I'll Get My Coat

Identity Management? I'll Get My Coat...

Tuesday Oct 27, 2009

Integrating Sun Role Manager v5 with Oracle Identity Manager

Sun Role Manager (SRM) can work in offline or online mode with a provisioning server such as Sun Identity Manager; other provisioning engines, such as those from CA, IBM and Oracle, can be used as well. In this blog posting we'll go through the steps required to integrate SRM 5 with Oracle Identity Manager v9.1.0.

For this exercise I used a Windows XP image, purely to keep things as simple as they can be.

Integration Steps:

  • Install Sun JDK 1.6.0_10
  • Install Oracle 11g RDBMS and Oracle Identity Manager, using JBoss 4.2.3 GA; follow the steps defined here
  • Install the OIM Design Console and test connectivity with the OIM Server. Extract the customClient.zip into c:/oracle/customClient
  • Edit c:/oracle/customClient/config/xlConfig.xml to point at the JBoss environment, for example:

    <Discovery>
      <CoreServer>
        <java.naming.provider.url>jnp://localhost:1099</java.naming.provider.url>
        <java.naming.factory.initial>org.jnp.interfaces.NamingContextFactory</java.naming.factory.initial>
      </CoreServer>
    </Discovery>
  • Deploy SRM into Glassfish, not forgetting to set the RBACX_HOME system environment variable.
  • Edit the /rbacx/WEB-INF/iam-context.xml file; several edits must be made in this file. The first is to uncomment the Oracle provisioning server entry in the iamSolutions map (excerpt):

    <bean class="com.vaau.rbacx.iam.service.impl.RbacxIAMServiceImpl" parent="baseServiceSupport">
      <property name="iamSolutions">
        <entry key="oracle">
          <ref local="oim"/>
        </entry>
      </property>

  • The second edit is to enable the OIM bean by removing the comment markers <!-- and --> around the OIMIAMSolution bean entry:

    <bean id="oim" class="com.vaau.rbacx.iam.oracle.OIMIAMSolution" parent="abstractIAMSolution">

  • The next edit is to remove, or preferably comment out, the lines from <property name="namespaceMap"> down to the closing tag of the <property name="secPolicyMap"> element.
  • Failure to make this edit will result in errors when SRM starts.

    We're not quite done with this file yet; next we must configure the OIM connection information:

    <property name="loginConfig"> <value>C:/oracle/customClient/config/auth.conf</value> </property>
    <property name="maxStaleDays"> <value>1</value> </property>
    <property name="excludeFlag"> <value>1</value> </property>
    <property name="oimHome"> <value>C:/oracle/customClient</value> </property>

  • Next copy the jar files from c:/oracle/customClient/lib into rbacx/WEB-INF/lib. In testing I had originally expected to copy the c:/oracle/customClient/ext jar files as well, but this proved unnecessary; in fact copying these 'ext' folder jars caused conflicts with the Apache Xerces classes.
  • To prevent the following stack trace you must copy jbossall-client.jar from the OIM Design Console installation into rbacx/WEB-INF/lib:

    10:05:55,238 ERROR [JBOSSLOGINHANDLER] Error in creating login context
    javax.security.auth.login.LoginException: unable to find LoginModule class: org.jboss.security.ClientLoginModule
        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:808)
        at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
        at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
        at Thor.API.Security.LoginHandler.jbossLoginHandler.login(Unknown Source)
        at Thor.API.Security.ClientLoginUtility.login(Unknown Source)
        at Thor.API.tcUtilityFactory.(Unknown Source)
        at com.vaau.rbacx.iam.oracle.OIMIAMSolution.getUtilityFactory(OIMIAMSolution.java:1845)
        at com.vaau.rbacx.iam.oracle.OIMIAMSolution.readUsers(OIMIAMSolution.java:412)
        at com.vaau.rbacx.iam.service.impl.RbacxIAMServiceImpl.importUsers(RbacxIAMServiceImpl.java:118)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)

  • Now at this stage you might think we're done copying jars, but there's one final thing we need to do: copy log4j-1.2.8.jar from the JBoss server into rbacx/WEB-INF/lib. This is also required to get your OIM Design Console to work properly with JBoss; otherwise you will see the following stack trace:

    11:44:41,261 ERROR [JBOSSLOGINHANDLER] Error in creating login context
    javax.security.auth.login.LoginException: java.lang.NoSuchFieldError: TRACE
        at org.jboss.logging.Log4jLoggerPlugin.isTraceEnabled(Log4jLoggerPlugin.java:85)
        at org.jboss.logging.Logger.isTraceEnabled(Logger.java:122)
        at org.jboss.security.ClientLoginModule.initialize(ClientLoginModule.java:96)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)

  • To enable log4j tracing of the OIMIAMSolution class, which does the heavy lifting between OIM and SRM, edit rbacx/WEB-INF/log4j.properties to include the following (the logger key needs the log4j.logger. prefix, as in the second entry below, or log4j ignores it):

    #Oracle Identity Manager Settings
    log4j.logger.com.vaau.rbacx.iam.oracle=DEBUG

    It's always a good idea when testing integration with a provisioning server to set the OOTB IAM log4j logger to DEBUG until things have settled down a bit:

    #RBACx IAM logging
    log4j.logger.com.vaau.rbacx.iam=DEBUG

  • Now we're ready to create the OIM provisioning server inside Sun Role Manager. Log in as an administrator and set up something similar to this; note that there's no Test Connection for the Oracle provider class inside SRM, so you'll need to run a scheduled job to flex the interface before any errors show up.
  • There you go, good luck; it took me some time to figure out all the pieces. More importantly, what is my colleague John Walsh "The Sultan" typing?!
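Since SRM has no Test Connection for the Oracle provider, here is an added pre-flight script (written for this post, not SRM or OIM code) that checks the iam-context.xml edits, the log4j.properties logger keys and the two jars above before you run the scheduled job. The embedded XML excerpt is a constructed sample, and the lib directory path is an assumption.

```python
"""Pre-flight check for the SRM iam-context.xml / log4j.properties / WEB-INF/lib edits.
Constructed example, not SRM or OIM code; the sample text and paths are assumptions."""
import re
from pathlib import Path

REQUIRED_JARS = ("jbossall-client.jar", "log4j-1.2.8.jar")   # the two jars copied above
OIM_PROPS = ("loginConfig", "maxStaleDays", "excludeFlag", "oimHome")
LOGGERS = ("log4j.logger.com.vaau.rbacx.iam", "log4j.logger.com.vaau.rbacx.iam.oracle")

# Constructed excerpt of a correctly edited iam-context.xml (not the shipped file)
SAMPLE_OK = """<!-- <bean id="sun" class="com.example.Sun"/> -->
<property name="iamSolutions"><entry key="oracle"><ref local="oim"/></entry></property>
<bean id="oim" class="com.vaau.rbacx.iam.oracle.OIMIAMSolution" parent="abstractIAMSolution">
  <property name="loginConfig"><value>C:/oracle/customClient/config/auth.conf</value></property>
  <property name="maxStaleDays"><value>1</value></property>
  <property name="excludeFlag"><value>1</value></property>
  <property name="oimHome"><value>C:/oracle/customClient</value></property>
</bean>"""

def check_iam_context(xml: str) -> list:
    """Return problems found; an empty list means every edit from the steps is present."""
    live = re.sub(r"<!--.*?-->", "", xml, flags=re.S)   # commented-out beans are not enabled
    problems = []
    if not re.search(r'<entry key="oracle">\s*<ref local="oim"\s*/>', live):
        problems.append('iamSolutions has no live <entry key="oracle"> pointing at oim')
    if 'class="com.vaau.rbacx.iam.oracle.OIMIAMSolution"' not in live:
        problems.append("OIMIAMSolution bean is still commented out or missing")
    for name in ("namespaceMap", "secPolicyMap"):
        if f'<property name="{name}"' in live:
            problems.append(f"{name} property must be removed or commented out")
    for name in OIM_PROPS:   # an unterminated <value> is the classic typo here
        if not re.search(rf'<property\s+name\s*=\s*"{name}">\s*<value>[^<]+</value>', live):
            problems.append(f'oim bean lacks a well-formed <property name="{name}">')
    return problems

def check_log4j(props: str) -> list:
    """Logger keys need the log4j.logger. prefix or log4j silently ignores them."""
    keys = {ln.split("=", 1)[0].strip() for ln in props.splitlines()
            if "=" in ln and not ln.lstrip().startswith("#")}
    return [f"missing {k}=DEBUG" for k in LOGGERS if k not in keys]

def check_lib(lib_dir) -> list:
    """Report jars whose absence produces the LoginException traces shown above."""
    lib = Path(lib_dir)   # e.g. rbacx/WEB-INF/lib (assumed location)
    return [f"{jar} missing from {lib}" for jar in REQUIRED_JARS if not (lib / jar).exists()]
```

Run all three checks against your deployed rbacx directory and fix anything reported before scheduling the first import job.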

Wednesday Apr 22, 2009

Oracle & Sun IdM Stack, One Perspective from KuppingerCole


Hello everyone. Well... what interesting times we come to: our number one competitor in the Identity Management space has stepped up and announced plans to acquire us; I'm sure you've all seen the news. Assuming everything goes through as planned, what would any future Identity Management stack look like? Oracle have a very comprehensive and broad line of products from many recent acquisitions; Sun's stack is nowhere near as wide, but does the river run more deeply with the Sun products? We'd like to think so, but obviously, and most importantly, we need to share these thoughts with our prospective new employers and hear their opinion. This was an acquisition of Sun after all, and not a merger.

Another interesting point is the interim period prior to the acquisition being formalised (where Sun is still independent): I'm looking at my presales proof-of-concept (PoC) run list for the coming weeks and months and seeing a whole bunch of PoCs where we (Sun) are up against Oracle as our primary competitor. Makes for interesting times!

Personally I'm looking forward to sharing with our new colleagues our roadmap plans, some confidential, some openly broadcast on the open source forums of dev.java.net (think OpenSSO), and seeing how Oracle perceive these plans. If business as usual is anything to go by at Oracle regarding acquisitions (think back to the Siebel and PSFT acquisitions etc.), then it's likely that no customer will be left behind. This shows Oracle's integrity in customer commitment and is reassuring news for both Oracle and Sun Identity Mgmt customers who've invested in IdM software tech.

Here's one perspective from KuppingerCole on what the shake-out could look like:

http://www.kuppingercole.com/articles/fg_mk_oracle_sun220409
