Tuesday, February 24, 2015

Deployment Steps for OIM 11g R1 Custom Scheduled Tasks or Event Handlers

Set the ENV variables listed further down before any ST/EH import/export/delete operation.

New Scheduled Task / Event Handler import into OIM
---------------------------------------------------
1. Register/Import the ScheduledTask/EventHandler metadata configuration into OIM
2. Register the ST/EH plugin package into MDS
3. Clear the MDS cache
4. Restart the OIM server(s)

Overwrite an existing ST/EH plugin class with a new package
------------------------------------------------------------
1. Make sure the structure and parameters of the ST/EH have not changed (if they have, re-import the metadata as well)
2. Make sure plugin.xml declares a higher version than the plugin currently registered
3. Register the ST/EH plugin package into MDS
4. Clear the MDS cache
5. Restart the OIM server(s)

Delete/Remove an ST/EH from OIM
--------------------------------
1. Export the metadata of the scheduled task being removed from OIM to an XML file (keep it as a backup)
2. Remove the scheduled job(s) defined for it under OIM Admin > Scheduled Jobs
3. Unregister the ST/EH plugin class if it is registered
4. Delete the ST/EH configuration from the metadata
5. Clear the MDS cache


  • Set the following ENV variables for ST/EH import/export/delete operation
    ------------------------------------
    #
    /home/oracle> export MW_HOME=/opt/appbin/oracle/iam_middleware
    /home/oracle> export ORACLE_HOME=$MW_HOME/Oracle_IAM1
    /home/oracle> export OIM_ORACLE_HOME=$MW_HOME/Oracle_IAM1
    /home/oracle> export OIM_HOME=$MW_HOME/Oracle_IAM1
    /home/oracle> export WL_HOME=$MW_HOME/wlserver_10.3
    /home/oracle> export ANT_HOME=$MW_HOME/modules/org.apache.ant_1.7.1
    /home/oracle> export JAVA_HOME=/usr/java6_64
    /home/oracle> export PATH=$ORACLE_HOME/bin:$ANT_HOME/bin:$JAVA_HOME/bin:$PATH
    /home/oracle> cd $OIM_HOME/server/bin

  • Unregister the ST/EH plugin class if it is already registered:
    --------------------------------------------------------
    /opt/appbin/oracle/iam_middleware/Oracle_IAM1/server/plugin_utility> ant -f pluginregistration.xml unregister
    -------
    /opt/appbin/oracle/iam_middleware/wlserver_10.3/server/lib/wlfullclient.jar
        [input] Enter the oim user id:
    xelsysadm
        [input]Enter the oim user password:
        [input] Enter the server url [t3://<host>:<port>] :
    t3s://<<OIMHostname>>:14001
        [input] Enter class name (complete class name with package) of the plugin:
    <<packageName.security.provisioning>>.LDAPSync
           [echo]
            ------
            -------
     [echo] <Oct 7, 2014 5:00:08 PM PDT> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=GeoTrust Primary Certification Authority - G3,OU=(c) 2008 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
     [echo] Plugin Unregistered
        BUILD SUCCESSFUL
       Total time: 1 minute 33 seconds

The BEA-090898 notice above is harmless here: OID 1.2.840.113549.1.1.11 is sha256WithRSAEncryption, which the certificate parser in this WebLogic/JDK combination does not recognise, so that CA is skipped when the trust list is loaded. It only matters if the OIM server certificate chains to that CA.

Verify that the plugin rows are gone from the OIM database:

select * from plugins where id like '%LDAPSync%';
select * from plugin_zip where zipid in (select zipid from plugins where id like '%LDAPSync%');

If the unregister target leaves the rows behind, delete them with SQL using the same predicates (take a backup of the OIM schema first).

Delete the ST/EH configuration from metadata
---------------------------------------------
Note: list only the event handler / scheduled task entries you want removed. weblogicDeleteMetadata.sh removes exactly the documents named in the metadata_files parameter of weblogic.properties, and each entry must be the document's MDS path (starting with /db, /file or /custom), not a location on the server's filesystem. Verify the path in the MDS_PATHS table of the OIM schema:

--> select * from mds_paths where path_fullname like '%EventHandler/ScheduledTaskName%'

weblogic.properties
---------
metadata_from_loc=/home/oracle/ImportData
metadata_to_loc=/home/oracle/ExportData
metadata_files=/home/oracle/DeleteData/db/custom/del_eventhandlers.xml

-->
$:/opt/appbin/oracle/iam_middleware/Oracle_IAM1/server/bin> ./weblogicDeleteMetadata.sh
----- ---
-----
Starting delete metadata script ....
Please enter your username :weblogic
Please enter your password :
Please enter your server URL [t3://localhost:7001] :t3://<<OIMHostname>>:14200
Connecting to t3://<<OIMHostname>>:14200 with userid weblogic ...
Successfully connected to managed Server 'oim_server1' that belongs to domain 'OIM_domain'.
Warning: An insecure protocol was used to connect to the
server. To ensure on-the-wire security, the SSL port or
Admin port should be used instead.
Location changed to custom tree. This is a writable tree with No root.
For more help, use help(custom)

Disconnected from weblogic server: oim_server1
End of delete metadata script ...

Exiting WebLogic Scripting Tool.
log file:
[2014-10-08T10:29:19.859-07:00] [oim_server1] [WARNING] [MDS-01268] [oracle.mds] [tid: [ACTIVE].ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: weblogic] [ecid: ea37b5dd1ddd0753:-2e24c29e:148e22fa064:-8000-0000000000006b59,0] [APP: OIMMetadata#11.1.1.3.0] The associated extended metadata document for the given document name /home/oracle/DeleteData/db/custom/del_eventhandlers.xml is missing.

-----
That MDS-01268 warning means nothing was deleted: MDS looked for a document named /home/oracle/DeleteData/db/custom/del_eventhandlers.xml, the local filesystem path given in metadata_files, whereas it expects the document name as stored in path_fullname (for this layout /db/custom/del_eventhandlers.xml, provided that is what the mds_paths query above returns). Correct metadata_files and rerun the script. Only if the document still cannot be removed that way, delete the row directly (back up the MDS schema first):
delete from mds_paths where path_docid in (<<path_docid of the EH/ST entries>>);
Register/Import an ST/EH metadata configuration into OIM
-----------------------------------------------------------------------
$:/opt/appbin/oracle/iam_middleware/Oracle_IAM1/server/bin> vi weblogic.properties
modify the entries:
application_name=OIMMetadata   [scheduled tasks]; oim   [event handlers]
metadata_from_loc=/home/oracle/importData/LDAPOutOfSync/metadata
metadata_files=/file/LDAPOutOfSync.xml

The import takes every document under metadata_from_loc; the MDS path of each document is its path relative to that directory, so the file above must sit at .../LDAPOutOfSync/metadata/file/LDAPOutOfSync.xml to become /file/LDAPOutOfSync.xml in MDS.

$:/opt/appbin/oracle/iam_middleware/Oracle_IAM1/server/bin> ./weblogicImportMetadata.sh
Starting import metadata script ....
Please enter your username :weblogic
Please enter your password :
Please enter your server URL [t3://localhost:7001] :t3s://<<oimhostname>>:14001
Connecting to t3s://<<oim admin host>>:7008 with userid weblogic ...
<Oct 8, 2014 2:22:57 PM PDT> <Info> <Security> <BEA-090906> <Changing the default Random Number Generator in RSA CryptoJ from ECDRBG to FIPS186PRNG. To disable this change, specify -Dweblogic.security.allowCryptoJDefaultPRNG=true>
----
For more help, use help(domainRuntime)

Disconnected from weblogic server: AdminServer
End of importing metadata script ...

Exiting WebLogic Scripting Tool.
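A pre-flight check for weblogic.properties, added here as an example (it is not from the original post and not one of Oracle's scripts): it validates the file that weblogicImportMetadata.sh, weblogicExportMetadata.sh and weblogicDeleteMetadata.sh read, before any of them is run, and catches the mistake behind the MDS-01268 warning in the delete run above, a filesystem path in metadata_files where an MDS document path (/db, /file or /custom) is required. The property names application_name, metadata_from_loc, metadata_to_loc and metadata_files are the ones used in weblogic.properties above; the two sample files the demo writes are constructed for the demonstration. The check only validates the file, it cannot tell whether the document exists in MDS; that is what the mds_paths query above is for.

```shell
#!/usr/bin/env bash
# Pre-flight validation of weblogic.properties for the OIM MDS scripts
# (weblogicImportMetadata.sh, weblogicExportMetadata.sh,
# weblogicDeleteMetadata.sh). Added example; not part of OIM.

# MDS document names start with /db, /file or /custom.
is_mds_path() {
    case "$1" in
        /db/*|/file/*|/custom/*) return 0 ;;
        *) return 1 ;;
    esac
}

# prop FILE KEY: print the last value set for KEY (empty if absent).
prop() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# validate_props FILE OPERATION   (OPERATION is import, export or delete)
# Prints one line per problem; returns 0 only when none was found.
validate_props() {
    local file=$1 op=$2 rc=0 app from files entry
    app=$(prop "$file" application_name)
    case "$app" in
        OIMMetadata|oim) ;;
        *) echo "application_name must be OIMMetadata (scheduled tasks) or oim (event handlers), got '$app'"; rc=1 ;;
    esac
    if [ "$op" = import ]; then
        # Import takes every document under metadata_from_loc; each document's
        # MDS path is its path relative to that directory, so the directory
        # must contain a db/, file/ or custom/ subtree.
        from=$(prop "$file" metadata_from_loc)
        if [ ! -d "$from" ]; then
            echo "metadata_from_loc '$from' is not a directory"; rc=1
        elif [ ! -d "$from/db" ] && [ ! -d "$from/file" ] && [ ! -d "$from/custom" ]; then
            echo "metadata_from_loc '$from' has no db/, file/ or custom/ subdirectory"; rc=1
        fi
    else
        if [ "$op" = export ] && [ -z "$(prop "$file" metadata_to_loc)" ]; then
            echo "metadata_to_loc is not set"; rc=1
        fi
        files=$(prop "$file" metadata_files)
        if [ -z "$files" ]; then
            echo "metadata_files is empty; nothing to $op"; rc=1
        fi
        # Comma-separated list; every entry is a document name inside MDS,
        # not a path on the server's filesystem (that produces MDS-01268).
        for entry in $(printf '%s' "$files" | tr ',' ' '); do
            if ! is_mds_path "$entry"; then
                echo "metadata_files entry '$entry' is not an MDS path (must start with /db, /file or /custom)"; rc=1
            fi
        done
    fi
    return $rc
}

# write_samples DIR: write two constructed properties files for the demo and
# print their names; the first repeats the failing delete run above.
write_samples() {
    printf 'application_name=oim\nmetadata_files=/home/oracle/DeleteData/db/custom/del_eventhandlers.xml\n' > "$1/bad.properties"
    printf 'application_name=oim\nmetadata_files=/db/custom/del_eventhandlers.xml\n' > "$1/good.properties"
    echo "$1/bad.properties $1/good.properties"
}

# Demo: run the check on both samples as if weblogicDeleteMetadata.sh were next.
demo_dir=$(mktemp -d)
for f in $(write_samples "$demo_dir"); do
    if validate_props "$f" delete; then
        echo "$f: OK for weblogicDeleteMetadata.sh"
    else
        echo "$f: fix weblogic.properties before running the script"
    fi
done
rm -rf "$demo_dir"
```

Run it from $OIM_HOME/server/bin as `validate_props weblogic.properties delete` (or import/export) before starting the corresponding script; a non-zero exit means the script would either fail or silently do nothing.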

Register the ST/EH plugin package into MDS (give the t3s port as the server URL where possible; the plain t3 port sends the xelsysadm password in clear, as the WebLogic warning in the delete run above says)
----------------------------------------------------------
/opt/appbin/oracle/iam_middleware1/Oracle_IAM1/server/plugin_utility> ant -f pluginregistration.xml register
Buildfile: pluginregistration.xml
register:
     [echo]
     -----
     ------
     [echo]
     [echo] /opt/appbin/oracle/iam_middleware1/Oracle_IAM1/server/ext/spring.jar:/opt/appbin/oracle/iam_middleware1/Oracle_IAM1/server/ext/jakarta-commons/commons-logging.jar:----------------------:/opt/appbin/oracle/iam_middleware1/wlserver_10.3/server/lib/wlfullclient.jar
    [input] Enter the oim user id:
xelsysadm
    [input]Enter the oim user password:
    [input] Enter the server url [t3://<host>:<port>] :
t3://<<oimhostname>>:14200
    [input] Enter name (complete file name with path) of the plugin file:
/home/oracle/ImportData/db/pluginzip/LDAPSync.zip
     [echo]
     [echo] Plugin Registered
BUILD SUCCESSFUL
Total time: 35 seconds

Clear the MDS cache
--------------------

$:/opt/appbin/oracle/iam_middleware/Oracle_IAM1/server/bin> ./PurgeCache.sh ALL
[Enter the admin username:]xelsysadm
[Enter the admin password:]
[Enter the service url : (i.e.: t3://oimhostname:oimportno)]t3s://<<oimhostname>>:14001
<Oct 8, 2014 3:04:08 PM PDT> <Info> <Security> <BEA-090906> <Changing the default Random Number Generator in RSA CryptoJ from ECDRBG to FIPS186PRNG. To disable this change, specify -Dweblogic.security.allowCryptoJDefaultPRNG=true>
PurgeCache Login Success...
Purging the cache categories:[ALL] is successful

Reference URLs:
--------------------
# 33 MDS Utilities and User Modifiable Metadata Files
http://docs.oracle.com/cd/E23943_01/doc.1111/e14309/utils.htm
http://docs.oracle.com/cd/E14571_01/doc.1111/e14309/utils.htm
# file locations must start with /db, /file or /custom
http://docs.oracle.com/cd/E21764_01/doc.1111/e14309/oper.htm
# developing scheduled tasks
http://docs.oracle.com/cd/E21764_01/doc.1111/e14309/refsched.htm
# Import and Export Metadata using EM Console
http://oraclestack.blogspot.com/2014/02/import-and-export-metadata-using-em.html

Thursday, May 29, 2014

OIM Tuning


1. OIM - OS tuning:

Raise the ulimit for open file descriptors (ulimit -n) to 8192 or unlimited for the user that runs WebLogic.
Make sure the host has sufficient memory and disk space available.

 
2. OIM - WebLogic tuning:
a) Increase the WebLogic managed servers' heap size to 4GB.

Change in startWebLogic.sh:

USER_MEM_ARGS="-Xms4096m -Xmx4096m -Xmn1648m -Xss256k -XX:PermSize=384m -XX:MaxPermSize=384m"

or, to size only the managed servers and leave the Admin Server at its default:

if [ "${SERVER_NAME}" = "" ] ; then
    echo "Admin Server "
else
    echo "oam and oim mgmd servers"
    MEM_ARGS="-Xms2048m -Xmx4096m -Xmn1648m -Xss256k -XX:PermSize=384m -XX:MaxPermSize=384m"
    export MEM_ARGS
fi
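A checker for the MEM_ARGS string, added here as an example (not from the original post and not part of WebLogic): it parses the option string that goes into startWebLogic.sh and reports what a managed server would otherwise refuse at start-up or silently run with, such as an option that does not begin with an ASCII hyphen, a misspelled -XX: option, -Xms larger than -Xmx, -Xmn not smaller than the heap, or PermSize above MaxPermSize. The two sample strings at the bottom are constructed from the values above; the open-file check compares the current ulimit with the 8192 from the OS section.

```shell
#!/usr/bin/env bash
# Check a JVM memory option string before putting it into startWebLogic.sh.
# Added example; not part of WebLogic or of the original post.

# to_mb SIZE: convert a JVM size (4096m, 4g, 262144k, or plain bytes) to MB.
to_mb() {
    n=${1%[kKmMgG]}
    case "$1" in
        *[kK]) echo $(( n / 1024 )) ;;
        *[mM]) echo "$n" ;;
        *[gG]) echo $(( n * 1024 )) ;;
        *)     echo $(( n / 1048576 )) ;;
    esac
}

# check_mem_args "OPTIONS": print each problem found; return 0 only if none.
check_mem_args() {
    rc=0; xms=0; xmx=0; xmn=0; perm=0; maxperm=0
    for arg in $1; do
        case "$arg" in
            -Xms*) xms=$(to_mb "${arg#-Xms}") ;;
            -Xmx*) xmx=$(to_mb "${arg#-Xmx}") ;;
            -Xmn*) xmn=$(to_mb "${arg#-Xmn}") ;;
            -Xss*) ;;
            -XX:PermSize=*)    perm=$(to_mb "${arg#-XX:PermSize=}") ;;
            -XX:MaxPermSize=*) maxperm=$(to_mb "${arg#-XX:MaxPermSize=}") ;;
            -XX:*) ;;                        # other HotSpot flags: not checked here
            -*) echo "unknown option: $arg (typo such as -X: for -XX:?)"; rc=1 ;;
            *)  echo "not a JVM option: $arg (en dash instead of '-'?)"; rc=1 ;;
        esac
    done
    [ "$xmx" -gt 0 ]            || { echo "-Xmx is missing"; rc=1; }
    [ "$xms" -le "$xmx" ]       || { echo "-Xms (${xms}m) exceeds -Xmx (${xmx}m)"; rc=1; }
    [ "$xmn" -lt "$xmx" ]       || { echo "-Xmn (${xmn}m) must be smaller than -Xmx (${xmx}m)"; rc=1; }
    [ "$perm" -le "$maxperm" ]  || { echo "-XX:PermSize (${perm}m) exceeds -XX:MaxPermSize (${maxperm}m)"; rc=1; }
    if [ "$rc" -eq 0 ] && [ "$xms" -ne "$xmx" ]; then
        echo "note: -Xms != -Xmx, the heap will resize at runtime; set both equal for a fixed heap"
    fi
    return $rc
}

# check_open_files MIN: compare the current open-file limit with MIN.
check_open_files() {
    cur=$(ulimit -n)
    [ "$cur" = unlimited ] && return 0
    [ "$cur" -ge "$1" ] || { echo "ulimit -n is $cur, raise it to at least $1"; return 1; }
}

# Demo on two settings constructed from the values in the post: the second
# carries an en dash before Xmx and -X: instead of -XX:, which the JVM rejects.
GOOD="-Xms4096m -Xmx4096m -Xmn1648m -Xss256k -XX:PermSize=384m -XX:MaxPermSize=384m"
BAD="-Xms2048m –Xmx4096m -Xmn1648m -Xss256k -XX:PermSize=384m -X:MaxPermSize=384m"
for args in "$GOOD" "$BAD"; do
    if check_mem_args "$args"; then echo "OK:  $args"; else echo "BAD: $args"; fi
done
check_open_files 8192 || true
```

A non-zero return from check_mem_args means the managed server would either not start ("Unrecognized option") or start with a heap layout other than the one intended; run it on the exact string before editing startWebLogic.sh.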

b) Make sure the DB connection pools are at least the numbers below, or higher depending on the load on the WebLogic connection pools:

<<This section still needs to be updated>>

Datasource Name               Initial   Max       Increment
mds-oim                       2         50        1
mds-owsm                      0         15        1
oimJMSStoreDS                 50        50        1
oimOperationsDB               100       100       1
<<SOA specific Datasource>>   default   default   default

 

c) Raise the Distributed Lock Timeout from 60 seconds to 300 seconds, and in oim-config.xml raise the connection checkout timeout from 1200 seconds to 2700 seconds.

For the Distributed Lock Timeout: in the WLS console, for each OIM datasource go to Configuration > Transaction and set XA Transaction Timeout = 300.

For the checkout timeout: the file under <<Middleware home>>/Oracle_IAM1/server/metadata/db/oim-config.xml is only the seed copy used at installation; at runtime OIM reads oim-config.xml from MDS (/db/oim-config.xml), so export it with weblogicExportMetadata.sh (or edit it through the Enterprise Manager System MBean Browser), change the attribute and import it back:

<directDBConfigParams driver="oracle.jdbc.OracleDriver"
    ... checkoutTimeout="2700"



 






Note: when sizing the DB connection pools, add up the pool configurations of the other applications sharing the database (OID, OAM, OIM); the database server must be able to serve the sum of all maximum pool sizes, and the DB parameters that cap connections (processes, sessions) must be set to accommodate that maximum.

**Note: the configuration changes above take effect only after the component application servers are restarted.

Wednesday, April 23, 2014

OIM Load the Access Policies from File

package prod.oim.utilities.run;

import java.io.BufferedReader;
import java.io.Console;
import java.io.FileReader;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.List;

import Thor.API.tcResultSet;
import Thor.API.Operations.tcAccessPolicyOperationsIntf;
import Thor.API.Operations.tcFormDefinitionOperationsIntf;
import Thor.API.Operations.tcITResourceInstanceOperationsIntf;
import Thor.API.Operations.tcObjectOperationsIntf;
import com.thortech.xl.vo.AccessPolicyResourceData;
import oracle.iam.platform.OIMClient;

/*
 * Attaches OID groups to existing OIM access policies from a CSV file.
 * File format: a header line, then one record per line
 *     PolicyName,Group1;Group2;Group3
 * Lines starting with # are skipped. Each group becomes a row of the
 * UD_OID_GRP child table of the "OID User" resource on the named policy,
 * stored in OIM's lookup-encoded form "<IT resource key>~<group DN>".
 */
public class InitialAccessPolicyLoad {
    private static final String OIM_URL = "t3s://<<host>>:<<port>>";
    private static final String AUTH_CONF = "C:/designconsole/config/authwl.conf";
    private static final String OIM_USERNAME = "xelsysadm";
    private static final String INPUT_FILE = "C:\\Projects\\OIM\\InputFiles\\InitialAccessPolicyLoad.csv";
    private static final String FILE_DELIMITER = ",";
    private static final String ROLE_DELIMITER = ";";

    private static final String OBJ_NAME = "OID User";
    private static final String PARENT_FORM = "UD_OID_USR";
    private static final String CHILD_FORM = "UD_OID_GRP";
    private static final String CHILD_GROUP_COLUMN = "UD_OID_GRP_GROUP_NAME";
    private static final String IT_RESOURCE_NAME = "OID Server";
    private static final String GROUP_SUFFIX = ",cn=Groups,dc=ftb,dc=ca,dc=gov";

    private final OIMClient oimClient;
    // Resolved once at start-up instead of once per group.
    private final long objectKey;
    private final long parentFormKey;
    private final String childFormKey;
    private final String itResourceKey;

    public InitialAccessPolicyLoad(char[] password) throws Exception {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(OIMClient.JAVA_NAMING_FACTORY_INITIAL, "weblogic.jndi.WLInitialContextFactory");
        env.put(OIMClient.JAVA_NAMING_PROVIDER_URL, OIM_URL);
        System.setProperty("java.security.auth.login.config", AUTH_CONF);
        System.setProperty("OIM.AppServerType", "wls");
        System.setProperty("APPSERVER_TYPE", "wls");
        oimClient = new OIMClient(env);
        oimClient.login(OIM_USERNAME, password);

        objectKey = findObjectKey();
        parentFormKey = findFormKey(PARENT_FORM);
        childFormKey = String.valueOf(findFormKey(CHILD_FORM));
        itResourceKey = findITResourceKey();
    }

    /* Reads the CSV and loads every valid record; invalid ones are reported and counted. */
    public void uploadMapping() throws Exception {
        int valid = 0;
        int invalid = 0;
        BufferedReader in = new BufferedReader(new FileReader(INPUT_FILE));
        try {
            in.readLine();                                   // header line
            String line;
            while ((line = in.readLine()) != null) {
                if (line.trim().isEmpty() || line.startsWith("#")) {
                    continue;                                // blank or comment: not a record
                }
                List<String> groups = new ArrayList<String>();
                String policyName = parseRecord(line, groups);
                Long policyKey = policyName == null ? null : findPolicyKey(policyName);
                if (policyKey == null) {
                    if (policyName != null) {
                        System.out.println("Access Policy doesn't exist in OIM: " + line);
                    }
                    invalid++;
                    continue;
                }
                System.out.println("ADDING RECORD: " + line);
                uploadPolicyData(policyName, policyKey, groups);
                valid++;
            }
        } finally {
            in.close();
        }
        System.out.println("Access Policies Data Load Complete from File " + INPUT_FILE);
        System.out.println("Records Processed: " + valid + " & Records Ignored: " + invalid);
    }

    /*
     * Validates one record. Returns the policy name and fills groups, or
     * prints the reason and returns null.
     */
    private String parseRecord(String line, List<String> groups) {
        String[] values = line.split(FILE_DELIMITER);
        if (values.length != 2) {
            System.out.println("Expected 'PolicyName,Group1;Group2' in Record: " + line);
            return null;
        }
        String policyName = values[0].trim();
        if (policyName.isEmpty()) {
            System.out.println("Access Policy Missing in Record: " + line);
            return null;
        }
        for (String group : values[1].split(ROLE_DELIMITER)) {
            if (!group.trim().isEmpty()) {
                groups.add(group.trim());
            }
        }
        if (groups.isEmpty()) {
            System.out.println("Missing ABC Groups in Record: " + line);
            return null;
        }
        return policyName;
    }

    /* Key of the resource object OBJ_NAME. */
    private long findObjectKey() throws Exception {
        tcObjectOperationsIntf objIntf = oimClient.getService(tcObjectOperationsIntf.class);
        HashMap<String, String> filter = new HashMap<String, String>();
        filter.put("Objects.Name", OBJ_NAME);
        tcResultSet rs = objIntf.findObjects(filter);
        if (rs.getRowCount() == 0) {
            throw new IllegalStateException("Resource object not found: " + OBJ_NAME);
        }
        rs.goToRow(0);
        return rs.getLongValue("Objects.Key");
    }

    /* Key of the process form (parent or child) with the given table name. */
    private long findFormKey(String tableName) throws Exception {
        tcFormDefinitionOperationsIntf formIntf = oimClient.getService(tcFormDefinitionOperationsIntf.class);
        HashMap<String, String> filter = new HashMap<String, String>();
        filter.put("Structure Utility.Table Name", tableName);
        tcResultSet rs = formIntf.findForms(filter);
        if (rs.getRowCount() == 0) {
            throw new IllegalStateException("Form not found: " + tableName);
        }
        rs.goToRow(0);
        return rs.getLongValue("Structure Utility.Key");
    }

    /* Key of the IT resource instance IT_RESOURCE_NAME, the prefix of lookup-encoded values. */
    private String findITResourceKey() throws Exception {
        tcITResourceInstanceOperationsIntf itIntf = oimClient.getService(tcITResourceInstanceOperationsIntf.class);
        HashMap<String, String> filter = new HashMap<String, String>();
        filter.put("IT Resources.Name", IT_RESOURCE_NAME);
        tcResultSet rs = itIntf.findITResourceInstances(filter);
        if (rs.getRowCount() == 0) {
            throw new IllegalStateException("IT resource not found: " + IT_RESOURCE_NAME);
        }
        rs.goToRow(0);
        return rs.getStringValue("IT Resources.Key");
    }

    /* Key of the access policy with this name, or null when it does not exist. */
    private Long findPolicyKey(String policyName) throws Exception {
        tcAccessPolicyOperationsIntf policyIntf = oimClient.getService(tcAccessPolicyOperationsIntf.class);
        HashMap<String, String> filter = new HashMap<String, String>();
        filter.put("Access Policies.Name", policyName);
        tcResultSet rs = policyIntf.findAccessPolicies(filter);
        if (rs.getRowCount() == 0) {
            return null;
        }
        rs.goToRow(0);
        return Long.valueOf(rs.getLongValue("Access Policies.Key"));
    }

    /* Adds one UD_OID_GRP row per group to the policy's OID User data, in a single call. */
    private void uploadPolicyData(String policyName, long policyKey, List<String> groups) throws Exception {
        tcAccessPolicyOperationsIntf policyIntf = oimClient.getService(tcAccessPolicyOperationsIntf.class);
        AccessPolicyResourceData policyData =
            new AccessPolicyResourceData(objectKey, OBJ_NAME, parentFormKey, PARENT_FORM, "P");
        for (String group : groups) {
            String groupDn = itResourceKey + "~cn=" + group + GROUP_SUFFIX;
            HashMap<String, String> childRow = new HashMap<String, String>();
            childRow.put(CHILD_GROUP_COLUMN, groupDn);
            policyData.addChildTableRecord(childFormKey, CHILD_FORM, "Add", childRow);
            System.out.println(" Group: " + group + " (" + groupDn + ") attached to the Access Policy: " + policyName);
        }
        policyIntf.setDataSpecifiedForObject(policyKey, objectKey, parentFormKey, policyData);
    }

    public static void main(String[] args) throws Exception {
        // The password is read from the console, or from OIM_PASSWORD when no
        // console is attached; it is never kept in the source.
        char[] password;
        Console console = System.console();
        if (console != null) {
            password = console.readPassword("Password for %s: ", OIM_USERNAME);
        } else if (System.getenv("OIM_PASSWORD") != null) {
            password = System.getenv("OIM_PASSWORD").toCharArray();
        } else {
            throw new IllegalStateException("No console available and OIM_PASSWORD is not set");
        }
        InitialAccessPolicyLoad loader = new InitialAccessPolicyLoad(password);
        Arrays.fill(password, '\0');
        loader.uploadMapping();
    }
}

Wednesday, April 16, 2014

Event Handlers:
            http://www.ateam-oracle.com/oim-11g-event-handlers/
            http://idmoim.blogspot.com/2011/07/developing-and-deploying-oim-11g-custom_29.html
            http://idmoim.blogspot.com/2014/04/event-handler-handler-deployment-in-oim.html
            http://docs.oracle.com/cd/E14571_01/doc.1111/e14309/oper.htm


Custom user attribute & Event Handler implementation:

http://fusionsecurity.blogspot.com/2011/09/oim-11g-event-handler-example.html

Wednesday, July 3, 2013

OIM JAVA API to connect OIM SSL Port

1. Assuming your Java app already works against the non-SSL port.
2. Add the following jars to your Java program's classpath, in this order:

$WL_HOME/server/lib/wlfullclient.jar
$WL_HOME/server/lib/webserviceclient+ssl.jar
$WL_HOME/server/lib/wlcipher.jar
$WL_HOME/server/lib/cryptoj.jar
$WL_HOME/server/ext/jakarta-oro-2.0.8.jar
$WL_HOME/server/ext/javagroups-all.jar
$WL_HOME/server/lib/commons-logging.jar
$WL_HOME/server/lib/jrf-api.jar
$ORACLE_HOME/designconsole/lib/oimclient.jar
$ORACLE_HOME/server/lib/iam-platform-pluginframework.jar
$ORACLE_HOME/server/lib/iam-platform-utils.jar
$ORACLE_HOME/server/lib/iam-platform-auth-client.jar
$ORACLE_HOME/server/lib/activation.jar


Note: the jar order sometimes causes failures; if the SSL handshake or class loading fails, swap wlfullclient.jar and webserviceclient+ssl.jar.

3. Identify the truststore of the JDK that runs your program (usually <JRE>/lib/security/cacerts) and import the root CA of the OIM server certificate into it. The entry must be of type trustedCertEntry (keytool -list shows the entry type next to the alias).

4. Set the environment variable TRUSTSTORE_LOCATION=<<truststore file path>> before setting the classpath.

5. In the Java code, change the OIM URL to the SSL port:
    OIM_URL = "t3s://<<host>>:<<ssl port>>";
6. Compile and run.

If you use a custom JKS truststore instead of the JDK's cacerts, tell the JVM where it is, either in the code before OIMClient is created:

 System.setProperty("javax.net.ssl.trustStoreType","JKS");
 System.setProperty("javax.net.ssl.trustStore","C:/designconsole/cacerts");
 System.setProperty("javax.net.ssl.trustStorePassword","changeit");

or as JVM arguments:

 -Djavax.net.ssl.trustStoreType=JKS -Djavax.net.ssl.trustStore=C:/designconsole/cacerts -Djavax.net.ssl.trustStorePassword=changeit
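A launcher that puts steps 2 to 5 together, added as an example (it is not code from the original post or from Oracle): it builds the classpath in the order listed, refuses to start unless the URL uses t3s:// and the truststore file exists, reports any jar missing from the two product homes, and can confirm with keytool that the imported CA is stored as a trustedCertEntry. It assumes WL_HOME and ORACLE_HOME are exported as in the first post. MAIN_CLASS, the truststore path and the TRUSTSTORE_PASS variable are hypothetical names for the demonstration, and the example passes the URL to the program as the OIM_URL system property, which the program is assumed to read (the post's program hard-codes it instead).

```shell
#!/usr/bin/env bash
# Launch an OIMClient program against the OIM SSL (t3s) port.
# Added example; not part of OIM or WebLogic. Expects WL_HOME and
# ORACLE_HOME in the environment.

# The jars in the order the post lists them (order matters for some
# WebLogic client combinations), joined with ':'.
oim_ssl_classpath() {
    printf '%s:' \
        "$WL_HOME/server/lib/wlfullclient.jar" \
        "$WL_HOME/server/lib/webserviceclient+ssl.jar" \
        "$WL_HOME/server/lib/wlcipher.jar" \
        "$WL_HOME/server/lib/cryptoj.jar" \
        "$WL_HOME/server/ext/jakarta-oro-2.0.8.jar" \
        "$WL_HOME/server/ext/javagroups-all.jar" \
        "$WL_HOME/server/lib/commons-logging.jar" \
        "$WL_HOME/server/lib/jrf-api.jar" \
        "$ORACLE_HOME/designconsole/lib/oimclient.jar" \
        "$ORACLE_HOME/server/lib/iam-platform-pluginframework.jar" \
        "$ORACLE_HOME/server/lib/iam-platform-utils.jar" \
        "$ORACLE_HOME/server/lib/iam-platform-auth-client.jar" \
        "$ORACLE_HOME/server/lib/activation.jar" | sed 's/:$//'
}

# oim_url_is_ssl URL: 0 only for t3s://host:port (the SSL listen port).
oim_url_is_ssl() {
    case "$1" in
        t3s://*:[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# missing_jars CLASSPATH: print each entry that is not a file; return 1 if any.
missing_jars() {
    rc=0
    old_ifs=$IFS; IFS=:
    for j in $1; do
        [ -f "$j" ] || { echo "$j"; rc=1; }
    done
    IFS=$old_ifs
    return $rc
}

# truststore_has_trusted_entry STORE ALIAS PASSWORD: confirm with keytool that
# the imported OIM root CA is stored as a trustedCertEntry (step 3).
truststore_has_trusted_entry() {
    keytool -list -keystore "$1" -alias "$2" -storepass "$3" 2>/dev/null | grep -q trustedCertEntry
}

# run_oim_client URL TRUSTSTORE MAIN_CLASS [ARGS...]: refuse plain t3://, check
# the truststore and jars, then start the JVM with the truststore properties
# from step 4 and the custom-JKS variant above.
run_oim_client() {
    url=$1; store=$2; main=$3; shift 3
    oim_url_is_ssl "$url" || { echo "refusing $url: use t3s://host:sslport" >&2; return 1; }
    [ -f "$store" ] || { echo "truststore $store not found" >&2; return 1; }
    classpath=$(oim_ssl_classpath)
    if ! missing_jars "$classpath" >&2; then
        echo "the jars listed above are missing; check WL_HOME and ORACLE_HOME" >&2
        return 1
    fi
    TRUSTSTORE_LOCATION=$store java -cp "$classpath" \
        -Djavax.net.ssl.trustStoreType=JKS \
        -Djavax.net.ssl.trustStore="$store" \
        -Djavax.net.ssl.trustStorePassword="${TRUSTSTORE_PASS:-changeit}" \
        -DOIM_URL="$url" "$main" "$@"
}

# Demo (no JVM started): print the classpath and exercise the URL check on the
# two ports used in the posts above.
oim_ssl_classpath | tr ':' '\n'
for u in "t3://oimhost:14200" "t3s://oimhost:14001"; do
    if oim_url_is_ssl "$u"; then echo "accepted $u"; else echo "rejected $u"; fi
done
```

Call it as `run_oim_client t3s://<<host>>:<<ssl port>> /path/to/truststore.jks prod.oim.utilities.run.InitialAccessPolicyLoad`; the truststore password only protects the integrity of the store, which holds public certificates, so passing it as a JVM argument is far less sensitive than the OIM login password, which the program reads from the console.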


 All the best