The sanity tests described in this appendix are over and above the normal tests detailed in the guide. They are designed to test the in-depth functionality of Oracle Access Management (OAM) and Oracle Identity Manager (OIM).
This appendix includes the following sections:
This section lists the sanity checks for Oracle Access Management (OAM). It includes the following topics:
Appendix B, "Verifying LDAP Authentication for OAM Agent Protected Application for Valid User"
Appendix B, "Verifying Access of OAM Agent Protected Unavailable Resource"
Verifying Access of Resource that was Recently Deleted or Replaced from the Policy
To verify the LDAP authentication for OAM agent protected application for valid user, do the following:
Access an application protected by an OAM WebGate which is configured to OAM server.
Check out the URL that is being redirected to for authentication is from OAM server.
Provide a valid username and password from the OID or OUD authentication form and click Login.
Check the cookies that are created in the browser.
OAM agent protected Application can be accessed on providing valid credentials.
ObSSOcookie and OAM_ID cookies are created in the browser session.
To verify the LDAP authentication failure for OAM agent protected application for invalid password, do the following:
Access an application protected by an OAM WebGate which is configured to OAM server.
Check out the URL that is being redirected to for authentication is from OAM server.
Provide a valid username and an invalid password in the authentication form.
User authentication fails.
Appropriate error message is displayed.
Resource cannot be accessed by the user.
To verify the LDAP authentication failure for OAM agent protected application for invalid username, do the following:
Access an application protected by an OAM WebGate which is configured to OAM server.
Check out the URL that is being redirected to for authentication is from OAM server.
Provide an invalid username and any password in the authentication form.
User authentication fails.
Appropriate error message is displayed.
Resource cannot be accessed by the user.
If you access an OAM agent protected unavailable resource, an appropriate error message is displayed though the credentials provided are valid. To verify this, do the following:
Access a resource url protected by an OAM WebGate which is configured to OAM server when that resources is not available.
Check out the URL that is being redirected to for authentication is from OAM server.
Provide a valid username and password in the authentication form.
Check the cookies that are created in the browser.
OAM WebGate protected application cannot be accessed and a proper error message should be displayed.
If you access a resource which was recently deleted or replaced from the policy, the authentication is not required and the access is granted. To verify this, do the following:
Remove a resource and replace it with new one in the policy.xml or UI.
Access the application or resource that you deleted or replaced in the previous step. This application must be protected by an OAM WebGate which is configured to OAM server.
Check if the user is not asked for authentication without having to restart the OAM 11g Server or WebLogic Server.
Check if user is able to access the resource.
Resource or Application can be accessed without having to authenticate user and without having to restart the OAM 11g Server or WebLogic Server.
This section lists the sanity checks for Oracle Identity Manager. It includes the following topics:
Creating End User Request for Accounts, Entitlements, and Roles
Creating Identity Audit Scan Definitions and Viewing its Results
To create an organization, do the following:
Log in to the Identity console as xelsysadm using the following URL:
https://prov.example.com/identity
Click Manage, and then click Organization.
Click Create Org, and specify the org name as Pepsi.
To create a user, do the following:
Log in to the Identity console as xelsysadm using the following URL:
https://prov.example.com/identity
Click Manage, and then click User.
Click Create User, and specify the user name as Rahul Dravid.
Select Org as Pepsi.
Log in as Rahul Dravid.
Set the challenge questions and answers.
Verify successful login to the Identity console.
To create a role, do the following:
Log in to the Identity console as xelsysadm using the following URL:
https://prov.example.com/identity
Click Manage, and then click Role.
Click Create and provide the mandatory attributes (Name, Display Name) to create a Role named Coach, and click Next.
Click Next.
On the Organizations page, click Add Organizations. Provide the organization name as Pepsi and click Search.
Select the organization Pepsi and click Add Selected. Click Select.
Click Next, and then click Finish.
To self-register a user, do the following:
Access the Identity console URL. For example:
https://prov.example.com/identity
Do not log in.
Click the Self-Registration link on the login page.
Enter the user login, lastname, email, challenge question, password, and Click Register.
Log in to the Identity console as xelsysadm.
