Topic
  • 6 replies
  • Latest Post - ‏2008-09-19T14:15:10Z by Sundar123
SystemAdmin
SystemAdmin
9855 Posts

Pinned topic ITIM: setting the erPassword attribute by means of a custom workflow

‏2006-12-18T12:26:05Z |
Hi guys,
I want to customize the ChangePassword workflow to syncronize the password of two different account, ie, when the ITIM password is changed , the same password will be set in the windows account. If it will be a normal attribute, next code will work...

[i]password = TIMAccount.getProperty("erPassword")[0];
WinAccount.setProperty("erPassword",password );[/i]

Any ideas?.

I am working with ITIM 4.5.1 and the error message says:

[i]2006-12-18 12:23:57,934:queue:///WQ_itim_wf?persistence=2-6<ERROR:com.ibm.itim.workflow.engine.WorkflowEngine>Application ac
tivity exception. http://java.lang.ClassCastException java.lang.String
java.lang.ClassCastException: java.lang.String
at com.ibm.itim.common.AttributeValue.getBytes(AttributeValue.java:469)
at com.ibm.itim.dataservices.model.domain.Account.getPassword(Account.java:336)
at com.ibm.itim.workflowextensions.RemoteServicesAdapter.changePassword(RemoteServicesAdapter.java:427)
at com.ibm.itim.workflowextensions.AccountExtensions.changePassword(AccountExtensions.java:1020)
at java.lang.reflect.Method.invoke(Native Method)
at com.ibm.itim.workflow.engine.ApplicationActivityExecutor.execute(ApplicationActivityExecutor.java(Compiled Code))
at com.ibm.itim.workflow.engine.WorkflowEngine.executeActivity(WorkflowEngine.java:2526)
at com.ibm.itim.workflow.engine.WorkflowEngine.processMessage(WorkflowEngine.java:587)
at com.ibm.itim.workflow.engine.ExecutionContext.processMessage(ExecutionContext.java:975)
at com.ibm.itim.workflow.engine.MessageRouter.onMessage(MessageRouter.java:75)
at com.ibm.itim.messaging.MessageManagerListener.processTransactedQueue(MessageManagerListener.java(Compiled Code))
at com.ibm.itim.messaging.MessageManagerListener.run(MessageManagerListener.java:306)
[/i]
Updated on 2008-09-19T14:15:10Z at 2008-09-19T14:15:10Z by Sundar123
  • SystemAdmin
    SystemAdmin
    9855 Posts

    Re: ITIM: setting the erPassword attribute by means of a custom workflow

    ‏2007-08-30T11:41:31Z  
    Hi,

    I have the same problem. Is this issue solved?

    thanks,
    Gergely
  • SystemAdmin
    SystemAdmin
    9855 Posts

    Re: ITIM: setting the erPassword attribute by means of a custom workflow

    ‏2007-08-30T12:05:46Z  
    Hi,

    I have the same problem. Is this issue solved?

    thanks,
    Gergely
    I'm not sure that you can do that - at least at 4.5.1.

    ITIM will do that for you if you check "Enable password synchronization", or if the password change comes from a password interceptor.

    If you really have to do it yourself in a workflow then in 4.6 (not 4.5) there are un-documented (and therefore unsupported) calls to decrypt and re-encrypt the password. Tried them in a lab & they were fine - wasn't keen on deploying them myself - they may also have been depreciated;
    entity.get().getAndDecryptPassword();
    entity.get().setAndEncryptPassword(String);

    Big health warning if you use them.....

  • SystemAdmin
    SystemAdmin
    9855 Posts

    Re: ITIM: setting the erPassword attribute by means of a custom workflow

    ‏2007-08-30T12:51:16Z  
    I'm not sure that you can do that - at least at 4.5.1.

    ITIM will do that for you if you check "Enable password synchronization", or if the password change comes from a password interceptor.

    If you really have to do it yourself in a workflow then in 4.6 (not 4.5) there are un-documented (and therefore unsupported) calls to decrypt and re-encrypt the password. Tried them in a lab & they were fine - wasn't keen on deploying them myself - they may also have been depreciated;
    entity.get().getAndDecryptPassword();
    entity.get().setAndEncryptPassword(String);

    Big health warning if you use them.....

    Thaks for the help.
    It is working for me!
  • SystemAdmin
    SystemAdmin
    9855 Posts

    Re: ITIM: setting the erPassword attribute by means of a custom workflow

    ‏2007-08-30T17:19:16Z  
    I'm not sure that you can do that - at least at 4.5.1.

    ITIM will do that for you if you check "Enable password synchronization", or if the password change comes from a password interceptor.

    If you really have to do it yourself in a workflow then in 4.6 (not 4.5) there are un-documented (and therefore unsupported) calls to decrypt and re-encrypt the password. Tried them in a lab & they were fine - wasn't keen on deploying them myself - they may also have been depreciated;
    entity.get().getAndDecryptPassword();
    entity.get().setAndEncryptPassword(String);

    Big health warning if you use them.....

    Poorly documented maybe, but I don't believe they are unsupported. (But I don't speak for ITIM support, so I might be wrong.)

    There are a few more details to using these methods. First, you must add the property "javascript.password.access.enabled=true" to your fesiextensions.properties file.

    Second, there are similar methods available on person objects, but the names are getAndDecryptSyncPassword and setAndEncryptSyncPassword. These only work if you have password synchronization enabled.

    Finally, the getAndDecryptPassword method only works on account objects that are passed as inputs to your workflow. It will not work on account you read from the directory using something such as AccountSearch.searchByFilter(). The reason is that the account objects passed as inputs to the workflow have encrypted passwords, so that the passwords can be decrypted and sent to an adapter. But the account objects that are stored in the directory have hashed passwords. There is no way to decrypt those.
  • SystemAdmin
    SystemAdmin
    9855 Posts

    Re: ITIM: setting the erPassword attribute by means of a custom workflow

    ‏2007-09-19T10:29:06Z  
    Hi,

    Can u please share some sample code that can be used to run a custom workflow through java.
    If possible it should use sun java apis otherwise please provide me path from where i can get ibm java apis.

    Thanks
  • Sundar123
    Sundar123
    11 Posts

    Re: ITIM: setting the erPassword attribute by means of a custom workflow

    ‏2008-09-19T14:15:10Z  
    Poorly documented maybe, but I don't believe they are unsupported. (But I don't speak for ITIM support, so I might be wrong.)

    There are a few more details to using these methods. First, you must add the property "javascript.password.access.enabled=true" to your fesiextensions.properties file.

    Second, there are similar methods available on person objects, but the names are getAndDecryptSyncPassword and setAndEncryptSyncPassword. These only work if you have password synchronization enabled.

    Finally, the getAndDecryptPassword method only works on account objects that are passed as inputs to your workflow. It will not work on account you read from the directory using something such as AccountSearch.searchByFilter(). The reason is that the account objects passed as inputs to the workflow have encrypted passwords, so that the passwords can be decrypted and sent to an adapter. But the account objects that are stored in the directory have hashed passwords. There is no way to decrypt those.
    Method names are setAndEncryptSynchPassword,getAndDecryptSynchPassword (with 'h')atleast in TIM 5.0

    Regards,
    Sundar