http://www.nulli.com/index.php en aarcega@nulli.com Copyright 2013 2013-05-01T19:38:36+00:00 http://www.nulli.com/index.php/blog/article/quest_collaborate_2013 http://www.nulli.com/index.php/blog/article/quest_collaborate_2013#When:19:38:36Z Anthony and Lisa were in Denver April 7-11 for the Collaborate 2013 conference, for networking, education and to discover the latest in PeopleSoft technology. Collaborate Conferences are annual, user-group driven technology and application forums for the Oracle community. This year there were approximately 6000 attendees, featuring some of the most engaging keynote speakers we have ever seen at a conference of this calibre.  Sean D. Tucker - Team Oracle Aviator, Aron Ralston - subject of the film 127 Hours and Tommy Spaulding - Author, all had incredibly inspiring messages. From A PeopleSoft Perspective: Key messages included the value of the much awaited version of PeopleSoft 9.2.  Features include the PeopleSoft Update Manager (PUM) which promises to make the application of fixes/patches much easier, task-keyword search features, Actionable Operational Analytics through pivot grids and drill down capability, train stops and activity guides. Overall, v9.2 is more "wizard" driven and intuitive than ever.  In contrast, Fusion HCM is still in its infancy as a separate product, featuring Global Payroll, but no Talent Management integration nor a T&L module, for example. Non-core sessions for mobile device implementation and security, and for Oracle Identity Manager (OIM) integration were well attended. OIM takes care of user account administration and access privileges, integrating with products from both Oracle and 3rd parties. Conference organizers provided ample time and space for regional users groups to meet; these meetings were also well attended. Mark Hurd the President of Oracle emphasized that Oracle's goal is to help customer's save money and innovate.  Mark pointed out that a business trend today is that the line of business is gaining more control over software selection whereas historically IT may have previously had more control.  The trend is that the business tells IT what they want instead of vice versa Last but not least, the final evening party featured a few firsts for many attendees: a vending truck offering free silk-screen t-shirts which were made while you waited, flipping-twisting skip rope jumpers, topped off with catering that included curious dark chocolate dipped bacon strips and - best of all - luscious, deep fried Oreo beignets! 2013-05-01T19:38:36+00:00 http://www.nulli.com/index.php/blog/article/repatriating_it_skills_now_is_the_time http://www.nulli.com/index.php/blog/article/repatriating_it_skills_now_is_the_time#When:18:33:59Z The following news article published in the Globe and Mail prompted me to write about the perception of IT Outsourcing as discussed with me by Information Technology professionals employed by companies in India, Canada and the United States. India’s IT outsourcing giant Wipro takes aim at Canada Add to ... GORDON PITTS The Globe and Mail Published Wednesday, Mar. 13 2013, 5:59 PM EDT Last updated Thursday, Mar. 14 2013, 1:49 PM EDT    Interesting article and very telling with regards to how business and government globally need to consider IT Outsourcing and impacts it has on community, country and long-term viablility of the knowlege based economy.    It is also telling that he views, correctly I think, that university grads need to be brought up to speed on application of technology beyond the academic training delivered in Canada.   This highlights the concern that is facing most companies here in North America of having shipped our knowledge and expertise base offshore to the cheapest labour source, we have now a steep path to climb to bring this knowledge back onshore and localized for use where it is needed daily.    His sending grads to India for 6 mths training used to be the other way around not 15 years ago.  It is more then just the indoctrination of the WiPro methodology, it is to give them practical experience with IT technology which isn't' readily available here as companies (other then Nulli) are afraid to invest in their people due to the fear of poaching and more importantly the cost to their bottom line in the eyes of shareholders and the management accountants that mostly have run corporations over the past 20 years. I heard him speak last year at Oracle OpenWorld where he clearly indicated that the world would need to work with WiPro in the area of IT since the world had lost the knowledge that WiPro had cultivated and grown and now sold back to the companies at increasing cost and with lower productivity.  