IDM Blog-Oracle/Sun/Passlogix: March 2010

Tuesday, March 30, 2010

2 Stage Approval Process For Self Requested Account - PENDING

creation of approval processes related to users requesting access to resources. The specific approval process applied will depend on the role of the requesting user.

Lets Suppose if the user is an Intern, the request will need to be approved by the user’s manager as well as the Resource Owner. Otherwise, a simple manager approval is sufficient.

Here i am going to put the Target Resource is I-Planet, or you can choose any Requested Account. like AD/Exchange or SAP Applications for self request & Approval Process for IDM Manager i.e xelsysadm and Target Resource User Manager.

Condition 1. When User will create self request, the request will go to the Both Manager, and when one will Approve, it will shows Pending Approval and when both will Approve the Request, User Will get provisoned to the Target Resource.

By default, the iPlanet integration does not allow users to self-request this resource , so will Enable the Self Request, Like Below in the design Console

Start Your Application server, and Open the design Console with xelsysadm and password, then open the Resource Management >>>> Resource Object >>> Select iPlanet User through Search

Tuesday, March 23, 2010

Uninstalling Oracle Access Manager Components

During Oracle Access Manager component installation, information is saved after certain operations. Until information is saved, you may return and restate details. However, after you are informed that a component is being installed, Oracle Access Manager files are added to the file system.

Note:

If you cancel the installation process after receiving the message that a component is being installed and before completing all procedures, you must restore the system to it's previous condition to remove Oracle Access Manager-related information.

There are several steps you need to complete to remove an Oracle Access Manager component, as outlined in the discussion that follows. Some changes made for Oracle Access Manager are not handled automatically and must be manually removed when the Uninstaller program finishes:

Language Packs: Each installed Language Pack must be removed individually using appropriate file in the component's uninstall directory: Component_install_dir\identity|access\_uninstComponentLP_langtag\uninstaller.exe. For example, suppose you have an Identity Server and the WebPass installed with a Korean Language Pack. After uninstalling the Korean Language Pack on each component host, you must stop and restart both the Identity Server Service and the WebPass Web server instance. This will re-initialize corresponding components with the proper language support. Removing the Language Pack associated with the default Administrator language selected during installation is not supported.

Schema and Data Changes: If Oracle Access Manager will be removed and reinstalled with the same directory instance, only the Oracle Access Manager configuration tree(s) need be deleted. In this case, there is no need to remove the Oracle Access Manager schema from the directory instance. When reinstalling the Identity Server, select ÒNoÓ when asked if you want to update the schema (which is already present). Selecting ÒYesÓ results in an error message "schema already exists".

If, however, you plan to remove and reinstall Oracle Access Manager a different directory instance (or not reinstall at all) then configuration data must be removed manually from the directory server and Oracle Access Manager schema extensions must also be removed using cleanup files provided for your directory server. You must remove data from the Identity Server and Policy Manager.

Depending on the type of directory server, you may have one or two cleanup files. For instance, schema extension cleanup files are provided for user data only for VDS. However schema extension cleanup files are provided for both user data and Oblix (configuration data) for NDS, IPlanet, and Oracle Internet Directory. Schema extension cleanup file names begin with an abbreviation that identifies the type of directory, followed by the type of data to be removed.

As an example, look for the files similar to the following in the Identity Server and Policy Manager installation directories:

DirectoryName_user_schema_delete.ldif—Oracle Access Manager user data cleanup file for the specific named directory—removes user data that resides on a separate directory instance from configuration data
DirectoryName_oblix_schema_delete.ldif—Oracle Access Manager configuration data cleanup file for the specific named directory—removes both user and configuration data when both reside on the same directory instance
OID_oblix_schema_index_delete.ldif—Oracle Access Manager cleanup file for Oracle Internet Directory only—removes the Oracle Access Manager attribute index from Oracle Internet Directory before or after you use corresponding Oracle Access Manager data and schema cleanup files.
OID_user_index_delete.ldif—Oracle Access Manager cleanup file for Oracle Internet Directory only when a separate instance is used to host user data.

Some directory vendors do not provide schema cleanup files. For instance, no such files are provided for ActiveDirectory, and Active Directory Application Mode (ADAM).

Web Server Configuration Changes: Web server configuration changes that occur during installation must be manually reverted after uninstalling the Oracle Access Manager component (WebPass, Policy Manager, WebGate). For example, the ISAPI transfilter will be installed for IIS WebPass. However, when you uninstall WebPass this is not removed automatically. Also, the created Web service extension and the link to the identity directory will not be removed. This type of information must be removed manually. These are examples of information to remove, not a complete list. Further, you must remove any changes that you manually made to your Web server configuration file for the Oracle Access Manager component (WebPass, Policy Manager, WebGate) should be removed. For more information about what is added for each component

Tuning Apache 1.3 for Oracle Access Manager Web Components

The purpose of this note is to address some consideration for tuning Tuning Apache 1.3 for Oracle Access Manager Web Components.

Tuning Apache 1.3 for Oracle Access Manager Web Components

Apache 1.3 uses a process model for serving multiple http requests at once. This is different from the single process (thread) model employed by other Web servers, which manage several requests simultaneously in one process.

Each subordinate Apache worker-process responds to an incoming http request independently of every other worker-process. Several parameters in the Apache server configuration file (httpd.conf) affect how an Apache server decides to create or destroy worker processes.

The following affect the performance of the server:

MaxServers: The number of simultaneous http requests that a system can handle depends on the maximum performance of the system.

Performance Tuning: Performance tuning for a system should be done using an http load generating tool such as the ab program supplied with Apache.

MaxSpareServers: Sets the desired maximum number of idle child server processes. An idle process is one which is not handling a request. If there are more than MaxSpareServers idle, then the parent process will kill off the excess processes.

To preserve as much state as possible in the server, set the MaxSpareServers to a high value.

Setting this value to the maximum of 255 keeps all Apache worker-processes available indefinitely, but it does not provide an opportunity for worker-process recycling during low-load periods.

MaxClients: Sets the limit on the number of simultaneous requests that can be supported. As child processes are spawned to handle requests, no more than MaxClients number of processes will be created. Any connection attempts over the MaxClients limit will normally be queued, up to a number based on the ListenBacklog directive. Once a child process is freed at the end of a different request, the connection is then serviced.

To configure more than 256 clients the HARD_SERVER_LIMIT entry in httpd.h must be modified and Apache must be recompiled. With a high MaxClients setting and high load, the server will attempt to serve all requests immediately.

Memory constraints must be taken into account when setting this option. If the memory consumption of a child process (~1 MB in plain Apache, ~10 MB with mod_perl enabled) multiplied by the number of running child processes is larger than available system memory, then child processes will be swapped out of main memory to disk. A high number of disk swaps can have a severe impact on server performance.

