Wednesday, September 21, 2016

MAC vs DAC vs RBAC

Monday, August 29, 2016

Symantec SSL Certificate Checker

Useful tool:

Symantec SSL Certificate Checker

Tuesday, August 9, 2016

How user Lock Unlock functionality works in OIM - OAM integrated environment

http://idmexpress.blogspot.com.au/2014/09/how-user-lock-unlock-functionality.html

OIM11gR2PS3 - System Properties

As a reference.


Property NameKeywordDefault ValueDescription
Access Policy Revoke If No Longer Applies Enhancement
XL.AccessPolicyRevokeIfNoLongerAppliesEnhancement
FALSE
Determines if the Revoke if no longer applies flag in access policy is applicable.
If the value is true, then this flag is applicable to child table data (entitlements) along with parent data. The user can determine if child data must be removed or retained when access policy no longer applies to user based on this flag.
If the value if false, then child table data (entitlements) are always removed after access policy is no longer applied.
Note: This property is not used in Oracle Identity Manager Release 2 (11.1.2) or later.
Allows access policy based provisioning of multiple instances of a resource
XL.AllowAPBasedMultipleAccountProvisioning
FALSE
Determines if multiple instances of a resource can be provisioned to multiple target resources.
When the value is false, provisioning multiple instances of resource object via access policy is not allowed.
When the value is true, provisioning multiple instances of resource object via access policy is allowed.
Allows linking of access policies to reconciled and bulk loaded accounts
XL.AllowAPHarvesting
FALSE
Determines if access policy engine can link access policies to reconciled accounts and to accounts created by the Bulk Load Utility.
This property is used in the context of evaluating access policies for reconciled accounts and to accounts created by the Bulk Load Utility. For more information, see"Evaluating Policies for Reconciled and Bulk Load-Created Accounts".
Note: This property is used in Oracle Identity Manager 11g Release 2 (11.1.2.2.0) or later.
Are challenge questions disabled in OIM
OIM.DisableChallengeQuestions
FALSE
Determines if challenge questions are enabled or disabled when a user logs in to Oracle Identity Manager for the first time.
When value is False, challenge questions are enabled.
When value is True, challenge questions are disabled.
This property is primarily used in the context of Oracle Adaptive Access Manager (OAAM) configuration. When the value is TRUE, the challenge questions are handled by OAAM.
When the value is FALSE, then PWR.PWR_CHA_POLICY_ENABLED is honored to determine if challenge policy is enabled or not.
Catalog Additional Application Details Task Flow
CatalogAdditionalApplicationDetailsTaskFlow
/WEB-INF/oracle/iam/ui/common/tfs/empty-tf.xml#empty-tf
A custom task flow is to be displayed when an application is selected from the catalog checkout page. The task flow page will display as a tab in the cart details section.
Catalog Additional Entitlement Details Task Flow
CatalogAdditionalEntitlementDetailsTaskFlow
/WEB-INF/oracle/iam/ui/common/tfs/empty-tf.xml#empty-tf
A custom task flow is to be displayed when an entitlement is selected from the catalog checkout page. The task flow page will display as a tab in the cart details section.
Catalog Additional Role Details Task Flow
CatalogAdditionalRoleDetailsTaskFlow
/WEB-INF/oracle/iam/ui/common/tfs/empty-tf.xml#empty-tfs
A custom task flow is to be displayed when a role item is selected from the catalog checkout page. The task flow page will display as a tab in the cart details section.
Catalog Advanced Search Maximum Applications
CatalogAdvancedSearchMaxApps
15
In the default form for catalog advanced search, you can search for entitlements by specifying the list of applications to search from. This system property controls the maximum number of applications that can be selected for entitlement search.
Catalog Advanced Search Taskflow
CatalogAdvancedSearchTaskflow
/WEB-INF/oracle/iam/ui/catalog/tfs/catalog-advanced-search-tf.xml#catalog-advanced-search-tf
Determines the taskflow used for catalog search. If you create custom taskflow for catalog search, then change the value of this property to the complete path of the custom taskflow.
Catalog Attributes for Sorting Search Results
CatalogSortAttributes
ENTITY_DISPLAY_NAME; ENTITY_TYPE
This property determines the attributes that are displayed in the Sort By drop down in the catalog results tab.
Catalog Audit Data Collection
XL.CatalogAuditDataCollection
none
Determines if catalog auditing is enabled or disabled. The default value is none, which specifies that catalog auditing in disabled. To enable catalog auditing, set the value of this property to catalog.
Catalog Regex for special characters
Catalog.SpecialCharacterRegex
[^\w]
Enables text parsing and escaping of special characters when performing a catalog search by using some special characters. If you do not want any text parsing and escaping of special characters, then change the value of this property to [^\w^\W].
