Patching Oracle Access Manager Server 11.1.1.5

I will detail the steps required for patching OAM from 11.1.1.5 to BP03 version. To find out all the OAM patch versions then refer the metalink note 736372.1.

The BP03 patch number is 13473393.

Patching process:

  • Stop OAM server and weblogic admin server and any other servers present in that domain.
  • Set the ORACLE_HOME env variable to point to OAM (IAM suite)
  • To find out the existing OAM version, execute the opatch lsinventory from ORACLE_HOME.
  • Goto the location $DOMAIN_HOME/config/fmwconfig/mbeans/oam. Backup the jars mapstore.jar, lifecycle.jar, mapstore-coherence.jar, config.jar.
  • Goto the location $DOMAIN_HOME/config/fmwconfig.  Backup the RequestResponseXMLSchema.xsd file.
  • Unzip patch file p13473393_111150_Generic.zip and goto the extracted folder. It contains etc and files folders.
  • Run the opatch command from the extracted patch using command $ORACLE_HOME/OPatch/opatch apply. See the below screenshot.
  • It prompts for “Is your local system ready for patching“. Answer Y and enter.
  • Wait till you see the message “OPatch succeeded
  • Export DOMAIN_HOME env variable to point to weblogic domain.
  • Goto location files /oam/server/scripts/opatch.
  • Execute domainAutomation.sh script.
  • Goto $DOMAIN_HOME/config/fmwconfig. Take backup of oam-config.xml.
  • Start only WebLogic Admin Server and not OAM Server.
  • Execute wlst.sh script from $ORACLE_HOME/common/bin.
  • Connect to weblogic admin server using connect(‘weblogic’,’password’,’t3://localhost:7001′). Change the weblogic credentials and URL details as per your environment.
  • Run the command patchUpgrade(path=”/u01/app/Oracle/Middleware/Oracle_IAM1″). Notice the message that oam-config.xml has been upgraded to new patch level. Refer the below screenshot.

 

 

 

 

 

 

 

 

  • Restart the WebLogic Admin server.
  • Start the OAM Managed server.
  • Goto $DOMAIN_HOME/config/fmwconfig and open the oam-config.xml. Goto the end of file and verify the version of PatchLevel as 11.1.1.5.3.

About the Author Mahendra

I am engulfed in Oracle Identity & Access Management domain. I have expertise on providing the optimized solutions for user provisioning, web access management, Single Sign-On and federation capabilities etc., I am also well versed with complex integrations within Identity Management and other product domains. I have expertise on building demos and implementation experience on products Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Entitlement Server, Oracle Virtual Directory, Oracle Internet Directory etc., Look @ my blog: http://talkidentity.blogspot.com

Leave a Comment:

10 comments
Adam says October 3, 2012

Hi Mahendra,

I had done OAAM-OAM-OIM integration succesfully.
I even got the OAAM SSO page fronting the protected resources . But the problem is , whenever i enter the credentials to access the protected resources , am not successfully being authenticated , and a loop occurs , as am redirected again to the OAAM login page.

Is the problem incurring due to a bug related to OAM Bp02 TAP authentication scheme? Should i patch it to BP03? Will that solve the issue?

Early Help will be highly appreciated.

Thanks,
Adam

Reply
    Atul Kumar says October 3, 2012

    @ Adam,
    Yes this is BUG in OAM BP02 , apply BP03 and it should fix this re-direct issue.

    Reply
Adam says October 5, 2012

Hi Atul,

Thanks for the imminent response.
I successfully patched my current environment to BP03, but still am facing the same issue!!

Is it that , i have to create some additional rules in OAAM_Admin console, to bypass the OAAM SSO Login Page as it may be checking with its own policies in addition to the authentication policies defined in OAM?

Thanks,
Adam

Reply
Atul Kumar says October 7, 2012

@ Adam,
Are you saying that even after applying OAM BP03 you still get request redirecting (between OAM and OAAM infintely). If this is the case then ensure that you applied patch successfully.