MaxClients should be configured as small as possible to preserve performance. Calculation of this value is straight-forward:
MaxClients = (Total RAM dedicated to web server) / (Child's max memory consumption) Or, taking into account memory shared by child processes:

MaxClients = (Total_RAM – Min_Shared_RAM_per_Child) / (Max_Child_Process_Size – Min_Shared_RAM_per_Child)

MaxRequestsPerChild: The MaxRequestsPerChild directive sets the limit on the number of requests that an individual child server process will handle. After MaxRequestsPerChild requests, the child process will die. If MaxRequestsPerChild is 0, then the process will never expire.

The primary purpose of this option is as a safety mechanism. Regularly recycling child processes prevents poorly behaving child processes from consuming memory resources. This safety mechanism is not unreasonable, but the start-up delay for Oracle Access Manager Web components (also known as plug-ins) is noticeable at the Web browser.

If you use this parameter, set it high enough for end users to rarely notice the startup delay. Oracle Access Manager plug-ins are designed to run under Web servers without this safety mechanism.
ThreadsPerChild

Available only with Apache 1.3 running on Windows. This directive tells the server how many threads it should use. This is the maximum number of connections the server can handle at once; be sure and set this number high enough for your site if you get a lot of hits.

This directive has no effect on Unix systems. Unix users should look to StartServers and MaxRequestsPerChild.

MinSpareServers: Sets the desired minimum number of idle child server processes. An idle process is one that is not handling a request.

If there are fewer than MinSpareServers idle, then the parent process creates new children at a maximum rate of 1 every second. Use this with the Policy Manager.

Note:

Setting this directive to some value m ensures that you will always have at least n + m httpd processes running when you have n active client requests.

Because of the fact that Oracle Access Manager plug-in initialization is deferred until the first request, using a high value for the MinSpareServers parameter provides minimal advantage.

However, it is useful to keep this parameter as high as possible. For dedicated Web server systems, this should pose no great burden.

StartServer: As with the MinSpareServers parameter, the advantage of the StartServers parameter is limited by the delayed initialization of the Oracle Access Manager plug-ins.

Appropriate values for the preceding parameters depend on the expected load and the performance class of the systems involved, including the Access Server and LDAP server. Apache servers on very high performance systems with high expected loads may be recompiled with a larger limit on the number of worker processes.

These systems may see a greater performance impact on the StartServers and MinSpareServers parameters for dealing with sudden load spikes.
You may need to adjust operating system limits for the Access Server for proper operation. In particular, the maximum number of file descriptors available for any one Access Server may need to be increased beyond the default value.

Configuring more than one connection between each Apache-based WebGate and an Access Server may quickly exceed this limit.
Access Server Tuning and Resolving Bottlenecks

Configuration of Apache 1.3 has an impact through the chain of communication from the WebGate to Access Server. Configuration changes may need to take place at Access Server, WebGate, and Apache levels to achieve desired performance levels and avoid bottlenecks. The four major configuration options are:

1. The number of Access Server connections allocated to the WebGate
2. The MaxClient Apache configuration option
3. The ThreadsPerChild Apache configuration option (on Windows only)
4. Number of Access Servers and/or number of Service Threads allocated to the Access Server(s)

Fine-tuning WebGate Connections to Access Server:

Take the following hypothetical examples:

Assumption: Access Server services each WebGate request in one second.

Configuration Scenario 1:
One Access Server (60 service threads) configured with one WebGate (Number of connections from WebGate to Access Server = 1) on Apache 1.3 Windows (MaxClient=1, ThreadsPerChild=60)

To fully utilize Access Server's 60 service threads, 60 requests per second should be sent by the WebGate. The bottleneck in this scenario is the number of connections from WebGate to Access Server as a single connection will be used by all requests.

Configuration Scenario 2:
One Access Server (60 service threads) configured with one WebGate (Number of connections from WebGate to Access Server = 5) on Apache 1.3 Windows (MaxClient=1, ThreadsPerChild=60)
Scenario 2 eases the bottleneck as 5 connections should be sufficient to handle the 60 req/sec load.

Configuration Scenario 3:
One Access Server (60 service threads) configured with one WebGate (Number of connections from WebGate to Access Server = 1) on Apache 1.3 Windows (MaxClient=2, ThreadsPerChild=30)

Scenario 3 eases the bottleneck by adding another Apache child process to service requests, however each child process may still have contention on the single Access Server connection allocated to it.

Configuration Scenario 4:
One Access Server (60 service threads) configured with one WebGate (Number of connections from WebGate to Access Server = 5) on Apache 1.3 Windows (MaxClient=2, ThreadsPerChild=30)

Scenario 4 uses both approaches.

Fine-Tuning MaxClient:
Configuration Scenario 1:

One Access Server (60 service threads) configured against one WebGate (no of connection from WG to AAA is 5) on Apache (ThreadsPerChild =10).
Assuming still that Access Server handles a request in one second, each thread will generate 1 request per second. Here each process of Apache has 10 threads and so the total rate of requests per Apache child process will be 10 req/sec. To fully utilize Access Server's 60 service threads, we can set the the MaxClient option to 6.

Configuration Scenario 2:
Two Access Server (60 service threads) configured against one WebGate (no of connection from WG to AAA is 5) on Apache (ThreadsPerChild =10).
With two Access Servers, 120 service threads are available to handle requests. To fully utilize these threads, MaxClient may be set to 12
Fine-Tuning ThreadPerChild

Configuration scenario 1:

One Access Server (60 service threads) configured against one WebGate (no of connection from WG to AAA is 5) on Apache (MaxClient=1).
Here we can set ThreadsPerChild to 60.

Configuration Scenario 2:
One Access Server (60 service threads) configured against one WebGate (no of connection from WG to AAA is 5) on Apache (MaxClient=2).
Here we can set ThreadsPerChild to 30.

Configuration Scenario 3:
Two Access Server (60 service threads) configured against one WebGate (no of connection from WG to AAA is 5) on Apache (MaxClient=10).
Here we can set ThreadsPerChild to 12.

Summary:

Achieving the proper balance of options to support desired load requires that the options be taken together. Load requirements or resource constraints tend to dictate one or more of these configuration options and the rest are derived from there.

