OID: Command to create new OID Component

Here is the command to create new OID Component:

./opmnctl createcomponent -componentType OID -componentName oid3 -adminHost server -adminPort 7001  -Db_info "dbhost:1532:dbservicename" -Port 3063 -Sport 3133

Command requires login to weblogic admin server (server ):
  Username: weblogic
  Password:
Creating empty component directories...Done
Provisioning OID files for oid3
  OID onCreate....
Enter ODS password:
  Validating OID input parameters
Enter ODSSM password:
Enter OID admin password:
  Creating wallet and tnsnames.ora for OID
  Adding configuration entry for OID
  Updating opmn.xml with OID snippet
  Updating component-logs.xml with OID name
  Setting proxy mbean properties
Registering oid3 component
Invoking opmn reload...Done
Command succeeded.

OIM11g R1 Post Processor Event Handler to remove User Role after user is disabled

Here is the code:

package oim.custom.eventhandlers;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import oracle.iam.identity.rolemgmt.api.RoleManager;
import oracle.iam.identity.rolemgmt.api.RoleManagerConstants.RoleAttributeName;
import oracle.iam.identity.rolemgmt.vo.Role;
import oracle.iam.identity.rolemgmt.vo.RoleManagerResult;
import oracle.iam.identity.usermgmt.api.UserManager;
import oracle.iam.identity.usermgmt.vo.User;
import oracle.iam.platform.Platform;
import oracle.iam.platform.context.ContextManager;
import oracle.iam.platform.entitymgr.vo.SearchCriteria;
import oracle.iam.platform.kernel.spi.PostProcessHandler;
import oracle.iam.platform.kernel.vo.AbstractGenericOrchestration;
import oracle.iam.platform.kernel.vo.BulkEventResult;
import oracle.iam.platform.kernel.vo.BulkOrchestration;
import oracle.iam.platform.kernel.vo.EventResult;
import oracle.iam.platform.kernel.vo.Orchestration;
import Thor.API.tcResultSet;
import Thor.API.Operations.tcLookupOperationsIntf;
import com.thortech.util.logging.Logger;
public class RemoveRolesFromRetiredUser implements PostProcessHandler {
 private static final Logger logger = Logger.getLogger("CUSTOM.EVENTS");
 private static final String CLASS_NAME = "oim.custom.eventhandlers.RemoveRolesFromRetiredUser : ";
 private static final String LOOKUP_COLUMN_DECODE = "Lookup Definition.Lookup Code Information.Decode";

 public void initialize(HashMap arg0) {
  String METHOD_NAME = "initialize :: ";
  logger.info(CLASS_NAME + METHOD_NAME
    + " Initializing RemoveRolesFromRetiredUser Event Handler ");
 }

 @Override
 public BulkEventResult execute(long processId, long eventId,
   BulkOrchestration bulkorchestration) {
  String METHOD_NAME = "BulkEventResult execute :: ";
  logger.info(CLASS_NAME + METHOD_NAME + "Inside ");
  try {
   String operation = bulkorchestration.getOperation();
   logger.debug(CLASS_NAME + METHOD_NAME
     + "bulkorchestration.getOperation() " + operation);
   String user = bulkorchestration.getTarget().getEntityId();
   logger.debug(CLASS_NAME + METHOD_NAME
     + "bulkorchestration.getTarget().getEntityId() " + user);
   logger.debug(CLASS_NAME + METHOD_NAME
     + " ContextManager.getContextType() "
     + ContextManager.getContextType());
   // Remove the  Roles of the Retired User
   if (isUserRetired(user) && operation.equals("DISABLE")) {
    logger.info(CLASS_NAME + METHOD_NAME
      + " Updated Description of Disabled User "
      + getUserName(user, "User Login") + " is "
      + getUserName(user, "Description"));
    logger.info(CLASS_NAME + METHOD_NAME
      + " Updated Container of Disabled User "
      + getUserName(user, "User Login") + " is " + getUserName(user, "UserDN"));
    logger.info(CLASS_NAME + METHOD_NAME
      + "Removing the Roles from the Disabled User "
      + getUserName(user, "User Login"));
    removeRolesOfUser(user);
   }
  } catch (Exception e) {
   logger.error(CLASS_NAME + METHOD_NAME + e.getMessage());
   e.printStackTrace();
  }
  return new BulkEventResult();
 }

 public boolean isUserRetired(String userKey) {
  String METHOD_NAME = "isUserRetired :: ";
  logger.debug(CLASS_NAME + METHOD_NAME + "Inside ");
  boolean isUserRetired = false;
  try {
   HashSet retiredContainers = readLookup("Lookup.OIM.RetiredContainers");
   Iterator itr = retiredContainers.iterator();
   String userDN = getUserName(userKey, "UserDN");
   while(itr.hasNext()) {
    String containername = itr.next().toString();
    if(userDN.contains(containername)) {
     isUserRetired = true;
    }
   } 
  } catch (Exception e) {
   logger.error(CLASS_NAME
     + METHOD_NAME
     + "Error checking User Container "
     + e.getMessage());
  }
  return isUserRetired;
 }

