Friday, 9 June 2017

Unable to modify Disconnected Application Instance with non-Entitlement child data in OIM 11.1.2.3.0



Problem Description

When we create any disconnected application instance with child form in OIM 11gR2 PS1, we add the multivalued attribute into child dataset. This multivalued attribute hold the role data of the application. This can be set in 2 ways,


Either as Entitlement, where the role data will be visible in catalog as entitlement and can be added to child form directly using Modify Account option.


Or Only as Application Role, where role data will not be exposed as entitlements in catalog, and only option to add is to modify account.


if you go with the first option where role data are exposed as entitlements, then you have to select the Entitlement check box in the attribute configuration.




once you do that, automatically in the corresponding process definition 2 tasks are added for child data grant and revoke.


But if you choose the option 2, where child data are not exposed as entitlements, then no extra process task gets created in process definition. Only the form update task will be responsible for adding and removing child data in application instance.






Using option 2, when any one add a role through "Modify Account" process, "UD_[APP_NAME] Updated" task gets triggered and assign task for fulfillment.


In OIM 11.1.2.3.0 if you create disconnected application instance with 2nd option, then it will not work properly. When you add any role data in child table through "Modify Account" process, no process task gets triggered. As a result records get added in OIM database (child table), but no fulfillment task assigned to implementers.




Resolution (as of now)
Create the process task for each operation manually (insert, update, delete in child table), and map the adpMANUALPROVISIONING adapter.



Monday, 5 June 2017

Retrive Weblogic CSF credentials using Java and Jps API

WebLogic CSF (Credential Store Framework) holds security data of WebLogic domain like credential. A credential can hold user name and password combinations, tickets, or public key certificates.

WebLogic CSF has 2 different types
          1. Password - A password credential encapsulates a user name and a password
          2. Generic - A generic credential encapsulates any customized data or arbitrary token.

This CSF can also be used for storing credential of other applications like OIM, SOA etc. and can be used for authentication from customized applications. For example if some one wants to create an Web Service to call OIM or SOA APIs, person need to authenticate in OIM or SOA. In that scenario we can use WebLogic CSF to store and use the credential of OIM or SOA.

The below code snippet will describe how to get the credential from WebLogic CSF using java. This code can be used only from the WebLogic domain application.



private void getCredential() throws Exception{
/*
* Initializing JpsContext with current factory context.
* oracle.security.jps.JpsContext can be found under jps-api.jar
*/
oracle.security.jps.JpsContext ctx = oracle.security.jps.JpsContextFactory.getContextFactory().getContext();

final oracle.security.jps.service.credstore.CredentialStore cs = (oracle.security.jps.service.credstore.CredentialStore) ctx
.getServiceInstance(oracle.security.jps.service.credstore.CredentialStore.class);

/*
* Below section is for getting data from CSF of type Passsowrd
* "oracle.wsm.security" is Credential Map name
* "SOAAdmin" is the Password CSF key name
*/
oracle.security.jps.service.credstore.CredentialMap cmap = cs.getCredentialMap("oracle.wsm.security");
oracle.security.jps.service.credstore.Credential cred = cmap.getCredential("SOAAdmin");

if (cred instanceof oracle.security.jps.service.credstore.PasswordCredential) {
oracle.security.jps.service.credstore.PasswordCredential pcred =
(oracle.security.jps.service.credstore.PasswordCredential)cred;

char[] p = pcred.getPassword();
String UserName = pcred.getName();
String Password = new String(p);

System.out.println("UserName : " + UserName);
System.out.println("Password : " + Password);

}

/*
* Below section is for getting data from CSF of type Generic.
* "oracle.wsm.security" is Credential Map name
* "oimurl" is the custom Generic CSF key name
*/


oracle.security.jps.service.credstore.CredentialMap cmapURL = cs.getCredentialMap("oracle.wsm.security");
oracle.security.jps.service.credstore.Credential credURL = cmapURL.getCredential("oimurl");

if (credURL instanceof oracle.security.jps.service.credstore.GenericCredential){
oracle.security.jps.service.credstore.GenericCredential gcred = (oracle.security.jps.service.credstore.GenericCredential) credURL;

if (gcred.getCredential() instanceof Hashtable){

/*
*This hash table contains all the key value pair of generic CSF
*/
Hashtable result = (Hashtable) gcred.getCredential();

String URL = new String((char[]) result.get("oimurl"));
String confPath = new String((char[]) result.get("confPath"));

System.out.println("URL : "+URL);
System.out.println("confPath : "+confPath);

}
}
}

Followers

OIM API for adding process task and retry failed task

 In this blog you can find how to add new process task and retry any failed/rejected tasks using API. Adding new process task: /************...