Thursday, December 19, 2013

OIM ICF based connector filter error

Recently, I was helping a customer in an OIM project go live when we ran an “Active Directory User Target Recon Job” with an AD Connector ( and a regular expression filter to select just a subset of users.

To our surprise, every time we executed the job, we got a strange error:

(class: org/codehaus/groovy/runtime/ArrayUtil, method: createArray signature: ()[Ljava/lang/Object;) Illegal type in constant pool.

Friday, December 13, 2013

OAM WebGate connections through firewalls

In this post, we investigate a complication that can occur if you require a firewall between your WebGate agents and your OAM 11g servers within your deployment topology. We provide some guidance related to how to configure your WebGates in this case. This post is part of a larger series on Oracle Access Manager 11g called Oracle Access Manager Academy. An index to the entire series with links to each of the separate posts is available.

Wednesday, December 11, 2013

How to (correctly) make manual edits to oam-config.xml

Occasionally, it is necessary to make changes to OAM 11g configuration by directly updating the oam-config,xml file, rather than using the OAM console.  In this post, we describe the correct way to make changes to this file. This post is part of a larger series on Oracle Access Manager 11g called Oracle Access Manager Academy. An index to the entire series with links to each of the separate posts is available.

Monday, November 25, 2013

Where has your LDAP connection pool gone?

You have deployed Oracle BPM and decided to run some load tests against it. You're concerned, among other things, about the behavior of your backend LDAP server under peak times, whether it's going to be able to handle the load or not. You check the security providers settings in Weblogic Server and see you have an LDAP Authenticator (or some specialization, like OVD Authenticator, for instance) with an ldap pool size set to 50 connections. But your test reveals that many more than 50 connections gets open in your LDAP server. You change that number, redo your tests, but the behavior doesn't change at all. Then you get worried about the LDAP connection handling performed by the Weblogic authenticator.

This post is to tell you, as far this scenario goes, there's nothing wrong with it. In fact, for this specific scenario, you're looking at the wrong place for your connection pool settings.

Oracle BPM, as well as SOA, WebCenter, UCM (Universal Content Management), IPM (Imaging Processing Management) and others use something called User/Role API to communicate with LDAP stores. Whenever these components need to assert a user identity or query user/group/attribute information, they go through User/Role API. It is an abstraction built on top of JNDI to ease the access to Directory servers. You can connect to any LDAP server supported by WLS authenticators and use the very same set of APIs to retrieve and write data without having to resort on JNDI, regardless of the LDAP server you connect to.

Monday, October 14, 2013

Webgate Reverse Proxy Farm

Some of our larger deployments are seeing the benefits of centralizing their Webgate deployments onto a server farm. This post discusses some of the architecture and recommendation when deploying such an architecture.

First, what is a Webgate farm or Webgate Reverse Proxy farm? A Webgate farm is:
  • A series of web servers that are clustered on the basis of their protected applications.
  • These servers protect the same set of applications. It is not unheard of to create multiple farms for different sets of applications, say internal/external applications.
  • This architecture acts as a reverse proxy to back end applications.


Some things to consider when deploying this architecture:
  • Which team manages the proxy farm? Will it be the Security team or maybe the infrastructure team. Working knowledge of the farm infrastructure as well as proxy configuration is crucial.
  • Web server type. Any web server that WebGate supports will work. Many of our customers use Oracle HTTP Server (OHS) or Apache which has good support for virtual hosting and reverse proxy configuration.
Some benefits in deploying a centralized Webgate farm:
  • Adding patches/upgrading is easier knowing where the servers are as opposed to the application owner; Security team may not have access.
  • Adding more servers and/or upgrading servers is easier in a clustered environment.
  • Aside from Web-Gates protecting applications, the web server reverse proxy configuration defines which applications to expose. This provides additional security preventing inadvertent access.
Configuration considerations:
  • Use a single Web-Gate profile for all servers in the farm. It is highly recommend that you use a single Webgate profile for all servers on the farm; otherwise you may see cookie decryption errors if the load balancer is not configured correctly.
  • Use 'SERVER_NAME' for the preferred host value when using Apache/OHS and use 'HTTP_HOST_HEADER' for all other web servers. This is used for virtual hosting.  For more info on Host IDs take a look at this post.

Use Case: Internal/External Webgate Scenario

Let's say you have an internal facing application where both internal and external users are allowed access.  Well the easiest implementation is to only allow access through the DMZ.  This means that internal users must go back out to the DMZ to gain access.  Done.