Approve the self-registration request.
Verify email notification for self-reg from the inbox.
Log out and relog-in as self-reg user.
To add User Defined Field (UDF) in user, do the following:
Log in to the System Administration console as xelsysadmin using the following URL:
http://IGDADMIN.example.com/sysadmin
Create & Activate Sandbox.
Open User form under System Entities.
Click Create icon.
Select Text.
Populate Display Label and Name, select Searchable, and save form.
Publish Sandbox.
Log in to the Identity console as xelsysadm using the following URL:
http://prov.example.com/identity
Create and Activate Sandbox.
Open Users page, and click Create.
Populate mandatory attributes - Organization, User Type, Last Name.
Click Customize and, go to the Structure tab.
Select Basic information as panelFormLayout.
Click Add.
Select Data Component - Catalog, and then click UserVO.
Select the udf and select ADF Input Text w/ Label.
Close form.
Search any user and open user details page.
Click Customize link and go to the Structure tab.
Select Basic information as the panelFormLayout.
Click Add.
Select Data Component, and then select Manage Users, and UserVO1.
Add the udf by selecting ADF Output Formatted w/ Label.
Close the structure form by clicking Close on the top right corner of the Identity console window.
Open any user, and click Modify.
Click Customize link and go to the Structure tab.
Select Basic information as the panelFormLayout.
Click Add.
Select Data Component - Catalog, and then UserVO1.
Click Add next to the udf that was created in step 6 and select ADF Input Text w/ Label option.
Select First Name and click the Show Properties icon.
Copy the Value Change Listener of first name attribute. For example:
#{pageFlowScope.cartDetailStateBean.attributeValueChangedListener
Dismiss the properties page.
Select the udf that you just added, and click Edit Properties.
Select Auto-Submit, and add the Value Change Listener value that you copied in 32.
Click OK to apply the updates and close the form.
Publish the Sandbox.
Log out and log in again.
Open the user details page.
Create a user populating udf attribute and verify if it is displayed properly in user details page.
Modify the UDF attribute and verify if it is displayed properly.
To create disconnected app and provision, do the following:
Create a lookup by completing the following steps:
Log in to the System Administration console as xelsysadm using the following URL:
http://igdadmin.example.com/sysadmin
Go to System Configuration tab and click Lookups.
Click the Create Lookup Type icon. Create lookup type pop is displayed.
Enter the meaning as Lookup.Disc, and enter the code as Lookup.Disc.
Click on Create lookup code button.
Enter the value HDD for Meaning, and HDD for Code, and check Enabled.
Click Save.
Click Select and Search.
Enter the value Lookup.Disc for Meaning, Lookup.Disc for code, and click Search.
The values HDD and CD are displayed. Click OK.
Create disconnected application instances by completing the following steps:
Log in to the System Administration console as xelsysadm using the following URL:
http://igadmin.example.com/sysadmin
Click the Sandboxes link, and then click Create Sandbox.
Enter the name Disc, and click Save and Close. Click OK to confirm. Sandbox is activated.
Go to Provisioning configuration, and click Application Instances.
Click Create. The Create App Instance page is displayed by enabling the Attribute tab.
Enter the name as Disc, Description as Disc, and check the Enabled Disconnected check box. Click Save. Click OK to confirm. Feedback message is displayed to confirm that Application Instance Disc is created successfully.
On the same page, go to the Attribute tab. Form field is added with the name Disc. Click Edit next to Form field.
Enable the Field tab and open Manage Disc page. Click Child objects which is next to the Field tab.
Click Add, and enter the name as chdisc, description as chdisc, and Click OK.
Click chdisc. This opens another page by enabling the Fields tab.
Click Create a Custom Field and select Lookup as the Field type, and click OK.
Enter the Display name Disc. Name field will populate a value automatically, You do not have to enter another name for Name. Enter the description as Disc and check Enabled Searchable. Click Lookup Type, and then click Search or look up icon (Magnifier icon). Enter the meaning as Lookup.Disc.
Click Search. Values HDD and CD must be displayed. Click OK. Lookup must be selected. Default Value Label, One Drop down gets added. Click on that, and you will see the values: HDD and CD.