I have OAM 11.1.1.5 BP03 and OAAM 11.1.1.5 BP01 integarted and working fine so this should work.

No additional rules are required in OAAM_Admin as default rukes in oaam_base_snapshot are enough (did you import oaam_base_snapshot )?

Share you exact issue with step by step instructions as what you see so that I can understand problem.

Reply
Adam says October 8, 2012

Hi Atul,
Thanks for the detailed response.

Yes, i did apply the patch successfully.
And I did import the oaam_base_snapshot as well!

Here’s the environment i had setup!
I had configured a domain to support OAM,OAAM,OIM.
I have the admin server running in one seperate machine.
OAM,OAAM managed servers in another machine.
And i have the LDAP store setup on another machine.
Recently i had integrated OAM with OIM , and fronted it with webgate11g .
Hence OAM was the SSO Page . But i neeeded strong authentication , hence went for OAAM integration with OAM and OIM.
Hence i get the OAAM SSO Page , but then , i face this issue that i cant bypass the SSO page with any of the credentials i have created.

Thanks,
Adam

Thanks

Reply
Adam says October 8, 2012

Hi Atul,
This is what i found in the Oaam_server_server1 log file .

[2012-10-08T03:11:44.416-07:00] [oaam_server_server1] [ERROR] [] [oracle.oaam] [tid: [ACTIVE].ExecuteThread: ‘0’ for queue: ‘weblogic.kernel.Default (self-tuning)’] [userId: ] [ecid: 562ef56db5811365:-17c3dd71:13a31635ba7:-8000-0000000000002eb7,0] [APP: oaam_server#11.1.1.3.0] Id mapping for DB_OBJ_QUERY_ERROR not found.
[2012-10-08T03:11:44.416-07:00] [oaam_server_server1] [ERROR] [] [oracle.oaam] [tid: [ACTIVE].ExecuteThread: ‘0’ for queue: ‘weblogic.kernel.Default (self-tuning)’] [userId: ] [ecid: 562ef56db5811365:-17c3dd71:13a31635ba7:-8000-0000000000002eb7,0] [APP: oaam_server#11.1.1.3.0] Caught exception. getUser() loginId=weblogic[[
DB_OBJ_QUERY_ERROR=select vcryptUser from VCryptUser vcryptUser where vcryptUser.loginId = :value_0 and vcryptUser.groupId = :value_1, java.lang.RuntimeException: javax.crypto.BadPaddingException: Given final block not properly padded
at com.bharosa.common.util.cipher.DESedeCipher.decrypt(DESedeCipher.java:137)
at com.bharosa.common.util.BharosaCipher.decrypt(BharosaCipher.java:482)
at com.bharosa.vcrypt.auth.util.VCryptPassword.decrypt(VCryptPassword.java:46)
at com.bharosa.common.toplink.TOPLinkPasswordAttributeTransformer.buildObjectValue(TOPLinkPasswordAttributeTransformer.java:16)
at com.bharosa.common.toplink.TOPLinkAttributeTransformer.convertDataValueToObjectValue(TOPLinkAttributeTransformer.java:71)
at org.eclipse.persistence.mappings.foundation.AbstractDirectMapping.valueFromRow(AbstractDirectMapping.java:1263)
at org.eclipse.persistence.mappings.DatabaseMapping.readFromRowIntoObject(DatabaseMapping.java:1283)
at org.eclipse.persistence.internal.descriptors.ObjectBuilder.buildAttributesIntoObject(ObjectBuilder.java:342)
at org.eclipse.persistence.internal.descriptors.ObjectBuilder.buildWorkingCopyCloneNormally(ObjectBuilder.java:616)
at org.eclipse.persistence.internal.descriptors.ObjectBuilder.buildObject(ObjectBuilder.java:502)
at org.eclipse.persistence.internal.descriptors.ObjectBuilder.buildObject(ObjectBuilder.java:454)
at org.eclipse.persistence.queries.ObjectLevelReadQuery.buildObject(ObjectLevelReadQuery.java:723)
at org.eclipse.persistence.queries.ReadAllQuery.executeObjectLevelReadQuery(ReadAllQuery.java:420)
at org.eclipse.persistence.queries.ObjectLevelReadQuery.executeDatabaseQuery(ObjectLevelReadQuery.java:1076)
at org.eclipse.persistence.queries.DatabaseQuery.execute(DatabaseQuery.java:740)
at org.eclipse.persistence.queries.ObjectLevelReadQuery.execute(ObjectLevelReadQuery.java:1036)
at org.eclipse.persistence.queries.ReadAllQuery.execute(ReadAllQuery.java:380)
at org.eclipse.persistence.queries.ObjectLevelReadQuery.executeInUnitOfWork(ObjectLevelReadQuery.java:1122)
at org.eclipse.persistence.internal.sessions.UnitOfWorkImpl.internalExecuteQuery(UnitOfWorkImpl.java:2910)
at com.bharosa.common.toplink.OAAMPerformanceProfiler.profileExecutionOfQuery(OAAMPerformanceProfiler.java:96)
at org.eclipse.persistence.internal.sessions.AbstractSession.executeQuery(AbstractSession.java:1289)
at org.eclipse.persistence.internal.sessions.AbstractSession.executeQuery(AbstractSession.java:1273)
at org.eclipse.persistence.internal.sessions.AbstractSession.executeQuery(AbstractSession.java:1247)
at org.eclipse.persistence.internal.jpa.EJBQueryImpl.executeReadQuery(EJBQueryImpl.java:479)
at org.eclipse.persistence.internal.jpa.EJBQueryImpl.getResultList(EJBQueryImpl.java:714)
at com.bharosa.common.toplink.TopLink11gBaseDAO$ExecuteDBQueryAction.internalPerformAction(TopLink11gBaseDAO.java:197)
at com.bharosa.common.toplink.TopLink11gBaseDAO$DBAction.performAction(TopLink11gBaseDAO.java:100)
at com.bharosa.common.toplink.TopLink11gDBMgr.executeDBQuery(TopLink11gDBMgr.java:238)
at com.bharosa.vcrypt.dataaccess.impl.VCryptUserDataAccessImpl.getVCryptUserByLoginId(VCryptUserDataAccessImpl.java:493)
at com.bharosa.vcrypt.auth.impl.VCryptAuthImpl.createUser(VCryptAuthImpl.java:586)
at com.bharosa.vcrypt.auth.impl.VCryptAuthMonitorImpl$13.perform(VCryptAuthMonitorImpl.java:134)
at com.bharosa.common.monitoring.MonitorInterceptor.performAction(MonitorInterceptor.java:331)
at com.bharosa.common.monitoring.MonitorInterceptor.performActionNoFingerprint(MonitorInterceptor.java:371)
at com.bharosa.vcrypt.auth.impl.VCryptAuthMonitorImpl.createUser(VCryptAuthMonitorImpl.java:137)
at com.bharosa.vcrypt.auth.impl.VCryptAuthFilterImpl.createUser(VCryptAuthFilterImpl.java:119)
at com.bharosa.vcryptclient.proxy.impl.BharosaProxyImpl.createUser(BharosaProxyImpl.java:265)
at com.bharosa.uio.actions.LoginAction.initUser(LoginAction.java:296)
at com.bharosa.uio.actions.LoginAction.bharosaExecute(LoginAction.java:78)
at com.bharosa.uio.actions.UIOBaseAction.execute(UIOBaseAction.java:81)
at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:421)
at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:226)
at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1166)
at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:417)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:821)
at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:300)
at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:27)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:57)
at oracle.security.wls.filter.SSOSessionSynchronizationFilter.doFilter(SSOSessionSynchronizationFilter.java:277)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:57)
at oracle.security.jps.ee.http.JpsAbsFilter$1.run(JpsAbsFilter.java:111)
at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:313)
at oracle.security.jps.ee.util.JpsPlatformUtil.runJaasMode(JpsPlatformUtil.java:413)
at oracle.security.jps.ee.http.JpsAbsFilter.runJaasMode(JpsAbsFilter.java:94)
at oracle.security.jps.ee.http.JpsAbsFilter.doFilter(JpsAbsFilter.java:161)
at oracle.security.jps.ee.http.JpsFilter.doFilter(JpsFilter.java:71)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:57)
at oracle.dms.servlet.DMSServletFilter.doFilter(DMSServletFilter.java:136)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3681)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2183)
at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1454)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:178)
Caused by: java.lang.RuntimeException: javax.crypto.BadPaddingException: Given final block not properly padded
… 65 more
Caused by: javax.crypto.BadPaddingException: Given final block not properly padded
at com.sun.crypto.provider.SunJCE_f.b(DashoA13*..)
at com.sun.crypto.provider.SunJCE_f.b(DashoA13*..)
at com.sun.crypto.provider.DESedeCipher.engineDoFinal(DashoA13*..)
at javax.crypto.Cipher.doFinal(DashoA13*..)
at com.bharosa.common.util.cipher.DESedeCipher.decrypt(DESedeCipher.java:128)
… 64 more

