Tuesday, 30 May 2017

Decrypt user's password in OIM 11gR2 PS3

In OIM 11gR2 PS1 we were able to get the user's password in clear text using below java code

tcDataProvider dbProvider = new tcDataBaseClient();
String query = "select USR_LOGIN,USR_PASSWORD from USR where USR_LOGIN=UPPER('"+uid+"')";
tcDataSet dataSet = new tcDataSet();
dataSet.setQuery(dbProvider, query);
dataSet.executeQuery();
System.out.println("Password:: "+dataSet.getString("USR_PASSWORD"));

Starting from OIM 11gR2 PS2 this process no longer applicable, even if you run the above code in PS2 or PS3 version, this will give you ********* instead of clear text password.


I have found a way to get the user's password in clear text in OIM 11gR2 PS3 version. Execute the below procedure to get the same

1. take an ITResource in OIM and update password in password field.

     In my case I choose ITResource "Directory Server" and update "Admin Password" field.
    

2. From SQL Developer run the below query to get the database field of that ITResource

       select spd.SPD_FIELD_NAME, svp.SVP_FIELD_VALUE from spd, svp where
        spd.spd_key = svp.spd_key and
        spd.svd_key = (select svd_key from svr where svr_name = 'Directory Server') and
        svp.svr_key = (select svr_key from svr where svr_name = 'Directory Server')

        Output
       



3. Find out the password field that you updated from sysadmin console. You can see the password is encrypted.

4. Now run below query to get the encrypted password of OIM user

     select USR_PASSWORD from USR where USR_LOGIN='XELSYSADM';

     Output: 3412:ElLNJh2hLSqX+OdI9CxS8Q==

5. Now copy the password of XELSYSADM and update the "Admin Password" field in ITResource from database table.

6. Now run the below method to get the password of XELSYSADM in clear text


public void getITResourceParameter() throws Exception {


final String methodName = "::getITResourceParameter::";


Map phAttributeList = new HashMap();
phAttributeList.put("IT Resources.Name", "Directory Server");


HashMap paramMap = new HashMap();


tcITResourceInstanceOperationsIntf ITResourceAPI = (tcITResourceInstanceOperationsIntf)oimClient.getService(tcITResourceInstanceOperationsIntf.class);

tcResultSet itresSet = ITResourceAPI.findITResourceInstances(phAttributeList);
itresSet.goToRow(0);

String ITResourceKey = itresSet.getStringValue("IT Resources.Key");
System.out.println("ITResourceKey::"+ITResourceKey);

tcResultSet paramValuesRS = ITResourceAPI.getITResourceInstanceParameters(Long.parseLong(ITResourceKey));

for(int j=0;j<paramValuesRS.getTotalRowCount();j++){

paramValuesRS.goToRow(j);
paramMap.put(paramValuesRS.getStringValue("IT Resources Type Parameter.Name"), paramValuesRS.getStringValue("IT Resources Type Parameter Value.Value"));

}


String adminPassword = (String) paramMap.get("Admin Password");


System.out.println("adminPassword ::"+adminPassword);

}


You can use any user instead of XELSYSADM to get their OIM password in clear text.

Explanation    
1. Even if in OIM PS3 version, they block the dataset API to get the password in clear text from USR table, but ITResource API still capable of getting ITResource password in clear text from database.

2. OIM still use single encryption mechanism to encrypt all of its password.

Now if you can replace the encrypted password from USR table to SVP table of ITResource, then you can use the ITResource API to get the password.

** Oracle still need to work on this to enhance the security of user's password.

Monday, 29 May 2017

Get Parrent and Child request details of OIM

The below code snippet will give u the details of the Parent and Child request details of a given request id.



public void getRequestDetails(String reqId) throws Exception{

OIMClient oimClientObj = getRequesterConnection("xelsysadm");
RequestService reqAPI = (RequestService)oimClientObj.getService(RequestService.class);

/**
* Get parent request details
*/

Request req = reqAPI.getBasicRequestData("34002");
Request pReq = req.getParentRequest();
System.out.println("Parent Request: "+pReq.getRequestID());

/**
* get the child request details
*/
pReq = reqAPI.getBasicRequestData(pReq.getRequestID());
List<Request> cReqs = pReq.getChildRequests();

System.out.println("Other Chlied request for entitlements");


for (int i=0; i<cReqs.size(); i++){

System.out.println(cReqs.get(i).getRequestID()+" : "+cReqs.get(i).getRequestModelName());

}

}

Output

Parrent Request: 34001
Other Chlied request for entitlements
34002 : Provision ApplicationInstance
34003 : Provision Entitlement
34004 : Assign Roles



Approving OIM request programatically using BEPL APIs

Using BEPL APIs one can programmatically perform actions on a OIM request. Below is an example of the same.

