Tuesday, May 7, 2013

OIM 11g R2 Self Registration with CAPTCHA

This post walks you through the fun of customizing OIM and adding a CAPTCHA solution to the self-registration page. CAPTCHA solutions are widely used on web sites to try to prevent automated bots from registering, filling in forms, sending messages and many other things.

The captcha solution used is Simple Captcha and it is available here. It is easy to use and easy to hook into applications.

This is another post of the Oracle Identity Manager Academy. To check other tricks, tips and examples you can find the academy post here.

Wednesday, May 1, 2013

Synchronization of Roles in Catalog OIM 11g R2


Introduction

The Catalog is one of the most fundamental features of OIM 11g R2 request based provisioning. All requests for Resources/Accounts, Entitlements and Roles are accomplished through the Catalog. Roles in OIM 11g R2 can be defined within a given category. There are two main out-of-the-box categories: OIM Roles and Default. The category affects the visibility of the Role in the Catalog.

Sometimes, customers may need to change the category of an existing Role in order to make it possible to request the Role through the Catalog. If the Role was initially created within the OIM Roles category, it will not be visible in the Catalog because there is no entry for the Role in the Catalog's table.

Procedure

A Role is available in the Catalog when its category is set to 'Default'. This can be ensured by modifying the Role's attributes in the Self-Service User Interface and selecting the 'Default' category from the List of Values. The picture that follows shows where this is done and provides an example:




In the example above, the role MASSACHUSETTS ORG MEMBER was originally created with OIM Roles as the selected category. As a result, this role can't be requested through the Catalog. The role's category will need to be updated to 'Default'. The images below demonstrate the change:






Roles are published immediately after they are created; however, if a Role is updated after creation like in the previous example, the Catalog Synchronization Job has to be executed to reflect the changes in the Catalog.

To invoke the Catalog Synchronization Job, an Administrator needs to log in to the System Administration Console of OIM and open the Scheduler Window; then navigate to the Catalog Synchronization Job as shown in the following picture:



The Job must be executed with the following values in the Job's attributes:
  • Mode = full
  • Process Roles set to Yes
  • Updated Date must be blank

After the execution of the Catalog Synchronization Job, searching for the Role in the Catalog should now display the role in the results as shown below:



Summary

The Catalog is one of the main components of OIM 11g R2. The Request-Based provisioning functionality revolves around it. Any entity in OIM that can be requested by users needs to be visible in the Catalog. Roles that have OIM Roles as their category are not visible in the Catalog; only the ones in the 'Default' category will be displayed in Catalog Search Results.

If a Role was initially created with OIM Roles as its category and is then updated to the Default category, it will not be displayed in the results of a Catalog search unless the Role is added to the CATALOG table in OIM's Database. This is accomplished by running the Catalog Synchronization Job through OIM's Scheduler. The job must be executed in Full mode, the 'Process Roles' option must be set to 'Yes' and the 'Updated Date' value must be blank.

Wednesday, April 10, 2013

Don’t Be that Guy – Part 2: Avoiding Outages Due to Full Disks and Partitions

A while back, I wrote about the fact that many customers experience severe outages with their Fusion Middleware products when they let the digital certificates associated with the SSL connections in their deployments expire.

To be fair, certificates are often “out of sight and out of mind” and indeed many system administrators don’t have much experience managing certificates. However, the same cannot be said about disk space. We all deal with managing disk space on multiple systems, including our desktop clients, home PCs, and even phones.

Today, as a public service announcement, I’d like to discuss the dangers of not paying attention to whether or not you have adequate disk space on the dev, test, and production machines running your middleware software.

I’ll be honest, I see a surprising number of customers experience everything from long delays in their dev and QA cycles to real production outages because of instability caused by running out of disk space. So, size your machines with adequate disk space, monitor your disk usage, and be aware of the logger and auditing configurations in your Fusion Middleware products.

Most Fusion Middleware / IAM products, including OAM and OIM, write to the standard Java/WLS logs (the .out and .log files) as well as to the Oracle diagnostic log (-diagnostics.log). The standard logs can be configured in the WLS console, while the diagnostic log can be configured by editing the logging.xml file, through WLST, or in EM.

Most customers that use our auditing capabilities log directly to a database. However, the default storage is “bus-stop files”, which do reside on the local file system and obviously take up space.
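The monitoring the post asks for can be scripted. The following is an added example, not code from the post or from any Oracle product: it classifies the partition a WebLogic log directory lives on by percentage used and lists the largest .out/.log files under it, so an operator can see which server or diagnostic log is eating the space before the partition fills. The directory layout and file sizes in the sample tree are constructed for the demo (written as sparse files), and the 80%/90% thresholds are assumptions to tune per environment.

```python
import os
import shutil
import tempfile
from pathlib import Path

# Suffixes of the files the post names: Java/WLS stdout (.out), the WLS server
# log (.log) and the ODL diagnostic log (<server>-diagnostic.log, also .log).
LOG_SUFFIXES = (".out", ".log")


def partition_status(total_bytes, used_bytes, warn_pct=80, crit_pct=90):
    """Classify a partition by percentage used; returns (status, pct_used)."""
    if total_bytes <= 0:
        raise ValueError("total_bytes must be positive")
    pct = round(100.0 * used_bytes / total_bytes, 1)
    if pct >= crit_pct:
        return "CRIT", pct
    if pct >= warn_pct:
        return "WARN", pct
    return "OK", pct


def log_files_by_size(root, suffixes=LOG_SUFFIXES):
    """Walk a domain/log tree and return [(path, bytes)], largest first."""
    found = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            if name.endswith(suffixes):
                path = os.path.join(dirpath, name)
                try:
                    found.append((path, os.path.getsize(path)))
                except OSError:
                    continue  # rotated or removed while we were scanning
    found.sort(key=lambda item: item[1], reverse=True)
    return found


def report(root, warn_pct=80, crit_pct=90, top_n=5):
    """Partition status for the filesystem holding root plus its biggest logs."""
    usage = shutil.disk_usage(root)
    status, pct = partition_status(usage.total, usage.used, warn_pct, crit_pct)
    files = log_files_by_size(root)
    return {
        "partition_status": status,
        "partition_pct_used": pct,
        "total_log_bytes": sum(size for _, size in files),
        "largest_logs": [(os.path.basename(p), size) for p, size in files[:top_n]],
    }


# Constructed sample tree: the paths mimic a WLS domain layout, the sizes are
# invented for the demo and are not measurements from any real system.
SAMPLE_LOGS = {
    "servers/oim_server1/logs/oim_server1.out": 5 * 1024 * 1024,
    "servers/oim_server1/logs/oim_server1.log": 2 * 1024 * 1024,
    "servers/oim_server1/logs/oim_server1-diagnostic.log": 8 * 1024 * 1024,
    "servers/oim_server1/logs/notes.txt": 4096,  # not a log file, must be ignored
}


def build_sample_tree(root):
    """Create the constructed tree as sparse files so the demo runs anywhere."""
    for rel, size in SAMPLE_LOGS.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        with open(path, "wb") as fh:
            fh.truncate(size)  # apparent size only; no disk is really consumed


def demo():
    """Run the report against the constructed tree in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return report(tmp)


if __name__ == "__main__":
    result = demo()
    print(result["partition_status"], result["partition_pct_used"], "% used")
    for name, size in result["largest_logs"]:
        print(f"{size:>12} {name}")
```

Point `report()` at a real domain's servers directory (or the directory that holds the audit bus-stop files) and run it from cron; the partition status is what you alert on, the file list is what tells you which logger or rotation setting to fix.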

Speaking of databases, I see a fair amount of similar pain being caused by databases running up against various size limits like tablespace or data file limits.  So, make sure you are also actively managing data size limits on the DB.

Friday, March 15, 2013

My White Paper on OAM Mobile and Social

Back in December I started putting together a White Paper on OAM 11g R2's new Mobile and Social capabilities. The paper covers the work we did for a Proof of Concept for a bank's new mobile banking application. Between the end of year holidays, a bunch of other projects and a long vacation, the whole process of getting it all down on paper, reviewed and published took much longer than I expected, but the paper is finally ready.

If you're interested in writing iOS apps that authenticate against OAM and then access REST services protected by OAM this paper might be right up your alley.

The paper is available from the Mobile and Social Access Services page on Oracle.com. Just scroll down to the Technical Information section and hit the link Oracle Mobile and Social Case Study - Mobile Banking Application (PDF) (or just click that link).

If you read it and have ideas, questions, comments, or even absurd remarks I'm all ears!

Wednesday, March 13, 2013

Part 2: Kerberos Authentication, RBAC and SAML identity propagation in OAG


This post is the second one of a series by Andre Correa and Paulo Pereira on OAG (Oracle API Gateway).

The first post is found at http://fusionsecurity.blogspot.com.br/2013/03/part1-kerberos-authentication-rbac-and.html. Check it out for use case background and the Kerberos authentication part.

As mentioned, one of the requirements in our exercise was to authorize the user against a ROLE X URI matrix, called “Authorization Matrix”. In this post we’re looking at the second policy (Call ‘Perform Authorization’) in the overall flow:

(Figure: KerberosPolicy)

Basically, “Perform Authorization” had to:

a. Obtain the authenticated user (authenticated by Kerberos);

b. Look up the user's group memberships in Active Directory;

c. For the requested URI, query a database for the roles authorized for that particular URI;

d. Check whether any of the user's groups (obtained from AD) is in the list returned by the DB query;

e. Authorize the user if the check in the previous step passes.
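Steps a to e as a runnable decision function, written as an added example for this post; it is not the OAG policy itself (which is built from filters in Policy Studio) and not code from the authors. The Active Directory lookup and the Authorization Matrix query are replaced by constructed in-memory dictionaries (`AD_GROUPS`, `AUTHZ_MATRIX`), and the user and URI values are invented for the demo. The one design point the list of steps leaves open is what happens when the matrix has no row for a URI; the example fails closed.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed stand-in for the Active Directory group lookup (step b).
AD_GROUPS = {
    "jdoe": {"Finance-Users", "All-Employees"},
    "asmith": {"All-Employees"},
    "svc-batch": set(),
}

# Constructed stand-in for the ROLE x URI "Authorization Matrix" that the
# post queries in a database (step c): URI path -> roles allowed to call it.
AUTHZ_MATRIX = {
    "/api/accounts": {"Finance-Users", "Finance-Admins"},
    "/api/public/info": {"All-Employees"},
}


def lookup_groups(user):
    """Step b: group memberships from AD (hypothetical in-memory directory)."""
    return set(AD_GROUPS.get(user, ()))


def authorized_roles_for_uri(path):
    """Step c: roles authorized for this exact URI path (hypothetical DB query)."""
    return set(AUTHZ_MATRIX.get(path, ()))


@dataclass(frozen=True)
class Decision:
    user: str
    path: str
    allowed: bool
    matched_roles: frozenset
    reason: str


def perform_authorization(authenticated_user, request_uri):
    """Steps a to e of the 'Perform Authorization' policy, failing closed."""
    path = urlsplit(request_uri).path  # matrix keys are paths; ignore ?query
    # Step a: the principal is whatever the preceding Kerberos policy
    # established; with none there is nothing to authorize.
    if not authenticated_user:
        return Decision("", path, False, frozenset(), "no authenticated user")
    groups = lookup_groups(authenticated_user)      # step b
    roles = authorized_roles_for_uri(path)          # step c
    if not roles:
        # No row for this URI: deny rather than treat it as unrestricted.
        return Decision(authenticated_user, path, False, frozenset(),
                        "URI not present in authorization matrix")
    matched = frozenset(groups & roles)             # step d
    if not matched:
        return Decision(authenticated_user, path, False, matched,
                        "no user group is authorized for this URI")
    return Decision(authenticated_user, path, True, matched, "authorized")  # step e


if __name__ == "__main__":
    for user, uri in [("jdoe", "/api/accounts?limit=10"),
                      ("asmith", "/api/accounts"),
                      ("asmith", "/api/public/info"),
                      ("jdoe", "/api/unlisted"),
                      (None, "/api/accounts")]:
        print(perform_authorization(user, uri))
```

Two choices here matter more than the code: matching is on the exact path, so `/api/accounts/` and `/api/accounts` are different rows unless you normalize first, and an unlisted URI is denied. Whatever rule the real matrix uses (exact path, prefix, pattern), decide it explicitly and keep the default-deny branch.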