Tuesday Apr 22, 2014

OIM Clustering: Keeping separate environments separate

Oracle Identity Manager 11g incorporates several clustering technologies in order to ensure high-availability across its different components. Several of these technologies use multicast to discover other cluster nodes on the same subnet. For testing and development purposes, it is common to have multiple distinct OIM environments co-existing on the same subnet. In that scenario, it is essential that the distinct environments utilise separate multicast addresses, so that they do not talk to each other – if they do, they will confuse one another, and many things can go wrong. This problem is less common with production environments, since best practice dictates that the production environment should be on a separate subnet from development and test, and multicast traffic cannot transverse subnet boundaries without special configuration.

Overview of OIM Clustering

Here’s a rough diagram of the clustering components inside OIM:

Quartz Scheduler Cluster

Data Caching Cluster

EclipseLink
(11.1.2.0.x and earlier only)

OSCache

Application Server Cluster
(WebLogic or WebSphere)

There are three basic layers of clustering in OIM:

  • Application Server Clustering: This is the clustering layer of the underlying Java EE Application Server (Oracle WebLogic or IBM WebSphere). This is responsible for replication of the JNDI tree, EJBs, HTTP sessions, etc.
  • Data Caching: This provides in-memory caching of data to improve performance, while ensuring that database updates made on one node are propagated promptly to the others. OIM uses OSCache (OpenSymphony Cache) as the underlying technology for this.
  • Scheduler Clustering: This is used to ensure that in a cluster each execution of a scheduled job only runs on one node. Otherwise, if a job is scheduled to start at 9am, every node in the cluster might try to start it at the same time, resulting in multiple simultaneous executions of that job

Clustering layers present in older versions only

  • In OIM 11gR1, and 11gR2 base release, OIM used EclipseLink data caching, which included its own multicast clustering layer. From OIM 11.1.2.1.0 onwards, while EclipseLink is still being used for data access, its caching features are no longer used, so this form of multicast clustering is no longer present.
  • As well as using JGroups for OSCache, OIM 9.x also used JGroups for a couple of additional functions (forcibly stopping scheduled tasks and diagnostic dashboard JMS test.) In OIM 11g, JGroups is now used for OSCache only.

Underlying technologies used

Different clustering components in OIM use different technologies:

Component Technology Details
Application Server Cluster Unicast or Multicast Consult Application Server documentation:
EclipseLink
(OIM 11.1.2.0.x and earlier only)
  • Multicast for node discovery
  • T3 JNDI for node-to-node communication (WebLogic)
  • RMI for node-to-node communication (WebSphere)
Multicast is only used to find other nodes in the cluster. With WLS, JNDI connections are opened between the nodes for the cache coordination traffic. On WebSphere, RMI is used instead.
OSCache
  • Multicast using JGroups package

Quartz Scheduler
  • Database tables
Unlike other clustering components, Quartz does not use direct network communication between the nodes. Database tables are used for inter-cluster communication

Relevant Configuration Settings

I’m only going to talk about the OIM-specific clustering settings here. So I won’t go into the configuration of the WebLogic/WebSphere clustering layer, only the data cache and scheduler clustering layers. All configuration relevant to these can be found in the /db/oim-config.xml file in MDS. So let’s discuss the settings in this file which are relevant to clustering.

