CoreID Policy domain

Hi
we installed Oracle CoreID 7.0.4.3 sucessfully using OID as a backend directory server for all data areas.
we created a policy domain to protect a resource using Basic over LDAP allowing all users.
Basic over LDAP was configured:
obMappingBase="dc=de,dc=pri,dc=xx,dc=com",obMappingFilter="(&(objectclass=inetorgperson)(uid=%userid%))"
obCredentialPassword="userPassword"
When we call the matching ULRs, the authentication forms pops up, but after entering correct credentials we get:
Oracle Netpoint Operation Error
The credentials (userid=orcladmin password=(omitted) Resource=/nagios/ RequesterIP=10.121.74.7 Operation=GET) used for the login are missing a required password.
Contact your website administrator to remedy this problem.
Can anyone help?
Guenter

Hi,
Even I was trying to configure IWA with COREid in a similar environment settings and ended up getting the same result. The difference in my environment was:
Authentication Scheme -> Challenge Method was "Ext", Challenge Parameter was "creds:REMOTE_USER" , The plugin was "credential_mapping" and the filter was obMappingBase="ou=Users,o=INTRANET",obMappingFilter="(&(objectclass=inetorgperson)(uid=%REMOTE_USER%))"
With the above settings, when I try to access the protected page, I get a similar message viz - Oracle Netpoint Operation Error : The mapping of credentials (Resource=/app1/homepage.html Operation=GET) to a user profile failed. The Access Server may not be able to connect to the user directory, or the authentication scheme iwa may have an invalid ObMappingFilter parameter for its credential_mapping plugin. Contact your website administrator to remedy this problem.
Any suggestions? Please let me know.
Thank you so much.

Similar Messages

Policy Domain Root error during Policy Manager installation

I am installing Policy manager for the first time and I am getting error at Policy domain root level.
If I specify Policy Domain Root as / it gives me this error
Unable to modify the entry with DN obapp=PSC,ou=Oblix,dc=SUPPLIER,DC=GLOBAL in the directory server - Object class violation in ModifyDBEntry_ADSI()
The DN obapp=PSC,ou=Oblix,dc=SUPPLIER,DC=GLOBAL exists in the directory.
My directory is Windows 2003 standard edition SP1 active directory. I am using Oracle access manager 10.1.4
user and policy directory is the same directory supplier.global.
Forest and domain functional level is Windows 2003
My person object class is: user
i have already installed webpass and identity server on same machine.
I have removed and tried to reinstall the policy manager on the same machine and the same error.
My identity server admin console is showing three directories:
AccessManager_setup_user_profile
AccessServer_default_user_profile
default-IdentityServer_1_6022
all of the directories have these settings dynamic auxiliary is yes and directory type is microsoft active directory (using adsi) without ldap for authentication checked.
I am getting these errors in my access logs looks like the path is wrong and the files are missing but not sure from which part of setup its taking this.
2007/02/06@19:22:35.265000     3040     1848     INIT     ERROR     0x000003B6     base\oblistrwutil.cpp:145     "Could not read file"     filename^C:\Program Files\NetPoint\WebComponent\access/oblix/lang/en-us/comm_servermsg.xml
2007/02/06@19:22:35.375000     3040     1848     INIT     ERROR     0x000003B6     base\oblistrwutil.cpp:145     "Could not read file"     filename^C:\Program Files\NetPoint\WebComponent\access/oblix/lang/en-us/sysmgmtmsg.xml
2007/02/06@19:22:36.015000     3040     1848     INIT     ERROR     0x000003B6     base\oblistrwutil.cpp:145     "Could not read file"     filename^C:\Program Files\NetPoint\WebComponent\access/oblix/lang/en-us/policysetupldifs_msg.xml
2007/02/06@19:22:37.843000     3040     1848     DB_RUNTIME     WARNING     0x00000007     \Oblix\coreid\np_common\db\ldap\util\ldap_util.cpp:1131     "Requested modify or add operation resulted in schema violation"     function^ModifyDBEntry()     dn^obapp=PSC,ou=Oblix,dc=SUPPLIER,DC=GLOBAL
2007/02/06@19:22:37.843000     3040     1848     DB_RUNTIME     WARNING     0x00000504     \Oblix\coreid\np_common\db\ldap\util\ldap_util.cpp:1217     "Exception during DB runtime code"     function^ModifyDBEntry()     dn^obapp=PSC,ou=Oblix,dc=SUPPLIER,DC=GLOBAL
2007/02/06@19:22:37.843000     3040     1848     DB_RUNTIME     WARNING     0x00000504     \Oblix\coreid\np_common\db\ldap\util\ldap_util3.cpp:837     "Exception during DB runtime code"     function^ModifyDBEntryWithDupCheck
Thanks for helping me out.
Message was edited by:
user557359

