OAM11g-WNA and OVD

Hello, I'm trying to test out OAM11g/WNA (Windows Native Authentication without IIS). I have OVD configured as the primary Identity Store, virtualizing against 4 AD domains. Most of the documents/blogs around this topic point to creating an AD identity store with the associated Kerberos configuration in OAM. Can I get the Kerberos authentication to pass through OVD and avoid creating an AD identity store? Though OAM 11.1.1.5 supports multiple identity stores, since I have 4 domains, keeping separate krb5.conf files and combining the SPN file seems to get complicated. Has anyone tried this? Please share your thoughts.
Thanks,
Sunil.

Hi
I have configured multiple Authn schemes with unique krb5 and keytab files for 2 domains (I'm assuming it will scale to n domains) without issue; it works fine assuming you have multiple policies using their own scheme. I'm now trying to work out if I can use a single policy and a single custom Authn module to determine the source domain and use the appropriate krb5/keytab files. Any ideas?
Thanks
Roman
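Sunil's concern above (separate krb5.conf files and a combined SPN file for 4 domains) and Roman's question (picking the right krb5/keytab per source domain; the same reply appears again under "OAM11g- WNA question" below) both come down to the Kerberos side of the setup. The following is an added example, not from this thread or from Oracle: it writes one krb5.conf that lists every AD realm with a domain_realm mapping, resolves a host to its realm the way the Kerberos library does, and merges the per-domain keytabs with MIT ktutil. Realm names, KDC hosts and file paths are constructed placeholders; whether OAM's WNA scheme accepts a multi-realm configuration is not something this thread settles.

```shell
#!/bin/sh
# Added example, not from the thread: one krb5.conf covering several AD realms
# and one keytab holding the HTTP/ SPN keys for all of them. Realm names, KDC
# hosts and paths are constructed placeholders.

# write_krb5_conf OUTFILE DEFAULT_REALM REALM=kdc.host ...
# Emits [libdefaults], a [realms] stanza per REALM=kdc argument, and a
# [domain_realm] mapping from each realm's DNS domain (the realm in lower case).
write_krb5_conf() {
    out=$1; default_realm=$2; shift 2
    {
        printf '[libdefaults]\n default_realm = %s\n dns_lookup_kdc = false\n forwardable = true\n\n' "$default_realm"
        printf '[realms]\n'
        for spec in "$@"; do
            realm=${spec%%=*}; kdc=${spec#*=}
            printf ' %s = {\n  kdc = %s\n  admin_server = %s\n }\n' "$realm" "$kdc" "$kdc"
        done
        printf '\n[domain_realm]\n'
        for spec in "$@"; do
            realm=${spec%%=*}
            domain=$(printf '%s' "$realm" | tr '[:upper:]' '[:lower:]')
            printf ' .%s = %s\n %s = %s\n' "$domain" "$realm" "$domain" "$realm"
        done
    } > "$out"
}

# domain_realm_lookup CONFFILE KEY: print the realm mapped to KEY in [domain_realm].
domain_realm_lookup() {
    sed -n '/^\[domain_realm\]/,/^\[/p' "$1" | awk -v k="$2" '$1 == k { print $3; exit }'
}

# realm_for_host CONFFILE HOST: resolve a host to its realm the way the Kerberos
# library does: exact host first, then each parent domain with a leading dot.
# Returns 1 when no mapping exists, so a caller can fall back to the default realm.
realm_for_host() {
    conf=$1; h=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    r=$(domain_realm_lookup "$conf" "$h")
    [ -n "$r" ] && { printf '%s\n' "$r"; return 0; }
    while [ "${h#*.}" != "$h" ]; do
        h=${h#*.}
        r=$(domain_realm_lookup "$conf" ".$h")
        [ -n "$r" ] && { printf '%s\n' "$r"; return 0; }
    done
    return 1
}

# merge_keytabs OUT IN...: combine the per-domain keytabs (one HTTP/host@REALM
# entry each) into a single file with MIT ktutil, then list it so the kvno of
# each entry can be checked against the service account in its domain.
# Needs ktutil and klist installed, so the demo below does not call it.
merge_keytabs() {
    out=$1; shift
    rm -f "$out"
    {
        for kt in "$@"; do printf 'read_kt %s\n' "$kt"; done
        printf 'write_kt %s\nquit\n' "$out"
    } | ktutil
    klist -kt "$out"
}

# Demo with constructed values: two AD domains, one config file.
demo_conf=${TMPDIR:-/tmp}/krb5.conf.example.$$
write_krb5_conf "$demo_conf" CORP.EXAMPLE.COM \
    CORP.EXAMPLE.COM=dc01.corp.example.com \
    EMEA.EXAMPLE.NET=dc01.emea.example.net
realm_for_host "$demo_conf" ws042.emea.example.net   # prints EMEA.EXAMPLE.NET
```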

Similar Messages

  • URGENT! Configuring WNA and keytab problems

    Hi, I've configured OAS10g integration with AD successfully and am able to map the users successfully from AD to OID. The external authentication plugin is working as well. However, I am having problems configuring WNA and am getting the following errors in the OC4J_SECURITY logfile:
    08/01/06 13:18:44 Getting creds for HTTP/[email protected]...
    08/01/06 13:18:44 Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null KeyTab is /san/oas10g/oracle/product/10gas_infra/j2ee/OC4J_SECURITY/config/oraprda01.keytab refreshKrb5Config is false principal is HTTP/oraprda01.mpx.biz tryFirstPass is false useFirstPass is false storePass is false clearPass is false
    principal's key obtained from the keytab
    08/01/06 13:18:44 principal is HTTP/[email protected]
    08/01/06 13:18:44 [Krb5LoginModule] authentication failed
    Pre-authentication information was invalid (24)
    08/01/06 13:18:44 KerberosAuthenticator: GSSException raised in constructor - No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
    08/01/06 13:18:44 GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
    08/01/06 13:18:44 at sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:189)
    08/01/06 13:18:44 at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:80)
    08/01/06 13:18:44 at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:75)
    08/01/06 13:18:44 at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)
    08/01/06 13:18:44 at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:334)
    08/01/06 13:18:44 at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:44)
    08/01/06 13:18:44 at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)
    08/01/06 13:18:44 at oracle.security.jazn.oc4j.KerberosAuthenticator.<init>(Unknown Source)
    08/01/06 13:18:44 at oracle.security.jazn.oc4j.RealmUserManager.getHttpAuthenticator(Unknown Source)
    08/01/06 13:18:44 at oracle.security.jazn.oc4j.FilterUserManager.getHttpAuthenticator(Unknown Source)
    08/01/06 13:18:44 at com.evermind.server.http.HttpApplication.initAuthenticator(HttpApplication.java:5371)
    08/01/06 13:18:44 at com.evermind.server.http.HttpApplication.initDynamic(HttpApplication.java:980)
    08/01/06 13:18:44 at com.evermind.server.http.HttpApplication.<init>(HttpApplication.java:549)
    08/01/06 13:18:44 at com.evermind.server.Application.getHttpApplication(Application.java:890)
    08/01/06 13:18:44 at com.evermind.server.http.HttpServer.getHttpApplication(HttpServer.java:707)
    08/01/06 13:18:44 at com.evermind.server.http.HttpSite.initApplications(HttpSite.java:625)
    08/01/06 13:18:44 at com.evermind.server.http.HttpSite.setConfig(HttpSite.java:278)
    08/01/06 13:18:44 at com.evermind.server.http.HttpServer.setSites(HttpServer.java:278)
    08/01/06 13:18:44 at com.evermind.server.http.HttpServer.setConfig(HttpServer.java:179)
    08/01/06 13:18:44 at com.evermind.server.ApplicationServer.initializeHttp(ApplicationServer.java:2394)
    08/01/06 13:18:44 at com.evermind.server.ApplicationServer.setConfig(ApplicationServer.java:1551)
    08/01/06 13:18:44 at com.evermind.server.ApplicationServerLauncher.run(ApplicationServerLauncher.java:92)
    08/01/06 13:18:44 at java.lang.Thread.run(Thread.java:534)
    08/01/06 13:18:44 Caused by: javax.security.auth.login.LoginException: Pre-authentication information was invalid (24)
    08/01/06 13:18:44 at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:585)
    08/01/06 13:18:44 at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:475)
    08/01/06 13:18:44 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    08/01/06 13:18:44 at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    08/01/06 13:18:44 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    08/01/06 13:18:44 at java.lang.reflect.Method.invoke(Method.java:324)
    08/01/06 13:18:44 at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
    08/01/06 13:18:44 at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
    08/01/06 13:18:44 at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
    08/01/06 13:18:44 at java.security.AccessController.doPrivileged(Native Method)
    08/01/06 13:18:44 at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
    08/01/06 13:18:44 at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
    08/01/06 13:18:44 at sun.security.jgss.LoginUtility.run(LoginUtility.java:57)
    Our setup is such that the SSO hostname is oraprda01.mpx.biz but the AD/KDC realm is AD.MULTIPLEX.BIZ. I found http://www.oracle.com/technology/obe/obe_as_10g/im/wna/wna.htm and we have more or less the same situation so it should work but it doesn't. I've already got this working in the test environment but the SSO hostname there is gfradev01.ad.multiplex.biz. Note that it has the same domain name as the AD realm.
    Doing a kinit without using the keytab file works for HTTP/[email protected] but when I use the keytab file, I get the pre-authentication error.
    Can anyone advise as to how we can make this work? Are there extra setups which need to be done on the AD server which Oracle did not document?
    Thank you very much,
    Abigail

    If urgent, contact Support.
    Is the account option ‘Do not require Kerberos preauthentication’ checked? (See Microsoft KB 832572.)
    In addition: metalink Note: 466288.1
    Message was edited on 1-feb-2008 by: Frank van Bortel

  • OAM 11gR2 and OVD

    Hi,
    It appears OVD did not make it into the Oracle Fusion Middleware Identity Management 11gR2 release. The latest version available is still the one included in the Oracle Fusion Middleware Identity Management 11gR1 release. Is that correct?
    If so, I have a deployment of Oracle Access Manager 11gR2, which I'd like to integrate with OVD. Does this situation mean that I must deploy another entire WebLogic domain for the Oracle Fusion Middleware Identity Management 11gR1 release? Or is it possible to somehow install the 11gR1 version of OVD into the 11gR2 instance I've already got?
    - Jim

    Yes, the latest version of OVD available is 11.1.1.6 (11g R1). You may use this version with OAM 11gR2.
    OVD 11.1.1.6 uses WebLogic 10.3.6 and OAM 11g R2 also uses the same WebLogic version. Please let me know if you are on some other version of WLS.
    As per best practice, try to keep OAM and OVD in separate WLS domains.

  • OID External Authentication Plug-in and OVD

    Hello, ppl.
    I have successfully installed AD, OVD (11g), OID (10g), and BI Publisher with SSO (10g).
    When I synchronize AD -> OID and use the External Auth Plug-in, synchronized users can successfully log in to BI Publisher.
    When I synchronize AD -> OID through OVD and use the External Auth Plug-in which looks in AD, synchronized users can successfully log in to BI Publisher.
    But when I synchronize AD -> OID through OVD and switch the External Auth Plug-in from AD to OVD, synchronized users cannot log in to BI Publisher.
    How can I use the External Auth Plug-in with OVD? Does anyone have a solution?
    In the future, OVD may contain multiple forests from ADs; now AD has one forest (dc).
    Help :)
    Thanks.
    Jeff.

    I wrote a custom plug-in for OVD.
    When a user binds, it writes a log...
    OVD bind commands:
    1) ldapbind -h <OVD_HOST> -p 6501 -D "[email protected]" -w Oracle10g
    ldap_bind: Invalid credentials
    2) ldapbind -h <OVD_HOST> -p 6501 -D "cn=smith,cn=users,dc=domain,dc=local" -w Oracle10g
    bind successful
    3) ldapbind -h <OVD_HOST> -p 6501 -D "cn=smith,cn=users,dc=domain,dc=local" -w Oracle10g2
    ldap_bind: Invalid credentials
    AD bind commands:
    1) ldapbind -h <AD_HOST> -p 389 -D "[email protected]" -w Oracle10g
    bind successful
    2) ldapbind -h <AD_HOST> -p 389 -D "cn=smith,cn=users,dc=domain,dc=local" -w Oracle10g
    bind successful
    In my log file for the OVD bind commands, just the second and third commands are written.
    Does anyone know why the first command did not bind and why it was not logged?
    // Needs java.io.FileWriter and java.io.IOException; Chain, Credentials, DirectoryString,
    // BinarySyntax, Bool, DirectoryException and ChainException come from the OVD plug-in API.
    public void bind(Chain chain, Credentials creds, DirectoryString dn, BinarySyntax password, Bool result) throws DirectoryException, ChainException {
        // pre bind: hand the request to the next plug-in / the adapter
        try {
            chain.nextBind(creds, dn, password, result);
        } catch (DirectoryException e) {
            // bind rejected: log the DN (append mode, so earlier entries are kept),
            // then rethrow so the client still receives the failure
            try {
                FileWriter out = new FileWriter("c://mylogs//bind_error.txt", true);
                out.write("bind: " + dn.toString() + "\n");
                out.close();
            } catch (IOException ioe) {
                ioe.printStackTrace();
            }
            throw e;
        }
        // post bind: bind accepted, log the DN
        try {
            FileWriter out = new FileWriter("c://mylogs//bind.txt", true);
            out.write("bind: " + dn.toString() + "\n");
            out.close();
        } catch (IOException ioe) {
            ioe.printStackTrace();
        }
    }
    ...

  • OAM11g- WNA question

    Hi,
    We are trying to configure multi-domain WNA using OAM 11.1.1.5.2. WNA works fine with one domain and fails with the other, i.e., if the user logs in to Windows with the second domain, the authentication fails; we see the KDC is sending an NTLM token instead of a SPNEGO token and hence the authentication fails. Has anyone tried multi-domain WNA using OAM 11g? Any ideas/suggestions on how to configure this?
    Thanks

    Hi
    I have configured multiple Authn schemes with unique krb5 and keytab files for 2 domains (I'm assuming it will scale to n domains) without issue; it works fine assuming you have multiple policies using their own scheme. I'm now trying to work out if I can use a single policy and a single custom Authn module to determine the source domain and use the appropriate krb5/keytab files. Any ideas?
    Thanks
    Roman

  • Oam11g and oim 9.1.0.2 SSO

    Has anyone done SSO with OAM11g and OIM 9.1.0.2?
    I seem to be having an issue where OAM11g sessions and header variables are not getting over.

    Hi,
    Can you provide more details ?
    Thanks
    GK

  • Oracle Enterprise User, OVD and MS Active Directory (AD)

    Hi,
    I need to authenticate Oracle Users from MS Active Directory.
    If I create an Oracle Enterprise User, can I just use OVD or do I also need OID?
    If the answer is YES, I just need OVD, do I need to install just OVD or do I need any other installation from OIM in order for it to work?
    Thanks in advance for answering this post : )
    CMT

    Hi,
    I am not sure that you are correct.
    In the meantime, someone mentioned a white paper to read: "Directory Services Integration with Database Enterprise User Security". On page 10 it mentions a scenario: EUS deployment using Active Directory and OVD (without OID).
    The cons mentioned are: need to extend the AD schema to include EUS meta-data (which I am not sure how it's done).

  • OVD 11G, OID 11G and WebApplication - opmnctl

    Hi Guys,
    My understanding was that OID and OVD were web applications.
    Surprisingly, it seems that it is a combination of a webapp and something else.
    In fact, I don't think opmnctl fits into the web container.
    Can you please clarify my understanding of these 2 products?
    I wanted to try to make 2 instances of the same product on 1 VM (2 JVMs).
    - By using WebLogic clustering only, is this feasible? (Or is opmnctl not going to be clustered?)
    - If not, how can I make sure to have 1 cluster of WebLogic + opmnctl on 1 VM?
    Thank you.

    Contrary to intuition, OVD 11g is not a J2EE application; it is a standalone J2SE server. Therefore, WebLogic clustering is not relevant for OVD fail-over. opmnctl is a utility to start, stop and query the status of many applications, of which OVD can be one.

  • How to deploy EUS  using OVD with existing active directory ?

    Hi,
    I am new to Oracle FMW and want to explore more of it.
    I have an existing MS Active Directory with users and group policies defined there, and I need to implement a solution for all users to authenticate to the Oracle Database (11gR2) via AD.
    After searching and reading some docs I came to know that it can be done by "EUS deployment using AD and OVD".
    Now I am a bit confused about where to start. Please guide me. My env is as follows:
    I have an existing MS AD server (Win2003) and Oracle Database 11gR2 on HP-UX. So do I need another server (Win2003/2008) to install OVD, or can I install OVD on the existing AD server?
    What exactly is the software required to install OVD? I have downloaded the software from the eDelivery site: "Oracle Identity and Access Management 11g (11.1.1.7.0)".
    Is it the same or do I need to download another one?

    Check this:
    Installing and Configuring Oracle Virtual Directory
    OIM Image: OID and OVD 11g Basic Install Steps
    Oracle® Fusion Middleware
    Middleware Technologies : Installing Oracle Virtual Directory

  • Enable SSO APEX 4 and MS Active Directory

    Hi,
    I want to enable SSO on my APEX applications. Currently, we use Microsoft Active Directory and Windows 2003 (tomorrow maybe Windows 2008).
    Regarding your experiences, what is the best solution that I can use in order to implement SSO?
    Thanks for your help,
    I forgot to give this information:
    - Our Oracle server runs Linux.
    - We use Oracle Database 11gR2.
    - Our domain controller runs Windows 2003 (we will probably upgrade to 2008 this year).
    - Our APEX version is 4.1.0.00.32.
    Edited by: user7224400 on 3 Feb. 2012 16:23

    Morten -- Interesting. I wish we had found that before we implemented WebLogic and the APEX listener; it may have been an interesting other option to consider. I'm not sure it would have made it past our change control folks as they might bark at the supportability/security, but it is an intriguing option.
    Patrick -- (You have a great blog by the way.) We are talking about upgrading our APEX 3.1 instances this year so I am very interested in the new authentication type. Is it doing anything other than simply retrieving the logon_user? i.e., is it actually authenticating against anything or would it just read the logon_user and let them in if they matched a known username?
    AJ -- We just converted from Oracle Portal last year. When I had Oracle Portal, I had it set up to use Windows Native Authentication following the supported solution for that and then had APEX set up as a partner application for portal. So if someone hit portal first, they'd automatically log on as their Active Directory user through WNA and would be dropped into portal. If they then hit a link for APEX in portal, it would (in rapid succession) go to APEX, redirect back to the portal SSO server, see they were authenticated in app server, and drop them into APEX with barely a visible screen flicker. It worked flawlessly UNTIL we started upgrading to Windows 7. Then a number of changes and patches are required to get WNA to work with app server 10g and Windows 7. If you are using portal in your 10g IAS, you may want to consider that route.
    Pardon me while I hop on my soapbox briefly -- I think if our friends in Oracle land could come out with a fully supported method of using NTLM or similar technologies to automatically log in to APEX applications, it would help considerably in the adoption of APEX and the APEX listener in customers that have Oracle databases and Active Directory, which is a pretty decent size market.
    Ok, soapbox moment ended. :-)
    Rgds/Mark M.

  • Why we are use OVD?

    Hi ,
    I am new to OIM and OAM. Currently in my project they are using OID and OVD.
    The difference between OID and OVD is that in OVD there is no database repository.
    My question is: OID is already there, so why are we using OVD?
    Could any one please explain.
    Thanks in advance.
    Regards,
    Ravi.

    You don't need to use OVD if you don't need it. OVD allows you to present multiple LDAP resources as if they were one. For example, you could configure OIM/OAM to look at OVD which presents a virtual view of your OID and WebLogic embedded LDAP, so no matter whether the user is in OID or WebLogic, they can authenticate. Similarly, if you have other LDAP repositories like ODSEE or AD, you could do something similar.

  • Installing OID, OVD on 11g Linux system

    Hi,
    I have installed OIM11g (db, rcu,wl server,oim server, soa server) on linux 5.7
    I would like to install OID and OVD ON THIS.
    Can you please provide me the some steps to install these and also the order in which I need to install these?
    I am thinking the below order.
    1) Access manager & Adaptive access manager with LDAP sync
    2) OID
    3) OVD
    4) Http server
    5) Webtier
    6) Webgates
    Is this the correct order? Please let me know.

    Hi Kevin,
    I have successfully installed OID now by following your suggestion.
    1) Installed wlserver 10.3.6 as a new middleware home
    2) Installed IDM 11.1.1.6
    3) Configured just OID.
    Now, I am trying to create a new connection in ODSM to log in to it using the values below, but it is saying "incorrect credentials".
    Directory type - OID
    Name: OID_Instance
    Server: localhost
    Port: 7005
    SSL: unchecked
    username:cn=oracladmin
    Password: Passw0rd
    Start page: Data Browser
    Please help me.
    Here is my configuration file.
    Middleware Home Location : /u01/Oracle/Middleware_1036
    Oracle Instance Location : /u01/Oracle/Middleware_1036/Instances
    Oracle Instance : OID_Instance
    Domain Option : Create Domain
    Domain Name : odsm_domain
    Domain Home : /u01/Oracle/Middleware_1036/user_projects/domains/odsm_domain
    Domain Host Name : myserver.home.com
    Domain Port : 7002
    Weblogic Console : http://myserver.home.com:7002/console
    Weblogic User Name : weblogic
    Automatic Port Detection : true
    Enterprise Manager : http://myserver.home.com:7002/em
    Enterprise Manager Agent : http://myserver.home.com:5162/emd/main
    Oracle Internet Directory
    Oracle Directory Services Manager : http://myserver.home.com:7005/odsm/faces/odsm.jspx

  • OAM OIM OID OVD ?

    I always hear about these things from Oracle: OAM, OIM, OID and OVD. Are they the same thing? If not, I believe they are related since people always mention them together; then, what's the relationship? Please clarify.
    I'm new to Oracle identity management products. Please let me know if there are any other products closely related to the above in this family.
    Thanks

    Hi,
    Each and every thing performs a specific role; you can say they are interdependent when it comes to implementation.
    OAM -> Oracle Access Manager = performing authentication and authorization of web-based and non-web-based resources by protecting them.
    OIM -> Oracle Identity Manager = managing the identities of an organisation, integrating and provisioning (giving access) to various applications, and single sign-on.
    OID -> Oracle Internet Directory = one of the directory servers, like Sun Directory Server or AD, for managing user data.
    OVD -> Oracle Virtual Directory = a virtual directory server which provides only a view from multiple directory servers.
    Please go through the Oracle docs for more info.
    Thanks,
    Ragu.

  • Finding existing allocated object ID numbers in OID & OVD

    Is there any way to find the object IDs that are already used in OID and OVD?
    I need to create some new attributes, so I'll need to assign new object IDs to these attributes, and I want these to continue on from IDs that have previously been assigned (and obviously be different numbers).
    I can see that I can use Oracle Directory Services Manager to find the Object ID for each individual attribute we already have set up by clicking on each individual attribute in the Schema tab, but given that we have a couple of thousand attributes, that's not very practical.
    Is there some other way to view the allocated Object IDs via the DSM, or some query I can run on the OID & OVD databases?
    Thanks

    Actually, the fact that it's a string works for me here, since my custom formatter expects a string. That's the one last thing I'm confused about. Following the example I got from a book, I made my formatter, and it was the place I got the "myNumber" thing. So how would I modify my FractionFormatter.as to eliminate the need to pass the string from the main file (if I understand correctly):
    package myComponents {
        // Import base Formatter class
        import mx.formatters.Formatter;

        public class FractionFormatter extends Formatter {
            // Declare the variable to hold the pattern string.
            public var myNumber:String;

            // Constructor
            public function FractionFormatter() {
                // Call base class constructor.
                super();
            }

            // Override format().
            override public function format(value:Object):String {
                // Validate value - it must be a nonzero length string.
                if (value == null || value.length == 0) {
                    // Return empty string and error message for zero-length string.
                    error = "Zero Length String";
                    return "";
                }
                // If the value is valid, format the string (note: keyed on myNumber, not value).
                switch (myNumber) {
                    case ".25":
                        return "1/4";
                    case ".5":
                        return "1/2";
                    case ".75":
                        return "3/4";
                    case "1":
                        return "1";
                    case "1.25":
                        return "1 1/4";
                    default:
                        // If myNumber is not one of the known fractions,
                        // return empty string and set the error message.
                        error = "Invalid Format String";
                        return "";
                }
            }
        }
    }

  • Administrative privileges in OVD

    Hi All,
    I have OAM set up with both OID and OVD. The user data is stored in OVD.
    What I need is a user with administrative privileges in OVD, other than the default administrator, to be able to update other users' attributes.
    Please help in this scenario...
    Thanks.

    Any ideas please...!!!
    How do I grant privileges to a user other than the admin user (cn=admin) in OVD?
