46 comments
Hi,
In OIA: Identity warehouse -> Roles -> New Role -> Ownership tab -> Add Owners.
Here at the Add Owners step I can see only users who are imported from OIM (global users / end users).
And if I assign an end user as owner of a role, the role membership approval task still goes to rbacxadmin.
Can we select OIA users as a Role Owner?
Is there any way to log in to OIA using a global user/end user?
Please help me to understand this scenario.
Thanks,
Pallavi Chaudhari
@ Pallavi,
Is there any way to log in to OIA using a global user/end user?
Yes, if you integrate OIA with a Single Sign-On solution like OAM (Access Manager).
Thanks Atul,
Is there any way to assign an OIA user as a role owner? Because whenever the role membership workflow executes, it always assigns the membership approval task to rbacxadmin or an OIA user with access control permissions.
And one more thing: even if I assign the Role owner as an OIM User, when roles are pushed to OIM from OIA the role owner is always reflected as a system administrator. Is this the way OIA behaves?
Thanks for your time.
– Pallavi Chaudhari
Resolved this issue. We have to manually create an OIA User account for the global user with access control enabled. Then role change and role creation requests will go to the role owner (who is a global user).
@ Pallavi,
Thanks for sharing information.
Have you integrated OIM 11g with OIA 11g for user provisioning?
Hi Atul,
Yes, I have integrated OIM 11.1.1.5.0 with OIA 11.1.1.5.0, but not for user provisioning; I am using it for RBAC and the attestation process.
@ Pallavi,
Thanks a lot. For some reason my OIM-OIA integration was not working earlier. This is now fixed.
Do you currently hold OIA certification 1z0-544 ? http://www.oracle.com/partners/en/knowledge-zone/middleware/identity-analytics-admin-exam-page-177476.html
I am planning to do this certification but am finding it extremely difficult to do on my own. Do let me know if you can help me or would like to do group study (maybe I can bring a few more people, each covering 1-2 topics).
Contact me on my email atul [at] onlineAppsDBA.com if interested
Hello!
I need help to integrate OIA with OIM. When you run the job to import metadata from OIM, the following error is generated.
09:12:09,271 ERROR [IamDbNamespaceImporterHelperImpl] Error connecting to OIM
Thor.API.Exceptions.tcAPIException: javax.security.auth.login.LoginException: java.lang.SecurityException: [Security:090304]Authentication Failed: User xelsysadm javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User xelsysadm denied
at Thor.API.tcUtilityFactory.(tcUtilityFactory.java:166)
at com.vaau.rbacx.iam.util.oracle.oimapi.OimUtilityFactory.getUtilityFactory(OimUtilityFactory.java:67)
at com.vaau.rbacx.iam.db.helpers.IamDbNamespaceImporterHelperImpl.readNamespaces(IamDbNamespaceImporterHelperImpl.java:85)
at com.vaau.rbacx.iam.db.DBIAMSolution.readResourceMetadata(DBIAMSolution.java:697)
at com.vaau.rbacx.iam.service.impl.RbacxIAMServiceImpl.importResourceMetadata(RbacxIAMServiceImpl.java:473)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:106)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
at $Proxy118.importResourceMetadata(Unknown Source)
at com.vaau.rbacx.scheduling.executor.iam.IAMJobExecutor.execute(IAMJobExecutor.java:107)
at com.vaau.rbacx.scheduling.manager.providers.quartz.jobs.AbstractJob.execute(AbstractJob.java:72)
at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:534)
09:12:09,272 ERROR [DBIAMSolution] Error Importing Namespaces : javax.security.auth.login.LoginException: java.lang.SecurityException: [Security:090304]Authentication Failed: User xelsysadm javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User xelsysadm denied
OIA is not installed on the same domain as OIM.
If you can help me I would be very grateful
Tks
@ Tariks,
Please update the version of OIM and OIA you are using.
@ Tariks,
1. Verify that you can log in to the OIM URL http://server:14000/oim using the xelsysadm password
2. Ensure that all steps mentioned in section 1.4 at http://docs.oracle.com/cd/E24179_01/doc.1111/e23377/integratingwithoimpreferred.htm#BABCDIGB are actioned.
Including creation of wlfullclient.jar and copying it to OIA_staging/WEB-INF/lib
@Tariks
Did you follow this step:
Copy the config folder located at /config and paste it in the Oracle Identity Analytics $RBACX_HOME/xellerate folder.
Hi
The problem was the folder setting RBACX_HOME/xelerate/config
This is working now. Sirs, thank you for your help.
