
OIM User Creation : An Error occurred while performing create user operation. Unable to get LDAP connection


This post covers an issue that I encountered on Oracle Identity Manager (OIM) while creating a new user in OIM. The error I received on screen was “Error occurred while performing create user operation. Unable to get LDAP connection, and the root cause is – null“. OIM can be integrated with an LDAP server using LDAPSync, either during installation or later. More on LDAP Sync here, here, and here

  • On user creation in OIM, LDAPSync should create this user in LDAP Server as well.

 

 

If you hit this problem then check error in OIM diagnostic logs at $DOMAIN_HOME/servers/[oim_server1]/logs
______

[2012-10-05T18:59:03.774+00:00] [oim_server1] [ERROR] [IAM-0042002] [oracle.iam.platform.entitymgr.provider.ldap] [tid: [ACTIVE].ExecuteThread: '5' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: xelsysadm] [ecid: 004mpHqz1mi6 ESgvDCtHdC0006YZ00001K,0:1] [APP: oim#11.1.1.3.0] [URI: /admin/faces/pages/Admin.jspx] An error occurred while creating the entity in LDAP, and the corresponding error is – {0}[[
oracle.iam.platform.entitymgr.vo.ConnectivityException: java.lang.NullPointerException
at oracle.iam.ldapsync.impl.repository.ITResourceRepository.getConnection(ITResourceRepository.java:39)
at oracle.iam.platform.entitymgr.provider.ldap.LDAPDataProvider.create(LDAPDataProvider.java:465)
at oracle.iam.platform.entitymgr.impl.EntityManagerImpl.createEntity(EntityManagerImpl.java:291)
at oracle.iam.ldapsync.impl.eventhandlers.user.UserCreateLDAPPreProcessHandler.createUser(UserCreateLDAPPreProcessHandler.java:193)

.
.

Caused by: java.lang.NullPointerException
at oracle.ucp.common.UniversalConnectionPoolImpl$UniversalConnectionPoolInternal.createOnePooledConnectionInternal(UniversalConnectionPoolImpl.java:1614)
at oracle.ucp.common.UniversalConnectionPoolImpl$UniversalConnectionPoolInternal.access0(UniversalConnectionPoolImpl.java:1446)
at oracle.ucp.common.UniversalConnectionPoolImpl.createOnePooledConnection(UniversalConnectionPoolImpl.java:514)

.

________

 

  • If you hit an error like the one above, check the IT Resource (Manage IT Resource) in the OIM Advanced Administration Console.

 

  • Search for IT Resource Type Directory Server and change Connection Pooling Supported to False. (This issue seems to be fixed in OIM BP03.)
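To triage this signature in a long diagnostic log, the following added example (not from the original post) parses the bracketed log entries, including the nested brackets in the tid field, and separates IAM-0042002 failures whose root cause is the connection-pool NullPointerException from other LDAP create failures. The sample log is constructed; only the message ID, class names and field layout are taken from the entry quoted above.

```python
import re

# Constructed sample in the bracketed diagnostic-log layout quoted above.
# ECIDs, the first entry and the third entry's exception are made up.
SAMPLE_LOG = """\
[2012-10-05T18:58:40.100+00:00] [oim_server1] [NOTIFICATION] [] [constructed.sample.module] [tid: [ACTIVE].ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: xelsysadm] [ecid: SAMPLE-ECID-0001,0] [APP: oim#11.1.1.3.0] Constructed informational message
[2012-10-05T18:59:03.774+00:00] [oim_server1] [ERROR] [IAM-0042002] [oracle.iam.platform.entitymgr.provider.ldap] [tid: [ACTIVE].ExecuteThread: '5' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: xelsysadm] [ecid: SAMPLE-ECID-0002,0:1] [APP: oim#11.1.1.3.0] [URI: /admin/faces/pages/Admin.jspx] An error occurred while creating the entity in LDAP, and the corresponding error is - {0}[[
oracle.iam.platform.entitymgr.vo.ConnectivityException: java.lang.NullPointerException
    at oracle.iam.ldapsync.impl.repository.ITResourceRepository.getConnection(ITResourceRepository.java:39)
Caused by: java.lang.NullPointerException
    at oracle.ucp.common.UniversalConnectionPoolImpl.createOnePooledConnection(UniversalConnectionPoolImpl.java:514)
]]
[2012-10-05T19:04:11.002+00:00] [oim_server1] [ERROR] [IAM-0042002] [oracle.iam.platform.entitymgr.provider.ldap] [tid: [ACTIVE].ExecuteThread: '7' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: helpdesk1] [ecid: SAMPLE-ECID-0003,0] [APP: oim#11.1.1.3.0] An error occurred while creating the entity in LDAP, and the corresponding error is - {0}[[
oracle.iam.platform.entitymgr.vo.ConnectivityException: constructed failure
Caused by: javax.naming.CommunicationException: constructed-ldap-host:389
]]
"""

ENTRY_START = re.compile(r"^\[\d{4}-\d{2}-\d{2}T", re.M)


def split_entries(text):
    """Split a log into entries; a new entry starts at a line-leading timestamp."""
    starts = [m.start() for m in ENTRY_START.finditer(text)]
    return [text[s:e].rstrip() for s, e in zip(starts, starts[1:] + [len(text)])]


def parse_entry(entry):
    """Return (positional fields, named fields, message, supplemental detail)."""
    fields, i, n = [], 0, len(entry)
    while i < n and entry[i] == "[":
        depth, j = 0, i
        while j < n:                      # track depth so "[tid: [ACTIVE]...]" stays one field
            if entry[j] == "[":
                depth += 1
            elif entry[j] == "]":
                depth -= 1
                if depth == 0:
                    break
            j += 1
        if depth:                         # unbalanced bracket: keep the rest as message text
            break
        fields.append(entry[i + 1:j])
        i = j + 1
        while i < n and entry[i] == " ":
            i += 1
    message, _, detail = entry[i:].partition("\n")
    named = dict(f.split(": ", 1) for f in fields[5:] if ": " in f)
    return fields[:5], named, message, detail


def find_ldap_pool_failures(text):
    """List IAM-0042002 entries and flag those caused by the UCP pool NPE."""
    hits = []
    for entry in split_entries(text):
        positional, named, _message, detail = parse_entry(entry)
        if len(positional) < 5 or positional[3] != "IAM-0042002":
            continue
        cause = detail.partition("Caused by: ")[2]
        pool_npe = (cause.startswith("java.lang.NullPointerException")
                    and "oracle.ucp.common.UniversalConnectionPoolImpl" in cause)
        hits.append({
            "time": positional[0],
            "server": positional[1],
            "user": named.get("userId"),   # who attempted the create
            "ecid": named.get("ecid"),     # correlate with other component logs
            "pool_npe": pool_npe,          # True: matches the pooling issue in this post
        })
    return hits


if __name__ == "__main__":
    for hit in find_ldap_pool_failures(SAMPLE_LOG):
        print(hit)
```

Entries with pool_npe set to False share the message ID but have a different root cause, so the Connection Pooling Supported change above would not be expected to address them.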

 

 

 

Related Posts for Identity Manager


  1. Oracle Identity Manager (User Provisioning – Thor)
  2. Installing Oracle Identity Manager (Thor Xellerate)
  3. Oracle Identity Manager 9.1 released
  4. Oracle Identity Manager (Thor Xellerate) Architecture
  5. Resource, Reconciliation, Provisioning and Connector in Oracle Identity Manager #OIM
  6. Oracle Identity Manager (OIM) Connector for Oracle Internet Directory (OID) : Architecture and Overview
  7. Step by Step Installation of OIM Design Console 9.1.0
  8. Error while running PurgeCache in OIM 11g : LoginException unable to find LoginModule class : WebLogic Full Clinet
  9. Integrate OIM 11g with OID using connector for Provisioning / Reconcilliation – Installation
  10. PurgeCache in OIM 11g : CategoryName
  11. OIM LDAP Sync : Overview and Key Points
  12. OIM 11g : How to export/import/delete Files from MDS
  13. Where are OAM details stored in OIM (account unlock, password reset)
  14. libOVD adapters in OIM LDAP Integration : LDAPsync – view and modify Adapter settings (bindDN and bindPassword)
  15. Error Starting OIM Design Console (xlclient.sh) on Linux java.lang. NoClassDefFoundError
  16. OIM 11g Challenge Questions (PCQ) for forgot password
  17. Oracle EBS Integration with OIM (Identity Manager) : Things you should know
  18. Users not synced from OID to OIM : Debug Scheduled Job
  19. OIM Connector for Microsoft : AD, Exchange, Windows, Password Management
  20. Connector Server for OIM connectors : .NET or JAVA
  21. OIM 11g Challenge Questions – Everything you must know
  22. OIM 11g How to add Challenge Questions
  23. OIM : Assign AD resource : An error occurred because the Adapters are not compiled : How to compile adapters in OIM
  24. OIM User Creation : An Error occurred while performing create user operation. Unable to get LDAP connection
  25. OIM – AD integration : Active Directory Group Lookup Recon failed with error Remote Framework Key is invalid
  26. Microsoft Active Directory (AD) to Oracle Identity Manager (OIM) Password Synchronization: Things you must know : Part I
  27. Provision resource “Microsoft Exchange” to user in OIM : Status remains in Provisioning : Part I
  28. Target Resource (or Managed Resource) vs Trusted Source (or Authoritative Source) Mode : OIM integration with applications (AD, OID, OVD, EBS, SAP, HR, LDAP)
  29. 500 Internal server accessing OIM application : com.bea. security.MicroSM. getInstance oracle.iam. platform. authz.impl
  30. Your account is locked. You can unlock your account by going to Forgot Password
  31. OIM 11g : How to find User and Manager details : USR table
  32. OIM 11g : User Detail/Attribute (Description) not visible in OIM User screen : EBS / OID / OIM integration
  33. OIM 11g: The add proxy operation for user XXXXX failed with following error oracle. bpel. services. workflow. client. workflowservieclientException javax.xml.ws.WebServiceException could not determine wsdl ports
  34. Oracle Identity Manager BP07 for 11gR1 PS1 11.1.1.5.7 (16097399) is now available – (Part of Identity Management SUite BP03 16209876)
  35. OIM 11g : SQL to List User’s Manager
  36. OIM integrated with OAM (SSO) showing OIM login screen : User Soft Locked

Microsoft Active Directory (AD) to Oracle Identity Manager (OIM) Password Synchronization: Things you must know : Part I


If you wish to synchronize a user’s password from Microsoft Active Directory (AD) to Oracle Identity Manager (OIM), you must install the Microsoft Active Directory Password Synchronization connector.

This post covers things you must know regarding Microsoft Active Directory Password Synchronization.

  • For Connector basics : Resources, Reconciliation, and Provisioning click here
  • For more information on type of connectors Java vs .NET (dot net) click here
  • For OIM connectors for Microsoft (Active Directory, Exchange, and Windows) click here
  • For OIM-OID connector architecture click here
  • For OIM-Oracle eBusiness Suite connector click here

Things you must know for Microsoft Active Directory Password Synchronization connector
  1. The Microsoft Active Directory User Management (UM) connector is a prerequisite for the Microsoft Active Directory Password Synchronization connector. (You must first install the Microsoft Active Directory User Management connector.)
  2. The latest version of the Microsoft Active Directory User Management connector (as of Sep 2012) is 11.1.1.5, whereas the latest version of the Microsoft Active Directory Password Synchronization connector (as of Sep 2012) is 9.1.1.5.
  3. You can configure OIM 11g with Microsoft Active Directory User Management (MS-UM) 11.1.1.5 and Microsoft Active Directory Password Synchronization 9.1.1.5.
  4. The Microsoft Active Directory Password Synchronization connector must be installed on the Windows Active Directory Domain Controller machine.
  5. If the AD domain controller is running on multiple machines (for high availability/resilience), you must install the password synchronization connector on each domain controller machine.
  6. MS-AD Password Synchronization Connector configuration is stored in the registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\oimpwdsync
  7. For Active Directory related configuration : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\oimpwdsync\ADConfig
  8. ADPersistentStore is the OU in Active Directory that stores data for users whose password can’t be synced from AD to OIM for various reasons (OIM not available, user not available in OIM etc).
  9. Change the value of Log from N to Y if you wish to enable logging in password synchronization (by default logging is disabled).
  10. LogPath is the directory in which logs are written (to enable logging, set the value of field Log to Y).
  11. For OIM related configuration: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\oimpwdsync\OIMConfig
  12. OIMhost is the hostname where the OIM managed server is running (for High Availability use the load balancer name here).
  13. OIMPort is the port on which the OIM managed server is running (for High Availability use the port number on which the load balancer is configured).
  14. To disable the Password Synchronization connector, set the value of Disabled to 1 (0 means password synchronization is enabled).
  15. To enable logging for OIM related events, set the value of parameter OIMLog to Y. You will see the file [TIME_STAMP]OIMMain.log
  16. AD communicates with the OIM server via an SPML Web Service (WS) SOAP request over HTTP(S), like http(s)://OIMHost:OIMPort/spmlws/OIMProvisioning for OIM on WebLogic Server. (Make sure to deploy the SPML-DSML application on the OIM Managed Server and that the application is in ACTIVE state.)
  17. In [TIME_STAMP]OIMMain.log you should see calls like
    Debug [2/20/2002 12:54:42 AM] The SOAP start element is
    Debug [2/20/2002 12:54:42 AM] <processRequest xmlns=""><sOAPElement>
    Debug [2/20/2002 12:54:42 AM] The SOAP end element is
    Debug [2/20/2002 12:54:42 AM] </sOAPElement></processRequest>
    Debug [2/20/2002 12:54:42 AM] The path is
    Debug [2/20/2002 12:54:42 AM] /spmlws/OIMProvisioning
    Debug [2/20/2002 4:54:53 PM] <env:Envelope xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><env:Header/><env:Body env:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><m:processRequestResponse xmlns:m="http://xmlns.oracle.com/OIM/provisioning"><setPasswordResponse xmlns="urn:oasis:names:tc:SPML:2:0:password"</setPasswordResponse></m:processRequestResponse></env:Body></env:Envelope>
  18. For connector installer related configuration : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\oimpwdsync\Install

 

More on Microsoft Active Directory (AD) to Oracle Identity Manager (OIM) Password Synchronization: Things you must know in Part II

 

Share any tips/key point related to OIM’s Microsoft Active Directory Password  Synchronization by leaving comment


Provision resource “Microsoft Exchange” to user in OIM : Status remains in Provisioning : Part I


In this post I am going to cover an issue that I encountered while assigning a Microsoft Exchange account to a user in Oracle Identity Manager (OIM). Microsoft Exchange Connector 11g (11.1.1.5) is a .NET based connector that is required to provision a Microsoft Exchange account from OIM or to reconcile an account from Microsoft Exchange to a user in OIM. More on Microsoft Exchange Connector deployment with OIM here

Note: Microsoft Active Directory user Management connector is pre-requisite to install Microsoft Exchange Connector and before you provision Microsoft Exchange resource to a user in OIM, you must provision Microsoft Active Directory resource to this OIM user.

To know more about connectors in OIM

  • For Connector basics : Resources, Reconciliation, and Provisioning click here
  • For more information on type of connectors Java vs .NET (dot net) click here
  • For OIM connectors for Microsoft (Active Directory, Exchange, and Windows) click here
  • For OIM-OID connector architecture click here
  • For OIM-Oracle eBusiness Suite connector click here
  • For Microsoft Active Directory Password Synchronisation click here

I recently assigned a Microsoft Exchange resource to a user in OIM (select the user, then go to the Resources tab and click ADD). The status of this resource was Provisioning (whereas the status should be Provisioned).

 

To find out what tasks were executed as part of assigning a resource and why the status is “Provisioning“, select the Exchange User row and click on Action -> Resource History (this will open a new window).

If you notice, first task in Microsoft Exchange Provisioning is System Validation and then Create User. Status of Create User is Rejected so to find reason click on Create User link

As you can see – Status is Rejected, Response is CONNECTOR_EXCEPTION and Response Description is Create Object Failed

The next step is to look into the connector server log file. More on the error message in the connector server log file and the steps to fix it in the next post.

 

Question 1 for readers : How to find out where is connector server installed ?
Question 2 for readers : How to find out where are connector server logs configured ?

 

 


Your account is locked. You can unlock your account by going to Forgot Password


If you log in to an application protected by Oracle Access Manager (OAM for Single Sign-On/SSO) and you see a screen like above, “Your account is locked. You can unlock your account by going to Forgot Password”, this error means your account is locked in Oracle Access Manager (OAM).

Q: How OAM 11g treats account as locked ?

If value of user’s attribute obLockoutTime is set or value of obLoginTryCount is set to 5 then OAM treats this account as locked.

Q: How can an end user unlock account without contacting administrator (Self Service) ?

If OAM is integrated with Oracle Identity Manager (OIM) then clicking on Forgot Password link will take user to forgot password page in OIM. User can then answer challenge questions registered at time of first time login. After entering correct answer to challenge questions, OIM will reset password in OIM and also update password in LDAP (OID in this case) using LDAPSync (OIM should be configured with LDAPSync enabled. More on LDAPSync here, here, and here). This process will also clear two attributes obLockoutTime, and obLoginTryCount (OAM will then treat account as unlocked)

Q: How can an OIM Administrator unlock account locked in OAM via OIM ?

Once a user is locked in OAM (via the two attributes obLockoutTime and obLoginTryCount), the LDAP User Reconciliation Job in OIM (that runs every 5 minutes) will bring the user’s data into OIM and enable the UNLOCK button next to this user. (If you see the LOCK button then the user is not locked; if you see the UNLOCK button, the user is locked in OIM too.) The administrator can click on the UNLOCK button next to the user details.

Note: If there is any problem with reconciliation job (LDAP User Reconciliation) then you can have a user that is locked in OAM but not in OIM. Workaround in such case is first LOCK the user from OIM and then UNLOCK again from OIM (This step should clear two attributes obLockoutTime and obLoginTryCount from OID)

 

Q: How can an OID Administrator unlock account locked in OAM ?
If you have access to Oracle Internet Directory (or LDAP server where OAM is connecting for User Store) then Login to LDAP Server and clear value of below two attributes  obLockoutTime and obLoginTryCount (Login again with password used earlier)
If you don’t know which LDAP (or OID store) OAM is configured to connect to for username/password validation, then check here, here, and here
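The lock rule and the reconciliation caveat described above can be checked against a directory export. The following is an added example, not from the original post: it parses an LDIF export (folded lines and base64 values included), applies the obLockoutTime / obLoginTryCount rule, and lists users who are locked in OAM but not shown as locked in OIM. The LDIF entries, DNs and the `oim_locked` mapping are constructed, and how the OIM lock status is exported is left as an assumption.

```python
import base64

# Constructed LDIF export; DNs, uids and attribute values are sample data.
SAMPLE_LDIF = """\
version: 1

# Constructed entries for illustration
dn: uid=alice,cn=Users,dc=example,dc=com
uid: alice
obLoginTryCount: 5

dn: uid=bob,cn=Users,dc=example,dc=com
uid: bob
obLoginTryCount: 2

dn: uid=carol,cn=Users,dc=example,dc=com
uid: carol
obLockoutTime:: MTM1MDAwMDAwMA==
obLoginTryCount: 1

dn: uid=dave,cn=Users,dc=example,
 dc=com
uid: dave
oblockouttime: 1350000000
"""

# Hypothetical OIM lock status per login, e.g. taken from the OIM user screen.
SAMPLE_OIM_LOCKED = {"alice": True, "bob": False, "carol": False, "dave": True}


def parse_ldif(text):
    """Parse LDIF into a list of {lowercased attribute: [values]} dicts."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:     # folded line continues the previous one
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, cur = [], {}
    for line in lines + [""]:                 # trailing "" flushes the last entry
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):             # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        cur.setdefault(name.strip().lower(), []).append(value)
    return entries


def lock_reasons(entry, max_tries=5):
    """Apply the rule from the post: obLockoutTime set, or try count at 5."""
    reasons = []
    if any(entry.get("oblockouttime", [])):
        reasons.append("obLockoutTime set")
    # The post states the value 5; >= is an assumption so a higher count is not missed.
    if any(v.isdigit() and int(v) >= max_tries
           for v in entry.get("oblogintrycount", [])):
        reasons.append(f"obLoginTryCount >= {max_tries}")
    return reasons


def oam_lock_report(ldif_text, oim_locked, max_tries=5):
    """Return OAM-locked users; mismatch=True means OIM does not show the lock."""
    report = []
    for entry in parse_ldif(ldif_text):
        if "dn" not in entry:
            continue
        reasons = lock_reasons(entry, max_tries)
        if not reasons:
            continue
        uid = entry.get("uid", [""])[0]
        state = oim_locked.get(uid)           # None when OIM status is unknown
        report.append({"uid": uid, "dn": entry["dn"][0], "reasons": reasons,
                       "oim_locked": state, "mismatch": state is False})
    return report


if __name__ == "__main__":
    for row in oam_lock_report(SAMPLE_LDIF, SAMPLE_OIM_LOCKED):
        print(row)
```

A row with mismatch set to True is the case covered by the Note above, where the reconciliation job has not carried the OAM lock into OIM.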

 

 

 

Other issues related to Account Lockout in Oracle Stack (depending on how you login and how components are integrated with each other) are


Topic 5 : Part I : Approval workflows and Requests Configuration – Certification Oracle Identity Governance Suite 11g Essentials Exam -1Z1-459


This post covers topic 5 (Part I) of certification 1Z1-459 Oracle Identity Governance Suite 11g Essentials  i.e. Approval workflows and Requests Configuration

Topic 5 Approval workflows and Requests Configuration of certification 1Z1-459 contains following sub topics

5.1 Describe Workflow and SOA composites development using Jdeveloper and WF Composer
5.2 Create approval workflows for serial and parallel approvals
5.3 Describe Request related artifacts like datasets and profiles
5.4 Describe approval policies, approval selection methodology
5.5 Configure request for accounts and entitlements

 

Oracle Identity Manager (OIM) lets users request entities like roles, resources, or entitlements. OIM also enables administrators to approve or deny these requests.

1. Request : is an entity (or task) created by user in OIM to perform an action that requires permission to be approved before that action can be performed. For example request can be “granting a role to a user” or “creating a user” or “assign a resource to a user” in OIM.

2. Types of Requests : Requests in OIM are mainly of five types
a) User Management – create user, modify user etc are requests of type user management
b) Role Management – create role, modify role, assign role etc are requests of type role management
c) Account Management – enable account, disable account, modify account etc are request of type account management
d) Entitlement Management – provision entitlement and revoke entitlement are request of type entitlement management
e) Provisioning – “provision application instance” and “access policy based application instance provisioning” are requests of type Provisioning

More in detail about Request Types in Managing Requests in OIM Users Guide

3. Types of approval workflow associated with Requests: A request can contain two types of approval workflows
a) Request-level workflow : This type of approval workflow contains high-level information associated with “entire request”
b) Operation-level workflow : This type of approval workflow is associated with the operation (create user, provision resource) that Identity Manager is to grant to a user through the request.

Note: Request-level approval workflow is initiated first and then Operational-level approval workflow is initiated for a request.

4. Stages of request : Each request goes through specific lifecycle after request is created in OIM.
a) Created
b) Obtaining approval
–ba) Waiting for Request-Level Approval
–bb) Waiting for Operational-Level Approval
c) Approved
d) Rejected
e) Operation Initiated
f) Failed
g) Withdrawn
h) Completed

 

5. Request can have following type of users
a) Requester : User/system who raises a request. Request can be raised by system based on access policy
b) Beneficiary : User for whom this request is being created. Requester can request for him/her self or for others
c) Request-Level Approvers : User who approves request at request-level
d) Operation-Level Approvers : User who approves request at operation-level

6. Components that make up a request :
a) Request User – Requester , Beneficiary, Approvers (Request-Level and Operation-Level)
b) Target Entity – is entity like Role, Organization, Resource, or Entitlement for which request is being made
Request can also optionally have
c) Approval Policies – Approval policy associates a request with approval workflow (request-level and operation-level). There can be multiple approval policies for a request.
d) Email Notification – Information about event occurring in requests life cycle are sent to requester, beneficiary, approvers etc via email notification

7. Request-level approval and Operation-level approval workflows are deployed as SOA composites on SOA servers.

8. SOA composite for OIM is an application deployed on SOA server and registered with OIM server. More on SOA composite and Workflow in OIM at OIM Developer Guide – Developing Workflows for Approval and Manual Provisioning

9. You can deploy SOA composites using Jdeveloper (IDE) or ANT script . More on

10. Request Catalog : contains entities (roles, application instances, and entitlements) that user can request in Oracle Identity Manager .

11. Request Cart: contains list of items that user can select from request catalog.

 


Topic 7 : Bulk Load and Post Processing in OIM – Certification Oracle Identity Governance Suite 11g Essentials Exam -1Z1-459


This post covers topic 7 of certification 1Z1-459 Oracle Identity Governance Suite 11g Essentials  i.e. Bulk Load and Post Processing

Topic 7 Bulk Load and Post Processing of certification 1Z1-459 contains following sub topics

7.1 Configure Bulk Load utility
7.2 Configure post processing task for bulk load

Bulk Load Utility in Oracle Identity Manager (OIM) provides facility to load users and roles in bulk quickly.

1. Using Bulk Load Utility in OIM, data can be loaded from CSV (comma separated value) file or from Database.

2. Bulk Load Utility can be used to load following data
a) User Data that corresponds to Account Data in OIM
b) Account Data that corresponds to User Data in OIM
c) Role, Role Membership, Role Category, and Role Hierarchy Data in OIM

3. Bulk Import related files are under $ORACLE_HOME/server/db/oim/oracle/Utilities/oimbulkload

4. The main script that constitutes bulk load is oim_blkld.sh (Unix) / oim_blkld.bat (Windows)

5. Data loaded using bulk load from a CSV file is loaded into a temporary table (created by the bulk load tool) under the OIM schema.

a) Bulk Load will create two tables for each CSV file, one with name OIM_BLKLD_TMP_[first_six_character_of_file]_[N] (containing correct data loaded into the temporary table) and a second with name OIM_BLKLD_EX_[first_six_character_of_file]_[N] (containing data that fails to load into the OIM temporary table)

6. Statistics about the Bulk Load utility run, i.e. number of records processed, loaded and rejected, are recorded in file $ORACLE_HOME/server/db/oim/oracle/Utilities/oimbulkload/logs_YYYYMMDD_hhmm/oim_blkld_user_load_summary.log

7. Bulk load operation progress is also recorded in table OIM_BLKLD_LOG

8. You must stop OIM server while running Bulk Load Utility

9. Bulk Load Post Process scheduled task starts post processing jobs for the Bulk Load Utility.

 

 


Topic 6 : Security in OIG and Delegated Admin : Certification Oracle Identity Governance Suite 11g Essentials Exam -1Z1-459


This post covers topic 6 of certification 1Z1-459 Oracle Identity Governance Suite 11g Essentials  i.e. Security

Topic 6 Security of certification 1Z1-459 contains following sub topics
6.1 Describe features of OES and how OIG leverages OES to create the security model
6.2 Configure a Delegated Administration model

1. Authentication : the process of proving that you are who you say you are. The common method of authentication in OIM is username/password.

2. Authorization : defines the permissions or access rights assigned to a user. Authorization defines what a user can see/do in OIM.

3. Role : Roles are used to manage a collection of users to whom you wish to grant the same access rights or functionality. A Role has a Category (a collection of related roles in one category). By default there are two role categories

a) OIM Roles: All pre-defined roles in OIM are part of the OIM Roles category

b) Default: This is the default Role Category. If you don't specify a role category during Role creation, the category Default is assigned to the Role.

4. OIM has an embedded authorisation engine, Oracle Entitlement Server (OES), which with the help of authorisation policies in OIM controls what actions a user can perform in OIM.

Note: Oracle Entitlement Server (OES) is used to define the authorisation policies that control the access rights users have.

5. Authorization Policy : determines at runtime whether or not a particular action is allowed. Policies for OIM in version 11gR2 are defined in OES

6. Authorization Policies in OIM 11gR2 are managed through the OES Admin Console ( http://weblogic_host:admin_port/apm )

7. There are three types of Administrative Roles in OIM

a) Administrator : This role manages the entire life cycle of the entity
b) Viewer : can see the entity and request access for the entity. If the viewer requests the entity then approval is required for the request
c) Authorizer : can see the entity and request access for the entity. If the entity is requested then approval is NOT required (the authorizer gets access directly)

8. Admin Roles that are assigned to an Authorization Policy can be Global or Scoped

a) Global : These roles can only be assigned at the root of the organisation (top organisation) and are applicable to the entire OIM system. Examples of global roles are System Administrator, Catalog Administrator, System Configurator etc
b) Scoped : These roles can be assigned to the top Organization or any other organisation that is under the top Organization.

 


Certification Result is now available for “1Z1-459 (now 1Z0-459) Oracle Identity Governance Suite 11g Essentials”


Result for beta certification  1Z1-459 (now live 1Z0-459) Oracle Identity Governance Suite 11g Essentials is out now and certification is live . More here and here

This certification is based on OIM 11gR2, OPAM 11gR2, and OIA 11gR1. After passing exam 1Z0-459, the certification you get is “Oracle Identity Manager 11g Certified Implementation Specialist”

 

Congratulations to all those who passed! I must say the exam was not easy, and full credit to the certification team for such an extensive set of questions.


Oracle Identity Manager BP07 for 11gR1 PS1 11.1.1.5.7 (16097399) is now available – (Part of Identity Management Suite BP03 16209876)


Oracle Identity Manager (OIM) 11gR1 PS1 (11.1.1.5.0) Bundle Patch 7 (BP07), i.e. 11.1.1.5.7, is now available as patch 16097399 and is part of Oracle Identity Management Suite Bundle Patch 3 (BP03) 16209876.

  • Oracle Identity & Access Management components consist of OIM, OAM, OES, OAAM, OID, OVD, OIF, OIA, GRC, eSSO, OSSO, etc.

From an installation point of view there are two installers

1) Identity Management Suite – products that are part of Identity Management are OID, OVD, OIF
2) Identity & Access Management Suite – products that are part of Identity & Access Management are OIM, OAM, OES, and OAAM

More on OIM/OAM/OID/OVD versions here and here

To add further confusion, Oracle releases the Bundle Patch for OIM, OAM, OAAM, OES as the Oracle Identity Management Suite Bundle Patch (and not as Identity & Access Management Bundle Patches).

This post focuses on patches and product versions for OIM, OAM, OAAM & OES.

1. OIM/OAM/OES/OAAM have the following base versions: 11.1.1.3.x (aka 11gR1), 11.1.1.5.x (aka 11gR1 PS1), and 11.1.2.x (aka 11gR2)

2. There are Bundle Patches (BP) that you can apply on top of base version 11gR1 (11.1.1.3) or 11gR1 PS1 (11.1.1.5) or 11gR2 (11.1.2)

3. Bundle Patches are for a specific base version, i.e. Bundle Patch 2 (BP02) for 11gR1 is different from Bundle Patch 2 (BP02) for 11gR1 PS1.

4. A Bundle Patch usually updates the 5th digit in the version, so BP02 for 11gR1 is 11.1.1.3.2 and BP02 for 11gR1 PS1 is 11.1.1.5.2 (the fifth digit, i.e. 2, represents the Bundle Patch)

5. There is a Bundle Patch (with a different patch number) for each individual product, like BP02 for OIM, BP02 for OAM and BP02 for OES.

6. Oracle recently combined the Bundle Patches for OIM, OAM, OAAM, and OES and bundled them under the Identity Management Bundle Patch.

7. Latest identity management bundle patch for 11gR1 PS1 is BP03 i.e. 11.1.1.5.3 (as of April 2013) and includes following individual Bundle Patch
a) OIM BP07 (released in April 2013) i.e. 11.1.1.5.7 for Oracle Identity Manager
b) OAM BP05 (released in Jan 2013) i.e. 11.1.1.5.5 for Oracle Access Manager
c) OES BP04 (released in Jan 2013) i.e. 11.1.1.5.4 for Oracle Entitlement Server
d) OAAM BP02 (released in Oct 2012) i.e. 11.1.1.5.2 for Oracle Adaptive Access Manager

 

More on OIM 11.1.1.5 BP07 installation in README of patch 16097399 (delivered as part of Identity Management Suite BP03 16209876)

 

References/Related 

  • OIM 11.1.1.5.7 BP 07 is Available for Download [ID 1546085.1]


OEM 12c to Monitor Identity and Access Management : You are not yet licensed to use the Management Pack Plus for Identity Management


Oracle Enterprise Manager 12c Cloud Control is the recommended tool to monitor/manage Oracle Identity & Access Management (OID, OVD, OIM, OAM etc) and WebLogic Server (steps to configure OEM 12c to monitor IAM to follow soon).

For an overview of OEM Cloud Control 12c installation click here, and to install OEM 12c cloud control using SIMPLE mode (you can use SIMPLE or ADVANCED mode to install) click here

To view the Identity & Access Management dashboard, log in to the OEM cloud control central console (https://OMSHost:7799/em as user sysman) -> Targets -> Middleware -> Middleware Features -> Identity & Access

In my environment I received License Error screen

____

The page requested is part of the Management Pack Plus for Identity Management.

You are not yet licensed to use the Management Pack Plus for Identity Management. If you like this functionality, please see your super administrator about obtaining a license.

_____

Note: From OEM 12c, Identity Management Pack Plus is enabled by default and is under OEM plug-in Oracle Fusion Middleware

 

To view the Identity & Access Management dashboard page, the OEM Agent must be running on one of the Identity Management boxes and at least one Identity Management component (OID, OVD, OIM etc) must be discovered.

To fix the above issue, install the OEM agent on one of the IAM servers, discover the IAM targets and promote them to managed component status (steps to follow soon)

Identity & Access Management Dashboard should look like below

 

Steps to configure OEM 12c cloud control to manage Identity Management component coming soon !!

Help Me : Microsoft Active Directory Password Sync version and latest patch for Oracle Identity Manager 9.1.1.5


I discussed the OIM connectors available for Microsoft products (AD User Management, Microsoft Windows, Microsoft Exchange, and Password Synchronization), and I also posted about Password Synchronization for Active Directory, which must be installed on all Microsoft Active Directory Domain Controllers and is used to sync passwords updated on AD to OIM (Note: Passwords are synchronized by default from OIM to AD using MS-AD User Management Connector).

 

What is latest version of Active Directory Password Synchronization software ?

Well if you follow  OIM Server connectors download page, it says latest version is 9.1.1.5 and “Please apply AD Password Sync connector patch 14627510 after downloading from MOS (My Oracle Support).”

  • As per My Oracle Support, patch 14627510 released on 18th Sep 2012 that brings Password Sync connector to version 9.1.1.5.6
  • [updated on Nov 03, 2013 with latest patch set as 9.1.1.5.10] However, while doing my research I found another patch 16911683 released on 10th Jun 2013 that brings Microsoft AD Password Synchronization to version 9.1.1.5.10 (It's more than a year since Support updated the download page to include 9.1.1.5.10 as the latest patch. My Oracle Support : Is anyone listening ?)

 

 

Quiz for readers :  How to find version of Microsoft AD Password Synchronization connector for OIM installed on your domain controller (hint above screenshot) ?

 


Oracle IAM 11gR2 PS2 (11.1.2.2) is now available : Software download & Documentation


Oracle Identity & Access Management (IAM) 11gR2 PS2 (11.1.2.2) is now available to download here

 

Following IAM products are available as part of 11gR2 PS2

  • Oracle Identity Manager (OIM)
  • Oracle Access Manager (OAM), OAM SDK, WebGates
  • Oracle Entitlement Server (OES) & Security Modules (OES SM)
  • Oracle Adaptive Access Manager (OAAM)
  • Oracle Privileged Account Manager (OPAM)
  • Oracle Unified Directory (OUD)*
  • Oracle Enterprise Single Sign-On (eSSO)*
* OUD & eSSO are part of a separate installer.

Note: For complete list of all Oracle IAM components click here

  • Documentation for IAM 11gR2 PS2 (11.1.2.2) version including release note is available here

 

 

If you are confused like many others about various Oracle IAM component version then check my previous post here

Stay tuned for how to upgrade Oracle IAM ….


Oracle IAM 11.1.2.2 Certification Matrix – Supported JDK, WebLogic, OS


If you are looking for the certified O.S., JDK, Database or Web Server version for Oracle Identity & Access Management then check the Certification Matrix for Fusion Middleware Components here

On the Fusion Middleware Certification Matrix page, search for your Identity & Access Management version and click on XLS. For the Certification Matrix for IAM version 11.1.2.2 click here

 

 


EBS Integration with OIM : Employee Reconciliation : NumberFormatException: “BUSINESS_GROUP_ID”


This post is from our demo environment to configure Segregation of Duties (SoD) in EBS using GRC/OAACG/OIM. Contact Us if you are interested in demo of GRC/OAACG/OIM/EBS integration for SoD.

I discussed Oracle EBS (R12/11i) integration with Oracle Identity Manager (OIM) here; the two types of connectors available for EBS integration are

a) EBS UM Connector : User Management to provision Accounts in EBS (FND_USER)

b) EBS ER Connector : Employee Reconciliation to create users in OIM from the EBS Employee record (PER_ALL_PEOPLE_F).

In this post I am going to share an issue I encountered in the EBS-ER connector during reconciliation of Employee records from EBS to OIM.

For reconciliation of Employee Records from EBS to OIM, you run the scheduled job eBusiness Suite HRMS Trusted Reconciliation in OIM.

 

When I ran this scheduled job I encountered an error like

___

<Apr 10, 2014 11:24:03 PM BST> <Error> <OIMCP.EBSER> <BEA-000000> <================= Start Stack Trace =======================>
<Apr 10, 2014 11:24:03 PM BST> <Error> <OIMCP.EBSER> <BEA-000000> <oracle.iam.connectors.ebs.hrms.tasks.EmployeeReconciliationTask : execute>
<Apr 10, 2014 11:24:03 PM BST> <Error> <OIMCP.EBSER> <BEA-000000> <Query execution failed>
<Apr 10, 2014 11:24:03 PM BST> <Error> <OIMCP.EBSER> <BEA-000000> <Description : Failed to execute the query>
<Apr 10, 2014 11:24:03 PM BST> <Error> <OIMCP.EBSER> <BEA-000000> <oracle.iam.connectors.ebs.common.TargetOperationException: Failed to execute the query
at oracle.iam.connectors.ebs.common.dao.DBUtil.getFirstPage(Unknown Source)
at oracle.iam.platform.tx.OIMTransactionCallbackWithoutResult.process(OIMTransactionCallbackWithoutResult.java:9)
at oracle.iam.platform.tx.OIMTransactionCallback.doInTransaction(OIMTransactionCallback.java:13)
at org.springframework.transaction.support.TransactionTemplate.execute(TransactionTemplate.java:128)
at oracle.iam.platform.tx.OIMTransactionManager.execute(OIMTransactionManager.java:22)
ActionExecutorWrapper.execute(AbstractSubjectSecurity.java:228)
at oracle.security.jps.internal.jaas.CascadeActionExecutor$SubjectPrivilegedAction.run(CascadeActionExecutor.java:68)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
CascadeActionExecutor.execute(CascadeActionExecutor.java:50)
at oracle.security.jps.internal.jaas.AbstractSubjectSecurity$ActionExecutorWrapper.execute(AbstractSubjectSecurity.java:228)
at Thor.API.Security.LoginHandler.AssertionLoginSession.runAs(AssertionLoginSession.java:93)
at oracle.iam.scheduler.impl.quartz.QuartzJob.execute(QuartzJob.java:77)
Caused by: oracle.iam.connectors.ebs.common.TargetOperationException: Failed to get the paged records
at oracle.iam.connectors.ebs.common.dao.DBUtil.getPagedRecords(Unknown Source)
… 32 more
Caused by: oracle.iam.connectors.ebs.common.TargetOperationException: Invalid format of NUMBER value
at oracle.iam.connectors.ebs.common.dao.DBUtil.setNamedParameters(Unknown Source)
… 33 more
Caused by: java.lang.NumberFormatException: For input string: “BUSINESS_GROUP_ID”
at java.lang.NumberFormatException.forInputString(NumberFormatException.java:65)
… 34 more
>
<Apr 10, 2014 11:24:03 PM BST> <Error> <OIMCP.EBSER> <BEA-000000> <================= End Stack Trace =======================>

________

 

The important message in the whole error stack was Caused by: java.lang.NumberFormatException: For input string: “BUSINESS_GROUP_ID”

When the reconciliation job eBusiness Suite HRMS Trusted Reconciliation is run, it runs a SQL query that fetches data from the PER_ALL_PEOPLE_F table of EBS and looks for the column BUSINESS_GROUP_ID

Query : Table PER_ALL_PEOPLE_F (search for BUSINESS_GROUP_ID and CURRENT_EMPLOYEE_FLAG, EFFECTIVE_START_DATE)

Fix : Set lookup Lookup.EBS.HRMS.QueryFilters in OIM Design Console

Log into OIM Design Console -> Administration -> Lookup Definition and search for Lookup.EBS.HRMS.QueryFilters

Enter the following values:

fromDate = 01-Jan-2012|Date|DD-Mon-YYYY
businessGroupID = 202|number
toDate = 12-Apr-2014|Date|DD-Mon-YYYY

Save the changes

(Here 202 is BUSINESS_GROUP_ID from PER_ALL_PEOPLE_F table)

Run the scheduled job eBusiness Suite HRMS Trusted Reconciliation; this should now create users in OIM (from EBS Employee)
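A pre-flight check for the Lookup.EBS.HRMS.QueryFilters values above, as an added example (not part of the original post or of the connector's code). It assumes the decode format is value|type, with a third |format field for dates, as inferred from the three entries shown; the function names and the UNSET sample are constructed for illustration.

```python
"""Pre-flight check for Lookup.EBS.HRMS.QueryFilters decode values.

Assumption (inferred from the three entries shown in the post, not taken
from connector documentation): a decode is  value|type  for numbers and
value|type|format  for dates.
"""
from datetime import datetime

# Oracle-style date masks this check can translate to strptime patterns.
# Only the mask used in the post is covered.
DATE_MASKS = {"DD-Mon-YYYY": "%d-%b-%Y"}


def check_filter(code, decode):
    """Return (parsed_value, None) if the entry is usable, else (None, reason)."""
    parts = [p.strip() for p in decode.split("|")]
    if len(parts) < 2 or not parts[0]:
        return None, f"{code}: expected value|type[|format], got {decode!r}"
    value, ftype = parts[0], parts[1].lower()

    if ftype == "number":
        # A non-numeric value here is what surfaces in the job log as
        # NumberFormatException: For input string: "<value>".
        if not (value.isascii() and value.isdigit()):
            return None, f"{code}: {value!r} is not a number"
        return int(value), None

    if ftype == "date":
        if len(parts) != 3:
            return None, f"{code}: a Date entry needs a format mask"
        pattern = DATE_MASKS.get(parts[2])
        if pattern is None:
            return None, f"{code}: unsupported date mask {parts[2]!r}"
        try:
            return datetime.strptime(value, pattern).date(), None
        except ValueError:
            return None, f"{code}: {value!r} does not match {parts[2]}"

    return None, f"{code}: unknown type {parts[1]!r}"


def validate_lookup(entries):
    """Validate every entry, then check that the date window is not inverted."""
    parsed, errors = {}, []
    for code, decode in entries.items():
        value, reason = check_filter(code, decode)
        if reason:
            errors.append(reason)
        else:
            parsed[code] = value
    if "fromDate" in parsed and "toDate" in parsed:
        if parsed["fromDate"] > parsed["toDate"]:
            errors.append("fromDate is later than toDate")
    return errors


# The values entered in the post's fix.
FIXED = {
    "fromDate": "01-Jan-2012|Date|DD-Mon-YYYY",
    "businessGroupID": "202|number",
    "toDate": "12-Apr-2014|Date|DD-Mon-YYYY",
}

# Constructed sample: the string from the stack trace left in businessGroupID
# (the post does not show what the lookup contained before the fix).
UNSET = dict(FIXED, businessGroupID="BUSINESS_GROUP_ID|number")

if __name__ == "__main__":
    for name, lookup in (("fixed", FIXED), ("unset", UNSET)):
        problems = validate_lookup(lookup)
        print(name, "OK" if not problems else problems)
```

Running the same check against an export of the lookup before each scheduled run catches a non-numeric businessGroupID or an inverted date window without having to read the stack trace.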

Contact Us if you are interested in demo of GRC/OAACG/OIM/EBS integration or just integration of OIM with Oracle EBS.


OIM EBS User Management : eBusiness UM Lookup Definition Reconciliation failed with Invalid Schedule Task Parameter


This post is from our demo environment to configure Segregation of Duties (SoD) in Oracle eBusiness Suite (R12) using GRC/OAACG/OIM. Contact Us if you are interested in demo of GRC/OAACG/OIM/EBS integration for SoD.

I discussed Oracle EBS (R12/11i) integration with Oracle Identity Manager (OIM) here; the two types of connectors available for EBS integration are

a) EBS UM Connector : User Management to provision Accounts in EBS (FND_USER)

b) EBS ER Connector : Employee Reconciliation to create users in OIM from the EBS Employee record (PER_ALL_PEOPLE_F).

Before an EBS Responsibility (treated as an entitlement in OIM) can be provisioned via OIM, the responsibilities must be visible in OIM as a lookup. The scheduled job for lookup of EBS Responsibility fetches these responsibilities from EBS and stores them as a lookup in OIM. In this post I am going to share an issue I encountered in the EBS-UM connector while running the scheduled job for lookup of EBS Responsibility.

Schedule job failed with error in OIM logs as

_______

<Apr 22, 2014 11:26:22 PM BST> <Error> <OIMCP.EBSUM> <BEA-000000> <====================================================>
<Apr 22, 2014 11:26:22 PM BST> <Error> <OIMCP.EBSUM> <BEA-000000> <oracle.iam.connectors.ebs.usermgmt.tasks.UserMgmtLookupReconciliationTask : initializeAndValidateTaskParams : Please provide a valid value to Scheduled Task attribute: IT Resource Name>
<Apr 22, 2014 11:26:22 PM BST> <Error> <OIMCP.EBSUM> <BEA-000000> <====================================================>
<Apr 22, 2014 11:26:22 PM BST> <Error> <OIMCP.EBSUM> <BEA-000000> <================= Start Stack Trace =======================>
<Apr 22, 2014 11:26:22 PM BST> <Error> <OIMCP.EBSUM> <BEA-000000> <oracle.iam.connectors.ebs.usermgmt.tasks.UserMgmtLookupReconciliationTask : init>
<Apr 22, 2014 11:26:22 PM BST> <Error> <OIMCP.EBSUM> <BEA-000000> <Invalid Schedule Task Parameter>
<Apr 22, 2014 11:26:22 PM BST> <Error> <OIMCP.EBSUM> <BEA-000000> <Description : Invalid Schedule Task Parameter>
<Apr 22, 2014 11:26:22 PM BST> <Error> <OIMCP.EBSUM> <BEA-000000> <oracle.iam.connectors.common.ConnectorException: Invalid Schedule Task Parameter
at oracle.iam.connectors.ebs.usermgmt.tasks.UserMgmtLookupReconciliationTask.init(Unknown Source)
at com.thortech.xl.scheduler.tasks.SchedulerBaseTask.execute(SchedulerBaseTask.java:382)

Caused By: oracle.iam.connectors.common.ConnectorException: Invalid Schedule Task Parameter
at oracle.iam.connectors.ebs.usermgmt.tasks.UserMgmtLookupReconciliationTask.init(Unknown Source)

_______
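
To find out which scheduled task attributes the connector is rejecting, the log can be scanned for the "Please provide a valid value" message shown above. The following is an added example, not part of the original post or of the connector; the function names are hypothetical and the sample log is constructed in the same layout (the "Query Property File" line is constructed, it does not appear in the excerpt above).

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the excerpt above:
# <timestamp> <severity> <subsystem> <message id> <message text>
SAMPLE_LOG = """\
<Apr 22, 2014 11:26:22 PM BST> <Error> <OIMCP.EBSUM> <BEA-000000> <====================================================>
<Apr 22, 2014 11:26:22 PM BST> <Error> <OIMCP.EBSUM> <BEA-000000> <oracle.iam.connectors.ebs.usermgmt.tasks.UserMgmtLookupReconciliationTask : initializeAndValidateTaskParams : Please provide a valid value to Scheduled Task attribute: IT Resource Name>
<Apr 22, 2014 11:26:22 PM BST> <Error> <OIMCP.EBSUM> <BEA-000000> <====================================================
>
<Apr 22, 2014 11:26:23 PM BST> <Error> <OIMCP.EBSUM> <BEA-000000> <oracle.iam.connectors.ebs.usermgmt.tasks.UserMgmtLookupReconciliationTask : initializeAndValidateTaskParams : Please provide a valid value to Scheduled Task attribute: Query Property File>
<Apr 22, 2014 11:26:23 PM BST> <Error> <OIMCP.EBSUM> <BEA-000000> <oracle.iam.connectors.common.ConnectorException: Invalid Schedule Task Parameter
at oracle.iam.connectors.ebs.usermgmt.tasks.UserMgmtLookupReconciliationTask.init(Unknown Source)
>
<Apr 22, 2014 11:26:24 PM BST> <Info> <OIMCP.EBSUM> <BEA-000000> <unrelated informational line>
"""

# A record starts with four <...> fields followed by the opening of the message.
HEADER = re.compile(
    r"^<(?P<ts>[^>]+)> <(?P<sev>[^>]+)> <(?P<subsys>[^>]+)> <(?P<msgid>[^>]+)> <(?P<text>.*)$"
)
MISSING = re.compile(
    r"(?P<task>[\w.$]+) : \w+ : "
    r"Please provide a valid value to Scheduled Task attribute: (?P<attr>.+)"
)


def records(log_text):
    """Yield one dict per log record, folding continuation lines
    (stack frames, a closing '>' on its own line) into the message text."""
    current = None
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if m:
            if current:
                yield current
            current = m.groupdict()
        elif current is not None:
            current["text"] += "\n" + line
    if current:
        yield current


def missing_task_attributes(log_text, subsystem="OIMCP.EBSUM"):
    """Map task class name -> attributes reported as missing or invalid."""
    found = defaultdict(list)
    for rec in records(log_text):
        if rec["sev"] != "Error" or rec["subsys"] != subsystem:
            continue
        text = rec["text"].rstrip().rstrip(">").rstrip()
        m = MISSING.search(text)
        if m:
            task = m["task"].rsplit(".", 1)[-1]
            attr = m["attr"].strip()
            if attr not in found[task]:
                found[task].append(attr)
    return dict(found)


if __name__ == "__main__":
    for task, attrs in missing_task_attributes(SAMPLE_LOG).items():
        print(task, "->", ", ".join(attrs))
```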
The fix is to populate two parameters of the scheduled job (IT Resource Name and Query Property File).

This scheduled job uses a properties file, ebsUMLookupQuery.properties (which comes as part of the EBS-UM connector). This properties file has entries like those below to get the list of all the responsibilities in EBS:

____

Lookup.EBS.Application=SELECT fa.application_id AS CODE, fa.application_short_name AS DECODE FROM fnd_application fa

Lookup.EBS.UMX.Roles=SELECT (CONCAT(fa.application_id || '~', b.name)) AS CODE, (b.display_name) AS DECODE FROM fnd_application fa, wf_local_roles b WHERE b.orig_system = 'UMX' AND b.status = 'ACTIVE' AND fa.application_short_name = b.owner_tag

Lookup.EBS.Responsibility=SELECT (CONCAT(fa.application_id || '~', fr.responsibility_id)) AS CODE, fr.responsibility_name AS DECODE FROM fnd_application fa, fnd_responsibility_tl fr WHERE fa.application_id = fr.application_id

Lookup.EBS.SecurityGroup=SELECT security_group_id AS CODE, security_group_key AS DECODE FROM fnd_security_groups

_____
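
Because the Query Property File holds SQL that the scheduled job runs against EBS, it is worth checking the file before pointing the job at it. The following pre-flight check is an added example, not part of the original post or of the connector; it assumes, from the entries shown above, that each lookup query is a single read-only SELECT exposing CODE and DECODE columns. The function names and the sample entries (including the keys Pasted, NoDecode and Stacked) are constructed.

```python
import re

# Constructed test input. The first two entries follow the ones shown above;
# the last three are hypothetical entries that the check should flag.
SAMPLE_PROPERTIES = """\
# constructed sample, not the connector's shipped file
Lookup.EBS.Application=SELECT fa.application_id AS CODE, fa.application_short_name AS DECODE FROM fnd_application fa
Lookup.EBS.Responsibility=SELECT (CONCAT(fa.application_id || '~', fr.responsibility_id)) AS CODE, \\
    fr.responsibility_name AS DECODE FROM fnd_application fa, fnd_responsibility_tl fr \\
    WHERE fa.application_id = fr.application_id
Lookup.EBS.Pasted=SELECT (CONCAT(fa.application_id || \u2018~\u2019, b.name)) AS CODE, b.display_name AS DECODE FROM fnd_application fa, wf_local_roles b
Lookup.EBS.NoDecode=SELECT security_group_id AS CODE FROM fnd_security_groups
Lookup.EBS.Stacked=SELECT 1 AS CODE, 2 AS DECODE FROM dual; COMMIT
"""

CURLY_QUOTES = "\u2018\u2019\u201c\u201d"  # typographic quotes from copy/paste
STRING_LITERAL = re.compile(r"'(?:[^']|'')*'")
FORBIDDEN = re.compile(
    r"\b(INSERT|UPDATE|DELETE|MERGE|DROP|ALTER|CREATE|TRUNCATE|GRANT|EXECUTE|BEGIN|COMMIT)\b",
    re.I,
)


def load_properties(text):
    """Minimal .properties reader: comments, blank lines, backslash continuations."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def lint_query(sql):
    """Return a list of problems found in one lookup query (empty list = clean)."""
    problems = []
    if any(ch in sql for ch in CURLY_QUOTES):
        problems.append("typographic quotes")
    bare = STRING_LITERAL.sub("''", sql)  # ignore text inside string literals
    if not re.match(r"\s*SELECT\b", bare, re.I):
        problems.append("not a SELECT")
    if ";" in bare:
        problems.append("more than one statement")
    if FORBIDDEN.search(bare):
        problems.append("DML/DDL keyword")
    for alias in ("CODE", "DECODE"):
        if not re.search(r"\bAS\s+%s\b" % alias, bare, re.I):
            problems.append("missing alias " + alias)
    return problems


def lint_properties(text, prefix="Lookup."):
    """Lint every lookup entry; returns {key: [problems]}."""
    return {k: lint_query(v) for k, v in load_properties(text).items()
            if k.startswith(prefix)}


if __name__ == "__main__":
    for key, problems in lint_properties(SAMPLE_PROPERTIES).items():
        print(key, "OK" if not problems else problems)
```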


Contact us if you are interested in a demo of OIM/EBS integration or integration of OIM/EBS/GRC.


Presenting at #UKOUG_APPS14 (8th Dec Monday 4:30 PM) : EBS integration with Identity Management


I am presenting the paper Integrating Oracle E-Business Suite with Identity & Access Management & Lessons Learned with Neha Mittal.

The presentation is on Monday 8th December at 4:30 PM in Liverpool (UK), covering

  • Overview of Oracle Identity & Access Management 
  • Integration options including OAM (SSO), OIM (Provisioning & Reconciliation) & GRC (SoD)
  • High level lessons learned from our various implementations 

If you are at #UKOUG_APPS14 or #UKOUG_TECH14 in Liverpool on 8th Dec, or need any help/suggestions in implementing Oracle Identity & Access Management, then contact me or Neha Mittal.

Related Posts for Apps SSO/OID Integration


  1. 25 Things Apps DBA should know for Apps 11i/R12 Integration with OID/SSO
  2. Questions for Oracle Apps 11i & R12 Integration with 10g AS/SSO
  3. Oracle Single Sign-On Server for Apps DBA
  4. Clone Apps 11i/R12/12i integrated with SSO
  5. Notes/Docs to integrate Apps 11i with 10g AS Portal/OID/SSO
  6. Migrate Users to/from OID and Oracle Apps 11i/R12
  7. User created in Apps 11i/R12/12i not sync to OID
  8. Apps 11i/R12/12i Registration/Deregistration with OID/SSO : internals
  9. Error while running SSO registration on 11i : txkrun.pl -script=SetSSOReg
  10. How to Deregister SSO/OID from Oracle Apps 11i/R12/12i
  11. Error adding new User (11i) – unable to call fnd_ldap _wrapper .create_user
  12. Unable to call fnd_ldap_wrapper . create_user / update_user ORA-20001
  13. Oracle Access Manager 11g is now certified with E-Business Suite (Apps) R12
  14. Integrate Oracle Apps (E-Business Suite) R12 with Oracle Access Manager (OAM) 11g for SSO
  15. EBusiness Suite (Apps R12) integration with OAM 11g : inter component communication and Ports to open in FireWall
  16. 10g WebGate Installation with OAM 11g : Access Server ID, Port and WebGate ID
  17. EBS R12 integration with WebCenter – Error retrieving WSDL at URL OA_HTML/ portlets/ WSRPBaseService?WSDL
  18. Integrate E-Business Suite with Oracle WebCenter (11.1.1.5) using OID and OAM (11g) as SSO
  19. EBS R12 integrated with SSO (OAM/OSSO) prompting for username / password again : Your Oracle E-Business Suite account has not been linked
  20. EBS OAM integration : Logout should re-direct to different URL
  21. Presenting at #UKOUG_APPS14 (8th Dec Monday 4:30 PM) : EBS integration with Identity Management

Topic 6 : Security in OIG and Delegated Admin : Certification Oracle Identity Governance Suite 11g Essentials Exam -1Z1-459


This post covers topic 6 of certification 1Z1-459 Oracle Identity Governance Suite 11g Essentials, i.e. Security.

Topic 6, Security, of certification 1Z1-459 contains the following sub-topics:
6.1 Describe features of OES and how OIG leverages OES to create the security model
6.2 Configure a Delegated Administration model

1. Authentication : the process of proving that you are who you say you are. The common method of authentication in OIM is username/password.

2. Authorization : defines the permissions or access rights assigned to a user. Authorization defines what a user can see/do in OIM.

3. Role : Roles are used to manage a collection of users to whom you wish to permit the same access rights or functionality. A role has a Category (a collection of related roles in one category). By default there are two role categories:

a) OIM Roles: All pre-defined roles in OIM are part of the OIM Roles category

b) Default: This is the default role category. If you don't specify a role category during role creation, the category Default is assigned to the role.

4. OIM has an embedded authorisation engine, Oracle Entitlement Server (OES), which, with the help of authorisation policies in OIM, controls what actions a user can perform in OIM.

Note: Oracle Entitlement Server (OES) is used to define the authorisation policies that control the access rights users have.

5. Authorization Policy : determines at runtime whether or not a particular action is allowed. Policies for OIM in version 11gR2 are defined in OES.

6. Authorization Policies in OIM 11gR2 are managed through the OES Admin Console ( http://weblogic_host:admin_port/apm )

7. There are three types of Administrative Roles in OIM:

a) Administrator : This role manages the entire life cycle of the entity
b) Viewer : can see the entity and request access for the entity. If the viewer requests the entity, approval is required for the viewer to view the request
c) Authorizer : can see the entity and request access for the entity. If the viewer requests the entity, approval is NOT required for the viewer to view the request (the authorizer gets access directly)

8. Admin Roles that are assigned to an Authorization Policy can be Global or Scoped

a) Global : These roles can only be assigned at the root of the organisation (top organisation) and are applicable to the entire OIM system. Examples of global roles are System Administrator, Catalog Administrator, System Configurator etc.
b) Scoped : These roles can be assigned to the top Organization or to any other organisation that is under the top Organization.


Certification Result is now available for “1Z1-459 (now 1Z0-459) Oracle Identity Governance Suite 11g Essentials”


The result for beta certification 1Z1-459 (now live as 1Z0-459) Oracle Identity Governance Suite 11g Essentials is out now and the certification is live. More here and here

This certification is based on OIM 11gR2, OPAM 11gR2, and OIA 11gR1. After passing exam 1Z0-459, the certification you get is “Oracle Identity Manager 11g Certified Implementation Specialist”.

Congratulations to all those who passed! I must say the exam was not easy, and full credit to the certification team for such an extensive set of questions.

Oracle Identity Manager BP07 for 11gR1 PS1 11.1.1.5.7 (16097399) is now available – (Part of Identity Management SUite BP03 16209876)


Oracle Identity Manager (OIM) 11gR1 PS1 (11.1.1.5.0) Bundle Patch 7 (BP07), i.e. 11.1.1.5.7, is now available as patch 16097399 and is part of Oracle Identity Management Suite Bundle Patch 3 (BP03) 16209876.

  • Oracle Identity & Access Management components consist of OIM, OAM, OES, OAAM, OID, OVD, OIF, OIA, GRC, eSSO, OSSO, etc.

From an installation point of view there are two installers:

1) Identity Management Suite – products that are part of Identity Management are OID, OVD, OIF
2) Identity & Access Management Suite – products that are part of Identity & Access Management are OIM, OAM, OES, and OAAM

More on OIM/OAM/OID/OVD versions here and here

To add further confusion, Oracle releases the Bundle Patch for OIM, OAM, OAAM and OES as the Oracle Identity Management Suite Bundle Patch (and not as Identity & Access Management Bundle Patches).

This post focuses on patches and product versions for OIM, OAM, OAAM & OES.

1. OIM/OAM/OES/OAAM have the following base versions: 11.1.1.3.x (aka 11gR1), 11.1.1.5.x (aka 11gR1 PS1), and 11.1.2.x (aka 11gR2)

2. There are Bundle Patches (BP) that you can apply on top of base version 11gR1 (11.1.1.3), 11gR1 PS1 (11.1.1.5) or 11gR2 (11.1.2)

3. Bundle Patches are for a specific base version, i.e. Bundle Patch 2 (BP02) for 11gR1 is different from Bundle Patch 2 (BP02) for 11gR1 PS1.

4. A Bundle Patch usually updates the 5th digit in the version, so BP02 for 11gR1 is 11.1.1.3.2 and BP02 for 11gR1 PS1 is 11.1.1.5.2 (the fifth digit, i.e. 2, represents the Bundle Patch)

5. There is a Bundle Patch (with a different patch number) for each individual product, like BP02 for OIM, BP02 for OAM and BP02 for OES.

6. Oracle recently combined the Bundle Patches for OIM, OAM, OAAM, and OES and bundled them under the Identity Management Bundle Patch.

7. The latest Identity Management bundle patch for 11gR1 PS1 is BP03, i.e. 11.1.1.5.3 (as of April 2013), and includes the following individual Bundle Patches:
a) OIM BP07 (released in April 2013) i.e. 11.1.1.5.7 for Oracle Identity Manager
b) OAM BP05 (released in Jan 2013) i.e. 11.1.1.5.5 for Oracle Access Manager
c) OES BP04 (released in Jan 2013) i.e. 11.1.1.5.4 for Oracle Entitlement Server
d) OAAM BP02 (released in Oct 2012) i.e. 11.1.1.5.2 for Oracle Adaptive Access Manager

More on OIM 11.1.1.5 BP07 installation is in the README of patch 16097399 (delivered as part of Identity Management Suite BP03 16209876).

References/Related 

  • OIM 11.1.1.5.7 BP 07 is Available for Download [ID 1546085.1]


OEM 12c to Monitor Identity and Access Management : You are not yet licensed to use the Management Pack Plus for Identity Management


Oracle Enterprise Manager 12c Cloud Control is the recommended tool to monitor/manage Oracle Identity & Access Management (OID, OVD, OIM, OAM etc.) and WebLogic Server (steps to configure OEM 12c to monitor IAM to follow soon).

For an overview of OEM Cloud Control 12c installation click here, and to install OEM 12c Cloud Control using SIMPLE mode (you can use SIMPLE or ADVANCED mode to install) click here

To view the Identity & Access Management dashboard, log in to the OEM Cloud Control central console (https://OMSHost:7799/em as user sysman) -> Targets -> Middleware -> Middleware Features -> Identity & Access

In my environment I received a License Error screen:

____

The page requested is part of the Management Pack Plus for Identity Management.

You are not yet licensed to use the Management Pack Plus for Identity Management. If you like this functionality, please see your super administrator about obtaining a license.

_____

Note: From OEM 12c, Identity Management Pack Plus is enabled by default and is under the OEM plug-in Oracle Fusion Middleware.

To view the Identity & Access Management dashboard page, the OEM Agent must be running on one of the Identity Management boxes and at least one Identity Management component (OID, OVD, OIM etc.) must be discovered.

To fix the above issue, install the OEM agent on one of the IAM servers, discover the IAM targets and promote them to managed component status (steps to follow soon).

Identity & Access Management Dashboard should look like below

Steps to configure OEM 12c Cloud Control to manage Identity Management components coming soon !!
