Oracle® Identity Manager Tools Reference
Release 9.1.0.2

Part Number E14763-02

11 Creating and Testing a Remote Manager IT Resource

This chapter describes the tasks for creating and testing a Remote Manager IT Resource.

Remote Manager is an Oracle Identity Manager component that acts as a proxy, communicating directly with a third-party system. The Remote Manager is used to invoke nonremotable APIs through Oracle Identity Manager and APIs that do not support Secure Sockets Layer (SSL) over secure connections.

After installing the Remote Manager and establishing the trust relation between the Oracle Identity Manager Server and the Remote Manager (trusting the certificate), you can create an IT Resource for the Remote Manager and then test it.

11.1 Postinstallation Configuration

After installing the Remote Manager, you can ensure that the certificate is trusted between the application server and the Remote Manager. To do so, first open the Remote Manager form in the Administration folder of the Design Console. The Remote Manager form shows all Remote Managers that are connected but not necessarily "trusted".

Perform the following steps to ensure that the trust relation between the application server and the Remote Manager is established through the certificate. In this procedure, the JBoss Application Server is used as an example. The keytool utility is used to import/export the certificates.

  1. Using a command prompt, open the directory path and use the keytool utility to list the certificate fingerprints:

    XLREMOTE_HOME\xlremote

  2. Enter the command:

    JAVA_HOME\jre\bin\keytool -list -keystore config\.xlkeystore

  3. Enter the default password for the xellerate keystore: xellerate

    Your keystore contains 1 entry

    xell, Jan 7, 2005, keyEntry,
    Certificate fingerprint (MD5): B0:F2:33:C8:69:E4:25:A3:CB:59:E8:51:27:EE:5C:52

    The certificate fingerprint is the value shown after Certificate fingerprint (MD5). Compare this to the list of certificates in the keystore.

  4. Open the Java SDK folder used for the application server. Again, enter the path and use the keytool to list the certificates in the keystore:

    JAVA_HOME\jre\lib\security\cacerts

  5. Enter the following command to see the list of trusted certificates:

    JAVA_HOME\bin\keytool -list -keystore cacerts -storepass changeit -storetype jks -provider provider_name

    The output lists the keystore entries, as follows:

    Your keystore contains 25 entries
    equifaxsecureebusinessca1, Jul 23, 2003, trustedCertEntry,
    Certificate fingerprint (MD5): 64:9C:EF:2E:44:FC:C6:8F:52:07:D0:51:73:8F:CB:3D
    verisignclass4ca, Jun 29, 1998, trustedCertEntry,
    Certificate fingerprint (MD5): 1B:D1:AD:17:8B:7F:22:13:24:F5:26:E2:5D:4E:B9:10
    entrustglobalclientca, Jan 9, 2003, trustedCertEntry,
    Certificate fingerprint (MD5): 9A:77:19:18:ED:96:CF:DF:1B:B7:0E:F5:8D:B9:88:2E
    gtecybertrustglobalca, May 10, 2002, trustedCertEntry,
    Certificate fingerprint (MD5): CA:3D:D3:68:F1:03:5C:D0:32:FA:B8:2B:59:E8:5A:DB
    entrustgsslca, Jan 9, 2003, trustedCertEntry,
    Certificate fingerprint (MD5): 9D:66:6A:CC:FF:D5:F5:43:B4:BF:8C:16:D1:2B:A8:99
    verisignclass1ca, Jun 29, 1998, trustedCertEntry,
    Certificate fingerprint (MD5): 51:86:E8:1F:BC:B1:C3:71:B5:18:10:DB:5F:DC:F6:20
    thawtepersonalbasicca, Feb 12, 1999, trustedCertEntry,
    Certificate fingerprint (MD5): E6:0B:D2:C9:CA:2D:88:DB:1A:71:0E:4B:78:EB:02:41
    entrustsslca, Jan 9, 2003, trustedCertEntry,
    Certificate fingerprint (MD5): DF:F2:80:73:CC:F1:E6:61:73:FC:F5:42:E9:C5:7C:EE
    thawtepersonalfreemailca, Feb 12, 1999, trustedCertEntry,
    Certificate fingerprint (MD5): 1E:74:C3:86:3C:0C:35:C5:3E:C2:7F:EF:3C:AA:3C:D9
    verisignclass3ca, Oct 24, 2003, trustedCertEntry,
    Certificate fingerprint (MD5): 10:FC:63:5D:F6:26:3E:0D:F3:25:BE:5F:79:CD:67:67
    gtecybertrustca, May 10, 2002, trustedCertEntry,
    Certificate fingerprint (MD5): C4:D7:F0:B2:A3:C5:7D:61:67:F0:04:CD:43:D3:BA:58
    thawteserverca, Feb 12, 1999, trustedCertEntry,
    Certificate fingerprint (MD5): C5:70:C4:A2:ED:53:78:0C:C8:10:53:81:64:CB:D0:1D
    equifaxsecureca, Jul 23, 2003, trustedCertEntry,
    Certificate fingerprint (MD5): 67:CB:9D:C0:13:24:8A:82:9B:B2:17:1E:D1:1B:EC:D4
    thawtepersonalpremiumca, Feb 12, 1999, trustedCertEntry,
    Certificate fingerprint (MD5): 3A:B2:DE:22:9A:20:93:49:F9:ED:C8:D2:8A:E7:68:0D
    thawtepremiumserverca, Feb 12, 1999, trustedCertEntry,
    Certificate fingerprint (MD5): 06:9F:69:79:16:66:90:02:1B:8C:8C:A2:C3:07:6F:3A
    entrust2048ca, Jan 9, 2003, trustedCertEntry,
    Certificate fingerprint (MD5): BA:21:EA:20:D6:DD:DB:8F:C1:57:8B:40:AD:A1:FC:FC
    verisignserverca, Jun 29, 1998, trustedCertEntry,
    Certificate fingerprint (MD5): 74:7B:82:03:43:F0:00:9E:6B:B3:EC:47:BF:85:A5:93
    entrustclientca, Jan 9, 2003, trustedCertEntry,
    Certificate fingerprint (MD5): 0C:41:2F:13:5B:A0:54:F5:96:66:2D:7E:CD:0E:03:F4
    baltimorecybertrustca, May 10, 2002, trustedCertEntry,
    Certificate fingerprint (MD5): AC:B6:94:A5:9C:17:E0:D7:91:52:9B:B1:97:06:A6:E4
    geotrustglobalca, Jul 23, 2003, trustedCertEntry,
    Certificate fingerprint (MD5): F7:75:AB:29:FB:51:4E:B7:77:5E:FF:05:3C:99:8E:F5
    gtecybertrust5ca, May 10, 2002, trustedCertEntry,
    Certificate fingerprint (MD5): 7D:6C:86:E4:FC:4D:D1:0B:00:BA:22:BB:4E:7C:6A:8E
    equifaxsecureglobalebusinessca1, Jul 23, 2003, trustedCertEntry,
    Certificate fingerprint (MD5): 8F:5D:77:06:27:C4:98:3C:5B:93:78:E7:D7:7D:9B:CC
    baltimorecodesigningca, May 10, 2002, trustedCertEntry,
    Certificate fingerprint (MD5): 90:F5:28:49:56:D1:5D:2C:B0:53:D4:4B:EF:6F:90:22
    equifaxsecureebusinessca2, Jul 23, 2003, trustedCertEntry,
    Certificate fingerprint (MD5): AA:BF:BF:64:97:DA:98:1D:6F:C6:08:3A:95:70:33:CA
    verisignclass2ca, Oct 24, 2003, trustedCertEntry,
    Certificate fingerprint (MD5): B3:9C:25:B1:C3:2E:32:53:80:15:30:9D:4D:02:77:3E
    

    The required certificate fingerprint (MD5: B0:F2:33:C8:69:E4:25:A3:CB:59:E8:51:27:EE:5C:52) is not in the trusted certificates. Therefore, you can import the certificate.

  6. Perform the procedure described in the "Trusting the Remote Manager Certificate" section in the installation guide for the application server that you use.
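The comparison made by eye in steps 1 through 5 can be scripted. The following Python code is an added example, not part of the Oracle guide: it parses `keytool -list` output in the format shown above and reports whether the Remote Manager fingerprint already appears among the trusted entries. The sample listings are constructed from values on this page, and the function names are hypothetical.

```python
import re

# Entry header as printed on this page: "xell, Jan 7, 2005, keyEntry,"
ENTRY_RE = re.compile(r"^(?P<alias>.+), \w{3} \d{1,2}, \d{4}, (?P<type>\w+),?$")
FP_LABEL_RE = re.compile(r"^Certificate fingerprint \((?P<alg>[^)]+)\):\s*(?P<rest>.*)$")
HEX_RE = re.compile(r"(?:[0-9A-Fa-f]{2}:)+[0-9A-Fa-f]{2}")

# Constructed samples in the format of the listings in steps 3 and 5.
REMOTE_MANAGER_LIST = """Your keystore contains 1 entry

xell, Jan 7, 2005, keyEntry,
Certificate fingerprint (MD5):

B0:F2:33:C8:69:E4:25:A3:CB:59:E8:51:27:EE:5C:52
"""
APP_SERVER_LIST = """Your keystore contains 2 entries
verisignclass4ca, Jun 29, 1998, trustedCertEntry,
Certificate fingerprint (MD5): 1B:D1:AD:17:8B:7F:22:13:24:F5:26:E2:5D:4E:B9:10
thawteserverca, Feb 12, 1999, trustedCertEntry,
Certificate fingerprint (MD5): C5:70:C4:A2:ED:53:78:0C:C8:10:53:81:64:CB:D0:1D
"""

def parse_keytool_list(text):
    """Return {alias: (entry_type, digest_algorithm, fingerprint)}."""
    entries, alias, etype, alg = {}, None, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        m = ENTRY_RE.match(line)
        if m:
            alias, etype, alg = m["alias"], m["type"], None
            continue
        m = FP_LABEL_RE.match(line)
        if m:
            alg, line = m["alg"], m["rest"].strip()
        # The digest may sit on the label line or be wrapped onto a later line.
        if alias and alg and HEX_RE.fullmatch(line):
            entries[alias] = (etype, alg, line.upper())
            alias = alg = None
    return entries

def find_trusted(remote_text, trust_text):
    """Map each Remote Manager alias to the matching trusted alias, or None."""
    trusted = {(alg, fp): a
               for a, (etype, alg, fp) in parse_keytool_list(trust_text).items()
               if etype == "trustedCertEntry"}
    return {a: trusted.get((alg, fp))
            for a, (_, alg, fp) in parse_keytool_list(remote_text).items()}

if __name__ == "__main__":
    for alias, match in find_trusted(REMOTE_MANAGER_LIST, APP_SERVER_LIST).items():
        print(alias, "trusted as " + match if match else "NOT trusted: import it")
```

Fingerprints are matched together with their digest algorithm, so an MD5 value is never compared against a digest printed under a different label.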

11.2 To Create and Test a Remote Manager IT Resource

To create and test a Remote Manager IT resource, perform the following steps:

Note:

If you want to test the Remote Manager IT Resource over a non-SSL connection, then set the <RMIOverSSL> property in the following file to false:

    OIM_HOME\xellerate\config\xlconfig.xml

  1. In the Design Console, open the Resource Object form.

  2. Create a resource object. In this example, the following parameters are set:

    • The name is MyObj

    • The Order for User option is enabled

    • The Type is Application

    • The following check boxes are available:

      • Allowed Multiple

      • Auto Save

      • Self Request Allowed

      • Allow All

      • Auto Launch

  3. Create an IT resource type for the resource object. Open the IT Resource Type Definition form. In this example, the following parameters are set:

    • Server Type: MyObjServer.

      Note:

      While defining the IT Resource Type parameter in the Design Console, you can specify which fields will be encrypted.

  4. Create an IT resource for the Remote Manager. In this example, the following parameters are set:

    • The name of the IT Resource is remote.

    • The name of the Type is Remote Manager.

      Ensure that the IT resource has the proper URL and service name, and that the Remote Manager is installed at the location indicated by the URL.

      Note:

      Ensure that the service name itself is not present in the URL. The Remote Manager is identified by a separate service name and URL, for example:

      service name: RManager
      url: rmi://w2kevandanwkstn:12346

  5. Create an instance of the MyObjServer IT Resource Type created previously. Open the IT Resource Information Form. In the Remote Manager field, ensure that the Remote Manager created in Step 4 (remote) is selected.

  6. After saving the information in the IT Resources Information form, you can provide any additional details required for that IT resource. In this example, the user name and password are entered.

  7. Create a JAR file for the following code:

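    package testme;

    // Sample class whose static method is invoked by the Remote Manager.
    public class test
    {
        public test()
        {
        }

        // Adds two integers, prints the sum to standard output, and returns it.
        public static int addme(int i, int j)
        {
            System.out.println(i + "+" + j + "=" + (i + j));
            return i + j;
        }

        // Local check only; the adapter calls addme() directly.
        public static void main(String args[])
        {
            addme(5, 10);
        }
    }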
    

    This code will be run on the Remote Manager.

  8. Copy the JAR file into the xlremote_home/JavaTasks and OIM_HOME/xellerate/JavaTasks directories.

  9. Create an adapter that will be run in the Remote Manager. Open the Adapter Factory form. In this example, the following parameters are set:

    • The Adapter Name is remotetest.

    • The Adapter Type is Process Task.

      For this example, you can create three variables for this adapter (based on example code in the .jar file). Click Add. The Java code takes two integers as arguments and the IT resource as the third variable.

  10. In the first variable, the following parameters are set:

    • The Variable name is var1.

    • The Variable type is Integer.

    • The Map To option is set to Resolve at Run time.

  11. Create the second variable in the same way you did the first. The following parameters are set:

    • The Variable name is var2.

    • The Variable type is Integer.

    • The Map To option is set to Resolve at Run time.

  12. Create the third variable for IT Resource. The parameters are set as follows:

    • The Variable name is ITRes.

    • The Variable type is ITResource.

    • The Map To option is set to Resolve at Run time.

    • The Resource Type is MyObjServer.

      Note:

      The Resource Type field must be the same "ITResource Type" created in Step 5 and not Remote Manager.

  13. Add a New Remote Java Task. In the Adapter Factory Form, click Add. Ensure that the Functional Task option is active. Select the Remote option. Click Continue.

  14. The Object Instance Selection dialog box is displayed. Create a new Object Instance. Ensure that the New Object Instance option is active. Click Continue.

  15. The Remote window is displayed. In this example, the following parameters are set:

    • The Task Name is remote.

    • The API Source references the .jar file in the JavaTask folder.

    • The Application API is testme.test.

    • The Constructor is set to 0 public testme.test ().

    • The Method is set to testme.test.addme (int, int).

      After clicking Save, the IT Resource is automatically added as an argument. The Application Method Parameters are ready for mapping.

  16. Begin mapping the parameters by highlighting the first item in the Parameter Data Mapping list. This output parameter is an integer. The following mapping is set:

    • Map To: Adapter Variables

    • Name: Return variable

  17. Click Set.

  18. Highlight the second parameter to map. This input parameter is an integer. The following mapping is set:

    • Map To: Adapter Variables

    • Name: var1

  19. Click Set.

  20. Select the third parameter to map. This input parameter is an integer. The following mapping is set:

    • Map To: Adapter Variables

    • Name: var2

  21. Click Set.

  22. Select the final parameter to map. Map this ITResource to the variable passed as input to the adapter. The following mapping is set:

    • Map To: Adapter Variables

    • Name: ITRes

  23. Click Set.

  24. Click Set. Then click Save. The Adapter Factory form is displayed.

  25. Compile the adapter by clicking Build.

To invoke the adapter, you can create a provisioning process that calls this adapter as one task. To do this:

  1. Open the Process Definition Form. In this example, the following parameters are set:

    • The Name field is MyObjProv

    • The Type field is Provisioning

    • The Object name is MyObj

      The following check boxes are available:

      • Default Process

      • Auto Pre-populate

      • Auto Save Form

  2. Click the Save icon. The provisioning tasks automatically appear in the Tasks tab.

  3. Click Add to create a new task. In this example, the parameters are set:

    • The Task Name field is Call Remote Adapter.

    • The Task Description field explains the task's function.

  4. Click the Save icon. Then click the Integration tab. Next, click Add to add an adapter to this task. The Handler Type window is displayed.

  5. Enable the Adapter option and select the adapter to be executed.

  6. Click the Save icon. In the Integration tab, the adapter name appears in the Name field. The Status field shows that the Mapping is incomplete. The Adapter Variables pane shows the variables are not mapped.

  7. Select the first variable, Adapter return value, then click Map. The Edit Data Mapping for Variable window is displayed. The parameters are set to:

    • Data Type: Object

    • Map To: Response Code

  8. Select the second variable, var1, then click Map. The Edit Data Mapping for Variable window is displayed. The parameters are set to:

    • Data Type: Integer

    • Map To: Literal

    • Qualifier: Integer

    • Literal Value: 10

  9. Select the third variable, var2, then click Map. The Edit Data Mapping for Variable window is displayed. The parameters are set to:

    • Data Type: Integer

    • Map To: Literal

    • Qualifier: Integer

    • Literal Value: 20

  10. Select the fourth variable, ITRes, and then click Map. The Edit Data Mapping for Variable window is displayed. The parameters are set to:

    • Data Type: IT Resource (MyObjServer)

    • Map To: IT Resource

    • Qualifier: MyObjServerInstance

  11. Click the Responses tab of the Editing Task window. Click Add to add the possible responses from the adapter. In this example, the only possible response is 30. Set Description to Completed and Status to C.

  12. Click the Task to Object Status Mapping tab. In the Completed category, set Object Status to Provisioned.

  13. At this point, you are ready to directly provision a user with the newly created resource to test the execution of the remote task. However, you must first ensure that the Remote Manager is running. Open the Remote Manager Form and verify that the service is available.

  14. Start the Oracle Identity Manager Administrative and User Console and log in as Administrator. Navigate to Users, Manage and select a user to provision this resource (MyObj). The User Detail page appears with the selected user. In the View Additional Details About This User pull-down option, select Resource Profile.

  15. The User Detail, Resource Profile page is displayed. Click Provision New Resource and select the newly created resource (MyObj).

  16. The Provision Resource to User wizard is displayed. Click Continue to complete the provisioning process.

  17. Continue with the provisioning process until the Resource Successfully Provisioned page is displayed.

  18. Check the Remote Manager log file to see if the code is executed. The Remote Manager log file is located in the OIM_HOME/xlremote/log directory. The last line in the log should be similar to the following:

    DONE5+10=15
    

    The preceding line shows that the two input integers are added to equal 15. This indicates that the code executed correctly and that the resource object was provisioned.