Hi, I am a new entrant to OIA. Can someone tell me how I can delete the existing data in OIA?
I see existing data for users, roles and business units… I want to delete it and import it again just to understand how it works.
Thanks in advance
Hi,
OIA table structure …
http://docs.oracle.com/cd/E27119_01/doc.11113/e23128/docinfo.html#scrolltoc
There must be multiple data dependencies. Study the table structure.
If the interest is to get a clean fresh DB, you can rerun the DB creation script to clean up the DB. This script will drop the tables and the relevant data associated with them. Please note this is a destructive process and an appropriate backup needs to take place in the case of a production instance.
Hi Atul/Pallavi,
We are using the OIA attestation process, but the problem here is: when we create a certification based on the resource entitlement, it gets all the users assigned to the resource and creates a certification, and meanwhile it automatically pulls the user's manager (the certifier, who is now in the global users list) into the OIA users list. This is fine, but what is the default password it sets for it to make it an admin user?
Please help me in this regard.
thanks
naidu
Hi,
If you are still looking for an answer:
Password for a certifier created by OIA:
Certifier password will be:
First Name 3 letter + ‘@’ + last name 3 letters
Hi naidubetha,
If you create Resource Entitlement attestation it will include all users associated with that resource for certification.
I do not have a working setup of OIA right now. Can you please try to see the options while creating the attestation job for selecting a particular user?
Hi Pallavi,
Thanks for your valuable information. It saved a lot of time for me.
Yes, I am able to do the Resource Entitlement attestation for the selected users too, but anyway I need it for the user's manager only. Can you please tell me how you found this password solution? Any doc or site, etc.? Because I need to do a lot of R&D on this OIA.
thanks a lot
Naidubetha
Hi naidubetha,
Please look into /WEB-INF/security-config-context.xml.
Search for :
Hello all,
Please reply to the following questions (required to prepare for the 1Z0-5454 OIA and OIM 11g certification exam):
(Best answer)
You want to trigger role membership rules manually and not through the UI. You should add the “roleMembershipRuleJob” trigger to…
XA) Scheduling-context.xml .
B) SchedulerExecutionLogRecord.xml
XC) Jobs.xml
D) Conf-context.xml
E) Search-Context.xml
Why is “role consolidation”(Role Management Engineering) an important step in an OIA implementation?
A) It helps streamline provisioning and deprovisioning processes in IDM organizations – looks like a valid answer, further investigation needed
The next 3 answers were among the following (including C):
B) Ensures compliance
C) Helps in Role Entitlement certification
D) Avoids role explosion
D) Helps in building audit policies
E) Improves system performance
Hi,
Answer to first question :
To import role membership rules manually without using the UI, you need to enable the entry of the bean ‘roleMembershipRuleJob’ in Scheduling-context.xml, and in jobs.xml you need to update the cron expression to decide how frequently the job will run.
Answer to the question: Why is “role consolidation” (Role Management Engineering) an important step in an OIA implementation?
– I think it is D) Avoids role explosion
Hi,
I am trying to import users from Global users to OIA users. I heard we have to use the OIA web service to create the user.
I enabled the web service. When I look at the guide, it provides me the method, not a class:
public boolean createUser(UserVO user) throws RbacxServiceException
Do you know how to write the code using this method?
Regards,
L.Kesavan
1. Generate Java classes from the WSDL.
WSDL URL for userService is: http://oia-host:oia-port/youroiawebappname/ws/userService?wsdl
2. Package the generated Java classes from the above step into a jar and add this jar to the classpath.
3. Write a HeaderHandlerResolver to provide the authentication information to the OIA web service.
Sample code to create a user in OIA:
public void sendCreateUserRequest(UserServicePortType oiaWSPort) {
    System.out.println(" Entering into sendCreateUserRequest() ");
    try {
        // Populate the value object that createUser() expects
        UserVO userVoObject = new UserVO();
        userVoObject.setUsername("WSUSER1");
        userVoObject.setFirstName("WS");
        userVoObject.setLastName("User1");
        userVoObject.setMiddleName("S");
        userVoObject.setEmployeeType("Full-Time");
        // createUser() returns true when OIA accepts the new user
        boolean isUserCreated = oiaWSPort.createUser(userVoObject);
        System.out.println(" User Created :: " + isUserCreated);
    } catch (Exception e) {
        e.printStackTrace();
    }
    System.out.println(" Exit from sendCreateUserRequest() ");
}
Try it out. Let me know if you need more information.
