Thursday, October 19, 2006
WebGate Cannot Initialize
A web server with a WebGate installed on it suddenly does not serve pages and generates 500 errors. There have been no changes to the server or the web server configuration. Upon further investigation the Oracle Access Manager (formerly COREid) oblog.log of the WebGate generates a line in the WebGate initialization indicating that it is failing.
This indicates that WebGate cannot create a TLS connection to the Access Server so it cannot initialize so it leaves the web server in an unusable state. The likely cause of this is that the certificates on the WebGate have expired.
The certificate expiration dates can be checked by reading this.
The certificates can be regenerated by reading this.
This indicates that WebGate cannot create a TLS connection to the Access Server so it cannot initialize so it leaves the web server in an unusable state. The likely cause of this is that the certificates on the WebGate have expired.
The certificate expiration dates can be checked by reading this.
The certificates can be regenerated by reading this.
Policy Domain/Policy Not Enforced
Successful migrations of Oracle Access Manager (formerly COREid) configuration data rely heavily on consistent directory naming of entries between envionments. It is not enough for configuration data objects to share the same user friendly names, they must have the same RDN (Relative Distinguished Name) values in the directory server. This forms the basis of clean migrations. As well, objects must share the same properties. If this setup is performed in advance of using the COREid Migration Service or alternatively, corrected in a pre-existing environment using the COREid Migration Service migrations will run smoothly. The situation described below illustrates how having inconsistent environments can cause problems.
After copying a policy domain or policy to a new environment the resources protected by the policy domain and/or policy are not actually protected there. Checking the resources in the Oracle Access Manager Access Tester reveals that the resources are indeed not protected.
This error highlights a mismatch in host identifier data between the source and target environments. It may look the same (i.e. have the same user friendly description in the UI), however, the distinguished name (DN) that names the object in the directory is probably different.
The short term solution is to add the host identifier for that environment in all of the locations in the policy domain(s) and/or policy(ies) where resources are specified. This will get the policy domain(s) and or policy(ies) working again in the target environment. However, there is still a longer term problem that will affect future migrations of policy domain data.
This long term solution is to use the COREid Migration Service to migrate host identifiers and policy domains from a stable environment (production) to all of the other evironments (i.e. quality, test and dev) and systematically update the host identifier entries with host names specific to the environment. This will make the other environments consistent a prevent this problem from occurring in the future.
After copying a policy domain or policy to a new environment the resources protected by the policy domain and/or policy are not actually protected there. Checking the resources in the Oracle Access Manager Access Tester reveals that the resources are indeed not protected.
This error highlights a mismatch in host identifier data between the source and target environments. It may look the same (i.e. have the same user friendly description in the UI), however, the distinguished name (DN) that names the object in the directory is probably different.
The short term solution is to add the host identifier for that environment in all of the locations in the policy domain(s) and/or policy(ies) where resources are specified. This will get the policy domain(s) and or policy(ies) working again in the target environment. However, there is still a longer term problem that will affect future migrations of policy domain data.
This long term solution is to use the COREid Migration Service to migrate host identifiers and policy domains from a stable environment (production) to all of the other evironments (i.e. quality, test and dev) and systematically update the host identifier entries with host names specific to the environment. This will make the other environments consistent a prevent this problem from occurring in the future.
Anonymous Authentication Resources SLOW
Problem Oracle Access Manager (formerly COREid) is extremely slow or does not serve content from servers protected by the Anonymous Authentication Scheme (formerly Netpoint None). This can include FAQ pages, login pages, images, style sheets, etc.
Background The Anonymous Authentication scheme is used in cases where the WebGate has its DenyOnNotProtected property set to TRUE. The anonymous authentication scheme maps the OblixAnonymous user int eh credential_mapping plugin. By default this is mapped to the uid attribute. The uid attribute is indexed by default in some directory servers but not in AD/AM. In AD/AM the attribute is added as part of the iNetOrgPerson schema extension and is not indexed.