Now let's say the requirement is that internal users must access the site internally and external users through the DMZ.  In 10g it was relatively easy to set this up (see diagram below).  All that was needed is two sets of Webgates; one within the DMZ and a second internally.  Once authenticated the ObSSOCookie is easily consumed by any of the Webgates shown below; as long as the same OAM infrastructure supported both internal and external users/applications.
In 11g, the cookie model is quite different as you an read here.  Supporting the above use case will not work out-of -the-box; nor is it recommended.  However it can be done with some caveats:
  • Set a user defined parameter in the Webgate configuration, filterOAMAuthnCookie=false
  • The Webgate profile for all Webgates depicted must be the same.
By default, the OAM_Authn cookie will not be passed along in the HTTP payload for security reasons; however, setting the parameter 'filterOAMAuthNCookie' to 'false' removes this condition.  Also keep in mind that the Webgate profile must be the same for both sets of Webgates in order for Single-Sign-On (SSO) to work.  This may not be feasible depending on your topology/requirements.

The recommended approach in 11g is to create a new end-point for the application.
Notice the distinction, we again decouple the Webgate from the application and create another Webgate Proxy farm (internally).  Why?  In 10g it was feasible for the Webgate plug-in to reside on the same web server as the application; it was also possible to have a single transaction going through two Webgates.  In 11g, this is not recommended; a single transaction should never pass through two Webgates.

Thursday, September 19, 2013

A first look at POST data preservation in OAM 11g R2 PS1

In this post, we have a quick look at POST data preservation, a new feature introduced in the 11g R2 PS1 (or version of Oracle Access Manager. We'll explain the problem that this feature solves and walk through a simple example explaining how to configure and use the feature. This post is part of a larger series on Oracle Access Manager 11g called Oracle Access Manager Academy. An index to the entire series with links to each of the separate posts is available.

Tuesday, September 17, 2013

Part 1: How To Load Test OAM11g using Apache JMeter

Exciting, it is Go Live day, the system goes online, everything seems ok for a while, and then Kerplunk!  Thousands of things could have happened and everyone scrambles to figure it out.  What went wrong?   My first question is, “Was a proper load test completed?”  Yes, Load Test.  Functionally the software may have worked, but under a heavy load issues can start bubbling up.  If you have been there like I have many times you know what I am talking about.  Situations like this could be avoided? 

This is where this article comes in.  I have learned the hard way that load testing can provide a lot of great feedback to determine issues whether it be the software, the design, the deployment, or the architecture.  The bottom line is if you do not have fancy software like HP Load Runner, the poor mans version, Apache JMeter, can come to the rescue.  JMeter is FREE, well documented (As much as any other software at least), and there are tons of blogs and articles on JMeter since it has been around for quite a while.  JMeter can also do much more beyond HTTP type of load testing.  I would love to cover even more about JMeter, but unfortunately I have to focus this article to a basic load test that works with OAM11g.   Minimally, I hope this article at least gets you started and even excited to learn more about this great tool.

Monday, September 9, 2013

OIM Reset Password Customization Example

Out-of-the-box, the OIM reset password functionality is available to system administrators, and to delegated administrators who have administrative privileges on users’ accounts and have the ‘reset password’ privilege assigned to them. The data of the user who is having his/her password reset plays no role on how this functionality is presented to delegated administrators.

This post shows a way of having password reset functionality behaving differently depending on the end user data. This post is another post of the OIM Academy series, to check the series click here.
Before going further, it is important to mention that there is a need to first understand the OIM UI customizations concepts. Apart from the OIM documentation available here, you can also check this example and this post.

Tuesday, August 13, 2013

OIM 11g R2 Delegated Administration Model – Sample implementation (Part II)


This article is the continuation of Part I which describes the architecture of a Solution that addresses the requirements of a Sample Use case described later.

In Part I, some key concepts were discussed. Below is a list of topics introduced in Part I of this post:

·         Scoped Administrative Roles

·         Access Policies

·         Disconnected Application Instance

·         Entitlements

This list is intended to serve as a reminder to the audience of the concepts comprising the foundation of the proposed solution.

This post will focus on the following use case:

A Real-Estate Company needs to implement a Provisioning solution to control access to the company's applications. Users log in to an application and are granted access to the application’s features based on group memberships in LDAP groups.

The company has hundreds of LDAP groups controlling what users can do within applications; individual assignment of those entitlements would be highly impractical.

In addition, the company is about to complete three acquisitions and needs to be able to quickly incorporate the new assets to the provisioning framework and start controlling access grants for the new employees coming over from the acquisitions. This is very complex to achieve since the acquired companies have their own directories which will not go away overnight.

Part III will provide the step by step instructions on how to address the requirements.

Thursday, August 8, 2013

The importance of "orclguid" in Oracle Virtual Directory

This post will discuss the steps to configure the orclguid within Oracle Virtual Directory (OVD).  It is especially important when integrating OVD with Oracle Access Manager (OAM) and Weblogic Server (WLS).  I see many customers omitting this configuration which leads to errors in OAM.  


