10.12 Working with Integration Activities

The Integration activity is an activity that allows workflows to exchange data with arbitrary Web services. Data sent to a Web service can integrate an individual workflow with other systems, inside and outside the organization. Data received from a Web service can provide decision support information on approval forms.

You create flowdata variables to move data from the workflow to the Web service for processing. The Integration activity automatically creates an action model for working with a Web service based on a WSDL document that you specify.

An action model is a visual representation of a set of instructions for processing XML documents and communicating with XML data sources. An action model performs all data mapping, data transformation, and data transfer within an Integration activity. You can edit the action model to manipulate data before and after the data is submitted to the Web service. You then map the data from the Integration activity back to flowdata variables for use in the workflow.

10.12.1 Adding an Integration Activity

IMPORTANT:Make sure that you have the same certificate as the Web service from which the WSDL file was obtained. Workflow Service uses this certificate to authenticate the Web service and establish a connection when the workflow is initiated. For more information on how to import the certificate, see Adding a Web Service Authentication Certificate to Workflow Service.

To add an Integration activity to a workflow:

  1. Log in to the Workflow Administration Console and navigate to Catalog > Workflow.

  2. Create a new workflow. (see Creating a Workflow).

  3. Select the newly created workflow. The workflow opens into the Workflow Builder tab.

  4. Drag an Integration activity from the palette and place it in the desired location in the workflow.

  5. In the INTEGRATION ACTIVITY properties view, type a name for the activity in the Name field.

  6. Click the edit icon for the WSDL Resource property to display a dialog box.

  7. Browse your file system to locate the WSDL file for the Web service that you want to use. Click the name of the WSDL file, then click Open.

    A dialog box that allows you to select a port type and operation for the Web service is displayed.

    The Select Port Type list includes a set of port types supported by the Web service. Each port type supports operations that include the input and output messages of the operation.

    This window allows you to specify the SOAP endpoint, the user ID used to access the SOAP endpoint, and the password used to access the SOAP endpoint. These options are all ECMAScript expressions and can be GCV values. Use the ECMA expression builder to configure the expressions you want to use.

    NOTE:The Use new WSDL Generation type option enables Workflow Builder to build the Integration activity using an XML Interchange action instead of a WS Interchange action. It is recommended that you leave this option selected, because the WSDL parsing is more robust, and the resulting Integration activity does not require the WSDL document be maintained as part of the provisioning request definition and is smaller in size.

  8. Select a port type from the Select Port Type list.

  9. Select an operation from the Select Operation list.

  10. If you want to specify a SOAP endpoint, specify a SOAP endpoint URL, either by selecting the URL from the Select Soap Service Endpoint Expression list or by clicking the edit icon and using the ECMA expression builder to configure an expression that resolves to the SOAP endpoint URL.

    NOTE:Ensure that you specify the private key in DER format (PKCS8) and without a password. You can convert the private key from PKS12 to PKCS8 format by running an OpenSSL command. For example, openssl pkcs8 -topk8 -inform PEM -outform DER -in key.pem -nocrypt > key

  11. If you want to use basic authentication for a SOAP endpoint, complete the following steps:

    1. Select SOAP Service requires Basic Authentication.

    2. In the User ID Expression field, click the edit icon and use the ECMA expression builder to specify an expression that resolves to the user ID used to access the SOAP endpoint.

    3. In the Password Expression field, click the edit icon and use the ECMA expression builder to specify an expression that resolves to the password used to access the SOAP endpoint.

  12. Click OK.

    The Integration activity creates an action model based on the WSDL document. You can use the action model at design time to test the input to the Web service, test the response from the Web service, and map and transform data, if necessary, before returning the data to the workflow.

    For many Web services, you don’t need to concern yourself with the action model. You simply create data item mappings for the Integration activity.

  13. Specify the Timeout, Retry Count, and Final Timeout Action properties (see Integration Activity).

10.12.2 Moving Data to and from the Integration Activity

  1. Create form fields to allow users to provide input to the Web service accessed by the Integration activity (see Creating New Forms). For example, if you are working with a Web service that provides stock quotes, you need a field for the user to specify a stock symbol.

  2. To move user input from the form to the workflow, create a flowdata variable in an activity that precedes the Integration activity in the workflow.

    For example, if you have created a form field called “symbol” to accept a stock symbol for input to the Web service, you would go to the post-activity data item mapping for the activity associated with the form that contains the symbol field, then you would map the symbol field to a flowdata variable (for example, flowdata.symbol).

  3. In the Workflow Builder tab, select the Integration activity icon, then select the Data Items tab.

  4. Select Pre Activity.

    In the Web Service Input Field grid, you should see fields that match all of the input fields associated with the port type and operation specified in Step 8 and Step 9.

    The integration activity automatically selects all of the input field associated with the port type and operation. You can remove the input fields by following this procedure:

    1. Click Mapping.

      The Modal window is displayed.

