How to migrate users/groups from one OID instance to the other

Requirement: Migrate users/groups from source OID to target OID instance.
How To:
Source:

• Export ORACLE_HOME env variable of OID instance.
• Run ldapsearch command for exporting users as shown below.

$ORACLE_HOME/bin/ldapsearch -x -h OID_HOST -p OID_PORT -D cn=orcladmin -w password -L -b "USERS_DN" -s one "objectclass=*" dn cn givenname ....... sn telephonenumber userpassword > oid_filteruser.txt

•  Run ldapsearch command for exporting groups as shown below.

$ORACLE_HOME/bin/ldapsearch -x -h oidserver.corp.company.com -p 389 -D cn=orcladmin -w password -L -b "GROUPS_DN" -s one "objectclass=*" > oid_filtergroup.txt

NOTE: For exporting users, specify the attributes to be exported either mandatory/optional.

Copy the files  oid_filteruser.txt and oid_filtergroup.txt to the target OID instance at location say /oracle/db/oid_files.

Destination:

•  Export ORACLE_HOME env variable of OID instance.
• Stop OID server.
• Goto $ORACLE_HOME/ldap/bin 
• Run ldapsearch command for importing users as shown below. 

 ./bulkload connect="OID_SCHEMA_NAME" generate=true load=true file="/oracle/db/oid_files/oid_filteruser.txt"

• To get the OID_SCHEMA_NAME, refer the tnsnames.ora file of OID environment. 
• It will prompt for OID schema password.
• Run ldapsearch command for importing groups as shown below.

./bulkload connect="OID_SCHEMA_NAME" generate=true load=true file="/oracle/db/oid_files/oid_filtergroup.txt"

•  It will prompt for OID schema password.
• Start OID server.
• Login to OID console to see the changes.

How to start sshd service in linux during server bootup

Hi All,

This may be trivial but believe it to be useful too. This post explains how to start sshd service in Linux OS during server bootup so that there is no need to start sshd service explicitly.

1. Login as root user.
2. chkconfig --level 2345 sshd on
3. service sshd restart
4. chkconfig sshd --list
5. service sshd status
6. Reboot Linux OS.
7. Run the command service sshd status and verify if the sshd is running.

Hope this helps.

3rd party integrations supported in OAM 11gR2

This post will detail the 3rd party integrations that OAM 11gR2 supports.

1. Microsoft Sharepoint 2010: Oracle Doc here. OAM 11gR1 also supports Sharepoint 2010 integration.
2. RSA Authentication Manager 7.1: Oracle Doc here. OAM 11gR1 does not support this integration.
3. JBoss 5.1.0: Documentation here. OAM 11gR1 does not support this integration.

However there are few integrations coming up post R2 such as MS OWA, SAP Portal and IBM WebSphere Portal.

DCC in OAM 11gR2

I did not get chance to work on OAM 11g R2 yet, but one of my friends were asking couple of weeks ago about DCC in OAM 11g.
DCC stands for Detached Credential Collector which is a new feature introducted in 11gR2, not available in 11gR1.

I've read an article about this feature which looks simpler to me. You can learn this too http://fusionsecurity.blogspot.com/2012/10/dcc-configuration-11gr2.html

Its Oracle Documentation is here.

OVD 11g performance tuning

I've read an article about OVD 11g performance tuning which is very well explained. It explains various systems and factors to be tuned in OVD environment.

http://fusionsecurity.blogspot.com/2012/09/virtual-directory-performance-tuning.html

Nice post on OES 10g vs 11g

I have started a discussion in linkedin to find out the documentation/thoughts on OES 11g and 10g comparison with respect to features like authorization and role policy models, export and import XMLs and so on.

Matthew carter has pointed out a good post on comparing OES 10g with OES 11gR2.
I'll supplement this post with some more thoughts soon here.

Upgrading OID from 10g to 11g

There is video clearly explaining the upgrade processs of OID 10g to 11g.

