Thursday, May 26, 2016

OIM R2 PS3 Integration with Siteminder

Requirements


  • Oracle Identity Manager is installed and configured.
  • CA Siteminder is installed and configured.
  • The identity population in Oracle Identity Manager is synchronized with the identity information in the LDAP registry used by the SSO provider. Oracle Identity Manager's LDAP synchronization feature can be used for this purpose.
  • The Oracle Identity Manager system administrator (xelsysadm) account should be created in the LDAP repository so that you can perform SSO login to OIM using this administrator account. This account should be created in the same user container that holds the other OIM users in the LDAP repository. Also ensure that the LDAP user attribute mapped to the Oracle Identity Manager user login (uid or sAMAccountName) has the value XELSYSADM.
  • The SSO header returned by the SSO provider must contain the username value that maps to the OIM User Login field.

Configuration Steps


    1. Install the Siteminder WebLogic Agent by referring to the Siteminder installation documentation. Follow the install GUI instructions.

    2. Edit the setDomainEnv.sh file to set the variables, as shown:

    ASA_HOME='PATH_TO_SITEMINDER_AGENT_HOME'
    export ASA_HOME
    SMASA_CLASSPATH="$ASA_HOME/conf:$ASA_HOME/lib/smagentapi.jar:$ASA_HOME/lib/smjavasdk2.jar:$ASA_HOME/lib/sm_jsafe.jar:$ASA_HOME/lib/smclientclasses.jar:$ASA_HOME/lib/sm_jsafeJCE.jar"
    export SMASA_CLASSPATH
    SM_JAVA_OPTIONS=" -Dsmasa.home=$ASA_HOME"
    export SM_JAVA_OPTIONS
    CLASSPATH=${SMASA_CLASSPATH}:${CLASSPATH}
    export CLASSPATH

    3. Edit the startWebLogic.sh file to add SM_JAVA_OPTIONS to the JAVA command, as shown:

    $JAVA_HOME/bin/java ${JAVA_VM} ${MEM_ARGS} -Dweblogic.Name=${SERVER_NAME} -Djava.security.policy=${WL_HOME}/server/lib/weblogic.policy ${JAVA_OPTIONS}
    ${SM_JAVA_OPTIONS} ${PROXY_SETTINGS} ${SERVER_CLASS}

    4. Edit the ASA_HOME/conf/WebAgent.conf file to change the value of the EnableWebAgent parameter to YES.

    5. Restart all Managed and Admin servers.
    6. Add/Configure SiteminderIdentityAsserter and SiteminderAuthenticationProvider in the Weblogic authentication chain. In Identity Asserter common configuration, select SMSESSION.

    In the Provider Specific subtab, set the "SMIdentity Asserter Config File:" field to ASA_HOME/conf/WebAgent.conf.

    In SiteminderAuthenticationProvider 'ProviderSpecific', update "SMAuth Provider Config File:" to ASA_HOME/conf/WebAgent.conf.

    7. Remove existing OIMAuthenticationProvider from the authentication chain.

    8. Add OIMSignatureAuthenticator to the authentication chain. Set the control flag to SUFFICIENT. This authenticator is added only to handle signature based login to Oracle Identity Manager.

    9. Add an LDAP Authenticator (OID, iPlanet, and so on) to the authentication chain, and set its control flag to SUFFICIENT. Ensure that this authenticator is configured to point to the same LDAP provider that is:

        • Synchronized with Oracle Identity Manager, that is, holds the entire OIM identity population
        • Used by the Siteminder server for authentication purposes

    The LDAPAuthenticator needs to be added in order to handle non-HTTP based login requests (for example, login to the OIM Design Console or any other OIM client login) and OPSS based assertion requests.

    10. Rearrange the authentication chain as listed below.

    Authentication Provider             Control Flag
    ---------------------------------   ------------
    SiteminderIdentityAsserter
    OIMSignatureAuthenticator           SUFFICIENT
    SiteminderAuthenticationProvider    SUFFICIENT
    LDAPAuthenticator                   SUFFICIENT
    DefaultAuthenticator                SUFFICIENT
    DefaultIdentityAsserter

    11. Restart Admin server and all the Managed Servers in the domain.
    12. Configure SSO logout for OIM by using the following commands:

    cd <IDM_ORACLE_HOME>/common/bin
    ./wlst.sh
    connect()
    addOAMSSOProvider(loginuri="/${app.context}/adfAuthentication", logouturi="SITEMINDER_LOGOUT_URL", autologinuri="/obrar.cgi")
    exit()

    Note: The connect() call will prompt for the Admin server URL and the WebLogic Admin username and password.

    13. Set the ssoEnabled flag for Oracle Identity Manager to true. To do so:

        Log in to Enterprise Manager, and open the System MBean Browser.
        Open the oracle.iam:Location=<OIM_SERVER_NAME>,name=SSOConfig,type=XMLConfig.SSOConfig,XMLConfig=Config,Application=oim,ApplicationVersion=11.1.2.0.0 MBean.
        Set the value of ssoEnabled to true.

    Restart the Admin Server and all Managed Servers in the domain.

Protect/unprotect the following Oracle Identity Manager resources on the Siteminder side:

        Protect the following resources:

        /identity
        /sysadmin
        /oim
        /xlWebApp
        /Nexaweb

        Unprotect the following URIs:

        /identity/faces/register
        /identity/faces/forgotpassword
        /identity/faces/trackregistration
        /identity/faces/forgotuserlogin
        /identity/faces/accountlocked
        /identity/adfAuthentication
        /identity/afr/blank.html
        /sysadmin/adfAuthentication
        /sysadmin/afr/blank.html
        /sysadmin/faces/noaccess
        /oim/afr/blank.html

        Unprotect the following resources:
        /workflowservice
        /callbackResponseService
        /spml-xsd
        /reqsvc
        /sysadmin/logout
        /identity/logout
        /identity/notification/secure
        /SchedulerService-web
        /wsm-pm
        /workflow
        /soa-infra
        /integration
        /b2b
        /sdpmessaging/userprefs-ui
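As an added example (not part of the original post, and not Siteminder's or Oracle's code), the following Python script applies the two lists above with longest-prefix matching to decide whether a given request path ends up protected, and checks that every unprotected URI really shadows its protected parent. The longest-prefix rule is an assumption that approximates how a realm and its more specific rules resolve; confirm the actual outcome on the policy server. The sample request paths in the `__main__` block are constructed.

```python
"""
Added example, not from the original post and not vendor code: classify request
paths against the protect/unprotect lists and sanity check the policy.
Assumption: among all matching rules the longest prefix wins (an approximation
of Siteminder realm/rule resolution; verify against the policy server).
"""
from __future__ import annotations

# Resource lists copied from the post.
PROTECTED = ["/identity", "/sysadmin", "/oim", "/xlWebApp", "/Nexaweb"]

UNPROTECTED = [
    # URIs that must stay reachable without an SMSESSION (self-service pages,
    # ADF authentication and blank-page endpoints under protected realms).
    "/identity/faces/register", "/identity/faces/forgotpassword",
    "/identity/faces/trackregistration", "/identity/faces/forgotuserlogin",
    "/identity/faces/accountlocked", "/identity/adfAuthentication",
    "/identity/afr/blank.html", "/sysadmin/adfAuthentication",
    "/sysadmin/afr/blank.html", "/sysadmin/faces/noaccess", "/oim/afr/blank.html",
    # Service and integration endpoints that authenticate on their own.
    "/workflowservice", "/callbackResponseService", "/spml-xsd", "/reqsvc",
    "/sysadmin/logout", "/identity/logout", "/identity/notification/secure",
    "/SchedulerService-web", "/wsm-pm", "/workflow", "/soa-infra",
    "/integration", "/b2b", "/sdpmessaging/userprefs-ui",
]


def _matches(path: str, prefix: str) -> bool:
    """A rule prefix matches the path itself or any sub-path below it
    (so /identity does not match /identityx)."""
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")


def classify(path: str) -> str:
    """Return 'protected', 'unprotected' or 'unlisted' for a request path.

    The query string is stripped first. Among all matching rules the longest
    prefix wins, so /identity/faces/register is unprotected even though the
    /identity realm as a whole is protected.
    """
    path = path.split("?", 1)[0]
    best_len, verdict = -1, "unlisted"
    for rules, label in ((PROTECTED, "protected"), (UNPROTECTED, "unprotected")):
        for prefix in rules:
            if _matches(path, prefix) and len(prefix) > best_len:
                best_len, verdict = len(prefix), label
    return verdict


def check_policy() -> list[str]:
    """Return every unprotected URI that would still resolve as protected,
    i.e. one that is not more specific than the realm it sits under."""
    return [uri for uri in UNPROTECTED if classify(uri) != "unprotected"]


if __name__ == "__main__":
    # Constructed sample requests, not taken from a real deployment.
    for sample in ["/identity/faces/home", "/identity/faces/register?lang=en",
                   "/SchedulerService-web", "/xlWebApp/sample",
                   "/identity/logout", "/unrelated"]:
        print(f"{sample:40} {classify(sample)}")
    print("policy problems:", check_policy())
```

Running the script prints one verdict per constructed path; an empty problem list from check_policy() means every URI in the unprotect list is indeed more specific than the realm that would otherwise cover it.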

    To support client-based login to Oracle Identity Manager, smclientclasses.jar must be added to the client classpath. To set the client classpath:

        Go to the OIM_ORACLE_HOME/server/bin/ directory using the cd command.
        Open the setEnv.sh file in the vi editor.
        Add smclientclasses.jar to the end of the CLASSPATH variable. This setting ensures successful client login to Oracle Identity Manager while executing most of the client utilities present in OIM_ORACLE_HOME/server/bin.

        However, the client classpath must be set separately for the Design Console login to work. To do so:

        Go to the OIM_ORACLE_HOME/designconsole directory.
        Open the classpath.sh file in the vi editor.
        Add smclientclasses.jar to the end of the CLASSPATH variable.

Validation steps post OIM-Siteminder integration:

Validation step 1:

1) End-user login to OIM through SSO.

Prerequisites: Create an end user (say ENDUSER001) in OIM and LDAP.

2) Try logging in to OIM (through SSO) as the end user just created (say ENDUSER001) and check whether the login is successful.

Expected output: 1. Login should be successful.

Validation step 2: Verify that client based login to OIM works:

1) To perform this step, make sure the OIM Design Console is installed and configured.
Try logging in to the OIM Design Console as xelsysadm with the SSO password.

Expected output: Login to the Design Console as xelsysadm should be successful (assuming SiteminderAuthenticationProvider is configured properly for SSO login).

Validation step 3: Verify that signature based authentication works:

1. Try accessing the Scheduler service URL. It should be running on the OIM Managed Server port:
http://OIM_HOST:PORT/SchedulerService-web
2. Log in as xelsysadm (providing xelsysadm's SSO password).
3. If the login is successful and you can see the following details on the screen, signature login was successful:
Scheduler Current Status: STARTED
Last Error: NONE
4. If the login is successful and the screen shows the following:
Scheduler Current Status: STOPPED
click the START button on the page. If there are no errors on the page, signature login was successful.



Wednesday, May 18, 2016

Orchestration


Oracle Identity Manager Orchestration

Any action performed by a user or system in Oracle Identity Manager is an operation.
  • The process of any Oracle Identity Manager operation that goes through a predefined set of stages and executes some business logic in each stage is called an orchestration.
  • Orchestration is divided into predefined steps called stages. Every operation moves through these stages until it reaches finalization. Orchestration has the following stages


More details about OIM Orchestration

Monitoring OIM Orchestration

For OIM R2 PS2:

  • DB with SQL queries:
Tables involved:
ORCHPROCESS: Stores the process instances that are being executed.
ORCHEVENTS: Stores event handler names, status and result for all orchestration processes. Event status values include COMPLETED, FAILED, PENDING, etc.
ORCHFAILEDEVENTS: Stores information about event handlers that are executed because of failures in the main flow.

1. The query to get the user key from the USR table:

select usr_key from USR where usr_login = 'USER_LOGIN_NAME';

2. The query to get the process instance for the enable operation on user 'USER_LOGIN_NAME' (substitute the usr_key returned by query 1):

select id from orchprocess where entityid='USR_KEY' and entitytype='User' and operation='ENABLE';

3. The query to get all the event handlers for the enable operation on the user from step 1 (substitute the id returned by query 2):

select * from orchevents where processid='RESULT_OF_2' order by orchorder;

* The operation in query step 2 can be enable, Create User, Provision Account, Assign Role Membership, etc.

For OIM R2 PS3:

  • The ORCHEVENTS table is dropped. All orchestration events are logged to the server diagnostics log.
  • EM console monitoring only available with MBean due to the above changes.

Purging Orchestration

OIM Data Purge Job scheduled job

In the Job Details for OIM Data Purge Job, confirm that the Orchestration Entity Selection, the Provisioning Task Entity Selection, and the Recon Entity Selection values are Yes.

Real-time purge supports online mode only. Command-line Archival Purge Utilities support both online and offline modes based on the user input.
http://docs.oracle.com/cd/E40329_01/admin.1112/e27149/archival_utilities.htm#OMADM5348

 

Identity Audit

The Identity Audit feature in OIM is used to detect Segregation of Duties (SoD) violations. The detection mechanism of IDA monitors users' actual access to resources and captures any violations on a continuous basis.

  1. Detective mode: In detective mode, the entire identity warehouse of users can be monitored for anomalies or toxic combinations of user access rights.
  2. Preventive mode: In preventive mode, any access that is requested via the access catalog in real time can be automatically detected as an Identity Audit policy violation, and preventive action can be taken.
Enabling Identity Audit in OIM R2 PS3 

IDA Settings



Creating Identity Rules



Creating SoD Policies

Creating Scan Definition

Running and Viewing Policy Violations


Policy Violation Details

IDA Maintenance

Identity Audit Scan Cleanup Job + Identity Audit Maintenance Job
Records are purged from the following tables:
– IDA_SCAN_RUN_POLICIES
– IDA_SCAN_RUN_USERS


Policy Violation Reports

Certification

"Identity certification is the process of reviewing user entitlements and access-privileges within an enterprise to ensure that users have not acquired entitlements that they are not authorized to have. It also involves either approving (certifying) or rejecting (revoking) each access-privilege."

Types of certification:
  • User Certification (supports multiple phases: business reviewer and technical certifier)
  • Role Certification
  • Application Instance Certification
  • Entitlement Certification

Configuring Certifications:

  1. Marking a Catalog Item as Certifiable
  2. Setting the Certifier in the Request Catalog
  3. Setting User Manager and Organization Certifier
  4. Setting User Attributes for Certification Snapshot
  5. Setting Risk Levels for Individual Entities
  6. Tagging Attributes: Entitlement -ITResource -AccountName
  7. Configuring the Availability of Identity Certification: 
The certification feature is part of Compliance in Oracle Identity Manager. Therefore, the certification feature is available when the value of the Identity Auditor Feature Set Availability system property is set to TRUE. When the value of this property is TRUE, role lifecycle management, Segregation of Duties (SoD), and identity certification are enabled.


  8. Configuring Reminders, Notifications, Escalations, and Expiry for Certifications (Optional)

Create Certification  Definition


The Certification Creation Task is used to create a new certification from a predefined certification definition. The default name of the job is Cert_DEFINITION_NAME.

Certification Event Listener

"The Event Listener mechanism detects specific business events and stores the event details for certification. The stored event details are called Certification Event Triggers, and these are processed into certifications by the Certification Event Trigger Task, running as a scheduled job. The business events currently detected by event listeners are modifications of Oracle Identity Manager users, either individually or in bulk."

This feature enables customers to define business events that require certifications, and to generate these certifications automatically via the Certification Event Trigger Task.


Certification Reports

Certification reports require integration with BI Publisher, which is shipped by default with Oracle Identity Manager 11g Release 2 (11.1.2.3.0).


Enabling OIM Reports Export in Identity Certification Details page.

  1. Log in to Oracle Identity Self Service Console.
  2. Click the Compliance tab.
  3. Click the Identity Certification box, and select Certification Configuration. The Certification Configuration page is displayed.
  4. Select the Enable Certification Reports option.
  5. Click Save.

Troubleshooting 

Identity Certification Logger via EM console

Tips:
  1. When the job runs slowly, some indexes may be required.
  2. When the job ran but no certification was created, ensure that:
  • All the certification configuration steps have been performed.
  • All required SOA patches are applied.

Purging Identity Certification Tables

The OIM Certification Purge Job purges the data of the following tables. Contact Oracle Support to request the patch that contains this tool.
 CERT_xxx
 CERTD_xxx
 CERTDS_xxx
 CERTS_xxx

Based on the requirement, set the value for the following job parameters or use the default values provided:

  1. Cert Campaigns for Purge
  2. Maximum Purge Run Duration (in Mins)
  3. Purge Retention Period (in days)
  4. Purge Criteria
  5. Run the job


Reconciliation

Oracle Identity Manager


"Oracle Identity Manager is a highly flexible and scalable enterprise identity administration system that provides operational and business efficiency by providing centralized administration & complete automation of identity and user provisioning events across enterprise as well as extranet applications. It manages the entire identity and role lifecycle to meet changing business and regulatory requirements and provides essential reporting and compliance functionalities."

Oracle Identity Manager Bundle Patches: 11.1.2.3.x (11gR2PS3) Version (Doc ID 2031368.1)
