Archive for the ‘Oracle Fusion Middleware’ Category

Quick Fix: Resolving RCU-6130/36 error while creating OID schema

Wednesday, January 25th, 2012

***NOTE: As with all Tips and Tricks we provide on the IDMWorks blog, use the following AT YOUR OWN RISK.  We do not guarantee this will work in your environment and make no warranties***

This is one of those problems that leaves you scratching your head. While running the Oracle RCU (11.1.15 in this case) on a 64-bit Windows environment, you may encounter this error message during the OID schema creation:

RCU-6130: Action failed – RCU-6136:Error while trying to execute SQLPlus action.

If you check rcuHome/rcu/logs, you’ll find the most recent log file has messages like this:

java.io.IOException: java.io.IOException: Error initializing sqlplus.

The solution is a peculiar one: copy the msvcr71.dll file from rcuHome\jdk\bin to C:\Windows\System32 and C:\Windows\SysWOW64.

Questions, comments or concerns?  Feel free to reach out to us at IDMWorks.

Certification Process in OIA

Monday, January 23rd, 2012

Certification in Oracle Identity Analytics

A few quick hints for the OIA newbies out there:

To Auto revoke user entitlements on certification end date:

1. Start in Identity Certification->My Certification, click “New Certification” and click Next. In the General tab, enter the certification name and select “User Entitlement” as the Type (if it’s incremental, select the check box too) and click Next.

  • The Selection Strategy tab has many options to choose from. These include “All Users, Specific Users, All Business Structures or Specific Business Structures”.  To add specific users or business structures, click Add and then click Search to select the users or business structures from the list.
  • In the Period and Certifier tab, the options “Business Structure Manager, User Manager” or a specific user can be selected. Choose a Start Date and End Date for the certification.  If no settings are done at the “Administration->Identity Certification” page then Configuration Details must be checked.
  • From the General tab, search criteria can be added.
  • The User Entitlement tab is where entitlements and roles can be selected.
  • From the Reminder tab, event reminders can be set.
  • From Revoke and Remediation you can perform Closed Loop Remediation. Choose Certification End Date to revoke on a set certification end date, or else choose Certification Completion Date to end on the certification completion run date.
  • The Summary Page tab allows you to run Certification jobs immediately or at a set later date. If the Certification is chosen to run now, a job is created immediately and shows up in My Certification Jobs under the name of the certification appended with “Jobs_Administrator_System”. In this case the name would be “Auto Revoke User Entitlements Jobs_Administrator_System”.

2.  Now log in as the Certifier and perform the certify and revoke actions for the users on Roles and Entitlements.

The Truth about Indexing in OID

Wednesday, January 18th, 2012

Oracle’s OID docs are pretty vague around indexing.  In reality, there are two options:

  1. When creating an attribute, check the “Indexed” box
  2. Create the index in the future (after you figure out OID needs it for something!)

In order to do #2, you should follow this procedure:

  1. Run the catalog tool from $MW_HOME/<domain>/ldap/bin: catalog connect="OIDDB" add="true" attribute="<the attribute name that you want to index>" debug="true" verbose="true"

If you try to check the box (as in #1) after you have used the attribute, the ODSM interface will check the box, and make you think the attribute has been indexed (but it really hasn’t!)

OIM: Manually Revoking a Stuck Resource Object through the Database

Wednesday, June 29th, 2011

Oracle Identity Manager: Manually Revoking a Stuck Resource Object through the Database

Have you ever had a Resource Object stuck in a Pending or Provisioning state that you just couldn’t do anything about?  This happens a lot when first setting up a Resource Object and running Revoke before you create the Revoke tasks. The status will stay on “Provisioned” but all the tasks inside will say “Cancelled” and there’s nothing more you can do to it.  If you only allow one instance that user is now stuck.

Here is how to set the status to Revoked manually, through the database, so you can re-provision a new instance of the Resource Object.

First, let’s look at all the resources the user has. This query will show you the user’s resources, their statuses, and some keys you’ll need later (replace USER with your USERID):

select oiu.oiu_key, oiu.obi_key, oiu.orc_key, ost.ost_status, obj.obj_name, obj.obj_key,oiu.req_key
from oiu inner join ost on oiu.ost_key = ost.ost_key inner join obi on oiu.obi_key = obi.obi_key
inner join obj on obi.obj_key = obj.obj_key where oiu.usr_key=(select usr_key from usr where usr_login='USER');

Look at the results and find the line that has the stuck object and save the OIU_KEY and the OBJ_KEY.

Next we need the key for this Object’s Revoked status. Each Object has its own set of Status Codes, so to find the ones for our object above, run this query and replace YOUROBJKEY with the OBJ_KEY number from the first query above:

select * from OST where obj_key = YOUROBJKEY;

Look at the results and find the line where the OST_STATUS is “Revoked” and save the OST_KEY.

Next we will update the Object Instance and set its status to the new key. If you want to see the current record in its raw form, run this (replace THEKEY with the OIU_KEY from the first query):

select * from oiu where OIU_KEY = THEKEY;

You will see the OST_KEY column in the results. This is the current status of your Resource Object, and it is what we are going to change to the new status. So let’s run this query, replacing YOUROSTKEY with the OST_KEY from the second query and YOUROIUKEY with the OIU_KEY from the first query:

update oiu set ost_key = YOUROSTKEY where oiu_key=YOUROIUKEY;

Perform a Commit and that’s it. Pull up the resource profile for the user in the web console and you should see the status for that resource object is now “Revoked“.
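
The manual steps above, consolidated into one guarded transaction, as an added example that is not part of the original post. It derives the Revoked OST_KEY from the instance’s own object, so a status key copied from a different object cannot be applied, and it prints the old key for your change record. The value 0 is a placeholder for your OIU_KEY; the tables and columns are the ones used in the queries above.

```sql
-- Added example, not from the original post. Oracle SQL*Plus / PL/SQL.
-- Uses only the tables and columns that appear in the post's queries.
SET SERVEROUTPUT ON

DECLARE
  -- Placeholder: replace 0 with the OIU_KEY saved from the first query.
  v_oiu_key   oiu.oiu_key%TYPE := 0;
  v_obi_key   oiu.obi_key%TYPE;
  v_old_ost   oiu.ost_key%TYPE;
  v_obj_key   obi.obj_key%TYPE;
  v_old_stat  ost.ost_status%TYPE;
  v_new_ost   ost.ost_key%TYPE;
BEGIN
  -- Lock the single instance row so nothing else changes it mid-fix.
  SELECT obi_key, ost_key
    INTO v_obi_key, v_old_ost
    FROM oiu
   WHERE oiu_key = v_oiu_key
     FOR UPDATE;

  -- Resolve which Resource Object this instance belongs to.
  SELECT obj_key INTO v_obj_key FROM obi WHERE obi_key = v_obi_key;

  -- Current status text, for the change record.
  SELECT ost_status INTO v_old_stat FROM ost WHERE ost_key = v_old_ost;

  -- Each object has its own status codes: take "Revoked" for THIS object only.
  SELECT ost_key
    INTO v_new_ost
    FROM ost
   WHERE obj_key = v_obj_key
     AND ost_status = 'Revoked';

  IF v_old_ost = v_new_ost THEN
    DBMS_OUTPUT.PUT_LINE('OIU_KEY ' || v_oiu_key || ' is already Revoked; nothing changed.');
    RETURN;
  END IF;

  UPDATE oiu SET ost_key = v_new_ost WHERE oiu_key = v_oiu_key;

  DBMS_OUTPUT.PUT_LINE('OIU_KEY ' || v_oiu_key || ': ' || v_old_stat ||
                       ' (OST_KEY ' || v_old_ost || ') -> Revoked (OST_KEY ' ||
                       v_new_ost || ')');
  DBMS_OUTPUT.PUT_LINE('Undo: UPDATE oiu SET ost_key = ' || v_old_ost ||
                       ' WHERE oiu_key = ' || v_oiu_key || ';');
  -- Deliberately no COMMIT here: review the output and the query below first.
EXCEPTION
  WHEN NO_DATA_FOUND THEN
    ROLLBACK;
    RAISE_APPLICATION_ERROR(-20001,
      'OIU_KEY not found, or its object has no Revoked status row; nothing changed.');
  WHEN TOO_MANY_ROWS THEN
    ROLLBACK;
    RAISE_APPLICATION_ERROR(-20002,
      'A lookup returned more than one row; nothing changed.');
END;
/

-- Confirm the result in this session (same placeholder key), then decide.
SELECT oiu.oiu_key, ost.ost_status
  FROM oiu INNER JOIN ost ON oiu.ost_key = ost.ost_key
 WHERE oiu.oiu_key = 0;

-- COMMIT;     -- keep the change
-- ROLLBACK;   -- or discard it
```

Keep the printed before and after keys with the change ticket: this update bypasses the OIM application layer, so that output is the only record of who changed the entitlement status and what it was before.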

Oracle Identity Manager, Oracle Linux 5, & VMWare

Tuesday, June 28th, 2011

As someone who has spent the majority of my computing time in a Microsoft Windows world but is familiar with Linux, I didn’t think twice when attempting to set up an Oracle Identity Manager environment based on Linux. A few obstacles later I learned some very important lessons for installing OIM on Linux.

  • First, it is important to know the “root” user password but also to have another account available with permission to access installation data. Some processes require “root” user access while others strictly prohibit the “root” user from executing them. For the most part you will not be using the “root” user for the installs, but some scripts used in the installation processes require “root” to execute, making knowledge of both accounts a must.
  • Always understand the prerequisites! Oracle Identity Manager requires other applications like Oracle Database, Web Logic, etc. Each of these applications has its own prerequisites, like versions of the Java JDK, Java_Home variables declared in the .bash_profile, and certain Linux packages being installed. If these prerequisites aren’t met it can result in errors during installation, stalled installations, and even graphical distortions with the install wizards. It is very worthwhile to double check all of the prerequisites before attempting to install the OIM components; it will make your life easier.
  • Another useful tip is to “know your installer”. Many of the OIM component downloads contain installers for multiple platforms and some generic installers that are platform independent. Knowing which installer to use for the desired platform is important. Some of the generic installers do not bundle components that are required. A perfect example is the Web Logic Server installer. Web Logic requires a JDK selection during the install process.  While the OS-specific installers come bundled with compatible JDKs, the generic installer does not include any JDK, so one will have to be installed separately and manually specified.  Which installer to use is determined by the compatibility matrix on Oracle’s website.  And I can tell you for sure that it will save you time and frustration to look at that before starting your installs.
  • For VM installs you may run into an issue where the max resolution after install is 800 x 600.  This becomes a small issue since the Oracle Database 11g installer wants a 1024 x 768 resolution, so the full menu won’t appear on the screen.  This is actually a pretty easy fix.  In the display properties change the hardware to an LCD with the desired resolution.  Once that is set you can go back to the resolution selection screen and change to a higher resolution.  A reboot will be required before the new resolution can take effect though.
  • And probably the most useful thing to know is the Linux commands that will be used throughout these installs.  Below is a list of some of the commands that were used:
  1. su:  This command lets you assume superuser or “root” user level access, provided that you know the password for that account.
  2. exit: When you are finished with “root” user access this command will exit the root user session and return the terminal permissions back to the logged in user.
  3. java -version: This will print out what version of java is installed and registered in the environment variables located in the .bash_profile.
  4. whereis java: This will print out the different locations that java is installed based on the environment variables and any linked symbols.
  5. vi ~/.bash_profile:
    • This command will allow you to edit the .bash_profile where environment variables are declared.
    • This file should only be edited under instruction because if this file is fouled up it can trash the system and require a complete reinstall.
  6. :wq: When editing the .bash_profile file in vi, this command will save the changes and then exit back to the terminal.  Of course there are other commands that can be used to accomplish the same thing.
  7. . ./.bash_profile: After editing the .bash_profile this will reload the settings using the updated file.
  8. rpm -ivh <filename>: This will install packages that may be missing.  This does require an exact file name to be specified.

Uninstalling Oracle Fusion Middleware Products

Friday, March 25th, 2011

Recently I’ve had to uninstall Oracle Internet Directory and Oracle Virtual Directory version 11.1.1.2.0 on a Windows server. The uninstallation instructions provided in the Oracle Fusion Middleware Installation Guide are a good start, but some additional steps are required on the WebLogic side.

Here are the steps needed to uninstall OID and OVD 11g:

1. In a command prompt go to $ORACLE_HOME\oui\bin (i.e. C:\Oracle\Middleware\Oracle_IDM1)
2. Enter setup.exe -deinstall
3. After the Welcome screen you will get three options presented to you:
a. De-install Oracle Home
b. De-install ASInstances managed by WebLogic Domain
c. De-install Unmanaged ASInstances

Assuming you did a standard install of OID and OVD then you are going to have an ASInstance managed by WebLogic.

From this menu you want to select “option b” (De-Install ASInstances managed by WebLogic Domain).

Note: Make sure you de-install the ASInstance first before you uninstall Oracle Home. If you uninstall Oracle Home first, then the uninstaller will be gone and the ASInstance will still be remaining.

4. On the next screen you will need to enter the following information:

a. Domain Host Name:
b. Domain Port No: (i.e. 7001)
c. User name: (i.e. weblogic)
d. Password: <password for weblogic admin user>

Note: Make sure the WebLogic admin server is running.

5. On the next screen you must specify the Managed Instance Directory (i.e. C:\Oracle\Middleware\asinst_1).

6. After the uninstall of the Managed instance is completed you will need to run the setup.exe -deinstall command again.

7. This time you want to select Deinstall Oracle Home.

8. Specify the Oracle Home Directory on the next screen (i.e. C:\Oracle\Middleware\Oracle_IDM1).

After the uninstall process is complete you are 3/4ths of the way done with completely uninstalling OID and OVD. The uninstall process leaves behind the IDMDomain (or whatever Domain name you provided during installation) that was created in WebLogic. If you try to re-install OID, OVD or any other Fusion Middleware IDM component you’ll have to specify another Domain name unless you take these additional steps:

1. Go to the IDMDomain folder in windows explorer (i.e. C:\Oracle\Middleware\user_projects\domains).
2. Delete the IDMDomain folder and all its contents.
3. After the domain is deleted you will need to update the NodeManager domain configuration. Navigate to the folder containing the nodemanager.domains file (i.e. C:\Oracle\Middleware\wlserver_10.3\common\nodemanager)

Note: Before modifying any files, it’s always best practice to make a copy of them first.

4. Open the file and remove the IDMDomain line. (i.e. IDMDomain=C\:\\Oracle\\Middleware\\user_projects\\domains\\IDMDomain)

5. Navigate to the folder containing the domain-registry.xml file (i.e. C:\Oracle\Middleware)

6. Open the file and remove the IDMDomain line.

7. Go to Start->All Programs->Oracle WebLogic->User Projects and delete the IDMDomain folder and its contents.

Note: Remember to also use the RCU to drop the OID database tables

Now you should have a clean WebLogic instance if you want to re-install OID or OVD.

Questions? Sound off below or ask us here at IDMWorks.

Zen and the Art of Identity Management

Monday, November 15th, 2010

Interestingly enough I have been asked many times as to what exactly IDMWorks is and what it is that we do (and I don’t just mean the wife and kids).  As such it seems time to do the quasi-annual blog sales pitch.  I think most of our readers have an idea what we do and have perused the site to better inform themselves but there are some that don’t tread any farther than this here blog.  So in keeping with the simplicity of blogvertising I present you IDMWorks.

Subject:  Enterprise Identity & Access Management and Governance, Risk & Compliance

You may be aware of many of the issues organizations are facing today around the various challenges and aspects of Identity Management and Information Security.

At IDMWORKS we understand the problems that many of you are facing and are positioned to help.  IDMWORKS is a vendor agnostic, Identity Management, Access Management, and Governance, Risk and Compliance Management Consultancy. We have consultants and engineers across the United States and North America that specialize in helping clients with most aspects of Identity, Access Management, and GRC issues, including the following:

  • Identity and Access Management technology evaluations and POCs
  • Identity Management strategy creation, Integration and Deployment
  • Identity Management / IT Security Technologies Assessment, Evaluation,  and Planning
  • Identity Management / IT Security Education
  • Pre & Post Identity Management project Support Services
  • Identity Federation
  • PCI Compliance
  • Governance, Risk and Compliance Management , Provisioning
  • Single Sign-on and Web Access management
  • Data Loss Prevention

IDMWORKS has been built upon the skills and experience of dedicated IDM professionals and specialists with a customer base that includes Government, Healthcare, Education, Financial Services, Energy, Manufacturing and Retail clients.

IDMWORKS has experience with the integration and implementation of the market  leading Identity & Access Management, and GRC solutions and technologies – CA, Oracle/Sun, Novell,  IBM,  Aveksa, Citrix, Passlogix,  and Sailpoint, to name a few – and would welcome the opportunity to discuss your IT Security needs to determine how we can help.

We would like to offer you the opportunity to take advantage of an initial Identity Management, and Compliance Assessment. The results of the assessment will include recommendations on potential solutions to address your current Identity management and GRC related issues.

For further information or to arrange an initial consultation, contact IDMWorks to discuss how we can help with a solution to address your needs.

So now what? What to do with your Sun IAM stack (hint: start looking)

Friday, November 12th, 2010

Legacy Sun Java System Identity and Access Management (IAM) customers have been calling us up often to ask about the state of the industry and their options with the Sun IAM stack moving forward.   The choices are many right now but one fact remains, Sun IDM and Open SSO’s days are numbered.  The products will be around for a while, years in fact, but eventually like that Saturn dealership on the corner, it will go away. Thus the grand migration is underway.  As an IAM enabled company the question of where to migrate to is paramount.  So let’s talk options.

Option 1) Stick with Sun As-Is

The old wait and see approach, but let’s be honest, the clock is ticking.  Like a legacy application your IT staff built in their garage it won’t keep up with the rest of the market and the future of IDM.  There will never be a grand Cloud version of Sun IDM.  What is most interesting is that there are options to move away from Sun that pretty much expire by year’s end.

So let’s move away from Option 1 for now and take a look at the future.

Option 2) “Migrate” to Oracle IAM (as part of Oracle Fusion Middleware)

I say migrate because with any non-Sun tool (and Oracle IAM is a much different beast) there is NO upgrade path. Oracle is attempting to woo existing Sun implementations into the fold by offering license swaps in the short term. For those looking to definitively move into Oracle IAM then this is the best bet and should be done ASAP as the swap cycle is time limited.

Option 3) Migrate to Novell IAM

Similar to Oracle, Novell is offering a swap out of the Sun software and licenses.  This is a very interesting proposition.  Novell is willing to give the product up for free in order to build the relationship.  Basically from what the Novell Website states:

  • The Sun Identity Manager swap gives you Novell Identity Manager, roles based provisioning module and enterprise integration module.
  • The Sun Role Manager swap gives you Novell Access Governance Suite.
  • The Sun Open SSO swap gives you Novell Access Manager.
  • The Sun Directory Server EE swap gives you Novell eDirectory.
  • Sun subscription customers can opt in for equivalent Novell product subscriptions and will be considered for additional incentives on a case-by-case basis.

I think this is a brilliant tactic that I am surprised a few other vendors haven’t tried.  To be straight, Novell has a great directory and SSO offering and is making huge strides in the Provisioning and Federation space.  At a minimum for a no-cost look I might suggest talking to a Novell rep.  But alas, much like Oracle, Novell’s offer is time-boxed.  Come Dec. 31, 2010 a statement of interest (not a purchase mind you, this simply locks in Novell’s commitment in 2011 for the swap) must be signed or that coach turns back into a pumpkin.

Option 4)  Migrate to CA IAM, IBM IAM, Microsoft IAM, etc. (there are many to choose from)

Choices, choices, choices.  I can say that CA is making a major push in the IAM space and IBM seems to be lagging a bit but has been a big player in the past.  Microsoft is also making strides to broaden their footprint in the IAM space.  And there are plenty more vendors to look at. My guess is there are deals to be had even if there is no published “sale” going on.

I wouldn’t keep any pre-conceived notions about any of the vendors right now and thanks to the Oracle-Sun purchase the alternative vendors are pumping time and money into getting your business.  We at IDMWorks are happy to work with you on any and all of the products in the market.  We can help to dissect and divide the various offerings and help you to understand the best choice that fits into your environment.

The point is NOW is the time to take the Pepsi challenge.  If you have a SUN IAM implementation you should be taking a look at the various vendors (including those not listed in Option 4) and line up a chat (or webcast, lunch-and-learn, email or phone call) with your local vendor representative because by 2011 a potential low cost update may go away.

Feel free to shoot us a note if you have questions.

Elvis has left the building (what to do when a new version of the software is released).

Wednesday, August 25th, 2010

RE: Oracle Fusion Middleware 10g vs. 11g stack selection (OID, OVD, OIM, OAM specifically).

Here at IDMWorks we specialize in Identity and Access Management full life-cycle services.

Discovery √ Design √ Implementation √ Development √ Support √

During a recent trip to a customer site for an installation of the Oracle Fusion Middleware stack we ran into an interesting conundrum. We were to install the 10g release of OVD, OID, OAM and OIM into the development environment. The customer pointed out that 11g had been released approximately 3 weeks prior and asked for a recommendation of whether we should jump to the 11g implementation path or continue down the 10g path.

First, let me say, the customer was right on point with the question. We like a customer who is knowledgeable and will challenge the decisions and recommendations that we make as a team because that is the same customer who will “take care” of their system long after Elvis (or in this case IDMWorks) has left the building.

Conventional wisdom states that you never jump to the next release of a product in the first month. You wait for stabilization (and typically the first service pack). However in this case we must keep in mind that the products, at least the directory components, are pretty mature. So we can add another option of a mixed upgrade, perhaps 11g OID and OVD, with the 10g release of OAM and OIM. Additionally, with a new release, and this speaks to stabilization, you don’t have the luxury of all the little “gotchas” that have been addressed with implementations of the past. In our case, when we had a Linux Service Pack Library dependency issue, we had Google to rely on to find the fix in less than 5 minutes. No call to Oracle Support, no waiting for recreation and resolution, no explanation to the customer on why we must halt progress while we investigate the issue.

So we created a game plan as follows:

1) Stick with what works!
The known 10g release, while the “older” release, provides a level of maturity and issue resolution that will allow our project to remain on budget and time. This is HUGE. The unknowns that a fresh release presents, if the customer has time and budgetary constraints (don’t they all?), mean that time spent resolving the “basics” is time lost (and hence money).

2) Plan, Plan, Plan for the future!
In order to address the 11g want of the customer, the resolution we opted for, was to develop an upgrade path and plan to 11g including the steps, the timeline, the associated cost and the follow up procedures that will allow, in a cost and time effective manner, the ability to smoothly transition into the next release in a matter of months instead of years.

3) Work with the customer
This should go without saying but don’t let personal agendas drive the project to failure. The customer wants (and rightfully so) the latest and greatest they can have. If that means the latest technology, then so be it. In our case we have three options, Old, New, and Newish (a little old and new mixed together). However, because we are the implementation partner ours is not to decide but to recommend. As such we explained all available options, gave our recommended approach and let the customer know that if they choose to move forward with another option (the non-recommended one) we would support them 100% and move forward in that direction.

In the end the customer stuck with the recommended approach and we are well on our way to a successful implementation with a path to the future product laid over the existing framework!