Posts Tagged ‘Oracle Identity Manager’

The Truth about Indexing in OID

Wednesday, January 18th, 2012

***NOTE: As with all Tips and Tricks we provide on the IDMWorks blog, use the following AT YOUR OWN RISK.  We do not guarantee this will work in your environment and make no warranties***

Oracle’s OID docs are pretty vague around indexing.  In reality, there are really two options:

  1. When creating an attribute, check the “Indexed” box
  2. Create the index in the future (after you figure out OID needs it for something!)

In order to do #2, run the catalog tool from the command line:

  1. $MW_HOME/<domain>/ldap/bin/catalog connect="OIDDB" add="true" attribute="<the attribute name that you want to index>" debug="true" verbose="true"

If you try to check the box (as in #1) after you have already used the attribute, the ODSM interface will show the box checked and make you think the attribute has been indexed (but it really hasn’t!).

Questions, comments or concerns?  Feel free to reach out to us at IDMWorks.

Registry Hacking to Remove Unneeded Oracle Services

Wednesday, November 30th, 2011

Something we haven’t seen blogged about much is uninstalling services. This is not something I would recommend for just any service you don’t like. It’s important to take into consideration the application that installed the service and, when possible, use the native application uninstaller. However, when you are dealing with an Oracle application, for example, that doesn’t really have an uninstaller and only rarely installs services, it’s a good idea to know how to hack your way to removing the offending applet that is no longer in use (and we mean “hacking” in the nicest possible way).

To make this relevant to the Oracle IAM stack, this process is supported for uninstalling the OIM AD password synch agent and uninstalling the OID application service.

On the “unsupported” side, this would be considered a registry hack.

How to:

  1. Open the registry editor on your Windows machine (search for or run regedit.exe; it exists on almost all Windows machines).
  2. In the left pane (the tree navigator) go to the following key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\
  3. Find the key with the name of the service you wish to uninstall. For Oracle it is often clearly named (‘oracle application service’ or some such).
  4. Right click on the key (still in the left pane) and click on “delete”.
  5. You will be asked to confirm; just click “yes”.

Oracle Identity & Access Manager 11g for Administrators (Packt Publishing)

Tuesday, October 11th, 2011

Our Oracle Practice Lead, Jom John, has recently been a technical reviewer for Packt Publishing’s “Oracle Identity and Access Manager 11g for Administrators”.

The book is a solid tool to add to your IAM toolkit for those whose role requires the ability to administer Oracle Identity Management (OIM & OAM), including installation, configuration, and day-to-day tasks, or for those simply looking to learn the Oracle IAM stack and needing a starting point. Beginner and advanced alike might want to pick this book up.

There aren’t a lot of great resources on this subject so when one comes out and it happens to be a product one of our team has worked on then we can endorse it highly.

Looking to have Jom or our Oracle team involved in your Oracle IAM project? Feel free to reach out to us at IDMWorks!

And feel free to ask any questions below and we will make Jom answer them :)

Things that make us Smile

Wednesday, July 27th, 2011

From our friend and a true IdMRockstar, Adam Callen:

What works? IDMWorks!

Feel free to reach out to us any time at IDMWorks!

OIM: Manually Revoking a Stuck Resource Object through the Database

Wednesday, June 29th, 2011

Have you ever had a Resource Object stuck in a Pending or Provisioning state that you just couldn’t do anything about? This happens a lot when first setting up a Resource Object and running Revoke before you create the Revoke tasks. The status will stay on “Provisioned” but all the tasks inside will say “Cancelled”, and there’s nothing more you can do to it. If the Resource Object only allows one instance, that user is now stuck.

Here is how to set the status to Revoked manually, through the database, so you can re-provision a new instance of the Resource Object.

First, let’s look at all the resources the user has. This query will show you the user’s resources, their statuses, and some keys you’ll need later (replace USER with your user ID):

select oiu.oiu_key, oiu.obi_key, oiu.orc_key, ost.ost_status, obj.obj_name, obj.obj_key,oiu.req_key
from oiu inner join ost on oiu.ost_key = ost.ost_key inner join obi on oiu.obi_key = obi.obi_key
inner join obj on obi.obj_key = obj.obj_key where oiu.usr_key=(select usr_key from usr where usr_login='USER');

Look at the results and find the line that has the stuck object and save the OIU_KEY and the OBJ_KEY.

Next we need the key for this Object’s Revoked status. Each Object has its own set of Status Codes, so to find the ones for our object above, run this query, replacing YOUROBJKEY with the OBJ_KEY number from the first query above:

select * from OST where obj_key = YOUROBJKEY;

Look at the results and find the line where the OST_STATUS is “Revoked” and save the OST_KEY.

Next we will update the Object Instance and set its status to the new key. If you want to see the current record in its bare form, run this (replace THEKEY with the OIU_KEY from the first query):

select * from oiu where OIU_KEY = THEKEY;

You will see the OST_KEY column in the results. This is the current status of your Resource Object, and it is what we are going to change to the new status. So let’s run this query, replacing YOUROSTKEY with the OST_KEY from the second query and YOUROIUKEY with the OIU_KEY from the first query:

update oiu set ost_key = YOUROSTKEY where oiu_key=YOUROIUKEY;

Perform a Commit and that’s it. Pull up the resource profile for the user in the web console and you should see the status for that resource object is now “Revoked”.
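The same three steps as an added Python example (not code from the post), run against a constructed in-memory SQLite stand-in for the OIM tables involved; the table shapes and sample rows are assumptions, not the real OIM schema. Beyond the post, it adds the checks worth doing before the commit: the Revoked status key must belong to the same object as the instance, and the UPDATE must change exactly one row, otherwise the transaction is rolled back.

```python
# Added example (not the post's code): the post's three queries as one Python
# routine with the checks worth doing before the COMMIT. Constructed: an
# in-memory SQLite stand-in for the few OIM columns involved; the table
# shapes and sample rows are assumptions, not OIM's real schema.
import sqlite3

SCHEMA = """
CREATE TABLE usr (usr_key INTEGER PRIMARY KEY, usr_login TEXT);
CREATE TABLE obj (obj_key INTEGER PRIMARY KEY, obj_name TEXT);
CREATE TABLE obi (obi_key INTEGER PRIMARY KEY, obj_key INTEGER);
CREATE TABLE ost (ost_key INTEGER PRIMARY KEY, obj_key INTEGER, ost_status TEXT);
CREATE TABLE oiu (oiu_key INTEGER PRIMARY KEY, usr_key INTEGER, obi_key INTEGER,
                  orc_key INTEGER, ost_key INTEGER, req_key INTEGER);
"""
# Constructed rows: jdoe's 'AD User' instance is stuck in Provisioned (the
# post's situation); 'DB User' is healthy. Each object has its OWN Revoked key.
SAMPLE = """
INSERT INTO usr VALUES (1, 'jdoe');
INSERT INTO obj VALUES (10, 'AD User'), (11, 'DB User');
INSERT INTO obi VALUES (100, 10), (101, 11);
INSERT INTO ost VALUES (1000, 10, 'Provisioned'), (1001, 10, 'Revoked'),
                       (1002, 11, 'Provisioned'), (1003, 11, 'Revoked');
INSERT INTO oiu VALUES (5000, 1, 100, 7000, 1000, 9000),
                       (5001, 1, 101, 7001, 1002, 9001);
"""

def open_sample_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA + SAMPLE)
    return db

def list_resources(db, login):
    """Query 1 of the post: each resource instance of a user with its status."""
    return db.execute("""
        SELECT oiu.oiu_key, oiu.obi_key, oiu.orc_key, ost.ost_status,
               obj.obj_name, obj.obj_key, oiu.req_key
        FROM oiu JOIN ost ON oiu.ost_key = ost.ost_key
                 JOIN obi ON oiu.obi_key = obi.obi_key
                 JOIN obj ON obi.obj_key = obj.obj_key
        WHERE oiu.usr_key = (SELECT usr_key FROM usr WHERE usr_login = ?)
        ORDER BY oiu.oiu_key""", (login,)).fetchall()

def revoke_instance(db, oiu_key):
    """Queries 2 and 3 of the post in one transaction. Refuses to commit unless
    the instance exists, its object has exactly one Revoked status key, and the
    UPDATE changes exactly one row. Returns the instance's resulting status."""
    row = db.execute("""SELECT obj.obj_key, ost.ost_status FROM oiu
                        JOIN obi ON oiu.obi_key = obi.obi_key
                        JOIN obj ON obi.obj_key = obj.obj_key
                        JOIN ost ON oiu.ost_key = ost.ost_key
                        WHERE oiu.oiu_key = ?""", (oiu_key,)).fetchone()
    if row is None:
        raise LookupError(f"no OIU row with oiu_key={oiu_key}")
    obj_key, current = row
    if current == "Revoked":
        return current                      # already done; skip a no-op UPDATE
    # Query 2, restricted to THIS object's status codes (they differ per object)
    keys = db.execute("SELECT ost_key FROM ost WHERE obj_key = ? AND ost_status = 'Revoked'",
                      (obj_key,)).fetchall()
    if len(keys) != 1:
        raise LookupError(f"obj_key={obj_key}: expected one Revoked status, found {len(keys)}")
    revoked_key = keys[0][0]
    with db:                                # Query 3; commit on success, else roll back
        cur = db.execute("UPDATE oiu SET ost_key = ? WHERE oiu_key = ?", (revoked_key, oiu_key))
        if cur.rowcount != 1:
            raise RuntimeError(f"UPDATE touched {cur.rowcount} rows, rolled back")
    return db.execute("SELECT ost_status FROM ost WHERE ost_key = ?", (revoked_key,)).fetchone()[0]
```

Against a real OIM database the same logic applies with the Oracle driver in place of sqlite3; the point of the extra SELECT is that OST_KEY values are per object, so pasting a Revoked key from another object would silently corrupt the instance.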

Oracle Identity Manager, Oracle Linux 5, & VMWare

Tuesday, June 28th, 2011

As someone who has spent the majority of my computing time in a Microsoft Windows world but is familiar with Linux, I didn’t think twice when attempting to set up an Oracle Identity Manager environment based on Linux. A few obstacles later I had learned some very important lessons for installing OIM on Linux.

  • First, it is important to know the “root” user password but also to have another account available with permission to access the installation data. Some processes require “root” user access while others strictly prohibit the “root” user from executing them. For the most part you will not be using the “root” user for the installs, but there are some scripts used in the installation processes that require “root” to execute, making knowledge of both accounts a must.
  • Always understand the prerequisites! Oracle Identity Manager requires other applications like Oracle Database, WebLogic, etc. Each of these applications has its own prerequisites, like specific versions of the Java JDK, JAVA_HOME variables declared in the .bash_profile, and certain Linux packages being installed. If these prerequisites aren’t met it can result in errors during installation, stalled installations, and even graphical distortions in the install wizards. So before attempting to install the OIM components it is very worthwhile to double check all of the prerequisites; it will make your life easier.
  • Another useful tip is to “know your installer”. Many of the OIM component downloads contain installers for multiple platforms and some generic installers that are platform independent. Knowing which installer to use for the desired platform is important. Some of the generic installers do not bundle components that are required. A perfect example is the WebLogic Server installer. WebLogic requires a JDK selection during the install process. While the OS-specific installers come bundled with compatible JDKs, the generic installer does not include any JDK, so one will have to be installed separately and manually specified. Which installer to use is determined by the compatibility matrix on Oracle’s website. And I can tell you for sure that it will save you time and frustration to look at that before starting your installs.
  • For VM installs you may run into an issue where, after the install, the maximum resolution is 800 x 600. This becomes a small issue since the Oracle Database 11g installer wants a 1024 x 768 resolution, so the full menu won’t appear on the screen. This is actually a pretty easy fix. In the display properties change the monitor hardware type to an LCD with the desired resolution. Once that is set you can go back to the resolution selection screen and change to a higher resolution. A reboot will be required before the new resolution can take effect though.
  • And probably the most useful thing to know is the Linux commands that will be used throughout these installs.  Below is a list of some of the commands that were used:
  1. su:  This command lets you assume superuser or “root” user level access, provided that you know the password for that account.
  2. exit: When you are finished with “root” user access this command will exit the root user session and return the terminal permissions back to the logged in user.
  3. java -version: This will print out what version of java is installed and registered in the environment variables located in the .bash_profile.
  4. whereis java: This will print out the different locations where java is installed, based on the environment variables and any symbolic links.
  5. vi ~/.bash_profile:
    • This command will allow you to edit the .bash_profile where environment variables are declared.
    • This file should only be edited under instruction because if this file is fouled up it can trash the system and require a complete reinstall.
  6. :wq: When editing the .bash_profile file in vi, this command will save the changes and then exit back to the terminal. Of course there are other commands that can be used to accomplish the same thing.
  7. . ./.bash_profile: After editing the .bash_profile this will reload the settings using the updated file.
  8. rpm -ivh <filename>: This will install packages that may be missing.  This does require an exact file name to be specified.

Taking Control of Your Oracle Identity Manager Scheduler

Tuesday, June 14th, 2011

According to Oracle’s sizing guide for Oracle Identity Manager (OIM) 10g, in a large deployment you should break up your clustered servers by task. For example, if you have four nodes in your cluster, you may use two to handle user requests and two to handle provisioning processes and scheduled tasks. This allows you to dedicate servers to the tasks you want them handling. This, combined with load balancing, either through WebLogic or through an appliance, provides a high level of stability and availability. However, one thing I noticed when reading through Oracle’s documentation is that nowhere does it mention how to do it.

So how do you do it?

The scheduler service on each server can be enabled or disabled by the xlconfig.xml file that contains the settings for OIM.    This will set the scheduler service to either start or not when OIM starts on that node. The file is typically found in the OIM_HOME\xellerate\config folder and can be modified with any text editor.

Always note that it is a very bad idea to change settings in the xlconfig file if you don’t know what they do, so proceed with caution.

Use the following instructions to disable the Scheduler service for any nodes you do not wish to have it running.

Step 1: Open the xlconfig.xml file with the editor of your choice

I like to use TextPad or Notepad++.

Step 2: Find the line below:

<StartOnDeployment>true</StartOnDeployment>

Step 3: Edit the line so it looks as follows:

<StartOnDeployment>false</StartOnDeployment>

Step 4: Save your file

Step 5: Restart OIM

That’s it.  It’s also good to note that in that same area of the xlconfig file (just above the line you modified) you will find a commented section explaining the Scheduler properties and what can be modified.  This includes:

XLUserName, XLPassword – Used to log in to xellerate when executing the scheduled tasks.
StartOnDeployment – Set this to true to start the scheduler along with application startup.
ThreadPoolSize – Number of threads that can run scheduled jobs simultaneously.
DataBasePoolSize – Number of database connections the scheduler can open.
JNDIName – The name under which the scheduler will be bound into the JNDI tree.
DatabaseDeligate – Quartz Scheduler database delegate class.

By modifying these settings you can better tailor your environment to suit your needs in production, or troubleshoot an environment where tasks are jumping from node to node, making them difficult to track in the log.

Uninstalling Oracle Fusion Middleware Products

Friday, March 25th, 2011

Recently I’ve had to uninstall Oracle Internet Directory and Oracle Virtual Directory version 11.1.1.2.0 on a Windows server. The uninstallation instructions provided in the Oracle Fusion Middleware Installation Guide are a good start, but some additional steps are required on the WebLogic side.

Here are the steps needed to uninstall OID and OVD 11g:

1. In a command prompt go to $ORACLE_HOME\oui\bin (i.e. C:\Oracle\Middleware\Oracle_IDM1)
2. Enter setup.exe -deinstall
3. After the Welcome screen you will get three options presented to you:
a. De-install Oracle Home
b. De-install ASInstances managed by WebLogic Domain
c. De-install Unmanaged ASInstances

Assuming you did a standard install of OID and OVD then you are going to have an ASInstance managed by WebLogic.

From this menu you want to select “option b” (De-Install ASInstances managed by WebLogic Domain).

Note: Make sure you de-install the ASInstance first before you uninstall Oracle Home. If you uninstall Oracle Home first, then the uninstaller will be gone and the ASInstance will still be remaining.

4. On the next screen you will need to enter the following information:

a. Domain Host Name:
b. Domain Port No: (i.e. 7001)
c. User name: (i.e. weblogic)
d. Password: <password for weblogic admin user>

Note: Make sure the WebLogic admin server is running.

5. On the next screen you must specify the Managed Instance Directory (i.e. C:\Oracle\Middleware\asinst_1).

6. After the uninstall of the Managed instance is completed you will need to run the setup.exe -deinstall command again.

7. This time you want to select Deinstall Oracle Home.

8. Specify the Oracle Home Directory on the next screen (i.e. C:\Oracle\Middleware\Oracle_IDM1).

After the uninstall process is complete you are 3/4ths of the way done with completely uninstalling OID and OVD. The uninstall process leaves behind the IDMDomain (or whatever Domain name you provided during installation) that was created in WebLogic. If you try to re-install OID, OVD or any other Fusion Middleware IDM component you’ll have to specify another Domain name unless you take these additional steps:

1. Go to the IDMDomain folder in Windows Explorer (i.e. C:\Oracle\Middleware\user_projects\domains).
2. Delete the IDMDomain folder and all its contents.
3. After the domain is deleted you will need to update the NodeManager domain configuration. Navigate to the folder containing the nodemanager.domains file (i.e. C:\Oracle\Middleware\wlserver_10.3\common\nodemanager)

Note: Before modifying any files, it’s always best practice to make a copy of it first.

4. Open the file and remove the IDMDomain line. (i.e. IDMDomain=C\:\\Oracle\\Middleware\\user_projects\\domains\\IDMDomain)

5. Navigate to the folder containing the domain-registry.xml file (i.e. C:\Oracle\Middleware)

6. Open the file and remove the IDMDomain line.

7. Go to Start->All Programs->Oracle WebLogic->User Projects and delete the IDMDomain folder and its contents.

Note: Remember to also use the RCU to drop the OID database tables.

Now you should have a clean WebLogic instance if you want to re-install OID or OVD.

Questions? Sound off below or ask us here at IDMWorks.

OIM: Changing the Database Name on JBoss

Thursday, March 24th, 2011

If you ever need to move your Oracle Identity Manager database due to a hostname or IP or SID change, there are a few places where the new connection string needs to be updated. This is for OIM 9.1.0.x on JBoss.

  • OIM_HOME/config/xlconfig.xml
  • OIM_HOME/profiles/jboss.profile [Two places]
  • JBOSS_HOME/server/default/deploy/xell-ds.xml [Two places]

Oracle Identity Manager (OIM) 11g install for Beginners (in the Cloud baby)!

Friday, March 4th, 2011

This is a supplement to the post “Setting up Oracle Identity and Access Management Suite (11g) in the Cloud: A few things that work & don’t work”, detailing a basic install and the little errors that prevented it from running, as encountered when someone new to Oracle Identity Manager (11g) installed it in a Cloud environment.

To install OIM you have to go through several steps before you even start installing it.  Now I’m sure that most folks reading this have pre-existing environments that allow you to skip many of the following steps but let’s assume you are doing this from a brand spankin’ new MS Windows server.

Basically, you want to do the install first, and then the configuration.

1) You need to have the Java Development Kit (JDK) installed. Now you might think that just having it installed is good enough; however, the default installation path will put it in the ‘Program Files’ folder. Most MS Windows systems don’t have any particular preference; however, your IDM install doesn’t like spaces in the file paths, so be sure you have it installed in a folder without spaces.

2) Be certain you are utilizing a static IP address. If you don’t, I would suggest reviewing the suggested fixes in the Setting up Oracle Identity and Access Management Suite (11g) in the Cloud: A few things that work & don’t work post.  Otherwise you will likely get a fair amount of errors when everything is up and running. The entire suite depends on having a static DNS name and IP address. When it doesn’t things fail without warning.

3) Now you should install the database. A few things to note here:

  • The database is where everything points to. Fortunately it’s not particularly hard to set up the software. Unfortunately the database itself has a few requirements. The Setting up Oracle … in the Cloud post again covers the tricks needed to get this working properly, but one thing I would add is that the default for the desktop install of the database has the wrong language code set. Don’t use it; use “server” instead.

4) Once you have the database installed you have to run RCU.  Unfortunately RCU is a 32 bit program that is very picky about 64 bit operating systems. When installed in conjunction with a 64 bit database and then attempting to link the 32 bit RCU it would work until it attempted to add the OIM tables in.  Then it broke. The only fix I found was to use a 32 bit database. The RCU is just putting tables for the systems you are installing next to run off of, so we can assume it’s fully possible to drop the tables in manually, but I wouldn’t want to do it.

5) Assuming you finished the last few steps you can go onto the actual install of the programs. WebLogic first. If you are using the generic JAR installer, which you probably should be, you have to use your Java install to unpack it.  Now there is something you should take note of when you install WebLogic. There is a screen where it’s looking for Java packages. The generic JAR doesn’t have these with it. Again it is very picky about what folder it has selected to do the Java install with. It’s not so picky about whether or not the folder is occupied. Make sure it’s pointing to the right place. If all else fails, copy the Java bin to the area the installer wants. If you don’t things will install fine but never run (note: be sure to have the correct version installed as the systems are very specific about what they are compatible with).

6) Alrighty then, WebLogic is installed. WebLogic is the heart of everything else OIM related. Along with OIM you also need SOA. You have to install the .2 version and then upgrade to the .3 version. Typically this is a pretty straightforward install.

7) NOW we can install OIM. The OIM install itself is pretty easy again but it is the next few steps that can mess you up. Make sure you don’t start up the Configuration Manager quite yet.

8) Now we configure WebLogic. You are looking for a file called config.sh in a folder called common. It’s in the directory where you installed all the stuff you have already installed. Now when you bring it up, you want to select the programs you want WebLogic to support. Then you have to connect to the database you still have running. If you can’t connect, make sure your password is right. If you still can’t connect, then your database isn’t liking something.

9) Since you have WebLogic configured, you now have to configure OIM. It’s pretty straightforward. You point it at the WebLogic address that you set up and the program will register itself. One thing you should look out for is the line OIM HTTP URL. This line should have your WebLogic connection address with a different port. In my silliness installing this once, I had it as the same port; it allowed WebLogic to run, and OIM started up just fine, but after a moment OIM alone would stop, as well as the soa-infra server.

10) Start everything up!

Questions? Feel free to reach out to us at IDMWorks.