Ondaaah with OAM

Hello experts

I need an overview of how Ondaaah works with OAM. We have a scenario where the domain controllers are located at geographically different locations in different data centers. Suppose that OAM is installed in DC 1. Now, when a user is in DC 2, she is authenticated by the DC in DC 2. When the user tries to access a web resource, the request is routed to OAM in DC 1.

At this stage, is OAM able to authenticate the user through the DC in DC 1? I am confused because the KDC runs in DC 2; will the domain controller in DC 1 be able to authenticate?

I really appreciate your response.

Yes, your example would work. The Ondaaah setup allows you to specify several KDCs in the krb5.conf file.
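
Added example, not part of the original thread: a krb5.conf that lists a KDC in each data center for one realm, as the answer describes. The realm EXAMPLE.COM and the host names dc1/dc2 are placeholders, and it assumes both domain controllers serve the same Active Directory domain.

```ini
# Constructed example: realm and host names are placeholders.
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        # Domain controller in data center 1 (same site as OAM)
        kdc = dc1.example.com:88
        # Domain controller in data center 2, listed as a second KDC
        kdc = dc2.example.com:88
        admin_server = dc1.example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
```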

Tags: Fusion Middleware

Similar Questions

  • Discoverer 11.1.1.7.0 against 12.1.3 with OAM 11.1.2 EBS to request the password for the user with Ondaaah

    Hello

    Oracle has not been able to help me get this working; 2 SRs open for weeks and no good answer.  They referred me to the people at onlinappsdba and various other public Internet sites.  We run EBS 12.1.3 and Disco 11.1.1.7.0 with 10g SSO and Ondaaah and SSL.  That works very well: users' identity is established through Ondaaah on our corporate network, with zero sign-on.  I'm replacing 10g SSO with OAM 11.1.2.  OAM/OID works very well for EBS and OBIEE, always zero sign-on with OID 11.1.1.7.0 and the AccessGate piece (and a webgate for both).  (Too many servers to support SSO in my view; if something goes wrong, too many places to look.)  For Disco, I created the osso.conf in OAM 11.1.2, installed it in a folder on Disco and bounced Disco.  This works OK if the authentication method in OAM is form-based authentication, with OAM prompting the user to sign on and then passing the user name and password through OID to Active Directory; the Disco connection then prompts for the user name and gives access to workbooks.  No prompt for a Disco password.  But when I try to enable Ondaaah as the authentication method in OAM, Discoverer first prompts on the "Oracle Applications" connection for a user name and the EUL.  But Disco then prompts the user for a password, which no longer exists in fnd_user because authentication is external.  Connections fail.  I am also unable to create a private connection; that Disco dialog box also prompts for a user password.  At the Disco login page, the user session went to OAM and authentication via Ondaaah succeeded.  I can tell from tracing the session through Fiddler.  It is passed on to Disco, but Disco is missing something and prompts for a password.  OAM support at Oracle seems to think that OAM is not sending the cookie to Discoverer, although I'm not sure.

    First of all, Ondaaah with Disco should work with OAM, right?  Any thoughts on what might be missing?  I went through the MOS notes a few times, closely followed the tutorial onlinappsdba on it.

    Thank you very much.

    Tom

    The hotfix is described in Note 1616228.1, a problem with mod_osso and custom authentication plugins.  Disco can work very well with zero sign-on and OAM.

  • BEEP 11.1.1.5 Oracle compatibility with OAM/OIM 11 g 2

    Hi Experts,

    I tried searching the BI certification matrix for compatibility support of BEEP with OAM/OIM 11 g 2, but could not find anything concerning 11.1.1.5. All I could see is 11.1.1.7.

    Can someone let me know if BI Publisher version 11.1.1.5 is supported with OAM/OAM 11.1.1.2 BP05 (GR 11, 2)?

    Please share any related information.

    Thank you.

    Shivam

    You specify the exact version of OIM/OAM, IE 11 GR 2 PSx?

    BP5 for 11 GR 2 PS2 I guess?

    PS3 comes with BEEP automatically installed 11.1.1.7

    PS2 requires you to install + 11.1.1.6

    Ps1 requires 11.1.1.5 +

    Anyway, the integration is very loose. OAM/IOM are delivered with some reports and what is required is that BEEP can open and process these reports. I do not in anyway format of relationship between versions changes.

  • Configuration of single sign on with OAM to ensure web application (no application from merger)

    Hello world

    I have configured single sign-on with OAM to protect a non-Fusion web application. But it is not redirected to the OAM SSO login page. Could you please tell me where I need to check?

    The web application is deployed in a WebLogic domain whose console has already been configured for OAM SSO authentication successfully. But the deployed web application is not redirected to the SSO login page when going to a secured page.

    The web.xml file is

    <login-config>
      <auth-method>CLIENT-CERT</auth-method>
      <realm-name>myRealm</realm-name>
    </login-config>

    Thank you.

    Hello

    Assuming that you go directly to the port of the Weblogic Server and not through a web server, acting as a proxy, try to add the url of your application as a resource in the Application domain 'IAM Suite' in the /oamconsole, which gives it an authentication strategy of 'Protected level policy' to see if this changes the behavior. This is a test - if it works, it's best to create your own application domain for your resources so that they can be managed without interfering with internal policies used by OAM.

    Kind regards

    Colin

  • How to reconfigure the OHS 11 g WebGate with OAM 11 g?

    Hi all

    Can you please let me know your opinion on below scenario?

    1. I set up a SST 11 g WebGate in OAM 11 g with main server with unique. WebGate works very well.
    2. In the future, I create a new OAM server with a different proxy port and want to add it as a secondary server to the OHS 11 g webgate. To do this, my thoughts are: go to the OAM admin console and change the agent profile to add the secondary server. Is this enough to make everything work? By the way, ObAccessClient.xml is not updated in the RREG_HOME/output artifacts folder. If it is updated automatically after changing the details in the OAM console, I can just copy it to the WebGate instance.

    The same question arises for 10g WebGate with OAM 11 g. Is it also possible to reconfigure the webgate as in the case of OAM 10 g and 10 g webgates?

    -Mango

    Hi Manon,.

    You only need to make the change in the oamconsole (change the agent profile as you suggest) and you do not need to re-copy the ObAccessClient.xml file. You may need to wait a few minutes for the change to be picked up by the WebGate, or I expect a restart of the web server would make it acquire the new settings. Using the WebGate diagnostic URL will tell you which OAM servers the WebGate is connected to (http://server:port/ohs/modules/webgate.cgi?progid=1 for 11 g WebGate).

    Kind regards
    Colin

  • Integration of OBIEE 11.1.1.5 with OAM

    Hello
    I integrated OBIEE 11.1.1.5 with OID 11g (as part of the OAM integration); all OID users show up in OBIEE. I'm able to log in to 'analytics', but not able to access reports. Also, I am not able to assign BI groups to the OID users.
    Has anyone faced this kind of scenario? Can someone help me please?
    If someone has done OBIEE 11.1.1.5 integration with OAM 11 g, please provide me with the document that you followed.

    Thanks in advance,
    Faye farsatha.

    Published by: 927873 on July 16, 2012 12:11 AM

    Hello

    Please try to access the analytics web services using 'analytics-ws' instead of just 'analytics' in the URL, like below:

    http://:/analytics-ws/saw.dll?WSDL

    Do a test with link below it may help you...
    http://onlineappsdba.com/index.php/2011/12/05/integrate-OBIEE-11g-with-OAM-11g-for-single-sign-on-in-13-steps/
    http://fusionsecurity.blogspot.com/2012/06/integrating-OBIEE-11g-into-weblogics.html
    http://docs.Oracle.com/CD/E23943_01/bi.1111/e10543/SSO.htm#CEGJBAED

    Thank you
    Deva

  • Informatica Application with OAM 11g Setup

    Hello


    Could someone help me to protect Informatica application with OAM 11 g.





    Thank you
    Sony

    - The first thing you can do is ask Oracle (support.oracle.com) if they have any documentation for the integration of OAM with Informatica.
    - Alternatively, you can check out the link here, which has steps of OAM integration with various third-party applications
    http://docs.Oracle.com/CD/B28196_01/idmanage.1014/b25347/Siebel.htm#Siebel

    You must have the location of the repository informatica, portnumbers etc. Try configurations by seeing examples in above link.

    Kind regards
    GP

  • 10g WebGate Apache with OAM 11 g installation

    Hi all

    I installed Apache 10 g WebGate Oracle_Access_Manager10_1_4_3_0_linux64_APACHE22_WebGate on RHEL 64-bit machine. I OAM 11 g installed in another server and there is no time difference between webgate and machines OAM.

    I am following this document, http://docs.oracle.com/cd/E15586_01/doc.1111/e15478/webgate.htm#CACHEHEC, for 10 g WebGate installation with OAM 11 g. I created the OAM 10 g Agent from the OAM Admin Console (not using oamreg.sh), and the host ID and the policy areas were created automatically without any problem.

    I installed the webgate thus and webgate is properly configured with the access server.

    In accordance with this step to install artifacts (and certificates) to Webgate 10 g in the document, I am confused as the files to be copied to WebGate location to complete the installation. What is someone is able to do this successfully? Pointers are very useful.

    Without webgate configuration httpd.conf of Apache, we are able to access the Console of Apache correctly. With WebGate configuration Apache COnsole throws the error as shown below.

    Not found
    Requested URL / was not found on this server.

    What is the expected behavior after completing the 10 g WebGate installation Apache? Redirect OAM Login page automatically like SST 11 g WebGate (with OAM 11 g)?

    Thank you
    Mahendra.

    Published by: 898990 on December 7, 2011 23:23

    Hi Manon,.

    The WebGate is clearly at work, because you don't get the "unable to communicate with the access servers" message and it is honoring the deny-on-not-protected flag. It seems that none of the Application Domains protects resources on the WebGate (did you select the option to create policies by default when you created the WebGate?). If you have an 11g WebGate which is protecting the resources, the best way to set up the 10 g WebGate is probably to add a resource to the existing Application Domain that protects the 11g resources, ensuring that you specify a host ID that includes your 10g WebGate's preferred host.

    Kind regards
    Colin

  • OIM 11 g identity Administration with OAM 11 g.

    Hello

    After installation and configuration of OIM 11 g, configure the feature "activate with OAM administration identity"?

    I go to the docs, but I couldn't find how to do it after having configured the IOM Server?

    Concerning
    Krishna

    Krishna,

    Have a look at below article in Oracle support site:

    Integration of OIM 11g with Ldap Sync, OAM, and BI Publisher? [1225404.1 ID]

    This article tells points below:

    Goal
    Must OIM 11 g be integrated with 'LDAP Sync', 'OAM' and 'BI Publisher' when OIM is set up (using config.sh or .bat) for the first time, or can it be done later?

    Solution
    - BI Publisher: Yes, it is possible to integrate OIM with BI Publisher after OIM is installed and configured. You can use the Enterprise Manager (em) console to change the BI Publisher URL configured for OIM.

    - LDAP Sync: It is also possible to integrate LDAP synchronization with OIM after OIM is installed. Please refer to Note 1272682.1 for more information.

    - OAM: This can only be configured once, during the configuration of OIM when installing OIM for the first time. Subsequent configuration is not supported.

    Thank you
    GK

  • How to protect Sun Web Server with OAM

    Hi people,

    I need to protect a resource on the Sun Java Web Server with OAM 7. It is similar to the OSH protection? Anyone who has tried?

    Thank you, novel

    WebGate plug-in for Sun Java Web Server 7.0.x are available only for environments mentioned in my previous answer. You can see the matrix of Certification and check with Oracle Support what will be the realistic solution for your environment.

    As far as I know, there is no separate download.

  • OBIEE 11.1.1.6 SSO with OAM 11.1.1.5: problem of attribute OID 11.1.1.6

    Hello world!

    I configured an OAM (webgate) + OID + OBIEE + OHS system.
    OBIEE is protected via OHS (WebLogic module) and webgate. It works very well.
    OAM authenticates against OID (default user identity store).
    The "User Search Base" is the same ("cn=Users,dc=mydomain,dc=com") in the identity store and in the OID authentication provider of OBIEE too.
    SSO is enabled in OBIEE and suppliers are:
    OID (provider that performs authentication LDAP 1.0) JUST
    REQUIRED OAM (Oracle Access Manager identity Asserter 1.0) provider
    DefaultAuthenticator (WebLogic Authentication Provider 1.0) SUFFICIENT
    DefaultIdentityAsserter

    If the "User Name Attribute" is "cn" in the OAM user identity store and the "User Name Attribute" of the OBIEE OID provider is "cn" (the default) as well, everything works fine.

    But I have to use "orclSAMAccountName" instead of "cn" (in both OAM and the OID provider). And in this case, I have the problem.
    The OBIEE OID provider settings are:
    All Users Filter: (&(orclSAMAccountName=*)(objectclass=person))
    User From Name Filter: (&(orclSAMAccountName=%u)(objectclass=person))
    User Name Attribute: orclSAMAccountName

    I did a test user:
    CN = test
    SN = test_sn
    orclsamaccountname = test_sama
    UID = test_uid
    krbprincipalname = test_krb
    I can authenticate to OAM with test_sama, but OBIEE says: "you are not logged here: Oracle BI Server."
    The bi log shows that:
    + By default (self-adjusting)' > < BISystemUser > <>< 00093dFuR ^ HFW7PMye7i6G00052S000Tt7 > < 1345642607333 > < BEA-000000 > < javax.security.auth.login.FailedLoginException: [Security: 090304] authentication failed: User test javax.security.auth.login.LoginException: identity [Security: 090300] Assertion failure: test user does not exist +.
    + oracle.security.jps.internal.api.jaas.AssertionException: javax.security.auth.login.FailedLoginException: [Security: 090304] authentication failed: User test javax.security.auth.login.LoginException: [Security: 090300] identity Assertion failure: test user does not exist.

    Why does OBIEE search on "cn", and why does it not use "orclsamaccountname"?

    Any idea?

    Best regards, Jani

    Hello Joseph,.

    This is a known issue in OBIEE 11.1.1.6.0, please see: OBIEE 11.1.1.6 Agent failed with error code: IHVF6OM7:OPR4ONWY:U9IM8TAC [nQSError: 13039] the imposter does not exist in the BI [1446877.1 ID] Security Service

    We have configured OBIEE 11.1.1.6 on Linux and use Single Sign On (SSO) with authentication Native for Windows (Ondaaah).

    Configured authenticator AD, select sAMAccountName instead of CN for the attribute of the user. SSO in MS license. When you try to access the OBIEE presentation services we met the below error.

    «You are not logged here: Oracle BI Server.»

    When to check the logfile biserver1 found: failure of the Assertion of identity [Security: 090300]: user OracleSystemUser does not exist

    After you apply the hotfix 13553428 on top of 11.1.1.6.0 OBIEE we connected in OBIEE presentation services.

    It works very well with OBIEE, 11.1.1.5.0 and 11.1.1.6.1

    OBIEE fixed in 11.1.1.6.1. Apply Patch 13742915.

    If you want to stay in OBIEE 11.1.1.6.0. Apply Patch 13553428.

    Let me know if this solves the problem of Asserter.

    Pls mark so useful or response.

    Thank you
    SVS-

  • Headers with OAM 11 GR 2 PS3 question

    Hello

    We are migrating OAM 11 GR 2-OAM 11 GR 2 PS3 from windows to linux. We installed the new configuration of the PS3 and migrated all the OAM configuration details. We have the user profile of authorization policies for applications protected by OAM.

    But while testing the SSO with applications, I found below questions

    1. If any attribute is null in LDAP to the user, R2 returns NOT_FOUND. But in the PS3 display headers as null. Enforcement team has a logic based on NOT_FOUND only. It's a lot of changes on the changes of app to check the value of the attribute of null NOT_FOUND. Is there a workaround for this?

    2. We have multivalued attributes for users in LDAP. In R2, these multivalued attribute values are separated by a colon (:), but in PS3 they are separated by a comma.  I read doc ID 1935703.1 in Metalink, but it allows changing the comma separator. How can this be changed to a colon?

    Enjoy your entries.

    1. that is a very simple change in coding. Any decent programmer should be able to do this fairly easily.

    2. just follow the instruction and where it says ',' replace with ': '.

  • IOM Setup integrated with OAM in HA using separate domains

    Must configure OAM and IOM in HA and integrated.

    Target architecture:
    1 is high availability. We have eight servers 2 for each of: level Web, OAM, OAM and OUD.
    2 OAM must be integrated with the IOM.

    3. we use two domains an OAM and another separate domain for IOM.

    4 using the version IAM 11.1.2.3

    We follow the high availability and guides 11.1.2.3 integration.
    On two servers with its domain, we have installed an OAM and IOM on two other servers with her owner field.

    We used the references:

    http://docs.Oracle.com/CD/E52734_01/OIM/IDMIG/OIM.htm#IDMIG32008 (Integration_guide)

    • 2.1.2 access Manager and Oracle Identity Manager integration to a single node topology

    You MUST set up the components of Oracle Identity Management in distinct areas WebLogic Server (split domain topology), as discussed in Section 1.2.1 "Integration of basic topology", otherwise, try to repair or upgrade a product can be blocked by a dependency of a component shared with another version. When you install the Oracle Identity Management components in a single WebLogic Server domain, there is a risk that you install the component (custom libraries, jars, utilities and plug-ins) in the area is perhaps not compatible with other components, resulting in problems through your domain.


    Oracle Identity Manager integration roadmap and Manager to access the section 2.1.3 Says nothing on utilization patterns separate db created by UCR and nothing on the store security DB.


    3.2.9.2 article before you set up the database of store security
    Note: Regardless of the number of domains in a logic Oracle Identity and Access Management 11 g Release 2 (11.1.2) deployment (a logical deployment is a collection of products Oracle Identity and Access Management running in one or more domains and use a single database to store product schemas), all areas share the same database to store security and use the same encryption key for domain.
    The store security database is created when the first domain is created, and each new domain created is then joined with the database already created security store.


    We have already installed and configured OAM in its own domain and now wants to configure the IOM in its own domain.

    We configured IOM in its own domain using the same DB as OAM, and configured the security store DB using configureSecurityStore.py with the -m join option. This completed successfully, but OAM had a NAP error message.


    My questions:

    1. install IOM, MUST create us the separate db schemas when you use the RCU for IOM of OAM?  If so, why? Since it is in contrast with the references I listed above.   AND the need to ensure that we can OAM integrated with IOM.

    2 If can be convinced that they must be separated from the patterns which for each of the OAM and IOM?  (I am aware IOM needs: MDS, OPSS, IOM, SOAINFRA, ORASDPM, BIPLATFORM.)  But necessarily list OAM)

    3 so we can share the same patterns or if need to use a separate diagram, how we create the database of store (AKA strategies store) security?  To help create or join mode?

    Keeping in mind that we must integrate OAM and IOM.

    Not sure if someone has managed to do this configuration.

    Thank you

    If you're feeling lucky, you can try to fix your updateBIPJMSSecurity.py and then continue, however, if you want to be sure that nothing else could get broken by following the demolition, start from the beginning.

  • Integrate the discoverer 11g with OAM 11 g

    Hello

    We configured SSO for Discoverer and now we want to use a VIP, so our base URL should be changed. Currently we access Discoverer using the URL http://discovererdev01:8888/discoverer/plus. Rather than use the name of the computer, we want to use the alias http://discod.mycomapny.com/discoverer/plus instead. Inside OAM, we changed the base URL to http://discod.mycomapny.com, copied the new mod_osso.conf to the Discoverer machine and restarted OHS, but it gives us the SSO error and does not recognize the new URL.

    Is there something else we need to do. Here is the error that we

    System error. Please try your action again. If you continue to receive this error, contact the administrator.

    Thank you

    OHS is installed and where discovererdev01.mycompany.com is the real hostname of the machine running

    http://discovererdev01.mycompany.com:8888

    We have an OAM SSO Agent that works very well with the above URL, and when hitting http://discovererdev01:8888/discoverer/plus we are logged in directly.

    Users access Disco using http://discovererdev01:8888/discoverer/plus, which is a problem when we do DR, so we created a new VIP and use a global load balancer in front of our OHS to forward all requests for http://discod.mycomapny.com. This way, we don't have to hit Discoverer using the actual host name and can instead use the alias discod.mycomapny.com; in the case of DR, the only change happens at the global load balancer.

    So we updated the URL off in OAM SSO Agent of http://discovererdev01:8888 to http://discod.mycomapny.com and copied to new osso.conf to the ESO server and restarted the OHS and OAM. But when hitting http://discod.mycomapny.com/discoverer/plus get the error in the browser

    System error. Please try your action again. If you continue to receive this error, contact the administrator.

    Still the same error in FireFox as FireFox, it should pop up for the OAM login screen but looks not so it does not hit OAM when using VIP. It only works when we use the real hostname of the machine.

    Here's what we have in the file mod_wl_ohs.conf of OSH

    WebLogicCluster discovererdev01.mycompany.com:7003

    DynamicServerList off

    NameVirtualHost *:8888

    ServerName discovererdev01.mycompany.com

    ServerAlias discod.mycomapny.com

    RewriteEngine ON

    RewriteOptions inherit

    # RewriteRule ^/$ http://discoa/discoverer/plus [R]

    SetHandler weblogic-handler

    WebLogicCluster discovererdev01.mycompany.com:9008

    SSLEngine off

    We've even created a new SSO Agent, but still no luck. If you're wondering how it works when using VIP instead of the host names of the real machine. Or is that what I'm missing. Whoever did this, you will appreciate any input to solve this problem.

    Thank you

  • Suite of Oracle e-Business with OAM and IWA

    Hello

    We are about to implement a sso project to the following prescriptions.

    When users try to access the E-Business Suite, their windows logon is automatically recognized by OAM and they are authenticated by ad of them on target AD systems accounts.

    We plan to design as follows.

    1. users to connect on their machines and access to the eBusiness suite, you will be provided to link.
    2. this link redirects users to an IIS server that is on a separate machine that E-Business suite. WebGate and IWA is installed on the IIS server that allows to recognize the windows of the user connection and authenticates the user through OAM.
    3. after a successful authentication accesses the request without entering passwords.

    The question is whether this application is possible without oSSO side eBusiness suite. And do we need IIS to work as a proxy reverse to the way multi redirect? I couldn't exactly find a best practice for this scenario.

    Any help will be appreciated a lot!

    Thank you
    ECE

    I don't see how you would be able to integrate OAM with EBS, unless you have the oSSO (assuming of course that you are not on the bleeding edge, by 975182.1).

    We run the same configuration and installation in politics OAM redirects. We plant the roots of specific context for each application, then use the OAM strategy to redirect. (for example, http://iwa-server/ebs redirects to https://ebs-server)

    A single authorization rule for each redirection, then a unique 'policy' in the 'Policies' tab for each redirection. Each policy corresponds to the respective authorization rule.
