Wednesday, March 13, 2013

Oracle IdM New User Registration Approval - issues?

I was exploring the approval process in OIM.
I started with a self-registration request and ran into the problems below.

It took some time (actually, a lot of time) to resolve these issues.
I tried to find references to these errors on the OIM forums, but there is very little information about them.

Listing the errors and the solutions I applied to resolve them. Hope this helps someone.

The errors are:

Before this error appeared, I was trying to create a new approval policy and load the approval process. The server was not loading any approval process. I tested whether the SOA server was up by going to the /soa-infra web app; the server was running.

After some research, I found that my system IP is dynamic; this is the error in the OIM logs.

[oim_server1] [ERROR] [] [oracle.iam.platform.workflowservice] [tid: [ACTIVE].ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: xelsysadm] [ecid: b508518e3372808f:182ed32b:13d5b0d1b3c:-8000-000000000000004f,0] [APP: oim#11.1.2.0.0] Error occured while searching SOA composites in SOA server[[
javax.naming.CommunicationException [Root exception is java.net.ConnectException: t3:/<HOST>:8001: Destination unreachable; nested exception is:     java.net.ConnectException: Connection timed out: connect; No available router to destination]
at weblogic.jndi.internal.ExceptionTranslator.toNamingException(ExceptionTranslator.java:40)
at weblogic.jndi.WLInitialContextFactoryDelegate.toNamingException(WLInitialContextFactoryDelegate.java:792)
at weblogic.jndi.WLInitialContextFactoryDelegate.getInitialContext(WLInitialContextFactoryDelegate.java:366)
 


Followed these steps to change the SOA configuration to localhost.

Log in to EM as the WebLogic administrator (idmadmin, in my case):
http://<HOST>:7001/em

Navigate to WebLogic Domain and open the “System MBean Browser” as shown in the picture.

Locate “Config” under XMLConfig -> Config -> SOA Config (ref: picture below).

Change the Rmiurl and soapurl to point to localhost.
Save and restart the servers.

After the above changes and server restarts, approval processes were loading in the approval policy.

Created a new user registration request. As soon as the request is submitted, it moves to the “Request failed” state with the following error in the OIM logs.

 [oim_server1] [NOTIFICATION] [] [oracle.iam.platform.kernel.impl] [tid: [ACTIVE].ExecuteThread: '7' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: oiminternal] [ecid: b508518e3372808f:-4c5902b8:13d5a8b5cdd:-8000-0000000000001633,0] [APP: oim#11.1.2.0.0] Orchestration process moved to failed stage, and the corresponding error is - {0}[[
oracle.iam.platform.kernel.EventFailedException: An error occurred while initiating approvals for request 30. The corresponding error message is Unable to instantiate the workflow process due to: t3://<HOST>:8001: Destination unreachable; nested exception is:
    java.net.ConnectException: Connection timed out: connect; No available router to destination.
    at oracle.iam.request.eventhandlers.InitiateApproval.execute(InitiateApproval.java:120)



Changed the IP address in the JNDI SOA configuration. Log in to the WebLogic console at http://<HOST>:7001/console
Navigate to Services -> JNDI Providers -> select the SOA JNDI provider and change the IP address to the SOA server IP address.

3rd try – new user registration.

This time, the request was submitted correctly, and I was able to see the task waiting for approval from the administrator.

Clicked on “Approve” and the request failed with the following error in the OIM logs.

Caused by: oracle.iam.platform.workflowservice.exception.IAMWorkflowException: Unable to instantiate the workflow process due to: Tasklist mapping failed for workflowdefinition: default/DefaultRequestApproval!1.0 due to User has insufficient privileges to update workflow runtime configuration data.
User idmadmin attempted to update runtime configuration data without having the required workflow.mapping.publicFlexField privilege.
Ensure that the user has been granted the appropriate workflow privileges before updating runtime configuration data.



Now, back to SOA Config (remember where the rmi and soap URLs were updated? Refer to the first screens).

I thought it must be xelsysadm rather than idmadmin, so I changed the username to xelsysadm.

Restarted the servers.

Another new user registration request; tried to approve it, and got this error in the logs.

[2013-03-12T11:19:48.428-04:00] [oim_server1] [NOTIFICATION] [] [oracle.iam.platform.kernel.impl] [tid: [ACTIVE].ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: oiminternal] [ecid: 67df074ec99fd5f2:-1987ba49:13d5f209cd7:-8000-000000000000011b,0] [APP: oim#11.1.2.0.0] Orchestration process moved to failed stage, and the corresponding error is - {0}[[
oracle.iam.platform.kernel.EventFailedException: An error occurred while initiating approvals for request 41. The corresponding error message is Unable to instantiate the workflow process due to: Tasklist mapping failed for workflowdefinition: default/DefaultRequestApproval!1.0 due to User has insufficient privileges to update workflow runtime configuration data.
User xelsysadm attempted to update runtime configuration data without having the required workflow.mapping.publicFlexField privilege.Ensure that the user has been granted the appropriate workflow privileges before updating runtime configuration data.
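As an added example (my own code, not from the post), here is a small Python parser for the ODL records quoted above, with a classifier that separates the SOA connectivity failure from the workflow privilege failure; the sample records are constructed from the post's excerpts and the function names are my own.

```python
import re
# Added example, not from the post: parse the Oracle Diagnostic Logging (ODL) records quoted
# above and sort them into the two failure modes the post works through. Sample records are
# constructed from the post's excerpts (host name replaced by <HOST>).
SAMPLE_UNREACHABLE = (
    "[oim_server1] [ERROR] [] [oracle.iam.platform.workflowservice] "
    "[tid: [ACTIVE].ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'] "
    "[userId: xelsysadm] [APP: oim#11.1.2.0.0] Error occured while searching SOA composites in SOA server[[\n"
    "javax.naming.CommunicationException [Root exception is java.net.ConnectException: "
    "t3:/<HOST>:8001: Destination unreachable; nested exception is: "
    "java.net.ConnectException: Connection timed out: connect]\n"
)
SAMPLE_PRIVILEGE = (
    "[2013-03-12T11:19:48.428-04:00] [oim_server1] [NOTIFICATION] [] [oracle.iam.platform.kernel.impl] "
    "[userId: oiminternal] [APP: oim#11.1.2.0.0] Orchestration process moved to failed stage[[\n"
    "oracle.iam.platform.kernel.EventFailedException: Tasklist mapping failed for workflowdefinition: "
    "default/DefaultRequestApproval!1.0 due to User has insufficient privileges to update workflow runtime configuration data.\n"
    "User xelsysadm attempted to update runtime configuration data without having the required "
    "workflow.mapping.publicFlexField privilege.\n"
)

FIELD = re.compile(r"\[((?:[^\[\]]|\[[^\[\]]*\])*)\]\s*")  # one [...] field, tolerating one nested [...] (tid)

def parse_odl(line):
    """Split an ODL header into keyed fields (tid, userId, ecid, APP), positional fields and the message."""
    keyed, positional, rest = {}, [], line.strip()
    while (f := FIELD.match(rest)):
        m = re.match(r"(tid|userId|ecid|APP):\s*(.*)", f.group(1))
        if m:
            keyed[m.group(1)] = m.group(2)
        else:
            positional.append(f.group(1))
        rest = rest[f.end():]
    return {"keyed": keyed, "positional": positional, "message": rest.rstrip("[")}

def classify(record):
    """Map one multi-line ODL record to a failure kind, the OIM actor, and the detail a fixer needs."""
    head, _, tail = record.partition("\n")
    hdr = parse_odl(head)
    blob = hdr["message"] + "\n" + tail
    out = {"kind": "unknown", "userId": hdr["keyed"].get("userId"), "detail": None}
    if "Destination unreachable" in blob or "ConnectException" in blob:
        m = re.search(r"(t3:/+[^\s:]+:\d+)", blob)              # the SOA RMI URL OIM could not reach
        out.update(kind="soa_unreachable", detail=m.group(1) if m else None)
    elif "workflow.mapping.publicFlexField" in blob or "insufficient privileges" in blob:
        u = re.search(r"User (\S+) attempted to update", blob)   # the SOA-side account lacking the privilege
        out.update(kind="workflow_privilege", detail=u.group(1) if u else None)
    return out
```

Note that for the privilege case the header's userId (oiminternal) and the account named in the message (xelsysadm) differ; the latter is the one SOA is checking.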

Tried hard to find a solution to this issue.

Found that the default WebLogic user id is “WEBLOGIC” and is created in OIM by default.

As I used a different name while installing WebLogic (idmadmin), this user is not part of the System Administrators role in OIM and does not have all the privileges needed to launch and edit the workflows on SOA.

There may be other ways to grant the privileges to the idmadmin user in OIM, but I followed these steps (of course, I tried assigning the user “idmadmin” to the System Administrators role; that did not work for me).

Changed the USR_LOGIN name for the weblogic user directly in the USR table.

Changed the usr_login for idmadmin to idmadmin1: update USR set usr_login='idmadmin1' where usr_login='idmadmin'
Then changed the weblogic usr_login to idmadmin: update USR set usr_login='idmadmin' where usr_login='weblogic'
Updated the username in SOAConfig back to idmadmin (this was changed to xelsysadm in the earlier try).

Restarted all the servers.

These steps resolved the issue; the approval process is now triggered and approved properly.