Hi,
Go to Policy domain root for Activer directory
Steps on how to resolve this are outlined there.
Rgds,
Boland

Policy domain root for Active directory

Does anyone know how to configure policy domain root in Active directory ?.
I am installing COREid Access policy manager which needs a policy domain root input during the web interface configuration.
Please some one help in resolving this issue.

Hi,
I might help if can give the exact description of the issue that you are getting. However I have encountered similar or exact problem that you are having. Let me know whci ldap directory you are using with your CoreID install.

Pop up warning when creating policy domain in OAM 10g

Has anyone seen below pop up warning when creating a policy domain in OAM 10g Policy manager?
Warning:
This policy domain controls the access to the URI you are currently accessing
/access/oblix/apps/policyservcenter/bin/policyservcenter.cgi
Are you sure you want to commit these changes?

Hi,
Does Note 842378.1 look like a match for you? Maybe the obcompounddata attribute is missing for some odd reason.
Regards,
Colin

Policy domain doesn't protected

I have following problems:
1.I haven't protection for any created policy domain, I have only protection for default policy domains /access and /identity . It can protect requested policy domain, if I put my resources under policy domains . /access or /identity.
How can I test that Oracle Access Manger really protect created policy domain on web server, I always used access tester, always fine work,but resources aren't protected.
For simple OAM configuration I used Doc ID: Note:437423.1 Step by Step: How to Protect a Root '/' Policy Domain With A Form Deployed On The Same WebGate HTTP Server, but resources aren't protected again.
2.When I enable default policy domains, I get very strange case, I have to try to log on at least 2-3 times for requested link on Oracle Access Console , that is very difficult for administration.

Not the same i had a similar one. I crated my own policy domain. ( As suggested by kiran )
Just documented the steps, try it out, Hope this helps.
http://nagarun.wordpress.com/2007/12/22/oracle-access-manager-administration/
Cheers, Nag

Policy Domain not found

Hy everybody!
Please help me, I have problem with Policy Doman,
when I test access with option Access Tester on my Policy Domain,
i get following message:
Evaluation result
Policy Domain <not found>
I checked in OID, my Policy Domain exists in following entry
obname=policy_domain_id, obapp=PSC, o=Oblix <DN>
but as you see error says that Policu Domain not found.
best regards!

Hi!
I have :
- 2 Authorization Rules
- 1 Default Authentication Rule
- 1 Default Authorization Expression
I checked Host identifier with ping command, it's correct.
Do you have any ideas about problem?
On following URL I posted picture of the my Policy Domain
http://img205.imageshack.us/img205/8909/policydomainhx6.jpg
<img src="http://img205.imageshack.us/img205/8909/policydomainhx6.th.jpg" border="0" alt="Free Image Hosting at www.ImageShack.us" />

Changing policy domain timeout value

Hi Idm folks,
Can we configure a different timeout values on policy domains protecting different applications?
For example; policy domain /domain01/... has a 15 miunte idle session timeout and policy doomain02/... would have a 6 hour idle session timeout.
I don't think we can, wanted to check if anyone had ever came across this requirement?
thanks!

For different applications are you using different webgates? In that case you can think of using separate host identifiers for different webgates and create policies for host identifiers and you can have different timeout values for webgates.
BUT, in a SSO scenario what kind of complication it will bring, needs to be evaluated on the environment (mainly the central and application webgate domain for obSSOCookie) and requirements. This can be an interesting exercise, I guess. :)

Policy domain root for Activer directory

I am setting up the access manager with active directory . But during web configuration ,it prompts for providing a policy domain root. I choose go ahead with default vlaue (i.e /). But it is returning me following error.
"Error in setting Policy Domain Root."
Please some one help out in resolving this issue.

