
IDMWORKS Blog

Tips & Tricks: How to Install the New OIDSync RMI Adapter for ITIM


Tivoli Identity Manager Installation & Integration Procedures for OIDSync RMI Adapter

The following contains the steps necessary to install the new OIDSync RMI Adapter in the ITIM environment.

First, start with the Profile installation on ITIM (in this case the instructions necessary to install an OIDSync specific service profile on the ITIM 4.6 servers).

1.   Ensure that a copy of the file oidrmiprofile.jar, shipped with this release, is saved locally on the machine that you will use to open the web browser in the next step.

2.   Open the ITIM Management Console by entering the following URL into a Web-Browser:

URL: http://<ITIM_Console_Hostname>/enrole

3.   Enter the following information into the login screen to login to the ITIM console:

User ID: <ITIM_Manager_UID>

Password: <ITIM_Manager_PW>

4.   Click the Configuration tab in the menu at the top of the screen

5.   Click the Import/Export tab in the configuration menu.

6.   Click the Import tab in the Import/Export window

7.   Click the Browse button.

8.   Navigate to the location where you saved the oidrmiprofile.jar file on the local machine.

9.   Select the oidrmiprofile.jar and click Open

10. Click the Import data into Identity Manager link below the selected file

11. Click Continue to complete the import process.

Next up, ITIM Configuration and Provisioning Policy Creation.


The following contains the instructions necessary for configuring ITIM for the OID service (the steps necessary to create an OIDSync Service in the ITIM 4.6 administration console). It also includes instructions for creating a provisioning policy that will trigger the OIDSync adapter when a user is added to, updated in, or removed from an OID role.

Let’s add an OIDSync Service!

1.   Open the ITIM Management Console by entering the following URL into a Web-Browser:

URL: http://<ITIM_Console_Hostname>/enrole

2.   Enter the following information into the login screen to login to the ITIM console:

User ID: <ITIM_Manager_UID>

Password: <ITIM_Manager_PW>

3.   Click on the Provisioning tab in the bar at the top of the screen

4.   Click on the Manage Services link in the navigation pane to the left and in the Org Chart Navigation Pane, expand the Customers Org Chart

5.   Select oidrmiprofile from the Service Type drop-down menu and click Continue

6.   The service creation screen should be displayed; enter the following information (note: if the Adapter was installed on more than one TDI server, the Target RMI URL field below should contain the IP/VIP of the load-balancing device between ITIM and the TDI servers).

Service Name: OID-Service-<OID_Target>

Target RMI URL: rmi://<TDI_Hostname>:1098/ITDIDispatcher

Target OID LDAP URL: ldap://<OID_Target>:389

Target OID username: <OID_LDAP_Admin>

Target OID password: <OID_LDAP_PW>

Target OID User DIT: <OID_User_DIT>

Target OID Group DIT: <OID_Group_DIT>

7.   Click the Test button to test the information entered.

8.   Click the Done button in the screen that pops up to signify that the test completed successfully

9.   Click Submit to submit the creation of the service.

10. Locate and click the newly created OID-Service service link.

11. Click on the Policy Enforcement link on the OID-Service service configuration page.

12. Select Correct from the Enforcement Action drop-down menu and click the Submit button

13. Click the Ok button in the warning message that appears

14. Click the Submit button to submit the change

Time to Restart the RMI Dispatcher

The following contains the steps necessary to restart the RMI Dispatcher Assembly Line on each of the TDI servers, to refresh their Assembly Line Cache. These instructions should be run on each of the TDI Servers running the RMI Dispatcher in the environment.

1.   Log into one of the ITIM TDI servers and switch to the root user

# su -

2.   Change to the /opt/TDI/timsol directory

# cd /opt/TDI/timsol

3.   Restart the RMI Dispatcher

# ./startRMIAdapter restart

4.   Repeat these steps on each of the TDI Servers with the RMI Dispatcher installed.

Add an OIDSync Provisioning Policy

The following describes the steps necessary to create the OIDSync provisioning policy that will trigger the OIDSync Adapter.

1.  Open the ITIM Management Console by entering the following URL into a Web-Browser

URL: http://<ITIM_Console_Hostname>/enrole

2.  Enter the following information into the login screen to login to the ITIM console

User ID: <ITIM_Manager_UID>

Password: <ITIM_Manager_PW>

3.   Click on the Provisioning tab in the bar at the top of the screen

4.   Click on the Define Provisioning Policies link in the left navigation pane

5.   In the Org Chart Navigation Pane, expand the Customers Org Chart

6.   Click the Add button to add a new provisioning policy

7.   The provisioning policy creation window should be displayed. Ensure that the General tab is selected and enter the following information:

Policy Name: OID-Policy-<OID_Target>

Caption: OIDSync Provisioning Policy for the target: <OID_Target>

Service Resolution Scope: SubTree

Priority: 100

8.   Within the provisioning policy creation window select the Membership tab and complete the following sub-steps to add the associated OID role(s) to this provisioning policy.

    • Click the Add button to add a new role to the provisioning policy

    • In the type selection screen select Organizational Role from the Type drop-down menu and click Continue

    • Enter <OID_Target_Role> as the entry in the search criteria textbox and click Search

    • Check the box next to the <OID_Target_Role> role and click Add

    • Repeat these steps to add a role for each OID role associated with this <OID_Target>.

9.   Within the provisioning policy creation window select the Entitlements tab and complete the following sub-steps to add the proper entitlements to this provisioning policy.

    • Click the Add button to add a new entitlement to the provisioning policy

    • On the main entitlement screen enter the following information

Type: Automatic

Target Type: Service

Service Type: oidrmiprofile

Service Name: OID-Service-<OID_Target>

    • Click the Get detail link for the Advanced Provisioning Parameter List option

    • Click Add

    • Check the following attributes (some may appear on the second page) and click Add

        • Email Address – mail

        • erOIDGroupMember

        • First Name – givenname

        • Full Name – cn

        • Last Name – sn

        • User ID

    • Enter the following for the attribute values (each value is an ITIM JavaScript expression evaluated against the person being provisioned; use straight quotes, since the curly quotes some editors insert will not parse):

        • Full Name – cn: {subject.getProperty("cn")[0]}

        • erOIDGroupMember:

          {
            var newGroups = new Array();
            var r = subject.getProperty("role");
            if (r == null) return newGroups;
            for (var i = 0; i < r.length; i++) {
              // Stop at the first role without a name; whatever was collected so far is returned
              if (r[i].getProperty("errolename")[0] == null) return newGroups;
              newGroups[i] = r[i].getProperty("errolename")[0];
            }
            return newGroups;
          }

        • User ID – eruid: {subject.getProperty("cn")[0]}

        • First Name – givenname:

          {
            var givenname = null;
            var frstnameArr = subject.getProperty("givenname");
            if (frstnameArr != null && frstnameArr.length > 0) {
              givenname = frstnameArr[0];
            }
            return givenname;
          }

        • Email Address – mail:

          {
            var mail = null;
            var mailArr = subject.getProperty("mail");
            if (mailArr != null && mailArr.length > 0) {
              mail = mailArr[0];
            }
            return mail;
          }

        • Last Name – sn: {subject.getProperty("sn")[0]}

    • Set each of the attributes to Mandatory by selecting Mandatory from the drop-down menu or placing a checkmark in the Mandatory checkbox.

    • Click the Submit button

    • Click the Add button

    • Click OK in the successful add notification that pops up

10. Click Continue to continue the process of adding the provisioning policy

11. Click Submit to submit the creation of the provisioning policy
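The entitlement parameter scripts above, re-expressed as plain functions so their edge cases can be run offline. This is an added example and not code from the original post: makeEntity is a stand-in for ITIM's Person and role objects (only getProperty is modelled, returning an empty array for a missing attribute), and the sample persons are constructed fixtures.

```javascript
// Stand-in for an ITIM directory object: getProperty(name) returns the
// attribute's value array, or an empty array when the attribute is absent.
function makeEntity(attrs) {
  return {
    getProperty: function (name) {
      return Object.prototype.hasOwnProperty.call(attrs, name) ? attrs[name] : [];
    },
  };
}

// erOIDGroupMember: names of the person's ITIM organizational roles, which the
// adapter maps onto OID groups. As in the page's script, the loop stops at the
// first role with no errolename and returns what was collected so far.
function groupMembers(subject) {
  var newGroups = [];
  var r = subject.getProperty("role");
  if (r == null) return newGroups;
  for (var i = 0; i < r.length; i++) {
    var name = r[i].getProperty("errolename")[0];
    if (name == null) return newGroups;
    newGroups[i] = name;
  }
  return newGroups;
}

// givenname / mail: first value of an optional attribute, or null when absent.
function firstOrNull(subject, name) {
  var arr = subject.getProperty(name);
  return arr != null && arr.length > 0 ? arr[0] : null;
}

// The six parameters of the OIDSync entitlement, keyed by OID attribute.
function entitlementParams(subject) {
  var cn = subject.getProperty("cn")[0];
  return {
    cn: cn,
    eruid: cn, // User ID is taken from cn, as on the page
    sn: subject.getProperty("sn")[0],
    givenname: firstOrNull(subject, "givenname"),
    mail: firstOrNull(subject, "mail"),
    erOIDGroupMember: groupMembers(subject),
  };
}

// Constructed fixture: two roles, no givenname attribute.
var samplePerson = makeEntity({
  cn: ["stefan.bojko"], sn: ["bojko"], mail: ["sbojko@test.com"],
  role: [makeEntity({ errolename: ["OIDSync_110.93_Group"] }),
         makeEntity({ errolename: ["BA-ACC-DYESS-ADMINS"] })],
});

// Constructed fixture: the second role has no errolename, so GroupC is never reached.
var personWithNamelessRole = makeEntity({
  cn: ["jane.doe"], sn: ["doe"],
  role: [makeEntity({ errolename: ["GroupA"] }), makeEntity({}),
         makeEntity({ errolename: ["GroupC"] })],
});

console.log(JSON.stringify(entitlementParams(samplePerson)));
console.log(JSON.stringify(groupMembers(personWithNamelessRole))); // ["GroupA"]
```

Note that a role without errolename silently drops every role after it, so a person can end up with fewer OID groups than ITIM roles; comparing the returned list's length against the role count is a cheap consistency check.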

Test Procedures

The following procedures verify the installation and configuration of the OIDSync Adapter described above. The tests are as follows:

1.   Add an existing user to one of the OID target roles, associated with the provisioning policy created above.

2.   Update the user's e-mail address.

3.   Add the user to a group that is not one of the OID target roles, associated with the provisioning policy created above.

4.   Remove the user from the role added above.

5.   Remove the user from the OID target role, associated with the provisioning policy created above.

Test 1:  Provision an Existing ITIM User

This test will add an existing user within ITIM to an OID target role, associated with the provisioning policy created above. This should result in the user being provisioned an account on the target Oracle Internet Directory Server (OID) LDAP.

Pre-Conditions

These pre-conditions must be met for this test to be considered fully valid:

    • The test user should already exist in ITIM

    • The test user should not already exist in the OID LDAP

Procedures

1.  Open the ITIM Management Console by entering the following URL into a Web-Browser

URL: http://<ITIM_Console_Hostname>/enrole

2.  Enter the following information into the login screen to login to the ITIM console

User ID: <ITIM_Manager_UID>

Password: <ITIM_Manager_PW>

3.   Click on the Search tab in the bar at the top of the screen

4.   In the search fields enter the following information and then click Search

Select: Person    gcssafPerson

Where: Full Name – cn   Contains    <ITIM_TestUser>

5.   Click on the link for the <ITIM_TestUser> user

6.   Click on the link to Access Personal Information for the <ITIM_TestUser> user account

7.   The <ITIM_TestUser> user's information is shown; make the following changes to update the user's account information:

        • Click the Search button next to the Organizational Roles attribute entry

        • In the window that appears enter <OID_Target_Role> as the search criteria and click Search

        • Check the box for the <OID_Target_Role> role, click Add, then click Done

        • The <OID_Target_Role> role should now appear in the Organizational Roles attribute entry

        • Scroll to the bottom of the page and click Submit to submit the data change

        • Click the Submit button to submit the user data changes

8.   Wait until the user data change has been processed by the ITIM workflow.

9.   Open a terminal window to one of the ITIM LDAP servers and switch to the root user

# su -

10. Search the OID Target LDAP to ensure that the user entry was successfully provisioned

# idsldapsearch -D "<OID_LDAP_Admin>" -w <OID_LDAP_PW> -h <OID_Target> -b "<OID_USER_DIT>" -s sub cn=<OID_TestUser>

The output should look similar to the following:

cn=stefan.bojko,cn=Users,ou=widget,ou=bus,ou=ddd,o=company,c=us
mail=sbojko@test.com
uid=stefan.bojko
objectclass=top
objectclass=person
objectclass=organizationalPerson
objectclass=inetOrgPerson
objectclass=orclUser
objectclass=orclUserV2
sn=bojko
cn=stefan.bojko

Test 2:  Update an Existing ITIM/OID User

Objective

This test will update the user that was provisioned above. This should result in an update to the user that was provisioned an account on the target Oracle Internet Directory Server (OID) LDAP, in the previous test.

Pre-Conditions

These pre-conditions must be met for this test to be considered fully valid:

    • The test user should already exist in ITIM

    • The test user should already exist in the OID LDAP

Procedures

1.  Open the ITIM Management Console by entering the following URL into a Web-Browser

URL: http://<ITIM_Console_Hostname>/enrole

2.  Enter the following information into the login screen to login to the ITIM console

User ID: <ITIM_Manager_UID>

Password: <ITIM_Manager_PW>

3.   Click on the Search tab in the bar at the top of the screen

4.   In the search fields enter the following information and then click Search

Select: Person    gcssafPerson

Where: Full Name – cn   Contains    <ITIM_TestUser>

5.   Click on the link for the <ITIM_TestUser> user

6.   Click on the link to Access Personal Information for the <ITIM_TestUser> user account

7.   The <ITIM_TestUser> user's information is shown; make the following changes to update the user's account information:

        • Locate the Email Address – mail attribute

        • Update the value of Email Address – mail to a new value

        • Scroll to the bottom of the page and click Submit to submit the data change

        • Click the Submit button to submit the user data changes

8.   Wait until the user data change has been processed by the ITIM workflow.

9.   Open a terminal window to one of the ITIM LDAP servers and switch to the root user

# su -

10. Search the OID Target LDAP to ensure that the user entry was updated

# idsldapsearch -D "<OID_LDAP_Admin>" -w <OID_LDAP_PW> -h <OID_Target> -b "<OID_USER_DIT>" -s sub cn=<OID_TestUser>

The output should be similar to the following:

cn=stefan.bojko,cn=Users,ou=widget,ou=bus,ou=ddd,o=company,c=us
mail=stefan.bojko@test.com
uid=stefan.bojko
objectclass=top
objectclass=person
objectclass=organizationalPerson
objectclass=inetOrgPerson
objectclass=orclUser
objectclass=orclUserV2
sn=bojko
cn=stefan.bojko

11. Ensure that the user's mail attribute was updated in the results of the command above.

Test 3:  Update the Groups of an Existing ITIM/OID User

Objective

This test will add an existing user within ITIM to a role in ITIM. The result should be an update to the appropriate group in the target Oracle Internet Directory Server (OID) LDAP.

Pre-Conditions

These pre-conditions must be met for this test to be considered fully valid:

    • The test user should already exist in ITIM

    • The test user should already exist in the OID LDAP

    • The test user should not already be a member of the test role in ITIM

    • The test user should not already be a member of the test role in the OID target

Procedures

1.  Open the ITIM Management Console by entering the following URL into a Web-Browser

URL: http://<ITIM_Console_Hostname>/enrole

2.  Enter the following information into the login screen to login to the ITIM console

User ID: <ITIM_Manager_UID>

Password: <ITIM_Manager_PW>

3.   Click on the Search tab in the bar at the top of the screen

4.   In the search fields enter the following information and then click Search

Select: Person

Where: Full Name – cn   Contains    <ITIM_TestUser>

5.   Click on the link for the <ITIM_TestUser> user

6.   Click on the link to Access Personal Information for the <ITIM_TestUser> user account

7.   The <ITIM_TestUser> user's information is shown; make the following changes to update the user's account information:

        • Click the Search button next to the Organizational Roles attribute entry

        • In the window that appears enter <OID_Test_Role> as the search criteria and click Search

        • Check the box for the <OID_Test_Role> role, click Add, then click Done

        • The <OID_Test_Role> role should now appear in the Organizational Roles attribute entry

        • Scroll to the bottom of the page and click Submit to submit the data change

        • Click the Submit button to submit the user data changes

8.   Wait until the user data change has been processed by the ITIM workflow.

9.   Open a terminal window to one of the ITIM LDAP servers and switch to the root user

# su -

10. Search the OID Target LDAP to ensure that the user's group membership was updated

# idsldapsearch -D "<OID_LDAP_Admin>" -w <OID_LDAP_PW> -h <OID_Target> -b "<OID_GROUP_DIT>" -s sub uniquemember="cn=<OID_TestUser>,<OID_USER_DIT>" cn

The output should be similar to the following:

cn=ABAC_PERF_TEST_CRAZY,cn=Groups,ou=widget,ou=bus,ou=ddd,o=company,c=us
cn=ABAC_PERF_TEST_CRAZY

cn=BA-ACC-CANNON-ADMINS,cn=Groups,ou=widget,ou=bus,ou=ddd,o=company,c=us
cn=BA-ACC-CANNON-ADMINS

cn=BA-ACC-DYESS-ADMINS,cn=Groups,ou=widget,ou=bus,ou=ddd,o=company,c=us
cn=BA-ACC-DYESS-ADMINS

cn=OIDSync_110.93_Group,cn=Groups,ou=widget,ou=bus,ou=ddd,o=company,c=us
cn=OIDSync_110.93_Group

Test 4:  Update the Groups of an Existing ITIM/OID User

Objective

This test will remove an existing user within ITIM from a role in ITIM. The result should be an update to the appropriate group in the target Oracle Internet Directory Server (OID) LDAP.

Pre-Conditions

These pre-conditions must be met for this test to be considered fully valid:

    • The test user should already exist in ITIM

    • The test user should already exist in the OID LDAP

    • The test user should already be a member of the test role in ITIM

    • The test user should already be a member of the test role in the OID target

Procedures

1.  Open the ITIM Management Console by entering the following URL into a Web-Browser

URL: http://<ITIM_Console_Hostname>/enrole

2. Enter the following information into the login screen to login to the ITIM console

User ID: <ITIM_Manager_UID>

Password: <ITIM_Manager_PW>

3.   Click on the Search tab in the bar at the top of the screen

4.   In the search fields enter the following information and then click Search

Select: Person

Where: Full Name – cn   Contains    <ITIM_TestUser>

5.   Click on the link for the <ITIM_TestUser> user

6.   Click on the link to Access Personal Information for the <ITIM_TestUser> user account

7.   The <ITIM_TestUser> user's information is shown; make the following changes to update the user's account information:

        • Click on <OID_Test_Role> in the Organizational Roles list-box and click Delete

        • The Organizational Roles list-box should no longer contain the <OID_Test_Role>

        • Scroll to the bottom of the page and click Submit to submit the data change

        • Click the Submit button to submit the user data changes

8.   Wait until the user data change has been processed by the ITIM workflow.

9.   Open a terminal window to one of the ITIM LDAP servers and switch to the root user

# su -

10. Search the OID Target LDAP to ensure that the user's group membership was updated

# idsldapsearch -D "<OID_LDAP_Admin>" -w <OID_LDAP_PW> -h <OID_Target> -b "<OID_GROUP_DIT>" -s sub uniquemember="cn=<OID_TestUser>,<OID_USER_DIT>" cn

The output should look similar to the following:

cn=ABAC_PERF_TEST_CRAZY,cn=Groups,ou=widget,ou=bus,ou=ddd,o=company,c=us
cn=ABAC_PERF_TEST_CRAZY

cn=BA-ACC-DYESS-ADMINS,cn=Groups,ou=widget,ou=bus,ou=ddd,o=company,c=us
cn=BA-ACC-DYESS-ADMINS

cn=OIDSync_110.93_Group,cn=Groups,ou=widget,ou=bus,ou=ddd,o=company,c=us
cn=OIDSync_110.93_Group

Test 5:  De-Provision an existing ITIM/OID User

Objective

This test will remove an existing user within ITIM from an OID target role, associated with the provisioning policy created above. This should result in the user's account being de-provisioned from the target Oracle Internet Directory Server (OID) LDAP.

Pre-Conditions

These pre-conditions must be met for this test to be considered fully valid:

    • The test user should already exist in ITIM

    • The test user should already exist in the OID LDAP

Procedures

1.  Open the ITIM Management Console by entering the following URL into a Web-Browser

URL: http://<ITIM_Console_Hostname>/enrole

2.  Enter the following information into the login screen to login to the ITIM console

User ID: <ITIM_Manager_UID>

Password: <ITIM_Manager_PW>

3.   Click on the Search tab in the bar at the top of the screen

4.   In the search fields enter the following information and then click Search

Select: Person

Where: Full Name – cn   Contains    <ITIM_TestUser>

5.   Click on the link for the <ITIM_TestUser> user

6.   Click on the link to Access Personal Information for the <ITIM_TestUser> user account

7.   The <ITIM_TestUser> user's information is shown; make the following changes to update the user's account information:

        • Click on <OID_Target_Role> in the Organizational Roles list-box and click Delete

        • The Organizational Roles list-box should no longer contain the <OID_Target_Role>

        • Scroll to the bottom of the page and click Submit to submit the data change

        • Click the Submit button to submit the user data changes

8.   Wait until the user data change has been processed by the ITIM workflow.

9.   Open a terminal window to one of the ITIM LDAP servers and switch to the root user

# su -

10. Search the OID Target LDAP to ensure that the user entry was de-provisioned

# idsldapsearch -D "<OID_LDAP_Admin>" -w <OID_LDAP_PW> -h <OID_Target> -b "<OID_USER_DIT>" -s sub cn=<OID_TestUser>

There should be no output from this command, because the user's account should no longer exist in the OID target LDAP.
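The five tests above each end with an idsldapsearch whose output is checked by eye. As an added example that is not part of the original post, the functions below parse output in the layout the tests show (a DN line followed by attribute=value lines; a blank line between entries is assumed) and return the values each test expects. The sample outputs are constructed from the entries shown in Tests 2, 3 and 4.

```javascript
// Parse idsldapsearch output: each entry is a DN line followed by
// attribute=value lines; entries are separated by a blank line (assumed).
function parseLdapOutput(text) {
  var entries = [];
  var blocks = text.split(/\n\s*\n/);
  for (var b = 0; b < blocks.length; b++) {
    var lines = blocks[b].split("\n").map(function (l) { return l.trim(); })
                         .filter(function (l) { return l.length > 0; });
    if (lines.length === 0) continue;
    var entry = { dn: lines[0], attrs: {} };
    for (var i = 1; i < lines.length; i++) {
      var eq = lines[i].indexOf("=");
      if (eq < 0) continue;
      var name = lines[i].slice(0, eq).toLowerCase();
      (entry.attrs[name] = entry.attrs[name] || []).push(lines[i].slice(eq + 1));
    }
    entries.push(entry);
  }
  return entries;
}

// Tests 1 and 2: exactly one user entry; returns its mail value, or null.
function userMail(text) {
  var entries = parseLdapOutput(text);
  if (entries.length !== 1 || !entries[0].attrs.mail) return null;
  return entries[0].attrs.mail[0];
}

// Tests 3 and 4: group names (cn) returned by the uniquemember search.
function groupNames(text) {
  return parseLdapOutput(text).map(function (e) {
    return e.attrs.cn ? e.attrs.cn[0] : e.dn;
  });
}

// Groups present before a change that are missing afterwards (Test 4).
function removedGroups(before, after) {
  var afterNames = groupNames(after);
  return groupNames(before).filter(function (g) { return afterNames.indexOf(g) < 0; });
}

// Constructed samples, modelled on the output shown in Tests 2, 3 and 4.
var test2Output = [
  "cn=stefan.bojko,cn=Users,ou=widget,ou=bus,ou=ddd,o=company,c=us",
  "mail=stefan.bojko@test.com", "uid=stefan.bojko", "objectclass=inetOrgPerson",
  "sn=bojko", "cn=stefan.bojko",
].join("\n");
var groupsBase = "cn=Groups,ou=widget,ou=bus,ou=ddd,o=company,c=us";
function groupBlock(name) { return "cn=" + name + "," + groupsBase + "\ncn=" + name; }
var test3Output = [groupBlock("ABAC_PERF_TEST_CRAZY"), groupBlock("BA-ACC-CANNON-ADMINS"),
                   groupBlock("OIDSync_110.93_Group")].join("\n\n");
var test4Output = [groupBlock("ABAC_PERF_TEST_CRAZY"),
                   groupBlock("OIDSync_110.93_Group")].join("\n\n");

console.log(userMail(test2Output));                    // stefan.bojko@test.com
console.log(groupNames(test3Output));
console.log(removedGroups(test3Output, test4Output));  // [ 'BA-ACC-CANNON-ADMINS' ]
console.log(parseLdapOutput("").length);               // 0: Test 5 expects no entry
```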
 