1. Depending on the load to be supported on the webserver, configure values of MaxClient and ThreadsPerChild as follows
a. Compute MaxClient value
b. ThreadsPerChild = "Number of parallel requests on web server" / MaxClient
2. Once this is done, Access Server and WebGate configurations must be tuned accordingly
a. Threads in each Apache process share the same set of connections to the Access Server. If ThreadsPerChild is high, there may be contention for a small number of connections. To solve this increase the number of connections WebGate has available to it.
b. The maximum number of connections that may be established to Access Server is MaxClient * (Number of WebGate-to-Access Server connections). If this value approaches very high levels, resource constraints (memory, socket, network load) may be reached, causing system stability issues. To solve this, decrease connections or MaxClients.
c. The maximum possible number of requests that may be simultaneously sent to the Access Server is a product of (MaxClient * ThreadsPerChild). If the number of Service Threads configured in Access Server is less than the in-flow of requests, the average wait-time for requests will increase. In this case, increasing the number of service threads in the Access Server or adding additional Access Servers to the environment will help resolve the bottleneck.

Policy Manager Tuning Factors
Policy Manager performance may be impacted by both Apache and Policy Manager configuration parameters.

The following factors should be considered when tuning the Policy Manager for Apache:
• The idle child processes ensure that a new incoming request is serviced immediately. The more spare child processes, the faster the ramp up.
• Each child process opens separate connections to the directory server. The more child processes you have, the more directory server connections you have.
Assuming that each user is using one browser, there are four to five simultaneous requests to the Web server for images and js and HTML from the browser.

Assuming that there are four simultaneous users, the total number of simultaneous requests to the Web server is 4 * 5 = 20.
Given these factors, Oracle recommends the following to maintain a balance between how fast a new user is serviced and the number of connections to the directory server:
• MaxClients = 25

• MinSpareServers = 4

• MaxSpareServers = 5

Note:
The Policy Manager does not open connections on Web Server startup.

Instead, the Policy Manager creates connections on the first request.

To help compensate for any delay when the Policy Manager creates connections, the Policy Manager may be configured such that all directory server connections for all directory server profiles are set to 1

In this case, the Apache configuration may be as follows:
• MinSpareServers = 1

• MaxSpareServers = 2

• MaxServers = 2
In the preceding case, the Policy Manager responds in a reasonable time with some delay on the initial request.

Friday, March 19, 2010

OIM AD Connector Enhancement for Deleting eSSO Enabled Accounts

This sample code is intended to enable AD connector (version prior to 9.1) to delete users that are eSSO enabled. Currently the connector cannot handle the scenario when eSSO stores the users configuration data under the respective user object. The code provided can enhance the connector to delete the leafs associated with the user, enabling the default connector code to delete the user object.

Please note that this issue has been addressed in the 9.1 version of the AD connector by adding the parameter isUserDeleteLeafNode in the IT Resource. By enabling this parameter, the delete operation will use the TreeDeleteControl (1.2.840.113556.1.4.805) to delete all the sub-leafs in one operation.

This fix is done for Bug 6407478 DEPROVISIONING OF AD USER RESOURCE FAILS WHEN THE USER OBJECT HAS LEAF NODES

Software Requirements/Prerequisites

To compile the code Java JDK is needed, the same as the JDK used by the Application Server running OIM.

Configuring the Sample Code

The ADESSOExtension class from this example extends com.thortech.xl.integration.ActiveDirectory.tcUtilADTasks class from the default AD connector, overriding deleteUser method.

1. Create the following folders in your development workspace:

OIM_AD_ESSO

OIM_AD_ESSO/com/custom/AD

OID_AD_ESSO/lib

2. Create the file ADESSOExtension.java in OIM_AD_ESSO/com/custom/AD

3. Copy xliActiveDirectory.jar and xlVO.jar to OIM_AD_ESSO/lib

(the files can be found under current Xellerate home directory)

4. Review the java file and compile it with the command (run the command from OIM_AD_ESSO folder)

javac -classpath lib/xliActiveDirectory.jar;lib/xlVO.jar com/custom/AD/*

5. Build a JAR file containing the class:

jar cvf ad_esso.jar com

6. Copy the JAR file created to OIM_HOME/xellerate/JavaTasks

Running the Sample Code

To configure the adapter to call the custom code perform the following actions:

1. Open Design Console and search for the adapter (AD Delete User) in Adapter Manager

2. Add a Java Task before "Delete user" task

2.1 Functional Task-> Java -> New Object Instance

2.2 Set task name as "Delete Leafs"

2.3 Select API Source as JavaTaskJar:ad_esso.jar

2.4 Select Method as com.custom.AD.ADESSOExtension.deleteUser(....) and click Save

2.5 Map constructor parameters as Adapter Variables -> ADServer (your resource name) in the order:

Server Address,RootContext, Admin FQDN,Admin Password,UseSSL,SSL Port Number,TargetLocale Language, TargetLocale Country

2.6 Map the method parameters as:

Output: Adapter Variables->Return Variable

Input: Adapter Task->Get Hierarchy

Input: Adapter Task->Get User Object Name

3. Save the adapter and re-build it

Caution

This sample code is provided for educational purposes only and not supported by Oracle Support Services. It has been tested internally, however, and works as documented. We do not guarantee that it will work for you, so be sure to test it in your environment before relying on it.

Proofread this sample code before using it! Due to the differences in the way text editors, e-mail packages and operating systems handle text formatting (spaces, tabs and carriage returns), this sample code may not be in an executable state when you first receive it. Check over the sample code to ensure that errors of this type are corrected.

package com.custom.AD;

import java.util.Vector;
import java.util.logging.Logger;

public class ADESSOExtension extends com.thortech.xl.integration.ActiveDirectory.tcUtilADTasks {

  public static Logger logger = Logger.getLogger("XL_INTG.ACTIVEDIRECTORY");

  public ADESSOExtension(String ad_server, String rootcon, String princDN,
     String p_password, String pbSSL, String sslPort, String language,
     String country) throws Exception {
       super(ad_server,
           rootcon,
           princDN,
           p_password,
           pbSSL,
          sslPort,
          language,
          country
      );
  }

  public boolean deleteUser(String hierarchy, String username) throws Exception {
     hierarchy = checkHierarchy(hierarchy);
     Vector v = getObjects("cn="+username + "," + "cn="+username + "," + hierarchy);
     logger.info("Found " + v.size() + " leafs...");
     for (int i=v.size()-1;i>-1;i--){

       logger.info("Found leaf: " + v.get(i).toString());
       String name = v.get(i).toString();
       if (!"".equals(name.trim()) && name.length()>3){
        super.deleteUser("cn="+username + "," + "cn="+username + "," + hierarchy,name.substring(3));
       }
     }