Hi Nataraj,
I know what your problem is. Go to the computer running Active Directory, open "Open Active Directory Domains and Trusts" under Start -> Administrative tools. Right click on your domain shown and choose "Raise Domain to Functional level", you might need to this three to four times before this takes effect.
Then on the same window, right click on "active directory domains and trusts" and choose "Raise Forest functional Level", you might need to do this three times as well.
This will solve your problem, unfortunately you'll have to reinstall Access/Policy Manager. I have had this problem many times and this solved it. I am assuming you are using Windows 2003 Enterprise server.
Rgds,
Boland

Oracle access manager - Policy domain - Return Type

Hi,
I have a requirement where I need to return few LDAP parameter values through Policy domain while redirecting. But the return type should be propertytype and not headervar or cookie. This is SSO integration with websphere using JAAS subject. We have inhouse TAI connector developed for integration between websphere and oracle access manager.
Please help me to resolve this issue.
Regards,
Prashant

Hi Prashant,
OAM can return any type that you want, and OAM will set the name/value for that type - you can put "propertytype" in the type column, and the name and return attribute in the respective fields. "Cookie" and "HeaderVar" are the only types used by OAM WebGates, but your AccessGate (custom in-house connector) should be able to retrieve the values of propertytype that OAM sets.
Regards,
Colin

Overlapping OAM policy domains

The OAM documentation addresses overlapping policies within a single policy domain, but I haven't been able to find anything about overlaps between different domains.
I have a policy domain for a host that protects everything under the root "/". However, I want the "access" virtual directory to be handled the same as the access directory on all of the other hosts, so I added the access resource to a domain that defines the policy for all of the access directories.
The result is an overlap-- the access directory for that host is protected in the specific "access" domain, and it's also protected under the domain that protects everything under the root for that host.
Is this a problem for OAM? Does OAM apply the most-specific policy domain for a resource, as hoped in this case? OAM allows me to explicitly order policies within a domain, but I don't see any way to order domains themselves.
Thanks,
Matthew

For policy domain mapping, the basic algorithm OAM follows is to use the host and path elements of the URI to 'map' into the 'most specifically relevant' policy domain.
As far as the path is concerned, OAM tries to match the path beginning with the most strict pattern and then working backwards to achieve a match.
For example, consider the following configuration:
Policy Domain A protects MY_HOST/access/bin
Policy Domain B protects MY_HOST/access
If a request for MY_HOST/access/bin/foo?param=1 comes in...
OAM looks for a policy domain protecting a resource MY_HOST/access/bin/foo and can't find one.
Next, OAM looks for a policy domain protecting a resource MY_HOST/access/bin and finds it and processing continues from there.
So, in the case you illustrate, /access is simply a 'more strict' pattern than / which will catch all requests that match that pattern.
As you noted, the evaluation of 'Policies (exceptions to the default rules)' is managed by explicit order.
It is also important to note, in this discussion, that OAM does not tolerate ambiguity on the HOST element of a protected resource. Configuring OAM to map the same hostname variation to more than one host identifier will produce unpredictable results. Validation in the admin application is in place to help avoid this.
Hope that helps.
Cheers,
Mark

Fusion App installation - Registering OAM policy domain ...

