You may have noticed in Waveset’s auditlog reports that when too many attribute values have changed in a transaction, you don’t see the nicely printed before/attempted/after table of changed values. This is a known limitation in the default database schema because the column that holds this info is a 4000 length VARCHAR field. Waveset ships with a sample .sql script that allows you to change this column to a CLOB - IF your repository is an Oracle Database.
In OIM 11g R2, Oracle introduced a new feature called "Catalog", using which a user of an Organization can search and request for roles using a shopping cart type of functionality. There is also an option to generate emails to notify the user at what stage his/ her Role Request is at. Since, the Role request could go through multiple approvals, emails are sent for each stage of approval. Currently with OOTB Role Request workflow, upto 9 emails sent for the whole Role Approval processes completion and around 5 to 8 emails generated for Role Rejection. Though this could be a useful feature to some customers, it could be a nuisance for others who would be expecting at the most 2 emails for either Role Approval or Rejection.
This post describes a way to limit the number of emails generated to 2, one when the initial Role Request is made and one when a final decision (either Approve or Reject) is made.
After installing Patch 14760806 also called ORACLE IDENTITY MANAGEMENT SUITE BUNDLE PATCH 11.1.2.0.2 (BP02), to fix a few existing issues with OIM 11.1.2.0.1, we saw "access denied" issues while accessing OIM Identity Console as an "End User". "System Administrator" users could access the console with out any issues. The reason for this is that an OOTB Authorization plugin that allows an "End User" to access his/ her profile is not applied after applying the patch and it has to be manually deployed. The same plugin is also responsible for allowing a user to request roles using Catalog tool. This post describes the error messages displayed, the worked around (suggested by Oracle) and a few missing instructions in Oracle documentation for the plugin deployment.
I've spent the day going through and planning the disk environment for a HA deployment of OIM, OAM, OPAM and OVD. There really isn't a very good reference on this topic, there are a couple of publications from Oracle: the Oracle Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management, and the Oracle Identity Management 11.1.2 Enterprise Deployment Blueprint that have some good information but these documents do need to be updated to reflect the most recently supported WebLogic server (10.3.6).
For those of us that have run the Oracle Identity Manager config, you have probably noticed a small checkbox on the OIM Server screen called "Enable LDAP Sync" and asked yourself: Hmmm, I wonder what that does?
Oracle has just released an updated version of its Identity Management 11.1.2 Enterprise Deployment Blueprint and I must say, this is tremendous effort from Oracle to fill in some of the gaps in its documentation. It is nice to have a single place to go to for the steps that are required for setting up OAM and OIM to work together in a clustered, highly available design.
Back in the days of OAM 10g there was a set of 13 standard reports that Oracle made available for BI Publisher. These old reports can be found at http://www.oracle.com/technetwork/middleware/id-mgmt/oam-reports-1-132943.zip. I am now on the search for reports for OAM 11gR2. There are signs of hope, Oracle's license for OAM includes a Restricted Use License for BI Publisher.
I was extending Data Exporter (A.K.A. Waveset Data Warehouse) today to include some custom user attributes as described here. I ran into a compiler class import issue with the ant script distributed with the source (in Waveset distribution):
Posted By: Trevor Roskewich
February 29, 2012
Filed Under:Oracle , OIA 11g
Customers that have upgraded to Oracle Identity Analytics 11g PS1 (11.1.1.5) may have noticed that flat-file account imports, previously successful, now error-out post-upgrade.
