
Monday, September 29, 2014

pmrun command to login as power user



Suppose you have admin access through idmuser. Once you log in to a Linux or Solaris machine, you have to run pmrun (process management run) to switch to the admin user, which has full access.

Run the following command. It changes your login to idmuser, and the session runs in the Korn shell (ksh):

./pmrun -u idmuser ksh
 
 
 

Friday, September 26, 2014

OIM11g R2: Adding UDF Fields In Set Challenge Question/Answers Page For First time Logging


Question:
OIM11g R2: Adding UDF Fields In Set Challenge Question/Answers Page For First time Logging

Answer:
User Defined Field(UDF) is not supported.

Adding a UDF to the first-time login page (or, for that matter, to any page that contains the challenge questions and answers) is not supported.

Thursday, September 25, 2014

OID 10g backup naming contexts command


Here is an example of backing up the naming contexts. The second command generates an output file that can be used for a restore.

Back up the naming contexts:
1. Identify the replication agreement DN created:

ldapsearch -h supplier_host -p port \
           -b "orclreplicaid=supplier_replicaID,cn=replication configuration" \
           -s sub "(orclreplicadn=orclreplicaid=consumer_replica_ID,cn=replication configuration)" dn

2. On the supplier, use the following command to get the data from the supplier. The data loaded into the file is based on the agreement configured:
ldifwrite connect="connect_string_of_sponsor_node" \
          basedn="replication_agreement_dn_retrieved_in_step_1" \
          file="name_of_output_LDIF_file"

OID 10g changing supplier Directory server into read/write mode


Change the Directory Server at the Supplier to Read/Write Mode
 
Change the directory server on the supplier to read/write mode. To do this:
  1. Create an LDIF file containing the following:
    dn:
    changetype: modify
    replace: orclservermode
    orclservermode: rw


  2. Run the following command:
    ldapmodify -D "cn=orcladmin" -w administrator_password \
               -h host_name_of_supplier_node -p port -f name_of_LDIF_file

Wednesday, September 24, 2014

OID 10g deleting replica from replication group command

Delete the Replica from the Replication Group

Do this by using the Replication Environment Management Tool. Enter:
remtool -pdelnode [-v] [-bind hostname:port_number/replication_dn_password]
 
 

OID 10g confirming replication servers are started and start replication commands


To Ensure the Directory Replication Servers are Started commands
The exact procedure for starting the replication servers depends on whether this is a one-way or a two-way replica.
  • For one-way LDAP replication, you must start the replication server at the consumer. Type:
    oidctl server=oidrepld connect=connect_string_of_consumer_replica \
       instance=instance_number_of_consumer_replica \
       flags="-p port_of_oid_server_running_at_consumer \
              -h hostname_of_sponsor_replica -m false" start


    Using the -m false option is recommended when starting the Oracle Internet Directory replication server at the consumer for one-way LDAP replication. It disables conflict resolution for better performance.
  • For two-way LDAP replication, you must start the Oracle Internet Directory replication servers at both the sponsor replica and the new replica, as follows:
    1. Start or restart the replication server at the sponsor replica. Type:
      oidctl server=oidrepld connect=connect_string_of_sponsor_replica \
         instance=instance_number_of_sponsor_replica \
         flags="-p port_of_oid_server_running_at_sponsor_replica \
                -h hostname_of_consumer_replica" start


    2. Start the replication server at the new replica. Type:
      oidctl server=oidrepld connect=connect_string_of_consumer_replica \
          instance=instance_number_of_consumer_replica \
          flags="-p port_of_oid_server_running_at_new_replica \
                 -h hostname_of_consumer_replica" start
       
      

 
When the replication server is started, it will start to bootstrap the data from the supplier to the consumer. Once the bootstrap has completed successfully, the replication server will automatically change to ONLINE mode to process changes from the supplier to the consumer.
 

OID 10g compare and reconcile supplier and consumer


Use the Oracle Internet Directory Comparison and Reconciliation Tool to compare and reconcile the new supplier and consumer. For a one-way agreement, type:
oidcmprec operation=reconcile \
   source=new_supplier_host:port/new_supplier_replication_dn_passwd \
   destination=consumer_host:port/consumer_replication_dn_passwd \
   base='""' scope=sub

For a two-way agreement, type:
oidcmprec operation=merge \
   source=new_supplier_host:port/new_supplier_replication_dn_passwd \
   destination=consumer_host:port/consumer_replication_dn_passwd \
   base='""' scope=sub

This example assumes that the entire directory is replicated and, therefore, that base is set to "". If you are using partial replication, use the base and dns2exclude arguments of the oidcmprec tool to include the desired DIT.

 

OID 10g changing replication manager password remtool chgpwd


When required, you can change the password for the replication administrator database account on all nodes of a DRG using Oracle Database Advanced Replication by using the -chgpwd argument to the Replication Environment Management Tool, remtool.

 To use this argument, enter:
remtool -chgpwd


The remtool utility then prompts you for the MDS Global Name (that is, the name of the Master Definition Site), the current password, and the new password. It then asks you to confirm the new password. If you enter an incorrect current password, you must run the Replication Environment Management Tool again.


You can also use the -pchgpwd argument to remtool to change the password of the replication DN of a replica.

To change the password only in the replication wallet, $ORACLE_HOME/dap/admin, use the -pchgwalpwd argument to remtool.

To use this argument, enter:
remtool -pchgwalpwd

 

OID commands cheat sheet, must-have commands for quick reference

Cheat sheet for OID commands. It is better to keep a copy of these commands on local disk instead of searching for them every time.


Start, stop and status of the OID server

To start OID:
${ORACLE_HOME}/opmn/bin/opmnctl startall


To stop:
${ORACLE_HOME}/opmn/bin/opmnctl stopall

To get OID process status using opmnctl:
${ORACLE_HOME}/opmn/bin/opmnctl status

To get OID process using oidctl (OID Version 11g and higher):
${ORACLE_HOME}/bin/oidctl connect=oiddb status

To start a specific OID instance using opmnctl:
${ORACLE_HOME}/opmn/bin/opmnctl startproc ias-component=oid1

other useful commands

The following example searches for all entries with any value for the objectclass attribute.
ldapsearch -p 389 -h sun1 -b "ou=hr, o=acme, c=us" -s subtree "objectclass=*"


The following example searches for all entries that have orcl at the beginning of the value for the objectclass attribute.
ldapsearch -p 389 -h sun1 -b "ou=hr, o=acme, c=us" -s subtree "objectclass=orcl*"


The following example searches for entries where the objectclass attribute begins with orcl and cn begins with foo.
ldapsearch -p 389 -h sun1 -b "ou=hr, o=acme, c=us" \
          -s subtree "(&(objectclass=orcl*)(cn=foo*))"


The following example searches for entries in which cn begins with foo or sn begins with bar.
ldapsearch -p 389 -h sun1 -b "ou=hr, o=acme, c=us" \
          -s subtree "(|(cn=foo*)(sn=bar*))"


The following example searches for entries in which employeenumber is less than or equal to 10000.
ldapsearch -p 389 -h sun1 -b "ou=hr, o=acme, c=us" \
           -s subtree "employeenumber<=10000"



Test if you can bind (connect) to the OID server:
$ ldapbind -p 389 -h my-host-name
bind successful
Add OID entries
Add an entry/ entries to the OID server:
$ ldapadd -h my-host-name -p 389 -D "cn=orcladmin" -w password -f onames.ldif


Lookup OID entries
Lookup an SQL*Net Service Name (in the example below, extract orclnetdescstring for TESTENTRY) in the OID directory:
$ ldapsearch -h my-host-name -p 389 -D "cn=orcladmin" -w password -b "cn=MYTEST,cn=OracleContext,dc=mycompany,dc=com" -s base "objectclass=*" orclnetdescstring


Lookup all user information using the mail attribute as the filter under a specified domain
$ ldapsearch -h my-host-name -p 389 -D "cn=orcladmin" -w password -b "dc=mycompany,dc=com" -s sub "mail=*"


Lookup a specific user in LDAP using a specific mail value
$ ldapsearch -h my-host-name -p 389 -D "cn=orcladmin" -w password -b "dc=mycompany,dc=com" -s sub "mail=shahbaz@orasystemsusa.com"


Lookup a specific user in LDAP, returning only the values of the mail, uid and cn attributes.
$ ldapsearch -h my-host-name -p 389 -D "cn=orcladmin" -w mypassword -b "dc=mycompany,dc=com" -s sub "mail=shahbaz@orasystemsusa.com" mail uid cn


Lookup all user information using the inetorgperson object class as the filter under a specified domain, returning only the dn record
$ ldapsearch -h my-host-name -p 389 -D "cn=orcladmin" -w password -b "dc=mycompany,dc=com" -s sub "objectclass=inetorgperson" dn


Modify an OID entry
$ ldapmodify -h my-host-name -p 389 -D cn=orcladmin -w password -c -v -f <filename>.ldif

Delete an OID entry
$ ldapdelete -h my-host-name -p 389 -D "cn=orcladmin" -w password "cn=MYTEST,cn=OracleContext,dc=mycompany,dc=com"


Diagnostic Data
The following can only be performed on 11G and above.
$ oidctl connect=oiddb status -diag

    

To check whether a user's account is locked, run the following command:

ldapsearch -h <OID host> -p <oid port> -D cn=orcladmin -w <password> -b "<DN of the user>" -s sub "objectclass=*" oblogintrycount oblockedon oblockouttime pwdaccountlockedtime


To see or export all the members of a particular group, run the following command. You can redirect the output into a file:

ldapsearch -h host -p port -D "bind account" -q "cn=group" "uniquemember" > allmember.txt


Command to see all the groups a user is a member of

Due to the fact that group memberships are maintained as attributes belonging to the group entry, it is not possible to view the groups that a particular user is a member of from ODSM. It is however possible to list the groups a user belongs to via command line.

Log in to the Server running OID, and enter the following command to return the list of groups to which a particular user belongs. Substitute the parameters in italics for the appropriate values, and enter the bind account password when prompted.

ldapsearch -h host -p port -D "bind account" -q "uniquemember=user dn" "dn"
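
Most commands in this cheat sheet pass the bind password with -w, and the oidcmprec and remtool examples on this page embed the replication DN password as host:port/password, so those values land in shell history and in the process list; the last two commands above use -q and are prompted instead. The following is an added example, not part of the original post: a POSIX shell function that audits a saved runbook or script for those three patterns. The function names and the sample file are assumptions, and the sample is constructed from commands shown on this page.

```shell
#!/bin/sh
# Added example, not from the original post.
# audit_cli_passwords FILE
#   Prints "<first line of command>: <finding>" for every command in FILE that
#   carries a credential as a command-line argument.
#   Returns 1 if anything was found, 0 if the file is clean.
audit_cli_passwords() {
    awk '
    function report(n, msg) { print n ": " msg; found = 1 }
    function check(cmd, n,    tool) {
        # ldapsearch/ldapmodify/ldapadd/ldapdelete/ldapbind with "-w <value>"
        if (match(cmd, /ldap(search|modify|add|delete|bind)/)) {
            tool = substr(cmd, RSTART, RLENGTH)
            if ((" " cmd) ~ /[ \t]-w[ \t]+[^ \t]/)
                report(n, tool " bind password after -w")
        }
        # oidcmprec source=host:port/password or destination=host:port/password
        if (cmd ~ /oidcmprec/ && cmd ~ /(source|destination)=[^ \t]+:[0-9]+\/[^ \t]+/)
            report(n, "oidcmprec password in source=/destination=")
        # remtool -bind host:port/password
        if (cmd ~ /remtool/ && cmd ~ /-bind[ \t]+[^ \t]+:[0-9]+\/[^ \t]+/)
            report(n, "remtool password in -bind")
    }
    buf == "" && /^[ \t]*#/ { next }          # skip comment lines
    {
        if (buf == "") start = NR             # line where this command begins
        line = $0
        # a trailing backslash continues the command on the next line
        if (sub(/[ \t]*\\[ \t]*$/, " ", line)) { buf = buf line; next }
        check(buf line, start)
        buf = ""
    }
    END { if (buf != "") check(buf, start); exit found + 0 }
    ' "$1"
}

# Constructed sample input (hypothetical runbook built from this page's commands).
make_sample_runbook() {
    cat > "$1" <<'EOF'
# constructed runbook fragment, assembled from commands shown on this page
ldapsearch -h my-host-name -p 389 -D "cn=orcladmin" -w password -b "dc=mycompany,dc=com" -s sub "mail=*"
ldapmodify -D cn=orcladmin -q -p 389 -h my-host-name -f mod.ldif
oidcmprec operation=merge scope=subtree \
   source=myhost1.mycom.com:389/replication_dn_pwd \
   destination=myhost2.mycom.com:389/replication_dn_pwd
remtool -pverify -bind my-host-name:389/replication_dn_password
remtool -chgpwd
EOF
}

sample=$(mktemp)
make_sample_runbook "$sample"
audit_cli_passwords "$sample" || echo "credentials found on command lines in $sample"
rm -f "$sample"
```

Lines that use -q, and remtool -chgpwd, which prompts for the passwords, are not reported.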

OID 10g command of breaking old replication agreement and setting up new agreement



If the middle supplier fails (A-->B<-->C, and B has failed), you have to create a new supplier (D) and a new replication agreement (A-->C<-->D). To do that, break the old replication agreement between the old supplier and the consumer and set up a new agreement between the new supplier and the consumer by using the Replication Environment Management Tool. Type:


remtool -pchgmaster [-v] [-bind consumer_host:port_number/replication_dn_password]

OID 10g cleaning up replication agreement after failure or down server



You can clean up a replication agreement by using the Replication Environment Management Tool. Type:


remtool -pcleanup -agrmt [-v] [-bind consumer_host:port_number/replication_dn_password]

OID 10g command to search attribute value


Use the command below to find the value of any object:

ldapsearch -h <OID_host> -p <OID_port> -D "cn=orcladmin" -w <password> -b "" -s base "objectclass=*" objectname


Make sure that -b is followed by two double quotes with no space between them.

objectname can be any object whose values you want to know.

 

OID 10g Enabling changelog command


Enable Change Log Regeneration on a Supplier

Enable change log regeneration at the supplier, as follows:
  1. Create an LDIF file like this:
    dn: 
    changetype: modify
    replace: orcldiprepository
    orcldiprepository: TRUE
    
    
  2. Apply the LDIF file by typing:
    ldapmodify -D "cn=orcladmin" -w password -h host_name -p port_number \
       -f LDIF_file

OID 10g Obtain the last change number


ldapsearch -h host -p port_number -D cn=orcladmin -w admin_pwd \
   -b "" -s base "objectclass=*" lastchangenumber

enabling and disabling changelog Generation OID 10G


Change log generation for the changes made by oidcmprec depends on the value of the orcldiprepository attribute of the root DSE. Change log generation behavior, however, can be controlled by using the genchglog argument.

The genchglog argument can have the following values:
default: The directory server settings determine whether a change log is generated or not. Change logs are generated if the root entry's orcldiprepository attribute is set to true. They are not generated if orcldiprepository is set to false. The same rule applies for both the source and destination directories. default is the default value for genchglog.

true: Change logs are always generated, irrespective of the settings on the source and destination directories.

false: Change logs are never generated, irrespective of the settings on the source and destination directories.


In the following example, genchglog=false turns off change log generation:

oidcmprec operation=merge scope=subtree base="'dc=com'" \
          source=myhost1.mycom.com:389/replication_dn_pwd \
          destination=myhost2.mycom.com:389/replication_dn_pwd \
          inclattr="*" exclattr="orclguid creatorsname modifiersname" \
          file=merge genchglog=false

 

increasing or decreasing replication speed in OID 10g when using LDAP-Based Replication orclupdateschedule

The default configuration gives a processing time of approximately 1 minute, during which the change is retrieved from the supplier (master) and applied to the consumer.

Changing the default value of the orclupdateschedule attribute to 0 results in a replication time of 1 second, which means changes are replicated from the supplier to the consumer every second.

If you are using LDAP-based replication, you can change the replication interval by following these steps:

  1. Edit mod.ldif as follows:
    dn: orclAgreementID=unique_identifier_of_the_replication_agreement,
     orclReplicaId=unique_identifier_of_the_supplier,
     cn=replication configuration
    changetype: modify
    replace: orclupdateschedule
    orclupdateschedule: 0


  2. On the consumer host, upload mod.ldif as follows:

    ldapmodify -h consumer_host_name -p consumer_port -D cn=orcladmin \
       -w administrator_password -v -f mod.ldif

  3. Restart the directory replication server:

    oidctl connect=connect_string server=oidrepld instance=instance_number restart
 
 

OID 10g replication check and monitoring command remtool


remtool enables you to monitor the health of the replication process. You can run remtool periodically to ensure that your replication processes are performing properly.

There are 2 options for monitoring the health of the replication process using remtool:

 -pdispqstat
 -pverify

These are also known as the Display Queue Statistics Tool and the Replication Verification Tool. Their syntax is as follows:

remtool -pdispqstat [-v] [-bind hostname:port_number/replication_dn_password]

It shows the queue statistics of the DRG. Check whether the number of Human Intervention Queue (HIQ) entries and change logs to be transported (Logs TBP) are higher than usual. If so, replication is running more slowly than it should.

remtool -pverify [-v] [-bind hostname:port_number/replication_dn_password] [-hiqmax hiqmax] [-tbtmax tbtmax]

First run the Display Queue Statistics Tool. If you see issues, run the Replication Verification Tool to verify your replication configuration.

If the Replication Verification Tool reports a test failure, check the report that it generates and follow the suggestions in the report to fix the specific failures. This report is very useful for fixing failure issues.
 

how to enable and disable changelog in OID 11g

To enable or disable the changelog, set orclgeneratechangelog and run the ldapmodify command.

To disable, set the value to 0:
orclgeneratechangelog: 0

To enable, set the value to 1:
orclgeneratechangelog: 1


Here are the instructions for changing the setting.
You can enable and disable change log generation by using ldapmodify to change the value of orclgeneratechangelog, which is an instance-specific attribute. You enable change log generation by setting the value to 1 and disable it by setting the value to 0. The command is:
ldapmodify -D cn=orcladmin -q -p portNum -h hostname -f ldifFile
The LDIF file for changing the value of the orclgeneratechangelog attribute in the instance-specific entry to 1 looks like this:

dn: cn=componentname,cn=osdldapd,cn=subconfigsubentry
changetype: modify
replace: orclgeneratechangelog
orclgeneratechangelog: 1
 
 

OID 10g resetting password of ODSSM

OID uses the ODSSM account to access server manageability information from the database. This user is created and given a random password during installation. The user's password is stored in targets.xml. If you want to change it, you have to use SQL*Plus; you cannot change this password through the oidpasswd tool. Also, the password is not stored in a wallet.
Run the SQL*Plus command to change the user's password, and then update the targets.xml file with the new password. You can do this by setting new values in the user and password fields, or you can use the oidemdpasswd tool.

 

Monday, September 22, 2014

enabling logging for WebLogic, OAM, OIM, SOA 11g through Enterprise Manager

Enterprise Manager is the easiest way to enable logging, and there are fewer chances of typos. In my example I have enabled logging on the Admin server. You can enable logging on the Admin or Managed servers.

Please follow these steps.

Log in to EM (with the default port, the Enterprise Manager URL will mostly look like http://servername:7001/em).

1. You will see multiple folders; expand Weblogic Domain.
2. Expand iamdev.
3. Right-click AdminServer.
4. Select Log Configuration.
5. On the right, on the Log Levels tab, look down for the box called Logger Name; inside this box click Root Logger.
6. Expand oracle.
7. Expand oracle.oam.
8. Select the log level from the drop-down. If you want logging information for all events, simply select TRACE32 at the oracle.oam level; otherwise enable whatever logging you want by clicking the drop-down menu button at the left. TRACE32 is the highest level of tracing that can be enabled.

 

Sunday, September 21, 2014

vi editor's cheat sheet. most common commands. very useful commands to remember linux solaris

Here are most of the commands you will use while working in the vi editor, which is the most commonly used editor. If you know the commands and how to use them, you will love this editor.
Some commands are used very frequently, but it is better to know everything that can be achieved with vi.


Motion
--------------------------------------------------------------------------------
h Move left
j Move down
k Move up
l Move right
w Move to next word
W Move to next blank delimited word
b Move to the beginning of the word
B Move to the beginning of blank delimited word
e Move to the end of the word
E Move to the end of Blank delimited word
( Move a sentence back
) Move a sentence forward
{ Move a paragraph back
} Move a paragraph forward
0 Move to the beginning of the line
$ Move to the end of the line
1G Move to the first line of the file
G Move to the last line of the file
nG Move to nth line of the file
:n Move to nth line of the file
fc Move forward to c
Fc Move back to c
H Move to top of screen
M Move to middle of screen
L Move to bottom of screen
% Move to associated ( ), { }, [ ]


Quitting
--------------------------------------------------------------------------------
:x Exit, saving changes
:q Exit as long as there have been no changes
ZZ Exit and save changes if any have been made
:q! Exit and ignore any changes

Files
--------------------------------------------------------------------------------
:w file Write to file
:r file Read file in after line
:n Go to next file
:p Go to previous file
:e file Edit file
!!program Replace line with output from program


Inserting Text
--------------------------------------------------------------------------------
i Insert before cursor
I Insert before line
a Append after cursor
A Append after line
o Open a new line after current line
O Open a new line before current line
r Replace one character
R Replace many characters


Deleting Text
--------------------------------------------------------------------------------
Almost all deletion commands are performed by typing d followed by a motion. Pay attention to the difference between lowercase and uppercase letters. For example, dw deletes a word. A few other deletes are:
x Delete character to the right of cursor
X Delete character to the left of cursor
D Delete to the end of the line
dd Delete current line
:d Delete current line
dG  Delete till the end of file


Yanking Text
--------------------------------------------------------------------------------
Like deletion, almost all yank commands are performed by typing y followed by a motion. For example, y$ yanks to the end of the line. Two other yank commands are:
yy Yank the current line
:y Yank the current line
After a yank, move the cursor to the target position and use p to paste the line.

Changing text
--------------------------------------------------------------------------------
The change command is a deletion command that leaves the editor in insert mode. It is performed by typing c followed by a motion. For example, cw changes a word. A few other change commands are:
C Change to the end of the line
cc Change the whole line


Putting text
--------------------------------------------------------------------------------
p Put after the position or after the line
P Put before the position or before the line



Markers
--------------------------------------------------------------------------------
Named markers may be set on any line in a file. Any lower case letter may be a marker name. Markers may also be used as limits for ranges.
mc Set marker c on this line
`c Go to beginning of marker c line.
'c Go to first non-blank character of marker c line.


Search for strings
--------------------------------------------------------------------------------
/string Search forward for string
?string Search back for string
n Search for next instance of string
N Search for previous instance of string


Replace
--------------------------------------------------------------------------------
The search and replace function is accomplished with the :s command. It is commonly used in combination with ranges or the :g command (below).
:s/pattern/string/flags Replace pattern with string according to flags.
g Flag - Replace all occurrences of pattern
c Flag - Confirm replaces.
& Repeat last :s command


Regular Expressions
--------------------------------------------------------------------------------
. (dot) Any single character except newline
* zero or more occurrences of any character
[...] Any single character specified in the set
[^...] Any single character not specified in the set
^ Anchor - beginning of the line
$ Anchor - end of line
\< Anchor - beginning of word
\> Anchor - end of word
\(...\) Grouping - usually used to group conditions
\n Contents of nth grouping

[...] - Set Examples
[A-Z] The SET from Capital A to Capital Z
[a-z] The SET from lowercase a to lowercase z
[0-9] The SET from 0 to 9 (All numerals)
[./=+] The SET containing . (dot), / (slash), =, and +
[-A-F] The SET from Capital A to Capital F and the dash (dashes must be specified first)
[0-9 A-Z] The SET containing all capital letters and digits and a space
[A-Z][a-zA-Z] In the first position, the SET from Capital A to Capital Z
In the second character position, the SET containing all letters

Regular Expression Examples
/Hello/ Matches if the line contains the value Hello
/^TEST$/ Matches if the line contains TEST by itself
/^[a-zA-Z]/ Matches if the line starts with any letter
/^[a-z].*/ Matches if the first character of the line is a-z and there is at least one more of any character following it
/2134$/ Matches if line ends with 2134
/\(21|35\)/ Matches if the line contains 21 or 35
Note the use of ( ) with the pipe symbol to specify the 'or' condition
/[0-9]*/ Matches if there are zero or more numbers in the line
/^[^#]/ Matches if the first character is not a # in the line
Notes:
1. Regular expressions are case sensitive
2. Regular expressions are to be used where pattern is specified


Counts
--------------------------------------------------------------------------------
Nearly every command may be preceded by a number that specifies how many times it is to be performed. For example, 5dw will delete 5 words and 3fe will move the cursor forward to the 3rd occurrence of the letter e. Even insertions may be repeated conveniently with this method, say to insert the same line 100 times.


Ranges
--------------------------------------------------------------------------------
Ranges may precede most "colon" commands and cause them to be executed on a line or lines. For example :3,7d would delete lines 3-7. Ranges are commonly combined with the :s command to perform a replacement on several lines, as with :.,$s/pattern/string/g to make a replacement from the current line to the end of the file.
:n,m Range - Lines n-m
:. Range - Current line
:$ Range - Last line
:'c Range - Marker c
:% Range - All lines in file
:g/pattern/ Range - All lines that contain pattern



Buffers
--------------------------------------------------------------------------------
Named buffers may be specified before any deletion, change, yank or put command. The general prefix has the form "c where c is any lowercase character. For example, "adw deletes a word into buffer a. It may thereafter be put back into text with an appropriate "ap.



Other
--------------------------------------------------------------------------------
~ Toggle upper and lower case
J Join lines
. Repeat last text-changing command
u Undo last change
U Undo all changes to line

Saturday, September 20, 2014

how to install JDK in 3 easy steps at linux or solaris

how to install JDK easy steps

1. download JDK version from Oracle website depending on your operating system.

2. Copy it to your machine. On Unix or Solaris, change the permission on this file using the command below:

chmod +x jdk1.6<complete name>.sh

On SPARC processors:
chmod +x jre-1_6_0<update>-solaris-sparcv9.sh
On x64/EM64T processors:
chmod +x jre-1_6_0<update>-solaris-x64.sh

When you download the file and transfer it to Unix machines, make sure you transfer it in binary format (if you are using WinSCP, there is an option to transfer in binary format); otherwise, when you run the file, you get a corrupt file or invalid file format error.


If you have a file with the extension .Z,

use the following command to extract it:

gunzip -d filename.tar.z


3. run the executable

either using

./jre-1_6_0<update>-solaris-sparcv9.sh

or
sh ./jre-1_6_0<update>-solaris-sparcv9.sh

It will extract all the files at the desired location. It is better to extract this binary file in a separate folder.



 

Friday, September 19, 2014

tee command to capture screen messages into a separate logfile



If you are troubleshooting and the screen messages are scrolling by very fast, use the tee command to capture the screen messages into a separate file.

tail -f server.log | tee screenmsg.txt

Error in CreateOUIProcess():22 Invalid argument


installation java/lang/noclassdeffounderror java/lang/object solaris

or a "file is corrupted" message while installing a product.

Solution:

If you are installing this product on Unix boxes, check the way you are transferring the files to these boxes. If you are using WinSCP, make sure to transfer in binary format instead of the default.

Here is how you can choose binary format:

Right click on the file
 select Upload
on that popup click on Transfer Setting and choose Binary

Now this file will be transferred as binary.
 

Thursday, September 18, 2014

how to untar files with .tar.z extension use gunzip -d filename.tar.Z

Command to unzip a file with the .z extension:

gunzip -d filename.tar.z


OIM OAM error failure of server apache bridge error

If you see this error:
failure of server apache bridge error

Solution:
Check whether your servers (OIM, OAM) are up and running. If they are stopped, start them; then you will be able to access the URL.


 

how to check webgate version information


11g webgate version information is at


$WebGate_Install_Dir/webgate/ohs/config/np1111_wg.txt

Product: Oracle Access Manager
Component: WebGate
WebServer: OHS11g
Platform: linux64
Locale: en-us
Release: 11.1.1.3.0 M1


for 10g webgate information is at same place but filename is different

$WebGate_Install_Dir/access/oblix/config/np1014_wg.txt

Product: Oracle Access Manager
Component: WebGate
Platform: sparc-s2_64
WebServer: OHS11g
Locale: en-us
Release: 10.1.4.3.0 BP10
CertificationRelease: CR1
BuildVersion: B43

 

check java version at solaris bit supported version



java -version
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_06-b05)
Java HotSpot(TM) Server VM (build 1.5.0_06-b05, mixed mode)

if you see Server VM it means it is 64bit and if you see  Client

Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_16-b02)
Java HotSpot(TM) Client VM (build 1.5.0_16-b02, mixed mode, sharing)


To see whether it supports 64-bit, run this command:

java -d64 -version
java version "1.5.0_34"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_34-b03)
Java HotSpot(TM) 64-Bit Server VM (build 1.5.0_34-b03, mixed mode)

For a clearer message, run:
truss -t exec java -d64 -version
java version "1.5.0_34"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_34-b03)
Java HotSpot(TM) 64-Bit Server VM (build 1.5.0_34-b03, mixed mode)

 

finding Solaris version information bit version information and operating system detail command

to find out bit version

isainfo -kv

bash-3.00$ isainfo -kv
64-bit sparcv9 kernel modules


uname -r

to check release

bash-3.00$ uname -r
5.10

bash-3.00$ uname -v
Generic_147440-12
bash-3.00$ uname -a
SunOS devidm008 5.10 Generic_147440-12 sun4v sparc SUNW,T5440

bash-3.00$ uname -i
SUNW,T5440
bash-3.00$ uname -v
Generic_147440-12

/etc/release

to check release info






 

Wednesday, September 17, 2014

OIM/OAM 11.1.2.2.0 integration error java.io.FileNotFoundException: ./config/jps-config.xml (No such file or directory)" error while running -configOIM ignore this error it is bug

If you receive the following error while running the integration setup:

idmConfigTool.sh -configOIM input_file=configfile

NOTIFICATION: PManager instance is created without multitenancy support as JVM flag "oracle.multitenant.enabled" is not set to enable multitenancy support.
 oracle.security.jps.internal.config.xml.XmlConfigurationFactory initDefaultConfiguration
SEVERE: java.io.FileNotFoundException: ./config/jps-config.xml (No such file or directory)
 PM oracle.mds

Solution:

This is a bug.
This message can be ignored. You can also check the log (automation.log); this error will not be there.
Your configuration is completed regardless of this error.



 

idmConfigTool.sh -configOAM command error about reading config file OIM/OAM 11gr2 integration

During OIM/OAM 11gR2 PS2 integration, you run this command as described in the Oracle documentation and get the following error:

 ./idmConfigTool.sh -configOAM input_file=OAMconfigPropertyFile
Error in reading config file

Solution:
Check that all the values in the properties file are correct. Make sure every parameter has its value on the same line.

for example

wrong example
OAM11G_IDM_DOMAIN_LOGOUT_URLS:
/console/jsp/common/logout.jsp,/em/targetauth/emaslogout.jsp,/oamsso/logout.html,/cgi-bin/logout.pl

correct example

OAM11G_IDM_DOMAIN_LOGOUT_URLS:/console/jsp/common/logout.jsp,/em/targetauth/emaslogout.jsp,/oamsso/logout.html,/cgi-bin/logout.pl

The difference is that in the wrong example the parameter does not have its value on the same line, so the tool cannot read the value.
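A pre-flight check for this mistake, as an added example (not part of the original post and not Oracle code): it reports every key whose value was pushed onto the next line and can write the joined form. It assumes keys are upper-case with digits and underscores, as on this page; the sample host name and base DN are constructed.

```python
import re

# Assumption: keys look like the ones on this page (upper-case letters,
# digits and underscores) and are separated from the value by ':' or '='.
KEY_LINE = re.compile(r"^([A-Z][A-Z0-9_]*)\s*[:=]\s*(.*)$")

# Constructed sample: key names are from this page, host and base DN are made up.
SAMPLE = """\
IDSTORE_SEARCHBASE: dc=example,dc=com
OAM11G_IDM_DOMAIN_LOGOUT_URLS:
/console/jsp/common/logout.jsp,/em/targetauth/emaslogout.jsp,/oamsso/logout.html,/cgi-bin/logout.pl
PRIMARY_OAM_SERVERS: oam1.example.com:5575
"""

def find_split_values(text):
    """Return (line_number, key, wrapped_text) for each key whose value
    ended up on the following line instead of the key's own line."""
    lines = text.splitlines()
    findings = []
    for idx, raw in enumerate(lines):
        match = KEY_LINE.match(raw.strip())
        if not match or match.group(2):
            continue  # not a key line, or the key already carries a value
        nxt = lines[idx + 1].strip() if idx + 1 < len(lines) else ""
        # A wrapped value is a non-empty, non-comment line that is not itself a key.
        if nxt and not nxt.startswith("#") and not KEY_LINE.match(nxt):
            findings.append((idx + 1, match.group(1), nxt))
    return findings

def join_split_values(text):
    """Return the text with every wrapped value pulled back onto its key's line."""
    lines = text.splitlines()
    wrapped = {line_no for line_no, _, _ in find_split_values(text)}
    out, skip_next = [], False
    for line_no, raw in enumerate(lines, start=1):
        if skip_next:
            skip_next = False
            continue
        if line_no in wrapped:
            out.append(raw.strip() + lines[line_no].strip())
            skip_next = True
        else:
            out.append(raw)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    for line_no, key, value in find_split_values(SAMPLE):
        print("line %d: %s has no value; next line looks like it: %s" % (line_no, key, value))
    print(join_split_values(SAMPLE))
```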

 

Finding the PRIMARY_OAM_SERVERS value in OAM 11.1.2.2.0: steps to follow

Here are the steps to find the proxy port of the OAM 11.1.2.2.0 servers. The Oracle documentation for this step describes an older version.


PRIMARY_OAM_SERVERS is a comma-separated list of your Access Manager servers and the proxy ports they use.

Note:
To determine the proxy ports of your Access Manager servers:

Log in to the Oracle Access Management administration console at http://admin.example.com:7001/oamconsole

Scroll down to the Configuration tab.
Click on Server Instances.
Click Search to see all the OAM instances.
Select the oam_server1 instance.
The port is shown under the OAM Proxy section.
 

Configuring Access Manager 11.1.2.2.0 for Integration correct steps to follow

If you are integrating OAM 11.1.2.2.0 and OIM 11.1.2.2.0 and you want to set up a global passphrase, follow the steps below.

The steps given in the Oracle 11.1.2.2.0 documentation for setting the passphrase do not apply to this version (the instructions are for an older version). An SR needs to be opened to correct these steps.


 Set a global passphrase.
By default, Oracle Access Manager is configured to use the Open security model. In the following steps you will use the idmConfigTool to change the security model, consequently you must set a global passphrase. Although you do not need to set the global passphrase and the WebGate access password to be the same, it is recommended that you do so. Proceed as follows.
Log in to the Oracle Access Management administration console as the WebLogic administration user:
http://oam_adminserver_host:port/oamconsole
Go to Configuration tab.
Click Access Manager Settings.
Go to Access Protocol section
Enter Global Passphrase at Simple Mode Configuration
Click Apply.

configuring weblogic timeout setting using WLST command in 3 steps



To configure the WebLogic timeout setting using WLST, perform these steps:
  1. Run the following WLST command to list all adapters: listAdapters().
  2. Run the following WLST command to set the timeout for each adapter. A 120-second timeout is used as an example; set it to zero for no timeout.
    modifyLDAPAdapter('<ADAPTER NAME>', 'OperationTimeout', 120000)
  3. Restart WebLogic Server.

OIM 11gR2 and OAM 11gr2 configuring OVD adapter wlst command


Make sure to take a backup of the file that is being changed:
<MW_HOME>/user_projects/domains/oimdev/config/fmwconfig/ovd/oim/adapters.os_xml

You can use the WLST utility to do that.

To get adapter information you need to use the wlst.sh utility that is under <MW_HOME>/oracle_common/common/bin/. If you use the utility under weblogic, you will get the following error while running
wls:/iamdev/serverConfig>listAdapters(contextName='oim')

wls:/iamdev/serverConfig> listAdapters(contextName='oim')
Traceback (innermost last):
  File "<console>", line 1, in ?
NameError: listAdapters

$wlst.sh


wls:/offline> connect('weblogic','password','t3://orasystemsusa.com:7001')

Connecting to 't3://orasystemsusa.com:7001' with userid weblogic ...

Successfully connected to Admin Server 'AdminServer' that belongs to domain 'oimdev'.

 

Warning: An insecure protocol was used to connect to the

server. To ensure on-the-wire security, the SSL port or

Admin port should be used instead.

 

wls:/iamdev/serverConfig> listAdapters(contextName='oim')

Location changed to domainRuntime tree. This is a read-only tree with DomainMBean as the root.

For more help, use help(domainRuntime)

 

Adapter Name : LDAP1

Adapter Type : LDAP

 

 

Adapter Name : CHANGELOG_LDAP1

Adapter Type : LDAP

 

 

wls:/iamdev/domainRuntime>getAdapterDetails(adapterName='LDAP1',contextName='oim')

DETAILS OF ADAPTER :  LDAP1

Adapter Type                : LDAP

Name                        : LDAP1

Virtual NameSpace           : dc=company,dc=com

Remote NameSpace            : dc=company,dc=com

LDAP Host                   : [orasystemsusa.com :   389]

Bind DN                     : cn=orcladmin

Secure                      : false

Pass Credentials            : Always

Max size of Connection Pool : 10

Plugin                      : DMSMetrics

Plugin                      : UserManagement

 

  • To update the user name and password values in the USER adapter:
    modifyLDAPAdapter(adapterName='LDAP1',attribute='BindDN', value='cn=oimLDAP,cn=systemids,dc=example,dc=com', contextName='oim')
    
    modifyLDAPAdapter(adapterName='LDAP1',attribute='BindPassword', value='******', contextName='oim')
    
  • To update the user name and password values in the CHANGELOG adapter:
    modifyLDAPAdapter(adapterName='CHANGELOG_LDAP1',attribute='BindDN', value='cn=oimLDAP,cn=systemids,dc=example,dc=com', contextName='oim')
    
    modifyLDAPAdapter(adapterName='CHANGELOG_LDAP1',attribute='BindPassword', value='welcome1', contextName='oim')
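
A review of the getAdapterDetails output shown above, as an added example (not part of the original post and not an Oracle tool): it parses the "Label : value" lines and flags the settings a reviewer would question before go-live. Assumptions: "Secure : false" is read as no SSL towards the backend directory, and the dedicated cn=oimLDAP account the post switches to is the intended bind identity; the sample is the page's output with blank lines removed.

```python
# Constructed sample: the getAdapterDetails output from this page, blank lines removed.
SAMPLE_OUTPUT = """\
DETAILS OF ADAPTER :  LDAP1
Adapter Type                : LDAP
Name                        : LDAP1
Virtual NameSpace           : dc=company,dc=com
Remote NameSpace            : dc=company,dc=com
LDAP Host                   : [orasystemsusa.com :   389]
Bind DN                     : cn=orcladmin
Secure                      : false
Pass Credentials            : Always
Max size of Connection Pool : 10
Plugin                      : DMSMetrics
Plugin                      : UserManagement
"""

def parse_adapter_details(output):
    """Parse 'Label : value' lines into a dict; repeated labels (Plugin) become lists."""
    details = {}
    for line in output.splitlines():
        label, sep, value = line.partition(" : ")
        if not sep:
            continue  # blank line or WLST chatter without a label
        label, value = label.strip(), value.strip()
        if label in details:  # repeated label, e.g. Plugin
            if not isinstance(details[label], list):
                details[label] = [details[label]]
            details[label].append(value)
        else:
            details[label] = value
    return details

def audit_adapter(details):
    """Return a list of findings for one parsed adapter."""
    findings = []
    # Assumption: 'Secure' reflects whether SSL is used towards the backend.
    if details.get("Secure", "").lower() != "true":
        findings.append("connection to the backend directory is not marked secure")
    host, _, port = details.get("LDAP Host", "").strip("[]").partition(":")
    if port.strip() == "389":
        findings.append("uses the clear-text LDAP port 389 on " + host.strip())
    if details.get("Bind DN", "").lower() == "cn=orcladmin":
        findings.append("binds as cn=orcladmin instead of a dedicated account")
    return findings

if __name__ == "__main__":
    for finding in audit_adapter(parse_adapter_details(SAMPLE_OUTPUT)):
        print("LDAP1:", finding)
```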

Tuesday, September 16, 2014

wlst command error while integrating OIM 11gR2 OAM 11gR2

The following error appears:

wls:/iamdev/domainRuntime> modifyLDAPAdapter(adapterName=’LDAP1',attribute='BindDN', value='cn=oimLDAP,cn=systemids, dc=orasystemsusa,dc=com', contextName='oim')
Traceback (innermost last):
  (no code object) at line 0
  File "<console>", line 1
        modifyLDAPAdapter(adapterName=’LDAP1',attribute='BindDN', value='cn=oimLDAP,cn=systemids, dc=orasystemsusa,dc=com'', contextName='oim')
                                      ^
SyntaxError: Lexical error at line 1, column 31.  Encountered: "\u2019" (8217), after : ""

Solution:

Check your single quotes ('). Make sure to replace all the single quotes and commas, then re-run the command. When you copy a command from a document, the quotes are sometimes not correct. This error was fixed after replacing all the single and double quotes, including commas.
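
A check for pasted commands, as an added example (not part of the original post): it lists every non-ASCII character with its 1-based column, which for the command above is the same column 31 the WLST lexer reported, and rewrites typographic quotes to ASCII. The function names are hypothetical; the command string is the one from the error, with the U+2019 quote written as an escape.

```python
import unicodedata

# Typographic quotes that word processors and web pages substitute for ASCII ones.
QUOTE_MAP = {
    "\u2018": "'", "\u2019": "'",   # left/right single quotation mark
    "\u201c": '"', "\u201d": '"',   # left/right double quotation mark
}

# The command from the error above, with the U+2019 quote written as an escape.
PASTED = ("modifyLDAPAdapter(adapterName=\u2019LDAP1',attribute='BindDN', "
          "value='cn=oimLDAP,cn=systemids, dc=orasystemsusa,dc=com', contextName='oim')")

def find_non_ascii(command):
    """Return (column, 'U+XXXX', unicode_name) for every non-ASCII character.
    Columns are 1-based, matching the column in the WLST lexical error."""
    return [(col, "U+%04X" % ord(ch), unicodedata.name(ch, "UNKNOWN"))
            for col, ch in enumerate(command, start=1) if ord(ch) > 127]

def normalize_quotes(command):
    """Replace typographic quotes with ASCII ones; refuse anything else non-ASCII."""
    cleaned = "".join(QUOTE_MAP.get(ch, ch) for ch in command)
    leftover = find_non_ascii(cleaned)
    if leftover:
        raise ValueError("non-ASCII characters remain: %r" % (leftover,))
    return cleaned

if __name__ == "__main__":
    for col, code, name in find_non_ascii(PASTED):
        print("column %d: %s %s" % (col, code, name))
    print(normalize_quotes(PASTED))
```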


 

starting OID 10g admin console command


to start admin console

 ./oidadmin

OIM 11g and OAM 11g integration understanding idmConfigTool.sh utility

To integrate OIM 11gR2ps2 and OAM 11gR2ps2 we need to run idmConfigTool.sh. Below are the steps performed by this utility. Understanding what it does helps you work out what is missing in the integration.

If you are integrating OIM/OAM 11gR2ps2 with OID 10g, you need to add many attributes and object classes so that this utility can run and perform all the steps required for the integration.

I have to add the following object classes at OID 10g while integrating OIM 11gR2 and OAM 11gR2. Previously I added some object classes too, when I was integrating OIM 11g with OID 10g. If you are integrating OIM with OID 10g, run this utility and add the missing attributes and object classes after reviewing the logs of this utility.

I have added the following attributes at OID 10g because I was getting errors about missing object classes and attributes.


All attributes are single-valued and the syntax is Directory String.


orclFAPersonID 

orclMTTenantGUID
orclMTTenantUName
orclMTUID
Created orclIDXGroup as an object class
 groupOfUniqueNames (mandatory objects)
The following are optional objects added to orclIDXGroup
Optional attributes added as Directory String, single value:
orclMTTenantGUID
orclMTTenantUName
orclMTUID
Run this utility. After the command I have listed the steps performed by this utility.

./idmConfigTool.sh -preConfigIDStore -f propertiesfile.txt

It does the following.

It adds the following attributes:

dn: cn=orclFAUserReadPrivilegeGroup
dn: cn=orclFAUserWritePrivilegeGroup
dn: cn=orclFAUserWritePrefsPrivilegeGroup
dn: cn=orclFAGroupReadPrivilegeGroup
dn: cn=orclFAGroupWritePrivilegeGroup

It loads the ACI file:
idm_idstore_groups_acl_template.ldif

It creates password policies:
cn=SystemIDPolicy

It loads a file to add an OID tuning parameter:
idstore_tuning.ldif

It adds the following parameter:
add: orclinmemfiltprocess
It modifies the "container" object class:
dn: cn=subschemasubentry
changetype: modify
add: objectclasses
objectclasses: ( 2.16.840.1.113894.200.2.6 NAME 'container' SUP orclContainer
  STRUCTURAL )
 
It modifies an attribute:
dn: cn=catalogs
changetype: modify
add: orclindexedattribute
orclindexedattribute: orclFAPersonID

It adds a second password policy:
dn: cn=FAPolicy,cn=pwdPolicies


If you get the following error:

GSL_EC_PWDPOLSUBENTINV

oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: Ignoring Error:  javax.naming.NameNotFoundException: [LDAP: error code 32 - Parent entry not found in the directory.]; remaining name 'cn=SystemIDPolicy,cn=pwdPolicies,cn=Common,cn=Products,cn=OracleContext,dc=orasystemsusa,dc=com

Most probably the value of the parameter below is not correct.
IDSTORE_SEARCHBASE 
 

OHS proxy to OIM server modification at OHS level


If you have installed OHS on a different machine and want to proxy to the OIM server, add the following to the OHS file mod_wl_ohs.conf, located under the OHS instance at /config/OHS/ohs2 (I have a second instance, ohs2, configured at this location).


<IfModule weblogic_module>
     WebLogicHost hostname
     WebLogicPort 14000
     MatchExpression /identity/*
     MatchExpression /sysadmin/*
     MatchExpression /oim*
     MatchExpression /admin*
     MatchExpression /xlWebApp*
     MatchExpression /Nexaweb*
     MatchExpression /workflowservice*
     MatchExpression /callbackService*
     MatchExpression /SchedulerService-web*
     MatchExpression /iam-consoles-faces*
</IfModule>

Monday, September 15, 2014

configuring OHS 11g second instance

1. Make sure the existing instance is up and running (otherwise the new OHS instance will take the default port of the previous instance, if your existing instance runs on the default port 7778). If you are not sure, run the following command to check.
If you don't know where opmnctl is, use the following command:

find . -name opmnctl

To check the status, run:
opmnctl status -l

To start:
opmnctl start


2. Navigate to $OHS_HOME (if you use the default configuration, it will be at <MW_HOME>/Oracle_WT1/bin).

Run the following command:
./config.sh

3. It displays the welcome screen. Click Next.
4. You get the following options to install:

Oracle HTTP Server
Oracle Web cache
Associate Selected Components with WebLogic Domain

If you are installing only OHS, select Oracle HTTP Server.

5. Then it asks for the existing OHS home.
 Provide this information. If you are not sure what the instance home is, you can find the instances directory using the find command; to make sure it is the correct instance, you can also find it using the httpd.conf file.
Provide this information and the new instance name (it takes a default name). If you don't want to change the information, select Next after selecting the Instance Home Location.

6. Select Next and follow all the steps until Finish.

7. After the install, the OHS server is started automatically. You can use opmnctl status to check that it is up and running.




 

Saturday, September 13, 2014

Enabling and Disabling OID tracing thru command



1. Create the following files 

debugon.ldif 

--cut here---
dn: cn=oid1,cn=osdldapd,cn=subconfigsubentry
changetype: modify
replace: orcldebugop
orcldebugop: 511

dn: cn=oid1,cn=osdldapd,cn=subconfigsubentry
changetype: modify
replace: orcldebugflag
orcldebugflag: 1
----cut here-------


debugoff.ldif 

--cut here--- 
dn: cn=oid1,cn=osdldapd,cn=subconfigsubentry 
changetype: modify 
replace: orcldebugop 
orcldebugop: 0 

dn: cn=oid1,cn=osdldapd,cn=subconfigsubentry 
changetype: modify 
replace: orcldebugflag 
orcldebugflag: 0 
----cut here------- 

2. Enable OID tracing 

ldapmodify -h <host> -p <port> -D "cn=orcladmin" -w <password> -f debugon.ldif


3. Disable OID tracing

ldapmodify -h <host> -p <port> -D "cn=orcladmin" -w <password> -f debugoff.ldif