Catalog search MAX result size. Default value is -1 which means return all
XL.CatalogSearchResultCap
-1
When the data is huge in the request catalog and you encounter any issue with the performance of the catalog, you can change the value of this system property and provide some reasonable values, such as 500. As a result, catalog search will not return more than the specified value. If the value is -1, then no result size limit is applied on the catalog search result.
Catalog Searchable UDF In Tags
CATALOG.SearchableUdfInTags
FALSE
If want to use searchable UDF in TAGS, then you can set the value of this property to TRUE. Then, you can run the scheduled task in recalculate tags mode and searchable UDF values are part of the TAGS column. The same value can be used in keyword search.
Catalog Table Rows To Display Size
CatalogTableRowsToDisplaySize
10
This property is used to control the number of rows displayed in all tables found in all catalog-related pages.
CommonName generation plugin
XL.DefaultCommonNamePolicyImpl
oracle.iam.ldapsync.impl.plugins.FirstNameLastNamePolicy
Determines the common name generation plugin to generate common name.
Compiler Path for Connectors
XL.CompilerPath
Specifies the Java home depending on the application server.
Note: If the path of the JDK directory is not included in the System Path variable, then you must set the path of the JDK directory in the XL.CompilerPath system property. If this is not done, then an error is encountered during the adapter compilation stage of the process performed when you import an XML file by using the Deployment Manager.
Compute and Persist Min Age On Password Change
ComputePersistMinAgeOnPasswordChange
proactive
Password minimum age calculation has two modes, proactive and reactive mode.
In proactive, where minimum age date is calculated at password change time, any subsequent change to the user's applicable password policy's minimum age property will not be honored until the next password change, where as with the reactive approach, policy changes are applied immediately.
To enable proactive or reactive approach, system property Compute Persist Min Age On Password Change is introduced.
Copy both user and manager of user in the create user email notification
XL.NotifyUserCreateToOther
TRUE
Copies the user and user's manager in the email notification that is sent when a user is created.
Data Collection Session ID
XL.DataCollectionSessionID
dummy
Specifies the session ID of the current Oracle Identity Analytics (OIA) Data collection session.
Data Collection Status
XL.DataCollectionStatus
FINALIZED
Specifies the status of the current OIA data collection session.
Default Date Format
XL.DefaultDateFormat
yyyy/mm/dd hh:mm:ss z
When creating reconciliation events by calling the APIs and date format is not passed as one of the arguments to the API, Oracle Identity Manager assumes that all the date field values are specified in Default Date Format.
Default policy for username generation
XL.DefaultUserNamePolicyImpl
oracle.iam.identity.usermgmt.impl.plugins.DefaultComboPolicy
Determines the username policy to use when generating a username.
Default user name domain
XL.UserNameDomain
oracle.com
This property is used by the DefaultComboPolicy to generate a user name in e-mail format.
Display Certification or Attestation
OIM.ShowCertificationOrAttestation
attestation
This property has been superseded by theIdentity Auditor Features Enabledsystem property, and attestation is no longer supported.
Note: In this release, this property is not used as Attestation is not supported. This property is superceded by the Identity Auditor Features Enabled system property.
Does user have to provide challenge information during registration
PCQ.PROVIDE_DURING_SELFREG
TRUE
If the value is TRUE, then users will have to provide challenge information during registration.
Email Server
XL.MailServer
Email Server
Name of the e-mail server.
Note: After modifying the Email Server system property value, you must restart the server for the change to take effect.
Email Validation Pattern
XL.EmailValidationPattern
[A-Za-z0-9\.\_\#\!\$\&\'\*\/\=\?\^\`\{\}\~\|\%\+\-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4}
This property contains the regular expression used to validate the email ID of a user.
Enable Exception Reports
XL.EnableExceptionReports
TRUE
This property is used to enable the exception reporting feature. Exception reporting is enabled only if the value is set to TRUE.
Evaluate LDAP Container Rules for Entity Modification
LDAPEvaluateContainerRulesForModify
FALSE
If the property value is TRUE, then the LDAP container rules defined in LDAPContainerRules.xml are evaluated for entity modification. However, if none of the rules match, then the default container is not returned. The original parent container of the entity is returned, which means that there is no change in the entity DN.
If the property value is FALSE, then the LDAP container rules defined in LDAPContainerRules.xml are not evaluated. The entity DN does not change.
