Oracle yesterday (March 7) released version 11.1.8 of Fusion Applications 

• Documentation for Fusion Applications version 11.1.8 is available on OTN here
• Fusion Apps 11.1.8 software is available on eDelivery
• For new or changed features in 11.1.8 installation check here

.

Get trained from the best instructor known to have trained novices as experts in this field.

Commencement Date : 22 March 2014

Training Schedule :  22, 23, 29, 30 March 2014 & 05, 06 April 2014

Timing: 01:00PM GMT | 9:00AM EST | 6:00AM PST | 8:00AM CST | 7:00AM MST | 6:30PM IST | 02:00PM GMT+1

Training Duration : 6 Days

Course Fee : USD 499

Course Content & Registration Link :

http://www.focusthread.com/training/dba-trainings/oracle-weblogic-administrator-training/112-oracle-weblogic-administrator-training-contents
For full curriculum and details, email us at training@focusthread.com or contact us on Phone – US: +1 213-814-4243 |UK: +44(0) 20 7193 7426 |India: +91-9833815812

Class size is limited—sign up for this course today!!!

Get trained from the best instructor known to have trained novices as experts in this field.

Commencement Date: 24 March 2014

Training Schedule : 18 Days

Training Duration: 2 Hour each (Depending upon the topic)

Timings : [Monday to Thursday (US) and  Tuesday to Friday (GMT)]

Course Fee: USD 399

Course Content & Registration Link :

http://focusthread.com/training/weekday-trainings/weekday-core-dba-training/435-weekday-core-dba-training
For full curriculum and details, email us at training@focusthread.com or contact us on Phone – US: +1 213-814-4243 |UK: +44(0) 20 7193 7426 |India: +91-9833815812

Class size is limited—sign up for this course today!!!

I recently installed Oracle E-Business Suite (R12) for E-Business Suite Integration with OAM/OID for SSO training and installation failed with error RW-20003 Error Unzip Failed. This error is self explanatory that installation failed while unzipping a file but how do you know for which file unzip failed?

R12 installer writes log to various log files at each stage of installation (R12 installer first installs database and then application tier)

a) For Database Tier installation (when installation is less than 20%) : check logs at $ORCALE_HOME/appsutil/log/$CONTEXT_NAME/ where ORACLE_HOME is $ORACLE_BASE/db/tech_st/[11.x.x]

b) For Application Tier installation (when installation is greater than 20%) : depending on phase of application tier installation

$APPL_TOP/admin/$CONTEXT_NAME/log/
$INST_TOP/logs/<MMDDHHMM>.log
$INST_TOP/logs/ora/10.1.2/install/make_<MMDDHHMM>.log
$INST_TOP/logs/ora/10.1.3/install/make_<MMDDHHMM>.log
$INST_TOP/admin/log/

For list of other logs in R12 (prior to 12.2) click here

In my case error reported was in file /oracle/ apps/ r12/ PROD/ apps/ apps_st/ appl/ admin/ [PROD_demo]/ log/ installAppl.log with error

___

Unzip1063 – Start of native unzipping /stage/R1211/oraApps/Disk9/appl/stage/ar1006.zip at /oracle/apps/r12/PROD/apps/apps_st/appl/ar/12.0.0/
Retrying unzip for Unzip1063 – from /stage/R1211/oraApps/Disk9/appl/stage/ar1006.zip
Retrying unzip for Unzip1063 – from /stage/R1211/oraApps/Disk9/appl/stage/ar1006.zip

___

 Fix: Once you know zip file (Disk9 of oraApps software folder) then fix is to download this file again from eDelivery again.

Note: I had to re-install apps (by cleaning existing installation) after unzipping as retry failed.

To register for E-Business Suite (R12) integartion with OAM/OID for SSO (starting on 3rd May 2014) click here

If you are working on Multi Data Center in OAM 11g R2 PS2, you would encounter the issue of updating the oracle.oam.EnableMDCReplication flag to true as per the Oracle Documentation link. However the document does not specify where to change this property.

Here is what you need to do:

1. Goto WebLogic Domain directory.
2. Take backup of setDomainEnv.sh.
3. Edit the setDomainEnv.sh file to add oracle.oam.EnableMDCReplication as Java Property as shown below. I have updated this after line export JAVA_OPTIONS.
4. Save the file.
5. Restart the OAM WebLogic Admin and Managed Servers.

