Sunday, December 28, 2014

specifying JVM flight recording path

By default the WLS Admin Server has no flight recording repository configured, so the JVM writes its recording (chunk) files under the system temp directory, /tmp on Unix. You can see this in the Admin Server's JVM start arguments, and you can point it at a different directory there. Keep recordings out of a shared /tmp: they can be large, and they contain thread stacks and application data that other local users should not be able to read.

To set the path, add the option below with repository=<directory>:

Option:
-XX:FlightRecorderOptions=parameter1=value[,parameter2=value]

Example (on Oracle JDK 7u4 to 8, -XX:+FlightRecorder must be preceded by -XX:+UnlockCommercialFeatures, otherwise the JVM refuses to start):
java -XX:+UnlockCommercialFeatures -XX:+FlightRecorder -XX:FlightRecorderOptions=disk=true,repository=file_location,maxchunksize=10M MyApp

To make this change through the console (take a backup of config.xml first):

a. Log on to the WebLogic console.
b. Go to Environment > Servers > <server> > Server Start > Arguments.
c. Add the repository location, for example -XX:FlightRecorderOptions=defaultrecording=true,repository=/idm/oracle/tmpJFR, and save.

The Server Start arguments are only used when the server is started by Node Manager; for a server started with startWebLogic.sh or startManagedWebLogic.sh, put the same flags in JAVA_OPTIONS in the domain's bin/setDomainEnv.sh. Create the repository directory beforehand, owned by the WebLogic user with mode 700.
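Here is a small helper, added to this post and not part of WebLogic or the JDK, that builds the flags described above and refuses to put the repository on a shared temp directory. It assumes Oracle JDK 7u4 to 8 (which need -XX:+UnlockCommercialFeatures) and a POSIX shell; the function name and the check on the directory mode are my own.

```shell
#!/bin/sh
# jfr_opts: build the JVM flags for a JFR repository on a private directory.
# Added helper, not part of WebLogic or the JDK. Assumes Oracle JDK 7u4-8
# (which need -XX:+UnlockCommercialFeatures) and a POSIX shell.
#
# Usage: jfr_opts <repository_dir> [max_chunk_size]
# Prints the flags on stdout; returns 1 if the directory is unusable.
jfr_opts() {
    repo=$1
    chunk=${2:-10M}
    if [ -z "$repo" ]; then
        echo "jfr_opts: repository directory required" >&2
        return 1
    fi
    # Refuse the shared temp directories: recordings hold thread stacks,
    # thread names and sometimes request data other local users must not read.
    case $repo in
        /tmp|/tmp/|/var/tmp|/var/tmp/)
            echo "jfr_opts: refusing shared temp directory $repo" >&2
            return 1 ;;
    esac
    mkdir -p "$repo" || return 1
    chmod 700 "$repo" || return 1
    # Verify the mode actually took (e.g. not a mount that ignores chmod).
    case $(ls -ld "$repo") in
        ?rwx------*) ;;
        *) echo "jfr_opts: could not make $repo private" >&2; return 1 ;;
    esac
    printf '%s %s %s\n' \
        '-XX:+UnlockCommercialFeatures' \
        '-XX:+FlightRecorder' \
        "-XX:FlightRecorderOptions=defaultrecording=true,disk=true,repository=$repo,maxchunksize=$chunk"
}

# Example: emit the flags to paste into Server Start > Arguments.
# jfr_opts /idm/oracle/tmpJFR
```

Paste the printed line into the Arguments field (or JAVA_OPTIONS); the directory is created and locked down as a side effect, so run it as the WebLogic user.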

Wednesday, December 24, 2014

how to check whether a port is being blocked (netstat FIN_WAIT1)

A quick check for a blocked port is to look for sockets stuck in FIN_WAIT1. Ideally this returns nothing:

$ netstat -an | grep FIN_WAIT1

FIN_WAIT1 means this host has sent its FIN to close the connection and is still waiting for the peer to acknowledge it. A handful of entries that disappear within seconds is normal; a pile of them toward the same peer that stays for minutes (often with a non-zero Send-Q) means the peer never acknowledges, usually because a firewall between the hosts silently drops the traffic or the peer host is down. Get the port unblocked so the other server can talk to this one, and confirm afterwards that the entries drain.
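The grep above tells you that something is stuck but not who with. The helper below, added here and not part of the original post, groups FIN_WAIT1 sockets by remote host so a blocked peer stands out. It expects Linux-style netstat -an output (state in column 6, addr:port in column 5); the sample output is constructed, not captured from a real host.

```shell
#!/bin/sh
# Group FIN_WAIT1 sockets by remote host so a blocked peer stands out.
# Added helper, not part of the original post. Expects Linux-style
# "netstat -an" output (state in column 6, "addr:port" in column 5) on stdin.

# fin_wait1_by_peer: prints "<count> <peer address>", most affected peer first.
fin_wait1_by_peer() {
    awk '$6 == "FIN_WAIT1" {
             peer = $5
             sub(/:[^:]*$/, "", peer)      # strip the port; works for IPv6 too
             count[peer]++
         }
         END { for (p in count) print count[p], p }' | sort -rn
}

# fin_wait1_suspects <threshold>: peers with at least <threshold> sockets
# stuck in FIN_WAIT1. A few transient entries are normal; many toward the
# same host mean our FIN is never acknowledged.
fin_wait1_suspects() {
    fin_wait1_by_peer | awk -v t="$1" '$1 >= t { print $2 }'
}

# Constructed sample of "netstat -an" output (not captured from a real host).
NETSTAT_SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:7001           10.0.0.9:51234          ESTABLISHED
tcp        0   1200 10.0.0.5:7001           10.0.0.22:40001         FIN_WAIT1
tcp        0   1200 10.0.0.5:7001           10.0.0.22:40002         FIN_WAIT1
tcp        0   1200 10.0.0.5:7001           10.0.0.22:40003         FIN_WAIT1
tcp        0      0 10.0.0.5:7001           10.0.0.9:51240          FIN_WAIT1
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN'

# Live use:   netstat -an | fin_wait1_suspects 5
# With the sample above, 10.0.0.22 is reported and 10.0.0.9 is not.
printf '%s\n' "$NETSTAT_SAMPLE" | fin_wait1_suspects 3
```

Run it twice a minute apart: a peer whose count does not go down is the one to raise with the network team.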

Monday, December 15, 2014

federation protocols and their differences

Federation Protocols

In building a federated architecture that addresses interoperability, assurance, and trust concerns across security domains, the following protocols have emerged as useful building blocks for identity management integration:
  • SAML 1.0 and 1.1, which define a format for security data exchange known as an assertion, and profiles which provide the means for using the assertions
  • SAML 2.0, which extends SAML 1.1 to provide additional profiles.
  • WS-Federation, which enables different security realms to federate by brokering trust in identities, user attributes and authentication between participating Web services

SAML 1.x

SAML 1.0 defines two key concepts:
  1. a security token format, known as an assertion, which associates a given identity with specific access rights
  2. profiles that describe ways to package these assertions to provide single sign-on
SAML 1.1 updates SAML 1.0 with feedback and corrections. Specifically, SAML 1.1 introduces XML Digital Signature changes that greatly improve interoperability. Because of these XML Digital Signature changes, Oracle recommends that you use the SAML 1.1 protocol over SAML 1.0 whenever possible, as it greatly reduces issues when verifying signatures.

SAML 2.0

SAML 2.0 includes support for single sign-on based largely on the framework developed by the Liberty Alliance ID-FF specifications.
Although identity federation as such is not spelled out in the specification, SAML 2.0 promotes the use of a name identifier issued for a specific purpose, and it supports a number of named profiles that largely mirror the functionality of the Liberty ID-FF 1.2 profiles, on top of the name identifier formats inherited from SAML 1.x.

WS-Federation

The WS-Federation specification is "an integrated model for federating identity, authentication, and authorization across different trust realms and protocols." WS-Federation is a Web services-oriented standard which supports profiles for passive requestors, such as Web browsers, as well as active requestors such as SOAP-enabled applications.


How to De-install the Enterprise Manager Cloud Control 12c Agent

Follow the Oracle instructions below if you have to uninstall the EM 12c Agent.

1. Before you deinstall a Management Agent, do the following:

    a. Stop the Agent with the following command from the Management Agent instance home:
$ emctl stop agent
Example:
$ ../agent12c/agent_inst/bin/emctl stop agent

    b. Wait for the Management Agent to go to the unreachable state in the Cloud Control console.

    c. It is mandatory to delete the Management Agent and its monitored targets, for example with EM CLI:

Example:
$ emcli login -username=SYSMAN
$ emcli sync
$ emcli delete_target -name="example.com:1836" -type="oracle_emd" -delete_monitored_targets -async

2. Deinstalling using Graphical Method:

2.a.) Invoke the installer from Management Agent home by running the following command:
    
$ <AGENT_HOME>/oui/bin/runInstaller -deinstall ORACLE_HOME=<absolute_path_to_agent_home> [-removeallfiles]

Example:
$ /u01/app/oracle/agent/core/12.1.0.1.0/oui/bin/runInstaller -deinstall ORACLE_HOME=/u01/app/oracle/agent/core/12.1.0.1.0 -removeallfiles

2.b.) In the Installation wizard click on "Installed Products" button.

2.c.) On the Inventory screen, select the plug-in homes, and click "Remove" button.

2.d.) On the Inventory screen, select the sbin home, and click "Remove" button.

2.e.) On the Inventory screen, select the Management Agent, and click "Remove" button.

OR
Deinstalling using Silent Method:

2.i) Deinstall the plug-in homes:
$ <AGENT_HOME>/oui/bin/runInstaller -silent -deinstall -removeallfiles "REMOVE_HOMES={absolute_path_to_plug-in_home}" [-invPtrLoc <absolute_path_to_oraInst.loc>]
Example:
$ ../agent/core/12.1.0.1.0/oui/bin/runInstaller -silent -deinstall -removeallfiles "REMOVE_HOMES={../agent/plugins/oracle.sysman.emas.oms.plugin_12.1.0.1.0, ../agent/plugins/oracle.sysman.emct.oms.plugin_12.1.0.1.0}" -invPtrLoc /home/oracle/oraInst.loc

2.ii) Deinstall the sbin home:
$ <AGENT_HOME>/oui/bin/runInstaller -silent -deinstall -removeallfiles "REMOVE_HOMES={absolute_path_to_sbin_directory}" [-invPtrLoc <absolute_path_to_oraInst.loc>]
Example:
$ ../agent/agent_inst/oui/bin/runInstaller -silent -deinstall -removeallfiles "REMOVE_HOMES={../agent/sbin}" -invPtrLoc /home/oracle/oraInst.loc

2.iii) Deinstall the Management Agent:
$ <AGENT_HOME>/oui/bin/runInstaller -silent -deinstall -removeallfiles "REMOVE_HOMES={absolute_path_to_agent_oracle_home}" [-invPtrLoc <absolute_path_to_oraInst.loc>]
Example:
$ ../agent/core/12.1.0.1.0/oui/bin/runInstaller -silent -deinstall -removeallfiles "REMOVE_HOMES={../agent/core/12.1.0.1.0}" -invPtrLoc /home/oracle/oraInst.loc

Note: the -invPtrLoc parameter is optional; it points the installer at a specific oraInst.loc when the inventory is not in the default location.
For Windows: use setup.exe instead of runInstaller.


3. (Only for Graphical Mode) Verify that the Oracle Homes and other directories were successfully deinstalled. To do so, follow these steps:

3.a.) Invoke the installation wizard by running the following command from the Management Agent home:
$ <AGENT_HOME>/oui/bin/runInstaller
Example:
$ ../agent/core/12.1.0.1.0/oui/bin/runInstaller

3.b.) In the installation wizard, on the My Oracle Support Details screen, click the "Installed Products" button.

3.c.) On the Inventory screen, check whether the Oracle Homes and other directories you deinstalled still appear. If the deinstallation was successful, they should not.

4. Open inventory.xml and check that the Agent plug-in home and Agent sbin home entries have been removed. The deinstallation should have removed them.

Note: inventory.xml is under the ContentsXML folder of the inventory location named in oraInst.loc.

5. Remove the Cloud Control Management Agent base directory. Double-check the path before running this; rm -rf on the wrong directory is not recoverable.

For UNIX platforms:
$ rm -rf <absolute_path_to_agent_base_dir>
Example:
$ rm -rf /u01/app/oracle/product/agent12c
For Microsoft Windows platforms (del removes only files; rmdir /s /q removes the whole tree):
C:\app\oracle> rmdir /s /q <absolute_path_to_agent_base_dir>
Example:
C:\app\oracle> rmdir /s /q c:\app\oracle\product\agent12c
If the Windows service Oracleagent12c1Agent (the service name may differ) was not deleted, delete it with:
C:\> sc delete Oracleagent12c1Agent

Saturday, December 13, 2014

admin server WLS start up error BEA-000386


ERROR:

<Critical> <WebLogicServer> <BEA-000386> <Server subsystem failed. Reason: weblogic.security.SecurityInitializationException: Authentication for user weblogic denied
weblogic.security.SecurityInitializationException: Authentication for user weblogic denied
       at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.doBootAuthorization(CommonSecurityServiceManagerDelegateImpl.java:965)
       at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1050)
       at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:873)
       at weblogic.security.SecurityService.start(SecurityService.java:141)
       at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
       Truncated. see log file for complete stacktrace
Caused By: javax.security.auth.login.FailedLoginException: [Security:090303]Authentication Failed: User weblogic weblogic.security.providers.authentication.LDAPAtnDelegateException: [Security:090295]caught unexpected exception
       at weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.login(LDAPAtnLoginModuleImpl.java:251)
       at com.bea.common.security.internal.service.LoginModuleWrapper$1.run(LoginModuleWrapper.java:110)
       at com.bea.common.security.internal.service.LoginModuleWrapper.login(LoginModuleWrapper.java:106)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       Truncated. see log file for complete stacktrace
>
 <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FAILED>
<Error> <WebLogicServer> <BEA-000383> <A critical service failed. The server will shut itself down>
 <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FORCE_SHUTTING_DOWN>


Solution:

This error usually means the Admin Server's embedded LDAP (servers/AdminServer/data/ldap) is damaged, typically after an unclean shutdown, so the boot identity cannot be authenticated against it. Each managed server keeps a replica of that data. Stop the Admin Server, move its servers/AdminServer/data/ldap directory aside as a backup, copy servers/<managed>/data/ldap from a managed server into its place and start the Admin Server again; it then boots fine.

Keep the backup: the embedded LDAP holds the default security realm's users, groups, roles and policies, and the managed server's replica only contains what was synchronised up to the last time that managed server ran. Anything changed in the realm after that point has to be re-applied.

Sunday, December 7, 2014

how to get EJB pool size information at weblogic

Below is where you can find the EJB pool size settings:

navigate to WebLogic console > Deployments > oam_server > EJBs > ControllerMessageBean > Configuration

Thursday, December 4, 2014

how to stop OAM managed servers broadcasting log messages to the admin domain log

By default each managed server forwards its log messages to the Admin Server, which writes them into the domain log. Each managed server already records the same messages in its own server log, so the broadcast is extra traffic and extra work for the Admin Server, and on a busy OAM domain it shows up as high CPU on the Admin Server. Raising the broadcast threshold improves the Admin Server's performance; the messages stay available in each server's own log.

Here is how to stop the OAM managed servers broadcasting to the domain log:
1. connect to the WebLogic admin console
2. click 'Environment --> Servers'
3. click 'oam_serverX' (X=1,2,3,4)
4. click the 'Logging' tab
5. expand the 'Advanced' section
6. under 'Domain log broadcaster' change the 'Severity level' to 'Critical'
7. click Save and activate the changes

Note that at 'Critical' the domain log no longer receives that server's Error and Warning messages, so anything that watches only the domain log will miss them. If you need errors centralised, use 'Error' instead and keep the reduction for Warning and below.

lsnrctl status error. set ORACLE_HOME to fix this issue

./lsnrctl status
LSNRCTL for Linux: Version 11.2.0.1.0 - Production on 04-DEC-2014 11:36:08
Copyright (c) 1991, 2009, Oracle.  All rights reserved.
Message 1053 not found; No message file for product=network, facility=TNSMessage 1020 not found; No message file for product=network, facility=TNSMessage 1021 not found; No message file for product=network, facility=TNSMessage 1022 not found; No message file for product=network, facility=TNSMessage 1023 not found; No message file for product=network, facility=TNSMessage 1026 not found; No message file for product=network, facility=TNSMessage 1034 not found; No message file for product=network, facility=TNSMessage 1024 not found; No message file for product=network, facility=TNSMessage 1025 not found; No message file for product=network, facility=TNSMessage 1040 not found; No message file for product=network, facility=TNSMessage 1033 not found; No message file for product=network, facility=TNSMessage 1028 not found; No message file for product=network, facility=TNSMessage 1415 not found; No message file for product=network, facility=TNS  Message 1050 not found; No message file for product=network, facility=TNS
  Message 1050 not found; No message file for product=network, facility=TNS
Message 1029 not found; No message file for product=network, facility=TNSMessage 1411 not found; No message file for product=network, facility=TNS
  Message 1408 not found; No message file for product=network, facility=TNS
  Message 1408 not found; No message file for product=network, facility=TNS
  Message 1408 not found; No message file for product=network, facility=TNS
Message 1411 not found; No message file for product=network, facility=TNS
  Message 1408 not found; No message file for product=network, facility=TNS
Message 1052 not found; No message file for product=network, facility=TNS


Solution

The "No message file for product=network" lines mean lsnrctl cannot find its message files, which it looks up relative to ORACLE_HOME ($ORACLE_HOME/network/mesg). Set ORACLE_HOME to the home the listener binaries belong to:

e.g.
export ORACLE_HOME=/home/oracle/11.2.0

Then start the listener if it is not running:
./lsnrctl start

Now you should be able to check the status with ./lsnrctl status and get readable output.

Sunday, November 30, 2014

export and import of OAM 11g server configuration steps


Here are the steps to export the configuration from one OAM server and import it into another.

1) Export the OAM configuration from the existing OAM server:

$ cd <FM_HOME>/common/bin
$ ./wlst.sh

wls:/offline> connect('WebAdmin','******','t3://weblogicserver:port')
wls:/<domain>/serverConfig> exportPolicy(pathTempOAMPolicyFile='/home/oracle/oam_policies.xml')
wls:/<domain>/serverConfig> exportPartners(pathTempOAMPartnerFile='/home/oracle/oam_partners.xml')

2) Transfer the exported files to the new OAM host. The partner export holds the agent (WebGate) registrations and the policy export describes your whole protection setup, so treat both as sensitive: copy them over scp or similar, keep them readable only by the install user, and delete them from both hosts once the import is done.

3) Import the OAM configuration into the new OAM server:

$ cd <FM_HOME>/common/bin
$ ./wlst.sh

wls:/offline> connect('weblogic','******','t3://servername:port')
wls:/<domain>/serverConfig> importPartners(pathTempOAMPartnerFile='/home/oracle/OAMExport/oam_partners.xml')
wls:/<domain>/serverConfig> importPolicy(pathTempOAMPolicyFile='/home/oracle/OAMExport/oam_policies.xml')

4) Restart the Admin Server and the managed servers.

Wednesday, November 26, 2014

ODSEE 11g grant read-only access to cn=config to a user or anyone

To grant read-only access to cn=config to a user, or to anyone, add the following ACI. Normally nobody but the directory administrators should be able to read cn=config: it describes the server's back-ends, plugins, replication agreements and password policy, which an anonymous client should not see. A few applications do need to read some values there, so when you must open it up, name the specific bind DN in userdn rather than "ldap:///anyone" as in the example below, which is the broadest form.

Use the command below, or add the ACI directly through the console. Supply the Directory Manager password from a prompt or a protected file rather than on the command line, where it is visible in ps output and shell history:

ldapmodify -D "cn=Directory Manager" -w <password> -p 389
dn: cn=config
changetype: modify
add: aci
aci: (target ="ldap:///cn=config*")(targetattr != "aci || connection")(versio
 n 3.0; acl "config"; allow( read, search, compare ) userdn = "ldap:///anyon
 e";)


high level backup and recovery steps for OID, OVD and OHS 10g

Backup and Recovery plan

1. OID

• Back up the OID database.
• Back up the OID file system.
• If any step fails, restore the database from that backup, and restore the OID file system from its backup as well.

2. OVD

• After the OAM-specific configuration has been loaded into OVD successfully, back up adapters.os_xml, acls.os_xml and schema.user.xml. adapters.os_xml contains the adapter bind credentials, so store these backups with the same protection as the live files.
• Take a complete file system backup of the OVD server home as a known-working copy.
• If any installation or configuration step fails, restore OVD from that backup.

3. OHS

• Take a complete file system backup of the OHS server home as a known-working copy.
• Restore OHS by overwriting the file system from that backup.


installing OHS 10g complete steps



1.1 OHS2 - v101330 (10.1.3.3.0) installation steps

1. Uncompress the installer software:
 $ cd /op/oracle/softwares/OHS
 $ cpio -idmv -R idmadm < AS101330_companionCD_sparc64_disk1.cpio

2. Go to the OHS2 installer location and run the runInstaller script:
   bash-3.00$ cd /op/oracle/softwares/OHS/Disk1/
   bash-3.00$ ./runInstaller

3. Click 'Next' on the welcome screen.

4. Provide the Oracle inventory folder path, if not the default, and the OS group that owns this OHS component.

5. The installer prompts you to run the orainstRoot.sh script as 'root'.

6. Enter the installation name and path of the OHS, e.g.
   name: ohs_as2
   path: /op/oracle/ohs_dev

7. Select the "Oracle HTTP Server with Apache 2.0" option and click 'Next'.

8. On the Port Configuration screen select 'Automatic', or, if you need specific ports, write them into a staticports.ini file, place it at <OHS_HOME>/staticports.ini and choose 'Manual'. By default OHS picks 7777 for HTTP and 4443 for SSL.

9. Click 'Install' on the summary page. The installer installs OHS into the specified <OHS_HOME>.

10. The installer prompts you to run root.sh as 'root' from <OHS_HOME>. Run it and click 'OK'.

11. The installation ends and shows the default OHS HTTP URL on the installer screen. Click 'Exit'.

12. Start the OHS server and open the URL shown on that screen.

13. If the welcome page comes up, OHS is installed successfully.

Monday, November 24, 2014

OIM 11.1.2.2.0 setting up pre-defined security questions thru design console.


I am assuming you already know how to set the system property that controls how many questions are shown (Number of Questions). Here is how to pre-define the security questions themselves.

cd to <OIM_HOME>/designconsole

./xlclient.sh

Log in as xelsysadm.

1. Click 'Lookup Definition'.

2. In the Code field enter *question* and click the search button.

3. Use the button at the top to scroll to the next result until you see Lookup.WebClient.Questions.

4. Click 'Add'; this adds one line to the Code Key table.

5. Enter all the questions you want displayed once a user logs in to OIM.

6. Click 'Save'.

7. Due to a bug you will get an error when you try to add; just ignore it, click the next button, then come back to the same page and verify that all the questions are there.

Testing

Log in to OIM: you should see all the questions if the user does not have questions set up already.

Sunday, November 23, 2014

OVD parameter vde.soTimeoutBackend to keep alive functionality

While tuning OVD's connections to OID, read the following; it helps with performance problems seen on the OVD side.

vde.soTimeoutBackend is the OVD setting that bounds how long a back-end connection may sit inactive. Without it, OVD can keep using a connection to OID (or any back-end LDAP server) that has silently died and has to wait until the OS finally reports the connection as gone, so responses are slow. The parameter is present in OVD by default and closes an inactive connection after the time it specifies. For this to work, TCP keep-alive must be enabled at the OS, because detection of the dead peer depends on the OS keep-alive settings.

Below is another parameter to consider:

<socketOptions>...
<keepAlive>false</keepAlive>
...
</socketOptions>

Turn off keepAlive. This parameter is only needed to have the OS send TCP keep-alive probes to the client, to confirm that the connection a client opened to OVD is still valid. On Linux the timing of those probes is controlled by the OS parameter net.ipv4.tcp_keepalive_time, in seconds.

If you would rather rely on the OS keep-alive settings alone, leave this parameter disabled.

oracle document about collecting stuck thread information at weblogic

Useful Oracle document about collecting stuck thread information in WebLogic.

This article provides information about different ways of taking Java thread dumps in a WebLogic Server environment.
Thread dumps are essential diagnostic information used to analyze and troubleshoot performance-related issues such as server hangs, deadlocks, slow-running, idle or stuck applications, slow database interactions, etc.

Different ways to take thread dumps in WebLogic Server

WebLogic Server (WLS) and Java offer several ways to generate thread dumps; they are detailed below. It is always recommended to obtain the thread dumps with operating system (OS) commands rather than through Java classes or the Administration Console, because if the server is hanging the console may not respond and you will not be able to request a dump from it.
  1. Use operating system commands to get the thread dumps when WLS has been started from a command-line script:
    • On Windows, thread dumps can be created with
      <ctrl>+<break> -- the thread dump is written to the server stdout
    • On POSIX-compliant platforms (e.g. Solaris and Linux), first identify the process ID (pid) with ps -ef | grep java, then run
      kill -3 <pid>
      Signal 3 is SIGQUIT. The dump goes to the stdout of the Java process, i.e. the terminal that started it or, under Node Manager, the server's .out file. Take several dumps a few seconds apart: one dump shows where threads are, a series shows which ones are not moving.
  2. Using beasvc (up to and including WLS 10.3.5):
    beasvc -dump -svcname:<service_name>
    • service_name is the Windows service that runs the server instance (e.g. mydomain_myserver)
  3. Using wlsvc (from 10.3.6/12.1.1):
    wlsvc -dump -svcname:<service_name>
  4. Using weblogic.WLST:
    setDomainEnv.cmd or setDomainEnv.sh depending on the OS
    java weblogic.WLST
    connect("<username>","<password>","t3://<host>:<port>")
    threadDump()
    The thread dump is written to Thread_Dump_AdminServer.txt. Note 1274713.1 covers the WLST thread dump in more detail, with examples of how to define the sleep time between dumps and the number of dumps to take.
  5. From a command line or shell, with the following command (deprecated from WLS 9.0):
    setDomainEnv.cmd or setDomainEnv.sh depending on the OS
    java weblogic.Admin <host>:<port> -username <username> -password <password> THREAD_DUMP
    The thread dump is written to the server's stdout.
  6. From the WLS Administration Console: Servers -> <server_name> -> Monitoring -> Threads -> Dump Thread Stacks. This method can produce truncated or incomplete thread dumps.
  7. From the Services Administration Tools when WLS runs as a Windows service, see Note 1348645.1
  8. Java VisualVM can also take thread dumps while applications are running; see http://docs.oracle.com/javase/6/docs/technotes/guides/visualvm/applications_local.html for details
  9. With jstack:
    jstack <pid>, or jstack -l <pid> to print additional information about locks
  10. From the JRockit command line:
    jrcmd <pid> print_threads
  11. With jcmd (HotSpot, JDK 7 and later):
    jcmd <pid> Thread.print
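Once you have the dumps, the first question is which threads WebLogic considers stuck and where they are blocked. The helper below is added here, not from the Oracle note; it reads a HotSpot-style dump from stdin and relies on two conventions: each thread starts with a line beginning with a double quote, and WebLogic prefixes stuck threads with "[STUCK]" in the thread name. The sample dump is constructed and abbreviated, not captured from a real server.

```shell
#!/bin/sh
# Summarise a HotSpot/WebLogic thread dump from stdin. Added helper, not from
# the Oracle note. Relies on two conventions: each thread starts with a line
# beginning with a double quote, and WebLogic prefixes stuck threads with
# "[STUCK]" in the thread name.

# dump_states: "<java.lang.Thread.State> <count>", one per line, sorted.
dump_states() {
    awk '/java\.lang\.Thread\.State:/ { state[$2]++ }
         END { for (s in state) print s, state[s] }' | sort
}

# dump_stuck: "<stuck thread name>|<first frame>", one per stuck thread,
# so you can see at a glance where each stuck thread is blocked.
dump_stuck() {
    awk '
    /^"/ {
        split($0, q, "\"")            # q[2] is the thread name
        name = q[2]
        want = (index(name, "[STUCK]") == 1)
        next
    }
    want && /^[ \t]+at / {
        frame = $0; sub(/^[ \t]+at /, "", frame)
        print name "|" frame
        want = 0
    }'
}

# Constructed sample dump (abbreviated; not captured from a real server).
DUMP_SAMPLE=$(cat <<'EOF'
"[STUCK] ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'" daemon prio=5 nid=0x1a2b runn
   java.lang.Thread.State: RUNNABLE
        at java.net.SocketInputStream.socketRead0(Native Method)
        at oracle.jdbc.driver.T4CSocketInputStreamWrapper.read(T4CSocketInputStreamWrapper.java:80)

"[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'" daemon prio=5 nid=0x1a2c waiting on condition
   java.lang.Thread.State: TIMED_WAITING (parking)
        at sun.misc.Unsafe.park(Native Method)

"[STANDBY] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'" daemon prio=5 nid=0x1a2d waiting on condition
   java.lang.Thread.State: WAITING (parking)
        at sun.misc.Unsafe.park(Native Method)
EOF
)

# Live use:   kill -3 <pid>; dump_stuck < <server>.out
printf '%s\n' "$DUMP_SAMPLE" | dump_stuck
printf '%s\n' "$DUMP_SAMPLE" | dump_states
```

Run dump_stuck over each dump of a series: a thread that reports the same frame every time (here a socket read inside the JDBC driver) is the one to chase, and dump_states shows whether the pool as a whole is blocked or merely idle.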

Saturday, November 22, 2014

increase the search limit at OID and OVD

Below is the command to update the OID search (size) limit:

ldapmodify -h localhost -p 3060 -D "cn=orcladmin" -q -f limitincrease.ldif -o rejects.ldif

Contents of limitincrease.ldif:

dn: cn=oid,cn=osdldapd,cn=subconfigsubentry
changetype: modify
replace: orclsizelimit
orclsizelimit: 20000

Raise the limit only as far as the application actually needs: the size limit is also what stops any client that can bind (including anonymous ones, if anonymous search is allowed) from pulling the whole directory in one query.

steps to increase the search limit at OVD

Log in to Oracle Enterprise Manager Fusion Middleware Control for OVD.

In OVDDomain > Identity and Access, click on ovd.

Oracle Virtual Directory > drop-down menu > Administration > Server Properties > General tab > change Anonymous search and Authenticated User search to 20000.

Wednesday, November 19, 2014

ldapmodify not working: LDIF format mistakes

When you run an LDIF file with a lot of attributes to load into OID and get an error you cannot explain, check the blank lines between the records you are importing and the header of each record: a blank line ends a record, so every record must carry its own dn:, changetype: and add: lines, and there must be no blank line between the add: line and the attribute value that follows it.

For example, say you are adding attributes to OID with the LDIF file below.

Wrong format

dn: cn=subSchemaSubentry
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113894.9999.1.24 NAME 'tAuthenticateUser' DESC
 'Authenticate User Flag' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE
  USAGE userApplications )


attributetypes: ( 2.16.840.1.113894.9999.1.25 NAME 'tAuthenticateCaller' DES
 C 'Authenticate Caller Flag' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-V
 ALUE USAGE userApplications )

attributetypes: ( 2.16.840.1.113894.9999.1.26 NAME 'tOneTimeTokenFlag' DESC
 'One Time Token Flag' EQUALITY caseExactMatch SYNTAX '1.3.6.1.4.1.1466.115.1
 21.1.15' SINGLE-VALUE USAGE userApplications )



attributetypes: ( 2.16.840.1.113894.9999.1.27 NAME 'tIPCheckFlag' DESC 'IP C
 heck Required Flag' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE USAG
 E userApplications )


and run the command below (-q prompts for the password rather than putting it on the command line, where ps and shell history would show it):
./ldapmodify -h qatovdx.unix.gsm.org -p 389 -D cn=orcladmin -q -v -f /tmp/oid/tattributes_withspace.ldif
ldapmodify: no attributes to change or add (entry cn=subschemasubentry )

The problem is that each attribute needs its own complete modify record (dn:, changetype:, add:), and the second, commonly overlooked mistake is a blank line between the add: line and the attribute definition, which ends the record early. (Standard LDIF, RFC 2849, also lets one record carry several operations separated by a line containing only "-", but giving each attribute its own record, as below, is the simplest fix.) The file should look like this:

CORRECT FILE format
dn: cn=subSchemaSubentry
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113894.9999.1.24 NAME 'tAuthenticateUser' DESC
 'Authenticate User Flag' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE
  USAGE userApplications )

dn: cn=subSchemaSubentry
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113894.9999.1.25 NAME 'tAuthenticateCaller' DES
 C 'Authenticate Caller Flag' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-V
 ALUE USAGE userApplications )

dn: cn=subSchemaSubentry
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113894.9999.1.26 NAME 'tOneTimeTokenFlag' DESC
 'One Time Token Flag' EQUALITY caseExactMatch SYNTAX '1.3.6.1.4.1.1466.115.1
 21.1.15' SINGLE-VALUE USAGE userApplications )

dn: cn=subSchemaSubentry
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113894.9999.1.27 NAME 'tIPCheckFlag' DESC 'IP C
 heck Required Flag' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE USAG
 E userApplications )
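Rather than discovering these mistakes from a terse ldapmodify error, you can check the file first. The validator below is added to this post and is not an OID tool: it splits the LDIF on blank lines and reports a record with no dn: line, and an add: with no attribute values behind it (which is what a stray blank line produces). The two samples are shortened from the schema LDIF above; the file names in the usage comment are the post's.

```shell
#!/bin/sh
# ldif_check: validate the record structure of a modify LDIF before feeding it
# to ldapmodify. Added helper, not an OID tool. It reads LDIF on stdin and
# reports, per blank-line-separated record, the two mistakes from the post:
# a record without a dn: line, and an add: whose values never follow
# (for instance because a blank line split them off).
# Exit status 0 = OK, 1 = errors printed.
ldif_check() {
    awk '
    function bad(msg) { errors++; print "ERROR: " msg }
    function flush() {
        if (nlines == 0) return
        rec++
        if (dn == "")
            bad("record " rec " does not start with dn:")
        else if (ct == "modify" && ops == 0)
            bad("record " rec " (" dn ") has no add:/replace:/delete: line")
        else if (ct == "modify" && adds > addsok)
            bad("record " rec " (" dn ") has an add: with no attribute values")
        nlines = 0; dn = ""; ct = ""; ops = 0; adds = 0; addsok = 0; pending = 0
    }
    /^#/ { next }                          # comment
    /^$/ { flush(); next }                 # blank line ends the record
    /^ / { nlines++; next }                # continuation of the previous value
    {
        nlines++
        if (nlines == 1) {                 # first line of a record must be dn:
            if ($0 ~ /^dn:/) { dn = $0; sub(/^dn:[ ]*/, "", dn) }
            next
        }
        if ($0 ~ /^changetype:/) { ct = $2; next }
        if ($0 ~ /^(add|replace|delete):/) {
            op = $1; sub(/:$/, "", op); attr = $2
            ops++; pending = 1; seen = 0
            if (op == "add") adds++
            next
        }
        if ($0 ~ /^-$/) { pending = 0; next }
        if (pending && index($0, attr ":") == 1) {
            if (op == "add" && !seen) { seen = 1; addsok++ }
            next
        }
        if (pending) bad("record " (rec + 1) ": expected " attr ": value, got \"" $0 "\"")
    }
    END {
        flush()
        if (errors) { print "FAIL: " errors " error(s) in " rec " record(s)"; exit 1 }
        print "OK: " rec " record(s)"
    }'
}

# Constructed samples, shortened from the post. WRONG has a value block with
# no dn: and an add: separated from its value by a blank line.
WRONG_LDIF=$(cat <<'EOF'
dn: cn=subSchemaSubentry
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113894.9999.1.24 NAME 'tAuthenticateUser' DESC
 'Authenticate User Flag' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )

attributetypes: ( 2.16.840.1.113894.9999.1.25 NAME 'tAuthenticateCaller' DESC
 'Authenticate Caller Flag' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )

dn: cn=subSchemaSubentry
changetype: modify
add: attributetypes

attributetypes: ( 2.16.840.1.113894.9999.1.26 NAME 'tOneTimeTokenFlag' DESC
 'One Time Token Flag' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
EOF
)

RIGHT_LDIF=$(cat <<'EOF'
dn: cn=subSchemaSubentry
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113894.9999.1.24 NAME 'tAuthenticateUser' DESC
 'Authenticate User Flag' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )

dn: cn=subSchemaSubentry
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113894.9999.1.25 NAME 'tAuthenticateCaller' DESC
 'Authenticate Caller Flag' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
EOF
)

# Live use:  ldif_check < /tmp/oid/tattributes.ldif && ./ldapmodify -h host -p 389 -D cn=orcladmin -q -v -f /tmp/oid/tattributes.ldif
printf '%s\n' "$WRONG_LDIF" | ldif_check
printf '%s\n' "$RIGHT_LDIF" | ldif_check
```

Gate the import on the exit status, as in the usage comment, so a malformed file never reaches the directory.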

Monday, November 17, 2014

OIM 11.1.2.2.0 customization of display message at password screen

In this post I have implemented a workaround for customizing an OIM message. The requirement was that users see a message telling them that only 3 correct answers out of 5 will let them reset their password (in a different post I describe how to set the property that allows 3 correct answers out of 5 for a password reset); you can configure any number of correct answers as your requirement demands.
This should have been possible simply by customizing the message on the password reset page, but once I changed the message I got an access denied error. This post is the workaround for that error.


1. Log in to the identity screen:
2. http://servername:port/identity/
3. Create a sandbox.
4. In the popup window enter the sandbox name.
5. Sandbox name: password_msg.
6. Save and close the popup.
7. Open another tab and enter the URL shown below:
a. http://servername:port/identity/faces/forgotpassword
8. Enter the username test and click Next.
9. Go to the first tab (identity) and click Customize.

10. Click View in the left corner and select Source.

11. It shows 2 panes on the same page.
12. Go to the forgotpassword tab and click refresh.
13. Click the message "Answer the challenge questions below with the answers you set during registration."
14. Click Edit (it opens a popup; close it).
15. Click Close (top right) to leave customization mode.
16. Go back to the identity tab and click Close again to close customization.
17. Deactivate the sandbox and export it.
18. The exported sandbox lands in your local download folder.
19. Unzip the sandbox and go to \oracle\iam\ui\unauthenticated\forgotpassword\pages\mdssys\cust\site\site\
20. Open ansChallengeQue.jsff.xml in a text editor.
21. Change
<mds:attribute name="value" value="Answer the challenge questions below with the answers you set during registration"/>
to
<mds:attribute name="value" value="Answer the challenge questions below with the answers you set during registration, only 3 correct answers will let you change the password"/>
22. Save and zip the folder under the same name, password_msg.
23. Log in to the Identity console again (if you were logged off).
24. Go to Manage Sandboxes.
25. Click the arrows >> and you will see Import Sandbox. Click it.
26. After a successful import, publish the sandbox.

Testing
Log off from the Identity console.
At the login page enter the username test and click the Forgot Password link.
Enter the username test again and click Next.
On the next screen you will see the new message (Answer the challenge questions below with the answers you set during registration, only 3 correct answers will let you change the password).


Saturday, November 15, 2014

OIM 11.1.2.2.0 enabling caching

Caching is configured in the /db/oim-config.xml configuration file, which lives in MDS, where OIM stores its configuration. You can use EM to export oim-config.xml, make the changes and import the file back.

Oracle recommends the following caching settings for better performance:
 Set caching to true (enabled="true") for all components except the following two:
 threadLocalCacheEnabled="false"
 "StoredProcAPI" enabled="false"
 Set clustered="false" for a non-clustered installation and clustered="true" for a clustered installation.


Caching changes can be made in /db/oim-config.xml using EM -> System MBean Browser -> oracle.iam ->
XMLConfig -> Config -> XMLConfig.CacheConfig -> Cache -> XMLConfig.CacheConfig.CacheCategoryConfig ->
Attributes.
Note: the change is saved into the MDS database schema used by the OIM servers, so changing it once is enough for multi-node/clustered installations.

OIM 11.1.2.2.0 performance tuning parameter in production

Please make sure to change these parameters when you install OIM in a production environment.

By default, reloading of adapters and of the plug-in configuration is enabled for ease of development. Both should be disabled in production for better performance.
This is configured in the /db/oim-config.xml configuration file, which lives in MDS, where OIM stores its configuration.

To do so:
 In the oim-config.xml file, replace the following for adapters:
 <ADPClassLoaderConfig adapterReloadingEnabled="true" loadingStyle="ParentFirst"
reloadInterval="15" reloadingEnabled="true">

 With:
 <ADPClassLoaderConfig adapterReloadingEnabled="false" loadingStyle="ParentFirst"
reloadInterval="15" reloadingEnabled="false">


 Replace the following for plug-ins:
 <storeConfig reloadingEnabled="true" reloadingInterval="20"/>
 With:
 <storeConfig reloadingEnabled="false" reloadingInterval="20"/>
 Save the oim-config.xml file and import it back to MDS.

NOTE: Changing this value gets saved into MDS database schema used by the OIM servers. So changing it
once is good enough for multi node/Clustered installations

JVM performance tuning increasing heap size process

If you see performance issues in OIM and they are mostly due to the JVM, tune these parameters.

It is recommended to increase the heap and permgen memory for production environments as below and
monitor the memory usage pattern. Based on the usage, you can increase or decrease the memory settings.

To change the JVM memory settings:
1. If your OIM version is 11.1.2.1.0 or above, use DOMAIN_HOME/bin/setOIMDomainEnv.sh
(Unix) or setOIMDomainEnv.cmd (Windows). Otherwise continue to use
DOMAIN_HOME/bin/setSOADomainEnv.sh (Unix) or setSOADomainEnv.cmd (Windows) to
change the heap size settings.
2. Change the value of DEFAULT_MEM_ARGS and PORT_MEM_ARGS from the default and save.
3. Restart the OIM server.
Note: for a clustered or multi-node installation this has to be repeated in every install location, because the file lives on each node's file system (unlike the oim-config.xml changes above, which are stored once in MDS).

Note:
setSOADomainEnv.sh has this value by default:
DEFAULT_MEM_ARGS="-Xms512m -Xmx1024m"

Xms --> initial heap size
Xmx --> maximum heap size

Permgen is set separately with -XX:PermSize and -XX:MaxPermSize (HotSpot, JDK 7 and earlier). In production it is common to set Xms equal to Xmx so the heap does not have to grow under load.


login to OAM 11gR2 failed because the OVD database adapter account is locked

The OAM logs show this error while trying to log in to the OAM console:

User <anonymous>
Thread ID [ACTIVE].ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'
ECID 0051wdyO4FUFw0ULy6^AyW0004B50000jk
Message Could not get user : eidmhptest6, idstore: OVDStore, with exception: oracle.security.idm.OperationFailureException: javax.naming.NamingException: [LDAP: error code 1 - LDAP Error 1 : Error Communicating with database: ORA-28000: the account is locked

Solution:
Check the OVD diagnostic logs; you will see the following error:

 [ERROR] [OVD-60160] [com.octetstring.vde.backend.db.ICS DB Adapter.BackendDB] [tid: 45] [ecid: 0051wi9gUchFw0ULy6^AyW0004B500017g,0:2:3] [URI: /oam/server/auth_cred_submit] Failure in loading database metadata [#IACS DB Adapter] .[[
java.sql.SQLException: ORA-28000: the account is locked

ORA-28000 means the database account that the "ICS DB Adapter" binds with is locked, not that its password has expired (that would be ORA-28001). An account is usually locked by repeated failed logins, typically because the password was changed in the database but the adapter still holds the old one, so every OVD connection attempt counts as a failed login.

The adapter configuration is in
$ORACLE_INSTANCE/config/OVD/ovd1/adapters.os_xml

Have the DBA unlock the account (and confirm in dba_users.account_status), update the adapter's password through ODSM or Fusion Middleware Control so the stored value is written in its encrypted form, and restart OVD; login should then work. If the adapter is left with the wrong password the account will simply lock again.

weblogic start error. delete LDAP tmp folders

<Store> <BEA-280060> <The persistent store "_WLS_wls_ods1" encountered
a fatal error, and it must be shut down:
weblogic.store.PersistentStoreFatalException: [Store:280105]The
persistent file store "_WLS_wls_ods1" cannot open file
_WLS_WLS_ODS1000000.DAT.

Reason and Solution:
This error appears when WebLogic was not stopped completely and you start it again: the previous JVM still holds the lock on the file store's .DAT file (under servers/wls_ods1/data/store/default), or the files it left behind are stale. First confirm that no old server process is still running (ps -ef | grep wls_ods1, or lsof on the .DAT file) and stop it if it is. The fix that works here is to delete the tmp, ldap and cache directories under the server directory and restart the WebLogic server.

Two cautions before deleting anything. The ldap directory is the embedded LDAP: on a managed server it is a replica that is rebuilt from the Admin Server, but on the Admin Server it is the master copy of the default security realm (users, groups, policies), so there take a backup rather than deleting it. And the file store itself holds any persisted JMS messages and the transaction log for that server, so remove it only if you can afford to lose them.

Next time, make sure the server has stopped completely before making any changes and restarting it.