Popular Posts

Adding Custom Images in the NetIQ Access Governance Suite (AGS) Email Template (SailPoint too)
Governance
Many of our customers are keen to add the company logo in the standard email template in NetIQ Access ...
Oracle Identity Manager Basics: Creating a Custom Adapter in OIM 11g
Identity Management
The purpose of this entry is to explain how to create a custom adapter in OIM. The adapter will write to an external file...
Oracle Identity Manager Basics: Creating a Custom Resource Object in OIM 11g
User Provisioning
The process to create a custom resource object in Oracle IDM 11g is straightforward. There are only a couple high l...

IDMWORKS : Blog

Recent blog posts
Oracle Access Manager (OAM) 11g Auditing Tips
Let's say you want to enable auditing with OAM 11g so you can see successful/failed authentication and authorization events. You will commonly see documentation telling you to simply change the Audit Policy settings for your WebLogic domain in Enterprise Manager (see below) to enable OAM auditing.
[Image: Oracle Enterprise Manager - Audit Policy]
Actually, there's an additional step that you will need to take to fully enable the auditing. Log in to the OAM Console and navigate to the System Configuration tab. Choose Common Settings, and under Audit Configuration (see below) you will see an...
Hits: 126
Common OID 11g Installation Issue on MSWin 2K8r2 Server
If you're configuring OID 11g on a Windows 2008r2 server, you might encounter strange behavior when running config.bat when OID tries to start: "Start Oracle Internet Directory: Failed". After digging through the logs, you'll indeed find errors related to starting OIDLDAPD. It turns out it's an easy fix. You'll need to install the Microsoft Loopback adapter on the server. Here's how:
  • Go to Device Manager
  • Right-click on the computer name at the top of the window and choose "Add Legacy Hardware" then...
Hits: 74
CA SiteMinder Agent Cache - Performance Best Practices
The CA SiteMinder Web Agent stores user session and resource information in cache memory. This technique improves the Web Agent efficiency because it does not have to retrieve information from the Policy Server each time a user requests access. Web Agents store contextual information pertaining to user access privileges in a session cache.
By tuning the cache settings, you can better manage how information is stored. The size of the cache is measured by the number of cache entries. The total number of entries in each cache can NOT exceed the maximum cache size...
Hits: 105
Identity Vault - Unable to connect to Linux/Unix Remote Loader Driver
Checklist for solving error (-9006) Detail from driver
The Linux/Unix driver uses embedded Remote Loader Technology to communicate with the Identity Vault -- bi-directionally synchronizing changes between the Identity Vault and the connected system. Newcomers to Identity Manager commonly come face-to-face with the above error.
The checklist below will save hours upon hours of undesired debugging efforts.
1. Ensure the Remote Loader is installed/initiated on the Linux/Unix system. Type “rdxml” in the command line. If the command is NOT recognized, install the Remote Loader: http://download.novell.com/index.jsp
2. Start the Remote...
Hits: 87
SailPoint Certification Exclusion Rules
One of the goals of a certification is to provide certifiers with a succinct list of items to be reviewed. Default values, low-risk entitlements, and distribution groups can commonly be removed from a certification.
It is also common to have application entitlements reviewed by one user and other entitlements by a separate user. To remove various items from a SailPoint Certification, an Exclusion Rule is employed. The Exclusion Rule iterates over the items in a certification and removes items based on logic built within the rule. The matching items are removed from the "active list" and added to a list of items...
Hits: 143
Creating Self-Signed SSL Certificate for Oracle Internet Directory (OID) using WLST
While creating a Self-Signed Certificate for OID v11.1.1.5 (using WLST) I realized that many commands contained in Oracle's documentation were either outdated or incorrect. The below is a quick run-through of the commands necessary to create the necessary certificate and then update OID to make use of it. Feel free to independently examine the original commands in the OID Administration Guide but I've found that the modifications below are required to successfully configure SSL in OID. These steps originate from Fusion Middleware Administration Guide for OID - 26.3 "Configuring SSL...
