Wednesday, October 10, 2012

Quick Tips: Finding the IAM component versions

It was little harder than I thought :(  My weblogic expert friend shared it.

For OIF and OAM :-

Assuming that you have installed OIF from Oracle_IDM2
$ export ORACLE_HOME=/opt/apps/Oracle/Middleware/Oracle_IDM2
$ export PATH=$PATH:/opt/apps/Oracle/Middleware/Oracle_IDM2/OPatch
$ opatch lsinventory -detail -invPtrLoc /opt/apps/Oracle/Middleware/Oracle_IDM2/oraInst.loc

For OHS  :-
opatch lsinventory -detail -invPtrLoc /opt/apps/OHS/Oracle_WT1/oraInst.loc

For WEBGATE :-
opatch lsinventory -detail -invPtrLoc /opt/apps/OHS/Oracle_OAMWebGate1/oraInst.loc -jdk /opt/apps/OHS/oracle_common/jdk/




Monday, October 1, 2012

Changing OIF server parameter using WLST

A quick reference on WLST usage. Here is an example of setting of an OIF server parameter (userldapconnectionreadtimeout') using WLST command.

$ export DOMAIN_HOME=..Directory/Oracle/Middleware/user_projects/domains/OIF_DOMAIN  
$ . Directory/opt/apps/Oracle/Middleware/Oracle_IDM2/fed/scripts/setOIFEnv.sh
$ java weblogic.WLST
wls:/offline> setConfigProperty('datastore','userldapconnectionreadtimeout', '120','long')
                   Please enter your username :weblogic
                   Please enter your password :
                   Please enter your server URL [t3://localhost:7001] :t3://oifServer.abc.com:7499

wls:/EPP_STAGE_SECURITY_DOMAIN/serverConfig> disconnect()

wls:offline >exit()

check for your change at :-
$ vi /opt/apps/Oracle/Middleware/user_projects/domains/EPP_STAGE_SECURITY_DOMAIN/config/fmwconfig/servers/wls_oif2/applications/OIF_11.1.1.2.0/configuration/config.xml

Monday, September 24, 2012

Making your OAM custom Login Form XSS safe

In real life OAM implementation we all use fancy login form , which is called from OAM authentication scheme. These custom login screen often use java scripts. The screen also contain at-least two input parameters 'Login-Name' and 'Password'.  So the screen is perfect play ground for XSS (Cross Site Scripting) attack. Here are few tips to make it XSS safe. For more information about XSS venerability check OWASP (https://www.owasp.org/index.php/XSS) website.

1. Make sure your authentication scheme has a challenge parameter called "ssoCookie=httponly". This will ensure that the java-script cannot read the OAM cookies.

2. The user input validation is must. For example evil user may enter "JohnDoe script alert(document.cookie); script" in the username field to test if the login form is venerable to XSS.

3. Always re-encode user output into safe code html, CSS, JS etc.  For example,  after safe encoding, your javascript should look like "<script> alert(document.cookie); <script>"
The OWASP ESAPI library to do this safe encoding.

Tuesday, May 29, 2012

OVD 11g Quick Tips

Finding OVD version :-
Open file ..../Oracle/Middleware/OVD_INST_1/config/OVD/ovd1/server.os_xml .
Look for section  "OVD_INST_1_OVD" .

Setting OVD Log (Alternative to console) :-
You can set OVD log level directly using console UI. But, you may get an error "JAVAX.EL.ELEXCEPTION: JAVA.LANG.NULLPOINTEREXCEPTION AT JAVAX.EL.BEANELRESOLVER" because of an  OVD 11.1.1.5 bug while doing it from em console.

Here is an alternative approach Doc
1. Stop OVD :
$ORACLE_INSTANCE/bin/opmnctl stopproc ias-component=ovd1

2. Open $ORACLE_INSTANCE/config/OVD/ovd1/ovd-logging.xml change such as to have
<loggers>
<logger name='com.octetstring.vde' level='TRACE:32' useParentHandlers='false' >
<handler name='OVDHandler'/ >
</logger >
<logger name='com.octetstring.accesslog' level='TRACE:32' useParentHandlers='false' >
<handler name='OVDAccessHandler'/ >
</logger >
</loggers>

3. Start OVD: $ORACLE_INSTANCE/bin/opmnctl startproc ias-component=ovd1


Setting Worker Tread :-

Does your OVD error log (.../ovd_inst/diagnostics/logs/OVD/ovd1/http-errors.log) shows occasional error message called “Low on Thread” or “Out of thread”. Check $OVD_HOME/config/OVD/listeners.os_xml for at least 50 worker threads in the LDAP listener.

look for entry
10 and change it to 50 
do it for "Admin Gateway", "LDAP Endpoint" and "LDAP SSL Endpoint".