Setting Explanation
<cacheConfig clustered=”…”> Must be set to true in a clustered install, and false for a single-instance install. This controls whether OSCache operates in a clustered mode.
<cacheConfig>/<xLCacheProviderProps multicastAddress=””> Multicast address which is used for OSCache. (Also used by EclipseLink in versions 11.1.2.0.x and earlier; the same address is used for both.) Make sure this address is unique for each distinct OIM environment on the same subnet.
<xLCacheProviderProps>/<properties> Can be used to manually override JGroups configuration used by OSCache. Not recommended.
<schedulerConfig clustered=”…”> Must be set to true in a clustered install, and false for a single-instance install.
<schedulerConfig multicastAddress=”…”> In OIM 9.x, JGroups was used to forcibly stop jobs. In OIM 11g, a different mechanism is used instead. This configuration setting is a left-over from OIM 9.x, and is now ignored. However, to avoid confusion, it is recommended to set this to the same multicastAddress as the xLCacheProviderProps above.
<deploymentConfig>/<deploymentMode> In a clustered install, should be set to clustered; in a single instance, should be set to simple. This is used to control whether EclipseLink operates in a clustered mode.
<SOAConfig>/<username> As its name implies, this is the username used by OIM to login to SOA. However, in OIM 11.1.2.0.0 and earlier, it also serves an additional purpose – on WebLogic, this username is used by EclipseLink clustering for inter-node communication. By default, this is weblogic; if you have renamed the weblogic user, you must change it; you are free to use another user if you wish, so long as they are a member of the Administrators group. (On WebSphere, this user is used for OIM-SOA integration only, not for EclipseLink clustering.)To change this, see “2.6 Optional: Updating the WebLogic Administrator Server User Name in Oracle Enterprise Manager Fusion Middleware Control (OIM Only)”. (If step 11 in those steps gives you a permissions error, just skip that step.)
<SOAConfig>/<passwordKey> This is the name of the CSF Credential which stores the password for the <SOAConfig> user. You should never change this setting in oim-config.xml from its default of SOAAdminPassword, but you will need to change the corresponding CSF entry whenever you change that user’s password.

What can go wrong

As I’ve mentioned, it is important that you have the correct clustering configuration for your environment. If you do not, many things can go wrong. I don’t propose to provide an exhaustive list of potential problems in this blog post, but just give one example I recently encountered at a customer site.

This customer was preparing to go live with Oracle Identity Manager 11.1.2.0. As part of their pre-production activities, they needed to document and test the procedure for periodic change of the weblogic password. They began by their testing by changing the weblogic password in one of their development environments. Restarting the OIM managed server, they saw this message multiple times in their WebLogic log: <Authentication of user weblogic failed because of invalid password>. They also found that the WEBLOGIC user in OIM was locked.

What went wrong here? Well, several things were wrong in this environment:

  • They had <SOAConfig>/<username> set to weblogic, but they had not updated the SOAAdminPassword credential in CSF to the new weblogic password. This customer does not currently use any of the OIM functionality which requires SOA, so they normally leave their SOA server down, including for this test. You would think therefore that the <SOAConfig> would not be relevant to them; but, as I have pointed out above, it is also used for EclipseLink clustering.
  • Even though their development environments were single instance installs, they all had <deploymentConfig>/<deploymentMode> set to cluster instead of simple. As a result, EclipseLink clustering was active even though it did not need to be.
  • <cacheConfig>/<xLCacheProviderProps multicastAddress=””> was set to the same address in multiple development environments on the same subnet. As a result, even though these environments were meant to be totally separate, they were formed into a single EclipseLink cluster.

So, what would happen, was that this environment (let’s call it DEV1) at startup would initialise EclipseLink clustering (since <deploymentConfig>/<deploymentMode> is set to cluster.) It would then add itself to the multicast group configured in <cacheConfig>/<xLCacheProviderProps multicastAddress=””>. At this point, DEV1 becomes visible to the other development environments (say DEV2 and DEV3). DEV2 tries to login to DEV1 over T3, using the <SOAConfig>/<username> user (weblogic) and the SOAAdminPassword password from CSF. However, the weblogic password having changed, both DEV2 and DEV3 will receive an invalid credential error, and DEV1 will experience <Authentication of user weblogic failed because of invalid password>. Setting <deploymentConfig>/<deploymentMode> to simple resolved this.

Wednesday Apr 09, 2014

Free Learning Sessions on Oracle Fusion Middleware

Free Learning Sessions on Oracle Fusion Middleware
Each session runs 2 hours and will provide an in-depth look into each topic. There will be demos, a Question and Answer session as well as a brief overview of next steps for those who require more detailed training.[Read More]

Oracle Fusion Middleware Support News : March 2014

See the latest Fusion Middleware Support News : March 2014!