Hope this helps.

In OAM 11g R2 PS2, I was working on Multi Data Center setup by following the documentation. I had to run the WLST command addPartnerForMultiDataCentre by giving partnerInfo.properties file as input.

What does this command do?

In MDC, when the failover happens from DC1 to DC2, all the webgate requests will be routed to DC2 to serve. The user session would have cookies/session pertaining to DC1. When the DC2 OAM servers serve the user request, then DC2 specific cookies/session has to be present. Before that, DC2 OAM servers will talk to DC1 OAM servers through back channel using Access Gate.

partnerInfo.properties contains the below details:

remoteDataCentreClusterId=DC2_CLUSTER
oamMdcAgentId=ACCESS_GATE_NAME
PrimaryHostPort=DC2_OAM_SERVER_NAME:port
SecondaryHostPort=
AccessClientPasswd=ACCESS_GATE_PASSWORD
oamMdcSecurityMode=open
agentVersion=11g
trustStorePath=
keyStorePath=
globalPassPhrase=
keystorePassword=

Let me explain every parameter:

remoteDataCentreClusterId: This is the secondary Data center Cluster Name.

oamMdcAgentId: Access Gate name which is making back channel call to DC1 for validating/requesting user session details. By default in OAM 11g R2 PS2, accessgate-oic is created. I have used this in my case. Also, ensure that Allow Management operations flag is enabled in this AG profile. For quick test, you can verify the regular webgate profiles and see that this flag is disabled by default.

PrimaryHostPort & SecondaryHostPort: Secondary DC OAM server host name and port eg., oam2.oracle.com:5575 and oam2.oracle.com:5576 respectively.

oamMdcSecurityMode: Mode in which AG is running.

agentVersion: AG version defined in profile.

trustStorePath, keyStorePath, globalPassPhrase, keystorePassword: If AG is set in simple/cert mode, provide the keystore and relevant details.

Steps to run the command:

• Run ./wlst.sh from $ORACLE_HOME/common/bin
• connect to weblogic admin server.
• Run WLST command addPartnerForMultiDataCentre(propfile=”/opt/oam/MDC/partnerInfo.properties”)
• You should see successful message as shown belowls:/oam_domain/serverConfig>addPartnerForMultiDataCentre(propfile=”/opt/oam/MDC/partnerInfo.properties”)
  Partner added successfully.
  success:

• I had executed this command in both data centers. After execution, we can verify this in oam-config.xml under the section MultiDataCenterPartners as shown below

<Setting Name=”MultiDataCenterPartners” Type=”htf:map”>
<Setting Name=”CLUSTER_NAME” Type=”htf:map”>
<Setting Name=”oamMdcSecurityMode” Type=”xsd:string”>open</Setting>
<Setting Name=”periodForWatcher” Type=”xsd:string”>2000</Setting>
<Setting Name=”maxConnPool” Type=”xsd:string”>10</Setting>
<Setting Name=”minConnPool” Type=”xsd:string”>1</Setting>
<Setting Name=”delayForWatcher” Type=”xsd:string”>1000</Setting>
<Setting Name=”oamMdcAgentId” Type=”xsd:string”>accessgate-oic</Setting>
<Setting Name=”accessClientPasswd” Type=”xsd:string”>qqwer3235123asdf</Setting>
<Setting Name=”PrimaryHostPort” Type=”xsd:string”>HOST:PORT</Setting>
<Setting Name=”agentVersion” Type=”xsd:string”>11g</Setting>
<Setting Name=”serverConnTimeout” Type=”xsd:string”>3600</Setting>
<Setting Name=”SecondaryHostPort” Type=”xsd:string”></Setting>
</Setting>

• It worked as expected in DC1. When I executed in DC2, it displayed successful message but it is not updated in oam-config.xml.

Fix:

DC2 MDC cluster is write protected. To verify, open the oam-config.xml and look for the element WriteEnabledFlag as shown below.