Wednesday, January 11, 2012

OIM 11.1.1.5 User Manager API bug causes double provisioning

I wrote a Post Process Event Handler code, which provide value to a User's attribute during user creation. The event-handler code was using UserManagerment (oracle.iam.identity.usermgmt.api.UserManager) API.

public class GuidGenerationPostProcEventHandler implements oracle.iam.platform.kernel.spi.PostProcessHandler {
:
public EventResult execute(long processId, long eventId, Orchestration orchestration) { 
HashMap params = orchestration.getParameters();
String uid = this.getParamaterValue(params, Constants.USERID); 
oracle.iam.identity.usermgmt.vo.User user = new User(uid);
user.setAttribute("Micam Unique Id", generateUniqueId()); // generateUniqueId is a private method and returns some value 
try {
   usrMgrService = Platform.getService(UserManager.class);    
   usrMgrService.modify(Constants.USERID, uid, user);
catch (...) 
:
:
}
return ( new EventResult() );
    :
    :

The above said code worked as expected. It generated the value and populated the user attributes called "Micam Unique Id".  But, this code did some damage to my auto-provisioning set up to OID. I saw two auto-provisionings are initiated during user creation event instead of one. I could not figure out the cause. so I posted the query to oracle forum ( https://forums.oracle.com/forums/thread.jspa?threadID=2329154 ) and found the following answer from some of our smart users. 

There is a known issue in UserManagement APIs in OIM 11.1.15. Using the UsrMngmt APIs to update a User within an Orchestration will cause another user update orchestration to be initiated. The user update is also causing role membership rules to be evaluated, which in turn is triggering second provisioning. So solution is to use Entity Management (oracle.iam.platform.entitymgr.EntityManager) APIs instead . The new code snippet is given here, which works fine so far. 

public class GuidGenerationPostProcEventHandler implements oracle.iam.platform.kernel.spi.PostProcessHandler {
    :    
 public EventResult execute(long processId, long eventId, Orchestration orchestration) {        
        HashMap mapAttrs = new HashMap() ;
    mapAttrs.put("Micam Unique Id", generateUniqueId()); // generateUniqueId is a private method and returns some value 
    try {
   String userKey;     
   if (!orchestration.getOperation().equals("CREATE")) 
userKey = orchestration.getTarget().getEntityId();
   else {
    OrchestrationEngine orchEngine = Platform.getService(OrchestrationEngine.class);            
    userKey = (String) orchEngine.getActionResult(processID);
            }        
            
            entMgrService = Platform.getService(EntityManager.class);        
            entMgrService.modifyEntity(orchestration.getTarget().getType(), userKey, mapAttrs);                        
    }
    catch (..) {
    :      
    return ( new EventResult() );
     :
     :

As of writing this blog, there is no UserMgmt & EntityMgmt API documentations available from Oracle. So good luck.

Monday, January 9, 2012

Quick OIM TIP : Finding out OIM Version and Patch Information

(1) Execute the following query against OIM schema.
select XSD_VALUE from XSD where XSD_CODE='XL_BUILD_NUMBER';

 (2) .../Oracle/Middleware/Oracle_IDM1/OPatch/opatch lsinventory -details

Friday, January 6, 2012

OIM 11g: exporting User.xml using MDS utilities

Here are the steps to export OIM's  User.xml from metadata using weblogic MDS utilities.

$ cd /opt/Oracle/Middleware/Oracle_OIM/server/bin
Aassuming you have installed OIM at /opt/Oracle/Middleware/Oracle_OIM. The default directory could be /opt/Oracle/Middleware/Oracle_IDM2 for 11.1.1.5 installation

$ vi weblogic.properties.  Set the value similar to the example below.

wls_servername=oim_server1
application_name=OIMMetadata
metadata_from_loc=@From_location
metadata_to_loc=/opt/export
metadata_files=/file/User.xml

- The above said example assumes that your oim server name is oim_server1.
- The exported file will land in directory mentioned in metadata_to_loc
- Export operation ignores the value mentioned in metadata_from_loc proerty field.
- Rest of the property fields should be hard-coded as shown in the example.

$ ./weblogicExportMetadata.sh
User Name   = weblogic
Password     = Your Password
Server URL = t3://weblogic-admin-server:7001

While running this, you may see some warning about the SSL port and admin port. Just ignore it. If the above runs successfully, your exported User.xml will be in /opt/export/file directory.