What is Privileged Access Management?

A privileged user/account is a user/account who holds the "key to the kingdom" i.e. the user/account has administrative access to the systems. They can carry out system wide configuration changes, lock/unlock other users, define and enforce system policies, install software, apply patches, access sensitive information etc. For instance, the individual who can set up and delete email accounts on a Microsoft Exchange Server is a privileged user.

“Privileged Account Management(PAM)” or “Privileged Session Management(PSM)” are generally interchangeable.

As is clear from the description of a privileged account, this access needs to be controlled, monitored and audited. Most cyber attacks target these privilege accounts to gain access to resources in any organization. PAM keeps your organization safe from accidental or deliberate misuse of privileged access. Most organizations have 3 times as many privileged users as employees.

PAM allows you the following high level capabilities:

• Grant privileges to users only for systems on which they are authorized.
• Grant access only when it’s needed and revoke access when the need expires.
• Avoid the need for privileged users to have or need local/direct system passwords.
• Centrally and quickly manage access over a disparate set of heterogeneous systems.
• Create an unalterable audit trail for any privileged operation.

What is Access control

Access control is the selective restriction of access to a place or other resource. The act of accessing may mean consuming, entering, or using. Permission to access a resource is called authorization.

Deploy Single HTML in Apache tomcat server

1. Create a folder in webapps folder e.g. 'CustomApp'
2. Put your html in this folder e.g. first.html
3. Start tomcat and point your browser to url "http://localhost:8080/CustomApp/first.html"

Note:

1. If the name of your html file is 'index.html', it can be simply opened by the url:http://localhost:8080/CustomApp

Installing and Running Apache Tomcat Server

1. Download apache server from https://tomcat.apache.org/
2. If the you have downloaded the zip, unzip at the location of your choice.
3. Create the following three environment variables
• CATALINA_HOME point to the unzipped apache tomcat location where the bin and conf folders are located.
• JAVA_HOME
• JRE_HOME
4. Execute 'startup.bat' from CATALINA_HOME/bin.
5. Open the link http://localhost:8080 to check if server is running

Eclipse: JAR v/s Runnable JAR

Both the types standard and runnable contains the Manifest file and java class files. The difference is in the content of Manifest file.

The Manifest file for runnable jar has an entry for main class:

Main-Class: com.kpmg.rohit.appraisalStrory.StoryTeller

That means runnable jar specifically specifies the entry point of jar. 

So if you just want to bundle your project in a library to be used by any application, any type of jar will suffice. But, say, you want to execute by command line, the difference will be clear

So, I have two jars for same project, one exported as runnable and other as standard jar

Let me try to run both of them via command prompt:

The runnable jar is executed but standard jar throws an error, because java does not the entry point to this jar.

We can explicitly specify the class with main method to execute the standard jar as well

That is it, hope you get it.

OIM: Query to get the request data

The following queries will serve as a good starting point to fetch the request data in OIM:

1. To get the request form data

select * from REQUEST_BENEFICIARY_ENTITYDATA where rbed_rbe_key IN
(select RBE_KEY from REQUEST_BENEFICIARY_ENTITIES WHERE AND RBE_REQUEST_KEY = '<RequestId>' ) ORDER BY RBED_RBE_KEY DESC;


2. To get child table data

select * from REQUEST_BENEFICIARY_ENTITYDATA where RBED_PARENT_KEY = '<RBED_>' AND RBED_PARENT_KEY IS NOT NULL;

RBED_PARENT_KEY is returned from the first query.

1.       

Linux: Delete all lines from a file using vi

:1,$d

:1 -> Enters the command mode
1,$ -> All lines
d -> delete

OIM-SOA: Populating wftask table with custom attributes

Many a times, for reporting or other purposes, we need to populate the data the wftask table(directly mapped to human task in composite) with some custom data.

This custom data can be data from the payload or any other data that is present in the composite.

Updating the wftask table with the composite data can avoid writing bpel apis and a query suffices in this case.

How to do it, is probability what you are interested in. This is done by a simple assignment in the human task.

1. Expand your human task in the composite. You should see a construct like 'taskName_AssignTAskAttributes'

    2. This is where you need to assign the variables. You can do it in design editor, or can copy the following lines in BPEL file.

<copy> 

      <from variable="inputVariable" part="payload" 

        query="/client:process/client:EntityKey"/> 

      <to variable="initiateTaskInput" part="payload" 

       query="/taskservice:initiateTask/task:task/task:customAttributes/task:customAttributeString1"/> 

</copy> 

<copy> 

  <from variable="inputVariable" part="payload" 

   query="/client:process/client:BeneficiaryLogin"/> 

  <to variable="initiateTaskInput" part="payload" 

   query="/taskservice:initiateTask/task:task/task:customAttributes/task:customAttributeString2"/> 

</copy>

You might want to edit the data in from and to depending on your exact requirement.

3. Now, once you deploy and test the composite. You will see the two columns 'customAttributeString1' and 'customAttributeString2' populated in your wftask table.

Linux: Find all occurrence of a string in all files.

grep -rnw '<directory_path>' -e '<string you want to search>'

Database: Modify Column DDL

alter table <TableName> MODIFY <ColumnName> VARCHAR (50);

Java: Comma Separated String to List

    ArrayList<String> convertCommaSprtdStrToList(String commaSprtdStr) {
        ArrayList<String> list = new ArrayList<String>();
       
        if(commaSprtdStr == null || commaSprtdStr.isEmpty())
            return list;
       
        String[] strArr = commaSprtdStr.split(",");
       
        if(commaSprtdStr != null && !commaSprtdStr.isEmpty()) {
            for(String str : strArr) {
                list.add(str.trim());
            }
        }
       
        return list;
    }

Unable to open kernel device '\\.\Global\vmx86': The system cannot find the file specified. Did you reboot after installing VMware Workstation

If you got this error, you are already working with VMWare, so no point in replicating the error.
Solution however is simple and effective, just restart the 'VMWare Authorization Service' from the services console and retry.

