Wednesday, December 29, 2010

Peoplesoft Connectors for Oracle Identity Manager – Part II


This article continues Part I of the article with the same title. If you haven't read it, I recommend having a glance at it before reading this one (though I will try to recap some of the concepts). You can find Part I here.

When you start talking about automating user provisioning operations in an enterprise, Oracle Identity Manager is a wonderful product that comes to mind. There are other similar products; you can find the complete offerings through the Gartner Magic Quadrant link below. Even if you are not planning to deploy Oracle Identity Manager, it is useful to understand a little about this product. There is some learning to do.

According to the Magic Quadrant for Provisioning for the year 2010 (from Gartner), Oracle's Identity and Access Management products are the market leader in terms of product offerings and service. You may want to have a look at this report, Magic Quadrant for Provisioning, on Gartner's website. There are other vendors in the Leaders quadrant: IBM Tivoli, CA, Novell and Courion. I think you should read this article once.

One finding: OIM 9.1.0.2 BP 10 was used for this report. However, Oracle Identity Manager 11g was released in Q3 2010 (at the same time the report was published). It looks like we need to wait a few more months to see how OIM 11g does on user provisioning.
Let's talk more about my favorite: Oracle Identity Manager (IDM).

Common Operations with Oracle Identity Manager (IDM)

At a high level, Oracle Identity Manager (IDM) performs tasks related to reconciliation and user provisioning. Let's talk a little more about these individual operations and what they can do.
All of the Oracle documentation about IDM talks predominantly about three operations. They are:
  • Trusted Source Reconciliation
  • Target Reconciliation
  • Provisioning
A clear understanding of these three operations is necessary to understand the IDM product. I want to make sure you are clear about these concepts before I complicate things further, so be patient and try to understand this terminology first.

Trusted Source Reconciliation

In the Trusted Source Reconciliation, another Source System in an enterprise (for example, a Peoplesoft HRMS System) acts as a Trusted Source for user information. IDM connects to this Trusted Source and gets the user information through its scheduled Tasks. These scheduled Tasks can be run in IDM System to contact the Trusted Source. All the users that were created, modified or deleted are reconciled into the IDM System.

Since the IDM System treats another system as a trusted source for user information, this type of setup is called Trusted Source Reconciliation.

For example, a Peoplesoft HRMS System is fed by the HR Department in an enterprise. In this case, we can configure Peoplesoft HRMS System as a trusted source for IDM System. IDM System connects to this Peoplesoft System by Scheduled Tasks, and performs Trusted Source Reconciliation (which copies changed user information from the Peoplesoft System to IDM System).

Provisioning

In the provisioning configuration, the IDM System is considered the central repository for user information. The IDM System is also configured to connect to target systems and copy user information from the IDM System to the target system. This is called Provisioning.

For example, an IDM System can be configured to populate user information for the first time in Active Directory, Sun Java System Directory and Oracle Internet Directory. Going forward, whenever a user is created, modified or deleted in the IDM System, we can configure the provisioning operation to perform the same operation in Active Directory, Sun Java System Directory and Oracle Internet Directory.

Target Resource Reconciliation

Using Target Resource Reconciliation, we can achieve partial reconciliation with a target system. For example, we can treat a Microsoft Exchange system as the source for the "email" attribute, and then configure IDM to copy each user's email data from Exchange to the IDM System.

IDM integration with Peoplesoft Applications

An IDM System needs to be integrated with various systems in the enterprise for identity administration purposes. We can do a lot of things through an IDM System, such as automatic user account creation, password changes across various target systems, etc. So what options do we have to integrate an IDM System with the various Peoplesoft applications that handle users' identities across an enterprise?
Here are the options:
  • Connectors (three types: Pre-defined, GTC and Custom)
  • SPML Web Service

We will talk about these integration options in the next article.
OK, I think I have explained a few things about IDM. Let's talk more about how we can integrate with Peoplesoft systems in the next post.

Tuesday, December 21, 2010

PeopleSoft Upgrade to 9.1 - Part 1

Are you planning to upgrade to PeopleSoft 9.1 from your current version? Are you the person heading or managing the PeopleSoft space, with no involvement in any previous PeopleSoft upgrade, and looking for information on where to start? I believe you may have many questions about a PeopleSoft upgrade, such as how much time it would take, how much it would cost, what resources are needed, and so on. Well, before you start your upgrade project, you would need to work on the following items:

Upgrades to PeopleSoft Enterprise software require planning, resources, development, testing, and training. The first step is planning, and if you have never been on an upgrade project or know little about upgrades, planning requires complete knowledge of the PeopleSoft upgrade. If you are in that situation, this series of upgrade posts should help you get started and prepare for the project:

You need to visit the Oracle Support site and look up a certain document ID to learn about the new release. Oracle calls such documents Upgrade Home Pages.
For example, if you are planning an HRMS 8.9 to 9.1 upgrade, you should visit the document titled PeopleSoft HRMS 8.9 to 9.1 Upgrade Home Page. There you will find information about the certified upgrade path, upgrade documentation, demo-to-demo compare results, upgrade templates and, more importantly, "Updates and Fixes Required at Upgrade".

PeopleSoft Enterprise HRMS 8.8x to 9.1 Upgrade Home Page

PeopleSoft Enterprise HRMS 8.9 to 9.1 Upgrade Home Page

PeopleSoft Enterprise HRMS 9.0 to 9.1 Upgrade Home Page

PeopleSoft Enterprise Financials/Supply Chain Management 9.0 to 9.1 Upgrade Home Page

PeopleSoft Enterprise Financials/Supply Chain Management 8.9 to 9.1 Upgrade Home Page

PeopleSoft Enterprise Portal Solutions 8.9 to 9.1 Upgrade Home Page

PeopleSoft Enterprise Portal Solutions 9.0 to 9.1 Upgrade Home Page

PeopleSoft Enterprise CRM 8.9 to 9.1 Upgrade Home Page

PeopleSoft Enterprise CRM 9.0 to 9.1 Upgrade Home Page

Enterprise PeopleTools 8.50 Hardware and Software Requirements

PeopleSoft Enterprise HRMS 9.1 Hardware and Software Requirements

The main task when visiting the Upgrade Home Page is to collect information and download the documents. You would also download the release notes for the application version as well as the PeopleTools version. If you are jumping several releases, make sure you download the release notes for each one. For example, if you are upgrading from 8.9 to 9.1, you must download the 9.0 and 9.1 release notes. At the technology level, your new PeopleTools release notes should suffice, but other downloads may also be required.

If your upgrade involves two steps (a double upgrade) because there is no supported direct path, for example your current release is 8.3 and you are planning to go to 9.1, you typically follow the upgrade paths: first 8.3 to 8.9, and then 8.9 to 9.1. In this case, you will need to visit two upgrade home pages, one for 8.9 and then one for 9.1, and also download the release notes.

Another question you may have is: who should be involved in the upgrade process? Do you have the bandwidth in your current team to get it done? Is it wise to hand the upgrade project entirely to a third-party vendor who has done 9.1 upgrades in the past, or to the Oracle Upgrade Lab? Or should it be a mix, that is, some of the current team members plus some individual PeopleSoft upgrade consultants, who are called Upgrade Specialists? Whichever method you opt for, you would need to take care of your budget, user training, a smooth upgrade cutover, and support.

Introduction to LDAP Search Filters


LDAP Search Filters

I thought of writing more about LDAP search filters, with a few examples. The main purpose of learning this is to investigate LDAP server related problems. It will be useful if you are planning to integrate an LDAP server with a Peoplesoft application. The list of LDAP search filters here is not complete, but it will give you a quick intro to the topic.

Peoplesoft and LDAP Servers

LDAP stands for Lightweight Directory Access Protocol. RFC 4511 defines the latest LDAP Version 3 specification. This is a Proposed LDAP Standard.
Peoplesoft supports integration with LDAP servers, either for Single Sign On or for deploying an Enterprise Directory. The following LDAP directory servers are generally integrated with Peoplesoft applications:
  • Sun Java Directory Server (previously iPlanet Directory Server)
  • Novell's eDirectory
  • Microsoft's Active Directory
Most of the examples below use Oracle Internet Directory as the LDAP server. However, if you understand general LDAP directory server concepts, the search filter concepts will work with the majority of LDAP directory servers.

LDAP Search Operation

An LDAP search operation can be done in many ways. One way of querying an LDAP server is the ldapsearch utility. The examples below assume you are running this utility in a Unix/Linux environment.
Similar to the ldapsearch utility, you can also use the ldifde utility to query entries from Active Directory.
If you don't like using a command line utility for LDAP queries, you can use any of the LDAP browsers. There are a few tools available, such as JXplorer or Softerra LDAP Browser (you can choose the one you like). Most LDAP browsers support LDAP search filters. You just need to know some basics of LDAP and of search filters to use them.

The ldapsearch Utility

The ldapsearch utility is used for querying the LDAP server. It works as long as the target system adheres to the LDAP specification. This utility is to an LDAP server what the sqlplus tool is to an Oracle Database. However, the ldapsearch utility is command line based, rather than giving you an interface like sqlplus.
Basic usage of the ldapsearch command:
ldapsearch  [options]  filter  [attributes...]
As you can see above, filter is a mandatory argument for ldapsearch.
Here is an example of using the ldapsearch utility:
ldapsearch -h 192.168.1.11 -p 389 -D "CN=testuser,CN=Users,DC=tserver,DC=com" -w "mypassword" -b "" -s base "(objectclass=*)" defaultnamingcontext
Result:
defaultNamingContext=DC=tserver,DC=com
This example returns the default naming context for the LDAP server. In the example above, "(objectclass=*)" is an LDAP search filter. Here are the other options we used:
-h -> Hostname or IP address of the LDAP directory server.
-p -> Port number for the LDAP directory; the default LDAP port is 389, and the LDAPS (SSL) port is 636.
-D -> Bind DN: the LDAP DN used to connect to the LDAP directory (the login user for querying purposes).
-w -> Password for the login user given with the -D option. A password typed on the command line is saved in the shell history and can be visible to other local users in the process list.
-b -> Base DN for the search; here the query starts from the top level of the directory structure.
-s base -> Search scope; here it is "base" (other possible values are sub and one).
In the above example, we are printing the value of the defaultnamingcontext attribute. If this attribute is omitted from the query, all attributes of this entry are printed with their values.

Search filters

The latest RFC 4515 provides a specification for LDAP search filters. Let's explore a few more examples of using search filters.
To write useful filters, you should understand how your LDAP schema is defined.

Search filter for querying a particular user ID (prints the dn):

ldapsearch -h 192.168.1.11 -p 389 -D "CN=testuser,CN=Users,DC=tserver,DC=com" -w "mypassword" -b "" -s sub "(uid=U10023456)" dn

Search for a particular first name and last name, using the AND filter:

ldapsearch -h 192.168.1.11 -p 389 -D "CN=testuser,CN=Users,DC=tserver,DC=com" -w "mypassword" -b "" -s sub "(&(givenname=Vijay)(sn=Chinnasamy))" dn

Search for a pattern or substring (first name starts with Vij), using wildcard characters for pattern matching:

ldapsearch -h 192.168.1.11 -p 389 -D "CN=testuser,CN=Users,DC=tserver,DC=com" -w "mypassword" -b "" -s sub "(givenname=Vij*)" dn

Search for first name NOT Vijay, using the NOT filter:

ldapsearch -h 192.168.1.11 -p 389 -D "CN=testuser,CN=Users,DC=tserver,DC=com" -w "mypassword" -b "" -s sub "(!(givenname=Vijay))" dn
Note that the queries above start from the root context, that is, the top of the LDAP directory. If you know the base location, you should pass it with the "-b" option of the ldapsearch utility.
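
RFC 4515 also requires the characters *, (, ) and \ (and NUL) to be escaped as \XX hex pairs when they occur inside a filter value, which matters as soon as a filter is built from a user ID or name that a script or application receives as input. The following is an added example, not part of the original post: it builds the four filters shown above with escaped values, and the function names are hypothetical.

```python
import re

# Characters RFC 4515 requires to be escaped inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
# Conservative attribute-name check: a letter, then letters, digits or hyphens.
_ATTR_RE = re.compile(r"[A-Za-z][A-Za-z0-9-]*")


def escape_value(value):
    """Replace filter metacharacters in a value with \\XX hex escapes."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def _attr(name):
    """Reject attribute names that could alter the filter structure."""
    if not _ATTR_RE.fullmatch(name):
        raise ValueError("invalid attribute name: %r" % name)
    return name


def equals(attr, value):
    """Exact match, e.g. (uid=U10023456)."""
    return "(%s=%s)" % (_attr(attr), escape_value(value))


def starts_with(attr, prefix):
    """Prefix match; the trailing * is the only wildcard left unescaped."""
    return "(%s=%s*)" % (_attr(attr), escape_value(prefix))


def all_of(*filters):
    """AND of already-built filters, e.g. (&(givenname=..)(sn=..))."""
    return "(&%s)" % "".join(filters)


def negate(flt):
    """NOT of an already-built filter, e.g. (!(givenname=..))."""
    return "(!%s)" % flt


if __name__ == "__main__":
    print(equals("uid", "U10023456"))
    print(all_of(equals("givenname", "Vijay"), equals("sn", "Chinnasamy")))
    print(starts_with("givenname", "Vij"))
    print(negate(equals("givenname", "Vijay")))
    # Constructed value with metacharacters: they are matched literally.
    print(equals("cn", "Smith (Contractor)*"))
```

The resulting string is passed to ldapsearch as the single quoted filter argument, exactly where the hand-written filters appear in the commands above.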