]]
[2012-10-08T03:11:44.416-07:00] [oaam_server_server1] [WARNING] [] [oracle.oaam] [tid: [ACTIVE].ExecuteThread: ‘0’ for queue: ‘weblogic.kernel.Default (self-tuning)’] [userId: ] [ecid: 562ef56db5811365:-17c3dd71:13a31635ba7:-8000-0000000000002eb7,0] [APP: oaam_server#11.1.1.3.0] Error creating user, requestId=56_5890da09c0a2953baac663197f8f5e1eb4201e364ded6037070def276051dee5
[2012-10-08T03:11:44.416-07:00] [oaam_server_server1] [ERROR] [] [oracle.oaam] [tid: [ACTIVE].ExecuteThread: ‘0’ for queue: ‘weblogic.kernel.Default (self-tuning)’] [userId: ] [ecid: 562ef56db5811365:-17c3dd71:13a31635ba7:-8000-0000000000002eb7,0] [APP: oaam_server#11.1.1.3.0] Unable to find client user in session. Sending user to login page.
[2012-10-08T03:11:44.416-07:00] [oaam_server_server1] [NOTIFICATION] [] [oracle.oaam] [tid: [ACTIVE].ExecuteThread: ‘0’ for queue: ‘weblogic.kernel.Default (self-tuning)’] [userId: ] [ecid: 562ef56db5811365:-17c3dd71:13a31635ba7:-8000-0000000000002ebb,0] [APP: oaam_server#11.1.1.3.0] getURLFromCookie Cookie is null
[2012-10-08T03:11:44.416-07:00] [oaam_server_server1] [NOTIFICATION] [] [oracle.oaam] [tid: [ACTIVE].ExecuteThread: ‘0’ for queue: ‘weblogic.kernel.Default (self-tuning)’] [userId: ] [ecid: 562ef56db5811365:-17c3dd71:13a31635ba7:-8000-0000000000002ebb,0] [APP: oaam_server#11.1.1.3.0] OAM Redirect URL not found in request parameter or in cookie.
[2012-10-08T03:11:44.431-07:00] [oaam_server_server1] [NOTIFICATION] [] [oracle.oaam] [tid: [ACTIVE].ExecuteThread: ‘0’ for queue: ‘weblogic.kernel.Default (self-tuning)’] [userId: ] [ecid: 562ef56db5811365:-17c3dd71:13a31635ba7:-8000-0000000000002ebb,0] [APP: oaam_server#11.1.1.3.0] Returning InitStatus as [true]
[2012-10-08T03:12:31.729-07:00] [oaam_server_server1] [NOTIFICATION] [] [oracle.oaam] [tid: Timer-5] [userId: ] [ecid: 562ef56db5811365:-17c3dd71:13a31635ba7:-8000-0000000000000002,1:22761] [APP: oaam_server#11.1.1.3.0] com.bharosa.common.db.BharosaDBMgr: current queue size=0, processed 3 in 60 seconds with per second=0.05, total till now=10, reseted 0 times
[2012-10-08T03:12:31.729-07:00] [oaam_server_server1] [NOTIFICATION] [] [oracle.oaam] [tid: Timer-5] [userId: ] [ecid: 562ef56db5811365:-17c3dd71:13a31635ba7:-8000-0000000000000002,1:22761] [APP: oaam_server#11.1.1.3.0] DynamicActionsExecutor_0: current queue size=0, processed 2 in 60 seconds with per second=0.03333333333333333, total till now=6, total processed till now=6, reseted 0 times
[2012-10-08T03:12:31.729-07:00] [oaam_server_server1] [NOTIFICATION] [] [oracle.oaam] [tid: Timer-5] [userId: ] [ecid: 562ef56db5811365:-17c3dd71:13a31635ba7:-8000-0000000000000002,1:22761] [APP: oaam_server#11.1.1.3.0] com.bharosa.vcrypt.tracker.rules.logs.data.AsyncDBLogger: current queue size=0, processed 6 in 60 seconds with per second=0.1, total till now=18, reseted 0 times
[2012-10-08T03:16:57.668-07:00] [oaam_server_server1] [NOTIFICATION] [] [oracle.oaam] [tid: Timer-5] [userId: ] [ecid: 562ef56db5811365:-17c3dd71:13a31635ba7:-8000-0000000000000002,1:22761] [APP: oaam_server#11.1.1.3.0] Removed 1 requestIds from cache. There are 0 sessions in the cache. Cache time to live is 5 minutes