1. Create a project in eclipse.
2. Copy the below jars from servers

            [WL_HOME]/server/lib/weblogic.jar
      [SOA_HOME]/soa/modules/oracle.soa.fabric_11.1.1/bpm-infra.jar
      [SOA_HOME]/soa/modules/oracle.soa.fabric_11.1.1/fabric-runtime.jar
      [SOA_HOME]/soa/modules/oracle.soa.workflow_11.1.1/bpm-services.jar
      [WL_HOME]/server/lib/wlfullclient.jar

      [OIM_HOME]/server/ext/spml/wsclient_extended.jar

3. Set the above jars in your project classpath
4. Use the below code in your project.


import java.util.ArrayList;
import java.util.List;
import java.util.logging.Logger;


import com.bea.security.providers.xacml.entitlement.parser.Predicate;
import oracle.bpel.services.workflow.WorkflowException;
import oracle.bpel.services.workflow.client.config.RemoteClientType;
import oracle.bpel.services.workflow.client.config.RemoteClientType.Password;
import oracle.bpel.services.workflow.client.config.ServerType;
import oracle.bpel.services.workflow.client.config.WorkflowServicesClientConfigurationType;
import oracle.bpel.services.workflow.client.IWorkflowServiceClient;
import oracle.bpel.services.workflow.client.WorkflowServiceClientFactory;
import oracle.bpel.services.workflow.query.ITaskQueryService;
import oracle.bpel.services.workflow.query.ITaskQueryService.AssignmentFilter;
import oracle.bpel.services.workflow.repos.TableConstants;
import oracle.bpel.services.workflow.task.ITaskService;
import oracle.bpel.services.workflow.task.model.Task;
import oracle.bpel.services.workflow.verification.IWorkflowContext;



 

public class ApproveOIMRequest {

public void approveRequest(String reqId) throws Exception{
Logger logger = Logger.getLogger(ApproveOIMRequest.class.getName());

/**
* Adding SOA server and its properties into the WorkflowServicesClientConfigurationType
*/

WorkflowServicesClientConfigurationType wssst = new WorkflowServicesClientConfigurationType();
List<ServerType> servers = wssst.getServer();
ServerType server = new ServerType();
server.setDefault(true);
server.setName("soa");

servers.add(server);


/**
* Creating remote client with all the SOA server connection parameters including login user as xelsysadm.
*/

RemoteClientType rct = new RemoteClientType();
rct.setServerURL("t3://ess.com:8001");
rct.setUserName("xelsysadm");
Password weblogicPWD = new Password();
weblogicPWD.setValue("Welcome1");
rct.setPassword(weblogicPWD);
rct.setInitialContextFactory("weblogic.jndi.WLInitialContextFactory");
rct.setParticipateInClientTransaction(false);

server.setRemoteClient(rct);

/**
* Creating remote enterprise java bean interface to invoke workflow
* service located remotely from the client.
*
* After creating IWorkflowServiceClient object, get the Query Service.
*/

IWorkflowServiceClient wfsc = WorkflowServiceClientFactory.getWorkflowServiceClient(WorkflowServiceClientFactory.REMOTE_CLIENT,wssst,logger);

ITaskQueryService qService = wfsc.getTaskQueryService();

/**
* Authenticating using xelsysadm
*/

String xelsysadmPassword = "Welcome1";
IWorkflowContext wctx = qService.authenticate("xelsysadm", xelsysadmPassword.toCharArray(), null);

/**
* List the column name to get the value from query service.
* the columns are all from WFTASK table in SOAINFRA schema.
*/

List queryColumns = new ArrayList();
queryColumns.add("TASKID");
queryColumns.add("TASKNUMBER");
queryColumns.add("TITLE");
queryColumns.add("OUTCOME");
queryColumns.add("IDENTIFICATIONKEY");


/**
* Assigning filter for selecting assigned tasks
*/

AssignmentFilter assignmentFilter = AssignmentFilter.ALL;
/**
* List all the assignd tasks for logged in user.
*/

List tasks = qService.queryTasks(wctx, queryColumns, null, assignmentFilter, null, null, null, 0, 0);


/**
* get the object of task service in order to perform actions on tasks.
*/
ITaskService taskService = wfsc.getTaskService();

System.out.println("tasks.size() :"+tasks.size());
/**
* Iterate the list of tasks and check for the request id and status.
* if the status is not APPROVED and request id gets matched, then
* perform update task like APPROVE the task
*/

for (int i=0; i<tasks.size(); i++){

//System.out.println("Task found for request id: "+reqId);
Task task = (Task) tasks.get(i);
int taskNumber = task.getSystemAttributes().getTaskNumber();
String taskTitle = task.getTitle();
String taskId = task.getSystemAttributes().getTaskId();
String taskOutcome = task.getSystemAttributes().getOutcome();
String identificationKey = task.getIdentificationKey();

//System.out.println(taskNumber+" "+taskTitle+" "+taskOutcome+" "+identificationKey);

if (identificationKey.equalsIgnoreCase(reqId) && taskOutcome == null){
System.out.println(taskNumber+" "+""+" "+taskOutcome+" "+identificationKey);
taskOutcome = "APPROVE";
taskService.updateTaskOutcome(wctx, taskId, taskOutcome);

}

}

System.out.println("Done");
}


public static void main(String[] args) {

ApproveOIMRequest a = new ApproveOIMRequest();

try {
a.approveRequest("32001"); //Request Id is the input parameter.
} catch (Exception e) {

e.printStackTrace();

}

}

}


Wednesday, 24 May 2017

Weblogic bsu - java.lang.OutOfMemoryError

sometime you can find the java heap space issue while applying weblogic patches using bsu. The error looks like below


