
EBS OAM integration : Logout should re-direct to different URL


EBS R12 integration with OAM 11g is covered in detail (with step-by-step instructions) in the eBook – E-Business Suite Integration with OID/OAM for Single Sign-On that I co-authored with Neha Mittal.

This book also covers configuring logout (oacleanup.html) during AccessGate deployment by supplying the Logout Page with the parameter -DWebgateLogoutURL, like:

-DWebgateLogoutURL=http://innowave12.com:7777/public/oacleanup.html

When the user clicks the logout link, this URL logs the user out of both OAM and the E-Business Suite application and presents the AccessGate Login Page again.

 

One of our readers' requirement was that after logout, instead of presenting the Login Page, the system should redirect the user to a different URL (e.g. the company's website http://myCompany.com).

To achieve this, use end_url as a query parameter of the logout URL, so during Access Gate deployment use -DWebgateLogoutURL like:

-DWebgateLogoutURL=http://innowave12.com:7777/public/oacleanup.html?end_url=http://myCompany.com 

 

More on Logouts in OAM 11g here

 


Configure SSL for Oracle Internet Directory (OID)


Oracle Internet Directory (OID) by default listens on two ports, LDAP (non-secure) and LDAPS (secure LDAP). In this post I am going to cover in detail how to configure SSL in OID 11g and key points related to SSL in OID.

1. OID listens on two ports (LDAP and LDAPS); the ports in use are displayed by opmnctl status -l (in the example below, OID is listening on SSL port 3131)

[aiam@innowave21 ~]$ opmnctl status -l

Processes in Instance: asinst_1
---------------------------------+--------------------+---------+-------
ias-component | process-type | pid | status | uid | memused | uptime | ports
---------------------------------+--------------------+---------+-------
oid1 | oidldapd | 26253 | Alive | 412548771 | 662564 | 371:51:57 | N/A
oid1 | oidldapd | 26213 | Alive | 412548770 | 374372 | 371:51:58 | N/A
oid1 | oidmon | 26145 | Alive | 412548769 | 298736 | 371:52:02 | LDAPS:3131,LDAP:3060
EMAGENT | EMAGENT | 26144 | Alive | 412548768 | 63824 | 371:52:02 | N/A

2. OID on the LDAPS (secure) port can be configured in one of three modes (controlled by the attribute orclSSLAuthentication):

a) SSL with No Authentication (orclSSLAuthentication = 1) – In this mode neither the client (connecting to OID) nor the server (OID) presents an SSL certificate. Data is still transferred over SSL.

b) SSL with Server Authentication Only (orclSSLAuthentication = 32) – In this mode the server (OID) presents its SSL certificate to the client, but the client does not present any certificate to the server. Data is transferred over SSL.

c) SSL with Client and Server Authentication (orclSSLAuthentication = 64) – In this mode both the server (OID) and the client present their SSL certificates to each other. Data is transferred over SSL.

Note: The default setting is SSL with No Authentication, i.e. orclSSLAuthentication = 1. Common practice is to change this to SSL with Server Authentication Only, i.e. orclSSLAuthentication = 32.

 

3. When OID is configured for Server Authentication (orclSSLAuthentication = 32) or Client and Server Authentication (orclSSLAuthentication = 64), the SSL certificate and the Certifying Authority's (CA) certificates are stored in WALLETS (more on wallets here and here). A wallet can be managed by EM (Enterprise Manager), WLST, orapki or OWM.

Note: To manage wallets in OID 11g using EM or WLST, OID must be integrated with WebLogic with Enterprise Manager (EM).

 

4. For OID's SSL certificate, you can generate a self-signed certificate, or create a certificate request file, submit it to a Certifying Authority like VeriSign, and store the certificates in the wallet.

To configure SSL in OID:

1. Configure a Wallet to store the SSL certificate and the Certifying Authority's certificates, using EM, WLST, OWM or orapki

2. Create a Certificate Request File -> get the certificate from the Certifying Authority (CA) -> import the certificate into the Wallet

or

2. Generate a Self-Signed Certificate in the Wallet

3. Configure the SSL parameters using EM or WLST, or update the SSL-related attributes of the OID instance (orclSSLAuthentication, orclSSLVersion, orclSSLWalletURL):

a) Ensure that Enable SSL is checked

b) Select the Wallet from the drop-down (the list is based on the wallets created in the previous step; you can have more than one wallet, but only one will be used)

c) Select the SSL Authentication Mode (orclSSLAuthentication 1, 32 or 64)

d) Select ciphers (it is recommended to select ciphers based on enterprise security requirements)

e) Select the SSL version (version 3 is recommended)

4. Restart OID using opmnctl stopall; opmnctl startall

5. Test the SSL connection using ldapbind, ODSM, or an LDAP browser
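As an added example (not from the original post), here is a shell check for step 5 that classifies which orclSSLAuthentication mode an LDAPS listener is actually running in, from what openssl s_client reports about the handshake. It assumes that mode 1 negotiates an anonymous cipher suite (so no server certificate is presented), that mode 64 makes the listener request a client certificate, and that mode 32 presents a certificate without requesting one; the port 3131 default and the sample outputs are constructed.

```shell
#!/bin/sh
# Heuristic classification of an LDAPS listener's orclSSLAuthentication mode
# from `openssl s_client` output. Assumptions (see lead-in): mode 1 = anonymous
# cipher suite, no server certificate; mode 64 = server sends a
# CertificateRequest, shown by s_client as "Acceptable client certificate CA
# names"; mode 32 = certificate presented, no CertificateRequest.

# Reads s_client output from stdin and prints 1, 32, 64 or unknown.
classify_ssl_mode() {
  out=$(cat)
  if printf '%s\n' "$out" | grep -q 'no peer certificate available'; then
    echo 1
  elif printf '%s\n' "$out" | grep -q 'Acceptable client certificate CA names'; then
    echo 64
  elif printf '%s\n' "$out" | grep -q 'BEGIN CERTIFICATE'; then
    echo 32
  else
    echo unknown
  fi
}

# Live probe (needs network; the offline samples below do not use it).
# -cipher ALL:aNULL lets OpenSSL offer the anonymous suites a mode-1 listener
# insists on; an SSLv3/TLS1.0-only listener may also need a legacy OpenSSL build.
# The post's ldapbind equivalent is -U 1 (no-auth) or -U 2 (server auth, with
# -W pointing at a wallet holding the CA); check ldapbind usage for your release.
probe_ldaps_mode() {
  host=$1; port=${2:-3131}
  openssl s_client -connect "$host:$port" -cipher 'ALL:aNULL' </dev/null 2>/dev/null \
    | classify_ssl_mode
}

# Constructed, abridged s_client outputs for the three modes (offline samples).
sample_mode1() {
  cat <<'EOF'
CONNECTED(00000003)
---
no peer certificate available
---
No client certificate CA names sent
---
New, TLSv1/SSLv3, Cipher is ADH-AES256-SHA
EOF
}
sample_mode32() {
  cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=innowave21.focusthread.com
   i:/CN=Demo Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIB...constructed...
-----END CERTIFICATE-----
---
No client certificate CA names sent
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
EOF
}
sample_mode64() {
  cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=innowave21.focusthread.com
   i:/CN=Demo Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIB...constructed...
-----END CERTIFICATE-----
---
Acceptable client certificate CA names
/CN=Demo Root CA
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
EOF
}
```

Running `probe_ldaps_mode innowave21 3131` against a listener that was meant to be in mode 32 but prints 1 is the quickest way to catch a wallet or orclSSLAuthentication setting that did not take effect after the restart.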

 

Here is the OID instance configuration after configuring SSL

 

More on OID SSL configuration in the OID Administrator's Guide


SSL configuration in OVD – Oracle Virtual Directory


This post covers key points and documentation to configure SSL in Oracle Virtual Directory (OVD) 11g. For SSL configuration in OID 11g click here.

1. SSL Authentication Mode – OVD, like any other SSL listener, can be configured in one of three authentication modes:
a. SSL No-Auth Mode: neither client nor server is required to authenticate by showing a certificate. This mode is also called anonymous or no-authentication mode.
b. Server Authentication Mode: the server authenticates itself to the client by presenting its SSL certificate, but the client does not authenticate itself with a certificate. This mode is also called one-way SSL or server authentication.
c. Mutual Authentication: both client and server authenticate each other using SSL certificates. This mode is also called two-way SSL or client authentication.

Note: OVD SSL Listener by default is configured in Server Authentication Mode.

2. OVD by default listens on four ports (more on OVD listeners here):
a) LDAP Listener – non-SSL LDAP, default port 6501
b) LDAPS Listener – SSL LDAP, default port 7501
c) Admin Listener – SSL Admin port 8899
d) DSML Gateway – non-SSL HTTP port 8080

Note: Clients usually connect to OVD using the LDAP or LDAPS Listener

3. The LDAPS and Admin Gateway Listeners by default come with SSL using a self-signed certificate. You can change from self-signed certificates to certificates issued by a trusted CA like VeriSign/Thawte, or you can use your own CA.

4. SSL certificates (issued to OVD listeners) and Certifying Authority certificates (certificates of the authority that issued them) are stored in a Keystore.

5. Keystore – In Oracle Fusion Middleware there are two types of keystores:

a) JKS Keystore and Truststore (aka Java Key Store)
b) Oracle Wallets

Note: OVD uses a Java Key Store to store certificates. System components of Fusion Middleware like OID and OHS use Oracle Wallets to store SSL certificates.

6. You can configure/manage SSL in OVD (LDAPS listener) using

a) WebLogic Scripting Tool (WLST)
or
b) Fusion Middleware Enterprise Manager Control (/em)

Note: To manage SSL certificates using EM or WLST, OVD must be configured with Weblogic Server with EM application deployed .

7. Java Keystore lifecycle includes

a) Creating keystore
b) viewing/updating keystore
c) exporting/importing keystore
d) deleting keystore

8. To create/manage a keystore in OVD:
a) Log in to EM
b) Navigate to ovd -> Security -> Keystores

 

 

9. OVD by default creates the following keystores:

a) keys.jks (Trust Store and SSL keys for OVD LDAPS Listeners)

b) Optional – if an LDAP Adapter using TLS/SSL is defined, then adapters.jks (containing the SSL certificate and trust store for the OVD-to-LDAP connection over SSL)

10. Location of Key Store for OVD LDAPS Listener is defined in OVD EM : Administration -> Listeners -> LDAP SSL End Point (Edit) -> Change SSL Settings

 

 

11. Location of Key Store for OVD LDAP Adapter is defined in OVD EM : Administration -> Server Properties (Under TLS Configuration Section)

 

12. Java Keystore (JKS) for OVD is stored on File System under $ORACLE_INSTANCE/config/OVD/[ovd1]/keystores

13. If you don't want to use a self-signed certificate and wish to use certificates signed by a trusted Certifying Authority (like VeriSign or Thawte) or by your company's PKI, then:

a. Create a Java keystore using /em or wlst
b. Generate a CSR (Certificate Signing Request)
c. Send the CSR to the Certifying Authority (CA) to sign the certificate
d. Once you get the signed certificate from the CA, import the signed certificate into the keystore
e. If the certificates are signed by your company's PKI, then OVD clients (including ODSM) must include the CA's certificates as trusted certificates

Note: Certificates can be DER-encoded or Base-64 encoded format. You cannot use FMW control to import DER-encoded certificate.

 


Unable to access WebLogic Console: Error is “Unable to set the activation state to true for the application ‘consoleapp’”


 

Hi All,

I've been working on a WebLogic Server startup issue for 3 days and I am glad that the issue is fixed. There is a WebLogic 10.3.2 environment where OIM 10g is installed. We're able to start the OIM application through xlStartManagedServer.sh properly and able to access the OIM admin console. However, while starting up the WebLogic Admin Server using xlStartWLS.sh, we are getting the below exception:

INFO: Completed initializing Sun’s JavaServer Faces implementation (1.2_03-b04-FCS) for context ‘/console’
<Jan 28, 2013 10:09:55 AM PST> <Warning> <HTTP> <BEA-101162> <User defined listener com.sun.faces.config.ConfigureListener failed: java.lang.NoClassDefFoundError: javax/xml/parsers/SAXParserFactory.
java.lang.NoClassDefFoundError: javax/xml/parsers/SAXParserFactory
at com.sun.faces.config.ConfigureListener$WebXmlProcessor.getConfiguredFactory(ConfigureListener.java:1987)
…………
…………
Caused By: java.lang.ClassNotFoundException: javax.xml.parsers.SAXParserFactory
at weblogic.utils.classloaders.GenericClassLoader.findLocalClass(GenericClassLoader.java:296)
…………
…………
<Jan 28, 2013 10:09:55 AM PST> <Error> <Deployer> <BEA-149231> <Unable to set the activation state to true for the application ‘consoleapp’.
weblogic.application.ModuleException:
at weblogic.servlet.internal.WebAppModule.startContexts(WebAppModule.java:1399)
at weblogic.servlet.internal.WebAppModule.start(WebAppModule.java:460)
…………
…………
<Jan 30, 2013 10:59:00 PM PST> <Notice> <WebLogicServer> <BEA-000329> <Started WebLogic Admin Server “AdminServer” for domain “oim_domain” running in Production Mode>
<Jan 30, 2013 10:59:00 PM PST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RUNNING>
<Jan 30, 2013 10:59:00 PM PST> <Notice> <WebLogicServer> <BEA-000360> <Server started in RUNNING mode>

Since the server status is showing as RUNNING, I tried accessing the WebLogic Console at http://host:port/console and it is throwing a 404 Not Found error.

There is no other clue in the Admin Server logs as to why the console is not accessible. So here is the fix for the issue:

The weblogic-application.xml located under $WL_HOME/server/lib/consoleapp/META-INF has the package name <package-name>javax.xml.*</package-name> defined under the <prefer-application-packages> section.

This package entry was removed and the server bounced using xlStartWLS.sh; the server started without any exception and I am able to access the WebLogic console properly.

SSL in WebLogic (CA, KeyStore, Identity & Trust Store) : Things you must know – Part I


This post covers basics of SSL in WebLogic Server and how to configure SSL with Custom Certificates and Certifying Authority. For SSL in Oracle E-Business Suite click here, SSL in Oracle Internet Directory (OID) click here , SSL in Oracle Virtual Directory (OVD) click here , and for SSL in Oracle Access Manager (OAM) click here

Secure Socket Layer (SSL) is used to encrypt data between client and Server (WebLogic in this case).

1. When a user connects to WebLogic Server they can connect
a) directly to WebLogic Server (Admin or Managed Server port; more on WebLogic Admin/Managed Server here), or
b) via a Web Server or Load Balancer (which then connects to WebLogic Server). To configure a Web Server (OHS) in front of WebLogic Server click here

User –> Load Balancer (or Web Server) –> WebLogic Server
User –> WebLogic Server

a) You can terminate SSL at the Load Balancer (or Web Server) and keep communication from the Load Balancer (or Web Server) to WebLogic Server non-SSL (in this case the Load Balancer (or Web Server) is configured to listen on SSL but WebLogic Server is configured to listen on non-SSL)
or
b) You can terminate SSL at WebLogic Server (in this case the Load Balancer (or Web Server) and WebLogic Server are all configured to listen on SSL)

2. WebLogic Servers (Admin or Managed) are configured with both a non-SSL and an SSL port (to enable SSL you just need to select SSL Listen Port Enabled in the WebLogic Console).

3. SSL certificates are issued to a server by a certificate signing authority (aka Certifying Authority or CA)

4. There can be one Certifying Authority (root CA) and zero or more intermediate Certifying Authorities (the root CA delegates authority to issue certificates to intermediate CAs)

In the screenshot above:
a) the Root CA is "Class 3 Public Primary Certification Authority", which issued a certificate to
b) "VeriSign Class 3 Public Primary Certification Authority – G5" (intermediate CA), which issued a certificate to
c) "VeriSign Class 3 International Server CA – G3" (intermediate CA), which issued a certificate to
d) *.oracle.com

In this case *.oracle.com is the server certificate, whereas the three certificates above it are trusted certificates (certificates of certifying authorities)

5. By default certificates for SSL Listener on WebLogic are Self Signed (i.e. Certificate and Certifying Authority both are WebLogic Server)

6. There are two types of certificate:
a) Trusted Certificates – these are certificates of a Certifying Authority (CA). In the second screenshot (above) the certificates of "VeriSign Class 3 International Server CA – G3" and "VeriSign Class 3 Public Primary Certification Authority – G5" are trusted certificates
b) Identity Certificates – these are certificates of the server to which they are issued. In the above screenshot the certificate of *.oracle.com is the identity certificate

7. Certificates (Trusted and Identity) for WebLogic are stored in a Keystore. WebLogic Server supports various types of Keystore; the most common is the Java Key Store (JKS), a file-based repository with the extension .jks

8. A Java Key Store (JKS) serves as two kinds of store:
a) Trust Store – to store Trusted Certificates (certificates of certifying authorities)
b) Identity Store – to store Identity Certificates (certificates issued to a server by a CA)

Note: You can keep both Trust Store and Identity Store in same Keystore (JKS) or they can be stored in different Keystore (one jks file for identity certificate and second jks file for trust certificates)

 

9. WebLogic comes with default (self-signed) identity and trust stores under $WL_HOME/server/lib:
a) DemoIdentity.jks – Identity Store containing the server's certificate (identity certificate)
b) DemoTrust.jks – Trust Store containing certificates of CAs (trusted certificates)

10. The keystore is managed by the Java utility keytool. keytool is used to generate certificate requests, import certificates (issued by a CA), or import CA certificates.

 


More on SSL certificates , keytool and configuring SSL with WebLogic in next post


SSL in WebLogic Server – Part II : Create KeyStore, generate CSR, Import CERT and configure KeyStore with WebLogic


This is part II of SSL in WebLogic Server; it covers creating a KeyStore, generating a Certificate Signing Request (CSR), importing the certificate into the KeyStore, and finally using this KeyStore with WebLogic Server. I strongly recommend going through Part I first: SSL in WebLogic KeyStore, Identity & Trust Store, Root and Intermediate CA

 

High Level Steps to configure SSL in WebLogic Server are

1. Create Java KeyStore (JKS) and generate key
2. Generate Certificate Signing Request  (CSR)
3. Send this certificate request file to CA to issue certificate
4. Import Root CAs certificate
5. Import intermediate CAs certificate (If any)
6. Import certificate issued by CA
7. List content of keystore
8. Configure SSL in WebLogic Server
8.1 Change KeyStore type in WebLogic Server
8.2 Specify path of Identity KeyStore and Trust KeyStore
8.3 Specify Private Key Alias in WebLogic Server
8.4 Enable SSL in WebLogic Server
9. Test SSL in WebLogic Server

 

Low Level Steps to configure SSL in WebLogic Server

1. Create Java KeyStore and generate key: The first step is to create the KeyStore and private key (if you already have a KeyStore, you can use it to generate the key)

keytool -genkey -alias myAlias -keyalg RSA -keysize 2048 -dname "CN=serverName, OU=MyOrganizationUnit, O=myOrganization, L=myLocation, ST=myState, C=myCountry" -keypass [private_key_password] -keystore [keystore_name].jks -storepass [keystore_password]

____

[aiam@innowave21 ~]$ keytool -genkey -alias innowave21 -keyalg RSA -keysize 2048 -dname "CN=innowave21.focusthread.com, OU=DBATeam, O=onlineAppsDBA, L=London, ST=London, C=GB" -keypass welcome1 -keystore innowave21.jks -storepass welcome1

[aiam@innowave21 ~]$ ls *.jks
innowave21.jks

_____

Note:
a) This step creates the Keystore [keystore_name].jks
b) The keytool utility is a Key and Certificate Management Tool and is available in $JAVA_HOME/bin
c) The -genkey option signifies that we are generating a private key
d) -alias myAlias: each entry in the KeyStore (JKS) is represented by an alias. When you import the signed certificate (issued by the CA) into the KeyStore, you must use the same alias used during key generation
e) -keyalg RSA: the algorithm used to generate the key pair (the default algorithm is DSA)
f) -keysize 2048: the size of the key used to generate the private key
g) -dname: the distinguished name of the server for which the key is created. If you are generating keys for server innowave21.focusthread.com then use CN=innowave21.focusthread.com, OU=………

2. Generate Certificate Signing Request: The next step is to generate the Certificate Signing Request (CSR) for the key (with alias innowave21) generated in the previous step

keytool -certreq -alias myAlias -keystore [keystore_name].jks -storepass [keystore_password] -file [certificate_request].csr

_____

keytool -certreq -alias innowave21 -keystore innowave21.jks -storepass welcome1 -file innowave21.csr

[aiam@innowave21 ~]$ ls *csr
innowave21.csr

_____
a) This step creates the certificate signing request file
b) -certreq signifies that we are generating a certificate signing request file
c) -alias myAlias must be the same as the one used during key generation in the previous step

 

3. Send this certificate request file to the Certifying Authority (CA) to issue the certificate

4. Import the Root CA certificate.
Once you receive the certificate for your server, you must first import the certificate of the Authority that issued it (before importing the certificate issued by the CA)

keytool -import -trustcacerts -alias rootcacert -keystore [keystore_name].jks -file rootCA.cer -storepass [keyStorePassword]

a) This step imports the certificate of the Certifying Authority (CA) into the KeyStore with the alias rootcacert
b) -import signifies that we are importing a certificate into the keystore
c) -trustcacerts signifies that we are importing a trusted certificate (in this case the KeyStore is acting as the Trust Store; remember the trust store and identity store discussed in Part I?). If you don't use the -trustcacerts option, keytool will try to import the certificate as an Identity Certificate
d) -alias must be different from the one used during key generation
e) -file rootCA.cer is the file that contains the certificate of the Root Certifying Authority (remember the Root and Intermediate Certifying Authority discussed in Part I?)

 

5. Import intermediate CA (If Any) certificate

If there is more than one Certifying Authority (CA) in the chain, you must also import each intermediate CA certificate

keytool -import -trustcacerts -alias intermediatecacert -keystore [keystore_name].jks -file intermediateCA.cer -storepass [keyStorePassword]

a) -import signifies that we are importing a certificate into the keystore
b) -trustcacerts signifies that we are importing a trusted certificate (in this case the KeyStore is acting as the Trust Store; remember the trust store and identity store discussed in Part I?). If you don't use the -trustcacerts option, keytool will try to import the certificate as an Identity Certificate
c) -alias must be different from the one used during key generation and from the one used while importing the root CA
d) -file intermediateCA.cer is the file that contains the certificate of the Intermediate Certifying Authority

 

6. Import Server Certificate

The next step is to import the Server Certificate

keytool -import -alias myAlias -keystore [keystore_name].jks -file servercert.cer -keypass [keyPassword] -storepass [keyStorePassword]

a) -import signifies that we are importing a certificate into the keystore
b) -alias myAlias must match the alias used during generation of the key
c) -file servercert.cer is the file that contains the certificate of the server issued by the CA

7. List content of keystore

If you want to view the certificates stored in the KeyStore, use the -list option like below

keytool -list -v -keystore [keystore_name].jks -storepass [keyStorePassword]

 

8. Configure SSL in WebLogic Server

In the steps above the Trust Store (store containing the Root and Intermediate CA certificates) and the Identity Store (store containing the Server Certificate) are the same, i.e. [keystore_name].jks.

8.1 Change KeyStore type from "Demo Identity and Demo Trust" to "Custom Identity and Custom Trust"

WebLogic Server Console -> Name of Server (for which you wish to configure SSL) -> Configuration -> KeyStores -> Change (next to Keystores)

8.2 Specify path of Identity KeyStore and Trust KeyStore

In the steps above the Trust Store and the Identity Store are the same file, i.e. [keystore_name].jks (innowave21.jks in my case).

  • Specify the passphrase as the password used for the KeyStore

 

8.3 Specify Private Key Alias in WebLogic Server

Enter the Alias you used during creation of certificate request and password of KeyStore

WebLogic Server Console -> Name of Server (for which you wish to configure SSL) -> Configuration -> SSL

 

8.4 Enable SSL in WebLogic Server

Finally enable SSL in WebLogic Server: WebLogic Server Console -> Name of Server (for which you wish to configure SSL) -> Configuration -> General

 

 

9. Test SSL in WebLogic Server

https://<hostName_of_WebLogic_Server>:<SSL_ListenPort>
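As an added example (not the post's own commands; it also serves the OVD keystore steps 13 a–e in the previous post), this shell script runs steps 1 to 7 above end to end in a scratch directory, with openssl standing in for the external Certifying Authority as a root CA plus one intermediate CA, so the import order (root, then intermediate, then the server certificate under the key's own alias) can be exercised offline. The CA names, extension files and scratch directory are constructed; host, alias and passwords are the post's sample values.

```shell
#!/bin/sh
# Added example: keytool flow from the post, with a throw-away openssl CA in
# place of the external CA. All files live under the directory passed as $1.
set -eu

# Stand-in Certifying Authority: self-signed root plus an intermediate it signs.
make_demo_ca() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Demo Root CA/O=onlineAppsDBA" \
    -keyout "$dir/rootCA.key" -out "$dir/rootCA.cer" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Demo Intermediate CA/O=onlineAppsDBA" \
    -keyout "$dir/intermediateCA.key" -out "$dir/intermediateCA.csr" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$dir/ca.ext"
  openssl x509 -req -sha256 -days 365 -in "$dir/intermediateCA.csr" \
    -CA "$dir/rootCA.cer" -CAkey "$dir/rootCA.key" -CAcreateserial \
    -extfile "$dir/ca.ext" -out "$dir/intermediateCA.cer" >/dev/null 2>&1
}

# Steps 1 and 2: JKS holding a 2048-bit RSA key pair, then the CSR for it.
# -genkeypair is the current spelling of the -genkey option used in the post.
create_keystore_and_csr() {
  dir=$1; host=$2; alias=$3; storepass=$4
  keytool -genkeypair -storetype JKS -alias "$alias" -keyalg RSA -keysize 2048 \
    -dname "CN=$host, OU=DBATeam, O=onlineAppsDBA, L=London, ST=London, C=GB" \
    -keypass "$storepass" -keystore "$dir/$host.jks" -storepass "$storepass" >/dev/null 2>&1
  keytool -certreq -alias "$alias" -keystore "$dir/$host.jks" \
    -storepass "$storepass" -file "$dir/$host.csr" >/dev/null 2>&1
}

# Step 3 as the CA would do it: sign the CSR with the intermediate CA.
sign_server_csr() {
  dir=$1; host=$2
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
    "$host" > "$dir/server.ext"
  openssl x509 -req -sha256 -days 365 -in "$dir/$host.csr" \
    -CA "$dir/intermediateCA.cer" -CAkey "$dir/intermediateCA.key" -CAcreateserial \
    -extfile "$dir/server.ext" -out "$dir/$host.cer" >/dev/null 2>&1
}

# Steps 4 to 6: CA certificates under their own aliases first, then the server
# certificate under the key pair's alias. keytool accepts the server certificate
# only once it can chain it to trusted entries already in the keystore, which is
# why the CA imports have to come first.
import_chain() {
  dir=$1; host=$2; alias=$3; storepass=$4
  keytool -importcert -trustcacerts -noprompt -alias rootcacert \
    -keystore "$dir/$host.jks" -storepass "$storepass" -file "$dir/rootCA.cer" >/dev/null 2>&1
  keytool -importcert -trustcacerts -noprompt -alias intermediatecacert \
    -keystore "$dir/$host.jks" -storepass "$storepass" -file "$dir/intermediateCA.cer" >/dev/null 2>&1
  keytool -importcert -noprompt -alias "$alias" -keystore "$dir/$host.jks" \
    -storepass "$storepass" -keypass "$storepass" -file "$dir/$host.cer" >/dev/null 2>&1
}

# Step 7 as a check: the key entry should now carry server + intermediate + root.
chain_length() {
  dir=$1; host=$2; alias=$3; storepass=$4
  keytool -list -v -keystore "$dir/$host.jks" -storepass "$storepass" -alias "$alias" 2>/dev/null \
    | sed -n 's/^Certificate chain length: *//p'
}

# Number of trustedCertEntry items, i.e. the "trust store" half of the same JKS.
trusted_entry_count() {
  dir=$1; host=$2; storepass=$3
  keytool -list -keystore "$dir/$host.jks" -storepass "$storepass" 2>/dev/null \
    | grep -c trustedCertEntry || true
}

# Whole flow; prints the chain length (3 when everything was imported in order).
build_keystore() {
  dir=$1; host=${2:-innowave21.focusthread.com}; alias=${3:-innowave21}; storepass=${4:-welcome1}
  make_demo_ca "$dir"
  create_keystore_and_csr "$dir" "$host" "$alias" "$storepass"
  sign_server_csr "$dir" "$host"
  import_chain "$dir" "$host" "$alias" "$storepass"
  chain_length "$dir" "$host" "$alias" "$storepass"
}
```

A chain length of 1 at the end means the server certificate was imported before its issuers were trusted (keytool then stores it without the chain), which is exactly the ordering mistake steps 4 and 5 guard against.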

 


Exporting and importing OIM 10g environment


Hi All,

This post provides detailed steps to replicate one OIM 10g environment to another. It is assumed that the source and target OIM environments are both 10g, are at the same patch level and run on the same application server.

Steps to be performed at Source OIM environment:

  • Shutdown the OIM server.
  • Export the OIM database using the below command:

               exp system/<SYSTEM_PASSWORD> file=<DUMP_FILE_NAME>.dmp owner=<SOURCE_OIM_DB_USER> log=exp_<file_name>.log consistent=y statistics=none

  • Identify the tablespaces used by the OIM schema (they must exist on the destination before the import) using the below queries:

                select DEFAULT_TABLESPACE, TEMPORARY_TABLESPACE from dba_users where username='<SOURCE_OIM_DB_USER>';

                select distinct tablespace_name from dba_segments where owner='<SOURCE_OIM_DB_USER>';

Steps to be performed at Destination OIM environment:

  • Shutdown the OIM server.
  • Backup the OIM database schema using the below command:

    exp system/<system_password> file=<file_name>_backup.dmp owner=<OIM_DB_USER> log=exp_<FILE_NAME>.log statistics=none

  • Backup the files $OIM_HOME/config/.xldatabasekey, $OIM_HOME/config/.xlkeystore and $OIM_HOME/config/configkey.key
  • Drop the OIM schema user and tablespaces using the below commands:

drop user <OIM_DB_USER> cascade;
drop tablespace <OIM_DB_TABLESPACE_NAME> including contents and datafiles;
drop tablespace <OIM_DB_TEMP_TABLESPACE_NAME> including contents and datafiles;

  • Create the OIM schema user with the prepare_xl_db.bat/sh script as shown below. NOTE: The schema name should be the same as the one dropped in the previous step.

    prepare_xl_db.bat <DB_CONNECT_STRING> <$ORACLE_HOME> <OIM_DB_USER> <OIM_DB_USER_PASSWORD> <OIM_DB_TABLESPACE_NAME> <OIM_DB_DATAFILE_LOCATION> <OIM_DB_DATAFILE_NAME> <OIM_DB_TEMP_TABLESPACE_NAME> <DB_SYSTEM_USER_PASSWORD>

  • If there are any additional tablespaces used by OIM (see the queries run on the source), they need to be created too.
  • Copy the dmp files from the source to the destination OIM environment, to a location that has appropriate permissions.
  • Ensure the tablespaces of the OIM schema user are sized properly for a smooth import of the DB dump file.
  • Import the dump file using the below command:

     imp system/<SYSTEM_PASSWORD> file=<DUMP_FILE_NAME>.dmp fromuser=<SOURCE_OIM_DB_USER> touser=<OIM_DB_USER> log=imp_<FILE_NAME>.log

Check the import log file to make sure that there are no errors.

Additional Steps:

  • If the OIM schema backup was taken from a fresh OIM 10g environment and you later wish to restore that fresh DB into the same OIM 10g environment, the steps below are not needed.
  • Login to the OIM database as the OIM schema user and update the schema name using the below commands:

                      SQLPLUS>update SDK set SDK_SCHEMA='<OIM_DB_USER>';
                      SQLPLUS>commit;

  • Copy from source to destination the following files: $OIM_HOME/config/.xldatabasekey, $OIM_HOME/config/.xlkeystore and $OIM_HOME/config/configkey.key.
  • Modify xlconfig.xml with the following changes under the DirectDB section:

Change the <url> value to the correct one.
Change the <username> value to the correct one.
If the password for the schema in the new environment is different from the original one, set the encrypted attribute of the password to "false" and then set the password in clear text.

  • Login to the application server console and update the data sources xlDS and xlXADS for Database URL, DB port, and DB schema credentials.

Testing the replication:
Start the OIM server and make sure that there are no exceptions in logs. Try to login to OIM admin console with xelsysadm user. Please note to use xelsysadm credentials as per Source OIM environment.
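The two checks the procedure leaves to the reader (the import log must be clean, and the three key files copied from the source must be in place and not readable by everyone), as an added example that is not part of the original post. It assumes POSIX sh; the imp logs written by write_sample_imp_logs are constructed to look like Oracle imp output.

```shell
#!/bin/sh
# Added example, not from the original post: checks to run at the end of the
# OIM 10g replication described above. POSIX sh; sample logs are constructed.

# check_imp_log LOGFILE
# Returns 0 only when the imp log carries the "terminated successfully without
# warnings" line and no IMP-/ORA- error lines; otherwise prints the offending
# lines on stderr and returns 1 (2 if the log cannot be read).
check_imp_log() {
    log="$1"
    [ -r "$log" ] || { echo "cannot read $log" >&2; return 2; }
    # "|| true" keeps the assignment from failing under "set -e" when grep finds nothing
    errs=$(grep -E '^(IMP|ORA)-[0-9]{5}' "$log" || true)
    if [ -n "$errs" ]; then
        echo "import errors found in $log:" >&2
        echo "$errs" >&2
        return 1
    fi
    if ! grep -q 'Import terminated successfully without warnings' "$log"; then
        echo "import did not finish cleanly (see the end of $log)" >&2
        return 1
    fi
    return 0
}

# check_oim_keys CONFIG_DIR
# The three files the post copies from source to destination hold OIM's
# encryption keys: all of them must be present and none may be world-readable.
check_oim_keys() {
    dir="$1"
    rc=0
    for f in .xldatabasekey .xlkeystore configkey.key; do
        p="$dir/$f"
        if [ ! -f "$p" ]; then
            echo "missing key file: $p" >&2
            rc=1
            continue
        fi
        # column 8 of "ls -l" is the read bit for "other"
        if [ "$(ls -ld "$p" | cut -c8)" = "r" ]; then
            echo "world-readable key file: $p" >&2
            rc=1
        fi
    done
    return $rc
}

# write_sample_imp_logs DIR
# Writes two constructed imp logs: good.log (clean import) and bad.log (a table
# that failed to extend into an undersized destination tablespace, OIM_TS here).
write_sample_imp_logs() {
    cat > "$1/good.log" <<'EOF'
. importing SOURCE_OIM_DB_USER's objects into OIM_DB_USER
. . importing table                          "SDK"         42 rows imported
Import terminated successfully without warnings.
EOF
    cat > "$1/bad.log" <<'EOF'
. importing SOURCE_OIM_DB_USER's objects into OIM_DB_USER
. . importing table                          "SDK"
IMP-00017: following statement failed with ORACLE error 1658:
ORA-01658: unable to create INITIAL extent for segment in tablespace OIM_TS
Import terminated successfully with warnings.
EOF
}
```

On a real destination, call check_imp_log on imp_<FILE_NAME>.log and check_oim_keys on $OIM_HOME/config before starting the OIM server.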

References:

Oracle metalink note 555655.1.

migration Oracle Waveset (OW, earlier Sun Identity Manager) to Oracle Identity Manager


SIM2OIM:-

Oracle Waveset (OW, earlier Sun Identity Manager, SIM) is the identity management product from Sun that Oracle acquired and renamed Oracle Waveset (OW). Oracle Identity Manager (OIM) is the provisioning and identity management product from Thor (Xellerate) that Oracle acquired and renamed Oracle Identity Manager (OIM). Oracle Identity Manager is Oracle's strategic identity provisioning/reconciliation and management software. Oracle Waveset (including Connector Server) will slowly merge into Oracle Identity Manager.

This post covers an overview of the Oracle Waveset (OW, earlier Sun Identity Manager) to Oracle Identity Manager migration.

1. Oracle Waveset (OW) objects that can be directly mapped to their equivalents in OIM.

1.1 These will be automatically or partially migrated. Not too many surprises here: a good portion of OW objects have direct mappings in OIM. Examples of such objects:

a) Enterprise Identity Data Objects (e.g. Organization, Role, User, and Resource)

b) Schema Templates and Policy Objects (e.g. IDM Schema Configuration, Email Templates, and Password Policy)

c) Administration and Authorization Objects (e.g. Capabilities and Admin Roles)

d) Business Logic and Process Data Objects (e.g. Process/Object Forms) 

Note: Not all features of these objects could be directly mapped to OIM. For Example, dynamic variables in OW Email Templates need to be manually configured in OIM once these templates are automatically migrated. How much these OW features are used in your OW/SIM implementation will determine the amount of automatic translation that could happen. 

2. Oracle Waveset (OW) objects with no direct equivalent in OIM. 

2.1 There will be a report capturing these objects and they will require manual migration. 

2.2 As a general rule of thumb, any customized XPRESS scripting will likely require re-implementation. The migration toolkit will not be able to translate XPRESS logic into SOA composites or OIM adapters or Java code underlying adapters. User Interfaces and Workflows fall into this category.  

3. Audit trail / Historical data. These records will not be automatically migrated

As Oracle Waveset and Oracle Identity Manager employ different schema for persistence of audit records, recommendation is to follow a co-existence strategy. In this approach, audit artefacts would be generated from either OW, OIM or both depending on context / need.

4. Identity Connector Framework (ICF) will be leveraged by the migration toolkit. Plan is to build both OW and OIM resource connectors on top of the new Identity Connector Framework (ICF). It’s already available to Oracle Waveset customers as long as they upgrade their installation to 8.1.x. This not only enables them to leverage new features and enjoy updates to the connectors provided by Oracle but also unifies the underlying infrastructure for a seamless transition by the migration toolkit.

Overall, the Oracle Waveset to Oracle Identity Manager migration toolkit by Oracle is a respectable attempt at automating the migration tasks. It pays attention to details regarding product differences and focuses on identifying customizations that require manual effort to migrate. For example, the toolkit takes care of passwords and challenge questions/answers when migrating OW users such that end users won’t need to reset passwords or re-enter their challenge answers in OIM.  

On the other hand, no magic tool could solve real life problems in a quick and easy way. (This was one of the lessons taught in Doraemon’s stories). 

Oracle Waveset Object Type | List of Objects | Pre-Migration Analysis by Migration Toolkit (Migration Effort) | Considerations
Out-Of-Box Connectors | Authoritative source (HR) Connector (e.g. Active Sync Resource Adapters) | Automated | Might require upgrading to OW version 8.1.X
Out-Of-Box Connectors | Managed resources Connectors | Automated | Might require upgrading to OW version 8.1.X
Task Definitions | Deferred Task Scanner (scan user objects for termination tasks) | Semi-Automated | Map to OIM Scheduled Task. Since the termination mechanism is different between OW and OIM, the "to-be-terminated" user objects during the cutover period need to be manually migrated
Customized User Forms | Active Sync Input Form for HR Connector; Update User Form to tag user with the future termination date; Forms to display details for performing manual termination | Semi-Automated | Mapped to OIM Process Forms and Request Data Set. Manual migration is required if any OW-specific features (e.g. validation logic) are used by the customization.
Task Definitions | Processes to process updates from HR; Processes to terminate users in both managed and non-managed resources | Manual | Require manual migration. These processes are shared with other use cases (e.g. updating user profile from HR). Consider adding a grace period before hard termination.
Rules | Common logic used by customized User Forms and Workflow | Manual | Require manual migration.
Email Templates | Termination email notifications | Semi-Automated | Mapped to OIM Email Templates. Manual migration is required if any OW-specific features (e.g. dynamic variables) are used.

 

Rest part I’ll post soon…


Updating SUN IdM 6.0 to IdM 7.1


1 Updating SUN IdM 6.0 to IdM 7.1

Pre Installation Tasks

NOTE:

1. All the steps should be executed only on one Prod jvm.

2. Before executing any steps, please go through all the steps in the document.

3. All the steps must be executed with IdM Upgrade Team. Screen share (Net Meeting) is required for it.

For installing IdM 7.1 on the existing IdM 6.0 deployment, certain steps must be taken so that the application stays recoverable.

  1. Take a full backup of the existing IdM installation directory. On the Prod box () the location is:

/appbin/IBM/WebSphere/AppServer1/……../idm_war.ear/idm.war

     Place the backup files at location

/………./ on the Production box ()

  2. Copy the ServerRepository.xml from

$WSHOME/WEB-INF/ to /appbin/………./serverrepositorybackup/ on the Prod box

  3. If present, remove the Cryptix jars (cryptix-jceapi.jar and cryptix-jce-provider.jar) from the $WSHOME/WEB-INF/lib/ directory on the Prod box by running:

        rm $WSHOME/WEB-INF/lib/cryptix-jceapi.jar

        rm $WSHOME/WEB-INF/lib/cryptix-jce-provider.jar

  4. Set the environment:

export WSHOME=/appbin/IBM/WebSphere/……../idm_war.ear/idm.war

export PATH=/usr/jdk/jdk1.5.0_14/bin:$PATH

  5. echo $WSHOME (make sure that WSHOME is pointing to the right path)

Note: It may show an error because the IdM repository is converted to 7.1 while the IdM application is still IdM 6.0. In that case the Unix Team will pass the error message to the Upgrade Team, which will decide the next step.

Applying the Upgrade

Update IDM manually on Linux/Unix environment.

  WEB-TEAM Tasks

 Do this for one Application Server.

  1. Stop the App JVMs on the Prod box.
  2. Set the environment:

export WSHOME=/appbin/IBM/WebSphere/………………/idm_war.ear/idm.war

export TEMP=/appbin/IdMUpgradeRelatedData/tempupgradeidm71/TEMP

export SOURCE=/appbin/IdMUpgradeRelatedData/tempupgradeidm71/SOURCE

  3. Verify that the variables have been set:

echo $WSHOME

echo $TEMP

echo $SOURCE

echo $DISPLAY

echo $PATH

echo $JAVA_HOME

  4. Run the pre-process steps in the following order:

cd $TEMP

jar -xvf $SOURCE/………/idmcommon.jar

export CLASSPATH=$TEMP/WEB-INF/lib/idm.jar:$TEMP/WEB-INF/lib/idmcommon.jar:$WSHOME/WEB-INF/lib/ojdbc14.jar:$WSHOME/WEB-INF/lib/j2ee.jar:

  5. echo $CLASSPATH (verify that CLASSPATH has been set properly)
  6. Run the set command again to check whether CLASSPATH is set correctly or not.
  7. Execute the following command:

java -classpath $CLASSPATH -Dwaveset.home=$WSHOME com.waveset.install.UpgradePreProcess

  8. Install the software by running the following commands:

cd $WSHOME

jar -xvf $SOURCE/idm.war

  9. Copy the ServerRepository.xml file from

/appbin/IdMUpgradeRelatedData/……/.backup/ to

$WSHOME/WEB-INF/ on the Prod box ().

  10. Check that ServerRepository.xml is pointing to the database it should point to, with the following command:

  cd $WSHOME/bin

  ./lh setRepo -c -v

The above command must show that IdM is pointing to <Host IP>:1596:idmpr01 and the schema <IdM repo> database.

  11. Run the post-process by running the following command at the shell prompt:

java -classpath $CLASSPATH -Dwaveset.home=$WSHOME com.waveset.install.UpgradePostProcess

Then change the directory to $WSHOME/bin/solaris or $WSHOME/bin/linux and set permissions on the files in the directory so that they are executable:

              chmod +x $WSHOME/bin/solaris/*

              chmod +x $WSHOME/bin/linux/*

  12. During the upgrade process some files may not be installed properly. The IdM Upgrade Team will help to install those files.

Copy the contents from $WSHOME/patches/………./includes/ to $WSHOME/includes/

Copy the contents from $WSHOME/patches/………/filesNotInstalled/user/ to $WSHOME/user/

Copy the contents from $WSHOME/patches/………/filesNotInstalled/styles/ to $WSHOME/styles/

  13. Remove the files from the JVM's work/cache directory. The location is like

/appbin/IBM/WebSphere/……………./idm_war/idm.war

Note: The Unix Team will verify this before deleting the cache.

  14. Check again that ServerRepository.xml is pointing to the database it should point to, with the following command:

cd $WSHOME/bin

./lh setRepo -c -v

It should point to the right database.

  15. Touch all the .jsp files in the $WSHOME directory, including all subdirectories:

find $WSHOME -name '*.jsp' -exec touch {} \;

  16. Start the application server to verify whether it's running properly.

To start/stop the server, go to

/appbin/IBM/WebSphere/AppServer1/profiles/idmapp01/bin

./stopServer.sh server1

./startServer.sh server1
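A pre-flight check for steps 3 and 5 of the procedure above, as an added example that is not part of the original document: it confirms the WSHOME/TEMP/SOURCE variables are set and that every CLASSPATH entry exists, and it flags the empty entry that the trailing colon in the export line leaves behind. It assumes POSIX sh; the directory tree written by write_sample_env is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original document: checks to run before
# UpgradePreProcess. POSIX sh; the sample tree is constructed below.

# require_vars NAME...
# Reports every named variable that is unset or empty; returns 1 if any is.
require_vars() {
    rc=0
    for name in "$@"; do
        eval "val=\${$name:-}"
        if [ -z "$val" ]; then
            echo "$name is not set" >&2
            rc=1
        fi
    done
    return $rc
}

# check_classpath CLASSPATH
# Every colon-separated entry must exist. An empty entry (leading, trailing or
# doubled colon, as left by the trailing ":" in the export line above) silently
# puts the current directory on the classpath, so whatever happens to be in the
# working directory would be loaded by the upgrade tool; it is reported too.
check_classpath() {
    rc=0
    case ":$1:" in
        *::*) echo "classpath has an empty entry (current directory would be searched)" >&2
              rc=1 ;;
    esac
    oldifs=$IFS
    IFS=:
    set -f                       # no globbing while the entries are split
    for entry in $1; do
        if [ -n "$entry" ] && [ ! -e "$entry" ]; then
            echo "classpath entry not found: $entry" >&2
            rc=1
        fi
    done
    set +f
    IFS=$oldifs
    return $rc
}

# write_sample_env DIR
# Constructed stand-in for $TEMP (extracted jars) and $WSHOME (idm.war) with
# the four jars named in the CLASSPATH of step 4 as empty files.
write_sample_env() {
    base="$1"
    mkdir -p "$base/TEMP/WEB-INF/lib" "$base/idm.war/WEB-INF/lib" "$base/SOURCE"
    : > "$base/TEMP/WEB-INF/lib/idm.jar"
    : > "$base/TEMP/WEB-INF/lib/idmcommon.jar"
    : > "$base/idm.war/WEB-INF/lib/ojdbc14.jar"
    : > "$base/idm.war/WEB-INF/lib/j2ee.jar"
}
```

On the Prod box, run require_vars WSHOME TEMP SOURCE JAVA_HOME followed by check_classpath "$CLASSPATH" right after step 4; a non-zero return means the environment is not ready for UpgradePreProcess.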

How to configure em console after Oracle Application Server 10g or SOA 10g Release 3 (10.1.3) Application Server installation


Problem Description:

During the installation of Oracle Application Server 10g Release 3 (10.1.3) or SOA 10g (10.1.3.1.0), the ascontrol application is configured automatically only when the basic installation type is chosen. If an advanced installation type is chosen, there is an option to configure the ascontrol application for the instance being installed: on the "Administration Settings" screen there is a checkbox named "Configure this as an Administration OC4J instance", which must be checked if you want ascontrol to be configured to start and be routable automatically. Here, unfortunately, I missed checking this option and completed the installation. Later I noticed that I had missed enabling the ascontrol application.

Here I have specified the steps to enable ascontrol after installation.

Step 1: Check the opmn status

opmnctl status -app

Following example, “ascontrol” row showing it is “stopped” and routable is set to “false”:

application type: OC4J
------+-------------------+---------+---------+----------------+----------+--------
pid   | name              | state   | rtid    | classification | routable | parent
------+-------------------+---------+---------+----------------+----------+--------
27683 | Nexaweb           | started | g_rt_id | external       | true     | default
27683 | WSIL-App          | started | g_rt_id | internal       | true     | default
27683 | datatags          | started | g_rt_id | internal       | true     | default
27683 | default           | started | g_rt_id | external       | true     | system
27683 | ascontrol         | Stopped | g_rt_id | external       | false    | system
27683 | Xellerate         | started | g_rt_id | external       | true     | default
27683 | javasso           | stopped | g_rt_id | internal       | true     |

Note this can be set to false and stopped because this instance was not chosen for ascontrol at installation time, or becomes disabled when creating a new instance.

If the status for the routable value is “false”, the Oracle HTTP Server will not recognize the /em location, as indicated by the error_log and browser errors. If it is configured to not start and route as designed, ASControl will not be found on the /em location.

Once you have confirmed that this is the instance desired for ASControl, the following will enable it for automatic startup and routing:

Step 2. Change the following ORACLE_HOME/j2ee/home/config/server.xml line -

From:

<application name="ascontrol" path="../../home/applications/ascontrol.ear" parent="system" start="false" />

To:

<application name="ascontrol" path="../../home/applications/ascontrol.ear" parent="system" start="true" />

Step 3. Change the following ORACLE_HOME/j2ee/home/config/default-web-site.xml line -

From:

<web-app application="ascontrol" name="ascontrol" load-on-startup="true" root="/em" ohs-routing="false" />

To:

<web-app application="ascontrol" name="ascontrol" load-on-startup="true" root="/em" ohs-routing="true" />

Step 4. Restart HTTP_Server and OC4J to ensure ascontrol is automatically started and routed:

opmnctl stopall

opmnctl startall

Step 5. Access the ASControl page:

http://hostname.domainname:port/em

Step 6. The ascontrol application should now start automatically; if it does not, the following can be tried to troubleshoot further:

opmnctl start -app

opmnctl startproc application=ascontrol

opmnctl start -app

Unable to start Oracle Application server 10g(logs shows address already in use)


Problem Description:

Unable to bring up Oracle Application Server 10g Release 3 (10.1.3); the following error appears in opmn.log.

13/02/15 16:09:57 [ons-internal] ONS server initiated

13/02/15 16:09:57 [pm-internal] Create pm state directory: /u01/apps/oracle/opmn/logs/states

13/02/15 16:09:57 [pm-internal] PM state file does not exist: /u01/apps/oracle/opmn/logs/states/.opmndat

13/02/15 16:09:57 [pm-internal] OPMN server ready.  Request handling enabled.

13/02/15 16:09:57 [ons-listener] 10.400.87.176,6006: BIND (Address already in use)

Cause:

The error is a generic one and there are several possible causes.

Here, a process or program is already using the port that the OPMN sub-component ONS is configured to use.

To find out the port values used by OPMN / ONS, view the following file:

$ORACLE_HOME/opmn/conf/opmn.xml

For example:

The opmn.xml in an OracleAS 10g Rel 3 (10.1.3) ORACLE_HOME will contain lines like:

<notification-server interface="ipv4">

<port local="6113" remote="6203" request="6006"/>

Confirm whether the port is already in use or not, using the following command:

netstat -ano

Solution: stop the process holding the port, or change the port in the opmn.xml file, like

<notification-server interface="ipv4">

<port local="6113" remote="6203" request="6007"/>

Note: The new port should not be in use.
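The port check described above, automated as an added example that is not part of the original post: it reads the three ONS ports out of opmn.xml and compares them with the sockets already in LISTEN state, so a clash is found before OPMN is started (or after the port has been changed). It assumes POSIX sh with sed/awk, the local/remote/request attribute order shown above, and saved "netstat -an" output; the opmn.xml and netstat capture written by write_opmn_samples are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: find ONS ports that are already
# taken before starting OPMN. POSIX sh; sample files are constructed below.

# ons_ports OPMN_XML
# Prints the local, remote and request ports of <notification-server>, one per line.
ons_ports() {
    sed -n 's/.*<port[^>]*local="\([0-9]*\)"[^>]*remote="\([0-9]*\)"[^>]*request="\([0-9]*\)".*/\1 \2 \3/p' "$1" |
        tr ' ' '\n'
}

# listening_ports NETSTAT_FILE
# Prints the local port of every LISTEN line of saved "netstat -an" output.
listening_ports() {
    awk '$6 == "LISTEN" { n = split($4, a, ":"); print a[n] }' "$1" | sort -u
}

# ports_in_use OPMN_XML NETSTAT_FILE
# Reports every configured ONS port that is already listening; returns 1 if any.
ports_in_use() {
    rc=0
    for p in $(ons_ports "$1"); do
        if listening_ports "$2" | grep -qx "$p"; then
            echo "ONS port $p from $1 is already in use"
            rc=1
        fi
    done
    return $rc
}

# write_opmn_samples DIR
# opmn.xml with the ports from the post, a constructed netstat capture in which
# another process already owns 6006, and opmn-fixed.xml with request moved to 6007.
write_opmn_samples() {
    cat > "$1/opmn.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<opmn>
  <notification-server interface="ipv4">
    <port local="6113" remote="6203" request="6006"/>
  </notification-server>
</opmn>
EOF
    cat > "$1/netstat.txt" <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:6006           0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.9:51234          ESTABLISHED
EOF
    sed 's/request="6006"/request="6007"/' "$1/opmn.xml" > "$1/opmn-fixed.xml"
}
```

On the host, save netstat -an to a file and run ports_in_use $ORACLE_HOME/opmn/conf/opmn.xml that-file; a clean return means the ports in opmn.xml are free.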

How to remove ods schema from DB without using MRCA tool


Problem Description:

Error while recreating OracleAS Metadata Repository schemas using the MRCA tool.

I couldn't remove the old schema from the DB using the MRCA tool.

Here I would like to cover the steps for removing the ODS schema from the DB directly.

Remove the failed MR installation using cleanMR. The cleanMR script is located in the ORACLE_HOME/repca/clean directory, where ORACLE_HOME specifies the directory where you installed OracleAS Metadata Repository Creation Assistant.

prompt> cleanMR -HOST db_host -PORT db_port -SERVICE_NAME service_name [-DBUSER dbuser] -DBPASSWD password [-DBROLE dbrole]

Please refer to the section below for details on the cleanMR script execution process:

http://docs.oracle.com/cd/B28196_01/repca.1014/b28214/remove.htm#CHDBIGFG

4.7 Removing OracleAS Metadata Repository Using the cleanMR Script

The cleanMR script does not remove the Oracle Internet Directory (OID) schema, so remove the following from the database manually:

  1. Schema: ODS

Tablespace: OLTS_ATTRSTORE

Tablespace: OLTS_BATTRSTORE

Tablespace: OLTS_CT_STORE

Tablespace: OLTS_DEFAULT

Tablespace: OLTS_SVRMGSTORE

e.g.

SQL> drop tablespace OLTS_ATTRSTORE including contents and datafiles cascade constraints;

SQL> drop tablespace OLTS_BATTRSTORE including contents and datafiles cascade constraints;

SQL> drop tablespace OLTS_CT_STORE including contents and datafiles cascade constraints;

SQL> drop tablespace OLTS_DEFAULT including contents and datafiles cascade constraints;

SQL> drop tablespace OLTS_SVRMGSTORE including contents and datafiles cascade constraints;

SQL> drop user ODS cascade;

  2. Now recreate the ODS schema using the MRCA tool.

Urgent requirement for full time Oracle Technical Administrator at Navi Mumbai location


Hi All ,

We have an urgent requirement for a full time Oracle Technical Administrator for our organisation. Great opportunity to work extensively on oracle database technologies.
- Candidate must have more than 6 months of experience in Oracle Apps DBA
- Candidate must have good knowledge on Linux server
- Candidate will be cross trained on Fusion Middleware technologies like WebLogic, SOA, WebCenter , identity Management
- Best salary in the industry

If interested , kindly send your updated profiles with
relevant experience
current salary
expected salary
notice period
location
to jobs@focusthread.com or call on 9833815811

- Tushar
Focusthread

Customizing Heap Size in a Weblogic domain


We often come across cases where we need to modify the heap size according to our application's needs, for example after a java.lang.OutOfMemoryError.
Whenever we want to change the heap size of a WebLogic server (AdminServer or managed servers), we can customize setDomainEnv.sh in $DOMAIN_HOME/bin with the required memory arguments.
Below are the two scenarios:

Scenario 1:
We need to set the memory arguments to the same value for all servers in a Domain. Suppose we want Xmx 1024m and Xms 1024m for all servers in the Domain (Admin and all managed servers).
We will edit setDomainEnv.sh in $DOMAIN_HOME/bin with our required values of Xmx and Xms.
Search for the line "# IF USER_MEM_ARGS the environment variable" in setDomainEnv.sh
We will add the lines
USER_MEM_ARGS="-Xms1024m -Xmx1024m"
export USER_MEM_ARGS
below the line "# IF USER_MEM_ARGS the environment variable is set, use it to override ALL MEM_ARGS values"
and above the line "if [ "${USER_MEM_ARGS}" != "" ] ; then"
Example:
# IF USER_MEM_ARGS the environment variable is set, use it to override ALL MEM_ARGS values
USER_MEM_ARGS="-Xms1024m -Xmx1024m"
export USER_MEM_ARGS
if [ "${USER_MEM_ARGS}" != "" ] ; then
MEM_ARGS="${USER_MEM_ARGS}"
export MEM_ARGS
fi

Scenario 2:
We need to set different memory arguments for different servers in a Domain. Suppose we want Xmx 512m and Xms 512m for the Admin server and Xmx 1g and Xms 1g for the ebsag_server and oam_server1 managed servers in the Domain.
We will edit setDomainEnv.sh in $DOMAIN_HOME/bin with our required values of Xmx and Xms.
Search for the line "# IF USER_MEM_ARGS the environment variable" in setDomainEnv.sh
We will add the lines
case "${SERVER_NAME}" in
"AdminServer")  USER_MEM_ARGS="-Xms512m -Xmx512m" ;;
"oam_server1")  USER_MEM_ARGS="-Xms1g -Xmx1g" ;;
"ebsag_server") USER_MEM_ARGS="-Xms1g -Xmx1g" ;;
*)
    echo "Unknown Server Detected!!. Memory set as Xms1g Xmx2g."
    USER_MEM_ARGS="-Xms1g -Xmx2g" ;;
esac
USER_MEM_ARGS="${USER_MEM_ARGS} -d64 -XX:PermSize=256m -XX:MaxPermSize=512m -Djava.awt.headless=true -Djbo.ampool.maxpoolsize=600000"
below the line "# IF USER_MEM_ARGS the environment variable is set, use it to override ALL MEM_ARGS values" and above the line "if [ "${USER_MEM_ARGS}" != "" ] ; then"

Note that we are using a shell case statement to define different memory arguments for different servers in this domain; the case branches can be edited as per our requirements.
Example:
# IF USER_MEM_ARGS the environment variable is set, use it to override ALL MEM_ARGS values

case "${SERVER_NAME}" in
"AdminServer")  USER_MEM_ARGS="-Xms512m -Xmx512m" ;;
"oam_server1")  USER_MEM_ARGS="-Xms1g -Xmx1g" ;;
"ebsag_server") USER_MEM_ARGS="-Xms1g -Xmx1g" ;;
*)
    echo "Unknown Server Detected!!. Memory set as Xms1g Xmx2g."
    USER_MEM_ARGS="-Xms1g -Xmx2g" ;;
esac
USER_MEM_ARGS="${USER_MEM_ARGS} -d64 -XX:PermSize=256m -XX:MaxPermSize=512m -Djava.awt.headless=true -Djbo.ampool.maxpoolsize=600000"

if [ "${USER_MEM_ARGS}" != "" ] ; then
MEM_ARGS="${USER_MEM_ARGS}"
export MEM_ARGS
fi

This change takes effect when the servers are bounced. The new heap size can be confirmed from the Admin console of the domain (click on Servers -> server_name -> Monitoring -> Performance) or from server_name.log or server_name.out in $DOMAIN_HOME/servers/server_name/logs.

OIM 11g : User Detail/Attribute (Description) not visible in OIM User screen : EBS / OID / OIM integration


If you integrate Oracle E-Business Suite with Oracle Internet Directory (OID) and Oracle Identity Manager (OIM) without the Oracle EBS connector, users are synced from EBS to OID via the EBS Provisioning Profile. These users in OID are then synced to OIM using LDAPSync.

Note: If you integrate EBS with OID/OIM without the EBS connector, provisioning of EBS Responsibilities (entitlements) is not possible via OIM.

When users sync from Oracle E-Business Suite (R12) to Oracle Internet Directory (OID), the attributes provisioned from EBS to OID are: USER_NAME -> UID, DESCRIPTION -> DESCRIPTION, EMAIL_ADDRESS -> MAIL, FAX -> FACSIMILETELEPHONENUMBER, END_DATE -> ORCLACTIVEENDDATE, START_DATE -> ORCLACTIVESTARTDATE, START_DATE/END_DATE -> ORCLISENABLED, ENCRYPTED_USER_PASSWORD -> USERPASSWORD.

 

If you login to Oracle Identity Manager and view user details, DESCRIPTION field is not visible by default. You can make attribute DESCRIPTION visible in user detail screen of OIM using steps mentioned here

Here are quick steps to make DESCRIPTION field visible in OIM

1. Login to OIM as a user with the System Administrator role, such as xelsysadm

2. Click on Advanced (top right corner) to go to the Advanced Administration Console

3. Click on User Configuration

4. Click on User Attributes under Actions

5. Under Other User Attributes, select Description and click on Modify Attribute

6. Change Visible from No to Yes and click Save

7. Query the user and ensure that you can see the Description field

 

 

Related Posts for Identity Manager


  1. Oracle Identity Manager (User Provisioning – Thor)
  2. Installing Oracle Identity Manager (Thor Xellerate)
  3. Oracle Identity Manager 9.1 released
  4. Oracle Identity Manager (Thor Xellerate) Architecture
  5. Resource, Reconciliation, Provisioning and Connector in Oracle Identity Manager #OIM
  6. Oracle Identity Manager (OIM) Connector for Oracle Internet Directory (OID) : Architecture and Overview
  7. Step by Step Installation of OIM Design Console 9.1.0
  8. Error while running PurgeCache in OIM 11g : LoginException unable to find LoginModule class : WebLogic Full Client
  9. Integrate OIM 11g with OID using connector for Provisioning / Reconciliation – Installation
  10. PurgeCache in OIM 11g : CategoryName
  11. OIM LDAP Sync : Overview and Key Points
  12. OIM 11g : How to export/import/delete Files from MDS
  13. Where are OAM details stored in OIM (account unlock, password reset)
  14. libOVD adapters in OIM LDAP Integration : LDAPsync – view and modify Adapter settings (bindDN and bindPassword)
  15. Error Starting OIM Design Console (xlclient.sh) on Linux java.lang. NoClassDefFoundError
  16. OIM 11g Challenge Questions (PCQ) for forgot password
  17. Oracle EBS Integration with OIM (Identity Manager) : Things you should know
  18. Users not synced from OID to OIM : Debug Scheduled Job
  19. OIM Connector for Microsoft : AD, Exchange, Windows, Password Management
  20. Connector Server for OIM connectors : .NET or JAVA
  21. OIM 11g Challenge Questions – Everything you must know
  22. OIM 11g How to add Challenge Questions
  23. OIM : Assign AD resource : An error occurred because the Adapters are not compiled : How to compile adapters in OIM
  24. OIM User Creation : An Error occurred while performing create user operation. Unable to get LDAP connection
  25. OIM – AD integration : Active Directory Group Lookup Recon failed with error Remote Framework Key is invalid
  26. Microsoft Active Directory (AD) to Oracle Identity Manager (OIM) Password Synchronization: Things you must know : Part I
  27. Provision resource “Microsoft Exchange” to user in OIM : Status remains in Provisioning : Part I
  28. Target Resource (or Managed Resource) vs Trusted Source (or Authoritative Source) Mode : OIM integration with applications (AD, OID, OVD, EBS, SAP, HR, LDAP)
  29. 500 Internal server accessing OIM application : com.bea. security.MicroSM. getInstance oracle.iam. platform. authz.impl
  30. Your account is locked. You can unlock your account by going to Forgot Password
  31. OIM 11g : How to find User and Manager details : USR table
  32. OIM 11g : User Detail/Attribute (Description) not visible in OIM User screen : EBS / OID / OIM integration
  33. OIM 11g: The add proxy operation for user XXXXX failed with following error oracle. bpel. services. workflow. client. workflowservieclientException javax.xml.ws.WebServiceException could not determine wsdl ports

Certification Result is now available for “1Z1-459 (now 1Z0-459) Oracle Identity Governance Suite 11g Essentials”


Result for the beta certification 1Z1-459 (now live as 1Z0-459) Oracle Identity Governance Suite 11g Essentials is out now and the certification is live. More here and here

This certification is based on OIM 11gR2, OPAM 11gR2, and OIA 11gR1. After passing exam 1Z0-459, the certification you get is "Oracle Identity Manager 11g Certified Implementation Specialist".

Congratulations to all those who passed! I must say the exam was not easy, and full credit to the certification team for such an extensive set of questions.

Accounts, Account Type, and Orphan Accounts in OIA


In commonly used terms, an Identity represents a user, whereas an Account represents access to a system. For example, Atul Kumar (an Identity) can have an Account in an Active Directory system or an Account in an ERP/CRM system.

To view a user's accounts in OIA: Login to OIA -> Identity Warehouse -> Users -> Search for user -> select tab Accounts

1. Information about accounts is stored in the ACCOUNTS table in the rbacx schema (rbacxservice)

2. Each account is categorised in one of four account types
a) Provisioning Account (default account type)
b) High Privileged
c) Service Account
d) System Account

3. You can import Accounts in OIA in bulk using section 2.2.2 Importing Accounts

4. If you have configured OIM to OIA integration (more here) and, after running the job "Import Users, Accounts, User Role Memberships, and Entitlements", you don't see data under the Accounts tab, then ensure that you run the import jobs "Import Resource Metadata", "Import Resources" and then "Import Glossary" (MOS # 1384162.1)

5. It is possible to import Accounts into OIA from OIM, Waveset (Sun Identity Manager) or flat file (csv).

6. It is possible to export Accounts from OIA to OIM or Waveset (Sun Identity Manager) but exporting Account from OIA in to flat file is not supported (MOS # 1365165.1)

7. An orphan account in OIA is an account that belongs to a user who is no longer with the organization or controlling business unit in OIA.

 

 

Configuring WebLogic Mail sessions, watches and Notifications


Can WebLogic send an email when a certain message shows up in the WLS log? The answer is yes, and it is pretty straightforward to configure.

To set up notifications in WebLogic Server (here I am taking the example of the OID WebLogic server), we need to create a mail session that will be used to send notification mails.

Creating Mail Sessions:

Below is an example of creating a mail session using the WebLogic Console:

In the above example, aplsso_d is the username on the WebLogic server host cph-sso-am01-d. Make sure you have SMTP configured on the WebLogic host node.

After the mail session is created, it is given a target server.

The target indicates on which WebLogic Server instances or clusters the mail session is accessible. Only applications that have been deployed to the selected servers or clusters can use this mail session.

Configuring a Diagnostic Module:

A diagnostic system module is a software component that you configure to monitor an aspect of a server or server resource. You can configure multiple system modules to monitor different aspects of a server, but only one such module can be active on a server.

A diagnostic module contains watches and notifications. We can create watches for several monitoring aspects and assign notifications to those watches within a diagnostic module. In this case the notifications are mail notifications.

The screenshot below shows the diagnostic module for the wls_ods1 managed server in the OID domain.

We have selected the wls_ods1 managed server as the target of the diagnostic module created above.

Click on the Watches and Notifications tab to configure watches and notifications. We have set the severity to Notice, so this module will keep track of all events in this managed server tagged Notice in the server-level logs.

Creating Watches:

We have created a watch ServerUp which will monitor whether the server is up.

To monitor this event, we need to set rules for this server condition. We have edited the rules as below:

(MESSAGE LIKE 'RUNNING') OR (MESSAGE LIKE 'running in Production Mode') OR (MSGID = 'BEA-000360')

Similarly, we create a watch for the server condition "Down". All steps are the same; we just need to change the rule set.

Rule Set for ServerDown watch is:

(MESSAGE = 'FORCE_SHUTTING_DOWN') OR (MESSAGE = 'SHUTTING_DOWN') OR (MSGID = 'BEA-002607') OR (MSGID = 'BEA-000236') OR (MESSAGE LIKE 'SHUTTING_DOWN') OR (MESSAGE LIKE 'FORCE_SHUTTING_DOWN') OR (MSGID = 'BEA-000383') OR (MSGID = 'BEA-000396') OR (MSGID = 'BEA-000388')
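To see what the two rule sets above actually fire on, here is an added example (not code from the original post) that evaluates them against a few constructed lines in the .out format the post shows later (timestamp, severity, subsystem, MSGID, message). It assumes LIKE behaves as a substring test, which is what these rules evidently intend; the sample lines and their message texts are constructed, not real server output.

```python
# Added example (not from the original post): evaluate the ServerUp/ServerDown
# WLDF rule sets from the post against constructed WebLogic .out log lines.
import re
# Rule sets as given in the post, with straight quotes.
SERVER_UP_RULE = ("(MESSAGE LIKE 'RUNNING') OR (MESSAGE LIKE 'running in Production Mode') "
                  "OR (MSGID = 'BEA-000360')")
SERVER_DOWN_RULE = ("(MESSAGE = 'FORCE_SHUTTING_DOWN') OR (MESSAGE = 'SHUTTING_DOWN') "
                    "OR (MSGID = 'BEA-002607') OR (MSGID = 'BEA-000236') OR (MESSAGE LIKE 'SHUTTING_DOWN') "
                    "OR (MESSAGE LIKE 'FORCE_SHUTTING_DOWN') OR (MSGID = 'BEA-000383') "
                    "OR (MSGID = 'BEA-000396') OR (MSGID = 'BEA-000388')")
WATCHES = {"ServerUp": SERVER_UP_RULE, "ServerDown": SERVER_DOWN_RULE}

TERM_RE = re.compile(r"\(\s*(MESSAGE|MSGID)\s+(LIKE|=)\s+'([^']*)'\s*\)")  # (FIELD OP 'literal')
# <timestamp> <Severity> <Subsystem> <MSGID> <Message>: the .out format shown in the post
LINE_RE = re.compile(r"^<([^>]*)> <([^>]*)> <([^>]*)> <([^>]*)> <(.*)>$")

# Constructed sample lines, not real server output; the MSGIDs are the ones the rules name.
SAMPLE_OUT = [
    "<24-Mar-2013 20:40:01 o'clock UTC> <Notice> <WebLogicServer> <BEA-000360> <The server started in RUNNING mode.>",
    "<24-Mar-2013 20:40:02 o'clock UTC> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RUNNING.>",
    "<24-Mar-2013 20:47:50 o'clock UTC> <Error> <oracle.iam.configservice.impl> <IAM-3020003> <The attribute PROXY_NAME does not exist!>",
    "<24-Mar-2013 21:10:00 o'clock UTC> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FORCE_SHUTTING_DOWN.>",
    "<24-Mar-2013 21:10:05 o'clock UTC> <Alert> <WebLogicServer> <BEA-000396> <Server shutdown has been requested.>",
]

def parse_rule(rule):
    """Split an OR-only rule set into (field, operator, literal) terms."""
    return TERM_RE.findall(rule)

def parse_line(line):
    """Fields of one .out line, or {} if it is not in that format."""
    m = LINE_RE.match(line.strip())
    return dict(zip(("TS", "SEVERITY", "SUBSYSTEM", "MSGID", "MESSAGE"), m.groups())) if m else {}

def term_matches(field, op, literal, record):
    value = record.get(field, "")
    if op == "=":
        return value == literal
    # Assumption: LIKE is treated as a case-sensitive substring test, which is what these
    # rules intend; confirm the exact pattern semantics against the WLDF documentation.
    return literal in value

def fired_watches(lines, watches=WATCHES):
    """Return (watch name, MSGID) for every line whose fields satisfy a watch's rule set."""
    hits = []
    for rec in filter(None, (parse_line(l) for l in lines)):
        for name, rule in watches.items():
            if any(term_matches(f, o, lit, rec) for f, o, lit in parse_rule(rule)):
                hits.append((name, rec["MSGID"]))
    return hits
```

Note that the state-change line with BEA-000365 fires ServerDown only through the free-text LIKE term; the MSGID terms are the ones that stay stable across message wording, so prefer them when you extend these rule sets.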

We have created watches for Server Up and Server Down. Now we will create the notifications through which we will be alerted about the defined events.

I will demonstrate the notification for the Server Up watch:

Creating a Notification for the ServerUp Watch:

As can be seen below, we are using the mail session created earlier in this notification.

We can also set customized messages in notifications, and we can select the recipients of this notification.

Now that the notifications and watches are created, we can assign notification to respective watches.

For watch Server Up:

Similar steps are followed for the Server Down notification. Save the changes and then activate the changes. If the configuration is correct, you will receive emails like the one below:

We can configure these for different log events, which is convenient for troubleshooting and for reducing undesired downtime.

OIM 11g: The add proxy operation for user XXXXX failed with following error oracle.bpel.services.workflow.client.WorkflowServiceClientException javax.xml.ws.WebServiceException could not determine wsdl ports


Oracle Identity Manager (OIM) allows a user to assign a proxy (another user) so that when the user is on leave or out of office, tasks/approvals can be delegated to someone else.

  • To assign a proxy in OIM: log in to the Self Service Console: My Profile -> Proxies -> Add Proxy

On adding a proxy, users were getting the error "The add proxy operation for user [user_name] failed with following error oracle.bpel.services.workflow.client.WorkflowServiceClientException javax.xml.ws.WebServiceException could not determine wsdl ports"

 

When you assign a proxy in OIM 11g, the request is fulfilled by the SOA server (a SOA server is mandatory in OIM 11g). If you hit this error, the first thing to check is that the SOA server is running and that there are no errors in the SOA server log file. In my case the SOA server was running and there were no errors related to the SOA service /soa-infra (the STATE of the deployment soa-infra in the WebLogic Console was ACTIVE).

The message reported in the OIM server .out file was

_____
<24-Mar-2013 20:47:50 o’clock UTC> <Error> <oracle.iam.configservice.impl> <IAM-3020003> <The attribute PROXY_NAME does not exist!>
<24-Mar-2013 20:47:50 o’clock UTC> <Warning> <oracle.iam.selfservice.self.agentry> <BEA-000000> <IAM-3045001>
<24-Mar-2013 20:47:51 o’clock UTC> <Error> <oracle.iam.identity.usermgmt.impl> <IAM-3050062> <Failed setting proxy in BPEL. The operation will be rolled back.>

_____

The message reported in the OIM diagnostic log file was

_____

[2013-03-24T20:47:50.722+00:00] [WLS_OIM2] [NOTIFICATION] [IAM-1010010] [oracle.iam.platform.authz.impl] [tid: [ACTIVE].ExecuteThread: ’1′ for queue: ‘weblogic.kernel.Default (self-tuning)’] [userId: xelsysadm] [ecid: 004qB7DDy4I7u1W5Lzl3ie00053X000M4O,0:1] [APP: oim#11.1.1.3.0] [URI: /oim/faces/pages/Self.jspx] ********** Entering the Authorization Segment with parameters:: LoggedInUserId = 30, target resourceID = null, Feature = SELF_SERVICE_USER_MANAGEMENT, Action = MODIFY_SELF_USER_PROXY_PROFILE **********

[2013-03-24T20:47:50.722+00:00] [WLS_OIM2] [NOTIFICATION] [IAM-1010033] [oracle.iam.platform.authz.impl] [tid: [ACTIVE].ExecuteThread: ’1′ for queue: ‘weblogic.kernel.Default (self-tuning)’] [userId: xelsysadm] [ecid: 004qB7DDy4I7u1W5Lzl3ie00053X000M4O,0:1] [APP: oim#11.1.1.3.0] [URI: /oim/faces/pages/Self.jspx] OES Results are not found in cache with Key F: SELF_SERVICE_USER_MANAGEMENTS: 30P: MODIFY_SELF_USER_PROXY_PROFILEOESDefinition

[2013-03-24T20:47:51.696+00:00] [WLS_OIM2] [ERROR] [IAM-3050062] [oracle.iam.identity.usermgmt.impl] [tid: [ACTIVE].ExecuteThread: ’1′ for queue: ‘weblogic.kernel.Default (self-tuning)’] [userId: xelsysadm] [ecid: 004qB7DDy4I7u1W5Lzl3ie00053X000M4O,0:1] [APP: oim#11.1.1.3.0] [URI: /oim/faces/pages/Self.jspx] Failed setting proxy in BPEL. The operation will be rolled back.

_____

 

Here are some of the questions that came to my mind while troubleshooting this issue:

How does OIM know which SOA server to connect to (where is the SOA server URL defined in OIM)?

Which user does the OIM server use to connect to the SOA server?

Where is the password for this user (used to connect to the SOA server) stored?

 

_____

 

The SOA URL is defined in OIM’s Application Defined MBean (oracle.iam -> Server: <oim_server_name>, Application: oim -> XMLConfig -> Config -> XML.Config.SOAConfig -> SOAConfig)

  • The URL used to connect to the SOA server is defined by the attribute SoapURL, and the user used to connect is defined in the attribute Username
Note: If you have two or more SOA servers (for high availability), deploy a load balancer in front of the SOA servers and change SoapURL to point to the load balancer URL

 

  • The password for the username defined above is stored in OIM's credential store (Map: OIM; Key: SOAAdminPassword)
Note: The Credential Store and Policy Store are briefly covered in my book OIM/OAM 11g for Administrators (available on Amazon)

Root Cause : In my case SOA URL ( defined by SoapURL property) was not reachable from OIM server (blocked by firewall).
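Since the root cause was a SoapURL that OIM could not reach, the check worth running first is a connectivity test from the OIM host to that URL. The following is an added example (not from the original post): it takes the SoapURL value you read from the SOAConfig MBean and reports whether the host resolves, whether the port answers, and whether the connection simply times out, which is what a firewall silently dropping packets looks like. The default port table and the placeholder host names are assumptions.

```python
# Added example (not from the original post): check whether the SoapURL from OIM's
# SOAConfig MBean is reachable from the OIM host, and say why if it is not.
import socket
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "t3": 7001, "t3s": 7002}  # assumed scheme defaults

def parse_soap_url(soap_url):
    """Return (host, port) for a SoapURL such as http://soa-host.example:8001 (placeholder)."""
    parts = urlsplit(soap_url)
    if not parts.hostname:
        raise ValueError("SoapURL has no host: %r" % soap_url)
    port = parts.port or DEFAULT_PORTS.get(parts.scheme.lower())
    if port is None:
        raise ValueError("cannot infer a port for scheme %r" % parts.scheme)
    return parts.hostname, port

def check_soap_url(soap_url, timeout=3.0):
    """Classify reachability the way a troubleshooter reads it:
    ok      - TCP connect succeeded, so the listener is up and not filtered
    dns     - the host name does not resolve from this box
    refused - the host answered but nothing listens on that port (SOA server down?)
    timeout - no answer at all, the usual sign of a firewall silently dropping packets
    """
    host, port = parse_soap_url(soap_url)
    result = {"host": host, "port": port, "status": "error", "detail": ""}
    try:
        socket.getaddrinfo(host, port)
    except socket.gaierror as exc:
        result.update(status="dns", detail=str(exc))
        return result
    try:
        with socket.create_connection((host, port), timeout=timeout):
            result["status"] = "ok"
    except ConnectionRefusedError as exc:
        result.update(status="refused", detail=str(exc))
    except socket.timeout as exc:
        result.update(status="timeout", detail=str(exc))
    except OSError as exc:  # anything else (no route, policy block) stays "error"
        result["detail"] = str(exc)
    return result

if __name__ == "__main__":
    # Placeholder; use the real SoapURL attribute value from the SOAConfig MBean.
    print(check_soap_url("http://soa-host.example:8001"))
```

Run it on the OIM host itself, not from your workstation, because the firewall rule that matters is the one between those two servers.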

 

Related/References 

 

Related Posts for Identity Manager


  1. Oracle Identity Manager (User Provisioning – Thor)
  2. Installing Oracle Identity Manager (Thor Xellerate)
  3. Oracle Identity Manager 9.1 released
  4. Oracle Identity Manager (Thor Xellerate) Architecture
  5. Resource, Reconciliation, Provisioning and Connector in Oracle Identity Manager #OIM
  6. Oracle Identity Manager (OIM) Connector for Oracle Internet Directory (OID) : Architecture and Overview
  7. Step by Step Installation of OIM Design Console 9.1.0
  8. Error while running PurgeCache in OIM 11g : LoginException unable to find LoginModule class : WebLogic Full Clinet
  9. Integrate OIM 11g with OID using connector for Provisioning / Reconcilliation – Installation
  10. PurgeCache in OIM 11g : CategoryName
  11. OIM LDAP Sync : Overview and Key Points
  12. OIM 11g : How to export/import/delete Files from MDS
  13. Where are OAM details stored in OIM (account unlock, password reset)
  14. libOVD adapters in OIM LDAP Integration : LDAPsync – view and modify Adapter settings (bindDN and bindPassword)
  15. Error Starting OIM Design Console (xlclient.sh) on Linux java.lang. NoClassDefFoundError
  16. OIM 11g Challenge Questions (PCQ) for forgot password
  17. Oracle EBS Integration with OIM (Identity Manager) : Things you should know
  18. Users not synced from OID to OIM : Debug Scheduled Job
  19. OIM Connector for Microsoft : AD, Exchange, Windows, Password Management
  20. Connector Server for OIM connectors : .NET or JAVA
  21. OIM 11g Challenge Questions – Everything you must know
  22. OIM 11g How to add Challenge Questions
  23. OIM : Assign AD resource : An error occurred because the Adapters are not compiled : How to compile adapters in OIM
  24. OIM User Creation : An Error occurred while performing create user operation. Unable to get LDAP connection
  25. OIM – AD integration : Active Directory Group Lookup Recon failed with error Remote Framework Key is invalid
  26. Microsoft Active Directory (AD) to Oracle Identity Manager (OIM) Password Synchronization: Things you must know : Part I
  27. Provision resource “Microsoft Exchange” to user in OIM : Status remains in Provisioning : Part I
  28. Target Resource (or Managed Resource) vs Trusted Source (or Authoritative Source) Mode : OIM integration with applications (AD, OID, OVD, EBS, SAP, HR, LDAP)
  29. 500 Internal server accessing OIM application : com.bea. security.MicroSM. getInstance oracle.iam. platform. authz.impl
  30. Your account is locked. You can unlock your account by going to Forgot Password
  31. OIM 11g : How to find User and Manager details : USR table
  32. OIM 11g : User Detail/Attribute (Description) not visible in OIM User screen : EBS / OID / OIM integration
  33. OIM 11g: The add proxy operation for user XXXXX failed with following error oracle. bpel. services. workflow. client. workflowservieclientException javax.xml.ws.WebServiceException could not determine wsdl ports

Weekend Batch – Online Oracle Apps DBA R12 Training commencing on 31st March 2013


Join now to reap the benefits of Online Oracle Apps DBA R12 Training, which is constantly in great demand. This course is tailor-made for you, keeping in mind the latest in the world of Oracle.

 

Please find the course details mentioned below:

 

Commencement Date : 31 March 2013


Training Schedule:
 31 March 2013 & 06, 07, 13, 14, 20, 21 April 2013


Training Duration :
7 Days


Timings :
1:00 Noon GMT | 9:00AM EST | 6:00AM PST | 8:00AM CST | 7:00AM MST | 6:30PM IST


Course Fee:
USD 799

 

Our Forte:

• Extensive Hands-on training

• Certified Oracle Apps Instructors with real-time experience

• Courses designed for the latest Oracle Apps versions

• Study material with presentations & lab exercises designed by industry experts

• Practice at your leisure 24/7 during the training

• Email support post training completion

 

Mode of Training :

Our trainings are conducted online using interactive web-conferencing software which also has integrated VoIP. Participants will be able to view the trainer’s desktop remotely & communicate with him at the same time. The trainer can also take control of your PC/laptop in case you get stuck while performing exercises. For audio, you need a headset (earphones & microphone).

 

For further information and registration email us at training @ focusthread . com or contact us on Phone – US: +1 213-814-4243 | UK: +44(0) 20 7193 7426 | India: +91-22-64536768
