Wednesday, April 29, 2015

OAM Error, MBean operation access denied. MBean: oracle.oam:type=Config Operation: retrieveMapPropertyArray(java.lang.String) Detail: Access denied. Required roles: Admin, executing subject: principals=[eidmwebadmin, OAMAdministrators, OAMSystemAdminGroup]

Error: java.lang.SecurityException: MBean operation access denied. MBean: oracle.oam:type=Config Operation: retrieveMapPropertyArray(java.lang.String) Detail: Access denied. Required roles: Admin, executing subject: principals=[eidmwebadmin, OAMAdministrators, OAMSystemAdminGroup]

This error comes because you created a group for OAM administration and named it something other than Administrators (here OAMAdministrators). Being a member of that group is not enough: the oracle.oam Config MBean requires the WebLogic global role Admin, and out of the box that role is granted only to the Administrators group. The new group has to be added to the Admin role under the realm's Roles and Policies before its members can call the MBeans. Keep in mind that this makes the group's members full WebLogic administrators for the whole domain, not only for OAM, so control its membership accordingly.

1>     Log in to the WebLogic Administration Console → click “Security Realms”

2>     Click on myrealm

3>     Select “Roles and Policies”, expand Global Roles → Roles

4>     Select “View Role Conditions” for the “Admin” role.
If your group is not already listed (the original screenshot showed “OAMAdministrators” already added), select Add Conditions → Group → enter the group name in “Group Argument Name” → Finish.

5>     Save. Restart the OAM Domain.
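To make the group-versus-role distinction concrete, here is an added example (not from the original post and not Oracle code) that models how WebLogic decides the call: it parses the exception text above, evaluates the subject's principals against the global role expressions before and after the fix, and lists every global role the OAM group ends up holding. The Grp()/Usr() expression syntax is WebLogic's; the evaluator is a deliberately minimal model, and the role-to-group table beyond the Admin role is the WebLogic default as assumed here.

```python
"""Added example: why group membership alone does not satisfy a WebLogic MBean
operation that requires the global role Admin, and what widening that role does.

Simplified model of WebLogic's role mapper; the Grp()/Usr() expression syntax is
WebLogic's, the evaluator is a minimal one written for this post.
"""
import re

# Constructed sample input: the exception text from the post.
SAMPLE_ERROR = (
    "java.lang.SecurityException: MBean operation access denied. "
    "MBean: oracle.oam:type=Config Operation: retrieveMapPropertyArray(java.lang.String) "
    "Detail: Access denied. Required roles: Admin, executing subject: "
    "principals=[eidmwebadmin, OAMAdministrators, OAMSystemAdminGroup]"
)

# Default WebLogic global roles (a subset) and the groups they are granted to.
DEFAULT_GLOBAL_ROLES = {
    "Admin": "Grp(Administrators)",
    "Deployer": "Grp(Deployers)",
    "Operator": "Grp(Operators)",
    "Monitor": "Grp(Monitors)",
}

# The same roles after step 4 of the post: the OAM group added to the Admin role.
FIXED_GLOBAL_ROLES = dict(DEFAULT_GLOBAL_ROLES,
                          Admin="Grp(Administrators)|Grp(OAMAdministrators)")

_ERR_RE = re.compile(
    r"MBean: (\S+) Operation: (\S+) Detail: .*?"
    r"Required roles: (.*?), executing subject: principals=\[(.*?)\]"
)


def _split_list(text):
    return [item.strip() for item in text.split(",") if item.strip()]


def parse_access_denied(message):
    """Split a WebLogic 'MBean operation access denied' message into
    (mbean, operation, required_roles, principals)."""
    m = _ERR_RE.search(message)
    if not m:
        raise ValueError("not a WebLogic MBean access-denied message")
    mbean, operation, roles, principals = m.groups()
    return mbean, operation, _split_list(roles), _split_list(principals)


def role_granted(expression, principals):
    """Evaluate a flat role expression such as
    'Grp(Administrators)|Grp(OAMAdministrators)' against the subject's principals.
    Supports Grp(name), Usr(name), '|' (or) and '&' (and); parenthesised
    sub-expressions are not handled (assumption: the console writes flat ones)."""
    def atom(token):
        m = re.fullmatch(r"(Grp|Usr)\((.+)\)", token.strip())
        if not m:
            raise ValueError("unsupported role expression token: %r" % token)
        # The user name and the group names both appear in the principal list.
        return m.group(2) in principals
    return any(all(atom(t) for t in clause.split("&"))
               for clause in expression.split("|"))


def missing_roles(required_roles, principals, global_roles):
    """Roles the subject still lacks for the operation; an empty list means allowed."""
    return [r for r in required_roles
            if r not in global_roles or not role_granted(global_roles[r], principals)]


def roles_held(principals, global_roles):
    """Every global role the subject holds: the blast radius of the change.
    Adding a group to Admin grants its members Admin on every MBean in the
    domain, not only on oracle.oam."""
    return [r for r, expr in global_roles.items() if role_granted(expr, principals)]


if __name__ == "__main__":
    mbean, op, required, subject = parse_access_denied(SAMPLE_ERROR)
    print("operation %s on %s requires %s" % (op, mbean, required))
    print("missing with default roles:", missing_roles(required, subject, DEFAULT_GLOBAL_ROLES))
    print("missing after the fix:", missing_roles(required, subject, FIXED_GLOBAL_ROLES))
    print("global roles the OAM admin now holds:", roles_held(subject, FIXED_GLOBAL_ROLES))
```

Run it as a script to see the before/after for the subject in the error; `roles_held` is the part worth keeping around, since it shows the fix grants the group the whole Admin role rather than access to one MBean.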

Have Fun....

Friday, March 13, 2015

Create an OVD changelog adapter

A changelog is needed by applications such as OIM that use it to keep OIM and OID data in sync. To create a changelog adapter:

1>     Make sure that the OID changelog is enabled.
To confirm, query the root DSE for lastchangenumber:
ldapsearch -D cn=orcladmin -w <password> -h <server> -p <port> -b '' -s base 'objectclass=*' lastchangenumber
If no lastchangenumber attribute comes back, the changelog is off; see “Enable/Disable the OID changelog” below. Note that -w <password> on the command line ends up in shell history and process listings, so avoid it on shared hosts.

2>     Log in to ODSM at http://<server>:<port>/odsm
3>     Connect to the OVD instance using ODSM.
4>     Click the “Adapter” tab.
5>     Create a new adapter.
This starts the wizard. Create the adapter with the following parameters:

Type
  Adapter Type:      LDAP
  Adapter Name:      Changelog Adapter
  Adapter Template:  Changelog_OID

Connection
  Use DNS for Auto Discovery:  No
  Host:                        <oid server>
  Port:                        <oid port>
  Server Proxy Bind DN:        cn=orcladmin
  Proxy Password:              password for the orcladmin user
  (cn=orcladmin is the OID superuser and OVD stores this credential in its configuration; in production prefer a dedicated account that only has read access to cn=changelog.)

Connection Test
  Validate that the test succeeds.

Namespace
  Remote Base:       (do not assign)
  Mapped Namespace:  cn=changelog

Summary
  Verify that the summary is correct, then click Finish.


Have fun ...

Enable/Disable the OID changelog

OID uses the changelog to keep track of the changes performed on the directory. It is consumed by applications such as OIM to keep OIM and OID in sync. The changelog is enabled by default when you install OID; if it has been turned off, you can enable it again with the procedure below.
The attribute orclgeneratechangelog on the OID component's server configuration entry controls changelog generation. Create an LDIF file that sets it (componentname is your OID component name, oid1 in a default install):

dn: cn=<componentname>,cn=osdldapd,cn=subconfigsubentry
changetype: modify
replace: orclgeneratechangelog
orclgeneratechangelog: 1

A value of “1” enables the changelog, whereas “0” disables it.
Apply it with ldapmodify:

ldapmodify -D cn=orcladmin -w <password> -h <oid server> -p <oid port> -f <ldif file>

Viewing the Changelog

Use ldapsearch with the search base cn=changelog to view the changelog entries, narrowing the result with a filter. For example:
1.    To view a range of changelog entries that were transported from a supplier to the local node:
   "(&(objectclass=changeLogEntry)(servername=SUPPLIER_REPLICAID)(changeNumber>=FROMCHGNO)(changeNumber<=TOCHGNO))"
2.    To view a single changelog entry that was transported from a supplier to the local node:
   "(&(objectclass=changeLogEntry)(servername=SUPPLIER_REPLICAID)(changeNumber=CHGNO))"
3.    To view a range of changelog entries generated at the local node:
   "(&(objectclass=changeLogEntry)(changeNumber>=FROMCHGNO)(changeNumber<=TOCHGNO))"
4.    To view a single changelog entry generated at the local node:
   "(&(objectclass=changeLogEntry)(changeNumber=CHGNO))"
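As an added example (not from the original post and not Oracle code), the script below reads an LDIF export of cn=changelog and applies the same changeNumber and servername filters offline, then goes one step further than the post and flags the changes a security team would want to review: password replacements and membership changes on a privileged group. The changelog entries, server names, DNs, the watched attribute list and the group name are all constructed sample data.

```python
"""Added example: read an LDIF export of cn=changelog offline, apply the filters
from the post, and flag the changes worth alerting on.

All entries, server names, DNs and the watch list below are constructed sample
data, not output from a real OID instance.
"""
import base64


def _entry(number, server, target, ctype, changes):
    """Render one changeLogEntry as LDIF. The multi-line `changes` value is
    base64-encoded after '::', as LDIF requires for values containing newlines."""
    return "\n".join([
        "dn: changenumber=%d,cn=changelog" % number,
        "objectclass: changeLogEntry",
        "changenumber: %d" % number,
        "servername: " + server,
        "targetdn: " + target,
        "changetype: " + ctype,
        "changes:: " + base64.b64encode(changes.encode()).decode(),
    ]) + "\n\n"


# Constructed sample: 1001-1003 were generated locally (servername oid1),
# 1004 arrived from a replication supplier (servername oid2).
SAMPLE_LDIF = "".join([
    _entry(1001, "oid1", "cn=jdoe,cn=users,dc=example,dc=com", "modify",
           "replace: telephonenumber\ntelephonenumber: +1 555 0100\n-\n"),
    _entry(1002, "oid1", "cn=OAMAdministrators,cn=groups,dc=example,dc=com", "modify",
           "add: uniquemember\nuniquemember: cn=mallory,cn=users,dc=example,dc=com\n-\n"),
    _entry(1003, "oid1", "cn=jdoe,cn=users,dc=example,dc=com", "modify",
           "replace: userpassword\nuserpassword: {SSHA}c29tZWhhc2g=\n-\n"),
    _entry(1004, "oid2", "cn=newuser,cn=users,dc=example,dc=com", "add",
           "objectclass: inetorgperson\ncn: newuser\nsn: User\n"),
])

# Constructed watch list: attributes and groups whose changes warrant review.
WATCHED_ATTRS = {"userpassword"}
PRIVILEGED_GROUPS = {"cn=oamadministrators,cn=groups,dc=example,dc=com"}


def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, 'attr: value' or
    'attr:: base64'. Assumes the export contains no folded continuation lines."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def changelog_range(entries, from_no, to_no, servername=None):
    """The post's filters 1-4 evaluated client-side: changeLogEntry records with
    FROMCHGNO <= changeNumber <= TOCHGNO, optionally only from one supplier."""
    selected = []
    for e in entries:
        if "changelogentry" not in (v.lower() for v in e.get("objectclass", [])):
            continue
        if not from_no <= int(e["changenumber"][0]) <= to_no:
            continue
        if servername is not None and e.get("servername", [None])[0] != servername:
            continue
        selected.append(e)
    return selected


def parse_changes(entry):
    """Turn the entry's `changes` value into [(op, attribute, [values])]."""
    lines = [l for l in entry.get("changes", [""])[0].splitlines() if l and l != "-"]
    if entry["changetype"][0].lower() == "add":
        # An add record lists the new entry's attributes directly.
        return [("add", a.strip().lower(), [v.strip()])
                for a, _, v in (l.partition(":") for l in lines)]
    mods, current = [], None
    for l in lines:
        attr, _, value = l.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr in ("add", "replace", "delete"):
            current = (attr, value.lower(), [])
            mods.append(current)
        elif current is not None:
            current[2].append(value)
    return mods


def suspicious_changes(entries):
    """Flag password replacements and membership changes on privileged groups.
    Returns [(changeNumber, targetDN, description)]."""
    findings = []
    for e in entries:
        number, target = int(e["changenumber"][0]), e["targetdn"][0].lower()
        for op, attr, values in parse_changes(e):
            if attr in WATCHED_ATTRS:
                findings.append((number, target, "%s %s" % (op, attr)))
            elif attr == "uniquemember" and target in PRIVILEGED_GROUPS:
                findings.append((number, target, "%s uniquemember %s" % (op, ", ".join(values))))
    return findings


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    local = changelog_range(entries, 1001, 1004, servername="oid1")
    print("local changes 1001-1004:", [e["changenumber"][0] for e in local])
    for number, target, what in suspicious_changes(entries):
        print("REVIEW change %d on %s: %s" % (number, target, what))
```

Feed it the output of an ldapsearch against cn=changelog saved as LDIF; the lastchangenumber from the root DSE gives you the upper bound of the range to pull on each run.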


Have fun...

Tuesday, February 24, 2015

Roll back/Revert a published Sandbox in OIM 11GR2

Many times you would like to roll back the changes made by a published sandbox. Once published, there is no option in the OIM Admin or Identity Self Service console to roll it back. However, starting with 11g R2, you can roll back a published sandbox through the Enterprise Manager interface, because OIM records an MDS label for each sandbox.

1> Log in to Enterprise Manager (EM console).

2> Select the OIM target: “Identity and Access” → OIM → oim(11.1.2…..)

3> Start the MBean Browser.

4> Go to oracle.mds.lcm → Server: oim_server1 → Application: oracle.iam.console.identity.self-service.ear → MDSAppRuntime → MDSAppRuntime (oim_server1 is the managed server name in this environment; use yours).

5> On the right side, click “listMetadataLabels”. There are two of them; choose the one that does not take a parameter.

6> For each sandbox there are three labels: creation_<sandbox>…., pre_<sandbox>…. and post_<sandbox>…. . To return OIM to the state before the sandbox was created (roll back the sandbox), copy the name of the label that starts with creation, for example Creation_OIM_testbox_10:30:00. Check the label timestamps first: promoting a label restores the application's MDS content to that point in time, so customizations published after that sandbox are reverted as well.

7> Click “Return” to go back to the previous page (Operations) and find the operation “promoteMetadataLabel”. There are two of them; use the one that takes a single parameter.

8> Paste the label name you copied (Creation_OIM_testbox_10:30:00) into the parameter field.

9> Click “Invoke”.

10> Restart the OIM managed server.

Have fun....


Wednesday, February 18, 2015

Offloading webgate SSL to a load balancer

A very common configuration for web servers is to proxy them behind a load balancer, and more often than not SSL terminates at the load balancer. This means that from the load balancer to the web server the traffic is plain text (HTTP), which lets the organization monitor the internal traffic with IDS/IPS. It also means that segment has to be a trusted network, since credentials and session cookies cross it unencrypted.

The webgate is installed on the web server, so when it receives the request it sees plain HTTP. When it redirects the browser to the next URL, it therefore builds that URL with the scheme and port it received: http://<hostname>:<port>/obrar.cgi. Since the load balancer is listening for HTTPS only, this URL never reaches anywhere and the login flow breaks.

There are 2 possible ways to resolve it:

1>      Create a forwarder on the load balancer that redirects all HTTP traffic to HTTPS on the same load balancer. Many organizations do not prefer this solution, as they do not want any unencrypted port open on the internet-facing load balancer.

2>    Set the header IS_SSL to the value “ssl” on the load balancer. Webgate looks for this header to find out whether the original request was secured; if the value is “ssl”, the URLs it sends back use https instead of http. Make the load balancer set (overwrite) this header on every request rather than forwarding whatever the client sent, so a client cannot manipulate the scheme the webgate believes it is using.


Have fun….