
Certification of CA Identity Manager Groups with CA Governance Minder

18 Oct

CA Governance Minder and Identity Minder integration supports certification of provisioning roles of Identity Minder.  This article will provide a method of using CA Governance Minder’s Pentaho Data Integration (PDI) utility to import CA Identity Minder groups for certification in CA Governance Minder.

Conversion Process:

On IdM import, users and provisioning roles are returned from IdM to GM

The PDI utility is executed post import and accomplishes the following:

  • Removes the user to provisioning role relationship by deleting all provisioning roles in the GM universe.
  • Connects to the IdM LDAP user store, retrieves IdM groups and creates the IdM groups as roles in the GM universe.
  • Assigns the GM users to the groups based upon a custom multi-valued LDAP user attribute that exists on each user that represents the membership of user to group.
  • After the above is finished, accomplishes the same on the GM model universe.

Pentaho Script

The PDI job attached to this article demonstrates the use of Pentaho to integrate CA GM and IdM, using the following Pentaho techniques:

  • Uses GM PDI processes to access GM resources.
  • Uses PDI LDAP processes to retrieve IdM users and groups from the user store
  • Performs transformations and validations on the IdM information retrieved, including parsing of LDAP DNs, data validation, filtering, and merging.
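As an added illustration (not the page's Pentaho script, which is only linked below), the following Python sketch performs the transformation the PDI job does after the IdM import: every IdM group becomes a GM role, and each user's multi-valued membership attribute is parsed, normalised and matched to those groups. The attribute name memberOfGroup, the sample entries and the DN values are constructed for the example; the real attribute name is site-specific.

```python
import re

# Constructed sample of what the PDI LDAP step returns from the IdM user store.
SAMPLE_GROUPS = [
    {"dn": "cn=Finance Approvers,ou=Groups,dc=example,dc=com", "cn": "Finance Approvers"},
    {"dn": "cn=HR Admins,ou=Groups,dc=example,dc=com", "cn": "HR Admins"},
]
# Each user carries a hypothetical multi-valued attribute "memberOfGroup" holding group DNs.
SAMPLE_USERS = [
    {"dn": "uid=alice,ou=People,dc=example,dc=com", "uid": "alice",
     "memberOfGroup": ["cn=Finance Approvers,ou=Groups,dc=example,dc=com",
                       "cn=HR Admins,ou=Groups,dc=example,dc=com"]},
    {"dn": "uid=bob,ou=People,dc=example,dc=com", "uid": "bob",
     "memberOfGroup": ["CN=finance approvers,OU=Groups,DC=example,DC=com"]},  # case differs
    {"dn": "uid=carol,ou=People,dc=example,dc=com", "uid": "carol",
     "memberOfGroup": ["cn=Stale Group,ou=Groups,dc=example,dc=com"]},       # group no longer exists
    {"dn": "uid=dave,ou=People,dc=example,dc=com", "uid": "dave", "memberOfGroup": []},
]


def parse_dn(dn):
    """Split a DN into (attr, value) pairs: lower-case the attribute names and
    unescape '\\,' inside values. Commas preceded by a backslash are not separators."""
    parts = []
    for rdn in re.split(r'(?<!\\),', dn):
        attr, _, value = rdn.partition('=')
        parts.append((attr.strip().lower(), value.strip().replace('\\,', ',')))
    return parts


def normalize_dn(dn):
    """Canonical comparison form: lower-cased attributes and values, no stray spaces,
    so 'CN=Foo,OU=Groups' and 'cn=foo, ou=groups' refer to the same entry."""
    return ','.join(f"{attr}={value.lower()}" for attr, value in parse_dn(dn))


def build_roles(groups, users):
    """Return ({role_name: sorted uids}, [(uid, dangling_group_dn), ...]).

    One role per IdM group (the PDI job has already deleted the old provisioning
    roles from the universe). A membership value that points at no known group is
    reported rather than silently turned into a role."""
    group_by_dn = {normalize_dn(g["dn"]): g["cn"] for g in groups}
    roles = {cn: set() for cn in group_by_dn.values()}
    dangling = []
    for user in users:
        for member_dn in user.get("memberOfGroup", []):
            cn = group_by_dn.get(normalize_dn(member_dn))
            if cn is None:
                dangling.append((user["uid"], member_dn))
                continue
            roles[cn].add(user["uid"])
    return {cn: sorted(members) for cn, members in roles.items()}, dangling


if __name__ == "__main__":
    role_map, problems = build_roles(SAMPLE_GROUPS, SAMPLE_USERS)
    for role, members in role_map.items():
        print(f"{role}: {', '.join(members) or '(no members)'}")
    for uid, dn in problems:
        print(f"skipped {uid}: no group matches {dn}")
```

Dangling references (a user pointing at a group that no longer exists) are collected rather than used to create a role. That is the check worth keeping in the real job: a certification campaign built on phantom roles is harder to clean up than one that flags the stale data up front.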

The following link contains the Pentaho script that accomplishes the above tasks:

http://www.mediafire.com/file/2e4iuu9ug1bieay/Scrub.zip

CA Governance Minder 12.6.3 on Linux/WebSphere/Oracle

16 Sep

Supported OS

Red Hat Enterprise Linux version 5.x, 6.x; architecture 64-bit

Supported Application Servers

IBM WebSphere ND (on RHEL only) ver 7.0, JDK 1.6.0 (the IBM JDK that ships with that WebSphere version)

IBM WebSphere ND (on RHEL only) ver 8.5.5, JDK 1.6.0 or 1.7.x (IBM JDK)

GM Installation

Governance Minder requires a Linux/Windows host for the J2EE container. In this environment GM will be installed on a WebSphere 8.5.5.5 Cluster. The backend database used is an Oracle 12C database server.

To begin the installation of the GM WebSphere environment you will need to install the Governance Minder binaries. The install files can be downloaded from CA at www.ca.com or copied from the development server at CMS.

Pre-Requisites

Open Ports

netstat -an | grep -E ':(1098|1099|1577|4026|4444|4445|4446|5001|8009|8080|8083|8093|8094|9092) '

If no results are returned, the ports are free. If results are found, use netstat -anp to identify the process that owns each port; traffic must be redirected off these ports prior to the GM install.
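An added Python equivalent of the port check (not from the page), useful where netstat output is awkward to script or the pre-flight is run from a configuration tool: it attempts to bind each GM port on the loopback address and reports the ones already taken. The port list is the one above; open_listener is a helper added only so the check can be exercised against a constructed listener.

```python
import socket

# The ports the GM install expects to be free (list from the page).
GM_PORTS = [1098, 1099, 1577, 4026, 4444, 4445, 4446, 5001,
            8009, 8080, 8083, 8093, 8094, 9092]


def port_in_use(port, host="127.0.0.1"):
    """True if binding host:port fails, i.e. something already owns the port.

    All GM ports are above 1024, so a bind failure here means an existing
    listener (or a socket still in a reserved state), not a permissions problem."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
        except OSError:
            return True
    return False


def busy_ports(ports=GM_PORTS):
    """Return the subset of ports that must be freed before running the installer."""
    return [p for p in ports if port_in_use(p)]


def open_listener(host="127.0.0.1"):
    """Demonstration helper: occupy an ephemeral port and return the listening socket."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    s.listen(1)
    return s


if __name__ == "__main__":
    taken = busy_ports()
    print("ports to free before install:", taken or "none")
```

A port that shows as busy here but not in netstat is usually a socket in TIME_WAIT from a recently stopped service; wait it out or restart the owning service rather than forcing the install.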

Create databases

Done. The dbutil utility can be used to create the databases prior to the install; it is not used here.

JDK deployment

Install JDK 1.6.45

mkdir /opt/CA/

chmod 775 /opt/CA/

copy jdk-6u45-linux-x64.bin to /opt/CA/

cd /opt/CA/

chmod 775 jdk-6u45-linux-x64.bin

./jdk-6u45-linux-x64.bin

rm -f jdk-6u45-linux-x64.bin

echo export JAVA_HOME=/opt/CA/jdk1.6.0_45 > /etc/profile.d/jdk.sh

vi /etc/profile.d/jdk.sh

Add the following:

export PATH=$JAVA_HOME/bin:$PATH

Save and exit

Start a new shell and verify that your JAVA_HOME variable is set and your PATH is mapped to the JDK

java -version will return

Java(TM) SE Runtime Environment (build 1.6.0_45-b06)

Java HotSpot(TM) 64-Bit Server VM (build 20.45-b01, mixed mode)

Configure JAVA alternatives

This is to be used if there are multiple JDK’s on the system

/usr/sbin/alternatives --install /usr/bin/java java /usr/java/jdk1.6.0_45/bin/java 1500

/usr/sbin/alternatives --config java

Output:

[root@e48v111v bin]# /usr/sbin/alternatives --config java

You may see the following if there are 2 programs which provide 'java'.

Selection   Command

-----------------------------------------------

*+ 1           /usr/lib/jvm/jre-1.6.0-openjdk.x86_64/bin/java

   2           /usr/java/jdk1.6.0_45/bin/java

Enter to keep the current selection[+], or type selection number: 2

Select the new JDK (2) that was deployed

Verify JAVA version:

java -version

Should return java version 1.6.45 or above

Packages

The following packages must be installed

glibc-2.12-1.25.el6.i686.rpm

libX11-1.3-2.el6.i686.rpm

libxcb-1.5-1.el6.i686.rpm

libXtst-1.0.99.2-3.el6.i686.rpm

libXau-1.0.5-1.el6.i686.rpm

libXi-1.3-3.el6.i686.rpm

libXext-1.1-3.el6.i686.rpm

nss-softokn-freebl-3.12.9-3.el6.i686.rpm

dos2unix-3.1-37.el6.x86_64.rpm

Issue the following to install the required packages

yum install glibc-2.12-1.25.el6.i686 libX11-1.3-2.el6.i686 libxcb-1.5-1.el6.i686 libXtst-1.0.99.2-3.el6.i686 libXau-1.0.5-1.el6.i686 libXi-1.3-3.el6.i686 libXext-1.1-3.el6.i686 nss-softokn-freebl-3.12.9-3.el6.i686 dos2unix-3.1-37.el6.x86_64

Improve performance

The following replaces the /dev/random device node with one pointing at the non-blocking urandom device (character device major 1, minor 9), so reads no longer block waiting for entropy:

rm /dev/random && mknod -m 644 /dev/random c 1 9

Output:

rm: remove character special file `/dev/random'? yes

Linux Environment Requirements

The install must be run as root

ulimit unlimited

umask 0022

Installation Instructions

mkdir /opt/CA/GM

chmod 775 /opt/CA/GM

cd /opt/CA/GM

The following files must be deployed in the /opt/CA/GM location

-rwxrwxr-x 1 root root   9944944 Aug 31 16:53 GEN06113240E.zip

-rwxrwxr-x 1 root root   22365919 Aug 31 16:53 GEN06113635E.zip

-rwxrwxr-x 1 root root   6508285 Aug 31 16:53 GEN06113840E.zip

-rwxrwxr-x 1 root root   7685405 Aug 31 16:53 GEN06114031E.zip

-rwxrwxr-x 1 root root 144821579 Aug 31 16:53 GEN06114144E.zip

-rwxrwxr-x 1 root root   21467559 Aug 31 16:53 GEN06114251E.zip

-rwxrwxr-x 1 root root   98058816 Aug 31 16:53 GEN06114404E.zip

-rwxrwxr-x 1 root root 128941761 Aug 31 16:53 GEN06114535E.zip

-rwxrwxr-x 1 root root 297298511 Aug 31 16:53 GEN06115951E.zip

-rwxrwxr-x 1 root root 293004965 Aug 31 16:53 GEN06120054E.zip

-rwxrwxr-x 1 root root   60494416 Aug 31 16:53 GEN06120210E.zip

-rwxrwxr-x 1 root root   2494281 Aug 31 16:53 GEN06120406E.zip

-rwxrwxr-x 1 root root   77711630 Aug 31 16:53 GEN06120508E.zip

-rwxrwxr-x 1 root root 246255121 Aug 31 16:53 GEN06120611E.zip

-rwxrwxr-x 1 root root     502996 Aug 31 16:53 GEN06121000E.zip

-rwxrwxr-x 1 root root     263826 Aug 31 16:53 GEN06120813E.zip

-rwxrwxr-x 1 root root 1020551602 Aug 31 16:53 GEN06120717E.zip

unzip '*.zip'

chmod 775 *

unzip CA-IdentityGovernance-12.6.03-Installer.zip

chmod 777 InstCAIdentityGovernance.bin

Run installer

./InstCAIdentityGovernance.bin

(Installer screenshots GM01 through GM14 not reproduced.)

Deploying Governance Minder on WebSphere

Oracle changes for JMS

This procedure describes how to create the database users that synchronize Java Messaging Service (JMS) topics. Have the Oracle DBAs issue the following as the system user; see the notes below for the complete set of privileges:

create user gvmBus identified by PASSWORD;

create user wpBus identified by PASSWORD;

grant select on pending_trans$ to gvmBus;

grant select on dba_2pc_pending to gvmBus;

grant select on dba_pending_transactions to gvmBus;

grant execute on dbms_xa to gvmBus;

grant select on pending_trans$ to wpBus;

grant select on dba_2pc_pending to wpBus;

grant select on dba_pending_transactions to wpBus;

grant execute on dbms_xa to wpBus;

commit;

Note: The following specific privileges were used

GRANT CMS_CONNECT TO GVMBUS;

GRANT CMS_RESOURCE TO GVMBUS;

GRANT CONNECT TO GVMBUS;

GRANT GVMBUS_XA_ROLE TO GVMBUS;

GRANT RESOURCE TO GVMBUS;

ALTER USER GVMBUS DEFAULT ROLE ALL;

GRANT UNLIMITED TABLESPACE TO GVMBUS;

GRANT CMS_CONNECT TO WPBUS;

GRANT CMS_RESOURCE TO WPBUS;

GRANT CONNECT TO WPBUS;

GRANT RESOURCE TO WPBUS;

ALTER USER WPBUS DEFAULT ROLE ALL;

GRANT UNLIMITED TABLESPACE TO WPBUS;

Note: The passwords for these users are the ones used in dataSources.py

Note: The following privileges work to provide sufficient access

grant all privileges to gvmBus;

grant all privileges to wpBus;

Note: The following privileges were not sufficient to start the GM server

GRANT CREATE SESSION TO gvmBus WITH ADMIN OPTION;

GRANT CREATE SESSION TO wpBus WITH ADMIN OPTION;

Note: The GVM_WorkPoint used in the commands below is based upon the WorkPoint schema name used in the GM GUI install steps previously

Hazelcast

This procedure describes how to configure Hazelcast, the open source clustering and data distribution library that CA GovernanceMinder uses.

For the CA GovernanceMinder cluster integration, edit hazelcast.xml to adjust the Hazelcast lock mechanism. The file lives inside eurekify.war, which is itself packaged inside eurekify.ear. Follow these steps to modify it.

mkdir /tmp/hazelcast

chmod 777 /tmp/hazelcast

cd /tmp/hazelcast

cp /opt/CA/GovernanceMinder/Server/rcm-websphere/eurekify.ear .

mv /opt/CA/GovernanceMinder/Server/rcm-websphere/eurekify.ear /opt/CA/GovernanceMinder/Server/rcm-websphere/eurekify.ear.orig

jar xvf eurekify.ear eurekify.war

jar xvf eurekify.war WEB-INF/classes/hazelcast.xml

Note: If this is a multi-server, clustered or federated configuration and only one of the servers is available at install time, do not list both servers in hazelcast.xml; that is unsupported.

vi /tmp/hazelcast/WEB-INF/classes/hazelcast.xml

Change the password in the group stanza to the WebSphere password; it needs to match the WAS security you have set up. If no security is set up, use the default values.

<group>

<name>GM_WAS</name>

<password>PASSWORD</password>

</group>

Change the interfaces to include all servers in your WebSphere cluster

<tcp-ip enabled="true">

<interface>SHORTNAMEOFSERVER</interface>

</tcp-ip>

Recreate and place the modified .ear back in place

cd /tmp/hazelcast

jar uvf eurekify.war WEB-INF/classes/hazelcast.xml

jar uvf eurekify.ear eurekify.war

mv eurekify.ear /opt/CA/GovernanceMinder/Server/rcm-websphere

Review Python file parameters

vi /opt/CA/GovernanceMinder/Server/rcm-websphere/WAS-Scripts/dataSources.py

The password used was PASSWORD, so the four "db_pw" variables should hold the install password.

Modify the gvmBus and wpBus user names and passwords to match those sent to the Oracle DBAs in the previous steps.

Set up the CA GovernanceMinder and Workpoint clusters.

Update the cluster name and server names in gvmDefaults.py; the top five lines and the bottom two lines are where modifications need to be made.

vi /opt/CA/GovernanceMinder/Server/rcm-websphere/WAS-Scripts/gvmDefaults.py

Top five Lines

Workpoint_Cluster_Name = "EUA-WP"

Workpoint_Server_Name_Format = "EUA-WP-S%d"

Workpoint_BusName = "wpBus"

Gvm_Cluster_Name = "EUA-GM"

Gvm_Server_Name_Format = "EUA-GM-S%d"

Bottom two lines; comment out the two similar existing lines by prefixing them with #

msJTDSdriverFullPath = "${WAS_INSTALL_ROOT}"+os.sep+essentialsDirName+os.sep+"JDBC"+os.sep+"jtds-1.2.jar"

ORACLEdriverFullPath = "${WAS_INSTALL_ROOT}"+os.sep+essentialsDirName+os.sep+"JDBC"+os.sep+"ojdbc6.jar"

Set up CA GovernanceMinder and the Workpoint clusters

cd /opt/CA/GovernanceMinder/Server/rcm-websphere/WAS-Scripts

umask 0022

./DeployGVM.sh /opt/IBM/WebSphere/AppServer/bin/ >> deploy.log &

Note: The WebSphere directory to pass is the bin directory under the application server root, not the node or cluster profile locations of wsadmin.sh

Note: use tail -f deploy.log to follow the log; the last two commands logged should be copy statements

Configure the CA GovernanceMinder folder

cd /opt/CA/GovernanceMinder/Server/rcm-websphere/WAS-Scripts

/opt/IBM/WebSphere/AppServer/bin/wsadmin.sh -lang jython -f setupEssentials.py >> setup.log &

This needs to be accomplished on each cluster server in a federated/cluster configuration. On each of the servers, repeat the following

cd /opt/CA

tar zcvf GMCluster.tar.gz GovernanceMinder/

Copy GMCluster.tar.gz to the other cluster members.

On the other cluster members as root

ulimit unlimited

umask 0022

mkdir /opt/CA

chmod 775 /opt/CA

cd /opt/CA

Copy GMCluster.tar.gz into /opt/CA on this member

tar zxvf GMCluster.tar.gz

cd /opt/CA/GovernanceMinder/Server/rcm-websphere/WAS-Scripts

/opt/IBM/WebSphere/EntAppServer85-64/appServerbin/wsadmin.sh -lang jython -f setupEssentials.py

WebSphere Changes

Add JDBC provider

cp /oracle/product/12.1.0/db1/jdbc/lib/ojdbc6.jar /opt/IBM/WebSphere/AppServer/essentials/JDBC

Note:  The above assumes Oracle was installed on this machine and the database used was db1

Core Groups

Servers / Core groups / Core group bridge settings / Access point groups / DefaultAccessPointGroup / Core group access points


Select the core group and Show Detail, Select Bridge Interfaces, New

Select each of the Bridge interfaces (do this 4 times) listed in drop down and apply


Review changes and sync, the final list should look like this


Configure JDBC drivers and data sources on the WorkPoint cluster

This procedure describes how you install Oracle JDBC drivers and data sources on the WorkPoint cluster. Follow these steps for each of the JDBC providers, there will be six.

Resources / JDBC / JDBC Providers. The list should look like this:


Select each of the Oracle providers above


Select the Oracle11g Data provider for each


Review and synchronize changes for this provider, these steps should be done seven times total.

WebSphere Virtual Host Configuration

In Servers \ WebSphere Application Servers \ Application servers > EUA-GM-S1 > Ports

WC_defaulthost is mapped to a port; locate this value, and the same port needs to be listed in Environment \ Virtual Hosts \ Default_host \ Host Alias


Restart Environment

/opt/IBM/WebSphere/AppServer/bin/stopManager.sh

/opt/IBM/WebSphere/AppServer/profiles/AppSrv01/bin/stopNode.sh

/opt/IBM/WebSphere/AppServer/bin/startManager.sh

/opt/IBM/WebSphere/AppServer/profiles/AppSrv01/bin/startNode.sh

JDBC Connection Verification

Verify the ojdbc6.jar is located in the WAS_install_root/essentials/JDBC/

Verify each of the JDBC resources by testing the connection in Resources \ JDBC \ DataSources

Select the following 6 and test connection


You need to receive a successful connection test for all 6

Start GM and WP applications

Servers / All Servers


Portal Verification

Verify each of the JDBC resources by testing the connection (has to wait until node is started)

This procedure describes how you verify a successful installation after you complete installing the product. When the CA GovernanceMinder installation is successful, you can access the CA GovernanceMinder Portal.

Follow these steps:

Select and start one server from the CA GovernanceMinder cluster, CA GovernanceMinder, and installed applications, including reports.

Review the started server logs and verify that no log errors exist.

Start all other servers in the CA GovernanceMinder cluster.

Review all the product cluster logs and verify that no errors exist in the logs.

You can access the Portal after a successful installation.

Open a browser and enter the following URL:

http://GM_Server_Name:9081/eurekify/portal/login

Log in using the following default administration credentials:

Username: AD1\EAdmin

Password: eurekify

Creating a Web Services Connector for CA IdM using the CA API Gateway

23 Jun

Layer 7 Policy Manager

User:     admin

Password: 7layer

Gateway: server.customer.com


Project – Alias Wire Create User

Project view of Alias Wire Create User with list of assertions


SOAPUi request that AliasWire is expecting

This is what the AliasWire Web Service is expecting as a request to create the user

<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
   <env:Header>
     <wsse:Security env:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
         <wsse:UsernameToken wsu:Id="UsernameToken-3" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
           <wsse:Username>wsuser@customer.com</wsse:Username>
           <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">DTN8fmbjl1DD/ICKY78wvOYsYNc=</wsse:Password>
           <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">eN3hmjkJwj+BGvbU6zmpGg==</wsse:Nonce>
           <wsu:Created>2015-06-18T16:36:22.166Z</wsu:Created>
         </wsse:UsernameToken>
         <hashKey xmlns="http://www.aliaswire.com/common">hashkey</hashKey>
     </wsse:Security>
   </env:Header>
   <env:Body>
     <ns1:createUser xmlns:ns1="http://www.aliaswire.com/directbiller/cp/billeradmin">
         <user>
           <partnerBillerId>999999</partnerBillerId>
           <displayName>user123</displayName>
           <partnerUniqueId>1719dcd7ef8e26f4e053e490ae0a3bqw</partnerUniqueId>
           <role>CSR</role>
           <fname>firstname</fname>
           <lname>lastname</lname>
           <email>first.last@customer.com</email>
           <phone>8599998584</phone>
         </user>
     </ns1:createUser>
   </env:Body>
</env:Envelope>

Project Logic and flow using assertions


#9 - All assertions must evaluate to true - Captures details of the request and response for auditing purposes

#25 - At least one assertion must evaluate to true - Determines the incoming request type

#26 - All assertions must evaluate to true - Returns a hard-coded list of SCIM functions

(This is an XML list of SCIM functions)

#34 - All assertions must evaluate to true - Provides the schema

(This is an XML list of SCIM attribute/group attribute definitions)

#34 - All assertions must evaluate to true - If the request is a POST of the user information from IdM, locate the attribute values and submit them to AliasWire

#55 - All assertions must evaluate to true - If the IdM request is a GET with user information, return the same information back to IdM, to resolve the errors returned from the PM tool when it searches for the user after creation. Note: At this time this is a workaround, as there is no search function available at AliasWire.

Auditing

The following statements capture and send information to the CA API Gateway audit logs, which can be viewed with the View / Gateway Audit Events action in the CA API Gateway - Policy Manager


Add Security Token Assertion


The username and password were taken from SOAPUi: Project, Project View, WS Security Configurations

User: wsuser@customer.com

Password: xxR7fUd3W6664Y6TVMxO9w==


Configure WS-Security Decoration assertion


Apply WS-Security Assertion
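The Security Token and WS-Security Decoration assertions above produce the UsernameToken visible in the SOAP request earlier (Username, Nonce, Created and a PasswordDigest). The Python below is an added example, not gateway code: it computes the digest as the WSS UsernameToken Profile 1.0 defines it, Base64(SHA-1(nonce bytes + Created + password)), and shows the receiver-side checks (Created skew window, nonce replay cache, constant-time comparison) that make the digest worth more than a cleartext password. The username, password and timestamp values are constructed for the example.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

WSU_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"      # wsu:Created layout as in the SOAP sample
SAMPLE_TIME = datetime(2015, 6, 18, 16, 36, 22, 166000, tzinfo=timezone.utc)  # constructed
ONE_HOUR = timedelta(hours=1)


def password_digest(nonce_b64, created, password):
    """WSS UsernameToken Profile 1.0: Base64(SHA-1(nonce + created + password)),
    where nonce is the decoded binary nonce, not its Base64 text."""
    material = base64.b64decode(nonce_b64) + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(material).digest()).decode("ascii")


def make_token(username, password, now=None):
    """Sender side (what the decoration assertion produces): a fresh random nonce,
    a UTC timestamp with millisecond precision, and the digest over both."""
    now = now or datetime.now(timezone.utc)
    created = now.strftime("%Y-%m-%dT%H:%M:%S.") + f"{now.microsecond // 1000:03d}Z"
    nonce_b64 = base64.b64encode(os.urandom(16)).decode("ascii")
    return {"Username": username, "Nonce": nonce_b64, "Created": created,
            "Password": password_digest(nonce_b64, created, password)}


class TokenVerifier:
    """Receiver side: recompute the digest from the stored password, bound the
    Created skew, and refuse a nonce that has already been accepted."""

    def __init__(self, passwords, max_skew=timedelta(minutes=5)):
        self.passwords = passwords        # username -> password (constructed store)
        self.max_skew = max_skew
        self.seen_nonces = set()          # replay cache; expire entries older than max_skew in production

    def verify(self, token, now=None):
        now = now or datetime.now(timezone.utc)
        password = self.passwords.get(token.get("Username"))
        if password is None:
            return False
        try:
            created = datetime.strptime(token["Created"], WSU_FORMAT).replace(tzinfo=timezone.utc)
        except (KeyError, ValueError):
            return False
        if abs(now - created) > self.max_skew:
            return False                  # stale token or clock skew beyond the window
        if token["Nonce"] in self.seen_nonces:
            return False                  # replay of an already accepted token
        expected = password_digest(token["Nonce"], token["Created"], password)
        if not hmac.compare_digest(expected, token["Password"]):
            return False
        self.seen_nonces.add(token["Nonce"])
        return True


if __name__ == "__main__":
    tok = make_token("wsuser@customer.com", "s3cret")
    print(tok)
    print("accepted:", TokenVerifier({"wsuser@customer.com": "s3cret"}).verify(tok))
```

The digest hides the password in transit but proves nothing about the request body, and within the skew window a captured token is only stopped by the nonce cache; that is why the cache and an https Base URL (as used later when the endpoint is defined) both matter.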


Evaluate Regular expression - Insert hash key before end of wsse:Security

The following regular expression is used to insert the constant hash key, which must be part of the security header of every request to AliasWire. The hash key element is <hashKey xmlns="http://www.aliaswire.com/common">hashkey</hashKey>; it is constant and required with every message.


Evaluate Regular expression – Validate URI

For each of the attributes received, it is necessary to locate the attribute in the JSON message and place it in a variable to be used in the final submission

The regular expression: .*\<Phone\>(.*)\</P.*

Locates the <Phone> attribute, captures the data value (.*) up to the end of the attribute \</P.*, and places it in the context variable "phone" to be used at the X step


Context Variable - createnewUser

This uses the variables captured in the Evaluate Regular expression - Validate URI expressions to create the final message. Each of the variables partnerBillerId, displayName, partnerUniqueId, role, firstName, lname, email and phone is used
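An added Python illustration (not the gateway policy) of the regular-expression capture and the context-variable step described above: each attribute is pulled from the incoming message with a capture like the one shown, then the createUser body is assembled. Two details deliberately differ from the page's regex: the capture is non-greedy so a repeated tag cannot swallow the rest of the message, and the body is built with ElementTree rather than string concatenation, so a captured value containing markup is escaped instead of becoming part of the SOAP body. The inbound tag names, the field mapping and the sample message are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

ALIASWIRE_NS = "http://www.aliaswire.com/directbiller/cp/billeradmin"

# Inbound element name -> outbound field, following the attribute renames described on the page.
FIELD_MAP = {
    "DisplayName": "displayName",
    "ExternalId": "partnerUniqueId",
    "Role": "role",
    "FirstName": "fname",
    "LastName": "lname",
    "Email": "email",
    "Phone": "phone",
}
DEFAULTS = {"partnerBillerId": "999999"}    # the default the connector sets for Id
FIELD_ORDER = ["partnerBillerId", "displayName", "partnerUniqueId", "role",
               "fname", "lname", "email", "phone"]

# Constructed inbound message in the tag style the page's regex targets.
SAMPLE_INBOUND = ("<User><DisplayName>user123</DisplayName><ExternalId>1719dcd7ef8e26f4e053</ExternalId>"
                  "<Role>CSR</Role><FirstName>firstname</FirstName><LastName>lastname</LastName>"
                  "<Email>first.last@customer.com</Email><Phone>8599998584</Phone></User>")


def extract(message, tag):
    """Page-style capture <tag>(...)</tag>, made non-greedy; None when the tag is absent."""
    pattern = rf"<{re.escape(tag)}>(.*?)</{re.escape(tag)}>"
    m = re.search(pattern, message, re.DOTALL)
    return m.group(1) if m else None


def build_create_user(values):
    """Assemble <ns1:createUser><user>...</user></ns1:createUser>; ElementTree escapes text."""
    root = ET.Element(f"{{{ALIASWIRE_NS}}}createUser")
    user = ET.SubElement(root, "user")
    for field in FIELD_ORDER:
        ET.SubElement(user, field).text = values.get(field, "")
    return ET.tostring(root, encoding="unicode")


def transform(inbound):
    """Context-variable step: capture every mapped attribute, apply defaults, build the body.
    Missing attributes are an error here, matching the 'fields are required' behaviour."""
    values = dict(DEFAULTS)
    missing = []
    for tag, field in FIELD_MAP.items():
        captured = extract(inbound, tag)
        if captured is None:
            missing.append(tag)
        else:
            values[field] = captured
    if missing:
        raise ValueError(f"required attributes absent: {missing}")
    return build_create_user(values)


def field_value(body, field):
    """Parse a built body back and return the text of user/<field> (used for checks)."""
    return ET.fromstring(body).find(f"user/{field}").text


if __name__ == "__main__":
    print(transform(SAMPLE_INBOUND))
```

If the real policy keeps the regex approach, anchoring each capture to the specific closing tag and keeping it non-greedy is the cheap fix; escaping on the way into the SOAP body is the one that protects the downstream service.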


Apply JSON Transformation


Successful SOAP message to AliasWire

<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
  <env:Header>
    <wsse:Security env:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <wsse:UsernameToken wsu:Id="UsernameToken-3" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        <wsse:Username>wsuser@customer.com</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">DTN8fmbjl1DD/ICKY78wvOYsYNc=</wsse:Password>
        <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">eN3hmjkJwj+BGvbU6zmpGg==</wsse:Nonce>
        <wsu:Created>2015-06-18T16:36:22.166Z</wsu:Created>
      </wsse:UsernameToken>
      <hashKey xmlns="http://www.aliaswire.com/common">hashkey</hashKey>
    </wsse:Security>
  </env:Header>
  <env:Body>
    <ns1:createUser xmlns:ns1="http://www.aliaswire.com/directbiller/cp/billeradmin">
      <user>
        <partnerBillerId>999999</partnerBillerId>
        <displayName>marijatbs123</displayName>
        <partnerUniqueId>1719dcd7ef8e26f4e053e490ae0a3bqw</partnerUniqueId>
        <role>CSR</role>
        <fname>first</fname>
        <lname>last</lname>
        <email>first.last@customer.com</email>
        <phone>8584999984</phone>
      </user>
    </ns1:createUser>
  </env:Body>
</env:Envelope>

Certificate Configuration

The Layer7 certificate needs to be imported into CA Connector Server

From the CA API Gateway Policy Manager GUI

Tasks / Manage Private Keys


Double click the certificate, view certificate, export, and save


Upload Certificate into CA Connector Server

Url: http://server:20080

Username: admin

Password: Password


Connector Express – Deploy AliasWire Connector

Start Connector Express and connect

Open Provisioning Servers in the right pane and select 10.170.110.9; you will be prompted for credentials

Username: idmadmin

Password: Password


Create AliasWire Connector from Web Services – Layer 7

Using the Web Services - Layer 7 endpoint as a project sample, open the im domain, open Endpoint Types, right-click the "Web Services - Layer 7" connector and select Create project

Create New Project


Select No Source and OK


** Very Important **

Rename Web Services - Layer 7 to your new project name; in this documented sample it is AliasWireSample. This prevents overwriting the existing project

Use Project / Save As and save with the new name (this sample was called AliasWireSample)


Classes

Remove all classes except for Endpoint and User Account

(Before and after screenshots not reproduced.)

Modify User Account class

The existing attribute list needs to be modified to just support what AliasWire is expecting

Original list


Remove all attributes by selecting Attributes and, when the list is displayed, modify it to list only the following: User Name, FirstName, LastName, User Display Name, Id, External Id, Emails, Role and Phone Number

You accomplish this by removing the values in the right pane in the Maps to: column


Modify Attribute values

First Name – change name to fname


Last Name – change to lname


User Display Name – change to displayName, set the Required checkbox


Id – Set name to partnerBillerId, Set the required, create, read and modify checkboxes, set the default value to 999999


Additionally set the Account Template Value by Rule string to %UCU01%


ExternalId - set name to partnerUniqueId, set the required, create, read and modify checkboxes, set the min and max length to 20


Additionally set the Account Template Value by Rule string to %UCU02%


Modify the emails and Role attributes by selecting the Attributes value in the left column; select each, clear the multivalued checkbox and set the data type to string


Rename Roles to Role

Rename emails to email

Rename Phone Number to phone


Change Phone Number to Phone


Modify Account Screens

Select account screens in the list

Remove all screens except for Users, by selecting the box and –


Remove the Organization and User Information sub screens as well and produce a list that looks as follows:


Open Containers, select groups and remove the Groups container

(Before and after screenshots not reproduced.)

Save Project

Select Project / Save

Deploy Endpoint

Right-click on Endpoint types and select Create new Endpoint Type


Select OK


Success. OK


Select your new AliasWireSample in the endpoint list, and select deploy metadata


Select Yes


You have deployed your new connector


Provision Management Create Endpoint

Connect to the Provisioning Manager

Start the CA Provisioning Manager utility


User name: idmadmin

Password: Password

Creating new AliasWire Endpoint

Select Endpoints on the upper bar, in object type select the endpoint of AliasWire


Select 'New' to the right of AliasWire


Endpoint name:  AliasWire

User name:      admin

Password:       7layer

Base URL:       https://server:8443/v1/caim

Notes: The user name and password are required and are the CA API Gateway user name and password

The Base URL can throw errors regarding the certificate, which must be exported from the CA API Gateway and imported into the CA keystore. The short name was needed rather than the FQDN of the server because the certificate generated and used carried the short name


Explore and Correlate, and creating an account on AliasWire

Right-click on AliasWire and select Explore and Correlate


Select AliasWire in the left pane (it must not be greyed out and should look like the above); for Action select 'Explore endpoint for managed objects' and select Start

The result will be the following dialog


The error above is expected and results from the AliasWire endpoint having no search ability (at present only a createUser function is available) to locate users. What we want is that it was able to retrieve the schema (Operation detail count in yellow); click OK and Done.

Now right-click on AliasWire and select Content, select Accounts in the left pane and New in the Create new content box


Create the user


You will find that:

  • Fields are required to be filled out
  • A default partnerBillerId of 999999 was placed
  • The partnerUniqueId requires exactly 20 characters
  • The email must be formatted correctly (containing an @ symbol)

Or errors are returned

Select OK to create user


Test user was created

Role Definition Generator

It is necessary to run the roledefgenerator.bat utility on the endpoint to generate the OSGi (.jar) bundle for import into the IdM management console, so that the connector works from the IdM application server (Web UI).

Locate the completed connector in Connector Express

These steps need to occur after the connector has been deployed so verify that the connector exists and what its name is in Connector Express.


Run the Role Definition utility from the command line from the provisioning/connector server


The password is: Password

The result should be a .jar file with the connector name that can be used for import.


Notes: We encountered several issues with modification of the OOB Web Services - CA API Gateway connector that was used as the base project for our new connector. The key part was that we removed many of the classes and later realized that they were mapped to other areas within Connector Express, which resulted in errors when using roledefgenerator.bat. We had success by modifying the connector as little as possible, essentially just the account class and the user screens.

Import of the AliasWire .jar into the IdM Application server

On the IdM application server you need to place the .jar bundle generated by roledefgenerator in the deployment directory of the application server.


Use the management console to deploy the connector

http://ssopoc11.customer.com:88/iam/immange


User: idmadmin

Password: Password

Import the connector

Select Environment \ CustomerEnvironmentPOC \ Roles and Task Settings \ Import

Select the new connector check box and finish


When the import is completed, restart the application server

Your new endpoint is deployed and usable in both the IdM Web UI and the Windows PM GUI tool

Congratulations!

CENTOS 6 and AMD A10-6800K Build – Graphics, Overclock and Monitoring

14 Jul

Purpose: As a builder I wanted to create a CentOS 6 server using an AMD A10-6800K processor, and set up KVM virtualization to host several virtualized OSs for several purposes.

Build: Silverstone TJ08B-E, AMD A10-6800K, ASRock FM2A75 PRO4-M, Corsair 32Gb 1600 CMZ32GX3M4X1600C10, Cooler Master Hyper 212 EVO, Corsair 430W CX430, 2x Seagate Barracuda ST2000DM001, LiteON IHAS124-04 CD/DVD

# Base CentOS install, patching after installing CentOS from the Live CD
yum update
reboot

# ELRepo repository for additional packages
rpm -Uvh http://elrepo.org/elrepo-release-6-5.el6.elrepo.noarch.rpm
wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
wget http://rpms.famillecollet.com/enterprise/remi-release-6.rpm
sudo rpm -Uvh remi-release-6*.rpm epel-release-6*.rpm
vi /etc/yum.repos.d/remi.repo
#  Modify [remi] portion change enabled option to 1

# Radeon Graphics driver required libraries
yum install kernel-devel kernel-sources kernel-headers gcc gcc-c++ libgcc glibc glibc-devel glib2 glib2-devel libstdc++ libstdc++-devel

# Download and install the Radeon Driver
http://support.amd.com/us/gpudownload/linux/Pages/radeon_linux.aspx
Select install driver and automatic
You will be asked to reboot on completion, accept

#  Testing Graphic driver utilities
glxgears
fgl_glxgears

# To remove ATI graphics driver
/usr/share/ati/fglrx-uninstall.sh

# System monitor gkrellm
yum install gkrellm

# Setup of monitoring tools
yum install lm-sensors
yes "" | sensors-detect
# create a directory to build a kernel module
# download all of the files from https://github.com/groeck/nct6775 to this directory
# you may need to modify the Makefile KERNEL_BUILD parameter to point to your kernel, such as
# KERNEL_BUILD   := /usr/src/kernels/$(TARGET)
make
make install
# Test module build
modprobe nct6775
sensors
#  This should now show your CPU and FAN stats

# Create file /etc/sysconfig/modules/lm-sensors.modules permissions 755
#!/bin/sh
modprobe nct6775 >/dev/null 2>&1
exit 0

# Go into gkrellm configuration / built ins / Sensors
#  your temp, fan, and voltages can be selected based on output from sensors

#  System Stability Tester to load the OS and test stability
http://sourceforge.net/projects/systester/files/systester/1.4.0/systester-1.4.2-linux-amd64.tar.gz/download
gunzip systester-1.4.2-linux-amd64.tar.gz
tar xvf systester-1.4.2-linux-amd64.tar
cd systester-1.4.2-linux-amd64
systester

Conclusion: You can now run systester to load the CPU and monitor CPU temps with the gkrellm GUI, which shows CPU and fan temps and speeds. I have an OC'd system running at 4.6Ghz with a CPU voltage of 1.43, at-rest temp 32.5C, load temp 53C

(Screenshots 4.6_At_Rest, 4.6_At_Stress and 4.6_Stress_Complete not reproduced.)

WorkPoint Designer fails to log in (WebLogic)

2 Nov

Configuration of the WorkPoint Designer needs a few adjustments to allow it to work. Otherwise the WorkPoint Designer will start but you will see CORBA.NO_PERMISSION errors in your log.

Workflow Designer install
cp /opt/Oracle/Middleware/wlserver_10.3/server/lib/wlclient.jar /opt/CA/IdentityManager/IAM_Suite/IdentityManager/tools/Workpoint/lib
vi /opt/CA/IdentityManager/IAM_Suite/IdentityManager/tools/Workpoint/bin/init.sh
uncomment the line # EJB_CLASSPATH=../lib/wlclient.jar

vi /opt/CA/IdentityManager/IAM_Suite/IdentityManager/tools/Workpoint/conf/workpoint-client.properties
uncomment the following lines:
java.naming.factory.initial=weblogic.jndi.WLInitialContextFactory
java.naming.provider.url=t3://localhost:7001
java.naming.security.principal=workpoint
and change this line to:
java.naming.security.credentials=workpoint!

In the WebLogic console, go to
IPPS-A / Security Realms / myrealm
Select Users and Groups and create a new user:
name:  workpoint
password: workpoint!

Restart the Weblogic server
/opt/Oracle/Middleware/user_projects/domains/IPPSA/stopWebLogic.sh
/opt/Oracle/Middleware/user_projects/domains/IPPSA/startWebLogic.sh

Start the Workpoint Designer
/opt/CA/IdentityManager/IAM_Suite/IdentityManager/tools/Workpoint/bin/Designer.sh
You can use the default user without a password.

CA Identity Minder Report Server Installation

16 Oct

The report server is highly sensitive to the environment it is installed into, and the following needed to be completed prior to install.

  • Update standard packages: yum update

Your IP configuration must be fixed (static), and both your FQDN and short name must be in your
/etc/hosts file, such as:

  • 192.168.83.24   idm-report.domain.com      idm-report
  • 127.0.0.1               localhost.domain.com localhost
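An added check for the /etc/hosts requirement above (example script, not from the original post): it verifies that the FQDN and short name sit on the same line as a fixed, non-loopback IPv4 address. The hosts files it reads are constructed sample input; pass /etc/hosts as the third argument for the real check.

```shell
# Added example, not from the original post: check that an /etc/hosts file maps
# both the FQDN and the short name on the same line as the server's fixed IP,
# which is what the report server install expects. The files below are
# constructed sample input; pass /etc/hosts as the third argument instead.

# Usage: hosts_has_entry <fqdn> <shortname> <hosts-file>
# Returns 0 if a non-comment line has a non-loopback IPv4 address followed by
# both names (in either order), 1 otherwise.
hosts_has_entry() {
    awk -v fqdn="$1" -v short="$2" '
        /^[[:space:]]*#/ { next }                        # comment line
        NF < 2 { next }                                  # need IP plus a name
        $1 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { next } # IPv4 entries only
        $1 ~ /^127\./ { next }                           # loopback is not the fixed IP
        {
            f = 0; s = 0
            for (i = 2; i <= NF; i++) {
                if ($i == fqdn) f = 1
                if ($i == short) s = 1
            }
            if (f && s) { found = 1; exit }
        }
        END { exit (found ? 0 : 1) }
    ' "$3"
}

# Constructed: the layout the post recommends.
HOSTS_GOOD=$(mktemp)
cat > "$HOSTS_GOOD" <<'EOF'
192.168.83.24   idm-report.domain.com      idm-report
127.0.0.1       localhost.domain.com       localhost
EOF

# Constructed: a common mistake, FQDN only on the loopback line and no short name.
HOSTS_BAD=$(mktemp)
cat > "$HOSTS_BAD" <<'EOF'
127.0.0.1       idm-report.domain.com      localhost
EOF

hosts_has_entry idm-report.domain.com idm-report "$HOSTS_GOOD" && echo "hosts entry OK"
hosts_has_entry idm-report.domain.com idm-report "$HOSTS_BAD" || echo "fix /etc/hosts before cabinstall.sh"
```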

Ensure the 32-bit compatibility libraries are installed

  • yum install compat-libstdc++-33-3.2.3-61.i386

Create a user and group for the Report Server

  • groupadd cabi
  • useradd -g cabi -d /home/cabi -m cabi

SELinux / firewall port exceptions: 6400, 3306, 6410, 8080, 8443, 8005
As root (required), run a terminal session and set the locale:

  • export LANG=en_US.utf8
  • export LC_ALL=en_US.utf8

Run ./cabinstall.sh from the CD-ROM drive (in the terminal)

  • System or User Install:    2 – System
  • MySQL Database Info:  User Id: sa

In a new terminal window

  • su - cabi
  • /opt/CA/SharedComponents/CommonReporting3/bobje/stopservers (this will report errors)

In old terminal window (as root)

  • cd /tmp
  • grep makeccvt /var/log/audit/audit.log | audit2allow -M postgreylocal
  • semodule -i postgreylocal.pp
  • grep mozjsshell /var/log/audit/audit.log | audit2allow -M postgreylocal
  • semodule -i postgreylocal.pp

In terminal window as cabi

  • /opt/CA/SharedComponents/CommonReporting3/bobje/stopservers
  • /opt/CA/SharedComponents/CommonReporting3/bobje/startservers

Verify Install is successful

Install Service Pack 5

  • Log out of any session and log in again after the install
  • ./biekpatch

Server initialization Scripts:

  • /opt/CA/SharedComponents/CommonReporting3/bobje/init/setupinit.sh

Reboot server
In terminal window as cabi

  • /opt/CA/SharedComponents/CommonReporting3/bobje/startservers

Verify that the patch has been applied

Installation of CA Provisioning Server Fails

10 Oct

Installation of the CA Provisioning Server will fail due to SELinux, which is configured to run by default on CentOS 5.8.  SELinux is explained in this link.  To get the CA IdentityMinder Provisioning Server running, the following two actions need to occur.

Here are the steps I used:

Step #1 – Get the Provisioning Server installed

Purpose:  This prevents the Provisioning Server install from failing with a log message of: “Starting im_ps failed…” or “Connection refused”

(as root) Prior to installing CA ProvisioningServer

/usr/sbin/setenforce 0

(as root) After installation is complete

/usr/sbin/setenforce 1

Step #2 – Allow the Provisioning Server to run in SELinux

Purpose:  To allow the Provisioning Server to run without disabling SELinux completely, by isolating just the CA slapd executable in an SELinux policy modification.

In a terminal session as root

su - imps

cd /opt/CA/IdentityManager/ProvisioningServer/bin

/opt/CA/IdentityManager/ProvisioningServer/bin/imps stop im_ps

/opt/CA/IdentityManager/ProvisioningServer/bin/imps start im_ps

You will receive the message: “Starting im_ps failed…”

Keep this terminal window open and start a new terminal as root

grep slapd /var/log/audit/audit.log | audit2allow -m postgreylocal > postgreylocal.te

cat postgreylocal.te - you should see something similar to:

module postgreylocal 1.0;

require {
    type unconfined_t;
    type usr_t;
    class file execmod;
}

#============= unconfined_t ==============
allow unconfined_t usr_t:file execmod;

If it does, then execute:

grep slapd /var/log/audit/audit.log | audit2allow -M postgreylocal

semodule -i postgreylocal.pp

Your slapd process has now been granted an SELinux policy allowing it to execute

Go back to your imps user terminal session and execute

/opt/CA/IdentityManager/ProvisioningServer/bin/imps start im_ps

You will receive an “im_ps started successfully” message (woot!)
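Both this post and the Report Server post above feed audit2allow output straight into semodule -i. The added script below (example code, not from the original posts) reviews the generated .te file first: the single rule shown above is the expected allow-list, and any other allow rule audit2allow collected from audit.log is reported so it can be investigated rather than installed. The .te files it reads are constructed sample input; pass the generated postgreylocal.te for the real check.

```shell
# Added example, not from the original post: review an audit2allow .te module
# before "semodule -i" installs it. The one rule the post expects is the
# allow-list; any other allow rule audit2allow pulled from audit.log is reported
# instead of being installed unseen. The .te files here are constructed sample
# input; for the real check pass the generated postgreylocal.te instead.

# Usage: te_unexpected_rules <te-file> <expected-rule>...
# Prints each "allow ..." line not in the expected list (whitespace normalised
# before comparing); returns 1 if any such line exists, 0 otherwise.
te_unexpected_rules() {
    te=$1; shift
    unexpected=$(
        grep -E '^[[:space:]]*allow[[:space:]]' "$te" |
        sed -E 's/[[:space:]]+/ /g; s/^ //; s/ $//' |
        while IFS= read -r rule; do
            ok=0
            for want in "$@"; do
                [ "$rule" = "$want" ] && ok=1
            done
            [ "$ok" -eq 0 ] && echo "$rule"
        done
    )
    [ -z "$unexpected" ] && return 0
    printf '%s\n' "$unexpected" | sed 's/^/unexpected rule: /'
    return 1
}

# Note: even this expected rule is not slapd-specific: unconfined_t is the domain
# of every unconfined process and usr_t labels files under /usr, so the module
# grants execmod on all of them. That is the trade-off the post accepts.
EXPECTED='allow unconfined_t usr_t:file execmod;'
# Constructed: what the post shows audit2allow producing.
TE_CLEAN=$(mktemp)
cat > "$TE_CLEAN" <<'EOF'
module postgreylocal 1.0;
require { type unconfined_t; type usr_t; class file execmod; }
allow unconfined_t usr_t:file execmod;
EOF
# Constructed: audit.log also held an unrelated denial, so audit2allow emitted a
# second rule that should be investigated, not installed along with the first.
TE_EXTRA=$(mktemp)
cat > "$TE_EXTRA" <<'EOF'
module postgreylocal 1.0;
require { type unconfined_t; type usr_t; type var_log_t; class file { execmod write }; }
allow unconfined_t usr_t:file execmod;
allow   unconfined_t  var_log_t:file write;
EOF
te_unexpected_rules "$TE_CLEAN" "$EXPECTED" && echo "module matches expectation"
te_unexpected_rules "$TE_EXTRA" "$EXPECTED" || echo "review before semodule -i"
```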