  <Setting Name=”WriteEnabledFlag” Type=”xsd:boolean”>false</Setting>
Since it is set to false,  any changes made through WLST will not take effect. So run below WLST command to fix this or you can manually edit the oam-config.xml carefully.

setMultiDataCenterWrite(WriteEnabledFlag = "true")

Oracle acquired BitzerMobile in november 2013 and released it as Oracle Mobile Security Suite (OMSS). Oracle Mobile Security Suite (OMSS) is now part of Oracle Identity Management Suite and is currently available from eDelivery as version 3.0 (released on March 19, 2014). For new features introduced in OMSS 3.0 click here

We have launched Mobile Security Suite practice as part of our Identity Management Consulting Services. Contact Us If you are working on BitzerMobile/OMSS or wish to work on Mobile Security.

Related/References  

• Bitzer become OMSS
• OMSS on OTN
• OMSS Technical Whitepaper

This post covers installation of OID/OVD 11gR1 (11.1.1.7) that will be used as user repository (Identity Store) for our Oracle Access Manager (OAM) 11gR2 Admin Training (training starts on 3rd May and fee is 699 USD). If you are new to Oracle Identity & Access Management then first check Identity Management Products from Oracle

1. Download Software

1.1 Download OID/OVD software (Identity Management 11.1.1.7.0) from here

2.3 On Install Type choose Typical

2.4  Verify Product Installation directory and click next 

2.5 Uncheck Run Quickstart and finish installation

In next post I’ll cover installation of OID/OVD (IDM) software so stay tuned !!

You can register for our Oracle Access Manager (OAM) 11gR2 Admin Training (Fee is 699 USD), Contact Us if you have any queries regarding training or Oracle Identity & Access Management.

This post covers part ” of  OID/OVD 11gR1 (11.1.1.7) installation that will be used as user repository (Identity Store) for our Oracle Access Manager (OAM) 11gR2 Admin Training (training starts on 3rd May and fee is 699 USD). For first part of OID/OVD installation click here

1. Install IDM (OID/OVD/ODSM) 11.1.1.7

1.1 Start installer as cd /stage/oracle/idm/11.1.1.7.0/Disk1 (IdM 11.1.1.7 is unxipped at this location) and invoke 

./runInstaller

1.2 Select Install and configure

1.3 ODSM (more on ODSM here) requires Weblogic Server and WebLogic Domain.  Select create a new domain

1.4  Specify Installation Location

ORACLE_HOME is where OID/OVD software binaries go
ORACLE_INSTANCE is where OID/OVD binary/configuration and logs go

Note: ORACLE_HOME must be installed in MW_HOME created earlier

1.5  Select default on Configure Components (We are insatlling all the components)

1.6 On OVD configuration screen provide password of OVD superuser and click Next

1.7 You have option to create schema or use an schema (ODS) already created by RCU (Repository Creation Utility). For this post we are asking installer to create schema (and NOT using RCU to create ODS/ODSSM schema)

1.8 Set ODS & ODSSM schema password

1.9 Provide password for OID superuser (cn=orcladmin)

1.10  Specify OIF PKCS12 password

1.11 Provide OIF advanced attribute values

1.12 Click Install on installation summary screen

1.13 When prompted run script from root user

1.14 When configuration reaches 100 %, click Next

1.15 Click Finish

1.17  URL’s of some entities below. ODSM console is running on Managed server on port 7005 and Federation server runs on 7499 in this case

a) http://host:7001/console (WebLogic Console)

b) http://host:7005/odsm (ODSM Console)

c) ldap://host:3060 (OID Non SSL Listen Address)

d) ldaps://host:3131 (OID SSL Listen Address)

e) ldap://host:6501 (OVD Non SSL Listen Address)

f) ldaps://host:7501 (OVD SSL Listen Address)

g) 8899 for OVD HTTPS Listener port

h) 7499 WebLogic Managed Server hosting OIF

I installed new Linux Server for our Oracle Access Manager (OAM) 11gR2 Admin Training (training starts on 3rd May and fee is 699 USD). This post covers steps to configure YUM so that you can install missing RPM (RPMs required for Oracle Database and Fusion Middleware).