Hi all,
I'm trying to perform Fusion Applications installation (Linux 64, Middleware 11.1.1.5.0, WLS 10.3.6) in a single host environment, without any load balancer..
The installation fails in "Registering OAM policy domain" phase with error "User does not belong to the group that is authorized to perform registration."
I'm able to login as oamadmin to http://vfusion01.mydomain.com:7001/oamconsole with admin's privileges.
Adding oamadmin into OAMAdministrators and OIMAdministrators groups in LDAP didn't help.
Any idea how to continue?
Thanks for support
Daniel F
[edit]OAM Validation/Authorization and Authentication are successful in OAM Test Tool:
[3/2/12 12:21 PM][request][validate] yes
[3/2/12 12:21 PM][response] Authentication scheme : OAMAdminConsoleScheme, level : 2
[3/2/12 12:21 PM][response] Redirect URL : https://vfusion01.mydomain.com:4443/oam/server/
[3/2/12 12:21 PM][response] Credentials expected : 0x4 (form)
[3/2/12 12:21 PM][request][authenticate] yes
[3/2/12 12:21 PM][response] User DN : cn=oamadmin,cn=users,dc=mydomain,dc=com
[3/2/12 12:21 PM][response] SessionID : 29b10d11-ab81-4446-9e86-880db6e5790c
[3/2/12 12:21 PM][response][action] OAM_IMPERSONATOR_USER :
[3/2/12 12:21 PM][request][authorize] yes
[3/2/12 12:21 PM][response][action] OAM_IMPERSONATOR_USER :
[3/2/12 12:21 PM][response][action] OAM_REMOTE_USER : oamadmin
[3/2/12 12:21 PM][response][action] OAM_IDENTITY_DOMAIN : OIMIDStore
[edit]
====================
[echo] Registering OAM policy domain ...
Registering policy file /fusion/faprov/provisioning/provisioning-plan/bootstrap_oam.conf for policy domain provisioning ...
[echoNested] Registering policy file /fusion/faprov/provisioning/provisioning-plan/bootstrap_oam.conf for policy domain provisioning ...
[echo] mode=CREATE
[echo] app_domain=provisioning
[echo] oam_aaa_host=vfusion01.mydomain.com
[echo] oam_aaa_port=5575
[echo] uris_file=/fusion/faprov/provisioning/provisioning-plan/bootstrap_oam.conf
[echo] hostname_variations=vfusion01.mydomain.com:12613,vfusion01.mydomain.com:12614
[echo] oam_admin_server=http://vfusion01.mydomain.com:7001
[echo] oam_admin_username=oamadmin
[echo] -usei18nlogin
[echo] default_authn_scheme=FAAuthScheme
[echo] oam_cache_header=
[echo] logouturi=/oamsso/logout.html
[echo] web_domain=OraFusionApp
[echo] oam_aaa_mode=simple
[echo] log_level=ALL
[echo] max_oam_connections=10
[echo] primary_oam_servers=wls_oam1:10
[echo] oam_ip_validation=0
[echo] oam_idle_session_timeout=900
[echo] oam_version=11
[echo] cookie_domain=mydomain.com
[echo] app_agent_password and oam_admin_password passed in via STDIN
Mar 1, 2012 6:39:01 PM oracle.security.am.engines.rreg.client.oamcfgwrapper.OAMCfgRREGWrapperImpl handleConfig
INFO: Into RREG Wrapper implementation
Enter password: Enter password: Mar 1, 2012 6:39:01 PM oracle.security.am.engines.rreg.client.util.RegClientFusionCfgURIsFileHandler readProtAndPubUrisFromFileAndSet
INFO: Success: URI:[provisioningBootstrap*] is added.
Mar 1, 2012 6:39:01 PM oracle.security.am.engines.rreg.client.util.RegClientFusionCfgURIsFileHandler readProtAndPubUrisFromFileAndSet
INFO: Success: URI:[provisioningBootstrap/.../*] is added.
Your registration request is being been sent to the Admin server at: http://vfusion01.mydomain.com:7001
Mar 1, 2012 6:39:05 PM oracle.security.am.engines.rreg.client.RegController processOamCfgRegistration
SEVERE: Server side error occurred. Specific error messages are:User does not belong to the group that is authorized to perform registration. Registration failed. Try again after verifying the users group.
Mar 1, 2012 6:39:05 PM oracle.security.oam.oamcfg.OAMCfgTool main
WARNING: OAMCFG-60083: OAM Configuration did not complete successfully. Refer log for details
