
Thursday, February 27, 2014

OIM 11gR2 Connector Server setup mojo

Just some simple tips for setting up the connector server.  Some of these tips come from my colleagues; others are my own take on what my colleagues do.

When building a connector server machine, it works very well to create a separate disk where all of the connector server software can be loaded and run from.  For a physical machine (iron) the D drive will be taken by a CD/DVD drive, and you can use E: for the connector server.  On a VM, you could choose to use D: or E:, whatever your preference.

On install, never accept the default Program Files folder.  If you followed the advice above, install the software onto the D: or E: drive; otherwise install on the C: drive.  Either way the top folder should be E:\Identity Connectors (substituting your drive letter), with a Connector Server folder under it.

After install, decide where you want to put the log files.  The default is C: and that is a bad location for the files.  You can put the logs inside the Connector Server folder, in a separate folder, or on a third drive letter, for that matter.  I call my logs folder Logs with a capital L since this is Microsoft and we give civilized names to our folders in Windows, not like those "lower case-no blanks" Linux savages.

The bundles of course go into the Connector Server folder per the install guides for each connector.  Be sure to set the key first.  I will cover logging in a separate post.

I install WinSCP and Notepad++ on my connector servers so I can manage things easily.  I also make sure the Remote Admin tools including Active Directory Administrative Center, AD module for Windows PowerShell, Web Server (IIS) Tools, Telnet Client, and .NET 3.5.1 Framework Windows features are installed.

Finally, many people don't know how to set up a VIP on a Windows box.  The command is:

netsh interface ip add address "Local Area Connection" <vip-address> <netmask>

The name "Local Area Connection" is only an example; it must be the name of your existing Ethernet adapter.  Sometimes it is called Local Area Connection, other times Online Network, so find out what it is called by running ipconfig /all and noting the adapter name.  You are adding an address to the existing interface, so the name has to match exactly.


Wednesday, February 26, 2014

Oracle Diagnostic Logging - getting deeper into OIM11gR2

Going deeper into OIM is a little different when using ODL instead of the old log4j.properties file from OIM 9.1.0.2.

If you have read my previous post on how to set up and hand modify the ODL files for your server, you will be able to perform these tasks.

Here are some interesting logging points I have tried:

  <logger name='oracle.iam.provisioning' level='TRACE:32'>
   <handler name='odl-handler'/>
  </logger>
  <logger name='oracle.iam.identity' level='TRACE:1'>
   <handler name='odl-handler'/>
  </logger>
  <logger name='Thor.API.Operations' level='TRACE:32'>
   <handler name='odl-handler'/>
  </logger>
  <logger name='XELLERATE.DATABASE' level='NOTIFICATION:32'>
   <handler name='odl-handler'/>
  </logger>
  <logger name='XELLERATE.SERVER' level='NOTIFICATION:1'>
   <handler name='odl-handler'/>
  </logger>
  <logger name='XELLERATE.SCHEDULER' level='NOTIFICATION:1'>
   <handler name='odl-handler'/>
  </logger>


The handler name was changed back to odl-handler, but I use my own handler that segregates the parts I am interested in.  I put all of the parts I am interested in, into a handler I call edu-handler, so in my logging.xml file, all of the above odl-handler references actually are edu-handler.  I just want someone who wants to copy/paste to not have a failure because they haven't defined an edu-handler.
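As an added example (not code from this post), the following Python script catches exactly the copy/paste failure just described: it parses a logging.xml and reports every handler a logger points at that has no matching log_handler definition.  The embedded logging.xml is constructed for the example; its odl-handler definition follows the usual ODL layout, and edu-handler plays the part of the handler that was never defined.

```python
"""Report <logger> handler references in an ODL logging.xml that have no
matching <log_handler> definition.  Added example, not from the original
post; SAMPLE_LOGGING_XML is constructed and 'edu-handler' is hypothetical."""
import xml.etree.ElementTree as ET

# Constructed sample: loggers copied with edu-handler, but only odl-handler
# is actually defined under <log_handlers>.
SAMPLE_LOGGING_XML = """<logging_configuration>
 <log_handlers>
  <log_handler name='odl-handler' class='oracle.core.ojdl.logging.ODLHandlerFactory'>
   <property name='path' value='${domain.home}/servers/${weblogic.Name}/logs/${weblogic.Name}-diagnostic.log'/>
   <property name='maxFileSize' value='10485760'/>
   <property name='maxLogSize' value='104857600'/>
   <property name='encoding' value='UTF-8'/>
  </log_handler>
 </log_handlers>
 <loggers>
  <logger name='oracle.iam.provisioning' level='TRACE:32'>
   <handler name='edu-handler'/>
  </logger>
  <logger name='Thor.API.Operations' level='TRACE:32'>
   <handler name='edu-handler'/>
  </logger>
  <logger name='XELLERATE.DATABASE' level='NOTIFICATION:32'>
   <handler name='odl-handler'/>
  </logger>
 </loggers>
</logging_configuration>
"""


def defined_handlers(xml_text):
    """Names of every <log_handler> defined in the file."""
    root = ET.fromstring(xml_text)
    return {h.get("name") for h in root.iter("log_handler")}


def missing_handler_refs(xml_text):
    """Sorted (logger name, handler name) pairs whose handler is undefined."""
    defined = defined_handlers(xml_text)
    root = ET.fromstring(xml_text)
    missing = []
    for logger in root.iter("logger"):
        for handler in logger.findall("handler"):
            if handler.get("name") not in defined:
                missing.append((logger.get("name"), handler.get("name")))
    return sorted(missing)


def check_file(path):
    """Run the same check against a real logging.xml on disk."""
    with open(path, encoding="utf-8") as f:
        return missing_handler_refs(f.read())


if __name__ == "__main__":
    for logger_name, handler_name in missing_handler_refs(SAMPLE_LOGGING_XML):
        print(f"logger {logger_name} references undefined handler {handler_name}")
```

check_file('/path/to/logging.xml') runs the same check against a real file before you restart the server; an empty list means every handler a logger references is defined.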


OIM 11gR2 How to make plugins easier to manage

Making plugins easier to manage is simple.  I have a prior post that is not as detailed but is still applicable.  First, occasionally run this query against your database and export the results:

SELECT DISTINCT(ID) FROM PLUGINS ORDER BY ID ASC

This will give you a list of the current plugins you have. If you want to know more try this query:

SELECT ID,VERSION,NAME,TYPE FROM PLUGINS ORDER BY ID ASC, VERSION DESC

The second query will show if you have multiple versions.  The system should pick the highest numbered version, but I do not trust that.  IMHO, always keep just the latest copy of each plugin.
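As an added example (not part of this post), here is a small Python helper for the export from the second query: it groups the rows by ID, compares VERSION numerically rather than as text, and lists the older copies so you know which ones are candidates to unregister.  The rows below are constructed and the plugin IDs are placeholders.  It assumes VERSION is stored as dotted text such as 1.0.2, which is why the comparison matters: ORDER BY VERSION DESC on a text column places 1.0.2 above 1.0.10.

```python
"""Find the older copies of each plugin in a PLUGINS export so only the
latest version is kept.  Added example, not from the original post; the
sample rows are constructed and the plugin IDs are placeholders."""
from collections import defaultdict

# Constructed sample rows in the column order of
#   SELECT ID,VERSION,NAME,TYPE FROM PLUGINS ORDER BY ID ASC, VERSION DESC
SAMPLE_ROWS = [
    ("com.example.oim.EmailNotificationHandler", "1.0.2",  "EmailNotificationHandler", "oracle.iam.platform.kernel.spi.EventHandler"),
    ("com.example.oim.EmailNotificationHandler", "1.0.10", "EmailNotificationHandler", "oracle.iam.platform.kernel.spi.EventHandler"),
    ("com.example.oim.DisplayNameHandler",       "1.1",    "DisplayNameHandler",       "oracle.iam.platform.kernel.spi.EventHandler"),
    ("com.example.oim.AccountValidator",         "1.0",    "AccountValidator",         "oracle.iam.platform.kernel.spi.EventHandler"),
    ("com.example.oim.AccountValidator",         "1.0.1",  "AccountValidator",         "oracle.iam.platform.kernel.spi.EventHandler"),
]


def version_key(version):
    """Turn '1.0.10' into a tuple that sorts numerically, so (1,0,10) > (1,0,2).
    Non-numeric pieces (e.g. 'SNAPSHOT') sort after numbers, as text."""
    key = []
    for piece in version.split("."):
        key.append((0, int(piece)) if piece.isdigit() else (1, piece))
    return tuple(key)


def versions_by_plugin(rows):
    """Map plugin ID -> list of VERSION strings present in the export."""
    grouped = defaultdict(list)
    for plugin_id, version, _name, _type in rows:
        grouped[plugin_id].append(version)
    return dict(grouped)


def latest_versions(rows):
    """Map plugin ID -> the highest VERSION by numeric comparison."""
    return {pid: max(vers, key=version_key)
            for pid, vers in versions_by_plugin(rows).items()}


def stale_versions(rows):
    """Sorted (ID, VERSION) pairs older than the latest copy of that plugin,
    i.e. the candidates for 'ant -f pluginregistration.xml unregister'."""
    latest = latest_versions(rows)
    return sorted((pid, ver) for pid, ver, _n, _t in rows if ver != latest[pid])


if __name__ == "__main__":
    for plugin_id, version in stale_versions(SAMPLE_ROWS):
        print(f"older copy: {plugin_id} version {version}")
```

Feed it the rows from your own export (a CSV reader producing the same four columns is enough) and the output is the list to work through with the unregister target described next.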

The second thing to do is to make the plugin utility easier to use.  Here's how: open the ant.properties file and make sure you have filled in the provided values.  I use $MW_HOME in these examples, but it has to be your actual Middleware home, spelled out in the file.

wls.home=$MW_HOME/wlserver_10.3
oim.home=$MW_HOME/Oracle_IDM1/server
login.config=${oim.home}/config/authwl.conf
mw.home=$MW_HOME

Correction: ant does not pick up environment variables from ant.properties, so $MW_HOME must be replaced with the literal path, for example:

mw.home=/u01/app/oracle/fmw
wls.home=/u01/app/oracle/fmw/wlserver_10.3
oim.home=/u01/app/oracle/fmw/Oracle_IDM1/server

Third, add the following lines to the same file:

OIM.Username=xelsysadm
OIM.UserPassword=<your password>
ServerURL=t3://yourservice.yoursystem.yourdomain:14000
CtxFactory=weblogic.jndi.WLInitialContextFactory

Then you just run:

ant -f pluginregistration.xml unregister

All you have to type in is the password for xelsysadm, and then paste the full class name from the export you did in step 1.

For the file names when you are running ant -f pluginregistration.xml register, I copy the files into a /home/oracle/plugins folder and then use:

find ~/plugins -name '*plugin*' -print


And then copy the line with the full pathname before I run the ant script.  Again I just enter the password for xelsysadm and then paste the filename.

Be sure to fully stop and restart all servers (no rolling restarts) to make the new plugins active.  I have found that PurgeCache does not work.


Thursday, February 20, 2014

OIM 11gR2 - When to use Platform.getServiceForEventHandlers

Just a quick reminder when creating Event Handlers (not for Scheduled Tasks)

UserManager usrMgr = Platform.getService(UserManager.class);

is used when you need to read user attributes, for example when an orchestration changes one field and you need other fields from the USR table to build some kind of update.  Display Name is a typical case: if only the Last Name is changed, you still need to retrieve the First and Middle Name fields to construct the Display Name properly.

Platform.getServiceForEventHandlers is used when you want to perform any kind of updates within an Event Handler.  Example:

ProvisioningService provSvcUP = Platform.getServiceForEventHandlers(ProvisioningService.class,
    null, "ADMIN","XXXHandler", null);


Tuesday, February 18, 2014

OIM11gR2 Using the old Thor interfaces

Sometimes you need to use the old Thor interfaces for getting information from the system. Lookups are one of these items, and that will be the example used here.

Also see my other posting OIM How to pull an IT Resource Parameter

Import the resource:

import Thor.API.Operations.tcLookupOperationsIntf;

Define the interface (spell the variable name slightly differently from the class name; in this case I used a lower case l in lookup):

tcLookupOperationsIntf tclookupOperationsIntf =null;

Get the service:

tclookupOperationsIntf = Platform.getService(tcLookupOperationsIntf.class);

Optionally you can do this all in one line.  You should null check the returned value.

Here's a completed task that just checks to see if a value is in a list:

// Returns true when appInstanceName appears as a Code Key in the lookup
// named by validAccountLookup.  tclookupOperationsIntf is obtained as shown
// above; logger and methodName belong to the enclosing class.  Exceptions
// from the Thor API are declared rather than caught here.
boolean isInLookup(String appInstanceName, String validAccountLookup)
    throws Exception {
  Thor.API.tcResultSet rs = null;
  rs = tclookupOperationsIntf.getLookupValues(validAccountLookup);
  int rowcount = rs.getRowCount();
  for (int irow = 0; irow < rowcount; ++irow) {
    rs.goToRow(irow);
    String codeKey = rs.getStringValue(
      "Lookup Definition.Lookup Code Information.Code Key");
    String decode = rs.getStringValue(
      "Lookup Definition.Lookup Code Information.Decode");
    if (appInstanceName.equals(codeKey)) {
      logger.logp(Level.FINE, getClass().getName(), methodName,
        "Found " + appInstanceName + " in row " + irow + ", returning true");
      return true;
    }
  }
  return false;
}

I left out all of the checks and catches, just showing functional code.

Wednesday, February 12, 2014

Interesting point on SQL comparisons

Here's an interesting point regarding SQL inequality comparisons.

An inequality expression normally looks like this:

where usr_udf_vegan <> '1'

If you work with OIM you will recognize the database field as a User Defined Field (UDF) and the value as the value of a "checked" checkbox which is a string value of '1' - but this is not limited to only OIM.

Now if you run this query against a table containing the values '1', '0', and NULL, you will find that the NULL rows are not returned.  You would think they would be, because NULL is not '1', but NULL <> '1' evaluates to UNKNOWN rather than TRUE, and a WHERE clause only keeps rows whose condition is TRUE.

In order to overcome this, add the following:

where (usr_udf_vegan is null or usr_udf_vegan <> '1')

The following also does not work:
where usr_udf_vegan not in ('1')

This specific issue came up with OIM role inequality comparisons and the fix is in the latest bundle patch of OIM.
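As an added example (not part of this post), the following Python script runs the predicates above, plus an equivalent COALESCE form, against a constructed usr table holding '1', '0' and NULL, so the difference shows up directly in the rows each one returns.  It uses SQLite in memory; the three-valued NULL logic it demonstrates is standard SQL and Oracle behaves the same way.  The logins are constructed sample values; the table and column names follow the post.

```python
"""Show which rows each of the post's predicates returns when the column
holds '1', '0' and NULL.  Added example, not from the original post; the
sample users are constructed and SQLite stands in for the OIM database."""
import sqlite3

# Constructed sample: two vegans, two explicit non-vegans, two never answered.
SAMPLE_USERS = [
    ("alice", "1"), ("bob", "1"),
    ("carol", "0"), ("dave", "0"),
    ("erin", None), ("frank", None),
]

# The predicates are fixed string constants from this file, never user input,
# so interpolating them into the query below is safe.
PREDICATES = {
    "not_equal":         "usr_udf_vegan <> '1'",                             # drops NULL rows
    "not_in":            "usr_udf_vegan not in ('1')",                       # drops NULL rows too
    "null_or_not_equal": "(usr_udf_vegan is null or usr_udf_vegan <> '1')",  # the post's fix
    "coalesce":          "coalesce(usr_udf_vegan, '0') <> '1'",              # equivalent fix
}


def build_db():
    """In-memory table shaped like the OIM USR columns the post refers to."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table usr (usr_login text, usr_udf_vegan text)")
    conn.executemany("insert into usr values (?, ?)", SAMPLE_USERS)
    return conn


def matching_logins(conn, predicate):
    """Logins of the rows for which the predicate evaluates to TRUE."""
    sql = f"select usr_login from usr where {predicate} order by usr_login"
    return [row[0] for row in conn.execute(sql)]


def compare_predicates():
    """Map predicate name -> logins it returns, for every predicate above."""
    conn = build_db()
    try:
        return {name: matching_logins(conn, pred) for name, pred in PREDICATES.items()}
    finally:
        conn.close()


if __name__ == "__main__":
    for name, logins in compare_predicates().items():
        print(f"{name:18} -> {logins}")
```

Both not_equal and not_in return only carol and dave; the null_or_not_equal and coalesce forms also return erin and frank.  One Oracle-specific caveat: Oracle stores an empty string in a VARCHAR2 column as NULL, so a UDF that was cleared rather than set to '0' lands in the same bucket as one that was never set, and needs the same NULL-aware predicate.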