OIM Delegation
Hi!
I`m trying to configure approval process in OIM, and as a part of this process there is a need to use delegation feature.
BUT:
after delegate makes a decision request has to be returned to person, who delegated this request. By default after delegate makes his decision request proceeds to next step in approval process.
So my question is if there is a way to configure delegation feature? Or maybe there is some sort of attribute which indicates that there was delegation on previous step of approval process, so i can write an adapter to check this out?
Any help will be appreciated
Regards,
Ilya
Hi,
If i am understanding your question correctly you want to ask when any user request and manager approval is required then an email will shoot to both the manager as well as proxy user (manager set another user as proxy user for himself). Then answer is "Yes" if your approval task has email option then email will be sent to both the manager as well as proxy user.
Let me know what i have understood is correct or your question is different.
Similar Messages
-
How to restrict delegated administrators to modify their own OIM accounts
Hello - I have a requirement where we need to create delegated administrators for each department. The Delegated Admins are allowed to create and manage user accounts in OIM and OID resource. They can modify user accounts that are part of the organization that they have admin permission on however they should not be able to modify their own accounts. For example, if Org1-Admin is a part of Org1 and have admin priviledges on the Org1 he can create and modify user accounts in Org1 and provision user accounts to OID resource. He can update user profile data and process form data etc. But he should not be able to change his own user profile data and should not be able to get provisioned to OID resource. I am able to set up OIM for the delegated administration part but I am not sure how to restrict the delegated admin for modifying his own profile and restrict OID resource from him. The reason to have this requirement is these delegated admin accounts will act as non-user accounts i.e. they are not tied to any person they are more or less service accounts where if Person1 is assigned as a delegated admin of organization 1 in week 1 he should be able to do the tasks as discussed before using org1-admin account. The next week we may have person 2 doing this job and he should use the same account to login and to do these tasks, these delegated admins will have their own end user accounts that will be tied to their personal ID's and they can modify that account if they are delegated admin :) but not the delegated admin account.
Thanks,If your self-service application binds to the directory using some special account, like 'superuser_directory' (just an example), then you could allow superuser_directory to modify entries but deny aministrators the ability to modify entries. This means that they connect with their own login to the directory when they modify entries. If you want them to stop modifying their own entries in the application, that's a matter of making the application be aware of that..
-
Unable to invoke Custom PostProcessEventHandler in OIM 11g R2
Hi,
I am working with OIM 11g R2 .I created an custom PostProcessEventHandler to trigger on modify user operation.
I created a jar file of custom class as xyz.jar
I created an plugin.xml as:
<?xml version="1.0" encoding="UTF-8"?>
<oimplugins>
<plugins pluginpoint="oracle.iam.platform.kernel.spi.EventHandler">
<plugin pluginclass="com.xyz.DisablePostProcessEventHandler" version="1.0" name="DisablePostProcessEventHandler">
</plugin>
</plugins>
</oimplugins>
I made an xyz.zip of plugin.xml and lib/xyz.jar
I registered the xyz.zip by placing zip file in plugins directory.
I created an EventHandlers.xml as below:
<?xml version='1.0' encoding='utf-8'?>
<eventhandlers xmlns="http://www.oracle.com/schema/oim/platform/kernel"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.oracle.com/schema/oim/platform/kernelorchestration-handlers.xsd">
<!-- Custom postprocess event handlers -->
<action-handler
class="com.xyz.DisablePostProcessEventHandler" entity-type="User" operation="MODIFY" name="DisablePostProcessEventHandler" stage="postprocess" order="9999" sync="TRUE"/>
</eventhandlers>
and placed in the path temp/metadata/user/custom/CustomPostProcessHandler and imported it to MDS.
I purged the cache as ./PurgeCache MetaData.
When i am trying to modify user i am getting error as below:
[WARNING] [] [oracle.adf.controller.faces.lifecycle.Utils] [tid: [ACTIVE].ExecuteThread: '7' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: xelsysadm] [ecid: 0000JqaUC9MDoYO_qh5EiY1HJuY90001ve,0] [APP: oracle.iam.console.identity.self-service.ear#V2.0] ADF: Adding the following JSF error message: Localized message not available. Error returned is: JBO-29000: Unexpected exception caught: java.lang.NullPointerException, msg=null[[
oracle.jbo.JboException: JBO-29000: Unexpected exception caught: java.lang.NullPointerException, msg=null
at oracle.adf.model.binding.DCInvokeMethod.invokeMethod(DCInvokeMethod.java:699)
at oracle.adf.model.binding.DCDataControl.invokeMethod(DCDataControl.java:2143)
at oracle.adf.model.bc4j.DCJboDataControl.invokeMethod(DCJboDataControl.java:3114)
at oracle.adf.model.binding.DCInvokeMethod.callMethod(DCInvokeMethod.java:261)
at oracle.jbo.uicli.binding.JUCtrlActionBinding.doIt(JUCtrlActionBinding.java:1635)
at oracle.adf.model.binding.DCDataControl.invokeOperation(DCDataControl.java:2150)
at oracle.jbo.uicli.binding.JUCtrlActionBinding.invoke(JUCtrlActionBinding.java:740)
at oracle.adf.controller.v2.lifecycle.PageLifecycleImpl.executeEvent(PageLifecycleImpl.java:402)
at oracle.adfinternal.view.faces.model.binding.FacesCtrlActionBinding._execute(FacesCtrlActionBinding.java:252)
at oracle.adfinternal.view.faces.model.binding.FacesCtrlActionBinding.execute(FacesCtrlActionBinding.java:210)
at oracle.iam.ui.platform.utils.FacesUtils.executeOperationBinding(FacesUtils.java:165)
Caused by: java.lang.NullPointerException
at oracle.iam.request.impl.RequestEngine.startOrchestrationFromPreProcess(RequestEngine.java:5385)
at oracle.iam.request.impl.RequestEngine.triggerOperation(RequestEngine.java:5297)
at oracle.iam.request.impl.RequestEngine.doOperation(RequestEngine.java:5028)
at oracle.iam.impl.OIMServiceImpl.doOperation(OIMServiceImpl.java:43)
at sun.reflect.GeneratedMethodAccessor2994.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:601)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
at oracle.iam.platform.utils.DMSMethodInterceptor.invoke(DMSMethodInterceptor.java:25)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
at $Proxy384.doOperation(Unknown Source)
at oracle.iam.api.OIMServiceEJB.doOperationx(Unknown Source)
at sun.reflect.GeneratedMethodAccessor4224.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:601)
## Detail 0 ##
java.lang.NullPointerException
at oracle.iam.request.impl.RequestEngine.startOrchestrationFromPreProcess(RequestEngine.java:5385)
at oracle.iam.request.impl.RequestEngine.triggerOperation(RequestEngine.java:5297)
at oracle.iam.request.impl.RequestEngine.doOperation(RequestEngine.java:5028)
at oracle.iam.impl.OIMServiceImpl.doOperation(OIMServiceImpl.java:43)
at sun.reflect.GeneratedMethodAccessor2994.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:601)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
at oracle.iam.platform.utils.DMSMethodInterceptor.invoke(DMSMethodInterceptor.java:25)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
at $Proxy384.doOperation(Unknown Source)
at oracle.iam.api.OIMServiceEJB.doOperationx(Unknown Source)
at sun.reflect.GeneratedMethodAccessor4224.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:601)
at com.bea.core.repackaged.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:310)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
at com.bea.core.repackaged.springframework.aop.support.Deleg
Please help me in resolving this issue.Hi Suny,
Yes I restarted the OIM Server but getting same error.