1347075.1

Thursday Feb 27, 2014

Sustaining Engineer Release Announcment OIM Bundle Patches Released

Oracle Sustaining Engineering
Release Announcement

Oracle Identity Manager (OIM) Bundle Patches Released

We are pleased to announce that the following Oracle Identity Manager (OIM) patches were released on February 25, 2014. Specifically:

  • Oracle Identity Manager (OIM) Bundle Patch 11.1.2.1.5
  • Oracle Identity Manager (OIM) Bundle Patch 11.1.2.0.14

For more information:

We want to acknowledge everyone's hard work to get high-quality patches out to our Customers on schedule.

Thank you,


Friday Feb 14, 2014

Olympic Athletes Wish They Knew Our Quick Training Secrets

All the talk on the planet lately is about the Olympics, everyone cheering for the individuals who have dedicated their lives to pushing the human body to its limits. We admire and respect them, sometimes wish we had a fraction of that dedication. There is no quick route to that level of fitness and skill.

Seeing snow on the ground as I look out the window, my thoughts wander toward summer, remembering the color "green", and I begin preparing for a half marathon -- just a few months of training followed by a couple of hours of stress on the race course. There will be no cheering crowd throwing me flowers as I cross the finish line, only satisfaction in achieving a goal that I worked hard for.


Do you spend a lot of time training, not just in your personal life, but also at work?


We just upgraded the MOS Communities (MOSC) to Jive, merged them with the OTN Forums, so now we are together having to learn to navigate the new interface, along with all our other tasks.


One thing that might help you quickly get up to speed with the new MOSC and other features of MOS is this article, that has short videos explaining different MOS features:

Discover how to use My Oracle Support Video Series (Doc ID 603505.1)

  • How do you stay on top of the latest patches?
  • Where can you check that products are certified to work together before you begin installing willy nilly?
  • Is there a way to access our knowledge base while you're standing in line at the grocery store?
  • Will your product really be desupported at the end of the year?

All these and more are covered. Check out the videos while you're on the treadmill, and improve your life in multiple ways simultaneously.


We also have webcasts coming up that you might be interested in:

Get Proactive Essentials Webcast Series - My Oracle Support Community (Doc ID 1615047.1)
  • Register for one of many in the timezone of your choice (through March). Lasting 40 minutes, these sessions will get you setup and using the new MOS Community in record time
Essentials Webcast: Oracle Cloud Support (Doc ID 1555872.1)
  • Thirty minute presentations, scheduled through February, will explain what Cloud Support is all about. Sign up for one today!

There are times when long trainings make enormous impact. Other times when they don't. We hope that we can streamline the work-related trainings so that you can devote more time to personal goals.

Happy Trails

Friday Feb 07, 2014

New My Oracle Support Community (MOSC) Platform

The My Oracle Support Community (MOSC) recently migrated to a new platform with a completely new look and feel and navigation.  There is a series of 5 short videos to help learn the basic features and get you started.  Please see My Oracle Support Community - New Platform Overview to start out with the first video.  Once done with that video, click on the [Watch the Next in this series ] at the bottom left and it will automatically take you to the next video in the series.  Each video page has the [ Watch the Next in this series ] link to advance to the next video.

Although it is preferable to watch the videos in sequence, you can also individually select which videos you want to watch.  For reference, here are the individual links to the five videos in the series:

My Oracle Support Community - New Platform Overview [ Video 1 ] (Doc ID 1614073.1)
My Oracle Support Community - How to complete your profile setup. [ Video 2 ] (Doc ID 1614358.1)
My Oracle Support Community - How to start a community discussion [ Video 3 ] (Doc ID 1614724.1)
My Oracle Support Community - How to reply to discussions [ Video 4 ] (Doc ID 1614734.1)
My Oracle Support Community - Participating in the community [ Video 5 ] (Doc ID 1614725.1)

Wednesday Jan 29, 2014

IMPORTANT: My Oracle Support Community and OTN Profiles Merge January 31, 2014

IMPORTANT: My Oracle Support Community and OTN Profiles Merge January 31, 2014

Dear My Oracle Support Community User,

On January 31, 2014, we plan to migrate My Oracle Support Community to the same platform used for the Oracle Technology Network (OTN) forums. This platform will bring new community features to help make it easier to find information through a more intuitive interface, and enhance the way you connect with Oracle experts and industry peers. We have identified you as a user who has the same email address to access both My Oracle Support Community and OTN forums. As part of the migration to a single platform these profiles will be merged and the following will occur:
  • Activities and points from both accounts will be combined into a single consolidated account
  • Your OTN handle will be preserved and you will continue to use your email address to access My Oracle Support Community and OTN forums
  • Your existing username will become visible to both My Oracle Support Community and OTN forum members, however, we will set all of your other profile information to be private
  • Some of your existing profile information will not be migrated and will need to be re-entered into your new account profile
We encourage you review your username and profile information once the migration is complete and make the necessary updates based on your privacy preferences.

