export and import of OAM 11g server configuration steps

 here are steps to export configuration from one OAM server and import to another OAM server

1)     Export OAM configuration from the existing OAM server:

$ cd <FM_HOME>/common/bin

$ ./wlst.sh

$ connect('WebAdmin','******','t3://weblogicserver:port')

$ exportPolicy(pathTempOAMPolicyFile='/home/oracle/oam_policies.xml')

$ exportPartners(pathTempOAMPartnerFile='/home/oracle/oam_partners.xml')

2)     Transfer exported files to the new OAM host.

3)     Import OAM configuration to the new OAM server:

$ cd <FM_HOME>/common/bin/

$ ./wlst.sh

$ connect('weblogic','******','t3://servername:port')

$ importPartners(pathTempOAMPartnerFile='/home/oracle/OAMExport/oam_partners.xml')

$ importPolicy(pathTempOAMPolicyFile='/home/oracle/OAMExport/oam_policies.xml')

4) Restart Admin and managed server.

ODSEE 11g grant read-only access to cn=config to a user or anyone

in order to grant read-only access to cn=config to a user or anyone you have to add following ACI (mostly it not recommended for anyone to have access at cn=config but in few cases you need to have anyone or user to have read only access to cn=config in order to read some vales)

use below command or add this ACI directly thru console

 ldapmodify -D "cn=Directory Manager" -w <password> -p 389
dn: cn=config
changetype: modify
add: aci
aci: (target ="ldap:///cn=config*")(targetattr != "aci || connection")(versio
 n 3.0; acl "config"; allow( read, search, compare ) userdn = "ldap:///anyon
 e";)

high leve backup and recover steps for OID OVD and OHS 10g

  Backup and Recovery plan

1.    OID

·        Backup the OID Database.

·        Backup the OID file system.

·        Restore the database from the previous step backup if there is any step failed. Also restore the OID file system from the backup.

2.    OVD

·        Backup the adapters.os_xml, acls_os_xml & schema.user.xml files after successful configuration of the OAM Specific configurations loaded into the OVD.

·        Complete file system backup from the OVD Server  home directory as a working version copy.

·        Restore the OVD from the previous step backup if there is any step failed while installation and or configurations.

3.    OHS

·        Complete file system backup from the OHS server home directory as working version copy.

·        Restore the OHS from the previous backup file system by overwriting the file system.

 

installing OHS 10g complete steps

1.1      OHS2 – v101330  Installation steps

 

1.   Uncompress the installer software as follows:
 $cd /op/oracle/softwares/OHS
 $cpio -idmv -R idmadm < AS101330_companionCD_sparc64_disk1.cpio

2.   Go to the OHS2 software installer location and run the runInstaller script.
  Ex: bash-3.00$ cd /op/oracle/softwares/OHS/Disk1/
          bash-3.00$ ./runInstaller

3.    Click ‘Next’ on welcome screen.

 

4. Provide the oracle inventory folder path if not default and OS user group name who is the owner for this OHS component.

5. Installer prompts to run the orainstRoot.sh script with ‘root’ user.

6. Enter the Installation name & path of the OHS
 Ex: ohs_as2
  path: /op/oracle/ohs_dev
 
7. Select Oracle Http Server with Apache 2.0 option and click ‘Next’





8. Select Automatic option in the Port Configuration screen if require specified ports then define the staticport.ini file and place in the <<OHS_HOME>>/staticports.ini  location and choose ‘Manual’
by default OHS will choose 7777 & for ssl : 4443 ports


9.    Click ‘Install’ on summary page

Installer installs the OHS in the specified <<OHS_HOME>> folder location.

10.  Installer prompts to run the root.sh script with ‘root’ user from <OHS_HOME>> folder location. Run the root.sh script with root user and click on ‘OK’ button.

11. Installation ends successfully and shows the OHS default HTTP url in the installer screen.  Click ‘Exit’ to exit the installation.

12. Start the OHS Server and access the ohs url as specified at the screen.

13. if welcome pages comes up, it means OHS is installed successfully.





   

OIM 11.1.2.2.0 setting up pre-defined security questions thru design console.

I am assuming that you know to setup the parameter to show number of question a system property (Number of Questions). after entering these questions.

here is the process on how to pre-define security questions.

cd to <OIM_HOME>/designconsole

./xlclient.sh

After login to xelsysadm/password

1.      Click on Lookup Defination

2.      On Code place enter *question* and click search button.

3.      Use button on the top to scroll next until you see Lookup.WebClient.Questions

4.     Click on Add it will add one line at the Code Key.

5.      Enter all the Questions that you want to be displayed once user login to OIM.

6      Click on Save.

7.      Due to some bug you will get the error when you try to add just ignore it and click on next button and comeback on same page in order to verify if all the questions there.

