Friday, July 31, 2015

Oracle® Identity and Access Manager / SOA Workflows OWSM default-keystore.jks

Oracle® Identity and Access Manager / SOA Workflows  OWSM default-keystore.jks

Regenerate the default-keystore.jks following the steps descrided in the document below :  

1.In an empty working folder execute the following in order to generate a new keystore file:
keytool -genkey -alias xell -keyalg RSA -keysize 1024 -dname "CN=Customer, OU=Customer, O=Customer, L=City, ST=NY, C=US" -validity 3650 -keypass <password> -keystore default-keystore.jks -storepass <password> -storetype jks -provider sun.security.provider.Sun

Please ensure that JDK_HOME\jre\bin is in your PATH environment variable.


2.Generate a certifcate request:
keytool -certreq -alias xell -file xell.csr -keypass <password> -keystore default-keystore.jks -storepass <password> -storetype jks -provider sun.security.provider.Sun


3.Export the certificate:
keytool -export -alias xell -file xlserver.cert -keypass <password> -keystore default-keystore.jks -storepass <password> -storetype jks -provider sun.security.provider.Sun


4.Trust the certificate:
keytool -import -trustcacerts -alias xeltrusted -noprompt -keystore default-keystore.jks -file xlserver.cert -storepass <password>


5.Copy all the 3 generated files (default-keystore.jks, xell.csr, xlserver.cert) in MIDDLEWARE_HOME\user_projects\domains\<OIM Domain>\config\fmwconfig

You should repeat this step for each node in a clustered environment.


6.Change the values of the CSF keys for default-keystore.jks and xell:
 
- Login to Enterprise Manager
  - Right-click the domain
  - Navigate to Security, and then Credential
  - Expand oim
  - Edit default-keystore.jks and xell and change the password for both keys with the values used in steps 1-4.

Note: You should NOT change the passwords for other CSF keys!


7.Restart OIM server and check if everything is working fine.

One should do the following, saving in between :

1) Go to EM --> --> Security --> Credentials
2) Expand oracle.wsm.security map
3) Change paswords of the following keys
  - keystore-csf-key (user=owsm, password=keystore password)
  - enc-csf-key (user=xell, password)
  - sign-csf-key (user=xell, password)
  - recipient-alias-key (user=xell, password)

Thursday, July 16, 2015

Oracle® Identity Manager 11.1.2.2 and SOA 11.1.1.7: Callback and ReqSvc Service Discovery

In a recent project we had to face the challenge of debugging the issues with Callback and Reqsvc Services from SOA to OIM. The  URL doe the services is set during the install and configuration time, however this can be changed by using the following JMX Bean


  • Using the EM console, Navigate to Identity And Access 
  • Right Click on oim(11.1.2.0)
  • Go to the System MBean Browser
  • Navigate to Application Defined MBeans
  • Navigate to oracle.iam
  • Navigate to server_xxxxx (server name)
  • Navigate to XML Config
  • Navigate to Discovery Config




































  • On the RHS, for the OimFrontEndURL and OIMExternalFacingFrontEndURL, set the URL of the desired server https:://identitymindtelligent.com:14001














Monday, June 1, 2015

Oracle® Identity and Access Manager:: Develop a Custom SOA Composite


Create a JDeveloper application for custom SOA composite by running the helper utility:

1. Set up the environment (for Linux machines)
cd <BEAHOME>/wlserver_10.3/server/bin
bash
source setWLSEnv.sh
2. Run the utility by executing following commands:
cd <OIMHOME>/server/workflows/new-workflow
ant -f new_project.xml
3. Enter the JDeveloper application name (AssignRoleApprovalApp) when the following prompt is displayed:

Please enter application name

4. Enter the JDeveloper project name (AssignRoleApproval) when the following prompt is displayed:

Please enter project name
5. Enter the name of the ADF binding service (AssignRoleApprovalService) for the composite when the following prompt is displayed:




Please enter the service name for the composite. This needs to be unique across applications

The following screenshot (Figure 1) shows creation of AssignRoleApprovalApp.

Monday, May 4, 2015

Oracle® Identity & Access Manager / SOA Stack : Find the password for default-keystore.jks and .xldatabasekey keystores and stored keys.

The passwords for the keystores are saved in CSF - Credential Store Framework - filestore ($DOMAIN_ROOT/config/fmwconfig/cwallet.sso) and thus it's accessible via CSF API / Mbeans.


