Tuesday, January 12, 2016

OAM 11gR2PS3 & Oracle OpenSSO Fedlet Integration

The integration between OAM and Fedlet is pretty straightforward.

- Generate the Fedlet sample and configuration files.

- Deploy the fedletsample.war

- Create the Service Provider Partner in OAM.

- Test

Monday, January 11, 2016

Protecting Intranet and Extranet Applications with a Single OAM 11g Deployment

If you have a requirement to protect both intranet and extranet apps with a single OAM deployment, this article is a very good discussion of the topic:

http://www.ateam-oracle.com/protecting-intranet-and-extranet-applications-with-a-single-oam-11g-deployment/

Oracle Access Manager 11gR2PS3 & Sun Identity Manager (Oracle Waveset) Integration

There are three integration points between SIM & OAM: authentication/authorisation, password management and access management reporting.


Oracle Access Manager 11gR2PS3 Password Policy - Complex Password

The OAM Password Policy does not support the requirement "Must contain at least three of the following four categories". It is supported in the OIM Password Policy.

Saturday, January 9, 2016

Sun IAM to Oracle IAM Migration - Phase Deployment Approach

There are a number of different approaches to migrating Sun IAM (Access Manager, Identity Manager and Directory Server) to Oracle IAM.

I'm using an approach that I think is controlled, with minimal delivery risk.



Password Change - Difference between OpenSSO and OAM

When migrating from OpenSSO to OAM, I noticed a difference between OpenSSO and OAM in handling the end-user self-service password change scenario.

End-user password change via OpenSSO: self change. The directory server change log shows the password was changed by the user themselves.

End-user password change via OAM: admin change. The directory server change log shows the password was changed by the user configured as the Bind DN in the OAM identity store.
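To make that difference visible in an audit, here is an added example (not from the original post) that scans directory change-log records and classifies each password modification as a self change (modifier is the target entry) or an admin change (modifier is someone else, such as the OAM Bind DN). The records, the attribute layout (targetDn, changeType, changes, modifiersName) and the Bind DN value are constructed for this example; adapt them to your directory's retro change log.

```python
# Added example: classify password changes in a directory change log as
# user self-change vs. admin (Bind DN) change. All sample data is constructed.

OAM_BIND_DN = "cn=oamadmin,ou=service accounts,dc=example,dc=com"  # assumed value

SAMPLE_CHANGELOG = """\
changeNumber: 101
targetDn: uid=jdoe,ou=people,dc=example,dc=com
changeType: modify
changes: replace: userPassword
modifiersName: uid=jdoe,ou=people,dc=example,dc=com

changeNumber: 102
targetDn: uid=asmith,ou=people,dc=example,dc=com
changeType: modify
changes: replace: userPassword
modifiersName: cn=oamadmin,ou=service accounts,dc=example,dc=com

changeNumber: 103
targetDn: uid=bjones,ou=people,dc=example,dc=com
changeType: modify
changes: replace: mail
modifiersName: uid=bjones,ou=people,dc=example,dc=com
"""

def parse_records(text):
    """Split blank-line separated 'attr: value' blocks into dicts with lower-cased keys."""
    records = []
    for block in text.strip().split("\n\n"):
        rec = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            rec[key.strip().lower()] = value.strip()
        records.append(rec)
    return records

def norm_dn(dn):
    """Normalise a DN enough for comparison: lower-case, strip spaces around commas."""
    return ",".join(part.strip() for part in dn.lower().split(","))

def classify(rec):
    """Return 'self', 'admin', or None when the record is not a password change."""
    if rec.get("changetype") != "modify" or "userpassword" not in rec.get("changes", "").lower():
        return None
    return "self" if norm_dn(rec.get("modifiersname", "")) == norm_dn(rec["targetdn"]) else "admin"

def audit(text, bind_dn=OAM_BIND_DN):
    """List (changeNumber, targetDn, kind, via_oam_bind_dn) for every password change."""
    out = []
    for rec in parse_records(text):
        kind = classify(rec)
        if kind:
            via_oam = norm_dn(rec.get("modifiersname", "")) == norm_dn(bind_dn)
            out.append((rec["changenumber"], rec["targetdn"], kind, via_oam))
    return out

if __name__ == "__main__":
    for row in audit(SAMPLE_CHANGELOG):
        print(row)
```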


OAM 11gR2PS3 - REST - Out Of The Box Oracle Access Manager (OAM) Authentication Token Service

Authenticate (Login):
curl -i -H "Content-Type: application/json" --request POST http://:/oic_rest/rest/oamauthentication/authenticate -d '{"X-Idaas-Rest-Subject-Type":"USERCREDENTIAL","X-Idaas-Rest-Subject-Username":"testuser","X-Idaas-Rest-Subject-Password":"Password1","X-Idaas-Rest-New-Token-Type-To-Create":"USERTOKEN"}'

Validate:
curl --request GET http://:/oic_rest/rest/oamauthentication/tokens/info -H "X-Idaas-Rest-Subject: TOKEN <token-value>"

Delete (Logout):
curl -i -H "Content-Type: application/json" --request DELETE http://:/oic_rest/rest/oamauthentication/tokens/info -d '{"X-Idaas-Rest-Subject-Value":"<token-value>","X-Idaas-Rest-Subject-Type":"TOKEN"}'
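The same three calls as an added Python example (not from the original post), which keeps the password out of the command line and shell history, unlike the curl form above. The host and port are elided in the post, so the base URL is taken from the OAM_REST_BASE environment variable with a constructed default; the response body format is not shown on the page, so it is returned raw.

```python
import json
import os
import urllib.request

# Added example. The post elides host and port; this default is constructed.
BASE = os.environ.get("OAM_REST_BASE", "http://oamhost.example.com:14100") \
    + "/oic_rest/rest/oamauthentication"

def authenticate_request(username, password):
    """POST /authenticate: exchange a username/password for a USERTOKEN.
    Credentials travel in the JSON body, not in argv as with the curl form."""
    body = json.dumps({
        "X-Idaas-Rest-Subject-Type": "USERCREDENTIAL",
        "X-Idaas-Rest-Subject-Username": username,
        "X-Idaas-Rest-Subject-Password": password,
        "X-Idaas-Rest-New-Token-Type-To-Create": "USERTOKEN",
    }).encode()
    return urllib.request.Request(BASE + "/authenticate", data=body, method="POST",
                                  headers={"Content-Type": "application/json"})

def validate_request(token):
    """GET /tokens/info with the token carried in the X-Idaas-Rest-Subject header."""
    return urllib.request.Request(BASE + "/tokens/info", method="GET",
                                  headers={"X-Idaas-Rest-Subject": "TOKEN " + token})

def logout_request(token):
    """DELETE /tokens/info: invalidate the token server-side (logout)."""
    body = json.dumps({"X-Idaas-Rest-Subject-Value": token,
                       "X-Idaas-Rest-Subject-Type": "TOKEN"}).encode()
    return urllib.request.Request(BASE + "/tokens/info", data=body, method="DELETE",
                                  headers={"Content-Type": "application/json"})

def send(req, timeout=10):
    """Send a prepared request; return (HTTP status, raw body). Errors propagate."""
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.read().decode("utf-8", "replace")

if __name__ == "__main__":
    import getpass
    user = input("username: ")
    status, body = send(authenticate_request(user, getpass.getpass()))
    print(status, body)  # extract the token from the body for validate/logout
```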

Friday, January 8, 2016

Installing cURL on Cygwin on Windows

How to deploy OAM Custom Pages?

Custom Login Pages

Customise the pages in oamcustompages.war.
Deploy the war using WLS Console
Update the Authentication Scheme to use the custom WAR file:
       Context Type = customWar 
       Context Value = /oamcustompages

Custom Password Pages

Customise the pages in oamcustompages.war.
Deploy the war using WLS Console
Specify Custom Pages in Password Policy:
        Password Service URL = /oamcustompages/pages/pswd.jsp

Custom Error and Logout Pages

Customise the pages (Error.jsp, Logout.jsp) in oamcustompages.war.
Deploy the war using WLS Console
Specify Custom Pages using WLST:
       updateCustomPages(pageExtension ="jsp", context="/oamcustompages")

Friday, November 6, 2015

Oracle Identity Manager Database Application Tables Connector with Entitlement

Step 1 - Installing and Configuring Database Application Tables Connector


Step 2 - Create lookup 

Lookup.DBAT.Groups

Step 3 - Setting Up Process Form Fields as Entitlements

Change the 'Field Type' from 'TextField' to 'LookupField'
Add properties for 'Group Name':
  - Entitlement = true
  - Lookup Code = Lookup.DBAT.Groups



Step 4 - Mark GROUP as [LOOKUP]

Step 5 - Harvest lookup by running Lookup Recon

Step 6 - Harvest Entitlements and Sync Catalog

 - Run Entitlement List
 - Run Catalog Sync

Verify Catalog shows all the Entitlements. 

Step 7 - Verify 

 - Account & Entitlement Initial Load by running Target Resource User Reconciliation
 - Provision User with Entitlement


Friday, October 16, 2015

Deploying the IAM Suite 11gR2PS2 with the Deployment Wizard ('Highly Available' Topology)

Procured another NUC (NUC5i3RYH) with 16G RAM to test the FULL HA deployment using LCM.

The Lab Environment setup took me about 1 day including VM provisioning, DB install, NAS and Load Balancer.

The execution took about 10 hours.

Not sure why Oracle provides a tool that requires so many steps. It can be made much simpler.

Anyway, it's easier than the manual install/configure.

Hardware:
mini-pc-1: NUC DN2820FYKH with 8G RAM
mini-pc-2: NUC NUC5i3RYH with 16G RAM
home-pc: HP Desktop with 12G RAM

VM:
NAS (mini-pc-2) - 2G   192.168.0.101
DB (mini-pc-2) - 2G      192.168.0.88
OIM1 (mini-pc-2) - 6G    192.168.0.55
OAM1 (mini-pc-2) - 4G   192.168.0.56

LB (mini-pc-1) - 1G         192.168.0.100
OUD1 (mini-pc-1) - 1G   192.168.0.53
WEB1 (mini-pc-1) - 1G   192.168.0.51
OUD2 (mini-pc-1) - 1G   192.168.0.54
WEB2 (mini-pc-1) - 1G   192.168.0.52

OIM2 (home-pc) - 6G      192.168.0.57
OAM2 (home-pc) - 4G     192.168.0.58

Step 1 - Lab Environment Setup

db.qingfeng.com - Windows - 2GB
oudhost1.qingfeng.com - OES 6.5 - 1GB
oudhost2.qingfeng.com - OES 6.5 - 1GB
oimhost1.qingfeng.com - OES 6.5 - 6GB
oimhost2.qingfeng.com - OES 6.5 - 6GB
oamhost1.qingfeng.com - OES 6.5 - 4GB
oamhost2.qingfeng.com - OES 6.5 - 4GB
webhost1.qingfeng.com - OES 6.5 - 1GB
webhost2.qingfeng.com - OES 6.5 - 1GB
nas.qingfeng.com - FreeNAS 9.3 - 2GB
lb.qingfeng.com (web.qingfeng.com, sso.qingfeng.com, ldap.qingfeng.com)  - OES 6.5 - 1GB 

Shared Storage - FreeNAS has been used to create shared storage.
Load Balancer:  HAProxy has been used for load balancing.
web.qingfeng.com:80 - webhost1.qingfeng.com:7777, webhost2.qingfeng.com:7777
sso.qingfeng.com:443 - webhost1.qingfeng.com:7777, webhost2.qingfeng.com:7777
ldap.qingfeng.com:389 - oudhost1.qingfeng.com:1389, oudhost2.qingfeng.com:1389

Step 2 - Create Response File

Step 3 - Execution

oudhost1-preverify - 1 minute 33 seconds
oudhost2-preverify - 1 minute 10 seconds
oimhost1-preverify - 24 seconds
oimhost2-preverify - 28 seconds
oamhost1-preverify - 11 seconds
oamhost2-preverify - 28 seconds
webhost1-preverify - 1 minute 9 seconds
webhost2-preverify - 1 minute 19 seconds

oudhost1-install - 13 minutes 28 seconds
oudhost2-install - 53 seconds
oimhost1-install - 42 minutes 20 seconds
oimhost2-install - 18 seconds
oamhost1-install - 36 minutes 39 seconds
oamhost2-install - 21 seconds
webhost1-install - 51 minutes 56 seconds
webhost2-install - 53 seconds

oudhost1-preconfigure - 5 minutes 32 seconds
oudhost2-preconfigure - 6 minutes 34 seconds
oimhost1-preconfigure - 77 minutes 54 seconds
oimhost2-preconfigure - 1 minute 29 seconds
oamhost1-preconfigure - 60 minutes 32 seconds
oamhost2-preconfigure - 1 minute 15 seconds
webhost1-preconfigure - 4 minutes 1 seconds
webhost2-preconfigure - 3 minutes 17 seconds

oudhost1-configure - 1 minute 34 seconds
oudhost2-configure - 1 minute 50 seconds 
oimhost1-configure - 45 minutes 41 seconds
oimhost2-configure - 15 minutes 24 seconds
oamhost1-configure - 17 minutes 37 seconds
oamhost2-configure - 13 minutes 37 seconds
webhost1-configure - 58 seconds
webhost2-configure - 57 seconds

oudhost1-configure-secondary - 3 minutes 34 seconds
oudhost2-configure-secondary - 3 minutes 17 seconds 
oimhost1-configure-secondary - 12 minutes 33 seconds
oimhost2-configure-secondary - 15 seconds 
oamhost1-configure-secondary - 13 minutes 9 seconds
oamhost2-configure-secondary - 16 seconds 
webhost1-configure-secondary - 57 seconds
webhost2-configure-secondary - 54 seconds 

oudhost1-postconfigure - 1 minute 11 seconds
oudhost2-postconfigure - 1 minute 20 seconds 
oimhost1-postconfigure - 49 minutes 21 seconds
oimhost2-postconfigure - 25 minutes 11 seconds 
oamhost1-postconfigure - 33 minutes 35 seconds
oamhost2-postconfigure - 17 minutes 29 seconds 
webhost1-postconfigure - 2 minutes 19 seconds
webhost2-postconfigure - 1 minute 44 seconds

oudhost1-startup - 2 minutes 41 seconds
oudhost2-startup - 2 minutes 25 seconds 
oimhost1-startup - 38 minutes 21 seconds
oimhost2-startup - 22 minutes 6 seconds 
oamhost1-startup - 20 minutes 54 seconds
oamhost2-startup - 10 minutes 2 seconds 
webhost1-startup - 1 minute 26 seconds
webhost2-startup - 1 minute 23 seconds

oudhost1-validate - 1 minute 10 seconds
oudhost2-validate - 59 seconds 
oimhost1-validate - 1 minute 33 seconds
oimhost2-validate - 2 minutes 25 seconds 
oamhost1-validate - 45 seconds
oamhost2-validate - 29 seconds 
webhost1-validate - 58 seconds
webhost2-validate - 58 seconds

Step 4 - Post-Provisioning Steps

Step 5 - Other Manual Change

Merge the following files into one conf file under /moduleconf/:
    idminternal_vh.conf
    oimadmin_vh.conf
    idmadmin_vh.conf

Step 6 - Verify


Access Manager Console: http://web.qingfeng.com/oamconsole


Identity Manager User Interface with OAM Integration: http://web.qingfeng.com/identity

Identity Manager Admin Interface with OAM Integration: http://web.qingfeng.com/sysadmin

SOA: http://web.qingfeng.com/soa-infra

Friday, September 25, 2015

Deploying the IAM Suite 11gR2PS2 with the Deployment Wizard ('Single Node on Multiple Hosts' Topology)

Step 1 - Lab Environment Setup

db.oracle.com - Windows - 2GB
oudhost1.oracle.com - OES 6.5 - 1GB
oamhost1.oracle.com - OES 6.5 - 4GB
oimhost1.oracle.com - OES 6.5 - 6GB
webhost1.oracle.com - OES 6.5 - 1GB
nas.oracle.com - FreeNAS 9.3 - 1GB

Note: make sure the OAM and OIM hosts have enough RAM allocated.

Step 2 - Create Response File

The 11gR2PS2 Deployment Wizard does not give the option for the 'Single Node on Multiple Hosts' topology. You need to manually modify the response file to delete the settings for the second node.

Step 3 - Execution

oudhost1-preverify - 35 seconds
oimhost1-preverify - 30 seconds
oamhost1-preverify - 12 seconds
webhost1-preverify - 23 seconds

oudhost1-install - 7 minutes 2 seconds
oimhost1-install - 51 minutes 2 seconds
oamhost1-install - 39 minutes 57 seconds
webhost1-install - 25 minutes 33 seconds

oudhost1-preconfigure - 5 minutes 28 seconds
oimhost1-preconfigure - 74 minutes 14 seconds
oamhost1-preconfigure - 66 minutes 12 seconds
webhost1-preconfigure - 4 minutes 14 seconds

oudhost1-configure - 1 minute 27 seconds
oimhost1-configure - 45 minutes 21 seconds
oamhost1-configure - 20 minutes 9 seconds
webhost1-configure - 1 minute 14 seconds

oudhost1-configure-secondary - 3 minutes 45 seconds
oimhost1-configure-secondary - 13 minutes 47 seconds
oamhost1-configure-secondary - 13 minutes 48 seconds
webhost1-configure-secondary - 55 seconds

oudhost1-postconfigure - 1 minute 8 seconds
oimhost1-postconfigure - 48 minutes 34 seconds
oamhost1-postconfigure - 35 minutes 36 seconds
webhost1-postconfigure - 2 minutes 36 seconds

oudhost1-startup - 3 minutes 22 seconds
oimhost1-startup - 40 minutes 50 seconds
oamhost1-startup - 22 minutes 8 seconds
webhost1-startup - 1 minute 29 seconds

oudhost1-validate - 55 seconds
oimhost1-validate - 1 minute 46 seconds
oamhost1-validate - 45 seconds
webhost1-validate - 52 seconds

Step 4 - Post-Provisioning Steps

Step 5 - Other Manual Change

Because I haven't set up the Load Balancer and Virtual Hosts for this deployment, a few things need to be modified in order to make everything function.

Add the following in the OHS httpd.conf:
ProxyRequests Off
ProxyPass /oam http://oamhost1.oracle.com:14100/oam
ProxyPassReverse /oam http://oamhost1.oracle.com:14100/oam

Delete sso_vh.conf and oimadmin_vh.conf from /moduleconf.

Step 6 - Verify 

OIM Admin Console: http://oimhost1.oracle.com:7101/console

OAM Admin Console: http://oamhost1.oracle.com:7001/console

OIM Enterprise Manager: http://oimhost1.oracle.com:7101/em

OAM Enterprise Manager: http://oamhost1.oracle.com:7001/em

Access Manager Console: http://webhost1.oracle.com:7777/oamconsole

Identity Manager User Interface with OAM Integration: http://webhost1.oracle.com:7777/identity
 
Identity Manager Admin Interface with OAM Integration: http://webhost1.oracle.com:7777/sysadmin


SOA: http://webhost1.oracle.com:7777/soa-infra

NEXT is the FULL HA deployment.

Thursday, September 17, 2015

WLST lost connection to the WebLogic Server that you were connected to

Exception: weblogic.management.jmx.RemoteRuntimeException: weblogic.rjvm.PeerGoneException: No message was received for: '240' seconds.
Problem invoking WLST - Traceback (innermost last):

Solution: increase your VM's allocated memory size.

Tuesday, September 15, 2015

How to increase volume in linux?

I always forget things. Posting this for my own record.


Monday, September 14, 2015

Deploying the IAM Suite 11gR2PS2 with the Deployment Wizard ('Single Node on Multiple Hosts' Topology) - Minimum Memory Requirement

Tried to deploy the topology on guest VMs on my home PC with 12G RAM. I managed to get past the configure-secondary phase on all servers but failed at the OIM post-configure phase because not enough memory was allocated to the OIM VM.

My current setting for all VMs on my home PC:
DB - 1G
NAS - 1G
OUD - 1G
OIM - 4G
OAM - 2G
WEB - 1G

I am planning to utilise another of my NUC mini-PCs with 8G RAM to continue the lab.

The hardware/memory allocation would be:
DB (mini-pc) - 2G
NAS (mini-pc) - 1G
OUD (mini-pc) - 1G
WEB (mini-pc) - 1G
OIM (home-pc) - 6G
OAM (home-pc) - 4G

Will update the progress.


Friday, September 11, 2015

Setup a Lab Env with Multiple Hosts + Shared Storage

I've set up a lab environment with multiple hosts + shared storage in order to try out the 'Deploying the IAM Suite 11gR2PS2 with the Deployment Wizard ('Single Node on Multiple Hosts' Topology)'.

db.oracle.com    - Windows
oudhost1.oracle.com  - OES 6.5
oamhost1.oracle.com  - OES 6.5
oimhost1.oracle.com  - OES 6.5
webhost1.oracle.com  - OES 6.5
nas.oracle.com - FreeNAS 9.3

Because I haven't set up a DNS server, I've added all the host/IP mappings in /etc/hosts on all VMs.

Make sure the firewall is disabled on all VMs.

Deploying the IAM Suite 11gR2PS2 with the Deployment Wizard ('Single Node on Multiple Hosts' Topology) - Create Response File

Not sure why the 11gR2PS2 Deployment Wizard does not give the option for the 'Single Node on Multiple Hosts' topology. The checkbox for 'Provide Details for Second Node' is greyed out when you choose 'High Available (HA)'.

So I removed the second node configuration in the response file to see what will happen: