Wednesday, November 19, 2008

OAM Identity Server Deletes User When RDN Modified (on OID)

This is a known problem, but I had trouble finding the solution, so here it is re-posted from the OAS release notes for HP-UX... the resolution worked perfectly BTW.
This problem occurs when you use Oracle Internet Directory as the back-end repository. To fix this problem:
  1. Edit the file ldapreferentialintegrityparams.xml in the following directory:
    Identity_Server_installation_directory\identity\oblix\data\common
  2. Change the value of the parameter referential_integrity_using from oblix to ds, as follows:
  3. Save the file.
  4. Restart the Identity Server for the changes to take effect.
    You should be able to modify the RDN attribute value without any problem.
  5. If you have multiple instances of the Identity Server installed, make this change to every instance of the Identity Server.

Wednesday, August 20, 2008

SDK-Access Server Time Difference Reminder

When using an older Access Server SDK (7.0.4) with a newer Access Server (10.1.4) running in backward compatibility mode recently, the Access Server SDK always returned cookies that were logged out. The reason turned out to be that the time was never set on the machine the SDK was installed on.

However, the Access Server SDK installed correctly when it was installed. In previous incarnations the Access Server SDK would have never been able to be configured properly if a significant time difference existed.

This definitely falls squarely in the realm of user error, as the documentation clearly stipulates that when cert or simple mode are used the times have to be synchronized between client and server. In previous releases though you would never have been able to complete the SDK configuration. I can only imagine this has something to do with "backward compatibility" mode.

Thursday, August 7, 2008

Reactivate OAM User

In order to be able to search for deactivated users, the logged-in user needs to be a participant in a reactivate user workflow definition.

If the user is not a participant in a reactivate user workflow then the following message will be received when the "Deactivated User Identity" button is clicked:

You do not have sufficient access rights.

Wednesday, August 6, 2008

OID Indexes

Here are a few simple notes for handling OID indexes. If you want to search on an attribute in OAM where the data is stored in OID, it must be indexed. Sometimes you might want to remove and then possibly re-add an index. Index adding and removal can be handled with LDIF; however, if you need to recreate an index on existing data then you need to use a command line tool called catalog.

Index an attribute

dn: cn=catalogs
changetype: modify
add: orclindexedattribute
orclindexedattribute: attributename
-

Remove an index

dn: cn=catalogs
changetype: modify
delete: orclindexedattribute
orclindexedattribute: attributename
-

Re-index an attribute

If you remove an index from an attribute, the data remains, and you need to re-index the data in place, then you need to use the catalog command line tool.

$ORACLE_HOME/ldap/bin/catalog connect=oiddev add="TRUE" attribute="attributename"

Unwilling to perform

If, after the attribute has been re-indexed, the directory server still will not allow it to be searched and returns an unwilling to perform error, try restarting the OID gateway.

$ORACLE_HOME/opmn/bin/opmnctl restartproc ias-component=OID

Current Indexed Attributes

Use ldapsearch to get the current indexed attributes:

ldapsearch -h localhost -p 389 -x -s base -b "cn=catalogs" "objectclass=*"
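Before adding an attribute to an OAM search configuration it is worth checking the catalogs entry programmatically. The following is an added example, not code from the original post: it parses the LDIF-style output of the ldapsearch above (the sample output is constructed, including one folded continuation line) and reports which wanted attributes are still unindexed.

```javascript
// Added example (not from the original post). Parses the cn=catalogs entry
// returned by the ldapsearch above and reports which attributes still need
// an index before an OAM search on them will work.

// Constructed sample output, not captured from a real OID instance. The
// ' ol' line is an RFC 2849 continuation (folded) line.
const SAMPLE_CATALOGS_OUTPUT = [
  'dn: cn=catalogs',
  'cn: catalogs',
  'objectclass: top',
  'orclindexedattribute: uid',
  'orclindexedattribute: mail',
  'orclindexedattribute: obuseraccountcontr',
  ' ol',
  'orclindexedattribute: employeeNumber',
  '',
].join('\n');

// Join folded lines: a line beginning with a single space continues the
// previous line (RFC 2849).
function unfoldLdif(text) {
  const lines = [];
  for (const raw of text.split(/\r?\n/)) {
    if (raw.startsWith(' ') && lines.length > 0) {
      lines[lines.length - 1] += raw.slice(1);
    } else {
      lines.push(raw);
    }
  }
  return lines;
}

// Set of indexed attribute names, lower-cased because LDAP attribute
// names are compared case-insensitively.
function indexedAttributes(text) {
  const names = new Set();
  for (const line of unfoldLdif(text)) {
    const m = /^orclindexedattribute:\s*(\S+)\s*$/i.exec(line);
    if (m) names.add(m[1].toLowerCase());
  }
  return names;
}

function isIndexed(text, attr) {
  return indexedAttributes(text).has(attr.toLowerCase());
}

// Attributes from `wanted` (e.g. the attributes an OAM search will filter
// on) that OID would refuse to search because they have no index. The
// caller's spelling is preserved in the result.
function missingIndexes(text, wanted) {
  const have = indexedAttributes(text);
  return wanted.filter((a) => !have.has(a.toLowerCase()));
}

// LDIF to add ("add") or remove ("delete") an index, matching the two
// snippets above; feed the result to ldapmodify.
function catalogLdif(attr, op) {
  if (op !== 'add' && op !== 'delete') throw new Error('op must be add or delete');
  return ['dn: cn=catalogs', 'changetype: modify', op + ': orclindexedattribute',
    'orclindexedattribute: ' + attr, '-', ''].join('\n');
}

// Stand-alone usage: print the attributes that still need an index.
console.log(missingIndexes(SAMPLE_CATALOGS_OUTPUT, ['uid', 'sn', 'mail', 'givenName']));
```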

Saturday, July 26, 2008

Deleting a User with IDXML

Certain actions (such as creating or removing an LDAP entry) are only available via OAM's 'workflow' engine. A freshly installed OAM system has no workflows configured, thus, no immediate mechanism to affect such actions.

To the newly initiated, discovering the create workflow mechanisms are relatively straightforward. But the delete, however, tends to throw people for a loop at first.

The trick is to create a 'Deactivate User Workflow'. Exactly what this workflow does is up the user building the workflow. You'll find, following the definition of the initial step, three similar action choices:
  • deactivate
  • disable
  • delete

If your goal is truly to whack the account, choose delete. Otherwise, a choice of disable will set the user account ObUserAccountControl flag to DEACTIVATED (with no human interaction required). By default, the Identity System ignores DEACTIVATED accounts in the user searchbase. The deactivate action accomplishes the same thing but it requires a human participant to actually push the button to confirm the action.

Lastly, if you want to access this 'Delete User Workflow' from IDXML you just need to keep in mind that it is a workflow you are calling. Pay close attention to:
  • function="workflowDeactivateUserSave"
  • and the fact that you do provide the workflow DN in the call
Here is a complete request for calling a Deactivate User Workflow:

<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:oblix="http://www.oblix.com">
<SOAP-ENV:Body>
<oblix:authentication type="basic">
<oblix:login>admin</oblix:login>
<oblix:password>test1234</oblix:password>
</oblix:authentication>
<oblix:request application="userservcenter" function="workflowDeactivateUserSave" version="NPWSDL1.0">
<oblix:params>
<oblix:ObWorkflowName>obworkflowid=c60491a5ca0a45668fff08da2f1072d2,obcontainerId=workflowDefinitions,OU=Oblix,OU=apps,DC=company,DC=com</oblix:ObWorkflowName>
<oblix:uid>UID=372af3c1-0c7e-428d-a80a-fae632211489,OU=people,DC=company,DC=com</oblix:uid>
<oblix:noOfFields>2</oblix:noOfFields>
<AttributeParams xmlns="http://www.oblix.com/">
<GenericAttribute>
<AttrName>cn</AttrName>
<AttrNewValue>test</AttrNewValue>
<AttrOperation>REPLACE_ALL</AttrOperation>
</GenericAttribute>
<GenericAttribute>
<AttrName>userStatus</AttrName>
<AttrNewValue>delete</AttrNewValue>
<AttrOperation>REPLACE_ALL</AttrOperation>
</GenericAttribute>
</AttributeParams>
</oblix:params>
</oblix:request>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>

Tuesday, July 22, 2008

OAM Identity XML (IDXML) via XMLHttpRequest

It makes sense that the ideal HTTP Client for IDXML processing is the authenticated user's browser. After all, it already has the ObSSOCookie.

JQuery is the Javascript library of choice for all my client work lately. You can see why in the following example of processing an IDXML request via Javascript straight from the client. The use cases for this capability are endless.

This is the proverbial 'tip of the iceberg' in utilizing OAM Identity in a modern web development context. The end result: Perfectable user experiences based on data and services made available and secured through OAM's web based configuration tools. It's a powerful combination.

Lets take a simple create user workflow request and turn out a simple Javascript templating function to build the string for us:
var getSoap = function(data){
  var dat = [];
  dat[dat.length] = '<?xml version="1.0" encoding="UTF-8"?>';
  dat[dat.length] = '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:oblix="http://www.oblix.com">';
  dat[dat.length] = '<SOAP-ENV:Body>';
  dat[dat.length] = '<oblix:request function="workflowSaveCreateProfile" version="NPWSDL1.0">';
  dat[dat.length] = '<oblix:params>';
  dat[dat.length] = '<oblix:ObWorkflowName>obworkflowid=672fcf2e9c5946a8b5b225b349acd46b,obcontainerId=workflowDefinitions,OU=Oblix,OU=apps,DC=company,DC=com</oblix:ObWorkflowName>';
  dat[dat.length] = '<oblix:ObDomainName>OU=people,DC=company,DC=com</oblix:ObDomainName>';
  dat[dat.length] = '<oblix:noOfFields>5</oblix:noOfFields>';
  dat[dat.length] = '<AttributeParams xmlns="http://www.oblix.com/">';
  dat[dat.length] = '<GenericAttribute>';
  dat[dat.length] = '<AttrName>uid</AttrName>';
  dat[dat.length] = '<AttrNewValue>'+data.uid+'</AttrNewValue>';
  dat[dat.length] = '<AttrOperation>ADD</AttrOperation>';
  dat[dat.length] = '</GenericAttribute>';
  dat[dat.length] = '<GenericAttribute>';
  dat[dat.length] = '<AttrName>cn</AttrName>';
  dat[dat.length] = '<AttrNewValue>'+data.cn+'</AttrNewValue>';
  dat[dat.length] = '<AttrOperation>ADD</AttrOperation>';
  dat[dat.length] = '</GenericAttribute>';
  dat[dat.length] = '<GenericAttribute>';
  dat[dat.length] = '<AttrName>mail</AttrName>';
  dat[dat.length] = '<AttrNewValue>'+data.mail+'</AttrNewValue>';
  dat[dat.length] = '<AttrOperation>ADD</AttrOperation>';
  dat[dat.length] = '</GenericAttribute>';
  dat[dat.length] = '<GenericAttribute>';
  dat[dat.length] = '<AttrName>givenName</AttrName>';
  dat[dat.length] = '<AttrNewValue>'+data.givenName+'</AttrNewValue>';
  dat[dat.length] = '<AttrOperation>ADD</AttrOperation>';
  dat[dat.length] = '</GenericAttribute>';
  dat[dat.length] = '<GenericAttribute>';
  dat[dat.length] = '<AttrName>sn</AttrName>';
  dat[dat.length] = '<AttrNewValue>'+data.sn+'</AttrNewValue>';
  dat[dat.length] = '<AttrOperation>ADD</AttrOperation>';
  dat[dat.length] = '</GenericAttribute>';
  dat[dat.length] = '</AttributeParams>';
  dat[dat.length] = '<oblix:obactorcomment>IDXML from browser via Javascript</oblix:obactorcomment>';
  dat[dat.length] = '</oblix:params>';
  dat[dat.length] = '</oblix:request>';
  dat[dat.length] = '</SOAP-ENV:Body>';
  dat[dat.length] = '</SOAP-ENV:Envelope>';

  return dat.join("");
};


Then, if we prep a little data object with values (presumably pulled from the user interface):

var userdata = {
  uid:"marmil",
  cn:"Mark Miller",
  mail:"mark[at]nulli.com",
  givenName:"Mark",
  sn:"Miller"
};


I can call my template and consider my soap envelope ready to go:

var createUserSoapRequest = getSoap(userdata);


All over but the sending (and response handling):

// process the request
$.ajax({
  type: "POST",
  dataType:'xml',
  url: "/identity/oblix/apps/userservcenter/bin/userservcenter.cgi",
  data: createUserSoapRequest,
  contentType:"text/xml",
  processData:false,
  success: function(idxmlResponse){
    // crude
    alert(idxmlResponse);

    // better
    $("ObConfirmation",idxmlResponse).find("ObValue").each(function(i,o){
      alert($(o).text());
    });

    // in the real world, employ dom trickery to keep the user oriented...
  }
});


Cool, no?
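One caveat on the template above: it concatenates whatever the user typed straight into the XML, so a value containing < or & corrupts the request or changes what the Identity Server receives. The version below is an added example, not code from the original post: it escapes every value, rejects attribute names that are not plain LDAP attribute names, derives noOfFields from the attribute list, and takes the workflow DN and domain DN as parameters (the sample values are placeholders).

```javascript
// Added example (not from the original post): IDXML create-profile request
// builder with XML escaping. Workflow and domain DNs below are placeholders.
const SOAP_NS = 'http://schemas.xmlsoap.org/soap/envelope/';
const OBLIX_NS = 'http://www.oblix.com';

// Escape the five characters that are special in XML text.
function xmlEscape(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&apos;');
}

// One <GenericAttribute> element. Attribute names come from the page's own
// code, not from user input, so anything that is not a plain LDAP attribute
// descriptor is treated as a programming error.
function genericAttribute(name, value, op) {
  if (!/^[A-Za-z][A-Za-z0-9-]*$/.test(name)) {
    throw new Error('invalid LDAP attribute name: ' + name);
  }
  return '<GenericAttribute>' +
    '<AttrName>' + name + '</AttrName>' +
    '<AttrNewValue>' + xmlEscape(value) + '</AttrNewValue>' +
    '<AttrOperation>' + op + '</AttrOperation>' +
    '</GenericAttribute>';
}

// `attrs` maps LDAP attribute name -> value. noOfFields is computed from it
// so the count and the attribute list cannot drift apart.
function buildCreateUserSoap(opts, attrs) {
  const names = Object.keys(attrs);
  const body = names.map((n) => genericAttribute(n, attrs[n], 'ADD')).join('');
  return '<?xml version="1.0" encoding="UTF-8"?>' +
    '<SOAP-ENV:Envelope xmlns:SOAP-ENV="' + SOAP_NS + '" xmlns:oblix="' + OBLIX_NS + '">' +
    '<SOAP-ENV:Body>' +
    '<oblix:request function="workflowSaveCreateProfile" version="NPWSDL1.0">' +
    '<oblix:params>' +
    '<oblix:ObWorkflowName>' + xmlEscape(opts.workflowDn) + '</oblix:ObWorkflowName>' +
    '<oblix:ObDomainName>' + xmlEscape(opts.domainDn) + '</oblix:ObDomainName>' +
    '<oblix:noOfFields>' + names.length + '</oblix:noOfFields>' +
    '<AttributeParams xmlns="http://www.oblix.com/">' + body + '</AttributeParams>' +
    '<oblix:obactorcomment>' + xmlEscape(opts.comment || '') + '</oblix:obactorcomment>' +
    '</oblix:params></oblix:request></SOAP-ENV:Body></SOAP-ENV:Envelope>';
}

// Constructed sample input: placeholder DNs and a cn that would break the
// raw concatenation in the post.
const SAMPLE_OPTS = {
  workflowDn: 'obworkflowid=PLACEHOLDER,obcontainerId=workflowDefinitions,OU=Oblix,OU=apps,DC=company,DC=com',
  domainDn: 'OU=people,DC=company,DC=com',
  comment: 'IDXML from browser via Javascript',
};
const SAMPLE_USER = {
  uid: 'marmil', cn: 'Miller, Mark <contractor> & co', mail: 'mark@example.com',
  givenName: 'Mark', sn: 'Miller',
};

console.log(buildCreateUserSoap(SAMPLE_OPTS, SAMPLE_USER));
```

The string returned by buildCreateUserSoap drops straight into the $.ajax call above in place of createUserSoapRequest.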

OAM Search Results Virtual Attribute

What if you want to include a virtual attribute in your search results that is derived from another attribute? Just create the attribute in an outbound mapper flow and add it to the search results and it should show up as expected, right? Well, maybe it will and maybe it won't: if the attribute(s) the derived value is based on is/are in the search results too, then it will show up as anticipated. However, if they are not there, then it won't show up as expected.

The solution is to use the OVD addReturnAttribute delivered mapper function on the reciprocal inbound request with the required source attributes. This will allow the outbound mapper to have the required data to complete the derived attribute and enable the OAM search result configuration to exist without the source attributes.

One Bad Mapper Can Spoil the Whole Bunch (if you're not careful)

Creating a mapping file for OVD to use on inbound and/or outbound LDAP transactions can sometimes be tricky to get absolutely correct the first time. Invariably, the message
Could not complete mapping
is bound to show up at least once when you are trying something new.

When a mapping file is broken it can cause a variety of problems, but most notably, if your adapters for authentication are using other unrelated mappers, it can cause them to fail, resulting in failed authentication. So, for instance, if you are working on a mapper for one object you could prevent other users from authenticating. This pitfall can be easily avoided, however, using the OVD "Filters to Exclude" and "Filters to Include" fields on the routing tab of the adapters tab in OVD Manager. For instance, by excluding (objectclass=inetorgperson) from an adapter that presents site data you can prevent an authentication search request from even attempting the adapter, thus insulating you and other development users from such a problem.

However, what if you cannot authenticate to the OVD Manager console to correct a broken mapper or add a routing filter to an adapter? I had one case where I could not authenticate even as cn=admin to the OVD Manager because of a broken adapter. The solution to this is simple; just remove the compiled mapper jar file from the OVD Server directory. You can do so by following these steps:
  1. stop ovd
  2. remove bad mapper ($VDE_DIR/mappings/jars/offendingMappingFile.jar)
  3. start ovd
  4. log into the OVD Manager and fix the source of the problem

Thursday, July 3, 2008

Error: Look up of symbol - ObInitEventAPI failed

If you ever receive an error like this when trying to configure an identity system .NET based PPP event, check the action; chances are it is set to lib instead of managedlib.

"Event API call for the event returned STATUS_PPP_ABORT" Error^base\obport.cpp:845: Error: Look up of symbol - ObInitEventAPI failed - The specified procedure could not be found.%0d%0a.

Thursday, May 22, 2008

WebGate - Oracle Client Conflict

When installing the 10.1.4 WebGate to protect an application with web services that relied on the Oracle Client for database connectivity, the application failed to run after the install. The following message is what was received back from the application:
The provider is not compatible with the version of Oracle client
The WebGate installation went seamlessly. It seemed apparent from the message that there must be an Oracle Client dll conflict. After looking at the IIS process through Process Explorer it became apparent that the application was relying on the Oracle 10g R2 client, but that WebGate was loading the Oracle 10g R1 client prior to the Web Service. Then when the web service was invoked, it would get the wrong client and thus fail.

My first instinct was to change the Oracle Client the web app was using to 10.1 from 10.2. This worked for a while, but it turned out there was a bug in the 10.1 client that caused one of the components of the web app to fail. I had to re-install the 10.2 client.

My next instinct was to just proxy the web application with a proxy server and take the WebGate out of the mix on the web server where the app was hosted. Then I read a MetaLink KB article that suggested using a WebGate 7.0.4 build that DOES NOT include the oracle client in it. This seemed like a good opportunity so I parked the proxy idea.

I installed the WebGate but could not configure it with the 10.1.4 Access Server. In the Access Server oblog.log there was the following message.
Client and Server's NAP versions do not match
It turns out that the 10.1.4 Access Server IS backwards compatible, but not by default. In the ..\access\oblix\apps\common\bin\globalparams.xml file there is a parameter, IsBackwardCompatible, that needs to be set to true. Once that is set, voila, the WebGate configuration completes.

Tuesday, January 29, 2008

Sending "Authorization" header with initial HTTP request

If OAM protects a web resource with a basic authentication scheme, any browser request for that resource returns a 401 with a "WWW-Authenticate: basic" header. This prompts the browser to pop up the username/password dialog box. When the user types in the username and password, these credentials are sent, base64 encoded, in the next request as part of the "Authorization: basic" header.

If one does not want the browser to pop-up the dialog, or one is using a script/client application to access that resource, the "Authorization" header should be sent with the initial HTTP request. But the correct Authorization header by itself will not submit user credentials to Webgate. It seems the script/client application will also have to send a cookie in the request to make Webgate process the Authorization header. The cookie name and value are always the same:

Cookie: OBBasicAuth=fromDialog

To summarize, with all the other required HTTP headers and data, the application should send the following (for username/password as guest/password1234):


Cookie: OBBasicAuth=fromDialog
Authorization: Basic Z3Vlc3Q6cGFzc3dvcmQxMjM0


Edit: Please note that the Authorization header has the base64 encoded version of string username:password (in this case guest:password1234 which is 'Z3Vlc3Q6cGFzc3dvcmQxMjM0') and not username/password as the article mentions above. Thanks for pointing that out Filipe.
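Putting the two headers together for a scripted client, as an added example that is not part of the original post. Node's Buffer is assumed for base64 (a browser script would use btoa); the decoder is included so a captured header can be checked against what the client was meant to send.

```javascript
// Added example (not from the original post): headers a scripted client
// must send on its first request to a WebGate-protected resource that uses
// a basic authentication scheme. Node's Buffer is assumed for base64.
function oamBasicAuthHeaders(username, password) {
  // RFC 7617: the user-id must not contain a colon, because the encoded
  // string is "user-id:password" and the first colon is the separator.
  if (username.indexOf(':') >= 0) {
    throw new Error('username must not contain ":"');
  }
  const token = Buffer.from(username + ':' + password, 'utf8').toString('base64');
  return {
    Cookie: 'OBBasicAuth=fromDialog',
    Authorization: 'Basic ' + token,
  };
}

// Decode a Basic header back to its parts, e.g. when checking a capture.
// Splits on the FIRST colon only, so a password containing ":" survives.
function decodeBasicAuthorization(headerValue) {
  const m = /^Basic\s+([A-Za-z0-9+/]+=*)$/.exec(headerValue);
  if (!m) throw new Error('not a Basic Authorization header');
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const i = decoded.indexOf(':');
  if (i < 0) throw new Error('decoded credential has no ":" separator');
  return { username: decoded.slice(0, i), password: decoded.slice(i + 1) };
}

// Stand-alone usage with the post's guest/password1234 example.
console.log(oamBasicAuthHeaders('guest', 'password1234'));
```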

Global Database Name in Linux OAM and DB (OCI) environment for DB auditing

When adding Database Instances with the OCI DB connection type, which is the only option for *nix based OAM installs, we have to specify the Global Database Name (GDN) for the database. Ever wondered what the correct format for the GDN should be?

During a deployment, I faced this question, and after some trial and error and reading Oracle Instant Client documentation, I figured it out:

<DB Host>:<DB Port>/<ORACLE_SID>

Thursday, January 17, 2008

SelfSSL Connection Errors

The IIS Resource Kit's SelfSSL tool is a quick and sneaky way to get both IIS and ADAM running SSL for quick OAM sandbox environments. I've encountered ADAM connection errors if a self signing SSL had previously been generated on the same VM/server. Here's how you get a newly self signed SSL to work on the same machine:
  1. Move all the old certs into an archive directory located here: C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys
  2. When you run the selfssl.exe command to install the self-signed SSL certificate into IIS, you must include the fully qualified machine name in the /N:cn parameter. For example: selfssl.exe /T /V:3650 /N:cn=oam.company.com
Verify that the new cert has been generated and that your ADAM run as user has read permissions on the cert and that should solve the problem.
Test your connection using LDP.exe, also using the fully qualified host name.
This is an excellent link with step-by-step instructions, (including the download location for the IIS 6.0 Resource kit from MS): http://geekswithblogs.net/jimiz/archive/2007/02/11/106006.aspx

WebGate Installation Error - Access Server you specified is currently down

When you know that it is in fact not down, and you've checked that all your WebGate parameters are correct a million times...

The clocks of computers hosting various Oracle Access Manager components must be synchronized to within 75 or fewer seconds of each other. If the clocks are out of sync by more than 75 seconds, installation will fail. For installation tasks, or whenever you're attempting to connect, you will receive errors indicating that your Access Server is down if the clocks are not in sync.

Pay particular attention to this in VM environments, where system clocks may not be synchronized as they're created.

This and other useful nuggets for OAM installation woes can be found here:
http://download-uk.oracle.com/docs/cd/B28196_01/idmanage.1014/b25353/trouble.htm

Friday, January 4, 2008

Request for Feedback - Oracle Access Manager Configuration Manager

Has anyone out there deployed the Oracle Access Manager Configuration Manager?

This is Oracle's productized solution to the OAM horizontal migration challenge... The product has been out for year now but I can't find anyone who says they've used it.

Have you deployed it? Do you have any plans to deploy it?

Please leave a comment with any input.

Cheers.

Wednesday, January 2, 2008

Installing Oracle Directory Manager

Though there's not much you can't do via ldapmodify and the command line with OID, it can sure save a lot of time and energy to have access to the graphical user interface of the Oracle Directory Manager tool. Of course, you can pursue XWindows solutions to access the console on the Linux host, but it is quite convenient to have a local copy of the tool on your windows workstation.

Turns out it is a bit of a maze to figure out what package you really need to get to have the tool at your disposal.

Here is where I found what I was looking for:

http://www.oracle.com/technology/software/products/database/oracle10g/htdocs/10201winsoft.html

Oracle Database 10g Client Release 2 (10.2.0.1.0)
http://download.oracle.com/otn/nt/oracle10g/10201/10201_client_win32.zip
(requires OTN credentials)

Do a 'Custom' install and choose the Directory Administration tools...