Hi,
I have a question related to OIA (11.1.1.5.4) and OAM (11.1.1.5).
I have protected OIA using OAM, and created a policy and an LDAP authentication scheme; OID is used as the source for authentication.
And on the OIA side I have done the modifications as mentioned in the OIA system integration guide (section 4).
But I am facing a problem.
When I access rbacx through the reverse proxy URL, I get the SSO login page, and after entering the credentials it takes me again to the OIA login page.
Any information on this?
@ Vani Joshi,
What header variable are you using to pass to OIA? Did you add a Response with the header variable in authentication & authorization of your OIA policy? Response is covered in chapter 5 of my book http://www.amazon.com/Oracle-Identity-Access-Manager-Administrators/dp/1849682682
Hi,
We are using the create user API of OIA 11.1.1.5 to create the logon users directly in OIA through OIM.
But we are getting some exceptions:
Please find the code and the exception we are getting. Any info on this will be of great help.
Code:
public static void main(String[] args) {
    try {
        // Generated client proxy for the OIA user web service
        webservice.proxy.UserServiceHttpPortClient myPort = new webservice.proxy.UserServiceHttpPortClient();
        System.out.println("calling " + myPort.getEndpoint());
        // Add your own code here
        myPort.setUsername("rbacxadmin");
        myPort.setPassword("Abs@1234");
        // Simple round trip to check that the service answers
        System.out.println("calling " + myPort.getPort().testConnection());
    } catch (Exception ex) {
        ex.printStackTrace();
    }
}
Error:
calling http://kabini:7003/rbacx/ws/userService
javax.xml.rpc.soap.SOAPFaultException: ForgivingWSS4jInHandler: Error occured, and it wasn’t the one I am configured to ignore: WSS4JInHandler: Request does not contain required Security
header (WSS4JInHandler: Request does not contain required Security header)
at oracle.j2ee.ws.client.StreamingSender._raiseFault(StreamingSender.java:568)
at oracle.j2ee.ws.client.StreamingSender._sendImpl(StreamingSender.java:396)
at oracle.j2ee.ws.client.StreamingSender._send(StreamingSender.java:112)
at webservice.proxy.runtime.UserServiceHttpBinding_Stub.testConnection(UserServiceHttpBinding_Stub.java:836)
at webservice.proxy.UserServiceHttpPortClient.main(UserServiceHttpPortClient.java:31)
Process exited with exit code 0.
@Thanks
This is working now. The header variable was set correctly, but I had given the wrong value in the resource protection.
Hi,
Can you please help me regarding the setting of the header variable in the response of OAM?
I have tried one, but when I hit the URL: /rbacx/j_acegi_security_check
it throws the OIA login page with an invalid credentials error.
Can you please tell me the names and values which I have to assign to the header variables?
Currently I am using:
name: preAuthUsernameHeaderKey value: $sm-user
Is this correct, or do I have to change it? Please help.
Hi,
I need to call an OIA session from Java code outside the OIA application, so that I can access the OIA database and OIA API in my Java code.
Could you please let me know how to achieve this functionality?
Thanks
@nitinj
Check OIA API guide please
http://docs.oracle.com/cd/E24179_01/doc.1111/e23366/toc.htm
Hi Atul,
Thanks for the reply. I saw the API documentation.
Could you please share some sample code to access the OIA session from outside OIA application.
Thanks
Hi,
What header variables are to be used to pass to OIA for SSO?
Thanks,
Amruta Agarwal
@ Amruta,
Use sm-user as described in http://docs.oracle.com/cd/E24179_01/doc.1111/e23377/configuringwebaccesscontrol.htm#sthref68
or you can pick any header of your choice (pass on the userID in that header variable) and then replace sm-user with this header variable in the file security-context.xml
I am going to post soon on OIA integration with Oracle Access Manager (OAM) 11g for Single Sign-On (SSO)
Hi Guys,
Is there a way we can provision OIM users (global users) in OIA as OIA users so they can log in to the rbacx console? Is any kind of OIA/DBUM connector available for it?
Figured it out 🙂
Please create a certification for the user, user will appear in OIA user list …
Thanks!
Shashikant
Hi All
I am using
OIA-11.1.1.5.4c
OIM-11.1.1.5.6
importing users from OIM to OIA and then exporting roles from OIA to OIM.
My issue is
how to delete the users in OIA??
Without getting into database.
Hi,
Has anybody posted the steps for OIA and OAM integration for SSO
Thanks,
Jatin Gupta