Tuesday, October 25, 2011

OIM 11g logging.xml getting overwritten issue

After installing and configuring the OID connector, I tried a simple manual user provisioning to OID. As expected, the user creation in OID was rejected. Time to debug :(  So I added the OID-related log handler to $DOMAIN_NAME/config/fmwconfig/servers/oim_server1/logging.xml and restarted the oim managed server. To my surprise, the logging.xml file was overwritten (back to the original one) right after the managed server restarted.


I finally found the solution on support.oracle.com under support id 1335539.1. This issue shows up when your admin server is on box1 and the managed server is on box2. The solution is simple: modify the logging.xml file on box1 (admin server) and restart the OIM managed server. The change propagates to box2, where the OIM managed server is running.

Saturday, May 14, 2011

STRIDE Threat Modelling and Countermeasures

Here is a quick list of threats and their countermeasures based on the STRIDE threat model. More information at http://msdn.microsoft.com/en-us/magazine/cc163519.aspx .

THREAT                     COUNTERMEASURE
-------------------------------------------------------------
Spoofing                   Authentication
Tampering                  Digital signature, hashing
Repudiation                Audit
Information disclosure     Encryption
Denial of service (DOS)    Availability
Elevation of privileges    Authorization, input data sanitation

Thursday, December 23, 2010

OIM Troubleshoot : .NullPointerException at getAttrColumnName during Trusted Recon

Problem Description :- I imported a trusted-reconciliation setup from a working environment into another environment. When I ran the trusted recon on the new environment, I got the following error.

ERROR,21 Dec 2010 17:33:45,658,[XELLERATE.SERVER],Class/Method: tcRCE/createUserRecord encounter some problems: {1}
java.lang.NullPointerException
at com.thortech.xl.dataobj.util.tcAttributeSource.getAttrColumnName(Unknown Source)


I examined the "Reconciliation Event History" (Design Console -> Recon Manager) and found that only one action, "Event Received", was logged. A successful recon usually has at least three actions:
1. Event Received
2. Data Sorted
3. Created User
In my case the user was not getting created in OIM's USR table.
 
Solution : After banging my head for 2 days, I finally found the dumb solution.
1. Go to "Xellerate User" process definition.
2. Delete all field maps from "Reconciliation Field Mapping".
3. Redo all the field mapping again.

I think this occurs when the configuration is exported from one environment and imported into another. Definitely a bug in OIM 9102 BP11.

Tuesday, November 2, 2010

OIM How to : Delete OIM Users

Never delete OIM users; that is the OIM recommendation. But while playing in a development environment, we sometimes mess up OIM with too many unwanted users. In case you want to clean them up, here is a little script that may help. I got it from http://forums.oracle.com/forums/thread.jspa?threadID=1997648&tstart=15 .

delete from oud where oiu_key in (select oiu_key from oiu where usr_key in (select usr_key from usr where USR_LOGIN='USERXXX'));
delete from osi where req_key in (select req_key from req where orc_key in (select orc_key from orc,usr where orc.usr_key = usr.usr_key and USR_LOGIN='USERXXX'));
delete from osi where osi_assigned_to_usr_key in (select usr_key from usr where USR_LOGIN='USERXXX');
delete from osh where osh_assigned_to_usr_key in (select usr_key from usr where USR_LOGIN='USERXXX');
delete from rcd where rce_key in (select rce_key from rce,orc,usr where rce.orc_key = orc.orc_key and orc.usr_key = usr.usr_key and USR_LOGIN='USERXXX');
delete from rch where rce_key in (select rce_key from rce,orc,usr where rce.orc_key = orc.orc_key and orc.usr_key = usr.usr_key and USR_LOGIN='USERXXX');
delete from rcu where rce_key in (select rce_key from rce,orc,usr where rce.orc_key = orc.orc_key and orc.usr_key = usr.usr_key and USR_LOGIN='USERXXX');
delete from rcb where rce_key in (select rce_key from rce,orc,usr where rce.orc_key = orc.orc_key and orc.usr_key = usr.usr_key and USR_LOGIN='USERXXX');
delete from rpc where rce_key in (select rce_key from rce where usr_key in (select usr_key from usr where USR_LOGIN='USERXXX'));
delete from rcm where rce_key in (select rce_key from rce where usr_key in (select usr_key from usr where USR_LOGIN='USERXXX'));
delete from rcp where rce_key in (select rce_key from rce where usr_key in (select usr_key from usr where USR_LOGIN='USERXXX'));
delete from rce where orc_key in (select orc_key from orc,usr where orc.usr_key = usr.usr_key and USR_LOGIN='USERXXX');
delete from oio where orc_key in (select orc_key from orc,usr where orc.usr_key = usr.usr_key and USR_LOGIN='USERXXX');
delete from oiu where usr_key in (select usr_key from usr where USR_LOGIN='USERXXX');
delete from oti where orc_key in (select orc_key from orc,usr where orc.usr_key = usr.usr_key and USR_LOGIN='USERXXX');
delete from osi where orc_key in (select orc_key from orc,usr where orc.usr_key = usr.usr_key and USR_LOGIN='USERXXX');
delete from orc where usr_key in (select usr_key from usr where USR_LOGIN='USERXXX');
delete from upd where upp_key in (select upp_key from upp,usr where upp.usr_key = usr.usr_key and USR_LOGIN='USERXXX');
delete from upp where usr_key in (select usr_key from usr where USR_LOGIN='USERXXX');
delete from usg where usr_key in (select usr_key from usr where USR_LOGIN='USERXXX');
delete from uhd where uph_key in (select uph_key from uph,usr where uph.usr_key = usr.usr_key and USR_LOGIN='USERXXX');
delete from uph where usr_key in (select usr_key from usr where USR_LOGIN='USERXXX');
delete from pcq where usr_key in (select usr_key from usr where USR_LOGIN='USERXXX');
delete from rcu where usr_key in (select usr_key from usr where USR_LOGIN='USERXXX');
delete from usr where USR_LOGIN='USERXXX';
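As an added example (not the post's or the forum thread's code), here is the same kind of deletion done with a bound parameter and a single transaction, so the login is never spliced into the SQL text and a failure part-way leaves no half-deleted user. It covers only four of the script's tables (upd, upp, usg, usr) against a constructed in-memory sqlite stand-in for the OIM repository; the stand-in's column names are an assumption.

```python
import sqlite3

# Child-before-parent statements for a subset of the tables in the post's script,
# in the same order; '?' is the DB-API placeholder for the login (no string splicing).
DELETE_ORDER = [
    "delete from upd where upp_key in (select upp_key from upp, usr"
    " where upp.usr_key = usr.usr_key and usr.usr_login = ?)",
    "delete from upp where usr_key in (select usr_key from usr where usr_login = ?)",
    "delete from usg where usr_key in (select usr_key from usr where usr_login = ?)",
    "delete from usr where usr_login = ?",
]

def delete_user(conn, login):
    """Remove one login atomically; returns {table: rows deleted}."""
    removed = {}
    cur = conn.cursor()
    try:
        for stmt in DELETE_ORDER:
            cur.execute(stmt, (login,))          # login is bound, not concatenated
            removed[stmt.split()[2]] = cur.rowcount
        conn.commit()
    except sqlite3.DatabaseError:
        conn.rollback()                          # any error undoes every earlier delete
        raise
    return removed

def demo_db():
    """Constructed stand-in for the OIM repository (column names are assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        create table usr (usr_key integer primary key, usr_login text);
        create table usg (usr_key integer, ugp_key integer);
        create table upp (upp_key integer primary key, usr_key integer);
        create table upd (upp_key integer, upd_key integer);
        insert into usr values (1, 'USERXXX'), (2, 'KEEPME');
        insert into usg values (1, 10), (1, 11), (2, 10);
        insert into upp values (100, 1), (101, 2);
        insert into upd values (100, 1), (100, 2), (101, 3);
    """)
    return conn

def remaining_users(conn):
    """Logins still present, to confirm only the targeted user went away."""
    return [row[0] for row in conn.execute("select usr_login from usr order by usr_key")]
```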

Monday, April 12, 2010

OAM "No schema definition for attribute XX found" error.

Does the error below look familiar to you? It occurs when an attribute is deleted from one of the configured object classes without deleting the corresponding object configuration in COREid.

{
Bug Report Form
An error has occurred while executing the application.
Your browser doesn't support sending mail automatically!
Please send E-Mail to with the following information:
# Your Name
# Organization
# E-Mail Address
# Phone Number
# Comment
Make sure to append the following traceback in the mail.
Traceback
data\module_main.cpp:568: Error: Exception re-thrown in HandleEvent.
common\obprogram_registry.cpp:794: Error: Exception re-thrown in ObProgramRegistry::Execute.
common\obprogramservice.cpp:314: Error: Exception re-thrown in ObProgramService::Execute.
admin_console\acps_metaattribute.cpp:39: Error: Exception re-thrown in ACMetaAttributeProgram::Execute.
admin_console\metaattribute.cpp:1513: Error: Exception re-thrown in ACPS::MetaAttributeGenTabMainMetaAttributePage().
admin_console\metaattribute.cpp:1412: Error: No schema definition for attribute mdeTempEscalationAuthZId was found.
Product
User Manager AdminVersion
Platform
Microsoft Windows
}


For example, say you have an extra attribute called 'userPreference' configured as part of an auxiliary object class 'myCompanyAddistionalUser'. All attributes of this object class are configured via "Common Configuration" as well as in a specific user tab in "User Configuration". If you delete the attribute 'userPreference' in LDAP, make sure you also delete it from the corresponding common and tab configuration. Otherwise you will see this error.

For the example above, the common configuration entry may be found at "dn: obattr=userPreference, obclass=myCompanyAddistionalUser, o=Oblix,o=abc,dc=com". Similarly, the tab configuration entry may be found at "dn: obattr=userPreference, obpanelid=Employees, obapp=userservcenter, o=Oblix,o=abc,dc=com". Just delete these two entries in LDAP and then clear the Identity Server cache. Your Id Server will be happy again.

Wednesday, February 17, 2010

Deploying Sun IDM 8.1 on Weblogic

Here are a few quick steps to deploy Sun IDM (now called Oracle Waveset) on the WebLogic app server on a Windows box. Note that Sun IDM is a web application that requires any standard application server and a DB repository. The installable is just a war file.

A. ENVIRONMENT PREPARATION
(1) Download IDM 8.1 from here. Extract the downloaded file IDM_8_1_0_0.zip to a temporary directory, say C:\Sun\idm_setup .

(2) Create a database, say 'waveset', in any of the supported RDBMS like MySQL, Oracle or MS SQL Server. Create the IDM tables in this database using the DB-specific SQL script available in the C:\Sun\idm_setup\db_scripts directory. For example, run ..\db_scripts\create_waveset_tables.sqlserver if your DB is MS SQL Server.

(3) Create a WebLogic instance meant for running the IDM application later.


B. IDM INSTALLATION
(1) From the command prompt :-
-> cd C:\Sun\idm_setup (This is where you extracted the IDM installables)
-> set WSHOME=C:\Sun\idm (Assuming this is your installation directory)
-> set JAVA_HOME=C:\bea\jdk150_04 (You can choose your JDK)
-> run install.bat
Select the component installation directory as 'C:\Sun\idm'.
This will create the application (exploded IDM war file) at 'C:\Sun\idm'.

(2) The next step is to set up the JDBC driver, which the IDM application uses to connect to its repository. Here is an example of the JDBC setup for an MS SQL Server repository.
-> copy sqljdbc.jar to C:\Sun\idm\WEB-INF\lib\sqljdbc.jar
-> click 'Next'
On the "launch setup" screen enter the following:
URL : jdbc:sqlserver://YourSQLServer:1433;DatabaseName=waveset
JDBC Driver : com.microsoft.sqlserver.jdbc.SQLServerDriver
connectAsUser : waveset-db-userid
connect password: password
-> click Next :- (if an error shows up here, exit from setup and run c:\sun\idm\bin\lh setup )

(3) Next, initialize Identity Manager with the default init.xml
-> Continue Demo setup : No
-> Import init.xml Identity Manager Configuration. Click 'Execute'.

(4) Finally, deploy the application from the WebLogic console.
-> Run the WebLogic server that was created for IDM.
-> Go to http://weblogicMachineName:7001/console/
-> After authentication, select Deployments and pick the application location 'C:\Sun\idm'.
-> Make sure the deployment status of IDM is "active". Now go to http://weblogicMachineName:7001/idm
UserId / password : configurator/configurator
OR
UserId / password : administrator/administrator

You will see the IDM administration related screens.

Happy Learning..

Monday, August 3, 2009

Few Useful Tips on Sun LDAP Multi-Master Replication

If you are using Sun Directory Server 5.2, here are a few useful tips on multi-master replication.

(1) The typical way of configuring multi-master replication (say between M1 and M2, for reference) is to define a replication agreement on each LDAP server, which pushes its changes to the other. But initially both LDAP servers have to be in sync. While defining the agreement from the console, it usually displays the message "remote replica of the selected agreement has not been initialized from this replica". The same message will be seen on the other LDAP server's agreement definition screen. This gives the impression that both servers have to be initialized from each other to be in perfect synchronization to start with. But NEVER initialize both ways.

For example, after defining the replication agreement on each LDAP server, only do a full initialization from M1 to M2. Never do the same from M2, even if the agreement in the M2 console displays the above message "remote replica of the selected agreement has not been initialized from this replica".

(2) While doing a full initialization from M1 to M2, the schema MAY NOT get loaded onto M2. So copy the ".../slapd-M2/config/schema" directory from M1 to M2 and restart M2. Do the initialization only after the schema on M1 and M2 are the same.

(3) Index information does not get loaded when an initialization is done from one master to the other. So export the indexes from the source master and import them into the other master, followed by a re-indexing.

(4) If for some reason you have to delete the existing agreement and create it again, make sure you assign a new replica-id. This avoids possible data corruption.

(5) When exporting data from any of the LDAP servers participating in multi-master replication, you will see replication info (e.g. obEnabled;vucsn-49de55e5000000010000;deleted: disabled) in the exported data. What if you want clean data only? There are many ways; here is one of them.

ldapsearch.exe -h yourHost -p yourPort -D myUser -w myPassword -b obname=o=Finance,dc=company,dc=com -s sub (objectclass=Top) > exported.ldif
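As an added example (not part of the original post), here is a small Python filter that cleans an existing LDIF export instead of re-running the search: it strips the CSN attribute options, drops values tagged ';deleted', and skips tombstone entries. The 'vucsn' option comes from the post; the other option names ('adcsn', 'mdcsn', 'vdcsn') and the 'nsTombstone' object class are assumed from the same Directory Server replication scheme, and the LDIF sample is constructed.

```python
import re

# CSN options Sun DS adds to replicated values; 'vucsn' is from the post, the others are assumed.
CSN_OPTION = re.compile(r"^(vucsn|adcsn|mdcsn|vdcsn)-[0-9a-f]+$", re.IGNORECASE)

# Constructed sample export: one live entry carrying replication options, one tombstone.
SAMPLE_LDIF = """dn: uid=jdoe,o=Finance,dc=company,dc=com
objectclass: top
objectclass;vucsn-49de55e5000000010000: person
cn;vucsn-49de55e5000000010000: John
  Doe
obEnabled;vucsn-49de55e5000000010000;deleted: disabled
obEnabled;vucsn-49de55e5000000020000: enabled

dn: nsuniqueid=1234-abcd,uid=gone,o=Finance,dc=company,dc=com
objectclass: nsTombstone
"""

def unfold(lines):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    out = []
    for line in lines:
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out

def clean_line(line):
    """Strip CSN options from an attribute line; return None for a ';deleted' value."""
    if ":" not in line:
        return line                      # comment or blank line, leave untouched
    desc, value = line.split(":", 1)
    base, *opts = desc.split(";")
    if any(o.lower() == "deleted" for o in opts):
        return None                      # value was deleted on a master; drop it
    kept = [o for o in opts if not CSN_OPTION.match(o)]
    return ";".join([base, *kept]) + ":" + value

def clean_ldif(text):
    """Return the export with replication metadata removed and tombstones skipped."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = unfold(block.splitlines())
        if any(l.lower().startswith("objectclass: nstombstone") for l in lines):
            continue                     # entry only survives as a tombstone
        cleaned = [c for c in map(clean_line, lines) if c is not None]
        entries.append("\n".join(cleaned))
    return "\n\n".join(entries) + "\n"
```

Calling clean_ldif(SAMPLE_LDIF) leaves only the jdoe entry, with plain attribute names and the current obEnabled value.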