
Implementing #OpenID with Oracle Identity Federation #Identity #OIF


I have a customer that is an Oracle Identity Management shop. They are looking to leverage OpenID to increase the ease of collaborating with internal and external partners as well as to reduce the cost of managing passwords for non-employees. They are also implementing other strategies to reduce the use of passwords in their environment, but for today I just want to talk about how to implement OpenID.

A good starting point is Warren Strange’s (Strange Brew) “Adding an OpenID Relying Party to Oracle Identity Federation (OIF)”. In this post Warren describes, in perfect detail, how to integrate OIF with Google as your Identity Provider. As Warren points out, OIF includes a test service provider integration module that you can use to validate that you have things configured correctly. You will have to change to use another Service Provider Integration Module (OSSO, OAM or Custom) to actually leverage this in production; otherwise the user will always end up on the test results page regardless of where they were attempting to get to.

The other side to the coin is adding an OpenID Identity Provider to Oracle Identity Federation. In my customer’s use case they have internal organizations that would like to consume identity information, from my customer, but they still want to remain loosely coupled. Their choice here would be to go with SAML or OpenID. They will be supporting both options.

First, make sure that you are on at least OIF 11.1.1.4.

To enable OIF as an OpenID IdP you need to log into Enterprise Manager and go to Oracle Identity Federation >> Administration >> Identity Provider. Make sure that the Identity Provider is enabled in the Common tab, Apply (if not already enabled) and then switch to the OpenID 2.0 tab. From this tab, make sure to check Enable OpenID 2.0 Protocol then at the bottom of the screen click on the box that says Create, which is next to “Generic OpenID Service Provider”. This provides configuration for service providers that are not specifically named in the Federation. Click Apply.

Next, go to Oracle Identity Federation >> Administration >> Federations. You should see two Trusted Providers already listed. The first will have a Provider-ID of “Unknown-OpenID-RP”, which was created when you created the generic provider in the previous step. The second, which will be there if you followed the steps in Warren’s blog, will have a Provider-ID of “Google” (or something like that). You will need to add a provider for your IdP. Click on “Add” and the “Add Trusted Provider” screen will open. Click the radio button next to “Add Provider Manually”. Let’s assume that we are implementing this for a company called Acme, Inc.

Complete the information as shown below, and then click “OK”.

Next, highlight the Provider you just created and click on “Edit”.

In the Trusted Provider Settings tab add the Endpoint URL and the Discovery URL:

Endpoint URL: http://fed.acme.com:7777/fed/idp

Discovery URL: http://fed.acme.com:7777/fed/idp

Then, click on the Oracle Identity Federation Settings tab.

To enable a setting you have to click on the little square in the circle until it turns blue and then check the box at the end of the line. You want to enable both Map User via Federated Identity and Error when User Mapping fails. Your screen should then look like this:

Click Apply.

Optionally, you can enable the Attribute Exchange by clicking “Edit” next to Attribute Mappings and Filters.

The last thing you need to do is confirm that your Identity Provider has a user identity store that it will authenticate against. You can do this by clicking on Oracle Identity Federation >> Administration >> Authentication Engines. The Default Authentication Engine will be set to whatever you selected during install. The default is JAAS. I changed mine to LDAP Directory. Then click on the LDAP Directory tab. Click Enable Authentication Engine and complete the requested information. Make sure you test the LDAP connection before applying.

At this point you can test using the same steps that Warren outlined in his blog post:

Go to: http://fed.acme.com:7777/fed/user/testspsso

Select ACME from the IdP Provider ID drop-down box.

Then click on Start SSO. You should be prompted by OIF’s default IdP to authenticate. After successfully authenticating you will have to click Accept on a User Consent page, and then you will be returned to a status page showing a successful authentication.

So, those are the basic steps. There are a number of use cases that would require additional configuration. For Federal agencies implementing this for a FICAM solution you would need to look at enabling the Provider Authentication Policy Extension (PAPE) 1.0 options on the Identity Provider configuration page.

About TUMY | Technology, Inc.
TUMY | technology, inc. (TTi) provides Identity & Access Management (IAM) solutions that secure and manage digital identities and applications.
In response to growing security threats and regulatory compliance mandates (HIPAA, Sarbanes-Oxley, etc.) organizations need solutions that can be implemented quickly to identify users and their entitlements before giving access to requested resources. We specialize in vendor solutions such as ForgeRock and Oracle. Our mission is to deliver secure, robust and cost-effective solutions to our clients. Please contact us at: info “at” tumy-tech.com or 1.240.215.4825


Using sed to clean up an LDIF file for import #Oracle #Identity #UNIX


I needed to import a group of users into Oracle Internet Directory (OID) whose attributes lived in a variety of backend data stores. I used Oracle Virtual Directory (OVD) to virtualize the data stores into a single LDAP view, and used the OVD adapter configuration to specify which attributes I wanted returned. I then exported using the export control from Apache Directory Studio. This resulted in an LDIF file containing all of the records I needed, with attributes. There were a few additional attributes, a by-product of using OVD, that I now had to deal with.

I ended up with an ldif file that contained a lot of records like this:

dn: cn=Babs Jensen@ACME.GOV,ou=temp_user_load
objectclass: inetOrgPerson
objectclass: organizationalPerson
objectclass: person
objectclass: top
cn: 1234556677@ACME.GOV
cn: Babs.Jensen@ACME.gov
cn: Jensen, Babs
sn: Jensen
givenName: Babs
mail: BABS.JENSEN@ACME.GOV
vdejoindn: ou=acmeinfo_temp:cn=JENSEN\,BABS,ou=acmeinfo_temp
vdejoindn: AD_temp:CN=babs.jensen@ACME.GOV,OU=locations,OU=park,ou=ad_t
emp,dc=acme,dc=local
fascnDecoded: 1234567890987654321
guid: ABcdedghi1234567890
ssn: 12345678

Note: With the sed command you can make changes directly to the source file, but I am creating a new target file with each change I make so that I can always revert if a command doesn’t work exactly the way I want it to.

I wanted to get rid of lines that don’t start with an attribute name (in my case I am free to discard the lines that carry over onto a second line … YMMV).

I also specifically wanted to get rid of all lines that start with “vdejoindn:”. Some vdejoindn values overrun onto a second line, and that second line won’t be removed if I only use sed to delete lines matching the pattern vdejoindn:.

So, first I want to remove all lines that don’t contain a colon. This removes the overrun lines but also all blank lines.

$ sed '/:/!d' input.ldif > tmp.ldif

this keeps the lines with a colon.

But now we don’t have breaks between the records, so put a blank line back in front of each dn: line:

$ sed 's/^dn:/\n&/g' tmp.ldif > tmp2.ldif

Ok, now I want to get rid of the lines that have “vdejoindn:”.

$ sed '/vdejoindn:/d' tmp2.ldif > tmp3.ldif

Now, at some point I ended up with “^M” (a carriage return) at the end of each line … I don’t know if this is because I opened the file with VIM on Windows before moving it to Linux … I am going to assume so, but either way, in this instance I want to remove these characters.

$ dos2unix -n tmp3.ldif tmp4.ldif

(dos2unix converts its file argument in place and writes nothing to stdout, so redirecting its output would leave tmp4.ldif empty; the -n form writes the converted copy to a new file instead.)

Alright. Now, for me to import this into Oracle Internet Directory (OID) I’ll need to add the “changetype” directive. I am going to add the string “changetype: add” on a new line after each line containing “ou=temp_user_load”, which is the temporary suffix I used in this export.

$ sed '/ou=temp_user_load/ a\changetype: add' tmp4.ldif > tmp5.ldif

The last step prior to importing is to correct each entry’s DN. Essentially, we need to replace “ou=temp_user_load” with the correct suffix for the container where these users will be created.

$ sed 's/ou=temp_user_load/cn=Users,o=icam,dc=acme,dc=local/g' tmp5.ldif > tmp6.ldif

At this point my ldif file (“tmp6.ldif”) is ready to import into my directory. You can use the ldapmodify command or since I am using OID you can use bulkload (which is recommended for large record sets).
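The same six clean-up steps folded into one pipeline and run against a constructed LDIF sample, as an added example that is not part of the original post. It assumes GNU sed (the \n in a replacement and the one-line a\text form are GNU extensions), uses tr in place of dos2unix, and uses the post’s target suffix cn=Users,o=icam,dc=acme,dc=local; the only deviation from the post is that the blank-line step skips the very first dn so the output does not begin with an empty line.

```shell
#!/bin/sh
# Added example (not from the original post): the post's clean-up steps as one
# pipeline, exercised on a constructed export so it runs offline.
# Assumes GNU sed; tr -d '\r' stands in for dos2unix.

# Write a constructed export that mimics the OVD export in the post: CRLF line
# endings, a vdejoindn value wrapped onto a second line, a blank line between
# records, and the temporary suffix ou=temp_user_load in every dn.
write_sample_ldif() {
    printf '%s\r\n' \
        'dn: cn=Babs Jensen@ACME.GOV,ou=temp_user_load' \
        'objectclass: inetOrgPerson' \
        'cn: Jensen, Babs' \
        'sn: Jensen' \
        'mail: BABS.JENSEN@ACME.GOV' \
        'vdejoindn: AD_temp:CN=babs.jensen@ACME.GOV,OU=locations,OU=park,ou=ad_t' \
        'emp,dc=acme,dc=local' \
        '' \
        'dn: cn=John Doe@ACME.GOV,ou=temp_user_load' \
        'objectclass: inetOrgPerson' \
        'sn: Doe' > "$1"
}

# clean_ldif INPUT OUTPUT
#  1. keep only lines containing a colon (drops blank and wrapped lines)
#  2. put a blank line back in front of every dn: except the first
#  3. drop the OVD join attribute
#  4. strip carriage returns (what dos2unix does)
#  5. add "changetype: add" after each dn carrying the temporary suffix
#  6. rewrite the temporary suffix to the real container
clean_ldif() {
    sed '/:/!d' "$1" \
      | sed '1!s/^dn:/\n&/' \
      | sed '/vdejoindn:/d' \
      | tr -d '\r' \
      | sed '/ou=temp_user_load/ a\changetype: add' \
      | sed 's/ou=temp_user_load/cn=Users,o=icam,dc=acme,dc=local/g' \
      > "$2"
}

# Number of entries ready for import: one "changetype: add" per record.
count_add_entries() {
    grep -c '^changetype: add$' "$1"
}

workdir=$(mktemp -d)
write_sample_ldif "$workdir/export.ldif"
clean_ldif "$workdir/export.ldif" "$workdir/import.ldif"
cat "$workdir/import.ldif"
rm -rf "$workdir"
```

The pipeline order matters: the colon filter runs before the CR strip so that a CRLF “blank” line (which is really a lone carriage return) is still dropped as a line without a colon, and the changetype insertion runs before the suffix rewrite so that its address still matches the temporary suffix.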

Troubleshooting errors starting #OID #11g #Oracle #Identity #LDAP


I have an Oracle Identity 11g environment running on VirtualBox 4.0. This is a development environment that I use to test out various installations and configurations. I noticed the other day that I wasn’t able to start the Oracle Internet Directory (OID) instance.

Screen shot 2011-01-26 at 2.21.25 PM.png

When I checked the log file I could see that OID was not able to connect to the database. By the way, the log referenced in the error message doesn’t show anything of value. The log that actually contained the error is called oidmon-0000.log.

Screen shot 2011-01-26 at 2.23.11 PM.png

According to ora-code.com, ORA-28000 means that the user account connecting to the database (‘ODS’) is locked.

ORA-28000:

the account is locked
Cause: The user has entered wrong password consequently for maximum number of times specified by the user’s profile parameter FAILED_LOGIN_ATTEMPTS, or the DBA has locked the account
Action: Wait for PASSWORD_LOCK_TIME or contact DBA

It’s typically trivial to unlock an account from the sqlplus command line

Screen shot 2011-01-26 at 2.29.30 PM.png

So, we should be good now. I will try to start the process again.

Screen shot 2011-01-26 at 2.30.42 PM.png

But now my log shows

Screen shot 2011-01-26 at 2.31.14 PM.png

So, now I am getting an ORA-01017 error, which means “Invalid username/password”. It seems that the database doesn’t like the password that OID is supplying to connect to the ODS schema.

I’ll use SQL Developer to try and connect to the database with the ODS user

Screen shot 2011-01-26 at 2.38.10 PM.png


Interesting, SQL Developer is showing an ORA-28000 error.

Let’s try connecting using SQLPlus …

Screen shot 2011-01-26 at 2.42.11 PM.png

So, it seems we have a consensus (and yes, I did just include my password in the screenshot … it doesn’t matter)

Let’s see what the database has to say about this user. Make sure you reconnect to the DB as oracle.

Screen shot 2011-01-26 at 2.52.15 PM.png

Ok, didn’t we just unlock it? Let’s try again …

Screen shot 2011-01-26 at 3.00.20 PM.png

So, now what is the status?

Screen shot 2011-01-26 at 3.01.39 PM.png

Hey! This is good right? … the account seems to be open again.

So, let’s try to start OID again.

Screen shot 2011-01-26 at 3.15.29 PM.png

Ok, this is looking pretty ugly right about now…

Screen shot 2011-01-26 at 3.16.38 PM.png

… and the account is locked again. So, let’s see if we can figure out why this is happening.

Maybe the wallet that holds the ODS password for OID has become corrupt. We can recreate it using oidpasswd.

Note: Before you run oidpasswd it’s important to have your Oracle environment set up correctly. Here is what I am using (yours may vary):

ORACLE_SID=orcl
ORACLE_BASE=/opt/oracle
ORACLE_INSTANCE=/opt/oracle/Middleware/asisnt_1
ORACLE_HOME=/opt/oracle/Middleware/Oracle_IDM1
MW_HOME=/opt/oracle/Middleware


Screen shot 2011-01-26 at 4.14.39 PM.png

Now with this output … I have verified the location of the tnsnames.ora file and the information in it … so I am going to assume for the moment that the issue is with the password (at least until I prove otherwise).

Typically, changing the password will unlock the account

Screen shot 2011-01-26 at 4.37.18 PM.png

But here we are and the account is still locked.

… I am spending some time just fishing around on the Internet and looking around at my system

Screen shot 2011-01-26 at 5.08.25 PM.png

Wait a second … I wasn’t even thinking about ODSSM …


Screen shot 2011-01-26 at 5.11.50 PM.png

Change the ODSSM’s password and then unlock ODS.

Screen shot 2011-01-26 at 5.13.24 PM.png

So, both accounts should now be “OPEN”

Screen shot 2011-01-26 at 5.15.48 PM.png

Now restart the OIDMON process

Screen shot 2011-01-26 at 5.17.41 PM.png

What does the log say?

Screen shot 2011-01-26 at 5.18.12 PM.png

Completely different error this time. At least I feel like we are making some progress …

hmmm … if the wallet can’t be read … maybe we can recreate the wallet. Let’s re-run the “create wallet” command that we tried earlier.

Screen shot 2011-01-26 at 5.29.48 PM.png

Hey! … it was successful this time. So, let’s try starting the OID processes

Screen shot 2011-01-26 at 5.31.59 PM.png

That was successful!

Now to check the status of the OPMN Processes

Screen shot 2011-01-26 at 5.33.09 PM.png

All of the OID related processes are now Alive. The ohs1 process is down because I turned it off earlier.

Recover Weblogic server admin password (on Linux)


On a virtual machine that I installed Oracle Identity Federation I found that I could not remember what I  had set the Weblogic Server (WLS) password to.  I needed a way to recover this password so that I would not have to reinstall WLS.  This isn’t the first time I have forgotten the password to start and login to WLS … I needed to find a reusable solution that would give me the password quickly. I found Kenneth Xu’s blog (“Program It”) where he defined a solution, in great detail.  Kenneth’s solution was geared towards Windows … I needed a solution for Linux (fortunately there were very minor changes required).   In other words … I borrowed heavily from: http://kennethxu.blogspot.com/2006/04/how-to-recover-weblogic-admin-password.html

Update (12/15/12):  It’s important to note that this recovery process is dependent on the instance having the username and password in a boot.properties file.  For those of you that are entering the username and password on the command line at startup time … this probably won’t help you.  Also, if you get a Java NPE when running this code … come back to the java that you wrote and check the value of the BPF variable.  Make sure that points to an actual boot.properties file that has the weblogic username and password.

Step 1:  On the Linux server (I am logged in as Oracle) create a development directory

I created one called: /home/oracle/deve

Step 2:  Create a file called:  RecoverPassword.java and then copy in the following code

import weblogic.security.internal.BootProperties;

public class RecoverPassword {
    public static void main(String[] args) {
        // Path to the boot.properties file holding the encrypted username and password
        String BPF = "/opt2/oracle/Middleware/user_projects/domains/IDMDomain/servers/wls_oif1/data/nodemanager/boot.properties";
        // Load the file; WLS decrypts the values using the domain's SerializedSystemIni.dat
        BootProperties.load(BPF, false);
        BootProperties bootp = BootProperties.getBootProperties();
        // Print username/password between hash marks so the line is easy to spot in the startup output
        System.out.println("##############################[" + bootp.getOneClient()
                + "/" + bootp.getTwoClient() + "]#############################");
    }
}

Step 3:  Compile:

javac -classpath /opt2/oracle/Middleware/wlserver_10.3/server/lib/weblogic.jar RecoverPassword.java

Step 4:  Copy WLS Startup File to development directory

cp /opt2/oracle/Middleware/user_projects/domains/IDMDomain/bin/startWebLogic.sh .

** make sure to include the period at the end of the line. This means copy “here”. The current directory that you are in.

Step 5: Rename to: recoverPassword.sh

Step 6:  Edit recoverPassword.sh

${JAVA_HOME}/bin/java ${JAVA_VM} -version        # this is an existing line
### Custom Code inserted to Recover Password ###
CLASSPATH=/home/oracle/deve/:$CLASSPATH; export CLASSPATH
echo $CLASSPATH
SERVER_CLASS=RecoverPassword; export SERVER_CLASS
doExitFlag=false; export doExitFlag
if [ "${WLS_REDIRECT_LOG}" = "" ] ; then        # this is an existing line

Step 7:  Change to the domain home directory

cd /opt2/oracle/Middleware/user_projects/domains/IDMDomain/

Step 8:  Run the recoverPassword.sh script

/home/oracle/deve/recoverPassword.sh

Output will look like:

ware/Oracle_IDM1 -Xms512m -Xmx1024m -Xss512K -Djava.net.preferIPv6Addresses=true -DuseIPv6Address=true -Djava.protocol.handler.pkgs=oracle.mds.net.protocol -Dweblogic.management.discover=false -Djava.net.preferIPv6Addresses=true -Dweblogic.management.discover=true  -Dwlw.iterativeDev=false -Dwlw.testConsole=false -Dwlw.logErrorsToConsole=false -Dweblogic.ext.dirs=/opt2/oracle/Middleware/patch_wls1032/profiles/default/sysext_manifest_classpath

RecoverPassword

##############################[weblogic/Passw0rd1]#############################

The password is displayed on the line with the hashmarks.

Upgrade #Oracle #OIF to 11.1.1.3 #IDM #Identity


We installed Oracle Identity Federation (OIF) 11.1.1.2 a few months ago and had to move on to some other, more pressing IDM-related issues. We finally came back to the Federation tasks at the beginning of September. The first thing I did was take an inventory of where we left off and compare it to the current released version from Oracle. I found that we were now a version behind with both Weblogic Server (WLS) and OIF. I initially put off upgrading because we were in a hurry to integrate with one of their business partners. We were able to configure the Circle of Trust with the Relying Party (RP, aka Service Provider) with just a few issues. This particular partner is using OpenSAML as their software of choice. The only issue for us is that they didn’t (or don’t) create metadata files. This is their choice, because OpenSAML has a module for doing this. Metadata files are a feature of SAML 2.0 that allows for easy (…easier) integration with your Federation partners. I was able to create one manually for them by using the sp.xml file that was created when using the OpenSSO Fedlet (that’s for another post).

So, finally on to the point of this post. The only issue that we have had with OIF 11.1.1.2 is that when trying to search for local users (we are using OVD as our User Data Store … OVD fronts two different AD instances) we have some problems with the search function, and not all users can authenticate. Yes, this is actually a major problem.

I noticed via http://support.oracle.com that there are a lot of patches available for 11.1.1.2.  I ended up downloading the 11.1.1.3 version from OTN (here).

(Note:  I talked to my contact at Oracle Support who said that 11.1.1.4 is coming very soon)

This version requires that Weblogic be at least 10.1.3.  I went back to the support site and downloaded the 10.1.3 patch from there.  It’s a jar file that is run and will open up as an OUI installer.  I found this site which I used as a guide.  It’s pretty simple and painless.  Make sure that you restart WLS after upgrading and before upgrading OIF.  When the OIF upgrade is complete you should restart the managed service.

After restarting OIF I noticed in Enterprise Manager (EM) that OIF is still displaying as 11.1.1.2.  I am running the Upgrade Assistant (Oracle_Home/bin/ua).  On the second screen you can select “Verify Instance”.  This will walk you through and verify that your OIF instance is upgraded to the correct version.  In my case the status is showing as “Failed”.    One thing that seems odd to me is that the port shown (on the error message) is 7499.  It looks like it’s trying to access the URL to the metadata file and is trying to go on 7499. (i.e., http://hostname:7499/fed/idp/metadata).  I can get to the file via 7777 and not 7499.  So, I’ll need to check later as to why the Upgrade Assistant is using that port.

I just tried to re-run the 11.1.1.3 patch installer.  It complained that the patch had already been applied to this Oracle_Home.  So, now I am perplexed.  Let’s try rebooting the box and restarting the WLS and OIF services.

Interestingly, after the reboot the OIF version is still showing as 11.1.1.2 … but my OIF LDAP Authentication Engine error is no longer occurring.  So, maybe it did get patched??  I am working on confirming this … maybe the version number doesn’t get updated?  … that doesn’t sound right though.

Directory Integration Platform (DIP) w/Oracle DB #oracle #idm #dip #oid


DBImport Profile: (sync w/Oracle DB table)

Important Notes:

  • Diptester utility has not been updated for 11g yet.
  • Oracle recommends setting up sync profile to DB by using command line tools instead of EM UI.

Where is the profile stored:

Profile DN: orclodipagentname=<profile name>,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory

Which files make up the profile:

Profile Name: <profile name>
Properties File: <profile name>.properties (connection info)
Configuration: <profile name>.cfg.master (SQL query)
Map File: <profile name>.map.master (maps columns to attributes)

DIP Log Location:
[/apps/oracle/]Middleware/Oracle_IDM1/ldap/odi/conf

Updating the DBImport Profile (after making changes to the config files you will need to update the profile):

$ manageSyncProfiles update -h hostname -p 7005 -D weblogic -pf "profile name" -f "profile properties file name"

Warning : Setting an incorrect value for the last change number could cause the profile to stop working or cause undesired sync operations
Do you want to continue [Y/N] Y
[Connected Directory Password] // Source password … DB user password in this case.
[Weblogic user password]
Connection parameters initialized.
Connecting at hostname:7005, with userid “weblogic”..
Connected successfully.

Profile “profile name” successfully updated.

Activate / Deactivate Profiles:

manageSyncProfiles activate -h dip_hostname -p 7005 -D weblogic -pf "profile name"
manageSyncProfiles deactivate -h dip_hostname -p 7005 -D weblogic -pf "profile name"

View the Subscriber Profile:

ldapsearch -h dip_hostname -p 3060 -D "cn=orcladmin" -w "orcladmin_password" -b "orclodipagentname=<profile name>,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory" -s sub '(objectclass=*)'

Update the orclodipcondirlastappliedchgnum attribute in the sync profile:

Note: if there are any problems with the initial sync and you have to do it over, you will need to reset the last applied change number in the profile.

ldapmodify -h [diphostname] -p 3060 -D "cn=orcladmin" -w Passw0rd1 -f update_timestamp.ldif

update_timestamp.ldif:
dn: orclodipagentname=[profile name],cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory
changetype: modify
replace: orclodipcondirlastappliedchgnum
orclodipcondirlastappliedchgnum: 20000101120000

Installing and Configuring Sun #DSEE 6.3 #Oracle #IDM #DS


To quickly install and configure Sun’s (now Oracle’s) Directory Server Enterprise Edition (DSEE) 6.3:

  1. Unpack the download (tar -xvzf)
  2. cd into the DSEE_ZIP_DISTRIBUTION folder
  3. Install the software: ./dsee_deploy install -i /opt/ds6
  4. Create a new instance: ./dsadm create -p port -P SSL-port instance-path
  5. Start the new instance: ./dsadm start instance-path
  6. Modify Example.ldif, then create the new suffix and import the file:

     ./dsconf create-suffix -h localhost -p 1389 dc=example,dc=com
     ./dsconf import -h localhost -p 1389 install-path/ds6/ldif/Example.ldif dc=example,dc=com

Debugging OVD 11g Installation #Oracle #IdM #OVD


I am installing Oracle Virtual Directory 11g on Oracle Enterprise Linux 5. As the OVD installer ran through its Configuration Tools it stumbled on the Create ASInstance step with the following error:

Error creating ASInstance asinst_1.
Cause:
An internal operation has failed.  Unable to validate
NonJ2EEManagement Application deployment on admin server.
See logs for more details.

I thought maybe I had forgotten to start Weblogic, but that is not the case.

I will be working through this issue this afternoon … possibly this evening, depending on how this afternoon goes. If you have seen this before, drop a comment; I’d love to hear some feedback.

<Update>

Deborah Volk pointed out that I needed to use the latest version of Weblogic Server. I believe that is case closed.

Oracle OAM Identity Server errors starting on OEL5 #Oracle #IDM #OAM


I am installing Oracle Access Manager 10.1.4.3 on Oracle Enterprise Linux (OEL) 5.  When I tried to start the Identity Server for the first time I received the following error:

# /opt/oracle/oam/identity/oblix/apps/common/bin/start_ois_server

Using Linux Threading Library.

/opt/oracle/oam/identity/oblix/apps/common/bin/ois_server: error while loading shared libraries: libdl.so.2: cannot open shared object file: No such file or directory

rm: error while loading shared libraries: libc.so.6: cannot open shared object file: No such file or directory

OIS Server started with pid: 3344

/bin/sh: error while loading shared libraries: libdl.so.2: cannot open shared object file: No such file or directory

I found that by commenting out the following line in the start_ois_server file I was able to start the Identity Server without errors:

#      LD_ASSUME_KERNEL="2.4.19";

[Update]

Commenting out that line works but another solution is to use the following Oracle provided script to start OIS instead:

./start_ois_server_nptl

I am not really sure what NPTL (Native Process Threading Library) is … but was told that NPTL runs on 64 bit.

Hardware Load Balancers #Oracle #IdM #OAM


Many people ask how they should implement hardware-based load balancers into an Oracle Access Manager (OAM) implementation. As a rule of thumb: load balancers should be placed in front of the web/application servers where the web gates are installed (i.e., between the browser and the web server) and that is it. OAM has built-in load balance functionality and can manage fail-over on its own. This is referred to as software-based load balancing.

I have seen some environments where clients have put load balancers in between the Identity/Access servers and their directory servers. With OAM this is unnecessary and not advised. According to Oracle documentation,

“performance can be negatively affected by the load balancer, which can terminate a connection but fail to trigger a response that OAM can adjust to. This can cause outages.”

– Performance Tuning 3-39,  http://download.oracle.com/docs/cd/E12530_01/oam.1014/e10353.pdf