Monday, July 29, 2013
Nulli Gives Back to the Community – Floods Can’t Dampen Our Spirit!
Flooded Neighbourhood - Sunnyside
Nulli Team in High River
Labels: #YYCRecovers, Nulli
Friday, June 14, 2013
Nulli - Keeping IAM Simple Stupid - ForgeRock Open Identity Summit
ForgeRock Open Identity Stack running on Raspberry Pi
Truly lightweight, elegant and effective. Want to learn more about our POC showcased in the IAM world? Give me a shout at dsmall@nulli.com.
Many thanks to Ludo Poitou for the encouragement and congratulations to Rob who made it all happen.
Labels: ForgeRock, OpenAM, OpenDJ, OpenIDM
Monday, August 15, 2011
PeopleTools 8.51 SSO using Oracle Access Manager 11g (11.1.1.3)
My hard-fought, but successful integration attempt rested on 3 key things:
- Turning on Allow Public Access in the PeopleSoft PIA Web Profile - still required.
  I realize this was done in previous Tools versions, but I don't find it as clearly documented by Oracle for Tools 8.51. The Web Profile screen shot is gone and they no longer refer to the checkbox "Allow Public Access"; they simply say you have to set up the "public access user ID". So you have to make a small inference as to what to configure.
- Using "cmd=start", and not cmd=login. E.g. http://myhost:8080/psp/mypsoftdb/?cmd=start.
  cmd=login just gave me the PeopleSoft login page after authenticating through OAM, rather than the user's home page in PeopleSoft. Again, this was documented more clearly in the past, but not for the latest Tools versions. An experienced colleague, as well as an OAM 10g/PeopleTools 8.50 example from Metalink, pointed me to using cmd=start.
- Lowercasing header variable names when using Signon PeopleCode to retrieve them from the session. E.g. &userID = %Request.GetHeader("ps_sso_uid");
  This was the most important nuance. Although PeopleSoft conveniently provides Signon PeopleCode for this integration out-of-the-box, it does not hint that the header variable name containing the OPRID might need to be lowercased.
  The header var "PS_SSO_UID" is delivered in Signon PeopleCode, as the variable that PeopleSoft expects OAM to provide. I could dump the headers from the request object to prove that Signon PeopleCode could indeed see that header variable, but somehow it still could not read the value it contained. A colleague mentioned that another one of our customers integrated a home-grown app with OAM and had the same problem...until they tried lowercasing the header! Replacing "PS_SSO_UID" with "ps_sso_uid" did the trick. OAM 11g-PeopleTools 8.51 SSO --- done!
My Environment:
- Apache 2.2 on Solaris, as reverse proxy for a PeopleTools 8.51 PIA instance
- Webgate 10.1.4.3 for Apache
- OAM 11.1.1.3
It could be that you don't need to lowercase your PS_SSO_UID header var name in your environment. Or maybe this will change in future patches of OAM 11g. But, if you figure you did everything else correctly, then give this a try! I hope it helps.
Update 06-Jan-2012:
I have been asked if any official PS-OAM integration docs or white-papers exist. Sorry, I have not found any silver bullet document yet. What I use is a combination of the following docs:
- PeopleTools 8.51 Security Admin
- Oracle Access Manager 11g Policy Management
Labels: PeopleTools 8.51 SSO OAM 11g header variable integration
Friday, July 29, 2011
Unable to open wallet error while bringing up OVD11g
Friday, May 27, 2011
Good ol' Oblix schema alive and well in OAM11g
Whatever the case, it turns out that the attributes we've all known since the days of NetPoint and COREid have endured and can be found in OAM 11g after all.
During the LDAP pre-configuration step - one of the many, many steps required to get OAM installed - an LDAPConfigPreSetup.sh script is run, which performs the following:
- Creates the Roles and Reservation User containers in OID, if they do not already exist.
- Loads Identity product specific schema into the Directory
  - OID_oblix_pwd_schema_add.ldif
  - OID_oim_pwd_schema_add.ldif
  - OID_oblix_schema_add.ldif
  - OID_oblix_schema_index_add.ldif
Some things just don't change...at least not for another 6 months or so...
Labels: OAM 11g, Oblix schema, obuseraccountcontrol
Friday, May 20, 2011
EM Console 11g shows OID is down
- Go to the Farm drop down menu on the top of EM Console -> Agent Monitored Targets -> Configure. Verify that the WebLogic Monitoring User Name is correct and change the WebLogic Monitoring Password to the correct password. Click OK.
- Check the OID status now.
- Go to the Farm drop down menu on the top of EM Console -> Agent Monitored Targets -> Configure.
- Try using hostname instead of IP address. Click OK and verify the status of OID from EM console.
Tuesday, December 21, 2010
Resources Missing After Upgrade
When you upgrade from 7.x to 10.1.4.0.1 the resources on policy domains and policies go missing. It appears that the only known fix for this is to manually recreate this data using the UI after the upgrade.
The other approach would be to proactively take them out of the directory server before you do the upgrade and then simply add them back afterward.
The resources themselves are still there after the upgrade. All that is really missing is the pointer from the resource action object to the resource.
These can be found by performing an ldapsearch with the following criteria:
search base: obapp=PSC,OU=oblix root,DC=
filter: (&(objectClass=oblixWRSCAction)(obResourceID=*))
attributes: obResourceID
This will return all of the objects that have this value set.
After the upgrade, run the same search and compare the results. Those values should be missing. If so, prepare an LDIF file to update the entries.
An LDIF entry to fix the missing obResourceID could take this form...
dn: obname=
replace: obResourceID
obResourceID:
replace the
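The before/after comparison described in this post can be scripted. The following Python is an added example, not part of the original post: it parses the two ldapsearch outputs (saved before and after the upgrade) and emits ldapmodify input that restores obResourceID on every entry that lost it. The DNs, resource IDs and function names are constructed for illustration, and exact DN matching between the two runs is assumed.

```python
# Added example; DNs and IDs are constructed placeholders, not real directory data.
BEFORE = """\
dn: obname=action-0001,obapp=PSC,ou=oblix root,dc=example,dc=com
obResourceID: resource-0001

dn: obname=action-0002,obapp=PSC,ou=oblix root,dc=example,dc=com
obResourceID: resource-0002

dn: obname=action-0003,obapp=PSC,ou=oblix root,
 dc=example,dc=com
obResourceID: resource-0003
"""
AFTER = """\
dn: obname=action-0001,obapp=PSC,ou=oblix root,dc=example,dc=com
obResourceID: resource-0001
"""

def parse_ldif(text):
    """Map each entry's dn spec to its list of obResourceID value specs."""
    entries, dn = {}, None
    # Unfold first: in LDIF a newline followed by one space continues the line.
    for line in text.replace("\r\n", "\n").replace("\n ", "").splitlines():
        if not line.strip():
            dn = None                      # blank line ends the record
            continue
        attr, sep, rest = line.partition(":")
        if line.startswith("#") or not sep:
            continue
        # Keep "::" (base64) values verbatim so they round-trip unchanged.
        spec = ":: " + rest[1:].strip() if rest.startswith(":") else ": " + rest.strip()
        if attr.lower() == "dn":
            dn = spec
            entries[dn] = []
        elif attr.lower() == "obresourceid" and dn is not None:
            entries[dn].append(spec)
    return entries

def restore_ldif(before_text, after_text):
    """Return ldapmodify input for entries whose pointer did not survive."""
    before, after = parse_ldif(before_text), parse_ldif(after_text)
    records = []
    for dn, values in before.items():
        if set(values) - set(after.get(dn, [])):   # value(s) gone after upgrade
            body = [f"dn{dn}", "changetype: modify", "replace: obResourceID"]
            body += [f"obResourceID{v}" for v in values] + ["-"]
            records.append("\n".join(body) + "\n")
    return "\n".join(records)

if __name__ == "__main__":
    print(restore_ldif(BEFORE, AFTER))
```

Review the generated LDIF against the pre-upgrade export before applying it with ldapmodify.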
Thursday, November 25, 2010
Simple Mode Root CA Strikes Again
If you keep the faith and keep going, the 10.1.4.3 patch set replaces it with the new one that is good until 2024.
Labels: OAM, Root CA, Simple Mode