Exception in thread "main" Exception in thread "Thread-0" java.lang.OutOfMemoryError: Java heap space
        at java.util.HashMap.createEntry(HashMap.java:897)
        at java.util.HashMap.addEntry(HashMap.java:884)
        at java.util.HashMap.put(HashMap.java:505)
        at com.bea.cie.common.dao.xbean.XBeanDataHandler.loadPropertyMap(XBeanDataHandler.java:778)
        at com.bea.cie.common.dao.xbean.XBeanDataHandler.<init>(XBeanDataHandler.java:99)
        at com.bea.cie.common.dao.xbean.XBeanDataHandler.createDataHandler(XBeanDataHandler.java:559)
        at com.bea.cie.common.dao.xbean.XBeanDataHandler.getComplexValue(XBeanDataHandler.java:455)
        at com.bea.plateng.patch.dao.cat.PatchCatalogHelper.getPatchDependencies(PatchCatalogHelper.java:442)
        at com.bea.plateng.patch.dao.cat.PatchCatalogHelper.getPatchDependencies(PatchCatalogHelper.java:464)
        at com.bea.plateng.patch.dao.cat.PatchCatalog.getPatchDependencies(PatchCatalog.java:56)
        at com.bea.plateng.patch.dao.cat.PatchCatalogHelper.getInvalidatedPatchMap(PatchCatalogHelper.java:1621)
        at com.bea.plateng.patch.PatchSystem.updatePatchCatalog(PatchSystem.java:436)
        at com.bea.plateng.patch.PatchSystem.refresh(PatchSystem.java:130)
        at com.bea.plateng.patch.PatchSystem.<init>(PatchSystem.java:114)
        at com.bea.plateng.patch.PatchSystem.<clinit>(PatchSystem.java:41)
        at com.bea.plateng.patch.Patch.main(Patch.java:279)
java.lang.NoClassDefFoundError: Could not initialize class com.bea.plateng.patch.PatchSystem
        at com.bea.plateng.patch.PatchClientHelper.getAllPatchDetails(PatchClientHelper.java:74)
        at com.bea.plateng.patch.PatchInstallationHelper.cleanupPatchSets(PatchInstallationHelper.java:130)
        at com.bea.plateng.patch.PatchTarget.<init>(PatchTarget.java:272)
        at com.bea.plateng.patch.PatchTargetFactory.create(PatchTargetFactory.java:30)
        at com.bea.plateng.patch.ProductAliasTarget.constructPatchTargetList(ProductAliasTarget.java:88)
        at com.bea.plateng.patch.ProductAliasTarget.<init>(ProductAliasTarget.java:46)
        at com.bea.plateng.patch.ProductAliasTargetHelper.getProdAliasTargetList(ProductAliasTargetHelper.java:55)
        at com.bea.plateng.patch.ProductAliasTargetHelper.getAllHomeToProdAliasesTargetMap(ProductAliasTargetHelper.java:32)
        at com.bea.plateng.patch.ProductAliasTargetHelper.checkProfilesInProductAliases(ProductAliasTargetHelper.java:133)
        at com.bea.plateng.patch.Patch$1.run(Patch.java:376)
        at java.lang.Thread.run(Thread.java:745)





Solution


1. open the bsu.sh (MIDDLEWARE_HOME/utils/bsu/bsu.sh) file edit mode
2. change the memory args value as below


From


MEM_ARGS="-Xms256m -Xmx512m"


To


MEM_ARGS="-Xms512m -Xmx1024m"


3. Save the file and run bsu again.

Tuesday, 23 May 2017

Calling Unix command from Java

Here is the code sample for calling Unix command from java. The below sample can only run the Unix command in the same system.


public class LinuxInJava {
    public static void main(String args[]) {
        String s;
        Process p;
        try {
            p = Runtime.getRuntime().exec("ls -aF");
            BufferedReader br = new BufferedReader(new InputStreamReader(p.getInputStream()));
            while ((s = br.readLine()) != null){
                System.out.println("line: " + s);
   
    }
            p.waitFor();
            System.out.println ("exit: " + p.exitValue());
            p.destroy();
        } catch (Exception e) {}
    }
}




Friday, 19 May 2017

OIM 11gR2 PS3 Workflow policy page showing blank

In OIM 11gR2 PS3, one should not update the default applications (Self-Service and Sysadmin) from Weblogic deployments.



Sometime during implementation of OIM UI Customizations, peoples are updating the oracle.iam.ui.custom. In PS3 you can find that while updating oracle.iam.ui.custom, automatically below depended applications got updated.



If by mistake oracle.iam.console.identity.self-service.ear and oracle.iam.console.identity.sysadmin.ear got updated then you may find the workflow policy in sysadmin console showing blank. See the below image where opening the Workflows -> Approvals showing a white page.






Reason:
In OIM PS3, if some how oracle.iam.console.identity.self-service.ear and oracle.iam.console.identity.sysadmin.ear got updated then the OPSS policy gets overwritten.


Solution:
To resolve this issue, we need to Re-Seed the policy again from self service and sysadmin.
There are 3 policy files you need to re-seed.


1. Copy 'jazn-data.xml' (from OIM.ear) to a different directory.
2. Copy 'jazn-data.xml' (found in oracle.iam.console.identity.self-service.ear) to a different directory.
3. Copy 'jazn-data-sysadmin.xml' (found in oracle.iam.console.identity.self-service.ear) to a different directory.


