Alan Baugher

Use Powershell to call IM TEWS (SOAP)

Discussion created by Alan Baugher Employee on Apr 5, 2016
Latest reply on Jan 2, 2019 by deniy01

Hello All,

 

One of my customers asked a question about using CLI / script processes to on-board legacy/existing users, while also wishing to lower the business risk of any unintended modifications.

 

The customer was running the CA Identity Management solution in a Production environment with a limited number of users, to stabilize their business logic / workflows before opening the solution to the broader business community.   After all business validation / performance checks were successful, the customer wished to load user data into their IM solution without disabling any business rules (PX/MX/IdP) while doing so.

The methodology above is a proven model for isolating high-impact issues caused by incorrect data mappings / business logic prior to go-live, over a period long enough to allow full QA validation of thousands of test scripts.

 

 

Challenge:  If the customer were to use the IM Bulk Loader Task or the IM BLC (Bulk Load Client) tool, the process would create the user at the top tier of the solution, and all IME (IM Environment) business rules would be applied.

 

Since these users already exist within various userstores, e.g. Active Directory, Mainframe (ACF2/TSS/RACF), Unix/Linux, databases, cloud apps, there is always the chance that an attribute will be changed if the business rules include Provisioning Roles (PR) and Account Templates (AT).  The change may be slight and have no impact, but the possibility of change exists.

 

Example:  Userstore/endpoint attributes such as quotas may be raised if the Account Template is set to a higher value than the end user already has.  This may be the desired state, but if not, it is a change to avoid or to address in a controlled manner.    We wish to avoid thousands or millions of help desk calls for loss of access or unscheduled changes during this very large initial bulk load.

 

 

 

Goal:   Load 10 million users into the CA IM solution with low business risk for any unscheduled modifications to managed endpoint/userstore accounts using ONLY CLI (command line interface) / script processes.

- Eliminate data entry via manual input.   Avoid use of the UI (IME) or GUI (IMPS Manager UI) for this use-case.

 

1)   Initial state:

   MX/PX/IdP business rules are active in the IME;  

   Endpoints have already been defined and explored, but not correlated.   { Validate that no accounts are correlated to [default user] }

   PR (Provisioning Roles)/AT (Account Templates) exist and are actively managing production endpoint/userstores with service accounts that have proper access to manage accounts.

 

 

2)  Load a pre-filtered LDIF file of all 10 million users into the primary userstore for the IM solution (IMCD = IM Corporate User store).

- Pro: Users are loaded at the data tier;  the IME is unaware of the new users = no business rules are activated

- Con: The audit record for the initial bulk load is limited to the directory logs.

 

 

3) Use a CLI process to call IM TEWS (SOAP) to assign a "NULL" Provisioning Role to each new user.

-  Pro:  This avoids the "Create User" event use-case, and therefore any business logic tied to that event.

Assigning the "NULL" PR creates an IMPS Global User (GU) object with all attributes mapped from IMCD to IMPS.

A "NULL" provisioning role does NOT have an Account Template associated with it.

-  Con:  N/A

Use an OS-supported CLI process that allows web service calls to be made from scripts.

- If Linux, use curl.    If Windows OS, use PowerShell.

[Note:  curl may be used on Windows OS, but at the time of writing there was no "trusted" build from Microsoft or another vendor;

suggest recompiling the source code on MS Windows to avoid any security concerns.   Windows 10 version 1803 and later ship a Microsoft-supplied curl.exe in System32, which removes this concern on current builds.]

 

 

4a) Re-Explore endpoints if needed.

Note:  If an endpoint takes over 1 hour to explore as a single-threaded process, consider using the IMPS CLI / ldapsearch to run parallel explore operations on one or more IMPS servers.

- Recommendation:  Automate via the OS scheduler

Note:  Explore operations create the Endpoint Account (EA) pointer object in the IMPD (IM Provisioning Directory).

This "pointer object" is all the IM solution needs to know where the account exists and which route to take to manage the account in the managed endpoint/userstore.

Example using IMPS ldapsearch (with one of the four explore option flags requested as an attribute; see the note at the end of this post) to explore only those accounts whose user ID starts with the letter "a":

ldapsearch -h [hostname] -p 20389 -D "eTGlobalUserName=[username],eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=im,dc=eta" -w [password] -b "eTADSContainerName=Users,eTADSDirectoryName=[directory_name],eTNamespaceName=ActiveDirectory,dc=im,dc=eta" -s sub "(&(eTADSAccountName=a*)(objectclass=*))" eTExploreUpdateEtrust

 

 

4b) Use the IMPS CLI / etautil to create manual correlation scripts

Avoid using a single-threaded process from one IMPS server.   Create parallel correlation processes.

Follow the format below for an etautil input file -

ADD   BASE   CLASS   ATTRIBUTE  IN  BASE  CLASS  ATTRIBUTE  SEMICOLON

ADD  eTACFLidContainerName=Accounts,eTACFDirectoryName=MainframeACF2HostA,eTNamespaceName=CA-ACF2,dc=im   eTACFLid  eTACFLidName=LID  IN   'eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=im'    eTGlobalUser eTGlobalUserName=GUID;

Pro:  This correlation ties (creates an inclusion between) the endpoint account (EA) and the IMPS Global User (GU).   This allows the following to occur:

- Attribute sync:  Account status (lock/unlock) and password sync from the top tier to the bottom tier (endpoints/userstores)

- Audit record:  Where a user's accounts exist

- Deletion use-case:   Since the account is now attached, the top tier can manage the delete-user use-case across all managed endpoint accounts.

 

 

5) Use the IMPS CLI / etautil to build the relationship between an Account Template (AT) and the Endpoint Account (EA) pointer object.

Avoid using a single-threaded process from one IMPS server.   Create parallel processes.

Follow the format below for an etautil input file -

ADD   BASE   CLASS   ATTRIBUTE  IN  BASE  CLASS  ATTRIBUTE  SEMICOLON

ADD    eTADSOrgUnitName=RUUsers,eTADSOrgUnitName=Russia,eTADSOrgUnitName=EMEA,eTADSOrgUnitName=Regions,eTADSDirectoryName=ADS_Hostname,eTNamespaceName=ActiveDirectory,dc=im   eTADSAccount eTADSAccountName='Abikutova (EXT), Olesjja'  IN   'eTADSPolicyContainerName=Active Directory Policies,eTNamespaceName=CommonObjects,dc=im' eTADSPolicy eTADSPolicyName=ADSContractorPolicy;

Pro:  This relationship / inclusion ties the endpoint account (EA) to an exact Account Template (AT).   This allows the additional functionality to occur:

- Attribute sync:  All managed attributes within the Account Template that use rule strings, e.g. %FN%, will now propagate from the top tier to the bottom tier (endpoints/userstores)

 

 

6) Use the IMPS CLI / etautil to build the relationship between a Global User (GU) and a Provisioning Role (PR).

Avoid using a single-threaded process from one IMPS server.   Create parallel processes.

Follow the format below for an etautil input file -

ADD   BASE   CLASS   ATTRIBUTE  IN  BASE  CLASS  ATTRIBUTE  SEMICOLON

ADD   'eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects'   eTGlobalUser eTGlobalUserName=GUID   IN  'eTRoleContainerName=Roles,eTNamespaceName=CommonObjects' eTRole eTRoleName=USContractorRole;

Pro:  This relationship / inclusion ties the Global User (GU) to an exact Provisioning Role (PR).   This allows the additional functionality to occur:

- Modify / Delete use-case by role:   The IME (top tier) can now manage the user by roles, either removing or appending them.

- Audit record:  The IME (top tier) is now aware of which roles the user holds.

- Sync operations:   User sync by role is now possible.  Typically used when many endpoints are managed by one role and an endpoint's lifecycle moves it from one hostname to another.
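Steps 4b, 5 and 6 all produce the same kind of etautil input line, and all three are to be run as several parallel processes.  The PowerShell below is an added example, not code from the original post: it builds the correlation, Account Template and Provisioning Role files from one CSV of already-explored accounts and round-robins the lines into N files, one per etautil process.  The CSV layout, the two sample rows, the output folder, the consistent dc=im suffix on every base, and the rule that a value needs single quotes only when it contains whitespace or parentheses (the quoting the examples above use) are all assumptions; anything that cannot be quoted that way is rejected so it can be correlated by hand rather than silently mis-parsed.

```powershell
# Added example (not from the original post): generate etautil input files for
# steps 4b (account -> Global User), 5 (account -> Account Template) and
# 6 (Global User -> Provisioning Role), split into $Parallelism files per step.
# Assumptions: CSV layout, sample rows, output folder, dc=im suffix on every
# base, and the single-quote rule described in the lead-in.

$Domain      = 'dc=im'
$GuBase      = 'eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects'
$RoleBase    = 'eTRoleContainerName=Roles,eTNamespaceName=CommonObjects'
$OutputDir   = Join-Path $env:TEMP 'etautil-batches'   # assumed location
$Parallelism = 4                                        # files (= etautil processes) per step

# Constructed sample input: one Global User (jdoe01) that already owns an AD
# account and an ACF2 LID.  The ACF2 row has no Account Template, so it gets a
# correlation line and a role line but no policy line.
$SampleCsv = @'
GUID,AccountName,AccountClass,AccountNameAttr,EndpointBase,PolicyBase,PolicyClass,PolicyNameAttr,PolicyName,Role
jdoe01,"Abikutova (EXT), Olesjja",eTADSAccount,eTADSAccountName,"eTADSOrgUnitName=RUUsers,eTADSOrgUnitName=Russia,eTADSOrgUnitName=EMEA,eTADSOrgUnitName=Regions,eTADSDirectoryName=ADS_Hostname,eTNamespaceName=ActiveDirectory","eTADSPolicyContainerName=Active Directory Policies,eTNamespaceName=CommonObjects",eTADSPolicy,eTADSPolicyName,ADSContractorPolicy,USContractorRole
jdoe01,JDOE01,eTACFLid,eTACFLidName,"eTACFLidContainerName=Accounts,eTACFDirectoryName=MainframeACF2HostA,eTNamespaceName=CA-ACF2",,,,,USContractorRole
'@

function Format-EtaValue([string]$Value) {
    # Quote values with whitespace/parentheses; refuse values we cannot quote
    # safely instead of emitting a line etautil would parse differently.
    if ([string]::IsNullOrWhiteSpace($Value)) { throw "empty DN component" }
    if ($Value.Contains("'") -or $Value.Contains(';')) {
        throw "cannot quote '$Value' for etautil; correlate this entry manually"
    }
    if ($Value -match '[\s()]') { return "'$Value'" }
    return $Value
}

# The "BASE CLASS ATTRIBUTE" triple that names one endpoint account.
function Get-AccountTriple($Row) {
    $base = Format-EtaValue "$($Row.EndpointBase),$Domain"
    "$base $($Row.AccountClass) $($Row.AccountNameAttr)=$(Format-EtaValue $Row.AccountName)"
}

function New-CorrelationLine($Row) {   # step 4b
    $gu = Format-EtaValue "$GuBase,$Domain"
    "ADD $(Get-AccountTriple $Row) IN $gu eTGlobalUser eTGlobalUserName=$(Format-EtaValue $Row.GUID);"
}

function New-PolicyLine($Row) {        # step 5
    $pol = Format-EtaValue "$($Row.PolicyBase),$Domain"
    "ADD $(Get-AccountTriple $Row) IN $pol $($Row.PolicyClass) $($Row.PolicyNameAttr)=$(Format-EtaValue $Row.PolicyName);"
}

function New-RoleLine($Row) {          # step 6
    $gu   = Format-EtaValue "$GuBase,$Domain"
    $role = Format-EtaValue "$RoleBase,$Domain"
    "ADD $gu eTGlobalUser eTGlobalUserName=$(Format-EtaValue $Row.GUID) IN $role eTRole eTRoleName=$(Format-EtaValue $Row.Role);"
}

function Write-EtautilBatch([string]$Step, [string[]]$Lines) {
    # Round-robin the lines over <step>-0.txt .. <step>-(N-1).txt.  Run all
    # files of one step to completion before starting the next step, since
    # the policy and role inclusions assume the correlation already exists.
    for ($i = 0; $i -lt $Parallelism; $i++) {
        $chunk = @(for ($j = $i; $j -lt $Lines.Count; $j += $Parallelism) { $Lines[$j] })
        if ($chunk.Count -gt 0) {
            Set-Content -Path (Join-Path $OutputDir "$Step-$i.txt") -Value $chunk
        }
    }
}

New-Item -ItemType Directory -Force -Path $OutputDir | Out-Null
$rows = $SampleCsv | ConvertFrom-Csv

Write-EtautilBatch 'correlate' @($rows | ForEach-Object { New-CorrelationLine $_ })
Write-EtautilBatch 'policy'    @($rows | Where-Object { $_.PolicyName } | ForEach-Object { New-PolicyLine $_ })
# A user with several accounts has several rows; add it to the role only once.
Write-EtautilBatch 'role'      @($rows | Where-Object { $_.Role } | ForEach-Object { New-RoleLine $_ } | Select-Object -Unique)

Get-ChildItem $OutputDir | ForEach-Object { "$($_.Name): $(@(Get-Content $_.FullName).Count) line(s)" }
```

With the sample rows this yields two correlation lines, one policy line and one role line, spread over the first files of each step; each file is then handed to its own etautil process, on one or more IMPS servers, exactly as the three steps above describe.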

 

 

7)  Validation:  Use CLI processes to push changes through the IM "Modify User" task to validate that each attribute is mapped correctly and that its value flows from the top tier to the bottom tier.

 

 

 

MS POWERSHELL EXAMPLE  [ Invoke-WebRequest ]

 

Example with MS PowerShell as the CLI on MS Windows to call the SOAP web service using the Invoke-WebRequest cmdlet.

Assumptions:  Web Services are enabled for the IME in the IM Management Console, and the IM Modify User task is enabled for web services.

Note:   No SSL and no CA SSO integration in this example.

Methodology:   Use the SoapUI tool to connect to the IME WSDL and validate that the IM Modify User task is exposed; then use SoapUI to validate the SOAP body before submitting a record.   Validate the result in IM VST (View Submitted Tasks).

SoapUI | Functional Testing for SOAP and REST APIs

 

 

The PowerShell script below accepts three input parameters:   the UID to be managed, the IME service account that has access to the IM Modify User task, and that service account's password.

The script is used to attach a Provisioning Role to a user.   See Step #3 above.

The SOAP body was reduced to the minimal XML needed to meet the requirement.

 

**********************************  Script below  *****************************

# Attach the "NULL" Provisioning Role to one user via the IME TEWS endpoint (Step #3).
# Parameters: the UID to manage, the IME service account allowed to run the
# Modify User task, and that account's password.
# Note: a password passed on the command line is visible in process listings and
# shell history; for anything beyond a lab, read it from a secured source instead.
[CmdletBinding()]
Param(
  [Parameter(Mandatory=$True,Position=1)]
  [string]$accountID,

  [Parameter(Mandatory=$True,Position=2)]
  [string]$adminid,

  [Parameter(Mandatory=$True,Position=3)]
  [string]$adminpassword
)

# The values are spliced into XML, so escape them: a UID or password containing
# & or < would otherwise produce a malformed (or altered) envelope.
$xmlUid   = [System.Security.SecurityElement]::Escape($accountID)
$xmlAdmin = [System.Security.SecurityElement]::Escape($adminid)
$xmlPass  = [System.Security.SecurityElement]::Escape($adminpassword)

[xml]$SOAP = @"
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsdl="http://tews6/wsdl">
  <soapenv:Header/>
  <soapenv:Body>
     <wsdl:TaskContext>
        <wsdl:admin_id>$xmlAdmin</wsdl:admin_id>
        <wsdl:admin_password>$xmlPass</wsdl:admin_password>
     </wsdl:TaskContext>
     <wsdl:ModifyUser>
        <wsdl:ModifyUserSearch>
           <wsdl:Subject index="?">
              <wsdl:UID>$xmlUid</wsdl:UID>
           </wsdl:Subject>
        </wsdl:ModifyUserSearch>
        <wsdl:ModifyUserProvisioningRolesTab>
           <wsdl:UserMemberProvisioningRoles>
              <wsdl:add index="?">
                 <wsdl:Name>NULL</wsdl:Name>
              </wsdl:add>
           </wsdl:UserMemberProvisioningRoles>
        </wsdl:ModifyUserProvisioningRolesTab>
     </wsdl:ModifyUser>
  </soapenv:Body>
</soapenv:Envelope>
"@

$headers = @{"SOAPAction" = "http://tews6/wsdl"}

# Scenario 2 (IM auth only, no SSL): admin_id and admin_password travel in clear
# text, so restrict this to a lab or a trusted network segment.  For scenario 3
# change the scheme to https so the credentials are protected in transit.
$URI = "http://HOSTNAME_FQDN_HERE/iam/im/TEWS6/ime_name_here"

# -UseBasicParsing avoids the Internet Explorer engine dependency on Windows Server
# (it is the default, and ignored, on PowerShell 6 and later).
$out = Invoke-WebRequest -Uri $URI -Method Post -ContentType 'text/xml; charset=utf-8' -Body $SOAP.OuterXml -Headers $headers -UseBasicParsing

# Print the SOAP response body; confirm the task result in IM VST as well.
Write-Output $out.Content

**********************************  Script above  *****************************

 

 

The script above may be adjusted for the four (4) scenarios:

1)    No Auth; No SSL
2)    IM Auth Only; No SSL      [Current Script]
3)    IM Auth Only; SSL enabled
4)    SM Auth w/Impersonation; SSL enabled

 

 


Additional note for step #4a:

Four (4) explore option flags for the IMPS ldapsearch / etautil CLI:
eTExploreUpdateEtrust = Retrieves all managed objects.
eTExploreCorrelateUsers = Correlates accounts with existing Global Users.
eTExploreCreateUsers = Creates Global Users as needed during the correlation.
eTExploreUpdateUsers = Sets/refreshes the Global User attributes using account attribute values.

 

 

 

Cheers,

 

A.
