Friday, November 6, 2009

Oracle Identity Manager 9.1.0 - Active Directory Integration and User Provisioning - PENDING

Oracle Identity Manager - Integration of Microsoft Active Directory

Oracle Identity Manager automates access rights management, security, and provisioning of IT resources. Oracle Identity Manager Connectors are used to integrate Oracle Identity Manager with third-party applications.

Integration of Active Directory consists of the following modules.

Reconciliation Module

Reconciliation involves duplicating in Oracle Identity Manager the creation of and modifications to user accounts on the target system. It is an automated process initiated by a scheduled task that you configure.

Based on the type of data reconciled from the target system, reconciliation can be divided into the following types:

Lookup Fields Reconciliation

To populate the Lookup.ADReconciliation.GroupLookup lookup definition, the following fields of AD groups are reconciled:

• sAMAccountName
• objectGUID


Group Reconciliation

The reconciliation module extracts the following elements from the target system to construct AD Group reconciliation event records:

• sAMAccountName
• objectGUID
• Organization Name
• instanceType
• cn


User Reconciliation

The reconciliation module extracts the following elements from the target system to construct AD User reconciliation event records:

• sAMAccountName
• objectGUID
• name
• memberOf
• sn
• cn
• Initials


Provisioning Module

Provisioning involves creating or modifying a user's access rights on the target system through Oracle Identity Manager. You use the Oracle Identity Manager Administrative and User Console to perform provisioning operations. For this target system, provisioning is divided into the following types:

Organization Provisioning

The following fields are provisioned:

• USN Create
• USN Change
• objectGUID
• Organization Name

Organization Name is the value of the Name field in the Create Organization form of the Oracle Identity Manager Administrative and User Console.

Group Provisioning

The following fields are provisioned:

• Group Name
• Organization Name
• objectGUID
• Group Type
• Group Display Name

User Provisioning

The following fields are provisioned:

• User ID
• Password
• objectGUID
• Organization Name
• First Name
• Last Name
• Middle Name
• User Must Change Password at Next Logon
• Password Never Expires
• Account Expiration Date
• Full Name
• Group Name

The following table lists the functions that are available with this connector.

Multilanguage Support

The connector supports the following languages:

Chinese Simplified
Chinese Traditional
English
French
German
Italian
Japanese
Korean
Portuguese (Brazilian)
Spanish

Files and Directories

Functionality of the Files Associated with AD Integration and User Provisioning

lib/xliActiveDirectory.jar: This JAR file contains the class files required for provisioning.
lib/xliADRecon.jar: This JAR file contains the class files required for reconciliation.
Files in the resources directory: Each resource bundle is a file containing localized versions of the text strings that are displayed on the user interface of Oracle Identity Manager. These text strings include GUI element labels and messages displayed on the Administrative and User Console.
scripts/install.bat: This batch file is used to add a certificate to the keystore if Oracle Identity Manager is installed on a Microsoft Windows operating system.
scripts/install.sh: This shell script is used to add a certificate to the keystore if Oracle Identity Manager is installed on a UNIX-based system.
test/config/config.properties: This file is used to set input test data for the connector test suite.
test/lib/xliADTest.jar: This JAR file contains the class files required for the connector test suite.
test/scripts/runADTest.bat: This file is used to run a test using the connector test suite.
xml/xliADResourceObject.xml: This XML file contains definitions for the connector components related to reconciliation and provisioning. These components include:

All resource objects for reconciliation and provisioning
IT resource types
Custom process forms
Process tasks and adapters (along with their mappings)
Login resource objects
Provisioning process
Pre-populate rules

xml/xliADXLResourceObject.xml: This XML file contains the configuration for the objects, such as Xellerate User and Xellerate Organization, which are specific to trusted sources. You must import this file only if you plan to use the connector in trusted source reconciliation mode.

Configuring the Target System

Ensuring That the Parent Organization Exists in Microsoft Active Directory - You must ensure that the parent organization exists in the target server installation. The parent organization is specified as the value of the Root Context parameter in the IT resource definition.

Enabling or Disabling Password Policies on Microsoft Active Directory

On Microsoft Active Directory, the "Passwords must meet complexity requirements" policy setting is used to enable or disable password policies. You can choose whether or not to use SSL to secure communication between Oracle Identity Manager and Microsoft Active Directory.

If you do not configure SSL and try to provision a Microsoft Active Directory user through Oracle Identity Manager, the user's password cannot be set or updated by Oracle Identity Manager, because a domain controller only accepts writes to the unicodePwd attribute over an encrypted connection. Therefore, if the communication is not secured by SSL, you must disable any existing password policies in Microsoft Active Directory, which is done by disabling the "Passwords must meet complexity requirements" policy setting. Be aware that this setting is domain-wide: disabling it so that provisioning works relaxes the password policy for every account in the domain, not only the accounts Oracle Identity Manager manages, so configuring SSL (LDAPS, port 636 by default) is the safer option.

If you configure SSL and you want to enforce both the default Microsoft Windows password policy and a custom password policy, you must enable the "Passwords must meet complexity requirements" policy setting.

To enable or disable the "Passwords must meet complexity requirements" policy setting:

1. On the Microsoft Windows computer hosting the Active Directory domain controller on which you are installing the password synchronization module, start the Domain Security Policy application.

To do this, on the Microsoft Windows computer, click the Start menu, then Programs, Administrative Tools, and Domain Security Policy.

2. If you are using Microsoft Active Directory 2003, proceed directly to the next step.

If you are using Microsoft Active Directory 2000, select Windows Settings in the left pane of the Domain Security Policy window and then proceed to the next step.

3. Select Security Settings, expand Account Policies, and then click Password Policy.

4. Double-click Passwords must meet complexity requirements.

5. In the Password Must Meet Complexity Requirements Properties dialog box, select Define this policy setting and then select:

◦ Enabled, if you want to enable password policies

◦ Disabled, if you do not want to enable password policies

6. Click OK.
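To see what the policy setting above actually enforces, here is an added example (not part of the Oracle connector or its documentation) that applies the Active Directory complexity rule to a candidate password before provisioning, and encodes the password the way AD expects it in the unicodePwd attribute. The rule details (minimum of six characters, no sAMAccountName or display-name token of three or more characters, characters from at least three of five categories) are taken from Microsoft's description of the setting as I understand it; the sample user and passwords are constructed, and the category detection is a simplification marked as such in the code.

```python
"""
Added example, not code from the Oracle Identity Manager AD connector.

A client-side pre-check that mirrors the AD "Passwords must meet
complexity requirements" rule, plus the unicodePwd encoding.  Running
this before a provisioning request gives a clearer error than the LDAP
"unwillingToPerform" a domain controller returns.  Assumed rule
(from Microsoft's documentation of the setting): at least 6 characters
(the domain's minimum-length policy may be stricter), no occurrence of
the sAMAccountName or of any display-name token of 3+ characters
(case-insensitive), and at least three of five character categories.
"""
import re
from typing import List

MIN_LENGTH = 6  # complexity-rule minimum; a separate minimum-length policy may be higher


def _categories(password: str) -> int:
    """Count the AD character categories present.  Simplification: any
    non-space, non-alphanumeric character counts as 'special'; AD excludes
    a few symbols (e.g. currency signs) that this check does not."""
    seen = set()
    for ch in password:
        if ch in "0123456789":
            seen.add("digit")
        elif ch.isupper():
            seen.add("upper")
        elif ch.islower():
            seen.add("lower")
        elif ch.isalpha():
            seen.add("other-alpha")   # caseless letters, e.g. CJK
        elif not ch.isspace():
            seen.add("special")
    return len(seen)


def _name_tokens(sam_account_name: str, display_name: str) -> List[str]:
    """sAMAccountName as a whole (if 3+ chars) plus display-name tokens split on
    the delimiters AD uses: comma, period, dash, underscore, space, #, tab."""
    tokens = [sam_account_name] if len(sam_account_name) >= 3 else []
    tokens += [t for t in re.split(r"[,.\-_ #\t]+", display_name) if len(t) >= 3]
    return [t.lower() for t in tokens]


def check_complexity(password: str, sam_account_name: str, display_name: str = "") -> List[str]:
    """Return the list of violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    lowered = password.lower()
    for token in _name_tokens(sam_account_name, display_name):
        if token in lowered:
            problems.append(f"contains name token {token!r}")
    if _categories(password) < 3:
        problems.append("uses fewer than three character categories")
    return problems


def encode_unicode_pwd(password: str) -> bytes:
    """AD's unicodePwd attribute takes the password wrapped in double quotes and
    encoded as UTF-16LE.  The directory only accepts this write over an
    encrypted session, which is why the connector cannot set passwords
    without SSL."""
    return f'"{password}"'.encode("utf-16-le")


if __name__ == "__main__":
    # Constructed sample user and candidate passwords.
    sam, full = "jsmith", "John Smith"
    for candidate in ("Password1", "jsmith2009", "Smith!2009", "Tr0ub4dor&3"):
        problems = check_complexity(candidate, sam, full)
        print(f"{candidate:<14} {'OK' if not problems else '; '.join(problems)}")
    print(encode_unicode_pwd("Tr0ub4dor&3"))
```

Note that "Password1" passes the complexity rule: the setting guarantees character variety, not strength, which is worth remembering when the page above suggests turning it off for the whole domain.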

Copying the Connector Files and External Code Files

Copy the connector files to the following locations on the Oracle Identity Manager server:

lib/xliActiveDirectory.jar: OIM_home/xellerate/JavaTasks
lib/xliADRecon.jar: OIM_home/xellerate/ScheduleTask
Files in the resources directory: OIM_home/xellerate/connectorResources
Files in the scripts directory: OIM_home/xellerate/scripts
Directories and files in the test directory: OIM_home/xellerate/test
Files in the xml directory: OIM_home/xellerate/XLIntegrations/ActiveDirectory/xml
ldapbp.jar: OIM_home/xellerate/ThirdParty

After you copy the install.bat (or install.sh) file, use a text editor to open the file and specify the actual location of the JDK directory in the file.

Installing Oracle Access Manager On Oracle Enterprise Linux

Installing OAM on Oracle Enterprise Linux 4

Wednesday, November 4, 2009

HOW TO UPGRADE SUN IDENTITY MANAGER PRODUCT

Here I am going to explain the basic things to take care of when you upgrade Identity Manager from an existing version to a new version.

Identity Manager Upgrade Process

The process for upgrading Identity Manager is as follows:

  • Prepare for the upgrade

    > Document existing environment
    > Determine upgrade version
    > Document customizations

  • Develop an upgrade plan

    > Create test environment
    > Upgrade test environment
    > Verify correct upgrade

  • Production environment deployment

    > Develop production rollout plan
    > Execute the plan

The procedure for updating Identity Manager is as follows:

  • Back up Identity Manager

    > File system
    > Database

  • Preserve local changes (customizations)
  • Upgrade the software
  • Set the license key (if necessary)
  • Confirm that the local changes have been restored
  • Restore any additional customizations

Identity Manager Tools for Upgrade

  • Describe the issues associated with upgrades
  • Describe the file system assessment tool
  • Describe the repository object assessment tool
  • Use assessments and snapshots

Issues With Upgrades

Problem:

• Difficult to determine what files have been modified, creating problems in upgrades
• Difficult to determine what objects have been modified when problems are reported to support

Solution:

• lh assessment
• Snapshot

Types of Changes

• Files on the file system:

JavaServer Pages™ (JSP™ pages)
Cascading Style Sheets (CSS)
Property files
Resource bundles
Service packs

• Repository objects:

Roles
User forms
Configuration objects

File System Inventory

The lh assessment tool:

• Cannot be used in the UI because the APIs are not available in application servers.
• Uses initial checksums kept in idm.jar (per file system object)
• Determines actually modified files, not just a timestamp change
• Checks Java classes as well (WEB-INF/classes/com)
• Uses the WSHOME environment variable
• Creates output that can be saved to a file

Inventory sub-commands of lh assessment:

• inventory -a (files added)
• inventory -m (files modified)
• inventory -d (files deleted)
• inventory (all files added, deleted or modified)
• installed (list installed releases, service packs, and hot fixes)

Repository Object Changes

Snapshots are taken from the Administrative Interface using the Debug pages:

http://<host>:<port number>/<IDM context>/debug

• The baseline.xml file is shipped with each release.
• Administrators can create additional snapshots that can be compared.
• Most objects and object attributes are saved to a separate object in the database; users and resources are not captured.
• Snapshot processing goes through internal caches. (This might cause some inconsistencies.)
• Snapshots can be exported to a file.
• A snapshot is not a rollback.

Repository Objects Captured

TaskDefinitions
Roles
Configuration objects
AdminRole
AdminGroup
EmailTemplate
Policy
ResourceForm
ResourceAction
Rule
TaskTemplate
UserForm
RemedyConfig

Snapshot Compare

• You have the ability to compare two snapshots to determine object differences.
• A baseline snapshot called baseline.xml is available in the idm/sample directory.
• Import the baseline snapshot.
• Create another snapshot.
• Compare the two.
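Both the file system inventory (lh assessment above) and the snapshot compare come down to the same operation: hash every item in a baseline, hash it again later, and report what was added, deleted or changed by content rather than by timestamp. The following is an added example that re-implements that idea, not the lh assessment or snapshot code shipped with Identity Manager. Part 1 inventories a directory against a baseline of SHA-256 checksums (the product keeps its baseline in idm.jar; this version keeps it in a dict and uses a temporary directory in place of WSHOME). Part 2 applies the same diff to two repository snapshots modelled as XML with `<Object type="..." name="...">` children; this is an assumed, simplified format, not the real snapshot schema. All sample files and snapshots are constructed.

```python
"""
Added example, not the lh assessment or snapshot tooling of Identity Manager.
Part 1: checksum inventory of a directory (added / modified / deleted).
Part 2: object-level diff of two snapshot documents (assumed XML layout).
"""
import hashlib
import os
import tempfile
import xml.etree.ElementTree as ET
from typing import Dict, Tuple

Digests = Dict[str, str]


def diff(baseline: Digests, current: Digests) -> Dict[str, list]:
    """Compare two name->digest maps; a changed digest means a real modification."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "deleted": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),
    }


def inventory(root: str) -> Digests:
    """Walk root (standing in for $WSHOME) and hash every file's content."""
    result = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            result[os.path.relpath(path, root).replace(os.sep, "/")] = digest
    return result


def snapshot_digests(xml_text: str) -> Digests:
    """Key each <Object> by type:name and hash its serialised form (assumed layout)."""
    result = {}
    for obj in ET.fromstring(xml_text).iter("Object"):
        obj.tail = None  # ignore surrounding whitespace so only content counts
        key = f"{obj.get('type')}:{obj.get('name')}"
        result[key] = hashlib.sha256(ET.tostring(obj)).hexdigest()
    return result


def demo() -> Tuple[dict, dict]:
    # --- Part 1: file-system inventory (constructed deployment) ----------
    with tempfile.TemporaryDirectory() as ws:
        def write(rel, data, mtime=None):
            path = os.path.join(ws, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(data)
            if mtime is not None:
                os.utime(path, (mtime, mtime))

        write("login.jsp", "<html>stock login</html>")
        write("styles/main.css", "body{}")
        write("WEB-INF/classes/com/acme/Hook.class", "stock")
        baseline = inventory(ws)

        # Simulate time passing: a touched-but-unchanged file, a real edit,
        # a deleted class and a new custom class.
        write("login.jsp", "<html>stock login</html>", mtime=0)   # timestamp only
        write("styles/main.css", "body{color:red}")                # content change
        os.remove(os.path.join(ws, "WEB-INF/classes/com/acme/Hook.class"))
        write("WEB-INF/classes/com/acme/Custom.class", "new")
        file_diff = diff(baseline, inventory(ws))

    # --- Part 2: repository snapshot compare (constructed snapshots) -----
    base_xml = """<Snapshot>
      <Object type="UserForm" name="Tabbed User Form"><Field name="x"/></Object>
      <Object type="Rule" name="EndUserControlledOrganizations"/>
      <Object type="Role" name="Contractor"/>
    </Snapshot>"""
    cur_xml = """<Snapshot>
      <Object type="UserForm" name="Tabbed User Form"><Field name="x"/><Field name="dept"/></Object>
      <Object type="Rule" name="EndUserControlledOrganizations"/>
      <Object type="EmailTemplate" name="Custom Welcome"/>
    </Snapshot>"""
    obj_diff = diff(snapshot_digests(base_xml), snapshot_digests(cur_xml))
    return file_diff, obj_diff


if __name__ == "__main__":
    for label, result in zip(("files", "objects"), demo()):
        print(label, result)
```

The touched-but-identical login.jsp does not show up as modified, which is the point of comparing checksums rather than timestamps; the same diff routine serves both the file inventory and the object snapshot because both are just name-to-digest maps.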

Tuesday, November 3, 2009

SUN IDM Pass Through Authentication

TEST CASE 1
Sometimes one account has "N" virtual accounts, and each virtual account has the same password after provisioning. But if a virtual account user later changes the password on the target resource and then wants to reset the password using another (existing) account ID and password, from the Admin module or the End User module, we use the concept of PASS-THROUGH AUTHENTICATION.
TEST CASE 2
If a user has access to N resources and each has a different password, the end user may lose one of the passwords; through the PASS-THROUGH AUTHENTICATION technique the end user can still log in and RESET THE PASSWORD.
Here, in the video, I have explained the same thing.



In this video, first I open the Oracle repository to check whether the WAVESET REPOSITORY is working or not. Then I start the GlassFish application server. After that I start Sun Identity Manager 8.1.

Then I start the Sun ONE Directory Server to create one user in LDAP and RECONCILE the user into Identity Manager. After that I provision into AD and other resources.

Due to some LDAP PROBLEM I again create one user (test.passauth), then I assign AD as the target resource for provisioning. After that I change the password of one of the virtual users, either from Identity Manager or from the Active Directory target resource, so that the two passwords will be different.



Then I assign (test.passauth) as Account Administrator so that we can check pass-through authentication on both the End User login page and the Admin page.

Then click on the Security tab of the Identity Manager Admin login screen. Then click on the Login sub-tab. Here some existing login module is present, so I delete that one and create a new login module.

Click on MANAGE LOGIN MODULE >>>

Then it opens a new form where you can put the name of the pass-through authentication module (test.pass_AUTHENTICATION) >>>> Select the resource where you want PASS-THROUGH AUTHENTICATION. Here I want it through Active Directory and the Identity Manager user, so first I select Active Directory, then select the AD sub-list. >>>>>> Next I select one more Account ID group, that is, Identity Manager. We can add any number; it depends on where you want this functionality.

>>> Select Login Success Requirement = sufficient >>> SAVE --- Do this for both, or for any number of resources, with the same process as in the video.

Now click on Return Login Application >>>> Select where you want to map this component; here I have mapped it with both the End User and Admin logins. >>>> Click on USER INTERFACE >>> SELECT THE NEWLY CREATED LOGIN MODULE GROUP NAME >>> check the session time-out and Organization also.

You can find the same process for the Administrative login screen also.

Now TEST THE COMPONENT >>> Log out from the Admin login, open the End User screen, put in the existing user ID and put in the cross-resource password, i.e. use the password you set in IDM for AD and VICE VERSA, so that you can reset the password from both the End User and Admin login modules.

This process is called PASS-THROUGH AUTHENTICATION.
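What the "Login Success Requirement = sufficient" setting does to the chain of resources can be seen in the following added example, which is a model written for this post and not Sun Identity Manager code. It builds a login module group with two modules (Active Directory and the Identity Manager repository, each stubbed with constructed credentials for the user test.passauth whose two passwords have diverged) and walks them in order: a "sufficient" module that accepts the password ends the chain immediately, and one that rejects it is simply skipped. The "required" value is an assumption based on JAAS-style login module semantics; the page only mentions "sufficient".

```python
"""
Added example, not Sun Identity Manager code: a model of a pass-through
authentication login module group.  Each module verifies the submitted
password against one stubbed resource; "sufficient" returns on first
success, "required" (assumed, JAAS-style) must succeed for the login to
succeed.  Credential stores and passwords are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


def _digest(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def _verifier(store: Dict[str, str]) -> Callable[[str, str], bool]:
    """Build a user/password check against a stubbed resource (no network)."""
    def verify(user: str, password: str) -> bool:
        stored = store.get(user)
        return stored is not None and hmac.compare_digest(stored, _digest(password))
    return verify


@dataclass
class LoginModule:
    resource: str
    verify: Callable[[str, str], bool]
    requirement: str = "sufficient"   # "sufficient" (from the page) or "required" (assumed)


def authenticate(group: List[LoginModule], user: str, password: str) -> Tuple[bool, List[str]]:
    """Walk the module group in order; return (success, audit trail of each module)."""
    trail = []
    any_ok = False
    required_failed = False
    for module in group:
        ok = module.verify(user, password)
        any_ok = any_ok or ok
        trail.append(f"{module.resource}:{'ok' if ok else 'fail'}")
        if ok and module.requirement == "sufficient" and not required_failed:
            return True, trail           # first sufficient success ends the chain
        if not ok and module.requirement == "required":
            required_failed = True       # keep going, but the outcome is already fixed
    return (any_ok and not required_failed), trail


# Constructed credential stores: same user ID on both resources, but the
# passwords have diverged after one of them was changed on the target.
AD_STORE = {"test.passauth": _digest("Winter2009!")}
IDM_STORE = {"test.passauth": _digest("Summer2009!")}

PASS_THROUGH_GROUP = [
    LoginModule("Active Directory", _verifier(AD_STORE)),
    LoginModule("Identity Manager", _verifier(IDM_STORE)),
]


if __name__ == "__main__":
    for pw in ("Winter2009!", "Summer2009!", "wrong"):
        ok, trail = authenticate(PASS_THROUGH_GROUP, "test.passauth", pw)
        print(f"{pw:<12} -> {'login' if ok else 'denied'} {trail}")
```

Either resource's password lets test.passauth in, which is exactly what makes the cross-resource password reset on the End User and Admin screens work; a module marked "required" would instead deny the login whenever that one resource rejects the password, even if another resource accepts it.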