4. Go to [DOMAIN_HOME]/config/fmwconfig/ take a backup of the file 'jps-config-jse.xml' in the same folder


cp jps-config-jse.xml jps-config-jse_backup.xml


5. Open the backup file 'jps-config-jse_backup.xml' and add the below 2 jps contexts just before the "</jpsContexts>" tag.


<jpsContext name="mydst">
<serviceInstanceRef ref="policystore.db"/>
</jpsContext>

<jpsContext name="mysrc">
<serviceInstanceRef ref="mysource.policystore.xml"/>
</jpsContext>



6. Open the 'jps-config-jse_backup.xml' file and add the below 'serviceInstance' just before the "</serviceInstances>" tag.


<serviceInstance name="mysource.policystore.xml"
provider="policystore.xml.provider" location="<FILE PATH>">
<description>My source</description>
</serviceInstance>



Give an absolute path of jazn-dataXXXX.xml in <FILE PATH> as per the step 1. You need to change the <FILE PATH> 3 times to seed 3 different policies.


7. Goto the location "[MWHOME]/oracle_common/common/bin/" and execute "sh wlst.sh" script


8. Execute the below command to import policies from Jazn-dataxxx.xml to the OPSS store.


Syntax
migrateSecurityStore(type='appPolicies', configFile='/opt/app/oracle/Middleware/user_projects/domains/<oim_domain>/config/fmwconfig/jps-config-jse_backup.xml',
src='mysrc', dst='mydst', srcApp='<Follow point B mentioned above>', overWrite='false')



Example
migrateSecurityStore(type='appPolicies', configFile='[DOMAIN_HOME]/config/fmwconfig/jps-config-jse_backup.xml',src='mysrc', dst='mydst', srcApp='OIM', overWrite='false')


Note: srcApp value will be changed according to the policy data as below:
'jazn-data.xml' (from OIM.ear)  - srcApp is OIM
'jazn-data.xml' (found in oracle.iam.console.identity.self-service.ear) - srcApp is OracleIdentityManager
'jazn-data-sysadmin.xml' (found in oracle.iam.console.identity.self-service.ear) - srcApp is OracleIdentityManager




9. Exit the WLST session using exit() command.
10. Repeat from the Step 6 for the other 2 policies.
11. Once done take a restart of OIM servers.


Example for the WLS command for other 2 policies:


migrateSecurityStore(type='appPolicies', configFile='[DOMAIN_HOME]/config/fmwconfig/jps-config-jse_backup.xml',src='mysrc', dst='mydst', srcApp='OracleIdentityManager', overWrite='false')

Thursday, 18 May 2017

Changing SOA Admin user for OIM

SOA Admin user is an user which is required for OIM to communicate with SOA. By default OIM use weblogic as SOA Admin user, but you can change this user as per your requirement. Changes need to be done in several location. Below is a python script cn be used to change SOA Admin user.


Run this python script for $OIM_HOME/common/bin/wlst.sh


wlst> ./tmp/changeSOAAdmin.py $WL_USER $WL_PASSWORD $OIM1_URL $ADMIN_URL_T3 $WEBLOGIC_DOMAIN_NAME


------------------------------------changeSOAAdmin.py--------------------------------------
#!/usr/bin/python
import sys
wl_user=sys.argv[1]
wl_password=sys.argv[2]
oim1_url=sys.argv[3]
admin_url=sys.argv[4]
domain_name=sys.argv[5]


connect(wl_user,wl_password, oim1_url)
custom()
cd('/oracle.iam/oracle.iam:name=SOAConfig,type=XMLConfig.SOAConfig,XMLConfig=Config,Application=oim,ApplicationVersion=11.1.2.0.0')
set('Username', wl_user)
shutdown(force='true')
disconnect()

connect(wl_user,wl_password,admin_url)
deleteCred(map="oim", key="SOAAdminPassword");
createCred(map="oim", key="SOAAdminPassword", user=wl_user,password=wl_password);

edit()
startEdit()

cd('/ForeignJNDIProviders/ForeignJNDIProvider-SOA')
set('User',wl_user)
set('Password',wl_password)

save()
activate()
exit()

-------------------------------------------------------------------------------------------------------------------
The above script is doing 3 changes


1. Changing the SOA Admin Username in XMLConfig.SOAConfig
2. Recreating the SOAAdminPassword CSF
3. Updating the new user details in ForeignJNDIProvider-SOA

WLST to grant Jps Permission to OIM domain directories

You can grant Jps Permission to directories using following WLST command.


Syntax


grantPermission(codeBaseURL=[]DIRECTORY_URL', permClass=[PERMISSION_CLASS]', permTarget='[PERMISSION_TARGET]')


Example


[OIM_HOME]/common/bin/wlst.sh
connect(wl_user,wl_password, admin_url)


grantPermission(codeBaseURL='file:${XL.HomeDir}/apps/-', permClass='oracle.security.jps.JpsPermission', permTarget='IdentityAssertion')


grantPermission(codeBaseURL='file:${domain.home}/servers/${weblogic.Name}/tmp/_WL_user/-', permClass='oracle.security.jps.JpsPermission', permTarget='IdentityAssertion')

WLST command to deploy SOA composites for OIM

You can deploy SOA composites for OIM using WLST command, without login into EM console


Syntax


sca_deployComposite(serverURL, sarLocation, [overwrite], [user], [password],
[forceDefault], [configplan], [partition])



Example


$SOA_HOME/common/bin/wlst.sh
sca_deployComposite('http://localhost:8001','/workflows/sca_ManagerApproval_rev1.2.jar',true,'weblogic','abcd1234',true,'/workflows/ManagerApproval_cfgplan.xml');

DuplicateRefException in Disconnected Application Instance after upgrading OIM to PS3

After upgrading OIM to PS3 from previous version (like PS1 or R2 base version), we observed that the disconnected application instance's form doesn't work properly. Issue may happen with create form  and modify form.