I have logger in my code and and nothing is getting printed thet menas the code is not getting invoked itself.
My eventhandler is for postprocess and I am not understanding why i am getting PreProcess error.
java.lang.NullPointerException
at oracle.iam.request.impl.RequestEngine.startOrchestrationFromPreProcess(RequestEngine.java: -
OIM Startup Error After weblogic user password change
Hello,
I'm running OIM 10g (BP15) on WLS server in clustered mode. Everything was running smoothly until -
I changed the weblogic password after going to
security realms >myrealm >Users and Groups >weblogic > Passwords:
I was able to login to WLS using new cred (weblogic/newpasswd). But OIM server startup started giving login errors as below.
I reverted back by change by setting the old password again... but the error continued....
Please suggest. I already tried putting the correct passwords in the boot.properties. But it didn't help.
Please note.. i'm successfully able to login to WLS console.. only OIM server startup is having below errors..
OIM_SERVER1.log is opened. All server side log events will be written to this file.>
<Jan 26, 2012 6:44:31 PM PST> <Notice> <Security> <BEA-090082> <Security initializing using security realm myrealm.>
ERROR,26 Jan 2012 18:44:53,194,[XELLERATE.ACCOUNTMANAGEMENT],Class/Method: Authenticate/connect User with ID: WEBLOGIC was not found in Xellerate.
ERROR,26 Jan 2012 18:44:53,202,[XELLERATE.ACCOUNTMANAGEMENT],Class/Method: XellerateLoginModuleImpl/login encounter some problems:
com.thortech.xl.security.tcLoginException:
at com.thortech.xl.security.tcLoginExceptionUtil.createException(tcLoginExceptionUtil.java:96)
at com.thortech.xl.security.tcLoginExceptionUtil.createException(tcLoginExceptionUtil.java:53)
at com.thortech.xl.security.Authenticate.connect(Authenticate.java:152)
at com.thortech.xl.security.Authenticate.connect(Authenticate.java:71)
at com.thortech.xl.security.wl.XellerateLoginModuleImpl.login(XellerateLoginModuleImpl.java:159)
at com.bea.common.security.internal.service.LoginModuleWrapper$1.run(LoginModuleWrapper.java:110)
at com.bea.common.security.internal.service.LoginModuleWrapper.login(LoginModuleWrapper.java:106)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
at com.bea.common.security.internal.service.JAASLoginServiceImpl.login(JAASLoginServiceImpl.java:113)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.bea.common.security.internal.utils.Delegator$ProxyInvocationHandler.invoke(Delegator.java:57)
at $Proxy22.login(Unknown Source)
at weblogic.security.service.internal.WLSJAASLoginServiceImpl$ServiceImpl.login(WLSJAASLoginServiceImpl.java:89)
at com.bea.common.security.internal.service.JAASAuthenticationServiceImpl.authenticate(JAASAuthenticationServiceImpl.java:82)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.bea.common.security.internal.utils.Delegator$ProxyInvocationHandler.invoke(Delegator.java:57)
at $Proxy40.authenticate(Unknown Source)
at weblogic.security.service.WLSJAASAuthenticationServiceWrapper.authenticate(WLSJAASAuthenticationServiceWrapper.java:40)
at weblogic.security.service.PrincipalAuthenticator.authenticate(PrincipalAuthenticator.java:348)
at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.doBootAuthorization(CommonSecurityServiceManagerDelegateImpl.java:929)
at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1050)
at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:873)
at weblogic.security.SecurityService.start(SecurityService.java:141)
at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:178)
<Jan 26, 2012 6:44:53 PM PST> <Critical> <Security> <BEA-090402> <Authentication denied: Boot identity not valid; The user name and/or password from the boot identity file (boot.properties) is not valid. The boot identity may have been changed since the boot identity file was created. Please edit and update the boot identity file with the proper values of username and password. The first time the updated boot identity file is used to start the server, these new values are encrypted.>
<Jan 26, 2012 6:44:53 PM PST> <Critical> <WebLogicServer> <BEA-000386> <Server subsystem failed. Reason: weblogic.security.SecurityInitializationException: Authentication denied: Boot identity not valid; The user name and/or password from the boot identity file (boot.properties) is not valid. The boot identity may have been changed since the boot identity file was created. Please edit and update the boot identity file with the proper values of username and password. The first time the updated boot identity file is used to start the server, these new values are encrypted.
weblogic.security.SecurityInitializationException: Authentication denied: Boot identity not valid; The user name and/or password from the boot identity file (boot.properties) is not valid. The boot identity may have been changed since the boot identity file was created. Please edit and update the boot identity file with the proper values of username and password. The first time the updated boot identity file is used to start the server, these new values are encrypted.
at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.doBootAuthorization(CommonSecurityServiceManagerDelegateImpl.java:959)
at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1050)
at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:873)
at weblogic.security.SecurityService.start(SecurityService.java:141)
at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
Truncated. see log file for complete stacktrace
Caused By: javax.security.auth.login.FailedLoginException: [Security:090304]Authentication Failed: User weblogic javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User weblogic denied
at weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.login(LDAPAtnLoginModuleImpl.java:261)
at com.bea.common.security.internal.service.LoginModuleWrapper$1.run(LoginModuleWrapper.java:110)
at com.bea.common.security.internal.service.LoginModuleWrapper.login(LoginModuleWrapper.java:106)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
Truncated. see log file for complete stacktrace
>
<Jan 26, 2012 6:44:53 PM PST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FAILED>
<Jan 26, 2012 6:44:53 PM PST> <Error> <WebLogicServer> <BEA-000383> <A critical service failed. The server will shut itself down>
<Jan 26, 2012 6:44:53 PM PST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FORCE_SHUTTING_DOWN>
Thanks,Got the solution :
1. Log on to the WebLogic Server Administration Console.
2. Click the domain name for the Managed Server.
3. Click View Domain-wide security settings.
4. Click the Embedded LDAP tab.
5. Select the Refresh replica at startup option, and then click Apply. -
Login issue in OIM11g due to oim credsmap error
We have OIM 11gR2PS1 installed on unix box. We have AD connector 11.1.1.5.0 installed on it .Also,peoplesoft recon connector PSFT_ER-11.1.1.5.0 is installed
In our scenario,we have webservice code in which using recon event we are creating users in OIM environment
This is hosted on same OIM server unix box.Inside webservice code we have refred oimclient.jar file to work with OIM APIs and Recon Service class.
