Layer 7 Policy Manager
User: admin
Password: 7layer (this is the factory-default Policy Manager login; change it on anything other than a lab gateway)
Gateway: server.customer.com
Project – Alias Wire Create User
Project view of Alias Wire Create User with list of assertions
SoapUI request that AliasWire is expecting
This is the request the AliasWire web service expects in order to create a user:
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
  <env:Header>
    <wsse:Security env:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <wsse:UsernameToken wsu:Id="UsernameToken-3" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        <wsse:Username>wsuser@customer.com</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">DTN8fmbjl1DD/ICKY78wvOYsYNc=</wsse:Password>
        <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">eN3hmjkJwj+BGvbU6zmpGg==</wsse:Nonce>
        <wsu:Created>2015-06-18T16:36:22.166Z</wsu:Created>
      </wsse:UsernameToken>
      <hashKey xmlns="http://www.aliaswire.com/common">hashkey</hashKey>
    </wsse:Security>
  </env:Header>
  <env:Body>
    <ns1:createUser xmlns:ns1="http://www.aliaswire.com/directbiller/cp/billeradmin">
      <user>
        <partnerBillerId>999999</partnerBillerId>
        <displayName>user123</displayName>
        <partnerUniqueId>1719dcd7ef8e26f4e053e490ae0a3bqw</partnerUniqueId>
        <role>CSR</role>
        <fname>firstname</fname>
        <lname>lastname</lname>
        <email>first.last@customer.com</email>
        <phone>8599998584</phone>
      </user>
    </ns1:createUser>
  </env:Body>
</env:Envelope>
Project logic and flow using assertions
#9 – All assertions must evaluate to true – Captures details of the request and response for auditing purposes
#25 – At least one assertion must evaluate to true – Determines the incoming request type
#26 – All assertions must evaluate to true – Returns a hard-coded list of SCIM functions
(This is an XML list of SCIM functions)
#34 – All assertions must evaluate to true – Provides the schema
(This is an XML list of SCIM attribute and group attribute definitions)
#34 – All assertions must evaluate to true – If the request is a POST of user information from IdM, locates the attribute values and submits them to AliasWire
#55 – All assertions must evaluate to true – If the IdM request is a GET for user information, returns the same information back to IdM. This resolves the errors the Provisioning Manager tool returns when it searches for the user immediately after creation. Note: at this time this is a workaround, because AliasWire does not offer a search function.
Auditing
The following statements capture request and response details and send them to the CA API Gateway audit log, which can be viewed with the View / Gateway Audit Events action in the CA API Gateway – Policy Manager.
Add Security Token Assertion
The username and password were taken from SoapUI (Project, Project View, WS-Security Configurations):
User: wsuser@customer.com
Password: xxR7fUd3W6664Y6TVMxO9w==
Configure WS-Security Decoration assertion
Apply WS-Security Assertion
Evaluate Regular Expression – Insert hash key before end of wsse:Security
This regular expression inserts the constant hash key, which must be part of the security header of every request sent to AliasWire. The hash key element is <hashKey xmlns="http://www.aliaswire.com/common">hashkey</hashKey>; it is constant and required on every message.
Evaluate Regular Expression – Validate URI
For each attribute received, the attribute has to be located in the incoming (JSON) message and placed into a context variable for use in the final submission.
The regular expression: .*\<Phone\>(.*)\</P.*
Locates the <Phone> attribute, captures the data value with (.*) up to the closing tag matched by \</P.*, and places it in the context variable "phone" for use in the createnewUser context-variable step below. Note that (.*) is greedy: it will run to the last "</P" it can find, so the pattern only works cleanly because nothing later in the message starts with "</P".
Context Variable – createnewUser
This step takes the variables captured by the Evaluate Regular Expression – Validate URI steps and uses them to build the final message. Each of the variables partnerBillerId, displayName, partnerUniqueId, role, firstName, lname, email and phone is used.
Apply JSON Transformation
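The following is an added example, not code from the original post or from CA or AliasWire, that reproduces outside the gateway what the steps above assemble: pull the attribute values out of the inbound message with a regex capture, add a WS-Security UsernameToken with a PasswordDigest, insert the constant hashKey before </wsse:Security>, and wrap the createUser body. It also shows the receiver-side check AliasWire must perform on the digest, which is useful for testing a policy without the real endpoint. The inbound message is constructed, and its element names are an assumption based on the attribute names used in the Connector Express class and the <Phone> regex on this page; the password, nonce and timestamp used are sample values, not the ones in the screenshots.

```python
import base64
import hashlib
import hmac
import os
import re
from datetime import datetime, timezone
from xml.sax.saxutils import escape

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
               "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
B64_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
            "oasis-200401-wss-soap-message-security-1.0#Base64Binary")
# Constant element the policy's regex step inserts before </wsse:Security>.
HASH_KEY = '<hashKey xmlns="http://www.aliaswire.com/common">hashkey</hashKey>'

# (inbound element name, element name AliasWire expects inside <user>)
FIELD_MAP = [("partnerBillerId", "partnerBillerId"), ("displayName", "displayName"),
             ("partnerUniqueId", "partnerUniqueId"), ("role", "role"),
             ("fname", "fname"), ("lname", "lname"), ("email", "email"),
             ("Phone", "phone")]

# Constructed inbound message (assumed element names, see lead-in).
SAMPLE_INBOUND = """<user>
  <partnerBillerId>999999</partnerBillerId>
  <displayName>user123</displayName>
  <partnerUniqueId>1719dcd7ef8e26f4e053e490ae0a3bqw</partnerUniqueId>
  <role>CSR</role>
  <fname>firstname</fname>
  <lname>lastname</lname>
  <email>first.last@customer.com</email>
  <Phone>8599998584</Phone>
</user>"""


def extract(message, name):
    # Same job as the gateway's Evaluate Regular Expression capture, but with a
    # non-greedy (.*?) and an exact closing tag, so a later element whose name
    # starts with the same letter cannot extend the capture.
    m = re.search(r"<{0}>(.*?)</{0}>".format(re.escape(name)), message, re.S)
    if m is None:
        raise ValueError("attribute %s missing from inbound message" % name)
    return m.group(1).strip()


def password_digest(nonce, created, password):
    # WSS UsernameToken Profile 1.0: Base64(SHA-1(nonce || created || password)),
    # nonce as raw bytes, Created and password as UTF-8 strings.
    raw = nonce + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()


def parse_created(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def format_created(when):
    return when.strftime("%Y-%m-%dT%H:%M:%S.") + "%03dZ" % (when.microsecond // 1000)


def build_create_user(inbound, username, password, nonce=None, created=None):
    # Output of the Add Security Token, Apply WS-Security and regex steps.
    nonce = os.urandom(16) if nonce is None else nonce
    created = created or format_created(datetime.now(timezone.utc))
    user_xml = "".join("<%s>%s</%s>" % (out, escape(extract(inbound, src)), out)
                       for src, out in FIELD_MAP)
    security = (
        '<wsse:Security env:mustUnderstand="1" xmlns:wsse="%s">'
        '<wsse:UsernameToken wsu:Id="UsernameToken-1" xmlns:wsu="%s">'
        '<wsse:Username>%s</wsse:Username>'
        '<wsse:Password Type="%s">%s</wsse:Password>'
        '<wsse:Nonce EncodingType="%s">%s</wsse:Nonce>'
        '<wsu:Created>%s</wsu:Created>'
        '</wsse:UsernameToken></wsse:Security>'
    ) % (WSSE, WSU, escape(username), DIGEST_TYPE,
         password_digest(nonce, created, password), B64_TYPE,
         base64.b64encode(nonce).decode(), created)
    # The "insert hash key before end of wsse:Security" step.
    security = security.replace("</wsse:Security>", HASH_KEY + "</wsse:Security>", 1)
    return ('<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">'
            '<env:Header>%s</env:Header><env:Body>'
            '<ns1:createUser xmlns:ns1="http://www.aliaswire.com/directbiller/cp/billeradmin">'
            '<user>%s</user></ns1:createUser></env:Body></env:Envelope>'
            % (security, user_xml))


def verify_username_token(envelope, lookup_password, now=None, max_age_seconds=300):
    # Receiver-side check: recompute the digest from the token's own Nonce and
    # Created plus the password on file, compare in constant time, and reject
    # stale tokens. A real receiver also caches nonces seen inside the window
    # so that a captured envelope cannot simply be replayed.
    def field(tag):
        m = re.search(r"<%s[^>]*>([^<]*)</%s>" % (tag, tag), envelope)
        return m.group(1) if m else None
    username, digest = field("wsse:Username"), field("wsse:Password")
    nonce_b64, created = field("wsse:Nonce"), field("wsu:Created")
    if None in (username, digest, nonce_b64, created):
        return False
    password = lookup_password(username)
    if password is None:
        return False
    expected = password_digest(base64.b64decode(nonce_b64), created, password)
    if not hmac.compare_digest(expected, digest):
        return False
    now = now or datetime.now(timezone.utc)
    age = (now - parse_created(created)).total_seconds()
    return abs(age) <= max_age_seconds
```

Because the digest covers the nonce and the Created timestamp, the gateway must generate a fresh nonce per request; a policy that pastes a fixed nonce and timestamp into the header produces a token the receiver should reject as a replay once the window has passed.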
Successful SOAP message to AliasWire
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
  <env:Header>
    <wsse:Security env:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <wsse:UsernameToken wsu:Id="UsernameToken-3" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        <wsse:Username>wsuser@customer.com</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">DTN8fmbjl1DD/ICKY78wvOYsYNc=</wsse:Password>
        <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">eN3hmjkJwj+BGvbU6zmpGg==</wsse:Nonce>
        <wsu:Created>2015-06-18T16:36:22.166Z</wsu:Created>
      </wsse:UsernameToken>
      <hashKey xmlns="http://www.aliaswire.com/common">hashkey</hashKey>
    </wsse:Security>
  </env:Header>
  <env:Body>
    <ns1:createUser xmlns:ns1="http://www.aliaswire.com/directbiller/cp/billeradmin">
      <user>
        <partnerBillerId>999999</partnerBillerId>
        <displayName>marijatbs123</displayName>
        <partnerUniqueId>1719dcd7ef8e26f4e053e490ae0a3bqw</partnerUniqueId>
        <role>CSR</role>
        <fname>first</fname>
        <lname>last</lname>
        <email>first.last@customer.com</email>
        <phone>8584999984</phone>
      </user>
    </ns1:createUser>
  </env:Body>
</env:Envelope>
Certificate Configuration
The Layer 7 gateway certificate needs to be imported into the CA Connector Server.
From the CA API Gateway Policy Manager GUI
Tasks / Manage Private Keys
Double-click the key entry, choose View Certificate, export it, and save the file.
Upload Certificate into CA Connector Server
Url: http://server:20080
Username: admin
Password: Password
Connector Express – Deploy AliasWire Connector
Start Connector Express and connect
Open Provisioning Servers in the right pane and select 10.170.110.9; you will be prompted for credentials:
Username: idmadmin
Password: Password
Create AliasWire Connector from Web Services – Layer 7
Using the Web Services – Layer 7 endpoint as the project sample, open the im domain, open Endpoint Types, right-click the "Web Services – Layer 7" connector and select Create project.
Create New Project
Select No Source and OK
** Very Important **
Rename Web Services – Layer 7 to your new project name (in this documented sample, AliasWireSample). This prevents overwriting the existing project.
Use Project / Save As and save under the new name (this sample was called AliasWireSample).
Classes
Remove all classes except for Endpoint and User Account
Before
After
Modify User Account class
The existing attribute list needs to be reduced to just the attributes AliasWire expects.
Original list
Remove all attributes except the following: User Name, FirstName, LastName, User Display Name, Id, External Id, Emails, Role and Phone Number.
You do this by clearing the values in the Maps to: column of the right pane.
Modify Attribute values
First Name – change name to fname
Last Name – change to lname
User Display Name – change to displayName, set the Required checkbox
Id – set the name to partnerBillerId, check the Required, Create, Read and Modify boxes, and set the default value to 999999
Additionally set the Account Template Value by Rule string to %UCU01%
ExternalId – set the name to partnerUniqueId, check the Required, Create, Read and Modify boxes, and set the min and max length to 20
Additionally set the Account Template Value by Rule string to %UCU02%
Modify the Emails and Role attributes by selecting the Attributes value in the left column; select each, clear the Multivalued checkbox and set the data type to string.
Rename Roles to Role
Rename emails to email
Rename Phone Number to phone
Change Phone Number to Phone
Modify Account Screens
Select account screens in the list
Remove all screens except for Users, by selecting the box and –
Remove the Organization and User Information sub-screens as well, to produce a list that looks as follows:
Open Containers, select groups and remove the Groups container
Before
After
Save Project
Select Project / Save
Deploy Endpoint
Right-click on Endpoint Types and select Create new Endpoint Type
Select OK
Success. OK
Select your new AliasWireSample in the endpoint list, and select deploy metadata
Select Yes
You have deployed your new connector
Provision Management Create Endpoint
Connect to the Provisioning Manager
Start the CA Provisioning Manager utility
User name: idmadmin
Password: Password
Creating new AliasWire Endpoint
Select Endpoints on the upper bar; in Object Type select the AliasWire endpoint type
Select 'New' to the right of AliasWire
Endpoint name: AliasWire
User name: admin
Password: 7layer
Base URL: https://server:8443/v1/caim
Notes: The user name and password are required and are the CA API Gateway user name and password.
The Base URL can throw certificate errors; the gateway certificate must be exported from the CA API Gateway and imported into the CA keystore. The short name had to be used rather than the FQDN of the server because the certificate that was generated and used carries the short name: the host name in the URL has to match the name in the certificate, or the TLS hostname check fails even though the certificate is trusted.
Explore and Correlating and creating an account on AliasWire
Right-click on AliasWire and select Explore and Correlate
Select AliasWire in the left pane (it must not be greyed out and should look like the screenshot above); for Action select 'Explore endpoint for managed objects' and select Start
The result will be the following dialog
The error above is expected. It results from the AliasWire endpoint having no search capability (at present only a CreateUser function is available) with which to locate users. What matters is that the schema was retrieved (the Operation detail count highlighted in yellow). Click OK and Done.
Now right-click on AliasWire and select Content, select Accounts in the left pane, and click New in the Create New Content box
Create the user
You will find that:
- Required fields must be filled in
- A default partnerBillerId of 999999 is populated
- The partnerUniqueId requires exactly 20 characters
- The email must be formatted correctly (containing an @ symbol)
or errors are returned.
Select OK to create user
Test user was created
Role Definition Generator
It is necessary to run the roledefgenerator.bat utility against the endpoint to generate the OSGi bundle (.jar) that is imported into the IdM Management Console so the connector can be used from the IdM application server (Web UI).
Locate the completed connector in Connector Express
These steps must occur after the connector has been deployed, so verify in Connector Express that the connector exists and note its name.
Run the Role Definition utility from the command line on the provisioning/connector server
The password is: Password
The result should be a .jar file carrying the connector name, which can be used for the import.
Notes: We encountered several issues when modifying the out-of-the-box Web Services – CA API Gateway connector that was used as the base project for our new connector. The key problem was that we removed many of the classes and later realized they were mapped to other areas within Connector Express, which resulted in errors when running roledefgenerator.bat. We had success by modifying the connector as little as possible, essentially just the account class and the user screens.
Import of the AliasWire .jar into the IdM Application server
On the IdM application server, place the .jar bundle generated by roledefgenerator in the deployment directory of the application server.
Use the management console to deploy the connector
http://ssopoc11.customer.com:88/iam/immanage
User: idmadmin
Password: Password
Import the connector
Select Environment \ CustomerEnvironmentPOC \ Roles and Task Settings \ Import
Select the new connector check box and finish
When the import is completed, restart the application server
Your new endpoint is deployed and usable in both the IdM Web UI and the Windows Provisioning Manager GUI tool.
Congratulations!