Domino 7 Provisioning
Hi,
I am configuring domino server from Sun identity manager. After enetering the information in the resource wizard, i test the test connection.That works fine.
Now configuring domino
1)Created an admin user.
2)Add the user to the access control list (ACL) of names.nsf
3)Gave the user Editor access.
and assigned the user the following roles:
� GroupModifier
� UserCreator
� UserModifier
4)Added the user to the ACL of the registration log, certlog.nsf, with Depositor access.
5)Added the user to the ACL of the Administration Requests, admin4.nsf, with Depositor access.
6)Added the newly created user to server security:
a. Added the user to the Run unrestricted Java/Javascript/COM: field.
b. Added the user (or user�s group) to the Access Server field.
c. Verifed that the value of Only allow server access to users listed in this Directory is Yes.
Sun Identity Manger Gateway Configuration
-Installed gateway at deployed folder i.e \idm in weblogic
-Created key HKEY_LOCAL_MACHINE\SOFTWARE\Waveset\Lighthouse\Gateway\notesInstallDir (gave the path value to it)
-Created key HKEY_LOCAL_MACHINE\SOFTWARE\Waveset\Lighthouse\Gateway\notesIniFile and gave the path value.
-Now started the gateway, started domino server, started weblogic server where idm is deployed.
Provisioning Exception
WavesetException: DominoExtension::Error while executing 'adminLogin' errCode:
'259'.
File does not exist
com.waveset.util.WavesetException: DominoExtension::Error while executing 'admin
Login' errCode: '259'.
File does not exist
at com.waveset.util.WavesetException.checkBreakpoint(WavesetException.ja
va:363)
at com.waveset.util.WavesetException.<init>(WavesetException.java:93)
at com.waveset.adapter.AgentResourceAdapter.getUsersFromResponse(AgentRe
sourceAdapter.java:415)
at com.waveset.adapter.AgentResourceAdapter.getUsersFromResponse(AgentRe
sourceAdapter.java:235)
at com.waveset.adapter.AgentResourceAdapter.doGetUser(AgentResourceAdapt
er.java:514)
at com.waveset.adapter.AgentResourceAdapter.getUser(AgentResourceAdapter
.java:533)
at com.waveset.provision.FetchContext.doFetch(FetchContext.java:338)
at com.waveset.provision.FetchContext.processOp(FetchContext.java:199)
at com.waveset.provision.ThreadContext.processContext(ThreadContext.java
:321)
at com.waveset.provision.ThreadContext.launchThreads(ThreadContext.java:
232)
at com.waveset.provision.Provisioner.fetchAccountsList(Provisioner.java:
2155)
at com.waveset.provision.Provisioner.fetchAccounts(Provisioner.java:2585
at com.waveset.session.UserViewer.assembleView(UserViewer.java:706)
at com.waveset.session.UserViewer.checkoutView(UserViewer.java:596)
at com.waveset.session.ViewMaster.checkoutView(ViewMaster.java:616)
at com.waveset.session.LocalSession.checkoutView(LocalSession.java:618)
at com.waveset.ui.util.GenericViewSource.getView(GenericViewSource.java:
385)
at jsp_servlet._account.__modify._jspService(__modify.java:671)
at weblogic.servlet.jsp.JspBase.service(JspBase.java:33)
at weblogic.servlet.internal.ServletStubImpl$ServletInvocationAction.run
(ServletStubImpl.java:971)
at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubIm
pl.java:402)
at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubIm
pl.java:446)
at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubIm
pl.java:305)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationActio
n.run(WebAppServletContext.java:6350)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(Authenticate
dSubject.java:317)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:
118)
at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppSe
rvletContext.java:3635)
at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:197)
at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:170)
Please do help me if anybody has provisioned domino7
Hmm, probably gateway compatibility problem?
Is the gateway.exe from the same package as the IDM (in other words, if it's not from previous release or so)?
Is the Lotus Client installed on the Gateway machine? Is the Lotus CLient working? Are you able to log on to your Domino Server using the Gateway Machine, Lotus Client and the user you've configured to be used with Domino adapter?
I believe that something from the above will produce an error, so you mat try it and see if there is any.
Similar Messages
-
Domino Provision error: No message queue with that name
Hi,
Recently when we try the domino provisioning we often receive this error:
No message queue with that name.
This error is intermittent.
Does any one has any idea why?
ThanksHi Wushilin,
We are also encountering the same problem.
Are you still facing the same issue?
If you have solved the problem, can you share the solution?
Thanks! -
Could not get IOR from Domino Server while provisioning Lotus Notes
Hi all,
There are two servers that have OIM installed, development server and test server. From development server, we can
provision to Lotus Notes just fine. But for test server everytime when
provision to Lotus Notes. There will be an exception
NotesException: Could not get IOR from Domino Server: http://10.3.100.61:63148/diiop_ior.txt
From test server
I can access the URL http://10.3.100.61:63148/diiop_ior.txt using Internet Explorer
I can telnet to 10.3.100.61 63148
I can use connector testing program and it work fine
All configuration and jar files are the same as development server
There is no firewall or antivirus running in both systems.
Both server is virtual server using VMWare.
OS: Windows2003R2 Enterprise
DB: Oracle 10gR2 10.2.0.2
AS: Oracle AS 10g 10.1.3.3.0
OIM 9.1.0
Lotus Notes Connector 9.0.4.2
Thank you.
Satit
The error is as below
=================================================
INFO,11 Nov 2008 11:24:26,109,[ADAPTER.LOTUSNOTES],LotusNotesProvision::init
INFO,11 Nov 2008 11:24:26,109,[ADAPTER.LOTUSNOTES],LotusNotesProvision::init
DEBUG,11 Nov 2008 11:24:26,109,[ADAPTER.LOTUSNOTES],LotusNotesProvision::init : Host 10.3.100.61
DEBUG,11 Nov 2008 11:24:26,109,[ADAPTER.LOTUSNOTES],LotusNotesProvision::init : Port 63148
DEBUG,11 Nov 2008 11:24:26,109,[ADAPTER.LOTUSNOTES],LotusNotesProvision::init : Admin Pongtape Ungkawanish/Telecom./Central Support/Fin./KK_Bangkok/TH
DEBUG,11 Nov 2008 11:24:26,109,[ADAPTER.LOTUSNOTES],LotusNotesProvision::init : Certifier OU
DEBUG,11 Nov 2008 11:24:26,109,[ADAPTER.LOTUSNOTES],LotusNotesProvision::init : Before session
08/11/11 11:24:26 Running setTimeoutParameters
08/11/11 11:24:26 Running Connect
INFO,11 Nov 2008 11:24:26,109,[ADAPTER.LOTUSNOTES],LNotesConnectionUtil::getSession
INFO,11 Nov 2008 11:24:26,109,[ADAPTER.LOTUSNOTES],LNotesConnectionUtil::getSession : ***Non-Secure Mode
ERROR,11 Nov 2008 11:24:26,109,[ADAPTER.LOTUSNOTES],LNotesConnectionUtil::getSession : ***Connection refused to Lotus Notes......
NotesException: Could not get IOR from Domino Server: http://10.3.100.61:63148/diiop_ior.txt
at lotus.domino.NotesFactory.requestIORPlain(Unknown Source)
at lotus.domino.NotesFactory.requestIORUsingArgs(Unknown Source)
at lotus.domino.NotesFactory.getIOR(Unknown Source)
at lotus.domino.NotesFactory.createSessionUP(Unknown Source)
at lotus.domino.NotesFactory.createSession(Unknown Source)
at com.thortech.xl.Integration.HostAccess.LNotesConnectionUtil.getSession(Unknown Source)
at com.thortech.xl.Integration.HostAccess.LotusNotesProvision.connect(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at com.thortech.xl.adapterGlue.ScheduleItemEvents.adpLNCREATEUSER.CONNECT(adpLNCREATEUSER.java:449)
at com.thortech.xl.adapterGlue.ScheduleItemEvents.adpLNCREATEUSER.implementation(adpLNCREATEUSER.java:160)
at com.thortech.xl.client.events.tcBaseEvent.run(Unknown Source)
at com.thortech.xl.dataobj.tcDataObj.runEvent(Unknown Source)
at com.thortech.xl.dataobj.tcScheduleItem.runMilestoneEvent(Unknown Source)
at com.thortech.xl.dataobj.tcScheduleItem.eventPostInsert(Unknown Source)
at com.thortech.xl.dataobj.tcDataObj.insert(Unknown Source)
at com.thortech.xl.dataobj.tcDataObj.save(Unknown Source)
at com.thortech.xl.ejb.beansimpl.tcProvisioningOperationsBean.retryTasks(Unknown Source)
at com.thortech.xl.ejb.beans.tcProvisioningOperationsSession.retryTasks(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at com.evermind.server.ejb.interceptor.joinpoint.EJBJoinPointImpl.invoke(EJBJoinPointImpl.java:35)
at com.evermind.server.ejb.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:119)
at com.evermind.server.ejb.interceptor.system.DMSInterceptor.invoke(DMSInterceptor.java:52)
at com.evermind.server.ejb.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:119)
at com.evermind.server.ejb.interceptor.system.TxRequiredInterceptor.invoke(TxRequiredInterceptor.java:50)
at com.evermind.server.ejb.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:119)
at com.evermind.server.ejb.interceptor.system.SecurityRoleInterceptor.invoke(SecurityRoleInterceptor.java:47)
at com.evermind.server.ejb.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:119)
at com.evermind.server.ejb.interceptor.system.DMSInterceptor.invoke(DMSInterceptor.java:52)
at com.evermind.server.ejb.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:119)
at com.evermind.server.ejb.InvocationContextPool.invoke(InvocationContextPool.java:55)
at com.evermind.server.ejb.StatelessSessionEJBObject.OC4J_invokeMethod(StatelessSessionEJBObject.java:87)
at tcProvisioningOperations_RemoteProxy_6ocop18.retryTasks(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at com.evermind.server.rmi.RmiMethodCall.run(RmiMethodCall.java:53)
at com.evermind.util.ReleasableResourcePooledExecutor$MyWorker.run(ReleasableResourcePooledExecutor.java:303)
at java.lang.Thread.run(Thread.java:595)
Caused by: java.lang.NullPointerException
at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:781)
at sun.net.www.protocol.http.HttpURLConnection.connect(HttpURLConnection.java:669)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:913)
... 45 more
INFO,11 Nov 2008 11:24:26,109,[ADAPTER.LOTUSNOTES],Unable to connect to the target. Attempting to reconnect after delay of 2000ms.......
