Friday, May 22, 2015

List of resource provisioned to user in OIM

A query that lists the resources provisioned to a given user, together with the status each resource instance is in.

Table Name: Table Description
OIU: Object Instance Request Target User Information. Associates a user with a resource object instance when provisioning takes place.
OST: Object Status Information. The status values a resource instance can be in (for example Provisioned, Disabled, Revoked).
OBI: Object Instance Information. Once a resource is provisioned to a user, OIM creates one resource instance per provisioning.
OBJ: Resource Object definition information. Holds details about the resource such as the resource name, whether auto-save and auto-prepopulate are enabled, and whether the resource object allows multiple instances.
USR: User information such as login ID, password, status and profile attributes.

SQL Query:
select oiu.oiu_key, oiu.obi_key, oiu.orc_key, ost.ost_status, obj.obj_name, obj.obj_key,oiu.req_key 
from oiu 
inner join ost on oiu.ost_key = ost.ost_key 
inner join obi on oiu.obi_key = obi.obi_key
inner join obj on obi.obj_key = obj.obj_key 
where oiu.usr_key =(select usr_key from usr where usr_login='chellappan.sampath');
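The same four-table join turned round, as an added example that is not part of the original post: instead of the resources of one user, it lists every user whose account in a named resource is still live while the user record itself is no longer active, which is the orphaned-account check an access review needs. The resource name 'Active Directory User' is a placeholder; the columns oiu.oiu_prov_start_date and usr.usr_status are assumed to exist as in a standard OIM 11g schema, so verify them against your instance before relying on the result.

```sql
-- Added example, not from the original post: orphaned accounts in one resource.
-- Assumed columns (standard OIM 11g schema): oiu.oiu_prov_start_date, usr.usr_status.
-- 'Active Directory User' is a placeholder resource object name.
select usr.usr_login,
       usr.usr_status,
       obj.obj_name,
       ost.ost_status,
       oiu.oiu_prov_start_date,
       oiu.oiu_key,
       oiu.orc_key
from   oiu
       inner join usr on usr.usr_key = oiu.usr_key
       inner join ost on ost.ost_key = oiu.ost_key
       inner join obi on obi.obi_key = oiu.obi_key
       inner join obj on obj.obj_key = obi.obj_key
where  obj.obj_name = 'Active Directory User'       -- resource object under review
and    ost.ost_status in ('Provisioned', 'Enabled')  -- account is still live
and    usr.usr_status <> 'Active'                    -- but the owning user is not
order by usr.usr_login, oiu.oiu_prov_start_date;
```

Drop the usr_status condition to get a plain membership list for the resource, or swap ost_status for 'Revoked' to audit how many accounts have already been cleaned up.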

Set Environment Variables OIM 11G R2 PS2

Before running deployment tasks such as registering or unregistering a plugin, or uploading or deleting a JAR, the environment variables below need to be set. I hope this list makes for an easier reference.
Note: These values reflect my local environment; adjust the paths to match yours.
export APP_SERVER=weblogic
export ANT_HOME=/opt/middleware/modules/org.apache.ant_1.7.1
export JAVA_HOME=/opt/java/jdk1.7.0_02
export PATH=/opt/java/jdk1.7.0_02/bin:/opt/middleware/modules/org.apache.ant_1.7.1/bin:$PATH
export MW_HOME=/opt/middleware
export XEL_HOME=/opt/middleware/Oracle_IDM1
export WL_HOME=/opt/middleware/wlserver_10.3
export OIM_ORACLE_HOME=/opt/middleware/Oracle_IDM1
export OIM_HOME=/opt/middleware/Oracle_IDM1/server
export DOMAIN_HOME=/opt/middleware/user_projects/domains/base_domain

Tuesday, May 19, 2015

OIM 11G Orchestration tables

Orchestration is a vital component of OIM, arguably its heart, because all operations such as create user, modify user, delete user, LDAP sync, etc. are closely integrated with the OIM Orchestration engine.

Known Issue: OIM Orchestration retries a failed event handler only 2 times and ignores it after that, because the retry limit is hard coded in OIM.

Table Name: Table Description
ORCHPROCESS: Stores the process instances that are being executed (one row per orchestration of an entity operation).
ORCHEVENTS: Stores the event handler name, status and result for every orchestration process. Event status values include COMPLETED, FAILED, PENDING, etc.
ORCHFAILEDEVENTS: Stores the event handlers that were executed because of failures in the main flow.

SQL Query:

The SQL queries below list the event handlers executed for a particular user during the enable operation:

This query gets the user key from the USR table.
select usr_key from usr
where usr_login = 'chellappan.sampath';
-- 1024
This query gets the orchestration process instance for the ENABLE of user 'chellappan.sampath' (entityid is stored as a string).
select id from orchprocess
where entityid = '1024' and entitytype = 'User' and operation = 'ENABLE';
-- 561092
This query gets all the event handlers that ran in that process, in execution order.
select * from orchevents
where processid = '561092' order by orchorder;
Similarly you can do the same for create user, disable user, modify user, etc. by changing the operation.
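The three lookups above folded into one query, as an added example that is not part of the original post: it returns every event handler that ran for a user, per process and in orchestration order, with the handler status and result, so a FAILED handler can be found without copying keys between queries. The columns orchprocess.status, orchprocess.createdon and orchevents.errormessage are assumed to exist as in a standard OIM 11g R2 schema; the page itself only documents the columns used in the queries above.

```sql
-- Added example, not from the original post: handler history for one user in one query.
-- Assumed columns (standard OIM 11g R2 schema): orchprocess.status, orchprocess.createdon,
-- orchevents.errormessage. entityid is compared as a string, as the page's queries do.
select p.id          as process_id,
       p.operation,
       p.status      as process_status,
       p.createdon,
       e.orchorder,
       e.name        as handler_name,
       e.status      as event_status,
       e.result,
       e.errormessage
from   orchprocess p
       inner join orchevents e on e.processid = p.id
where  p.entitytype = 'User'
and    p.entityid = (select to_char(usr_key) from usr
                     where lower(usr_login) = 'chellappan.sampath')
and    p.operation in ('CREATE', 'ENABLE', 'DISABLE', 'MODIFY')
order by p.createdon desc, p.id, e.orchorder;
```

Add `and e.status = 'FAILED'` to see only failures; given the two-retry limit noted above, a handler that is still FAILED after its retries will stay that way until the operation is re-run.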

Tuning database & application servers for OIM

Tuning Database

Since OIM depends heavily on the database, the database has to be tuned for good performance. Every time a user is created or a resource is provisioned to a user, dozens of operations take place behind the scenes, especially against the functional tables.

The table below shows the recommended initial settings for 4 CPUs (64-bit) and 8 to 20 GB of RAM:

Parameter: Initial setting for DB
db_block_size: 8192 (fixed at database creation; it cannot be changed afterwards)
memory_target: Minimum 6 GB. Maximum: MEMORY_TARGET/MEMORY_MAX_TARGET = total memory x 80% or 20 GB, whichever is greater.
sga_target: Minimum 4 GB. Maximum: SGA_TARGET = total memory x 80% x 60% or 16 GB, assuming an overall memory cap of 20 GB for the Oracle Identity Manager database.
pga_aggregate_target: Minimum 2 GB. Maximum: PGA_AGGREGATE_TARGET = total memory x 80% x 40% or 4 GB, whichever is greater.
sga_max_size: 10 GB (must be at least sga_target, so raise it if you set sga_target above 10 GB)
db_keep_cache_size: 800M
log_buffer: 15 MB
cursor_sharing: FORCE
open_cursors: 2000
session_cached_cursors: 800
query_rewrite_integrity: TRUSTED
db_file_multiblock_read_count: 16
db_writer_processes: 2
processes: Based on the connection pool settings of the OIM datasources

It is always recommended to check the database's own tuning reports (AWR/ADDM) before changing anything; Oracle's recommendations for OIM can be found at: http://docs.oracle.com/cd/E14571_01/doc.1111/e14308/tuningfordb.htm#OMADM1811
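The settings from the table applied with ALTER SYSTEM and then read back from v$parameter, as an added example that is not part of the original post. It sizes the memory parameters for the 20 GB cap the table assumes and raises sga_max_size to match the 16 GB sga_target; the value of 300 for processes is an assumed starting point derived from two datasources of 50 connections each plus background sessions, not a figure from the page. Run it as SYSDBA; parameters set with scope=spfile take effect after a restart.

```sql
-- Added example, not from the original post: apply the table's initial settings.
-- db_block_size is deliberately absent: it is fixed when the database is created.
alter system set memory_max_target             = 20G   scope=spfile;
alter system set memory_target                 = 20G   scope=spfile;
alter system set sga_max_size                  = 16G   scope=spfile;  -- raised to match sga_target
alter system set sga_target                    = 16G   scope=spfile;
alter system set pga_aggregate_target          = 4G    scope=spfile;
alter system set db_keep_cache_size            = 800M  scope=spfile;
alter system set log_buffer                    = 15M   scope=spfile;  -- static parameter
alter system set cursor_sharing                = FORCE scope=both;
alter system set open_cursors                  = 2000  scope=both;
alter system set session_cached_cursors        = 800   scope=spfile;  -- static parameter
alter system set query_rewrite_integrity       = TRUSTED scope=both;
alter system set db_file_multiblock_read_count = 16    scope=both;
alter system set db_writer_processes           = 2     scope=spfile;  -- static parameter
-- processes: assumed value for two OIM datasources of 50 connections each plus
-- background sessions; derive it from your own WebLogic pool sizes.
alter system set processes                     = 300   scope=spfile;

-- After the restart, confirm what the instance is actually running with.
select name, value, isdefault
from   v$parameter
where  name in ('db_block_size', 'memory_target', 'memory_max_target', 'sga_target',
                'sga_max_size', 'pga_aggregate_target', 'db_keep_cache_size',
                'log_buffer', 'cursor_sharing', 'open_cursors',
                'session_cached_cursors', 'query_rewrite_integrity',
                'db_file_multiblock_read_count', 'db_writer_processes', 'processes')
order by name;
```

The verification query is the part worth keeping: a value that is still isdefault = TRUE after the restart means the ALTER SYSTEM went to an spfile the instance is not using.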


Tuning Application Server

  1. OIM uses the oimOperationsDB and oimJMSStoreDS datasources deployed on the WebLogic server. By default, the maximum connection pool size is 50. You can increase it to suit your environment. Note: make sure the database's processes parameter is raised to accommodate the larger pools.
  2. Number of Message Driven Beans (MDB): OIM uses the OIMMDBWorkManager for processing all offline operations such as reconciliation, audit, orchestration, etc. By default, it is set to 80. You can set it to -1 for unlimited.
  3. Disable reloading of adapters and plug-in configuration.
  4. Change the default memory arguments.
  5. Periodically purge the Orchestration, Requests, Audit and Reconciliation tables in OIM.

Monday, May 18, 2015

OIM 11G R2 PS2 Installation Steps – High Level

Before you begin an OIM 11G R2 installation, I strongly recommend you have a look at the certification matrix. Developers often lose time working with the wrong components, such as an unsupported OS version or JDK/JRE version, and as a result cannot complete the installation.

Note: Make sure the installing user has write permission on the installation folder.

This post covers the high-level steps based on the above certification matrix.

  1. Install WebLogic 10.3.6 or later
  2. Run the Repository Creation Utility.
  3. Install SOA into the middleware home
  4. Install the IAM components into the middleware home
  5. Extend the WebLogic domain (If already exists) OR create a new domain for all the required IAM components by running the domain configuration.
  6. Create the Policy Store
  7. Configure SOA
  8. Start WebLogic server
  9. Configure OIM
  10. Stop WebLogic Admin server
  11. Start WebLogic Admin server, SOA, and followed by OIM

Friday, May 15, 2015

OIM SQL query to find who modified user attributes

We can identify when a user profile attribute, for example the email address, was changed and what it was changed from and to.

The tables below store the user and audit information:

Table Name
Table Description
USR
It contains user information like login id, password, etc.,
UPA
User profile audit information

SQL Query:

The query below fetches the email address changes for user 'chellappan.sampath' from the audit tables. Changed field values live in UPA_FIELDS, whose UPA_USR_KEY points at the UPA_USR snapshot row for the user; that join and the UPA_USR_EFF_FROM_DATE column are as in the standard 11g audit schema, so verify them against your instance:
select uu.upa_usr_eff_from_date, fields.field_name, fields.field_old_value, fields.field_new_value
from upa_fields fields
inner join upa_usr uu on uu.upa_usr_key = fields.upa_usr_key
where uu.usr_key = (select usr_key from usr
                    where lower(usr_login) = 'chellappan.sampath')
and fields.field_name = 'Users.Email'
order by uu.upa_usr_eff_from_date desc, fields.field_name;

OIM SQL query to find who assigned role to users

OIM provides strong auditing features that capture every user profile modification. The audit records are stored in the UPA table.

The tables below store the user and audit information:

Table Name
Table Description
USR
It contains user information like login id, password, etc.,
UPA
User profile audit information

SQL Query:

The query below lists the audit records written when roles were assigned to user 'chellappan.sampath'; the SRC column identifies the operation that produced the record:
select * from upa
where usr_key = (select usr_key from usr
                 where lower(usr_login) = 'chellappan.sampath')
and src like '%RoleManager%CREATE%';

Similarly, we can find role revocations by using src like '%RoleManager%DELETE%'.

OIM SQL query to get users who have a specific role

We often need to find the users who hold a specific role in OIM.

Table Name
Table Description
USR
It contains user information like login id, password, etc.,
USG
Role assigned to user

SQL Query:
In the example below, the query returns the users who have the role called 'System Administrator'. The filter on ugp_name makes the joins effectively inner joins, so they are written that way:
select usr.usr_display_name, usr.usr_login, usr.usr_email, ugp.ugp_name
from usg usg
inner join usr usr on (usg.usr_key = usr.usr_key)
inner join ugp ugp on (ugp.ugp_key = usg.ugp_key)
where upper(ugp.ugp_name) in (upper('System Administrator'));
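An added example, not part of the original post, that serves both the role-assignment audit query and the role-membership query above: it answers "who granted which role to this user, and when" from the membership table itself. It relies on the standard audit columns that OIM tables carry (USG_CREATE and USG_CREATEBY, where USG_CREATEBY holds the USR_KEY of the acting user); these columns are assumed from the standard schema rather than documented on the page, so confirm them before use. Only current memberships appear here, because a revoke deletes the USG row; revocation history still comes from the UPA query above.

```sql
-- Added example, not from the original post: who granted which role, and when.
-- Assumed audit columns (standard OIM schema): usg.usg_create, usg.usg_createby
-- (usr_key of the actor). Revoked memberships are gone from USG; see UPA for those.
select m.usr_login    as member,
       g.ugp_name     as role_name,
       usg.usg_create as granted_on,
       a.usr_login    as granted_by
from   usg
       inner join usr m on m.usr_key = usg.usr_key
       inner join ugp g on g.ugp_key = usg.ugp_key
       left outer join usr a on a.usr_key = usg.usg_createby   -- null if the actor was deleted
where  lower(m.usr_login) = 'chellappan.sampath'
order by usg.usg_create desc;
```

Replace the where clause with `upper(g.ugp_name) = upper('System Administrator')` to get the grant date and grantor for every current holder of a privileged role, which is the list an access review actually asks for.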

OIM SQL query to force users to change password on next login

When a user's password is reset, either by an OIM admin or through the API, the user is prompted to change it at the next login.

This behaviour is controlled by the column USR_CHANGE_PWD_AT_NEXT_LOGON in the USR table, which takes the value 0 or 1. Note that updating the table directly bypasses OIM's APIs and audit trail, so prefer the admin console or the UserManager API where possible and reserve the direct update for break-fix situations.

The value 0 means the user is not forced to change the password at next login:
update usr set usr_change_pwd_at_next_logon = '0'
where usr_login = 'chellappan.sampath';

The value 1 means the user is forced to change the password at next login:
update usr set usr_change_pwd_at_next_logon = '1'
where usr_login = 'chellappan.sampath';

Thursday, May 14, 2015

Oracle Schema Version Registry

Most Oracle Fusion Middleware components require their schemas to exist in the database before installation. These schemas are created and loaded using the Repository Creation Utility (RCU).

You can run the following query, as the schema owner or a DBA, to list the schemas created through RCU along with their versions:
select * from schema_version_registry;

Enabling Auto Login WebLogic and WebLogic Managed Servers

The WebLogic admin server and its managed servers prompt for a user name and password during start up and shut down. Oracle provides an option to skip this.

A boot identity file contains the user credentials. An admin or managed server reads this file for the credentials instead of prompting for them at the command line, and the server encrypts the credentials in the file the first time it starts.

Note:
  1. If you choose Development mode when creating the domain, a boot identity file is created automatically by the domain creation wizard.
  2. If you use Node Manager to start managed servers instead of running the start script, you do not need a boot file, because Node Manager creates its own boot identity file under each server directory in "data/nodemanager".

Steps to create a boot identity file:
  1. Stop the admin server as well as the managed servers.
  2. Navigate to the server directory MW_HOME/user_projects/domains/DOMAIN_NAME/servers/SERVER_NAME (for example servers/AdminServer, or servers/oim_server1 for a managed server).
  3. Create the subdirectory security under that server directory if it does not exist.
  4. In the security directory, create a text file called boot.properties containing the following two lines and save it:
     username=<WebLogic admin user>
     password=<WebLogic admin password>
  5. Start the server; it will no longer prompt for the user name and password.
  6. The user name and password are encrypted by the server when it starts for the first time, and a timestamp of when the encryption occurred is added to the file. Until that first start the file holds the password in clear text, so restrict it to the account that runs WebLogic (for example chmod 600).

Enabling logging in OIM 11G

To debug custom code such as event handlers, scheduled tasks, connectors, etc. running in the OIM 11g server, we need to enable logging for it.

Pre-Requisite

Add the logging code to your Java class. The string passed to getLogger is the logger name (usually your package name), and it must match the logger entry configured in logging.xml below:
import java.util.logging.Level;
import java.util.logging.Logger;

private Logger logger = Logger.getLogger("blog.chella"); // logger name, matched in logging.xml

Configuration of logs in logging.xml

Go to the $DOMAIN_HOME/config/fmwconfig/servers/OIM_SERVER directory and edit the logging.xml file.

Include a log_handler inside log_handlers. The handler writes to its own file under the given path, so the directory must exist and be writable by the WebLogic user:
<log_handlers>
    <log_handler name='bloghandler' level='TRACE:32' class='oracle.core.ojdl.logging.ODLHandlerFactory'>
        <property name='logreader:' value='off'/>
        <property name='path' value='/opt/chella/oimlogs'/>
        <property name='format' value='ODL-Text'/>
        <property name='useThreadName' value='true'/>
        <property name='locale' value='en'/>
        <property name='maxFileSize' value='5242880'/>
        <property name='maxLogSize' value='52428800'/>
        <property name='encoding' value='UTF-8'/>
    </log_handler>
</log_handlers>

Include a logger inside loggers. The logger name is the name used in the Java code ("blog.chella"), the handler name refers to the log_handler defined above ("bloghandler"), and the level uses the ODL form from the table below:
<loggers>
    <logger name="blog.chella" level="TRACE:32" useParentHandlers="false">
        <handler name="bloghandler"/>
        <handler name="console-handler"/>
    </logger>
</loggers>

Java Log Level: ODL Msg:Level: Description
SEVERE.intValue()+100: INCIDENT_ERROR:1: A serious problem caused by a bug in the product.
SEVERE: ERROR:1: A serious problem that is not caused by a bug in the product.
WARNING: WARNING:1: A potential problem.
INFO: NOTIFICATION:1: A major lifecycle event.
CONFIG: NOTIFICATION:16: A finer level of granularity for reporting normal events.
FINE: TRACE:1: Trace or debug information for events.
FINER: TRACE:16: Detailed trace or debug information.
FINEST: TRACE:32: Very detailed trace or debug information.

The FINEST (TRACE:32) level gives the most detailed output. To debug your connectors, scheduled tasks, event handlers, etc., use FINEST.

Note: Make sure FINEST is disabled in production. Apart from the disk and performance cost, trace output from custom code frequently includes attribute values and request payloads that should not sit in a log file.

Saturday, May 9, 2015

Developing and Deploying Event Handlers in OIM 11G R2

In this post, we set the middle name to "MN" when the user does not provide one during the create user operation.

Below are high-level steps:
  1. Environment Setup
  2. Developing plugins
    1. Creating a JAR file with Custom Event Handler code
    2. Creating Plugin XML
    3. Creating Event Handler XML
    4. Creating a Plug-in ZIP
  3. Registering the Plug-in
  4. Testing the Event handlers

Environment Setup

The following JAR files are required to compile the event handler code:
From the OIM_ORACLE_HOME/server/platform/ directory:
         iam-platform-kernel.jar
         iam-platform-utils.jar
         iam-platform-context.jar
         iam-platform-authz-service.jar
From the OIM_ORACLE_HOME/designconsole/lib/ directory:
         oimclient.jar
         xlAPI.jar

Developing Plugins

Creating a JAR file with Custom Event Handler code


The Java code below sets the hard-coded middle name "MN" when the Middle Name parameter is missing, null or blank. The bulk execute method is implemented too, because users created through reconciliation arrive as a BulkOrchestration, and it returns an empty BulkEventResult rather than null so the kernel has nothing to dereference.
package blog.chella;

import java.io.Serializable;
import java.util.HashMap;
import com.thortech.util.logging.Logger;

import oracle.iam.platform.kernel.spi.PreProcessHandler;
import oracle.iam.platform.kernel.vo.AbstractGenericOrchestration;
import oracle.iam.platform.kernel.vo.BulkEventResult;
import oracle.iam.platform.kernel.vo.BulkOrchestration;
import oracle.iam.platform.kernel.vo.EventResult;
import oracle.iam.platform.kernel.vo.Orchestration;

public class MiddleNameExtension implements PreProcessHandler {
 private static final String MIDDLE_NAME = "Middle Name";
 private static final String DEFAULT_MIDDLE_NAME = "MN";
 private Logger logger = Logger.getLogger("blog.chella.MiddleNameExtension");

 @Override
 public void initialize(HashMap<String, String> arg0) {
  // No configuration needed for this handler
 }

 @Override
 public boolean cancel(long processId, long eventId, AbstractGenericOrchestration orch) {
  return false;
 }

 @Override
 public void compensate(long processId, long eventId, AbstractGenericOrchestration orch) {
  // Nothing to undo: the handler only adds a parameter before the create runs
 }

 // Single-user orchestration (Create User from the console or the API)
 @Override
 public EventResult execute(long processId, long eventId, Orchestration orch) {
  // Type of operation, for example CREATE, MODIFY, DELETE
  if ("CREATE".equalsIgnoreCase(orch.getOperation())) {
   // Request parameters from the OIM form (attribute label -> value)
   HashMap<String, Serializable> parameters = orch.getParameters();
   if (isBlank(parameters.get(MIDDLE_NAME))) {
    logger.debug("Middle Name not supplied, defaulting to " + DEFAULT_MIDDLE_NAME);
    orch.addParameter(MIDDLE_NAME, DEFAULT_MIDDLE_NAME);
   }
  }
  return new EventResult();
 }

 // Bulk orchestration (for example users created by reconciliation)
 @Override
 public BulkEventResult execute(long processId, long eventId, BulkOrchestration bulkOrch) {
  if ("CREATE".equalsIgnoreCase(bulkOrch.getOperation())) {
   // One parameter map per user in the batch
   HashMap<String, Serializable>[] bulkParameters = bulkOrch.getBulkParameters();
   for (HashMap<String, Serializable> parameters : bulkParameters) {
    if (isBlank(parameters.get(MIDDLE_NAME))) {
     parameters.put(MIDDLE_NAME, DEFAULT_MIDDLE_NAME);
    }
   }
  }
  return new BulkEventResult();
 }

 // A missing, null or whitespace-only value counts as "not provided"
 private static boolean isBlank(Object value) {
  return value == null || value.toString().trim().isEmpty();
 }
}
Compile the class against the JARs listed above and build the JAR from the directory that contains the compiled package (blog/chella/MiddleNameExtension.class), or use a tool such as Eclipse or JDeveloper:

jar cvf MiddleNameExtension.jar blog

Creating Plugin XML

Define the plug-in XML with the event handler plug-in point.
<?xml version="1.0" encoding="UTF-8"?>
<oimplugins>
  <plugins pluginpoint="oracle.iam.platform.kernel.spi.EventHandler">
    <plugin pluginclass="blog.chella.MiddleNameExtension" version="1.0" name="MiddleNameExtension" />
  </plugins>
</oimplugins>

Save this file as plugin.xml

Creating Event Handler XML
<?xml version='1.0' encoding='utf-8'?>
<eventhandlers xmlns="http://www.oracle.com/schema/oim/platform/kernel"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="http://www.oracle.com/schema/oim/platform/kernel orchestration-handlers.xsd">
   <!-- Custom preprocess event handler for middle name -->
   <action-handler class="blog.chella.MiddleNameExtension" entity-type="User" operation="CREATE" name="MiddleNameExtension" stage="preprocess" order="FIRST" sync="TRUE"/>
</eventhandlers>

Save this file as MiddleNameExtension.xml

In OIM 11G R1, this XML is imported into OIM (MDS) using weblogicImportMetadata.sh.

In OIM 11G R2, it can be kept in the META-INF folder of the plug-in ZIP instead.

Note: All event handler XML files must use the exact namespace http://www.oracle.com/schema/oim/platform/kernel (no trailing slash). If the namespace is wrong, the OIM Orchestration engine will not recognise the file as an event handler definition and, as a result, the plug-in will never be triggered.

Creating a Plug-in ZIP


Plug-in zip structure:

MiddleNameExtension.zip
    plugin.xml
    lib/
        MiddleNameExtension.jar
    META-INF/
        MiddleNameExtension.xml

Package the plug-in XML (plugin.xml), the JAR (lib/MiddleNameExtension.jar) and the event handler XML (META-INF/MiddleNameExtension.xml) as a ZIP file.


Register the Plug-in ZIP in the OIM Server

We need to set the environment variables below before running the script.
export APP_SERVER=weblogic
export ANT_HOME=/opt/middleware/modules/org.apache.ant_1.7.1
export JAVA_HOME=/opt/java/jdk1.7.0_02
export PATH=/opt/java/jdk1.7.0_02/bin:/opt/middleware/modules/org.apache.ant_1.7.1/bin:$PATH
export MW_HOME=/opt/middleware
export WL_HOME=/opt/middleware/wlserver_10.3
export DOMAIN_HOME=/opt/middleware/user_projects/domains/base_domain

Run the script below from the OIM_HOME/plugin_utility directory to register the plug-in:
ant -f pluginregistration.xml register

It will ask for the following details after the command is run:
1. OIM Admin User Name: xelsysadm
2. OIM Admin Password: the xelsysadm password (it is prompted for; do not put it in a script or shell history)
3. OIM T3 URL: t3://localhost:14000
4. Context Factory: weblogic.jndi.WLInitialContextFactory (for WebLogic)
5. Plugin zip file location: the absolute path of the ZIP

The plug-in (event handler) is then registered. Use the unregister target of the same script to remove it.

Clear the OIM Cache

After registering the plug-in, run the Purge Cache utility so that the server discards its cached metadata and picks up the new plug-in.

Run OIM_HOME/bin/PurgeCache.sh All and it will ask for the following details:
1. OIM Admin User Name: xelsysadm
2. OIM Admin Password: the xelsysadm password
3. OIM T3 URL: t3://localhost:14000

Testing The Event Handlers

Log in to the OIM Identity Console >> Users >> Create User >> enter the user's First Name, Last Name, Login ID, Password, Organization Name and User Type, leave Middle Name empty, and click Save. The console reports that the user was created successfully and shows the Middle Name as "MN". Creating a second user with a middle name supplied confirms that the handler leaves a provided value alone.

Wednesday, May 6, 2015

Creating a wlfullclient.jar

The purpose of wlfullclient.jar is to let a client application talk to WLS Full Client (T3), JMX, JMS and web-service based applications deployed on a WebLogic server. Instead of adding a lot of WebLogic-specific JARs to the client, this single wlfullclient.jar is enough to interact with the server.

With respect to OIM, wlfullclient.jar is needed on the client side (for example the Design Console, the upload JAR utilities, etc.) because the T3 protocol is used to communicate with the WebLogic and OIM servers.

Steps to generate wlfullclient.jar:

1.    Setting the CLASSPATH
Go to the OIM_DOMAIN/bin directory and run the following command:
. ./setDomainEnv.sh
2.    Generating wlfullclient.jar
Go to the WL_HOME/server/lib directory and run either of the following commands:
java -jar wljarbuilder.jar
OR
java -jar ../../../modules/com.bea.core.jarbuilder_1.3.0.0.jar

This generates wlfullclient.jar in the current directory. The JAR should then be bundled with the client application. Note that setDomainEnv.sh has to be sourced (with a leading dot) rather than executed, otherwise the variables it sets are lost when the script exits.