All Lightweight Directory Access Protocol (LDAP) repositories contain a global unique identifier (guid) for every entry.  OVD is no different; it also has a guid object called the orclguid.  When configuring OVD with LDAP repositories it is important to map the LDAP's guid object with Oracle's guid object.  This however, is not configured by default.  In order to do this you will need to configure the VirtualAttribute plug-in for your adapter.

For more information please take a look at the OVD plug-in section in the documentation.

Forgetting this step may cause errors with respect to a) Authentication Failures and b) Identity propagation. For example, in Active Directory (AD) the guid object is called objectGuid, if this is not mapped to an orclGuid you will have issues when trying to propagate the users identity.

High-Level Steps

Once you have determined what the guid object is for your back-end LDAP repository, you will need to use the VirtualAttribute plug-in to map the two attributes. In our example above, the mapping will take the form: 


where objectguid is the guid object for AD.

If you have multiple LDAP back-ends, then you will need to configure the VirtualAttribute plug-in for each one.  Below are some screen shots that shows where you need to configure the plug-in.

Select the plug-in tab within the Adapter configuration...

Create a new Virtual Attribute plug-in with the parameters shown...

The OVD Provider in WLS, the 'orclguid' is already set as the GUID Attribute.   If not, make sure that the value of 'orclguid' is listed as below...

That's it!  The 'orclguid' will now be passed to OAM/WLS for each object with OVD.

Monday, August 5, 2013

Creating a Custom OVD Plugin

1. Introduction

In a recent engagement, I worked with a customer that had a business requirement where they needed to create and expose to their application two computed LDAP attributes, based on the value of an existing attribute.

For instance, let’s say the original attribute is "myCorpID" and its value could be something like "23451588-IT Specialist".

The requirement is to have two new defined attributes: "jobCode" and "jobTitle", that would have values "jobCode=23451588" and "jobTitle=IT Specialist".

To achieve this we would use OVD, which was already in place to virtualize different LDAP directoriess and databases.

OVD does not come with functionality out of the box to implement this requirement but does allow you to write custom plugins, where you can extend the capabilities of OVD to include requirements such as the one my customer had.

This post shows how to develop a custom OVD plug-in.

This plug-in reads a LDAP Object’s attribute value, splits the value in two, using a delimiter, and creates two new attributes with values assigned from the split operation.

Though this is a very simple requirement, and in fact my customer requirements were more complex than that, it can be used as a starting point to develop different use-case needs.

This plug-in is designed to work with a LDAP Adapter, and will run it’s logic for each LDAP "get" operation, before handing the result back to OVD.

The plug-in is flexible enough to work with any LDAP "objectClass" that has an attribute of String data type with a pattern delimiter that can be split in two.

Wednesday, July 24, 2013

Long-lived TCP connections and Load Balancers

I've talked about the subject of long lived TCP connections and load balancers for years, explaining to people why they may not need or want to use a load balancer between two servers. Each time I explain it I remind myself that I should probably write it down so I can just point to the URL.

So today is the day that I write it down for you.

Wednesday, July 17, 2013

OIM 11g R2 Delegated Administration Model - Sample implementation (Part I)


It is a very common requirement from customers to have a delegated administration model that is not tied to the organizations where the administrators are placed.
Historically, OIM only supports a one-to-one relationship between Users and Organizations. However, starting with OIM 11g R2 and the introduction of the Catalog, it is possible to publish resources to one or more Organizations.
This allows to limit the visibility of the resources to only the users who need them. However, OIM 11g R2 also provides the mechanisms to delegate the administration of Users, Organizations and Resources to specific users regardless of the Organization to which those users belong.
This article describes an approach that can be used to implement a Provisioning Solution powered by OIM 11g R2 that is not necessarily tied to an organization-centric model. The intent of this design is to show our readers how to leverage the advanced features of OIM 11g R2 to implement Delegated Administration Models that are resource-centric and not organization-centric.

Monday, July 15, 2013

OAM 11g Custom Authentication Plugins: Interacting with the Identity Store

The OAM 11g release includes a powerful authentication plugin framework, which can be used to extend the out-of-the-box authentication schemes, or to implement something completely custom. In this post, we explore how an authentication plugin can interact with the underlying LDAP Identity Store, via a simple example. This post is part of a larger series on Oracle Access Manager 11g called Oracle Access Manager Academy. An index to the entire series with links to each of the separate posts is available.

Wednesday, July 3, 2013

OAM 11g: The Policy migration Strategy

The purpose of this post is to provide some tips when planning a policy migration from Oracle Access Manager (OAM) 10g to OAM 11g.  Before you begin, I recommend that you install the latest Bundle Patch (BP).  At the time of this writing, the latest BP for OAM 11gR2PS1 is patch 16872730.  Installing this patch will save you lots of time as there has been a few important bugs fixed in this release.  Secondly, take a look at the documentation link here; within the document take note of Table 11-1.  The table the describes what artifacts are compatible from OAM 10g.

