Monday May 20, 2013

OIM11gR2: Issue with (request form prepop Vs process form prepop)


Pre-populating known information on a request form during a provisioning operation is a very common need. OIM 11g R2 supports request form pre-population using the plug-in concept. The plug-in point is "oracle.iam.request.plugins.PrePopulationAdapter". A sample entry in plugin.xml is shown here:

<oimplugins>
  <plugins pluginpoint="oracle.iam.request.plugins.PrePopulationAdapter">
    <plugin pluginclass="PrePopulateUserLogin" version="1.0" name="PrePopulateUserLogin">
      <metadata name="PrePopulationAdapater">
        <value>PrepopTestApp::User Login|FileTransfer::Account Login</value>
      </metadata>
    </plugin>
  </plugins>
</oimplugins>


The class PrePopulateUserLogin is used to maintain the logic to fetch and return the value of User Login.

The returned value is populated on the attributes mentioned in the <value> element of the snippet above. They are the 'User Login' field on the 'PrepopTestApp' application and the 'Account Login' field on the 'FileTransfer' application.

If the plug-in class cannot fetch a value for User Login, it may be programmed to return a blank/empty string. On its own this looks smooth and robust enough. However, it becomes an issue if you also have logic to pre-populate the same attribute using a pre-populate adapter attached to the process form.


The User Login is returned blank by the request form pre-populate code. The request is submitted with a blank User Login value. Say the request has gone through the required approvals.

The process form pre-populate adapter gets triggered because the 'User Name' attribute is blank. Any OIM developer can state that, once the pre-populate adapter is triggered and returns a value, the value is populated on the process form. Surprisingly, this doesn't happen in this case.

The adapter is triggered and a value is returned, but the form is not populated. If your User Name attribute is mandatory on the process form, your account stays in Provisioning state and you can see from the Resource History that 'System Validation' is pending. Try this out!!!


At least I felt that it is a good discovery. The solution is simple.

In your request form pre-population logic, if you don't find a value to return, return null instead of a blank string.

Case 1: If we do this, the process form pre-pop triggers but will not set a value. The weird thing is that since it is triggered, it should set the fetched value, but it doesn't.

if (attrValue != null)
    return attrValue;
return "";

Case 2: The process form pre-populate gets triggered and sets a value.

if (attrValue != null)
    return attrValue;
return null;


This means that for request form pre-populate we should return null if the source attribute value is either blank or null.
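The following is an added example (not the blog's own code) of a request-form pre-population adapter that applies the rule above: a null or blank source value is returned as null, never as "". The class name and plug-in point are from the post; the UserManager lookup of the beneficiary's login is an assumption about how the value is fetched.

```java
import java.io.Serializable;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import oracle.iam.identity.usermgmt.api.UserManager;
import oracle.iam.identity.usermgmt.api.UserManagerConstants;
import oracle.iam.identity.usermgmt.vo.User;
import oracle.iam.platform.Platform;
import oracle.iam.request.plugins.PrePopulationAdapter;
import oracle.iam.request.vo.Beneficiary;
import oracle.iam.request.vo.RequestData;

public class PrePopulateUserLogin implements PrePopulationAdapter {

    /**
     * Normalises the fetched value for the request form: null, "" and
     * whitespace-only input all become null, so the process form pre-populate
     * adapter can still set the attribute later. Pure function, needs no OIM runtime.
     */
    public static String normalizeForRequestForm(String attrValue) {
        if (attrValue == null || attrValue.trim().isEmpty()) {
            return null;            // Case 2 of the post: field is left truly empty
        }
        return attrValue.trim();
    }

    @Override
    public Serializable prepopulate(RequestData requestData) {
        String login = null;
        List<Beneficiary> beneficiaries = requestData.getBeneficiaries();
        // Only pre-populate a single-beneficiary request; a bulk request has no
        // single User Login to fill in, so the field is left for the process form.
        if (beneficiaries != null && beneficiaries.size() == 1) {
            login = lookupUserLogin(beneficiaries.get(0).getBeneficiaryKey());
        }
        return normalizeForRequestForm(login);
    }

    // Assumed lookup: resolves the beneficiary's user key to its User Login via
    // UserManager. Any lookup failure yields null rather than "".
    private static String lookupUserLogin(String userKey) {
        try {
            UserManager um = Platform.getService(UserManager.class);
            Set<String> attrs = new HashSet<String>();
            attrs.add(UserManagerConstants.AttributeName.USER_LOGIN.getId());
            User user = um.getDetails(userKey, attrs, false);
            return user.getLogin();
        } catch (Exception e) {
            return null;
        }
    }
}
```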

Friday Apr 12, 2013

OIM11gR2PS1 ( Database Schema Documentation Now Available

For anyone who is interested in knowing more about the OIM11gR2 database schema, the OIM11gR2 DB data model and the data dictionary, refer to the following document on

Oracle Identity Manager 11gR2PS1 ( Database Schema Documentation [ID 1541858.1]

Thursday Mar 21, 2013

OIM11g R2: Reconciling a Disconnected System Account

Reconciliation of a disconnected system account is the same as reconciling a connected system account. The main difference lies in the source of reconciliation. In the case of a connected system, a connection is established with the actual target system and data is pulled into OIM. Whereas in the case of a disconnected system, the data is made available to OIM using a CSV, a flat file or a database table. Reconciliation for both these types of systems looks the same in the case of an initial load. Some implementations make data available externally during the initial load for all types of target systems.

For reconciliation of any type of system, including the IT Resource attribute among the resource object (RO) attributes and in the recon data is mandatory. If this information (IT Resource in the recon data) is missing when submitting the reconciliation event, the reconciliation event is still created and linked successfully. The status on the recon event shows 'Creation Succeeded'. However, when you navigate to the 'Accounts' tab or 'My Access' tab, the resource is not shown. The reconciliation rules are evaluated, the event gets linked, but the resource doesn't appear on the user's resource profile. Yes, you read it correctly.

Also, when another recon event is created for the same account, the event shows 'Update Succeeded', but again no resource is seen in the user's resource profile.

The code snippet for submitting a simple recon event is here:

import java.util.HashMap;
import java.util.Map;
import oracle.iam.reconciliation.api.EventAttributes;
import oracle.iam.reconciliation.api.ReconOperationsService;

ReconOperationsService reconOp = client.getService(ReconOperationsService.class);

Map<String, Object> roDataMap = new HashMap<String, Object>();
roDataMap.put("User Name", "name");
// This is most important: without the IT Resource the event links, but no account shows up
roDataMap.put("IT Resource", "ITR");

try {
    EventAttributes ea = new EventAttributes();
    long eventKey = reconOp.createReconciliationEvent(RESOURCE_OBJECT, roDataMap, ea);
} catch (Exception e) {
    e.printStackTrace();
}


Wednesday Jan 23, 2013

OIM 11g R1 - Multi Valued attribute reconciliation of a child form

This topic gives a brief description of how we can reconcile a child form attribute, which is also multi-valued, from a flat file.

The format of the flat file is (an example):

ManagementDomain1|Entitlement1|DIRECTORY SERVER,EMAIL


In OIM there will be a parent form for the fields Management Domain and Entitlement. Reconciliation will assign Servers (which are multi-valued) to the corresponding Management Domain and Entitlement. In the flat file, multi-valued fields are separated by a comma (,).

In the Design Console, create a form with 'Server Name' as a field and make it a child form.

Open the corresponding Resource Object and add this field for reconciliation. While adding, select the 'Multivalued' check box. (Please find the attached screen shot on how to add it, Child Table.docx.)

Open the process definition and add the child form fields for reconciliation. Then click the 'Create Reconciliation Profile' button on the resource object tab.

The API methods used for child form reconciliation are:

1. reconEventKey = reconOpsIntf.createReconciliationEvent(resObjName, reconData, false);

   Passing false here tells OIM that we are creating the recon event for a child table, so the event is not finished at this point.

2. reconOpsIntf.providingAllMultiAttributeData(reconEventKey, RECON_FIELD_IN_RO, true);

   RECON_FIELD_IN_RO is the field that we added in the Resource Object while adding it for reconciliation (please refer to the screen shot).

3. reconOpsIntf.addDirectBulkMultiAttributeData(reconEventKey, RECON_FIELD_IN_RO, bulkChildDataMapList);

   bulkChildDataMapList is coded as below (stokens holds the comma-separated server names from the flat file):

   List<Map<String, String>> bulkChildDataMapList = new ArrayList<Map<String, String>>();
   for (int i = 0; i < stokens.length; i++) {
       Map<String, String> attributeMap = new HashMap<String, String>();
       String serverName = stokens[i].toUpperCase();
       attributeMap.put("Server Name", serverName);
       bulkChildDataMapList.add(attributeMap);
   }

4. reconOpsIntf.finishReconciliationEvent(reconEventKey);

5. reconOpsIntf.processReconciliationEvent(reconEventKey);

Now we have to register the plug-in, import the metadata into MDS and then create a scheduled job which will run the reconciliation.
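As an added example (not the blog's code), here is a parser for one line of the flat-file format described above that builds the parent recon data map and the child data list the API calls consume. The field names "Management Domain", "Entitlement" and "Server Name" are assumed from the post's description, and the sample line is constructed.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

public class ChildFormReconLine {

    private final Map<String, Object> reconData = new HashMap<String, Object>();
    private final List<Map<String, String>> bulkChildDataMapList =
            new ArrayList<Map<String, String>>();

    /**
     * Splits one "ManagementDomain|Entitlement|SERVER1,SERVER2" line. A malformed
     * line throws so the caller can skip the row instead of reconciling bad data.
     */
    public static ChildFormReconLine parse(String line) {
        String[] cols = line.split("\\|", -1);          // -1 keeps a trailing empty column
        if (cols.length != 3) {
            throw new IllegalArgumentException(
                    "expected 3 '|' separated columns, got " + cols.length);
        }
        ChildFormReconLine r = new ChildFormReconLine();
        // Parent form fields (assumed names)
        r.reconData.put("Management Domain", cols[0].trim());
        r.reconData.put("Entitlement", cols[1].trim());
        // Multi-valued child field: comma-separated, upper-cased as in the post;
        // empty tokens (e.g. a trailing comma) are dropped so no blank child row is created
        for (String token : cols[2].split(",")) {
            String serverName = token.trim().toUpperCase();
            if (serverName.isEmpty()) {
                continue;
            }
            Map<String, String> attributeMap = new HashMap<String, String>();
            attributeMap.put("Server Name", serverName);
            r.bulkChildDataMapList.add(attributeMap);
        }
        return r;
    }

    public Map<String, Object> getReconData() {
        return reconData;
    }

    public List<Map<String, String>> getBulkChildDataMapList() {
        return bulkChildDataMapList;
    }

    public static void main(String[] args) {
        // Constructed sample line in the post's format
        ChildFormReconLine r = parse("ManagementDomain1|Entitlement1|DIRECTORY SERVER,EMAIL");
        // reconData goes to createReconciliationEvent(resObjName, reconData, false);
        // bulkChildDataMapList goes to addDirectBulkMultiAttributeData(reconEventKey,
        // RECON_FIELD_IN_RO, bulkChildDataMapList)
        System.out.println(r.getReconData());
        System.out.println(r.getBulkChildDataMapList());
    }
}
```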

Tuesday Dec 11, 2012

Configuring Weblogic Server 10.3.6 from 32-bit mode to 64-bit mode

This post pertains to the configuration of Weblogic Server from 32-bit mode to 64-bit mode on Solaris OS. It applies in case you have WLS 10.3.6 running in 32-bit mode and the JDK being used is installed for 64-bit mode [on Solaris OS, a 64-bit JDK installation consists of installing the 32-bit JDK followed by a patch for the 64-bit JDK].

Verification of the mode being used

One can verify the mode of Weblogic Server in the following ways:

  • Either check the script located at $MIDDLEWARE_HOME/wlserver_10.3/common/bin, where $MIDDLEWARE_HOME refers to the install directory of Middleware. Look for the parameters SUN_ARCH_DATA_MODEL and JAVA_USE_64BIT in the file.
    For 32-bit mode, these parameters would be 32 and false respectively.
  • Check the server console logs to see which JDK is being used during start-up.
  • Check which JDK is used by the running process of Weblogic Server.

Configuration Steps

  • Take a backup of the script located at $MIDDLEWARE_HOME/wlserver_10.3/common/bin, where $MIDDLEWARE_HOME refers to the install directory of Middleware.
  • Modify the script for the parameters SUN_ARCH_DATA_MODEL and JAVA_USE_64BIT: the values should be 64 and true respectively for 64-bit mode.
  • Restart the Weblogic server.

One can confirm that the JDK being used is 64-bit by looking at the Weblogic console logs during server start-up or by looking at the running process.

Sunday Dec 09, 2012

OAM OVD integration - Error encountered during performance test: "LDAP response read timed out, timeout used:2000ms"

While working on OAM OVD integration for one of my clients, I was involved in the performance test of the products, where I encountered OAM authentication failures while talking to OVD under heavy load. OAM logs revealed the following: OAMSSA-20012: Exception in getting user attributes for user : dummy_user1, idstore MyIdentityStore with exception javax.naming.NamingException: LDAP response read timed out, timeout used:2000ms.; remaining name 'ou=people,dc=oracle,dc=com' at


During the authentication and authorization process, OAM complains that the LDAP repository is taking too long to return user attributes. The default value is 2 seconds, as can be seen from the exception ("2000ms"). While troubleshooting the issue, it was found that the LDAP read timeout can be increased in oam-config.xml.

For reference, the attribute to add in the oam-config.xml file is:

<Setting Name="LdapReadTimeout" Type="xsd:string">2000</Setting>

However, it is not recommended to increase the timeout unless it is absolutely necessary; first ensure that the back-end directory servers are working fine. Rather, I took the path of tuning OVD in the following manner:

1) Navigate to the ORACLE_INSTANCE/config/OPMN/opmn folder and edit opmn.xml. Search for <data id="java-options" ...> and edit the contents of the file with the highlighted items:

<category id="start-options">
  <data id="java-bin" value="$ORACLE_HOME/jdk/bin/java"/>
  <data id="java-options" value="-server -Xms1024m -Xmx1024m -Dvde.soTimeoutBackend=0$ORACLE_HOME -Dcommon.components.home=$ORACLE_HOME/../oracle_common -XX:+PrintGCDetails -XX:+PrintGCDateStamps -Xloggc:/opt/bea/Middleware/asinst_1/diagnostics/logs/OVD/ovd1/ovdGClog.log -XX:+UseConcMarkSweepGC$ORACLE_INSTANCE/config/JPS/jps-config-jse.xml"/>
  <data id="java-classpath" value="$ORACLE_HOME/ovd/jlib/vde.jar$:$ORACLE_HOME/jdbc/lib/ojdbc6.jar"/>
</category>
</module-data>
<stop timeout="120"/>
<ping interval="60"/>
</process-type>

When the system is busy, a ping from the Oracle Process Manager and Notification Server (OPMN) to Oracle Virtual Directory may fail. As a result, OPMN will restart Oracle Virtual Directory after 20 seconds (the default ping interval). To avoid this, consider increasing the ping interval to 60 seconds or more.

2) Navigate to the ORACLE_INSTANCE/config/OVD/ovd1 folder. Open the listeners.os_xml file and perform the following changes:

· Search for <ldap id="LDAP Endpoint" ...> and point the cursor to that line.

· Change threads count to 200.

· Change anonymous bind to Deny.

· Change workQueueCapacity to 8096.

Add a new parameter <useNIO> and set its value to false, viz: <useNIO>false</useNIO>

Snippet: <ldap version="8" id="LDAP Endpoint">

Restart OVD server.

For more information on OVD tuneup refer to

Please Note: There were a few patches released from the OAM side for performance tune-up as well. Will provide the updates shortly !!!

WNA Configuration in OAM 11g


  1. Kerberos authentication scheme has to exist. This is usually pre-configured OAM authentication scheme. It should have Authentication Level - "2", Challenge Method - "WNA", Challenge Direct URL - "/oam/server" and Authentication Module- "Kerberos".
  2. The default authentication scheme name is "KerberosScheme", this name can be changed.
  3. The DNS name has to be resolvable on the OAM Server.
  4. The DNS names with referrals to AD have to be resolvable on the OAM Server. Ensure nslookup works for the referrals.


  1. AD team to produce keytab file on the AD server by running ktpass command.
  2. Provide OAM Hostname to AD Team.
  3. Receive from AD team the following:
    • Keytab file produced when running the ktpass command
    • ktpass username
    • ktpass password
  4. Copy the keytab file to a convenient location in the OAM install tree and rename the file if desired, for instance where the oam-policy.xml file resides, i.e. /fa_gai2_d/idm/admin/domains/idm-admin/IDMDomain/config/fmwconfig/keytab.kt

Configure WNA Authentication on OAM Server:

  1. Create the config file krb.conf and set the environment variable to the path to this file:
    The variable KRB_CONFIG has to be set in the profile of the user that the OAM Java container (i.e. Weblogic Server) runs as, so that this setting is available to the OAM server, i.e. the "applmgr" user.
  2. In the krb.conf file specify:
    default_realm= NOA.ABC.COM
    dns_lookup_realm= true
    dns_lookup_kdc= true
    ticket_lifetime= 24h
    forwardable= yes



    Where is load balanced DNS VIP name for AD Server and NOA.ABC.COM is the name of the domain.
  3. Create an authentication policy to WNA-protect the resource (i.e. EBSR12) and choose "KerberosScheme" as the authentication scheme.
    Login to OAM Console => Policy Configuration Tab => Browse Tab => Shared Components => Application Domains => IAM Suite => Authentication Policies => Create
    Name: ABC WNA Auth Policy
    Authentication Scheme: KerberosScheme
    Failure URL:

  4. Edit System Configuration for Kerberos
    • System Configuration Tab => Access Manager Settings => expand Authentication Modules => expand Kerberos Authentication Module => double click on Kerberos
    • Edit "Key Tab File" textbox - put in /fa_gai2_d/idm/admin/domains/idm-admin/IDMDomain/config/fmwconfig/keytab.kt
    • Edit "Principal" textbox - put in HTTP/OAM_Host@NOA.ABC.COM
    • Edit "KRB Config File" textbox - put in /fa-gai2_d/idm/admin/domains/idm-admin/IDMDomain/config/fmwconfig/krb.conf
    • Click "Apply"
    • In the script setting environment for the WLS server where OAM is deployed set the variable:

  5. Restart the OAM server and the OAM Server Container (Weblogic Server)

Wednesday Dec 05, 2012

Using ant to register plugins and deploy metadata xmls

Ant can be used to register plugins directly to MDS.

Following is the ant target to register a plugin zip:

<target name="register_plugin" depends="compile_package">
    <echo> Register Plugin : ${plugin.base}/${}.zip</echo>
    <java classname="oracle.iam.platformservice.utils.PluginUtility" classpathref="classpath" fork="true">
        <sysproperty key="XL.HomeDir" value="${oim.home.server}"/>
        <sysproperty key="OIM.Username" value="${oim.username}"/>
        <sysproperty key="OIM.UserPassword" value="${oim.password}"/>
        <sysproperty key="ServerURL" value="${oim.url}"/>
        <sysproperty key="PluginZipToRegister" value="${plugin.base}/${}.zip"/>
        <sysproperty key="" value="${oim.home}\designconsole\config\authwl.conf"/>
        <arg value="REGISTER"/>
        <redirector error="redirector.err" errorproperty="redirector.err" output="redirector.out" outputproperty="redirector.out"/>
    </java>
    <!-- keep a copy of the registered zip with the server-side plugins -->
    <copy file="${plugin.base}/${}.zip" todir="${oim.home.server}\plugins"/>
</target>

This script requires the following properties:





You can either define a properties file for these properties or define them directly in build.xml. will look like:

# Set the OIM home here


# Set the weblogic home here



# e.g.: used in building the jar and zip files

#Note : no spaces in the project name

#Set the oim username


# set the oim password




#set the oim URL here



#Location from where the metadata files are pickedup for MDS import

metadata.location=C:/Project /src/ScheduledTask_Sample /metaxml/

Following is the ant target to import metadata xml:

<target name="ImportMetadata">
    <echo> Preparing for MDS xmls Upload...</echo>
    <!-- copy the OIM-supplied property file and point it at our server and metadata location -->
    <copy file="${oim.home}/bin/" todir="."/>
    <replaceregexp file="" match="wls_servername=(.*)" replace="wls_servername=${OIM.ServerName}" byline="true"/>
    <replaceregexp file="" match="application_name=(.*)" replace="application_name=OIMMetadata" byline="true"/>
    <replaceregexp file="" match="metadata_from_loc=(.*)" replace="metadata_from_loc=${metadata.location}" byline="true"/>
    <!-- copy the OIM-supplied WLST script and fill in the connection details -->
    <copy file="${oim.home}/bin/" todir="."/>
    <replace file="">
        <replacefilter token="connect()" value="connect('${wl.username}', '${wl.password}', '${wl.url}')"/>
    </replace>
    <echo> Importing metadata xmls to MDS... </echo>
    <exec dir="." vmlauncher="false" executable="${oim.home}/../common/bin/">
        <arg value="-loadProperties"/>
        <arg value=""/>
        <arg value=""/>
        <redirector output="deletemd_redirector.out" logerror="true" outputproperty="deletemd_redirector.out" />
    </exec>
    <echo>Completed metadata xmls import to MDS</echo>
</target>

Monday Dec 03, 2012

OAM11gR2: Enabling SSL in the Data Store

Enabling SSL in the Data Store of OAM11gR2 consists of the steps mentioned below.

  • Import the certificate(s) required for establishing trust with the store (backend) into the keystore (cacerts) on the machine hosting OAM's Weblogic Admin server
  • Restart the Weblogic Admin server
  • Specify <Hostname>:<SSL port> in the "Location" field of the Data Store and select the "Enable SSL" checkbox


  • The certificate(s) to be imported are available for import
  • The Data Store has already been created using the OAM admin console and the connection to the store is successful on the non-SSL port (though one can always create a Data Store with SSL settings on the first go)

Steps for importing the certificate(s):

One can use the keytool utility that comes bundled with the JDK to import the certificate. The step for importing the certificate is the same for self-signed and third-party certificates (like VeriSign):

$JAVA_HOME/bin/keytool -import -v -noprompt -trustcacerts -alias <aliasname> -file <Path to the certificate file> -keystore $JAVA_HOME/jre/lib/security/cacerts

Here $JAVA_HOME refers to the path of the JDK install directory.

Note: In case multiple certificates are required for establishing the trust, import all those certificates using the same keytool command mentioned above.

One can verify the import of the certificate(s) by using the command below:

$JAVA_HOME/bin/keytool -list -alias <aliasname> -v -keystore $JAVA_HOME/jre/lib/security/cacerts

Once trust is established for the SSL communication, specifying the SSL-specific settings in the Data Store (via the OAM admin console) no longer results in the error previously seen (when the certificates were yet to be imported), and "Test Connection" succeeds.

E-Business Integration with SSO using AccessGate

Moving away from the legacy Oracle SSO, Oracle E-Business Suite (EBS) came up with EBS AccessGate as the way forward to provide Single Sign On with Oracle Access Manager (OAM). As opposed to an AccessGate in OAM terminology, EBS AccessGate has no specific connection with OAM with respect to configuration. Instead, EBS AccessGate uses the header variables sent from the SSO system to create the native user session, like any other SSO-enabled web application.

E-Business Suite Integration with Oracle Access Manager

It is a known fact that E-Business Suite requires Oracle Internet Directory (OID) as the user repository to enable Single Sign On. This is because E-Business Suite needs to be registered with OID for Single Sign On. Additionally, E-Business Suite uses "orclguid" in OID to map the Single Sign On user to the corresponding local user profile. During authentication, EBS AccessGate expects the SSO system to return the orclguid and the EBS username (stored as a user attribute in the SSO user store) in two header variables, USER_ORCLGUID and USER_NAME respectively.

The following diagram depicts the authentication flow once the SSO system returns the EBS username and orclguid after successful authentication:

(Diagram: EBS AccessGate and OAM)


OIM11gR2 Blog by NA-TAG Offshore IDAM team
