Posts Tagged ‘Oracle Identity Manager’

OIM: Manually Revoking a Stuck Resource Object through the Database

Wednesday, June 29th, 2011

**NOTE: As with all Tips and Tricks we provide on the IDMWorks blog, use the following AT YOUR OWN RISK. We do not guarantee this will work in your environment and make no warranties.**

Oracle Identity Manager: Manually Revoking a Stuck Resource Object through the Database

Have you ever had a Resource Object stuck in a Pending or Provisioning state that you just couldn’t do anything about? This happens a lot when first setting up a Resource Object and running Revoke before you have created the Revoke tasks. The status stays on “Provisioned” but every task inside it says “Cancelled”, and there is nothing more you can do to it. If the object allows only one instance per user, that user is now stuck.

Here is how to set the status to Revoked manually, through the database, so you can re-provision a new instance of the Resource Object.

First, let’s look at all the resources the user has. This query shows the user’s resources, their statuses, and some keys you will need later (replace USER with the user’s login, i.e. the usr_login value):

select oiu.oiu_key, oiu.obi_key, oiu.orc_key, ost.ost_status, obj.obj_name, obj.obj_key,oiu.req_key
from oiu inner join ost on oiu.ost_key = ost.ost_key inner join obi on oiu.obi_key = obi.obi_key
inner join obj on obi.obj_key = obj.obj_key where oiu.usr_key=(select usr_key from usr where usr_login='USER');

Look at the results and find the line that has the stuck object and save the OIU_KEY and the OBJ_KEY.

Next we need the key for this Object’s Revoked status. Each Object has its own set of Status Codes, so to find the ones for the object above, run this query and replace YOUROBJKEY with the OBJ_KEY number from the first query:

select * from OST where obj_key = YOUROBJKEY;

Look at the results and find the line where the OST_STATUS is “Revoked” and save the OST_KEY.

Next we will update the Object Instance and set its status to the new key. If you want to see the current record in its raw form first, run this (replace THEKEY with the OIU_KEY from the first query):

select * from oiu where OIU_KEY = THEKEY;

In the results you will see the OST_KEY column. This is the current status of your Resource Object, and it is what we are going to change to the new status. Run this statement, replacing YOUROSTKEY with the OST_KEY from the second query and YOUROIUKEY with the OIU_KEY from the first query:

update oiu set ost_key = YOUROSTKEY where oiu_key=YOUROIUKEY;

Perform a Commit and that’s it. Pull up the resource profile for the user in the web console and you should see that the status for that resource object is now “Revoked”.
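The whole procedure above, written as one script with the safety checks an administrator would want before touching OIU rows directly: refuse to act unless the user has exactly one instance of the object, abort if the object does not define a single “Revoked” status, re-read the row before committing, and roll back otherwise. This is an added example, not code from the original post or from Oracle. It models the OIU/OST/OBI/OBJ/USR tables in an in-memory SQLite database with constructed sample rows so it runs offline; against a real OIM schema the same SQL would be issued through an Oracle driver (for example python-oracledb) instead, and the table shapes below are an assumption limited to the columns the post uses.

```python
import sqlite3

# Constructed schema: a minimal model of the OIM tables the procedure touches.
# Column names follow the post's queries; everything else is an assumption.
SCHEMA = """
CREATE TABLE usr (usr_key INTEGER PRIMARY KEY, usr_login TEXT UNIQUE);
CREATE TABLE obj (obj_key INTEGER PRIMARY KEY, obj_name TEXT);
CREATE TABLE obi (obi_key INTEGER PRIMARY KEY, obj_key INTEGER);
CREATE TABLE ost (ost_key INTEGER PRIMARY KEY, obj_key INTEGER, ost_status TEXT);
CREATE TABLE oiu (oiu_key INTEGER PRIMARY KEY, usr_key INTEGER, obi_key INTEGER,
                  orc_key INTEGER, ost_key INTEGER, req_key INTEGER);
"""

# Constructed sample data: one user, one resource object with three status codes,
# and one instance stuck on "Provisioned" after its tasks were cancelled.
SAMPLE_ROWS = """
INSERT INTO usr VALUES (1, 'jdoe');
INSERT INTO obj VALUES (10, 'AD User');
INSERT INTO obi VALUES (100, 10);
INSERT INTO ost VALUES (1000, 10, 'Provisioning');
INSERT INTO ost VALUES (1001, 10, 'Provisioned');
INSERT INTO ost VALUES (1002, 10, 'Revoked');
INSERT INTO oiu VALUES (5000, 1, 100, 7000, 1001, NULL);
"""


def open_sample_db():
    """Create the in-memory database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SAMPLE_ROWS)
    return conn


def list_user_resources(conn, user_login):
    """Query 1 from the post: every resource instance the user holds.
    Rows are (oiu_key, obi_key, orc_key, ost_status, obj_name, obj_key, req_key)."""
    sql = """
    SELECT oiu.oiu_key, oiu.obi_key, oiu.orc_key, ost.ost_status,
           obj.obj_name, obj.obj_key, oiu.req_key
    FROM oiu
    JOIN ost ON oiu.ost_key = ost.ost_key
    JOIN obi ON oiu.obi_key = obi.obi_key
    JOIN obj ON obi.obj_key = obj.obj_key
    WHERE oiu.usr_key = (SELECT usr_key FROM usr WHERE usr_login = ?)
    """
    return conn.execute(sql, (user_login,)).fetchall()


def revoked_status_key(conn, obj_key):
    """Query 2 from the post: the OST_KEY meaning 'Revoked' for this object.
    Returns None unless exactly one such status exists."""
    rows = conn.execute(
        "SELECT ost_key FROM ost WHERE obj_key = ? AND ost_status = 'Revoked'",
        (obj_key,),
    ).fetchall()
    return rows[0][0] if len(rows) == 1 else None


def current_status(conn, user_login, obj_name):
    """Status text of the user's instance of obj_name, or None if they have none."""
    for row in list_user_resources(conn, user_login):
        if row[4] == obj_name:
            return row[3]
    return None


def force_revoke(conn, user_login, obj_name):
    """Set the user's single instance of obj_name to Revoked (the post's UPDATE).
    Returns True if a row was changed, False if it was already Revoked.
    Raises without changing anything when the checks fail."""
    matches = [r for r in list_user_resources(conn, user_login) if r[4] == obj_name]
    if len(matches) != 1:
        raise ValueError(f"expected one instance of {obj_name!r}, found {len(matches)}")
    oiu_key, _obi, _orc, status, _name, obj_key, _req = matches[0]
    if status == "Revoked":
        return False
    new_ost = revoked_status_key(conn, obj_key)
    if new_ost is None:
        raise ValueError(f"object {obj_key} has no single 'Revoked' status code")
    cur = conn.execute("UPDATE oiu SET ost_key = ? WHERE oiu_key = ?", (new_ost, oiu_key))
    # Re-read before committing; roll back if the update did not land as intended.
    if cur.rowcount != 1 or current_status(conn, user_login, obj_name) != "Revoked":
        conn.rollback()
        raise RuntimeError("update did not produce a Revoked instance; rolled back")
    conn.commit()
    return True


if __name__ == "__main__":
    db = open_sample_db()
    print("before:", current_status(db, "jdoe", "AD User"))
    force_revoke(db, "jdoe", "AD User")
    print("after: ", current_status(db, "jdoe", "AD User"))
```

Because the update is keyed on a single OIU_KEY found by the first query rather than typed by hand, a typo cannot revoke a different user’s instance, and nothing is committed until the re-read confirms the new status.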

Questions, comments or concerns?  Feel free to reach out to us at IDMWorks.

Taking Control of Your Oracle Identity Manager Scheduler

Tuesday, June 14th, 2011

**NOTE: As with all Tips and Tricks we provide on the IDMWorks blog, use the following AT YOUR OWN RISK. We do not guarantee this will work in your environment and make no warranties.**

According to Oracle’s sizing guide for Oracle Identity Manager (OIM) 10g, in a large deployment you should break up your clustered servers by task. For example, if you have four nodes in your cluster, you might use two to handle user requests and two to handle provisioning processes and scheduled tasks. This lets you dedicate servers to the tasks you want them handling. Combined with load balancing, either through WebLogic or through an appliance, it provides a high level of stability and availability. However, one thing I noticed when reading through Oracle’s documentation is that nowhere does it mention how to do it.

So how do you do it?

The scheduler service on each server is enabled or disabled through the xlconfig.xml file that holds the settings for OIM. The setting controls whether the scheduler service starts when OIM starts on that node. The file is typically found in the OIM_HOME\xellerate\config folder and can be modified with any text editor.

Always remember that it is a very bad idea to change settings in the xlconfig file if you don’t know what they do, so proceed with caution.

Use the following instructions to disable the Scheduler service for any nodes you do not wish to have it running.

Step 1: Open the xlconfig.xml file with the editor of your choice

I like to use TextPad or Notepad++.

Step 2: Find the line below:

<StartOnDeployment>true</StartOnDeployment>

Step 3: Edit the line so it looks as follows:

<StartOnDeployment>false</StartOnDeployment>

Step 4: Save your file

Step 5: Restart OIM

That’s it. It’s also good to note that in the same area of the xlconfig file (just above the line you modified) you will find a commented section explaining the Scheduler properties and what can be modified. These include:

XLUserName - User name used to log in to Xellerate when executing the scheduled tasks.
XLPassword - Password used to log in to Xellerate when executing the scheduled tasks.
StartOnDeployment - Set this to true to start the scheduler along with application startup.
ThreadPoolSize - Number of threads that can run scheduled jobs simultaneously.
DataBasePoolSize - Number of database connections the scheduler can open.
JNDIName - The name under which the scheduler will be bound into the JNDI tree.
DatabaseDeligate - Quartz Scheduler database delegate class.

By modifying these settings you can better tailor your environment to suit your needs in production, or troubleshoot an environment where tasks are jumping from node to node, making them difficult to track in the log.
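The five steps above, as an added example that is not part of the original post: a small script that reads the Scheduler section of an xlconfig.xml, reports the properties listed above, and flips StartOnDeployment for a node without touching anything else. It refuses to edit if the element is missing or does not already hold a plain true/false, which is the failure mode a hand edit with a text editor tends to hide. The xlconfig.xml fragment is constructed for this example; the enclosing element name and the property values are assumptions, and only the Scheduler properties the post names are included.

```python
import xml.etree.ElementTree as ET

# Constructed xlconfig.xml fragment for this example. The outer element name is an
# assumption; the Scheduler properties are the ones the post lists. The password is
# a placeholder, never a real credential.
SAMPLE_XLCONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<xl-configuration>
  <Scheduler>
    <XLUserName>xelsysadm</XLUserName>
    <XLPassword>PLACEHOLDER-not-a-real-password</XLPassword>
    <StartOnDeployment>true</StartOnDeployment>
    <ThreadPoolSize>10</ThreadPoolSize>
    <DataBasePoolSize>5</DataBasePoolSize>
    <JNDIName>Scheduler</JNDIName>
    <DatabaseDeligate>placeholder.QuartzDelegateClass</DatabaseDeligate>
  </Scheduler>
</xl-configuration>
"""

SCHEDULER_PROPS = ("XLUserName", "XLPassword", "StartOnDeployment", "ThreadPoolSize",
                   "DataBasePoolSize", "JNDIName", "DatabaseDeligate")
BOOLEANS = ("true", "false")


def _scheduler(root):
    """Locate the <Scheduler> section or fail loudly rather than edit the wrong file."""
    node = root.find(".//Scheduler")
    if node is None:
        raise ValueError("no <Scheduler> section found in xlconfig.xml")
    return node

def scheduler_settings(xml_text):
    """Return the Scheduler properties as a dict; the password is never returned."""
    sched = _scheduler(ET.fromstring(xml_text))
    out = {}
    for name in SCHEDULER_PROPS:
        el = sched.find(name)
        if el is None:
            continue
        out[name] = "<redacted>" if name == "XLPassword" else (el.text or "").strip()
    return out


def scheduler_enabled(xml_text):
    """True if the scheduler starts with OIM on this node, False if it is disabled."""
    value = scheduler_settings(xml_text).get("StartOnDeployment")
    if value not in BOOLEANS:
        raise ValueError(f"unexpected StartOnDeployment value: {value!r}")
    return value == "true"


def set_scheduler_start(xml_text, enabled):
    """Return a copy of the file with StartOnDeployment set to true or false.
    Only that one text node changes; the rest of the document is re-serialised as-is."""
    root = ET.fromstring(xml_text)
    el = _scheduler(root).find("StartOnDeployment")
    if el is None or (el.text or "").strip() not in BOOLEANS:
        raise ValueError("StartOnDeployment missing or not true/false; refusing to edit")
    el.text = "true" if enabled else "false"
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode") + "\n"


if __name__ == "__main__":
    # Disable the scheduler on this node; restart OIM afterwards as the post says.
    print(scheduler_settings(SAMPLE_XLCONFIG))
    print(set_scheduler_start(SAMPLE_XLCONFIG, enabled=False))
```

On a real node you would read OIM_HOME\xellerate\config\xlconfig.xml, pass its text through set_scheduler_start, write the result back, and restart OIM; running scheduler_settings against every node afterwards is a quick way to confirm that exactly the intended nodes report StartOnDeployment as true.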

Questions, comments or concerns?  Feel free to reach out to us at IDMWorks.

OIM Bulk Load Utility: DB Permissions

Friday, May 7th, 2010

The latest version of Oracle Identity Manager (9.1.0.2) comes with a tool called the Bulk Load Utility, designed to quickly import large numbers of users into the system. The utility is backwards compatible with OIM 9.1.0.1.

A few tweaks are required to get the Bulk Load Utility working, as it does not function straight out of the box.

First, you will need to create a table space in the database. The code below should do, but feel free to adjust as needed:

create tablespace tspace logging datafile '/opt/oracle/tspace.dbf' size 32m autoextend on next 32m maxsize 2048m extent management local;

Second, the utility runs under the OIM database user account, which by default does not have sufficient privileges, so the tool errors out. To fix this, grant the following (replace oimuser with your OIM schema user):

grant CREATE ANY SYNONYM, CREATE ANY TRIGGER, CREATE ANY TYPE, CREATE DATABASE LINK, CREATE JOB, CREATE LIBRARY, CREATE MATERIALIZED VIEW, CREATE PROCEDURE, CREATE SEQUENCE, CREATE TABLE, CREATE TRIGGER, CREATE VIEW to oimuser;

With these two changes the tool should run fine under the CSV file load.

Enabling SPML Web Services with OIM

Tuesday, October 20th, 2009

Enabling SPML web services is pretty trivial, but since I’m doing it in my virtual environment and taking screenshots anyway, I thought I would add it here.

The next step is to enable SSL communication:
Step 1 – Generate the keys using keytool
keytool -genkey -alias serverjboss -keyalg RSA -keysize 1024 -dname "CN=localhost,OU=Identity,O=Oracle,C=US" -keypass welcome -keystore E:\jboss-4.2.3.GA\server\jbossserver.jks -storepass welcome -storetype jks

Step 2 – Self-sign the certificate
keytool -selfcert -alias serverjboss -sigalg MD5withRSA -validity 2000 -keypass welcome -keystore E:\jboss-4.2.3.GA\server\jbossserver.jks -storepass welcome

Step 3 – Export the certificate
keytool -export -alias serverjboss -file E:\jboss-4.2.3.GA\server\jbossserver.cert -keypass welcome -keystore E:\jboss-4.2.3.GA\server\jbossserver.jks -storepass welcome -storetype jks -provider sun.security.provider.Sun
(You will receive the confirmation message “Certificate stored in file …”.)

Step 4 – Modify the server.xml file (for JBoss this file is located under $JBOSS_HOME/server/default/deploy/jboss-web.deployer)
Add the following entry to the HTTPS connector:
maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
emptySessionPath="true"
scheme="https" secure="true" clientAuth="false"
sslProtocol="TLS"
keystoreFile="E:\jboss-4.2.3.GA\server\jbossserver.jks"
keystorePass="welcome"
truststoreFile="E:\jboss-4.2.3.GA\server\jbossserver.jks"
truststorePass="welcome"/>

All done! Restarting the JBoss application server should deploy the new EAR file.
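A check to run after Step 4, as an added example that is not part of the original post: a small audit of the HTTPS connectors in a server.xml. It confirms the attributes the post sets (scheme, secure, sslProtocol, keystoreFile, keystorePass) are present, flags a keystore password that is a well-known example value such as the “welcome” used above, and points out a truststore that is configured but never consulted because clientAuth is false. The server.xml excerpt is constructed for this example: the post shows only the tail of the element, so the opening Connector tag, its port and protocol, and the plain HTTP connector beside it are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml excerpt modelled on the post's fragment. The opening
# <Connector> tag, port and protocol are assumptions; "welcome" is the post's
# example keystore password.
SAMPLE_SERVER_XML = r"""<Server>
  <Service name="jboss.web">
    <Connector port="8080" protocol="HTTP/1.1" maxThreads="100"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
               emptySessionPath="true"
               scheme="https" secure="true" clientAuth="false"
               sslProtocol="TLS"
               keystoreFile="E:\jboss-4.2.3.GA\server\jbossserver.jks"
               keystorePass="welcome"
               truststoreFile="E:\jboss-4.2.3.GA\server\jbossserver.jks"
               truststorePass="welcome"/>
  </Service>
</Server>
"""

# Attribute values an HTTPS connector must carry, taken from the post's entry.
REQUIRED_ATTRS = {"scheme": "https", "secure": "true", "sslProtocol": "TLS"}
# Constructed list of well-known example/default keystore passwords.
EXAMPLE_PASSWORDS = {"welcome", "changeit", "password"}


def audit_ssl_connectors(xml_text):
    """Return a list of (port, code, message) findings; an empty list means clean."""
    root = ET.fromstring(xml_text)
    findings = []
    seen = 0
    for conn in root.iter("Connector"):
        # Only look at connectors that are meant to serve TLS.
        if conn.get("scheme") != "https" and conn.get("SSLEnabled", "").lower() != "true":
            continue
        seen += 1
        port = conn.get("port", "?")
        for attr, expected in REQUIRED_ATTRS.items():
            if conn.get(attr) != expected:
                findings.append((port, "missing_attr", f'{attr} should be "{expected}"'))
        for attr in ("keystoreFile", "keystorePass"):
            if not conn.get(attr):
                findings.append((port, "missing_attr", f"{attr} is not set"))
        if conn.get("keystorePass", "").lower() in EXAMPLE_PASSWORDS:
            findings.append((port, "example_keystore_pass",
                             "keystorePass is a well-known example value"))
        # The truststore only matters when the server asks clients for certificates.
        if conn.get("clientAuth", "false").lower() == "false" and (
                conn.get("truststoreFile") or conn.get("truststorePass")):
            findings.append((port, "truststore_unused",
                             "truststore configured but clientAuth=false, so it is not used"))
    if seen == 0:
        findings.append(("-", "no_ssl_connector", "no HTTPS connector defined"))
    return findings


if __name__ == "__main__":
    for port, code, message in audit_ssl_connectors(SAMPLE_SERVER_XML):
        print(f"port {port}: {code}: {message}")
```

Run it against the real file after the restart: the two findings it raises on the constructed sample (example keystore password, unused truststore) are exactly the things to revisit when this setup moves out of a lab VM.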

OIM Design Console on RHEL

Sunday, July 26th, 2009

I was trying to get the Design Console installed on my virtual machines and was annoyed about having to have Windows and Linux running at the same time (my base operating system is Leopard). This took a little while to figure out (minutes, not hours) and is by no means magical; it just took a little determination. Here are the steps to run the OIM Design Console on RHEL:

1. Add the classpath variable (see attached .bash_profile)
2. Zip up the xlclient directory from a Windows installation and extract it into a target directory on Unix
3. Create a symbolic link from Config to config (yes, it is case-sensitive)
4. Create a shell script (see attached xlclient.sh)
5. Modify the xlconfig.xml file in the config directory (the URL appears twice)

Enjoy!