super.deleteUser("cn="+username + "," + hierarchy,username);
return true;
}

}

Code Output

23:02:21,515 INFO [ACTIVEDIRECTORY] Certificate Path::C:\Program Files\SupportTools\
23:02:24,937 INFO [STDOUT] Dec 3, 2007 11:02:24 PM com.custom.AD.ADESSOExtensio n deleteUser
INFO: Found 5 leafs...
23:02:25,031 INFO [STDOUT] Dec 3, 2007 11:02:25 PM com.custom.AD.ADESSOExtensio n deleteUser
INFO: Found leaf:
23:02:25,125 INFO [STDOUT] Dec 3, 2007 11:02:25 PM com.custom.AD.ADESSOExtensio n deleteUser
INFO: Found leaf: CN=D4B13D82-9279-4A89-AEEA-802FDDD45B87
23:02:25,218 INFO [ACTIVEDIRECTORY] Certificate Path::C:\Program Files\Support Tools\
23:02:28,406 INFO [STDOUT] Dec 3, 2007 11:02:28 PM com.custom.AD.ADESSOExtensio n deleteUser
INFO: Found leaf: CN=SSOProvisioning
23:02:28,500 INFO [ACTIVEDIRECTORY] Certificate Path::C:\Program Files\Support Tools\
23:02:31,703 INFO [STDOUT] Dec 3, 2007 11:02:31 PM com.custom.AD.ADESSOExtensio n deleteUser
INFO: Found leaf: CN=SyncState
23:02:31,796 INFO [ACTIVEDIRECTORY] Certificate Path::C:\Program Files\Support Tools\
23:02:37,468 INFO [STDOUT] Dec 3, 2007 11:02:37 PM com.custom.AD.ADESSOExtensio n deleteUser
INFO: Found leaf: CN=208a5b4e-1c22-4cba-8f56-364ee6c126e3
23:02:37,578 INFO [ACTIVEDIRECTORY] Certificate Path::C:\Program Files\Support Tools\
23:02:40,875 INFO [ACTIVEDIRECTORY] Certificate Path::C:\Program Files\Support Tools\
23:02:45,906 INFO [STDOUT] Running Delete User
23:02:45,937 INFO [ACTIVEDIRECTORY] Certificate Path::C:\Program Files\Support Tools\

How to Change the Default Location (cn=Users,dc=domain,dc=com) for Creating Users in AD using OIM AD Connector?

How to create users in desired hierarchy (ou=Users.Provisioned\ou=Accounts\User1) other than the default hierarchy (cn=Users,dc=domain,dc=com.) on Active Directory server by the provisioning of "AD User" resource object.

To create users in desired hierarchy (ou=Users.Provisioned\Accounts\User1) on active directory server, Need to be create same organization hierarchy in OIM side also,while provisioning "AD User" Resource object need to be select that organization ou=Accounts under which hierarchy user will create on AD side.

Please follow the below steps.

1)Create Organization Unit ou=Users.Provisioned on AD side under dc=domain,dc=com.

2)Create one more ou=Accounts under ou=Users.Provisioned(this is parent organization for

ou=Accounts).

3)Login in OIM webclient click on Organization>>Create menu .

4)Create Organization say Name=Users.Provisioned.

5)Again create an organization say Name=Accounts and select Parent Name= "Users.Provisioned".

6)Create new user say "User1" and provision with "AD User" resource object.

7)while provisioning AD User Resource Object, AD User process form will show up.

8)Click on Organization Name lookup>> select desire OU=Accounts.

9)Complete provisioning process.

Result :

Check AD side under ou=Users.Provisioned\ou=Accounts\user=User1 will stored.

Note : In AD server IT Resorce Information >>Root Context=(dc=domain,dc=com) should be contain only domain name .

Should the OIM AD Password Sync Connector be Installed on all the Active Directory Domain Controller Machines to Which a User can Bind to

Should the OIM AD Password Sync Connector be installed on all the Active Directory Domain Controllers to which users can connect to change their passwords or should it be installed only on the Primary Domain Controller?

If the user's password is changed on an Active Directory Domain Controller, that Domain Controller should have the OIM AD Password Sync connector package installed in order for it to propagate the new password to OIM.

If only the Primary Active Directory Domain controller has the OIM AD Password Sync connector installed and if the password is changed on the non primary domain controller (which does not have the AD Password Sync connector installed and configured) and then primary domain controller having AD Password Sync connector would never execute the change password to OIM even after it the two domain controllers sync. One would never know on which Domain Controller a user is authenticated and where their password was changed, that's why AD Password Sync connector should on any Domain Controller that a user could bind to.

How to Add a New Field to AN OIM Connector (Step by Step Guide on OID Connector)

This document describes the steps needed to add a custom field to a OIM Connector. The steps provided are targeted to the OID connector. However, same concepts can be used to other connectors as well.

There are two sections, first describes the operations needed for provisioning. The second section describes how to add the field for synchronization.

Solution

Section 1: Provisioning

=================

Step1: Adding the new field to the OID Process Form
--------------------------------------------------------
1. In Design Console open Development Tools -> Form Designer
2. In Table Name field type UD_OID_USR and press Search
3. Click "Create new version" and enter the label and click Save
4. Select the new form version
5. Click Add and enter the details for the new field in the table.
In this example we will use:
NAME: UD_OID_USR_SOID
VARIANT TYPE: String
LENGTH: 100
FIELD LABEL: Sample OID Field
FIELD TYPE: TextField
ORDER: 16
6. Save the form
7. On the Properties tab, click Add, select the field and set Visible Field to true.
8. Save the form
9. Click "Make version active"

Step2: Create a process task for the Sample OID Field
--------------------------------------------------------
1. In Design Console open Process Management -> Process Definition
2. In the Name field type "OID User" and click search
3. Click Add
4. Enter the name as "Sample OID Field Updated"
The name of the connector must follow the following naming convention:
"<Field Name> Updated"
OIM calls the connector based on this naming rule.
5. Enter a description and also check "Conditional" and "Allow Multiple Instances"
6. Save the process task
7. On the Integration tab, click Add -> Adapter and select adpOIDMODIFYUSER adapter.
8. Click Save.
9. Map the adapter variables to the following values:

Step3: Adding the field to the provisioning lookup definition
-------------------------------------------------------------
1. In Design Console open Administration -> Lookup definition
2. In Code field type "AttrName.Prov.Map.OID" and click search
3. Click Add and enter "Sample OID Field" in the Code Key.
4. In Decode type the name of the field in OID, for example "description"
5. Click Save

Step4: Testing provisioning
---------------------------
1. Login to the Web Administration Console
2. Create a new OIM User
3. Provision an OID Account to the OIM user
4. Notice in the process form the new field "Sample OID Field"
5. Edit the process form, add a value for Sample OID Field and click Save
6. Check the description field on the account created in OID

Step5: Linking the field to an OIM User UDF (optional)
---------------------------------------------------------
If the scenario requires to link the field with a User Defined Field in the OIM user form:

Let's consider there a field defined in Users form like in the example below:
(In Design Console -> Administration -> User Defined Field Definition -> Users)
Label : Sample OID Field
DataType : String
Field Type : Text Field
Column Name : USR_UDF_S_OID
Field Sise : 100

1. In Design Console open Process Management -> Process Definition
2. In the Name field type "OID User" and click search
3. Click Add
4. Enter the name as "Change Sample OID Field"
5. Enter a description and also check "Conditional" and "Allow Multiple Instances"
6. Save the process task
7. On the Integration tab, click Add -> Adapter and select adpOIDMODIFYUSER adapter.
8. Click Save.
9. Map the adapter variables to the following values:

10. Navigate to Administration - Lookup Definition
11. Enter "Lookup.USR_PROCESS_TRIGGERS" in the Code field and click Search
12. Click Add and enter the follwing values:
Code Key - USR_UDF_S_OID
Decode - Change Sample OID Field
Note: Code Key is the database column name for the UDF (as assumed in the begining of Step5).
Note: Decode is the process task name (as assumed in Step5->point4).
13. Save the Lookup definition.

Section 2: Reconciliation

==================

Step1: Add the Reconciliation Field to OID User Resource Object
--------------------------------------------------------------------
1. In Design Console open Resource Management -> Resource Object
2. Type "OID User" in Name and click Search
3. On Object Reconciliation tab, click Add Field
4. Enter "Sample OID Field" in the field name and select the type as String
5. Click Save

Step2: Add the Reconciliation Field Mappings
-----------------------------------------------
1. In Design Console open Process Management -> Process Definition
2. Type "OID User" in the name field and click Search
3. On the Reconciliation Field Mappings tab, click Add Field Map
4. Select:
Field Name : Sample OID Field
Field Type : String
Process Data Field : UD_OID_USR_SOID
5. Click Save

Step3: Add the field to the reconciliation lookup definition
----------------------------------------------------------
1. In Design Console open Administration -> Lookup definition
2. In Code field type "AttrName.Recon.Map.OID" and click search
3. Click Add and enter "Sample OID Field" in the Code Key.
4. In Decode type the name of the field in OID, for example "description"
5. Click Save

Step4: Testing reconciliation
-----------------------------
1. Login to OID with Oracle Directory Manager (OIDAdmin)
2. Modify the description field for a specific user account
3. Run the reconciliation task
4. Check the process form for the specific user account in OIM Administration interface
5. The field Sample OID Field should be updated accordingly

Note: when a reconciliation event is received, the Reconciliation Update Received task is called and the process form is updated. If the requirement is to synchronize data further, a custom task can be linked to Reconciliation Update Received. However, the custom task implementation will probably require custom code.

Wednesday, March 17, 2010

Developing a Custom OIM Scheduled Task Using Eclipse

Purpose

This note helps one getting started with the development of a custom OIM scheduler task using Eclipse as a development platform for Java. This note will guide you trough the following stages:

1. Creating the working folder structure
2. Adding the JAR files needed from OIM server
3. Creating a java project in Eclipse
4. Writing a sample java class that will implement SchedulerBaseTask
5. Compiling the code with Eclipse
6. Creating the JAR file containing the sheduled task
7. Configuring the Scheduled Task in OIM

This Content will only be Applicable for Identity Manager - Version: 9.1 or later

Software Requirements/Prerequisites

+ Java JDK + Eclipse platform -> for Java development

Configuring the Sample Code

1. Creating the working folder structure

The following structure must be created in the home directory of your project (Separate project home for each project):

\bin \lib \src \jar

The folders will store:

src - source code of your project
bin - compiled code of your project
lib - OIM API libraries
jar - the final JAR file containing the scheduled task

2. Adding the JAR files needed Copy the file file:

OIM_HOME\xellerate\lib\xlVO.jar to PROJECT_HOME\lib OIM_HOME\xellerate\lib\xlAPI.jar to PROJECT_HOME\lib OIM_HOME\xellerate\lib\xlScheduler.jar to PROJECT_HOME\lib OIM_HOME\xellerate\lib\xlLogger.jar to PROJECT_HOME\lib OIM_HOME\xellerate\lib\xlUtils.jar to PROJECT_HOME\lib

Depending on the custom code implemented, other JAR files might be needed.

Creating a java project in Eclipse Once the above steps are completed we are ready to create a Java project. (this step requires Eclipse to be installed on your development machine.

Eclipse can be downloaded from http://www.eclipse.org/)

+ Start Eclipse platform
+ Select File->New->Project from the menu on top
+ Select Java Project and click Next
+ Type in a project name (For example OIM_SCHEDULED_TASK)
+ In the Contents panel select "Create project from existing source", click Browse and select your folder
+ Click Finish to exit the wizard At this point the project is created and you should be able to browse trough it in Package Explorer. Setting src in the build path:
+ In Package Explorer right click on project name and select Properties
+ Select Java Build Path in the left and Source tab in the right
+ Click Add Folder and select your src folder
+ Click OK

Running the Sample Code

4. Writing a sample java class that will implement SchedulerBaseTask

+ In Package Explorer, right click on src and select New->Package
+ Type the name of the package as com.oracle.oim.sample.scheduledtasks
+ Click Finish
+ In Package Explorer, right click on com.oracle.oim.sample and select New->Class.
+ Type the name of the class as SampleScheduledTask
+ Click Finish Put the sample code in the class

5. Compiling the code with Eclipse

Make sure there are no compilation errors reported by Eclipse and then select from the menu: Project -> Build All

6. Creating the JAR file containing the event handler To generate the jar file,

execute: \bin\jar -cvf ../jar/custom_sched_task.jar *

The following output should be seen: added manifest

adding: com/(in = 0) (out= 0)(stored 0%)
adding: com/oracle/(in = 0) (out= 0)(stored 0%)
adding: com/oracle/oim/(in = 0) (out= 0)(stored 0%)
adding: com/oracle/oim/sample/(in = 0) (out= 0)(stored 0%)
adding: com/oracle/oim/sample/scheduledtasks/(in = 0) (out= 0)(stored 0%)
adding: com/oracle/oim/sample/scheduledtasks/SampleScheduledTask.class(in = 1803) (out= 878)(deflated 51%)

Copy the resulted jar file from: \jar\custom_sched_task.jar to OIM_HOME\xellerate\ScheduleTask\

7. Configuring the Scheduled Task in OIM + open OIM Design Console + Administration ->Task SchedulerScheduled Task :

MyCustomScheduledTask Class Name:
com.oracle.oim.sample.scheduledtasks.SampleScheduledTask

Click Save

If there are any custom attributes for the scheduled task,

click the Add button to define them.
In this example, custom attributes are attributeName1 and attributeName2.

