OIM 11g R2 - User random password Generation

Similar Messages

• Disable random Password generation button on Reset Password popup window.

  Hi ALL,
  We have a new requirement when user click on reset password tab on "Modify User" page, a pop up window will open with two options :
  1) Manually change the Password
  2) Auto-generate the Password (Randomly generated)
  I want to remove or disable this 2nd option. Can you please guide me what necessary changes required?
  Thanks,
  Amit

  It's easy enough to generate a random password. Use a
  constant string containing your alphabet (different
  systems have different rules about what characters
  are allowed). Then us Random first to generate a
  suitable length, then to pick a character from your
  alphabet for each slot. If there are further rules
  (e.g. "must contain at least one digit") then check
  the password you've just generated and if it fails
  the test, simply try again.
  But this isn't a particularly good system. It allows
  anyone to harrass a user by changing their password
  if they can guess their user name.
  The approach I favour is to send the user a one-time
  click-thru URL in an e-mail which allows them to set
  their password to anything they chose. That needs a
  special table in some data base. You generate a
  random token which acts as a one-shot password on a
  special "change password" page. As soon as the click
  through has been used then the database entry is
  deleted so that the token is invalidated. You should
  also invalidate the token if they log on in the
  normal way.I agree that the 'forgot your password' feature is nasty. I mean, we are normally enjoined from saying "invalid user id" or "invalid password", we have to say "invalid user id / password combination" or something to that effect. But by providing the 'forgot your password' feature, it would be trivial to write a bot to see which sites provide this, determine a good page from a bad (e.g., valid user id) and then have an easier time brute-forcing the password. Sad.
  On the other hand, I know personally that many companies are concerned with phishing attacks on their customers. As such, they have a blanket policy prohibiting any URL that hits a secured page in any way.
  So, what to do? :^(
  - Saish

• OIM 11g, Get users from table and insert them into Approval Task

  Hi All,
  I have OIM 11.1.1.5.4 in Solaris 10 and I have an Oracle Table configured as Trusted Source.
  I am using Database_App_Tables_9.1.0.5.0 connector.
  I want Reconciliate new users from a Oracle Table as follow:
  1. I ran the scheduled job
  2. The new users reconciled Must get into an Approval Task before of insert them into USR Table.
  3. The Administrator User Approved o Rejected the new users.
  4. The new users that were approval Must insert them into USR Table.
  Is there any form of implement this?, Can you guide me please?.
  Thanks for your Help.

  Through your Schedule Task, generate "*Create User*" (Request Type) request and assign approval workflow for such requests.
  After completion of approval ONLY, users will get created into OIM 11g.

• Random password generation

  Hi All,
  We have a link on login page "Forgot Password" ?
  As users clicks the link, idea is he goes to page that has emails address and submit button.
  As user enters his emails address and clicks submit, the mechanism gemerates a new password and sends it over to his email address.
  My question is, "I dont know how to generate that new random password."
  Is there a code around, that I can use ?
  thanks a lot,
  pp

  It's easy enough to generate a random password. Use a
  constant string containing your alphabet (different
  systems have different rules about what characters
  are allowed). Then us Random first to generate a
  suitable length, then to pick a character from your
  alphabet for each slot. If there are further rules
  (e.g. "must contain at least one digit") then check
  the password you've just generated and if it fails
  the test, simply try again.
  But this isn't a particularly good system. It allows
  anyone to harrass a user by changing their password
  if they can guess their user name.
  The approach I favour is to send the user a one-time
  click-thru URL in an e-mail which allows them to set
  their password to anything they chose. That needs a
  special table in some data base. You generate a
  random token which acts as a one-shot password on a
  special "change password" page. As soon as the click
  through has been used then the database entry is
  deleted so that the token is invalidated. You should
  also invalidate the token if they log on in the
  normal way.I agree that the 'forgot your password' feature is nasty. I mean, we are normally enjoined from saying "invalid user id" or "invalid password", we have to say "invalid user id / password combination" or something to that effect. But by providing the 'forgot your password' feature, it would be trivial to write a bot to see which sites provide this, determine a good page from a bad (e.g., valid user id) and then have an easier time brute-forcing the password. Sad.
  On the other hand, I know personally that many companies are concerned with phishing attacks on their customers. As such, they have a blanket policy prohibiting any URL that hits a secured page in any way.
  So, what to do? :^(
  - Saish