The first step is to run a policy migration report on the OAM 10g artifacts.  This report will display all artifacts along with the compatibility mode.  The modes are COMPATIBLE, INCOMPATIBLE, INCOMPATIBLE WITH LESS FEATURES and IGNORE.  The documentation goes over these modes in more details and the report will give you an idea on how much of manual changes you will need to make in your new OAM 11g environment.  The more of the INCOMPATIBLE type modes could mean more manual changes.  The report file can be huge depending on your data set; however, the file itself has a lot of blank spaces due to formatting of the data.  I recommend that you replace say two blank spaces for one in your favourite editor.  This should make it easier to read the file.
Here is a small sampling of the file.

I added a single line for each artifact type:

Artifact TypeArtifactDetailsCompatibilityMessage
DATA,, Port:3060 COMPATIBLEThe data store LDAP entry name will be modified to
AUTHENTICATION SCHEMES10g AuthenticationDescription: Migrated: 10g Authentication scheme.COMPATIBLE_WITH_ LESS_FEATURESSome of the challenge parameters will not be migrated. Post migration actions will be required to modify the authentication scheme as per Oracle Access Manager 11g. Missing challenge parameters are: [name: form ,value: /login.htm, name: creds ,value: userid password domain authtype customPlugin, name: action ,value: /access/login.cgi, name: path ,value:/
HOST IDssourceHostIDHost:Port
POLICY DOMAINOblix::Resources/identity IGNORE

There are three modes of execute for the migration tool; these are COMPLETE, INCREMENTAL and DELTADELTA mode is new in PS1 and is not the same as INCREMENTAL.  When planning your policy migration strategy one of the things you will need to decide is whether you are planning to co-exists with OAM 10g.  If so, the policies in OAM 10g may change and you may need to push changes to your new OAM 11g environment.  The DELTA mode is used in this scenario.  INCREMENTAL mode is used when you only want a sub-set of the artifacts from 10g.  Keep in mind that if you migrate single policy domain, all dependencies for that policy domain will also be migrated.

Once you have evaluated the report, the next step is to prep your OAM 11g environment.  Now, I have never seen a migration attempted only once.  Undoubtedly, you may need to run the migration tool multiple times due to testing/issues etc.  Running the tool multiple times for the same data set against the same 11g environment is not recommended.  Even if you remove all the data from the 11g environment, you may still see some unintended side effects.  My recommendation is to make a clean back-up of the environment.  Once you have installed OAM 11g (including the patch), make a back-up if the domain home directory.  You may also need to modify the script to increase the JVM heap size as described here in section 11.17.2.

If the migration fails or has issues, here are the steps to get back to a clean state:
1) Shutdown the Weblogic Admin server.
2) Drop and create the OAM 11g Schema using Repository Creation Utility (RCU).  Make sure you create the schema using the same schema name and password.
3) Remove the domain home directory and recover by copying the back-up directory.  If you changed the JVM properties,  make sure the changes exists after you copied from the back-up directory.
4) Run the script to re-associate OAM to the database policy store.

This will allow you to quickly re-run the migration tool against the same domain you initially created.  Instructions for running the migration script is documented here.   Depending on your data set; the actual policy migration could take hours.  Running the script again without following the steps I outlined above will more than likely waste more of your time.  Trust me.

Tuesday, July 2, 2013

A checklist for OIM go-live

This post presents a list of configuration points in OIM that must be taken into account whenever a customer is planning an OIM go-live. This list is not intended to replace the OIM documentation, instead, the idea is to complement it. It provides tips on a few topics that are not part of the documentation.

Let's go for them:

Monday, July 1, 2013

Announcing the A-Team Chronicles

I’m pleased to announce the launch of the A-Team Chronicles. This is a new website that will host blogs and other content from the whole A-Team including experts focused on JAVA, WebLogic, Coherence, WebCenter, AIA, SOA, Fusion Apps, and of course the Identity Management posse that you’ve come to know and love.

On the A-Team Chronicles you can find all the articles we post here and much more.

All the Identity Management and Middleware Security content that you are used to seeing on this site can be found at this link:

There is an RSS category for the same content that can be found here:

There are additional RSS feeds and sub category pages for access management, identity governance, directories, and platform security. That being said, I heavily encourage you to subscribe to the base Identity Management category.

For you twitter users, our existing twitter feed has already begun to publish links to articles on the A-Team Chronicles.

We hope you enjoy the site! Drop us a line and let us know what you think.

Monday, June 17, 2013

Loading unique passwords with OIM bulk load

Using Oracle Identity Manager's bulk load tool is a great way to load large numbers of user records into OIM in an efficient and performant way. The standard and documented usage of the tool does not make provision for the loading of unique user passwords, though. This article describes an approach that can be used to achieve that requirement. This post is also part of the OIM 11g Academy Series.

