Oracle Access Manager (OAM) Nitty-Gritty

PeopleTools 8.51 SSO using Oracle Access Manager 11g (11.1.1.3)

2011-08-15T11:31:00.007-06:00

For many years, OAM has provided a well documented SSO solution for PeopleSoft using typical header variable integration. However, PeopleBooks for PeopleTools 8.51 has become so, shall we say, refined, it's now harder to acheive success with such time-tested integration steps.

My hard-fought, but successful integration attempt rested on 3 key things:

Turning on Allow Public Access in the PeopleSoft PIA Web Profile - still required.

I realize this was done in previous Tools versions, but I don't find it as clearly documented by Oracle for Tools 8.51. The Web Profile screen shot is gone and they no longer refer to the checkbox "Allow Public Access"; they simply say you have to set up the "public access user ID". So you have to make a small inference as to what to configure.

Using "cmd=start", and not cmd=login. E.G. http://myhost:8080/psp/mypsoftdb/?cmd=start.

cmd=login just gave me the PeoplSoft login page after authenticating through OAM, rather than the user's home page in PeopleSoft. Again, this was documented more clearly in the past, but not for the latest Tools versions. An experienced colleague, as well as an OAM 10g/PeopleTools 8.50 example from Metalink, pointed me to using cmd=start.

Lowercasing header variable names when using Signon PeopleCode to retrieve them from the session. E.G. &userID = %Request.GetHeader("ps_sso_uid");

This was the most important nuance. Although PeopleSoft conveniently provides Signon PeopleCode for this integration out-of-the-box, it does not hint that the header variable name containing the OPRID might need to be lowercased.

The header var "PS_SSO_UID" is delivered in Signon PeopleCode, as the variable that PeopleSoft expects OAM to provide. I could dump the headers from the request object to prove that Signon PeopleCode could indeed see that header variable, but somehow it still could not read the value it contained. A colleague mentioned that another one of our customers integrated a home-grown app with OAM and had the same problem...until they tried lowercasing the header! Replacing "PS_SSO_UID" with "ps_sso_uid" did the trick. OAM 11g-PeopleTools 8.51 SSO --- done!

My Environment:
- Apache 2.2 on Solaris, as reverse proxy for a PeopleTools 8.51 PIA instance
- Webgate 10.1.4.3 for Apache
- OAM 11.1.1.3

It could be that you don't need to lowercase your PS_SSO_UID header var name in your environment. Or maybe this will change in future patches of OAM 11g. But, if you figure you did everything else correctly, then give this a try! I hope it helps.

Update 06-Jan-2012:

I have been asked if any official PS-OAM integration docs or white-papers exist. Sorry, I have not found any silver bullet document yet. What I use is a combination of the following docs:

- PeopleTools 8.51 Security Admin

- Oracle Access Manager 11g Policy Management

Unable to open wallet error while bringing up OVD11g

2011-07-29T14:57:00.003-06:00

OVD 11g installed on Windows 2008 workstation fails to start with the error below in diagnostic log

Error:

PKI-02002: Unable to open the wallet. Check password

Reason:

There is a variable-id called "TEMP" in opmn.xml that holds the location where a couple .tmp files are created when OVD wallet file cwallet.sso is accessed.

Our opmn.xml has the following value for TEMP :

C:\Users\ADMINI~1\AppData\Local\Temp\1

Somehow the directory "1" was missing on our server. Since there was no directory to create the files, OVD refused to start.

Solution:

Creating an empty folder called 1 and attempting to start OVD created the required .tmp files and folders needed to store the wallet information

Good ol' Oblix schema alive and well in OAM11g

2011-05-27T15:30:00.007-06:00

While preparing to install OAM 11g, some of us were curious whether all the "ob..." attributes would remain intact or if they would be renamed with, for instance, an "orcl..." prefix. It struck one of my colleagues that the "ob" attributes would survive, if only to facilitate a workable upgrade path or to ease product development.

Whatever the case, it turns out that the attributes we've all known since the days of NetPoint and COREid have endured and can be found in OAM 11g after all.

During the LDAP pre-configuration step - one of the many, many steps required to get OAM installed - an LDAPConfigPreSetup.sh script is run, which performs the following:

Creates the Roles and Reservation User containers in OID, if they do not already exist.
Loads Identity product specific schema into the Directory

The LDIFs used to load the schema into OID contain all the old Oblix attribute names, and in my environment they are found in [MW_HOME]/Oracle_IDM[x]/oam/server/oim-intg/schema.

OID_oblix_pwd_schema_add.ldif
OID_oim_pwd_schema_add.ldif
OID_oblix_schema_add.ldif
OID_oblix_schema_index_add.ldif

This is great, because it should mean that we can count on using familiar attributes like obuseraccountcontrol and obusersessiontimeout.

Some things just don't change...at least not for another 6 months or so...

EM Console 11g shows OID is down

2011-05-20T09:26:00.002-06:00

The Enterprise Manager Fusion Middleware Control 11g shows OID is down even though opmnctl shows OID is up.

The EM console also displays the following error while trying to access the OID instance under Farm_IDMDomain -> Identity and Access -> oid1 or while trying to create a wallet for SSL

Error:

Information Configuration settings are unavailable because /Farm_IDMDomain/OID_Inst/oid1 is down.

There could be 2 reasons for this.

Reason1:

The WebLogic user password used by EM Console to monitor OID is not correct.

Solution:

Go to the Farm drop down menu on the top of EM Console -> Agent Monitored Targets -> Configure . Verify if the Weblogic Monitoring User Name is correct and Change the WebLogic Monitoring Password to the correct password. Click Ok.
Check the OID status now.

Reason2:

The IP address/hostname given in the Middleware Administration Server Service URL is wrong.

The following is an example of the Middleware Administration Server Service URL

service:jmx:t3://your_ip_address:7002/jndi/weblogic.management.mbeanservers.domainruntime

Solution:

Go to the Farm drop down menu on the top of EM Console -> Agent Monitored Targets -> Configure .
Try using hostname instead of IP address. Click OK and verify the status of OID from EM console.

Resources Missing After Upgrade

2010-12-21T15:37:00.004-07:00

It is unlikely that many will have this problem, but if you do this could save some time and headache troubleshooting...

When you upgrade from 7.x to 10.1.4.0.1 the resources on policy domains and policies go missing. It appears that the only known fix for this is to manually recreate this data using the UI after the upgrade.

The other approach would be to proactively take them out of the directory server before you do the upgrade and then simply add them back afterward.

The resources themselves are still there after the upgrade. All that is really missing is the pointer from the resource action object to the resource.

These can be found by performing an ldapsearch with the following criteria:

search base: obapp=PSC,OU=oblix root,DC=,DC=com
filter: (&(objectClass=oblixWRSCAction)(obResourceID=*))
attributes: obResourceID

This will return all of the objects that have this value set.

After the upgrade run the same search and compare the results. Those values should be missing. If so, prepare an LDIF file to update the entries.

An LDIF entry to fix the missing obResourceID could take this form...

dn: obname=,obname=,obapp=PSC,OU=oblix,DC=,DC=
changetype: modify
replace: obResourceID
obResourceID:

replace the tags with the appropriate value for your environment based on the LDIF you extracted.

Simple Mode Root CA Strikes Again

2010-11-25T15:51:00.003-07:00

We discussed the expiration of this cert already in this post. I never thought i would see this problem again. Ahhh, was i wrong. When upgrading from COREid 7 to OAM 10, the 10.1.4.0.1 upgrade drops the old (now expired) root CA over the updated ones.

If you keep the faith and keep going the 10.1.4.3 patch set replaces it with the new one that is good until 2024.

transfilter.dll disappears and won't load

2010-11-11T09:38:00.004-07:00

I just had the most frustrating experience. I am in the midst of upgrading OAM 7.x to 10.1.4.3. I had all the components upgraded to 10.1.4.0.1 so I got backups taken. Afterwards one of the webpass instances did not work. Upon further inspection transfilter.dll was actually removed form the file system. Strange, but no problem, i grabbed a copy from another 10.1.4.0.1 webpass.

The transfilter.dll still didn't get loaded by IIS and it still did not work. I ended up trying numerour different things. I added and re-added transfilter.dll to the Default Web Site multiple times. I uninstalled 10.1.4.0.1 and re-upgrade; still go the same behaviour. I uninstalled webpass alltogether (purged registry, etc) and installed 10.1.4.0.1 instead of upgrading an old one; still got the same behaviour.

I had given up home when i decided to try adding transfilter.dll at "Web Sites" instead of "Default Web Site". Low and behold it took and loaded. Then I tried moving it back to "Default Web Site" and it worked there too. I was back! Frustrated, but back.

I have no idea what caused transfilter.dll to disappear in the first place. I have no idea why it would not load in IIS after it was replaced. I have no idea why moving it in IIS fixed the problem. I am thankful though and if this strange occurence ever recurs I will have a strategy.

SAML Back Inside?

2010-09-20T14:33:00.002-06:00

What's old is new again. Remember SAML Service in CoreID 5x? Sounds like OIF will be merged back into OAM in a future release.

OAM 11g R1

2010-09-20T14:29:00.002-06:00

AuthN and AuthZ responses support much more options for returning user data. It appears that the need to create plugins to return more complex data has been eliminated.

Will your OAM installation fail in July 2010?

2010-04-28T16:23:00.003-06:00

Is your OAM installation setup in simple mode? Then chances are your installation is going to break on July 25, 2010. You may have heard a faint ticking every time you got near one of your OAM machines, but never had a chance to figure out where this impending failure was going to come from. As you know,~~according to Mayan Calendar, in 2012~~ in simple mode OAM generates certificates for you using the simpleCA root CA (tools\openssl\simpleCA). This root certificate is also used to complete the chain of trust when establishing SSL connections.

But did you know that root CA certificates expire? The OAM certificate expires Jul 25 18:03:57 2010 GMT after which your OAM components will no longer be able to communicate with each other

How do I fix this?

Luckily the fix is extremely easy.