• OIM 11g Modify User Profile for Updating End Date

  Hi Gurus!
  We have an OIM implementation where users may request the creation of other users by means of a Create User request template. In this template we set the End Date to be 3 months after the request date.
  In order for the requester to extend the period of a user's OIM user account (along with its provisioned resources) we customized a Modify User Profile by displaying the End Date field and automatically populate it again to 3 months after the request date. Also we developed a custom event handler to enable the user when it is disabled and the End Date is updated to a future date.
  This Modify User Profile is working great when the user is still enabled (the End Date is still in the future), however, when the End Date has passed (and the user is Disabled) the requester is not able to see the user when selecting the Modify User Profile request template.
  Is there a way to allow requesters to also see disabled users in the Modify User Profile request template?
  Thank you in advance.
  Regards,

  Hi Kevin,
  thanks for your reply!
  But, in this case, when the user is already disabled due to his End Date, how can a requester, through the Self Service TAB, enable it?
  The Enable User request template does not work since when trying to enable the user, OIM sees the End Date is already passed and the DataSet validation throws an exception.
  The only way I saw was providing a Modify User Profile Request template to change the End Date and developing a custom event handler to enable the user upon the extension of the End Date...
  How can, in this situation, a requester enable the user and extend its End Date?
  Thank you!
  Regards,

• OIM 11g - Set a default password when a user is created

  Hi everybody,
  I'm trying to set a default password when I create a user manually but I've got some errors.
  I firstly created a pre-process event handler to generate automatically a login and an email for a user who is created and it worked fine. But now I'm trying to generate a default password (like "ChangeIt" for example) that the user will have to change the first time.
  This is the code I wrote :
  public EventResult execute(long processId, long eventId, Orchestration orchestration) {
  String methodName = "EventREsult execute";
  System.out.println("###### " + className + " - method " + methodName + " - STARTED");
  HashMap<String, Serializable> parameters = orchestration.getParameters();
  System.out.println("###### OK1");
  String firstName = (String)parameters.get(UserManagerConstants.AttributeName.FIRSTNAME.getId());
  System.out.println("###### OK2");
  String lastName = (String)parameters.get(UserManagerConstants.AttributeName.LASTNAME.getId());
  System.out.println("###### OK3");
  String userKey = (String)parameters.get(UserManagerConstants.AttributeName.USER_KEY.getId());
  System.out.println("###### OK4");
  String userLogin = firstName + lastName;
  parameters.put(UserManagerConstants.AttributeName.USER_LOGIN.getId(), userLogin);
  System.out.println("###### OK5");
  parameters.put(UserManagerConstants.AttributeName.EMAIL.getId(), firstName + "." + lastName + "@test.test");
  System.out.println("###### OK6");
  parameters.put(UserManagerConstants.AttributeName.PASSWORD.getId(), "ChangeIt");
  System.out.println("###### " + className + " - method " + methodName + " - ENDED");
  return new EventResult();
  And When I try to create a user, I've got the error : "An error occured. Null input buffer"
  This is what I have in the console :
  <10 mai 2012 16 h 44 CEST> <Error> <oracle.iam.identity.usermgmt.impl> <IAM-3050030> <Exception lors de la rÚalisation de l'opÚration.
  java.lang.IllegalArgumentException: Null input buffer
  at javax.crypto.Cipher.doFinal(DashoA13*..)
  at com.thortech.xl.crypto.tcDefaultDBEncryptionImpl.decrypt(tcDefaultDBEncryptionImpl.java:219)
  at com.thortech.xl.crypto.tcCryptoUtil.decrypt(tcCryptoUtil.java:122)
  at com.thortech.xl.crypto.tcCryptoUtil.decrypt(tcCryptoUtil.java:200)
  at oracle.iam.platform.utils.crypto.CryptoUtil.getDecryptedPassword(CryptoUtil.java:136)
  at oracle.iam.transUI.impl.handlers.user.UpdateUsrPwdFields.updateUserPwdFields(UpdateUsrPwd
  Fields.java:124)
  at oracle.iam.transUI.impl.handlers.user.UpdateUsrPwdFields.execute(UpdateUsrPwdFields.java:
  71)
  at oracle.iam.platform.kernel.impl.OrchProcessData.runPreProcessEvents(OrchProcessData.java:
  898)
  <10 mai 2012 16 h 44 CEST> <Error> <oracle.iam.identitytaskflow.logging> <BEA-000000> <IAM-3060023>
  I know this is something due to the password parameter but I don't understand what is expected for this one ...
  If you someone could help me with this it would be really helpful !
  Thanks,
  Thibault