Sample Code

package com.oracle.oim.sample.scheduledtasks;

import com.thortech.xl.scheduler.tasks.SchedulerBaseTask;

import com.thortech.util.logging.Logger;

public class SampleScheduledTask extends SchedulerBaseTask

{ //define here the task attributes private String attributeValue1;

private String attributeValue2; //define here the logger

private Logger logger = Logger.getLogger("XELLERATE.CUSTOM_TASK");

public SampleScheduledTask()

{

super();

}
public void init()
{ logger.info("Starting init() for SampleScheduledTask");

try

{ //the task attributes can be retrived here

attributeValue1 = getAttribute("attributeName1");

attributeValue2 = getAttribute("attributeName2"); //perform other init actions here }catch

(Exception e){ e.printStackTrace();

} logger.info("Finishing init() for SampleScheduledTask");

}

public void execute()

{

logger.info("Starting execute() for SampleScheduledTask"); //if an API utility is needed

Thor.API.Operations.tcLookupOperationsIntf lookupUtility = null;

try{ //execute the custom processing here

logger.info("Executing SampleScheduledTask"); //if an API utility is needed

lookupUtility = (Thor.API.Operations.tcLookupOperationsIntf) getUtility(

"Thor.API.Operations.tcLookupOperationsIntf"); //any other utility can be initialized in the same way

}

catch(Exception e)

{ //make sure no exception is thrown in the Quartz scheduler //all exceptions should be handled here

e.printStackTrace();

}

logger.info("Finishing execute() for SampleScheduledTask");

}

public boolean stop()

{ //Stop the execution of this task

return true;//or false if cannot be stopped

}

}

Tuesday, March 16, 2010

Installing Oracle Identity Management 11g R1 (11.1.1.1)

Introduction:

Oracle Identity Management enables enterprises to manage the end-to-end lifecycle of user identities across all enterprise resources—both within and beyond the firewall. With Oracle Identity Management, you can deploy applications faster, apply the most granular protection to enterprise resources, automatically eliminate latent access privileges, and much more.

Oracle Identity Management 11g Release 1 (11.1.1) includes the following components:

Oracle Internet Directory
Oracle Directory Integration Platform
Oracle Virtual Directory
Oracle Directory Services Manager
Oracle Identity Federation

In this post we will see the installation of Oracle Identity Management 11g R1 (11.1.1.1). As mentioned before the approach for installing Oracle 11g FMW components is different then those of 10g components, I will mention the approach for installing Oracle Identity Management 11g.

Brief Installation Steps:

Following are the brief steps for installing Oracle Identity Management 11g

1) Install database 11g (11.1.0.6 / 11.1.0.7) including configuring TNS and listener
2) Create repository using Oracle RCU (Repository Creation Utility)
3) Install WLS (weblogic Server) and create a middleware home
4) Install Oracle Identity Management 11g inside middleware home

The installation will install and configure the complete Identity Management and provide the access URLs.

Download Locations:

You can download all the required software from following location

Oracle Database 11g (11.1.0.6/11.1.0.7) – http://www.oracle.com/technology/software/products/database/index.html

Oracle IDM 11g – http://www.oracle.com/technology/software/products/middleware/htdocs/111110_fmw.html (Download the product Identity Management)

Oracle RCU – http://www.oracle.com/technology/software/products/middleware/htdocs/111110_fmw.html

Oracle WLS 10.3.1 – http://www.oracle.com/technology/software/products/ias/htdocs/wls_main.html

Step 1) Install database 11g including configuring TNS and listener

For this you can refer previous post for database installation and create a 11g database. Also create a listener on any available port and configure TNS for the database.

Step 2) Create repository using Oracle RCU (Repository Creation Utility)

Using RCU, you can create repository for IDM. You dont have to install RCU for using it. RCU comes as a zip file along with the identity management software download. Once you unzip you run <RCU_UNZIP>/bin/rcu binary

This will invoke a GUI. On the first page you can select "Create Repository" and click on next.

On the next page RCU will ask for database details in which you want to create the repository. The page will look as shown below

Once you connect to database, on the next page you need to select the repository that you want to create. Here you can select "Identity Management" as shown below. Also you can use any prefix for these schema. All these schema created will have the prefix string prefixed to it. In this case it will prepend DEV before each schema name. Note that it wont prefix anything before ODS schema. This schema is used for OID and SSO configuration.

Once you click on next, it will show the summary and will create tablespace if they dont exists. After tablespace creation, click on create and it will create the required repository schemas.

Step 3) Install WLS (weblogic Server) and create a middleware home

Next step is to install WLS server. Carry out the basic installation of WLS. You need to provide a new location for middleware home when asked for as shown below.

Next it will ask for the location of weblogic. Here you can accept the default value as it will be created inside middleware home.

Select all other values as default and install WLS.

Step 4) Installing IDM 11g.

IDM installation involves many steps and screens. Please follow the below screen shots for installing IDM

When you start the IDM installer, you will see a welcome screen. Click on next.

Next you will see "Install option" screen. In this screen select "Install and Configure". Click on next.

The installer will perform the pre-requisite checks. Click on next.

In the next screen "Select Domain", click on "Create new domain" as shown below

Select all other values as default and install WLS.

Step 4) Installing IDM 11g.

IDM installation involves many steps and screens. Please follow the below screen shots for installing IDM

When you start the IDM installer, you will see a welcome screen. Click on next.

Next you will see "Install option" screen. In this screen select "Install and Configure". Click on next.

The installer will perform the pre-requisite checks. Click on next.

In the next screen "Select Domain", click on "Create new domain" as shown below

On the next screen, specify the install location inside middleware home.Click Next.

Select default values for next screen – Security Updates. Click Next.

On configure components screen, keep the default values. Click Next

On configure port screen, you can choose Automatic port assignment. Click Next.

On "Specify Oracle Virtual Directory Information" page, provide the inputs as shown in the screen below

Here you need to specify the password for orcladmin. Remember the password you are setting here as you will need that at many places later. Click on Next.

On "Specify Schema Database" page, you can specify the ODS schema details that we created using repository creation utility (Step 2)). Also you need to provide ODS schema password you set while running RCU in step 2) as shown below

On "Create Oracle Internet Directory" screen, specify the Realm and orcladmin password. Note here that this orcladmin user is different then we say couple of screens back. This orcladmin user is for OID, where as the previous orcladmin user was for OVD.

Next, On "Specify OIF Details" page, specify the PKCS12 password and the domain name for OIF as shown below

On rest of the screen, you can specify the default value and submit the installation. The installation will complete in approximately 45 mins. Once the installation and all configuration assistants completes successfully, you can login to weblogic console.