Mar 1, 2012 6:39:05 PM oracle.security.oam.oamcfg.OAMCfgTool main
WARNING: Stack trace::
oracle.security.am.engines.rreg.client.RegController:processOamCfgRegistration() in file RegController.java:771
oracle.security.am.engines.rreg.client.oamcfgwrapper.OAMCfgRREGWrapperImpl:handleConfig() in file OAMCfgRREGWrapperImpl.java:359
oracle.security.oam.oamcfg.OAMCfgTool:main()[2012-03-01T18:39:05.530+01:00] [runProvisioning-install] [NOTIFICATION] [] [runProvisioning-install] [tid: 12] [ecid: 0000JNF5GUy5i^O6yj7i6G1FJuCA000003,0]
[logStatus] STATE=BUILD_ERROR!TIMESTAMP=2012-03-01 18:39:05 CET!TARGET=register-policy-domain!CATEGORY=BUILD_ERROR!DOMAIN=CommonDomain!HOSTNAME=vfusion01.mydomain.com!PRODUCTFAMILY=webgate!PRODUCT=WebGate!TASK=execSecure!TASKID=webgate.WebGate.BUILD_ERROR.register-policy-domain.execSecure!MESSAGE=Process "/fusion/fmw/jrockit-jdk1.6.0_29-R28.2.2-4.1.0/bin/java -jar /fusion/fmw/apps/webtier_mwhome/oracle_common/modules/oracle.oamprovider_11.1.1/oamcfgtool.jar mode=CREATE app_domain=provisioning oam_aaa_host=vfusion01.mydomain.com oam_aaa_port=5575 uris_file=/fusion/faprov/provisioning/provisioning-plan/bootstrap_oam.conf hostname_variations=vfusion01.mydomain.com:12613,vfusion01.mydomain.com:12614 oam_admin_server=http://vfusion01.mydomain.com:7001 oam_admin_username=oamadmin -usei18nlogin default_authn_scheme=FAAuthScheme oam_cache_header= logouturi=/oamsso/logout.html web_domain=OraFusionApp oam_aaa_mode=simple log_level=ALL max_oam_connections=10 primary_oam_servers=wls_oam1:10 oam_ip_validation=0 oam_idle_session_timeout=900 oam_version=11 cookie_domain=mydomain.com" exited with non-zero exit code "1". Input Stream before decrypting for process execution: "j8p+RGsjhPvGQxLt55GQFw==j8p+RGsjhPvGQxLt55GQFw==". Environment variables: "".!DETAIL=Process "/fusion/fmw/jrockit-jdk1.6.0_29-R28.2.2-4.1.0/bin/java -jar /fusion/fmw/apps/webtier_mwhome/oracle_common/modules/oracle.oamprovider_11.1.1/oamcfgtool.jar mode=CREATE app_domain=provisioning oam_aaa_host=vfusion01.mydomain.com oam_aaa_port=5575 uris_file=/fusion/faprov/provisioning/provisioning-plan/bootstrap_oam.conf hostname_variations=vfusion01.mydomain.com:12613,vfusion01.mydomain.com:12614 oam_admin_server=http://vfusion01.mydomain.com:7001 oam_admin_username=oamadmin -usei18nlogin default_authn_scheme=FAAuthScheme oam_cache_header= logouturi=/oamsso/logout.html web_domain=OraFusionApp oam_aaa_mode=simple log_level=ALL max_oam_connections=10 primary_oam_servers=wls_oam1:10 oam_ip_validation=0 oam_idle_session_timeout=900 oam_version=11 cookie_domain=mydomain.com" exited with non-zero exit code "1". Input Stream before decrypting for process execution: "j8p+RGsjhPvGQxLt55GQFw==j8p+RGsjhPvGQxLt55GQFw==". Environment variables: "".!BUILDFILE=/fusion/faprov/provisioning/provisioning-build/webgate-build.xml!LINENUMBER=512![2012-03-01T18:39:05.673+01:00] [runProvisioning-install] [ERROR] [FAPROV-00298] [runProvisioning-install] [tid: 12] [ecid: 0000JNF5GUy5i^O6yj7i6G1FJuCA000003,0] An Error Occured: [[Process "/fusion/fmw/jrockit-jdk1.6.0_29-R28.2.2-4.1.0/bin/java -jar /fusion/fmw/apps/webtier_mwhome/oracle_common/modules/oracle.oamprovider_11.1.1/oamcfgtool.jar mode=CREATE app_domain=provisioning oam_aaa_host=vfusion01.mydomain.com oam_aaa_port=5575 uris_file=/fusion/faprov/provisioning/provisioning-plan/bootstrap_oam.conf hostname_variations=vfusion01.mydomain.com:12613,vfusion01.mydomain.com:12614 oam_admin_server=http://vfusion01.mydomain.com:7001 oam_admin_username=oamadmin -usei18nlogin default_authn_scheme=FAAuthScheme oam_cache_header= logouturi=/oamsso/logout.html web_domain=OraFusionApp oam_aaa_mode=simple log_level=ALL max_oam_connections=10 primary_oam_servers=wls_oam1:10 oam_ip_validation=0 oam_idle_session_timeout=900 oam_version=11 cookie_domain=mydomain.com" exited with non-zero exit code "1". Input Stream before decrypting for process execution: "j8p+RGsjhPvGQxLt55GQFw==j8p+RGsjhPvGQxLt55GQFw==". Environment variables: "".        