"One of the top Identity Management Strategists in the market today!"

Welcome to my Identity Management blog with a focus on proven implementation strategies, best practices, product selection, and where I open my expertise to you!

Fortune 100, Higher Education, Government... I've done it all. I'm 7 feet tall, live in NYC, tattooed, and love a challenge! Here's what I've learned...

Adam Callen

Archive for 'OIM'

I’m currently on a client site that was experiencing a rather strange issue with the Active Directory connector for Oracle Identity Manager. They had just created a new UAT environment, and copied all the data from Development into UAT for both OIM and AD, assuming that all the links between the two systems would still be intact.

Then we started testing…

We would find a user in OIM that was already provisioned into Active Directory and try to change their password. Every time, it would fail. The error in the Web Admin was this:

AD.USER_DOES_NOT_EXIST

Seems pretty straightforward. Except that the user does exist. We double-checked the IT Resource to make sure the hostname, login credentials and everything else was correct. We also made sure that the admin account we were using had the proper permissions. In the OIM WebSphere logs, we saw this:

[18 Sep 2009 11:52:02 ERROR] [WebContainer : 6] OIMCP.ADCS – Does not exist

Ok, so this matches up with the error in the Web Console, so it seems we’re still struggling with the fact that AD thinks the user we’re requesting doesn’t exist… arg!

Next test: Create a user in OIM, provision them to AD, and then check the domain to see if they’re there. Result? Success! The new user is right next to all the other users that AD says doesn’t exist. And when we try to change the password for the new user, it works without a hitch. Dang it!

Ok, by this point I was getting pretty frustrated, and I turned to the Oracle Forums, and even started decompiling the AD Connector classes to see exactly what was going on. I read one comment in the forums that I agreed with and ran with: “I never trust my logs, but I always trust my sniffer”.

Next test: Turn off SSL for the AD Connector and then run the Change Password request for an existing user and see what’s sent across the wire. Here’s the command I issued in case you would like to do the same (10.0.0.1 being the AD server):

# tcpdump -x -s 0 host 10.0.0.1

Lo and behold, I see this:

11:15:00.826547 IP test.ad.edu.48961 > 10.0.0.1.ldap: P 52:161(109) ack 23 win 1460 <nop,nop,timestamp 1253190463 74116905>
0x0000:  4500 00a1 310b 4000 4006 f437 ac10 ceba  E…1.@.@..7….
0x0010:  0a01 9048 bf41 0185 c3d5 1a6d 5663 89aa  …H.A…..mVc..
0x0020:  8018 05b4 15a8 0000 0101 080a 4ab2 2b3f  …………J.+?
0x0030:  046a ef29 306b 0201 0263 4904 1664 633d  .j.)0k…cI..dc=
0x0040:  0254 6e45 6669 354t 742c 6542 1245 6573  ad,dc=edu
0x0050:  7461 640a 0102 0a01 0302 0100 0201 0001  ……………..
0x0060:  0100 a31e 040a 6f62 6a65 6374 4755 4944  ……objectGUID
0x0070:  0410 65f5 c2c3 4515 ca4f a092 0b6c d324  ..e…E..O…l.$
0x0080:  d0ea 3000 a01b 3019 0417 322e 3136 2e38  ..0…0…2.16.8
0x0090:  3430 2e31 2e31 3133 3733 302e 332e 342e  40.1.113730.3.4.
0x00a0:  32

Bingo! It wasn’t trying to find users based on the user’s samAccountName or their DN (which I assumed). It was looking up users by their objectGUID. And here is where my problem lay. The user information from OIM was imported directly to the database from the Development environment, which means that all the users in OIM have objectGUID values that match the Development AD environment. When they imported all the users into AD, they used an AD migration tool, which assigned new objectGUIDs to all the users as they were being imported. This is why OIM couldn’t “find” the users… all the objectGUIDs were completely out of sync. Fix? Not sure yet. Still working on that part. This has turned out to be a much more complicated process than I imagined, because we cannot just do an LDIF export / import with the objectGUIDs. AD will just ignore the values and create its own. When I figure out a fix for this, I will let you know.
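
The search filter in that capture can be decoded without a sniffer in hand. The following Python is an added example, not code from this post or from the AD connector: it parses the LDAP equalityMatch filter bytes taken from the hex dump above (packet offsets 0x62 through 0x81), renders the objectGUID the way AD tools display it (the first three fields are stored little-endian), and compares an OIM-side GUID string against the raw value AD holds, which is the check that would have exposed the Development/UAT mismatch before anyone tried a password change. The BER handling is general; the "migrated" GUID in the usage block is constructed.

```python
import uuid

# Bytes of the LDAP equalityMatch filter exactly as they appear in the
# tcpdump output above (packet offsets 0x0062 through 0x0081):
#   a3 1e             equalityMatch, 30 bytes follow
#   04 0a objectGUID  attributeDesc
#   04 10 <16 bytes>  assertionValue: the raw GUID OIM stored for the user
CAPTURED_FILTER = bytes.fromhex(
    "a31e040a6f626a656374475549440410"
    "65f5c2c34515ca4fa0920b6cd324d0ea"
)


def _ber_length(buf, pos):
    """Decode a BER length at buf[pos]; returns (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F  # long form: the next n bytes hold the length
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def _octet_string(buf, pos):
    """Decode an OCTET STRING (tag 0x04) at buf[pos]; returns (bytes, next position)."""
    if buf[pos] != 0x04:
        raise ValueError(f"expected OCTET STRING at offset {pos}, got tag {buf[pos]:#x}")
    length, start = _ber_length(buf, pos + 1)
    if start + length > len(buf):
        raise ValueError("truncated OCTET STRING")
    return bytes(buf[start:start + length]), start + length


def parse_equality_match(buf):
    """Parse an LDAP equalityMatch filter (context-specific tag 3 = 0xA3).
    Returns (attribute_description, assertion_value)."""
    if buf[0] != 0xA3:
        raise ValueError(f"not an equalityMatch filter: tag {buf[0]:#x}")
    length, pos = _ber_length(buf, 1)
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated filter")
    attr, pos = _octet_string(buf, pos)
    value, pos = _octet_string(buf, pos)
    if pos != end:
        raise ValueError("unexpected trailing bytes inside filter")
    return attr.decode("ascii"), value


def guid_to_string(raw):
    """Render a 16-byte AD objectGUID in the form AD tools display.
    AD stores the first three fields little-endian; uuid's bytes_le handles that."""
    if len(raw) != 16:
        raise ValueError("objectGUID must be 16 bytes")
    return str(uuid.UUID(bytes_le=raw))


def guid_links_match(oim_guid_text, ad_raw_guid):
    """True when the GUID OIM holds for an account equals the one AD holds.
    False is the situation behind the USER_DOES_NOT_EXIST error above."""
    return uuid.UUID(oim_guid_text) == uuid.UUID(bytes_le=ad_raw_guid)


if __name__ == "__main__":
    attr, value = parse_equality_match(CAPTURED_FILTER)
    print(f"OIM searched AD for ({attr}={guid_to_string(value)})")
    # Constructed: the GUID a migration tool might have assigned to the same object
    migrated = uuid.uuid4().bytes_le
    print("links intact:   ", guid_links_match(guid_to_string(value), value))
    print("after migration:", guid_links_match(guid_to_string(value), migrated))
```

Run it and the filter decodes to an objectGUID lookup; feeding `guid_links_match` the GUIDs pulled from the OIM database and from AD for a sample of accounts gives a quick pre-flight check after any environment copy.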

Peace,

.: Adam

A lot of clients that install an Identity Management suite are looking for a major functionality with their reconciliation from their authoritative source(s)… Real-time data flow.

This has always been a hindrance on the OIM side of things because it relies so heavily on Scheduled Tasks to do all of its data processing and marshaling. I am currently working with a Higher Education client in the NYC area that expressed this concern and I’m happy to say that OIM has a solution. (Other Universities, please take note!)

Here’s a quick diagram of an example OIM Architecture using PeopleSoft and provisioning to a couple resources (RAC is being used here as OIM’s backend data repository).

[Diagram: oim-architecture-example]

PeopleSoft has a tool (configured through PeopleTools) called an Integration Broker. This can be configured to create an XML file that is pushed to the OIM system for immediate reconciliation. There are no scheduled tasks that need to be run, and it does not have to be performed as a batch process. You will need to have access to the PeopleTools, and have some knowledge of it, but the Oracle documentation is pretty detailed on getting this thing setup properly.

You can read the doc here: http://download.oracle.com/docs/cd/E11223_01/doc.904/e10437/custom.htm

On a bit of the technical side of this, you need to make sure that the Task Scheduler is running. If not, you’ll experience this: Users will be reconciled from PeopleSoft through the Integration Broker fine. You will see in the logs that the users were brought over and all the details are there. You’ll even see recon events in the Reconciliation Manager. The problem is that the users won’t actually be added into OIM (or provisioned to its resources, obviously). If you’re experiencing this, you can check the status of the OIM Scheduler here:

http(s)://oimhost:port/xlScheduler/admin/

It’s a super basic page (that I didn’t even know existed until a couple days ago lol!) that shows the status, a username / password box, and 2 buttons (Start/Stop and Reinit). You need to provide the OIM admin credentials (xelsysadm). You’re also not going to “login” to anything. Just pushing the buttons is all that happens.

I would love to hear your experiences with the Integration Broker if you have any!

Later!

.: Adam

I found this guide on how to create a custom prepopulate adapter for OIM in some of my old notes. Thought I’d share it =). Please keep in mind that this is from about 2+ years ago, so things may have changed slightly… but not much. If you know how to use OIM, you should be able to figure it out.

.: Adam

————————————

Steps to implement custom pre-populate adapter

This will step through the method of creating a prepopulate adapter that builds a first and last name concatenation using a custom Java class called StringUtil.class. The source code is posted at the end of this doc.

1. Open the Oracle Identity Manager Design Console
2. Login as xelsysadm / [password]
3. Expand Development Tools and Double-click Adapter Factory
4. Create a new adapter with the following properties:
Adapter Name: FirstName
Adapter Type: Pre-Populate Rule Generator (Double-click and select)
Description: First Name
5. Click on the Variable List tab
6. Click
7. Fill the form with the following data:
Variable Name: FirstName
Type: String
Description: first name
Map To: Resolve At Runtime
8. Click
9. Select the Adapter Task tab
10. Click
11. Select Logic Task
12. Select SET VARIABLE
13. Click
14. Fill in the following:
Variable Name: Adapter return value
Operand Type: Variable
Operand Qualifier: FirstName
15. Click
16. Save the Adapter
17. Click
18. Repeat Steps 4-17 for a LastName adapter
19. Compile the StringUtil.class into a JAR file with the following command:
jar -cvf StringUtil.jar StringUtil.class
20. Move the StringUtil.jar file into OIM_HOME\JavaTasks
21. Create a new Adapter with the following:
Adapter Name: ConcatFirstLastName
Adapter Type: Pre-Populate Rule Generator (Double-click to select)
Description: Concat first and last name
22. Click
23. Select the Variable List tab
24. Click
25. Fill in the form with the following data:
Variable Name: Var1
Type: String
Description: Variable 1
Map To: Resolve at runtime
26. Click
27. Click
28. Repeat Steps 24-27 and create Var2
29. Select the Adapter Tasks tab
30. Click
31. Select Functional Task
32. Select Java
33. Click
34. Select the following information:
Task Name: ConcatVars
API Source: JavaTaskJar:StringUtil.jar
Application API: StringUtil
Constructors: 0 public StringUtil()
Methods: 0 public static java.lang.String StringUtil.dotConcat(java.lang.String,java.lang.String)
35. Click
36. In the Application Method Parameters, Select the first Input: String
37. Change Map To: Adapter Variables
38. Set the Name to: Var1
39. Click
40. Select the second Input: String
41. Change Map To: Adapter Variables
42. Set the Name to: Var2
43. Click
44. Select Output: String
45. Change Map To: Adapter Variables
46. Set the Name to: Return variable
47. Click
48. Click
49. Click
50. Click
51. Click
——————————–
The adapter is now built. The next step is to join it to a form.
In this example we will set the email field of the iPlanet user form.
——————————–
52. Double-click Form Designer
53. Type Ctrl+Q to return all forms
54. Select the Form Designer Table tab at the bottom
55. Double-click the iPlanet User Form (UD_IPNT_USR)
56. Select the Pre-Populate tab
57. Click
58. Enter in v1.0
59. Click
60. Click
61. Double-click number 6 (whichever lines up with the Email field)
62. Double-click the Adapter field
63. Select ConcatFirstLastName
64. Click
65. Double-click number 1
66. Fill the form with the following:
Map To: Process Data
Qualifier: First Name
67. Click
68. Click
69. Double-click number 2
70. Fill the form with the following:
Map To: Process Data
Qualifier: Last Name
71. Click
72. Click
73. Click
74. Click

———————————

The form is now ready to prepopulate the email field with
firstname.lastname. To make the field be auto-populated, the Auto-populate
checkbox for the iPlanet Resource must be checked. Otherwise the
Prepopulate button on the form has to be clicked for the field to update.
To test the adapter, provision someone to iPlanet. The email field should now
contain firstname.lastname.

———————————

Here is the source to the StringUtil.class file:

public class StringUtil
{
    // Joins two strings with a dot, e.g. dotConcat("first", "last") gives "first.last"
    public static String dotConcat(String str1, String str2)
    {
        return (str1 + "." + str2);
    }

    // General form: joins two strings with whatever separator is passed in
    public static String stringConcat(String str1, String str2, String concatSymbol)
    {
        return (str1 + concatSymbol + str2);
    }
}

A few days ago, I posted a piece on how to concatenate the roles and privileges lookup definitions for the Database connector in OIM. I wrote a little perl script to do this and thought I’d share. Please keep in mind that my perl is HORRIBLE =), so bear with me on this. If you’d like to update it and repost for everyone, that would be awesome. But if you’re like me and just need to get something together quick, this’ll do =)

<code: createxml.pl>

#!/usr/bin/perl -w
use strict;

# Usage: createxml.pl <xmlfilename.xml> <highest key value already in the DB>
my $fileName   = $ARGV[0];
my $replaceInt = $ARGV[1];   # last LKV key in use; incremented before each new id

# Matches a 4-digit Lookup Key Value id, e.g. id="LKV3702"
my $searchStr  = "id=\"LKV\\d\\d\\d\\d\"";
my $replaceStr = "something";

# Slurp the export file, then rewrite it in place with renumbered ids
open(FILE, $fileName) || die("Cannot Open File");
my (@fcont) = <FILE>;
close FILE;

open(FOUT, ">$fileName") || die("Cannot Open File");

foreach my $line (@fcont) {
    if ($line =~ $searchStr) {
        $replaceInt++;
    }
    $replaceStr = "id=\"LKV$replaceInt\"";
    $line =~ s/$searchStr/$replaceStr/g;
    print FOUT $line;
}

close FOUT;

</code>

Usage:

# createxml.pl <xmlfilename.xml> <highest key value already>

Explanation (because it’s such bad code ;) :

This code is configured to find and increment a 4 digit key value for the Lookup Key Value. You can see this in the “\\d\\d\\d\\d” part. If you wanted to change this to 3 digits to find and replace, just put “\\d\\d\\d”. Obviously the regex should just be something like “LKV*”, but I couldn’t figure it out and didn’t want to spend that much time… yep, I have a lazy side.

As pointed out in the previous article, you need to code the key values to start right after the current highest value in the database. You can find out the value with something like this:

SELECT TOP 1 LKV_KEY FROM DB.LKV ORDER BY LKV_KEY DESC

That’s the value you need to put in as the second argument. The first argument is the XML export file from one of the database files. Run this against all of the exports to create a seamless incrementing set of nodes. Then just copy/paste all the nodes into a single file.

Again, yes, I know there’s a better way to code this so that it would all be handled automatically, but my perl skills are lacking. Sorry, but I hope this helps someone =)

.: Adam

If you’re working with Oracle’s Database Connector for OIM (Oracle Identity Manager), then the chances are that you’re provisioning to more than one database. This works (for the most part), but there’s one part that’s a bit underdeveloped: The reconciliation of Roles and Privileges.

Out of the box, the connector comes with a scheduled task that you can run to reconcile all the existing roles and privileges from a connecting database, and then it will store them into a Lookup Definition. This is then used when you search for one to add when provisioning a user to the database (automatic or manual).

The problem lies in that the initial step of this task is to wipe out all existing entries in the Lookup Definitions! So, unless you have the exact same roles and privileges on all the databases (which you probably won’t), this will not work for you.

How do you get around this? Glad you asked =) It’s pretty straight forward. Before you do any of this though, I strongly recommend that you back up your existing configuration!

First you need to run the recon to pull everything in for one of your databases.

Next, go to the web administration console and export the Lookup Definitions into an XML file. The Roles Lookup Definition name is “UD_Lookup.DB_ORA_Roles” and the Privileges one is “UD_Lookup.DB_ORA_Privileges”.

Now just repeat those steps for all the remaining databases. You should have a separate XML file for each database.

They should look something like this:


<?xml version="1.0" encoding="utf-8"?>
<xl-ddm-data database="jdbc:oracle:thin:@oimserver.domain.com:1523:oimserver" description="Export DATABASE1 Roles lookup" exported-date="1250003107903" user="XELSYSADM" version="1.1.0.4">
  <Lookup name="UD_Lookup.DB_ORA_Roles" subtype="Lookup">
    <LKU_UPDATE>1250002555000</LKU_UPDATE>
    <LKU_TYPE>l</LKU_TYPE>
    <LKU_REQUIRED>0</LKU_REQUIRED>
    <LookupValue id="LKV3702">
      <LKV_DECODED>DBA</LKV_DECODED>
      <LKV_DISABLED>0</LKV_DISABLED>
      <LKV_LANGUAGE>en</LKV_LANGUAGE>
      <LKV_UPDATE>1250002555000</LKV_UPDATE>
      <LKV_COUNTRY>US</LKV_COUNTRY>
      <LKV_ENCODED>DBA</LKV_ENCODED>
    </LookupValue>
    <LookupValue id="LKV3703">
      <LKV_DECODED>SELECT_CATALOG_ROLE</LKV_DECODED>
      <LKV_DISABLED>0</LKV_DISABLED>
      <LKV_LANGUAGE>en</LKV_LANGUAGE>
      <LKV_UPDATE>1250002555000</LKV_UPDATE>
      <LKV_COUNTRY>US</LKV_COUNTRY>
      <LKV_ENCODED>SELECT_CATALOG_ROLE</LKV_ENCODED>
    </LookupValue>
    [...]
  </Lookup>
</xl-ddm-data>

Now you need to merge all the files into one big XML file and remove any duplicates. Just repeat the <LookupValue> sections, but make sure you modify the IDs. In the example above, you’ll see the first one has an ID of LKV3702. The 3702 is the unique ID that you’ll need to sequentialize (totally just made that word up =) through all the iterations of <LookupValue>. To find out what value to start at, look inside the OIM database for the newest LKV ID and add 1. This can be easily accomplished with a perl script or something in the language of your preference.

By now, you should have 2 giant XML files (one for the database roles and one for the database privileges).

Go into the OIM design console and delete both of the existing Lookup Definitions, then in the web console, import the two new XML files to create new ones with a compiled list of all database entitlements.
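
As an added example that is not from this post (and not the perl script from the earlier post, which only renumbers one file at a time), here is the whole merge in Python: it reads several exports of the same Lookup Definition, drops duplicate entries by LKV_ENCODED, renumbers every <LookupValue> sequentially from the highest key already in the database, and produces a single import document. The two export files it works on are constructed in the same layout as the sample above; the hostname and key numbers are made up, and 3800 stands in for the highest LKV key you found in the OIM database.

```python
import xml.etree.ElementTree as ET

# Templates reproducing the layout of the xl-ddm-data export shown above.
# Everything filled in below is constructed sample data.
LOOKUP_VALUE_TMPL = """    <LookupValue id="{id}">
      <LKV_DECODED>{name}</LKV_DECODED>
      <LKV_DISABLED>0</LKV_DISABLED>
      <LKV_LANGUAGE>en</LKV_LANGUAGE>
      <LKV_UPDATE>1250002555000</LKV_UPDATE>
      <LKV_COUNTRY>US</LKV_COUNTRY>
      <LKV_ENCODED>{name}</LKV_ENCODED>
    </LookupValue>
"""
EXPORT_TMPL = """<?xml version="1.0" encoding="utf-8"?>
<xl-ddm-data database="jdbc:oracle:thin:@oimserver.example.com:1523:oimserver" description="{desc}" exported-date="1250003107903" user="XELSYSADM" version="1.1.0.4">
  <Lookup name="UD_Lookup.DB_ORA_Roles" subtype="Lookup">
    <LKU_UPDATE>1250002555000</LKU_UPDATE>
    <LKU_TYPE>l</LKU_TYPE>
    <LKU_REQUIRED>0</LKU_REQUIRED>
{values}  </Lookup>
</xl-ddm-data>
"""


def make_export(desc, entries):
    """Build a constructed export document from (id, role name) pairs."""
    values = "".join(LOOKUP_VALUE_TMPL.format(id=i, name=n) for i, n in entries)
    return EXPORT_TMPL.format(desc=desc, values=values)


# Two databases that share the DBA role: the duplicate must be kept once.
SAMPLE_EXPORTS = [
    make_export("Export DATABASE1 Roles lookup",
                [("LKV3702", "DBA"), ("LKV3703", "SELECT_CATALOG_ROLE")]),
    make_export("Export DATABASE2 Roles lookup",
                [("LKV3702", "DBA"), ("LKV3703", "CONNECT"), ("LKV3704", "RESOURCE")]),
]


def merge_lookup_exports(exports, lookup_name, start_key):
    """Merge several exports of one Lookup Definition into a single document.
    Entries with an LKV_ENCODED already seen are skipped; every surviving
    LookupValue gets a fresh id LKV{n}, counting up from start_key + 1.
    Returns (merged root element, last key used)."""
    merged_root = merged_lookup = None
    seen = set()
    next_key = start_key
    for xml_text in exports:
        root = ET.fromstring(xml_text.encode("utf-8"))
        lookup = root.find(f"./Lookup[@name='{lookup_name}']")
        if lookup is None:
            raise ValueError(f"{lookup_name} not found in export")
        if merged_root is None:
            # Header attributes and LKU_* children come from the first export
            merged_root = ET.Element("xl-ddm-data", dict(root.attrib))
            merged_root.set("description", f"Merged {lookup_name}")
            merged_lookup = ET.SubElement(merged_root, "Lookup", dict(lookup.attrib))
            for child in lookup:
                if child.tag != "LookupValue":
                    merged_lookup.append(child)
        for lv in lookup.findall("LookupValue"):
            encoded = lv.findtext("LKV_ENCODED")
            if encoded in seen:
                continue
            seen.add(encoded)
            next_key += 1
            lv.set("id", f"LKV{next_key}")
            merged_lookup.append(lv)
    return merged_root, next_key


def lookup_ids(root):
    """List (id, LKV_ENCODED) pairs in document order, for checking the result."""
    return [(lv.get("id"), lv.findtext("LKV_ENCODED")) for lv in root.iter("LookupValue")]


def to_xml(root):
    return '<?xml version="1.0" encoding="utf-8"?>\n' + ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    merged, last = merge_lookup_exports(SAMPLE_EXPORTS, "UD_Lookup.DB_ORA_Roles", 3800)
    print(to_xml(merged))
    print("next free LKV key:", last + 1)
```

Run it once over the Roles exports and once over the Privileges exports, passing the last key returned by the first run as the starting key for the second, so the two import files never reuse an id.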

That’s it! Now run some tests to make sure everything is working correctly, and carry on your way.

Cheers!

.: Adam

Have you ever forgotten your root account password to your Oracle Identity Manager installation? For most corporate environments, this doesn’t happen too often, but it is possible. I mainly forget them in demo Virtual Machines that I build out. Well, have no fear, there’s a way to hack the OIM Admin account (xelsysadm) to get it to whatever you want. You will need commit / write access to the USR table of the OIM repository database.

Please use extreme caution when following these steps. You could permanently disable the xelsysadm account if done incorrectly. Because of this, these steps are to be done only in a last resort, emergency situation. Also, take a full backup of your OIM database before doing this. It is possible to erase all passwords of all user accounts if done improperly!

1. Get the OIM Login ID of a user where you know the password. This can be done a couple ways:

  • Copy the Login ID of an existing user whose password you know
  • Create a new user using another administrator account that has the ability to create users. If you have an entity adapter in place to set the initial password, make sure to change the new user’s password after the initial create, because OIM will set the initial password via the Entity Adapter.

2. Log into the OIM Repository Database with a DBA account and run this query:

SELECT USR_PASSWORD FROM USR WHERE USR_LOGIN='[Login ID of Account with known password]';

3. Copy the returned encrypted password hash to a clipboard.

4. Run this SQL statement to update the system administrator account with the new password:

UPDATE USR SET USR_PASSWORD='[paste password hash]' WHERE USR_LOGIN='XELSYSADM';

(the usr_login value is case sensitive)

5. Go to the Web Admin Console and login as “xelsysadm” with the password of the known or newly created user.

6. After logging in, you will be prompted to change your password.

7. Change your password to something different and click the Save button.

That’s all there is to it, now you have access to your OIM admin account again =)

Cheers!

.: Adam

Have you been seeing this error in your JBoss console:

15:48:44,838 WARN  [loggerI18N] [com.arjuna.ats.internal.jta.resources.arjunacore.norecoveryxa] [com.arjuna.ats.internal.jta.resources.arjunacore.norecoveryxa] Could not find new XAResource to use for recovering non-serializable XAResource < 131075, 29, 27, 1-a320338:a594:49ff9075:4b048a320338:a594:49ff9075:4b049 >

This thing was driving me absolutely insane. When I asked the almighty Google, it came back with a crap-load of responses, but none of them had anything to do with my specific issue.

Turns out it has to do with a queuing issue between OIM (or ORM… it was happening on both servers) and the backend database. Here’s the quick fix that helped me out:

1. Shut down jboss: JBOSS-HOME/bin/shutdown.sh -S

2. Delete the directory: JBOSS-HOME/server/default/data/tx-object-store

3. Delete the directory: JBOSS-HOME/server/default/data/hypersonic

4. Start the service back up

That should do’er!

.: Adam

I was working with a colleague of mine today on an OIM / ORM implementation and integration. One of the steps was to add all the Organizations from Oracle Role Manager into Oracle Identity Manager. We had about 300 or so, which means I wasn’t about to enter them all in by hand. Welcome Perl! A quick script was whipped up and with an XML output we imported all the Organizations into OIM. Voila! All the Orgs are imported and ready to go… until I try to change a user from one organization to another and I see a StackOverflow error in the design console with a ton of these:

[...]com.thortech.xl.client.events.tcUSRCheckUsrOrgChange.traverseParentActs (Unknown Source)[...]

The web app times out, the app server craps all over itself, and nothing is updated. WTF?

Well, it turns out, that if your partner gives you an XML file to import that has all the Organizations with the parent organization as itself, it creates an infinite loop and this happens. Another wonderful side effect is that you can’t delete any of them to re-import them. Mainly because there’s a child organization (itself) that needs to be removed first, which is also impossible due to the same logic error. So… I had to remove all the parent keys by hand. Awesome.

Lesson of the day: Check your import XML files before you import them for logic errors =)
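
The check the lesson calls for can be automated. The Python below is an added example, not part of the post: the post does not show the organization import format, so the function works on a map of organization name to parent name that you would extract from the file, and the sample map is constructed. It reports self-parented organizations (the case above), longer parent loops that `traverseParentActs` would also never escape, and parents that are never defined. "Xellerate Users" is OIM's default top-level organization.

```python
# Constructed sample: organization -> parent organization (None = top level)
SAMPLE_ORGS = {
    "Xellerate Users": None,
    "Engineering": "Engineering",     # points at itself: the failure described above
    "Sales": "Xellerate Users",
    "East Region": "West Region",     # two orgs that are each other's parent
    "West Region": "East Region",
    "Contractors": "Vendors",         # parent that does not exist in the file
}


def validate_org_hierarchy(orgs):
    """Return the logic errors in a parent map {org: parent_or_None}:
    self-parented orgs, longer parent cycles, and references to undefined
    parents. Each org's parent chain is walked once, so this is linear."""
    NEW, ACTIVE, DONE = 0, 1, 2
    state = {name: NEW for name in orgs}
    cycles, missing = [], []
    for start in orgs:
        if state[start] != NEW:
            continue
        path, node = [], start
        while True:
            if node is None:                  # reached a top-level organization
                break
            if node not in orgs:              # parent never defined in the file
                missing.append((path[-1], node))
                break
            if state[node] == ACTIVE:         # back on the chain we are walking
                cyc = path[path.index(node):]
                i = cyc.index(min(cyc))       # rotate so reporting is deterministic
                cycles.append(cyc[i:] + cyc[:i])
                break
            if state[node] == DONE:           # joins a chain already verified
                break
            state[node] = ACTIVE
            path.append(node)
            node = orgs[node]
        for name in path:
            state[name] = DONE
    return {
        "self_parent": sorted(n for n, p in orgs.items() if n == p),
        "cycles": sorted(cycles),
        "missing_parent": sorted(missing),
    }


def safe_to_import(orgs):
    """True only when the hierarchy is a proper tree (or forest)."""
    return not any(validate_org_hierarchy(orgs).values())


if __name__ == "__main__":
    report = validate_org_hierarchy(SAMPLE_ORGS)
    for kind, problems in report.items():
        print(f"{kind}: {problems}")
    print("safe to import:", safe_to_import(SAMPLE_ORGS))
```

Because the cycle check also catches two-organization loops, it covers more than the self-parent case in the post; run it over the extracted pairs before the import, since once the bad records are in you are back to fixing parent keys by hand.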

.: Adam

OIM / ORM Update coming soon

So messing around with the integration between the current version of Oracle Role Manager and Oracle Identity Manager, I’m seeing a lot of bugs / issues. The main one being that ORM is not updating OIM properly with the roles and entitlements to the associated account like it’s supposed to. I’m pretty sure this is a bug with the integration pack.

After a couple calls into Oracle, I found out that Oracle is going to be releasing a point release on both OIM and ORM really soon (first week of May is what I was told). This will also include an update to the integration piece.

Not only is this update supposed to fix that issue, but a whole plethora of others.

So, if you’re having a bunch of problems during an install of these products right now, you may want to get in touch with Oracle and make sure you get these updates. They may just help you out!

.: Adam

Force Stop of OIM Recon through DB

Here’s a DB script that was given to me by Oracle to flush out the scheduled tasks to make sure they’re all stopped:

delete QRTZ_TRIGGER_LISTENERS;
delete QRTZ_SIMPLE_TRIGGERS;
delete QRTZ_CRON_TRIGGERS;
delete QRTZ_TRIGGERS;
delete QRTZ_JOB_LISTENERS;
delete QRTZ_JOB_DETAILS;
commit;

This is a couple years old now, but still working. Please test this in your development environment before even thinking about running this in prod!

.: Adam