
This article can be downloaded from http://www.ijerst.com/currentissue.php

Int. J. Engg. Res. & Sci. & Tech. 2017 Madhavi Vallabhaneni and Mohan Arava, 2017

Research Paper

SOA BASED CENTRAL IDENTITY AND ACCESS MANAGER

Madhavi Vallabhaneni (1)* and Mohan Arava (2)

1 M.Tech Student, Department of Computer Science and Engineering, Vishwa Bharathi PG College of Engineering & Management (Approved by AICTE, New Delhi, Ministry of HRD, Govt. of India), Kuppenakuntla (V), Penuballi (M), R.R. District 501503, India.

2 Assistant Professor, Department of Computer Science and Engineering, Vishwa Bharathi PG College of Engineering & Management (Approved by AICTE, New Delhi, Ministry of HRD, Govt. of India), Kuppenakuntla (V), Penuballi (M), R.R. District 501503, India.

*Corresponding Author: Madhavi Vallabhaneni [email protected]

ISSN 2319-5991, www.ijerst.com, Vol. 6, No. 1, February 2017

© 2017 IJERST. All Rights Reserved

Build a common resource identity and access management solution to grant and revoke access privileges and access rights of all resources using a single web based, loosely coupled (SOA based) system, to easily integrate with new systems and to provide a detailed dashboard of the usage of different resources and their compliance adherence.

Keywords: Identity and access management, SSO, SOA based integration, SOA work flows, Centralization of IAM

INTRODUCTION

SOA based central Identity and Access Manager provides a secure single view. The portal will allow users to have access to data from Siebel, Oracle applications, etc., along with access to product documentation. This document defines the design specification for the Au Financiers IDAM Solution and forms the basis, with SOA, from which the technology solutions are designed. The document contains a description of the features to be implemented as well as the requirements for the solution.

Through a state-of-the-art, standards-based solution, Oracle's proposed technology delivers authentication, Web single sign-on, access policy creation and enforcement, user self-registration and self-service, delegated administration, reporting, and auditing. Real-time access to identity information ensures that applications get access to changes in identity information directly from the source, avoiding the user confusion and security issues involved in synchronization delays. Required customizations will be done with SOA.

Existing System

• Everything is manually operated.

• Student admissions and their entries into the institution and into their respective departments are handled by the people in the admin section.

• Checking of persons into the examination hall is manually done.

• Staff entrance into the department and their access over any resource is not actually maintained. The same holds for the students and other staff in the college.

• The daily log of students, staff and management is maintained in manual registers which are later entered into the systems by other persons.

• Requires a lot of time and effort.

Proposed System

• Automating every operation by implementing IAM.

• Students or staff, once they join the college, will be automatically identified and their access over any resource will be pre-defined.

• Any attempt to use a resource for which the person is not authorized will be denied by checking the pre-defined access.

• Security is provided for each and every resource present in the institution.

• Notification regarding any event or information will be directed to the respective persons with reduced time and effort compared to the existing system.

• Centralised system.

TOOLS, TECHNOLOGY USED AND METHODOLOGY

Identity Management: Broad administrative area that deals with identifying individuals in a system (such as an organization, a network, or an enterprise) and controlling their access to resources within that system by associating user rights and restrictions with the established identity.

Identity Management covers the lifecycle maintenance within an organization:

• Provisioning

• Account creation

• Account updates

• Role maintenance

• Account removal

• Authentication & Authorization

• Access Control

Identity and Access Management: IAM technology is used to initiate, capture, record and manage user identities and their related access permissions in an automated fashion. This ensures that access privileges are granted according to one interpretation of policy and that all individuals and services are properly authenticated, authorized and audited.

Access Management

• Provides single sign-on to web resources

• Centralized policy based authentication and authorization

• Tracks all user authentications

• Extends access beyond organization boundaries
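The Proposed System and Access Management points above (pre-defined access per identity, denial of anything not authorized, every request tracked) as an added example; this is not code from the paper or from Oracle Access Manager. Identities, roles and the policy table are constructed in-memory data, and the account statuses mirror the lifecycle states (active, disabled, locked) that the paper's sample code manipulates.

```python
"""Central policy-based access decision with an audit trail (added example)."""
from dataclasses import dataclass, field


@dataclass
class Identity:
    login: str
    role: str
    status: str = "active"  # "active", "disabled" or "locked"


# Policy: (role, resource) -> permitted actions. Anything not listed is denied.
POLICY = {
    ("STUDENT", "exam_hall"): {"enter"},
    ("STUDENT", "library"): {"enter", "borrow"},
    ("STAFF", "exam_hall"): {"enter", "invigilate"},
    ("STAFF", "department_lab"): {"enter", "configure"},
    ("ADMIN", "iam_console"): {"create_user", "lock_user"},
}


@dataclass
class AccessManager:
    directory: dict                              # login -> Identity
    audit: list = field(default_factory=list)    # every decision, in order

    def _record(self, login, resource, action, decision, reason):
        self.audit.append({"login": login, "resource": resource,
                           "action": action, "decision": decision,
                           "reason": reason})
        return decision == "allow"

    def authorize(self, login: str, resource: str, action: str) -> bool:
        """Decide one request: default deny, and log the outcome either way."""
        ident = self.directory.get(login)
        if ident is None:
            return self._record(login, resource, action, "deny", "unknown identity")
        if ident.status != "active":
            return self._record(login, resource, action, "deny",
                                f"account {ident.status}")
        allowed = POLICY.get((ident.role, resource), set())
        if action not in allowed:
            return self._record(login, resource, action, "deny",
                                "no policy grants action")
        return self._record(login, resource, action, "allow", f"role {ident.role}")

    def denials_for(self, login: str) -> list:
        """Audit view for a dashboard: every denied request by one login."""
        return [e for e in self.audit
                if e["login"] == login and e["decision"] == "deny"]


# Constructed directory entries (not real accounts).
DIRECTORY = {
    "s1001": Identity("s1001", "STUDENT"),
    "t2001": Identity("t2001", "STAFF"),
    "t2002": Identity("t2002", "STAFF", status="locked"),
    "admin1": Identity("admin1", "ADMIN"),
}
```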

Figure 1: Systems of Record, Enterprise Directory


Provisioning

• The process of providing users with access to data and technology resources.

• The term is typically used in reference to enterprise-level resource management. Provisioning can be thought of as a combination of the duties of the human resources and IT departments in an organization, where users are given access to data repositories or granted authorization to systems, applications and databases based on a unique user identity, and users are allotted hardware resources, such as computers, mobile phones and pagers.

• The process of providing customers or clients with accounts, the appropriate access to those accounts, all the rights associated with those accounts, and all of the resources necessary to manage the accounts.

Reconciliation

• Reconciliation is the process by which operations, such as user creation, modification, or deletion, started on the target system are communicated to Oracle Identity Manager.

• The reconciliation process compares the entries in the Oracle Identity Manager repository and the target system repository, determines the difference between the two repositories, and applies the latest changes to the Oracle Identity Manager repository.

• The reconciliation process involves generation of events to be applied to Oracle Identity Manager. These events reflect atomic changes in the target system, and contain.

• The reconciliation events that are generated consequently because of changes occurring in the target system are managed by using the Event Management section in Oracle Identity System Administration, which addresses these event management needs.
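The comparison step described above, as an added example that is not code from the paper or from Oracle Identity Manager: both repositories are modelled as dicts keyed by user login, the target system is assumed to be authoritative, and the difference is expressed as atomic create, modify and delete events that are then applied to the identity manager's repository. All user data is constructed.

```python
"""Reconciliation of a target system against an identity manager repository (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ReconEvent:
    kind: str      # "create", "modify" or "delete"
    login: str
    changes: dict  # attribute -> new value; empty for a delete


def reconcile(idm_repo: dict, target_repo: dict) -> list:
    """Compare both repositories and return the events that bring the identity
    manager repository in line with the target system (target is authoritative)."""
    events = []
    for login in sorted(target_repo):
        target_attrs = target_repo[login]
        idm_attrs = idm_repo.get(login)
        if idm_attrs is None:
            events.append(ReconEvent("create", login, dict(target_attrs)))
            continue
        diff = {k: v for k, v in target_attrs.items() if idm_attrs.get(k) != v}
        if diff:
            events.append(ReconEvent("modify", login, diff))
    for login in sorted(set(idm_repo) - set(target_repo)):
        events.append(ReconEvent("delete", login, {}))
    return events


def apply_events(idm_repo: dict, events: list) -> dict:
    """Apply the events in order to a copy of the repository and return the copy."""
    repo = {login: dict(attrs) for login, attrs in idm_repo.items()}
    for ev in events:
        if ev.kind == "create":
            repo[ev.login] = dict(ev.changes)
        elif ev.kind == "modify":
            repo[ev.login].update(ev.changes)
        elif ev.kind == "delete":
            del repo[ev.login]
        else:
            raise ValueError(f"unknown event kind {ev.kind!r}")
    return repo


# Constructed sample data: the identity manager lags behind the target system,
# which has disabled one staff account, admitted one student and removed another staff member.
IDM_REPO = {
    "s1001": {"First Name": "Asha", "Role": "STUDENT", "Status": "Active"},
    "t2001": {"First Name": "Ravi", "Role": "STAFF", "Status": "Active"},
    "t2002": {"First Name": "Meena", "Role": "STAFF", "Status": "Active"},
}
TARGET_REPO = {
    "s1001": {"First Name": "Asha", "Role": "STUDENT", "Status": "Active"},
    "t2001": {"First Name": "Ravi", "Role": "STAFF", "Status": "Disabled"},
    "s1002": {"First Name": "Kiran", "Role": "STUDENT", "Status": "Active"},
}

if __name__ == "__main__":
    for ev in reconcile(IDM_REPO, TARGET_REPO):
        print(ev.kind, ev.login, ev.changes)
```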

Password Management

• Password manager software is used by individuals to organize and encrypt many personal passwords using a single login. This often involves the use of an encryption key as well. Password managers are also referred to as password wallets.

• Password synchronization software is used by organizations to arrange for different passwords, on different systems, to have the same value when they belong to the same person.

• Self-service password reset software enables users who forgot their password or triggered an intruder lockout to authenticate using another mechanism and resolve their own problem, without calling an IT help desk.

Figure 2: Provisioning and Reconciliation


SOA (Service Oriented Architecture): Automating the entire system along with its resources, handling many functions and securing the entire system; all of this makes use of many modules and policies under AM.

The entire process is managed with a centralised approach.

Integrating different applications, systems, etc., is done using APIs.

The modules that are going to be covered in this environment are:

• Integrating all systems and resourcesavailable

• User life cycle management

• Auditing.

• Provisioning

• Reconciliation

• Password management

"A service-oriented architecture is essentially a collection of services. These services communicate with each other. The communication can involve either simple data passing or it could involve two or more services coordinating some activity. Some means of connecting services to each other is needed." (http://www.service-architecture.com/web-services/articles/service oriented_architecture_soa_definition.html)

Characteristics of SOA

• Services have platform independent, self-describing interfaces (XML)

• Messages are formally defined

• Services can be discovered

• Services have quality of service characteristics defined in policies

• Services can be provided on any platform

• Distributed functionality exposed as shared, reusable services

• Goal is to streamline deployment, reduce duplication of functions, and allow execution of business processes across diverse application platforms in a network

• Tightly-bound to object representation

Figure 3: Password Management

Figure 4: Characteristics of SOA

Integration of Application

Application Integration is defined as the process of making independently designed application systems work together. Integration is generally difficult because, in every case, developers must reconcile disparate information architectures involving different data, process and object models. In addition, in most cases, developers must also make the overall solution operate across multiple operating systems, databases and middleware technologies.

OAM INTEGRATION WITH SOA

Oracle Fusion Middleware allows using different types of credential and policy stores in a WebLogic domain. Domains can use stores based on an XML file or on different types of LDAP providers. When a domain uses an LDAP store, all policy and credential data is kept and maintained in a centralized store. However, when using XML policy stores, the changes made on Managed Servers are not propagated to the Administration Server unless they use the same domain home. The Oracle Fusion Middleware SOA Suite EDG topology uses different domain homes for the Administration Server and the Managed Server, thus Oracle requires the use of an LDAP store as policy and credential store for integrity and consistency. By default Oracle WebLogic Server domains use an XML file for the policy store.

Figure 5: Admin Login Page

Figure 6: Identity Self Service Console


Figure 7: Identity Admin Service Console

Figure 8: Creation User in OIM

Figure 9: Provisioning


Figure 10: Reconcile the User in OIM

Figure 11: OAM Console

Sample Code for SOA Based Identity Management and Access Management

• Create User

• Lock User

• Unlock User

• Disable User

• Enable User

• Reset Password

package oimclient;

import java.util.HashMap;
import java.util.Hashtable;

import javax.security.auth.login.LoginException;

import oracle.iam.identity.exception.NoSuchUserException;
import oracle.iam.identity.exception.UserAlreadyExistsException;
import oracle.iam.identity.exception.UserCreateException;
import oracle.iam.identity.exception.UserDisableException;
import oracle.iam.identity.exception.UserEnableException;
import oracle.iam.identity.exception.UserLockException;
import oracle.iam.identity.exception.UserManagerException;
import oracle.iam.identity.exception.UserUnlockException;
import oracle.iam.identity.exception.ValidationFailedException;
import oracle.iam.identity.usermgmt.api.UserManager;
import oracle.iam.identity.usermgmt.vo.User;
import oracle.iam.platform.OIMClient;

public class OIM {

    UserManager userManager;

    public OIM() {
        super();
    }

    public static void main(String[] arg) {
        OIM oim = new OIM();
        oim.OIMConnection();
        oim.createUser("sachinTen");       // comment out if you are calling any other method below
        //oim.lockUser("sachinTen");       // uncomment to lock user
        //oim.unLockUser("sachinTen");     // uncomment to unlock user
        //oim.disableUser("sachinTen");    // uncomment to disable user
        //oim.enableUser("sachinTen");     // uncomment to enable user
        //oim.resetPassword("sachinTen");  // uncomment to reset password
    }

    public void OIMConnection() { // Function to connect to OIM
        Hashtable<Object, Object> env = new Hashtable<Object, Object>();
        env.put(OIMClient.JAVA_NAMING_FACTORY_INITIAL, "weblogic.jndi.WLInitialContextFactory");
        env.put(OIMClient.JAVA_NAMING_PROVIDER_URL, "t3://localhost:14000"); // Update localhost with your OIM machine IP
        // Update path of authwl.conf file according to your environment
        System.setProperty("java.security.auth.login.config",
                "D:/Oracle_New/Middleware/Oracle_IDM1/server/client/oimclient/conf/authwl.conf");
        System.setProperty("OIM.AppServerType", "wls");
        System.setProperty("APPSERVER_TYPE", "wls");
        OIMClient oimClient = new OIMClient(env);
        try {
            oimClient.login("xelsysadm", "Password".toCharArray()); // Update password of Admin with your environment password
            System.out.print("Successfully Connected with OIM ");
        } catch (LoginException e) {
            System.out.print("Login Exception" + e);
            return; // no session, so no service can be obtained; userManager stays null
        }
        userManager = oimClient.getService(UserManager.class);
    }

    public void createUser(String userId) { // Function to create User
        HashMap<String, Object> userAttributeValueMap = new HashMap<String, Object>();
        userAttributeValueMap.put("act_key", Long.valueOf(1)); // organization key the user is created under
        userAttributeValueMap.put("User Login", userId);
        userAttributeValueMap.put("First Name", "Sachin");
        userAttributeValueMap.put("Last Name", "Ten");
        userAttributeValueMap.put("Email", "[email protected]");
        userAttributeValueMap.put("usr_password", "Password123");
        userAttributeValueMap.put("Role", "OTHER");
        User user = new User("Sachin", userAttributeValueMap);
        try {
            userManager.create(user);
            System.out.println("\nUser got created....");
        } catch (ValidationFailedException e) {
            e.printStackTrace();
        } catch (UserAlreadyExistsException e) {
            e.printStackTrace();
        } catch (UserCreateException e) {
            e.printStackTrace();
        }
    }

    public void disableUser(String userId) { // Function to disable user
        try {
            userManager.disable(userId, true); // true: userId is the login, not the internal key
            System.out.print("\n Disabled user Successfully");
        } catch (ValidationFailedException e) {
            e.printStackTrace();
        } catch (UserDisableException e) {
            e.printStackTrace();
        } catch (NoSuchUserException e) {
            e.printStackTrace();
        }
    }

    public void enableUser(String userId) { // Function to enable user
        try {
            userManager.enable(userId, true);
            System.out.print("\n Enabled user Successfully");
        } catch (ValidationFailedException e) {
            e.printStackTrace();
        } catch (UserEnableException e) {
            e.printStackTrace();
        } catch (NoSuchUserException e) {
            e.printStackTrace();
        }
    }

    public void resetPassword(String userId) { // Function to reset user password
        try {
            // Random password will be set and will be sent to user mail if notifications are enabled
            userManager.resetPassword(userId, true, true);
            System.out.println("Reset Password done...");
        } catch (NoSuchUserException e) {
            e.printStackTrace();
        } catch (UserManagerException e) {
            e.printStackTrace();
        }
    }

    public void lockUser(String userId) { // Function to Lock User
        try {
            userManager.lock(userId, true, true);
            System.out.println("User locked");
        } catch (ValidationFailedException e) {
            e.printStackTrace();
        } catch (UserLockException e) {
            e.printStackTrace();
        } catch (NoSuchUserException e) {
            e.printStackTrace();
        }
    }

    public void unLockUser(String userId) { // Function to Unlock user
        try {
            userManager.unlock(userId, true);
            System.out.println("User unlocked");
        } catch (ValidationFailedException e) {
            e.printStackTrace();
        } catch (UserUnlockException e) {
            e.printStackTrace();
        } catch (NoSuchUserException e) {
            e.printStackTrace();
        }
    }
}

Uses

• Organizations have to bring together a well understood set of identity management capabilities in an organized fashion if they are to respond effectively.

• Effective control of identity management services for a SOA will require the use of policies which define the identity-specific requirements of each interaction, such as how an employee of an organization service must be authenticated or their rights to access particular information.

• SOA allows different ways to develop applications by combining services.

• The aim of SOA is to erase application boundaries and technology differences.

Disadvantages

Increased Overhead: Every time a service interacts with another service, complete validation of every input parameter takes place. This increases the response time and machine load, and thereby reduces the overall performance.

High Investment Cost: Implementation of SOA requires a large upfront investment by means of technology, development, and human resources.

Complex Service Management: The service needs to ensure that messages have been delivered in a timely manner. But as services keep exchanging messages to perform tasks, the number of these messages can go into millions even for a single application. This poses a big challenge to manage such a huge population of services.

CONCLUSION AND FUTURE ENHANCEMENT

This section provides general information about the evolution of Oracle Identity Management after the 11g R2 release. Such evolution revolves around three main axes: role management, identity as a service, and identity and access management analytics. Future releases of Oracle Identity Management will leverage its service-based architecture to enhance Oracle's overall identity and access management offering.

Oracle Identity Manager is an identity management product that automates user provisioning, identity administration, and password management, integrated in a comprehensive workflow engine.
