Oracle Identity Manager (OIM) lets a user assign a proxy to another user, so that when the user is on leave or out of the office, tasks/approvals can be delegated to someone else.

 

  • To assign a proxy in OIM, log in to the Self Service Console: My Profile -> Proxies -> Add Proxy

On adding a proxy, users were getting the error “The add proxy operation for user [user_name] failed with following error oracle.bpel.services.workflow.client.workflowServiceClientException javax.xml.ws.WebServiceException could not determine wsdl ports”

 

When you assign a proxy in OIM 11g, the request is fulfilled by the SOA server (a SOA server is mandatory in OIM 11g). If you hit this error, the first thing to check is that the SOA server is running and that there are no errors in the SOA server log file. In my case the SOA server was running and there were no errors related to the SOA service /soa-infra (the STATE of deployment soa-infra in the WebLogic Console was ACTIVE).

 

The message reported in the OIM server out file was:

_____
<24-Mar-2013 20:47:50 o’clock UTC> <Error> <oracle.iam.configservice.impl> <IAM-3020003> <The attribute PROXY_NAME does not exist!>
<24-Mar-2013 20:47:50 o’clock UTC> <Warning> <oracle.iam.selfservice.self.agentry> <BEA-000000> <IAM-3045001>
<24-Mar-2013 20:47:51 o’clock UTC> <Error> <oracle.iam.identity.usermgmt.impl> <IAM-3050062> <Failed setting proxy in BPEL. The operation will be rolled back.>

_____

The message reported in the OIM Diagnostics log file was:

_____

[2013-03-24T20:47:50.722+00:00] [WLS_OIM2] [NOTIFICATION] [IAM-1010010] [oracle.iam.platform.authz.impl] [tid: [ACTIVE].ExecuteThread: ‘1’ for queue: ‘weblogic.kernel.Default (self-tuning)’] [userId: xelsysadm] [ecid: 004qB7DDy4I7u1W5Lzl3ie00053X000M4O,0:1] [APP: oim#11.1.1.3.0] [URI: /oim/faces/pages/Self.jspx] ********** Entering the Authorization Segment with parameters:: LoggedInUserId = 30, target resourceID = null, Feature = SELF_SERVICE_USER_MANAGEMENT, Action = MODIFY_SELF_USER_PROXY_PROFILE **********

[2013-03-24T20:47:50.722+00:00] [WLS_OIM2] [NOTIFICATION] [IAM-1010033] [oracle.iam.platform.authz.impl] [tid: [ACTIVE].ExecuteThread: ‘1’ for queue: ‘weblogic.kernel.Default (self-tuning)’] [userId: xelsysadm] [ecid: 004qB7DDy4I7u1W5Lzl3ie00053X000M4O,0:1] [APP: oim#11.1.1.3.0] [URI: /oim/faces/pages/Self.jspx] OES Results are not found in cache with Key F: SELF_SERVICE_USER_MANAGEMENTS: 30P: MODIFY_SELF_USER_PROXY_PROFILEOESDefinition

[2013-03-24T20:47:51.696+00:00] [WLS_OIM2] [ERROR] [IAM-3050062] [oracle.iam.identity.usermgmt.impl] [tid: [ACTIVE].ExecuteThread: ‘1’ for queue: ‘weblogic.kernel.Default (self-tuning)’] [userId: xelsysadm] [ecid: 004qB7DDy4I7u1W5Lzl3ie00053X000M4O,0:1] [APP: oim#11.1.1.3.0] [URI: /oim/faces/pages/Self.jspx] Failed setting proxy in BPEL. The operation will be rolled back.

_____

 

Here are some of the questions that came to my mind while troubleshooting this issue:

How does OIM know which SOA server to connect to (where is the SOA server URL defined in OIM)?

Which user does the OIM server use to connect to the SOA server?

Where is the password stored for this user (the one used to connect to the SOA server)?

 

_____

 

The SOA URL is defined in OIM’s Application Defined MBean (oracle.iam -> Server: <oim_server_name>, Application: oim -> XMLConfig -> Config -> XML.Config.SOAConfig -> SOAConfig)

  • The URL used to connect to the SOA server is defined by the attribute SoapURL, and the user used to connect is defined by the attribute Username.
Note: If you have two or more SOA servers (for high availability), deploy a load balancer in front of the SOA servers and change SoapURL to point to the load balancer URL.

 

  • The password for the username defined above is stored in the credential store of OIM (Map: OIM; Key: SOAAdminPassword)
Note: Credential Store and Policy Store are briefly covered in my book OIM/OAM 11g for Administrators (available on Amazon)

 

 

 

Root Cause: In my case the SOA URL (defined by the SoapURL property) was not reachable from the OIM server (blocked by a firewall).
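
The reachability check behind this root cause, written out as an added example (not code from the original post or from Oracle): run from the OIM host, it classifies a TCP connection attempt to the host and port in SoapURL so that a firewall drop can be told apart from a stopped listener or a DNS problem. The function names, the default URL and the assumption that SoapURL is an http(s) URL are illustrative.

```python
import socket
import sys
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def soap_endpoint(soap_url):
    """Return (host, port) for a SoapURL value such as http://soahost:8001."""
    parts = urlsplit(soap_url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError("expected http(s)://host[:port], got %r" % soap_url)
    return parts.hostname, parts.port or DEFAULT_PORTS[parts.scheme]


def check_soa_reachable(soap_url, timeout=5.0):
    """Classify a TCP connect from this host to the SOA endpoint.

    Returns (status, detail); status is one of:
      reachable   - handshake completed, so the network path is open
      dns_failure - the host name does not resolve from this machine
      refused     - host answered but nothing listens on that port
      timeout     - no answer at all, typical of a firewall silently dropping
      error       - any other socket error (e.g. no route to host)
    """
    host, port = soap_endpoint(soap_url)
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "reachable", "%s:%d accepted the connection" % (host, port)
    except socket.gaierror as exc:
        return "dns_failure", str(exc)
    except ConnectionRefusedError as exc:
        return "refused", str(exc)
    except socket.timeout as exc:
        return "timeout", str(exc)
    except OSError as exc:
        return "error", str(exc)


if __name__ == "__main__":
    # Pass the SoapURL attribute value from the SOAConfig MBean as argument 1.
    # The fallback below is a constructed placeholder, not a real server.
    url = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:8001"
    status, detail = check_soa_reachable(url, timeout=3.0)
    print("%s -> %s (%s)" % (url, status, detail))
```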

 
