Explaining PX Policies (Invoking Of External Code)

Article ID: 36219


Products

CA Identity Manager, CA Identity Governance, CA Identity Portal, CA Identity Suite

Issue/Introduction

PX Policies can execute external code or commands (scripts, executables, Java code). However, it is best not to call scripts directly, and in some cases calling executables directly can also be problematic. The most robust approach is to implement a Java wrapper class that launches the desired script or executable.

CA Identity Manager does not support calling PowerShell commands directly. PowerShell returns objects instead of serialized text, so the IM application does not detect that the execution is complete.

There is a way to work around this product limitation and invoke PowerShell commands, provided you are using JDK 1.6 rather than JDK 1.5: write your own Java class that invokes PowerShell instead of relying on the internal IM code. That way your Java wrapper class can force a close.

Environment

Identity Manager 14.x

Resolution

Start by reviewing the following Tech Doc to understand the process involved in using PX to run Java code:
https://knowledge.broadcom.com/external/article/49105


Create a file such as PowershellWrapper.java containing:


package com.ca.px.example;

import java.io.IOException;

public class PowershellWrapper {

   // Invoked by the PX "Execute a main function" action; args[0] is the PX parameter (the path of the .ps1 file).
   public static void main(String[] args) throws IOException {
      if (args.length < 1) {
         throw new IllegalArgumentException("expected the path of a .ps1 file as the first parameter");
      }
      // Pass the executable and the script path as separate arguments so a path containing spaces is not split.
      String[] command = {
         "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe", args[0]
      };
      Runtime runtime = Runtime.getRuntime();
      Process proc = runtime.exec(command);
      // Close the child's stdin so PowerShell does not wait for interactive input and can exit.
      proc.getOutputStream().close();
   }

}


Then compile the file, for example:

"c:\program files\java\jdk1.6.0_29\bin\javac.exe" PowershellWrapper.java

Copy the generated PowershellWrapper.class file to your IM Server as the Tech Doc describes (for example user_console.war\WEB-INF\classes\com\ca\px\example).

If you are using the Virtual Appliance, the folder is /opt/CA/VirtualAppliance/custom/IdentityManager/iam_im.ear_user_console.war_WEB-INF_lib

If you have a cluster, copy it to all nodes.

Restart the IM Server and define your PX policy with the action rule External Codes\Run Java Code\Execute a main function.

Set the class name to com.ca.px.example.PowershellWrapper and a Parameter such as c:\\temp\\file.ps1, where file.ps1 contains your PowerShell command just as it does now.

Additional Information

PX Policies should not invoke scripts (.bat, .cmd) directly; instead, implement a Java wrapper that invokes those scripts. When a PX Policy invokes an executable or the Java wrapper, the thread waits for completion, whereas when it invokes a script the thread spawns a new cmd.exe and returns right away, leaving the new cmd.exe to execute the script.

The PX event then shows as complete regardless of whether the OS was even able to spawn the new cmd.exe, which can fail under load. The approach explained above can also be used to launch any scripts that need to be executed.
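A hardened variant of the wrapper from the Resolution, added here as an example and not code from the article or the product. It covers the two points above: it makes the PX thread wait for the script to finish and get its exit code, and it keeps the PX parameter from becoming anything other than a script path by accepting only an existing .ps1 file directly under an allow-listed directory (c:\px-scripts is an assumed location, as is the PowerShell path), passing it as a separate argument via ProcessBuilder, starting PowerShell non-interactively and draining its output so the child never blocks on a full pipe.

```java
package com.ca.px.example;

import java.io.BufferedReader;
import java.io.File;
import java.io.IOException;
import java.io.InputStreamReader;
import java.util.Arrays;

/** Example hardened PowerShell launcher for a PX "Execute a main function" action (not product code). */
public class SafePowershellWrapper {

   // Assumed locations: adjust for the IM server. Scripts must live directly under SCRIPT_DIR.
   static final String POWERSHELL = "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe";
   static final File SCRIPT_DIR = new File("c:\\px-scripts");

   /** Rejects anything that is not an existing .ps1 file directly under SCRIPT_DIR (no traversal, no extra arguments). */
   static File validateScript(String param) throws IOException {
      File script = new File(param).getCanonicalFile();   // resolves "..", relative parts and case
      if (!script.getName().toLowerCase().endsWith(".ps1")
            || !script.isFile()
            || !SCRIPT_DIR.getCanonicalFile().equals(script.getParentFile())) {
         throw new IllegalArgumentException("parameter must be an existing .ps1 file directly under " + SCRIPT_DIR);
      }
      return script;
   }

   /** Runs the script synchronously and returns PowerShell's exit code. */
   static int run(File script) throws IOException, InterruptedException {
      ProcessBuilder pb = new ProcessBuilder(Arrays.asList(
            POWERSHELL, "-NoProfile", "-NonInteractive", "-File", script.getPath()));
      pb.redirectErrorStream(true);        // one stream to drain, so the child cannot block on a full stderr pipe
      Process proc = pb.start();
      proc.getOutputStream().close();      // close the child's stdin: nothing is ever sent to it
      BufferedReader out = new BufferedReader(new InputStreamReader(proc.getInputStream()));
      for (String line; (line = out.readLine()) != null; ) {
         System.out.println("[ps1] " + line);   // ends up in the application server log
      }                                        // loop ends when PowerShell closes its output, i.e. on exit
      return proc.waitFor();
   }

   public static void main(String[] args) throws IOException, InterruptedException {
      if (args.length != 1) {
         throw new IllegalArgumentException("expected exactly one parameter: the path of a .ps1 file");
      }
      int rc = run(validateScript(args[0]));
      if (rc != 0) {
         throw new IOException("script " + args[0] + " failed with exit code " + rc);  // do not report failure as success
      }
   }
}
```

Because main() only returns after waitFor(), a non-zero exit code or a rejected parameter raises an exception rather than letting the PX event show as complete.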