Thursday Jul 12, 2012

Adding RESTful Web Services to Oracle Identity Manager 11g

Overview

Organizations are leveraging RESTful Web Services to integrate multiple client interfaces and devices with Internet-centric data services. We will cover how RESTful Web Services can be added to Oracle Identity Manager (OIM) 11g using the Jersey (JAX-RS) framework and Project OpenPTK.

RESTful Web Services

RESTful Web Services have become a "de facto" Application Programming Interface (API) for the Internet. A typical RESTful Web Service architecture leverages HTTP to implement the basic Create, Read, Update and Delete (CRUD) operations. The following table shows how RESTful Web Services combine HTTP operations and URIs to support these CRUD operations.

Resource URIs: Collection = http://acme.com/users, Element = http://acme.com/users/abc123

Create (HTTP POST)
  Collection: Create an entry in the collection. The entry's Id is usually assigned and returned.
  Element:    Treat the member as a collection; create a sub-collection.
Read (HTTP GET)
  Collection: List the collection members.
  Element:    Retrieve a representation of the member, using the requested MIME-type.
Update (HTTP PUT)
  Collection: Replace the entire collection with another collection.
  Element:    Update the member of the collection. May create it if it does not exist.
Delete (HTTP DELETE)
  Collection: Delete the entire collection.
  Element:    Delete the member of the collection.

RESTful Web Services enable the developer to create user interfaces using their choice of design tools and frameworks. RESTful Web Services can be consumed by a traditional Browser interface (leveraging AJAX-type techniques) as well as by mobile and tablet devices leveraging platform specific RESTful client frameworks.

Oracle Identity Manager 11g and Jersey (JAX-RS)

The Oracle Identity Manager (OIM) 11g provides a powerful Java API that can be used to programmatically manage user identities. Here's a blog entry detailing the use of the OIM 11g Java APIs.

RESTful Web Services are easy to create using the Jersey framework. The Jersey framework implements the JAX-RS specification and works with most Java development tools and Java Servlet Containers. Jersey provides a set of Java Annotations to provide RESTful Web Services. The following table highlights some of the Jersey Annotations:

Annotation Description
@Path("/users") Name of a relative URI path
@POST Designates method for HTTP POST Operation (Create)
@GET Designates method for HTTP GET Operation (Read)
@PUT Designates method for HTTP PUT Operation (Update)
@DELETE Designates method for HTTP DELETE Operation (Delete)
@Produces("text/plain") Specify the MIME-types to send back to the client
@Consumes("application/json") Specify the MIME-types the resource can consume from the client
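The following resource class is an added example (not OpenPTK's own code) showing how these annotations map the CRUD table onto a "users" collection and its elements: the server assigns the id on POST and returns it in the Location header (201 Created), PUT and DELETE answer 204 No Content, and a missing element yields 404 Not Found. It assumes a JAX-RS 1.x runtime with a JSON entity provider (such as jersey-json) registered; the in-memory map and the attribute names firstname/lastname are assumptions standing in for an identity repository.

```java
import java.net.URI;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import javax.ws.rs.Consumes;
import javax.ws.rs.DELETE;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.PUT;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriInfo;

// Added example, not OpenPTK's code: the /users collection and its /users/{id} elements.
@Path("/users")
@Produces({MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML})
@Consumes(MediaType.APPLICATION_JSON)
public class UsersResource {

    // Repository stand-in (assumed), keyed by the element id that appears in the URI
    private static final Map<String, Map<String, String>> REPO =
            new ConcurrentHashMap<String, Map<String, String>>();

    @Context
    private UriInfo uriInfo;

    // Read on the collection: list members, optionally filtered with ?search=
    @GET
    public List<Map<String, String>> search(@QueryParam("search") String search) {
        List<Map<String, String>> results = new ArrayList<Map<String, String>>();
        for (Map<String, String> attrs : REPO.values()) {
            if (search == null || matches(attrs, search)) results.add(attrs);
        }
        return results;
    }

    // Create on the collection: the server assigns the id and returns it in Location (201)
    @POST
    public Response create(Map<String, String> attrs) {
        String id = assignId(attrs);
        REPO.put(id, attrs);
        URI location = uriInfo.getAbsolutePathBuilder().path(id).build();
        return Response.created(location).build();
    }

    // Read on an element: 404 Not Found when the member does not exist
    @GET @Path("{id}")
    public Map<String, String> read(@PathParam("id") String id) {
        Map<String, String> attrs = REPO.get(id);
        if (attrs == null) throw new WebApplicationException(Response.Status.NOT_FOUND);
        return attrs;
    }

    // Update on an element: merge the supplied attributes, 204 No Content on success
    @PUT @Path("{id}")
    public Response update(@PathParam("id") String id, Map<String, String> changes) {
        Map<String, String> attrs = REPO.get(id);
        if (attrs == null) return Response.status(Response.Status.NOT_FOUND).build();
        attrs.putAll(changes);
        return Response.noContent().build();
    }

    // Delete on an element: 204 No Content, or 404 if it is already gone
    @DELETE @Path("{id}")
    public Response delete(@PathParam("id") String id) {
        return REPO.remove(id) == null
                ? Response.status(Response.Status.NOT_FOUND).build()
                : Response.noContent().build();
    }

    // Match the search string against first or last name, case-insensitively
    private static boolean matches(Map<String, String> attrs, String search) {
        String needle = search.toLowerCase();
        return attr(attrs, "firstname").contains(needle) || attr(attrs, "lastname").contains(needle);
    }

    // Derive an id from the names (first initial + last name), adding a number if taken
    private static String assignId(Map<String, String> attrs) {
        String first = attr(attrs, "firstname");
        String last = attr(attrs, "lastname");
        if (first.isEmpty() || last.isEmpty()) {
            throw new WebApplicationException(Response.Status.BAD_REQUEST);
        }
        String base = first.substring(0, 1) + last;
        String id = base;
        for (int n = 1; REPO.containsKey(id); n++) id = base + n;
        return id;
    }

    // Lower-cased attribute value, or "" when absent
    private static String attr(Map<String, String> attrs, String name) {
        String value = attrs.get(name);
        return value == null ? "" : value.toLowerCase();
    }
}
```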

Project OpenPTK

Project OpenPTK is an open source provisioning toolkit that extends the capabilities of a provisioning solution. Project OpenPTK leverages the Jersey framework to expose RESTful Web Services, and it can leverage Oracle Identity Manager (OIM) 11g using its Java APIs. Project OpenPTK supports both JSON and XML RESTful Web Service data payloads, to and from the client.

[Figure: RESTful / OpenPTK / OIM 11g overview diagram]

Configuration

The RESTful Web Service demonstration environment was configured using Project OpenPTK (v2.1) deployed to the same Weblogic domain that is hosting Oracle Identity Manager (OIM) 11g. Project OpenPTK has a set of documentation which covers configuration / installation procedures in more detail.

Prerequisites

Project OpenPTK is available from a Subversion (svn) on-line source code control system at http://java.net/projects/openptk. You will need svn to download the project. The download page contains more information on how to access the source code. Create a new directory to store the project's source code.

mkdir $HOME/source
cd $HOME/source
svn checkout \
https://svn.java.net/svn/openptk~svn/tags/release-2.1/openptk \
openptk --username guest

Project OpenPTK uses Maven (mvn) for building the source code and obtaining dependent JAR files. The Setup using Maven document provides more details on how to use maven. Run the mvn install command to download the core dependency files.

Procedure

Project OpenPTK uses Service modules to interface with identity repositories. A Service module was created using the Oracle Identity Manager (OIM) 11g OIMClient Java API. The following steps highlight how to integrate, build, and deploy Project OpenPTK to support Oracle Identity Manager 11g.

  1. Obtain the Oracle Identity Manager 11g oimclient.jar file.
  2. Install the oimclient.jar file into a local maven repository
  3. Build the OpenPTK Server using the oim11g Service module
  4. Copy the generated war file to the Weblogic server where Oracle Identity Manager 11g is installed
  5. Expand the war file:
    1. Update the openptk.xml configuration file
    2. Include the oimclient.jar file
  6. Deploy the OpenPTK Server to Weblogic

See the OpenPTK Service for OIM11g on Weblogic documentation page for detailed installation procedures.


Demonstration

Log into the OpenPTK Admin Interface and confirm that the Oracle Identity Manager 11g Context is working correctly. After logging in (http://localhost:7001/openptk-server):

  • Select the Contexts menu
  • Select the User-Oracle-OIMClient uri.
  • To list the Users, select the uri for the subjects
[Screenshot: OpenPTK admin interface]

The curl command-line utility will be used to demonstrate the RESTful Web Services.

Authenticate

Project OpenPTK has an authentication mechanism. When the user is authenticated, a Session is created within the OpenPTK Server and an HTTP Cookie is created for the user. Normally the web browser would manage the HTTP Cookie. Since curl is being used, the Cookie returned from the authentication process will be saved in a text file called cookies.txt. That cookie file will be used on all the other curl commands.

Command:
curl -c cookies.txt \
-H "Accept: text/plain" \
http://oim11g:7001/openptk-server/login\?user=openptkconfig\&password=password\&clientid=identitycentral
Output:
<html>
<head>
<title>Servlet Login</title>
</head>
<body>
<h1>Login Success!</h1>
</body>
</html>

The contents of the cookies.txt file:

# Netscape HTTP Cookie File
# http://www.netscape.com/newsref/std/cookie_spec.html
# This file was generated by libcurl! Edit at your own risk.

oim11g FALSE / FALSE 0 JSESSIONID       Ht8JP8zS3yyhWh5XrD42Lb6rP1r7HF5LnR09vDGQkH7QmkKb8Gfh!697966766
oim11g FALSE / FALSE 0 OPENPTKSESSIONID 6be67d1e-ea37-4b45-bbaf-d34f270940b9

Search

Search for existing OIM11g users that have a firstname or lastname that contains "Jack". The OpenPTK Server supports encoding the response data in a number of different formats. To specify what encoding type to use, set the Accept HTTP Header variable to one of these MIME-type values:

  • application/json
  • application/xml
  • text/plain
  • text/html

We use the HTTP GET method (on the User-Oracle-OIMClient/subjects collection) to search for the users. The HTTP query parameter search is used to specify the search string.

Command:
curl -X GET \
-b cookies.txt \
-H "Accept: application/json" \
http://oim11g:7001/openptk-server/resources/contexts/User-Oracle-OIMClient/subjects/?search=Jack
Output:
{
    "response" : {
        "uri" : "http:\/\/oim11g:7001\/openptk-server\/resources\/contexts\/User-Oracle-OIMClient\/subjects\/",
        "state" : "SUCCESS",
        "length" : 2,
        "offset" : 0,
        "quantity" : 2,
        "results" : [
            {
                "subject" : {
                    "uri" : "http:\/\/oim11g:7001\/openptk-server\/resources\/contexts\/User-Oracle-OIMClient\/subjects\/JHARKNESS",
                    "uniqueid" : "JHARKNESS",
                    "attributes" : {
                        "uniqueid" : "JHARKNESS",
                        "email" : "jack@torchwood.org",
                        "roles" : "Full-Time",
                        "lastname" : "Harkness",
                        "firstname" : "Jack",
                        "lastcommafirst" : "Harkness, Jack"
                    }
                }
            },
            {
                "subject" : {
                    "uri" : "http:\/\/oim11g:7001\/openptk-server\/resources\/contexts\/User-Oracle-OIMClient\/subjects\/JSPARROW",
                    "uniqueid" : "JSPARROW",
                    "attributes" : {
                        "uniqueid" : "JSPARROW",
                        "email" : "jack@blackpearl.org",
                        "roles" : "Full-Time",
                        "lastname" : "Sparrow",
                        "firstname" : "Jack",
                        "lastcommafirst" : "Sparrow, Jack"
                    }
                }
            }
        ]
    }
}
Results: [Screenshot: OIM admin UI search]

Create

We use the HTTP POST method (on the User-Oracle-OIMClient/subjects collection) to create a new user in the collection. The curl -v option is used to show the data being passed in and the Location header that is returned with the full URI of the created element (subject). Because we are sending data that is JSON encoded, the HTTP header Content-Type needs to be set to the application/json MIME-type. A successful operation returns an HTTP response code of 201 Created.

Command:
curl -X POST -v \
-b cookies.txt \
-H "Content-Type: application/json" \
-d '{"subject" : { "attributes" : { "lastname" : "Bauer", "firstname" : "Jack" }}}' \
http://oim11g:7001/openptk-server/resources/contexts/User-Oracle-OIMClient/subjects
Output:
* About to connect() to oim11g port 7001
*   Trying 127.0.0.1... connected
* Connected to oim11g (127.0.0.1) port 7001
> POST /openptk-server/resources/contexts/User-Oracle-OIMClient/subjects HTTP/1.1
> User-Agent: curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
> Host: oim11g:7001
> Accept: */*
> Cookie: OPENPTKSESSIONID=6be67d1e-ea37-4b45-bbaf-d34f270940b9
> Content-Type: application/json
> Content-Length: 78
> 
> {"subject" : { "attributes" : { "lastname" : "Bauer", "firstname" : "Jack" }}}
< HTTP/1.1 201 Created
> Cache-Control: no-cache, no-transform
> Date: Wed, 11 Jul 2012 04:38:59 GMT
> Location: http://oim11g:7001/openptk-server/resources/contexts/User-Oracle-OIMClient/subjects/jbauer1
> Content-Length: 0
> Content-Type: application/json
> X-ORACLE-DMS-ECID: 0000JXoLJqJFw000jzwkno1FzDlJ00001r
> X-Powered-By: Servlet/2.5 JSP/2.1
* Connection #0 to host oim11g left intact
* Closing connection #0

Read

We use the HTTP GET method (on the User-Oracle-OIMClient/subjects/jbauer1 element) to read the user. We can retrieve the data using a number of different encoding formats: json, xml, plain, html. The examples below demonstrate how the HTTP Header variable Accept is used to "tell" the server what MIME-type we (the client) want to "accept".

Command:
curl -X GET \
-b cookies.txt \
-H "Accept: application/json" \
http://oim11g:7001/openptk-server/resources/contexts/User-Oracle-OIMClient/subjects/jbauer1

curl -X GET \
-b cookies.txt \
-H "Accept: application/xml" \
http://oim11g:7001/openptk-server/resources/contexts/User-Oracle-OIMClient/subjects/jbauer1

curl -X GET \
-b cookies.txt \
-H "Accept: text/plain" \
http://oim11g:7001/openptk-server/resources/contexts/User-Oracle-OIMClient/subjects/jbauer1
Output:
{
    "response" : {
        "uri" : "http:\/\/oim11g:7001\/openptk-server\/resources\/contexts\/User-Oracle-OIMClient\/subjects\/jbauer1",
        "state" : "SUCCESS",
        "status" : "Entry found",
        "subject" : {
            "uniqueid" : "JBAUER1",
            "attributes" : {
                "manager" : null,
                "status" : "Active",
                "lastname" : "Bauer",
                "firstname" : "Jack",
                "type" : "End-User",
                "uniqueid" : "JBAUER1",
                "title" : null,
                "email" : "Jack.Bauer@openptk.org",
                "roles" : "Full-Time",
                "forgottenPasswordQuestions" : [
                   "What is your favorite color?",
                   "What is your mother's maiden name?",
                   "What is the city of your birth?"],
                "telephone" : null,
                "fullname" : "Jack Bauer",
                "lastcommafirst" : "Bauer, Jack"
            }
        }
    }
}
Output:
<?xml version="1.0" encoding="UTF-8"?>
<response>
   <uri type="string">http://oim11g:7001/openptk-server/resources/contexts/User-Oracle-OIMClient/subjects/jbauer1</uri>
   <state type="string">SUCCESS</state>
   <status type="string">Entry found</status>
   <subject>
      <uniqueid type="string">JBAUER1</uniqueid>
      <attributes>
         <manager type="string"></manager>
         <status type="string">Active</status>
         <lastname type="string">Bauer</lastname>
         <firstname type="string">Jack</firstname>
         <type type="string">End-User</type>
         <uniqueid type="string">JBAUER1</uniqueid>
         <title type="string"></title>
         <email type="string">Jack.Bauer@openptk.org</email>
         <roles type="string">Full-Time</roles>
         <forgottenPasswordQuestions type="string">
            <values>
               <value>What is your favorite color?</value>
               <value>What is your mother's maiden name?</value>
               <value>What is the city of your birth?</value>
            </values>
         </forgottenPasswordQuestions>
         <telephone type="string"></telephone>
         <fullname type="string">Jack Bauer</fullname>
         <lastcommafirst type="string">Bauer, Jack</lastcommafirst>
      </attributes>
   </subject>
</response>
Output:
response=
    uri="http://oim11g:7001/openptk-server/resources/contexts/User-Oracle-OIMClient/subjects/jbauer1"
    state="SUCCESS"
    status="Entry found"
    subject=
        uniqueid="JBAUER1"
        attributes=
            manager=
            status="Active"
            lastname="Bauer"
            firstname="Jack"
            type="End-User"
            uniqueid="JBAUER1"
            title=
            email="Jack.Bauer@openptk.org"
            roles="Full-Time"
            forgottenPasswordQuestions=
               "What is your favorite color?"; 
               "What is your mother's maiden name?"; 
               "What is the city of your birth?"
            telephone=
            fullname="Jack Bauer"
            lastcommafirst="Bauer, Jack"

Update

We use the HTTP PUT method (on the User-Oracle-OIMClient/subjects/jbauer1 element) to update an existing user in the collection. The curl -v option is used to show the data being passed in and the details of the update operation. Because we are sending data that is JSON encoded, the HTTP header Content-Type needs to be set to the application/json MIME-type. A successful operation returns an HTTP response code of 204 No Content.

Command:
curl -X PUT \
-v -b cookies.txt \
-H "Content-Type: application/json" \
-d '{ "subject" : { "attributes" : { "title" : "Special Agent", "email" : "jack@ctu.org" } } }' \
http://oim11g:7001/openptk-server/resources/contexts/User-Oracle-OIMClient/subjects/jbauer1
Output:
* About to connect() to oim11g port 7001
*   Trying 127.0.0.1... connected
* Connected to oim11g (127.0.0.1) port 7001
> PUT /openptk-server/resources/contexts/User-Oracle-OIMClient/subjects/jbauer1 HTTP/1.1
> User-Agent: curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
> Host: oim11g:7001
> Accept: */*
> Cookie: OPENPTKSESSIONID=486104f5-0cdb-4b49-8a67-1b1929629538
> Content-Type: application/json
> Content-Length: 90
> 
> { "subject" : { "attributes" : { "title" : "Special Agent", "email" : "jack@ctu.org" } } }
< HTTP/1.1 204 No Content
< Cache-Control: no-cache, no-transform
< Date: Thu, 12 Jul 2012 03:00:03 GMT
< Content-Length: 0
< Content-Type: application/json
< X-ORACLE-DMS-ECID: 0000JXt8GHAFw000jzwkno1FzDlJ000020
< X-Powered-By: Servlet/2.5 JSP/2.1
* Connection #0 to host oim11g left intact
* Closing connection #0

Delete

We use the HTTP DELETE method (on the User-Oracle-OIMClient/subjects/jbauer1 element) to delete the user from the collection. The curl -v option is used to show the details of the delete operation. A successful operation returns an HTTP response code of 204 No Content.

Command:
curl -X DELETE \
-v -b cookies.txt \
http://oim11g:7001/openptk-server/resources/contexts/User-Oracle-OIMClient/subjects/jbauer1
Output:
* About to connect() to oim11g port 7001
*   Trying 127.0.0.1... connected
* Connected to oim11g (127.0.0.1) port 7001
> DELETE /openptk-server/resources/contexts/User-Oracle-OIMClient/subjects/jbauer1 HTTP/1.1
> User-Agent: curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
> Host: oim11g:7001
> Accept: */*
> Cookie: OPENPTKSESSIONID=6789055b-2561-489e-a6bd-3c5424859f81
> 
< HTTP/1.1 204 No Content
< Cache-Control: no-cache, no-transform
< Connection: close
< Date: Thu, 12 Jul 2012 03:44:49 GMT
< Content-Length: 0
< Content-Type: text/plain
< X-ORACLE-DMS-ECID: 0000JXtIW4EFw000jzwkno1FzDlJ00002A
< X-Powered-By: Servlet/2.5 JSP/2.1
* Closing connection #0
Results (a subsequent GET on the deleted element now returns 404 Not Found):
curl -X GET \
-v -b cookies.txt \
-H "Accept: text/plain" \
http://oim11g:7001/openptk-server/resources/contexts/User-Oracle-OIMClient/subjects/jbauer1

* About to connect() to oim11g port 7001
*   Trying 127.0.0.1... connected
* Connected to oim11g (127.0.0.1) port 7001
> GET /openptk-server/resources/contexts/User-Oracle-OIMClient/subjects/jbauer1 HTTP/1.1
> User-Agent: curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
> Host: oim11g:7001
> Cookie: OPENPTKSESSIONID=6789055b-2561-489e-a6bd-3c5424859f81
> Accept: text/plain
> 
< HTTP/1.1 404 Not Found
< Cache-Control: no-cache, no-transform
< Date: Thu, 12 Jul 2012 03:49:38 GMT
< Content-Length: 9
< Content-Type: text/html; charset=UTF-8
< X-ORACLE-DMS-ECID: 0000JXtJak1Fw000jzwkno1FzDlJ00002C
< X-Powered-By: Servlet/2.5 JSP/2.1
* Connection #0 to host oim11g left intact
* Closing connection #0

Even more ...

We have covered how to use Jersey (JAX-RS), via Project OpenPTK, to implement RESTful Web Services for Oracle Identity Manager 11g. We focused on basic Create, Read, Update, Delete and Search operations related to Users. The OpenPTK project also includes RESTful Web Service examples for other tasks such as Self-Service Registration which leverages the Oracle Identity Manager 11g registration feature. Take a look at the CAPTCHA and Identity Manager blog entry that uses the registration feature.

Thursday Jul 05, 2012

Project OpenPTK Release 2.1 Available

The OpenPTK owners are pleased to announce that release 2.1 is available.  It has been "tagged" in the svn repository. See the download page for details.  

This release is an update to version 2.0.  This release contains bug fixes, enhancements to existing capabilities, and new features.  The most notable change in this release is the use of maven, instead of ant, for the build process.  The adoption of maven has made the project more modular, reduced its download size (less bundled jar files) and will enable the future support of Project OpenPTK in a maven repository.

For full details, see the OpenPTK version 2.1 Release Notes.

Tuesday Apr 17, 2012

Programmatically Provisioning Users via Oracle Identity Manager's Java API

Ultimate control over your identities

Oracle Identity Manager (OIM) 11gR1 provides complete life-cycle management of user identities. Identity life-cycle management includes the creation, modification and termination of user access to provisioned resources. Organizations have specific requirements for how they need to manage both internal users and external users (citizens, customers, students, etc.). A provisioning solution needs to be flexible so that it can integrate into the various parts of an organization. OIM 11gR1 provides a range of options for how it can be customized. One of the most powerful and flexible ways of extending a solution is through the use of an Application Programming Interface (API). OIM 11gR1 provides a Java API which can be used to interface with multiple aspects of identity life-cycle management.

The examples covered in these procedures only demonstrate a select set of capabilities (basic User management) from the larger collection of interfaces and methods provided by the OIM 11gR1 Client Java API. Organizations have used these OIM 11gR1 Java APIs for unique integration with their processes, and to support specialized user interface requirements.

User Management

The OIM 11gR1 Java APIs support searching, creating, reading, updating and deleting of Users. This procedure will cover how to use the OIM 11gR1 Java APIs to perform these operations.

Getting Started

OIM 11gR1 leverages a new Java API. The previous API (Thor) is still available, but it is recommended that new projects use the OIM 11gR1 Client API.

Create a directory for downloading the required OIM files and sample source files. This procedure will use a directory/folder called examples.

Required server files

You will need to obtain the following files from the OIM 11gR1 server:

oimclient.zip
  • The OIM 11gR1 Java API classes are packaged as a jar file called oimclient.jar. This jar file is packaged within the oimclient.zip file. The oimclient.zip file is located in the OIM_ORACLE_HOME/server/client folder, on the OIM 11gR1 server.
  • Copy oimclient.zip from the OIM 11gR1 server:
    scp user@oimserver:/OIM_ORACLE_HOME/server/client/oimclient.zip .
  • Expand the oimclient.zip file:
    unzip oimclient.zip
  • The oimclient.zip file contains the following items:

    README         Text file containing information on using the bundled sample program
    oimclient.jar  JAR file containing the OIM 11gR1 classes
    conf           Sub-folder containing auth files
    lib            Sub-folder containing jar files required by the OIM 11gR1 API
    sample         Sub-folder containing bundled sample source code (not used)
wlfullclient.jar
  • Access the Weblogic Server system
    ssh user@wlserver
  • Change directories to the server/lib directory.
    cd WL_HOME/server/lib
  • Use the following command to create the wlfullclient.jar file in the server/lib directory:
    java -jar wljarbuilder.jar
  • Copy the wlfullclient.jar file.

Get the samples

This procedure will use a collection of samples that can be downloaded from a svn (subversion) repository, associated with Project OpenPTK. The following command will download the sample source code into a directory structure named oim:

svn export https://svn.java.net/svn/openptk~svn/branches/Oracle/OIM11gR1/examples/java/OIMClient/src/oim oim --username guest

Note: If you do not have svn (or a similar Subversion client) you can get a "snapshot" of the source files as a downloadable zip file.

When the required jar files and the example code have been downloaded, the folder/directory structure should look like the following diagram.

[Figure: folder structure]

Review the samples

The sample source code leverages a Java packaging name-space starting with oim.client. At this level, you will find the following items:

Client.java   Abstract class that contains OIM 11gR1 Server connection information. This class is used by all of the sample programs. You will need to edit this file and change the OIM 11gR1 Server connection information.
organization  Sub-folder for the package oim.client.organization, which contains sample Java code that leverages some of the organization related capabilities of the OIM 11gR1 Client API. This folder and its samples are not used as part of this procedure.
request       Sub-folder for the package oim.client.request, which contains sample Java code that leverages some of the request related capabilities of the OIM 11gR1 Client API. This folder and its samples are not used as part of this procedure.
role          Sub-folder for the package oim.client.role, which contains sample Java code that leverages some of the role related capabilities of the OIM 11gR1 Client API. This folder and its samples are not used as part of this procedure.
user          Sub-folder for the package oim.client.user, which contains sample Java code that leverages some of the user related capabilities of the OIM 11gR1 Client API. We will be using some of these files to demonstrate basic operations related to a user:

ClientUser.java             Abstract class, extends Client. It provides "User" specific capabilities.
UserChangePassword.java     Not used as part of this procedure
UserCreate.java             Demonstrates the creating of a user. Extends ClientUser
UserDelete.java             Demonstrates the deleting of a user. Extends ClientUser
UserRead.java               Demonstrates the reading of a user. Extends ClientUser
UserRegister.java           Not used as part of this procedure
UserSearch.java             Demonstrates the searching of users. Extends ClientUser
UserUnauthChallenge.java    Not used as part of this procedure
UserUnauthSelfService.java  Not used as part of this procedure
UserUpdate.java             Demonstrates the updating of a user. Extends ClientUser

Class structure

The following diagram illustrates the class structure used by the samples. This procedure will cover many of the classes in the user package.

[Figure: class structure]

Source code

Client.java

This is an abstract class. It provides common methods that are used by all of the sub-categories: organization, request, role and user. For this procedure, we will focus on the user sub-category. This class establishes the connection to the OIM 11gR1 Server. It performs the following tasks:

  1. Creates a Hashtable containing connection data
  2. Creates an OIMClient object using the Hashtable
  3. Executes the OIMClient.login(...) method to log in as the proxy (admin) user

You will need to edit this file and set the OIM 11gR1 Server connection information. The URL, Admin UserId, and Admin Password will need to be set.

   private static final String OIM_URL = "t3://localhost:14000"; // OIM 11g deployment
   ...
   protected static final String OIM_USERNAME = "xelsysadm";
   protected static final String OIM_PASSWORD = "Passw0rd"; // "Passw0rd"
OIM_URL       t3://hostname:port  The URL for connecting to the OIM 11gR1 server
OIM_USERNAME  xelsysadm           The login id of a user that has admin privileges to manage user accounts
OIM_PASSWORD  password            The password for the admin user

Note: The above example "hard codes" the proxy user's id and password.  The "hard coding" of these values is NOT recommended and is NOT secure.  The source code and techniques covered in these procedures are for demonstration purposes only and should NOT be used in a production environment.  The proxy user id and password should be accessible to the program at runtime and securely controlled.

ClientUser.java

This is an abstract class that extends Client and provides methods that can be used by sub-classes which need to leverage the User APIs. For example, the User APIs need the UserManager class to execute operations. This class performs the following tasks:

  1. Gets a UserManager object via the OIMClient.getService(UserManager.class) method.
  2. Gets an UnauthenticatedSelfService object via the OIMClient.getService(UnauthenticatedSelfService.class) method (not used in this procedure).

UserCreate.java

This class extends ClientUser and demonstrates how a user can be "directly" created in the OIM 11gR1 user repository. Note: OIM 11gR1 also provides a "registration" facility for creating users. This procedure does not cover the registration mechanism (topic for another blog). This class performs the following tasks:

  1. Gets the UserManager
  2. Creates a HashMap, to hold attributes
  3. Adds attributes (name/value) to the HashMap
  4. Creates a User object using an accountId and adds the HashMap of attributes.
  5. Calls the UserManager create() method to create the new user.
  6. A UserManagerResult object is returned. It is evaluated.

NOTICE: If you plan on running this sample, you may need to update some of the variables. Check the following variables and make sure the values will work in your environment:
      String accountId = "jhomer";
      String first = "John";
      String last = "Homer";

UserSearch.java

This class extends ClientUser and demonstrates how to search for users in the OIM 11gR1 user repository. This class performs the following tasks:

  1. Gets the UserManager
  2. Creates a "simple" SearchCriteria object using an attribute name, attribute value and a SearchCriteria.Operator.
  3. Creates a HashSet of attribute names (what attributes to return in the search results).
  4. Creates a HashMap for search parameters. Parameters can include how to sort the search results and how many (rows) to return. This example uses a NULL HashMap which means that default parameters will be used.
  5. Calls the UserManager search() method. The method uses the Search Criteria, Attribute Names, and Parameters to perform the search.
  6. A List of User objects is returned.
    For each user, its attribute names and values are obtained. The user data is displayed.

NOTICE: If you plan on running this sample, you may need to update the source file. Uncomment and/or update one of the SearchCriteria items:
      criteria = new SearchCriteria("First Name", "John", SearchCriteria.Operator.EQUAL);
//      criteria = new SearchCriteria("Email", "John.Wayne@openptk.org", SearchCriteria.Operator.EQUAL);
//      criteria = new SearchCriteria("First Name", "scott", SearchCriteria.Operator.EQUAL);
//      criteria = new SearchCriteria("User Login", "*", SearchCriteria.Operator.EQUAL);
//      criteria = new SearchCriteria("usr_key", "*", SearchCriteria.Operator.EQUAL);

UserUpdate.java

This class extends ClientUser and demonstrates how to update a user in the OIM 11gR1 user repository. This class performs the following tasks:

  1. Gets the UserManager
  2. Creates a HashMap, to hold attributes (that will be updated)
  3. The attributes to be modified (name and value), are added to the HashMap
  4. Creates a User object using an accountId and adds the HashMap of attributes.
  5. Calls the UserManager modify() method to update the existing user.
  6. A UserManagerResult object is returned. It is evaluated.

NOTICE: If you plan on running this sample, you may need to update the "login id" to match the "login id" that was used to create the user. Check the following lines of code and make sure the values will work in your environment:
      user = new User("jhomer", mapAttrs);
      result = umgr.modify("User Login", "jhomer", user);

UserRead.java

This class extends ClientUser and demonstrates how to read a user in the OIM 11gR1 user repository. This class performs the following tasks:

  1. Gets the UserManager
  2. Creates a HashMap, to hold attributes (which ones to return)
  3. The attributes to be returned (name and value) are added to the HashMap
  4. Creates a User object using an accountId and adds the HashMap of attributes. In this example, the HashMap is null, all of the available/allowed attributes will be returned.
  5. Calls the UserManager getDetails() method to read the existing user.
  6. A User object is returned.
  7. The attributes can be obtained by calling the "getter" methods or by obtaining a HashMap of the attributes and iterating through it. Both techniques are used.

NOTICE: If you plan on running this sample, you may need to update the "login id" to match the "login id" that was used to create the user. Check the following lines of code and make sure the values will work in your environment:
      user = umgr.getDetails("jhomer", attrNames, true);

UserDelete.java

This class extends ClientUser and demonstrates how to delete a user in the OIM 11gR1 user repository. This class performs the following tasks:

  1. Gets the UserManager
  2. Calls the UserManager delete() method to delete the existing user.
  3. A UserManagerResult object is returned. It is evaluated.

NOTICE: If you plan on running this sample, you may need to update the "login id" to match the "login id" that was used to create the user. Check the following lines of code and make sure the values will work in your environment:
      result = umgr.delete("User Login", "jhomer");
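The read and delete steps above, worked through as an added example against the OIM 11gR1 UserManager API (this is not one of the blog's sample classes; the class name, method names, the oim.url/oim.user/oim.password properties and the command-line usage are this example's own assumptions). It assumes the same prerequisites as the samples' ClientUser base class: oimclient.jar and wlfullclient.jar on the CLASSPATH and the WebLogic JAAS configuration supplied with -Djava.security.auth.login.config=authwl.conf. Unlike UserRead, it asks for a specific attribute set rather than passing null, and it treats the UserManagerResult status as something to check rather than assume:

```java
import java.util.HashSet;
import java.util.Hashtable;
import java.util.Map;
import java.util.Set;

import oracle.iam.identity.usermgmt.api.UserManager;
import oracle.iam.identity.usermgmt.vo.User;
import oracle.iam.identity.usermgmt.vo.UserManagerResult;
import oracle.iam.platform.OIMClient;

/*
 * Added example, not one of the blog's sample classes. It walks the
 * UserRead and UserDelete steps against the OIM 11gR1 UserManager API.
 * Assumptions: an OIM server reachable at -Doim.url, an admin account in
 * -Doim.user / -Doim.password, and the WebLogic JAAS config supplied with
 * -Djava.security.auth.login.config=authwl.conf. Class and method names
 * are this example's own.
 */
public class UserReadDeleteExample {

    // Attribute display name the UserManager API uses for the login id.
    private static final String LOGIN_ATTR = "User Login";

    /** Step 1: obtain the UserManager service from a logged-in client. */
    static UserManager getUserManager(OIMClient client) {
        return client.getService(UserManager.class);
    }

    /**
     * Steps 2-6 of UserRead. Ask only for the attributes you need; a null
     * set returns every attribute the caller may see, which is more than
     * most callers need and more than should end up in a log file.
     */
    static User readUser(UserManager umgr, String loginId, Set<String> retAttrs) throws Exception {
        boolean byLogin = true; // the id is a "User Login" value, not a usr_key
        return umgr.getDetails(loginId, retAttrs, byLogin);
    }

    /** UserDelete: delete by login id and return true only if OIM reports COMPLETED. */
    static boolean deleteUser(UserManager umgr, String loginId) throws Exception {
        UserManagerResult result = umgr.delete(LOGIN_ATTR, loginId);
        // A result object comes back even when nothing changed; never assume success.
        return "COMPLETED".equals(result.getStatus());
    }

    /** Step 7: print the typed getters, then iterate the raw attribute map. */
    static void dump(User user) {
        System.out.println("Login      : " + user.getLogin());
        System.out.println("First Name : " + user.getFirstName());
        System.out.println("Last Name  : " + user.getLastName());
        System.out.println("Email      : " + user.getEmail());
        Map<String, Object> attrs = user.getAttributes();
        for (Map.Entry<String, Object> e : attrs.entrySet()) {
            System.out.println("  " + e.getKey() + "=" + e.getValue());
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2 || !(args[1].equals("read") || args[1].equals("delete"))) {
            System.err.println("usage: UserReadDeleteExample <login id> read|delete");
            System.exit(1);
        }
        // Connection details come from -D properties so no credential is hard-coded.
        Hashtable<String, String> env = new Hashtable<>();
        env.put(OIMClient.JAVA_NAMING_FACTORY_INITIAL, "weblogic.jndi.WLInitialContextFactory");
        env.put(OIMClient.JAVA_NAMING_PROVIDER_URL, System.getProperty("oim.url"));
        OIMClient client = new OIMClient(env);
        client.login(System.getProperty("oim.user"), System.getProperty("oim.password").toCharArray());
        try {
            UserManager umgr = getUserManager(client);
            if (args[1].equals("read")) {
                Set<String> wanted = new HashSet<>();
                wanted.add("User Login");
                wanted.add("First Name");
                wanted.add("Last Name");
                wanted.add("Email");
                dump(readUser(umgr, args[0], wanted));
            } else {
                System.out.println("Delete status COMPLETED: " + deleteUser(umgr, args[0]));
            }
        } finally {
            client.logout();
        }
    }
}
```

Run it with the login id used by the samples and either "read" or "delete" as the second argument. Passing an explicit attribute set keeps password-policy fields such as usr_pwd_expire_date out of the output unless a caller really needs them.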

Compile samples

Compile the Java code from the directory where the jar files and source files were downloaded. Set the CLASSPATH and run javac:

export CLASSPATH=.:oimclient.jar:wlfullclient.jar
javac oim/client/*/*.java

Run samples

Create

A new user will be created with the login id of "jhomer".

java oim/client/user/UserCreate

LOG: __BEGIN__
LOG: UserManager ready
LOG: User object created: 'jhomer'
LOG: Creation status: 'COMPLETED'
LOG: __END__

Search

The new user is in the search output, lastname="John".

java oim/client/user/UserSearch

LOG: __BEGIN__
LOG: UserManager ready
LOG: search results, quantity=8
LOG: EntityId: 214, Id: 214, Attributes: Email='John.Homer@oracle.com', usr_key='214', User Login='JHOMER', Last Name='Homer', First Name='John', 
LOG: EntityId: 8, Id: 8, Attributes: Email='John.Smith@oracle.com', usr_key='8', User Login='JSMITH1', Last Name='Smith', First Name='John', 
LOG: EntityId: 27, Id: 27, Attributes: Email='John.Wayne@openptk.org', usr_key='27', User Login='JWAYNE', Last Name='Wayne', First Name='John', 
LOG: EntityId: 12, Id: 12, Attributes: Email='john.thompson@email.com', usr_key='12', User Login='JTHOMPSON', Last Name='Thompson', First Name='John', 
LOG: EntityId: 83, Id: 83, Attributes: Email='John.Simpson@openptk.org', usr_key='83', User Login='JSIMPSON', Last Name='Simpson', First Name='John', 
LOG: EntityId: 10, Id: 10, Attributes: Email='John.Smith3@oracle.com', usr_key='10', User Login='JSMITH3', Last Name='Smith', First Name='John', 
LOG: EntityId: 14, Id: 14, Attributes: Email='John.Hope@openptk.org', usr_key='14', User Login='JHOPE', Last Name='Hope', First Name='John', 
LOG: EntityId: 17, Id: 17, Attributes: Email='test@test.com', usr_key='17', User Login='JHENRY2', Last Name='Henry', First Name='John', 
LOG: __END__

Read

The new user, "jhomer" has the following details.

java oim/client/user/UserRead

LOG: __BEGIN__
LOG: UserManager ready
LOG: Got user detail
LOG: 
Id                            : 214
Entity Id                     : 214
Login                         : JHOMER
First Name                    : John
Middle Name                   : (null)
Last Name                     : Homer
Common Name                   : JHOMER
Display Name                  : John Homer
Employee Number               : (null)
Employee Type                 : Full-Time
Email                         : John.Homer@oracle.com
User Type                     : End-User
Country                       : (null)
Description                   : (null)
Status                        : Active
Generation Qualifier          : (null)
Account Status                : 0
Manager Key                   : (null)
Manually Locked               : (null)
User Disabled                 : 0
Policy Update Enabled         : (null)
Change Password At Next login : 1
Password Cant Change          : (null)
Password Expired              : (null)
Password Generated            : (null)
Password Must Change          : (null)
Password Never Expires        : (null)
Password Warned               : (null)
Attributes                    : 
FA Territory=
usr_pwd_warn_date='Tue Aug 07 22:23:17 CDT 2012
Employee Number=
usr_locale=
Middle Name=
Manually Locked=
usr_disabled='0
usr_update='Mon Apr 16 22:23:17 CDT 2012
Date Format=
Display Name='{base=John Homer}
Mobile=
usr_timezone=
LDAP Organization=
usr_locked='0
usr_pwd_reset_attempts_ctr='0
Currency=
End Date=
Pager=
usr_deprovisioned_date=
Time Format=
usr_created=
usr_deprovisioning_date=
Color Contrast=
PO Box=
usr_create='Mon Apr 16 22:23:17 CDT 2012
LDAP GUID=
Full Name='{base=null}
Accessibility Mode=
Country=
Xellerate Type='End-User
usr_change_pwd_at_next_logon='1
usr_pwd_expire_date='Tue Aug 14 22:23:17 CDT 2012
usr_pwd_cant_change=
Email='John.Homer@oracle.com
usr_provisioned_date='Mon Apr 16 22:23:16 CDT 2012
usr_data_level=
Common Name='JHOMER
Automatically Delete On=
Locked On=
Start Date=
Last Name='Homer
usr_login_attempts_ctr='0
First Name='John
Locality Name=
usr_manager_key=
Number Format=
usr_policy_update=
Street=
Embedded Help=
usr_pwd_expired=
Department Number=
Hire Date=
usr_createby='1
usr_pwd_warned=
Telephone Number=
Home Postal Address=
Font Size=
usr_updateby='1
Description=
Home Phone=
LDAP Organization Unit=
usr_pwd_min_age_date=
Assurance Level='1
Fax=
Postal Code=
act_key='1
usr_key='214
User Login='JHOMER
Title=
Status='Active
Generation Qualifier=
State=
Postal Address=
Initials=
usr_pwd_never_expires=
usr_pwd_must_change=
LDAP DN=
Role='Full-Time
FA Language=
Password Generated=
usr_provisioning_date=

LOG: __END__

Update

The new user, "jhomer" will be updated. You can see the modified email address in the Search output and the updated title in the Read output.

java oim/client/user/UserUpdate

LOG: __BEGIN__
LOG: UserManager ready
LOG: User object created
LOG: Modification status: 'COMPLETED'
LOG: __END__
java oim/client/user/UserSearch

LOG: __BEGIN__
LOG: UserManager ready
LOG: search results, quantity=8
LOG: EntityId: 214, Id: 214, Attributes: Email='jhomer@oracle.com', usr_key='214', User Login='JHOMER', Last Name='Homer', First Name='John', 
LOG: EntityId: 8, Id: 8, Attributes: Email='John.Smith@oracle.com', usr_key='8', User Login='JSMITH1', Last Name='Smith', First Name='John', 
LOG: EntityId: 27, Id: 27, Attributes: Email='John.Wayne@openptk.org', usr_key='27', User Login='JWAYNE', Last Name='Wayne', First Name='John', 
LOG: EntityId: 12, Id: 12, Attributes: Email='john.thompson@email.com', usr_key='12', User Login='JTHOMPSON', Last Name='Thompson', First Name='John', 
LOG: EntityId: 83, Id: 83, Attributes: Email='John.Simpson@openptk.org', usr_key='83', User Login='JSIMPSON', Last Name='Simpson', First Name='John', 
LOG: EntityId: 10, Id: 10, Attributes: Email='John.Smith3@oracle.com', usr_key='10', User Login='JSMITH3', Last Name='Smith', First Name='John', 
LOG: EntityId: 14, Id: 14, Attributes: Email='John.Hope@openptk.org', usr_key='14', User Login='JHOPE', Last Name='Hope', First Name='John', 
LOG: EntityId: 17, Id: 17, Attributes: Email='test@test.com', usr_key='17', User Login='JHENRY2', Last Name='Henry', First Name='John', 
LOG: __END__


java oim/client/user/UserRead

LOG: __BEGIN__
LOG: UserManager ready
LOG: Got user detail
LOG: 
Id                            : 214
Entity Id                     : 214
Login                         : JHOMER
First Name                    : John
Middle Name                   : (null)
Last Name                     : Homer
Common Name                   : JHOMER
Display Name                  : John Homer
Employee Number               : (null)
Employee Type                 : Full-Time
Email                         : jhomer@oracle.com
User Type                     : End-User
Country                       : (null)
Description                   : (null)
Status                        : Active
Generation Qualifier          : (null)
Account Status                : 0
Manager Key                   : (null)
Manually Locked               : (null)
User Disabled                 : 0
Policy Update Enabled         : (null)
Change Password At Next login : 1
Password Cant Change          : (null)
Password Expired              : (null)
Password Generated            : (null)
Password Must Change          : (null)
Password Never Expires        : (null)
Password Warned               : (null)
Attributes                    : 
FA Territory=
usr_pwd_warn_date='Tue Aug 07 22:23:17 CDT 2012
Employee Number=
usr_locale=
Middle Name=
Manually Locked=
usr_disabled='0
usr_update='Mon Apr 16 22:24:19 CDT 2012
Date Format=
Display Name='{base=John Homer}
Mobile=
usr_timezone=
LDAP Organization=
usr_locked='0
usr_pwd_reset_attempts_ctr='0
Currency=
End Date=
Pager=
usr_deprovisioned_date=
Time Format=
usr_created=
usr_deprovisioning_date=
Color Contrast=
PO Box=
usr_create='Mon Apr 16 22:23:17 CDT 2012
LDAP GUID=
Full Name='{base=null}
Accessibility Mode=
Country=
Xellerate Type='End-User
usr_change_pwd_at_next_logon='1
usr_pwd_expire_date='Tue Aug 14 22:23:17 CDT 2012
usr_pwd_cant_change=
Email='jhomer@oracle.com
usr_provisioned_date='Mon Apr 16 22:23:16 CDT 2012
usr_data_level=
Common Name='JHOMER
Automatically Delete On=
Locked On=
Start Date=
Last Name='Homer
usr_login_attempts_ctr='0
First Name='John
Locality Name=
usr_manager_key=
Number Format=
usr_policy_update=
Street=
Embedded Help=
usr_pwd_expired=
Department Number=
Hire Date=
usr_createby='1
usr_pwd_warned=
Telephone Number=
Home Postal Address=
Font Size=
usr_updateby='1
Description=
Home Phone=
LDAP Organization Unit=
usr_pwd_min_age_date=
Assurance Level='1
Fax=
Postal Code=
act_key='1
usr_key='214
User Login='JHOMER
Title='Engineer
Status='Active
Generation Qualifier=
State=
Postal Address=
Initials=
usr_pwd_never_expires=
usr_pwd_must_change=
LDAP DN=
Role='Full-Time
FA Language=
Password Generated=
usr_provisioning_date=

LOG: __END__

Delete

The new user, "jhomer" will be deleted. The search output no longer contains the user.

java oim/client/user/UserDelete

LOG: __BEGIN__
LOG: UserManager ready
LOG: Delete status: 'COMPLETED'
LOG: __END__


java oim/client/user/UserSearch

LOG: __BEGIN__
LOG: UserManager ready
LOG: search results, quantity=7
LOG: EntityId: 8, Id: 8, Attributes: Email='John.Smith@oracle.com', usr_key='8', User Login='JSMITH1', Last Name='Smith', First Name='John', 
LOG: EntityId: 27, Id: 27, Attributes: Email='John.Wayne@openptk.org', usr_key='27', User Login='JWAYNE', Last Name='Wayne', First Name='John', 
LOG: EntityId: 12, Id: 12, Attributes: Email='john.thompson@email.com', usr_key='12', User Login='JTHOMPSON', Last Name='Thompson', First Name='John', 
LOG: EntityId: 83, Id: 83, Attributes: Email='John.Simpson@openptk.org', usr_key='83', User Login='JSIMPSON', Last Name='Simpson', First Name='John', 
LOG: EntityId: 10, Id: 10, Attributes: Email='John.Smith3@oracle.com', usr_key='10', User Login='JSMITH3', Last Name='Smith', First Name='John', 
LOG: EntityId: 14, Id: 14, Attributes: Email='John.Hope@openptk.org', usr_key='14', User Login='JHOPE', Last Name='Hope', First Name='John', 
LOG: EntityId: 17, Id: 17, Attributes: Email='test@test.com', usr_key='17', User Login='JHENRY2', Last Name='Henry', First Name='John', 
LOG: __END__

YouTube Video

Summary

These procedures used a collection of Java sample programs to demonstrate some of the "User" capabilities of the OIM 11gR1 Java API. These samples merely provide an introduction into how Oracle Identity Manager 11gR1 can be extended.

Thursday Jan 05, 2012

CAPTCHA and Identity Manager

Wrote a blog entry on my team's SecureGov site the other day.  It's an overview of how we built a custom registration interface for Oracle Identity Manager (OIM) 11g.  What was unique about this solution is that it integrated the reCAPTCHA service into the registration process.

Wednesday Jan 04, 2012

Project OpenPTK v2.0 released

Version 2.0 "shipped" 

The Project Open Provisioning ToolKit (OpenPTK) http://www.openptk.org has released version 2.0. It has been "tagged" in the svn repository. See the project download page for access instructions ...  https://sites.google.com/a/openptk.org/docs/release-2-x/v2-0-download

Release 2.0 of Project OpenPTK builds on the success of Release 1.x.

The goal ... enable developers to create custom interfaces to a variety of repositories....

Release 2.0 gives the developer more choices for how they want to create custom interfaces. Release 2.0 supports more back-end repositories: SPML 1 and 2, LDAP, JDBC, Oracle Identity Manager 11g. 

Here is a summary of the major new features in version 2.0:

  • Servlet-Based (Engine Architecture)
  • RESTful-based Web Service
  • Service / Operation Level Configuration
  • Client-Side Java API
  • Authentication
  • Authorization
  • Models, Views and Relationships
  • Actions
  • Encryption
  • Templates
  • Definition Functions
  • Enhanced Search
  • Services


For full details, see the OpenPTK version 2.0 Release Notes:

https://sites.google.com/a/openptk.org/docs/release-2-x/release-notes

Tuesday Mar 15, 2011

One Year Later

It's been a year since the merger of Sun into Oracle. I'm still focused on Identity Management ... with a twist. I'm a member of the Oracle Public Sector team. At Sun, I supported mostly commercial customers.

Monday Jan 05, 2009

Project OpenPTK 2.0.0 development has started

This past weekend, we checked in the initial development code for Release 2.0.0 of Project OpenPTK. This code is a re-design of the Framework to support new features. The new code is available from the main SVN trunk ...

svn checkout https://openptk.dev.java.net/svn/openptk/trunk/openptk openptk --username guest

The latest stable build of release 1.1.0 is available from the release-1.1 SVN tag ...

svn checkout https://openptk.dev.java.net/svn/openptk/tags/release-1.1/openptk openptk-1.1 --username guest

As we work on this release, we'll update the documentation. The What's New page is updated as the features are completed.

Monday Aug 25, 2008

Secure SPML communications

Last week I got an email from a developer that is using Project OpenPTK. They want to use HTTPS/SSL to secure communications between the Sun Identity Manager and an OpenPTK-enabled application.

I was pretty sure this was "do-able" but I have not had a chance/need to configure OpenPTK using HTTPS/SSL. With that said, I did some research, contacted some co-workers, and set up a little test lab. The process is relatively straightforward; I used two Glassfish domains (SPML-Server / SPML-Client) and self-signed certificates:

  1. Configure OpenPTK applications to use SSL/HTTPS
  2. Replace the default certificate on the SPML-Server (Sun Identity Manager)
  3. Add the certificate to the SPML-Client (OpenPTK-enabled Application)

The complete (detailed) process is documented in the Project OpenPTK Release 1.1 Installation Guide.
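Step 3 above, trusting the SPML-Server certificate on the SPML-Client side, as an added example that is not part of Project OpenPTK or of the Installation Guide's procedure. It uses only the standard JDK KeyStore and JSSE APIs: it imports the exported server certificate into a JKS truststore and then proves the trust relationship by completing a TLS handshake against the SPML URL. The class name, file paths, alias and the truststore.password property are this example's own assumptions.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/*
 * Added example, not part of Project OpenPTK. It covers step 3 of the post
 * (trusting the SPML-Server certificate on the SPML-Client side) with the
 * standard JDK KeyStore and JSSE APIs, then proves the trust relationship by
 * completing a TLS handshake. Paths, the alias and the -Dtruststore.password
 * property are this example's own assumptions.
 */
public class SpmlClientTrust {

    /** Add the exported server certificate (PEM or DER) to a JKS truststore. */
    static KeyStore importServerCert(File trustStore, char[] password,
                                     File serverCert, String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        if (trustStore.exists()) {
            try (InputStream in = new FileInputStream(trustStore)) { ks.load(in, password); }
        } else {
            ks.load(null, password); // start a fresh, empty truststore
        }
        X509Certificate cert;
        try (InputStream in = new FileInputStream(serverCert)) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        cert.checkValidity(); // refuse to trust an already expired or not-yet-valid certificate
        // A truststore holds trusted-certificate entries only, never the server's private key.
        ks.setCertificateEntry(alias, cert);
        try (FileOutputStream out = new FileOutputStream(trustStore)) { ks.store(out, password); }
        return ks;
    }

    /** Build an SSLContext that trusts exactly the certificates in the truststore. */
    static SSLContext contextFor(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /**
     * Open the SPML endpoint over HTTPS. The handshake fails with an
     * SSLHandshakeException unless the server presents a trusted certificate;
     * the default hostname verifier stays in place, so the self-signed
     * certificate must also carry the server's host name.
     */
    static int probe(SSLContext ctx, String spmlUrl) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(spmlUrl).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setRequestMethod("GET");
        try {
            return conn.getResponseCode();
        } finally {
            conn.disconnect();
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: SpmlClientTrust <truststore.jks> <server.cer> <alias> <https-spml-url>");
            System.exit(1);
        }
        char[] pw = System.getProperty("truststore.password", "changeit").toCharArray();
        KeyStore ks = importServerCert(new File(args[0]), pw, new File(args[1]), args[2]);
        System.out.println("HTTP status from " + args[3] + ": " + probe(contextFor(ks), args[3]));
    }
}
```

The same truststore can be handed to the SPML-Client domain's JVM with the standard -Djavax.net.ssl.trustStore and -Djavax.net.ssl.trustStorePassword options instead of building the SSLContext in code; either way the client trusts only the certificates it was explicitly given, which is the point of replacing the default certificate in step 2.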

Saturday Aug 23, 2008

Third Meeting: Chicago-Area Identity Management User Group

This past Thursday evening we had our third meeting. Sun hosted the meeting in their Itasca, IL office. The attendees included the local Sun Identity team, partners (Laurus Technologies) and users (United Airlines, Motorola, Kraft Foods, Northeastern Illinois University).

To "kick-off" the meeting, the Sun Identity team asked the User Group community for help ... Leveraging the wikis.sun.com site, they started a new collaboration site focused on sharing Identity Manager knowledge. http://wikis.sun.com/display/sunidmdev is a wiki site where registered users can share their workflows, forms, and other artifacts with the community.

Agenda:

6:00 - 6:30  Greetings and Catered Dinner
6:30 - 6:45  Introductions
6:45 - 7:30  What's New with Identity Manager and Role Manager
7:30 - 7:45  Break
7:45 - 8:30  Integrating Identity Manager and Access Manager (OpenSSO)
8:30 - 9:00  User Group business

The first presentation was given by the Identity folks at Sun. They gave an overview of Identity Manager 8.0 and Role Manager 4.0. They covered the new features, integration points and a roadmap. The second presentation was given by Laurus Technologies. They gave a presentation and demonstration related to how you can integrate Identity Manager with Access Manager (they actually used OpenSSO, very cool).

During the "business" part of the meeting, we talked about how to improve the User Group. Here is what the members asked for:

  • Want to hear customer stories
  • Have meetings during business hours
  • Allow remote attendance (webex)

We updated our list of future meeting topics. We had two customers offer to give a presentation on what they are doing with Identity Manager. The next meeting has been set for Thursday November 13th, 2008. It will be a breakfast meeting held at the Sun Itasca IL office; a webex session will be available to those users that can't attend in person. The current agenda (subject to change):

8:30 - 9:00    Greetings and Breakfast
9:00 - 9:45    Customer Story: Motorola
9:45 - 10:30   Customer Story: To Be Confirmed
10:30 - 11:00  User Group business

Sun Microsystems, Inc.
Two Pierce Place
15th Floor, Skyline Conference Room
Itasca, IL 60143

Future topics:

  1. Sun Role Manager SOD and Compliance
  2. Sun Identity Manager and Access Manager integration
  3. Directory Server non-people use
  4. Federated Access Manager 8 feature update
  5. Sun Java CAPS 6 feature update
  6. Password Sync with Active Directory
  7. Identity Manager to enable business growth
  8. PKI integration
  9. Customer Stories
  10. Panel of Customers for Role Manager
  11. Identity as a software service (SaaS)
  12. ESSO
  13. External facing deployments
  14. Role Rationalization: best practices, customer deployments

If you wish to be informed (sent emails) of User Group activities, please send an email to RequestChicagoIdmLUG at Sun dot COM and you will be added to the mailing list.

Friday Aug 01, 2008

wikis.sun.com a perfect fit

Looking for a wiki for collaborating on information ... I've got just the one: wikis.sun.com

Project OpenPTK is about to release a new version (1.1). As with any software development project, the job's not done until the documentation is done. Previous releases used PDF files to distribute documentation (source files were .odt). Emailing source files between the development team was not working. We decided to move our documentation to a wiki. Our requirements:

  • Fully accessible to anyone for reading
  • Easy to manage document / page structures
  • Ability to control create / update access to specific documents / pages
  • Easy to use syntax
  • Scalable / Available architecture

After researching a number of options, we decided to create a project on http://wikis.sun.com. Our wiki site can be directly found at http://wikis.sun.com/display/openptk or from the OpenPTK url http://wiki.openptk.org

The site is still under construction by the Project Team. The migration of documents to wiki pages has been going great. A couple of pages are done ... take a look at the Overview, Release Notes, and the Configuration Reference Guide.

If you're looking for a public facing wiki site to host your collaboration project ... check it out.

Monday Jun 30, 2008

I did say Yellow fire trucks

I was at my Fire Station (where I volunteer) a few weeks ago when a local newspaper reporter stopped by to do a story on the color of fire trucks. They wanted to talk to Pingree Grove because our fire trucks are yellow. The Chief and I (Public Information Officer) told the story of why our fire trucks are not red. If you are curious, the on-line version of the print article is here

Friday May 23, 2008

Second Meeting: Chicago-Area Identity Management User Group

Last night was our second meeting. Sun hosted the meeting in their Itasca, IL office. We had two great presentations given by partners that are experts in Identity Management. It was great to see the users asking questions and sharing experiences. After the formal meeting ended, a number of the users and partners stayed late, told stories and discussed solutions. The community is growing.

This meeting is about bringing together a community of users, vendors and partners with common interests in identity management. The group focuses on provisioning, access control, and user repository technologies that support business processes related to the management of identity data. The following technologies were discussed during the meeting:

  • Identity Manager
  • Access Manager
  • Directory Server
  • Role Manager
  • Java CAPS

Meeting agenda:

6:30 - 7:00  Greetings and Catered Dinner
7:00 - 7:15  Introductions
7:15 - 8:00  Upgrading Identity Manager, Laurus Technologies
8:00 - 8:45  Doing more with Identity Manager, Deloitte
8:45 - 9:00  User Group business

The attendees included the local Sun identity team, partners (Laurus Technologies, Deloitte) and users (United Airlines, Motorola, Hewitt, Northern Trust, Allstate). We compiled a list of topics for future meetings:

  1. Sun Identity Manager 8 feature update
  2. Sun Identity Manager and Sun Role Manager integration
  3. Sun Role Manager SOD and Compliance
  4. Sun Identity Manager and Access Manager integration
  5. Directory Server non-people use
  6. Federated Access Manager 8 feature update
  7. Sun Java CAPS 6 feature update
  8. Password Sync with Active Directory
  9. Identity Manager to enable business growth
  10. PKI integration
  11. Customer Stories
  12. Panel of Customers for Role Manager
  13. Identity as a software service (SaaS)

The community voted and selected two topics for the next meeting:

  • Identity Manager: Update, Role Manager integration, SOD/Compliance
    (Brian Taylor from Deloitte is leading this topic)
  • Access Manager and Identity Manager Integration
    (Jeremy Miller from Laurus Technologies is leading this topic)

The next meeting has been scheduled for Thursday, August 21st, 2008 @ 6:00pm. The meeting will be held at:

Sun Microsystems, Inc.
Two Pierce Place
15th Floor, Skyline Conference Room
Itasca, IL 60143

If you wish to be informed (sent emails) of User Group activities, please send an email to RequestChicagoIdmLUG at Sun dot COM and you will be added to the mailing list.

Wednesday May 14, 2008

Liferay 5.0 on existing Glassfish v2

I setup Liferay 5.0.1 on Glassfish v2 to test some JSR-168 Portlets as part of Project OpenPTK. Here are my notes on getting Liferay running. I installed this configuration on my Apple MacBook Pro with Leopard (10.5).

The Liferay website does not have an install guide for release 5.0. I used the 4.4 Admin Guide. This wiki site has some useful information for installing Liferay with Glassfish. These docs got me going but I had to perform a few extra / different steps to make things work.

Pre-condition:

Set some variables:

  • export GLASSFISH=/usr/local/glassfish_v2
  • export LIFERAY=/work/Software/Projects/liferay_v5.0
  • export MYSQL=/usr/local/mysql

Create a directory to store and extract the downloaded files: ${LIFERAY}

Download Software:

http://www.liferay.com/web/guest/downloads/additional.

  • Liferay Portal 5.0.1 WAR file for Servlet 2.4 to the directory: ${LIFERAY}
  • Liferay Portal 5.0.1 Dependencies file and unzip to the dependencies subdirectory: ${LIFERAY}/dependencies
  • Liferay Portal 5.0.1 SQL Scripts file and unzip to the sql subdirectory: ${LIFERAY}/sql
  • Files for Developers: Liferay Plugins SDK 5.0.1 file and unzip to the lib subdirectory: ${LIFERAY}

MySQL Database configuration:

Login as the administrator to the database of your choice. Select either the minimal installation (scripts in the sql/create-minimal subdirectory) or the full example installation script (scripts in the sql/create subdirectory) and run the script for your database server (e.g. create-mysql.sql). The default database created by the script is called lportal.

Recommended security: Create a separate Liferay database user and grant it only the SELECT, INSERT, UPDATE and DELETE privileges on all tables in the lportal database. Note that the grant statements below use "all", which is broader than that recommendation; tighten them to those four privileges if you follow it.

# mysql -uroot -ppassword < ${LIFERAY}/liferay-portal-sql-5.0.1/create-minimal/create-minimal-mysql.sql
# mysql -uroot -ppassword
mysql> grant all on lportal.* to lportal identified by 'lportal';
mysql> grant all on lportal.* to lportal@localhost identified by 'lportal';

Create a new Glassfish domain:

admin name:lportal
admin password:lportallportal
# ${GLASSFISH}/bin/asadmin create-domain --adminport 14848 --instanceport 18080 lportal
Please enter the admin user name>
Please enter the admin password>
Please enter the admin password again>
Please enter the master password [Enter to accept the default]:>
Please enter the master password again [Enter to accept the default]:>
Using port 14848 for Admin.
Using port 18080 for HTTP Instance.
Default port 7676 for JMS is in use. Using 50684
Default port 3700 for IIOP is in use. Using 50685
Default port 8181 for HTTP_SSL is in use. Using 50686
Default port 3820 for IIOP_SSL is in use. Using 50687
Default port 3920 for IIOP_MUTUALAUTH is in use. Using 50688
Default port 8686 for JMX_ADMIN is in use. Using 50689
Domain being created with profile:developer, as specified by variable AS_ADMIN_PROFILE in configuration file.
Security Store uses: JKS
Domain liferay created.

Stop Glassfish if it's running:

# ${GLASSFISH}/bin/asadmin stop-domain lportal

Copy some files:

Copy the Liferay dependencies to the Glassfish domains/lportal/lib subdirectory.

# cd ${LIFERAY}/liferay-portal-dependencies-5.0.1
# cp portal-kernel.jar portal-service.jar portlet.jar ${GLASSFISH}/domains/lportal/lib

Note: the docs for Liferay 4.4 mention copying the xercesImpl.jar file. Liferay failed to run and gave me errors about missing other classes. After adding a jar and restarting a few times ... I got it working by adding these other two jars.

Copy the xercesImpl.jar, xalan.jar and serializer.jar files from the Liferay lib subdirectory to the Glassfish domains/lportal/lib subdirectory.

# cp ${LIFERAY}/lib/xercesImpl.jar ${GLASSFISH}/domains/lportal/lib
# cp ${LIFERAY}/lib/xalan.jar ${GLASSFISH}/domains/lportal/lib
# cp ${LIFERAY}/lib/serializer.jar ${GLASSFISH}/domains/lportal/lib

Copy the JDBC driver for your database to the domains/lportal/lib directory.

# cp mysql-jdbc.jar  ${GLASSFISH}/domains/lportal/lib

Start Glassfish:

# ${GLASSFISH}/bin/asadmin start-domain lportal

Resources/JDBC/Connection Pools:

If you are using the Glassfish web-based admin console, go to Resources/JDBC/Connection Pools and create a connection pool to connect to the lportal database. Here is the asadmin command to perform the same function.

Usage: ${GLASSFISH}/bin/asadmin create-jdbc-connection-pool 
       --datasourceclassname classname 
       [--terse=false] 
       [--echo=false] 
       [--interactive=true] 
       [--host localhost] 
       [--port 4848|4849] 
       [--secure | -s] 
       [--user admin_user] 
       [--passwordfile file_name] 
       [--restype res_type] 
       [--steadypoolsize 8] 
       [--maxpoolsize 32] 
       [--maxwait 60000] 
       [--poolresize 2] 
       [--idletimeout 300] 
       [--isolationlevel isolation_level] 
       [--isisolationguaranteed] 
       [--isconnectvalidatereq=false] 
       [--validationmethod auto-commit] 
       [--validationtable tablename] 
       [--failconnection=false] 
       [--allownoncomponentcallers=false] 
       [--nontransactionalconnections=false] 
       [--description text] 
       [--property (name=value)[:name=value]*] 
       jdbc_connection_pool_id

# ${GLASSFISH}/bin/asadmin create-jdbc-connection-pool \
  --datasourceclassname com.mysql.jdbc.jdbc2.optional.MysqlDataSource \
  --host localhost \
  --port 14848 \
  --user lportal \
  --restype javax.sql.DataSource \
  --description "MySQL Liferay Portal 5.0.1" \
  --property ServerName=localhost:Password=lportal:DatabaseName=lportal:User=lportal:Port=3306:PortNumber=3306:LoginTimeout=0:ProfileSql=false \
  MySQL_Liferay
Please enter the admin password>
Command create-jdbc-connection-pool executed successfully.

Resources/JDBC/JDBC Resources:

If you are using the Glassfish web-based admin console, go to Resources/JDBC/JDBC Resources, create a JDBC resource with the JNDI name jdbc/LiferayPool, and associate it with the connection pool created in the previous step. Here is the asadmin command to perform the same function.

Usage: ${GLASSFISH}/bin/asadmin create-jdbc-resource 
       --connectionpoolid id 
       [--terse=false] 
       [--echo=false] 
       [--interactive=true] 
       [--host localhost] 
       [--port 4848|4849] 
       [--secure | -s] 
       [--user admin_user] 
       [--passwordfile file_name] 
       [--enabled=true] 
       [--description text] 
       [--target target(Default server)] 
       [--property (name=value)[:name=value]*] 
       jndi_name

# ${GLASSFISH}/bin/asadmin create-jdbc-resource \
  --connectionpoolid MySQL_Liferay \
  --host localhost \
  --port 14848 \
  --user lportal \
  --enabled=true \
  --description "Liferay Portal 5.0.1 Pool" \
  jdbc/LiferayPool
Please enter the admin password>
Command create-jdbc-resource executed successfully.

Resources/JavaMail Sessions:

If you are using the Glassfish web-based admin console, go to Resources/JavaMail Sessions and create a JavaMail resource with the JNDI name mail/MailSession. Here is the asadmin command to perform the same function.

Usage: ${GLASSFISH}/bin/asadmin create-javamail-resource 
       --mailhost hostname 
       --mailuser username 
       --fromaddress address 
       [--terse=false] 
       [--echo=false] 
       [--interactive=true] 
       [--host localhost] 
       [--port 4848|4849] 
       [--secure | -s] 
       [--user admin_user] 
       [--passwordfile file_name] 
       [--storeprotocol imap] 
       [--storeprotocolclass com.sun.mail.imap.IMAPStore] 
       [--transprotocol smtp] 
       [--transprotocolclass com.sun.mail.smtp.SMTPTransport] 
       [--debug=false] 
       [--enabled=true] 
       [--description text] 
       [--property (name=value)[:name=value]*] 
       [--target target(Default server)] 
       jndi_name

# ${GLASSFISH}/bin/asadmin create-javamail-resource \
  --mailhost localhost \
  --mailuser root@localhost \
  --fromaddress root@localhost \
  --host localhost \
  --port 14848 \
  --user lportal \
  --enabled=true \
  --description "Liferay Portal Mail" \
  mail/MailSession
Please enter the admin password>
Command create-javamail-resource executed successfully.

Restart Glassfish:

# ${GLASSFISH}/bin/asadmin stop-domain lportal
# ${GLASSFISH}/bin/asadmin start-domain lportal

Deploy Liferay:

Deploy the Liferay WAR file to the server with the context root /.

Usage: ${GLASSFISH}/bin/asadmin deploy 
       [--terse=false] 
       [--echo=false] 
       [--interactive=true] 
       [--host localhost] 
       [--port 4848|4849] 
       [--secure | -s] 
       [--user admin_user] 
       [--passwordfile file_name] 
       [--virtualservers virtual_servers] 
       [--contextroot context_root] 
       [--force=true] 
       [--precompilejsp=false] 
       [--verify=false] 
       [--name component_name] 
       [--upload=true] 
       [--retrieve local_dirpath] 
       [--dbvendorname dbvendorname] 
       [--createtables=true|false | --dropandcreatetables=true|false] 
       [--uniquetablenames=true|false] 
       [--deploymentplan deployment_plan] 
       [--enabled=true] 
       [--generatermistubs=false] 
       [--availabilityenabled=false] 
       [--libraries jar_file[(pathseparator)jar_file]*] 
       [--target target(Default server)] 
       filepath 

# ${GLASSFISH}/bin/asadmin deploy \
  --host localhost \
  --port 14848 \
  --user lportal \
  --contextroot / \
  --precompilejsp=false \
  --verify=false \
  --name "Liferay-Portal-5.0.1" \
  --enabled=true \
  ${LIFERAY}/liferay-portal-5.0.1.war

You can also deploy Liferay by copying the ${LIFERAY}/liferay-portal-5.0.1.war file to the autodeploy sub-directory of the Glassfish domain: ${GLASSFISH}/domains/lportal/autodeploy

# cp ${LIFERAY}/liferay-portal-5.0.1.war ${GLASSFISH}/domains/lportal/autodeploy

If the application server is running locally, set the upload option to false (if using the asadmin command-line tool) or use the Local packaged file or directory that is accessible from the Application Server option in the Admin Console. For faster application load times, precompile the JSPs (this will take several minutes).

Do not run the verifier, as the sun-web.xml file does not match its DTD and will cause a deployment failure.

The Liferay portal is ready to run:

  1. Connect to the portal on http://localhost:18080.
  2. Login as the default administrator: test@liferay.com
  3. Password is test

Monday May 12, 2008

CommunityOne JavaOne Summary

I attended JavaOne (and CommunityOne) last week. I was basically "drinking from the fire hose". There were more sessions to attend than what I had time for. The Technical Sessions and Labs are on-line so I have no reason to not review the ones I missed ... except for time. I was focused on a few specific topics:

  • opensolaris
  • NetBeans
  • RESTful web services
  • AJAX enabled user interfaces

opensolaris:

The first opensolaris distribution (2008.05) was released. The use of a LiveCD for installation made things very simple and easy. There are lots of new features besides the new installer. The most obvious new features include a new user interface (GNOME based), a ZFS root filesystem and a new package management system. I downloaded the latest release (1.6) of Sun xVM VirtualBox for my Mac and installed the opensolaris distribution. Very cool!

www.opensolaris.com

NetBeans:

Release 6.1 added more support for technologies that I've been researching: AJAX frameworks and RESTful web services. I wasn't going to upgrade from 6.0 until I attended sessions during NetBeans Day (part of CommunityOne). Check out the new features on the NetBeans site. During lunch I installed 6.1. It installed just fine. I had it use my 6.0 preferences. The only plug-in I had to manually add was "JAX-RPC" for a legacy web service project that I have.

NetBeans has come a long way from when I first used it three years ago. The performance, integration with App Servers (GlassFish), editor features, and collection of plugins have made this an awesome tool. I'm not the only one who must think so ... I've been seeing less and less of Eclipse on people's laptops and within the vendor booths.

NetBeans 6.1 Download

RESTful web services:

One of the features on the roadmap for Project OpenPTK is a RESTful web service. My personal observation is that the RESTful tools are almost there. The spec, JSR-311 JAX-RS: The Java(TM) API for RESTful Web Services, is in review and Jersey is available for testing. I started writing RESTful-type Servlets from scratch and it's a lot of work ... I'll let the RESTful tools make this easier.

AJAX enabled user interfaces:

There are lots of choices (maybe too many). I've not made a decision. But, since Java is my first language, I'm leaning toward the options that don't require me to learn something new like Ruby, PHP, or JavaScript (I do know a little JavaScript). I liked what I saw from the jMaki client-server framework for building AJAX enabled applications. I also like Project Woodstock, which is focused on developing the next generation of User Interface Components for the web, based on JavaServer Faces and AJAX.

Other observations:

The most widely used OS by the presenters was Mac OS X, second was Solaris/Linux and third was Windows (at least for the sessions I attended). I've noticed that the laptop of choice for JavaOne attendees (most likely developers) is shifting to Apple. I'll estimate that 50% of the people I noticed had Apple MacBook (Pro)s. Last year that number was about 25%-30% and two years ago it was around 10%-15%.

Notes:

Here are my notes from each day:

Saturday May 10, 2008

JavaOne Day Four

After having breakfast with some Sun friends we headed for Moscone.

General Session

This was a full session of cool Java demos:

  • VisualVM
  • JavaScript features in NetBeans
  • NVidia APX 2500, Java 3D on a mobile device
  • Project Darkstar
  • Java Card 3.0 innovation, robots fighting
  • Pervasive Java
  • Livescribe, very cool device, I might have to get one of these. It's amazing what a keynote talk will do for business. Before the CEO of Livescribe finished his demo ... people were leaving the session to buy one. People were lined up out the door of Moscone to buy one.
  • Java Real Time
  • License to Drive, Tommy Jr.
  • Java Rocks on Mars, Arizona State University
  • CERN

We had to leave after the last demo. Got on BART and headed for SFO ... until next year: June 2-5, 2009.

About

Scott Fehrman