INFO,11 Nov 2008 11:24:28,110,[ADAPTER.LOTUSNOTES],LNotesConnectionUtil::getSession
INFO,11 Nov 2008 11:24:28,110,[ADAPTER.LOTUSNOTES],LNotesConnectionUtil::getSession : ***Non-Secure Mode
ERROR,11 Nov 2008 11:24:28,110,[ADAPTER.LOTUSNOTES],LNotesConnectionUtil::getSession : ***Connection refused to Lotus Notes......
NotesException: Could not get IOR from Domino Server: http://10.3.100.61:63148/diiop_ior.txt
at lotus.domino.NotesFactory.requestIORPlain(Unknown Source)
at lotus.domino.NotesFactory.requestIORUsingArgs(Unknown Source)
at lotus.domino.NotesFactory.getIOR(Unknown Source)
at lotus.domino.NotesFactory.createSessionUP(Unknown Source)
at lotus.domino.NotesFactory.createSession(Unknown Source)
at com.thortech.xl.Integration.HostAccess.LNotesConnectionUtil.getSession(Unknown Source)
at com.thortech.xl.Integration.HostAccess.LNotesConnectionUtil.getSession(Unknown Source)
at com.thortech.xl.Integration.HostAccess.LotusNotesProvision.connect(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at com.thortech.xl.adapterGlue.ScheduleItemEvents.adpLNCREATEUSER.CONNECT(adpLNCREATEUSER.java:449)
at com.thortech.xl.adapterGlue.ScheduleItemEvents.adpLNCREATEUSER.implementation(adpLNCREATEUSER.java:160)
at com.thortech.xl.client.events.tcBaseEvent.run(Unknown Source)
at com.thortech.xl.dataobj.tcDataObj.runEvent(Unknown Source)
at com.thortech.xl.dataobj.tcScheduleItem.runMilestoneEvent(Unknown Source)
at com.thortech.xl.dataobj.tcScheduleItem.eventPostInsert(Unknown Source)
at com.thortech.xl.dataobj.tcDataObj.insert(Unknown Source)
at com.thortech.xl.dataobj.tcDataObj.save(Unknown Source)
at com.thortech.xl.ejb.beansimpl.tcProvisioningOperationsBean.retryTasks(Unknown Source)
at com.thortech.xl.ejb.beans.tcProvisioningOperationsSession.retryTasks(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at com.evermind.server.ejb.interceptor.joinpoint.EJBJoinPointImpl.invoke(EJBJoinPointImpl.java:35)
at com.evermind.server.ejb.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:119)
at com.evermind.server.ejb.interceptor.system.DMSInterceptor.invoke(DMSInterceptor.java:52)
at com.evermind.server.ejb.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:119)
at com.evermind.server.ejb.interceptor.system.TxRequiredInterceptor.invoke(TxRequiredInterceptor.java:50)
at com.evermind.server.ejb.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:119)
at com.evermind.server.ejb.interceptor.system.SecurityRoleInterceptor.invoke(SecurityRoleInterceptor.java:47)
at com.evermind.server.ejb.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:119)
at com.evermind.server.ejb.interceptor.system.DMSInterceptor.invoke(DMSInterceptor.java:52)
at com.evermind.server.ejb.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:119)
at com.evermind.server.ejb.InvocationContextPool.invoke(InvocationContextPool.java:55)
at com.evermind.server.ejb.StatelessSessionEJBObject.OC4J_invokeMethod(StatelessSessionEJBObject.java:87)
at tcProvisioningOperations_RemoteProxy_6ocop18.retryTasks(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at com.evermind.server.rmi.RmiMethodCall.run(RmiMethodCall.java:53)
at com.evermind.util.ReleasableResourcePooledExecutor$MyWorker.run(ReleasableResourcePooledExecutor.java:303)
at java.lang.Thread.run(Thread.java:595)
Caused by: java.lang.NullPointerException
at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:781)
at sun.net.www.protocol.http.HttpURLConnection.connect(HttpURLConnection.java:669)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:913)
... 46 morecheck if DIIOP service is turned on at the Lotus Domino side...
Oleg. -
Too Slow - Domino 6.5.4 with access manager agent 2.2 ?
I don't know how to tune Domino 6.5.4 with access manager agent 2.2?
I think AMAgent.properties is not good for SSO.
Please help me to tune it.
# $Id: AMAgent.properties,v 1.103 2005/09/19 22:08:34 madan Exp $
# Copyright ? 2002 Sun Microsystems, Inc. All rights reserved.
# U.S. Government Rights - Commercial software. Government users are
# subject to the Sun Microsystems, Inc. standard license agreement and
# applicable provisions of the FAR and its supplements. Use is subject to
# license terms. Sun, Sun Microsystems, the Sun logo and Sun ONE are
# trademarks or registered trademarks of Sun Microsystems, Inc. in the
# U.S. and other countries.
# Copyright ? 2002 Sun Microsystems, Inc. Tous droits r閟erv閟.
# Droits du gouvernement am閞icain, utlisateurs gouvernmentaux - logiciel
# commercial. Les utilisateurs gouvernmentaux sont soumis au contrat de
# licence standard de Sun Microsystems, Inc., ainsi qu aux dispositions en
# vigueur de la FAR [ (Federal Acquisition Regulations) et des suppl閙ents
# ? celles-ci.
# Distribu? par des licences qui en restreignent l'utilisation. Sun, Sun
# Microsystems, le logo Sun et Sun ONE sont des marques de fabrique ou des
# marques d閜os閑s de Sun Microsystems, Inc. aux Etats-Unis et dans
# d'autres pays.
# The syntax of this file is that of a standard Java properties file,
# see the documentation for the java.util.Properties.load method for a
# complete description. (CAVEAT: The SDK in the parser does not currently
# support any backslash escapes except for wrapping long lines.)
# All property names in this file are case-sensitive.
# NOTE: The value of a property that is specified multiple times is not
# defined.
# WARNING: The contents of this file are classified as an UNSTABLE
# interface by Sun Microsystems, Inc. As such, they are subject to
# significant, incompatible changes in any future release of the
# software.
# The name of the cookie passed between the Access Manager
# and the SDK.
# WARNING: Changing this property without making the corresponding change
# to the Access Manager will disable the SDK.
com.sun.am.cookie.name = iPlanetDirectoryPro
# The URL for the Access Manager Naming service.
com.sun.am.naming.url = http://sportal.yjy.dqyt.petrochina:80/amserver/namingservice
# The URL of the login page on the Access Manager.
com.sun.am.policy.am.login.url = http://sportal.yjy.dqyt.petrochina:80/amserver/UI/Login
# Name of the file to use for logging messages.
com.sun.am.policy.agents.config.local.log.file = c:/Sun/Access_Manager/Agents/2.2/debug/C__Lotus_Domino/amAgent
# This property is used for Log Rotation. The value of the property specifies
# whether the agent deployed on the server supports the feature of not. If set
# to false all log messages are written to the same file.
com.sun.am.policy.agents.config.local.log.rotate = true
# Name of the Access Manager log file to use for logging messages to
# Access Manager.
# Just the name of the file is needed. The directory of the file
# is determined by settings configured on the Access Manager.
com.sun.am.policy.agents.config.remote.log = amAuthLog.Dominoad.yjy.dqyt.petrochina.80
# Set the logging level for the specified logging categories.
# The format of the values is
# <ModuleName>[:<Level>][,<ModuleName>[:<Level>]]*
# The currently used module names are: AuthService, NamingService,
# PolicyService, SessionService, PolicyEngine, ServiceEngine,
# Notification, PolicyAgent, RemoteLog and all.
# The all module can be used to set the logging level for all currently
# none logging modules. This will also establish the default level for
# all subsequently created modules.
# The meaning of the 'Level' value is described below:
# 0 Disable logging from specified module*
# 1 Log error messages
# 2 Log warning and error messages
# 3 Log info, warning, and error messages
# 4 Log debug, info, warning, and error messages
# 5 Like level 4, but with even more debugging messages
# 128 log url access to log file on AM server.
# 256 log url access to log file on local machine.
# If level is omitted, then the logging module will be created with
# the default logging level, which is the logging level associated with
# the 'all' module.
# for level of 128 and 256, you must also specify a logAccessType.
# *Even if the level is set to zero, some messages may be produced for
# a module if they are logged with the special level value of 'always'.
com.sun.am.log.level =
# The org, username and password for Agent to login to AM.
com.sun.am.policy.am.username = UrlAccessAgent
com.sun.am.policy.am.password = LYnKyOIgdWt404ivWY6HPQ==
# Name of the directory containing the certificate databases for SSL.
com.sun.am.sslcert.dir = c:/Sun/Access_Manager/Agents/2.2/domino/cert
# Set this property if the certificate databases in the directory specified
# by the previous property have a prefix.
com.sun.am.certdb.prefix =
# Should agent trust all server certificates when Access Manager
# is running SSL?
# Possible values are true or false.
com.sun.am.trust_server_certs = true
# Should the policy SDK use the Access Manager notification
# mechanism to maintain the consistency of its internal cache? If the value
# is false, then a polling mechanism is used to maintain cache consistency.
# Possible values are true or false.
com.sun.am.notification.enable = true
# URL to which notification messages should be sent if notification is
# enabled, see previous property.
com.sun.am.notification.url = http://Dominoad.yjy.dqyt.petrochina:80/amagent/UpdateAgentCacheServlet?shortcircuit=false