OIM: Create and deploy scheduled task

The following posts covers all aspects of developing and deploying a scheduled task in OIM and creating a scheduled job.

The post will cover the following tasks in detail:

>> How to create a scheduled task ?

>> How to package a scheduled task ?

>> How to deploy a scheduled task ? 

>> How to create a scheduled job ?

How to create a scheduled task

This includes the following items:

> Developing java class and creating jar file

> Creating plugin file

> Creating metadata file

Developing java class and jar files:

1. Create a java project in IDE of your choice

2. Import the following jars in your project class path:

common-logging.jar

eclipselink.jar

jrf-api.jar

oimclient.jar

spring.jar

wlfullclient.jar

3. Create a java class and extend the class oracle.iam.scheduler.vo.TaskSupport

4. You will have to implement the abstract methods of this class: execute, getAttributes and setAttributes

5. Don't worry about getAttributes and setAttributes. Remember, we are learning the basics and trying to get out first scheduled job up and running.
6. Execute method is what is called when the scheduled job is executed.
7. This method has an input argument as a HashMap, this map contains the value provided by you on the schedule job UI (The UI parameters are configured in an xml file, that we will see lator).
8. Implement your custom logic in this method:
      How to get the data from UI

String lookupName = (String) hashMap.get("Lookup Name");

      How to initializa API and write custom logic

       UserManager userManager = Platform.getService(UserManager.class);

       How to add custom logger

 Create LOGGER

 Add in logging.xml

  9. Create the jar file using IDE.

Creating plugin file: Always call it plugin.xml for ease of use

Create an xml file and change the bold parameters only, this file is self-explanatory. 

<?xml version="1.0" encoding="UTF-8"?>

  <oimplugins xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

<plugins pluginpoint="oracle.iam.scheduler.vo.TaskSupport">

<plugin pluginclass= "com.rohit.st.demo.SchedulerDemo" version="1.0" name="SchedulerDemo"/>

</plugins>

   </oimplugins>

Creating metadata file: This goes in MDS datastore, so provide a business friendly name

Create an xml file and change the bold parameters only, this file is self-explanatory. 

<scheduledTasks xmlns="http://xmlns.oracle.com/oim/scheduler">

<task>

<name>SchedulerDemo</name>

<class>com.rohit.st.demo.SchedulerDemo</class>

<description>SchedulerDemo</description>

<retry>5</retry>

<parameters>

<string-param required="true" encrypted="false" helpText="Lookup Name">Lookup Name</string-param>

<string-param required="true" encrypted="false" helpText="First Name">First Name</string-param>

<string-param required="true" encrypted="false" helpText="Last Name">Last Name</string-param>

</parameters>

</task>

</scheduledTasks>

How to package a scheduled task

1. Create a directory (let us call is SchedulerDemo directory, call anything)

2. Create the following directories inside the SchedulerDemo directory.

       lib - place your jar file in this directory

       config

       resources

3. Also place plugin.xml directly inside SchedulerDemo directory.

4. Create the zip file.

5. Place the zip file on the OIM server in the environment where you want to deploy it.

How to deploy a scheduled task

Deploying plugin:

6. Next you need to register the plugin(This zip file that you created will be deployed in OIM as a plugin).

7. Set ANT_HOME environment variable.

    export ANT_HOME=/apps/oracle/middleware/modules/org.apache.ant_1.7.1 (env specific)

8. Update PATH environment variable.

     export PATH=$JAVA_HOME/bin:$ANT_HOME/bin:$PATH

9. Navigate to $OIM_HOME/server/plugin_utility

10. Edit/Check ant.properties and set the following values:

    wls.home

    oim.home

    mw.home

11. Execute the following command:

    ant -f pluginregistration.xml register

12. In a new environment, sometimes an error is encountered:

     /pluginregistration.xml:72: Class not found: oracle.iam.platform.utils.ant.PasswordInputHandler

In which case, cross check your ant.properties and if the error persists, navigate to the location $WLS_HOME/server/lib

and run: java -jar wljarbuilder.jar

13. Once this is done, navigate back to $OIM_HOME/server/plugin_utility and execute ant -f pluginregistration.xml register

14. You will need to provide the following values to the script

    User name: xelsysadm

    Password: xelsysadm's password (enc specific)

    URL:  t3://OIM_HOST:OIM_PORT (env specific). like t3://rohitdemo:14000

15. Checkpoint: Once the script run successfully, query the plugins table to see that the plugin was deployed.

Registering Metadata:

Now you need to import the metadata file that you created inside the MDS data store. We will use weblogicImportMetadata utility to do the same.

16. Place the metadata file on the server.

17. Navigate to  $OIM_HOME/server/bin

18. Take a backup of weblogic.properties file

19. Edit weblogic.properties file 

20. Set the value of 'metadata_to_loc'

21. Set OIM_ORACLE_HOME same as OIM_HOME

22. Execute command:

 ./weblogicImportMetadata.sh

Provide the following values:

weblogic (NOT xelsysadm)

weblogic's password

t3://OIM_HOST:OIM_POST (NOT weblogic port but OIM's port)

How to create a scheduled job 

1. Create from sysadmin console

2. Search for task name configured in metadata file