
Oracle IAM 11.1.2.2 Certification Matrix – Supported JDK, WebLogic, OS

If you are looking for the certified OS, JDK, database or web server versions for Oracle Identity & Access Management, check the Certification Matrix for Fusion Middleware components here.

On the Fusion Middleware Certification Matrix page, search for your Identity & Access Management version and click the XLS link. For the Certification Matrix for IAM version 11.1.2.2, click here.



Unprotecting URIs without using OAM Anonymous authentication

I am pretty sure you have had the requirement to unprotect a certain URI context in an application URL using OAM. This applies to OAM 10.1.4.3. The usual procedure to unprotect a URI context is to define the resource in the OAM Policy Domain, create a separate policy for that URI, and specify the Anonymous authentication scheme with a corresponding authorization policy.

Although no traditional OAM authentication is performed, the authentication check and the authorization calls to OAM still happen, so performance is impacted.

The simple alternative is to avoid calls to the OAM WebGate altogether by using HTTP directives. When a WebGate is installed on, say, an Apache web server, the WebGate configuration is added to httpd.conf and includes a LocationMatch element as shown below:

<LocationMatch "/*">
AuthType Oblix
require valid-user
</LocationMatch>

The above block tells WebGate to intercept every request under the root URL "/". To leave a specific URI context unprotected, say "public" (URLs of the form http://app:port/public), narrow the LocationMatch pattern so that it no longer matches that context, as shown below.

# LocationMatch takes a regular expression and has no negation operator: a
# pattern such as "!public" matches only paths that contain the literal text
# "!public", so the block (and WebGate) would stop applying to everything else.
# A negative lookahead excludes exactly the /public context and keeps the rest
# of the site under WebGate.
<LocationMatch "^/(?!public(/|$))">
AuthType Oblix
require valid-user
</LocationMatch>

Restart the HTTP server, then access the URL: anonymous-authentication calls to OAM no longer happen for that context, which greatly improves performance.
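To see what each candidate pattern actually does before touching httpd.conf, the Python below (an added example, not from the post) models Apache's unanchored LocationMatch search with re.search over a constructed list of request paths, and lists the paths that would bypass WebGate for the stock "/*" pattern, a literal "!public" pattern, and the negative-lookahead form.

```python
import re

# Apache evaluates <LocationMatch regex> as an unanchored regular-expression
# search against the request path and has no "!" negation operator; re.search
# models that closely enough to reason about which paths reach the WebGate block.
def webgate_intercepts(location_regex: str, path: str) -> bool:
    """True when a request for `path` falls under the LocationMatch block."""
    return re.search(location_regex, path) is not None


def unprotected_paths(location_regex: str, paths):
    """Paths that bypass WebGate entirely (no OAM authentication or authorization call)."""
    return [p for p in paths if not webgate_intercepts(location_regex, p)]


# Constructed sample of request paths on the protected web server.
SAMPLE_PATHS = [
    "/", "/index.html", "/admin/users", "/public", "/public/help.html",
    "/publicity", "/!public/x",
]

# The three candidate patterns: the stock WebGate pattern, a literal "!public",
# and a negative lookahead that excludes exactly the /public context.
PATTERN_ALL = "/*"
PATTERN_LITERAL = "!public"
PATTERN_EXCLUDE_PUBLIC = "^/(?!public(/|$))"


def compare(paths=SAMPLE_PATHS):
    """Unprotected paths per pattern, so the fail-open case is visible at a glance."""
    return {name: unprotected_paths(pat, paths) for name, pat in
            [("all", PATTERN_ALL), ("literal", PATTERN_LITERAL),
             ("lookahead", PATTERN_EXCLUDE_PUBLIC)]}


if __name__ == "__main__":
    for name, paths in compare().items():
        print(name, "->", paths)
```

Any path returned by unprotected_paths reaches the application without an OAM authentication or authorization call, so the list should contain only the context you intended to open.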

You can play around with this feature :)

New OAMConsole in OAM 11gR2 PS2 : Enabling Federation, STS, Mobile & Social in Oracle Access Management Suite 11.1.2.2

I discussed the availability of IAM 11gR2 PS2 (11.1.2.2) and the installation changes in 11.1.2.2 here, and the lessons learned while upgrading to 11gR2 PS2 here.

I also discussed the new OAM High Availability across Data Centres feature introduced in 11gR2 PS2 (11.1.2.2). OAMConsole (the admin console used to configure and manage OAM) has changed in OAM 11gR2 PS2 (11.1.2.2); more information here.

 

In this post I am going to show how to enable the services below in the Access Management Suite.

a) Identity Federation
b) Security Token Service
c) Mobile and Social
d) Access Portal Service

 

Note: These services are disabled by default and you must enable them before use (more on integrating OAM with Google as an Identity Provider later).

 

1. Log in to the OAM console at /oamconsole (the OAM console application is deployed on the WebLogic Admin Server) using a user defined in oam-config.xml.

Note: Identify the UserIdentityStore where IsSystem is set to true, then identify the Users and Groups listed under its RoleMappings.

_________________

<Setting Name="LDAP" Type="htf:map">
  <Setting Name="UserIdentityStore" Type="htf:map">
    <Setting Name="Name" Type="xsd:string">UserIdentityStore1</Setting>
    <Setting Name="Type" Type="xsd:string">LDAP</Setting>
    <Setting Name="LDAP_URL" Type="xsd:string">ldap://ldap-host:7001</Setting>
    <Setting Name="SECURITY_PRINCIPAL" Type="xsd:string">cn=Admin</Setting>
    <Setting Name="SECURITY_CREDENTIAL" Type="xsd:string">{AES}F8E3A9FAD9D662F753D842979423ED3D</Setting>
    <Setting Name="USER_SEARCH_BASE" Type="xsd:string">ou=people,ou=myrealm,dc=base_domain</Setting>
    <Setting Name="GROUP_SEARCH_BASE" Type="xsd:string">ou=groups,ou=myrealm,dc=base_domain</Setting>
    <Setting Name="USER_NAME_ATTRIBUTE" Type="xsd:string">uid</Setting>
    <Setting Name="LDAP_PROVIDER" Type="xsd:string">EMBEDDED_LDAP</Setting>
    <Setting Name="UserIdentityProviderType" Type="xsd:string">OracleUserRoleAPI</Setting>
    <Setting Name="IsPrimary" Type="xsd:boolean">true</Setting>
    <Setting Name="IsSystem" Type="xsd:boolean">true</Setting>

    <Setting Name="RoleMappings" Type="htf:map">
      <Setting Name="Role Security Admin" Type="htf:map">
        <Setting Name="Groups" Type="xsd:string">Administrators</Setting>
        <Setting Name="Users" Type="xsd:string">weblogic</Setting>
      </Setting>
      <Setting Name="Role System Monitor" Type="xsd:string">Monitors</Setting>
      <Setting Name="Role Application Administrator" Type="xsd:string">Operators</Setting>
      <Setting Name="Role System Manager" Type="xsd:string">Deployers</Setting>
    </Setting>
  </Setting>

 

____________

 

2. Click Available Services under Configuration.

3. Select Enable next to the service that you wish to enable.

 


oracle.oam.EnableMDCReplication property in OAM 11gR2 MDC

If you are working on Multi Data Center in OAM 11g R2 PS2, you will encounter the step of setting the oracle.oam.EnableMDCReplication flag to true as described in the Oracle documentation link. However, the document does not specify where to change this property.

Here is what you need to do:

  1. Goto WebLogic Domain directory.
  2. Take backup of setDomainEnv.sh.
  3. Edit the setDomainEnv.sh file to add oracle.oam.EnableMDCReplication as a Java system property, e.g. by appending -Doracle.oam.EnableMDCReplication=true to JAVA_OPTIONS. I added it after the line that exports JAVA_OPTIONS.
  4. Save the file.
  5. Restart the OAM WebLogic Admin and Managed Servers.

Hope this helps.

addPartnerForMultiDataCentre is not updating MDC partners in oam-config.xml in OAM 11g R2 PS2

In OAM 11g R2 PS2, I was working on a Multi Data Center setup by following the documentation. I had to run the WLST command addPartnerForMultiDataCentre, giving a partnerInfo.properties file as input.

What does this command do?

In MDC, when failover happens from DC1 to DC2, all the WebGate requests are routed to DC2. The user's browser still holds cookies/session state pertaining to DC1. For the DC2 OAM servers to serve the user request, DC2-specific cookies/session state has to be present. To obtain it, the DC2 OAM servers talk to the DC1 OAM servers over a back channel using an Access Gate.

partnerInfo.properties contains the following:

remoteDataCentreClusterId=DC2_CLUSTER
oamMdcAgentId=ACCESS_GATE_NAME
PrimaryHostPort=DC2_OAM_SERVER_NAME:port
SecondaryHostPort=
AccessClientPasswd=ACCESS_GATE_PASSWORD
oamMdcSecurityMode=open
agentVersion=11g
trustStorePath=
keyStorePath=
globalPassPhrase=
keystorePassword=

Let me explain each parameter:

remoteDataCentreClusterId: the cluster name of the secondary data center.

oamMdcAgentId: the name of the Access Gate that makes the back-channel call to DC1 to validate/request user session details. By default in OAM 11g R2 PS2, an access gate named accessgate-oic is created; I used it in my case. Also ensure that the Allow Management Operations flag is enabled in this AG profile. As a quick check, look at the regular WebGate profiles and you will see that this flag is disabled by default.

PrimaryHostPort & SecondaryHostPort: the secondary DC OAM server host name and port, e.g. oam2.oracle.com:5575 and oam2.oracle.com:5576 respectively.

oamMdcSecurityMode: the mode in which the AG is running.

agentVersion: the AG version defined in the profile.

trustStorePath, keyStorePath, globalPassPhrase, keystorePassword: if the AG is set to simple/cert mode, provide the keystore and related details.
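The rules just listed (required keys, host:port values, keystore details only outside open mode) are easy to check before the WLST command reports "Partner added successfully" against a file it silently misread. The Python below is an added example (not from the post or from Oracle) that parses the properties file and validates it against those rules; the sample files are constructed from the layout above with placeholder values.

```python
import re

# Keys the post walks through; the keystore group is only needed outside open mode.
REQUIRED_KEYS = ("remoteDataCentreClusterId", "oamMdcAgentId", "PrimaryHostPort",
                 "AccessClientPasswd", "oamMdcSecurityMode", "agentVersion")
KEYSTORE_KEYS = ("trustStorePath", "keyStorePath", "globalPassPhrase", "keystorePassword")
HOST_PORT = re.compile(r"^[A-Za-z0-9.-]+:\d{1,5}$")

# Constructed sample: the post's layout with placeholder values filled in.
SAMPLE_OPEN = """\
remoteDataCentreClusterId=DC2_CLUSTER
oamMdcAgentId=accessgate-oic
PrimaryHostPort=oam2.example.com:5575
SecondaryHostPort=oam2.example.com:5576
AccessClientPasswd=sample-access-gate-password
oamMdcSecurityMode=open
agentVersion=11g
trustStorePath=
keyStorePath=
globalPassPhrase=
keystorePassword=
"""

# Same file switched to simple mode without supplying any keystore details.
SAMPLE_SIMPLE_INCOMPLETE = SAMPLE_OPEN.replace("oamMdcSecurityMode=open",
                                               "oamMdcSecurityMode=simple")


def parse_properties(text):
    """Minimal Java .properties reader: key=value per line; '#'/'!' comments and blanks ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def validate_partner_info(props):
    """Return a list of problems; an empty list means the file follows the post's rules."""
    problems = []
    for key in REQUIRED_KEYS:
        if not props.get(key):
            problems.append("%s is required" % key)
    mode = props.get("oamMdcSecurityMode", "").lower()
    if mode not in ("open", "simple", "cert"):
        problems.append("oamMdcSecurityMode must be open, simple or cert")
    elif mode != "open":
        # simple/cert: the back channel is encrypted, so the keystore set is mandatory
        for key in KEYSTORE_KEYS:
            if not props.get(key):
                problems.append("%s is required when oamMdcSecurityMode=%s" % (key, mode))
    for key in ("PrimaryHostPort", "SecondaryHostPort"):
        value = props.get(key, "")
        if value and not HOST_PORT.match(value):
            problems.append("%s must be host:port, got %r" % (key, value))
    return problems


if __name__ == "__main__":
    for label, text in (("open", SAMPLE_OPEN), ("simple", SAMPLE_SIMPLE_INCOMPLETE)):
        print(label, validate_partner_info(parse_properties(text)))
```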

Steps to run the command:

  • Run ./wlst.sh from $ORACLE_HOME/common/bin
  • Connect to the WebLogic Admin Server.
  • Run the WLST command addPartnerForMultiDataCentre(propfile="/opt/oam/MDC/partnerInfo.properties")
  • You should see a success message as shown below:
    wls:/oam_domain/serverConfig> addPartnerForMultiDataCentre(propfile="/opt/oam/MDC/partnerInfo.properties")
    Partner added successfully.
    success:
  • I executed this command in both data centers. After execution, the result can be verified in oam-config.xml under the MultiDataCenterPartners section as shown below:

<Setting Name="MultiDataCenterPartners" Type="htf:map">
  <Setting Name="CLUSTER_NAME" Type="htf:map">
    <Setting Name="oamMdcSecurityMode" Type="xsd:string">open</Setting>
    <Setting Name="periodForWatcher" Type="xsd:string">2000</Setting>
    <Setting Name="maxConnPool" Type="xsd:string">10</Setting>
    <Setting Name="minConnPool" Type="xsd:string">1</Setting>
    <Setting Name="delayForWatcher" Type="xsd:string">1000</Setting>
    <Setting Name="oamMdcAgentId" Type="xsd:string">accessgate-oic</Setting>
    <Setting Name="accessClientPasswd" Type="xsd:string">qqwer3235123asdf</Setting>
    <Setting Name="PrimaryHostPort" Type="xsd:string">HOST:PORT</Setting>
    <Setting Name="agentVersion" Type="xsd:string">11g</Setting>
    <Setting Name="serverConnTimeout" Type="xsd:string">3600</Setting>
    <Setting Name="SecondaryHostPort" Type="xsd:string"></Setting>
  </Setting>

  • It worked as expected in DC1. When I executed it in DC2, it displayed a success message, but oam-config.xml was not updated.

Fix:

The DC2 MDC cluster is write protected. To verify, open oam-config.xml and look for the WriteEnabledFlag element, as shown below.

<Setting Name="WriteEnabledFlag" Type="xsd:boolean">false</Setting>

Since it is set to false, any changes made through WLST will not take effect. Run the WLST command below to fix this, or carefully edit oam-config.xml by hand.

setMultiDataCenterWrite(WriteEnabledFlag = "true")

 

Disable IAMSuiteAgent

This post gives an insight into IAMSuiteAgent and how to disable it.

IAMSuiteAgent is a pre-built Java agent that comes with OAM 11g by default. A few important points about IAMSuiteAgent:

The IAMSuiteAgent is a domain-wide agent:

  • Once Access Manager is deployed, the IAMSuiteAgent is installed on every server in the domain
  • Unless disabled, every request coming into the WebLogic Application Server is evaluated and processed by the IAMSuiteAgent
  • Certain IAMSuiteAgent configuration elements are available in the WebLogic Administration Console (in the Security Provider section) and others in the Oracle Access Management Console.

I had another OAM 11g R2 PS1 setup on the same node where R2 is installed. For some reason, the OAM Admin Console of the PS2 instance was redirecting to the PS1 IAMSuiteAgent for authentication, which is not expected.

So I disabled IAMSuiteAgent in the OAM Admin Console of the PS2 instance, but with no luck. Troubleshooting why the PS2 OAM console redirects to the PS1 IAMSuiteAgent is a story for another day. Since I was running short of time, I had to disable IAMSuiteAgent. This is how I did it:

  1. Set the environment variable export WLSAGENT_DISABLED=true. This change can also be made in setDomainEnv.sh.
  2. Restart the WebLogic Admin Server.
  3. Access the OAM Admin Console and notice that IAMSuiteAgent no longer intercepts the request (the original post shows a screenshot of the login page at this point).

 

References:

Oracle Documentation: http://docs.oracle.com/cd/E27559_01/admin.1112/e27239/webgate.htm

 

Securing ObFormLoginCookie in OAM 10g

We usually secure ObSSOCookie so that the cookie is only sent over SSL and non-SSL applications cannot access it. This is a very good feature to improve security in OAM. If you also want to secure ObFormLoginCookie, even though there is no sensitive information in this cookie, you can do so. Securing ObFormLoginCookie still allows end users to access applications over both non-SSL and SSL, unlike securing ObSSOCookie. Securing ObFormLoginCookie is explained below for the 10g OAM version. Perhaps this would work in 11g too; I haven't tried it.

  1. Log in to the OAM Access Console.
  2. Edit the form authentication scheme.
  3. Specify the challenge parameter miscCookies:Secure along with the other challenge parameters (the original post shows a screenshot of this step).
  4. Restart the resource WebGate for a quick config refresh.
  5. Access the application protected by the above form authentication scheme.
  6. Observe that when ObFormLoginCookie is set, you will also see "Secure". For example:

Set-Cookie: ObFormLoginCookie=wh%3DRESOURCE-WEBGATE-HOST%20wu%3D%2Findex.html%20wo%3D1%20rh%3Dhttps%3A%2F%2FRESOURCE-WEBGATE-HOST%3A8080%20ru%3D%2Findex.html; Secure; path=/dummy.cgi
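To verify the change from a captured response rather than by eye, and to see what the cookie actually carries, the Python below (an added example, not from the post) splits the Set-Cookie line quoted above into cookie attributes and URL-decodes the ObFormLoginCookie value into its wh/wu/wo/rh/ru fields; a constructed copy of the same line without the Secure attribute stands in for the state before miscCookies:Secure is configured.

```python
from urllib.parse import unquote

# Set-Cookie line quoted in the post above (host names already anonymised there).
PAGE_SET_COOKIE = ("Set-Cookie: ObFormLoginCookie=wh%3DRESOURCE-WEBGATE-HOST%20wu%3D%2Findex.html"
                   "%20wo%3D1%20rh%3Dhttps%3A%2F%2FRESOURCE-WEBGATE-HOST%3A8080%20ru%3D%2Findex.html"
                   "; Secure; path=/dummy.cgi")

# Constructed counterpart: what the same cookie looks like before
# miscCookies:Secure is added to the form authentication scheme.
INSECURE_SET_COOKIE = PAGE_SET_COOKIE.replace("; Secure", "")


def parse_set_cookie(line):
    """Return (name, raw_value, {attribute_lower: value or True}) for one Set-Cookie line."""
    if line.lower().startswith("set-cookie:"):
        line = line.split(":", 1)[1]
    first, *rest = (part.strip() for part in line.split(";"))
    name, _, value = first.partition("=")
    attrs = {}
    for item in rest:
        key, sep, val = item.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value, attrs


def decode_ob_form_login_cookie(raw_value):
    """ObFormLoginCookie is URL-encoded 'key=value' pairs separated by spaces
    (wh: WebGate host, wu: requested URL, wo: flag, rh/ru: return host and URL)."""
    fields = {}
    for pair in unquote(raw_value).split(" "):
        key, _, val = pair.partition("=")
        if key:
            fields[key] = val
    return fields


def audit_form_login_cookie(line):
    """Summarise the cookie's transport flags and decoded contents for review."""
    name, value, attrs = parse_set_cookie(line)
    if name != "ObFormLoginCookie":
        raise ValueError("not an ObFormLoginCookie: %r" % name)
    return {
        "secure": attrs.get("secure") is True,
        "httponly": attrs.get("httponly") is True,
        "path": attrs.get("path"),
        "fields": decode_ob_form_login_cookie(value),
    }


if __name__ == "__main__":
    print(audit_form_login_cookie(PAGE_SET_COOKIE))
    print(audit_form_login_cookie(INSECURE_SET_COOKIE)["secure"])
```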

Error while starting OAM WebLogic Servers “Policy store update operations are not allowed, system is write protected”

I came across an issue in an OAM 11g R2 PS2 environment. Multi Data Center was also being set up, with one DC as Master and the other DC as Clone. After configuring the Clone DC using T2P commands and running a few WLST commands to complete the MDC setup, the errors below were seen while starting the OAM WebLogic Admin/Managed Servers.

<Apr 8, 2014 4:28:05 PM PDT> <Warning> <oracle.oam.engine.policy> <OAMSSA-06342> <Bootstrap failed for handler oracle.security.am.common.policy.tools.upgrade.r2ps2.bootstrap.RMR2PS2BootstrapHandler!>

<Apr 8, 2014 4:28:05 PM PDT> <Error> <oracle.oam.engine.policy> <BEA-000000> <Policy store update operations are not allowed, system is write protected.

Analysis:

The OAM 11g documentation states "Clone Data Centers can be write protected so no updates can be made to the system or policy configurations". So I had set the WriteEnabledFlag in oam-config.xml to false, and therefore any policy or system update to the Clone DC fails.

You can verify this flag in oam-config.xml; when the data center is write enabled it looks like:

<Setting Name="WriteEnabledFlag" Type="xsd:boolean">true</Setting>

With the flag set to true, the WebLogic servers start up fine.
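The three things the posts above tell you to inspect in oam-config.xml (the identity store with IsSystem=true and its RoleMappings, the MultiDataCenterPartners section, and WriteEnabledFlag) can be checked from one script instead of by scrolling through the file. The Python below is an added example, not Oracle's or the author's code: it searches Setting maps by Name regardless of nesting, runs on a constructed excerpt that follows the layout quoted above, and also flags credential settings whose value is not {AES}-wrapped, since the MultiDataCenterPartners excerpt above shows accessClientPasswd stored in clear.

```python
import xml.etree.ElementTree as ET

# Constructed excerpt following the Setting/htf:map layout quoted in the posts.
# Nesting is illustrative; the lookups below search by Name and do not depend on it.
SAMPLE_OAM_CONFIG = """<Setting Name="NGAMConfiguration" Type="htf:map">
  <Setting Name="LDAP" Type="htf:map">
    <Setting Name="UserIdentityStore1" Type="htf:map">
      <Setting Name="Name" Type="xsd:string">UserIdentityStore1</Setting>
      <Setting Name="LDAP_URL" Type="xsd:string">ldap://ldap-host:7001</Setting>
      <Setting Name="SECURITY_PRINCIPAL" Type="xsd:string">cn=Admin</Setting>
      <Setting Name="SECURITY_CREDENTIAL" Type="xsd:string">{AES}F8E3A9FAD9D662F753D842979423ED3D</Setting>
      <Setting Name="IsPrimary" Type="xsd:boolean">true</Setting>
      <Setting Name="IsSystem" Type="xsd:boolean">true</Setting>
      <Setting Name="RoleMappings" Type="htf:map">
        <Setting Name="Role Security Admin" Type="htf:map">
          <Setting Name="Groups" Type="xsd:string">Administrators</Setting>
          <Setting Name="Users" Type="xsd:string">weblogic</Setting>
        </Setting>
      </Setting>
    </Setting>
    <Setting Name="OIDStore" Type="htf:map">
      <Setting Name="Name" Type="xsd:string">OIDStore</Setting>
      <Setting Name="LDAP_URL" Type="xsd:string">ldap://oid-host:3060</Setting>
      <Setting Name="SECURITY_PRINCIPAL" Type="xsd:string">cn=orcladmin</Setting>
      <Setting Name="SECURITY_CREDENTIAL" Type="xsd:string">plain-text-sample</Setting>
      <Setting Name="IsSystem" Type="xsd:boolean">false</Setting>
    </Setting>
  </Setting>
  <Setting Name="WriteEnabledFlag" Type="xsd:boolean">false</Setting>
  <Setting Name="MultiDataCenterPartners" Type="htf:map">
    <Setting Name="DC2_CLUSTER" Type="htf:map">
      <Setting Name="oamMdcAgentId" Type="xsd:string">accessgate-oic</Setting>
      <Setting Name="accessClientPasswd" Type="xsd:string">plain-text-sample</Setting>
      <Setting Name="PrimaryHostPort" Type="xsd:string">oam2.example.com:5575</Setting>
    </Setting>
  </Setting>
</Setting>
"""

SECRET_SETTINGS = ("SECURITY_CREDENTIAL", "accessClientPasswd")


def load(xml_text):
    return ET.fromstring(xml_text)


def child(node, name):
    """Direct child <Setting> with the given Name attribute, or None."""
    return next((c for c in node if c.tag == "Setting" and c.get("Name") == name), None)


def value(node, name, default=None):
    c = child(node, name) if node is not None else None
    return c.text.strip() if c is not None and c.text else default


def system_identity_store(root):
    """The store with IsSystem=true: the one /oamconsole logins are checked against."""
    for store in root.iter("Setting"):
        if store.get("Type") == "htf:map" and value(store, "IsSystem") == "true":
            roles = child(store, "RoleMappings")
            admin = child(roles, "Role Security Admin") if roles is not None else None
            return {
                "name": value(store, "Name"),
                "ldap_url": value(store, "LDAP_URL"),
                "principal": value(store, "SECURITY_PRINCIPAL"),
                "admin_users": value(admin, "Users", ""),
                "admin_groups": value(admin, "Groups", ""),
            }
    return None


def write_enabled(root):
    """False when the data center is write protected (WLST policy/config changes are dropped)."""
    flag = root.find(".//Setting[@Name='WriteEnabledFlag']")
    return flag is not None and (flag.text or "").strip().lower() == "true"


def mdc_partners(root):
    """Cluster name -> agent id and primary host:port, from MultiDataCenterPartners."""
    partners = root.find(".//Setting[@Name='MultiDataCenterPartners']")
    if partners is None:
        return {}
    return {p.get("Name"): {"agent": value(p, "oamMdcAgentId"),
                            "primary": value(p, "PrimaryHostPort")} for p in partners}


def plaintext_secrets(root):
    """(map name, setting name) for credential settings whose value is not {AES}-wrapped."""
    found = []
    for node in root.iter("Setting"):
        for c in node:
            if c.get("Name") in SECRET_SETTINGS and not (c.text or "").startswith("{AES}"):
                found.append((node.get("Name"), c.get("Name")))
    return found


if __name__ == "__main__":
    root = load(SAMPLE_OAM_CONFIG)
    print(system_identity_store(root), write_enabled(root), mdc_partners(root), plaintext_secrets(root))
```

Against a real file, pass the contents of oam-config.xml to load(); a non-empty plaintext_secrets() result is worth raising with whoever owns the MDC agent profile.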

Solution:

Even the Clone DC should be write enabled.

Connect to the WebLogic Admin Server through wlst.sh and run the commands shown below:

wls:/oam_domain/serverConfig> domainRuntime()

Location changed to domainRuntime tree. This is a read-only tree with DomainMBean as the root.

For more help, use help(domainRuntime)

wls:/oam_domain/domainRuntime> setMultiDataCenterWrite(WriteEnabledFlag="true")

Data center write enable flag set successfully

wls:/oam_domain/domainRuntime>


Apache 11g WebGate for OAM 11gR2

Apache WebGate is one of the most widely used WebGates in enterprises. Oracle has been releasing OHS 11g WebGates for the OAM 11gR1, R2 PS1 and R2 PS2 releases. However, Oracle has released the Apache 11g R2 PS1 WebGate with the OAM 11g R2 PS1 release, and it can be downloaded from edelivery.oracle.com -> Oracle Fusion Middleware -> Oracle Fusion Middleware Identity Management 11g R2 Media Pack -> Oracle Access Manager Apache 2.2 WebGates 11.1.2.1.0

This PS1 Apache WebGate can be used with OAM 11gR2 PS1 and R2 PS2.

Apache 11.1.2.1.0 WebGate Installation:

Pre-requisites: ensure that JRE 1.6 or higher is installed on the WebGate machine.

Silent installation procedure:

./runInstaller -jreLoc <<JRE_LOCATION>> -invPtrLoc <<ORA_INV_LOCATION>> -silent -response <<RESPONSE_FILE>>

Response File contents:

[ENGINE]

#DO NOT CHANGE THIS.
Response File Version=1.0.0.0.0

[GENERIC]

#Provide the Oracle Home location. The location has to be the immediate child under the specified Middleware Home location. The Oracle Home directory name may only contain alphanumeric , hyphen (-) , dot (.) and underscore (_) characters, and it must begin with an alphanumeric character. The total length has to be less than or equal to 128 characters.
ORACLE_HOME=/home/oracle/apache_11gR2PS1_webgate

#Provide existing Middleware Home location.
#MIDDLEWARE_HOME=/opt/

[SYSTEM]
SKIP_SOFTWARE_UPDATES=true

[APPLICATIONS]

[RELATIONSHIPS]

NOTE: only ORACLE_HOME is required, not MIDDLEWARE_HOME, unlike for the OHS 11g webgate.

Post-Installation Steps:

  1. Go to <<ORACLE_HOME>>/webgate/apache/tools/deployWebGate
  2. Run the command ./deployWebGateInstance.sh -w <<WEBGATE_INSTANCE_DIR>> -oh <<ORACLE_HOME>> -ws apache
  3. Go to <<ORACLE_HOME>>/webgate/apache/tools/setup/InstallTools
  4. Run the command ./EditHttpConf -f <<WEBGATE_INSTANCE_DIR>>/httpd.conf -oh <<ORACLE_HOME>> -w <<WEBGATE_INSTANCE_DIR>> -ws apache
  5. Copy the WebGate artifacts (ObAccessClient.xml and related files) from the OAM server domain output folder, for example /opt/oam/11gr2/fmw/user_projects/domains/mydomain/output/Apache_WebGate, into the web server's conf/webgate/config directory.
  6. Restart the Apache web server.

NOTES:

The <<WEBGATE_INSTANCE_DIR>> is the location where the Apache conf file is present, for example /home/apache/conf.

The LD_LIBRARY_PATH variable need not be set, unlike for the OHS 11g webgate.

Test the WebGate:

Access the Apache home page and verify that the Apache WebGate is intercepting requests.

Troubleshooting:

If the Apache WebGate is not intercepting requests, make sure that the webgate.conf file has been created under the Apache conf folder and that httpd.conf has been updated to include webgate.conf. Also verify the contents of webgate.conf and that ObAccessClient.xml is present in the Apache conf/webgate/config folder.

Register OAM WebGate from WebGate host

Hi All,

In this post I will explain how one can register a WebGate from the WebGate host, rather than from the OAM Admin Console or the OAM Admin host.

Refer to these posts 1, 2 to understand the concepts of WebGate registration in OAM 11g. Inband registration mode is used when the web server administrator and the OAM administrator are the same person or team. One can therefore register a WebGate in inband mode either from the command line on the OAM Admin Server host or through the OAM Admin Console. However, these approaches force the admin to copy the OAM WebGate artifacts from the OAM Admin host to the WebGate host. If your OAM deployment has several WebGate hosts, which makes copying artifacts a challenge, then this post will help you.

To register a WebGate from the command line, the oamreg.sh script is used. It comes bundled in <<ORACLE_HOME>>/oam/server/rreg/client as the file RREG.tar.gz.

All you need to do is copy this archive to a common place from which it can be used by all WebGates in your deployment.

  1. Copy RREG.tar.gz to WebGate Host.
  2. Unzip and untar it.
  3. Set the JAVA_HOME environment variable to the JRE path. The WebGate host must have a JRE installed before WebGate registration.
  4. Prepare the input xml located in <<RREG_HOME>>/input. <<RREG_HOME>> is the directory where zip file is extracted.
  5. Ensure the serverAddress field in the XML is updated to the OAM server URL, e.g. http://<<OAM_ADMIN_HOST>>:<<port>>
  6. Goto <<RREG_HOME>>
  7. Run the command ./bin/oamreg.sh inband input/<<input_xml_name>>
  8. This command will prompt you to enter OAM WebLogic Admin username and password. It will also prompt you whether to set webgate password. If you select yes, it will prompt you to enter webgate password.
  9. The WebGate artifacts ObAccessClient.xml along with password files based on security mode will be generated at <<RREG_HOME>>/output/<<WEBGATE_NAME>>
  10. Copy these artifacts to WebServer conf/webgate/config directory and restart the web server.

Hope this helps.

How to learn Oracle Access Manager (OAM) 11gR2



Identity Management jobs have grown exponentially (especially in the last year) and Oracle is among the Leaders in Gartner's Magic Quadrant for IAM. In this post I am going to cover how to learn Oracle Access Manager and the things you should learn for Oracle Access Manager (OAM).

What is Oracle Access Manager : If you don’t know already Oracle Access Manager (OAM) is Oracle’s recommended Single Sign-On (SSO) solution for Web Access Management.

Why should you learn OAM: Single Sign-On and Web Access Management are very important for securing applications. With cloud-based SaaS applications it is even more important for enterprises to implement federated sign-on (Federation is now part of OAM in the 11gR2 version). Oracle Access Manager (OAM) is also mandatory for Oracle Fusion Applications.

What roles are available for OAM : You can be an OAM Architect, Administrator, Implementor, or Developer.

What should I learn in OAM: For all OAM roles, you should have a fair understanding of the architec­ture, components and functionality of OAM. If you are an Architect, Administrator or Implementor you should also know installation, configuration, integration, and High Availability & Disaster Recovery setup. If you are a developer you should be able to write authentication modules, policies, custom login pages etc.

Where can I learn OAM: If you prefer self-learning you can refer to Oracle's documentation on OAM, attend an Oracle University course (costs 4200 USD), or attend our Online Live Training on OAM (costs 997 USD); the next batch starts on 4th July (we provide a full money-back guarantee for 7 days).

What topics should I look for in OAM Training: To start with, you should learn at least

  • Architecture of Oracle Access Manager (OAM)
  • Overview of WebLogic Server and Fusion Middleware
  • Overview of Oracle Identity & Access Management (OAM, OIM, OID, OUD, OAAM, OES..)
  • Installation & Configuration of OAM
  • Install & Configuration of OHS & WebGates
  • Migration of OSSO 10g to OAM 11g
  • Authentication & Authorization policies in OAM
  • Protecting resources using SSO
  • OAM Integration with LDAP Server (OID or OUD)
  • Deploying OAM in High Availability
  • Common Integration Scenarios for OAM
  • Overview of Oracle Identity

 

I am an Oracle Apps DBA/DBA; should I also learn OAM: Yes, you should learn Oracle Access Manager (OAM), as Apps DBAs with OAM experience earn 25-40% more. Single Sign-On is quite common these days and with Oracle Fusion Applications (OAM is mandatory in Fusion Apps) it is important that you learn Oracle Access Manager (OAM).

I still have some more queries related to OAM : Contact our OAM experts for any query related to OAM training requirements or post a comment here .

 

Register for our Online Live Training on OAM (costs 997 USD); the batch starts on 4th July, so register early to avoid disappointment as seats are limited (our Oracle Fusion Middleware Course was sold out long before its start date).

 

The post How to learn Oracle Access Manager (OAM) 11gR2 appeared first on Oracle Trainings for Apps & Fusion DBA.

Is OAM alone enough or should I also learn OIM/SOA for Apps DBA ?

We recently launched Oracle Access Manager Training (next batch starting on 6th July). One question that I have seen quite regularly is: "I am an Oracle Apps DBA; will learning OAM alone (without OIM/SOA and WebLogic) on top of Apps DBA skills give me better opportunities, or is it required to learn the entire Identity Management Suite?"

Since OAM/OIM is very close to my heart (I wrote my first book on this topic) and I meet a lot of Apps DBAs with a similar question, I thought I should cover it here.

Before I answer this question, let me first explain OAM/OIM/SOA and the other IAM products. Oracle Access Manager is the recommended Web Single Sign-On product from the Oracle Identity & Access Management Suite; other products in the suite include OIM, OID, OUD, OVD, OES, OMS, OAAM, eSSO etc.

Oracle Identity Manager is an identity provisioning and management product that uses Oracle SOA Suite for approval-based workflows and as its orchestration engine.

OAM and OIM can be implemented independently; if you need just Single Sign-On (or Access Management) then Oracle Identity Manager (OIM) is not required. If you are using Oracle E-Business Suite (Apps R12) and just require SSO integration with Microsoft Active Directory (MS-AD)/Windows Native Authentication, or with other Oracle products like OBIEE, WebCenter etc., then OIM/SOA is not required.

Having said that, it is better to know more, so learning OIM will definitely help, but I always believe in starting small (keep things simple). I learnt OAM (Oblix at that time) in 2003 and started OIM (Xellerate at that time) 2 years later in 2005.

 

Note: OAM is deployed on WebLogic Server, so basic WebLogic concepts must also be learnt as part of OAM; hence we cover WebLogic domains, Admin/Managed Servers, pack/unpack, JDBC etc. in our OAM 11gR2 Training/Workshop.

Tip for Apps DBAs to get a better day rate/bigger role: learn OAM and integrate EBS (R12) with OAM for Single Sign-On.

If you have any doubt about which topics to learn, check what our OAM experts have to say, or leave a comment here for any other query.


OAM Training (4th July) : EBS & AD Integration : 11gR2 PS3 Launch

We announced OAM Training on 4th of July (only 3 seats left) and since our announcement a lot of you asked which integrations we are going to cover. Looking at the kind of queries we received, I thought it was worth posting here. We are going to cover:

  • Oracle E-Business Suite (R12 – 12.1) integration with Oracle Access Manager
  • Microsoft Active Directory (AD)/Windows Native Authentication (WNA) integration with Oracle Access Manager (OAM) for Zero Single Sign-On.

Register here for Oracle Access Manager Training (100 USD off if you register before 1st July, last 3 seats before we close registration)

 

Oracle announced OAM 11gR2 PS3 in May 2013, register here for Technical Update on OAM 11gR2 PS3.

The post OAM Training (4th July) : EBS & AD Integration : 11gR2 PS3 Launch appeared first on Oracle Trainings for Apps & Fusion DBA.

Mechanism level: GSSHeader did not find the right tag,Error when accessing OAM WNA resources

Hi All,

After a long gap I have started writing blogs again, and it feels good.

Today I faced a login issue in a WNA setup environment.

Requirement: users should log in via WNA (with fallback authentication) and access the OAM WNA-protected resources, but the login request landed on the error page "Account locked or disabled".

From the oam-server1.out log:

Note: if you do not see the entries below, enable Kerberos trace-level logging on the OAM managed server (for example with the JVM flags -Dsun.security.krb5.debug=true and -Dsun.security.spnego.debug=true).

 <Jul 21, 2015 6:27:52 PM AEST> <Error> <oracle.oam.plugin> <BEA-000000> <Defective token detected (Mechanism level: GSSHeader did not find the right tag)
GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
        at sun.security.jgss.GSSHeader.<init>(GSSHeader.java:80)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:287)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
        at oracle.security.am.plugin.authn.SPNEGOLoginModule$1.run(SPNEGOLoginModule.java:139)
        at javax.security.auth.Subject.doAs(Subject.java:394)
        at oracle.security.am.plugin.authn.SPNEGOLoginModule.login(SPNEGOLoginModule.java:124)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
Normally this error means that the Microsoft IE browser on the client machine is sending something other than a Kerberos or NTLM token.

OAM's SPNEGO login module only accepts Kerberos or NTLM tokens.

We noticed the browser was sending the following token when accessing from inside the company network domain, and it kept resending the same "Authorization: Negotiate" header over and over (the base64 value is shown here wrapped across three lines):

Authorization: Negotiate YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAA
AAAAAAAABgAAAAcAAAAByYkcFlDJDJ1CLBKiPp1EHAWr1ZstiFepuJLBr7EduFitBaRa45+4nQ/AGW
5Jf/GwAAAAAAAAAAYAAAAAEAAAAAAAAAAAAAAEVyfDIyRYtIv9kqa6BepAo=

This is not a standard NTLM value; normally, when we review the headers, we would expect to see one of:

Authorization: Negotiate TlRMTVNTUAABAAA…. (NTLM)

Authorization: Negotiate YIIGeAYGK…(Kerberos)

This will still not work for OAM WNA fallback, because the token the OAM server received is not an NTLM token either. Decoding it shows a SPNEGO NegTokenInit whose mechanism list offers only NEGOEX (OID 1.3.6.1.4.1.311.2.2.30) and NTLMSSP (1.3.6.1.4.1.311.2.2.10), with no Kerberos OID at all; the "NEGOEXTS" signature visible in the base64 is the NEGOEX message carried inside it. Windows 7 clients send this kind of token when they cannot obtain a Kerberos service ticket for the site and fall back to NEGOEX/NTLM.

So the browser never sent a Kerberos token to the OAM server: the problem was that the client could not get a Kerberos ticket for the OAM host, not that OAM mishandled a good token.
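Rather than guessing from the first few base64 characters, you can decode the header value and list the mechanisms the browser actually offered. The following is an added Python example (not code from the original post or from Oracle): it walks the DER structure of a SPNEGO NegTokenInit and returns the mechanism OIDs. NEGOEX_TOKEN is the token quoted above, re-joined from its three fragments; the Kerberos and NTLM samples are constructed here for comparison and are not real captures.

```python
"""Decode an 'Authorization: Negotiate <base64>' value and list the GSS mechanisms offered.

Added example, not code from the original post or from Oracle. NEGOEX_TOKEN is the token
quoted in the post (three fragments joined); the other two samples are constructed here.
"""
import base64

SPNEGO = "1.3.6.1.5.5.2"
KERBEROS_OIDS = {"1.2.840.113554.1.2.2", "1.2.840.48018.1.2.2"}   # RFC 1964 krb5, MS legacy krb5
NTLMSSP, NEGOEX = "1.3.6.1.4.1.311.2.2.10", "1.3.6.1.4.1.311.2.2.30"


def read_tlv(buf, pos):
    """Read one DER tag-length-value at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der(tag, content):
    """Encode one short-form DER TLV (only used to build the constructed samples)."""
    if len(content) >= 0x80:
        raise ValueError("sample builder only handles short-form lengths")
    return bytes([tag, len(content)]) + content


def decode_oid(raw):
    """DER OID content bytes -> dotted string (base-128 arcs, high bit = more bytes)."""
    arcs, value = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(value))
            value = 0
    return ".".join(arcs)


def encode_oid(dotted):
    """Dotted string -> DER OID content bytes."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunk.insert(0, (a & 0x7F) | 0x80)
        out += bytes(chunk)
    return bytes(out)


def spnego_mechs(token):
    """mechTypes of a SPNEGO NegTokenInit (RFC 4178), in the order the client offered them."""
    tag, body, _ = read_tlv(token, 0)                  # [APPLICATION 0] InitialContextToken
    tag2, oid, pos = read_tlv(body, 0)                 # thisMech OID
    if tag != 0x60 or tag2 != 0x06 or decode_oid(oid) != SPNEGO:
        raise ValueError("not a SPNEGO InitialContextToken")
    tag, neg, _ = read_tlv(body, pos)                  # [0] NegTokenInit
    if tag != 0xA0:
        raise ValueError("not a NegTokenInit")
    _, seq, _ = read_tlv(neg, 0)                       # SEQUENCE { mechTypes [0], ..., mechToken [2] }
    _, mech_list, _ = read_tlv(seq, 0)                 # [0] MechTypeList
    _, oids, _ = read_tlv(mech_list, 0)                # SEQUENCE OF MechType
    mechs, pos = [], 0
    while pos < len(oids):
        _, oid, pos = read_tlv(oids, pos)
        mechs.append(decode_oid(oid))
    return mechs


def classify(negotiate_b64):
    """-> (verdict, mech OIDs) for the base64 that follows 'Authorization: Negotiate '."""
    token = base64.b64decode(negotiate_b64)
    if token.startswith(b"NTLMSSP\x00"):               # raw NTLM; base64 starts 'TlRMTVNTUA'
        return "NTLM", []
    if not token or token[0] != 0x60:
        return "unknown", []
    _, body, _ = read_tlv(token, 0)
    _, oid, _ = read_tlv(body, 0)
    mech = decode_oid(oid)
    if mech in KERBEROS_OIDS:                          # bare krb5 AP-REQ without SPNEGO wrapper
        return "Kerberos", [mech]
    if mech != SPNEGO:
        return "unknown", [mech]
    mechs = spnego_mechs(token)
    if any(m in KERBEROS_OIDS for m in mechs):
        return "SPNEGO/Kerberos", mechs
    return "SPNEGO without Kerberos", mechs            # the post's case: NEGOEX + NTLMSSP only


def build_negtokeninit(mechs, mech_token=b"\x00" * 16):
    """Constructed NegTokenInit with a dummy mechToken (sample data only)."""
    mech_list = der(0x30, b"".join(der(0x06, encode_oid(m)) for m in mechs))
    neg = der(0x30, der(0xA0, mech_list) + der(0xA2, der(0x04, mech_token)))
    return der(0x60, der(0x06, encode_oid(SPNEGO)) + der(0xA0, neg))


# The token quoted in the post, with its three fragments joined back together.
NEGOEX_TOKEN = ("YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAA"
                "AAAAAAAABgAAAAcAAAAByYkcFlDJDJ1CLBKiPp1EHAWr1ZstiFepuJLBr7EduFitBaRa45+4nQ/AGW"
                "5Jf/GwAAAAAAAAAAYAAAAAEAAAAAAAAAAAAAAEVyfDIyRYtIv9kqa6BepAo=")
# Constructed samples: what a healthy WNA client offers (Kerberos first), and a raw NTLM stub.
KERBEROS_TOKEN = base64.b64encode(build_negtokeninit(
    ["1.2.840.48018.1.2.2", "1.2.840.113554.1.2.2", NTLMSSP])).decode()
NTLM_TOKEN = base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()

if __name__ == "__main__":
    for label, tok in (("post", NEGOEX_TOKEN), ("kerberos", KERBEROS_TOKEN), ("ntlm", NTLM_TOKEN)):
        print(label, "->", classify(tok))
```

Run against the token from the post it reports "SPNEGO without Kerberos" with NEGOEX and NTLMSSP as the only mechanisms, so there is nothing in it that OAM's Kerberos acceptor can use, consistent with the GSSException above. A healthy WNA client lists a Kerberos OID first; if yours does not, check SPN registration and DNS for the OAM hostname before touching OAM.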

Cause:

On the UNIX host, run kinit and then klist to verify whether you can obtain a ticket for the HTTP/DOMAIN.NAME@REALM.NAME principal.

In our case we encountered the following exception:

kinit(v5): Client not found in Kerberos database while getting initial credentials

We found a DNS issue with the OAM application hostname: the OAM VIP name resolved to a different hostname, and the keytab had been created for the VIP name rather than for the hostname that DNS actually resolves for the front end. The SPN in the keytab must match the front-end hostname the browser uses, which is critical when creating a keytab.

Solution:

Re-generated the keytab for the hostname that DNS resolves to, as follows (run ktpass on a domain-joined Windows host with rights to modify the service account):

ktpass -princ HTTP/DOMAIN.NAME@REALM.NAME -mapuser aurdev\srv-oam-iap1 -pass <Password> -out master.keytab -kvno 0

Copy the new keytab into <Oracle Home>/server/config/ (the path referenced by the Key Tab File setting of the OAM Kerberos authentication module) and restart the OAM managed server.

Hope the above information helps you get out of this issue.

The post Mechanism level: GSSHeader did not find the right tag,Error when accessing OAM WNA resources appeared first on Oracle Trainings for Apps & Fusion DBA.

Oracle Access Manager (OAM) 11g : Architecture (Topic from our Training)

(Image: OAM_Architecture)

This post covers the Oracle Access Manager (OAM) architecture components and is from our Oracle Access Manager (OAM) 11g training, which I'll personally be teaching in a live virtual class (starting 20th Aug). You can register for this training here.

If you wish to watch FREE Video tutorials on OAM then subscribe to our YouTube Channel by clicking here

 

(Image: OAMArchitecture_2)

Note: Image from Oracle A-Team’s blog (must read blog)

Oracle Access Manager 11g consists of:

1. Database for OAM: the database hosts OAM's metadata and the policies that administrators define to secure business applications. You use RCU (Repository Creation Utility) to create the OAM schema.

2. LDAP Server: the directory server, usually Oracle Internet Directory (OID), Oracle Unified Directory (OUD) or Microsoft Active Directory, where users and groups are stored. Out of the box OAM uses WebLogic's embedded LDAP server as its identity store; change that to one of the external directories above, because the embedded LDAP is not intended for production use.

3. OAM Domain Admin Server: OAM is configured in a WebLogic domain (Admin and Managed Servers). The Admin Server hosts the WebLogic Console and the OAM Admin Console (the GUI to manage OAM artefacts such as Application Domains, Policies, WebGate instances etc.). We cover these OAM artefacts on Day 4 of OAM Training.

4. OAM Domain Managed Server: the OAM Managed Server is the runtime component that acts as the Policy Decision Point (PDP). The WebGate (Policy Enforcement Point, PEP) connects to this server to get the policy decision for a resource.

5. Application: the resource that is protected by OAM. You can optionally configure an OAM agent on the application itself.

6. WebServer: web servers such as OHS/Apache act as a reverse proxy for the application, and the Policy Enforcement Point (WebGate) is deployed on the web server.

7. OAM Agents (WebGates): Policy Enforcement Points that are deployed on the web server and connect to the OAM Managed Server for policy decisions. We cover OHS & WebGate in detail on Day 3 of OAM Training.

Stay tuned for my next post, which covers how the OAM request flow works and how all the components discussed above are used.

To know more about why you should learn Oracle Access Manager, click here; for what we cover in this online live virtual training, click here.

Quiz for you (answer under comments section or in our facebook group):

Q: OHS 12c comes with WebGate software so you don’t need to install WebGate software on OHS host
A: TRUE or FALSE

 

The post Oracle Access Manager (OAM) 11g : Architecture (Topic from our Training) appeared first on Oracle Trainings for Apps & Fusion DBA.


Oracle Access Manager on Disaster Recovery (DR) site : Operation Error

(Image: oracle_disaster_recovery)

Last year we launched our consulting services, where we design, implement and support Oracle products. This post is from an issue we encountered during failover of Oracle Access Manager (OAM) from the primary site to the standby site for one of our clients.

We also cover High Availability and Disaster Recovery in our Oracle Access Manager Training; agenda here (next batch starts on 20th September 2015).

Setup at customer site: Oracle Access Manager (OAM) deployed with high availability in the primary datacenter (DC1) and a disaster recovery site in the secondary datacenter (DC2). The database was RAC, with database data synchronised from the primary site to the standby site. The file system on the application tier (hosting the OAM servers) was replicated from the primary site to the standby site using SAN replication (if you don't have SAN, use an O.S. utility such as rsync). There are a few other steps for OAM DR setup that I am going to cover in another post.

Issue: after failover of OAM to the disaster recovery site, accessing the single sign-on URL https://sso.mycompany.com at the DR site showed the error:

“Oracle Access Manager Operation Error
The webgate plug-in is unable to contact any access server”

Cause: the error is self-explanatory: the WebGate (Policy Enforcement Point) is unable to reach the OAM server (Policy Decision Point) on the DR site. This can happen for a number of reasons.

Logs/Errors: to find the root cause,

1. Check the OHS error log at $ORACLE_INSTANCE/diagnostics/logs/OHS/ohs1/ohs1.log; in my case it showed the error below:

The Access Gate is unable to contact any Access Servers

[2015-09-01T10:27:12.4327+00:00] [OHS] [ERROR:32] [OHS-9999] [core.c] [client_id: 127.0.0.1] [host_id: example.com] [host_addr: HOST_IP] [tid: 139963023050496] [user: demo] [ecid:00S7] [rid: 0] [Virtual Host: main] OBWebGate_AuthnAndAuthz: The AccessGate is unable to contact any Access servers

 [2015-09-01T10:27:12.4351+00:00] [OHS] [ERROR:32] [OHS-9999] [core.c] [client_id: 127.0.0.1] [host_id: example.com] [host_addr: HOST_IP] [tid: 139963023050496] [user: demo] [ecid:00S7] [rid: 0] [Virtual Host: main] Request Failed For: /index.html, Resp code : [500]

2. Check the Oblix log (oblog.log) at $ORACLE_INSTANCE/diagnostics/logs/OHS/ohs1/oblog.log; it showed the error below:

Exception thrown during WebGate Initialization

2015/09/01813:56:36.38344 21825 21849 ACCESS_GATE contact INIT config.xml FATAL 0x0000182C any Access Servers. “ERROR 0x00CONFIG ERROR 0x00000505 raw codeS’ 0 21825 21852 ACCESS_GATE FATAL 0x00001520 “Exception thrown during WebGate initialization”

Checks: for this issue, verify that the WebGate can reach the OAM server on the host and port listed in the primary server list (primaryServer1, primaryServer2, ...) of the WebGate configuration file.

Key File: the OAM server details are stored in the WebGate configuration file (on the OHS server) at $ORACLE_INSTANCE/config/OHS/ohs1/webgate/config/ObAccessClient.xml

We discuss lot of other important key files for OAM server, WebLogic, OHS, WebGate in our Oracle Access Manager (OAM) Training

The WebGate connects to the OAM server via the OAM Proxy port, and in our case the OAM Proxy port had been set to 7009 rather than the default 5575.

Root Cause: after migration to the DR site, the proxy port in ObAccessClient.xml had reverted to the default 5575, which no longer matched the port the OAM server was listening on, so the WebGate could not contact the OAM server.

FIX:

1.    Log in to the OAM Console on the DR site: http://comp.example.com:7001/oamconsole
2.    Navigate to Configuration –> Server Instances
3.    Click Search
4.    Click WLS_OAM1
5.    Change the Proxy Port back to the original value, 7009
6.    Do the same for WLS_OAM2 (if you have two OAM nodes in the DR site)
7.    Save the changes
8.    Copy the regenerated ObAccessClient.xml from the OAM domain ($DOMAIN_HOME/output/<WEB_AGENT>) to the OHS server ($ORACLE_INSTANCE/config/OHS/ohs1/webgate/config)
9.    Restart the OAM managed servers and OHS

The single sign-on URL https://sso.mycompany.com should be accessible now.
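Before clicking through the console it helps to see exactly which host:port pairs the DR WebGate was going to try. The following added Python example (not code from the original post or from Oracle) parses ObAccessClient.xml, flags any primary or secondary server entry whose port is not the proxy port the OAM server actually listens on (7009 here), and can TCP-probe each endpoint to reproduce the "unable to contact any Access Servers" condition from the OHS host. The XML is a constructed sample laid out like a real ObAccessClient.xml; the element and attribute names (CompoundList/ListName, NameValPair/ParamName) are an assumption to verify against your own file, and the hostnames are invented.

```python
"""Spot WebGate-to-OAM proxy port drift in ObAccessClient.xml.

Added example, not code from the original post or from Oracle. SAMPLE_OBACCESSCLIENT is
constructed to mirror the layout of a real ObAccessClient.xml; check the element names
against your own file before relying on this.
"""
import socket
import xml.etree.ElementTree as ET

SAMPLE_OBACCESSCLIENT = """<CompoundList xmlns="http://www.oblix.com/" ListName="ObAccessClient.xml.xml">
  <SimpleList>
    <NameValPair ParamName="id" Value="Webgate_SSO"/>
    <NameValPair ParamName="state" Value="Enabled"/>
    <NameValPair ParamName="maxConnections" Value="2"/>
  </SimpleList>
  <CompoundList ListName="primaryServer1">
    <SimpleList>
      <NameValPair ParamName="host" Value="oam1.dr.example.com"/>
      <NameValPair ParamName="port" Value="5575"/>
      <NameValPair ParamName="numOfConnections" Value="1"/>
    </SimpleList>
  </CompoundList>
  <CompoundList ListName="primaryServer2">
    <SimpleList>
      <NameValPair ParamName="host" Value="oam2.dr.example.com"/>
      <NameValPair ParamName="port" Value="7009"/>
      <NameValPair ParamName="numOfConnections" Value="1"/>
    </SimpleList>
  </CompoundList>
</CompoundList>
"""


def _local(tag):
    """Strip the XML namespace so the parser works with or without the oblix xmlns."""
    return tag.rsplit("}", 1)[-1]


def list_servers(xml_text):
    """Return [(list_name, host, port)] for every primaryServer*/secondaryServer* entry."""
    servers = []
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) != "CompoundList":
            continue
        name = el.get("ListName", "")
        if not name.startswith(("primaryServer", "secondaryServer")):
            continue
        params = {nv.get("ParamName"): nv.get("Value")
                  for nv in el.iter() if _local(nv.tag) == "NameValPair"}
        servers.append((name, params.get("host"), int(params.get("port", "0"))))
    return servers


def find_port_drift(xml_text, expected_port):
    """Entries whose port differs from the OAM proxy port the server really listens on."""
    return [s for s in list_servers(xml_text) if s[2] != expected_port]


def probe(host, port, timeout=2.0):
    """True if a TCP connection to host:port succeeds (the minimum WebGate needs)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def report(xml_text, expected_port, do_probe=False):
    """One line per server entry: port check and, optionally, reachability."""
    lines = []
    for name, host, port in list_servers(xml_text):
        status = "OK" if port == expected_port else f"PORT DRIFT (expected {expected_port})"
        if do_probe:
            status += ", reachable" if probe(host, port) else ", NOT reachable"
        lines.append(f"{name}: {host}:{port} {status}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_OBACCESSCLIENT, 7009)))
```

Run it on the OHS host with do_probe=True and the real file to see both the stale 5575 entry and whether the OAM proxy port is actually reachable through the DR network before you regenerate the agent configuration.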

If you want to learn more issues like above or wish to discuss challenges you are hitting in Oracle Access Manager Implementation, register for our Oracle Access Manager Training.

We are so confident on quality and value of our trainings that We provide 100% Money back guarantee so in unlikely case of you being not happy after 2 sessions, just drop us a mail before third session and We’ll refund FULL money.

Did you subscribe to our YouTube Channel (293 already subscribed) ?

The post Oracle Access Manager on Disaster Recovery (DR) site : Operation Error appeared first on Oracle Trainings for Apps & Fusion DBA.

Oracle Access Manager: java.lang.OutOfMemoryError

(Image: leak_chart)

This post relates to an Admin Server issue from our Oracle Access Manager Training (next batch starts on 20th Sept, 2015), where we also cover High Availability & Disaster Recovery; agenda here.

One of the trainees from our previous batch encountered an issue while accessing the oamconsole URL: http://<Hostname>:<Admin Port>/oamconsole.

To find the root cause, check the Admin Server log file located under $DOMAIN_HOME/servers/AdminServer/logs; in our case it showed the following error messages:

<Error> <HTTP> <hostname> <AdminServer> <[ACTIVE] ExecuteThread: '14' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <0000wJ81aCT7y0G6yzYfMG000024000F0n> <1424169946099> <BEA-101020> <[ServletContext@13260635[app:em module:/em path:/em spec-version:2.5]] Servlet failed with Exception
java.lang.OutOfMemoryError: Java heap space
        at java.lang.reflect.Array.newArray(Native Method)
        at java.lang.reflect.Array.newInstance(Array.java:70)
        at oracle.jdbc.driver.BufferCache.get(BufferCache.java:229)
        at oracle.jdbc.driver.PhysicalConnection.getCharBuffer(PhysicalConnection.java:12333)
        at oracle.jdbc.driver.OracleStatement.prepareAccessors(OracleStatement.java:1112)
        at oracle.jdbc.driver.T4CTTIdcb.receiveCommon(T4CTTIdcb.java:283)
        at oracle.jdbc.driver.T4CTTIdcb.receive(T4CTTIdcb.java:150)
        at oracle.jdbc.driver.T4C8Oall.readDCB(T4C8Oall.java:895)
        at oracle.jdbc.driver.T4CTTIfun.receive(T4CTTIfun.java:389)
        at oracle.jdbc.driver.T4CTTIfun.doRPC(T4CTTIfun.java:205)
        at oracle.jdbc.driver.T4C8Oall.doOALL(T4C8Oall.java:548)
        at oracle.jdbc.driver.T4CPreparedStatement.doOall8(T4CPreparedStatement.java:217)
        at oracle.jdbc.driver.T4CPreparedStatement.executeForDescribe(T4CPreparedStatement.java:947)

Root Cause:

The OAM Admin Console is deployed on the Admin Server and accessed via the admin port (http://<Hostname>:<Admin Port>/oamconsole), so the Admin Server JVM carries the console's load on top of the WebLogic Console and Enterprise Manager.

(Image: oam_admin)

The Admin Server heap at the time was 500 MB; for a domain that serves the OAM console it should be between 1 GB and 2 GB.

Solution:

Temporary fix: restart the Admin Server (this only buys time; the heap will fill up again).

Permanent fix:

1. Raise the Admin Server heap in setDomainEnv.sh under $DOMAIN_HOME/bin with a block like the one below. Add it towards the end of the script so the default MEM_ARGS assignment earlier in the file does not override it.

if [ "${SERVER_NAME}" = "AdminServer" ] ; then
      MEM_ARGS="-Xms2048m -Xmx2048m -XX:PermSize=128m -XX:MaxPermSize=512m"
      export MEM_ARGS
fi

The PermSize flags apply to JDK 6 and 7; JDK 8 and later ignore them (the equivalents there are -XX:MetaspaceSize and -XX:MaxMetaspaceSize).

2. Bounce the Admin server and you should be able to access the OAM console.

Note: you can verify the modified JVM settings in the Admin Server log, where the JVM arguments are printed at startup.

If you want to learn more issues like above or wish to discuss challenges you are hitting in Oracle Access Manager Implementation, register for our Oracle Access Manager Training.

We are so confident on quality and value of our trainings that We provide 100% Money back guarantee so in unlikely case of you being not happy after 2 sessions, just drop us a mail before third session and We’ll refund FULL money.

Did you subscribe to our YouTube Channel (293 already subscribed) ?

The post Oracle Access Manager: java.lang.OutOfMemoryError appeared first on Oracle Trainings for Apps & Fusion DBA.

Solution for OAM Error code OAM-02073 status fail is Excluded false

When you have performed all the configuration required to protect your web application with Oracle Access Manager, the next thing you do is test whether the setup works.
In this post we will see a common problem most of us encounter when testing the setup for the first time. On accessing a protected resource of your web application, the OAM WebGate intercepts the request and asks the OAM server whether the resource requires authenticated access. If it does, the OAM server redirects the user to the login page. You enter your credentials, click Login, and get a blue Oracle System Error page.
At this stage, go to the OAM server logs folder and check the diagnostic logs, which tell you why you got the error. Here is the error I got on submitting the credentials in one of the environments:
oracle.security.am.proxy.oam.requesthandler.OAMProxyException: Event Response status is STATUS_FAIL for GET_AUTHN_SCHEME event. Error code OAM-02073 status fail isExcluded false
        at oracle.security.am.proxy.oam.requesthandler.NGProvider.checkProtected(NGProvider.java:4542)
        at oracle.security.am.proxy.oam.requesthandler.NGProvider.getIsRescProtectedResponse(NGProvider.java:1401)
        at oracle.security.am.proxy.oam.requesthandler.NGProvider.getResponse(NGProvider.java:369)
        at oracle.security.am.proxy.oam.requesthandler.RequestHandler.handleRequest(RequestHandler.java:366)
        at oracle.security.am.proxy.oam.requesthandler.RequestHandler.handleMessage(RequestHandler.java:170)
        at oracle.security.am.proxy.oam.requesthandler.ControllerMessageBean.getResponseMessage(ControllerMessageBean.java:122)
        at oracle.security.am.proxy.oam.requesthandler.ControllerMessageBean_eo7ylc_MDOImpl.__WL_invoke(Unknown Source)
        at weblogic.ejb.container.internal.MDOMethodInvoker.invoke(MDOMethodInvoker.java:35)
        at oracle.security.am.proxy.oam.requesthandler.ControllerMessageBean_eo7ylc_MDOImpl.getResponseMessage(Unknown Source)
        at oracle.security.am.proxy.oam.mina.ObClientToProxyHandler.messageReceived(ObClientToProxyHandler.java:223)
        at org.apache.mina.common.DefaultIoFilterChain$TailFilter.messageReceived(DefaultIoFilterChain.java:743)
        at org.apache.mina.common.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:405)
        at org.apache.mina.common.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:40)
        at org.apache.mina.common.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:823)
        at org.apache.mina.common.IoFilterEvent.fire(IoFilterEvent.java:54)
        at org.apache.mina.common.IoEvent.run(IoEvent.java:62)
        at oracle.security.am.proxy.oam.mina.CommonJWorkImpl.run(CommonJWorkImpl.java:41)
        at weblogic.work.j2ee.J2EEWorkManager$WorkWithListener.run(J2EEWorkManager.java:184)
        at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
        at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)

OAM stores the web server host and port information as Host Identifiers. You get the above error when the host and port that the WebGate reports for the request do not match any Host Identifier variation. The host identifier entry is not necessarily the same name you type in the browser, especially when the web server machine has multiple network interfaces or sits behind a load balancer that changes the host or port seen by the WebGate. To find the exact host name and port the OAM server is being asked about, enable OAM logging at TRACE level; the log records the host and port for which the error was raised. To fix the problem, add the correct host name and port combination to the Host Identifier of the configured OAM Agent.

If you get this error from a non-browser application, such as a Java client using the Access SDK, make sure the host identifier entries match the resource string you pass to the oracle.security.am.asdk.ResourceRequest constructor.

If you want to learn more issues like above or wish to discuss challenges you are hitting in Oracle Access Manager Implementation, register here for our Oracle Access Manager Training (next batch starts on 22nd Nov, 2015).

We are so confident on quality and value of our training that We provide 100% Money back guarantee so in unlikely case of you being not happy after 2 sessions, just drop us a mail before third session and We’ll refund FULL money.

Did you subscribe to our YouTube Channel (379 already subscribed) ?

The post Solution for OAM Error code OAM-02073 status fail is Excluded false appeared first on Oracle Trainings for Apps & Fusion DBA.

FREE Live Webinar: Learn Oracle Access Manager (OAM) 11g R2 from team K21

This entry is part 1 of 2 in the series Oracle Access Manager

(Image: k21_oam_webinar)

Oracle Access Manager (OAM) is Oracle's recommended Single Sign-On (SSO) solution and is mandatory for Oracle Fusion Applications. Apps DBAs and Fusion Middleware administrators with OAM skills have better chances at Oracle-related opportunities and are generally paid higher.

Join team K21 Technologies for a FREE webinar this Saturday (7th November, 2015) at 9:00 AM PST / 12:00 PM EST / 10:30 PM IST / 5:00 PM GMT, where OAM expert Ganesh Kamble will cover the overview, architecture and the important components that are part of Oracle Access Manager (OAM).

This webinar will cover the key points that are important for beginners and for those who want to pursue a career in Oracle Identity & Access Management (OAM/OID/OIM).

Oracle Access Manager provides centralized authentication, authorization and single sign-on to secure access across enterprise applications.

Below you can see the architecture of Oracle Access Manager 11g R2:

(Image: OAM)

Oracle Access Manager 11g includes:

  • Database that contains OAM metadata and schemas
  • LDAP Server where identities of users and groups are stored
  • OHS /Apache as Web Server
  • Application resource which is protected by OAM
  • OAM Admin Server
  • OAM Managed server
  • WebGate, which intercepts requests at the web server and forwards them to the OAM server for a policy decision

To know more about the components of Oracle Access Manager and its detailed architecture, click on the button below to register for our webinar.

Click Here to register for the free Webinar

 

If you have any Question related to OAM that you want us to cover in our FREE Webinar on OAM then post it below as comment or ask in our Private Facebook Group

The post FREE Live Webinar: Learn Oracle Access Manager (OAM) 11g R2 from team K21 appeared first on Oracle Trainings for Apps & Fusion DBA.

Starting OAM Managed Server from Weblogic Console, Check This ?

This entry is part 2 of 2 in the series Oracle Access Manager

This post relates to an OAM Managed Server issue from our Oracle Access Manager Training (next batch starts on 29th Nov, 2015; register now for the early bird discount, limited time only), where apart from Architecture, Installation, Configuration and Integration we also cover High Availability & Disaster Recovery.

As OAM is deployed on WebLogic Server, we also cover WebLogic concepts such as Domain, Admin & Managed Servers and Clusters.

One of the trainees from our previous batch encountered an issue while starting the OAM Managed Server (oam_server1) from the WebLogic Administration Console (/console). When a server is started from the Console, Node Manager does the work in the background, so first make sure that Node Manager is running and that a Machine is associated with the Managed Server.

If Node Manager is fine and startup still fails, check the Managed Server log file located under $DOMAIN_HOME/servers/oam_server1/logs; in our case it showed the following error messages:

Caused By: com.bea.common.engine.ServiceInitializationException: com.bea.common.engine.SecurityServiceRuntimeException: [Security:097533]Security Provider service class name for IAMSuiteAgent is not specified.
        at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:365)
        at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:315)
        at com.bea.common.engine.internal.ServiceEngineImpl.lookupService(ServiceEngineImpl.java:257)
        at com.bea.common.engine.internal.ServicesImpl.getService(ServicesImpl.java:72)
        at weblogic.security.service.internal.WLSIdentityServiceImpl.initialize(WLSIdentityServiceImpl.java:46)
        at weblogic.security.service.CSSWLSDelegateImpl.initializeServiceEngine(CSSWLSDelegateImpl.java:299)
        at weblogic.security.service.CSSWLSDelegateImpl.initialize(CSSWLSDelegateImpl.java:220)
        at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.InitializeServiceEngine(CommonSecurityServiceManagerDelegateImpl.java:1789)

Root Cause:

In nodemanager.properties (the configuration file Node Manager reads at start), StartScriptEnabled was set to false (the default in this version). Node Manager therefore launched the Managed Server JVM directly, without the classpath and JVM arguments that startWebLogic.sh sets up, so the IAMSuiteAgent security provider class could not be found and the server failed with the error above.

Fix:

1. Stop Node Manager: exit the terminal in which Node Manager was started.

Note: there is no stop script for Node Manager in this release, so just kill the process.

2. Run the setNMProps.sh script located under $MW_HOME/oracle_common/common/bin:
./setNMProps.sh (this appends StartScriptEnabled=true to nodemanager.properties)

You should see the output: "Appending required nodemanager.properties"

3. Start Node Manager with startNodeManager.sh located under $WL_HOME/server/bin:

./startNodeManager.sh

4. Start Managed Server using Administration Console. It should be RUNNING now.
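To confirm the setting before (or instead of) restarting anything, here is an added Python example (not code from the original post or from Oracle) that reads nodemanager.properties the way java.util.Properties does and tells you whether Node Manager will run the domain start script. The file contents are constructed samples: BEFORE mirrors an 11g default with StartScriptEnabled=false, and AFTER shows the line setNMProps.sh appends, which wins because a later duplicate key overrides an earlier one.

```python
"""Check nodemanager.properties for the StartScriptEnabled setting behind this failure.

Added example, not code from the original post or from Oracle. parse_properties() covers
the java.util.Properties rules that matter here: '#'/'!' comments, '=' or ':' separators,
backslash line continuations, escaped separators, and last duplicate key wins. BEFORE and
AFTER are constructed sample files, not real customer configuration.
"""


def parse_properties(text):
    """Parse Java .properties text into a dict (subset of java.util.Properties semantics)."""
    props, carry = {}, ""
    for raw in text.splitlines():
        line = carry + raw.lstrip()
        carry = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\") and not line.endswith("\\\\"):
            carry = line[:-1]                        # logical line continues on the next line
            continue
        key, value = line, ""
        for i, ch in enumerate(line):
            if ch in "=:" and (i == 0 or line[i - 1] != "\\"):
                key, value = line[:i].rstrip(), line[i + 1:].lstrip()
                break
        props[key.replace("\\=", "=").replace("\\:", ":")] = value   # later key wins
    return props


def check_start_script(props):
    """(ok, message): ok is False when servers would start without the domain scripts."""
    enabled = props.get("StartScriptEnabled", "false").strip().lower() == "true"
    script = props.get("StartScriptName", "startWebLogic.sh")
    if not enabled:
        return False, ("StartScriptEnabled=false: Node Manager launches the JVM directly and "
                       "skips the CLASSPATH and JVM args from setDomainEnv.sh/startWebLogic.sh; "
                       "run setNMProps.sh or set StartScriptEnabled=true")
    return True, f"StartScriptEnabled=true: Managed Servers start via {script}"


# Constructed sample of an 11g nodemanager.properties before setNMProps.sh is run ...
BEFORE = """#Node manager properties
#Sun Nov 29 10:12:31 IST 2015
DomainsFile=/u01/app/oracle/Middleware/wlserver_10.3/common/nodemanager/nodemanager.domains
LogLimit=0
PropertiesVersion=10.3
AuthenticationEnabled=true
ListenAddress=
SecureListener=true
StartScriptEnabled=false
StartScriptName=startWebLogic.sh
JavaHome=/u01/app/oracle/jdk1.7.0_80
"""
# ... and after it has appended its line (the later duplicate key overrides the earlier one).
AFTER = BEFORE + "StartScriptEnabled=true\n"

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        ok, msg = check_start_script(parse_properties(text))
        print(f"{label}: {'OK' if ok else 'PROBLEM'} - {msg}")
```

Point it at $WL_HOME/common/nodemanager/nodemanager.properties on each machine that hosts an OAM managed server; a false result there is exactly the condition that produces the IAMSuiteAgent error above.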

If you want to learn more issues like above or wish to discuss challenges you are hitting in Oracle Access Manager Implementation, register for our Oracle Access Manager Training (next batch starts on 29th Nov, 2015 – Register now for early bird discount, limited time only).

We are so confident on quality and value of our training that We provide 100% Money back guarantee so in unlikely case of you being not happy after 2 sessions, just drop us a mail before third session and We’ll refund FULL money (or ask us from our happy trainees in our private Facebook Group).

Did you subscribe to our YouTube Channel (375 already subscribed) ?

The post Starting OAM Managed Server from Weblogic Console, Check This ? appeared first on Oracle Trainings for Apps & Fusion DBA.