Note: This property only applies to a modification scenario and not to the entity creation scenario.
Force to set questions at startup
PCQ.FORCE_SET_QUES
False
When the user logs into the Oracle Identity Self Service or Oracle Identity System Administration for the first time, the user must set the default questions for resetting the password.
Note: After modifying the value of this property, you must restart Oracle Identity Manager server for the changes to take effect.
GTC Auto Import
XL.GTCAutoImport
true
Based on the value of this property, the DM xml that is generated while Generic Technology Connector (GTC) creation can be saved to a directory.
The default value of this property is true.
When the value of this property is set to "False", then while creating GTC, the DM xml (the xml that GTC creates and imports using Deployment Manager internally while GTC creation) created by the GTC framework is stored in the following directory:
OIM_HOME/GTC/XMLOutput
The naming convention followed for the DM xml is:
GTCNAME_CURRENTDATE_ TIMESTAMPcreated using date format "yyyy-MM-dd-HH-mm-ss".xml
For example:
TRUSTEDCSV_2009-02-05-22-41-11.xml
Homepage for Self Service console
OIM.IdentityHomepage
none
This property is used to set the page to be displayed after a user logs in to Oracle Identity Manager Self Service.
You can set one of the following as the value of this property:
  • my_access: Displays the My Access page
  • my_info: Displays the My Information page
  • home: Displays the Home page
  • catalog_home:Displays the Catalog page
  • none: Displays no page
After modifying the value of this property, you must restart Oracle Identity Manager server for the changes to take effect.
Note: This property is not used in Oracle Identity Manager 11g Release 2 (11.1.2.3.0).
Identity Auditor Feature Set Availability
OIG.IsIdentityAuditorEnabled
FALSE
When the value of this property is TRUE, role lifecycle management, Segregation of Duties (SoD), and identity certification are enabled.
Note: After modifying the value of this system property, you must restart Oracle Identity Manager server for the changes to take effect.
Inbox Task Tabs (none/all)
UI.INBOX.VIEW.TaskTabs
none
This property determines whether or not to show additional links, such as Initiated tasks, Reportees and Administrative tasks, in the Inbox. When set to all, the following links are displaied in the Inbox:
My tasks,Initiated tasks, Reportees, Administrative tasks.
When set to none, only the My tasks link is displayed in the Inbox.
Indicates if referential integrity is enabled in target LDAP directory
XL.IsReferentialIntegrityEnabledInLDAP
FALSE
The value of this property is TRUE if referential integrity in target LDAP directory is turned on.
The value of this property is FALSE if referential integrity in target LDAP directory is turned off.
To be able to modify an entity stored in LDAP, this prop must be set to TRUE.
Is DataProvider LDAP/DB
OIM.DataProvider
DB
Specifies the data provider, which is Oracle Identity Manager database. The default value is DB, which indicates that the database is the data provider.
Is disabled manager allowed
AllowDisabledManagers
FALSE
Specifies whether a user in the disabled state can be set as a manager for another user.
Is OIM Notifications disabled (true/false)
XL.DisableAllNotifications
false
This property is used to enable or disable all notifications in Oracle Identity Manager. When the value of this property is set to false, notifications are enabled. When the value of this property is true, notifications are disabled.
Is Self-Registration Allowed
XL.SelfRegistrationAllowed
TRUE
If the value is TRUE, then the users are allowed to self-register.
LDAP Reservation Plugin
XL.LDAPReservationPluginImpl
oracle.iam.identity.usermgmt.impl.plugins.reservation.ReservationInOID
This property determines the LDAP reservation plugin implementation to be picked up for reservation of user attributes.
Level of Role Auditing
XL.RoleAuditLevel
None
This property controls the amount of audit data collected when an operation is performed on a role, such as creation or modification. The supported levels are:
  • None: No audit data is collected.
  • Role: Creation, modification, and deletion of role is audited.
  • Role Hierarchy: Changes made to the role inheritance is audited.
Notify other recipients with the password reset email if email of user is null
XL.NotifyPasswordGenerationToOther
TRUE
When the value of this property is TRUE, the email notification for reset password is sent to other recipients if the email ID of the user is not specified.
Number of records to be executed in a batch during Catalog Enrichment
XL.CatalogEnrichmentBatchSize
500
This property determines how many records must be processed in a batch by the catalog job during catalog enrichment.
OIA integration status
OIM.IsOIAIntegrationEnabled
FALSE
Specifies whether OIA is integrated with Oracle Identity Manager.
Set the value of this property to TRUE before you add role memberships in Oracle Identity Manager.
If you set the value of this property to FALSE,incremental role memberships into OIA will not work.