The default port for weblogic console is 7001. So the console URL becomes

http://<hostname>:7001/console

user name : Weblogic

password : As specified while installing WLS in step 3) Once you login, you will see the managed servers created for OID and OIF.

Email Notification in OIM

For setting email notifications for OIM, follow these steps.

1. To set up your email server.
a. Make sure that you have a parameter called Email Server with Keyword XL.MailServer in
Administration -> System Configuration tab in the Design Console.
b. Create an IT resource with following values:
Name : Email Server
Type : Mail Server
Authentication: False/True (as required. If set to true provide User Login, Password)
Server name: <server IP>

d. Select the Email Definition defined in step 2 above and assign it to the task.
e. Check for - Requester, User and User Manager and map the status to 'C'.
f. In the RESPONSE tab, Set the response as 'C' and set Status field as complete.
g. In the TASK TO OBJECT STATUS MAPPING, make the object status to provisioned.
h. In the Integration tab, add System adapter 'tcCompleteTask' and save.

4. Now provision a user with this resource object and check if email notification is triggered.

Setup of Email Notification for Oracle Identity Manager Users Created Via Reconciliation

This document provides instruction regarding how to setup a notification to send an email to an administrator when a user is added to Oracle Identity Manager via reconciliation with a trusted source.

Since the Xellerate User provisioning process is a system process, you are only allowed to modify Reconciliation Insert Received and Reconciliation Update Received. You are not allowed to setup email notifications for the tasks of Add, Delete, Enable, or Disable a user by modifying the Xellerate User provisioning process definition.

After completion of these steps an email notification will be sent to a recipient when an insert (create new user) or update reconciliation event is created by a scheduled task reconciling with a trusted source.

Solution

1. Ensure that the logging for the XELLERATE category is set to debug in the log4j.xml configuration file:
<category name="XELLERATE">
<priority value="DEBUG"/>
</category>

2. Check to see if there are any firewalls or routers between the OIM server and the smtp server. If any exist, ensure that they are setup to allow smtp traffic between the OIM server and the smtp server.

3. In the Design Console, ensure that you have a properly configured email server IT Resource with the same name as in the System Configuration:
a. Open the Administration - System Configuration form, perform a query for all objects, and look for the email server specification which has the keyword "XL.MailServer". The object name shown to the right is the IT Resource name that will be used to send email notifications.
b. Open Resource Management - IT Resources, perform a query, and locate the IT Resource with the name determined from the System Configuration. If none exists create one or modify the name of the existing email IT Resource if it has been created with a different name.
c. Check the IT Resource to verify that it has the correct information to connect to the smtp server.

4. Create an email template or use an existing one. The email templates are found in the Design Console under Process Management - Email Definition. Please refer to the "Oracle Identity Manager Design Console Guide" for more information on creating email templates and inserting dynamic variables such as the User Login from the Target: "User Profile Information".

5. In the Design Console add the email notification information in the Reconciliation Insert Received (or Reconciliation Update Received) process task for Xellerate User:
a. Open Process Management - Process Definition and query for "Xellerate User"
b. Double-click on the box to the left of the task "Reconciliation Insert Received" (or "Reconciliation Update Received").
c. In the pop-up window, click on the Assignment tab and configure to use the default rule, target type User, and set the "User" column to the login of the user who should receive the email notifications.
d. Click on the Notification tab and check the "Assignee" checkbox, set the status to "C" for Completed, and then set the Email column to the email template to send.

6. In the Administrative Console, verify that the sender specified in the email template has a valid email address. Also, verify that the recipient has a valid email address.

With the logging level for XELLERATE set to debug, you should see an entry in the log similar to the following but with the configuration information that you specify. This log will assist in troubleshooting any email connection, authentication, or other email processing errors. Note that this email IT Resource is configured for authentication to the smtp server.

Unable to Access User Profile Information with Approval Notification Email Definition

CONDITION

An email definition that is used to notify administrators / approvers of pending approval tasks has been created. The name of the user who made the request was not included in the notification email even though the <User Profile Information.First Name> tag was in the definition. It does not appear as though any of the variables for 'User Profile Information' are available. When setting the email definition as Provisioning Related, Request Related or General information, tags such as

<User Profile Information.First Name>

are not replaced with the appropriate First Name of the user in question.

It was expected that email would include the First Name of the user for this request replaced in for the <User Profile Information.First Name> tag.

For approval processes, as there can be more than one target user that the approval is for, the Oracle Identity Manager (OIM) server would not know which user to obtain the User Profile Information for and use it in the email notification.

How to Fix

As mentioned above, as a single approval can be for a set of users, OIM would not be able to know which user should be used in retrieving User Profile Information to be used in a notification email.

This type of dynamic substitution with User Profile Information is not supported for Approval notifications

How to Send an Email Notification Upon User Creation via the Admin Console

REQUIREMENT

It is desired to send a notification email to a user after an identity record is created in Oracle Identity Manager (OIM) via the Admin Console. Where does the the email template get attached to for this and how is that done so an OIM account holder gets the email notification?

A notification cannot be added to the Add User task in the Xellerate User provisioning process definition. But you can add a notification to the Reconciliation Insert Received Task as documented in that same Tech Note, for user accounts created via a trusted reconciliation.

If you want to send a notification for a user created via the Admin Console then you would need to employ a new task in the Xellerate User provisioning process instead. The steps below assume that the initial configuration of an email server and related steps required for making use of email notification have been completed already. For more info on those steps you may refer to Chapter 6 of the Design Console Guide for your version of OIM.

Open the "Xellerate User" provisioning process definition in the Design Console -> Process Management -> Process Definition.
Add a new task called "Notify" for example.
Check Required for Completion, Allow Cancel and optionally Disable Manual Insert.
In the Integration tab, add tcCompleteTask.
In the assignment tab, add an entry with the Default rule, target type of User, and for the User field pick an existing user with a valid email address in their User Profile.
In the Notification tab add an entry and check Assignee, have the Status field set to C and for the Email field pick a Provisioning type of Notification Template that you have already created
Make sure the other steps from the mentioned notes are completed for the IT Resource and email configuration.
Now create some new user and the email notification should be sent to the user from step 5.

