Wednesday, January 11, 2012

OIM 11.1.1.5 User Manager API bug causes double provisioning

I wrote a Post Process Event Handler code, which provide value to a User's attribute during user creation. The event-handler code was using UserManagerment (oracle.iam.identity.usermgmt.api.UserManager) API.

public class GuidGenerationPostProcEventHandler implements oracle.iam.platform.kernel.spi.PostProcessHandler {
:
public EventResult execute(long processId, long eventId, Orchestration orchestration) { 
HashMap params = orchestration.getParameters();
String uid = this.getParamaterValue(params, Constants.USERID); 
oracle.iam.identity.usermgmt.vo.User user = new User(uid);
user.setAttribute("Micam Unique Id", generateUniqueId()); // generateUniqueId is a private method and returns some value 
try {
   usrMgrService = Platform.getService(UserManager.class);    
   usrMgrService.modify(Constants.USERID, uid, user);
catch (...) 
:
:
}
return ( new EventResult() );
    :
    :

The above said code worked as expected. It generated the value and populated the user attributes called "Micam Unique Id".  But, this code did some damage to my auto-provisioning set up to OID. I saw two auto-provisionings are initiated during user creation event instead of one. I could not figure out the cause. so I posted the query to oracle forum ( https://forums.oracle.com/forums/thread.jspa?threadID=2329154 ) and found the following answer from some of our smart users. 

There is a known issue in UserManagement APIs in OIM 11.1.15. Using the UsrMngmt APIs to update a User within an Orchestration will cause another user update orchestration to be initiated. The user update is also causing role membership rules to be evaluated, which in turn is triggering second provisioning. So solution is to use Entity Management (oracle.iam.platform.entitymgr.EntityManager) APIs instead . The new code snippet is given here, which works fine so far. 

public class GuidGenerationPostProcEventHandler implements oracle.iam.platform.kernel.spi.PostProcessHandler {
    :    
 public EventResult execute(long processId, long eventId, Orchestration orchestration) {        
        HashMap mapAttrs = new HashMap() ;
    mapAttrs.put("Micam Unique Id", generateUniqueId()); // generateUniqueId is a private method and returns some value 
    try {
   String userKey;     
   if (!orchestration.getOperation().equals("CREATE")) 
userKey = orchestration.getTarget().getEntityId();
   else {
    OrchestrationEngine orchEngine = Platform.getService(OrchestrationEngine.class);            
    userKey = (String) orchEngine.getActionResult(processID);
            }        
            
            entMgrService = Platform.getService(EntityManager.class);        
            entMgrService.modifyEntity(orchestration.getTarget().getType(), userKey, mapAttrs);                        
    }
    catch (..) {
    :      
    return ( new EventResult() );
     :
     :

As of writing this blog, there is no UserMgmt & EntityMgmt API documentations available from Oracle. So good luck.

Posted by Kabi Patt at 4:31 PM 2 comments
Labels:

Monday, January 9, 2012

Quick OIM TIP : Finding out OIM Version and Patch Information

(1) Execute the following query against OIM schema.
select XSD_VALUE from XSD where XSD_CODE='XL_BUILD_NUMBER';

 (2) .../Oracle/Middleware/Oracle_IDM1/OPatch/opatch lsinventory -details
Posted by Kabi Patt at 3:56 PM 1 comments
Labels:

Friday, January 6, 2012

OIM 11g: exporting User.xml using MDS utilities

Here are the steps to export OIM's  User.xml from metadata using weblogic MDS utilities.

$ cd /opt/Oracle/Middleware/Oracle_OIM/server/bin
Aassuming you have installed OIM at /opt/Oracle/Middleware/Oracle_OIM. The default directory could be /opt/Oracle/Middleware/Oracle_IDM2 for 11.1.1.5 installation

$ vi weblogic.properties.  Set the value similar to the example below.

wls_servername=oim_server1
application_name=OIMMetadata
metadata_from_loc=@From_location
metadata_to_loc=/opt/export
metadata_files=/file/User.xml

- The above said example assumes that your oim server name is oim_server1.
- The exported file will land in directory mentioned in metadata_to_loc
- Export operation ignores the value mentioned in metadata_from_loc proerty field.
- Rest of the property fields should be hard-coded as shown in the example.

$ ./weblogicExportMetadata.sh
User Name   = weblogic
Password     = Your Password
Server URL = t3://weblogic-admin-server:7001

While running this, you may see some warning about the SSL port and admin port. Just ignore it. If the above runs successfully, your exported User.xml will be in /opt/export/file directory.
Posted by Kabi Patt at 5:13 PM 1 comments
Labels:

Tuesday, October 25, 2011

OIM 11g logging.xml getting overwritten issue

After installing and configuring OID-Connector, I tried to do a simple manual user provisioning to OID. As expected, the user creation in OID was rejected. Time to debug :(  So I included OID related login handler in $DOMAIN_NAME/config/fmwconfig/servers/oim_server1/logging.xml followed by restarting the oim managed server. To my surprise the logging.xml file got overwritten (to the original one) right after the managed server restarted.


Finally found the solution in support.oracle.com under support id 1335539.1.  This issue shows up when your admin server is in box1 and managed server is in box2. The solution is simple. Just modify the logging.xml file of Box1 (admin server) and restart the OIM managed server. The change will propagate to Box2 where the OIM managed server is running.
Posted by Kabi Patt at 7:55 PM 0 comments
Labels:

Saturday, May 14, 2011

STRIDE Threat modelling and counter measure

Here is a quick list of threats and its counter measures based on STRIDE treat model. More information at http://msdn.microsoft.com/en-us/magazine/cc163519.aspx .

