Oracle MVA

Tales from a Jack of all trades

Archive for the ‘OIM’ Category

setting mBean attributes after securing OIM with SSL

with 2 comments

When you set up SSL for Oracle Identity Manager, you have to click through a pretty complicated mBean path. Since I am all about scripting deployments, I created a small WLST script that sets the appropriate mBean attributes for me. Creating this script was easier thanks to one of Edwin Biemond’s posts.

The specific attributes are:

  • OimFrontEndURL: The URL end users use to access the OIM application, usually a VIP on an HTTP load balancer
  • Rmiurl: The URL the OIM application uses to contact SOA over RMI. This is a comma-separated list of the SOA servers available to OIM
  • Soapurl: The URL on which the OIM application invokes services on SOA, usually a VIP on an HTTP load balancer

Please keep in mind that you might have to set up mod_wl_ohs on an HTTP server. Also make sure you choose the correct ports: in my case the default HTTPS port for OIM and for SOA SOAP (with mod_wl_ohs in place), plus 8002 for t3s for SOA RMI.

Anyway, here’s the script (and yet again: sorry for the fubar layout):

# connect to the admin server over t3s; the WLST client must trust the admin server's certificate
connect('weblogic','Welkom01','t3s://oim.area51.local:7002')

# switch to the domain runtime tree so the oim application MBeans are reachable through mbs
domainRuntime()

# DiscoveryConfig: the URL end users reach OIM on (the load balancer VIP)
oimBean = ObjectName('oracle.iam:Location=oim_server1,name=Discovery,type=XMLConfig.DiscoveryConfig,XMLConfig=Config,Application=oim,ApplicationVersion=11.1.1.3.0')
fUrl=Attribute('OimFrontEndURL','https://oim.area51.local')
mbs.setAttribute(oimBean,fUrl)

# SOAConfig: how OIM reaches SOA, RMI over t3s to both SOA servers and SOAP over https via the VIP
soaBean = ObjectName('oracle.iam:Location=oim_server1,name=SOAConfig,type=XMLConfig.SOAConfig,XMLConfig=Config,Application=oim,ApplicationVersion=11.1.1.3.0')

soaConfigRmiURL=Attribute('Rmiurl','t3s://oim1.area51.local:8002,t3s://oim2.area51.local:8002')
soaConfigSoapUrl=Attribute('Soapurl','https://oim.area51.local')

mbs.setAttribute(soaBean,soaConfigRmiURL)
mbs.setAttribute(soaBean,soaConfigSoapUrl)

disconnect()

After you have configured SSL correctly, I suggest you also enable the SSL port for OIM. I explained how to do this here.

P.S. If you set up OIM on a cluster, you need to set these attributes too.

Hope this helps.

Written by Jacco H. Landlust

July 5, 2012 at 9:05 pm

SOA OIM integration and WebLogic administration port

with 2 comments

Recently I set up an Oracle Identity Manager (OIM) environment and I happened to enable the administration port. Mike Fleming wrote an excellent article about why you should enable the administration port of your WebLogic domain, so I won’t repeat his words. I did run into a small issue when I enabled the administration port for OIM which I figured would be interesting for other people too.

As soon as I logged into OIM and clicked on tasks the following error appeared in the oim_server1.out file:

< javax.naming.AuthenticationException [Root exception is java.lang.SecurityException: User 'principals=[weblogic, Administrators]' has administration role. All tasks by adminstrators must go through an Administration Port.]>

Now that is interesting. It seems that the OIM SOA integration stops working because of the administration port. So I started to read the documentation, but found no clues there. Then I looked a bit further and found this document, which states:

“Connections that specify administrator credentials can use only the administration port”

Now there’s the answer, just as the log states: you cannot use an administrator account to integrate OIM and SOA.

So how can I change this? First of all you need to set up a new account in WebLogic. Navigate to your console and click on Security Realms –> myrealm –> Users and Groups. Then click on New. Fill in the user details and click on OK.

Do not assign any roles to the user. Next navigate to EM.

First we will set the password for the soaadmin user in the credential map. Click on WebLogic Domain –> domain name. Then click on WebLogic Domain –> Security –> Credentials.

Select oim and then SOAAdminPassword. Click on Edit and change the username from weblogic to soaadmin and the password to the password you set for the soaadmin user.

Next up click on SOA –> soa-infra. Then click on SOA Infrastructure –> security –> application roles.

Now click on the button next to the role name input box to find all roles.

Select the SOAAdmin role, click on “Add User” and select the soaadmin user.

Click on OK and you have completed the first step. Next you have to set up OIM to use this SOAAdmin user. This can be configured in EM too. Click on Identity and Access –> OIM –> oim (11.1.1.3.0). Then click on Oracle Identity Manager –> System MBean Browser.

Scroll all the way down and select oracle.iam –> Server: oim_server1 –> Application: oim –> XMLConfig –> Config –> XMLConfig.SOAConfig –> SOAConfig and change the username (SOA config username) from weblogic to soaadmin.

Finally log into OIM and create a new user. Click on Administration –> Create User and fill in the form.

Click on Save, then on Roles, and assign the administrator role to the soaadmin user:

*presto*. Your OIM SOA integration is fully operational again.
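The same sequence (new WebLogic user, credential store entry, SOAAdmin role grant, SOAConfig username) as a single WLST script, added here as an example and not code from the original post; it reuses the SOAConfig MBean path from the SSL post above. It assumes WLST is started from the OIM/SOA Oracle home so the OPSS commands updateCred and grantAppRole are available, that the SOAConfig attribute holding the username is called Username, and that the host, administration port (WebLogic default 9002) and passwords are placeholders you replace.

```wlst
# Added example, not from the original post: scripted version of the console/EM steps above.
# Assumptions: started via the OIM/SOA Oracle home's wlst.sh (OPSS commands available),
# administrator connections go through the administration port, placeholders replaced.
adminUrl  = 't3s://oim.area51.local:9002'   # administration port, assumed default 9002
adminUser = 'weblogic'
adminPwd  = '<admin-password>'              # placeholder, do not hard-code in production
soaUser   = 'soaadmin'
soaPwd    = '<soaadmin-password>'           # placeholder
oimServer = 'oim_server1'

connect(adminUser, adminPwd, adminUrl)

# 1. Create the soaadmin user in the default authenticator. No groups and no roles,
#    so the account is not an administrator and is allowed on the regular ports.
serverConfig()
cd('/SecurityConfiguration/' + domainName + '/Realms/myrealm/AuthenticationProviders/DefaultAuthenticator')
cmo.createUser(soaUser, soaPwd, 'OIM to SOA integration account (non-admin)')

# 2. Point the oim / SOAAdminPassword credential at the new user instead of weblogic.
updateCred(map='oim', key='SOAAdminPassword', user=soaUser, password=soaPwd,
           desc='Credential OIM uses to call SOA')

# 3. Grant the soa-infra application role SOAAdmin to soaadmin.
grantAppRole(appStripe='soa-infra', appRoleName='SOAAdmin',
             principalClass='weblogic.security.principal.WLSUserImpl',
             principalName=soaUser)

# 4. Change the username OIM's SOAConfig uses (same MBean as in the SSL script above).
domainRuntime()
soaBean = ObjectName('oracle.iam:Location=' + oimServer + ',name=SOAConfig,type=XMLConfig.SOAConfig,XMLConfig=Config,Application=oim,ApplicationVersion=11.1.1.3.0')
mbs.setAttribute(soaBean, Attribute('Username', soaUser))   # attribute name assumed to be Username
# read it back so the run log shows the change took effect (password is never printed)
print 'SOAConfig username is now: ' + str(mbs.getAttribute(soaBean, 'Username'))

disconnect()
# Creating the matching OIM user and giving it the OIM administrator role is still
# done in the OIM console, as described above.
```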

Hope this helps.

Written by Jacco H. Landlust

January 10, 2012 at 2:41 pm