Oracle Identity Manager Basics: Creating a Custom Adapter in OIM 11g
Identity Management
Oracle Identity Manager Basics: Creating a Custom Adapter in OIM 11g The purpose of this entry is to explain how to create a custom adapter in OIM. The adapter will write to an external file...
Externalizing Authorization from Applications using Oracle Entitlements Server
Identity Management
Typically in a private cloud scenario you might have a data center with a hardware grid hosting a middle-ware platform so let's take the next step: You have the departmental application owners bu...
OIM: Manually Revoking a Stuck Resource Object through the Database
Identity Management
Oracle Identity Manager: Manually Revoking a Stuck Resource Object through the Database Have you ever had a Resource Object stuck in a Pending or Provisioning state that you just couldn't do anythi...


Recent blog posts
Recently at a client we were seeing intermittent Authentication errors with the following in the logs: Caused by: javax.security.auth.login.FailedLoginException: [Security:090304]Authentication Failed: User xelsysadm javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User xelsysadm denied         at weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.login(LDAPAtnLoginModuleImpl.java:261)   We were not seeing the issues regularly, only during periods of high activity.   As a result of not being able to replicate the issue reliably, we had problems understanding what was going on. The user existed in the Identity Store (LDAP), was seen in the Weblogic Users section, and was viewable in OIM.  Sometimes the user would work and sometimes it would not.  We could not reliably define...
Hits: 78
Odds are if you have worked with drivers in the Novell/NetIQ Identity Management (IDM) product you have seen the following error at least once: "Code(-9010) An exception occurred: novell.jclient.JCException: createEntry -613 ERR_SYNTAX_VIOLATION" This error can cause untold amounts of frustration for developers and support technicians who attempt to determine the cause of the error. While the error does a great job of telling you why a transaction did not succeed (a syntax violation, as indicated in the message), it does not do a very good job of describing which syntax violation was encountered. In fact, there are at least three...
Hits: 98
While recently working with NetIQ IDM 4.02 and NetIQ eDirectory 8.8.7 IR 7, we had an issue arise and wanted to pass along the solution. When deleting an object which has been verified to have an association, all drivers in a driver set have a delete event generated that does not have an association on it.  This causes events that are triggered by this to not function as designed. This is a sample of what the delete event looks like for this issue: <nds dtdversion="4.0" ndsversion="8.x">   <source>     <product edition="Standard" version="">DirXML</product>     <contact>Novell, Inc.</contact>   </source>   <input>...
Hits: 130
Today I thought about using Active Directory for authentication on Domain Controllers that didn't do LDAP over SSL (LDAPS). So after some work on it, here's the solution to enable it. I found a few posts online but they didn't seem to be written very clearly for an environment with a Certificate Authority (CA) not on a Domain Controller (DC). I found that all you really have to do is give the DC the correct type of certificate and it will automatically do LDAP over SSL. An important requirement here is that I don't want to force connections to use LDAP over SSL, but rather just enable it...
Hits: 230
I was introduced to this method of investigating Event Handlers using Enterprise Manager by a colleague.  The only other time I've seen it referenced was a quick reference in some of the OIM Developer documentation.  I've found this useful when beginning the Event Handler debug process. The basic premise of this method is to utilize Enterprise Manager to handle querying the MBean for the User and Operation.  I'll walk you through how to access the functionality (the screenshots are 11gR2 PS2 but the steps are applicable to any version of OIM 11gR2).  Open the Enterprise Manager that is associated with the Admin Server...
Hits: 312

One of the new features in OAM 11g R2 PS2 ( is called Persistent Login also known as Remember Me. Basically this means that OAM will have the option to remember a user’s session for some defined period of time so even if they close their browser, they’ll be able to log back in again without providing credentials. 

This is a common feature you see on many websites, but up until this point, in OAM 11g this feature was not available. It was possible with custom code but it was not out-of-the-box. Now with PS2, this is an out-of-the-box feature. In this blog post we will give you some pointers on configuring this new feature, with special emphasis on a few key points you won’t find in the Oracle documentation.