Solution If you are having a problem similar to this one, check to see if the Anonymous Authentication scheme is using the uid attribute in teh credential_mapping plugin. If it is then check to see if the attribtue is indexed in the directory server (if using AD/AM it will not be indexed by default). If it is not indexed then there are a couple of options:
Potential Cause How did this problem occur? It seemed to just appear over night. The likely cause of this problem is an increase in the amount of data in the user directory server. More data will cause a search on an unindexed attribute to yield incorrect incomplete results more frequently than if there is less data in the directory. This is because the look thur limit the directory imposes on the searhcing user may be exhausted before the entry (or entries) is located.
Background The Anonymous Authentication scheme is used in cases where the WebGate has its DenyOnNotProtected property set to TRUE. The anonymous authentication scheme maps the OblixAnonymous user int eh credential_mapping plugin. By default this is mapped to the uid attribute. The uid attribute is indexed by default in some directory servers but not in AD/AM. In AD/AM the attribute is added as part of the iNetOrgPerson schema extension and is not indexed.
Solution If you are having a problem similar to this one, check to see if the Anonymous Authentication scheme is using the uid attribute in teh credential_mapping plugin. If it is then check to see if the attribtue is indexed in the directory server (if using AD/AM it will not be indexed by default). If it is not indexed then there are a couple of options:
- index the attribute in the directory (may be harder on some directory platforms than others; very easy on AD/AM)
- change the attribute in the Anonymous Authentication Scheme's credential mapping step to an attribute that IS already indexed
Potential Cause How did this problem occur? It seemed to just appear over night. The likely cause of this problem is an increase in the amount of data in the user directory server. More data will cause a search on an unindexed attribute to yield incorrect incomplete results more frequently than if there is less data in the directory. This is because the look thur limit the directory imposes on the searhcing user may be exhausted before the entry (or entries) is located.
Friday, October 06, 2006
Can't See Workflow
Successful migrations of Oracle Access Manager (formerly COREid) configuration data rely heavily on consistent directory naming of entries between envionments. It is not enough for configuration data objects to share the same user friendly names, they must have the same RDN (Relative Distinguished Name) values in the directory server. This forms the basis of clean migrations. As well, objects must share the same properties. If this setup is performed in advance of using the COREid Migration Service or alternatively, corrected in a pre-existing environment using the COREid Migration Service migrations will run smoothly. The situation described below illustrates how having inconsistent environments can cause problems.
Have you ever copied a workflow definition from one environment to another and had the workflow not appear in the Oracle Access Manager (formerly COREid) Workflow applet? You double check the target directory server and indeed all of the entries are there so you wonder what could possibly be happening.
If this sounds familiar, then this is likely highlighting a difference between your two environments that you might not know existed. The problem is probably related to when your environments were first built manually independent of one another.
The cause is that there are different objectclasses associated with the tab_id that the workflow is meant to manage.
For instance say in the development environment the Employees tab (default user tab in Oracle Access Manager) has associated with it structural objectclasses of user and oblixOrgPerson. But in the quality assurance environment where you migrated the work flow to it has objectclasses of user, obligOrgPerson and auxCompanyPerson.
This provides an obvious barrier to performing clean migrations between environments. The way to correct this problem is to make the objectclasses look the same. The best way to do this is to get one environment in a pure state (i.e. contains all of your active development) and then migrate it to the other environments. This way all of the environments will be the same and ready to migrate information from one environment to another.
Have you ever copied a workflow definition from one environment to another and had the workflow not appear in the Oracle Access Manager (formerly COREid) Workflow applet? You double check the target directory server and indeed all of the entries are there so you wonder what could possibly be happening.
If this sounds familiar, then this is likely highlighting a difference between your two environments that you might not know existed. The problem is probably related to when your environments were first built manually independent of one another.
The cause is that there are different objectclasses associated with the tab_id that the workflow is meant to manage.
For instance say in the development environment the Employees tab (default user tab in Oracle Access Manager) has associated with it structural objectclasses of user and oblixOrgPerson. But in the quality assurance environment where you migrated the work flow to it has objectclasses of user, obligOrgPerson and auxCompanyPerson.
This provides an obvious barrier to performing clean migrations between environments. The way to correct this problem is to make the objectclasses look the same. The best way to do this is to get one environment in a pure state (i.e. contains all of your active development) and then migrate it to the other environments. This way all of the environments will be the same and ready to migrate information from one environment to another.