Metalink note: 1123963.1

TNS-12542: TNS Address already in use

While starting the Oracle DB 11g listener I am getting the error TNS-12542. Check the below screenshot.

The DB services are running in VM and network setting is applied as NAT. It was working all while until today so I verified the ip address and noticed that it is changed.
So I updated the /etc/hosts file with correct IP address and started the listener without any hiccups :)

Planning to move to other vendor products?????

With time I am getting chafed with Oracle Products and its documentation. Oracle is releasing products at a much faster rate with inadequate documentation and inadequate training programs. It is getting very difficult for programmers to adapt to new versions and implement the customer requirements.

I am planning to learn some other vendor products to shift the Oracle platform.. I can't assure whether I will quit Oracle platform.

So my next objective is to learn Novell Access Manager based on my bandwidth. I shall be writing some posts on my learning often.

Going back to OES 10g version

I am back to 10g versions which is considered as stable version compared to 10g. Working on OAM/OES/OIM 10g stuff...

OES 11g is much simpler than OES 10g and one such case is exporting and importing application specific policies.

There is small write up on exporting application specific policy in OES 10g.

Upgrade plans of OAM 10g to 11g

I presume many people are curious to know about OAM upgrade from 10g to 11g versions. Well, here is the point!!

There is no direct upgrade plan yet because the 11g version is released for OSSO customers extremely. However to upgrade OAM to 11g here are my thoughts:

1. Architecture is totally revamped in 11g. OAM server is a java based application deployed on WebLogic server. However 10g servers are stand-alone. 
2. 10g WebGates are backward compatible with OAM 11g server. 11g WebGates are provided only for OHS server. So if your environment has Apache or IHS servers then you can continue to use 10g Webgates with agent registration.
3. Policy Domains concept is enhanced with sessions. So you can pass on several session attributes in authorization actions. 
4. If there is a custom plug-in to extrapolate concurrent users scenario, then it is just a checkbox enablement in 11g - much easier, is not it!!
5. Any custom authentication plug-ins developed in 10g using C/C++ has to be rebuilt using java tech in 11g.
6. Any Identity XML features used in 10g has NO upgrade or replacement. All the identity features are part of OIM 11g.
7. If there is a password management features used, then execute the features using OIM 11g.
8. If you are using RSA token authentication then it is not certified in 11g - Oracle has plans to release this soon.
9. If you are using Sharepoint integrated with OAM 10g, then Sharepoint 2010 is certified with OAM 11g. Check out this post.
10. EBS is certified with OAM 10g and 11g versions. In 11g, it is access gate version rather than OSSO delegation.

Therefore, to upgrade OAM 10g to 11g, all the needs to be manually created/configured from the scratch.
If your environment has RSA token as main authentication, then it is better to upgrade to 11gR2 directly as OAM 11gR1 is not certified. OAM 11gR2 - RSA integration guide is here.

The latest IAM release 11.1.2 has upgrade plans from 11gR1.
Upgrading OAM 11gR1 (11.1.1.5) is here.
Unlike OIM, there is a direct upgrade plan from OAM 10g to OAM 11gR2, documentation is here.

Upgrading OIM 10g to 11g

Here is the white paper talking about upgrading Oracle Identity Manager 10g to 11g.

The upgrade plan from OIM 10g to 11gR2 made of two parts:

•  Upgrading OIM 10g to OIM 11gR1 (11.1.1.5)
• Upgrading OIM 11gR1 (11.1.1.5) to OIM 11gR2 (11.1.2)

Configuring OID 11g replication

I did a small write up on OID 11g replication concepts here and LDAP based replication setup here.

OIM 11g Configuration error

Oracle releases products oftentimes and hence it is very difficult to know which version to use and what is certified. I am talking about OIM 11gR1 version with WLS, SOA Suite and RCU.

With OIM 11.1.1.5.0 it is certified with WLS 10.3.5, SOA Suite 11.1.1.5.0 and RCU 11.1.1.5. However with products releasing, they won't appear on OTN, instead you have to download from edelivery. Well, it is a problem if we don't have account.

So I downloaded WLS 10.3.6, SOA Suite 11.1.1.6.0 and Oracle IAM Suite 11.1.1.5. I installed Oracle IAM Suite 11.1.1.5 and failed at OIM configuration step. I wrote a detailed post on the error messages and action plan. Well, it is actually version mismatch. Oracle Identity Manager should be upgraded to 11.1.1.5.2 to use WLS 10.3.6, SOA Suite 11.1.1.6.0.

OAM 11g - Apex 4.1.0 Integration

I wrote a post on OAM 11g integration with APEX 4.1.0 application here. Hope this is helpful.

Small writeup on OAuth2.0

OAuth 2.0 is a new standard/technology that is being adapted by many organizations for Mobile application developments. And so Oracle used it in Oracle IDM 11gR2 release for Access Management Mobile and Social SSO. I have also seen companies using OAuth 2.0 technology in Gadget applications. So I just thought of doing a small write up on it. I have also recently read a nice post on OAuth2.0.

OAuth is an open authentication protocol which enables applications to access each others data. For instance, a game application can access users data in the Facebook Application. So user logs into Social sites and get access to other applications without need to provide credentials again.
Let me explain this with a simple diagram. 

User access gaming application. It redirects user to login to Social Site say Facebook. User logs into Facebook successfully. Now the gaming application can access users data from Facebook.

OAuth 2.0 standard support various clients which access REST APIs. This includes calling out an enterprise application to the cloud or applications getting called from mobile devices.

Check out its specifications here.
The services that OAuth 2.0 support as of today are:

• 37Signals (draft 5)
• Facebook's Graph API (see sociallipstick.com/?p=239)
• Twitter
• Foursquare
• Geoloqi
• Github
• Google
• Meetup
• Salesforce
• Windows Live

Oracle Identity Management 11gR2 softwares are available for download

Hi All,

Oracle IDM 11gR2 softwares are available in edelivery for download.

 

Oracle Identity Management 11.1.2.0 documentation is out

Oracle has released the Oracle Identity Management 11.1.2.0 documentation here. Being more of an OAM guy, it is undoubtedly said that OAM spectrum is vast now with inclusion of Mobile and Social features and Client API toolkits.

I will update you when softwares are available for download.

How to configure Apache Server with port less than 1024?

Goal: Apache Server runs on a http port and needs to be started/stopped as non-root user if Apache Server port is greater than 1024. How to make Apache server run as root user if port is less than 1024 in linux environment?

Solution:

1. Login as root user.
2. Goto Apache directory say $ORACLE_HOME/Apache/Apache/bin
3. Change ownership of apachectl as root chown root .apachectl
4. Change permission as chmod 6750 .apachectl

Oracle Identity Management 11gR2 WebCast Q&A

As a follow up for my previous post on Oracle IDM 11gR2 release web cast, I would like to let you know that QA during that session was blogged here, very informative.

Oracle Access Manager patch numbers

You can find Oracle Access Manager patch numbers for any of the versions like 10g, 11g and so on here
 Metalink note: 736372.1

Highlights of Oracle Identity Management 11gR2 release webcast

I have attended the WebCast of Oracle IDM 11gR2 release yesterday and here is an overview of the discussion. This release is majorly into supporting mobile and social applications for Web SSO. Let us see various areas that are covered in this release.