Hits: 246

Posted by on in Identity Management
DIP, Oracle, and Strong Encryption
In attempting to connect DIP to a third party (Tivoli) LDAP, I received an error that complained - "RSA premaster secret error" as well as a warning - "Simple bind failed." After some exploration, it was discovered that the SSL key Tivoli used was too large (> 64 bits).
Out-of-the-Box Oracle does NOT support "strong encryption" due to US Export Restrictions in its Java installations. As a result, "Unrestricted JCE Policy Files" need to be installed. You can download those files on Oracle's site after agreeing to the terms (including the US Export Restrictions): http://www.oracle.com/technetwork/java/javase/downloads/jce-6-download-429243.html
Then, copy the...
Hits: 118
Quick Tip: Changing Java Heap Size for OIM
A common tuning step you'll see to help your OIM performance is to increase the Java Heap size for the WebLogic servers. The problem is, it's hard to find a consensus among the various pieces of Oracle documentation. Hopefully this blog post clears up some of the confusion.
Recommendation
IDMWORKS recommends the following steps for changing the Java Heap size:
1. Discover the $DOMAIN_HOME/bin directory
2. Edit the file called "setDomainEnv.sh" (setDomainEnv.cmd on Windows)
3. Find the line which checks the USER_MEM_ARGS variable (somewhere around line 350 (259 on Windows))
Example: # IF USER_MEM_ARGS the...
Hits: 177
Using Custom Java in BI Publisher Reports
BI Publisher is a powerful tool for reporting. As the out-of-the-box report(s) solution available for Oracle Identity Management products, BI Publisher provides a ton of useful reporting capabilities. It is sometimes necessary to create custom reports that are tailored for specific needs and we have a great tool for adding functionality: your own custom Java code. Using this method, you can do some cool things like complicated logic, transformation, and more... Here's how it's done.
Create Custom Java Class
Start by creating your Java class (using Eclipse* for example) and create a JAR file. The functionality can be as...
Hits: 233
Oracle Identity Manager (OIM) - Challenge Question Limitation
Recently, working on a Challenge Question issue in OIM, the customer defined a specific question which was 64 characters (total length), and when users attempted to use the question an error message was displayed. Due to this information being stored within a database table, there is a limit for the character length of the question(s) and answer(s). Unfortunately, this information is not well documented by Oracle within the readily available documentation.
Investigating the OIM Table Schema
At a glance, one might think you can use up to 100 and 256 characters for questions and answers...
Hits: 197
Components in Oracle Access Manager (OAM) 10g to consider for performance tuning LDAP Directory and Data Database(s) Oracle Access Manager Web Server(s) Network Tuning Caches OAM Server Recommendations To improve reliability, Oracle recommends that you install and operate identity and access servers on independent and dedicated hardware/resources. As an example, consider a small Oracle Access Manager deployment for up to 15,000 users. You could use four server-class computers: two installed with Identity Server and two installed with Access Server, with IP switching technology in front of each pair to provide load balancing and failover. When your deployment has light load conditions, where...
Hits: 304
NetIQ IDM4 - Monitoring Using Operations Center
One of the primary uses for Operations Center is to build & display Business Service Models that represent a holistic view of a customer's Business Application(s). It is desirable to include within a Business Model the overall "health & wellness" of IDM4 and its associated drivers.
The Possibilities
By using Operations Center's ability to integrate with many different health & performance monitoring tools, it is possible to add NetIQ IDM4 into the mix to show such things as:
  • IDM4 Individual Driver Health
  • IDM4 Driver Unprocessed Cache
  • CPU Utilization of the IDM4 Server
  • Java Heap usage within IDM4
It...
Hits: 150
Oracle Identity Manager 11gR1 Tuning Considerations
Oracle Identity Manager (OIM) is a powerful tool for organizations to manage user accounts across many systems. Because it is such a key piece of the IT/IS puzzle, it becomes critical to produce high performance from within. While Oracle provides some baseline sizing recommendations and other resource tuning steps, some of the documentation is incomplete and at times contradictory. This guide should help clear up confusion regarding OIM performance tuning.