When i tested webservice for first time it was unable to load OIM API classes as it was unable to find oimclient.jar in classpath.
So to resolve this issue i kept oimclient.jar in location- "WL_HOME/server/lib/" and also added following entry in setDomainEnv.sh to load oimclient.jar explicitly in classpath
CLASSPATH="WL_HOME/server/lib/oimclient.jar:${CLASSPATH}"
export CLASSPATH
and made entry in system-jazn-data.xml present in DOMAIN_HOME//config/fmwconfig/ as :
<grant>
<grantee>
<codesource>
<url>file:${domain.home}/servers/oim_server1/stage/*</url>
</codesource>
</grantee>
<permissions>
<permission>
<class>oracle.security.jps.service.credstore.CredentialAccessPermission</class>
<name>context=SYSTEM,mapName=oim,keyName=*</name>
<actions>read,write</actions>
</permission>
</permissions>
</grant>
After this change, webservice was working as expected and OIM related things were working fine.
But,when we tried to run schedule task "Active Directory Group Lookup Recon" for AD, we are getting error message as :
java.lang.LinkageError: loader constraint violation: loader (instance of com/thortech/xl/dataobj/tcADPClassLoader) previously initiated loading for a different type with name "com/thortech/xl/dataaccess/tcDataProvider"
So,to resolve this AD schedule task issue,we rolled back changes made for webservice in setDomainEnv.sh and system-jazn-data.xml file
and removed explicit classpath entry line of oimclient.jar from setDomainEnv.sh
But after restrating all admin and managed servers,we are currently facing issue in logging into OIM idenity/syadmin or design console with xelsyadm credentials
we have never made any changes of password for xelsyadm account or not made any change in any authenticatorproviders in weblogic console
we tried everything form reverting all changes to original setup without webservice or peoplesoft listener implementation
removed all explicit classpath entries or grant entry for oim credsmap from system-jazn-data.xml.
But still same issue persists
Any helpful suggestion is appreciated on this ASAP.
issue logs are:
TaskFlow Registration: TaskFlowDeployerThread.registerTaskFlowWithTask - Error while setting task display, this can happen with app loading issue, trying to load for 2
<Nov 11, 2013 11:24:20 PM EST> <Warning> <oracle.soa.services.workflow.worklist> <BEA-000000> <<.> Error while setting task display, this can happen with app loading issue, trying to load for 2>
<Nov 11, 2013 11:24:24 PM EST> <Error> <XELLERATE.ACCOUNTMANAGEMENT> <BEA-000000> <Class/Method: tcDefaultDBEncryptionImpl/initKeyStore encounter some problems: access denied ("oracle.security.jps.service.credstore.CredentialAccessPermission" "context=SYSTEM,mapName=oim,keyName=.xldatabasekey" "read")
java.security.AccessControlException: access denied ("oracle.security.jps.service.credstore.CredentialAccessPermission" "context=SYSTEM,mapName=oim,keyName=.xldatabasekey" "read")
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:372)
at java.security.AccessController.checkPermission(AccessController.java:559)
at oracle.security.jps.util.JpsAuth$AuthorizationMechanism$3.checkPermission(JpsAuth.java:458)
at oracle.security.jps.util.JpsAuth.checkPermission(JpsAuth.java:518)
at oracle.security.jps.util.JpsAuth.checkPermission(JpsAuth.java:544)
at oracle.security.jps.internal.credstore.util.CsfUtil.checkPermission(CsfUtil.java:643)
at oracle.security.jps.internal.credstore.ldap.LdapCredentialStore.containsCredential(LdapCredentialStore.java:214)
at oracle.iam.platform.utils.config.OIMPrivilegedExceptionAction.run(CSFCredentialProvider.java:236)
at java.security.AccessController.doPrivileged(Native Method)
at oracle.iam.platform.utils.config.CSFCredentialProvider.getPassword(CSFCredentialProvider.java:79)
at oracle.iam.platform.utils.config.standalone.StandAloneCryptoConfig.getPassword(StandAloneCryptoConfig.java:76)
at com.thortech.xl.crypto.tcDefaultDBEncryptionImpl.initKeyStore(tcDefaultDBEncryptionImpl.java:67)
at com.thortech.xl.crypto.tcDefaultDBEncryptionImpl.getCipher(tcDefaultDBEncryptionImpl.java:96)
at com.thortech.xl.crypto.tcDefaultDBEncryptionImpl.encrypt(tcDefaultDBEncryptionImpl.java:193)
at com.thortech.xl.crypto.tcCryptoUtil.encrypt(tcCryptoUtil.java:118)
at com.thortech.xl.crypto.tcCryptoUtil.encrypt(tcCryptoUtil.java:275)
at oracle.iam.platform.auth.impl.Authenticator.encrypt(Authenticator.java:188)
at oracle.iam.platform.auth.impl.Authenticator.authenticateWithPassword(Authenticator.java:161)
at oracle.iam.platform.auth.impl.Authenticator.authenticate(Authenticator.java:134)
at oracle.iam.platform.auth.providers.wls.OIMAuthLoginModule.login(OIMAuthLoginModule.java:46)
at com.bea.common.security.internal.service.LoginModuleWrapper$1.run(LoginModuleWrapper.java:110)
at java.security.AccessController.doPrivileged(Native Method)
at com.bea.common.security.internal.service.LoginModuleWrapper.login(LoginModuleWrapper.java:106)
at sun.reflect.GeneratedMethodAccessor951.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:784)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:698)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:696)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:695)
at javax.security.auth.login.LoginContext.login(LoginContext.java:594)
at com.bea.common.security.internal.service.JAASLoginServiceImpl.login(JAASLoginServiceImpl.java:113)
at sun.reflect.GeneratedMethodAccessor961.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at com.bea.common.security.internal.utils.Delegator$ProxyInvocationHandler.invoke(Delegator.java:57)
at com.sun.proxy.$Proxy16.login(Unknown Source)
at weblogic.security.service.internal.WLSJAASLoginServiceImpl$ServiceImpl.login(WLSJAASLoginServiceImpl.java:89)
at com.bea.common.security.internal.service.JAASAuthenticationServiceImpl.authenticate(JAASAuthenticationServiceImpl.java:82)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at com.bea.common.security.internal.utils.Delegator$ProxyInvocationHandler.invoke(Delegator.java:57)
at com.sun.proxy.$Proxy34.authenticate(Unknown Source)
at weblogic.security.service.WLSJAASAuthenticationServiceWrapper.authenticate(WLSJAASAuthenticationServiceWrapper.java:40)
