Creating a Web Services Connector for CA IdM using the CA API Gateway

23 Jun

Layer 7 Policy Manager

User:     admin

Password: 7layer

Gateway: server.customer.com


Project – Alias Wire Create User

Project view of Alias Wire Create User with list of assertions


SOAPUi request that AliasWire is expecting

This is what the AliasWire Web Service is expecting as a request to create the user

<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
   <env:Header>
     <wsse:Security env:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
         <wsse:UsernameToken wsu:Id="UsernameToken-3" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
           <wsse:Username>wsuser@customer.com</wsse:Username>
           <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">DTN8fmbjl1DD/ICKY78wvOYsYNc=</wsse:Password>
           <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">eN3hmjkJwj+BGvbU6zmpGg==</wsse:Nonce>
           <wsu:Created>2015-06-18T16:36:22.166Z</wsu:Created>
         </wsse:UsernameToken>
         <hashKey xmlns="http://www.aliaswire.com/common">hashkey</hashKey>
     </wsse:Security>
   </env:Header>
   <env:Body>
     <ns1:createUser xmlns:ns1="http://www.aliaswire.com/directbiller/cp/billeradmin">
         <user>
           <partnerBillerId>999999</partnerBillerId>
           <displayName>user123</displayName>
           <partnerUniqueId>1719dcd7ef8e26f4e053e490ae0a3bqw</partnerUniqueId>
           <role>CSR</role>
           <fname>firstname</fname>
           <lname>lastname</lname>
           <email>first.last@customer.com</email>
           <phone>8599998584</phone>
         </user>
     </ns1:createUser>
   </env:Body>
</env:Envelope>

Project Logic and flow using assertions


#9 – All assertions must evaluate to true – Captures details of the request and response for auditing purposes

#25 – At least one assertion must evaluate to true – Determines the incoming request type

#26 – All assertions must evaluate to true – Returns a hard coded list of SCIM functions

(This is an XML list of SCIM functions)

#34 – All assertions must evaluate to true – Provide Schema

(This is an XML list of SCIM attribute/group attribute definitions)

#34 – All assertions must evaluate to true – If the request is a POST of the user information from IdM, locate the attribute values and submit them to AliasWire

#55 – All assertions must evaluate to true – If the IdM request is a GET with user information, return the same information back to IdM. This resolves the errors returned by the PM tool when it searches for the user after creation. Note: at this time this is a workaround, as there is no search function available at AliasWire.

Auditing

The following statements capture and send information to the CA API Gateway Policy Manager logs, which can be accessed using the View / Gateway Audit Events action in the CA API Gateway Policy Manager


Add Security Token Assertion


The username and password were taken from SOAPUi (Project, Project View, WS-Security Configurations)

User: wsuser@customer.com

Password: xxR7fUd3W6664Y6TVMxO9w==


Configure WS-Security Decoration assertion


Apply WS-Security Assertion


Evaluate Regular expression – Insert hash key before end of wsse:Security

The following regular expression is used to insert the constant hash key, which must be part of the security header of every request to AliasWire. The hash key element is <hashKey xmlns="http://www.aliaswire.com/common">hashkey</hashKey>; it is constant and required with every message.
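The decoration and hash key steps above have to produce the PasswordDigest, Nonce and Created values seen in the SOAPUi request and place the hashKey element inside wsse:Security. As an added illustration, not code from this post, the gateway or AliasWire, the Python below builds that header per the WSS UsernameToken Profile 1.0 (digest = Base64(SHA-1(nonce + created + password))) and shows what the receiving side should check: the digest, timestamp freshness and nonce reuse. The password "constructed-secret", the hashKey text, the 5-minute window and the Id value are assumptions; the nonce and Created values are the ones in the sample request.

```python
import base64, hashlib, hmac, os
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
ALIASWIRE = "http://www.aliaswire.com/common"  # namespace of the constant hashKey element

def password_digest(nonce_b64: str, created: str, password: str) -> str:
    """WSS UsernameToken Profile 1.0: Base64(SHA-1(nonce || created || password))."""
    return base64.b64encode(hashlib.sha1(base64.b64decode(nonce_b64) + created.encode() + password.encode()).digest()).decode()

def build_security_header(user: str, password: str, hash_key: str, nonce_b64=None, created=None):
    """Sender side: the wsse:Security header the gateway's decoration step emits, plus hashKey."""
    nonce_b64 = nonce_b64 or base64.b64encode(os.urandom(16)).decode()  # fresh random nonce per message
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"
    sec = ET.Element(f"{{{WSSE}}}Security", {f"{{{SOAP_ENV}}}mustUnderstand": "1"})
    tok = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken", {f"{{{WSU}}}Id": "UsernameToken-1"})
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = user
    ET.SubElement(tok, f"{{{WSSE}}}Password", {"Type": DIGEST}).text = password_digest(nonce_b64, created, password)
    ET.SubElement(tok, f"{{{WSSE}}}Nonce").text = nonce_b64
    ET.SubElement(tok, f"{{{WSU}}}Created").text = created
    ET.SubElement(sec, f"{{{ALIASWIRE}}}hashKey").text = hash_key  # added as an XML child, not spliced in by regex
    return sec

class DigestVerifier:  # receiver side: recompute the digest, reject stale Created values and reused nonces
    def __init__(self, password: str, max_age: timedelta = timedelta(minutes=5)):
        self.password, self.max_age, self.seen = password, max_age, set()
    def verify(self, sec: ET.Element, now: datetime = None) -> bool:
        tok = sec.find(f"{{{WSSE}}}UsernameToken")
        if tok is None or sec.find(f"{{{ALIASWIRE}}}hashKey") is None:
            return False  # both the token and AliasWire's constant hashKey must be present
        nonce, created, digest = (tok.findtext(f"{{{WSSE}}}Nonce"), tok.findtext(f"{{{WSU}}}Created"), tok.findtext(f"{{{WSSE}}}Password"))
        if not (nonce and created and digest):
            return False
        ts = datetime.strptime(created, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
        fresh = abs((now or datetime.now(timezone.utc)) - ts) <= self.max_age
        ok = fresh and nonce not in self.seen and hmac.compare_digest(digest.encode(), password_digest(nonce, created, self.password).encode())
        if ok:
            self.seen.add(nonce)  # a nonce may authenticate exactly one message
        return ok

def demo() -> list:  # constructed exchange: valid token, then replay, wrong password and stale timestamp
    sec = build_security_header("wsuser@customer.com", "constructed-secret", "hashkey", "eN3hmjkJwj+BGvbU6zmpGg==", "2015-06-18T16:36:22.166Z")
    at, good = datetime(2015, 6, 18, 16, 36, 30, tzinfo=timezone.utc), DigestVerifier("constructed-secret")
    return [good.verify(sec, at), good.verify(sec, at), DigestVerifier("wrong-secret").verify(sec, at),
            DigestVerifier("constructed-secret").verify(sec, at + timedelta(hours=1))]
```

`demo()` returns `[True, False, False, False]`: the first presentation is accepted, the replay of the same nonce, a wrong password and a one-hour-old Created are all rejected.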


Evaluate Regular expression – Validate URI

For each of the attributes received, it is necessary to locate the attribute in the JSON message and place it into a variable to be used in the final submission.

The regular expression: .*\<Phone\>(.*)\</P.*

This locates the <Phone> attribute, captures the data value (.*) up to the end of the attribute \</P.*, and places it in the context variable "phone" to be used at the X step


Context Variable – createnewUser

This step takes the variables captured by the Evaluate Regular Expression – Validate URI assertions and uses them to build the final message. Each of the variables partnerBillerId, displayName, partnerUniqueId, role, firstName, lname, email and phone is used.


Apply JSON Transformation


Successful SOAP message to AliasWire

<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
   <env:Header>
     <wsse:Security env:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
         <wsse:UsernameToken wsu:Id="UsernameToken-3" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
           <wsse:Username>wsuser@customer.com</wsse:Username>
           <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">DTN8fmbjl1DD/ICKY78wvOYsYNc=</wsse:Password>
           <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">eN3hmjkJwj+BGvbU6zmpGg==</wsse:Nonce>
           <wsu:Created>2015-06-18T16:36:22.166Z</wsu:Created>
         </wsse:UsernameToken>
         <hashKey xmlns="http://www.aliaswire.com/common">hashkey</hashKey>
     </wsse:Security>
   </env:Header>
   <env:Body>
     <ns1:createUser xmlns:ns1="http://www.aliaswire.com/directbiller/cp/billeradmin">
         <user>
           <partnerBillerId>999999</partnerBillerId>
           <displayName>marijatbs123</displayName>
           <partnerUniqueId>1719dcd7ef8e26f4e053e490ae0a3bqw</partnerUniqueId>
           <role>CSR</role>
           <fname>first</fname>
           <lname>last</lname>
           <email>first.last@customer.com</email>
           <phone>8584999984</phone>
         </user>
     </ns1:createUser>
   </env:Body>
</env:Envelope>

Certificate Configuration

The Layer7 certificate needs to be imported into CA Connector Server

From the CA API Gateway Policy Manager GUI

Tasks / Manage Private Keys


Double click the certificate, view certificate, export, and save


Upload Certificate into CA Connector Server

Url: http://server:20080

Username: admin

Password: Password


Connector Express – Deploy AliasWire Connector

Start Connector Express and connect

Open Provisioning Servers in the right pane and select 10.170.110.9; you will be prompted for credentials

Username: idmadmin

Password: Password


Create AliasWire Connector from Web Services – Layer 7

Using the Web Services – Layer 7 endpoint as the project sample: open the im domain, open Endpoint Types, right click the “Web Services – Layer 7” connector and select Create project

Create New Project


Select No Source and OK


** Very Important **

Rename Web Services – Layer 7 to your new project name; in this documented sample it is AliasWireSample. This prevents overwriting the existing project.

Use Project / Save As and save with the new name (this sample was called AliasWireSample)


Classes

Remove all classes except for Endpoint and User Account

Before


After


Modify User Account class

The existing attribute list needs to be modified to just support what AliasWire is expecting

Original list


Remove all attributes by selecting Attributes and, when the list is displayed, modify it to list only the following: User Name, FirstName, LastName, User Display Name, Id, External Id, Emails, Role and Phone Number

You accomplish this by removing the values in the Maps to: column of the right pane


Modify Attribute values

First Name – change name to fname


Last Name – change to lname


User Display Name – change to displayName, set the Required checkbox


Id – Set name to partnerBillerId, Set the required, create, read and modify checkboxes, set the default value to 999999


Additionally set the Account Template Value by Rule string to %UCU01%


ExternalId – set name to partnerUniqueId, set the required, create, read and modify checkboxes, and set the min and max length to 20


Additionally set the Account Template Value by Rule string to %UCU02%


Modify the emails and Role attributes by selecting the Attributes value in the left column; select each, clear the multivalued checkbox and set the data type to string


Rename Roles to Role

Rename emails to email

Rename Phone Number to phone


Change Phone Number to Phone


Modify Account Screens

Select account screens in the list

Remove all screens except for Users, by selecting the box and –


Remove the Organization and User Information sub screens as well and produce a list that looks as follows:


Open Containers, select groups and remove the Groups container

Before


After


Save Project

Select Project / Save

Deploy Endpoint

Right click on Endpoint Types and select Create new Endpoint Type


Select OK


Success. OK


Select your new AliasWireSample in the endpoint list, and select deploy metadata


Select Yes


You have deployed your new connector


Provision Management Create Endpoint

Connect to the Provisioning Manager

Start the CA Provisioning Manager utility


User name: idmadmin

Password: Password

Creating new AliasWire Endpoint

Select Endpoints on the upper bar, in object type select the endpoint of AliasWire


Select ‘New’ to the right of AliasWire


Endpoint name: AliasWire


User name: admin

Password: 7layer

Base URL: https://server:8443/v1/caim

Notes: The user name and password are required; they are the CA API Gateway user name and password.

The Base URL can throw errors regarding the certificate, which must be exported from the CA API Gateway and imported into the CA keystore. The short name was needed rather than the FQDN of the server because the certificate that was generated and used was issued for the short name.


Exploring and correlating, and creating an account on AliasWire

Right click on AliasWire and select Explore and Correlate


Select AliasWire in the left pane (it must not be greyed out and should look like the above). For Action select ‘Explore endpoint for managed objects’ and select Start.

The result will be the following dialog


The error above is expected: it results from the AliasWire endpoint not having a search capability to locate users (at present only a createUser function is available). What we want to see is that it was able to retrieve the schema (the Operation detail count highlighted in yellow). Click OK and Done.

Now right click on AliasWire and select Content, select Accounts in the left pane and New in the Create New Content box


Create the user


You will find that:

  • Fields are required to be filled out
  • A default partnerBillerId of 999999 was placed
  • The partnerUniqueId requires exactly 20 characters
  • The email must be formatted correctly (containing an @ symbol)

or errors are returned

Select OK to create user


Test user was created

Role Definition Generator

It is necessary to run the roledefgenerator.bat utility on the endpoint to generate the OSGi (.jar) bundle for import into the IdM management console, so that the connector can be used from the IdM application server (Web UI).

Locate the completed connector in Connector Express

These steps need to occur after the connector has been deployed so verify that the connector exists and what its name is in Connector Express.


Run the Role Definition utility from the command line from the provisioning/connector server


The password is: Password

The result should be a .jar file with the connector name that can be used for import.


Notes: We encountered several issues with modification of the OOB Web Services – CA API GATEWAY connector that was used as the base project for our new connector. The key part was that we removed many of the classes and later realized that they were mapped to other areas within Connector Express, which resulted in errors when using roledefgenerator.bat. We had success by modifying the connector as little as possible, essentially just the account class and the user screens.

Import of the AliasWire .jar into the IdM Application server

On the IdM application server you need to place the .jar bundle generated by roledefgenerator in the deployment directory of the application server.


Use the management console to deploy the connector

http://ssopoc11.customer.com:88/iam/immange


User: idmadmin

Password: Password

Import the connector

Select Environment \ CustomerEnvironmentPOC \ Roles and Task Settings \ Import

Select the new connector check box and finish


When the import is completed, restart the application server

Your new endpoint is deployed and usable in both the IdM Web UI and the Windows PM GUI tool.

Congratulations!