Sizing:
One of the most important improvements you can make for performance is allocating enough resources on your OIM servers. Based on Oracle's OIM 11g "Sizing Guide," you...
Hits: 339
Oracle Identity Governance Suite 11g Essentials Exam
Here are some notes on the Oracle Identity Governance Suite 11g Essentials Exam (1Z1-459). There were 139 questions with a 2 1/2 hour time limit. I took about 90-95 minutes before I called it good enough. I'm going to go through topic by topic to anything I think you should focus on. I will say to start, they asked for a lot more detailed questions about stuff that I would call nitpicky type stuff than I expected. There were a lot of pick 3 answer questions. They asked a lot about specific APIs to...
Hits: 606
Deleting Certifications from NetIQ AGS & Sailpoint Identity IQ
As ofttimes happens, we find the need to delete a certification after it has been created in Net IQ’s AGS and/or Sailpoint’s Identity IQ. Unfortunately there is no way to delete the certification from the standard User Interface.
To delete a certification from NetIQ AGS and/or Sailpoint Identity IQ, the Administrator needs to go to the AGS/IIQ console and follow the below steps:
  • Navigate to /$AppServer_Home/webapps/ags(iiq)/WEB-INF/bin
  • Based on the tool you are using, type “./ags console” or “./iiq console”
  • Type “list certificationgroup” and identify the certificationgroup to be removed
  • Type...
Hits: 634
Resolving an “Export Failed” Error in OIM Deployment Manager
The Problem
Recently I experienced a strange issue when using the OIM 11g Deployment Manager export feature. After selecting the artifacts to export and specifying a file name and location for the XML file, an unfortunately timed “Export Failed” dialog box appears. Usually the first place you look when this happens is the OIM logs on the server to figure out what’s wrong. On this occasion, everything looked normal in the logs and there were no error messages or any signs of trouble. It turns out the problem was locally on the...
Hits: 298
Changing the Password of the ORCLADMIN Account
We’ve all done it. Whether or not we had to do a Proof of Concept, a demo or installing Fusion Middleware applications before integrating them with other Enterprise applications. When prompted to enter a password for the ORCLADMIN account we often quickly enter a password that is simple and quick to remember (and password policies are not enforced during the install). So now we end up with an Oracle Internet Directory (for example) installation containing a simple password for the superuser account, which creates potential security risks and comes to the attention of Security groups....
Hits: 384
Novell Operations Center (NOC) Controlling Adapters from a Formula Script
In Novell Operations Center (NOC), connections to outside data sources are made through Adapters. It might be that the customer would like to have a backup Adapter to a given data source but not want to buy a license for more than one Adapter of a given type. There is a way to solve this issue. Since an Adapter can be defined (and NOT started) even if no license exists, it is possible to define the second Adapter, configure it as Stopped and then using a Formula Script (really just Java...
Hits: 353
Managing Active Directory with the NetIQ Directory & Resource Administrator
First let us review some of the challenges in administering AD and LDAP in general:
Directory structures are inflexible
Changing AD once it is implemented to meet changing administrative or organizational needs is difficult.
Delegating and “un-delegating” access is a royal pain
Delegating account administration access is possible using native Active Directory technologies. However, without extensive documentation of these delegations, modifying or removing delegation is very difficult. Limiting what objects or properties a user can manage is easy enough but the ongoing maintenance presents a significant challenge. In addition, using only native...
Hits: 640
Integrating NetIQ (Novell) Identity Manager (IDM) with Aveksa Compliance Manager (ACM)
Steps to Entitlement Provisioning:
  • Install the “Role Based Provisioning Module”, which installs the Webservice to connect IDM and ACM
  • Create the “User application” and “Role and Provisioning” drivers (these drivers can be configured to hold the entitlements and role information)
  • Enable the Novell Plugin in the plugin folder on the Aveksa server; this creates a fulfillment workflow handler with the IDM connection information for provisioning.
_______________________________
If Entitlements are enabled on the IDM, create the Application and Entitlement collector. Configure the fulfillment handler generated under the request tab for the...
Hits: 349
