Automating CSF Key Credentials Configurations

What are CSF Key Credentials?

A credential store is a repository of security data (credentials). A credential can hold a username and password combination, a ticket, or a public key certificate.

The Credential Store Framework (CSF) is the Oracle Platform Security Services (OPSS) API that applications use to create, read, update, and delete credentials securely, without touching the underlying store directly.

CSF Uses:

The credential store is mainly used to hold the credentials (username and password) that SOA composites and adapters need in order to call external services and applications, so that passwords are not hard-coded in the deployed artifacts.

Use Case Scenario: 

We had a requirement to configure the SOA CSF Key Credentials programmatically using an automated process.

Solution

The credential store can be configured with WLST commands; to run the same commands automatically at deployment time, they are wrapped in an Ant target.

Step 1: Open a Windows Command Prompt or Linux/Unix Shell Terminal to start the WebLogic Server Administration Scripting Shell utility. Enter the following, depending on the system.

(Windows Command Prompt)

C:\Users\<<username>>> cd <<ORACLE_HOME>>\wlserver\common\bin

<<ORACLE_HOME>>\wlserver\common\bin> wlst

(Unix/Linux Shell Terminal)

[oracle@myhost ]$ cd <<ORACLE_HOME>>/wlserver/common/bin

[oracle@myhost bin]$ ./wlst

Step 2: At the WLST utility prompt, connect to the Admin Server.

wlst:/offline> connect('weblogic','welcome1','t3://localhost:7001')

The password is typed inline here only for illustration. For scripted runs, generate an encrypted user-configuration file once with storeUserConfig() and connect with connect(userConfigFile=<<path>>, userKeyFile=<<path>>, url='t3://localhost:7001'), so that the administrator password does not appear in scripts or shell history.

Step 3: Once connected to the Admin Server, the following commands can be executed.

(For CSF Key Creation)

createCred(map=<<keyMapName>>,key=<<keyName>>,user=<<keyUser>>,password=<<keyPass>>,desc=<<keyDesc>>)

(For CSF Key Update)

updateCred(map=<<keyMapName>>,key=<<keyName>>,user=<<keyUser>>,password=<<keyPass>>,desc=<<keyDesc>>)

(For CSF Key Deletion)

deleteCred(map=<<keyMapName>>,key=<<keyName>>)

Automating CSF Key Credentials

Automation of CSF Key Credential Configuration at deployment time

ANT Scripts can be used to automate CSF Key Credential Configuration at deployment time.

<!-- Requires the WLST Ant task: <taskdef name="wlst" classname="weblogic.ant.taskdefs.management.WLSTTask"/> with the WebLogic jars on its classpath.
     Pass admin.password and password in from the caller (e.g. -D properties) rather than writing them into build.xml. -->
<target name="createCSFKeyCred">
  <wlst debug="false" arguments="${admin.username} ${admin.password} ${admin.server} ${map} ${keyCredentialsName} ${user} ${password} ${desc}">
    <script>
adminUser=sys.argv[0]
adminPassword=sys.argv[1]
adminUrl=sys.argv[2]
keyMap=sys.argv[3]
keyName=sys.argv[4]
keyUser=sys.argv[5]
keyPass=sys.argv[6]
keyDesc=sys.argv[7]
print('Connecting to WLST Server')
connect(adminUser,adminPassword,adminUrl)
print('Creating Security Credentials')
createCred(map=keyMap,key=keyName,user=keyUser,password=keyPass,desc=keyDesc)
print('Disconnecting...')
disconnect()
    </script>
  </wlst>
</target>
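As an added example (not part of the original post), the same automation as a stand-alone WLST script that reads the CSF key settings from a properties file instead of command-line arguments, validates them, and creates the key or updates it if it already exists. The property names (admin.url, admin.userConfigFile, csf.map and so on) are this script's own convention. It must be run with WLST, which supplies connect, createCred, updateCred and disconnect; parse_props and validate are plain Python so they can be checked outside WLST.

```python
# Added example, not from the original post: a WLST (Jython) script that reads the
# CSF key settings from a properties file and creates the key, or updates it if it
# already exists. Run it with WLST, not plain Python:
#   $ORACLE_HOME/wlserver/common/bin/wlst.sh csf_upsert.py csf.properties
# connect/createCred/updateCred/disconnect exist only inside WLST; parse_props and
# validate are plain Python. The property names are this script's own convention.
import sys

REQUIRED = ("admin.url", "csf.map", "csf.key", "csf.user", "csf.password")


def parse_props(text):
    """Parse name=value lines; blank lines and '#' comments are ignored."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError("malformed line: %r" % line)
        name, value = line.split("=", 1)   # values may themselves contain '='
        props[name.strip()] = value.strip()
    return props


def validate(props):
    """Return a list of problems; an empty list means the configuration is usable."""
    errors = ["missing %s" % k for k in REQUIRED if not props.get(k)]
    # Admin credentials: either a plaintext admin.user/admin.password pair, or the
    # userConfigFile/userKeyFile pair written by WLST storeUserConfig() (preferred,
    # because the admin password then never sits in a readable file).
    has_plain = props.get("admin.user") and props.get("admin.password")
    has_files = props.get("admin.userConfigFile") and props.get("admin.userKeyFile")
    if not (has_plain or has_files):
        errors.append("need admin.user/admin.password or admin.userConfigFile/admin.userKeyFile")
    url = props.get("admin.url", "")
    if url and not (url.startswith("t3://") or url.startswith("t3s://")):
        errors.append("admin.url must be a t3:// or t3s:// URL, got %r" % url)
    return errors


def connect_admin(props):
    """Connect to the Admin Server, preferring the encrypted user-config files."""
    if props.get("admin.userConfigFile"):
        connect(userConfigFile=props["admin.userConfigFile"],
                userKeyFile=props["admin.userKeyFile"], url=props["admin.url"])
    else:
        connect(props["admin.user"], props["admin.password"], props["admin.url"])


def upsert_cred(props):
    """createCred fails when the map/key already exists, so fall back to updateCred."""
    args = dict(map=props["csf.map"], key=props["csf.key"], user=props["csf.user"],
                password=props["csf.password"], desc=props.get("csf.desc", ""))
    try:
        createCred(**args)
        return "created"
    except Exception:
        updateCred(**args)
        return "updated"


def main(argv):
    if len(argv) != 1:
        print("usage: wlst.sh csf_upsert.py <properties-file>")
        return 2
    props = parse_props(open(argv[0]).read())
    problems = validate(props)
    if problems:
        for problem in problems:
            print("config error: " + problem)
        return 1
    connect_admin(props)
    try:
        result = upsert_cred(props)
        print("credential %s: %s/%s" % (result, props["csf.map"], props["csf.key"]))
    finally:
        disconnect()
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Keep the properties file readable only by the account that runs the deployment (it still contains the credential being stored), and prefer the userConfigFile/userKeyFile pair for the admin connection so the WebLogic administrator password is never written to it.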


Creating Your Own IoT Showcase Using Oracle SOA Suite

Oracle Fusion Middleware 12c introduces a wealth of new features and capabilities, and continues to surpass expectations in the realm of performance and scalability as the leading strategic Event Stream Processing Platform from Oracle.

Recently, we worked on showcasing the capabilities of Oracle Fusion Middleware to process and analyze a large volume of high velocity data generated by Internet of Things (IoT) devices in real time.  This use case involved measuring the temperature of shipping containers during transit, and reporting on the status in real time.  Since the container contents were temperature sensitive, the temperature had to be maintained within given upper and lower values.  The ideal solution provides real-time alerts and intelligence allowing the user to flag the shipping carrier and make business decisions (such as either recalling or taking corrective action on the shipment) during transit.

As part of the demo, we built an IoT device using off-the-shelf components.  This device contained temperature, humidity, and location sensors, and was set up in a custom-printed 3D enclosure.  In a typical case, there would be multiple sensors deployed across several locations monitoring and measuring various factors as needed, and relaying this information in real time to the backend system for processing and analysis.  To receive and process data from the IoT device, we built a solution using Oracle Complex Event Processing (Stream Analytics) and Business Activity Monitoring to receive and process this data in real time, and present it as a dashboard.

The following videos provide a high level overview of the use case followed by the actual demo.  In the coming weeks, we will guide you on how to build your very own IoT showcase using the Oracle SOA Suite platform.  Stay tuned!

IoT Introduction and Business Use Case

IoT Demo

Resolving GTC Issues in Oracle Identity Manager

The GTC (Generic Technology Connector) is used to build connectors for target systems such as flat-file imports via FTP or SPML-based provisioning over Web Services. It can be used to integrate with OIM those target systems that do not need complicated provisioning process flows.

The GTC can be created in OIM using the web-based point-and-click graphical wizard, which clearly shows the user the data flows being defined within the connector. This reduces the deployment timelines.

In this post, we'll demonstrate how to resolve a GTC issue encountered while configuring a CSV file for use in reconciliation in OIM 11gR2 PS3.

Issue: When a Flat File Trusted Generic Technology Connector (GTC), created by following the standard wizard steps, is saved, the save fails and the following errors appear in the OIM diagnostic log:

<Nov 3, 2016 3:09:20 PM IST> <Error> <XELLERATE.WEBAPP> <BEA-000000> <Class/Method: CreateGenConnectorAction/createGenericConnectorSuccess encounter some problems: java.lang.NullPointerException
oracle.iam.platform.utils.ServiceInitializationException: java.lang.NullPointerException at oracle.iam.platform.Platform.getService(Platform.java:277)
<Nov 3, 2016 3:09:20 PM IST> <Error> <XELLERATE.DATABASE> <BEA-000000> <Class/Method: DirectDB/getConnection encounter some problems: Error while retrieving database connection.Please check for the following
  - Database server is running.
  - Datasource configuration settings are correct.
java.sql.SQLException: java.sql.SQLException: Exception occurred while getting connection: oracle.ucp.UniversalConnectionPoolException: Cannot get Connection from Datasource: java.sql.SQLRecoverableException: IO Error: Invalid connection string format, a valid format is: "host:port:sid" at com.thortech.xl.util.DirectDB$DBPoolManager.getConnection(DirectDB.java:441)

Solution: Correct the maxConnections and url values of the DirectDB configuration in the OIM MDS file /db/oim-config.xml, as shown below:

Existing Value:

MaxConnections = 5
Url = jdbc:oracle:thin:@[Host DB IP]:1521/orcl

Sample Expected Value:

MaxConnections = 25
Url = jdbc:oracle:thin:@<OIM_DB_HOST_IP>:<OIM_DB_PORT>/<OIM_DB_SID>

Note: Replace the placeholders with the actual host, port, and SID of the OIM database; a bracketed placeholder such as [Host DB IP] left in the file is exactly what produces the "Invalid connection string format" error above. The error text names host:port:sid as the format the DirectDB pool accepts, so if the service-name form with a slash is still rejected, use jdbc:oracle:thin:@<OIM_DB_HOST_IP>:<OIM_DB_PORT>:<OIM_DB_SID> instead.
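As an added example (not part of the original post), a small checker for the DirectDB url value before it is imported back into MDS. It recognises the three forms the Oracle thin driver accepts (host:port:SID, host:port/service and //host:port/service), rejects unreplaced placeholders like the one in the existing value above, and can rewrite a service-name URL into the host:port:sid form the error message asks for. The URLs in the test are constructed for illustration.

```python
# Added example, not from the original post: a checker for the DirectDB JDBC thin URL
# in oim-config.xml. It recognises the forms the Oracle thin driver accepts
# (host:port:SID, host:port/service, //host:port/service) and reports what it finds,
# so a malformed or placeholder value is caught before the MDS import instead of at
# the first GTC save. TNS descriptor URLs and bracketed IPv6 literals are not handled.
import re

_PREFIX = "jdbc:oracle:thin:@"
# host:port:SID, the form the DirectDB error in the log names as valid
_SID_FORM = re.compile(r"^(?P<host>[^:/@\[\]\s]+):(?P<port>\d{1,5}):(?P<sid>[A-Za-z0-9_$#.-]+)$")
# host:port/SERVICE and //host:port/SERVICE, the service-name forms
_SERVICE_FORM = re.compile(r"^(?://)?(?P<host>[^:/@\[\]\s]+):(?P<port>\d{1,5})/(?P<service>[A-Za-z0-9_$#.-]+)$")


def parse_thin_url(url):
    """Return {'form', 'host', 'port', 'name'} or raise ValueError with the reason."""
    if not url.startswith(_PREFIX):
        raise ValueError("URL must start with %s" % _PREFIX)
    rest = url[len(_PREFIX):]
    if rest.startswith("("):
        raise ValueError("TNS descriptor form is not handled by this checker")
    if "[" in rest:
        # e.g. the '[Host DB IP]' placeholder left behind in the file
        raise ValueError("host looks like an unreplaced placeholder: %r" % rest)
    m = _SID_FORM.match(rest)
    if m:
        form, name = "sid", m.group("sid")
    else:
        m = _SERVICE_FORM.match(rest)
        if not m:
            raise ValueError("expected host:port:sid or host:port/service after '@', got %r" % rest)
        form, name = "service", m.group("service")
    port = int(m.group("port"))
    if not 1 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    return {"form": form, "host": m.group("host"), "port": port, "name": name}


def to_sid_form(url):
    """Rewrite a URL into host:port:SID, the format the DirectDB error message asks for.
    Only correct when the service name really is the SID; SID-form input comes back unchanged."""
    p = parse_thin_url(url)
    return "%s%s:%d:%s" % (_PREFIX, p["host"], p["port"], p["name"])


def check_direct_db(url, max_connections):
    """Problems with a DirectDB (url, maxConnections) pair; an empty list means OK."""
    problems = []
    try:
        parse_thin_url(url)
    except ValueError as e:
        problems.append("url: %s" % e)
    if not isinstance(max_connections, int) or max_connections < 1:
        problems.append("maxConnections must be a positive integer, got %r" % (max_connections,))
    return problems
```

Run check_direct_db against the values you are about to put into oim-config.xml; an empty list means the URL is well formed (it does not prove the database is reachable, which the import step will show).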

We have two approaches to performing the above changes:

Approach 1: Use the standard EM console.

Approach 2: Use weblogicExportMetadata.sh & weblogicImportMetadata.sh standard OOB OIM utility.

We’ll go into more detail below.

APPROACH 1 – Using the standard EM console

Using the EM console should be the preferred approach, since it reduces the possibility of making errors in the configuration files. Verify the existing values and save them as a backup before changing them, using the steps below:

Step 1: Log in to the OIM EM console at http://<EM_HostIP>:<EM_HostPort>/em

Step 2: Click on Identity and Access > OIM > oim(11.1.2.0.0)


Step 3: Click on drop down Oracle Identity Manager > System MBean Browser


Step 4: Click on Application Defined MBeans > oracle.iam


Step 5: Click on XMLConfig > Config


Step 6: Click on XMLConfig.DirectDBConfig > DirectDB

Make the changes below and click Apply.

MaxConnections = 25
Url = jdbc:oracle:thin:@<OIM_DB_HOST_IP>:<OIM_DB_PORT>/<OIM_DB_SID>


Step 7: Verify the changes.

APPROACH 2 –  Using weblogicExportMetadata.sh & weblogicImportMetadata.sh standard OOB OIM utility

If you prefer to perform the changes manually from the command line, here are the steps. The EM console is still the recommended route for such changes, because it avoids accidental edits elsewhere in the file. Always make a backup copy of the files you will be editing before making any changes. Use the weblogicExportMetadata.sh and weblogicImportMetadata.sh out-of-the-box OIM utilities available under $MW_HOME/Oracle_IDM/server/bin.

Please note that oim-config.xml is exported under the standard /db folder (for example, /tmp/export_04112016/db). In the steps below, MW_HOME refers to the Middleware installation folder and OIM_ORACLE_HOME refers to the OIM installation folder.

Step 1: Check the parameter values in the file weblogic.properties under /app/oracle/middleware/Oracle_IDM/server/bin/

Step 2: Go to $MW_HOME/Oracle_IDM/server/bin  & run ./weblogicExportMetadata.sh

Below is the folder structure once the export is done successfully:


Step 3: Modify the oim-config.xml file as suggested under the Solution section above, and place it under /tmp/import_04112016/db

Step 4: Go to /app/oracle/middleware/Oracle_IDM/server/bin & run ./weblogicImportMetadata.sh

Step 5: Verify the changes using Step 2.

Now, create the GTC again using the standard steps. If the issue persists, restart Admin and OIM-managed server after clearing the temp cache directory.

As always, if you have any questions regarding this process or our provided solution, please do not hesitate to post a comment below, and our team will get back to you.


Tech Shorts – WebLogic Server 12.2.1.1 – EM and Console Slow Response

We recently implemented a complete Oracle Fusion Middleware 12c (12.2.1.1) Stack for a client based on Oracle SOA Enterprise Deployment Guide (EDG). The design focus was to implement a highly available and scalable clustered environment which contained OSB, SOA, MFT, OWSM, ESS, BAM managed servers, and a highly available Admin Server. Each of the managed servers had their own dedicated VM with an active-passive Admin Server cluster. We performed extensive tuning and load testing to make sure the system can function under demand.

However, as we migrated to higher environments, the deployments screen would take a long time to render, even though all the deployed applications functioned as expected without any issue. It sometimes resulted in timeouts and would cause application deployments to fail. The overall performance of both the WebLogic Console and Enterprise Manager was sluggish, particularly affecting the deployment screen, with wait times of over 30 mins to render a single click action! If some of the servers were shutdown, the load time would improve slightly, but it was not a viable option to keep the server shut down. From the log files, everything appeared to be normal and there were no error messages.

Working together with Oracle Support, we noticed that in some of the thread dumps and Java Flight Recordings, a few of the managed beans took too long to respond and this was later identified as a known defect. In order to confirm that this was the issue, we disabled the new thread self-tuning functionality added in this release of WebLogic Server. In order to disable the new thread self-tuning functionality, we added the following JVM start-up parameter to all the WebLogic Servers and restarted.

-Dweblogic.UseEnhancedIncrementAdvisor=false   

After the restart, the WebLogic Console was significantly improved and the deployment screen would load in a few seconds, a great improvement from the 30 minutes before the thread tuning setting was applied.

This verified that the performance issue was caused by the newly added functionality, and the temporary workaround was to disable it. At the time of writing this post, Oracle has released a patch that fixes the issue. The high-level steps are as follows:

  1. Remove the parameter -Dweblogic.UseEnhancedIncrementAdvisor=false from all WebLogic Server startup
  2. Apply Patch 23762529 for WLS 12.2.1.1.0 to all the servers in the domain
  3. Restart all the servers and test by logging in to console and clicking on the Deployments tab
  4. If it works, then apply Patch 24901211 for WLS 12.2.1 to all servers in the domain
  5. Restart all the servers and test

This should resolve the performance issues caused by the new thread self-tuning functionality.


Changing the XELSYSADM Password in OIM 11gR2

It is sometimes necessary to change the password of the Oracle Identity Manager (OIM) System Administrator, known as XELSYSADM. As this user has many dependencies in OIM, the XELSYSADM password has to be changed using the WLS utility. Previously (in version 10g), this was a small task, but with the introduction of OIM 11g, new approval workflows, and other security features, this task is now somewhat involved and needs to be executed with care.

Some instructions suggest changing the XELSYSADM password from the OIM Identity Console, with a couple of CSF keys from the EM console – that’s it!  This may be true in some cases, but not in all.  If you have LDAP sync enabled or OIM integrated with OAM, following those steps is not enough.  In this case, the best way to change the system admin user password is through the oimadminpassword_wls.sh utility.

The oimadminpassword_wls.sh utility is available in the <ORACLE_HOME>/server/bin directory.  Running this utility is quite simple, as you just need to provide the values of certain parameters in the oimadminpassword_wls.properties file, then run the shell (.sh) file in your Linux environment.  Keep in mind, however, that this is not applicable if your OIM is on a Windows environment.  There is no batch file for a Windows environment.

If we open the oimadminpassword_wls.sh script and look at the command it runs, we can see that the password change is performed by a single Java class. That class can be run directly, even if your OIM environment is on a Windows box.

The following are common steps to be executed, regardless of environment (e.g., Linux or Windows):

  1. Log in to the EM console with the WebLogic user credentials.
  2. Expand the WebLogic Domain, right click OIAM_domain, and navigate to Security > Credentials.
  3. On the Credentials page, Expand ‘oim’ and select ‘sysadmin’, then click on the Edit icon to change the XELSYSADM credentials from the pop-up window.

4. Repeat step 3, above, for the oim.sysadminmap (CSF key: sysadmin) and oracle.wsm.security (CSF key: OIMAdmin) CSF maps.

Follow the steps below to change the password for the XELSYSADM user (System Administrator or any other user) in a Linux environment:

  1. Open a terminal.
  2. Go to the <OIM_ORACLE_HOME>/server/bin directory.
  3. Open the oimadminpasswd_wls.properties file from the <OIM_ORACLE_HOME>/server/bin directory.
  4. Update the following content in the oimadminpasswd_wls.properties file. (Example values are provided for each attribute present in the file. These are sample values only; you must change all values as appropriate for your environment.)
  5. Execute ./oimadminpasswd_wls.sh oimadminpasswd_wls.properties on the command line. It prompts for the OIM DB schema password, the LDAP administrator password (when LDAP sync or OAM integration is enabled), and the new XELSYSADM password (entered twice). Provide the correct input for each prompt.
  6. A confirmation message should be received after successful execution of the utility.

Follow the steps below to change the password for the XELSYSADM user (System Administrator or any other user) in a Windows environment:

1.  Open the command prompt and run the following command, as appropriate. The OIMAdminPasswordReset_WLS class lives in the OIM server jars, so run java with the same classpath (-cp) that oimadminpasswd_wls.sh assembles; the Windows examples below use backslashes throughout.

a.  Run the command below if you have OIM-OAM integration enabled or LDAP sync enabled:

<JAVA_HOME>\bin\java -cp <classpath from oimadminpasswd_wls.sh> -Doracle.security.jps.config=<DOMAIN_HOME>\config\fmwconfig\jps-config-jse.xml -DDOMAIN_HOME=<DOMAIN_HOME> oracle.iam.platform.utils.OIMAdminPasswordReset_WLS jdbc:oracle:thin:@<DB_HOST>:<DB_PORT>:<SID> <OIM_SCHEMA_OWNER> xelsysadm ldap://<LDAP_HOST>:<LDAP_PORT> <LDAP_ADMIN_USER> cn=xelsysadm,cn=Users,dc=example,dc=com

b.  If you do not have LDAP sync or OIM-OAM integration enabled, run the command below:

<JAVA_HOME>\bin\java -cp <classpath from oimadminpasswd_wls.sh> -Doracle.security.jps.config=<DOMAIN_HOME>\config\fmwconfig\jps-config-jse.xml -DDOMAIN_HOME=<DOMAIN_HOME> oracle.iam.platform.utils.OIMAdminPasswordReset_WLS jdbc:oracle:thin:@<DB_HOST>:<DB_PORT>:<SID> <OIM_SCHEMA_OWNER> xelsysadm

where:

  <JAVA_HOME> is the JDK directory, e.g. C:\Java\jdk1.7.0_51
  <DOMAIN_HOME> is the domain directory, e.g. C:\Oracle\Middleware\user_projects\domains\iam_domain
  <OIM_SCHEMA_OWNER> is the OIM schema user, e.g. DEV_OIM
  <DB_HOST> is the hostname of the database server
  <DB_PORT> is the database listener port, e.g. 1521
  <SID> is the database SID, e.g. orcl
  <LDAP_HOST> is the hostname of the OID or AD server used for LDAP sync
  <LDAP_PORT> is the LDAP port, e.g. 3060 for OID
  <LDAP_ADMIN_USER> is the LDAP administrator, e.g. cn=orcladmin

2. After running the command, enter the password for the DB Schema user and LDAP admin user.  Also, enter the new password for XELSYSADM you wish to set.

Enter the following after running the script to complete the password change for XELSYSADM:

  • OIM DB Schema Password
  • LDAP Administrator Password
  • OIM Administrator XELSYSADM new password
  • Re-enter OIM Administrator XELSYSADM new password

As always, if you have any questions about the processes or ideas presented here, please leave us a comment below.


Oracle Identity Cloud Service Integration with Salesforce

As promised in an earlier blog post, we are continuing our exploration of Oracle Identity Cloud Service (IDCS) this week.  In this post, we’ll provide some insight on IDCS Integration with Salesforce to achieve Single Sign-On (SSO).  Herein are the various steps involved in achieving this.

Note:  We did not have a Salesforce instance available for this demo, so we used the developer version of Salesforce.  The Salesforce developer edition is fairly easy to obtain – just sign up at https://developer.salesforce.com/signup.  After signing up, we received an email with the credentials and were set to go.

High-Level Integration Steps

IDCS–Salesforce integration can be achieved using the following steps:

  1. Create test users in Oracle IDCS.
  2. Create the same test users in Salesforce as were created in IDCS in Step 1.
  3. Register the Salesforce Domain.
  4. Extract Identity Provider Metadata from IDCS and import to Salesforce.
  5. Extract Service Provider Metadata from Salesforce and import to IDCS.
  6. Test the login.

Detailed Steps

The details of each step are provided below.

Step 1:  Upload users in Oracle IDCS via CSV import. This step is the same as illustrated in the previous blog post on IDCS.

Step 2:  Create users in Salesforce.

a.  Log in to Salesforce.

b.  Click on Manage Users link.


c.  Click on Users.


d.  Click New User button.


e.  Fill in the user details in the form, shown below, making sure that the username is the same as the username in IDCS.


f.  Click the Save button and make sure that the newly created user is visible in the list.


Step 3:  Register the Salesforce Domain.

a.  Log in to Salesforce.

b.  Click on Domain Management.


c.  Click on My Domain.


d.  The My Domain page is shown below.


e.  Enter the domain name and click the Check Availability button.


f.  Click the Register Domain button.


g.  User receives an email confirmation. Please note that this can sometimes take a day to receive.

h.  To complete the domain registration, follow the instructions in the email.

Step 4:  Extract Identity Provider Metadata from IDCS and import to Salesforce.

Follow the steps below to extract the Identity Provider metadata from IDCS.

a.  Open the IDCS IdP metadata URL in a browser: https://xxxxx.identity.oraclecloud.com/fed/v1/Metadata

b.  Enter your username and password when prompted to log in.


c.  Click on the File menu and select Save As.


d.  Enter the name of the file and click the Save button.


Follow the steps below to Import Metadata to Salesforce.

a.  Log in to Salesforce at: https://serene-dev-ed.my.salesforce.com

b.  Click on Security Controls, then Single Sign-On Settings.


c.  The Single Sign-On settings page is shown below.


d.  Click the New from Metadata File button.


e.  Enter Name of Identity provider and select the extracted IDCS file.


f.  Click the Create Button.


g.  Click Save.


h.  Click the Edit button.


i.  Check the SAML Enabled box. Click Save.


j.  The page will look like that shown below.


k.  Click on Domain Management > My Domain.


l.  Click the Edit button under Authentication Configuration.


m.  Click on Deploy to Users button to deploy the domain to the users.


Step 5:  Extract Service Provider Metadata from Salesforce and import to IDCS.

Follow the steps below to extract the Service Provider metadata from Salesforce.

a.  Log in to Salesforce at: https://serene-dev-ed.my.salesforce.com

b.  Click on Security Controls, then Single Sign-On Settings.


c.  Click on SAML Single Sign-On Settings.


d.  Click the Download Metadata button and save the file.


e.  Click on the IDCS MetaData link and note the following values. Also, download the signing certificate.

  • logoutRequestUrl
  • partnerProviderId
  • assertionConsumerUrl

f.  Click on Certificate and Key Management.


g.  Click the SelfSignedCert_29Dec2016_073349 link from the Certificates panel and click the Download Certificate button to save the file.


Follow the steps below to import the Salesforce SP metadata into IDCS.

a.  Obtain an access token from IDCS as an administrator.

URL: the IDCS OAuth2 token endpoint (https://<tenant>.identity.oraclecloud.com/oauth2/v1/token)

Headers: Authorization: Basic <base64 of client_id:client_secret> for a confidential IDCS client application

Operation: POST

Data: grant_type=password with the admin user name, password, and scope (form-encoded)

Example:


b.  Use the above access token to create the SAML application through the REST API.

URL: the IDCS Apps endpoint (https://<tenant>.identity.oraclecloud.com/admin/v1/Apps), not the token endpoint

Headers: Authorization: Bearer <access token>; Content-Type: application/json

Operation: POST

Data: a JSON body using the IDCS App SCIM schema with the SAML service-provider extension, populated with the partnerProviderId, assertionConsumerUrl, logoutRequestUrl, and signing certificate taken from the Salesforce metadata


Step 6:  Test the login.

a.  Log in to Salesforce at: https://serene-dev-ed.my.salesforce.com.  You should be redirected to the IDCS login page.


b.  Enter username and password.

c.  User is now logged in to Salesforce successfully!


Optionally, follow these steps to verify the underlying SAML exchange.

a.  Behind the scenes, the Salesforce service provider sends a signed authentication request to IDCS (which can be seen in the SAML tracer plugin in Chrome).

b.  IDCS Identity Provider sends a signed assertion response confirming the user’s identity.


As always, if you have any questions about these steps to Integrate IDCS with Salesforce, please do not hesitate to leave us a comment below!


Oracle Identity Cloud Service Integration with Oracle Eloqua Marketing Cloud Service

Oracle launched its Identity Cloud Service (IDCS) in the fall of 2016.  IDCS is designed on Microservice architecture, which aligns with the Cloud principles of Scalability, Elasticity, Resilience, Ease of Deployment, Functional Agility, Technical Adoption, and Organization Alignment.  Moreover, IDCS is intended to provide a set of hybrid identity features to maintain a single identity for each user across on-premises and in-the-cloud services, while delivering a seamless user experience.

This blog is the first of a multi-part series that will focus on providing insights and common use cases for IDCS.  In this post, we will discuss how an integration with IDCS can simplify user authentication and single-sign-on capabilities for Oracle Eloqua Marketing Cloud Service.  This blog post highlights the federation capability of IDCS.

High-Level Integration Steps

IDCS–Oracle Eloqua integration can be achieved using the following steps:


Step 1:  Upload users in Oracle IDCS via CSV import.

Step 2:  Create users in Oracle Eloqua Marketing Cloud Service.

Step 3:  Extract Identity Provider Metadata from IDCS and import to Oracle Eloqua Marketing Cloud Service.

Step 4:  Extract Service Provider Metadata from Oracle Eloqua Marketing Cloud Service and import it into IDCS.

Step 5:  Test the login.

In general, these high-level steps will remain the same for IDCS integration with any other Oracle Cloud Product.

Detailed Steps

The details of each step are listed below.

Step 1:  Upload users in Oracle IDCS via CSV import.

a.  Create a CSV file. A sample CSV file can be found in the Oracle documentation.


Sample file to create users in IDCS and Eloqua


b. Log in to IDCS.

c.  Click on the Users tab.


d.  Click on the Import button.


e.  Click the Browse button.

f.  Select UserImport.csv.

g.  Click the Import button.


h.  User import completed.

i.  Click on the Job tab and verify the user import status.


j.  Click on the User tab and validate the created users.


Step 2:  Create users in Oracle Eloqua Marketing Cloud Service.

a.  Log in to Oracle Eloqua Marketing Cloud Service.

b.  The Oracle Eloqua Marketing Cloud home page looks like this:

c.  Click on Contact from the Audience tab.

d.  Click the Upload button.


e.  Select the CSV file.


f.  Click the cloud to upload the file.


g.  Select the file that contains the users which need to be created in Oracle Eloqua Marketing Cloud Service.


h.  Validate the user details and click the Next Step button.


i.  Click the Next Step button.


j.  Select the root folder.


k.  Click the Finish button.

l.  The User is created.

Step 3:  Extract Identity Provider Metadata from IDCS and import to Oracle Marketing Cloud.

Follow the steps below to extract the Identity Provider metadata from IDCS.

a.  Open the IDCS IdP metadata URL in a browser: https://xxxxx.identity.oraclecloud.com/fed/v1/Metadata

b.  Enter your user name and password when prompted to log in.


c.  Click on the file menu and select Save As.


d.  Enter the name of the file and click the Save button.


Follow the steps below to Import Metadata to Oracle Eloqua Marketing Cloud Service.

a.  Log in to Oracle Eloqua Marketing Cloud Service: https://login.eloqua.com/


b.  Click the Settings icon in the upper right corner of the screen.


c.  Click on View Users.


d.  Click the Single Sign On tab, then click on Identity Provider Setting.


e.  The Identity Provider Management dashboard is displayed, as seen below:


f.  Click on the Upload Identity Provider from Metadata button.


g.  Enter the name of the Identity Provider and select the extracted IDCS file.


h.  Click the Open button.


i.  Click the Save Button.

Step 4:  Extract Service Provider Metadata from Oracle Eloqua Marketing Cloud and import to IDCS.

Follow the steps below to extract the Service Provider metadata from Oracle Eloqua Marketing Cloud.

a.  Log in to Oracle Eloqua Marketing Cloud Service: https://login.eloqua.com/. Click on the Settings icon in the upper right corner.


b.  Click on View Users.


c.  Click the Single Sign-On tab, then click on Identity Provider Settings.


d.  The Identity Provider Management dashboard is displayed, as shown below:


e.  Click on the IDCS Metadata link and note the following values. Also, download the signing certificate.

  • logoutRequestUrl
  • partnerProviderId
  • assertionConsumerUrl


f.  Click the Single Sign-On tab, then click on Certificate Setup.


g.  Click on Service Provider Certificate for IDCS Metadata.


h.  Click the Download button.


i.  Finish.

Importing Oracle Eloqua Marketing Cloud Service SP Metadata into IDCS.

At the time of writing, IDCS does not offer a UI for adding Service Provider metadata or for similar changes to the SAML settings. These functions are exposed as REST APIs, so any such addition or change is made with curl or a REST client (the Poster browser plugin was used for the examples here).

Importing Service Provider metadata into IDCS is a two-step process.

a.  Obtain an access token from IDCS as an administrator.

URL: the IDCS OAuth2 token endpoint (https://<tenant>.identity.oraclecloud.com/oauth2/v1/token)

Headers: Authorization: Basic <base64 of client_id:client_secret> for a confidential IDCS client application

Operation: POST

Data: grant_type=password with the admin user name, password, and scope (form-encoded)

Example:


b.  Use the above access token to create the SAML application through the REST API.

URL: the IDCS Apps endpoint (https://<tenant>.identity.oraclecloud.com/admin/v1/Apps), not the token endpoint

Headers: Authorization: Bearer <access token>; Content-Type: application/json

Operation: POST

Data: a JSON body using the IDCS App SCIM schema with the SAML service-provider extension, populated with the partnerProviderId, assertionConsumerUrl, logoutRequestUrl, and signing certificate taken from the Eloqua metadata

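As an added example (not part of either post; it serves the Salesforce integration above as well as this Eloqua one), the two-step import done from a script instead of a REST client: parse the SP metadata file the service provider exported, take from it the values the posts tell you to note (entityID becomes partnerProviderId, the HTTP-POST AssertionConsumerService becomes assertionConsumerUrl, SingleLogoutService becomes logoutRequestUrl) together with the signing certificate, and build the token request and the App resource for POST /admin/v1/Apps. The SCIM schema URNs and those three attribute names are the ones the IDCS SAML app uses; the nameIdFormat, nameIdUserstoreAttribute, logoutBinding and basedOnTemplate values are taken from the IDCS custom SAML app template and should be checked against the REST reference for your tenancy. SAMPLE_SP_METADATA is constructed for illustration (example.com hosts and a truncated certificate), not real Salesforce or Eloqua output.

```python
# Added example, not from the original posts: parse SAML 2.0 SP metadata, extract the
# values IDCS needs, and assemble the password-grant token request and the
# POST /admin/v1/Apps body. Schema URNs and partnerProviderId/assertionConsumerUrl/
# logoutRequestUrl are IDCS SAML app names; nameIdFormat, logoutBinding and the
# basedOnTemplate id are assumed from the custom SAML app template. The sample
# metadata is constructed (example.com hosts, truncated certificate).
import base64
import json
import xml.etree.ElementTree as ET
from urllib.request import Request, urlopen

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
APP_SCHEMA = "urn:ietf:params:scim:schemas:oracle:idcs:App"
SAML_SP_SCHEMA = "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App"

SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.com">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data>
        <ds:X509Certificate>MIICconstructedBase64Body
          TruncatedForIllustration==</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sp.example.com/saml/slo"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://sp.example.com/saml/artifact" index="0"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.com/saml/acs" index="1" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def parse_sp_metadata(xml_text):
    """Extract entityID, the default HTTP-POST ACS URL, the SLO URL and the signing cert.
    Refuses IdP metadata, so the IDCS IdP file cannot be imported as an SP by mistake."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not service-provider metadata")
    acs = [e for e in sp.findall("md:AssertionConsumerService", NS) if e.get("Binding") == HTTP_POST]
    if not acs:
        raise ValueError("no HTTP-POST AssertionConsumerService")
    acs.sort(key=lambda e: (e.get("isDefault") != "true", int(e.get("index", "0"))))
    slo = sp.find("md:SingleLogoutService", NS)
    cert = None
    for kd in sp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):   # an absent 'use' covers signing too
            c = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if c is not None and c.text:
                cert = "".join(c.text.split())    # drop the PEM line breaks
                break
    return {"partnerProviderId": root.get("entityID"),
            "assertionConsumerUrl": acs[0].get("Location"),
            "logoutRequestUrl": slo.get("Location") if slo is not None else None,
            "signingCertificate": cert}


def build_idcs_app(display_name, sp):
    """IDCS App resource for a SAML SP, i.e. the JSON body for POST /admin/v1/Apps."""
    ext = {"partnerProviderId": sp["partnerProviderId"],
           "assertionConsumerUrl": sp["assertionConsumerUrl"],
           "signingCertificate": sp["signingCertificate"],
           "nameIdFormat": "saml-emailaddress",          # assumed: match users by e-mail
           "nameIdUserstoreAttribute": "emails.primary"}
    if sp["logoutRequestUrl"]:
        ext.update({"logoutEnabled": True, "logoutRequestUrl": sp["logoutRequestUrl"],
                    "logoutBinding": "Redirect"})
    return {"schemas": [APP_SCHEMA, SAML_SP_SCHEMA],
            "displayName": display_name,
            "active": True,
            "basedOnTemplate": {"value": "CustomSAMLAppTemplateId"},   # assumed template id
            SAML_SP_SCHEMA: ext}


def token_request(client_id, client_secret, username, password, scope="urn:opc:idm:__myscopes__"):
    """Headers and form body for the password-grant POST to <tenant>/oauth2/v1/token.
    client_id/client_secret belong to a confidential IDCS client app allowed that grant."""
    creds = base64.b64encode(("%s:%s" % (client_id, client_secret)).encode("ascii")).decode("ascii")
    headers = {"Authorization": "Basic " + creds,
               "Content-Type": "application/x-www-form-urlencoded"}
    body = {"grant_type": "password", "username": username, "password": password, "scope": scope}
    return headers, body


def create_app(base_url, access_token, app):
    """POST the App resource with the bearer token; needs network access to the tenancy."""
    req = Request(base_url.rstrip("/") + "/admin/v1/Apps",
                  data=json.dumps(app).encode("utf-8"),
                  headers={"Authorization": "Bearer " + access_token,
                           "Content-Type": "application/json"})
    with urlopen(req) as resp:
        return json.loads(resp.read().decode("utf-8"))
```

The refusal of metadata without an SPSSODescriptor is deliberate: the IdP file downloaded from /fed/v1/Metadata and the SP file exported by Salesforce or Eloqua are both EntityDescriptors, and importing the wrong one produces a SAML app that can never match the real assertion consumer URL.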

Step 5:  Test the login.

a.  Log in to Oracle Eloqua Marketing Cloud Service:  https://login.eloqua.com/


b.  Click Sign in with SSO or another account; Enter Company Name and click the Sign In button.


c.  The page should be redirected to the IDCS login.


d.  Enter IDCS username and password.


e.  User is now logged in to Eloqua Marketing Cloud successfully!


Finally, follow these steps to verify the underlying SAML Exchange.

a.  Behind the scenes, the Eloqua service provider sends a signed authentication request to IDCS (which can be seen in the SAML tracer plugin in Chrome).


b.  IDCS Identity Provider sends a signed assertion response confirming the user’s identity.


Concluding Remarks

Here, we saw how simple and easy it is to on-board a cloud application for Federation.  The frustrations of on-premises solutions, such as acquiring hardware, setting up the load balancer, installing and configuring components can be avoided.  The cloud instance is readily available for everyone immediately from day-one, unlike the on-premises solution which required months to prepare the environment.

Oracle Identity Cloud Service provides a comprehensive IAM platform, built on modern cloud principles that can be used by organizations to simplify interactions with business partners and customers.


Installing Oracle Identity & Access Manager Suite with the LCM (Lifecycle Management) Tool

Recently, while working on an IAM project in which we needed to build an Enterprise Security Infrastructure using the 11gR2PS3 version of the IAM software, the requirement for Lifecycle Management (LCM) presented itself.  The LCM tool is designed to simplify and automate the multiple manual steps of a typical IAM installation.

The traditional method of installation includes installing/configuring quite a few components, such as JAVA, WebLogic, SOA, OIM, RCU, then creating a domain.  With the introduction of LCM, the installation is simplified and automated; however, there is a learning curve involved and there are changes expected in the infrastructure.

It is important to fully understand the various aspects of the LCM tools and their benefit, as well as how LCM can help reduce implementation time.  Herein is a brief presentation prepared for our customer in order to educate them on LCM, as well as highlight the benefits, challenges, and limitation of the LCM tool.

Implementing Restrictions on a Claimed Human Task

Recently, we ran into an issue in which we had multiple users in BPM falling under the same group with similar access, and we needed to restrict the users’ access to the BPM Human Task claimed by another user.  In this way, only the assigned party can take actions on the Task.

In order to provide a solution to the above issue, we worked within the Access Restrictions provided in Human Task, and restricted the Owner of the Task with “View Only” access.

The below snapshots illustrate this process.

  • Open Human Task and go to Access → Actions (Tab).


  • Uncheck all grants, except “View”, “Resume Timers”, and “Suspend Timers”.


  • Save and Test the Process. Any user other than the Assignee should not be able to perform any action on the Task.

Did you know? Oracle Mobile: JSONBeanSerializationHelper Does Not Respect Case!

Oracle Mobile is a framework provided by Oracle that enables developers to build cross-platform mobile applications.  At AST, a passionate set of developers are using Oracle Mobile to build mobile applications that will be used as an extension for Oracle Cloud Products.  During our development life-cycle, we discovered a fundamental issue with the Oracle Mobile framework, particularly with the JSONBeanSerializationHelper class.

The role of the JSONBeanSerializationHelper class within the Oracle Mobile framework is to convert Java objects to JSON strings.  JSON is the industry-standard data representation built from name/value pairs, and per the JSON specification object member names are case-sensitive.  When JSONBeanSerializationHelper converts a Java object into name/value pairs, it does not preserve the case of the variable names in the Java object: every name in the resulting JSON string is lowercased.

We took this up with Oracle and have an Enhancement Request (ER) logged.  We will update this post once the ER has been resolved.

Described below is a use case and how this impacts the mobile application integration with Oracle Service Cloud.  However, you could face the same issue when integrating with other Oracle Cloud Products:

Use Case

Consider a use case in which you have a mobile application built using Oracle Mobile.  The application has a feature that allows you to create an incident in Oracle Service Cloud.

Issue Details

  • Consider an Incident bean defined as:

  • An incident object will be instantiated and initialized when the user inputs the required values from the mobile interface.
  • The incident object is then converted to JSON using oracle.adfmf.framework.api.JSONBeanSerializationHelper

  • Converted jsonObject:

  • The JSON generated will not be accepted by the create incident API because:
    1. It contains name/value pairs with null values for variables that did not hold any value.
    2. It contains a "type" name/value pair for variables with custom data types.
    3. It contains "propertyChangeSupport" name/value pairs, because the beans define a property change attribute; the create incident REST API does not expect these.
    4. The JSON does not respect the case of the Java variables defined in the Incident bean when generating the corresponding name/value pairs. For example, the attribute appears as "transit" in the JSON although the Java variable is defined as "Transit", and the create incident REST API also expects the name to be "Transit".

Workaround

  • Option 1: Create your own implementation of the JSON serialization class.
  • Option 2: Create a method that repairs the JSON after conversion, as a break-fix:
    • Call a custom method removeNullsAndTypeFromJSON after the JSON conversion.

  • The removeNullsAndTypeFromJSON method implementation:
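As an added example (not the post's own Java method, whose body is not reproduced here), the same post-processing written in Python so it can be run and checked stand-alone: starting from the JSON a lowercasing serializer produced, it drops members whose value is null, drops the injected "type" and "propertyChangeSupport" members at every nesting level, and restores the case of the remaining member names from the bean's declared field names. INCIDENT_FIELDS and SAMPLE_SERIALIZED are constructed for illustration and are not the Oracle Service Cloud incident schema.

```python
# Added example, not the post's Java method: the break-fix it describes, in Python.
# Drops null-valued members, drops the injected "type"/"propertyChangeSupport"
# members, and restores member-name case from the declared bean field names.
# INCIDENT_FIELDS and SAMPLE_SERIALIZED are constructed for illustration.
import json

INJECTED = {"type", "propertychangesupport"}   # compared case-insensitively
# Assumed field names of the Incident bean and its nested beans, in their declared case.
INCIDENT_FIELDS = ["Subject", "Transit", "PrimaryContact", "Severity", "Name"]

# What a lowercasing serializer would emit for an Incident whose PrimaryContact is unset.
SAMPLE_SERIALIZED = json.dumps({
    "subject": "Printer offline",
    "transit": {"type": "Transit", "name": "Warehouse", "propertychangesupport": {}},
    "primarycontact": None,
    "severity": "High",
    "type": "Incident",
    "propertychangesupport": {"listeners": []},
})


def restore_case(name, declared):
    """Map a lowercased member name back to the declared field name; unknown names pass through."""
    by_lower = dict((f.lower(), f) for f in declared)
    return by_lower.get(name.lower(), name)


def clean_json(value, declared):
    """Recursively drop nulls and injected members and rename keys to the declared case."""
    if isinstance(value, dict):
        out = {}
        for key, item in value.items():
            if item is None or key.lower() in INJECTED:
                continue
            out[restore_case(key, declared)] = clean_json(item, declared)
        return out
    if isinstance(value, list):
        return [clean_json(item, declared) for item in value if item is not None]
    return value


def remove_nulls_and_type_from_json(text, declared=INCIDENT_FIELDS):
    """Serialize first, then repair the JSON string before it is sent to the REST API."""
    return json.dumps(clean_json(json.loads(text), declared), sort_keys=True)
```

Because the case mapping is driven by the declared field list, a field the list does not know about keeps whatever case the serializer gave it, which is the safe failure: the API rejects it visibly instead of silently accepting a misnamed attribute.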