# This property determines whether URL string case sensitivity is
# obeyed during policy evaluation
com.sun.am.policy.am.url_comparison.case_ignore = true
# This property determines the amount of time (in minutes) an entry
# remains valid after it has been added to the cache. The default
# value for this property is 3 minutes.
com.sun.am.policy.am.polling.interval=3
# This property allows the user to configure the User Id parameter passed
# by the session information from the access manager. The value of User
# Id will be used by the agent to set the value of REMOTE_USER server
# variable. By default this parameter is set to "UserToken"
com.sun.am.policy.am.userid.param=UserToken
# Profile attributes fetch mode
# String attribute mode to specify if additional user profile attributes should
# be introduced into the request. Possible values are:
# NONE - no additional user profile attributes will be introduced.
# HTTP_HEADER - additional user profile attributes will be introduced into
# HTTP header.
# HTTP_COOKIE - additional user profile attributes will be introduced through
# cookies.
# If not within these values, it will be considered as NONE.
com.sun.am.policy.agents.config.profile.attribute.fetch.mode=NONE
# The user profile attributes to be added to the HTTP header. The
# specification is of the format ldap_attribute_name|http_header_name[,...].
# ldap_attribute_name is the attribute in data store to be fetched and
# http_header_name is the name of the header to which the value needs
# to be assigned.
# NOTE: In most cases, in a destination application where a "http_header_name"
# shows up as a request header, it will be prefixed by HTTP_, and all
# lower case letters will become upper case, and any - will become _;
# For example, "common-name" would become "HTTP_COMMON_NAME"
com.sun.am.policy.agents.config.profile.attribute.map=cn|common-name,ou|organizational-unit,o|organization,mail|email,employeenumber|employee-
number,c|country
# Session attributes mode
# String attribute mode to specify if additional user session attributes should
# be introduced into the request. Possible values are:
# NONE - no additional user session attributes will be introduced.
# HTTP_HEADER - additional user session attributes will be introduced into HTTP header.
# HTTP_COOKIE - additional user session attributes will be introduced through cookies.
# If not within these values, it will be considered as NONE.
com.sun.am.policy.agents.config.session.attribute.fetch.mode=NONE
# The session attributes to be added to the HTTP header. The specification is
# of the format session_attribute_name|http_header_name[,...].
# session_attribute_name is the attribute in session to be fetched and
# http_header_name is the name of the header to which the value needs to be
# assigned.
# NOTE: In most cases, in a destination application where a "http_header_name"
# shows up as a request header, it will be prefixed by HTTP_, and all
# lower case letters will become upper case, and any - will become _;
# For example, "common-name" would become "HTTP_COMMON_NAME"
com.sun.am.policy.agents.config.session.attribute.map=
# Response Attribute Fetch Mode
# String attribute mode to specify if additional user response attributes should
# be introduced into the request. Possible values are:
# NONE - no additional user response attributes will be introduced.
# HTTP_HEADER - additional user response attributes will be introduced into
# HTTP header.
# HTTP_COOKIE - additional user response attributes will be introduced through
# cookies.
# If not within these values, it will be considered as NONE.
com.sun.am.policy.agents.config.response.attribute.fetch.mode=NONE
# The response attributes to be added to the HTTP header. The specification is
# of the format response_attribute_name|http_header_name[,...].
# response_attribute_name is the attribute in policy response to be fetched and
# http_header_name is the name of the header to which the value needs to be
# assigned.
# NOTE: In most cases, in a destination application where a "http_header_name"
# shows up as a request header, it will be prefixed by HTTP_, and all
# lower case letters will become upper case, and any - will become _;
# For example, "common-name" would become "HTTP_COMMON_NAME"
com.sun.am.policy.agents.config.response.attribute.map=
# The cookie name used in iAS for sticky load balancing
com.sun.am.policy.am.lb.cookie.name = GX_jst
# indicate where a load balancer is used for Access Manager
# services.
# true | false
com.sun.am.load_balancer.enable = false
####Agent Configuration####
# this is for product versioning, please do not modify it
com.sun.am.policy.agents.config.version=2.2
# Set the url access logging level. the choices are
# LOG_NONE - do not log user access to url
# LOG_DENY - log url access that was denied.
# LOG_ALLOW - log url access that was allowed.
# LOG_BOTH - log url access that was allowed or denied.
com.sun.am.policy.agents.config.audit.accesstype = LOG_DENY
# Agent prefix
com.sun.am.policy.agents.config.agenturi.prefix = http://Dominoad.yjy.dqyt.petrochina:80/amagent
# Locale setting.
com.sun.am.policy.agents.config.locale = en_US
# The unique identifier for this agent instance.
com.sun.am.policy.agents.config.instance.name = unused
# Do SSO only
# Boolean attribute to indicate whether the agent will just enforce user
# authentication (SSO) without enforcing policies (authorization)
com.sun.am.policy.agents.config.do_sso_only = true
# The URL of the access denied page. If no value is specified, then
# the agent will return an HTTP status of 403 (Forbidden).
com.sun.am.policy.agents.config.accessdenied.url =
# This property indicates if FQDN checking is enabled or not.
com.sun.am.policy.agents.config.fqdn.check.enable = true
# Default FQDN is the fully qualified hostname that the users should use
# in order to access resources on this web server instance. This is a
# required configuration value without which the Web server may not
# startup correctly.
# The primary purpose of specifying this property is to ensure that if
# the users try to access protected resources on this web server
# instance without specifying the FQDN in the browser URL, the Agent
# can take corrective action and redirect the user to the URL that
# contains the correct FQDN.
# This property is set during the agent installation and need not be
# modified unless absolutely necessary to accommodate deployment
# requirements.
# WARNING: Invalid value for this property can result in the Web Server
# becoming unusable or the resources becoming inaccessible.
# See also: com.sun.am.policy.agents.config.fqdn.check.enable,
# com.sun.am.policy.agents.config.fqdn.map
com.sun.am.policy.agents.config.fqdn.default = Dominoad.yjy.dqyt.petrochina
# The FQDN Map is a simple map that enables the Agent to take corrective
# action in the case where the users may have typed in an incorrect URL
# such as by specifying partial hostname or using an IP address to
# access protected resources. It redirects the browser to the URL
# with fully qualified domain name so that cookies related to the domain
# are received by the agents.
# The format for this property is:
# com.sun.am.policy.agents.config.fqdn.map = [invalid_hostname|valid_hostname][,...]
# This property can also be used so that the agents use the name specified
# in this map instead of the web server's actual name. This can be
# accomplished by doing the following.
# Say you want your server to be addressed as xyz.hostname.com whereas the
# actual name of the server is abc.hostname.com. The browsers only knows
# xyz.hostname.com and you have specified polices using xyz.hostname.com at
# the Access Manager policy console, in this file set the mapping as
# com.sun.am.policy.agents.fqdn.map = valid|xyz.hostname.com
# Another example is if you have multiple virtual servers say rst.hostname.com,
# uvw.hostname.com and xyz.hostname.com pointing to the same actual server
# abc.hostname.com and each of the virtual servers have their own policies
# defined, then the fqdnMap should be defined as follows:
# com.sun.am.policy.agents.fqdn.map = valid1|rst.hostname.com,valid2|uvw.hostname.com,valid3|xyz.hostname.com
# WARNING: Invalid value for this property can result in the Web Server
# becoming unusable or the resources becoming inaccessible.
com.sun.am.policy.agents.config.fqdn.map =
# Cookie Reset
# This property must be set to true, if this agent needs to
# reset cookies in the response before redirecting to
# Access Manager for Authentication.
# By default this is set to false.
# Example : com.sun.am.policy.agents.config.cookie.reset.enable=true
com.sun.am.policy.agents.config.cookie.reset.enable=false
# This property gives the comma separated list of Cookies, that
# need to be included in the Redirect Response to Access Manager.
# This property is used only if the Cookie Reset feature is enabled.
# The Cookie details need to be specified in the following Format
# name[=value][;Domain=value]
# If "Domain" is not specified, then the default agent domain is
# used to set the Cookie.
# Example : com.sun.am.policy.agents.config.cookie.reset.list=LtpaToken,
# token=value;Domain=subdomain.domain.com
com.sun.am.policy.agents.config.cookie.reset.list=
# This property gives the space separated list of domains in
# which cookies have to be set in a CDSSO scenario. This property
# is used only if CDSSO is enabled.
# If this property is left blank then the fully qualified cookie
# domain for the agent server will be used for setting the cookie
# domain. In such case it is a host cookie instead of a domain cookie.
# Example : com.sun.am.policy.agents.config.cookie.domain.list=.sun.com .iplanet.com
com.sun.am.policy.agents.config.cookie.domain.list=
# user id returned if accessing global allow page and not authenticated
com.sun.am.policy.agents.config.anonymous_user=anonymous
# Enable/Disable REMOTE_USER processing for anonymous users
# true | false
com.sun.am.policy.agents.config.anonymous_user.enable=false
# Not enforced list is the list of URLs for which no authentication is
# required. Wildcards can be used to define a pattern of URLs.
# The URLs specified may not contain any query parameters.
# Each service have their own not enforced list. The service name is suffixed
# after "# com.sun.am.policy.agents.notenforcedList." to specify a list
# for a particular service. SPACE is the separator between the URL.
com.sun.am.policy.agents.config.notenforced_list = http://dominoad.yjy.dqyt.petrochina/*.nsf http://dominoad.yjy.dqyt.petrochina/teamroom.nsf/TROutline.gif?
