http://www.caidentitymanagerbook.com
Preface
CA IdentityMinder Volume I: Java Developer's Guide teaches you Java programming to extend the functionality of CA IdentityMinder. You will learn basic administration concepts, the CA IdentityMinder APIs, how to create custom workflows, and see worked examples.
My CA IdentityMinder (formerly CA Identity Manager) Programming series consists of three books:
CA IdentityMinder Volume I: Java Developer's Guide, for the beginning level.
CA IdentityMinder Volume II: Learn by Example Code, for the advanced level.
CA IdentityMinder: Custom Connector, for custom connector developers.
Please visit the book's web site for more details.
About This Book
You will learn:
CA IdentityMinder Administration Concepts
CA IdentityMinder Programming Concepts
How to develop a Business Logic Task Handler, with example code.
How to create Custom Workflows, with Workflow API example code.
How to implement the Participant Resolver API, with example code.
How to implement the Event Listener API, with example code.
How to implement the Logical Attribute API, with example code.
How to implement Validation Rules, with example code.
How to implement Email Notification, with example code.
How to implement the Notification Rule API, with example code.
How to implement the Task Execution Web Service (TEWS), with example code.
Who This Book Is For
This book is intended for beginners who know a little Java programming and would like to learn how to implement CA IdentityMinder requirements through its APIs.
Conventions
The following text conventions are used in this document:
Boldface: book titles
Italic: emphasis, or placeholder variables
Monospace: language and syntax elements
Customer Support
Feedback from our readers is always welcome. Let us know what you think about this book.
Please visit the web sites for more details:
The web site for the books: http://www.caidentitymanagerbook.com
Blog and updated contents: http://caidentitymanager.blogspot.com
To send us general feedback or any questions, simply send an e-mail. You can find my e-mail address on the web site.
Download Source Code
Please visit our web site: http://www.caidentitymanagerbook.com
Trademarks
CA IdentityMinder, CA Identity Manager and CA SiteMinder are registered trademarks of CA Technologies.

Please accept my apologies:
DELAY: I expected to release this book in September 2013, but I delayed it almost one year.
GRAMMAR: Please accept my apology for grammar mistakes. The reviewing process may require up to 3 months. Hopefully, my next release will fix this issue.
NO POLICY XPRESS: Policy Xpress is easy to learn. We may not need a beginning-level book.
EXAMPLES: I knew some examples could be implemented with Policy Xpress, but I implemented all examples by programming because I want to show how to use the APIs.
NO BASIC LEVEL: I apologize that some readers may complain this book is not for beginners. I will fix this by adding bonus chapters and video demos. Please visit my blog.
SUPPORT: I am a full-time programmer. I may not respond to your email immediately. Please allow 24 hours for a response. My time zone is New York EST.

Regards,
Kosakarika

About the Author
I am a Java developer and live in New York.
Experience:
Front End: ExtJS, jQuery, Content Management (WebSphere Portal), and Portlets (WebSphere/WebLogic/SUN Portal)
SOA: Rules (JBoss Drools/Guvnor), ESB (ServiceMix/Camel) and BPEL (WebSphere Process Server)
IDM and SSO: CA IdentityMinder, CA SiteMinder, and SUN Access Manager.
Implemented multi-threaded, high-transaction real-time brokerage projects.
Certification:
Sun Certified Java Programmer 1.2
Sun Certified Business Component Developer 1.3
IBM Certified Developer - IBM WebSphere Portal Developer V6.1
IBM Certified Developer - Web Services Development for WebSphere V6.1
IBM System Administrator - WebSphere Application Server V6.1
IBM Enterprise Developer - IBM WebSphere Studio V5.0


Copyright 2014 W. Kosakarika

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the author, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. The author will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.
The author has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, the author cannot guarantee the accuracy of this information.

First published: September 2014


Contents

Chapter 1 Introduction
1.1 Why we need custom code
1.2 What this book covers
1.3 Technical Terms
1.4 CA IdentityMinder Components
1.5 Server Configuration
1.6 Conclusions
Chapter 2 Administration Concepts
2.1 Requirement
2.2 Create Admin Task
2.2.1 Profile Tab
2.2.2 Search Tab
2.2.3 Tabs Tab
2.2.4 Fields Tab
2.2.5 Event Tab
2.2.6 Role Use Tab
2.3 Provisioning
2.3.1 Account Template and Attribute Mapping
2.3.2 Provisioning Directory
2.3.3 Attribute mapping: User - Global User - Account
2.3.4 Synchronization
2.4 Identity Policy Set and Policy Xpress
2.4.1 Identity Policy Set
2.4.2 Policy Xpress
2.5 How it works
2.5.1 How UI works
2.5.2 View Submitted Task
2.6 Conclusion
Chapter 3 Programming Concepts and Configuring IDE
3.1 CA IdentityMinder APIs Overview
3.1.1 Business Logic Task Handler API (BLTH)
3.1.2 Workflow API
3.1.3 Participant Resolver API
3.1.4 Event Listener API
3.1.5 Logical Attribute API
3.1.6 Validation Rules
3.1.7 Email Template
3.1.8 Notification Rule
3.1.9 Task Execution Web Service (TEWS)
3.2 Task Phases
3.2.1 Synchronous Phase Operations
3.2.2 Asynchronous Phase Operations
3.3 Configuring IDE
3.4 Conclusions
Chapter 4 Business Logic Task Handler
4.1 Programming and Configuration Concepts
4.1.1 Programming
4.1.2 Configuration
4.2 Task Session
4.3 Access to Managed Objects
4.4 Code Examples
4.4.1 Basic programming: BLTHAdapter and life cycle
4.4.2 Modify user attributes by BLTHContext
4.4.3 Modify user attributes by ProviderAccessor
4.4.4 BLTHContext and ProviderAccessor
4.4.5 Business Logic Task Handler and screen
4.5 Use case examples
4.6 Conclusion
Chapter 5 Workflow
5.1 Workflow Concepts
5.1.1 Default Workflow Features
5.1.2 Workpoint Designer Concept
5.2 Custom Workflow
5.2.1 Workflow and CA IdentityMinder
5.2.2 Workpoint Component
5.3 Code Examples
5.3.1 Workflow: One Approver
5.3.2 Workflow: Delay by city
5.3.3 Category
5.4 WorkPoint Programming
5.4.1 Activity, Server Automated and Automated
5.4.2 Script for Server Automated and Automated
5.4.3 Agent scripts can be designated Synchronous or Asynchronous
5.4.4 Saving Job Objects
5.4.5 Search reference
5.5 Use case examples
5.6 Conclusion
Chapter 6 Additional APIs
6.1 Participant Resolver API
6.1.1 Programming
6.1.2 Code Example: Participant Resolver API
6.1.3 Use Case Example
6.2 Event Listener API
6.2.1 Programming
6.2.2 Code Example: Event Listener API
6.2.3 Code Example: Event Generating
6.2.4 Use Case Examples
6.3 Logical Attribute API
6.3.1 Programming
6.3.2 Code Example
6.3.3 Use Case
6.4 Validation Rules
6.4.1 Programming
6.4.2 Code Example: Task-level validation
6.4.3 Code Example: Directory-level validation
6.5 Email Notification
6.5.1 How to implement email notification
6.5.2 Code Example: Email Template
6.5.3 Code Example: Email notification by Service API
6.6 Notification Rule API
6.6.1 Programming
6.6.2 Code Example
6.6.3 Use Case
6.6.3 Notification Rule and Email Template Limitation and Service API
6.7 Task Execution Web Service (TEWS)
6.7.1 Code Example
6.8 Additional Concept
6.9 Conclusion
Appendix A: Import Workflow
Appendix B: Hot Deployment



Chapter 5 Workflow
The official CA IdentityMinder documentation does not have much detail about workflow. We learned some basic concepts in the previous chapter:
If a requirement calls for an approver, you need a workflow.
Workflow runs in the asynchronous phase.
Workflows can have a long life; a single workflow may take anywhere from an hour to a month.
The Business Logic Task Handler has already finished before the workflow starts.
In this chapter, you will learn both the workflow API and how to create a custom workflow.
5.1 Workflow Concepts
You must enable workflow in the Management Console; by default, workflow is disabled.
Configuration: Management Console
1. In the Management Console, select an Environment.
2. Go to Advanced Settings, Workflow.
3. Select the Enabled check box, and click Save.
4. Restart the application server.

Figure 5-1 shows the workflow properties in the Management Console.
The event mappings table contains some default mappings between events and global workflow processes. It means that when any event in this table starts, the mapped workflow is executed. We do not modify any of these values.

5.1.1 Default Workflow Features
In this section, we will learn the default workflow features of CA IdentityMinder. We cover these topics:
Workflow Level: workflow can run at the admin task level or the event level.
Select Workflows: which workflow is executed.
Policy Base: the condition under which a workflow starts.
Task and screen for the approver.
Approver: who the approver is.
Expected Outcome: the final result, approve or reject.
Workflow Level
Workflow can run at the Admin Task level and/or the Event level. Which level should it be? It depends on the requirements. For example, we have the admin task Modify User, and our admin task has 2 tabs: the Profile tab and the Access Role tab. So the events generated from this admin task divide into 2 groups:
The first group of events comes from the Profile tab; events are generated when user attributes have been modified.
The second group of events comes from the Access Role tab; events are generated when we add or remove an access role.

Figure 5-2 shows all events from the example admin task.
We have 2 kinds of request: a request to modify user attributes from the Profile tab and a request to add/remove a role from the Access Role tab.
Scenario 1: all requests (both modify user attributes and add/remove role) need only one workflow for approval; we should specify the workflow at Admin Task Level.
Scenario 2: only the modify-user-attributes request (Profile tab) requires an approver; we should specify the workflow at Event Level: ModifyUserEvent.
Scenario 3: only the add-role request (Access Role tab) requires an approver; we should specify the workflow at Event Level: AssignAccessRoleEvent.
Scenario 4: any request (modify user attributes or add/remove role) requires the Manager as first approver, and in addition:
o A modify-user-attributes request requires the HR manager as second approver.
o An add-role request requires the IT manager as second approver.
We specify the first-approver workflow at Admin Task Level and the HR and IT workflows at Event Level: ModifyUserEvent and AssignAccessRoleEvent. This case is shown in the picture below.


Figure 5-3 shows the workflow of Scenario 4.

Admin Task Level
Workflow at the admin task level requires setting the attribute TASK_LEVEL=true. You will see it in the example code. To enable workflow at the admin task level, you have to configure:
On the Profile tab, check the Enable Workflow checkbox.
On the Profile tab, click the pencil icon next to the Workflow Process label. The workflow configuration screen is displayed.

Figure 5-4 shows how to configure workflow at the admin task level.
Event Level
To enable workflow at the event level, you have to configure:
On the Profile tab, verify that Enable Workflow is checked.
On the Events tab, click the pencil icon on the event. The workflow mapping screen is displayed; select a process template.

Figure 5-5 shows how to configure workflow at the event level.
Select Workflows
You can select the workflow from a drop-down. CA IdentityMinder provides three default process templates:
SingleStepApprovalProcess: one primary approver, with a default participant used when the primary approver is not found.
TwoStageApprovalProcess: two primary approvers, with a default participant used when a primary approver is not found.
EscalationApprovalProcess: one primary approver, with a default participant used when the primary approver is not found. In this workflow the primary approver can escalate to another approver.
You can create more custom workflows; we will go into the details later.

Policy Base
The policy base is the condition checked before the workflow starts. The picture below shows a Policy Base: if the user's city is New York, the request requires the workflow TwoStageApprovalProcess.

Figure 5-6 shows the screen of the workflow's policy base.

If a request does not meet any condition, the event or admin task executes without workflow.

Approver's Task
If the workflow requires an approver, we need a screen for the approver to perform the approve or reject action. The picture below shows the screen to select the Approval Task:

Figure 5-7 shows the configuration for the approver's screen.
The picture below shows an example approver's screen. The icon means that the value has been changed. You can click it to roll back the value.

Figure 5-8 shows the screen for the approver.
You can create a new approver task by creating a new admin task. You have to choose the action as Approve Event or Approve Task.
Approver
If the workflow requires an approver, we have to specify who the approver is. We can select the type of approver from the Participant Resolver drop-down. It provides the condition used to find the approver.

Figure 5-9 shows the drop-down: Participant Resolver
If your requirement for finding the approver is complicated, you can program it using the Participant Resolver API. We will learn the Participant Resolver API in the next chapter.
Expected Outcome
Working with workflow, we should always be aware of the outcomes: approve or reject. For example, we have an admin task with 2 tabs: the Profile tab and the Access Role tab. We have one Business Logic Task Handler and we set 3 workflows: one at admin task level, one for ModifyUserEvent and one for AssignAccessRoleEvent. The picture below shows all outcomes.

Figure 5-10 shows all outcome examples.
If you use the ProviderAccessor API, you have to be aware that ProviderAccessor updates the user store directly and does not depend on the workflow outcome, so a later rejection does not undo the change. The picture below shows the initial value of City as Toronto. We then use the ProviderAccessor API to modify the City attribute to New York. Whether the workflows are rejected or approved, the final value of City is New York.

Figure 5-11 shows the ProviderAccessor API modifying an attribute value.
5.1.2 Workpoint Designer Concept
The workflows inside CA IdentityMinder are created with the tool WorkPoint Designer. WorkPoint Designer is third-party software integrated with CA IdentityMinder. You can run WorkPoint Designer with the command <admin_tools>\WorkPoint\bin\Designer.bat.

Figure 5-12 shows the start screen of WorkPoint Designer.
You have to check the configuration file workpoint-client.properties. The file is located in the folder <admin_tools>\WorkPoint\conf. The J2EE Client Configuration must match your application server.
Processes vs. Jobs
Process and Job are WorkPoint technical terms.
A Process is a function that a business conducts and normally repeats.
A Job is a process instance.
For example, if the Process is a plan for an order fulfillment process, the specific cases (or Jobs) are the actual orders. A Process is like a class in Java and a Job is an object, an instance of that class.
Processes
Run WorkPoint Designer and select Open Process from the menu. Double-click the process named SingleStateApproval, and you will see the process.

Figure 5-13 shows the process SingleStateApproval.
Jobs
Select Open Job from the menu. Double-click the process named SingleStateApproval and you will see the jobs of this process (if you have executed some admin task that contains the workflow SingleStateApproval). You can see the current status of each job, the date created and the date started. Select one of them.

Figure 5-14 shows job
The selected nodes appear in blue; in the picture these are the node Approval and the node IM Reject. The selected line paths appear as green lines.
Using Help
Click the Help menu; the help contents are displayed as a pop-up. You can select the topics Process Definition and Job Definition, which explain What is a Process? and What is a Job?

Figure 5-15 shows the help of WorkPoint Designer.
Further WorkPoint documentation is located in <admin_tools>\Workpoint\docs.
5.2 Custom Workflow
The official CA IdentityMinder documents do not tell exactly how to create a custom workflow step by step. The rest of this chapter shows how to create a custom workflow.
Why do we need a custom workflow?
The first reason: the default template workflows do not fit our requirements. For example, you may want 3 approvers, while the default templates support up to 2 approvers.
The second reason: we need integration with other systems, or have to perform some business logic during the workflow process. For example:
During the workflow, we need to call web services.
If the user's location is North America, a second approver is required. We have to create a routing path that checks the user's location.
This section contains 2 parts:
Workflow for CA IdentityMinder, where you will learn the rules a workflow must follow to work with CA IdentityMinder.
WorkPoint Programming, where we introduce some WorkPoint API features.
5.2.1 Workflow and CA IdentityMinder
When you create a workflow for CA IdentityMinder, you have to follow these rules:
Rule 1: Must start with a Start node and end with a Stop node
This rule makes sense: a workflow must have a start and an end point. In WorkPoint Designer, you drag the node from the menu.

Figure 5-16 shows the Start and Stop nodes in WorkPoint Designer

Rule 2: Must have an Approve or Reject node before going to the Stop node
In any workflow, you need to set the state to Approve or Reject before completing the workflow. We need to tell CA IdentityMinder the final result: approved or rejected.
Drag an automated node and set its configuration (you will see the details in the example code, do not worry):
In the Resources tab, select external.
In the Agents tab, for the approve state select Notify IM Approver, and for the reject state select Notify IM Reject.

Figure 5-17 shows the Approve and Reject states before Stop
A workflow does not always require both Approve and Reject, but every workflow must have at least one Approve node before the Stop node (a workflow with only a Reject node does not make sense).
Rule 3: Approver configuration (if you require an approver)
If you require an approver, you have to (you will see the details in the example code):
Drag an activity node onto the canvas.
In the Resources tab, select IMApprovers.
In the Agents tab, select Nobody AutoComplete and set it to asynchronous.
In the User Data tab, set the values in the table below (we give step-by-step details in the example Basic custom workflow):
ACTION_PERFORMED (Text): for transition
PARTICIPANT_ID (Text): approver ID
PARTICIPANT_NAME (Text): link to properties file
PARTICIPANT_DESCRIPTION (Text): link to properties file

Rule 4: Workflow at admin task level (optional)
By default, a workflow runs at the event level. If you want the workflow to run at the admin task level, you have to:
Select the process's User Data and add TASK_LEVEL = true
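As an added example (not code from the book, CA or WorkPoint), here is a small Python linter that checks a workflow definition against Rules 1 to 4 above before the process is imported; the dict layout is a constructed stand-in for a WorkPoint process, while the node types, resource names, agent names and user-data keys are the ones the rules list. It also flags a Stop node that cannot be reached from Start, which the rules imply but do not state.

```python
"""Lint a CA IdentityMinder custom workflow against Rules 1 to 4 of section 5.2.1 (added example)."""
from collections import deque

# Agent names the chapter uses for the final state reported back to IdentityMinder (Rule 2).
APPROVE_AGENT = "Notify IM Approver"
REJECT_AGENT = "Notify IM Reject"
# Resource and agent an approver activity node must use (Rule 3).
APPROVER_RESOURCE = "IMApprovers"
APPROVER_AGENT = "Nobody AutoComplete"
# User-data keys listed in the Rule 3 table.
APPROVER_USER_DATA = {"ACTION_PERFORMED", "PARTICIPANT_ID",
                      "PARTICIPANT_NAME", "PARTICIPANT_DESCRIPTION"}


def lint_workflow(process, admin_task_level=False):
    """Return a list of rule violations (empty means the process passes). The process dict is a
    constructed stand-in for a WorkPoint process, not its file format: nodes map a name to
    {type, resource, agent, mode, user_data}; edges are (source, target) transitions."""
    nodes, edges, problems = process["nodes"], process["edges"], []
    starts = [n for n, d in nodes.items() if d["type"] == "Start"]
    stops = {n for n, d in nodes.items() if d["type"] == "Stop"}

    # Rule 1: exactly one Start node, a Stop node, and a path from Start to Stop.
    if len(starts) != 1:
        problems.append("Rule 1: process needs exactly one Start node")
    if not stops:
        problems.append("Rule 1: process needs a Stop node")
    if starts and stops:
        reached, queue = set(starts), deque(starts)
        while queue:
            cur = queue.popleft()
            for src, dst in edges:
                if src == cur and dst not in reached:
                    reached.add(dst)
                    queue.append(dst)
        if not reached & stops:
            problems.append("Rule 1: no path from Start to Stop")

    # Rule 2: every transition into Stop comes from an Approve or Reject automated node,
    # those nodes use the external resource, and at least one Approve node exists.
    approve = {n for n, d in nodes.items() if d.get("agent") == APPROVE_AGENT}
    reject = {n for n, d in nodes.items() if d.get("agent") == REJECT_AGENT}
    for src, dst in edges:
        if dst in stops and src not in approve | reject:
            problems.append(f"Rule 2: '{src}' goes to Stop without an Approve or Reject node")
    for n in sorted(approve | reject):
        if nodes[n].get("resource") != "external":
            problems.append(f"Rule 2: final-state node '{n}' must use the external resource")
    if not approve:
        problems.append("Rule 2: process needs at least one Approve node")

    # Rule 3: approver activity nodes: IMApprovers resource, asynchronous agent, four user-data keys.
    for n, d in nodes.items():
        if d["type"] != "Activity":
            continue
        if d.get("resource") != APPROVER_RESOURCE:
            problems.append(f"Rule 3: activity '{n}' must use resource {APPROVER_RESOURCE}")
        if d.get("agent") != APPROVER_AGENT or d.get("mode") != "asynchronous":
            problems.append(f"Rule 3: activity '{n}' needs asynchronous agent {APPROVER_AGENT}")
        missing = sorted(APPROVER_USER_DATA - set(d.get("user_data", {})))
        if missing:
            problems.append(f"Rule 3: activity '{n}' is missing user data {missing}")

    # Rule 4: an admin-task-level workflow carries TASK_LEVEL=true in the process user data.
    if admin_task_level and process.get("user_data", {}).get("TASK_LEVEL") != "true":
        problems.append("Rule 4: admin-task-level workflow needs process user data TASK_LEVEL=true")
    return problems


# Constructed one-approver process in the shape outlined for section 5.3.1, at admin task level.
ONE_APPROVER = {
    "user_data": {"TASK_LEVEL": "true"},
    "nodes": {
        "Start": {"type": "Start"},
        "Approval": {"type": "Activity", "resource": APPROVER_RESOURCE, "agent": APPROVER_AGENT,
                     "mode": "asynchronous", "user_data": {k: "Text" for k in APPROVER_USER_DATA}},
        "IM Approve": {"type": "Automated", "resource": "external", "agent": APPROVE_AGENT},
        "IM Reject": {"type": "Automated", "resource": "external", "agent": REJECT_AGENT},
        "Stop": {"type": "Stop"},
    },
    "edges": [("Start", "Approval"), ("Approval", "IM Approve"), ("Approval", "IM Reject"),
              ("IM Approve", "Stop"), ("IM Reject", "Stop")],
}

# Constructed broken process: approval goes straight to Stop, the activity agent is synchronous
# with no user data, and TASK_LEVEL is missing although it is meant for admin task level.
BROKEN = {
    "nodes": {
        "Start": {"type": "Start"},
        "Approval": {"type": "Activity", "resource": APPROVER_RESOURCE,
                     "agent": APPROVER_AGENT, "mode": "synchronous", "user_data": {}},
        "Stop": {"type": "Stop"},
    },
    "edges": [("Start", "Approval"), ("Approval", "Stop")],
}
```

Running `lint_workflow(BROKEN, admin_task_level=True)` reports two Rule 2, two Rule 3 and one Rule 4 violation, while `ONE_APPROVER` passes cleanly.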
END OF SAMPLE
The rest of the chapter:
5.2.2 Workpoint Component
5.3 Code Examples
5.3.1 Workflow: One Approver
5.3.2 Workflow: Delay by city
5.3.3 Category
5.4 WorkPoint Programming
5.4.1 Activity, Server Automated and Automated
5.4.2 Script for Server Automated and Automated
5.4.3 Agent scripts can be designated Synchronous or Asynchronous.
5.4.4 Saving Job Objects
5.4.5 Search reference
5.5 Use cases examples
5.6 Conclusion