If you enabled Entitlement, make sure that Searchable and Searchable Picklist are also selected. Keep the remaining ones with the default values.
Click Save and then click Close.
Click Back to Parent Object, and then click Regenerate view.
Enable Parent Form + Child Tables (Master/Detail), keep the default setting. Click OK.
Go to the Application Instance tab. Search for an Application Instance Disc.
Click Refresh, and click Apply on Disc form.
Go to the System Configuration tab, and click Scheduler.
Enter the value Ent* in the Search Scheduled Jobs field, click Search or Go button.
The results are displayed. Click on Entitlement List job name.
Click Run now. A confirmation message is displayed saying the Job is running.
Click Refresh. Verify that the execution status is successful. Close the window.
Go to the Application instance's Entitlement tab. Two entitlements are displayed - HDD, CD.
Search organization name, by entering the value Top, and click Search.
Top organization should be displayed. Select that row / organization, and click Add Selected. Selected organization gets added successfully.
Check Apply to Entitlement, and click Select. Selected Organization gets added successfully.
Click Assign.
Search for the organization name Pepsi, and click Search.
Pepsi organization is displayed. Select that row / organization, and click Add Selected.
Selected organization gets added successfully. Check Apply to Entitlement and click Select. Selected organization gets added successfully.
Go to the Application Instance's Attribute tab. Click Apply. A message is displayed stating that the Application instances disc is modified successfully.
Click Sandboxes.
Select the same sandbox Disc. Click Export sandbox button. Export sandbox generate .zip file sandbox_disc.zip. Click OK button. Zip file is saved and generated.
After export is successfully completed, click Publish sandbox button. Click Yes to confirm.
After you publish, the sandbox is listed under Publish Sandboxes link.
Provision the disconnected application instances and entitlements to user by completing the following steps:
Log in to the Identity console as xelsysadm using the following URL:
https://prov.example.com/identity
Click Manage and then click Users.
Search for the user name Rahul Dravid, and click Search.
The user Rahul Dravid is displayed. Click on that user link. User details are displayed.
Go to Accounts tab, and then to the Request Account tab. Account access request page is displayed. Select Enabled Add access., and go to the Catalog tab. All available Application Instances are displayed.
Click Add to cart of the Disc Disconnected application instances, and click Next. The cart detail page is displayed
Click the Pen Icon on Request detail pane.
Enter the account logging name as Rahul Dravid_123, and the password as Welcome1. Click Update.
Click Submit. Request will be generated with a message Request for access completed successfully.
Go to the Self Service tab. Click Provisioning task, and the go to the Manual Fulfillment tab. Manual fulfillment page is displayed.
Click on that request. Request details are displayed. Verify the data. Click Complete, and then click Refresh.
Go to the Manage tab, and then to the User tab. Open the same user Rahul Dravid.
Go to the Account tab. Click Refresh. Verify that the account status is Provisioned.
Select the same account name Rahul Dravid_123, and click Request Entitlement button. Entitlement Access request page is displayed. Enable Add Access and go to the Catalog tab.
Click Add to cart for entitlement HDD. Click Next.
Click Submit. Request will be generated with a message "Request for access completed successfully".
Go to the Self service tab. Click on Provisioning task, and go to Manual Fulfillment tab. Manual fulfillment page is displayed
Click on that request. Request details are displayed. Verify the data. Click Complete, and then click Refresh.
Go to the Manage tab, and then to the User tab. Open the same user Rahul Dravid.
Go to the Entitlement tab. Click Refresh button. Verify that the Entitlement status is Provisioned.
To import and configure Database user management, do the following:
Download the latest Database User Management Connector from the Oracle Identity Manager Connector Downloads page on Oracle Technology Network (OTN):
http://www.oracle.com/technetwork/middleware/id-mgmt/downloads/connectors-101674.html
Log in to the System Administration console as xelsysadmin user using the following URL:
http://igdadmin.example.com/sysadmin
Go to the System Configuration tab and click Import.
Select the file DBUserManagement-Oracle-ConnectorConfig.xml'. Sample location: D:\DBUM11.1.1.6\DBUM-11.1.1.6.0\DBUM-11.1.1.6.0\xml
Click Add.
