Friday, March 20, 2015

Bulk password update Steps for OID

Steps to follow in order to bulk-update user passwords in OID

1. Create an LDIF file with one record per user, in the format below:

    dn: cn=test1,cn=Users,dc=abc,dc=com
    changetype: modify
    replace: userPassword
    userPassword: new_password

    dn: cn=test2,cn=Users,dc=abc,dc=com
    changetype: modify
    replace: userPassword
    userPassword: new_password

   (dc=abc,dc=com is the domain of your environment)

Things to consider while creating the file:

   a) Get the correct DN form from OID. In the OID console, select any existing user, right-click the account and read its DN. For example, if it shows

      cn=mani,cn=Users,dc=abc,dc=com

   then user entries are named by cn, and each record's dn line is cn=<user>,cn=Users,dc=abc,dc=com, exactly as in the example in step 1 (for user test1: cn=test1,cn=Users,dc=abc,dc=com).

   If the DN is instead uid=mani,cn=Users,dc=abc,dc=com, the entries are named by uid and the file looks like this:

    dn: uid=test1,cn=Users,dc=abc,dc=com
    changetype: modify
    replace: userPassword
    userPassword: new_password

    dn: uid=test2,cn=Users,dc=abc,dc=com
    changetype: modify
    replace: userPassword
    userPassword: new_password

   b) Separate the records with exactly one empty line. Without the blank line ldapmodify cannot tell where one record ends and the next begins, and the load fails with an error.

   c) Make sure the password attribute is userPassword (the default attribute in OID). If your environment stores the password in a different attribute, use that attribute name on both the replace: line and the value line.

   d) Save the file as plain text with the .ldif extension and make sure there is no whitespace after the values: a trailing space on the userPassword line becomes part of the new password and the user will not be able to log in.

   e) The file contains clear-text passwords. Create it so that only the account running ldapmodify can read it, and delete it once the load has succeeded.

2. Copy the file to the OID server and run the following "ldapmodify" command against it:

    $ORACLE_HOME/bin/ldapmodify -h hostName -p port -D "cn=orcladmin" -w password -f usersPassword.ldif > passwordusers.out

   Check passwordusers.out for errors before going further. Note that -w puts the orcladmin password on the command line, where it is visible in the process list and in the shell history, so run this from a locked-down administrative account and clear the history afterwards.

3. Test that a user's password was updated by binding as that user (use the same DN form, cn= or uid=, as in the file):

    $ORACLE_HOME/bin/ldapbind -h [oid_hostName] -p [oid_port] -D "uid=test1,cn=Users,dc=abc,dc=com" -w new_password

   You should get the message "bind successful".

Saturday, March 14, 2015

Difference Between DCC and ECC in OAM

DCC : Detached Credential Collector (also known as an Authenticating WebGate), a new feature introduced in 11gR2

ECC : Embedded Credential Collector, the default 11g behavior

In OAM 10g the user submitted credentials to the WebGate, and the WebGate passed them on to the Access Server for authentication. When OAM 11g was introduced it had a different flow: the WebGate redirects the user's browser to a login page served by the OAM server itself (the embedded credential collector), so the OAM server must be reachable by end users. Companies that do not want their OAM server exposed see this as an unnecessary security exposure, and that is why Oracle added the DCC feature in OAM 11gR2.
When you configure an 11gR2 WebGate there is a check box "Allow Credential Collector Operations". With it enabled, the user's credentials are submitted to the WebGate (in the web tier) and the WebGate forwards them to the OAM server; the OAM server no longer has to be reachable from the user's browser.
DCC is the way to go nowadays: companies now have the option to keep the WebGate in the web tier and the OAM server behind it.
Access Manager supports the embedded credential collector (ECC) by default and also enables you to configure the latest WebGate to use as a detached credential collector (DCC, also known as an Authenticating WebGate).


For more detailed information, please refer the below URL :
http://www.ateam-oracle.com/part-2-custom-login-and-logout-with-detached-credential-collector-dcc/

Saturday, March 7, 2015

WebGate plug-in is unable to contact any Access Server


One of the most common errors in OAM is "WebGate plug-in is unable to contact any Access Server".

There are many possible reasons for this error. Most of the time the cause is environment-specific, so there is no single standard solution.

In practice, however, the issue is resolved once the following points have been verified:

1. As the error states, the WebGate cannot reach the Access Server, so start with the network path between them. Check whether a firewall is blocking or terminating the connection between the WebGate host and the Access Server (long-lived connections are a frequent victim of firewall idle timeouts).

2. Check that the Access Server is up and listening by running netstat on the Access Server host and looking for the Access Server IP and port.

3. Check whether other WebGates connected to the same Access Server are able to reach it. If they can, the Access Server itself is ruled out as the problem.

4. Restart the Access Server and the web server. If restarting resolves the issue, the old connections were stale: restarting the Access Server terminates them and the WebGate establishes fresh ones.

5. Make sure all the components in the OAM architecture are working fine, for example the directory server, load balancer, firewalls and database.

6. If it is a new installation, verify the clock settings on the Access Server host and the WebGate host. The Access Server clock must be ahead of (or synchronized with) the WebGate clock; keeping both hosts on NTP avoids the problem.

7. Open the WebGate diagnostic page: http(s)://hostname:port/access/oblix/apps/webgate/bin/webgate.cgi?progid=1. If the page does not load, the WebGate is not installed correctly. Because the page reveals the WebGate's configuration, restrict access to it to administrators.

8. If the Access Server and WebGate are configured in Cert mode, check that the certificates are valid: not expired, issued by the expected CA, and matching on both sides.

9. Change the log level to TRACE and examine the oblog.log file on both the Access Server and the WebGate. Set the level back afterwards; TRACE logging is very verbose and costs performance.
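The following script is an added example, not part of the original post: it automates three of the checks above, parsing netstat output for the Access Server port (point 2), attempting a TCP connection from the WebGate host to the Access Server (point 1) and applying the clock rule from point 6. The Access Server host 10.0.0.5 and port 6021 are assumed values (6021 is only the OAM 10g default; use the port from your WebGate configuration), SAMPLE_NETSTAT is constructed output, and the 60-second skew tolerance is an assumption of this script rather than a documented OAM limit.

```python
import socket
import time

# Assumed Access Server host/port for the checks below (the real values come
# from your WebGate configuration; 6021 is only the OAM 10g default port).
ACCESS_SERVER_HOST = "10.0.0.5"
ACCESS_SERVER_PORT = 6021

# Constructed `netstat -an` output as it might look on the Access Server host:
# the server is listening on 6021 and has two live WebGate connections.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:6021           0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:6021           10.0.1.20:51234         ESTABLISHED
tcp        0      0 10.0.0.5:6021           10.0.1.21:40987         TIME_WAIT
tcp        0      0 10.0.0.5:6021           10.0.1.22:40111         ESTABLISHED
"""


def netstat_summary(netstat_output, port):
    """Point 2: parse netstat output and report whether anything is LISTENing
    on the Access Server port, plus a count of the other sockets on that port
    by state (ESTABLISHED ones are WebGate connections; a pile of TIME_WAIT or
    SYN_RECV entries suggests connections are being dropped)."""
    listening = False
    states = {}
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] not in ("tcp", "tcp6"):
            continue  # header lines, UDP, unix sockets
        local_addr, state = parts[3], parts[5]
        if not local_addr.endswith(f":{port}"):
            continue
        if state == "LISTEN":
            listening = True
        else:
            states[state] = states.get(state, 0) + 1
    return listening, states


def tcp_reachable(host, port, timeout=3.0):
    """Point 1: from the WebGate host, can a TCP handshake to the Access
    Server port complete? False means a firewall, a routing problem or a
    server that is not listening; True only proves the network path, not
    that the Access Server will accept the WebGate."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def clock_skew_ok(access_server_epoch, webgate_epoch, max_skew_seconds=60):
    """Point 6: the Access Server clock must not be behind the WebGate clock.
    The upper bound is an assumed sanity tolerance, not a documented OAM
    limit; the real fix is NTP on both hosts."""
    delta = access_server_epoch - webgate_epoch
    return 0 <= delta <= max_skew_seconds


if __name__ == "__main__":
    listening, states = netstat_summary(SAMPLE_NETSTAT, ACCESS_SERVER_PORT)
    print(f"listening on {ACCESS_SERVER_PORT}: {listening}, sockets by state: {states}")
    print(f"tcp reachable: {tcp_reachable(ACCESS_SERVER_HOST, ACCESS_SERVER_PORT)}")
    # In real use, take the Access Server's epoch time from that host
    # (for example `date +%s`) and compare it with the WebGate host's clock.
    print(f"clock ok: {clock_skew_ok(time.time(), time.time())}")
```

Run netstat_summary on the Access Server host with real `netstat -an` output and tcp_reachable on the WebGate host; if the server is listening and has other WebGates ESTABLISHED but this host cannot connect, the problem is on the path between them (point 1), and if nothing is listening at all, the Access Server process is the place to look (point 2).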