If you have an account for support.oracle.com, log in and search for ID 811105.1, which will instruct you to download a new cacert.pem and place it in all your simpleCA folders. Don't forget to include any AccessSDK installations, and make sure the new cacert.pem has the correct permissions.

If you don't have an account with support.oracle.com, then the release notes (bug 8556756) for OAM have instructions for extending the life of the Simple mode certificate. Once extended you can copy the new cacert.pem everywhere that it's needed and restart all components.

How do I know if I am affected?

You can browse to tools\openssl and use the openssl command to check the expiration date of the certificate.

openssl.exe x509 -in simpleCA\cacert.pem -noout -enddate

notAfter=Jul 25 18:03:57 2010 GMT

Oracle says the expiration date is July 5th, 2010 in their release notes. What is the real date?

Yes it does say that and we're not sure why. Feel free to update your cacert.pem prior to July 5th - no need to wait until the last minute.

What errors might I see if I did nothing?

WebGate protected pages will say they can't contact the access server.

You may see webgate errors like

2010/07/26@18:03:00.718000 3728 3240 CONN_MGMT ERROR 0x00001C08 \Oblix\coreid\palantir\aaa_client\src\watcher_thread.cpp:84 "NAP initialization failed"

2010/07/26@18:03:00.718000 3728 3256 CONFIG INFO 0x0000182C \Oblix\coreid\palantir\access_api\src\obconfig.cpp:865 "ObAccessException_ENGINE_DOWN" raw_code^301

or if your certificate permissions are wrong

2010/07/26@18:04:59.796000 3712 300 ACCESS_SDK FATAL 0x0000181C \Oblix\coreid\palantir\access_api\src\obconfig.cpp:422 "ObAccessException_NOT_INITIALIZED" raw_code^204

2010/07/26@18:04:59.796000 3712 300 ACCESS_GATE FATAL 0x00001520 \Oblix\coreid\palantir\webgate2\src\iisentry_web_gate.cpp:183 "Exception thrown during WebGate initialization" Error^Oracle AccessGate API is not initialized.

UTF-8 and Oracle Access Manager

2010-01-04T15:39:00.002-07:00

OAM supports UTF-8 in incoming data, and can generate HTML pages encoded with UTF-8, but what about internally? Is UTF-8 data available in plugins? In HTTP header variables? We tested 10.1.4.3 on Windows and were surprised that our UTF-8 data was being interpretted incorrectly in our managed plugins (though exec ppp plugins worked as expected).

The character Û ( U with a circumflex) has a code point value of 219 (all numbers are decimal). In UTF-8 this is encoded as the bytes 195 & 155. However, when this text reaches our plugin it appears as Ã› (A with tilde & single right-pointing angle quotation mark). In .NET Strings are in unicode, so we know something is happening with the identity server to re-interpret the bytes 195 & 155 as some other encoding and then to provide us that String as unicode. That encoding turns out to be Windows-1252 - the default code page on our Windows system. 195 is Ã, while 155 is ›. Luckily there is a simple workaround – we get the Windows-1252 byte value of the string and then interpet those bytes at UTF-8.

Encoding encoding_1252 = Encoding.GetEncoding("Windows-1252");
string utf8String = Encoding.UTF8.GetString(encoding_1252.GetBytes(windows1252String))

Using Reflector I can see a few calls to StringToHGlobalAnsi in the managed library, and I would guess a similar call like PtrToStringAnsi is used for converting between unmanaged and managed memory, and this may be a cause of the issue.

This issue also exists in the Access Server. If you want to send a UTF-8 attribute value in a header, OAM is smart enough to base 64 encode it (according to RFC 2047 ). So our value should be encoded useing this format "=?UTF-8?B?" base64-encoded-text "?=". Unfortunately, the text to be encoded is incorrect – the access server is B64 encoding the Windows-1252 interpretation of the UTF-8 bytes. You'll need to B64 decode the header text and then use the re-encoding code shown earlier to get the real value.

One thing to note is that if your default code page is something other then Windows-1252, you'll proably have to interpret the string using that code page.

Setting Permissions for your Oracle Access Manager Bind Account in OID

2009-12-02T20:44:00.005-07:00

The bind account that OAM uses to connect to OID directory services needs to have full rights over the portion of the DIT that you intend to manage with OAM.

It is considered a best practice to avoid using the root user (cn=orcladmin) who has rights over the whole context and the rest of the server. It's also a good practice to avoid the use of cn=orcladmin,cn=users,dc=company,dc=com to preserve it for general context administration.

An efficient way of making sure your new OAM service account has the right stuff is to set the user up with the same group memberships as the context administrator account (that's the cn=orcladmin,cn=users,... guy).

ldapsearch -h hostname -p 389 -D cn=orcladmin -w [password] -x -b "cn=groups,cn=OracleContext,dc=company,dc=com" "(uniquemember=cn=orcladmin,cn=users,dc=company,dc=com)" uniquemember

# OracleContextAdmins, Groups, OracleContext, company.com
dn: cn=OracleContextAdmins,cn=Groups,cn=OracleContext,dc=company,dc=com
uniquemember: cn=orcladmin
uniquemember: cn=oraclecontextadmins,cn=groups,cn=oraclecontext
uniquemember: cn=orcladmin,cn=users,dc=company,dc=com
uniquemember: cn=ovd.service,ou=service,dc=company,dc=com
uniquemember: cn=oam.service,ou=service,dc=company,dc=com

# OracleUserSecurityAdmins, Groups, OracleContext, company.com
dn: cn=OracleUserSecurityAdmins,cn=Groups,cn=OracleContext,dc=company,dc=com
uniquemember: cn=orcladmin
uniquemember: cn=oracleusersecurityadmins,cn=groups,cn=oraclecontext
uniquemember: cn=orcladmin,cn=users,dc=company,dc=com
uniquemember: cn=ovd.service,ou=service,dc=company,dc=com
uniquemember: cn=oam.service,ou=service,dc=company,dc=com

# iASAdmins, Groups, OracleContext, company.com
dn: cn=iASAdmins, cn=Groups,cn=OracleContext,dc=company,dc=com
uniquemember: cn=orcladmin
uniquemember: cn=ias & user mgmt application admins,cn=groups,cn=oraclecontext,dc=company,dc=com
uniquemember: cn=iasadmins,cn=groups,cn=oraclecontext
uniquemember: cn=orcladmin,cn=users,dc=company,dc=com
uniquemember: cn=ovd.service,ou=service,dc=company,dc=com
uniquemember: cn=oam.service,ou=service,dc=company,dc=com
... etc.

which gives you a good starting point for a file of modifications to add your new account into the right groups to achieve general context admin rights without having to fuss with ACLs.

# OracleContextAdmins, Groups, OracleContext, company.com
dn: cn=OracleContextAdmins,cn=Groups,cn=OracleContext,dc=company,dc=com
changetype: modify
add: uniquemember
uniquemember: cn=ovd.service,ou=service,dc=company,dc=com
uniquemember: cn=oam.service,ou=service,dc=company,dc=com
-

# OracleUserSecurityAdmins, Groups, OracleContext, company.com
dn: cn=OracleUserSecurityAdmins,cn=Groups,cn=OracleContext,dc=company,dc=com
changetype: modify
add: uniquemember
uniquemember: cn=ovd.service,ou=service,dc=company,dc=com
uniquemember: cn=oam.service,ou=service,dc=company,dc=com
-

# iASAdmins, Groups, OracleContext, company.com
dn: cn=iASAdmins, cn=Groups,cn=OracleContext,dc=company,dc=com
changetype: modify
add: uniquemember
uniquemember: cn=ovd.service,ou=service,dc=company,dc=com
uniquemember: cn=oam.service,ou=service,dc=company,dc=com
-

You get the idea... (there are more than are listed in this post)

I'm sure there are other ways. This has worked well for me.

OAM and OSSO Integrated in 11g

2009-10-12T14:41:00.002-06:00

OAM and OSSO have been integrated in 11g R2 and the integrated product is backwards compatible to both old OAM and OSSO enabled products. Oracle is delivering on a promise to converge applications for the better. This will enable the reduction of authentication complexity.

Forcing OAM Browser Based Setup

2009-09-10T07:45:00.003-06:00

One of the key tasks during development and deployment of OAM is running the product browser-based-setup process. It is this process that results in the initial 'oblix branch' being written to the directory service. So, when a customer wants to start again, the question is, "How do I make that setup process happen again?"

There are two browser-based-setup processes:

1) Identity System
This is the process that writes the initial o=oblix branch. To force this process again, locate the file [identity server install]/identity/oblix/config/setup.xml and locate the line indicating the current step - it should have a value of 'done'. Edit this value to 'incomplete' and save the file. Restart the webserver and identity server and navigate in a browser to /identity/oblix and request the Identity System Console. The Setup screen should appear.

Note that you can run this setup process with or without major underlying directory changes. Also note that (depending on what you are changing) you may also need to reconfigure individual software components using each one's command line configuration program (found in some form at .../oblix/tools/[setup|configure]).

2) Policy Manager (Access System)
The setup process for the Access System results in the writing of the obapp=PSC branch of the directory. To force this process find the file [policy manager install]/access/oblix/config/setup.xml and rename the file to something else. Then restart the webserver and navigate a browser to the /access/oblix. Request the Access System Console and you should see the setup button.

As on the identity side, depending on what you are doing, you may need to reconfigure the software components installed using their command line setup utilities.

That should be enough information to get you going in the right direction.

VDE Shadow Object LDIF

2009-08-05T19:28:00.002-06:00

If you are using the OVD Shadow Joiner feature then you will need to add the vdeShadowObject object class to the directory hosting the shadow objects. Here is a little LDIF file for just such a need...

# Description: contains vdeshadowobject vdeprimaryref for use with shadow joiners
#
dn: cn=subschemasubentry
changetype: modify
add: attributetypes
attributetypes: ( 1.3.6.1.4.1.17119.1.0.1 NAME 'vdeprimaryref' DESC 'This attribute contains an MD5 hash of a primary adapter' EQUALITY 'caseIgnoreMatch' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' X-ORIGIN 'user defined' )
-

dn: cn=catalogs
changetype: modify
add: orclindexedattribute
orclindexedattribute: vdeprimaryref
-

# ObjectClass Definitions
dn: cn=subschemasubentry
changetype: modify
add: objectclasses
objectclasses: ( 1.3.6.1.4.1.17119.1.1.1 NAME 'vdeShadowObject' DESC 'This object is used by VDE Shadow Joiner to store a shadow object to a primary entry in another directory. This objectclass normally used in conjunction with the extensibleObject object class to hold local attributes. vdeprimaryref is a hash of a DN that points to a primary object in an alternate adapter.' SUP top AUXILIARY MUST ( vdeprimaryref ) MAY ( description ) )
-

OAS 10.1.4 Installation Hangs

2009-07-08T18:42:00.003-06:00

I was installing OAS 10.1.4.0.1 today as I needed to use OID for an OAM deployment. I had a brand new linux vm, all of the pre-installation check list items (kernel tuning et al) were complete and all that was left was to install the software. So, I ran the installer. It ran very, very slowly but still ran. It eventually just hung when it got down to actually copying files. There was no failure message in the log file, it just seemed to be paused. The installer appeared to still be running but nothing was happening. Being the glutton for punishment I am, I deleted everything and re-ran the installer and was met with the same result (big surprise).

I scoured metalink, but to no avail so I started poking around though and found a completely obscure line in the /etc/hosts file. The DNS server had the IP address of the new vm right, but the /etc/hosts file contained an Internet addressable IP for the new vm (weird). Anyway, removing that line and trying again corrected the problem. I probably should have checked that first; next time I will.

Introducing Stitcher - OAM Configuration Migration Solution

2009-07-03T09:52:00.003-06:00

Many of our readers are aware that we have had the "COREid Migration Service" available for public use for the past three years. This service has been a resounding success with several high profile North American OAM customers relying on it to maintain consistency across their environments. The expression, "If it ain't broke, don't fix it." best describes our attitude towards the initial release.

But the time was right for a platform upgrade, some rebranding, and some minor issue fixes.

Stitcher lives at the same address as the original service. If it sounds like something you've been missing, check it out.

Credential Mapping Error

2009-06-12T10:16:00.001-06:00

Setting up IWA is a fairly straight forward task. All you need are an OAM environment, an IIS server with WebGate installed and special IWA Authentication Scheme. The IWA specific authentication scheme requires a credential mapping plugin to map the REMOTE_USER HTTP header variable set by IIS to a user attribute in the OAM user directory. WebGate even takes care of parsing the domain name from REMOTE_USER for you, what could be easier?

So assuming you followed all of hte instructions and everything is set up perfectly, or at least you think it is, what do you do if you still have a problem. Specifically, what could be wrong if are getting a credential mapping error in the web browser and the access server oblog.log file.

I recently encountered just such a problem. I used the search base and filter from the credential mapping plugin and conducted my own search against the directory as the OAM service account and it worked perfectly. This was so puzzling. I looked for trailing spaces in the credential mapping plugin because I know that can occur with resource patterns and ldap urls in other parts of Policy Manager. I finally compared a working credential mapping plugin to the IWA one. The different was in the quotation marks. The IWA credential mapping had been copied and pasted from the Metalink article discussing how to set up IWA in OAM. They were obviously from the wrong character set. Replacing the quotation marks solved the problem.

Panels in User Manager's Employees tab

2009-02-11T14:26:00.008-07:00

The "Employees" tab of user manager can have multiple panels in it:

The defaultPanel
The Header Panel
The Search Results panel
Any other user defined panels

The header panel, the defaultPanel and any user defined panels appear under "obpanelid=Employees, obapp=userservcenter, o=Oblix,<Config Base>" in the LDAP as "obpanelid=<some timestamp as ID>".

The header panel has its obpaneltype value as "headerPanel".

The value of "defaultPanel" for obpaneltype is for the default user profile panel. The user can change its name from "defaultPanel" to any other value, but the obpaneltype remains "defaultPanel".

Ever wondered what the third panel type, obpaneltype of jCardPanel? Its the panel for the search results!

Just because it does not show up as a "panel" on Identity System console can sometimes create confusion. For example when once because of some buggy horizontal migration, we eneded up with two objects with obpaneltype=jCardPanel and any change we attepted on the user manager tab profile, resulted in the error "This panel is already configured". From the Identity System console we could not see any duplicate panel information, it was only when we looked closely in LDAP, we saw two objects with obpaneltype=jCardPanel. Once we deleted the un-needed object and restarted ois server, things started working.

OAM Identity Server Deletes User When RDN Modified (on OID)

2008-11-19T16:38:00.003-07:00

This is known problem but i had trouble finding the solution so here it is re-posted from the OAS release notes for HP-UX... the resolution worked perfectly BTW.

This problem occurs when you use Oracle Internet Directory as the back-end repository. To fix this problem:

Edit the file ldapreferentialintegrityparams.xml in the following directory:
```
Identity_Server_installation_directory\identity\oblix\data\common
```
Change the value of the parameter referential_integrity_using from oblix to ds, as follows:
Save the file.
Restart the Identity Server for the changes to take effect.

You should be able to modify the RDN attribute value without any problem.
If you have multiple instances of the Identity Server installed, make this change to every instance of the Identity Server.

SDK-Access Server Time Difference Reminder

2008-08-20T17:43:00.003-06:00

When using a older Access Server SDK (7.0.4) with a newer Access Server (10.1.4) running in backward compatibility mode recently, the Access Server SDK always returned cookies that were logged out. The reason turned out to be because the time was never set on the machine the SDK was installed on.

However, the Access Server SDK installed correctly when it was installed. In previous incarnations the Access Server SDK would have never been able to be configured properly if a significant time difference existed.

This definitely falls squarely in the realm of user error, as the documentation clearly stipulates that when cert or simple mode are used the times have to be synchronized between client and server. In previous releases though you would never have been able to complete the SDK configuration. I can only imagine this has something to do with "backward compatibility" mode.

IdXml Change Attribute WF Does Not Run

2008-08-19T21:12:00.003-06:00

You create a change attribute workflow. Call it as a portal insert and it works. By work i mean updates the user's entry in the underlying directory when you change the value and click the save button in the OAM UI.

Having demonstrated successful configuration, your real objective is to invoke this through IdXml. So you create the IdXml and test it out. It seems to work, however, the attribute in the underlying directory is not changed.

It turns out if you cannot read the attribute you cannot request it to be changed via IdXml. However, it works if you request the change attribute using a portal insert instead. Sure enough if you test it with a canIRequestUserAttrModification request it will return Denied if you do not have read access.

This is an odd problem. And I am not going to dump any more time into it. But if you change the attribute so that the participant has read access on the attribute everything works as expected.

My specific situation involved a change attribute workflow where the participant was self.

Reactivate OAM User

2008-08-07T10:43:00.003-06:00

In order to be able to search for deactivated users, the logged in user need to be a participant in a reactivate user workflow definition.

If the user is not a participant in a reactivate user workflow then the following message will be received when the "Deactivated User Identity" button is clicked:

You do not have sufficient access rights.

OID Indexes

2008-08-06T22:14:00.004-06:00

Here are a few simple notes for handling OID indexes. If you want to search on an attribute in OAM where the data is stored in OID it must be indexed. Sometimes you might want to remove and then possible re-add an index. Index adding and removal can be handles with LDIF, however, if you need to recreate an index on existing data then you need to use a command line tool called catalog.

Index an attribute


dn: cn=catalogs
changetype: modify
add: orclindexedattribute
orclindexedattribute: attributename
-

Remove an index


dn: cn=catalogs
changetype: modify
delete: orclindexedattribute
orclindexedattribute: attributename
-

Re-index an attribute
that was previously removed. If you remove an index form an attribute and the data remains and you need to re-index the data in place then you need to use the catalog command line tool.


$ORACLE_HOME/ldap/bin/catalog connect=oiddev add=&quotTRUE" attribute="attributename"

Unwilling to perform
If after the attribute has been re-indexed the directory server will still not allow it to be searched and returns an unwilling to perform error, try restarting the OID gateway.


$ORACLE_HOME/opmn/bin/opmnctl restartproc ias-component=OID

Current Indexed Attirbutes
Use ldapsearch to get the current indexed attributes

ldapsearch -h localhost -p 389 -x -s base -b "cn=catalogs"  "objectclass=*"

Deleting a User with IDXML

2008-07-26T11:54:00.004-06:00

Certain actions (such as creating or removing an LDAP entry) are only available via OAM's 'workflow' engine. A freshly installed OAM system has no workflows configured, thus, no immediate mechanism to affect such actions.

To the newly initiated, discovering the create workflow mechanisms are relatively straightforward. But the delete, however, tends to throw people for a loop at first.

The trick is to create a 'Deactivate User Workflow'. Exactly what this workflow does is up the user building the workflow. You'll find, following the definition of the initial step, three similar action choices:

deactivate
disable
delete

If your goal is truly to whack the account, choose delete. Otherwise, a choice of disable will set the user account ObUserAccountControl flag to DEACTIVATED (with no human interaction required). By default, the Identity System ignores DEACTIVATED accounts in the user searchbase. The deactivate action accomplishes the same thing but it requires a human participant to actually push the button to confirm the action.