Note: You must do a full import of role memberships at least once after this property is enabled.
Old Password Validator
OIM.OldPasswordValidator
oracle.iam.identity.usermgmt.impl.ContainerLoginPasswordVerifier
The property specifies the name of the plugin class to be used for verifying old passwords.
OMSS Enabled
OMSS Enabled
false
When the value of this property is true, OMSS integration is enabled, and the OMSS links and tabs are displayed in Oracle Identity Self Service.
Note: After modifying the value of this system property, you must restart Oracle Identity Manager server for the changes to take effect.
Period to Delay User Delete
XL.UserDeleteDelayPeriod
0
This property is used to specify the time period before deleting a user. When this property is set and a user is deleted, the user's state is changed to disabled and "automatically delete on date" is set to current date plus the delay period.
If this property is not set, then the user is automatically deleted at the expiration of the end date by the Disable/Delete User After End Date scheduled job.
Proxy User Email Notification
XL.ProxyNotificationTemplate
Notify Proxy User
The corresponding PTY_VALUE is the e-mail definition name that is sent when a proxy user is created. User gets a notification e-mail when the user is made the proxy for some other user.
Recon Batch Size
OIM.ReconBatchSize
500
This property is used to specify the batch size for reconciliation. You can specify 0 as the value for this to indicate that the reconciliation will not be performed in batches.
Note: When using trusted source reconciliation from Oracle Directory Server Enterprise Edition (ODSEE), the value of this property must not be 0. When the value is 0, users are not created in Oracle Identity Manager.
Note: You must restart Oracle Identity Manager server after setting this property.
Request Notification Level
RequestNotificationLevel
0
This property indicates whether or not notification is sent to the requester and beneficiary when a request is created or the request status is changed. This property can have the following values:
  • 0: The notification feature is disabled.
  • 1: Notifications are sent for every change in request status.
  • 2: Notifications are sent for request creation and change of status to any of the Request End statuses. Request End statuses include Request Failed and other failure related statuses, Request Completed, Request Withdrawn, and Request Closed.
  • 3: Email notifications are sent only on request completion.
For request notification level 2, notifications are sent for request creation and change of status to any of the Request End statuses. Request End statuses include Request Failed and other failure related statuses, Request Completed, Request Withdrawn, and Request Closed.
Retry Count for recon event
Recon.RetryCount
5
This property determines the reconciliation retry count. The retry count value is picked up from the value of this property.
If you specify a value that is greater than 0, then auto retry is configured. If you specify 0 as the value of this property, then auto retry is not configured.
Search Stop Count
XL.IDADMIN_STOP_COUNT
300
This property determines the maximum number of records that are displayed in the advanced search result. If the search criteria specified returns more number of records than that value of this property, then the number of records displayed is limited to this value. In addition, a warning is displayed stating that the results exceed maximum counts and you must refine your search with additional attributes.
Segregation of Duties (SOD) Check Required
XL.SoDCheckRequired
FALSE
This property indicates whether or not Segregation of Duties (SoD) check is required.
Send email notification based on user locale
XL.SendEmailNotificationBasedOnUserLocale
false
This property determines whether an email notification is sent based on the receiver's (user/manager/assignee/requestor) locale when the value is set to true. If the value is set to false, then notification is sent in the server locale.
Note: This system property has been deprecated in this release of Oracle Identity Manager.
Should send notifications in recon or not
Recon.SEND_NOTIFICATION
true
Determines if notification is sent to the user when the user login and password are generated in postprocess event handler for user creation via trusted source reconciliation.
If the value is set to true, then notification is sent when user login and password are generated in postprocess event handler for user creation via trusted source reconciliation.
If the value is set to false, then notification is not sent when user login and password are generated in postprocess event handler for user creation via trusted source reconciliation.
Shows tasks assigned to group users with highest priority or least load only
XL.ShowTaskAssignedToGroupUserOnly
FALSE
If the value is TRUE, then the tasks are assigned to group users with highest priority or least load only when the assignment type is Group User With Least Load.
Specifies the LDAP container mapper plug-in to be used