 

Testing

Login to OIM you should be able to see all the questions if user don’t have questions setup already.

 

 

OVD parameter vde.soTimeoutBackend to keep alive functionality

while tuning OVD connection to OID, please read below in order to troubleshoot performance issues that can occur at OVD side.


vde.soTimeoutBackend is defined in OVD to keep track of inactivity period. without this parameter setting OVD will response slower because it uses the inactive connection to talk to OID(or any LDAP server) and it has to wait to get the information about the inactive connection.
this parameter is present in OVD by default and it closes the inactive connection after the time specified by this parameter. in order to use this OS keep-alive needs to be enabled because it depends on the value of OS setting.


below is another parameter to consider

<socketOptions>… 
<keepAlive>false</keepAlive> 
... 
</socketOptions> 

Turn off keepAlive. This parameter is only required to ensure that there is a tcp keep alive sent to the client to make sure that the connection opened by the client to OVD is still valid. On Linux OS, the timing of this keepAlive parameter is controlled by the OS parameter net.ipv4.tcp_keepalive_time in second.

if you want OS to handle keep-alive setting than disabled this parameter

oracle document about collecting stuck thread information at weblogic

useful oracle Document about collecting Stuck Thread at Weblogic

This article provides information about different ways on taking java thread dumps in a WebLogic Server environment.

Thread dumps are essential diagnosis information used to analyze and troubleshoot performance related issues such as server hangs, deadlocks, slow running, idle or stuck applications, slow database interactions etc...

Different ways to take thread dumps in WebLogic Server

WebLogic Server (WLS) and Java offer several ways to generate thread dumps, they are detailed below.  It is always recommended to obtain the thread dumps by using operating system (OS) commands rather than by using Java classes or the Administration Console, because if the console is hanging, users won't be able to connect to it to issue thread dumps.

1. Use operating system commands to get the thread dumps when WLS starts up from a command-line script:
   
   • On Windows OSes, thread dumps can be created by
     
     <ctrl>+<break> -- the thread dumps are generated in the server stdout
   • On POSIX-compliant platforms (e.g. Solaris and Linux), first identify the process ID (pid) using the command ps -ef | grep java, then run
     
     kill -3 <pid> 2>&1
     Signal 3 is equivalent to SIGQUIT. Note that in Solaris, the thread dump is generated in the current shell, but in Linux, the thread dump is generated in the shell which started the java process specified by the pid.
2. Using beasvc (up to WLS 10.3.5 included):
   
   beasvc -dump -svcname:<service_name>
   • service_name is the Windows service that is running the server instance (e.g. mydomain_myserver)
3. Using wlsve (from 10.3.6/12.1.1):
   
   wlsve -dump -svcname:<service_name>
4. Using weblogic.WLST:
   
   setDomain.cmd or setDomain.sh depending on the OS
   java weblogic.WLST
   connect("<username>","<password>","t3://<url>:<port>")
   threadDump()
   The thread dump will be generated in Thread_Dump_AdminServer.txt.  Note 1274713.1 addresses WLST thread dump in more details with examples on how to define sleep time between each dump and number of dumps to take.
5. From a command line or shell, a thread dump can be generated via the following command (deprecated from WLS 9.0):
   
   setDomain.cmd or setDomain.sh depending on the OS
   java weblogic.Admin <url>:<port> -username <username> -password <password> THREAD_DUMP
   The thread dump will be generated in the defined server stdout.
6. From the WLS Administration Console, a thread dump can be created by navigating to Server -> <server_name> -> Monitoring -> Dump threads stack. This method could lead to truncated or incomplete thread dumps.
7. From the Services Administration Tools when WLS runs as a Windows Service, see Note 1348645.1
8. Java VisualVM can also be used to take thread dumps while applications are running, see http://docs.oracle.com/javase/6/docs/technotes/guides/visualvm/applications_local.html for more details
9. With jstack
   
   jstack <pid> or jstack -l <pid> to print additional information about locks
10. From the JRockit command line:
    
    jrcmd <pid> print_threads
11. From Java Mission Control with JDK 7:
    
    jcmd <pid> Thread.print 

increase the searh limit at OID and OVD

below is the command to update OID search limit.

