Tuesday, 3 May 2016

Two-way SSL for SOA in OIM 11gR2PS3

Use Case

The Web Service connector provisions accounts to a web service that requires two-way SSL. The SOA composite that the connector calls must therefore present a client certificate, and the WebLogic server hosting the web service must be configured to request and enforce it.

Prerequisite

1. A WebLogic Server on which the target web service is running
2. The web service is the target system and requires two-way SSL
3. The Web Service connector is installed
4. An OIM instance

Provision Account to User (before SSL, to confirm the connector works)

Log in to the OIM instance
Click on Users -> Search -> DENNIS

Click on Submit
The account should be provisioned

The WSDL URL of the web service on the WebLogic server must be accessible; this is the target WSDL URL that the Web Service connector (through its SOA composite) calls.


Creating Custom Certificates for the WebLogic Server

Create the folder D:\ServerCerts and change into it.

Run setDomainEnv.cmd from D:\Jdeveloper\user_projects\domains\Domain\bin so that the WebLogic utils classes are on the classpath.

Run the command to generate the server certificate and private key (the -keyfilepass value encrypts ServerKey.pem and must be given again to ImportPrivateKey below):
java utils.CertGen -certfile ServerCert -keyfile ServerKey -keyfilepass Welcome1

Copy CertGenCA.der from D:\Jdeveloper\wlserver_10.3\server\lib into the new ServerCerts directory.

Convert the CA certificate to PEM and build the chain file (server certificate first, then the CA that issued it):
java utils.der2pem CertGenCA.der
type ServerCert.pem CertGenCA.pem > myCert.pem

Import the chain and the private key into a new identity keystore:
java utils.ImportPrivateKey -keystore ServerIdentity.jks -storepass Welcome1 -storetype JKS -keypass Welcome1 -alias mykey -certfile myCert.pem -keyfile ServerKey.pem -keyfilepass Welcome1

Copy DemoTrust.jks into ServerCerts to use as the trust store:
copy D:\Jdeveloper\wlserver_10.3\server\lib\DemoTrust.jks D:\ServerCerts

Contents of ServerCerts: ServerCert.pem, ServerCert.der, ServerKey.pem, ServerKey.der, CertGenCA.der, CertGenCA.pem, myCert.pem, ServerIdentity.jks, DemoTrust.jks

Note: CertGen signs with the WebLogic demonstration CA (CertGenCA). Its private key, CertGenCAKey.der, ships in the same lib directory of every WebLogic installation, so anyone with WebLogic can mint a certificate that DemoTrust.jks trusts. This is fine for a lab; in production issue the server and client certificates from your own CA and use a dedicated trust store that does not contain CertGenCA.


Now start the WebLogic server and log in to the Admin Console.

Two-Way SSL Configuration for the WebLogic Server

Log in to the WebLogic Admin Console
Click on Environment -> Servers and select the server that hosts the web service

Select the check box SSL Listen Port Enabled
Click on Save
Click on the Keystores tab

Configuration for Custom Keystore

Click on Change

Select Custom Identity and Custom Trust
Click on Save

Now fill in the details of the custom certificates and keystore
Custom Identity Keystore: D:\ServerCerts\ServerIdentity.jks
Custom Identity Keystore Type: jks
Custom Identity Keystore Passphrase: Welcome1
Custom Trust Keystore: D:\ServerCerts\DemoTrust.jks
Custom Trust Keystore Type: jks
Custom Trust Keystore Passphrase: leave blank (DemoTrust.jks can be opened without one; its passphrase is DemoTrustKeyStorePassPhrase if you want to set it)

Click on Save
Click on the SSL tab

Click on Change next to Identity and Trust Locations
Select Keystores and click on Save

Private Key Alias: mykey
Private Key Passphrase: Welcome1
Click on Save

Click on Advanced
Hostname Verification: None. This disables the host-name check for SSL connections this server makes; it is acceptable in a lab where the CertGen certificates may not carry the real host name, but keep the default BEA Hostname Verifier in production with certificates whose CN matches the host.
Two Way Client Cert Behavior: Client Certs Requested And Enforced. With this setting the TLS handshake is refused when the client does not present a certificate that chains to a CA in the trust keystore (here DemoTrust.jks).

Click on Save
Open Firefox and enter the WSDL URL of your web service (this is the target WSDL URL):
https://<HOST>:<PORT>/services/SunIDMProvisioningService?WSDL
Because client certificates are now enforced, a browser that holds no suitable client certificate is refused at the TLS handshake; that refusal is the expected sign that enforcement is active.


SOA SCA Deployment for the SSL WSDL

1] After enabling two-way SSL on the WebLogic server, modify the SOA composite so that its reference points to https://<HOST>:<PORT>/services/SunIDMProvisioningService?WSDL
2] Deploy the SOA composite to the OIM instance
3] Modify the IT resource so that it points to the new SOA composite

After step 2] (deployment of the SOA composite):

Log in to Enterprise Manager of the SOA server
Click on your SOA composite
Copy the composite's endpoint WSDL URL

Log in to the OIM System Administration console (sysadmin)
Click on IT Resource
Edit the IT resource related to the application instance
Paste the SOA composite WSDL URL into the soaServiceWSDL parameter

Creating the Certificate for SOA (Client)

Create the directory ClientSOACerts under D:\ServerCerts and change into it (the commands below expect CertGenCA.pem one level up).

Run Command:
java utils.CertGen -certfile ClientCert -keyfile ClientKey -keyfilepass Welcome1

Run Command (client certificate first, then the CA that issued it):
type ClientCert.pem ..\CertGenCA.pem > SoaCert.pem

Run Command:
java utils.ImportPrivateKey -keystore ClientIdentity.jks -storepass Welcome1 -storetype JKS -keypass Welcome1 -alias mykey -certfile SoaCert.pem -keyfile ClientKey.pem -keyfilepass Welcome1

Contents of the directory: ClientCert.pem, ClientCert.der, ClientKey.pem, ClientKey.der, SoaCert.pem, ClientIdentity.jks

The WebLogic server accepts this client certificate because it chains to CertGenCA, which is present in the DemoTrust.jks configured as the server's trust keystore.
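Before pointing SOA at the endpoint it is worth proving, from the SOA host, that ClientIdentity.jks actually works and that the server really refuses a connection that carries no client certificate. The check below is an added example written for this page; it is not part of the original post nor an Oracle tool. The WSDL URL, the keystore paths and the Welcome1 passwords are the values assumed in this lab. It opens the WSDL URL twice, once presenting the identity keystore and once with no client key, and expects HTTP 200 for the first and a rejected handshake for the second.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.SocketException;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example (not from the original post): verifies two-way SSL enforcement.
 *
 * Usage (paths, URL and passwords are lab assumptions):
 *   java TwoWaySslCheck https://HOST:PORT/services/SunIDMProvisioningService?WSDL
 *        D:\ServerCerts\ClientSOACerts\ClientIdentity.jks Welcome1 D:\ServerCerts\DemoTrust.jks
 */
public class TwoWaySslCheck {

    /** Loads a JKS keystore; pass may be null for a trust store that only holds certificates. */
    static KeyStore load(String path, char[] pass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, pass);
        } finally {
            in.close();
        }
        return ks;
    }

    /** Builds an SSLContext that trusts the given store and, if identity is not null, presents it. */
    static SSLContext context(KeyStore trust, KeyStore identity, char[] keyPass) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        KeyManager[] kms = null;
        if (identity != null) {
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(identity, keyPass);
            kms = kmf.getKeyManagers();
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kms, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Returns the HTTP status of a GET on the WSDL, or -1 when the server rejects the TLS handshake. */
    static int fetch(String wsdlUrl, SSLContext ctx) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(wsdlUrl).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setRequestMethod("GET");
        try {
            return conn.getResponseCode();
        } catch (SSLException | SocketException e) {
            // "Requested And Enforced" shows up as a handshake_failure alert or a reset connection
            System.out.println("  handshake rejected: " + e.getMessage());
            return -1;
        } finally {
            conn.disconnect();
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 4) {
            System.err.println("usage: TwoWaySslCheck <wsdl-url> <identity.jks> <identity-pass> <trust.jks> [trust-pass]");
            System.exit(2);
        }
        String wsdl = args[0];
        char[] identityPass = args[2].toCharArray();
        KeyStore identity = load(args[1], identityPass);
        KeyStore trust = load(args[3], args.length > 4 ? args[4].toCharArray() : null);

        System.out.println("With client certificate (" + args[1] + "):");
        int withCert = fetch(wsdl, context(trust, identity, identityPass));
        System.out.println("  HTTP " + withCert);

        System.out.println("Without client certificate:");
        int noCert = fetch(wsdl, context(trust, null, null));
        System.out.println("  HTTP " + noCert);

        boolean enforced = withCert == 200 && noCert == -1;
        System.out.println(enforced ? "Two-way SSL is enforced." : "Two-way SSL is NOT enforced as expected.");
        System.exit(enforced ? 0 : 1);
    }
}
```

Run it on the SOA host with the copied ClientIdentity.jks. If the first attempt fails with a host-name error, the CN of the CertGen certificate does not match the host in the URL; regenerate the server certificate with CertGen's -cn option rather than disabling verification in the client. If both attempts return 200, the server is not enforcing client certificates: check Two Way Client Cert Behavior and that the URL uses the SSL listen port.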

Configuration For SOA Server

Log in to the SOA server host and go to the domain directory:
cd /home/oracle/Oracle/Middleware/user_projects/domains/base_domain
Create the directory SSL_ptd10820:
mkdir SSL_ptd10820

Copy D:\ServerCerts\ClientSOACerts\ClientIdentity.jks into /home/oracle/Oracle/Middleware/user_projects/domains/base_domain/SSL_ptd10820

Configure the keystore path for the SOA server
Log in to the EM console of the OIM instance
User Name: weblogic
Password: Welcome1

Select SOA -> soa-infra -> SOA Administration -> Common Properties

Click "More SOA Infra Advanced Infrastructure Configuration Properties"

Click on KeystoreLocation

Click on Use Multiple Line Editor

Enter the path /home/oracle/Oracle/Middleware/user_projects/domains/base_domain/SSL_ptd10820/ClientIdentity.jks



Click on Apply

Click on Return

Click on Apply

Click on WebLogic Domain in the left pane

Right-click on base_domain

Go to Security -> Credentials

Click on Create Map

Enter the Map Name SOA

Select that map and click on Create Key

Fill in the details as below

Key: KeystorePassword

User Name: KeystorePassword

Password: Welcome1

Note: this is the password of the keystore ClientIdentity.jks configured above. The map name SOA and the key name KeystorePassword are the fixed names soa-infra reads to open the keystore given in KeystoreLocation; any other names are silently ignored.

SOA must also trust the WebLogic server's certificate. This works here without further steps because the server certificate chains to CertGenCA and the SOA server's own trust store is still DemoTrust.jks; outside a lab, import your real CA into the SOA server's trust keystore instead.

Click on OK

Restart the SOA server

Test

1] Provision the application instance account to a user.
2] The provisioning operation should be successful.

Monday, 2 May 2016

OIM Connector Configuration for Online/Offline Mode


What is Online/Offline Connector mode?

Online Connector Mode
When the connector is configured in online mode it makes the changes on the actual target system for the Create, Update and Delete operations.

Offline Connector Mode
When the connector is configured in offline mode it does not make any change on the actual target system for the Create, Update and Delete operations; it only returns success for the operation.

Use Case

Connector related operations
           When we install a connector on OIM we have to do many configurations related to the connector and then sanity-test them:
                      Create, Update, Delete and Recon operations
                      Approval processes related to the different operations
                      Email notifications
                      Access policy rules

Migrating the connector to another environment
When we migrate the connector to a Test or Prod environment we can configure it in OFFLINE mode and test all the other configurations (approvals, notifications, access policies) without touching the target system.
We can change the connector to ONLINE mode after testing all configurations.
Note: in offline mode OIM still records the account as provisioned although nothing was created on the target, so switch back to online before real users are provisioned, and restrict who can edit the mode lookup, because flipping it silently disables provisioning.

Approach

        Add a custom adapter which takes the same input parameters as the connector's original task
        Add a lookup which holds the connector mode per IT resource
        The custom adapter reads the lookup and gets the connector mode value
        If it is offline, return success without calling the connector
        If it is online, call the original method (ICProvisioningManager.createObject)

Diagram


Adapter Code

package com.psl;

import Thor.API.Exceptions.tcAPIException;
import Thor.API.Exceptions.tcColumnNotFoundException;
import Thor.API.Exceptions.tcInvalidLookupException;
import Thor.API.Operations.tcLookupOperationsIntf;
import Thor.API.tcResultSet;

import com.thortech.xl.dataaccess.tcDataProvider;
import oracle.iam.connectors.icfcommon.prov.ICProvisioningManager;
import oracle.iam.platform.Platform;

/**
 * Wrapper around the ICF create task. The mode for the IT resource field is read
 * from Lookup.psl.connector.mode (Code Key = IT resource field name, Decode = online|offline).
 * Offline returns SUCCESS without touching the target; online delegates to
 * ICProvisioningManager.createObject exactly as the original task does.
 */
public class CustomAdapter 
{
    private static final String MODE_LOOKUP = "Lookup.psl.connector.mode";
    private static final String CODE_KEY    = "Lookup Definition.Lookup Code Information.Code Key";
    private static final String DECODE      = "Lookup Definition.Lookup Code Information.Decode";

    public CustomAdapter() {
    }

    /**
     * Same parameters as the original ICF create adapter:
     *   szItResourceFieldName  process form field holding the IT resource, e.g. UD_UNIX_ITRESOURCE
     *   szObjectType           ICF object type, e.g. User
     *   lProcessInstanceKey    process instance key
     *   otcDataProvider        data provider supplied by the adapter framework
     */
    public String pslCreateUnixUser(String szItResourceFieldName, String szObjectType,
                                    long lProcessInstanceKey, tcDataProvider otcDataProvider)
    {
        String szReturnValue = null;
        // default: an IT resource with no lookup entry (or an unreadable lookup) runs online
        String szMode = "online";

        System.out.println("[OnlineOfflineConnector] Start : Input Params");
        System.out.println("[OnlineOfflineConnector] [szItResourceFieldName : " + szItResourceFieldName
                + " szObjectType " + szObjectType + " lProcessInstanceKey " + lProcessInstanceKey
                + " otcDataProvider " + otcDataProvider + "]");
        System.out.println("[OnlineOfflineConnector] Start : Read Lookup . . . . .");

        tcLookupOperationsIntf otcLookupOperationsIntf = Platform.getService(tcLookupOperationsIntf.class);
        try 
        {
            tcResultSet otcResultSet = otcLookupOperationsIntf.getLookupValues(MODE_LOOKUP);
            for (int i = 0; i < otcResultSet.getRowCount(); i++) 
            {
                otcResultSet.goToRow(i);
                String szCodeKey = otcResultSet.getStringValue(CODE_KEY);
                String szMeaningValue = otcResultSet.getStringValue(DECODE);
                // the row whose Code Key is this IT resource field decides the mode
                if (szItResourceFieldName.compareToIgnoreCase(szCodeKey) == 0)
                {
                    szMode = szMeaningValue;
                    System.out.println("[OnlineOfflineConnector] Connector Mode is " + szMode);
                    break;
                }
            }
        }
        catch (tcColumnNotFoundException e) 
        {
            System.out.println("[OnlineOfflineConnector] Exception occurred " + e.getMessage());
        }
        catch (tcAPIException e) 
        {
            System.out.println("[OnlineOfflineConnector] Exception occurred " + e.getMessage());
        }
        catch (tcInvalidLookupException e) 
        {
            System.out.println("[OnlineOfflineConnector] Exception occurred " + e.getMessage());
        }

        if (szMode.compareToIgnoreCase("offline") == 0)
        {
            // offline: report success to the process task without calling the connector
            System.out.println("[OnlineOfflineConnector] Connector is configured in offline mode, hence return SUCCESS");
            szReturnValue = "SUCCESS";
        }
        else
        {
            // online: behave exactly like the original ICF create task
            System.out.println("[OnlineOfflineConnector] Connector is configured in online mode");
            ICProvisioningManager oICProvisioningManager =
                new ICProvisioningManager(szItResourceFieldName, lProcessInstanceKey, otcDataProvider);
            System.out.println("[OnlineOfflineConnector] Before calling createObject(" + szObjectType + ")");
            szReturnValue = oICProvisioningManager.createObject(szObjectType);
            System.out.println("[OnlineOfflineConnector] Return Value : [" + szReturnValue + "]");
            System.out.println("[OnlineOfflineConnector] End");
        }

        return szReturnValue;
    }
}

Create Lookup

      Lookup.psl.connector.mode
      Code Key: the IT resource field name passed to the adapter (for example UD_UNIX_ITRESOURCE)
      Decode: online or offline
      An IT resource with no entry is treated as online by the adapter.

Create Adapter

Create the adapter in the Design Console for the CustomAdapter class (package com.psl) with the four parameters the method takes.

Attach the adapter to the create process task of the Unix and DBAT connectors in place of the original ICF adapter.
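The mode lookup is the switch for the whole mechanism, so a scripted way to review and flip it is safer than editing it by hand before and after go-live. The tool below is an added example written for this page, not part of the original post: it connects through the OIM client API and either lists every Code Key/Decode pair of Lookup.psl.connector.mode or sets one IT resource's mode, and exits non-zero while any connector is still offline so a go-live checklist can catch it. The OIM URL t3://oimhost:14000, the xelsysadm account, the Welcome1 fallback password and the authwl.conf path are assumptions; the lookup name and column names are the ones the adapter above uses.

```java
import java.util.Hashtable;
import java.util.LinkedHashMap;
import java.util.Map;

import Thor.API.Operations.tcLookupOperationsIntf;
import Thor.API.tcResultSet;
import oracle.iam.platform.OIMClient;

/**
 * Added example (not from the original post): reviews or switches the per-connector
 * mode held in Lookup.psl.connector.mode (Code Key = IT resource field, Decode = online|offline).
 *
 *   java ConnectorModeTool list
 *   java ConnectorModeTool set UD_UNIX_ITRESOURCE online
 */
public class ConnectorModeTool {
    static final String LOOKUP   = "Lookup.psl.connector.mode";
    static final String CODE_KEY = "Lookup Definition.Lookup Code Information.Code Key";
    static final String DECODE   = "Lookup Definition.Lookup Code Information.Decode";

    // assumed lab values: OIM t3 URL and the administrator account
    static final String OIM_URL  = "t3://oimhost:14000";
    static final String OIM_USER = "xelsysadm";

    static OIMClient connect(String url, String user, char[] password) throws Exception {
        // authwl.conf (from the OIM client package; path assumed) and APPSERVER_TYPE are required by OIMClient
        System.setProperty("java.security.auth.login.config", "authwl.conf");
        System.setProperty("APPSERVER_TYPE", "wls");
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(OIMClient.JAVA_NAMING_FACTORY_INITIAL, "weblogic.jndi.WLInitialContextFactory");
        env.put(OIMClient.JAVA_NAMING_PROVIDER_URL, url);
        OIMClient client = new OIMClient(env);
        client.login(user, password);
        return client;
    }

    /** Reads every Code Key -> Decode pair of the mode lookup. */
    static Map<String, String> readModes(tcLookupOperationsIntf lookups) throws Exception {
        Map<String, String> modes = new LinkedHashMap<String, String>();
        tcResultSet rs = lookups.getLookupValues(LOOKUP);
        for (int i = 0; i < rs.getRowCount(); i++) {
            rs.goToRow(i);
            modes.put(rs.getStringValue(CODE_KEY), rs.getStringValue(DECODE));
        }
        return modes;
    }

    /** Sets one IT resource's mode; anything but online/offline is refused before OIM is touched. */
    static void setMode(tcLookupOperationsIntf lookups, String itResourceField, String mode) throws Exception {
        if (!"online".equals(mode) && !"offline".equals(mode)) {
            throw new IllegalArgumentException("mode must be online or offline, got: " + mode);
        }
        // replace the existing row (remove, then add) so a stale decode cannot survive
        if (readModes(lookups).containsKey(itResourceField)) {
            lookups.removeLookupValue(LOOKUP, itResourceField);
        }
        lookups.addLookupValue(LOOKUP, itResourceField, mode, "en", "US");
    }

    public static void main(String[] args) throws Exception {
        char[] password = System.console() != null
                ? System.console().readPassword("Password for %s: ", OIM_USER)
                : "Welcome1".toCharArray();   // assumed lab password when no console is attached
        OIMClient client = connect(OIM_URL, OIM_USER, password);
        int exit;
        try {
            tcLookupOperationsIntf lookups = client.getService(tcLookupOperationsIntf.class);
            if (args.length == 3 && "set".equals(args[0])) {
                setMode(lookups, args[1], args[2]);
            }
            Map<String, String> modes = readModes(lookups);
            if (modes.isEmpty()) {
                System.out.println("lookup is empty: every connector runs online (adapter default)");
            }
            for (Map.Entry<String, String> e : modes.entrySet()) {
                System.out.println(e.getKey() + " = " + e.getValue());
            }
            // non-zero while any connector is still offline, so a go-live check can fail on it
            exit = modes.containsValue("offline") ? 2 : 0;
        } finally {
            client.logout();   // System.exit would skip this block, so it is called afterwards
        }
        System.exit(exit);
    }
}
```

The lookup must already exist (the Create Lookup step above); addLookupValue only adds rows to it. Run the tool with the OIM client jars and authwl.conf on the classpath, under an account that is allowed to edit lookups, which should be a small set of administrators for exactly the reason given in the Use Case note.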