1. Identify your Oracle Enterprise Linux version from enterprise-release file

cat /etc/enterprise-release

You should see entry like

Enterprise Linux Enterprise Linux Server release 5.5 (Carthage)

Output above represents that version of Linux is 5.5

2. Next task is to download yum repository configuration file from Oracle Public Yum Server.

# cd /etc/yum.repos.d  

# wget http://public-yum.oracle.com/public-yum-el5.repo

3. Enable yum for 5.5 (as our linux version is 5.5) in file /etc/yum.repos.d/public-yum-el5.repo by changing enabled from 0 to 1. Enable same as per your OEL version

[el5_u5_base]

name=Enterprise Linux $releasever Update 5 installation media copy ($basearch)
baseurl=http://public-yum.oracle.com/repo/EnterpriseLinux/EL5/5/base/$basearch/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-oracle
gpgcheck=1
enabled=1

4. Install packages in Oracle Linux as shown below

yum list

yum install [package_name]

Related

• Public Yum Server
• Fahd Mirza’s post on how to read public yum

You can register for our Oracle Access Manager (OAM) 11gR2 Admin Training(Fee is 699 USD), Contact Us if you have any queries regarding training or Oracle Identity & Access Management.

This post will give an insight into IAMSuiteAgent and how to disable it?

IAMSuiteAgent is a pre-built Java agent that comes with OAM 11g by default. Few important points of IAMSuiteAgent are:

The IAMSuiteAgent is a domain-wide agent:

• Once Access Manager is deployed, the IAMSuiteAgent is installed on every server in the domain
• Unless disabled, every request coming into the WebLogic Application Server is evaluated and processed by the IAMSuiteAgent
• Certain IAMSuiteAgent configuration elements are available in the WebLogic Administration Console (in the Security Provider section) and others in the Oracle Access Management Console.

I’d another OAM 11g R2 PS1 setup in the same node where R2 is installed. For some reason, the PS2 instance OAM Admin Console is redirecting to PS1 IAMSuiteAgent for authentication which is not expected.

So I’ve disabled IAMSuiteAgent in OAM Admin Console in PS2 instance, but of no luck. Troubleshooting why PS2 OAM console is redirecting to PS1 IAMSuiteAgent is a story for another day. Since I was running short of time, I had to disable IAMSuiteAgent. This is how I did:

1. Set the environment variable export WLSAGENT_DISABLED=true. This change can also be made in setDomainEnv.sh.
2. Restart the WebLogic Admin Server.
3. Access the OAM Admin Console and notice that IAMSuiteAgent will not intercept. Refer the below screenshot for login page.

References:

Oracle Documentation: http://docs.oracle.com/cd/E27559_01/admin.1112/e27239/webgate.htm

This post is from our demo environment to configure Segregation of Duties (SoD) in EBS using GRC/OAACG/OIM. Contact Us if you are interested in demo of GRC/OAACG/OIM/EBS integration for SoD.

I discussed about Oracle EBS (R12/11i) integration with Oracle Identity Manager (OIM) here, and two type of connectors available for EBS integration are

a) EBS UM Connector : User Management to provisioning Accounts in EBS (FND_USER)

b) EBS ER Connector : Employee Reconciliation to create users in OIM from EBS EMployee record (PER_ALL_PEOPLE_F).

In this post I am going to share an issue I encountered in EBS-ER connector during reconciliation of Employee record from EBS to OIM.

For reconciliation of Employee Record from EBS to OIM, you run schedule job eBusiness Suite HRMS Trusted Reconciliation in OIM.

When I run this scheduled job I encountered error like

___

<Apr 10, 2014 11:24:03 PM BST> <Error> <OIMCP.EBSER> <BEA-000000> <================= Start Stack Trace =======================>
<Apr 10, 2014 11:24:03 PM BST> <Error> <OIMCP.EBSER> <BEA-000000> <oracle.iam.connectors.ebs.hrms.tasks.EmployeeReconciliationTask : execute>
<Apr 10, 2014 11:24:03 PM BST> <Error> <OIMCP.EBSER> <BEA-000000> <Query execution failed>
<Apr 10, 2014 11:24:03 PM BST> <Error> <OIMCP.EBSER> <BEA-000000> <Description : Failed to execute the query>
<Apr 10, 2014 11:24:03 PM BST> <Error> <OIMCP.EBSER> <BEA-000000> <oracle.iam.connectors.ebs.common.TargetOperationException: Failed to execute the query
at oracle.iam.connectors.ebs.common.dao.DBUtil.getFirstPage(Unknown Source)
at oracle.iam.platform.tx.OIMTransaction CallbackWithoutResult.process (OIMTransactionCallbackWithoutResult.java:9)
at oracle.iam.platform.tx.OIMTransactionCallback. doInTransaction(OIMTransactionCallback.java:13)
at org.springframework.transaction.support. TransactionTemplate.execute(TransactionTemplate.java:128)
at oracle.iam.platform.tx.OIMTransactionManager. execute(OIMTransactionManager.java:22)
ActionExecutorWrapper.execute(AbstractSubjectSecurity.java:228)
at oracle.security.jps.internal.jaas.CascadeActionExecutor$ SubjectPrivilegedAction.run(CascadeActionExecutor.java:68)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)