When you explore the rbacx.log, it will contain the following error:
20:59:09,251 ERROR [CSVAccountFileReader] ---> Error occured file reading file:
java.lang.RuntimeException: Unable to import accounts
at com.vaau.rbacx.iam.file.csv.CSVAccountFileReader.importAccounts(CSVAccountFileReader.java:354)
at com.vaau.rbacx.iam.file.csv.CSVAccountFileReader.readCSVFileInternal(CSVAccountFileReader.java:168)
at com.vaau.rbacx.iam.file.csv.AbstractCSVFileReader.readInternal(AbstractCSVFileReader.java:85)
at com.vaau.rbacx.iam.file.support.AbstractFileReader.read(AbstractFileReader.java:160)
at com.vaau.rbacx.iam.file.support.AbstractFileReader.run(AbstractFileReader.java:82)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
at java.lang.Thread.run(Thread.java:662)
Caused by: java.lang.NullPointerException
at java.util.Date.getMillisOf(Date.java:939)
at java.util.Date.after(Date.java:912)
at com.vaau.rbacx.manager.AccountManagerImpl.hasAccountChanged(AccountManagerImpl.java:844)
at com.vaau.rbacx.manager.AccountManagerImpl.updateAccounts(AccountManagerImpl.java:716)
at com.vaau.rbacx.manager.AccountManagerImpl.createOrUpdateAccounts(AccountManagerImpl.java:158)
at com.vaau.rbacx.core.support.RbacxDataImporterImpl.importAccounts(RbacxDataImporterImpl.java:915)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:106)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
at $Proxy136.importAccounts(Unknown Source)
at com.vaau.rbacx.iam.file.csv.CSVAccountFileReader.importAccounts(CSVAccountFileReader.java:310)
at com.vaau.rbacx.iam.file.csv.CSVAccountFileReader.readCSVFileInternal(CSVAccountFileReader.java:168)
at com.vaau.rbacx.iam.file.csv.AbstractCSVFileReader.readInternal(AbstractCSVFileReader.java:84)
at com.vaau.rbacx.iam.file.support.AbstractFileReader.read(AbstractFileReader.java:160)
at com.vaau.rbacx.iam.file.support.AbstractFileReader.run(AbstractFileReader.java:82)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
... 2 more
OIA 11.1.1.5 introduced a code fix to address Bug 12752492 - user risk summary is not recalculated when re-imported account. The code provided new columns, including RISK_UPDATE_DATE, that have been added to most tables to support the fix, as noted in the database update script (i.e. migrate-rbacx-11.1.1.3.xto11.1.1.5.0-oracle.sql). The accounts table affected are noted in this alter statement:
alter table rbacxservice.accounts add risk_update_date timestamp;
Other tables such as attribute_value_metadata have the risk_update_date set to sysdate after the column is created in the script. However, this is not the case for the accounts table - meaning the value is left null by default. It appears that a globaluser update (i.e. user import from a provisioning system like Oracle Waveset) may also set the RISK_UPDATE_DATE on the accounts associated with the user to the sysdate of the import. However, orphaned accounts could remain null. The fix for Bug 12752492 attempts to compare the current time with the risk_update_date value in the database for an account being imported - a value of null results in the null pointer exception as noted in the log above.
Posted By: Hyma Pandyaram
February 09, 2012
Filed Under:IM , Oracle , OID 11g
While trying to create a DIP (11.1.1.2) profile for Database Import using manageSyncProfiles command from ../Oracle_IDM1/bin, I was getting the following error.
[oracle@somehost bin]$ ./manageSyncProfiles register -h localhost -p 7005 -D weblogic -f dbimp.properties
Properties file dbimp.properties does not have correct key-value format.
Oracle Waveset 8.1.1 Patch 6 is available for download
Have you ever needed to clean-up entries with accented letters and wondered if Oracle Waveset (formerly Sun IDM) could manage this for you?
For many years, Oracle has provided a well documented OAM SSO solution for PeopleSoft using typical header variable integration. However, PeopleBooks for PeopleTools 8.51 has become so, shall we say, refined, it's now harder to acheive success with such time-tested integration steps.
OVD 11g installed on Windows 2008 workstation fails to start with the following diagnostic log error:
While preparing to install OAM 11g, some of us were curious whether all the "ob..." attributes would remain intact or if they would be renamed with, for instance, an "orcl..." prefix. It struck one of my colleagues that the "ob" attributes would survive, if only to facilitate a workable upgrade path or to ease product development.
The Oracle Enterprise Manager Fusion Middleware Control 11g shows OID is down even though opmnctl shows OID is up.
It is unlikely that many will have this problem, but if you do this could save some time and headache troubleshooting...
Upgrade from COREid 7 to OAM 10.1.4.0.1 process drops the root CA......
Posted By: Dave Bennett
November 11, 2010
Filed Under:Oracle , OAM 10g
I just had the most frustrating experience. I am in the midst of upgrading OAM 7.x to 10.1.4.3. I had all the components upgraded to 10.1.4.0.1 so I got backups taken.