Lastly, if you want to access this 'Delete User Workflow' from IDXML you just need to keep in mind that it is a workflow you are calling. Pay close attention to:

function="workflowDeactivateUserSave"
and the fact that you do provide the workflow DN in the call

Here is a complete request for calling a Deactivate User Workflow:


<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas-xmlsoap.org/soap/envelope/" xmlns:oblix="http://www.oblix.com">
<SOAP-ENV:Body>
<oblix:authentication type="basic">
<oblix:login>admin</oblix:login>
<oblix:password>test1234</oblix:password>
</oblix:authentication>
<oblix:request application="userservcenter" function="workflowDeactivateUserSave" version="NPWSDL1.0">
<oblix:params>
<oblix:ObWorkflowName>obworkflowid=c60491a5ca0a45668fff08da2f1072d2,obcontainerId=workflowDefinitions,OU=Oblix,OU=apps,DC=company,DC=com</oblix:ObWorkflowName>
<oblix:uid>UID=372af3c1-0c7e-428d-a80a-fae632211489,OU=people,DC=company,DC=com</oblix:uid>
<oblix:noOfFields>2</oblix:noOfFields>
<AttributeParams xmlns="http://www.oblix.com/">
<GenericAttribute>
<AttrName>cn</AttrName>
<AttrNewValue>test</AttrNewValue>
<AttrOperation>REPLACE_ALL</AttrOperation>
</GenericAttribute>
<GenericAttribute>
<AttrName>userStatus</AttrName>
<AttrNewValue>delete</AttrNewValue>
<AttrOperation>REPLACE_ALL</AttrOperation>
</GenericAttribute>
</AttributeParams>
</oblix:params>
</oblix:request>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>

OAM Identity XML (IDXML) via XMLHttpRequest

2008-07-22T12:00:00.004-06:00

It makes sense that the ideal HTTP Client for IDXML processing is the authenticated user's browser. After all, it already has the ObSSOCookie.

JQuery is the Javascript library of choice for all my client work lately. You can see why in the following example of processing an IDXML request via Javascript straight from the client. The use cases for this capability are endless.

This is the proverbial 'tip of the iceberg' in utilizing OAM Identity in a modern web development context. The end result: Perfectable user experiences based on data and services made available and secured through OAM's web based configuration tools. It's a powerful combination.

Lets take a simple create user workflow request and turn out a simple Javascript templating function to build the string for us:


getSoap = function(data){
  var dat = [];
  dat[dat.length] = '<?xml version="1.0" encoding="UTF-8"?>';
  dat[dat.length] = '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas-xmlsoap.org/soap/envelope/" xmlns:oblix="http://www.oblix.com">';
  dat[dat.length] = '<SOAP-ENV:Body>';
  dat[dat.length] = '<oblix:request function="workflowSaveCreateProfile" version="NPWSDL1.0">';
  dat[dat.length] = '<oblix:params>';
  dat[dat.length] = '<oblix:ObWorkflowName>obworkflowid=672fcf2e9c5946a8b5b225b349acd46b,obcontainerId=workflowDefinitions,OU=Oblix,OU=apps,DC=company,DC=com</oblix:ObWorkflowName>';
  dat[dat.length] = '<oblix:ObDomainName>OU=people,DC=company,DC=com</oblix:ObDomainName>';
  dat[dat.length] = '<oblix:noOfFields>5</oblix:noOfFields>';
  dat[dat.length] = '<AttributeParams xmlns="http://www.oblix.com/">';
  dat[dat.length] = '<GenericAttribute>';
  dat[dat.length] = '<AttrName>uid</AttrName>';
  dat[dat.length] = '<AttrNewValue>'+data.uid+'</AttrNewValue>';
  dat[dat.length] = '<AttrOperation>ADD</AttrOperation>';
  dat[dat.length] = '</GenericAttribute>';
  dat[dat.length] = '<GenericAttribute>';
  dat[dat.length] = '<AttrName>cn</AttrName>';
  dat[dat.length] = '<AttrNewValue>'+data.cn+'</AttrNewValue>';
  dat[dat.length] = '<AttrOperation>ADD</AttrOperation>';
  dat[dat.length] = '</GenericAttribute>';
  dat[dat.length] = '<GenericAttribute>';
  dat[dat.length] = '<AttrName>mail</AttrName>';
  dat[dat.length] = '<AttrNewValue>'+data.mail+'</AttrNewValue>';
  dat[dat.length] = '<AttrOperation>ADD</AttrOperation>';
  dat[dat.length] = '</GenericAttribute>';
  dat[dat.length] = '<GenericAttribute>';
  dat[dat.length] = '<AttrName>givenName</AttrName>';
  dat[dat.length] = '<AttrNewValue>'+data.givenName+'</AttrNewValue>';
  dat[dat.length] = '<AttrOperation>ADD</AttrOperation>';
  dat[dat.length] = '</GenericAttribute>';
  dat[dat.length] = '<GenericAttribute>';
  dat[dat.length] = '<AttrName>sn</AttrName>';
  dat[dat.length] = '<AttrNewValue>'+data.sn+'</AttrNewValue>';
  dat[dat.length] = '<AttrOperation>ADD</AttrOperation>';
  dat[dat.length] = '</GenericAttribute>';
  dat[dat.length] = '</AttributeParams>';
  dat[dat.length] = '<oblix:obactorcomment>IDXML from browser via Javascrip</oblix:obactorcomment>';
  dat[dat.length] = '</oblix:params>';
  dat[dat.length] = '</oblix:request>';
  dat[dat.length] = '</SOAP-ENV:Body>';
  dat[dat.length] = '</SOAP-ENV:Envelope>';

  return dat.join("");
};

Then, if we prep a little data object with values (presumably pulled from the user interface):


var userdata = {
  uid:"marmil",
  cn:"Mark Miller",
  mail:"mark[at]nulli.com",
  givenName:"Mark",
  sn:"Miller"
};

I can call my template and consider my soap envelope ready to go:


var createUserSoapRequest = getSoap(userdata);

All over but the sending (and response handling):


// process the request
$.ajax({
  type: "POST",
  dataType:'xml',
  url: "/identity/oblix/apps/userservcenter/bin/userservcenter.cgi",
  data: createUserSoapRequest,
  contentType:"text/xml",
  processData:false,
  success: function(idxmlResponse){
    // crude
    alert(idxmlResponse);

    // better
    $("ObConfirmation",idxmlResponse).find("ObValue").each(function(i,o){
      alert($(o).text());
    });

    // in the real world, employ dom trickery to keep the user oriented...
  }
});

Cool, no?

OAM Search Results Virtual Attribute

2008-07-22T07:52:00.004-06:00

What if you want to include a virtual attribute in your search results that is derived form another attribute? Just create the attribute in an outbound mapper flow and add it to the search results and it should show up as expected - right? Well, maybe it will and maybe it won't; if the attribute(s) the derived value is based on is/are in the search results too then it will show up as anticipated. However, if they are not there then it won't show up as expected.

The solution is to use the OVD addReturnAttribute delivered mapper function on the reciprocal inbound request with the required source attributes. This will allow the outbound mapper to have the required data to complete the derived attribute and enable the OAM search result configuration to exist without the source attributes.

One Bad Mapper Can Spoil the Whole Bunch (if you're not careful)

2008-07-22T07:07:00.010-06:00

Creating a mapping file for OVD to use on inbound and/or outbound LDAP transactions can sometimes be tricky to get absolutely correct the first time. Invariably, the message

Could not complete mapping

is bound to show up at least once when you are trying something new.

When a mapping file is broken it can cause a variety of problems, but most notably if your adapters for authentication are using other unrelated mappers it can cause them to fail, resulting in failed authentication. So for instance if you are working on a mapper for one object you could prevent other users from authenticating. This pitfall can be easily avoided, however, using the OVD Filters to Exclude and Filters to Include fields on the routing tab of the adapters tab in OVD Manager. For instance by exluding (objectclass=inetorgperson) from an adapter that presents site data you can prevent an authentication search request from even attempting the adapter, thus insulating you and other development users from such a problem.

However, what if you cannot authenticate to the OVD Manager console to correct a broken mapper or add a routing filter to an adapter? I had one case where I could not authenticate even as cn=admin do the OVD Manager becuase of a broken adapter. The solution to this is simple; just remove the compiled mapper jar file from the OVD Server directory. You can do so by following these steps:

stop ovd
remove bad mapper ($VDE_DIR/mappings/jars/offendingMappingFile.jar)
start ovd
log into the OVD Manager and fix the source of the problem

Error: Look up of symbol - ObInitEventAPI failed

2008-07-03T15:13:00.004-06:00

If you ever receive an error like this when trying to configure an identity system .NET based PPP event, check the action; chances are it is set to lib instead of managedlib.

"Event API call for the event returned STATUS_PPP_ABORT"    Error^base\obport.cpp:845: Error: Look up of symbol - ObInitEventAPI failed - The specified procedure could not be found.%0d%0a.

WebGate - Oracle Client Conflict

2008-05-22T12:36:00.006-06:00

When installing the 10.1.4 WebGate to protect an application with web services that relied on the Oracle Client for database connectivity, the application failed to run after the install. The following message is what was received back from the application:

The provider is not compatible with the version of Oracle client

The WebGate installation went seamlessly. It seemed apparent from the message that there must be an Oracle Client dll conflict. After looking at the IIS process through Process Explorer it became apparent that the application was relying on the Oracle 10g R2 client, but that WebGate was loading the Oracle 10g R1 client prior to the Web Service. Then when the web service was invoked, it would get the wrong client and thus fail.

My first instinct was to change the Oracle Client the web appl was using to 10.1 from 10.2. This worked for a while but it turned out there was a bug in the the 10.1 client that caused one of the components of the web app to fail. I had to re-install the 10.2 client.

My next instinct was to just proxy the web application with a proxy server and take the WebGate out of the mix on the web server where the app was hosted. Then I read a MetaLink KB article that suggested using a WebGate 7.0.4 build that DOES NOT include the oracle client in it. This seemed like a good opportunity so I parked the proxy idea.

I installed the WebGate but could not configure it with the 10.1.4 Access Server. In the Access Server oblog.log there was the following message.

Client and Server's NAP versions do not match

It turns out that the the 10.1.4 Access Server IS backwards compatible but not by default. In the ..\access\oblix\apps\common\bin\globalparams.xml file

there is a parameter - IsBackwardCompatible - that needs to be set to true. Once that is set, voila, the WebGate configuration completes.

