OHS in front of OAM/OIM

All,
I configured OHS in front of OAM/OIM 11.1.1.3. Everything works great; however, access_log in OHS does not show the username for secure page access in OIM/OAM. Has anyone gone through this setup before? If so, can you please let me know what I could be missing.
Thanks in advance,
Prasad.

It is doable :)
There are 2 stages:
1) To simply protect the pages you add a /oim/*...* and /oim/* resources and host in the agent you are using to access the server with (webgate) and then any hits will get redirected to the OAM login page. This should be done by default by your webgate agent AND you need to use the 10g webgate for proper integration (11g webgate is not supported for protecting the IAM suite yet).
2) For full integration with passthrough authentication and reset password and self-service redirection you'll need to do more. Look through the Oracle docs on how to do this, it's scattered in a few different places, but here are some tips:
- if you're using VMs take snapshots before trying
- you'll need to go in EM to change OIM agent properties, in WebLogic to change providers (use OAMIdentityAsserter first and then OAMAuthenticator second) and for full integration use the OIM LDAP-Sync (if you're doing it that way) as the identity store.
- do not use the automated tools that will magically do it for you like 'idmConfigTool'. They did not work for me, but rather wasted 2 days because my configuration did not fit its profile.
Good luck.
- JP

Similar Messages

  • OAM OIM OID OVD ?

    I always hear these things from Oracle: OAM, OIM, OID and OVD. Are they the same thing? If not, I believe they are related since people always mention them together; then, what's the relationship? Please clarify.
    I'm new to Oracle identity management products. Please let me know if there are any other products closely related to the above in this family.
    Thanks

    Hi,
    Each and every thing performs a specific role; you can say they are interdependent when it comes to implementation.
    OAM -> Oracle Access Manager = performs authentication and authorization of web-based and non-web-based resources by protecting them.
    OIM -> Oracle Identity Manager = manages identities of the organisation, integrating and provisioning (giving access) to various applications and single sign-on.
    OID -> Oracle Internet Directory = one of the directory servers, like Sun Directory Server or AD, for managing user data.
    OVD -> Oracle Virtual Directory = a virtual directory server which provides only a view from multiple directory servers.
    Please go through oracle docs for more info.
    Thanks,
    Ragu.

  • OAM-OIM 11g User Lockout Question

    All,
    We have an OAM and OIM 11.1.1.3 installation and I am testing the invalid login attempt scenarios and came across the following situation. I was wondering if you could give me steps or some pointers for resolving this:
    1. created an account [email protected] as xelsysadm and reset the password on first login
    2. Have the following OIM default parameters (these are the only configs that i could find are possibly related to this)
    XL.UnlockAfter - 0
    XL.MaxLoginAttempts - 10
    3. Entered an incorrect password and for the initial 4 times I got the OAM login screen back with an error message "An incorrect Username or Password was specified"
    4. After the 5th attempt I just got the error message "Error
    An incorrect Username or Password was specified"
    5. I go back to http://oimservername:oimport/oim, I get the login screen again and enter [email protected] with an incorrect password the next 4 times (total 9 now). I get the login screen back with "An incorrect Username or Password was specified"
    6. After the 10th attempt with an incorrect password I get a different error message with no login screen "Error
    The user account is locked. Please contact Administrator."
    7. I logged into OIM as xelsysadm -> administration -> search user [email protected] and it doesn't show that the account is locked. I lock it anyway explicitly by clicking the button on the user screen and click unlock immediately, and now I enter [email protected] with the correct password and everything works.
    Few questions that i have are:
    1. How do I get the OAM/OIM system to behave consistently (give an incorrect username or password message with a login screen back to the end user for the first 9 attempts and give them an error message at the end that the account is locked)? I am okay with the out-of-the-box message text.
    2. How will our operations team understand that the user is really locked, because they have nowhere to go to find this information?
    3. What are all the places where I will look for this information in the above scenario when the user account is locked by the user himself (OVD/OID, USR table in OIM_DEV schema etc.)?
    4. Are there any other best practices that i should follow in setting up the system.
    Thanks in advance for reviewing this.
    Prasad.

    It appears to be all happening in OAM. After researching some more, I found this piece at http://download.oracle.com/docs/cd/E17904_01/doc.1111/e15740/idmint.htm#CACBBIDI.
    But nevertheless it doesn't explain how to unlock the user other than the workaround that I found. Did anyone else have to deal with this?
    x---------------------------------------------------------------x
    2.8.4.4 Account Lock and Unlock
    Oracle Access Manager keeps track of the login attempts and locks the account when the count exceeds the established limit.
    When an account is locked, Oracle Access Manager displays the Help Desk contact information.
    When contacted by the end user, the Help Desk unlocks the account using the Oracle Identity Manager administrative console. Oracle Identity Manager notifies Oracle Access Manager about the changes.
    Account Lock and Unlock Flow
    When the number of unsuccessful user login attempts exceeds the value specified in the password policy, the user account is locked. Any login attempt after the user account has been locked displays a page that provides information about the account unlocking process, which will need to be customized to reflect the process (Help Desk information or similar) that is followed by your organization.
    Note:
    Oracle Identity Manager does not support automatic locking of a user account after a specific period has elapsed.
    The following describes the account locking/unlocking flow:
    Using a browser, a user tries to access an application URL that is protected by Oracle Access Manager.
    Oracle Access Manager Webgate (SSO Agent) intercepts the request and redirects the user to the Oracle Access Manager login page.
    The user submits credentials that fail Oracle Access Manager validation. Oracle Access Manager renders the login page and asks the user to resubmit credentials.
    The user's unsuccessful login attempts exceed the limit specified by the policy. Oracle Access Manager locks the user account and redirects the user to the Oracle Access Manager Account Lockout URL, which displays Help Desk contact information.
    The user contacts the Help Desk over the telephone and asks an administrator to unlock the account.
    Oracle Identity Manager notifies Oracle Access Manager of the account unlock event.
    The user attempts to access an application URL and this event triggers the normal Oracle Access Manager single sign-on flow.
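A model of the lock/unlock flow quoted above, with an audit-trail replay that answers the operations question from the post (added example, not Oracle's code; the XL.* thresholds come from the thread, while the event record shape and the user name are constructed for the illustration):

```python
"""Model of the OAM/OIM account lock and unlock flow quoted in the thread.

Added example, not Oracle code.  The thresholds mirror the OIM properties
quoted in the thread (XL.MaxLoginAttempts = 10, XL.UnlockAfter = 0); the
event records and user names are constructed for this illustration and do
not reproduce any real OAM or OIM log or audit format.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

XL_MAX_LOGIN_ATTEMPTS = 10   # XL.MaxLoginAttempts as quoted in the thread
XL_UNLOCK_AFTER = 0          # XL.UnlockAfter = 0: no timed unlock, an admin must act

LOCKED_MSG = "The user account is locked. Please contact Administrator."
BAD_CRED_MSG = "An incorrect Username or Password was specified"

# (user, event, detail): a constructed, minimal audit record shape
Event = Tuple[str, str, str]


@dataclass
class Account:
    failed_attempts: int = 0
    locked: bool = False


class LockoutPolicy:
    """Counts failed logins per account and locks at the configured limit."""

    def __init__(self, max_attempts: int = XL_MAX_LOGIN_ATTEMPTS) -> None:
        self.max_attempts = max_attempts
        self.accounts: Dict[str, Account] = {}
        self.audit: List[Event] = []

    def _account(self, user: str) -> Account:
        return self.accounts.setdefault(user, Account())

    def login(self, user: str, password_ok: bool) -> str:
        """Return the message the end user sees for this attempt."""
        acct = self._account(user)
        if acct.locked:
            # A locked account is refused even when the password is correct.
            self.audit.append((user, "LOGIN_DENIED", "account locked"))
            return LOCKED_MSG
        if password_ok:
            acct.failed_attempts = 0
            self.audit.append((user, "LOGIN_SUCCESS", ""))
            return "OK"
        acct.failed_attempts += 1
        self.audit.append((user, "LOGIN_FAILED", f"attempt {acct.failed_attempts}"))
        if acct.failed_attempts >= self.max_attempts:
            acct.locked = True
            self.audit.append((user, "ACCOUNT_LOCKED", "XL.MaxLoginAttempts exceeded"))
            return LOCKED_MSG
        return BAD_CRED_MSG

    def admin_unlock(self, user: str, admin: str) -> None:
        """The Help Desk step from the quoted flow: only an administrator unlocks."""
        acct = self._account(user)
        acct.locked = False
        acct.failed_attempts = 0
        self.audit.append((user, "ACCOUNT_UNLOCKED", f"by {admin}"))


def locked_users_from_audit(events: Iterable[Event]) -> Set[str]:
    """Replay lock/unlock events to find who is currently locked.

    This is the view the operations team asks for in the thread: derived
    from the event trail alone, without access to the live account state.
    """
    locked: Set[str] = set()
    for user, event, _detail in events:
        if event == "ACCOUNT_LOCKED":
            locked.add(user)
        elif event == "ACCOUNT_UNLOCKED":
            locked.discard(user)
    return locked


def run_thread_scenario() -> Tuple[List[str], Set[str]]:
    """Replay the ten bad passwords from the thread with a constructed user."""
    policy = LockoutPolicy()
    user = "jdoe.example"                      # constructed user name
    messages = [policy.login(user, password_ok=False) for _ in range(10)]
    locked_now = locked_users_from_audit(policy.audit)
    return messages, locked_now


if __name__ == "__main__":
    msgs, locked = run_thread_scenario()
    for i, m in enumerate(msgs, 1):
        print(f"attempt {i:2d}: {m}")
    print("locked per audit trail:", sorted(locked))
```

Attempts 1 to 9 return the bad-credential message, the 10th returns the locked message, and the account stays locked until `admin_unlock` is called, matching the documented flow rather than the inconsistent behaviour observed in the post.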

  • OAM-OIM intg.- getting NPE errors while running idmconfigtool.sh script

    I am trying to run idmconfigtool.sh for OIM-OAM integration and getting a null pointer exception with the -configOAM option. Running the script from the OAM server. Here's my environment.
    OIM - 11gR2
    OAM - 11.1.1.5
    OVD - 11.1.1.6 front ending OUD
    OUD - 11gR2 (FMW identity store)
    Exception below from automation.log
    Feb 21, 2013 1:20:39 PM oracle.idm.automation.impl.oam.handlers.OAM11gIntegrationHandler configOAM11gIdStore
    SEVERE: Error while configuring webgate and domain
    java.lang.NullPointerException
    at oracle.idm.automation.impl.oam.handlers.OAM11gIntegrationHandler.configOAM11gIdStore(OAM11gIntegrationHandler.java:368)
    at oracle.idm.automation.impl.oam.handlers.OAM11gIntegrationHandler.execute(OAM11gIntegrationHandler.java:696)
    OVD structure:
    IDSTORE_USERSEARCHBASE: cn=users,dc=idm
    IDSTORE_SEARCHBASE: dc=idm
    IDSTORE_SYSTEMIDBASE: cn=systemids,dc=idm
    IDSTORE_GROUPSEARCHBASE: cn=groups,dc=idm
    I see err=32 in OVD logs when the script tries to search oamLDAP user. oamLDAP user exists under cn=systemids,dc=idm via OVD. But the script tries to build DN as cn=oamLDAP,cn=users,dc=idm and not referring to SYSTEMIDBASE.
    [2013-02-19T16:39:07.057-06:00] [octetstring] [TRACE] [OVD-00023] [com.octetstring.vde.backend.jndi.User_OUD.BackendJNDI] [tid: 36] [ecid: 0000Jnob4Ci1Vcs6wjZf6G1H7Hwp0001^T,0] [SRC_CLASS: com.octetstring.vde.util.VDELogger] [SRC_METHOD: debug] [#User_OUD] JNDI Adapter Search using:[[
    BindDN: cn=oamLDAP,cn=users,dc=idm
    Base: cn=oamLDAP,cn=users,dc=oud,dc=com
    javax.naming.NameNotFoundException: [LDAP: error code 32 - The search base entry 'cn=oamLDAP,cn=users,dc=oud,dc=com' does not exist];
    What am I doing wrong here? I can move oamLDAP under cn=users and I hope that should fix this issue, but I don't want to mix admin IDs and user IDs under one container. Please let me know.

    I opened a ticket with support and haven't made much progress on this yet. Does anyone have any thoughts on this?
    Thanks.

  • OAM-OIM 11g r2 integration is failing

    Hi,
    Following is my configuration,
    1. I have OIM 11g r2 and OAM 11gr2 installed on different weblogic domains.
    2. OIM synchronized with OUD LDAP
    3. I followed the steps described in http://docs.oracle.com/cd/E27559_01/integration.1112/e27123/oim.htm
    4. After the integration, I'm not able to login to the Oracle Access Manager console. Though my authentication is successful, I'm getting authorization error.
    As per the doc, the oamadmin user (member of the oamadministrator group) should be able to log in to the console. On the WebLogic console -> security realms screen, I can see oudauthenticator (authenticates against OUD LDAP) created by the idmconfig tool (the tool used for the integration). On the same screen, if I open the oamadmin user profile, I don't see any group membership information for this user. I also created an Administrator group in my LDAP and assigned oamadmin as a member, but in vain. My guess is, since the OAM server is not recognizing the user's role, it's giving an authorization error.
    The documentation mainly talks about using OID as LDAP between OIM and OAM, though it claims other LDAPs are also supported. If anyone has successfully integrated, what do you see in oamadmin user profile, especially in the group membership attribute. Any other ideas/workarounds are greatly appreciated.
    Thanks, Nishanth

    I successfully did this in my VMware and the oamadmin user has these there:
    [oracle@thiagoleoncioVM ~]$ ldapsearch -D cn=orcladmin -w **** -b "dc=leoncio,dc=thiago" -L -s sub -v orclmtuid=*oaamadmin* memberOf
    filter pattern: orclmtuid=*oaamadmin*
    returning: memberOf
    filter is: (orclmtuid=*oaamadmin*)
    dn: cn=oaamadmin,cn=Users,dc=leoncio,dc=thiago
    memberof: cn=oaamcsrgroup,cn=groups,dc=leoncio,dc=thiago
    memberof: cn=oaamcsrmanagergroup,cn=groups,dc=leoncio,dc=thiago
    memberof: cn=oaamenvadmingroup,cn=groups,dc=leoncio,dc=thiago
    memberof: cn=oaaminvestigationmanagergroup,cn=groups,dc=leoncio,dc=thiago
    memberof: cn=oaaminvestigatorgroup,cn=groups,dc=leoncio,dc=thiago
    memberof: cn=oaamruleadministratorgroup,cn=groups,dc=leoncio,dc=thiago
    memberof: cn=oaamsoapservicesgroup,cn=groups,dc=leoncio,dc=thiago
    1 matches
    I hope this information helps you with your issue; then you should be able to see what is missing there.
    Thiago Leoncio.

  • New OAM/OIM installation -

    Hi,
    I am trying to install OAM and OIM.
    I've completed the steps through creating the Oracle_IDM1 and the WebLogic domain. This WL domain has only an Adminserver.
    When I start WebLogic, I see this in the console output:
    <Apr 7, 2011 11:22:17 PM EDT> <Error> <oracle.oam.install> <OAM-69000> <OAM configuration failed.
    oracle.security.am.common.policy.admin.impl.PolicyValidationException: OAMSSA-06045: Validation Failure - an object of this type named "HTTP" already exists.
    Can anyone tell me why the above error is occurring?
    Also, after the WebLogic admin server starts, I can log into the WL Console (http://<host>:7001/console), and when I look under "Servers", I see:
    AdminServer RUNNING
    oam_server1 LocalMachine SHUTDOWN
    oim_server1 LocalMachine SHUTDOWN
    soa_server1 LocalMachine SHUTDOWN
    But, when I try to start oam_server1 (or oim_server1 or soa_server1), I get:
    For server oam_server1 the Node Manager associated with machine LocalMachine is not reachable.
    I'm somewhat familiar with WebLogic, but I set this up with just an Adminserver, so why is it trying to use a node manager? And, how do I resolve this problem?
    Thanks,
    Jim

    Hi,
    The oam_server1 is still failing to start. In the log, I see the following:
    ####<Apr 8, 2011 12:32:52 AM EDT> <Info> <Security> <30oamwls> <oam_server1> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1302237172945> <BEA-000000> <StoreServiceImpl.initJDO - StoreService is initialized with Id = ldap_rLS0kqaprQVMH1oFJXt/qA2moQw=>
    ####<Apr 8, 2011 12:32:53 AM EDT> <Info> <Security> <30oamwls> <oam_server1> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1302237173416> <BEA-090511> <The following exception has occurred:
    com.bea.common.engine.ServiceInitializationException: com.bea.common.engine.SecurityServiceRuntimeException: [Security:097533]SecurityProvider service class name for IDMDomainAgent is not specified.
         at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:365)
         at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:315)
         at com.bea.common.engine.internal.ServiceEngineImpl.lookupService(ServiceEngineImpl.java:257)
         at com.bea.common.engine.internal.ServicesImpl.getService(ServicesImpl.java:72)
         at weblogic.security.service.internal.WLSIdentityServiceImpl.initialize(WLSIdentityServiceImpl.java:47)
         at weblogic.security.service.CSSWLSDelegateImpl.initializeServiceEngine(CSSWLSDelegateImpl.java:300)
         at weblogic.security.service.CSSWLSDelegateImpl.initialize(CSSWLSDelegateImpl.java:222)
         at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.InitializeServiceEngine(CommonSecurityServiceManagerDelegateImpl.java:1784)
         at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initializeRealm(CommonSecurityServiceManagerDelegateImpl.java:445)
         at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.loadRealm(CommonSecurityServiceManagerDelegateImpl.java:840)
         at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initializeRealms(CommonSecurityServiceManagerDelegateImpl.java:870)
         at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1030)
         at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:881)
         at weblogic.security.SecurityService.start(SecurityService.java:142)
         at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
         at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
         at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
    Caused By: com.bea.common.engine.SecurityServiceRuntimeException: [Security:097533]SecurityProvider service class name for IDMDomainAgent is not specified.
         at com.bea.common.security.internal.legacy.service.SecurityProviderImpl.init(SecurityProviderImpl.java:47)
         at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:363)
         at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:315)
         at com.bea.common.engine.internal.ServiceEngineImpl.lookupService(ServiceEngineImpl.java:257)
         at com.bea.common.engine.internal.ServicesImpl.getService(ServicesImpl.java:72)
         at weblogic.security.service.internal.WLSIdentityServiceImpl.initialize(WLSIdentityServiceImpl.java:47)
         at weblogic.security.service.CSSWLSDelegateImpl.initializeServiceEngine(CSSWLSDelegateImpl.java:300)
         at weblogic.security.service.CSSWLSDelegateImpl.initialize(CSSWLSDelegateImpl.java:222)
         at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.InitializeServiceEngine(CommonSecurityServiceManagerDelegateImpl.java:1784)
         at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initializeRealm(CommonSecurityServiceManagerDelegateImpl.java:445)
         at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.loadRealm(CommonSecurityServiceManagerDelegateImpl.java:840)
         at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initializeRealms(CommonSecurityServiceManagerDelegateImpl.java:870)
         at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1030)
         at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:881)
         at weblogic.security.SecurityService.start(SecurityService.java:142)
         at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
         at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
         at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
    >
    ####<Apr 8, 2011 12:32:53 AM EDT> <Error> <Security> <30oamwls> <oam_server1> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1302237173426> <BEA-090870> <The realm "myrealm" failed to be loaded: weblogic.security.service.SecurityServiceException: com.bea.common.engine.ServiceInitializationException: com.bea.common.engine.SecurityServiceRuntimeException: [Security:097533]SecurityProvider service class name for IDMDomainAgent is not specified..
    weblogic.security.service.SecurityServiceException: com.bea.common.engine.ServiceInitializationException: com.bea.common.engine.SecurityServiceRuntimeException: [Security:097533]SecurityProvider service class name for IDMDomainAgent is not specified.
         at weblogic.security.service.CSSWLSDelegateImpl.initializeServiceEngine(CSSWLSDelegateImpl.java:342)
         at weblogic.security.service.CSSWLSDelegateImpl.initialize(CSSWLSDelegateImpl.java:221)
         at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.InitializeServiceEngine(CommonSecurityServiceManagerDelegateImpl.java:1783)
         at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initializeRealm(CommonSecurityServiceManagerDelegateImpl.java:442)
         at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.loadRealm(CommonSecurityServiceManagerDelegateImpl.java:840)
         at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initializeRealms(CommonSecurityServiceManagerDelegateImpl.java:869)
         at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1030)
         at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:881)
         at weblogic.security.SecurityService.start(SecurityService.java:142)
         at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
         at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
         at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
    Caused By: com.bea.common.engine.ServiceInitializationException: com.bea.common.engine.SecurityServiceRuntimeException: [Security:097533]SecurityProvider service class name for IDMDomainAgent is not specified.
         at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:365)
         at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:315)
         at com.bea.common.engine.internal.ServiceEngineImpl.lookupService(ServiceEngineImpl.java:257)
         at com.bea.common.engine.internal.ServicesImpl.getService(ServicesImpl.java:72)
         at weblogic.security.service.internal.WLSIdentityServiceImpl.initialize(WLSIdentityServiceImpl.java:47)
         at weblogic.security.service.CSSWLSDelegateImpl.initializeServiceEngine(CSSWLSDelegateImpl.java:300)
         at weblogic.security.service.CSSWLSDelegateImpl.initialize(CSSWLSDelegateImpl.java:222)
         at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.InitializeServiceEngine(CommonSecurityServiceManagerDelegateImpl.java:1784)
         at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initializeRealm(CommonSecurityServiceManagerDelegateImpl.java:445)
         at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.loadRealm(CommonSecurityServiceManagerDelegateImpl.java:840)
         at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initializeRealms(CommonSecurityServiceManagerDelegateImpl.java:870)
         at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1030)
         at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:881)
         at weblogic.security.SecurityService.start(SecurityService.java:142)
         at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
         at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
         at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
    Caused By: com.bea.common.engine.SecurityServiceRuntimeException: [Security:097533]SecurityProvider service class name for IDMDomainAgent is not specified.
         at com.bea.common.security.internal.legacy.service.SecurityProviderImpl.init(SecurityProviderImpl.java:47)
         at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:363)
         at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:315)
         at com.bea.common.engine.internal.ServiceEngineImpl.lookupService(ServiceEngineImpl.java:257)
         at com.bea.common.engine.internal.ServicesImpl.getService(ServicesImpl.java:72)
         at weblogic.security.service.internal.WLSIdentityServiceImpl.initialize(WLSIdentityServiceImpl.java:47)
         at weblogic.security.service.CSSWLSDelegateImpl.initializeServiceEngine(CSSWLSDelegateImpl.java:300)
         at weblogic.security.service.CSSWLSDelegateImpl.initialize(CSSWLSDelegateImpl.java:222)
         at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.InitializeServiceEngine(CommonSecurityServiceManagerDelegateImpl.java:1784)
         at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initializeRealm(CommonSecurityServiceManagerDelegateImpl.java:445)
         at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.loadRealm(CommonSecurityServiceManagerDelegateImpl.java:840)
         at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initializeRealms(CommonSecurityServiceManagerDelegateImpl.java:870)
         at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1030)
         at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:881)
         at weblogic.security.SecurityService.start(SecurityService.java:142)
         at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
         at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
         at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
    >
    ####<Apr 8, 2011 12:32:53 AM EDT> <Notice> <Security> <30oamwls> <oam_server1> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1302237173426> <BEA-090082> <Security initializing using security realm myrealm.>
    ####<Apr 8, 2011 12:32:53 AM EDT> <Critical> <WebLogicServer> <30oamwls> <oam_server1> <Main Thread> <<WLS Kernel>> <> <> <1302237173536> <BEA-000362> <Server failed. Reason:
    There are 1 nested errors:
    weblogic.security.service.SecurityServiceRuntimeException: [Security:090399]Security Services Unavailable
         at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.doBootAuthorization(CommonSecurityServiceManagerDelegateImpl.java:916)
         at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1050)
         at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:875)
         at weblogic.security.SecurityService.start(SecurityService.java:141)
         at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
         at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
         at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
    >
    ####<Apr 8, 2011 12:32:56 AM EDT> <Notice> <WebLogicServer> <30oamwls> <oam_server1> <Main Thread> <<WLS Kernel>> <> <> <1302237176310> <BEA-000365> <Server state changed to FAILED>
    ####<Apr 8, 2011 12:32:56 AM EDT> <Error> <WebLogicServer> <30oamwls> <oam_server1> <Main Thread> <<WLS Kernel>> <> <> <1302237176310> <BEA-000383> <A critical service failed. The server will shut itself down>
    ####<Apr 8, 2011 12:32:56 AM EDT> <Notice> <WebLogicServer> <30oamwls> <oam_server1> <Main Thread> <<WLS Kernel>> <> <> <1302237176650> <BEA-000365> <Server state changed to FORCE_SHUTTING_DOWN>
    ####<Apr 8, 2011 12:32:56 AM EDT> <Info> <WebLogicServer> <30oamwls> <oam_server1> <Main Thread> <<WLS Kernel>> <> <> <1302237176721> <BEA-000236> <Stopping execute threads.>
    I found this:
    http://smm-tech-tips.blogspot.com/2011/03/securityprovider-service-class-name-for.html
    but is this (deleting the IDMDomainAgent provider) the correct way to resolve this?
    Jim

  • Purge OAM/OIM 11.1.1.3 Audit Schema Data

    All,
    Does anyone know how to archive/purge audit data in OAM (IAU_BASE etc tables) and OIM (UPA etc tables).
    thanks in advance,

    Any suggestion for the iau_xxx tables? I can develop similar custom scripts for the iau_base, oam, oidcomponent and ovdcomponent tables; does this work?
    Prasad.

  • OAM / OIM - Conceptual question

    Hi all,
    I'm trying to understand the overlap between OAM and OIM in terms of identity management. I'm going through the OAM manuals and it talks about OAM's Identity System in a way that very closely resembles a lot of what OIM does, ie. user management, groups, delegated admin, self admin, etc...
    I'm trying to understand how these two fit together. I know OIM does a lot more in terms of provisioning to other resources... is OAM considered a resources that OIM provisions to? If you have OIM and OAM, it seems that there's now 2 repositories of user data....
    Can someone explain (or point me to a doc that does) the relationship(s) between OIM and OAM, how they fit together, which drives the other, etc...?
    Thanks very much
    Alex

    OAM's Identity System is a web-based self-service tool for users to edit the information in their identity records. The Forgot Password Service will help the users to reset their passwords. Oracle Access Manager's main functionality is the Single Sign On feature and to offer AU and AZ services. Also, OAM's Identity System helps you to create/manage/delegate LDAP Dynamic Groups and Organizations. Remember, OAM will not be able to provision users with LDAP Accounts. You need to create LDAP Accounts and then you can manage the users via OAM Identity System. You can also create users from OAM Identity System, but no one creates users from OAM Identity System in a corporate environment. OAM Identity System is designed to provision the Access Administrators with the capability of creating/managing/delegating the tasks of Dynamic LDAP Groups, which are in turn used in AZ rules for Access Policies. AFAIK, creating users and organizations from OAM Identity System is not recommended. My recommendation for using the OAM Identity System is to limit the usage to LDAP Dynamic Group Creation. As an Access Administrator it will be very convincing to create the groups without contacting the LDAP Teams.
    On the other hand, OIM can synchronize with Corporate HR systems/AD/LDAP and other authoritative identity sources and pull the records to OIM. Based on the business roles, OIM can automatically provision the users with all required resources with appropriate access rights. OIM also offers Forgot Password and Password Reset services which are recommended for usage in a corporate environment. Also I don't think you can create LDAP Dynamic Groups and Organizations in an authoritative LDAP via OIM.
    Coming to the integration part, OAM can protect OIM and offer Single Sign On to OIM Services. OIM can provision users to OAM, but not straightforwardly, as there is no connector provided for OAM OOTB. If you have both OIM and OAM you still have a single identity (user) store. Both OAM and OIM will talk to the single user store for synchronization. For OIM, you will have a user account in the OIM System apart from the user directory, but for OAM you will use the account from the user directory to access Identity and Access Services.

  • Relationship between OAM,OIM,OID

    Hi Gurus,
    I am very, very new to Fusion Middleware; I would like to know the relationship between the following in simple terms.
    Oracle Access Manager
    Oracle Identity Manager
    Oracle Internet Directory
    Below is my understanding; correct me if I'm wrong.
    OID is like LDAP where passwords and security policies will be saved.
    Redirecting to a similar question or post is also fine.
    Thanks in advance...

    OIM and OAM may use OID to write/retrieve user details from OID.
    Lets say a user joined an organization. Now as per onboarding process, you reconcile user from trusted source to OIM and sync that user to OID using LDAP sync. Now when you try to access an application which is protected by OAM, the authentication and authorization of that user happens against OID if it is configured as user identity store.

  • Can we use OID 11gR1 with the OAM/OIM 11gR2

    Hi,
    I am installing the IdM 11gR2. As OID does not come with this pack, can we use/install the OID which comes with the IdM 11gR1?
    Or is there any other option like OUD?
    Can we integrate the OUD 11gR2 with the OIM/OAM 11gR2 to manage the users/groups? If yes, please share some document for it.
    Please suggest the best option as we are learning OIM/OIM 11gR2.
    Thanks
    Harry
    Edited by: Harry-Harry on Jan 28, 2013 12:59 AM
    Edited by: Harry-Harry on Jan 28, 2013 1:10 AM

    The latest OID in 11gR1 is 11.1.1.6
    It will support integration with 11gR2 OIM and OAM. Kishore already sent the certification matrix link.
    I am currently using OID 11.1.1.6 in the above configuration and it works fine. Any other questions, feel free to post them.

  • Wallet and Cert location with OHS in front of B2B

    Hi,
    I am trying to figure out how many and what types of Certs are needed as well as where the wallet should reside in the following scenario. We have a stand alone OHS in a public DMZ which is forwarding our inbound trading partner messages to the MidTier server which contains B2B. We have also configured B2B to use the public DMZ OHS as a proxy when sending outbound messages to the trading partners. The RosettaNet PIPs that we will be implementing require signing (non-repudiation), encryption and SSL.
    I assume that SSL must be enabled on the public DMZ OHS, but does it have to be enabled on the MidTier server as well? I believe that if we had to enable it on both servers, then different certs would be required for the different servers, but I am not sure.
    Also, we have to configure the outbound messages from our B2B with all of this (signing, encryption and SSL). Does this require a cert and wallet on the B2B server or on the OHS or both? I know that when configuring the trading partner within B2B, the cert must be accessed, but I am completely confused on if this is the cert that we use on OHS or something different.
    Thanks so much for any help you can provide!
    Darrin

    Hi Darrin,
    Certificates will be used at both OHS and Midtier. At OHS you are receiving incoming traffic so your server certificate should be there (in PKCS 12 format). From midtier, you are sending messages to your TP's (your Outbound), so your client certificate should be at Midtier at following location-
    Oracle_Home/Apache/Apache/conf/ssl.wlt/default
    At above location three files should be there-
    1. cwallet.sso
    2. ewallet.p12 (Your Client cert with all trading partners server cert public key in base 64 format including CA's cert as well)
    3. ewallet.txt (export of whole ewallet.p12 in ".txt" format)
    Give the path of ewallet.txt in your tip.properties file.
    SSL would be enabled at both midtier and OHS, but if OHS is sending messages to midtier on the HTTP port then do not enable transport security in your host TP's delivery channel.
    You have to upload the certificates which will be used for signing and encryption at the respective TP's delivery channel.
    Wallets are used for client and server authentication and for signing and encryption in outbound, whereas certs uploaded at the TP's delivery channel are used for decrypting the incoming message as well as verifying the TP's signature in the message.
    Regards,
    Anuj
    Edited by: Anuj Dwivedi on Feb 11, 2009 12:28 PM

  • OAM/OIM 11.1.1.3 audit question

    All,
    We are collecting login information in the IAU_BASE table. Most of the time IAU_INITIATOR value is null. Does anyone have an idea why this is the case? Is there a setup that we are missing in OAM configuration?
    thanks in advance,
    Prasad.

    Hi - did you ever get an answer to this question or figure this out?

  • Using ohs as a front end to weblogic

    I had a lot of trouble trying to enable ssl in weblogic (10.3.4 windows 64 bits). So I was thinking of just using ohs as a front end. I need the traffic between the forms and reports clients and the web service to be encrypted. Between the webservice and weblogic and database it can be in the clear. I already got ohs to do ssl for application express. It was nowhere near as hard to deal with as weblogic (10.3.4). I don't seem to be able to think like weblogic :-(
    However I need some good and correct instructions on how to do this. Anyone got any?
    This is one of those things where the more you look the more confused you get.
    (BTW this seems to be saying you can't use ohs in front of em or console.)
    for example:
    Doc ID 1268723.1
    Following this note will result in the following architecture:
    Browser --> https --> OHS --> https --> WebLogic Server
    There are three steps needed to configure mod_wl_ohs in this setup:
    Step I: Configure OHS for SSL
    Step II: Configure Weblogic for SSL
    Step III: Configure mod_wl_ohs
    Now that is very complex and one has to face both the wallet and the keystore and more.
    whereas another doc
    Doc ID 1240977.1
    advocates only enabling ssl in ohs and not in weblogic. Well which is it? Does ssl have to be in weblogic?
    If it does I could picture not involving ohs and that apparently crash prone module.

    Well I wanted to close this out by saying that I never found out definitively how to put ohs in front of weblogic (10.3.4). I'm not sure it's that great of an idea considering some reports of problems with mod_wl_ohs in support, but anyway I did get ssl working in weblogic. Basically I followed 1109753.1. This is the very simple way where you just configure ssl for wls_forms and wls_reports in weblogic with no involvement of any apache modules or rewriting or proxying or anything like that.
    I did convert the oracle wallet (cwallet.sso) that I was using for ohs to .jks using the orapki pks12_to_jks command. That had in fact the server cert and two associated trust certs from the cert vendor. Some instructions make it sound like you have to "separate identity and trust" but I didn't and it does work.
    Configuration of WLS_FORMS or WLS_REPORTS for ssl is like this:
    in weblogic administration http://myserver:7001/console :
    (environment,servers, WLS_FORMS)
    _________keystores tab _________________
    keystores: custom identity and java standard trust
    custom identity keystore: d:\somewhere\mykeystore.jks
    custom identity keystore type JKS
    custom identity keystore passphrase keystorepasswd
    Java Standard Trust Keystore: C:\PROGRA~1\Java\JDK16~1.0_2\jre\lib\security\cacerts
    Java Standard Trust Keystore Type: jks
    <no passwords entered for java standard trust although the password is known to be changeit>
    ___________SSL tab_____________
    Identity and Trust Locations: Keystores
    Private Key Location: from Custom Identity Keystore
    Private Key Alias: <for key. You can list this with a utility if you forgot>
    Private Key Passphrase: <private key password>
    Certificate Location: from Custom Identity Keystore
    Trusted Certificate Authorities: from Java Standard Trust Keystore
    plus in Configuration Tab:
    ssl listen port enabled specify port you want
    I am guessing that since the forms and reports ports are different by default, the ssl ports should be different also?
    after that I actually think you have to stop and then start the service instead of just restart ssl.
    Anyway then try whatever your forms or reports url was but using the new port and using https:
    eg. https://my.domain.name:7002/forms/frmservlet
    If that doesn't work then look for the log which is something like:
    c:\<middlewarehome>/user_projects/domains/mydomain/servers/WLS_FORMS/logs look for it there.

  • Can't login to OIM 11g Design Console after integrate with OAM 11g

    Dear All,
    After successfully integrating oim 11g with oam 11g, we cannot access the design console of oim 11g anymore (access denied).
    Is it caused by oam protection?
    Or do we have to do additional configuration?
    Please help...
    Thank you,
    -heri-

    962874 wrote:
    Hi All,
    I have installed and configured OAM, OIM, SOA under a weblogic domain. After configuring OAM on the weblogic domain (by extending it)
    I am getting the following error while logging in to the oim console and design console.
    <Jan 17, 2013 4:26:09 AM EST> <Warning> <Socket> <BEA-000449> <Closing socket as no data read from it on 172.16.30.107:57,579 during the configured idle timeout of 5 secs>
    <Jan 17, 2013 4:26:10 AM EST> <Error> <Default> <BEA-000000> <Failed to communicate with any of configured Access Server, ensure that it is up and running.>

    Is the port 57,579 correct? Port numbers cannot have a comma in them. Also try to telnet to that host and port from your machine to check that there is no network issue.
    Regards,
    Nani-Bikash
    Edited by: 932574 on Jan 17, 2013 10:40 AM

  • OIM Device Logging During Sign On

    We are implementing OIAM Suite Plus 11g R2. We have a requirement to record the users device IP Address when they log in to our system. After reviewing some of the Oracle documentation, I have not been able to find if this is possible as well as how to implement. We are trying to avoid performing customization that will would require continued support as new OIAM release are made available. Our goal is to utilize as much Oracle delivered functionality as possible without performing development. Can someone please point me to the correct documentation or let me know if this is possible.

    There is an access.log file for OIM (as well as for other products such as OAM). This log file has entries similar to Apache / OHS's access.log file. This file would record the client IP address.
    Location of log file: <Domain_Home>/servers/<server_name>/log
    If you have a load balancer / proxy server (apache / ohs) in front of the OIAM suite, then you would have to set either WL-Proxy-Client-IP http header to pass the client IP address to weblogic / OIAM suite.
    You can refer to this link
    How to Enable/collect End User Client IP Address in Weblogic with Loadbalancer/w | dBuggr
    hope this helps
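    The answer above points at the access.log and at a proxy header for recovering the end-user address when OHS or a load balancer sits in front of OIM. The snippet below is an added example, not code from the thread or from Oracle: it parses combined-format access-log lines (the format the answer says the OIM access.log resembles) and recovers the client address the way a reviewer of login records would want it, taking the WL-Proxy-Client-IP value only when the TCP peer is one of our own proxies, and falling back to the socket address otherwise, since a client that reaches the server directly can put anything in that header. The extra quoted field at the end of each line, the sample lines, and the proxy ranges are all constructed for the example.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample, modelled on the Apache/OHS combined log format, with one
# extra quoted field holding the WL-Proxy-Client-IP request header (an assumed
# custom LogFormat, not a default). Addresses are documentation ranges.
SAMPLE_LOG = """\
10.0.0.5 - jdoe [17/Jan/2013:04:26:09 -0500] "GET /identity/faces/home HTTP/1.1" 200 5123 "-" "Mozilla/5.0" "203.0.113.42"
10.0.0.5 - - [17/Jan/2013:04:26:10 -0500] "POST /oam/server/auth_cred_submit HTTP/1.1" 302 0 "-" "Mozilla/5.0" "203.0.113.42"
198.51.100.7 - - [17/Jan/2013:04:27:00 -0500] "GET /identity/faces/home HTTP/1.1" 401 0 "-" "curl/7.29" "10.0.0.1"
"""

# Combined log format plus an optional trailing quoted proxy-header field.
LINE_RE = re.compile(
    r'^(?P<remote>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
    r'(?: "(?P<proxy_client_ip>[^"]*)")?$'
)


def parse_line(line):
    """Parse one access-log line into a dict; '-' or empty fields become None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("user", "referer", "proxy_client_ip"):
        if rec[key] in ("-", "", None):
            rec[key] = None
    rec["status"] = int(rec["status"])
    return rec


def parse_log(text):
    """Parse every well-formed line, silently skipping lines that do not match."""
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def effective_client_ip(rec, trusted_proxies):
    """Return the end-user address for a record.

    The proxy header is honoured only when the socket peer is one of our own
    proxies (OHS / load balancer ranges); for any other peer the header is
    attacker-controlled and the socket address is the only trustworthy value.
    """
    remote = rec["remote"]
    header = rec["proxy_client_ip"]
    if header:
        try:
            peer = ip_address(remote)
        except ValueError:
            return remote
        if any(peer in ip_network(net) for net in trusted_proxies):
            # The header may carry a comma-separated chain; the leftmost
            # entry is the originating client.
            candidate = header.split(",")[0].strip()
            try:
                ip_address(candidate)
                return candidate
            except ValueError:
                pass
    return remote


def login_events(text, trusted_proxies):
    """Summarise each request as (user, client_ip, path, status)."""
    return [
        (r["user"], effective_client_ip(r, trusted_proxies), r["path"], r["status"])
        for r in parse_log(text)
    ]


if __name__ == "__main__":
    # 10.0.0.0/8 stands in for the OHS/load-balancer tier (constructed).
    for event in login_events(SAMPLE_LOG, ["10.0.0.0/8"]):
        print(event)
```

    Run as a script, the first two lines resolve to 203.0.113.42 because they arrived via the trusted proxy, while the third keeps 198.51.100.7: its header claims an internal address but the request did not come through the proxy tier, so the claim is discarded.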
