Wednesday 19 February 2014

Basics of IDM - II


Adapters 

An adapter is the smallest component in OIM; it is used to perform a particular function and can be attached to a form or to a process task. Depending on its type, it performs various operations in OIM.

Types of Adapter

• Process Task Adapter - automates the completion of a process task and is attached to a process definition form (AD User, OID User, etc.). As the name suggests, it can be attached only to a task.
• Entity Adapter - automatically populates a field on the OIM User form or on a custom user form on pre-update, pre-delete, pre-insert, post-insert, post-update, or post-delete. When you want to perform an operation on an entity such as a user or a group, you use an entity adapter. It can be attached only to forms.
• Pre-Populate Adapter - used for populating a field on a form (process or object form) with data. It is a specific type of rule generator attached to a user-created form field: it can automatically generate data for the form, but it does not save that data to the OIM database; instead it sends that information to the appropriate directory user object. The data can come from manual entry on a form or from automated entry from OIM-defined forms.
• Rule Generator - can populate fields automatically on an OIM form or a user-created form and save them to the OIM database based on business rules.
• Task Assignment Adapter - automates the assignment of a process task to a user or group. It is used when you want to perform some operation to find the user to whom the task should be assigned.

Process Form: A process form is used to send data to the target resource. For example, in AD provisioning the connector takes the user data from the process form; this is the actual data that goes to AD.

Resource Form: A resource form is used to take some input from the user while creating a request for provisioning.

Object Form: An object form is associated with a resource object. It is visible at the time of provisioning and is used for getting some input from the user while provisioning.
 
 
Application Instance: IT resource instance + resource object

An application instance is the object that is provisioned to a user. Application instances are listed in the catalog, and a user can request them via the catalog. In OIM 11gR2, resources and entitlements are bundled in an application instance which the user can select and request from the catalog. An application instance is a combination of an IT resource and a resource object (RO). So, you cannot create another application instance with the same RO and IT resource if that pair already exists for some other application instance; one of these (RO or IT resource) must have a different name.
• An application instance can be associated with multiple organizations.
• An application instance can also have entitlements associated with it. Entitlements can include roles/groups or responsibilities.
• Application instances are published to the catalog by the scheduled task "Catalog Synchronization Job".

Disconnected Resources: Disconnected resources are targets for which there is no connector. In earlier releases of Oracle Identity Manager, disconnected provisioning was not supported as a first-class use case; it was supported by using manual tasks in the provisioning process. In Oracle Identity Manager 11g Release 2 (11.1.2), disconnected resources are an enhanced configuration for manual provisioning that leverages SOA integration to provide higher flexibility and configurability of the manual provisioning workflow.

Orchestration: An orchestration is the automated management of operations in Oracle Identity Manager. In the case of event handlers, the stage at which an event handler is executed (pre-process, post-process, etc.), the object it runs on (user, role, resource, etc.) and the order in which it is executed are all handled by orchestration. Orchestration also holds data during these operations.

An adapter provides the following benefits:
  • It extends the internal logic and functionality of Oracle Identity Manager.
  • It interfaces with any software resource, by connecting to that resource by using the API of the resource.
  • It enables the integration between Oracle Identity Manager and an external system.
  • It can be generated without manually writing code. However, Oracle Identity Manager does not restrict you from writing your own code for creating adapters.
  • It is lightweight and specific to your needs.
IT Resource: An IT resource is a physical representation of a logical resource object. It holds all the physical details of the resource for which a new user is provisioned. If, for example, you have a resource object called Customer Database, you also need to define one or more corresponding IT resource objects that represent the physical characteristics of the resource. This information is used by the OIM integration engine when it needs to communicate with those servers to complete a provisioning-related task. The specific set of attributes of an IT resource is highly dependent on the type of system on which the account is being created (relational database IT resources expect schema names and passwords; LDAP server IT resources expect names and directory information tree details). OIM allows you to define an IT resource type that acts as a template defining a specific data model for a certain type of IT resource.

Resource Object: A resource object is an OIM object representing a logical resource for which users need to have accounts created. For instance, you can have OIM resource objects called "e-mail Server" and "Customer Database". A resource object can represent almost anything, from applications, databases, and operating systems, to physical assets and any other entity relevant to provisioning. A resource object is used to track which users are provisioned to which logical assets. Resource objects are also used to design approval workflows, and application-centric policies around those workflows.

Application instances can be connected or disconnected. A connected application instance has a connector defined for the provisioning of entities. A disconnected application instance is used for the provisioning of a disconnected resource, for which a connector is not defined, and therefore the provisioning is performed manually by the administrator.
   
Datasets in OIM: OIM 11g has the concept of datasets instead of object forms. These datasets are XML files which have to be created manually. The XML file has specific placeholders for the resource name, the type of model to be used for the dataset, and so on. Since it is created manually, there are chances of typos or missing tags, which are found only while uploading the dataset into MDS (and the error messages are not very user friendly). Thus a tool that generates a dataset automatically from the process form and the provisioning process would be very useful; the generated XML file can then be modified manually for any special requirements.


   


Tuesday 18 February 2014

Error with Ldapsync OIM and OID

Error with creating users in OIM with LdapSync 

After configuring LDAP sync in OIM, creating a user may trigger the error below.

"An error Occurred while  performing create user operation.Unable to get  LDAP  connection,and  the root cause  is -null"

To fix this error, check the IT resource (Manage IT Resource) in the OIM Advanced Administration Console.

Search for the IT resource of type Directory Server and change Connection Pooling Supported to False.



Now try to create a user; the error should no longer occur.

But while opening the IT resource to update the Connection Pooling Supported value, sometimes another error may occur:

"A system error has occurred. Contact the Oracle Identity Manager System Administrator"

This error occurs after configuring OIM for LDAP sync. When you want to edit the Directory Server IT resource (OIM console -> Advanced -> Manage IT Resource -> Search -> Edit) to set connection pooling to false in order to create users, it shows this error message. To resolve it, perform the following steps.

1) Open the SQL Developer console and connect with the OIM schema.
2) Run the following query:


select svr.svr_name, spd.spd_field_name, svp.svp_key, svp.svp_field_value
from svp
inner join spd on spd.spd_key = svp.spd_key
inner join svr on svr.svr_key = svp.svr_key;

This query returns the following values in plain text, i.e. they are not encrypted:


SVR_NAME          SPD_FIELD_NAME              SVP_KEY  SVP_FIELD_VALUE
Directory Server  Admin login                 4        cn=oimLDAP,cn=system ids,dc=your domain,dc=com
Directory Server  Admin Password              5        oracle123
Directory Server  Search base                 18       dc=your domain,dc=com
Directory Server  User reservation container  20       cn=Reserve,dc=your domain,dc=com

Looking at this we can see that these values are stored unencrypted, which is why we are facing this error. First set them to null.

• Before making them null, back up the table with the following query:

create table DEV_OIM.svp_bkp as (select * from DEV_OIM.svp);

• Now make them null:

update svp set svp_field_value=null where svp_field_value like '%dc%';
update svp set svp_field_value=null where svp_field_value like '%oracle%';

Note that these two patterns match every svp row whose value contains dc or oracle, not only the Directory Server parameters, so review the rows returned by the earlier query before running them. After this, make sure to commit the changes to the database. Now edit the Directory Server IT resource; it will open.

• Since we have made some values null, we have to provide those values manually in the Directory Server IT resource. Provide the values and the user will now be created. This solves both problems: user creation and the original one.
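As an added, runnable illustration of the steps above (example code written for this post, not part of the original post or of OIM), the Python script below emulates the svr, spd and svp tables in an in-memory SQLite database with the four Directory Server rows from the query output plus one constructed "OIM Database" / "JDBC URL" row, runs the same join query, and nulls the Directory Server values by svp_key after taking the svp backup. It also shows that the like '%dc%' / '%oracle%' patterns would hit the constructed JDBC row as well, which is why nulling by key is the safer form of the fix.

```python
import sqlite3
# Constructed in-memory stand-in for the three OIM tables the post's query joins:
# svr (IT resource), spd (parameter definition), svp (parameter value).
SCHEMA = """
CREATE TABLE svr (svr_key INTEGER PRIMARY KEY, svr_name TEXT);
CREATE TABLE spd (spd_key INTEGER PRIMARY KEY, spd_field_name TEXT);
CREATE TABLE svp (svp_key INTEGER PRIMARY KEY, svr_key INTEGER, spd_key INTEGER, svp_field_value TEXT);
"""
# The four Directory Server rows from the post, plus one constructed row for an
# unrelated IT resource whose value also contains "dc" (in "jdbc") and "oracle".
SAMPLE_ROWS = [
    (4, "Directory Server", "Admin login", "cn=oimLDAP,cn=system ids,dc=your domain,dc=com"),
    (5, "Directory Server", "Admin Password", "oracle123"),
    (18, "Directory Server", "Search base", "dc=your domain,dc=com"),
    (20, "Directory Server", "User reservation container", "cn=Reserve,dc=your domain,dc=com"),
    (31, "OIM Database", "JDBC URL", "jdbc:oracle:thin:@localhost:1521:ORADB"),  # constructed
]
JOIN_QUERY = """
SELECT svr.svr_name, spd.spd_field_name, svp.svp_key, svp.svp_field_value
FROM svp INNER JOIN spd ON spd.spd_key = svp.spd_key
         INNER JOIN svr ON svr.svr_key = svp.svr_key"""


def build_db():
    """Create the tables and load SAMPLE_ROWS, allocating svr/spd keys on the fly."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    svr_keys, spd_keys = {}, {}
    for svp_key, svr_name, field, value in SAMPLE_ROWS:
        if svr_name not in svr_keys:
            svr_keys[svr_name] = conn.execute(
                "INSERT INTO svr (svr_name) VALUES (?)", (svr_name,)).lastrowid
        if field not in spd_keys:
            spd_keys[field] = conn.execute(
                "INSERT INTO spd (spd_field_name) VALUES (?)", (field,)).lastrowid
        conn.execute("INSERT INTO svp VALUES (?, ?, ?, ?)",
                     (svp_key, svr_keys[svr_name], spd_keys[field], value))
    conn.commit()
    return conn


def list_parameters(conn, svr_name=None):
    """Rows of the post's join query, optionally limited to one IT resource."""
    sql, args = JOIN_QUERY, ()
    if svr_name is not None:
        sql, args = sql + " WHERE svr.svr_name = ?", (svr_name,)
    return conn.execute(sql + " ORDER BY svp.svp_key", args).fetchall()


def broad_pattern_hits(conn):
    """svp_keys that the post's LIKE '%dc%' / LIKE '%oracle%' updates would null."""
    rows = conn.execute("SELECT svp_key FROM svp WHERE svp_field_value LIKE '%dc%' "
                        "OR svp_field_value LIKE '%oracle%'").fetchall()
    return sorted(r[0] for r in rows)


def null_parameters_by_key(conn, svp_keys):
    """Scoped fix: back up svp, then null only the listed rows. Returns rows changed."""
    conn.execute("CREATE TABLE IF NOT EXISTS svp_bkp AS SELECT * FROM svp")
    cur = conn.executemany("UPDATE svp SET svp_field_value = NULL WHERE svp_key = ?",
                           [(k,) for k in svp_keys])
    conn.commit()
    return cur.rowcount
```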









RCU-6130-6136 Error during schema creation

When I run the RCU for schema creation, sometimes an error may occur.

The RCU-6130-6136 error may occur during OID schema creation.

  


To fix this error

Copy msvcr71.dll from <your installer directory>\rcuHome\jdk\bin to \Windows\SysWOW64 and \Windows\System32

And then run RCU again to create your schema.

Configure Oracle Access Manager 11g R2

INSTALLATION AND CONFIGURATION OF OAM 11gR2


In this post I will cover the detailed configuration steps for Oracle Access Manager 11g R2.


Check the dependencies before installing Oracle Access Manager 11gR2:

1) Oracle Database must be installed.
2) Run the Oracle Fusion Middleware Repository Creation Utility (RCU) to create and load the appropriate schemas for the Oracle Identity and Access Management products.
3) Install WebLogic and create the Middleware home.
4) Start the Oracle Identity and Access Management installer.
5) Install the Oracle Identity and Access Management 11g software.

Configuration of OAM in new Domain

After successful installation of the Identity and Access Management product and review of the prerequisites, configure OAM in a new domain. To do that, go to F:\Oracle\Middleware\Oracle_IDM1\common\bin and run the config.bat file.



Check "Create a new WebLogic domain" and click the Next button.

Select Oracle Access Manager. You can select other appropriate products as well; in my case:
1) Oracle Identity Manager
2) Oracle SOA Suite
3) Oracle Adaptive Access Manager - Server
4) Oracle Adaptive Access Manager - Admin Server
5) Oracle Enterprise Manager
And click Next.


Specify the domain name and the location where the domain is created, and click Next.

Enter the user password (in my case: Welcome1) and click Next.

Select the mode (in my case Development mode), check the JDK, and click the Next button.




Select all the schemas and change the required field as follows
DBMS/service: ORADB (your database service name)
Host Name: localhost
Port: 1521
Schema Password: Welcome1
Click next


Click next

Select Admin server,
JMS distributes destination
Managed servers
Deployment and services and JMS file store and click next


Click next


Check the SSL listen port and SSL state and click Next.


Click next
Click next


Select all servers and click next


Click next


Click next


Click next


Click create


Do not start the Admin server yet. In OAM 11gR2 there are some extra steps that need to be done before running the Admin server.

Create the policy store in the database:
1) Navigate to ../Oracle\Middleware\oracle_common\common\bin
2) Execute the following command. It will show you the success messages as in the screenshot below.


Run this command


wlst.cmd F:\Oracle\Middleware\Oracle_IDM1\common\tools\configureSecurityStore.py -d F:\Oracle\Middleware\user_projects\domains\base_domain -c IAM -p Welcome1 -m create



It will show the message below:
Info: diagnostic credential created in the credential store.
Info: Create operation has completed successfully.
F:\Oracle\Middleware\oracle_common\common\bin>
Start the servers
1) Admin server
2) OAM server


For more details refer to the document below:

 http://docs.oracle.com/cd/E27559_01/install.1112/e27301/install.htm#CIHEDAJE









Basics of Oracle Identity Management

Identity Management: Overview

Identity management is a collection of processes and strategies that a company uses to
manage the complete security life cycle of resources for its internal and external users,
organizations, and entities, both within and beyond a firewall. An identity management
solution can provide a mechanism for implementing the user management aspects of a
corporate policy. It can also be a means to audit users and their access privileges.
Identity management ensures the integrity of large application grids by enabling new levels of
security and completeness to address the protection of enterprise resources and the
management of the processes acting on those resources.

Importance


Every company has identity management processes. However, as a company grows, so does
the number of users and organizations it has, as well as resources associated with these
users and organizations. In addition, it becomes increasingly difficult to maintain a secure
network environment. Therefore, an identity management solution is necessary for a company
to:
• Manage its user and organizational base, and handle the creation, modification, and
deletion of resource-related accounts for these users and organizations
• Regulate the access rights that users and organizations have with their accounts (for
audit, regulatory, and compliance purposes). This occurs through attestation, which is
the process of authorizing established internal controls, processes, and policies for data
related to users, organizations, and transactions.
• Enforce security policies for these accounts
• Provide auditing, logging, monitoring, tuning, configuration, reporting, analytics, and fraud
detection.
• Pass correspondence between accounts across internal and external domains

Architecture of Oracle Identity Manager


The Oracle Identity Manager architecture consists of three tiers.

Tier 1: Client: The Oracle Identity Manager application GUI components reside in this tier. Users log in by using the Oracle Identity Manager client. The Oracle Identity Manager client interacts with the Oracle Identity Manager server, providing it with the user's login credentials.


Tier 2: Application Server: The second tier implements the business logic, which resides in the Java Data Objects that are managed by the supported J2EE application server (JBoss Application Server, BEA WebLogic, and IBM WebSphere). The Java Data Objects implement the business logic of the Oracle Identity Manager application; however, their methods are not exposed to the outside world. Therefore, to access the business functionality of Oracle Identity Manager, you use the API layer within the J2EE infrastructure, which provides the lookup and communication mechanism.


Tier 3: Database: The third tier consists of the database. This is the layer that is responsible for managing the storage of data within Oracle Identity Manager.


Oracle Identity Management Products


Oracle Identity Manager: Oracle Identity Manager is a highly flexible and scalable
enterprise identity management system that controls user accounts and access
privileges in enterprise IT resources centrally. It provides the functionality of
provisioning, identity and role administration, approval and request management, policy based
entitlement management, technology integration, and audit and compliance
automation.

Oracle Access Manager: Oracle Access Manager provides centralized, policy-driven
services for authentication and SSO. Oracle Access Manager integrates with various
authentication mechanisms, third-party Web servers and application servers, and
standards-based federated SSO solutions to ensure maximum flexibility and a well integrated,
comprehensive web access control solution. Oracle Access Manager
complements its own coarse-grained authorization capabilities by integrating with Oracle
Entitlements Server to provide fine-grained authorization to applications, portals,
databases, and Web services.

Oracle Adaptive Access Manager: Oracle Adaptive Access Manager is a Web-based
solution that provides resource protection by enabling an enterprise to perform fraud
detection, software-based multi-factor authentication, and unique authentication
strengthening in real time through the Web and SMS devices such as cell phones.
Oracle Adaptive Access Manager supports complex, heterogeneous enterprise
environments.
Adaptive Risk Manager provides online risk analysis in real time, and
proactive actions to prevent fraud at critical log-in and transaction checkpoints.

Oracle Entitlements Server: Oracle Entitlements Server is a fine-grained authorization
engine that externalizes, unifies, and simplifies the management of complex entitlement
policies. Oracle Entitlements Server secures access to application resources and
software components (such as URLs, Enterprise JavaBeans, and JavaServer Pages) as
well as arbitrary business objects (such as customer accounts or patient records in a
database).
Oracle Entitlements Server provides a centralized administration point for managing
complex, standards-based entitlement policies across enterprise applications. This
results in a more-secure enterprise environment, improved ease of administration,
consistent policy enforcement, and improved compliance.

Oracle Identity Federation: Oracle Identity Federation is a self-contained and flexible
multiprotocol federation server that is deployable with existing identity management
systems. It enables browser-based, cross-domain SSO by using industry standards
(Security Assertion Markup Language [SAML], Liberty ID-FF, WS-Federation, and so
on). Version 11g of Oracle Identity Federation introduces support for Microsoft Windows
CardSpace (for example, an Oracle Identity Federation identity provider can challenge a
user for login through the CardSpace protocol and then return a SAML assertion based
on the CardSpace authentication and claims).
(Source: Oracle Identity Management Products: Overview, Chapter 14 - Page 8. Copyright © 2010, Oracle and/or its affiliates. All rights reserved.)

Oracle Identity Analytics: Oracle Identity Analytics (formerly Sun Role Manager) is
now the strategic product going forward for Role Administration and Role Governance. It
provides enterprises with the ability to engineer and manage roles and automate critical
identity-based controls. After roles are defined, certified, and assigned, the software
continues to deliver value throughout the user access life cycle.

Oracle Internet Directory: Oracle Internet Directory is an LDAP v3 directory service
that leverages the scalability, high availability, and security features of Oracle Database.
It serves as the central user repository for Oracle Access Manager and other Oracle
applications. Oracle Internet Directory provides Oracle Fusion Middleware components,
Oracle Fusion applications, and in-house enterprise applications with an LDAP-based
mechanism for storing and accessing identity data such as user credentials (for
authentication), access privileges (for authorization), and profile information.

Oracle Virtual Directory: Oracle Virtual Directory presents a single logical directory that exposes real-time data from multiple heterogeneous data sources without directory synchronization. That is, it provides real-time identity aggregation and transformation without data copying or data synchronization. Oracle Virtual Directory hides the
complexity of underlying data infrastructures by providing industry-standard LDAP and
XML views of existing enterprise identity information, without moving data from its native
location.