If the issue is in create form, then you will not be able to raise request of it. Submit of request will throw exceptions.
If issue is with modify form then request can be created but approvers/fulfillment users will not be able to see the form data from request.


we noticed that the issue occurred on those disconnected applications where there are some hidden field in request dataset.


The error looks like below.


oracle.mds.exception.MDSRuntimeException: MDS-00010: DuplicateRefException. In document /oracle/iam/ui/runtime/form/view/pages/[APP_NAME]CreateForm.jsff there are multiple elements with the same ID _xg_0


oracle.mds.exception.MDSRuntimeException: MDS-00010: DuplicateRefException. In document /oracle/iam/ui/runtime/form/view/pages/[APP_NAME]ModifyForm.jsff there are multiple elements with the same ID _xg_0


Solution


1. Export the whole MDS of identity self service.


$OIM_HOME/common/bin/wlst.sh
connect('${WL_USER}','${WL_PASSWORD}','${ADMIN_URL_T3}');
exportMetadata(application='oracle.iam.console.identity.self-service.ear', server='${OIM_INSTANCE_NAME}', toLocation='/tmp/mds');


2. Go to the location where the MDS is exported /tmp/mds.
3. Now move to /oracle/iam/ui/runtime/form/view/pages/mdssys/cust/site/site/
4. Here you can see the create form and modify form's jsff files for all the application instances.
5. Open the create or modify jsff file in editor mode. You can see there are 2 <af: panelFormLayout> tags, which are under same <mds: insert> tag




6. Edit this form and put each <af: panelFormLayout>  under a separate <mds: insert> tag, like below.




7. Save the form do the same for all other application forms.


You can also use the below Unix command to perform the bulk update on all the forms.


Create Forms


find /tmp/mds/oracle/iam/ui/runtime/form/view/pages/mdssys/cust/site/site/ -name *CreateForm.jsff.xml -exec \
 sed  --in-place -e '/<\/af:panelFormLayout>/,/<panelFormLayout id="_xg_0"/s/<\/af:panelFormLayout>/<\/af:panelFormLayout>\n<\/mds:insert>\n<mds:insert parent="sdh1" position="last">/' {} \;



Modify Forms


find /tmp/mds/oracle/iam/ui/runtime/form/view/pages/mdssys/cust/site/site/ -name *ModifyForm.jsff.xml -exec \
 sed  --in-place -e '/<\/af:panelFormLayout>/,/<panelFormLayout id="_xg_0"/s/<\/af:panelFormLayout>/<\/af:panelFormLayout>\n<\/mds:insert>\n<mds:insert parent="sdh1" position="last">/' {} \;



Note: Change the id="_xg_0" or "_xg_1" according to your error message.


8. Zip the entire MDS.


cd /tmp/mds
zip -r ../mds.zip . >/dev/null



9. Upload the mds zip to OIM MDS repository


$OIM_HOME/common/bin/wlst.sh
connect('${WL_USER}','${WL_PASSWORD}','${ADMIN_URL_T3}');
importMetadata(application='oracle.iam.console.identity.self-service.ear', server='$OIM_INSTANCE_NAME', fromLocation='/tmp/mds.zip');



10. Restart the OIM servers.
11. Check all the Disconnected Application Instance form from OIM identity console.


Tuesday, 16 May 2017

Apply weblogic patches in bulk using unix script.

If you apply more than one weblogic patches, then you have to either run the bsu.sh (located at $ORACLE_HOME/utils/bsu) in GUI mode or 1 by 1 in console mode. You can use the below script to install all the patches in one run.


follow the below steps:


1. Create a directory named /tmp/WLS_Patch
2. Put all the patches zip in the above directory
3. Create a sh file name run.sh and copy the below text into the file and save it.


echo "*********************"
echo Upgrade WLS
echo "*********************"
mkdir $ORACLE_HOME/utils/bsu/cache_dir
cd $ORACLE_HOME/utils/bsu/cache_dir
yes | find /tmp/WLS_Patch -name \*.zip -exec unzip  {} \;

cd ..
for i in 56MM CM69 FSG4 IMWL VRGR XA6W YVDZ ZARV
do

 ./bsu.sh -prod_dir=$WL_HOME -patchlist=$i -verbose -install | tee $i.out
 grep "Result: Success" $i.out
 if [ $? -ne 0 ]
 then
  echo "Unexpected issue applying patch $i. Check file $i.out"
  exit 1
 fi
done

echo "*********************"
echo WLS Upgraded
echo "*********************"



4. Replace the ORACLE_HOME and WL_HOME with the appropriate value as per your environment.
5. Add the patch alias name in the for loop list (highlighted in bold)
6. Save the file and run the script.
7. if any error occurred check the i.out file generated where the script is located.