CascadeActionExecutor.execute(CascadeActionExecutor.java:50)

at oracle.security.jps.internal.jaas.AbstractSubjectSecurity

$ActionExecutorWrapper.execute(AbstractSubjectSecurity.java:228)
at Thor.API.Security.LoginHandler.Assertion

LoginSession.runAs(AssertionLoginSession.java:93)
at oracle.iam.scheduler.impl.quartz.QuartzJob.execute(QuartzJob.java:77)
Caused by: oracle.iam.connectors.ebs.common.TargetOperationException: Failed to get the paged records
at oracle.iam.connectors.ebs.common.dao.DBUtil.getPagedRecords(Unknown Source)
… 32 more
Caused by: oracle.iam.connectors.ebs.common.TargetOperationException: Invalid format of NUMBER value
at oracle.iam.connectors.ebs.common.dao.DBUtil.setNamedParameters(Unknown Source)
… 33 more
Caused by: java.lang.NumberFormatException: For input string: “BUSINESS_GROUP_ID”
at java.lang.NumberFormatException.forInputString(NumberFormatException.java:65)
… 34 more
>
<Apr 10, 2014 11:24:03 PM BST> <Error> <OIMCP.EBSER> <BEA-000000> <================= End Stack Trace =======================>

________

Import message in the whole error stack was Caused by: java.lang.NumberFormatException: For input string: “BUSINESS_GROUP_ID”

When reconciliation Job eBusiness Suite HRMS Trusted Reconciliation is run, it runs SQL query that fetches data from table PER_ALL_PEOPLE_F table of EBS and look for column BUSINESS_GROUP_ID 

Query : Table PER_ALL_PEOPLE_F (search for BUSINESS_GROUP_ID and CURRENT_EMPLOYEE_FLAG, EFFECTIVE_START_DATE)

Fix : Set lookup Lookup.EBS.HRMS.QueryFilters in OIM Design Console

Log into OIM Design Console -> Administration=>Lookup Definition and search for Lookup.EBS.HRMS.QueryFilters

Enter the following Values…

fromDate = 01-Jan-2012|Date|DD-Mon-YYYY
businessGroupID = 202|number
toDate = 12-Apr-2014|Date|DD-Mon-YYYY

Save the Changes

(Here 202 is BUSINESS_GROUP_ID from PER_ALL_PEOPLE_F table)

Run the schedule job eBusiness Suite HRMS Trusted Reconciliation this should now create users in OIM (from EBS Employee)

We usually secure ObSSOCookie to pass this cookie in SSL environment and to avoid non-SSL applications to access. This is a very good feature to improve security in OAM. However if you also want to secure ObFormLoginCookie although you don’t find any sensitive information in this cookie, you can do so. Securing ObFormLoginCookie will allow end users to access applications in both non-SSL and SSL unlike securing ObSSOCookie. Securing ObFormLoginCookie is explained below and this is in 10g OAM version. Perhaps this would work in 11g too, I haven’t tried it albeit.

