25 Sanity Checks
Topics:
Sanity Checks for Oracle Access Management
This section lists the sanity checks for Oracle Access Management (OAM).
Topics:
- Verifying LDAP Authentication for OAM Agent Protected Application for Valid User
- Verifying LDAP Authentication Failure for OAM Agent Protected Application for Invalid Password
- Verifying LDAP Authentication Failure for OAM Agent Protected Application for Invalid Username
- Verifying Access of OAM Agent Protected Unavailable Resource
- Verifying Access of Resource that was Recently Deleted or Replaced from the Policy
Verifying LDAP Authentication for OAM Agent Protected Application for Valid User
To verify LDAP authentication for an OAM agent protected application with a valid user, do the following:
- Access an application protected by an OAM WebGate that is configured with the OAM server.
- Check that the URL you are redirected to for authentication is on the OAM server.
- Provide a valid username and password (an OUD user) in the authentication form and click Login.
- Check the cookies that are created in the browser.
Expected Result:
- The OAM agent protected application can be accessed after providing valid credentials.
- The ObSSOCookie and OAM_ID cookies are created in the browser session.
Verifying LDAP Authentication Failure for OAM Agent Protected Application for Invalid Password
To verify LDAP authentication failure for an OAM agent protected application with an invalid password, do the following:
- Access an application protected by an OAM WebGate that is configured with the OAM server.
- Check that the URL you are redirected to for authentication is on the OAM server.
- Provide a valid username and an invalid password in the authentication form.
Expected Result:
- User authentication fails.
- An appropriate error message is displayed.
- The resource cannot be accessed by the user.
Verifying LDAP Authentication Failure for OAM Agent Protected Application for Invalid Username
To verify LDAP authentication failure for an OAM agent protected application with an invalid username, do the following:
- Access an application protected by an OAM WebGate that is configured with the OAM server.
- Check that the URL you are redirected to for authentication is on the OAM server.
- Provide an invalid username and any password in the authentication form.
Expected Result:
- User authentication fails.
- An appropriate error message is displayed.
- The resource cannot be accessed by the user.
Verifying Access of OAM Agent Protected Unavailable Resource
If you access an OAM agent protected resource that is unavailable, an appropriate error message is displayed even though the credentials provided are valid. To verify this, do the following:
- Access a resource URL protected by an OAM WebGate that is configured with the OAM server, while that resource is not available.
- Check that the URL you are redirected to for authentication is on the OAM server.
- Provide a valid username and password in the authentication form.
- Check the cookies that are created in the browser.
Expected Result:
The OAM WebGate protected application cannot be accessed, and a proper error message is displayed.
Verifying Access of Resource that was Recently Deleted or Replaced from the Policy
If you access a resource that was recently deleted from, or replaced in, the policy, authentication is no longer required and access is granted. To verify this, do the following:
- Remove a resource and replace it with a new one in policy.xml or in the UI.
- Access the application or resource that you deleted or replaced in the previous step. This application must be protected by an OAM WebGate that is configured with the OAM server.
- Check that the user is not asked to authenticate, without having restarted the OAM 11g Server or WebLogic Server.
- Check that the user is able to access the resource.
Expected Result:
The resource or application can be accessed without authenticating the user and without having to restart the OAM 11g Server or WebLogic Server.
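As an added example that is not part of the Oracle documentation, the following Python evaluates the HTTP evidence the five OAM sanity checks above look for: the redirect to the OAM server, the ObSSOCookie and OAM_ID cookies after a valid login, their absence after a failed login, and direct access once a resource has been removed from the policy. The OAM hostname and the response samples are assumed and constructed, not captured from a deployment.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlparse

OAM_HOST = "oam.example.com"             # assumed OAM server hostname
SSO_COOKIES = {"ObSSOCookie", "OAM_ID"}  # cookies the valid-user check expects


def redirect_is_to_oam(location, oam_host=OAM_HOST):
    """True when the Location header sends the browser to the OAM server."""
    if not location:
        return False
    host = urlparse(location).hostname or ""
    return host.lower() == oam_host.lower()


def cookie_names(set_cookie_headers):
    """Collect cookie names from a list of Set-Cookie header values."""
    names = set()
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        names.update(jar.keys())
    return names


def check_valid_user(first, after_login):
    """Valid user: redirect to OAM, then 200 with both SSO cookies set."""
    return (first["status"] in (302, 303)
            and redirect_is_to_oam(first.get("location"))
            and after_login["status"] == 200
            and SSO_COOKIES <= cookie_names(after_login.get("set_cookie", [])))


def check_failed_login(first, after_login):
    """Invalid password or username: redirect to OAM, then no SSO cookie is
    issued, so the protected resource stays unreachable."""
    issued = cookie_names(after_login.get("set_cookie", []))
    return (first["status"] in (302, 303)
            and redirect_is_to_oam(first.get("location"))
            and not (SSO_COOKIES & issued))


def check_unprotected_after_policy_removal(first):
    """Resource removed from the policy: served directly, with no redirect."""
    return first["status"] == 200 and not first.get("location")


# Constructed sample responses (not captured from a real deployment).
FIRST_HIT = {"status": 302, "location": "https://oam.example.com/login?req=abc"}
LOGIN_OK = {"status": 200,
            "set_cookie": ["ObSSOCookie=tok123; path=/; HttpOnly; secure",
                           "OAM_ID=sess456; domain=.example.com; path=/; secure"]}
LOGIN_BAD = {"status": 200, "set_cookie": ["JSESSIONID=abc; path=/"]}
DIRECT_HIT = {"status": 200, "set_cookie": []}
```

Feed the dictionaries from real responses (status code, Location header, Set-Cookie headers) captured by a browser or HTTP client to run the checks against an environment.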
Sanity Checks for Oracle Identity Governance
This section lists the sanity checks for Oracle Identity Governance.
Topics:
- Creating Organization
- Creating User
- Creating Role
- Managing Sandboxes
- Publishing a Sandbox
- Adding User Defined Field (UDF) in User
- Creating Disconnected Application and Provision
- Importing and Configuring DB User Management
- Creating Access Policy and Provision
- Creating End User Request for Accounts, Entitlements, and Roles
- Resetting Account Password
- Creating Certification and Approving
- Creating Identity Audit Scan Definitions and Viewing its Results
- Testing Identity Audit
Creating Organization
To create an organization, do the following:
Creating User
To create a user, do the following:
Creating Role
To create a role, do the following:
Managing Sandboxes
A number of the operations below require the creation of a sandbox. A sandbox is a non-active area where changes can be tried out before they are made live.
Creating a Sandbox
Sandboxes can be created from either the sysadmin console or the identity console. The steps are the same. Below is an example for creating a sandbox in the sysadmin console. To create a sandbox you perform the following steps:
Publishing a Sandbox
Once the changes are fine, you publish the sandbox to make it live. This is achieved by performing the following steps:
Adding User Defined Field (UDF) in User
To add User Defined Field (UDF) in user, do the following:
Creating Disconnected Application and Provision
To create a disconnected application and provision it, do the following:
- Create a lookup by completing the following steps:
  - Log in to the System Administration console as xelsysadm using the following URL: http://igdadmin.example.com/sysadmin
  - Go to the System Configuration tab and click Lookups.
  - Click the Create link under the Action drop-down list.
  - Enter the meaning as Lookup.Disc, and enter the code as Lookup.Disc.
  - Click the Create link under the Action drop-down list.
  - Enter the value HDD for Meaning, and HDD for Code.
  - Click Save.
  - Enter the value Lookup.Disc for Meaning and Lookup.Disc for Code, and click Search.
  - The values HDD and CD are displayed. Click OK.
- Create the disconnected application instance by completing the following steps:
  - Log in to the System Administration console as xelsysadm using the following URL: http://igadmin.example.com/sysadmin
  - Click the Sandboxes link, and then click Create Sandbox.
  - Enter the name Disc, and click Save and Close. Click OK to confirm. The sandbox is activated.
  - Go to Provisioning Configuration, and click Application Instances.
  - Click Create. The Create App Instance page is displayed with the Attribute tab enabled.
  - Enter the name as Disc and the description as Disc, and select the Disconnected check box. Click Save. Click OK to confirm. A feedback message confirms that the application instance Disc is created successfully.
  - On the same page, go to the Attribute tab. A form field named Disc is added. Click Edit next to the form field.
  - Enable the Field tab and open the Manage Disc page. Click Child Objects, which is next to the Field tab.
  - Click Add, enter the name as chdisc and the description as chdisc, and click OK.
  - Click chdisc. This opens another page with the Fields tab enabled.
  - Click the Create link under the Action drop-down list, select Lookup as the field type, and click OK.
  - Enter the display label and name as Disc, and select Searchable. Click Lookup Type, and then click Search or the lookup (magnifier) icon. Enter the meaning as Lookup.Disc.
  - Click Search. The values HDD and CD must be displayed. Click OK. The lookup is selected. A Default Value label with one drop-down list is added. Click it, and the values HDD and CD are shown.
    If you enabled Entitlement, make sure that Searchable and Searchable Picklist are also selected. Keep the remaining settings at their default values.
  - Click Save and then click Close.
  - Click Back to Parent Object, and then click Regenerate View.
  - Enable Parent Form + Child Tables (Master/Detail), keeping the default setting. Click OK.
  - Go to the Application Instance tab. Search for the application instance Disc.
  - Click Refresh, and click Apply on the Disc form.
  - Go to the System Configuration tab, and click Scheduler.
  - Enter the value Ent* in the Search Scheduled Jobs field, and click the Search (Go) button.
  - The results are displayed. Click the Entitlement List job name.
  - Click Run Now. A confirmation message states that the job is running.
  - Click Refresh. Verify that the execution status is successful. Close the window.
  - Go to the application instance's Entitlement tab. Two entitlements are displayed: HDD and CD.
  - Search for the organization name by entering the value Top, and click Search.
  - The Top organization should be displayed. Select that row (organization), and click Add Selected. The selected organization is added successfully.
  - Select Apply to Entitlement, and click Select. The selected organization is added successfully.
  - Click Assign.
  - Search for the organization name TestOrg, and click Search.
  - The TestOrg organization is displayed. Select that row (organization), and click Add Selected.
  - The selected organization is added successfully. Select Apply to Entitlement and click Select. The selected organization is added successfully.
  - Go to the application instance's Attribute tab. Click Apply. A message states that the application instance Disc is modified successfully.
  - Click Sandboxes.
  - Select the same sandbox, Disc. Click the Export Sandbox button. Exporting the sandbox generates the .zip file sandbox_disc.zip. Click OK. The zip file is generated and saved.
  - After the export completes successfully, click the Publish Sandbox button. Click Yes to confirm.
  - After you publish, the sandbox is listed under the Publish Sandboxes link.
- Provision the disconnected application instance and entitlements to a user by completing the following steps:
  - Log in to the Identity console as xelsysadm using the following URL: https://prov.example.com/identity
  - Click Manage and then click Users.
  - Search for the user name Rahul Dravid, and click Search.
  - The user Rahul Dravid is displayed. Click that user link. The user details are displayed.
  - Go to the Accounts tab, and then to the Request Account tab. The account access request page is displayed. Enable Add Access, and go to the Catalog tab. All available application instances are displayed.
  - Click Add to Cart for the Disc disconnected application instance, and click Next. The cart detail page is displayed.
  - Click the pen icon in the Request Details pane.
  - Enter the account login name as Rahul Dravid_123, and the password as <password>. Click Update.
  - Click Submit. The request is generated with the message "Request for access completed successfully".
  - Go to the Self Service tab. Click Provisioning Tasks, and then go to the Manual Fulfillment tab. The manual fulfillment page is displayed.
  - Click that request. The request details are displayed. Verify the data. Click Complete, and then click Refresh.
  - Go to the Manage tab, and then to the Users tab. Open the same user, Rahul Dravid.
  - Go to the Accounts tab. Click Refresh. Verify that the account status is Provisioned.
  - Select the same account name, Rahul Dravid_123, and click the Request Entitlement button. The entitlement access request page is displayed. Enable Add Access and go to the Catalog tab.
  - Click Add to Cart for the entitlement HDD. Click Next.
  - Click Submit. The request is generated with the message "Request for access completed successfully".
  - Go to the Self Service tab. Click Provisioning Tasks, and go to the Manual Fulfillment tab. The manual fulfillment page is displayed.
  - Click that request. The request details are displayed. Verify the data. Click Complete, and then click Refresh.
  - Go to the Manage tab, and then to the Users tab. Open the same user, Rahul Dravid.
  - Go to the Entitlements tab. Click the Refresh button. Verify that the entitlement status is Provisioned.
Importing and Configuring DB User Management
To import and configure Database user management, do the following:
Creating Access Policy and Provision
To create an access policy and provision it, do the following:
- Log in to the Identity console as xelsysadm using the following URL: https://prov.example.com/identity
- Click Manage.
- Click Roles and Access Policies -> Roles.
- Create a role named DBUMRole.
- Click the Home tab to select the main management options.
- Click Users.
- Click Create.
- Create a user named Jean Wilson.
- Click the Home tab.
- Click Roles and Access Policies -> Roles.
- Select the role DBUMRole.
- The role page is displayed. Click Members.
- Click Add.
- In the Add Members dialog box, search for the user Jean Wilson.
- Click the user Jean Wilson.
- Click Add Selected.
- Click Apply.
- Create another user named Patrick Morgan and assign the user the role DBUMRole.
- Click Manage and click the Home tab.
- Open the user details page of Jean Wilson and click the Accounts tab. The DBUM account should be in the Provisioned state.
- Go to the Entitlements tab and verify that all the child data added is displayed.
- Repeat the previous two steps for the user Patrick Morgan.
Creating End User Request for Accounts, Entitlements, and Roles
To create an end user request for roles, do the following:
- Create a user Arthur Hill.
- Log in as Arthur Hill, open the My Access page, and then open Roles.
- Click Request and, in the catalog, add DBUMRole to the cart.
- Submit the request.
- Log in as the administrator and open Pending Approvals.
- Open the request and approve it.
- As Arthur Hill, verify that the role is assigned successfully.
To create an end user request for accounts, do the following:
- Create a user Bruce Parker.
- Log in as Bruce Parker, open the My Access page, and then open Roles.
- Click Request.
- From the Catalog, select the DBUM App and add it to the cart.
- Click Next and click Submit to submit the request.
- Log in as the administrator and open the Inbox.
- Open the request, verify the details, and approve the request.
- As Bruce Parker, verify that the account is provisioned successfully.
To create an end user request for entitlements, do the following:
- Log in as Jean Wilson.
- Open the My Access page and go to the Accounts tab.
- Select the DBUM app, and click Request Entitlements under Action.
- Add any entitlement to the cart and submit the request.
- Log in as the administrator and open the Inbox.
- Open the request and approve it.
- As Jean Wilson, verify that the entitlement is provisioned successfully.
Resetting Account Password
To reset the account password, do the following:
- Log in to the Identity console as Jean Wilson.
- Click My Access and go to the Accounts tab.
- Select SSOTarget and click Reset Password under Action.
- Provide a new password and submit.
- Log out and log in again as xelsysadm.
- Click Manage and then click Users.
- Search for Jean Wilson and open the user details page.
- Go to the Accounts tab and select DBUM App.
- Click Resource History under Action and check that the Password Updated task is triggered and is in Completed status.
Creating Certification and Approving
In order to create a certification and approve it, you must complete the following prerequisites:
- Log in to the Identity console as xelsysadm.
- Launch the System Administration console.
- Go to the System Configuration tab and click Configuration Properties.
- Look for the following system property:
  Property name = Identity Auditor Feature Set Availability
  Keyword = OIG.IsIdentityAuditorEnabled
  Value = TRUE
- Save the setting.
- Restart the OIM server to see the Compliance tab in the Identity console.
To create a certification and approve, do the following:
Creating Identity Audit Scan Definitions and Viewing its Results
In order to create identity audit scan definitions, complete the following prerequisites:
- Log in to the Identity console as xelsysadm.
- Launch the Sysadmin console.
- Go to the System Configuration tab, and click Configuration Properties.
- Look for the following system property:
  Property name = Identity Auditor Feature Set Availability
  Keyword = OIG.IsIdentityAuditorEnabled
  Value = TRUE
- Save the setting.
- Restart the OIM server to see the Compliance tab in the Identity console.
Create a rule by doing the following:
- Log in to the Identity console as xelsysadm.
- Click Compliance, and then click Identity Audit.
- Select Rules, and click Create.
- Create an identity rule Identity Rule 1 using the following condition in the condition builder: user.Display Name; Equals; Rahul Dravid
- Click Create. The rule is created.
Create a policy by doing the following:
- Log in to the Identity console as xelsysadm.
- Click Compliance and then click Identity Audit.
- Click Policies, and click Create.
- Create a policy Identity Policy 1 by adding the rule Identity Rule 1.
- Click Create.
Create a scan definition by doing the following:
- Log in to the Identity console as xelsysadm using the following URL: https://prov.example.com/identity
- Click Compliance and then click Identity Audit.
- Click Scan Definitions, and then click Create.
- Create a scan definition Identity Scan 1 by adding the policy Identity Policy 1.
- On the Base Selection page, select all users.
- On the Configuration page, keep the default values.
- On the Summary page, click Finish. The scan definition is added successfully.
- Run the scan definition by selecting Identity Scan 1 and clicking Run Now. Verify that the scan definition runs successfully.
- Preview the scan definition result by doing the following:
  - After you run the scan definition, select the scan definition row (record) Identity Scan 1.
  - Click View Scan. The scan definition results are displayed.
Testing Identity Audit
Complete the following steps to enable audit feature in Oracle Identity Manager: