"One of the top Identity Management Strategists in the market today!"

Welcome to my Identity Management blog with focus on proven implementation strategies, best practices, product selection, and where I open my expertise to you!

Fortune 100, Higher Education, Government... I've done it all. I'm 7 feet tall, live in NYC, tattooed, and love a challenge! Here's what I've learned...

Adam Callen

Archive for 'General IdM'

So you want to replicate your production data into your test environment. You understand all the reasons you shouldn’t do this, but your client wants it done anyway. Soooo, here’s a generic outline of the steps you’ll need to do. After this is done, don’t forget that you need to “refresh” all your resources (AD, OID, etc), so that all the accounts match up.

Refreshing OIM from existing environment

MUST DO THIS BEFORE YOU ERASE CURRENT ENVIRONMENT

- Stop all WebLogic Application Servers, Nodes, and Manager
- Copy the soon-to-be-refreshed environment details to an Excel sheet
- Copy all IT Resource information and details
- Copy the current XELSYSADM email address
- Copy the details of the scheduled tasks that have environment-specific data
- Copy the details of environment-specific lookup definitions

Refresh Steps

- Log into each node of the environment to be refreshed, sudo to root, and run the following:
  cd /opt/oracle/oim91/xellerate/config
  cp .xldatabasekey .xldatabasekey-STAGE
  cp /software/oracle/OIM/productionDBKey/.xldatabasekey .
- Answer ‘y’ to overwrite the old file

- Have someone reset the XELSYSADM password in OID to what the current environment’s password should be (OID is the repository for OAM in this instance)

- Have the DBA team change the oimuser (OIM data owner) password to what it should be for this environment

- Make sure the oimuser account is unlocked

- If any WebLogic services are up, they need to be stopped and restarted. You will have to kill them at the process level (kill -9)

- Start WebLogic

- Open the dev Design Console
- Log in as xelsysadm with the production password
- Wipe out all addresses for every IT resource

- If an application server doesn’t start, you will have to do it manually (example):

- Either have someone else change the password in OID for XELSYSADM to the production password, or change it yourself if possible

- Open the OIM Web Console
- Log in as XELSYSADM with the production password
- (If you log in through OAM but not into OIM, you need to disable SSO for OIM)
- Click on My Account on the top left and then click Change Password
- Change the password to what the current environment’s password should be

Note: if the password you’re changing to doesn’t fit the password policy, you’ll have to delete the policy in the Design Console (Resource Management > Resource Objects > Name = Xellerate User). Make sure to re-add it when done. Blue columns need to be double-clicked and selected, not typed in. (Default | base password policy | 1)

- On the left, click Account Profile under My Account
- Modify the email address to match what it should be in the new environment

- Open the OIM Design Console and modify the IT Resources
- Click on Resource Management on the left
- Click on Manage IT Resource
- Click Search
- Click on OID Server
- Click the Edit button
- Fill in the correct information for this environment (see the corresponding Excel document, IT Resources)
- Click Save
- Click on Users > Manage
- Select User ID from the first dropdown and XELSYSADM for the value
- Click on the Search User button
- From the drop-down, select Resource Profile
- For OID User, click on Edit
- Change the password to the new password and click Save
- Log out of the Web Console and log in again with the new password to verify that it’s working

- Open the OIM Design Console
- Expand Resource Management
- Open IT Resources
- Click the New icon
- Name: Test Mail Server
- Double-click the Type field and select Mail Server
- Click the Save icon
- Double-click the new Test Mail Server to configure it
- Fill in the correct information for this environment (see the corresponding Excel document, IT Resources)
- Click the Save icon
- Expand Administration
- Double-click System Configuration
- Click the Search icon
- Select the System Configuration Table tab at the bottom
- Double-click the number next to Email Server to configure it
- Change the value to ‘Test Mail Server’ (no quotes)
- Click the Save icon
- Open Task Scheduler on the left
- Click the Search button and then select the Task Scheduler Table tab at the bottom
- Edit all scheduled tasks that have environment-specific variables from the saved data
- Update the attributes for the new environment (server names)
- Click Save

- Using the IT Resource information stored in the Excel doc before everything was wiped out, update the IT Resources

- Open a SQL DB editor and log in to the database
- Run these SQL commands:
  update USR SET USR_EMAIL='test@domain.com';
  commit;
- Commit changes and then quit

- Verify that the /etc/hosts file on each server has all the necessary host names and IP translations for this environment

- Truncate the AUD_JMS table (SQL command: truncate table AUD_JMS). Restart all application servers.
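The .xldatabasekey swap at the top of the refresh steps, as an added shell example that is not the post’s own script: it keeps the tagged backup, refuses to clobber an existing backup on a re-run, verifies the copied key byte for byte, and adds a restore function for undoing the swap. Directories and the environment tag are passed as arguments; the post’s paths and the STAGE tag appear only in the comments as assumed defaults.

```shell
#!/bin/sh
# Added example (not from the original post): the .xldatabasekey swap from the
# "Refresh Steps", with a tagged backup, a re-run guard and a verification step.
# Directories and the tag are arguments; the post's values would be
# /opt/oracle/oim91/xellerate/config, /software/oracle/OIM/productionDBKey, STAGE.

# swap_db_key CONFIG_DIR PROD_KEY_DIR ENV_TAG
#   1. save CONFIG_DIR/.xldatabasekey as .xldatabasekey-ENV_TAG, refusing to
#      overwrite an existing backup so a second run cannot destroy the old key
#   2. copy the production key over it
#   3. confirm byte-for-byte that the installed key matches the production key
#   4. keep both key files readable by the owner only
swap_db_key() {
    key="$1/.xldatabasekey"
    backup="$1/.xldatabasekey-$3"
    prod_key="$2/.xldatabasekey"

    [ -f "$key" ]      || { echo "no current key at $key" >&2; return 1; }
    [ -f "$prod_key" ] || { echo "no production key at $prod_key" >&2; return 1; }
    if [ -e "$backup" ]; then
        echo "backup $backup already exists; refusing to overwrite it" >&2
        return 1
    fi

    cp -p "$key" "$backup" || return 1
    cp "$prod_key" "$key"  || return 1
    chmod 600 "$key" "$backup"

    # cmp is silent; a non-zero status means the copy is not what we expect.
    cmp -s "$key" "$prod_key" || { echo "key mismatch after copy" >&2; return 1; }
    echo "installed production key in $1 (previous key saved as $backup)"
}

# restore_db_key CONFIG_DIR ENV_TAG
#   Put the saved key back: the undo step the post implies but does not spell out.
restore_db_key() {
    key="$1/.xldatabasekey"
    backup="$1/.xldatabasekey-$2"
    [ -f "$backup" ] || { echo "no backup at $backup" >&2; return 1; }
    cp -p "$backup" "$key" || return 1
    cmp -s "$backup" "$key"
}
```

Run it on each node as the post describes; because this file is what OIM uses to read the copied production data, the test copy deserves the same access controls as the original.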

Who's got a G+ account? I wanna add ya.

I know I can’t be the only one out there, so I gotta know, who the hell actually says “yeah, that sounds like a good deal!”?

Here’s a job description I just received:

Hello
Hope you’re doing well

Title : ITIM resource
Location-US – New York
Duration -12 months
Rate-$40p/Hr

Technical Skills:

Excellent knowledge on Tivoli –TIM/TAM
Should have knowledge on SiteMinder integration with WebServer, OID, Application Server
Good knowledge on Websphere Application and Portal Server
Should have WAS Administration Knowledge
Should have Portal administration experience.

Anyone worth their salt in this industry isn’t going to accept that. So what’s this really mean? It means that the client put out a bid for, let’s say, $130/hr for this position because they’re smart and know they need someone half-way decent. Next come these guys… my little Indian-staffed headhunter agencies that have no problems pitching someone completely useless with the requested technology. And they get paid for this? This is bullshit! No middleman should get a chunk of the hourly just for finding a resource to do a gig. A finder’s fee, I understand, but this is ridiculous!

You think these guys even tech out the resources they pitch back to the client? Hell no. The only question they need answered is how much you’ll do the job for; other than that, they don’t give a rat’s ass. You know what I hear when I respond with, “I don’t even have experience with XXX”? They tell me it’s ok and they’ll submit it anyway. OR(!) a couple of them even told me, “Why don’t you just add it on there, and then we’ll submit it.” !!!

Companies : ^^^^ These are the people you’re getting to staff a position you probably know little about!

It all seems normal, because it’s been going on for so long that no one really questions it, but take a look at it from the consultant’s point of view. The company is paying an hourly fee for a service which is rendered by the consultant. The headhunter then takes their vig off the top before the consultant sees a dime! It’s almost like the consultants are the ones paying to have the gig.

Ok, I’ll subside on my rant… it’s just frustrating to get phone calls and emails every day with garbage like this, because in the end the consultant is getting ripped off, and the client is getting a shoddy resource. Everyone loses except the scam artist in the middle.

My message to companies hiring consultants: Using headhunter agencies is fine, but make sure you’re getting a legit resource and they’re not a Visa mule, or getting suckered.

My message to the headhunters: FAIR SHARE! I get it, you definitely deserve a piece of the pie, and I have no problem giving it to you, but if you call me with a thick Indian accent and ask me to work for $40/hr, I will laugh at you and hang up.

My message to the consultants: Stick up for what you’re worth! Just because a bunch of dolts are saying yes to lower wages so that they can learn on the job and set the client back more time than they can afford, doesn’t mean you need to cave in.

You get what you pay for. So know what you’re paying for.

.: Adam

Re: Dropbox Security Flaw

I am a dropbox user, and I love their service. That was until this security breach was found!

Here’s my interaction with Dropbox support on this one…

—————————————

As I’m sure you’re well aware, the config.db issue is pretty big. Big enough to where I feel my data is extremely unprotected. I’m familiar with the computer security world, so I know full well the ramifications of this issue. 

What I need to know is if you have any planned fix for this and how long until a patch is released.

Until the software is updated, I’m afraid I have to stop using it, and if there is no response (or a “we’re working on it”), I’ll need to cancel my account and be requesting a refund. I really don’t like sugarsync, but I don’t really have a choice at the moment.

Thank you,

.: Adam

—————————————

Hi Adam, 

Thanks for asking about this. While at first blush this sounds serious, we don’t agree with the assertion that there is a security flaw – Dropbox is a perfectly safe place to store sensitive data.

The article claims that an attacker would be able to gain access to a user’s Dropbox account if they are able to get physical access to the user’s computer. In reality, at the point an attacker has physical access to a computer, the security battle is already lost.

The research claims Dropbox is insecure because it is possible to copy authentication information straight from the user’s hard drive. This ‘flaw’ exists with any service that uses file-based authentication. Practically every web service uses “cookies” that are stored on your hard drive and are susceptible to all the same attacks mentioned by the research. The same user who has access to your Dropbox file also could steal your browser cookies and gain access to all your web services such as email and banking.

A simple metaphor: You keep a set of keys to your car inside your house, but don’t lock the front door to the house. If someone enters your house they can get your keys and get into your car. Your car’s lock is not faulty, but the thief is already inside your house and can take everything, including your car.

The same goes for your computer (the house). Keep it secure and your keys to Dropbox (the car) will be safe.

You should also read this blog from Computer World’s security expert for an outside perspective:

http://blogs.computerworlduk.com/unscrewing-security/2011/04/practical-dropbox-security-advice/index.htm

All that said, Dropbox has a reputation for being secure and we want all our users to feel comfortable storing anything in Dropbox. There are measures that can be taken to make it more difficult (though not impossible) to gain access to the authentication cookie which we’ll consider in the future. We still want to maintain the ease of use of Dropbox as well and don’t want you to need a new set of car keys every time you park your car. :)

If you still have any concerns then please let us know.

Best regards,
Marshall

—————————————

I understand the “if they have access to your machine, you’re screwed” but I don’t think it’s safe to where someone could grab a string of text in a matter of seconds from sitting in front of the machine, and then they could remotely capture everything without you knowing about it. There should be steps to more accurately identify that there is a new machine connecting to the servers. Even an IP whitelist would be nice. Anything not already added would need to reauthenticate. Would be pretty easy to implement.

As for the cookies argument, yes, for basic things you’d be screwed, but banks and more important sites have countermeasures in place because that attack exists. And the metaphor doesn’t work. If someone stole my keys, I would know about it pretty quickly; also, I’d hear my garage door open, the car start, and I could track it with GPS.

This is more like, I have a party at my house, so there’s obviously going to be people over, and on the kitchen table next to the beer is a box of 1000 keys, all copies to the same safe that’s just sitting in the middle of a park. And in this safe are all my important documents. If someone took a key, I wouldn’t know about it. And everyone has direct access to that safe without myself or anyone else even knowing about it. This is why we have limited keys, we keep them safe and not out in the open, and we put our safes in places like banks where there are additional layers of security to get to it (more than just the key). The “cookie” metaphor would be that after visiting the teller (IP), they know it’s me and don’t ask for my ID, but if I get a different teller, they’ll ask for my ID before letting me get to the safe.

phew… that was a little long, but I hope you see the point here.

Thanks!

.: Adam

So… after a bunch of 11g attempts, turns out that OIM (Identity and Access Management) 11.1.1.4 isn’t compatible with anything in the 11.1.1.3 stack (including WebSphere 10.3.4).

Soooo… *Everything* must be at the 11.1.1.3 level! Why not release the 11.1.1.4 patches all at the same time? Too easy. Why not make everything backwards compatible? It would probably put me out of a job.

Thanks Oracle!

.: Adam

One of the most pain in the ass things about Oracle software is their numbering / naming nomenclature. If OIM 9 is out now, you would expect the next version to be 10 right? Nope, it’s 11g! Because, actually, 10g is v9. Get it? Yeah… no one does. Dumbest idea ever.

Another problem is when you need to match your Design Console version to the OIM Install version after bundle patches have been installed. What, you expected it to say v9.1.0.2 BP03? Ha! Try: 9.1.0.1.1866.10. Totally understandable…

A buddy of mine just stumbled upon this little gold mine:

http://tanweerahmad.blogspot.com/2010/04/oim-builds.html

He’s listed out all the details to match up bundle patches with OIM versions, and a bunch of other juicy bits. Definitely worth a bookmark!

.: Adam

Another version question =)

You can see the generic version number in the Web console by clicking on the About link in the corner. You’ll see the build number and current version:

[screenshot: the About dialog showing the version and build number]

If you really want the nitty-gritty details of the installation though, you’ll need to turn to the OIM database. There is a table called XSD. In there are all the tasty bits:

[screenshot: the contents of the XSD table]

And there ya have it!

.: Adam

I was working with a client and this error popped up at me when trying to export some configurations in OIM. Not really paying attention, I became very confused and aggravated. I clicked the Export link, the window opened, and then .. splat… nada. I see this:

Nexaweb Client failed to load. And a button telling me to click for more info… so what do I do? I click it:

This description didn’t help much either:

Your environment is supported. However the Nexaweb application failed to load. java.lang.SecurityException: sandboxed loaded attempted to load trusted resource from blah blah blah /xlWebApp/ClientClassServlet/xlWebApp/NexawebClient.jar

ok… what the hell? My connection works fine. When I copy the link and pop it into a browser, I get the JAR file no problem. So WTF?

Turns out, I hastily clicked “Yes” on this window dialog when it initially popped up:

[screenshot: the dialog that popped up]

Not reading it, I thought I was supposed to… wrong! Click “No” and the JAR file is loaded properly and the app launches…

[screenshot: the Nexaweb client loaded]

Success!

Lesson learned? When in a hurry and simple shit stops working… slow down =)

Hope this helps all others that are as impatient as myself ;)

Later!

.: Adam

This is kind of a taboo topic in my industry, especially considering that I’m a consultant… freelance at that. But… here we go!

I ask my clients this all the time, but not with regards to my work, but to that of other consulting companies that I have to work with. When it comes to the circle of trust between clients and consultants, it’s never the same. Night and day differences for different clients and different consultants.

The answer to this question should always be, never. You should always have checks in place to verify your consultants work. This can either be employees, a third party consultant, logging software, or even documentation reviews.

Now, I’m not saying that all your consultants are lying to you, generally they’re trustworthy people, but most people forget that this is business, and there’s a lot of time and money on the line. I like taking someone at their word as much as the next guy, but when all hell breaks loose, all you’ll have is a, “But you said…” And that’s not something you can take to your board with.

If your consultants are on the up-and-up then they will have no problem with one of your own sitting with them, or asking them for documentation outlining all the steps taken for you to verify in a separate environment. Checks and balances exist for a reason.

Very rarely do I take anyone’s word on anything completely. Nine times out of ten, when I learn something new, I verify it through a second source. It doesn’t mean that I don’t believe the person or piece of information that I’m reading, but it’s a cold hard fact that people lie, forget parts, or exaggerate all the time. It’s nothing personal, but it happens.

I worked with one client where they had outsourced a huge chunk of development to a very large consulting company. They hired me to check their work. Think of it like an ongoing development assessment. It wasn’t that they had no faith in the large consulting company, it’s just that they knew that they had no clue what was technically going on and they wanted someone on their side to verify this multi-million dollar project instead of just taking their word that “it works”. By me being there, and my reputation of being a no bullshit kind of guy that only cares about my client and will easily chew out a third party when they’re caught lying to my client, their work improved greatly while I was there, and it even tightened up. No more sloppy code that’ll get the code working… barely. No more crappy documentation that’s virtually unreadable and definitely not usable. No more useless meetings that were wasting tens of thousands of dollars. And most importantly, the consulting company was being held to their word with a paper trail. All of this happened just because I sat in on a few meetings and reviewed their environments. As they say, “You can’t bullshit a bullshitter.” And I’ve seen it all, so I was the company’s ace in the hole that wound up saving them a ton of cash, and even better, getting the project in on time.

At another client in a similar situation, the consulting company kept telling them that “no changes were made”, and they didn’t have a large IT staff knowledgeable enough to check into this. After checking some history loggers I had set up on the servers, I was able to send them a transcript of all the commands issued, files updated, and in some cases differences in code (I had the previous versions saved elsewhere). This was especially important as it was relevant to a milestone that required payment.

Again, a lot of this comes down to standard business practices, but a lot of the time, in the niche field of Identity Management, most companies don’t have anyone on staff that knows this type of work well enough to do these checks properly.

I know that most people won’t read this and agree, but do nothing about it. I hope that it gets at least one person to follow through and save them a ton of headache down the road.

.: Adam

I’ve seen this question a lot on client sites…

When trying to install the Design Console for Oracle Identity Manager, all the text in the prompt windows is missing. You can see the radio buttons and text boxes, but the descriptions are all empty.

This is most likely because you’ve copied only the setup_client.exe file to do the install.

To fix this, you need to also copy over the folder: installServer/com/oracle/xl/installer

This folder contains the text files needed =)

.: Adam