
Thursday, November 19, 2015

OIM - Target Reconciliation - Child Table entry is coming Blank.




Issue -

During target reconciliation, the users are linked properly and the reconciliation data is visible in the Reconciliation Event, but the Role Name is not visible: a blank value appears in the child table.

Solution -

1. Configure/create a lookup to get the Groups or Roles from the target system.

2. Run the lookup reconciliation scheduler.

3. Check the groups in the lookup configured/created in step 1.

4. If the Groups/Roles are present in the above lookup, run the Entitlement List scheduler.

5. Check the Entitlement tab under App Instance for the particular App Instance.

6. Now run the target reconciliation again.

7. If you face the same issue, then check the ReconAttrMap lookup. You may have missed appending the keyword "[LOOKUP]" to the code key for the role attribute.

Check your connector documentation first for how to map the child table attributes in ReconAttrMap.

For example, if you are using the DBAT connector, replace Groups~Group Name with Groups~Group Name[LOOKUP]

In the above example, Groups is the multi-valued attribute in the Resource Object and Group Name is an attribute of the Role/Group.




Wednesday, November 18, 2015

Error ORACLE.IAM.CONNECTORS.ICFCOMMON.PROV.ICPROVISIONINGMANAGER BEA-000000 oracle.iam.connectors.icfcommon.prov.ICProvisioningManager : doUpdate : Error while updating user java.lang.RuntimeException: Parameter 'uid' must not be null.

Issue - 

Error while disabling user - Parameter 'uid' must not be null.

Error ORACLE.IAM.CONNECTORS.ICFCOMMON.PROV.ICPROVISIONINGMANAGER  BEA-000000     oracle.iam.connectors.icfcommon.prov.ICProvisioningManager : doUpdate : Error while updating user
 java.lang.RuntimeException: Parameter 'uid' must not be null.

Solution -

1. Check your ProvAttrMap lookup and add as code and decode keys only those attributes which are in the Resource Object.
2. Test your use case again.
3. If you are still facing the issue, check the code and decode keys, and also check the process form labels for the code key (or compare with your connector document for the correct mapping of code and decode keys in ProvAttrMap).



DBAT Connector throwing Null Pointer Exception while Disabling User Account - ICProvisioningManager : doUpdate : Error while updating user java.lang.NullPointerException

Issue -

             ICProvisioningManager : doUpdate : Error while updating user 
                java.lang.NullPointerException
                at oracle.iam.connectors.icfcommon.prov.ICProvisioningManager.doUpdate(ICProvisioningManager.java:640)
                at oracle.iam.connectors.icfcommon.prov.ICProvisioningManager.doEnable(ICProvisioningManager.java:619)
                at oracle.iam.connectors.icfcommon.prov.ICProvisioningManager.disableUser(ICProvisioningManager.java:553)
Solution -

OIM expects a Uid object to be returned from the groovy script. So add the line below at the end of your groovy script:

return new Uid(uid); 

Replace uid with the user id attribute used in your groovy script.


Thursday, April 23, 2015

RACF - Target Recon Issue - Not linked to any user - IAM-0050000[[ oracle.iam.platform.utils.SuperRuntimeException: oracle.iam.platform.tx.OIMTransactionException: java.sql.SQLException: ORA-01407: cannot update ("IAM_OIM"."OIU"."OST_KEY") to NULL

Problem :

IAM-0050000[[

oracle.iam.platform.utils.SuperRuntimeException: oracle.iam.platform.tx.OIMTransactionException: java.sql.SQLException: ORA-01407: cannot update ("IAM_OIM"."OIU"."OST_KEY") to NULL

Solution :

1. Login to OIM - Sysadmin Console.
2. Open Scheduler Window.
3. Search for "RACF Reconcile All Users"
4. Modify the "SingleValueAttributes" Parameter with all your required fields on the process form.


5. I have populated the "SingleValueAttributes" parameter with the below values -

cn,
defaultGroup,
instdata,
lastaccessdate,
lastconnectdate,
location,
owner,
resumeDate,
revokeDate,
Status,
tsoaccess,
tsoAcctNum,
tsoHoldclass,
tsoMaxSize,
tsoMsgclass,
tsoProc,
tsoSize,
tsoSysoutclass,
tsoUnit,
tsoUserdata,
uid,
userPassword,
waaccnt.
6. After changing the parameter value, click Apply and re-run the scheduler.

Monday, September 29, 2014

OAM Interview Questions, Oracle Access Manager Interview Questions, Access Management Interview Questions.

Disclaimer: The contents of this post are meant only to help IAM professionals get a basic understanding of OIM and are an extract from various sites and standard Oracle® documents.





Oracle Identity Manager Interview Questions, OIM Interview Questions, IDM Interview Questions, Identity Management Interview Questions, Identity Manager Interview Questions.

Disclaimer: The contents of this post are meant only to help IDM professionals get a basic understanding of OIM and are an extract from various sites and standard Oracle® documents.



OAM Interview Questions : http://rite-oim.blogspot.in/2014/09/oam-interview-questions-oracle-access.html


Tuesday, January 28, 2014

Logging, Auditing, and Monitoring the Directory, Enable Audit Logging in OID 11g, Audit Logs in OID, Configure OID Audit Logs, OID logs, Auditing in OID 11g

Logging, Auditing, and Monitoring the Directory

Managing and Enabling Audit Logging in OID 11g

In Oracle Fusion Middleware 11g Release 1 (11.1.1), auditing provides a measure of
accountability and answers the "who has done what and when" types of questions.


Prerequisites:

  • OID 11g is installed in Environment.
  • OID instances must be Up and Running.
  • OID managed Servers must be Up and Running.
Here are the steps to follow to enable audit logs in OID 11g:

  1. Checking the Configurations. 
  2. Checking the output file.
  3. Preparing LDIF file.
  4. Enabling the Audit Logging using Command Prompt.
  5. Re-Checking the Configurations. 
  6. Testing Audit Logging.
1. Checking the Configurations 

This step checks the configuration of the OID instance to see whether OID audit logging is enabled.

Run the command below in the Command Prompt (Windows) or Terminal (Linux) on the host where the OID instance is installed.

Note: To run this command you may have to set the environment variables based on your server configuration. Normally on Windows we don't have to set the environment variables to run the command below.

Syntax:
ldapsearch -p <oid_port> -h <hostname> -D <username> -q -b "cn=oid2,cn=osdldapd,cn=subconfigsubentry" -s base "objectclass=*" > <filepath>

Example:

In Windows:
ldapsearch -p 3060 -h localhost -D cn=orcladmin -q -b "cn=oid2,cn=osdldapd,cn=subconfigsubentry" -s base "objectclass=*" > C:\Oracle\Middleware\c5.txt

Provide the password and hit Enter.

In Linux:
ldapsearch -p 3060 -h localhost -D cn=orcladmin -q -b "cn=oid2,cn=osdldapd,cn=subconfigsubentry" -s base "objectclass=*" > /u01/app/Oracle/Middleware/c5.txt

Provide the password and hit Enter.

2. Checking the output File.

Open the file c5.txt from the location

Windows:
 C:\Oracle\Middleware\

Linux:
/u01/app/Oracle/Middleware/

Search for the attribute "orclaudcustevents" and check its value. If the value is blank, audit logging is not enabled in the configuration and we have to enable it, as described in the next step.


3. Preparing LDIF file:

We will set the "orclaudcustevents" value using LDIF file.

Open any text editor and enter the values below:

dn: cn=oid2,cn=osdldapd,cn=subconfigsubentry
changetype: modify
replace: orclaudFilterPreset
orclaudFilterPreset: Custom
-
replace: orclaudcustevents
orclaudcustevents: UserLogin 

Save this file as LDIF file (for e.g. : aud.ldif)

Here oid2 is the component name (check the instance home for your component name) and UserLogin is the event for which we are enabling audit logging. Audit logging can be enabled for several types of events simultaneously. Some events that can be used along with UserLogin are listed below.

UserLogin.FAILURESONLY, UserLogout, CheckAuthorization,
ModifyDataItemAttributes, CompareDataItemAttributes, ChangePassword.FAILURESONLY
orclaudfilterpreset=custom

4. Enabling the Audit Logs using Command Prompt.

The ldapmodify command is used to enable the audit logs by modifying the value of orclaudcustevents.

Run the command below:

Syntax:

ldapmodify -D <username> -q -p <port> -h <hostname> -f <filelocation>

Example:

ldapmodify -D cn=orcladmin -q -p 3060 -h localhost -f C:\Oracle\Middleware\aud.ldif

Enter Password when prompted:

5. Re-Checking the Configurations:

Rerun the ldapsearch command to check the new configuration.

Repeat steps 1 and 2 from above. This time in step 2 the output must show the below result:












6. Testing Audit Logging:

Open the ODSM page in browser using the URL below: 

http://<hostname>:<port>/odsm

In my case http://localhost:7005/odsm

Try to log in as any user, say cn=orcladmin, with the correct password.

If the user logs in correctly, log out and log in again as a different user, say cn=testuser, this time with an incorrect password.

Now we will check the audit logs to see whether our UserLogin events are captured:

Open Location 

INSTANCE_HOME/AuditLogs/component-name/

In my case : C:\Oracle\Middleware\asinstance1\auditlogs\OID\oid2\

and open the latest audit log file 

for e.g: file with name audit_pid3924.txt

The log should contain the events captured for UserLogin.






The other way to check audit logging in OID is to use the EM console: http://onlineappsdba.com/index.php/2012/08/28/how-to-findaudit-failed-login-attempts-in-oid-11g/
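The check in steps 2 and 5 can be scripted. The following is an added example, not part of the original post: it parses the saved ldapsearch output (c5.txt) and reports whether the two attributes set by the LDIF in step 3 are in place. It assumes the output uses either `attr=value` or LDIF `attr: value` lines; the function names and the sample text are constructed for illustration.

```python
import base64
import re

# name, separator (":" LDIF, "::" base64 LDIF, "=" attr=value output), value
ATTR_LINE = re.compile(r"^([A-Za-z][\w;-]*)\s*(::|:|=)\s*(.*)$")


def parse_entry(text):
    """Return {lowercased attribute name: [values]} for one ldapsearch entry."""
    unfolded = re.sub(r"\r?\n ", "", text)  # LDIF folds long lines with a leading space
    attrs = {}
    for line in unfolded.splitlines():
        m = ATTR_LINE.match(line.strip())
        if not m:
            continue
        name, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", "replace")
        # A bare DN line also matches (as "cn"); harmless, only two names are read.
        attrs.setdefault(name.lower(), []).append(value.strip())
    return attrs


def audit_status(text):
    """Evaluate the two attributes that the LDIF in step 3 sets."""
    attrs = parse_entry(text)
    preset = (attrs.get("orclaudfilterpreset") or [""])[0]
    events = [e.strip() for v in attrs.get("orclaudcustevents", [])
              for e in v.split(",") if e.strip()]
    problems = []
    if not events:
        problems.append("orclaudcustevents is blank or missing")
    if preset.lower() != "custom":
        problems.append("orclaudfilterpreset is %r, expected Custom" % preset)
    names = {e.lower() for e in events}
    if "userlogin" in names:
        logins = "all"        # step 6: both the good and the bad login are logged
    elif "userlogin.failuresonly" in names:
        logins = "failures"   # the successful login in step 6 will not appear
    else:
        logins = "none"
    return {"enabled": not problems, "preset": preset,
            "events": events, "logins": logins, "problems": problems}


# Constructed samples of c5.txt, not captured from a real server.
BEFORE = "cn=oid2,cn=osdldapd,cn=subconfigsubentry\norclaudfilterpreset=None\n"
AFTER = ("dn: cn=oid2,cn=osdldapd,cn=subconfigsubentry\n"
         "orclaudFilterPreset: Custom\n"
         "orclaudcustevents: UserLogin, UserLogout,\n"
         " ChangePassword.FAILURESONLY\n")

if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_status(sample))
```

To use it on a real file, pass the contents of c5.txt to `audit_status()`.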

*********************************************************************************




Tuesday, December 10, 2013

UDF in OIM 11g R2, User Defined Fields in OIM 11g R2, Custom Attributes in OIM 11g R2

UDF(User Defined Fields) or Custom Attributes in Oracle Identity Management (OIM 11g R2)




1. REGISTERING A NEW ATTRIBUTE

2. ADDING A NEW ATTRIBUTE IN FORM

3. CREATE A NEW USER

4. CHECK NEW USER AND ATTRIBUTE IN OIM USER TABLE


FOR DETAILED INFORMATION ON UDF, PLEASE REFER TO "Configuring Custom Attributes" IN THE OIM 11G R2 ADMIN GUIDE

1. REGISTERING A NEW ATTRIBUTE

To create a custom attribute or UDF, log in to Oracle Identity System Administration using http://localhost:14000/sysadmin, changing the hostname and port number accordingly.
Type the username and password of the admin.



















Create and activate a sandbox. Click on Sandboxes on upper right corner.




Click on Create Sandbox.







Give a name to your sandbox and click Save and Close.

















Click on Form Designer in the left pane under Configuration header.

















Search for the form of User Type and click User.











Click on Create icon under Custom Panel











Select Field Type as Text and click OK.
















After clicking the OK button, the custom attribute wizard opens.





























Fill up fields as shown below and Click Save and Close to Save.
















Now go to the Manage Sandboxes tab, select the activated sandbox and click Publish Sandbox to commit the changes done so far.
So far we have registered the new attribute in User Form.

2. ADDING A NEW ATTRIBUTE IN FORM

Log in to the OIM Self Service Console using http://localhost:14000/oim, changing the hostname and port number accordingly.

Enter the admin username and password.

















Click on the Sandboxes to create a new Sandbox


















Click on the Create Sandbox, enter following details then save and close the wizard.




























Click Users under Administration in left pane.

















Click Create to open User Creation Form.


















Fill the mandatory fields to avoid some validation exceptions.

Click the Customize link at the upper right corner to customize the user form.




Click on the View and select Source to edit ADF code.

Using your mouse pointer, select the Basic Information area of the User form, which is where the attribute will be added.













After selecting the area a confirmation window appears, Click Edit and confirm.










Now click Add Content button. Scroll, search, and click Data Component - Manage Users Link.












Scroll Down and search for UserVO1 Component. Click it.














After clicking, a new wizard appears. Scroll down and search for the Major_Skill text box component.

Click the add button on the left and select ADF Input Text w/ Label. You can observe that a new field automatically appears in the User Form in the Basic Information area. Close the wizard.























Select the new attribute in ADF editor and click edit












Check Auto Submit and click OK.



















Close the Customize window.





3. CREATE A NEW USER

In Create User Form just fill with some information and submit












4. CHECK NEW USER AND ATTRIBUTE IN OIM USER TABLE

Check User in Database and find the new attribute (column) USR_UDF_MAJOR_SKILL















Wednesday, October 16, 2013

ObAccessClient.lst does not contain a client id - ACCESS_GATE FATAL 0x00001824

Hi,

Problem Description :

When a new Webgate agent is registered with OAM, sometimes, due to some misconfiguration, the OHS server throws some common exceptions. Today I got a very uncommon exception in the OHS - Webgate - OAM configuration. Below is the stack trace that came in:
------------------------------------------------------------------------------------------------------------
Message from syslogd@ at Wed Oct 16 10:19:05 2013 ...
mmvhsgbobis001a Oblix: 2013/10/16@10:19:05.07603      
3716    3765    ACCESS_GATE     FATAL   0x00001520    
/ade/aime_ngamac_497961/ngamac/src/palantir/webgate2/src/apache2entry_web_gate.cpp:589
"Exception thrown during WebGate initialization"

Message from syslogd@ at Wed Oct 16 10:19:05 2013 ...
mmvhsgbobis001a Oblix: 2013/10/16@10:19:05.07618      
3716    3765    ACCESS_GATE     FATAL   0x00001824    
/ade/aime_ngamac_497961/ngamac/src/palantir/webgate2/src/apache2entry_web_gate.cpp:590
 "ObAccessClient.lst does not contain a client id."      raw_code^213

------------------------------------------------------------------------------------------------------------

Message from syslogd@ at Wed Oct 16 10:46:35 2013 ...
mmvhsgbobis001a Oblix: 2013/10/16@10:46:35.09020    
 4728    4733    ACCESS_GATE     FATAL   0x00001520  
 /ade/aime_ngamac_497961/ngamac/src/palantir/webgate2/src/apache2entry_web_gate.cpp:589
  "Exception thrown during WebGate initialization"

Message from syslogd@ at Wed Oct 16 10:46:35 2013 ...
mmvhsgbobis001a Oblix: 2013/10/16@10:46:35.09035    
 4728    4733    ACCESS_GATE     FATAL   0x0000182A  
 /ade/aime_ngamac_497961/ngamac/src/palantir/webgate2/src/apache2entry_web_gate.cpp:590
"An internal ObError exception was caught."     raw_code^224

------------------------------------------------------------------------------------------------------------

Solution for Above Error:
------------------------------
Check the "ObAccessClient.xml" file in
MW_HOME/ohs/instances/instance1/config/OHS/ohs1/webgate/config

If anything looks inappropriate, copy the artifacts once more from OAM_RREG_HOME/output/Agent_Name/ObAccessClient.xml to this location.
(In my case I have registered the agents using RREG - the OAM Remote Registration Tool.)

If that doesn't work, you have to delete the present agent from OAM and re-register the agent to create the new artifacts (cwallet.sso and ObAccessClient.xml). Copy the new artifacts to MW_HOME/ohs/instances/instance1/config/OHS/ohs1/webgate/config





Tuesday, October 8, 2013

ClassCastException error during OIM- Siebel Provisioning/Reconciliation


OIM connector for Siebel was apparently installed successfully. But, provisioning to the Siebel resource did not go through. A careful inspection of logs reveals the notorious “ClassCastException”.
Environment: OIM 11g 11.1.1.5.0 (PS1), Siebel 8.1.1, Oracle DB 11.2.0.1, Siebel User Management Release 11.1.1, Oracle Enterprise Linux 5.6 (64 bit), WLS 10.3.5
Stacktrace
java.lang.ClassCastException: java.lang.NoClassDefFoundError cannot be cast to org.identityconnectors.framework.common.objects.ConnectorObject
Other variants:
java.lang.NoClassDefFoundError
Investigation
This problem occurs if the required third party JARs (as noted in the connector documentation) were not successfully bundled within the connector during connector installation.
The documentation instructs one to copy siebel.jar and siebelji_enu.jar from the SIEBEL_INSTALLATION_DIRECTORY/siebsrvr/CLASSES directory and place them in OIM_HOME/ConnectorDefaultDirectory/targetsystems-lib/siebel-RELEASE_NUMBER. But the downloaded third-party jars showed a ridiculous size of 133KB (whereas a healthy Siebel.jar is 1,295KB and SiebelJI_enu.jar is 42KB).
Verification
1. $OIM_HOME/server/bin/DownloadJars.sh
[Enter Xellerate admin username :]xelsysadm
[Enter the admin password :]
[Enter serverURL :[ t3://localhost:7001 ]]t3://localhost:14000
[Enter context Factory :[ weblogic.jndi.WLInitialContextFactory ]]
Enter the jar type
  1.JavaTasks
  2.ScheduleTask
  3.ThirdParty
  4.ICFBundle
4 <——————————— Choose 4 for SiebelConnectorBundle here
Enter the full path of the download directory :

/tmp
Enter the name of jar file to be downloaded from DB :
org.identityconnectors.siebel-1.0.1.jar <—————– The name of the SiebelApps bundle
Do u want to download more jars [y/n] :n
Download jar executed successfully
2. Create a new Directory and name it Siebel_Jar. Unzip the downloaded org.identityconnectors.siebel-1.0.1.jar file into Siebel_Jar and check for the four required third-party JAR files which will not be present.
Your Directory Should look like :

Siebel_Jar
             |--------|
                        |----org
                        |----THIRDPARTYREADME.txt
                        |----META-INF
                        |----org.identityconnectors.siebel-1.0.1.jar

Solution
1. In the directory where the downloaded org.identityconnectors.siebel-1.0.1.jar was unzipped (i.e. you are in the structure of the archive itself), create a sub-directory called: lib
2. Copy the two required Siebel third-party JAR files (Siebel.jar and SiebelJI_enu.jar) into this new lib directory.
3. Move the org.identityconnectors.siebel-1.0.1.jar file from this directory to another directory. Re-jar the files, which now include the third-party files in the new lib directory (the following command assumes you are in the same directory (Siebel_Jar) into which the original jar was unzipped, and that you have moved the original JAR file out of this directory so it doesn't end up in the new archive):
Now Your Directory should look like:
Siebel_Jar
             |--------|
                        |----org
                        |----THIRDPARTYREADME.txt
                        |----META-INF
                        |----lib
Now run the command below.
jar cvfm org.identityconnectors.siebel-1.0.1.jar META-INF/MANIFEST.MF *
(note the use of the existing MANIFEST.MF file as OIM will check for this)
4. Upload this new updated JAR file back into the database:
$OIM_HOME/server/bin/UploadJars.sh
[Enter Xellerate admin username :]
[Enter Xellerate admin username :]xelsysadm
[Enter the admin password :]
[Enter serverURL :[ t3://localhost:7001 ]]t3://localhost:14000
[Enter context Factory :[ weblogic.jndi.WLInitialContextFactory ]]
Enter the jar type
   1.JavaTasks
   2.ScheduleTask
   3.ThirdParty
   4.ICFBundle
4 <———————— again choose option 4 here for the SiebelConnectorBundle
Enter the path/location of jar file :
/tmp/jars/ org.identityconnectors.siebel-1.0.1.jar <—————– The name of the SiebelApps bundle
Do u want to load more jars [y/n] :n
Upload jar executed successfully
5. Restart OIM and retest provisioning and monitor logs.
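
Before uploading in step 4, the rebuilt bundle can be checked for the mistakes this procedure is prone to. The following is an added example, not part of the original post or of the connector: it verifies that the archive keeps META-INF/MANIFEST.MF and the org/ classes, contains both Siebel jars under lib/ as readable archives, and does not contain the original bundle jar. The function names and the in-memory sample archives are constructed for illustration.

```python
import io
import zipfile

MANIFEST = "META-INF/MANIFEST.MF"
REQUIRED_LIBS = ("lib/Siebel.jar", "lib/SiebelJI_enu.jar")   # jar names from the page
BUNDLE_NAME = "org.identityconnectors.siebel-1.0.1.jar"      # bundle name from the page


def check_bundle(jar):
    """Return a list of problems in a re-jarred bundle (path or bytes); [] means OK."""
    source = io.BytesIO(jar) if isinstance(jar, bytes) else jar
    problems = []
    with zipfile.ZipFile(source) as zf:
        names = zf.namelist()
        # The page spells the jars both siebel.jar and Siebel.jar, so the
        # lib/ entries are matched case-insensitively.
        by_lower = {name.lower(): name for name in names}
        if MANIFEST not in names:
            problems.append("missing " + MANIFEST)
        if not any(n.startswith("org/") for n in names):
            problems.append("connector classes under org/ are missing")
        for lib in REQUIRED_LIBS:
            entry = by_lower.get(lib.lower())
            if entry is None:
                problems.append("missing " + lib)
            elif not zipfile.is_zipfile(io.BytesIO(zf.read(entry))):
                problems.append(entry + " is not a readable jar")
        # Step 3 warns against leaving the original jar in the directory.
        if any(n.rsplit("/", 1)[-1] == BUNDLE_NAME for n in names):
            problems.append("original bundle jar was archived inside the new one")
    return problems


def make_jar(entries):
    """Build an in-memory archive from {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample data: tiny stand-ins, not real Siebel or connector files.
STUB_JAR = make_jar({"stub/Placeholder.class": b"\xca\xfe\xba\xbe"})
BASE = {MANIFEST: b"Manifest-Version: 1.0\n",
        "org/identityconnectors/siebel/Placeholder.class": b"\xca\xfe\xba\xbe"}
AS_DOWNLOADED = make_jar(BASE)                                    # no lib/ directory
REPACKED = make_jar({**BASE, "lib/Siebel.jar": STUB_JAR,
                     "lib/SiebelJI_enu.jar": STUB_JAR})
BAD_LIB = make_jar({**BASE, "lib/Siebel.jar": b"<html>error</html>",
                    "lib/SiebelJI_enu.jar": STUB_JAR})
LEFTOVER = make_jar({**BASE, "lib/siebel.jar": STUB_JAR,
                     "lib/siebelji_enu.jar": STUB_JAR, BUNDLE_NAME: AS_DOWNLOADED})

if __name__ == "__main__":
    for label, data in (("as downloaded", AS_DOWNLOADED), ("repacked", REPACKED),
                        ("bad lib", BAD_LIB), ("leftover", LEFTOVER)):
        print(label, check_bundle(data) or "OK")
```

`check_bundle()` also accepts a file path, so it can be pointed at the jar produced by the `jar cvfm` command above.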





******************************************************************************
******************************************************************************