
Friday, October 31, 2014

Masking security questions at the self-service screen, registration screen and password reset page in OIM 11.1.2.2.0


Masking security questions in OIM 11gR2 PS2

1. Click on Create Sandbox.

2. Enter mask_answer as the Sandbox Name.

3. Click Save and Close.

4. Click on My Information.

5. Click Customize; the top bar will show more options after clicking.

6. Click View at the left corner and select Source.

7. The page now shows two panes. Scroll down in the bottom pane to Answer1; it will prompt you for Edit or Cancel. Select Edit.

8. In the popup, scroll down and select Secret. Click Apply and then OK.

9. Next click on Answer2 -> click Edit -> scroll down in the popup window -> select Secret -> click OK.

10. Repeat for all the security Answers.

11. Open another window next to this screen and enter the URL below.


12. Select Answer1 -> click Edit -> scroll down to the middle of the popup -> select Secret -> click OK.

13. Repeat the same for all the Answers.

14. Open another window and enter the below.





15. Close the customization by clicking Close at the right corner.

16. Refresh the page. It will show the screen to enter the User Login.

17. Enter test5 and click Next.

18. Go back to the first screen and close the customization.

19. Click Customize again and select Source from the View menu (same as above).

20. Click on the answer row (make sure the selection is inside the *; if it is outside, the Secret option will not appear in the popup). In the popup, scroll down and select Secret.

21. Click Apply and OK.

22. Repeat this for all the other answers.

23. Once all the answers are done, click Close (to close the customization screen).

24. Go back to the first screen and close the customization screen.

25. Click Manage Sandboxes, select the sandbox that was created (mask_answer) and click Publish.

Thursday, October 30, 2014

Command to find OIM patch information on Linux

Make sure you have set up the OIM_ORACLE_HOME path.

On the machine where OIM is installed, run the following command:
  • $OIM_ORACLE_HOME/OPatch/opatch lsinventory -invPtrLoc $OIM_ORACLE_HOME/oraInst.loc
In tarball based environments /u01/oim/oim_home is usually the OIM_ORACLE_HOME (setenv is the csh syntax):
  • setenv OIM_ORACLE_HOME /u01/oim/oim_home

[shahbaz@oim_home]$ $OIM_ORACLE_HOME/OPatch/opatch lsinventory -invPtrLoc $OIM_ORACLE_HOME/oraInst.loc

Wednesday, October 29, 2014

OIM 11.1.2.2 branding error: No Access. You cannot perform this action, most likely because you do not have edit privileges on this page.

When you try to update the Identity Self Service branding logo and get an access denied error, it is a bug.

To work around this issue, perform the following steps:
1. Create and activate a Sandbox
2. Enter customization mode
3. Navigate to the firstlogin page by modifying the URL directly
4. Fill out the change password info, but don't submit
5. View source and hide the element
6. Navigate back to home
7. Deactivate and export the sandbox
8. Navigate in the zipped sandbox to the file firstlogin.jspx.xml
9. Extract the file and make the changes
10. Repackage the file in the archive
11. Import the sandbox
12. Publish the sandbox
 

OIM 11.1.2.2.0 logo replacement steps

The logo needs to be placed in two places. Suppose your image is named mylogo.png.

1. The logo at the location below shows up after login to the console.

Find the xlWebApp.war file on your system and copy the logo under it.
cp /tmp/mylogo.png    ../../xlWebApp.war/mylogo.png

2. The logo at this location shows up on the login page.

Copy the logo to this location.
cp /tmp/mylogo.png  ../../oim.ear/iam-consoles-faces.war/images/mylogo.png

3. Now customize the screen to add this logo.

1. Log into the /identity screen
2. Click on Sandboxes
3. Click Create Sandbox and name it mylogo.
4. Click Customize; the top bar will show more options after clicking.
5. Click View at the left corner and select Source.
6. Click on the ORACLE logo; it will prompt you for Edit or Cancel. Select Edit.
7. In the popup, go to Style and enter the information below:
Background Image       url(/xlWebApp/tmo-logo156.png)
You can also specify Width, Height and Style Class.
8. Apply and save.
9. Close from the right corner (Close will close this customization screen).
10. Publish this Sandbox (if you don't see Publish Sandbox, click on the arrow signs and select Publish Sandbox).
11. Restart OIM.
 
 



 

Monday, October 27, 2014

Explicitly disable IPv6 for OVD versions 11.1.1.2.0 to 11.1.1.7.0

See the current certification matrix to check whether your OAM version supports IPv4 or IPv6.
If you have to disable IPv6, follow the instructions below to disable IPv6 in OVD.
To accomplish this, add -DuseIPv6Address=false and -Djava.net.preferIPv6Addresses=false to the "java-options" for the OVD instance.
Perform the following:

1. Shut down the OVD instance

Example:

opmnctl stopproc ias-component=ovd1

2. Make a backup copy of the file opmn.xml

cd $INSTANCE_HOME/config/OPMN/opmn
cp opmn.xml opmn.xml.back

3. Edit the file opmn.xml and add -DuseIPv6Address=false -Djava.net.preferIPv6Addresses=false to the "java-options" for the OVD instance

Example (the ovd1 component only; the two added flags are inside the java-options value):
<ias-component id="ovd1">
  <process-type id="OVD" module-id="OVD">
     <module-data>
     <category id="start-options">
     <data id="java-bin" value="$ORACLE_HOME/jdk/bin/java"/>
     <data id="java-options" value="-server -Xms256m -Xmx256m -DuseIPv6Address=false -Djava.net.preferIPv6Addresses=false -Dvde.soTimeoutBackend=0 -Didm.oracle.home=$ORACLE_HOME -Dcommon.components.home=$ORACLE_HOME/../oracle_common -Doracle.security.jps.config=$ORACLE_INSTANCE/config/JPS/jps-config-jse.xml"/>
     <data id="java-classpath" value="$ORACLE_HOME/ovd/jlib/vde.jar:$ORACLE_HOME/jdbc/lib/ojdbc6.jar"/>
     </category>
     </module-data>
     <stop timeout="120"/>
  </process-type>
</ias-component>

4. Start the OVD instance

opmnctl startproc ias-component=ovd1
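To make step 3 repeatable, here is an added Python helper (not from Oracle or this post) that appends the two flags to the java-options of the named ias-component only when they are not already present, so running it twice never duplicates them; the opmn.xml fragment is constructed from the example above.

```python
import xml.etree.ElementTree as ET

# The two flags the post says to add to the OVD instance's java-options.
IPV6_FLAGS = ("-DuseIPv6Address=false", "-Djava.net.preferIPv6Addresses=false")

# Constructed opmn.xml fragment shaped like the post's example; not a real instance file.
SAMPLE_OPMN_XML = """<opmn>
  <process-manager>
    <ias-component id="ovd1">
      <process-type id="OVD" module-id="OVD">
        <module-data>
          <category id="start-options">
            <data id="java-options" value="-server -Xms256m -Xmx256m -Dvde.soTimeoutBackend=0"/>
          </category>
        </module-data>
      </process-type>
    </ias-component>
  </process-manager>
</opmn>
"""

def _java_options_node(root, component_id):
    """Find the <data id="java-options"> element of one ias-component, or None."""
    for comp in root.iter("ias-component"):
        if comp.get("id") == component_id:
            for data in comp.iter("data"):
                if data.get("id") == "java-options":
                    return data
    return None

def java_options(opmn_xml, component_id="ovd1"):
    """Return the component's java-options as a list of tokens ([] if absent)."""
    node = _java_options_node(ET.fromstring(opmn_xml), component_id)
    return node.get("value", "").split() if node is not None else []

def add_ipv6_flags(opmn_xml, component_id="ovd1"):
    """Append the IPv6 flags to java-options, skipping any already present.
    Returns (new_xml, flags_added); a second run on the result adds nothing."""
    root = ET.fromstring(opmn_xml)
    node = _java_options_node(root, component_id)
    added = []
    if node is not None:
        opts = node.get("value", "").split()
        for flag in IPV6_FLAGS:
            if flag not in opts:
                opts.append(flag)
                added.append(flag)
        node.set("value", " ".join(opts))
    return ET.tostring(root, encoding="unicode"), added
```

Take the backup from step 2 first, then feed the real opmn.xml text through add_ipv6_flags and write the returned XML back.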


Sunday, October 26, 2014

OAM: check Coherence server version information

[OAM@OAM]$ cat /<MW_HOME>/coherence_3.7/product.xml
<?xml version="1.0"?>
<product>
<name value="SA_COH"/>
<version value="3.7.1.1.0"/>
</product>

OAM 11gR2 PS2 OVD authentication scheme

OVD authentication scheme

Authentication Mode
OVD

Challenge Method
Form

Context Type
external

Challenge Parameters
OverrideRetryLimit=3
ssoCookie=Secure

OAM 11gR2 PS2: creating an authentication scheme for clients that don't use cookies, and the parameter that needs to be used

Authentication scheme for clients that don't support URL redirects or cookies.

You have to specify the following under Challenge Parameters:
CookieLessMode=true

My authentication scheme has the following in it:
Authentication Module  LDAP
Challenge Method  Basic

 

OAM 11gR2 PS2 error OAMSSA-02038 Failed to put session on queue QSize:11, upperLimit:100000

When you are doing a load test and you see high CPU on the OAM server together with the error below:

Host hostname 
Host IP Address host IP
User <anonymous> 
Thread ID WriteBehindThread:CacheStoreWrapper(oracle.security.am.engines.sme.mapimpl.db.DbOraSmeStore):DistributedCache 
ECID 390c7670d8c160f7:-1331fb74:14901d0b714:-8000-0000000000000003 

Message Failed to put session af40b0e1-9906-447c-87f6-af92e28cda9b|08Nq21UOp50iJyNpbNY2uIFlsuk= on queue QSize:11, upperLimit:100000, recoveryFactory:0.8, enabled:false, previousWorkValue:171314, perviousWorkValue:1414210014497, P:0.3, I:0.1, integrationWindow:150000. 

and

Failed to put session on queue QSize:11, upperLimit:100000 


Solution:

It is a bug. The fix is adding the setting below to the oam-config.xml file:

<Setting Name="IntegrationPercent" Type="xsd:integer">0</Setting>

Install Coherence 3.7.1 on OAM 11gR2 PS1

Upgrade instructions to install Coherence 3.7.1.x on OAM 11gR2 PS1:
  1. Download the recommended Coherence patch from Oracle.
  2. Shut down all the servers.
  3. On each server, including the admin server, do the following:
    1. Unzip the contents of the patch to a tmp folder.
    2. Back up the jar that exists at MW_HOME/oracle_common/modules/oracle.coherence/coherence.jar
    3. Copy the jar tmp/coherence/lib/coherence.jar to the folder MW_HOME/oracle_common/modules/oracle.coherence
    4. Back up the folder /config and all its nested contents.
  4. Start the Admin Server.
  5. Log into the WebLogic console.
  6. Lock the configuration.
  7. Select Deployments and locate the coherence library.
  8. Select the library and press the Delete button.
  9. Release the configuration and apply the changes.
  10. Lock the configuration.
  11. Select Deployments and press the Install button.
  12. Select the coherence jar in the file path. Ensure that the library name is "coherence". Hit the Next button until you finish the deployment.
  13. Save and release the configuration.
  14. Stop and start the Admin Server. Verify that the oam_admin deployment is started.

Steps to recover on failure to install:
  1. Stop all servers.
  2. Restore the /config folder.
  3. Restore the coherence.jar.
  4. Restart.

Saturday, October 25, 2014

OAM performance troubleshooting check with the strace command

If you want to troubleshoot a performance issue in OAM, read the Oracle guideline below to figure out the issue.
In order to confirm whether the process is indeed blocking on reading from /dev/random, collect strace output from the process while the issue is taking place (run as root), i.e.:
# strace -rt -o strace.out -p <process_id>

This will let us know how many open system calls are made to /dev/random.

Once it is ascertained that most of the open system calls are made to /dev/random, we should either increase the entropy of the environment or change the PRNG (Pseudo Random Number Generator) for that environment.

In order to generate random numbers that are not predictable, SSL security code relies upon "entropy" on a machine. Entropy is activity such as mouse movement, disk IO, or network traffic. If entropy is minimal or non-existent, then the random number generator will be slow, and security operations may time out. This may disrupt activities such as booting a managed server into a domain using a secure admin channel. This issue generally occurs for a period after startup. Once sufficient entropy has been achieved on a JVM, the random number generator should be satisfied for the lifetime of the machine.

There are two possible options at hand to resolve the issue:

1.) Find ways to increase the entropy on the system permanently (the System Administrator needs to be engaged) -> try increasing the entropy on the problematic system (by increasing IO activity on the system).

2.) Use the faster but less secure random number generator "/dev/urandom" via the following Java system property.

Add the following to the Java command line (JAVA_OPTIONS):
-Djava.security.egd=file:/dev/urandom
OR
-Djava.security.egd=file:/dev/./urandom

Note that Option 2 is not recommended in a production environment.
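To turn the strace.out capture from the command above into the count the guideline asks for, here is an added Python helper (not from the Oracle note or this post) that tallies open()/openat() calls per path and, by tracking the returned file descriptors, read() calls per opened path; the sample lines are constructed to mimic strace -rt output.

```python
import re
from collections import Counter

# Constructed lines in the shape `strace -rt -o strace.out -p <pid>` writes: time of day,
# delta since the previous call's entry, then the call. Not a real capture. A blocked read()
# shows up as a large delta on the line that follows it.
SAMPLE_STRACE = """\
12:00:01.000100      0.000000 open("/dev/random", O_RDONLY) = 12
12:00:01.000150      0.000050 read(12, "\\x8a\\x1f"..., 8) = 8
12:00:03.210300      2.210150 close(12)                 = 0
12:00:03.210400      0.000100 openat(AT_FDCWD, "/dev/random", O_RDONLY) = 12
12:00:03.210450      0.000050 read(12, "\\x11\\x02"..., 8) = 8
12:00:05.900000      2.689550 close(12)                 = 0
12:00:05.900100      0.000100 open("/dev/urandom", O_RDONLY) = 13
12:00:05.900120      0.000020 read(13, "\\x3c\\x9d"..., 32) = 32
12:00:05.900130      0.000010 close(13)                 = 0
12:00:05.900200      0.000070 open("/etc/hosts", O_RDONLY) = 14
12:00:05.900220      0.000020 close(14)                 = 0
"""

# Two timestamp columns (-t and -r), then syscall name, argument list and return value.
LINE_RE = re.compile(r'^\S+\s+\S+\s+(?P<call>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>-?\d+)')

def summarize_strace(strace_text):
    """Count open()/openat() calls per path and read() calls per path the fd came from."""
    opens, reads, fd_to_path = Counter(), Counter(), {}
    for line in strace_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # signal lines, "<unfinished ...>" / "resumed" fragments, blanks
        call, args, ret = m.group("call"), m.group("args"), int(m.group("ret"))
        if call in ("open", "openat"):
            path = re.search(r'"([^"]*)"', args).group(1)
            opens[path] += 1
            if ret >= 0:
                fd_to_path[ret] = path  # remember which path this fd refers to
        elif call == "read":
            fd = int(args.split(",", 1)[0])
            reads[fd_to_path.get(fd, "<unknown>")] += 1
        elif call == "close":
            fd_to_path.pop(int(args.strip()), None)
    return opens, reads

def mostly_dev_random(opens):
    """The guideline's trigger: /dev/random is the single most-opened path in the capture."""
    return bool(opens) and opens.most_common(1)[0][0] == "/dev/random"
```

Run it over the real file with summarize_strace(open("strace.out").read()). Older JDKs silently mapped file:/dev/urandom back to /dev/random, which is why the post lists the file:/dev/./urandom spelling as well.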

OAM 11gR2: restart of the OAM server after installation and configuration throws exception java.lang.Exception: Unsupported session store version detected. Required "11.1.2.0.0" but found "11.1.1.5.0"

[oam_server1] [ERROR] [] [oracle.oam.engine.session] [tid: DistributedCache] [userId: <anonymous>] [ecid: 0000JsA23E8B5EoLKUG7ye1HQkGY000003,1:30972] [APP: oam_server#11.1.2.0.0] Unsupported session store version detected. Required "11.1.2.0.0" but found "11.1.1.5.0".[[
java.lang.Exception: Unsupported session store version detected. Required "11.1.2.0.0" but found "11.1.1.5.0".


RCU 11.1.1.5.0 was used instead of RCU 11.1.2.0.0 before installing the OAM server.

SOLUTION

1. Drop the RCU schema for 11.1.1.5.0 and create a new schema with RCU 11.1.2.0.0 before installing OAM 11gR2.

OR

2. Create a new schema with the 11.1.2.0.0 RCU under a new schema owner.

OAM 11g and OIF integration steps: registerOIFDAPPartner command fails

Error

registerOIFDAPPartner command fails
wls:/oam_domain/serverConfig> registerOIFDAPPartner(keystoreLocation="<MW_HOME>/10.3.3/user_projects/domains/oam_domain/keystore",logoutURL="http://logouturl",rolloverTime="500")
Registration Failed


Solution:
You may not have set the environment variables correctly for wlst.sh.

Run the commands below to set up your environment variables.

[orasystemsusa@idm bin]$ . ./setDomainEnv.sh

cd /u01/oid/oid_home/fed/scripts
[orasystemsusa@idm scripts]$ . ./setOIFEnv.sh

cd /u01/oim/oim_home/common/bin
[orasystemsusa@idm bin]$ ./wlst.sh


Monday, October 20, 2014

After implementing chain authentication, error IdentityProviderException: OAMSSA-20027: Could not get user

Oracle Access Manager 11.1.1.5.0

Chain authentication was implemented in OAM 11gR1. After that, you observe the OAMSSA-20027 error in the oam-diagnostic log even though users can log in without issue; you are just seeing these errors in the diagnostic logs.

[2012-09-09T12:11:03.410-07:00] [OAM_Server2] [ERROR] [] [oracle.oam.plugin] [tid: [ACTIVE].ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 004mKaQ7yjcBp2e_p_d9iY0002dv00000e,0:1] [APP: oam_server] [URI: /oam/server/auth_cred_submit] Exception occurred when authenticating the user against UserIdentityStore - [[
oracle.security.am.engines.common.identity.provider.exceptions.IdentityProviderException: OAMSSA-20027: Could not get user : <Username>.
at oracle.security.am.engines.common.identity.provider.impl.UserProviderImpl.getUser(UserProviderImpl.java:1309)
at oracle.security.am.engines.common.identity.provider.impl.UserProviderImpl.locateUser(UserProviderImpl.java:1093)
at oracle.security.am.engines.common.identity.provider.impl.IdentityProviderImpl.locateUser(IdentityProviderImpl.java:893)
at oracle.security.am.engines.common.identity.provider.impl.OracleUserIdentityProvider.locateUser(OracleUserIdentityProvider.java:465)
at oracle.security.am.plugin.authn.UserIdentificationPlugIn.process(UserIdentificationPlugIn.java:477)
at oracle.security.am.engine.authn.internal.executor.PlugInExecutor.execute(PlugInExecutor.java:179)
at oracle.security.am.engine.authn.internal.executor.AuthenticationSchemeExecutor.execute(AuthenticationSchemeExecutor.java:102)
at 


Reason

The chain authentication has 2 steps:
    Step 1 - verified against ID Store 1
    Step 2 - verified against ID Store 2
In the event where the user only exists in ID Store 2, the error will be thrown after executing step 1, before moving to step 2.

Solution:

This error can be ignored: if the user does not exist in one ID store, it is present in the other ID store. It is just an informational message.

 
 

Saturday, October 18, 2014

Steps for installing the Customization Installer for JDeveloper 11g

Download the OIM Customization Installer JDeveloper Extension from the Oracle site; make sure the version is correct as per your OIM release.

Save it to a local drive and extract it.

Start JDeveloper as an administrator.

Go to Help.

Select Check for Updates.

Click Next.
Select Install from Local File and select the zip file location you extracted previously.

Click Next.

At the summary page click Finish.

It will say that to finish installing updates JDeveloper needs to restart.

Click Yes.

After restart:

Go to Tools.

OIM Customization Installer -> Configure

Provide the required parameters, click Test Connection and verify.

Save the connection information.