Tivoli Identity Manager (ITIM) is a robust identity provisioning engine with an array of adapters for different kinds of resources and a good deal of room for customisation.

The core Application Programming Interfaces (APIs) of ITIM also allow external programs to interact with it. However, this brings a dependency: the application needs a Java Authentication and Authorisation Service (JAAS) module to communicate with ITIM, plus version-specific jar files that must be replaced whenever WebSphere or ITIM is updated. When the ITIM WebService is exposed instead, any external client can send SOAP messages to ITIM and make use of some of its core provisioning capabilities. That exposure cuts both ways: anyone who can reach the endpoint and holds valid ITIM credentials can drive provisioning, so the endpoint should be served over HTTPS, reachable only from the hosts that need it, and used with a dedicated ITIM account that has the least access the client needs rather than the itim manager account used in the test code below. To construct Java clients, one needs to incorporate some of the libraries provided with the ITIM WebService package. In this article we will emphasise how to create Java clients, because of my personal familiarity with the language; however, anyone familiar with web service architecture and development can use another programming language to make use of the publicly exposed services.

Architecture

ITIM WebService is a J2EE application that can optionally be deployed in the WebSphere Application Server that hosts ITIM. Deploying this application automatically publishes the WSDL, which can be fetched and used to generate clients. There are different services for different provisioning tasks in ITIM; we will take a brief look at each of them in a later section. The following image is a simplified version of the WebService architecture of ITIM.

Contents of the WebService Wrapper

The ITIM WebService suite consists of:

  • ITIM Web Service web application
  • ITIM WebService client
  • ITIM client utilities (some utility classes)

Documents describing the WebService classes, methods, requests and responses


Functionalities

There are several web service functionalities for using the core data services of ITIM. The following are some of the services and classes available with the Java wrapper of the web services:

  • WSSessionService: provides authentication, session creation and password-challenge authentication methods
  • WSAccessService: performs access-related operations such as creating or modifying an access, or defining a group or role as an access
  • WSAccountService: provides basic account operations on a given service and also helps retrieve account information
  • WSPersonService: provides basic person-related operations such as creating, modifying, de-provisioning or suspending a person
  • WSOrganizationalContainerService: creates, retrieves and traverses the organisation tree in ITIM
  • WSProvisioningPolicyService: manages provisioning policies
  • WSItimService: a proxy web service that combines the other services and can be used in their place
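As an added example (not code from the original article or from the ITIM WebService package), the following client shows how WSSessionService is used in a client that is not a throwaway test: the endpoint and user id come from the environment, the password is read from the console rather than stored in the source, plain HTTP is refused because the SOAP login carries the password in clear text, and the session is released in a finally block. The environment variable names are assumptions, and the logout(WSSession) method on WSSessionService is assumed to exist in the client jar, since it is not shown on this page.

```java
package com.ibm.itim.ws.test;

import java.io.Console;

import com.ibm.itim.ws.exceptions.WSInvalidLoginException;
import com.ibm.itim.ws.model.WSPerson;
import com.ibm.itim.ws.model.WSSession;
import com.ibm.itim.ws.services.WSItimService;
import com.ibm.itim.ws.services.WSSessionService;
import com.ibm.itim.ws.services.facade.ITIMWebServiceFactory;

public class SessionHelper {

    /** Reads a required setting from the environment, failing loudly if it is absent. */
    static String required(String name) {
        String value = System.getenv(name);
        if (value == null || value.trim().isEmpty()) {
            throw new IllegalStateException("Missing environment variable " + name);
        }
        return value;
    }

    /** Rejects any endpoint that would send the login password over plain HTTP. */
    static String requireHttps(String url) {
        if (!url.toLowerCase().startsWith("https://")) {
            throw new IllegalArgumentException("ITIM endpoint must use https://, got " + url);
        }
        return url;
    }

    public static void main(String[] args) throws Exception {
        // Assumed variable names: ITIM_WS_URL, ITIM_WS_USER (and ITIM_WS_PASSWORD as a
        // fallback when no console is attached, e.g. under a scheduler).
        String serverAddress = requireHttps(required("ITIM_WS_URL"));
        String userid = required("ITIM_WS_USER");

        // Prefer an interactive prompt: a password on the command line shows up in
        // process listings and shell history.
        Console console = System.console();
        String password = (console != null)
            ? new String(console.readPassword("Password for %s: ", userid))
            : required("ITIM_WS_PASSWORD");

        ITIMWebServiceFactory factory = new ITIMWebServiceFactory(serverAddress);
        WSSessionService sessionService = factory.getWSSessionService();
        WSItimService itimService = factory.getWSItimService();

        WSSession session = null;
        try {
            session = sessionService.login(userid, password);
            WSPerson me = itimService.getPrincipalPerson(session);
            System.out.println("Logged in as " + me.getName()
                + " on ITIM " + sessionService.getItimVersion());
            // ... provisioning calls go here ...
        } catch (WSInvalidLoginException e) {
            // Report the failure without echoing the credentials or a full stack trace.
            System.err.println("Login rejected for user " + userid);
        } finally {
            // Assumption: logout(WSSession) invalidates the server-side session so a
            // leaked session handle cannot be replayed after the client exits.
            if (session != null) {
                sessionService.logout(session);
            }
        }
    }
}
```

The same pattern (environment for non-secrets, console for the password, HTTPS check, logout in finally) applies to every client in the rest of this article; the examples below keep hard-coded values only because they are test code.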

Java Client Example


Test Communication

Get ITIM information, including the logged-in user and its accounts.

    package com.ibm.itim.ws.test;

    import java.net.MalformedURLException;
    import java.rmi.RemoteException;

    import javax.xml.rpc.ServiceException;

    import com.ibm.itim.ws.exceptions.WSInvalidLoginException;
    import com.ibm.itim.ws.exceptions.WSLoginServiceException;
    import com.ibm.itim.ws.model.WSAccount;
    import com.ibm.itim.ws.model.WSPerson;
    import com.ibm.itim.ws.model.WSSession;
    import com.ibm.itim.ws.services.WSItimService;
    import com.ibm.itim.ws.services.WSPersonService;
    import com.ibm.itim.ws.services.WSSessionService;
    import com.ibm.itim.ws.services.facade.ITIMWebServiceFactory;

    public class TestClient {

        public static void main(String[] args) {
            // Replace these with values passed on the command line or read from a
            // configuration file; never ship a client with the password hard-coded.
            String serverAddress = "http://HOST:PORT/ITIMWebServices";
            String userid = "itim manager";
            String password = "xxxxxxxxxx";

            try {
                // ITIMWebServiceFactory is a factory that builds stubs for every service
                // available through the wrapper (person, account, organizational container, ...).
                ITIMWebServiceFactory webServiceFactory = new ITIMWebServiceFactory(serverAddress);

                // WSItimService is the proxy that combines the other services. Its login
                // returns the session handle that every later call must carry.
                WSItimService itimService = webServiceFactory.getWSItimService();
                WSSession session = itimService.login(userid, password);

                WSSessionService manager = webServiceFactory.getWSSessionService();
                WSPersonService personService = webServiceFactory.getWSPersonService();

                // The principal person is the ITIM person that owns the logged-in account.
                WSPerson person = itimService.getPrincipalPerson(session);

                System.out.println("ITIM Version: " + manager.getItimVersion());
                System.out.println("User name from ITIM is " + person.getName());
                System.out.println("Trying to get list of accounts owned by " + person.getName());

                WSAccount[] accounts = personService.getAccountsByOwner(session, person.getItimDN());
                if (accounts != null) {
                    System.out.println("Found " + accounts.length + " accounts for " + person.getName());
                    for (int i = 0; i < accounts.length; i++) {
                        WSAccount account = accounts[i];
                        System.out.println("    " + account.getName() + " on service " + account.getServiceName());
                    }
                } else {
                    System.out.println("No accounts retrieved");
                }
                System.out.println("End of test");
            } catch (MalformedURLException e) {
                e.printStackTrace();   // serverAddress is not a well-formed URL
            } catch (ServiceException e) {
                e.printStackTrace();   // JAX-RPC could not build the service stubs
            } catch (WSInvalidLoginException e) {
                e.printStackTrace();   // wrong user id or password
            } catch (WSLoginServiceException e) {
                e.printStackTrace();   // the login service failed for another reason
            } catch (RemoteException e) {
                e.printStackTrace();   // a SOAP call to ITIM failed
            }
        }
    }

Create a new person object in ITIM

This example creates a person of profile “Person”, which corresponds to the inetOrgPerson object class in the ITIM directory.

    package com.ibm.itim.ws.test;

    import java.net.MalformedURLException;
    import java.rmi.RemoteException;
    import java.util.ArrayList;
    import java.util.Calendar;
    import java.util.Date;
    import java.util.List;

    import javax.xml.rpc.ServiceException;

    import com.ibm.itim.ws.client.constants.WSObjectCategoryConstants;
    import com.ibm.itim.ws.exceptions.WSInvalidLoginException;
    import com.ibm.itim.ws.exceptions.WSLoginServiceException;
    import com.ibm.itim.ws.model.WSAttribute;
    import com.ibm.itim.ws.model.WSOrganizationalContainer;
    import com.ibm.itim.ws.model.WSPerson;
    import com.ibm.itim.ws.model.WSRequest;
    import com.ibm.itim.ws.model.WSSession;
    import com.ibm.itim.ws.services.WSOrganizationalContainerService;
    import com.ibm.itim.ws.services.WSPersonService;
    import com.ibm.itim.ws.services.WSSessionService;
    import com.ibm.itim.ws.services.facade.ITIMWebServiceFactory;

    public class CreatePerson {

        public static void main(String[] args) {
            if (args.length != 3) {
                System.out.println("Usage: java CreatePerson <ou> <sn> <givenName>");
                System.exit(1);
            }
            // Replace these with values passed on the command line or read from a
            // configuration file; test code only.
            String serverAddress = "http://localhost:9080/ITIMWebServices";
            String userid = "itim manager";
            String password = "xxxxxxx";

            String ou = args[0];
            String sn = args[1];
            String givenName = args[2];

            try {
                System.out.println("Trying connection to ITIMWebServices");
                ITIMWebServiceFactory webServiceFactory = new ITIMWebServiceFactory(serverAddress);
                WSSessionService manager = webServiceFactory.getWSSessionService();

                System.out.println("Trying authentication for user " + userid);
                WSSession session = manager.login(userid, password);
                System.out.println("User id " + userid + " logged in successfully to " + serverAddress);

                WSPersonService personService = webServiceFactory.getWSPersonService();

                // Locate the organizational unit in which the person will be created.
                WSOrganizationalContainerService containerService =
                    webServiceFactory.getWSOrganizationalContainerService();
                String containerProfile = WSObjectCategoryConstants.ORGUNIT;
                WSOrganizationalContainer[] wsContainers =
                    containerService.searchContainerByName(session, null, containerProfile, ou);

                if (wsContainers != null && wsContainers.length > 0) {
                    System.out.println("Found " + wsContainers.length + " containers for " + ou);
                    // If the search returns more than one container, select the one you
                    // want. This test arbitrarily takes the first one; a production client
                    // should refuse to guess, otherwise the person may land in the wrong OU.
                    WSOrganizationalContainer parentContainer = wsContainers[0];

                    // Build the person value object. Profile "Person" maps to inetOrgPerson.
                    WSPerson wsPerson = new WSPerson();
                    wsPerson.setProfileName("Person");

                    String uid = givenName.substring(0, 1) + sn;
                    String cn = givenName + " " + sn;

                    List<WSAttribute> attrList = new ArrayList<WSAttribute>();
                    attrList.add(new WSAttribute("uid", new String[] {uid}));
                    // cn and sn are mandatory for the Person profile
                    attrList.add(new WSAttribute("cn", new String[] {cn}));
                    attrList.add(new WSAttribute("sn", new String[] {sn}));
                    attrList.add(new WSAttribute("givenName", new String[] {givenName}));
                    wsPerson.setAttributes(attrList.toArray(new WSAttribute[attrList.size()]));

                    // Submit the create request. The calendar is the requested schedule
                    // date; the epoch is in the past, so the request is not deferred.
                    Calendar calendar = Calendar.getInstance();
                    calendar.setTime(new Date(0));
                    WSRequest request = personService.createPerson(session, parentContainer, wsPerson, calendar);
                    System.out.println("Submitted person create request id = " + request.getRequestId());
                } else {
                    System.out.println("No container found matching " + ou);
                }
                System.out.println("End of test");
            } catch (WSInvalidLoginException e) {
                e.printStackTrace();
            } catch (WSLoginServiceException e) {
                e.printStackTrace();
            } catch (RemoteException e) {
                e.printStackTrace();
            } catch (IllegalArgumentException e) {
                e.printStackTrace();
            } catch (MalformedURLException e) {
                e.printStackTrace();
            } catch (ServiceException e) {
                e.printStackTrace();
            }
        }
    }

* WSPerson is the value object used to construct the person.
* WSOrganizationalContainerService provides the methods related to organisational containers in ITIM.

Small code snippet using WSAccountService

  • For testing purposes only. This code has a lot of hard-coded values (the service and owner DNs are from the author's test environment).

    ITIMWebServiceFactory webServiceFactory = new ITIMWebServiceFactory(serverAddress);
    WSSessionService manager = webServiceFactory.getWSSessionService();
    System.out.println("Trying authentication for user " + userid);
    WSSession session = manager.login(userid, password);

    WSAccountService accountService = webServiceFactory.getWSAccountService();

    // DN of the service (target resource) on which the account is created
    String serviceDN = "erglobalid=3685365980767361353,ou=services,erglobalid=00000000000000000000,ou=Synetis,DC=COM";

    List<WSAttribute> attrList = new ArrayList<WSAttribute>();
    // eruid is the account's login name on the target service
    attrList.add(new WSAttribute("eruid", new String[] {"abcd2"}));
    // cn and sn are mandatory for this account profile
    attrList.add(new WSAttribute("cn", new String[] {"Test Acct"}));
    attrList.add(new WSAttribute("sn", new String[] {"Acct"}));
    // owner is the DN of the ITIM person the account belongs to
    attrList.add(new WSAttribute("owner", new String[] {"erglobalid=171286038059213820,ou=0,ou=people,erglobalid=00000000000000000000,ou=Synetis,dc=com"}));
    WSAttribute[] wsAttrs = attrList.toArray(new WSAttribute[attrList.size()]);

    // Schedule date: the epoch is in the past, so the request is not deferred
    Calendar calendar = Calendar.getInstance();
    calendar.setTime(new Date(0));
    WSRequest request = accountService.createAccount(session, serviceDN, wsAttrs, calendar);
    System.out.println("Account created with the request id : " + request.getRequestId());
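The snippet above hard-codes the owner DN. As an added example, not from the original article or the ITIM package, the following client resolves the owner by uid at run time instead, escapes the uid before embedding it in the LDAP search filter (an unescaped value such as `*` or `jdoe)(uid=itim manager` would otherwise change which persons match), and refuses to create the account unless exactly one owner matches. Assumptions: WSPersonService.searchPersonsFromRoot(WSSession, String ldapFilter, String[] attributes) returning WSPerson[] and WSSessionService.logout(WSSession) exist in the client jar (neither is shown on this page); the server address, user id and password are read from the environment variables ITIM_WS_URL, ITIM_WS_USER and ITIM_WS_PASSWORD; the service DN remains a command-line argument because it identifies the target system.

```java
package com.ibm.itim.ws.test;

import java.util.ArrayList;
import java.util.Calendar;
import java.util.Date;
import java.util.List;

import com.ibm.itim.ws.model.WSAttribute;
import com.ibm.itim.ws.model.WSPerson;
import com.ibm.itim.ws.model.WSRequest;
import com.ibm.itim.ws.model.WSSession;
import com.ibm.itim.ws.services.WSAccountService;
import com.ibm.itim.ws.services.WSPersonService;
import com.ibm.itim.ws.services.WSSessionService;
import com.ibm.itim.ws.services.facade.ITIMWebServiceFactory;

public class CreateAccountForOwner {

    /** Escapes a value for use inside an LDAP search filter (RFC 4515). */
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Returns the one person whose uid matches, or throws if zero or several match. */
    static WSPerson uniqueOwner(WSPersonService personService, WSSession session, String ownerUid)
            throws Exception {
        String filter = "(uid=" + escapeFilterValue(ownerUid) + ")";
        // Assumed signature: searchPersonsFromRoot(session, ldapFilter, attributesToReturn)
        WSPerson[] found = personService.searchPersonsFromRoot(session, filter, null);
        if (found == null || found.length == 0) {
            throw new IllegalStateException("No person with uid " + ownerUid);
        }
        if (found.length > 1) {
            // Taking found[0] would silently attach the account to whichever person
            // the server listed first.
            throw new IllegalStateException(found.length + " persons with uid " + ownerUid);
        }
        return found[0];
    }

    /** Builds the attribute set for a new account on a service. */
    static WSAttribute[] accountAttributes(String accountUid, String cn, String sn, String ownerDn) {
        List<WSAttribute> attrs = new ArrayList<WSAttribute>();
        attrs.add(new WSAttribute("eruid", new String[] {accountUid}));
        attrs.add(new WSAttribute("cn", new String[] {cn}));
        attrs.add(new WSAttribute("sn", new String[] {sn}));
        attrs.add(new WSAttribute("owner", new String[] {ownerDn}));
        return attrs.toArray(new WSAttribute[attrs.size()]);
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("Usage: java CreateAccountForOwner <serviceDN> <ownerUid> <accountUid> <sn>");
            System.exit(2);
        }
        String serviceDN = args[0];
        String ownerUid = args[1];
        String accountUid = args[2];
        String sn = args[3];

        // Assumed environment variable names; keeps the password out of the source and argv.
        String serverAddress = System.getenv("ITIM_WS_URL");
        String userid = System.getenv("ITIM_WS_USER");
        String password = System.getenv("ITIM_WS_PASSWORD");

        ITIMWebServiceFactory factory = new ITIMWebServiceFactory(serverAddress);
        WSSessionService sessionService = factory.getWSSessionService();
        WSPersonService personService = factory.getWSPersonService();
        WSAccountService accountService = factory.getWSAccountService();

        WSSession session = sessionService.login(userid, password);
        try {
            WSPerson owner = uniqueOwner(personService, session, ownerUid);
            WSAttribute[] attrs = accountAttributes(accountUid, owner.getName(), sn, owner.getItimDN());

            // Schedule date in the past (the epoch), so the request is not deferred.
            Calendar when = Calendar.getInstance();
            when.setTime(new Date(0));
            WSRequest request = accountService.createAccount(session, serviceDN, attrs, when);
            System.out.println("Submitted account create request id " + request.getRequestId());
        } finally {
            sessionService.logout(session);   // assumed method; releases the server-side session
        }
    }
}
```

The escaping matters because the ITIM web service passes the filter through to its LDAP directory: a uid taken from a ticketing system or a web form is attacker-influenced input, and the account's owner attribute decides who is later allowed to manage and recertify that account.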

[Screenshots: creation of an account by the Java class through the ITIM web service.]

The request id printed by the client matches the request shown in the ITIM console, confirming that the request was launched from the web service client.

Deployment of ITIM WebService

This section gives a step-by-step approach to deploying the service on the ITIM server. The web service application is always deployed on the ITIM WebSphere Application Server node, whether in single-server or cluster mode. The prerequisite for deploying the service on WebSphere Application Server (WAS) is:
  • WebSphere version 6.x or 7.x, for ITIM 5.0 or ITIM 5.1
Steps
  • Download the ITIM Web Service wrapper from the link given below:

  • The wrapper is an exe file, which can be executed in a Windows environment.

This article is continued in “An Introduction and Deployment of ‘ITIM WebService 1.3.2’ 2/3”.