The Blog

All Java is Not Created Equal

lcolette | January 31st, 2012

***NOTE: As with all Tips and Tricks we provide on the IDMWorks blog, use the following AT YOUR OWN RISK.  We do not guarantee this will work in your environment and make no warranties***

The what:

Java & CA Identity Manager V12.5

The issue:

I got hung up on a version of Java, 6.29, that should have worked with CA IDM V12.5, but on Windows the IDM install completed while the JBoss startup hung on Analytics every time.

The symptoms:

On Windows, CA IDM did not load completely enough to do a clean uninstall. The boot log was full of errors about ‘unzipping jar files’ but offered little more to go on.

I replaced JBoss with a new download from a known good load to no avail.

I thought perhaps the Java version was incorrect. I uninstalled and reinstalled Java 6.27 but this only appeared to cause more problems.

The Solution:

In an effort to avoid wiping the box to change the Java install, I renamed the folder containing 6.27 to 6.29 and reset the JAVA_HOME variable.
The IDM console then started correctly, using the lower Java version from the higher-named folder.
The product release notes say Java 6.x, but that does not guarantee compatibility with every update release.
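The rename trick works precisely because nothing checks that a folder name matches the runtime inside it, so it is worth confirming which Java an IDM or JBoss start-up will really pick up. The following PowerShell is an added example, not code from the original post or from CA; it assumes JAVA_HOME is set and that java.exe lives under its bin\ folder.

```powershell
# Added example: report the Java version that the JAVA_HOME folder actually
# contains, and warn when the folder name does not agree with it.
# Assumes JAVA_HOME is set and %JAVA_HOME%\bin\java.exe exists.
function Get-EffectiveJavaVersion {
    param([string]$JavaHome = $env:JAVA_HOME)

    if (-not $JavaHome) { throw 'JAVA_HOME is not set' }
    $JavaHome = $JavaHome.TrimEnd('\')
    $javaExe = Join-Path $JavaHome 'bin\java.exe'
    if (-not (Test-Path $javaExe)) { throw "No java.exe under $JavaHome" }

    # 'java -version' writes to stderr, so merge the streams before parsing.
    $output = & $javaExe -version 2>&1 | Out-String
    if ($output -notmatch 'version "([^"]+)"') { throw "Could not parse: $output" }

    [pscustomobject]@{
        JavaHome        = $JavaHome
        FolderName      = Split-Path $JavaHome -Leaf
        ReportedVersion = $Matches[1]        # e.g. 1.6.0_27
    }
}

$java = Get-EffectiveJavaVersion
$java

# The update number is the part after '_' (1.6.0_27 -> 27). A folder named
# jdk1.6.0_29 holding a 1.6.0_27 runtime is exactly the situation described above.
$update = ($java.ReportedVersion -split '_')[-1]
if ($java.FolderName -notlike "*$update*") {
    Write-Warning "JAVA_HOME folder '$($java.FolderName)' does not match runtime version $($java.ReportedVersion)"
}
```

Run it in the same shell (and as the same account) that launches JBoss, since a JAVA_HOME set only in one user's profile or only at the machine level is another common reason the version you think you installed is not the one that starts.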

Questions, comments or concerns? Feel free to reach out to us at IDMWorks.

Oracle Access Manager (OAM) 11g Auditing Tips

jhinerman | January 30th, 2012

Let’s say you want to enable auditing with Oracle Access Manager 11g so you can see successful (and failed) authentication and authorization events. You will commonly see documentation telling you to simply change the Audit Policy settings for your Weblogic domain in Enterprise Manager (see below) to enable OAM auditing.

Oracle Enterprise Manager - Audit Policy

There is actually an additional step needed to fully enable auditing. Log in to the OAM Console and navigate to the System Configuration tab. Choose Common Settings, and under Audit Configuration (see below) you will see an option to enable a Filter. The Filter Preset defaults to Low, so change it to All to see authentication and authorization events. Also remove any users from the list; otherwise you will only capture events for the users listed.

OAM Console - Audit Configuration

Note that you will have to restart after you make the changes in Enterprise Manager. After the restart, you will find audit events in the IAU_BASE table and in the BI Publisher OAM reports. The OAM reports ship in <Oracle_Home>/oam/server/reports/oam_audit_reports_11_1_1_3_0.zip.
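Before trusting the reports, it is worth confirming that events are actually landing in IAU_BASE after the restart, and that the Filter Preset change took effect (Low produces far fewer event types than All). The PowerShell below is an added example, not code from the original post or from Oracle. It assumes sqlplus is on the PATH, that the audit schema was created by RCU with a prefix (DEV_IAU is a placeholder), and that the column names IAU_ComponentType, IAU_EventType, IAU_EventStatus and IAU_TstzOriginating match your IAU_BASE; the component type value 'OAM' is also an assumption, so verify it with the DISTINCT query in the comment if the count comes back empty.

```powershell
# Added example: summarise OAM audit events written to IAU_BASE in the last N hours.
# Assumptions: sqlplus on PATH; IAU schema user is <prefix>_IAU; OAM rows carry
# IAU_ComponentType = 'OAM' (confirm with: SELECT DISTINCT IAU_ComponentType FROM IAU_BASE;).
function Get-OamAuditSummary {
    param(
        [Parameter(Mandatory)][string]$Connect,   # e.g. 'DEV_IAU@orcl' (no password)
        [int]$Hours = 24
    )

# Here-string terminator must start in column 1, hence the unindented block.
$sql = @"
SET PAGESIZE 200 LINESIZE 200
SELECT IAU_EventType, IAU_EventStatus, COUNT(*) AS events
FROM   IAU_BASE
WHERE  IAU_ComponentType = 'OAM'
AND    IAU_TstzOriginating > SYSTIMESTAMP - NUMTODSINTERVAL($Hours, 'HOUR')
GROUP  BY IAU_EventType, IAU_EventStatus
ORDER  BY events DESC;
EXIT;
"@

    # Write the query to a temp script; sqlplus prompts for the password on the
    # console, so it never appears on the command line or in process listings.
    $tmp = Join-Path $env:TEMP ('oamaudit_{0}.sql' -f [guid]::NewGuid())
    Set-Content -Path $tmp -Value $sql
    try {
        & sqlplus -S $Connect "@$tmp"
    } finally {
        Remove-Item $tmp -ErrorAction SilentlyContinue
    }
}

Get-OamAuditSummary -Connect 'DEV_IAU@orcl' -Hours 24
```

If authentication rows appear but authorization rows do not, the Filter Preset is the first thing to recheck; if nothing appears at all, confirm the restart actually happened and that the user list under Audit Configuration is empty.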

Quick Fix: Resolving RCU-6130/36 error while creating OID schema

jhinerman | January 25th, 2012

This is one of those problems that leaves you scratching your head. While running the Oracle RCU (11.1.15 in this case) on a 64-bit Windows environment, you may encounter this error message during the OID schema creation:

RCU-6130: Action failed – RCU-6136:Error while trying to execute SQLPlus action.

If you check rcuHome/rcu/logs, you’ll find the most recent log file has messages like this:

java.io.IOException: java.io.IOException: Error initializing sqlplus.

The solution is a peculiar one: copy msvcr71.dll from rcuHome\jdk\bin to C:\Windows\System32 and C:\Windows\SysWOW64.
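Dropping a DLL into the system directories is a machine-wide change, so do it in a way that cannot silently overwrite a copy some other application already depends on. The PowerShell below is an added example, not from the original post or from Oracle: it copies the DLL only where it is absent, and refuses to replace an existing file whose hash differs. It assumes RCU is unpacked at C:\rcuHome (placeholder path) and PowerShell 4 or later for Get-FileHash.

```powershell
# Added example: place msvcr71.dll into System32 and SysWOW64 only if missing,
# never overwriting a different existing copy. Run from an elevated 64-bit
# PowerShell; a 32-bit shell writing to System32 is redirected to SysWOW64.
function Copy-RuntimeDllIfMissing {
    param(
        [string]$Source = 'C:\rcuHome\jdk\bin\msvcr71.dll',    # placeholder RCU path
        [string[]]$Targets = @("$env:windir\System32", "$env:windir\SysWOW64")
    )
    if (-not (Test-Path $Source)) { throw "Source DLL not found: $Source" }
    $srcHash = (Get-FileHash -Algorithm SHA256 -Path $Source).Hash

    foreach ($dir in $Targets) {
        $dest = Join-Path $dir (Split-Path $Source -Leaf)
        if (Test-Path $dest) {
            $dstHash = (Get-FileHash -Algorithm SHA256 -Path $dest).Hash
            if ($dstHash -eq $srcHash) {
                Write-Host "$dest already present and identical; nothing to do"
            } else {
                # A different msvcr71.dll is already in use by something else; leave it.
                Write-Warning "$dest exists with a different hash ($dstHash); not overwriting"
            }
            continue
        }
        Copy-Item -Path $Source -Destination $dest
        Write-Host "Copied $Source -> $dest (SHA256 $srcHash)"
    }
}

Copy-RuntimeDllIfMissing
```

Keep the printed hash with your build notes: if the DLL ever needs to be removed or explained to an auditor, you will know exactly which file was placed and from where.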

Certification Process in OIA

pramod | January 23rd, 2012

Certification in Oracle Identity Analytics

A few quick hints for the OIA newbies out there:

To Auto revoke user entitlements on certification end date:

1. Start in Identity Certification->My Certification, click “New Certification”, and click Next. In the General tab enter the certification name and select “User Entitlement” as the Type (if it is incremental, select that check box too), then click Next.

  • The Selection Strategy tab has several options: “All Users, Specific Users, All Business Structures or Specific Business Structures”. To add specific users or business structures, click Add and then Search to select them from the list.
  • The Period and Certifier tab lets you choose “Business Structure Manager”, “User Manager”, or a specific user as the certifier. Choose a Start Date and End Date for the certification. If no defaults have been set on the Administration->Identity Certification page, Configuration Details must be checked.
  • From the General tab, search criteria can be added.
  • The User Entitlement tab is where entitlements and roles are selected.
  • From the Reminder tab, event reminders can be set.
  • From Revoke and Remediation you can enable Closed Loop Remediation. Choose Certification End Date to revoke on the set certification end date, or Certification Completion Date to revoke when the certification run completes.
  • The Summary tab lets you run the certification job immediately or at a later date. If you choose to run it now, a job is created immediately and shows up in My Certification Jobs under the certification name with “Jobs_Administrator_System” appended; in this case, “Auto Revoke User Entitlements Jobs_Administrator_System”.

2. Now log in as the Certifier and certify or revoke the users' roles and entitlements.

Common OID 11g installation issue on Windows Server 2008 R2

jhinerman | January 23rd, 2012

If you are configuring OID 11g on a Windows Server 2008 R2 server, you might encounter strange behavior when config.bat tries to start OID: “Start Oracle Internet Directory: Failed”. Digging through the logs, you will indeed find errors related to starting OIDLDAPD.

It turns out it’s an easy fix. You’ll need to install the Microsoft Loopback adapter on the server. Here’s how:

  1. Go to Device Manager.
  2. Right-click on the computer name at the top of window and choose Add Legacy Hardware.
  3. Click Next, then “Install the hardware I manually select from a list (Advanced)”
  4. Scroll down and click Network adapters in the list of hardware types, and click Next.
  5. A list of devices will appear in a few moments; choose Microsoft on the left and Microsoft Loopback Adapter on the right (see below).
  6. Click Next and wait for the brief installation to complete.

You may also encounter similar symptoms (OID fails to start), and these error messages in your sqlnet.log file located in %ORACLE_HOME%\network\log:

Directory does not exist for read/write [D:\Oracle\IDM\Oracle_IDM1\log] []

To resolve this, simply create the directory log\diag\clients in %ORACLE_HOME%.

In both cases, you’ll have to cancel and restart the configuration again. Note that when doing so, you’ll have to follow best practices in removing the partially configured domain and asinstance.
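Because each failure means cancelling and cleaning up a partially configured domain and asinstance, it pays to check both prerequisites before running config.bat at all. The PowerShell below is an added example, not from the original post or from Oracle: it looks for a loopback adapter via WMI and creates log\diag\clients under ORACLE_HOME if it is missing. It assumes ORACLE_HOME points at the OID home (for example D:\Oracle\IDM\Oracle_IDM1) and uses Get-WmiObject, which exists in Windows PowerShell (on PowerShell 7 use Get-CimInstance instead).

```powershell
# Added example: pre-flight checks for the two OID 11g start-up failures above.
# Assumes ORACLE_HOME is set to the OID Oracle home.
function Test-OidPrerequisites {
    param([string]$OracleHome = $env:ORACLE_HOME)
    if (-not $OracleHome) { throw 'ORACLE_HOME is not set' }

    # 1. Is the Microsoft Loopback Adapter installed? Win32_NetworkAdapter lists
    #    every adapter, including software adapters with no IP configuration.
    $loopback = Get-WmiObject Win32_NetworkAdapter |
        Where-Object { $_.Name -like '*Loopback*' }
    $haveLoopback = [bool]$loopback

    # 2. Does log\diag\clients exist under ORACLE_HOME? Create it if not, since
    #    sqlnet otherwise logs "Directory does not exist for read/write".
    $diag = Join-Path $OracleHome 'log\diag\clients'
    if (-not (Test-Path $diag)) {
        New-Item -ItemType Directory -Path $diag -Force | Out-Null
        Write-Host "Created $diag"
    }

    [pscustomobject]@{
        OracleHome      = $OracleHome
        LoopbackAdapter = $haveLoopback
        DiagClientsDir  = (Test-Path $diag)
    }
}

$check = Test-OidPrerequisites
$check
if (-not $check.LoopbackAdapter) {
    Write-Warning 'No loopback adapter found; add it via Device Manager (Add Legacy Hardware) before running config.bat'
}
```

The adapter cannot be added from this script without extra tooling, so the check only tells you whether the Device Manager steps above still need doing; the directory half of the fix is applied directly.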

The Truth about Indexing in OID

Paul Bedi | January 18th, 2012

Oracle’s OID docs are pretty vague around indexing. In reality, there are two options:

  1. When creating an attribute, check the “Indexed” box
  2. Create the index in the future (after you figure out OID needs it for something!)

In order to do #2, you should follow this procedure:

  1. Run the catalog tool: $MW_HOME/<domain>/ldap/bin/catalog connect=”OIDDB” add=”true” attribute=”<the attribute name that you want to index>” debug=”true” verbose=”true”

If you check the box (as in #1) after the attribute has already been used, the ODSM interface will show it checked and make you think the attribute has been indexed, but it really has not!
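Since the ODSM checkbox cannot be trusted, ask the directory itself: OID keeps the list of indexed attributes as orclindexedattribute values on the cn=catalogs entry. The PowerShell below is an added example, not from the original post or from Oracle; it assumes OID's ldapsearch.exe is under %ORACLE_HOME%\bin, binds as cn=orcladmin, and uses a placeholder host and port. Note that OID's ldapsearch takes the bind password via -w, which exposes it on the command line of that one process; the script prompts for it rather than storing it, but run it from an administrative host.

```powershell
# Added example: check whether an attribute is really indexed in OID by reading
# orclindexedattribute from cn=catalogs. Assumes ORACLE_HOME\bin\ldapsearch.exe
# (OID's own ldapsearch, which prints attr=value lines); host/port are placeholders.
function Test-OidAttributeIndexed {
    param(
        [Parameter(Mandatory)][string]$Attribute,
        [string]$LdapHost = 'oid.example.com',
        [int]$Port = 3060,
        [string]$BindDn = 'cn=orcladmin'
    )
    if (-not $env:ORACLE_HOME) { throw 'ORACLE_HOME is not set' }
    $ldapsearch = Join-Path $env:ORACLE_HOME 'bin\ldapsearch.exe'

    $secure = Read-Host -AsSecureString "Password for $BindDn"
    $plain  = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
        [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure))

    # Base-scope search of cn=catalogs returning only the indexed-attribute list.
    $out = & $ldapsearch -h $LdapHost -p $Port -D $BindDn -w $plain `
        -b 'cn=catalogs' -s base '(objectclass=*)' orclindexedattribute

    # Accept both "attr=value" (OID default) and "attr: value" (LDIF) output.
    $indexed = foreach ($line in $out) {
        if ($line -match '(?i)^orclindexedattribute[:=]\s*(.+)$') { $Matches[1].Trim().ToLower() }
    }
    $indexed -contains $Attribute.ToLower()
}

$attr = 'employeeNumber'   # placeholder attribute to check
if (Test-OidAttributeIndexed -Attribute $attr) {
    Write-Host "$attr is indexed"
} else {
    Write-Warning "$attr is NOT indexed; run the catalog tool with add=""true"""
}
```

Run the check once before the catalog command and once after it; the second run is the only confirmation that the index now exists, regardless of what ODSM shows.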

Congratulations to Logic Trends for being acquired by Fishnet Security

Paul Bedi | December 19th, 2011

Looks like it has been a popular week in acquisitions!

BitKOO acquired by Quest Software

Todd Rossin - CISSP | December 18th, 2011

Congrats to both Quest and BitKOO on the acquisition as announced on the Quest Software website.

http://www.quest.com/tv/All-Videos/1330217833001/Quest-Software-Acquires-BiTKOO/Video/

Registry Hacking to Remove Unneeded Oracle Services

Rob Kimball | November 30th, 2011

Something we haven’t seen blogged about much is uninstalling services. This is not something I would recommend for just any service you don’t like. It is important to take into consideration the application that installed the service and, when possible, use the native application uninstaller. However, when you are dealing with an Oracle application that doesn’t really have an uninstaller and only rarely installs services, it is good to know how to hack your way to removing the offending service that is no longer in use (and we mean “hacking” in the nicest possible way).

To make this relevant to the Oracle IAM stack, this process works for uninstalling the OIM AD password sync agent service and the OID application service.

On the “unsupported” side, this would be considered a registry hack.

How to:

  1. Open the registry editor on your Windows machine (search for or run regedit.exe).
  2. In the left pane (the tree navigator) go to the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\
  3. Find the key with the name of the service you wish to uninstall. For Oracle it is often clearly named (‘oracle application service’ or some such).
  4. Right-click the key (still in the left pane) and click “Delete”.
  5. You will be asked to confirm; click “Yes”.
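Deleting a Services key by hand has no undo, and doing it while the service is still running leaves a process behind that the Service Control Manager no longer knows about. The PowerShell below is an added example, not from the original post: it performs the same registry removal but first stops the service if it is running and exports the key to a .reg file you can merge back to restore it. It supports -WhatIf for a dry run, must be run elevated, and the service name in the usage line is a placeholder; use the key name you found under Services.

```powershell
# Added example: remove a leftover service's registry key with a backup and a
# stop-first check. Run elevated. The service name below is a placeholder.
function Remove-OrphanedService {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$Name,
        [string]$BackupDir = $env:TEMP
    )
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if (-not (Test-Path $key)) { throw "No service key named '$Name'" }

    if ($PSCmdlet.ShouldProcess($key, 'Stop service, export key, delete key')) {
        # Stop it first so no running process is left without a registration.
        $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
        if ($svc -and $svc.Status -ne 'Stopped') {
            Stop-Service -Name $Name -Force
            $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(30))
        }

        # reg.exe export produces a .reg file; double-clicking it restores the key.
        $backup = Join-Path $BackupDir ('{0}-{1:yyyyMMdd-HHmmss}.reg' -f $Name, (Get-Date))
        & reg.exe export "HKLM\SYSTEM\CurrentControlSet\Services\$Name" $backup /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw 'Backup export failed; aborting before deletion' }

        Remove-Item -Path $key -Recurse -Force
        Write-Host "Removed $key (backup: $backup). Reboot so the Service Control Manager forgets it."
        $backup
    }
}

# Find candidate Oracle services first, then remove one by name.
Get-Service | Where-Object { $_.Name -like 'Oracle*' } | Select-Object Name, Status, DisplayName
Remove-OrphanedService -Name 'OracleIDMService' -WhatIf    # drop -WhatIf to actually delete
```

Where Get-Service still lists the service, `sc.exe delete <name>` achieves the same removal through the Service Control Manager without editing the registry directly; the manual key deletion is for entries the SCM can no longer act on.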

Tips & Tricks: Novell IDM JDBC Driver Filter Gotcha

GaryR | October 20th, 2011

Have you ever had a JDBC driver that wouldn’t find changes in the database while using a triggerless Publisher channel?

The obvious things to check are the views/tables in the database that the driver monitors, to make sure the changes appear there correctly. You should also check the class objects and attributes in the driver filter to make sure they are set to Synchronize for the Publisher channel, and confirm that the Publisher channel is enabled and configured properly in the driver settings.

Unfortunately once you have checked these items you still may have the issue.

Having run into this issue a few times I’d recommend taking another look at the Driver Filter.

Basically, a JDBC driver with a triggerless connection polls the database tables or views configured in the driver settings at the scheduled interval by issuing a “SELECT *” for each tracked table or view. If a class in the filter has “Track member of template” set to “No”, the driver does not issue the SELECT for the table or view associated with that class. So in the filter, the class setting “Track member of template” should be “Yes” for any objects you want monitored on the Publisher channel.

Another way to spot this is in the driver logs. Each time the driver checks for changes, the SELECT statements are recorded (provided logging is turned on and set to an appropriate level). If no SELECT statement appears for a table/view you expect, the template setting is the likely cause.

And since this is a filter setting the fix is easy:
1. Open the driver filter in Designer
2. Select the desired class in the filter
3. Set the “Track member of template” setting to “Yes”
4. Save the filter changes
5. Deploy the filter changes to eDirectory
6. Restart the driver to initialize the changes
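The log check described above is easy to automate: compare the tables the driver was supposed to poll against the SELECT statements that actually appear in its trace. The PowerShell below is an added example, not from the original post or from Novell; the trace lines in it are constructed for illustration and the real line format depends on your trace level, but the SELECT statements themselves are what the function keys on.

```powershell
# Added example: list tracked tables/views for which no "SELECT * FROM <table>"
# appears in a triggerless Publisher trace. Sample trace lines are constructed.
function Find-UnpolledTables {
    param(
        [Parameter(Mandatory)][string[]]$TraceLines,
        [Parameter(Mandatory)][string[]]$ExpectedTables
    )
    # Tables the driver actually polled, pulled from SELECT statements in the trace.
    $polled = foreach ($line in $TraceLines) {
        if ($line -match '(?i)\bSELECT\s+\*\s+FROM\s+([\w.]+)') { $Matches[1].ToLower() }
    }
    $polled = @($polled | Sort-Object -Unique)

    foreach ($t in $ExpectedTables) {
        [pscustomobject]@{
            Table  = $t
            Polled = [bool]($polled -contains $t.ToLower())
        }
    }
}

# Constructed sample trace: usr and grp are polled, emp_view never is.
$sample = @(
    '[10/20/11 09:15:02.001]:JDBC PT:Polling for changes',
    '[10/20/11 09:15:02.010]:JDBC PT:SELECT * FROM indirect.usr',
    '[10/20/11 09:15:02.045]:JDBC PT:SELECT * FROM indirect.grp',
    '[10/20/11 09:15:02.090]:JDBC PT:No changes found'
)
$tracked = 'indirect.usr', 'indirect.grp', 'indirect.emp_view'

Find-UnpolledTables -TraceLines $sample -ExpectedTables $tracked |
    Where-Object { -not $_.Polled } |
    ForEach-Object { Write-Warning "$($_.Table): no SELECT seen; check 'Track member of template' for its class" }
```

Against a real driver, feed it the trace file (`-TraceLines (Get-Content .\driver.trace)`) and the table/view names from the driver settings; any table flagged as not polled points you straight at the class whose filter setting needs changing.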