at weblogic.security.service.PrincipalAuthenticator.authenticate(PrincipalAuthenticator.java:338)
at weblogic.servlet.security.internal.SecurityModule.checkAuthenticate(SecurityModule.java:252)
at weblogic.servlet.security.ServletAuthentication.login(ServletAuthentication.java:466)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at oracle.idm.common.login.SignInBean.handleWeblogicAuthn(SignInBean.java:131)
at oracle.idm.common.login.SignInBean.doLogin(SignInBean.java:97)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at com.sun.el.parser.AstValue.invoke(AstValue.java:187)
at com.sun.el.MethodExpressionImpl.invoke(MethodExpressionImpl.java:297)
at org.apache.myfaces.trinidadinternal.taglib.util.MethodExpressionMethodBinding.invoke(MethodExpressionMethodBinding.java:53)
at org.apache.myfaces.trinidad.component.UIXComponentBase.broadcastToMethodBinding(UIXComponentBase.java:1256)
at org.apache.myfaces.trinidad.component.UIXCommand.broadcast(UIXCommand.java:183)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2273)
at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2179)
at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1490)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
>
<Nov 11, 2013 11:24:24 PM EST> <Error> <OIM Authenticator> <BEA-000000> <Error encrypting password>
java.lang.reflect.InvocationTargetException
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at oracle.idm.common.login.SignInBean.handleWeblogicAuthn(SignInBean.java:131)
at oracle.idm.common.login.SignInBean.doLogin(SignInBean.java:97)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at com.sun.el.parser.AstValue.invoke(AstValue.java:187)
at com.sun.el.MethodExpressionImpl.invoke(MethodExpressionImpl.java:297)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at oracle.dms.servlet.DMSServletFilter.doFilter(DMSServletFilter.java:139)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at weblogic.servlet.internal.RequestEventsFilter.doFilter(RequestEventsFilter.java:27)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3730)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3696)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2273)
at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2179)
at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1490)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
Caused by: javax.security.auth.login.FailedLoginException: [Security:090304]Authentication Failed: User xelsysadm javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User xelsysadm denied
at weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.login(LDAPAtnLoginModuleImpl.java:261)
at com.bea.common.security.internal.service.LoginModuleWrapper$1.run(LoginModuleWrapper.java:110)
at java.security.AccessController.doPrivileged(Native Method)
at com.bea.common.security.internal.service.LoginModuleWrapper.login(LoginModuleWrapper.java:106)
at sun.reflect.GeneratedMethodAccessor951.invoke(Unknown Source)
at com.bea.common.security.internal.utils.Delegator$ProxyInvocationHandler.invoke(Delegator.java:57)
at com.sun.proxy.$Proxy34.authenticate(Unknown Source)
at weblogic.security.service.WLSJAASAuthenticationServiceWrapper.authenticate(WLSJAASAuthenticationServiceWrapper.java:40)
at weblogic.security.service.PrincipalAuthenticator.authenticate(PrincipalAuthenticator.java:338)
at weblogic.servlet.security.internal.SecurityModule.checkAuthenticate(SecurityModule.java:252)
at weblogic.servlet.security.ServletAuthentication.login(ServletAuthentication.java:466)
... 72 moreHi All,
I have tried out option of adding authwl.conf in java argument as mentioned. But,still same issue persists. I think it will be same whether we refer authwl.conf file from OIM_ORACLE_HOME/server/config or OIM_ORACLE_HOME/designconsole/config/ location.
We havent made any changes in USR table for xelsysadm user
Even system-jazn-data.xml is intact.
Actually,when i removed following classpath entry from setDomainEnv.sh file
CLASSPATH="WL_HOME/server/lib/oimclient.jar:${CLASSPATH}"
export CLASSPATH
Its working fine and i am not facing any login issue in OIM console.Also the Active Directory connector scheduled task are running fine without giving earlier error whic is becaus of explicit classpath addition in setDomainEnv.sh.This error was
java.lang.LinkageError: loader constraint violation: loader (instance of com/thortech/xl/dataobj/tcADPClassLoader) previously initiated loading for a different type with name "com/thortech/xl/dataaccess/tcDataProvider" .
This error was arising since i have explicitly mentioned oimclient.jar again in classpath and as OIM server also will load it at OIM server startup time. So it was finding two instance of tcDataProvider and was not able to decide to refer to which one of them.
But, I have to refer oimclient.jar in my webservice code to work.If we dont add classpath entry explicitly for oimclient.jar then it will throw error..that it is unable to load OIMClient class.
Webservice is deployed in OIM serveer . Is there any other way by which i can refer oimclient class in webservice code without causing this classpath conflict issue. ?
Also.is it correctthat for first time when we load Classpath explicitly like i did in my scenario,then it will always try to refer same classpath for that jar always.
For ex: in my env i made changes in setDomainEnv.sh and modifed classpath enrty as :
CLASSPATH="${OIM_ORACLE_HOME}/server/client/oimclient.jar:${CLASSPATH}"
export CLASSPATH
but this time it will start throwin the exception as :
<Nov 11, 2013 11:24:24 PM EST> <Error> <XELLERATE.ACCOUNTMANAGEMENT> <BEA-000000> <Class/Method: tcDefaultDBEncryptionImpl/initKeyStore encounter some problems: access denied ("oracle.security.jps.service.credstore.CredentialAccessPermission" "context=SYSTEM,mapName=oim,keyName=.xldatabasekey" "read")
java.security.AccessControlException: access denied ("oracle.security.jps.service.credstore.CredentialAccessPermission" "context=SYSTEM,mapName=oim,keyName=.xldatabasekey" "read")
Do i need to reinstall OIM setup to resolve this issue or is there any other way to refer oimclient.jar in my webservice code deployed in OIM env ?
