OIM 11g - Kerberos Authentication disable
Hi Experts,
We have OIM 11g set up with Kerberos SSO authentication enabled for OIM. We want this to be disabled. Can anyone help with where and how I can do this?
Thanks and Regards
Naveen
Edited by: user4537635 on May 16, 2013 5:52 AM
Similar Messages
-
OIM 11g - RSA Authentication Connector
Hello,
I need some information about RSA Authentication Manager connector.
We use RSA for VPN access authentication and we would like to integrate it into OIM.
I need to understand the capabilities of this connector such as provisioning and deprovisioning tokens and how to automate the distribution of soft tokens.
Can anyone help me ? Any docs or relevant links would help as well.
Thanks,
Bala
Download the connector doc from the location below (RSA Authentication Manager):
http://docs.oracle.com/cd/E11223_01/index.htm
Else try to download the connector, extract it and open the connector doc (RSA Authentication Manager 9.1.0.7.0):
http://www.oracle.com/technetwork/middleware/id-mgmt/downloads/connectors-101674.html -
I have set up SharePoint 2013 Foundation, SharePoint Reporting Services and SQL Server 2012 in a single server. I then created a Data Connection to Oracle 11g. Upon testing the connection, it throws the error “ORA-12638: Credential retrieval failed”.
Given below are the steps of installation and configuration.
Installation till basic authentication:
The installation has been done on a single server.
1. Installed SQL Server 2012 (Developer version). Selected only the following features:
- Database Engine Services
- Analysis Services
- Reporting Services – SharePoint
- Reporting Services Add-in for SharePoint Products
- Management Tools – Basic
- Management Tools – Complete
2. Installed SQL Server 2012 SP1.
3. Installed SQL Server 2012 SP2.
4. Installed SharePoint Foundation 2013.
5. Created web application (without Kerberos; we did not even create the SPNs).
The application pool has been configured to use the Reporting Services account since it is a single server installation. This account has been registered as a managed account.
6. Created Site Collection.
7. Verified that Reporting Services is not installed.
8. Installed SharePoint Reporting Services from SharePoint 2013 Management Shell.
9. Verified that Reporting Services is installed.
10. Created a new SQL Server Reporting Services Service Application and associated the Web Application to the new SQL server Reporting Services Service Application.
11. Verified that SQL Server Reporting Services Service Application and its proxy have started. Reset IIS.
12. Created a Site.
13. Created a Data Connection library with “Report Data Source” content type.
14. Created a Report Model library with “Report Builder Model” content type.
15. Created a Report library with “Report Builder Report” content type.
16. Uploaded an SMDL to the Report Model library.
17. Added the top level site to Local Intranet instead of as a Trusted Site in the browser settings.
18. Able to create and save a report using Report Builder.
Hence, basic authentication is working and SSRS is able to connect to Oracle database.
Next we have to configure Kerberos settings between SharePoint and SQL Server.
Implementation of Kerberos authentication
1. In the Report Server machine, opened the file C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\WebServices\Reporting\rsreportserver.config and added the Authentication Types of RSWindowsNegotiate and RSWindowsKerberos.
2. Set up the following SPNs.
a) SQL Server Database Engine service (sqlDbSrv2):
setspn -S MSSQLSvc/CER1110:1433 CERDEMO\sqlDbSrv2
setspn -S MSSQLSvc/CER1110.cer.demo.com:1433 CERDEMO\sqlDbSrv2
In the Delegation tab of the account, selected "Trust this user for delegation to any service (Kerberos only)".
b) Account: SharePoint Setup Admin account (spAdmin2)
setspn -S HTTP/CER1110:9999 CERDEMO\spAdmin2
setspn -S HTTP/CER1110.cer.demo.com:9999 CERDEMO\spAdmin2
In the Delegation tab of the account, selected "Trust this user for delegation to any service (Kerberos only)".
c) Account: SQL Server Reporting Service account (sqlRepSrv2)
setspn -S HTTP/CER1110 CERDEMO\sqlRepSrv2
setspn -S HTTP/CER1110.cer.demo.com CERDEMO\sqlRepSrv2
In the Delegation tab of the account, selected "Trust this user for delegation to any service (Kerberos only)".
3. Configure the Web Application to use “Negotiate (Kerberos)”.
4. Logged in as SharePoint Administrator to the SharePoint server and opened the top level site in the IE browser.
The Event Viewer logged the login process for the SharePoint Administration account as Negotiate and not Kerberos.
5. Implemented Kerberos for Oracle database and client.
Able to connect to the Oracle database via Kerberos authentication using SQL Plus.
6. Turn on Windows Firewall.
7. While testing the site's data connection using Kerberos settings, got the error
“Can not convert claims identity to windows token. This may be due to user not logging in using windows credentials.”
Note: The Data Connection for basic authentication still worked.
8. Created a Claims to Windows Token Service account (spC2WTS2).
9. Started the Claims to Windows Token Service.
10. Registered the Claims to Windows Token Service account as a Managed Account.
11. Changed the Claims To Windows Token Service to use the above managed account.
12. Verified that the Claims to Windows Token Service account (spC2WTS2) is automatically added to the WSS_WPG local group on the SharePoint box.
Note: The Reporting Services service account is also a part of the WSS_WPG local group.
13. Added the Claims to Windows Token Service account (spC2WTS2) to the Local Admin Group on the machine having the SharePoint App Server.
14. In the SharePoint box, added the Claims to Windows Token Service account (spC2WTS2) in the Act as part of the operating system policy right.
15. The Claims to Windows Token Service account (spC2WTS2) has the WSS_WPG group configured.
When the C2WTS service was configured to use the managed Claims to Windows Token Service account (spC2WTS2) earlier, the spC2WTS2 account was automatically added to the WSS_WPG local group on the SharePoint box. The WSS_WPG group in turn is configured in the c2wtshost.exe.config file.
16. Verified that the Reporting Services account is a managed account and part of the WSS_WPG group.
17. Earlier Service Application Pool - SQL Server Reporting Services App Pool service was associated with the SharePoint Admin account.
Changed this to associate the Reporting Service account with the Service Application Pool - SQL Server Reporting Services App Pool service.
18. Changed the delegation of the Reporting Service account to constrained delegation with Protocol Transitioning. This is because we are transitioning from one authentication scheme (Claims) to another (Windows Token).
For this, the delegation has been changed to "Trust this user for delegation to specified services only". Also, selected the sub radio button "Use any authentication protocol". Selected the Oracle Kerberos service as the service to which this account can present delegated credentials.
Note: The Reporting Service account already had an HTTP SPN.
19. Next, the goal was to make the Claims To Windows Token Service account match the Reporting Service account.
For this, we created a fake SPN for the Claims To Windows Token Service account since the delegation tab was missing.
The delegation has been changed to "Trust this user for delegation to specified services only". Also, selected the sub radio button "Use any authentication protocol". Selected the Oracle Kerberos service as the service to which this account can present delegated credentials.
20. Restarted the SharePoint server.
21. Tested the data connection with the Kerberos settings again.
Got the error
“ORA-12638: Credential retrieval failed”.
Can anyone tell me what is wrong with this setup?
http://www.freeoraclehelp.com/2011/10/kerberos-authentication-for-oracle.html
Problem 4: ORA-12638: Credential retrieval failed
Solution: Make sure that SQLNET.KERBEROS5_CC_NAME is set in sqlnet.ora and okinit has been run before attempting to connect to the database.
Do check
http://webcache.googleusercontent.com/search?q=cache:5a2Pf3FH7vkJ:externaltable.blogspot.com/2012/06/kerberos-authentication-and-proxy-users.html+&cd=5&hl=en&ct=clnk&gl=in
If this helped you resolve your issue, please mark it Answered. You can reach me through http://itfreesupport.com/ -
Disable Notification template in oim 11g
In OIM 11g there are a set of notifications under system management(advanced tab in admin console). How do you disable an email notification without deleting the email template?
Thanks.
http://docs.oracle.com/cd/E21764_01/doc.1111/e14308/system_props.htm#BACGIDCH
Property: Recon.SEND_NOTIFICATION
Re: [OIM 11g] OOTB Email Notification
-Bikash -
OIM-AD connector Issues in OIM 11g
Hi
We are trying to provision user from OIM 11G to AD using Administration Tab of Admin Console.
As part of the AD IT Resource configuration, the following fields are included. In the Enterprise Manager OIM server log, we are getting the error message below.
Error Message In Enterprise manager OIM server log -
Module OIMCP.ADCS
Thread ID [ACTIVE].ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'
Message com.thortech.xl.integration.ActiveDirectory.tcUtilADTasks : createUser : Wrong Value Specified in Root Context of IT ResourceOr Organization DN_
However, in Admin console Selfservice-->Task-->Provisioning -->Shows error as
Response:Connection Error encountered
Response Description: Error encountered while connecting to target system
We have successfully tested the connection using the Diagnostic Dashboard (XIMDD) and an LDAP browser.
IT Resource Details-
Parameter Value
AD Sync installed (yes/no) no
ADAM LockoutThreshold Value 5
ADDisableAttr Lookup Definition Lookup.ADProvisioning.DisableAttrLookup
ADGroup LookUp Definition Lookup.ADReconciliation.GroupLookup
Abandoned connection timeout 600
Admin FQDN cn=administrator,cn=Users,dc=example,dc=com
Admin Login administrator
Admin Password ********
Allow Password Provisioning yes
AtMap ADGroup AtMap.ADGroup
AtMap ADUser AtMap.AD
AtMap Group AtMap.ADGroup
Atmap ADOrg AtMap.ADOrg
Backup Server URL [NONE]
Connection pooling supported false
Connection wait timeout 100
Custom Attribute Name
CustomizedReconQuery
Inactive connection timeout 600
Initial pool size 1
Invert Display Name no
LDAP Connection Timeout 30000
Last Modified Time Stamp 0
Last Modified Time Stamp Group 0
Max pool size 30
Min pool size 2
Native connection pool class definition
OIM User UDF
Pool excluded fields
Pool preference Default
Port Number 389
Remote Manager Prov Lookup AtMap.AD.RemoteScriptlookUp
Remote Manager Prov Script Path
ResourceConnection class definition com.thortech.xl.integration.ActiveDirectory.ADResourceConnectionImpl
Root Context dc=example,dc=com
SSL Port Number 636
Server Address WIN-PEUB23TMMT4.example.com
Target Locale: Country US
Target Locale: Language en
Target Locale: TimeZone GMT
Target supports only one connection false
Timeout check interval 100
UPN Domain example.com
Use Disable Attr false
Use SSL false
Validate connection on borrow true
isADAM no
isUserDeleteLeafNode no
For Organization we have selected ou=Test,dc=example,dc=com in our lookup definition.
Please suggest....
Thanks
It's not Key, it's the Scheduled Task attribute "IT Resource Name".
Documentation: http://download.oracle.com/docs/cd/E11223_01/doc.910/e11197/using_conn.htm#CHDFBAAC
Here is the documentation on the lookup format: http://download.oracle.com/docs/cd/E11223_01/doc.910/e11197/intro.htm#CHDHCCJD
-Kevin -
How to generate Email in OIM 11g R1 during reconciliation
I want to generate Email id of user based on his first name and last name while creation of user.
I am using OIM 11g R1 .
Can anyone please help me on this.
1. Log in to the Design Console and open your GTC provisioning process definition, then add a new task called "Notify Email".
2. Check Required for Completion, Allow Cancel and optionally Disable Manual Insert.
3. In the Integration tab, add tcCompleteTask
4. In the assignment tab, add an entry with the Default rule, target type of User, and for the User field pick an existing user with a valid email address in their User Profile.
5. In the Notification tab add an entry and check Assignee, (You can select User, Manager etc ) have the Status field set to C and for the Email field pick a Provisioning type of Notification Template that you have already created.
N.B.: Make sure the IT Resource and email configuration are set up properly, otherwise you will not get the mail.
Thanks
Tamim Khan -
OIM 11g Login Screen not showing up
Hi,
I installed OIM 11g and was able to log in successfully. A couple of days back, my database had some problem; I solved it and restarted my OIM. The OIM server is starting up, but when I try to access the admin console it just says "Loading" and the login screen is not displayed.
In the server log,I could see the following error during the server stop
"javax.security.auth.login.LoginException: javax.security.auth.login.LoginException: java.lang.SecurityException: [Security:090304]Authentication Failed: User xelsysadm javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User xelsysadm denied
at weblogic.security.auth.login.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:199)"
and the following error when accessing the admin console.
" [HTTP][java.lang.NoClassDefFoundError]] [dcid: 11d1def534ea1be0:41b34a55:12b9b675a66:-7ffd-0000000000000026] incident 20 created with problem key "BEA-101017 [HTTP][java.lang.NoClassDefFoundError]"
Any idea what might be going wrong?
Thanks,
What did you solve??? That's where your solution lies. xelsysadm is being denied access, so it could be something on the password front. If you have the DB backup, revert to an older state and it would be fine.
-
SOAP API integration problem with OIM 11g R1
Hi,
We're facing a problem when we are attempting to provision for a third party Web Service application in OIM 11g R1.
During development and test running in an IDE environment, JDeveloper, the soap wsdl requests are triggered and a response is received successfully. However, when we shift the work and integrate it with OIM using design console, there seems to be an error indicating an invalid wsdl location. We have used the super class Exception, in try-catch block for handling of the exceptions. Please see the log message.
Xl Home Dir :/oracle/Middleware/Oracle_IDM1/server
Running CREATEUSERTASK
Target Class = org.identityconnectors.Provisioning.QuickShareUserProvisioning
URL : XXXXX
User ID : XXXX
Password : XXXX
ERROR: Invalid wsdl location robi/XXXX_saved_wsdl.wsdl
When we simply run the jar file from the command line, it gives us, java.lang.NoClassDefFoundError: javax/xml/rpc/Service
[oracle@idmlab JavaTasks]$ java -jar archive1.jar
URL : XXXXX
User ID : XXXX
Password : XXXX
Exception in thread "main" java.lang.NoClassDefFoundError: javax/xml/rpc/Service
at java.lang.ClassLoader.defineClass1(Native Method)
at java.lang.ClassLoader.defineClassCond(ClassLoader.java:631)
at java.lang.ClassLoader.defineClass(ClassLoader.java:615)
at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:141)
at java.net.URLClassLoader.defineClass(URLClassLoader.java:283)
at java.net.URLClassLoader.access$000(URLClassLoader.java:58)
at java.net.URLClassLoader$1.run(URLClassLoader.java:197)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(URLClassLoader.java:190)
at java.lang.ClassLoader.loadClass(ClassLoader.java:306)
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:301)
at java.lang.ClassLoader.loadClass(ClassLoader.java:247)
at org.identityconnectors.Provisioning.QuickShareUserProvisioning.createUser(QuickShareUserProvisioning.java:41)
at org.identityconnectors.Provisioning.QuickShareUserProvisioning.main(QuickShareUserProvisioning.java:215)
Caused by: java.lang.ClassNotFoundException: javax.xml.rpc.Service
at java.net.URLClassLoader$1.run(URLClassLoader.java:202)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(URLClassLoader.java:190)
at java.lang.ClassLoader.loadClass(ClassLoader.java:306)
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:301)
at java.lang.ClassLoader.loadClass(ClassLoader.java:247)
... 14 more
Any help or suggestion, appreciated!
Thanks
Tamim Khan
Hi Kevin,
Thanks a lot for the response. But, when I deployed the composite SAR into the server from JDeveloper, I checked the option to "Overwrite any existing composite with same revision ID". So, I used the same revision ID (say 1.0); will this also need to be disabled?
Thanks,
Srini -
I have two forests with a transitive one-way trust between them: PROD -> TEST (TEST trusts PROD). I had previously had Kerberos authentication working with WinRM from PROD to machines in TEST. I have verified the trust is healthy, and I also verified users in TEST can use WinRM with Kerberos just fine. Users from PROD cannot connect via Kerberos to machines in TEST with WinRM.
I have verified the service has registered the appropriate SPNs. I ran dcdiag against all my PROD and TEST domain controllers and didn't find anything that would prevent Kerberos from happening. I even tried disabling the firewall entirely on my TEST DCs, but that didn't gain me anything.
I've enabled kerberos logging but only see the expected errors such as it couldn't find a PROD SPN for the machine, which it shouldn't from what I understand, it should go to the TEST domain and find the SPN from there.
I'm really out of next steps before I call PSS and hope someone here has run into this and could provide me some next steps.
PowerShell Error:
Connecting to remote server failed with the following error message : WinRM cannot process the request. The following error occured while using Kerberos authentication: The network path was not found.
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port does not exist.
-The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
-For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
+ CategoryInfo : OpenError: (:) [], PSRemotingTransportException
+ FullyQualifiedErrorId : PSSessionStateBroken
winrs Error:
Winrs error:
WinRM cannot process the request. The following error occured while using Kerberos authentication: The network path was not found.
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port does not exist.
-The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
-For more information about WinRM configuration, run the following command: winrm help config.
Hi Adam,
I'm a little unclear about which SPNs you were looking for, in which case could you confirm you were checking that on the computer object belonging to the actual destination host it has the following SPNs registered?
WSMAN/<NetBIOS name>
WSMAN/<FQDN>
If you were actually trying to use WinRM to connect to the remote forest's domain controllers, then what you said makes sense, but I was caught between assuming this was the case or you meant another member server in that remote forest.
Also, from the client trying to connect to this remote server, are you able to telnet to port 5985? (If you've used something other than the default, try that port)
If you can't, then you've got something else like a firewall (be that the Windows firewall on the destination or a hardware firewall somewhere in between) blocking you at the port level, or the listener on the remote box just isn't working as expected. I just replied to your other WinRM post with steps for checking the latter, so I won't repeat myself here.
If you can telnet to it and the SPNs exist, then you might be up against something called selective authentication, which has to do with how the trust was defined. You can have a read of this to learn a bit more about selective trusts and whether or not it's affecting you.
Cheers,
Lain -
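Both Kerberos threads above (the SharePoint/SSRS delegation setup and the cross-forest WinRM failure) come down to the same three checks: is each SPN registered on exactly one account, which delegation mode does that account actually have, and is the listener port reachable. The PowerShell script below is an added example, not code from any of the posts; it assumes read access to the directory through plain ADSI, and the host names, ports, SPNs and search base used in the sample call are placeholders.

```powershell
# Added example (not from the forum posts): audit SPN registration,
# delegation mode and port reachability for a Kerberos-secured service.
# Uses System.DirectoryServices so no RSAT module is required.

# userAccountControl bits as documented in the AD schema.
$TRUSTED_FOR_DELEGATION         = 0x80000    # Delegation tab: "any service (Kerberos only)"
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # Delegation tab: "use any authentication protocol"

function Get-DelegationMode {
    # Map the raw attributes to the wording shown on the account's Delegation tab.
    param([int64]$Uac, [string[]]$AllowedToDelegateTo)
    if ($AllowedToDelegateTo -and $AllowedToDelegateTo.Count -gt 0) {
        if ($Uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION) {
            return 'Constrained: specified services, use any authentication protocol'
        }
        return 'Constrained: specified services, Kerberos only'
    }
    if ($Uac -band $TRUSTED_FOR_DELEGATION) {
        # Review these: the account can impersonate any user that authenticates to it.
        return 'Unconstrained: any service (Kerberos only)'
    }
    return 'None'
}

function Find-SpnOwner {
    # Return every account under $SearchBase that carries $Spn. More than one
    # hit is a duplicate SPN: the KDC then issues tickets for the wrong account,
    # which surfaces as NTLM fallback or KRB_AP_ERR_MODIFIED on the service side.
    # $SearchBase may be 'DC=test,DC=example' for the current forest or
    # 'dc01.test.example/DC=test,DC=example' to query a DC in a trusted forest.
    param(
        [Parameter(Mandatory)][string]$Spn,
        [string]$SearchBase = ([ADSI]'LDAP://RootDSE').defaultNamingContext
    )
    $root = [ADSI]"LDAP://$SearchBase"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = "(servicePrincipalName=$Spn)"
    $null = $searcher.PropertiesToLoad.AddRange(
        [string[]]@('sAMAccountName', 'userAccountControl', 'msDS-AllowedToDelegateTo'))
    foreach ($r in $searcher.FindAll()) {
        $p = $r.Properties   # property names in the result collection are lower-case
        [pscustomobject]@{
            Spn        = $Spn
            Account    = [string]$p['samaccountname'][0]
            Delegation = Get-DelegationMode -Uac ([int64]$p['useraccountcontrol'][0]) `
                             -AllowedToDelegateTo ([string[]]$p['msds-allowedtodelegateto'])
        }
    }
}

function Test-TcpPort {
    # Plain TCP connect so the check works from any box, without Test-NetConnection.
    param([Parameter(Mandatory)][string]$ComputerName, [int]$Port = 5985, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $done = $client.ConnectAsync($ComputerName, $Port).Wait($TimeoutMs)
        return ($done -and $client.Connected)
    } catch {
        return $false
    } finally {
        $client.Dispose()
    }
}

function Test-KerberosServiceSetup {
    # Check each expected SPN (missing / unique / duplicate), report the owner's
    # delegation mode, and confirm the service port answers.
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string[]]$ExpectedSpns,
        [int]$Port = 5985,
        [string]$SearchBase
    )
    foreach ($spn in $ExpectedSpns) {
        $owners = @(if ($SearchBase) { Find-SpnOwner -Spn $spn -SearchBase $SearchBase }
                    else             { Find-SpnOwner -Spn $spn })
        switch ($owners.Count) {
            0       { Write-Warning "$spn is not registered on any account" }
            1       { $owners[0] }
            default { Write-Warning "$spn is registered on $($owners.Count) accounts (duplicate SPN): $($owners.Account -join ', ')"
                      $owners }
        }
    }
    [pscustomobject]@{ Host = $ComputerName; Port = $Port
                       Reachable = (Test-TcpPort -ComputerName $ComputerName -Port $Port) }
}

# Sample call with placeholder names; the WSMAN SPNs follow the pattern Lain lists above.
Test-KerberosServiceSetup -ComputerName 'srv01.test.example' -Port 5985 `
    -ExpectedSpns 'WSMAN/srv01', 'WSMAN/srv01.test.example' `
    -SearchBase 'dc01.test.example/DC=test,DC=example'
```

For the SharePoint case, pass the HTTP/ and MSSQLSvc/ SPNs from the post and port 9999 or 1433; any account that comes back as "Unconstrained" is one the post configured with "Trust this user for delegation to any service".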
Customizing Request Application Flows in OIM 11g?
To all:
I'm trying to work through a scenario using Request Templates - I'm not sure that this approach is possible using configuration approaches and wanted to see if anyone has any useful feedback. First, let me describe the problem I'm attempting to solve:
- The users who will be using self-service will be somewhat restricted on what they can do: basically, once they have an account in OIM (this is 'automatic' from a reconciliation - there's no self-registration or user creation) they can request access to a small number of applications.
The ideal flow that we would like to follow is:
Step 1: Log in to OIM.
Step 2: Create Request
Step 3: Select the Application for requested access and the requested role.
Step 4: Enter an effective date and justification.
Step 5: Submit
... something 'application focused', not 'resource focused' as the end user community is not particularly aware (nor do they really need to be) about the details of how a user is authenticated.
I can get 'close' to this using a request template, with this flow:
Step 1: Log in to OIM
Step 2: Create a request.
Step 3: Select a Request Template. (I named the template after the application - "Select App Account")
Step 4: Select Your Resource (only one in this case - restricted to "AD User")
Step 5: Enter information about the AD account. (I can restrict this down to only allow for group selection, which is great.)
Step 6: Enter effective date, justification
Step 7: Submit
So the only thing I'd really like to 'skip' (or somehow default) is the selection of a resource and skip that step - because the template only allows for a single selection anyway, and having an extra step with a single selection that may only muddle the process would be detrimental to the usability of the request.
Is this a modification that we can make to the request flow ("If only one resource, default and move on") - or will we need to create some form of customized request process using the APIs?
I've dug into the JSF navigation in the iam-console-faces WAR file; it seems that navigation is tied up in the backing beans - has anyone else used Request Templates to meet this type of need?
My thanks in advance for any insight you can provide!
Dewan.Rajiv wrote:
It's a new flow which Oracle has introduced in OIM 11g. You can't skip that selection unless you modify the OOTB UI.
RO is a mandatory thing to raise a request, so you can go for a custom UI (needs ADF knowledge) in which you'll ask the end user to select other things except that Resource, and you'll fetch the RO name from some configuration file for use in the request APIs.
Thanks - it looks like customizing the OOTB UI might not be possible - rather than using ADF/Faces configuration files, most of the navigation redirects seem to be 'hidden away' in compiled class files. (My original thought: add some kind of filter and/or extension to an ADF Task Flow that governs the request application flow - but there are no task flow files to modify?) -
OIM 11g Server Configuration Wizard Error - Cannot Connect to Oracle DB
I appreciate any and all suggestions or thoughts on how to best continue troubleshooting this error that I am describing below.
I am attempting to install Oracle Identity and Access Management Suite 11g on a Windows 7 machine…in following the installation guides I have successfully installed the following Oracle Components
- Oracle Database 11.2.0.1.0
- Created Schemas using RCU 11.1.1.3.3
- Oracle WebLogic Server 10.3.3.0
- Oracle SOA 11.1.1.2.0
- Oracle SOA 11.1.1.3.0 (Patch Set)
- Oracle IAM SUITE 11.1.1.3.0
Following the above installations, I created a new WebLogic Domain and as the next step am running the OIM Configuration Wizard to configure the OIM Server, however I am unable to setup a connection to the Oracle DB via the OIM Configuration Wizard. I am getting an error message when attempting to setup the connection to the Oracle Database using the OIM 11g Server Configuration Wizard:
ERROR:
INST:6102 Unable to connect to the database with the given credentials.
[DETAILS] Check the values. Make sure the Database is up and running and connect string, user name, and password are correct.
INST:6102 Unable to connect to the database with the given credentials.
[DETAILS] Check the values. Make sure the Database is up and running and connect string, user name, and password are correct.
When installing the Oracle Database 11gR2 I used the following install configuration:
Oracle base: C:\MyApps\Oracle
Software location: C:\MyApps\Oracle\DB_HOME\11.2.0\dbhome_1
Database file location: C:\MyApps\Oracle\DB_HOME\oradata
Database Edition: Personal Edition (3.27 GB)
Character Set: Unicode (AL32UTF8)
Global database name: orcl.dev.com
Administrative Password: Password1
Confirm Password: Password1
When creating my Schemas using RCU 11.1.1.3.3 I used the following Database Connection Details
DB TYPE: Oracle Database
HOST NAME: localhost
PORT: 1521
SERVICE NAME: orcl.dev.com
USERNAME: sys
PASSWORD: Password1
ROLE: SYSDBA
I used a prefix of "DEV" when creating the schemas, so the schema owners DEV_OIM and DEV_MDS were created. Also, I configured the same password for all schemas: "Password1". So the password for DEV_OIM and DEV_MDS should be the same, "Password1".
REPRODUCING THE ERROR
To reproduce the error, when I launch the Oracle Identity Management 11g Configuration Wizard I am first brought to the “Welcome” Screen. I click the [Next>] button.
Next, I am on the “Components to Configure” screen where I select OIM Server and OIM Design Console and click the [Next>] button. (NOTE I have also tested by simply selecting only the OIM Server)
Next, I am on the “Database” screen where I enter the connection information
Connection String: localhost:1521:orcl.dev.com
(NOTE I have also tested using localhost:1521:orcl)
OIM Schema User Name: DEV_OIM
OIM Schema Password: Password1
MDS Schema User Name: DEV_MDS
MDS Schema Password: Password1
When I click the [Next>] button after entering the Database Connection details I encounter the following two errors (1 error for each logon DEV_OIM and DEV_MDS)
INST:6102 Unable to connect to the database with the given credentials.
INST:6102 Unable to connect to the database with the given credentials.
TROUBLESHOOTING
NOTE: I can successfully start the Oracle DB Services and connect via the Enterprise Console, SQL Plus, and JDBCTest Java Client…I just cannot get past this connection error in the OIM Server Configuration Wizard.
JDBCTest.java TEST CLIENT
NOTE: This is the Java test client that I am using to test database connectivity through a specified JDBC URL and driver; it works successfully.
import java.sql.Connection;
import java.sql.DatabaseMetaData;
import java.sql.DriverManager;
import java.sql.ResultSet;

public class JDBCTest {
    public static void main(String[] args) throws Exception {
        // Thin-driver URL in host:port:SID form
        String url = "jdbc:oracle:thin:@localhost:1521:orcl";
        String driver = "oracle.jdbc.OracleDriver";
        String user = "DEV_OIM";
        String password = "Password1";
        try {
            Class.forName(driver);
            Connection conn = DriverManager.getConnection(url, user, password);
            // Get the MetaData
            DatabaseMetaData metaData = conn.getMetaData();
            // Get driver information
            System.out.println("");
            System.out.println("#########################################");
            System.out.println("# ***DRIVER INFORMATION***");
            System.out.println("#");
            System.out.println("# Driver Name = " + metaData.getDriverName());
            System.out.println("# Driver Version = " + metaData.getDriverVersion());
            System.out.println("#");
            System.out.println("#########################################");
            System.out.println("");
            System.out.println("");
            // Get database information
            System.out.println("#########################################");
            System.out.println("# ***DATABASE INFORMATION***");
            System.out.println("#");
            System.out.println("# Database Product Name = " + metaData.getDatabaseProductName());
            System.out.println("# Database Product Version = " + metaData.getDatabaseProductVersion());
            System.out.println("#");
            System.out.println("#########################################");
            System.out.println("");
            System.out.println("");
            // Get schema information
            ResultSet schemas = metaData.getSchemas();
            System.out.println("#########################################");
            System.out.println("# ***SCHEMA INFORMATION***");
            System.out.println("#");
            System.out.println("# Schemas:");
            while (schemas.next()) {
                System.out.println("# " + schemas.getString(1));
            }
            System.out.println("#########################################");
            System.out.println("");
            System.out.println("");
            // Get table information
            System.out.println("Tables");
            ResultSet tables = metaData.getTables("", "", "", null);
            while (tables.next()) {
                System.out.println(tables.getString(3));
            }
            conn.close();
        } catch (Exception ex) {
            ex.printStackTrace();
        }
    }
}
"lsnrctl status" COMMAND TEST SUCCESSFUL
When the Listener Service is on I get the following output using lsnrctl status command
C:\> lsnrctl status
LSNRCTL for 32-bit Windows: Version 11.2.0.1.0 - Production on 21-SEP-2010 15:59:43
Copyright (c) 1991, 2010 Oracle. All rights reserved.
STATUS of the LISTENER
Alias LISTENER
Version TNSLSNR for 32-bit Windows:Version 11.2.0.1.0 - Production
Start Date 21-SEP-2010 14:43:57
Uptime 0 days 1 hr. 15 min. 46 sec
Trace Level off
Security ON: Local OS Authentication
SNMP OFF
Listener Parameter File C:\MyApps\Oracle\DB_HOME\11.2.0\dbhome_1\NETWORK\ADMIN\listener.ora
Listener Log File c:\myapps\oracle\diag\tnslsnr\\listener\alert\log.xml
Listening Endpoints Summary…
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=127.0.0.1)(PORT=1521)))
Services Summary…
Service "CLRExtProc" has 1 instance(s).
Instance "CLRExtProc", status UNKNOWN, has 1 handler(s) for this service...
Service "orcl.dev.com" has 1 instance(s).
Instance "orcl", status READY, has 1 handler(s) for this service...
Service "orclXDB.dev.com" has 1 instance(s).
Instance "orcl", status READY, has 1 handler(s) for this service...
The command completed successfully
Whenever installing Oracle databases, I install the software only first. Then I set up the listener. Then I create a database instance using the dbca tool. This way all the information is added to the pre-existing listener configuration rather than trying to create the listener afterwards. Also, during the dbca database creation, I supply a full service name such as orcl.hostname and use the service name in future configurations where it is asked for. This usually solves any issues of the listener or database not being found correctly.
-Kevin -
I have created one Task assignement adapter and assigned to one user (myself). I have enabled that Send Mail check box, However I am NOT getting email from OIM 11g.
I have already defined EMail server IT resource details as below
Authentication: False
Server Name: &&&&&&&&
User Login: xelsysadm
User Password: xelsysadm
Could you please let me know what could be the reason?
I do not think so, since we are able to send emails during AD provisioning in the same domain.
In my case Do I need to provide From address anywhere in OIM?
Pls suggest. -
Populate enddate after change in user status in OIM 11g ?
Hello experts,
We have a requirement whenever a user is getting 'Disabled' end-date needs to be set to the current system date and When the user is enabled end-date need to be reset to some predefined date
We are planning to go with custom adapter for this. Now in OIM 11g USR_STATUS is not working as expected. Then how do we trigger for disable or enable.
Is event handler is the only option for this scenario ? Please advice.
Thanks,
Deepak
There are two ways to handle this:
First is to use a post-update event handler:
get the user status and update the end date and start date.
Second, use a custom adapter.
No need to put a trigger.
Just attach your code on the response of the Enable User and Disable User tasks in the AD, OID, etc. workflow.
Try and let me know.
Regards,
Nishith Nayan -
Hi,
My OIM 11g installation was working fine. Suddenly I started getting the below error while trying to login to OIM admin and design console
<Sep 2, 2012 6:34:11 PM IST> <Alert> <Diagnostics> <BEA-320016> <Creating diagnostic image in c:\oracle\middleware\user_projects\domains\idmdomain\servers\oim_server1\adr\diag\ofm\idmdomain\oim_server1\incident\incdir_5 with a lockout minute period of 1.>
<Sep 2, 2012 6:34:23 PM IST> <Error> <XELLERATE.ACCOUNTMANAGEMENT> <BEA-000000><Class/Method: tcDefaultDBEncryptionImpl/initKeyStore encounter some problems: access denied (oracle.security.jps.service.credstore.CredentialAccessPermission context=SYSTEM,mapName=oim,keyName=.xldatabasekey read)
java.security.AccessControlException: access denied (oracle.security.jps.service.credstore.CredentialAccessPermission context=SYSTEM,mapName=oim,keyName=.xldatabasekey read)
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
at java.security.AccessController.checkPermission(AccessController.java:546)
at oracle.security.jps.util.JpsAuth$AuthorizationMechanism$3.checkPermission(JpsAuth.java:436)
at oracle.security.jps.util.JpsAuth.checkPermission(JpsAuth.java:496)
at oracle.security.jps.util.JpsAuth.checkPermission(JpsAuth.java:519)
at oracle.security.jps.internal.credstore.util.CsfUtil.checkPermission(CsfUtil.java:611)
at oracle.security.jps.internal.credstore.ssp.SspCredentialStore.containsCredential(SspCredentialStore.java:299)
at oracle.iam.platform.utils.config.OIMPrivilegedExceptionAction.run(CSFCredentialProvider.java:205)
at java.security.AccessController.doPrivileged(Native Method)
at oracle.iam.platform.utils.config.CSFCredentialProvider.getPassword(CSFCredentialProvider.java:75)
at oracle.iam.platform.utils.config.standalone.StandAloneCryptoConfig.getPassword(StandAloneCryptoConfig.java:80)
at com.thortech.xl.crypto.tcDefaultDBEncryptionImpl.initKeyStore(tcDefaultDBEncryptionImpl.java:67)
at com.thortech.xl.crypto.tcDefaultDBEncryptionImpl.getCipher(tcDefaultDBEncryptionImpl.java:96)
at com.thortech.xl.crypto.tcDefaultDBEncryptionImpl.encrypt(tcDefaultDBEncryptionImpl.java:193)
at com.thortech.xl.crypto.tcCryptoUtil.encrypt(tcCryptoUtil.java:118)
at com.thortech.xl.crypto.tcCryptoUtil.encrypt(tcCryptoUtil.java:275)
at oracle.iam.platform.auth.impl.Authenticator.encrypt(Authenticator.java:185)
at oracle.iam.platform.auth.impl.Authenticator.authenticateWithPassword(Authenticator.java:160)
at oracle.iam.platform.auth.impl.Authenticator.authenticate(Authenticator.java:133)
at oracle.iam.platform.auth.providers.wls.OIMAuthLoginModule.login(OIMAuthLoginModule.java:44)
at com.bea.common.security.internal.service.LoginModuleWrapper$1.run(LoginModuleWrapper.java:110)
at java.security.AccessController.doPrivileged(Native Method)
at com.bea.common.security.internal.service.LoginModuleWrapper.login(LoginModuleWrapper.java:106)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
at com.bea.common.security.internal.service.JAASLoginServiceImpl.login(JAASLoginServiceImpl.java:113)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.bea.common.security.internal.utils.Delegator$ProxyInvocationHandler.invoke(Delegator.java:57)
at $Proxy25.login(Unknown Source)
at weblogic.security.service.internal.WLSJAASLoginServiceImpl$ServiceImpl.login(WLSJAASLoginServiceImpl.java:89)
at com.bea.common.security.internal.service.JAASAuthenticationServiceImpl.authenticate(JAASAuthenticationServiceImpl.java:82)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.bea.common.security.internal.utils.Delegator$ProxyInvocationHandler.invoke(Delegator.java:57)
at $Proxy43.authenticate(Unknown Source)
at weblogic.security.service.WLSJAASAuthenticationServiceWrapper.authenticate(WLSJAASAuthenticationServiceWrapper.java:40)
at weblogic.security.service.PrincipalAuthenticator.authenticate(PrincipalAuthenticator.java:348)
at weblogic.servlet.security.internal.SecurityModule.checkAuthenticate(SecurityModule.java:251)
at weblogic.servlet.security.ServletAuthentication.login(ServletAuthentication.java:413)
at oracle.idm.common.login.SignInBean.doLogin(SignInBean.java:88)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.sun.el.parser.AstValue.invoke(Unknown Source)
at com.sun.el.MethodExpressionImpl.invoke(Unknown Source)
at org.apache.myfaces.trinidadinternal.taglib.util.MethodExpressionMethodBinding.invoke(MethodExpressionMethodBinding.java:53)
at org.apache.myfaces.trinidad.component.UIXComponentBase.broadcastToMethodBinding(UIXComponentBase.java:1256)
at org.apache.myfaces.trinidad.component.UIXCommand.broadcast(UIXCommand.java:183)
at oracle.adf.view.rich.component.fragment.UIXInclude.broadcast(UIXInclude.java:102)
at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent$1.run(ContextSwitchingComponent.java:92)
at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent._processPhase(ContextSwitchingComponent.java:361)
at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent.broadcast(ContextSwitchingComponent.java:96)
at oracle.adf.view.rich.component.fragment.UIXInclude.broadcast(UIXInclude.java:96)
at javax.faces.component.UIViewRoot.broadcastEvents(UIViewRoot.java:475)
at javax.faces.component.UIViewRoot.processApplication(UIViewRoot.java:756)
at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl._invokeApplication(LifecycleImpl.java:788)
at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl._executePhase(LifecycleImpl.java:306)
at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:186)
at javax.faces.webapp.FacesServlet.service(FacesServlet.java:265)
at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:300)
at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at oracle.help.web.rich.OHWFilter.doFilter(Unknown Source)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at oracle.adf.model.servlet.ADFBindingFilter.doFilter(ADFBindingFilter.java:205)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at oracle.adfinternal.view.faces.webapp.rich.RegistrationFilter.doFilter(RegistrationFilter.java:106)
at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl$FilterListChain.doFilter(TrinidadFilterImpl.java:446)
at oracle.adfinternal.view.faces.activedata.AdsFilter.doFilter(AdsFilter.java:60)
at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl$FilterListChain.doFilter(TrinidadFilterImpl.java:446)
at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl._doFilterImpl(TrinidadFilterImpl.java:271)
at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl.doFilter(TrinidadFilterImpl.java:177)
at org.apache.myfaces.trinidad.webapp.TrinidadFilter.doFilter(TrinidadFilter.java:92)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at oracle.iam.platform.auth.web.OIMUnauthContextFilter.doFilter(OIMUnauthContextFilter.java:63)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at oracle.adf.library.webapp.LibraryFilter.doFilter(LibraryFilter.java:175)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at oracle.security.jps.ee.http.JpsAbsFilter$1.run(JpsAbsFilter.java:111)
at java.security.AccessController.doPrivileged(Native Method)
at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:313)
at oracle.security.jps.ee.util.JpsPlatformUtil.runJaasMode(JpsPlatformUtil.java:413)
at oracle.security.jps.ee.http.JpsAbsFilter.runJaasMode(JpsAbsFilter.java:94)
at oracle.security.jps.ee.http.JpsAbsFilter.doFilter(JpsAbsFilter.java:161)
at oracle.security.jps.ee.http.JpsFilter.doFilter(JpsFilter.java:71)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at oracle.dms.servlet.DMSServletFilter.doFilter(DMSServletFilter.java:136)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at weblogic.servlet.internal.RequestEventsFilter.doFilter(RequestEventsFilter.java:27)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3715)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3681)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2277)
at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2183)
at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1454)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:178)
>
<Sep 2, 2012 6:34:23 PM IST> <Error> <OIM Authenticator> <BEA-000000> <Error encrypting password>
I uninstalled the whole OIM, SOA and DB and installed the same again but I am still getting the same error.
Please help me in solving this issue as I am struck and don't know how to process further.
I am using 64 bit installation of OIM.
Thanks in advance.
Have you gone through the below?
1. Check the file permissions on ".xldatabasekey" in <DOMAIN_HOME>/config/fmwconfig/
2. Check the credential store map in EM. Further reading: http://download.oracle.com/docs/cd/E14571_01/doc.1111/e14308/handlinglcm.htm#CIAEFAGF
Article 1327577.1 talks about the "required steps to be able to deploy a custom J2EE application that is able to interact with the Credential Store Framework to retrieve user credentials". -
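The two checks in the reply above are easier to apply if the server log is triaged first. As an added example (it is not from the thread and not Oracle code), the Python below parses WebLogic server-log records of the shape quoted in the post, pulls the denied CredentialAccessPermission out of the message text, and de-duplicates the denial that appears both in the record message and in the AccessControlException line that follows it. The sample log is constructed from the entries quoted in the post with the stack trace shortened; the record-header layout it assumes is the one visible there.

```python
import re
from typing import Dict, List, Optional

# WebLogic server-log record header as seen in the post:
# <timestamp> <severity> <subsystem> <BEA-code> <message ...>
HEADER = re.compile(
    r"^<(?P<ts>[^>]+)>\s*<(?P<sev>[^>]+)>\s*<(?P<sub>[^>]+)>\s*<(?P<code>BEA-\d+)>\s*<?(?P<msg>.*)$"
)

# The denial text from the post: access denied (oracle.security.jps.service.credstore.
# CredentialAccessPermission context=SYSTEM,mapName=oim,keyName=.xldatabasekey read)
CSF_DENIED = re.compile(
    r"access denied \(oracle\.security\.jps\.service\.credstore\.CredentialAccessPermission"
    r"\s+context=(?P<ctx>[^,]+),mapName=(?P<map>[^,]+),keyName=(?P<key>\S+)\s+(?P<action>\w+)\)"
)

# Constructed sample: the relevant records from the post, with the stack trace shortened.
SAMPLE_LOG = """\
<Sep 2, 2012 6:34:11 PM IST> <Alert> <Diagnostics> <BEA-320016> <Creating diagnostic image in incdir_5 with a lockout minute period of 1.>
<Sep 2, 2012 6:34:23 PM IST> <Error> <XELLERATE.ACCOUNTMANAGEMENT> <BEA-000000><Class/Method: tcDefaultDBEncryptionImpl/initKeyStore encounter some problems: access denied (oracle.security.jps.service.credstore.CredentialAccessPermission context=SYSTEM,mapName=oim,keyName=.xldatabasekey read)
java.security.AccessControlException: access denied (oracle.security.jps.service.credstore.CredentialAccessPermission context=SYSTEM,mapName=oim,keyName=.xldatabasekey read)
\tat java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
\tat com.thortech.xl.crypto.tcDefaultDBEncryptionImpl.initKeyStore(tcDefaultDBEncryptionImpl.java:67)
>
<Sep 2, 2012 6:34:23 PM IST> <Error> <OIM Authenticator> <BEA-000000> <Error encrypting password>
"""


def parse_record(line: str) -> Optional[Dict[str, str]]:
    """Split a record-header line into its fields; return None for continuation lines."""
    m = HEADER.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["msg"] = rec["msg"].rstrip(">")
    return rec


def find_credstore_denials(lines: List[str]) -> List[Dict[str, str]]:
    """Return one entry per distinct CredentialAccessPermission denial.

    The denial text appears twice per event (in the record message and again in the
    AccessControlException line that follows), so entries are de-duplicated on
    (timestamp, context, map, key, action). Continuation lines inherit the last header.
    """
    hits: List[Dict[str, str]] = []
    seen = set()
    current: Optional[Dict[str, str]] = None
    for raw in lines:
        line = raw.rstrip("\n")
        rec = parse_record(line)
        if rec is not None:
            current = rec
        m = CSF_DENIED.search(line)
        if m is None:
            continue
        ts = current["ts"] if current else ""
        sub = current["sub"] if current else ""
        ident = (ts, m["ctx"], m["map"], m["key"], m["action"])
        if ident in seen:
            continue
        seen.add(ident)
        hits.append({
            "timestamp": ts,
            "subsystem": sub,
            "context": m["ctx"],
            "map": m["map"],
            "key": m["key"],
            "action": m["action"],
        })
    return hits


def describe(hit: Dict[str, str]) -> str:
    """One-line triage summary pointing at the two checks the reply suggests."""
    return (
        f"{hit['timestamp']} {hit['subsystem']}: {hit['action']} denied on credential "
        f"map={hit['map']} key={hit['key']} (context {hit['context']}); check the CSF grant "
        f"for that map/key and the file permissions on {hit['key']} under config/fmwconfig"
    )


if __name__ == "__main__":
    for h in find_credstore_denials(SAMPLE_LOG.splitlines()):
        print(describe(h))
```

Run against a real server log, the output names the exact map and key the policy grant must cover, which is the value to look for in the credential store map in EM and on the key file under <DOMAIN_HOME>/config/fmwconfig.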
OIM 11g: Connector based on SEND / EXPECT or scripting
Hello
I have a system that I need to integrate into OIM 11g. (11.1.1.5.2) The application has a scripting engine to perform all user management functions. For example, on the system itself you would run the following from the command line:
account create 'bsmith'
account password 'password'
account permission 'login'
account group default 'enduser'
account description 'Bob Smith'
account firstname 'Bob'
account lastname 'Smith'
The account repository is a custom format, and I cannot provision directly to it via the DB tables, a flat file, etc. The system, however, is running on a standard UNIX platform, so I have access to SSH into the box and issue the commands.
Question: What is the best way to implement a connector to an application that only uses a scripting engine for account management? Is there an OOTB connector that can use UNIX send/expect? What about executing a shell script with inputs for the variables needed? Can I use the standard SSH connector, and override the 'user add' command?
Thank you.
Following are the list of mappings. The ones with similar names are easy to guess. Notice that USR_COUNTRY is missing in the list. I have requested Oracle to log a bug for this and for any other missing fields. If accepted, this should be available in the next patch.
(Mapping between user definition qualifiers on data object manager form and actual USR fields)
=== Process Definition ===
Name -> pkg_name
Type -> pkg_type
=== Object Definition ===
Object Name -> obj_name
Object Type -> obj_type
Object Target Type -> obj_order_for
=== Organization Definition ===
Organization Name -> act_name
Organization ID -> act_key
Organization Type -> act_cust_type
Organization Status -> act_status
Organization Parent ID -> parent_key
+ Organization UDFs
=== User Definition ===
User Key -> usr_key
Request Key -> req_key
Identity -> usr_fss
User Login -> usr_login
Role -> usr_emp_type
Password -> usr_password
First Name -> usr_first_name
Middle Initial -> usr_middle_name
Last Name -> usr_last_name
Disabled -> usr_disabled
Type -> usr_type
User Status -> usr_status
Manager -> usr_manager_key
Organization -> act_key
Start Date -> usr_start_date
End Date -> usr_end_date
Provisioning Date -> usr_provisoning_date
Deprovisioning Date -> usr_deprovisioning_date
Provisioned Date -> usr_provisioned_date
Deprovisioned Date -> usr_deprovisioned_date
Email Address -> usr_email
Email -> usr_email
+ User UDFs
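Whichever route the scripting-engine connector question above takes (send/expect, a shell script, or an overridden SSH connector command), every user attribute ends up interpolated into the engine's single-quoted `account ...` lines, so the connector has to make sure no value can close that quote or add a second command. As an added example (not from the thread and not an Oracle connector), the Python below validates each attribute against a per-field allowlist before building the lines shown in the question. The allowlists, the `AccountRequest` shape and the `UnsafeValue` error are assumptions; the page does not say what the engine accepts or how it escapes a quote, so a value that cannot safely sit inside `'...'` is refused rather than escaped, and the `account password` line is deliberately left to a separate step so the secret does not travel in a command line.

```python
import re
from dataclasses import dataclass
from typing import List

# Per-field allowlists (assumptions: the thread does not say what the target's scripting
# engine accepts, so anything outside these sets is refused rather than escaped).
SAFE_LOGIN = re.compile(r"[a-z][a-z0-9._-]{0,31}")
SAFE_NAME = re.compile(r"[A-Za-z0-9 ._@-]{1,64}")
SAFE_TOKEN = re.compile(r"[a-z0-9_-]{1,32}")


@dataclass
class AccountRequest:
    """Attributes OIM would hand the connector for one create operation (assumed shape)."""
    login: str
    first_name: str
    last_name: str
    group: str
    description: str


class UnsafeValue(ValueError):
    """Raised for any value that cannot safely sit inside the engine's '...' quoting."""


def _checked(field: str, value: str, pattern: "re.Pattern[str]") -> str:
    # fullmatch, not search: the whole value must consist of allowed characters,
    # which rules out quotes, newlines and other characters that could end the
    # quoted argument or start a second command.
    if not isinstance(value, str) or pattern.fullmatch(value) is None:
        raise UnsafeValue(f"{field} rejected: {value!r}")
    return value


def build_create_commands(req: AccountRequest, permission: str = "login") -> List[str]:
    """Return the 'account ...' lines for one user, in the order shown in the question.

    The password line is intentionally not produced here; a secret should not travel
    in a command line that can end up in logs or process listings.
    """
    login = _checked("login", req.login, SAFE_LOGIN)
    first = _checked("firstname", req.first_name, SAFE_NAME)
    last = _checked("lastname", req.last_name, SAFE_NAME)
    group = _checked("group", req.group, SAFE_TOKEN)
    desc = _checked("description", req.description, SAFE_NAME)
    perm = _checked("permission", permission, SAFE_TOKEN)
    return [
        f"account create '{login}'",
        f"account permission '{perm}'",
        f"account group default '{group}'",
        f"account description '{desc}'",
        f"account firstname '{first}'",
        f"account lastname '{last}'",
    ]


def is_safe_request(req: AccountRequest) -> bool:
    """Pre-flight check a caller can run before opening the SSH session."""
    try:
        build_create_commands(req)
        return True
    except UnsafeValue:
        return False


if __name__ == "__main__":
    ok = AccountRequest("bsmith", "Bob", "Smith", "enduser", "Bob Smith")
    print("\n".join(build_create_commands(ok)))
    # A legitimate surname with an apostrophe is refused, because the thread does not
    # say how the engine escapes a quote inside '...'; guessing would be worse.
    print(is_safe_request(AccountRequest("obrien", "Liam", "O'Brien", "enduser", "Liam")))
```

The trade-off is visible in the last line: a real surname such as O'Brien is rejected until the engine's escaping rule is known. That is the right default for a provisioning path, because the alternative is to guess a rule and have the first apostrophe silently split one command into two; once the rule is documented, the allowlist can be widened and an escaping step added in `_checked`.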