Oracle Access Manager 11gR2 Account Lockout URL
I have a question on the OAM and OIM integration lockout URL.
Oracle 11gR2 documentation used is Introduction - 11g Release 2 (11.1.2.1.0)
Section 1.5.3.5 Account Lock and Unlock refers to account lockout url
4. The user's unsuccessful login attempts exceed the limit specified by the policy. Access Manager locks the user account and redirects the user to the Access Manager Account Lockout URL, which displays help desk contact information.
Where can we set up the Access Manager Account Lockout URL in 11gR2?
Try specifying the Account Lockout URL in the oam-config.xml "AccountLockedURL" attribute. I am not sure what exact values should be set for the other attributes mentioned in oam-config.xml (password policy related section), as some of them are related to OIM-OAM integration. Do you plan to integrate OIM-OAM in your environment?
Similar Messages
-
Error during execution of SSO with Oracle Access Manager 11gR2
Hello friends,
I have a problem with SSO using Oracle Access Manager 11g R2. The steps taken in this test are described below:
1. The OAM protected application is accessed through IE, Chrome and Firefox for testing purposes.
2. The OAM protected application is here redirected to the OAM page to enter the credentials for the application.
3. The application is shown, and it again asks for authentication credentials.
Here the details of the cookie:
a. cookie1: ADMINCONSOLESESSION
b. cookie2: OAMAuthnCookie_webgate11g.domain.com: 7777
We also found an error when starting the node oam_server in WebLogic Server 11g (10.3.6)
Log:
[2012-11-29T18:16:02.411-05:00] [oam_server1] [ERROR] [JPS-03156] [oracle.jps.authorization.framework] [tid: [ACTIVE].ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 0000JhEStpUFW7WFLzRL8A1GhylJ000002,0] [APP: oam_server#11.1.2.0.0] The exception has been thrown by ARME. The authorization result is set to deny.[[
com.bea.security.providers.authorization.asi.InvocationException: ArmeRUNTIME Exception: null
at com.bea.security.providers.authorization.asi.AuthorizationProviderImpl.isAccessAllowed(AuthorizationProviderImpl.java:396)
at com.bea.security.ssal.micro.MicroAuthorizationManagerWrapper.isAccessAllowed(MicroAuthorizationManagerWrapper.java:73)
at com.bea.security.impl.AuthorizationServiceImpl.isAccessAllowed_internal(AuthorizationServiceImpl.java:914)
at com.bea.security.impl.AuthorizationServiceImpl.isAccessAllowed(AuthorizationServiceImpl.java:745)
at com.bea.security.impl.AuthorizationServiceImpl.isAccessAllowed(AuthorizationServiceImpl.java:668)
at com.bea.security.impl.AuthorizationServiceImpl.isAccessAllowed(AuthorizationServiceImpl.java:622)
at com.bea.security.AuthorizationService.isAccessAllowed(AuthorizationService.java:365)
at oracle.security.am.common.policy.runtime.provider.oes.proxy.OESRuntimeProxy.wait4OESRuntimeDBPolicyRefreshCompletion(OESRuntimeProxy.java:263)
at oracle.security.am.common.policy.runtime.provider.oes.proxy.OESRuntimeProxy.init(OESRuntimeProxy.java:193)
at oracle.security.am.common.policy.runtime.provider.oes.OESPolicyRuntimeProvider.init(OESPolicyRuntimeProvider.java:167)
at oracle.security.am.common.policy.runtime.PolicyRuntimeFactory.getNewInstance(PolicyRuntimeFactory.java:162)
at oracle.security.am.common.policy.runtime.PolicyRuntimeFactory.init(PolicyRuntimeFactory.java:93)
at oracle.security.am.common.policy.runtime.PolicyRuntimeFactory.getPolicyRuntime(PolicyRuntimeFactory.java:84)
at oracle.security.am.common.policy.util.PolicyComponentLifecycle.initialize(PolicyComponentLifecycle.java:100)
at oracle.security.am.lifecycle.ApplicationLifecycle.initComponentBootstrap(ApplicationLifecycle.java:156)
at oracle.security.am.lifecycle.ApplicationLifecycle.contextInitialized(ApplicationLifecycle.java:86)
at weblogic.servlet.internal.EventsManager$FireContextListenerAction.run(EventsManager.java:481)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
at weblogic.servlet.internal.EventsManager.notifyContextCreatedEvent(EventsManager.java:181)
at weblogic.servlet.internal.WebAppServletContext.preloadResources(WebAppServletContext.java:1868)
at weblogic.servlet.internal.WebAppServletContext.start(WebAppServletContext.java:3154)
at weblogic.servlet.internal.WebAppModule.startContexts(WebAppModule.java:1518)
at weblogic.servlet.internal.WebAppModule.start(WebAppModule.java:484)
at weblogic.application.internal.flow.ModuleStateDriver$3.next(ModuleStateDriver.java:425)
at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:52)
at weblogic.application.internal.flow.ModuleStateDriver.start(ModuleStateDriver.java:119)
at weblogic.application.internal.flow.ScopedModuleDriver.start(ScopedModuleDriver.java:200)
at weblogic.application.internal.flow.ModuleListenerInvoker.start(ModuleListenerInvoker.java:247)
at weblogic.application.internal.flow.ModuleStateDriver$3.next(ModuleStateDriver.java:425)
at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:52)
at weblogic.application.internal.flow.ModuleStateDriver.start(ModuleStateDriver.java:119)
at weblogic.application.internal.flow.StartModulesFlow.activate(StartModulesFlow.java:27)
at weblogic.application.internal.BaseDeployment$2.next(BaseDeployment.java:671)
at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:52)
at weblogic.application.internal.BaseDeployment.activate(BaseDeployment.java:212)
at weblogic.application.internal.EarDeployment.activate(EarDeployment.java:59)
at weblogic.application.internal.DeploymentStateChecker.activate(DeploymentStateChecker.java:161)
at weblogic.deploy.internal.targetserver.AppContainerInvoker.activate(AppContainerInvoker.java:79)
at weblogic.deploy.internal.targetserver.BasicDeployment.activate(BasicDeployment.java:184)
at weblogic.deploy.internal.targetserver.BasicDeployment.activateFromServerLifecycle(BasicDeployment.java:361)
at weblogic.management.deploy.internal.DeploymentAdapter$1.doActivate(DeploymentAdapter.java:51)
at weblogic.management.deploy.internal.DeploymentAdapter.activate(DeploymentAdapter.java:200)
at weblogic.management.deploy.internal.AppTransition$2.transitionApp(AppTransition.java:30)
at weblogic.management.deploy.internal.ConfiguredDeployments.transitionApps(ConfiguredDeployments.java:261)
at weblogic.management.deploy.internal.ConfiguredDeployments.transitionApps(ConfiguredDeployments.java:220)
at weblogic.management.deploy.internal.ConfiguredDeployments.activate(ConfiguredDeployments.java:169)
at weblogic.management.deploy.internal.ConfiguredDeployments.deploy(ConfiguredDeployments.java:123)
at weblogic.management.deploy.internal.DeploymentServerService.resume(DeploymentServerService.java:180)
at weblogic.management.deploy.internal.DeploymentServerService.start(DeploymentServerService.java:96)
at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
Caused by: com.wles.InternalException: ArmeRUNTIME Exception: null
at com.wles.arme.Credentials_ca.exceptionTransport(Credentials_ca.java:606)
at com.wles.arme.Credentials_ca._accessAllowed(Credentials_ca.java:343)
at com.wles.arme.CredentialsImpl._accessAllowed(CredentialsImpl.java:400)
at com.wles.arme.CredentialsImpl._accessAllowed(CredentialsImpl.java:422)
at com.wles.arme.CachingCredentialsImpl._accessAllowed(CachingCredentialsImpl.java:225)
at com.wles.arme.CredentialsImpl.accessAllowed(CredentialsImpl.java:452)
at com.wles.arme.CachingCredentialsImpl.accessAllowed(CachingCredentialsImpl.java:68)
at com.bea.security.providers.authorization.asi.AuthorizationProviderImpl.ARMEisAccessAllowed(AuthorizationProviderImpl.java:977)
at com.bea.security.providers.authorization.asi.AuthorizationProviderImpl.isAccessAllowed(AuthorizationProviderImpl.java:347)
... 52 more
We appreciate your support in solving the case. Thanks...
JLK
Edited by: JLK on Nov 30, 2012 9:43 AM
Hi Viju,
Did you execute the Python script to register OPSS? If not, then you will get the mentioned error.
I have mentioned a couple of workarounds. Can you try those and let me know the results? Take a backup of your entire environment before you follow the steps:
1. For the ARME issue patch can be applied for 11.1.2
OAM Bundle Patch Release History (Doc ID 736372.1)
Yes. This is a benign message. ( the ARME issue)
OAM 11R2 After Upgrade The Managed Server Start With Error ArmeRUNTIME Exception: Null (Doc ID 1509559.1)
The other issue is under investigation and is benign.
<oracle.adfinternal.view.faces.renderkit.rich.RegionRenderer> WARNING when accessing oamconsole (Doc ID 1511967.1)
The final message is spoken to here:
WLS 10.3.3: "Auto-Ref-By: WebApp" deployed as shared library is affecting other web applications. (Doc ID 1210393.1)
Action Plan:
=========
1. For the ARME issue patch can be applied for 11.1.2
OAM Bundle Patch Release History (Doc ID 736372.1)
Hope this helps. -
Oracle Access Manager 11gR2 Web application: "oam" failed to preload
Any pointers for troubleshooting this error?
Managed Server starts up but fails to start-up "oam" deployment.
weblogic.application.ModuleException: [HTTP:101216]Servlet: "AMInitServlet" failed to preload on startup in Web application: "oam".
java.lang.ExceptionInInitializerError
at oracle.security.am.pbl.transport.http.AMInitServlet.initializeAmServer(AMInitServlet.java:113)
at oracle.security.am.pbl.transport.http.AMInitServlet.init(AMInitServlet.java:79)
at weblogic.servlet.internal.StubSecurityHelper$ServletInitAction.run(StubSecurityHelper.java:283)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
at weblogic.servlet.internal.StubSecurityHelper.createServlet(StubSecurityHelper.java:64)
at weblogic.servlet.internal.StubLifecycleHelper.createOneInstance(StubLifecycleHelper.java:58)
at weblogic.servlet.internal.StubLifecycleHelper.<init>(StubLifecycleHelper.java:48)
at weblogic.servlet.internal.ServletStubImpl.prepareServlet(ServletStubImpl.java:539)
at weblogic.servlet.internal.WebAppServletContext.preloadServlet(WebAppServletContext.java:1981)
at weblogic.servlet.internal.WebAppServletContext.loadServletsOnStartup(WebAppServletContext.java:1955)
at weblogic.servlet.internal.WebAppServletContext.preloadResources(WebAppServletContext.java:1874)
at weblogic.servlet.internal.WebAppServletContext.start(WebAppServletContext.java:3154)
at weblogic.servlet.internal.WebAppModule.startContexts(WebAppModule.java:1518)
at weblogic.servlet.internal.WebAppModule.start(WebAppModule.java:484)
at weblogic.application.internal.flow.ModuleStateDriver$3.next(ModuleStateDriver.java:425)
at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:52)
at weblogic.application.internal.flow.ModuleStateDriver.start(ModuleStateDriver.java:119)
at weblogic.application.internal.flow.ScopedModuleDriver.start(ScopedModuleDriver.java:200)
at weblogic.application.internal.flow.ModuleListenerInvoker.start(ModuleListenerInvoker.java:247)
at weblogic.application.internal.flow.ModuleStateDriver$3.next(ModuleStateDriver.java:425)
at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:52)
at weblogic.application.internal.flow.ModuleStateDriver.start(ModuleStateDriver.java:119)
at weblogic.application.internal.flow.StartModulesFlow.activate(StartModulesFlow.java:27)
at weblogic.application.internal.BaseDeployment$2.next(BaseDeployment.java:671)
at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:52)
at weblogic.application.internal.BaseDeployment.activate(BaseDeployment.java:212)
at weblogic.application.internal.EarDeployment.activate(EarDeployment.java:59)
at weblogic.application.internal.DeploymentStateChecker.activate(DeploymentStateChecker.java:161)
at weblogic.deploy.internal.targetserver.AppContainerInvoker.activate(AppContainerInvoker.java:79)
at weblogic.deploy.internal.targetserver.operations.AbstractOperation.activate(AbstractOperation.java:569)
at weblogic.deploy.internal.targetserver.operations.ActivateOperation.activateDeployment(ActivateOperation.java:150)
at weblogic.deploy.internal.targetserver.operations.ActivateOperation.doCommit(ActivateOperation.java:116)
at weblogic.deploy.internal.targetserver.operations.StartOperation.doCommit(StartOperation.java:149)
at weblogic.deploy.internal.targetserver.operations.AbstractOperation.commit(AbstractOperation.java:323)
at weblogic.deploy.internal.targetserver.DeploymentManager.handleDeploymentCommit(DeploymentManager.java:844)
at weblogic.deploy.internal.targetserver.DeploymentManager.activateDeploymentList(DeploymentManager.java:1253)
at weblogic.deploy.internal.targetserver.DeploymentManager.handleCommit(DeploymentManager.java:440)
at weblogic.deploy.internal.targetserver.DeploymentServiceDispatcher.commit(DeploymentServiceDispatcher.java:163)
at weblogic.deploy.service.internal.targetserver.DeploymentReceiverCallbackDeliverer.doCommitCallback(DeploymentReceiverCallbackDeliverer.java:195)
at weblogic.deploy.service.internal.targetserver.DeploymentReceiverCallbackDeliverer.access$100(DeploymentReceiverCallbackDeliverer.java:13)
at weblogic.deploy.service.internal.targetserver.DeploymentReceiverCallbackDeliverer$2.run(DeploymentReceiverCallbackDeliverer.java:68)
at weblogic.work.SelfTuningWorkManagerImpl$WorkAdapterImpl.run(SelfTuningWorkManagerImpl.java:545)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
Caused by: java.lang.NullPointerException
at oracle.security.am.pbl.diagnostic.DiagnosticUtil.<init>(DiagnosticUtil.java:80)
at oracle.security.am.pbl.diagnostic.DiagnosticUtil.<clinit>(DiagnosticUtil.java:65)
... 45 more
at weblogic.servlet.internal.WebAppModule.startContexts(WebAppModule.java:1520)
at weblogic.servlet.internal.WebAppModule.start(WebAppModule.java:484)
at weblogic.application.internal.flow.ModuleStateDriver$3.next(ModuleStateDriver.java:425)
at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:52)
at weblogic.application.internal.flow.ModuleStateDriver.start(ModuleStateDriver.java:119)
Truncated. see log file for complete stacktrace
Caused By: java.lang.NullPointerException
at oracle.security.am.pbl.diagnostic.DiagnosticUtil.<init>(DiagnosticUtil.java:80)
at oracle.security.am.pbl.diagnostic.DiagnosticUtil.<clinit>(DiagnosticUtil.java:65)
at oracle.security.am.pbl.transport.http.AMInitServlet.initializeAmServer(AMInitServlet.java:113)
at oracle.security.am.pbl.transport.http.AMInitServlet.init(AMInitServlet.java:79)
at weblogic.servlet.internal.StubSecurityHelper$ServletInitAction.run(StubSecurityHelper.java:283)
SOA is not required. WebGate is a separate installation, separate from where you install the Oracle Access Manager.
Oracle Access Manager is like the management station, WebGate would typically be installed on a host where a Web Server is running. So WebGate running on the WebServer host would be used to provide access control functions for web pages hosted on Web Server. You will have to do the configuration of WebGate separately after Access Manager has been installed. Please mark answer helpful/correct if helpful. -
Oracle Access manager 10.1.4 (coreid) multiple authentication for same URL
I am evaluating Oracle Access Manager, hence I am new to this product.
I have a requirement where I have a /wps URL.
Users coming externally go through a reverse proxy server to the final IIS web server. Internal users access IIS directly.
/wps should be protected by the reverse proxy using forms authentication,
while the IIS server also protects /wps but should use basic authentication.
Looks like the policy is shared by all WebGates, so I can define one authentication method for /wps.
Comparing this with CA Siteminder, each agent has its own URLs to protect, and so two agents can protect the same URL but with different authentication methods. The single sign-on works as the protection level is the same.
I have not done what you are speaking of; so I would assume that Boland is correct. One thing that you may want to consider is making the external users log into another resource before they hit the /wps. If the other resource is forms protected and at the same authentication level (number on auth scheme), then they can hit the external login resource, get their OBSSO cookie, then slide right thru the basic authentication request of the current policy domain.
Another idea would be to get a little more granular with your current policy domain. Have a file that's protected with forms auth in your policy domain that the external users authenticate to. Remember, this could be as simple as a dummy page that just does an HTTP redirect.
Good luck.
--Aaron -
Integrating Oracle Access Manager with Kerberos (WNA)
Hi,
I have a working Oracle Access Manager that is currently only able to authenticate users against Active Directory. I want to enable WNA, but I am still having issues with correctly configuring it:
I do not know what I am doing wrong.
I am logged in as example.com\testuser to Windows XP, using Firefox with WNA enabled for URI example.com. Then I enter http://oracle.example.com, which is my Oracle HTTP Server's protected URL, and then I receive an error from Oracle Access Manager: "The user account is locked or disabled. Please contact the System Administrator."
In OAM Log there is this: <Jun 19, 2012 4:14:15 PM CEST> <Error> <oracle.oam.controller> <OAM-02010> <User account is locked. Authentication failed.>
Interestingly, when I disable WNA support in Firefox, this behavior occurs: first this dialog is shown: "A username and password are being requested by http://oracle.example.com:14100. The site says: "OAM 11g"" --> here I enter example.com\testuser and password. After this a new dialog is shown: A username and password are being requested by http://oracle.example.com:14100. The site says: "WebLogic Server". Then, after entering weblogic/password, I receive "The user account is locked or disabled. Please contact the System Administrator."
In the OAM log this is logged:
<Jun 19, 2012 4:22:28 PM CEST> <Error> <oracle.oam.user.identity.provider> <OAMSSA-20023> <Authentication Failure for user : weblogic.>
<Jun 19, 2012 4:22:28 PM CEST> <Error> <oracle.oam.controller> <OAM-02010> <User account is locked. Authentication failed.>
Any ideas? I am really stuck here.
I am using this keytab file:
[root@oracle centos]# klist -ke /home/oracle/keytab.testuser1
Keytab name: WRFILE:/home/oracle/keytab.testuser1
KVNO Principal
7 HTTP/[email protected] (des-cbc-crc)
7 HTTP/[email protected] (des-cbc-md5)
7 HTTP/[email protected] (arcfour-hmac)
7 HTTP/[email protected] (aes256-cts-hmac-sha1-96)
7 HTTP/[email protected] (aes128-cts-hmac-sha1-96)
kinit passes fine:
[root@oracle centos]# kinit -V HTTP/[email protected] -k -t /home/oracle/keytab.testuser1
Using default cache: /tmp/krb5cc_0
Using principal: HTTP/[email protected]
Using keytab: /home/oracle/keytab.testuser1
Authenticated to Kerberos v5
Why and which user is locked? I can log in with the AD user into the Windows domain, so I assume it is not locked + I checked it in the Active Directory.
Ok, now I got it working. Sh~t! Why does the Oracle documentation say I should set the AD datasource with this parameter:
User Name Attribute: UserPrincipalName, when this does not work?!
After changing to User Name Attribute: sAMAccountName my WNA works!!!
I have been fighting all day with this! The question is why such behavior - whether the problem is in wrongly written Oracle documentation, or I have a problem somewhere else.
Btw my user in AD looks like this:
distinguishedName: CN=John Doe,CN=Users,DC=example,DC=com
sAMAccountName: doejohn
userPrincipalName: [email protected]
It looks like OAM takes "doejohn" from Windows via WNA/Kerberos and searches for this using UserPrincipalName, and this is giving no match of course because "doejohn != [email protected]".
The question is why does it take doejohn and not [email protected] from Windows WNA/Kerberos ??? -
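Added example, not part of the original thread and not Oracle Access Manager code: a small Python model of the lookup the poster describes, where the short name from the Kerberos ticket is searched against the configured User Name Attribute. The directory entry, the `john.doe@example.com` UPN value, the `doejohn@EXAMPLE.COM` principal and all function names are constructed assumptions.

```python
# Model of the behaviour described in the post (an assumption, not OAM internals):
# the realm is stripped from the Kerberos client principal and the remaining short
# name is searched in the identity store using the configured User Name Attribute.

# Constructed directory entry based on the post. The userPrincipalName value is a
# made-up placeholder because the original value is not readable on the page.
DIRECTORY = [
    {
        "distinguishedName": "CN=John Doe,CN=Users,DC=example,DC=com",
        "sAMAccountName": "doejohn",
        "userPrincipalName": "john.doe@example.com",
    },
]

CANDIDATE_ATTRIBUTES = ("sAMAccountName", "userPrincipalName")


def split_principal(principal):
    """Split a Kerberos client principal 'name@REALM' into (name, realm)."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError("expected name@REALM, got %r" % principal)
    return name, realm


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    special = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}
    return "".join(special.get(ch, ch) for ch in value)


def build_filter(attribute, value):
    """Build the equality filter a directory search for this user would use."""
    return "(%s=%s)" % (attribute, escape_filter_value(value))


def search(directory, attribute, value):
    """Equality match, case-insensitive as for these Active Directory attributes."""
    wanted = value.lower()
    return [entry["distinguishedName"] for entry in directory
            if entry.get(attribute, "").lower() == wanted]


def resolve(principal, user_name_attribute, directory):
    """Return the single matching DN, or None when the user cannot be resolved."""
    short_name, _realm = split_principal(principal)
    matches = search(directory, user_name_attribute, short_name)
    return matches[0] if len(matches) == 1 else None


def diagnose(principal, directory):
    """For each candidate attribute, list which form of the principal matches it.

    'short' is the name without realm, 'full' is name@realm in lower case.
    An empty list means that attribute can never resolve this user.
    """
    short_name, realm = split_principal(principal)
    forms = {"short": short_name, "full": "%s@%s" % (short_name, realm.lower())}
    return {
        attribute: sorted(label for label, value in forms.items()
                          if search(directory, attribute, value))
        for attribute in CANDIDATE_ATTRIBUTES
    }


if __name__ == "__main__":
    principal = "doejohn@EXAMPLE.COM"  # constructed client principal
    for attribute in CANDIDATE_ATTRIBUTES:
        ldap_filter = build_filter(attribute, split_principal(principal)[0])
        print(ldap_filter, "->", resolve(principal, attribute, DIRECTORY))
    print(diagnose(principal, DIRECTORY))
```

Running `diagnose` against an export of real entries shows, before changing the identity store, which attribute the ticket-derived name can actually match.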
Integrating Oracle EBS R12 with Oracle Access Manager 11g
Hi Everyone ,
Oracle Access Manager version 11.1.1.5
Oracle Identity Management 11.1.1.6.0
Oracle Access Manager WebGate 11.1.1.5
Oracle E-Business Suite AccessGate patch p12796012
Apps Version : 12.1.1
DB Version 11.2.0.3
Platform : OEL 5.8
We are trying to integrate Oracle E-Business Suite Release 12 with Oracle Access Manager 11g using Oracle E-Business Suite AccessGate. We followed Metalink IDs 1309013.1 and 1543803.1 and some other documents. We have performed every step as documented, and everything seems to work fine until the user tries to log out from Oracle Applications, i.e. the user is able to log in to Oracle Applications through AccessGate and everything is working fine. But as the user clicks the logout button, an error message is displayed like "500 Internal Server Error Servlet error: An exception occured" (the URL at the time of this message is http://hostname:port/OA_HTML/AppsLogout).
Apps Tier (oacore) Application log:-
13/05/15 19:04:20.229 html: Servlet error
java.lang.NoSuchMethodError: oracle.apps.fnd.sso.SSOManager.getAuthAgentLogoutUrl(Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String;
at oracle.apps.fnd.sso.AppsLogoutRedirect.doGet(AppsLogoutRedirect.java:193)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:743)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:856)
at com.evermind[Oracle Containers for J2EE 10g (10.1.3.4.0) ].server.http.ResourceFilterChain.doFilter(ResourceFilterChain.java:64)
at oracle.apps.jtf.base.session.ReleaseResFilter.doFilter(ReleaseResFilter.java:26)
at com.evermind[Oracle Containers for J2EE 10g (10.1.3.4.0) ].server.http.EvermindFilterChain.doFilter(EvermindFilterChain.java:15)
at oracle.apps.fnd.security.AppsServletFilter.doFilter(AppsServletFilter.java:318)
at com.evermind[Oracle Containers for J2EE 10g (10.1.3.4.0) ].server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java:621)
at com.evermind[Oracle Containers for J2EE 10g (10.1.3.4.0) ].server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java:370)
at com.evermind[Oracle Containers for J2EE 10g (10.1.3.4.0) ].server.http.HttpRequestHandler.doProcessRequest(HttpRequestHandler.java:871)
at com.evermind[Oracle Containers for J2EE 10g (10.1.3.4.0) ].server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:453)
Apps Tier Apache Error log :-
[Wed May 15 18:50:52 2013] [error] [client 192.168.0.2] [ecid: 1368624052:192.168.0.61:10798:0:44,0] File does not exist: /u01/eBiZR12/apps/apps_st/comn/java/classes//
We have set all required profiles in Oracle Applications as directed in the documents, and users are able to log in just fine, but they are not able to log out.
Is there something that we are missing? Any help is highly appreciated.
Regards
Edited by: TheKop88 on May 16, 2013 11:39 AM
Hi there,
Thanks for the reply.
We had already gone through that document earlier. We noticed that when the application profile "Applications SSO Type" is set to SSWA, OA_HTML/AppsLogout is working fine, but when we set "Applications SSO Type" to SSWA w/SSO, OA_HTML/AppsLogout is not working (not redirecting). The error thrown in the web browser is "500 Internal Server Error Servlet error: An exception occurred. The current application deployment descriptors do not allow for including it in this response". We believe that we might have missed some profile settings that are causing this error.
Regards
Edited by: TheKop88 on May 16, 2013 12:03 PM
Edited by: TheKop88 on May 16, 2013 12:07 PM -
Oracle Access Manager, ADAM & UCM integration? Help please..
I'm currently investigating the potential of using Oracle Access Manager (OAM) as a tool that allows connections to multiple Active Directory (AD) or ADAM servers, providing a single point to author and manage users with a good, easy to use GUI.
The UCM will connect directly to OAM and authenticate users connecting from AD accounts.
At the moment we use Quest software to manage users, but the cost for setting up users is £15/user, whereas OAM is only £3, I believe.
Right, the questions I have :)
1. Has anyone set this type of environment up?
2. Is OAM standalone or will I need additional software to set it up?
Reading the installation guide it says I need the following:
# Oracle Internet Directory 10g (10.1.4.0.1)
# Microsoft Active Directory
# Oracle Virtual Directory Server 10.1.4.0.1
# Oracle Virtual Directory Manager 10.1.4.0.1
# Oracle Virtual Directory Patch 10.1.4.0.1 (P5667977)
# Stand-alone Oracle HTTP Server 2.x (This needs to be preinstalled in your environment. You can download the OHS 2.x standalone from the Oracle SOA Suite 10g Companion (10.1.3.1.0) release from here.)
3. Can I use IIS instead of Oracle HTTP Server?
4. Can I install OAM on 1 server or do I need multiple servers? I've been looking at the diagrams and reading through the guides, and I'm getting a little confused with Identity and Access server.
Hi,
Have you got information reg UCM & OAM integration?
Could you please help me with the integration guide?
Regards,
Ashish -
Oracle Access Manager, ADAM & Oracle ECM - UCM integration?
I'm currently investigating the potential of using Oracle Access Manager (OAM) as a tool that allows connections to multiple Active Directory (AD) or ADAM servers, providing a single point to author and manage users with a good, easy to use GUI.
The UCM will connect directly to OAM and authenticate users connecting from AD accounts.
At the moment we use Quest software to manage users, but the cost for setting up users is £15/user, whereas OAM is only £3, I believe.
Right, the questions I have :)
1. Has anyone set this type of environment up?
2. Is OAM standalone or will I need additional software to set it up?
Reading the installation guide it says I need the following:
# Oracle Internet Directory 10g (10.1.4.0.1)
# Microsoft Active Directory
# Oracle Virtual Directory Server 10.1.4.0.1
# Oracle Virtual Directory Manager 10.1.4.0.1
# Oracle Virtual Directory Patch 10.1.4.0.1 (P5667977)
# Stand-alone Oracle HTTP Server 2.x (This needs to be preinstalled in your environment. You can download the OHS 2.x standalone from the Oracle SOA Suite 10g Companion (10.1.3.1.0) release from here.)
3. Can I use IIS instead of Oracle HTTP Server?
4. Can I install OAM on 1 server or do I need multiple servers? I've been looking at the diagrams and reading through the guides and I'm getting a little confused with Identity and Access server.
The OAM identity system (identity server and WebPass) sounds like a good fit for what you want to do. One constraint is that if you want to create/manage users in different directory instances via a single OAM identity system installation, you would also need OVD.
And yes you definitely can have IIS host the WebPass - OHS, OID etc are not required.
-Vinod -
Oracle 11g for Oracle access manager, OID version details
At present we have a 10g DB for SSO and OID. I have checked in the DB that our existing OID and SSO versions are
Oracle9iAS Single Sign-On 10.1.2.0.2
Oracle9iAS Internet Directory
OID 10.1.2.1.0
We are moving to a different hosting solution and the vendor is recommending 11g Oracle Access Manager (in 11g SSO is replaced by OAM) and OID.
What is the version of OID with 11g? Or please refer me to the documentation where I can grab 11g OAM, OID etc. versions.
Kapardhi wrote:
Where can I find Oracle 11g server for Windows 7 Home Basic 64-bit version...
Oracle 11gR2 is certified on Windows 7 x64 - Professional, Enterprise, and Ultimate editions -- http://docs.oracle.com/cd/E11882_01/install.112/e24283/toc.htm#BGBEEBAD
You can download 11gR2 from http://www.oracle.com/technetwork/database/enterprise-edition/downloads/index.html
Thanks,
Hussein -
Oracle Access Manager 11g Basic with E-Business Suite
Hi gurus,
I was just wondering if anyone could tell me if the basic edition of Oracle Access Manager 11g is licensed for use with e-Business Suite 11i as a partner application? Or is it necessary to purchase the full license to use it with EBS?
925237 wrote:
Hi gurus,
I was just wondering if anyone could tell me if the basic edition of Oracle Access Manager 11g is licensed for use with e-Business Suite 11i as a partner application? Or is it necessary to purchase the full license to use it with EBS?
You need a license for Oracle Access Manager. However, AccessGate is available at no charge to customers who have already licensed both Oracle E-Business Suite and Oracle Access Manager.
Oracle E-Business Suite AccessGate Release 1.0.2 Now Available
https://blogs.oracle.com/stevenChan/entry/ebs_accessgate_102
Oracle Access Manager 11.1.1.5 Certified with E-Business Suite 12
https://blogs.oracle.com/stevenChan/entry/oracle_access_manager_11_11
Oracle Access Manager 11.1.1.3 Certified with E-Business Suite 12
https://blogs.oracle.com/stevenChan/entry/oracle_access_manager_11_1
Please contact your Oracle sales representative (account manager), he/she is the best one to answer your license questions.
Global Pricing and Licensing
http://www.oracle.com/us/corporate/pricing/index.html
Thanks,
Hussein -
Problem in customizing Oracle Access Manager 10g
HI,
I am facing some problems while incorporating customizations into Oracle Access Manager 10g.
When trying to access the URL with a particular style name, I am getting the following error:
obhtmlpage.cpp:160: Error:
obhtmlpage.cpp:277: Error: ExXSLTProcessingGeneric: Exception processing stylesheet. Root stylesheet ID: ../../../lang/en-us/style0/login.xsl
obxdkxsl.cpp:224: Error: ObXDKTransform
obxdkcache.cpp:528: Error:
obxdkcache.cpp:565: Error:
../obcacheof.cpp:429: Error:
../obcacheof.cpp:795: Error:
../obcacheof.cpp:932: Error:
obxdkcache.cpp:291: Error: ObXdkObject::ObXdkObject
Front Page Admin
Sun Microsystems Solaris
Could someone please provide some help as to how to solve the problem.
Thanks.
One good way to debug the XSL stylesheet issue is to apply the XSL outside of OAM with input XML and see if you get the results. You can use tools such as XMLSpy for XSL development and testing.
This error is more in line with XSL syntax and processing.
Thanks
Ram -
Oracle Access Manager 10g3 Blog
Hi Everyone,
I have created a new blog for Oracle Access Manager and I would like everyone to have a look at it and give me some comments on it, like what other topics I can keep which can help us all, etc.
You can visit it at http://go4oam.blogspot.com/
-
Configuration of APEX applications to use Oracle Access Manager for Login
Is there Oracle documentation on configuring an APEX application to accept a login id passed by Oracle Access Manager? Would someone please help with some instructions on how to do it. Thanks.
Hi Ravi,
this looks like a WLS issue.
1-You can try as a workaround to remove this validator configuration in taglib definition file: .tld and see the behavior.
2-Or you are missing something in the URL.
I hope this helps,
Thiago Leoncio. -
How to create a custom plugin in Oracle Access Manager to create a cookie
How to create a custom plugin in Oracle Access Manager to create a cookie or Header Variable.
Vipin
It has more steps which you need to consider in addition to Note:101048.1 which is mentioned by Prashant_Pathak. Both notes have enough information. If not, let us know what else you need to set.
-
Install Oracle Access Manager in existing Access Manager domain
Hi
I am operator of a windows system with Oracle Access Manager installed.
We use OAM for SSO against web pages in OIM running on JBoss, and now we are going to implement against a WebLogic web application too.
The user base is standard Active Directory.
I did not set up OAM myself so I'm not completely sure how it works.
To be able to test the SSO solution given by an external provider, I need to have a proper stage environment.
My idea is to set up another OAM on another server, which points towards the same AD domain controller as the existing OAM.
Is this possible? In the installation guide I find that the new Access Manager system should be added into the existing OAM configuration, before we turn off the existing OAM and then install the complete OAM on the new server. Then we can turn on the existing OAM again, and implement them as clusters. I would like them to be two independent instances not affecting one another, but in the same AD domain to be able to test features in one of them and use the other as the production server.
My fear is that I "mess up" the form in AD created from the old OAM, and that way mess up the production environment.
Edited by: user631873 on 11.sep.2009 06:22
Hi,
Technically, you can certainly set up a new OAM infrastructure which points to the existing AD instance. You could do this in a number of ways, for example:
- set up the new instance so that it points to the same users and configuration branch as the existing instance, so that the new instance is effectively just an extension of the existing instance (with extra Identity and Access Servers, etc.);
- set up the new instance so that it points to the same AD instance, but uses a different User searchbase and Config branch. In this case the new instance is more or less completely separate, but it happens to use the same directory;
- set up the new instance so that it points to the same Users, but a different Config branch, in which case the new instance has independent OAM configuration (policies, authentication schemes etc.) but operates on the same user base.
(In OAM you can define separate LDAP locations for the Users, Identity Config and Access Config.)
It depends on exactly what you want, but if the idea is to have a proper stage environment, then it is usually better for them to be completely independent, including the directory. OAM can update users as well as policies, and additionally different major versions of OAM have different schemas, so there are risks when using the same directory instance. Load testing is also an issue, since the directory is accessed extensively by OAM.
Regards,
Colin