Please suggest.
Thanks,
RPB -
Invalid Login error while trying to login to OIM console
Hi,
I have installed OIM 11gR2 in my local environment. It was working fine a day back but post installation of OAM, I am unable to login to OIM console with the correct credentials. OIM and OAM had been installed in the same domain. I deleted the OAM server but even after that it is not working. Getting the following error :
<Oct 23, 2013 11:27:25 AM IST> <Error> <Default> <BEA-000000> <Failed to communicate with any of configured Access Server, ensure that it is up and running.>
java.lang.reflect.InvocationTargetException
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at oracle.idm.common.login.SignInBean.handleWeblogicAuthn(SignInBean.java:127)
at oracle.idm.common.login.SignInBean.doLogin(SignInBean.java:97)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at com.sun.el.parser.AstValue.invoke(AstValue.java:187)
at com.sun.el.MethodExpressionImpl.invoke(MethodExpressionImpl.java:297)
at org.apache.myfaces.trinidadinternal.taglib.util.MethodExpressionMethodBinding.invoke(MethodExpressionMethodBinding.java:53)
at org.apache.myfaces.trinidad.component.UIXComponentBase.broadcastToMethodBinding(UIXComponentBase.java:1415)
at org.apache.myfaces.trinidad.component.UIXCommand.broadcast(UIXCommand.java:183)
at oracle.adf.view.rich.component.fragment.UIXInclude.broadcast(UIXInclude.java:103)
at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent$1.run(ContextSwitchingComponent.java:92)
at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent._processPhase(ContextSwitchingComponent.java:361)
at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent.broadcast(ContextSwitchingComponent.java:96)
at oracle.adf.view.rich.component.fragment.UIXInclude.broadcast(UIXInclude.java:97)
at javax.faces.component.UIViewRoot.broadcastEvents(UIViewRoot.java:475)
at javax.faces.component.UIViewRoot.processApplication(UIViewRoot.java:756)
at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl._invokeApplication(LifecycleImpl.java:957)
at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl._executePhase(LifecycleImpl.java:427)
at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:207)
at javax.faces.webapp.FacesServlet.service(FacesServlet.java:265)
at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:301)
at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at oracle.adf.model.servlet.ADFBindingFilter.doFilter(ADFBindingFilter.java:205)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at oracle.adf.view.page.editor.webapp.WebCenterComposerFilter.doFilter(WebCenterComposerFilter.java:117)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at oracle.adfinternal.view.faces.webapp.rich.RegistrationFilter.doFilter(RegistrationFilter.java:128)
at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl$FilterListChain.doFilter(TrinidadFilterImpl.java:446)
at oracle.adfinternal.view.faces.activedata.AdsFilter.doFilter(AdsFilter.java:60)
at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl$FilterListChain.doFilter(TrinidadFilterImpl.java:446)
at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl._doFilterImpl(TrinidadFilterImpl.java:271)
at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl.doFilter(TrinidadFilterImpl.java:177)
at org.apache.myfaces.trinidad.webapp.TrinidadFilter.doFilter(TrinidadFilter.java:92)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at oracle.help.web.rich.OHWFilter.doFilter(Unknown Source)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at oracle.iam.ui.platform.servletfilter.IdentityContextFilter.doFilter(IdentityContextFilter.java:50)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at oracle.adf.library.webapp.LibraryFilter.doFilter(LibraryFilter.java:180)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at oracle.iam.ui.platform.view.authz.filter.AdvancedConsoleAccessFilter.doFilter(AdvancedConsoleAccessFilter.java:125)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at oracle.security.jps.ee.http.JpsAbsFilter$1.run(JpsAbsFilter.java:119)
at java.security.AccessController.doPrivileged(Native Method)
at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:324)
at oracle.security.jps.ee.util.JpsPlatformUtil.runJaasMode(JpsPlatformUtil.java:460)
at oracle.security.jps.ee.http.JpsAbsFilter.runJaasMode(JpsAbsFilter.java:103)
at oracle.security.jps.ee.http.JpsAbsFilter.doFilter(JpsAbsFilter.java:171)
at oracle.security.jps.ee.http.JpsFilter.doFilter(JpsFilter.java:71)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at oracle.security.am.agent.wls.filters.OAMServletAuthenticationFilter.doFilter(OAMServletAuthenticationFilter.java:264)
at oracle.security.am.agent.wls.filters.OAMValidationSystemFilter.doFilter(OAMValidationSystemFilter.java:133)
at oracle.security.wls.oamagent.OAMAgentWrapperFilter.doFilter(OAMAgentWrapperFilter.java:120)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at oracle.dms.servlet.DMSServletFilter.doFilter(DMSServletFilter.java:163)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at weblogic.servlet.internal.RequestEventsFilter.doFilter(RequestEventsFilter.java:27)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3730)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3696)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2273)
at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2179)
at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1490)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
Caused by: javax.security.auth.login.FailedLoginException: [Security:090304]Authentication Failed: User xelsysadm javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User xelsysadm denied
at weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.login(LDAPAtnLoginModuleImpl.java:261)
at com.bea.common.security.internal.service.LoginModuleWrapper$1.run(LoginModuleWrapper.java:110)
at java.security.AccessController.doPrivileged(Native Method)
at com.bea.common.security.internal.service.LoginModuleWrapper.login(LoginModuleWrapper.java:106)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:784)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:698)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:696)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:695)
at javax.security.auth.login.LoginContext.login(LoginContext.java:594)
at com.bea.common.security.internal.service.JAASLoginServiceImpl.login(JAASLoginServiceImpl.java:113)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at com.bea.common.security.internal.utils.Delegator$ProxyInvocationHandler.invoke(Delegator.java:57)
at com.sun.proxy.$Proxy16.login(Unknown Source)
at weblogic.security.service.internal.WLSJAASLoginServiceImpl$ServiceImpl.login(WLSJAASLoginServiceImpl.java:89)
at com.bea.common.security.internal.service.JAASAuthenticationServiceImpl.authenticate(JAASAuthenticationServiceImpl.java:82)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at com.bea.common.security.internal.utils.Delegator$ProxyInvocationHandler.invoke(Delegator.java:57)
at com.sun.proxy.$Proxy34.authenticate(Unknown Source)
at weblogic.security.service.WLSJAASAuthenticationServiceWrapper.authenticate(WLSJAASAuthenticationServiceWrapper.java:40)
at weblogic.security.service.PrincipalAuthenticator.authenticate(PrincipalAuthenticator.java:338)
at weblogic.servlet.security.internal.SecurityModule.checkAuthenticate(SecurityModule.java:252)
at weblogic.servlet.security.ServletAuthentication.login(ServletAuthentication.java:466)
... 76 more
Any help will be appreciated.
