I'll Get My Coat

Identity Management? I'll Get My Coat...

Saturday Nov 21, 2009

Sun Role Manager 5 Quick Install

A quickie: here's a handy Ant build.xml that my colleague Rob Bryne and I put together to help with deploying Sun Role Manager. Rob describes what we did in this blog post.

Friday Nov 06, 2009

Useful Sun Role Manager Doco Wiki

A useful Wiki resource for Sun Role Manager version 5 is here.

Tuesday Oct 27, 2009

Integrating Sun Role Manager v5 with Oracle Identity Manager

Sun Role Manager (SRM) can work in an offline or online mode with a provisioning server such as Sun Identity Manager; other provisioning engines, such as those from CA, IBM and Oracle, can also be used. In this blog posting we'll go through the steps required to integrate SRM 5 with Oracle Identity Manager v9.1.0.

For this exercise I used a Windows XP image, purely to keep things as simple as they can be.

Integration Steps:

  • Install Sun JDK 1.6.0_10
  • Install Oracle 11g RDBMS and Oracle Identity Manager on JBoss 4.2.3 GA, following the steps defined here
  • Install the OIM Design Console and test connectivity with the OIM Server. Extract customClient.zip into c:/oracle/customClient
  • Edit c:/oracle/customClient/config/xlConfig.xml so that the Discovery section points at the JBoss JNP naming service of the OIM server (port 1099 is the JBoss default), for example:

    <Discovery>
      <CoreServer>
        <java.naming.provider.url>jnp://localhost:1099</java.naming.provider.url>
        <java.naming.factory.initial>org.jnp.interfaces.NamingContextFactory</java.naming.factory.initial>
      </CoreServer>
    </Discovery>
  • Deploy SRM into Glassfish, not forgetting to set the RBACX_HOME system environment variable.
  • Edit the /rbacx/WEB-INF/iam-context.xml file, bearing in mind that several edits must be performed within this file. The first is to uncomment the oracle entry in the iamSolutions map of the RbacxIAMServiceImpl bean so that it references the oim bean:

    <bean class="com.vaau.rbacx.iam.service.impl.RbacxIAMServiceImpl" parent="baseServiceSupport">
      <property name="iamSolutions">
        <map>
          <entry key="oracle">
            <ref local="oim"/>
          </entry>
        </map>
      </property>
    </bean>

  • The second edit is to enable the OIM bean by removing the <!-- and --> comment markers around the OIMIAMSolution bean entry:

    <bean id="oim" class="com.vaau.rbacx.iam.oracle.OIMIAMSolution" parent="abstractIAMSolution">

  • The next edit is to remove, or preferably comment out, the lines from <property name="namespaceMap"> down to the closing tag of the <property name="secPolicyMap"> property. Failure to make this edit will result in errors when SRM starts.

    We're not quite done with this file yet; next we must configure the OIM connection information in the oim bean. loginConfig points at the JAAS login configuration (auth.conf) shipped with the OIM client, which the OIM API uses to authenticate to the server:

    <property name="loginConfig"><value>C:/oracle/customClient/config/auth.conf</value></property>
    <property name="maxStaleDays"><value>1</value></property>
    <property name="excludeFlag"><value>1</value></property>
    <property name="oimHome"><value>C:/oracle/customClient</value></property>

  • Next copy the jar files from c:/oracle/customClient/lib into rbacx/WEB-INF/lib. In testing I had originally expected to copy the c:/oracle/customClient/ext jars as well, but this proved unnecessary; in fact copying the 'ext' folder jars caused conflicts with the Apache Xerces classes.
  • To prevent the following stack trace you must also copy jbossall-client.jar from the OIM Design Console installation into rbacx/WEB-INF/lib:

    10:05:55,238 ERROR [JBOSSLOGINHANDLER] Error in creating login context
    javax.security.auth.login.LoginException: unable to find LoginModule class: org.jboss.security.ClientLoginModule
        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:808)
        at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
        at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
        at Thor.API.Security.LoginHandler.jbossLoginHandler.login(Unknown Source)
        at Thor.API.Security.ClientLoginUtility.login(Unknown Source)
        at Thor.API.tcUtilityFactory.<init>(Unknown Source)
        at com.vaau.rbacx.iam.oracle.OIMIAMSolution.getUtilityFactory(OIMIAMSolution.java:1845)
        at com.vaau.rbacx.iam.oracle.OIMIAMSolution.readUsers(OIMIAMSolution.java:412)
        at com.vaau.rbacx.iam.service.impl.RbacxIAMServiceImpl.importUsers(RbacxIAMServiceImpl.java:118)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)

  • At this stage you might think we're done copying jars, but there's one final thing to do: copy log4j-1.2.8.jar from the JBoss server into rbacx/WEB-INF/lib. This is also required to get your OIM Design Console to work properly with JBoss; otherwise you will see the following stack trace:

    11:44:41,261 ERROR [JBOSSLOGINHANDLER] Error in creating login context
    javax.security.auth.login.LoginException: java.lang.NoSuchFieldError: TRACE
        at org.jboss.logging.Log4jLoggerPlugin.isTraceEnabled(Log4jLoggerPlugin.java:85)
        at org.jboss.logging.Logger.isTraceEnabled(Logger.java:122)
        at org.jboss.security.ClientLoginModule.initialize(ClientLoginModule.java:96)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)

  • To enable log4j tracing of the OIMIAMSolution class, which does the heavy lifting between OIM and SRM, edit rbacx/WEB-INF/log4j.properties to include the following (note the log4j.logger. prefix, without which the line is ignored):

    #Oracle Identity Manager Settings
    log4j.logger.com.vaau.rbacx.iam.oracle=DEBUG

    It's always a good idea when testing integration with a provisioning server to set the OOTB IAM log4j logger to DEBUG until things have settled down a bit:

    #RBACx IAM logging
    log4j.logger.com.vaau.rbacx.iam=DEBUG

  • Now we're ready to create the OIM Provisioning Server inside Sun Role Manager. Log in as an administrator and set up something similar to this. Note that there is no Test Connection for the Oracle provider class inside SRM, so you'll need to run a scheduled job to exercise the interface before any errors show up.
  • There you go, good luck; it took me some time to figure out all the pieces. More importantly, what is colleague John Walsh "The Sultan" typing?!
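Because SRM has no Test Connection for the Oracle provider, a mistake in iam-context.xml or a missing jar only surfaces as one of the stack traces above when a scheduled job runs. The following Python script is an added example, not code from the original post or from Sun or Oracle, that checks the edits described above before that job is run: the oim bean is uncommented and uses the OIMIAMSolution class, the iamSolutions map carries an entry key="oracle" referencing it, namespaceMap and secPolicyMap are gone, the four connection properties have values, and WEB-INF/lib holds jbossall-client.jar and log4j-1.2.8.jar but none of the customClient/ext jars. It assumes iam-context.xml is ordinary Spring bean XML (DTD or XSD style; any namespace is stripped); the two sample documents and the jar lists are constructed for illustration.

```python
"""Preflight checks for the SRM/OIM wiring described in this post.

SRM has no Test Connection for the Oracle provider, so a bad iam-context.xml
or a missing jar only shows up as a stack trace from a scheduled job. The
checks below run over the file and the WEB-INF/lib listing first. Sample
inputs are constructed for illustration, not taken from a real install.
"""
import xml.etree.ElementTree as ET

RBACX_SERVICE = "com.vaau.rbacx.iam.service.impl.RbacxIAMServiceImpl"
OIM_SOLUTION = "com.vaau.rbacx.iam.oracle.OIMIAMSolution"
FORBIDDEN_PROPS = ("namespaceMap", "secPolicyMap")  # must be removed from the oim bean
REQUIRED_PROPS = ("loginConfig", "maxStaleDays", "excludeFlag", "oimHome")
REQUIRED_JARS = ("jbossall-client.jar", "log4j-1.2.8.jar")  # on top of customClient/lib


def _parse(xml_text):
    """Parse Spring bean XML and drop any namespace so tag lookups stay plain."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    return root


def check_iam_context(xml_text):
    """Return the list of problems found in an iam-context.xml body.

    ElementTree discards XML comments, so a bean still wrapped in <!-- -->
    simply does not appear, which is exactly the condition to detect.
    """
    problems = []
    beans = _parse(xml_text).findall("bean")

    oim = [b for b in beans if b.get("id") == "oim"]
    if not oim:
        problems.append('bean id="oim" is missing or still commented out')
    else:
        if oim[0].get("class") != OIM_SOLUTION:
            problems.append('bean id="oim" does not use class ' + OIM_SOLUTION)
        props = {p.get("name"): p for p in oim[0].findall("property")}
        for name in FORBIDDEN_PROPS:
            if name in props:
                problems.append("oim bean still has property " + name)
        for name in REQUIRED_PROPS:
            value = props[name].find("value") if name in props else None
            if value is None or not (value.text or "").strip():
                problems.append("oim bean is missing property %s or its <value>" % name)

    svc = [b for b in beans if b.get("class") == RBACX_SERVICE]
    if not svc:
        problems.append("RbacxIAMServiceImpl bean not found")
    else:
        entries = svc[0].findall("property[@name='iamSolutions']/map/entry")
        refs = [e.find("ref").get("local") for e in entries
                if e.get("key") == "oracle" and e.find("ref") is not None]
        if refs != ["oim"]:
            problems.append('iamSolutions has no entry key="oracle" referencing oim')
    return problems


def check_web_inf_lib(lib_jars, ext_jars):
    """Problems with the jar set in rbacx/WEB-INF/lib.

    lib_jars: jar names present in WEB-INF/lib.
    ext_jars: jar names in customClient/ext, which must not be copied in
              (the post reports Xerces class conflicts when they are).
    """
    lib_jars = set(lib_jars)
    problems = ["missing " + j for j in REQUIRED_JARS if j not in lib_jars]
    for jar in sorted(set(ext_jars) & lib_jars):
        problems.append("customClient/ext jar copied into WEB-INF/lib: " + jar)
    return problems


# Constructed sample: the file as shipped, oim bean and map entry commented out.
BEFORE_XML = """<beans>
  <bean class="com.vaau.rbacx.iam.service.impl.RbacxIAMServiceImpl" parent="baseServiceSupport">
    <property name="iamSolutions"><map>
      <!-- <entry key="oracle"><ref local="oim"/></entry> -->
    </map></property>
  </bean>
  <!-- <bean id="oim" class="com.vaau.rbacx.iam.oracle.OIMIAMSolution" parent="abstractIAMSolution"/> -->
</beans>"""

# Constructed sample: the same file with the edits from this post applied.
AFTER_XML = """<beans>
  <bean class="com.vaau.rbacx.iam.service.impl.RbacxIAMServiceImpl" parent="baseServiceSupport">
    <property name="iamSolutions"><map>
      <entry key="oracle"><ref local="oim"/></entry>
    </map></property>
  </bean>
  <bean id="oim" class="com.vaau.rbacx.iam.oracle.OIMIAMSolution" parent="abstractIAMSolution">
    <property name="loginConfig"><value>C:/oracle/customClient/config/auth.conf</value></property>
    <property name="maxStaleDays"><value>1</value></property>
    <property name="excludeFlag"><value>1</value></property>
    <property name="oimHome"><value>C:/oracle/customClient</value></property>
  </bean>
</beans>"""

if __name__ == "__main__":
    for label, doc in (("before", BEFORE_XML), ("after", AFTER_XML)):
        print(label, check_iam_context(doc) or "OK")
    print("lib", check_web_inf_lib(["jbossall-client.jar"], ["ext-sample.jar"]) or "OK")
```

Against a real deployment, feed check_iam_context the contents of rbacx/WEB-INF/iam-context.xml and check_web_inf_lib the os.listdir results of rbacx/WEB-INF/lib and c:/oracle/customClient/ext; an empty list from both means the file edits and jar copies match the steps above, although only a scheduled job proves the JAAS login to OIM itself works.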