 // Method to remove Roles from User
 public void removeRolesOfUser(String userkey) {
  final String METHOD_NAME = "removeOIMRoles :: ";
  logger.debug(CLASS_NAME + METHOD_NAME + "Inside ");
  String rolename = null;
  try {
   HashSet groupList = getRolesForUser(userkey);
   Set roleKeysSet = new HashSet();
   Iterator itr = groupList.iterator();
   while (itr.hasNext()) {
    rolename = itr.next().toString();
    roleKeysSet.add(getRoleKey(rolename));
   }
   RoleManagerResult result = null;
   RoleManager rmgr = Platform.getService(RoleManager.class);
   result = rmgr.revokeRoleGrants(userkey, roleKeysSet);
   logger.debug(CLASS_NAME + METHOD_NAME + "Role " + rolename
     + " Removed from User "
     + getUserName(userkey, "User Login") + result.getStatus());
  } catch (Exception e) {
   logger.debug(CLASS_NAME + METHOD_NAME + "Error Removing Roles "
     + e.getMessage());
   e.printStackTrace();
  }
 }
 public HashSet getRolesForUser(String userkey) {
  String METHOD_NAME = "getRolesForUser :: ";
  logger.debug(CLASS_NAME + METHOD_NAME + "Inside ");
  HashSet roleList = new HashSet();
  try {
   logger.debug(CLASS_NAME + METHOD_NAME + "Reading "
     + getUserName(userkey, "User Login") + "Roles ");
   RoleManager rolemanager = Platform.getService(RoleManager.class);
   List groupList = rolemanager
     .getUserMemberships(userkey, true);
   for (Role role : groupList) {
    String roleName = role.getAttribute("Role Name").toString();
    logger.debug(CLASS_NAME + METHOD_NAME + "RoleName :" + roleName);
    roleList.add(roleName);
   }
   HashSet removeRoles = readLookup("Lookup.OIM.IgnoreRole");
   // Exclude Default Roles from the List
   roleList.removeAll(removeRoles);
  } catch (Exception e) {
   logger.error(CLASS_NAME + METHOD_NAME + "Error Reading Roles"
     + e.getMessage());
   e.printStackTrace();
  }
  return roleList;
 }

 // Method to read Lookup containing default OIM Roles
 public HashSet readLookup(String lookup) {
  String METHOD_NAME = "readLookup :: ";
  logger.debug(CLASS_NAME + METHOD_NAME + "Inside ");
  HashSet records = new HashSet();
  try {
   String lookupDecode = lookup;
  
   // Read Lookup to Find FilteredRoles
   tcLookupOperationsIntf lookupOps = Platform
     .getService(tcLookupOperationsIntf.class);
   tcResultSet lookupResultSet = lookupOps
     .getLookupValues(lookupDecode);
   for (int i = 0; i < lookupResultSet.getRowCount(); i++) {
    lookupResultSet.goToRow(i);
    String decode = lookupResultSet.getStringValue(
      LOOKUP_COLUMN_DECODE).trim();
    records.add(decode);
   }
  } catch (Exception e) {
   logger.error(CLASS_NAME + METHOD_NAME + "Error Reading Lookup"
     + e.getMessage());
   e.printStackTrace();
  }
  return records;
 }
 // Method to get RoleKey based on Rolename input
 public String getRoleKey(String roleName) {
  final String METHOD_NAME = "getRoleKey :: ";
  logger.debug(CLASS_NAME + METHOD_NAME + "Inside ");
  RoleManager rmgr = Platform.getService(RoleManager.class);
  Set retAttrs = new HashSet();
  String roleKey = null;
  try {
   retAttrs.add(RoleAttributeName.DISPLAY_NAME.getId());
   SearchCriteria criteria = null;
   criteria = new SearchCriteria(RoleAttributeName.NAME.getId(),
     roleName, SearchCriteria.Operator.EQUAL);
   List roles = rmgr.search(criteria, retAttrs, null);
   roleKey = roles.get(0).getEntityId();
  } catch (Exception e) {
   e.printStackTrace();
  }
  return roleKey;
 }
 // Method to retrieve User Login based on the usr_key
 public String getUserName(String key, String attribute) {
  String METHOD_NAME = "getUserName :: ";
  logger.debug(CLASS_NAME + METHOD_NAME + "Inside ");
  String userattr = null;
  try {
   HashMap attributes = null;
   HashMap parameters = null;
   Set attrNames = null;
   List users = null;
   UserManager umgr = Platform.getService(UserManager.class);
   SearchCriteria criteria = new SearchCriteria("usr_key", key,
     SearchCriteria.Operator.EQUAL);
   attrNames = new HashSet();
   attrNames.add(attribute);
   users = umgr.search(criteria, attrNames, parameters);
   if (users != null && !users.isEmpty()) {
    for (User user : users) {
     attributes = user.getAttributes();
     userattr = attributes.get(attribute).toString();
     logger.debug(CLASS_NAME + METHOD_NAME + " User : "
       + userattr);
    }
   }
  } catch (Exception e) {
   logger.error(CLASS_NAME + METHOD_NAME
     + "Error Retrieving User Login " + e.getMessage());
   e.printStackTrace();
  }
  return userattr;
 }
 @Override
 public EventResult execute(long processId, long eventId,
   Orchestration orchestration) {
  return null;
 }
 @Override
 public boolean cancel(long arg0, long arg1,
   AbstractGenericOrchestration arg2) {
  return false;
 }
 @Override
 public void compensate(long arg0, long arg1,
   AbstractGenericOrchestration arg2) {
 }
}