ldapmodify -h localhost -p 3060 -D "cn=orcladmin" –q –f limitincrease.ldif –o rejects.ldif

Entries of limitincrease.ldif

dn: cn=oid,cn=osdldapd,cn=subconfigsubentry

changetype: modify

replace: orclsizelimit

orclsizelimit: 20000

steps to increase search limit at OVD

Login to Oracle Enterprise Manager Fusion Middleware Control for OVD

In OVDDomain à Identity and Access à click on ovd

Oracle Virtual Directory à drop down menu -à Administrationà server properties à In General tab à change Anonymous search and Authenticated User search to 20000.

ldapmodify not working, command mistakes

when you are running an ldif file with a lot of attributes to load into OID and getting error don't know what the reason is. please check space between each  record you are trying to import and definition of each record.

for example you are adding attributes to OID with below ldif file

Wrong Formate

dn: cn=subSchemaSubentry
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113894.9999.1.24 NAME 'tAuthenticateUser' DESC
 'Authenticate User Flag' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE
  USAGE userApplications )


attributetypes: ( 2.16.840.1.113894.9999.1.25 NAME 'tAuthenticateCaller' DES
 C 'Authenticate Caller Flag' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-V
 ALUE USAGE userApplications )

attributetypes: ( 2.16.840.1.113894.9999.1.26 NAME 'tOneTimeTokenFlag' DESC
 'One Time Token Flag' EQUALITY caseExactMatch SYNTAX '1.3.6.1.4.1.1466.115.1
 21.1.15' SINGLE-VALUE USAGE userApplications )



attributetypes: ( 2.16.840.1.113894.9999.1.27 NAME 'tIPCheckFlag' DESC 'IP C
 heck Required Flag' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE USAG
 E userApplications )


and run below command
./ldapmodify -h qatovdx.unix.gsm.org -p 389 -D cn=orcladmin -w yourpassword  -v -f  /tmp/oid/tattributes_withspace.ldif

ldapmodify: no attributes to change or add (entry cn=subschemasubentry )

the issue is, each attribute need to have complete command and second and commonly over looked mistake is there is space between attribute command and attribute definition. so the command should be like this.

CORRECT FILE forate

dn: cn=subSchemaSubentry
changetype: modify
add: attributetypes attributetypes: ( 2.16.840.1.113894.9999.1.24 NAME 'tAuthenticateUser' DESC
 'Authenticate User Flag' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE
  USAGE userApplications )

dn: cn=subSchemaSubentry
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113894.9999.1.25 NAME 'tAuthenticateCaller' DES
 C 'Authenticate Caller Flag' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-V
 ALUE USAGE userApplications )

dn: cn=subSchemaSubentry
changetype: modify
add: attributetypes 
attributetypes: ( 2.16.840.1.113894.9999.1.26 NAME 'tOneTimeTokenFlag' DESC
 'One Time Token Flag' EQUALITY caseExactMatch SYNTAX '1.3.6.1.4.1.1466.115.1
 21.1.15' SINGLE-VALUE USAGE userApplications )

dn: cn=subSchemaSubentry
changetype: modify
add: attributetypes 
attributetypes: ( 2.16.840.1.113894.9999.1.27 NAME 'tIPCheckFlag' DESC 'IP C
 heck Required Flag' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE USAG
 E userApplications )

OIM 11.1.2.2.0 customization of display message at password screen

In this post I have implemented a work around of OIM customization message. I have achieve requirement of user see message that only 3 out of 5 correct answer will let them reset their password( on my different post I have mentioned on how to set property that will allow 3 correct answers out of 5 in order to reset the password). you can have any number of correct answer configured as per your requirement.
This functionality could have been achieved by only customization the message at password reset page but once I change the message I got access denied error. this post is work around of that error.


1. Login to identity screen.
2. http://servername:port/identity/
3. Create sandbox
4. at Popup window enter sandbox name
5. Sandbox name password_msg.
6. Save and close the popup.
7. Open another tab and enter url as show below
a. http://servername:port/identity/faces/forgotpassword
8. Enter username as test and click next
9. go to the first Tab(identity tab) Click on Customize.