Hits: 231

Provisioning Microsoft Exchange accounts via NetIQ Identity Management (IDM) is a very common process.  With IDM 4.0 you can now provision mailboxes to Exchange 2013.  The big catch is that in order to provision to this version of Exchange you are required to go through the Windows PowerShell interface.  Following the NetIQ AD driver documentation for IDM 4.0 you will be able to easily get everything set up.  This means finding a server that you can install the following items: IDM 4.0 Remote Loader (configured for the AD driver) By default the remote loader and AD driver installed with the standard...
Hits: 330
In the past few months we have seen some cases where the out of the box Enterprise Manager (Fusion Middleware Control) ceases to function in an Identity Management deployment. In a recent example, we’ve seen this JSP error: A common troubleshooting step in this case is to remove the tmp directory from $DOMAIN_HOME/servers/AdminServer/, but in our experience this did not solve the issue. In the end, the solution was to redeploy the EM ear file along with all of its library dependencies. In this blog post, we will walk you through this process.  DISCLAIMER: Before attempting these steps, you should backup...
Hits: 221
CA IdentityMinder is a great application for managing identities and assigning roles and tasks. All of these identities end up residing on some form of LDAP or a relational database with very specific schemas and "well known" attribute assignments. One of the most used well known attributes is "admin roles". It is supposed to be assigned to an attribute that is multi-valued, since people could have multiple roles. For example, in my sample environment I used the registeredAddress attribute to hold my admin roles. However, when dealing with these kinds of attributes one has to pay close attention to the search criteria....
Hits: 248
In this post, we are going to walk through creating a custom managed bean to conditionally display an OIM form field. The OIM UI customization use case: Create a disconnected application instance, MainframeAccess, in /sysadm; the MainframeAccess form will be created by default. Add 2 UDFs to the custom request form: 1. lookup field: RequestDataAccessTool, with values 'test1', 'test2' and 'Other (Please List)' 2. input text field: Other. The UDF field 'Other' will be displayed only when the value 'Other (Please List)' is selected from the RequestDataAccessTool dropdown box. Steps to create a custom managed bean to show the 'Other' field conditionally: 1. Create sandbox: MainframeDB2. Create...
Hits: 367
How many times have you loaded WinSCP, Eclipse, Apache Directory Studio, etc. on a fresh machine and have had an error popup saying the application can't find Java? Below are simple directions on how to set JAVA_HOME and modify PATH to include Java. I'll mention this now before you get copy-paste happy: the two paths are different, so pay attention to the paths in the examples. In Windows: 1. Click on the Windows Start button 2. Right-click on Computer and select Properties 3. Click on Advanced System Settings 4. Under the Advanced tab, click...
Hits: 286
On Aug. 19th at 4:00 p.m. EST, Chad Cromwell, IDMWorks CTO, will present a brief webinar: Seamless Directory Integration & SCIM Provisioning. The webinar will show how our IdentityForge suite of products, ForgeDS and ForgeIE, can help maintain and provision identities to on-premise target systems as well as cloud systems. During the webinar we will give a brief high-level overview of our products, our Identity Directory Store, and our Identity Gateway (Utilizing SCIM & LDAP). We will also demo these in action with a few of our target connectors: RACF, NonStop & ServiceNow. ...
Hits: 1071
Until recently, 2-factor strong authentication has usually had extra cost and complexity associated with it. In OAM 11g R2 PS2, Oracle has sought to eliminate a lot of this with the introduction of Oracle Mobile Authenticator (OMA). Support for OMA ships out of the box with PS2 and setup is fairly straightforward. This blog post will walk you through configuring OMA from start to finish, and we’ll also share some of the tips and tricks we learned along the way. At a high level, OMA requires that you configure the OAuth Service in OAM for secret key generation. Next, you will...
Hits: 650
One of the connectors for NetIQ Identity Manager is the SOAP driver. It can be used to transform directory changes into SOAP API calls. In general, a single change to an object in the directory results in a single API call being performed. However, what happens when you need to make multiple API calls based on a single change? Or if your SOAP endpoint has multiple databases and requires separate calls for each? Typically, an XSLT stylesheet is developed to transform the XML event into the SOAP message. Below is an example of an add event being converted into a...
Hits: 356
The challenge is: how do you make Aveksa Compliance Manager automatically create a user account object in Active Directory after running a collection (and unification) for all new users? This should be pretty easy, right? It's not as easy as you think, so I built a mindmap which explains the process: Create an AFX connector, and make sure that you enable the following functions: Create, Update and Add to AD Group. Create an Application (and collectors) and associate the AFX connector with this Application. Make sure you collect Account, Account Mappings and Groups. Create an Account Template (it needs to...
Hits: 492
Certifications are one of the major components of NetIQ's Access Governance Suite (AGS). Great time and work is taken before the certifications are generated to make sure each certification item is routed to the correct person. However, there are times when certification items need to be moved to another person. AGS offers three different ways of moving ownership of a certification item to another user, and each differs slightly. The preferred method will depend on how the certification is to be run and the business rules of the organization. To try to avoid some confusion, here are the definitions for Forwarding,...
Hits: 418
This is part 2 of a 2 part series. In part 1, we discussed developing these web service wrappers and handling security for both the OIM credentials and web service endpoints. In part 2, we'll demonstrate how to invoke these web services from your BPEL Approval Workflow (and even how to store your web service user credentials in the CSF).  One quick note: We received some great feedback on part 1 (thanks everyone!). One suggestion we wanted to pass along was to use Fault Policies around your web service calls to retry the operation in the event of network issues. We...
Hits: 510
When we are working with a client to support a new Cloud or Enterprise system for integration with our IdentityForge suite of products, our first question to clients is usually, "Can we include an agent?" As a result, I often find myself answering variations of the question, "Why are agent-based approaches so important for identity information matters?" The reason we feel this is important is that we want to provide real value to our current and future customers. To achieve maximum ROI from their information security investments, we want to provide them with the ability to access data on the target...
Hits: 400
Leading enterprise and cloud integration software provides effective and secure synchronization between cloud-based IT automation and service management solution and enterprise information security infrastructure. MIAMI, FL (PRWEB) June 16, 2014 IdentityForge, an IDMWORKS company, today announced the availability of the Advanced Adapter for ServiceNow®. Acquired by IDMWORKS in March 2014, IdentityForge is a global leader in providing enterprise and cloud integration software for identity & access management (IAM), biometric, governance and risk, monitoring, modernization projects and custom solutions for both private and public entities. ServiceNow is a popular platform-as-a-service provider of IT service management software, and is used by many Fortune...
Hits: 307
Overview: In this paper, we are going to walk through setting up Mobile & Social so we can log in to a protected page using a Google account. My starting point is a fresh install of OAM R2 PS2 ( I also have OHS installed ( with an 11g Webgate. For my Identity Store, I have a fresh instance of OUD, also ...
Hits: 496