Here is the plugin.xml:

http://www.w3.org/2001/XMLSchema-instance

">
Here is the eventhandlers.xml:

http://www.oracle.com/schema/oim/platform/kernel
" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.oracle.com/schema/oim/platform/kernel orchestration-handlers.xsd"> 
Cheers!

OIM: How to Disable/Enable User Resource Object using API

Here is the sample code to disable the resource objects allocated to a user:

 

 

Long userKey = Long.parseLong(getUserKey(

"y9506a"));

 

userOp = oimClient.getService(tcUserOperationsIntf.class);
 
tcResultSet userObjects = userOp.getObjects(userKey);
 
Long processKey = userObjects.getLongValue(Users-Object Instance For User.Key");
 
 // Disable the Resource Object
 

userOp.disableAppForUser(userKey, processKey);

 

// Enable the Resource Object

 

userOp.enableAppForUser(userKey, processKey);

 

String ostatus = userObjects.getStringValue(

"Objects.Object Status.Status");

 

System.

out.println(ostatus);

 

OIM - Code to Revoke Resource Object from User Profile

Here is the sample code to revoke the resource object for a user:

 

   Long userKey = getUserKey("OIMUSER0176");
   tcUtilityFactory ioUtilityFactory = new tcUtilityFactory(env,
     OIM_USERNAME, OIM_PASSWORD);
   userOp = (tcUserOperationsIntf) ioUtilityFactory
     .getUtility("Thor.API.Operations.tcUserOperationsIntf");
   tcResultSet resultSet = userOp.getObjects(userKey);
   long key = resultSet.getLongValue("Users-Object Instance For User.Key");
   userOp.revokeObject(userKey, key);
 
 
       

OVD Metrics - "No Data Available" Issue

From the time we have enabled HTTPS and LDAPS port, we are having time tough troubleshooting Enterprise Manager not showing metrics for OVD & OID.

 

Here is one of the recent update from Oracle Support Team on this issue that helped me:

 

OVD Metrics - "No Data Available" (Doc ID 1492530.1)

HOW TO CHECK IF IPv6 is Used

Hi,

You might have came across lot of issues due to IPV6 enabled on your machine/server and even disabling IPV6 doesn't put an end to your issue. Then here is a java code that you can run to confirm if IPV6 is disabled or not:

import java.net.*;
import java.util.*;

public class IPV4Only {
 public static void main(String[] args) throws Exception {
    boolean b=true;
     Enumeration nifs = NetworkInterface.getNetworkInterfaces();
     while (nifs.hasMoreElements()) {
         NetworkInterface      nif = nifs.nextElement();
         Enumeration addrs = nif.getInetAddresses();
         while (addrs.hasMoreElements()) {
             InetAddress hostAddr = addrs.nextElement();
             if ( hostAddr instanceof Inet6Address ){
                b=false;
                 System.out.println("NetworkInterfaceV6List failed - found IPv6 address " + hostAddr.getHostAddress() );
             }
         }
     }
    if (b) {
        System.out.println("No IPv6 detected");
    } else {
        System.out.println("Detect IPv6 interfaces - use java property java.net.preferIPv4Stack=true ");
    }
 }
}

Reference:
OAM: HOW TO CHECK IF IPv6 used ? [ID 1407525.1] 

OIM11g: Bulk Load the Data in Access Policies

Hi All,

The requirement for the code that you see below comes from my client who while learning to create access policies asked me below question:

In OIM, you cannot add multiple groups in single iteration to AccessPolicy but you can remove multiple groups. What's the rationale behind this?