10. Click on View at the left side corner and select Source.

11. It will show 2 screens at the same page
12. Go to the first tab(forgotpassword) and click refresh.
13.  Click on the message "Answer the challenge questions below with the answers you set during registration."
14. Click Edit(it will open and popup now close this popup).
15. Click Close (on right corner to close the customization mod)
16. Come to the first tab(identity) and click on Close again(close customization).
17. Deactivate SandBox and Export Sandbox.
18. Exported sandbox will be on your local computer download folder.
19. Unzip the sand box and go to \oracle\iam\ui\unauthenticated\forgotpassword\pages\mdssys\cust\site\site\
20. Open ansChallengeQue.jsff.xml in textEditor or notepad.
21. Change
<mds:attribute name="value" value="Answer the challenge questions below with the answers you set during registration"/>
With
<mds:attribute name="value" value="Answer the challenge questions below with the answers you set during registration, only 3 correct answers will let you change the password"/>
22. Save and zip this folder to the same name password_msg
23. Login  to Identity console again(if it was logged off)
24. Go to Manage Sandboxes.
25. Click on the arrows >>  and you will see Import Sandboxe. Click on Import Sandboxe.
26. After successful import Publish sandbox.

Testing
Logoff from Identity console.
At the login page enter username test and click on the Forgot password Link.
Enter username test again and click Next.
At the next screen you will see the New Message (Answer the challenge questions below with the answers you set during registration, only 3 correct answers will let you change the password).

 

OIM 11.1.2.2.0 enablig caching information

Caching is configured in  /db/oim-config.xml configuration file, which is located in MDS where OIM
stores the configuration. you can use EM to export oim-config.xml make changes and import back this file.

Oracle recommends the following caching settings for optimal and better performance.
 Set the caching to true for all the components except the following two sections:
 threadLocalCacheEnabled="false"
 "StoredProcAPI" enabled="false"
 Set clustered="false" for non-clustered installation and clustered="true" for clustered installation.


 Caching changes can be done in /db/oim-config.xml using EM -> System MBean Browser -> oracle.iam ->
XMLConfig -> Config -> XMLConfig.CacheConfig -> Cache -> XMLConfig.CacheConfig.CacheCategoryConfig –>

Attributes.
Note: Changing this value gets saved into MDS database schema used by the OIM servers. So changing it
once is good enough for multi node/Clustered installations.

OIM 11.1.2.2.0 performance tuning parameter in production

please make sure to change these parameters when you install OIM in productions environment.

By default, reloading of adapters and plug-in configuration are enabled for ease of development. These
should be disabled in the production environment for better performance.
This configuration is configured in the /db/oim-config.xml configuration file, which is located in MDS where OIM stores the configuration.

To do so:
replace
 In the oim-config.xml file, replace the following for adapters:
 <ADPClassLoaderConfig adapterReloadingEnabled="true" loadingStyle="ParentFirst"
reloadInterval="15" reloadingEnabled="true">

 With:
 <ADPClassLoaderConfig adapterReloadingEnabled="false" loadingStyle="ParentFirst"
reloadInterval="15" reloadingEnabled="false">


 Replace the following for plug-ins:
 <storeConfig reloadingEnabled="true" reloadingInterval="20"/>
 With:
 <storeConfig reloadingEnabled="false" reloadingInterval="20"/>
 Save the oim-config.xml file and import it back to MDS.

NOTE: Changing this value gets saved into MDS database schema used by the OIM servers. So changing it
once is good enough for multi node/Clustered installations

JVM performance tuning increasing heap size process

if you see performance issues at OIM and they are mostly due to JMV, please tune these parameters.

It is recommended to increase the heap and permgen memory for production environments as below and
monitor the memory usage pattern. Based on the usage, you can choose to increase or decrease the memory
settings.

To change the JVM memory setting:
1. If your OIM version is 11.1.2.1.0 or above, use DOMAIN_HOME/bin/setOIMDomainEnv.sh
(Unix) or setOIMDomainEnv.cmd (Windows). If not, continue to use
DOMAIN_HOME/bin/setSOADomainEnv.sh (Unix) or setSOADomainEnv.cmd (Windows) to
change the heap size settings.
2. Change the value of DEFAULT_MEM_ARGS and PORT_MEM_ARGS from the default value and
save.
3. Restart OIM Server
Note: For a clustered or multi-node installation, this step needs to be repeated on all the install locations

Note:
setSOADomainEnv.sh  file have below value
DEFAULT_MEM_ARGS="-Xms512m -Xmx1024m"

Xms --> minimum size value
Xmx --> Maximum size value

login to OAM 11gr2 failed due to OVD adaptor password expired

logs at OAM shows these error while trying to login to OAM console.

