Autologin failed in OIM/OAM Integration after password reset SSOAccessKey javax.security. auth.login. LoginException

OAM is Oracle’s recommended single sign-on (SSO) solution and OIM is recommended user management (including password) and user/role provisioning solution. It is recommended to integrate OIM with OAM so that
a) Users accessing application via OAM (Single Sign-On – SSO) can be managed via OIM (self service password reset, account unlock…)
b) Users managed by OIM (for self service password reset, account unlock…) can access OIM application using SSO (OAM)

OIM/OAM 11g installation, configuration & Administration is also covered in my book 

Test Case: On logon (after forgot password or password reset by administrator) after typing new password, user should not be prompted again for logon.

Actual Result: OAM was prompting for logon again after password reset.

Where to look for logs  If you hit issue like this then you should look OIM server log files i.e. $DOMAIN_HOME/ servers/ <oim_server>/ logs/ oim_server1.out

In my case error message was :

_____

<Feb 14, 20124:50:10 PM GMT> <Error> <OAM Autologin Logger> <BEA-000000> <OAM client not initialized>
<Feb 14, 20124:50:10 PM GMT> <Error> <OAM Autologin Logger> <BEA-000000> <Could not initialize autologin provider from oim configoracle.iam.sso.exception.AutoLoginException: aaaClient not initialized properly>
URL Index27
<Feb 14, 20124:50:10 PM GMT> <Error> <OAM Autologin Logger> <BEA-000000> <Error while authentication java.lang.NullPointerException>
<Feb 14, 20124:50:10 PM GMT> <Error> <oracle.iam.passwordmgmt.impl> <BEA-000000> <INTERNAL ERROR: Autologin failed oracle.iam.sso.exception.AutoLoginException: Error while authentication >
javax.security.auth.login.LoginException: Error while autologin oracle.iam.sso.exception.AutoLoginException: Error while authentication
        at oracle.iam.passwordmgmt.utils.PwdMgmtAutologinHelper.doAutologin(PwdMgmtAutologinHelper.java:146)

.
.
.
.
at weblogic.work.ExecuteThread.run(ExecuteThread.java:178)
Unknown Credential type to find the password for the given map : oim   key : SSOAccessKey

____

Before I jump to fix, let us understand how autologin works with OIM-OAM integration and what is significance of key SSOAccessKey.

WebGate  is Policy Enforcement Point (PEP) which protect resources protected by OAM. This WebGate can be further secured by setting passwordfor this WebGate Instance.

When you integrate Oracle Identity Manager (OIM – For user & password management) then OIM contact OAM via WebGate. If WebGate is protected by password then OIM needs this password to connect to WebGate. OIM stores this password in Credential Store (CSF) which can be managed by Enterprise Manager (EM) or WebLogic Scripting Tool (WLST).

idmConfigTool(tool to integrate OIM with OAM) should have created credential (keyName and password) for map oim as key SSOAccessKey with value as WebGate password. In my case this key SSOAccessKey for map OIM was missing.

Fix: Use EM or WLST to create key SSOAccessKey with value as password of WebGate used during OIM/OAM integration i.e. Webgate_IDM.

Steps to create key SSOAccessKey from EM
1. Login to EM http://weblogicHost:AdminPort/em
2. Navigate to WebLogic Domain -> <domain>
3. Right click on <domain> -> Security -> Credential
4. Select credential key OIM and click Create Key
5. Enter following
–Map: oim
–Key: SSOAccessKey
–Type: Password
–UserName: SSOAccessKey
–Password: <password for webgate Webgate_IDM>
–Description : OAM webgate password for webgate ID Webgate_IDM

Click Apply

Note: No re-start is required and OIM should pick password in key SSOAccessKeyon next auto login request.

About the Author Atul Kumar

Oracle ACE, Author, Speaker and Founder of K21 Technologies & K21 Academy : Specialising in Design, Implement, and Trainings.

follow me on:

Leave a Comment:

1 comments
IgnitedMind says November 23, 2012

Current System:

I have a email template which has username & password sent to customer even for reset password.

Proposed System:

I wanted to know how below approach will work?

Email contin link for reset password sent to customer. Customer clikc on that link redirect to Page where his current password appeared & he can input new password. OR

What is the best Practice to reset password without giving password in clear text in email

Help Appreciated

Reply
Add Your Reply

Not found