Thanks,
Adam

Reply
Ashutosh says December 7, 2012

Hi Adam,

Is your problem resolved or still getting issues?
What Authentication scheme you are using? If using Basic, then there is an issue with Basic authentication scheme, after applying BP02 and BP03 patch.
It’s manual work around is to make some entries in Basic authentication scheme on OAMCONSOLE as mentioned below and it will work.

1. Access OAM Console from a browser by going to the OAM Admin URL. (Eg: http://:/oamconsole )
Make sure the Admin server is up
2. Click on ‘Policy Configuration’

3. Double click on ‘BasicScheme’ from the section ‘Authentication Schemes’

4. Update this scheme based on the below parameters:

Add the following to the text field called ‘Challenge Parameters’:

contextType=default
contextValue=/oam
challenge_url=/CredCollectServlet/BASIC

and apply the changes.
Hope it will work for you as well !!!

Reply
Me says February 16, 2013

Hi,
Will this patch permit us to install Oracle Forms and Reports 11g R2 with SSO without any problem; Because I am facing this bug :
Bug 14053429 : FORMS 11.1.2.0.0 UNABLE TO CONNECT TO OAM 11.1.1.5.0BP02.

Did you try to installa F&R 11gR2 with SSO and get this problem ?

Regards,

Amine

Reply
vihangastik says October 3, 2013

Hi Atul,

How can I determine which version of OAM and OIM have been installed on server?

Thanks,

Reply
    Atul Kumar says October 6, 2013

    @ vihangastik,
    For 11gR1 onwards of IAM (OAM/OIM) – Login to server on whoch OAM/OIM is installed and then run “opatch lsinventory”

    $ORACLE_HOME/OPatch/opatch lsinventory

    This will give you base version and patch number installed on top. Path numbers will give you patchset version.

    Reply
Add Your Reply

Not found