User <anonymous> 
Thread ID [ACTIVE].ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)' 
ECID 0051wdyO4FUFw0ULy6^AyW0004B50000jk 
Message Could not get user : eidmhptest6, idstore: OVDStore, with exception: oracle.security.idm.OperationFailureException: javax.naming.NamingException: [LDAP: error code 1 - LDAP Error 1 : Error Communicating with database: ORA-28000: the account is locked 

Solution:
check diagonistic logs. you will see following error.

 [ERROR] [OVD-60160] [com.octetstring.vde.backend.db.ICS DB Adapter.BackendDB] [tid: 45] [ecid: 0051wi9gUchFw0ULy6^AyW0004B500017g,0:2:3] [URI: /oam/server/auth_cred_submit] Failure in loading database metadata [#IACS DB Adapter] .[[ 
java.sql.SQLException: ORA-28000: the account is locked 

it shows the ICS DB Adapter credentials are expired.


check adaptor information at
$ORACLE_INSTANCE/config/OVD/ovd1/adapters.os_xml file 

change the OVD adaptor information (change password) and restart the service it should fix the issue.

weblogic start error. delete LDAP tmp folders

<Store> <BEA-280060> <The persistent store "_WLS_wls_ods1" encountered
a fatal error, and it must be shut down:
weblogic.store.PersistentStoreFatalException: [Store:280105]The
persistent file store "_WLS_wls_ods1" cannot open file
_WLS_WLS_ODS1000000.DAT.

Reason and Solution:
this error happen when Weblogic is not stopped completely and you have started weblogic again. now at the LDAP folder session information is old. the best way to fix this error is delete all temp,ldap,cache directories and restart Weblogic server.


next time please make sure you check admin server is stopped completely before making any changes and restarting it.
 

enabling sme optimizations for troubleshooting

Below are the instructions to enable sme optimizations. 
1) On all the servers including the admin server, set the following system property in the setDomainEnv.sh. 
-Doracle.oam.sme.elo=true 

eg: EXTRA_JAVA_PROPERTIES=" -Doracle.oam.sme.elo=true ${EXTRA_JAVA_PROPERTIES}" 

2) Restart all the servers. 

oam 11.1.2.2.0 chaning OPSS database users password procedure

1)opss-DBDS (DB datasource) needs to be updated: 
--------------------------------- 
Navigate to the Data Source pool 
Weblogic Console > Services > Data Source > opss-DBDS > Connection Pool > Change Password. 

2) Stop all the admin servers.

3) this needs to be run in offline mode.
Run modifyBootStrapCredential(jpsConfigFile='./jps-config.xml', username='<schema_owner>', password='<db user password>')

Example:
modifyBootStrapCredential(jpsConfigFile='/<MW_HOME>/user_projects/domains/mydomain/config/fmwconfig/jps-config.xml', username='DEV_OPSS', password='password1')


below is the oracle recommended way of changing OPSS schema password


1- Take a back up of the opss-jdbc.xml  file
2- Change the password in the wls console, save changes.
3- Stop all WLS servers
OR
1- Stop all WLS servers
2- Change the DATA source password with WLST (offline)
2.1- Run  $MW_HOME/oracle_common/common/bin/wlst.sh to set the wlst environment.
2.2- Use the readDomain WLST command to read the configuration of the domain in offline mode,
wls:/offline>readDomain (‘<WLS_DOMAIN_HOME_PATH>’)

Example:
wls:/offline> readDomain('/refresh/home/Middleware/user_projects/domains/IDMDomain')

2.3- Use cd(‘JDBCSystemResource/<OPSSDS name>/JdbcResource/<OPSSDS name>/JDBCDriverParams/NO_NAME_0’)

Example
wls:/offline>cd(‘JDBCSystemResource/OPSSDS/JdbcResource/OPSSDS/JDBCDriverParams/NO_NAME_0’)

2.4- The WLST set(‘<parameter_name>’,’<parameter_value>’) is used to change a parameter offline. To change the password ,  set(‘PasswordEncrypted’,’<password_value>’)

Example:
wls:/offline/IDMDomain/JDBCSystemResource/OPSSDS/JdbcResource/OPSSDS/JDBCDriverParams/NO_NAME_0>set('PasswordEncrypted','welcome2')

2.5- After all the changes to the parameters are done, the updateDomain() command needs to run to save them to the domain configuration:
Example:
wls:/offline/IDMDomain/JDBCSystemResource/OPSSDS/JdbcResource/OPSSDS/JDBCDriverParams/NO_NAME_0>updateDomain()

2.6- Run  exit() to exit WLST.
Example:
wls:/offline/IDMDomain/JDBCSystemResource/OPSSDS/JdbcResource/OPSSDS/JDBCDriverParams/NO_NAME_0>exit()