OpenImageResource http://dominoad.yjy.dqyt.petrochina/icons/*.gif
# Boolean attribute to indicate whether the above list is a not enforced list
# or an enforced list; When the value is true, the list means enforced list,
# or in other words, the whole web site is open/accessible without
# authentication except for those URLs in the list.
com.sun.am.policy.agents.config.notenforced_list.invert = false
# Not enforced client IP address list is a list of client IP addresses.
# No authentication and authorization are required for the requests coming
# from these client IP addresses. The IP address must be in the form of
# eg: 192.168.12.2 1.1.1.1
com.sun.am.policy.agents.config.notenforced_client_ip_list =
# Enable POST data preservation; By default it is set to false
com.sun.am.policy.agents.config.postdata.preserve.enable = false
# POST data preservation : POST cache entry lifetime in minutes,
# After the specified interval, the entry will be dropped
com.sun.am.policy.agents.config.postcache.entry.lifetime = 10
# Cross-Domain Single Sign On URL
# Is CDSSO enabled.
com.sun.am.policy.agents.config.cdsso.enable=false
# This is the URL the user will be redirected to for authentication
# in a CDSSO Scenario.
com.sun.am.policy.agents.config.cdcservlet.url =
# Enable/Disable client IP address validation. This validate
# will check if the subsequent browser requests come from the
# same ip address that the SSO token is initially issued against
com.sun.am.policy.agents.config.client_ip_validation.enable = false
# Below properties are used to define cookie prefix and cookie max age
com.sun.am.policy.agents.config.profile.attribute.cookie.prefix = HTTP_
com.sun.am.policy.agents.config.profile.attribute.cookie.maxage = 300
# Logout URL - application's Logout URL.
# This URL is not enforced by policy.
# if set, agent will intercept this URL and destroy the user's session,
# if any. The application's logout URL will be allowed whether or not
# the session destroy is successful.
com.sun.am.policy.agents.config.logout.url=
#http://sportal.yjy.dqyt.petrochina/amserver/UI/Logout
# Any cookies to be reset upon logout in the same format as cookie_reset_list
com.sun.am.policy.agents.config.logout.cookie.reset.list =
# By default, when a policy decision for a resource is needed,
# agent gets and caches the policy decision of the resource and
# all resource from the root of the resource down, from the Access Manager.
# For example, if the resource is http://host/a/b/c, the the root of the
# resource is http://host/. This is because more resources from the
# same path are likely to be accessed subsequently.
# However this may take a long time the first time if there
# are many many policies defined under the root resource.
# To have agent get and cache the policy decision for the resource only,
# set the following property to false.
com.sun.am.policy.am.fetch_from_root_resource = true
# Whether to get the client's hostname through DNS reverse lookup for use
# in policy evaluation.
# It is true by default, if the property does not exist or if it is
# any value other than false.
com.sun.am.policy.agents.config.get_client_host_name = false
# The following property is to enable native encoding of
# ldap header attributes forwarded by agents. If set to true
# agent will encode the ldap header value in the default
# encoding of OS locale. If set to false ldap header values
# will be encoded in UTF-8
com.sun.am.policy.agents.config.convert_mbyte.enable = false
#When the not enforced list or policy has a wildcard '*' character, agent
#strips the path info from the request URI and uses the resulting request
#URI to check against the not enforced list or policy instead of the entire
#request URI, in order to prevent someone from getting access to any URI by
#simply appending the matching pattern in the policy or not enforced list.
#For example, if the not enforced list has the value http://host/*.gif,
#stripping the path info from the request URI will prevent someone from
#getting access to http://host/index.html by using the URL http://host/index.html?hack.gif.
#However when a web server (for exmample apache) is configured to be a reverse
#proxy server for a J2EE application server, path info is interpreted in a different
#manner since it maps to a resource on the proxy instead of the app server.
#This prevents the not enforced list or policy from being applied to part of
#the URI below the app serverpath if there is a wildcard character. For example,
#if the not enforced list has value http://host/webapp/servcontext/* and the
#request URL is http://host/webapp/servcontext/example.jsp the path info
#is /servcontext/example.jsp and the resulting request URL with path info stripped
#is http://host/webapp, which will not match the not enforced list. By setting the
#following property to true, the path info will not be stripped from the request URL
#even if there is a wild character in the not enforced list or policy.
#Be aware though that if this is set to true there should be nothing following the
#wildcard character '*' in the not enforced list or policy, or the
#security loophole described above may occur.
com.sun.am.policy.agents.config.ignore_path_info = false
# Override the request url given by the web server with
# the protocol, host or port of the agent's uri specified in
# the com.sun.am.policy.agents.agenturiprefix property.
# These may be needed if the agent is sitting behind a ssl off-loader,
# load balancer, or proxy, and either the protocol (HTTP scheme),
# hostname, or port of the machine in front of agent which users go through
# is different from the agent's protocol, host or port.
com.sun.am.policy.agents.config.override_protocol =
com.sun.am.policy.agents.config.override_host =
com.sun.am.policy.agents.config.override_port =
# Override the notification url in the same way as other request urls.
# Set this to true if any one of the override properties above is true,
# and if the notification url is coming through the proxy or load balancer
# in the same way as other request url's.
com.sun.am.policy.agents.config.override_notification.url =
# The following property defines how long to wait in attempting
# to connect to an Access Manager AUTH server.
# The default value is 2 seconds. This value needs to be increased
# when receiving the error "unable to find active Access Manager Auth server"
com.sun.am.policy.agents.config.connection_timeout =
# Time in milliseconds the agent will wait to receive the
# response from Access Manager. After the timeout, the connection
# will be drop.
# A value of 0 means that the agent will wait until receiving the response.
# WARNING: Invalid value for this property can result in
# the resources becoming inaccessible.
com.sun.am.receive_timeout = 0
# The three following properties are for IIS6 agent only.
# The two first properties allow to set a username and password that will be
# used by the authentication filter to pass the Windows challenge when the Basic
# Authentication option is selected in Microsoft IIS 6.0. The authentication
# filter is named amiis6auth.dll and is located in
# Agent_installation_directory/iis6/bin. It must be installed manually on
# the web site ("ISAPI Filters" tab in the properties of the web site).
# It must also be uninstalled manually when unintalling the agent.
# The last property defines the full path for the authentication filter log file.
com.sun.am.policy.agents.config.iis6.basicAuthentication.username =
com.sun.am.policy.agents.config.iis6.basicAuthentication.password =
com.sun.am.policy.agents.config.iis6.basicAuthentication.logFile = c:/Sun/Access_Manager/Agents/2.2/debug/C__Lotus_Domino/amAuthFilterHi,
I installed opensso (so Sun Java(TM) System Access Manager 7.5) and the agent for Domino 6.5.4 and I have the message in logs "amAgent"
2007-07-11 18:40:16.119 Error 1708:3dbcf768 PolicyAgent: render_response(): Entered.
I have the box to identify but it doesnot connect me on my opensso server.
It still identify with Domino's server
Thanks for your response
Thomas -
Issue in provisioning user to lotus notes
Hi,
We are integrating Lotus notes with OIM 11g R2 using Lotus Notes 11.1.1 connector .
Lookup value reconciliation is working fine, but facing the below error with user provisioning.
Apr 29, 2013 3:55:29 PM org.identityconnectors.framework.api.operations.CreateApiOp create
FINE: Exception:
org.identityconnectors.framework.common.exceptions.ConnectorException: NotesException: Notes error: The local system cannot complete the operation because it is not running with a hierarchical name (testln)
at org.identityconnectors.framework.common.exceptions.ConnectorException.wrap(ConnectorException.java:101)
at org.identityconnectors.domino.Create.create(Create.java:116)
at org.identityconnectors.domino.DominoConnector.create(DominoConnector.java:205)
at org.identityconnectors.framework.impl.api.local.operations.CreateImpl.create(CreateImpl.java:80)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.identityconnectors.framework.impl.api.local.operations.ConnectorAPIOperationRunnerProxy.invoke(ConnectorAPIOperationRunnerProxy.java:93)
at sun.proxy.$Proxy7.create(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.identityconnectors.framework.impl.api.local.operations.ThreadClassLoaderManagerProxy.invoke(ThreadClassLoaderManagerProxy.java:107)
at sun.proxy.$Proxy7.create(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.identityconnectors.framework.impl.api.DelegatingTimeoutProxy.invoke(DelegatingTimeoutProxy.java:107)
at sun.proxy.$Proxy7.create(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.identityconnectors.framework.impl.api.LoggingProxy.invoke(LoggingProxy.java:76)
at sun.proxy.$Proxy7.create(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.identityconnectors.framework.server.impl.ConnectionProcessor.processOperationRequest(ConnectionProcessor.java:287)
at org.identityconnectors.framework.server.impl.ConnectionProcessor.processRequest(ConnectionProcessor.java:191)
at org.identityconnectors.framework.server.impl.ConnectionProcessor.run(ConnectionProcessor.java:121)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:895)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:918)
at java.lang.Thread.run(Thread.java:662)
Caused by: NotesException: Notes error: The local system cannot complete the operation because it is not running with a hierarchical name (ADLN68)
at lotus.domino.local.Registration.NregisterNewUser(Native Method)
at lotus.domino.local.Registration.registerNewUser(Unknown Source)
at lotus.domino.local.Registration.registerNewUser(Unknown Source)
at org.identityconnectors.domino.Create.createAccount(Create.java:235)
at org.identityconnectors.domino.Create.create(Create.java:108)
Is it something related to service account previleges?
Comments will be appreciated.
Thanks,.
Edited by: 995074 on Apr 30, 2013 2:20 AMSet Lotus notes ITResource parameter 'idType' to '1'
-
Basic questions about Notes domino connector
Hi,
I have a very basic question about the Lotus Domino connector for OIM. We have a requirement to provision accounts into the domino mail server and while doing that also update some information directly into a separate nsf file.
I checked the documentation and it seems while configuring an IT resource, we need to give the Mail DB path, and thats the only place where it refers to it.
Could you guys please let me know if this can be done? Can I write directly to a different nsf file, which is not like provisioning to the complete mail server. So the other attributes in the IT resource may not be able to be set up as its just the file I need to provision into.
Looking forward to your response.
Thanks, MHello folks, please share your experience working with the lotus notes connector.
Thanks, M -
Issue with Domino connector (9.0.4.14)
Hi Experts,
I have installed Domino connector(9.0.4.14) on OIM 11.1.1.5. When i am trying to provision a user to domino, it is failing to due to below error
[2012-02-09T15:40:58.676+01:00] [oim_server1] [NOTIFICATION] [] [ADAPTER.LOTUSNOTES] [tid: [ACTIVE].ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: xelsysadm] [ecid: 15dcd4762ac88ff7:-3addef50:13561dd9e0f:-8000-0000000000002016,0] [APP: oim#11.1.1.3.0] Unable to connect to the target. Attempting to reconnect after delay of 2000ms.......