SAML Service coming back to OAM in a future release?
Posted By: Dave Bennett
September 20, 2010
Filed Under:Oracle , OAM 11g
AuthN and AuthZ responses supports....
Is your OAM installation setup in simple mode? Then chances are your installation is going to break on July 25, 2010. You may have heard a faint ticking every time you got near one of your OAM machines, but never had a chance to figure out where this impending failure was going to come from. As you know,according to Mayan Calendar, in 2012 in simple mode OAM generates certificates for you using the simpleCA root CA (tools\openssl\simpleCA). This root certificate is also used to complete the chain of trust when establishing SSL connections.
But did you know that root CA certificates expire? The OAM certificate expires Jul 25 18:03:57 2010 GMT after which your OAM components will no longer be able to communicate with each other
Posted By: Patrick Radtke
January 04, 2010
Filed Under:Oracle , OAM 10g
OAM supports UTF-8 in incoming data, and can generate HTML pages encoded with UTF-8, but what about internally? Is UTF-8 data available in plugins? In HTTP header variables?
Oracle has designated Nulli as an Oracle Gold Partner in the Oracle PartnerNetwork Specialized Program. Nulli having achieved Pillar Partner - Security and Identity status is now being recognized as a Gold Specialized partner for our implementation services excellence for the Oracle Access Manager, Identity Manager, Internet Directory, Virtual Directory and the Oracle suite of identity products including the Oracle Entitlement Server.
The bind account that OAM uses to connect to OID directory services needs to have full rights over the portion of the DIT that you intend to manage with OAM.
Posted By: Mark Miller
September 10, 2009
Filed Under:Oracle , OAM 10g
One of the key tasks during development and deployment of OAM is running the product browser-based-setup process. It is this process that results in the initial 'oblix branch' being written to the directory service. So, when a customer wants to start again, the question is, "How do I make that setup process happen again?"
If you are using the OVD Shadow Joiner feature then you will need to add the vdeShadowObject object class to the directory hosting the shadow objects. Here is a little LDIF file for just such a need...
I was installing OAS 10.1.4.0.1 today as I needed to use OID for an OAM deployment.
Many of our readers are aware that we have had the "COREid Migration Service" available for public use for the past three years. This service has been a resounding success with several high profile North American OAM customers relying on it to maintain consistency across their environments. The expression, "If it ain't broke, don't fix it." best describes our attitude towards the initial release.
Setting up IWA is a fairly straight forward task.
Posted By: Sandeep Chaturvedi
February 11, 2009
Filed Under:Oracle , OAM 11g
Panel tabs in OAM, how are they used?
Modifiying the RDN for User in Oracle Internet Directory (OID 10g) - known issue.....
When using a older Access Server SDK (7.0.4) with a newer Access Server (10.1.4) running in backward compatibility mode recently,
Posted By: Dave Bennett
August 19, 2008
Filed Under:Oracle , OAM 10g
IdXml interprets attribute access differently vs using a portal insert to perform the same change....
Posted By: Dave Bennett
August 07, 2008
Filed Under:Oracle , OAM 10g
In order to be able to search for deactivated users, the logged in user need to be a participant in a reactivate user workflow definition.
Posted By: Dave Bennett
August 06, 2008
Filed Under:Oracle , OID 10g
Here are a few simple notes for handling OID indexes.
Posted By: Mark Miller
July 26, 2008
Filed Under:Oracle , OAM 10g
Certain actions (such as creating or removing an LDAP entry) are only available via OAM's 'workflow' engine. A freshly installed OAM system has no workflows configured, thus, no immediate mechanism to affect such actions.
Posted By: Mark Miller
July 22, 2008
Filed Under:Oracle , OAM 10g
It makes sense that the ideal HTTP Client for IDXML processing is the authenticated user's browser. After all, it already has the ObSSOCookie.
Posted By: Dave Bennett
July 22, 2008
Filed Under:Oracle , OAM 10g
What if you want to include a virtual attribute in your search results that is derived form another attribute?
