OAM 10g reinstall issue

We're having a problem reinstalling OAM 10g.
We had an OAM 10g install with config and user data stored in OID. All the OAM components were uninstalled from a testing server, the oblix schema objects, attributes and oblix branch were deleted from OID. The ID server and webpass were reinstalled and the ID server web config step carried out, but after that the ID server will not restart because it can't find an ID. When we look at the new oblix branch in the ldap there isn't much there and specifically the DBAgents entry is missing.
The suggestions for the error all point to it being that this isn't the first ID server to be installed in the ldap. We've uninstalled the first one and tried to remove everything from the ldap. Can anyone suggest what we may have left behind in the ldap because something is retaining a reference to the previous install.
Thanks for any help.

If a component installation terminates (or is terminated by you) after component files were extracted to the designated installation directory, you should run the Uninstaller for that component and then remove the installation directory before attempting to reinstall in the same location.
If you simply delete the installation directory and attempt to reinstall the component in the same location, the vpd.properties file is left in an inconsistent state and reinstalling will not work.
For example, suppose you terminate a WebGate installation after component files were extracted, then you remove the installation directory manually rather than using the WebGate uninstaller.
In this case, the extracted files are deleted but the vpd.properties file is not. This leaves the vpd.properties file in an inconsistent state that prevents successful installation.
Reinstalling Oracle Access Manager with Oracle Internet Directory
If Oracle Access Manager will be removed and reinstalled with the same directory instance, only the Oracle Access Manager configuration tree(s) need be deleted.
In this case, there is no need to remove the Oracle Access Manager schema from the directory instance.
When reinstalling the Identity Server, select "No" when asked if you want to update the schema (which is already present). Selecting "Yes" results in an error message "schema already exists".
You remove the Oracle Access Manager configuration tree from the directory server instance using tools and instructions from your directory vendor.
For Oracle Internet Directory, for example, you may use the Oracle Internet Directory Administration Console.
However, you cannot simply delete the parent object because there are dependencies and recursive deletes are not possible.
Oracle recommends that you do not remove the Oracle Access Manager schema from Oracle Internet Directory using the Console.
Instead, Oracle recommends that you use the LDIF files in Component_install_dir\identity\access\oblix\data.ldap\common. For example:
OID_oblix_schema_index_delete.ldif : Oracle Access Manager attribute index cleanup file drops the Oracle Access Manager indexes before or after you clean up the schema.
OID_user_schema_delete.ldif—Oracle Access Manager user data cleanup file for Oracle Internet Directory—removes user data that resides on a separate directory instance from configuration data
OID_oblix_schema_delete.ldif—Oracle Access Manager configuration data cleanup file for Oracle Internet Directory—removes both user and configuration data when both reside on the same directory instance
When user data and configuration data reside in the same directory instance, only the OID_oblix_schema_delete.ldif needs to be used with the because it will also remove the user schema objects.
However, when a separate directory instance hosts only user data the OID_user_schema_delete.ldif should be used. In either case, however, you must use the OID_oblix_schema_delete.ldif to remove the attribute index.
For steps, see Chapter 20, "Removing Oracle Access Manager".

Similar Messages

  • OAM 10g Reset Password Issue in Password Policy Management

    Hi,
    We are using OAM 10g and we have configured password policy for our application with selecting "Change on Reset" Check Box.
    We have created new user in create user identity tab and when we are logging with new user for the first time, it is not redirecting to the reset password page.
    Can someone shed light on this issue?
    Thanks,
    Ganesh

    Hi Colin,
    As you said, We have configured obpasswordchangeflag in Create User Workflow by setting the default value true.
    We have created new user in create user tab and checked in LDAP Browser as it is showing obpasswordchangeflag =true in newly created user's profile.
    Now, when we are trying to login with new user, it is still not redirecting to the Reset Password Page.
    Please find below the URL which we have configured in Password Policy Change Redirect URL:
    /identity/oblix/apps/lost_pwd_mgmt/bin/lost_pwd_mgmt.cgi?program=redirectforchangepwd&login=%loginid%%userid%&backURL=%HostTarget%%RESOURCE%&STLogin=%applySTLogin%&target=top&style=style1
    Can you please help me on this issue?
    Thanks,
    Ganesh

  • OAM 10g - obmygroups and nested dynamic groups

    I've run into an issue with the obmygroups header action in OAM 10g, and I'm not sure whether this is by design or not.
    The obmygroups will return static and dynamic group names for which the user is a member, and it will return static groups that contain nested static groups where the user is a member of the nested group. However, it doesn't seem to return static groups with nested dynamic groups where the user is a member of the nested dynamic group.
    Is that by design? Is there any way to nest dynamic groups so that obmygroups will return the parent group name? I'd like to have a group that contains both nested static and nested dynamic groups, and have the obmygroups action return the name of the parent group.
    Thanks,
    Matt

    Return Attribute Action in authentication or authorization rules
    obmygroups:<ldap_url> special attribute returns those groups to which the user belongs that also satisfy the criteria <ldap_url> filter specifies.
    EX: "obmygroups:ldap:///cn=Groups,dc=myorg,dc=com??sub?(group_type=role)" returns all the groups in the cn=Groups,dc=myorg,dc=com tree for which the logged-in user is a member and the group_type is role.
    For more information check OAM Access Administration Guide

  • OAM 10g directory server switch

    Hi,
    I need to reinstall the OID 11g instance that OAM 10g uses for users/policies/config.
    The OID host name and port will not change and I'll load all the original OAM data into the new OID.
    I think I just need to run a script that will load all the OAM schema objects into OID.
    Can anyone tell me which script does this?
    I'm wondering if it's ds_conf_update but this may change more than I need.
    Thanks
    Darren

    Hi Darren,
    Yes, ds_conf_update is the command to do this - it is documented in the OAM 10g Installation Guide.
    Regards,
    Colin

  • OIM 9.1 and OAM 10g integration document

    Hi,
    Could you please provide me any link or document for OIM 9.1.0.2 integration with OAM 10g?
    Thanks
    Sandy

    Best Practices Document:
    http://download.oracle.com/docs/cd/E14899_01/doc.9102/e14761/oamsso.htm#sthref78
    Within OIM, once you have configured OAM to pass a header variable, it's just 2 parameters that change in the OIM xlconfig.xml file.
    -Kevin

  • 10g Migration issue in forms related to graphics

    Hi..
    I am facing a 10G migration issue related to graphics in Forms.
    A form got migrated from 6i to 10g and it has Graphics in it but it is not displaying the graphics in Runtime after migration. Can anyone help me regarding how to resolve this Graphics issue in 10g?
    Thanks,
    Venkat

    Graphics no longer exists in Developer Suite 10G. You have to replace the functionality, e.g. by using BI Beans. Have a look at the samples page http://www.oracle.com/technology/sample_code/products/forms/index.html

  • Pop up warning when creating policy domain in OAM 10g

    Has anyone seen below pop up warning when creating a policy domain in OAM 10g Policy manager?
    Warning:
    This policy domain controls the access to the URI you are currently accessing
    /access/oblix/apps/policyservcenter/bin/policyservcenter.cgi
    Are you sure you want to commit these changes?

    Hi,
    Does Note 842378.1 look like a match for you? Maybe the obcompounddata attribute is missing for some odd reason.
    Regards,
    Colin

  • OAM 10g attribute is not visible in object class in Identity System console

    Hi All,
    This is about OAM 10g environment with OID used as user/config/policy store. There are one custom user object class and custom attributes defined in Identity System console already. Now there is a requirement to add another custom attribute to that already existing custom user object class.
    I have created the attribute in schema through ldap command and I am able to see it in LDAP browser as well. However even after restarting OAM identity server and webpass services, the attribute is not visible in Identity System console -> Common Configuration -> Objectclasses -> Custom object class.
    Appreciate any help. Please treat this as urgent.
    Thanks
    Mahendra.

    The solution is to add the attributes in OVD schema as OVD is the user store.

  • Configuration of oim 10g and oam 10g.. and integrating oam10g with oid

    Hi..
    I am trying to configure OAM10g and OIM10g and integrate OAM10g with OID..
    Please send me the documents if anyone has them...
    Thanks & Regards,
    avinash

    For integrating OIM 10g with OAM 10g, refer doc below:
    http://docs.oracle.com/cd/E14899_01/doc.9102/e14761/oamsso.htm#sthref78
    For OAM and OID integration refer:
    http://docs.oracle.com/cd/E15217_01/index.htm
    regards,
    GP

  • URGENT: OAM 10g server and webgate certificates query

    Hi experts,
    There is an OAM 10g environment. OAM Access Server and Identity Server is installed and up and running. OAM servers are in CERT mode. So to install webgates residing in different machines from OAM servers, can we use the same OAM Access Server certificates for WebGate certificate while installing WebGate?
    Thanks
    IDM Team.
    Edited by: 898990 on Mar 13, 2013 1:38 PM

    Figured it out. The OAM proxy (AccessServerConfigProxy @port 5575) for 10g webgates was configured to listen in cert mode. I had to switch it to open mode. Not sure how it got switched, but got the webgate install going for now. Thanks.

  • Monitoring Tool for OAM 10g

    Hi all,
    I am trying to find all possible ways to monitor a OAM 10g server.. From the documentations I read about SNMP Monitoring.. So I installed the SNMP Agent in the machine where OAM is installed.. And I came to know how to enable SNMP Monitoring in OAM 10g..
    I am drafting my understandings.. please correct me if I am wrong;
    - The SNMP Agent that is installed in the OAM machine will gather the monitoring information
    - The Agent will send the information via SNMP to a master application
    If my understanding is correct, these are my questions for which I need your answers; :)
    1. Do I need to install any third party tools like Tivoli or Sun SunNet Manager to which the SNMP Agent will send the information??
    2. My task is to create a custom monitoring application for OAM 10g. Can u please suggest me a best way to do this..
    3. Is there any other way to monitor the Identity and Access Server..
    Thank you :)
    A * R

    The Identity Management Pack for Enterprise Manager provides central monitoring of most of the IAM components (including OAM) and should soon provide monitoring of all IAM components in version 11g. So if you are looking at a complete solution this is a good way to go.
    http://www.oracle.com/products/middleware/identity-management/management-monitoring.html
    http://www.oracle.com/technology/products/oem/pdf/twp_idm_mgmt.pdf
    hth
    Chris
    Edited by: chris W on Dec 10, 2009 1:38 PM

  • OAM 10g  - custom resource type issue

    I've created a custom resource type, say, boolean with one operation: TRUE. Then I defined resources of type boolean in my domain: /folder, /folder/1 and /folder/2. I created a policy that sets TRUE for resources /folder, /folder/*, and the rule is some LDAP query, like ldap:///<my_suffix>??sub?(|(attr='A')(title='B')). Then when I run policy tester for a user (who I know has attribute I set in the LDAP query) and for example, resource /main/1, OAM tells me: policy name - correct name, rule - undefined, authorization - inconclusive. If anyone played with custom resource types, can you please advise? Why does it say "rule not found"?
    Thanks,
    -Alex

    Hi Alex,
    Doing the equivalent works for me - I suspect that it's a problem more with the resource syntax that the policy is protecting than with custom resource types. In my env I have:
    - Policy Domain protecting resource of type boolean, resource /folder1
    - Policy within the domain protecting url prefix /folder1, url pattern test/.../*, resource type boolean, resource operation TRUE
    - authorisation rule (used in the Authorisation Expression for the policy) ldap:///dc=example,dc=com??sub?(|(uid=bjensen)(givenName=*ba*))
    and the Access Tester shows the rule and expected results when testing url boolean:///folder1/test/whatever
    Are you using the /.../* syntax in your policy?
    Regards,
    Colin

  • OAM 10g policy evaluation issue

    I have the policy with following authorization expression: Rule A|Rule B.
    Rule A:
    allowed: all users with o=Org A
    denied: any user
    allow takes precedence: true
    Rule B:
    allowed: all users with o=Org B
    denied: any user
    allow takes precedence: true
    I want the policy to grant access to any user in either of organizations. It does not work for users with o=Org B. Instead access tester shows that Rule A was in effect and authorization is inconclusive. The only way I can make it to work is by removing denial conditions completely: i.e. denied=no one is denied. It does not make sense to me - each rule actually works if not combined with another one.
    Does anybody know whether it is a bug?
    Thanks,
    Alex

    Hi Alex,
    The important thing to remember is that for OR conditions, OAM will stop processing the expression as soon as the user is explicitly referenced (for either Allow or Deny) in a rule, as evaluated from left to right. So if you have an expression:
    RuleA OR RuleB OR RuleC
    and the logged in user is not mentioned in ruleA, but is Allowed in RuleB, then OAM will not process RuleC.
    (With AND conditions, OAM needs to know all of the results, so in the case of an expression:
    RuleX AND RuleY AND RuleZ
    if the user satisfies RuleX, then OAM still needs to process RuleY and RuleZ in order to determine if the user meets the requirements of the expression.)
    In the majority of cases, the way OAM works does boil down to the same as Boolean logic. If, for example, the OR expression above tested that a user is in either GroupA, or GroupB, or GroupC and the user is in GroupA, the only effect of the way that OAM works is that it does not unnecessarily work out if the user is in GroupB or GroupC.
    The two areas which I can see as potentially causing confusion are:
    - when you have an Allow Anyone or Deny Anyone in a rule. In this case, clearly every user is explicitly mentioned in a rule, and processing will stop at this rule as far as OR operations are concerned (as in the example you originally gave).
    - when you want different actions to be performed depending on which rule is applied (so if a user is a member of both GroupA and GroupC, you may have different sets of header variables that need to be applied).
    But generally, if these are not factors, I would expect the same behaviour for more complex relations (such as your "(Rule 1 OR Rule 2) AND (Rule 3 OR Rule 4)" expression) to be the same as for Boolean operations. In this case if a user satisfies Rule1, then it will still evaluate AND (Rule3 OR Rule4), but not Rule2.
    If the above factors really do cause OAM to evaluate undesirable results for you, would it be possible to move the complexity to group membership? For example you could define group membership to be the result of a complex ldap filter, and then define a simple rule (and expression) and associated actions which allows access based on this group.
    Regards,
    Colin
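
A model of the evaluation order described in the reply above, added here as an example and not Oracle Access Manager code: it records which rules are processed for the `Rule A|Rule B` policy from the question and for the `(Rule 1 OR Rule 2) AND (Rule 3 OR Rule 4)` expression. The `Rule`/`Or`/`And` classes, the outcome names, the handling of "allow takes precedence" and the way AND combines results are assumptions of this example; the Access Tester's "inconclusive" status is not modelled.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Outcome names are this example's own, not OAM status strings.
ALLOW, DENY, NOT_MENTIONED = "allow", "deny", "not_mentioned"


@dataclass
class Rule:
    name: str
    allowed: Callable[[dict], bool]   # "allow access" condition
    denied: Callable[[dict], bool]    # "deny access" condition
    allow_takes_precedence: bool = True

    def evaluate(self, user: dict, trace: List[str]) -> str:
        trace.append(self.name)       # record that this rule was processed
        is_allowed, is_denied = self.allowed(user), self.denied(user)
        if is_allowed and is_denied:  # assumption: the flag settles the conflict
            return ALLOW if self.allow_takes_precedence else DENY
        if is_allowed:
            return ALLOW
        if is_denied:
            return DENY
        return NOT_MENTIONED          # user not referenced by this rule


@dataclass
class Or:
    children: list

    def evaluate(self, user: dict, trace: List[str]) -> str:
        # Left to right; stop at the first child that explicitly
        # references the user, whether for Allow or for Deny.
        for child in self.children:
            result = child.evaluate(user, trace)
            if result != NOT_MENTIONED:
                return result
        return NOT_MENTIONED


@dataclass
class And:
    children: list

    def evaluate(self, user: dict, trace: List[str]) -> str:
        # Every operand is processed; combining them this way is an assumption.
        results = [child.evaluate(user, trace) for child in self.children]
        if DENY in results:
            return DENY
        return ALLOW if all(r == ALLOW for r in results) else NOT_MENTIONED


def decide(expression, user: dict) -> Tuple[str, List[str]]:
    """Return (outcome, names of the rules that were actually processed)."""
    trace: List[str] = []
    return expression.evaluate(user, trace), trace


def anyone(user: dict) -> bool:
    return True


def no_one(user: dict) -> bool:
    return False


def org_is(org: str) -> Callable[[dict], bool]:
    return lambda user: user.get("o") == org


def in_group(group: str) -> Callable[[dict], bool]:
    return lambda user: group in user.get("groups", ())


def two_org_policy(deny_condition) -> Or:
    """Rule A | Rule B from the question, with a configurable deny condition."""
    return Or([Rule("Rule A", org_is("Org A"), deny_condition),
               Rule("Rule B", org_is("Org B"), deny_condition)])


def nested_policy() -> And:
    """(Rule 1 OR Rule 2) AND (Rule 3 OR Rule 4), each rule allowing one group."""
    rules = [Rule(f"Rule {n}", in_group(f"g{n}"), no_one) for n in range(1, 5)]
    return And([Or(rules[:2]), Or(rules[2:])])


if __name__ == "__main__":
    org_b_user = {"o": "Org B"}       # constructed sample users
    print(decide(two_org_policy(anyone), org_b_user))
    print(decide(two_org_policy(no_one), org_b_user))
    print(decide(nested_policy(), {"groups": {"g1", "g4"}}))
```
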

  • OIF+OAM: install/config  issues

    This post is long. Hoping that at least one of the issues is seen by someone or someone has insights before we open SR(s) with Oracle.
    We have a working OAM/OVD 11.1.1.5 installation (done according to the EDG at http://docs.oracle.com/cd/E21764_01/core.1111/e12035/toc.htm).
    We started an evaluation of OIF and ran into some issues grouped under Install and Config categories.
    Install issues:
    We installed it per chapter 16 of that EDG and all the steps went OK except step 16.7 (http://docs.oracle.com/cd/E21764_01/core.1111/e12035/oif.htm#BAJCJHBG). The config properties userldaphaenabled, fedldaphaenabled are getting set via WLST but don't appear to be persisted anywhere. On a restart they are false again. Are they supposed to be saved to config.xml of the IDMDomain? Can I try adding them manually like this as child elements under each of the wls_oif managed servers?
    <datastore>
    <userldaphaenabled>true</userldaphaenabled>
    <fedldaphaenabled>true</fedldaphaenabled>
    </datastore>
    If those settings were properly set what is it supposed to do? I can see that config.xml, cots.xml files are stored as blobs in one of the OIF db tables. Will the above setting move them from DB to LDAP?
    Config/Runtime Issues:
    We proceeded with configuration because the /sp/metadata and /idp/metadata test URLs are working fine via the VIP address. We used this manual to do the integration.
    http://docs.oracle.com/cd/E21764_01/doc.1111/e15740/oif.htm#CACJDDGE. In section 4.3.1.6 (Configure Oracle Identity Federation in SP Mode) of this document it says to configure Oracle SSO. We only have OAM and not osso. We went ahead and configured the second tab (OAM) in the screen capture in that section as well (is there any documentation on how to configure that tab?)
    In SP mode (section 4.3), testing of a resource protected with OIFScheme in OAM is not successful. It does not show any OIF login screen. Instead it takes the user through these URLs:
         1.     https://sso.company.com/test-app/
         2.     https://sso.company.com/fed/user/sposso  
         3.     https://sso.company.com/fed/user/authnoam?refid=id-tB20kXzmHjpn6MUSdOr7qbmd2OU-
         4.     https://sso.company.com/fed/sp/art20?SAMLart=AAQAAbV1ElKBtte9uuhKoeo4h%2FMufCdY2wDlDIM2T9dL%2BvhsvtfUrwCuZg8%3D&RelayState=id-JPh8MY05pAZRckl4yOc2J4-80GI-
    and then shows this error in the browser:
    Error 401--Unauthorized
    From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
    10.4.2 401 Unauthorized
    The request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.46) containing a challenge applicable to the requested resource. The client MAY repeat the request with a suitable Authorization header field (section 14.8). If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials. If the 401 response contains the same challenge as the prior response, and the user agent has already attempted authentication at least once, then the user SHOULD be presented the entity that was given in the response, since that entity MAY include relevant diagnostic information. HTTP access authentication is explained in section 11.
    The following errors are seen in the WLS_OIF1 (we turned off WLS_OIF2 during this test) managed server logs:
    <Mar 10, 2012 10:58:37 AM PST> <Error> <oracle.security.fed.eventhandler.authn.engines.oam.OAMAuthnEventHandler> <FED-18068> <Authentication failed: WebGate did not authenticate the user>
    <Mar 10, 2012 10:58:37 AM PST> <Emergency> <oracle.security.fed.model.config.Configuration> <FED-10174> <Property was not found: httpheaderattrcollector.>
    <Mar 10, 2012 10:59:27 AM PST> <Warning> <oracle.security.fed.http.handlers.authn.LoginRequestHandler> <FED-18051> <Authentication instant was not sent from the authentication engine.>
    <Mar 10, 2012 10:59:37 AM PST> <Error> <oracle.security.fed.util.ssl.KeystoreUtil> <FED-18080> <Could not retrieve key from the key store. Please verify that the key password is equal to the key store
    < this error is followed by an exception shown below>
    <Mar 10, 2012 10:59:39 AM PST> <Error> <oracle.security.fed.eventhandler.authn.engines.osso.OssoFinishSPSSOEventHandler> <FED-15134> <The service providercould not map the identity provider response to a user>
    FED-18080 exception:
    java.security.UnrecoverableKeyException: Cannot recover key
         at sun.security.provider.KeyProtector.recover(KeyProtector.java:311)
         at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:121)
         at sun.security.provider.JavaKeyStore$JKS.engineGetKey(JavaKeyStore.java:38)
         at java.security.KeyStore.getKey(KeyStore.java:763)
         at com.sun.net.ssl.internal.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:113)
         at com.sun.net.ssl.internal.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:48)
         at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:239)
         at oracle.security.fed.util.ssl.KeystoreUtil.createKeyManagers(Unknown Source)
         at oracle.security.fed.util.soap.OIFSSLProtocolSocketFactory.createSSLContext(Unknown Source)
         at oracle.security.fed.util.soap.OIFSSLProtocolSocketFactory.getSSLContext(Unknown Source)
         at oracle.security.fed.util.soap.OIFSSLProtocolSocketFactory.createSocket(Unknown Source)
         at oracle.security.fed.util.soap.OIFSSLProtocolSocketFactory.createSocket(Unknown Source)
         at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:707)
         at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open(MultiThreadedHttpConnectionManager.java:1361)
         at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:387)
         at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
         at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
         at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:346)
         at oracle.security.fed.util.soap.SimpleSoapSender.sendMessage(Unknown Source)
         at oracle.security.fed.http.flow.profiles.sp.SendSoapRequestSSOResponseHandler.perform(Unknown Source)
         at oracle.security.fed.controller.ApplicationController.processServletRequest(Unknown Source)
         at oracle.security.fed.controller.web.servlet.FederationServlet.doGet(Unknown Source)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:821)
         at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
         at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
         at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:300)
         at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:27)
         at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:57)
         at oracle.security.jps.ee.http.JpsAbsFilter$1.run(JpsAbsFilter.java:111)
         at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:313)
         at oracle.security.jps.ee.util.JpsPlatformUtil.runJaasMode(JpsPlatformUtil.java:413)
         at oracle.security.jps.ee.http.JpsAbsFilter.runJaasMode(JpsAbsFilter.java:94)
         at oracle.security.jps.ee.http.JpsAbsFilter.doFilter(JpsAbsFilter.java:161)
         at oracle.security.jps.ee.http.JpsFilter.doFilter(JpsFilter.java:71)
         at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:57)
         at oracle.dms.servlet.DMSServletFilter.doFilter(DMSServletFilter.java:136)
         at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:57)
         at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3715)
         at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3681)
         at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
         at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
         at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2277)
         at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2183)
         at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1454)
         at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)
         at weblogic.work.ExecuteThread.run(ExecuteThread.java:178)
    A minor other problem seems to be with adrci:
    Cause: DFW-40112: There was an error executing adrci commands; the following errors have been found "Cannot run program "/app/iam/middleware/wlserver_10.3/server/adr/adrci": java.io.IOException: error=12, Cannot allocate memory"
    Action: Ensure that command line tool "adrci" can be executed from the command line.
    We can run the adrci tool from command line using the same LD_LIBRARY_PATH as used by the wls_oif1 server. Why is it trying to run it and failing and what is it trying to do? Can we turn it off?

    I reinstalled the suite. This time, during the Policy Manager install I left the "Root Directory for Policy Domains" (step/page 7-12) at the default, which was "/". The GUI now works correctly.
    On the previous install I changed the path to /AccessManagerPolicy -- it wasn't clear to me what the installer meant by 'root directory'. I did try to get /AccessManagerPolicy to work by creating a directory under my web root to match, but I still had issues with the Policy Domain -- no policy domains would match. So, it looks like this parameter should never be changed in the installer.
    Aaron.

  • Read Only privileges for Access Server and Identity Server - OAM 10g

    Hi,
    I am working on Oracle Access Manager 10g version 10.1.4.
    I use an administrative account that is a member of the 'COREid Administrators' group to log into the access console and identity console of OAM.
    Since this is the administrative account, it has the rights to modify and update all access/identity entities.
    How can I set up an account that has "view only" privileges over all access and identity objects in OAM?
    I need to log into the access and identity consoles of OAM and view all policy domains/policies/access system configuration/user manager config/group manager config etc. but not be able to modify any of them.
    Is there a way to setup such an account in OAM?
    Regards,
    Abhishek.

    Hi Abhishek,
    It is possible to define different levels of administrator, but it is not possible to give an admin read access (to objects in the consoles) without also giving modify access. I do not believe that there is a straightforward way to meet this requirement - for the Access System you could use the Policy Manager API and write your own interface (which does not have the ability to modify) but obviously this would be some development effort.
    Regards,
    Colin