ThanksOAM side:
How you deleted OAM server?
It seems that OAM server not uninstalled clearly.
OIM side:
Check for the OIMAuthenticator in the security->realms->myrealm in weblogic
There should be OIMAuthenticator to authenticate OIM users through the database.
Is your DefaultAuthenticator also set to Sufficient? -
Problems Implementation Password Policy on OIM 9.1.0
Hello,,,
Please help me,
i was create password policy on OIM, i inject that pass policy to one of resource object, i create object form and process form with same configuration ( field table ), i use data flow to transmit the data between object form and process form..
i set process definition with check AUTO SAVE FORM, and AUTO PRE-POPULATE,
the Problems is :
1. When i try to do provisioning process ( with delegated admin : xelsysadm ) to that resource object (target system) , after admin submit , status process is provisioning, and the detail is System Validation : Pending
2. Then i try to remove password policy on resource object, and i try again to do the provisioning, and the process working fine, status process provisioned, detail process
system validation : completed, Create user : completed
why it'is happen ?
that the important point is, why AUTO SAVE FORM cannot working fine if i inject Password Policy on resource Object...
Warm regards,
Ricky R
ManilaWhen you say you have checked auto prepop means that there are pre pops attached to certain fields on your process form that you want to be auto triggered before provisioning commences. So i'm assuming that you are pre-populating password field. Is the password value that you are prepopping the field with conform to the standards of the password policy? If not that could be the reason why your provisioning process isnt getting kicked off. you will need to supply a password (either manually or if you want to automate it (pre pop it)) that coforms to the password policy defined on the resource object. Also i think the name of the password field must be _PASSWORD.
-
Customizing labels in Admin Console of OIM
Hi,
I had done some labels change in Advanced & Self Service console of OIM using OIMUI.jar. Now, i need to change the labels in Administration console. If I search for a user and select the user here, I can see whatever his Resources,Roles, Proxies etc he is having. Now, I need to change the label of Roles with some other name. Along with it, the headers in the Roles table like Display Name,Role Name, Description,Role Namespace etc. should also be changed. But I am unable to find the exact properties file in OIMUI or am I looking at the correct jar to do these changes in Oracle Identity Manager - Delegated Administration console.
Please let me know.
Thanks in advanceThanks so much Rajiv. Changes getting reflected.
-
Hi,
My OIM 11g installation was working fine. Suddenly I started getting the below error while trying to login to OIM admin and design console
<Sep 2, 2012 6:34:11 PM IST> <Alert> <Diagnostics> <BEA-320016> <Creating diagnostic image in c:\oracle\middleware\user_projects\domains\idmdomain\servers\oim_server1\adr\diag\ofm\idmdomain\oim_server1\incident\incdir_5 with a lockout minute period of 1.>
<Sep 2, 2012 6:34:23 PM IST> <Error> <XELLERATE.ACCOUNTMANAGEMENT> <BEA-000000><Class/Method: tcDefaultDBEncryptionImpl/initKeyStore encounter some problems: access denied (oracle.security.jps.service.credstore.CredentialAccessPermission context=SYSTEM,mapName=oim,keyName=.xldatabasekey read)
java.security.AccessControlException: access denied (oracle.security.jps.service.credstore.CredentialAccessPermission context=SYSTEM,mapName=oim,keyName=.xldatabasekey read)
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
at java.security.AccessController.checkPermission(AccessController.java:546)
at oracle.security.jps.util.JpsAuth$AuthorizationMechanism$3.checkPermission(JpsAuth.java:436)
at oracle.security.jps.util.JpsAuth.checkPermission(JpsAuth.java:496)
at oracle.security.jps.util.JpsAuth.checkPermission(JpsAuth.java:519)
at oracle.security.jps.internal.credstore.util.CsfUtil.checkPermission(CsfUtil.java:611)
at oracle.security.jps.internal.credstore.ssp.SspCredentialStore.containsCredential(SspCredentialStore.java:299)
at oracle.iam.platform.utils.config.OIMPrivilegedExceptionAction.run(CSFCredentialProvider.java:205)
at java.security.AccessController.doPrivileged(Native Method)
at oracle.iam.platform.utils.config.CSFCredentialProvider.getPassword(CSFCredentialProvider.java:75)
at oracle.iam.platform.utils.config.standalone.StandAloneCryptoConfig.getPassword(StandAloneCryptoConfig.java:80)
at com.thortech.xl.crypto.tcDefaultDBEncryptionImpl.initKeyStore(tcDefaultDBEncryptionImpl.java:67)
at com.thortech.xl.crypto.tcDefaultDBEncryptionImpl.getCipher(tcDefaultDBEncryptionImpl.java:96)
at com.thortech.xl.crypto.tcDefaultDBEncryptionImpl.encrypt(tcDefaultDBEncryptionImpl.java:193)
at com.thortech.xl.crypto.tcCryptoUtil.encrypt(tcCryptoUtil.java:118)
at com.thortech.xl.crypto.tcCryptoUtil.encrypt(tcCryptoUtil.java:275)
at oracle.iam.platform.auth.impl.Authenticator.encrypt(Authenticator.java:185)
at oracle.iam.platform.auth.impl.Authenticator.authenticateWithPassword(Authenticator.java:160)
at oracle.iam.platform.auth.impl.Authenticator.authenticate(Authenticator.java:133)
at oracle.iam.platform.auth.providers.wls.OIMAuthLoginModule.login(OIMAuthLoginModule.java:44)
at com.bea.common.security.internal.service.LoginModuleWrapper$1.run(LoginModuleWrapper.java:110)
at java.security.AccessController.doPrivileged(Native Method)
at com.bea.common.security.internal.service.LoginModuleWrapper.login(LoginModuleWrapper.java:106)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
at com.bea.common.security.internal.service.JAASLoginServiceImpl.login(JAASLoginServiceImpl.java:113)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.bea.common.security.internal.utils.Delegator$ProxyInvocationHandler.invoke(Delegator.java:57)
at $Proxy25.login(Unknown Source)
at weblogic.security.service.internal.WLSJAASLoginServiceImpl$ServiceImpl.login(WLSJAASLoginServiceImpl.java:89)
at com.bea.common.security.internal.service.JAASAuthenticationServiceImpl.authenticateJAASAuthenticationServiceImpl.java:82)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.bea.common.security.internal.utils.Delegator$ProxyInvocationHandler.invoke(Delegator.java:57)
at $Proxy43.authenticate(Unknown Source)
at weblogic.security.service.WLSJAASAuthenticationServiceWrapper.authenticateWLSJAASAuthenticationServiceWrapper.java:40)
at weblogic.security.service.PrincipalAuthenticator.authenticate(PrincipalAuthenticator.java:348)
at weblogic.servlet.security.internal.SecurityModule.checkAuthenticate(SecurityModule.java:251)
at weblogic.servlet.security.ServletAuthentication.login(ServletAuthentication.java:413)
at oracle.idm.common.login.SignInBean.doLogin(SignInBean.java:88)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.sun.el.parser.AstValue.invoke(Unknown Source)
