Posts Tagged ‘11g’

Oracle Access Manager (OAM) 11g Auditing Tips

Monday, January 30th, 2012

***NOTE: As with all Tips and Tricks we provide on the IDMWorks blog, use the following AT YOUR OWN RISK.  We do not guarantee this will work in your environment and make no warranties***

Let’s say you want to enable auditing in Oracle Access Manager 11g so you can see successful (and failed) authentication and authorization events. You will commonly see documentation telling you to simply change the Audit Policy settings for your WebLogic domain in Enterprise Manager (see below) to enable OAM auditing.

Oracle Enterprise Manager - Audit Policy

There is actually an additional step you need to take to fully enable auditing. Log in to the OAM Console and navigate to the System Configuration tab. Choose Common Settings, and under Audit Configuration (see below) you will see an option to enable a Filter. The Filter Preset defaults to Low, so you need to change it to All to see authentication and authorization events. One more important thing: remove any users from the user list, otherwise you will only capture events for the users listed.

OAM Console - Audit Configuration

Note that you will have to restart after you make the changes in Enterprise Manager. After the restart, you will find the audit events in the IAU_BASE table of the audit schema and in the BI Publisher OAM reports. Remember, you can find the OAM report templates in <Oracle_Home>/oam/server/reports/oam_audit_reports_11_1_1_3_0.zip.
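Once events are landing in IAU_BASE, the first thing most people want from them is a failed-authentication count per user and source address. The script below is an added example, not part of the original post: it runs that query against a constructed in-memory SQLite copy of the handful of IAU_BASE columns it uses, so it works offline; against the real audit schema you would run the same SELECT through cx_Oracle. The event type value 'AUTHENTICATION' and the 0 = failure / 1 = success coding of IAU_EventStatus are assumptions here, so confirm both against a few rows of your own IAU_BASE before trusting the numbers.

```python
"""Failed OAM authentications per (user, source IP) from IAU_BASE.

Added example, not from the original post. Table, column names and sample
rows below are a constructed subset of the Fusion Middleware audit schema;
the event-type string and the 0/1 status coding are assumptions to verify.
"""
import sqlite3


def build_sample_audit_db():
    """In-memory stand-in for the audit schema with constructed rows."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
    CREATE TABLE IAU_BASE (
        IAU_ID INTEGER, IAU_EventType TEXT, IAU_EventStatus INTEGER,
        IAU_Initiator TEXT, IAU_RemoteIP TEXT, IAU_TstzOriginating TEXT);
    -- constructed rows: one user failing repeatedly from one address
    INSERT INTO IAU_BASE VALUES
      (1, 'AUTHENTICATION', 0, 'jsmith', '10.0.0.5', '2012-01-30T09:00:01'),
      (2, 'AUTHENTICATION', 0, 'jsmith', '10.0.0.5', '2012-01-30T09:00:04'),
      (3, 'AUTHENTICATION', 0, 'jsmith', '10.0.0.5', '2012-01-30T09:00:07'),
      (4, 'AUTHENTICATION', 1, 'jsmith', '10.0.0.5', '2012-01-30T09:00:20'),
      (5, 'AUTHENTICATION', 0, 'adoe',   '10.0.0.9', '2012-01-30T09:05:00'),
      (6, 'AUTHORIZATION',  0, 'adoe',   '10.0.0.9', '2012-01-30T09:05:02'),
      (7, 'AUTHENTICATION', 0, 'adoe',   '10.0.0.9', '2012-01-29T09:05:00');
    """)
    return db


def failed_auth_by_source(db, since, event_type="AUTHENTICATION"):
    """Failed attempts per (initiator, remote IP) since an ISO-8601 timestamp,
    busiest source first. Status 0 = failure is an assumption (see above)."""
    return db.execute("""
        SELECT IAU_Initiator, IAU_RemoteIP, COUNT(*) AS failures
        FROM IAU_BASE
        WHERE IAU_EventType = ? AND IAU_EventStatus = 0
          AND IAU_TstzOriginating >= ?
        GROUP BY IAU_Initiator, IAU_RemoteIP
        ORDER BY failures DESC, IAU_Initiator
    """, (event_type, since)).fetchall()


def suspicious_sources(db, since, threshold=3):
    """Sources at or above the failure threshold: a quick brute-force check.
    The threshold of 3 is a made-up starting point; tune it to your traffic."""
    return [(user, ip, n) for user, ip, n in failed_auth_by_source(db, since)
            if n >= threshold]


if __name__ == "__main__":
    demo = build_sample_audit_db()
    for row in failed_auth_by_source(demo, "2012-01-30T00:00:00"):
        print(row)
```

Note that with the Filter Preset left at Low, or with a user list configured, most of these rows never reach IAU_BASE in the first place, which is exactly why the console step above matters.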

Questions, comments or concerns? Feel free to reach out to us at IDMWorks.

Common OID 11g installation issue on Windows Server 2008 R2

Monday, January 23rd, 2012

***NOTE: As with all Tips and Tricks we provide on the IDMWorks blog, use the following AT YOUR OWN RISK.  We do not guarantee this will work in your environment and make no warranties***

If you’re configuring OID 11g on a Windows 2008 R2 server, you might encounter a strange behavior when running config.bat: at the point where it tries to start OID it reports "Start Oracle Internet Directory: Failed". Digging through the logs, you will indeed find errors related to starting OIDLDAPD.

It turns out it’s an easy fix. You’ll need to install the Microsoft Loopback adapter on the server. Here’s how:

  1. Go to Device Manager.
  2. Right-click on the computer name at the top of window and choose Add Legacy Hardware.
  3. Click Next, then “Install the hardware I manually select from a list (Advanced)”
  4. Scroll down and click Network adapters in the list of hardware types, and click Next.
  5. A list of devices will appear in a few moments; choose Microsoft on the left and Microsoft Loopback Adapter on the right (see below).
  6. Click Next and wait for the brief installation to complete.

You may also encounter similar symptoms (OID fails to start) together with this error message in the sqlnet.log file located in %ORACLE_HOME%\network\log:

Directory does not exist for read/write [D:\Oracle\IDM\Oracle_IDM1\log] []

To resolve this, simply create the directory log\diag\clients under %ORACLE_HOME% (the ORACLE_HOME named in the message).

In both cases, you will have to cancel and run the configuration again. When doing so, follow best practice and first remove the partially configured domain and ASInstance.

Questions, comments or concerns?  Feel free to reach out to us at IDMWorks.

The Truth about Indexing in OID

Wednesday, January 18th, 2012

***NOTE: As with all Tips and Tricks we provide on the IDMWorks blog, use the following AT YOUR OWN RISK.  We do not guarantee this will work in your environment and make no warranties***

Oracle’s OID docs are pretty vague around indexing. In reality, there are two options:

  1. When creating an attribute, check the “Indexed” box
  2. Create the index in the future (after you figure out OID needs it for something!)

To do #2, run the catalog tool from the OID Oracle home (ORACLE_HOME and ORACLE_INSTANCE must be set in your environment, and connect is the TNS alias of the OID database):

$ORACLE_HOME/ldap/bin/catalog connect="OIDDB" add="true" attribute="<the attribute name that you want to index>" debug="true" verbose="true"

If you check the box (as in #1) after you have already used the attribute, the ODSM interface will show it checked and make you think the attribute has been indexed, but it really hasn’t. Don’t trust the checkbox; verify against the directory itself.
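The authoritative list of indexed attributes is the multi-valued orclindexedattribute on the cn=catalogs entry in OID, so the check worth running before you trust ODSM is a base-scope search of that entry. The script below is an added example, not from the original post: it parses the LDIF that such a search returns and reports which of the attributes your application filters on are missing from the index list (those are the ones to feed to catalog add="true"). SAMPLE_LDIF is a constructed sample of the search output.

```python
"""Check whether OID attributes are really indexed.

Added example, not from the original post. OID records its indexed
attributes as values of orclindexedattribute on the cn=catalogs entry,
which you can dump with the OID ldapsearch tool, for example
    ldapsearch -h oidhost -p 3060 -D cn=orcladmin -q \
        -b cn=catalogs -s base "objectclass=*" orclindexedattribute
SAMPLE_LDIF is a constructed sample of that output.
"""
import re

SAMPLE_LDIF = """\
dn: cn=catalogs
objectclass: top
orclindexedattribute: cn
orclindexedattribute: mail
orclindexedattribute: uid
orclindexedattribute: employeenumber
"""


def indexed_attributes(ldif_text):
    """Return the set of indexed attribute names (lower-cased) from an LDIF
    dump of cn=catalogs. LDIF folds long lines with a leading space, so
    continuation lines are joined before parsing."""
    unfolded = re.sub(r"\n ", "", ldif_text)
    found = set()
    for line in unfolded.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "orclindexedattribute":
            found.add(value.strip().lower())
    return found


def is_indexed(ldif_text, attribute):
    """True if the attribute appears in the cn=catalogs index list."""
    return attribute.lower() in indexed_attributes(ldif_text)


def missing_indexes(ldif_text, required):
    """Attributes in `required` (the ones your application searches on) that
    OID does not list as indexed; run catalog add="true" for each of these."""
    have = indexed_attributes(ldif_text)
    return sorted(a.lower() for a in required if a.lower() not in have)


if __name__ == "__main__":
    print(missing_indexes(SAMPLE_LDIF, ["uid", "mail", "orclguid", "departmentnumber"]))
```

Searching on an attribute that is absent from this list still works in OID, it just does not use an index, which is why the ODSM checkbox problem above goes unnoticed until the search gets slow.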

Questions, comments or concerns?  Feel free to reach out to us at IDMWorks.

OIM: Manually Revoking a Stuck Resource Object through the Database

Wednesday, June 29th, 2011

***NOTE: As with all Tips and Tricks we provide on the IDMWorks blog, use the following AT YOUR OWN RISK.  We do not guarantee this will work in your environment and make no warranties***

Oracle Identity Manager: Manually Revoking a Stuck Resource Object through the Database

Have you ever had a Resource Object stuck in a Pending or Provisioning state that you just couldn’t do anything about? This happens a lot when first setting up a Resource Object and running Revoke before you have created the Revoke tasks. The status stays on “Provisioned” but all the tasks inside say “Cancelled”, and there is nothing more you can do with it. If the Resource Object only allows one instance per user, that user is now stuck.

Here is how to set the status to Revoked manually, through the database, so you can re-provision a new instance of the Resource Object.

First, let’s look at all the resources the user has. This query shows the user’s resources, their statuses, and the keys you will need later (replace USER with the user’s login):

select oiu.oiu_key, oiu.obi_key, oiu.orc_key, ost.ost_status, obj.obj_name, obj.obj_key,oiu.req_key
from oiu inner join ost on oiu.ost_key = ost.ost_key inner join obi on oiu.obi_key = obi.obi_key
inner join obj on obi.obj_key = obj.obj_key where oiu.usr_key=(select usr_key from usr where usr_login='USER');

Look at the results and find the line that has the stuck object and save the OIU_KEY and the OBJ_KEY.

Next we need the key for this Object’s Revoked status. Each Object has its own set of status codes, so to find the ones for our object run this query, replacing YOUROBJKEY with the OBJ_KEY from the first query:

select * from OST where obj_key = YOUROBJKEY;

Look at the results and find the line where the OST_STATUS is “Revoked” and save the OST_KEY.

Next we will update the Object Instance and set its status to the new key. If you want to see the current record in full first, run this (replace THEKEY with the OIU_KEY from the first query):

select * from oiu where OIU_KEY = THEKEY;

In the results you will see the OST_KEY column. This is the current status of your Resource Object, and it is what we are going to change to the new status. Run this statement, replacing YOUROSTKEY with the OST_KEY from the second query and YOUROIUKEY with the OIU_KEY from the first query:

update oiu set ost_key = YOUROSTKEY where oiu_key=YOUROIUKEY;

Check that exactly one row was updated, then commit, and that’s it. Pull up the resource profile for the user in the web console and you should see that the status for that resource object is now “Revoked”.
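Because this is a hand edit of OIM’s own tables, the two things that go wrong in practice are picking the Revoked OST_KEY of the wrong object (status keys are per object) and an UPDATE whose WHERE clause matches more than the one row you meant. The script below is an added example and not the post’s own SQL: it wraps the same lookups in a guarded routine that resolves the Revoked status for the instance’s own object, refuses to proceed unless exactly one status row and exactly one OIU row match, and only then commits. It runs against a constructed in-memory SQLite copy of the OIU, OST, OBI, OBJ and USR columns the post uses so it can be tried offline; against OIM you would point the same statements at the Oracle schema with cx_Oracle.

```python
"""Guarded manual revoke of a stuck OIM resource instance.

Added example, not from the original post. The tables below are a
constructed subset (only the columns the post's queries touch) of the OIM
schema, populated with one stuck 'Provisioned' instance for user jsmith.
"""
import sqlite3


def build_sample_db():
    """In-memory stand-in for the OIM schema with constructed rows."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
    CREATE TABLE usr (usr_key INTEGER, usr_login TEXT);
    CREATE TABLE obj (obj_key INTEGER, obj_name TEXT);
    CREATE TABLE obi (obi_key INTEGER, obj_key INTEGER);
    CREATE TABLE ost (ost_key INTEGER, obj_key INTEGER, ost_status TEXT);
    CREATE TABLE oiu (oiu_key INTEGER, usr_key INTEGER, obi_key INTEGER,
                      ost_key INTEGER, orc_key INTEGER, req_key INTEGER);
    INSERT INTO usr VALUES (42, 'jsmith');
    INSERT INTO obj VALUES (7, 'AD User');
    INSERT INTO obi VALUES (70, 7);
    INSERT INTO ost VALUES (700, 7, 'Provisioned'), (701, 7, 'Revoked'),
                           (702, 7, 'Provisioning');
    -- the stuck instance: status Provisioned, all tasks cancelled
    INSERT INTO oiu VALUES (9001, 42, 70, 700, 5001, NULL);
    """)
    db.commit()
    return db


def user_resources(db, login):
    """The post's first query: every resource instance of a user."""
    return db.execute("""
        SELECT oiu.oiu_key, obj.obj_key, obj.obj_name, ost.ost_status
        FROM oiu
        JOIN ost ON oiu.ost_key = ost.ost_key
        JOIN obi ON oiu.obi_key = obi.obi_key
        JOIN obj ON obi.obj_key = obj.obj_key
        WHERE oiu.usr_key = (SELECT usr_key FROM usr WHERE usr_login = ?)
    """, (login,)).fetchall()


def revoke_instance(db, oiu_key):
    """Set one OIU row to its object's 'Revoked' status and commit, or roll
    back and raise if anything other than exactly one row would change."""
    row = db.execute("""
        SELECT obi.obj_key, ost.ost_status FROM oiu
        JOIN obi ON oiu.obi_key = obi.obi_key
        JOIN ost ON oiu.ost_key = ost.ost_key
        WHERE oiu.oiu_key = ?""", (oiu_key,)).fetchone()
    if row is None:
        raise ValueError("no OIU row with key %d" % oiu_key)
    obj_key, current = row
    if current == "Revoked":
        return current                      # nothing to do
    # status keys are per object, so resolve Revoked for *this* object only
    revoked = db.execute(
        "SELECT ost_key FROM ost WHERE obj_key = ? AND ost_status = 'Revoked'",
        (obj_key,)).fetchall()
    if len(revoked) != 1:
        raise ValueError("expected one Revoked status for obj %d, found %d"
                         % (obj_key, len(revoked)))
    cur = db.execute("UPDATE oiu SET ost_key = ? WHERE oiu_key = ?",
                     (revoked[0][0], oiu_key))
    if cur.rowcount != 1:                   # never commit a wider update
        db.rollback()
        raise RuntimeError("update touched %d rows, rolled back" % cur.rowcount)
    db.commit()
    return "Revoked"


if __name__ == "__main__":
    demo = build_sample_db()
    print(user_resources(demo, "jsmith"))
    print(revoke_instance(demo, 9001))
    print(user_resources(demo, "jsmith"))
```

Take a copy of the OIU row (the post’s SELECT * FROM oiu) before running the update so you can put it back if the console does not like the result.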

Questions, comments or concerns?  Feel free to reach out to us at IDMWorks.

Taking Control of Your Oracle Identity Manager Scheduler

Tuesday, June 14th, 2011

***NOTE: As with all Tips and Tricks we provide on the IDMWorks blog, use the following AT YOUR OWN RISK.  We do not guarantee this will work in your environment and make no warranties***

According to Oracle’s sizing guide for Oracle Identity Manager (OIM) 10g, in a large deployment you should break up your clustered servers by task. For example, if you have four nodes in your cluster, you might use two to handle user requests and two to handle provisioning processes and scheduled tasks. This lets you dedicate servers to the work you want them handling. Combined with load balancing, either through WebLogic or through an appliance, it provides a high level of stability and availability. However, one thing I noticed when reading through Oracle’s documentation is that nowhere does it mention how to do it.

So how do you do it?

The scheduler service on each server can be enabled or disabled through the xlconfig.xml file that holds the settings for OIM. The setting controls whether the scheduler service starts when OIM starts on that node. The file is typically found in the OIM_HOME\xellerate\config folder and can be modified with any text editor.

Always remember that it is a very bad idea to change settings in the xlconfig file if you don’t know what they do, so proceed with caution, and keep a backup copy of the file before you edit it.

Use the following instructions to disable the Scheduler service for any nodes you do not wish to have it running.

Step 1: Open the xlconfig.xml file with the editor of your choice

I like to use TextPad or Notepad++.

Step 2: Find the line below:

<StartOnDeployment>true</StartOnDeployment>

Step 3: Edit the line so it looks as follows:

<StartOnDeployment>false</StartOnDeployment>

Step 4: Save your file

Step 5: Restart OIM

That’s it. It is also worth noting that in the same area of the xlconfig file (just above the line you modified) you will find a commented section explaining the Scheduler properties and what can be modified. These include:

XLUserName - the account used to log in to Xellerate when executing the scheduled tasks.
XLPassword - the password for that account (xlconfig.xml therefore holds credentials, so keep its file permissions tight and don’t copy it around).
StartOnDeployment - set this to true to start the scheduler along with application startup.
ThreadPoolSize - number of threads that can run scheduled jobs simultaneously.
DataBasePoolSize - number of database connections the scheduler can open.
JNDIName - the name under which the scheduler is bound in the JNDI tree.
DatabaseDeligate - the Quartz Scheduler database delegate class.

By modifying these settings you can tailor your environment to suit your production needs, or troubleshoot an environment where tasks jump from node to node and become difficult to track in the logs.
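When you have several nodes to switch, editing by hand invites the kind of typo the warning above is about. The script below is an added example, not the post’s own code: it makes the one-element change with an XML parser (so the rest of the file is carried through untouched), keeps a .bak copy first, and reports the Scheduler settings with the credential left out so the result is safe to log. SAMPLE_XLCONFIG is a constructed fragment shaped like the Scheduler section, using the element names listed above; a real xlconfig.xml has many more sections.

```python
"""Switch the OIM scheduler on or off for a node by editing xlconfig.xml.

Added example, not from the original post. SAMPLE_XLCONFIG is a constructed
fragment with the Scheduler element names the post lists; the real file is
much larger, which is why an XML edit (not a regex) is used here.
"""
import os
import shutil
import tempfile
import xml.etree.ElementTree as ET

SAMPLE_XLCONFIG = """<xl-configuration>
  <Scheduler>
    <XLUserName>xelsysadm</XLUserName>
    <XLPassword encrypted="true">REDACTED</XLPassword>
    <StartOnDeployment>true</StartOnDeployment>
    <ThreadPoolSize>10</ThreadPoolSize>
    <DataBasePoolSize>5</DataBasePoolSize>
  </Scheduler>
</xl-configuration>
"""


def load_sample():
    """Parse the constructed sample into an ElementTree."""
    return ET.ElementTree(ET.fromstring(SAMPLE_XLCONFIG))


def _scheduler_element(tree):
    sched = tree.getroot().find("Scheduler")
    if sched is None:
        raise ValueError("no <Scheduler> section found")
    return sched


def set_start_on_deployment(tree, start):
    """Set <StartOnDeployment> to true/false; returns the value written."""
    node = _scheduler_element(tree).find("StartOnDeployment")
    if node is None:
        raise ValueError("no <StartOnDeployment> element under <Scheduler>")
    node.text = "true" if start else "false"
    return node.text


def scheduler_settings(tree):
    """Scheduler settings as a dict, minus the credential, for logging."""
    return {c.tag: c.text for c in _scheduler_element(tree)
            if c.tag != "XLPassword"}


def disable_scheduler_in_file(path):
    """Back the file up (path + '.bak') and switch the scheduler off on disk."""
    shutil.copyfile(path, path + ".bak")
    tree = ET.parse(path)
    value = set_start_on_deployment(tree, False)
    tree.write(path, encoding="utf-8", xml_declaration=True)
    return value


def demo_roundtrip():
    """Write the sample to a temp file, disable the scheduler, re-read it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "xlconfig.xml")
        with open(path, "w") as f:
            f.write(SAMPLE_XLCONFIG)
        disable_scheduler_in_file(path)
        after = scheduler_settings(ET.parse(path))
        return after["StartOnDeployment"], os.path.exists(path + ".bak")


if __name__ == "__main__":
    print(demo_roundtrip())
```

Run it against each node’s xlconfig.xml that should not host the scheduler, then restart OIM on those nodes as in Step 5.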

Questions, comments or concerns?  Feel free to reach out to us at IDMWorks.

Uninstalling Oracle Fusion Middleware Products

Friday, March 25th, 2011

***NOTE: As with all Tips and Tricks we provide on the IDMWorks blog, use the following AT YOUR OWN RISK.  We do not guarantee this will work in your environment and make no warranties***

Recently I’ve had to uninstall Oracle Internet Directory and Oracle Virtual Directory version 11.1.1.2.0 on a Windows server. The uninstallation instructions provided in the Oracle Fusion Middleware Installation Guide are a good start, but some additional steps are required on the WebLogic side.

Here are the steps needed to uninstall OID and OVD 11g:

1. In a command prompt go to %ORACLE_HOME%\oui\bin (e.g. C:\Oracle\Middleware\Oracle_IDM1\oui\bin)
2. Enter setup.exe -deinstall
3. After the Welcome screen you will get three options presented to you:
a. De-install Oracle Home
b. De-install ASInstances managed by WebLogic Domain
c. De-install Unmanaged ASInstances

Assuming you did a standard install of OID and OVD then you are going to have an ASInstance managed by WebLogic.

From this menu you want to select “option b” (De-Install ASInstances managed by WebLogic Domain).

Note: Make sure you de-install the ASInstance first before you uninstall Oracle Home. If you uninstall Oracle Home first, then the uninstaller will be gone and the ASInstance will still be remaining.

4. On the next screen you will need to enter the following information:

a. Domain Host Name:
b. Domain Port No: (i.e. 7001)
c. User name: (i.e. weblogic)
d. Password: <password for the weblogic admin user>

Note: Make sure the WebLogic admin server is running.

5. On the next screen you must specify the Managed Instance Directory (e.g. C:\Oracle\Middleware\asinst_1).

6. After the uninstall of the managed instance completes, run setup.exe -deinstall again.

7. This time you want to select Deinstall Oracle Home.

8. Specify the Oracle Home directory on the next screen (e.g. C:\Oracle\Middleware\Oracle_IDM1).

After the uninstall process is complete you are 3/4ths of the way done with completely uninstalling OID and OVD. The uninstall process leaves behind the IDMDomain (or whatever Domain name you provided during installation) that was created in WebLogic. If you try to re-install OID, OVD or any other Fusion Middleware IDM component you’ll have to specify another Domain name unless you take these additional steps:

1. Go to the domains folder in Windows Explorer (e.g. C:\Oracle\Middleware\user_projects\domains).
2. Delete the IDMDomain folder and all its contents.
3. After the domain is deleted you will need to update the Node Manager domain configuration. Navigate to the folder containing the nodemanager.domains file (e.g. C:\Oracle\Middleware\wlserver_10.3\common\nodemanager).

Note: Before modifying any files, it’s always best practice to make a copy of it first.

4. Open the file and remove the IDMDomain line. (i.e. IDMDomain=C\:\\Oracle\\Middleware\\user_projects\\domains\\IDMDomain)

5. Navigate to the folder containing the domain-registry.xml file (i.e. C:\Oracle\Middleware)

6. Open the file and remove the IDMDomain line.

7. Go to Start->All Programs->Oracle WebLogic->User Projects and delete the IDMDomain folder and its contents.

Note: Remember to also use the RCU to drop the OID schema from the database; a re-install cannot reuse the same schema prefix while the old schema is still there.
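Steps 4 and 6 above are the ones people get wrong, because the two files use different formats: nodemanager.domains is a Java properties file with escaped backslashes, and domain-registry.xml is XML with a default namespace. The script below is an added example, not the post’s own procedure: it removes the entries for a named domain from both, keeps a .bak copy before writing, and returns how many entries it dropped so you can tell a clean run from a no-op. Both sample files are constructed; the namespace URI is the one WebLogic 10.3 writes into domain-registry.xml.

```python
"""Drop a deleted domain from nodemanager.domains and domain-registry.xml.

Added example, not from the original post. SAMPLE_NM_DOMAINS and
SAMPLE_REGISTRY are constructed in the two formats shown in the post.
"""
import re
import shutil
import xml.etree.ElementTree as ET

REGISTRY_NS = "http://xmlns.oracle.com/weblogic/domain-registry"
ET.register_namespace("", REGISTRY_NS)   # write the default namespace unprefixed

SAMPLE_NM_DOMAINS = r"""#Domains and directories created by Configuration Wizard
#Fri Mar 25 10:00:00 EDT 2011
IDMDomain=C\:\\Oracle\\Middleware\\user_projects\\domains\\IDMDomain
base_domain=C\:\\Oracle\\Middleware\\user_projects\\domains\\base_domain
"""

SAMPLE_REGISTRY = """<domain-registry xmlns="%s">
  <domain location="C:\\Oracle\\Middleware\\user_projects\\domains\\IDMDomain"/>
  <domain location="C:\\Oracle\\Middleware\\user_projects\\domains\\base_domain"/>
</domain-registry>
""" % REGISTRY_NS


def prune_nodemanager_domains(text, domain_name):
    """Return (new_text, removed) with the Name=path line for domain_name
    dropped; comment lines are left alone."""
    kept, removed = [], 0
    for line in text.splitlines():
        stripped = line.strip()
        key = stripped.split("=", 1)[0].strip()
        if stripped and not stripped.startswith("#") and key == domain_name:
            removed += 1
            continue
        kept.append(line)
    return "\n".join(kept) + "\n", removed


def prune_domain_registry(xml_text, domain_name):
    """Return (new_xml, removed) with every <domain> whose location ends in
    domain_name (case-insensitive, either slash style) removed."""
    root = ET.fromstring(xml_text)
    removed = 0
    for dom in list(root):
        if dom.tag.split("}")[-1] != "domain":
            continue
        leaf = re.split(r"[\\/]", dom.get("location", "").rstrip("\\/"))[-1]
        if leaf.lower() == domain_name.lower():
            root.remove(dom)
            removed += 1
    return ET.tostring(root, encoding="unicode"), removed


def prune_file(path, domain_name, pruner):
    """In-place edit of one file with a .bak copy taken first, as advised."""
    shutil.copyfile(path, path + ".bak")
    with open(path, encoding="utf-8") as f:
        new_text, removed = pruner(f.read(), domain_name)
    with open(path, "w", encoding="utf-8") as f:
        f.write(new_text)
    return removed


if __name__ == "__main__":
    print(prune_nodemanager_domains(SAMPLE_NM_DOMAINS, "IDMDomain"))
    print(prune_domain_registry(SAMPLE_REGISTRY, "IDMDomain"))
```

Use prune_file(path, "IDMDomain", prune_nodemanager_domains) for the Node Manager file and prune_file(path, "IDMDomain", prune_domain_registry) for the registry; a return value of 0 means the domain was already gone from that file.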

Now you should have a clean WebLogic instance if you want to re-install OID or OVD.

Questions? Sound off below or ask us here at IDMWorks.

Oracle Identity Manager (OIM) 11g install for Beginners (in the Cloud baby)!

Friday, March 4th, 2011

***NOTE: As with all Tips and Tricks we provide on the IDMWorks blog, use the following AT YOUR OWN RISK.  We do not guarantee this will work in your environment and make no warranties***

This is a supplement to the post Setting up Oracle Identity and Access Management Suite (11g) in the Cloud: A few things that work & don’t work. It details a basic install and the little errors that prevented it from running, as encountered when someone new to Oracle Identity Manager 11g installed it in a Cloud environment.

To install OIM you have to go through several steps before you even start installing it. I’m sure most folks reading this have pre-existing environments that let you skip many of the following steps, but let’s assume you are doing this on a brand spanking new MS Windows server.

Basically, you want to do the install first, and then the configuration.

1) You need the Java Development Kit (JDK) installed. You might think that just having it installed is good enough; however, the default installation path puts it under the ‘Program Files’ folder. Most MS Windows software doesn’t care, but the IDM install doesn’t like spaces in file paths, so be sure to install it in a folder without spaces.

2) Be certain you are using a static IP address. If you aren’t, review the suggested fixes in the Setting up Oracle Identity and Access Management Suite (11g) in the Cloud: A few things that work & don’t work post. Otherwise you will likely get a fair number of errors once everything is up and running. The entire suite depends on having a stable DNS name and IP address; when it doesn’t, things fail without warning.

3) Now you should install the database. A few things to note here:

  • The database is where everything points to. Fortunately the software itself is not particularly hard to set up. Unfortunately the database has a few requirements. The Setting up Oracle … in the Cloud post again covers the tricks needed to get this working properly, but one thing I would add is that the default “desktop class” database install sets the wrong character set. Don’t use it; choose “server class” instead.

4) Once you have the database installed you have to run RCU. Unfortunately RCU is a 32-bit program that is very picky about 64-bit operating systems. Run against a 64-bit database, the 32-bit RCU worked until it attempted to add the OIM tables, then it broke. The only fix I found was to use a 32-bit database. RCU is just creating the tables that the systems you install next run off, so it is presumably possible to create them manually, but I wouldn’t want to.

5) Assuming you finished the last few steps you can go on to the actual install of the programs. WebLogic first. If you are using the generic JAR installer, which you probably should be, you have to use your Java install to unpack it. There is something to take note of when you install WebLogic: there is a screen where it looks for Java packages, and the generic JAR doesn’t ship with these. Again it is very picky about which folder it has selected for the Java install, but not so picky about whether that folder is occupied. Make sure it is pointing to the right place. If all else fails, copy the Java bin folder to where the installer wants it. If you don’t, things will install fine but never run (note: be sure to have the correct Java version installed, as these systems are very specific about what they are compatible with).

6) Alrighty then, WebLogic is installed. WebLogic is the heart of everything else OIM-related. With OIM you also need SOA Suite. You have to install the .2 release (11.1.1.2) and then patch it to the .3 release (11.1.1.3). Typically this is a pretty straightforward install.

7) NOW we can install OIM. The OIM install itself is pretty easy again but it is the next few steps that can mess you up. Make sure you don’t start up the Configuration Manager quite yet.

8) Now we configure WebLogic. You are looking for the Configuration Wizard, config.cmd (config.sh on Unix), in the common\bin folder of the Oracle home you installed everything into. When you bring it up, select the products you want WebLogic to support. Then you have to connect to the database you still have running. If you can’t connect, make sure your password is right. If you still can’t connect, then the database isn’t liking something.

9) With WebLogic configured you now have to configure OIM. It’s pretty straightforward: you point it at the WebLogic address that you set up and the program registers itself. One thing you should look out for is the OIM HTTP URL line. It should have your WebLogic host with a different port (the OIM managed server’s port, not the admin server’s). In my silliness, installing this once I had it as the same port; WebLogic ran and OIM started up just fine, but after a moment the OIM server would stop, as did the soa-infra server.

10) Start everything up!

Questions? Feel free to reach out to us at IDMWorks.

Setting up Oracle Identity and Access Management Suite (11g) in the Cloud: A few things that work & don’t work

Wednesday, March 2nd, 2011

***NOTE: As with all Tips and Tricks we provide on the IDMWorks blog, use the following AT YOUR OWN RISK.  We do not guarantee this will work in your environment and make no warranties***

The Oracle IAM 11g suite consists of several products, Identity Federation, Identity Manager, Internet Directory, and Access Manager, to name a few. Most of the products have the same basic requirements that must be installed: database, RCU, WebLogic, and IDM. Because of the nature of the Amazon EC2 Cloud there are a few things to keep in mind when building these components in the Cloud, and a few things to do before starting your applications. Please note this is all MS Windows centric.

Install order…

You can install the database or WebLogic first, it really doesn’t matter, but I typically will use the following order as it provides a good restore point:

FIRST:

  1. Database (software) install
  2. WebLogic 10.3.4 install
  3. IDM (software only install)

Back EVERYTHING Up

THEN:

  1. Install the listener
  2. Create database
  3. Run RCU
  4. Install SOA (only if needed)
  5. Configure IDM

When Installing the Database:

  1. A few things to do when installing the database (Cloud or not) is to set some environment variables in Windows (this isn’t strictly required with 11g as it was with older installs, but it can still be a time saver). Regarding the Cloud, setting ORACLE_HOSTNAME=”permanent name of machine” is very helpful, as both the listener and the dbconsole have real trouble starting after a reboot when the machine name changes. This lets the database start successfully as a Windows service and makes it easier to remember what to type into the RCU setup and the IDM configuration setup.
  2. When creating the database set open cursors to 500, session cached cursors to 100, and processes to 500.  This can be done in the DBCA when creating the database by pressing the “All Initialization Parameters” button on the Configure Options screen (where you configure both the memory and character set.)

When Installing WebLogic:

Make sure you use the generic jar file with any 64 bit install.

  1. Install Java if needed, then from a command prompt go to the directory where the jar file is located and type: java -jar wls1034_generic.jar (or whatever the name of the jar is).

When Installing the Oracle IAM Suite:

Once the suite is configured for your application and the WebLogic domain created there are a few things that can be done to make life a little easier:

  1. You can edit the config.xml file (located at Oracle_home\user_projects\domains\IDMDomain\config) to point to the correct host name by changing all occurrences of ip-xxxxxxxx.ec2.internal to hostname.cloud.<organization>.net, to ensure the admin console starts correctly.
  2. For those who use Enterprise Manager Fusion Middleware Control, it may have trouble starting due to a classpath issue. To correct the error, open setDomainEnv.cmd and search for the following line:

set POST_CLASSPATH=(Oracle_home)\wlserver_10.3\server\lib\weblogic.jar;%POST_CLASSPATH%

Just after that line, add the following

set POST_CLASSPATH=(Oracle_home)\Oracle_IDM1\oui\jlib\lib\http_client.jar;%POST_CLASSPATH%

3.  Save and Close the file

4.  Restart WebLogic for it to take effect.

Last but not least:

  1. Add the host name ”ip-xxxxxxxxxxx.internal” that the applications were configured with to your hosts file, located at C:\Windows\System32\drivers\etc\hosts, pointing to 127.0.0.1 (the loopback address in Windows). This should help solve everything else not already solved: whenever you boot, any app that asks for the old name will be able to route to the server directly. This might not be the cleanest solution but it works.
  2. Also make sure all listen addresses in WebLogic are set to blank and the Node Manager listen address to localhost (if you leave it blank, it defaults to localhost), and launch your managed WebLogic servers with the loopback address to be sure they start successfully.
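The config.xml edit in the first list and the hosts-file entry in this one are the two changes you end up redoing every time an instance comes back with a different EC2 name, so they are worth scripting with a check that nothing stale is left behind. The script below is an added example, not the post’s own procedure: it rewrites every ip-…ec2.internal name in a config.xml to the permanent name, lists any that remain, and adds the hosts-file line idempotently so repeated runs do not pile up duplicates. The config.xml fragment is a constructed sample; the pattern only covers the ec2.internal form of the name the post mentions.

```python
"""Replace throw-away EC2 hostnames in a WebLogic config.xml and keep the
old name resolvable through the hosts file.

Added example, not from the original post. SAMPLE_CONFIG is a constructed
fragment; the hostname pattern assumes the ip-a-b-c-d.ec2.internal form.
"""
import re

EC2_NAME = re.compile(r"ip-[0-9a-f-]+\.ec2\.internal", re.IGNORECASE)

SAMPLE_CONFIG = """<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <name>IDMDomain</name>
  <server>
    <name>AdminServer</name>
    <listen-address>ip-10-1-2-3.ec2.internal</listen-address>
  </server>
  <server>
    <name>oim_server1</name>
    <listen-address>ip-10-1-2-3.ec2.internal</listen-address>
  </server>
</domain>
"""


def replace_ec2_names(text, new_host):
    """Return (new_text, replacements) with every EC2 name swapped for new_host."""
    return EC2_NAME.subn(new_host, text)


def stale_names(text):
    """Distinct EC2-style names still present; empty means the file is clean."""
    return sorted({m.group(0).lower() for m in EC2_NAME.finditer(text)})


def ensure_hosts_entry(hosts_text, name, ip="127.0.0.1"):
    """Return (new_hosts_text, added). Adds 'ip name' unless the name is
    already mapped on a non-comment line, so re-runs are harmless."""
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) > 1 and name.lower() in (h.lower() for h in fields[1:]):
            return hosts_text, False
    sep = "" if not hosts_text or hosts_text.endswith("\n") else "\n"
    return hosts_text + sep + "%s %s\n" % (ip, name), True


def rewrite_config_file(path, new_host):
    """In-place version of replace_ec2_names; returns what is still stale."""
    with open(path, encoding="utf-8") as f:
        text = f.read()
    new_text, _ = replace_ec2_names(text, new_host)
    with open(path, "w", encoding="utf-8") as f:
        f.write(new_text)
    return stale_names(new_text)


if __name__ == "__main__":
    fixed, count = replace_ec2_names(SAMPLE_CONFIG, "idm1.cloud.example.net")
    print(count, stale_names(fixed))
    print(ensure_hosts_entry("127.0.0.1 localhost\n", "ip-10-1-2-3.ec2.internal")[0])
```

Keep the hosts entry even after the config.xml rewrite: anything that was configured against the old name and is not in config.xml (the post’s point about apps asking for the old name at boot) still needs it to resolve.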

The combination of these tricks should resolve most, if not all, issues in getting IDM environments up and running in the cloud.

PS: In order to start your environment:

To start WebLogic: oracle_home\user_projects\domains\IDMDomain\startWebLogic.cmd

To start your application: oracle_home\user_projects\domains\IDMDomain\bin\startManagedWebLogic.cmd <managed server name> http://serverhostname:7001

Questions? Feel free to reach out to us at IDMWorks.

Tricks of the Trade: Oracle Access Manager Performance Tuning

Thursday, October 28th, 2010

***NOTE: As with all Tips and Tricks we provide on the IDMWorks blog, use the following AT YOUR OWN RISK.  We do not guarantee this will work in your environment and make no warranties***

Typically with COTS applications the vendor will provide instructions as to what software components are configurable to meet a customer’s business needs.  But is it enough to simply understand what components are allowed to be customized?

Depending on the nature of the business the customization can play a significant role in how an application performs and what software components need be tuned.

Some examples of the questions you need to ask yourself and your organization include:

What type of organization are we running the application in?

Is this a banking site where most of the daily activities are dawdling with the exception of pay day when everyone and their significant other wants to see their salaries deposited, thus slowing down down the systems to a crawl?

Is this a high-traffic auction or retail site where customer registrations constantly hammer repositories while  inventories get updated thousands times per minute and the company must account for triple traffic around Chrismahanukwanzakah?

Is this a research site where databases get pounded with complex queries by the Revenge of the Nerds crew?

We at IDMWorks have run into these situations a multitude of times while working with customers.   Many times we see applications get tuned incorrectly or the application is tuned to the correct specifications but the hardware isn’t sufficient enough to handle the required settings (like putting a Smart Car engine in a Mustang).

So for today I would like to promote tuning guidelines for an Identity System, specifically Oracle Access Manager (OAM), and explain how to better tune your application and/or help make better decisions during the design and architecture phase of your project.

Tuning Identity System Searches

For OAM, and really any access management application, the types of searches that users conduct in the directory can significantly affect performance.

For example, Customer Service Representatives in a high-traffic call center should not search for a customer by the last name “Smith” alone; they should search for the last name “Smith” combined with the first name to narrow the search. Of course this is common sense, and we all know how our users practice common sen….um, forget that last line.

So lets force the CSRs to come to our train of thinking.

These steps below will help you to optimize Identity System Searches in the directory:

Restricting the operator use in search

When users conduct a search in an Identity System application, the search bar presents a drop-down list with options for matching the search input with a set of results. These options include the following:

  • That contains
  • Contains in order
  • Equals
  • Less than
  • Greater than
  • Begins with
  • Ends with
  • Sounds like

The “greater than” and “less than” operations can result in many entries being searched and retrieved. By eliminating these choices, you can improve the performance of search operations. You configure and adjust the search operations in a set of parameter files.

To eliminate the “greater than” and “less than” search operations

1. To modify the search bar, open each of the following files in a text editor (here Install_dir is the directory where Oracle Access Manager is installed):

Install_dir\identity\oblix\apps\userservcenter\bin\userservcenterparams.xml
Install_dir\identity\oblix\apps\groupservcenter\bin\groupservcenterparams.xml
Install_dir\identity\oblix\apps\objservcenter\bin\objservcenterparams.xml
Install_dir\identity\oblix\apps\selector\bin\selectorparams.xml

2. Find the entry for the ObEnhanceSearchList parameter in each of these files and edit it so that it only contains the following parameters:

<ValNameList ListName="ObEnhanceSearchList">
    <NameValPair ParamName="OOS" Value="MOOS"/>
    <NameValPair ParamName="OSM" Value="MOSM"/>
    <NameValPair ParamName="OEM" Value="MOEM"/>
    <NameValPair ParamName="OBW" Value="MOBW"/>
    <NameValPair ParamName="OEW" Value="MOEW"/>
</ValNameList>

3. Modify the query builder by opening the following file in a text editor:

Install_dir\identity\oblix\apps\querybuilder\bin\querybuilderparams.xml

4. Edit the element ObQBOperatorsList to have only the following values:

<ValList ListName="ObQBOperatorsList">
    <ValListMember Value="CND_CON"/>
    <ValListMember Value="CND_DNC"/>
    <ValListMember Value="CND_EQ"/>
    <ValListMember Value="CND_NEQ"/>
    <ValListMember Value="CND_PRE"/>
    <ValListMember Value="CND_NPR"/>
    <ValListMember Value="CND_BW"/>
    <ValListMember Value="CND_EW"/>
</ValList>

Require the user to enter a minimum number of characters in a search field

1. To specify the minimum number of characters users must enter in the primary search bar, open the following file in a text editor (where Install_dir is the directory where Oracle Access Manager is installed):

Install_dir\identity\oblix\apps\common\bin\oblixappparams.xml

2. Set the value of the SearchStringMinimumLength parameter to the minimum length of the string that users must enter, as in the following example:

<NameValPair ParamName="SearchStringMinimumLength" Value="3"/>
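The two edits above (trimming ObEnhanceSearchList and raising SearchStringMinimumLength) have to be repeated across four params files, and a stray character in any of them will stop that Identity System application loading. The script below is an added example, not from the post: it applies both changes with an XML parser instead of by hand and returns what it removed and what remains, so you can confirm the result before restarting. SAMPLE_PARAMS is a constructed file in the ValNameList/NameValPair markup shown above; the ParamNames OLT and OGT for the “less than” and “greater than” operators are assumed here, so check them against the entries in your own userservcenterparams.xml before dropping anything. The {*} namespace wildcard needs Python 3.8 or later; it is there because the real params files declare a default namespace.

```python
"""Restrict the OAM Identity System search operators and minimum length.

Added example, not from the original post. SAMPLE_PARAMS is a constructed
params file; the operator ParamNames in DROP_OPERATORS are assumptions.
"""
import xml.etree.ElementTree as ET

SAMPLE_PARAMS = """<ParamsCtlg CtlgName="oblixappparams">
  <ValNameList ListName="ObEnhanceSearchList">
    <NameValPair ParamName="OOS" Value="MOOS"/>
    <NameValPair ParamName="OSM" Value="MOSM"/>
    <NameValPair ParamName="OEM" Value="MOEM"/>
    <NameValPair ParamName="OLT" Value="MOLT"/>
    <NameValPair ParamName="OGT" Value="MOGT"/>
    <NameValPair ParamName="OBW" Value="MOBW"/>
    <NameValPair ParamName="OEW" Value="MOEW"/>
  </ValNameList>
  <NameValPair ParamName="SearchStringMinimumLength" Value="0"/>
</ParamsCtlg>
"""

DROP_OPERATORS = frozenset({"OLT", "OGT"})   # assumed: less than / greater than
SEARCH_LIST = ".//{*}ValNameList[@ListName='ObEnhanceSearchList']"
MIN_LENGTH = ".//{*}NameValPair[@ParamName='SearchStringMinimumLength']"


def load_sample():
    """Parse the constructed sample into an Element."""
    return ET.fromstring(SAMPLE_PARAMS)


def restrict_search_operators(root, drop=DROP_OPERATORS):
    """Remove the NameValPairs for the operators in `drop`; returns the
    ParamNames actually removed (empty on a second run)."""
    lst = root.find(SEARCH_LIST)
    if lst is None:
        raise ValueError("ObEnhanceSearchList not found")
    removed = []
    for pair in list(lst):
        if pair.get("ParamName") in drop:
            lst.remove(pair)
            removed.append(pair.get("ParamName"))
    return removed


def remaining_operators(root):
    """ParamNames still offered in the search bar drop-down."""
    lst = root.find(SEARCH_LIST)
    return [] if lst is None else [p.get("ParamName") for p in lst]


def set_min_search_length(root, length):
    """Set SearchStringMinimumLength (must be >= 1); returns the new value."""
    if length < 1:
        raise ValueError("a minimum length below 1 disables the check")
    node = root.find(MIN_LENGTH)
    if node is None:
        raise ValueError("SearchStringMinimumLength not found")
    node.set("Value", str(length))
    return int(node.get("Value"))


def harden_params_file(path, min_length=3):
    """Apply both edits to a real params file in place; returns the summary."""
    tree = ET.parse(path)
    root = tree.getroot()
    removed = restrict_search_operators(root)
    new_min = set_min_search_length(root, min_length)
    tree.write(path, encoding="utf-8", xml_declaration=True)
    return {"removed": removed, "remaining": remaining_operators(root),
            "min_length": new_min}


if __name__ == "__main__":
    r = load_sample()
    print(restrict_search_operators(r), remaining_operators(r), set_min_search_length(r, 3))
```

Take a copy of each params file before running harden_params_file on it, and diff the result against the lists above; the remaining operators should match the five-entry ObEnhanceSearchList the post shows.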

Restricting the Number of Entries Returned on a Search

You can set a limit on the number of entries returned by a search in OAM, which bounds the effect a single search can have on performance. The maximum number of search results returned from the directory server is configured through the Size Limit parameter of a database instance within the directory server instance profile.

For example, if you set the value of this parameter to 1,000, a maximum of 1,000 entries can be returned in the search results. The default value of 0 indicates that an unlimited number of results can be returned.

You can specify different size limits for different directory server profiles. For example, you can configure a size limit of 0 (unlimited) for the directory server instances that your valued Identity System Administrators use and you can configure a limit of 1,000 for the directory server profiles that are used by those lowly demented end users such as Customer Service Reps (wait, did I just write that?) .

To restrict the number of entries returned on a search

1.       From the Identity System Console select System Configuration.

2.       On the System Configuration page select Directory Profiles.

3. Select the link for the directory server profile whose database instance you want to configure (the Modify Directory Server Profile page appears).

4.       Scroll down to Database Instances and select the database instance you wish to configure (the Modify Database Instance page appears).

5.       Configure the Size Limit parameter to indicate the maximum number of search results that can be returned from the directory server.

Create Thread-Safe Plug-Ins

Both the Access Server and the Identity Server are multithreaded, so when writing custom code ensure that all Access Server plug-ins (authentication and authorization plug-ins) are thread-safe. This recommendation also applies to Identity Event plug-ins.

Consider Pooling Identity Servers

It is a good practice to use at least two Identity Servers running in a pooled primary configuration. Pooled primary means using multiple Identity Servers that run as primary servers with one or more WebPass instances connecting to the primary Identity Servers.

You can use separate Identity Servers as secondary servers when using the  pooled primary approach. If you have only two servers, a pooled primary configuration is recommended over using one primary and one secondary server. When running a pooled primary configuration it is best to use identical but separate hardware for the Identity Servers.

Advantages of pooled primary mode

  • Increased performance through load balancing
  • Increased availability through multiple servers
  • Automatic failover

Disadvantages of pooled primary mode

  • The cost of additional hardware.
  • Additional system configuration (if there are no secondary servers each primary server needs to be sized to handle the total expected load if the other primary servers are unavailable).

Configure Identity Servers from a File System Level

Identity Server configuration and stylesheet files must be identical on all servers. This applies to all configurations that use multiple Identity Servers. You should configure all Identity Servers from a file system level, that is, ensure that all directory and file system structures are identical.

Configure Identity Servers to Use 3 GB of Virtual Memory

On Windows, if the Identity Server causes high memory utilization, the system can crash. You can configure an Identity Server to use 3 GB of virtual address space even if 2 GB addressing is already enabled in the boot.ini file.

By default the virtual address space of Identity Server is limited to 2 GB. You can configure a 3GB switch in the Boot.ini file to allocate 3 GB of virtual address space to an Identity Server that uses IMAGE_FILE_LARGE_ADDRESS_AWARE in the process header. This switch allows applications to address an additional 1 GB of virtual address space beyond the usual 2 GB limit.

The following example shows how to add the 3GB parameter in the Boot.ini file to enable Identity Server memory tuning:

[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(2)\WINNT
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINNT="????" /3GB
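The /3GB switch only benefits an executable whose COFF header carries IMAGE_FILE_LARGE_ADDRESS_AWARE, so it is worth confirming the flag on the Identity Server binary before rebooting. The following Python check is an added example (not from the original post or from Oracle): it reads the flag straight out of a PE file's header, and the two sample headers it builds are constructed stand-ins, not real Identity Server binaries.

```python
import struct

# Bit in the COFF header Characteristics field that marks a large-address-aware image
IMAGE_FILE_LARGE_ADDRESS_AWARE = 0x0020


def is_large_address_aware(pe_bytes: bytes) -> bool:
    """Return True if the PE image's COFF Characteristics include IMAGE_FILE_LARGE_ADDRESS_AWARE."""
    if len(pe_bytes) < 0x40 or pe_bytes[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    # e_lfanew (offset of the "PE\0\0" signature) lives at 0x3C in the DOS header
    (e_lfanew,) = struct.unpack_from("<I", pe_bytes, 0x3C)
    if pe_bytes[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # The 20-byte COFF file header follows the signature; Characteristics is its last WORD (offset 18)
    (characteristics,) = struct.unpack_from("<H", pe_bytes, e_lfanew + 4 + 18)
    return bool(characteristics & IMAGE_FILE_LARGE_ADDRESS_AWARE)


def build_minimal_pe(characteristics: int) -> bytes:
    """Constructed sample header: DOS header + PE signature + COFF header only (no sections)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew: PE signature right after DOS header
    coff = struct.pack("<HHIIIHH",
                       0x014C,                        # Machine: IMAGE_FILE_MACHINE_I386
                       0, 0, 0, 0,                    # NumberOfSections, TimeDateStamp, symtab ptr/count
                       0,                             # SizeOfOptionalHeader
                       characteristics)
    return bytes(dos) + b"PE\0\0" + coff


def check_file(path: str) -> bool:
    """Read an executable from disk (path is the operator's choice, e.g. the Identity Server binary)."""
    with open(path, "rb") as f:
        return is_large_address_aware(f.read())


if __name__ == "__main__":
    # 0x0102 = EXECUTABLE_IMAGE | 32BIT_MACHINE; add the flag to one constructed sample only
    for flags in (0x0102 | IMAGE_FILE_LARGE_ADDRESS_AWARE, 0x0102):
        print(hex(flags), "large-address-aware:", is_large_address_aware(build_minimal_pe(flags)))
```

Run `check_file` against the server executable; a result of False means the switch will not raise that process's address space regardless of the Boot.ini entry.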

Well class, that is all for today, I hope this helps you with your deployment of Oracle Access Manager.

Look for additional discussions on tuning Workflows, Access Server and the Directory in the near future.

Elvis has left the building (what to do when a new version of the software is released).

Wednesday, August 25th, 2010

RE: Oracle Fusion Middleware 10g vs. 11g stack selection (OID, OVD, OIM, OAM specifically).

Here at IDMWorks we specialize in Identity and Access Management full life-cycle services.

Discovery √ Design √ Implementation √ Development √ Support √

During a recent trip to a customer site for an installation of the Oracle Fusion Middleware stack we ran into an interesting conundrum. We were to install the 10g release of OVD, OID, OAM and OIM into the development environment. The customer pointed out that 11g had been released approximately 3 weeks prior and asked for a recommendation of whether we should jump to the 11g implementation path or continue down the 10g path.

First, let me say, the customer was right on point with the question. We like a customer who is knowledgeable and will challenge the decisions and recommendations that we make as a team because that is the same customer who will “take care” of their system long after Elvis (or in this case IDMWorks) has left the building.

Conventional wisdom states that you never jump to the next release of a product in the first month. You wait for stabilization (and typically the first service pack). However in this case we must keep in mind that the products, at least the directory components, are pretty mature. So we can add another option of a mixed upgrade, perhaps 11g OID and OVD, with the 10g release of OAM and OIM. Additionally, with a new release, and this speaks to stabilization, you don’t have the luxury of all the little “gotchas” that have been addressed with implementations of the past. In our case, when we had a Linux Service Pack Library dependency issue, we had Google to rely on to find the fix in less than 5 minutes. No call to Oracle Support, no waiting for recreation and resolution, no explanation to the customer on why we must halt progress while we investigate the issue.

So we created a game plan as follows:

1) Stick with what works!
The known 10g release, while the “older” release, provides a level of maturity and issue resolution that will allow our project to remain on budget and time. This is HUGE. The unknowns that a fresh release presents, if the customer has time and budgetary constraints (don’t they all?), mean that time spent resolving the “basics” is time lost (and hence money).

2) Plan, Plan, Plan for the future!
In order to address the customer’s desire for 11g, the resolution we opted for was to develop an upgrade path and plan to 11g, including the steps, the timeline, the associated cost and the follow-up procedures, that will allow a smooth, cost- and time-effective transition into the next release in a matter of months instead of years.

3) Work with the customer
This should go without saying, but don’t let personal agendas drive the project to failure. The customer wants (and rightfully so) the latest and greatest they can have. If that means the latest technology, then so be it. In our case we have three options: Old, New, and Newish (a little old and new mixed together). However, because we are the implementation partner, ours is not to decide but to recommend. As such we explained all available options, gave our recommended approach and let the customer know that if they chose to move forward with another option (the non-recommended one) we would support them 100% and move forward in that direction.

In the end the customer stuck with the recommended approach and we are well on our way to a successful implementation with a path to the future product laid over the existing framework!