OIM-OAM-OAAM integration – Account Lockout in OAM: obLoginTryCount, oblockouttime, MaxRetryLimit

When you integrate OIM with OAM (and optionally OAAM), a user logging on to OIM via OAM is locked out by OAM after 5 consecutive failed attempts. This post covers what happens behind the scenes: how account lockout happens in OAM and how to unlock the account.

Note: When an account gets locked in OAM (via the attribute obLoginTryCount in the LDAP server) and the user then types the correct password, the user sees the message "Account is Disabled" on screen. This message is misleading: it gives the impression that the account is disabled in OIM, whereas the account is actually locked.

1. Oracle Access Manager is Oracle's Single Sign-On product (it came to Oracle through the acquisition of Oblix).

2. For OIM-OAM-OAAM integration you extend the LDAP server schema and add the ob* attributes (ob stands for Oblix).

3. The LDAP schema extension for OAM is done using idmConfigTool.sh -preConfigIDStore (the LDIFs for the schema extension are in ORACLE_HOME/oam/server/oim-intg/schema/*.ldif). More on idmConfigTool here.

4. When a user logs in to an application (OIM in this case) via OAM and types a wrong password, the value of the attribute obLoginTryCount is incremented by 1.

5. If the user types a wrong password 5 times consecutively and obLoginTryCount reaches 5, OAM treats the account as locked.

6. The limit of 5 consecutive failed attempts (before the account is treated as locked) is set by the parameter MaxRetryLimit in the OAM configuration file $DOMAIN_HOME/config/fmwconfig/oam-config.xml:

<Setting Name="OAMServerProfile" Type="htf:map">
  <Setting Name="OAMSERVER" Type="htf:map">
    <Setting Name="serverhost" Type="xsd:string">innowave21.onlineAppsDBA.com</Setting>
    <Setting Name="serverport" Type="xsd:string">7777</Setting>
    <Setting Name="serverprotocol" Type="xsd:string">http</Setting>
    <Setting Name="MaxRetryLimit" Type="xsd:integer">5</Setting>
  </Setting>

7. If the user types a wrong password, say, three times, obLoginTryCount is set to 3. If the user then types the correct password (any time before obLoginTryCount reaches 5), obLoginTryCount for this user is reset to 0.

8. If the attribute has reached 5 and the user then resets the password (by answering the challenge questions correctly), obLoginTryCount is reset to zero.

9. To unlock an account locked via obLoginTryCount, an administrator can either set obLoginTryCount and oblockouttime to NULL (simply remove any value from these two attributes), or reset the user's password and ask the user to log in with the new password. After typing the new password the user is redirected to the account-disabled page and can then unlock the account by answering the challenge questions.

10. If you see errors like the ones below in the OAM logs, the OAM software owner (by default cn=oamLDAP,cn=Users,dc=[domain]) does not have write privileges on the attribute obLoginTryCount of the user who is trying to log in with a wrong password:

<Sep 22, 2012 8:52:17 PM UTC> <Error> <oracle.oam.user.identity.provider> <OAMSSA-20023> <Authentication Failure for user : user1.>
<Sep 22, 2012 8:52:17 PM UTC> <Error> <oracle.oam.user.identity.provider> <OAMSSA-20040> <Could not modify user attribute for user : user1, attribute : obLoginTryCount, value : 1 .>
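The counter behaviour in steps 4 to 9 and the administrator's unlock option, as an added example that is not part of the original post or of any Oracle product: a small in-memory model of a user's ob* attributes, the LDIF an administrator would feed to ldapmodify to NULL both attributes, and a scan of ldapsearch-style output to report which users have hit MaxRetryLimit. The ObUser class, the sample DNs and the sample LDIF are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

MAX_RETRY_LIMIT = 5  # MaxRetryLimit from oam-config.xml; 5 is the value shown in the post

@dataclass
class ObUser:
    dn: str
    password: str                        # constructed sample value, for the model only
    obLoginTryCount: int = 0
    oblockouttime: Optional[int] = None  # epoch seconds at which OAM locked the account

    def is_locked(self, max_retry: int = MAX_RETRY_LIMIT) -> bool:
        return self.obLoginTryCount >= max_retry

def attempt_login(user: ObUser, password: str, now: int,
                  max_retry: int = MAX_RETRY_LIMIT) -> str:
    """Apply steps 4, 5 and 7 to one login attempt: 'success', 'failure' or 'locked'."""
    if user.is_locked(max_retry):
        return "locked"                 # even a correct password gets the 'Account is Disabled' page
    if password == user.password:
        user.obLoginTryCount = 0        # step 7: correct password before the limit resets the counter
        return "success"
    user.obLoginTryCount += 1           # step 4: each wrong password adds 1
    if user.obLoginTryCount >= max_retry:
        user.oblockouttime = now        # step 5: limit reached, OAM now treats the account as locked
        return "locked"
    return "failure"

def unlock_ldif(dn: str) -> str:
    """Step 9, first option: LDIF for ldapmodify that removes both attributes (sets them to NULL)."""
    return (f"dn: {dn}\nchangetype: modify\n"
            "delete: obLoginTryCount\n-\n"
            "delete: oblockouttime\n-\n")

def find_locked(ldif_text: str, max_retry: int = MAX_RETRY_LIMIT) -> list:
    """Scan ldapsearch-style LDIF output and return the DNs at or over MaxRetryLimit."""
    locked = []
    for entry in re.split(r"\n\s*\n", ldif_text.strip()):
        attrs = dict(line.split(": ", 1) for line in entry.splitlines() if ": " in line)
        if int(attrs.get("obLoginTryCount", 0)) >= max_retry:
            locked.append(attrs["dn"])
    return locked

# Constructed sample ldapsearch output (not from the post): user1 is locked, user2 is not.
SAMPLE_LDAPSEARCH = """\
dn: cn=user1,cn=Users,dc=example,dc=com
obLoginTryCount: 5
oblockouttime: 1348346537

dn: cn=user2,cn=Users,dc=example,dc=com
obLoginTryCount: 2
"""
```

Running find_locked against real ldapsearch output of the ob* attributes is a cheap periodic check for accounts stuck in the locked state, and the LDIF from unlock_ldif is what an administrator applies with ldapmodify to clear it.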

More on the error "Could not modify user attribute for user obLoginTryCount" and its fix in my next post.


About the Author Atul Kumar

Oracle ACE, Author, Speaker and Founder of K21 Technologies & K21 Academy : Oracle Gold Partner specialising in Design, Implement, and Trainings.



8 comments
Pratima says October 10, 2012

Is webgate 11g supported for OAM-OAAM integration? Also, do we need the IAMsuiteagent for integrating OAM and OAAM.

Reply
pratima says December 3, 2012

Pratima said, on October 10th, 2012 at 4:03 pm: Is webgate 11g supported for OAM-OAAM integration? Also, do we need the IAMsuiteagent for integrating OAM and OAAM.

Reply
Atul Kumar says December 3, 2012

@ Pratima

Q: Is webgate 11g supported for OAM-OAAM integration?
A: Yes.

Q: Do we need the IAMsuiteagent for integrating OAM and OAAM.
A: What do you mean by IAMSuiteAgent? Are you talking about the host identifier in OAM (yes, this is required) or about the WebLogic Authentication Provider (no, this is not required; remove IAMSuite****)?

Reply
rnugooru says July 21, 2013

We are in the process of integrating OAM with IDM.
We created all the necessary groups as per the documentation:
http://docs.oracle.com/cd/E27559_01/integration.1112/e27123/oim.htm#IDMIG4000
OAM, OID & IDM are up and running on three different machines.
SSO is working correctly through the web tier; we are able to protect and unprotect sites.
We started the integration by configuring the Identity Store using OID:
idmConfigTool.sh -preConfigIDStore input_file=configfile
idmConfigTool.sh -prepareIDStore mode=OAM input_file=configfile
idmConfigTool.sh -prepareIDStore mode=OIM input_file=configfile
idmConfigTool.sh -prepareIDStore mode=WLS input_file=configfile

All the above idmConfigTool commands work fine; when we run the following command, we get the OAM MBean Connection error:
idmConfigTool.bat -configOAM input_file=configfile

[oracle@idmhost2 bin]$ ./idmConfigTool.sh -configOAM input_file=/u01/OAMconfigProperty
File Enter ID Store Bind DN password :
Enter User Password for WLSPASSWD:
Confirm User Password for WLSPASSWD:
Enter User Password for OAM11G_OIM_WEBGATE_PASSWD:
Confirm User Password for OAM11G_OIM_WEBGATE_PASSWD:
Enter User Password for IDSTORE_PWD_OAMSOFTWAREUSER:
Confirm User Password for IDSTORE_PWD_OAMSOFTWAREUSER:
Enter User Password for IDSTORE_PWD_OAMADMINUSER:
Confirm User Password for IDSTORE_PWD_OAMADMINUSER:
oracle.idm.automation.exception.ExecutionFailedException: Error while creating OAM MBean Conection
    at oracle.idm.automation.impl.oam.handlers.OAM11gIntegrationHandler.getObjectName(OAM11gIntegrationHandler.java:934)
    at oracle.idm.automation.impl.oam.handlers.OAM11gIntegrationHandler.configOAM11gIdStore(OAM11gIntegrationHandler.java:306)
    at oracle.idm.automation.impl.oam.handlers.OAM11gIntegrationHandler.execute(OAM11gIntegrationHandler.java:696)
    at oracle.idm.automation.AutomationTool.configOAM(AutomationTool.java:593)
    at oracle.idm.automation.AutomationTool.parseCmdLine(AutomationTool.java:218)
    at oracle.idm.automation.AutomationTool.main(AutomationTool.java:132)
There were errors found. Details have been logged to automation.log

Config file details:
WLSHOST: admin.eskribe.com
WLSPORT: 7001
WLSADMIN: weblogic
WLSPASSWD: ******
ADMIN_SERVER_USER_PASSWORD: ******
IDSTORE_HOST: idmhost1.eskribe.com
IDSTORE_PORT: 3060
IDSTORE_BINDDN: cn=orcladmin
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_USERSEARCHBASE: cn=Users,dc=eskribe,dc=com
IDSTORE_SEARCHBASE: dc=eskribe,dc=com
IDSTORE_SYSTEMIDBASE: cn=systemids,dc=eskribe,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=eskribe,dc=com
IDSTORE_OAMSOFTWAREUSER: oam
LDAP IDSTORE_OAMADMINUSER: oamadmin
IDSTORE_DIRECTORYTYPE: OID
POLICYSTORE_SHARES_IDSTORE: true
PRIMARY_OAM_SERVERS: idmhost2.eskribe.com:5575
WEBGATE_TYPE: ohsWebgate11g
ACCESS_GATE_ID: OAM11G_WEBGATE
OAM11G_IDM_DOMAIN_OHS_HOST:admin.eskribe.com
OAM11G_IDM_DOMAIN_OHS_PORT:7777
OAM11G_IDM_DOMAIN_OHS_PROTOCOL:http
OAM11G_WG_DENY_ON_NOT_PROTECTED: false
OAM11G_IMPERSONATION_FLAG: true
OAM_TRANSFER_MODE: open
OAM11G_OAM_SERVER_TRANSFER_MODE: open
OAM11G_IDM_DOMAIN_LOGOUT_URLS: /console/jsp/common/logout.jsp,/em/targetauth/emaslogout.jsp,/oamsso/logout.html,/cgi-bin/logout.pl
OAM11G_OIM_WEBGATE_PASSWD: eSkribe007
OAM11G_SERVER_LOGIN_ATTRIBUTE: uid
COOKIE_DOMAIN: .eskribe.com
OAM11G_IDSTORE_NAME: esk_identityStore
OAM11G_IDSTORE_ROLE_SECURITY_ADMIN: OAMAdministrators
OAM11G_SSO_ONLY_FLAG: false
OAM11G_OIM_INTEGRATION_REQ: true
OAM11G_SERVER_LBR_HOST:admin.eskribe.com
OAM11G_SERVER_LBR_PORT:7777
OAM11G_SERVER_LBR_PROTOCOL:http
COOKIE_EXPIRY_INTERVAL: 120
OAM11G_OIM_OHS_URL:http://admin.eskribe.com:7777/
SPLIT_DOMAIN: false

Reply
    Atul Kumar says July 22, 2013

    @ rnugooru

    What services are running on the IDM host?
    Check the OAM Admin Server log file and paste the error message from the OAM Admin Server here. The error must be reported in the Admin Server log file.

    Reply
rnugooru says July 24, 2013

When you say IDM host, do you mean OAM or IDM?
OAM is running on a separate machine.
OVD-OID are running on one machine.
IDM is running on a separate machine.

The log file oam_server1-diagnostic has the following output (NOTIFICATION-level proxy and authentication-scheme messages; no error lines).


Reply
David Richardson says August 21, 2013

Is it true that a non-null oblockouttime value does NOT determine that a user is locked out, and that this is currently determined only by oblockedon being non-null?

Reply
Tamil Haman says February 12, 2014

Hi,

When the account gets locked, how do you trigger an event, that is, send a notification to the user once the account gets locked?

Reply