Thursday Jul 12, 2012

Adding RESTful Web Services to Oracle Identity Manager 11g

Overview

Organizations are leveraging RESTful Web Services to integrate multiple client interfaces and devices with Internet-centric data services. We will cover how RESTful Web Services can be added to Oracle Identity Manager (OIM) 11g using the Jersey (JAX-RS) framework and Project OpenPTK.

RESTful Web Services

RESTful Web Services have become a "de facto" Application Programming Interface (API) for the Internet. A typical RESTful Web Service architecture leverages HTTP to implement basic Create, Read, Update and Delete (CRUD) operations. The following table shows how RESTful Web Services use the combination of HTTP operations and URIs to support these CRUD operations.

CRUD     HTTP     Collection                                        Element
                  http://acme.com/users                             http://acme.com/users/abc123
Create   POST     Create an entry in the collection; the entry's    Treat the member as a collection and create a
                  id is usually assigned and returned               sub-collection
Read     GET      List the collection members                       Retrieve a representation of the member, using the
                                                                    requested MIME-type
Update   PUT      Replace the entire collection with another        Update the member of the collection; may create it
                  collection                                        if it does not exist
Delete   DELETE   Delete the entire collection                      Delete the member of the collection

RESTful Web Services enable the developer to create user interfaces using their choice of design tools and frameworks. RESTful Web Services can be consumed by a traditional Browser interface (leveraging AJAX-type techniques) as well as by mobile and tablet devices leveraging platform specific RESTful client frameworks.

Oracle Identity Manager 11g and Jersey (JAX-RS)

The Oracle Identity Manager (OIM) 11g provides a powerful Java API that can be used to programmatically manage user identities. Here's a blog entry detailing the use of the OIM 11g Java APIs.

RESTful Web Services are easy to create using the Jersey framework. The Jersey framework implements the JAX-RS specification and works with most Java development tools and Java Servlet Containers. Jersey provides a set of Java annotations for declaring RESTful Web Services. The following table highlights some of the Jersey annotations:

Annotation Description
@Path("/users") Name of a relative URI path
@POST Designates method for HTTP POST Operation (Create)
@GET Designates method for HTTP GET Operation (Read)
@PUT Designates method for HTTP PUT Operation (Update)
@DELETE Designates method for HTTP DELETE Operation (Delete)
@Produces("text/plain") Specify the MIME-types to send back to the client
@Consumes("application/json") Specify the MIME-types, the resource can consume, sent by the client
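As an added example (not code from this entry or from Project OpenPTK), here is a Jersey 1.x (JAX-RS 1.1) resource that wires the annotations above to the CRUD table: the collection lives at /users and each element at /users/{id}. The in-memory store, the Subject bean and the id convention are assumptions standing in for OpenPTK's OIM-backed service, and marshalling the JAXB bean as JSON assumes the jersey-json module is on the classpath. The resource does no authentication of its own; in OpenPTK the session cookie established at /login gates these calls, and any resource that exposes identity data needs an equivalent check in front of it.

```java
import java.net.URI;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.ws.rs.Consumes;
import javax.ws.rs.DELETE;
import javax.ws.rs.DefaultValue;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.PUT;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriInfo;
import javax.xml.bind.annotation.XmlRootElement;

/** Collection resource at .../users and element resource at .../users/{id} (JAX-RS 1.1 / Jersey 1.x). */
@Path("/users")
public class UsersResource {

    /** JAXB bean; with jersey-json on the classpath Jersey marshals it as JSON or XML (assumption). */
    @XmlRootElement(name = "subject")
    public static class Subject {
        public String uniqueid;
        public String firstname;
        public String lastname;
    }

    // Hypothetical in-memory store standing in for the OIM-backed OpenPTK service.
    private static final Map<String, Subject> STORE = new ConcurrentHashMap<String, Subject>();

    @Context
    private UriInfo uriInfo;

    /** Read, collection: GET /users?search=Jack lists members whose first or last name contains the term. */
    @GET
    @Produces({MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML})
    public List<Subject> search(@QueryParam("search") @DefaultValue("") String search) {
        String needle = search.toLowerCase();
        List<Subject> hits = new ArrayList<Subject>();
        for (Subject s : STORE.values()) {
            if (s.firstname.toLowerCase().contains(needle) || s.lastname.toLowerCase().contains(needle)) {
                hits.add(s);
            }
        }
        return hits;
    }

    /** Create: POST /users with a JSON body; the server assigns the id and answers 201 Created + Location. */
    @POST
    @Consumes(MediaType.APPLICATION_JSON)
    public Response create(Subject in) {
        if (in == null || isBlank(in.firstname) || isBlank(in.lastname)) {
            return Response.status(Response.Status.BAD_REQUEST)
                    .entity("firstname and lastname are required").type(MediaType.TEXT_PLAIN).build();
        }
        Subject s = new Subject();
        s.uniqueid = nextId(in.firstname, in.lastname);
        s.firstname = in.firstname;
        s.lastname = in.lastname;
        STORE.put(s.uniqueid, s);
        URI location = uriInfo.getAbsolutePathBuilder().path(s.uniqueid).build();
        return Response.created(location).build();          // 201 Created, Location: .../users/{id}
    }

    /** Read, element: GET /users/{id}; the client's Accept header selects JSON or XML. */
    @GET
    @Path("{id}")
    @Produces({MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML})
    public Response read(@PathParam("id") String id) {
        Subject s = STORE.get(id);
        return s == null ? Response.status(Response.Status.NOT_FOUND).build() : Response.ok(s).build();
    }

    /** Update: PUT /users/{id} changes only the attributes supplied; 204 No Content on success. */
    @PUT
    @Path("{id}")
    @Consumes(MediaType.APPLICATION_JSON)
    public Response update(@PathParam("id") String id, Subject in) {
        Subject s = STORE.get(id);
        if (s == null) return Response.status(Response.Status.NOT_FOUND).build();
        if (in == null) return Response.status(Response.Status.BAD_REQUEST).build();
        if (!isBlank(in.firstname)) s.firstname = in.firstname;
        if (!isBlank(in.lastname)) s.lastname = in.lastname;
        return Response.noContent().build();
    }

    /** Delete: DELETE /users/{id}; 204 No Content, or 404 if the member is already gone. */
    @DELETE
    @Path("{id}")
    public Response delete(@PathParam("id") String id) {
        return STORE.remove(id) == null ? Response.status(Response.Status.NOT_FOUND).build()
                                        : Response.noContent().build();
    }

    private static boolean isBlank(String s) {
        return s == null || s.trim().length() == 0;
    }

    /** Id convention seen in the traces on this page: first initial + last name, numeric suffix on collision. */
    private static String nextId(String first, String last) {
        String base = (first.substring(0, 1) + last).toLowerCase().replaceAll("[^a-z0-9]", "");
        String id = base;
        for (int n = 1; STORE.containsKey(id); n++) id = base + n;
        return id;
    }
}
```

Registered with Jersey's ServletContainer, a POST to /users answers 201 with a Location header, GET /users?search=jack returns the matching members, PUT and DELETE on an element answer 204, and a GET on a deleted element answers 404, which is the behaviour the curl traces on this page show for the OpenPTK subjects resource.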

Project OpenPTK

Project OpenPTK is an open source provisioning toolkit that extends the capabilities of a provisioning solution. Project OpenPTK leverages the Jersey framework to expose RESTful Web Services and it can leverage Oracle Identity Manager (OIM) 11g using its Java APIs. Project OpenPTK supports both JSON and XML RESTful Web Service data payloads, to and from the client.

[Figure: RESTful / OpenPTK / OIM 11g overview diagram]

Configuration

The RESTful Web Service demonstration environment was configured using Project OpenPTK (v2.1) deployed to the same Weblogic domain that is hosting Oracle Identity Manager (OIM) 11g. Project OpenPTK has a set of documentation which covers configuration / installation procedures in more detail.

Prerequisites

Project OpenPTK is available from a Subversion (svn) on-line source code control system at http://java.net/projects/openptk. You will need svn to download the project. The download page contains more information on how to access the source code. Create a new directory to store the project's source code.

mkdir $HOME/source
cd $HOME/source
svn checkout \
https://svn.java.net/svn/openptk~svn/tags/release-2.1/openptk \
openptk --username guest

Project OpenPTK uses Maven (mvn) for building the source code and obtaining dependent JAR files. The Setup using Maven document provides more details on how to use maven. Run the mvn install command to download the core dependency files.

Procedure

Project OpenPTK uses Service modules to interface with identity repositories. A Service module was created using the Oracle Identity Manager (OIM) 11g OIMClient Java API. The following steps highlight how to integrate, build, and deploy Project OpenPTK to support Oracle Identity Manager 11g.

  1. Obtain the Oracle Identity Manager 11g oimclient.jar file.
  2. Install the oimclient.jar file into a local maven repository
  3. Build the OpenPTK Server using the oim11g Service module
  4. Copy the generated war file to the Weblogic server where Oracle Identity Manager 11g is installed
  5. Expand the war file:
    1. Update the openptk.xml configuration file
    2. Include the oimclient.jar file
  6. Deploy the OpenPTK Server to Weblogic

See the OpenPTK Service for OIM11g on Weblogic documentation page for detailed installation procedures.


Demonstration

Log into the OpenPTK Admin Interface and confirm that the Oracle Identity Manager 11g Context is working correctly. After logging in (http://localhost:7001/openptk-server):

  • Select the Contexts menu
  • Select the User-Oracle-OIMClient uri.
  • To list the Users, select the uri for the subjects
[Figure: OpenPTK Admin Interface]

The curl command-line utility will be used to demonstrate the RESTful Web Services.

Authenticate

Project OpenPTK has its own authentication mechanism. When the user is authenticated, a Session is created within the OpenPTK Server and an HTTP Cookie is returned to the client. Normally the web browser would manage the HTTP Cookie. Since curl is being used, the Cookie returned from the authentication process will be saved in a text file called cookies.txt, and that file will be passed on all the other curl commands. Note that the login below sends the user id and password as URL query parameters over plain HTTP, so they will appear in the WebLogic access log, in any proxy on the path, and in the shell history. Outside a lab, front the OpenPTK Server with TLS and use a dedicated, least-privileged login account for API clients.

Command:
curl -c cookies.txt \
-H "Accept: text/plain" \
http://oim11g:7001/openptk-server/login\?user=openptkconfig\&password=password\&clientid=identitycentral
Output:
<html>
<head>
<title>Servlet Login</title>
</head>
<body>
<h1>Login Success!</h1>
</body>
</html>

The contents of the cookies.txt file:

# Netscape HTTP Cookie File
# http://www.netscape.com/newsref/std/cookie_spec.html
# This file was generated by libcurl! Edit at your own risk.

oim11g FALSE / FALSE 0 JSESSIONID       Ht8JP8zS3yyhWh5XrD42Lb6rP1r7HF5LnR09vDGQkH7QmkKb8Gfh!697966766
oim11g FALSE / FALSE 0 OPENPTKSESSIONID 6be67d1e-ea37-4b45-bbaf-d34f270940b9

Search

Search for existing OIM11g users that have a firstname or lastname that contains "Jack". The OpenPTK Server supports encoding the response data in a number of different formats. To specify what encoding type to use, set the Accept HTTP Header variable to one of these MIME-type values:

  • application/json
  • application/xml
  • text/plain
  • text/html

We use the HTTP GET method (on the User-Oracle-OIMClient/subjects collection) to search for the users. The HTTP query parameter search is used to specify the search string.

Command:
curl -X GET \
-b cookies.txt \
-H "Accept: application/json" \
http://oim11g:7001/openptk-server/resources/contexts/User-Oracle-OIMClient/subjects/?search=Jack
Output:
{
    "response" : {
        "uri" : "http:\/\/oim11g:7001\/openptk-server\/resources\/contexts\/User-Oracle-OIMClient\/subjects\/",
        "state" : "SUCCESS",
        "length" : 2,
        "offset" : 0,
        "quantity" : 2,
        "results" : [
            {
                "subject" : {
                    "uri" : "http:\/\/oim11g:7001\/openptk-server\/resources\/contexts\/User-Oracle-OIMClient\/subjects\/JHARKNESS",
                    "uniqueid" : "JHARKNESS",
                    "attributes" : {
                        "uniqueid" : "JHARKNESS",
                        "email" : "jack@torchwood.org",
                        "roles" : "Full-Time",
                        "lastname" : "Harkness",
                        "firstname" : "Jack",
                        "lastcommafirst" : "Harkness, Jack"
                    }
                }
            },
            {
                "subject" : {
                    "uri" : "http:\/\/oim11g:7001\/openptk-server\/resources\/contexts\/User-Oracle-OIMClient\/subjects\/JSPARROW",
                    "uniqueid" : "JSPARROW",
                    "attributes" : {
                        "uniqueid" : "JSPARROW",
                        "email" : "jack@blackpearl.org",
                        "roles" : "Full-Time",
                        "lastname" : "Sparrow",
                        "firstname" : "Jack",
                        "lastcommafirst" : "Sparrow, Jack"
                    }
                }
            }
        ]
    }
}
Results: [Figure: OIM admin UI user search showing the same two users]

Create

We use the HTTP POST method (on the User-Oracle-OIMClient/subjects collection) to create a new user in the collection. The curl -v option shows the data being sent and the Location header that is returned with the full URI of the created element (subject). Because we are sending JSON-encoded data, the HTTP header Content-Type must be set to the application/json MIME-type. The successful operation returns an HTTP response code of 201 Created.

Command:
curl -X POST -v \
-b cookies.txt \
-H "Content-Type: application/json" \
-d '{"subject" : { "attributes" : { "lastname" : "Bauer", "firstname" : "Jack" }}}' \
http://oim11g:7001/openptk-server/resources/contexts/User-Oracle-OIMClient/subjects
Output:
* About to connect() to oim11g port 7001
*   Trying 127.0.0.1... connected
* Connected to oim11g (127.0.0.1) port 7001
> POST /openptk-server/resources/contexts/User-Oracle-OIMClient/subjects HTTP/1.1
> User-Agent: curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
> Host: oim11g:7001
> Accept: */*
> Cookie: OPENPTKSESSIONID=6be67d1e-ea37-4b45-bbaf-d34f270940b9
> Content-Type: application/json
> Content-Length: 78
> 
> {"subject" : { "attributes" : { "lastname" : "Bauer", "firstname" : "Jack" }}}
< HTTP/1.1 201 Created
< Cache-Control: no-cache, no-transform
< Date: Wed, 11 Jul 2012 04:38:59 GMT
< Location: http://oim11g:7001/openptk-server/resources/contexts/User-Oracle-OIMClient/subjects/jbauer1
< Content-Length: 0
< Content-Type: application/json
< X-ORACLE-DMS-ECID: 0000JXoLJqJFw000jzwkno1FzDlJ00001r
< X-Powered-By: Servlet/2.5 JSP/2.1
* Connection #0 to host oim11g left intact
* Closing connection #0

Read

We use the HTTP GET method (on the User-Oracle-OIMClient/subjects/jbauer1 element) to read the user. We can retrieve the data using a number of different encoding formats: json, xml, plain, html. The examples below demonstrate how the HTTP Header variable Accept is used to "tell" the server what MIME-type we (the client) want to "accept".

Command:
curl -X GET \
-b cookies.txt \
-H "Accept: application/json" \
http://oim11g:7001/openptk-server/resources/contexts/User-Oracle-OIMClient/subjects/jbauer1

curl -X GET \
-b cookies.txt \
-H "Accept: application/xml" \
http://oim11g:7001/openptk-server/resources/contexts/User-Oracle-OIMClient/subjects/jbauer1

curl -X GET \
-b cookies.txt \
-H "Accept: text/plain" \
http://oim11g:7001/openptk-server/resources/contexts/User-Oracle-OIMClient/subjects/jbauer1
Output:
{
    "response" : {
        "uri" : "http:\/\/oim11g:7001\/openptk-server\/resources\/contexts\/User-Oracle-OIMClient\/subjects\/jbauer1",
        "state" : "SUCCESS",
        "status" : "Entry found",
        "subject" : {
            "uniqueid" : "JBAUER1",
            "attributes" : {
                "manager" : null,
                "status" : "Active",
                "lastname" : "Bauer",
                "firstname" : "Jack",
                "type" : "End-User",
                "uniqueid" : "JBAUER1",
                "title" : null,
                "email" : "Jack.Bauer@openptk.org",
                "roles" : "Full-Time",
                "forgottenPasswordQuestions" : [
                   "What is your favorite color?",
                   "What is your mother's maiden name?",
                   "What is the city of your birth?"],
                "telephone" : null,
                "fullname" : "Jack Bauer",
                "lastcommafirst" : "Bauer, Jack"
            }
        }
    }
}
Output:
<?xml version="1.0" encoding="UTF-8"?>
<response>
   <uri type="string">http://oim11g:7001/openptk-server/resources/contexts/User-Oracle-OIMClient/subjects/jbauer1</uri>
   <state type="string">SUCCESS</state>
   <status type="string">Entry found</status>
   <subject>
      <uniqueid type="string">JBAUER1</uniqueid>
      <attributes>
         <manager type="string"></manager>
         <status type="string">Active</status>
         <lastname type="string">Bauer</lastname>
         <firstname type="string">Jack</firstname>
         <type type="string">End-User</type>
         <uniqueid type="string">JBAUER1</uniqueid>
         <title type="string"></title>
         <email type="string">Jack.Bauer@openptk.org</email>
         <roles type="string">Full-Time</roles>
         <forgottenPasswordQuestions type="string">
            <values>
               <value>What is your favorite color?</value>
               <value>What is your mother's maiden name?</value>
               <value>What is the city of your birth?</value>
            </values>
         </forgottenPasswordQuestions>
         <telephone type="string"></telephone>
         <fullname type="string">Jack Bauer</fullname>
         <lastcommafirst type="string">Bauer, Jack</lastcommafirst>
      </attributes>
   </subject>
</response>
Output:
response=
    uri="http://oim11g:7001/openptk-server/resources/contexts/User-Oracle-OIMClient/subjects/jbauer1"
    state="SUCCESS"
    status="Entry found"
    subject=
        uniqueid="JBAUER1"
        attributes=
            manager=
            status="Active"
            lastname="Bauer"
            firstname="Jack"
            type="End-User"
            uniqueid="JBAUER1"
            title=
            email="Jack.Bauer@openptk.org"
            roles="Full-Time"
            forgottenPasswordQuestions=
               "What is your favorite color?"; 
               "What is your mother's maiden name?"; 
               "What is the city of your birth?"
            telephone=
            fullname="Jack Bauer"
            lastcommafirst="Bauer, Jack"

Update

We use the HTTP PUT method (on the User-Oracle-OIMClient/subjects/jbauer1 element) to update an existing user in the collection. The curl -v option shows the data being sent and the details of the update operation. Because we are sending JSON-encoded data, the HTTP header Content-Type must be set to the application/json MIME-type. The successful operation returns an HTTP response code of 204 No Content.

Command:
curl -X PUT \
-v -b cookies.txt \
-H "Content-Type: application/json" \
-d '{ "subject" : { "attributes" : { "title" : "Special Agent", "email" : "jack@ctu.org" } } }' \
http://oim11g:7001/openptk-server/resources/contexts/User-Oracle-OIMClient/subjects/jbauer1
Output:
* About to connect() to oim11g port 7001
*   Trying 127.0.0.1... connected
* Connected to oim11g (127.0.0.1) port 7001
> PUT /openptk-server/resources/contexts/User-Oracle-OIMClient/subjects/jbauer1 HTTP/1.1
> User-Agent: curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
> Host: oim11g:7001
> Accept: */*
> Cookie: OPENPTKSESSIONID=486104f5-0cdb-4b49-8a67-1b1929629538
> Content-Type: application/json
> Content-Length: 90
> 
> { "subject" : { "attributes" : { "title" : "Special Agent", "email" : "jack@ctu.org" } } }
< HTTP/1.1 204 No Content
< Cache-Control: no-cache, no-transform
< Date: Thu, 12 Jul 2012 03:00:03 GMT
< Content-Length: 0
< Content-Type: application/json
< X-ORACLE-DMS-ECID: 0000JXt8GHAFw000jzwkno1FzDlJ000020
< X-Powered-By: Servlet/2.5 JSP/2.1
* Connection #0 to host oim11g left intact
* Closing connection #0

Delete

We use the HTTP DELETE method (on the User-Oracle-OIMClient/subjects/jbauer1 element) to delete the user from the collection. The curl -v option shows the details of the delete operation. The successful operation returns an HTTP response code of 204 No Content.

Command:
curl -X DELETE \
-v -b cookies.txt \
http://oim11g:7001/openptk-server/resources/contexts/User-Oracle-OIMClient/subjects/jbauer1
Output:
* About to connect() to oim11g port 7001
*   Trying 127.0.0.1... connected
* Connected to oim11g (127.0.0.1) port 7001
> DELETE /openptk-server/resources/contexts/User-Oracle-OIMClient/subjects/jbauer1 HTTP/1.1
> User-Agent: curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
> Host: oim11g:7001
> Accept: */*
> Cookie: OPENPTKSESSIONID=6789055b-2561-489e-a6bd-3c5424859f81
> 
< HTTP/1.1 204 No Content
< Cache-Control: no-cache, no-transform
< Connection: close
< Date: Thu, 12 Jul 2012 03:44:49 GMT
< Content-Length: 0
< Content-Type: text/plain
< X-ORACLE-DMS-ECID: 0000JXtIW4EFw000jzwkno1FzDlJ00002A
< X-Powered-By: Servlet/2.5 JSP/2.1
* Closing connection #0
Results: a subsequent GET on the deleted element returns 404 Not Found.
curl -X GET \
-v -b cookies.txt \
-H "Accept: text/plain" \
http://oim11g:7001/openptk-server/resources/contexts/User-Oracle-OIMClient/subjects/jbauer1

* About to connect() to oim11g port 7001
*   Trying 127.0.0.1... connected
* Connected to oim11g (127.0.0.1) port 7001
> GET /openptk-server/resources/contexts/User-Oracle-OIMClient/subjects/jbauer1 HTTP/1.1
> User-Agent: curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
> Host: oim11g:7001
> Cookie: OPENPTKSESSIONID=6789055b-2561-489e-a6bd-3c5424859f81
> Accept: text/plain
> 
< HTTP/1.1 404 Not Found
< Cache-Control: no-cache, no-transform
< Date: Thu, 12 Jul 2012 03:49:38 GMT
< Content-Length: 9
< Content-Type: text/html; charset=UTF-8
< X-ORACLE-DMS-ECID: 0000JXtJak1Fw000jzwkno1FzDlJ00002C
< X-Powered-By: Servlet/2.5 JSP/2.1
* Connection #0 to host oim11g left intact
* Closing connection #0
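The curl calls above, from login through the 404 after the delete, are one client session. As an added example (not code from this entry or from Project OpenPTK), the following Java class drives the same sequence with HttpURLConnection and lets java.net.CookieManager hold the OPENPTKSESSIONID cookie the way the browser, or curl's cookies.txt, does. The host, context name, login account and id convention are the demo values from this page and are assumptions for any other deployment. The login method is the one the service offers, credentials in the query string, so the URL is sensitive: it is recorded in the WebLogic access log and by any proxy on the path, and should only travel over TLS.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.CookieHandler;
import java.net.CookieManager;
import java.net.CookiePolicy;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;

/** Minimal client for the OpenPTK RESTful service demonstrated above (added example, not OpenPTK code). */
public class OpenPtkClient {
    private final String base;   // e.g. "http://oim11g:7001/openptk-server" (demo value, assumed)

    public OpenPtkClient(String base) {
        this.base = base;
        // Process-wide cookie jar: once /login sets OPENPTKSESSIONID (and WebLogic's JSESSIONID),
        // every later connection to the same host sends them back, as curl -c/-b does with cookies.txt.
        CookieHandler.setDefault(new CookieManager(null, CookiePolicy.ACCEPT_ALL));
    }

    /** Authenticate. The service takes the credentials as query parameters, so they end up in access
     *  and proxy logs: only use this over TLS and with a dedicated, least-privileged account. */
    public boolean login(String user, String password, String clientId) throws IOException {
        String query = "user=" + enc(user) + "&password=" + enc(password) + "&clientid=" + enc(clientId);
        HttpURLConnection c = open("GET", "/login?" + query, "text/plain", null);
        return c.getResponseCode() == 200 && body(c).contains("Login Success");
    }

    /** Search: GET on the subjects collection; the JSON document comes back as a string. */
    public String search(String context, String term) throws IOException {
        HttpURLConnection c = open("GET", "/resources/contexts/" + enc(context) + "/subjects/?search=" + enc(term),
                                   "application/json", null);
        return body(c);
    }

    /** Create: POST JSON to the collection; returns the Location of the new element on 201, else null. */
    public String create(String context, String json) throws IOException {
        HttpURLConnection c = open("POST", "/resources/contexts/" + enc(context) + "/subjects", null, "application/json");
        send(c, json);
        return c.getResponseCode() == 201 ? c.getHeaderField("Location") : null;
    }

    /** Read one element in the requested representation (application/json, application/xml, text/plain). */
    public String read(String context, String id, String accept) throws IOException {
        HttpURLConnection c = open("GET", subjectPath(context, id), accept, null);
        return c.getResponseCode() == 200 ? body(c) : null;   // null on 404, e.g. after a delete
    }

    /** Update: PUT JSON to the element; true on 204 No Content. */
    public boolean update(String context, String id, String json) throws IOException {
        HttpURLConnection c = open("PUT", subjectPath(context, id), null, "application/json");
        send(c, json);
        return c.getResponseCode() == 204;
    }

    /** Delete the element; true on 204 No Content. */
    public boolean delete(String context, String id) throws IOException {
        return open("DELETE", subjectPath(context, id), null, null).getResponseCode() == 204;
    }

    private String subjectPath(String context, String id) throws IOException {
        return "/resources/contexts/" + enc(context) + "/subjects/" + enc(id);
    }

    private HttpURLConnection open(String method, String path, String accept, String contentType) throws IOException {
        HttpURLConnection c = (HttpURLConnection) new URL(base + path).openConnection();
        c.setRequestMethod(method);
        if (accept != null) c.setRequestProperty("Accept", accept);
        if (contentType != null) {
            c.setRequestProperty("Content-Type", contentType);
            c.setDoOutput(true);
        }
        return c;
    }

    private static void send(HttpURLConnection c, String payload) throws IOException {
        OutputStream out = c.getOutputStream();
        out.write(payload.getBytes("UTF-8"));
        out.close();
    }

    private static String body(HttpURLConnection c) throws IOException {
        InputStream in = c.getResponseCode() < 400 ? c.getInputStream() : c.getErrorStream();
        if (in == null) return "";
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        byte[] chunk = new byte[4096];
        for (int n; (n = in.read(chunk)) > 0; ) buf.write(chunk, 0, n);
        in.close();
        return buf.toString("UTF-8");
    }

    private static String enc(String s) throws IOException {
        return URLEncoder.encode(s, "UTF-8");
    }

    public static void main(String[] args) throws IOException {
        OpenPtkClient ptk = new OpenPtkClient("http://oim11g:7001/openptk-server");
        String ctx = "User-Oracle-OIMClient";
        if (!ptk.login("openptkconfig", "password", "identitycentral")) throw new IOException("login failed");
        System.out.println(ptk.search(ctx, "Jack"));
        String location = ptk.create(ctx, "{\"subject\":{\"attributes\":{\"lastname\":\"Bauer\",\"firstname\":\"Jack\"}}}");
        if (location == null) throw new IOException("create did not return 201 Created");
        String id = location.substring(location.lastIndexOf('/') + 1);   // e.g. jbauer1
        System.out.println(ptk.read(ctx, id, "application/xml"));
        System.out.println("updated: " + ptk.update(ctx, id, "{\"subject\":{\"attributes\":{\"title\":\"Special Agent\"}}}"));
        System.out.println("deleted: " + ptk.delete(ctx, id));
        System.out.println("read after delete: " + ptk.read(ctx, id, "text/plain"));   // null: 404 Not Found
    }
}
```

Each method reports success by status code rather than by parsing the body, which is what the traces above actually guarantee (201 with Location, 204 with no body, 404 after delete); the id of the created element is taken from the Location header, not guessed from the input, because the server assigns it.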

Even more ...

We have covered how to use Jersey (JAX-RS), via Project OpenPTK, to implement RESTful Web Services for Oracle Identity Manager 11g. We focused on basic Create, Read, Update, Delete and Search operations related to Users. The OpenPTK project also includes RESTful Web Service examples for other tasks such as Self-Service Registration which leverages the Oracle Identity Manager 11g registration feature. Take a look at the CAPTCHA and Identity Manager blog entry that uses the registration feature.


Thursday Jul 05, 2012

Project OpenPTK Release 2.1 Available

The OpenPTK owners are pleased to announce that release 2.1 is available.  It has been "tagged" in the svn repository. See the download page for details.  

This release is an update to version 2.0.  This release contains bug fixes, enhancements to existing capabilities, and new features.  The most notable change in this release is the use of maven, instead of ant, for the build process.  The adoption of maven has made the project more modular, reduced its download size (less bundled jar files) and will enable the future support of Project OpenPTK in a maven repository.

For full details, see the OpenPTK version 2.1 Release Notes

Tuesday Apr 17, 2012

Programmatically Provisioning Users via Oracle Identity Manager's Java API

Ultimate control over your identities

Oracle Identity Manager (OIM) 11gR1 provides complete life-cycle management of user identities. Identity life-cycle management includes the creation, modification and termination of user access to provisioned resources. Organizations have specific requirements for how they need to manage both internal users and external users (citizens, customers, students, etc.). A provisioning solution needs to be flexible so that it can integrate into the various parts of an organization. OIM 11gR1 provides a range of options for how it can be customized. One of the most powerful and flexible ways of extending a solution is through the use of an Application Programming Interface (API). OIM 11gR1 provides a Java API which can be used to interface with multiple aspects of identity life-cycle management.

The examples covered, in these procedures, only demonstrate a select set of capabilities (basic User management) from a larger collection of interfaces and methods provided by the OIM 11gR1 Client Java API.  Organizations have used these OIM 11gR1 Java APIs for unique integration with their processes, and to support specialized user interface requirements.

User Management

The OIM 11gR1 Java APIs support searching, creating, reading, updating and deleting of Users. This procedure will cover how to use the OIM 11gR1 Java APIs to perform these operations.

Reference

Getting Started

OIM 11gR1 introduces a new Java API. The previous API (Thor) is still available, but it is recommended that new projects use the OIM 11gR1 Client API.

Create a directory for downloading the required OIM files and sample source files. This procedure will use a directory/folder called examples.

Required server files

You will need to obtain the following files from the OIM 11gR1 server:

oimclient.zip
  • The OIM 11gR1 Java API classes are packaged as a jar file called oimclient.jar. This jar file is packaged within the oimclient.zip file. The oimclient.zip file is located in the OIM_ORACLE_HOME/server/client folder, on the OIM 11gR1 server.
  • Copy oimclient.zip from the OIM 11gR1 server:
    scp user@oimserver:/OIM_ORACLE_HOME/server/client/oimclient.zip .
  • Expand the oimclient.zip file:
    unzip oimclient.zip
  • The oimclient.zip file contains the following items:

    README text file containing information on using the bundled sample program
    oimclient.jar JAR file containing the OIM 11gR1 classes
    conf Sub-folder containing auth files
    lib Sub-folder containing jar files required by the OIM 11gR1 API
    sample Sub-folder containing bundled sample source code (not used)
wlfullclient.jar
  • Access the Weblogic Server system
    ssh user@wlserver
  • Change directories to the server/lib directory.
    cd WL_HOME/server/lib
  • Use the following command to create the wlfullclient.jar file in the server/lib directory:
    java -jar wljarbuilder.jar
  • Copy the wlfullclient.jar file.

Get the samples

This procedure will use a collection of samples that can be downloaded from a svn (subversion) repository, associated with Project OpenPTK. The following command will download the sample source code into a directory structure named oim:

svn export https://svn.java.net/svn/openptk~svn/branches/Oracle/OIM11gR1/examples/java/OIMClient/src/oim oim --username guest

Note: If you do not have svn (or a similar client subversion tool) you can get a "snap shot" of the source files as a downloadable zip file.

When the required jar files and the example code have been downloaded, the folder/directory structure should look like the following diagram.

[Figure: folder structure after downloading the jar files and samples]

Review the samples

The sample source code leverages a Java packaging name-space starting with oim.client. At this level, you will find the following items:

Client.java Abstract class that contains OIM 11gR1 Server connection information. This class is used by all of the sample programs.
You will need to edit this file and change the OIM 11gR1 Server connection information.
organization Sub-folder for the package oim.client.organization which contains sample Java code that leverages some of the organization related capabilities of the OIM 11gR1 Client API. This folder and its samples are not used as part of this procedure.
request Sub-folder for the package oim.client.request which contains sample Java code that leverages some of the request related capabilities of the OIM 11gR1 Client API. This folder and its samples are not used as part of this procedure.
role Sub-folder for the package oim.client.role which contains sample Java code that leverages some of the role related capabilities of the OIM 11gR1 Client API. This folder and its samples are not used as part of this procedure.
user Sub-folder for the package oim.client.user which contains sample Java code that leverages some of the user related capabilities of the OIM 11gR1 Client API. We will be using some of these files to demonstrate basic operations related to a user:

ClientUser.java Abstract class, extends Client. It provides "User" specific capabilities.
UserChangePassword.java Not used as part of this procedure
UserCreate.java Demonstrates the creating of a user. Extends ClientUser
UserDelete.java Demonstrates the deleting of a user. Extends ClientUser
UserRead.java Demonstrates the reading of a user. Extends ClientUser
UserRegister.java Not used as part of this procedure
UserSearch.java Demonstrates the searching of users. Extends ClientUser
UserUnauthChallenge.java Not used as part of this procedure
UserUnauthSelfService.java Not used as part of this procedure
UserUpdate.java Demonstrates the updating of a user. Extends ClientUser

Class structure

The following diagram illustrates the class structure used by the samples. This procedure will cover many of the classes in the user package.

[Figure: class structure of the samples]

Source code

Client.java

This is an abstract class. It provides common methods that are used by all of the sub-categories; organization, request, role and user. For this procedure, we will focus on the user sub-category. This class establishes the connection to the OIM 11gR1 Server. It performs the following tasks:

  1. Creates a HashTable containing connection data
  2. Creates a OIMClient object using the HashTable
  3. Executes the OIMClient.login(...) method to login as the proxy (admin) user

You will need to edit this file and set the OIM 11gR1 Server connection information. The URL, Admin UserId, and Admin Password will need to be set.

   private static final String OIM_URL = "t3://localhost:14000"; // OIM 11g deployment
   ...
   protected static final String OIM_USERNAME = "xelsysadm";
   protected static final String OIM_PASSWORD = "Passw0rd";

Constant       Example              Description
OIM_URL        t3://hostname:port   The URL for connecting to the OIM 11gR1 server
OIM_USERNAME   xelsysadm            The login id of a user that has admin privileges to manage user accounts
OIM_PASSWORD   password             The password for the admin user

Note: The above example "hard codes" the proxy user's id and password.  The "hard coding" of these values is NOT recommended and is NOT secure.  The source code and techniques covered in these procedures are for demonstration purposes only and should NOT be used in a production environment.  The proxy user id and password should be accessible to the program at runtime and securely controlled.

ClientUser.java

This is an abstract class that extends Client and provides methods that can be used by sub-classes which need to leverage the User APIs. For example, the User APIs need the UserManager class to execute operations. This class performs the following tasks:

  1. Gets a UserManager object via the OIMClient.getService(UserManager.class) method.
  2. Gets a UnauthenticatedSelfService object via the OIMClient.getService(UnauthenticatedSelfService.class) method.(not used in this procedure)

UserCreate.java

This class extends ClientUser and demonstrates how a user can be "directly" created in the OIM 11gR1 user repository. Note: OIM 11gR1 also provides a "registration" facility for creating users. This procedure does not cover the registration mechanism (topic for another blog). This class performs the following tasks:

  1. Gets the UserManager
  2. Creates a HashMap, to hold attributes
  3. Adds attributes (name/value) to the HashMap
  4. Creates a User object using an accountId and adds the HashMap of attributes.
  5. Calls the UserManager create() method to create the new user.
  6. A UserManagerResult object is returned. It is evaluated.

NOTICE: If you plan on running this sample, you may need to update some of the variables. Check the following variables and make sure the values will work in your environment:
      String accountId = "jhomer";
      String first = "John";
      String last = "Homer";

UserSearch.java

This class extends ClientUser and demonstrates how to search for users in the OIM 11gR1 user repository. This class performs the following tasks:

  1. Gets the UserManager
  2. Creates a "simple" SearchCriteria object using an attribute name, attribute value and a SearchCriteria.Operator.
  3. Creates a HashSet of attribute names (what attributes to return in the search results).
  4. Creates a HashMap for search parameters. Parameters can include how to sort the search results and how many (rows) to return. This example uses a NULL HashMap which means that default parameters will be used.
  5. Calls the UserManager search() method. The method uses the Search Criteria, Attribute Names, and Parameters to perform the search.
  6. A List of User objects is returned.
    For each user, the attribute names and values are obtained and the user data is displayed.

NOTICE: If you plan on running this sample, you may need to update the source file. Uncomment and/or update one of the SearchCriteria items:
      criteria = new SearchCriteria("First Name", "John", SearchCriteria.Operator.EQUAL);
//      criteria = new SearchCriteria("Email", "John.Wayne@openptk.org", SearchCriteria.Operator.EQUAL);
//      criteria = new SearchCriteria("First Name", "scott", SearchCriteria.Operator.EQUAL);
//      criteria = new SearchCriteria("User Login", "*", SearchCriteria.Operator.EQUAL);
//      criteria = new SearchCriteria("usr_key", "*", SearchCriteria.Operator.EQUAL);

UserUpdate.java

This class extends ClientUser and demonstrates how to update a user in the OIM 11gR1 user repository. This class performs the following tasks:

  1. Gets the UserManager
  2. Creates a HashMap, to hold attributes (that will be updated)
  3. The attributes to be modified (name and value), are added to the HashMap
  4. Creates a User object using an accountId and adds the HashMap of attributes.
  5. Calls the UserManager modify() method to update the existing user.
  6. A UserManagerResult object is returned. It is evaluated.

NOTICE: If you plan on running this sample, you may need to update the "login id" to match the "login id" that was used to create the user. Check the following lines of code and make sure the values will work in your environment:
      user = new User("jhomer", mapAttrs);
      result = umgr.modify("User Login", "jhomer", user);

UserRead.java

This class extends ClientUser and demonstrates how to read a user in the OIM 11gR1 user repository. This class performs the following tasks:

  1. Gets the UserManager
  2. Creates a Set of attribute names (which ones to return)
  3. The names of the attributes to be returned are added to the Set
  4. Calls the UserManager getDetails() method with the login id, the Set of attribute names, and a flag indicating that the id is the "User Login". In this example the Set is null, so all of the available/allowed attributes are returned.
  5. A User object is returned.
  6. The attributes can be obtained by calling the "getter" methods or by obtaining a HashMap of the attributes and iterating through it. Both techniques are used.

NOTICE: If you plan on running this sample, you may need to update the "login id" to match the "login id" that was used to create the user. Check the following lines of code and make sure the values will work in your environment:
      user = umgr.getDetails("jhomer", attrNames, true);

UserDelete.java

This class extends ClientUser and demonstrates how to delete a user in the OIM 11gR1 user repository. This class performs the following tasks:

  1. Gets the UserManager
  2. Calls the UserManager delete() method to delete the existing user.
  3. A UserManagerResult object is returned. It is evaluated.

NOTICE: If you plan on running this sample, you may need to update the "login id" to match the "login id" that was used to create the user. Check the following lines of code and make sure the values will work in your environment:
      result = umgr.delete("User Login", "jhomer");

Compile samples

Compile the Java code from the directory where the jar files and source files were downloaded. Set the CLASSPATH and run javac (only the .java sources are passed to the compiler, so a second compile does not trip over the generated .class files):

export CLASSPATH=.:oimclient.jar:wlfullclient.jar
javac oim/client/*/*.java

Run samples

Create

A new user will be created with the login id of "jhomer".

java oim/client/user/UserCreate

LOG: __BEGIN__
LOG: UserManager ready
LOG: User object created: 'jhomer'
LOG: Creation status: 'COMPLETED'
LOG: __END__

Search

The new user is in the search output, lastname="John".

java oim/client/user/UserSearch

LOG: __BEGIN__
LOG: UserManager ready
LOG: search results, quantity=8
LOG: EntityId: 214, Id: 214, Attributes: Email='John.Homer@oracle.com', usr_key='214', User Login='JHOMER', Last Name='Homer', First Name='John', 
LOG: EntityId: 8, Id: 8, Attributes: Email='John.Smith@oracle.com', usr_key='8', User Login='JSMITH1', Last Name='Smith', First Name='John', 
LOG: EntityId: 27, Id: 27, Attributes: Email='John.Wayne@openptk.org', usr_key='27', User Login='JWAYNE', Last Name='Wayne', First Name='John', 
LOG: EntityId: 12, Id: 12, Attributes: Email='john.thompson@email.com', usr_key='12', User Login='JTHOMPSON', Last Name='Thompson', First Name='John', 
LOG: EntityId: 83, Id: 83, Attributes: Email='John.Simpson@openptk.org', usr_key='83', User Login='JSIMPSON', Last Name='Simpson', First Name='John', 
LOG: EntityId: 10, Id: 10, Attributes: Email='John.Smith3@oracle.com', usr_key='10', User Login='JSMITH3', Last Name='Smith', First Name='John', 
LOG: EntityId: 14, Id: 14, Attributes: Email='John.Hope@openptk.org', usr_key='14', User Login='JHOPE', Last Name='Hope', First Name='John', 
LOG: EntityId: 17, Id: 17, Attributes: Email='test@test.com', usr_key='17', User Login='JHENRY2', Last Name='Henry', First Name='John', 
LOG: __END__

Read

The new user, "jhomer", has the following details.

java oim/client/user/UserRead

LOG: __BEGIN__
LOG: UserManager ready
LOG: Got user detail
LOG: 
Id                            : 214
Entity Id                     : 214
Login                         : JHOMER
First Name                    : John
Middle Name                   : (null)
Last Name                     : Homer
Common Name                   : JHOMER
Display Name                  : John Homer
Employee Number               : (null)
Employee Type                 : Full-Time
Email                         : John.Homer@oracle.com
User Type                     : End-User
Country                       : (null)
Description                   : (null)
Status                        : Active
Generation Qualifier          : (null)
Account Status                : 0
Manager Key                   : (null)
Manually Locked               : (null)
User Disabled                 : 0
Policy Update Enabled         : (null)
Change Password At Next login : 1
Password Cant Change          : (null)
Password Expired              : (null)
Password Generated            : (null)
Password Must Change          : (null)
Password Never Expires        : (null)
Password Warned               : (null)
Attributes                    : 
FA Territory=
usr_pwd_warn_date='Tue Aug 07 22:23:17 CDT 2012
Employee Number=
usr_locale=
Middle Name=
Manually Locked=
usr_disabled='0
usr_update='Mon Apr 16 22:23:17 CDT 2012
Date Format=
Display Name='{base=John Homer}
Mobile=
usr_timezone=
LDAP Organization=
usr_locked='0
usr_pwd_reset_attempts_ctr='0
Currency=
End Date=
Pager=
usr_deprovisioned_date=
Time Format=
usr_created=
usr_deprovisioning_date=
Color Contrast=
PO Box=
usr_create='Mon Apr 16 22:23:17 CDT 2012
LDAP GUID=
Full Name='{base=null}
Accessibility Mode=
Country=
Xellerate Type='End-User
usr_change_pwd_at_next_logon='1
usr_pwd_expire_date='Tue Aug 14 22:23:17 CDT 2012
usr_pwd_cant_change=
Email='John.Homer@oracle.com
usr_provisioned_date='Mon Apr 16 22:23:16 CDT 2012
usr_data_level=
Common Name='JHOMER
Automatically Delete On=
Locked On=
Start Date=
Last Name='Homer
usr_login_attempts_ctr='0
First Name='John
Locality Name=
usr_manager_key=
Number Format=
usr_policy_update=
Street=
Embedded Help=
usr_pwd_expired=
Department Number=
Hire Date=
usr_createby='1
usr_pwd_warned=
Telephone Number=
Home Postal Address=
Font Size=
usr_updateby='1
Description=
Home Phone=
LDAP Organization Unit=
usr_pwd_min_age_date=
Assurance Level='1
Fax=
Postal Code=
act_key='1
usr_key='214
User Login='JHOMER
Title=
Status='Active
Generation Qualifier=
State=
Postal Address=
Initials=
usr_pwd_never_expires=
usr_pwd_must_change=
LDAP DN=
Role='Full-Time
FA Language=
Password Generated=
usr_provisioning_date=

LOG: __END__

Update

The new user, "jhomer" will be updated. You can see the modified email address in the Search output and the updated title in the Read output.

java oim/client/user/UserUpdate

LOG: __BEGIN__
LOG: UserManager ready
LOG: User object created
LOG: Modification status: 'COMPLETED'
LOG: __END__

java oim/client/user/UserSearch

LOG: __BEGIN__
LOG: UserManager ready
LOG: search results, quantity=8
LOG: EntityId: 214, Id: 214, Attributes: Email='jhomer@oracle.com', usr_key='214', User Login='JHOMER', Last Name='Homer', First Name='John', 
LOG: EntityId: 8, Id: 8, Attributes: Email='John.Smith@oracle.com', usr_key='8', User Login='JSMITH1', Last Name='Smith', First Name='John', 
LOG: EntityId: 27, Id: 27, Attributes: Email='John.Wayne@openptk.org', usr_key='27', User Login='JWAYNE', Last Name='Wayne', First Name='John', 
LOG: EntityId: 12, Id: 12, Attributes: Email='john.thompson@email.com', usr_key='12', User Login='JTHOMPSON', Last Name='Thompson', First Name='John', 
LOG: EntityId: 83, Id: 83, Attributes: Email='John.Simpson@openptk.org', usr_key='83', User Login='JSIMPSON', Last Name='Simpson', First Name='John', 
LOG: EntityId: 10, Id: 10, Attributes: Email='John.Smith3@oracle.com', usr_key='10', User Login='JSMITH3', Last Name='Smith', First Name='John', 
LOG: EntityId: 14, Id: 14, Attributes: Email='John.Hope@openptk.org', usr_key='14', User Login='JHOPE', Last Name='Hope', First Name='John', 
LOG: EntityId: 17, Id: 17, Attributes: Email='test@test.com', usr_key='17', User Login='JHENRY2', Last Name='Henry', First Name='John', 
LOG: __END__

java oim/client/user/UserRead

LOG: __BEGIN__
LOG: UserManager ready
LOG: Got user detail
LOG: 
Id                            : 214
Entity Id                     : 214
Login                         : JHOMER
First Name                    : John
Middle Name                   : (null)
Last Name                     : Homer
Common Name                   : JHOMER
Display Name                  : John Homer
Employee Number               : (null)
Employee Type                 : Full-Time
Email                         : jhomer@oracle.com
User Type                     : End-User
Country                       : (null)
Description                   : (null)
Status                        : Active
Generation Qualifier          : (null)
Account Status                : 0
Manager Key                   : (null)
Manually Locked               : (null)
User Disabled                 : 0
Policy Update Enabled         : (null)
Change Password At Next login : 1
Password Cant Change          : (null)
Password Expired              : (null)
Password Generated            : (null)
Password Must Change          : (null)
Password Never Expires        : (null)
Password Warned               : (null)
Attributes                    : 
FA Territory=
usr_pwd_warn_date='Tue Aug 07 22:23:17 CDT 2012
Employee Number=
usr_locale=
Middle Name=
Manually Locked=
usr_disabled='0
usr_update='Mon Apr 16 22:24:19 CDT 2012
Date Format=
Display Name='{base=John Homer}
Mobile=
usr_timezone=
LDAP Organization=
usr_locked='0
usr_pwd_reset_attempts_ctr='0
Currency=
End Date=
Pager=
usr_deprovisioned_date=
Time Format=
usr_created=
usr_deprovisioning_date=
Color Contrast=
PO Box=
usr_create='Mon Apr 16 22:23:17 CDT 2012
LDAP GUID=
Full Name='{base=null}
Accessibility Mode=
Country=
Xellerate Type='End-User
usr_change_pwd_at_next_logon='1
usr_pwd_expire_date='Tue Aug 14 22:23:17 CDT 2012
usr_pwd_cant_change=
Email='jhomer@oracle.com
usr_provisioned_date='Mon Apr 16 22:23:16 CDT 2012
usr_data_level=
Common Name='JHOMER
Automatically Delete On=
Locked On=
Start Date=
Last Name='Homer
usr_login_attempts_ctr='0
First Name='John
Locality Name=
usr_manager_key=
Number Format=
usr_policy_update=
Street=
Embedded Help=
usr_pwd_expired=
Department Number=
Hire Date=
usr_createby='1
usr_pwd_warned=
Telephone Number=
Home Postal Address=
Font Size=
usr_updateby='1
Description=
Home Phone=
LDAP Organization Unit=
usr_pwd_min_age_date=
Assurance Level='1
Fax=
Postal Code=
act_key='1
usr_key='214
User Login='JHOMER
Title='Engineer
Status='Active
Generation Qualifier=
State=
Postal Address=
Initials=
usr_pwd_never_expires=
usr_pwd_must_change=
LDAP DN=
Role='Full-Time
FA Language=
Password Generated=
usr_provisioning_date=

LOG: __END__

Delete

The new user, "jhomer" will be deleted. The search output no longer contains the user.

java oim/client/user/UserDelete

LOG: __BEGIN__
LOG: UserManager ready
LOG: Delete status: 'COMPLETED'
LOG: __END__

java oim/client/user/UserSearch

LOG: __BEGIN__
LOG: UserManager ready
LOG: search results, quantity=7
LOG: EntityId: 8, Id: 8, Attributes: Email='John.Smith@oracle.com', usr_key='8', User Login='JSMITH1', Last Name='Smith', First Name='John', 
LOG: EntityId: 27, Id: 27, Attributes: Email='John.Wayne@openptk.org', usr_key='27', User Login='JWAYNE', Last Name='Wayne', First Name='John', 
LOG: EntityId: 12, Id: 12, Attributes: Email='john.thompson@email.com', usr_key='12', User Login='JTHOMPSON', Last Name='Thompson', First Name='John', 
LOG: EntityId: 83, Id: 83, Attributes: Email='John.Simpson@openptk.org', usr_key='83', User Login='JSIMPSON', Last Name='Simpson', First Name='John', 
LOG: EntityId: 10, Id: 10, Attributes: Email='John.Smith3@oracle.com', usr_key='10', User Login='JSMITH3', Last Name='Smith', First Name='John', 
LOG: EntityId: 14, Id: 14, Attributes: Email='John.Hope@openptk.org', usr_key='14', User Login='JHOPE', Last Name='Hope', First Name='John', 
LOG: EntityId: 17, Id: 17, Attributes: Email='test@test.com', usr_key='17', User Login='JHENRY2', Last Name='Henry', First Name='John', 
LOG: __END__
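The three UserSearch runs above (after create, after update, after delete) are what you check by eye to confirm the run did what it should. As an added example, not part of the original samples and written in Python rather than the samples' Java, the script below parses that LOG line format and verifies the whole lifecycle from the search snapshots: the account appears after create, carries the new e-mail after update, is gone after delete, and no other account changed in between. The snapshots are constructed inline in the same format as the output above, trimmed to two entries; the quantity line is cross-checked against the entries actually listed so a truncated log is rejected instead of silently passing.

```python
import re
from typing import Dict, List

# Constructed sample input: three UserSearch snapshots in the LOG format shown
# above (after create, after update, after delete), trimmed to two entries.
SEARCH_AFTER_CREATE = """\
LOG: __BEGIN__
LOG: UserManager ready
LOG: search results, quantity=2
LOG: EntityId: 214, Id: 214, Attributes: Email='John.Homer@oracle.com', usr_key='214', User Login='JHOMER', Last Name='Homer', First Name='John',
LOG: EntityId: 8, Id: 8, Attributes: Email='John.Smith@oracle.com', usr_key='8', User Login='JSMITH1', Last Name='Smith', First Name='John',
LOG: __END__
"""

SEARCH_AFTER_UPDATE = SEARCH_AFTER_CREATE.replace("John.Homer@oracle.com", "jhomer@oracle.com")

SEARCH_AFTER_DELETE = """\
LOG: __BEGIN__
LOG: UserManager ready
LOG: search results, quantity=1
LOG: EntityId: 8, Id: 8, Attributes: Email='John.Smith@oracle.com', usr_key='8', User Login='JSMITH1', Last Name='Smith', First Name='John',
LOG: __END__
"""

QUANTITY_RE = re.compile(r"^LOG: search results, quantity=(\d+)$")
ENTRY_RE = re.compile(r"^LOG: EntityId: (\d+), Id: (\d+), Attributes: (.*)$")
ATTR_RE = re.compile(r"([^,=]+?)='([^']*)'")   # name='value' pairs; names may contain spaces


def parse_search_output(text: str) -> Dict[str, Dict[str, str]]:
    """Parse one UserSearch run into {USER LOGIN: {attribute: value}}.

    The reported quantity must match the number of entries actually listed;
    otherwise the log is treated as incomplete and rejected.
    """
    users: Dict[str, Dict[str, str]] = {}
    quantity = None
    for line in text.splitlines():
        line = line.rstrip()           # the real output has a trailing space per entry
        m = QUANTITY_RE.match(line)
        if m:
            quantity = int(m.group(1))
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        attrs = {name.strip(): value for name, value in ATTR_RE.findall(m.group(3))}
        attrs["EntityId"], attrs["Id"] = m.group(1), m.group(2)
        users[attrs["User Login"].upper()] = attrs   # OIM reports the login upper-cased
    if quantity is None or quantity != len(users):
        raise ValueError(f"quantity {quantity} does not match {len(users)} parsed entries")
    return users


def verify_lifecycle(after_create: str, after_update: str, after_delete: str,
                     login: str, expected_email: str) -> List[str]:
    """Return discrepancies between the three snapshots; an empty list means the
    create/update/delete run left the repository in the expected state."""
    login = login.upper()
    created = parse_search_output(after_create)
    updated = parse_search_output(after_update)
    deleted = parse_search_output(after_delete)
    issues: List[str] = []
    if login not in created:
        issues.append(f"{login} missing after create")
    if login not in updated:
        issues.append(f"{login} missing after update")
    elif updated[login].get("Email") != expected_email:
        issues.append(f"{login} email is {updated[login].get('Email')!r}, "
                      f"expected {expected_email!r} after update")
    if login in deleted:
        issues.append(f"{login} still present after delete")
    # Every account other than the test account must be untouched by the run.
    others_before = {k: v for k, v in created.items() if k != login}
    others_after = {k: v for k, v in deleted.items() if k != login}
    if others_before != others_after:
        issues.append("unrelated accounts changed during the run")
    return issues


if __name__ == "__main__":
    problems = verify_lifecycle(SEARCH_AFTER_CREATE, SEARCH_AFTER_UPDATE, SEARCH_AFTER_DELETE,
                                "jhomer", "jhomer@oracle.com")
    print("OK" if not problems else "\n".join(problems))
```

Feed it the captured stdout of the three UserSearch runs instead of the constructed strings and it becomes a cheap regression check for the sample programs: a non-empty list means either a sample did not do what the step list says or the test account was left behind in the repository.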

Summary

These procedures used a collection of Java sample programs to demonstrate some of the "User" capabilities of the OIM 11gR1 Java API. These samples merely provide an introduction to how Oracle Identity Manager 11gR1 can be extended.

Thursday Jan 05, 2012

CAPTCHA and Identity Manager

Wrote a blog entry on my team's SecureGov site the other day.  It's an overview of how we built a custom registration interface for Oracle Identity Manager (OIM) 11g.  What was unique about this solution is that it integrated the reCAPTCHA service into the registration process.

Wednesday Jan 04, 2012

Project OpenPTK v2.0 released

Version 2.0 "shipped" 

The Project Open Provisioning ToolKit (OpenPTK) http://www.openptk.org has released version 2.0. It has been "tagged" in the svn repository. See the project download page for access instructions ...  https://sites.google.com/a/openptk.org/docs/release-2-x/v2-0-download

Release 2.0 of Project OpenPTK builds on the success of Release 1.x.

The goal: enable developers to create custom interfaces to a variety of repositories.

Release 2.0 gives the developer more choices for how they want to create custom interfaces. Release 2.0 supports more back-end repositories: SPML 1 and 2, LDAP, JDBC, Oracle Identity Manager 11g. 

Here is a summary of the major new features in version 2.0:

  • Servlet-Based (Engine Architecture)
  • RESTful-based Web Service
  • Service / Operation Level Configuration
  • Client-Side Java API
  • Authentication
  • Authorization
  • Models, Views and Relationships
  • Actions
  • Encryption
  • Templates
  • Definition Functions
  • Enhanced Search
  • Services

For full details, see the OpenPTK version 2.0 Release Notes:

https://sites.google.com/a/openptk.org/docs/release-2-x/release-notes

Monday Aug 25, 2008

Secure SPML communications

Last week I got an email from a developer who is using Project OpenPTK. They want to use HTTPS/SSL to secure communications between Sun Identity Manager and an OpenPTK-enabled application.

I was pretty sure this was "do-able" but I have not had a chance/need to configure OpenPTK using HTTPS/SSL. With that said, I did some research, contacted some co-workers, and set up a little test lab. The process is relatively straightforward; I used two Glassfish domains (SPML-Server / SPML-Client) and self-signed certificates:

  1. Configure OpenPTK applications to use SSL/HTTPS
  2. Replace the default certificate on the SPML-Server (Sun Identity Manager)
  3. Add the certificate to the SPML-Client (OpenPTK-enabled Application)

The complete (detailed) process is documented in the Project OpenPTK Release 1.1 Installation Guide.

Saturday Aug 23, 2008

Third Meeting: Chicago-Area Identity Management User Group

This past Thursday evening we had our third meeting. Sun hosted the meeting in their Itasca, IL office. The attendees included the local Sun Identity team, partners (Laurus Technologies) and users (United Airlines, Motorola, Kraft Foods, Northeastern Illinois University).

To "kick-off" the meeting, the Sun Identity team asked the User Group community for help ... Leveraging the wikis.sun.com site, they started a new collaboration site focused at sharing Identity Manager knowledge. http://wikis.sun.com/display/sunidmdev is a wiki site where registered users can share their workflows, forms, and other artifacts with the community.

Agenda:

6:00 - 6:30  Greetings and Catered Dinner
6:30 - 6:45  Introductions
6:45 - 7:30  What's New with Identity Manager and Role Manager
7:30 - 7:45  Break
7:45 - 8:30  Integrating Identity Manager and Access Manager (OpenSSO)
8:30 - 9:00  User Group business

The first presentation was given by the Identity folks at Sun. They gave an overview of Identity Manager 8.0 and Role Manager 4.0. They covered the new features, integration points and a roadmap. The second presentation was given by Laurus Technologies. They gave a presentation and demonstration related to how you can integrate Identity Manager with Access Manager (they actually used OpenSSO, very cool).

During the "business" part of the meeting, we talked about how to improve the User Group. Here is what the members asked for:

  • Want to hear customer stories
  • Have meetings during business hours
  • Allow remote attendance (webex)

We updated our list of future meeting topics. We had two customers offer to give a presentation on what they are doing with Identity Manager. The next meeting has been set for Thursday November 13th, 2008. It will be a breakfast meeting held at the Sun Itasca IL office; a webex session will be available for those users that can't attend in-person. The current agenda (subject to change):

8:30 - 9:00  Greetings and Breakfast
9:00 - 9:45  Customer Story: Motorola
9:45 - 10:30  Customer Story: To Be Confirmed
10:30 - 11:00  User Group business

Sun Microsystems, Inc.
Two Pierce Place
15th Floor, Skyline Conference Room
Itasca, IL 60143

Future topics:

  1. Sun Role Manager SOD and Compliance
  2. Sun Identity Manager and Access Manager integration
  3. Directory Server non-people use
  4. Federated Access Manager 8 feature update
  5. Sun JavaCaps 6 feature update
  6. Password Sync with Active Directory
  7. Identity Manager to enable business growth
  8. PKI integration
  9. Customer Stories
  10. Panel of Customers for Role Manager
  11. Identity as a software service (SaaS)
  12. ESSO
  13. External facing deployments
  14. Role Rationalization: best practices, customer deployments

If you wish to be informed (sent emails) of User Group activities, please send an email to RequestChicagoIdmLUG at Sun dot COM and you will be added to the mailing list.

Friday May 23, 2008

Second Meeting: Chicago-Area Identity Management User Group

Last night was our second meeting. Sun hosted the meeting in their Itasca, IL office. We had two great presentations given by partners that are experts in Identity Management. It was great to see the users asking questions and sharing experiences. After the formal meeting ended, a number of the users and partners stayed late, told stories and discussed solutions. The community is growing.

This meeting is about bringing together a community of users, vendors and partners with common interests in identity management. The group focuses on provisioning, access control, and user repository technologies that support business processes related to the management of identity data. The following technologies were discussed during the meeting:

  • Identity Manager
  • Access Manager
  • Directory Server
  • Role Manager
  • Java CAPS

Meeting agenda:

6:30 - 7:00  Greetings and Catered Dinner
7:00 - 7:15  Introductions
7:15 - 8:00  Upgrading Identity Manager, Laurus Technologies
8:00 - 8:45  Doing more with Identity Manager, Deloitte
8:45 - 9:00  User Group business

The attendees included the local Sun identity team, partners (Laurus Technologies, Deloitte) and users (United Airlines, Motorola, Hewitt, Northern Trust, Allstate). We compiled a list of topics for future meetings:

  1. Sun Identity Manager 8 feature update
  2. Sun Identity Manager and Sun Role Manager integration
  3. Sun Role Manager SOD and Compliance
  4. Sun Identity Manager and Access Manager integration
  5. Directory Server non-people use
  6. Federated Access Manager 8 feature update
  7. Sun JavaCaps 6 feature update
  8. Password Sync with Active Directory
  9. Identity Manager to enable business growth
  10. PKI integration
  11. Customer Stories
  12. Panel of Customers for Role Manager
  13. Identity as a software service (SaaS)

The community voted and selected two topics for the next meeting:

  • Identity Manager: Update, Role Manager integration, SOD/Compliance
    (Brian Taylor from Deloitte is leading this topic)
  • Access Manager and Identity Manager Integration
    (Jeremy Miller from Laurus Technologies is leading this topic)

The next meeting has been scheduled for Thursday, August 21st, 2008 @ 6:00pm. The meeting will be held at:

Sun Microsystems, Inc.
Two Pierce Place
15th Floor, Skyline Conference Room
Itasca, IL 60143

If you wish to be informed (sent emails) of User Group activities, please send an email to RequestChicagoIdmLUG at Sun dot COM and you will be added to the mailing list.

Thursday May 01, 2008

Late Night with Project OpenPTK

Tuesday night the OpenPTK team had a meeting @9:30 PM Central that went past midnight. Derrick, Terry and I talked about what was going to be in release 1.1, the plans for 1.2 and 2.0 of the project. We got a lot of new features added to release 1.1 and the plans for the future look good. We're getting more help from the community, which is great. We've posted the minutes of the meeting (thanks Terry) on openptk.dev.java.net under the meeting minutes forum.

Saturday Apr 26, 2008

First sfbay Idm user group meeting

Last week I was invited to speak at the first sfbay identity management user group meeting. The meeting was held at the Sun Santa Clara facility. I gave an overview of Project OpenPTK. We had users from The Gap, Hitachi, Weyerhaeuser and Safeway. It was a good first meeting. If you're interested in joining the user group, please send an email to "REQUEST_SFBAY_IDM_LUG AT sun DOT com".

Wednesday Apr 16, 2008

How To Extend OpenPTK

Extending OpenPTK, the User Provisioning Toolkit by Masoud Kalali -- Project Open Provisioning ToolKit (OpenPTK) is an open source user provisioning toolkit exposing APIs, web services, HTML taglibs, and JSR-168 portlets with user self-service and administration examples. OpenPTK hides the implementation differences between different user stores, allowing developers to use multiple stores with a common API. Masoud Kalali shows how to use and extend the toolkit.

Thursday Mar 20, 2008

An Overview of Project OpenPTK

OpenPTK is an open source project that provides a collection of tools and sample applications that Web and Java developers can use to integrate custom applications with user provisioning systems. Using industry standard interfaces, developers can build flexible user management applications that support Enterprise-class, department/group level and Web 2.0 type user provisioning environments.

Organizations:

Most intranet and Internet applications require user authentication. Applications either have an integrated data store (e.g. RDBMS) or leverage a network service (e.g. LDAP) for validating users. Managing the "life cycle" of user data has become challenging. There are different user provisioning strategies:

  • An enterprise typically implements a provisioning solution such as Sun's Identity Manager to manage user data across multiple applications and services.
  • Departments (or group level) may only have a single application that has a dedicated user data store. The volume of user management activities is usually small.
  • Web 2.0, Internet facing, applications typically leverage a scalable / available network service for storing user information.

Requirements:

Organizations need to implement a set of basic user management capabilities. For End Users, a solution needs to provide "Forgotten Password" and "Self Service" functionality. For User Administration, a solution needs to provide fundamental Create, Read, Update, Delete and Password operations. Provisioning solutions and user data stores most likely provide these basic user management capabilities through their native interfaces. The problem is that these native interfaces may not meet the organization's requirements. Organizations have expressed the need to integrate user management systems with different custom "End User" experiences/interfaces. Commonly requested interfaces include:

Remote Web Interface: Organizations need a Web interface, for user provisioning, that can be deployed remotely from the system that hosts the provisioning solution.
Command Line Interface: Administrators need an interface that allows them to perform provisioning from a command-line interface, either interactively or from a shell script.
Portal / Portlet Interface: Enterprise and Departmental organizations may have to provide user provisioning interfaces into an existing Portal infrastructure.
WSDL-based Web Service: Developers need to integrate user provisioning into a SOA environment and are requiring Web Services that can be used by SOA development tools.

Because of these requirements for custom end-user experiences, organizations will build applications that leverage different types of development environments. The "End User" application (experience) may need to support a rich native desktop interface, a browser-based interface, a Web Service or a command-line interface. Developers will design solutions that integrate an organization's interface experience with the various user data stores. Developers will most likely have to learn the details related to interacting with the various user data stores. Web developers may not be prepared to deal with the Java APIs that are needed to access the data store(s).

Solution:

Project OpenPTK is a three-tier architecture which enables developers to focus on the business application interface, not on the underlying user data store. There's a number of "Consumer Tier" interfaces which address various development options. The "back-end" user data store is abstracted through the "Service Tier". The "Framework Tier" integrates the Consumer and Service tiers while also managing configurations, logging/debugging and provisioning operations.

Project OpenPTK Architecture

Consumer Tier interfaces/examples:

User Management Lite (UML): A JSPs/Taglib-based web application which provides basic user administration, and self-service functions.
Command Line Interface (CLI): Provides basic provisioning operations. The CLI can be part of custom scripts that administrators can use to automate provisioning tasks.
JSR-168 Portlets: Provides "Forgotten Password", "Self Service" and "User Administration" capabilities. These portlets can be integrated into a customer's existing JSR-168 compliant Portal server.
WSDL-based Web Service: Provides User provisioning operations. Web Service clients (e.g. Java CAPS and soapUI) can reference the WSDL from this service and create custom integration solutions.

Service Tier implementations:

SPML: The Service Provisioning Markup Language is the external interface used by Sun's Identity Manager user provisioning solution.
SPE: Sun's Identity Manager, user provisioning solution, contains a Service Provider Edition interface for user provisioning.
JNDI: The Java Naming and Directory Interface API is used to access LDAP-based (e.g. OpenDS) user data stores.
JDBC: The Java Database Connectivity API is used to access Relational Database user data stores (e.g. MySQL).

Developers can use Project OpenPTK's interfaces and APIs to handle user provisioning operations without having to worry about the back-end user data stores. User provisioning applications that leverage Project OpenPTK can easily support multiple different user data stores through the use of its flexible configuration mechanism.

Project OpenPTK is a formal open source project hosted on Java.net and is part of the Identity Management community. Project OpenPTK founders: Scott Fehrman, Derrick Harcey and Terry Sigle are Pre-Sales Systems Engineers supporting Sun's Identity Management products.

The Project OpenPTK site contains source code (via svn), documentation, distributions and tracks issues. Anyone is welcome to join the community as an Observer and please subscribe to the "user" and "announce" mailing lists.

Wednesday Feb 20, 2008

First Meeting: Chicago-Area Identity Management User Group

Last night was the first meeting of the Chicago-Area Identity Management User Group. Sun hosted the meeting in their Itasca, IL office. The user group is focused on sharing knowledge and experiences related to Identity Manager, Access Manager, Directory Server and RBACx.

The attendees included the Sun identity team, partners (Laurus Technologies, Deloitte) and customers (Kraft, Motorola, Hewitt). Meeting agenda:

  • User Group vision/strategy
  • Sun: Identity Suite Roadmap
  • Deloitte: Role Management for Enterprise (RM4E)
  • User Group Next Steps

The user group raised / discussed the following items:

  • More focus on manageability with Identity Manager; upgrades, integration, debugging
  • More "best practices" examples (whitepapers, templates, etc.) for Identity Manager
  • How to leverage Identity Manager for SOX compliance
  • Need Resource Kit (tools) for Identity Manager, like Directory Server
  • Need to enhance the Directory Editor that is part of the Directory Server

Agenda for the next meeting:

  • Upgrading Identity Manager (Laurus Technologies)
  • Getting more value out of Identity Manager (Deloitte)
  • Identity Manager 8.0 Overview (Sun)

The next meeting will be held at the Sun Itasca Office @ 6:30 pm on Thursday May 22nd 2008.

If you're interested in joining the user group, please send an email to: requestChicagoIdmLUG at Sun dot COM

Wednesday Jan 09, 2008

First Project OpenPTK meeting for 2008

The Project OpenPTK team had their first meeting of the year. We posted the notes on openptk.dev.java.net as a new Forum called Meeting Minutes. We talked about open issues and new ideas. Here's a summary of ideas for new features:

  • JDBC Service
  • RESTful Web Service
  • Authentication
  • Solaris Naming Service

Monday Dec 03, 2007

LDAP/JNDI Service for Project OpenPTK

Today we posted an announcement related to a new feature that was just added to Project OpenPTK. The new feature is a Service that enables OpenPTK-based applications to provision users to LDAP-based directory servers.

Why is this important? The new LDAP/JNDI Service demonstrates that User Provisioning applications (which leverage Project OpenPTK consumer interfaces) can be abstracted from the back-end user repository. Prior to this announcement, OpenPTK-based applications could only leverage the SPML Service. Developers can now build User Provisioning interfaces that could use LDAP for Search and Read operations while SPML would be used for Create, Update and Delete operations.

The Test Samples and Example applications provided in the Project OpenPTK source download have been tested with both LDAP/JNDI and SPML. The Command Line and User Management Lite examples can easily switch between back-end user repositories by either updating a configuration file or by specifying a context at run-time.

The OpenDS directory server was used for development and testing. It was so easy to download, install and configure. Another must-have tool, if you're working with LDAP, is the Apache Directory Studio.

This is just the beginning of what the Project OpenPTK team has planned for this new LDAP/JNDI Service.

About

Scott Fehrman