LDAPContainerMapperPlugin
oracle.iam.ldapsync.impl.DefaultLDAPContainerMapper
When Oracle Identity Manager is installed with LDAP synchronization enabled, this plug-in determines in which container users and roles are to be created. Value of this system property indicates the default Oracle Identity Manager plug-in name used for computing the container values. If the default plug-in does not meet the requirement, then you can define your own plug-in to determine the container and specify the name of the plug-in in this system property.
URL for challenge questions modification
OIM.ChallengeQuestionsModificationURL
NONE
When a user is locked, an automatic unlock occurs after a prescribed time period. This property defines that time period in seconds. Therefore, for example, if a user account is locked and the value of this property is 86400 seconds (one day), then the account is automatically unlocked after one day.
The value of this property is the URL within OAAM that handles the challenge questions. For example:
http://OAAM_HOST:OAAM_PORT/OAAM_SERVER/userPreferences.do?showView=registerQuestions
URL for change password
OIM.ChangePasswordURL
NONE
This property is used in combination with the property OIM.DisableChallengeQuestions. The value of this property is the URL within OAAM that handles the change password functionality. For example:
http://OAAM_HOST:OAAM_PORT/OAAM_SERVER/userPreferences.do?showView=changePassword
User Attribute Reservation Enabled
XL.IsUsrAttribReservEnabled
TRUE
This property is used to enable user attribute reservation.
User Id reuse property.Requires dropping the index present on USR_LOGIN column
XL.UserIDReuse
FALSE
Determines whether a deleted user account can be reused. To reuse a deleted user account, assign this property a value of TRUE and drop the unique index for the USR_LOGIN column in the USR table and create a nonunique index. To prevent a user account from being reused, assign this property a value of FALSE.
Note: It is imperative to de-provision all accounts associated with a deleted user, because if you create a new user with the same user name as that of the deleted user by setting the XL.UserIDReuse property totrue, then the new user might get access to offline accounts of the deleted user that was not deleted as part of the de-provisioning process.
User Language
user.language
en
The user.language value is configured during installation for Locale handling at server side.
User profile audit data collection level
XL.UserProfileAuditDataCollection
Resource Form
This property controls the user profile data that is collected for audit purpose when an operation is performed on the user, such as creation, modification, or deletion of a user, role grants or revokes, and resource provisioning or deprovisioning. Depending upon the property value, such as Resource Form or None, the data is populated in the UPA table.
The audit levels are specified as values of this property. The supported levels are:
  • Process Task: Audits the entire user profile snapshot together with the resource lifecycle process.
  • Resource Form: Audits user record, role membership, resource provisioned, and any form data associated to the resource.
  • Resource: Audits the user record, role membership, and resource provisioning.
  • Membership: Only audits the user record and role membership.
  • Core: Only audits the user record.
  • None: No audit is stored.
User Region
user.region
US
The user.region value is configured during installation for Locale handling at server side.
Whether or not email should be validated for uniqueness
OIM.EmailUniqueCheck
TRUE
This property is available in an Oracle Identity Manager 11g Release 2 (11.1.2.1.0) deployment that has been upgraded from an earlier release of Oracle Identity Manager.
If the value of this property is FALSE, then Email Uniqueness check is not performed by Oracle Identity Manager.
If the value if TRUE, then Email Uniqueness check is performed by Oracle Identity Manager.
Note: If this property is not present, then Email Uniqueness check is performed by Oracle Identity Manager.
Workflows Enabled
Workflows Enabled
TRUE
This property determines whether SOA server is turned on or turned off.
If the value of this property is TRUE, then SOA sever is turned on.
If the value of this property is FALSE, then SOA server is turned off.
Note: After setting the value of this system property, you must restart Oracle Identity Manager.
Note: Toggling between enabling and disabling workflows is not supported.
Workflow Policies Enabled
Workflow Policies Enabled
TRUE
This property determines whether approval workflows is enabled or disabled in Oracle Identity Manager. Approval workflows is used to determine if operation requires approval or not, and if approval is required, then which workflow is to be invoked.
If the value of this property is TRUE, then approval workflow is enabled.
If the value of this property is FALSE, then approval workflow is disabled.
For detailed information about approval workflow, see Chapter 4, "Managing Workflows".