Wednesday, December 23, 2015

Migrate users from OID to OID using bulkload utility

In this post we shall see how to migrate users from one OID to another using the bulkload utility.

Step 1) Export users from the source OID:

export ORACLE_HOME=/u02/oracle/devoraidm/Oracle_IDM1
export ORACLE_INSTANCE=/u02/oracle/devoraidm/asinst_1
export TNS_ADMIN=$ORACLE_INSTANCE/config 

$ cd $ORACLE_HOME/bin
$ ldapsearch -h Hostname -p OIDPort -D "cn=orcladmin" -w Weblogic1 -L -s one -b "cn=Users,dc=*****,dc=****,dc=**" "(objectclass=*)" "*" > usersDEC23.ldif


Note: Prior to running bulkload, edit the LDIF file to remove every line that begins with authpassword or orclpassword. For example:

dn: cn=testuser,cn=users,dc=us,dc=oracle,dc=com
cn: testuser
uid: testuser
userpassword: {SHA}41vs5sXm4OhspR0EQOkigqnWrIo=
orclpassword={x- orcldbpwd}1.0:1772AD7C11B4F110                        <=== REMOVE
authpassword;orclcommonpwd={X- ORCLNTV}A3A685F89364D4A5182B028FBE79AC38 <=== REMOVE
authpassword;orclcommonpwd={X- ORCLLMV}C23413A8A1E7665FC2265B23734E0DAC <=== REMOVE
authpassword;orclcommonpwd={MD5}IB8AtcpdZaHBGOXjJDFRTA==                 <=== REMOVE
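A script for the edit described in the note, added here as an example and not part of the original post. It drops the authpassword and orclpassword attributes together with any LDIF continuation lines (a line starting with a single space continues the previous value), which a plain grep -v would leave dangling. The sample LDIF, the hash values and the strip_pwd_attrs/count_pwd_attrs function names are constructed for the example.

```shell
#!/bin/sh
# Added example (not part of the original post): strip the OID password-hash attributes
# from an exported LDIF before running bulkload. A plain "grep -v" is not enough, because
# LDIF folds long values onto continuation lines (lines beginning with a single space);
# those would be left dangling and attached to whatever attribute precedes them.
# This filter also drops the continuation lines of each removed attribute. Matching is
# case-insensitive and accepts the "attr:", "attr;option=" and "attr=" spellings.
strip_pwd_attrs() {
    # $1 = exported LDIF, $2 = cleaned LDIF to feed to bulkload
    awk '
        /^ / { if (skip) next; print; next }    # continuation of the previous attribute
        tolower($0) ~ /^(authpassword|orclpassword)[;:=]/ { skip = 1; next }
        { skip = 0; print }
    ' "$1" > "$2"
}

# Prints the number of password-hash attribute lines left in a file (0 is the goal).
count_pwd_attrs() {
    grep -ciE '^(authpassword|orclpassword)' "$1" || true
}

# Constructed sample export (placeholder values, not real hashes); the MD5 value is
# folded onto a continuation line the way ldapsearch -L writes long values.
SAMPLE_LDIF="${TMPDIR:-/tmp}/users_sample_$$.ldif"
cat > "$SAMPLE_LDIF" <<'EOF'
dn: cn=testuser,cn=users,dc=example,dc=com
cn: testuser
uid: testuser
userpassword: {SHA}PLACEHOLDERSHAVALUE=
orclpassword: {x- orcldbpwd}1.0:PLACEHOLDERHEX
authpassword;orclcommonpwd: {X- ORCLNTV}PLACEHOLDERHEX
authpassword;orclcommonpwd: {MD5}PLACEHOLDERBASE64PART1
 PLACEHOLDERBASE64PART2
EOF

strip_pwd_attrs "$SAMPLE_LDIF" "$SAMPLE_LDIF.clean"
echo "password attributes before: $(count_pwd_attrs "$SAMPLE_LDIF"), after: $(count_pwd_attrs "$SAMPLE_LDIF.clean")"
```

The userpassword attribute is kept, as in the note above; the post resets user passwords with ldapmodify after the load anyway.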

Step 2) Move usersDEC23.ldif to the destination OID server
Copy the usersDEC23.ldif file to $ORACLE_HOME/ldap/bin on the destination server.

Step 3) On the destination server, set the environment variables:
export ORACLE_HOME=/u02/oracle/devoraidm/Oracle_IDM1
export ORACLE_INSTANCE=/u02/oracle/devoraidm/asinst_1
export TNS_ADMIN=$ORACLE_INSTANCE/config 

Step 4) Take a backup of the application and the database.

Step 5) Stop the OID processes on the destination OID server:

$ cd $ORACLE_INSTANCE/bin
$ ./opmnctl stopall

Step 6) Navigate to the location below and run the bulkload utility:
$ cd $ORACLE_HOME/ldap/bin
$ ./bulkload connect=OIDDB check=true generate=true file=usersDEC23.ldif

Once that command completes successfully, run the load:

$ ./bulkload connect=OIDDB load=true 

Step 7) Start the OID processes on the destination OID server:

$ cd $ORACLE_INSTANCE/bin
$ ./opmnctl startall

All the users are now migrated to the destination OID server.

Use the ldapmodify command to set the users' passwords in the new OID:

$ ldapmodify -h Hostname -p OIDPort -D "cn=orcladmin" -w Weblogic1 -f ./pwdout.ldif

where the pwdout.ldif file is as follows:
<<
dn: cn=ucm_user1,cn=Users,dc=*****,dc=***,dc=**
changetype: modify
replace: userPassword
userPassword: abc123

dn: cn=ucm_user1,cn=Users,dc=*****,dc=***,dc=**
changetype: modify
replace: userPassword
userPassword: abc123
>>

Tuesday, December 8, 2015

Changing Security mode from Open to Simple for an Agent in OAM

In this post we shall see how to change the security mode of an agent from OPEN to SIMPLE.
1) Log in to /oamconsole as an admin user.
Navigate to System Configuration --> Access Manager --> SSO Agents --> OAM Agents.
Select the agent whose security mode you want to change from Open to Simple and change the mode as below:

It will generate new artifacts at the location below:
$DOMAIN_HOME/output/$AGENT_NAME
$ ls -lrth
-rw------- 1 devoam dba 3.1K Dec 8 12:17 cwallet.sso 
-rw-r----- 1 devoam dba 2.8K Dec 8 12:17 ObAccessClient.xml
-rw-r----- 1 devoam dba 272 Dec 8 12:17 password.xml
-rw-r----- 1 devoam dba 806 Dec 8 12:17 aaa_cert.pem
-rw-r----- 1 devoam dba 958 Dec 8 12:17 aaa_key.pem

2) Copy ObAccessClient.xml, password.xml and cwallet.sso to:
$OHS_HOME/instances/$INSTANCE_NAME/config/OHS/ohs1/webgate/config
Copy aaa_cert.pem and aaa_key.pem to:
$OHS_HOME/instances/$INSTANCE_NAME/config/OHS/ohs1/webgate/config/simple
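The copy step as a script with a pre-restart check, added here as an example and not part of the original post. It verifies that every artifact SIMPLE mode needs is present and non-empty before OHS is restarted, since a missing aaa_key.pem/aaa_cert.pem is what produces the "AccessGate API is not initialized" error shown in step 4 below. It assumes DOMAIN_HOME, AGENT_NAME, OHS_HOME and INSTANCE_NAME are set by the caller; the function names are constructed for the example.

```shell
#!/bin/sh
# Added example (not part of the original post): copy the regenerated agent artifacts
# into the WebGate config tree and verify that the SIMPLE-mode key pair landed before
# OHS is restarted. Paths are the ones given in steps 1 and 2; DOMAIN_HOME, AGENT_NAME,
# OHS_HOME and INSTANCE_NAME are assumed to be set by the caller.
webgate_cfg_dir() {
    echo "$OHS_HOME/instances/$INSTANCE_NAME/config/OHS/ohs1/webgate/config"
}

deploy_webgate_artifacts() {
    src="$DOMAIN_HOME/output/$AGENT_NAME"
    cfg="$(webgate_cfg_dir)"
    mkdir -p "$cfg/simple" || return 1
    for f in ObAccessClient.xml password.xml cwallet.sso; do
        cp "$src/$f" "$cfg/$f" || return 1
    done
    for f in aaa_cert.pem aaa_key.pem; do
        cp "$src/$f" "$cfg/simple/$f" || return 1
    done
    # keep the modes the generator used (see the ls listing): wallet owner-only,
    # private key owner/group only
    chmod 600 "$cfg/cwallet.sso" && chmod 640 "$cfg/simple/aaa_key.pem"
}

# Returns 0 only when every file SIMPLE mode needs is present and non-empty;
# otherwise names the first missing one on stderr and returns 1.
verify_simple_mode_artifacts() {
    cfg="$(webgate_cfg_dir)"
    for f in ObAccessClient.xml password.xml cwallet.sso simple/aaa_cert.pem simple/aaa_key.pem; do
        [ -s "$cfg/$f" ] || { echo "missing or empty: $cfg/$f" >&2; return 1; }
    done
    return 0
}

# usage: deploy_webgate_artifacts && verify_simple_mode_artifacts && (restart OHS, step 3)
```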

3) Restart OHS:
$ cd $OHS_HOME/instances/$INSTANCE_NAME/bin
$ ./opmnctl stopall
$ ./opmnctl startall

4) Test a URL protected by that agent.
Note: If aaa_key.pem and aaa_cert.pem are not copied properly, the error below is observed when accessing any resource protected by the agent.
ERROR:
[2015-12-08T12:44:57.2391+03:00] [OHS] [ERROR:32] [OHS-9999] [core.c] [client_id: 127.0.0.1] [host_id: localhost] [host_addr: HOSTNAME] [tid: 29] [user: devoam] [ecid: 0004pZYc0vjCwkG6yzfd6G0003UW000006] [rid: 0] [VirtualHost: main] OBWebGate_AuthnAndAuthz: Oracle AccessGate API is not initialized.
[2015-12-08T12:44:57.2401+03:00] [OHS] [ERROR:32] [OHS-9999] [core.c] [client_id: 127.0.0.1] [host_id:localhost] [host_addr: HOSTNAME] [tid: 29] [user: devoam] [ecid: 0004pZYc0vjCwkG6yzfd6G0003UW000006] [rid: 0] [VirtualHost: main] Request Failed for : /index.html, Resp Code : [500]
See My Oracle Support Doc ID 1378237.1: Setting the OAM Agent's Communication Mode with the OAM Server Set to Simple, returns HTTP-500 Error.


Monday, December 7, 2015

DIP is Started but Quartz Scheduler and MBeans showing down in EM Console


ISSUE:

While checking the status of DIP from the EM console, we were getting the error below.

<<
Configuration settings are unavailable. The profile management interfaces for the target /Farm_IDMDomain/IDMDomain/wls_ods1/DIP(11.1.1.2.0) are currently unavailable.
>>

CAUSE:

DIP had not been restarted properly the previous time.

SOLUTION:

A complete restart of the entire environment resolved the issue.

Stop the services in the following order:

1) wls_ods managed server
2) OPMN processes
3) Admin Server
4) Node Manager process
5) Oracle Database + Listener

Start the services in the following order:

1) Oracle Database + Listener
2) Admin Server
3) Node Manager process
4) wls_ods managed server
5) OPMN processes

Once the processes were restarted in the above order, the issue was resolved.

Wednesday, December 2, 2015

Oracle Identity Manager (OIM) start-up error

ISSUE:

While starting the OIM server from the WebLogic console, the error below was observed.

<<
<Error> <Security> <BEA-090870> <The realm "myrealm" failed to be loaded: weblogic.security.service.SecurityServiceException: com.bea.common.engine.ServiceInitializationException: com.bea.common.engine.SecurityServiceRuntimeException: [Security:097533]SecurityProvider service class name for WSRPIdentityAsserter is not specified..
weblogic.security.service.SecurityServiceException: com.bea.common.engine.ServiceInitializationException: com.bea.common.engine.SecurityServiceRuntimeException: [Security:097533]SecurityProvider service class name for WSRPIdentityAsserter is not specified.
at weblogic.security.service.CSSWLSDelegateImpl.initializeServiceEngine(CSSWLSDelegateImpl.java:342)
at weblogic.security.service.CSSWLSDelegateImpl.initialize(CSSWLSDelegateImpl.java:221)
at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.InitializeServiceEngine(CommonSecurityServiceManagerDelegateImpl.java:1783)
at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initializeRealm(CommonSecurityServiceManagerDelegateImpl.java:442)
at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.loadRealm(CommonSecurityServiceManagerDelegateImpl.java:840)

>>

REASON:

Node Manager was not configured to use the required startup script for the managed (OIM) server: setNMProps.sh had not been executed before the OIM server was started from the console for the first time.

SOLUTION:

1) Stop the Node Manager process if it is already running.
2) Edit the nodemanager.properties file and set the following parameters:
  StartScriptName=startWebLogic.sh
  StopScriptEnabled=true
  StartScriptEnabled=true

Note: Alternatively, you can run setNMProps.sh from the location below:
$MW_HOME/oracle_common/common/bin

3) Save the file.
4) Start the Node Manager process and try starting the OIM server from the console:
$ cd $WL_HOME/server/bin
$ nohup ./startNodeManager.sh &

The server starts up without any issues.