SEPARATE MY ORACLE SUPPORT COMMUNITY AND OTN ACCOUNTS
If you prefer to maintain two separate accounts (one for OTN forums and the other for My Oracle Support Community), you will need to select a different email address to access OTN forums and update your OTN profile. You must take the following action before January 31, 2014:
  • Log into forums.oracle.com
  • Click on the arrow beside your username at the top right corner of the page
  • Click "Edit Profile and Privacy"
  • Click "Edit Manage your Oracle.com Profile account" located beside your email address
  • Select the Change Username link at the top of the page
  • Enter your current password and the new email address
  • Log out and log back in to confirm that you are able to log in with the new email address
We look for forward to enhancing your Oracle community experience and appreciate your patience as we implement these changes. For more details about My Oracle Support Community features and enhancements, please read the My Oracle Support Community Spotlight.

Sincerely,

Oracle Support

Friday Jan 17, 2014

New FMW Patches - January 2014

The first NEWLY RELEASED patches you should be aware of are the CPUs (Critical Patch Updates). These include, among others:

  • Oracle Container for Java (OC4J) 10.1.3.5.
  • Oracle HTTP Server (OHS) 12.1.2, 11.1.1.7.0, 11.1.1.6.0 , 10.1.3.5 and 1.0.2.2
  • Oracle Internet Directory (OID) 11.1.1.7.0 and 11.1.1.6.0
  • Oracle Security Service 12.1.2.0.0

Details can be found at OTN here.

In addition, there are some new Fusion Middleware Proactive Patches, which include (among others):

  • Oracle Identity Management Suite Bundle Patch 11.1.1.5.6 consisting of
    • Oracle Identity Manager (OIM) 11.1.1.5.10 bundle patch
    • Oracle Access Manager (OAM) 11.1.1.5.6 bundle patch.
    • Oracle Adaptive Access Manager (OAAM) 11.1.1.5.2 bundle patch.
    • Oracle Entitlement Server (OES) 11.1.1.5.4 bundle patch.
  • Oracle Identity Management Suite Bundle Patch 11.1.2.0.5 consisting of
    • Oracle Access Manager (OAM) 11.1.2.0.5 bundle patch.
    • Oracle Adaptive Access Manager (OAAM) 11.1.2.0.3 bundle patch.
    • Oracle Entitlement Server (OES) 11.1.2.0.2 bundle patch.
    • Note : This suite BP is delayed by few days
  • Oracle Identity Management Suite Bundle Patch 11.1.2.1.2 consisting of
    • Oracle Access Manager (OAM) 11.1.2.1.2 bundle patch.
    • Oracle Adaptive Access Manager (OAAM) 11.1.2.1.2 bundle patch.
  • Oracle Identity Manager (OIM) 11.1.2.0.13 bundle patch
  • Oracle Identity Manager (OIM) 11.1.2.1.4 bundle patch

For more information :

Where is the OUD Certification Matrix?

OUD was it's own product (separate certification matrix, download, etc.) until 11.1.2.0.0 when it was merged with the Identity and Access Management 11gR2 release. Since then, there has been an Identity and Access Management 11.1.2.1.0, and OUD continues to be part of it. It is also part of the upcoming 11.1.2.2.0 release.

Because OUD previously had its own certification matrix, it is natural to look for one in current versions, separate from the Identity and Access Management cert matrices. This is no longer the case.

Be aware that OUD certifications have been consolidated into the overall Identity and Access Management 11.1.2.0.0 certification matrix & the Identity and Access Management 11.1.2.1.0 certification matrix. Both of these are available from the Certification Central Hub on OTN. In addition, OUD details have also been loaded into MOS Certify.