  Hi, Thanks for your quick answer !
  So it solved half of the problem ! Now I've got an other error : decrypt failed
  And this is the beginning of the error in the console :
  <10 mai 2012 18 h 14 CEST> <Error> <XELLERATE.ACCOUNTMANAGEMENT> <BEA-000000> <Class/Method: tcDefau
  ltDBEncryptionImpl/decrypt encounter some problems: Input length must be multiple of 16 when decrypting with padded cipher
  javax.crypto.IllegalBlockSizeException: Input length must be multiple of 16 when decrypting with pad
  ded cipher
  at com.sun.crypto.provider.SunJCE_f.b(DashoA13*..)
  at com.sun.crypto.provider.SunJCE_f.b(DashoA13*..)
  at com.sun.crypto.provider.AESCipher.engineDoFinal(DashoA13*..)
  at javax.crypto.Cipher.doFinal(DashoA13*..)
  at com.thortech.xl.crypto.tcDefaultDBEncryptionImpl.decrypt(tcDefaultDBEncryptionImpl.java:2
  19)
  at com.thortech.xl.crypto.tcCryptoUtil.decrypt(tcCryptoUtil.java:122)
  at com.thortech.xl.crypto.tcCryptoUtil.decrypt(tcCryptoUtil.java:200)
  at oracle.iam.platform.utils.crypto.CryptoUtil.getDecryptedPassword(CryptoUtil.java:136)
  at oracle.iam.transUI.impl.handlers.user.UpdateUsrPwdFields.updateUserPwdFields(UpdateUsrPwd
  Fields.java:124)
  at oracle.iam.transUI.impl.handlers.user.UpdateUsrPwdFields.execute(UpdateUsrPwdFields.java:
  71)
  at oracle.iam.platform.kernel.impl.OrchProcessData.runPreProcessEvents(OrchProcessData.java:
  898)
  What does it means ? My password must be encrypted or something like this ?
  Thanks if you can help me with this !!
  Thibault

• OIM 11g R1 - User Login activities

  Hello,
  we have OAM-OIM-OID integration. A user authenticates against OAM/OID.
  It is possible to track any user login or user password changes?
  Where will this activities stored? OAM or OID?

  you can check the OAM or OID Audit logs.
  OID: ORACLE_INSTANCE/auditlogs/OID/oid1
  OAM: <MW_HOME>/user_projects/domains/OAM_domain/servers/oam_server1/logs/auditlogs
  Reference:
  http://docs.oracle.com/cd/E14571_01/doc.1111/e15478/audit.htm
  http://docs.oracle.com/cd/E15523_01/oid.1111/e10029/auditing.htm

• OIM 11g r2  User  UDF fields  Updation based on AD ID

  Hi,
  We have to update the UDF fields created for the users in OIM using the data from a table.
  This table contains the AD ID, and other fields.
  OIM User (already available) will be updated based on AD ID ….i;e AD ID column will be used to find the user in OIM and then his UDF will be updated based on the respective data from other columns in the table .
  Please can you help me on this task?
  Thanks,

  Your requirement doesn't tell much like when you want to update your user. If it would be on daily basis then go for Schedule Task, if you want to at the time of provisioning then you can have one task and attach your code to bring AD ID in OIM..
  You may leverage Event Handlers as well if your use case requires that.

• OIM 11g create user with API - double resources

  Hello.
  We have a custom web client for creating a user in OIM. When we create a user with the OOTB web app (formerly xlWebApp), it creates the user and the Access Policies work correctly to give the user one of each resource.
  When we create the user with the API from our custom web app, it tries to assign 2 of each resource to the new user. Has anyone seen this behavior before? Thank you.

  Bump Thanks.

• OIM 11g R1 - change xelsysadm passwords

  Hello,
  i need to change the passwords for xelsysadm.
  Where do i have to change all the passwords for xelsysadm?
  - OIM
  - OID (LDAP)
  - Credential Store Provider in EM (sysadmin = xelsysadm)
  - ???