Upload jar for ScduleTask or JavaTask in OIM 11gR2 PS3 using API

You can upload the ScheduleTask and JavaTask jar in OIM from your custom java applications. Here is the example of the same. similarly you also download, update and delete jar files from OIM database.




public void uploadJar() throws PlatformServiceException{
      
  PlatformUtilsService platformUtilsService = (PlatformUtilsService) oimClient.getService(PlatformUtilsService.class);
        JarElement jarElement = new JarElement();
        jarElement.setName("abcd.jar");
        jarElement.setPath("/tmp/abcd.jar");
        jarElement.setType("ScheduleTask");
       
        Set jarElementSet = new HashSet();
        jarElementSet.add(jarElement);
       
        platformUtilsService.uploadJars(jarElementSet );
        System.out.println("Finish uploading jar" );
    }

Thursday, 11 May 2017

Update OIM 11gR2 PS3 Schedule job parameter programatically using API.

We can update OIM schedule job parameter programmatically using available APIs. Here is the code sample.




 public void updateSchedulerParam(String jobName, String paramName, String newValue){
 
  SchedulerService schdulerService = (SchedulerService)oimClientObj.getService(SchedulerService.class);
 
  try {
  
   JobDetails jobDetails = schdulerService.getJobDetail(jobName);
   HashMap<String, JobParameter> schParam = jobDetails.getParams();
  
   for (Entry<String, JobParameter> entry : schParam.entrySet()) {
      
    String key = entry.getKey();
       JobParameter jobParam = entry.getValue();
       Serializable value = jobParam.getValue();
             
       System.out.println("Old key value pair: "+key+" = "+ value);
      
       if (key.equalsIgnoreCase(paramName)){
        value = newValue;
        System.out.println(value.toString());
        jobParam.setValue(value);
      
        System.out.println(jobParam.getValue());
        schParam.put(key, jobParam);
        break;
       }
   }
   jobDetails.setParams(schParam);
   schdulerService.updateJob(jobDetails);
   System.out.println("Updated successfully");
  
 } catch (Exception e) {
    e.printStackTrace();
 }
 }

Update OIM 11gR2 PS3 catalog attributes using API

In OIM, catalog default attributes can be easily updated by Catalog Sync schedule job. But if you add any custom attributes in the catalog, those field are very difficult to update using the Catalog Sync job.


You can use the below code snippet to update catalog default and custom attributes. While using this code in real implementation, use a CSV file with all the data and attaché the code in a schedule task.


 /**
  * This method update catalog form of specified entity
  * @param DBColumnName Catalog form field name
  * @param DBColumnValue Catalog form field value
  * @throws SchedulerException
  */

 private void updateCatalogDetailsValue(String DBColumnName, Object DBColumnValue) throws SchedulerException{
 
  oracle.iam.platform.utils.vo.OIMType oimtype = null;
 
  CatalogService catalogAPI = (CatalogService)oimClientObj.getService(CatalogService.class);
 
  System.out.println("ItemName::"+ItemName);
  System.out.println("ItemType::"+ItemType);

  try {
 
   //Set catalog entity type
   if(ItemType.equals("Entitlement")){
    oimtype = oracle.iam.platform.utils.vo.OIMType.Entitlement;
   }
   if(ItemType.equals("Role")){
    oimtype = oracle.iam.platform.utils.vo.OIMType.Role;
   }
   if(ItemType.equals("ApplicationInstance")){
    oimtype = oracle.iam.platform.utils.vo.OIMType.ApplicationInstance;
   }
  
   //Get catalog form of a specified entity
   Catalog catalog = catalogAPI.getCatalogItemDetails(null, ItemName, oimtype, null);
  
   System.out.println("Found Catalog item Display Name: "+catalog.getEntityDisplayName());
  
   //Set default catalog fields
   if(DBColumnName.equalsIgnoreCase("Catagory")){
   
    catalog.setCategoryName(String.valueOf(DBColumnValue));
   }else if(DBColumnName.equalsIgnoreCase("Audit Objective")){
   
    catalog.setAuditObjectives(String.valueOf(DBColumnValue));
   }else if(DBColumnName.equalsIgnoreCase("User Defined Tags")){
   
    catalog.setUserDefinedTags(String.valueOf(DBColumnValue));
   }else if(DBColumnName.equalsIgnoreCase("Certifiable")){
   
    catalog.setCertifiable(Boolean.valueOf(DBColumnValue.toString()));
   }else if(DBColumnName.equalsIgnoreCase("Approver User")){
   
    catalog.setApproverUserLogin(String.valueOf(DBColumnValue));
    catalog.setApproverUser(getUserKey(String.valueOf(DBColumnValue)));
   }else if(DBColumnName.equalsIgnoreCase("Approver Role")){
   
    catalog.setApproverRoleDisplayName(String.valueOf(DBColumnValue));
    catalog.setApproverRole(getRoleKey(String.valueOf(DBColumnValue)));
   }else if(DBColumnName.equalsIgnoreCase("Certifier User")){
   
    catalog.setCertifierUser(getUserKey(String.valueOf(DBColumnValue)));
    catalog.setCertifierUserLogin(String.valueOf(DBColumnValue));
   