Posted By: Dave Bennett
July 22, 2008
Filed Under:Oracle , OAM 10g
Creating a mapping file for OVD to use on inbound and/or outbound LDAP transactions can sometimes be tricky to get absolutely correct the first time. Invariably, the message
Could not complete mapping
is bound to show up at least once when you are trying something new.
Posted By: Dave Bennett
July 03, 2008
Filed Under:Oracle , OAM 10g
Posted By: Dave Bennett
May 22, 2008
Filed Under:Oracle , OAM 10g
When installing the 10.1.4 WebGate to protect an application with web services that relied on the Oracle Client for database connectivity, the application failed to run after the install. The following message is what was received back from the application:
The provider is not compatible with the version of Oracle client
Posted By: Sandeep Chaturvedi
January 29, 2008
Filed Under:Oracle , OAM 10g
If OAM protects a web resource with a basic authentication scheme, any browser request for that request returns a 401 with a "WWW-Authenticate: basic" header.
Posted By: Sandeep Chaturvedi
January 29, 2008
Filed Under:Oracle , OAM 10g
Posted By: Sandeep Chaturvedi
January 17, 2008
Filed Under:Oracle , OAM 10g
The IIS Resource Kit's SelfSSL tool is a quick and sneaky way to get both IIS and ADAM running SSL for quick OAM sandbox environments.
Posted By: Mark Miller
January 17, 2008
Filed Under:Oracle , OAM 10g
When you know that it is in fact not down, and you've checked that all your WebGate parameters are correct a million times...
Posted By: Mark Miller
January 02, 2008
Filed Under:Oracle , OID 10g
Posted By: Dave Bennett
March 09, 2007
Filed Under:Oracle , OAM 10g
This is a simple one, but a nuisance none-the-less.
This is a little bit off topic as OAM goes but everytime I want a quick OAM / Servlet container working environment, it takes me too long to discover this info.
Posted By: Dave Bennett
November 26, 2006
Filed Under:Oracle , OAM 10g
Posted By: Mark Miller
November 24, 2006
Filed Under:Oracle , OAM 10g
IDXML can be cool. It can also cause one to question one's future in front of a keyboard.
When creating a custom style for Oracle Access Manager (formerly COREid) the product creates a localized directory for you in the default language, but all of the files in the localized copy point back to the main style sheets in the shared directory. In order to keep the vanilla sheets for style0 (Classic Style) intact it is advisable to create a duplicate shared directory (i.e. newstyle_shared).
A web server with a WebGate installed on it suddenly does not serve pages and generates 500 errors.
Successful migrations of Oracle Access Manager (formerly COREid) configuration data rely heavily on consistent directory naming of entries between envionments.
Successful migrations of Oracle Access Manager (formerly COREid) configuration data rely heavily on consistent directory naming of entries between envionments.
Nulli Secundus is pleased to announce that our COREid Migration Service has entered a pre-beta (invitation only) phase.
Have you ever wanted to get a nice clean schema file containing all of your custom attirbutes and object class entries but exluding the special microsofty attributes from and AD/AM (or AD) instance so that you can archive it off into a source control system or just simply migrate it to another environment?
Gettng quite specific here - but if you have this problem, you'll appreciate the info...
In COREid deployments where the Access and/or Identity services are installed on the same box as the LDAP server, the COREid service(s) sometimes start faster than LDAP.
A common request for COREid customization is removing unused menu options in the User Manager, Group Manager, and Org. Manager applications (like Create User Identity, Deactivated User Identities, Configuration, etc).
When simple mode certificates are going to expire, .......
Have you ever needed to bulk load AD/AM with a bunch of LDIF users for testing or conversion purposes, but been frustrated by its inability to allow password changes over an unsecured port?
Ever enabled the NetPoint Identity Domain policy domain but not NetPoint Access Manager?
By default Oracle COREid simple mode certificates are issued for 1 year (365 days) by default.
Some people look at the vanilla COREid interface and make a quick decision that they don't like it, or that it's not what they hoped it to be.
Have you ever got confused when using substitution syntax in COREid search base and attribute access control settings?
Ever wanted to reduce or increase the AD/AM search limit (page size)?
Have you ever had some header variables show up and not others?
OK, so COREid supports rudimentary pattern matching in policy patterns. For instance, one can create a URL pattern in a policy definition that matches multiple URLs with a single policy (pattern).
