Saturday, November 28, 2015

Double login page for /sysadmin console in OIM-OAM Integrated Environment

In this post we shall see one of the issues observed in an OIM-OAM integrated environment.

ISSUE:


While accessing the /sysadmin and /identity consoles in an OIM-OAM integrated environment, we were observing a double login page. Steps to reproduce the issue:

Step 1) Access the OIM sysadmin console (http://Hostname:<OIM Port>/sysadmin/).

Step 2) Provide login details for the /sysadmin console (xelsysadm/<Password>).

Step 3) It redirected again and displayed the OAM challenge URL (the /oamconsole login page).

Step 4) Provide the same credentials again on the OAM page.

Step 5) The home page of the /sysadmin console now appears.

REASON:


The authentication level of the authentication schemes protecting the resources below was 2:

/oim/**
/oim
/sysadmin/**
/sysadmin
/wlWebApp/**
/wlWebApp
/identity/**
/identity

The authentication level of the authentication scheme protecting /oamconsole was also 2,
and hence we were getting a double login page while accessing the /sysadmin and /identity consoles.


SOLUTION:


To resolve the above issue we changed the authentication level to 1 for the authentication scheme protecting all of the resources below:

/oim/**
/oim
/sysadmin/**
/sysadmin
/wlWebApp/**
/wlWebApp
/identity/**
/identity


After making the above changes, only a single login page was observed while accessing the /sysadmin and /identity consoles.

Friday, November 27, 2015

Deployment Error - Oracle SOA suite

ISSUE:


The error below was observed in the SOA logs at the time of deployment.

<<
<Nov 19, 2015 2:13:54 PM AST> <Error> <oracle.soa.bpel.system> <BEA-000000> <Error while invoking bean "cube delivery": Error not handled.
failure to handle a error thrown from a scope, by any blocks in the scope chain.
This exception occurred because the error thrown in the BPMN flow was not handled by any error handlers and reached the top-level scope.
A top-level error handler should be added to the flow to handle errors not caught from within the flow.

java.sql.SQLException: Unexpected exception while enlisting XAConnection java.sql.SQLException: XA error: XAResource.XAER_NOTA start() failed on resource 'SOADataSource_base_domain': XAER_NOTA : The XID is not valid
oracle.jdbc.xa.OracleXAException
        at oracle.jdbc.xa.OracleXAResource.checkError(OracleXAResource.java:1616)
        at oracle.jdbc.xa.client.OracleXAResource.start(OracleXAResource.java:336)
        at weblogic.jdbc.jta.DataSource.start(DataSource.java:790)
        at weblogic.transaction.internal.XAServerResourceInfo.start(XAServerResourceInfo.java:1247)
        at weblogic.transaction.internal.XAServerResourceInfo.xaStart(XAServerResourceInfo.java:1180)
        at weblogic.transaction.internal.XAServerResourceInfo.enlist(XAServerResourceInfo.java:300)
        at weblogic.transaction.internal.ServerTransactionImpl.enlistResource(ServerTransactionImpl.java:561)
        at weblogic.transaction.internal.ServerTransactionImpl.enlistResource(ServerTransactionImpl.java:488)
        at weblogic.jdbc.jta.DataSource.enlist(DataSource.java:1673)
>>

REASON:


This error can be seen when the transaction has timed out but the exception is not caught by the application.

SOLUTION:


The solution is to set XASetTransactionTimeout to true and XATransactionTimeout to zero (when this parameter is set to zero, the XAResource session timeout is set to the global transaction timeout).

Step 1) Log into the WebLogic Admin Console.
Step 2) Click on Services -> Data Sources and then click on the data source you need to change (the SOA data source in the case above).
Step 3) Click on the Transaction tab.
Step 4) Click the check box next to "Set XA Transaction Timeout".
Step 5) Make sure that "XA Transaction Timeout" has a value of 0.
Step 6) Save and Activate Changes.
Step 7) Bounce the SOA server.
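The same change can be scripted instead of clicked through. The following WLST (Jython) script is an added example and is not part of the original post; it assumes the Admin Server listens at t3://localhost:7001 and that the JDBC system resource is named SOADataSource (the log above shows the XA resource as SOADataSource_base_domain, that is <data source>_<domain>). Both values are assumptions to be replaced with your own.

```jython
# Added example (WLST / Jython), not from the original post.
# Enables "Set XA Transaction Timeout" and sets "XA Transaction Timeout" to 0
# on the SOA data source, exactly as the console steps above do.
# Run as:  $WL_HOME/common/bin/wlst.sh set_xa_timeout.py <admin user> <admin password>
import sys

ADMIN_URL = 't3://localhost:7001'   # assumption: Admin Server listen address
DS_NAME   = 'SOADataSource'         # assumption: JDBC system resource name

def xa_params_path(dsName):
    # Edit-tree path of the JDBCXAParams bean that backs the Transaction tab
    return '/JDBCSystemResources/%s/JDBCResource/%s/JDBCXAParams/%s' % (dsName, dsName, dsName)

# Credentials come from the command line so they are not stored in the script
connect(sys.argv[1], sys.argv[2], ADMIN_URL)
edit()
startEdit()
try:
    xa = getMBean(xa_params_path(DS_NAME))
    print 'Before: XaSetTransactionTimeout=%s XaTransactionTimeout=%d' % (
        xa.isXaSetTransactionTimeout(), xa.getXaTransactionTimeout())
    xa.setXaSetTransactionTimeout(true)   # the "Set XA Transaction Timeout" check box
    xa.setXaTransactionTimeout(0)         # 0 = inherit the global (JTA) transaction timeout

    # Print the global JTA timeout too, so the golden rule below can be checked
    jta = getMBean('/JTA/' + domainName)
    print 'Global JTA TimeoutSeconds=%d' % jta.getTimeoutSeconds()

    save()
    activate(block='true')
except:
    # Do not leave a half-applied edit session behind
    cancelEdit('y')
    raise
disconnect()
print 'Done. Bounce the SOA managed server for the change to take effect.'
```

XA parameter changes on a data source are not dynamic, which is why the post ends with bouncing the SOA server.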

Please follow the golden rule below when setting the timeout parameters:

syncMaxWaitTime < BPEL EJB's transaction timeout < Global Transaction Timeout (JTA timeout) < XA timeout < distributed lock timeout


Wednesday, November 25, 2015

Provisioning of account to User using OIM 11G R2 API



Provision Account


Generally, you come across scenarios where user accounts have to be provisioned through the API based on customer requirements. Oracle Identity Manager allows you to provision accounts using the OIM API. Sometimes you will need to grant an account from remote operations (a web service or some remote connector).

For this, you first need to find the right application instance for the account to be provisioned. To find the right application instance, Oracle provides a pre-defined API:

the findApplicationInstanceByName method of oracle.iam.provisioning.api.ApplicationInstanceService

Once you have found the right application instance, use it to provision the account. To provision the account, use oracle.iam.provisioning.api.ProvisioningService.




import java.util.HashMap;
import java.util.Map;
import java.util.logging.Logger;
import oracle.iam.platform.Platform;
import oracle.iam.provisioning.api.ApplicationInstanceService;
import oracle.iam.provisioning.api.ProvisioningService;
import oracle.iam.provisioning.exception.ApplicationInstanceNotFoundException;
import oracle.iam.provisioning.exception.GenericAppInstanceServiceException;
import oracle.iam.provisioning.exception.GenericProvisioningException;
import oracle.iam.provisioning.exception.UserNotFoundException;
import oracle.iam.provisioning.vo.Account;
import oracle.iam.provisioning.vo.AccountData;
import oracle.iam.provisioning.vo.ApplicationInstance;
import oracle.iam.provisioning.vo.FormInfo;


/** ProvisionAccount.java
 *
 * illustrates how to provision an account
 * based on ApplicationInstance Name
 * @author Nagaraju Gorrepati
 */

public class ProvisionAccount {

    protected static Logger logger = Logger.getLogger("ProvisionAccount");
    /* Make sure a Log Handler is configured for the ProvisionAccount logger */
    private static final String classname = ProvisionAccount.class.getName();

    /**
     * This method is used to provision an account to a user
     * @param userKey the OIM user key (usr_key) of the user who receives the account
     */
    public void provisionAccount(String userKey) {

        String methodName =
            Thread.currentThread().getStackTrace()[1].getMethodName();
        logger.finest(classname + "::" + methodName + "::started");

        // Process form field name that holds the IT Resource, example: UD_ADUSER_SERVER
        String serverName = null;
        // The IT Resource name for the application that needs to be provisioned.
        // It holds the connection information OIM uses to connect to the target
        // system, example: Active Directory
        String itResourceName = null;

        ProvisioningService service =
            Platform.getService(ProvisioningService.class);

        ApplicationInstance appInstance;
        try {
            // XXXXXX represents the Application Instance Name
            appInstance = findApplicationInstanceByName("XXXXXX");
        } catch (ApplicationInstanceNotFoundException e) {
            logger.severe(classname + "::" + methodName + "::" + e.getMessage());
            return; // nothing can be provisioned without the application instance
        } catch (GenericAppInstanceServiceException e) {
            logger.severe(classname + "::" + methodName + "::" + e.getMessage());
            return;
        }
        FormInfo formInfo = appInstance.getAccountForm();

        // Parent (process form) data, keyed by process form field name
        Map<String, Object> parentData = new HashMap<String, Object>();
        parentData.put(serverName, itResourceName);
        // Add any further data that needs to be populated for the account

        String formKey = String.valueOf(formInfo.getFormKey());

        AccountData accountData = new AccountData(formKey, null, parentData);

        Account account = new Account(appInstance, accountData);

        account.setAccountType(Account.ACCOUNT_TYPE.Primary);

        try {
            service.provision(userKey, account);
        } catch (UserNotFoundException e) {
            logger.severe(classname + "::" + methodName + "::" + e.getMessage());
        } catch (ApplicationInstanceNotFoundException e) {
            logger.severe(classname + "::" + methodName + "::" + e.getMessage());
        } catch (GenericProvisioningException e) {
            logger.severe(classname + "::" + methodName + "::" + e.getMessage());
        }
        logger.finest(classname + "::" + methodName + "::Finished");
    }

    /**
     * This method is used to find an ApplicationInstance by name
     * @param applicationInstanceName the Application Instance Name as shown in the OIM console
     * @throws ApplicationInstanceNotFoundException
     * @throws GenericAppInstanceServiceException
     * @return the matching ApplicationInstance
     */
    public ApplicationInstance findApplicationInstanceByName(String applicationInstanceName)
            throws ApplicationInstanceNotFoundException, GenericAppInstanceServiceException {

        String methodName =
            Thread.currentThread().getStackTrace()[1].getMethodName();
        logger.finest(classname + "::" + methodName + "::started");

        ApplicationInstanceService service =
            Platform.getService(ApplicationInstanceService.class);

        // The checked exceptions propagate to the caller, which logs them
        ApplicationInstance appInstance =
            service.findApplicationInstanceByName(applicationInstanceName);

        logger.finest(classname + "::" + methodName + "::Finished");
        return appInstance;
    }

}

Saturday, November 14, 2015

Oracle Webcenter Portal 11.1.1.9 Integration with OAM 11.1.2.2.0

In this post we shall see the integration of WebCenter Portal 11.1.1.9 with Oracle Access Manager (OAM) 11.1.2.0.

Assumption:
1) Oracle Access Manager 11gR2 installed and configured. 
2) Oracle Internet Directory installed and configured. 
3) OAM Integrated with OID.  
4) Oracle HTTP Server installed and configured. 
5) Oracle Webcenter Portal 11.1.1.9 installed and configured. 
6) Oracle Webgate installed 
7) Oracle Webgate integrated with OAM and OHS.

Creation of OAM Identity Provider in PORTAL Domain:


1) Create OAM Identity Asserter Provider in PORTAL Domain:
2) Login to the WebLogic console --> Navigate to Security Realms -> myrealm -> Providers
3) Click New, and then enter a name and select a type:

Name: OAM Identity Asserter
Type: OAMIdentityAsserter
Click OK.
In the Authentication Providers table, click the newly added authenticator (OAM Identity Asserter). Click the Common tab and set the Control Flag to REQUIRED.
On the Common tab, specify the chosen Active Type for your installed WebGate.
Note : Both ObSSOCookie and OAM_REMOTE_USER must be set as Active Types for the asserter. Without both of these set as Active Types, you will be re-prompted by WebLogic for authentication after authenticating to OAM.
4) Click Save.

Creation of OID Authenticator Provider in PORTAL Domain:


1) Associate the WebCenter Portal domain with the Identity Store (for example OID/OVD).
Note : When you install the content server it uses the WebLogic embedded identity store.
2) Create OID Authenticator Provider in PORTAL Domain:
3) Login to the WebLogic console --> Navigate to Security Realms -> myrealm -> Providers
4) Click New, and then enter a name and select a type:

Name: OID Authenticator
Type: OracleInternetDirectoryAuthenticator
Click OK.
In the Authentication Providers table, click the newly added authenticator (OID Authenticator).
On the Settings page, click the Common tab, set the Control Flag to SUFFICIENT.
Click Save.
Click the Provider Specific tab and specify the following required settings using values for your own environment:

  • Host: Server details where OID is installed
  • Port: Port number of OID (default 3060)
  • Principal: LDAP administrative user. For example cn=orcladmin.
  • Credential: LDAP administrative user password.
  • User Base DN: Same searchbase as in Oracle Access Manager (cn=users,dc=example,dc=com)
  • All Users Filter: For example: (&(uid=*)(objectclass=person))
  • User Name Attribute: Set as the default attribute for username in the LDAP directory. For example: cn
  • Group Base DN: The group searchbase (same as User Base DN)
  • Do not set the All Groups filter, as the default works fine as is.
5) Click Save.

Changing control flag of Default Authenticator :


1)  Default Authenticator: Perform the following steps to set up the Default Authenticator for use with the Identity Asserter:
2) Go to Security Realms -> myrealm -> Providers.
3) Click DefaultAuthenticator to see its configuration page.
4) Click the Common tab and set the Control Flag to SUFFICIENT
5) Click Save.


Reorder Providers: 



1) Go to Security Realms -> myrealm -> Providers.
2) On the Summary page where providers are listed, click the Reorder button.
3) On the Reorder Authentication Providers page, order the providers as follows:

  • OAM Identity Asserter (REQUIRED)
  • OID Authenticator (SUFFICIENT)
  • Default Authenticator (SUFFICIENT)
4) Click OK.
5) Activate Changes.
6) Restart Oracle WebLogic Admin Server and Portal(WC_Spaces) Server.
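The four console procedures above (creating the OAM Identity Asserter, creating the OID Authenticator, changing the DefaultAuthenticator control flag and reordering the providers) can be applied in one WLST session. The script below is an added example, not from the original post or from Oracle; the Admin Server URL, the OID host and the base DNs are placeholders to be replaced with your own values, and the OID bind password is read from the command line rather than stored in the file.

```jython
# Added example (WLST / Jython), not from the original post.
# Creates the OAM Identity Asserter (REQUIRED, both Active Types), the OID
# Authenticator (SUFFICIENT), sets DefaultAuthenticator to SUFFICIENT and
# reorders the providers as listed in the post.
# Run as:  wlst.sh configure_sso_providers.py <admin user> <admin password> <OID bind password>
import sys
import jarray
from java.lang import String
from weblogic.management.security.authentication import AuthenticationProviderMBean

ADMIN_URL  = 't3://localhost:7001'          # assumption: PORTAL domain Admin Server
OID_HOST   = 'oid.example.com'              # placeholder: host where OID is installed
OID_PORT   = 3060                           # default OID port, as in the post
OID_BIND   = 'cn=orcladmin'                 # LDAP administrative user
USER_BASE  = 'cn=users,dc=example,dc=com'   # same searchbase as in OAM
GROUP_BASE = USER_BASE                      # the post uses the same base for groups

connect(sys.argv[1], sys.argv[2], ADMIN_URL)
oidPassword = sys.argv[3]
edit()
startEdit()
try:
    realm = cmo.getSecurityConfiguration().getDefaultRealm()

    # OAM Identity Asserter: Control Flag REQUIRED, both Active Types, or WebLogic
    # will re-prompt for credentials after the OAM login
    asserter = realm.createAuthenticationProvider('OAM Identity Asserter',
        'oracle.security.wls.oam.providers.asserter.OAMIdentityAsserter')
    asserter.setControlFlag('REQUIRED')
    asserter.setActiveTypes(jarray.array(['ObSSOCookie', 'OAM_REMOTE_USER'], String))

    # OID Authenticator: Control Flag SUFFICIENT plus the Provider Specific settings
    oid = realm.createAuthenticationProvider('OID Authenticator',
        'weblogic.security.providers.authentication.OracleInternetDirectoryAuthenticator')
    oid.setControlFlag('SUFFICIENT')
    oid.setHost(OID_HOST)
    oid.setPort(OID_PORT)
    oid.setPrincipal(OID_BIND)
    oid.setCredential(oidPassword)
    oid.setUserBaseDN(USER_BASE)
    oid.setAllUsersFilter('(&(uid=*)(objectclass=person))')
    oid.setUserNameAttribute('cn')
    oid.setGroupBaseDN(GROUP_BASE)
    # All Groups Filter is left at its default, as the post recommends

    # Embedded LDAP authenticator becomes SUFFICIENT so OAM/OID users are not rejected
    defaultAuth = realm.lookupAuthenticationProvider('DefaultAuthenticator')
    defaultAuth.setControlFlag('SUFFICIENT')

    # Reorder: asserter first, then OID, then the Default Authenticator
    realm.setAuthenticationProviders(
        jarray.array([asserter, oid, defaultAuth], AuthenticationProviderMBean))

    save()
    activate(block='true')
except:
    # Discard the pending changes rather than leaving a locked edit session
    cancelEdit('y')
    raise
disconnect()
print 'Providers configured. Restart the Admin Server and the WC_Spaces server.'
```

Provider changes in a security realm are not dynamic, so the restart in step 6 above is still required after the script completes.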


Configuring Centralized logout for Webcenter Portal:


1) Navigate to $ORACLE_WC1/common/bin. 
2) Launch WLST by issuing the './wlst.sh' command.
3) From the WLST prompt, issue the 'connect' command to connect to the WebLogic Admin Server running within your PORTAL domain. For example:
connect('weblogic','welcome1','localhost:7001') 
4) Once connected to your WebLogic instance, issue the following command exactly as shown below.
addOAMSSOProvider(loginuri="/${app.context}/adfAuthentication",logouturi="/oamsso/logout.html")
5) Disconnect from WLST by issuing the 'exit()' command.
6) Restart Portal(WC_Spaces) server and Admin Server. 


Configuring the OHS Webgate to Proxy Requests to WC_spaces:


1) Edit the mod_wl_ohs.conf file at <OHS_Home>/instances/<webtierInstance>/config/OHS/<ohsInstance>
2) Add the entry below (the IfModule container must name the module, otherwise OHS rejects the configuration):

<IfModule weblogic_module>
<Location /webcenter>
      SetHandler weblogic-handler
      WebLogicHost Hostname
      WebLogicPort 8888
</Location>

<Location /webcenterhelp>
      SetHandler weblogic-handler
      WebLogicHost Hostname
      WebLogicPort 8888
</Location>

<Location /rss>
      SetHandler weblogic-handler
      WebLogicHost Hostname
      WebLogicPort 8888
</Location>

<Location /rest>
      SetHandler weblogic-handler
      WebLogicHost Hostname
      WebLogicPort 8888
</Location>

<Location /owc_discussions>
      SetHandler weblogic-handler
      WebLogicHost Hostname
      WebLogicPort 8890
</Location>

<Location /activitygraph-engines>
      SetHandler weblogic-handler
      WebLogicHost Hostname
      WebLogicPort 8891
</Location>

<Location /wcps>
      SetHandler weblogic-handler
      WebLogicHost Hostname
      WebLogicPort 8891
</Location>

</IfModule>
3) Save and close the file.  
4) Restart the OHS Webgate instance. 


Configuring WebCenter Spaces for SSO:



1) Edit setDomainEnv.sh to set the parameter oracle.webcenter.spaces.osso to true:
$ cd $DOMAIN_HOME/bin
$ vi setDomainEnv.sh

Add the following:
EXTRA_JAVA_PROPERTIES="-Doracle.webcenter.spaces.osso=true ${EXTRA_JAVA_PROPERTIES}"
export EXTRA_JAVA_PROPERTIES
 

2) Save the file.
3) Restart Admin Server and WC_Spaces Server.

Protect the above-mentioned resources on the OAM side:

1) Create Resource
2) Create Authentication Policy and Authorization Policy
3) Create Authentication Scheme
4) Create Authentication Module
5) Create User Identity Store


Testing the Configuration:



1) Ensure that the Oracle Access Manager Access Server, the Oracle HTTP Server configured with the OAM Webgate, Oracle Internet Directory, and Oracle WebCenter Portal (WC_Spaces) are all running.
2) Access the Oracle Portal instance through the OAM Webgate at http://<ohs-host>:<ohs-port>/webcenter
3) An OAM web form login should be presented. Log in with valid credentials stored in the OID instance that Portal (WC_Spaces) and OAM share.
4) The Portal page should be presented with no other authentication challenges.


Friday, November 13, 2015

Oracle Webcenter Portal 11.1.1.9 Install/Configure

In this post we shall see installation and configuration of Oracle Webcenter Portal 11.1.1.9.

Install Oracle Webcenter Content 11.1.1.9:



1) Download the required software from Oracle Site.

2) Install schema for Oracle Webcenter Portal  using RCU.
Note : Before creating the schema for the Portal server, make sure the "processes" parameter at the database level is greater than or equal to 200.
sql>show parameter processes;
processes    integer     200 


4) Execute runInstaller from Disk1



5) On Welcome Screen Click Next. 

6) Select Skip Software Updates, and then click Next to continue the installation.

7) After the prerequisite checks complete with no errors, click Next to continue the installation. 

8) Specify the Middleware home (MW_HOME) and WebCenter Content Oracle home (WC_PORTAL_ORACLE_HOME) locations.
 
Oracle Middleware Home: Select the Middleware home directory (MW_HOME), which was created during the installation of Oracle WebLogic Server.
Oracle Home Directory: Specify the directory where you want to install Oracle WebCenter Portal. 

9) Select WebLogic Server to install Oracle WebCenter Content on an Oracle WebLogic Server.

10) Click Install to start the software installation.

11) After the progress reaches 100%, click Next to go to the last screen.

12) Click Save to save the installation configuration, and then click Finish to exit the installer.

Configure Oracle Webcenter Portal  11.1.1.9:


1) Start the Fusion Middleware Configuration Wizard: WC_PORTAL_ORACLE_HOME/common/bin/config.sh

2) Select Create a new WebLogic Domain.
Click Next to continue. 

3) Select Generate a domain configured automatically to support the following products.
Select product that you wish to configure. 

 

4)  Enter the name of the domain you want to create in the Domain name field.
Click Next to continue. 

 

5) The User name field has the default administrator user name, weblogic. You can specify a different administrator user name if you want.
In the User password field, enter the password for the administrator user.

6) Under WebLogic Domain Startup Mode, Development Mode is the default mode. For a production system, select Production Mode.
Enter the JDK Location and click Next to continue.

7) Enter the details as below:
  • Vendor: Select a database vendor from the list.
  • Driver: Leave the default driver for the database vendor selected, or select a driver for the component schema from the list.
  • Schema Owner: Enter the user name of the application schema owner, specified during schema creation with RCU.
  • Schema Password: Enter the schema password, specified during schema creation with RCU.
  • DBMS/Service: Database Name
  • Host Name: Specify the Hostname on which your database is installed.
  • Listen Port: Specify the database listen port number. The default port number is 1521.







8) After the test succeeds, click Next to continue. 

9) Select the optional configuration options below for the Administration Server and Managed Servers:

 

10) Enter the Admin Server name and port number (make sure the port is free and available for use).

 

11) WC_Spaces configuration:
Enter the port number for WC_Spaces. For each server, you can use the default Listen port value (8888). For increased security, you can specify a non-default port number (make sure the port is free).

 

 
12) Review your configuration and  click Create to create the domain. 

13) When the domain is created successfully, click Done. 

14) Start the Admin Server from the location below: $DOMAIN_HOME/bin
$ ./startWebLogic.sh

15) Create Machine from Weblogic Console and Add WC_Spaces to that machine. 

16) Start the NodeManager process from the location below: $WL_HOME/server/bin
$ nohup ./startNodeManager.sh &

17) Execute setNMProps.sh from the location below: $WL_HOME/oracle_common/common/bin
$ . ./setNMProps.sh

18) Start WC_Spaces server  from WebLogic console. 

19) Access http://Hostname:8888/webcenter page.