Showing posts with label OID. Show all posts

Sunday 18 October 2015

Unable to login to oam console with new identity store

Unable to login to OAM Console 11g:

Sometimes you find yourself unable to log in to oamconsole after changing the identity store in the OAM 11g oamconsole from the EMBEDDED LDAP store to another LDAP store such as OID, OVD or ODSEE.

Before making this change, take a backup of the oam-config.xml file. Why is a backup of this file so important?

This file holds all the configuration information required by the OAM Server, and it is updated whenever the server configuration is changed.

For example, the default LDAP store is configured in it like this:

<Setting Name="UserIdentityStore" Type="htf:map">
    <Setting Name="SECURITY_PRINCIPAL" Type="xsd:string">cn=Admin</Setting>
    <Setting Name="GROUP_SEARCH_BASE" Type="xsd:string">ou=groups,ou=myrealm,dc=base_domain</Setting>
    <Setting Name="USER_NAME_ATTRIBUTE" Type="xsd:string">uid</Setting>
    <Setting Name="Type" Type="xsd:string">LDAP</Setting>
    <Setting Name="IsSystem" Type="xsd:boolean">true</Setting>
    <Setting Name="IsPrimary" Type="xsd:boolean">true</Setting>
    <Setting Name="Name" Type="xsd:string">UserIdentityStore1</Setting>
    <Setting Name="SECURITY_CREDENTIAL" Type="xsd:string">{AES}F8E3A9FAD9D662F753D842979423ED3D</Setting>
    <Setting Name="LDAP_PROVIDER" Type="xsd:string">EMBEDDED_LDAP</Setting>
    <Setting Name="USER_SEARCH_BASE" Type="xsd:string">ou=people,ou=myrealm,dc=base_domain</Setting>
    <Setting Name="ENABLE_PASSWORD_POLICY" Type="xsd:boolean">false</Setting>
    <Setting Name="LDAP_URL" Type="xsd:string">ldap://ldap-host:7001</Setting>
    <Setting Name="UserIdentityProviderType" Type="xsd:string">OracleUserRoleAPI</Setting>
</Setting>

Similarly, when you configure a new LDAP store, an entry of the same kind is created for it. You will notice that the new identity store becomes the primary store, with its IsPrimary flag set to true, while the IsPrimary flag of the embedded LDAP store turns false:
<Setting Name="IsPrimary" Type="xsd:boolean">true</Setting>

Possible ways out:
1) Check whether the user you are logging in with has admin rights, i.e. whether that user is a member of the administrators group of the LDAP store.
2) If step 1 is fine, then you may not have completed the configuration in the WebLogic console:
  • Check the Users and Groups configuration: is the added user present under the Users tab?
  • Check Roles and Policies: under Global Roles -> Admin, is your admin group present?
  • Check whether the identity store is placed at the top of the Providers tab; if not, reorder it.
3) If step 2 is OK, then check the oamconsole settings. Now you will ask: when I am not able to log in, how can I check those?
  • The answer lies in the explanation below.
So in case you are unable to log in to the oamconsole, just replace the oam-config.xml file with the old one. Remember that whenever you change the OAM server configuration, a backup file is generated automatically after the changes are applied.

So either replace the current oam-config.xml with the last automatically backed-up file, or with the copy you saved yourself.

Then restart the Admin and Managed servers; you should be able to log in with the default credentials of the embedded LDAP store.
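The following is an added example, not code from this post or from Oracle. It is a small Python script that parses an oam-config.xml (here a constructed fragment modelled on the one quoted above, with placeholder credentials) and lists every identity store with its IsPrimary flag, so that you can confirm which store the console will authenticate against before restarting the servers; it also takes the timestamped backup the post recommends. The only layout it relies on is that each store is an htf:map Setting carrying an IsPrimary child, which matches the fragment shown; the enclosing map name UserIdentityStores, the OID hostname and port, and the namespace handling are assumptions.

```python
import shutil
import time
import xml.etree.ElementTree as ET

# Constructed sample modelled on the fragment quoted in the post: the embedded
# store plus a newly added OID store that has become primary. Credentials and
# hostnames are placeholders, not real values.
SAMPLE_OAM_CONFIG = """<Configuration>
  <Setting Name="UserIdentityStores" Type="htf:map">
    <Setting Name="UserIdentityStore1" Type="htf:map">
      <Setting Name="Name" Type="xsd:string">UserIdentityStore1</Setting>
      <Setting Name="LDAP_PROVIDER" Type="xsd:string">EMBEDDED_LDAP</Setting>
      <Setting Name="LDAP_URL" Type="xsd:string">ldap://ldap-host:7001</Setting>
      <Setting Name="SECURITY_PRINCIPAL" Type="xsd:string">cn=Admin</Setting>
      <Setting Name="SECURITY_CREDENTIAL" Type="xsd:string">{AES}PLACEHOLDER</Setting>
      <Setting Name="IsSystem" Type="xsd:boolean">true</Setting>
      <Setting Name="IsPrimary" Type="xsd:boolean">false</Setting>
    </Setting>
    <Setting Name="OIDStore" Type="htf:map">
      <Setting Name="Name" Type="xsd:string">OIDStore</Setting>
      <Setting Name="LDAP_PROVIDER" Type="xsd:string">OID</Setting>
      <Setting Name="LDAP_URL" Type="xsd:string">ldap://oid-host:3060</Setting>
      <Setting Name="SECURITY_PRINCIPAL" Type="xsd:string">cn=orcladmin</Setting>
      <Setting Name="SECURITY_CREDENTIAL" Type="xsd:string">{AES}PLACEHOLDER</Setting>
      <Setting Name="IsSystem" Type="xsd:boolean">true</Setting>
      <Setting Name="IsPrimary" Type="xsd:boolean">true</Setting>
    </Setting>
  </Setting>
</Configuration>"""


def _local(tag):
    """Strip any XML namespace so the code works whether or not the file declares one."""
    return tag.rsplit("}", 1)[-1]


def identity_stores(xml_text):
    """Return one dict per identity store: every htf:map Setting that has an IsPrimary child."""
    root = ET.fromstring(xml_text)
    stores = []
    for node in root.iter():
        if _local(node.tag) != "Setting" or node.get("Type") != "htf:map":
            continue
        # Scalar children only; nested maps are other stores and are visited by iter().
        values = {
            child.get("Name"): (child.text or "").strip()
            for child in node
            if _local(child.tag) == "Setting" and child.get("Type") != "htf:map"
        }
        if "IsPrimary" not in values:
            continue
        stores.append({
            "name": values.get("Name", node.get("Name")),
            "provider": values.get("LDAP_PROVIDER", "?"),
            "url": values.get("LDAP_URL", "?"),
            "is_primary": values["IsPrimary"].lower() == "true",
            "is_system": values.get("IsSystem", "").lower() == "true",
        })
    return stores


def check_primary(stores):
    """Return a list of problems; an empty list means exactly one store is primary."""
    primaries = [s["name"] for s in stores if s["is_primary"]]
    problems = []
    if not primaries:
        problems.append("no identity store has IsPrimary=true; the console cannot authenticate anyone")
    elif len(primaries) > 1:
        problems.append("more than one primary identity store: " + ", ".join(primaries))
    return problems


def backup_config(path):
    """Copy oam-config.xml to a timestamped sibling file before editing it; returns the backup path."""
    backup = "%s.%s.bak" % (path, time.strftime("%Y%m%d-%H%M%S"))
    shutil.copy2(path, backup)
    return backup


if __name__ == "__main__":
    # Run against the constructed sample; point identity_stores() at open(path).read() for a real file.
    found = identity_stores(SAMPLE_OAM_CONFIG)
    for store in found:
        print("%-20s provider=%-14s url=%-24s primary=%s" % (
            store["name"], store["provider"], store["url"], store["is_primary"]))
    print("problems:", check_primary(found) or "none")
```

Run it against the real file with identity_stores(open(path).read()) and call backup_config(path) before you touch the XML; if check_primary() reports zero or several primaries, that is the misconfiguration to fix (or the cue to restore the backup) before restarting the Admin and Managed servers.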



Enjoy :-)

Friday 5 December 2014

[OID]: Disabling the User Account in OID

Let's disable the User Account in OID:

Note: We assume that you have already created a user account in OID. If you have not, follow Creating User Account in OID.

Follow the steps:

1) Before we lock/disable the user account, let's first access the protected resource.
  • Access the URL: http://<host:port>/resource

Note: I have logged in using the username clk, which I will be disabling in the OID Server.

2) Now let's log in to the OID Server:
  • Log in to OID: http://<host:port>/odsm
  • Choose the OID connection.
  • Provide the password and connect.
  • Now open the 'Data Browser' tab and expand the 'dc=com' tree.
  • Select the user you want to disable; I will be disabling the 'clk' user.
  • Now we need to add an attribute that will disable the account. Open the 'Attributes' tab in the right pane.
  • We need to add the optional attribute 'orclIsEnabled'.

       Note: Once you have added the 'orclIsEnabled' attribute, click 'Add Attributes'.

  • The default value of the 'orclIsEnabled' attribute is 'ENABLED', but we need to set it to 'DISABLED'.


Note:

    • Once you have set the attribute value, click 'Apply' at the top right.
    • Also remember that the value of this attribute has to be set to 'DISABLED'; setting it to 'FALSE' won't work and the account will still be accessible.


3) Now test the disabled account:

  • Access the protected resource URL: http://<host:port>/resource
  • Provide the credentials; here I will be using 'clk', the user I have just disabled, as the username.
  • You will see that when I try to log in, it says 'User account is locked or disabled'....

     Whooohoooh.... we have done it...

4) Now in case you need to enable the user account again, just set the attribute value:
    
    orclIsEnabled=ENABLED


Enjoy :-)

Saturday 29 November 2014

Creating User in Oracle Internet Directory(OID)


Follow below steps to create a new user in OID:


1) Log in to the WebLogic console and check whether the ODSM (Oracle Directory Services Manager) console is up and running:

    http://<host:port>/console

    Note: In my setup the managed server for ODSM is 'wls_ods1', running on port 7005.

2) Now log in to the ODSM Console - http://<host:7005>/ODSM

     Note: This is a freshly created setup, so we need to create a connection first.


3) Create a User Connection:

  • Provide the details such as hostname, port, bind DN and password.

4) The new connection is created.

5) Choose the Data Browser option:

  • Expand the tree dc=com
  • Double-click the user cn=orcladmin



6) Now we need to create a user. Here I have selected the option 'Create a new entry like this one'.




7) Complete the process for new user creation:

  • Choose 'Next' on the first page.
  • Provide the 'cn' entry name and choose 'cn' as the relative distinguished name.
  • On the Optional Properties page I have provided the new user's password, although this is a non-mandatory field.
  • Choose 'Finish' to complete the process.
  • New user is created.... Hurrahhhhh !!!!!!
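Both the user creation above and the orclIsEnabled change described in the post on disabling an account can be scripted instead of clicked through in ODSM. The following added example is not from these posts or from Oracle: it builds the LDIF records that an LDAP client tool would take, escapes the cn per RFC 4514 so that a name containing commas or plus signs cannot alter the shape of the DN, base64-encodes values LDIF cannot carry as plain text, and includes a small check that mirrors the disabling post's caveat that only the value DISABLED locks the account. The base DN dc=example,dc=com, the uid/sn values and the object class list (inetOrgPerson plus orclUserV2) are assumptions; verify them against your directory's schema.

```python
import base64
import re

# Constructed placeholder; the posts use a 'dc=com' tree, the exact base DN is an assumption.
BASE_DN = "dc=example,dc=com"


def escape_rdn_value(value):
    """Escape the characters RFC 4514 reserves in an RDN value (\\ , + " < > ; =),
    plus a leading '#' or space and a trailing space."""
    escaped = re.sub(r'([\\,+"<>;=])', r"\\\1", value)
    if escaped.startswith("#") or escaped.startswith(" "):
        escaped = "\\" + escaped
    if escaped.endswith(" "):
        escaped = escaped[:-1] + "\\ "
    return escaped


def user_dn(cn, base_dn=BASE_DN):
    """DN of a user whose RDN is cn, as chosen on the 'relative distinguished name' page."""
    return "cn=%s,%s" % (escape_rdn_value(cn), base_dn)


def _ldif_line(attr, value):
    """LDIF rule: a value that is not safe ASCII, or starts with space, ':' or '<',
    is written base64-encoded after a double colon."""
    if not value or not all(32 <= ord(c) < 127 for c in value) or value[0] in " :<":
        return "%s:: %s" % (attr, base64.b64encode(value.encode("utf-8")).decode("ascii"))
    return "%s: %s" % (attr, value)


def add_user_ldif(cn, sn, password=None, base_dn=BASE_DN):
    """LDIF 'add' record for a new user, the scripted form of 'Create a new entry like this one'.
    Object classes are assumed (inetOrgPerson plus OID's orclUserV2); check your schema."""
    lines = [_ldif_line("dn", user_dn(cn, base_dn)), "changetype: add"]
    for oc in ("top", "person", "organizationalPerson", "inetOrgPerson", "orclUserV2"):
        lines.append("objectClass: " + oc)
    lines.append(_ldif_line("cn", cn))
    lines.append(_ldif_line("sn", sn))
    lines.append(_ldif_line("uid", cn))
    if password is not None:  # optional, as on the Optional Properties page
        lines.append(_ldif_line("userPassword", password))
    return "\n".join(lines) + "\n"


def set_account_state_ldif(cn, enabled, base_dn=BASE_DN):
    """LDIF 'modify' record that replaces orclIsEnabled with ENABLED or DISABLED,
    the scripted form of the attribute edit in the disabling post."""
    state = "ENABLED" if enabled else "DISABLED"
    return "\n".join([
        _ldif_line("dn", user_dn(cn, base_dn)),
        "changetype: modify",
        "replace: orclIsEnabled",
        "orclIsEnabled: " + state,
        "-",
    ]) + "\n"


def login_blocked(attributes):
    """Mirror what the disabling post reports: only the value DISABLED locks the account;
    a missing attribute or any other value (such as FALSE) leaves it usable.
    Whether OID treats the value case-insensitively is not covered by the post, so
    this compares the exact string."""
    value = attributes.get("orclIsEnabled")
    if value is None:
        return False
    return value.strip() == "DISABLED"


if __name__ == "__main__":
    # Constructed inputs: 'clk' is the user the posts work with, the password is a placeholder.
    print(add_user_ldif("clk", "Clark", password="CHANGE-ME-placeholder"))
    print(set_account_state_ldif("clk", enabled=False))
    print(set_account_state_ldif("clk", enabled=True))
    print("FALSE blocks login?", login_blocked({"orclIsEnabled": "FALSE"}))
```

Write the records to a file and feed them to your LDAP client's modify tool bound as a directory administrator; after applying the DISABLED record, re-read the entry and run login_blocked() over its attributes as the same check the post performs by hand through the protected resource URL.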



Enjoy :-)

Friday 28 November 2014

Basics of OID, OVD & OIF


What is OID?
  • Oracle Internet Directory is an LDAP directory that uses an Oracle Database for storage. 
  • Clients communicate with a directory server by means of the Lightweight Directory Access Protocol (LDAP).

How is data stored in OID?
  • It is stored in a hierarchical format, i.e. a DIT (Directory Information Tree).
What can you store in OID?

  • You can store passwords, connection information, etc.

What is Oracle Integration Platform?

  • It enables you to synchronise data back and forth between directories and databases, for example from OID to a finance database.

What is the benefit of using OVD (Oracle Virtual Directory)?

  • OVD acts as an interface with adapters that connect to multiple data sources. It provides a single LDAP service through which you connect to different databases and directories.
  • This gives organisations the advantage of a single interface that, in the background, talks to multiple directories or databases.


What is OIF (Oracle Identity Federation)?

  • Oracle Identity Federation enables companies to share identity information with their partner organizations, i.e. once end users have logged in to their own company account they do not need to log in again at the partner site.
  • With this feature enterprises can federate seamlessly with partner organizations without compromising on security checks.


Hope it solves some of your doubts......

Enjoy :-)