Well, I couldn't agree more with him and I have no answer for him and before he could throw any other question or think of asking me to modifying the OIM UI to provide capability to add multiple groups to Access Policy, I told him that I can create a Bulk Data Load Utility which can be used for loading the groups in bulk to access policies and below is the code for that:

package security.provisioning;
import java.io.BufferedReader;
import java.io.FileReader;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import com.thortech.xl.vo.AccessPolicyResourceData;
import com.thortech.xl.vo.PolicyChildTableRecord;
import Thor.API.tcResultSet;
import Thor.API.Operations.tcAccessPolicyOperationsIntf;
import oracle.iam.identity.rolemgmt.api.RoleManager;
import oracle.iam.identity.rolemgmt.api.RoleManagerConstants.RoleAttributeName;
import oracle.iam.identity.rolemgmt.vo.Role;
import oracle.iam.platform.Platform;
import oracle.iam.platform.entitymgr.vo.SearchCriteria;
import oracle.iam.scheduler.vo.TaskSupport;
import com.thortech.util.logging.Logger;
public class InitialAccessPolicyLoad extends TaskSupport {
 HashMap> mapping = new HashMap>();
 tcAccessPolicyOperationsIntf moAccesspolicyutility = null;
 private static final Logger logger = Logger.getLogger("SECURITY.EVENTS");
 private static final String CLASS_NAME = "security.provisioning.InitialAccessPolicyLoad : ";
 private static final long formKey = 25;
 private static final long objectKey = 24;
 private static final String tableKey = "22";
 private static final String objName = "OID User";
 private static final String fName = "UD_OID_USR";
 private static final String groupPrefix ="41~cn=";
 private static final String groupSuffix=",cn=Groups,dc=sample,dc=com";
 public void execute(HashMap arg0) {
  final String METHOD_NAME = "execute :: ";
  try {
   logger.debug(CLASS_NAME + METHOD_NAME + "Entering Method - execute");
   // Output File Name
   String inputFileName = arg0.get("Input File Name").toString();
   logger.debug(CLASS_NAME + METHOD_NAME + " Input File Name "
     + inputFileName);
   // Delimiter for EDR Group List
   String ROLE_DELIMITER = arg0.get("List Delimiter").toString();
   logger.debug(CLASS_NAME + METHOD_NAME + " List Delimiter "
     + ROLE_DELIMITER);
   // Delimiter for the Attributes in the Input File
   String FILE_DELIMITER = arg0.get("Field Delimiter").toString();
   logger.debug(CLASS_NAME + METHOD_NAME + " Field Delimiter "
     + FILE_DELIMITER);
   // Read Input File
   BufferedReader buff = new BufferedReader(new FileReader(inputFileName));
   buff.readLine();
   String Line = null; 
   boolean isValidRecord = true;
   String PolicyName = null;
   String RoleName = null;
   String Groups = null;
   ArrayList GroupList = new ArrayList();
   while ((Line = buff.readLine()) != null) {
  
    if (Line.startsWith("#")) {
     isValidRecord = false;
    }
  
    String[] values = Line.split(FILE_DELIMITER);
  
    if (values.length == 1) {
     PolicyName = values[0];
     isValidRecord = false;
    } else if (values.length == 2) {
     PolicyName = values[0];
     RoleName = values[1];
     isValidRecord = false;
    } else if (values.length == 3) {
     isValidRecord = true;
     PolicyName = values[0];
     RoleName = values[1];
     Groups = values[2];
     String[] gList = Groups.split(ROLE_DELIMITER);
     for(int i=0;i      GroupList.add(gList[i]);
     }
    }
  
  
    if (isValidRecord) {
     uploadPolicyData(PolicyName,RoleName,GroupList);
     logger.debug(CLASS_NAME + METHOD_NAME + "ADDING RECORD: " + Line);
    } else {
     logger.debug(CLASS_NAME + METHOD_NAME + "INVALID RECORD: " + Line);
    }
   }
   
   logger.info(CLASS_NAME + METHOD_NAME
     + " Access Policies Data Loaded");
  } catch (Exception e) {
   logger.error(CLASS_NAME + METHOD_NAME + e.getMessage());
  }
 }
 public void uploadPolicyData(String PolicyName, String RoleName, ArrayList GroupList) {
  final String METHOD_NAME = "uploadPolicyData :: ";

  try {
   tcAccessPolicyOperationsIntf moAccesspolicyutility = Platform
     .getService(tcAccessPolicyOperationsIntf.class);
   HashMap searchPolicy = new HashMap();
   searchPolicy.put("Access Policies.Name", PolicyName);
   tcResultSet result = moAccesspolicyutility.findAccessPolicies(searchPolicy);
 
   long policyKey = result.getLongValue("Access Policies.Key");
   logger.debug(CLASS_NAME + METHOD_NAME + "Access Policies.Key" +policyKey);
 