1. Login to OAM Access Console.
2. Edit form authentication scheme.
3. Specify the Challenge Parameter miscCookies:Secure along with other challenge parameters. Refer the below screenshot.
4. Restart the Resource Webgate for quick config refresh.
5. Access the application protected by the above Form Auth scheme.
6. Observe that when the ObFormLoginCookie is set, you will also see “secure”. For example, refer below:

Set-Cookie: ObFormLoginCookie=wh%3DRESOURCE-WEBGATE-HOST%20wu%3D%2Findex.html%20wo%3D1%20rh%3Dhttps%3A%2F%2FRESOURCE-WEBGATE-HOST%3A8080%20ru%3D%2Findex.html; Secure; path=/dummy.cgi

This post is from our demo environment to configure Segregation of Duties (SoD) in Oracle eBusiness Suite (R12) using GRC/OAACG/OIM. Contact Us if you are interested in demo of GRC/OAACG/OIM/EBS integration for SoD.

I discussed about Oracle EBS (R12/11i) integration with Oracle Identity Manager(OIM) here, and two type of connectors available for EBS integration are

a) EBS UM Connector : User Management to provisioning Accounts in EBS (FND_USER)

b) EBS ER Connector : Employee Reconciliation to create users in OIM from EBS EMployee record (PER_ALL_PEOPLE_F).

Before EBS Responsibility (treated as entitlement in OIM) can be provisioned via OIM, these responsibility must be visible in OIM as lookup. Schedule Job lookup of EBS Responsibility fethches these responsibility from EBS and store them as lookup in OIM. In this post I am going to share an issue I encountered in EBS-UM connector while running schedule job  lookup of EBS Responsibility.

.

Schedule job failed with error in OIM logs as

_______

<Apr 22, 2014 11:26:22 PM BST> <Error> <OIMCP.EBSUM> <BEA-000000> <====================================================>
<Apr 22, 2014 11:26:22 PM BST> <Error> <OIMCP.EBSUM> <BEA-000000> <oracle.iam.connectors.ebs.usermgmt.tasks.UserMgmtLookupReconciliationTask : initializeAndValidateTaskParams : Please provide a valid value to Scheduled Task attribute: IT Resource Name>
<Apr 22, 2014 11:26:22 PM BST> <Error> <OIMCP.EBSUM> <BEA-000000> <====================================================
>
<Apr 22, 2014 11:26:22 PM BST> <Error> <OIMCP.EBSUM> <BEA-000000> <================= Start Stack Trace =======================>
<Apr 22, 2014 11:26:22 PM BST> <Error> <OIMCP.EBSUM> <BEA-000000> <oracle.iam.connectors.ebs.usermgmt.tasks.UserMgmtLookupReconciliationTask : init>
<Apr 22, 2014 11:26:22 PM BST> <Error> <OIMCP.EBSUM> <BEA-000000> <Invalid Schedule Task Parameter>
<Apr 22, 2014 11:26:22 PM BST> <Error> <OIMCP.EBSUM> <BEA-000000> <Description : Invalid Schedule Task Parameter>
<Apr 22, 2014 11:26:22 PM BST> <Error> <OIMCP.EBSUM> <BEA-000000> <oracle.iam.connectors.common.ConnectorException: Invalid Schedule Task Parameter
at oracle.iam.connectors.ebs.usermgmt.tasks.UserMgmtLookupReconciliationTask.init(Unknown Source)
at com.thortech.xl.scheduler.tasks.SchedulerBaseTask.execute(SchedulerBaseTask.java:382)

Caused By: oracle.iam.connectors.common.ConnectorException: Invalid Schedule Task Parameter
at oracle.iam.connectors.ebs.usermgmt.tasks.UserMgmtLookupReconciliationTask.init(Unknown Source)

_______
Fix is to populate two parameters of scheduled job (IT Resource Name and Query Property File)

This schedule job uses a properties file ebsUMLookupQuery.properties (that comes as part of EBS-UM connector).  This properties file has entry like below to get list of all the responsibility in EBS

____

Lookup.EBS.Application=SELECT fa.application_id AS CODE, fa.application_short_name AS DECODE FROM fnd_application fa

Lookup.EBS.UMX.Roles=SELECT (CONCAT(fa.application_id || ‘~’, b.name)) AS CODE, (b.display_name) AS DECODE FROM fnd_application fa, wf_local_roles b WHERE b.orig_system = ‘UMX’ AND b.status = ‘ACTIVE’ AND fa.application_short_name = b.owner_tag

Lookup.EBS.Responsibility=SELECT (CONCAT(fa.application_id || ‘~’, fr.responsibility_id)) AS CODE, fr.responsibility_name AS DECODE FROM fnd_application fa, fnd_responsibility_tl fr WHERE fa.application_id = fr.application_id

Lookup.EBS.SecurityGroup=SELECT security_group_id AS CODE, security_group_key AS DECODE FROM fnd_security_groups

_____

Fix is to populate two parameters of scheduled job (IT Resource Name and Query Property File)

Contact Us if you are interested in demo of OIM/EBS integration or integration of OIM/EBS/GRC.