  Use Oracle Document:
  http://docs.oracle.com/cd/E14571_01/doc.1111/e14308/handlinglcm.htm#CIAJCEEF

• OIM 11g searching users by UDF, using API

  Hi,
  I can't search by any field other then "Users.User ID, Users.Key, Users.Middle Name ... "
  Standard fields but not on the list above (i.e. "USR_STREET"), allways result as 0 (rs.getRowCount()=0).
  And the worst is searching by user defined field. It always ends with exception.
  my code:
  tcUserOperationsIntf a = client
                           .getService(tcUserOperationsIntf.class);
                 Hashtable ht = new Hashtable();
                 ht.put("USR_UDF_HR_ID1", "10000008");
                 System.out.println(ht);
                 tcResultSet rs = a.findAllUsers(ht);
                 System.out.println("count: " + rs.getRowCount());
                 System.out.println(rs.getStringValue("Users.User ID"));
                 System.out.println(rs.getStringValue("USR_UDF_HR_ID1"));
  HR_ID1 is string, not required, not unique, searchable.
  What I get is:
  *Thor.API.Exceptions.tcAPIException: Error occurred while finding users.
       at weblogic.rjvm.ResponseImpl.unmarshalReturn(ResponseImpl.java:234)
       at weblogic.rmi.cluster.ClusterableRemoteRef.invoke(ClusterableRemoteRef.java:348)
       at weblogic.rmi.cluster.ClusterableRemoteRef.invoke(ClusterableRemoteRef.java:259)
       at Thor.API.Operations.tcUserOperationsIntf_e9jcxp_tcUserOperationsIntfRemoteImpl_1033_WLStub.findAllUsersx(Unknown Source)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:597)
       at weblogic.ejb.container.internal.RemoteBusinessIntfProxy.invoke(RemoteBusinessIntfProxy.java:84)
       at $Proxy2.findAllUsersx(Unknown Source)
       at Thor.API.Operations.tcUserOperationsIntfDelegate.findAllUsers(Unknown Source)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:597)
       at Thor.API.Base.SecurityInvocationHandler$1.run(SecurityInvocationHandler.java:68)
       at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
       at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
       at weblogic.security.Security.runAs(Security.java:41)
       at Thor.API.Security.LoginHandler.weblogicLoginSession.runAs(weblogicLoginSession.java:52)
       at Thor.API.Base.SecurityInvocationHandler.invoke(SecurityInvocationHandler.java:79)
       at $Proxy3.findAllUsers(Unknown Source)
       at com.netline.woz.magwit.ApiTester.main(ApiTester.java:72)
  Caused by: Thor.API.Exceptions.tcAPIException: Error occurred while finding users.
       at com.thortech.xl.ejb.beansimpl.tcUserOperationsBean.findAllUsers(tcUserOperationsBean.java:4588)
       at Thor.API.Operations.tcUserOperationsIntfEJB.findAllUsersx(Unknown Source)
       at sun.reflect.GeneratedMethodAccessor2851.invoke(Unknown Source)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:597)
       at com.bea.core.repackaged.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:310)
       at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
       at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
       at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:131)
       at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)
       at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
       at com.bea.core.repackaged.springframework.jee.spi.MethodInvocationVisitorImpl.visit(MethodInvocationVisitorImpl.java:37)
       at weblogic.ejb.container.injection.EnvironmentInterceptorCallbackImpl.callback(EnvironmentInterceptorCallbackImpl.java:54)
       at com.bea.core.repackaged.springframework.jee.spi.EnvironmentInterceptor.invoke(EnvironmentInterceptor.java:50)
       at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
       at com.bea.core.repackaged.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:89)
       at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
       at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:131)
       at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)
       at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
       at com.bea.core.repackaged.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
       at $Proxy321.findAllUsersx(Unknown Source)
       at Thor.API.Operations.tcUserOperationsIntf_e9jcxp_tcUserOperationsIntfRemoteImpl.findAllUsersx(tcUserOperationsIntf_e9jcxp_tcUserOperationsIntfRemoteImpl.java:1182)
       at Thor.API.Operations.tcUserOperationsIntf_e9jcxp_tcUserOperationsIntfRemoteImpl_WLSkel.invoke(Unknown Source)
       at weblogic.rmi.internal.BasicServerRef.invoke(BasicServerRef.java:589)
       at weblogic.rmi.cluster.ClusterableServerRef.invoke(ClusterableServerRef.java:230)
       at weblogic.rmi.internal.BasicServerRef$1.run(BasicServerRef.java:477)
       at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363)
       at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:147)
       at weblogic.rmi.internal.BasicServerRef.handleRequest(BasicServerRef.java:473)
       at weblogic.rmi.internal.wls.WLSExecuteRequest.run(WLSExecuteRequest.java:118)
       at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
       at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)*
  Any idea what's missing? I saw in diffrent threads that searching by UDF should work fine...
  Thank you,
  Magda

