Reconfigure OAM components

Similar Messages

• OAM and MS Active Directory Integration on Non-Windows Server envrionment

  I will start by saying that I am dealing with a heterogeneous environment here where multiple systems are run by different levels of management. Our Oracle systems chose to go all *nix (Oracle Solaris and Red Hat Linux) and hence we do not have a single Windows Server in our Oracle services area and would really like to keep it that way as we prefer to keep a uniform platform across our Oracle servers.  However, the desktop side of our department has chosen to use Microsoft Active Directory and now we wish to integrate and perform authentication against it for our OAM protected sites.  We are in the initial setup phase but we have no desire to implement a critical server such as OAM on the Windows platform and would rather tie OAM running on a Red Hat Linux server to Active Directory.  We will also be using OID as we run Portal but do not want to use it as our authentication authority for Oracle Products (local policy is that Active Directory is the only valid credential authority on site as we are moving to true Single Sign On across our desktops and web applications).  I have a few questions.
  1. Can it be done natively or would we have to run the Windows version of OAM?
  2. If you must run OAM on Windows to use AD for authentication, Is there some way to setup the Windows version of OAM as sort of an interface for our main OAM server running on Red Hat Linux to do the AD Auth?
  3. Can it be done using some sort of an interface such as Oracle Virtual Directory to interface with the LDAP interface to MS Active Directory?

  Hi David,
  Answers in-line
  1. Can it be done natively or would we have to run the Windows version of OAM?
  You can run all of the OAM Servers on *nix, and simply point to AD as an OAM data source on the machine:port that AD is running on. There is no need for the OAM components to be on Windows.
  2. If you must run OAM on Windows to use AD for authentication, Is there some way to setup the Windows version of OAM as sort of an interface for our main OAM server running on Red Hat Linux to do the AD Auth
  As above, this is not necessary.
  3. Can it be done using some sort of an interface such as Oracle Virtual Directory to interface with the LDAP interface to MS Active Directory?
  Yes, this is entirely possible. Even though it is not necessary in your situation, it often provides more flexibility to front-end the user store with OVD, for example when adding/renaming Windows domains, or specifying specific branches for users and so on.
  Regards,
  Colin

• Is there any OOTB audit report functionality in OAM?

  I configure audit policy and audits log to files.
  I'm wondering is there any built-in audit report functionality in oam without crystal report or any other outside report tools?

  OAM has very limited Audit functionality when it comes to comply the industry standards. It all depends on what exactly you are trying to Audit.
  - If you are looking for OAM Components Diagnostics - Refer to Access System - System Management - Diagnostics
  - If you are looking to track the access reports of users - Refer to Access System - System Management - Manage Reports. You can create custom reports in this section to track who accessed what and when?
  - If you are looking to track the system statistics like number of AU/AZ, LDAP calls, SLA's, Health Monitoring - You can use Oracle Enterprise Manager - Identity Management Pack
  http://www.oracle.com/technology/products/oem/prod_focus/idm_mgmt.html
  - If you need to track down the changes of what users changed on their profiles and password failures, Group History, Identity/User History, you can go for BI Publisher Reports for OAM. Oracle provides OOTB report templates for most of the reports in OAM. Refer to the Zip file on OAM Home Page
  http://www.oracle.com/technology/products/id_mgmt/coreid_acc/index.html
  Again, it all depends on your requirement to judge what will be feasible to achieve the desired audit.
  Hope this helps !

• OAM Second Site Issue

  I'm running into an issue with OAM forcing users to re-authenticate to the application they are logged into when I access a second site protected by OAM.
  I'm using the same forms authentication scheme setup for both sites. I access site 1 first and log in. Then site 1 has a link that pops up a new window that takes the user to the second site. The user gets logged in automatically to the second site without any issues. But when I try to do anything in site 1, it forces me to re-authenticate.
  I've read on metalink that if the shared secret is corrupted that this could occur, but I regenerated the shared secret and restarted all the OAM components but still run into this issue.
  Both sites are in the same domain. Is there something I need to do with the policy of the authentication level?

  Thanks for the response. Both sites are using the same webgate, and timeout is set pretty high since this is dev. The authentication level is the same as is the directory store.
  I'm using the same form login auth scheme for both sites. I'm going to try creating two different form logins and adding the redirect to see if that will help.

• Exporting/importing policies in OAM 10g

  How can I export/import policies in 10.1.4.3? Is there a command-line tool for this? Appreciate any advice.
  Thanks,
  Alex

  Hi,
  You can do this by migrating the LDAP data, since all the config/policy data is stored in the LDAP.
  Here are a high level steps of what might be required -
  (Note: These may not be the complete tasks which you might have to do, and may differ for your settings).
  -> Ensure the LDAP (in both envs) are of the same version, and the schema are the same.
  -> If the schema has been copied as well, make sure the references have been changed (hostname, IP, etc, if any).
  -> Take a backup of the the data in the from/to environment(s).
  -> Export the config data (and policy data if req) from the existing env into an ldif file using LDAP commands or using an LDAP Editor (Eg: Apache Directory Studio).
  -> Change references (hostname, IP, etc, (if any)) to match the new environment settings. (Eg: obDBAgentHost).
  -> Import the ldif file in the new environment.
  -> Ensure the components (LDAP, OIS, AAA, Webserver) comes up fine in the new environment. (After installing/configuring the required OAM components).
  -> Reconfig components if necessary.
  -- Pramod Aravind

• OAM 10g reinstall issue

  We're having a problem reinstalling OAM 10g.
  We had an OAM 10g install with config and user data stored in OID. All the OAM components were uninstalled from a testing server, the oblix schema objects, attributes and oblix branch were deleted from OID. The ID server and webpass were reinstalled and the ID server web config step carried out, but after that the ID server will not restart because it can't find an ID. When we look at the new oblix branch in the ldap there isn't much there and specifically the DBAgents entry is missing.
  The suggestions for the error all point to it being that this isn't the first ID server to be installed in the ldap. We've uninstalled the first one and tried to remove everything from the ldap. Can anyone suggest what we may have left behind in the ldap because something is retaining a reference to the previous install.
  Thanks for any help.

  If a component installation terminates (or is terminated by you) after component files were extracted to the designated installation directory, you should run the Uninstaller for that component and then remove the installation directory before attempting to reinstall in the same location.
  If you simply delete the installation directory and attempt to reinstall the component in the same location, the vpd.properties file is left in an inconsistent state and reinstalling will not work.
  For example, suppose you terminate a WebGate installation after component files were extracted, then you remove the installation directory manually rather than using the WebGate uninstaller.
  In this case, the extracted files are deleted but the vpd.properties file is not. This leaves the vpd.properties file in an inconsistent state that prevents successful installation.
  Reinstalling Oracle Access Manager with Oracle Internet Directory
  If Oracle Access Manager will be removed and reinstalled with the same directory instance, only the Oracle Access Manager configuration tree(s) need be deleted.
  In this case, there is no need to remove the Oracle Access Manager schema from the directory instance.
  When reinstalling the Identity Server, select "No" when asked if you want to update the schema (which is already present). Selecting "Yes" results in an an error message "schema already exists".
  You remove the Oracle Access Manager configuration tree from the directory server instance using tools and instructions from your directory vendor.
  For Oracle Internet Directory, for example, you may use the Oracle Internet Directory Administration Console.
  However, you cannot simply delete the parent object because there are dependencies and recursive deletes are not possible.
  Oracle recommends that you do not remove the Oracle Access Manager schema from Oracle Internet Directory using the Console.
  Instead, Oracle recommends that you use the LDIF files in Component_install_dir\identity\access\oblix\data.ldap\common. For example:
  OID_oblix_schema_index_delete.ldif : Oracle Access Manager attrbitue index cleanup file drops the Oracle Access Manager indexes before or after you clean up the schema.
  OID_user_schema_delete.ldif—Oracle Access Manager user data cleanup file for Oracle Internet Directory—removes user data that resides on a separate directory instance from configuration data
  OID_oblix_schema_delete.ldif—Oracle Access Manager configuration data cleanup file for Oracle Internet Directory—removes both user and configuration data when both reside on the same directory instance
  When user data and configuration data reside in the same directory instance, only the OID_oblix_schema_delete.ldif needs to be used with the because it will also remove the user schema objects.
  However, when a separate directory instance hosts only user data the OID_user_schema_delete.ldif should be used. In either case, however, you must use the OID_oblix_schema_delete.ldif to remove the attribute index.
  For steps, see Chapter 20, "Removing Oracle Access Manager".