[2012-02-09T15:41:00.679+01:00] [oim_server1] [NOTIFICATION] [] [ADAPTER.LOTUSNOTES] [tid: [ACTIVE].ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: xelsysadm] [ecid: 15dcd4762ac88ff7:-3addef50:13561dd9e0f:-8000-0000000000002016,0] [APP: oim#11.1.1.3.0] LNotesConnectionUtil::getSession
[2012-02-09T15:41:00.679+01:00] [oim_server1] [NOTIFICATION] [] [ADAPTER.LOTUSNOTES] [tid: [ACTIVE].ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: xelsysadm] [ecid: 15dcd4762ac88ff7:-3addef50:13561dd9e0f:-8000-0000000000002016,0] [APP: oim#11.1.1.3.0] LNotesConnectionUtil::getSession : ***Non-Secure Mode
[2012-02-09T15:41:00.988+01:00] [oim_server1]
[ERROR] [] [ADAPTER.LOTUSNOTES] [tid: [ACTIVE].ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: xelsysadm] [ecid: 15dcd4762ac88ff7:-3addef50:13561dd9e0f:-8000-0000000000002016,0] [APP: oim#11.1.1.3.0] LNotesConnectionUtil::getSession : ***Connection refused to Lotus Notes......[[NotesException: Could not get IOR from Domino Server: http://hostname:port/diiop_ior.txt
I am not able to access http://hostname:port/diiop_ior.txt
Any service diiop which shud be enabled at Domino server?
Any help appreciated
Regards
A AbhinayHi Kevin,
Thanks for your reply,
We are trying to install the RACF Advanced Connector in OIM.After copying Connector to the ConnectorDefaultDirectory in OIMSERVER , we are trying to install the connector from the OIMAdmin Console. We are able to see the RACF connector version in the dropdown box, when we click on the Load button we are getting the SystemError Page.
Please let us know if there are any prequisites we need to take care before installing the connector,we dodn't find anything on this in the connector documentation.
Please help us to install the RACFAdvanced Connecttor
Thanks,
Ravi G -
Domino Gateway Crash with Java.io.EOF Exception
All,
My client has IDM 7.1 provisioning to Domino 6.5.4. It has been working fine untill last friday. Since then the gateway is crashing with Java.io.EOF Exception while trying to provision. The code has not changed and per some of the previous threads in this forum, I checked if they had any configuration changes in the Domino gateway server or at the domino side - like virus scan etc. However the answer was no.
I would really appreciate any help on this.
Thanks,
Biju.
Here is the last few lines in the gateway trace before it crashes:
27/2009 00.20.25.343000 [4924] (../../../../src/wps/agent/connect/main.cpp,247): Enter: doDominoInitialization
03/27/2009 00.20.25.343000 [4924] (../../../../src/wps/agent/connect/main.cpp,271): NotesIniFileDir: D:\IDM\gateway\notes.ini
03/27/2009 00.20.25.343000 [4924] (../../../../src/wps/agent/connect/main.cpp,279): NotesInstallDir: D:\notes
03/27/2009 00.20.25.343000 [4924] (../../../../src/wps/agent/connect/main.cpp,291): Domino Enabled
03/27/2009 00.20.25.343000 [4924] (../../../../src/wps/agent/connect/main.cpp,303): Updated PATH: ;D:\notes;
03/27/2009 00.20.25.343000 [4924] (../../../../src/wps/agent/connect/main.cpp,310): NOTESNTSERVICE Successfully set
03/27/2009 00.20.25.406000 [4924] (../../../../src/wps/agent/connect/main.cpp,327): Exit: doDominoInitialization
03/27/2009 00.20.25.406000 [2752] (../../../../src/wps/agent/connect/ntsvc.cpp,95): Service::svc
03/27/2009 00.20.25.437000 [2752] (../../../../src/wps/agent/connect/server.cpp,269): starting up server daemon PORT 9278
03/27/2009 00.20.25.875000 [2752] (../../../../src/wps/agent/connect/RAEncryptor.cpp,128): Error reading encrpytion key from registry. Using default.
03/27/2009 00.20.25.875000 [2752] (../../../../src/wps/agent/connect/RASecureConnection.cpp,64): RASecureConnection: new connection handler
03/27/2009 00.20.25.875000 [3068] (../../../../src/wps/agent/connect/client_handler.cpp,344): got 68 bytes
03/27/2009 00.20.25.875000 [3068] (../../../../src/wps/agent/connect/RASecureConnection.cpp,264): ReceivePrivate: count: 47, 64 wrapped up rawlength 63
03/27/2009 00.20.25.875000 [3068] (../../../../src/wps/agent/connect/RASecureConnection.cpp,273): Rightbefore decrypt:
03/27/2009 00.20.25.875000 [3068] (../../../../src/wps/agent/connect/RAEncryptor.cpp,69): RAEncryptor::Decrypt3DES: input length (56) moded to 7
03/27/2009 00.20.25.875000 [3068] (../../../../src/wps/agent/connect/RASecureConnection.cpp,114): SendPrivate: count: 0 pad: 4
03/27/2009 00.20.25.875000 [3068] (../../../../src/wps/agent/connect/RASecureConnection.cpp,422): Enter: MakeChallengeResponse
03/27/2009 00.20.25.875000 [3068] (../../../../src/wps/agent/connect/RASecureConnection.cpp,474): MakeChallengeResponse(in,out):
(5C,2F) (CC,56)
03/27/2009 00.20.25.875000 [3068] (../../../../src/wps/agent/connect/RASecureConnection.cpp,476): (26,E3) (D7,65)
03/27/2009 00.20.25.875000 [3068] (../../../../src/wps/agent/connect/RAEncryptor.cpp,128): Error reading encrpytion key from registry. Using default.
03/27/2009 00.20.25.875000 [3068] (../../../../src/wps/agent/connect/RASecureConnection.cpp,497): MakeChallengeResponse Key:
03/27/2009 00.20.25.875000 [3068] (../../../../src/wps/agent/connect/RASecureConnection.cpp,507): Exit: MakeChallengeResponse
03/27/2009 00.20.25.875000 [3068] (../../../../src/wps/agent/connect/RASecureConnection.cpp,114): SendPrivate: count: 16 pad: 4
03/27/2009 00.20.25.875000 [3068] (../../../../src/wps/agent/connect/client_handler.cpp,344): got 36 bytes
03/27/2009 00.20.25.875000 [3068] (../../../../src/wps/agent/connect/RASecureConnection.cpp,264): ReceivePrivate: count: 16, 32 wrapped up rawlength 32
03/27/2009 00.20.25.875000 [3068] (../../../../src/wps/agent/connect/RASecureConnection.cpp,273): Rightbefore decrypt:
03/27/2009 00.20.25.875000 [3068] (../../../../src/wps/agent/connect/RAEncryptor.cpp,69): RAEncryptor::Decrypt3DES: input length (24) moded to 3
03/27/2009 00.20.25.875000 [3068] (../../../../src/wps/agent/connect/RASecureConnection.cpp,114): SendPrivate: count: 0 pad: 4
03/27/2009 00.20.25.875000 [3068] (../../../../src/wps/agent/connect/RAEncryptor.cpp,128): Error reading encrpytion key from registry. Using default.
03/27/2009 00.20.25.875000 [3068] (../../../../src/wps/agent/connect/RASecureConnection.cpp,571): Session key :
03/27/2009 00.20.25.875000 [3068] (../../../../src/wps/agent/connect/client_handler.cpp,344): got 16036 bytes
03/27/2009 00.20.25.875000 [3068] (../../../../src/wps/agent/connect/RASecureConnection.cpp,264): ReceivePrivate: count: 16012, 16032 wrapped up rawlengthWorkflow Trace:
<List>
<String>defaultPasswordExp</String>
<String>365</String>
</List>
</List>
</ResultRows>
</ResultTable>
</ResultItem>
<ResultItem type='error' status='error'>
<ResultError throwable='com.waveset.util.WavesetException'>
<StackTrace>com.waveset.util.WavesetException:
==> java.io.EOFException:
at com.waveset.adapter.AgentResourceAdapter.getResponseBytes(AgentResourceAdapter.java:924)
at com.waveset.adapter.AgentResourceAdapter.getResponse(AgentResourceAdapter.java:955)
at com.waveset.adapter.AgentResourceAdapter.getResponse(AgentResourceAdapter.java:940)
at com.waveset.adapter.AgentResourceAdapter.getResponse(AgentResourceAdapter.java:934)
at com.waveset.adapter.AgentResourceAdapter.doCreateOrUpdateRequest(AgentResourceAdapter.java:1289)
at com.waveset.adapter.DominoResourceAdapter.doCreateOrUpdateRequest(DominoResourceAdapter.java:1072)
at com.waveset.adapter.AgentResourceAdapter.createAccounts(AgentResourceAdapter.java:266)
at com.waveset.adapter.ResourceAdapterBase.createAccount(ResourceAdapterBase.java:832)
at com.waveset.adapter.ResourceAdapterProxy.createAccount(ResourceAdapterProxy.java:213)
at com.waveset.provision.ProvisionContext.doResource(ProvisionContext.java:2103)
at com.waveset.provision.ProvisionContext.processOp(ProvisionContext.java:592)
at com.waveset.provision.ThreadContext.processContext(ThreadContext.java:330)
at com.waveset.provision.ThreadContext.launchThreads(ThreadContext.java:239)
at com.waveset.provision.ProvisionContext.doResources(ProvisionContext.java:280)
at com.waveset.provision.Provisioner.reProvision(Provisioner.java:2226)
at com.waveset.provision.Provisioner.reProvision(Provisioner.java:1416)
at com.waveset.provision.WorkflowServices.reProvision(WorkflowServices.java:2791)
at com.waveset.provision.WorkflowServices.call(WorkflowServices.java:789)
at com.waveset.adapter.RASecureConnection.access$700(RASecureConnection.java:53)
at com.waveset.adapter.RASecureConnection$ReceiveThread.run(RASecureConnection.java:1080)
Wrapped exception:
java.io.EOFException
at java.io.DataInputStream.readFully(DataInputStream.java:204)
at java.io.DataInputStream.readInt(DataInputStream.java:380)
at com.waveset.adapter.RASecureConnection.ReceivePrivateThread(RASecureConnection.java:540)
at com.waveset.adapter.RASecureConnection.access$700(RASecureConnection.java:53)
at com.waveset.adapter.RASecureConnection$ReceiveThread.run(RASecureConnection.java:1080)
</StackTrace>
<ResultError throwable='java.io.EOFException'>
<StackTrace>java.io.EOFException
at java.io.DataInputStream.readFully(DataInputStream.java:204)
at java.io.DataInputStream.readInt(DataInputStream.java:380)
at com.waveset.adapter.RASecureConnection.ReceivePrivateThread(RASecureConnection.java:540)
at com.waveset.adapter.RASecureConnection.access$700(RASecureConnection.java:53)
at com.waveset.adapter.RASecureConnection$ReceiveThread.run(RASecureConnection.java:1080)
</StackTrace>
</ResultError>
</ResultError>
</ResultItem>
</WavesetResult>
</ResourceResult> -
DIP synchronization from Domino LDAP to OID
Hi,
has anyone tried using DIP to synchronize users and groups from Lotus Domino LDAP to OID?