at oracle.apps.fnd.provisioning.ant.taskdefs.SecureExec.executeTask(SecureExec.java:381)        at oracle.apps.fnd.provisioning.ant.taskdefs.BaseProvisioningTask.execute(BaseProvisioningTask.java:102)        at org.apache.tools.ant.UnknownElement.execute(UnknownElement.java:288)        at sun.reflect.GeneratedMethodAccessor4.invoke(Unknown Source)        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)        at java.lang.reflect.Method.invoke(Method.java:597)        at org.apache.tools.ant.dispatch.DispatchUtils.execute(DispatchUtils.java:105)        at org.apache.tools.ant.Task.perform(Task.java:348)        at org.apache.tools.ant.taskdefs.Sequential.execute(Sequential.java:62)        at oracle.apps.fnd.provisioning.ant.taskdefs.util.SynchronizedTask.executeInternal(SynchronizedTask.java:286)        at oracle.apps.fnd.provisioning.ant.taskdefs.util.SynchronizedTask.executeTask(SynchronizedTask.java:318)        at oracle.apps.fnd.provisioning.ant.taskdefs.BaseProvisioningTask.execute(BaseProvisioningTask.java:102)        at org.apache.tools.ant.UnknownElement.execute(UnknownElement.java:288)        at sun.reflect.GeneratedMethodAccessor4.invoke(Unknown Source)        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)        at java.lang.reflect.Method.invoke(Method.java:597)        at org.apache.tools.ant.dispatch.DispatchUtils.execute(DispatchUtils.java:105)        at org.apache.tools.ant.Task.perform(Task.java:348)        at org.apache.tools.ant.taskdefs.Sequential.execute(Sequential.java:62)        at org.apache.tools.ant.UnknownElement.execute(UnknownElement.java:288)        at sun.reflect.GeneratedMethodAccessor4.invoke(Unknown Source)        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)        at java.lang.reflect.Method.invoke(Method.java:597)        at org.apache.tools.ant.dispatch.DispatchUtils.execute(DispatchUtils.java:105)        at org.apache.tools.ant.Task.perform(Task.java:348)        at org.apache.tools.ant.taskdefs.MacroInstance.execute(MacroInstance.java:391)        at net.sf.antcontrib.logic.ForDelegate.doSequentialIteration(ForDelegate.java:228)        at net.sf.antcontrib.logic.ForDelegate.doTheTasks(ForDelegate.java:281)        at net.sf.antcontrib.logic.ForDelegate.execute(ForDelegate.java:214)        at net.sf.antcontrib.logic.For.execute(For.java:167)        at org.apache.tools.ant.UnknownElement.execute(UnknownElement.java:288)        at sun.reflect.GeneratedMethodAccessor4.invoke(Unknown Source)        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)        at java.lang.reflect.Method.invoke(Method.java:597)        at org.apache.tools.ant.dispatch.DispatchUtils.execute(DispatchUtils.java:105)        at org.apache.tools.ant.Task.perform(Task.java:348)        at org.apache.tools.ant.Target.execute(Target.java:357)        at org.apache.tools.ant.Target.performTasks(Target.java:385)        at org.apache.tools.ant.Project.executeSortedTargets(Project.java:1329)        at org.apache.tools.ant.helper.SingleCheckExecutor.executeTargets(SingleCheckExecutor.java:40)        at org.apache.tools.ant.taskdefs.Ant.execute(Ant.java:416)        at org.apache.tools.ant.taskdefs.CallTarget.execute(CallTarget.java:106)        at org.apache.tools.ant.UnknownElement.execute(UnknownElement.java:288)
        at sun.reflect.GeneratedMethodAccessor4.invoke(Unknown Source)