Friday, June 14, 2013

Part 4: Kerberos Authentication, RBAC and SAML identity propagation in OAG

This post is the fourth and last post of a series by Andre Correa and Paulo Pereira on OAG (Oracle API Gateway).

In the first post we introduced the use case and talked about the Kerberos authentication part.

In the second post we talked about Role Based Access Control.

In the third post, we described how to propagate the authenticated user through a SAML token and also covered OWSM configuration in OSB and SOA.

In this post we talk about the client, how we actually submit a Kerberos token along with our request to OAG.

In the first post, we said (verbatim):

“Perhaps the most challenging part was the test client. Supporting Kerberos was a must. Our first and natural attempt was OAG’s API Explorer (formerly OEG Service Explorer). After numerous attempts, configuration changes everywhere, we came to the the conclusion that it simply does not support the SPNEGO protocol properly. In summary, it seems that it doesn’t honor the second leg of the protocol, i.e., after receiving a “WWW-Authenticate: Negotiate” HTTP header in the response, it does not resubmit the request along with the Kerberos token. And we also did not find a way to bypass SPNEGO and submit the Kerberos token directly. The free version of SOAP UI also failed.

Fortunately, via Prasad’s blog post, we came to know a .Net-based tool called WCFStorm-lite, dead simple, that just works. However, another requirement for this exercise was to show test automation best practices. So the client tool should ideally have scripts capabilities, allowing for the client integration into an ANT build script, for example. WCFStorm-lite has some scripts capabilities, but we did not go any further in looking at them, because almost at the same time we got to know Apache CXF’s support for Kerberos.

That basically put an end to our research. What could be better than simply writing a piece of java code? At the heart of Apache CXF’s framework are what they call interceptors, which are basically web services handlers. An inbound interceptor is attached to a web service and processes the message before service invocation. An outbound interceptor is attached to a web service proxy and process the message as it leaves the client. An out-of-the-box Kerberos interceptor interfaces with the KDC, gets a Kerberos token and attaches it to the request before sending it out to the web service (in our use case, a web service exposed by OAG).”

Very well, let’s talk about how to configure a Kerberos Outbound Interceptor in Apache CXF.

Thursday, June 13, 2013

Part 3: Kerberos Authentication, RBAC and SAML identity propagation in OAG

This post is the third one of a series by Andre Correa and Paulo Pereira on OAG (Oracle API Gateway).

In the first post we introduced the use case and talked about the Kerberos authentication part.

In the second post we talked about Role Based Access Control.

In this one we describe how to build a SAML token out of the authenticated user and sign it so it properly interoperates with an OWSM server-side policy applied to OSB proxy service. We also cover the necessary OWSM configuration in OSB and SOA. As a reminder, a typical request in our exercise flows through OTD -> OAG -> OTD -> OSB -> OTD -> SOA -> Stub server, and we're required to keep the user identity all the way up to the Stub server.

Now we're specifically talking about the third policy in our overall circuit:

'Add SAML token policy' is as simple as:

We first add the SAML token (using the Insert SAML Authentication Assertion filter), then we sign it (using the XML Signature Generation filter). Let's look at each filter in detail.

Monday, June 3, 2013

OIM 11g R2 Performance Patch

Oracle has released a set of patches to address some performance issues in OIM 11g R2 self-service interface. Information about these patches is available in the following Oracle support note:
  • Document 1557879.1 OIM 11gR2: Patches for Performance Issues Related to Self-service UI
The note contains the details for each specific R2 releases.

Any customer who is running OIM or implementing OIM at this point should plan to apply the patches.

Just a reminder, the recommendation is always to start applying patches in lower environments: from DEV to PROD.  Don't forget to validate the patches in one environment before proceeding to the next.

Tuesday, May 7, 2013

OIM 11g R2 Self Registration with CAPTCHA

This post walks you through the fun of customizing OIM and adding a CAPTCHA solution to the self-registration page. Captcha solutions are largely used in web sites to try to prevent automated robots from registering, filling forms, sending messages and many other things.

The captcha solution used is Simple Captcha and it is available here. It is easy to use and easy to hook into applications.

This is another post of the Oracle Identity Manager Academy. To check other tricks, tips and examples you can find the academy post here.

Wednesday, May 1, 2013

Synchronization of Roles in Catalog OIM 11g R2


The Catalog is one of the most fundamental features of OIM 11g R2 request based provisioning. All requests for Resources/Accounts, Entitlements and Roles are accomplished through the Catalog. Roles in OIM 11g R2 can be defined within a given category. There are two main out-of-the-box categories: OIM Roles and Default. The category affects the visibility of the Role in the Catalog.

Sometimes, customers may require to change the category of an existing Role in order to make it possible to request the Role through the Catalog. If the Role was initially created within the OIM Roles category,  it will not be visible in the Catalog because there is no entry in the Catalog's table for the Role.