• CG-OAM integration for Sites Visitors

  Hi Gurus,
  I m doing the webcenter sites and community gadget integration to do comments on sites.
  we want user to get authenticated via OAM before submitting comments on pages.
  I know this integration for visitors is not supported.
  I am seeking guidance to do this customization .
  Please help.
  Thanks,
  ~Dev

  Hi David,
  Answers in-line
  1. Can it be done natively or would we have to run the Windows version of OAM?
  You can run all of the OAM Servers on *nix, and simply point to AD as an OAM data source on the machine:port that AD is running on. There is no need for the OAM components to be on Windows.
  2. If you must run OAM on Windows to use AD for authentication, Is there some way to setup the Windows version of OAM as sort of an interface for our main OAM server running on Red Hat Linux to do the AD Auth
  As above, this is not necessary.
  3. Can it be done using some sort of an interface such as Oracle Virtual Directory to interface with the LDAP interface to MS Active Directory?
  Yes, this is entirely possible. Even though it is not necessary in your situation, it often provides more flexibility to front-end the user store with OVD, for example when adding/renaming Windows domains, or specifying specific branches for users and so on.
  Regards,
  Colin

• Change in the AD Server (OAM)

  Hi All,
  I have successfully installed Identity and Access System and able to login to Access manager and policy domian.
  now the AD is moved to the other server i.e the IP of the AD which I was using is being changed. Now I am unable to login to the Access sytem.Can anyone tell me wat config changes should I make if there is change in the ip of the AD.
  Thanks in Advance.

  You will need to reconfigure your Identity Server and Policy Manager to point to the new IP address. If Access Server has been installed, then that also needs to be reconfigured with the new IP address of the AD. To reconfigure the components you can make use with the utilities provided for reconfiguration in the "tools" directory.
  Else following approach can be used :
  In order to change the AD server IP in the identity server configuration files, run the setup of Identity Server. Follow the below steps to reconfigure Identity Server:
  1. Stop Identity Server
  2. Take a backup of the existing /identity/oblix/config folder
  3. Copy the contents of ois_server_config.xml.bak to ois_server_config.xml
  4. Rename/remove configInfo.xml
  5. Rename/remove setup.xml
  6. Remove/rename oblix/config/ldap folder
  7. Start the identity server
  8. Start the webpass web server
  Access /identity/oblix and click on Identity System Console, you will be prompted to go through setup screen. Here you can provide the new IP address of the AD server.
  Same steps can be followed to reconfigure the Policy Manager.
  -Amol

• Cn=Users domain is not displaying after configuring new object class in OAM

  We have configured a custom object class which inherits inetorgperson objectclass and reconfigured OAM. After the reconfiguration cn=Users is not available in OAM Attibute Access Control Management domain selection,Delegated Administration domain selection , Workflow Definition -workflow domain selection and searchbase domain.
  If anyone has faced similar issue,please reply back.
  Thanks inadvance.
  Regards,
  Srikanth

  > I cannot RDP using the user
  Any error message?
  Greetings/Grüße,
  Martin
  Mal ein
  gutes Buch über GPOs lesen?
  Good or bad GPOs? - my blog…
  And if IT bothers me -
  coke bottle design refreshment (-:

• OAM 101 - Using Windows login?

  I'm very much a newb and am still trying to get the OIM(user provisioning) part of the equation going right now.
  But eventually I'll probably need to hook OAM into it. I understand that OAM is essentially WebSSO (opposed to eSSO), but how can one use the Windows authentication (AD \ Kerberos) and use that to authenticate the WebApps? My assumption is that the kerberos ticket (session) is initiated via the windows desktop login and OAM can authenticate against AD anyway, so as long as I can say that my webapps are only accessible internally (within the firewall), I would like to NOT require the user to have to re-login (but still authenticate using that Win login). At a very "high level" (overused mgmt term) what is the flow of implementing this & the corresponding OAM components\concepts. Not sure if it matters but webapps are java\flex based for the most part - not portals though. I realize that it's probably an intricate solution, but any insight is appreciated.
  ** I understand how essentially eSSO solutions work with scripts\templates & "trapping" login prompts, but am interested to hear a pure OAM solution.

  For information on OAM IWA, read:
  Metalink Note 314951.1: How Does Integrated Windows Authentication and Single Sign On Work?
  Step for your implementation:
  - Build an IIS server with a webgate and configure it for Integrated Windows Authentication. This will be the central authentication webgate:
  Metalink Note 361312.1: How To Setup Integrated Windows Authentication (IWA) as an Authentication WebGate
  - Configure OIM to be protected by OAM WebGate. Make sure Form Login is working correctly:
  http://download.oracle.com/docs/cd/E10391_01/doc.910/e10361/oamsso.htm#sthref75
  - In the OIM (Form) Authentication Scheme, configure a 'Challenge Redirect' to the IIS server. This will take care of valid Windows users who are logging in through IE browser.
  - For invalid user or non-IE browser, the user will be faced with a pop-up window to enter his credentials. You can make use of this for login.
  - If this pop-up window is not acceptable to the customer, then on the same IIS, write an IIS filter for the following function: If the windows user is invalid or the user is using a non-IE browser, then redirect to custom OIM Form Login.
  Another article worth exploring is:
  Metalink Note 395244.1: How to Revert to Form Based Authentication if Integrated Windows Authentication (IWA) Authentication Failed
  -shetty2k

