Wednesday, March 13, 2013

Oracle IdM New User Registration Approval - issues?

I was trying to explore the approval process in OIM.
I started with a self-registration request and ran into the problems below.

It took some time (actually, a lot of time) to resolve these issues.
I tried to find references to these errors on the OIM forums, but there is very little information on them.

Here are the errors and the solutions that I applied to resolve them. Hope this helps someone.

Errors are:

Before hitting the first error, I was trying to create a new approval policy and load the approval process. The server was not loading any approval process, so I tested whether the SOA server was up by going to the /soa-infra web app. The server was running.

After some research, I found that my system IP is dynamic; this is the error in the OIM logs.

[oim_server1] [ERROR] [] [oracle.iam.platform.workflowservice] [tid: [ACTIVE].ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: xelsysadm] [ecid: b508518e3372808f:182ed32b:13d5b0d1b3c:-8000-000000000000004f,0] [APP: oim#11.1.2.0.0] Error occured while searching SOA composites in SOA server[[
javax.naming.CommunicationException [Root exception is java.net.ConnectException: t3:/<HOST>:8001: Destination unreachable; nested exception is:     java.net.ConnectException: Connection timed out: connect; No available router to destination]
at weblogic.jndi.internal.ExceptionTranslator.toNamingException(ExceptionTranslator.java:40)
at weblogic.jndi.WLInitialContextFactoryDelegate.toNamingException(WLInitialContextFactoryDelegate.java:792)
at weblogic.jndi.WLInitialContextFactoryDelegate.getInitialContext(WLInitialContextFactoryDelegate.java:366)
 


I followed these steps to change the SOA configuration to localhost.

Log in to EM as the WebLogic administrator (idmadmin in my case):
http://<HOST>:7001/em

Navigate to the WebLogic domain and go to “System MBean Browser” as shown in the picture.





Locate “Config” under XMLConfig -> Config -> SOA Config (see the picture below).




Change the Rmiurl and Soapurl to point to localhost.
Save and restart the servers.

After the above changes and server restarts, approval processes were loading in the approval policy.

I created a new user registration request. As soon as the request was submitted, it moved to the “Request failed” state with the following error in the OIM logs.

 [oim_server1] [NOTIFICATION] [] [oracle.iam.platform.kernel.impl] [tid: [ACTIVE].ExecuteThread: '7' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: oiminternal] [ecid: b508518e3372808f:-4c5902b8:13d5a8b5cdd:-8000-0000000000001633,0] [APP: oim#11.1.2.0.0] Orchestration process moved to failed stage, and the corresponding error is - {0}[[
oracle.iam.platform.kernel.EventFailedException: An error occurred while initiating approvals for request 30. The corresponding error message is Unable to instantiate the workflow process due to: t3://<HOST>:8001: Destination unreachable; nested exception is:
    java.net.ConnectException: Connection timed out: connect; No available router to destination.
    at oracle.iam.request.eventhandlers.InitiateApproval.execute(InitiateApproval.java:120)



Next, I changed the IP address in the SOA JNDI configuration. Log in to the WebLogic console at http://<HOST>:7001/console
Navigate to Services -> JNDI Providers -> select the SOA JNDI provider and change the IP address to the SOA server's IP address.

3rd try – new user registration.

This time the request was submitted correctly, and I was able to see the task waiting for approval from the administrator.

I clicked “Approve” and the request failed with the following error in the OIM logs.


Caused by: oracle.iam.platform.workflowservice.exception.IAMWorkflowException: Unable to instantiate the workflow process due to: Tasklist mapping failed for workflowdefinition: default/DefaultRequestApproval!1.0 due to User has insufficient privileges to update workflow runtime configuration data.
User idmadmin attempted to update runtime configuration data without having the required workflow.mapping.publicFlexField privilege.
Ensure that the user has been granted the appropriate workflow privileges before updating runtime configuration data.



Now, back to SOA Config (remember where the RMI and SOAP URLs were updated? Refer to the first screens).

I thought the user must be xelsysadm rather than idmadmin, and changed the username to xelsysadm.

Restarted the servers.

Another new user registration request; I tried to approve it and got this error in the logs.


[2013-03-12T11:19:48.428-04:00] [oim_server1] [NOTIFICATION] [] [oracle.iam.platform.kernel.impl] [tid: [ACTIVE].ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: oiminternal] [ecid: 67df074ec99fd5f2:-1987ba49:13d5f209cd7:-8000-000000000000011b,0] [APP: oim#11.1.2.0.0] Orchestration process moved to failed stage, and the corresponding error is - {0}[[
oracle.iam.platform.kernel.EventFailedException: An error occurred while initiating approvals for request 41. The corresponding error message is Unable to instantiate the workflow process due to: Tasklist mapping failed for workflowdefinition: default/DefaultRequestApproval!1.0 due to User has insufficient privileges to update workflow runtime configuration data.
User xelsysadm attempted to update runtime configuration data without having the required workflow.mapping.publicFlexField privilege.Ensure that the user has been granted the appropriate workflow privileges before updating runtime configuration data.

I tried hard to find a solution to this issue.

I found that the default WebLogic user id is “WEBLOGIC” and is created in OIM by default.

As I had used a different name while installing WebLogic (idmadmin), this user is not part of the System Administrators role in OIM and does not have all the privileges to launch and edit the workflows on SOA.

There may be other ways to grant the privileges to the idmadmin user in OIM, but I followed these steps (of course I tried assigning the user “idmadmin” to the System Administrators role first; that did not work for me).

I changed the USR_LOGIN of the weblogic user directly in the USR table.

First I changed the usr_login for idmadmin to idmadmin1:
update USR set usr_login='idmadmin1' where usr_login='idmadmin'
Then I changed the weblogic user's usr_login to idmadmin:
update USR set usr_login='idmadmin' where usr_login='weblogic'
Then I updated the username in SOAConfig back to idmadmin (this was changed to xelsysadm in the earlier try).

Restarted all the servers.

These steps resolved the issue; the approval process now gets triggered and approved properly.
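As an added example (not from the original post), here is a small Python triage script that parses OIM's ODL log records like the ones quoted above and maps the two symptoms seen in this post to the root causes found for them. The sample records are constructed, abbreviated copies of the log lines above, with <HOST> kept as a placeholder.

```python
import re

# Constructed sample: two ODL records abbreviated from the ones quoted in this post ([tid]/[ecid] dropped, "<HOST>" is a placeholder).
SAMPLE_LOG = """\
[2013-03-12T11:19:48.428-04:00] [oim_server1] [ERROR] [] [oracle.iam.platform.workflowservice] [userId: xelsysadm] [APP: oim#11.1.2.0.0] Error occured while searching SOA composites in SOA server[[
javax.naming.CommunicationException [Root exception is java.net.ConnectException: t3://<HOST>:8001: Destination unreachable; nested exception is: java.net.ConnectException: Connection timed out: connect]
[2013-03-12T11:19:48.428-04:00] [oim_server1] [NOTIFICATION] [] [oracle.iam.platform.kernel.impl] [userId: oiminternal] [APP: oim#11.1.2.0.0] Orchestration process moved to failed stage, and the corresponding error is - {0}[[
oracle.iam.platform.kernel.EventFailedException: An error occurred while initiating approvals for request 41. The corresponding error message is Unable to instantiate the workflow process due to: Tasklist mapping failed for workflowdefinition: default/DefaultRequestApproval!1.0 due to User has insufficient privileges to update workflow runtime configuration data.
User xelsysadm attempted to update runtime configuration data without having the required workflow.mapping.publicFlexField privilege.
"""

# A record starts with "[timestamp] [server] [level]"; stack-trace and nested message lines that follow belong to it.
HEADER = re.compile(r"^\[(?P<ts>\d{4}-\d{2}-\d{2}T[^\]]+)\] \[[^\]]+\] \[(?P<level>[^\]]+)\]")
USER = re.compile(r"\[userId: (?P<user>[^\]]+)\]")
REQUEST = re.compile(r"request (\d+)\.")

# Symptom pattern -> root cause, as worked out in this post.
CAUSES = [
    (re.compile(r"(t3://[^\s:]+:\d+): Destination unreachable"),
     "SOA server unreachable: check Rmiurl/Soapurl in SOAConfig and the SOA JNDI provider address"),
    (re.compile(r"User (\S+) attempted to update runtime configuration data "
                r"without having the required (workflow\.\S+?) privilege"),
     "WebLogic admin user is not in the OIM System Administrators role"),
]

def split_records(text):
    """Group raw lines into multi-line ODL records (lines before the first header are dropped)."""
    records = []
    for line in text.splitlines():
        if HEADER.match(line):
            records.append(line)
        elif records:
            records[-1] += "\n" + line
    return records

def triage(text):
    """Return one finding per record that matches a known failure mode."""
    findings = []
    for rec in split_records(text):
        head = HEADER.match(rec)
        for pattern, cause in CAUSES:
            hit = pattern.search(rec)
            if hit:
                req, user = REQUEST.search(rec), USER.search(rec)
                findings.append({"timestamp": head["ts"], "level": head["level"], "cause": cause,
                                 "logged_as": user["user"] if user else None, "detail": " ".join(hit.groups()),
                                 "request": int(req.group(1)) if req else None})
                break
    return findings
```

Run triage() over the oim_server1 diagnostic log to list which of the two fixes (SOA URL / JNDI address, or the admin account's OIM role) each failed request needs.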

Thursday, February 28, 2013

OIM 11g R2 Generic Connector for Flatfile recon



GTC Connector recon
Flat file reconciliation.
To configure the flat-file recon, prepare the CSV file and the staging and archive directories for the flat file.
  • Staging directory: D:\OIMSTAG (directory of your choice)
  • Flat file name: hrfeed (pick any name)
  • Archive directory: D:\OIMSTAG\Archive (must be inside the staging directory)
Contents of the CSV file hrfeed.csv:

#GTC Trusted Resource
userId,firstname,lastname,email,organization,department,managerid,userType,employeeType
testFlatFile,test1,flatfile,test.flatfile@email.com,Xellerate Users,IAM,xelsysadm,End-User,Full-Time


Create a new GTC connector.
  1. Login to http://<host>:port/sysadmin
  2. Click on Generic Connector under the Configuration tab on the left pane.

The connector creation page opens: click the “Create” button.

Enter the connector details as shown in the below screens.


Click “continue”


Click “continue”
The connector configuration page displays.
Map the attributes from the reconciliation staging to OIM.
To map the attributes, click on the Edit button beside the OIM attribute name.

E.g., to map userId -> User Login:
Click on the User Login Edit button in the OIM table; the following screen appears.
Select the “Matching only” check box.
NOTE: “Matching only” is selected for this field only.

Select the mapping field from the CSV.
Click Continue and Exit.

Follow the same steps to map all the other attributes. Do not select “Matching only” for the other attributes.

Map the CSV columns to the following OIM attributes:
userId -> User Login
firstname -> First Name
lastname -> Last Name
email -> Email
organization -> Organization
department -> Department Name
managerid -> Manager
userType -> User Type
employeeType -> Role
Make sure that you map at least all the mandatory attributes. If you wish to add any other attributes, you may add them either by adding them to the CSV file or directly in the connector configuration page by clicking the + button at the top of the reconciliation mapping table.
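An added example, not part of the original post: a Python pre-check for hrfeed.csv that skips the "#GTC Trusted Resource" comment line, verifies that every column in the mapping above is present, and flags rows that would fail the create-user rule before the scheduled task is run. The REQUIRED column list and the KNOWN_LOGINS set (xelsysadm as the only login already in OIM) are assumptions.

```python
import csv
import io
import re

# Constructed sample: the hrfeed.csv shown above plus one deliberately bad row.
HRFEED_CSV = """\
#GTC Trusted Resource
userId,firstname,lastname,email,organization,department,managerid,userType,employeeType
testFlatFile,test1,flatfile,test.flatfile@email.com,Xellerate Users,IAM,xelsysadm,End-User,Full-Time
,test2,flatfile,not-an-email,Xellerate Users,IAM,nobody,End-User,Full-Time
"""

# CSV column -> OIM attribute, exactly as mapped in the connector above.
MAPPING = {"userId": "User Login", "firstname": "First Name", "lastname": "Last Name",
           "email": "Email", "organization": "Organization", "department": "Department Name",
           "managerid": "Manager", "userType": "User Type", "employeeType": "Role"}
# Assumptions: these columns must be non-empty for "Create user if no match found"
# to succeed, and xelsysadm is the only login already present in OIM.
REQUIRED = ("userId", "firstname", "lastname", "organization", "userType", "employeeType")
KNOWN_LOGINS = {"xelsysadm"}
EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def parse_feed(text):
    """Drop the '#GTC Trusted Resource' comment line(s) and read the rows as dicts."""
    lines = [ln for ln in text.splitlines() if ln.strip() and not ln.startswith("#")]
    return list(csv.DictReader(io.StringIO("\n".join(lines))))

def validate_feed(text):
    """Return (rows, problems); an empty problem list means the feed is ready to run."""
    rows = parse_feed(text)
    header = set(rows[0]) if rows else set()
    problems = [f"header: missing column {c!r} ({MAPPING[c]})" for c in MAPPING if c not in header]
    logins = {r["userId"].strip() for r in rows if r.get("userId")}
    for n, row in enumerate(rows, start=1):
        for col in REQUIRED:
            if not (row.get(col) or "").strip():
                problems.append(f"row {n}: empty {col!r} ({MAPPING[col]})")
        if row.get("email") and not EMAIL.match(row["email"]):
            problems.append(f"row {n}: invalid email {row['email']!r}")
        mgr = (row.get("managerid") or "").strip()
        if mgr and mgr not in logins and mgr not in KNOWN_LOGINS:
            problems.append(f"row {n}: managerid {mgr!r} is neither in the feed nor already in OIM")
    dupes = {l for l in logins if sum(1 for r in rows if (r.get("userId") or "").strip() == l) > 1}
    for d in sorted(dupes):
        problems.append(f"duplicate userId {d!r}")
    return rows, problems
```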


Click Close once the mapping is done. Review the details and SAVE the connector.

From the OIM Admin console, click on Scheduler under System Management.

Search for GTC* -> the result lists the scheduled task for the connector that was created in the above steps.

Click Run Now -> make sure the hrfeed file is in the right directory.

If the status is success, search for reconciliation events: on the same scheduler page, click on the Reconciliation tab and click the Search button.

It lists all the events generated.
If there are any errors, check them in the OIM log file and correct them accordingly.

If the error is “No Recon profile”, follow these steps to create a profile for this connector.

1. From design console, open the resource object for the newly created connector.
2. Click on "Object reconciliation" tab.
3. Click on "Create reconciliation profile" button.
4. Make sure all the mapped fields are listed under reconciliation Fields tab.
5. Click on reconciliation action rules tab - and make sure there are rules for "Create user if no match found"


Monday, January 28, 2013

Oracle IdM (11g R2) Installation steps

The following are the steps to install and configure Oracle IdM 11g R2.
For installing Oracle Identity Manager 11g R2, SOA is a prerequisite.
The latest version of SOA should be installed (11.1.6).
Note: the assumption is that you have the required software downloaded.

1. Install the database (Oracle 11gR2).
2. Run the Repository Creation Utility for
 2.a) SOA 11.1.6
 2.b) OIAM 11gR2

You should download the RCU for SOA and OIAM separately.

3. Install the WebLogic application server (10.3.6).

4. Install SOA.

5. Install Oracle Identity and Access Management (OIAM).

6. Configure the domain for the WebLogic server (select the SOA and Oracle IdM applications while configuring the domain).

7. Configure Oracle IdM by running config.bat from <Oracle_IDM1>\bin\config.bat. Based on your selections, this step configures the Oracle IdM server, the design console and Oracle Remote Manager.

8. To set up the design console, follow these steps.
This step generates "wlfullclient.jar".
 8.a) cd <Middleware_Home>\wlserver_10.3\server\lib

Note: Make sure the JAVA_HOME variable is set, either in the command prompt that you are currently using or as an environment variable.

 8.b) Run this command:
java -jar <Middleware_Home>\modules\com.bea.core.jarbuilder_1.x.x.x.jar
Note: Depending on what version of Java is installed on your system, the jar file name could be different; check under the modules directory for the correct jar file name.
 8.c) Once the above command has run, check for wlfullclient.jar under the lib directory. Copy this jar file to <Oracle_IDM1>\designconsole\ext.

9. Run the script to configure the database security keystore, configureSecurityStore.py, located at <Oracle_IDM1>\common\tools:

 9.a) <Middleware_Home>/oracle_common/common/bin/wlst.cmd <Oracle_IDM1>/common/tools/configureSecurityStore.py -d <Middleware_Home>/user_projects/domains/<your_domain_name> -c IAM -p <Password that you used> -m create

Note: the -c option must be IAM.
Once the installation is complete, start the services by running the following commands:
cd <Middleware_Home>\user_projects\domains\base_domain\bin
startWeblogic.cmd - to start the WebLogic Admin Server
startManagedWebLogic.cmd <soa_server1> - to start the SOA server

startManagedWebLogic.cmd <oim_server1> - to start the OIM server