Wednesday, November 13, 2013

OIM11g: How to Automate the deployment of User Modifiable Metadata Files

                 Here is how you (or your administrators) can avoid putting the user name, password and even the server URL in plain text when using WLST to modify OIM metadata:
 
 
Step1: Connect to the Admin Server with wlst.sh as the user that will run the deployment scripts. For example, in my case I created a user named deployer with the administrator and oimuser roles in the WebLogic security realm and use it to deploy the OIM metadata.
 
Step2: Run the below command:
 
storeUserConfig('configfile.secure','keyfile.secure')
Creating the key file can reduce the security of your system if it is not kept in a secured location after it is created. Do you want to create the key file? y or n y
The username and password that were used for this WebLogic Server connection are stored in configfile.secure and keyfile.secure.
 
Note: if you choose to create them in a different directory, prefix the file name with the directory path. For example, storeUserConfig('C:\configfile.secure','C:\keyfile.secure'). You can also choose different names for the files.
 
This creates a user configuration file that holds your credentials in encrypted form and a key file that WebLogic Server uses to decrypt them. Anyone who can read both files can recover the credentials, so keep them readable only by the deployment user.

Step3: wls:/OIMDomain/serverConfig> exit()
 
Step4: Take a backup of weblogicExportMetadata.py.
 
Step5: Modify the weblogicExportMetadata.py as below:
 
Replace: connect() with
 
connect(userConfigFile='configfile.secure',userKeyFile='keyfile.secure',url='t3://host:14000')
 
Note: Provide the absolute path if the configuration files are not in the ORACLE_HOME/server/bin directory.
 
Step6: Save the python script.
 
Step7: Now run weblogicExportMetadata.bat; it no longer prompts for the username and password. See below:
 
Initializing WebLogic Scripting Tool (WLST) ...
Welcome to WebLogic Server Administration Scripting Shell
Type help() for help on available commands
Starting export metadata script ....
Connecting to t3://host:14000 with userid deployer ...
Successfully connected to managed Server 'oim_server1' that belongs to domain 'OIMDomain'.
Warning: An insecure protocol was used to connect to the
server. To ensure on-the-wire security, the SSL port or
Admin port should be used instead.
Location changed to custom tree. This is a writable tree with No root.
For more help, use help(custom)

Disconnected from weblogic server: oim_server1
End of export metadata script ...
 
Note: On Unix, follow the same steps using the .sh scripts. Repeat the same procedure for weblogicImportMetadata.sh and weblogicDeleteMetadata.sh (their .py scripts have the same connect() call). The "insecure protocol" warning in the output above appears because the url uses t3 on the non-SSL port; point it at the SSL port with t3s://host:port (or the domain's administration port) so the credentials and metadata are not sent in the clear.

Addendum:


If you also want the server URL and the paths of the two files to be configurable instead of hard-coded in weblogicExportMetadata.py, do the following:

Step1: Create a properties file i.e., creds.properties as below:

[Properties File for Deployment]
url: t3://host:14000
userConfigFile: C:\configfile.secure
userKeyFile: C:\keyfile.secure

Step2: Update your weblogicExportMetadata.py script as below:

"""
Custom OIM metadata Script for Deployment
"""
print 'Starting export metadata script .... '

import ConfigParser
import string
config = ConfigParser.ConfigParser()
config.read("C:\creds.properties")
for section in config.sections():
        serverurl = config.get(section,'url')
        userFile = config.get(section,'userConfigFile')
        keyFile = config.get(section,'userKeyFile')

connect(userConfigFile=userFile,userKeyFile=keyFile,url=serverurl)
exportMetadata(application=application_name,
               server=wls_servername,
               toLocation=metadata_to_loc,
                   docs=metadata_files,
                   applicationVersion='*')
disconnect ()
print 'End of export metadata script ...'
exit()
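As an added example (my own code, not part of the original post), here is a stand-alone module that covers both the storeUserConfig() procedure and the properties-file addendum above: it loads the same creds.properties layout, refuses a plaintext t3:// URL unless explicitly allowed, and checks that configfile.secure and keyfile.secure are not readable by group or others before handing the values to connect(). Assumptions: a POSIX file system for the permission bits, the function names and DeploymentConfigError are mine, and connect_from_properties takes WLST's connect as a parameter so everything else can be exercised off the server.

```python
import os
import stat

try:
    import configparser            # Python 3
except ImportError:                # Jython / Python 2 (as shipped with WLST)
    import ConfigParser as configparser

# Keys the deployment script needs from the [Properties File for Deployment] section.
REQUIRED_KEYS = ("url", "userConfigFile", "userKeyFile")

# URL schemes that encrypt the WLST session; plain t3:// is rejected by default.
SSL_SCHEMES = ("t3s", "https")


class DeploymentConfigError(Exception):
    """Raised when creds.properties is unusable; abort before calling connect()."""


def check_private_file(path):
    """Fail unless the file exists and is readable only by its owner.

    storeUserConfig() warns that the key file weakens security when it is not
    kept in a protected location: whoever can read both files can recover the
    credentials. Assumption: POSIX permission bits (mode 0600 or stricter).
    """
    if not os.path.isfile(path):
        raise DeploymentConfigError("credential file not found: %s" % path)
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise DeploymentConfigError(
            "%s is accessible to group/others; restrict it to the deployment user" % path)
    return path


def load_deployment_config(properties_path,
                           section="Properties File for Deployment",
                           require_ssl=True):
    """Read one named section of creds.properties and return kwargs for connect().

    Rejects a missing section or key, a plaintext URL when require_ssl is set,
    and credential/key files with unsafe permissions.
    """
    config = configparser.ConfigParser()
    config.read(properties_path)
    if not config.has_section(section):
        raise DeploymentConfigError(
            "section [%s] not found in %s" % (section, properties_path))
    values = {}
    for key in REQUIRED_KEYS:
        if not config.has_option(section, key):
            raise DeploymentConfigError("missing key '%s' in [%s]" % (key, section))
        values[key] = config.get(section, key).strip()
    url = values["url"]
    scheme = url.split("://", 1)[0].lower()
    if require_ssl and scheme not in SSL_SCHEMES:
        # Plain t3 is what triggers WLST's "insecure protocol" warning.
        raise DeploymentConfigError(
            "refusing plaintext URL %s; use t3s://host:sslport" % url)
    return {
        "url": url,
        "userConfigFile": check_private_file(values["userConfigFile"]),
        "userKeyFile": check_private_file(values["userKeyFile"]),
    }


def connect_from_properties(properties_path, connect_fn, **options):
    """Glue for WLST: pass WLST's own connect as connect_fn, e.g.
    connect_from_properties('/secure/creds.properties', connect)."""
    return connect_fn(**load_deployment_config(properties_path, **options))
```

Inside the real weblogicExportMetadata.py the last function is the only line you need: replace connect() with connect_from_properties(path, connect), and the checks run before any credentials leave the box. Pass require_ssl=False only when the target genuinely has no SSL listener.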
 
 

Thursday, November 7, 2013

OIM 11g: Create Access Policy using JAVA APIs

Here is sample code to create access policies using the OIM Java APIs:

package junit.accesspolicy;
import java.io.BufferedReader;
import java.io.FileReader;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import com.thortech.xl.vo.AccessPolicyResourceData;
import com.thortech.xl.vo.PolicyChildTableRecord;
import oracle.iam.identity.rolemgmt.api.RoleManager;
import oracle.iam.identity.rolemgmt.api.RoleManagerConstants.RoleAttributeName;
import oracle.iam.identity.rolemgmt.vo.Role;
import oracle.iam.platform.OIMClient;
import oracle.iam.platform.Platform;
import oracle.iam.platform.entitymgr.vo.SearchCriteria;
import Thor.API.tcResultSet;
import Thor.API.Operations.tcAccessPolicyOperationsIntf;
import Thor.API.Operations.tcFormDefinitionOperationsIntf;
import Thor.API.Operations.tcITResourceInstanceOperationsIntf;
import Thor.API.Operations.tcObjectOperationsIntf;


public class createAccessPolicy {
 private static final String OIM_URL = "t3s://host:port";
 private static final String AUTH_CONF = "C:/designconsole/config/authwl.conf";
 // Placeholders: do not hard-code real credentials in source; read them at runtime
 private static final String OIM_USERNAME = "<>";
 private static final String OIM_PASSWORD = "<>";

 private static OIMClient oimClient = null;
 Hashtable<String, String> env = new Hashtable<String, String>();
 private static final String objName = "OID User"; // Object Name
 private static final String fParentName = "UD_OID_USR"; // Parent Process Form
 private static final String fChildName = "UD_OID_GRP"; // Child Process Form
 private static final String ITResourceName = "OID Server"; // IT Resource
 private static final String groupSuffix = ",cn=Groups,<>"; // Group DN

 public createAccessPolicy() {
  try {
   env.put(OIMClient.JAVA_NAMING_FACTORY_INITIAL,
     "weblogic.jndi.WLInitialContextFactory");
   env.put(OIMClient.JAVA_NAMING_PROVIDER_URL, OIM_URL);
   System.setProperty("java.security.auth.login.config", AUTH_CONF);
   System.setProperty("OIM.AppServerType", "wls");
   System.setProperty("APPSERVER_TYPE", "wls");
   oimClient = new OIMClient(env);
   oimClient.login(OIM_USERNAME, OIM_PASSWORD.toCharArray());
  } catch (Exception e) {
   e.printStackTrace();
  }
  return;
 }


 public void PolicyCreation(String policyName, String[] groups) {
  try {
   tcAccessPolicyOperationsIntf moAccesspolicyutility = oimClient
     .getService(tcAccessPolicyOperationsIntf.class);
   System.out.println(policyName);
   HashMap attr = new HashMap();
   attr.put("Access Policies.Name", policyName); // Policy Name
   attr.put("Access Policies.Description", policyName); // Description same as Policy Name
   attr.put("Access Policies.Retrofit Flag", "1"); // Retrofit Flag
   attr.put("Access Policies.By Request", "0"); // Without Approval

   Long objKey = findObjectKey();
 
  long[] provObjKeys = { objKey }; //Object Key of Resource to be provisioned
   boolean[] revokeObgIsNotApply = { true }; //Revoke If No Longer Applies Flag
   long[] denyObjKeys = {}; //Object key of Resource to be denied
   Long roleKey = Long.parseLong(getRoleKey(policyName)); // Role attached to the Policy
   long[] groupKeys = { roleKey };  //In my case, Policy Name is same as Role Name
   String itResourceKey = findITResourceKey(); // one remote lookup, reused below
   String groupPrefix = itResourceKey + "~cn=";
   //Populate Parent Form Data
   HashMap parentFormData = new HashMap();
   parentFormData.put("UD_OID_USR_SERVER", itResourceKey);
   parentFormData.put("UD_OID_USR_ORG_DN", itResourceKey + "~users");
   parentFormData.put("UD_OID_USR_PREF_LANG", "en");
   parentFormData.put("UD_OID_USR_PREF_LANG","en");
   int groupLength = groups.length;
   Long parentFormKey = findParentFormKey();
   String childFormKey = findChildFormKey();
   //Populate Child Form Data: one entry per group carrying a child-table record,
   //plus a final entry carrying the parent form data
   AccessPolicyResourceData policyData[] = new AccessPolicyResourceData[groupLength + 1];
   for (int i = 0; i < groupLength; i++) {
    String groupName = groupPrefix + groups[i].trim() + groupSuffix;
    System.out.println(groupName);
    policyData[i] = new AccessPolicyResourceData(objKey,
      objName, parentFormKey, fParentName, "P");
    HashMap childTableMap = new HashMap();
    childTableMap.put("UD_OID_GRP_GROUP_NAME", groupName);
    // Pass the child form name constant, not the literal string "fChildName"
    policyData[i].addChildTableRecord(childFormKey, fChildName,
      "Add", childTableMap);
   }
   System.out.println(policyData.length);
   AccessPolicyResourceData formData = new AccessPolicyResourceData(objKey,
     objName, parentFormKey, fParentName, "P");
   formData.setFormData(parentFormData);
   policyData[groupLength] = formData;
   moAccesspolicyutility.createAccessPolicy(attr, provObjKeys,
     revokeObgIsNotApply, denyObjKeys, groupKeys, policyData);
   System.out.println(policyName + " Policy Created ");
  } catch (Exception e) {
   e.printStackTrace();
  }

 }

 public String findChildFormKey() {
  String ChildformKey = null;
  try {
   final String METHOD_NAME = "findChildFormKey :: ";
   tcFormDefinitionOperationsIntf objIntf = oimClient
     .getService(tcFormDefinitionOperationsIntf.class);
   HashMap attributes = new HashMap();
   attributes.put("Structure Utility.Table Name", fChildName);
   tcResultSet resultSet = objIntf.findForms(attributes);
   for (int i = 0; i < resultSet.getRowCount(); i++) {
    ChildformKey = resultSet
      .getStringValue("Structure Utility.Key");
   }
  } catch (Exception e) {
   e.printStackTrace();
  }
  return ChildformKey;
 }


 public Long findParentFormKey() {
  String ParentformKey = null;
  try {
   final String METHOD_NAME = "findParentFormKey :: ";
   tcFormDefinitionOperationsIntf objIntf = oimClient
     .getService(tcFormDefinitionOperationsIntf.class);
   HashMap attributes = new HashMap();
   attributes.put("Structure Utility.Table Name", fParentName);
   tcResultSet resultSet = objIntf.findForms(attributes);
   for (int i = 0; i < resultSet.getRowCount(); i++) {
    ParentformKey = resultSet
      .getStringValue("Structure Utility.Key");
   }
  } catch (Exception e) {
   e.printStackTrace();
  }
  return Long.parseLong(ParentformKey);
 }


 public String findITResourceKey() {
  String ITResourceKey = null;
  try {
   final String METHOD_NAME = "findITResourceKey :: ";
   tcITResourceInstanceOperationsIntf objIntf = oimClient
     .getService(tcITResourceInstanceOperationsIntf.class);
   HashMap attributes = new HashMap();
   attributes = objIntf.getITResourceInstances(ITResourceName);
   Set s = attributes.keySet();
   Iterator it = s.iterator();
   while (it.hasNext()) {
    ITResourceKey = it.next().toString();
   }
  } catch (Exception e) {
   e.printStackTrace();
  }
  return ITResourceKey;
 }


 public String getRoleKey(String roleName) {
  RoleManager rmgr = oimClient.getService(RoleManager.class);
  Set<String> retAttrs = new HashSet<String>();
  String roleKey = null;
  try {
   retAttrs.add(RoleAttributeName.DISPLAY_NAME.getId());
   SearchCriteria criteria = new SearchCriteria(RoleAttributeName.NAME.getId(),
     roleName, SearchCriteria.Operator.EQUAL);
   List<Role> roles = rmgr.search(criteria, retAttrs, null);
   if (roles.isEmpty()) {
    throw new IllegalStateException("No role found with name " + roleName);
   }
   roleKey = roles.get(0).getEntityId();
  } catch (Exception e) {
   e.printStackTrace(); // previously swallowed silently, hiding lookup failures
  }
  return roleKey;
 }


 public Long findObjectKey() {
  String objectKey = null;
  try {
   HashMap attributes = new HashMap();
   attributes.put("Objects.Name", objName);
   tcObjectOperationsIntf objIntf = oimClient
     .getService(tcObjectOperationsIntf.class);
   tcResultSet resultSet = objIntf.findObjects(attributes);
   for (int i = 0; i < resultSet.getRowCount(); i++) {
    objectKey = resultSet.getStringValue("Objects.Key");
   }
  } catch (Exception e) {
   e.printStackTrace();
  }
  return Long.parseLong(objectKey);
 }


 public static void main(String args[]) {
  createAccessPolicy obj = new createAccessPolicy();
  String file = "<>";
  //File Format: header line, then one "AccessPolicyName,group1;group2;..." line per policy
  BufferedReader buff = null;
  try {
   buff = new BufferedReader(new FileReader(file));
   String line = buff.readLine(); // skip the header line
   while ((line = buff.readLine()) != null) {
    if (line.trim().length() == 0) {
     continue;
    }
    String split[] = line.split(",");
    if (split.length < 2) {
     System.err.println("Skipping malformed line: " + line);
     continue;
    }
    String policyName = split[0].trim();
    String groupList[] = split[1].split(";");
    obj.PolicyCreation(policyName, groupList);
   }
  } catch (Exception e) {
   e.printStackTrace();
  } finally {
   if (buff != null) {
    try { buff.close(); } catch (Exception ignored) { }
   }
   if (oimClient != null) {
    oimClient.logout();
   }
  }
 }

}

References:

http://docs.oracle.com/cd/E17904_01/apirefs.1111/e17334/Thor/API/Operations/tcAccessPolicyOperationsIntf.html

http://docs.oracle.com/cd/E27559_01/apirefs.1112/e28159/com/thortech/xl/vo/AccessPolicyResourceData.html

http://docs.oracle.com/cd/E27559_01/apirefs.1112/e28159/com/thortech/xl/vo/PolicyChildTableRecord.html