Please reference the certification matrices when making decisions regarding new installations or upgrades.

Happy Trails!

Friday Dec 27, 2013

Premier Support Ends Dec 31, 2013 for the following products:

Oracle Adaptive Access Manager (OAAM) 10g

Sun Java System Access Manager 7.1

OSSO 10gR3

OIM 9x 

As of January 1, 2014, the above mentioned Oracle products are moving from the Extended stage of Lifetime Support into the Sustaining stage.

Because product releases supported by Sustaining Support are not fully supported, information and skills regarding those releases may be limited. The availability of hardware systems to run such product releases may also be limited.

For full details see the Lifetime Support Policy and the Technical Support Polices.

Per the Technical Support Polices:

  • Sustaining Support does not include the 24-hour commitment and response guidelines for Severity 1 Service Requests as defined in the Severity Level section of the Technical Support Policy.
  • Existing patches and upgrade scripts will continue to be available.
  • Support continues to be available via My Oracle Support.

Details are available here:

Oracle Adaptive Access Manager (OAAM) 10g (Doc ID 1609012.1)

Sun Java System Access Manager 7.1 (Doc ID 1608469.1)

OSSO 10gR3 (Doc ID 1608519.1)

OIM 9.x  (Doc ID 1608487.1)

Tuesday Dec 10, 2013

Oracle Fusion Middleware Support News : December 2013

See the latest Fusion Middleware Support News : December 2013!

1347075.1

Monday Nov 25, 2013

Internet Explorer 7 (IE7) De-Supported as Certified Browser

Beginning April 4, 2014, Internet Explorer 7 (IE7) will be de-supported as a certified browser for My Oracle Support (support.oracle.com) and the Cloud Support Portal, impacting both Oracle employees and customers. Customers will receive a communication (link) informing them of the IE7 changes and that they should make the transition to a higher browser version.

Please upgrade your browser version if you are currently an IE7 user. Supported browsers certified on My Oracle Support can be seen in the Supported Browser article.

IMPORTANT: It is recommended that customers do not upgrade to IE11 as it is currently not certified to run with My Oracle Support and the Cloud Support Portal. Plans to support IE11 are targeted for January 31, 2014.

Tuesday Nov 19, 2013

Did Your Question Get Answered in My Oracle Support Community?


One of the primary goals of My Oracle Support Community is answering your questions with a Correct or Helpful reply.

Correct and Helpful Responses

Sometimes it is hard to tell if you got the information you needed! As the person asking the question, you can let the community know which replies you found correct and which ones were helpful.

By marking replies correct or helpful, you make it easier for community members to find replies that might help them in a similar situation, since your designation will change the background color of the reply to make them stand out. In addition, you are rewarding the member who posted the reply with points.

A reply marked as correct adds 10 points to the person who posted the reply and a helpful reply adds 5 points. You can see more information on points and benefits in the Reward and Recognition FAQ.

How Do I Mark an Answer Correct or Helpful?

In each reply to a question, extra options are visible to the person who posted the question. At the bottom of the reply, you can select either “Helpful Answer” or “Correct Answer.”

Correct or Helpful Answer

Choosing one of these options will change the background color to make the reply stand out from the other replies. A reply marked “Helpful Answer“ has a light blue background and a “Correct Answer” has a light green background. The colors are subtle; on some monitors, the colors may vary or be very close in shade.

View this short video on how you can benefit and collaborate with others by marking your answers as correct and helpful.

Build the Community’s Knowledge and Acknowledge Members that Help You

The time you take to mark your question as answered provides value to the community and expresses appreciation to the person who provided the answer that solved your problem or gave you new insight on an approach.

You may find other members follow your example, making it easier for you to find the answers you need in discussion threads too!

Friday Nov 01, 2013

NEW - Oracle Certifications and Documentation Available for Pre-Acquisition Sun/BEA IdM Products

If you have been looking for Oracle certification information or documentation for the pre-Acquisition Sun/BEA Identity Management products, you can now find them at the Certifications Central Hub.

Use this Hub if you're looking for Sun Identity Management documentation, certified configurations for Waveset, Identity Analytics, OpenSSO, and more. Scroll down, below the bullets, to the bottom of the table to find:

Of course, you can still find a great wealth of certification information for current products at this hub, as in the past.

