
Sunday, 16 December 2018

How to provide two Authentication Schemes for a Protected Application in Oracle Access Manager?

In my organization, all applications in Oracle Access Manager use the WNA (Windows Native Authentication) authentication scheme.

Some users (external users, vendors) do not have an account in the AD domain. They have a user login ID and password, but when they access the application URL, OAM looks for a Kerberos token, and these users have no AD account.

Solution:

1) Provide a separate URL for external / non-AD users:

Simply provide the direct application URL.

The application team was not willing to provide two URLs for a single application.

2) Add a second authentication scheme to the same application for external or non-AD users:

i) When an external user requests access to the application, WNA authentication fails.

ii) Set the authentication failure URL to the direct application URL or a form-based URL.

iii) The user then gets the login page, provides credentials and is able to access the application.

iv) The failure URL must be protected with the form-based authentication scheme.

v) Another option for deciding the authentication scheme is an Advanced Rule in the authentication policy, where a condition can be defined; based on that condition, the matching authentication scheme is selected and served to the user.

Drop me a mail for more details: sudhirmca26@gmail.com






Error: User Account Locked or Disabled

Multiple new users were getting the error "Account is locked or disabled".

The application is integrated with WNA authentication.

We checked the user accounts in AD; the accounts were active and unlocked.

Later we found that the user login ID and the sAMAccountName were different.

If the user name is longer than 20 characters, AD does not support the long login ID, so the identity management team had changed the logic to: user first name, dot (.), first character of the user last name.

We updated the users' sAMAccountName with the user login name; after that, every user with a long login name (more than 20 characters) was able to access the application successfully.

Issue: the user logs in to the system with a user ID that is different from the sAMAccountName. When the user requests the application, OAM searches AD for the user login ID, which does not match any user's sAMAccountName, so it throws the error "user account is locked or disabled".
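To find the affected users before they hit this error, here is an added example (not from the original post) that reconciles a constructed export of login IDs and first/last names against the sAMAccountName read from AD, using the rule described above: logins longer than 20 characters were rewritten as first name, dot, first character of the last name. The field names, the case-insensitive comparison and the sample records are assumptions.

```python
# Legacy AD logon-name limit the post refers to
SAM_ACCOUNT_NAME_MAX = 20


def derived_sam_account_name(first_name, last_name):
    """The rewrite rule from the post: <first name>.<first character of last name>."""
    return f"{first_name}.{last_name[:1]}".lower()


def classify(record):
    """record: dict with 'login' (the ID the user types, i.e. what OAM searches AD for),
    'first', 'last' and 'sam' (sAMAccountName read from AD).
    Returns 'ok', 'long-login-rewritten' or 'unexplained-mismatch'."""
    login = record["login"].strip().lower()
    sam = record["sam"].strip().lower()
    if login == sam:
        return "ok"
    if len(login) > SAM_ACCOUNT_NAME_MAX and sam == derived_sam_account_name(record["first"], record["last"]):
        return "long-login-rewritten"
    return "unexplained-mismatch"


def find_mismatches(records):
    """Every record OAM would fail to match in AD, as (login, sam, reason)."""
    out = []
    for r in records:
        reason = classify(r)
        if reason != "ok":
            out.append((r["login"], r["sam"], reason))
    return out


# Constructed sample export; these are not real users
RECORDS = [
    {"login": "jsmith", "first": "John", "last": "Smith", "sam": "jsmith"},
    # 22-character login, rewritten by the AD team to first.lastinitial
    {"login": "christopher.montgomery", "first": "Christopher", "last": "Montgomery", "sam": "christopher.m"},
    # short login that still differs from AD: not explained by the 20-character rule
    {"login": "apatel", "first": "Anita", "last": "Patel", "sam": "apatel2"},
]

if __name__ == "__main__":
    for login, sam, reason in find_mismatches(RECORDS):
        print(f"{login:25} AD sAMAccountName={sam:15} {reason}")
```

Records flagged long-login-rewritten are the ones the post's fix (setting sAMAccountName to the login name) addresses; an unexplained-mismatch needs a separate look, because the login and the AD entry differ for some other reason.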

Wednesday, 15 August 2018

Process to Renew SAML Certificate

Process to renew the SAML / Federation certificate:

1) Backup plan: take a backup of the files below
 i   .oamkeystore
 ii  .oamtruststore
 iii oam-config.xml

2) Generate the .oamkeystore and .oamtruststore on the OAM server:

  •   Development has removed the WLST command that was available in previous OAM versions to obtain the .oamkeystore password, to enhance security. Therefore you will need to reset the OAM keystore password before you start.
  • Open a terminal session on your OAM machine.
  • Go to the location /middleware/Oracle_IDM1/common/bin
  • Run ./wlst.sh
  • connect()
  • Provide the server details and credentials to connect: t3://hostIP:port
    user ID & password
  • domainRuntime()

  • resetKeystorePassword()
    password : *********
    confirm password : *********

  • exit()

    Create the oamkeystore entry by running the command below:

  • Go to the location of the Java keytool
  • ./keytool -genkeypair -alias samlsigningcer -keyalg RSA -keysize 2048 -sigalg sha1withrsa -dname "cn=<machine name>" -validity 1000 -keystore /u01/app/middleware/user_projects/domains/domain/config/fmwconfig/.oamkeystore -storetype JCEKS

    Create the oamtruststore by using the command below:
  • ./keytool -genkeypair -alias samlencryptioncer -keyalg RSA -keysize 2048 -sigalg sha1withrsa -dname "cn=<machine name>" -validity 1000 -keystore /u01/app/middleware/user_projects/domains/domain/config/fmwconfig/.oamkeystore -storetype JCEKS
  • OAM Launch Pad → Federation Settings → oamkeystore → add the two new entries, select the samlsigning alias and the samlencryption alias, provide the password and save.
  • The SAML metadata can be found on the OAM Launch Pad → Federation Settings: select the encryption key and signing key and import the metadata.

    Import the certificate from the metadata, save it as a .cer file, and then

    share this metadata file and certificate with your service provider.
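As an added example (not from the original post), here are steps 1 and 2 above, backup followed by the two keytool runs, wrapped in a Python script so the backup cannot be skipped and the keytool arguments are passed as an argv list, which sidesteps the -dname quoting problem of a hand-typed command line. The fmwconfig path, the backup root and the alias names are assumptions, and the signature algorithm is switched from the post's sha1withrsa to SHA256withRSA because SHA-1 is deprecated for signatures. keytool is only invoked when the script is run directly; no store password is passed on the command line, so keytool prompts for it.

```python
import os
import shutil
import socket
import subprocess
import sys
import tempfile
import time

# Assumed location of the OAM domain's fmwconfig directory (placeholder, adjust to your domain)
FMWCONFIG = "/u01/app/middleware/user_projects/domains/domain/config/fmwconfig"
# The three files the post says to back up before touching the federation keys
BACKUP_FILES = (".oamkeystore", ".oamtruststore", "oam-config.xml")
# Alias names for the new signing and encryption key pairs (assumed; any names will do)
SIGNING_ALIAS = "samlsigningcer"
ENCRYPTION_ALIAS = "samlencryptioncer"


def backup_oam_config(config_dir, backup_root):
    """Step 1: copy the three files into a timestamped directory under backup_root.
    Returns (backup_dir, names_copied); a missing file is reported, not fatal."""
    dest = os.path.join(backup_root, "oam-backup-" + time.strftime("%Y%m%d%H%M%S"))
    os.makedirs(dest, exist_ok=True)
    copied = []
    for name in BACKUP_FILES:
        src = os.path.join(config_dir, name)
        if os.path.isfile(src):
            shutil.copy2(src, os.path.join(dest, name))  # copy2 keeps timestamps and mode bits
            copied.append(name)
        else:
            print(f"warning: {src} not found, skipping", file=sys.stderr)
    return dest, copied


def keytool_genkeypair_cmd(alias, cn, keystore, keytool="keytool"):
    """Step 2: argv for one RSA-2048 key pair in the JCEKS keystore. The DN is a single
    'cn=<name>' argument, and no -storepass/-keypass is given: keytool prompts for them,
    so the password never appears in the process list or shell history."""
    return [
        keytool, "-genkeypair",
        "-alias", alias,
        "-keyalg", "RSA", "-keysize", "2048",
        "-sigalg", "SHA256withRSA",   # the post used sha1withrsa; SHA-1 is deprecated for signatures
        "-dname", f"cn={cn}",
        "-validity", "1000",
        "-keystore", keystore,
        "-storetype", "JCEKS",
    ]


def generate_federation_keys(config_dir, cn, keytool="keytool"):
    """Run keytool once per alias against <config_dir>/.oamkeystore."""
    keystore = os.path.join(config_dir, ".oamkeystore")
    for alias in (SIGNING_ALIAS, ENCRYPTION_ALIAS):
        subprocess.run(keytool_genkeypair_cmd(alias, cn, keystore, keytool), check=True)


def self_check():
    """Exercise the backup step on a constructed fmwconfig directory inside a temp dir.
    Returns (names_copied, every_copy_identical) so the result can be asserted on."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = os.path.join(tmp, "fmwconfig")
        os.makedirs(cfg)
        contents = {name: f"constructed contents of {name}".encode() for name in BACKUP_FILES}
        for name, data in contents.items():
            with open(os.path.join(cfg, name), "wb") as fh:
                fh.write(data)
        dest, copied = backup_oam_config(cfg, os.path.join(tmp, "backups"))
        identical = True
        for name in copied:
            with open(os.path.join(dest, name), "rb") as fh:
                identical = identical and fh.read() == contents[name]
        return copied, identical


if __name__ == "__main__":
    backup_root = sys.argv[1] if len(sys.argv) > 1 else "/tmp"
    dest, copied = backup_oam_config(FMWCONFIG, backup_root)
    print(f"backed up {copied} to {dest}")
    generate_federation_keys(FMWCONFIG, socket.gethostname())
```

Run it as the OAM OS user with the JDK's keytool on the PATH (or pass the full path via the keytool parameter); the Launch Pad steps that follow still have to be done in the console.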

    ----------------------------------------------------------------------------------------------

Thursday, 16 June 2016

Orchestration control flow for create user




1. validation
    ====================================================================
    History Id : 4822 has history Status : Data Validation Succeeded
    Action Performed : Required Data Check by Engine
.........................................................................
2. preprocess
    ===============================================
   History Id : 4823 has history Status : No User Match Found
    Action Performed : Auto Matching Rules Evaluation
    History Note : null
     ..............................................
    History Id : 4824 has history Status : Creation Succeeded
    Action Performed : Auto Action Rules Evaluation
   History Note : null
=============================================


3. Action    ===========================================================================================
   Listing the associated Event Handlers
   EventHandler name is : CreateUsersActionHandler  stage is : ACTION status  is: COMPLETED
   EventHandler result : [1089]
   Is synchronous : true
 ============================================================================================
4.Audit
  ============================================================================================
   EventHandler name is : UserAuditHandler  stage is : AUDIT status  is: COMPLETED
   EventHandler result : null
   Is synchronous : true
   -------------------------------------------

   EventHandler name is : LwUserAuditHandler  stage is : AUDIT status  is: COMPLETED
   EventHandler result : null
   Is synchronous : true
  ===================================================================
5.POSTPROCESS
 ====================================================================
   EventHandler name is : ReconUserLoginHandler  stage is : POSTPROCESS status  is: COMPLETED
   EventHandler result : oracle.iam.platform.kernel.vo.BulkEventResult@75d20901
   Is synchronous : true
 ---------------------------------------------

   EventHandler name is : ReconUserPasswordHandler  stage is : POSTPROCESS status  is: COMPLETED
   EventHandler result : oracle.iam.platform.kernel.vo.BulkEventResult@304d5d15
   Is synchronous : true
 ---------------------------------------------

   EventHandler name is : ReconUserDisplayNameHandler  stage is : POSTPROCESS status  is: COMPLETED
   EventHandler result : oracle.iam.platform.kernel.vo.BulkEventResult@271a2679
   Is synchronous : true
 ---------------------------------------------

   EventHandler name is : ReconUpdateUsrPwdFields  stage is : POSTPROCESS status  is: COMPLETED
   EventHandler result : oracle.iam.platform.kernel.vo.BulkEventResult@25d3e5fd
   Is synchronous : true
 ---------------------------------------------

   EventHandler name is : CreateUserPostProcessHandler  stage is : POSTPROCESS status  is: COMPLETED
   EventHandler result : oracle.iam.platform.kernel.vo.BulkEventResult@7aa05871
   Is synchronous : true
 ---------------------------------------------

   EventHandler name is : ReconScheduledTaskUserHandler  stage is : POSTPROCESS status  is:    COMPLETED
   EventHandler result : oracle.iam.platform.kernel.vo.BulkEventResult@350ea19c
   Is synchronous : true
 ---------------------------------------------

    EventHandler name is : CreateUserOrgChangeCalculator  stage is : POSTPROCESS status  is:     COMPLETED
    EventHandler result : oracle.iam.platform.kernel.vo.BulkEventResult@539423fa
    Is synchronous : true
 ---------------------------------------------

     EventHandler name is : SelfServiceNotificationHandler  stage is : POSTPROCESS status  is:      COMPLETED
     EventHandler result : oracle.iam.platform.kernel.vo.BulkEventResult@22c61cf4
     Is synchronous : true
 ---------------------------------------------

     EventHandler name is : CreateUserPasswordNotificationHandler  stage is : POSTPROCESS status       is: COMPLETED
     EventHandler result : oracle.iam.platform.kernel.vo.BulkEventResult@7c96e901
     Is synchronous : true
 ---------------------------------------------

      EventHandler name is : CreateUserPasswordHistoryPostProcessHandler  stage is : POSTPROCESS       status  is: COMPLETED
     EventHandler result : oracle.iam.platform.kernel.vo.BulkEventResult@179b808e
     Is synchronous : true
 ---------------------------------------------

      EventHandler name is : CreateUserPostProcessActionHandler  stage is : POSTPROCESS status  is:       COMPLETED
      EventHandler result : oracle.iam.platform.kernel.vo.BulkEventResult@6214f6bd
      Is synchronous : true
 ---------------------------------------------

   EventHandler name is : UserAdminRoleAutoGrantHandler  stage is : POSTPROCESS status  is:    COMPLETED
   EventHandler result : null
   Is synchronous : true
 ---------------------------------------------

    EventHandler name is : SelfServicePostHandler  stage is : POSTPROCESS status  is: COMPLETED
    EventHandler result : oracle.iam.platform.kernel.vo.BulkEventResult@4e532499
    Is synchronous : true
 ---------------------------------------------

   EventHandler name is : CustomPostProcessHandler  stage is : POSTPROCESS status  is: COMPLETED
   EventHandler result : oracle.iam.platform.kernel.vo.BulkEventResult@3487e0fb
   Is synchronous : true
=============================================================
6.Finalization
=============================================================
 EventHandler name is : CreateUserFinalizationHandler  stage is : FINALIZATION status  is: COMPLETED
 EventHandler result : null
 Is synchronous : true

 =============================================================
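Reading a listing like the one above by eye is error-prone once the POSTPROCESS stage has a dozen handlers, so here is an added example (not part of the original post) that parses it: it extracts the history entries and every EventHandler with its stage, status, result and synchronous flag, groups the handlers by stage, and returns any handler whose status is not COMPLETED. The sample text is an excerpt of the listing above with one constructed FAILED handler (CustomPostProcessHandler) so the failure path is exercised; the regular expressions are my own assumptions about the line layout.

```python
import re

# Excerpt of the orchestration listing above, plus one constructed FAILED handler
# (CustomPostProcessHandler) so that the failure path is exercised.
SAMPLE = """\
1. validation
    ====================================================================
    History Id : 4822 has history Status : Data Validation Succeeded
    Action Performed : Required Data Check by Engine
3. Action    ===========================================================================================
   Listing the associated Event Handlers
   EventHandler name is : CreateUsersActionHandler  stage is : ACTION status  is: COMPLETED
   EventHandler result : [1089]
   Is synchronous : true
5.POSTPROCESS
   EventHandler name is : ReconUserLoginHandler  stage is : POSTPROCESS status  is: COMPLETED
   EventHandler result : oracle.iam.platform.kernel.vo.BulkEventResult@75d20901
   Is synchronous : true
 ---------------------------------------------
   EventHandler name is : CustomPostProcessHandler  stage is : POSTPROCESS status  is: FAILED
   EventHandler result : null
   Is synchronous : true
6.Finalization
 EventHandler name is : CreateUserFinalizationHandler  stage is : FINALIZATION status  is: COMPLETED
 EventHandler result : null
 Is synchronous : true
"""

HISTORY_RE = re.compile(r"History Id\s*:\s*(\d+)\s+has history Status\s*:\s*(.+)")
HANDLER_RE = re.compile(r"EventHandler name is\s*:\s*(\S+)\s+stage is\s*:\s*(\S+)\s+status\s+is:\s*(\S+)")
RESULT_RE = re.compile(r"EventHandler result\s*:\s*(.*)")
SYNC_RE = re.compile(r"Is synchronous\s*:\s*(true|false)")


def parse_orchestration(text):
    """Return (histories, handlers).
    histories: list of (history id, status) from the validation/preprocess stages.
    handlers: list of dicts {name, stage, status, result, synchronous}, one per
    'EventHandler name is' line, with the two lines that follow it folded in."""
    histories, handlers = [], []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HISTORY_RE.match(line)
        if m:
            histories.append((int(m.group(1)), m.group(2).strip()))
            continue
        m = HANDLER_RE.match(line)
        if m:
            current = {"name": m.group(1), "stage": m.group(2), "status": m.group(3),
                       "result": None, "synchronous": None}
            handlers.append(current)
            continue
        if current is None:
            continue
        m = RESULT_RE.match(line)
        if m:
            value = m.group(1).strip()
            current["result"] = None if value == "null" else value
            continue
        m = SYNC_RE.match(line)
        if m:
            current["synchronous"] = m.group(1) == "true"
    return histories, handlers


def stage_order(handlers):
    """Stages in the order they first appear (ACTION, AUDIT, POSTPROCESS, ...)."""
    order = []
    for h in handlers:
        if h["stage"] not in order:
            order.append(h["stage"])
    return order


def handlers_by_stage(handlers):
    """Map stage name -> handler names, preserving listing order."""
    grouped = {}
    for h in handlers:
        grouped.setdefault(h["stage"], []).append(h["name"])
    return grouped


def problem_handlers(handlers):
    """Names of handlers whose status is anything other than COMPLETED: the first
    thing to look at when a create-user orchestration does not finish cleanly."""
    return [h["name"] for h in handlers if h["status"] != "COMPLETED"]


if __name__ == "__main__":
    histories, handlers = parse_orchestration(SAMPLE)
    for hid, status in histories:
        print(f"history {hid}: {status}")
    for stage, names in handlers_by_stage(handlers).items():
        print(f"{stage}: {', '.join(names)}")
    print("problems:", problem_handlers(handlers))
```

Feed it the full listing (for example, the text of this post saved to a file and passed to parse_orchestration) and the problems list tells you immediately which handler, in which stage, to investigate, including custom post-process handlers.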


 


Tuesday, 5 April 2016

Creating a Lookup using the Java API

package lookup;

import java.io.BufferedReader;
import java.io.File;
import java.io.FileNotFoundException;
import java.io.FileReader;
import java.io.IOException;

import javax.security.auth.login.LoginException;

import oracle.iam.platform.OIMClient;
import ojas.oimConnect;
import Thor.API.tcResultSet;
import Thor.API.Operations.tcLookupOperationsIntf;

// @author Sudhir
public class Createlookup {
    // Name of the lookup definition that receives the entries
    private static final String LOOKUP_NAME = "lookup.ojas.States";

    // OIM connection; ojas.oimConnect is a helper class, you can write your own connection details here
    private static OIMClient oimClient;

    // Adds one code/decode pair to the lookup (empty language and country)
    public void addLookupEntry(String lookupCode, String lookupDecode) {
        try {
            tcLookupOperationsIntf lookupOps = oimClient.getService(tcLookupOperationsIntf.class);
            lookupOps.addLookupValue(LOOKUP_NAME, lookupCode, lookupDecode, "", "");
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    // Prints every decode,code pair currently in the lookup
    public void displayLookup(String lookupName) {
        try {
            tcLookupOperationsIntf lookupOps = oimClient.getService(tcLookupOperationsIntf.class);
            tcResultSet values = lookupOps.getLookupValues(lookupName);
            for (int i = 0; i < values.getRowCount(); i++) {
                values.goToRow(i);
                System.out.print(values.getStringValue("Lookup Definition.Lookup Code Information.Decode"));
                System.out.println("," + values.getStringValue("Lookup Definition.Lookup Code Information.Code Key"));
            }
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    public static void main(String[] args) throws LoginException, FileNotFoundException, IOException {
        Createlookup obj = new Createlookup();
        oimClient = oimConnect.getOIMConnection();

        // Input file: one "code,decode" pair per line
        File inputFile = new File("F:\\data\\infom.txt");
        try (BufferedReader bReader = new BufferedReader(new FileReader(inputFile))) {
            String readData;
            while ((readData = bReader.readLine()) != null) {
                String[] keyValue = readData.trim().split(",");
                if (keyValue.length < 2) {
                    continue; // skip blank or malformed lines
                }
                obj.addLookupEntry(keyValue[0].trim(), keyValue[1].trim());
            }
        }

        obj.displayLookup(LOOKUP_NAME);
    }
}

Tuesday, 17 November 2015

After configuring Oracle Identity Manager with LDAP sync enabled, running the LDAP post-configuration utility LDAPConfigPostSetup.sh throws the following exception:



Note: since OVD 11.1.1.6, access control is enabled by default.

Solution: two options

1. Disable access control:
   In ODSM, click the Advanced tab -> Server Settings -> Settings and uncheck Enable access control.
   This turns off access control for every client of that OVD instance, not just the post-setup utility, so it is only suitable for a lab or a short-lived change.

2. Create an ACL for the proxy DN user so that it has access to the changelog.


--------------------------------------------------------------------------------------------------------
                              

Thursday, 10 September 2015

Provisioning an account using the API

package sudhiridm;

import java.util.HashMap;
import java.util.HashSet;
import java.util.Hashtable;
import java.util.List;
import java.util.Set;

import oracle.iam.identity.usermgmt.api.UserManager;
import oracle.iam.identity.usermgmt.vo.User;
import oracle.iam.platform.OIMClient;
import oracle.iam.platform.entitymgr.vo.SearchCriteria;
import oracle.iam.provisioning.api.ApplicationInstanceService;
import oracle.iam.provisioning.api.ProvisioningService;
import oracle.iam.provisioning.vo.Account;
import oracle.iam.provisioning.vo.AccountData;
import oracle.iam.provisioning.vo.ApplicationInstance;


public class AccountProvisioning {

    public static void main(String[] args) throws Exception {
        // JAAS login configuration and security policy shipped with the Design Console
        System.setProperty("java.security.auth.login.config", "F:\\designconsole\\config\\authwl.conf");
        System.setProperty("java.security.policy", "F:\\designconsole\\config\\xl.policy");
        System.setProperty("APPSERVER_TYPE", "wls");

        // JNDI environment for the OIM managed server (t3 protocol on WebLogic)
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put("java.naming.provider.url", "t3://180.00.101.00:14000/");
        env.put("java.naming.factory.initial", "weblogic.jndi.WLInitialContextFactory");

        OIMClient oimClient = new OIMClient(env);
        // Credentials are hard-coded here for illustration; in practice read them from a protected source
        oimClient.login("xelsysadm", "ancd123");
        System.out.println("Connection to OIM successfully established");

        ApplicationInstanceService aiSvc = oimClient.getService(ApplicationInstanceService.class);
        ProvisioningService provSvc = oimClient.getService(ProvisioningService.class);
        UserManager usrMgr = oimClient.getService(UserManager.class);

        String appInstanceName = "FirstProvAppInst";

        // Find the user by login
        SearchCriteria criteria = new SearchCriteria("User Login",
                "KAGRWAL", SearchCriteria.Operator.EQUAL);

        // Attributes to return with each matched user
        Set<String> retSet = new HashSet<String>();
        retSet.add("usr_key");
        retSet.add("User Login");
        retSet.add("First Name");
        retSet.add("Last Name");

        List<User> users = usrMgr.search(criteria, retSet, null);
        System.out.println(users);

        // The application instance is the same for every matched user, so look it up once
        ApplicationInstance ai = aiSvc.findApplicationInstanceByName(appInstanceName);

        for (User u : users) {
            // Parent (account) form data; the column names come from the OID user form UD_OID_USR
            HashMap<String, Object> parentData = new HashMap<String, Object>();
            parentData.put("UD_OID_USR_LAST_NAME", "Agrwal");
            parentData.put("UD_OID_USR_ORG_DN", "53~ou=People,dc=ojas,dc=com");
            System.out.println(parentData);

            AccountData accountData = new AccountData(ai.getAccountForm().getFormKey() + "", "", parentData);
            Account account = new Account(ai, accountData);

            System.out.println("Provisioning app instance " + appInstanceName + " to user " + u.getEntityId());
            provSvc.provision(u.getEntityId(), account);
        }

        oimClient.logout();
        System.exit(0);
    }
}