There is a connector available with OIM, but since I don't need provisioning was hoping to get away without extra OIM infrastructure. (I will use OIM if I have to).
My attempts are still in the early stage, and wanted to make sure I was going down the right road.
Using 10.1.4.3 OID, creating an import connector using the import openLDAP template.
Looks like I can get the mapping down and a manual bootstrap does work.
1) Can I adapt elements of the OIM adapter to work within the DIP connector?
2) Domino seems to store groups at the root DSE. The DIP connector does not accept empty or "" as a source domain to search for the groups. It needs that the source groups be stored in a container. Anyone run into this type of thing? Is there something to enter into the DIP connector config that will allow using the ROOT DSE of the target as search source?
3) When I enable the connector, Synchronization delivers a success status. Reconcile is errored and unsuccessful. Can I get by with only synchronization working?
4) Going outside of Oracle here...but is anyone aware if Lotus Domino LDAP maintains a changelog? Or does it use modify timestamps as attributes of users/groups?
5) In the eventuality that I need to write a custom agent for Domino or custom 'Reader' or reconcile agent. Has anyone done this or have sample code to look at? Even if not for Domino, but custom for other LDAP?
Thanksit's either DIP via LDAP or OIM connector via Lotus Java API. I'd go with LDAP...if DIP doesn't work, it's pretty simple to write a script to export records and then import them into OID. There are a lot of LDAP utilities, google is your friend.
-
Can anyone share secrets to executing a Domino rename in a workflow?
I'm setting renameview.accounts[Domino1].CertifierOrgHierarchy to the new OU hierarchy string and setting renameview.accounts[Domino1].certifierIDFile to the old OU's certifier file. An XML dump of the view shows these values are set correctly. The accountID is automatically updated to the new Domino DN (based on identity template) and the old accountID looks correct, so I know the names are different.
But the adapter returns "None of the components of the proposed new name are different than their old values." I've tried to manually set the renameview.accounts[Domino1].accountID to the old value, but been unsuccessful. The domino accounts I'm testing against at least were all created via IdM workflow, so those values should exist from the original provision, I'd think.
I'm using IdM 5.0 SP4 against Domino 6.5. Regular provisioning and common name changes works fine. Just moves are failing.
Any insight would be very much appreciated.
Thanks.Hmm, i had the same problem, the description in the resource documentation is very short. That is what worked for me after playing around:
- set "renameView.accounts[D].identity" to the new one
- set "renameView.accounts[D].CertifierOrgHierarchy" to the new one
- set "renameView.accounts[D].certifierIDFile" to the Certifier of the old (the current) org unit
- do not set first- or lastname!
The credentials for the Certifier we entered in the resource config and they are the same for the different certifiers.
I did a split in the update user workflow where i check if first/lastname is still the same and only org unit changes and use the renameView as described above. -
Does OIM Connector for Lotus Notes support Domino certification authority?
Lotus Notes allows an Organization to register servers and users without stamping each server ID and user ID if you have migrated the certifier to a Domino server-based certification authority (CA).
A Customer has done such a migration to a server-based certification authority (CA), and therefore they have set up Notes and Internet certifiers to use the CA process.
So, now this Customer does not require access to the certifier ID and ID password.
Having enabled certifiers for the CA process, they can now assign the registration authority role to administrators, who can then register users and manage certificate requests without having to provide the certifier ID and password.
My question is: is this compatible with the requirements of Oracle Identity Manager Connector for IBM Lotus Notes and Domino Release 9.0.4, that, among other parameters, requires to specify CertPath (Complete file specification of the certifier ID to be used when creating certifier ID files) and CertPwd (Password of the certifier ID file)?
Regards,
Angelo CarugatiI quite new with OIM, but not at all... For sure, I need to configure a connector for Lotus Notes / Domino.
The main points in my question are (USING A connector for Lotus Notes / Domino):
- How can I create 1 user account (and related data), on different servers (IT Resources), with different "mail templates", when the data should be the same, and the user mail database, should only be a replica on the the 2nd server
- Maybe, I need to configure 2 distincts IT Resources, and run both (through Provisioning Policies), when I need to provision a user, as described in my scenario (above), right?
- In the 2nd server, I dont want the user to be created with a new mail database (neither new user data, as shortName, IDfile... ).
I want that same data, and a replicated mail DB is generated on the 2nd server (webmail server)
Is it possible, how can I configure this within OIM connector for Lotus Notes / Domino? -
A customer has asked us if we can build an IDK for Lotus Notes/Domino in Lotus Script.
We've validated that it's technically possible and now it's time to figure out how to approach the problem from the business side, i.e. do we do it as a consulting project, a closed-source/for-profit product or as an open source product.
I'm leaning toward open source, but first I want to see if anyone out there would benefit from a Lotus Notes/Domino IDK (aside from this one customer of ours).
Thoughts?
Chris Bucchere | bdg | [email protected] | http://www.thebdgway.comI quite new with OIM, but not at all... For sure, I need to configure a connector for Lotus Notes / Domino.
The main points in my question are (USING A connector for Lotus Notes / Domino):
- How can I create 1 user account (and related data), on different servers (IT Resources), with different "mail templates", when the data should be the same, and the user mail database, should only be a replica on the the 2nd server
- Maybe, I need to configure 2 distincts IT Resources, and run both (through Provisioning Policies), when I need to provision a user, as described in my scenario (above), right?
- In the 2nd server, I dont want the user to be created with a new mail database (neither new user data, as shortName, IDfile... ).
I want that same data, and a replicated mail DB is generated on the 2nd server (webmail server)
Is it possible, how can I configure this within OIM connector for Lotus Notes / Domino? -
Issue with ICF domino connector
Hi Experts,
I need to integrate Lotus notes with OIM 11.1.1.5. I am using lotus notes 11.1.1.5 connector and it's based on ICF. I have installed connector server on windows 2003, domino identity connector on top of it and domino connector using connector installer. When i am trying to provision a user to domino, it is failing due to ICF integration issue
I am not able to configure logs due to Bug 12422935.
Any one has worked on ICF connector?
Any help appreciated
Regards
A AbhinayPFB for logs at server console
<Feb 13, 2012 12:41:55 PM CET> <Warning> <oracle.iam.consoles.faces.mvc.common> <BEA-000000> <oracle.iam.platform.canonic.base.NoteException: An error occurred while searching tasks from the SOA Server.>
Running CREATEUSER
Target Class = oracle.iam.connectors.icfcommon.prov.ICProvisioningManager
Thread Id: 139 Time: 2012-02-13 12:42:52.986 Class: oracle.iam.connectors.icfcommon.prov.ICProvisioningManager Method: createObject Level: OK Message: Enter
Thread Id: 139 Time: 2012-02-13 12:42:53.018 Class: oracle.iam.connectors.icfcommon.service.oim9.OIM9Provisioning Method: getFormDataMapByLabel Level: OK Message: Enter
Thread Id: 139 Time: 2012-02-13 12:42:53.074 Class: oracle.iam.connectors.icfcommon.service.oim9.OIM9Provisioning Method: getFormDataMapByLabel Level: OK Message: sFormValue in TS: 1970-01-01 01:00:00.0
Thread Id: 139 Time: 2012-02-13 12:42:53.074 Class: oracle.iam.connectors.icfcommon.service.oim9.OIM9Provisioning Method: getFormDataMapByLabel Level: OK Message: Return
Thread Id: 139 Time: 2012-02-13 12:42:53.075 Class: oracle.iam.connectors.icfcommon.service.oim9.OIM9Provisioning Method: getChildFormDataByLabel Level: OK Message: Enter
Thread Id: 139 Time: 2012-02-13 12:42:53.075 Class: oracle.iam.connectors.icfcommon.service.oim9.OIM9Provisioning Method: getChildFormDataByLabel Level: OK Message: isDateAsTS: true
Thread Id: 139 Time: 2012-02-13 12:42:53.095 Class: oracle.iam.connectors.icfcommon.service.oim9.OIM9Provisioning Method: getChildFormDataByLabel Level: OK Message: Child Form Name: UD_LNGRP
Thread Id: 139 Time: 2012-02-13 12:42:53.095 Class: oracle.iam.connectors.icfcommon.service.oim9.OIM9Provisioning Method: getChildFormDataByLabel Level: OK Message: ChildFormDefKey: 23
Thread Id: 139 Time: 2012-02-13 12:42:53.114 Class: oracle.iam.connectors.icfcommon.service.oim9.OIM9Provisioning Method: getChildFormDataByLabel Level: OK Message: Return
Thread Id: 139 Time: 2012-02-13 12:42:53.114 Class: oracle.iam.connectors.icfcommon.service.oim9.OIM9Configuration Method: getITResourceDetails Level: OK Message: Enter
Thread Id: 139 Time: 2012-02-13 12:42:53.144 Class: oracle.iam.connectors.icfcommon.service.oim9.OIM9Configuration Method: getITResourceDetails Level: OK Message: Return
Thread Id: 139 Time: 2012-02-13 12:42:53.145 Class: oracle.iam.connectors.icfcommon.service.oim9.OIM9Configuration Method: getLookupMap Level: OK Message: Enter: Lookup.Configuration.Domino
Thread Id: 139 Time: 2012-02-13 12:42:53.171 Class: oracle.iam.connectors.icfcommon.service.oim9.OIM9Configuration Method: getLookupMap Level: OK Message: Return
Thread Id: 139 Time: 2012-02-13 12:42:53.186 Class: oracle.iam.connectors.icfcommon.prov.ICProvisioningManager Method: createObject Level: ERROR Message: Error while creating user
oracle.iam.connectors.icfcommon.exceptions.OIMException: Thor.API.Exceptions.tcAPIException: Row index out of bounds
