Account Lock in OIM OAM OAAM, OID & WebLogic 11g because of Failed Login Attempts

When you integrate OAM, OIM, OID and OAAM so that:

a) OAM is used as Single Sign-On for user login to OIM
b) OAAM is used for strong authentication (like multi-factor authentication, One Time Password – OTP, Knowledge Based Authentication – KBA)
c) OID is used as the user store for OAM & OAAM. Users between OIM & OID are synced using libOVD or OVD. More on libOVD in OIM here and here
d) OIM is used for password reset and account unlock

More on how account lock/unlock should work in an integrated environment here (Note: some of the content in this Oracle document is not correct, e.g. “When the number of unsuccessful user login attempts exceeds the value specified in the password policy”)

OIM – Oracle Identity Manager
OAM – Oracle Access Manager
OAAM – Oracle Adaptive Access Manager
OID – Oracle Internet Directory
WebLogic – Application Server that runs OIM, OAM & OAAM (OIM, OAM, OAAM and ODSM are Java applications, whereas OID is a C application and does not need an Application Server)

 

For locking an account (because of failed attempts), each component (OID, OIM, OAM, OAAM and WebLogic) has its own setting and its own default value:

1) Account Lockout value in Oracle Identity Manager (OIM) (Default value 10):

In OIM this value is defined by the system property Maximum Number of Login Attempts (XL.MaxLoginAttempts), and the default value is 10, i.e. in a standalone OIM environment (when authentication happens via the OIM engine), OIM will lock the user after 10 failed attempts.

When a user gets locked in OIM, you should see an “Unlock Account” option (the screenshot referred to here shows an account that is not locked in OIM, which is why the option to lock the account is visible instead).

 

2) Account Lockout value in Oracle Access Manager (OAM) (Default value 5):

In OAM, this value is defined in the OAM configuration file oam-config.xml by the setting MaxRetryLimit, and its value is set to 5. When a user logs in via the OAM engine with a wrong password 5 times, OAM updates two attributes on the user entry: obLoginTryCount and obLockOutTime (the “ob” prefix stands for Oblix, the company that Oracle acquired in 2005 and whose product was renamed OAM).

 

Note: for account lockout in OAM 10g, click here.

 

3) Account Lockout in Oracle Internet Directory (OID) (Default value 10):

In OID this value is defined by the password policy with DN cn=default, cn=pwdPolicies, cn=Common, cn=Products, cn=OracleContext, dc=[domain], dc=[domain], with a default value of 10. (From OID 10.1.4.3 onwards you can define multiple password policies in OID.)

  • More on Account Lock/Unlock in OID here

4) Account Lockout in Oracle Adaptive Access Manager (OAAM):

An account can be locked in OAAM if the user types a wrong answer to a challenge question 3 times (default value 3). This is defined by rules (more on rules in OAAM later).

 

5) Account Lockout in Oracle WebLogic Server (WLS):

An account can be locked in WebLogic Server when a user logs in via WebLogic’s default authenticator and types a wrong password 5 times. This is defined in the Security Realm configured for WebLogic (there can be multiple security realms in WebLogic, but only one can be active at any given time). More on security in WebLogic Server here and here
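To make the point of this list concrete, here is an added Python audit script (not from the post or from any Oracle tool) that pulls the failed-login lockout threshold out of each password-based component's configuration and reports which component will lock a user first. Only the names XL.MaxLoginAttempts and MaxRetryLimit come from the post; the oam-config.xml and WebLogic config.xml fragments, the OID pwdMaxFailure attribute name and all the values are constructed assumptions about the file layouts, so adjust the parsers to match your own exports. OAAM is left out of the comparison because its count applies to challenge answers, not passwords.

```python
# Added example, not from the original post: collect the lockout threshold of
# each component from constructed configuration fragments and compare them.
import re
import xml.etree.ElementTree as ET

# Constructed inputs (assumed layouts, not copied from real Oracle files).
OIM_PROPERTIES = "XL.MaxLoginAttempts=10\n"          # OIM system property export
OAM_CONFIG_XML = """<Setting Name="Common" Type="htf:map">
  <Setting Name="MaxRetryLimit" Type="xsd:integer">5</Setting>
</Setting>"""                                        # oam-config.xml fragment
OID_PWDPOLICY_LDIF = """\
dn: cn=default,cn=pwdPolicies,cn=Common,cn=Products,cn=OracleContext,dc=example,dc=com
pwdMaxFailure: 10
"""                                                  # OID password policy entry
WLS_CONFIG_XML = """<realm>
  <name>myrealm</name>
  <user-lockout-manager>
    <lockout-threshold>5</lockout-threshold>
  </user-lockout-manager>
</realm>"""                                          # config.xml fragment (namespaces stripped)


def oim_threshold(props):
    """XL.MaxLoginAttempts from a key=value properties dump, or None."""
    m = re.search(r"^XL\.MaxLoginAttempts\s*=\s*(\d+)", props, re.M)
    return int(m.group(1)) if m else None


def oam_threshold(xml_text):
    """MaxRetryLimit from an oam-config.xml Setting tree, or None."""
    for el in ET.fromstring(xml_text).iter("Setting"):
        if el.get("Name") == "MaxRetryLimit":
            return int(el.text)
    return None


def oid_threshold(ldif_text):
    """pwdMaxFailure (assumed attribute name) from the pwdPolicy entry, or None."""
    m = re.search(r"^pwdMaxFailure:\s*(\d+)", ldif_text, re.M)
    return int(m.group(1)) if m else None


def wls_threshold(xml_text):
    """lockout-threshold of the realm's user lockout manager, or None.
    Real config.xml files carry wls:/sec: namespaces; strip or map them first."""
    el = ET.fromstring(xml_text).find(".//user-lockout-manager/lockout-threshold")
    return int(el.text) if el is not None else None


def collect_thresholds():
    """Gather the failed-password lockout threshold of every component."""
    return {
        "OIM": oim_threshold(OIM_PROPERTIES),
        "OAM": oam_threshold(OAM_CONFIG_XML),
        "OID": oid_threshold(OID_PWDPOLICY_LDIF),
        "WebLogic": wls_threshold(WLS_CONFIG_XML),
    }


def first_to_lock(thresholds):
    """Return (lowest threshold, components at that threshold): whichever
    engine handles the login, the smallest value is what users actually hit."""
    lowest = min(v for v in thresholds.values() if v is not None)
    return lowest, sorted(k for k, v in thresholds.items() if v == lowest)


if __name__ == "__main__":
    found = collect_thresholds()
    for component, value in found.items():
        print(f"{component:9s} lockout after {value} failed attempts")
    lowest, who = first_to_lock(found)
    print(f"first to lock: {', '.join(who)} at {lowest} attempts")
```

With the constructed values the script reports that OAM and WebLogic lock at 5 attempts while OIM and OID lock at 10, which is exactly the kind of spread that makes a user appear locked in one component and unlocked in another.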

  • You can get more information about account lockout in OAM-OIM here

 

How account lock/unlock works in an OAM/OIM/OAAM/OID integrated environment, including the options available to unlock a locked user, will be covered in the next post.


About the Author Atul Kumar

Oracle ACE, Author, Speaker and Founder of K21 Technologies & K21 Academy : Specialising in Design, Implement, and Trainings.

4 comments
David Richardson says December 4, 2012

“How account lock/unlock works in OAM/OIM/OAAM/OID integrated environment including options available to unlock locked user, in next post”

I am working on an OAM/OIM/OAAM/OID environment where we are assigning different password policies to specific organizations/sets of organizations (we’ve extended org types).

How does one assign different lockout times for the different policies using Design Console?

Atul Kumar says December 5, 2012

@ David Richardson,

When you say lockout –
a) Is this lockout because of failed attempts or
b) Lockout because of lifetime (after 180 days) of password

If this is a then that is controlled by OAM and for b this is controlled by OIM.

For Lockout at number of attempts it is system wide property and can’t be controlled for specific organization.

Things are slightly different in OAM 11g R2 (above note is for OAM 11gR1)

Atul

sunil says January 6, 2014

Hi Atul,
I have manually entered the wrong answer for the user challenge question so that it gets locked, but when I tried to find the status of the user using the VCryptUser.isLocked() method it shows me false. The expected result is true. When I log in to the OAAM_ADMIN server I can see the session of the user and the user is LOCKED. How can I find whether a user is locked or blocked using APIs? Any input will be very helpful.

Thanks,
Sunil Sharma

Tamil Haman says February 12, 2014

Hi,

When the account gets locked, how do I trigger an event, which means sending a notification to the user once the account gets locked?