The easiest way to find the password in cleartext is to use the JpsCredentialStore MBean via Enterprise Manager:

1. Login to EM
2. Browse to

   WebLogic Domain -> <Domain> -> System MBean Browser

3. In MBean Browser browse to

   Application Defined MBeans -> com.oracle.jps -> Domain: <Domain>
     -> JpsCredentialStore

4. From Operations tab execute the getPortableCredentialMap operation with
   following parameter:

   Name     Type              Value
   -------- ----------------  ---------------------
   p1       java.lang.String  oim

5. Browse through the provided credential list to get the password
   in human readable form for the entry you are interested in.

Thursday, April 9, 2015

Oracle® Enterprise Manager 12c Cloud Control


Make a directory to hold the Middleware installation.
$ mkdir -p /u01/app/oracle/Middleware
Unzip the Cloud Control media, the start the installation by running the "runInstller" script.
$ unzip em12_linux64_disk1of2.zip
$ unzip em12_linux64_disk2of2.zip

$ ./runInstaller
If you wish to receive support information, enter the required details, or uncheck the security updates checkbox and click the "Next" button. Click the "Yes" button the subsequent warning dialog.

If you wish to check for updates, enter the required details, or check the "Skip" option and click the "Next" button.

Press "Next" button.



Select the "Create a new Enterprise Manager System" and "Simple" options, enter the middleware home ("/u01/app/oracle/Middleware") and click the "Next" button.



Enter the administrator password and database repository details, then click the "Next" button.

On the first warning dialog, click the "Yes" button to disable the stats gathering job.



Check the additional warnings, then click the "OK" button to continue.

If you are happy with the review information, click the "Install" button.

Wait while the installation and configuration take place.

When prompted, run the root scripts, then click the "OK" button.

Make note of the URLs, then click the "Close" button to exit the installer. A copy of this information is available in the "/u01/app/oracle/Middleware/oms/install/setupinfo.txt" file.

The login screen is available from a browser using the URL provided in the previous screen ("https://localhost:7803/em"). Log in with the username "sysman" and the password you specified during your installation.

Once logged in, you are presented with a with the "License Agreement" screen. Click the "I Agree" button and you are presented with the homepage selector screen. Select the desired homepage (I chose Summary) and click the "Preview" button.

You are presented with the selected screen as the console homepage.

Startup/Shutdown
Use the following commands to turn on all components installed by this article.
#!/bin/bash
export ORACLE_HOME=/u01/app/oracle/product/11.2.0/db_1
export OMS_HOME=/u01/app/oracle/Middleware/oms
export AGENT_HOME=/u01/app/oracle/Middleware/agent/core/12.1.0.1.0

# Start everything
$ORACLE_HOME/bin/dbstart $ORACLE_HOME

$OMS_HOME/bin/emctl start oms

$AGENT_HOME/bin/emctl start agent
Use the following commands to turn off all components installed by this article.

#!/bin/bash
export ORACLE_HOME=/u01/app/oracle/product/11.2.0/db_1
export OMS_HOME=/u01/app/oracle/Middleware/oms
export AGENT_HOME=/u01/app/oracle/Middleware/agent/core/12.1.0.1.0

# Stop everything
$OMS_HOME/bin/emctl stop oms -all

$AGENT_HOME/bin/emctl stop agent

$ORACLE_HOME/bin/dbshut $ORACLE_HOME

Wednesday, April 8, 2015

SOA 11.1.1.7 Garbage Collection

# WLST script which calls GC.

from java.util import *
from javax.management import *
import javax.management.Attribute

print 'starting the script .... '

# please replace userid and password with your AdminServer userid and password
# plz change the IP adresss and port number accordingly
connect('userid','password',url='t3://localhost:port')

state('AdminServer')

# For Force GC ....
domainRuntime()
cd('/ServerRuntimes/AdminServer/JVMRuntime/AdminServer')
print ' Performing Force GC...'
cmo.runGC()

disconnect()
print 'End of script ...'
exit()

Sunday, April 5, 2015

Oracle® Virtual directory OVD: Controlling the Maximum Heap Size

The -Xmx parameter in the opmn.xml file controls the maximum heap size allocated to the Oracle Virtual Directory server. The default value is -Xmx256m. Edit this parameter as needed to increase or decrease the maximum heap size allocated to the Oracle Virtual Directory server. The opmn.xml file is located in the ORACLE_INSTANCE/config/OPMN/opmn/ directory.

