Friday, June 24, 2011

Creating Custom Attributes in 11g

Creating Custom Attributes for User Profile
============================================
Step-1:
=======
* Do not use the GUI form designer for user attributes; use the web UI path below instead.
* Browser -> OIM Login -> Advanced -> User Configuration
* Left Panel -> Actions -> User Attributes
* Right Panel -> "Custom Attributes" Category Name -> Create Attribute Button

Step-2: Create Authorization Policy
=======
* Browser -> OIM Login -> Administration -> Create Authorization Policy
* Policy Name = test; Entity Name = User Management -> Next
* Permissions : Check "Enable All Permissions" checkbox at top -> Next
* Data Constraints : All Users -> Next
* Assignment: Click on the Add command button -> a new search box is displayed -> without entering any data, click Search -> a list is displayed; select all of its entries
* Save it.

Related Bugs:
OTN-1

Creating Custom Attributes for Roles, Organizations, etc
=========================================================
* All customizations happen through GUI
* Choose Administration -> User Defined Fields.
* There will be 4 tables, one for Organizations, one for Roles, etc.
* Add Attributes, Add Properties
* Save
* Check these new things in Web UI.
The Developer Guide chapter referenced below gives a complete example for all of these entities except users.

Developer Guide - Chapter : 13.3 User Defined Field Definition Form Page 303 of 802

Thursday, June 23, 2011

Installation of DBAT connector for target provisioning

Step-1 : Copy files to ConnectorDefaultDirectory
=======
* ade:[ labburi_dmuBug12682244 ] [labburi@adc2171727 ConnectorDefaultDirectory]$ pwd
/scratch/labburi/view_storage/labburi_dmuBug12682244/oracle/work/OIM/ConnectorDefaultDirectory
* ade:[ labburi_dmuBug12682244 ] [labburi@adc2171727 ConnectorDefaultDirectory]$ cp -R /work/labburi/installables/connectors/DBAT91050/Database_App_Tables_9.1.0.5.0 ./

Step-2: Install Connector
=======
* Browser -> OIM Login --> Advanced Tab --> Install Connector
* Screen-1:
- Select DBAT connector
- Click on Load
- Click on Continue

* Screen-2:
- Click Install. The following message is displayed:
DatabaseApplicationTables 9.1.0.5.0 Installation Status : Successful
Configuration of Connector Libraries
Import of Connector XML Files (Using Deployment Manager)
Compilation of Adapter Definitions
Perform the following steps before you start using this connector.
1. Go to Resource Management >> Create IT Resource and create an IT resource for this connector.
2. Go to Advanced >> System Management >> Search Scheduled Job and configure the following scheduled Jobs that are already created for this connector.

* Do not follow these two post-install steps; they are not required here:
1. Go to Resource Management >> Create IT Resource and create an IT resource for this connector.
2. Go to Advanced >> System Management >> Search Scheduled Job and configure the following scheduled Jobs that are already created for this connector.
The IT resource is created automatically when you configure the GTC in Step-3.


Step-3: Configure GTC
=======
* Browser -> OIM Login --> Advanced Tab --> Create Generic Connector

* Screen-1:
- Provide name - DBAT91050
- Select the Provisioning checkbox (this test case needs it)
- Deselect the Reconciliation checkbox
- Transport Provider : DBAT Provisioning
- Format Provider : DBAT Provisioning

* Screen-2: Specify Parameter Values (this works for DB XE 10g too)
- DB Driver : oracle.jdbc.driver.OracleDriver
- DB URL : jdbc:oracle:thin:@10.133.169.36:1521:xe
- DB User ID : SYSTEM
- DB Password : ********
- Parent Table / View Name : oim_target
- Leave all other fields unchanged and click Continue

* Screen-3: Map Data as needed.

Step-4: Verify
=======
* Verify through the web UI that the IT resource for DBAT was created automatically.
* Verify through the GUI that a new provisioning process was created automatically by Steps 2 and 3.

Step-5: Test
=======
* Create a test user
* Provision DBAT91050
* Using SQL Developer, connect to target system and verify that oim_target table is populated with test user data from OIM

References:
===========
DBApplicationTables_guide

OIM 11g / 9x: DB Table Description

To get some documentation on OIM Tables, try the following:
-----------------------------------------------------------
- Connect to OIM DB using Oracle SQL Developer.
- Left Panel -> List of Tables -> Click on table name. You will see table information on Right Panel
- Right Panel -> Detail Tab -> Look for Comments Field at the end. It has some documentation.

****************
Tables Analysis
****************

* SDC - User Defined Fields in User Form, etc...
- Used by interface - getFormFeildsData() to get user defined attributes.
Sample Query
------------
SELECT sdc.sdc_key, sdc.sdk_key, sdc_name, sdc_variant_type, sdc_sql_length, sdc_label,
       sdc_field_type, SDC_DEFAULT_VALUE, sdc_order, sdc_profile_enabled, sdc_encrypted,
       sdc_rowver, sdc_version,
       sdpv.sdp_property_value   AS Editable,
       sdpr.sdp_property_value   AS Optional,
       sdpv.sdp_property_value   AS Visible,
       sdplkv.sdp_property_value AS LookupCode
  FROM sdk, sdc
       LEFT OUTER JOIN sdp_visible_v    sdpv   ON sdc.sdc_key = sdpv.sdc_key
       LEFT OUTER JOIN sdp_required_v   sdpr   ON sdc.sdc_key = sdpr.sdc_key
       LEFT OUTER JOIN sdp_lookupcode_v sdplkv ON sdc.sdc_key = sdplkv.sdc_key
 WHERE sdc.sdk_key = sdk.sdk_key
   AND (sdc.sdc_default IS NULL OR sdc.sdc_default = '0')
   AND sdc.sdc_version = 0
   AND sdk.sdk_key = 3
 ORDER BY sdc_order ASC, sdc.sdc_key ASC;

Sample Result
--------------
155 3 USR_UDF_OBGUID String 300 ObjectGUID TextField 1 0 0000000000000001 0 false false
561 3 USR_UDF_MYCUSTATTR1BN String 25 MyCustAttr1 TextField CustAttr1DefValue 2 0 0000000000000000 0
562 3 USR_UDF_MYCUSTAATR2BN String 25 MyCustAttr2 TextField CustAttr2DefVal 3 0 0000000000000000 0

* ORC: Order Content Item Table
- Used by ScheduledTask to run a set of ordered events.

* SCH - Scheduled Item Table
- Used by tcScheduledTask to run scheduled Tasks.

* MIL : Tasks in Processes
- Contains all tasks from all processes.

* GCD : Generic Connector definitions Table.
- When you do "Install Connector" + "Create Generic Connector" in the 11g UI, everything you enter to create the connector (format provider, data mapping between source and target, etc.) is assembled into an XML document and stored in the GCD_XML column of the GCD table.
- During provisioning, a scheduled task invokes the Generic Connector package's transform operation in OIM, which transforms the user record from the USR table into the target system's record using the connector definition held in GCD_XML.

* PTY - Property definition
- Properties Table
- Metadata for the System Properties defined in OIM. The product reads these to set status and similar values according to the OIM configuration.
Sample Data
------------
70 XL.GTCAutoImport true GTC Auto Import 1 S 2 01-APR-11 1 01-APR-11 1 0000000000000000
71 XL.PagingSystemDefaultMaxRecords 1000 Paging System Default Max Records 1 S 2 01-APR-11 1 01-APR-11 1 0000000000000000
72 XL.SoDCheckRequired FALSE XL.SoDCheckRequired 1 S 2 01-APR-11 1 01-APR-11 1 000000000000
57 XL.RequestRaisedByYou.DayLimit 30 Property to indicate day limit set for Request raised by you 1 S 2 31-MAR-11 1 31-MAR-11 1 0000000000000000
58 XL.RequestRaisedForYou.DayLimit 30 Property to indicate day limit set for Request raised for you 1 S 2 31-MAR-11 1 31-MAR-11 1 0000000000000000

**************************************************
User Tables
**************************************************
* USR : All user information - very important table.
* UPH: User Policy Profile History Table

**************************************************
Resource Objects
**************************************************
Just like we have a class definition and a class instance in Java, we have Resource Object Definition and Resource Object Instance.
* OBJ : Resource Object Definition
- Defines structure of an object
Sample Data
------------
21 21 U Generic 1 1 Laptopres 0 1 1 0 0 0 05-APR-11 1 05-APR-11 1 0000000000000003 0 0
83 86 U Generic 1 1 Stapler 0 1 1 0 0 1 29-APR-11 1 29-APR-11 1 0000000000000001 0 0

* OBI : Resource Object Instance
- Entry for a resource object instantiated at run time.
- Very important as Provisioning operates on tcOBI to complete Provisioning.
Sample Data
------------
466 126 131 Data Received 1 27-JUN-11 1 27-JUN-11 1 0000000000000000

* RIU : Request Users Resolved Object Instances
- When you revoke a resource object from a user's resources, OIM records the revoke request information in this table.
- Table Fields
RIU_KEY NUMBER, REQ_KEY NUMBER, OBJ_KEY NUMBER, USR_KEY NUMBER,
OIU_KEY NUMBER, OBI_KEY NUMBER, RIU_COMPLETED, RIU_DATA_LEVEL, RIU_CREATE,
RIU_CREATEBY, RIU_UPDATE, RIU_UPDATEBY, RIU_NOTE, RIU_ROWVER
Sample Query Result
====================
1 110 125 182 235 444 1 27-JUN-11 1 27-JUN-11 1 0000000000000001
2 110 126 182 236 445 0 27-JUN-11 1 27-JUN-11 1 0000000000000000
3 111 125 183 237 448 1 27-JUN-11 1 27-JUN-11 1 0000000000000001

* OST : OBJECT STATUS INFORMATION.
- Contains users, resource objects and all objects
Sample Query Result
====================
268 110 Revoked 0 20-JUN-11 1 20-JUN-11 1 0000000000000000
269 110 Provisioned 1 20-JUN-11 1 20-JUN-11 1 0000000000000000
270 110 Provide Information 0 20-JUN-11 1 20-JUN-11 1 0000000000000000


**************************************************
Request Object Tables
**************************************************
* RQH - Request History Table
Sample Query Result
====================
66 41 1 Object Approval Complete 14-APR-11 1 14-APR-11 1 0000000000000000
67 41 61 181 Approved 14-APR-11 1 14-APR-11 1 0000000000000000
68 42 1 Request Initialized 14-APR-11 62 14-APR-11 62 0000000000000000
69 42 61 182 Awaiting Data 14-APR-11 62 14-APR-11 62 0000000000000000
70 42 61 182 Data Received 14-APR-11 62 14-APR-11 62 0000000000000000

* RQO - ? TODO
Sample Query Result
====================




**************************************************************************
SAMPLE QUERIES
***************************************************************************

* select ost.ost_key, ost_status from ost ost, obj obj where obj.obj_key=ost.obj_key and obj.obj_name='Request';

* select ost.ost_key, ost_status from ost ost, rqo rqo where ost.obj_key=rqo.obj_key and rqo.req_key=130;

* select * from OST where OST_STATUS='Object Approval Complete';

* select osi.orc_key, osi.mil_key, osi.sch_key, osi_rowver, sch_rowver, osi_retry_for, sch_offlined from osi osi, sch sch where osi.sch_key=sch.sch_key and sch.sch_key=1091;

* select mil_name from osi osi,sch sch,pkg pkg,tos tos,mil mil where osi.sch_key = sch.sch_key and osi.pkg_key=pkg.pkg_key and pkg.pkg_key = tos.pkg_key and tos.tos_key = mil.tos_key and pkg_type='Approval' and mil_name in('Awaiting Object Data','Awaiting Approval Data') and osi.mil_key = mil.mil_key and osi.sch_key=1091;

* select * from act act where act_name='Requests';

* select obi.obi_key, obi.obj_key, obi_status, obi_rowver, rqo_rowver, obd.obd_parent_key from rqo rqo, obi obi left outer join obd obd on obd.obd_child_key=obi.obj_key where rqo.obi_key = obi.obi_key and rqo.req_key=131 order by obd.obd_parent_key desc;

* select act_key from act act where act_name='Requests';

* select obj_autolaunch from obj where obj_key = 126;

* select pty_value from pty where pty_keyword='XL.RequestCompleteStatus';

* select orc.orc_key, orc.orc_status, oiu.oiu_key, riu.riu_key from orc orc, oiu oiu, riu riu where orc.orc_key=oiu.orc_key and riu.oiu_key=oiu.oiu_key and riu.req_key=131 and riu.obj_key=125;

* select riu.oiu_key, oiu.oiu_rowver from riu riu, oiu oiu where riu.oiu_key=oiu.oiu_key and riu.req_key=131 and riu.obj_key=125;


Table Updates
--------------
update RIU set RIU_COMPLETED=0 where riu_key=2;

OIM 9x : Useful DB Queries for Debugging OIM

1. Get the resource objects to operate on for a user. This happens during access policy evaluation when the user is being created.
- Post event during the user creation process.
Query
-----
select obj.obj_key, obj.obj_name, obj.obj_allow_multiple, obj.obj_allowall, pop.pop_denial, pop.pop_revoke_object from pop pop, obj obj where pop.pol_key = 41 and pop.obj_key = obj.obj_key;
Results
--------
108 RO_A 1 1 0 0
109 RO_B 1 1 0 1
110 RO_C 1 1 0 1

2. List of provisioned objects for a user
Query
-----
select * from oiu oiu, obj obj, obi obi, ost ost where oiu.obi_key = obi.obi_key and obi.obj_key = obj.obj_key and oiu.usr_key = 161 and oiu.ost_key = ost.ost_key and ost.ost_status != 'Revoked';
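The OBJ / OBI / OIU / OST relationship described under "Resource Objects" above, and the "provisioned objects for a user" join of query 2, as an added example that is not part of the original notes: a miniature copy of those four tables is built in an in-memory SQLite database so the join can be run offline. Table and column names follow the notes; the rows and key values are constructed sample data, not rows from a real OIM schema, and the column lists are reduced to what the queries touch.

```python
"""Added example: OIM OBJ/OBI/OIU/OST model in SQLite (constructed sample data)."""
import sqlite3

# Reduced copies of the OIM tables; only the columns the queries use are kept.
SCHEMA = """
-- OBJ: resource object definition (the "class")
CREATE TABLE obj (obj_key INTEGER PRIMARY KEY, obj_name TEXT, obj_allow_multiple INTEGER);
-- OST: object status values; each status row belongs to one resource object
CREATE TABLE ost (ost_key INTEGER PRIMARY KEY, obj_key INTEGER, ost_status TEXT);
-- OBI: resource object instance created at run time (the "instance")
CREATE TABLE obi (obi_key INTEGER PRIMARY KEY, obj_key INTEGER, obi_status TEXT);
-- OIU: links a user to an object instance and records its current status
CREATE TABLE oiu (oiu_key INTEGER PRIMARY KEY, usr_key INTEGER, obi_key INTEGER, ost_key INTEGER);
"""

# Constructed sample rows (key values are illustrative only).
SAMPLE_ROWS = {
    "obj": [(125, "RO_A", 1), (126, "RO_B", 1), (110, "Laptop", 1)],
    "ost": [(268, 110, "Revoked"), (269, 110, "Provisioned"), (270, 110, "Provide Information"),
            (300, 125, "Provisioned"), (301, 125, "Revoked"), (310, 126, "Provisioned")],
    "obi": [(444, 125, "Provisioned"), (445, 126, "Provisioned"), (466, 110, "Provisioned")],
    # user 161 holds RO_A, RO_B and a Laptop whose status is Revoked; user 162 holds RO_A
    "oiu": [(235, 161, 444, 300), (236, 161, 445, 310), (237, 161, 466, 268), (238, 162, 444, 300)],
}

# Query 2 from the notes, parameterised on the user key.
PROVISIONED_QUERY = """
SELECT obj.obj_key, obj.obj_name, ost.ost_status
  FROM oiu oiu, obj obj, obi obi, ost ost
 WHERE oiu.obi_key = obi.obi_key
   AND obi.obj_key = obj.obj_key
   AND oiu.usr_key = ?
   AND oiu.ost_key = ost.ost_key
   AND ost.ost_status != 'Revoked'
 ORDER BY obj.obj_key
"""

# The OST-by-object-name query from the sample queries, parameterised on obj_name.
STATUS_QUERY = """
SELECT ost.ost_key, ost.ost_status
  FROM ost ost, obj obj
 WHERE obj.obj_key = ost.obj_key AND obj.obj_name = ?
 ORDER BY ost.ost_key
"""


def build_db():
    """Create the in-memory database and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in SAMPLE_ROWS.items():
        placeholders = ",".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({placeholders})", rows)
    return conn


def provisioned_objects(conn, usr_key):
    """Resource objects the user currently holds, excluding Revoked ones."""
    return conn.execute(PROVISIONED_QUERY, (usr_key,)).fetchall()


def object_statuses(conn, obj_name):
    """All status values defined for one resource object."""
    return conn.execute(STATUS_QUERY, (obj_name,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    print(provisioned_objects(db, 161))   # RO_A and RO_B; the revoked Laptop is filtered out
    print(object_statuses(db, "Laptop"))
```

The revoked Laptop instance of user 161 is present in OIU but filtered out by the OST join, which is the point of the `ost_status != 'Revoked'` predicate in query 2: OIU keeps historical rows, so a query that lists what a user holds must always go through OST.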

3. Get a particular task from a provisioning process
Query
------
select mil_key, mil_name, mil_sequence, mil_day, mil_hour, mil_minute,mil_create_multiple, mil_cancel_while_pending, mil_comp_on_rec, mil_required_complete, mil_retry_period, mil_retry_count, evt_key, mil_default_assignee, mil_assign_to_manager from mil where mil_key=373;
Results
-------
373 Enable User 0 1 1 0 0 1

Wednesday, June 22, 2011

OIM 9x : Membership auto-assign

1. Go to Design Console GUI --> Resource Management --> Rule Designer,
Create a new rule as -
* GroupMemMiddleName : Rule Type - "General" : Rule Sub Type - Empty : Rule Operator - "AND"
* Save it.
* Add a new "Rule Element" - "Middle Name == Roger"
* Save it.

2. Go to Browser UI --> Manage User Groups --> "Test Group" --> Membership Rules
Assign this new rule to the group.

Now if a new user with middle name Roger is created, he will be member of this "Test Group" automatically.

Adding tasks to a Provisioning Process

Create User : "Required for Completion" : tcCompleteTask : C-Completed-Provisioned : None for "Task Effect"

Delete User : "Conditional" : tcCompleteTask : C-Completed-Revoked : None for "Task Effect"

Enable User : "Conditional" : tcCompleteTask : C-Completed-Revoked : "Enable Process or Access to Application" for "Task Effect"

Disable User: "Conditional" : tcCompleteTask : C-Completed-Revoked : "Disable Process or Access to Application" for "Task Effect"

* With the above tasks in a provisioning process, when you enable a user, the Enable User task in the provisioning process will kick in. It is triggered not because of the task name but because of the Task Effect configured above.

* Likewise, when you disable a user, the Disable User task in the provisioning process will kick in, again because of its Task Effect and not its name.

========================================
How to define reserved names for tasks?
========================================
* In Design Console GUI --> Administration --> Lookup Definition, Type *trigger* in "Code" text box --> Click Lookup in toolbar menu.
* In Lookup Definition Table --> Select "Lookup.USR_PROCESS_TRIGGERS"
You will get a "Code Key" - "Decode" table

In this table, task names are defined for a particular operation. For example: "USR_FIRST_NAME" - "Change First Name".
So if you define a task named "Change First Name" in a provisioning process, OIM triggers that task whenever the "First Name" field of a user profile is modified.

You can extend this table for new tasks if needed.

=================
Test Case to try:
==================
Define a provisioning process for resource object Laptop. Add a new task

Create User : "Required for Completion" : tcCompleteTask : C-Completed-Provisioned : None for "Task Effect"

1. Try provisioning the resource object Laptop to test user tu1. Provisioning will happen.
2. Disable the user. You will see that OIM reports that there is no task for Disable.

======
Notes
======
* OIM operates task-based. If a task "Disable User" with the Task Effect described above exists in 10 provisioning processes and user tu1 is disabled, then the tasks in all 10 provisioning processes will be triggered.
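The two dispatch rules described in this post (attribute changes routed by task name through Lookup.USR_PROCESS_TRIGGERS, enable/disable routed by Task Effect) as an added example that models them in code; this is not OIM's own code. The USR_FIRST_NAME entry is the one quoted above; the USR_LAST_NAME entry, the process names and their task lists are constructed samples.

```python
"""Added example: which provisioning-process tasks fire for a user event (model, not OIM code)."""

# Lookup.USR_PROCESS_TRIGGERS: code key -> decode (task name).
# USR_FIRST_NAME is from the post; USR_LAST_NAME is a constructed sample entry.
USR_PROCESS_TRIGGERS = {
    "USR_FIRST_NAME": "Change First Name",
    "USR_LAST_NAME": "Change Last Name",
}

ENABLE_EFFECT = "Enable Process or Access to Application"
DISABLE_EFFECT = "Disable Process or Access to Application"

# Constructed sample processes: process name -> {task name: Task Effect or None}.
PROCESSES = {
    "DBAT91050 Provisioning": {
        "Create User": None,
        "Delete User": None,
        "Enable User": ENABLE_EFFECT,
        "Disable User": DISABLE_EFFECT,
        "Change First Name": None,          # fires on a USR_FIRST_NAME change
    },
    "Stapler Provisioning": {
        "Create User": None,
        "Disable Account": DISABLE_EFFECT,  # the effect matters, the name does not
        "Disable User": None,               # name only, no effect: never fired on disable
    },
    "Laptop Provisioning": {
        "Create User": None,                # the test case above: no disable task at all
    },
}


def tasks_for_user_event(event, processes=PROCESSES, triggers=USR_PROCESS_TRIGGERS):
    """Return the (process, task) pairs fired by one user event.

    event is ("enable",), ("disable",) or ("modify", "<USR_ column>").
    """
    kind = event[0]
    fired = []
    if kind in ("enable", "disable"):
        wanted = ENABLE_EFFECT if kind == "enable" else DISABLE_EFFECT
        # Every process is consulted: a task with the matching effect fires in each one.
        for proc, tasks in processes.items():
            fired.extend((proc, task) for task, effect in tasks.items() if effect == wanted)
    elif kind == "modify":
        task_name = triggers.get(event[1])  # columns not in the lookup trigger nothing
        if task_name is not None:
            for proc, tasks in processes.items():
                if task_name in tasks:      # exact task-name match, as the lookup defines it
                    fired.append((proc, task_name))
    else:
        raise ValueError(f"unknown event kind {kind!r}")
    return fired


if __name__ == "__main__":
    for ev in [("disable",), ("enable",), ("modify", "USR_FIRST_NAME"), ("modify", "USR_UDF_OBGUID")]:
        print(ev, "->", tasks_for_user_event(ev))
```

Disabling the user fires "Disable User" in the DBAT process and "Disable Account" in the Stapler process, but not the Stapler process's "Disable User" task (no Task Effect) and nothing in the Laptop process, which is the behaviour the test case above reports.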

Wednesday, June 15, 2011

Designing Shuttle boxes in ADF UI

Code Example: GoogleCodeLink

PanelStretchLayout Geometry - Link

Some discussion:
1. OTN-Thread1
2. OTN-Thread2
3. OTN-Thread3

ADF Documentation
1. ADF Overview
2. JDEV Overview

Monday, June 13, 2011

Creating new sample ADF tab in OIM 11g

Oracle Deployment doc: OracleDocLink

Step-1 : Copy src code of new tab
======
ade:[ lakshman_IAM0612 ] [lakshman@parrot lib]$ pwd
ade:[ lakshman_IAM0612 ] [lakshman@parrot lib]$ /scratch/lakshman/view_storage/lakshman_IAM0612/tklocal/oimDeployments/oim.ear/iam-consoles-faces.war/WEB-INF/lib/.
ade:[ lakshman_IAM0612 ] [lakshman@parrot lib]$ cp /work/lakshman/bugs/tabBug/cuFiles/CustomTabApp/deploy/adflibCustomTabs1.jar .

Step-2: No need to do any change in Self.jspx
=======


Step-3 : Make changes to faces-config-self.xml
======

ade:[ lakshman_IAM0612 ] [lakshman@parrot oim.ear]$ diff ./iam-consoles-faces.war/WEB-INF/faces-config-self.xml /work/lakshman/bugs/tabBug/myChanges/faces-config-self.xml
235a236,250
>
> customPage
> oracle.iam.consoles.faces.backing.Self$OperationAction
> application
>
> id
> java.lang.String
> customization_page
>

>
> pageUrl
> java.lang.String
> /examples/MyProfile.jspx
>

>

258a274,277
>
> #{customPage.id}
> #{customPage}
>
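Review bot: same extraction loss in this hunk; the two expressions `#{customPage.id}` and `#{customPage}` arrive without their enclosing element names, so which property or map entry they populate cannot be verified from the hunk alone. Check the pairing against the source file before copying it over the deployed faces-config-self.xml.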



ade:[ lakshman_IAM0612 ] [lakshman@parrot oim.ear]$ cp /work/lakshman/bugs/tabBug/myChanges/faces-config-self.xml ./iam-consoles-faces.war/WEB-INF/faces-config-self.xml


Step-4: Copy Self.properties
=======
* cp iam-consoles-faces.jar /work/lakshman/bugs/tabBug/myChanges/
* cd /work/lakshman/bugs/tabBug/myChanges/
* mkdir dir_iam-consoles-faces.jar
* mv iam-consoles-faces.jar ./dir_iam-consoles-faces.jar/
* cd ./dir_iam-consoles-faces.jar/
* jar -xvf iam-consoles-faces.jar
* rm iam-consoles-faces.jar
* cp ../Self.properties ./oracle/iam/consoles/faces/resources/Self.properties
* cd /work/lakshman/bugs/tabBug/myChanges/dir_iam-consoles-faces.jar
* jar -cvf ../iam-consoles-faces.jar ./*
* jar -tvf /work/lakshman/bugs/tabBug/myChanges/iam-consoles-faces.jar - Check if there is anything wrong.
* cd /scratch/lakshman/view_storage/lakshman_IAM0612/tklocal/oimDeployments/oim.ear/iam-consoles-faces.war/WEB-INF/lib
* cp /work/lakshman/bugs/tabBug/myChanges/iam-consoles-faces.jar ./
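Step-4 repackages iam-consoles-faces.jar by hand and then says to check with `jar -tvf` "if there is anything wrong". As an added example that is not part of the original post, the following does the same replacement of a single entry with Python's zipfile module and makes the check concrete: it compares entry CRCs before and after, so the only difference reported should be Self.properties. The jar built by `build_sample_jar` is a constructed stand-in with a few entries, not the real iam-consoles-faces.jar; the entry path is the one from the post.

```python
"""Added example: replace one entry in a jar and verify nothing else changed (constructed sample jar)."""
import io
import zipfile

SELF_PROPERTIES = "oracle/iam/consoles/faces/resources/Self.properties"


def replace_entry(jar_bytes, entry_name, new_content):
    """Return a new jar (bytes) in which entry_name carries new_content (bytes).

    Every other entry is copied unchanged; the entry must already exist, so a
    typo in the path fails loudly instead of silently adding a second file.
    """
    src = zipfile.ZipFile(io.BytesIO(jar_bytes))
    if entry_name not in src.namelist():
        raise KeyError(f"{entry_name} is not in the jar")
    out_buf = io.BytesIO()
    with zipfile.ZipFile(out_buf, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = new_content if info.filename == entry_name else src.read(info)
            dst.writestr(info.filename, data)
    return out_buf.getvalue()


def diff_entries(old_bytes, new_bytes):
    """Names of entries whose CRC differs, or that exist only on one side."""
    old = {i.filename: i.CRC for i in zipfile.ZipFile(io.BytesIO(old_bytes)).infolist()}
    new = {i.filename: i.CRC for i in zipfile.ZipFile(io.BytesIO(new_bytes)).infolist()}
    return sorted(name for name in old.keys() | new.keys() if old.get(name) != new.get(name))


def read_entry(jar_bytes, entry_name):
    """Uncompressed content of one entry."""
    return zipfile.ZipFile(io.BytesIO(jar_bytes)).read(entry_name)


def build_sample_jar():
    """Constructed stand-in for iam-consoles-faces.jar with three entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr(SELF_PROPERTIES, "tab.label=Self\n")
        z.writestr("oracle/iam/consoles/faces/backing/Self.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    original = build_sample_jar()
    rebuilt = replace_entry(original, SELF_PROPERTIES, b"tab.label=My Profile\n")
    print("changed entries:", diff_entries(original, rebuilt))   # only Self.properties
```

On the real deployment, read the jar from oim.ear/iam-consoles-faces.war/WEB-INF/lib, run `diff_entries` between the original and the rebuilt file, and expect exactly one name back; any extra entry (a stray `jar -cvf ../iam-consoles-faces.jar ./*` pick-up of the old jar, for instance) shows up in that list before the file is copied into the deployment.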

Step-5: Restart wls server
=======

Step-6: Make changes and re-test
=======
When a user first accesses the Self Service console with the custom ADF tab, MyProfile.jspx is copied into iam-consoles-faces.war. This copy must be deleted whenever changes to the source file are redeployed.
Delete: oim.ear/iam-consoles-faces.war/examples/MyProfile.jspx
Note: this file only exists after a user has accessed the Self Service console.

********
Notes:
********
* Use latest JDev 11g for ADF development.
* Mapping between MyProfile.jspx and CustomUserProfile.java (bean class with business logic) is provided in faces-config.xml. You have managed bean name, class etc... here
* In MyProfile.jspx, all business logic is referenced as beanName.member. Example (ADF Faces tags, with the angle brackets that the page extraction dropped restored):
<af:inputText label="#{customtabsBundle.EMAIL}"
              value="#{profile.userprofile.email}" id="abc"/>

<af:commandButton text="#{customtabsBundle.APPLY}"
                  actionListener="#{profile.updateAction}"
                  id="xyz"/>
where profile is the managed bean name and userprofile is a data member of that bean class.

Wednesday, March 30, 2011

oamcfgtool commands

----- Create -------

[root@adc2171727 oracle.oamprovider_11.1.1]# /work/installations/oracle/middleware/jrockit_160_22_D1.1.1-3/bin/java -jar oamcfgtool.jar mode=CREATE app_domain="domain1" cookie_domain=".us.oracle.com" protected_uris="/em,/console" app_agent_password="welcome1" ldap_host="parrot.us.oracle.com" ldap_port=5389 ldap_userdn="cn=Directory Manager" ldap_userpassword=password ldap_base="dc=us,dc=oracle,dc=com" oam_aaa_host=parrot.us.oracle.com oam_aaa_port=6522
Mar 30, 2011 1:26:39 AM oracle.security.oam.oamcfg.OAMCfgGlobalConfigHandler constructGlobalConfig
INFO: Processed input parameters
Mar 30, 2011 1:26:40 AM oracle.security.oam.oamcfg.OAMCfgGlobalConfigHandler constructGlobalConfig
INFO: Initialized Global Configuration
Mar 30, 2011 1:26:49 AM oracle.security.oam.oamcfg.create.impl.OAMCfgConfigCreator doCreate
INFO: Successfully completed the Create operation.
Mar 30, 2011 1:26:49 AM oracle.security.oam.oamcfg.create.impl.OAMCfgConfigCreator doCreate
INFO: Operation Summary:
Mar 30, 2011 1:26:49 AM oracle.security.oam.oamcfg.create.impl.OAMCfgConfigCreator doCreate
INFO: Policy Domain : domain1
Mar 30, 2011 1:26:49 AM oracle.security.oam.oamcfg.create.impl.OAMCfgConfigCreator doCreate
INFO: Host Identifier: domain1
Mar 30, 2011 1:26:49 AM oracle.security.oam.oamcfg.create.impl.OAMCfgConfigCreator doCreate
INFO: Access Gate ID : domain1_AG
[root@adc2171727 oracle.oamprovider_11.1.1]#

----- Delete -------

[root@adc2171727 oracle.oamprovider_11.1.1]# /work/installations/oracle/middleware/jrockit_160_22_D1.1.1-3/bin/java -jar oamcfgtool.jar mode=DELETE authn_schemes="OraDefaultI18NFormAuthNScheme" ldap_base="dc=us,dc=oracle,dc=com" ldap_host=parrot.us.oracle.com ldap_port=5389 ldap_userdn="cn=Directory Manager" ldap_userpassword=password oam_aaa_host=parrot.us.oracle.com oam_aaa_port=6522
Mar 30, 2011 1:55:31 AM oracle.security.oam.oamcfg.OAMCfgGlobalConfigHandler processOAMCfgParams
INFO:
This operation would delete the parameters specified and cannot be undone...
If needed, type 'No' and refer help (java -jar jar -help)
Enter Yes to continue deletion and No to exit
Yes
Mar 30, 2011 1:55:35 AM oracle.security.oam.oamcfg.OAMCfgGlobalConfigHandler constructGlobalConfig
INFO: Processed input parameters
Mar 30, 2011 1:55:35 AM oracle.security.oam.oamcfg.OAMCfgGlobalConfigHandler constructGlobalConfig
INFO: Initialized Global Configuration
Mar 30, 2011 1:55:35 AM oracle.security.oam.oamcfg.delete.impl.OAMCfgConfigDeleter doDelete
INFO: Successfully completed the Delete operation.
[root@adc2171727 oracle.oamprovider_11.1.1]#

Friday, February 18, 2011

Configuring Password Policy in Oracle Access Manager (Formerly Oblix NetPoint)

Configuring OAM (Access and Identity System) to use a password policy is not obvious: no single document or post describes all the required steps in one place, hence this write-up.

=======
Step-1: Import ldifs to DS configured against OAM.
=======

* Create an ldif file lpm.ldif with the following schema change (for LPM functionality):
---------------------
dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 1.3.6.1.4.1.9999.1.1094.204 NAME 'myChallenge' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 1.3.6.1.4.1.9999.1.1094.205 NAME 'myResponse' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )

dn: cn=schema
changetype: modify
add: objectclasses
objectclasses: ( 1.3.6.1.4.1.9999.1.1094.206 NAME 'oblixAuxPerson4LPM' DESC 'User defined objectclass' SUP top AUXILIARY MAY ( myChallenge $ myResponse ) )
---------------------

Import the above lpm.ldif into the DS containing user data.

* Create ldif file pwd.ldif with the following data entry.
Note: the schema change for this class was already made as part of the Oblix schema change during setup.
---------------------
dn:obclass=oblixPersonPwdPolicy,o=Oblix,dc=red,dc=iplanet,dc=com
objectclass: top
objectclass: OblixClass
obready: true
obclasstype: personClass
obclass: oblixPersonPwdPolicy
obclasskind: Auxiliary
obver: 10.1.4.0
----------------------

Import the above pwd.ldif into the DS containing the Oblix tree.

=======
Step-2: Configure oblixAuxPerson4LPM in Identity Console (for LPM functionality)
=======
a) go to Identity System Console --> Common Configuration --> Object Classes
* Add auxiliary class oblixauxperson4lpm.
Object Class - oblixauxperson4lpm
Class Attribute - No Class Attribute is specified.
Class Type - Person
Class Kind - Auxiliary

b) go to Identity System Console --> User Manager Configuration --> Tabs --> Employees
* Modify Employees tab to associate auxiliary class oblixauxperson4lpm.

c) go to Identity System Console --> User Manager Configuration --> Tabs --> Employees --> View Object Profile --> Configure Panels
* Configure your default panel or lpm panel to add myChallenge and myResponse attributes to user profile depending upon your customization.

d) go to User Manager --> Configuration --> Attribute Access Control
* Set attribute access to myChallenge and myResponse as desired.

=======
Step-3: Configure oblixPersonPwdPolicy in Identity Console
=======
a) go to Identity System Console --> User Manager Configuration --> Tabs --> Employees
* Modify Employees tab to associate auxiliary class oblixPersonPwdPolicy

=======
Step-4: Setup Password Policy
=======
a) go to Identity System Console --> System Configuration --> Password Policy --> Add
* Create a new password policy as you need.

My test password policy looks like -
Password Policy Name : testpwdpolicy
Password Policy Domain : dc=red,dc=iplanet,dc=com
Password policy filter : Did not specify
Lost Password Policy Name : Did not specify
Password Minimum Length : 3 characters
Minimum Number of Uppercase Characters : 0 characters
Minimum Number of Lowercase Characters : 0 characters
Minimum Number of Nonalphanumeric Characters : 0 characters
Minimum Number of Numeric Characters : 0 characters
Externally specified validation rules : Did not check
Password Validity Period : 4 days
Password Expiry Notice Period : 3 days
Mode of Conveying the Expiry Notice : At Login
Password minimum age : Did not specify
Change on Reset : Enable
Password History : No Password History
Number of login tries allowed : 3
Lockout Duration : 1 Hours
Login tries reset : 2 days
Lost Password Redirect Stylesheet : Defaults
Password Change Redirect Stylesheet : Defaults
Password Expiry Warning Redirect URL : Defaults
Custom Account Lockout Redirect URL : Defaults
Password Policy Enable : Enable

b) Create default URLs for redirects

My test configuration looks like -
Lost Password Redirect URL : http://parrot.red.iplanet.com:8080/identity/oblix/apps/lost_pwd_mgmt/bin/lost_pwd_mgmt.cgi?program=passwordChallengeResponse&login=%userid%&backURL=%HostTarget%%RESOURCE%&target=top
Password Change Redirect URL : http://parrot.red.iplanet.com:8080/identity/oblix/apps/lost_pwd_mgmt/bin/lost_pwd_mgmt.cgi?program=redirectforchangepwd&login=%userid%&backURL=%HostTarget%%RESOURCE%&target=top
Password Expiry Warning Redirect URL : http://parrot.red.iplanet.com:8080/sample/passwordexpiry.html
Custom Account Lockout Redirect URL : http://parrot.red.iplanet.com:8080/sample/accountlockout.html

Log Authentication attempts:
Successful Attempts Attribute : Enable
Failed Attempts Attribute : Enable
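The test policy listed above describes rules (minimum length, number of login tries, lockout duration, login tries reset, validity and expiry notice periods) without showing how they interact. The following is an added example, not OAM's code, that implements those rules as written so the interactions can be exercised offline: three failures lock the account for an hour, a correct password during the lockout is still refused, and the failure counter restarts after the reset window. Times are plain seconds rather than dates so the demo needs no clock; reading "Login tries reset: 2 days" as the window after which the failure counter starts over is this example's assumption, not a statement from the post.

```python
"""Added example: enforcement of the test password policy above (model, not OAM code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

HOUR = 3600
DAY = 24 * HOUR


@dataclass
class PasswordPolicy:
    # Composition rules; defaults are the values of the test policy above.
    min_length: int = 3
    min_upper: int = 0
    min_lower: int = 0
    min_nonalnum: int = 0
    min_numeric: int = 0
    # Lifetime rules (seconds)
    validity_period: int = 4 * DAY
    expiry_notice_period: int = 3 * DAY
    # Lockout rules
    login_tries_allowed: int = 3
    lockout_duration: int = 1 * HOUR
    login_tries_reset: int = 2 * DAY     # assumption: window after which failures are forgotten


def validate_password(password: str, policy: PasswordPolicy) -> List[str]:
    """Return the composition rules a candidate password breaks (empty list = acceptable)."""
    counts = {
        "uppercase": sum(c.isupper() for c in password),
        "lowercase": sum(c.islower() for c in password),
        "nonalphanumeric": sum(not c.isalnum() for c in password),
        "numeric": sum(c.isdigit() for c in password),
    }
    minimums = {
        "uppercase": policy.min_upper,
        "lowercase": policy.min_lower,
        "nonalphanumeric": policy.min_nonalnum,
        "numeric": policy.min_numeric,
    }
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    for kind, needed in minimums.items():
        if counts[kind] < needed:
            problems.append(f"fewer than {needed} {kind} characters")
    return problems


@dataclass
class AccountState:
    """The lockout-related state the post says ends up on the user entry."""
    failed_attempts: int = 0
    first_failure_at: Optional[int] = None
    locked_until: Optional[int] = None


def record_login(state: AccountState, policy: PasswordPolicy, success: bool, now: int) -> str:
    """Apply one login attempt and return 'ok', 'failed' or 'locked'."""
    if state.locked_until is not None and now < state.locked_until:
        return "locked"                      # a correct password is refused while locked
    if success:
        state.failed_attempts = 0
        state.first_failure_at = None
        state.locked_until = None
        return "ok"
    # Failure: open a new counting window if the old one has aged past the reset period.
    if state.first_failure_at is None or now - state.first_failure_at > policy.login_tries_reset:
        state.failed_attempts = 0
        state.first_failure_at = now
    state.failed_attempts += 1
    if state.failed_attempts >= policy.login_tries_allowed:
        state.locked_until = now + policy.lockout_duration
        state.failed_attempts = 0
        state.first_failure_at = None
        return "locked"
    return "failed"


def simulate_logins(policy: PasswordPolicy, attempts: List[Tuple[int, bool]]) -> List[str]:
    """Run a sequence of (time, success) attempts against a fresh account."""
    state = AccountState()
    return [record_login(state, policy, ok, t) for t, ok in attempts]


def expiry_status(policy: PasswordPolicy, password_set_at: int, now: int) -> str:
    """'expired', 'notice' (inside the expiry notice period) or 'ok'."""
    expires_at = password_set_at + policy.validity_period
    if now >= expires_at:
        return "expired"
    if now >= expires_at - policy.expiry_notice_period:
        return "notice"
    return "ok"


if __name__ == "__main__":
    policy = PasswordPolicy()
    print(simulate_logins(policy, [(0, False), (60, False), (120, False), (1800, True), (3721, True)]))
    print(expiry_status(policy, 0, DAY + 1))   # 4-day validity, 3-day notice: warned from day 1
```

With the test policy's 4-day validity and 3-day notice period the user is warned for three of the four days, which is worth noticing when choosing those two values for a real policy.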

=======
Step-5: Enabling access system to use password policy.
=======
By default the Access Server does not use the password policy defined through the Identity System. The oblixPersonPwdPolicy configuration in Step-3 was needed for this; in addition, do the following:
a) go to Access System Console --> Access System Configuration --> Authentication Management --> Basic Over LDAP --> Plugins --> validate_password
* Modify it as:
obCredentialPassword="password",obReadPasswdMode="LDAP",obWritePasswdMode="LDAP"

Note: Make sure there is no typo in the above value. Copy and paste this text into your text editor and check that there are no special characters or typos. I had to debug for a long time because of a special character in this (copy-paste error).

=======
Step-6: Configure LPM policy
=======
a) go to Identity System Console --> System Configuration --> Lost Password Policy --> Add
* Create a new password policy as you need.
* Link it with Password Policy setup in Step-4 if you need

=======
Step-7: Restart Identity and Access System
=======

=======
Step-8: Test
=======
* To test the redirect URLs defined in the password policy, you need to access a resource protected by the Access System. If you test your password policy by accessing the Identity or Access Console, you will not be redirected.

a) Access a protected resource
http://parrot.red.iplanet.com:8080/sample/test.html

Try an authentication failure, then open an LDAP browser on the data store. You will see that the user entry is updated with lockout and password related information. This means the Access System is applying the password policy. Now test as you wish.

Monday, January 10, 2011

OpenSSO book by QA Manager

An ex-Sun QA manager wrote this OpenSSO book by compiling the documentation available in the OpenSSO product docs:
http://indirat.wordpress.com