
IDMWORKS Blog

How To Integrate OIM12c with OPAM11g


With the release of OIM12c, Oracle no longer bundles the OPAM (Oracle Privileged Account Manager) product, and it will not be included going forward.

Oracle does not support integrating OIM12c with OPAM 11g, so I have set up and tested an unsupported integration, which I am going to share below. This will be useful for those who currently have OIM and OPAM deployed, want to upgrade OIM to 12c, and want to keep their existing OPAM implementation.

Environment
Oracle Linux 7 (VirtualBox)
Oracle 12c Database
OUD12c (this is the OPAM container)
OIM12c (Java 1.8, OIM Middleware Home)
OPAM11g (Java 1.7, OPAM Middleware Home)

Integration Solution
Once you have both OIM and OPAM installed, this is where it gets interesting, because you are using two different WebLogic versions. You will need to make sure that you are using Java 1.7 in the OPAM environment configuration. Several environment variables need to be set before running opamSetup.sh. I am going to list them and how I set them.

APP_SERVER=OPAM WebLogic
OIM_ORACLE_HOME=<OIM 11g>
JAVA_HOME=<JDK 1.7>
MW_HOME=<Middleware for 11g>
WL_HOME=<WebLogic 11g>
DOMAIN_HOME=<OIM12c>
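The following is an added example, not code from the original post: a small pre-flight check for the six variables before opamSetup.sh is started, so a missing path or a wrong JDK is caught before the script gets as far as talking to OIM. It assumes the variable is spelled APP_SERVER and that the value the script expects is the lowercase word weblogic (taken from the OPAM documentation as best recalled; verify against your own copy); the location of opamSetup.sh is passed in as an argument rather than assumed, and every path is a placeholder you replace with your own.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight check for the six
# variables opamSetup.sh reads, plus a guarded way to start the script.
# All paths below are placeholders; the path to opamSetup.sh is an argument.

OPAM_VARS="APP_SERVER OIM_ORACLE_HOME JAVA_HOME MW_HOME WL_HOME DOMAIN_HOME"

# opam_env_ok: succeed only if every variable is non-empty and every
# path variable names an existing directory; report each problem on stderr.
opam_env_ok() {
  rc=0
  for v in $OPAM_VARS; do
    eval "val=\${$v:-}"
    if [ -z "$val" ]; then
      echo "missing: $v" >&2; rc=1
    elif [ "$v" != APP_SERVER ] && [ ! -d "$val" ]; then
      echo "not a directory: $v=$val" >&2; rc=1
    fi
  done
  return $rc
}

# java_version_from_banner: reduce the first line of `java -version`
# (e.g. java version "1.7.0_80") to its major.minor, here 1.7.
java_version_from_banner() {
  printf '%s\n' "$1" | sed -n 's/.*version "\([0-9]*\.[0-9]*\).*/\1/p'
}

# java_home_is_17: the post's requirement that OPAM's setup runs on JDK 1.7.
# $1 is a JAVA_HOME; `java -version` writes its banner to stderr.
java_home_is_17() {
  banner=$("$1/bin/java" -version 2>&1 | head -n 1)
  [ "$(java_version_from_banner "$banner")" = "1.7" ]
}

# run_opam_setup: refuse to start opamSetup.sh unless both checks pass.
# $1 is the full path to opamSetup.sh (not assumed here).
run_opam_setup() {
  opam_env_ok || return 1
  java_home_is_17 "$JAVA_HOME" || { echo "JAVA_HOME is not a 1.7 JDK" >&2; return 1; }
  export $OPAM_VARS
  "$1"
}

# Usage (assignments are placeholders, as in the post):
#   APP_SERVER=weblogic            # assumed value; check your OPAM documentation
#   OIM_ORACLE_HOME=</path/to/OIM 11g home>
#   JAVA_HOME=</path/to/jdk1.7>
#   MW_HOME=</path/to/11g Middleware home>
#   WL_HOME=</path/to/WebLogic 11g>
#   DOMAIN_HOME=</path/to/OIM12c domain>
#   run_opam_setup </path/to/opamSetup.sh>
```

The check is deliberately split from the run: opam_env_ok and java_home_is_17 can be called on their own from the OPAM shell to confirm that the JDK 1.7 requirement is actually met before anything is started.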

Errors
When you run opamSetup.sh, you will find that a couple of the creation steps fail with the following errors.

SEVERE: Cannot create system property Enable OIM-OPAM Integration: error unmarshalling arguments; nested exception is:

java.io.InvalidClassException: oracle.iam.conf.vo.SystemProperty; local class incompatible: stream classdesc serialVersionUID = 6491324116362892284, local class serialVersionUID = -4381079791367100134; nested exception is: java.io.InvalidClassException: oracle.iam.conf.vo.SystemProperty; local class incompatible: stream classdesc serialVersionUID = 6491324116362892284, local class serialVersionUID = -4381079791367100134.

SEVERE: Cannot create IT Resource instance OPAMServer: failed to unmarshal interface Thor.API.tcResultSet; nested exception is:

java.io.InvalidClassException: Thor.API.tcMetaDataSet; local class incompatible: stream classdesc serialVersionUID = 1, local class serialVersionUID = 497665130057943698; nested exception is: java.io.InvalidClassException: Thor.API.tcMetaDataSet; local class incompatible: stream classdesc serialVersionUID = 1, local class serialVersionUID = 497665130057943698.

These two steps have to be completed manually in OIM12c. The InvalidClassException means the OIM client classes OPAM 11g ships were serialized with a different serialVersionUID than the versions present in OIM12c, so those two remote calls cannot be deserialized on the OIM side.

First, create the IT Resource named in the error above (OPAMServer).

The other error means the system property (Enable OIM-OPAM Integration) has to be created in the Catalog.
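As an added example (not part of the original post), the two shell functions below turn opamSetup.sh output into a checklist: which creation steps failed and which classes disagree on their serialVersionUID. The sample input is the log text quoted above; nothing else is assumed.

```shell
#!/bin/sh
# Added example, not from the original post: turn opamSetup.sh output into a
# checklist of the steps that must be redone by hand in OIM 12c.
# Both functions read log text on stdin.

# failed_steps: one line per "SEVERE: Cannot create <kind> <name>: ..." message,
# printing just "<kind> <name>".
failed_steps() {
  sed -n 's/^SEVERE: Cannot create \([^:]*\):.*/\1/p'
}

# uid_mismatches: for every InvalidClassException, print
# "<class> stream=<uid> local=<uid>" once (the message repeats itself).
# stream = serialVersionUID in the data OPAM's client sent,
# local  = serialVersionUID of the class OIM 12c has on its side.
uid_mismatches() {
  grep -o 'InvalidClassException: [^;]*; local class incompatible: stream classdesc serialVersionUID = -\{0,1\}[0-9]*, local class serialVersionUID = -\{0,1\}[0-9]*' |
    sed 's/InvalidClassException: \([^;]*\); local class incompatible: stream classdesc serialVersionUID = \(-\{0,1\}[0-9]*\), local class serialVersionUID = \(-\{0,1\}[0-9]*\)/\1 stream=\2 local=\3/' |
    sort -u
}

# SAMPLE_LOG is the opamSetup.sh output quoted in the post.
SAMPLE_LOG='SEVERE: Cannot create system property Enable OIM-OPAM Integration: error unmarshalling arguments; nested exception is:
java.io.InvalidClassException: oracle.iam.conf.vo.SystemProperty; local class incompatible: stream classdesc serialVersionUID = 6491324116362892284, local class serialVersionUID = -4381079791367100134; nested exception is: java.io.InvalidClassException: oracle.iam.conf.vo.SystemProperty; local class incompatible: stream classdesc serialVersionUID = 6491324116362892284, local class serialVersionUID = -4381079791367100134.
SEVERE: Cannot create IT Resource instance OPAMServer: failed to unmarshal interface Thor.API.tcResultSet; nested exception is:
java.io.InvalidClassException: Thor.API.tcMetaDataSet; local class incompatible: stream classdesc serialVersionUID = 1, local class serialVersionUID = 497665130057943698; nested exception is: java.io.InvalidClassException: Thor.API.tcMetaDataSet; local class incompatible: stream classdesc serialVersionUID = 1, local class serialVersionUID = 497665130057943698.'

echo "Steps to redo by hand:"
printf '%s\n' "$SAMPLE_LOG" | failed_steps
echo "Class versions that disagree:"
printf '%s\n' "$SAMPLE_LOG" | uid_mismatches
```

On a real run, pipe the script's output (or the log file it wrote) into failed_steps instead of SAMPLE_LOG; each line it prints is one object to recreate in OIM12c.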

Conclusion
In this post my main goal was to set up OIM12c to integrate with OPAM 11g. One additional step I have not covered here, since it is part of the standard OPAM configuration, is adding the OPAM CA certificate to the OIM keystore. I also installed the LDAP connector in OIM since I am using OUD. I created the tags in the Catalog and associated the tags in the UI. Now when I go to Request Access I am able to use the newly created tags as part of the search criteria.

In my example I used “opam” in the cert tags field to get information.

I can also do a search on the OPAM tag and retrieve information to select from as well. I searched on “database”. I could also do the same for “unix” for example.

Now, as a requester, you can request these entitlements in OIM; upon approval you are granted the entitlement, which in OPAM gives you the ability to check out the privileged accounts associated with it.

Questions, comments or concerns? Feel free to reach out to us below, or email us at IDMWORKS to learn more about how you can protect your organization and customers.
