Monday, December 21, 2015

OAM 11gR2 changing OAM and WebGate from Open to Simple mode


Changing OAM and the WebGate from Open to Simple mode

1. Log in to the OAM console
http://orasystemsusa.com:7001/oamconsole
Click on Server Instances and select oam_server1.
You will find Mode = Open; change it to Mode = Simple.

2. Select SSO Agents and click on the agent you are using (I have OAM11GAgent).
     Change Security from Open to Simple.

3. You will get the message below:
Artifacts are generated in following location : <FM_HOME>/user_projects/domains/IAMDomain/output/OAM11GAgent

4. Go to the location where the artifacts were generated:
cd <FM_HOME>/user_projects/domains/IAMDomain/output/OAM11GAgent

5. Copy these two files (aaa_cert.pem, aaa_key.pem) under the WebGate simple directory as shown below. aaa_key.pem is the private key the WebGate presents to the OAM server in Simple mode, so keep it readable only by the OHS owner (mode 600) and do not leave copies lying around in the output directory once the WebGate is working.
cp aaa_cert.pem aaa_key.pem <FM_HOME>/Oracle_WT1/instances/ohs_Webgate/config/OHS/ohs2_EM/webgate/config/simple/

6. Copy the three files cwallet.sso, ObAccessClient.xml and password.xml under the WebGate config directory as shown below:

cp cwallet.sso ObAccessClient.xml password.xml <FM_HOME>/Oracle_WT1/instances/ohs_Webgate/config/OHS/ohs2_EM/webgate/config/

7. Restart the web server that hosts the WebGate.

OAM 11g R2 OAM Test Tool location and how to run it


To test a resource we use the OAM Access Management Test Tool (oamtest). Its interface is very close to what SiteMinder R12 had.

Here is how to run the tester tool:

cd <FM_HOME>/Oracle_IAM1/oam/server/tester

export JAVA_HOME=/app/jdk1.6.0_35/
export PATH=$JAVA_HOME/bin:$PATH

Run the following command:

java -jar oamtest.jar

After providing the required information (OAM server host and port, agent ID and password, the protected resource URL and the user credentials), you can test how the request flows through OAM and what the outcome is.


Sunday, December 20, 2015

OAM 11gr2ps2 supporting external login page settings


If you have a requirement to support an external login page, i.e. a page that is not deployed on OAM, you have to change the Authentication Scheme.

In the Authentication Scheme, set Context Type to external and, in Challenge URL, provide the complete URL including host:port and the servlet path, up to the login page. OAM trusts this page to collect the user's credentials and post them back, so serve it over HTTPS and restrict who can change it.



exporting OIM plugin ZIP using SQL Developer

Steps to export a plugin ZIP from the database using SQL Developer

Log in to SQL Developer

1. Click on the user that owns all the OIM schema objects (in my dev configuration it is DEV_OIM).
2. Click on Tables and look for the two tables below.

3. PLUGINS --> gives information about all the plugins in OIM; get the ZIPID of the plugin ZIP you want to export from this table.

4. PLUGIN_ZIP --> select this table; it has two columns, ZIPID and ZIP. Double-click the (BLOB) cell of the desired ZIPID (the ZIPID taken from the PLUGINS table). A window pops up; select Download and it will download the plugin ZIP you want.

OIM 11gR2PS2 SOA patch issue and patch application sequence




OIM_11.1.2.2_SOAPS6_PREREQS.zip

export ORACLE_HOME=/opt/oracle/Middleware/Oracle_SOA1
export PATH=$PATH:/opt/oracle/Middleware/Oracle_SOA1/OPatch

echo $PATH
Apply the following patches in sequence. Run opatch apply from inside each extracted patch directory and confirm with opatch lsinventory before moving on to the next one; missing or half-applied mandatory SOA patches are the usual cause of the INST-6193 error during OIM configuration described further down.
Patch 14126097
Patch 16024267
Patch 16170778
Patch 16535743
Patch 16899697
Patch 17418151
Patch 17538745
Patch 17610621
Patch 17988119
Patch 18011109
Patch 18011726
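The sequence above is easy to get wrong by hand, so here is an added example (not from the original post) that checks the OPatch inventory for the eleven required patches and applies the missing ones in the documented order, stopping at the first failure. It assumes ORACLE_HOME is the SOA home and that the prerequisites zip has been extracted so that each patch sits in a directory named after its patch number; the sample inventory text is constructed, not real OPatch output.

```shell
#!/bin/sh
# Added example, not from the original post: check the OPatch inventory
# for the mandatory SOA prerequisite patches and apply the missing ones
# in the documented order, stopping at the first failure.
# Assumptions: ORACLE_HOME is the SOA home, and the prerequisites zip has
# been extracted so that each patch sits in a directory named after it.

REQUIRED_PATCHES="14126097 16024267 16170778 16535743 16899697 17418151 17538745 17610621 17988119 18011109 18011726"

# Print the required patch numbers that do not appear in the given
# "opatch lsinventory" text, in the order they must be applied.
missing_patches() {
    inventory="$1"
    for p in $REQUIRED_PATCHES; do
        # Applied patches are listed as "Patch  NNNNNNNN     : applied on ..."
        if ! printf '%s\n' "$inventory" | grep -Eq "^Patch[[:space:]]+$p[[:space:]]"; then
            printf '%s\n' "$p"
        fi
    done
}

# Apply whatever is missing, in order. A failed patch aborts the run so
# that no later patch is layered on top of a broken prerequisite.
apply_missing_patches() {
    patch_root="$1"
    inventory="$("$ORACLE_HOME/OPatch/opatch" lsinventory)" || return 1
    for p in $(missing_patches "$inventory"); do
        echo "applying $p"
        ( cd "$patch_root/$p" && "$ORACLE_HOME/OPatch/opatch" apply -silent ) || {
            echo "patch $p failed; fix it before continuing" >&2
            return 1
        }
    done
}

# Constructed sample inventory (not real OPatch output) for a dry run:
# three of the eleven patches are present.
SAMPLE_INVENTORY='Interim patches (3) :

Patch  14126097     : applied on Tue Dec 01 10:00:00 EST 2015
Patch  16024267     : applied on Tue Dec 01 10:05:00 EST 2015
Patch  17988119     : applied on Tue Dec 01 10:10:00 EST 2015'

# Dry run against the sample. The real run is:
#   apply_missing_patches /path/to/extracted/OIM_11.1.2.2_SOAPS6_PREREQS
missing_patches "$SAMPLE_INVENTORY"
```

On the sample inventory the dry run prints the eight patches still to apply, in order, and prints nothing once all eleven are in the inventory.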

OID using ODSM creating service account like orcladmin


How to create a new user with the same privileges as the realm admin user ORCLADMIN

From the ODSM interface of OID, navigate to the “Data Browser” tab
1. Search for “orcladmin”
2. Right-click on orcladmin, click “Create Like”
3. From the “Entry Properties” window
a. Ensure the following object classes are present: top, person, organizationalPerson, inetorgperson, orcluser, orcluserV2
4. Parent of the entry: cn=Service Accounts,dc=orasystemsusa,dc=com
5. Click “Next”
6. From the “Mandatory Properties” window
a. cn: enter an appropriate common name
b. sn: enter an appropriate surname
c. Relative Distinguished Name: typically either the uid or cn attribute is used
7. Click “Next”
8. From the “Optional Properties” window
a. description: enter the purpose of this service account
b. givenName: enter an appropriate first name if applicable
c. mail: enter an email address for a point of contact for the service account
d. orclSAMAccountName: typically this is the same as the cn attribute
e. uid: typically this is the same as the cn attribute
f. userPassword: enter an appropriately complex password
9. Click “Next”
10. Click “Finish”
11. Add the full DN of the new entry as a uniquemember to the following 12 groups. Membership in these groups makes the account as powerful as orcladmin itself, so treat its password like the orcladmin password and only create such an account where an application genuinely needs realm-wide administration:
* cn=OracleContextAdmins,cn=Groups,cn=OracleContext,dc=orasystemsusa,dc=com
* cn=OracleUserSecurityAdmins,cn=Groups,cn=OracleContext,dc=orasystemsusa,dc=com
* cn=iASAdmins,cn=Groups,cn=OracleContext,dc=orasystemsusa,dc=com
* cn=UserProxyPrivilege,cn=Groups,cn=OracleContext,dc=orasystemsusa,dc=com
* cn=OracleDASAdminGroup,cn=Groups,cn=OracleContext,dc=orasystemsusa,dc=com
* cn=OracleSuperUserAdminGroup,cn=Groups,cn=OracleContext,dc=orasystemsusa,dc=com
* cn=ASPAdmins,cn=Groups,cn=OracleContext,dc=orasystemsusa,dc=com
* cn=IAS & User Mgmt Application Admins,cn=Groups,cn=OracleContext,dc=orasystemsusa,dc=com
* cn=Trusted Applications Admins,cn=Groups,cn=OracleContext,dc=orasystemsusa,dc=com
* cn=Common User Attributes,cn=Groups,cn=OracleContext,dc=orasystemsusa,dc=com
* cn=Common Group Attributes,cn=Groups,cn=OracleContext,dc=orasystemsusa,dc=com
* cn=User Provisioning Admins,cn=Groups,cn=OracleContext
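Clicking through ODSM leaves no record of what was granted, so here is an added example (not from the original post) that builds the same change as LDIF: one add record for the service account with the object classes and attributes listed above, and one modify record per admin group. The realm suffix, the Service Accounts container and the group names come from the post; the account name svc-idm-admin and the password-file approach are assumptions. The post's last group entry lacks the realm suffix, and the example assumes the same suffix as the other eleven.

```shell
#!/bin/sh
# Added example, not from the original post: generate the LDIF that
# creates an orcladmin-like service account and adds it to the twelve
# OracleContext admin groups, so the change is reviewable and repeatable.
# Assumptions: the account name (svc-idm-admin) and that the password is
# supplied via a mode-600 file rather than on the command line.

REALM="dc=orasystemsusa,dc=com"
GROUPS_DN="cn=Groups,cn=OracleContext,$REALM"

# The twelve groups from the post (last one assumed to share the suffix).
ADMIN_GROUPS="OracleContextAdmins
OracleUserSecurityAdmins
iASAdmins
UserProxyPrivilege
OracleDASAdminGroup
OracleSuperUserAdminGroup
ASPAdmins
IAS & User Mgmt Application Admins
Trusted Applications Admins
Common User Attributes
Common Group Attributes
User Provisioning Admins"

# Emit the add record for the account. $1 = cn, $2 = description,
# $3 = file holding the password (keeps it out of history and ps output).
service_account_ldif() {
    cn="$1"; desc="$2"; pwfile="$3"
    printf 'dn: cn=%s,cn=Service Accounts,%s\n' "$cn" "$REALM"
    printf 'changetype: add\n'
    for oc in top person organizationalPerson inetorgperson orcluser orcluserV2; do
        printf 'objectclass: %s\n' "$oc"
    done
    printf 'cn: %s\nsn: %s\nuid: %s\norclSAMAccountName: %s\n' "$cn" "$cn" "$cn" "$cn"
    printf 'description: %s\n' "$desc"
    printf 'userPassword: %s\n' "$(cat "$pwfile")"
    printf '\n'
}

# Emit one modify record per admin group adding $1 as uniquemember.
group_membership_ldif() {
    member_dn="$1"
    printf '%s\n' "$ADMIN_GROUPS" | while IFS= read -r g; do
        printf 'dn: cn=%s,%s\nchangetype: modify\nadd: uniquemember\nuniquemember: %s\n\n' \
            "$g" "$GROUPS_DN" "$member_dn"
    done
}

# Usage (the output file holds a password, so create it with mode 600):
#   umask 077
#   { service_account_ldif svc-idm-admin "IAM automation" /root/.svc.pw
#     group_membership_ldif "cn=svc-idm-admin,cn=Service Accounts,$REALM"
#   } > svc-idm-admin.ldif
#   $ORACLE_HOME/bin/ldapmodify -h oidhost -p 3060 -D cn=orcladmin -q -f svc-idm-admin.ldif
```

The group modify records use add: uniquemember rather than replace:, so existing members of the admin groups are untouched; ldapmodify -q prompts for the orcladmin password instead of taking it with -w on the command line.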

Saturday, December 19, 2015

Viewing Message Payload for WebLogic Server


Here is good information that I found about the WebLogic message payload.

Viewing Message Payload for WebLogic Server

A message contains two main components: the headers and the payload. The headers contain metadata about the message. The payload contains the actual content of the message.

To View the Payload of Text and Byte Messages


  1. Select the topic or queue as described in Monitoring Topics and Queues for JMS IQ Manager.
  2. In the Messages tab, select the message and click the View/Edit icon.
    The Text Message Payload (Live) dialog box appears.
  3. To display any carriage return and line feed characters in the message (for text messages only), select the Show Carriage Return/Line Feed check box.
  4. If the message contains XML and you want to view the XML in browser format, click View XML.
  5. To delete the message, click Delete.
  6. To save the payload to a file, click Download Payload.

OAM 11gR2PS2 OAM login page appearing twice or target application not getting attributes


OAM Identity Asserter:
If your attributes are not asserted to the target application you need to create an OAM Identity Asserter. A missing OAM Identity Asserter is also one of the reasons the SSO login page or the application login page appears twice.

The reason we have to create the OAM Identity Asserter is that when a user arrives already authenticated by OAM, nothing in the WebLogic realm (myrealm) turns the identity header set by the WebGate into a WebLogic subject, so the user information is not passed to the target application.

Creating the OAM Identity Asserter

1. Log in to the WebLogic console.
2. Click on Security Realms
3. Select myrealm (the name of your realm)
4. Select the Providers tab.
5. Click on Lock & Edit.
6. Click on New (under Authentication Providers)
7. Give it a name, select Type OAMIdentityAsserter and click OK
8. Click on the newly created authentication provider.
9. Make sure the Control Flag is OPTIONAL
10. Under Active Types select OAM_REMOTE_USER
    If you have 10g agents you have to select ObSSOCookie, and if you have more attributes to assert you have to select OAM_IDENTITY_ASSERTION.
    Asserting OAM_REMOTE_USER means WebLogic trusts that HTTP header outright, so the managed servers must only be reachable through the WebGate-protected OHS; anyone who can reach the WebLogic port directly could otherwise set the header and become any user.
11. Save and Activate Changes.
12. Restart the Admin server.

Thursday, December 17, 2015

OAM 11gR2 integrating WebGate with OAM using the rreg.sh command



Integration using the RREG tool.

cd <YOUR PATH>/Oracle_IAM1/oam/server/rreg
here you will find the input folder


cd <YOUR PATH>/Oracle_IAM1/oam/server/rreg/input

and modify OAM11GRequest.xml with the information for your system

vi OAM11GRequest.xml

<serverAddress>http://orasystemsusa.com:7001</serverAddress>
<hostIdentifier>HostId11G</hostIdentifier>
<agentName>OAM11GAgent</agentName>
<agentBaseUrl>http://orasystemsusa.com:7777</agentBaseUrl>

<applicationDomain>DefaultAppDomain</applicationDomain>

Save the file and go to the bin folder to run the command. Make sure the two variables OAM_REG_HOME and JAVA_HOME are set; you can check whether they are set by looking into oamreg.sh, otherwise the command will fail. If you are installing on Windows you have to use oamreg.bat.

cd <YOUR PATH>/Oracle_IAM1/oam/server/rreg/bin

export JAVA_HOME=/app/jdk1.6.0_35/
export PATH=$JAVA_HOME/bin:$PATH

chmod u+x oamreg.sh (if you get a permission error; the script only needs to be executable by the user running it, so avoid chmod -R 777, which leaves the whole tool writable by everyone on the box)

./oamreg.sh inband <YOUR PATH>/Oracle_IAM1/oam/server/rreg/input/OAM11GRequest.xml

Provide the OAM admin username and password when prompted.
Provide a password for the WebGate if you want one; otherwise you can skip it.
Answer n to the prompt about predefined resources.

You should see "Inband registration process completed successfully!"

You can check the agent-specific files:

cd <YOUR PATH>/Oracle_IAM1/oam/server/rreg/output/RREG_OAM11GAgent

ls
cwallet.sso  ObAccessClient.xml


Now copy these files under the webgate/config directory. cwallet.sso and ObAccessClient.xml are the agent's credentials to OAM, so copy them over a trusted channel, leave them readable only by the OHS owner, and delete stray copies from the output directory once the WebGate is working.

cp cwallet.sso ObAccessClient.xml /<YOUR PATH>/Oracle_WT1/instances/Webgate/config/OHS/ohs1/webgate/config/


Restart the web server and verify the integration. You should see the OAM login page after the restart.

OAM 11gR2 deploy/configure WebGate to web server commands



Deploy the WebGate to the web server

cd <FMW_HOME>/Oracle_OAMWebGate11gR2/webgate/ohs/tools/deployWebGate


./deployWebGateInstance.sh -oh <FMW_HOME>/Oracle_OAMWebGate11gR2/ -w <FMW_HOME>/Oracle_WT1/instances/ohs_webgate11gR2/config/OHS/ohs1/


Modify the web server configuration file (httpd.conf)

cd <FMW_HOME>/Oracle_OAMWebGate11gR2/webgate/ohs/tools/setup/InstallTools

export LD_LIBRARY_PATH=/app/Weblogic/FMW/Oracle_WT1/lib
export PATH=$LD_LIBRARY_PATH:$PATH

To check whether the required libraries are present, use

ldd EditHttpConf  => if every required library resolves to a path you can run the command below; otherwise fix LD_LIBRARY_PATH until ldd shows no "not found" entries

./EditHttpConf -oh <FMW_HOME>/Oracle_OAMWebGate11gR2/ -w <FMW_HOME>/Oracle_WT1/instances/ohs_webgate11gR2/config/OHS/ohs1

Saturday, December 5, 2015

manually starting the ODSM managed server when starting it from the console failed


Start the Admin server

Start the managed server wls_ods1

cd $DOMAIN_HOME/bin

./startManagedWebLogic.sh wls_ods1

Now access ODSM through the browser:

http://host:port/odsm   where the managed server is wls_ods1 and the default port is 7005


ODSM exporting a list of members

Exporting a list of members in ODSM

The complete list of users belonging to a particular group can be exported as LDIF from ODSM with the following steps:

1.    From the ODSM interface of OID, navigate to the “Data Browser” tab
2.    Expand the Directory Information Tree and select the group whose membership needs to be viewed
3.    Right-click on the name of the group in the Directory Information Tree and click “Export LDIF”
4.    Click “OK” on the pop-up message and click on the link to view the LDIF
5.    The complete list of users can be copied and pasted into a text file


Thursday, October 15, 2015

xhost fix for Oracle Linux 7 (or any Linux server)

When you run an installer and get "DISPLAY not set. please set the DISPLAY and try again", simply follow these steps; it works. My target was to log in as oracle in order to install Oracle Database 12c.

1) Log on to Oracle Linux as root
2) Open a terminal
3) echo $DISPLAY    (note this value; you have to use it after switching to oracle. In my case it was :0)
4) enter 'xhost +SI:localuser:oracle'  (this grants only the local oracle user access to your display. The often-quoted 'xhost +' also works, but it switches X access control off for every host and user that can reach the X server, so avoid it; in either case run 'xhost -' when the installer has finished)
5) enter 'su - oracle'
6) enter 'export DISPLAY=:0'
7) runInstaller (or use whatever installer is required)

If you have the option to use another terminal than PuTTY, I would use MobaXterm; with it you do not need any of these settings to run a GUI installer.






Monday, October 12, 2015

Oracle Linux 7 in Oracle VM VirtualBox 5.0.6: connecting to the internet

Oracle Linux 7 in Oracle VM VirtualBox connecting to the internet

Once you have installed Oracle Linux 7 in VirtualBox and are trying to connect to the internet in order to run rpm or something else, you need to enable the Ethernet connection.

This button is at the top right corner in VirtualBox 5.0.6, next to the speaker button. Click it and enable one port; it will let you connect to the internet.


Tuesday, July 21, 2015

OIM plugin to generate custom userid

package oracle.iam.plugins;

import java.security.SecureRandom;
import java.util.Locale;
import java.util.Map;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.regex.Pattern;

import oracle.iam.identity.exception.UserNameGenerationException;
import oracle.iam.identity.usermgmt.api.UserNamePolicy;
import oracle.iam.identity.usermgmt.utils.UserNameGenerationUtil;
import oracle.iam.identity.usermgmt.utils.UserNamePolicyUtil;
import oracle.iam.platform.kernel.ValidationFailedException;

/**
 * User name policy that generates login IDs of the form n + 5 digits + 2 lowercase letters
 * (for example n48213qk) and retries until the ID is neither existing nor reserved in OIM.
 */
public class ShahbazUserNamePolicy implements UserNamePolicy {
    private static final String CLASS_NAME =
        ShahbazUserNamePolicy.class.getSimpleName();

    private static final String policy =
        "ShahbazUserNamePolicy:Validation Failed: ";
    private static final Logger logger =
        Logger.getLogger("COM.SHAHBAZ.ShahbazUserNamePolicy");

    // Shape of every ID this policy produces; used by isUserNameValid().
    private static final Pattern ID_PATTERN = Pattern.compile("n[0-9]{5}[a-z]{2}");

    // Upper bound on collision retries. The ID space holds 90000 * 26 * 26 values,
    // so reaching this limit means the lookups are broken, not that we were unlucky.
    private static final int MAX_ATTEMPTS = 100;

    // SecureRandom rather than java.util.Random: Random's sequence can be recovered
    // from a few observed outputs, so future IDs could be predicted before creation.
    private static final SecureRandom rand = new SecureRandom();

    public ShahbazUserNamePolicy() {
        super();
    }

    /**
     * Main method, triggered by OIM to generate a user name from the request data
     * (e.g. first name and last name).
     * @param reqData map containing request data, e.g. first name and last name
     * @return generated user name
     * @throws ValidationFailedException if no unique user name could be generated
     */
    public String getUserNameFromPolicy(Map<String, String> reqData) throws ValidationFailedException {

        String METHOD_NAME = CLASS_NAME + ":" + "getUserNameFromPolicy: ";
        logger.log(Level.FINE, METHOD_NAME + ":START");

        String fullName = reqData.get("First Name") + " " + reqData.get("Last Name");
        logger.log(Level.FINE,
                   METHOD_NAME + ":Generating Network ID for User Full Name:" +
                   fullName);

        String userName = UserNameGenerationUtil.trimWhiteSpaces(generateNetworkId());

        try {
            boolean userNameGenerated = !UserNamePolicyUtil.isUserExists(userName) &&
                                        !UserNamePolicyUtil.isUserNameReserved(userName);

            // Regenerate on collision, bounded so a broken lookup cannot spin for ever.
            for (int attempt = 1; !userNameGenerated && attempt <= MAX_ATTEMPTS; attempt++) {
                userName = generateNetworkId();
                userNameGenerated = !UserNameGenerationUtil.isUserNameExistingOrReserved(userName);
            }

            if (!userNameGenerated) {
                showErrorMessagePopup("OIM failed to generate a unique user name for " + fullName);
            }
        } catch (UserNameGenerationException e) {
            logger.log(Level.SEVERE,
                       METHOD_NAME + "Exception: " + e.getMessage(), e);
            // Fail closed: the original only logged here and returned a name that
            // might already exist or be reserved.
            showErrorMessagePopup("Unable to check user name uniqueness for " + fullName +
                                  ": " + e.getMessage());
        }

        logger.log(Level.FINE,
                   METHOD_NAME + ":Successfully generated unique network ID for " +
                   fullName + " Network ID: " + userName);
        logger.log(Level.FINE, METHOD_NAME + ":END");

        return userName;
    }

    /**
     * Called by OIM when a user name is supplied instead of generated. The original
     * returned false unconditionally, which rejects every manually entered login;
     * accept names that match this policy's own format instead.
     */
    @Override
    public boolean isUserNameValid(String userName, Map<String, String> reqData) {
        return userName != null && ID_PATTERN.matcher(userName).matches();
    }

    @Override
    public String getDescription(Locale locale) {
        return "Generate Unique Network ID n + 5 random numbers + 2 random chars ShahbazUserNamePolicy";
    }

    /**
     * Generates a random network ID: "n", a 5-digit number in 10000..99999, then two
     * lowercase letters.
     * @return random network id
     */
    private static String generateNetworkId() {
        StringBuilder userid = new StringBuilder("n");
        userid.append(rand.nextInt(90000) + 10000);
        userid.append((char)(rand.nextInt(26) + 'a'));
        userid.append((char)(rand.nextInt(26) + 'a'));
        return userid.toString();
    }

    /**
     * Raises the validation failure that OIM shows to the user.
     * @param errorMessage message to be displayed
     * @throws ValidationFailedException always
     */
    private void showErrorMessagePopup(String errorMessage) throws ValidationFailedException {

        String error_message = policy + errorMessage;
        ValidationFailedException exception =
            new ValidationFailedException(error_message);
        exception.setErrorCode("IAM-3050105");
        exception.setErrorData(new Object[] { error_message });
        throw exception;

    }

 /*   public static void main(String[] args) {
        ShahbazUserNamePolicy unamePolicy = new ShahbazUserNamePolicy();
        for (int j = 0; j < 10; j++) {
            System.out.println(unamePolicy.generateNetworkId());
        }
    }
*/
}

Wednesday, July 1, 2015

OPAM 11g certificate import error


OPAM certificate import error

Error:
keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect

Solution:

If you did not set up a keystore password, use the default values. Here are the

Default WebLogic DemoTrust & DemoIdentity keystore passwords



Trust store location
%ORACLE_HOME%/weblogic/wlserver_10.3/server/lib/DemoTrust.jks
Trust store password
DemoTrustKeyStorePassPhrase
Key store location
%ORACLE_HOME%/weblogic/wlserver_10.3/server/lib/DemoIdentity.jks
Key store password
DemoIdentityKeyStorePassPhrase
Private key password
DemoIdentityPassPhrase


Run the command again with this default value:



keytool -import -file /oracle/software/repo/filename.pem -keystore /oracle/Middleware/wlserver_10.3/server/lib/DemoTrust.jks -storepass DemoTrustKeyStorePassPhrase -trustcacerts -alias opam

These demo passwords are published by Oracle and identical on every WebLogic installation, so anyone can add a CA to DemoTrust.jks or read the DemoIdentity private key. They are fine for a development box, but a production domain must use its own identity and trust keystores with private passwords, and the OPAM certificate should then be imported into that custom trust store instead.

Sunday, June 28, 2015

OIM 11g R2 RCU-6130: Action failed - RCU-6136: Error while trying to execute SQLPlus action

Error
OIM 11g R2  RCU-6130:Action failed - RCU-6136:Error while trying to execute SQLPlus action

Solution:
You are running the wrong RCU utility or your RCU files are corrupted. Get the correct version from the Oracle site, verify the download against the checksum published on the download page, and re-run RCU after extracting it.


OIM 11.1.2.2 error while configuring the OIM server: INST-6193



 Error
 error : INST-6193: The attribute JpsContextName in MBean com.oracle.sdp.messaging:Location=soa_server1,name=ServerConfig

Solution:
Most likely you did not apply the mandatory SOA patches. Oracle clearly says these patches are mandatory. At this stage, even if you apply the SOA patches again, it will not work; I had to reinstall everything, and after applying the mandatory SOA patches I was able to complete the installation.


 

OIM 11.1.2.2 dropping repository error

Error

oracle.sysman.assistants.rcu.backend.validation.PrereqException: RCU-6083:Failed - Check prerequisites requirement for selected component:MDS
The schema owner 'PROD_MDS' is connected to the database. Please disconnect and try again.


Solution
Stop the WebLogic servers that use the MDS schema first; while they run, their connection pools simply reconnect after a killed session. Then restart the database, which kills the remaining sessions. I tried to kill the sessions but it did not work; only a restart worked.

OIM 11gR2 steps to configure Design Console

To configure Design Console do the following 2 steps:

1. Run this command to generate the .jar file:
cd /app/oracle/wlserver_10.3/server/lib and run "java -jar wljarbuilder.jar"

2. Copy wlfullclient.jar to <OIM_HOME>/designconsole/ext and <OIM_HOME>/designconsole/lib

Monday, June 22, 2015

OIM 11g R2 property to configure delayed deletion of user accounts in OIM

Here is the process if you do not want users deleted from OIM, or want a different delete date than the default (same day) after the end date (the end date disables the user's account but does not delete it).

1. Disable/Delete User After End Date
An end date is defined when a user account is created. This scheduled task disables user accounts whose end date has passed the current date at the time the task is run.

2. Delayed Delete User
This scheduled task automatically deletes users whose delete date is before the start of today.
The XL.UserDeleteDelayPeriod system property indicates the number of days after which the user is to be deleted. When the administrator deletes a user, the user is marked in the Disabled state, and the user's 'Automatically Delete On' date is set to the future date after the number of days indicated in the XL.UserDeleteDelayPeriod system property.

If you want to only disable accounts and not delete them from OIM, you can change the value of the system property "Period to Delay User Delete". The default value is "0", which means users are deleted the same day they are disabled. Set any value such as 365 (one year) or 1825 (five years) to delete a user's account that many days after it is disabled.

If you do not want any account deleted after it is disabled, you can stop the "Delayed Delete User" scheduled job from running (it is not good practice to keep old accounts in OIM: a disabled account still carries its memberships and attributes and can be re-enabled in one click, so prune them once retention requirements allow).

Friday, May 15, 2015

configuring Exadata (Database) to use OID authentication

Follow this Oracle post:

http://docs.oracle.com/cd/B28359_01/network.111/b28528/getstrtd.htm#DBIMI235

Monday, March 30, 2015

No X11 DISPLAY variable was set, but this program performed an operation which requires it

Error,
No X11 DISPLAY variable was set, but this program performed an operation which requires it

Reason
The program needs an X11 display to draw its graphical interface, and a plain PuTTY session provides none: there is no X server on the Windows side and no DISPLAY variable is exported into the remote shell.

Solution
On the internet you will find a lot of solutions, but if you do not want to waste your time the easiest one is to install MobaXterm (the professional version; version 7 is better, higher versions limit how many servers you can save), which bundles an X server and sets up X11 forwarding automatically, and open your server with MobaXterm instead of PuTTY.




Monday, March 23, 2015

Windows XP Mode Cisco VPN connect error "vpn establishment capability from a remote desktop is disabled. a vpn connection will not be established"

Once you have installed the Cisco VPN client in Windows XP Mode and try to connect, you get this error:
"vpn establishment capability from a remote desktop is disabled. a vpn connection will not be established"

Solution:
Click on Tools
Select the first option, Disable Integration Features
It will ask for a username and password (use the same username and password that you used when installing Windows XP Mode).

Each time you connect to the VPN you have to disable it.
 

Sunday, March 22, 2015

creating the OUD IT Resource in OIM, with the configuration lookup value for OUD



IT Resource => trustedOUDITRes

   baseContexts   : "dc=orasystems,dc=com"
   Configuration Lookup : Lookup.LDAP.OUD.Configuration.Trusted
   Connector Server Name :
   credentials    : Password
   failover    :
   host     : orasystemsusa.com
   port     : 1389
   principal    : cn=Directory Manager
   ssl      : false

With ssl : false the Directory Manager bind password crosses the network in the clear on port 1389. Outside a lab, point the IT resource at the LDAPS port with ssl : true, and bind as a dedicated OIM reconciliation account with read access to the base context rather than cn=Directory Manager.
 

Thursday, March 19, 2015

OID bulk password update, complete steps for beginners

Steps to follow in order to bulk update users' passwords in OID (I have explained these steps for beginners who have to run this task).

1. Create a file for all the users using the format below:

dn: cn=test1,cn=Users,dc=mycompany,dc=com
changetype: modify
replace: userPassword
userPassword: new_password

dn: cn=test2,cn=Users,dc=mycompany,dc=com
changetype: modify
replace: userPassword
userPassword: new_password

(dc=mycompany,dc=com is as per your environment)

Things to consider while creating the above file:
a) Get the correct DN from OID. Go to OID, select any user that already exists, right-click on the user's account and get its DN. For example, if it shows
cn=scott,cn=Users,dc=mycompany,dc=com

it means you need to append cn=Users,dc=mycompany,dc=com at the end of each record; for example, for a user test1 whose password you want to update, you write the record exactly as in step 1.

If the user's DN is
uid=scott,cn=Users,dc=mycompany,dc=com
then you create the file like this:

dn: uid=test1,cn=Users,dc=mycompany,dc=com
changetype: modify
replace: userPassword
userPassword: new_password

dn: uid=test2,cn=Users,dc=mycompany,dc=com
changetype: modify
replace: userPassword
userPassword: new_password


b) There is an empty line between records. If it is missing you will get an error.

c) Make sure the userPassword attribute exists in OID (it is the default attribute); if it has been changed in your environment make sure to use the correct attribute.

d) The file extension does not matter to ldapmodify; what breaks the load is stray whitespace, in particular trailing spaces or Windows CR/LF line endings, so check the file (cat -A shows them) and convert it with dos2unix before running the command. The file contains cleartext passwords, so create it with mode 600 and delete it once the users have been verified.

2. Load the above file on the OID server and run the following ldapmodify command:


$ORACLE_HOME/bin/ldapmodify -h hostName -p port -D "cn=orcladmin" -q -f usersPassword.ldif  > passwordusers.out

(-q prompts for the orcladmin password instead of passing it with -w on the command line, where every user on the box can read it from ps and it lands in the shell history.)

3. Test that a user's password was updated successfully:
$ORACLE_HOME/bin/ldapbind -h [oid_hostName] -p [oid_port] -D "uid=test1,cn=Users,dc=mycompany,dc=com" -q
You should get the message "bind successful"
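Writing the LDIF by hand for hundreds of users is where the whitespace and blank-line mistakes above creep in, so here is an added example (not from the original post) that generates the records from a uid:password list and then binds as each user to confirm the change. The cn=Users,dc=mycompany,dc=com suffix and the uid RDN come from the post; the input format, the ldapbind invocation and the sample users are assumptions, and the sample list is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: generate the bulk
# userPassword LDIF from a "uid:password" list and verify each bind.
# Assumptions: input lines are "uid:password", the suffix/RDN below
# match the environment, and ldapbind is the OID one in $ORACLE_HOME/bin.

SUFFIX="cn=Users,dc=mycompany,dc=com"
RDN_ATTR="uid"       # use "cn" if your user DNs look like cn=...,cn=Users,...

# Read "uid:password" lines on stdin and emit one modify record per user,
# separated by the blank line ldapmodify requires. Carriage returns and
# surrounding whitespace on the uid are stripped so a file saved on
# Windows still loads; blank input lines are skipped.
password_ldif() {
    tr -d '\r' | while IFS=: read -r user pw; do
        user="$(printf '%s' "$user" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')"
        [ -n "$user" ] || continue
        printf 'dn: %s=%s,%s\n' "$RDN_ATTR" "$user" "$SUFFIX"
        printf 'changetype: modify\nreplace: userPassword\nuserPassword: %s\n\n' "$pw"
    done
}

# Count the records in an LDIF read from stdin (one "dn:" line each).
ldif_record_count() { grep -c '^dn: '; }

# Bind as every user in the list to confirm the new password took.
# ldapbind -w puts each password on a command line, visible in ps for the
# duration of the bind, so run this on the OID host and shred the list after.
verify_binds() {
    host="$1"; port="$2"
    tr -d '\r' | while IFS=: read -r user pw; do
        [ -n "$user" ] || continue
        if "$ORACLE_HOME/bin/ldapbind" -h "$host" -p "$port" \
               -D "$RDN_ATTR=$user,$SUFFIX" -w "$pw" >/dev/null 2>&1; then
            printf 'OK   %s\n' "$user"
        else
            printf 'FAIL %s\n' "$user"
        fi
    done
}

# Constructed sample input (not real users); note the blank line and the
# CRLF ending, both of which the generator tolerates.
SAMPLE_USERS='test1:New-Pass-1
 test2 :New-Pass-2

test3:New-Pass-3'

# Usage:
#   umask 077
#   password_ldif < users.txt > usersPassword.ldif
#   $ORACLE_HOME/bin/ldapmodify -h oidhost -p 3060 -D cn=orcladmin -q -f usersPassword.ldif
#   verify_binds oidhost 3060 < users.txt
printf '%s\r\n' "$SAMPLE_USERS" | password_ldif
```

Because read assigns everything after the first colon to pw, passwords containing a colon survive intact; a password with leading or trailing spaces is kept as typed, since only the uid is trimmed.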

Wednesday, March 18, 2015

troubleshooting bind issues with OID, OVD and OTD

LDAP binds can be tested against OID, OVD, and OTD to narrow down where authentication errors are occurring. The following commands can be run from the OID box for the respective directories (-q prompts for the password so it does not end up on the command line; the ports are those of this environment):

* OID: ldapbind -p 3060 -D <DN of user> -q
* OVD: ldapbind -p 6051 -D <DN of user> -q
* OTD: ldapbind -h <OTD hostname> -p 7012 -D <DN of user> -q

Friday, March 13, 2015

OAM 11gR2 validating Oracle Identity Federation


Validate the configuration of Oracle Identity Federation on IDMHOST1 and IDMHOST2 by accessing the SP metadata on each host.

On IDMHOST1, access the SP metadata by going to:
http://IDMHOST1.mycompany.com:7499/fed/sp/metadata

On IDMHOST2, access the SP metadata by going to:
http://IDMHOST2.mycompany.com:7499/fed/sp/metadata

If the configuration is correct, you can access the following URL from a web browser:
https://SSO.mycompany.com/fed/sp/metadata

You should see the metadata (an XML EntityDescriptor for the service provider). Check that the entityID and AssertionConsumerService URLs in it carry the public https://SSO.mycompany.com name rather than an internal IDMHOST name, because that is what the identity provider will be given.

OIM 11.1.2.2.0 customization of the message displayed on the password screen

I have implemented a requirement where I had to change the message that is displayed once a user resets their password. The current message is "Answer the challenge questions below with the answers you set during registration"; I had to change it to "Answer the challenge questions below with the answers you set during registration only 3 correct answers will let you reset the password".

Here is how I implemented this requirement.



1. Create and activate a sandbox.
2. Open another browser and enter a URL like servername:port/identity/faces/forgotpassword
3. Enter customization mode on the first page
4. Fill out the change password info, but don't submit
5. View source and hide the element
6. Navigate back to home
7. Deactivate and export the sandbox
8. Navigate in the zipped sandbox to the file firstlogin.jspx.xml
9. Extract the file and make the changes
10. Repackage the file in the archive
11. Import the sandbox
12. Publish the sandbox

Registering WebGate with the RREG utility

Registering WebGate through RREG

Using the RREG tool.

cd <IAM_HOME>/oam/server/rreg
INPUT :
cd <IAM_HOME>/oam/server/rreg/input
vi OAM11GRequest.xml

<serverAddress>http://servername.com:7001</serverAddress>
<hostIdentifier>RREGHost</hostIdentifier>
<agentName>RREGAgent</agentName>
<agentBaseUrl>http://servername.com:port</agentBaseUrl>

<applicationDomain>RREGDomain</applicationDomain>

COMMAND :
cd <IAM_HOME>/oam/server/rreg/bin

export JAVA_HOME=/u01/jdk1.6.0_35/
export PATH=$JAVA_HOME/bin:$PATH

chmod u+x oamreg.sh

./oamreg.sh inband <IAM_HOME>/oam/server/rreg/input/OAM11GRequest.xml



OUTPUT :

cd <IAM_HOME>/oam/server/rreg/output/RREG_OAM11GAgent
ls
cwallet.sso  ObAccessClient.xml

cp cwallet.sso ObAccessClient.xml <OHS_HOME>/instances/WebgateRREG/config/OHS/ohs2_EM/webgate/config/

Verify : restart the web server and verify the integration.

OID 11g how to start OVD without starting all the components

./opmnctl status -l
to see all the components and the ports they are running on

./opmnctl stopproc ias-component=ovd1

./opmnctl startproc ias-component=ovd1

export/import of OAM 11g policies: the difference between the exportPolicy and exportPartners commands


These commands
exportPolicy(pathTempOAMPolicyFile='/eidm/oracle/policies/oam_policies_292015.xml')
importPolicy(pathTempOAMPolicyFile='/eidm/oracle/policies/oam_policies_292015.xml')
do not create WebGate profiles in the target system, because the policy file does not contain the WebGate profile details.


For export/import of WebGates/partners you use the exportPartners/importPartners commands. Treat the exported partner file as sensitive: it carries the agent registrations the WebGates authenticate with.


Refer to http://docs.oracle.com/cd/E28271_01/core.1111/e10105/testprod.htm#ASADM11693
Section "Task 5 Move Oracle Access Manager 11g to a New Target Environment"

OAM 11g R2 PS2 how to manually purge the session table when it is not truncated automatically


PS2 has a bug where it does not purge a user's rows from the session table automatically once the user logs off, and whenever a user tries to access an application the system scans the whole table looking for an active session, which can consume a lot of resources. Here is how to truncate the table manually, once; afterwards it needs to be monitored to see whether the table is being cleaned up automatically or not. Truncating it logs every user out, so do it in a maintenance window. (EIDM_OAM is the OAM schema name in this environment; use yours.)


Shut down all OAM servers
Back up the OAM tables EIDM_OAM.OAM_SESSION_ATTRIBUTES and EIDM_OAM.OAM_SESSION using Data Pump.

alter table EIDM_OAM.OAM_SESSION_SP_LIST disable constraint OAM_SESSION_SP_LIST_FK1;

alter table EIDM_OAM.OAM_SESSION_ATTRIBUTES disable constraint OAM_SESSION_ATTRIBUTES_FK1;

TRUNCATE TABLE EIDM_OAM.OAM_SESSION_ATTRIBUTES;
TRUNCATE TABLE EIDM_OAM.OAM_SESSION;

alter table EIDM_OAM.OAM_SESSION_SP_LIST enable constraint OAM_SESSION_SP_LIST_FK1;

alter table EIDM_OAM.OAM_SESSION_ATTRIBUTES enable constraint OAM_SESSION_ATTRIBUTES_FK1;

Start the OAM servers


IPv6 compatibility versions with OAM 11g R2

Versions 11.1.2.2 (OAM 11g R2 PS2) and 11.1.1.6 (OHS) are certified with IPv6.

11.1.2.1 (OAM 11g R2 PS1) does not support IPv6.

how to change the OIDMON statistics-gathering schedule in OID to improve performance in a high availability environment

Database statistics are updated automatically: OIDMON runs oidstats.sql after every configured number of updates to the database. By default OIDMON runs oidstats.sql for every 5000 entries added. This frequency can be changed using ldapmodify as shown below (or save the LDIF to a file and use -q -f file, which keeps the admin password off the command line):

$ORACLE_HOME/bin/ldapmodify -p <oidPort> -h <oidHost> -D cn=orcladmin -w <adminPassword> << eof
dn: cn=configset,cn=oidmon,cn=subconfigsubentry
changetype: modify
replace: orclstatsperiodicity
orclstatsperiodicity: <desired_number>
eof



So to ensure that statistics are gathered only during a defined period (maintenance windows and the 3am oidstats job), disable the supplemental OIDMON statistics gathering and rely only on the once-daily oidstats database job and the autotask job. This is done with ldapmodify by setting orclstatsperiodicity to 0:

Example LDIF to modify orclstatsperiodicity using ldapmodify:

dn: cn=configset,cn=oidmon,cn=subconfigsubentry
changetype: modify
replace: orclstatsperiodicity
orclstatsperiodicity: 0

Thursday, March 12, 2015

switching diagnostics data collection off

If your diagnostics data is growing very large you can disable it to reduce the load on the server. WLS 9.2 and 10.0 have com.bea.wlw.netui.disableInstrumentation set to false by default.


Here are 2 ways of disabling this.

Detailed steps for permanently switching off diagnostics data collection are as follows:
  1. Shut down your WebLogic server.
  2. Clear the <SERVER>/data/store/diagnostics directories.
  3. Apply the startup parameters, e.g. in setDomainEnv.sh, modify JAVA_OPTIONS:

JAVA_OPTIONS="${JAVA_OPTIONS} -D_Offline_FileDataArchive=true -Dcom.bea.wlw.netui.disableInstrumentation=true -Dweblogic.connector.ConnectionPoolProfilingEnabled=false"
export JAVA_OPTIONS

  4. Restart your WebLogic server.

DMS

The Dynamic Monitoring Service is a facility in FMW (JRF, to be more precise) that collects runtime data on the components deployed to WebLogic. Each component decides how much or how little it uses the service, and SOA collects a fair amount of information. To view what is collected on any running server, open http://host:port/dms/Spy and log in with admin credentials.


DMS is essentially always running and collecting this information at runtime, and to protect against loss of this data it also runs automatic backups, by default every 3 hours. Most of the management options for DMS are exposed through WLST, but these settings are not, so we must open the dms_config.xml file, found at DOMAIN_HOME/config/fmwconfig/servers/<server_name>/dms_config.xml.


The contents are fairly short and at the bottom you will find the following entry: 

<dumpConfiguration> 
    <dump intervalSeconds="10800" maxSizeMBytes="75" enabled="true"/> 
</dumpConfiguration> 

The interval of 10800 seconds corresponds to the 3 hours and the maximum size is 75MB. The file is written as an archive to DOMAIN_HOME/servers/<server_name>/logs/metrics. This archive contains the dump in XML format. 


You can disable the dumps altogether by setting the 'enabled' value to 'false', or of course you can modify the other parameters to suit your needs. Disabling the dumps will NOT impact DMS collection or display at runtime; it only eliminates these periodic backups.
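As an added example (not from this post or from Oracle), here is a small standard-library script that reads the <dumpConfiguration> block out of a dms_config.xml, reports the interval and size, and switches the periodic dump off while leaving every other setting alone. The sample XML below is constructed to mirror the entry shown above; the real file's root element and namespace may differ, which is why the lookup ignores namespaces.

```python
# Added example, not Oracle's tooling: inspect and disable the periodic DMS
# dump in a dms_config.xml using only the Python standard library.
import xml.etree.ElementTree as ET

# Constructed sample; the real file's root element may differ.
SAMPLE_DMS_CONFIG = """<?xml version="1.0"?>
<dms>
  <dumpConfiguration>
    <dump intervalSeconds="10800" maxSizeMBytes="75" enabled="true"/>
  </dumpConfiguration>
</dms>
"""


def _find_dump(root):
    """Locate the <dump> element regardless of any XML namespace prefix."""
    for elem in root.iter():
        if elem.tag.rsplit("}", 1)[-1] == "dump":
            return elem
    raise ValueError("no <dump> element found in dms_config.xml")


def dump_settings(xml_text):
    """Return (interval_hours, max_mb, enabled) for the dump configuration."""
    dump = _find_dump(ET.fromstring(xml_text))
    interval_hours = int(dump.get("intervalSeconds", "0")) / 3600
    max_mb = int(dump.get("maxSizeMBytes", "0"))
    enabled = dump.get("enabled", "true").strip().lower() == "true"
    return interval_hours, max_mb, enabled


def disable_dumps(xml_text):
    """Return the config with the periodic dump switched off.

    Only the 'enabled' attribute changes; interval and size are preserved,
    and runtime DMS collection (the /dms/Spy view) is unaffected.
    """
    root = ET.fromstring(xml_text)
    _find_dump(root).set("enabled", "false")
    # For a real file, write back with ET.ElementTree(root).write(path,
    # xml_declaration=True, encoding="UTF-8") and restart the server.
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(dump_settings(SAMPLE_DMS_CONFIG))              # (3.0, 75, True)
    print(dump_settings(disable_dumps(SAMPLE_DMS_CONFIG)))  # (3.0, 75, False)
```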

Saturday, February 28, 2015

oim 11g r2ps2 design console configuration before starting it for the first time

Before running the design console, it needs to be configured. Here are the steps to configure it:

1. cd <WL_HOME>/server/lib
2. run the command below
java -jar wljarbuilder.jar

3. the above command creates wlfullclient.jar
copy wlfullclient.jar to <OIM_HOME>/designconsole/ext

4. now run
   ./xlclient.sh


oam 11gr2 Authentication Scheme, how to give control to a custom plugin for credential collection



In multi-step authentication mode, the plug-in can either collect the credentials from start or use the credentials obtained from the default login page and collect extra credentials if required. If the challenge parameter initial_command=NONE is set in the authentication scheme, control comes to the plug-in directly and the plug-in controls the credentials to be collected.

OAM Authentication Module StepUI and StepUA meanings and execution sequence

When you are defining steps in an Authentication Module, the meanings are the following:

StepUI is an abbreviation of User Identification (not User Interface).

StepUA is an abbreviation of User Authentication.


The step orchestration sequence is:

StepUI runs first and, if it succeeds, StepUA follows.

If the StepUI result is Failure or Error, the end result is Failure and StepUA is not executed.

If StepUI succeeds and StepUA returns Failure or Error, the end result is Failure too.


How these plug-ins work in OAM:

When a user tries to access a resource protected by this Authentication Scheme, the user is asked to enter a username and password and the request goes to OAM. OAM calls the StepUI plug-in to locate the user in the directory, then the StepUA plug-in is called to verify that the username and password entered match the directory. If both steps succeed, the user is authenticated.
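The orchestration above, as an added example that is not Oracle's plug-in API and not code from this post: a model of StepUI (locate the user) and StepUA (verify the password) with the short-circuit rules applied by a small orchestrator. The directory, the hashed password and the outcome strings are constructed for the example.

```python
# Added example: a model of the StepUI -> StepUA orchestration, not Oracle's
# authentication plug-in API. Directory contents are constructed.
import hashlib
import hmac

SUCCESS, FAILURE, ERROR = "SUCCESS", "FAILURE", "ERROR"


def _pw_hash(password, salt):
    """Constructed credential store format: PBKDF2-SHA256, never plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10000)


# Constructed in-memory directory: uid -> (salt, password hash).
DIRECTORY = {
    "jdoe": (b"salt-jdoe", _pw_hash("Welcome1", b"salt-jdoe")),
}


def step_ui(creds):
    """User Identification: locate the user in the directory.
    Returns (outcome, uid). A missing username is an Error, an unknown
    username is a Failure; both stop the module before StepUA."""
    uid = creds.get("username")
    if not uid:
        return ERROR, None
    if uid not in DIRECTORY:
        return FAILURE, None
    return SUCCESS, uid


def step_ua(creds, uid):
    """User Authentication: verify the submitted password for the located user."""
    salt, stored = DIRECTORY[uid]
    submitted = _pw_hash(creds.get("password", ""), salt)
    # Constant-time comparison so a wrong password leaks nothing via timing.
    return SUCCESS if hmac.compare_digest(submitted, stored) else FAILURE


def authenticate(creds):
    """Orchestrate the steps: StepUI first, StepUA only if StepUI succeeded.
    Returns (end result, step that decided it)."""
    ui_result, uid = step_ui(creds)
    if ui_result != SUCCESS:          # Failure or Error in StepUI -> Failure
        return FAILURE, "StepUI"
    if step_ua(creds, uid) != SUCCESS:
        return FAILURE, "StepUA"
    return SUCCESS, "StepUA"
```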

soa 11g URLs

the default port of SOA is 8001

soa-infra
servername:port/soa-infra

SOA Composer (Disconnected App Instance)
servername:port/soa/composer

BPM Worklist
servername:port/integration/worklistapp


Friday, February 27, 2015

OAM 11gR2 difference between ECC and DCC Authentication Model


DCC    => Detached Credential Collector (AKA Authenticating WebGate), new feature introduced in  11gR2 

ECC    => Embedded Credential Collector, default 11g behaviour


In OAM 10g, user credentials are submitted to the Webgate and the Webgate then communicates with the OAM server to validate them. When OAM 11g was introduced, it had a different flow: the user is sent by the webgate to the OAM server login page (for credential collection) and submits the credentials there. So you have to expose the OAM server for credential submission, which is not good practice for companies that don't want OAM exposed; it is a security risk for them. So Oracle provided the DCC feature in OAM 11gR2.

Now, when you are configuring an 11gR2 Webgate you have a check box "Allow Credential Collector Operations". If you tick this check box, user credentials are submitted to the Webgate (middle tier) and the Webgate submits them to the OAM server.

DCC is the way to go nowadays; companies now have the option to keep the Webgate in the web tier separate from the OAM server.




Tuesday, February 24, 2015

how to check the global passphrase in OAM 11gR2 for simple mode

1. run the wlst command
./wlst.sh

2. connect to wlst
In the WLST shell, enter the command to connect and then enter the requested information.
wls:/offline> connect()
Please enter your username [weblogic] :
Please enter your password [weblogic] :
Please enter your server URL [t3://localhost:7001] :
wls:/base_domain/serverConfig>



3. change location
Enter the following command to change the location to the read-only domainRuntime tree (for help, use help(domainRuntime)). For example:
wls:/OAM_AC>domainRuntime()



4.View the global passphrase by entering the following command. For example:
wls:/OAM_AC> displaySimpleModeGlobalPassphrase()