A Role is available in the Catalog when its category is set to 'Default'. This can be ensured by modifying the Role's attributes in the Self-Service User Interface and selecting the 'Default' category from the List of Values. The picture that follows shows where this is done and provides an example:

In the example above, the role MASSACHUSETTS ORG MEMBER was originally created with OIM Roles as the selected category. As a result, this role can't be requested through the Catalog. The role's category will need to be updated to 'Default'. The images below demonstrate the change:

Roles are published immediately after they are created; however, if a Role is updated after creation like in the previous example, the Catalog Synchronization Job has to be executed to reflect the changes in the Catalog.

To invoke the Catalog Synchronization Job, an Administrator needs to log in to the System Administration Console of OIM and open the Scheduler Window; then navigate to the Catalog Synchronization Job as shown in the following picture:

The Job must be executed with the following values in the Job's attributes: 
  • Mode = full
  • Process Roles set to Yes
  • Updated Date must be blank

After the execution of the Catalog Synchronization Job, searching for the Role in the Catalog should now display the role in the results as shown below:


The Catalog is one of the main components of OIM 11g R2. The Request-Based provisioning functionality revolves around it. Any entity in OIM that can be requested by users needs to be visible in the Catalog. Roles that have OIM Roles as their category, are not visible in the Catalog; only the ones in the 'Default' category will be displayed in Catalog Search Results.

If a Role was initially created with OIM Roles as its category and then is updated to the Default category will not be displayed in the results of a Catalog search unless the Role is added to the CATALOG table in OIM's Database. This is accomplished by running the Catalog Synchronization Job through OIM's Scheduler. The job must be executed in Full mode, the 'Process Roles' option must be set to 'Yes' and the 'Updated Date' value must be blank.

Wednesday, April 10, 2013

Don’t Be that Guy – Part 2: Avoiding Outages Due to Full Disks and Partitions

A while back, I wrote about the fact that many customers experience severe outages with their Fusion Middleware products when they let the digital certificates associated with the SSL connections in their deployments expire.

To be fair, certificates are often “out of sight and out of mind” and indeed many system administrators don’t have much experience managing certificates.  However, the same cannot be said about disk space.  We all deal with managing disk space on multiple systems including our desktop clients, home PCs, and even phones. 

Today as a public service announcement I’d like to discuss the dangers of not paying attention to whether or not you have adequate disk space on your dev, test, and production machines running your middleware software. 

I’ll be honest, I see a surprising number of customers experience everything from long delays in their dev and QA cycles to real production outages because of instability caused by running out of disk space.  So, size your machines with adequate disk space, monitor your disk usage, and be aware of your logger and auditing configurations in your Fusion Middleware Products.

Most Fusion Middleware / IAM products including OAM and OIM log to the standard JAVA/WLS logs .out and .log; as well as to the Oracle diagnostic log -diagnostics.log.  The standard logs can be configured in the WLS console while the diagnostic log can be configured by editing the logging.xml file, through WLST, or in EM.
Most customers that use our auditing capabilities log directly to a database.  However, the default storage is “bus-stop files” which do reside on the local file system and obviously take up space.

Speaking of databases, I see a fair amount of similar pain being caused by databases running up against various size limits like tablespace or data file limits.  So, make sure you are also actively managing data size limits on the DB.

Friday, March 15, 2013

My White Paper on OAM Mobile and Social

Back in December I started putting together a White Paper on OAM 11g R2's new Mobile and Social capabilities. The paper covered the work we did for a Proof of Concept for a bank's new mobile banking application. Between the end of year holidays, a bunch of other projects and a long vacation the whole process of getting it all down on paper, reviewed and published took much longer than I expected to, but the paper is finally ready.

If you're interested in writing iOS apps that authenticate against OAM and then access REST services protected by OAM this paper might be right up your alley.

The paper is available from the Mobile and Social Access Services page on Just scroll down to the Technical Information section and hit the link Oracle Mobile and Social Case Study - Mobile Banking Application (PDF) (or just click that link).

If you read it and have ideas, questions, comments, or even absurd remarks I'm all ears!

Wednesday, March 13, 2013

Part 2: Kerberos Authentication, RBAC and SAML identity propagation in OAG

This post is the second one of a series by Andre Correa and Paulo Pereira on OAG (Oracle API Gateway).

The first post is found at Check it out for use case background and the Kerberos authentication part.

As mentioned, one of the requirements in our exercise was to authorize the user against a ROLE X URI matrix, called “Authorization Matrix”. In this post we’re looking at the second policy (Call ‘Perform Authorization’) in the overall flow:


Basically, “Perform Authorization” had to:

a. Obtain the authenticated user (authenticated by Kerberos);

b. Lookup the groups memberships in Active Directory;

c. For the requested URI, query a Database for the authorized roles for that URI in particular;

d. Check if any of the user groups (obtained from AD) is in the list returned by the DB query;

e. Authorize the user in case the check on the previous steps passes.