• OAM Access SDK

  Hi there,
  I am trying to set up an Access Gate on my OAM server.
  When I run the "configureAccessGate.exe -i c:\oracle\access -t AccessGate -w AG-SDK" I keep getting "Access Server you specified is currently down. Please check your Access Server."
  However, when I run the "configureWebGate.exe -i c:\oracle\Webgate\access -t Webgate -w Webgate1", using the same parameters, it runs successfully. (on the same machine)
  So I know that the server is up and running and the parameters are correct.
  Anyone encountered that issue?
  TIA

  Hi,
  Are you trying to configure automatic cache flush b/w Identity System and Access System ?.
  If Yes, while running configureAccessGate utility, you have to mention the Access Server SDK installation path available in the Identity Server installation directory.
  Example: configureAccessGate -i <IdentityServer_install_dir/identity/AccessServerSDK> -t AccessGate -w <Access Gate ID defined in Access System Console>
  If you are implementing your own Access Gate (custome WebGate) then use below steps:
  1. Install Access Server SDK.
  2. Run below utility
  configureAccessGate -i <AccessServerSDK Install Folder> -t AccessGate -w <Access Gate ID defined in Access System Console>
  In both cases observe the value of paramter "-i"
  Note: If all OAM components are NOT on the same machine then make sure clocks are synchronized across all machines.
  Regards
  GK Goalla
  Edited by: GK Goalla on May 24, 2010 4:40 AM

• OAMCM upgrade to 10.1.4.2.0

  Hi all,
  Can any one please tell me the patch number for Oracle Access Manager Configuration Manager to upgrade from 10.1.4.0.1 to 10.1.4.2.0.
  I coundn't found any where in metalink also.
  Thanks in advance.
  Siva Pokuri.

  Hi Siva,
  You do need to stop the OAM components - you should be able to stop everything, perform the patch upgrade, and then restart everything with everything working OK. There is not much functional difference between 10.1.4.0.1 and 10.1.4.2 (but a lot of fixes make the upgrade worthwhile) so the system should behave the same as before the upgrade. However, as with any upgrade you should try it in a test system just to make sure that nothing is broken.
  If you're doing the upgrade it is also worth applying a recent Bundle Patch (BP) at the same time (the upgrade path is 10.1.4.0.1->10.1.4.2->10.1.4.2BPxx - you can't do it as a single upgrade).
  Regards,
  Colin

• CERT mode

  Hello,
  Regarding CERT mode communication between aaa and accessgate (via SDK).
  In my customer environment, they have multiple nodes in their websphere cluster, my understanding is they will need to generate certificate requests for each websphere node.
  However, in terms of administration and configuration simplicity, they want to create one common cert request, generate one signed cert, and have one private key and deploy it across all websphere nodes.
  Question is, does the common name defined in the certificate HAVE to match the hostname of the server presenting the certificate? if it doesnt match, will it prevent OAM from establishing the SSL session between the accessgate and the access server?
  Thanks in advance

  Hi,
  When you install OAM and say the transport security mode is 'cert' you get an option to generate a certificate request. Get certificate using that request and you can use that for all the OAM components.
  Thanks.

• OAM reconfiguration of user repository Data

  Hi All,
  I have OAM configured Policy and Configuration data with Sun One Ldap Server and now I want to reconfigure the same OAM with other Sun One Ldap server for Policy and Configuration data.
  How can I achieve this?
  Regards,
  Poorna
  Edited by: Poorna.K on 07-Aug-2009 07:52

  Hi I have some issue in reconfiguring user repository with OAM.
  Sun Ldap is using as user repository and another instance of Sun ldap is used for configuration and policy storage.
  Now i want to use OVD in front of sun ldap for user repository when i tired in Redhat linux env i am getting some issue , I am getting setup page after deleting setup.xml and i am able to proceed until providing group object class page after clicking next button it is hanging i tried couple of time but not able to success.
  Can any one help on this.
  Regards,
  Poorna

