Oracle MVA


SOA OIM integration and WebLogic administration port


Recently I set up an Oracle Identity Manager (OIM) environment and enabled the WebLogic administration port. Mike Fleming wrote an excellent article about why you should enable the administration port of your WebLogic domain, so I won’t repeat his words. I did run into a small issue when I enabled the administration port for OIM, which I figured would be interesting for other people too.

As soon as I logged into OIM and clicked on Tasks, the following error appeared in the oim_server1.out file:

< javax.naming.AuthenticationException [Root exception is java.lang.SecurityException: User 'principals=[weblogic, Administrators]' has administration role. All tasks by adminstrators must go through an Administration Port.]>

Now that is interesting: the OIM SOA integration stops working because of the administration port. The product documentation gave no clues, but looking a little further I found this document, which states:

“Connections that specify administrator credentials can use only the administration port”

There’s the answer, just as the log states: you cannot use an account that holds the administrator role to integrate OIM and SOA, because every call it makes would have to go through the administration port.

So how can I change this? First of all you need to set up a new account in WebLogic. Navigate to the console and click on Security Realms –> myrealm –> Users and Groups. Then click on New, fill in the user details and click on OK.

Do not assign any groups or roles to the user: membership of the Administrators group is exactly what triggers the administration port check in the error above. Next navigate to Enterprise Manager (EM).

First we will set the password for the soaadmin user in the credential map. Click on WebLogic Domain –> domain name. Then on WebLogic Domain –> Security –> Credentials.

Select the oim map and then the SOAAdminPassword key. Click on Edit and change the username from weblogic to soaadmin and the password to the password you set for the soaadmin user.

Next click on SOA –> soa-infra. Then click on SOA Infrastructure –> Security –> Application Roles.

Now click on the button next to the role name input box to list all roles.

Select the SOAAdmin role, click on “Add User” and select the soaadmin user.

Click on OK and you have completed the first step. Next you have to set up OIM to use this soaadmin user. This can be configured in EM too. Click on Identity and Access –> OIM –> oim (11.1.1.3.0). Then click on Oracle Identity Manager –> System MBean Browser.

Scroll all the way down and select oracle.iam –> Server: oim_server1 –> Application: oim –> XMLConfig –> Config –> XMLConfig.SOAConfig –> SOAConfig and change the username (SOA config username) from weblogic to soaadmin.

Finally log into OIM and create a new user. Click on Administration –> Create User and fill in the form.

Click on Save, then on Roles, and assign the administrator role to the soaadmin user (this is OIM’s own administrator role, not the WebLogic Administrators group, so it does not bring the administration port check back):

*presto*. Your OIM SOA integration is fully operational again.
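For anyone who prefers to script the WebLogic and EM part of this procedure, here is the same sequence as a WLST (Jython) script. This is an added example, not code from the original post or from Oracle: it creates the soaadmin user without any group membership, verifies that it is not in Administrators, rewrites the oim/SOAAdminPassword credential, grants the SOAAdmin application role, and changes the SOAConfig username. Host name, ports, passwords, the WLST entry point and, in step 4, the SOAConfig MBean ObjectName and attribute name are assumptions; the OIM user creation and OIM role assignment at the end of the post stay in the OIM UI.

```jython
# Added example (WLST/Jython), not from the original post. Assumptions are marked.
# Run with the OPSS-enabled WLST, e.g. $MW_HOME/oracle_common/common/bin/wlst.sh create_soaadmin.py,
# because updateCred and grantAppRole are OPSS commands.

ADMIN_URL  = 't3s://oimhost.example.com:9002'   # assumption: administration port over SSL
ADMIN_USER = 'weblogic'
ADMIN_PASS = '<weblogic-password>'              # placeholder
NEW_USER   = 'soaadmin'
NEW_PASS   = '<soaadmin-password>'              # placeholder

def list_groups(atn, user):
    """Return the WebLogic groups 'user' belongs to, using the provider's cursor API."""
    groups = []
    cursor = atn.listMemberGroups(user)
    while atn.haveCurrent(cursor):
        groups.append(atn.getCurrentName(cursor))
        atn.advance(cursor)
    atn.close(cursor)
    return groups

connect(ADMIN_USER, ADMIN_PASS, ADMIN_URL)

# 1. Create the user in the default authenticator and deliberately put it in no group.
atn = cmo.getSecurityConfiguration().getDefaultRealm().lookupAuthenticationProvider('DefaultAuthenticator')
if not atn.userExists(NEW_USER):
    atn.createUser(NEW_USER, NEW_PASS, 'Service account for the OIM-SOA integration')

# Guard: an Administrators member would make every call subject to the administration port again.
groups = list_groups(atn, NEW_USER)
if 'Administrators' in groups:
    raise Exception('%s is a member of Administrators; remove it before continuing' % NEW_USER)
print 'Groups for %s: %s (expected: none)' % (NEW_USER, groups)

# 2. Point the credential store entry oim/SOAAdminPassword at the new user.
updateCred(map='oim', key='SOAAdminPassword', user=NEW_USER, password=NEW_PASS,
           desc='SOA admin credential used by OIM')

# 3. Grant the SOAAdmin application role of soa-infra to the WebLogic user.
grantAppRole(appStripe='soa-infra', appRoleName='SOAAdmin',
             principalClass='weblogic.security.principal.WLSUserImpl',
             principalName=NEW_USER)

# 4. Change the SOAConfig username. The ObjectName and the 'Username' attribute are
#    assumptions: confirm them on the MBean Information tab in the System MBean Browser.
#    This MBean lives in the managed server, so this step may require connecting to
#    oim_server1 directly instead of the admin server.
custom()
cd('oracle.iam/oracle.iam:name=SOAConfig,type=XMLConfig.SOAConfig,XMLConfig=Config,'
   'Application=oim,ApplicationVersion=11.1.1.3.0,Server=oim_server1')   # assumption
set('Username', NEW_USER)

disconnect()
```

The group check after step 1 is the part worth keeping even if you do the rest by hand: the log line in this post shows that the failing principal carried the Administrators group, so the quickest way to confirm a fix is to verify that the account OIM uses towards SOA has no group membership at all.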

Hope this helps.

Written by Jacco H. Landlust

January 10, 2012 at 2:41 pm