Sending "Authorization" header with initial HTTP request

2008-01-29T15:09:00.004-07:00

If OAM protects a web resource with a basic authentication scheme, any browser request for that request returns a 401 with a "WWW-Authenticate: basic" header. This prompts the browsers to pop-up the username/password dialog box. When the user types in the username and password, these credentials are sent, base64 encoded, in the next request as part of the "Authorization: basic" header.

If one does not want the browser to pop-up the dialog, or one is using a script/client application to access that resource, the "Authorization" header should be sent with the initial HTTP request. But the correct Authorization header by itself will not submit user credentials to Webgate. It seems the script/client application will also have to send a cookie in the request to make Webgate process the Authorization header. The cookie name and value are always the same:

Cookie: OBBasicAuth=fromDialog

To summarize, with all the other required HTTP headers and data, the application should send the following (for username/password as guest/password1234):


Cookie: OBBasicAuth=fromDialog
Authorization: Basic Z3Vlc3Q6cGFzc3dvcmQxMjM0

Edit: Please note that the Authorization header has the base64 encoded version of string username:password (in this case guest:password1234 which is 'Z3Vlc3Q6cGFzc3dvcmQxMjM0') and not username/password as the article mentions above. Thanks for pointing that out Filipe.

Global Database Name in Linux OAM and DB (OCI) environment for DB auditing

2008-01-29T14:49:00.000-07:00

When adding Database Instances with OCI DB connection type, which is the only option for *nix based OAM installs, we have to specify the Global Database Name (GDN) for the database. Ever wondered what should the correct format for GDN be?

During a deployment, I faced this question, and after some trial and error and reading Oracle Instant Client documentation, I figured it out:

<DB Host>:<DB Port>/<ORACLE_SID>

SelfSSL Connection Errors

2008-01-17T15:12:00.000-07:00

The IIS Resource Kit's SelfSSL tool is a quick and sneaky way to get both IIS and ADAM running SSL for quick OAM sandbox environments. I've encountered ADAM connection errors if a self signing SSL had previously been generated on the same VM/server. Here's how you get a newly self signed SSL to work on the same machine:

Move all the old certs into an archive directory located here: C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys
When you run the selfssl.exe command to install the self-signed SSL certificate into IIS, you must include the fully qualified machine name in the /N:cn parameter. For example: selfssl.exe /T /V:3650 /N:cn=oam.company.com

Verify that the new cert has been generated and that your ADAM run as user has read permissions on the cert and that should solve the problem.

Test your connection using LDP.exe, also using the fully qualified host name.

This is an excellent link with step-by-step instructions, (including the download location for the IIS 6.0 Resource kit from MS): http://geekswithblogs.net/jimiz/archive/2007/02/11/106006.aspx

WebGate Installation Error - Access Server you specified is currently down

2008-01-17T14:50:00.000-07:00

When you know that it is in fact not down, and you've checked that all your WebGate parameters are correct a million times...

The clocks of computers hosting various Oracle Access Manager components must be synchronized to within 75 or fewer seconds of each other. If the clocks are out-of-sync by more than 75 seconds, installation will fail. For installaion tasks or whenever you're attempting to connect, you will receive errors indicating that your Access Server is down if the clocks are not in sync.

Pay particular attention to this in VM environments, where system clocks may not be synchronized as they're created.

For this and other OAM installation woes, this and other useful nuggets can be found here:
http://download-uk.oracle.com/docs/cd/B28196_01/idmanage.1014/b25353/trouble.htm

Request for Feedback - Oracle Access Manager Configuration Manager

2008-01-04T09:27:00.000-07:00

Has anyone out there deployed the Oracle Access Manager Configuration Manager?

This is Oracle's productized solution to the OAM horizontal migration challenge... The product has been out for year now but I can't find anyone who says they've used it.

Have you deployed it? Do you have any plans to deploy it?

Please leave a comment with any input.

Cheers.

Installing Oracle Directory Manager

2008-01-02T15:22:00.000-07:00

Though there's not much you can't do via ldapmodify and the command line with OID, it can sure save a lot of time and energy to have access to the graphical user interface of the Oracle Directory Manager tool. Of course, you can pursue XWindows solutions to access the console on the Linux host, but it is quite convenient to have a local copy of the tool on your windows workstation.

Turns out it is a bit of a maze to figure out what package you really need to get to have the tool at your disposal.

Here is where I found what I was looking for:

http://www.oracle.com/technology/software/products/database/oracle10g/htdocs/10201winsoft.html

Oracle Database 10g Client Release 2 (10.2.0.1.0)
http://download.oracle.com/otn/nt/oracle10g/10201/10201_client_win32.zip
(requires OTN credentials)

Do a 'Custom' install and choose on the Directory Administration tools...

Invalid Parameter: ObWorkflowName

2007-03-09T10:21:00.000-07:00

This is a simple one, but a nuisance none-the-less. Usually when you see this message it is because you have prepared the WorkflowName for a portal insert or IdXml incorrectly. You get the message once and figure out the correct value and life is good. However, what if you have been using a workflow for some time and then all of a sudden you get this message after moving environments. Chances are all that is different is the namespace of the directory entry where the workflow is defined. For instance the namespace could contain DC=DEV versus DC=PRD. Change the namespace and voila - the world is right again.

IIS6 and Tomcat

2007-01-29T09:40:00.000-07:00

This is a little bit off topic as OAM goes but everytime I want a quick OAM / Servlet container working environment, it takes me too long to discover this info. So, here it is in a nutshell:

The quickest, cheapest, most readily available solution to getting OAM up and running with a servlet container as the server side technology is to use IIS6 on Win2K3 and Tomcat 5.5. The crux is that you want to be able to stick a webgate in front of the container resources (by default, on port 8080). Now, there is a ton of info on the web about how to do this. But the one resource that you need is here:

http://wiki.apache.org/tomcat/Tomcat_and_IIS_Howto

There is an MSI package that will do most of the picky IIS and registry config for you (link near the top of the page)

http://www.apache.org/dist/tomcat/tomcat-connectors/jk/binaries/win32/jk-1.2.15/isapi_redirect.msi

The setup program is a great help but there is one final detail (mentioned thanks to someone who added a note to the page) that reads:

The setup file included here and the script to add the ISAPI filter work just fine in IIS6, but there is one additional step needed. You must also allow access to the filter through the Web Service Extensions part of IIS. To do this graphically, do the following:

1) open the IIS Manager and go to the Web Service Extensions item under the appropriate server 2) Click the "Add a new Web service extension" item under "Tasks" 3) Give it a name like "jakarta" 4) Browse to the isapi_redirect.dll file you installed above as a "Required File" 5) Check the box to enable this extension.

This detail is there in the docs as point #8 on the IIS How-To but it is easy to miss.

The only other note I have is that all the documentation talks about the workers.properties file. Be aware that the setup program referenced here creates a file called workers.properties-minimal. This is ok as it also writes the same filename value into the registry. Just good to be aware that both the registry key and the filename need to jive before you go renaming it.

Dot Net Parsing Oracle Access Manager XML

2006-11-26T21:50:00.000-07:00

This is slightly off topic, and extends well beyond just Oracle Access Manager but was a little less than obvious to me the first time I had to do this in .NET (well, also the second time). If the XML you are trying to process with SelectNodes or SelectSingleNode contains a namespace then you need to associate that namespace with a namespace manager and include it in the SelectNodes or SelectSingleNode statement (see example below).

XmlDocument xml = new XmlDocument();
xml.LoadXml(someXmlString);
XmlNamespaceManager ns = new XmlNamespaceManager(xml.NameTable);
ns.AddNamespace("default", "http://www.oblix.com/");
attrNodes=xml.SelectNodes("/default:ObEventParams/default:ObParamList[@name='WfAttribute']/default:ObParam", ns);

IDXML - There is no profile configured for this kind of user

2006-11-24T22:40:00.000-07:00

IDXML can be cool. It can also cause one to question one's future in front of a keyboard.

Take, for example, the error message: "There is no profile configured for this kind of user". This is usually a very helpful message that tips you off that you have a typo in the DN value of the UID parameter.

But if you are getting this message and you are sure that your request looks perfect there can be another simple explanation for the error: your HTTP client might be sending the request to the wrong application.

That's right - if you send a perfect Modify User request to /identity/oblix/apps/objservcenter/bin/objservcenter.cgi instead of /identity/oblix/apps/userservcenter/bin/userservcenter.cgi, you will find that 'There is no profile configured for this kind of user'...

Don't let this happen to you. Life is short.

Creating Custom Style Shared Folder

2006-11-03T12:03:00.000-07:00

When creating a custom style for Oracle Access Manager (formerly COREid) the product creates a localized directory for you in the default language, but all of the files in the localized copy point back to the main style sheets in the shared directory. In order to keep the vanilla sheets for style0 (Classic Style) intact it is advisable to create a duplicate shared directory (i.e. newstyle_shared).

In order to let this all hang together, however, one must update all of the references in the new styles localized directory (created by the product as part of the new style function) so that they point to the new shared directory (created by you).

As there are many files to update it is adviseable to use a batch search and replace tool for this task.

On a unix system with perl installed this is a very easy proposition. The following command will suffice...

However, on windows it is a little trickier at the windows shell does not like the *.xsl reference. Therefore, a small change is required to make it work in the windows shell...

WebGate Cannot Initialize

2006-10-19T17:45:00.000-06:00

A web server with a WebGate installed on it suddenly does not serve pages and generates 500 errors. There have been no changes to the server or the web server configuration. Upon further investigation the Oracle Access Manager (formerly COREid) oblog.log of the WebGate generates a line in the WebGate initialization indicating that it is failing.

This indicates that WebGate cannot create a TLS connection to the Access Server so it cannot initialize so it leaves the web server in an unusable state. The likely cause of this is that the certificates on the WebGate have expired.

The certificate expiration dates can be checked by reading this.

The certificates can be regenerated by reading this.