2.7- Run exit() to exit WLST.
Example:
wls:/offline/IDMDomain/JDBCSystemResource/OPSSDS/JdbcResource/OPSSDS/JDBCDriverParams/NO_NAME_0>exit()

Later:
3- Change the OPSS schema password in the database
4- Go to the oracle_common\common\bin>wlst.sh
5- Run modifyBootStrapCredential(jpsConfigFile='./jps-config.xml', username='<schema_owner>', password='<db user password>')

Example:
modifyBootStrapCredential(jpsConfigFile='/<MW_HOME>/user_projects/domains/mydomain/config/fmwconfig/jps-config.xml', username='DEV_OPSS', password='welcome1')

OAM 11.1.2.0.0 protected URL changes from https to http after enterning creadientials at login page, weblogic redirect issue

When SSL offloading is done at F5 (SSL termination at loadbalancer), the redirect url during authentication is replacing loadbalancer protocol (https) with http

Actions:
-----------------------
1. Access a protected URL using https

2. When challenged, provide user credentials and login
3. The final redirect URL is not https

Ex:

https://HOST/oam/server/auth_cred_submit
POST /oam/server/auth_cred_submit HTTP/1.1

HTTP/1.1 302 Moved Temporarily
Connection: close
Transfer-Encoding: chunked
Location: http://HOST/obrar.cgi?cookie=xxxxxx

Reason:

weblogic server not using loadbalancer protocol (https) for redirect urls


Solution:
follow below steps if you are having above issue at OAM 11.1.2.0


the steps to resolve this issue include

1) Set WL-Proxy-SSL to true at the Load Balancer end

2) Set the WebLogic 'Plugin Enabled' flag as follows
  a. Log into WebLogic Console 
  b. Click the domain name on the left menu bar
  c. Then choose 'Configurations' Tab and 'Web Applications' sub tab
  d. Click 'Lock & Edit' button on top left menu
  e. Check box 'WebLogic Plugin Enabled'
  f. Save and activate the change.

  If proxying requests to a standalone WebLogic Server, please enable this setting on the individual server level from the admin console by clicking on the -> Configuration -> General tab. In the advanced options, check the checkbox for WebLogicPluginEnabled and save the changes.

  If proxying requests to a WebLogic Cluster, enable this setting at the cluster level from the admin console by clicking on the Cluster -> Configuration -> General tab. In the advanced options, check the checkbox for WebLogicPluginEnabled and save the changes.

3) When you start the WebLogicAdmin server, pass the following parameter:
  -Dweblogic.http.isWLProxyHeadersAccessible=true

To do this:
  a. Open setEnv.sh/cmd (located in /webserv//bin)
  b. Change the JAVA_OPTIONS_os value and add "-Dweblogic.http.isWLProxyHeadersAccessible=true". 

For example
  For Windows:
  SET JAVA_OPTIONS_WIN32=-jrockit -XnoOpt -XXnoJITInline -Xms512m -Xmx512m -Dtoplink.xml.platform=oracle.toplink.platform.xml.jaxp.JAXPPlatform -Dweblogic.http.isWLProxyHeadersAccessible=true

  For Linux:
  JAVA_OPTIONS_LINUX="-jrockit -XnoOpt -XXnoJITInLine -Xms512m -Xmx512m -Dtoplink.xml.platform=oracle.toplink.platform.xml.jaxp.JAXPPlatform -Dcom.sun.xm..namespace.QName.useCompatibleSerialVersionUIT=1.0 -Dweblogic.http.isWLProxyHeadersAccessible=true"

Note: If you've uncommented the JAVA_OPTIONS_ADMINSERVER parameter, then the 'isWLProxyHeadersAccessible' parameter needs to be added to JAVA_OPTIONS_ADMINSERVER instead of JAVA_OPTIONS_os.

 Example:
  For Windows:
  SET JAVA_OPTIONS_ADMINSERVER=-jrockit -Xms256m -Xmx256m -Dweblogic.http.isWLProxyHeadersAccessible=true

  For Linux:
  JAVA_OPTIONS_ADMINSERVER="-jrockit -Xms256m -Xmx256m -
Dcom.sun.xml.namespace.QName.useCompatibleSerialVersionUID=1.0 -Dweblogic.http.isWLProxyHeadersAccessible=true"

4) Use WebLogic 10.3.2 or a higher patch level of WebLogic 10.3.x
  This is required because there is a an issue in WebLogic 10.3.1 that causes issues with this functionality.