OAM/OIM 11.1.1.3 audit question

All,
We are collecting login information in the IAU_BASE table. Most of the time the IAU_INITIATOR value is null. Does anyone have an idea why this is the case? Is there a setup that we are missing in the OAM configuration?
Thanks in advance,
Prasad.

Hi - did you ever get an answer to this question or figure this out?
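
A query for seeing where the null IAU_INITIATOR rows concentrate, added here as an example and not part of the original thread. It assumes read access to IAU_BASE and that the standard columns IAU_COMPONENTTYPE, IAU_EVENTTYPE, IAU_EVENTSTATUS and IAU_TSTZORIGINATING are present; the seven-day window is arbitrary.

```sql
-- Added example: break audit rows down by component and event type and
-- report how many of each were written without an initiator.
-- Assumed columns (not named in the thread): IAU_COMPONENTTYPE,
-- IAU_EVENTTYPE, IAU_EVENTSTATUS, IAU_TSTZORIGINATING.
SELECT iau_componenttype,
       iau_eventtype,
       iau_eventstatus,
       COUNT(*) AS total_events,
       SUM(CASE WHEN iau_initiator IS NULL THEN 1 ELSE 0 END) AS null_initiator,
       ROUND(100 * SUM(CASE WHEN iau_initiator IS NULL THEN 1 ELSE 0 END)
             / COUNT(*), 1) AS pct_null
FROM   iau_base
WHERE  iau_tstzoriginating >= SYSTIMESTAMP - INTERVAL '7' DAY  -- arbitrary window
GROUP  BY iau_componenttype, iau_eventtype, iau_eventstatus
ORDER  BY null_initiator DESC;
```

Event types that show 100 percent null are the ones to compare against the audit configuration; event types with a mix of null and populated rows point at specific login paths instead.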

Similar Messages

  • Purge OAM/OIM 11.1.1.3 Audit Schema Data

    All,
    Does anyone know how to archive/purge audit data in OAM (IAU_BASE etc. tables) and OIM (UPA etc. tables)?
    Thanks in advance,

    Any suggestion for the iau_xxx tables? I can develop similar custom scripts for the iau_base, oam, oidcomponent and ovdcomponent tables; does this work?
    Prasad.

  • OAM-OIM 11g User Lockout Question

    All,
    We have an OAM and OIM 11.1.1.3 installation and I am testing the invalid login attempt scenarios and came across the following situation. I was wondering if you could give me steps or some pointers for resolving this:
    1. created an account [email protected] as xelsysadm and reset the password on first login
    2. Have the following OIM default parameters (these are the only configs that i could find are possibly related to this)
    XL.UnlockAfter - 0
    XL.MaxLoginAttempts - 10
    3. Entered incorrect password and for the initial 4 times i got the OAM login screen back with an error message "An incorrect Username or Password was specified"
    4. After 5th attempt i just got the error message "Error
    An incorrect Username or Password was specified"
    5. I go back the http://oimservername:oimport/oim i get the login screen again and enter [email protected] with an incorrect password next 4 times (total 9 now) I get login screen back with "An incorrect Username or Password was specified"
    6. after the 10th attempt with incorrect password i get a different error message with no login screen "Error
    The user account is locked. Please contact Administrator."
    7. I logged into OIM as xelsysadm -> administration -> search user [email protected] and it doesn't show that the account is locked. I lock it anyway explicitly by clicking the button on the user screen and click unlock immediately, and now when I enter [email protected] and the correct password everything works.
    Few questions that i have are:
    1. How do I get the OAM/OIM system to behave consistently (give an "incorrect username or password" message for the first 9 attempts with a login screen back to the end user, and give them an error message at the end that the account is locked)? I am okay with the out-of-the-box message text.
    2. How will our operations team understand that the user is really locked, because they have nowhere to go to find this information?
    3. What are all the places where I should look for this information in the above scenario when the user account is locked by himself (OVD/OID, USR table in OIM_DEV schema etc.)?
    4. Are there any other best practices that i should follow in setting up the system.
    Thanks in advance for reviewing this.
    Prasad.

    It appears to be all happening in OAM. After researching some more, I found this piece at http://download.oracle.com/docs/cd/E17904_01/doc.1111/e15740/idmint.htm#CACBBIDI.
    But nevertheless it doesn't explain how to unlock the user other than the workaround that I found. Did anyone else have to deal with this?
    x---------------------------------------------------------------x
    2.8.4.4 Account Lock and Unlock
    Oracle Access Manager keeps track of the login attempts and locks the account when the count exceeds the established limit.
    When an account is locked, Oracle Access Manager displays the Help Desk contact information.
    When contacted by the end user, the Help Desk unlocks the account using the Oracle Identity Manager administrative console. Oracle Identity Manager notifies Oracle Access Manager about the changes.
    Account Lock and Unlock Flow
    When the number of unsuccessful user login attempts exceeds the value specified in the password policy, the user account is locked. Any login attempt after the user account has been locked displays a page that provides information about the account unlocking process, which will need to be customized to reflect the process (Help Desk information or similar) that is followed by your organization.
    Note:
    Oracle Identity Manager does not support automatic locking of a user account after a specific period has elapsed.
    The following describes the account locking/unlocking flow:
    1. Using a browser, a user tries to access an application URL that is protected by Oracle Access Manager.
    2. Oracle Access Manager Webgate (SSO Agent) intercepts the request and redirects the user to the Oracle Access Manager login page.
    3. The user submits credentials that fail Oracle Access Manager validation. Oracle Access Manager renders the login page and asks the user to resubmit credentials.
    4. The user's unsuccessful login attempts exceed the limit specified by the policy. Oracle Access Manager locks the user account and redirects the user to the Oracle Access Manager Account Lockout URL, which displays Help Desk contact information.
    5. The user contacts the Help Desk over the telephone and asks an administrator to unlock the account.
    6. Oracle Identity Manager notifies Oracle Access Manager of the account unlock event.
    7. The user attempts to access an application URL and this event triggers the normal Oracle Access Manager single sign-on flow.

  • API's OIM: How to access a Audit Information

    Hi Everybody!
    I work with the OIM APIs. I can access the audit information, for example: Users.Created By, but I don't understand how to access it! I need help!

    There are a couple of APIs available, please have a look:
    http://otndnld.oracle.co.jp/document/products/id_mgmt/idm_903/doc_cd/javadocs/operations/Thor/API/Operations/tcAuditOperationsIntf.html

  • OHS in front of OAM/OIM

    All,
    I configured OHS in front of OAM/OIM 11.1.1.3. Everything works great; however, the access_log in OHS does not show the username for secure page access in OIM/OAM. Has anyone gone through this setup before? If so, can you please let me know what I could be missing.
    Thanks in advance,
    Prasad.

    It is doable :)
    There are 2 stages:
    1) To simply protect the pages you add the /oim/*...* and /oim/* resources and host in the agent you are using to access the server with (webgate) and then any hits will get redirected to the OAM login page. This should be done by default by your webgate agent AND you need to use the 10g webgate for proper integration (11g webgate is not supported for protecting the IAM suite yet).
    2) For full integration with passthrough authentication and reset password and self-service redirection you'll need to do more. Look through the Oracle docs on how to do this, it's scattered in a few different places, but here are some tips:
    - if you're using VMs take snapshots before trying
    - you'll need to go in EM to change OIM agent properties, in WebLogic to change providers (use OAMIdentityAsserter first and then OAMAuthenticator second) and for full integration use the OIM LDAP-Sync (if you're doing it that way) as the identity store.
    - do not use the automated tools that will magically do it for you like 'idmConfigTool'. They did not work for me, but rather wasted 2 days because my configuration did not fit its profile.
    Good luck.
    - JP

  • EHS- Audit question and findings table?

    Hi Gurus
    I wanted to know what the table for Audit questions and findings is, and also where the corresponding texts are stored in SAP.
    Thanks
    Murali

    Hello Murali,
    please check the following tables
    PLMM_AUDIT - for Audit results
    For questions:
    PLMM_QUEST_H
    PLMM_QUEST_I
    PLMM_QUEST_RES
    for text
    CGPL_TEXT
    CGPL_PROJECT
    Regards
    gajesh

  • UPLOAD AUDIT QUESTIONS

    Kindly guide me on how to upload audit questions into the SAP system. SAP also provides a template; what contents are to be filled in that template? I couldn't understand it. If anybody has worked with that template, kindly guide me. In that template we have fields like: external id, description, ext position, hierarchy level, task level, assessm entsug desc

    Please check SAP note 597982. You can find the SAP-supplied XL template as a zip attachment in the note, along with step-by-step guidance on how to upload audit questions using the import/export functionality of audit management.
    Thanks,
    Ram

  • OAM OIM OID OVD ?

    I always hear these things from Oracle: OAM, OIM, OID and OVD. Are they the same thing? If not, I believe they are related since people always mention them together; then what's the relationship? Please clarify.
    I'm new to Oracle identity management products. Please let me know if there are any other products closely related to the above in this family.
    Thanks

    Hi,
    Each one performs a specific role; you can say they are interdependent when it comes to implementation.
    OAM -> Oracle Access Manager = performs authentication and authorization of web-based and non-web-based resources by protecting them.
    OIM -> Oracle Identity Manager = manages the identities of an organisation, integrating and provisioning (giving access) to various applications, and single sign-on.
    OID -> Oracle Internet Directory = it's one of the directory servers, like Sun Directory Server or AD, for managing user data.
    OVD -> Oracle Virtual Directory = it's a virtual directory server which provides only a view from multiple directory servers.
    Please go through the Oracle docs for more info.
    Thanks,
    Ragu.

  • Read attachment details of Audit Question (PLMD_AUDIT)

    Hi Experts,
    Kindly request you to assist me on the below.
    I'm trying to build a solution using ABAP for a requirement, where the logic has to find the attachment details of an audit question or action on the audit transaction (PLMD_AUDIT).
    For example, please see the attached:
    Screen shot 1.--> I'm not able to build the solution to check whether an audit question/action is having an attachment.
    Screen shot 2.--> If the attachment exists, then how to get the attachment and send an email.
    Appreciate your valuable inputs.
    Thank you
    Mahendra

  • OAM / OIM - Conceptual question

    Hi all,
    I'm trying to understand the overlap between OAM and OIM in terms of identity management. I'm going through the OAM manuals and it talks about OAM's Identity System in a way that very closely resembles a lot of what OIM does, ie. user management, groups, delegated admin, self admin, etc...
    I'm trying to understand how these two fit together. I know OIM does a lot more in terms of provisioning to other resources... is OAM considered a resources that OIM provisions to? If you have OIM and OAM, it seems that there's now 2 repositories of user data....
    Can someone explain (or point me to a doc that does) the relationship(s) between OIM and OAM, how they fit together, which drives the other, etc...?
    Thanks very much
    Alex

    OAM's Identity System is a web-based self-service tool for users to edit their information for their identity records. The Forgot Password Service will help the users to reset their passwords. Oracle Access Manager's main functionality is the Single Sign On feature and to offer AU and AZ services. Also, OAM's Identity System helps you to create/manage/delegate LDAP Dynamic Groups and Organizations. Remember, OAM will not be able to provision users with LDAP Accounts. You need to create LDAP Accounts and then you can manage the users via OAM Identity System. You can also create users from OAM Identity System but no one creates users from OAM Identity System in a corporate environment. OAM Identity System is designed to provision the Access Administrators with the capability of creating/managing/delegating the tasks of Dynamic LDAP Groups which are in turn used in AZ rules for Access Policies. AFAIK, creating users and organizations from OAM - Identity System is not recommended. My recommendation for using the OAM Identity System is to limit the usage to LDAP Dynamic Group Creation. As an Access Administrator it will be very convenient to create the groups without contacting the LDAP Teams.
    On the other hand, OIM can synchronize with Corporate HR systems/AD/LDAP and other authoritative identity sources and pull the records to OIM. Based on the business roles, OIM can automatically provision the users with all required resources with appropriate access rights. OIM also offers Forgot Password and Password Reset services which are recommended for usage in a corporate environment. Also I don't think you can create LDAP Dynamic Groups and Organizations in an authoritative LDAP via OIM.
    Coming to the integration part, OAM can protect OIM and offer Single Sign On to OIM Services. OIM can provision users to OAM, but not in a straightforward way as there is no connector provided for OAM OOTB. If you have both OIM and OAM you still have a single identity (user) store. Both OAM and OIM will talk to the single user store for synchronization. For OIM, you will have a user account in the OIM System apart from the user directory, but for OAM you will use the account from the user directory to access Identity and Access Services.

  • Relationship between OAM,OIM,OID

    Hi Gurus,
    I am very, very new to Fusion Middleware. I would like to know the relationship between the following in simple terms:
    Oracle Access Manager
    Oracle Identity Manager
    Oracle Internet Directory
    Below is my understanding; correct me if I'm wrong.
    OID is like LDAP, where passwords and security policies will be saved.
    Redirecting to a similar question or post is also fine.
    Thanks in advance...

    OIM and OAM may use OID to write/retrieve user details from OID.
    Let's say a user joined an organization. Now, as per the onboarding process, you reconcile the user from the trusted source to OIM and sync that user to OID using LDAP sync. Now when you try to access an application which is protected by OAM, the authentication and authorization of that user happens against OID if it is configured as the user identity store.

  • Can we use OID 11gR1 with the OAM/OIM 11gR2

    Hi,
    I am installing IdM 11gR2. As OID does not come with this pack, can we use/install the OID which comes with IdM 11gR1?
    Or is there any other option like OUD.
    Can we integrate the OUD 11gR2 with the OIM/OAM 11gR2 to manage the users/groups.? If yes, please share some document for it.
    Please suggest the best option as we are learning OIM/OIM 11gR2.
    Thanks
    Harry

    The latest OID in 11gR1 is 11.1.1.6
    It will support integration with 11gR2 OIM and OAM. Kishore already sent the certification matrix link.
    I am currently using OID 11.1.1.6 in the above configuration and it works fine. Any other questions, feel free to post them.

  • OAM-OIM intg.- getting NPE errors while running idmconfigtool.sh script

    I am trying to run idmconfigtool.sh for OIM-OAM integration and getting a null pointer exception with the -configOAM option. I am running the script from the OAM server. Here's my environment.
    OIM - 11gR2
    OAM - 11.1.1.5
    OVD - 11.1.1.6 front ending OUD
    OUD - 11gR2 (FMW identity store)
    Exception below from automation.log
    Feb 21, 2013 1:20:39 PM oracle.idm.automation.impl.oam.handlers.OAM11gIntegrationHandler configOAM11gIdStore
    SEVERE: Error while configuring webgate and domain
    java.lang.NullPointerException
    at oracle.idm.automation.impl.oam.handlers.OAM11gIntegrationHandler.configOAM11gIdStore(OAM11gIntegrationHandler.java:368)
    at oracle.idm.automation.impl.oam.handlers.OAM11gIntegrationHandler.execute(OAM11gIntegrationHandler.java:696)
    OVD structure:
    IDSTORE_USERSEARCHBASE: cn=users,dc=idm
    IDSTORE_SEARCHBASE: dc=idm
    IDSTORE_SYSTEMIDBASE: cn=systemids,dc=idm
    IDSTORE_GROUPSEARCHBASE: cn=groups,dc=idm
    I see err=32 in OVD logs when the script tries to search oamLDAP user. oamLDAP user exists under cn=systemids,dc=idm via OVD. But the script tries to build DN as cn=oamLDAP,cn=users,dc=idm and not referring to SYSTEMIDBASE.
    [2013-02-19T16:39:07.057-06:00] [octetstring] [TRACE] [OVD-00023] [com.octetstring.vde.backend.jndi.User_OUD.BackendJNDI] [tid: 36] [ecid: 0000Jnob4Ci1Vcs6wjZf6G1H7Hwp0001^T,0] [SRC_CLASS: com.octetstring.vde.util.VDELogger] [SRC_METHOD: debug] [#User_OUD] JNDI Adapter Search using:[[
    BindDN: cn=oamLDAP,cn=users,dc=idm
    Base: cn=oamLDAP,cn=users,dc=oud,dc=com
    javax.naming.NameNotFoundException: [LDAP: error code 32 - The search base entry 'cn=oamLDAP,cn=users,dc=oud,dc=com' does not exist];
    What am I doing wrong here? I can move oamLDAP under cn=users and I hope that should fix this issue, but I don't want to mix admin IDs and user IDs under one container. Please let me know.

    I opened a ticket with support and haven't made much progress on this yet. Does anyone have any thoughts on this?
    Thanks.

  • OIM Profile Field\Column Analysis Approach & Questions

    As many of you know, IdM projects are often rooted in analysis and not implementation (as much). As part of that I'm creating a matrix of OIM Profile (form) Fields and\or DB columns (mostly USR) - including name, isvalidated, isrequired, format, length, defaults, values, etc. Then the next step is to do the same with the resources (AD, LDAP, DB, etc). Then that analysis becomes the basis to determine what gets "pushed up" to the OIM profile, who should be the 'authoritative source', etc. I know this is a very common approach and one that Oracle even uses on many of its OIM consulting gigs. Any comments on this approach are appreciated.
    But what I'm most interested in is any insight people can share about these following OIM Fields\DB Columns:
    1. USR.USR_CREATED, USR.USR_UPDATED - is that technically set to be SYSDATE (of the DB) upon insert\update? Opposed to likely defining a new Date() in the java. Is this true of all the DATE related columns? Are the DATE fields validated (OOB) so that they cannot occur in the past?
    2. USR.USR_MANAGER vs USR.USR_MANAGER_KEY - Are these both references to the same thing? If so, why is this needed?
    3. USR.USR_DATA_LEVEL - what\when is it used?
    4. USR.USR_FSS - what\when is it used?
    5. USR_LOCATION - what\when is it used?
    6. USR_NOTE - what\when is it used?
    7. USR_PWD_MIN_AGE_DATE - is that used to not allow people to change the password until after X many days? Or is more about finding the LCD password interval across all the resources & OIM?
    8. USR_UPDATE_AD - Is this used for AD? If so, why isn't it prefixed with UDF?
    9. USR_TODO - is this just there in case Oracle wants to add a field in the future? Or is actually used currently?

    1. USR.USR_CREATED, USR.USR_UPDATED -> By default, you do not have access to these through the web. They are automatically updated with the SYSDATE. They are also used in audit information and reports.
    2. USR.USR_MANAGER is not used. The USR.USR_MANAGER_KEY contains the USR_KEY of the manager. Could be in the database from previous versions and no longer used.
    3. DATALEVEL is used on all the tables. If the value is set to 1, you cannot make changes to it. If you try to update specific tasks in the Xellerate User provisioning process, or the default tasks on the Users Data Object, you will receive an error that you cannot modify this value. It's because the security is set to 1.
    4. Unused?
    5. USR.USR_LOCATION -> You could add this value to be displayed in the User Form and write whatever location information you want to it. By default, it is not used.
    6. USR_NOTE -> Unused. Could be from previous version. Like Location, you could add it to the User Form to be displayed if you want.
    7. USR_PWD_MIN_AGE_DATE -> This value is populated if your password policy has a password minimum age date preventing immediate change.
    8. USR_UPDATE_AD -> Not used. However, if you import the AD Connector, you will get an UDF for it.
    9. USR_TODO -> Not used. Could be added to User Form.
    -Kevin

  • Audit Questions

    Our VOIP environment raised some flags on the latest audit scan and I am trying to resolve the items.
    A few items have me confused.
    The following showed up on 3 of the devices:
    remote network time service has denial of service (123/udp)...Upgrade to NTP 4.2.4p8 or later.
    1 callmanager had this and it is running the latest revision 7.1.3.32900-4, where it is supposed to be resolved. (Another CCM running the same version didn't have the vulnerability.)
    Our 2 UCCX servers running Cisco Application Administration - 7.0(1)_Build168 had the same vulnerability. From what I can tell Cisco has fixed it for most products but not the UCCX platform. I know this is going to a Linux-based version soon, but is there a patch or upgrade that can resolve this?
    Also, Weak Ciphers appear on almost all of the Linux-based servers...is there a way to disable this?
    Thanks,
    Joe

    Dear Laxmi
    You can upload the questions through excel , XML template. The template and details is available in the SAP note 597982
    Regards
    Gajesh
