Sunday 25 December 2016

Search User Key based on User Login in OIM11gR2

Search User Key based on User Login in OIM11gR2-
========================================================================

import java.util.HashMap;
import Thor.API.tcResultSet;
import Thor.API.Exceptions.tcAPIException;
import Thor.API.Exceptions.tcColumnNotFoundException;
import Thor.API.Operations.tcUserOperationsIntf;
import oracle.iam.platform.Platform;

public String searchUserKey(String usrLogin)
{
    tcUserOperationsIntf userIntf = Platform.getService(tcUserOperationsIntf.class);

    String userKey = "";
    HashMap<String, String> userMap = new HashMap<String, String>();
    userMap.put("Users.User ID", usrLogin);

    try {
        tcResultSet moResultSet = userIntf.findUsers(userMap);
        // findUsers treats '*' in the filter value as a wildcard, so a caller-supplied
        // login can match several users. Accept only a single row whose login matches
        // exactly; otherwise return "" and let the caller treat that as "not found".
        if (moResultSet == null || moResultSet.isEmpty() || moResultSet.getTotalRowCount() != 1) {
            return userKey;
        }
        moResultSet.goToRow(0);   // position on the (only) row before reading columns
        if (usrLogin != null && usrLogin.equalsIgnoreCase(moResultSet.getStringValue("Users.User ID"))) {
            userKey = moResultSet.getStringValue("Users.Key");
        }
    }
    catch (tcColumnNotFoundException e) {
        e.printStackTrace();
    }
    catch (tcAPIException e) {
        e.printStackTrace();
    }

    return userKey;
}

Search Role Key Based on Role Name in OIM11gR2

Search Role Key based on Role Name in OIM11gR2-
==================================================================

import java.util.HashMap;
import Thor.API.tcResultSet;
import Thor.API.Exceptions.tcAPIException;
import Thor.API.Exceptions.tcColumnNotFoundException;
import Thor.API.Operations.tcGroupOperationsIntf;

public String searchRoleKey(String roleName)
{
    // oimClient is an already logged-in oracle.iam.platform.OIMClient instance
    tcGroupOperationsIntf groupService = oimClient.getService(tcGroupOperationsIntf.class);

    HashMap<String, String> roleMap = new HashMap<String, String>();
    roleMap.put("Groups.Role Name", roleName);

    String roleKey = "";
    try {
        tcResultSet roleResultSet = groupService.findGroups(roleMap);
        // As with findUsers, '*' is a wildcard, so insist on exactly one matching role
        if (roleResultSet == null || roleResultSet.isEmpty() || roleResultSet.getTotalRowCount() != 1) {
            return roleKey;
        }
        roleResultSet.goToRow(0);   // position on the (only) row before reading columns
        roleKey = roleResultSet.getStringValue("Groups.Key");
    }
    catch (tcColumnNotFoundException e) {
        e.printStackTrace();
    }
    catch (tcAPIException e) {
        e.printStackTrace();
    }

    return roleKey;
}

Monday 7 November 2016

SQL Query for OIM11gR2

List of Tables and Descriptions

Table Name - Table Description

OIU - Object Instance Request Target User information. Associates user information with the resource object instance when provisioning takes place.
OST - Object Status information.
OBI - Object Instance information. Once a resource is provisioned to a user, OIM creates a resource instance for each provisioning.
OBJ - Resource Object definition information. Contains details about the resource such as the resource name, whether auto-save and auto-prepopulate are enabled, and whether the resource object allows multiple instances.
USR - User information such as login ID, password, etc.
ORCHPROCESS - Stores the orchestration process instances that are being executed.
ORCHEVENTS - Stores event handler names, status and result for all orchestration processes. Event status is COMPLETED, FAILED, PENDING, etc.
ORCHFAILEDEVENTS - Stores information about event handlers that are executed because of failures in the main flow.
UPA - User profile audit information.
USG - Roles assigned to users.

Query to list the resources provisioned to a given user together with their current status:

select oiu.oiu_key, oiu.obi_key, oiu.orc_key, ost.ost_status, obj.obj_name, obj.obj_key,oiu.req_key
from oiu
inner join ost on oiu.ost_key = ost.ost_key
inner join obi on oiu.obi_key = obi.obi_key
inner join obj on obi.obj_key = obj.obj_key
where oiu.usr_key =(select usr_key from usr where usr_login='TESTUSR01');



Changing Resource Status in OIM in Account Tab
The query below changes the status of a resource (AD, LDAP, Exchange, etc.) directly in the database. It writes to OIU without going through the OIM API, so no audit record is written and no orchestration runs: back up the affected rows first, run the status query above afterwards to confirm the change, and prefer the API or the console action wherever one is available.

update oiu set ost_key=(select ost_key from ost where obj_key=(select obj_key from obj where obj.obj_name = 'LDAP User') and ost_status='Revoked') where oiu.orc_key in(
SELECT orc_key  FROM ud_ldap_usr WHERE  ud_ldap_usr_userid in ('TESTUSR01'));
commit;


OIM SQL query to force users to change password on next login
When a user's password is reset by an OIM administrator or through the API, the user is prompted to change it at the next login.

This behaviour is controlled by the column USR_CHANGE_PWD_AT_NEXT_LOGON in the USR table, which takes the value 0 or 1.

Value 0 means the user is not forced to change the password at the next login. Clearing the flag leaves the administrator-set password in place, so only do this when that is intended:

update usr set USR_CHANGE_PWD_AT_NEXT_LOGON='0'
where usr_login = 'TESTUSR01';

Value 1 means the user is forced to change the password at the next login:

update usr set USR_CHANGE_PWD_AT_NEXT_LOGON='1'
where usr_login = 'TESTUSR01';

OIM 11G Orchestration Query-
Orchestration is a core component of OIM: operations such as create user, modify user, delete, enable, etc. are executed through OIM orchestration.

Known Issue: OIM orchestration retries a failed event handler only 2 times and ignores it after that, because the retry limit is hard coded in OIM.

SQL Query:
The queries below list the event handlers that were executed for a particular user during the enable operation.

This query gets the user key from the USR table:

select usr_key from USR
where usr_login = 'TESTUSR01';
-- 1065

This query gets the orchestration process instance for the ENABLE operation on user 'TESTUSR01' (entityid holds the user key returned above):

select id from orchprocess
where entityid='1065' and entitytype='User' and operation='ENABLE';
-- 367098

This query lists all event handlers run in that process, in execution order:

select * from orchevents
where processid='367098' order by orchorder;

The same steps work for the CREATE, MODIFY, DELETE, DISABLE, etc. operations.
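The three lookups above (USR, then ORCHPROCESS, then ORCHEVENTS) as a single query, parameterised by login and operation, plus a second query that pulls out only the FAILED handlers for the user across every operation, which is what you want to check given the two-retry limit. This is an added example, not a query from the original post; the column names orchevents.name, orchevents.status and orchevents.result are assumed from the page's description of the ORCHEVENTS table and should be confirmed with DESC ORCHEVENTS on your schema.

```sql
-- Added example, not from the original post.
-- All event handlers executed for one user and one operation, in orchestration order.
-- Assumed columns: orchevents.name, orchevents.status, orchevents.result.
select p.id        as process_id,
       p.operation,
       e.orchorder,
       e.name      as event_handler,
       e.status,
       e.result
from   usr u
join   orchprocess p on p.entityid   = to_char(u.usr_key)   -- entityid stores the user key as text
                    and p.entitytype = 'User'
join   orchevents  e on e.processid  = p.id
where  u.usr_login = 'TESTUSR01'
and    p.operation = 'ENABLE'                                -- CREATE, MODIFY, DELETE, DISABLE, ...
order  by p.id, e.orchorder;

-- Failed handlers for the same user across all operations, newest process first.
-- Because orchestration gives up after two retries, anything listed here stays failed
-- until it is re-run or fixed by hand.
select p.id        as process_id,
       p.operation,
       e.orchorder,
       e.name      as event_handler,
       e.status,
       e.result
from   usr u
join   orchprocess p on p.entityid   = to_char(u.usr_key)
                    and p.entitytype = 'User'
join   orchevents  e on e.processid  = p.id
where  u.usr_login = 'TESTUSR01'
and    e.status    = 'FAILED'
order  by p.id desc, e.orchorder;
```

Both queries are read-only, so they are safe to run against production; if your ORCHPROCESS.ENTITYID column is numeric rather than character, drop the to_char() call.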

OIM SQL query to find who modified user attributes
The UPA audit tables record when a user profile attribute changed, its old and new values, and (through the SRC column of UPA) which component made the change, for example to the email address.

The query below fetches the old and new email address values for user 'TESTUSR01' from the audit tables. Verify the join column between UPA_FIELDS and UPA against your schema before relying on it:

select fields.field_name, fields.field_old_value, fields.field_new_value
from upa_fields fields
where fields.upa_usr_key in (select upa_key from upa
                             where usr_key = (select usr_key from usr
                                              where upper(usr_login) = 'TESTUSR01'))
and fields.field_name = 'Users.Email'
order by fields.upa_usr_key, fields.field_name;

OIM SQL query to find who assigned role to users
OIM's auditing captures every user profile modification in the UPA table, including role assignments and revocations. The SRC column identifies the operation that produced the audit record.

The query below lists the audit records for roles assigned to user 'TESTUSR01':

select * from upa
where usr_key = (select usr_key from usr
where upper(usr_login) = 'TESTUSR01')
and src like '%RoleManager%CREATE%';

Similarly, role revocations can be found by filtering src with '%RoleManager%DELETE%'.

Oracle Schema Version Registry
Most Oracle Fusion Middleware components require their database schemas to exist before installation. These schemas are created and loaded using the Repository Creation Utility (RCU).

The following query lists the schemas created through RCU together with their versions, which is also a quick way to confirm that a patch set was applied to the database:

select * from schema_version_registry;

OIM SQL query to get users who hold a specific role
We often need to find the users who hold a specific role in OIM. The query below lists the users who have the role 'System Administrator'. The filter on ugp_name discards unmatched rows, so the outer joins behave as inner joins here:

select usr.usr_display_name, usr.usr_login, usr.usr_email, ugp.ugp_name
from usg usg
left outer join usr usr on (usg.usr_key = usr.usr_key)
left outer join ugp ugp on (ugp.ugp_key = usg.ugp_key)
where upper(ugp_name) in (upper('System Administrator'));
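The same query generalised into a privileged-role membership review: it takes a list of sensitive roles instead of one and shows each member's account status, so disabled or deleted accounts that still hold an administrative role stand out. This is an added example, not a query from the original post. It assumes the USR table has a usr_status column (values such as 'Active', 'Disabled', 'Deleted'); the role names other than 'System Administrator' are placeholders to replace with the roles that matter in your environment.

```sql
-- Added example, not from the original post.
-- Membership of a set of privileged roles with each member's account status.
-- Assumed: usr.usr_status exists; 'Administrators' and 'Operators' are placeholder role names.
select ugp.ugp_name,
       usr.usr_login,
       usr.usr_display_name,
       usr.usr_email,
       usr.usr_status
from   usg
join   usr on usr.usr_key = usg.usr_key
join   ugp on ugp.ugp_key = usg.ugp_key
where  upper(ugp.ugp_name) in (upper('System Administrator'),
                               upper('Administrators'),
                               upper('Operators'))
order  by ugp.ugp_name, usr.usr_login;

-- Same membership, restricted to accounts that are no longer active.
-- Any row returned here is a privileged role that should have been revoked.
select ugp.ugp_name,
       usr.usr_login,
       usr.usr_status
from   usg
join   usr on usr.usr_key = usg.usr_key
join   ugp on ugp.ugp_key = usg.ugp_key
where  upper(ugp.ugp_name) in (upper('System Administrator'),
                               upper('Administrators'),
                               upper('Operators'))
and    usr.usr_status <> 'Active'
order  by ugp.ugp_name, usr.usr_login;

-- Head count per privileged role, useful as a baseline to compare between reviews.
select ugp.ugp_name, count(*) as members
from   usg
join   ugp on ugp.ugp_key = usg.ugp_key
where  upper(ugp.ugp_name) in (upper('System Administrator'),
                               upper('Administrators'),
                               upper('Operators'))
group  by ugp.ugp_name
order  by ugp.ugp_name;
```

Inner joins are used deliberately: a USG row without a matching USR or UGP row is itself worth investigating, but it would only add NULL noise to a membership listing.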

Query to update the LDAP common name on the process form
This updates only OIM's copy of the process form data. It does not push the value to LDAP and it bypasses the audit trail, so use it only to correct a stale form value, and trigger the corresponding Updated task or a reconciliation if the target must change as well.

update ud_ldap_usr set
UD_LDAP_USR_COMMON_NAME='Test01 User01'
where UD_LDAP_USR_USERID='TESTUSR01';
commit;

Friday 28 October 2016

Verifying Event Handler Registered Successfully or not in EM Console in OIM11gR2

Once you have registered the plug-in for an event handler and something is not working, you can verify whether the event handler was registered successfully with the following steps:

1. Log in to the EM console: http://localhost:7001/em/
2. Expand "Identity and Access" --> expand "OIM" --> click on "oim(11.12.0.0)"
3. Click on the Oracle Identity Manager arrow and click on System MBean Browser








4. Expand "Application Defined MBeans" --> "oracle.iam" --> Server: oim_server1 --> Application: oim --> IAMAppDesignMBean --> click on "ConfigQueryMBeanName".

5. Click on Operations --> click on "getEventHandlers"

6. Once getEventHandlers opens, provide the following parameters and click Invoke:
    P1 --> User
    P2 --> Enable (or whichever operation you registered your event handler for, such as Create, Modify, Enable, Disable, etc.)













7. It fetches the details of all registered OOTB and custom event handlers from the metadata store and shows them under Return Value. Look for your custom event handler in the list; if it is present, the event handler was registered successfully.


Thursday 27 October 2016

Adding New Attribute on Process Form in OIM11gR2

I want to add a new attribute "Mobile Number" to the "LDAP User" process form, corresponding to the OIM UDF "Mobile". To add the attribute to the process form and push the UDF value to the process form and on to the target, follow these steps:

1.      Open the process form "UD_LDAP_USR".
2.      Click on "Create New Version".
3.      Provide the version name and save.
4.      Add the new attribute "Mobile Number" to the process form and click Save.
5.      To map the OIM UDF "Mobile" to the process form attribute "Mobile Number" during user creation in LDAP, add a prepopulate adapter on the "Mobile Number" attribute.
6.      Activate the form version (wait a few minutes for the version to become active).
7.      Go to the OIM sysadmin console (http://OIMHost:OIMPort/sysadmin/), then create and activate a sandbox.
8.      Create a new form and attach the new form to the application instance.
9.      Export the sandbox for backup purposes, then publish the sandbox.
10.  Update the process form of existing users with the queries below.

First check the currently active version:

Select SDK_ACTIVE_VERSION from sdk where SDK_NAME='UD_LDAP_USR';

Then point the existing users' process form rows at the active version:

Update UD_LDAP_USR set UD_LDAP_USR_VERSION =
(Select SDK_ACTIVE_VERSION from sdk where SDK_NAME='UD_LDAP_USR');
Commit;


11.  Add the new attribute to the reconciliation profile and create the reconciliation profile (after clicking Create Reconciliation Profile it should show a success message; wait a few minutes for it).
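The version update in step 10 rewrites every row of UD_LDAP_USR with no WHERE clause and no way to see what changed. The variant below, an added example rather than the original post's query, counts rows per form version before and after, touches only rows that are not already on the active version, and commits only once the recount looks right. It uses only the tables and columns already named above (SDK, UD_LDAP_USR, UD_LDAP_USR_VERSION).

```sql
-- Added example, not from the original post: the same migration with a
-- before/after check so the number of rows being rewritten is visible.

-- 1. Which version is active, and how many rows sit on each version today?
select sdk_active_version
from   sdk
where  sdk_name = 'UD_LDAP_USR';

select ud_ldap_usr_version, count(*) as rows_on_version
from   ud_ldap_usr
group  by ud_ldap_usr_version
order  by ud_ldap_usr_version;

-- 2. Move only the rows that are not yet on the active version
--    (NULL-safe, so rows with no version recorded are included).
update ud_ldap_usr
set    ud_ldap_usr_version = (select sdk_active_version
                              from   sdk
                              where  sdk_name = 'UD_LDAP_USR')
where  ud_ldap_usr_version is null
   or  ud_ldap_usr_version <> (select sdk_active_version
                               from   sdk
                               where  sdk_name = 'UD_LDAP_USR');

-- 3. Recount: every row should now report the active version. If it does not,
--    ROLLBACK instead of COMMIT and investigate before retrying.
select ud_ldap_usr_version, count(*) as rows_on_version
from   ud_ldap_usr
group  by ud_ldap_usr_version
order  by ud_ldap_usr_version;

commit;
```

Run it in a change window with OIM provisioning quiesced, since a provisioning task writing to the same form rows while the update runs would be blocked on the row locks until the commit.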

To push a change to LDAP once the attribute value is updated in the OIM profile:

1.   Create the change task for the attribute Mobile in the "LDAP USR" process definition:
Change Mobile Number

2.   Map the UDF to the change task in the lookup "Lookup.USR.Process_Triggers" as below. Check the exact column name of Mobile in the OIM profile first:

Code: USR_MOBILE
Decode: Change Mobile Number


3.   Create the Updated task for each new attribute in the "LDAP USR" process definition if it is not already present (check for an existing task before creating one):

Mobile Number Updated

4.   Add the process form attribute and the LDAP target attribute name to the lookup "Lookup.LDAP.UM.ProvAttrMap":

Code: Mobile Number
Decode: mobile

Wednesday 26 October 2016

Custom Security Challenge Question Localisation in OIM11gR2

To localise custom challenge questions in OIM11gR2, follow the steps below. The example localises the challenge questions into French.
====================================================================

1. Create a properties file named "customResources_fr_FR.properties_fr_FR" with the content below, one line per challenge question. The key is the English question with every space replaced by the ~ sign, and the value is the translated question.

-------------------------------------------------------------------------------------------------------------
# This a French custom resource template file. It will used if Browser locale related file is not found say
# "customResources_<lang>_<country>.properties". End user can use it to extend translation for custom lookup, fields etc.
# Below are the few examples of that :
# For lookup addition:

#global.<lookup_code>.<encode_data>=<unicoded_decodedata_string>

# For UDF Label addition:
# global.udf.<udf_column_name>=<unicoded_label_string>

# For UDF Lookup addition:
# For lookup by column and lookup by code :

# global.<lookup_code>.<encode_data>=<unicoded_decodedata_string>

###Challenge Questions - French ###
global.Lookup.WebClient.Questions.Who~is~your~childhood~sports~hero?=Qui était votre athlète préféré lorsque vous étiez enfant ?
global.Lookup.WebClient.Questions.What~is~the~name~of~your~favorite~childhood~friend?=Comment s'appelait votre meilleur(e) ami(e) d'enfance ?
global.Lookup.WebClient.Questions.What~is~the~name~of~the~hospital~where~you~were~born?=Comment s'appelle l'hôpital où vous êtes né(e) ?
-------------------------------------------------------------------------------------------------------------------------

2. Copy "customResources_fr_FR.properties_fr_FR" to the OIM server (for example with WinSCP) into "/app/oracle/middleware/Oracle_IDM1/server/customResources".

3. Convert the properties file from native encoding to ASCII. This writes the file content, with every non-ASCII character replaced by a \uXXXX escape, to a new properties file "customResources_fr_FR.properties". Run the following command on the OIM server. native2ascii reads the input in the platform default encoding unless told otherwise, so pass the encoding the file was saved in (UTF-8 assumed here); the tool ships with JDK 7 and 8 but was removed in JDK 9:

native2ascii -encoding UTF-8 customResources_fr_FR.properties_fr_FR customResources_fr_FR.properties

4. Now upload the resource bundle properties file into the database with the Upload Resource Bundle utility, as follows:

1. For running the UploadResourceBundles.sh go to below path

$ cd /app/oracle/middleware/Oracle_IDM1/server/bin

2. Set the Environment variable.

 export DOMAIN_HOME=/app/oracle/user_projects/domains/OIMDomain1
export WL_HOME=/app/oracle/middleware/wlserver_10.3
export ORACLE_HOME=/app/oracle/middleware/Oracle_IDM1
export OIM_ORACLE_HOME=/app/oracle/middleware/Oracle_IDM1
export JAVA_HOME=/app/oracle/java/jdk1.7.0_80
export MW_HOME=/app/oracle/middleware
export APP_SERVER=weblogic

3. Run the below command-

$ ./UploadResourceBundles.sh

Steps are mentioned below for Running the UploadResourceBundle.sh-

[iamusr@sciamdas62 customResources]$ cd /app/oracle/middleware/Oracle_IDM1/server/bin

#####################Setting Path#####################################################
 [iamusr@sciamdas62 bin]$ export DOMAIN_HOME=/app/oracle/user_projects/domains/OIMDomain1
[iamusr@sciamdas62 bin]$ export WL_HOME=/app/oracle/middleware/wlserver_10.3
[iamusr@sciamdas62 bin]$ export ORACLE_HOME=/app/oracle/middleware/Oracle_IDM1
[iamusr@sciamdas62 bin]$ export OIM_ORACLE_HOME=/app/oracle/middleware/Oracle_IDM1
[iamusr@sciamdas62 bin]$ export JAVA_HOME=/app/oracle/java/jdk1.7.0_80
[iamusr@sciamdas62 bin]$ export MW_HOME=/app/oracle/middleware
[iamusr@sciamdas62 bin]$ export APP_SERVER=weblogic
[iamusr@sciamdas62 bin]$

#####################Running Upload Resource Bundle Utility#############################

[iamusr@sciamdas62 bin]$ ./UploadResourceBundles.sh
For running the Utilities the following environment variables need to be set
APP_SERVER is weblogic
OIM_ORACLE_HOME is /app/oracle/middleware/Oracle_IDM1
JAVA_HOME is /app/oracle/java/jdk1.7.0_80
MW_HOME is /app/oracle/middleware
WL_HOME is /app/oracle/middleware/wlserver_10.3
DOMAIN_HOME is /app/oracle/user_projects/domains/OIMDomain1
Executing oracle.iam.platformservice.utils.ResourceUploadUtility in IPv4 mode
[Enter Xellerate admin username :]xelsysadm                 #####Comment- Xelsysadm Username#######
[Enter the admin password :] *******                                  ##### Comment- Xelsysadm Password#######
[[Enter serverURL (Ex. t3://oimhostname:oimportno for weblogic or corbaloc:iiop:localhost:2801 for websphere)]:]t3://sciamdas62:14000                             ##### Comment- t3 URL#######
[[Enter context (i.e.: weblogic.jndi.WLInitialContextFactory for weblogic or com.ibm.websphere.naming.WsnInitialContextFactory for websphere)]:]weblogic.jndi.WLInitialContextFactory         ##### Comment- Weblogic Context#######
Logging configuration class "oracle.core.ojdl.logging.LoggingConfiguration" failed
java.lang.ClassNotFoundException: oracle.core.ojdl.logging.LoggingConfiguration
log4j:WARN No appenders could be found for logger (org.springframework.jndi.JndiTemplate).
log4j:WARN Please initialize the log4j system properly.
Enter the resource bundle type
 1.Custom Resource
 2.Connector Resource
 1                                                ###### Select option 1, Custom Resource ######
Enter the path/location of resource bundle file :    #######Properties file with Path#######
/app/oracle/middleware/Oracle_IDM1/server/customResources/customResources_fr_FR.properties     
Do u want to load more resource bundles [y/n] :n                   ### "n" because this is the last file; answer "y" to upload further files and "n" after the last one ###
Upload resource executed successfully
[iamusr@sciamdas62 bin]$


These are the steps for localising custom challenge questions in OIM11gR2. To test, set the browser language to French and check that the security challenge questions appear in that language.

If an uploaded properties file needs to be deleted, follow the steps below.

Steps for running DeleteResourceBundles.sh:

[iamusr@sciamdas62 customResources]$ cd /app/oracle/middleware/Oracle_IDM1/server/bin

#####################Setting Path#####################################################
 [iamusr@sciamdas62 bin]$ export DOMAIN_HOME=/app/oracle/user_projects/domains/OIMDomain1
[iamusr@sciamdas62 bin]$ export WL_HOME=/app/oracle/middleware/wlserver_10.3
[iamusr@sciamdas62 bin]$ export ORACLE_HOME=/app/oracle/middleware/Oracle_IDM1
[iamusr@sciamdas62 bin]$ export OIM_ORACLE_HOME=/app/oracle/middleware/Oracle_IDM1
[iamusr@sciamdas62 bin]$ export JAVA_HOME=/app/oracle/java/jdk1.7.0_80
[iamusr@sciamdas62 bin]$ export MW_HOME=/app/oracle/middleware
[iamusr@sciamdas62 bin]$ export APP_SERVER=weblogic
[iamusr@sciamdas62 bin]$

#####################Running Delete Resource Bundle Utility#############################

[iamusr@sciamdas62 bin]$ ./DeleteResourceBundles.sh
For running the Utilities the following environment variables need to be set
APP_SERVER is weblogic
OIM_ORACLE_HOME is /app/oracle/middleware/Oracle_IDM1
JAVA_HOME is /app/oracle/java/jdk1.7.0_80
MW_HOME is /app/oracle/middleware
WL_HOME is /app/oracle/middleware/wlserver_10.3
DOMAIN_HOME is /app/oracle/user_projects/domains/OIMDomain1
Executing oracle.iam.platformservice.utils.ResourceUploadUtility in IPv4 mode
[Enter Xellerate admin username :]xelsysadm                 #####Comment- Xelsysadm Username#######
[Enter the admin password :] *******                                  ##### Comment- Xelsysadm Password#######
[[Enter serverURL (Ex. t3://oimhostname:oimportno for weblogic or corbaloc:iiop:localhost:2801 for websphere)]:]t3://sciamdas62:14000                             ##### Comment- t3 URL#######
[[Enter context (i.e.: weblogic.jndi.WLInitialContextFactory for weblogic or com.ibm.websphere.naming.WsnInitialContextFactory for websphere)]:]weblogic.jndi.WLInitialContextFactory         ##### Comment- Weblogic Context#######
Logging configuration class "oracle.core.ojdl.logging.LoggingConfiguration" failed
java.lang.ClassNotFoundException: oracle.core.ojdl.logging.LoggingConfiguration
log4j:WARN No appenders could be found for logger (org.springframework.jndi.JndiTemplate).
log4j:WARN Please initialize the log4j system properly.
Enter the resource bundle type
 1.Custom Resource
 2.Connector Resource
 1                                                ###### Select option 1, Custom Resource ######
Enter the Name of resource bundle file :    #######Properties file Name which need to be deleted#######
customResources_fr_FR.properties     
Do u want to load more resource bundles [y/n] :n                   ### "n" because this is the last file; answer "y" to delete further files and "n" after the last one ###
Upload resource executed successfully
[iamusr@sciamdas62 bin]$