User store for OAM

I am setting OID as the default User store for OAM 11gR2, and shall continue to use the internal UserIdentityStore1 as Security Store.
Is this OK? What is the best practice?

This should be fine and is the recommended way.
When trying to set this up, I would recommend keeping a few things in mind, i.e. make sure that you have a new LDAP Authentication Module created for the default User Identity Store. You don't want to create a mess out of your Authentication Modules and Authentication Scheme configurations. A few of the OOTB Authentication Schemes use the LDAP Authentication Module. If you change the User Identity Store for it, then your system store would be UserIdentityStore1, whereas the OAMConsoleScheme and other Authentication Schemes will be using the LDAP Module, which will be pointing to your OID's User Identity Store instead of your System Store.
~Yagnesh

Similar Messages

  • User Store for Portal

    Hello,
    We are implementing a new portal, and having trouble deciding on the user store for the portal.
    Scenario:
    • The main functionality of the Portal is dependent on the SAP Systems (ESS\MSS), and BW System.
    • Currently there is no CUA or SAP Identity management Systems available.
    • The Usernames in our LDAP and SAP ECC systems are different, so we can't use the LDAP.
    From our preliminary brainstorming, we came up with following decision:
    • Use the ECC ABAP Store for user Base (So we leverage all the ECC users, and their current role assignments in the portal)
    • Later on, once we're ready to install SAP IDM, and then Switch Portal's User Store from ECC ABAP Store to IDM.
    QUESTIONS:
    1. Is our approach here correct?
    2. Would it be possible to switch portal's user store from ECC ABAP Store to IDM?
    3. Should we consider installing CUA in the meantime until we're ready to move to IDM?
    Any Help or opinions would be much appreciated…
    Thanks,
    Harman

    Hi,
    Q1 You wrote: " The Usernames in our LDAP and SAP ECC systems are different, so we can't use the LDAP."
    This is not 100% true... take a look at this help document as it explains some possibilities for you:
    http://help.sap.com/saphelp_nw70ehp2/helpdata/en/0b/d82c4142aef623e10000000a155106/frameset.htm
    Q2 Not really, see Q1 and in addition IDM is a Management and Provisioning System/Tool. It isn't a userstore on itself.
    In other words IDM contains the single truth but it provisions it to systems (JAVA , ABAP, LDAP etc).
    So it won't be possible to connect your Portal from an ABAP user store to an IDM user store as it doesn't exist.
    What theoretically could be possible is to now connect your Portal to an ABAP user store and later back to its own UME and let this UME be under provisioning by the IDM system. But I can remember that it is not supported to go back from ABAP to UME. See also: http://help.sap.com/saphelp_nw70ehp2/helpdata/en/f5/8fdc3fca21eb06e10000000a1550b0/frameset.htm
    Q3 Personally I think it is a first good step as it helps you to centralize and uniform your users and roles. But if you already decided to go for IDM (let's say next year) then maybe the Return On Investment for implementing CUA now is nil.
    Do not hesitate to ask if above answers are unclear.
    Good Luck,
    Benjamin

  • Using two User Stores for one relying party trust

    Hi all,
    We got a request to implement a trust with an external party. 
    Internal users should be able to make use of that application. But also external users, who have their account stored in a different user store (question is asked if it's a SQL or LDAP kind of store).
    Is it possible to have a SSO effect for both internal and external users?
    Somehow ADFS has to know if the user is internal or external. I can imagine an internal user being in the office will get a nice SSO feeling. From what I think this is not possible for external users. External users should still authenticate once on our STS (ADFS). Let's say this is true, is it possible for ADFS to see if a user is external, and then use the User Store that belongs to that external user?
    You also must keep in mind that an internal user could also be in an internet cafe, so SSO is not possible. Also this time the user should authenticate to the STS. But this time it has to use Active Directory as User Store.
    I know internal users have a username in a different format than external users.
    Is it possible for ADFS to know which User Store to pick based on the format of the username?
    Thanks in advance for the reaction.

    Hi,
    Thank you for your posting!
    Since Active Directory Federation Service is not an extension of Active Directory schema, I suggest you refer to the following forum to get professional support:
    Claims based access platform (CBA), code-named Geneva Forum
    http://social.msdn.microsoft.com/Forums/vstudio/en-US/home?forum=Geneva
    Thank you for your understanding and support.
    Best Regards,
    Amy Wang

  • Issue adding second user store for failover in OAM

    I am attempting to add a second OVD instance to the OAM Directory servers for Access Manager, Access Server & Identity server. I am getting the error
    Unable to contact the DS. This may happen if DS is down or invalid credentials are provided.
    I have verified communication between the OAM and OVD servers, I have imported the certificate into the OIS & AAA databases using certutil, I have used the same cert to connect to the directory with an ldap browser. Any idea why I can not access the server from OAM?

    Hi,
    I assume it's OAM 10g -
    Even though you add failover servers through the console, you would need to check if it's reflected in the correct xml file.
    There's a file by name 'failover.xml' (I don't remember the path). Please check if it's updated with the correct information.
    -- Pramod Aravind

  • Problem with using OID as Identity Store for OAM

    I have oam11.1.1.5.1 and oid 11.1.1.5.
    I switched the embedded ldap to OID as the default as well as the system identity store followed the doc http://docs.oracle.com/cd/E21764_01/doc.1111/e15478/datasrc.htm#BHCJEDJA
    In the oid I have created the group Administrators and added the users to: weblogic, weblogicoi, oamtester and more.
    Only weblogic can sign into the oam console by one login :
    http://<host>:/oamconsole , redirected to the page having oam port 14100 with the login wizard, get in with weblogic account credential.
    and for the others have to have two logins:
    http://<host>:/oamconsole , redirected to the page having oam port 14100 with the login wizard,
    After keyed in the user credential, got redirected to back to the page having port 7001 with the login wizard, keyed in the user credential again and got in.
    All the passwords used are the ones in the OID, which confirms the OID is the OAM's identity store.
    Seems weblogic is the seed account. Could I miss something for granting privs for the others? if so what did I miss? Do I have to create an authentication provider with the oid(ldap) in WLS' security domain? If so, is that a mandatory?
    Edited by: gadba on Jan 14, 2012 7:06 AM

    Hi,
    Did you set the Authentication Module to use your newly created User Identity Store? Or is it still pointing to your default UserIdentityStore1? If not, you will have to modify this configuration in your Access Manager Settings. Also, make sure that your new User Identity Store is set as default store as well as system store.
    ~Yagnesh

  • Issue on LDAP as a user-store for WebLogic Administrators

    Hi All,
    I have configured a Novell LDAP into WebLogic 10.3.2 successfully. I am able to view all of the LDAP users and groups on the WebLogic Admin Console, which includes my own account in LDAP.
    Now I am trying to configure my account as a WebLogic administrator so that I can log in to the WebLogic Admin Console as my own account in LDAP. I don't want to set up an Administrators group in LDAP. I want to add the user to the Admin global role. As I understand it, all I need to do is
    1. Go to "myrealm"
    2. Click the tab "Roles and Policies"
    3. Click the tab "Realm Roles"
    4. Expand the link "Global Roles"
    5. Click the link "View Role Conditions" corresponding to the name "Admin". Enter the panel "Edit Global Role"
    6. Click the button "Add Conditions"
    7. Select "Predicate List" as "user"
    8. Click the button "Next"
    9. Enter my username (jwang) in LDAP to the field "User Argument Name:"
    10. Click the button "Add"
    11. Click the button "Finish"
    12. Back to the page "Edit Global Role"
    13. Here I can see
    User : jwang
    Or
    Group : Administrators
    14. Click the button "Save"
    15. Restart the server
    16. Log in with the new user jwang. It got denied.
    Can someone help me on this and why I can not log in?
    Thanks a lot.
    John

    Hi Faisal,
    Thank you very much for your prompt reply. With your suggestion, I did figure out where my problem is. I did set the control flag in my ldapAuthenticator to "OPTIONAL". However, it appears that the DefaultAuthenticator is given as "REQUIRED" by default.
    Once I changed it to be "OPTIONAL", it works.
    Thanks again.
    John
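The control-flag behaviour described in the reply above, as an added example that is not part of the original thread: a small Python model of the standard JAAS control-flag rules (REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL) that WebLogic authentication providers follow, applied to the two providers named in the post. The user stores, passwords and function names are constructed for illustration, and role mapping (the Admin global role) is outside what it models.

```python
import hmac
from dataclasses import dataclass, field

REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL = (
    "REQUIRED", "REQUISITE", "SUFFICIENT", "OPTIONAL")


@dataclass
class Provider:
    """One authentication provider in the realm's ordered chain (hypothetical model)."""
    name: str
    flag: str
    users: dict = field(default_factory=dict)  # constructed store: user -> password

    def login(self, user: str, password: str) -> bool:
        stored = self.users.get(user)
        if stored is None:
            return False  # user is unknown to this store
        return hmac.compare_digest(stored.encode(), password.encode())


def authenticate(chain, user, password):
    """Apply JAAS control-flag semantics; return (allowed, trace of providers consulted)."""
    mandatory_seen = False    # any REQUIRED/REQUISITE provider consulted
    mandatory_failed = False  # any REQUIRED/REQUISITE provider rejected the login
    any_success = False
    trace = []
    for p in chain:
        ok = p.login(user, password)
        trace.append((p.name, p.flag, ok))
        any_success = any_success or ok
        if p.flag in (REQUIRED, REQUISITE):
            mandatory_seen = True
            if not ok:
                mandatory_failed = True
                if p.flag == REQUISITE:
                    break  # REQUISITE failure stops the chain immediately
                # REQUIRED failure: keep going, but the overall result is already "deny"
        elif p.flag == SUFFICIENT and ok and not mandatory_failed:
            return True, trace  # SUFFICIENT success short-circuits the chain
    if mandatory_failed:
        return False, trace
    # With no REQUIRED/REQUISITE provider, at least one other provider must succeed.
    return (True if mandatory_seen else any_success), trace


# Constructed sample data: the LDAP account exists only in the LDAP store,
# the seed admin account only in the embedded default store.
DEFAULT_USERS = {"weblogic": "sample-admin-pw"}
LDAP_USERS = {"jwang": "sample-ldap-pw"}


def chain(default_flag, ldap_flag):
    """Build the two-provider chain from the post with the given control flags."""
    return [
        Provider("DefaultAuthenticator", default_flag, DEFAULT_USERS),
        Provider("ldapAuthenticator", ldap_flag, LDAP_USERS),
    ]


def compare_configurations(user="jwang", password="sample-ldap-pw"):
    """Outcome for the LDAP-only user under several flag combinations."""
    configs = {
        "default=REQUIRED, ldap=OPTIONAL": (REQUIRED, OPTIONAL),   # state in the post
        "default=OPTIONAL, ldap=OPTIONAL": (OPTIONAL, OPTIONAL),   # change in the post
        "default=SUFFICIENT, ldap=SUFFICIENT": (SUFFICIENT, SUFFICIENT),
    }
    return {label: authenticate(chain(*flags), user, password)[0]
            for label, flags in configs.items()}


if __name__ == "__main__":
    for label, allowed in compare_configurations().items():
        print(f"{label:40s} -> {'ALLOW' if allowed else 'DENY'}")
```

With the default provider left at REQUIRED, every login must also succeed against the embedded store, so an account that exists only in LDAP is rejected even though the LDAP provider accepted it.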

  • OAM 11g throws error when user store is changed

    We have OAM 11g integrated with OIF 11g as the SP. We need to change the OAM User store from OID to OVD. I added a new User store in the OAM console and set that as the default store. In the OAM console, under System Configuration -> Common Configuration -> Data Stores -> User Identity Stores, I added the OVD repository we want to use and set it as the default store. When I make this change in OAM data stores, OAM throws an error.
    On the browser I see the error: System error. Please re-try your action. If you continue to get this error, please contact the Administrator.
    In the OAM diagnostic logs, I see the following errors:
    [2012-08-11T08:37:27.016-04:00] [oam_server1] [ERROR] [OAMSSA-20005] [oracle.oam.user.identity.provider] [tid: [ACTIVE].ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 3480b637355d0d24:-ed7c663:13913246a02:-8000-000000000000040f,0] [APP: oam_server] Error initializing User/Role API : null.
    [2012-08-11T08:37:27.021-04:00] [oam_server1] [WARNING] [OAMSSA-20007] [oracle.oam.user.identity.provider] [tid: [ACTIVE].ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 3480b637355d0d24:-ed7c663:13913246a02:-8000-000000000000040f,0] [APP: oam_server] Unable to connect to the User Store. User Store may not be initialized : Error initializing User/Role API : null..
    [2012-08-11T08:37:27.021-04:00] [oam_server1] [ERROR] [OAMSSA-12126] [oracle.oam.engine.authn] [tid: [ACTIVE].ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 3480b637355d0d24:-ed7c663:13913246a02:-8000-000000000000040f,0] [APP: oam_server] Cannot assert the username from DAP token.
    The user exists in OVD and appropriate attributes have been set.
    Comparing the trace for the two, in the OID trace, I see a 302 for the URL at /oam/server/dap/cred_submit. In the OVD trace, I see a 200 for the same URL.
    Following is a successful request when OID is set as the default user store:
    GET /oam/server/dap/cred_submit?osso_sassoToken=v1.0%7ENEVGMzBGMUJFRTdGRkM0NjQxREFFQn5GODdEQjFEMjczMjZCQjFCQTZEQTlDQTI5RDA3RTA0QTQ2OThEQzdEfjRCMDk0OUE1RjgyNjcwRkU2M0E3OTM5QjI1OTlCMzdEfmRiYzEzMDFiMWMxOTFiMDA5ZmM3YWM5MTFjNjM5MDhjNTgwMzZjMzYyZDZhZTQ3OTY5ZGRiNTllYmVlMTUwMjkxYTY4MzQwZjU2ZGEwMmNhMmE4YTM0YWUwNmUxMjY4MzE5NmFkNjM4YzIwOTliMWZmM2NmZTRhMjYyYmU2N2M1MDEwYWY5OWFmOWU1NTg5NGIyYTVjYWRkOGRlMDI5NjVjN2I2YzM5YTJjMDU1NmU5OTJkMzU4Y2RlYzAxNmU4MWZjMDRiYjFjM2RhYTAzYzliNDIwNjQzOTZlNzZlMzZhOTMwZjI4YTAyMzdmMTI1NjVjOTcwYTk1NzFkZDMzNzQ%3D HTTP/1.1
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
    Referer: http://hostname.idpdomain.com/fed/user/?refid=id-5RtbGMaw6NfaaPUgth-wxZwxY5Q-
    Accept-Language: en-us
    UA-CPU: x86
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
    Host: hostname.spdomain.com:14101
    Connection: Keep-Alive
    Cache-Control: no-cache
    HTTP/1.1 302 Moved Temporarily
    Connection: close
    Date: Sat, 11 Aug 2012 12:42:32 GMT
    Transfer-Encoding: chunked
    Location: https://www.google.com
    Set-Cookie: OAM_ID=VERSION_4~8u5oPtHwZW/uJbd8ybw87A==~I2VDurl3pyBxQdHBmwHXXu5AabtNgaGcQx1FJ6v3sVzuoU0WOvMyDi40pizUWNrSIUkCIrl7Fc6cumRyKUAU0yHSHEtzwtiGO3bmiC7rOXKglLnO9Iw0eNUATA1AuJ7m9a6JxE5fX2vDFDYzk/H9eK5/74mO9TKNP0HTcKF6NzEluuTT3sRlQH3dAzBhPouTCO6yMmd00SmQEhrQxCpUc+ec78GFQgfKrE+6mDNTFSO9gHEB0JQ+xzGzzsr34BDCTB2FC41d0Q3tTGXANSHHRg==; path=/; secure; HttpOnly
    Set-Cookie: OAM_REQ=invalid; path=/; secure; HttpOnly
    X-ORACLE-DMS-ECID: 3480b637355d0d24:-ed7c663:13913246a02:-8000-000000000000042d
    X-Powered-By: Servlet/2.5 JSP/2.1
    Following is a failed request when OVD is set as the default user store:
    GET /oam/server/dap/cred_submit?osso_sassoToken=v1.0%7ENEVGMjRDREUyNUU4QTI1REUwMzVGM344MzRCNTU5RTNCREM1MjFBMjFBRDQ4MTBBNjMzMTI5QzM0MUU5RjI5fjA4ODY1M0JENjg1ODk1MTZDNUVGQjU0NTYwRjg5OEREfjYyMWE3NzhjMzUwMmVhODQ5MWRkMGIyYTBkYmM1MGU0ZDlmZTA0ZjE1NDBhMDVkOGM3ZWIwOGUzNGY3ZDhiNTBhMTNkMjY0MDliMGZmMmY2MzJjZGZjM2UzNzgzNzQ3YzM3OTIwYjlkMmNhZWY0ZDQ2M2MyYzE1NWM2MDkxMjI4MjU0NTEyZDIzODU3NTBlZjI4MjRlZTAzOWFkYmMxYTVmZWE3NTk5NTRlMGY3NTkyNjE5YTRkM2U3OTczZjZiMThmYzgxODg2MzM3ZDg5NzQ2NWUxYmZhNThjOGVmN2VhZmI5OGRiMDNiZmJmZGJjOWUzZmNjYTU1N2U5OWVjMDQ%3D HTTP/1.1
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
    Referer: http://hostname.idpdomain.com/fed/user/?refid=id-R5gYcX-W8o6-bQSR2IIYdkQLLKA-
    Accept-Language: en-us
    UA-CPU: x86
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
    Host: hostname.spdomain.com:14101
    Connection: Keep-Alive
    Cache-Control: no-cache
    HTTP/1.1 200 OK
    Cache-Control: no-cache, no-store
    Date: Sat, 11 Aug 2012 12:37:26 GMT
    Pragma: no-cache
    Content-Length: 2051
    Content-Type: text/html; charset=UTF-8
    Expires: 0
    Set-Cookie: OAM_JSESSIONID=0VksQmSHwhpr2vT33Kq1ZgqWgxrtk2BXxpr4PgmL1LwThMxYSlKQ!-450564370; path=/; HttpOnly
    X-ORACLE-DMS-ECID: 3480b637355d0d24:-ed7c663:13913246a02:-8000-000000000000040f
    X-Powered-By: Servlet/2.5 JSP/2.1

    Hi AV,
    we had the same problem
    the reason was a wrong definition in customizing
    Partner Processing -> Define Partner Determination Procedure -> User Interface Settings
    there for the relevant procedure we had to define this sequence of functions :
    1. Activity Partner
    2. Contact Partner
    3. Employee Responsible
    4. Sales Representative
    Regards
    Meinrad

  • User Store

    Everything worked with Access Manager 6.0, but now I'm using AM 7.0. Not in legacy mode. New GUI.
    Creating a sub realm and policy with a referral at the root did not work for protecting multiple applications. I think referrals only give users permissions to manage policies in sub realms. I wanted to create a realm for each application, but that approach does not seem to work. Any suggestions?
    I've given up on sub realms and just created a user store and a normal policy at the root. When I try to authenticate, Access Manager keeps checking the policy server LDAP. I want the user authenticating against the user store I just added.
    In the policy I selected the new user store for the authentication scheme, but that did not seem to work.
    Any suggestions or ideas?

    Thank you for replying. I was wondering if anyone watches this forum.
    Yes, I created an LDAP Authentication Module for the new user store. In the policy I created an "Authentication Scheme" that refers to my new user store.
    No, I have not modified the chain. When I tried changing "Default Authentication Chain", I was unable to log in to the AM console using the amAdmin user id.
    I thought "Administrator Authentication Chain" applied to amAdmin and I could modify the "Default Authentication Chain" to use my new user store.
    Thanks again!

  • Can I upload a simple iPhone App that all it does is direct the User to a Filemaker Pro URL   fmp://~filename.fmp?$VariableName=Value  This launches Filemaker Go and directs the user to the Database Hosted online   Right now there is no app store for

    Can I upload a simple iPhone App that all it does is direct the User to a Filemaker Pro URL   fmp://~filename.fmp?$VariableName=Value  This launches Filemaker Go and directs the user to the Database Hosted online
    Right now there is no app store for Filemaker Go.   Filemaker Forgot about us.
    So I want to create a simple native iPhone App that all it does
    is launch
    fmp://~/filename.fmp12?$VariableName=value
    This URL will launch the Filemaker Go App
    Filemaker Go is a app that the user will have to have
    downloaded already on the device..
    The Simple Native app will launch the Filemaker Go.
    The fmp  URL has the information where the Filemaker Pro database is hosted
    and get  the user where they need to be..
    Help Me please
    iPhone 5s, iOS 8.1.3

    That would be software. And, you said "upload." That's "uploading software." Why do you question what you stated?
    I don't know where you even want to upload this software. The only way it can be downloaded to a device is through the iTunes store. Do you even know what you want to do?

  • I'm a brand new Mac user. I want to send photos from Iphoto to my local store for printing, like I can do in Picasa. I can't find that option in Iphoto.

    I'm a brand new Mac user. I want to send photos from Iphoto to my local store for printing, like I can do in Picasa. I can't find that option in Iphoto. I do not want to order them through Itunes.

    I have no idea how you do it with Picasa but with iPhoto you either export the photos to a desktop folder and upload from there or burn that folder to CD - or from the upload window use the media browser in the lower left hand corner of the upload window - media ==> photos ==> iPhoto
    For pictures see -  https://discussions.apple.com/thread/3547767?tstart=0
    LN

  • Cannot load classes for custom user store

    I implemented a custom user store and deployed as sda library into NetWeaver preview SP16. NetWeaver is not able to load those classes when configuring that user store through Visual Administrator. Below is the error message I got,
    Unable to register user store!
    java.lang.SecurityException: com.sap.engine.services.security.exceptions.BaseSecurityException: Can not instantiate UserContext.
         at com.sap.engine.services.security.server.UserStoreImpl.<init>(UserStoreImpl.java:78)
         at com.sap.engine.services.security.server.UserStoreFactoryCache.registerUserStore(UserStoreFactoryCache.java:120)
         at com.sap.engine.services.security.server.UserStoreFactoryImpl.registerUserStore(UserStoreFactoryImpl.java:150)
         at com.sap.engine.services.security.userstore.RemoteUserStoreFactoryImpl.registerUserStore(RemoteUserStoreFactoryImpl.java:64)
         at com.sap.engine.services.security.userstore.RemoteUserStoreFactoryImplp4_Skel.dispatch(RemoteUserStoreFactoryImplp4_Skel.java:99)
         at com.sap.engine.services.rmi_p4.DispatchImpl._runInternal(DispatchImpl.java:304)
         at com.sap.engine.services.rmi_p4.DispatchImpl._run(DispatchImpl.java:193)
         at com.sap.engine.services.rmi_p4.server.P4SessionProcessor.request(P4SessionProcessor.java:122)
         at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
         at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
         at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
         at java.security.AccessController.doPrivileged(Native Method)
         at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:100)
         at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:170)
    Caused by: java.lang.ClassNotFoundException: mypackage.myusercontextimpl
    Found in negative cache
    Loader Info -
    ClassLoader name: [common:library:com.sap.security.api.sda;library:com.sap.security.core.sda;library:security.class;library:webservices_lib;service:adminadapter;service:basicadmin;service:com.sap.security.core.ume.service;service:configuration;service:connector;service:dbpool;service:deploy;service:jmx;service:jmx_notification;service:keystore;service:security;service:userstore]
    Parent loader name: [Frame ClassLoader]
    Loading model: {parent,local,references}
         at com.sap.engine.frame.core.load.ReferencedLoader.loadClass(ReferencedLoader.java:348)
         at com.sap.engine.services.security.server.UserStoreImpl.<init>(UserStoreImpl.java:75)
         ... 13 more
         at com.sap.engine.services.security.exceptions.BaseSecurityException.writeReplace(BaseSecurityException.java:349)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:324)
         at java.io.ObjectStreamClass.invokeWriteReplace(ObjectStreamClass.java:896)
         at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1011)
         at java.io.ObjectOutputStream.writeObject(ObjectOutputStream.java:278)
         at com.sap.engine.services.rmi_p4.DispatchImpl.throwException(DispatchImpl.java:139)
         at com.sap.engine.services.rmi_p4.DispatchImpl._runInternal(DispatchImpl.java:306)
         at com.sap.engine.services.rmi_p4.DispatchImpl._run(DispatchImpl.java:193)
         at com.sap.engine.services.rmi_p4.server.P4SessionProcessor.request(P4SessionProcessor.java:122)
         at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
         at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
         at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
         at java.security.AccessController.doPrivileged(Native Method)
         at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:100)
         at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:170)

    Hi sheshu0022,
    Based on my research, the issue can occur because something got corrupted in the script task. To fix this issue, please copy the code in the task, then rebuild the script task with the same code to test again.
    The following similar thread is for your reference:
    http://stackoverflow.com/questions/15165760/ssis-script-task-fails-on-server-with-error-cannot-load-script-for-execution
    Thanks,
    Katherine Xiong
    TechNet Community Support

  • Unable to modify user password through OAM identity system console.

    Hi,
    I am trying to reset the password of a user through the OAM Identity console.
    I had logged in as orcladmin (admin), and tried to update the password for users, as well as for orcladmin.
    After clicking save, it's giving me the error "Modify User Entry Failed" and the password is not updated in LDAP.
    Also note that I am able to modify any other attribute of that user like last name, title, first name etc. through the identity console.
    It's only the user password attribute which is not getting updated.
    I am using OVD, which is integrated with OID & AD for user store.
    Also I tried to set "Access Attribute control" for modifying user password, but that didn't help.
    Kindly suggest if you have come across this kind of issue.
    Regards,
    Ankit.

    Hi,
    Thanks for the replies.
    As my OVD is integrated with both OID & AD, I am picking up the users from OID for update.
    Also SSL is configured between OVD & AD, but the AD user password update is still not successful either.
    Neither of the two is working.
    I am not able to create a user through the Identity System console, as I had not configured workflow.
    I believe for updating a user attribute, a workflow definition need not be defined.
    Also, as I had mentioned before, I am able to modify all the other attributes other than user password.
    Also the schema is extended properly.
    Thanks & Regards,
    Ankit

  • ORA-00001: unique constraint during "Configure Database Security Store for OIM Domain"

    Hi Gurus,
    I am following the below steps for OIM 11.1.2.1 with SOA 11.1.1.7 Installation and facing below error during step "Configure Database Security Store for OIM Domain".
    Installed Database 11.2.0.3
    Installed RCU (here I used two versions):
         RCU 11.1.2   - Used IDAM prefix for (Metadata Services, OPSS, OIM)
         RCU 11.1.1.7 - Used SOA prefix for(Metadata Services,SOA Infrastructure, User Messaging service)
    Installed JDK 7 (Java 1.7)
    Installed WL 10.3.6 (MW_HOME-/u01/Middleware/fmw, WL_HOME=/u01/Middleware/fmw/wlserver_10.3)
    Installed FMW 11.1.2.1 for OIM. (ORACLE_HOME=Oracle_IDM1)
    Installed FMW 11.1.1.7 for SOA (ORACLE_HOME=Oracle_SOA1)
    WL Domain creation.  (Domain Name – idam_domain1)
    Configure Database Security Store for OIM Domain.
    Internal Exception: java.sql.SQLIntegrityConstraintViolationException: ORA-00001: unique constraint (IDAM_OPSS.IDX_JPS_RDN_PDN) violated
    Also followed the below bug solution, but issue still occurs.
    Bug 16690836 : CONFIGURE DATABASE SECURITY STORE (CONFIGURESECURITYSTORE.PY) SCRIPT IS FAILING
    @ 1. Delete the Schemas using RCU.
    @ 2. Recreate the OAM schemas.
    @ 3. Reinstall the WLS and OAM software.
    @ 4. Run config.sh to create a new domain.
    @ 5. Run setDomainEnv.sh from user_projects/domains/<Domain_name>/bin
    @ 6. Run the configureSecurityStore.py from same window.
    Not sure if anyone tried with different steps that fixed the issue? Could you please help.
    Thanks
    VG

    Hi Gurus, I got the solution from Oracle. SOA 11.1.1.7.0 shouldn't be used with Identity Management 11.1.2.1.0 (11GR1-PS1) version. Identity Management 11.1.2.1.0 (11GR1-PS1) is bundled with SOA 11.1.1.6.0. When I used this SOA version, the installation went smoothly. Thanks VG

  • Why must I set the AD as "default user store " when use Kerberos scheme ???

    Hi ,
    I am using the Kerberos scheme to authenticate the user by OAM after the user has logged into the AD domain. It works well when there is only 1 AD domain, for I can set that AD as the default identity store so that OAM can find the user from the store and set the header.
    But when there are two totally different AD domains with different users, there will be a question. That is, I can only set one AD domain as the default identity store. So when I use the other AD domain to visit a webgate protected resource, OAM notifies me of the user/password error. But if the AD user exists in both AD domains, it will be OK, because the user mapping is finished correctly.
    logs here:
    [2011-07-26T22:19:18.599+08:00] [oam_server1] [ERROR] [OAMSSA-20040] [oracle.oam.user.identity.provider] [tid: [ACTIVE].ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: cbefca7cded5e992:3fca7bfd:131657b3817:-8000-0000000000000c19,0] [APP: oam_server] Could not modify user attribute for user : sAMAccountName, attribute : smicer, value : {2} .
    [2011-07-26T22:19:18.600+08:00] [oam_server1] [ERROR] [] [oracle.oam.engine.authn] [tid: [ACTIVE].ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: cbefca7cded5e992:3fca7bfd:131657b3817:-8000-0000000000000c19,0] [APP: oam_server] Failure getting users by attribute : sAMAccountName, value : smicer.[[
    oracle.security.am.engines.common.identity.provider.exceptions.IdentityProviderException: OAMSSA-20016: Failure getting users by attribute : sAMAccountName, value : smicer.
         at oracle.security.am.engines.common.identity.provider.impl.UserProviderImpl.getUsersByAttribute(UserProviderImpl.java:342)
         at oracle.security.am.engines.common.identity.provider.impl.IdentityProviderImpl.getUsersByAttribute(IdentityProviderImpl.java:656)
         at oracle.security.am.engines.common.identity.provider.impl.OracleUserIdentityProvider.getUsersByAttribute(OracleUserIdentityProvider.java:288)
         at oracle.security.am.engine.authn.internal.executor.KerberosModuleExecutor.execute(KerberosModuleExecutor.java:254)
         at oracle.security.am.engine.authn.internal.executor.AuthenticationSchemeExecutor.execute(AuthenticationSchemeExecutor.java:94)
         at oracle.security.am.engine.authn.internal.controller.AuthenticationEngineControllerImpl.validateUser(AuthenticationEngineControllerImpl.java:261)
         at oracle.security.am.engines.enginecontroller.AuthnEngineController.authenticateUser(AuthnEngineController.java:669)
         at oracle.security.am.engines.enginecontroller.AuthnEngineController.processEvent(AuthnEngineController.java:294)
         at oracle.security.am.controller.MasterController.processEvent(MasterController.java:354)
         at oracle.security.am.controller.MasterController.processRequest(MasterController.java:517)
         at oracle.security.am.controller.MasterController.process(MasterController.java:457)
         at oracle.security.am.pbl.PBLFlowManager.delegateToMasterController(PBLFlowManager.java:209)
         at oracle.security.am.pbl.PBLFlowManager.handleBaseEvent(PBLFlowManager.java:147)
         at oracle.security.am.pbl.PBLFlowManager.processRequest(PBLFlowManager.java:107)
         at oracle.security.am.pbl.transport.http.AMServlet.handleRequest(AMServlet.java:168)
         at oracle.security.am.pbl.transport.http.AMServlet.doPost(AMServlet.java:133)
         at oracle.security.am.pbl.transport.http.AMServlet.doGet(AMServlet.java:673)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
         at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
         at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
         at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:300)
         at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:183)
         at weblogic.servlet.internal.RequestDispatcherImpl.invokeServlet(RequestDispatcherImpl.java:523)
         at weblogic.servlet.internal.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:253)
         at oracle.security.am.pbl.transport.http.CredCollectServlet.getCredentials(CredCollectServlet.java:148)
         at oracle.security.am.pbl.transport.http.CredCollectServlet.doPost(CredCollectServlet.java:84)
         at oracle.security.am.pbl.transport.http.CredCollectServlet.doGet(CredCollectServlet.java:71)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
         at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
         at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
         at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:300)
         at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
         at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
         at oracle.security.am.agent.wls.filters.OAMServletAuthenticationFilter.doFilter(OAMServletAuthenticationFilter.java:265)
         at oracle.security.am.agent.wls.filters.OAMValidationSystemFilter.doFilter(OAMValidationSystemFilter.java:133)
         at oracle.security.wls.oamagent.OAMAgentWrapperFilter.doFilter(OAMAgentWrapperFilter.java:120)
         at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
         at oracle.security.jps.ee.http.JpsAbsFilter$1.run(JpsAbsFilter.java:111)
         at java.security.AccessController.doPrivileged(Native Method)
         at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:313)
         at oracle.security.jps.ee.util.JpsPlatformUtil.runJaasMode(JpsPlatformUtil.java:413)
         at oracle.security.jps.ee.http.JpsAbsFilter.runJaasMode(JpsAbsFilter.java:94)
         at oracle.security.jps.ee.http.JpsAbsFilter.doFilter(JpsAbsFilter.java:161)
         at oracle.security.jps.ee.http.JpsFilter.doFilter(JpsFilter.java:71)
         at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
         at oracle.dms.servlet.DMSServletFilter.doFilter(DMSServletFilter.java:136)
         at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
         at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3715)
         at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3681)
         at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
         at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
         at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2277)
         at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2183)
         at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1454)
         at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)
         at weblogic.work.ExecuteThread.run(ExecuteThread.java:178)
    Caused by: oracle.security.idm.ObjectNotFoundException: No User found matching the criteria
         at oracle.security.idm.providers.stdldap.util.DirectSearchResponse.initSearch(DirectSearchResponse.java:174)
         at oracle.security.idm.providers.stdldap.util.NonPagedSearchResponse.<init>(NonPagedSearchResponse.java:52)
         at oracle.security.idm.providers.stdldap.util.NonPagedSearchResponse.<init>(NonPagedSearchResponse.java:43)
         at oracle.security.idm.providers.stdldap.util.LDAPRealm.searchUsers(LDAPRealm.java:489)
         at oracle.security.idm.providers.stdldap.LDIdentityStore.search(LDIdentityStore.java:274)
         at oracle.security.idm.providers.stdldap.LDIdentityStore.searchUsers(LDIdentityStore.java:367)
         at oracle.security.am.engines.common.identity.provider.impl.UserProviderImpl.getUsersByAttribute(UserProviderImpl.java:314)
         ... 57 more
    It seems OAM must have the AD set as the "default user store", and only then can AD domain users log in to WebGate-protected resources by Kerberos.
    So, how can I make two ADs available together? Can you kindly give some advice? It would be much appreciated.
    Thanks !!
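
A triage helper for the log excerpt in the post above, added here as an example (not code from the poster or from Oracle): it splits ODL-style lines into fields, handling the nested brackets in the `tid` field, and counts identity-store lookup misses per attribute value so accounts missing from the default user store stand out. The sample lines and user names are constructed, and the names in `FIELD_NAMES` are labels chosen for this example.

```python
import re
from collections import Counter

# Constructed sample lines in the layout of the log excerpt in the post above
# (user names, ecid values and timestamps are made up).
SAMPLE = """\
[2011-07-26T22:19:18.600+08:00] [oam_server1] [ERROR] [] [oracle.oam.engine.authn] [tid: [ACTIVE].ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 0000-constructed-1,0] [APP: oam_server] Failure getting users by attribute : sAMAccountName, value : alice.[[
[2011-07-26T22:20:02.114+08:00] [oam_server1] [ERROR] [] [oracle.oam.engine.authn] [tid: [ACTIVE].ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 0000-constructed-2,0] [APP: oam_server] Failure getting users by attribute : sAMAccountName, value : bob.[[
[2011-07-26T22:21:40.007+08:00] [oam_server1] [ERROR] [] [oracle.oam.engine.authn] [tid: [ACTIVE].ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 0000-constructed-3,0] [APP: oam_server] Failure getting users by attribute : sAMAccountName, value : alice.[[
[2011-07-26T22:22:00.000+08:00] [oam_server1] [NOTIFICATION] [] [oracle.oam.engine.authn] [tid: 12] [userId: <anonymous>] [ecid: 0000-constructed-4,0] [APP: oam_server] Constructed informational line.
"""

FIELD_NAMES = ("time", "component", "level", "msgid", "module")  # example labels
MISS = re.compile(r"Failure getting users by attribute : (\S+), value : (.+?)\.(?:\[\[)?\s*$")

def split_odl(line):
    """Split one record line into header fields plus message; None if not a record.
    Brackets nest (the tid field contains "[ACTIVE]"), so track depth."""
    fields, rest = [], line
    while rest.startswith("["):
        depth = 0
        for i, ch in enumerate(rest):
            depth += {"[": 1, "]": -1}.get(ch, 0)
            if depth == 0:
                break
        else:
            return None  # unbalanced header
        fields.append(rest[1:i])
        rest = rest[i + 1:].lstrip()
    if len(fields) < len(FIELD_NAMES):
        return None  # stack-trace frames and "Caused by" lines end up here
    rec = dict(zip(FIELD_NAMES, fields), message=rest)
    for extra in fields[len(FIELD_NAMES):]:
        key, _, value = extra.partition(": ")  # e.g. "tid: ...", "userId: ..."
        rec[key] = value
    return rec

def lookup_misses(log_text):
    """Count lookup misses per (attribute, value) across ERROR records."""
    misses = Counter()
    for line in log_text.splitlines():
        rec = split_odl(line)
        if rec and rec["level"] == "ERROR":
            m = MISS.search(rec["message"])
            if m:
                misses[(m.group(1), m.group(2))] += 1
    return misses
```

Only bracketed record lines are counted, so the exception line that repeats the same message inside the stack trace does not inflate the totals.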

    1) Should my setup be defaulting to 32-bit compilers
    Yes. On Solaris compilers generate 32-bit code by default
    2) I have read that adding -m64 to the compile command will make it 64-bit, is this accurate?
    It will make compiler produce 64-bit binaries.
    Compiler itself will stay 32-bit ;-)
    3) Is there a way to set the compilers to default to 64-bit so that the user doesn't have to specify -m64?
    No. At least no compiler-specific way. Only UNIX general tricks (shell alias, shell script etc)
    4) Does everyone just use -m64 and forget about it?
    Yep. They have no choice

  • Share OID for OAM and for Siteminder

    Hello,
    Has anyone deployed this, or does anyone know whether the same OID deployment can be used for OIM-OAM and for the policy store of Siteminder? OIM-OAM will have its own user and policies stored in OID, while Siteminder would have its own policy store in the same OID deployment.
    If possible, what are the challenges/disadvantages you see/have faced?
    Thanks.

    Ninad,
    It appears you answered your own question. If product A is certified for a certain version of OID and product B is not yet certified, then you would have to wait to upgrade until both are certified if you want to stay within the support policies for both product A and B. That's the major constraint.
    As Sagar noted, the policy stores for both OAM (10g) and SiteMinder can be separated into their own directory instances, so they can be tuned separately. OAM 11g no longer stores policy data in the directory, so it's a non-issue for that product, anyway. However, you will have to apply each product's user schemas to all your users so they can work with either product. Here are the possible issues:
    - Your directory server will have to index both OAM and SiteMinder attributes, so it has to index a lot of stuff, which is potentially a lot of overhead for the directory to maintain.
    - Each product maintains separate attributes for password policies, so if you enforce password policies using both products, you could run into problems and confusion for your end users.
    I'm just wondering why you aren't using one Access Mgmt product for everything? Are you trying to transition from SiteMinder to OAM or something?
