Creating a Web Services Connector for CA IdM using the CA API Gateway

23 Jun

Layer 7 Policy Manager

User:     admin

Password: 7layer



Project – Alias Wire Create User

Project view of Alias Wire Create User with list of assertions


SOAPUi request that AliasWire is expecting

This is what the AliasWire Web Service is expecting as a request to create the user

<env:Envelope xmlns:env="">
  <env:Header>
    <wsse:Security env:mustUnderstand="1" xmlns:wsse="">
      <wsse:UsernameToken wsu:Id="UsernameToken-3" xmlns:wsu="">
        <wsse:Username></wsse:Username>
        <wsse:Password Type="">DTN8fmbjl1DD/ICKY78wvOYsYNc=</wsse:Password>
        <wsse:Nonce EncodingType="">eN3hmjkJwj+BGvbU6zmpGg==</wsse:Nonce>
        <wsu:Created></wsu:Created>
      </wsse:UsernameToken>
      <hashKey xmlns="">hashkey</hashKey>
    </wsse:Security>
  </env:Header>
  <env:Body>
    <ns1:createUser xmlns:ns1="">
      <user>
        <partnerBillerId></partnerBillerId>
        <displayName></displayName>
        <partnerUniqueId></partnerUniqueId>
        <role></role>
        <fname></fname>
        <lname></lname>
        <email></email>
        <phone></phone>
      </user>
    </ns1:createUser>
  </env:Body>
</env:Envelope>


Project Logic and flow using assertions


#9 – All assertions must evaluate to true – Captures details of the request and response for auditing purposes

#25 – At least one assertion must evaluate to true – Determines the incoming request type

#26 – All assertions must evaluate to true – Returns a hard coded list of SCIM functions

(This is an XML list of SCIM functions)

#34 – All assertions must evaluate to true – Provide Schema

(This is an XML list of SCIM attribute/group attribute definitions)

#34 – All assertions must evaluate to true – If the request is a POST of the user information from IdM, locate the attribute values and submit them to AliasWire

#55 – All assertions must evaluate to true – If the IdM request is a GET with user information, return the same information back to IdM to resolve the errors returned from the PM tool when it searches for the user after a creation. Note: at this time this is a workaround, as there is no search function available at AliasWire.


The following assertions capture and send information to the CA API Gateway Policy Manager audit logs, which can be viewed with the View / Gateway Audit Events action in the CA API Gateway Policy Manager.


Add Security Token Assertion


The username and password were taken from SOAPUi: Project, Project View, WS Security Configurations


Password: xxR7fUd3W6664Y6TVMxO9w==


Configure WS-Security Decoration assertion



Apply WS-Security Assertion


Evaluate Regular expression – Insert hash key before end of wsse:Security

The following regular expression is used to insert the constant hash key, which must be part of the security header for every request to AliasWire. The hash key element is <hashKey xmlns="">hashkey</hashKey>; it is constant and required with every message.


Evaluate Regular expression – Validate URI

For each of the attributes received, it is necessary to locate the attribute in the JSON message and place it into a context variable to be used in the final submission.

The regular expression: .*\<Phone\>(.*)\</P.*

locates the <Phone> attribute, captures the data value (.*) up to the closing tag \</P.* and places it in the context variable "phone" to be used at the X step


Context Variable – createnewUser

This step uses the variables captured by the Evaluate Regular Expression – Validate URI expressions to build the final message. Each of the variables partnerBillerId, displayName, partnerUniqueId, role, firstName, lname, email and phone is used.
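As an added illustration of the two steps above (the Evaluate Regular Expression capture and the createnewUser context variable), and not code from the original page or from CA, the Python below runs the page's Phone expression and a tightened form of it over a constructed sample request, then fills the createUser body from the captured variables. The sample request, the attribute-to-variable map and the placeholder namespace are assumptions; the real AliasWire namespace is not shown on the page. It also shows why every captured value should be XML-escaped before it is placed in the outgoing body.

```python
import re
from xml.sax.saxutils import escape

# Constructed sample of the user-information POST the policy receives from IdM
# (not captured from the page; element names follow the attribute list above).
SAMPLE_REQUEST = (
    "<User><FirstName>first</FirstName><LastName>last</LastName>"
    "<Phone>8584999984</Phone><PartnerUniqueId>1719dcd7ef8e26f4e053</PartnerUniqueId></User>"
)

# The expression exactly as the page writes it for the Phone attribute.
PAGE_PHONE_RE = re.compile(r".*\<Phone\>(.*)\</P.*")


def extract_phone_page_style(message: str) -> str:
    """Greedy (.*) runs to the LAST '</P' in the message, so a later element whose
    name also starts with 'P' (here PartnerUniqueId) is swallowed into the capture."""
    m = PAGE_PHONE_RE.match(message)
    return m.group(1) if m else ""


def extract_element(message: str, name: str) -> str:
    """Tightened form: [^<]* stops at the first '<' and the closing tag is spelled out."""
    m = re.search(rf"<{re.escape(name)}>([^<]*)</{re.escape(name)}>", message)
    return m.group(1) if m else ""


# Assumed mapping of IdM attribute names to the context variables used by createnewUser.
ATTRIBUTE_MAP = {
    "FirstName": "fname",
    "LastName": "lname",
    "Phone": "phone",
    "PartnerUniqueId": "partnerUniqueId",
}


def collect_context(message: str) -> dict:
    """One context variable per mapped attribute, as the policy's regex steps produce."""
    return {var: extract_element(message, attr) for attr, var in ATTRIBUTE_MAP.items()}


# Body layout taken from the successful SOAP message on the page; namespace is a placeholder.
CREATE_USER_TEMPLATE = (
    '<ns1:createUser xmlns:ns1="{ns}"><user>'
    "<partnerBillerId>{partnerBillerId}</partnerBillerId><displayName>{displayName}</displayName>"
    "<partnerUniqueId>{partnerUniqueId}</partnerUniqueId><role>{role}</role>"
    "<fname>{fname}</fname><lname>{lname}</lname><email>{email}</email><phone>{phone}</phone>"
    "</user></ns1:createUser>"
)


def build_create_user(ctx: dict, ns: str = "urn:placeholder:aliaswire") -> str:
    """Fill the template, escaping every value so a '<' or '&' inside an IdM attribute
    cannot change the structure of the SOAP body (XML injection)."""
    fields = {"partnerBillerId": "999999", "displayName": "", "role": "CSR", "email": ""}
    fields.update(ctx)
    safe = {k: escape(str(v)) for k, v in fields.items()}
    return CREATE_USER_TEMPLATE.format(ns=ns, **safe)


if __name__ == "__main__":
    print("page regex  :", extract_phone_page_style(SAMPLE_REQUEST))
    print("tight regex :", extract_element(SAMPLE_REQUEST, "Phone"))
    print(build_create_user(collect_context(SAMPLE_REQUEST)))
```

Run on the sample, the page's expression captures `8584999984</Phone><PartnerUniqueId>1719dcd7ef8e26f4e053` because `\</P` also matches `</PartnerUniqueId>`; the tightened pattern returns just the phone number. Whether the gateway's regex engine behaves the same depends on its dot-matches-newline setting, so check the captured variable in the audit log after the policy runs.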


Apply JSON Transformation


Successful SOAP message to AliasWire

<env:Envelope xmlns:env="">
  <env:Header>
    <wsse:Security env:mustUnderstand="1" xmlns:wsse="">
      <wsse:UsernameToken wsu:Id="UsernameToken-3" xmlns:wsu="">
        <wsse:Username></wsse:Username>
        <wsse:Password Type="">DTN8fmbjl1DD/ICKY78wvOYsYNc=</wsse:Password>
        <wsse:Nonce EncodingType="">eN3hmjkJwj+BGvbU6zmpGg==</wsse:Nonce>
        <wsu:Created>2015-06-18T16:36:22.166Z</wsu:Created>
      </wsse:UsernameToken>
      <hashKey xmlns="">hashkey</hashKey>
    </wsse:Security>
  </env:Header>
  <env:Body>
    <ns1:createUser xmlns:ns1="">
      <user>
        <partnerBillerId>999999</partnerBillerId>
        <displayName>marijatbs123</displayName>
        <partnerUniqueId>1719dcd7ef8e26f4e053e490ae0a3bqw</partnerUniqueId>
        <role>CSR</role>
        <fname>first</fname>
        <lname>last</lname>
        <email></email>
        <phone>8584999984</phone>
      </user>
    </ns1:createUser>
  </env:Body>
</env:Envelope>
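The message above carries a WS-Security UsernameToken with a digested password, a nonce and a Created timestamp, plus the constant hashKey the policy splices in before the end of wsse:Security. As an added example that is not code from the page, CA or AliasWire, the Python below builds the same header the way the Add Security Token / Apply WS-Security assertions do (PasswordDigest = Base64(SHA-1(nonce + created + password)) per the UsernameToken Profile 1.0), appends the hashKey as the last child of Security instead of using a regex, and shows the receiver-side check a gateway or service should perform: recompute the digest and reject stale tokens. The username, password, body and placeholder namespace are constructed; the standard WS-Security namespace URIs are filled in because the page's listing had them stripped.

```python
import base64
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

# Standard WS-Security / SOAP 1.1 namespaces and type URIs.
SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PW_DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
B64_BINARY = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
AW_NS = "urn:placeholder:aliaswire"  # placeholder: the real AliasWire namespace is not on the page
for prefix, uri in (("env", SOAP_ENV), ("wsse", WSSE), ("wsu", WSU), ("aw", AW_NS)):
    ET.register_namespace(prefix, uri)
NS = {"env": SOAP_ENV, "wsse": WSSE, "wsu": WSU}

# Constructed createUser body (values mirror the sample message on the page).
SAMPLE_BODY = (
    f'<aw:createUser xmlns:aw="{AW_NS}"><user><partnerBillerId>999999</partnerBillerId>'
    "<fname>first</fname><lname>last</lname><phone>8584999984</phone></user></aw:createUser>"
)


def password_digest(nonce_b64: str, created: str, password: str) -> str:
    """UsernameToken Profile 1.0: Base64(SHA-1(decoded nonce || created || password))."""
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()


def make_username_token(username: str, password: str, now: Optional[datetime] = None) -> dict:
    """Fresh random nonce and UTC timestamp; the clear-text password never leaves this function."""
    now = now or datetime.now(timezone.utc)
    created = now.strftime("%Y-%m-%dT%H:%M:%S.") + f"{now.microsecond // 1000:03d}Z"
    nonce = base64.b64encode(secrets.token_bytes(16)).decode()
    return {"Username": username, "Nonce": nonce, "Created": created,
            "Password": password_digest(nonce, created, password)}


def build_envelope(token: dict, hash_key: str, body_xml: str) -> str:
    """Assemble Envelope/Header/Security/UsernameToken + hashKey + Body with a real XML builder."""
    env = ET.Element(f"{{{SOAP_ENV}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP_ENV}}}Header")
    sec = ET.SubElement(header, f"{{{WSSE}}}Security", {f"{{{SOAP_ENV}}}mustUnderstand": "1"})
    ut = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken", {f"{{{WSU}}}Id": "UsernameToken-1"})
    ET.SubElement(ut, f"{{{WSSE}}}Username").text = token["Username"]
    ET.SubElement(ut, f"{{{WSSE}}}Password", {"Type": PW_DIGEST}).text = token["Password"]
    ET.SubElement(ut, f"{{{WSSE}}}Nonce", {"EncodingType": B64_BINARY}).text = token["Nonce"]
    ET.SubElement(ut, f"{{{WSU}}}Created").text = token["Created"]
    # The page inserts the constant hashKey with a regex before </wsse:Security>;
    # appending it as the last child of Security gives the same placement without string surgery.
    ET.SubElement(sec, "hashKey").text = hash_key
    ET.SubElement(env, f"{{{SOAP_ENV}}}Body").append(ET.fromstring(body_xml))
    return ET.tostring(env, encoding="unicode")


def verify_username_token(envelope_xml: str, password_lookup: Callable[[str], Optional[str]],
                          now: Optional[datetime] = None,
                          max_skew: timedelta = timedelta(minutes=5)) -> bool:
    """Receiver-side check: digest type present, timestamp within the window, digest matches."""
    root = ET.fromstring(envelope_xml)
    ut = root.find("env:Header/wsse:Security/wsse:UsernameToken", NS)
    if ut is None:
        return False
    user = ut.findtext("wsse:Username", default="", namespaces=NS)
    pw = ut.find("wsse:Password", NS)
    nonce = ut.findtext("wsse:Nonce", default="", namespaces=NS)
    created = ut.findtext("wsu:Created", default="", namespaces=NS)
    if pw is None or pw.get("Type") != PW_DIGEST or not (nonce and created):
        return False
    try:
        created_dt = datetime.strptime(created, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return False
    now = now or datetime.now(timezone.utc)
    if abs(now - created_dt) > max_skew:
        return False  # stale or future-dated; full replay protection also needs a nonce cache
    secret = password_lookup(user)
    if secret is None:
        return False
    return hmac.compare_digest(password_digest(nonce, created, secret), pw.text or "")


if __name__ == "__main__":
    tok = make_username_token("admin", "example-secret")  # constructed credentials
    msg = build_envelope(tok, "hashkey", SAMPLE_BODY)
    print(msg)
    print("verified:", verify_username_token(msg, {"admin": "example-secret"}.get))
```

The digest and nonce on the page cannot be reproduced here because the clear-text password behind them is not shown, so the test round-trips constructed credentials instead. The freshness window is what makes a captured token useless after a few minutes; the gateway's WS-Security assertions enforce the same idea when they validate incoming tokens.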

Certificate Configuration

The Layer7 certificate needs to be imported into CA Connector Server

From the CA API Gateway Policy Manager GUI

Tasks / Manage Private Keys


Double click the certificate, view certificate, export, and save


Upload Certificate into CA Connector Server

Url: http://server:20080

Username: admin

Password: Password


Connector Express – Deploy AliasWire Connector

Start Connector Express and connect

Open Provisioning Servers in the right pane and select the server; you will be prompted for credentials:

Username: idmadmin

Password: Password


Create AliasWire Connector from Web Services – Layer 7

Using the Web Services – Layer 7 endpoint as a project sample: open the im domain, open Endpoint Types, select the "Web Services – Layer 7" connector, right-click and select Create project

Create New Project


Select No Source and OK


** Very Important **

Rename Web Services – Layer 7 to your new project name, this documented sample will be AliasWireSample. This prevents overwriting the existing project

Use Project / Save As and save with the new name (this sample was called AliasWireSample)



Remove all classes except for Endpoint and User Account





Modify User Account class

The existing attribute list needs to be modified to just support what AliasWire is expecting

Original list


Remove attributes by selecting Attributes and, when the list is displayed, reducing it to just the following: User Name, FirstName, LastName, User Display Name, Id, External Id, Emails, Role and Phone Number

You accomplish this by removing the values in the Maps to: column of the right pane


Modify Attribute values

First Name – change name to fname


Last Name – change to lname


User Display Name – change to displayName, set the Required checkbox


Id – Set name to partnerBillerId, Set the required, create, read and modify checkboxes, set the default value to 999999


Additionally set the Account Template Value by Rule string to %UCU01%


ExternalId – set name to partnerUniqueId, set the required, create, read and modify checkboxes, set the min and max length to 20


Additionally set the Account Template Value by Rule string to %UCU02%


Modify the emails and Role attributes by selecting the Attributes value in the left column; select each, clear the multivalued checkbox and set the data type to string


Rename Roles to Role

Rename emails to email

Rename Phone Number to phone


Change Phone Number to Phone


Modify Account Screens

Select account screens in the list

Remove all screens except for Users, by selecting the box and –


Remove the Organization and User Information sub screens as well and produce a list that looks as follows:


Open Containers, select groups and remove the Groups container





Save Project

Select Project / Save

Deploy Endpoint

Right-click on Endpoint Types and select Create new Endpoint Type


Select OK


Success. OK


Select your new AliasWireSample in the endpoint list, and select deploy metadata


Select Yes


You have deployed your new connector


Provision Management Create Endpoint

Connect to the Provisioning Manager

Start the CA Provisioning Manger Utility


User name: idmadmin

Password: Password

Creating new AliasWire Endpoint

Select Endpoints on the upper bar, in object type select the endpoint of AliasWire


Select 'New' to the right of AliasWire


Endpoint name:                                AliasWire


User name:        admin

Password:           7layer

Base URL:            https://server:8443/v1/caim

Notes: The user name and password are required and are the CA API Gateway user name and password

The Base URL can throw errors regarding the certificate, which must be exported from CA API Gateway and imported into the CA keystore. The short name of the server was needed rather than its FQDN because the certificate that was generated and used carried the short name.
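The certificate error described here is a hostname mismatch: the name in the Base URL must appear in the gateway certificate's Subject Alternative Names (or, for older certificates, its Common Name). As an added example, not part of the page and not CA tooling, the Python below checks the host in a Base URL against a certificate in the dictionary form Python's ssl module returns from getpeercert(), and includes a live fetch that trusts only the certificate exported from the gateway so the names can be read even when they do not match. The sample certificate dictionary is constructed to mirror the page's short-name case; the exported PEM path is a placeholder.

```python
import socket
import ssl
from urllib.parse import urlparse

# Constructed getpeercert()-style dictionaries: one issued to the short name only (as on the page),
# one issued to the FQDN.
SHORT_NAME_CERT = {
    "subject": ((("commonName", "server"),),),
    "subjectAltName": (("DNS", "server"),),
}
FQDN_CERT = {
    "subject": ((("commonName", "server.example.com"),),),
    "subjectAltName": (("DNS", "server.example.com"),),
}


def cert_names(cert: dict) -> list:
    """Names a TLS client will accept: every SAN dNSName; the CN only if no SAN is present
    (a simplification: current browsers ignore the CN entirely)."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def name_matches(pattern: str, host: str) -> bool:
    """Exact, case-insensitive match, plus single-label wildcard (*.example.com)."""
    p, h = pattern.lower(), host.lower()
    if p.startswith("*."):
        return "." in h and h.split(".", 1)[1] == p[2:]
    return p == h


def base_url_matches_cert(base_url: str, cert: dict) -> bool:
    """True when the host used in the Base URL is covered by the certificate's names."""
    host = urlparse(base_url).hostname or ""
    return any(name_matches(n, host) for n in cert_names(cert))


def fetch_peer_cert(base_url: str, exported_cert_pem: str, timeout: float = 5) -> dict:
    """Live check (needs network): trust only the PEM exported from the gateway and skip
    hostname checking so the names can be read even when the URL does not match them."""
    u = urlparse(base_url)
    ctx = ssl.create_default_context(cafile=exported_cert_pem)
    ctx.check_hostname = False  # verify_mode stays CERT_REQUIRED, so getpeercert() is populated
    with socket.create_connection((u.hostname, u.port or 443), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_name=None if False else u.hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    url = "https://server:8443/v1/caim"
    print(url, "matches short-name cert:", base_url_matches_cert(url, SHORT_NAME_CERT))
    # Uncomment with a real gateway and the PEM exported via Tasks / Manage Private Keys:
    # print(base_url_matches_cert(url, fetch_peer_cert(url, "/path/to/exported-gateway.pem")))
```

With the short-name certificate, `https://server:8443/v1/caim` passes and `https://server.example.com:8443/v1/caim` fails, which is exactly the behaviour observed above; reissuing the gateway certificate with both names in its SAN list removes the need to pick one form of the hostname.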


Explore and Correlate, and create an account on AliasWire

Right-click on AliasWire and select Explore and Correlate


Select AliasWire in the left pane (it must not be greyed out and should look like the above); for Action select 'Explore endpoint for managed objects' and select Start

The result will be the following dialog


The error above is expected: it results from the AliasWire endpoint not having a search ability to locate users (at present only a CreateUser function is available). What we want to see is that it was able to retrieve the schema (Operation detail count, highlighted in yellow). Click OK and Done.

Now right-click on AliasWire and select Content, select Accounts in the left pane and New in the Create New Content box


Create the user


You will find that:

  • Fields are required to be filled out
  • A default partnerBillerId of 999999 was placed
  • The partnerUniqueId requires exactly 20 characters
  • The email must be formatted correctly (containing the @ symbol)

or errors are returned.

Select OK to create user


Test user was created

Role Definition Generator

It is necessary to run the roledefgenerator.bat utility on the endpoint to generate the OSGi (.jar) bundle for import into the IdM management console, so that the connector can be used from the IdM application server (Web UI).

Locate the completed connector in Connector Express

These steps need to occur after the connector has been deployed so verify that the connector exists and what its name is in Connector Express.


Run the Role Definition utility from the command line from the provisioning/connector server


The password is: Password

The result should be a .jar file with the connector name that can be used for import.


Notes: We encountered several issues with modification of the OOB Web Services – CA API GATEWAY connector that was used as the base project for our new connector. The key part was that we removed many of the classes and later realized that they were mapped to other areas within Connector Express, which resulted in errors when using roledefgenerator.bat. We had success by modifying the connector as little as possible, essentially just the account class and the user screens.

Import of the AliasWire .jar into the IdM Application server

On the IdM application server you need to place the .jar bundle generated by roledefgenerator in the deployment directory of the application server.


Use the management console to deploy the connector



User: idmadmin

Password: Password

Import the connector

Select Environment \ CustomerEnvironmentPOC \ Roles and Task Settings \ Import

Select the new connector check box and finish


When the import is completed, restart the application server

Your new endpoint is deployed and usable in both the IdM Web Ui and with the Windows PM GUI tool