Policy Domain/Policy Not Enforced

2006-10-19T15:07:00.000-06:00

Successful migrations of Oracle Access Manager (formerly COREid) configuration data rely heavily on consistent directory naming of entries between envionments. It is not enough for configuration data objects to share the same user friendly names, they must have the same RDN (Relative Distinguished Name) values in the directory server. This forms the basis of clean migrations. As well, objects must share the same properties. If this setup is performed in advance of using the COREid Migration Service or alternatively, corrected in a pre-existing environment using the COREid Migration Service migrations will run smoothly. The situation described below illustrates how having inconsistent environments can cause problems.

After copying a policy domain or policy to a new environment the resources protected by the policy domain and/or policy are not actually protected there. Checking the resources in the Oracle Access Manager Access Tester reveals that the resources are indeed not protected.

This error highlights a mismatch in host identifier data between the source and target environments. It may look the same (i.e. have the same user friendly description in the UI), however, the distinguished name (DN) that names the object in the directory is probably different.

The short term solution is to add the host identifier for that environment in all of the locations in the policy domain(s) and/or policy(ies) where resources are specified. This will get the policy domain(s) and or policy(ies) working again in the target environment. However, there is still a longer term problem that will affect future migrations of policy domain data.

This long term solution is to use the COREid Migration Service to migrate host identifiers and policy domains from a stable environment (production) to all of the other evironments (i.e. quality, test and dev) and systematically update the host identifier entries with host names specific to the environment. This will make the other environments consistent a prevent this problem from occurring in the future.

Anonymous Authentication Resources SLOW

2006-10-19T10:32:00.000-06:00

Problem Oracle Access Manager (formerly COREid) is extremely slow or does not serve content from servers protected by the Anonymous Authentication Scheme (formerly Netpoint None). This can include FAQ pages, login pages, images, style sheets, etc.

Background The Anonymous Authentication scheme is used in cases where the WebGate has its DenyOnNotProtected property set to TRUE. The anonymous authentication scheme maps the OblixAnonymous user int eh credential_mapping plugin. By default this is mapped to the uid attribute. The uid attribute is indexed by default in some directory servers but not in AD/AM. In AD/AM the attribute is added as part of the iNetOrgPerson schema extension and is not indexed.

Solution If you are having a problem similar to this one, check to see if the Anonymous Authentication scheme is using the uid attribute in teh credential_mapping plugin. If it is then check to see if the attribtue is indexed in the directory server (if using AD/AM it will not be indexed by default). If it is not indexed then there are a couple of options:

index the attribute in the directory (may be harder on some directory platforms than others; very easy on AD/AM)

change the attribute in the Anonymous Authentication Scheme's credential mapping step to an attribute that IS already indexed

Potential Cause How did this problem occur? It seemed to just appear over night. The likely cause of this problem is an increase in the amount of data in the user directory server. More data will cause a search on an unindexed attribute to yield incorrect incomplete results more frequently than if there is less data in the directory. This is because the look thur limit the directory imposes on the searhcing user may be exhausted before the entry (or entries) is located.

Can't See Workflow

2006-10-06T15:29:00.000-06:00

Successful migrations of Oracle Access Manager (formerly COREid) configuration data rely heavily on consistent directory naming of entries between envionments. It is not enough for configuration data objects to share the same user friendly names, they must have the same RDN (Relative Distinguished Name) values in the directory server. This forms the basis of clean migrations. As well, objects must share the same properties. If this setup is performed in advance of using the COREid Migration Service or alternatively, corrected in a pre-existing environment using the COREid Migration Service migrations will run smoothly. The situation described below illustrates how having inconsistent environments can cause problems.

Have you ever copied a workflow definition from one environment to another and had the workflow not appear in the Oracle Access Manager (formerly COREid) Workflow applet? You double check the target directory server and indeed all of the entries are there so you wonder what could possibly be happening.

If this sounds familiar, then this is likely highlighting a difference between your two environments that you might not know existed. The problem is probably related to when your environments were first built manually independent of one another.
The cause is that there are different objectclasses associated with the tab_id that the workflow is meant to manage.

For instance say in the development environment the Employees tab (default user tab in Oracle Access Manager) has associated with it structural objectclasses of user and oblixOrgPerson. But in the quality assurance environment where you migrated the work flow to it has objectclasses of user, obligOrgPerson and auxCompanyPerson.

This provides an obvious barrier to performing clean migrations between environments. The way to correct this problem is to make the objectclasses look the same. The best way to do this is to get one environment in a pure state (i.e. contains all of your active development) and then migrate it to the other environments. This way all of the environments will be the same and ready to migrate information from one environment to another.

COREid Migration Service

2006-09-11T14:17:00.001-06:00

Although we are continuing our invitation only pre-beta phase, all are welcome to peruse the information now publicly available.

https://extranet.nulli.com/migration/

COREid Migration Service Preview

2006-08-17T21:31:00.000-06:00

For the folks that have been wanting a closer look at the migration service here is a quick run down with screen shots.

This should give you a pretty good idea what this is looks like.

The Nulli Professional Services team is using this in the the field today and our pre-beta invitees are taking their first steps on their own.

Thanks for your interest so far.

COREid Migration Service Enters Pre-Beta Phase

2006-07-22T14:44:00.000-06:00

Nulli Secundus is pleased to announce that our COREid Migration Service has entered a pre-beta (invitation only) phase. We are currently inviting a small group of Nulli customers to begin to use the tool.

The COREid Migration Service is a Nulli hosted web application to which users may upload COREid configuration data in LDIF format. The service processes the data from the source and target environments and returns a single LDIF file suitable for import into the target system. The goal of the Migration Service is to support COREid administrators in duplicating COREid Identity and Access application behavior across separate COREid installations.

The COREid Migration Service will be available at no cost to registered users.

If you would like to be notified upon general release of the service or if you would like to be considered for the pre-beta invitee pool, please send an email stating your interest to mark at nulli dot com.

Create Clean Schema File from AD/AM

2006-07-20T14:17:00.000-06:00

Have you ever wanted to get a nice clean schema file containing all of your custom attirbutes and object class entries but exluding the special microsofty attributes from and AD/AM (or AD) instance so that you can archive it off into a source control system or just simply migrate it to another environment? You dread the task becuase you never took the time to automate it so you always edit the file by hand. Well here is a simple regex that you can use to clean up the file after you extract it. The regex as written works in editplus (by far the best editor I have ever used, come on buy it, you know you want to), but can can be easily tweaked to work in other editors, scripts, etc.

Anyway, there are three steps...

Extract your data... here is the ldifde way

ldifde -f {filename} -s {server} -t {port}
-d "CN=schema,CN=configuration,CN={adam_guid}"
-r {custom object searhc filter}

Prune the unwanted attributes
In the following section it should all be read as a single regex (ignore line breaks). It should be used in a substitution statement where nothing is substituted for the match.
```
^(distinguishedname|instancetype|whencreated|whenchanged|
usncreated|usnchanged|name|objectguid|schemaidguid|objectcategory|msds-intid)
::? [^\n]*\n( [^\n]+\n)*
```

Replace the AD/AM GUID to make it really easy to import into a target environment change the GUID in the file to something easy to type that is not repeated elsewhere in the file.

WebGate and the IE / CSS Flicker Bug

2006-05-10T16:56:00.000-06:00

Gettng quite specific here - but if you have this problem, you'll appreciate the info...

There is an annoying behavior that can occur in Internet Explorer. It is referred to as the 'IE CSS Flicker Bug'. This bug manifests as repeated requests being issued for the exact same resource (like a gif image). The result is a very slow or, sometimes, unusably slow user interface as the browser bogs down under (sometimes hundreds) of identical requests. For whatever reason, the IE fails to inspect its own cache for image resources that are defined in a CSS declaration and always issues a new request for each instance of the same resource.

Of course, there is a resolution to the issue. This involves tuning some specific settings on the webserver that serves image files.

IIS Webserver Configuration to Correct IE Flicker

The trick is to specifically set some content expiration and cache control headers that trigger IE to look into its own cache before issuing a new request.

On the directory that contains the resources in question configure: (the following is IIS specific but you can extend the same concept to Apache, etc.)

Enable Content Expiration
Expire after 30 days
Cache-Control: max-age=2592000;

! note: there is a typo in the screen shot where the dash character is missing from CacheControl. Should read Cache-Control.

Where the WebGate Fits In

That's all the info you can find about this issue on the web. But if the UI in question is protected by a WebGate, you might apply the above mentioned measures only to find no improvement in the browser behavior. By default, the COREid WebGate is configured to apply two HTTP headers to each response it handles. Out of the box, the value for both CachePragmaHeader and CacheControlHeader is no-cache. Because the WebGate is always the last component to apply headers, it effectively overrides the headers supplied by the web server.

In the WebGateStatic.lst file, change both the CachePragmaHeader and CacheControlHeader to 'public'. (Yes, this may have other consequences so test carefully.)

That should be all that is needed to end any issues with the IE CSS Flicker bug if it, one day, plagues you.

COREid services start before LDAP

2006-05-08T20:35:00.000-06:00

In COREid deployments where the Access and/or Identity services are installed on the same box as the LDAP server, the COREid service(s) sometimes start faster than LDAP. This behavior will cause errors in the oblogs (ie Directory is unreachable, down, or incorrect connection parameters were specified) after a reboot, and will cause the service(s) to stop (when the LDAP in question contains the COREid configuration container).

To avoid this problem on Windows platform installations, dependencies between the services can be created:

Locate Registry Entry for LDAP Service and note name: (ie HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ADAM_*)
Locate Registry Entry for COREid Service(s): (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ObAAAServer-*, HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ObOISServer-*)
In each, add a Multi-String Value called DependOnService with a value that is the name of the LDAP service (ie ADAM_*)
Reboot

After rebooting, the COREid service(s) will wait until the LDAP service has sucessfully started before starting.

