Friday, October 9, 2020

Sailpoint Identity IQ CertificationAutomaticClosing Rule

A common requirement is to send an expiry notification when an access review expires, i.e. when no action was taken on it. A CertificationAutomaticClosing rule can be used to send that notification; here is sample code for the rule.

  import java.util.List;
  import java.util.Map;
  import java.util.Arrays;
  import java.util.HashMap;
  import sailpoint.object.Identity;
  import sailpoint.object.EmailOptions;
  import sailpoint.object.EmailTemplate;
  import sailpoint.object.Certification;
  import org.apache.commons.logging.Log;
  import org.apache.commons.logging.LogFactory;

  // Rule arguments supplied by IdentityIQ: context (SailPointContext) and
  // certification (the access review that has just been auto-closed).
  System.out.println("Entering Certification Auto closing rule.");

  // Notify the first certifier, i.e. the access review owner.
  List certifiers = certification.getCertifiers();
  Identity certifier = null;
  if (certifiers != null && !certifiers.isEmpty()) {
    certifier = context.getObjectByName(Identity.class, certifiers.get(0).toString());
  }
  System.out.println("certifier : " + certifier);

  if (null == certifier || null == certifier.getEmail()) {
    System.out.println("No certifier with an email address for certification " + certification.getName());
    return;
  }
  List toAddresses = Arrays.asList(certifier.getEmail());
  System.out.println("toAddresses : " + toAddresses);

  String tplName = "Certification Expired Notification";
  EmailTemplate template = context.getObjectByName(EmailTemplate.class, tplName);
  if (null == template) {
    System.out.println("Could not find email template [" + tplName + "]");
    return;
  }

  // Variables exposed to the template as $certification and $ownerName.
  Map args = new HashMap();
  args.put("certification", certification);
  args.put("ownerName", certifier.getDisplayName());

  System.out.println("certification : " + certification);
  System.out.println("ownerName : " + certifier.getDisplayName());

  // Record a sign-off by spadmin so the sign-off approver rule can tell an
  // auto-closed (expired) review apart from one completed by its certifier.
  certification.addSignOffHistory((Identity) context.getObjectByName(Identity.class, "spadmin"));

  // Send notification of expiry
  EmailOptions options = new EmailOptions(toAddresses, args);
  context.sendEmailNotification(template, options);

  System.out.println("Exiting Certification Auto closing rule");
  return;

Sailpoint Identity IQ CertificationSignOffApprover Rule

A common requirement is to send a completion notification when an access review is completed. A CertificationSignOffApprover rule can be used to send that notification; here is sample code for the rule.

  import java.util.Map;
  import java.util.HashMap;
  import java.util.List;
  import java.util.Arrays;
  import java.util.Date;
  import sailpoint.object.Identity;
  import sailpoint.api.SailPointContext;
  import sailpoint.object.Certification;
  import sailpoint.object.EmailOptions;
  import sailpoint.object.EmailTemplate;
  import sailpoint.object.SignOffHistory;
  import org.apache.commons.logging.Log;
  import org.apache.commons.logging.LogFactory;

  // Rule arguments supplied by IdentityIQ: context and certification. A sign-off
  // approver rule returns the next approver Identity, or null when no further
  // approval is needed; this rule returns null and only uses the hook to send mail.
  System.out.println("Entering Certification Sign Off Rule.");

  List signOffList = certification.getSignOffHistory();
  System.out.println("signOffList : " + signOffList);

  // A sign-off by spadmin is recorded by the automatic closing rule, so such a
  // review expired rather than completed: skip the completion notification.
  if (signOffList != null) {
    for (SignOffHistory signOffHistory : signOffList) {
      if ("spadmin".equalsIgnoreCase(signOffHistory.getSignerName())) {
        System.out.println("signOffHistory.getSignerName() : " + signOffHistory.getSignerName());
        return null;
      }
    }
  }

  Date activationDate = certification.getActivated();
  System.out.println("activationDate : " + activationDate);

  if (activationDate != null) {

    // Notify the first certifier, i.e. the access review owner.
    List certifiers = certification.getCertifiers();
    Identity certifier = null;
    if (certifiers != null && !certifiers.isEmpty()) {
      certifier = context.getObjectByName(Identity.class, certifiers.get(0).toString());
    }
    System.out.println("certifier : " + certifier);

    if (null == certifier || null == certifier.getEmail()) {
      System.out.println("No certifier with an email address for certification " + certification.getName());
      return null;
    }
    List toAddresses = Arrays.asList(certifier.getEmail());

    String tplName = "Certification Completion Notification";
    EmailTemplate template = context.getObjectByName(EmailTemplate.class, tplName);
    if (null == template) {
      System.out.println("Could not find email template [" + tplName + "]");
      return null;
    }

    // Variables exposed to the template as $certification and $ownerName.
    Map args = new HashMap();
    args.put("certification", certification);
    args.put("ownerName", certifier.getDisplayName());

    // Send notification of completion
    EmailOptions options = new EmailOptions(toAddresses, args);
    context.sendEmailNotification(template, options);
  }
  System.out.println("Exiting Certification Sign Off Rule");

  return null;

Monday, September 14, 2020

Test AD authentication via PowerShell

Test password

Sometimes it is useful to test Active Directory credentials to validate a login or a password, in many scenarios, when testing identity and access management use cases: for example after the bulk creation or update of users, after a password reset, and in many other situations.

The most commonly used methods are connecting to a remote desktop (RDP) or connecting to a webmail. However, either the number of logins to be tested is too large, or no such service is accessible to test an authentication against.

PowerShell to the rescue

# Placeholder credentials for the demo; in practice prompt for them rather than
# keeping a password in the script.
$UserName = 'vkejriwal'
$Password = 'yyyyyyyy'

Function Test-ADAuthentication {
    param(
        $username,
        $password)

    # Bind to the current domain with the supplied credentials. The bind only
    # happens when a property is read, so reading .name forces it; a failed
    # bind returns no name, so the comparison evaluates to $false.
    (New-Object DirectoryServices.DirectoryEntry "",$username,$password).psbase.name -ne $null
}

Test-ADAuthentication -username $UserName -password $Password

The return values are:
  • TRUE if authentication is successful
  • FALSE if authentication failed. The reason can be:
    • bad login
    • bad password
    • locked-out AD account: Get-ADUser -Identity xxx -Properties LockedOut,AccountLockoutTime | Select samaccountname,LockedOut,AccountLockoutTime
    • disabled AD account: Get-ADUser -Identity xxxx | Select samaccountname,Enabled
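As an added example that is not from the original post, here is a hardened variant of the function above: it takes a PSCredential (so no password sits in a script variable), forces the bind explicitly, and on failure runs the Get-ADUser lookups listed above to report whether the account is locked out or disabled. It assumes the ActiveDirectory RSAT module is installed; the function name Test-ADCredential and the Reason values are my own.

```powershell
# Added example (not code from the original post): takes a PSCredential instead of a
# plain-text password, forces the bind explicitly, and on failure looks up the account
# with Get-ADUser (ActiveDirectory module assumed present) to tell a wrong password
# apart from a locked-out or disabled account.
function Test-ADCredential {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [System.Management.Automation.PSCredential]$Credential
    )

    $userName = $Credential.UserName
    # The SecureString is unwrapped only to construct the bind and cleared straight after.
    $plain = $Credential.GetNetworkCredential().Password
    $entry = New-Object System.DirectoryServices.DirectoryEntry("", $userName, $plain)
    $plain = $null
    try {
        $entry.RefreshCache()          # method call: a failed bind throws here
        $ok = $true
    } catch {
        $ok = $false
    } finally {
        $entry.Dispose()
    }

    $reason = 'OK'
    if (-not $ok) {
        $reason = 'BadCredentials'
        # Reduce DOMAIN\user or user@domain to the sAMAccountName for the lookup.
        $sam = (($userName -split '\\')[-1]) -replace '@.*$', ''
        try {
            $u = Get-ADUser -Identity $sam -Properties LockedOut, Enabled -ErrorAction Stop
            if ($u.LockedOut)        { $reason = 'LockedOut' }
            elseif (-not $u.Enabled) { $reason = 'Disabled' }
        } catch {
            $reason = 'UserNotFound'
        }
    }

    [pscustomobject]@{
        UserName      = $userName
        Authenticated = $ok
        Reason        = $reason
    }
}

# Prompt for the credential instead of keeping a password in the script.
Test-ADCredential -Credential (Get-Credential)
```

Each failed bind counts against the account's lockout threshold, so a bulk test can itself lock accounts out; the Reason field lets a caller stop retrying as soon as an account reports LockedOut.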

Thursday, August 20, 2020

Sailpoint IdentityIQ Export Object using Sailpoint API

All SailPoint IdentityIQ objects can also be exported using the API; here is example code that exports all the Bundle objects present in the instance.

Generally we use the console to export SailPoint IdentityIQ objects:

checkout <class name> <object name or ID> <file> [-clean [=id,created…]]

The same thing can be done using the API; below is the sample source code.

import java.util.ArrayList;
import java.util.List;

import sailpoint.api.SailPointContext;
import sailpoint.api.SailPointFactory;
import sailpoint.object.Bundle;
import sailpoint.server.Exporter.Cleaner;
import sailpoint.tools.GeneralException;
import sailpoint.tools.Util;

public class ExportBusinessRoles {

  public static void main(String[] args) {
    SailPointContext context = null;
    try {
      // Requires a started IdentityIQ environment (Spring beans up), as in a
      // console session; createContext() then hands back a context.
      context = SailPointFactory.createContext();
      exportBusinessRoles(context);
    } catch (GeneralException e) {
      e.printStackTrace();
    } finally {
      if (context != null) {
        try {
          SailPointFactory.releaseContext(context);
        } catch (GeneralException e) {
          e.printStackTrace();
        }
      }
    }
  }

  // Writes every Bundle of type "business" to C:\Temp\<name>.xml, the same result
  // as the console "checkout Bundle <name> <file> -clean=id,created,modified".
  static void exportBusinessRoles(SailPointContext context) throws GeneralException {
    // Strip environment-specific properties so the XML imports cleanly elsewhere.
    List<String> propertiesToClean = new ArrayList<String>();
    propertiesToClean.add("id");
    propertiesToClean.add("created");
    propertiesToClean.add("modified");
    Cleaner cleaner = new Cleaner(propertiesToClean);

    List<Bundle> roles = context.getObjects(Bundle.class);
    System.out.println(roles);
    for (Bundle bun : roles) {
      try {
        if (null != bun.getType() && bun.getType().equalsIgnoreCase("business")) {
          //new ExportVisitor(context).visit(bun);
          String xml = bun.toXml();
          System.out.println("raw xml" + xml);
          xml = cleaner.clean(xml);
          System.out.println("clean xml" + xml);
          Util.writeFile("C://Temp//" + bun.getName() + ".xml", xml);
        }
      } catch (GeneralException e) {
        // Keep going with the remaining roles if one fails to serialize.
        e.printStackTrace();
      }
    }
  }
}



Saturday, August 15, 2020

Sailpoint IdentityIQ Patching from 7.3p2 to 7.3p3

All application server instances must be stopped before starting the process.

Navigate to /apps/tomcat/bin and run:

./shutdown.sh

Database backup

Once the application is in maintenance mode (MM), a database backup should be taken.

File backup

The SailPoint binaries need to be backed up before patching the system; this file backup step must be performed on every application server node.

1. Navigate to /apps/tomcat/webapps/

2. Run the command below (the archive name carries the node and the current patch level):

tar -zcvf identityiq_node1_7.3p2.tar.gz identityiq/

3. Move the tar file to a common backup path, e.g. /apps/backup

Build War File

Use SSB (the Services Standard Build) to build the war file; a few important things to note here:

  1. Read the README from the patch war file.
  2. Check what the patch contains, basically the files modified as part of the patch, and compare them against anything you have modified yourself.
  3. For example, we have modified Bundle.js, so here we need to take the patch's version of the file and re-apply / overwrite our changes on it.
  4. This patch contains a few changes related to AD: for example, a few entries related to performance have been introduced in the application XML, and IIQ TLS connectivity has been introduced. Make sure you have updated the Application XML accordingly.
  5. Other changes related to the Active Directory application are the addition of the "ldapExtendedControls" and "ADAppVersion" entries. Check the other applications in your environment the same way and make the changes accordingly.
  6. A few changes related to the most common applications are listed below.
  7. Copy the patch jar file into the base\patch directory of SSB.
  8. Make a directory named 7.3p3 inside base\efix.
  9. Update the build.properties values to IIQVersion=7.3 and IIQPatchLevel=p3.
Active Directory Application

<entry key="ADAppVersion" value="V2"/>
<entry key="ldapExtendedControls">
  <value>
    <List>
      <String>1.2.840.113556.1.4.1339</String>
    </List>
  </value>
</entry>

Delimited Application

<entry key="sftpAuthMethod" value="password"/>

Web Service Application

Support <AUTHENTICATE>
<entry key="isGetObjectRequiredForPTA">
  <value>
    <Boolean>true</Boolean>
  </value>
</entry>
<entry key="httpCookieSpecsStandard" value="true" />
<entry key="encrypted" value="accesstoken,refresh_token,oauth_token_info,client_secret,private_key,private_key_password,clientCertificate,clientKeySpec,resourceOwnerPassword" />


Database patching

Copy the created war file into the identityiq directory and, inside the identityiq directory, extract it:

jar xvf identityiq.war

Navigate to \WEB-INF\database, check the file name and run the upgrade script for your database type, upgrade_identityiq_tables-7.3p3.oracle here, against the database.

Sailpoint patching

Navigate to the \WEB-INF\bin folder and run the iiq patch command to update IIQ.

IQ service update

Uninstall the IQService and install it again, following the steps