   Long roleKey = Long.parseLong(getRoleKey(RoleName));
   long[] roleKeys = { roleKey };
 
   //Add the Role NAME
   moAccesspolicyutility.assignGroups(policyKey, roleKeys);
   logger.info(CLASS_NAME + METHOD_NAME
     + " Role: "+ RoleName +" is attached to the Access Policy: " + PolicyName);
 
   for(int i = 0;i  
    HashMap childTableMap = new HashMap();
    String groupName = groupPrefix+GroupList.get(i)+groupSuffix;
    logger.debug(CLASS_NAME + METHOD_NAME + "OID Group Name: " +groupName);
    childTableMap.put("UD_OID_GRP_GROUP_NAME", groupName);
    AccessPolicyResourceData policyData = new AccessPolicyResourceData(objectKey,objName,formKey,fName,"P");
    PolicyChildTableRecord pChildTableData = policyData.addChildTableRecord(tableKey, "UD_OID_GRP", "Add", childTableMap);
    moAccesspolicyutility.setDataSpecifiedForObject(policyKey, objectKey, formKey, policyData);
    logger.info(CLASS_NAME + METHOD_NAME
      + " Group: "+ GroupList.get(i) +" attached to the Access Policy: " + PolicyName);
   }
  } catch (Exception e) {
   logger.error(CLASS_NAME + METHOD_NAME + e.getMessage());
  }
 }


 public String getRoleKey(String roleName) {
  final String METHOD_NAME = "getRoleKey :: ";
  System.out.println(CLASS_NAME + METHOD_NAME
    + "Entering Method - getRoleKey");
  RoleManager rmgr = Platform.getService(RoleManager.class);
  Set retAttrs = new HashSet();
  String roleKey = null;
  try {
   retAttrs.add(RoleAttributeName.DISPLAY_NAME.getId());
   SearchCriteria criteria = null;
   criteria = new SearchCriteria(RoleAttributeName.NAME.getId(),
     roleName, SearchCriteria.Operator.EQUAL);
   List roles = rmgr.search(criteria, retAttrs, null);
   roleKey = roles.get(0).getEntityId();
  } catch (Exception e) {
   logger.error(CLASS_NAME + METHOD_NAME + e.getMessage());
  }
  return roleKey;
 }

 // Method to check if  Role exists in OIM or not
 public boolean isRoleExist(String[] roles) {

  String METHOD_NAME = "isRoleExist :: ";
  logger.debug(CLASS_NAME + METHOD_NAME +"Entering Method - isRoleExist");
  boolean roleExist = false;
  boolean roleListEmpty = false;
  if(Arrays.toString(roles).length() == 2) {
   roleListEmpty = true;
  }

  try {
   if (!roleListEmpty) {
   RoleManager rmgr = Platform.getService(RoleManager.class);
   Set retAttrs = new HashSet();
   retAttrs.add(RoleAttributeName.DISPLAY_NAME.getId());
   SearchCriteria criteria = null;
   for (int i = 0; i < roles.length; i++) {
    criteria = new SearchCriteria(RoleAttributeName.NAME.getId(),
      roles[i], SearchCriteria.Operator.EQUAL);
    List role = rmgr.search(criteria, retAttrs, null);
    if (role.size() != 0) {
     roleExist = true;
    } else {
     logger.debug(CLASS_NAME + METHOD_NAME + roles[i]
       + " DOESN'T EXIST IN OIM");
     roleExist = false;
    }
   }
  }
   }catch (Exception e) {
    logger.error(CLASS_NAME + METHOD_NAME + e.getMessage());
  }
  return roleExist;
 }
 public HashMap getAttributes() {
  return null;
 }
 public void setAttributes() {
 }
}
I don't know how easy/hard is to modify the UI to provide the capability but considering this as "Nice To Have" requirement, I think the above solution is good enough. There are couple of things like Checking if OID Group exist or not or update(add & delete) the Groups I might need to add later.

Note: This code is specific to OID Resource and assume that access policy is already created.