   }else if(DBColumnName.equalsIgnoreCase("Certifier Role")){
   
    catalog.setCertifierRoleDisplayName(String.valueOf(DBColumnValue));
    catalog.setCertfierRole(getRoleKey(String.valueOf(DBColumnValue)));
   }else if(DBColumnName.equalsIgnoreCase("Fulfilment User")){
   
    catalog.setFulFillMentUser(getUserKey(String.valueOf(DBColumnValue)));
    catalog.setFulFillMentUserLogin(String.valueOf(DBColumnValue));
   }else if(DBColumnName.equalsIgnoreCase("Fulfilment Role")){
   
    catalog.setFulFillmentRoleDisplayName(String.valueOf(DBColumnValue));
    catalog.setFulFillMentRole(getRoleKey(String.valueOf(DBColumnValue)));
   }else if(DBColumnName.equalsIgnoreCase("Risk Level")){
   
    if(String.valueOf(DBColumnValue)== "High Risk")
     catalog.setItemRisk(7);
    else if(String.valueOf(DBColumnValue)== "Medium Risk")
     catalog.setItemRisk(5);
    else if(String.valueOf(DBColumnValue)== "Low Risk")
     catalog.setItemRisk(3);
    else
     System.out.println("Wrong Risk Value");
   }else{
   
    //Updating custom field
    List<MetaData> catalogMetaDataList = catalog.getMetadata();
    MetaData catalogMetaData = null;
    for(int j=0; j< catalogMetaDataList.size(); j++){
    
     catalogMetaData = catalogMetaDataList.get(j);
     MetaDataDefinition catalogMetaDataDef = catalogMetaData.getMetaDataDefinition();
    
     System.out.println(j+":::catalogMetaDataDef.getDisplayName():::::"+catalogMetaDataDef.getDisplayName());
    
     if(catalogMetaDataDef.getDisplayName().equalsIgnoreCase(DBColumnName)){
     
      catalogMetaData.setValue(String.valueOf(DBColumnValue));
      catalogMetaDataList.set(j, catalogMetaData);
      break;
     }
    }
   
    //Set catalog metadata
    catalog.setMetadata(catalogMetaDataList);
   
   }
   //Update catalog
   catalogAPI.updateCatalogItems(catalog);
  
  } catch (CatalogException e) {
  
   e.printStackTrace();
  
   if ((e.toString().indexOf("No Detail found for specified catalog item") > 0)){
    System.out.println("Ignore msg");
   
   }else{
   
    throw new Exception("ERROR: Catalog Exception, see server log and server log for more details ");
   }
  
  }
 }

Close OIM 11gR2 PS3 Identity Certification in bulk using API

closing identity certification from OIM identity console is possible by an administrator, but feasible for large number. Here is a code example of doing the same for bulk.

You can get the list of certification which are not completed yet from the OIM database, using below query

select CERT_ID, USER_ID from CERTD_USER where CERT_ID in (select ID from CERT_SERTS where CERT_STATE in ('17','2','1','11','12',13','14','15','16'))

the CERT_SATE numbers are defined as below inside OIM

STATE_EXPIRED : 4
STATE_COMPLETE : 3
STATE_FINAL_REVIEW : 17
STATE_IN_PROGRESS : 2
STATE_NEW : 1
STATE_PHASE_1 : 11
STATE_PHASE_1_D : 12
STATE_PHASE_1_V : 13
STATE_PHASE_2 : 14
STATE_PHASE_2_D : 15
STATE_PHASE_2_V : 16

You can use the below code snippets to close all the open certification tasks.

/**
  *
  * @param cert_id: certification id. available in CERTD_USER table
  * @param userEntityId: User id for the certification which are pending. available in CERTD_USER.
  * @throws Exception
  */

 public void closeCertification(long cert_id,String userEntityId) throws Exception{
  
   CertificationService certificationService = (CertificationService)oimClient.getService(CertificationService.class);
    char[] oimAdminPassword = "Welcome1".toCharArray(); //Xelsysadm password
    
   List<Long> userEntityIds = new ArrayList<Long>();
   userEntityIds.add(Long.valueOf(userEntityId));
  
   
//get the certification instance from cert id
   CertificationInstance certInstance = certificationService.loadCertification(cert_id,null);
   System.out.println("Status : "+certInstance.getStatus());
   System.out.println("STATE_EXPIRED : "+CertificationConstants.STATE_EXPIRED);
   System.out.println("STATE_COMPLETE : "+CertificationConstants.STATE_COMPLETE);
  
 
  //get the different status level
   int status = certInstance.getStatus();
   int complete = CertificationConstants.STATE_COMPLETE;
   int expired = CertificationConstants.STATE_EXPIRED;
  
  
 //Checking the current status of the certification instance.
   if (status==complete) {
   
    System.out.println("certification already completed : "+cert_id);
   }else if(status==expired){
    System.out.println("certification already completed : "+cert_id);
   }  
   else{
   
    
//Certifying user of the cert instance with cancel comment
    certificationService.certifyUsers(cert_id, null, userEntityIds, CertificationConstants.STATUS_ABSTAIN, "Canceled due migration");
    certificationService.certifyRemainingUserContent(cert_id, null, userEntityIds, "Canceled due migration");
   
    if ( certificationService.canBeCompleted(cert_id, null) ) {
    
   
  //completing the certification.
     certificationService.completeCertification(cert_id, null, oimAdminPassword);
     System.out.println("Certification Completed successfully : "+cert_id);
    }else{
     System.out.println("Certification not Completed yet : "+cert_id+" , "+certInstance.getPercentComplete()+"% completed");
    }
   }
   

Assign and Revoke OIM Admin roles using API

OIM has several admin roles, which are under the scope of some organizations. in PS3 there is a separate application for managing admin roles, but in the older version this operation was incorporated under organization's life cycle.

