
Tuesday 30 June 2015

Lab4 :: OIM Integration with Active Directory


1. Install Active Directory (DCPROMO)
   Configure the DNS server, add the Active Directory Domain Services role,
   install Active Directory Domain Services (DCPROMO)

2. Install the Connector Server and restart its service

3. Copy the AD connector bundle to the default connector directory in OIM; if needed, change the port number (default : 8759) and add the switches

4. Install the AD connector using Manage Connector in the sysadmin console

5. Create the IT Resource

6. Create a sandbox and activate it; create the Application Instance and its form

7. Run the Catalog Synchronization scheduled job

8. Provision a user to AD

Select the user in OIM --> Accounts --> Request Accounts --> Catalog --> AD Application Instance --> Add to cart --> Check out --> load the Org --> User Accounts --> Refresh ... (Status :: Provisioned)


9. Reconciliation from AD to OIM



Trusted User Recon from Target Resource AD to OIM :-
========================================================

Before running Trusted Recon we need to make sure that the IT Resource has the following configuration lookup:

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+     Lookup.Configuration.ActiveDirectory.Trusted         +
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Run Scheduler

Note :: Trusted reconciliation is used for the initial load into OIM (organizations, groups, users and so on).


Target User Recon from Target Resource AD to OIM :-
=======================================================

Before running Target Recon we need to make sure that the IT Resource has the following configuration lookup:


++++++++++++++++++++++++++++++++++++++
+Lookup.Configuration.ActiveDirectory+
++++++++++++++++++++++++++++++++++++++

Run Scheduler


Note :: Target reconciliation is used when the user already exists in OIM or has already been provisioned. In that case the user's updates are visible only in the Process form, not in the Object form.



------------------------------------------------------------

1. Install Windows Server 2008 R2

2. Configure the Domain Controller (DCPROMO)

3. Set a static IP address

4. Disable the firewall

5. Download and install the Connector Server

6. Download the Active Directory connector

7. Copy the files from AD --> ad --> bundle

8. Paste them into the installed Connector Server directory: IdentityConnector --> ConnectorServer --> (paste)

9. Stop the Connector Server service

10. Edit ConnectorServer.exe.config and add the following trace switch (level 4 = verbose logging):

    <switches>
      <add name="ActiveDirectorySwitch" value="4" />
    </switches>

11. Save it

12. Start the Connector Server service

13. Copy the AD (parent folder) --> AD (child folder)

14. Paste them into c:\oracle\Middleware\Oracle_IDM1\server\DefaultConnector (paste the AD child folder here)

15. Go to the sysadmin console

16. Select Manage Connector --> Install --> select the AD child folder --> click Load --> Next --> Next --> Finish

17. Now edit the OUs, groups and users in "Active Directory Users and Computers"

18. Now reconcile DC --> OU --> Groups --> Users (Trusted)

How to recon
------------
Run the schedulers (AD Organization Lookup Recon, Groups, Users) from the SYSADMIN console

19. Provision the organizations, groups and users to the target system

How to provision
----------------

1. Go to the Sysadmin console

2. Create a sandbox and activate it

3. When we create a new Application Instance --> run the Catalog Synchronization Job scheduler

4. When we use an already created Application Instance there is no need to run the Catalog Synchronization Job scheduler

5. Create the form for the Application Instance

6. Now export the sandbox for safety

7. Now publish the sandbox

8. Next go to the Self Service console

9. Use existing or newly created groups and users

10. Select or create a user -> then Request Accounts --> go to the catalog --> select the Application Instance --> Add to cart --> Check out --> choose our org (destination) and Ready to Submit --> Submit

11. Now close the catalog

12. Click Accounts --> Refresh

13. The result is now Provisioned

14. If provisioning fails, no need to worry --> check the error --> see your IT Resource fields

15. Okay

16. Automatic provisioning (through Access Policies)
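Two pre-flight checks for the procedure above, added here as an example (this is not part of the original lab notes and not Oracle code): the IT Resource's Configuration Lookup must match the reconciliation mode about to be run (Lookup.Configuration.ActiveDirectory.Trusted for trusted, Lookup.Configuration.ActiveDirectory for target), and ConnectorServer.exe.config must carry the ActiveDirectorySwitch entry from step 10 plus the listener port the notes mention, with SSL turned on between OIM and the Connector Server. The sample IT Resource parameters and the sample config XML are constructed; the parameter names Connector Server Name, DomainName and LDAPHostName and the appSettings keys connectorserver.port / connectorserver.usessl are assumptions to verify against your connector and Connector Server versions.

```python
"""Pre-flight checks for the OIM / Active Directory connector lab.

Added example: not part of the original notes and not Oracle code. The
sample IT Resource parameters and the sample ConnectorServer.exe.config are
constructed for this example. The parameter names other than
"Configuration Lookup" and the appSettings keys connectorserver.port /
connectorserver.usessl are assumptions to check against your versions.
"""
import xml.etree.ElementTree as ET

# Lookup names from the lab notes: the one set on the IT Resource decides
# whether a reconciliation run is trusted (initial load, creates OIM users)
# or target (updates accounts of users already in OIM).
RECON_LOOKUPS = {
    "Lookup.Configuration.ActiveDirectory.Trusted": "trusted",
    "Lookup.Configuration.ActiveDirectory": "target",
}

# Constructed sample; in a real run these values come from the IT Resource
# page in the sysadmin console or a Deployment Manager export.
SAMPLE_IT_RESOURCE = {
    "Configuration Lookup": "Lookup.Configuration.ActiveDirectory",
    "Connector Server Name": "AD Connector Server",   # assumed parameter name
    "DomainName": "lab.example",                      # assumed parameter name
    "LDAPHostName": "",                               # assumed parameter name
}

# Constructed sample of the parts of ConnectorServer.exe.config the checks read.
SAMPLE_CONFIG = """<configuration>
  <appSettings>
    <add key="connectorserver.port" value="8759" />
    <add key="connectorserver.usessl" value="false" />
  </appSettings>
  <system.diagnostics>
    <switches>
      <add name="ActiveDirectorySwitch" value="4" />
    </switches>
  </system.diagnostics>
</configuration>
"""


def recon_mode(it_resource):
    """Return 'trusted', 'target' or None from the IT Resource parameters."""
    lookup = it_resource.get("Configuration Lookup", "").strip()
    return RECON_LOOKUPS.get(lookup)


def check_it_resource(it_resource, intended_mode):
    """Findings to fix before running the recon scheduler; [] means go ahead."""
    findings = []
    actual = recon_mode(it_resource)
    if actual is None:
        findings.append("Configuration Lookup is missing or not an AD connector lookup")
    elif actual != intended_mode:
        findings.append(
            f"Configuration Lookup selects {actual} recon but {intended_mode} recon was requested"
        )
    # Empty connection parameters surface later as hard-to-read recon failures.
    for key in ("Connector Server Name", "DomainName", "LDAPHostName"):
        if not it_resource.get(key):
            findings.append(f"IT Resource parameter {key!r} is empty")
    return findings


def check_connector_server_config(config_xml, expected_port=8759):
    """Findings about the trace switch, listener port and SSL flag in
    ConnectorServer.exe.config; [] means the file matches expectations."""
    findings = []
    root = ET.fromstring(config_xml)

    switch = None
    for switches in root.iter("switches"):
        for add in switches.findall("add"):
            if add.get("name") == "ActiveDirectorySwitch":
                switch = add
    if switch is None:
        findings.append("ActiveDirectorySwitch trace switch is not configured")
    elif switch.get("value") != "4":
        findings.append(f"ActiveDirectorySwitch is {switch.get('value')!r}, the notes expect 4")

    app = root.find("appSettings")
    settings = {a.get("key"): a.get("value") for a in app.findall("add")} if app is not None else {}
    port = settings.get("connectorserver.port")
    if port != str(expected_port):
        findings.append(f"connectorserver.port is {port!r}, the IT Resource expects {expected_port}")
    if (settings.get("connectorserver.usessl") or "").lower() != "true":
        findings.append("connectorserver.usessl is not true: OIM to Connector Server traffic is unencrypted")
    return findings


if __name__ == "__main__":
    for mode in ("trusted", "target"):
        print(f"{mode} recon:", check_it_resource(SAMPLE_IT_RESOURCE, mode) or "ok")
    print("connector server:", check_connector_server_config(SAMPLE_CONFIG) or "ok")
```

Run it before each recon scheduler run: with the constructed sample, a trusted run is flagged because the IT Resource still points at the target lookup, and the Connector Server is flagged because usessl is false.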



- By Lakshmi Prasada Reddy Nandyala | nandyala@lakshmiprasad.co.in || Contact :: 9490059784

Lab3 :: Oracle Identity Self-Service Console

user Id : xelsysadm  Password : Lucky1234


Forgot User Login, Forgot Password, New User Registration, Track my Registration

Home, Inbox,

My Profile(My-information, My Access),

Request (Catalog, Track request, Pending Attestations),

Certifications (Dashboard)

Administration (users, Roles, Role Categories, Organizations, Attestation Dashboard, Open Tasks)

Accessibility, Sandboxes, Customize, Help, Sign-Out


Design Console :-

User Management     - Organizational Defaults, Policy History, Roles

Resource Management - IT Resources Type definition, Rule Designer, Resource Objects

Process Management  - Email Definitions, Process Definitions

Administration      - Lookup Definitions, user Defined field definitions, Remote Manager

Development Tools   - Adapter Factory, Adapter Manager, Form Designer, Error Message Definitions, Reconciliation Rules

Business Rule Definitions - Event Handler Manager, Data Object Manager


Lab2 :: Oracle Identity Manager ( OIM ) Sysadmin Console Overview

user Id : xelsysadm
Password : Lucky1234


SYSADMIN Console :-

EVENT MANAGEMENT - Reconciliation

Certifications - Certification Configuration, Certification definitions, Event Listeners, Risk Configurations

POLICIES - Approval Policies, Access Policies, Attestation Configuration, Password Policy

CONFIGURATIONS - Form Designer, IT Resource, Generic Connector, Application Instances, Lookups

SYSTEM MANAGEMENT - Scheduler, Notification, System Configuration, Manage Connector, Import, Export

UPGRADE

EVENT MANAGEMENT - Reconciliation: use this page to create and manage reconciliation events.

Approval Policies - Use this page to create and manage approval policies. An approval policy helps to associate request types with approval processes defined in the workflow service.

Access Policies - Use this page to create and manage access policies. Access policies define how to automate the provisioning of target systems to users. Access policies are a list of roles and resources to be provisioned or de-provisioned.


Attestation Configuration - Use this page to create, configure and manage attestation processes, and work with the attestation dashboard.


Password Policy - Use this page to create and manage password policies. Password policy management includes setting password policy rules, and creating, searching, and deleting password policies.


Form Designer - Use this page to create and manage forms of type users, roles, organizations, catalog, and resources that are not predefined in Oracle Identity Manager.


IT Resource - Use this page to create and manage IT resources. An IT resource is composed of parameters that store connection information about a target system. Oracle Identity Manager uses this information to connect to a specific installation or instance of the target system.


Generic Connector - Use the Generic Connector page to create and manage generic connectors. Generic connectors are basic connectors without advanced features. The connectors utilize generic connectivity technologies, such as SPML and JDBC.


Application Instances - Use this page to create and manage application instances. An application instance is a combination of an IT resource instance and resource object. Users have accounts and entitlements that are associated with application instance and not with the IT resource instance or resource object.


Lookups - Use this page to create and manage lookup definitions.


Scheduler - Use this page to create and manage scheduled jobs. Scheduled jobs are jobs that are run at specified time intervals to manage various activities in Oracle Identity Manager.


Notification - Use this page to create and manage notification templates. A notification template is used to send notifications.


System Configuration - Use this page to create and manage system properties. System properties define the characteristics that control the behavior of Oracle Identity Manager.


Manage Connector - Use this page to define, install, clone, upgrade, and uninstall predefined connectors in an Oracle Identity Manager environment. A predefined connector is designed for commonly used target systems such as Microsoft Active Directory and PeopleSoft Enterprise Applications.


Import - Use this page to import Oracle Identity Manager configurations by using the Deployment Manager.

Export - Use this page to export Oracle Identity Manager configurations by using the Deployment Manager.

Upgrade - When you upgrade your Oracle Identity Manager environment from 11g Release 1 (R1) (11.1.1.5) to 11g Release 2 (R2) (11.1.2), the custom attributes for entities (such as users, roles, organizations, and application instances) exist in the back-end. However, if you want to display these attributes as form fields in the Oracle Identity Manager user interface, then you must customize the associated pages on the interface to add the custom form fields. To do so, use the links in the Upgrade region of the Identity System Administration Console.


The Upgrade region contains the following:

Upgrade User Form -  Use this page to create and manage custom form fields for the user entity.

Upgrade Role Form - Use this page to create and manage custom form fields for the role entity.

Upgrade Organization Form  - Use this page to create and manage custom form fields for the organization entity.

Upgrade Application Instances - Use this page to create and manage custom form fields for the application instance entity.


Approval policy is a configurable entity of request management that helps associate various request types with approval processes defined in the request service, only for request-level and operation-level approvals. It associates approval workflows to be initiated at the request or operation level for a request type.

Each approval policy decides which process to invoke based on approval policy priority and approval policy rule.

Approval policy priorities are based on the following:

For request level: request type + request level

For operation level: request type + operation level + scope, where scope is the specific entity associated with the request


Oracle Business Rules (OBR)

The following methodologies are used:

Request-Level Methodology

     This methodology is used for all request types at the request level of approval.

Operation-Level Methodology: Organization-Based Selection

     This methodology is used for all user-related request types, such as Create User, Modify User, Disable User, Enable User, and Delete User, at the operation level of approval.

Operation-Level Methodology: Role-Based Selection

     This methodology is used for all role-related request types at the operation level of approval.

Operation-Level Methodology: Application Instance-Based Selection

     This methodology is also used for entitlement-related requests (provision/revoke).

Resource - A resource is a logical entity in Oracle Identity Manager that can be provisioned to a user or an organization in Oracle Identity Manager. For example, Microsoft Active

Account - Accounts are actual instances of a resource that are created and provisioned to a user or organization in Oracle Identity Manager. For example, an e-mail account on an Exchange server is an account (instance) of resource type Exchange.


IT Resource Type - IT resource type is a logical entity in Oracle Identity Manager used to model a physical target and all its attributes including (but not limited to) the connectivity information and the credentials required to connect to the physical computer. For example, IT resource type AD server is used to model an actual AD server.


IT Resource Instance - These are actual instances of a specific IT resource type that represent the actual physical target. They also have specific values for all the attributes of the physical target, such as IP address, port, user name, and password. Two physical AD servers in a deployment are represented by two instances of IT resource type AD Server.


Account Discriminator - Account discriminator is a collection of attributes on a form that uniquely identifies the logical entity on which accounts are created. This term is sometimes loosely referred to as a target. For instance, for an AD server, an account discriminator can be a combination of AD server (an attribute of type IT Resource) and Organization Name. Typically, account discriminators are attributes of type IT Resource. Attributes are marked as account discriminators by setting the Account Discriminator property of a form field to True.


Related scheduled jobs: Evaluate User Policies (scheduled task), Application Instance Post Delete Processing Job (scheduled job), Catalog Synchronization Job (scheduled job)

Entitlement List job - target system to the LKV table to the ENT_LIST table



A connector consists of the following artifacts:

Binaries (JAR and DLL files) that contain the connector code

XML file(s) consisting of data of Objects defined in Oracle Identity Manager, such as an IT resource, resource object, provisioning process and process tasks, process form and child forms, adapters and adapter tasks, lookup definitions, reconciliation rules, and scheduled tasks

Integration libraries that enable adapters to perform actions on the target system. For some target systems, third-party integration libraries might be required to enable communication or specific functionality with the target systems.


Oracle Identity Manager Connector artifacts :-
Resource objects
Event handlers
Process forms
IT resources
Data object definitions
Pre-Populate adapters
Processes
IT resource type definitions
Task adapters
Lookups
Scheduled tasks


There are four types of rules:

General - Enables Oracle Identity Manager to add a user to a role automatically and to determine the password policy that is assigned to a resource object.

Process Determination - Determines the provisioning processes for a resource object: Organization Provisioning, User Provisioning, approval or standard approval.

Task Assignment - Specifies the user or role that is assigned to a process task.

Pre-populate - Determines which pre-populate adapter is executed for a form field.


Type - The resource object's classification status. A resource object can belong to one of the following types:

Application - Classifies this resource object as an application.

Generic - Contains business-related processes.

System - Oracle Identity Manager uses this type of resource object internally.
Do not modify system resource objects without first consulting Oracle.

Disconnected - Classifies the resource object as a disconnected resource

The Resource Objects form contains the following tabs:

Depends On Tab, Object Authorizers Tab, Process Determination Rules Tab, Event Handlers/Adapters Tab, Resource Audit Objectives Tab, Status Definition Tab, Administrators Tab, Password Policies Rule Tab, User-Defined Fields Tab, Process Tab, Object Reconciliation Tab

The Editing Task window contains the following tabs:

General Tab, Integration Tab, Task Dependency Tab, Responses Tab, Undo/Recovery Tab, Notification Tab, Task to Object Status Mapping Tab, Assignment Tab


The Form Designer form contains the following tabs:

Additional Columns Tab, Child Table(s) Tab, Object Permissions Tab, Properties Tab, Administrators Tab, Usage Tab, Pre-Populate Tab, Default Columns Tab, User Defined Fields Tab


Adapter types :- Process Task, Rule Generator, Pre-populate, Entity, Task Assignment


Lab1 :: Oracle Identity and Access Management ( IDAM ) Installation & Configuration

0. VirtualBox

1. Install a base operating system such as Linux or Windows Server

2. Install Oracle Database and configure the database settings

3. Run RCU to create the schemas and tablespaces

4. Install JRockit / JDK

5. Install WebLogic Server --> Admin Server

6. Install SOA and apply patches --> Managed Server 1 (approvals)

7. Install OIM and OAM, OAAM, OIF --> Managed Server 2

8. Configure WebLogic

9. Configure the Database Security Store

10. Configure OIM

11. Configure the Design Console


Note : localhost == oim.luckyskills.com

Starting / stopping the Database :-

> sqlplus / as sysdba
SQL> startup
SQL> shutdown immediate

Starting / stopping the Listener :-

> lsnrctl start
> lsnrctl stop
> lsnrctl status

Starting / stopping the WebLogic Admin Server :-

cd /home/oracle/Oracle/Middleware/user_projects/domains/base_domains/bin
./startWebLogic.sh
./stopWebLogic.sh

Starting / stopping the OIM Server :-

cd /home/oracle/Oracle/Middleware/user_projects/domains/base_domains/bin
./startManagedWebLogic.sh oim_server1
./stopManagedWebLogic.sh oim_server1

Starting / stopping the SOA Server :-

cd /home/oracle/Oracle/Middleware/user_projects/domains/base_domains/bin
./startManagedWebLogic.sh soa_server1
./stopManagedWebLogic.sh soa_server1

Starting / stopping the OAM Server :-

cd /home/oracle/Oracle/Middleware/user_projects/domains/base_domains/bin
./startManagedWebLogic.sh oam_server1
./stopManagedWebLogic.sh oam_server1

Starting the Design Console :-

cd /home/oracle/Oracle/Middleware/Oracle_IDM1/designconsole
./xlclient.sh
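A small start-up dependency check for the commands above, added here as an example (not part of the original lab notes and not an Oracle-provided script). It encodes the order the notes follow (database and listener, WebLogic Admin Server, then the soa_server1 / oim_server1 / oam_server1 managed servers) and probes each component's port before the next start script would be run, so a managed server is not started against a database or Admin Server that is still down. The host name, port 7001 and the script paths are from the notes; the ports 1521, 8001, 14000 and 14100 are assumed defaults to adjust for your domain.

```python
"""Start-up order check for the OIM lab stack.

Added example: not part of the original notes and not an Oracle script.
Assumptions: the host name and port 7001 come from the notes; 1521, 8001,
14000 and 14100 are typical defaults and must be adjusted to your domain;
the start commands are the ones from the notes.
"""
import socket

HOST = "oim.luckyskills.com"
DOMAIN_BIN = "/home/oracle/Oracle/Middleware/user_projects/domains/base_domains/bin"

# (component, port to probe, command to run when it is down), in start order.
STARTUP_ORDER = [
    ("database+listener", 1521, "sqlplus / as sysdba -> SQL> startup ; lsnrctl start"),
    ("AdminServer", 7001, f"{DOMAIN_BIN}/startWebLogic.sh"),
    ("soa_server1", 8001, f"{DOMAIN_BIN}/startManagedWebLogic.sh soa_server1"),
    ("oim_server1", 14000, f"{DOMAIN_BIN}/startManagedWebLogic.sh oim_server1"),
    ("oam_server1", 14100, f"{DOMAIN_BIN}/startManagedWebLogic.sh oam_server1"),
]


def tcp_probe(port, host=HOST, timeout=2.0):
    """True if something accepts a TCP connection on host:port.

    This only proves the port is listening; the WebLogic console is still
    the place to confirm a server has reached RUNNING state."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def startup_plan(order, probe):
    """Walk the start order with the given probe (injectable for testing).

    Returns (up, next_step): up is the list of components already listening,
    next_step is the (component, command) to run next, or None when everything
    is up. The walk stops at the first component that is down, because the
    components after it depend on it and must not be started yet."""
    up = []
    for component, port, command in order:
        if probe(port):
            up.append(component)
            continue
        return up, (component, command)
    return up, None


def stop_order(order):
    """Reverse of the start order: managed servers first, database last,
    so no server loses its database or Admin Server while still running."""
    return [component for component, _, _ in reversed(order)]


if __name__ == "__main__":
    up, nxt = startup_plan(STARTUP_ORDER, tcp_probe)
    print("listening:", ", ".join(up) or "nothing")
    if nxt:
        print(f"next: start {nxt[0]} with: {nxt[1]}")
    else:
        print("all components are listening")
    print("stop in this order:", " -> ".join(stop_order(STARTUP_ORDER)))
```

Run it between start scripts; it prints which component to start next, or that the whole stack is listening. The probe is passed in as a parameter so the ordering logic can be exercised without a live domain.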


Logging into OIAM Consoles -
==========================================================

Database :

Weblogic : http://oim.luckyskills.com:7001/console

OIM :

     Design Console :: /home/oracle/Oracle/Middleware/DEV_IDM1/designconsole> ./xlclient.cmd (Windows) or ./xlclient.sh (Linux)

SOA :

OAM :

OAAM Admin :

OAAM Server :