Tuesday, February 24, 2015

Roll back/Revert a published Sandbox in OIM 11GR2

Reverting a Published Sandbox in OIM 11g R2

Quite often you will want to roll back the changes made by a published sandbox. Once a sandbox is published, there is no option in the OIM Administration or Identity Self Service console to undo it. Starting with 11g R2, however, a published sandbox can be rolled back through the Enterprise Manager (EM) console by promoting the MDS label that was taken when the sandbox was created, as follows.



1> Log in to Enterprise Manager (EM console).



2> Navigate to the OIM instance by clicking Identity and Access -> OIM -> oim(11.1.2…..)



3> Open the System MBean Browser.



4> Go to oracle.mds.lcm -> Server: oim_server1 -> Application: oracle.iam.console.identity.self-service.ear -> MDSAppRuntime -> MDSAppRuntime





5> On the right-hand side, under Operations, click listMetadataLabels. There are two of them; choose the one that takes no parameter.



6> For each sandbox there are three entries: creation_<sandbox>..., pre_<sandbox>... and post_<sandbox>.... To take OIM back to the state it was in before the sandbox was created (that is, to roll the sandbox back), copy the name of the label starting with creation..., for example Creation_OIM_testbox_10:30:00. Note that promoting this label restores the metadata to the state captured in it, so the changes of any sandbox published after it are rolled back as well.

7> Click Return to go back to the previous page (Operations) and find the operation promoteMetadataLabel. There are two of them; use the one that takes a single parameter.





8> Paste the label name you copied (Creation_OIM_testbox_10:30:00) into the parameter field.

9> Click Invoke.

10> Restart the OIM managed server so that the reverted metadata is loaded.
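The same rollback can be scripted instead of clicked through, which is what you want for a repeatable, reviewable change. The script below is an added example written for this post, not Oracle's code: it drives the same oracle.mds.lcm MDSAppRuntime MBean used in the steps above through the MBeanServerConnection (mbs) that WLST exposes after connect(), lists the labels, picks the creation_ label of the named sandbox and, only when asked with --execute, promotes it. The application and server names come from the EM path in step 4; the ObjectName pattern used to locate the MBean, the java.lang.String signature of the one-argument promoteMetadataLabel, and the assumption that the label list comes back in creation order are mine and should be checked against your domain. SAMPLE_LABELS is constructed test data following the naming pattern in step 6.

```python
"""Roll back a published OIM sandbox from WLST (Jython) instead of the EM console.

Run inside WLST:
    $MW_HOME/oracle_common/common/bin/wlst.sh rollback_sandbox.py testbox
    $MW_HOME/oracle_common/common/bin/wlst.sh rollback_sandbox.py testbox --execute
Without --execute it only reports which label would be promoted and what that undoes.
"""
import sys

APPLICATION = 'oracle.iam.console.identity.self-service.ear'  # from the EM path in step 4
SERVER = 'oim_server1'                                          # from the EM path in step 4

# Constructed sample of a listMetadataLabels result, for offline testing of the
# selection logic. Real names follow the creation_/pre_/post_ pattern of step 6.
SAMPLE_LABELS = [
    'Creation_OIM_testbox_10:30:00', 'Pre_OIM_testbox_10:35:00', 'Post_OIM_testbox_10:36:00',
    'Creation_OIM_other_11:00:00', 'Pre_OIM_other_11:05:00', 'Post_OIM_other_11:06:00',
]


def find_rollback_label(labels, sandbox):
    """Pick the creation_ label of one sandbox from the listMetadataLabels output.

    The creation_ label is the state before the sandbox existed. Raises ValueError
    when no such label exists or when the sandbox name matches more than one,
    because promoting the wrong label reverts the wrong changes.
    """
    hits = [l for l in labels
            if l.lower().startswith('creation_') and sandbox.lower() in l.lower()]
    if not hits:
        raise ValueError('no creation label found for sandbox %r' % sandbox)
    if len(hits) > 1:
        raise ValueError('sandbox %r is ambiguous, matches: %s' % (sandbox, ', '.join(hits)))
    return hits[0]


def labels_after(labels, label):
    """Labels listed after the chosen one: later publishes that the promotion also
    undoes. Assumes the MBean returns labels in creation order; confirm against the
    timestamps in the names before executing."""
    return list(labels[labels.index(label) + 1:])


def mds_app_runtime():
    """Locate the MDSAppRuntime MBean for the OIM self-service application.

    Uses an assumed ObjectName pattern and filters on application and server name,
    so the key order in the real ObjectName does not matter.
    """
    from javax.management import ObjectName  # only available under WLST/Jython
    pattern = ObjectName('oracle.mds.lcm:type=MDSAppRuntime,name=MDSAppRuntime,*')
    found = [on for on in mbs.queryNames(pattern, None)
             if APPLICATION in str(on) and SERVER in str(on)]
    if len(found) != 1:
        raise RuntimeError('expected exactly one MDSAppRuntime MBean, found %r' % found)
    return found[0]


def main(argv):
    if len(argv) < 2:
        print('usage: wlst.sh rollback_sandbox.py <sandbox-name> [--execute]')
        return 2
    sandbox, execute = argv[1], '--execute' in argv
    connect()        # WLST built-in; prompts for user, password and admin URL
    domainRuntime()  # point mbs at the domain runtime tree, where oim_server1 MBeans are visible
    on = mds_app_runtime()
    labels = [str(l) for l in mbs.invoke(on, 'listMetadataLabels', [], [])]  # no-argument variant
    target = find_rollback_label(labels, sandbox)
    print('would promote %s' % target)
    for l in labels_after(labels, target):
        print('  also undone: %s' % l)
    if execute:
        # one-argument variant; parameter type is an assumption
        mbs.invoke(on, 'promoteMetadataLabel', [target], ['java.lang.String'])
        print('promoted %s; restart the OIM managed server now' % target)
    disconnect()
    return 0


if __name__ in ('__main__', 'main'):  # WLST runs scripts with __name__ == 'main'
    sys.exit(main(sys.argv))
```

The dry run is the default on purpose: listing what a promotion would undo, including other teams' sandboxes published after yours, is the check you want before touching MDS. Keep the ambiguity error; shortening the sandbox name to something that matches two creation_ labels is exactly how the wrong one gets promoted.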

Have fun....


Wednesday, February 18, 2015

Offloading webgate SSL to a load balancer



A very common configuration is to put the web server behind a load balancer, and more often than not SSL terminates at the load balancer. This means that between the load balancer and the web server the traffic is in clear text, which lets the organization use IDS/IPS to monitor its internal traffic.

The WebGate is installed on the web server, so when it receives the request it sees plain HTTP. It therefore builds the URL it asks the OAM server to send the browser back to (http://<hostname>:<port>/obrar.cgi) with the http scheme. Since the load balancer listens for https only, that URL never reaches anything and the login flow breaks.

There are 2 possible ways to resolve it:

1>      Create a forwarder on the load balancer that redirects all http traffic to https on the same load balancer. Many organizations do not like this solution because they do not want any unsecured port open on an internet-facing load balancer.

2>    Set the header IS_SSL to the value “ssl” on the load balancer. WebGate looks at this header to find out whether the original request came in over SSL; if the value is “ssl”, the URLs in its response use https instead of http. Make sure the load balancer sets (overwrites) this header itself rather than passing through whatever the client sent, otherwise a plain-http client could claim its request was secure.


Have fun….







Tuesday, February 17, 2015

Setting up OAM WebGate behind a Load Balancer that does context based routing


Setting up an OAM WebGate behind a load balancer can cause a routing problem. Take, for example, a load balancer that does context-based routing, sending each URL context (path prefix) to a different backend, as below:



The problem starts once the request has been intercepted by WebGate and OAM authentication has succeeded: OAM then tries to send the browser back to the web server with the cookie information, using a URL that looks like:


This URL never makes it to the backend web server because there is no context configured to route it. The traffic dies at the load balancer and an error message is displayed in the browser.

To resolve it, create a new context on the load balancer that routes this return traffic from the OAM server to the web server.


Access the web server again; after authentication it now takes you to the resource successfully.
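To make both load balancer fixes concrete, here is an added example (written for these two posts; it is not any vendor's load balancer and not code from the original) of a minimal SSL-offloading, context-routing reverse proxy in Python. It does the two things the posts ask of the load balancer: it sets IS_SSL: ssl on requests it terminated TLS for, dropping any client-supplied value first, and offers an http-to-https forwarder for those who accept a plain port (the previous post); and it routes by URL context with an entry for the WebGate return URL so the redirect back from the OAM server does not die at the proxy (this post). The return path is assumed to be /obrar.cgi, the path named in the previous post; the contexts, backend addresses, ports and certificate file name are made-up assumptions.

```python
"""Minimal SSL-offloading, context-routing reverse proxy in front of a WebGate."""
import http.client
import ssl
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Assumed context table: longest matching prefix wins. Without the '/obrar.cgi'
# entry the OAM server's redirect back to the web server matches nothing.
ROUTES = {
    '/app1/': ('10.0.0.11', 7777),
    '/app2/': ('10.0.0.12', 7777),
    '/obrar.cgi': ('10.0.0.11', 7777),  # WebGate return URL -> the web server
}

HOP_BY_HOP = {'connection', 'keep-alive', 'proxy-authenticate', 'proxy-authorization',
              'te', 'trailers', 'transfer-encoding', 'upgrade'}


def route(path):
    """(host, port) of the longest matching context, or None when nothing matches,
    which is the failure mode described in the context routing post."""
    best = None
    for prefix, backend in ROUTES.items():
        if path.startswith(prefix) and (best is None or len(prefix) > len(best[0])):
            best = (prefix, backend)
    return best[1] if best else None


def upstream_headers(client_headers, tls_terminated):
    """Headers forwarded to the web server.

    Client-supplied IS_SSL / X-Forwarded-Proto are dropped first so a plain-http
    client cannot make WebGate believe it arrived over TLS; the proxy then sets
    IS_SSL: ssl only when it terminated TLS itself.
    """
    out = {}
    for name, value in client_headers.items():
        if name.lower() in HOP_BY_HOP or name.lower() in ('is_ssl', 'x-forwarded-proto'):
            continue
        out[name] = value
    out['X-Forwarded-Proto'] = 'https' if tls_terminated else 'http'
    if tls_terminated:
        out['IS_SSL'] = 'ssl'  # the value WebGate looks for
    return out


def redirect_location(host_header, path):
    """Target for the http->https forwarder (option 1): same host, same path."""
    return 'https://%s%s' % (host_header.split(':')[0], path)


class Offloader(BaseHTTPRequestHandler):
    """Terminates TLS (when bound to a TLS socket) and forwards in clear text."""
    tls_terminated = False

    def _proxy(self):
        backend = route(self.path)
        if backend is None:
            self.send_error(404, 'no context configured for this path')
            return
        length = int(self.headers.get('Content-Length', 0))
        body = self.rfile.read(length) if length else None
        conn = http.client.HTTPConnection(backend[0], backend[1], timeout=10)
        conn.request(self.command, self.path, body,
                     upstream_headers(self.headers, self.tls_terminated))
        resp = conn.getresponse()
        self.send_response(resp.status, resp.reason)
        for name, value in resp.getheaders():
            if name.lower() not in HOP_BY_HOP:
                self.send_header(name, value)
        self.end_headers()
        self.wfile.write(resp.read())
        conn.close()

    do_GET = do_POST = do_HEAD = _proxy


class TlsOffloader(Offloader):
    tls_terminated = True


class HttpsForwarder(BaseHTTPRequestHandler):
    """Option 1 from the SSL offload post: the plain port only redirects."""
    def do_GET(self):
        self.send_response(301)
        self.send_header('Location',
                         redirect_location(self.headers.get('Host', 'localhost'), self.path))
        self.end_headers()


def serve(port=8443, certfile='lb.pem'):
    """Listen with TLS using an assumed certificate file, then forward in clear."""
    httpd = ThreadingHTTPServer(('0.0.0.0', port), TlsOffloader)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile)
    httpd.socket = ctx.wrap_socket(httpd.socket, server_side=True)
    httpd.serve_forever()


if __name__ == '__main__':
    serve()
```

The two points worth carrying over to a real load balancer are in upstream_headers and ROUTES: the IS_SSL header must be set by the device that terminated TLS and never copied from the client, and every URL WebGate or the OAM server will send the browser to, the return URL included, needs a route, not just the application contexts users type in.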


Have fun…