Thursday Mar 21, 2013

OIM11g R2: Reconciling a Disconnected System Account

Reconciliation of a disconnected system account is the same as reconciling a connected system account. The main difference lies in the source of the reconciliation data. In the case of a connected system, a connection is established with the actual target system and data is pulled into OIM, whereas in the case of a disconnected system the data is made available to OIM using a CSV, a flat file or a database table. Reconciliation on both types of systems looks the same in the case of an initial load; some implementations make data available externally during the initial load for all types of target systems.

In any type of system reconciliation, including the IT Resource attribute among the RO attributes and in the recon data is mandatory. If this information (the IT Resource in the recon data) is missed when submitting the reconciliation event, the reconciliation event is still created and linked successfully, and the status on the recon event shows 'Creation Succeeded'. However, when you navigate to the 'Accounts' tab or the 'My Access' tab, the resource is not shown. The reconciliation rules are evaluated and the event gets linked, but the resource doesn't appear on the user's resource profile. Yes, you read it correctly.

Also, when another recon event is created for the same account, the event shows 'Update Succeeded', but again no resource is seen in the user's resource profile.

The code snippet for submitting a simple recon event is here:

import java.util.HashMap;
import java.util.Map;
import oracle.iam.reconciliation.api.EventAttributes;
import oracle.iam.reconciliation.api.ReconOperationsService;

// 'client' is an OIMClient that has already logged in to OIM
ReconOperationsService reconOp = client.getService(ReconOperationsService.class);
System.out.println("reconOp=" + reconOp);

Map<String, Object> roDataMap = new HashMap<String, Object>();
roDataMap.put("User Name", "name");
roDataMap.put("Email", "name@xyz.com");
roDataMap.put("IT Resource", "ITR");   // This is most important: the IT Resource instance name

try {
    EventAttributes ea = new EventAttributes();
    ea.setEventFinished(true);   // all data for this event is supplied in this one call

    long eventKey = reconOp.createReconciliationEvent(RESOURCE_OBJECT, roDataMap, ea);
    reconOp.processReconciliationEvent(eventKey);
    System.out.println("eventKey=" + eventKey);
} catch (Exception e) {
    e.printStackTrace();
}
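As an added example (not code from the original post), the class below wraps the same calls in a helper that rejects the recon data map up front when "IT Resource" is missing, so the situation described above surfaces as an exception in the loader instead of as an event that links without an account. It assumes the OIM 11g R2 client jars on the classpath and an OIMClient that has already logged in; the resource object name, the required field list and the IT Resource instance name "ITR" are taken from the post's snippet or are assumptions.

```java
// Added example, not from the original post. Assumes OIM 11g R2 client jars on the
// classpath and a logged-in OIMClient. RESOURCE_OBJECT and the field names are assumed.
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import oracle.iam.platform.OIMClient;
import oracle.iam.reconciliation.api.EventAttributes;
import oracle.iam.reconciliation.api.ReconOperationsService;

public class DisconnectedReconSubmitter {

    static final String RESOURCE_OBJECT = "DisconnectedAppRO";   // assumed RO name

    // Recon fields the RO's reconciliation profile defines (assumed). "IT Resource" is the
    // one that, when omitted, yields "Creation Succeeded" but no account on the profile.
    private static final List<String> REQUIRED_FIELDS = Arrays.asList("User Name", "IT Resource");

    /** Throws if any required recon field is missing or blank. Pure check, no OIM calls. */
    static void requireFields(Map<String, Object> reconData) {
        List<String> missing = new ArrayList<String>();
        for (String field : REQUIRED_FIELDS) {
            Object value = reconData.get(field);
            if (value == null || value.toString().trim().isEmpty()) {
                missing.add(field);
            }
        }
        if (!missing.isEmpty()) {
            throw new IllegalArgumentException("recon data is missing required field(s): " + missing);
        }
    }

    /** Builds one account's recon data from an already-split CSV / flat-file row. */
    static Map<String, Object> buildReconData(String userName, String email, String itResourceName) {
        Map<String, Object> roDataMap = new HashMap<String, Object>();
        roDataMap.put("User Name", userName);
        roDataMap.put("Email", email);
        roDataMap.put("IT Resource", itResourceName);   // never leave this out
        return roDataMap;
    }

    /** Validates, creates and processes a single finished recon event; returns the event key. */
    static long submit(OIMClient client, Map<String, Object> reconData) throws Exception {
        requireFields(reconData);
        ReconOperationsService reconOp = client.getService(ReconOperationsService.class);
        EventAttributes ea = new EventAttributes();
        ea.setEventFinished(true);   // no child data follows, the event is complete as given
        long eventKey = reconOp.createReconciliationEvent(RESOURCE_OBJECT, reconData, ea);
        reconOp.processReconciliationEvent(eventKey);
        return eventKey;
    }

    public static void main(String[] args) {
        // Constructed sample row; "ITR" is the IT Resource instance name used in the post.
        Map<String, Object> good = buildReconData("name", "name@xyz.com", "ITR");
        requireFields(good);                        // passes silently
        Map<String, Object> bad = new HashMap<String, Object>(good);
        bad.remove("IT Resource");
        try {
            requireFields(bad);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        // With a logged-in OIMClient: long key = submit(client, good);
    }
}
```

Running main without an OIM connection only exercises the check; submit() is what a flat-file loader calls per row once the client is logged in, and the check is placed before the API call so the load stops on the first malformed row rather than silently producing orphan events.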

Wednesday Jan 23, 2013

OIM 11g R1 - Multi Valued attribute reconciliation of a child form

This topic gives a brief description of how we can do reconciliation of a child form attribute, which is also multi valued, from a flat file.

The format of the flat file is (an example):

ManagementDomain1|Entitlement1|DIRECTORY SERVER,EMAIL

ManagementDomain2|Entitlement2|EMAIL PROVIDER INSTANCE - UMS,EMAIL VERIFICATION

In OIM there will be a parent form for the fields Management Domain and Entitlement. Reconciliation will assign Servers (which are multi valued) to the corresponding Management Domain and Entitlement. In the flat file, multi valued fields are separated by a comma (,).

In the design console, Create a form with 'Server Name' as a field and make it a child form .

Open the corresponding Resource Object and add this field for reconciliation. While adding, choose the 'Multivalued' check box. (Please find the attached screen shot on how to add it, Child Table.docx.)

Open the process definition and add the child form fields for reconciliation. Then click on the 'Create Reconciliation Profile' button on the resource object tab.

The API methods used for child form reconciliation are:

1. reconEventKey = reconOpsIntf.createReconciliationEvent(resObjName, reconData, false);

   'false' here tells that we are creating the recon event for a child table: the event is left unfinished so that the child data can be added before it is finished in step 4.

2. reconOpsIntf.providingAllMultiAttributeData(reconEventKey, RECON_FIELD_IN_RO, true);

   RECON_FIELD_IN_RO is the field that we added in the Resource Object while adding it for reconciliation (please refer to the screen shot).

3. reconOpsIntf.addDirectBulkMultiAttributeData(reconEventKey, RECON_FIELD_IN_RO, bulkChildDataMapList);

   bulkChildDataMapList is coded as below, where stokens holds the comma-separated server names from the third column of the flat-file row:

   List<Map> bulkChildDataMapList = new ArrayList<Map>();
   for (int i = 0; i < stokens.length; i++) {
       Map<String, String> attributeMap = new HashMap<String, String>();
       // normalise the server name before it is reconciled into the child table
       String serverName = stokens[i].trim().toUpperCase();
       attributeMap.put("Server Name", serverName);
       bulkChildDataMapList.add(attributeMap);
   }

4. reconOpsIntf.finishReconciliationEvent(reconEventKey);

5. reconOpsIntf.processReconciliationEvent(reconEventKey);

Now, we have to register the plug-in, import metadata into MDS and then create a scheduled job to execute which will run the reconciliation.
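As an added example that is not part of the original post, the class below parses the pipe/comma flat-file format shown above into the parent recon data plus the list of child maps, and then submits a row with the five API calls in the order the post lists them. It assumes the OIM 11g R1 client jars on the classpath, a ReconOperationsService obtained from a logged-in client, and a resource object named "FlatFileRO" whose reconciliation profile defines the fields "Management Domain", "Entitlement" and the multivalued child field "Server Name" (all assumed names).

```java
// Added example, not from the original post. Assumes OIM 11g R1 client jars and a
// ReconOperationsService from a logged-in client; RO and field names are assumptions.
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import oracle.iam.reconciliation.api.ReconOperationsService;

public class ChildFormFlatFileRecon {

    static final String RESOURCE_OBJECT = "FlatFileRO";      // assumed RO name
    static final String RECON_FIELD_IN_RO = "Server Name";   // multivalued child recon field

    /** One parsed flat-file row: parent attributes plus the child rows for the multivalued field. */
    static class Row {
        final Map<String, Object> parent = new HashMap<String, Object>();
        final List<Map> children = new ArrayList<Map>();
    }

    /** Parses "domain|entitlement|SERVER A,SERVER B"; rejects rows with the wrong column count. */
    static Row parseLine(String line) {
        String[] cols = line.split("\\|", -1);   // -1 keeps an empty trailing column visible
        if (cols.length != 3) {
            throw new IllegalArgumentException(
                    "expected 3 pipe-separated columns, got " + cols.length + ": " + line);
        }
        Row row = new Row();
        row.parent.put("Management Domain", cols[0].trim());
        row.parent.put("Entitlement", cols[1].trim());
        for (String server : cols[2].split(",")) {
            String name = server.trim().toUpperCase();
            if (name.isEmpty()) {
                continue;   // tolerate a trailing comma; never create an empty child row
            }
            Map<String, String> child = new HashMap<String, String>();
            child.put(RECON_FIELD_IN_RO, name);
            row.children.add(child);
        }
        return row;
    }

    /** Submits one row as a recon event with bulk child data, in the post's order of calls. */
    static long submit(ReconOperationsService reconOpsIntf, Row row) throws Exception {
        // false: the event is not finished yet, child data follows
        long reconEventKey = reconOpsIntf.createReconciliationEvent(RESOURCE_OBJECT, row.parent, false);
        // true: the list supplied next is the complete set of child values for this account
        reconOpsIntf.providingAllMultiAttributeData(reconEventKey, RECON_FIELD_IN_RO, true);
        reconOpsIntf.addDirectBulkMultiAttributeData(reconEventKey, RECON_FIELD_IN_RO, row.children);
        reconOpsIntf.finishReconciliationEvent(reconEventKey);
        reconOpsIntf.processReconciliationEvent(reconEventKey);
        return reconEventKey;
    }

    public static void main(String[] args) {
        // Constructed sample lines mirroring the post's flat-file format.
        String[] lines = {
            "ManagementDomain1|Entitlement1|DIRECTORY SERVER,EMAIL",
            "ManagementDomain2|Entitlement2|EMAIL PROVIDER INSTANCE - UMS,EMAIL VERIFICATION",
        };
        for (String line : lines) {
            Row row = parseLine(line);
            System.out.println(row.parent + " -> " + row.children);
        }
        // Once connected to OIM, call submit(reconOpsIntf, row) for each parsed row.
    }
}
```

Parsing is kept separate from submission so that a malformed line is rejected before any event is created; running main offline prints the two parsed rows, and a scheduled task would call submit() per row with the service obtained from the platform.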

Tuesday Dec 11, 2012

Configuring Weblogic Server 10.3.6 from 32-bit mode to 64-bit mode

This post pertains to the configuration of Weblogic Server from 32-bit mode to 64-bit mode on Solaris OS, for the case where you have WLS 10.3.6 running in 32-bit mode while the JDK being used is installed for 64-bit mode [on Solaris OS, a 64-bit JDK installation comprises installing the 32-bit JDK followed by a patch for the 64-bit JDK].

Verification of the mode being used

One can verify the mode of Weblogic Server in the following ways

  • Either check the commonEnv.sh script located at $MIDDLEWARE_HOME/wlserver_10.3/common/bin where $MIDDLEWARE_HOME refers to the install directory of Middleware. Look for the patterns - SUN_ARCH_DATA_MODEL and JAVA_USE_64BIT in the file. 
    For 32-bit mode, the parameters would appear as shown below
    SUN_ARCH_DATA_MODEL="32"
    JAVA_USE_64BIT=false
  • Check the server console logs; which JDK is being used during start-up
  • By checking which JDK is used by the running process of Weblogic Server

Configuration Steps

  • Take a backup of the commonEnv.sh script located at $MIDDLEWARE_HOME/wlserver_10.3/common/bin where $MIDDLEWARE_HOME refers to the install directory of Middleware
  • Modify the commonEnv.sh script for the following parameters: The values should be 64 and true respectively for 64-bit mode
    SUN_ARCH_DATA_MODEL="64"
    JAVA_USE_64BIT=true 
  • Restart the weblogic server.

One can confirm that the JDK being used is 64-bit by looking at the Weblogic console logs during server start up or by looking at the running process.

Sunday Dec 09, 2012

OAM OVD integration - Error encountered during performance test: "LDAP response read timed out, timeout used:2000ms"

While working on OAM OVD integration for one of my client, I have been involved in the performance test of the products wherein I encountered OAM authentication failures while talking to OVD during heavy load. OAM logs revealed the following:

oracle.security.am.common.policy.common.response.ResponseException: oracle.security.am.engines.common.identity.provider.exceptions.IdentityProviderException: OAMSSA-20012: Exception in getting user attributes for user : dummy_user1, idstore MyIdentityStore with exception javax.naming.NamingException: LDAP response read timed out, timeout used:2000ms.; remaining name 'ou=people,dc=oracle,dc=com' at oracle.security.am.common.policy.common.response.IdentityValueProvider.getUserAttribute(IdentityValueProvider.java:271)

...

During the authentication and authorization process, OAM complains that the LDAP repository is taking too long to return user attributes. The default value is 2 seconds, as can be seen from the exception ("2000ms"). While troubleshooting the issue, it was found that we can increase the LDAP read timeout in oam-config.xml.

For reference, the attribute to add in the oam-config.xml file is:

<Setting Name="LdapReadTimeout" Type="xsd:string">2000</Setting>

However it is not recommended to increase the time out unless it is absolutely necessary and ensure that back-end directory servers are working fine. Rather I took the path of tuning OVD in the following manner:

1) Navigate to the ORACLE_INSTANCE/config/OPMN/opmn folder and edit opmn.xml. Search for <data id="java-options" ………> and edit the contents of the file as shown in the snippet below:

<category id="start-options">
  <data id="java-bin" value="$ORACLE_HOME/jdk/bin/java"/>
  <data id="java-options" value="-server -Xms1024m -Xmx1024m -Dvde.soTimeoutBackend=0 -Didm.oracle.home=$ORACLE_HOME -Dcommon.components.home=$ORACLE_HOME/../oracle_common -XX:+PrintGCDetails -XX:+PrintGCDateStamps -Xloggc:/opt/bea/Middleware/asinst_1/diagnostics/logs/OVD/ovd1/ovdGClog.log -XX:+UseConcMarkSweepGC -Doracle.security.jps.config=$ORACLE_INSTANCE/config/JPS/jps-config-jse.xml"/>
  <data id="java-classpath" value="$ORACLE_HOME/ovd/jlib/vde.jar$:$ORACLE_HOME/jdbc/lib/ojdbc6.jar"/>
</category>
</module-data>
<stop timeout="120"/>
<ping interval="60"/>
</process-type>

When the system is busy, a ping from the Oracle Process Manager and Notification Server (OPMN) to Oracle Virtual Directory may fail. As a result, OPMN will restart Oracle Virtual Directory after 20 seconds (the default ping interval). To avoid this, consider increasing the ping interval to 60 seconds or more.

2) Navigate to the ORACLE_INSTANCE/config/OVD/ovd1 folder. Open the listeners.os_xml file and perform the following changes:

· Search for <ldap id="LDAP Endpoint" …….> and point the cursor to that line.

· Change the threads count to 200.

· Change anonymous bind to Deny.

· Change workQueueCapacity to 8096.

· Add a new parameter <useNIO> and set its value to false, viz: <useNIO>false</useNIO>

Snippet:

<ldap version="8" id="LDAP Endpoint">
.......
.......
   <socketOptions>
      <backlog>128</backlog>
      <reuseAddress>false</reuseAddress>
      <keepAlive>false</keepAlive>
      <tcpNoDelay>true</tcpNoDelay>
      <readTimeout>0</readTimeout>
   </socketOptions>
   <useNIO>false</useNIO>
</ldap>

Restart OVD server.

For more information on OVD tuneup refer to http://docs.oracle.com/cd/E25054_01/core.1111/e10108/ovd.htm.

Please Note: A few patches were released from the OAM side for performance tune-up as well. Will provide the updates shortly !!!


WNA Configuration in OAM 11g

Pre-Requisite:

  1. A Kerberos authentication scheme has to exist. This is usually a pre-configured OAM authentication scheme. It should have Authentication Level "2", Challenge Method "WNA", Challenge Direct URL "/oam/server" and Authentication Module "Kerberos".
  2. The default authentication scheme name is "KerberosScheme"; this name can be changed.
  3. The DNS name has to be resolvable on the OAM Server.
  4. The DNS names with referrals to AD have to be resolvable on the OAM Server. Ensure nslookup works for the referrals.

Pre-Install:

  1. AD team to produce the keytab file on the AD server by running the ktpass command.
  2. Provide the OAM hostname to the AD team.
  3. Receive from the AD team the following:
    • Keytab file produced when running the ktpass command
    • ktpass username
    • ktpass password
  4. Copy the keytab file to a convenient location in the OAM install tree and rename the file if desired, for instance where the oam-policy.xml file resides, i.e. /fa_gai2_d/idm/admin/domains/idm-admin/IDMDomain/config/fmwconfig/keytab.kt

Configure WNA Authentication on OAM Server:

  1. Create the config file krb.conf and set the environment variable to the path to this file:
    KRB_CONFIG=/fa_gai2_d/idm/admin/domains/idm-admin/IDMDomain/config/fmwconfig/krb.conf
    The variable KRB_CONFIG has to be set in the profile of the user that the OAM Java container (i.e. Weblogic Server) runs as, e.g. the "applmgr" user, so that this setting is available to the OAM server.
  2. In the krb.conf file specify:
    [libdefaults]
    default_realm = NOA.ABC.COM
    dns_lookup_realm = true
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    forwardable = yes

    [realms]
    NOA.ABC.COM = {
      kdc = hub21.noa.abc.com:88
      admin_server = hub21.noa.abc.com:749
      default_domain = NOA.ABC.COM
    }

    [domain_realm]
    .abc.com = ABC.COM
    abc.com = ABC.COM
    .noa.abc.com = NOA.ABC.COM
    noa.abc.com = NOA.ABC.COM

    Where hub21.noa.abc.com is the load balanced DNS VIP name for the AD Server and NOA.ABC.COM is the name of the domain.
  3. Create an authentication policy to WNA-protect the resource (i.e. EBSR12) and choose "KerberosScheme" as the authentication scheme.
    Login to OAM Console => Policy Configuration Tab => Browse Tab => Shared Components => Application Domains => IAM Suite => Authentication Policies => Create
    Name: ABC WNA Auth Policy
    Authentication Scheme: KerberosScheme
    Failure URL: http://hcm.noa.abc.com/cgi-bin/welcome

  4. Edit the System Configuration for Kerberos
    • System Configuration Tab => Access Manager Settings => expand Authentication Modules => expand Kerberos Authentication Module => double click on Kerberos
    • Edit the "Key Tab File" textbox - put in /fa_gai2_d/idm/admin/domains/idm-admin/IDMDomain/config/fmwconfig/keytab.kt
    • Edit the "Principal" textbox - put in HTTP/OAM_Host@NOA.ABC.COM
    • Edit the "KRB Config File" textbox - put in /fa_gai2_d/idm/admin/domains/idm-admin/IDMDomain/config/fmwconfig/krb.conf
    • Click "Apply"
    • In the script setting the environment for the WLS server where OAM is deployed set the variable:
      KRB_CONFIG=/fa_gai2_d/idm/admin/domains/idm-admin/IDMDomain/config/fmwconfig/krb.conf

  5. Restart the OAM server and the OAM Server Container (Weblogic Server)

Wednesday Dec 05, 2012

Using ant to register plugins and deploy metadata xmls

Ant can be used to register plugins directly to MDS.

Following is the ant script to register plugin zip:

<target name="register_plugin" depends="compile_package">
    <echo> Register Plugin : ${plugin.base}/${project.name}.zip</echo>
    <java classname="oracle.iam.platformservice.utils.PluginUtility" classpathref="classpath" fork="true">
        <sysproperty key="XL.HomeDir" value="${oim.home.server}"/>
        <sysproperty key="OIM.Username" value="${oim.username}"/>
        <sysproperty key="OIM.UserPassword" value="${oim.password}"/>
        <sysproperty key="ServerURL" value="${oim.url}"/>
        <sysproperty key="PluginZipToRegister" value="${plugin.base}/${project.name}.zip"/>
        <sysproperty key="java.security.auth.login.config" value="${oim.home}\designconsole\config\authwl.conf"/>
        <arg value="REGISTER"/>
        <redirector error="redirector.err" errorproperty="redirector.err" output="redirector.out" outputproperty="redirector.out"/>
    </java>
    <copy file="${plugin.base}/${project.name}.zip" todir="${oim.home.server}\plugins"/>
</target>

This script requires the following properties: plugin.base, project.name, oim.home, oim.home.server, oim.username, oim.password and oim.url.

You can either define a properties file for these properties or define them directly in build.xml. build.properties will look like:

# Set the OIM home here
oim.home=C:/Oracle/Middleware02/Oracle_IDM

# Set the weblogic home here
wls.home=C:/Oracle/Middleware02/wlserver_10.3
OIM.ServerName=oim_server1

# e.g.: used in building the jar and zip files
# Note: no spaces in the project name
project.name=ScheduledTask_Sample

# Set the oim username
oim.username=xelsysadm
# Set the oim password
oim.password=Welcome1

WL.Username=weblogic
WL.UserPassword=weblogic1

# Set the oim URL here
oim.url=t3://localhost:14000
WL.url=t3://localhost:7001

# Location from where the metadata files are picked up for MDS import
metadata.location=C:/Project/src/ScheduledTask_Sample/metaxml/

Following is the ANT script to import metadata xml:

<target name="ImportMetadata">
    <echo> Preparing for MDS xmls Upload...</echo>
    <copy file="${oim.home}/bin/weblogic.properties" todir="."/>
    <replaceregexp file="weblogic.properties" match="wls_servername=(.*)" replace="wls_servername=${OIM.ServerName}" byline="true"/>
    <replaceregexp file="weblogic.properties" match="application_name=(.*)" replace="application_name=OIMMetadata" byline="true"/>
    <replaceregexp file="weblogic.properties" match="metadata_from_loc=(.*)" replace="metadata_from_loc=${metadata.location}" byline="true"/>
    <copy file="${oim.home}/bin/weblogicImportMetadata.py" todir="."/>
    <!-- Ant property names are case-sensitive: use the same names as in build.properties -->
    <replace file="weblogicImportMetadata.py">
        <replacefilter token="connect()" value="connect('${WL.Username}', '${WL.UserPassword}', '${WL.url}')"/>
    </replace>
    <echo> Importing metadata xmls to MDS... </echo>
    <exec dir="." vmlauncher="false" executable="${oim.home}/../common/bin/wlst.sh">
        <arg value="-loadProperties"/>
        <arg value="weblogic.properties"/>
        <arg value="weblogicImportMetadata.py"/>
        <redirector output="deletemd_redirector.out" logerror="true" outputproperty="deletemd_redirector.out"/>
    </exec>
    <echo>${deletemd_redirector.out}</echo>
    <echo>Completed metadata xmls import to MDS</echo>
</target>

Monday Dec 03, 2012

OAM11gR2: Enabling SSL in the Data Store

Enabling SSL in the Data Store of OAM11gR2 comprises the steps mentioned below.

  • Import the certificate/s required for establishing the trust with the Store(backend) in the keystore(cacerts) on the machine hosting OAM's Weblogic Admin server
  • Restart the Weblogic Admin server
  • Specify the <Hostname>:<SSL port> in the "Location" field of the Data Store and select the "Enable SSL" checkbox

Pre-requisite:-

  • Certificate/s to be imported are available for import
  • Data Store has already been created using OAM admin console and the connection to the store is successful on non-SSL port( though one can always create a Data Store with SSL settings on the first go)

Steps for importing the certificate/s:-

One can use the keytool utility that comes bundled with the JDK to import the certificate. The step for importing the certificate is the same for self-signed and third-party certificates (like VeriSign):

$JAVA_HOME/bin/keytool -import -v -noprompt -trustcacerts -alias <aliasname> -file <Path to the certificate file> -keystore $JAVA_HOME/jre/lib/security/cacerts

Here $JAVA_HOME refers to the path of JDK install directory

Note: In case multiple certificates are required for establishing the trust, import all those certificates using the same keytool command mentioned above 

One can verify the import of the certificate/s by using the below mentioned command

$JAVA_HOME/bin/keytool -list -v -alias <aliasname> -keystore $JAVA_HOME/jre/lib/security/cacerts

When the trust gets established for the SSL communication, specifying the SSL specific settings in the Data Store (via OAM admin console) wouldn't result into the previously seen error (when Certificates are yet to be imported) and the "Test Connection" would be successful.
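As an added example (not part of the original post), the program below performs the same verification as the keytool -list command from inside Java: it loads the cacerts trust store the Admin server's JDK uses, confirms the alias is present, and checks that the certificate is currently within its validity period, which keytool -list does not flag on its own. It assumes the cacerts path from the post (the JRE's lib/security/cacerts) and the JDK's default trust-store password "changeit"; the alias "ovd-ca" is a constructed default.

```java
// Added example, not from the original post. Assumes the JDK cacerts trust store at
// $JAVA_HOME/jre/lib/security/cacerts with the default password "changeit".
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Date;

public class CacertsTrustCheck {

    /** Loads a JKS trust store such as cacerts. */
    static KeyStore loadTrustStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, password);
        } finally {
            in.close();
        }
        return ks;
    }

    /**
     * Returns null when the alias holds a currently valid X.509 certificate, otherwise a
     * human-readable reason (alias missing, not X.509, expired, or not yet valid).
     */
    static String validate(KeyStore ks, String alias, Date now) throws Exception {
        if (!ks.containsAlias(alias)) {
            return "alias '" + alias + "' not found; import it with keytool -import first";
        }
        Certificate cert = ks.getCertificate(alias);
        if (!(cert instanceof X509Certificate)) {
            return "alias '" + alias + "' does not hold an X.509 certificate";
        }
        X509Certificate x509 = (X509Certificate) cert;
        if (now.after(x509.getNotAfter())) {
            return "certificate for '" + alias + "' expired on " + x509.getNotAfter();
        }
        if (now.before(x509.getNotBefore())) {
            return "certificate for '" + alias + "' is not valid until " + x509.getNotBefore();
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        // java.home is the JRE directory, i.e. $JAVA_HOME/jre for a JDK install
        String defaultStore = System.getProperty("java.home") + "/lib/security/cacerts";
        String alias = args.length > 0 ? args[0] : "ovd-ca";          // constructed default alias
        String storePath = args.length > 1 ? args[1] : defaultStore;

        KeyStore ks = loadTrustStore(storePath, "changeit".toCharArray());
        String problem = validate(ks, alias, new Date());
        if (problem == null) {
            X509Certificate c = (X509Certificate) ks.getCertificate(alias);
            System.out.println("OK: " + alias + " -> " + c.getSubjectX500Principal()
                    + ", valid until " + c.getNotAfter());
        } else {
            System.out.println("NOT OK: " + problem);
            System.exit(1);
        }
    }
}
```

Run it as java CacertsTrustCheck <aliasname> [path-to-cacerts]; a non-zero exit means the "Test Connection" on the Data Store will still fail for a trust reason, and the message says whether the fix is a missing import or a certificate that has already expired.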

E-Business Integration with SSO using AccessGate

Moving away from the legacy Oracle SSO, Oracle E-Business Suite (EBS) came up with EBS AccessGate as the way forward to provide Single Sign On with Oracle Access Manager (OAM). As opposed to AccessGate in OAM terminology, EBS AccessGate has no specific connection with OAM with respect to configuration. Instead, EBS AccessGate uses the header variables sent from the SSO system to create the native user-session, like any other SSO enabled web application.

E-Business Suite Integration with Oracle Access Manager

It is a known fact that E-Business Suite requires Oracle Internet Directory (OID) as the user repository to enable Single Sign On. This is due to the fact that E-Business Suite needs to be registered with OID for Single Sign On. Additionally, E-Business Suite uses "orclguid" in OID to map the Single Sign On user with the corresponding local user profile. During authentication, EBS AccessGate expects the SSO system to return the orclguid and the EBS username (stored as a user attribute in the SSO user store) in two header variables, USER_ORCLGUID and USER_NAME respectively.


Following diagram depicts the authentication flow once SSO system returns EBS Username and orclguid after successful authentication:

[Figure: EBS AccessGate and OAM authentication flow]


Saturday Dec 01, 2012

New Features in OIM11gR2

WEB CONSOLEs in OIM 11gR2

** In 11gR1 there were 3 Admin Web Consoles:

· Self Service Console

· Administration Console and

· Advanced Administration Console

Whereas in OIM 11gR2, the Self Service and Administration Consoles have been combined and are now called the Identity Self Service Console: http://host:port/identity

This console has 3 features in it for managing self profile (My Profile), Managing Requests like requesting for App Instances and Approving requests (Requests) and General Administration tasks of creating/managing users, roles, organization, attestation etc (Administration)

** In OIM 11gR2 a new console, System Administration (sysadmin), has been added for Administrators; it includes some of the Design Console functions apart from general administration features: http://host:port/sysadmin

Application Instances

Application instance is the object that is to be provisioned to a user. Application Instances are checked out in the catalog and user can request for application instances via catalog.

· In OIM 11gR2 resources and entitlements are bundled in Application Instance which user can select and request from catalog.

· Application instance is a combination of IT Resource and RO. So, you cannot create another App Instance with the same RO & IT Resource if it already exists for some other App Instance. One of these ( RO or IT Resource) must have a different name.

· If you want that users of a particular Organization should be able to request for an Application instances through catalog then App Instances must be attached to that particular Organization.

· Application instance can be associated with multiple organizations.

· An application instance can also have entitlements associated with it. Entitlement can include Roles/Groups or Responsibility.

· Application Instances are published to the catalog by the scheduled task "Catalog Synchronization Job".

· Application Instance can have child/ parent application instance where child application instance inherits all attributes of parent application instance.

Important point to remember with Application Instance

If you delete an application instance in OIM 11gR2 and create a new one with the same name, OIM will not allow you to do so. It throws an error saying an Application Instance already exists with the same Resource Object and IT Resource.

This is because there is still some reference that is not removed in OIM for deleted application Instance. So to completely delete your application Instance from OIM, you must:

1. Delete the app Instance from sysadmin console.

2. Run the App Instance Post Delete Processing Job in Revoke/Delete mode.

3. Run the Catalog Synchronization job.

Once done, you should be able to create a new App Instance with the previous RO & IT Resource name.

Catalog

Catalog allows users to request Roles, Application Instance, and Entitlements in an Application.

Catalog Items – Roles, Application Instance and Entitlements that can be requested via catalog are called as catalog items.

Detailed Information ( attributes of Catalog item)

· Category – Each catalog item is associated with one and only one category. Catalog Administrators can provide a value for the catalog item.

· Tags – are search keywords helpful in searching the Catalog. When users search the Catalog, the search is performed against the tags.

To define a tag, go to Catalog->Search the resource-> select the resource-> update the tag field with custom search keyword.

Tags are of three types:
a) Auto-generated Tags: The Catalog synchronization process auto-tags the Catalog Item using the Item Type, Item Name and Item Display Name
b) User-defined Tags: User-defined Tags are additional keywords entered by the Catalog Administrator.
c) Arbitrary Tags: While defining a metadata if user has marked that metadata as searchable, then that will also be part of tags.

Sandbox

Sandbox is a new feature introduced in OIM11gR2. It serves as a temporary development environment for UI customizations so that they don't affect other users before they are published and linked to the existing OIM UI.

All UI customizations should be done inside a sandbox, this ensures that your changes/modifications don’t affect other users until you have finalized the changes and customization is complete. Once UI customization is completed, the Sandbox must be published for the customizations to be merged into existing UI and available to other users.

Creating and activating a sandbox is mandatory for customizing the UI. Without an active sandbox, OIM does not allow you to customize any page.

a) Before you perform any activity in OIM (like Create/Modify Forms, Custom Attribute, creating application instances, adding roles/attributes to catalog) you must create a Sand Box and activate it.

b) One can create multiple sandboxes in OIM but only one sandbox can be active at any given time.

c) You can export/import the sandbox to move the changes from one environment to the other.

Creating Sandbox

To create sandbox, login to identity manager self service (/identity) or System Administration (/sysadmin) and click on top right of link “Sandboxes” and then click on Create SandBox.

Publishing Sandbox

Before you publish a sandbox, it is recommended to backup MDS. Use /EM to backup MDS by following the steps below :

Creating MDS Backup

1. Login to Oracle Enterprise Manager as the administrator.

2. On the landing page, click oracle.iam.console.identity.self-service.ear(V2.0).

3. From the Application Deployment menu at the top, select MDS configuration.

4. Under Export, select the Export metadata documents to an archive on the machine where this web browser is running option, and then click Export.

All the metadata is exported in a ZIP file.

Creating Password Policy through Admin Console :

In 11gR1 and previous versions password policies could be created & applied via OIM Design Console only. From OIM11gR2 onwards, Password Policies can be created and assigned using Admin Console as well.


Friday Nov 30, 2012

OIM 11g notification framework

OIM 11g has introduced an improved and template based Notifications framework. New release has removed the limitation of sending text based emails (out-of-the-box emails) and enhanced to support html features. New release provides in-built out-of-the-box templates for events like 'Reset Password', 'Create User Self Service' , ‘User Deleted' etc. Also provides new APIs to support custom templates to send notifications out of OIM.

OIM notification framework supports notification mechanism based on events, notification templates and template resolver. They are defined as follows:

· Events are defined as an XML file and imported into the MDS database in order to make the notification event available for use.

· Notification templates are created using the OIM advanced administration console. The template contains the text and the substitution 'variables' which will be replaced with the data provided by the template resolver. Templates support internationalization and can be defined as HTML or in the form of simple text.

· The template resolver is a Java class that is responsible for providing attributes and data to be used at runtime and design time. It must be deployed following the OIM plug-in framework. Resolver data provided at design time is used by the end user to design the notification template with the available entity variables, and it also provides data at runtime to replace the designed variables with the values to be displayed to recipients.

Steps to define custom notifications in OIM 11g are:

1. Define the Notification Event
2. Create the Custom Template Resolver class
3. Create the Template with notification contents to be sent to recipients
4. Create Event triggering spots in OIM

1. Notification Event metadata

The Notification Event is defined as XML file which need to be imported into MDS database. An event file must be compliant with the schema defined by the notification engine, which is NotificationEvent.xsd. The event file contains basic information about the event.
XSD location in MDS database: “/metadata/iam-features-notification/NotificationEvent.xsd”
Schema file can be viewed by exporting file from MDS using weblogicExportMetadata.sh script.
Sample Notification event metadata definition:

1: <?xml version="1.0" encoding="UTF-8"?>
2: <Events xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="../../../metadata/NotificationEvent.xsd">
3:   <EventType name="Sample Notification">
4:     <StaticData>
5:       <Attribute DataType="X2-Entity" EntityName="User" Name="Granted User"/>
6:     </StaticData>
7:     <Resolver class="com.iam.oim.demo.notification.DemoNotificationResolver">
8:       <Param DataType="91-Entity" EntityName="Resource" Name="ResourceInfo"/>
9:     </Resolver>
10:   </EventType>
11: </Events>

Line 1: XML file notation tag.

Line 2: Events is the root tag.

Line 3: The EventType tag declares a unique event name which will be available for template designing.

Line 4: The StaticData element lists a set of parameters which allow the user to add parameters that are not data dependent. In other words, this element defines the static data to be displayed when the notification is to be configured. An example of static data is the User entity, which is not dependent on any other data and has the same set of attributes for all event instances and notification templates. The available attributes are used as substitution tokens in the template.

Line 5: The Attribute tag is a child tag of StaticData to declare the entity and its data type with a unique reference name. The User entity is the most commonly used entity as StaticData.

Line 6: StaticData closing tag.

Line 7: The Resolver tag defines the resolver class. The Resolver class must be defined for each notification. It defines what parameters are available in the notification creation screen and how those parameters are replaced when the notification is to be sent. The Resolver class resolves the data dynamically at run time and displays the attributes in the UI.

Line 8: The Param DataType element lists a set of parameters which allow the user to add parameters that are data dependent. An example of a data-dependent or dynamic entity is a resource object which the user can select at run time. A notification template is to be configured for the resource object. Corresponding to the resource object field, a lookup is displayed on the UI. When a user selects the event, the call goes to the Resolver class provided to fetch the fields that are displayed in the Available Data list, from which the user can select the attribute to be used on the template. The Param tag is a child tag to declare the entity and its data type with a unique reference name.

Line 9: Resolver closing tag.

Line 10: EventType closing tag.

Line 11: Events closing tag.

Note: - DataType needs to be declared as “X2-Entity” for User entity and “91-Entity” for Resource or Organization entities. The dynamic entities supported for lookup are user, resource, and organization.

Once the notification event metadata is defined, it needs to be imported into the MDS database. The fully qualified resolver class name needs to be defined in the XML, but the class does not need to be loaded in OIM yet (it can be loaded later).

2. Coding the notification resolver

All event owners have to provide a resolver class which resolves the data dynamically at run time. The custom resolver class must implement the interface oracle.iam.notification.impl.NotificationEventResolver and override its methods with the actual implementation. It has 2 methods:

1. public List<NotificationAttribute> getAvailableData(String eventType, Map<String, Object> params);

This API returns the list of available data variables. These variables are available on the UI while creating/modifying the Templates and let the user select the variables so that they can be embedded as tokens as part of the Messages on the template. These tokens are replaced by the values passed by the resolver class at run time. The available data is displayed in a list.

The parameter "eventType" specifies the event name for which the template is to be read.
The parameter "params" is the map which has the entity name and the corresponding value for which the available data is to be fetched.

Sample code snippet:

List<NotificationAttribute> list = new ArrayList<NotificationAttribute>();

long objKey = (Long) params.get("resource");

//Form Field details based on Resource object key

HashMap<String, Object> formFieldDetail = getObjectFormName(objKey);

for (Iterator<?> itrd = formFieldDetail.entrySet().iterator(); itrd.hasNext(); ) {

NotificationAttribute availableData = new NotificationAttribute();

Map.Entry formDetailEntrySet = (Entry<?, ?>)itrd.next();

String fieldLabel = (String)formDetailEntrySet.getValue();

availableData.setName(fieldLabel);

list.add(availableData);

}

return list;

2.

Public HashMap<String, Object> getReplacedData(String eventType, Map<String, Object> params);

This API would return the resolved value of the variables present on the template at the runtime when notification is being sent.

The parameter "eventType" specifies the event Name for which template is to be read.
The parameter "params" is the map which has the base values such as usr_key, obj_key etc required by the resolver implementation to resolve the rest of the variables in the template.

Sample code snippet:


HashMap<String, Object> resolvedData = new HashMap<String, Object>();
String firstName = getUserFirstname(params.get("usr_key"));
resolvedData.put("fname", firstName);

String lastName = getUserLastName(params.get("usr_key"));
resolvedData.put("lname", lastname);
resolvedData.put("count", "1 million");
return resolvedData;

This code must be deployed as per the OIM 11g plug-in framework. The XML file defining the plug-in is as below (the pluginclass value must not contain any whitespace, otherwise the class cannot be loaded):

<?xml version="1.0" encoding="UTF-8"?>
<oimplugins xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <plugins pluginpoint="oracle.iam.notification.impl.NotificationEventResolver">
        <plugin pluginclass="com.iam.oim.demo.notification.DemoNotificationResolver" version="1.0" name="Sample Notification Resolver"/>
    </plugins>
</oimplugins>

3. Defining the template

To create a notification template:

Log in to the Oracle Identity Administration

Click the System Management tab and then click the Notification tab

From the Actions list on the left pane, select Create

On the Create page, enter values for the following fields under the Template Information section:

Template Name: Demo template

Description Text: Demo template

Under the Event Details section, perform the following:

From the Available Event list, select the event for which the notification template is to be created. Depending on your selection, other fields are displayed in the Event Details section. Note that the Sample Notification Event created in the previous step is used here as the notification event. The contents of the Available Data drop-down are based on the event XML StaticData tag: the drop-down lists all the attributes of the entities defined in that tag. Once you select an element in the drop-down, it shows up in the Selected Data text field; copy it and paste it into either the message subject or the message body, prefixed with the $ symbol. For example, if the list has an attribute First_Name, the message body contains it as $First_Name, which the resolver will parse and replace with the actual value at run time.

In the Resource field, select a resource from the lookup. This is the dynamic data defined by the Param DataType element in the XML definition. Based on the selected resource, the getAvailableData method of the resolver is called to fetch the resource object attribute details, provided the method has been implemented. In this scenario, the Map<String, Object> params is populated with a single entry whose key is “resource” and whose value is the object key. This is the only input provided to the resolver at design time; you need to implement the further logic to fetch the object attribute details and populate the Available Data list. The strings in the list must not contain spaces: if an attribute name contains a space, replace it with ‘_’ before populating the list. For example, if the attribute name is “First Name”, make it “First_Name”. Spaces are not supported when the token is parsed and replaced with the real value at run time.

Note that the Available Data and Selected Data are used only to define the substitution tokens; they do not define the final data that is sent in the notification. OIM invokes the resolver class to get the data and makes the substitutions.

Under the Locale Information section, enter values in the following fields:

To specify a form of encoding, select either UTF-8 or ASCII.

In the Message Subject field, enter a subject for the notification.

From the Type options, select the data type in which you want to send the message. You can choose between HTML and Text/Plain.

In the Short Message field, enter a gist of the message in very few words.

In the Long Message field, enter the message that will be sent as the notification, using the Available Data tokens that the resolver replaces at run time.

After you have entered the required values in all the fields, click Save.

A message is displayed confirming the creation of the notification template. Click OK.
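The following is an added example, not code from the original post or from Oracle, that ties the resolver from section 2 to the token rules described in this section: form-field labels are normalised so that they never contain spaces, getReplacedData returns values under exactly those token names, and a small check reports any $token in a message body that the resolver map does not cover (so a message is never sent with a raw token left in it). It assumes the OIM 11g R2 jars on the classpath, uses the package name from the plug-in XML above, reads the user login under the key USER_LOGIN (the key the trigger in section 4 sends) and looks the user up through UserManager; fetchFormFieldLabels is a hypothetical helper whose labels are constructed here, where a real resolver would read the resource object's process form.

```java
package com.iam.oim.demo.notification;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import oracle.iam.identity.usermgmt.api.UserManager;
import oracle.iam.identity.usermgmt.vo.User;
import oracle.iam.notification.impl.NotificationEventResolver;
import oracle.iam.notification.vo.NotificationAttribute;
import oracle.iam.platform.Platform;

public class DemoNotificationResolver implements NotificationEventResolver {

    // A template token is "$" followed by letters, digits or '_' (no spaces allowed).
    private static final Pattern TOKEN = Pattern.compile("\\$([A-Za-z0-9_]+)");

    // Design time: called when the template author picks a resource in the lookup.
    // params carries the selected resource object key under "resource".
    public List<NotificationAttribute> getAvailableData(String eventType, Map<String, Object> params) {
        List<NotificationAttribute> list = new ArrayList<NotificationAttribute>();
        Object objKey = (params == null) ? null : params.get("resource");
        if (objKey == null) {
            return list; // no resource chosen yet, so there is nothing to offer
        }
        for (String label : fetchFormFieldLabels(((Number) objKey).longValue())) {
            NotificationAttribute attr = new NotificationAttribute();
            attr.setName(toToken(label)); // "First Name" is offered as "First_Name"
            list.add(attr);
        }
        return list;
    }

    // Run time: called by OIM while the notification is being sent. The keys of the
    // returned map must be exactly the token names offered in getAvailableData.
    public HashMap<String, Object> getReplacedData(String eventType, Map<String, Object> params) {
        HashMap<String, Object> resolved = new HashMap<String, Object>();
        // Assumption: the trigger passes the login under "USER_LOGIN" (as in section 4).
        String userLogin = (params == null) ? null : (String) params.get("USER_LOGIN");
        if (userLogin == null || userLogin.trim().length() == 0) {
            throw new IllegalArgumentException("USER_LOGIN missing from notification params");
        }
        UserManager userMgr = Platform.getService(UserManager.class);
        Set<String> wanted = new HashSet<String>(Arrays.asList("First Name", "Last Name"));
        try {
            User user = userMgr.getDetails(userLogin, wanted, true); // true: look up by login
            resolved.put("First_Name", user.getFirstName());
            resolved.put("Last_Name", user.getLastName());
        } catch (Exception e) {
            throw new IllegalStateException("cannot resolve user " + userLogin, e);
        }
        return resolved;
    }

    // Normalise a form-field label into a token name: whitespace runs become '_',
    // any other character that is not a letter, digit or '_' is dropped.
    static String toToken(String label) {
        return label.trim().replaceAll("\\s+", "_").replaceAll("[^A-Za-z0-9_]", "");
    }

    // Every $token in the body that the resolver map does not cover. An empty result
    // means the message can be sent without a raw "$..." remaining in it.
    static Set<String> unresolvedTokens(String body, Map<String, Object> resolved) {
        Set<String> missing = new LinkedHashSet<String>();
        Matcher m = TOKEN.matcher(body);
        while (m.find()) {
            if (!resolved.containsKey(m.group(1))) {
                missing.add(m.group(1));
            }
        }
        return missing;
    }

    // Hypothetical helper: a real resolver reads the process form of the resource
    // object identified by objKey; the labels here are constructed for the example.
    static List<String> fetchFormFieldLabels(long objKey) {
        return Arrays.asList("First Name", "Last Name", "Account Name");
    }

    // Stand-alone check of the token rules; needs no running OIM server.
    public static void main(String[] args) {
        String body = "Dear $First_Name $Last_Name, your account $Account_Name was created.";
        Map<String, Object> resolved = new HashMap<String, Object>();
        resolved.put("First_Name", "Jane");
        resolved.put("Last_Name", "Doe");
        System.out.println("token for 'Account Name': " + toToken("Account Name"));
        System.out.println("unresolved tokens: " + unresolvedTokens(body, resolved));
    }
}
```

The unresolvedTokens check is the part worth keeping in a real deployment: run it over the template body with the map your resolver returns (for instance in a unit test of the resolver) so that a renamed form field or a typo in the template is caught before a notification with a dangling token reaches a user.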

4. Triggering the event

A notification event can be triggered from different places in OIM. The logic behind the triggering must be coded and plugged into OIM.

Examples of triggering points for notifications:

Event handlers: post-process notifications for specific data updates on OIM users

Process tasks: to notify users that a provisioning task was executed by OIM

Scheduled tasks: to notify about something related to the task

The sample scheduled job below has two parameters:

Template Name: defines the notification template to be sent

User Login: defines the user record that will provide the data to be sent in the notification

Sample Code Snippet (the class declaration and imports are not in the original snippet and are added here so that it compiles as an OIM scheduled task; the class name is assumed):

    import java.util.HashMap;

    import oracle.iam.notification.api.NotificationService;
    import oracle.iam.notification.vo.NotificationEvent;
    import oracle.iam.platform.Platform;
    import oracle.iam.scheduler.vo.TaskSupport;

    public class DemoNotificationTask extends TaskSupport {

        // Entry point called by the scheduler with the job parameters defined above
        public void execute(HashMap params) throws Exception {
            execute((String) params.get("Template Name"), (String) params.get("User Login"));
        }

        public void execute(String templateName, String userId) {
            try {
                NotificationService notService = Platform.getService(NotificationService.class);
                NotificationEvent eventToSend = this.createNotificationEvent(templateName, userId);
                notService.notify(eventToSend);
            } catch (Exception e) {
                e.printStackTrace();
            }
        }

        private NotificationEvent createNotificationEvent(String poTemplateName, String poUserId) {
            NotificationEvent event = new NotificationEvent();

            // The recipient(s): user logins that receive the notification
            String[] receiverUserIds = { poUserId };
            event.setUserIds(receiverUserIds);

            event.setTemplateName(poTemplateName);
            event.setSender(null);

            // Parameters handed to the resolver's getReplacedData at run time
            HashMap<String, Object> templateParams = new HashMap<String, Object>();
            templateParams.put("USER_LOGIN", poUserId);
            event.setParams(templateParams);

            return event;
        }

        public HashMap getAttributes() {
            return null;
        }

        public void setAttributes() {
        }
    }

About

OIM11gR2 Blog by NA-TAG Offshore IDAM team