Click Next. You can either provide the ITResource details now or later. To provide the same later, click Skip.
Click View Selections, and click Import. Once the import is successfully completed, click OK.
Copy the third party jars of target systems to the OIM_HOME/server/ConnectorDefaultDirectory/targetsystems-lib/DBUM-11.1.1.6.0 directory.
Note:
:If the target is Oracle database, no driver jar is needed.To configure a trusted source reconciliation, create and configure a new IT resource. For example, Oracle DB Trusted of type Oracle DBUM.
In the Configuration Lookup, update the trusted configuration lookup name as Lookup.DBUM.Oracle.Configuration.Trusted. This configures the ITResource for the target system.
Either you can create the ITResource and provide the following details or Open the existing ITResource 'Oracle DB' as specified below:
ITResource Details:
Configuration Lookup = Lookup.DBUM.Oracle.Configuration
Connector Server Name =
Connection Properties = Specify the connection properties for the target system database.
Database Name = This field identifies database type (such as Oracle and MSSQL) and its used for loading respective scripts. Sample value: Oracle
JDBC Driver = oracle.jdbc.driver.OracleDriver
JDBC URL = For Oracle: jdbc:oracle:thin:@host:port:sid
Login Password = Enter the password for the user name of the target system account to be used for connector operations.
Login User = sys as sysdba
To create an access policy and provision, do the following:
Create a Role named DBUMRole.
Create an user named Jean Wilson.
Assign the role DBUMRole to Jean Wilson.
Log in to system administration console.
Open Access Policies page under Policies.
Click Create Access policy on Manage page.
Populate the following:
Access Policy Name : DBUM Policy
Access Policy Description : Policy to provision DBUM App to users
Retrofit Access Policy : true
Click Continue.
Select Resources page, and select the DBUM resource and continue.
On the Provide Resource Data page, select the IT resource attribute, and click Set Additional data.
Select two or more child data and click Continue.
Select Revoke if no longer applies and click Continue.
In "Step 3: Select Resources - Specify the resources to be denied by this access policy" - DONOT select any resource. Click Continue.
Click Create Access policy.
Create another user named Patrick Morgan and assign the user role DBUMRole.
Log in to system administration console and run scheduler job Evaluate User Policies.
Open the user details page of Jean Wilson and click Accounts tab. DBUM Account should be in Provisioned state.
Go to the Entitlements tab and verify all child data added in step 11 are displayed.
Repeat the previous two steps for user Patrick Morgan.
To create an end user request for roles, do the following:
Create a user Arthur Hill.
Log in as Arthur Hill and open My Access page, and then Roles.
Click Request roles and in catalog, add DBUMRole to cart.
Submit request.
Log in as administrator and open inbox.
Open the request and approve.
As Arthur Hill,verify that the role is assigned successfully.
To create an end user request for accounts, do the following:
Create a user Bruce Parker.
Log in as Bruce Parker and open My Access page, and then Roles.
Click Request Accounts.
From the Catalog, select the DBUM App and add to cart.
On the submission page, populate the form fields and submit request.
Log in as administrator and open Inbox.
Open the request, verify the details, and approve request.
As Bruce Parker, verify that the Account is provisioned successfully.
To create an end user request for entitlements, do the following:
Log in as Jean Wilson.
Open the My Access page and go to the Accounts tab.
Select the DBUM app, and click Request Entitlements.
Add any entitlement to cart and submit request.
Log in as administrator and open Inbox.
Open the request and approve.
As Jean Wilson, verify that the entitlement is provisioned successfully.
To reset the account password, do the following:
Log in to the Identity console as Jean Wilson.
Click My Access and go to the Accounts tab.
Select DBUM App and click Reset Password.
Provide a new password and submit.
Log out and re-login as xelsysadm.
Click Manage and then click Users.
Search for Jean Wilson and open the user details page.
Go to the Accounts tab and select DBUM App.
Click Resource profile history and check if the Password Updated task is triggered and is in Completed status.
In order to create certification and approve, you must complete the following prerequisites:
Log in to Identity console by xelsysadm.
