Thursday, March 9, 2017

Password Encryption and Decryption in OIM

Prerequisites:

Set the environment variables below with values/paths appropriate for your environment; they are required to compile and run the utilities.
Note: These values are from my local environment and you need to change them to match yours. Configure them on a box that has OIM installed, because the utilities load the OIM libraries and the domain's JPS configuration.

  • export JAVA_HOME=/usr/local/jdk24/jdk1.6.0_24
  • export PATH=/usr/kerberos/bin:/usr/local/bin:/bin:/usr/bin:/home/pandharinath.mahalle/bin:$JAVA_HOME/bin
  • export MW_HOME=/home/oracle/Middleware
  • export WL_HOME=$MW_HOME/wlserver_10.3
  • export ORACLE_COMMON_HOME=$MW_HOME/oracle_common
  • export ORACLE_OIM_HOME=$MW_HOME/Oracle_IDM1
  • export DOMAIN_HOME=/home/oracle/Middleware/user_projects/domains/base_domain
  • export CLASSPATH=$ORACLE_OIM_HOME/server/platform/iam-platform-utils.jar:$WL_HOME/server/lib/wlfullclient.jar:$ORACLE_OIM_HOME/designconsole/ext/spring.jar:$ORACLE_OIM_HOME/designconsole/lib/oimclient.jar:$ORACLE_OIM_HOME/designconsole/ext/commons-logging.jar:$ORACLE_COMMON_HOME/modules/oracle.jrf_11.1.1/*:$ORACLE_OIM_HOME/modules/oracle.jps_11.1.1/*:$ORACLE_OIM_HOME/modules/*:$ORACLE_COMMON_HOME/modules/oracle.osdt_11.1.1/*:$ORACLE_OIM_HOME/modules/oracle.iau_11.1.1/*:$ORACLE_OIM_HOME/inventory/Scripts/ext/jlib/glassfish.jaxb_1.0.0.0_2-1-12.jar:$CLASSPATH 

 

Decryption Utility:

1. Create a DecryptPassword.java file on the Linux box that has OIM installed and the environment variables above configured.

2. Put the code below in it.

import com.thortech.xl.crypto.tcCryptoException;
import com.thortech.xl.crypto.tcCryptoUtil;

public class DecryptPassword {
    public static void main(String[] args) throws Exception {
        if (args.length >= 1) {
            DecryptPassword oDecryptPwd = new DecryptPassword();
            String param = args[0];
            System.out.println("Password after decryption:" + oDecryptPwd.getDecryptedPassword(param));
        } else {
            System.err.println("Usage: DecryptPassword <encrypted value>");
        }
    }

    // Decrypts a value that OIM stored encrypted with its database key ("DBSecretKey").
    public String getDecryptedPassword(String encryptedPwd) throws tcCryptoException {
        String decryptedPwd = tcCryptoUtil.decrypt(encryptedPwd, "DBSecretKey");
        return decryptedPwd;
    }
}

3. Compile it with the command below.
javac DecryptPassword.java

4. Run it with the command below.
java -Doracle.security.jps.config=$DOMAIN_HOME/config/fmwconfig/jps-config.xml -DDOMAIN_HOME=$DOMAIN_HOME DecryptPassword 8650:OIuWk+mYHr6dCNKJfcbl4f9dfK6WidqzaSY47d21oh8=

Sample Input/Output:
Input : 8650:OIuWk+mYHr6dCNKJfcbl4f9dfK6WidqzaSY47d21oh8=
Output :  Welcome@123654

Encryption Utility:

1. Create an EncryptPassword.java file on the Linux box that has OIM installed and the environment variables above configured.

2. Put the code below in it.

import com.thortech.xl.crypto.tcCryptoException;
import com.thortech.xl.crypto.tcCryptoUtil;

public class EncryptPassword {
    public static void main(String[] args) throws Exception {
        if (args.length >= 1) {
            EncryptPassword oEncryptPwd = new EncryptPassword();
            String param = args[0];
            System.out.println("Password after encryption: " + oEncryptPwd.getEncryptedPassword(param));
        } else {
            System.err.println("Usage: EncryptPassword <clear-text value>");
        }
    }

    // Encrypts a clear-text value with the OIM database key ("DBSecretKey"), the same key
    // OIM uses for values it stores encrypted in its own tables.
    public String getEncryptedPassword(String decryptedPwd) throws tcCryptoException {
        String encryptedPwd = tcCryptoUtil.encrypt(decryptedPwd, "DBSecretKey");
        return encryptedPwd;
    }
}
  
3. Compile it with the command below.
javac EncryptPassword.java

4. Run it with the command below (the argument matches the sample input that follows).
java -Doracle.security.jps.config=$DOMAIN_HOME/config/fmwconfig/jps-config.xml -DDOMAIN_HOME=$DOMAIN_HOME EncryptPassword Welcome@123654

Sample Input/Output:
Input : Welcome@123654
Output :   1164:4OQStpGN4yYTIkOzTcuIbrMx/rZwD6YoW2AcE5O6Vo4=
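Both utilities above take the secret as a command-line argument, which leaves it in the shell history and visible to anyone who runs ps on the box while the JVM is up. The class below is an added example (my own, not from the original post) that folds both operations into one tool and reads the value from the terminal without echo, or from stdin when piped. It assumes only what the page already uses: tcCryptoUtil.encrypt(String, String) and tcCryptoUtil.decrypt(String, String) with the "DBSecretKey" key name, plus the same classpath and -D flags as the run commands above.

```java
import java.io.BufferedReader;
import java.io.Console;
import java.io.InputStreamReader;

import com.thortech.xl.crypto.tcCryptoException;
import com.thortech.xl.crypto.tcCryptoUtil;

/**
 * OimPasswordTool: encrypt or decrypt a value with the OIM "DBSecretKey" key
 * without placing the secret on the command line.
 *
 * Added example, not part of the original post. Assumes the tcCryptoUtil
 * encrypt/decrypt(String value, String keyName) signatures used on the page.
 *
 * Usage:  java ... OimPasswordTool encrypt    (then type the clear-text value)
 *         java ... OimPasswordTool decrypt    (then paste the encrypted value)
 * or:     printf '%s\n' 'value' | java ... OimPasswordTool decrypt
 */
public class OimPasswordTool {

    // Key name used by OIM for values stored encrypted in its database.
    static final String KEY_NAME = "DBSecretKey";

    public static void main(String[] args) throws Exception {
        if (args.length != 1 || !(args[0].equals("encrypt") || args[0].equals("decrypt"))) {
            System.err.println("usage: OimPasswordTool encrypt|decrypt   (value is read from the console or stdin)");
            System.exit(2);
        }
        boolean doEncrypt = args[0].equals("encrypt");
        String value = readSecret(doEncrypt ? "Clear-text value: " : "Encrypted value: ");
        if (value == null || value.length() == 0) {
            System.err.println("no value supplied");
            System.exit(2);
        }
        // The result goes to stdout only; nothing is logged or echoed back.
        System.out.println(doEncrypt ? encrypt(value) : decrypt(value));
    }

    static String encrypt(String clearText) throws tcCryptoException {
        return tcCryptoUtil.encrypt(clearText, KEY_NAME);
    }

    static String decrypt(String encrypted) throws tcCryptoException {
        return tcCryptoUtil.decrypt(encrypted, KEY_NAME);
    }

    /** Read without echo when a terminal is attached; otherwise read one line from stdin (for pipes). */
    static String readSecret(String prompt) throws Exception {
        Console console = System.console();
        if (console != null) {
            char[] chars = console.readPassword(prompt);
            return chars == null ? null : new String(chars);
        }
        BufferedReader in = new BufferedReader(new InputStreamReader(System.in));
        return in.readLine();
    }
}
```

Compile and run it exactly like the two utilities above (javac OimPasswordTool.java, then java with the -Doracle.security.jps.config and -DDOMAIN_HOME flags and the CLASSPATH from the prerequisites). The decrypted value is still printed to stdout, so do not redirect it into a log file that other users on the box can read.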

 

Tuesday, March 7, 2017

oracle.iam.connectors.icfcommon.prov.ICProvisioningManager : doUpdate : Error while updating user[[ javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 0000052D: SvcErr: DSID-031A12D2, problem 5003 (WILL_NOT_PERFORM), data 0]; remaining name 'CN=Test3 User3,CN=Users,DC=Domain,DC=com'

Issue: 

A password update against Active Directory (AD) fails with the exception below, even when the operation is performed by an admin user:

oracle.iam.connectors.icfcommon.prov.ICProvisioningManager : doUpdate : Error while updating user[[
javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 0000052D: SvcErr: DSID-031A12D2, problem 5003 (WILL_NOT_PERFORM), data 0]; remaining name 'CN=Test3 User3,CN=Users,DC=Domain,DC=com'
                at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3140)
                at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3013)
                at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2820)
                at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1458)
                at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes(ComponentDirContext.java:255)
                at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:172)
                at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:161)
                at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:148)

Debugging:

Check oim_server1-diagnostic.log under oim_server1/logs to find the cause of the password update failure in AD.

Cause:

The new password did not satisfy every condition of the AD password policy.

Solution:

Many times we think the password we are sending satisfies every condition in the password policy. But the Active Directory password policy also has the condition Minimum password age (which confused me too): once a user's password has been changed, it cannot be changed again until the configured number of days has passed.

In the AD password policy from my environment, Minimum password age is 1 day, so once a user's password is changed it cannot be changed again for the next 24 hours; trying to do so throws the same exception.

Notes:

  • The value of Minimum password age varies from customer to customer. During development I suggest keeping it at 0.
  • To view the password policy conditions, log on to the domain controller as Administrator and go to Start --> Administrative Tools --> Local Security Policy --> Account Policies --> Password Policy.
  • To change a password policy condition you first need to disable it; only then can its value be changed.
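As an added illustration (my own code, not part of the original post or of the OIM AD connector), here is a small check that works out from the two attributes AD exposes over LDAP whether a password change will be refused for minimum age, so you can tell before the connector attempts it and gets WILL_NOT_PERFORM back. It assumes pwdLastSet on the user is a Windows FILETIME (100-nanosecond intervals since 1601-01-01 UTC, 0 meaning never set) and minPwdAge on the domain root is a negative interval in the same units (a 1-day policy is stored as -864000000000); the values in main are constructed to match the 1-day policy described above.

```java
import java.text.ParseException;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.TimeZone;

/**
 * MinPwdAgeCheck: predict whether AD will reject a password change because the
 * policy's Minimum password age has not yet elapsed since the last change.
 *
 * Added example, not OIM or connector code. Assumed attribute encodings:
 *   pwdLastSet (user)   - FILETIME, 100-ns ticks since 1601-01-01 UTC; 0 = never set
 *   minPwdAge  (domain) - negative FILETIME interval; 1 day = -864000000000
 */
public class MinPwdAgeCheck {

    // Milliseconds between the FILETIME epoch (1601-01-01) and the Unix epoch (1970-01-01).
    static final long EPOCH_DIFF_MS = 11644473600000L;
    // 100-ns ticks per millisecond.
    static final long TICKS_PER_MS = 10000L;

    static long fileTimeToMillis(long fileTime) {
        return fileTime / TICKS_PER_MS - EPOCH_DIFF_MS;
    }

    static long millisToFileTime(long millis) {
        return (millis + EPOCH_DIFF_MS) * TICKS_PER_MS;
    }

    /**
     * Earliest time (ms since the Unix epoch) at which AD will accept a new password,
     * or -1 when no minimum-age wait applies (password never set, or policy is 0 days).
     */
    static long earliestChangeMillis(long pwdLastSet, long minPwdAge) {
        if (pwdLastSet == 0 || minPwdAge == 0) {
            return -1;
        }
        // minPwdAge is stored negated, so subtracting it moves forward in time.
        return fileTimeToMillis(pwdLastSet - minPwdAge);
    }

    static boolean changeAllowed(long pwdLastSet, long minPwdAge, long nowMillis) {
        long earliest = earliestChangeMillis(pwdLastSet, minPwdAge);
        return earliest < 0 || nowMillis >= earliest;
    }

    static long parseUtc(String iso) throws ParseException {
        SimpleDateFormat f = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss'Z'");
        f.setTimeZone(TimeZone.getTimeZone("UTC"));
        return f.parse(iso).getTime();
    }

    static String formatUtc(long millis) {
        SimpleDateFormat f = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss'Z'");
        f.setTimeZone(TimeZone.getTimeZone("UTC"));
        return f.format(new Date(millis));
    }

    public static void main(String[] args) throws ParseException {
        // Constructed sample: password last set 2017-03-07 10:00 UTC, policy of 1 day.
        long pwdLastSet = millisToFileTime(parseUtc("2017-03-07T10:00:00Z"));
        long minPwdAge = -864000000000L;

        System.out.println("Next change accepted from: "
                + formatUtc(earliestChangeMillis(pwdLastSet, minPwdAge)));

        long sameDay = parseUtc("2017-03-07T20:00:00Z"); // 10 hours later: refused
        long nextDay = parseUtc("2017-03-08T10:00:00Z"); // exactly 1 day later: accepted
        System.out.println("Change at " + formatUtc(sameDay) + " allowed: "
                + changeAllowed(pwdLastSet, minPwdAge, sameDay));
        System.out.println("Change at " + formatUtc(nextDay) + " allowed: "
                + changeAllowed(pwdLastSet, minPwdAge, nextDay));
    }
}
```

In a real investigation read pwdLastSet from the user entry and minPwdAge from the domain root entry with an LDAP search (or from the connector's own lookup) and feed them in; if the earliest accepted time is still in the future, the WILL_NOT_PERFORM is the policy working as designed, not a permissions problem.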


OIM Custom status for Account


        1. Log in to the Design Console.

        2. Go to Resource Management --> Resource Objects, open the resource object and click the Status Definition tab. Click Add, enter the new status and save. Here I have added Not Allowed as the custom status.

        3. Go to Process Management --> Process Definition and open the process task (here Create User) to which you want to map the status. Click Task to Object Status Mapping.

        4. To assign the custom status, double-click the Object Status column against the appropriate response (here C, which means Completed). This opens a lookup that lists the custom status added in step 2; select it, click OK and save.

        5. Execute the process task to which the custom status is mapped and verify the account status.

        Note: Make sure the process task completes (status code C), because the custom status is mapped to that response. To verify, check the resource history of the resource, as shown below.

Wednesday, November 23, 2016

SQL Query to get Process Instance Key of particular Resource for user in OIM

Query to get Process Instance Key:

SELECT ORC_KEY
FROM ORC, PKG, USR
WHERE ORC.PKG_KEY = PKG.PKG_KEY
AND ORC.USR_KEY = USR.USR_KEY
AND PKG_NAME = '[Insert Resource Name here]'
AND USR_LOGIN = '[Insert User Login here]';

Example: To get the Process Instance Key of the AD User resource for user TESTUSER:
SELECT ORC_KEY
FROM ORC, PKG, USR
WHERE ORC.PKG_KEY = PKG.PKG_KEY
AND ORC.USR_KEY = USR.USR_KEY
AND PKG_NAME = 'AD User'
AND USR_LOGIN = 'TESTUSER';

Sunday, November 20, 2016

SQL query to get all the accounts of user in OIM

Query to get active/enabled accounts:

SELECT OBJ.OBJ_NAME
FROM OBJ,OBI,OIU,OST,USR
WHERE OBJ.OBJ_KEY=OBI.OBJ_KEY
AND OBI.OBI_KEY=OIU.OBI_KEY
AND OIU.USR_KEY=USR.USR_KEY
AND OIU.OST_KEY=OST.OST_KEY
AND OST.OBJ_KEY=OBJ.OBJ_KEY
AND USR.USR_LOGIN='[Insert User Login here]'
AND OST.OST_STATUS IN ('Enabled','Provisioned');

Example: To get all the active/enabled accounts of user TESTUSER
SELECT OBJ.OBJ_NAME
FROM OBJ,OBI,OIU,OST,USR
WHERE OBJ.OBJ_KEY=OBI.OBJ_KEY
AND OBI.OBI_KEY=OIU.OBI_KEY
AND OIU.USR_KEY=USR.USR_KEY
AND OIU.OST_KEY=OST.OST_KEY
AND OST.OBJ_KEY=OBJ.OBJ_KEY
AND USR.USR_LOGIN='TESTUSER'
AND OST.OST_STATUS IN ('Enabled','Provisioned');


Query to get disabled accounts:

SELECT OBJ.OBJ_NAME
FROM OBJ,OBI,OIU,OST,USR
WHERE OBJ.OBJ_KEY=OBI.OBJ_KEY
AND OBI.OBI_KEY=OIU.OBI_KEY
AND OIU.USR_KEY=USR.USR_KEY
AND OIU.OST_KEY=OST.OST_KEY
AND OST.OBJ_KEY=OBJ.OBJ_KEY
AND USR.USR_LOGIN='[Insert User Login here]'
AND OST.OST_STATUS IN ('Disabled');

Example: To get all the disabled accounts of user TESTUSER
SELECT OBJ.OBJ_NAME
FROM OBJ,OBI,OIU,OST,USR
WHERE OBJ.OBJ_KEY=OBI.OBJ_KEY
AND OBI.OBI_KEY=OIU.OBI_KEY
AND OIU.USR_KEY=USR.USR_KEY
AND OIU.OST_KEY=OST.OST_KEY
AND OST.OBJ_KEY=OBJ.OBJ_KEY
AND USR.USR_LOGIN='TESTUSER'
AND OST.OST_STATUS IN ('Disabled');

Query to get revoked accounts:

SELECT OBJ.OBJ_NAME 
FROM OBJ,OBI,OIU,OST,USR
WHERE OBJ.OBJ_KEY=OBI.OBJ_KEY
AND OBI.OBI_KEY=OIU.OBI_KEY
AND OIU.USR_KEY=USR.USR_KEY
AND OIU.OST_KEY=OST.OST_KEY
AND OST.OBJ_KEY=OBJ.OBJ_KEY
AND USR.USR_LOGIN='[Insert User Login here]'
AND OST.OST_STATUS IN ('Revoked');

Example: To get all the revoked accounts of user TESTUSER
SELECT OBJ.OBJ_NAME 
FROM OBJ,OBI,OIU,OST,USR
WHERE OBJ.OBJ_KEY=OBI.OBJ_KEY
AND OBI.OBI_KEY=OIU.OBI_KEY
AND OIU.USR_KEY=USR.USR_KEY
AND OIU.OST_KEY=OST.OST_KEY
AND OST.OBJ_KEY=OBJ.OBJ_KEY
AND USR.USR_LOGIN='TESTUSER'
AND OST.OST_STATUS IN ('Revoked');