The following example shows the -Xmx parameter set to -Xmx2048m, which allocates 2 GB of heap size to the Oracle Virtual Directory Server:
<ias-component id="OVD_COMPONENT_NAME">
            <process-type id="OVD" module-id="OVD">
               <module-data>
                  <category id="start-options">
                     <data id="java-options" value="-server -Xms512m -Xmx2048m                               
-Doracle.security.jps.config=$ORACLE_INSTANCE/config/JPS/jps-config-jse.xml 
-Dvde.soTimeoutBackend=120"/>
                     <data id="java-classpath" value="$ORACLE_
HOME/ovd/jlib/vde.jar$:$ORACLE_HOME/jdbc/lib/ojdbc6.jar"/>
                  </category>
               </module-data>
               <stop timeout="120"/>
            </process-type>
         </ias-component>

Tuesday, March 31, 2015

Oracle® Virtual directory OVD 11g Basic Setup This shows how to create a simple OVD

Oracle® Virtual directory OVD 11g  Basic Setup

This shows how to create a simple OVD setup - 2 LDAP adapters. One is AD and the other is OUD (though could be any other LDAP)

The first step is to create a Local Store Adapter (LSA). A LSA is created so that we have a "root" or "tree-top" entry because the other adapters will be branches because that's typically easier to organize with. But a root entry is needed because many application expect a valid entry to be there.

To simplify creating the root entry - the OVD wizard will pre-populate the entry.

Choose domain if using dc= as the DN attribute.

Click finish

Next we will create the AD adapter.

Connect to the AD server. If you have multiple AD servers for this domain - then enter them here. It can be a service account - it does not have to be AD admin.

This screen verifies we connect correctly.

Map to the proper branches here. Note OVD exposes a different namespace to OVD clients.

Click finish.

Next create LDAP adapter for OUD.

Enter OUD connection information.

Verify settings were correct.

Map to the OUD DIT.

Click finish

Because we have both AD and OUD - they have different LDAP schema. AD has its own (in particular the username is stored in samaccountname instead of uid by default). We will use the VirtualAttribute plug-in to map samaccountname to uid.

Select the VirtualAttributePlugin

Add the mapping.

Click apply

Now when you look at the entry - you see both samaccountname and uid. If you want only uid - use ReplaceAttribute instead of AddAttribute.

Oracle® Virtual directory OVD 11g - Setup a Join with AD and OUD

Oracle® Virtual directory OVD 11g - Setup a Join with AD and OUD

This simple how-to shows how to configure a basic OVD join adapter setup. The join adapter is used when an application requires data from 2 or more adapters appear as the same single entry. For example John's name, email and username comes from Active Directory while his phone number comes from the telephone database. It is not for the use case where data from different sources contain different entries. For example if employees are in 1 LDAP and customers in another, then the basic OVD setup should be used. Note that this setup will only show the default configuration where only data in the primary adapter can be searched. If data in the second adapter needs to be searched - this requires the ForkJoin adapter and will be covered in a different how-to.

The first step to do is go to the primary adapter and set its visibility to "Internal". This makes it only visible to the Join adapter (and plug-ins).


Repeat the same for the second adapter.

Now create the Join adapter

The join adapter can have the primary and bind adapters be different. For example have OUD be the data directory but use AD (Windows) passwords for authentication.

The join rules are set after you create the entry

This is the most common join rule - link 2 different adapters based on values in attributes. The attributes do not need to be the same, as long as the values are the same.

Make sure to apply the rules.

This shows a simple search. The simplest way to verify the join occured is to look for the "vdejoindn" attribute - this is a OVD proprietary virtual attribute that indicates the DN of the joined source entry. And of course you will see any attributes from the secondary source. Note - if the primary and secondary source share the same attribute and values, only a single value will be shown.

Wednesday, February 25, 2015

Oracle® Identity and Access Manager: Purge Cache



Purging is required when caching is enabled and if you make any system configuration changes. It is not required if caching is disabled.


  • Before running the PurgeCache utility, navigate to the OIM_HOME/server/bin/ directory.

  • Before running the PurgeCache utility, you must run the DOMAIN_HOME/bin/setDomainEnv.sh script.
To use the PurgeCache utility, run PurgeCache.bat CATEGORY_NAME on Microsoft Windows or PurgeCache.sh CATEGORY_NAME on UNIX. The CATEGORY_NAME argument represents the name of the category that must be purged. For example, the following commands purge all FormDefinition entries from a system and its clusters:./

$PurgeCache.sh ALL