This post covers an environment where OAM, OIM, OID and OAAM are integrated so that:
a) OAM is used as Single Sign-On for user login to OIM
b) OAAM is used for strong authentication (such as multi-factor authentication, One Time Password – OTP, Knowledge Based Authentication – KBA)
c) OID is used as the user store for OAM & OAAM. Users between OIM & OID are synced using libOVD or OVD. More on libOVD in OIM here and here
d) OIM is used for password reset and account unlock
OIM – Oracle Identity Manager
OAM – Oracle Access Manager
OAAM – Oracle Adaptive Access Manager
OID – Oracle Internet Directory
WebLogic – Application Server that runs OIM, OAM & OAAM (OIM, OAM, OAAM and ODSM are Java applications, whereas OID is a C application and does not need an Application Server)
For locking an account because of failed login attempts, each component (OID, OIM, OAM, OAAM, and WebLogic) has its own setting and its own default value:
1) Account Lockout value in Oracle Identity Manager (OIM) (Default value 10):
In OIM this value is defined by the system property Maximum Number of Login Attempts (XL.MaxLoginAttempts), and the default value is 10; i.e. in a standalone OIM environment (when authentication happens via the OIM engine), OIM will lock the user after 10 failed attempts.
When a user is locked in OIM, you should see an “Unlock Account” option. (The current view shows an account that is not locked in OIM, as the option offered is to lock the account.)
2) Account Lockout value in Oracle Access Manager (OAM) (Default value 5) :
In OAM, this value is defined in the OAM configuration file oam-config.xml by the setting MaxRetryLimit, and the value is set to 5. When a user logs in via the OAM engine with a wrong password 5 times, OAM updates two attributes, obLoginTryCount and obLockOutTime. (Ob stands for Oblix, the company that Oracle acquired in 2005, renaming the product as OAM.)
Note : For Account Lockout in OAM 10g click here
3) Account Lockout in Oracle Internet Directory (OID) (Default value 10) :
In OID this value is defined by the password policy DN cn=default, cn=pwdPolicies, cn=Common, cn=Products, cn=OracleContext, dc=[domain], dc=[domain], with a default value of 10. (From OID 10.1.4.3 onwards you can define multiple password policies in OID.)
- More on Account Lock/Unlock in OID here
4) Account Lockout in Oracle Adaptive Access Manager (OAAM) :
An account can be locked in OAAM if the user gives a wrong answer to a challenge question 3 times (default value 3). This is defined by Rules (more on rules in OAAM later).
5) Account Lockout in Oracle WebLogic Server (WLS) :
An account can be locked in WebLogic Server when the user logs in via WebLogic’s default authenticator and types a wrong password 5 times. This is defined in the Security Realm configured for WebLogic (there can be multiple security realms in WebLogic, but only one can be active at any given time). More on security in WebLogic Server here and here
- You can get more information about account lockout in OAM-OIM here
How account lock/unlock works in an OAM/OIM/OAAM/OID integrated environment, including the options available to unlock a locked user, will be covered in the next post.
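To check which accounts OAM has locked or is about to lock, you can audit the obLoginTryCount and obLockOutTime attributes in an LDIF export of user entries from OID. The script below is an added example, not code from the original post or from Oracle. The sample entries and DNs are constructed, and treating the presence of obLockOutTime as "locked" is an assumption based on the description in section 2.

```python
# Added example: audit an LDIF export of user entries for OAM lockout state.
MAX_RETRY_LIMIT = 5  # OAM default MaxRetryLimit stated in the article

# Constructed sample export (not real data); the obLockOutTime value is a
# placeholder and its format is not interpreted by this script.
SAMPLE_LDIF = """\
dn: cn=alice,cn=Users,dc=example,dc=com
cn: alice
obLoginTryCount: 5
obLockOutTime: 1700000000

dn: cn=bob,cn=Users,dc=example,dc=com
cn: bob
obLoginTryCount: 4

dn: cn=carol,cn=Users,dc=example,
 dc=com
cn: carol
"""

def parse_ldif(text):
    """Yield one dict per entry; attribute names lower-cased, folded lines joined."""
    unfolded = text.replace("\n ", "")  # LDIF continuation: newline + one space
    for block in unfolded.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if not line or line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            entry.setdefault(name.strip().lower(), []).append(value.strip())
        if "dn" in entry:
            yield entry

def lockout_report(text, limit=MAX_RETRY_LIMIT):
    """Return {dn: status} where status is 'locked', 'near-limit' or 'ok'."""
    report = {}
    for e in parse_ldif(text):
        tries = int(e.get("oblogintrycount", ["0"])[0])
        if "oblockouttime" in e or tries >= limit:  # assumption: attribute set => locked
            status = "locked"
        elif tries >= limit - 1:
            status = "near-limit"  # one more failed login reaches MaxRetryLimit
        else:
            status = "ok"
        report[e["dn"][0]] = status
    return report

if __name__ == "__main__":
    for dn, status in lockout_report(SAMPLE_LDIF).items():
        print(f"{status:10} {dn}")
```

If MaxRetryLimit has been changed from the default in oam-config.xml, pass the configured value as `limit`.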
2 users commented in " Account Lock in OIM OAM OAAM, OID & WebLogic 11g because of Failed Login Attempts "
“How account lock/unlock works in OAM/OIM/OAAM/OID integrated environment including options available to unlock locked user, in next post”
I am working on an OAM/OIM/OAAM/OID environment where we are assigning different password policies to specific organizations/sets of organizations (we’ve extended org types).
How does one assign different lockout times for the different policies using Design Console?
@ David Richardson,
When you say lockout –
a) Is this lockout because of failed attempts or
b) Lockout because of lifetime (after 180 days) of password
If this is a then that is controlled by OAM and for b this is controlled by OIM.
For Lockout at number of attempts it is system wide property and can’t be controlled for specific organization.
Things are slightly different in OAM 11g R2 (above note is for OAM 11gR1)
Atul