Tuesday, March 12, 2013

Part 1: Kerberos Authentication, RBAC and SAML identity propagation in OAG

This post is the first one of a series by Andre Correa and Paulo Pereira on OAG (Oracle API Gateway).

Throughout the series, we are going to talk about Kerberos authentication, Role Based Access Control (RBAC) and SAML identity propagation in OAG 11g, formerly known as OEG (Oracle Enterprise Gateway). What follows has been implemented as part of a larger exercise involving the SOA suite, OSB, OTD (Oracle Traffic Director) and the Exalogic platform. The kind of architecture presented here can be used as general guidance, but that may not apply to your use case scenarios. We will also briefly touch on OWSM policies that were applied to OSB and SOA composite.

The use case is about enabling end users to place orders. As you might think, there are quite a few 3rd-party systems to interact with in order to have the order fulfilled and the product provisioned to the end user. SOA to the rescue.

Security Requirements

Provide a security shell around SOA and channel each and every request through OAG. The classic model of perimeter defense. As the applications used by end users are Kerberos enabled, the customer wanted to see OAG authenticating Kerberos tokens generated by Active Directory’s KDC (Key Distribution Center). After authentication, we were asked to authorize the user based on a Security Matrix (a relation of groups and URIs) kept in an Oracle database. Finally, with the user properly authenticated and authorized, we should forget Kerberos and instead propagate a SAML token to the SOA platform. This identity should then be preserved all the way to downstream 3rd-party systems.

At the end of our exercise, the policy we built in OAG is expressed as the following circuit, where we can clearly see authentication, authorization and token switch. We expand the contents of each filter/policy as we go. In this post, we focus on the Kerberos Service filter and how we enable the policy for the service we want to protect.


Deployment Architecture

All Oracle FMW components (as well as OAG) were deployed for HA on a 4-node 1/8 Exalogic rack, as per the following diagram.

Monday, March 11, 2013

OAM 11g Custom Authentication Plugins: Collecting additional credentials

One of the things that OAM 11g does a very good job of is enabling LDAP-based user authentication, based on collecting username and password from a login form. I've seen a lot of questions from the field relating to how to handle more complex, multi-step or multi-factor authentication scenarios and while this post is certainly not intended to be exhaustive regarding this topic, I will go through a fairly common scenario on which most multi-factor authentication processes will depend: returning the user to the login page to collect additional credentials.

This post is part of a larger series on Oracle Access Manager 11g called Oracle Access Manager Academy. An index to the entire series with links to each of the separate posts is available.

Monday, February 18, 2013

Part 3: OAM11g WNA Identity Store Considerations and Configurations

This post is part of a larger series on Oracle Access Manager 11g called Oracle Access Manager Academy. An index to the entire series with links to each of the separate posts is available.

This is the final post of a three part series.  In "Part 1: Under the Covers of OAM11g WNA integration with Multiple AD Forests", I covered the flow of how WNA works and what was going on behind the scenes, and in "Part 2: How to Configure OAM11g WNA for Multiple AD Forests", I went into detail on how to configure WNA.  In this final post I am going to go over what I think would be two of the most common scenarios that the OAM11g Identity Store would be used for WNA, and how it impacts the Kerberos authentication module configurations.

Thursday, February 14, 2013

Part 2: How to Configure OAM11g WNA for Multiple AD Forests

This post is part of a larger series on Oracle Access Manager 11g called Oracle Access Manager Academy.  An index to the entire series with links to each of the separate posts is available.

This is the second post of a three part series.  In "Part 1: Under the Covers of OAM11g WNA integration with Multiple AD Forests", I covered the flow of how WNA works and what was going on behind the scenes.  This article will cover the technical details on how to implement WNA in a way that will support multiple Active Directory Forests that either have no transient trust between them, or even all trusted; in either case this will work for you.

Before we get into the details on how to setup WNA for multi Active Directory domains I just want to point out that I will use a straw man of three Active Directory KDC servers so you can understand any additional steps needed to support more than one KDC.  However, this would also work for as few as one domain, or more than three domains.  All that is needed is to simply extrapolate the steps to fit your requirements; I will be sure to comment where necessary.

Tuesday, February 12, 2013

Part 1: Under the Covers of OAM11g WNA integration with Multiple AD Forests

This post is part of a larger series on Oracle Access Manager 11g called Oracle Access Manager Academy. An index to the entire series with links to each of the separate posts is available.

This is the first post of a three part series that expands on a great article Matt wrote --- “The (Windows) Natives Are Restless”. Matt’s article covered some configurations, browser settings, and some examples of role mapping, but I want to dive into this whole WNA solution a lot more. So Part 1 will include just what the title eludes to, Under the Covers of the WNA integration with Multiple Active Directory Forests, then Part 2 will cover the details of the WNA configuration to make it work against multiple untrusted or trusted domains, and finally in Part 3) some highlights on leveraging OVD11g to pull it all together and make sure WNA can find the correct user across multiple forests.