THREAT                          COUNTER MEASURE
-------------------------------------------------------------
Spoofing                              Authentication
Tampering                           Digital Signature, Hashing
Repudiation                         Audit
Information Disclosure       Encryption   
DOS                                    Availability
Elevation of Privileges       Authorization, Input data sanitation
Posted by Kabi Patt at 10:14 AM 0 comments
Labels:

Thursday, December 23, 2010

OIM Troubleshoot : .NullPointerException at getAttrColumnName during Trusted Recon

Problem Description :- I imported a Trusted-Reconciliation set up from one of the working environment to another environment. When I run the trusted recon on the new environment, I got the following error.

ERROR,21 Dec 2010 17:33:45,658,[XELLERATE.SERVER],Class/Method: tcRCE/createUserRecord encounter some problems: {1}
java.lang.NullPointerException
at com.thortech.xl.dataobj.util.tcAttributeSource.getAttrColumnName(Unknown Source)

I examined the "Reconciliation Event History" (Design console -> Recon Manager) and found only one Action called "Event Received" is logged. The successful recon usually have at least three Actions like
1. Event Received
2. Data Sorted
3. Created User
In my case the user is not getting created in OIM's USR  table .
 
Solution : After banging my head for 2 days, finally I found the dumb solution.
1. Go to "Xellerate User" process definition.
2. Delete all field maps from "Reconciliation Field Mapping".
3. Redo all the field mapping again.

I think this occurs when export and import of configuration done from one environment to other. Definitely a bug in OIM 9102 BP11.
Posted by Kabi Patt at 3:20 PM 0 comments
Labels:

Tuesday, November 2, 2010

OIM How to : Delete OIM Users

Never delete the OIM users. That is the OIM recommendation. But while playing in development environment, we sometime mess up OIM with too many unwanted Users. In case you wanted to clean it up here is the little script that may help. I got this from http://forums.oracle.com/forums/thread.jspa?threadID=1997648&tstart=15 .

delete from oud where oiu_key in (select oiu_key from oiu where usr_key in (select usr_key from usr where USR_LOGIN='USERXXX'));
delete from osi where req_key in (select req_key from req where orc_key in (select orc_key from orc,usr where orc.usr_key = usr.usr_key and USR_LOGIN='USERXXX'));
delete from osi where osi_assigned_to_usr_key in (select usr_key from usr where USR_LOGIN='USERXXX');
delete from osh where osh_assigned_to_usr_key in (select usr_key from usr where USR_LOGIN='USERXXX');
delete from rcd where rce_key in (select rce_key from rce,orc,usr where rce.orc_key = orc.orc_key and orc.usr_key = usr.usr_key and USR_LOGIN='USERXXX');
delete from rch where rce_key in (select rce_key from rce,orc,usr where rce.orc_key = orc.orc_key and orc.usr_key = usr.usr_key and USR_LOGIN='USERXXX');
delete from rcu where rce_key in (select rce_key from rce,orc,usr where rce.orc_key = orc.orc_key and orc.usr_key = usr.usr_key and USR_LOGIN='USERXXX');
delete from rcb where rce_key in (select rce_key from rce,orc,usr where rce.orc_key = orc.orc_key and orc.usr_key = usr.usr_key and USR_LOGIN='USERXXX');
delete from rpc where rce_key in (select rce_key from rce where usr_key in (select usr_key from usr where USR_LOGIN='USERXXX'));
delete from rcm where rce_key in (select rce_key from rce where usr_key in (select usr_key from usr where USR_LOGIN='USERXXX'));
delete from rcp where rce_key in (select rce_key from rce where usr_key in (select usr_key from usr where USR_LOGIN='USERXXX'));
delete from rce where orc_key in (select orc_key from orc,usr where orc.usr_key = usr.usr_key and USR_LOGIN='USERXXX');
delete from oio where orc_key in (select orc_key from orc,usr where orc.usr_key = usr.usr_key and USR_LOGIN='USERXXX');
delete from oiu where usr_key in (select usr_key from usr where USR_LOGIN='USERXXX');
delete from oti where orc_key in (select orc_key from orc,usr where orc.usr_key = usr.usr_key and USR_LOGIN='USERXXX');
delete from osi where orc_key in (select orc_key from orc,usr where orc.usr_key = usr.usr_key and USR_LOGIN='USERXXX');
delete from orc where usr_key in (select usr_key from usr where USR_LOGIN='USERXXX');
delete from upd where upp_key in (select upp_key from upp,usr where upp.usr_key = usr.usr_key and USR_LOGIN='USERXXX');
delete from upp where usr_key in (select usr_key from usr where USR_LOGIN='USERXXX');
delete from usg where usr_key in (select usr_key from usr where USR_LOGIN='USERXXX');
delete from uhd where uph_key in (select uph_key from uph,usr where uph.usr_key = usr.usr_key and USR_LOGIN='USERXXX');
delete from uph where usr_key in (select usr_key from usr where USR_LOGIN='USERXXX');
delete from pcq where usr_key in (select usr_key from usr where USR_LOGIN='USERXXX');
delete from rcu where usr_key in (select usr_key from usr where USR_LOGIN='USERXXX');
delete from usr where USR_LOGIN='USERXXX';
Posted by Kabi Patt at 11:09 AM 0 comments
Labels:
Subscribe to: Posts (Atom)