Here are the API examples of managing Admin role life cycle like assigning or revoke. This API will work in all the OIM 11gR2 versions including PS3.

 /**
  * Assigning OIM Admin role to a user.
  * @param Userid
  * @param adminRoleName
  */

 public void assignAdminRole(String Userid, String adminRoleName){
 
  try {
  
  
 /**
    * initialize API and get the details of a specified admin role
    */

   AdminRoleService admRoleAPI = (AdminRoleService)oimClient.getService(AdminRoleService.class);
   AdminRole admRole = admRoleAPI.getAdminRole(adminRoleName);
  
   
//Print some details.
   System.out.println("Scope ::"+admRole.isScoped());
   System.out.println("Role Description ::"+admRole.getRoleDescription());
   System.out.println("Role Description ::"+admRole.getRoleId());
  
   //Create a new membership object.
   AdminRoleMembership admMembership = new  AdminRoleMembership();
   admMembership.setAdminRole(admRole);
   admMembership.setUserId(getUserKey(Userid));
  
   
/**
    * Every Admin role scoped under some organization (or organizations).
    * Assigning any admin role you need to set the scope id.
    */

   AdminRoleVO adminRoleVo = admRoleAPI.getAdminRoleVO(String.valueOf(admRole.getRoleId()));
   List<AdminRoleRuleScope> scopes = adminRoleVo.getAdminRoleRuleScopes();
   AdminRoleRuleScope scope = scopes.get(0);
   System.out.println("Admin Role In Scope Organization: "+scope.getInScopeOfOrganizationName()); //printing the organization name
   
     
   
/**
    * If the admin role is not scoped then set the scope id for SYSTEM ADMINISTRATOR organization
    * which is generally 3.  
    */
 
  if (admRole.isScoped()){
    
    admMembership.setScopeId(getOrgKey(scope.getInScopeOfOrganizationName()));
    
   }else{
    
    admMembership.setScopeId("3");
   }
   
    System.out.println("new set Scope ::"+admMembership.getScopeId());
    AdminRoleMembership newMemberShip = admRoleAPI.addAdminRoleMembership(admMembership);
    System.out.println("Admin Role Successfully Assigned to the User: "+Userid+" Key: "+newMemberShip.getUserId());
   
  
  } catch (Exception e) {
   // TODO Auto-generated catch block
   e.getMessage();
  }
 
 
 }

 
/**
  * Revok an Admin Role from user.
  * @param Userid
  * @param adminRoleName
  */

 public void revokeAdminRole(String Userid, String adminRoleName){
 
  AdminRoleService admRoleAPI = (AdminRoleService)oimClient.getService(AdminRoleService.class);
  List<String> adminRoles = new ArrayList();
  adminRoles.add(adminRoleName);
 
 
 /**
   * Get the user and admin role membership object.
   */

  List<AdminRoleMembership> adminMemberShipList = admRoleAPI.listMembershipsForUserByRoleName(getUserKey(Userid), adminRoles);
  AdminRoleMembership adminMemberShip = adminMemberShipList.get(0);
 
  
//revoke admin role.
  boolean status = admRoleAPI.removeAdminRoleMembership(adminMemberShip);
  System.out.println("Admin Role Successfully revoke from User: "+Userid+" Status: "+status);
 }


 
 /**
  * get user key from given username
  * @param userid
  * @return Userkey
  */

 private String getUserKey(String userid){
 
  String key = "";
  UserManager userAPI = (UserManager)oimClient.getService(UserManager.class);
  java.util.Set retAttrs = new HashSet();
  retAttrs.add(UserManagerConstants.AttributeName.USER_KEY.getId());
 
  User user;
  try {
   user = userAPI.getDetails(UserManagerConstants.AttributeName.USER_LOGIN.getId(), userid, retAttrs);
   key = user.getId();
  } catch (NoSuchUserException e) {
    e.printStackTrace();
  } catch (UserLookupException e) {
   e.printStackTrace();
  } catch (SearchKeyNotUniqueException e) {
   e.printStackTrace();
  } catch (AccessDeniedException e) {
     e.printStackTrace();
  }
  return key;
 }

 
 /**
  * get organization Key from a given Org name
  * @param orgName
  * @return OrgKey
  */

 private String getOrgKey(String orgName){
 
  String key = "";
  OrganizationManager orgAPI = (OrganizationManager)oimClient.getService(OrganizationManager.class);
  java.util.Set retAttrs = new HashSet();
  retAttrs.add(OrganizationManagerConstants.AttributeName.ID_FIELD.getId());
 
  try {
   Organization org = orgAPI.getDetails(OrganizationManagerConstants.AttributeName.ORG_NAME.getId(), orgName, retAttrs);
   key = String.valueOf(org.getAttribute("act_key"));
  
  } catch (SearchKeyNotUniqueException e) {
      e.printStackTrace();
  } catch (OrganizationManagerException e) {
    e.printStackTrace();
  } catch (AccessDeniedException e) {
    e.printStackTrace();
  }
 
  return key;
 }

Followers

OIM API for adding process task and retry failed task

 In this blog you can find how to add new process task and retry any failed/rejected tasks using API. Adding new process task: /************...