Additional Notes:

This type of configuration is only useful when the COREid service(s) are configured to ONLY connect to one LDAP instance (no failover or redundancy) that is located on the same server (ie development/test environments)
Multiple LDAP service names can be added to these registry keys (if using seperate LDAP directories for user, policy, or config containers)
This dependency relationship will also cause COREid service(s) to restart/stop when restarting/stoping LDAP service

Simplifying COREid Identity System Menus

2006-04-25T00:10:00.000-06:00

A common request for COREid customization is removing unused menu options in the User Manager, Group Manager, and Org. Manager applications (like Create User Identity, Deactivated User Identities, Configuration, etc). Some of these customization tasks can be achieved by defining custom user types in obnavigation.xml, avoiding the need for XSL customization.

Unwanted menu options can be removed from a user type or multiple user types can be defined. Choosing one of these defined user types can be done in the following manners (in order of increasing weight):

Set the default userType in obnavigation.xml

Define an action to pass an attribute or value from the Access System containing the name of the user type as a header variable (named HTTP_OBLIX_USER_TYPE by default)

Add a userType=[name] query string parameter to any URL within the User Manager, Group Manager, or Org. Manager

Note: userTypes are different from Styles in COREid, and customizations to each will function independently from the other.

Simple Mode Cert Regeneration (Access)

2006-04-16T07:58:00.000-06:00

<coreid_install_dir>\oblix\tools\configureAAAServer
<coreid_install_dir>\oblix\tools\configureWebGate
<coreid_install_dir>\oblix\tools\configureAccessGate

Access Server
configureAAAServer reconfig "c:\Program Files\coreid\access"

WebGate
configureWebGate -i "c:\Program Files\coreid\WebComponent\access" -t WebGate -R

AccessGate
configureAccessGate -i "c:\Program Files\coreid\WebComponent\access" -t AccessGate -R

Restart the COREid component to get it to bind to TCP/IP port with the new certificate.

See Also: Simple Mode Cert Regeneration (Identity)

Simple Mode Cert Regeneration (Identity)

2006-04-16T07:39:00.001-06:00

When simple mode certificates are going to expire, they need to be regenerated so the component(s) that have the old certificates may still communicate with other COREid components. The method for regenerating certificates varies between the COREid Access and Identity Systems. The Identity Server and WebPass (and Access Manager too) have a utility called gencert. The gencert utility is located in:

<coreid_install_dir>\oblix\tools\gencert

to use the tool to regenerate certificates, execute gencert as follows:

gencert.exe "c:\Program Files\COREid\identity"
OR
gencert.exe "c:\Program Files\COREid\WebComponent\identity"

Restart the COREid component to get it to bind to TCP/IP port with the new certificate.

See also: Certificate Expiration Dates #2

AD/AM Unsecured Passwords

2006-04-06T23:05:00.000-06:00

Have you ever needed to bulk load AD/AM with a bunch of LDIF users for testing or conversion purposes, but been frustrated by its inability to allow password changes over an unsecured port? Well this is can be easily remedied using the dsmgmt tool that is installed with AD/AM. The tool is located in c:\WINDOWS\ADAM. Here is an example of making the change to an AD/AM instance:

C:\WINDOWS\ADAM>dsmgmt
dsmgmt: ds behavior

ds behavior: Connections

server connections: connect to server localhost:389
Binding to localhost:389 ...
Connected to localhost:389 using credentials of locally logged on user.

server connections: quit

ds behavior: Allow passwd op on unsecured connection
Successfully modified DS Behavior to reset password over unsecured network.

Now entries can be added to the directory with clear text passwords. The setting can be just as easily reversed after the changes are made.

NOTE: making this change will not permit the COREid identity system to change passwords in AD/AM over an unsecured port. I am not sure why, but something in the application prevents it even though the AD/AM instance is configured to allow it.

Access Manager Looping

2006-04-05T23:13:00.000-06:00

Ever enabled the NetPoint Identity Domain policy domain but not NetPoint Access Manager? It’s a good way to lock yourself out of the Access Manager with a looping redirection behavior. To fix this problem, identify the LDAP objects in your COREid policy container that represent these policy domains, enable or disable one (obEnabled attribute), and restart the AAA service and web server.

They will be located in OBAPP=PSC,OU=oblix,[Policy Container]
They will be an objectClass of oblixSiteDomain
OBNAME will likely start with OBAutoSSO (if they were created by the access system install)
Check the obdisplayname

Certificate Expiration Dates #2

2006-04-05T22:14:00.000-06:00

A quick fix for an expired simple mode cert is to simply copy the 3 .pem files from the ../config/simple directory of a component that is still working, and restart the service. These certificate files are completely interchangeable within an environment (I think that the only requirement is that they need to be generated using the same passphrase). When copying between Access and Identity components, be sure to change the file name prefix (ois/aaa).

To quickly identify the expiry date of a simple mode certificate on a Windows system, make a copy of the cert file (ois_cert.pem or aaa_cert.pem), rename the extension to .cer, and double-click it.

Also see: NulliBlogs - COREid Nitty-Gritty: Certificate Expiration Dates

COREid Dual Transport Mode Operation

2006-04-04T21:05:00.000-06:00

There is a little known, unsupported feature of COREid that allows server components to listen in two transport modes at once: either open/simple or open/cert. I had the good fortune of discovering this feature about 5 years ago. I had to convert a live production system that was installed in open mode to cert mode. We were looking at taking downtime to do the change, but by pure chance I stumbled accross another solution. I had reconfigured an identity server component, to listen in cert mode and it was late a night and I forgot to switch the transport mode in the COREid UI to cert from open. I started the identity server without making the switch and tested the port to see if it was listening in cert mode. When you telnet to the identity server port it responds with the mode in which it is listening.

I was expecting to see the word

CERT

but what I saw instead was

OPEN
CERT

This was a welcome surprise for us. It meant that we could convert the identity and access servers one at a time to listen in both modes without taking the entire service down. Then after giving all of the application owners sufficient time to reconfigure their Webpasses, WebGates and AccessGates we could turn open mode off (by switching the transport in the UI to cert). This worked very effectively.

Simple Mode Certificate Duration

2006-04-04T20:53:00.000-06:00

By default Oracle COREid simple mode certificates are issued for 1 year (365 days) by default. If you would prefer a different expiration time you can change the setting that controls the certificate's duration. There are two files that control the duration, each is used depending on the certificate (re)generation situation. I think it is best to just change both files to cover your bases.

<coreid_install_dir>/oblix/tools/openssl/openssl.cnf
<coreid_install_dir>/oblix/tools/openssl/openssl_silent.cnf

The paramater to change is "default days"...

default_days = 365 # Duration to certify for

Change this to the desired number and regenerate your simple mode certificate.

Ultimate COREid XSL Customization Development Environment

2006-04-01T09:44:00.000-07:00

Some people look at the vanilla COREid interface and make a quick decision that they don't like it, or that it's not what they hoped it to be. These people fail to recognize is that the original designers were only trying to deliver a functional starting point for all. The designers knew that they could not build to satisfy everyone's specific business cases.

But behind this vanilla first impression is flexibility and power that goes unrecognized by many customers. To access it, you need a web developer who is willing to tackle the reasonably short learning curve of XSL 1.0. It is a slightly different programming paradigm - but once you're there, it's quite simple.

These days, everyone is talking about Web 2.0 and AJAX. Well, there's nothing stopping you. If you want a GMail like experience backed by COREid Identity services, it is there for the taking.

If you are this web developer working to make your Identity interface do backflips, here is a recommended development set up that will help speed you on your way to success.

The key to XSL development is the ability to iterate rapidy. This is the main reason that you should not do your customization work against a live COREid server. Even if you dial the stylesheet cache down to 1 you still lose time bumping the cached sheet with every change.

What you want to do is craft a representative development environment on your local machine. Here is what you need: Inside a root folder of your choice create three sub folders; client, server, source. From your WebPass installation copy the /identity/oblix/lang folder into the local 'client' folder. From the COREid Identity server installation copy the /identity/oblix/lang folder to the local 'server' folder. Also, under the local 'client' folder, create three more folders nested (step1/step2/step3). Now, capture some Presentation XML from the user stories that you are customizing and drop these files into the local 'source' folder. Take your XML editor of choice (we recommend Oxygen XML) and configure your transformation scenarios to output html into the local 'step3' folder. Finally, run a local webserver and configure it to allow directory browsing at the root of the 'client' folder. Now, after doing a transformation, you can browse to http://localhost/client (or whatever you called it...) and then navigate down to /step1/step2/step3/my.html and view your results.

With this structure intact, you should find that, not only is your iteration speed increased, but that you also have intact references to all images and client side JavaScript which enables development on this front as well.

Happy customizing!

Certificate Expiration Dates

2006-03-29T16:27:00.000-07:00

have you ever had a certificate expire and COREid components stop functioning on you. Once you figured out that it was a certificate you were like, "oh-oh, there might be a few more expiring in the next few minutes, hours, days, etc." This is one of those things that us mere mortals re-learn how to do once a year and then promptly re-forget immediately afterwards.

The openssl tool installed alongside each COREid component can be used to determine the valid dates for a certificate. The following example examines a self signed COREid certificate ("simple mode") . The same example holds true for all COREid components: Identity Server, Access Server, WebPass, WebGate and Access Manager (frequently installed alongside WebGate).

C:\>cd \Program Files\COREid\WebComponent\access\oblix\tools\openssl
C:\>openssl x509 -in ..\..\config\simple\aaa_cert.pem -noout -dates
notBefore=Mar 28 22:23:15 2005 GMT
notAfter=Mar 28 22:23:15 2006 GMT

Access Server SDK on IIS5 / IIS6 (Part 2)

2006-03-28T18:20:00.000-07:00

so we got the COREid AccessServerSDK working from ASP pages (part 1 here), but then we roled out to ASPX pages and low and behold we had the same problem. checked the permissions for IWAM_ and they were ok. then it dawned on Mark to check the permissions for the ASPNET user. We set those the same as for the IWAM_ user and sure enough success!

Access Server SDK on IIS5 / IIS6

2006-03-28T10:45:00.000-07:00

One of the simplest things you should ever need to do with COREid in to install the Access Server SDK and access its functionality via ASP or ASP.NET on IIS6.

