
Sunday, January 29, 2017

java.security.AccessControlException: access denied ("oracle.security.jps.service.credstore.CredentialAccessPermission" "context=SYSTEM,mapName=oim,keyName=OIMSchemaPassword" "read")

Issue:
java.security.AccessControlException: access denied ("oracle.security.jps.service.credstore.CredentialAccessPermission" "context=SYSTEM,mapName=oim,keyName=OIMSchemaPassword" "read")
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:366)
        at java.security.AccessController.checkPermission(AccessController.java:560)
        at oracle.security.jps.util.JpsAuth$AuthorizationMechanism$3.checkPermission(JpsAuth.java:458)
        at oracle.security.jps.util.JpsAuth.checkPermission(JpsAuth.java:518)
        at oracle.security.jps.util.JpsAuth.checkPermission(JpsAuth.java:544)
        Truncated. see log file for complete stacktrace
Caused By: java.security.AccessControlException: access denied ("oracle.security.jps.service.credstore.CredentialAccessPermission" "context=SYSTEM,mapName=oim,keyName=OIMSchemaPassword" "read")
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:366)
        at java.security.AccessController.checkPermission(AccessController.java:560)
        at oracle.security.jps.util.JpsAuth$AuthorizationMechanism$3.checkPermission(JpsAuth.java:458)
        at oracle.security.jps.util.JpsAuth.checkPermission(JpsAuth.java:518)
        at oracle.security.jps.util.JpsAuth.checkPermission(JpsAuth.java:544)
        Truncated. see log file for complete stacktrace

Fix/Resolution:

1. Take a backup of the weblogic.policy file so you can recover easily if anything goes wrong.
   a. Go to $WLS_HOME/server/lib/weblogic.policy
   b. cp weblogic.policy weblogic.policy_backup

2. Add the following lines at the end of the weblogic.policy file:

grant codeBase "file:$MW_HOME/patch_wls1036/patch_jars/*" {
    permission java.security.AllPermission;
};

3. Take a backup of the system-jazn-data.xml file so you can recover easily if anything goes wrong.
   a. Go to $DOMAIN_HOME/config/fmwconfig/system-jazn-data.xml
   b. cp system-jazn-data.xml system-jazn-data.xml_backup

4. Add the following lines at the end of the $DOMAIN_HOME/config/fmwconfig/system-jazn-data.xml file:

<grant>
  <grantee>
    <codesource>
      <url>file:${wls.home}/../../patch_wls1036/patch_jars/*</url>
    </codesource>
  </grantee>
  <permissions>
    <permission>
      <class>oracle.security.jps.service.credstore.CredentialAccessPermission</class>
      <name>context=SYSTEM,mapName=oim,keyName=*</name>
      <actions>read,write</actions>
    </permission>
  </permissions>
</grant>
5. Restart the Admin and managed servers.

NOTE: MW_HOME varies from environment to environment, depending on your installation path.
A similar solution applies to other components such as OAM/OIF/OID.
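To check the resulting policy before restarting the servers, here is an added Python example (not from the original post) that parses the <grant> entries of a system-jazn-data.xml, confirms that a codesource is covered for the exact permission named in the stack trace, and flags grants broader than that (wildcard key names, write access). The XML inside it is a constructed sample modelled on the grant above; the second, narrower grant and its URL are assumptions added for comparison.

```python
import xml.etree.ElementTree as ET

CREDSTORE_PERM = "oracle.security.jps.service.credstore.CredentialAccessPermission"
# Constructed sample: the grant from the fix above plus a narrower (assumed) grant to compare against.
SAMPLE_JAZN = """<jazn-data><policy-store><jazn-policy>
  <grant>
    <grantee><codesource><url>file:${wls.home}/../../patch_wls1036/patch_jars/*</url></codesource></grantee>
    <permissions><permission>
      <class>oracle.security.jps.service.credstore.CredentialAccessPermission</class>
      <name>context=SYSTEM,mapName=oim,keyName=*</name>
      <actions>read,write</actions>
    </permission></permissions>
  </grant>
  <grant>
    <grantee><codesource><url>file:${domain.home}/constructed/narrow.jar</url></codesource></grantee>
    <permissions><permission>
      <class>oracle.security.jps.service.credstore.CredentialAccessPermission</class>
      <name>context=SYSTEM,mapName=oim,keyName=OIMSchemaPassword</name>
      <actions>read</actions>
    </permission></permissions>
  </grant>
</jazn-policy></policy-store></jazn-data>"""

def parse_grants(xml_text):
    """Return [(codesource_url, [(perm_class, name, actions), ...]), ...], one entry per <grant>."""
    root = ET.fromstring(xml_text)
    for el in root.iter():  # drop any namespace prefix so the paths below also work on a real file
        el.tag = el.tag.split("}", 1)[-1]
    grants = []
    for grant in root.iter("grant"):
        url = (grant.findtext("grantee/codesource/url") or "").strip()
        perms = [tuple((p.findtext(tag) or "").strip() for tag in ("class", "name", "actions"))
                 for p in grant.findall("permissions/permission")]
        grants.append((url, perms))
    return grants

def _fields(name):
    """Split 'context=SYSTEM,mapName=oim,keyName=*' into {'context': 'SYSTEM', ...}."""
    return dict(part.split("=", 1) for part in name.split(",") if "=" in part)

def grant_covers(xml_text, url, needed_name, action):
    """True if some grant for `url` allows `action` on `needed_name`; a '*' field in the grant matches any value."""
    need = _fields(needed_name)
    for grant_url, perms in parse_grants(xml_text):
        if grant_url != url:
            continue
        for perm_class, name, actions in perms:
            if perm_class != CREDSTORE_PERM or action not in [a.strip() for a in actions.split(",")]:
                continue
            if all(_fields(name).get(k) in ("*", v) for k, v in need.items()):
                return True
    return False

def audit_grants(xml_text):
    """Flag credential-store grants wider than the single 'read' of one key the stack trace asked for."""
    findings = []
    for url, perms in parse_grants(xml_text):
        for perm_class, name, actions in perms:
            if perm_class != CREDSTORE_PERM:
                continue
            if "*" in name:
                findings.append((url, "wildcard credential name: " + name))
            if "write" in [a.strip() for a in actions.split(",")]:
                findings.append((url, "write access: " + name))
    return findings
```

Run audit_grants over the real file after editing it; anything it reports is a grant wider than the exception required.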

Hope this post helps you to resolve this issue.

Thank you for reading my blog!!

Wednesday, December 9, 2015

Creating a wlfullclient.jar and Design console configuration


Use the following steps to create a wlfullclient.jar file:

   1. Change directory to the server/lib directory:

         cd $WL_HOME/server/lib

   2. Use the following command to create wlfullclient.jar in the server/lib directory:

         java -jar wljarbuilder.jar

   3. The wlfullclient.jar file will be created under $WL_HOME/server/lib.

   4. You can now copy and bundle the wlfullclient.jar into the $OIM_HOME/designconsole/lib and $OIM_HOME/designconsole/ext folders.

   5. Add the wlfullclient.jar to the client application's class path.

Note: The wlfullclient.jar generation procedure is the same in OIM on both Windows and Linux platforms.

Hope this helps you!!

javax.security.auth.login.LoginException in OIM Design Console


Issue:

javax.security.auth.login.LoginException: java.lang.RuntimeException: Failed to instantiate MD5 SecureRandom: Unsupported algorithm

The javax.security.auth.login.LoginException: java.lang.RuntimeException: Failed to instantiate MD5 SecureRandom: Unsupported algorithm exception is thrown after clicking the Login Button in the Oracle Identity Manager Design Console.

Error:

Error Keyword: DAE.LOGON_DENIED
Description: Invalid Login.
Remedy: Contact your system administrator.
Action: E
Severity: H
Help URL:
Detail:
javax.security.auth.login.LoginException: java.lang.RuntimeException: Failed to instantiate MD5 SecureRandom: Unsupported algorithm, MD5Random, selected for FIPS140 mode: FIPS140_SSL
at com.certicom.tls.interfaceimpl.TLSSystem.getRandomNumberGenerator(Unknown Source)
at com.certicom.tls.record.handshake.MessageRandom.initialize(Unknown Source)
at com.certicom.tls.record.handshake.MessageRandom.<init>(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.startHandshake(Unknown Source)
at com.certicom.tls.interfaceimpl.TLSConnectionImpl.startHandshake(Unknown Source)
at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
at com.certicom.tls.record.WriteHandler.write(Unknown Source)
at com.certicom.io.OutputSSLIOStreamWrapper.write(Unknown Source)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:66)
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:124)
at java.io.DataOutputStream.flush(DataOutputStream.java:107)
at weblogic.rjvm.t3.MuxableSocketT3.connect(MuxableSocketT3.java:406)
at weblogic.rjvm.t3.ConnectionFactoryT3S.createConnection(ConnectionFactoryT3S.java:44)
at weblogic.rjvm.ConnectionManager.createConnection(ConnectionManager.java:1784)
at weblogic.rjvm.ConnectionManager.findOrCreateConnection(ConnectionManager.java:1424)
at weblogic.rjvm.ConnectionManager.bootstrap(ConnectionManager.java:443)
at weblogic.rjvm.ConnectionManager.bootstrap(ConnectionManager.java:322)
at weblogic.rjvm.RJVMManager.findOrCreateRemoteInternal(RJVMManager.java:254)
at weblogic.rjvm.RJVMManager.findOrCreate(RJVMManager.java:197)
at weblogic.rjvm.RJVMFinder.findOrCreateRemoteServer(RJVMFinder.java:238)
at weblogic.rjvm.RJVMFinder.findOrCreateInternal(RJVMFinder.java:200)
at weblogic.rjvm.RJVMFinder.findOrCreate(RJVMFinder.java:170)
at weblogic.rjvm.ServerURL.findOrCreateRJVM(ServerURL.java:153)
at weblogic.rjvm.ServerURL.findOrCreateRJVM(ServerURL.java:96)
at weblogic.security.auth.Authenticate.authenticate(Authenticate.java:80)
at weblogic.security.auth.login.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:184)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:684)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
at Thor.API.Security.LoginHandler.weblogicLoginHandler.login(weblogicLoginHandler.java:62)
at oracle.iam.platform.OIMClient.login(OIMClient.java:134)
at oracle.iam.platform.OIMClient.login(OIMClient.java:114)
at com.thortech.xl.client.base.tcAppWindow.internalLogin(tcAppWindow.java:585)
at com.thortech.xl.client.base.tcAppWindow.login(tcAppWindow.java:504)
at com.thortech.xl.client.base.tcAppWindow.<init>(tcAppWindow.java:118)
at com.thortech.xl.client.base.tcAppWindow.main(tcAppWindow.java:174)

Solution 1:

The cryptoj.jar file (shipped in $WLS_HOME/lib) is missing from the Design Console's ext directory. Copy the cryptoj.jar file from $WLS_HOME/lib to the $OIM_HOME/designconsole/ext directory.

Solution 2:

If cryptoj.jar is present and you still get the login error, try the following options:

1. Create the wlfullclient.jar file and copy it to the Design Console lib and ext directories.

2. Verify that the OIM username and password you provided are correct.

Hope this helps you!

Enabling the SSL Oracle Identity Manager Design Console


To enable SSL for the Oracle Identity Manager Design Console, follow the steps below:

1. Configuring the OIM Design Console

The following tasks need to be performed to enable SSL for the Oracle Identity Manager Design Console:

1.1 Copy Jar Files

1.1.1 Log in to the OIM server.
1.1.2 Copy webserviceclient+ssl.jar and cryptoj.jar from $WLS_HOME/lib to the $OIM_ORACLE_HOME/designconsole/ext directory.

1.2 Configuring classpath.sh


1.2.1 Go to the $OIM_ORACLE_HOME/designconsole directory, edit the classpath.sh file and add the following content before $CLASSPATH:

:./ext/cryptoj.jar:./ext/webserviceclient+ssl.jar

1.2.2 Define the TRUSTSTORE_LOCATION variable in the classpath.sh file (a shell assignment takes no spaces around the =):

TRUSTSTORE_LOCATION="OIM Trust Store.jks"

export TRUSTSTORE_LOCATION

1.3 Configuring xlconfig.xml


1.3.1 Go to the $OIM_ORACLE_HOME/designconsole/config directory and edit the xlconfig.xml file.

1.3.2 Modify the following parameters

<ApplicationURL>https://localhost:<sslport>/xlWebApp/loginWorkflowRenderer.do</ApplicationURL>

<java.naming.provider.url>t3s://localhost:<sslport>/oim</java.naming.provider.url>

1.4 Configuring xlclient.sh


1.4.1 Go to the $OIM_ORACLE_HOME/designconsole/ directory, edit the xlclient.sh file and add the following content if you are using a self-signed certificate or the root certificate is not from a trusted certificate authority.

1.4.1.1 Turn off the SSL constraints
-Dweblogic.security.SSL.enforceConstraints=off \

1.4.1.2 Turn off host name verification
-Dweblogic.security.SSL.ignoreHostnameVerification=true \

1.4.1.3 Prevent the change of the default Random Number Generator
The change of the default Random Number Generator shows up in the log as follows:

<Dec 05, 2015 11:51:50 AM IST> <Info> <Security> <BEA-090906> <Changing the default Random Number Generator in RSA CryptoJ from ECDRBG to FIPS186PRNG. To disable this change, specify -Dweblogic.security.allowCryptoJDefaultPRNG=true>

To disable this change (and the log message), add the following flag:

-Dweblogic.security.allowCryptoJDefaultPRNG=true \


1.4.1.4 Debug the SSL Parameters
-Dssl.debug=true \

-Dweblogic.StdoutDebugEnabled=true \

1.5 Sample xlclient.sh file

After configuring the xlclient.sh file, its content should look like the following:

java -DXL.ExtendedErrorOptions=TRUE \
-DXL.HomeDir=. -Djava.security.policy=config/xl.policy \
-Djava.security.manager -Djava.security.auth.login.config=config/authwl.conf \
-Dlog4j.configuration=config/log.properties \
-Dweblogic.security.SSL.trustedCAKeyStore="$TRUSTSTORE_LOCATION" \
-Dweblogic.security.SSL.enforceConstraints=off \
-Dweblogic.security.SSL.ignoreHostnameVerification=true \
-Dweblogic.security.allowCryptoJDefaultPRNG=true \
-Dssl.debug=true \
-Dweblogic.StdoutDebugEnabled=true \
-cp $CLASSPATH com.thortech.xl.client.base.tcAppWindow -server server

Monday, November 9, 2015

OIM Interview Questions

  1. What are the new features in PS3?
  2. What are the differences between PS2 and PS3?
  3. How do you identify rogue account creation in target system?
  4. What is the high level architecture of OIM 11g R2?
  5. List out difference between OIM 9.1 and 11g and possibly 11gR2
  6. What are the new features in 11gR2 PS2 , PS3
  7. How do you save a multi-valued attribute in a process form, and how does the linking happen between the process form and the child form (one child form per multi-valued attribute)?
  8. Can we still use entity adapters in OIM 11g
  9. What is plugin service in oim 11g/ what is the orchestration service in oim 11g.
  10. What is the difference between entity match found and process match found?
  11. What are service accounts in oim?
  12. Why remote manager is used?
  13. What is a connector server and types of connector server available?
  14. What is ICF, ICF architecture?
  15. Why is a connector server (ICF) used? Can a connector server replace Remote Manager? What types of connector server are there? Which OOTB connectors are ICF-based now in 11g?
  16. What is Lookup.USR_PROCESS_TRIGGERS, how data flow happens during provisioning.
  17. How will you develop a custom connector from scratch? List all the components involved.
  18. What are the different types of adapters and under which circumstances they are used.
  19. List some OIM API Java classes. How do we initialize the API before we can use it (for example tcUserOperationsIntf)?
  20. List some differences in api classes / new classes from 11g point of view
  21. How you create a plugin in oim 11g (packaging, registration, MDS seeding etc.)
  22. Difference between execute and bulk Execute in post process handler and under which scenarios they are used?
  23. Can preprocess event handler be used during trusted user recon
  24. Email templates are now removed in oim 11g and how do we send emails in oim 11g?
  25. What are notification templates, notification resolvers, notification event xml file registration?
  26. Oim 9.1 - formmetadata.xml - why we use it and what all is possible by changing/configuring it.
  27. How do you modify self-registration page in 11g?
  28. A lot of questions on MDS: how we use it, what configuration objects are stored, the structure of configuration objects, oim-config.xml; list some very common file names.
  29. What is the difference between object form and process form (9.1)
  30. What has replaced object form in 11g?
  31. What is the difference between approval policy, authorization policy and access policy?
  32. How do we deploy the SOA workflows in 11g?
  33. What is the basic Request Templates model, how are they extended to create custom ones, and how is authorization enforced while defining a new one? Is it possible that only a certain set of users can see certain request templates? (Yes.)
  34. How do you create a custom scheduled task in OIM 11g?
  35. How do you create a custom plugin in OIM 11g?
  36. What performance improvement measures have been implemented in OIM 11g in terms of reconciliation?
  37. How do you use task assignment adapter in OIM?
  38. Under what circumstances spml is used?
  39. Attestation - Why / what / when / how?
  40. Certification - Why / what / when / how?
  41. List out the difference between LDAP sync and OID Connector when both can essentially sync the user info between oim and OID (11g )
  42. How can you disable certain menu item on OIM 11g R2 PS2 based on the user's role?
  43. What is request dataset status change plugin and how do you use it?
  44. What is request dataset validator plugin and how do you use it?
  45. What are application instances, disconnected applications?
  46. What is a sandbox and how will you go about doing sandbox management, its issues and limitations?
  47. What is a dynamic organization and how do we use it ?
  48. Pre Process Event Handlers are applicable on what all entities and event types?
  49. What is a catalog, what all it contains, how do you publish item to a catalog, how will you do catalog management?
  50. What is a public task flow and how do you develop and use it in OIM?
  51. What is Access Policy Harvesting and how will you set it up?
  52. Difference between OIM 11g R1 and OIM 11g R2?
  53. Difference between OIM 10g and OIM 11g R2?
  54. What is Request Catalog?
  55. What is Request Profile?
  56. Difference between Application Instance and Resource Object?
  57. What are Admin Roles?
  58. Experience with UI Customization in OIM 11g R2?
  59. Experience with ICF Connector?
  60. Experience in upgrading existing OIM implementation to OIM 11g R2?
  61. List of connectors which you have worked on?
  62. High level steps for Custom Connector?
  63. What are Archival Utilities?
  64. How do you hide Admin Links for End Users from Identity Console?
  65. What are factors which one should keep in mind for upgrade project?
  66. How will you plan an upgrade project?
Hope the above interview questions help you!

Friday, October 2, 2015

How do I enable Java in my web browser?

Cause
Java is not enabled in the web browser. If Java is already installed but applets do not work, you need to enable Java through your web browser.

Solution
If you recently installed Java, you may need to restart your browser (close all browser windows and re-open), in order for the browser to recognize the installation.

In addition, make sure Java content in the browser is enabled through the Java Control Panel.

Follow these instructions to enable Java through your web browser.
Internet Explorer
  1. Click Tools and then Internet Options
  2. Select the Security tab, and select the Custom Level button
  3. Scroll down to Scripting of Java applets
  4. Make sure the Enable radio button is checked
  5. Click OK to save your preference
Chrome
Chrome browser versions 42 and above: starting with Chrome version 42 (released April 2015), Chrome has disabled the standard way in which browsers support plugins.

Firefox
  1. Open the Firefox browser or restart it, if it is already running
  2. From the Firefox menu, select Tools, then click the Add-ons option
  3. In the Add-ons Manager window, select Plugins
  4. Click Java (TM) Platform plugin (Windows) or Java Applet Plug-in (Mac OS X) to select it
  5. Check that the option selected is Ask to Activate or Always Activate or on older Firefox versions, click on the Enable button (if the button says Disable, Java is already enabled)
Safari
  1. Click on Safari and select Preferences
  2. Choose the Security option
  3. Select Allow Plug-ins, then click on Manage Website Settings
  4. Click on the Java item, select an option (Ask, Allow or Allow Always) from the pulldown list When visiting other websites
  5. Click Done, then close the Safari Preferences window
Opera 4.x and Up
  1. Opera for Windows does not use the installed Java, but an embedded version already inside the Opera web browser.
  2. Opera for other platforms may support Java. Please consult your Opera platform documentation.
  3. For further information, please review the following Opera Support article:
    Support for Java software in Opera

How do I enable Java through the Control Panel?

Cause:

The Java content in the browser is disabled in the Java Control Panel.
If Java is already installed but applets do not work, you may need to check and see if Java is enabled.

Solution:
To see whether your browser is configured to use Java, check your settings in the Java Control Panel. 


  1. In the Java Control Panel, click the Security tab.
  2. Select the option Enable Java content in the browser.
  3. Click Apply and then OK to confirm the changes.
  4. Restart the browser to enable the changes.
Note: Applicable to all Windows and Macintosh OS X environments.

Monday, July 27, 2015

How to Create Custom Scheduler Job in OIM 11g R2 PS2


Below are the high-level steps to create a custom scheduler job in OIM:

1. Prepare custom Java code which extends TaskSupport.
2. Make a jar file.
3. Prepare the plugin.xml file:

<?xml version="1.0" encoding="UTF-8"?>
<oimplugins xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <plugins pluginpoint="oracle.iam.scheduler.vo.TaskSupport">
        <plugin pluginclass="com.test.iam.tasks.TestScheduledTask" version="1.0" name="TestScheduledTask"/>
    </plugins>
</oimplugins>

4. Prepare the <Classname>.xml file (adapt it to your requirements):

<?xml version="1.0" encoding="UTF-8"?>
<scheduledTasks xmlns="http://xmlns.oracle.com/oim/scheduler">
  <task>
    <name>Test Scheduled Task</name>
    <class>com.test.iam.tasks.TestScheduledTask</class>
    <description>Test Scheduled Task</description>
    <retry>1</retry>
    <parameters>
      <string-param required="true" helpText="Input File">Input File</string-param>
      <string-param required="true" helpText="Delimiter">Delimiter</string-param>
    </parameters>
  </task>
</scheduledTasks>

5. Structure of the scheduled task zip file:
   a. lib/<classname>.jar
   b. plugin.xml
   c. META-INF/<classname>.xml
   d. Create the <classname>.zip file
6. Move the created zip file into the OIM server plugins path ($OIM_HOME/Server/plugins).
7. Register the plugin using the "ant" utility (make sure you have set up the ant.properties file properly).
8. Verify whether the plugin was updated successfully in the OIM DB:

   select * from plugins where NAME='complete package name with class';

9. Create the custom scheduled task in OIM by logging in to the OIM System Administration console.
10. Go to Scheduler under System Management.
11. Click Create new.
12. Provide the required details and select the Task (available under the name given inside the scheduler XML file).
13. It will show up in Scheduled Tasks; run that job.
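As an added example (not from the original post), the following Python script assembles the zip from steps 3 to 5 in memory and checks it before registration: plugin.xml at the root, a jar under lib/, the task definition under META-INF/, a pluginclass that matches the task's class, and no stray whitespace in the class name (a copy-paste defect that makes the class unloadable). The file names and the class com.test.iam.tasks.TestScheduledTask are the constructed ones from the post; the jar entry is an empty placeholder.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

TASK_POINT = "oracle.iam.scheduler.vo.TaskSupport"
# Constructed files mirroring the plugin.xml and <Classname>.xml shown in steps 3 and 4.
PLUGIN_XML = """<?xml version="1.0" encoding="UTF-8"?>
<oimplugins xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <plugins pluginpoint="oracle.iam.scheduler.vo.TaskSupport">
    <plugin pluginclass="{cls}" version="1.0" name="TestScheduledTask"/>
  </plugins>
</oimplugins>"""
TASK_XML = """<?xml version="1.0" encoding="UTF-8"?>
<scheduledTasks xmlns="http://xmlns.oracle.com/oim/scheduler">
  <task>
    <name>Test Scheduled Task</name>
    <class>com.test.iam.tasks.TestScheduledTask</class>
    <parameters>
      <string-param required="true" helpText="Input File">Input File</string-param>
      <string-param required="true" helpText="Delimiter">Delimiter</string-param>
    </parameters>
  </task>
</scheduledTasks>"""

def build_plugin_zip(pluginclass):
    """Assemble the archive in memory in the lib/ + plugin.xml + META-INF/ layout of step 5."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("plugin.xml", PLUGIN_XML.format(cls=pluginclass))
        zf.writestr("lib/TestScheduledTask.jar", b"")  # stands in for the compiled jar
        zf.writestr("META-INF/TestScheduledTask.xml", TASK_XML)
    return buf.getvalue()

def validate_plugin_zip(data):
    """Return the problems found; an empty list means the archive is consistent."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if "plugin.xml" not in names:
            return ["plugin.xml missing at the archive root"]
        if not any(n.startswith("lib/") and n.endswith(".jar") for n in names):
            problems.append("no jar under lib/")
        plugins = ET.fromstring(zf.read("plugin.xml")).find("plugins")
        if plugins is None or plugins.get("pluginpoint") != TASK_POINT:
            problems.append("pluginpoint is not " + TASK_POINT)
        entry = plugins.find("plugin") if plugins is not None else None
        pluginclass = entry.get("pluginclass", "") if entry is not None else ""
        if any(c.isspace() for c in pluginclass):  # the class loader would fail on this name
            problems.append("pluginclass contains whitespace: %r" % pluginclass)
        task_classes = []
        for n in names:
            if n.startswith("META-INF/") and n.endswith(".xml"):
                root = ET.fromstring(zf.read(n))
                for el in root.iter():  # strip the scheduler default namespace
                    el.tag = el.tag.split("}", 1)[-1]
                task_classes += [(t.findtext("class") or "").strip() for t in root.iter("task")]
                for param in root.iter("string-param"):
                    if param.get("required") == "true" and not (param.text or "").strip():
                        problems.append(n + ": required parameter has no name")
        if not task_classes:
            problems.append("no <task> definition under META-INF/")
        elif "".join(pluginclass.split()) not in task_classes:
            problems.append("pluginclass %r does not match task class %s" % (pluginclass, task_classes))
    return problems
```

Point validate_plugin_zip at the bytes of your real archive before running the ant registration; the query in step 8 then confirms the same class name landed in the PLUGINS table.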