Sunday Nov 24, 2013

Oracle Identity Manager Architecture

Originally Published on Oracle Fusion Middleware Blog

Oracle Identity Governance includes Oracle Identity Manager,Oracle Identity Analytics and Oracle Privileged Account Manager. I will write about Oracle Identity Manager architecture in this post. 

In basically, Oracle Identity Manager is a n-tier standard  Java EE application that is deployed on Oracle WebLogic Server and uses  a database . 

oracle identity manager architecture

Oracle Identity Manager presentation tier has three different screen. Identity Self Service and Identity System Administration are web-based thin client. Design Console is a Java Swing Client that communicates directly with the Business Service Tier.  Identity Self Service provides end-user operations and delegated administration features. System Administration provides system administration functions. And Design Console mostly use for development management operations such as  create and manage adapter and process form,notification , workflow desing, reconciliation rules etc.

Business service tier is implemented as an Enterprise JavaBeans(EJB) application. So you can extense Oracle Identity Manager capabilities. 
-The SMPL and EJB APIs allow develop custom plug-ins such as management roles or identities. 
-Identity Services allow use core business capabilites of Oracle Identity Manager such as The User provisioning or reconciliation service.
-Integration Services allow develop custom connectors or adapters for various deployment needs.
-Platform Services allow use Entitlement Servers, Scheduler or SOA composites.

The Middleware tier allows you using capabilites ADF Faces,SOA Suites, Scheduler, Entitlement Server and BI Publisher Reports. So OIM allows you to configure workflows uses Oracle SOA Suite or define authorization policies use with Oracle Entitlement Server. Also you can customization of OIM UI without need to write code and using ADF Business Editor  you can extend custom attributes to user,role,catalog and other objects.

Data tiers; Oracle Identity Manager is driven by data and metadata which provides flexibility and adaptability to Oracle Identity Manager functionlities. 
-Database has five schemas these are OIM,SOA,MDS,OPSS and OES. Oracle Identity Manager uses database to store runtime and configuration data. And all of entity, transactional and audit datas are stored in database.
-Metadata Store; customizations and personalizations are stored in file-based repository or database-based repository.And Oracle Identity Manager architecture,the metadata is in Oracle Identity Manager database to take advantage of some of the advanced performance and availability features that this mode provides.
-Identity Store; Oracle Identity Manager provides the ability to integrate an LDAP-based identity store into Oracle Identity Manager architecture. 

Oracle Identity Manager

Oracle Identity Manager uses the human workflow module of Oracle Service Oriented Architecture Suite. OIM connects to SOA using the T3 URL which is front-end URL for the SOA server.Oracle Identity Manager uses embedded Oracle Entitlement Server for authorization checks in OIM engine. 

Several Oracle Identity Manager modules use JMS queues. Each queue is processed by a separate Message Driven Bean (MDB), which is also part of the Oracle Identity Manager application. Message producers are also part of the Oracle Identity Manager application.

Oracle Identity Manager uses a scheduled jobs for some activities in the background.Some of scheduled jobs come with Out-Of-Box such as the disable users after the end date of the users or you can define your custom schedule jobs with Oracle Identity Manager APIs.

You can use Oracle BI Publisher for reporting Oracle Identity Manager transactions or audit data which are in database.

About me:

Mustafa Kaya is a Senior Consultant in Oracle Fusion Middleware Team, living in Istanbul. Before coming to Oracle, he worked in teams developing web applications and backend services at a telco company. He is a Java technology enthusiast, software engineer and addicted to learn new technologies,develop new ideas.

Follow Mustafa on Twitter,Connect on LinkedIn, and visit his site for Oracle Fusion Middleware related tips.

Monday Oct 07, 2013

[Oracle Identity Manager] 11g R2 Bundle Patch 11 is Available!

Oracle Identity Manager Bundle Patch 11 is available now. You can download BP11 from here.

 List of bugs fixed with BP11;

Bug Number Description


Date format mismatch occurs between various date fields in the manage user forms.


For the Enable User, Disable User, or Delete User request types, the approver is not able to approve the task by opening the popup for approving the task, and the page refreshes with no result.


Localization for challenge questions is not upgrade-safe.


Need to modify the Transformation and Analysis layer of SIL layer to implement SAP GRC (AC) 5.3 and 10.


On importing users, accounts, user role memberships, or entitlements, the import job fails on Oracle Identity Analytics (OIA) when the user-role memberships option is selected.


Need to modify the Transformation and Analysis layer of SIL layer to implement SAP GRC (AC) 5.3 and 10, and in SAP UM, UME, and legacy connector.


Entitlement provision date displays the account provision date.


Provisioning task status is different in the task list and task details.


Illegal state exception is thrown when cache is trying to put value to cache or to cancel update


Exceptions related to the tcDatabase close method are displayed in the logs.


Duplicate Role Names in different cases are created.


More than 25 saved request profiles are not displayed.