First of all WLS 10.3.6 is not certified for FA and OAM 11.1.1.5. Second oamadmin must belong to the OAMAdministrators group and registered as a system administrator for the User Identity Store.
See the IDM EDG (FA edition) for more details. (http://docs.oracle.com/cd/E25054_01/fusionapps.1111/e21032/toc.htm)
HTH,
--olaf

Access Server console could not login due to disable /access policy domain

I misconfig to disable the /access policy domainn. And now the Access Server console could not login, alway loop at initial page. Identity Server console no problem.
Is there any method could enable the /access again? Customer could not accept the reinstallation due to this small problem.
Thank you.

Easiest way is to temporarily disable the webgate in the web server configuration - if it is IIS just remove the webgate from the ISAPI filters tab and restart IIS, if Apache revert back to an httpd.conf without the webgate entries.
Regards,
Colin

Password Policy creation error: Incorrect Domain Name

Hi folks,
I'm getting rather strange error ("Incorrect Domain Name") while trying to create a new Password Policy in OAM to enable user account lockout. I provide a name for the Password Policy, and use simple Policy Domain I've created as "Password Policy Domain", plus some basic values. I realize it's something simple, yet I cannot figure why the domain name would be incorrect.
Any help is greatly appreciated.
Thank you
Roman

In the password policy domain field you have to enter the base dn for the user to which this policy will be applied. something like ou=users,dc=company,dc=com
Check the directory profile of the user store.

Cross-Domain Policy File

I just made an IRC client for Android + iOS, and now I'm having issues porting it to the browser. I've built flash games where the server hosts the Policy Domain File, obviously with an IRC client that's not going to happen in all instances.
I'm wondering why the browser version can run perfectly fine under CS6's debug mode, but when it's been deployed to the browser it can't seem to connect? What settings would I have to do [if at all possible] to replicate this debug mode [in CS6] inside the browser?
Thanks!

In the browser, are you running it via Flash Player or are you making an AIR for web app?
The browser is the strictest sandbox Flash can run in. The infamous #2048 is a generic security violation. You're doing something your current sandbox doesn't allow. The most obvious thing to verify is on the SWF output settings make sure your sandbox is set to access network files, not access local files. Otherwise you'll get that error.
Outside that it's going to be looking for a socket policy file. I won't even get into creating these because your endpoint is an IRC server. Unless you're running your own IRC server you're not going to get some IRC server host to install a socket policy file for you so that point is moot. Without the socket policy file you're in some tough territory that will require some advanced debugging.
My suggestion would be to get Fiddler so you can actually see the request and response packets being sent to and from Flash inside your browser. You will definitely see Flash make a request and the response will give you clues on what's happening just before you receive the #2048 security error. You may see it request the policy file and then the server returns nothing or an invalid response and then Flash gives you the error. If that happens you may be out of luck.
Here's fiddler (I'd update your .NET to the latest and use V4 instead of V2):
http://www.fiddler2.com/fiddler2/version.asp
Here's another Adobe post of someone having a #2048 error while using fiddler to diagnose it:
http://forums.adobe.com/message/4668901#4668901
The fiddler site has some documentation. It's a pretty great tool for analyzing packet traffic (using the "select process" target will limit the packets to a browser you select (or any other app)). You may need to enable decrypting HTTPS traffic if you're using a SecureSocket. There's all instructions there on helping you diagnose and watch the inner workings of all requests/responses to track down the issue quickly.
Lastly I would uninstall Fiddler after you're done with it and reinstall it later when you need it. Especially if you enable HTTPS decryption. It must install some fake certificates to allow itself to intercept traffic. You'll just clutter up your certificates with junk certs if you keep fiddler installed. It's a very quick install/uninstall and the software itself is very widely used and regarded. It's not a trust thing, it's a cleanliness thing.

Oracle Access manager 10.1.4 (coreid) multiple authentication for same URL

I am evaluating oracle access manager hence new to this product.
I have a requirement where i have a /wps URL.
Users coming externally go through reverse proxy server to the final IIS web server. Internal user access IIS directly.
/wps should be protected by reverse proxy using forms authentication
while IIS server also protect /wps but should use basic authentication.
Looks like policy is shared by all webgates so i can define one authentication method for /wps.
Comparing this with CA Siteminder each agent have their own URLs to protect and so two agents can protect the same URL but with different authentication method. The single signon works as the protection level is same.

I have not done what you are speaking of; so I would assume that Boland is correct. One thing that you may want to consider is making the external users log into another resource before they hit the /wps. If the other resource is forms protected and at the same authentication level (number on auth scheme), then they can hit the external login resource, get their OBSSO cookie, then slide right thru the basic authentication request of the current policy domain.
Another idea would be to get a little more granular with your current policy domain. Have a file that's protected with forms auth in your policy domain that the external users authenticate to. Remember, this could be as simple as a dummy page that just does an HTTP redirect.
Good luck.
--Aaron

CoreID Policy domain

Similar Messages

Maybe you are looking for