Friday, September 28, 2012

Oracle OpenWorld 2012 is almost here

As I'm sure you're all aware, OpenWorld is almost upon us. I haven't been since 2009, so I'm pretty excited to be able to go this year.

For those of you going, a couple of items of interest:

There's a Meet and Greet with the Identity Management Team on Wednesday afternoon, so if you're around please stop by.

My Hands On Lab (HOL10478) on Monday afternoon at the Marriott is currently fully booked, but the weather looks like it's going to be amazing. If you haven't been able to get in, you might want to try just showing up and see if anyone blows it off. If you're desperate to get in for some crazy reason, send me an email or leave a comment here and I'll see if I can convince the room monitor to let a few extra people in.

There are a bunch of interesting sessions on the IdM track this year, and unless I have booth duty or a meeting you'll probably find me sitting in the back of most of those sessions. If you see me, please say hi.

See you at OpenWorld!

Virtual Directory Performance Tuning Guidelines

In its simplest possible deployment, a virtual directory has a listener, a server component and an adapter that talks to a backend target. In such a deployment, the virtual directory only plays the role of a proxy: it receives a request, forwards it to the target and sends the target's response back to the client.

Even in such a deployment, one can still encounter performance issues if OVD (Oracle Virtual Directory) isn't tuned adequately.

Wednesday, September 26, 2012

Front-ending a SAML Service Provider with OHS

This is a follow-up to one of my previous posts titled Integrating OBIEE 11g into Weblogic’s SAML SSO, where I mention the following when configuring the Service Provider:

The Published Site URL field value is the base URL for federation services on the server. For SAML2, make sure the webcontext path is saml2. This is going to be used in the metadata file as the prefix to build the ACS (Assertion Consumer Service) endpoint necessary for allowing an Identity Provider to properly communicate with this Service Provider.

When OBIEE managed servers are in a cluster, there's typically an HTTP load balancer in front of the servers. In such a case, make sure the Published Site URL refers to the name and port of the load balancer, because those are the ones the IdP needs to know.

In this post, I assume there's an OHS (Oracle HTTP Server) proxying requests to the OBIEE analytics application, which is a fairly common production scenario. Let's take a look at the configuration changes necessary to make it work.

Tuesday, September 25, 2012

Attaching OWSM policies to JRF-based web services clients

I recently came across a question in one of our internal mailing lists where a person was under the impression that he would have to write code to propagate the identity when making a web service call using OWSM policies. My answer was something like: "depending on the type of your client you may have to write some very small piece of code to attach a policy, but you should not write code at all to either retrieve the executing client identity or to do the propagation itself". Fortunately, I had an unpublished article that applied 100% to his use case. And here it is now (a little bit revamped).

OWSM (Oracle Web Services Manager) is Oracle's recommended method for securing SOAP web services. It provides agents that encapsulate the logic necessary to interact with the underlying software stack on both the service and client sides. Such agents have their behavior driven by policies. OWSM ships with a bunch of policies that are adequate for the most common real-world scenarios.

Applying policies to services and clients is usually a straightforward task and can be accomplished in different ways. This is well described in the OWSM Administrator's Guide. From the client perspective, the docs describe how to attach policies to SOA references, connection-based clients (typically ADF-based clients) and standard Java EE-based clients using either Enterprise Manager or WLST.

Oracle FMW components (like OWSM agents) are typically deployed on top of a thin software layer called JRF (Java Required Files), providing for the required interoperability with software stacks from different vendors.

This post is a step-by-step guide showing how to code a JRF-based client and attach OWSM policies to it at development time using Oracle JDeveloper.

Friday, September 21, 2012

OIM-OAM-OAAM integration using TAP

I was going to make a test post just to test our RSS feed. However, Atul Kumar published a good introductory post today on OAM-OAAM-OIM integration. So I figured that I would share that with you today and suggest it as a little light weekend reading.

You can find Atul's post here.

Wednesday, September 19, 2012

OIM 11g R2 Catalog Customization Example

This post shows how the OIM catalog can be customized using OIM UI capabilities such as managed beans and EL expressions. The post first describes the use case and the solution that addresses it; it then describes the solution details and provides links to the artifacts.

To better understand the customization described in this post, you should first read the posts about the catalog and about OIM UI customization.

Tuesday, September 18, 2012

OIM 11g R2 UI customization

The new OIM 11g R2 user interface is probably one of the most anticipated new features of this release. The main reason for that is the great customization capability provided by the underlying technologies: Oracle ADF and Oracle WebCenter Composer.

OIM user interface customizations are easier now, and they 'survive' patch application (there is no need to reapply them after patching). Adding new artifacts and new skins, and 'plugging' code directly into the user interface components, have become easier tasks.

This post introduces some of the customization-related concepts provided by the new OIM user interface.

Monday, September 17, 2012

Creating your first OAM 11g R2 domain

So you downloaded the Identity Management R2 release bits, spun up your little test environment and created a WebLogic domain. But the first time you sign in you get the error message "The policy store is not available; please see the log file for more details." in a pop-up, like this:

The logs aren't particularly helpful:
####<Sep 13, 2012 6:19:42 PM EDT> <Error> <oracle.oam.engine.policy> <iamr2.oracleateam.com> <AdminServer> <[ACTIVE] ExecuteThread: '7' for queue: 'weblogic.kernel.Default (self-tuning)'> <weblogic> <> <e3b75e49ebb52881:-4d179e40:139c1939ab6:-8000-00000000000005a3> <1347574782661> <BEA-000000> <The policy store is not available; please see the log file for more details.
oracle.security.am.common.policy.admin.store.PolicyStoreException: OAMSSA-06252: The policy store is not available; please see the log file for more details.
        at oracle.security.am.common.policy.util.OESUtils.checkAndThrowException(OESUtils.java:630)
        at oracle.security.am.common.policy.util.ResourceTypeHelper.setupHostIdentifierResourceType(ResourceTypeHelper.java:438)
        at oracle.security.am.common.policy.admin.provider.oes.DefaultApplicationDomain.createHostIdentifierPolicy(DefaultApplicationDomain.java:118)
        at oracle.security.am.common.policy.admin.provider.oes.DefaultApplicationDomain.<init>(DefaultApplicationDomain.java:93)
        at oracle.security.am.common.policy.admin.provider.oes.DefaultApplicationDomain.getGlobalDefault(DefaultApplicationDomain.java:461)
        at oracle.security.am.common.policy.admin.provider.oes.ApplicationManager.setupGlobalDefaultAppDomain(ApplicationManager.java:112)
        at oracle.security.am.common.policy.admin.provider.oes.ApplicationManager.<init>(ApplicationManager.java:61)
        at oracle.security.am.common.policy.admin.provider.oes.ApplicationManager.getApplicationManager(ApplicationManager.java:125)
        at oracle.security.am.common.policy.util.OESSetupHelper.loadOAMApplicationManager(OESSetupHelper.java:340)
        at oracle.security.am.common.policy.util.OESSetupHelper.loadOAMApplicationPolicies(OESSetupHelper.java:166)
        at oracle.security.am.common.policy.util.OESSetupHelper.loadApplicationPolicies(OESSetupHelper.java:154)
        at oracle.security.am.common.policy.admin.provider.oes.proxy.OESAdminProxy.init(OESAdminProxy.java:84)
        at oracle.security.am.common.policy.admin.provider.oes.OESPolicyAdminProvider.init(OESPolicyAdminProvider.java:130)
        at oracle.security.am.common.policy.admin.PolicyAdminFactory.getProvider(PolicyAdminFactory.java:241)
        at oracle.security.am.common.policy.admin.PolicyAdminFactory.init(PolicyAdminFactory.java:166)
        at oracle.security.am.common.policy.admin.PolicyAdminFactory.getPolicyAdmin(PolicyAdminFactory.java:334)
...
And in the -diagnostic log:
[2012-09-13T18:19:42.364-04:00] [AdminServer] [NOTIFICATION] [] [oracle.adfdt.model.mds.MDSApplicationService] [tid: [ACTIVE].ExecuteThread: '7' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: weblogic] [ecid: e3b75e49ebb52881:-4d179e40:139c1939ab6:-8000-00000000000005a3,0] [APP: oam_admin#11.1.2.0.0] [[
oracle.mds.exception.ReadOnlyStoreException: MDS-01273: The operation on the resource /oracle/oam/ui/adfm/DataBindings.cpx failed because source metadata store mapped to the namespace / DEFAULT is read only.
        at oracle.mds.core.MDSSession.checkAndSetWriteStoreInUse(MDSSession.java:2495)
        at oracle.mds.core.MDSSession.checkAndSetWriteStoreInUse(MDSSession.java:2548)
        at oracle.mds.core.MDSSession.getMutableMO(MDSSession.java:3493)
        at oracle.mds.core.MDSSession.getMutableMO(MDSSession.java:1660)
        at oracle.mds.core.MDSSession.getMutableMO(MDSSession.java:1546)
        at oracle.adfdt.model.mds.MDSApplicationService.findApplication(MDSApplicationService.java:57)
        at oracle.adfdt.model.mds.MDSModelDesignTimeContext.initServices(MDSModelDesignTimeContext.java:232)
        at oracle.adfdt.model.mds.MDSModelDesignTimeContext.<init>(MDSModelDesignTimeContext.java:82)
        at oracle.adfdt.mds.MDSDesignTimeContext.<init>(MDSDesignTimeContext.java:66)
        at oracle.adfinternal.view.page.editor.Page.getDesignTimeBindingContainer(Page.java:596)
        at oracle.adfinternal.view.page.editor.contextual.event.ContextualModelManager.getBindingContainerForView(ContextualModelManager.java:209)
        at oracle.adfinternal.view.page.editor.contextual.event.ContextualModelManager.getCurrentContextualResolver(ContextualModelManager.java:131)
        at oracle.adfinternal.view.page.editor.bean.ContextualWiringBean.getResolver(ContextualWiringBean.java:625)
        at oracle.adfinternal.view.page.editor.bean.ContextualWiringBean.clearSelection(ContextualWiringBean.java:594)
        at oracle.adfinternal.view.page.editor.bean.ContextualWiringBean.handlePageNavigation(ContextualWiringBean.java:130)
        at oracle.adfinternal.view.page.editor.contextual.event.EventHandler.processNavigation(EventHandler.java:92)
...


What did you do wrong?!

Thursday, September 13, 2012

Starting and stopping WebLogic automatically using Upstart

I've been using Unix and Linux a while. Like a while while. So long ago that the first time I installed Linux it was by floppy disk. I'm not telling you that to brag, or to imply that I'm old. I say that to give you a sense of how exciting this change is for an old hat.

In the olden days, when you wanted to start a program when the machine booted there were a bunch of options. You could put it in /etc/inittab and let init handle it for you, but there were a bunch of problems with that. In recent vintages of Linux we have Sys-V (pronounced System Five) style init scripts, where you'd write a shell script that took a command line option "start" or "stop" and started or stopped the service, then put that script in /etc/rc3.d with a name like S99myservice. Or better yet, you'd tuck it into /etc/init.d and then symlink it to the right name in /etc/rc3.d (for example). If you were reasonably smart you'd put a "chkconfig" stanza at the top and let chkconfig do the symlinking for you. You still needed to write that script, which basically meant a bunch of copy/pasting the same thing over and over. And you needed to make sure the process ran "in the background", which led to lots of people using the "&" in really awful ways that made me feel dirty to see.

But I'm here to tell you that while that's all well and good, and you can still do that if you want, under Oracle or RedHat Linux 6 you no longer have to.

In Ubuntu, RedHat and Oracle Linux there's a new flavor of init called Upstart that all the kids are using, and it's the new hotness when it comes to making programs into daemons and wiring them to start and stop at appropriate times.

After using it for a little bit I think I might be in love. It is a pleasure to use compared to the (now) old way.

Say you want to start Node Manager every time the machine boots. To do that you just create a file named /etc/init/nodemanager.conf in the /etc/init directory and put this in it:

start on runlevel [345]
exec /bin/su - oracle -- /home/oracle/Oracle/Middleware/wlserver_10.3/server/bin/startNodeManager.sh

Substitute oracle for whichever user you run the stuff as, and adjust the path as needed for your particular environment.

Want to start the OAM Admin and Managed servers on boot?

Create a file named /etc/init/oamadminserver.conf:

start on runlevel [345]
exec /bin/su - oracle -- /home/oracle/Oracle/Middleware/user_projects/domains/OAMDomain/bin/startWebLogic.sh

And /etc/init/oamserver1.conf:

start on runlevel [345]
exec /bin/su - oracle -- /home/oracle/Oracle/Middleware/user_projects/domains/OAMDomain/bin/startManagedWebLogic.sh oam_server1

Reboot the machine and the OAM AdminServer and the Managed Server will come up automatically.

Want to start, check the status of, or stop the service? It's super simple:

[root@r2d2 init]# start oamserver1
oamserver1 start/running, process 5573
[root@r2d2 init]# status oamserver1
oamserver1 start/running, process 5573
[root@r2d2 init]# stop oamserver1
oamserver1 stop/waiting

And this is just scratching the surface of what you can do with Upstart.
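As an added example (not from the original post), here is a slightly fuller version of the oamserver1 job that the two-line files above leave out: a `stop on` stanza so the server is stopped when the machine leaves the multi-user runlevels instead of just being killed at shutdown, and `respawn` so Upstart restarts the JVM if it dies. The paths and the oracle user are the same ones assumed above; the respawn limit values are an arbitrary choice.

```upstart
# /etc/init/oamserver1.conf (added example; same paths and user as the post above)
description "WebLogic managed server oam_server1 for the OAM domain"

# Start once the box reaches runlevel 3, 4 or 5 ...
start on runlevel [345]
# ... and stop when it leaves them (halt, reboot, single-user), so the
# server is shut down by Upstart rather than dying with the machine.
stop on runlevel [!345]

# Restart the server if it exits on its own, but give up if it crashes
# more than 5 times within 60 seconds (values chosen for this example).
respawn
respawn limit 5 60

# As in the post, run as the oracle user via su, never as root.
exec /bin/su - oracle -- /home/oracle/Oracle/Middleware/user_projects/domains/OAMDomain/bin/startManagedWebLogic.sh oam_server1
```

The same `start oamserver1`, `status oamserver1` and `stop oamserver1` commands shown above apply unchanged. Note that Upstart tracks the su process it launched as the job's main process; check with `status oamserver1` and `ps` after a stop that the Java process under it has actually gone away in your environment.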

You've got to try it out!

Wednesday, September 12, 2012

Oracle IAM 11g R2 docs are now available

The docs for the OAM 11g R2 release are now up and available either online at http://docs.oracle.com/cd/E27559_01/index.htm or as a download via eDelivery.

To get your very own copy from eDelivery:

  1. Go to http://edelivery.oracle.com/
  2. Sign in
  3. Pick "Oracle Fusion Middleware" as the Product Pack
  4. Pick Linux x86-64 as the Platform (or pick Windows if that's your thing!)
  5. Hit Go

You should get a list that includes "Oracle Fusion Middleware Identity Management 11g R2 Media Pack":

Click that and scroll down to the bottom and you'll see the doc set:

One of the great things about the new doc set is the inclusion of ePub files. This means that if you have an iPad you can load the doc library onto it and read the docs on the couch. Or on a plane.
Or on the throne!
(just don't lend me your iPad afterwards please!)

You can pull the ePubs out of the zip directly, or you can get them by opening the library's index, picking one of the docs inside and then looking in the upper right-hand corner:

ENJOY!

Tuesday, September 11, 2012

OIM 11g R2 Catalog

The Catalog is one of the most talked-about new features in OIM 11g R2. It introduces a new way to search for items and to create access requests, and it also introduces the 'shopping cart' experience.

The request process was drastically simplified with the Catalog. Whereas in OIM 11g R1 users had to go through a multi-step wizard to create a request, in OIM 11g R2 the work is done in two pages: the catalog search and the shopping cart summary.

Friday, September 7, 2012

Identity and Access Management at Oracle Open World 2012

Oracle Open World 2012 is fast approaching. This year Open World will run from September 30 to October 4.

As usual, there will be lots of great Identity and Access Management events and activities to participate in.

There is a dynamically updated document entitled Focus On: Identity Management which highlights all the Identity Management related sessions, events, and activities.

That being said, there are three events that I’d like to highlight.

1) It almost goes without saying that the highlight of Open World (yes, even more than Larry's keynote or all the cool concerts they are throwing) will be the hands-on lab run by our very own Chris Johnson on Complete Access Management. The schedule says that Chris's lab will be on Monday Oct 1, 1:45 @ Marriott Marquis. There are people who would give their right arms for a chance to interact in person with Chris on the latest trends and best practices in Access Management. So, do not miss out on this opportunity.

2) Amit Jasuja, Senior Vice President, Oracle Identity Management and Security will be giving a session entitled Trends in Identity Management. This session focuses on how the latest release of Oracle Identity Management addresses emerging identity management requirements for mobile, social, and cloud computing and reduces TCO for organizations. Amit is a great guy, a great speaker, and a visionary in IDM and middleware security in general. So, I recommend that you definitely attend this event. Amit’s session will be on Monday Oct 1, 10:45AM @ Moscone West L3, Room 3003.

3) There is another hands-on lab, led by Javed Beg, on Integrated Identity Governance. The schedule says that this lab will be on Thursday, Oct 4, 12:45 @ Marriott Marquis. These hands-on IDM labs should be some of the most instructive and informative events at OOW, and Javed is a seasoned expert in the space. So, I encourage you to attend.