Enable pagination in my accounts pages for performance optimization.


Ad hoc linking does not work.


Performance issues are encountered while exporting roles by using the Deployment Manager.

Sunday Sep 29, 2013

[Oracle Identity Manager] Provision Account With OIM Api

Oracle Identity Manager allows you to provision account using the OIM api. Sometimes you will need give account from remote operations (webservice or some remote connector).

For this operations , first , you have to find right application instance for provision account. You can use findApplicationInstanceByName method of oracle.iam.provisioning.api.ApplicationInstanceService service for find application instance. Then,you can provision an application instance with OIM api, using  oracle.iam.provisioning.api.ProvisioningService service.

import oracle.iam.provisioning.api.ProvisioningService;

import oracle.iam.provisioning.api.ApplicationInstanceService;

    public void provisionAccount(String userKey) throws ApplicationInstanceNotFoundException,



                                                                        GenericProvisioningException {

ProvisioningService service=getClient().getService(ProvisioningService.class); 

ApplicationInstance appInstance=findApplicationInstanceByName("Application Instance Name");

                //serverName example : UD_ADUSER_SERVER

        //itResourceName example : Active Directory

        FormInfo formInfo = appInstance.getAccountForm();

        Map parentData = new HashMap();

        parentData.put(serverName, itResourceName);

        String formKey = String.valueOf(formInfo.getFormKey());

        AccountData accountData = new AccountData(formKey, null, parentData);

        Account account = new Account(appInstance, accountData);


        service.provision(userKey, account);


    public ApplicationInstance findApplicationInstanceByName(String applicationInstanceName) throws ApplicationInstanceNotFoundException,

                                                                                                GenericAppInstanceServiceException {

ApplicationInstanceService service=getClient().getService(ApplicationInstanceService.class);

        ApplicationInstance appInstance=service.findApplicationInstanceByName(applicationInstanceName);

        return appInstance;


Wednesday Aug 21, 2013

[Oracle Identity Manager] 11g R2 Basic Performance Tuning

We have to configuration performance tuning changes for optimal performance for Oracle Identity Manager such as application server,database and etc. I'll write some basic tuning settings  recommended by Oracle.

Also, you can read this guide for other tuning settings such as caching and learn how to monitor Oracle Identiy Manager performance.

Basic UI Tuning :

Following are the recommended application module settings for OIM. Add these settings under WebLogic ServerAdministration Console>> Servers >> oim_server1>> Server Start >> Arguments and restart the admin server.

-Djbo.ampool.doampooling=true -Djbo.ampool.minavailablesize=1

-Djbo.ampool.maxavailablesize=120 -Djbo.recyclethreshold=60

-Djbo.ampool.timetolive=-1 -Djbo.load.components.lazily=true

-Djbo.doconnectionpooling=true -Djbo.txn.disconnect_level=1

-Djbo.connectfailover=false -Djbo.max.cursors=5



These recommended settings assume that 100 concurrent users per node. Use the below formula to change

Djbo.ampool.maxavailablesize if your # of concurrent users is different.

Djbo.ampool.maxavailablesize = # of concurrent users + 20%

Basic Server Tuning:

JVM Parameter HotSpot JVM JRockit JVM

Min. Heap Size (Xms) 4GB 4GB

Max Heap Size (Xmx) 4GB 4GB

PermSize (-XX:PermSize) 500m N/A

PermGen size (-XX:MaxPermSize) 1GB N/A

JDBC Connection Pool parameters: 

Parameter name Value

Initial Capacity 50

Minimum Capacity 50

Max. Capacity 150

Inactive Connectiontimeout 30

To increase the capacity of the JDBC connection pools:

Goto WebLogic Server Administration Console and then Click Services=>Data Sources.

OIM also uses DirectDB data source and you can increase its capacity as below.

Go to Enterprise Manager -> Oracle Identity Manager -> System MBean Browser -> Application Defined MBeans -> oracle.iam -

>OIM Server -> Application oim -> XMLConfig -> Config -> XMLConfig.DirectDBConfig.

Set the following values for attributes.

Attribute name Value

MinConnections 50

MaxConnections 150

Friday Aug 02, 2013

[Oracle Identity Manager] 11g R2 Bundle Patch 09 is Available!

Oracle Identity Manager Bundle Patch 09 is available now. You can download BP09 from here.

Also,there is a important recommendation for BP08!

 List of bugs fixed with BP09;

Bug:12699224 : Trusted source reconciliation fails to create users with many reconciliation field mappings.

Bug:14407437 : Provisioning through bulk request inserts null records into child tables.

Bug:14493217 : Target resource reconciliation throws ORA-06512 error when the Descriptive field is mapped to a field that does not have a reconciliation field mapping.

Bug:16044671 : User form customization fails if a UDF contains invalid character.

Bug:16545968 : Modifying any attribute on a service account changes the account type as a primary account.

Bug:16562633 : Oracle Identity Manager throws javax.el.elexceptions while viewing profile under direct report.