The key word here is should.

Sometimes you do everything right:

Install the binary (theoretically no location requirement)
Create the AccessGate profile
Associate the profile with an Access Server
Run configureaccessgate.exe
Set OBACCESS_INSTALL_DIR
Add %OBACCESS_INSTALL_DIR%\oblix\lib to the PATH
Register the DLLs

And then something like:

validateSDKinstall.asp

< % @LANGUAGE="VBSCRIPT" % >
< % OPTION EXPLICIT % >
< %
dim accessgate
Set accessgate = CreateObject("Netpoint.ObAccessAPI")
accessgate.Initialize
Response.Write "If you see this, all is well"
% >

should run without error. Should.

Sometimes it doesn't.

We've seen a couple of instances lately (7.0.2 / IIS6) where things just don't pan out. The error code that shows up in the IIS logs is 80010105 and in the browser is Error '80010105'. Some googling reveals this is generally, maybe, a network security/permission problem. However, that is not the case with the AccessServerSDK. Upon turning up the log levels on the AccessGate we discovered file system permission errors. Not by what showed up in the oblog.log, but by what did not. Specifically, the log write could not initialize (FileLogWriter::initializeWriter() is the source of the error in the event viewer). This was the first clue that the problem was related to file permissions. The local IWAM account did not have the necessary permissions to write to oblog.log. Once this was corrected, oblog.log started logging and revealed that there still was not sufficient permission to create the necessary lock files.

So, if you run into something like this - check your FS security on AccessServerSDK/oblix.

Horizontal Migration of COREid Configuration Data

2006-03-25T21:43:00.000-07:00

The professional services consultants at Nulli Secundus live and breathe COREid on a day to day basis. And we do so in a wide variety of customer environments. It goes without saying that we are always learning and improving the patterns we employ to achieve success with Oracle COREid Identity and Access.

One common customer question that comes up with every engagement is, "How do we move this stuff?". Meaning- "We're following best practices by staging our environments but we don't see a good way to move development to quality assurance, and quality assurance to load testing and on to production...".

Pam Dingle started working on this problem at Nulli Secundus some time ago. Janelle Jowsey took me under her wing as she turned Pam's invention into a software product that worked magic on COREid configuration across staged tiers. The result of all this thought and effort is the fact that there is literally nothing we do not know about the inner workings of the COREid configuration data.

At this point in our history with COREid we know exactly how it should be deployed and staged, and we have the knowledge and tools to efficiently migrate COREid configuration data across enviroments. We can demonstrate perfection in the movement of any Identity or Access application configuration data and we can do so measured in a scale of minutes.

We're in the process of formalizing the ways that we can share our knowledge and tools most effectively with the COREid customer population. Watch for more information on our web site coming in the second quarter of 2006.

If you're really keen to put an effective system around this challenge in your environment and you want a hand in shaping some of the stuff we're working on, please get in touch with us. We'd be pleased to talk with you and would welcome your input.

New Response Phrase - No Old Response

2006-03-23T12:29:00.000-07:00

Have you ever wanted to let users update their challenge response phrase in COREid without requiring them to enter their old response? There are two requirements to make it happen: (1) workflow for updating challenge response for the user class in question and (2) no read/modify AAC on the challenge response attribute for that user class.

Substitution Syntax in Search Base and Attribute Access Control

2006-03-23T11:17:00.000-07:00

Have you ever got confused when using substitution syntax in COREid search base and attribute access control settings? They natural thing to get backwards since they are backwards (from each other that is). Question is, which one is which? Does the logged in user go in the left hand side ot the right hand side? Does the substitution go in the left or right? Well, that one at least is easy; the substitution attribute $attributename$ always goes on the left, errr, I mean right. I just can never remember which one it belongs to: logged in user or objects being searched/viewed/edited/notified?

Well, this is how it works:

Search Base gets set up so that the logged in user's information goes on the right side of the equation, the substitution side. For instance, the substitution might look like this...

org=$myorg$

This basiccally says that the search is restricted to all of the objects that have an org that is the same as $myorg$, where $myorg$ is an attribute in my profile and org is an attribute on another object.

Well, is that is how search base works then AAC must be the opposite.

Attribute Access Control gets set up so that the logged in user's information goes on the left side of the equation, the non-substituion side. For instance, the substitution might look like this for a rule that allows a manager permission to a particular attribute and right...

distinguishedname=$manager$

This essentially says give me (distinguishedname - MS centric example) permission to do this (right) for this attribute where I am the manager. Although I do not know why you would do this explicit thing since COREid already supplies a role for DN based attributes (like manager) that accomplishes the same thing.

ADAM Changing Page (Search) Limit

2006-03-22T22:53:00.000-07:00

Ever wanted to reduce or increase the AD/AM search limit (page size)? For instance you are doing a COREid upgrade and part way through the directory update portion it fails with a directory error. It was not able to extract all of the COREid meta data because the search limit was exceeded. The solution is to ramp up the page size in AD/AM even if it is just for the upgrade.

C:\WINDOWS\ADAM>dsmgmt
dsmgmt: LDAP Policies

ldap policy: connections

server connections: server connections: set creds [domain] [user] *

Please enter password for [domain]\[user]: ********
server connections: connect to server localhost:389
Binding to localhost:389 as [domain]\[user]...
Connected to localhost:389 as [domain]\[user].
server connections: quit
ldap policy: show values

Policy Current(New)

MaxPoolThreads 4
MaxDatagramRecv 4096
MaxReceiveBuffer 10485760
InitRecvTimeout 120
MaxConnections 5000
MaxConnIdleTime 900
MaxPageSize 1000
MaxQueryDuration 120
MaxTempTableSize 10000
MaxResultSetSize 262144
MaxNotificationPerConn 5
MaxValRange 0

ldap policy: set maxpagesize to 3000
ldap policy: commit changes
ldap policy:

HeaderVar Not Showing Up Or Wrong Value

2006-03-22T22:34:00.000-07:00

Have you ever had some header variables show up and not others? You think to yourself, " I must have a different authorization rules or expression that is being invoked and returning different headers." But when you go check in the Access Tester it is the rule that you are thinking of that is being tripped and there are no different actions on the authorization expression.

This is a peculiar problem that sometimes occurs and as near as I can tell this is what causes the problem. Why this seems to be the case, I have no idea. The problem occurs when one header variable name is competely encompassed in anothers name. For example the variable MYNAME is fully encompassed by MYNAMEPREFIX. If MYNAME comes first (or is it the other way around?) in the header variable list then strange things will happen and the results viewable in the header will not be what you expect .

There seem to be two resultions to this: (1) ensure the longer one shows up in the list first OR (2) given them completely disimilar names. I personally think that option 2 is the way to go. Option 1 can be fraught with more heartache if the orders get reversed down the road in a different environment.

I have only witnissed this behaviour on COREid 7 WebGate for IIS 5/6 . It has been repordoced accross separate installations. I have not tried to reproduce it elsewhere yet.

Disappearing Workflows During Horizontal Migration

2006-03-22T18:15:00.000-07:00

If you work safely within the confines of the COREid Identity admin ui then you are protected by a friendly message that pops up when you add an objectclass to a tab. The message tells you that the operation will fail if you have any pending workflow tickets.

What happens behind the scenes as you add the new objectclass to the tab is that the system also adds the same objectclass to all the workflow definitions associated with that tab.

The take away here is that if you are manually migrating tab definitions from one environment into another you will break workflow definitions in the target environment if there is an objectclass difference contained in the new tab data. When this situation arises the rule is that the tab and all the workflow definitions for that tab must move as a unit.

[RFE]Regex Capturing In Policies - Nice to Have!

2006-03-22T13:37:00.000-07:00

OK, so COREid supports rudimentary pattern matching in policy patterns. For instance, one can create a URL pattern in a policy definition that matches multiple URLs with a single policy (pattern). The following URL pattern matches the three separate set of subdirectories.

/applications/{app1,app2,app3}/.../*

This allows a company to set up a single policy for multiple resources that are not identical but have the same access rules. This can help to stem mass profilferation of policies in the system. Many policies can make it more difficult to administer a system. As well, the more policies that exist in a system the longer it can take COREid to evaluate which policy or policy domain matches a particular request as policies are always evaluated first.

This is great functionality, but it could be a lot more powerful with additional regular expression capabilities. I am not advocating dumping the way current pattern matching works to replace it with a veriosn of the full blown regular expression language many have come to rely upon. I expect features such as look ahead could have potentially disasterous results on the Access Server's ability to evaluate policies in a timely fashion. I do, however, think that adding a capturing feature would lend a powerful and useful capability without significantly degrading performance (then again I could be wrong).

Consider an instance whereby an authenticated user accesses a resource protected by an authorization policy with a URL pattern like the one above. What if there was a authorization rule that caught users that had not updated their profile to accept the latest terms and conditions. The authorization rule would have a action to redirect the user to the new Update Terms and Conditions function, but once they were complete the site would not know what resource to which the user had wanted to go originally. If regex capturing were introduced, however, COREid could capture and store the URL pattern that was matched. This is only part of the solution though; COREid would also need to make the captured pattern available to the authorization rule for use as a parameter in the action. This way the Update Terms and Conditions functionality could be configured to return the user to their originally requested URL.

Search Results Counter

2006-03-22T13:18:00.000-07:00

Every COREid search creates a set of 0 to many entries. If you look in the XML, you can see that the system knows the size of the result set, but that it does not report it by default.
To display this data in style0, simply edit / identity /oblix /apps /common /bin /oblixappparams.xml and change the value of search_result_show_count to true.

Unable to initiate workflow Status Code 1

2006-03-20T19:44:00.000-07:00

Ever get this message?
Unable to initiate workflow obworkflowid=96ab611fb664414abd219e7c1c4e6b92,obcontainerid=workflowdefinitions,ou=oblix,ou=apps,dc=dev,dc=company,dc=com. Status code 1.

When you get the status code of '1', chances are you are doing some manual LDIF migration activities and you accidentally lost the obWorkflowInstances container.