The latter was shielded from companies here since the premise was, I am getting 3 workers doing the same job as one of mine for the same price as one therefore I am better off since I am getting a 3 for 1 deal. Anyway, it is worth a paper of thought for certain.   WiPro needs to continue to grow markets like Canada to allow for it to continue to leverage the model that worked in the past and is now loosing appeal as results are not there and governments, read USA, are creating incentives for companies to repatriate the skill economy to America..... Just a few quick thoughts, Nulli, Derek Small, 2013-04-19T18:33:59+00:00 http://www.nulli.com/index.php/blog/article/commentary_oauth_twitters_secret_app_keys_leaked http://www.nulli.com/index.php/blog/article/commentary_oauth_twitters_secret_app_keys_leaked#When:19:40:05Z For years we have been recommending that clients never share a password or create group accounts that are used by multiple people.  It is always best to create separate accounts for each user that is using a service, or in this case when applications are using a service.  Turns out that Twitter has given multiple applications the same OAuth credentials to use, so it is going to be hard to find out who leaked the key, and hard to change the key without updating all the application owners. http://www.theregister.co.uk/2013/03/08/twitter_oauth_leaked_keys/ 2013-03-11T19:40:05+00:00 http://www.nulli.com/index.php/blog/article/changed_attributes_log_truncation_in_waveset_audit_log http://www.nulli.com/index.php/blog/article/changed_attributes_log_truncation_in_waveset_audit_log#When:05:03:56Z You may have noticed in Waveset’s auditlog reports that when too many attribute values have changed in a transaction, you don’t see the nicely printed before/attempted/after table of changed values.  This is a known limitation in the default database schema because the column that holds this info is a 4000 length VARCHAR field.  Waveset ships with a sample .sql script that allows you to change this column to a CLOB - IF your repository is an Oracle Database.     Documentation on this update can be found here: http://docs.oracle.com/cd/E19225-01/821-0094/6nl60aig6/index.html However, while running this on a Waveset 8.1.1.6 instance recently, i found that the change was ineffective, and It was still storing truncated 4000 character entries. By chance, I came across a Configuration object in the repository called RepositoryConfiguration.  It was different from the default init version and contained a setting that I could not find the Oracle documentation on called maxLogAcctAttrChangesLength.  It IS mentioned in the old Sun IdM 7.1.1 release notes (http://docs.oracle.com/cd/E19164-01/820-2952/indexa.html) but seems to have gone missing in the Waveset Admin Guide.  The value was set to 4000.  After updating it to an arbitrarily large value (ie 1000000) and an application server restart I was now getting non-truncated acctAttrChanges values in the new CLOB column. Here is a SQL sample to verify your results.  The most notable case of truncation in this environment occurred when modifying users with many Active Diretory groups (containing full group DNs): select length(ACCTATTRCHANGES) from WAVESET.LOG where ACTIONDATETIME like '20130225%' and resourcename = 'AD'; Oracle, Waveset/Sun IDM, Rob Jackson, 2013-02-26T05:03:56+00:00 http://www.nulli.com/index.php/blog/article/oracle_identity_manager_oim_11g_r2_rcu_error http://www.nulli.com/index.php/blog/article/oracle_identity_manager_oim_11g_r2_rcu_error#When:22:01:14Z Are you trying to install Oracle Identity Manager - OIM 11gR2 on Oracle Enterprise Linux 6 64-bit? Do you plan on running the OIM 11gR2 RCU to create some repositories during the installation? If you answered yes to these two questions then this little bit of information may be of assistance to you. Running the RCU on a 64-bit system will result in errors like this one: RCU- 6136: Error while trying to execute SQLPlus action   This RCU-6136 error is a result of the RCU installer being run on a 64-bit JDK of which portions of the RCU installer still rely on a 32-bit environment.   The result is that even if you are creating the repository on a 64-bit system you will encounter this error.  It means you will need to run the RCU on a 32bit JVM for a successful install.   NOTE:  Running it either remotely or locally using the –d32 option will not work. Hope this is a help. Michael Burchill, 2013-02-19T22:01:14+00:00 http://www.nulli.com/index.php/blog/article/oim_11g_r2_too_many_role_request_emails http://www.nulli.com/index.php/blog/article/oim_11g_r2_too_many_role_request_emails#When:01:45:16Z In OIM 11g R2, Oracle introduced a new feature called "Catalog", using which a user of an Organization can search and request for roles using a shopping cart type of functionality.  