Monday, October 9, 2017

OIM 11g PS3 Code Sample to Reconcile Multiple Child Attributes

When I was recently writing custom code to reconcile multiple columns of a child table from a home-grown product for a customer, I faced a few problems, maybe because I was writing reconciliation code for multiple multi-valued attributes for the first time ☺. To help you out, I am sharing the sample code for the portion that may trouble you:

Thursday, February 25, 2016

Authenticating OIM API without password (Signing Digitally)

We can access the OIM 11g R2 APIs without supplying the password of xelsysadm (or any other admin user). In other words, the OIM APIs can be authenticated with a digital signature, similar to 10g, as shown in the code snippet below. The client signs the login message with the OIM private key (the key that the XLPKIProvider section of xlconfig.xml maps to the logical name "PrivateKey"), so the keystore and configuration files that hold that key must be protected as carefully as the xelsysadm password itself: anyone who can read them can log in as any user they name, without a password.

  import java.util.Hashtable;
  import javax.security.auth.login.LoginException;

  import oracle.iam.platform.OIMClient;
  import com.thortech.xl.crypto.tcCryptoException;
  import com.thortech.xl.crypto.tcCryptoUtil;
  import com.thortech.xl.crypto.tcSignatureMessage;
  // Base64 is the Base64 helper class bundled with the OIM client libraries

  public OIMClient loginUsingSignature() throws tcCryptoException, LoginException {
        String userName = "XELSYSADM";

        // JAAS login configuration shipped with the OIM client (note the escaped backslash;
        // "c:\authwl.conf" does not compile because \a is not a valid Java escape)
        System.setProperty("java.security.auth.login.config", "c:\\authwl.conf");
        System.setProperty("APPSERVER_TYPE", "wls");
        System.setProperty("weblogic.Name", "oim_server1");

        Hashtable<String, String> env = new Hashtable<String, String>();
        // t3 URL of the OIM managed server; replace host:port with your own
        env.put(OIMClient.JAVA_NAMING_PROVIDER_URL, "t3://host:port");
        env.put(OIMClient.JAVA_NAMING_FACTORY_INITIAL, "weblogic.jndi.WLInitialContextFactory");

        OIMClient clientPlatform = new OIMClient(env);

        // Sign the user name with the key that xlconfig.xml maps to the logical name "PrivateKey"
        tcSignatureMessage signedMsg = tcCryptoUtil.sign(userName, "PrivateKey");
        byte[] tmpB = tcCryptoUtil.getSerializedMessage(signedMsg);

        // OIM recognises the "xlSigned::" prefix and verifies the signature instead of checking a password
        String tmp = "xlSigned::" + Base64.getEncoded(tmpB);

        // Let tcCryptoException / LoginException propagate rather than swallowing them in an empty
        // catch block: returning a client whose login failed only surfaces as obscure errors later
        clientPlatform.login(userName, tmp);
        return clientPlatform;
    }
  

Wednesday, August 20, 2014

Dependent Resource Object Concept in Oracle Identity Manager (OIM)

Do you know that the Exchange Resource Object depends on the 'Active Directory' RO? ... come on!!! You know this :)

Recently, for one of my customers, it was reported that whenever an AD account is disabled the corresponding Exchange account is also disabled, and vice versa.
At first glance I thought (as the Exchange connector guide also states) that this functionality is specific to the AD/Exchange connector. But on investigation the following facts came out:

1) This functionality has nothing to do with any connector deployment; it is because of RO dependency.
2) All process tasks of the dependent RO whose Task Effect is "Disabled", "Enabled" or "Revoke" are triggered automatically when the corresponding tasks of the parent Resource Object are triggered.

3) The important thing to notice is that the triggering of all these tasks depends on the parent RO statuses selected on the Statuses tab.

I believe you got it; if not, please do let me know ;)

Wednesday, June 18, 2014

Stand Alone OIM with a Cluster is not a good Idea in 11gR2 PS2


Let me explain what I mean by "Stand Alone OIM with a Cluster...". As we all know, a new OIM instance can be pointed to an existing OIM DB schema just by copying some config files (e.g. .xlDatabaseKey, etc.) used by an already running OIM cluster or stand-alone instance. In one of my recent engagements, for some reasons (guess what? :)), it was decided to add one more OIM instance that was not part of the existing OIM cluster but used the same database. This new OIM instance was set up for a very specific purpose that had a huge dependency on the SOA server. After the new instance was brought up we saw the issues below :(

1) Somehow the SOA URL (you can see this in EM) now pointed to the new stand-alone SOA server. This happens because the OIM configuration (oim-config.xml) lives in MDS, i.e. in the shared database, so the new instance's SOA settings overwrote the cluster's. Now think what the adverse effect could be: every SOA call made by the cluster, such as request approvals, is routed to that stand-alone server.

2) Since the WebLogic password was different for this new instance, an authentication error was thrown whenever a SOA call was made from any of the cluster servers.

There are some workarounds, but this architecture is not advisable at all.

If you are trapped in such a situation or want to learn how to come out of it, please email me at zubair.jamia@gmail.com

Monday, May 14, 2012

Oracle Identity Manager (OIM) Interview Questions

Recently I appeared for a couple of interviews and wanted to share the questions asked. The level of the questions ranges from junior programmer to architect. If required, I will provide answers to some of the questions.

Q1 (very generic nowadays): What is the difference between OIM 11g and 10g from a high-level architecture perspective?

Ans1: At a high level, the brief differences are:
a) 10g Request Management has been replaced by SOA composites, with a customized schema accommodating BPEL and Human Tasks.
b) The reconciliation engine has been rewritten in 11g to improve performance by introducing a cache mechanism.
c) OES libraries are used as the authorization engine, unlike 10g, which had its own object/view-based authorization.
d) A plug-in services platform is introduced in 11g for easier customization, which can be loosely mapped to the entity adapter functionality in 10g.
e) Groups in 10g are now called Roles in 11g, with some modifications that make them more like LDAP roles.
Some more differences related to notifications, schedulers, etc. can be discussed if time permits.

Q2: What is the Form Version Control (FVC) utility and why is it used?

Q3: What are the benefits of using MDS in OIM 11g?

Q4: Suppose a target system is integrated with OIM and the administrator of that application creates an account directly in it. How would you detect this irregularity through OIM?

Q5: Suppose you don't have the connector cloning tool in OIM; how would you clone a connector? Explain the step-by-step approach.

Q6: Why does OIM use a Remote Manager (RM)?

Q7: What is a service account? Or, why is a service account required?

Q8: Will the account attributes of a service account change when the corresponding attribute of its owner user changes (in OIM)? Explain your reasoning in either case.

Q9: What is the significance of the USR_Triggers* lookup?

Q10: Differentiate the scenarios in which you would use LDAP sync vs the OID connector.

Q11: Suppose you have to write a custom connector for a target application that exposes a Java API. What methods do you need to write for a basic connector?

Q12: Differentiate between a Request Model and a Request Template.

Q13: What different levels of approval does the OIM 11g approval engine have? Also explain their differences.

Q14: What is SoD? How has it been implemented in OIM?

Q15: While migrating OIM 10g to 11g, which components can be migrated directly?
