  • recon_events
  • ra_* staging tables
  • orchevents
  • orchfailedevents
3. Job ID can be found in two ways:
  • By searching for the recon event created by the scheduled job 
  • By querying the recon_jobs table
4. Tables involved in recon process:
  • RECON_JOBS
  • RECON_BATCHES
  • RECON_EVENTS
  • RA_* TABLES
5. Helpful SQLs:

--RECON_JOBS
select count(*) from recon_jobs

select * from recon_jobs order by rj_start_time DESC

select * from recon_jobs where rj_name = 'HRMS Trusted User Recon' order by rj_start_time DESC

select distinct(rj_job_status) from recon_jobs

--RECON_BATCHES
select * from recon_batches where rj_key = '386261'

select count(*) from recon_batches where rj_key = '386261'

--RECON_EVENTS
select * from recon_events where rj_key = '386261'

select re_key, rj_key, usr_key, RE_CHANGE_TYPE, RE_STATUS, RE_LINK_SOURCE from recon_events where rj_key = '386261'

select count(*) from recon_events where rj_key = '386261'

select DISTINCT(RE_CHANGE_TYPE) from recon_events  --DELETE, CHANGELOG, REGULAR

select DISTINCT(RE_STATUS) from recon_events

select DISTINCT(RE_LINK_SOURCE) from recon_events

6. Recon batch size system property: OIM.ReconBatchSize
This property specifies how many reconciliation events are processed per batch. Set it to 0 to indicate that reconciliation should not be performed in batches.

7. Drilling into a single event
Tables used: recon_events, recon_batches, orchevents, orchfailedevents
  • Get the event ID (re_key) of the event from the UI
  • Run the following SQLs, feeding each result into the next:

-- batch that processed the event
select rb_key from recon_events where re_key = '2989631'
-- the batch note carries the orchestration process id
select rb_note from recon_batches where rb_key = '12962'
-- processid obtained from the rb_note column; lists every event handler invoked for the orchestration, in execution order, with its status
select * from orchevents where processid='572404' ORDER by orchorder
-- only the handlers that failed
select * from orchfailedevents where processid='572404'
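The helpful SQLs in point 5 and the four-query drill-down in point 7 are easier to use when chained in a script, so the same drill-down is shown here as an added Python example that is not part of the original post. It builds in-memory sqlite stand-ins for RECON_JOBS, RECON_BATCHES, RECON_EVENTS, ORCHEVENTS and ORCHFAILEDEVENTS with constructed sample rows keyed to the identifiers used above (job 386261, batch 12962, event 2989631, process 572404). Only the columns the post's queries touch are modelled; the column names NAME, STAGE and STATUS in ORCHEVENTS and ERRORMESSAGE in ORCHFAILEDEVENTS, the sample status values, and the "processid=NNN" format of rb_note are assumptions for the example, not facts from the post or from Oracle. Against a real OIM schema you would replace the sqlite connection with a cx_Oracle/python-oracledb one and adjust the rb_note parsing to the actual note text.

```python
import re
import sqlite3
from typing import Optional

# Minimal stand-ins for the OIM tables used in the post. Column names other than
# the ones the post queries (rj_key, rb_key, rb_note, re_key, processid, orchorder)
# are assumed for the example.
SCHEMA = """
CREATE TABLE recon_jobs   (rj_key INTEGER, rj_name TEXT, rj_job_status TEXT, rj_start_time TEXT);
CREATE TABLE recon_batches(rb_key INTEGER, rj_key INTEGER, rb_note TEXT);
CREATE TABLE recon_events (re_key INTEGER, rj_key INTEGER, rb_key INTEGER, usr_key INTEGER,
                           re_change_type TEXT, re_status TEXT, re_link_source TEXT);
CREATE TABLE orchevents   (processid INTEGER, orchorder INTEGER, name TEXT, stage TEXT, status TEXT);
CREATE TABLE orchfailedevents(processid INTEGER, name TEXT, errormessage TEXT);
"""

# Constructed sample data; handler names, statuses and the rb_note format are invented.
SAMPLE = """
INSERT INTO recon_jobs VALUES (386261,'HRMS Trusted User Recon','COMPLETED','2017-05-26 10:00:00');
INSERT INTO recon_batches VALUES (12962,386261,'processid=572404');
INSERT INTO recon_events VALUES (2989631,386261,12962,1001,'REGULAR','Event Received','Linked');
INSERT INTO recon_events VALUES (2989632,386261,12962,1002,'REGULAR','Creation Failed','Not Linked');
INSERT INTO recon_events VALUES (2989633,386261,12962,NULL,'DELETE','No User Match Found','Not Linked');
INSERT INTO recon_events VALUES (2989634,386261,NULL,NULL,'CHANGELOG','Event Received','Not Linked');
INSERT INTO orchevents VALUES (572404,1,'UserCreateValidationHandler','validation','COMPLETED');
INSERT INTO orchevents VALUES (572404,2,'UserCreatePreProcessHandler','preprocess','COMPLETED');
INSERT INTO orchevents VALUES (572404,3,'CustomPostProcessHandler','postprocess','FAILED');
INSERT INTO orchfailedevents VALUES (572404,'CustomPostProcessHandler','NullPointerException in postprocess');
"""


def open_sample_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SAMPLE)
    return conn


def processid_from_note(rb_note: Optional[str]) -> Optional[int]:
    """Pull the orchestration process id out of rb_note (note format is an assumption)."""
    if not rb_note:
        return None
    m = re.search(r"\d+", rb_note)
    return int(m.group()) if m else None


def job_summary(conn: sqlite3.Connection, rj_key: int) -> dict:
    """The 'helpful SQLs' for one job: batch count and event counts per status/change type."""
    by_status = dict(conn.execute(
        "SELECT re_status, COUNT(*) FROM recon_events WHERE rj_key=? GROUP BY re_status", (rj_key,)))
    by_change = dict(conn.execute(
        "SELECT re_change_type, COUNT(*) FROM recon_events WHERE rj_key=? GROUP BY re_change_type",
        (rj_key,)))
    batches = conn.execute(
        "SELECT COUNT(*) FROM recon_batches WHERE rj_key=?", (rj_key,)).fetchone()[0]
    return {"batches": batches, "by_status": by_status, "by_change_type": by_change}


def drill_event(conn: sqlite3.Connection, re_key: int) -> dict:
    """Point 7 of the post: event -> batch -> orchestration process -> handlers and failures."""
    row = conn.execute(
        "SELECT e.rb_key, b.rb_note FROM recon_events e "
        "LEFT JOIN recon_batches b ON b.rb_key = e.rb_key WHERE e.re_key = ?",
        (re_key,)).fetchone()
    if row is None:
        raise LookupError(f"no recon event with re_key={re_key}")
    rb_key, rb_note = row
    processid = processid_from_note(rb_note)   # None when the event was never batched
    handlers, failed = [], []
    if processid is not None:
        handlers = conn.execute(
            "SELECT orchorder, name, stage, status FROM orchevents "
            "WHERE processid=? ORDER BY orchorder", (processid,)).fetchall()
        failed = conn.execute(
            "SELECT name, errormessage FROM orchfailedevents WHERE processid=?",
            (processid,)).fetchall()
    return {"rb_key": rb_key, "processid": processid, "handlers": handlers, "failed": failed}


if __name__ == "__main__":
    db = open_sample_db()
    print(job_summary(db, 386261))
    for h in drill_event(db, 2989631)["handlers"]:
        print(h)
```

An event with a NULL rb_key (the CHANGELOG row in the sample) comes back with processid None and empty handler lists rather than an error: it was received but never processed by a batch, which is itself a useful diagnosis.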

Wednesday, May 24, 2017

OAM: Learning the basics - Part 3 - Understanding User Identity Store, Default Store and System Store

The following is the third post of the series, OAM: Learning the basics.

This series is intended to guide you through understanding the basic concepts of OAM. I assume no prior knowledge or experience of OAM on your part.

Identity Stores in OAM: 

Simply put, these are the LDAP directories against which users and administrators are authenticated. 

There are three identity store roles that you must be aware of (the Default Store and the System Store are designations given to registered user identity stores, not separate directories):


User Identity Store: A User Identity Store is a centralized LDAP repository in which an aggregation of administrator and user-oriented data is stored and maintained in an organized way. Oracle Access Management supports multiple LDAP vendors, and multiple LDAP stores can be registered for use by Oracle Access Management and its services. 

By default Oracle Access Manager comes with "UserIdentityStore1", which points at the embedded LDAP server of the WebLogic domain on which OAM is running. 

The embedded LDAP server should only be used in test environments. In production, use an external identity store such as OUD, OID or Active Directory.

Default store: The LDAP store designated as the Default Store is the automatic choice for use by LDAP authentication modules unless you configure use of a different store for the module or plug-in. 

Identity Federation supports multiple Identity Stores, which can be assigned on a per Identity Partner basis. Each Identity Store must be registered with Oracle Access Management. 

If no Identity Store is defined in the Identity Partner, the designated Default Store is used.


System store: Only one User Identity Store can (and must) be designated as the System Store. This is used to authenticate Administrators signing in to use the Oracle Access Management Console, remote registration tools, and custom administrative commands in WLST. 

Administrators using the Oracle Access Management Console or remote registration utility must have credentials stored in the System Store. 

Once you define a remote User Store as the System Store, you must change the OAMAdminConsoleScheme to use an LDAP Authentication Module that references the same remote user store (the System Store).

In next post, we will learn to configure these identity stores.
Keep following....

OIM: Understanding Approval Workflow Rule Evaluation

When an operation (bulk or non-bulk) is performed, approval workflow rule evaluation takes place in the following way:
  1. The approval workflow rules associated with the operation being performed are evaluated one by one, in the order in which they are configured.
  2. Each rule's outcome is either a workflow ID (the SOA composite that will run the approval) or Direct (the operation proceeds without approval).
  3. Evaluation stops at the first matching rule, that is, the first rule whose condition evaluates to true, and that rule's outcome is returned as the result. Rules configured after it are never evaluated, so rule order matters.
  4. For a bulk operation, if none of the rules match, the SOA composite configured in defaultRequestApprovalComposite of SOAConfig is used implicitly.
  5. For a non-bulk operation, if none of the rules match, the SOA composite configured in defaultOperationApprovalComposite of SOAConfig is used implicitly.
If the approval workflow rule evaluation returns a workflow ID, for example UserManagerApproval, a request is created and the corresponding asynchronous orchestration is initiated. During the orchestration some of the data submitted by the user may be modified or added to (for example by a pre-process event handler), so a different workflow ID than UserManagerApproval might now apply. To handle this, the approval workflow rules are re-evaluated before the workflow is initiated. If the re-evaluation yields a different workflow ID, for example HRManagerApproval, then HRManagerApproval is initiated.
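The two points that bite in practice, first-match-wins ordering and the re-evaluation after orchestration, are easiest to see in a small model. The following is an added Python example written for this post; it is not OIM code and does not call any OIM API. Rules are plain Python predicates standing in for the rule conditions you configure in the console, the SOAConfig default composite names are assumed values, and the hr_preprocess handler that fills in Organization is a hypothetical pre-process event handler. The constructed rule set reproduces the post's UserManagerApproval / HRManagerApproval scenario.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

RequestData = Dict[str, str]
DIRECT = "Direct"          # outcome meaning "no approval, perform the operation"


@dataclass
class ApprovalRule:
    name: str
    condition: Callable[[RequestData], bool]   # stands in for the rule's condition expression
    outcome: str                               # a workflow ID (SOA composite) or DIRECT


@dataclass
class SOAConfig:
    # Assumed defaults for the example; in OIM these live in the SOAConfig entry in MDS
    defaultRequestApprovalComposite: str = "default/DefaultRequestApproval!1.0"
    defaultOperationApprovalComposite: str = "default/DefaultOperationalApproval!1.0"


def evaluate_rules(rules: List[ApprovalRule], data: RequestData,
                   bulk: bool, cfg: SOAConfig) -> str:
    """Steps 1-5 of the post: configured order, first match wins, per-operation-type default."""
    for rule in rules:                      # configured order, not "most specific" match
        if rule.condition(data):
            return rule.outcome             # stop at the first rule that evaluates to true
    return cfg.defaultRequestApprovalComposite if bulk else cfg.defaultOperationApprovalComposite


def submit(rules: List[ApprovalRule], data: RequestData, bulk: bool, cfg: SOAConfig,
           orchestration: Optional[Callable[[RequestData], RequestData]] = None) -> dict:
    """Second half of the post: evaluate, run the async orchestration (which may change
    the data), then re-evaluate before the workflow is actually initiated."""
    initial = evaluate_rules(rules, data, bulk, cfg)
    if initial == DIRECT:
        return {"initial": initial, "final": initial, "request_created": False}
    # A request exists now; event handlers in the orchestration may add or modify data.
    data_after = orchestration(dict(data)) if orchestration else dict(data)
    final = evaluate_rules(rules, data_after, bulk, cfg)
    return {"initial": initial, "final": final, "request_created": True}


# Constructed rule set mirroring the post's UserManagerApproval / HRManagerApproval example.
RULES = [
    ApprovalRule("Self-service profile edits need no approval",
                 lambda d: d.get("operation") == "MODIFY_SELF", DIRECT),
    ApprovalRule("HR users are approved by the HR manager",
                 lambda d: d.get("Organization") == "HR", "HRManagerApproval"),
    ApprovalRule("Everything else goes to the user's manager",
                 lambda d: True, "UserManagerApproval"),
]


def hr_preprocess(d: RequestData) -> RequestData:
    """Hypothetical pre-process handler that derives Organization from the department."""
    if d.get("operation") == "CREATE" and d.get("Department") == "Payroll":
        d["Organization"] = "HR"
    return d


if __name__ == "__main__":
    cfg = SOAConfig()
    # Organization is absent at submit time, so the catch-all rule matches first;
    # the handler adds it during orchestration and re-evaluation picks HRManagerApproval.
    print(submit(RULES, {"operation": "CREATE", "Department": "Payroll"}, False, cfg, hr_preprocess))
```

Putting the catch-all rule first in RULES makes the HR rule unreachable, which is exactly the misconfiguration the first-match semantics produces in a real deployment: check rule order, not just rule conditions, when an approval goes to the wrong workflow.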

OIM: PS3 Exporting the Approval Workflow

Deployment Manager supports moving the approval workflow rules from test to production. When you invoke the deployment manager export, select Policy and export the necessary workflow rules.


OAM: Learning the basics - Part 2 - OAM Screens

The following is the second post of the series, OAM: Learning the basics. 

This series is intended to guide you through understanding the basic concepts of OAM. I assume no prior knowledge or experience of OAM on your part.

Log in to your OAM console (refer to the first post of the series for the OAM URLs) with the weblogic username and password. The following images are from a fresh install of OAM PS3.

You should now be familiar with the screens; don't worry about what each tab/link does yet. We will discuss them in detail in future posts.

Keep following...

Next Post: http://iamsoaguru.blogspot.com/2017/05/oam-learning-basics-part-3.html
Previous Post: http://iamsoaguru.blogspot.com/2017/05/oam-learning-basics-part-1-urls.html




OAM: Learning the basics - Part 1 - URLs

The following is the first post of the series, OAM: Learning the basics. 


This series is intended to guide you through understanding the basic concepts of OAM. I assume no prior knowledge or experience of OAM on your part.

URLs

1. Admin server URL

http://<WLS_HOST>:<WLS_PORT>/console
e.g. http://iamsoaguru:7001/console

<WLS_HOST>: host name on which the WebLogic AdminServer is running
<WLS_PORT>: port number the AdminServer listens on (7001 by default)


2. OAM console URL

http://<WLS_HOST>:<WLS_PORT>/oamconsole
e.g.  http://iamsoaguru:7001/oamconsole

Note the port number: this is not the OAM managed server port that protected applications talk to, it is the AdminServer port, because the OAM console is deployed as a web application on the WebLogic AdminServer. Both URLs above are plain http, which is fine for a lab; anywhere else use the SSL port, since these consoles take the weblogic administrator credentials.

That is all, simple right. Keep following....

Next Post: http://iamsoaguru.blogspot.com/2017/05/oam-learning-basics-part-2-oam-screens.html

Friday, May 19, 2017

OIM: Catalog's 'Risk Level' on UI to 'item_risk' database mapping

The catalog table stores the risk level as a number in the ITEM_RISK column; only three of the values carry a label in the UI:

ITEM_RISK (catalog table in database) | Risk Level on UI
1                                     |
2                                     |
3                                     | Low Risk
4                                     |
5                                     | Medium Risk
6                                     |
7                                     | High Risk

Wednesday, May 17, 2017

OIM: FVC (Form Version Control Utility) Alternate Query

When new fields are added to a process form, a new form version is created and made active, but accounts that were already provisioned stay on the old version, so the new fields are not available for them. OIM provides an out-of-the-box utility to move such provisioned accounts to the active version: the Form Version Control Utility (FVC).

An alternative is to bump the version column of the process form table directly. Each UD_ table has a version column named after the table (for example UD_ADUSER_VERSION for UD_ADUSER), and the active version number is held in SDK:

Update <process_form_UD_table> set <process_form_UD_table>_VERSION = (Select sdk_active_version from sdk where sdk_name = '<process_form_UD_table>');

Unlike FVC, this only changes the version number; it does not fill in default values for the new fields. Take a backup and try it in a test environment first.

Monday, May 15, 2017

OIM: PS3 Sizing Guide

OIM PS3 sizing guide can be found at the following location:

http://www.oracle.com/technetwork/middleware/id-mgmt/oim11g-sizingguide-194346.pdf

OIM Error: java.io.InvalidClassException: oracle.iam.request.vo.BasicRequest; local class incompatible

Error while calling the RequestService API from a stand-alone client:

Exception in thread "main" javax.ejb.EJBException: failed to unmarshal interface oracle.iam.request.vo.Request; nested exception is: 
java.io.InvalidClassException: oracle.iam.request.vo.BasicRequest; local class incompatible: stream classdesc serialVersionUID = -5945010536412041491, local class serialVersionUID = -7263199514123717932; nested exception is: java.io.InvalidClassException: oracle.iam.request.vo.BasicRequest; local class incompatible: stream classdesc serialVersionUID = -5945010536412041491, local class serialVersionUID = -7263199514123717932
java.io.InvalidClassException: oracle.iam.request.vo.BasicRequest; local class incompatible: stream classdesc serialVersionUID = -5945010536412041491, local class serialVersionUID = -7263199514123717932

Cause and solution:

The serialVersionUID mismatch means that the oracle.iam.request.vo.BasicRequest class on your client classpath was compiled from a different OIM build than the one running on the server. Use the client jars that ship with the server you are connecting to: copy 'oimclient.jar' and 'eclipselink.jar' from 'MIDDLEWARE_HOME/Oracle_IDM1/server/client/oimclient.zip' on the OIM server, remove any other copies (an older oimclient.jar, Design Console jars from a different patch level) and add them to your classpath.

OIM: Update 'xelsysadm' Password In Working OIM Environment


  1. Log in to Oracle Identity Self Service as an Oracle Identity Manager administrator and change xelsysadm's password.
  2. Also update the password in the OIMAdmin key under the oracle.wsm.security map in the Credential Store Framework (CSF); components that authenticate to OIM with that stored credential keep using the old password until you do.

If you have an OIM-OAM integrated environment with OVD and an LDAP directory in the back end, the xelsysadm password has to be changed in the following places:

  1. Change the xelsysadm password in the Identity Self Service console.
  2. Change the OIMAdmin password from the EM Console under WebLogic Domain -> iam domain -> Security -> Credentials -> oracle.wsm.security folder.
  3. Change the xelsysadm password in the directory using LDAP. A change to the xelsysadm password is NOT propagated to LDAP, so it must be updated in the LDAP directory manually.

Friday, May 12, 2017

OIM: Create OIM connection from IDE(Eclipse/Jdev)

Assuming you can create a project in your IDE, carry out the following two steps to connect to OIM and execute its APIs:

  1. Writing the code
  2. Importing the necessary jars

Keep the xelsysadm password out of the source: read it from the environment or prompt for it, and do not commit it alongside the code.

Code:

import java.util.Hashtable;
import javax.security.auth.login.LoginException;
import oracle.iam.platform.OIMClient;


public class OimConnection {

    // t3 URL of the OIM managed server (14000 is the default OIM port)
    private static final String OIM_URL = "t3://iamsoaguru.local.com:14000";
    // JAAS login configuration shipped with the Design Console
    private static final String AUTH_CONF = "C://Rohit//designconsole//config//authwl.conf";
    protected static final String OIMUSERNAME = "xelsysadm";
    // Read the password from the environment instead of hard-coding it in source
    // (xelsysadm is the OIM super-user; OIM_PASSWORD is the variable name used here)
    protected static final String OIMPASSWORD = System.getenv("OIM_PASSWORD");
    protected OIMClient oimClient = null;

    public OIMClient BaseClient() {

        if (OIMPASSWORD == null || OIMPASSWORD.isEmpty()) {
            throw new IllegalStateException("Set the OIM_PASSWORD environment variable");
        }
        // Tell OIMClient which application server it is talking to and where JAAS config is
        System.setProperty("APPSERVER_TYPE", "wls");
        System.setProperty("java.security.auth.login.config", AUTH_CONF);
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(OIMClient.JAVA_NAMING_FACTORY_INITIAL,
                "weblogic.jndi.WLInitialContextFactory");
        env.put(OIMClient.JAVA_NAMING_PROVIDER_URL, OIM_URL);
        oimClient = new OIMClient(env);

        try {
            oimClient.login(OIMUSERNAME, OIMPASSWORD.toCharArray());
            System.out.println("BaseClient.BaseClient() Login SUCCESS");
        } catch (LoginException e) {
            System.out.println("Exception in getting oimConnection");
            e.printStackTrace();
        }

        return oimClient;
    }

}

Required jars (take them from the same OIM installation you are connecting to, otherwise you get the InvalidClassException described above; wlfullclient.jar is not shipped as a file but generated with java -jar wljarbuilder.jar in WL_HOME/server/lib):
  1. commons-logging.jar
  2. eclipselink.jar
  3. jrf-api.jar
  4. oimclient.jar
  5. spring.jar
  6. wlfullclient.jar

Tuesday, May 2, 2017

OIM Query: List of roles without access policy attached

-- POG links an access policy (POL) to the roles (UGP) it is attached to;
-- a role with no POG row has no access policy. Comparing on ugp_key
-- rather than ugp_name avoids the NOT IN / NULL trap and duplicate names.
SELECT
  ugp.ugp_name         AS "Role Name",
  ugp.ugp_display_name AS "Role Display Name",
  ugp.ugp_description  AS "Description",
  ugp.ugp_create       AS "Create Date"
FROM ugp
WHERE NOT EXISTS (
  SELECT 1
  FROM pog
  JOIN pol ON pol.pol_key = pog.pol_key
  WHERE pog.ugp_key = ugp.ugp_key
)
ORDER BY ugp.ugp_name;