Tuesday, March 16, 2010

Installing Oracle Identity Management 11g R1 (11.1.1.1)

Introduction:

Oracle Identity Management enables enterprises to manage the end-to-end lifecycle of user identities across all enterprise resources—both within and beyond the firewall. With Oracle Identity Management, you can deploy applications faster, apply the most granular protection to enterprise resources, automatically eliminate latent access privileges, and much more.

Oracle Identity Management 11g Release 1 (11.1.1) includes the following components:

  • Oracle Internet Directory
  • Oracle Directory Integration Platform
  • Oracle Virtual Directory
  • Oracle Directory Services Manager
  • Oracle Identity Federation

In this post we will see the installation of Oracle Identity Management 11g R1 (11.1.1.1). As mentioned before, the approach for installing Oracle 11g FMW components is different from that for 10g components, so I will describe the approach for installing Oracle Identity Management 11g.

Brief Installation Steps:

Following are the brief steps for installing Oracle Identity Management 11g

1) Install database 11g (11.1.0.6 / 11.1.0.7) including configuring TNS and listener
2) Create repository using Oracle RCU (Repository Creation Utility)
3) Install WLS (weblogic Server) and create a middleware home
4) Install Oracle Identity Management 11g inside middleware home

The installation will install and configure the complete Identity Management and provide the access URLs.

Download Locations:

You can download all the required software from the following locations:

Oracle Database 11g (11.1.0.6/11.1.0.7) – http://www.oracle.com/technology/software/products/database/index.html

Oracle IDM 11g – http://www.oracle.com/technology/software/products/middleware/htdocs/111110_fmw.html (Download the product Identity Management)

Oracle RCU – http://www.oracle.com/technology/software/products/middleware/htdocs/111110_fmw.html

Oracle WLS 10.3.1 – http://www.oracle.com/technology/software/products/ias/htdocs/wls_main.html

Step 1) Install database 11g including configuring TNS and listener

For this you can refer to the previous post on database installation and create an 11g database. Also create a listener on any available port and configure TNS for the database.

Step 2) Create repository using Oracle RCU (Repository Creation Utility)

Using RCU, you can create the repository for IDM. You don't have to install RCU to use it: RCU comes as a zip file along with the Identity Management software download. Once you unzip it, run the <RCU_UNZIP>/bin/rcu binary.

This will invoke a GUI. On the first page you can select "Create Repository" and click on next.

On the next page RCU will ask for database details in which you want to create the repository. The page will look as shown below

Once you connect to the database, on the next page you need to select the repository that you want to create. Here select "Identity Management" as shown below. You can also use any prefix for these schemas; every schema created will have that prefix string prepended to its name, in this case DEV. Note that nothing is prefixed to the ODS schema. This schema is used for the OID and SSO configuration.


Once you click Next, it will show the summary and will create the tablespaces if they don't exist. After tablespace creation, click Create and it will create the required repository schemas.

Step 3) Install WLS (weblogic Server) and create a middleware home

The next step is to install WebLogic Server. Carry out the basic installation of WLS. You need to provide a new location for the middleware home when asked, as shown below.


Next it will ask for the location of weblogic. Here you can accept the default value as it will be created inside middleware home.

Select all other values as default and install WLS.

Step 4) Installing IDM 11g.

IDM installation involves many steps and screens. Please follow the below screen shots for installing IDM

When you start the IDM installer, you will see a welcome screen. Click on next.

Next you will see "Install option" screen. In this screen select "Install and Configure". Click on next.

The installer will perform the pre-requisite checks. Click on next.

In the next screen "Select Domain", click on "Create new domain" as shown below

On the next screen, specify the install location inside the middleware home. Click Next.

Select default values for next screen – Security Updates. Click Next.

On configure components screen, keep the default values. Click Next

On configure port screen, you can choose Automatic port assignment. Click Next.

On "Specify Oracle Virtual Directory Information" page, provide the inputs as shown in the screen below

Here you need to specify the password for orcladmin. Remember the password you are setting here as you will need that at many places later. Click on Next.

On the "Specify Schema Database" page, specify the details of the ODS schema that we created using the Repository Creation Utility (step 2). You also need to provide the ODS schema password you set while running RCU in step 2, as shown below.

On the "Create Oracle Internet Directory" screen, specify the Realm and the orcladmin password. Note that this orcladmin user is different from the one we set a couple of screens back: this orcladmin user is for OID, whereas the previous orcladmin user was for OVD.

Next, On "Specify OIF Details" page, specify the PKCS12 password and the domain name for OIF as shown below

On the rest of the screens you can keep the default values and submit the installation. The installation completes in approximately 45 minutes. Once the installation and all configuration assistants complete successfully, you can log in to the WebLogic console.

The default port for the WebLogic console is 7001, so the console URL becomes:

http://<hostname>:7001/console

User name: weblogic
Password: as specified while installing WLS in step 3)

Once you log in, you will see the managed servers created for OID and OIF.

Email Notification in OIM

For setting email notifications for OIM, follow these steps.

1. To set up your email server.
a. Make sure that you have a parameter called Email Server with Keyword XL.MailServer in
Administration -> System Configuration tab in the Design Console.
b. Create an IT resource with following values:
Name : Email Server
Type : Mail Server
Authentication: False/True (as required. If set to true provide User Login, Password)
Server name: <server IP>

d. Select the Email Definition defined in step 2 above and assign it to the task.
e. Check for - Requester, User and User Manager and map the status to 'C'.
f. In the RESPONSE tab, Set the response as 'C' and set Status field as complete.
g. In the TASK TO OBJECT STATUS MAPPING, make the object status to provisioned.
h. In the Integration tab, add System adapter 'tcCompleteTask' and save.

4. Now provision a user with this resource object and check if email notification is triggered.

Setup of Email Notification for Oracle Identity Manager Users Created Via Reconciliation

This document provides instructions on how to set up a notification that sends an email to an administrator when a user is added to Oracle Identity Manager via reconciliation with a trusted source.

Since the Xellerate User provisioning process is a system process, you are only allowed to modify Reconciliation Insert Received and Reconciliation Update Received. You are not allowed to setup email notifications for the tasks of Add, Delete, Enable, or Disable a user by modifying the Xellerate User provisioning process definition.

After completion of these steps an email notification will be sent to a recipient when an insert (create new user) or update reconciliation event is created by a scheduled task reconciling with a trusted source.

Solution

1. Ensure that the logging for the XELLERATE category is set to debug in the log4j.xml configuration file:
<category name="XELLERATE">
<priority value="DEBUG"/>
</category>



2. Check to see if there are any firewalls or routers between the OIM server and the smtp server. If any exist, ensure that they are setup to allow smtp traffic between the OIM server and the smtp server.

3. In the Design Console, ensure that you have a properly configured email server IT Resource with the same name as in the System Configuration:
a. Open the Administration - System Configuration form, perform a query for all objects, and look for the email server specification which has the keyword "XL.MailServer". The object name shown to the right is the IT Resource name that will be used to send email notifications.
b. Open Resource Management - IT Resources, perform a query, and locate the IT Resource with the name determined from the System Configuration. If none exists create one or modify the name of the existing email IT Resource if it has been created with a different name.
c. Check the IT Resource to verify that it has the correct information to connect to the smtp server.

4. Create an email template or use an existing one. The email templates are found in the Design Console under Process Management - Email Definition. Please refer to the "Oracle Identity Manager Design Console Guide" for more information on creating email templates and inserting dynamic variables such as the User Login from the Target: "User Profile Information".

5. In the Design Console add the email notification information in the Reconciliation Insert Received (or Reconciliation Update Received) process task for Xellerate User:
a. Open Process Management - Process Definition and query for "Xellerate User"
b. Double-click on the box to the left of the task "Reconciliation Insert Received" (or "Reconciliation Update Received").
c. In the pop-up window, click on the Assignment tab and configure to use the default rule, target type User, and set the "User" column to the login of the user who should receive the email notifications.
d. Click on the Notification tab and check the "Assignee" checkbox, set the status to "C" for Completed, and then set the Email column to the email template to send.

6. In the Administrative Console, verify that the sender specified in the email template has a valid email address. Also, verify that the recipient has a valid email address.

With the logging level for XELLERATE set to debug, you should see an entry in the log similar to the following but with the configuration information that you specify. This log will assist in troubleshooting any email connection, authentication, or other email processing errors. Note that this email IT Resource is configured for authentication to the smtp server.

2010-04-03 11:55:12,921 INFO [STDOUT] DEBUG SMTP: useEhlo true, useAuth true
2010-04-03 11:55:12,921 INFO [STDOUT] DEBUG SMTP: useEhlo true, useAuth true
2010-04-03 11:55:12,937 INFO [STDOUT] DEBUG SMTP: trying to connect to host "192.168.0.3", port 25
2010-04-03 11:55:12,953 INFO [STDOUT] 220 ten.mydomain.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.1830 ready at Thu, 3 Apr 2010 10:56:39 -0500
2010-04-03 11:55:12,953 INFO [STDOUT] DEBUG SMTP: connected to host "192.168.0.3", port: 25
2010-04-03 11:55:12,953 INFO [STDOUT] EHLO WIN3KEE
2010-04-03 11:55:12,968 INFO [STDOUT] 250-ten.mydomain.com Hello [192.168.0.2]
250-TURN
250-SIZE
250-ETRN
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-8bitmime
250-BINARYMIME
250-CHUNKING
250-VRFY
250-X-EXPS GSSAPI NTLM LOGIN
250-X-EXPS=LOGIN
250-AUTH GSSAPI NTLM LOGIN
250-AUTH=LOGIN
250-X-LINK2STATE
250-XEXCH50
250 OK
2010-04-03 11:55:13,000 INFO [STDOUT] DEBUG SMTP: Found extension "TURN", arg ""
2010-04-03 11:55:13,000 INFO [STDOUT] DEBUG SMTP: Found extension "SIZE", arg ""
2010-04-03 11:55:13,000 INFO [STDOUT] DEBUG SMTP: Found extension "ETRN", arg ""
2010-04-03 11:55:13,000 INFO [STDOUT] DEBUG SMTP: Found extension "PIPELINING", arg ""
2010-04-03 11:55:13,000 INFO [STDOUT] DEBUG SMTP: Found extension "DSN", arg ""
2010-04-03 11:55:13,000 INFO [STDOUT] DEBUG SMTP: Found extension "ENHANCEDSTATUSCODES", arg ""
2010-04-03 11:55:13,000 INFO [STDOUT] DEBUG SMTP: Found extension "8bitmime", arg ""
2010-04-03 11:55:13,015 INFO [STDOUT] DEBUG SMTP: Found extension "BINARYMIME", arg ""
2010-04-03 11:55:13,015 INFO [STDOUT] DEBUG SMTP: Found extension "CHUNKING", arg ""
2010-04-03 11:55:13,015 INFO [STDOUT] DEBUG SMTP: Found extension "VRFY", arg ""
2010-04-03 11:55:13,015 INFO [STDOUT] DEBUG SMTP: Found extension "X-EXPS", arg "GSSAPI NTLM LOGIN"
2010-04-03 11:55:13,015 INFO [STDOUT] DEBUG SMTP: Found extension "X-EXPS=LOGIN", arg ""
2010-04-03 11:55:13,015 INFO [STDOUT] DEBUG SMTP: Found extension "AUTH", arg "GSSAPI NTLM LOGIN"
2010-04-03 11:55:13,031 INFO [STDOUT] DEBUG SMTP: Found extension "AUTH=LOGIN", arg ""
2010-04-03 11:55:13,031 INFO [STDOUT] DEBUG SMTP: Found extension "X-LINK2STATE", arg ""
2010-04-03 11:55:13,031 INFO [STDOUT] DEBUG SMTP: Found extension "XEXCH50", arg ""
2010-04-03 11:55:13,031 INFO [STDOUT] DEBUG SMTP: Found extension "OK", arg ""
2010-04-03 11:55:13,031 INFO [STDOUT] DEBUG SMTP: Attempt to authenticate
2010-04-03 11:55:13,031 INFO [STDOUT] AUTH LOGIN
2010-04-03 11:55:13,046 INFO [STDOUT] 334 VXNlcm5hbWU6
2010-04-03 11:55:13,046 INFO [STDOUT] YWRtaW5pc3RyYXRvcg==
2010-04-03 11:55:13,046 INFO [STDOUT] 334 UGFzc3dvcmQ6
2010-04-03 11:55:13,046 INFO [STDOUT] YWJjZDEyMzQ=
2010-04-03 11:55:13,062 INFO [STDOUT] 235 2.7.0 Authentication successful.
2010-04-03 11:55:13,062 INFO [STDOUT] DEBUG SMTP: use8bit false
2010-04-03 11:55:13,078 INFO [STDOUT] MAIL FROM:<administrator@mydomain.com>
2010-04-03 11:55:13,078 INFO [STDOUT] 250 2.1.0 administrator@mydomain.com....Sender OK
2010-04-03 11:55:13,078 INFO [STDOUT] RCPT TO:<administrator@mydomain.com>
2010-04-03 11:55:13,078 INFO [STDOUT] 250 2.1.5 administrator@mydomain.com
2010-04-03 11:55:13,078 INFO [STDOUT] DEBUG SMTP: Verified Addresses
2010-04-03 11:55:13,093 INFO [STDOUT] DEBUG SMTP: administrator@mydomain.com
2010-04-03 11:55:13,093 INFO [STDOUT] DATA
2010-04-03 11:55:13,093 INFO [STDOUT] 354 Start mail input; end with <CRLF>.<CRLF>
2010-04-03 11:55:13,093 INFO [STDOUT] Message-ID: <27633417.1207238112921.JavaMail.administrator@WIN3KEE>
Date: Thu, 3 Apr 2010 11:55:12 -0400 (EDT)
From: administrator@mydomain.com
To: administrator@mydomain.com
Subject: OIM User Added by reconciliation
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

An OIM User OIM008 was added.
.
2010-04-03 11:55:13,781 INFO [STDOUT] 250 2.6.0 <27633417.1207238112921.JavaMail.administrator@WIN3KEE> Queued mail for delivery
2010-04-03 11:55:13,781 INFO [STDOUT] QUIT
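Note what the log above contains: with useAuth true, the AUTH LOGIN dialogue is written out in full, and the two client responses after the "334" challenges are the SMTP user name and password in base64, which is an encoding, not a protection. A log written at this level therefore has to be handled as a credential-bearing file, and the DEBUG setting should be reverted once the email problem is solved. The following Python script is an added example (not part of the note, not Oracle code) that finds such exchanges in a JavaMail-style log and produces a copy with the credential lines replaced. It assumes the log4j prefix format seen above ("... [STDOUT] "), takes its SAMPLE_LOG from the lines quoted above, and also handles the one-line AUTH PLAIN variant (SAMPLE_PLAIN_LOG is a constructed line with made-up credentials). The user name is decoded so the affected account can be identified for rotation; the password is never returned.

```python
import base64
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: the AUTH LOGIN exchange from the JavaMail debug log quoted above
SAMPLE_LOG = """\
2010-04-03 11:55:13,031 INFO [STDOUT] DEBUG SMTP: Attempt to authenticate
2010-04-03 11:55:13,031 INFO [STDOUT] AUTH LOGIN
2010-04-03 11:55:13,046 INFO [STDOUT] 334 VXNlcm5hbWU6
2010-04-03 11:55:13,046 INFO [STDOUT] YWRtaW5pc3RyYXRvcg==
2010-04-03 11:55:13,046 INFO [STDOUT] 334 UGFzc3dvcmQ6
2010-04-03 11:55:13,046 INFO [STDOUT] YWJjZDEyMzQ=
2010-04-03 11:55:13,062 INFO [STDOUT] 235 2.7.0 Authentication successful.
"""

# Constructed sample of the one-line AUTH PLAIN variant (made-up credentials "bob" / "hunter2")
SAMPLE_PLAIN_LOG = ("2010-04-03 11:55:13,031 INFO [STDOUT] AUTH PLAIN "
                    + base64.b64encode(b"\0bob\0hunter2").decode("ascii") + "\n")

REDACTED = "[REDACTED]"
LOG_PREFIX = re.compile(r"^(.*?\[STDOUT\] )(.*)$")   # log4j prefix used by the log above (assumption)
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{4,}={0,2}$")


@dataclass
class Finding:
    line_no: int   # 1-based line of the log that carried the credential
    kind: str      # "username" or "password"
    value: str     # decoded user name (so the account can be rotated); passwords are never returned


def _split(line: str) -> Tuple[str, str]:
    """Separate the log4j prefix from the SMTP payload; lines without a prefix are kept whole."""
    m = LOG_PREFIX.match(line)
    return (m.group(1), m.group(2).strip()) if m else ("", line.strip())


def _b64decode(token: str) -> str:
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except ValueError:          # binascii.Error is a ValueError
        return ""


def scan_smtp_debug_log(text: str) -> Tuple[List[Finding], str]:
    """Return (findings, redacted_log) for a JavaMail-style SMTP debug log.

    AUTH LOGIN is a challenge/response dialogue: the server sends "334 <base64 prompt>"
    and the client answers with the base64 of the user name, then of the password.
    """
    findings: List[Finding] = []
    out: List[str] = []
    expecting = None   # None, "challenge", "username" or "password"
    for line_no, line in enumerate(text.splitlines(), start=1):
        prefix, payload = _split(line)
        upper = payload.upper()
        if upper == "AUTH LOGIN":
            expecting = "challenge"
        elif upper.startswith("AUTH PLAIN ") and len(payload.split()) == 3:
            # AUTH PLAIN carries "\0authcid\0password" base64-encoded on the same line
            fields = _b64decode(payload.split()[2]).split("\0")
            if len(fields) == 3:
                findings.append(Finding(line_no, "username", fields[1]))
                findings.append(Finding(line_no, "password", REDACTED))
                payload = "AUTH PLAIN " + REDACTED
        elif expecting == "challenge" and payload.startswith("334 "):
            prompt = _b64decode(payload[4:]).lower()
            expecting = ("username" if prompt.startswith("username")
                         else "password" if prompt.startswith("password") else "challenge")
        elif expecting in ("username", "password") and B64_TOKEN.match(payload):
            value = _b64decode(payload) if expecting == "username" else REDACTED
            findings.append(Finding(line_no, expecting, value))
            payload = REDACTED
            expecting = "challenge"
        elif expecting and payload[:3] in ("235", "535", "501", "454"):
            expecting = None   # authentication finished (success or failure)
        out.append(prefix + payload)
    redacted = "\n".join(out) + ("\n" if text.endswith("\n") else "")
    return findings, redacted


if __name__ == "__main__":
    found, cleaned = scan_smtp_debug_log(SAMPLE_LOG)
    for f in found:
        print(f"line {f.line_no}: {f.kind} = {f.value}")
    print(cleaned)
```

The redacted copy keeps every other line, including the "334" challenges and the "235" result, so it remains usable for the connection and authentication troubleshooting the note describes.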


Unable to Access User Profile Information with Approval Notification Email Definition

CONDITION

An email definition that is used to notify administrators / approvers of pending approval tasks has been created. The name of the user who made the request was not included in the notification email even though the <User Profile Information.First Name> tag was in the definition. It does not appear as though any of the variables for 'User Profile Information' are available. When setting the email definition as Provisioning Related, Request Related or General information, tags such as

<User Profile Information.First Name>

are not replaced with the appropriate First Name of the user in question.

It was expected that email would include the First Name of the user for this request replaced in for the <User Profile Information.First Name> tag.

For approval processes, as there can be more than one target user that the approval is for, the Oracle Identity Manager (OIM) server would not know which user to obtain the User Profile Information for and use it in the email notification.

How to Fix

As mentioned above, as a single approval can be for a set of users, OIM would not be able to know which user should be used in retrieving User Profile Information to be used in a notification email.

This type of dynamic substitution with User Profile Information is not supported for Approval notifications.

How to Send an Email Notification Upon User Creation via the Admin Console

REQUIREMENT

It is desired to send a notification email to a user after an identity record is created in Oracle Identity Manager (OIM) via the Admin Console. Where does the email template get attached for this, and how is that done so that an OIM account holder gets the email notification?

A notification cannot be added to the Add User task in the Xellerate User provisioning process definition. But you can add a notification to the Reconciliation Insert Received Task as documented in that same Tech Note, for user accounts created via a trusted reconciliation.

If you want to send a notification for a user created via the Admin Console then you would need to employ a new task in the Xellerate User provisioning process instead. The steps below assume that the initial configuration of an email server and related steps required for making use of email notification have been completed already. For more info on those steps you may refer to Chapter 6 of the Design Console Guide for your version of OIM.

  1. Open the "Xellerate User" provisioning process definition in the Design Console -> Process Management -> Process Definition.
  2. Add a new task called "Notify" for example.
  3. Check Required for Completion, Allow Cancel and optionally Disable Manual Insert.
  4. In the Integration tab, add tcCompleteTask.
  5. In the assignment tab, add an entry with the Default rule, target type of User, and for the User field pick an existing user with a valid email address in their User Profile.
  6. In the Notification tab add an entry and check Assignee, have the Status field set to C and for the Email field pick a Provisioning type of Notification Template that you have already created
  7. Make sure the other steps from the mentioned notes are completed for the IT Resource and email configuration.
  8. Now create some new user and the email notification should be sent to the user from step 5.

Oracle® Identity Management Certification Information 10g (10.1.4.0.1)

How to Stop a Scheduled Task in OIM

OIM scheduled tasks must be written to recognize the stop execution method. Below is an example of how to accomplish this:

Questions and Answers

  1. Declare a boolean field (referred to as "flag" from here onwards) in your schedule task code.
  2. Implement the stop() method in your schedule task. This method is invoked whenever you select the "Stop Execution" option on a running schedule task and save the entry using the Task Scheduler form.
  3. Set the flag (defined in step 1) to a boolean value in this stop() method, so that the flag's value can be used in the main execute() method to stop the loop in which you iteratively process the records obtained by the search on the target from which you are reconciling.
  4. Put an implementation in your schedule task source code based on the logic in the sample code given below to implement the stop() method:

import com.thortech.xl.scheduler.tasks.SchedulerBaseTask;

public class SampleSchTaskWithStopMethod extends SchedulerBaseTask {

    // The flag set by stop(). It is volatile because stop() is called from the
    // scheduler's thread while execute() reads it in its own thread.
    public volatile boolean stopped = false;

    // Number of records returned by the search on the target; filled in by your search code
    private int numberOfRecordsRetrievedOnSearch;

    public SampleSchTaskWithStopMethod() {
        // ...
    }

    public void execute() {
        // Check the flag (set in the stop method) on every pass of the loop in which
        // you iteratively process the records obtained from the target you are reconciling
        for (int i = 0; i < numberOfRecordsRetrievedOnSearch && !stopped; i++) {
            // Process record i found by the search on the target
        }

        if (stopped) {
            System.out.println("Reconciliation Stopped.\n");
        } else {
            System.out.println("Reconciliation Finished.\n");
        }
    }

    public boolean stop() {
        stopped = true;
        return stopped;
    }
}

import com.thortech.xl.scheduler.tasks.SchedulerBaseTask;

public class SampleImplementation extends SchedulerBaseTask {

    // This is the flag which we will use in the stop method; volatile so the
    // value written by stop() is seen by the thread running execute()
    public volatile boolean stopped = false;

    public SampleImplementation() {
        // ...
    }

    public void execute() {
        // "count" and "stoppable" are task attributes read from the scheduled task definition
        String eCount = getAttribute("count");
        int count = 30;
        if (eCount != null) {
            count = Integer.parseInt(eCount);
        }
        boolean checkInterrupt = true;
        String eCheckInterrupt = getAttribute("stoppable");
        if (eCheckInterrupt != null) {
            checkInterrupt = Boolean.valueOf(eCheckInterrupt).booleanValue();
        }

        // This is the loop where we check the flag's value while iteratively processing
        // all records obtained on search from the target we want to reconcile.
        // When the task is not stoppable the flag is ignored; otherwise the loop ends once it is set.
        for (int i = 0; i < count && (!checkInterrupt || !stopped); i++) {
            // Here you process all records obtained from the target
            System.out.println("Iteration :" + i);
            try {
                Thread.sleep(2000L);
            } catch (InterruptedException interruptedexception) {
            }
        }

        if (stopped) {
            System.out.println("Stopped.\n");
        } else {
            System.out.println("Done.");
        }
    }

    public boolean stop() {
        // here we set the flag value to "true"
        stopped = true;
        return stopped;
    }
}


Compile the schedule task code, create a jar file and put it in the "ScheduleTask" folder of the OIM server to run the schedule task. Run the schedule task and, while it is running, select the "Stop Execution" option in the Task Scheduler form and save it. This should stop the running schedule task instance.

Unable to Access Xellerate Application Because of "Error While Expanding Nexweb.war" After OIM Install…

The Xellerate Application won't come up after the install.

Steps To Reproduce:

For example: On Windows 2003, install OIM version on the JBoss application server and point it to an existing database instance used previously by the same version of OIM. The installation fails with the following error in setup-jboss.profile.log:

The installation failed because of
file:C:/oracle/xellerate/setup/jboss-setup.xml:273: Error while expanding
C:\oracle\xellerate\webapp\Nexaweb.war
at org.apache.tools.ant.taskdefs.Expand.expandFile(Expand.java:164)
at org.apache.tools.ant.taskdefs.Expand.execute(Expand.java:127)
at org.apache.tools.ant.Task.perform(Task.java:341)

Cause

The OIM installer zip file that was copied and extracted was corrupt, as the error indicates a problem expanding/unzipping the Nexaweb.war file during the install.

Solution

To implement the solution, please execute the following steps:

  1. Try installing OIM by recopying and extracting the existing installer zip file on a certified environment.
  2. If it doesn't work, download the OIM installer again from the OTN website and then try a new install.

NOTE: Installing OIM on VMware images is not supported, tested, and certified.
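A check worth running before step 1 is repeated: verify the archive itself rather than letting the installer discover the damage half way through. The Python script below is an added example (not from the note, not Oracle's installer code). It uses the standard zipfile module, which checks the CRC-32 of every member as it is read, and because .war, .jar and .ear members are zip files themselves it descends into them, so a defect inside Nexaweb.war is reported as such. build_sample constructs a miniature installer layout (file names borrowed from the error above, contents made up) so the detection can be seen offline; in practice you pass the path of the extracted installer zip on the command line.

```python
import io
import sys
import zipfile
from typing import List, Union

NESTED_SUFFIXES = (".zip", ".war", ".jar", ".ear")   # zip-format members worth descending into


def corrupt_members(source: Union[str, bytes, io.BytesIO], prefix: str = "") -> List[str]:
    """Return the names of archive members whose CRC-32 check fails, descending into
    nested zip-format members such as .war files (nested names use '!/' as separator)."""
    if isinstance(source, (bytes, bytearray)):
        source = io.BytesIO(source)
    try:
        archive = zipfile.ZipFile(source)
    except zipfile.BadZipFile:
        return [prefix + "<not a valid zip archive>"]
    bad: List[str] = []
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            name = prefix + info.filename
            try:
                data = archive.read(info)      # raises BadZipFile on a CRC mismatch
            except zipfile.BadZipFile:
                bad.append(name)
                continue
            if name.lower().endswith(NESTED_SUFFIXES):
                bad.extend(corrupt_members(data, name + "!/"))
    return bad


def build_sample(corrupt_war: bool) -> bytes:
    """Constructed sample installer layout: setup/jboss-setup.xml plus webapp/Nexaweb.war,
    optionally with same-length byte damage inside the war's stored member data."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_STORED) as war:
        war.writestr("WEB-INF/web.xml", "<web-app>constructed sample</web-app>")
    war_bytes = inner.getvalue()
    if corrupt_war:
        # Same length, different bytes: the member's recorded CRC no longer matches its data
        war_bytes = war_bytes.replace(b"constructed", b"CORRUPTED!!")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("setup/jboss-setup.xml", "<project name='jboss-setup'/>")
        zf.writestr("webapp/Nexaweb.war", war_bytes)
    return outer.getvalue()


if __name__ == "__main__":
    # Usage: python check_installer_zip.py <path-to-installer.zip>; without a path the sample runs
    source = sys.argv[1] if len(sys.argv) > 1 else build_sample(True)
    problems = corrupt_members(source)
    print("archive OK" if not problems else "corrupt members: " + ", ".join(problems))
```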

Can The Entire 'Help' Menu Groups be Removed in OIM?

'Help' menu items are hard-coded in the source code and cannot be removed completely. You can, however, remove the URLs they point to.

You need to modify two files to achieve this:

1) xlDefaultAdmin.properties (<jboss-4.0.3SP1>\server\default\deploy\XellerateFull.ear\xlWebApp.war\WEB-INF\classes)
2) struts-config.xml (<jboss-4.0.3SP1>\server\default\deploy\XellerateFull.ear\xlWebApp.war\WEB-INF)

Please follow the below steps.

1) Open xlDefaultAdmin.properties, search for "help" and comment out all matching lines as below. With this modification the Help menu will still be there, but clicking it will not open a help page.

#help=images/help.gif
#menuItem.Help.User-Guide.link=userguide/index.htm

2) Open struts-config.xml, remove the paths of the JSPs and modify as below:
====
<!-- ========== Added by Jitendra for setting session ============================== -->
<action name="registrationHelpPageForm"
type="com.thortech.xl.webclient.actions.RegistrationHelpPageAction"
validate="false"
input="/tjspIndex.jsp"
scope="request"
path="/registrationHelp"
parameter="method">

<forward name="displayRegistrationHelpPage" path="" />
<forward name="displayLoginHelpPage" path="" />

</action>
<!-- <forward name="displayRegistrationHelpPage" path= "/tjspRegistrationHelp.jsp" />
<forward name="displayLoginHelpPage" path="/tjspLoginHelp.jsp" /> -->
=====

3) Restart your application server and check the result.

How to Stop Schedule Tasks

How can a running scheduled task be stopped?

To get the stop mechanism to work for a schedule task, the schedule task must be implemented to periodically check for the stop flag and respond to it. Since killing threads is not a good idea, stopping a schedule task is only a request to stop the task. Schedule tasks can only be stopped if they are written to honor stop requests.

This can be done in two ways:
• ScheduleTask can implement the stop( ) method. This returns a boolean value (true/false) to be compatible with 7.2.x, but the return value doesn't mean or represent anything.
• ScheduleTask can call isStopped() method to find out, if a stop request is pending.

How stop works:

To stop a schedule task, select the 'Stop Execution' check box and click on save.

The Task Bean (tcTSK) will detect that the save is to stop the task, by looking at the value of the check box. TSK bean locates the Scheduler Controller and issues a stop request. After the stop request is successfully issued, it disables the task, and clears the 'Stop Execution' check box.

When the Scheduler Controller receives the stop notification, it looks in the local tasks directory to see if the scheduler on this machine is running the task. If so, it sets the stopPending flag for the task and calls the stop( ) method in the scheduler.

If Schedule Task is not executing in the local machine, it sends a group notification to all the schedulers to stop the schedule task. Each Scheduler looks at the local active task list and stops the task if it is running the task. Otherwise they will ignore the message.
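To make the contract concrete, here is an added Python model of the mechanism described above; it is not OIM code, and the names SchedulerController, ScheduleTask and the after_record hook are assumptions of this example. The controller keeps the local active-task list and, on a stop request, sets the stopPending flag and calls the task's stop(); the task sees the request only through is_stopped(). The example runs two tasks over the same five constructed records: one that polls is_stopped() between records and therefore ends after the request, and one that never polls and runs to completion even though the flag was set, which is exactly why the text says tasks must be written to honor stop requests.

```python
import threading
from typing import Callable, Dict, List, Optional


class ScheduleTask:
    """Base class modelled on the stop()/isStopped() contract described above (assumption)."""

    def __init__(self) -> None:
        self.stop_pending = threading.Event()   # the controller's stopPending flag for this task

    def is_stopped(self) -> bool:
        return self.stop_pending.is_set()

    def stop(self) -> bool:
        # Override to react to a stop request; as the text says, the return value carries no meaning
        return True

    def execute(self) -> None:
        raise NotImplementedError


class SchedulerController:
    """Keeps the local active-task list and services stop requests for tasks running here."""

    def __init__(self) -> None:
        self._active: Dict[str, ScheduleTask] = {}
        self._lock = threading.Lock()

    def run(self, name: str, task: ScheduleTask) -> None:
        with self._lock:
            self._active[name] = task
        try:
            task.execute()
        finally:
            with self._lock:
                self._active.pop(name, None)

    def request_stop(self, name: str) -> bool:
        """Stop request from the Task Bean. Returns False when the task is not running locally
        (a real controller would then send the multicast group notification instead)."""
        with self._lock:
            task = self._active.get(name)
        if task is None:
            return False
        task.stop_pending.set()   # set stopPending first, then notify the task
        task.stop()
        return True


class CooperativeReconTask(ScheduleTask):
    """Honours stop requests: checks is_stopped() before every record, never mid-record."""

    def __init__(self, records: List[str], after_record: Optional[Callable[[int], None]] = None) -> None:
        super().__init__()
        self.records = records
        self.after_record = after_record or (lambda i: None)
        self.processed: List[str] = []
        self.stopped = False            # True when the loop ended because of a stop request

    def execute(self) -> None:
        for i, rec in enumerate(self.records):
            if self.is_stopped():
                self.stopped = True
                break
            self.processed.append(rec)  # stands in for processing one record from the target
            self.after_record(i)


class IgnorantReconTask(CooperativeReconTask):
    """Never polls the flag, so a stop request has no effect on it."""

    def execute(self) -> None:
        for i, rec in enumerate(self.records):
            self.processed.append(rec)
            self.after_record(i)


def demo(task_cls, stop_after: int):
    """Run a task and issue a stop request after `stop_after` records; returns (processed, stopped).
    The after_record hook stands in for the Task Bean saving the form from another thread."""
    controller = SchedulerController()
    records = [f"record-{n}" for n in range(5)]   # constructed sample

    def task_bean_save(i: int) -> None:
        if i == stop_after - 1:
            controller.request_stop("recon")

    task = task_cls(records, task_bean_save)
    controller.run("recon", task)
    return len(task.processed), task.stopped


if __name__ == "__main__":
    print("cooperative:", demo(CooperativeReconTask, 2))   # (2, True)
    print("ignorant:   ", demo(IgnorantReconTask, 2))      # (5, False)
```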

Group Notification:

All schedulers join a multicast group on startup. The group name is always "ScheduleTasks", and they discover each other using the multicast IP configured in the xlconfig.xml file.

<Scheduler>
<MultiCastAddress>999.999.999.999</MultiCastAddress>

Use this setting to define the same multicast address for all machines running scheduler.

We are using JavaGroups API to join the cluster. JavaGroups will also take care of removing the group members as they are stopped.

OAM/OIM Integration Steps: Configuring OAM Policy To Protect OIM

This document is intended to provide clear instructions on how to configure Oracle Access Manager policy for Oracle Identity Manager.

The basic steps for performing an OAM/OIM integration are documented in the Oracle Identity Manager Best Practices Guide, Chapter 8.

However, there are some additional notes that are important when configuring this integration.


The following procedure describes how to configure single sign-on for Oracle Access Manager.

1. On the welcome page of the Access System, click Policy Manager, and then click Create Policy Domain.
2. Create a policy domain and policies to restrict access to the Oracle Identity Manager URLs.
3. In the Access System console, define host identifiers for Oracle Identity Manager.
4. Click Policy Manager, and then click the link for the Oracle Identity Manager policy domain.
5. Click the Resources tab and define resources for Oracle Access Manager to protect.
6. Click the Authorization Rules tab and define an authorization rule to determine the authenticated users who can access the Oracle Identity Manager URLs.
7. Click the Default Rules tab. The Authentication Rule subtab is selected.
8. Define an authentication rule, for example, Basic Over LDAP.
9. Click the Authorization Expression subtab under the Default Rules tab.
10. Click the Add button.
11. Configure the authorization expression, using the rule(s) defined in step 6 to determine which users will be authorized to access the Oracle Identity Manager URLs. Click the 'Save' button at the bottom of the page when done.
12. Click the Actions subtab under the Authorization Expression subtab, and define an authorization action that sets a custom HTTP header variable on successful authorization. The header variable should contain a value that maps to the Oracle Identity Manager user ID.

It is important to use a valid header variable name as determined by the type of Web server being used for the integration. Specifically, as noted in Chapter 5 of the OAM Access Administration Guide, different Web servers handle header variables differently. Refer to your Web server's documentation for information on how header variables are processed. For example:

  • Netscape/iPlanet Web servers precede Access System variables with the string HTTP_. If you define a variable called HTTP_CN, Netscape/iPlanet produces a variable called HTTP_HTTP_CN. When you write an application that must read a header variable, the application must look for a variable called HTTP_HTTP_CN and not HTTP_CN.
  • Microsoft IIS expects header variables to be defined with a dash, not an underscore. You would enter HTTP-CN, not HTTP_CN. The receiving application must read the variable as if it had an underscore: it looks for HTTP_CN, not HTTP-CN.

13. Click the Policies tab.
14. Click Add and define an access policy in the Oracle Identity Manager policy domain, and add the Oracle Identity Manager URL resources to this policy.

You can see more in the links below, provided by Oracle (OBE examples):

Installing Oracle Access Manager: Identity Server and WebPass

Installing Oracle Access Manager: Policy Manager, Access Server, and WebGate

http://www.oracle.com/technology/obe/fusion_middleware/im1014/ovd-oam/oam-ovd/install_oam2/install_oam2.htm


Password Policy Is Not Redirecting To "Change Password" Page.

-- Problem Statement: I have configured the password policy per documentation.

But in the access server logs I see the error "Passwordexpired and password-change redirect URL is NULL".

Oracle® Access Manager Identity and Common Administration Guide 10g (10.1.4.0.1), Chapter 7 Configuring Global Settings, Section 7.8.5.1 Configuring Redirection to a Password Reset Page After Password Expiry:

http://download.oracle.com/docs/cd/B28196_01/idmanage.1014/b25343/idconfig.htm#BABFCJFC

The obcompounddata was not at the top of the o=Oblix,ou=apps,dc=epri,dc=com tree. See Oracle® Access Manager Schema Description 10g (10.1.4.2.0), Chapter 1 Schema Description for 10g, Table 1-26 oblixConfig Attributes:

http://download.oracle.com/docs/cd/E10761_01/doc/oam.1014/e10357/schema.htm#CFHFJIBH

To implement the solution, please execute the following steps:

1. Create three LDIF files to create the obpasswordchangeredirecturl, obpasswordexpiryredirecturl and obcompounddata attributes at the o=Oblix level:

dn: o=Oblix,ou=apps,dc=epri,dc=com
changetype: modify
replace: obpasswordchangeredirecturl
obpasswordchangeredirecturl: http://www.google.com

dn: o=Oblix,ou=apps,dc=epri,dc=com
changetype: modify
replace: obpasswordexpiryredirecturl
obpasswordexpiryredirecturl: http://www.yahoo.com

dn: o=Oblix,ou=apps,dc=epri,dc=com
changetype: modify
replace: obcompounddata
obcompounddata:: (the base64-encoded value is not reproduced on this page)

Once all three have been added, verify that they exist by running an ldapsearch.

2. Once they are in place, restart the identity and access servers and retest.
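An added example (not from the note) that writes modify records like the ones above in well-formed LDIF and parses the ldapsearch output of step 1 to confirm that the three attributes are present. The base64 and line-folding rules are those of RFC 2849: a value is written with "::" when it starts with a space, colon or "<" or contains non-ASCII or control characters, which is why obcompounddata appears with "::" above. The dn, attribute names and URLs are taken from the note; SAMPLE_SEARCH_RESULT is a constructed ldapsearch result for an entry that still lacks obcompounddata.

```python
import base64
from typing import Dict, List

# The three attributes the note above adds at the o=Oblix level
REDIRECT_ATTRS = ("obpasswordchangeredirecturl", "obpasswordexpiryredirecturl", "obcompounddata")


def _needs_base64(value: str) -> bool:
    """RFC 2849 SAFE-STRING rule: base64 is required if the value starts with SPACE, ':' or '<',
    or contains NUL, CR, LF or any non-ASCII character."""
    return bool(value) and (value[0] in " :<" or any(c in "\0\r\n" or ord(c) > 127 for c in value))


def _attrval(attr: str, value: str) -> str:
    if _needs_base64(value):
        return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{attr}: {value}"


def _fold(line: str, width: int = 76) -> str:
    """RFC 2849 line folding: continuation lines begin with exactly one space."""
    chunks, rest = [line[:width]], line[width:]
    while rest:
        chunks.append(" " + rest[: width - 1])
        rest = rest[width - 1:]
    return "\n".join(chunks)


def build_modify_ldif(dn: str, changes: Dict[str, str]) -> str:
    """Build one 'changetype: modify' record that replaces each attribute in `changes`."""
    lines = [_fold(_attrval("dn", dn)), "changetype: modify"]
    for attr, value in changes.items():
        lines += [f"replace: {attr}", _fold(_attrval(attr, value)), "-"]
    return "\n".join(lines) + "\n"


def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Parse a single LDIF entry (e.g. one ldapsearch result) into {attr: [values]}.
    Attribute names are lower-cased, folded lines are joined and '::' values are decoded."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]             # continuation line
        elif raw and not raw.startswith("#"):
            unfolded.append(raw)
    entry: Dict[str, List[str]] = {}
    for line in unfolded:
        name, sep, rest = line.partition(":")
        if not sep:
            continue                             # e.g. the '-' separator of a modify record
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        entry.setdefault(name.lower(), []).append(value)
    return entry


def missing_redirect_attributes(ldapsearch_output: str) -> List[str]:
    """Names from REDIRECT_ATTRS that the searched entry does not carry (empty list = all present)."""
    entry = parse_ldif_entry(ldapsearch_output)
    return [attr for attr in REDIRECT_ATTRS if not entry.get(attr)]


# Constructed sample of an ldapsearch result for an entry that still lacks obcompounddata
SAMPLE_SEARCH_RESULT = """\
dn: o=Oblix,ou=apps,dc=epri,dc=com
objectClass: oblixConfig
obpasswordchangeredirecturl: http://www.google.com
obpasswordexpiryredirecturl: http://www.yahoo.com
"""


if __name__ == "__main__":
    print(build_modify_ldif("o=Oblix,ou=apps,dc=epri,dc=com",
                            {"obpasswordchangeredirecturl": "http://www.google.com"}))
    print("missing:", missing_redirect_attributes(SAMPLE_SEARCH_RESULT))   # ['obcompounddata']
```

Calling build_modify_ldif once per attribute reproduces the three separate files of step 1; passing all three in one dict yields a single record with three replace operations, which ldapmodify applies atomically to the entry.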

Error When Starting Apache 2.2 WebGate Service On Windows

COREid Access - Version: 7.0.4 to 10.1.

After installing WebGate with Apache 2.2 on the Windows platform, Apache fails to start with the following error:

Event Type: Error
Event Source: Apache Service
Event Category: None
Event ID: 3299
Date: 3/5/2008
Time: 11:22:27 AM
User: N/A
Computer: APPSRV01
Description:
The Apache service named reported the following error:
httpd.exe: Syntax error on line 516 of D:/Apache2.2/conf/httpd.conf: Cannot load D:/NetPoint/WebComponent/access/oblix/apps/webgate/bin/webgatessl.dll into server: The specified procedure could not be found.

For COREid 7.0.4 environments, package COREid7_0_4_Win32_APACHE2_WebGate.exe was used to install WebGate.

For Oracle Access Manager (OAM) 10.1.4 environments, package Oracle_Access_Manager10_1_4_01_WIN32_Apache2_webgate.exe was used to install WebGate.

No errors or problems were encountered during WebGate installation.

Cause

WebGate software developed for use with Apache 2.0 is being used with Apache 2.2. Attempts to use the WebGate libraries compiled for Apache 2.0 will produce errors when Apache 2.2 tries to load them.

There is currently no support for WebGate 7.0.4 with the Apache 2.2 web server on the Windows platform.

Support for WebGate with Apache 2.2 on Windows was introduced with Oracle Access Manager release 10.1.4.

Solution

For WebGate 7.0.4.x on Windows, use Apache 2.0 instead of Apache 2.2. For WebGate 10.1.4 on Windows with Apache 2.2, use the APACHE22 installer package, which can be downloaded from

http://www.oracle.com/technology/software/products/ias/htdocs/101401.html

(Oracle Access Manager - 3rd Party Integration section). The contents of the CD downloads can be verified from the Oracle Access Manager - 3rd Party Integration readme.

"Invalid user found" Exception When an OIM User Changes Its Own OIM User ID While Logged into the OIM Web Client

A custom resource object is created in OIM that is intended to change the OIM User Login. This login change needs to be approved by an approver, say UserA. When UserA approves the request, the provisioning task updates UserA's OIM "Users.User ID" with the new login, but then the server immediately shows the following errors:

"ERROR,21 Feb 2008 09:07:49,949, RMICallHandler-597 XELLERATE.ACCOUNTMANAGEMENT - Class/Method: tcDataBase/getUser encounter some problems: Invalid user found: UserA" ... ... java.lang.RuntimeException: Invalid user found: UserA "ERROR,21 Feb 2008 09:08:31,564, AJPRequestHandler-RMICallHandler-597 XELLERATE.WEBAPP - Class/Method: tcLogonAction/execute encounter some problems: User account is invalid. Username: UserA"

Steps To Reproduce:
Create a Resource object.
Make the approval for the resource object be approved by the "Request Target User".
Have the target user login.
Have the target user approve the request.
Have the provisioning process alter the target user "Users.User ID"

The cause of the issue is that the user ID used by the user to log into OIM was changed. Because the adapter changed the original user ID within the session that was created with the user's original user ID, the server can no longer find the user ID used for login and throws an "Invalid user found" error.

How to get the Solution

To implement the solution, please execute the following steps: There is no solution or workaround for this issue, as a logged-in user changing its own user ID is not correct. One shouldn't do it, as OIM keeps the user ID information in the session. Changing the user ID mid-stream can cause unforeseen errors.