at com.sun.el.MethodExpressionImpl.invoke(Unknown Source)
at org.apache.myfaces.trinidadinternal.taglib.util.MethodExpressionMethodBinding.invokeMethodExpressionMethodBinding.java:53)
at org.apache.myfaces.trinidad.component.UIXComponentBase.broadcastToMethodBinding(UIXComponentBase.java:1256)
at org.apache.myfaces.trinidad.component.UIXCommand.broadcast(UIXCommand.java:183)
at oracle.adf.view.rich.component.fragment.UIXInclude.broadcast(UIXInclude.java:102)
at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent$1.run(ContextSwitchingComponent.java:92)
at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent._processPhaseContextSwitchingComponent.java:361)
at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent.broadcast(ContextSwitchingComponent.java:96)
at oracle.adf.view.rich.component.fragment.UIXInclude.broadcast(UIXInclude.java:96)
at javax.faces.component.UIViewRoot.broadcastEvents(UIViewRoot.java:475)
at javax.faces.component.UIViewRoot.processApplication(UIViewRoot.java:756)
at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl._invokeApplication(LifecycleImpl.java:788)
at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl._executePhase(LifecycleImpl.java:306)
at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:186)
at javax.faces.webapp.FacesServlet.service(FacesServlet.java:265)
at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:300)
at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at oracle.help.web.rich.OHWFilter.doFilter(Unknown Source)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at oracle.adf.model.servlet.ADFBindingFilter.doFilter(ADFBindingFilter.java:205)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at oracle.adfinternal.view.faces.webapp.rich.RegistrationFilter.doFilter(RegistrationFilter.java:106)
at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl$FilterListChain.doFilter(TrinidadFilterImpl.java:446)
at oracle.adfinternal.view.faces.activedata.AdsFilter.doFilter(AdsFilter.java:60)
at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl$FilterListChain.doFilter(TrinidadFilterImpl.java:446)
at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl._doFilterImpl(TrinidadFilterImpl.java:271)
at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl.doFilter(TrinidadFilterImpl.java:177)
at org.apache.myfaces.trinidad.webapp.TrinidadFilter.doFilter(TrinidadFilter.java:92)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at oracle.iam.platform.auth.web.OIMUnauthContextFilter.doFilter(OIMUnauthContextFilter.java:63)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at oracle.adf.library.webapp.LibraryFilter.doFilter(LibraryFilter.java:175)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at oracle.security.jps.ee.http.JpsAbsFilter$1.run(JpsAbsFilter.java:111)
at java.security.AccessController.doPrivileged(Native Method)
at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:313)
at oracle.security.jps.ee.util.JpsPlatformUtil.runJaasMode(JpsPlatformUtil.java:413)
at oracle.security.jps.ee.http.JpsAbsFilter.runJaasMode(JpsAbsFilter.java:94)
at oracle.security.jps.ee.http.JpsAbsFilter.doFilter(JpsAbsFilter.java:161)
at oracle.security.jps.ee.http.JpsFilter.doFilter(JpsFilter.java:71)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at oracle.dms.servlet.DMSServletFilter.doFilter(DMSServletFilter.java:136)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at weblogic.servlet.internal.RequestEventsFilter.doFilter(RequestEventsFilter.java:27)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3715)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3681)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2277)
at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2183)
at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1454)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:178)
>
<Sep 2, 2012 6:34:23 PM IST> <Error> <OIM Authenticator> <BEA-000000> <Error encrypting password>
I uninstalled the whole OIM, SOA and DB and installed the same again but I am still getting the same error.
Please help me in solving this issue as I am struck and don't know how to process further.
I am using 64 bit installation of OIM.
Thanks in advance.Have you gone through below.
1. Check the file permissions on ".xldatabasekey" in <DOMAIN_HOME>/config/fmwconfig/
2. Check the credential store map in EM. Further reading: http://download.oracle.com/docs/cd/E14571_01/doc.1111/e14308/handlinglcm.htm#CIAEFAGF
Article 1327577.1, talk about "required steps to be able to deploy a custom J2EE application that is able to interact with the Credential Store Framework to retrieve user credential" -
OIM 11g - Limiting support users to assign roles to correct users
We have OIM 11.1.1.5.0 and support a couple of third party organizations with delegated administration.
Admins in OrgA have an admin role AdminRoleA which allows them to assign UserRoleA to their users. Similarly, admins in OrgB are given AdminRoleB that gives them the ability to assign UserRoleB to their users.
We have support groups that can help these organizations. I have defined the Support role to inherit from AdminRoleA and AdminRoleB. The problem that I'm finding is that the support user can assign UserRoleB to a user in the other organization OrgA.
I could probably solve this by writing custom code in a validation handler but I just wondered if I was missing something and should have configured these roles and auth policies differently.
Thanks.Thanks, I was afraid of having to do mess with the backend like that. What if I removed the the "all users" role from people I didn't want to have that access? How would that affect the user?
EDIT- It appears as though you cannot revoke that role. I guess I had never tried to do it before.
Edited by: 970312 on Jan 28, 2013 7:52 PM -
There's a requirement from my customer that I have to create a group containing only managers and I have to give them only manage user menu item.In that manage user menu item they can see only their reportees and nothing else.
So I created a delegated group called managers and gave them the manage user menu item.When I login in OIM as one of the member of the group I get to see the menu item in the web console but when I search besed on user id I get the following error
Your search did not return any results.
Try again.
So guys please help with this and in the manage user filter i dont need all other attributes like search based on userid,employee no etcLook at tjspSearchUser.jsp in xlWebApp/pages and tjspSearchUserTiles.jsp in xlWebApp/tiles , you could make your custom code based on it then you could create a new menu item for your custom search criteria only for your managers
Oracle has a workshop explaining these customizing task, i don't know if it is public content. -
OIM vs OIA : Identity Certification
Hello Experts,
I need to analyze the Identity Certification feature of OIM 11gR2 vs OIA i.e. what advantage/disadvantage do one has over the other.