    2. Expand the nodes and deselect any input fields that you want to remove.

    3. Click Ok to return to the Data Items tab.

      IMPORTANT:The Integration activity does not support multivalued fields. As a result, the Web service response will contain only one value, even if you select an operation with input field that returns multiple values. For example, the getWorkEntries operation, which is used to query work entries (activities) and returns a list of WorkEntry objects, will only return the first work entity object in the logs.

  5. For each Web Service Input Field, click in the Source Expression field, then click the ECMA expression builder button.

    The ECMA expression builder is displayed.

  6. Expand the flowdata node in the ECMAScript Objects pane of the ECMA expression builder, then double-click the flowdata variable for the user input to the Web service.

  7. Click OK to return to the Data Item Mapping view.

  8. Select Post Activity.

    In the Web Service Output Field grid, you should see fields that match all of the output fields associated with the port type and operation specified in Step 8 and Step 9.

  9. The Integration activity automatically selects all of the output fields associated with the port type and operation. If you want to remove some of the output fields, follow these steps:

    1. Click Mapping.

      The Sample Document dialog box is displayed.

    2. Expand the nodes of the sample document and deselect any attributes that you want to remove.

    3. Click OK to return to the Data Item Mapping view.

  10. Click Map All to automatically create flowdata variables for each Web Service Output Field.

    Alternatively, for each Web Service Output Field, click in the Source Expression field, then click the ECMA expression builder button.

  11. Expand the flowdata node in the ECMAScript Objects pane of the ECMA expression builder, then double-click the flowdata variable that will receive data from the Web service.

  12. If you want to configure the Integration activity to provide more detailed information about any potential SOAP faults that might be encountered during the SOAP call of the activity, select Fault Maps in the Data Item Mapping view and click Map All. If Identity Manager encounters a SOAP fault, the Integration activity executes the fault maps to provide further details.

  13. Click OK to close the ECMA expression builder.

    Now you can work in the Integration view to test and refine the interaction with the Web service.

10.12.3 Adding a Web Service Authentication Certificate to Workflow Service

Before adding a WSDL file to the Integration activity, export the certificate from the Web service, import it into the cacerts directory of Workflow Service, and restart Tomcat.

You can use the following keytool command to import the certificate file:

/opt/netiq/idm/apps/jdk/jre/bin/keytool -import -alias aliasName -file certFile -keystore /opt/netiq/idm/apps/jdk/jre/lib/security/cacerts

  • Replace aliasName with a unique name of your choice for this certificate.

  • Replace certFile with the name of your certificate file.

For example,

/opt/netiq/idm/apps/jdk/jre/bin/keytool -import -alias idm -file certfile.cer -keystore /opt/netiq/idm/apps/jdk/jre/lib/security/cacerts

10.12.4 Troubleshooting Issues with Integration Activity

The following table lists the issues you might encounter and the suggested actions for working on these issues.

Issue

Suggested Actions

When a workflow with an Integration activity is initiated, Workflow Service tries and fails to authenticate the Web service. The following error is reported in the Catalina log file:

<m:Message>com.sssw.b2b.rt.GNVException: rt001801:Document I/O error: peer not authenticated;---&gt; nested javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated</m:Message> </m:FaultInfo>

Ensure that you have the same certificate as the Web service from which the WSDL file was obtained. For instructions on how to import the certificate, see Adding a Web Service Authentication Certificate to Workflow Service.

When using the flowdata.get() method, the Log activity is unable to retrieve data from an Integration activity. This behavior is only seen in a few SOAP endpoints, such as getEngineState, getProcess, and getVersion, as well as the majority of APIs in the roles WSDL file. This issue occurs when the WSDL parser eliminates SOAP return values that are contained in an attribute from the Web service response while copying them to the Integration activity’s Web service output fields. As a result, the log activity is unable to retrieve entire data using the flowdata.get() method.

To resolve this issue, you must ensure the following:

  • When defining expressions in the Log activity, use the flowdata.getObject() ECMAScript instead of flowdata.get() to retrieve data items from an Integration activity.

    NOTE:The flowdata.getObject() returns a Java arraylist of DOM nodes.

    For example, if you want to get the version of the Web service using the getVersion endpoint, you must specify the following ECMA expression in the Log activity’s Comment field: flowdata.getObject('Integration_<N>/Envelope/Body/getVersionResponse/Version').get(0).getAttribute('<name>')

    Where, <N> denotes the unique identifier for the Integration activity.

    .get(0) is the first element for an array list, that is the Version DOM element.

    <name> is the value of the attribute in the form of a string. For example, major, minor, and revision.

  • When mapping the Web service response back into the flowdata object (post-activity mapping) in the Integration activity, make sure that you select the parent fields and deselect all other output fields in the Mapping modal window.

    For example, for getEngineState endpoint, click Post Activity > Mapping in Data Items tab, and select the getEngineStateResponse and Envelope check boxes.