Hi All,

This is one of the most common activity that every IDM assignment might consist of, backing up and restoring LDAP. In this post I would like to provide an insight about backing up and restoring details for Oracle Internet Directory 11g.

Essentially what you need to take backup is :

• Users and group data : Containing under realm say dc=oracle,dc=com
• Schema: object classes and attributes
• LDAP configuration: such as configuration set etc.,

For a small LDAP there are two ways to take backup:

1. Stopping all OID processes and taking backup of database schemas ODS, ODSSM  (OR)
2. Backing up ldap content (both ldap data + schema) into ldif files.

Backing up and restoring production environments is a topic for another day.

Backing up OID environment:

1. Shutdown OID process using opmnctl.
2. Set ORACLE_HOME env variable.
3. Run the command $ORACLE_HOME/ldap/bin/ldifwrite connect=”OIDDB” basedn=”dc=oracle,dc=com” ldiffile=”oid_backup.ldif”
4. NOTE: Fetch the OID connection string value from file $AS_INSTANCE/config/tnsnames.ora. Specify the basedn for the data that you want to fetch and this is used for specific naming context backup. If you want to fetch complete OID, specify it as blank say “”.
5. Start the OID process using opmnctl.
6. Run the command to backup schema $ORACLE_HOME/bin/ldapsearch -h OID_Host -p OID_Port -D cn=orcladmin -w OID_Password -L -b “cn=subschemasubentry” -s base “objectclass=*” > oid_schema.ldif

Restoring OID environment:

OID restoration can happen in the same node or different node.

1. Shutdown the target OID node. Copy the oid_backup.ldif and oid_schema.ldif to the location $ORACLE_HOME/ldap/bin.
2. Run the command to delete all entries in new OID node $ORACLE_HOME/ldap/bin/bulkdelete connect=”OIDDB” basedn=”"
3. Run the command to load the new entries $ORACLE_HOME/ldap/bin/bulkload connect=”OIDDB” generate=”TRUE” load=”TRUE” restore=”TRUE” file=”oid_backup.ldif”
4. Run the command to load the schema ./bulkload connect=”OIDDB” generate=true load=true restore=true file=../../bin/oid_schema.ldif
5. Start the OID process using opmnctl. Test the OID using ldapbind.

Output files:

The bulk utilities will write the logs to several files:

$AS_INSTANCE/diagnostics/logs/OID/tools/bulkload.log: This file contains the bulkload command output.

$AS_INSTANCE/diagnostics/logs/OID/tools/duplicateDN.log: This file contains the list of duplicate DNs found while running bulkload command.

$AS_INSTANCE/diagnostics/logs/OID/tools/bulkdelete.log: This file contains the bulkdelete command output.

$AS_INSTANCE/diagnostics/logs/OID/tools/ldifwrite.log: This file contains the bulkwrite command output.

$AS_INSTANCE/OID/load/badentry.ldif: This file contains a list of bad LDIF entries.

Hope this helps. Please write your suggestions/comments.

I’ve come across an issue in OAM 11g R2 PS2 environment. Multi Data Center is also being setup with one DC as Master and other DC as Clone. After configuring the Clone DC using T2P commands and running few WLST commands to accomplish MDC setup, the below errors were seen while starting the OAM WebLogic Admin/Managed Servers.

<Apr 8, 2014 4:28:05 PM PDT> <Warning> <oracle.oam.engine.policy> <OAMSSA-06342> <Bootstrap failed for handler oracle.security.am.common.policy.tools.upgrade.r2ps2.bootstrap.RMR2PS2BootstrapHandler!>

<Apr 8, 2014 4:28:05 PM PDT> <Error> <oracle.oam.engine.policy> <BEA-000000> <Policy store update operations are not allowed, system is write protected.