  Did you restart your oim server after creation of the UDF?
  Also, you can create a lookup definition of Field type. Put the database field in the field, and the Users.XXXXX in the label and then you should be able to search on the Users.XXXX after a restart.
  -Kevin

• Use OIM 11g UI directly for password resets

  1. What is the best practice in using OIM for password resets? Two options that i have usually heard of are writing a custom app or UI and use OIM APIs for password resets. The other is use OIM UI directly.
  Are there any other options.
  2. Of the two options mentioned above, are there any concerns if we want to expose the OIM UI password reset link to internet- example, post the OIM UI link across the company's website which is available to everybody?
  Regards,
  Anand

  People,
  Any help will be really appreciated. I am looking for some suggestions in this regards. Thanks
  Anand

• OIM 11g , Ignore User Creation

  Folks ,
  I am facing a issue , hoping you guys could throw some pointers ..
  I have a trusted recon set up via GTC DB connector . There is particular condition when i dont want the user to created in OIM though it will be pulled by GTC (Unfortunately i cant stop that).
  So in nutshell, i want to ignore the OIM user creation when a particular reconciled attribute lets say firstName = ABC AND user is not already present in oim, then ignore the user creation ..
  Any pointers how to achieve this ..
  Thanks
  Suren

  Thanks Raghav for your response , but how ill this work .
  So , when FirstName = ABC record will come , as per your recon rule .., it wont link to any existing user and it will land up in No Match Found status and as its trusted recon it will create the user .., which i dont want ..
  I cant delete rest of the action rules , they are required for processing the updates etc ...
  Please let me know if you need more info ..
  Thanks
  Suren

• OIM 11G : Selecting Multiple RO's in Single "Self Request Resource" Failing

  Hello Everyone,
  OIM 11G : End User "Self Request Resource" failing when user selects 2 or more resources in a Single Self Request Resource Request
  1) On OIM 11G, I have created 2 resource objects, workflow, process forms.
  2) Created the separate request dataset xml and imported into OIM repository
  3) Now if an end user creates a request , "Self Request Resource" and selects one of the resource
  4) Form defined as per request dataset shows up perfectly for the application on Resource Attributes page which comes next.
  5) Only Problem that I am seeing is when End User selects 2 resources in one single request
  Both the resource request dataset has been correctly configured because selecting only 1 works not both when both are selected in same request.
  Thanks,
  Deepak

  Hello Experts,
  on OIM 11G
  I am getting the above issue when an end user does a "self request resource" and selects 2 Resource Objects.
  On the Next Page, attribute form defined as per the request dataset.xml does not show up.
  Both the RO's are seen on top breadcrumbs but with a blank form. I can navigate to the next RO Resource Data Details again with a blank form.
  Though the attribute form as per request dataset comes up properly if I select any 1 of the 2 RO's and make "self request resource". everything goes fine.
  I have followed the documentation thoroughly to import the datasets etc and can see request dataset in MDS_PATHS table (DEV_MDS user).
  If anybody has also faced a similar issue or tested that selecting 2 RO's in 1 single "self request resource" works , pls let me know.
  Thanking in advance,
  Deepak

• Oim 11g Custom Challenge questions

  hi,
  does oim 11g allows users to setup custom challenge questions.
  Sun Idm does have this feature..
  any idea on Oracle Idm..
  thank you.

  How to add custom challenge questions in OIM 11g
  Find below link for 11gR2
  http://srini-bellamkonda.blogspot.in/2012/11/adding-custom-challenge-questions-in.html