at oracle.iam.connectors.icfcommon.service.oim9.OIM9Configuration.getITResource(OIM9Configuration.java:91)
at oracle.iam.connectors.icfcommon.ResourceConfig.<init>(ResourceConfig.java:80)
at oracle.iam.connectors.icfcommon.service.oim9.OIM9Configuration.getResouceConfig(OIM9Configuration.java:104)
at oracle.iam.connectors.icfcommon.prov.ICProvisioningManager.init(ICProvisioningManager.java:103)
at oracle.iam.connectors.icfcommon.prov.ICProvisioningManager.createObject(ICProvisioningManager.java:114)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.thortech.xl.adapterGlue.ScheduleItemEvents.adpLNCREATEUSER.CREATEUSER(adpLNCREATEUSER.java:109)
at com.thortech.xl.adapterGlue.ScheduleItemEvents.adpLNCREATEUSER.implementation(adpLNCREATEUSER.java:54)
at com.thortech.xl.client.events.tcBaseEvent.run(tcBaseEvent.java:196)
at com.thortech.xl.dataobj.tcDataObj.runEvent(tcDataObj.java:2492)
at com.thortech.xl.dataobj.tcScheduleItem.runMilestoneEvent(tcScheduleItem.java:2919)
at com.thortech.xl.dataobj.tcScheduleItem.eventPostInsert(tcScheduleItem.java:553)
at com.thortech.xl.dataobj.tcDataObj.insert(tcDataObj.java:604)
at com.thortech.xl.dataobj.tcDataObj.save(tcDataObj.java:474)
at com.thortech.xl.ejb.beansimpl.tcProvisioningOperationsBean.retryTasks(tcProvisioningOperationsBean.java:4042)
at Thor.API.Operations.tcProvisioningOperationsIntfEJB.retryTasksx(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:131)
at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at com.bea.core.repackaged.springframework.jee.spi.MethodInvocationVisitorImpl.visit(MethodInvocationVisitorImpl.java:37)
at weblogic.ejb.container.injection.EnvironmentInterceptorCallbackImpl.callback(EnvironmentInterceptorCallbackImpl.java:54)
at com.bea.core.repackaged.springframework.jee.spi.EnvironmentInterceptor.invoke(EnvironmentInterceptor.java:50)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at com.bea.core.repackaged.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:89)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:131)
at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at com.bea.core.repackaged.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
at $Proxy344.retryTasksx(Unknown Source)
at Thor.API.Operations.tcProvisioningOperationsIntfEJB_4xftoh_tcProvisioningOperationsIntfRemoteImpl.__WL_invoke(Unknown Source)
at weblogic.ejb.container.internal.SessionRemoteMethodInvoker.invoke(SessionRemoteMethodInvoker.java:40)
at Thor.API.Operations.tcProvisioningOperationsIntfEJB_4xftoh_tcProvisioningOperationsIntfRemoteImpl.retryTasksx(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at weblogic.ejb.container.internal.RemoteBusinessIntfProxy.invoke(RemoteBusinessIntfProxy.java:85)
at $Proxy183.retryTasksx(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:198)
at $Proxy343.retryTasksx(Unknown Source)
at Thor.API.Operations.tcProvisioningOperationsIntfDelegate.retryTasks(Unknown Source)
at com.thortech.xl.webclient.actions.ResourceProfileProvisioningTasksAction.retryTasks(ResourceProfileProvisioningTasksAction.java:702)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.apache.struts.actions.DispatchAction.dispatchMethod(DispatchAction.java:269)
at com.thortech.xl.webclient.actions.tcLookupDispatchAction.execute(tcLookupDispatchAction.java:133)
at com.thortech.xl.webclient.actions.tcActionBase.execute(tcActionBase.java:894)
at com.thortech.xl.webclient.actions.tcAction.execute(tcAction.java:213)
at org.apache.struts.chain.commands.servlet.ExecuteAction.execute(ExecuteAction.java:58)
at org.apache.struts.chain.commands.AbstractExecuteAction.execute(AbstractExecuteAction.java:67)
at org.apache.struts.chain.commands.ActionCommandBase.execute(ActionCommandBase.java:51)
at org.apache.commons.chain.impl.ChainBase.execute(ChainBase.java:191)
at org.apache.commons.chain.generic.LookupCommand.execute(LookupCommand.java:305)
at org.apache.commons.chain.impl.ChainBase.execute(ChainBase.java:191)
at org.apache.struts.chain.ComposableRequestProcessor.process(ComposableRequestProcessor.java:283)
at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1914)
at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:463)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:821)
at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:300)
at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:27)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:57)
at com.thortech.xl.webclient.security.CSRFFilter.doFilter(CSRFFilter.java:78)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:57)
at oracle.iam.platform.auth.web.PwdMgmtNavigationFilter.doFilter(PwdMgmtNavigationFilter.java:122)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:57)
at oracle.iam.platform.auth.web.OIMAuthContextFilter.doFilter(OIMAuthContextFilter.java:108)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:57)
at oracle.security.jps.ee.http.JpsAbsFilter$1.run(JpsAbsFilter.java:111)
at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:313)
at oracle.security.jps.ee.util.JpsPlatformUtil.runJaasMode(JpsPlatformUtil.java:413)
at oracle.security.jps.ee.http.JpsAbsFilter.runJaasMode(JpsAbsFilter.java:94)
at oracle.security.jps.ee.http.JpsAbsFilter.doFilter(JpsAbsFilter.java:161)
at oracle.security.jps.ee.http.JpsFilter.doFilter(JpsFilter.java:71)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:57)
at oracle.dms.servlet.DMSServletFilter.doFilter(DMSServletFilter.java:136)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:57)
at weblogic.servlet.internal.RequestEventsFilter.doFilter(RequestEventsFilter.java:27)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:57)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3715)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3681)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2277)
at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2183)
at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1454)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:178)
Caused by: Thor.API.Exceptions.tcAPIException: Row index out of bounds
at Thor.API.tcMetaDataSet.goToRow(tcMetaDataSet.java:870)
at oracle.iam.connectors.icfcommon.service.oim9.OIM9Configuration.getITResource(OIM9Configuration.java:83)
at oracle.iam.connectors.icfcommon.ResourceConfig.<init>(ResourceConfig.java:80)
at oracle.iam.connectors.icfcommon.service.oim9.OIM9Configuration.getResouceConfig(OIM9Configuration.java:104)
at oracle.iam.connectors.icfcommon.prov.ICProvisioningManager.init(ICProvisioningManager.java:103)
at oracle.iam.connectors.icfcommon.prov.ICProvisioningManager.createObject(ICProvisioningManager.java:115)
... 100 more
Thread Id: 139 Time: 2012-02-13 12:42:53.187 Class: oracle.iam.connectors.icfcommon.prov.ICProvisioningManager Method: createObject Level: OK Message: Return [ICFINTEGRATION_EXCEPTION] -
IDM 8.0 Domino User Registration Failure with Explicit Policy
I'm using IDM 8.0 Patch 5 with a Lotus Notes 7.0.2 CCH1 client. I have been successfully creating accounts for almost 2 years and am looking to migrate to IDM 8.x. Previous to my IDM 8.x configuration, I have been using the Lotus Notes 6.5.5 CCH2 client with IDM 6.0 SP2. I have been using an explicit policy since day one with the previous configuration without any issues. The policy was being set using the Policy schema attribute with a field on the user form and worked fine. As of IDM 8.0, the gateway service crashes on every attempt to create a user when the Lotus Notes 6.5.5 client is used. Due to this headache, I tried the Lotus Notes 7.0.2 client and the gateway no longer crashes. However, a new error message is produced. At about the point in registration where the notes ID file is generated (which doesn't succeed), it throws the following error:
DominoExtension::Error while executing 'WS_REGNewPerson' errCode: '8421' Registration Failed: A policy could not be retrieved from the Domino directory.
When I stop the gateway service and open the Lotus Notes client using the same credentials the gateway service uses, I can easily find the policy object that we've been using, open it, look at it, etc. With the gateway trace enabled at the highest level (4), it shows no other information between the call to WS_REGNewPerson and the error displayed in the response. I would also like to mention that I noticed the new availability of the explicit policy attribute on the resource configuration page. I attempted to use the resource attribute instead of the form field that I was previously using and it also fails with the same error.
It should also be noted that I'm running this new environment in parallel with the existing system, that is, IDM 6.0 SP2 with Lotus Notes 6.5.5. That environment has its own gateway servers and web servers. The production Domino environment has not changed and still works fine in the current production IDM environment. The IDM 8.x environment is running against the same Domino servers (same physical servers), but is using separate web servers and gateway servers in a test environment using the same credentials as the production environment.
Has anyone seen this issue and had success in overcoming it? Any assistance would be greatly appreciated.There are a couple of important bugs here:
Bug 19094: gateway crashes when provisioning Notes user if Notes client version is 6.5 and server is 7.x
Bug 17213: Add support for Lotus Domino/Notes 8
The resolution brought on by BUG # 17213 added a section to the release notes that states the Domino Server and Lotus Notes client versions must match.
Regarding the error you're seeing:
DominoExtension::Error while executing 'WS_REGNewPerson' errCode: '8421' Registration Failed: A policy could not be retrieved from the Domino directory.
I believe there was a change from REGNewUser to REGNewPerson, which could be playing a role, but I am not certain. I hope this helps.
-A -
Lotus Notes Connector: Resource is provisioned but the Create User task...
Hi,
I am getting some problems with the Lotus Notes Connector. The resource is provisioned but the Create User task is rejected. In the Lotus Notes server log, there is no problem and the account was created successfully.
Below is the response OIM has set to the task:
Respuesta: ERROR_UNID_SET
Descripción de Respuesta: User created successfully. Error while updating user unique attribute in the process form.