• First and foremost, the softwares of 11gR2 will be available in OTN/edelivery by mid of August.
• Migration/Upgrade from Sun IDM to Oracle IDM: Oracle has already brought in some customer environments in house to test the migration process using scripts and tools. So automated process can be expected in this release.
• 11gR2 with regards to cloud: Already Oracle cloud environment is being built on Oracle Identity Management stack and more features can be expected in future.
• Mobile and Social Apps: This is the highlight of this release. SSO for these applications has been brought into Web Access Management. Lots of open standards have been incorporated such as OAuth, SAML, OpenID and REST. Some of the new features includes native mobile security and SSO with social applications such as Facebook/Twitter/Yahoo etc., and REST API for cloud and mobile application development and support for multi-data center configurations. I presume multi-data center configurations was available in 11gR1 but not certified or not officially brought out. To summarize the Oracle Access Manager spectrum has increased by large volume involving STS, Mobile & Social security, new open standards etc.,
• More features of virtualization are included in Oracle Unified Directory. Undoubtedly it can be said that OUD has been more focused and will be future LDAP and virtual storage product beating OID/OVD/ODSEE - just my personal thought.
• Connector reuse for both Oracle IDM and Sun IDM will be in place for target systems.
• One of the most important integrations OIM-OIA (that leverages customers to provision the roles to downstream appplications through OIM by importing roles into OIA etc.,) has been enhanced with new feature called Entitlement Catalog in OIM that will allow us to define all business attributes and forms in catalog and be made available in recertification & approval process.
• Simplied look and feel for Identity management & Access Governance capabilities such as Access Request, Provisioning and Certification etc.,
• New product is introduced Oracle Privileged Account Manager OPAM that will be used across the entire breadth of IAM stack. OPAM is used to safely and easily manage shared and administrative passwords associated with business applications, middleware, database and operation systems. Integration is supported with Access Management and Identity Governance systems. It is very interesting to see this product playing role of automated approval of requests, change password management and so on. Eagerly waiting for this product.

Let me know if you have any comments.

"ls command not found" in linux

I want to set environment variables in my linux environment and hence I updated .bash_profile with two lines at the end of the file.

export JAVA_HOME=/u01/app/Oracle/Middleware/jrockit_160_29_D1.2.0-10/bin/java
export PATH=/u01/app/Oracle/Middleware/jrockit_160_29_D1.2.0-10/bin

After sometime I had rebooted machine for something else and I am seeing a different screen after logging into linux system, an xclock and xterm stuff which was very unusual.

Later I noticed that ls and other bash commands are also not working as non-root user for which I modified the .bash_profile. See the error message given below.

-bash: ls: command not found

So I logged in as root user and modified the non-root user .bash_profile to include the actual PATH as shown below.

export PATH=$PATH:/u01/app/Oracle/Middleware/jrockit_160_29_D1.2.0-10/bin
Actually the PATH variable was earlier set as shown below.
PATH=$PATH:$HOME/bin

I rebooted machine and it works fine!! A silly mistake killed my time :(

Oracle Identity Management 11gR2 webcast

Next big revolution release from Oracle is Oracle Identity Management 11gR2. WebCast is scheduled today IST 10.30 PM.

Register here.
I'll post the updates tomorrow after attending the webcast. Stay tuned!

Exploring OAM 11g

I am getting free time these days to explore on OAM 11g features more.
Few things I have started with are: Creating OAM 11g administrator users by configuring identity store. Logging and auditing stuff.

I am going to write up posts very soon on the above mentioned stuff. Next exploring topic is Custom Authentication plugins.
Stay tuned!!

Oracle Access Manager 11g is certified with Sharepoint 2010 server

One of the much awaited integrations in OAM 11g queue is Sharepoint 2010 server. Well, there is a good news and it is certified now. Check out the certification matrix.
Please contact me for integration documents.

Configure Node Manager for OAM Server 11g

Hi All,

Today I am going to explain the steps for configuring node manager for OAM Server 11g. In fact these steps can be used to configure node manager for any of the other managed servers too.

Before I get into the actual topic, let me explain you what a Node Manager is. Node Manager is a java utility tool that allows you to perform common operation tasks on Managed Servers. In a typical production environment where managed servers are distributed across geographic locations the Managed Servers can be operated from a single place called Node Manager.