Launch the System Administration console.
Go to the System Configuration tab and click Configuration Properties.
Look for the following system properties:
Property name = Identity Auditor Feature Set Availability
Keyword = OIG.IsIdentityAuditorEnabled
Value = TRUE
Save the setting.
Restart the OIM server to see the Compliance tab in Identity console.
To create a certification and approve, do the following:
Log in to the Identity console as xelsysadm.
Go to compliance, Certification, and then Definitions.
Create a user type certification with the following information:
General details page: Enter the name = UserCertification, Type = user; Enter Description and click Next.
Base Selection page: Selected Organization and Add organization (Pepsi). Added organization is displayed. Select Any Level as Risk Level, and click Next.
Content selection page: Keep the default values, and click Next.
Configuration page: Keep the default and click Next.
Select the reviewer by searching for a user, for example, MSDhoni, and click Next.
Disable Incremental, and click Next.
Summary page: Click Create, and click Yes to confirm. Certification is created successfully.
Log in to the System Administration console as xelsysadm.
Click Scheduler.
Search for a certification cert_UserCertification. Verify that the job is run successfully.
Log in to the Identity console as xelsysadm, and log out from the xelsysadm.
Log in to the Identity console as reviewer (MSDhoni).
Go to Self service, and click Certification.
Open the same certification UserCertification [ MSDhoni ].
Certification details are displayed. You will see the user "Rahul Dravid".
Click on Rahul Dravid user.
Verify, Role - Coach, Account - Disc, Entitlement - HDD.
Select all rows, and take the Certify action. Sign-off pop up should be displayed
Enter the password (username = MSDhoni ; Password = Welcome1). Click OK. Certification is completed successfully. It should now reflect in your Inbox. It will be displayed under the Completed section.
Log in to the Identity console as MSDhoni / Xelsysadm.
Go to Complaince, Certification, and then Dashboard. Dashboard details are displayed.
Select Completed from the Show Label. This displays all of the completed certifications.
In order to create identity audit scan definitions, complete the following prerequisites:
Log in to the Identity console as xelsysadm.
Launch the Sysadmin console.
Go to the System Configuration tab, and click Configuration Properties.
Look for the following system properties:
Property name = Identity Auditor Feature Set Availability
Keyword = OIG.IsIdentityAuditorEnabled
Value = TRUE
Save the setting.
Restart the OIM server to See the Compliance tab in the Identity console.
Create a rule by doing the following:
Log in to the Identity console as xelsysadm.
Click Compliance, and then click Identity Audit.
Select Rules, and click Create.
Create an identity rule Identity Rule 1 by the following condition builder:
user.Display Name; Equals ; Rahul Dravid
Click Create. The rule is created.
Create a policy by doing the following:
Log in to the Identity console as xelsysadm.
Click Compliance and then click Identity Audit.
Click Policies, and click Create.
Create a policy Identity Policy 1 by adding the rule Identity Rule 1.
Click Create.
Create scan definition by doing the following:
Log in to the Identity console as xelsysadm using the following URL:
https://prov.example.com/identity
Click Compliance and then click Identity Audit.
Click Scan definitions, and then click Create.
Create a scan definition Identity Scan 1 by adding the policy Identity Policy 1.
On the Base selection page, select all users.
On the Configuration page, keep the default values.
On the Summary page, click Finish. Scan definition is added successfully.
Run the scan definition by selecting Identity Scan 1, and clicking Run now. Verify that the scan definition is run successfully.
Preview the scan definition result by doing the following:
After you run the scan definition, select the scan definition row or record Identity Scan 1.
Click View Scan. The scan definition results are displayed.
Complete the following steps to enable audit feature in Oracle Identity Manager:
Log in to the System Administration console.
Click System Properties under System Configuration.
Search for the property OIG.IsIdentityAuditorEnabled and update the property value to TRUE.
Restart the Oracle Identity Manager Managed Server for the change to take effect.
Log in to the Identity console as xelsysadm using the following URL:
https://prov.example.com/identity
Click Compliance and then click Reports.
Verify that the Reports page is opened successfully.