• OAM- "You do not have sufficient access rights" message with Master Admin

  Customer has configured the OAM system to have both the primary and the secondary side for failover purposes. The back end directory server on both systems are in sync. The primary side of the systems works well as far as this issue is concerned.
  On the secondary side, if you login with the MASTER administrator of the system and click 'Identity System Console' or click any of the configurations under the Configurations in the User Manager, you get the error message saying "You do not have sufficient access rights". However, if they navigate to the Access system on the same browser and access the "Access System Console", and then navigate back to the Identity system, the Master Administrative rights are granted and now have a full access to the system.
  We tried following things to resolve the issue, but could not resolve it:
  1) Tried deleting 'cookieencryptionkey' which is found under "obcontainerid=encryptionkey,o=oblix" and restarted both the Identity Servers.
  2) Confirmed that the OAM administrator is present in cn=Web Masters,o=Oblix,<> and cn=Directory Administrators,o=Oblix,<> from the LDAP.
  3) Under the apps=PSC node, checked the Advance Properties for the 'obuniquememberStr' attribute:
  - Master Web Resource Admins (cn=master web resource admins, obapp=PSC, o=oblix, ...)
  Made sure that the values for the 'obuniquememberStr' attribute has the correct value there.
  4) Reconfigured the Secondary Identity Server.
  None of the above really helped to resolve the issue.
  Could anybody please help here to get rid of this issue.
  -Amol

  Hi Vinod,
  Here is the customer's response to your above 2 questions:
  1. We have 4 Directory server profiles for Identity servers; one for user data and one for configuration data for each server.
  I have at least reduced them to two and used only the ones initially used by the primary identity server as our user and configuration data do not reside together. User data is consumed via OVD.
  However, this does not seem to have any effect on the current behavior.
  2. All components except for the access server are on 10.1.4.2 and the access server is on 10.1.4.1
  Also below are the errors from the oblogs:
  dentity Server log
  =============
  2008/03/19@10:04:16.508530 4332 262160 PPP INFO 0x000008C7 obeventcatalog.cpp:183 "Cannot find the action" function^ObEventCatalog::GetActionEntry2Modify() actionName^ENCRYPTION_cookieEncryptionKey
  Access Server Log
  =============
  2008/03/19@10:03:56.329959 13608 1687633 CONNECTIVITY DEBUG3 0x00000201 /usr/abuild/Oblix/1014lwhf/palantir/netlib/src/obmessagechannel.cpp:601 "Received " ipaddr^10.217.209.81 ipport^1853 seqno^12 opcode^1 opcodeStr^IsResrcOpProtected Message^ro=t%253d0%2520o%253d%2520no%253d%2520r%253d%2520nr%253d%2520wu%253d/identity/oblix/apps/admin/bin/frontpage_admin.cgi%2520wh%253d10.217.209.81%2520wo%253d1%2520wa%253d0%2520ws%253d st=ma%253d2%2520mi%253d2%2520sg%253d0%2520sm%253d version=3 pd=
  2008/03/19@10:03:56.340433 3099 802864 AUTHENTICATION DEBUG2 0x00000201 /usr/abuild/Oblix/1014lwhf/palantir/aaa_server/src/aaa_service_server.cpp:2779 "Authorization successful"
  Webgate Log
  ==========
  2008/03/19@10:04:05.661000 5796 4516 HTTP_REQ DEBUG3 0x00000201 \Oblix\coreid1014\palantir\webgate2\src\isprotected.cpp:185 "Resource is protected" ResourceOperation^GET ResourceType^http Resource^//10.217.209.81/identity/oblix/apps/admin/bin/front_page_admin.cgi authnSchemeName^Oracle Access and Identity Basic Over LDAP
  2008/03/19@10:04:14.661000 5796 4516 LDAP DEBUG3 0x00000201 \Oblix\coreid1014\np_common\db\ldap\util\ldap_util2.cpp:537 "MLK-Memory leak for LDAP error information. This will show up as memory leak in LDAP SDK calls." key^25
  2008/03/19@10:04:14.661000 5796 4516 LDAP DEBUG3 0x00000201 \Oblix\coreid1014\np_common\db\ldap\util\ldap_util2.cpp:537 "MLK-Memory leak for LDAP error information. This will show up as memory leak in LDAP SDK calls." key^25
  2008/03/19@10:05:54.552000 5796 5256 CONFIG DEBUG2 0x00000201 \Oblix\coreid1014\palantir\access_api\src\obconfig.cpp:865 "Client configuration not updated"
  2008/03/19@10:05:54.552000 5796 5256 CONFIG INFO 0x0000182D \Oblix\coreid1014\palantir\access_api\src\obconfig.cpp:866 "The Access Server has returned a fatal error with no detailed information." raw_code^302
  I checked the OVD logs but did not find any error in it. Customer also tried to unprotect the /identity and /access URLs but the issue persist.
  Also I do not feel this as a bug, because this environment was working quite for few months without any such issues, also there were no changes made on the OVD/AD configurations. However, the server that hosts the OVD/AD was shut down and when it was restarted, we started experiencing this issue.