Notas:
As you can see below, there was no error when the adapter was executed:
DEBUG [ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)' ADAPTER.LOTUSNOTES - LotusNotesProvisionsetPropertyEntered method
INFO [ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)' ADAPTER.LOTUSNOTES - LotusNotesProvision::loadAttributeMapping: START
DEBUG [ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)' ADAPTER.LOTUSNOTES - LotusNotesProvision: :loadAttributeMapping : Attribute Mapping file : C:\oracle\oim9101\xellerate/XLIntegrations/LotusNotes/config/attributemapping_prov.properties
DEBUG [ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)' ADAPTER.LOTUSNOTES - LotusNotesProvisiongetParsedPropertiesEntered method
DEBUG [ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)' ADAPTER.LOTUSNOTES - LotusNotesProvisiongetParsedProperties---- END
DEBUG [ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)' ADAPTER.LOTUSNOTES - LotusNotesProvision::createUser : CreateMailDb true
DEBUG [ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)' ADAPTER.LOTUSNOTES - LotusNotesProvision::createUser : ShortName
DEBUG [ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)' ADAPTER.LOTUSNOTES - LotusNotesProvision::createUser : SecurityType 1
DEBUG [ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)' ADAPTER.LOTUSNOTES - LotusNotesProvision::createUser : MailSystem 0
DEBUG [ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)' ADAPTER.LOTUSNOTES - LotusNotesProvision::createUser : Storeaddbook true
DEBUG [ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)' ADAPTER.LOTUSNOTES - LotusNotesProvision::createUser : SynchInternetPwd true
DEBUG [ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)' ADAPTER.LOTUSNOTES - LotusNotesProvision::createUser : InternetAddress
DEBUG [ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)' ADAPTER.LOTUSNOTES - LotusNotesProvision::createUser : CertifierIDFile C:\Lotus\Domino\Data\cert.id
DEBUG [ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)' ADAPTER.LOTUSNOTES - LotusNotesProvision::createUser : Registrationlog
DEBUG [ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)' ADAPTER.LOTUSNOTES - LotusNotesProvision::createUser : MailOwnerAccess 0
DEBUG [ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)' ADAPTER.LOTUSNOTES - LotusNotesProvision::createUser : MinPwdlen 8
DEBUG [ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)' ADAPTER.LOTUSNOTES - LotusNotesProvision::createUser : Addbook true
DEBUG [ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)' ADAPTER.LOTUSNOTES - LotusNotesProvision::createUser : RegistrationServer win2k3base/oimdev
DEBUG [ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)' ADAPTER.LOTUSNOTES - LotusNotesProvision::createUser : OrgUnit during create -- oimdev
DEBUG [ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)' ADAPTER.LOTUSNOTES - LotusNotesProvision::createUser : OrgUnit oimdev
DEBUG [ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)' ADAPTER.LOTUSNOTES - LotusNotesProvision::createUser : MailQuotaWarning 40
DEBUG [ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)' ADAPTER.LOTUSNOTES - LotusNotesProvision::createUser : Received null values for ExpirationDate:
DEBUG [ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)' ADAPTER.LOTUSNOTES - LotusNotesProvision::getDefaultDate : Setting Default date
DEBUG [ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)' ADAPTER.LOTUSNOTES - LotusNotesProvision::createUser : IdType 173
DEBUG [ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)' ADAPTER.LOTUSNOTES - LotusNotesProvision::createUser : MailTemplateName
DEBUG [ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)' ADAPTER.LOTUSNOTES - LotusNotesProvision::createUser : MailQuotaLimit 50
DEBUG [ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)' ADAPTER.LOTUSNOTES - LotusNotesProvision::createUser : LastName : Gerente
DEBUG [ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)' ADAPTER.LOTUSNOTES - LotusNotesProvision::createUser : IdFilePath : C:\Lotus\Domino\id
DEBUG [ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)' ADAPTER.LOTUSNOTES - LotusNotesProvision::createUser : MailServer : win2k3base/oimdev
DEBUG [ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)' ADAPTER.LOTUSNOTES - LotusNotesProvision::createUser : FirstName : Teste
DEBUG [ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)' ADAPTER.LOTUSNOTES - LotusNotesProvision::createUser : Comment :
DEBUG [ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)' ADAPTER.LOTUSNOTES - LotusNotesProvision::createUser : MiddleName :
DEBUG [ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)' ADAPTER.LOTUSNOTES - LotusNotesProvision::createUser : Location :
DEBUG [ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)' ADAPTER.LOTUSNOTES - LotusNotesProvision::createUser : MailDBPath : mail\
DEBUG [ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)' ADAPTER.LOTUSNOTES - LotusNotesProvision::createUser : ForwardDomain : oimdev
DEBUG [ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)' ADAPTER.LOTUSNOTES - LotusNotesProvisioncheckUserExistsEntered method
DEBUG [ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)' ADAPTER.LOTUSNOTES - LotusNotesProvision::getUserName: Org Unit: oimdev
DEBUG [ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)' ADAPTER.LOTUSNOTES - LotusNotesProvision::getUserName: Final UserName --- CN=Teste Gerente/OU=oimdev/oimdev
DEBUG [ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)' ADAPTER.LOTUSNOTES - LotusNotesProvisioncheckUserExistsExiting method
DEBUG [ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)' ADAPTER.LOTUSNOTES - LotusNotesProvision::getUserName: Org Unit: oimdev
DEBUG [ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)' ADAPTER.LOTUSNOTES - LotusNotesProvision::getUserName: Final UserName --- CN=Teste Gerente/OU=oimdev/oimdev
DEBUG [ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)' ADAPTER.LOTUSNOTES - LotusNotesProvision::createUser : User Name: CN=Teste Gerente/OU=oimdev/oimdev
DEBUG [ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)' ADAPTER.LOTUSNOTES - LotusNotesProvision::createUser : Full Name: CN=Teste Gerente/O=oimdev
INFO [ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)' ADAPTER.LOTUSNOTES - LotusNotesProvision::createUser : User Created Successfully
INFO [ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)' ADAPTER.LOTUSNOTES - LotusNotesProvision::triggerAdminP : Invoking trigger AdminP
DEBUG [ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)' ADAPTER.LOTUSNOTES - LotusNotesProvision::triggerAdminP : MailServer : win2k3base/oimdev
DEBUG [ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)' ADAPTER.LOTUSNOTES - LotusNotesProvision::loadAdminpProperties : AdminP properties file : C:\oracle\oim9101\xellerate/XLIntegrations/LotusNotes/config/adminP.properties
DEBUG [ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)' ADAPTER.LOTUSNOTES - LotusNotesProvision::triggerAdminP : AdminPCommand : tell adminp process all
I've retried the Create User task and got the Lotus Console messages below. There is no error:
10/20/2009 02:02:56 AM Admin Process: Checking for all requests to perform
10/20/2009 02:03:30 AM DIIOP Server: 192.168.200.6 connected
10/20/2009 02:03:36 AM Opened session for win2k3base/oimdev (Release 6.5.6)
10/20/2009 02:03:36 AM Closed session for win2k3base/oimdev Databases accessed: 2 Documents read: 0 Documents written: 0
10/20/2009 02:03:37 AM Certifying Teste Gerente/oimdev
10/20/2009 02:03:48 AM Opened session for win2k3base/oimdev (Release 6.5.6)
tell adminp process all >C:\DOCUME~1\ADMINI~1.WIN\LOCALS~1\Temp\rem22706.con
10/20/2009 02:03:49 AM Admin Process: Checking for all requests to perform
10/20/2009 02:03:49 AM Remote console command issued by win2k3base/oimdev: tell adminp process all
10/20/2009 02:03:49 AM Closed session for win2k3base/oimdev Databases accessed: 0 Documents read: 0 Documents written: 0
10/20/2009 02:03:49 AM DIIOP Server: 192.168.200.6 disconnected
Any suggestion?
Edited by: Renato.Guimaraes on 19/10/2009 21:04Sunny,
I figured out the problem... Wrong configurations. See what I did:
a) Reviewed the explanation below about the paramater certifierOU of Lotus Notes ITRes, so I set it to empty.
certifierOU Specifies the OU of the certifier to be used when creating user accounts If you use a certifier on the target system, then you must specify the certifier OU value. If
you do not have a certifier on the target system, then leave this parameter field empty.
If there are multiple certifiers on the target system, then you must create one IT resource (of the Lotus Notes IT resource type) for each certifier. Refer to Oracle Identity Manager
Design Console Guide for information about creating IT resources. If you specify a value for the certifierOU parameter, then the user OU value that you specify on the process form is ignored during the creation of a DN for a new user account.
If you do not specify a value for the certifierOU parameter, then the user OU value that you specify on the process form is used in the DN. This feature ensures that only one OU value
is included in the DN.
If you specify a value for the certifierOU IT resource parameter, then user records for which the certifier OU value in the DN does not match the certifierOU parameter value are not
reconciled. This is because the user DN is used to match records in the target system and Oracle Identity Manager, and a difference in the certifier OU value would lead to a
mismatch in DN values. The following example illustrates this type of scenario:
Suppose a user account on Lotus Notes has the following DN:
CN=John Doe/OU=testcertou/O=test/C=US
If testcertou has not been assigned as the value of the certifierOU parameter for any of the IT resources created on this Oracle Identity Manager installation, then the records of this
user cannot be reconciled into Oracle Identity Manager.
Sample value: NY
b) The MailServer paramater was win2k3base/oimdev and I've changed it to CN=win2k3base/O=oimdev.
c) As the certifierOU is clear now, so I have to inform the Orgnation Unit field in the process form.
Thanks.
Edited by: Renato.Guimaraes on 24/10/2009 23:19
Edited by: Renato.Guimaraes on 24/10/2009 23:27
Maybe you are looking for
-
Dear Friend, I don't want to use coding. I want to send through Toolbar E-Mail Icon. I am not using SDK i want to configure E-Mail in SAP. I tried but when i wil click that Icon it throws Error, "Attachement folder not define and attache ment folder
-
Load balancing for JSPs and servlets
Hi: I am using IIS as the proxy server, with the WLS plug-in, to a WLS cluster. This provides round robin load balancing just fine. Will it provide weight based load balancing if I set 'weblogic.system.weight'
-
Is there an iPhone app that provides the shutter speed and f/stop of a picture that is taken with the iPhone? I'd like to use my iPhone as an exposure meter to set my pinhole camera. Thanks. Joel
-
How do I sort only selected rows?
Hi, in Maverick, the option to sort only selected rows seems to be gone anyone out there who knows how to do this? Cheers Paull
-
Problem when install oracle 10g client on whitebox enterprise Linux 3
I download oracle-client-10103.tar.bz2 and unzip. After set environment variable follow instruction I run runmefirst.sh, system cannot recognize the .o file.