Monday, January 28, 2013

Populating request attributes in OIM 11g R2 Part II - UI Customization

This is the second post of a two-post series about pre-populating requests in OIM 11g R2. The first post is available here. This post is also part of OIM 11g Academy Series.

The approach describe in this post is more sophisticated when compared to the pre-populate plug-in described in the previous post. The emphasis here is UI interaction. It is also important to mention that this approach does not work for requests created through the APIs, it works only for UI based requests. Another difference is that while the pre-populated plug-ins are specific to request attributes, this approach is application instance specific. In other words, each different application instance request form will require a different customization.

Wednesday, January 23, 2013

Populating request attributes in OIM 11g R2 Part I - Prepopulate Plug-in

This is the first of a two posts series about pre-populating requests in OIM 11 R2. This post is also part of the OIM 11g Academy Series.

With the introduction of the Catalog, request creation process changed from a wizard to a shopping cart experience style. But request pre-populating is still a common requirement for OIM customers.

There are two different approaches to pre-populate a request:
  1. Pre-populate plug-ins
  2. UI customization

Monday, January 21, 2013

Twitter Jam Tomorrow

Date: Tuesday, January 22, 2013
Time: 10 am PT / 1 pm ET
Topic: Authentication – Stronger or More Often?
Platform: Twitter
Hashtag: #authchat

Get Your Tweets On…

If you are on Twitter, join the tweet jam on Authentication on Jan 22nd at 10 am PT. You will be tweeting with the industry heavyweights and the IDM twitterati. Mike Neuenschwander will take control of the @OracleIDM handle and jam with industry experts on this year’s hot topic – Authentication! You don’t have to sit on the sidelines. Join in the discussion. Mike will kick it off at 10 am PST. Just follow #authchat.

Some housekeeping notes for the tweet jam:
-           Please make sure to use #authchat for every tweet you send on this topic
-           Pls use A1, A2… et al when responding to questions so it is easy for anyone following the discussion.
-           You can amplify others’ comments by retweeting. When modifying a tweet before retweeting, it is generally acceptable to use “MT” rather than “RT”
-           If replying to another tweet, pls don’t forget to use #authchat  and put a “.” (period) in front of the initiator’s twitter handle so everyone can see the response.
-           Feel free to solicit responses/comments from specific individuals by calling out their twitter handles. Just don’t forget to put the hashtag #authchat

Follow @OracleIDM today. And let your followers know about the upcoming tweet jam by tweeting about it. Perhaps something along the lines of:
Looking forward to the tweet jam on #authentication and getting the industry’s take. Join on Jan 22, 10 a PT #authchat #oracleidm

They will be archiving and posting the discussion on our blog OracleIDM afterwards.

Friday, January 4, 2013

OIM 11g R2 Requests Lifecycle Management API’s


OIM 11g R2 being such a comprehensive provisioning solution, it provides API’s for almost every aspect of functionality available in the product. This makes it a little difficult to decide which examples are needed the most in the documentation. Fortunately, the documentation does supply samples that can definitely serve as a foundation for more complex pieces of code. Some of the API’s I found developers using more often than others are the ones related to the operations associated with users’ requests for resources. Amongst those the following API’s are mostly required:
  • Request Creation/Submission
  • Request History Data Access
  • Child Table Data Manipulation
  • Approval Information Data Access
This blog post will include a few samples on how to accomplish each one of the above mentioned operations within the context of a use case described shortly. The intent is to provide some useful API’s code samples that customers and partners can use to write their own custom code that requires such functionality.

Thursday, January 3, 2013

Authenticating OIM APIs without end user's password

A common requirement in an OIM implementation is to not expose OIM user interface to all types of end users. To address this requirement, usually a custom application using OIM APIs is developed and deployed. Such application will expose specific OIM functionalities to end users. In most of the cases, customers want the custom application/OIM APIs to act as the end user, and not as a service account; this approach leverages OIM security model, and the actions will be correctly audited in OIM. Usually this custom application will be protected by a SSO solution, and asking the end user to provide his/her password is not an option. So the big question is: how to authenticate the OIM APIs against OIM server and make them act as the end user?

This is another post in the OIM Academy series. To view the entire OIM 11g Academy series click here

In OIM 9.x, the APIs provide two different ways of authentication: through OIM user's credentials (username and password) and through the so called digital signature authentication. The digital signature authentication process allows authentication without a password, and because of that it is a largely used approach in custom OIM APIs based applications.

With the introduction of OIM 11g, the digital signature APIs are being deprecated. They will still work when correctly configured, but they may be discontinued in future OIM releases.

In R2 there is an easier way of using OIM APIs without the need of end's user password. This post shows how this can be done.