What all features are supported by one and not by the other. Is it really necessary to install OIA for the purpose of identity certifications or OIM 11gR2 is sufficient.
Kindly share some link/info which has this kind of comparison.
Thanks :)You can delegate all accounts belong to certain user to someone else in "User Entitlement Certification". This is available when you check the option "Employee Verification Required" while creating the certification. You cannot selectively select certain accounts to be delegated to another certifier.
-
OIM resource permission configuration
Hello,
We are required to configure a user groups that should be able to modify user profile and resource A while restricting modifications on resource B.
If a member of this group makes a modification to the user attribute that would trigger access policy and subsequently changes child table in resource B, OIM fails to update the user since the user has no pinsert ermission for resource B (Error evaluating access policy)..
Is there a solution for this problem?
ThanksAccess policies are mostly for provisioning, you're talking about delegated administration where the delegated admin is allowed to manage resource A but not resource B. This requires customization in both 9.1 and 11g. In 11g there's an authorization policy concept that can be used along with organizations but it's still not a good fit for what you're trying to do. Anyway you can implement this by checking the user's permissions against your own (custom) authorization model. Search the forum, this has come up before.
-
Reconciliation with resource and delegation
Hi All,
I have developed a java class that is working fine for the delegation purpose means as per the inputs, it sets the delegatee for that user for a particular interval.
Now my requirement is that when I reconcile OIM against a resource, suppose AD, then the value set as delegatee in AD should also be reconciled properly and also if there is any change in delegatee it should be reflected in OIM also. I think this is possible, if at the time of reconciliation I can call the java class developed for delegation. But I am not getting how it can be done on the event of changing a particular attribute? If there is any other way for doing the same, then please suggest.
Besides this, in OIM form we have location and department fields. is it possible to modify it so that the location field is a drop down list and on the basis of the value selected in location, department is populated.
Please put your points over here. It will be really helpful to me.
Thanks
GauravAdding resources to tasks may not adjust duration if the task is not effort driven or if the task is fixed duration.
When you initially assign the resource at a lower assignment unit, Project calculates the work for the resource based upon Assignment Units * Task Duration.
If after you have assigned the resource (your second scenario), you drop the assignment units, Project will, by default, not recalculate the work. It will assume you wish the resource to work fewer hours per day (lower assignment unit) on the same
amount of work. So, duration is adjusted (increased) if you drop assignment units.
See: http://office.microsoft.com/en-us/project-help/change-the-task-type-project-uses-to-calculate-task-duration-HP010092039.aspx
It applies even though the article is for 2007.
For additional information see:
http://office.microsoft.com/en-us/training/using-task-types-RZ001077906.aspx?section=6
And certainly, feel free to post back with additional questions. -
OAM / OIM - Conceptual question
Hi all,
I'm trying to understand the overlap between OAM and OIM in terms of identity management. I'm going through the OAM manuals and it talks about OAM's Identity System in a way that very closely resembles a lot of what OIM does, ie. user management, groups, delegated admin, self admin, etc...
I'm trying to understand how these two fit together. I know OIM does a lot more in terms of provisioning to other resources... is OAM considered a resources that OIM provisions to? If you have OIM and OAM, it seems that there's now 2 repositories of user data....
Can someone explain (or point me to a doc that does) the relationship(s) between OIM and OAM, how they fit together, which drives the other, etc...?
Thanks very much
AlexOAM's Identity System is web based self service tool for users to edit their information for their identity records. Forgot Password Service will help the users to reset their passwords. Oracle Access Manager's main functionality is the Single Sign On feature and to offer AU and AZ services. Also OAM's Identity System helps you to create/manage/delegate LDAP Dynamic Groups and Organizations. Remember, OAM will not be able to provision users with LDAP Accounts. You need to create LDAP Accounts and then you can manage the users via OAM Identity System. You can also create users from OAM Identity System but no one creates users from OAM Identity System in a corporate environment. OAM Identity System is designed to provision the Access Administrators with capability of creating/managing/delegating the tasks of Dynamic LDAP Groups which are in turn used in AZ rules for Access Policies. AFAIK, creating users and organizations from OAM - Identity System is not recommended. My recommendation for using the OAM Identity System is to limit the usage to LDAP Dynamic Group Creation. As a Access Administrator it will be very convincing to create the groups without contacting the LDAP Teams.
On the other hand, OIM can synchronize with Corporate HR systems/AD/LDAP and other authoritative identity sources and pull the records to OIM. Based on the business roles, OIM can automatically provision the users with all required resources with appropriate access rights. OIM also offers Forgot Password and Password Reset services which are recommended for usage in a corporate environment. Also I don't think you can create LDAP Dynamic Groups and Organizations in an authoritative LDAP via OIM.
Coming to the integration part, OAM can protect OIM and offer Single Sign On to OIM Services. OIM can provision users to OAM but not straight forwards as there is no connector provided for OAM OOTB. If you have both OIM and OAM still you have a single identity (user) store. Both OAM and OIM will talk to the single user store for synchronization. For OIM, you will have a user account in OIM System apart from the user directory but for OAM you will use the account from the user directory to access Identity and Access Services.
Maybe you are looking for
-
my ipad is disabled. What should i do?
-
Flash dynamic scrollbar determined by browser width
Hi everybody, I've been asked to recreate a scrolling panel in flash, very similar to the one on: www.un.titled.co.uk My client likes the way that whichever window width you choose, the panel re-adjusts itself. Can you see how the scrolling mechanism
-
Applying Path on Oracle 9i (9.2.0.4.0)
Hi all, I am planning to apply a upgrade path on my current Oracle Database server. I have not done this activity in past so I need to know some things before I start off. Issue 1 Does the patch applucation is self-explanatory? i.e. Does it have the
-
Upgraded 10.1.3.3.2 to 10.1.3.4.0... getting OPR4ONWY:U9IM8TAC:OI2DL65P
Upgraded 10.1.3.3.2 to 10.1.3.4.0.080726.1900 getting OPR4ONWY:U9IM8TAC:OI2DL65P One of the drill through report is getting this error never got on before the upgrade?? Any ideas? It also Changed the SQL is was running by A LOT! went from 4MB to 40MB
-
USB connection for TravelDock for MicroPhoto
I love my TravelDock, but I have a minor issue. When the MicroPhoto is docked in the TravelDock, and then connected to my computer via the USB connection in the rear of the TravelDock, the computer does not detect anything. I have the TravelDock and