Oracle® Identity Management Certification Information 10g (10.1.4.0.1)

How to Stop a Scheduled Task in OIM

OIM Scheduled Tasks must be written to recognize the stop execution method. Below is an example of how to accomplish this

Questions and Answers

Declare a boolean field (we will refer here it as "flag" from here onwards) in your schedule task code.
Implement the stop() method in your schedule task. This method is invoked whenever you select the "Stop Execution" option on a running schedule task and save the entry using the Task Scheduler form .
Try to set the flag(as defined in step 1) to a boolean value in this stop() method so that this flag's value can be used in the main execute() method to control and stop execution of the running of execute method where you will iteratively process records obtained on search on the target from which you are reconciling.
Put an implementation in your schedule task source code based on logic mentioned in the sample code given below to implement stop() method:

import com.thortech.xl.scheduler.tasks.SchedulerBaseTask;
import java.io.PrintStream;

public class SampleSchTaskWithStopMethod extends SchedulerBaseTask
{
public boolean stopped = false;

public SampleSchTaskWithStopMethod()
{
...
}

public void execute()
{

/*You should add a Check in this method for checking the flag's(which is being set in stop method)

value in the specific loop where you iteratively try to process all records obtained from target from which you are reconciling */

for (i=0;i<NumberOfRecordsRetrievedOnSearch;!flag)

{
//Process all records found on search on target
}

if(flag)
System.out.println("Reconciliation Stopped.\n");
else
System.out.println("Reconciliation Finished.\n");
}

public boolean stop()
{
flag = true;
return stopped;
}

}

Refer to below mentioned example to see a sample implementation:
import com.thortech.xl.scheduler.tasks.SchedulerBaseTask;
import java.io.PrintStream;

public class SampleImplementation extends SchedulerBaseTask
{

//This is the flag which we will use in stop method
public boolean stopped = false;

public SampleImplementation()
{
...
...
}

public void execute()
{
String eCount = getAttribute("count");
int count = 30;
if(eCount != null)
count = Integer.parseInt(eCount);
boolean checkInterrupt = true;
String eCheckInterrupt = getAttribute("stoppable");
if(eCheckInterrupt != null)
checkInterrupt = Boolean.valueOf(eCheckInterrupt).booleanValue();

//This is the loop where we check for the flag's value and iteratively try to process all records obtained on search from the target from which we want to reconcile

for(int i = 0; i < count && (!eCheckInterrupt || eCheckInterrupt && !stopped); i++)
{
//Here you process all records obtained from target
System.out.println("Iteration :" + i);
try
{
Thread.sleep(2000L);
}
catch(InterruptedException interruptedexception) { }
}

if(stopped)
System.out.println("Stopped.\n");
else
System.out.println("Done.");

}

public boolean stop()
{
//here we set the flag value to "true"

stopped = true;
return stopped;
}

}

Compile the schedule task code, create a jar file and put it in "ScheduleTask" folder of OIM Server to run the schedule task. Run the schedule task and while it is running please select the "Stop Execution" option at Task Scheduler form and save it to stop the running schedule task. It should stop the running schedule task instance.

Unable to Access Xellerate Application Because of "Error While Expanding Nexweb.war" After OIM Install…

The Xellerate Application won't come up after the the install.

Steps To Reproduce:

For example: On Windows 2003, install OIM version on Jboss application server and point it to an existing database instance used previously by same version of OIM. The installation will fail with the following error in the setup-jboss.profile.log

The installation failed because of
file:C:/oracle/xellerate/setup/jboss-setup.xml:273: Error while expanding
C:\oracle\xellerate\webapp\Nexaweb.war
at org.apache.tools.ant.taskdefs.Expand.expandFile(Expand.java:164)
at org.apache.tools.ant.taskdefs.Expand.execute(Expand.java:127)
at org.apache.tools.ant.Task.perform(Task.java:341)

Cause

OIM installer zip file which was copied and extracted was corrupt since the error indicates that there is a problem in expanding/unzipping the nexaweb.war file during the install.

Solution

To implement the solution, please execute the following steps:

Try installing OIM by recopying and extracting the existing installer zip file on a certified environment.
If it doesn't work, download the OIM installer again from the OTN website and then try a new install.

NOTE: Installing OIM on VMware images is not supported, tested, and certified.

Can The Entire 'Help' Menu Groups be Removed in OIM?

'Help' menu items are basically hard-coded in the source code and this can not be removed completely. You can however remove its pointed URL.

Please follow the below steps .

You need to modify two files to achieve this.

1)xlDefaultAdmin.properties(((<jboss-4.0.3SP1>\server\default\deploy\XellerateFull.ear\xlWebAp
p.war\WEB-INF\classes)
2)strusts-config.xml((<jboss-4.0.3SP1>\server\default\deploy\XellerateFull.ear\xlWebApp.war\WE
B-INF)

Please followthe below steps.

1)Open xlDefaultAdmin.properties,search help and comment all as below by this modification help
menu will be there but you won't be get help page by clicking.

#help=images/help.gif
#menuItem.Help.User-Guide.link=userguide/index.htm

2) Open strusts-config.xml file,remove path of JSPs and modify as below:
====

<action name="registrationHelpPageForm"
type="com.thortech.xl.webclient.actions.RegistrationHelpPageAction"
validate="false"
input="/tjspIndex.jsp"
scope="request"
path="/registrationHelp"
parameter="method">

<forward name="displayRegistrationHelpPage" path="" />
<forward name="displayLoginHelpPage" path="" />

</action>

=====

3)Restart your Apllication server and check the result.

How to Stop Schedule Tasks

How can a running scheduled task be stopped?

To get the stop mechanism to work for a schedule task, the Schedule Task process must be implemented to periodically check for the stop flag and respond to it. Since killing threads is not a good idea, stop schedule task is only a request to stop the task. Schedule tasks can only be stopped if they are written to honor stop requests.

This can be done in two ways:
• ScheduleTask can implement the stop( ) method. This returns a boolean value (true/false) to be compatible with 7.2.x, but the return value doesn't mean or represent anything.
• ScheduleTask can call isStopped() method to find out, if a stop request is pending.

How stop works:

To stop a schedule task, select the 'Stop Execution' check box and click on save.

The Task Bean (tcTSK) will detect that the save is to stop the task, by looking at the value of the check box. TSK bean locates the Scheduler Controller and issues a stop request. After the stop request is successfully issued, it disables the task, and clears the 'Stop Execution' check box.

When the Scheduler Controller receives the stop notification, it looks in the local tasks directory to see if the scheduler on this machine is running the task. If so, it sets the stopPending flag for the task and calls the stop( ) method in the scheduler.

If Schedule Task is not executing in the local machine, it sends a group notification to all the schedulers to stop the schedule task. Each Scheduler looks at the local active task list and stops the task if it is running the task. Otherwise they will ignore the message.

Group Notification:

All schedulers join a MultiCast group on the startup. The Group name is alwaus "ScheduleTasks", and they discover each other using the multicast-IP configured in xlconfig.xml file.

<Scheduler>
<MultiCastAddress>999.999.999.999</MultiCastAddress>

Use this setting to define the same multicast address for all machines running scheduler.

We are using JavaGroups API to join the cluster. JavaGroups will also take care of removing the group members as they are stopped.