Tuesday, July 5, 2016

Oracle Access Manager default installation issue: ORA-00001: unique constraint (DEV_OAM.PK_ENTITIES) violated

When trying to set up a POC environment on Windows 7, I got this error.

You can solve that by:

set JAVA_OPTIONS=%JAVA_OPTIONS% -DDISABLE_CONFIG_ENTITY=true

You can find more detail below:
https://support.oracle.com/epmos/faces/DocumentDisplay?parent=SrDetailText&sourceId=3-11129429461&id=2034769.1

Friday, July 1, 2016

OIM - Customizable Application Using Oracle Metadata Services

Sharing a few links to help understand how OIM becomes customizable using MDS.

Building Customizable Oracle ADF Business Applications with Oracle Metadata Services (MDS)
http://www.oracle.com/technetwork/developer-tools/jdev/adfmds-128339.pdf

Metadata Services (MDS) Example: Power User vs. Normal User
http://www.oracle.com/technetwork/developer-tools/adf/learnmore/31-mds-sample-169173.pdf

Building Customizable Applications Using Oracle Metadata Services:
http://www.oracle.com/technetwork/articles/adf/part8-085816.html
http://www.oracle.com/technetwork/articles/adf/part9-169243.html
http://www.oracle.com/technetwork/articles/adf/part10-085778.html

Customizing and Personalizing an Application
http://docs.oracle.com/cd/E18941_01/tutorials/jdtut_11r2_18/jdtut_11r2_18.html

Desktop Self Service Password Reset - IAM

This is still a valid use case in some corporate environments: resetting a user's password via the desktop.

Most IAM solutions provide a customised credential provider to support that.

CA - CA Identity Manager GINA/Credential Provider
Microsoft - Microsoft (Forefront) Identity Manager Self Service Password Reset
IBM - IBM Security (Tivoli) Identity Manager Desktop Password Reset Assistant
Oracle - not directly supported in the IAM solution, but achievable by integrating with ESSO.

I've done a POC using a simple credential provider to invoke a web browser with a password reset request to any IAM system.

Wednesday, June 29, 2016

OIM11gR2PS3 (11.1.2.3) Plug-in Points

Table 17-1 Plug-in Points
Each plug-in point is listed with its description below.
oracle.iam.ldapsync.LDAPContainerMapper
This is used by LDAP synchronization to determine which user/role container should be used to create the user/role in LDAP.
oracle.iam.platform.kernel.spi.EventHandler
This is the kernel event handler. See Chapter 18, "Developing Event Handlers" for information about kernel event handlers.
oracle.iam.platform.auth.api.LoginMapper
This is an implementation of a LoginMapper that maps the JAAS user principal name to the corresponding Oracle Identity Manager username. This plug-in point is used to override the default mapping of the JAAS user principal name to the Oracle Identity Manager username for SSO scenarios. The default implementation returns the same value as the JAAS user principal name. This plug-in point is typically used in SSO scenarios where the JAAS user principal name and the Oracle Identity Manager username might differ. For example, the SSO system might set the email as the JAAS username, but no user with that username exists in Oracle Identity Manager. For Oracle Identity Manager to recognize that user, the JAAS user principal name must be mapped to the Oracle Identity Manager username. This can be done by implementing a plug-in for LoginMapper, as shown:
import oracle.iam.platform.auth.api.LoginMapper;
// MappingException is assumed to sit in the same package as LoginMapper; adjust to your OIM version.
import oracle.iam.platform.auth.api.MappingException;

public class CustomLoginMapper implements LoginMapper {

    // OIM calls this with the JAAS principal name (in this scenario, the email set by the SSO system).
    public String getOIMUserID(String jaasPrincipal) throws MappingException {
        return getUserName(jaasPrincipal);
    }

    // Resolve the OIM username for the given email; null means no matching user was found.
    private String getUserName(String emailID) {
        String userName = null;

        // Use usermgmt APIs to get the username corresponding to this email id
        return userName;
    }
}
oracle.iam.identity.usermgmt.api.PasswordVerifier
This is used to verify the old password while changing the user's password. The class used for this validation is configured in the OIM.OldPasswordValidator system property. By default, container-based authentication is used to verify the old password.
oracle.iam.request.plugins.StatusChangeEvent
This allows running of custom code during request status change.
oracle.iam.request.plugins.RequestDataValidator
This is used for custom validation of request data after submission.
oracle.iam.request.plugins.PrePopulationAdapter
This is used to prepopulate an attribute value by running custom code during request creation.
oracle.iam.scheduler.vo.TaskSupport
This is used to run the job in context. The execute method of the task is retrieved through the plug-in and loaded.
oracle.iam.identity.usermgmt.api.UserNamePolicy
This is an implementation of username policies that are used to generate/validate username.
oracle.iam.identity.usermgmt.api.ReservationInLDAP
This is an implementation for reservation of user attributes in LDAP.

Tuesday, June 28, 2016

OIM11gR2PS3(11.1.2.3) - Default Notification Templates

Default Notification Templates
Each notification template is listed with its description below.
Add Proxy Notification
Template to send notification after a proxy has been added for a user
Bulk Request Creation
Template to send notification during a bulk request creation
Create User Self Service Notification
Template to send notification after a new user is created
End Date
Template to send notification to the manager when end date of the reportee expires
Forgotten Username Notification
Template to send notification after user submits the Forgotten Username form
Generated Password Notification
Template to send notification after a password is generated by Oracle Identity Manager
Password Expired Notification
Template to send notification after password has expired
Password Warning Notification
Template to send notification before password expires
Request Creation
Template to send notification during a request creation
Request Identity Creation
Template to send notification during a Create User request
Request Status Change
Template to send notification during a request status change
Reset Password
Template to send notification after password has been reset
User Deleted
Template to send notification to the manager when the user account of the reportee is deleted as a result of expired end date

Thursday, June 16, 2016

How to remove Oracle 11gR2 on Windows 7


1. Unzip Deinstallation tool on your machine

2. Run CMD as Administrator

3. C:\omss\deinstall>deinstall -home c:\omss\product\11.2.0\dbhome_1
Location of logs C:\omss\deinstall\\logs\

############ ORACLE DEINSTALL & DECONFIG TOOL START ############


######################## CHECK OPERATION START ########################
Install check configuration START
The deinstall tool cannot determine the home type needed to deconfigure the selected home.  Please select the type of Oracle home you are trying to deinstall.
Single Instance database - Enter 1
Real Application Cluster database - Enter 2
Grid Infrastructure for a cluster - Enter 3
Grid Infrastructure for a stand-alone server - Enter 4
Client Oracle Home - Enter 5
Transparent Gateways Oracle Home - Enter 6
1


Checking for existence of the Oracle home location c:\omss\product\11.2.0\dbhome_1
Oracle Home type selected for de-install is: SIDB
Oracle Base selected for de-install is:
Checking for existence of central inventory location C:\Program Files\Oracle\Inventory

Install check configuration END

Checking Windows and .NET products configuration START


The following Windows and .NET products will be deconfigured from the Oracle home : null

Checking Windows and .NET products configuration END


Network Configuration check config START

Network de-configuration trace file location: C:\omss\deinstall\logs\netdc_check37094.log

Specify all Single Instance listeners that are to be de-configured [LISTENER]:

Network Configuration check config END

Database Check Configuration START

Database de-configuration trace file location: C:\omss\deinstall\logs\databasedc_check37095.log

Use comma as separator when specifying list of values as input

Specify the list of database names that are configured in this Oracle home [ORCL]:

###### For Database 'ORCL' ######

Specify the type of this database (1.Single Instance Database|2.Oracle Restart Enabled Database) [1]:
Specify the diagnostic destination location of the database [c:\omss\product\11.2.0\dbhome_1\diag\rdbms\orcl]:
The directory c:\omss\product\11.2.0\dbhome_1\diag\rdbms\orcl does not exist.
Specify the diagnostic destination location of the database [c:\omss\product\11.2.0\dbhome_1\diag\rdbms\orcl]:
The directory c:\omss\product\11.2.0\dbhome_1\diag\rdbms\orcl does not exist.
Specify the diagnostic destination location of the database [c:\omss\product\11.2.0\dbhome_1\diag\rdbms\orcl]:
The directory c:\omss\product\11.2.0\dbhome_1\diag\rdbms\orcl does not exist.
Specify the diagnostic destination location of the database [c:\omss\product\11.2.0\dbhome_1\diag\rdbms\orcl]:
The directory c:\omss\product\11.2.0\dbhome_1\diag\rdbms\orcl does not exist.
Specify the diagnostic destination location of the database [c:\omss\product\11.2.0\dbhome_1\diag\rdbms\orcl]:
The directory c:\omss\product\11.2.0\dbhome_1\diag\rdbms\orcl does not exist.
Specify the diagnostic destination location of the database [c:\omss\product\11.2.0\dbhome_1\diag\rdbms\orcl]:
The directory c:\omss\product\11.2.0\dbhome_1\diag\rdbms\orcl does not exist.
Specify the diagnostic destination location of the database [c:\omss\product\11.2.0\dbhome_1\diag\rdbms\orcl]:
The directory c:\omss\product\11.2.0\dbhome_1\diag\rdbms\orcl does not exist.
Specify the diagnostic destination location of the database [c:\omss\product\11.2.0\dbhome_1\diag\rdbms\orcl]: C:\omss\diag
Specify the storage type used by the Database ASM|FS []: FS

Specify the list of directories if any database files exist on a shared file system. If 'ORCL' subdirectory is found, then it will be deleted. Otherwise, the specified directory will be deleted. Alter
natively, you can specify list of database files with full path [ ]:

Specify the flash recovery area location, if it is configured on the file system. If 'ORCL' subdirectory is found, then it will be deleted. []:

Specify the database spfile location [ ]: C:\omss\product\11.2.0\dbhome_1\database\myinit.ora

Database Check Configuration END

Enterprise Manager Configuration Assistant START

EMCA de-configuration trace file location: C:\omss\deinstall\\logs\emcadc_check.log

Checking configuration for database ORCL
Enterprise Manager Configuration Assistant END
Oracle Configuration Manager check START
OCM check log file location : C:\omss\deinstall\\logs\\ocm_check4882.log
Oracle Configuration Manager check END

######################### CHECK OPERATION END #########################


####################### CHECK OPERATION SUMMARY #######################
Oracle Home selected for de-install is: c:\omss\product\11.2.0\dbhome_1
Inventory Location where the Oracle home registered is: C:\Program Files\Oracle\Inventory
The following Windows and .NET products will be deconfigured from the Oracle home : null
Following Single Instance listener(s) will be de-configured: LISTENER
The following databases were selected for de-configuration : ORCL
Database unique name : ORCL
Storage used : FS
Will update the Enterprise Manager configuration for the following database(s): ORCL
No Enterprise Manager ASM targets to update
No Enterprise Manager listener targets to migrate
Checking the config status for CCR
Oracle Home exists with CCR directory, but CCR is not configured
CCR check is finished
Do you want to continue (y - yes, n - no)? [n]: yes
Do you want to continue (y - yes, n - no)? [n]: y
A log of this session will be written to: 'C:\omss\deinstall\\logs\deinstall_deconfig2016-06-16_03-37-49-PM.out'
Any error messages from this session will be written to: 'C:\omss\deinstall\\logs\deinstall_deconfig2016-06-16_03-37-49-PM.err'

######################## CLEAN OPERATION START ########################

Enterprise Manager Configuration Assistant START

EMCA de-configuration trace file location: C:\omss\deinstall\\logs\emcadc_clean.log

Updating Enterprise Manager Database Control configuration for database ORCL
Updating Enterprise Manager ASM targets (if any)
Updating Enterprise Manager listener targets (if any)
Enterprise Manager Configuration Assistant END
Database de-configuration trace file location: C:\omss\deinstall\logs\databasedc_clean37096.log
Database Clean Configuration START ORCL
This operation may take few minutes.
Database Clean Configuration END ORCL

Network Configuration clean config START

Network de-configuration trace file location: C:\omss\deinstall\logs\netdc_clean37097.log

De-configuring Single Instance listener(s): LISTENER

De-configuring listener: LISTENER
    Stopping listener: LISTENER
    Listener stopped successfully.
    Deleting listener: LISTENER
    Listener deleted successfully.
Listener de-configured successfully.

De-configuring Listener configuration file...
Listener configuration file de-configured successfully.

De-configuring Naming Methods configuration file...
Naming Methods configuration file de-configured successfully.

De-configuring Local Net Service Names configuration file...
Local Net Service Names configuration file de-configured successfully.

De-configuring backup files...
Backup files de-configured successfully.

The network configuration has been cleaned up successfully.

Network Configuration clean config END

Oracle Configuration Manager clean START
OCM clean log file location : C:\omss\deinstall\\logs\\ocm_clean4882.log
Oracle Configuration Manager clean END
Removing Windows and .NET products configuration START


Removing Windows and .NET products configuration END
Oracle Universal Installer clean START

Removing service 'OracleMTSRecoveryService' on the local node : Done

Removing service 'OracleOraDb11g_home1ClrAgent' on the local node : Done

Removing service 'OracleOraDb11g_home1TNSListener' on the local node : Done

Delete directory 'c:\omss\product\11.2.0\dbhome_1' on the local node : Done

Removing oracle home 'c:\omss\product\11.2.0\dbhome_1' from PATH variable on the local node : Done

Delete directory 'C:\Program Files\Oracle\Inventory' on the local node : Done

Delete Registry key 'HKEY_LOCAL_MACHINE\Software\Oracle\inst_loc' on the local node : Done

Oracle Universal Installer cleanup was successful.

Oracle Universal Installer clean END


Oracle install clean START


Oracle install clean END

Moved default properties file C:\omss\deinstall\response\deinstall_noHomeName.rsp as C:\omss\deinstall\response\deinstall_noHomeName.rsp0

######################### CLEAN OPERATION END #########################


####################### CLEAN OPERATION SUMMARY #######################
Updated Enterprise Manager configuration for database ORCL
Successfully de-configured the following database instances : ORCL
Following Single Instance listener(s) were de-configured successfully: LISTENER
Cleaning the config for CCR
As CCR is not configured, so skipping the cleaning of CCR configuration
CCR clean is finished
Successfully removed service 'OracleMTSRecoveryService' on the local node.
Successfully removed service 'OracleOraDb11g_home1ClrAgent' on the local node.
Successfully removed service 'OracleOraDb11g_home1TNSListener' on the local node.
Successfully deleted directory 'c:\omss\product\11.2.0\dbhome_1' on the local node.
Successfully removed oracle home 'c:\omss\product\11.2.0\dbhome_1' from PATH variable on the local node.
Successfully deleted directory 'C:\Program Files\Oracle\Inventory' on the local node.
Successfully deleted Registry key 'HKEY_LOCAL_MACHINE\Software\Oracle\inst_loc' on the local node.
Oracle Universal Installer cleanup was successful.

Oracle install successfully cleaned up the temporary directories.
#######################################################################


############# ORACLE DEINSTALL & DECONFIG TOOL END #############


C:\omss\deinstall>

Friday, June 10, 2016

OpenIDM 4 - Lab 3 - Connector

How OpenIDM Uses the OpenICF Framework and Connectors

Connectors Supported With OpenIDM 4

  • Generic LDAP Connector - opendj, ad, adlds, generic
  • Active Directory Connector (with PowerShell scripts) - the generic LDAP connector is preferable to the Active Directory connector
  • CSV File Connector
  • Scripted SQL Connector
  • Database Table Connector
  • Groovy Connector Toolkit
  • PowerShell Connector Toolkit
  • Salesforce Connector
  • Google Apps Connector
  • XML File Connector

OpenIDM 4 - Lab 2 - Synchronization

You have full control of synchronization using the following:

- Reconciliation via local repository
- Synchronizing objects directly through connectors to external resources without storing managed objects for users in the local repository.
- Asynchronous reconciliation using workflow
- Implicit synchronization
- Compensated synchronization
- LiveSync
- Linking Historical Accounts
- Choice of data model (meta-directory or virtual)
- Synchronization Mapping (Scriptable/Link qualifier conditions, Scripts, Reusing links)
- Synchronization Filtering
- Scheduled Synchronization

Thursday, June 9, 2016

OpenIDM 4 - Lab 1 - Installation

The installation is extremely easy. For evaluation purposes, you only need to install the Java JDK and download the package.

The feature I'm most interested in is the REST interface.

User/Admin Interface:

OpenIDM 4 - Labs

After playing with Oracle IAM for 4 years since 11gR2 was released, I think it's time to have a look at other IAM products. It's been almost 6 years since my first post on OpenIDM.

This is to record my learning on the latest version of OpenIDM.

Oracle HTTP Server Fails to Enable Port 443 with the Error "(13)Permission denied: make_sock: could not bind to address [::]:443" on LINUX

Tried to change the OHS SSL port from 4443 to 443 following the document:

https://docs.oracle.com/cd/E29542_01/web.1111/e10144/getstart.htm#HSADM849


The OHS fails to start and the log shows the following error:
(13)Permission denied:  make_sock: could not bind to address [::]:443

SOLUTION:

Remove nosuid from /etc/fstab for the mount partition that holds the OHS installation. OHS binds ports below 1024 through its setuid-root .apachectl helper, and a nosuid mount stops that helper from gaining root, hence the permission error.


Wednesday, June 8, 2016

OIM - Date Related

Scheduled Task:
   - Delayed Delete User
   - Disable/Delete User After End Date
   - Enable User After Start Date
   - Sunrise of Accounts and entitlements
   - Sunset of Accounts and entitlements

User/Account/Entitlement:
   - Start Date
   - End Date


Tuesday, May 31, 2016

OIM&OMSS Integration


Have been keeping an eye on OMSS for 2 years now. The integration between OIM and OMSS has finally arrived in the 11gR2PS3 version.

The following is a good introduction of the integration.

Partner Webcast – Oracle Mobile Security Suite (OMSS): Unified Security for Mobility

Thursday, May 26, 2016

Oracle HTTP Server http request timeout

By default, WLIOTimeoutSecs for the WebLogic Plugin is configured to 300 seconds.

You can increase it (1800 seconds for example) as follows:

<Location /xxx>
      SetHandler weblogic-handler
      WebLogicHost xxxxxxxxxxx
      WebLogicPort xx
      WLIOTimeoutSecs 1800
</Location>

Thursday, May 12, 2016

OIM11gR2PS3 - Challenge Questions

PS3 has enhanced password policy with Challenge options. It allows you to define challenge questions as:
  - Admin Defined
  - User Defined
  - Admin OR User Defined

Tuesday, May 3, 2016

Oracle IDM 11g R2 PS3: What’s new?

I'm trying out all the new stuff in Oracle IDM 11gR2PS3. Found a good summary: Oracle IDM 11g R2 PS3: What's new?

Friday, February 12, 2016

OAM 11gR2PS3 - Legacy OpenSSO Agent secure iPlanetDirectoryPro cookie issue

When OAM sets the iPlanetDirectoryPro cookie as secure, the non-secure Legacy OpenSSO Agent won't be able to read the cookie.

The workaround is to edit the Header to set the cookie as non-secure at web tier.

OAM 11gR2PS3 - Legacy OpenSSO Agent cross-domain issue

OAM 11gR2PS3 does not support cross-domain for the legacy OpenSSO Agent.

The workaround is to edit the Header to set the cookie domain as parent domain of both OAM server and the OpenSSO Agent server at web tier.


Tuesday, January 12, 2016

OAM 11gR2PS3 & Oracle OpenSSO Fedlet Integration

The integration between OAM and Fedlet is pretty straightforward.

- Generate the fedlet sample and configuration files.

- Deploy the fedletsample.war

- Create Service Provider Partner in OAM.

- Test

Monday, January 11, 2016

Protecting Intranet and Extranet Applications with a Single OAM 11g Deployment

If you have a requirement to protect both intranet and extranet apps using a single OAM deployment, this is a very good article on the topic:

http://www.ateam-oracle.com/protecting-intranet-and-extranet-applications-with-a-single-oam-11g-deployment/

Oracle Access Manager 11gR2PS3 & Sun Identity Manager (Oracle Waveset) Integration

There are three integration points between SIM & OAM: authentication/authorisation, password management and access management reporting.


Oracle Access Manager 11gR2PS3 Password Policy - Complex Password

OAM Password Policy does not support the requirement "Must contain at least three of the following four categories". It is supported in OIM Password Policy.

Saturday, January 9, 2016

Sun IAM to Oracle IAM Migration - Phase Deployment Approach

There are a number of different approaches to migrating Sun IAM (Access Manager, Identity Manager and Directory Server) to Oracle IAM.

I'm using an approach that I think is controlled, with minimal delivery risk.

Password Change - Difference between OpenSSO and OAM

When migrating OpenSSO to OAM, I noticed a difference between OpenSSO and OAM in handling the end-user self-service password change scenario.

End user password change via OpenSSO: self change. The directory server change log shows the password was changed by the user themselves.

End user password change via OAM: admin change. The directory server change log shows the password was changed by the user configured as the BIND DN in the OAM identity store.


OAM 11gR2PS3 - REST - Out Of The Box Oracle Access Manager (OAM) Authentication Token Service

Authenticate (Login):
curl -i -H "Content-Type: application/json" --request POST http://:/oic_rest/rest/oamauthentication/authenticate -d '{"X-Idaas-Rest-Subject-Type":"USERCREDENTIAL","X-Idaas-Rest-Subject-Username":"testuser","X-Idaas-Rest-Subject-Password":"Password1","X-Idaas-Rest-New-Token-Type-To-Create":"USERTOKEN"}' 

Validate:
curl --request GET http://:/oic_rest/rest/oamauthentication/tokens/info -H "X-Idaas-Rest-Subject: TOKEN <TOKEN>"

Delete (Logout):
curl -i -H "Content-Type: application/json" --request DELETE http://:/oic_rest/rest/oamauthentication/tokens/info -d '{"X-Idaas-Rest-Subject-Value":"<TOKEN>","X-Idaas-Rest-Subject-Type":"TOKEN"}'
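The three calls above as one small Python client, an added example that is not from the original post. It assumes a base URL you supply (the post elides host and port), an HTTPS endpoint (the client refuses plain HTTP so the password does not travel in the clear, and keeps it out of the command line where curl's -d exposes it to process listings and shell history), and that the authenticate response returns the token in an X-Idaas-Rest-Token-Value field (assumed field name, check it against your OAM version).

```python
"""OAM 11gR2PS3 OIC REST token lifecycle: authenticate, validate, delete (logout).

Assumptions (not from the original post): the base URL is supplied by the caller,
and the authenticate response carries the token in "X-Idaas-Rest-Token-Value".
"""
import json
import urllib.request
from urllib.error import HTTPError

AUTH_PATH = "/oic_rest/rest/oamauthentication/authenticate"
TOKEN_INFO_PATH = "/oic_rest/rest/oamauthentication/tokens/info"
TOKEN_FIELD = "X-Idaas-Rest-Token-Value"  # assumed response field name


def build_authenticate(base_url, username, password):
    """(method, url, headers, json body) for the login call shown in the post."""
    body = {
        "X-Idaas-Rest-Subject-Type": "USERCREDENTIAL",
        "X-Idaas-Rest-Subject-Username": username,
        "X-Idaas-Rest-Subject-Password": password,
        "X-Idaas-Rest-New-Token-Type-To-Create": "USERTOKEN",
    }
    return ("POST", base_url + AUTH_PATH, {"Content-Type": "application/json"}, body)


def build_validate(base_url, token):
    """The validate call: the token travels in the X-Idaas-Rest-Subject header."""
    headers = {"X-Idaas-Rest-Subject": "TOKEN " + token}
    return ("GET", base_url + TOKEN_INFO_PATH, headers, None)


def build_logout(base_url, token):
    """The delete call: the token travels in the JSON body as a TOKEN subject."""
    body = {"X-Idaas-Rest-Subject-Value": token, "X-Idaas-Rest-Subject-Type": "TOKEN"}
    return ("DELETE", base_url + TOKEN_INFO_PATH, {"Content-Type": "application/json"}, body)


def extract_token(response_text):
    """Pull the user token out of an authenticate response; fail loudly if absent."""
    data = json.loads(response_text)
    token = data.get(TOKEN_FIELD)
    if not token:
        raise ValueError("authenticate response carried no %s" % TOKEN_FIELD)
    return token


def urllib_transport(method, url, headers, body):
    """Real transport: send the request with urllib and return (status, text)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except HTTPError as err:
        # Return the server's status and body so the caller can decide what to do.
        return err.code, err.read().decode()


def token_lifecycle(base_url, username, password, transport=urllib_transport):
    """Login, validate the token, then delete it; return (token, validate status, logout status)."""
    if not base_url.startswith("https://"):
        raise ValueError("refusing to send credentials over plain HTTP")
    status, text = transport(*build_authenticate(base_url, username, password))
    if status != 200:
        raise RuntimeError("authenticate failed with HTTP %d" % status)
    token = extract_token(text)
    validate_status, _ = transport(*build_validate(base_url, token))
    logout_status, _ = transport(*build_logout(base_url, token))
    return token, validate_status, logout_status


if __name__ == "__main__":
    # Placeholder host and credentials; replace with your own OAM endpoint.
    print(token_lifecycle("https://oam.example.com:14100", "testuser", "Password1"))
```

The `transport` parameter exists so the sequence can be exercised against a fake endpoint; the default sends real requests.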

Friday, January 8, 2016

Installing cURL on Cygwin on Windows

How to deploy OAM Custom Pages?

Custom Login Pages

Customise the pages in oamcustompages.war.
Deploy the war using WLS Console
Update the Authentication Scheme to use the custom WAR file:
       Context Type = customWar 
       Context Value = /oamcustompages

Custom Password Pages

Customise the pages in oamcustompages.war.
Deploy the war using WLS Console
Specify Custom Pages in Password Policy:
        Password Service URL = /oamcustompages/pages/pswd.jsp

Custom Error and Logout Pages

Customise the pages (Error.jsp, Logout.jsp) in oamcustompages.war.
Deploy the war using WLS Console
Specify Custom Pages using WLST:
       updateCustomPages(pageExtension ="jsp", context="/oamcustompages")

Friday, November 6, 2015

Oracle Identity Manager Database Application Tables Connector with Entitlement

Step 1 - Installing and Configuring Database Application Tables Connector


Step 2 - Create lookup 

Lookup.DBAT.Groups

Step 3 - Setting Up Process Form Fields as Entitlements

Change the 'Field Type' from 'TextField' to 'LookupField'
Add properties for 'Group Name':
  - Entitlement = true
  - Lookup Code = Lookup.DBAT.Groups

Step 4 - Mark GROUP as [LOOKUP]

Step 5 - Harvest lookup by running Lookup Recon

Step 6 - Harvest Entitlements and Sync Catalog

 - Run Entitlement List
 - Run Catalog Sync

Verify Catalog shows all the Entitlements. 

Step 7 - Verify 

 - Account & Entitlement Initial Load by running Target Resource User Reconciliation
 - Provision User with Entitlement


Friday, October 16, 2015

Deploying the IAM Suite 11gR2PS2 with the Deployment Wizard ('Highly Available' Topology)

Procured another NUC (NUC5i3RYH) with 16G RAM to test the FULL HA deployment using LCM.

The Lab Environment setup took me about 1 day including VM provisioning, DB install, NAS and Load Balancer.

The execution took about 10 hours.

Not sure why Oracle provides a tool that requires so many steps. It can be made much simpler.

Anyway, it's easier than a manual install/configure.

Hardware:
mini-pc-1: NUC DN2820FYKH with 8G RAM
mini-pc-2: NUC NUC5i3RYH with 16G RAM
home-pc: HP Desktop with 12G RAM

VM:
NAS (mini-pc-2) - 2G - 192.168.0.101
DB (mini-pc-2) - 2G - 192.168.0.88
OIM1 (mini-pc-2) - 6G - 192.168.0.55
OAM1 (mini-pc-2) - 4G - 192.168.0.56

LB (mini-pc-1) - 1G - 192.168.0.100
OUD1 (mini-pc-1) - 1G - 192.168.0.53
WEB1 (mini-pc-1) - 1G - 192.168.0.51
OUD2 (mini-pc-1) - 1G - 192.168.0.54
WEB2 (mini-pc-1) - 1G - 192.168.0.52

OIM2 (home-pc) - 6G - 192.168.0.57
OAM2 (home-pc) - 4G - 192.168.0.58

Step 1 - Lab Environment Setup

db.qingfeng.com - Windows - 2GB
oudhost1.qingfeng.com - OES 6.5 - 1GB
oudhost2.qingfeng.com - OES 6.5 - 1GB
oimhost1.qingfeng.com - OES 6.5 - 6GB
oimhost2.qingfeng.com - OES 6.5 - 6GB
oamhost1.qingfeng.com - OES 6.5 - 4GB
oamhost2.qingfeng.com - OES 6.5 - 4GB
webhost1.qingfeng.com - OES 6.5 - 1GB
webhost2.qingfeng.com - OES 6.5 - 1GB
nas.qingfeng.com - FreeNAS 9.3 - 2GB
lb.qingfeng.com (web.qingfeng.com, sso.qingfeng.com, ldap.qingfeng.com)  - OES 6.5 - 1GB 

Shared Storage - FreeNAS has been used to create shared storage.
Load Balancer:  HAProxy has been used for load balancing.
web.qingfeng.com:80 - webhost1.qingfeng.com:7777, webhost2.qingfeng.com:7777
sso.qingfeng.com:443 - webhost1.qingfeng.com:7777, webhost2.qingfeng.com:7777
ldap.qingfeng.com:389 - oudhost1.qingfeng.com:1389, oudhost2.qingfeng.com:1389

Step 2 - Create Response File

Step 3 - Execution

oudhost1-preverify - 1 minute 33 seconds
oudhost2-preverify - 1 minute 10 seconds
oimhost1-preverify - 24 seconds
oimhost2-preverify - 28 seconds
oamhost1-preverify - 11 seconds
oamhost2-preverify - 28 seconds
webhost1-preverify - 1 minute 9 seconds
webhost2-preverify - 1 minute 19 seconds

oudhost1-install - 13 minutes 28 seconds
oudhost2-install - 53 seconds
oimhost1-install - 42 minutes 20 seconds
oimhost2-install - 18 seconds
oamhost1-install - 36 minutes 39 seconds
oamhost2-install - 21 seconds
webhost1-install - 51 minutes 56 seconds
webhost2-install - 53 seconds

oudhost1-preconfigure - 5 minutes 32 seconds
oudhost2-preconfigure - 6 minutes 34 seconds
oimhost1-preconfigure - 77 minutes 54 seconds
oimhost2-preconfigure - 1 minute 29 seconds
oamhost1-preconfigure - 60 minutes 32 seconds
oamhost2-preconfigure - 1 minute 15 seconds
webhost1-preconfigure - 4 minutes 1 second
webhost2-preconfigure - 3 minutes 17 seconds

oudhost1-configure - 1 minute 34 seconds
oudhost2-configure - 1 minute 50 seconds 
oimhost1-configure - 45 minutes 41 seconds
oimhost2-configure - 15 minutes 24 seconds
oamhost1-configure - 17 minutes 37 seconds
oamhost2-configure - 13 minutes 37 seconds
webhost1-configure - 58 seconds
webhost2-configure - 57 seconds

oudhost1-configure-secondary - 3 minutes 34 seconds
oudhost2-configure-secondary - 3 minutes 17 seconds 
oimhost1-configure-secondary - 12 minutes 33 seconds
oimhost2-configure-secondary - 15 seconds 
oamhost1-configure-secondary - 13 minutes 9 seconds
oamhost2-configure-secondary - 16 seconds 
webhost1-configure-secondary - 57 seconds
webhost2-configure-secondary - 54 seconds 

oudhost1-postconfigure - 1 minute 11 seconds
oudhost2-postconfigure - 1 minute 20 seconds 
oimhost1-postconfigure - 49 minutes 21 seconds
oimhost2-postconfigure - 25 minutes 11 seconds 
oamhost1-postconfigure - 33 minutes 35 seconds
oamhost2-postconfigure - 17 minutes 29 seconds 
webhost1-postconfigure - 2 minutes 19 seconds
webhost2-postconfigure - 1 minute 44 seconds

oudhost1-startup - 2 minutes 41 seconds
oudhost2-startup - 2 minutes 25 seconds 
oimhost1-startup - 38 minutes 21 seconds
oimhost2-startup - 22 minutes 6 seconds 
oamhost1-startup - 20 minutes 54 seconds
oamhost2-startup - 10 minutes 2 seconds 
webhost1-startup - 1 minute 26 seconds
webhost2-startup - 1 minute 23 seconds

oudhost1-validate - 1 minute 10 seconds
oudhost2-validate - 59 seconds 
oimhost1-validate - 1 minute 33 seconds
oimhost2-validate - 2 minutes 25 seconds 
oamhost1-validate - 45 seconds
oamhost2-validate - 29 seconds 
webhost1-validate - 58 seconds
webhost2-validate - 58 seconds

Step 4 - Post-Provisioning Steps

Step 5 - Other Manual Change

Merge the following files into one conf file under /moduleconf/:
    idminternal_vh.conf
    oimadmin_vh.conf
    idmadmin_vh.conf

Step 6 - Verify


Access Manager Console: http://web.qingfeng.com/oamconsole


Identity Manager User Interface with OAM Integration: http://web.qingfeng.com/identity

Identity Manager Admin Interface with OAM Integration: http://web.qingfeng.com/sysadmin

SOA: http://web.qingfeng.com/soa-infra

Friday, September 25, 2015

Deploying the IAM Suite 11gR2PS2 with the Deployment Wizard ('Single Node on Multiple Hosts' Topology)

Step 1 - Lab Environment Setup

db.oracle.com - Windows - 2GB
oudhost1.oracle.com - OES 6.5 - 1GB
oamhost1.oracle.com - OES 6.5 - 4GB
oimhost1.oracle.com - OES 6.5 - 6GB
webhost1.oracle.com - OES 6.5 - 1GB
nas.oracle.com - FreeNAS 9.3 - 1GB

Note: make sure the OAM and OIM hosts have enough allocated RAM.

Step 2 - Create Response File

The 11gR2PS2 Deployment Wizard does not give the option for the 'Single Node on Multiple Hosts' topology. You need to manually modify the response file to delete the settings for the second node.

Step 3 - Execution

oudhost1-preverify - 35 seconds
oimhost1-preverify - 30 seconds
oamhost1-preverify - 12 seconds
webhost1-preverify - 23 seconds

oudhost1-install - 7 minutes 2 seconds
oimhost1-install - 51 minutes 2 seconds
oamhost1-install - 39 minutes 57 seconds
webhost1-install - 25 minutes 33 seconds

oudhost1-preconfigure - 5 minutes 28 seconds
oimhost1-preconfigure - 74 minutes 14 seconds
oamhost1-preconfigure - 66 minutes 12 seconds
webhost1-preconfigure - 4 minutes 14 seconds

oudhost1-configure - 1 minute 27 seconds
oimhost1-configure - 45 minutes 21 seconds
oamhost1-configure - 20 minutes 9 seconds
webhost1-configure - 1 minute 14 seconds

oudhost1-configure-secondary - 3 minutes 45 seconds
oimhost1-configure-secondary - 13 minutes 47 seconds
oamhost1-configure-secondary - 13 minutes 48 seconds
webhost1-configure-secondary - 55 seconds

oudhost1-postconfigure - 1 minute 8 seconds
oimhost1-postconfigure - 48 minutes 34 seconds
oamhost1-postconfigure - 35 minutes 36 seconds
webhost1-postconfigure - 2 minutes 36 seconds

oudhost1-startup - 3 minutes 22 seconds
oimhost1-startup - 40 minutes 50 seconds
oamhost1-startup - 22 minutes 8 seconds
webhost1-startup - 1 minute 29 seconds

oudhost1-validate - 55 seconds
oimhost1-validate - 1 minute 46 seconds
oamhost1-validate - 45 seconds
webhost1-validate - 52 seconds

Step 4 - Post-Provisioning Steps

Step 5 - Other Manual Change

Because I haven't set up the Load Balancer and Virtual Hosts for this deployment, a few things need to be modified in order to make everything function.

Add the following in the OHS httpd.conf:
ProxyRequests Off
ProxyPass /oam http://oamhost1.oracle.com:14100/oam
ProxyPassReverse /oam http://oamhost1.oracle.com:14100/oam

Delete sso_vh.conf and oimadmin_vh.conf from /moduleconf.

Step 6 - Verify 

OIM Admin Console: http://oimhost1.oracle.com:7101/console

OAM Admin Console: http://oamhost1.oracle.com:7001/console

OIM Enterprise Manager: http://oimhost1.oracle.com:7101/em

OAM Enterprise Manager: http://oamhost1.oracle.com:7001/em

Access Manager Console: http://webhost1.oracle.com:7777/oamconsole

Identity Manager User Interface with OAM Integration: http://webhost1.oracle.com:7777/identity
 
Identity Manager Admin Interface with OAM Integration: http://webhost1.oracle.com:7777/sysadmin


SOA: http://webhost1.oracle.com:7777/soa-infra

NEXT is the FULL HA deployment.