There is also an option to generate emails to notify the user at what stage his/ her Role Request is at.  Since, the Role request could go through multiple approvals, emails are sent for each stage of approval.  Currently with OOTB Role Request workflow, upto 9 emails sent for the whole Role Approval processes completion and around 5 to 8 emails generated for Role Rejection.  Though this could be a useful feature to some customers, it could be a nuisance for others who would be expecting at the most 2 emails for either Role Approval or Rejection. This post describes a way to limit the number of emails generated to 2, one when the initial Role Request is made and one when a final decision (either Approve or Reject) is made. Problem Description: In OIM 11g R2, by default we either turn on the sending emails for Request Notifications which sends a lot of emails for each request or totally turn off the emails.  There was no way to reduce the number of emails generated for Request Notifications.     Oracle's Solution Oracle announced at the end of last year that this issue would be fixed in the next Bundle Patch scheduled to release some time in January of this year.  Oracle released Patch 14760806 also called ORACLE IDENTITY MANAGEMENT SUITE BUNDLE PATCH 11.1.2.0.2 (BP02) on the 14th of January. Patch Issues: We jumped right in and applied the patch as soon as we could to fix this issue.   We were not able to immediately test the email feature as we faced Identity Console "Access Denied" issues (as discussed here) after applying the patch.  Once we could resolve the console issues.  We tested the patch and it still was generating 9 emails for Role Approval and 5 to 8 emails for Role Reject.   Missing Information: After going through the patch documentation we could not find relevant information as to how to limit the emails.  Since we know that RequestNotificationLevel System Property deals with either turning on or off of emails completly, we thought that there should be a setting for this System Property that limits the emails or there could be a new System Property that limits the emails.  Since we could not find any new System Properties relevant to Emails, we raised an SR with Oracle.  Fix: By setting this value of RequestNotificationLevel  to 2 (courtesy Oracle), we were able to generate only 2 emails for either Role Request Approval or Role Request Reject.  Hope this information would be updated in Oracle documents soon.  If this post helped you to reduce the email notifications, please leave a comment.         Nulli, IM, Oracle, 11g R2, OIM 11g, Hyma Pandyaram, 2013-02-17T01:45:16+00:00 http://www.nulli.com/index.php/blog/article/oim_issues_after_installing_oracle_identity_management_suite_bundle_patch_1 http://www.nulli.com/index.php/blog/article/oim_issues_after_installing_oracle_identity_management_suite_bundle_patch_1#When:00:40:11Z After installing Patch 14760806 also called ORACLE IDENTITY MANAGEMENT SUITE BUNDLE PATCH 11.1.2.0.2 (BP02),  to fix a few existing issues with OIM 11.1.2.0.1, we saw "access denied" issues while accessing OIM Identity Console as an "End User".   "System Administrator" users could access the console with out any issues.  The reason for this is that an OOTB Authorization plugin that allows an "End User" to access his/ her profile is not applied after applying the patch and it has to be manually deployed.  The same plugin is also responsible for allowing a user to request roles using Catalog tool.  This post describes the error messages displayed, the worked around (suggested by Oracle) and a few missing instructions in Oracle documentation for the plugin deployment. Environment : Windows 2008 R2 Standard Edition (64 Bit), OIM 11.1.2.0.2, OVD 11.1.1.6, WebLogic 10.3.6 Problem Description:  After successfully installing Patch 14760806 on top of BP01 to fix too many emails generated for a Role request issue discussed in another post here, we tried to test if the issue was fixed.  For this we performed the following steps. Access OIM Identity console http://hostname:port/identity Log in as "testuser" whose user type is "End User" Click Catalog tab Search for roles Select required role and Add to the Cart To our surprise at this moment we saw a pop up that said "Localized message not available.  Error returned is: You do not have permission to view details of user - 102" The next step we did was to try to access "My Information" tab and it also failed to display the user profile information with the same error as above.  We were pretty sure that we did not modify any of the user permission (Authorization policies) before and after applying the patch. This problem did not arise when we logged in to Identity console as XELSYSADM or other SYTEM ADMINISTRATORS.   Only users with User Type "End User" had permission issues.  Other errors you might see: JBO-29000: Unexpected exception caught: oracle.iam.ui.platform.exception.OIMRuntimeException, msg=JBO-29000: Unexpected exception caught oracle.iam.selfservice.exception.UserLookupException, msg=You do not have permission to view details of user 102 JBO-29000: Unexpected exception caught: oracle.iam.selfservice.exception.UserLookupException, msg=You do not have permission to view details of user 102 Cause: There are certain OOTB Authorization plugins deployed with OIM which take care of what permissions each user has on the OIM Console.  While applying the BP02 one such plugin which is available as authorization-plugin.zip, is not deployed (a BUG in the patch).  Without this plugin, OIM was not able to find relevant permissions for "End User" to allow access tabs in Identity Console and hence the user was denied access.   Workaround: Oracle suggested to deploy authorization-plugin.zip plugin manually and said that would fix the problem with End User permissions. How to register a plugin? Here is Oracle documentation link that describes plugin registration using command line.  Make sure that your OIM Managed Server is up and running while you perform the registration.  Missing Steps: Even though we followed steps described in the above link, our plugin was still not being registered.   It was failing with error: "[echo] Error: Could not find or load main class oracle.iam.platformservice.utils.PluginUtility" This was fixed by: adding ..\Oracle_IAM1\\server\client\oimclient.jar to CLASSPATH  If you still see errors: Try replacing ${oim.home}/config/authwl.conf of login.config with the actual path in ant.properties file Also if you are using Windows replace all '/' in the paths of ant.properties with '//' A successful plugin registration displays "[echo] Plugin oracle.iam.platform.authopss.plugin.impl.AttributeResolverImpl version 1.0 Registered" Restart OIM Managed Server.   Result: This fixed the access denied errors for end users.  Could access "My Information" and request roles using "Catalog".  The number of emails were also reduced as discussed here if you are interested to take a look at.   Hope this helps somebody out there.  Have a great Family Day Weekend!     IM, Oracle, 11g R2, OIM 11g, Hyma Pandyaram, 2013-02-17T00:40:11+00:00 http://www.nulli.com/index.php/blog/article/forgerock_openam_9.5.x http://www.nulli.com/index.php/blog/article/forgerock_openam_9.5.x#When:22:04:14Z It does run on Solaris 10  & GlassFish 2.1.1! I’m a big fan of the ForgeRock suite of products for various reasons. One is the flexibility they give you when it comes to infrastructure. Since OpenAM is open you’ll find it will run on just about anything. The downside to this wonderful fact is that you have to often figure out for yourself how to make it work.   In this blog posting I am providing some OpenAM memory configuration options that I have researched and hope you find useful. Forgerock’s site has some good tweaking advice for running their software on Tomcat but Tomcat and GlassFish are very different animals.   They have completely different threading models, one uses Grizzly the other uses Catalina, one is a J2EE server while the other is a Java Servlet container. I don’t even think their kids go to the same school. If you add to this mix the architectural differences between SPARC and x86 architectures then you could quickly run into some very confusing tuning options for OpenAM. I have tested and verified on Oracle Solaris 10, JDK6.0.35 and GlassFish 2.1.1 patch 19 the following settings. These settings might also be of use to someone tuning in an OpenAM Intel environment.   As always, the settings are provided as-is, where-is and you use them at your own risk.   In no way are these settings warrantied but they will be a great starting place for you and your OpenAM tuning efforts. *Note 1 – Before you start tweaking JVM settings it’s important to assign an appropriate number of threads to the Glassfish Server. Too few and you’ll be under utilizing your hardware. Too many and you’ll spend more time context switching than you will spend working. *Note 2 – These are the settings used in one environment. Your memory settings will depend on your environments needs. (You don’t have to use 4 GB of memory.) Turn this: Into this: Using this:              <jvm-options>-XX:+UseCMSInitiatingOccupancyOnly</jvm-options>         <jvm-options>-XX:CMSInitiatingOccupancyFraction=45</jvm-options>         <jvm-options>-XX:ConcGCThreads=8</jvm-options>         <jvm-options>-XX:ParallelGCThreads=30</jvm-options>         <jvm-options>-XX:+ParallelRefProcEnabled</jvm-options>         <jvm-options>-XX:+CMSClassUnloadingEnabled</jvm-options>         <jvm-options>-XX:+ExplicitGCInvokesConcurrentAndUnloadsClasses</jvm-options>         <jvm-options>-XX:SurvivorRatio=6</jvm-options>         <jvm-options>-Xmn1280m</jvm-options>         <jvm-options>-XX:PermSize=256m</jvm-options>         <jvm-options>-XX:+CMSClassUnloadingEnabled</jvm-options>         <jvm-options>-XX:+UseCMSCompactAtFullCollection</jvm-options>         <jvm-options>-verbosegc</jvm-options>         <jvm-options>-server</jvm-options>         <jvm-options>-d64</jvm-options>         <jvm-options>-Xss256k</jvm-options>         <jvm-options>-Xmx4096m</jvm-options>         <jvm-options>-Xms4096m</jvm-options>         <jvm-options>-Xloggc:/app/logs/gc/OpenAM-51000-gc.log</jvm-options>         <jvm-options>-XX:MaxPermSize=256m</jvm-options>         <jvm-options>-XX:HeapDumpPath=/app/logs/gc</jvm-options>         <jvm-options>-XX:+UseConcMarkSweepGC</jvm-options>         <jvm-options>-XX:+HeapDumpOnOutOfMemoryError</jvm-options>         <jvm-options>-Dsun.rmi.dgc.server.gcInterval=3600000</jvm-options>         <jvm-options>-Dsun.rmi.dgc.client.gcInterval=3600000</jvm-options> In closing, I’d like to thank Satadru Roy for all his help in determining these JVM options. Best of luck!   ForgeRock, OpenAM, Michael Burchill, 2013-02-14T22:04:14+00:00 http://www.nulli.com/index.php/blog/article/14th_annual_privacy_security_conference_off_to_a_flying_start http://www.nulli.com/index.php/blog/article/14th_annual_privacy_security_conference_off_to_a_flying_start#When:15:27:59Z I have the pleasure of attending this year's 14th Annual Privacy & Security Conference.  I haven't attended this conference for years (I think I went to the 2nd or 3rd annual conference as a vendor), and it has certainly become a meca for all things related to IT security and public privacy with attendees from all across Canada. I was able to attend a great session put on by the Office of the Information and Privacy Commissioner of Alberta.  Alberta is the only province in Canada which requires mandatory reporting of a breach of personal informational to be reported to the Commissioner's office.  There is a fine of $100k for organizations that don't do this in a reasonal time frame. So what type of impact does this have on businesses?  Well, anyone that is collecting information in Alberta about Albertans could be affected by this legislation.  So a Toronto based company that collects information via a website would be affected because the collection is done on the individual's computer in Alberta.   And what types of breaches can happen?  examples included using recycled medical records for puppy bedding, sending out sensitive employee data via email, hackers connecting to databases, mailing letters to the wrong address, and the list goes on... The Commissioner's office investigates the cases that have a real risk to cause harm to the individual, such as loss of reputation, financial loss, or identity theft.   So what causes most breaches?  Well human error is listed as the top reason, followed by theft, and poor security of IT assests.  In the case of the last point, identity and access management solutions can significantly reduce the risk of having a breach of personal information.  Having strong password policies and locking down high, priviledged accounts can dramatically reduce hacker's abilities to cause a breach and if a breach does occur, using tools like these will often assist in providing an audit trail: valuable evidence that your organization is being diligent. The session was very well done!  It is days like these that it makes me proud to be an Albertan! Roland Davis, 2013-02-07T15:27:59+00:00 http://www.nulli.com/index.php/blog/article/weblib_security_all_in_the_record_name http://www.nulli.com/index.php/blog/article/weblib_security_all_in_the_record_name#When:21:22:58Z A customer recently created some custom IScript that was triggered from a page button. Pressing the button popped open a new browser window with printer-friendly text saved down from a variety of data fields on the page. Everything worked fine except that not everyone was authorized to use the button logic.  Isolating the error pointed to the custom IScript call, per the following line. ViewContentURL(GenerateScriptContentURL(%Portal, %Node, Record.<custom recname>, Field.PRINT_BTN, "FieldFormula", "IScript_<custom IScript>")); When implementing an IScript, the container or WEBLIB record name must be prefixed with "WEBLIB_".  So the code line above should really read something like: ViewContentURL(GenerateScriptContentURL(%Portal, %Node, Record.WEBLIB_<remainder of custom recname>, Field.PRINT_BTN, "FieldFormula", "IScript_<custom IScript>"));       HI, PeopleTools, Anthony Arcega, 2013-02-04T21:22:58+00:00