Bug:16662834 : User not reprovisoned after user is deleted and created in the target with the same orclguid.

Bug:16662905 : If an LOV field is required on an Application Instance form, no validation is enforced on the LOV field although it is required.

Bug:16701873 : The Members tab of a role displays only enabled users and does not display disabled users.

Bug:16862846 : When a notification is being sent, the mail ID in the Reply To field is set as the recipient's mail ID instead of the sender's mail ID.

Bug:16824062 : When you use API to fetch or delete child data from an account, the child data row value is null. Therefore, child data is not returned.

Bug:16912736 : There is a performance issue when the provisioned application instance details is opened for a user.

Tuesday Jul 16, 2013

[Oracle Identity Manager] Send Notificiation With OIM Api

Oracle Identity Manager notifications used to send information after user create,password reset or your custom operation.

In some case, you need a custom notificaion process such as you can send notification after Active Directory Create User. I want to explain how you can send a notification any time with oim api.

1-) Create a notification template from Oracle Identity Manager.

2-) Develop send notification adapter code. (Add your classpath: oimclient.jar)

  private NotificationService notificationService;

  public NotificationService getNotificationService()
    if (this.notificationService == null) {
      this.notificationService = ((NotificationService)Platform.getService(NotificationService.class));
    return this.notificationService;

  public void sendNotification(String receiverUserId, String templateName, HashMap<String, Object> templateParams)
    throws EventException, UnresolvedNotificationDataException, TemplateNotFoundException, MultipleTemplateException, NotificationResolverNotFoundException, UserDetailsNotFoundException, NotificationException

    NotificationEvent event = new NotificationEvent();
    event.setUserIds(receiverUserId); // set OIM User Login parameter
    event.setTemplateName(templateName); // set OIM Notification template name. 

    event.setParams(templateParams); // it's used for set some parameters in template.

    getNotificationService().notify(event); // send notification

Template params use for send some dynamic variable in notificiation template. if you want to send information such as user login,password etc in notification, first you have to add variable with "$" character in notification template ($userLoginId) then set this variable with a HashMap in code.

3-) Create a process task adapter from design console and assign it after "AD User" Process Form, "Create User" task ,"SUCCESS" response.

Tuesday Jul 09, 2013

Oracle Identity Manager 11g R2 Bundle Patch 08 is Available!

Oracle Identity Manager 11g R2 Bundle Patch 08 is available for download. Bundle patch is cumulative and you can apply it directly to the any of previous version of (BP01,BP02,...,BP07).

You can download from here

List of bugs fixed with this patch;

Bug:12336826 : When an error occurs during the DSML SPML login process, the request is echoed back, but the client does not get the error.
Bug:14352701 : Oracle Identity Manager performance is very slow when running on SPARC T3 server.
Bug:14352701 : Oracle Identity Manager performance is very slow when running on SPARC T3 server.
Bug:14381593 : Delete reconciliation fails when the IT Resource Name is passed in the data map.
Bug:16215306 : User profile history report displays incorrect identity creation date.
Bug:16317298 : NPE error is thrown while saving a Generic Technology Connector (GTC) connector during the Edit operation.
Bug:16545749 : PNG files are intermittently not rendered in Oracle Identity Manager UI when Windows Internet Explorer 8 or FireFox are used and when clients connect via HTTPS.
Bug:16741450 : When the value of the PCQ.NO_OF_CORRECT_ANSWERS system property is set to 2, Oracle Identity Manager does not allow you to retrieve forgotten password by answering the first two challenge questions.
Internal bugs not visible via My Oracle Support:
Unpublished Bug: 13015601: Implement a maximum number of times a AUD_JMS record will be re-processed after a failure occurs. If a message cannot be processed after two tries, then it is skipped so as not to prevent new records from being processed.
Unpublished Bug: 14260898: Date type attribute cannot be returned via a process task adapter.
Unpublished Bug: 15892556: Clicking the User Details link results in primary key error.
Unpublished Bug: 16202621: Organization is not created when organization type is extended.
Unpublished Bug: 16304540: Reconciliation child table column lengths are not in sync with the column lengths of the corresponding child UD table.
Unpublished Bug: 16324315: All the values from one child table is not removed if another child table has some value.
Unpublished Bug: 16438746: Notification from SOA contains incorrect Oracle Identity Manager URL.
Unpublished Bug: 16468431: Manager data is not shown in the selected users list in the user search dialog box.
Unpublished Bug: 16698892: Updating any field with no value on OID provisioning form generates NPE error.
Unpublished Bug: 16922050: Stack overflow errors are thrown in Oracle Identity System Administration.

Türkçe versiyon için tıklayınız.

profile image
Welcome to my blog, a space for me to share information on various Oracle middleware technology issues. My day job as a consultant within Oracle Consulting Fusion Middleware Team.I will share some of these issues and solutions here in the hope that it will help you out some day!


« April 2014