Analysis:

The OAM 11g documentation states “Clone Data Centers can be write protected so no updates can be made to the system or policy configurations”. So I had set WriteEnabledFlag flag in oam-config.xml to false. Therefore any updates to Clone DC for policy or system changes will fail.

You can verify this flag in oam-config.xml and it would look like:

<Setting Name=”WriteEnabledFlag” Type=”xsd:boolean”>true</Setting>

However the weblogic servers would start up fine.

Solution:

Even Clone DC should be Write Enabled.

Connect to weblogic admin server through wlst.sh and run commands as shown below:

wls:/oam_domain/serverConfig> domainRuntime()

Location changed to domainRuntime tree. This is a read-only tree with DomainMBean as the root.

For more help, use help(domainRuntime)

wls:/oam_domain/domainRuntime> setMultiDataCenterWrite(WriteEnabledFlag=”true”)

Data center write enable flag set successfully

wls:/oam_domain/domainRuntime>

Oracle Identity Manager (OIM) can be integrated Oracle Identity Analytics (OIA) or Oracle/SAP GRC (Governance, Risk, and Compliance) for SoD (Segregation of Duties).

We recently implemented OIM integration with Oracle GRC (OAACG - Oracle Application Access Control Governor) for Oracle E-Business Suite (EBS R12) for SoD.

EBS Responsibility Provisioning from OIM to EBS were failing with error “String index out of range: -7 SODCheck Completed with Error“

Error in OIM logs reported was
____

<Apr 24, 2014 7:25:20 PM BST> <Error> <XELLERATE.JAVACLIENT> <BEA-000000> <oracle.iam.grc.sod.scomp.impl.oaacg.analysis. SoDAnalysisExecutionOperOAACG80/ startPreventiveSynConflictSimulation: String index out of range: -7>
<Apr 24, 2014 7:25:20 PM BST> <Error> <XELLERATE.JAVACLIENT> <BEA-000000> <SILServiceImpl. executeSynchronousSoDSimulation SILServiceComponentException : String index out of range: -7>
<Apr 24, 2014 7:25:20 PM BST> <Error> <XELLERATE.JAVACLIENT> <BEA-000000> <Class/Method: InitiateSODCheck/makeSODCall encounter some problems: String index out of range: -7java.lang.StringIndexOutOfBoundsException: String index out of range: -7>
<Apr 24, 2014 7:25:20 PM BST> <Error> <XELLERATE.JAVACLIENT> <BEA-000000> <SOD Check Result is null>

____________

• OIM connects to OAACG module of GRC using IT Resource (defined in OIM), check screenshot below.

• In GRC you define datasource and this datasource (In GRC) should match with datasource in OIM IT Resource for OAACG-ITRes 

Fix: If you are hitting error like above then ensure that Datasource defined in OIM IT Resource “OAACG-ITRes” should match with data source defined in GRC.

Online Patching feature of Oracle E-Business Suites 12.2.x allows patching activity, while users are working on the System. The Online Patching cycle consists of several phases (i.e prepare, apply, finalize, cutover and cleanup etc.), with the critical phase where the changes are committed being called cutover. Up to this phase, you can run a special phase called abort, which will undo the changes made so far in the patching cycle.

System can be rolled back, If cutover fails or after cutover, you want to revert to the state of the system before the patching cycle was started. Here, you can see the advantage of Oracle Database Flashback feature to go back to a designated point in time (a restore point). You should create the restore point just before running the cutover phase.

In order to proceed further, one may use the following Oracle Document, from where abstract was taken:
Oracle E-Business Suite Release 12.2: Backup and Recovery Guidelines For Online Patching Cutover (Doc ID 1584097.1)

• Where are OID ports configured (In xml file under ORACLE_INSTANCE or in OID Database) ?
• Can you keep ORACLE_HOME (for IAM) outside Middleware Home (MW_HOME) ?
• What is Relative Distinguished Name (RDN) of entry with Distinguished Name (DN) “uid=jbloggs, cn=Users,dc=mydomain,dc=com” ? 

For some of interesting QUIZ like above and chance to win monthly prize, LikeUs on our FaceBook page https://www.facebook.com/k21technologies  and participate in QUIZ