Monday, October 1, 2012

OAM-OIM Integration Note for 11GR2

Recently, while integrating Oracle Access Manager (OAM) and Oracle Identity Manager (OIM) 11g Release 2, I ran into some issues which I want to highlight in this post.


Documentation Reference: 


First of all, I would like to refer to the current document for this integration, the “11GR2 Integration Guide for Oracle Management Suite”. It can be found at http://docs.oracle.com/cd/E27559_01/integration.1112/e27123/oim.htm#CACJDIDD.

It is worth mentioning that if you look for the integration reference from the Identity Manager guide (http://docs.oracle.com/cd/E27559_01/admin.1112/e27149/int_oimcomp.htm#BABFIHIG), it will refer you to the 11GR1 documentation, so be careful to identify the correct and current location for the integration.


Note about Pre-requisites:


Now, I will highlight some important pre-requisites:

Firstly, as we all know, this integration requires LDAP Synchronization to be enabled in OIM. It is therefore good practice to select Enable LDAP Synchronization while configuring OIM and follow the steps for the LDAP directory you want to use. Although post-installation enablement of LDAP Synchronization has been supported since the 11g R1 release, it is a tedious process.

Secondly, when you try to reset a user password, you will see an error message like the following in the OIM server log:

oim_server1-diagnostic.log:LDAP Error 65 : [LDAP: error code 65 - Failed to find orclpwdexpirationdate in mandatory or optional attribute list.] [Root exception is  oracle.ods.virtualization.service.VirtualizationException: oracle.ods.virtualization.engine.util.DirectoryException: LDAP Error 65 :[LDAP: error code 65 - Failed to find orclpwdexpirationdate in mandatory or optional attribute list.]] 

To work around this issue, change the backend ID Store schema as follows.

(a) Create a new attribute type with the following:

                  i.     Name: orclPwdExpirationDate
                 ii.     Object ID: 2.16.840.1.113894.200.1.7
                iii.     EQUALITY: caseIgnoreMatch
                 iv.     SYNTAX: DirectoryString
                  v.     SINGLE-VALUE, USAGE userApplications


(b) Also modify the orclIDXPerson object class to include orclPwdExpirationDate as an optional attribute.

The above note can be found in the Release Notes for 11g R2, but it is worth repeating here.
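As an added example (not from the original post), the following shell helpers prepare the two schema changes above as LDIF and apply them with ldapmodify. It assumes the backend ID Store is Oracle Internet Directory or another directory that publishes an editable schema at cn=subschemasubentry, that an object class is re-submitted as one whole definition, and that the current orclIDXPerson definition is first read back with an ldapsearch of that entry. LDAP_HOST, LDAP_PORT, BIND_DN and BIND_PW are placeholder variables, and the object class OID 1.2.3.4 used in the comments and checks is a constructed placeholder, not the real one.

```shell
#!/bin/sh
# Added example, not from the original post. Builds the LDIF for the two schema
# changes described in the post and applies it with ldapmodify.
# Assumptions (labelled): the ID Store publishes its schema at
# cn=subschemasubentry (true for Oracle Internet Directory); an object class is
# re-submitted as one whole definition with "replace: objectclasses"; LDAP_HOST,
# LDAP_PORT, BIND_DN and BIND_PW are placeholders you set for your directory.

# Step (a): the attribute type exactly as the post specifies it. DirectoryString
# is syntax OID 1.3.6.1.4.1.1466.115.121.1.15.
attr_type_ldif() {
  cat <<'EOF'
dn: cn=subschemasubentry
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113894.200.1.7 NAME 'orclPwdExpirationDate' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE USAGE userApplications )
EOF
}

# Step (b) helper: given one object class definition (as read back from the
# schema entry, on a single line) and an attribute name, print the definition
# with that attribute appended to its MAY list. Handles "MAY ( a $ b )", the
# bare single-attribute form "MAY a", and a definition with no MAY list at all.
add_optional_attr() {
  def=$1; attr=$2
  case $def in
    *"MAY ("*|*"MAY("*)
      printf '%s\n' "$def" | sed -e "s/MAY[[:space:]]*(\([^)]*\))/MAY (\1\$ $attr )/" ;;
    *"MAY "*)
      printf '%s\n' "$def" | sed -e "s/MAY[[:space:]]*\([A-Za-z][A-Za-z0-9;-]*\)/MAY ( \1 \$ $attr )/" ;;
    *)
      printf '%s\n' "$def" | sed -e "s/[[:space:]]*)[[:space:]]*\$/ MAY ( $attr ) )/" ;;
  esac
}

# Step (b): wrap the updated definition in an LDIF that replaces the object class.
objectclass_ldif() {
  printf 'dn: cn=subschemasubentry\nchangetype: modify\nreplace: objectclasses\nobjectclasses: %s\n' "$1"
}

# Apply LDIF read on stdin. Connection values are placeholders (3060 is the
# OID default non-SSL port); BIND_PW must be set in the environment.
apply_ldif() {
  ldapmodify -h "${LDAP_HOST:-oid.example.invalid}" -p "${LDAP_PORT:-3060}" \
             -D "${BIND_DN:-cn=orcladmin}" -w "${BIND_PW:?set BIND_PW first}"
}

# Usage:
#   1. attr_type_ldif | apply_ldif
#   2. read the current orclIDXPerson definition from cn=subschemasubentry with
#      ldapsearch into $current (unfold it to one line if your client wraps), then
#      objectclass_ldif "$(add_optional_attr "$current" orclPwdExpirationDate)" | apply_ldif
```

Re-submitting the whole object class is deliberate: a MAY list cannot be edited one attribute at a time, so the helper takes the definition the directory currently holds and returns it unchanged apart from the appended attribute, which keeps any other optional attributes your installation already relies on.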


An important documentation miss:


Now, let me highlight an important miss in the 11GR2 documentation.
In Section 7.6, before running idmConfigTool, you should generate wlfullclient.jar; otherwise idmConfigTool will not be able to connect to the database and you will see the following error:

SEVERE: Error while seeding configuration in oim-config.xml
Sep 28, 2012 6:36:34 PM oracle.iam.sso.config.io.MsgLogger logError
ALL: Error while seeding configuration in oim-config.xml
oracle.mds.exception.MDSRuntimeException: MDS-00003: error connecting to the
database
Unable to start the Universal Connection Pool:
oracle.ucp.UniversalConnectionPoolException: Error during pool creation in
Universal Connection Pool Manager MBean:
oracle.ucp.UniversalConnectionPoolException: Error during pool creation in
Universal Connection Pool Manager: java.sql.SQLException: Invalid Universal
Connection Pool configuration: java.sql.SQLException: Unable to create factory
class instance with provided factory class name:
java.lang.ClassNotFoundException: oracle.jdbc.pool.OracleDataSource


To generate wlfullclient.jar, do the following:

 i.     Navigate to the MW_HOME/wlserver_10.3/server/lib directory
ii.     Then run: java -jar wljarbuilder.jar

The above is mentioned in the 11GR1 documentation but has been omitted in 11GR2 for some unknown reason. There are also some other points to be noted under this section:

  • The value for DOMAIN_LOCATION given in the sample OIMconfigPropertyFile can confuse users and should be corrected. A typical value for DOMAIN_LOCATION is: /home/oracle/Oracle/Middleware/user_projects/domain/oamdomain
  • It says “Set OAM_SERVER_VERSION to 10g if using a 10g Webgate”; it should say “Set OAM_SERVER_VERSION to 10g if using a 10g OAM Server, otherwise set it to 11g if using an 11g OAM Server”.

In Section 7.7: in the sample mod_wl_ohs.conf, the WebLogicPort directive for most of the Locations is incorrectly given as:
“WebLogicPort <OAM managed server host>”

It should read:
“WebLogicPort <OAM managed server port>”
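As an added example (not from the post or from Oracle's documentation), here are two small shell helpers around that mod_wl_ohs.conf mistake: a generator that only ever writes a numeric WebLogicPort, and a lint that reads a conf file and flags any WebLogicPort directive whose value is not a port number, which is what you get when the sample's placeholder text or a host name is copied into it. The Location path, host name and port in the usage are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the post or from Oracle's documentation. Helpers for
# the WebLogicPort host/port mix-up in the sample mod_wl_ohs.conf.
# Location paths, host names and ports are constructed placeholders.

# Print one <Location> block that proxies a path to a WebLogic managed server.
# Refuses to emit a block whose port is not a number, so the host/port
# mix-up cannot be reproduced from here.
wl_location() {
  path=$1; host=$2; port=$3
  case $port in
    ''|*[!0-9]*) echo "wl_location: port '$port' is not numeric" >&2; return 1 ;;
  esac
  printf '<Location %s>\n' "$path"
  printf '    SetHandler weblogic-handler\n'
  printf '    WebLogicHost %s\n' "$host"
  printf '    WebLogicPort %s\n' "$port"
  printf '</Location>\n'
}

# Read a mod_wl_ohs.conf on stdin and print (with line numbers) every
# WebLogicPort directive whose value is not a plain port number; this checks
# the shape only, not the 1-65535 range. Returns 0 when clean, 1 otherwise.
lint_wl_ports() {
  bad=$(grep -n 'WebLogicPort' | grep -v -E 'WebLogicPort[[:space:]]+[0-9]+[[:space:]]*$' || true)
  if [ -n "$bad" ]; then
    printf 'bad WebLogicPort directive(s):\n%s\n' "$bad" >&2
    return 1
  fi
  return 0
}

# Usage:
#   wl_location /oam oam.example.invalid 14100 >> mod_wl_ohs.conf
#   lint_wl_ports < mod_wl_ohs.conf
```

Running the lint over the file before restarting OHS turns a silent misrouting (a Location that proxies nowhere) into an explicit failure with the offending line number.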


A Reminder about OAM ID Store:


Before concluding this post, I would like to reiterate that the Identity Store in OAM needs to be configured correctly for SSO to work. Some salient points to take care of are:

Before trying the integration, the Identity Store for Oracle Access Manager needs to be set correctly so that it points to the right ID Store. The configuration of the LDAPScheme (the default authentication scheme protecting the /identity and /sysadmin resources) should also refer to the same ID Store.

If users are created from OIM, depending on the schema it may happen that they are created in a separate container, not the one defined as the user search base in the OAM Identity Store configuration. In that case the user search base needs to be modified.