Let's see how we can do this.

1. Create a machine where Managed servers are running. If there are 3 managed servers present in a cluster, then 3 machines with respective hostnames has to be created in WebLogic Admin console. Specify the machine name as you like, but should be meaningful :)
2. Specify the Type of Node Manager and machine hostname and listening port that the node manager has to communicate with.
3. Specify a Managed server to associate with this machine.
4. Execute the setDomainEnv.sh script and connect to WebLogic Admin server using WLST java command.
5. Execute nmEnroll script to enroll the node manager for a specific weblogic domain
6. Edit the nodemanager.properties file and set parameter SecureListener=false. This file is located at $MW_HOME/wlserver_10.3/common/nodemanager
7. Start the node manager using script startNodeManager.sh located at $MW_HOME/wlserver_10.3/server/bin. Wait for the message "Plain socket started listener on port 5556". You will see the port that was specified in step 2.
8. 
9. Goto WLS Admin console and check the status of Node Manager in the machine.
10. Now, its time to start managed server using node manager. Goto WLS Admin console and traverse to Environment -> Servers -> oam_server1 -> Control. Goto the end of the page and select the checkbox and click Start.
11. Wait till the status appears RUNNING.

Planning to install Oracle Identity Management 11.1.1.6?

I have written few posts here on planning the installation of Oracle Identity Management 11.1.1.6 for various scenarios. The post also covers the installation steps with detailed screenshots.

Hope this helps!

Please get back to me in case of any queries/suggestions.

Updates on OES 11g with Java SM in Tomcat Server

Earlier I had written my comments about OES 11g with java SM in Tomcat container in this post. I'd like to redefine this with some changes.

First of all, OES 11.1.1.5.0 is not supported on Tomcat Server 6.x. However if your client have no choice other than using Tomcat and there is an application to be protected against OES 11g, then here is what you can do:

Assuming that OES server and client + Java SM is installed and up and running.

• Goto Tomcat install directory, edit the setclasspath.sh or setclasspath.bat and update the Tomcat Classpath with oes-client.jar as export CLASSPATH=$CLASSPATH:$OES_CLIENT_HOME/modules/oracle.oes.sm_11.1.1/oes-client.jar.
• Specify the Java SM jps-config.xml in the Java OPTIONS (in the same file setclasspath.sh or setclasspath.bat) as export JAVA_OPTS= $JAVA_OPTS -Doracle.security.jps.config=$OES_CLIENT_HOME/oes_sm_instances//config/jps-config.xml.

Test the Tomcat application with some authorization policies and it works!

Exceptions: In my case, our enterprise application was using xml parser jars which was conflicting with xmlparserv2.jar located under $OES_CLIENT_HOME/modules/...

Experiences of Oracle Entitlement Server 11g Java SM

Since 2 months I have had the opportunity to work on Oracle Entitlement Server 11g on various requirements and would like to put my experiences here.

Java SM: The Java SM instance creation is very simple using a command line script with few input parameters. All this SM requires is the jps-config.xml present in $JAVA_SM/config location. The contents of this XML would be identity store, policy store, credentials store and so on. I am not going into details of the backend stores specified in this XML. You can use Java SM to execute java code on a stand-alone mode. There is an application Server JBOSS which is supported (atleast the steps are known to the world - detailed in fusionsecurity.blogspot.com). However if you want to use Java SM in the famous Tomcat container, then it is not supported in this current release which I think is very big lag. In general there are two types of calls you can make out to OES 11g - Authorization Calls, Policy Management calls.

In our case, we have developed an enterprise application and deployed in Tomcat container. We have to make authorization calls from the application in a dynamic manner for protecting the fine grained elements. We have tried N no. of ways to achieve this but could not make it work. However we are able to make policy management calls to OES Server just using jps-config.xml file. Policy Management calls include creating applications, resources, policies etc.,