Be sure to check before you install!

In case you haven't used this page before, notice that you can get to the documentation, certifications and downloads for IdM products by clicking on "Identity Management" in the leftmost pane.

In the new screen, you will see each IdM product, along with tabs for Downloads, Documentation, Community, and Learn More.

Let us know if you don't find what you are looking for.

Happy Trails.

Wednesday Oct 16, 2013

October 2013 Fusion Middleware (FMW) Proactive Patches released

We are glad to announce that the following Fusion Middleware (FMW) Proactive  patches were released on October 15, 2013.

Bundle Patches
Bundle patches are collections of controlled, well tested critical bug fixes for a specific product  which may include security contents and occasionally minor enhancements. These are cumulative in nature meaning the latest bundle patch in a particular series includes the contents of the previous bundle patches released.  A suite bundle patch is an aggregation of multiple product  bundle patches that are part of a product suite.
  • Oracle Identity Management Suite Bundle Patch 11.1.1.5.5 consisting of
    • Oracle Identity Manager (OIM) 11.1.1.5.9 bundle patch
    • Oracle Access Manager (OAM) 11.1.1.5.6 bundle patch.
    • Oracle Adaptive Access Manager (OAAM) 11.1.1.5.2 bundle patch.
    • Oracle Entitlement Server (OES) 11.1.1.5.4 bundle patch.
  • Oracle Identity Management Suite Bundle Patch 11.1.2.0.4 consisting of
    • Oracle Access Manager (OAM) 11.1.2.0.4 bundle patch.
    • Oracle Adaptive Access Manager (OAAM) 11.1.2.0.2 bundle patch.
    • Oracle Entitlement Server (OES) 11.1.2.0.2 bundle patch.
  • Oracle Identity Analytics (OIA ) 11.1.1.5.6  bundle patch.
  • Oracle GlassFish Server (OGFS) 2.1.1.22, 3.0.1.8 and 3.1.2.7 bundle patches.
  • Oracle iPlanet Web Server (OiWS) 7.0.18 bundle patch
  • Oracle SOA Suite (SOA) 11.1.1.7.1 bundle patch
  • Oracle WebCenter Portal (WCP) 11.1.1.8.1 bundle patch
  • Sun Role Manager (SRM) 4.1.7 and 5.0.3.2 bundle patches.

Patch Set Updates (PSU)
Patch Set Updates (PSU)  are collections of well controlled, well tested critical bug fixes for a specific product  that have been proven in customer environments. PSUs  may include security contents but no  enhancements are included. These are cumulative in nature meaning the latest PSU  in a particular series includes the contents of the previous PSUs  released.
  • Oracle Exalogic 2.0.3.0.4 Physical Linux x86-64 and 2.0.4.0.4 Physical Solaris x86-64 PSUs.
  • Oracle WebLogic Server 10.3.6.0.6 and 12.1.1.0.6 PSUs.

Critical Patch Update (CPU)
The Critical Patch Update program is Oracle's quarterly release of security fixes.

The following additional patches were released as part of Oracle's Critical Patch Update program:
  • Oracle JDeveloper 11.1.2.3.0, 11.1.2.4.0 and 12.1.2.0.0
  • Oracle Outside In Technology 8.4.0 and  8.4.1
  • Oracle Portal 11.1.1.6.0
  • Oracle Security Service  11.1.1.6.0, 11.1.1.7.0 and 12.1.2.0.0
  • Oracle WebCache 11.1.1.6.0 and 11.1.1.7.0
  • Oracle WebCenter Content 10.1.3.5.1, 11.1.1.6.0, 11.1.1.7.0 and 11.1.1.8.0
  • Oracle WebServices 10.1.3.5.0 and 11.1.1.6.0

For more information:

About


This is the official blog of the Proactive Support Team for Identity Management: OIM, OAM, OID, OVD, OUD, DSEE, etc. Find information about our activities, publications, product related information and more.

Search

Archives
« April 2014
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
7
8
10
11
12
13
14
15
16
17
18
19
20
21
23
24
25
26
27
28
29
30
   
       
Today