Friday, May 23, 2014

OIM 11g xelsysadm password reset

Before 11g, the password of the OIM administrator user (xelsysadm) could be reset by another admin via the Web console, or alternatively changed with SQL in the OIM USR table where USR_LOGIN = XELSYSADM.

If 11g is using workflows, there is a second location where the password must also be changed.

Using Enterprise Manager (eg http://my.domain.name:7001/em), under farm_base_domain, click WebLogic Domain, click your base_domain.

This opens the base_domain in the main window. In the top left-hand corner, open the WebLogic Domain drop-down, select Security, then select Credentials.

This opens the Credential Store Provider window. Open the credential map called "oracle.oim.sysadminMap" and select the entry called Sysadmin. Use the Edit option to open the editor window; this should pop up Edit Key, with the user name of the system admin (xelsysadm). Change the password here.

Monday, May 19, 2014

Stopping Node Manager

To stop a Node Manager process, close the command shell in which it is running.

If you stop a Node Manager process that is currently monitoring Managed Servers, do not shut down those Managed Servers while the Node Manager process is shut down.

Node Manager will be unaware of shutdowns performed on Managed Servers while it was down.

When Node Manager is restarted, if a Managed Server it was previously monitoring is not running, it will automatically restart it.

Sunday, May 18, 2014

IDMTech: Difference between Event Handler and Entity Adapter

LDAP Sync in OIM 11g

Steps to set up LDAP sync after installation in OIM 11g:

Note: For simplicity, the following hosts and ports are used as an example for the various components involved in setting up LDAP sync.

Host and port details for OID and OVD: 

OID/OVD host name: oidovd.oracle.com
OID non-SSL port (LDAP): 3060
OID SSL port (LDAPS): 3131
OVD non-SSL port (LDAP): 6501
OID/OVD managed server port: 7005 (used to access ODSM)
OID search base: dc=oracle,dc=com
DN of user container: cn=oimusers,dc=oracle,dc=com
DN of role container: cn=oimroles,dc=oracle,dc=com
DN of reserve container: cn=oimreserve,dc=oracle,dc=com

Host and port details for OIM: 

OIM host name: oim.oracle.com 
OIM managed server port: 8003 

Details for Database:

OIM schema owner and password: OIMUSER/******
Database host: dbhost.oracle.com
Listener port: 1521

The following environment variables are referred to later in this article. They are not necessarily set in a deployment; they are used only to clarify the location of the various files mentioned here:

$MW_HOME - This refers to the directory in which Weblogic is installed, for example
/home/oracle/wlsinstallhome

$OIM_HOME - This refers to the directory in which OIM is installed, for example 
/home/oracle/wlsinstallhome/Oracle_IDM1

1. Run the LDAP pre-configuration utility (Task 1) as per the documentation. This tool performs the following tasks:

1.1 Creates user in OID, and assigns appropriate permissions to the base container and changelog, using file 
$OIM_HOME/server/ldap_config_util/oimadminuser.ldif 

1.2 Creates the user, role and user reservation containers under the search base using file 
$OIM_HOME/server/ldap_config_util/oimcontainers.ldif 

1.3 Creates the required schema objects for OAM using the following files in $OIM_HOME/oam/server/oim-intg/schema:
OID_oblix_pwd_schema_add.ldif
OID_oblix_schema_add.ldif
OID_oblix_schema_index_add.ldif
OID_oim_pwd_schema_add.ldif

As we can see, all of these steps are LDAP operations; LDAPConfigPreSetup.bat/sh does no configuration in OIM or OVD. The documentation advises modifying the values in the file $OIM_HOME/server/ldap_config_util/ldapconfig.props.

Note that LDAP details provided are for OID, not for OVD. Also, values for UserContainerName, RoleContainerName and ReservationContainerName should be relative distinguished names. Using the example values listed above, our ldapconfig.props would be:

OIDURL=ldap://oidovd.oracle.com:3060
OIMProviderURL=t3://oim.oracle.com:8003
OIDAdminUsername=cn=orcladmin
OIDSearchBase=dc=oracle,dc=com
UserContainerName=cn=oimusers
RoleContainerName=cn=oimroles
ReservationContainerName=cn=oimreserve

In step 1.2 the following entries will be created:

cn=oimusers,dc=oracle,dc=com
cn=oimroles,dc=oracle,dc=com
cn=oimreserve,dc=oracle,dc=com

LDAPConfigPreSetup.bat/sh can be re-executed if errors occur. During a subsequent execution, errors like "object already exists" can be ignored.
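The ldapconfig.props rules above (OID URL rather than OVD, search base as a full DN, the three container names as relative DNs) are easy to get wrong and the pre-setup script only fails later with LDAP errors. The following checker is an added example, not part of the original post or of the Oracle tooling; it parses the properties file, reports violations of those rules, and derives the three container DNs that step 1.2 will create. The sample properties are the article's own values, embedded inline.

```python
# Added example: sanity-check ldapconfig.props before running LDAPConfigPreSetup.sh.
# Not part of the original post or of any Oracle tool.
from urllib.parse import urlparse

# Constructed sample, mirroring the values used in the article.
SAMPLE_PROPS = """\
OIDURL=ldap://oidovd.oracle.com:3060
OIMProviderURL=t3://oim.oracle.com:8003
OIDAdminUsername=cn=orcladmin
OIDSearchBase=dc=oracle,dc=com
UserContainerName=cn=oimusers
RoleContainerName=cn=oimroles
ReservationContainerName=cn=oimreserve
"""

CONTAINER_KEYS = ("UserContainerName", "RoleContainerName", "ReservationContainerName")
REQUIRED_KEYS = ("OIDURL", "OIMProviderURL", "OIDAdminUsername", "OIDSearchBase") + CONTAINER_KEYS


def parse_props(text):
    """Parse a minimal key=value properties file ('#' comments, no escapes)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def split_rdns(dn):
    """Split a DN on unescaped commas, trimming whitespace around each RDN."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    parts.append("".join(current).strip())
    return [p for p in parts if p]


def check_ldapconfig(text):
    """Return (problems, derived). problems is a list of strings (empty when OK);
    derived maps each *ContainerName key to the full DN that step 1.2 will create."""
    props = parse_props(text)
    problems = [f"{key} is missing or empty" for key in REQUIRED_KEYS if not props.get(key)]
    url = urlparse(props.get("OIDURL", ""))
    if url.scheme not in ("ldap", "ldaps") or not url.hostname or not url.port:
        problems.append("OIDURL must look like ldap://host:port (the OID URL, not OVD)")
    base = props.get("OIDSearchBase", "")
    if len(split_rdns(base)) < 2:
        problems.append("OIDSearchBase should be a full DN such as dc=oracle,dc=com")
    derived = {}
    for key in CONTAINER_KEYS:
        rdn = props.get(key, "")
        if not rdn:
            continue
        if len(split_rdns(rdn)) != 1:
            problems.append(f"{key} must be a relative DN (one RDN, no comma): {rdn!r}")
        elif "=" not in rdn:
            problems.append(f"{key} must be attr=value, e.g. cn=oimusers: {rdn!r}")
        elif base:
            derived[key] = ",".join(split_rdns(rdn) + split_rdns(base))
    return problems, derived


if __name__ == "__main__":
    problems, derived = check_ldapconfig(SAMPLE_PROPS)
    print("problems:", problems or "none")
    for key, dn in derived.items():
        print(f"{key} -> {dn}")
```

Run it against the real file with `check_ldapconfig(open(path).read())`; an empty problem list plus the three derived DNs matching the entries expected in step 1.2 is the go-ahead for the pre-setup script.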

2. Configure the OVD adapters as per the documentation (Task 2).

There are a couple of things to note when configuring the OVD adapters:

2.1 For the changelog adapter, the value of the "Remote Base" field must be cn=changelog. The value for "Root" can be anything, but it is easiest to use the same value as in "Remote Base".

2.2 For the user adapter, the value of "Remote Base" should be the same as the OIDSearchBase used in ldapconfig.props (dc=oracle,dc=com in our case).

This value is what OVD uses when it performs LDAP operations against OID. The value for "Root" is what OIM uses when it performs LDAP operations against OVD. It can be any valid LDAP DN (distinguished name), and it will be used later to configure OIM for LDAP sync.

2.3 The value of the changelog plugin attribute targetDNFilter should be the same as the value of OIDSearchBase. If it is set to a lower level, for example cn=oimusers,dc=oracle,dc=com, then role reconciliation will not work.

2.4 The value of the changelog plugin attribute modifierDNFilter must be cn=oimadmin,cn=users,cn=OIM,cn=Products,cn=OracleContext (this OID user was created in step 1.1). This value is used during the reconciliation process to avoid reconciling entries modified by LDAP sync itself.

3. Modify the IT Resource "Directory Server" using the OIM admin console.

3.1 Server URL and admin credentials are for OVD, not for OID. Admin DN needs to be full DN, for example cn=oimusers,dc=oracle,dc=com.

3.2 Changelog Container must be the same as the value of "Root" defined in step 2.1.

3.3 User Reservation Container needs to be full DN, for example cn=oimreserve,dc=oracle,dc=com. This needs to be somewhere under "Root" defined in step 2.2 

3.4 Search Base needs to be full DN, for example dc=oracle,dc=com. This needs to be the same as or somewhere under "Root" defined in step 2.2

4. Import metadata required for LDAP sync to MDS. 

4.1 Copy the complete directory $OIM_HOME/server/metadata/db to a new directory, for example /tmp/metadata/db. Note that the user executing the following operations needs full access to this new directory structure.

4.2 Remove the oim-config.xml file from /tmp/metadata/db.

4.3 Update /tmp/metadata/db/LDAPContainerRules.xml and replace:

$DefaultUserContainer$ with the full DN of the user container, for example cn=oimusers,dc=oracle,dc=com
$DefaultRoleContainer$ with the full DN of the role container, for example cn=oimroles,dc=oracle,dc=com

These values are DNs as OVD shows them; depending on the settings made in steps 2.1 and 2.2, that may not be the same as the OID representation of the DN of the same entry.

Our sample LDAPContainerRules.xml is:

<?xml version="1.0"?>
<container-rules>
  <user>
    <rule>
      <expression>Default</expression>
      <container>cn=oimusers,dc=oracle,dc=com</container>
    </rule>
  </user>
  <role>
    <rule>
      <expression>Default</expression>
      <container>cn=oimroles,dc=oracle,dc=com</container>
    </rule>
  </role>
</container-rules>

4.4 Import the metadata into the MDS repository with /tmp/metadata as the "from" location. In MDS, these files should end up under the location /db.

4.4.1 Modify $OIM_HOME/server/bin/weblogic.properties, follow the instructions in that file itself. For our import operation, relevant sample values are:

metadata_from_loc=/home/oracle/tmp/metadata
wls_servername=oim_server1
application_name=OIMMetadata
4.4.2 Execute weblogicImportMetadata.bat/sh. Note that this script asks for the WebLogic server details; the information provided must be for the managed server. Example:

./weblogicImportMetadata.sh 
Starting import metadata script .... 
Please enter your username [weblogic] : 
Please enter your password [welcome1] : 
Please enter your server URL [t3://localhost:7001] :t3://oim.oracle.com:8003
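Steps 4.1 to 4.3 are a small file-manipulation procedure, and the two mistakes that bite later (a surviving oim-config.xml, or a container DN that is not under the OVD "Root" from step 2.2) are both cheap to check before the import in 4.4. The script below is an added example, not part of the original post or of Oracle's metadata tooling; it copies a metadata/db tree, removes oim-config.xml, fills in the two placeholders and then parses the result. The source tree it works on is constructed in a temporary directory so it runs anywhere; point prepare_metadata at the real $OIM_HOME/server/metadata/db for actual use.

```python
# Added example: automate steps 4.1-4.3 and verify the resulting
# LDAPContainerRules.xml. Not part of the original post or of any Oracle tool.
import os
import shutil
import tempfile
import xml.etree.ElementTree as ET

# Constructed stand-in for $OIM_HOME/server/metadata/db/LDAPContainerRules.xml,
# carrying the two placeholders the documentation tells you to replace.
TEMPLATE_RULES = """<?xml version="1.0"?>
<container-rules>
  <user>
    <rule>
      <expression>Default</expression>
      <container>$DefaultUserContainer$</container>
    </rule>
  </user>
  <role>
    <rule>
      <expression>Default</expression>
      <container>$DefaultRoleContainer$</container>
    </rule>
  </role>
</container-rules>
"""


def normalise_dn(dn):
    """Lower-case and trim whitespace around RDN separators so DNs compare reliably."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def dn_is_under(dn, root):
    """True when dn equals root or lies below it (suffix match on RDNs)."""
    dn_parts = normalise_dn(dn).split(",")
    root_parts = normalise_dn(root).split(",")
    return len(dn_parts) >= len(root_parts) and dn_parts[-len(root_parts):] == root_parts


def prepare_metadata(src_db, dest_parent, user_container, role_container):
    """Steps 4.1-4.3: copy src_db to dest_parent/db, drop oim-config.xml,
    substitute the placeholders. Returns the path of the new db directory."""
    dest_db = os.path.join(dest_parent, "db")
    shutil.copytree(src_db, dest_db)                    # 4.1
    config = os.path.join(dest_db, "oim-config.xml")
    if os.path.exists(config):                          # 4.2: never import oim-config.xml
        os.remove(config)
    rules_path = os.path.join(dest_db, "LDAPContainerRules.xml")
    with open(rules_path, encoding="utf-8") as fh:
        text = fh.read()
    text = text.replace("$DefaultUserContainer$", user_container)   # 4.3
    text = text.replace("$DefaultRoleContainer$", role_container)
    with open(rules_path, "w", encoding="utf-8") as fh:
        fh.write(text)
    return dest_db


def verify_rules(rules_path, ovd_root):
    """Parse LDAPContainerRules.xml and return {'user': dn, 'role': dn}.
    Raises ValueError if a placeholder survived or a DN is outside ovd_root."""
    root = ET.parse(rules_path).getroot()
    found = {}
    for kind in ("user", "role"):
        for container in root.findall(f"./{kind}/rule/container"):
            dn = (container.text or "").strip()
            if "$" in dn:
                raise ValueError(f"placeholder left in {kind} container: {dn}")
            if not dn_is_under(dn, ovd_root):
                raise ValueError(f"{kind} container {dn} is not under OVD root {ovd_root}")
            found[kind] = dn
    return found


def run_demo():
    """Build a throw-away metadata/db tree and run the steps against it."""
    with tempfile.TemporaryDirectory() as work:
        src_db = os.path.join(work, "oim_home", "server", "metadata", "db")
        os.makedirs(src_db)
        with open(os.path.join(src_db, "oim-config.xml"), "w", encoding="utf-8") as fh:
            fh.write("<oimconfig/>")                    # constructed placeholder content
        with open(os.path.join(src_db, "LDAPContainerRules.xml"), "w", encoding="utf-8") as fh:
            fh.write(TEMPLATE_RULES)
        dest_db = prepare_metadata(src_db, os.path.join(work, "tmp", "metadata"),
                                   "cn=oimusers,dc=oracle,dc=com",
                                   "cn=oimroles,dc=oracle,dc=com")
        result = verify_rules(os.path.join(dest_db, "LDAPContainerRules.xml"), "dc=oracle,dc=com")
        result["oim_config_removed"] = not os.path.exists(os.path.join(dest_db, "oim-config.xml"))
        return result


if __name__ == "__main__":
    print(run_demo())
```

verify_rules takes the OVD "Root" from step 2.2 as its reference, which is the same containment rule the IT Resource fields in steps 3.3 and 3.4 must satisfy, so the one function covers both checks.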

5. Seed the LDAP reconciliation scheduled jobs into the OIM database.

5.1 Create a file oim.profile in any directory with the following properties, replacing every value surrounded by <> with the proper value.

operationsDB.user=<OIM DB User Name>
operationsDB.password=<OIM DB User Password>
operationsDB.driver=oracle.jdbc.xa.client.OracleXADataSource
operationsDB.host=<DB Host>
operationsDB.port=<DB listener port>
operationsDB.SID=<DB SID>
OIM.DBPassword=<OIM DB User Password>

oim.profile with our sample values: 

operationsDB.user=OIMUSER
operationsDB.password=welcome1
operationsDB.driver=oracle.jdbc.xa.client.OracleXADataSource
operationsDB.host=dbhost.oracle.com
operationsDB.port=1521
operationsDB.SID=IAM
OIM.DBPassword=welcome1

Note: Remove all trailing spaces from each line.

5.2 Set the environment variable $ANT_HOME to $MW_HOME/modules/org.apache.ant_1.7.1 and $JAVA_HOME to $MW_HOME/jdk160_18.

5.3 Go to the directory $OIM_HOME/server/seed_data/ and run the ant script that loads the LDAP reconciliation scheduled jobs:

ant -v -propertyfile <full path/filename of the oim.profile created in step 5.1> \
  -Dserver.dir=<$OIM_HOME/server> \
  -Dweblogic.server.dir=<WEBLOGIC_SERVER_LOCATION> \
  -Dwork.dir=. -f seed-rcu-data.xml seed-ldap-recon-jobs

For example:

ant -v -propertyfile ./oim.profile \
  -Dserver.dir=/scratch/shiphome/beahome/Oracle_IDM1/server \
  -Dweblogic.server.dir=/scratch/shiphome/beahome/wlserver_10.3 \
  -Dwork.dir=. \
  -f seed-rcu-data.xml seed-ldap-recon-jobs

This step might give the following error, which can be ignored: 

[java] Dec 1, 2010 3:48:12 AM oracle.jdbc.driver.OracleDriver registerMBeans 
[java] SEVERE: Error while registering Oracle JDBC Diagnosability MBean. 
[java] java.security.AccessControlException: access denied (javax.management.MBeanTrustPermissionregister)

In case of other errors, check the log file <work.dir>/ldap/SeedSchedulerData.log.

After completing these steps, test user and role creation in OIM and confirm that they are copied as user and group entries into the appropriate OID containers. Also test user and role reconciliation. If an OIM user is created but no user appears in OID, the most common cause is incorrect MDS data; in that case use the MDS tools to check and correct the content of MDS.
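The seed script in step 5 reads oim.profile as a Java properties file, so a trailing space after a value or a placeholder left as `<DB SID>` fails only at JDBC connection time with an unhelpful error. The following linter is an added example, not from the original post or from Oracle's seed_data scripts; it checks the profile for exactly those defects (trailing whitespace, unreplaced <...> placeholders, missing keys, non-numeric port, and the two password properties disagreeing) and can also emit a cleaned copy. The sample profile is constructed with two deliberate defects.

```python
# Added example: lint an oim.profile (step 5.1) before running the ant seed job
# in step 5.3. Not part of the original post or of any Oracle tool.
import re

REQUIRED_KEYS = (
    "operationsDB.user", "operationsDB.password", "operationsDB.driver",
    "operationsDB.host", "operationsDB.port", "operationsDB.SID", "OIM.DBPassword",
)
PLACEHOLDER = re.compile(r"<[^>]*>")

# Constructed sample with two deliberate defects: a trailing space after the
# host value (line 4) and a placeholder that was never filled in (line 6).
SAMPLE_PROFILE = (
    "operationsDB.user=OIMUSER\n"
    "operationsDB.password=welcome1\n"
    "operationsDB.driver=oracle.jdbc.xa.client.OracleXADataSource\n"
    "operationsDB.host=dbhost.oracle.com \n"
    "operationsDB.port=1521\n"
    "operationsDB.SID=<DB SID>\n"
    "OIM.DBPassword=welcome1\n"
)


def lint_profile(text):
    """Return a list of findings for an oim.profile; an empty list means it is clean."""
    findings, props = [], {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if raw != raw.rstrip():
            findings.append(f"line {lineno}: trailing whitespace (the value would include it)")
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            findings.append(f"line {lineno}: not a key=value pair")
            continue
        key = key.strip()
        props[key] = value
        if PLACEHOLDER.search(value):
            findings.append(f"line {lineno}: {key} still contains a <placeholder>")
    for key in REQUIRED_KEYS:
        if key not in props:
            findings.append(f"missing property {key}")
    if props.get("operationsDB.port") and not props["operationsDB.port"].isdigit():
        findings.append("operationsDB.port must be numeric")
    if ("operationsDB.password" in props and "OIM.DBPassword" in props
            and props["operationsDB.password"] != props["OIM.DBPassword"]):
        findings.append("operationsDB.password and OIM.DBPassword differ; both are the OIM schema password")
    return findings


def fixed_profile(text):
    """Return the profile with trailing whitespace stripped from every line."""
    return "\n".join(line.rstrip() for line in text.splitlines()) + "\n"


if __name__ == "__main__":
    for finding in lint_profile(SAMPLE_PROFILE):
        print(finding)
```

Because the file holds the schema password in clear text, keep it readable only by the account running ant and remove it once the seed job has completed; the linter deliberately reports keys and line numbers rather than echoing values.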

Application Server and Web server

Application Server and Web server:
  • A Web server exclusively handles HTTP requests, whereas an application server serves business logic to application programs through any number of protocols.
  • A Web server mainly handles HTTP requests, while an application server can handle HTTP, RMI, TCP/IP and many more protocols. An application server likewise receives requests and returns responses, but it can also process the requests. The Web server can be considered a subset of the application server.
Difference between a web server and an application server:
  • A Web server can execute only web applications, i.e. servlets and JSPs, and has only a single container, the Web container, which interprets and executes web applications.
  • An application server can execute enterprise applications (servlets, JSPs and EJBs) and has two containers:
    • Web container (for interpreting and executing servlets and JSPs)
    • EJB container (for executing EJBs). It can perform operations such as load balancing, transaction demarcation, etc.

Architecture of Oracle Identity Manager

Architecture of Oracle Identity Manager 11g R1:

The Oracle Identity Manager architecture consists of three tiers:

  • Tier 1: Client: The Oracle Identity Manager application GUI components reside in this tier. Users log in by using the Oracle Identity Manager client. The client interacts with the Oracle Identity Manager server, providing it with the user's login credentials.
  • Tier 2: Application Server: The second tier implements the business logic, which resides in the Java Data Objects managed by the supported J2EE application server (JBoss application server, BEA WebLogic, and IBM WebSphere). The Java Data Objects implement the business logic of the Oracle Identity Manager application; however, they do not expose any methods to the outside world. Therefore, to access the business functionality of Oracle Identity Manager, you use the API layer within the J2EE infrastructure, which provides the lookup and communication mechanism.
  • Tier 3: Database: The third tier consists of the database. This is the layer responsible for managing the storage of data within Oracle Identity Manager.

Benefits of Identity Management

Centralized auditing and reporting – Know who did what and report on system usage.

Reduce IT operating costs – Immediate return on investment is realized by eliminating the use of paper forms, phone calls and wait time for new account generation and enabling user self service and password management.

Minimize Security Risk – Control access to the network and instantaneously update accounts in a complex enterprise environment including: layoffs, acquisitions, partner changes, temporary and contract workers.

Improved quality of IT services -- Legal compliance – Many government mandates require secure control of access.

Adapters in OIM 11g

Adapter:

An Adapter is a Java class that is created by an OIM user through the Adapter Factory.

Advantage:

Adapters are reusable components, which is their biggest advantage.

Types:

There are five types of Adapters in OIM:

1. Process Task Adapter
2. Task Assignment Adapter
3. Pre populate Adapter
4. Entity Adapter
5. Rule Generator Adapter

Process Task Adapter: As the name suggests, it can be attached only to a task.

Example: Suppose your provisioning workflow has one task that is used for creating a user; you can then attach a Process Task Adapter to this task that will create the user.

Task Assignment Adapter: It is used for assigning a task to a particular user or group. A Task Assignment Adapter is used when some operation must be performed to find the user to whom the task should be assigned.

Example: If you want to assign the request to a user based on the target user's attributes, you need a Task Assignment Adapter. In my OIM implementation the user has an attribute Country. The client wants requests for users from INDIA to be approved by JMD01, requests for users from USA to be approved by JMD02, and so on. In this case we have to use a Task Assignment Adapter.

Pre Populate Adapter: This adapter is used for populating a field on a form (Process/Object) with some data.

Example: I have a process form with fields like First Name, Last Name and User ID, and I want to fill these fields from the user data. We use a Pre Populate Adapter, which populates the value from the user profile into the process form field. In general terms, it copies User ID, First Name, etc. from the user profile and pastes them into the process form fields.

Entity Adapters: When you want to perform an operation on an entity like a user or group, you use Entity Adapters. They can be attached only to forms. These adapters can be used:

1. Before inserting data into the database (Pre Insert)
2. After inserting data into the database (Post Insert)
3. Before updating data in the database (Pre Update)
4. After updating data in the database (Post Update)
5. Before deleting data from the database (Pre Delete)
6. After deleting data from the database (Post Delete)

Example: The client wants to generate a default password, say 'Mani123', while creating a user. You create an entity adapter that returns the string "Mani123" and attach that adapter in Design Console > Data Object Manager > Users form on Pre-Insert, i.e. before the data is inserted into the OIM database.

Rule Generator Adapter: can populate fields automatically on an OIM form or a user-created form and save them to the OIM database based on business rules.

Difference between Event Handler and Entity Adapter

Event Handler                                  | Entity Adapter
Needs to extend the tcBaseEvent class          | No need to extend any class
Can't take any parameter from the form         | Can take any field from the form as a parameter
Can't return any value to the form             | Can return any value to any form field, depending upon the form

Forms in OIM

What are the Forms in OIM?

There are two types of forms in OIM that are used for showing and storing user data for provisioning.

Forms are:

1. Object Form
2. Process Form

Object Form: An object form is associated with a Resource Object. It is visible at the time of provisioning and is used for getting some input from the user while provisioning.

Example: A user is raising a request for some resource, say "Resource A". The client wants to store the previous company name in the target resource but does not want to store this attribute in the user's profile. So we create one object form with one field, say "Last Company Name". While raising the request for "Resource A", the user sees this form and has to fill in his last company name.

Limitation: Cannot populate target user data on an Object Form.

Process Form: This form is associated with the provisioning process of a target resource. During a provisioning process, data flows to the actual target resource from the process form only.

Features:

• Can populate target user data on the Process Form, which can be used while provisioning
• Used as best practice

Friday, May 16, 2014

JBO-25003: Object UserForm of type view object is not found in OIM

Error:

An exception appears in the Identity web console whenever you try to open the Accounts tab for a user. This exception seems to occur when a user is provisioned to an application instance and then requests the same application instance through the catalog. After the exception occurs, it is also not possible to provide any input to the child form fields in the catalog.

Solution:
  • Create a new sandbox and activate
  • Create a new form
  • Attach a new form to the existing application instance
  • Publish the sandbox

Error while publishing the Sandbox

Error:
 
 MDS-00001: exception in Metadata Services layer MDS-00165: metadata Object "/persdef/oracle/apps/cdm/foundation/parties/publicModel/persons/entity/PersonDEO.xml" has changed MDS-00164: There is a concurrent "UPDATE" operation on the document "/persdef/oracle/apps/cdm/foundation/parties/publicModel/persons/entity/mdssys/cust/Site/SITE/PersonDEO.xml.xml". MDS-00165: metadata Object "/persdef/oracle/apps/cdm/foundation/parties/personService/view/PersonDVO.xml" has changed .....
 
  
Solution:
 
Someone made concurrent changes to this object (consumer profile site/location) in MDS before you published the sandbox.

This warning exists to stop you publishing the sandbox and overwriting metadata that has already been published to MDS.

The only way to avoid this error is to delete the sandbox and redo the customizations. Publishing the sandbox as it is will trigger a DMS file corruption.

Steps:
  • Take a backup of the existing sandbox using the Export Sandbox tab in the UI.
  • Delete the current sandbox without publishing it.
  • Import the backup of the existing sandbox.
  • Publish the sandbox.

Why does publishing a sandbox make it unusable?

Solution

There are two types of sandboxes:


 1) Sandboxes intended to be published.
  These sandboxes will be merged back into the mainline code.
 2) Sandboxes intended for "test-only" purposes.
  These "test-only" sandboxes will not be published and therefore produce no concurrency conflicts between sandboxes.


Documentation about sandboxes for reference: http://docs.oracle.com/cd/E15586_01/fusionapps.1111/e16691/ext_lifecycle.htm#CHDJFFFA

Thursday, May 15, 2014

Access Policy High Level Steps

 
OIM 11g R2 PS2 Access Policy High-Level Steps:
 
Before creating an Access Policy, you must create a custom role, or you can use a default role like ALL USERS.

If you have specific criteria for the custom role, follow the steps below; otherwise skip them and go directly to the Access Policy steps.
 
Custom Role: 
  • Login to the OIM Identity Console
  • Go to <Administration> - <Roles> - <Create>
  • Enter the required details and Click on Apply
  • Click on Members tab; Click on Add Rule
  • Select the field name and click Add
  • Enter field value and click Add
  • Click on Apply to save the Rule
 Access Policy:
  • Login to the OIM sysadmin Console; Go to <Policies> - <Access Policies>
  • Create Access Policy
  • Enter the required details
  • Select the Provisioned resources and add
  • Once added, the resource moves to the right-hand box
  • Select Disable if no longer applies radio button
  • Denied resources list, if you have any
  • Select the custom role for this access policy and add it
  • Verify that all the information entered is correct
  • Click on Save to Create the access policy.

Wednesday, May 14, 2014

How GTC CSV Recon Scheduled Task in Clustered OIM work with Quartz Environment?

Below are a few questions on how scheduled tasks work in a clustered environment.

Q) Do the task run on all servers in the cluster, at the scheduled time Or does any one server run the task?


A: The task runs on only one server at a time. However, it can be any of the cluster nodes on which scheduling is enabled.


Q) A GTC CSV Recon scheduled task that looks for a CSV file in a particular server folder: Should the file be placed in a shared folder visible to all servers Or should the file be on only one of the servers?

A: The GTC CSV files for the CSV Recon need to be visible to all cluster nodes running the scheduler, so they should be placed in a shared folder visible to all servers.


Q) A custom scheduled task that generates a flat file using API calls. Will the file be generated on all servers at the scheduled time?

A: The flat file is generated only on the node that was running the task.

Q) Is Quartz automatically setup for clustering when OIM is setup in a clustered environment?


A: One needs to set <clustering> to true for the <Scheduler> in xlconfig.xml. When clustering is used, the cluster nodes (Quartz) race to get the lock on the QRTZ_LOCK table, and the one that gets the lock executes the scheduled task.

Can Users Be Completely Deleted From OIM Database?

Suppose one has created many test users in the OIM database during the testing phase of the project and would like to delete them before going into production. One can delete them through the OIM admin console, but that does not actually remove them from the DB tables; it just changes their status to 'Deleted'. Is there a way to delete the users completely?

Solution

There is no supported procedure for completely removing users from the OIM database. This is an intentional omission, since the ability to permanently delete data poses a threat from an auditing perspective.

The alternatives available are:


 1. The test users can be deleted through the OIM user interface, and their status will change to Deleted. It will not be possible to remove these deleted users completely, but by enabling XL.UserIDReuse it becomes possible to reuse the deleted users' login IDs for new users.

 2. The best option is to take a database backup before creating any test users. That way, when testing is completed, the database can be restored to the state it was in before the test users were created.

Exchange WinRM Service Issue

Issue:
 
Connecting to remote server failed with the following error message : The client cannot connect to the destination specified in the request. Verify that the service on the destination is running and is accepting requests. Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service:
 
Solution:
  1. Make sure that "Exchange Trusted Subsystem" is a member of the Domain Admins group.
  2. Make sure that all of the services below are up and running on the Exchange target system:
    • IIS Admin Service
    • Windows Remote Management (WS-Management)
    • World Wide Web Publishing Service
  3. Make sure there is an HTTP port 80 binding on the Default Web Site.

Deleting User Instead Of Disable In OIM 11g

Issue:

'Disable/Delete User After End Date' Schedule Task Deleting User Instead Of Disable In OIM 11g 

Solution:

By default, as per its definition, the "Disable/Delete User After End Date" task performs both functions, disable and delete, and which one happens is controlled by the "Period to Delay User Delete" system property.

The default value of "Period to Delay User Delete" is '0', which means that once a user reaches the end date, the user is deleted from OIM. Setting the property to a positive number delays the delete and keeps the user in Disabled status until that time.

If one wants to disable deleting altogether, one can effectively do so by setting XL.UserDeleteDelayPeriod sufficiently large.

For example, set it to 36500: 36500 days is roughly 100 years, so with this value your users will logically never be deleted.

Period to Delay User Delete

This property is used to specify the time period before deleting a user. When this property is set and a user is deleted, the user's state is changed to disabled and "automatically delete on date" is set to current date plus the delay period.

Description: "Period to Delay User Delete" 
Keyword:  XL.UserDeleteDelayPeriod
Default value: 0 (XL.UserDeleteDelayPeriod is measured in days)

Configure One-way SSL

By default, SSL is enabled and configured to use the demonstration Identity and Trust keystores. For testing and development purposes, the SSL configuration is complete.

Use the steps in this section to configure SSL for production use.

To configure SSL:
  1. Expand the Servers node.
  2. Select the name of the server for which you want to configure keystores (for example, exampleserver).
  3. Select the Configuration-->Keystores and SSL tab. Information about the demonstration Identity and Trust keystores is displayed in the Keystore Configuration.
  4. Configure new Identity and Trust keystores for WebLogic Server.
  5. Click the Change... link in the SSL Configuration to configure attributes for SSL. The Configure SSL page appears.
  6. Specify how the identity and trust for WebLogic Server is stored. The following options are available:
    • Key Stores—Use this option if you created Identity and Trust keystores for WebLogic Server. If you choose this option, go to step 8.
    • Files or Key Store Providers—Use this option if you stored private keys and trusted CA certificates in a file or in a JKS keystore accessed via the WebLogic Keystore provider (as supported in previous releases of WebLogic Server). If you choose this option, go to step 9. This option is available for backward compatibility only and is automatically set with security information from a previous release of WebLogic Server.
  7. Click Continue.
  8. Specify the alias used to load the private key into the keystore in the Private Key Alias attribute, and the password used to retrieve the private key from the keystore in the Passphrase attribute. You may have specified this information when creating the Identity keystore; however, for the purpose of SSL configuration, specify the information again.
    • Note: You do not have to specify this information for the Trust keystore because trusted CA certificates are not individually identified to WebLogic Server with aliases. All trusted CA certificates in a keystore identified as trusted by WebLogic Server are trusted. Therefore, WebLogic Server does not require an alias when retrieving a trusted CA certificate from the keystore.
  9. Specify information about the location of identity and trust for WebLogic Server.
    • Note: This step only applies if the Files or Key Store Providers option is specified.
    • Private Key File Name—The directory location of the private key for WebLogic Server. Specify a value for this attribute only if you stored the private key for WebLogic Server in a file (versus a WebLogic Keystore provider).
    • Private Key Alias—The alias specified when loading the private key for WebLogic Server from the keystore. Specify a value for this field only if you stored the private key for WebLogic Server in a keystore accessed by the WebLogic Keystore provider.
    • Passphrase—The password specified when loading the private key for WebLogic Server into the keystore. Specify a value for this field only if you stored the private key for WebLogic Server in a keystore accessed by the WebLogic Keystore provider. Confirm the password. If you protected the private key file with a password, specify the weblogic.management.pkpassword command-line argument when starting the server.
    • Server Certificate File Name—The directory location of the digital certificate for WebLogic Server. If you are using a certificate chain that is deeper than two certificates, you need to include the entire chain in PEM format in the certificate file.
    • Trusted CA File Name—The name of the file containing the PEM-encoded trusted certificate authorities.
  10. Click Continue.
  11. Click Finish.
  12. Reboot WebLogic Server.

Configuring Two-Way SSL

By default, WebLogic Server is configured to use one-way SSL (the server passes its identity to the client). 

For a more secure SSL connection, use two-way SSL. In a two-way SSL connection, the client verifies the identity and trust of the server and then passes its identity to the server. The server then validates the identity and trust of the client before completing the SSL connection. The server determines whether or not two-way SSL is used.

Before configuring two-way SSL, ensure the Trust key store for the server includes the certificate for the trusted certificate authority that signed the certificate for the client.

To enable two-way SSL:

First configure one-way SSL, then follow the steps below for two-way SSL.

  • Expand the Servers node.
  • Select the name of the server for which you want to configure two-way SSL (for example, exampleserver).
  • Select the Configuration-->Keystores and SSL tab.
  • Click the Show link under Advanced Options.
  • Go to the Server attributes section of the window.
  • Set the Two Way Client Cert Behavior attribute. 
    • The following options are available:
      • Client Certs Not Requested—The default (meaning one-way SSL).
      • Client Certs Requested But Not Enforced—Requires a client to present a certificate. If a certificate is not presented, the SSL connection continues.
      • Client Certs Requested And Enforced—Requires a client to present a certificate. If a certificate is not presented or if the certificate is not trusted, the SSL connection is terminated.
  • Click Apply.

Reboot WebLogic Server.

SSL EXCEPTIONS IN ADMIN SERVER AND NODE MANAGER

Exception: 

javax.net.ssl.SSLKeyException: [Security:090482]BAD_CERTIFICATE alert was received from oracle.test.com – xx.xxx.xx.xx. Check the peer to determine why it rejected the certificate chain (trusted CA configuration, hostname verification). SSL debug tracing may be required to determine the exact reason the certificate was rejected.

Solution:

The above exception is one of the most common exceptions encountered while setting up WebLogic Server in an environment. The message suggests possible reasons but does not say how to diagnose them.

To debug this issue, first check the certificates used by the Admin Server and the Node Manager. If the Admin Server and the Node Manager are using demo certificates, the issue can be due to an incorrect DNS mapping.

Use nslookup to check the DNS entry. For testing purposes, set the IP address as the listen address for the Admin Server and the Node Manager and see if the issue still occurs.

For diagnosis, also turn off host name verification and the basic certificate validation checks.
This is done by adding the following flags in startWeblogic.sh:

-Dssl.debug=true -Dweblogic.security.SSL.ignoreHostnameVerification=true -Dweblogic.security.SSL.enforceConstraints=off

And the following flags in startNodeManager.sh:

-Dssl.debug=true -Dweblogic.nodemanager.sslHostNameVerificationEnabled=false -Dweblogic.security.SSL.enforceConstraints=off

If the Admin Server is using custom identity and custom trust, then it is better to configure the Node Manager with custom identity and custom trust as well.

By default the Node Manager is configured with Demo Identity and Demo Trust. To change it to custom identity and custom trust, specify the following values in the nodemanager.properties file in the Node Manager home (the alias, file name and passphrase values are left for you to fill in):

KeyStores=CustomIdentityAndCustomTrust
CustomIdentityAlias=
CustomIdentityKeyStoreFileName=
CustomIdentityKeyStorePassPhrase=xxxxxx
CustomIdentityKeyStoreType=JKS
CustomIdentityPrivateKeyPassPhrase=xxxxxxx

Apply the same flags as above in the startup scripts of the Admin Server and the Node Manager.

Check from the console whether Node Manager is reachable or not.

Another option can be to use PLAIN communication between Admin Server and Node Manager.

To do this, change the Listen Type to PLAIN for the Node Manager from the console and set SecureListener=false in the nodemanager.properties file in the Node Manager home.

Please find the below URL for your reference:

http://download.oracle.com/docs/cd/E15051_01/wls/docs103/nodemgr/nodemgr_config.html#wp1101097

Reset Node Manager Username/Password

If this is the first domain on the server you might want to consider resetting the node manager credentials. This step is optional, but I feel it is neater if the node manager has different credentials to the administration servers. 

To reset the credentials, do the following:

  • Log in to the administration server (http://hostname:7001/console).
  • In the "Domain Structure" tree on the left, click on the domain name (clusterDomain).
  • Click on the "Security" tab. This should automatically put you in the "General" sub-tab.
  • Click the "Advanced" link towards the bottom of the screen.
  • If you are running in production mode, click the "Lock & Edit" button.
  • Enter the "NodeManager Username", "NodeManager Password" and "Confirm NodeManager Password", then click the "Save" button.
  • If you are running in production mode, click the "Activate Changes" button.

Keystore and Certificates in Clustered Environments

If you are working with WebLogic clusters spanning multiple machines, you have to make sure all certificates in the cluster are marked as trusted, otherwise the AdminServer will not be able to communicate with all the node managers.

Assuming you have a two node cluster, you would have to do the following.

Make sure you have followed the process described in the previous section on each of the machines making up the cluster before continuing.

Make sure all certificates are available on all nodes by copying them into the keystore folders on each server.

cd ~/keystore
scp wls11g-1.localdomain-rootCA.der oracle@wls11g-2.localdomain:/home/oracle/keystore
scp oracle@wls11g-2.localdomain:/home/oracle/keystore/wls11g-2.localdomain-rootCA.der .

On the first node, load the certificate generated on the second node into the local trust keystore using the following command.

$JAVA_HOME/jre/bin/keytool -import -v -trustcacerts -alias selfsigned2 -file wls11g-2.localdomain-rootCA.der -keystore trust.jks -storepass password1

On the second node, load the certificate generated on the first node into the local trust keystore using the following command.

$JAVA_HOME/jre/bin/keytool -import -v -trustcacerts -alias selfsigned2 -file wls11g-1.localdomain-rootCA.der -keystore trust.jks -storepass password1

You can now continue with the rest of the configuration.

Configure Node Manager Keystores

Edit the "$WL_HOME/common/nodemanager/nodemanager.properties" file and add the following entries. The values used reflect the information used to create the keystores above.

KeyStores=CustomIdentityAndCustomTrust
CustomIdentityKeyStoreType=jks
CustomIdentityKeyStoreFileName=/home/oracle/keystore/identity.jks
CustomIdentityKeyStorePassPhrase=password1
CustomIdentityPrivateKeyPassPhrase=password1
CustomIdentityAlias=selfsigned
CustomTrustKeyStoreType=jks
CustomTrustKeyStoreFileName=/home/oracle/keystore/trust.jks
CustomTrustKeyStorePassPhrase=password1

Restart the node manager.
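Added here as an example (not code from the original post or from Oracle): a small Python check for a nodemanager.properties file that catches the problems the two Node Manager sections above describe, namely a mis-cased property name that Node Manager silently ignores, a plain listener, demo keystores still in use, missing custom identity/trust entries, and passphrases not yet encrypted. The property names follow the WebLogic Node Manager documentation; the sample file content is constructed.

```python
REQUIRED_CUSTOM_KEYS = ("CustomIdentityKeyStoreFileName", "CustomIdentityKeyStorePassPhrase",
                        "CustomIdentityAlias", "CustomIdentityPrivateKeyPassPhrase",
                        "CustomTrustKeyStoreFileName")
KNOWN_KEYS = REQUIRED_CUSTOM_KEYS + ("KeyStores", "CustomIdentityKeyStoreType", "CustomTrustKeyStoreType",
                                     "CustomTrustKeyStorePassPhrase", "SecureListener")

def parse_properties(text):
    props = {}  # minimal Java .properties reader: one key=value per line, # or ! starts a comment
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def lint_nodemanager(props):
    """Return findings about the identity/trust and listener settings."""
    findings = []
    # Java properties keys are case-sensitive, so a misspelled key is silently ignored.
    canonical = {k.lower(): k for k in KNOWN_KEYS}
    for key in props:
        want = canonical.get(key.lower())
        if want and want != key:
            findings.append(f"{key} is ignored; spell it {want}")
    if props.get("SecureListener", "true").lower() == "false":
        findings.append("SecureListener=false: Admin Server to Node Manager traffic is unencrypted")
    if props.get("KeyStores") != "CustomIdentityAndCustomTrust":
        findings.append("KeyStores is not CustomIdentityAndCustomTrust: demo identity/trust in use")
    else:
        for key in REQUIRED_CUSTOM_KEYS:
            if not props.get(key):
                findings.append(f"{key} is missing or empty")
    for key in ("CustomIdentityKeyStorePassPhrase", "CustomIdentityPrivateKeyPassPhrase",
                "CustomTrustKeyStorePassPhrase"):
        value = props.get(key, "")
        if value and not value.startswith("{AES}"):  # {AES} marks a value Node Manager has encrypted
            findings.append(f"{key} is stored in plain text")
    return findings

# Constructed sample modelled on the block above, with one deliberately mis-cased key
SAMPLE = """\
KeyStores=CustomIdentityAndCustomTrust
CustomIdentityKeyStoreFileName=/home/oracle/keystore/identity.jks
CustomIdentityKeyStorePassPhrase=password1
CustomIdentityPrivateKeyPassPhrase=password1
CustomIdentityAlias=selfsigned
CustomTrustKeystoreType=jks
CustomTrustKeyStoreFileName=/home/oracle/keystore/trust.jks
SecureListener=false
"""
```

Run `lint_nodemanager(parse_properties(open("nodemanager.properties").read()))` against a real file and review the returned list before restarting the Node Manager.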

javax.net.ssl.SSLKeyException: [Security:090482]BAD_CERTIFICATE alert in Weblogic cluster

Solution:

In this case, the Admin Server and the Node Manager are using the default demo certificates. The Node Manager configuration is done using the fully qualified machine name, and the entries are present in /etc/hosts.

After trying many options to debug, I finally decided to disable Host Name Verification.

Edit both the Node Manager startup script and the WebLogic startup script and add the following lines.

1. Node Manager startup script under $WLS_HOME/wlserver_10.3/server/bin

Take a backup of the startNodeManager.sh script, then edit it and add:

JAVA_OPTIONS="${JAVA_OPTIONS} -Dweblogic.nodemanager.sslHostNameVerificationEnabled=false"
export JAVA_OPTIONS

2. Similarly, take a backup of the startWeblogic.sh script under $DOMAIN_HOME/bin and add the following entry:

JAVA_OPTIONS="${JAVA_OPTIONS} -Dweblogic.security.SSL.ignoreHostnameVerification=true"
export JAVA_OPTIONS

Restart all services. The warning is now gone and the Node Manager status of all nodes, when checked from the console page, changes to "Reachable".

Configure SSL for Managed Server

This process should be followed for the AdminServer and all managed servers.
  • In the WebLogic Server Administration Console, click on <Servers> in the <Domain Structure> tree.
  • Click on the <managed server> you wish to configure.
  • Click on the <Configuration >- <Keystores> tab and sub-tab.
  • If you are running on production mode, click the <Lock & Edit> Button.
  • Click the <Change> button next to the <Keystores> setting.
  • Select the <Custom Identity and Custom Trust> option and click the <Save> button.

  • Enter the identity details. For example.
    • Custom Identity Keystore: /home/oracle/keystore/identity.jks
    • Custom Identity Keystore Type: JKS
    • Custom Identity Keystore Passphrase: password1
    • Confirm Custom Identity Keystore Passphrase: password1

  • Enter the trust information. For example.
    • Custom Trust Keystore: /home/oracle/keystore/trust.jks
    • Custom Trust Keystore Type: JKS
    • Custom Trust Keystore Passphrase: password1
    • Confirm Custom Trust Keystore Passphrase: password1

  • Click the <Save> button.
  • Click the <SSL> tab.

  • Enter the private key details. For example.
    • Private Key Alias: selfsigned
    • Private Key Passphrase: password1
    • Confirm Private Key Passphrase: password1

  • Click the <Save> button.
  • If you are running in production mode, click the <Activate Changes> button.
  • Restart the managed server.
The managed server will now be using the new identity and trust keystores.

Tuesday, May 13, 2014

Self-Signed Certificates and Oracle Wallets

How to create Self-Signed Certificates and Oracle Wallets:

Please refer to the document below for Oracle Wallets and certificate creation:

http://docs.oracle.com/cd/E23943_01/core.1111/e10105/walletmgr.htm

Post-Installation Tasks For OIM 11G R2 PS2

Important URLs

#WebLogic Admin Console
http://localhost:7001/console
Admin User: weblogic

#SOA Infrastructure
http://localhost:8001/soa-infra
Admin User: weblogic

#Oracle Identity Manager System Administration
http://localhost:14000/sysadmin
Admin User: xelsysadm

#Oracle Identity Manager Self Service
http://localhost:14000/identity
Admin User: xelsysadm

Starting and Stopping the Servers
Note: Once the WebLogic Administration Server is running, you can go to the WebLogic Administration Console to start/stop the servers.

#Start/Stop WebLogic Administration Server
cd /home/oracle/Oracle/Middleware/user_projects/domains/domain_name/bin
./startWebLogic.sh
./stopWebLogic.sh

#Start OIM Managed Server
cd /home/oracle/Oracle/Middleware/user_projects/domains/domain_name/bin
./startManagedWebLogic.sh oim_server1
./stopManagedWebLogic.sh oim_server1

#Start SOA Managed Server
cd /home/oracle/Oracle/Middleware/user_projects/domains/domain_name/bin
./startManagedWebLogic.sh soa_server1
./stopManagedWebLogic.sh soa_server1

Enable Design Console

Create the "wlfullclient.jar" and give it the proper permissions. This file needs to be copied into "$MW_HOME/wlserver_10.3/server/lib/" and "<IDM_HOME>/Oracle_IDM1/designconsole/ext/". The WebLogic Administration Server and the "oim_server1" managed server must be running.

Execute the following commands:

cd /home/oracle/Oracle/Middleware/wlserver_10.3/server/lib/

java -jar /home/oracle/Oracle/Middleware/modules/com.bea.core.jarbuilder_1.7.0.0.jar

(OR)

Go to $Wl_Server/server/lib

Run the command java -jar Jarbuilder.jar; it generates the wlfullclient.jar file.

Assign permissions to the wlfullclient.jar file.

Copy the wlfullclient.jar file into $IDM_HOME/designconsole/ext/

To start Design Console:

cd  $IDM_HOME/designconsole

a. Go to the config folder and verify the host name or IP address in the xlconfig.xml file
b. Verify the Java path in the classpath file
c. Verify the Java location in xlclient.cmd/xlclient.sh to successfully start the Design Console

Command to start: ./xlclient.sh (for Linux)
                  ./xlclient.cmd (for Windows)

Boot Identity File for OIM 11g R1,R2

How to create Boot Identity File for OIM

Version: OIM 11.1.1.5.0, OIM 11.1.2.2.0

WebLogic contains out-of-the-box scripts to start your WebLogic server instances, such as startWebLogic.cmd and startManagedWeblogic.cmd on Windows. Whenever you run these scripts, you are prompted to enter the WebLogic administrator credentials.

What is boot identity file:

It is a file which contains user credentials for starting and stopping an instance of Weblogic Server.

Steps:

1. Create a boot.properties file under 

$MW_HOME\user_projects\domains\domain_name\servers\oimserver1\security

On windows: create boot.properties manually 
On Linux: touch boot.properties

2. In the boot.properties file, provide weblogic username and password and save the file

Example:
username=weblogic
password=enter password here

3. Start the Admin Server and then the SOA Managed Server. The boot.properties file will get encrypted and you will no longer be prompted for a username and password when starting the WebLogic Administration Server, SOA Managed Server or OIM Managed Server.

Boot Identity File for SOA

How to create Boot Identity File for SOA

Version: SOA 11.1.1.5.0, SOA 11.1.1.6.0

WebLogic contains out-of-the-box scripts to start your WebLogic server instances, such as startWebLogic.cmd and startManagedWeblogic.cmd on Windows. Whenever you run these scripts, you are prompted to enter the WebLogic administrator credentials.

What is boot identity file:

It is a file which contains user credentials for starting and stopping an instance of Weblogic Server.

Steps:

1. Create a boot.properties file under 

$MW_HOME\user_projects\domains\domain_name\servers\soaserver1\security

On windows: create boot.properties manually 
On Linux: touch boot.properties

2. In the boot.properties file, provide weblogic username and password and save the file

Example:
username=weblogic
password=enter password here

3. Start the Admin Server and then the SOA Managed Server. The boot.properties file will get encrypted and you will no longer be prompted for a username and password when starting the WebLogic Administration Server and SOA Managed Server.
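As an added example for both boot identity posts above (not code from the original posts): Python that creates boot.properties under the server's security directory with owner-only permissions, since the file holds the credentials in plain text until the first boot, and audits an existing file. The domain path is a temporary stand-in, and the {AES} prefix used to recognise values WebLogic has already encrypted is an assumption about the file format.

```python
import os
import stat
import tempfile

def boot_properties_path(domain_home, server_name):
    """Where WebLogic looks for the server's boot identity file."""
    return os.path.join(domain_home, "servers", server_name, "security", "boot.properties")

def write_boot_identity(domain_home, server_name, username, password):
    """Create boot.properties readable by the owner only; it holds plain text until first boot."""
    path = boot_properties_path(domain_home, server_name)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(f"username={username}\npassword={password}\n")
    os.chmod(path, 0o600)  # tighten a pre-existing file too
    return path

def parse_boot_properties(text):
    """Minimal key=value reader, sufficient for boot.properties."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def credential_findings(props, mode):
    """Flag loose permissions and credentials not yet encrypted ({AES} prefix assumed after first boot)."""
    return {
        "group_or_world_readable": bool(mode & 0o077),
        "has_credentials": {"username", "password"}.issubset(props),
        "username_plaintext": not props.get("username", "").startswith("{AES}"),
        "password_plaintext": not props.get("password", "").startswith("{AES}"),
    }

def audit_boot_identity(path):
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path) as fh:
        return credential_findings(parse_boot_properties(fh.read()), mode)

def demo():
    """Constructed run in a temporary stand-in for $MW_HOME/user_projects/domains/domain_name."""
    with tempfile.TemporaryDirectory() as domain_home:
        path = write_boot_identity(domain_home, "oim_server1", "weblogic", "changeit")
        return audit_boot_identity(path)

if __name__ == "__main__":
    print(demo())
```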