Account Lock in OIM, OAM, OAAM, OID & WebLogic 11g because of Failed Login Attempts

When you integrate OAM, OIM, OID and OAAM so that

a) OAM provides Single Sign-On for user login to OIM
b) OAAM provides strong authentication (multi-factor authentication, One Time Password (OTP), Knowledge Based Authentication (KBA))
c) OID is the user store for OAM & OAAM. Users are synced between OIM & OID using libOVD or OVD. More on libOVD in OIM here and here
d) OIM is used for password reset and account unlock

More on how account lock/unlock should work in an integrated environment here (Note: some of the content in this Oracle document is not correct, e.g. "When the number of unsuccessful user login attempts exceeds the value specified in the password policy")

OIM – Oracle Identity Manager
OAM – Oracle Access Manager
OAAM – Oracle Adaptive Access Manager
OID – Oracle Internet Directory
WebLogic – Application Server that runs OIM, OAM & OAAM (OIM, OAM, OAAM and ODSM are Java applications deployed on WebLogic, whereas OID is a C application and does not need an application server)

 

Each component (OID, OIM, OAM, OAAM and WebLogic) has its own setting, with its own default value, for locking an account because of failed login attempts. The counters are independent of each other: the component that actually performs the authentication trips first if its limit is the lowest, while the others keep their own count, so a user can be locked in one component and still unlocked in another.

1) Account Lockout value in Oracle Identity Manager (OIM) (Default value 10):

In OIM this value is defined by the system property Maximum Number of Login Attempts (XL.MaxLoginAttempts), default 10, i.e. in a standalone OIM environment (when authentication happens via the OIM engine) OIM locks the user after 10 failed attempts. This counter only covers logins handled by the OIM engine itself; when OAM does the login via SSO, OIM's counter is not what locks the user.

When a user is locked in OIM, the user's page in the admin console shows an "Unlock Account" action (the screenshot that accompanied this post shows a user who is not locked in OIM, since the "Lock Account" action is offered instead).

 

2) Account Lockout value in Oracle Access Manager (OAM) (Default value 5):

In OAM this value is defined in the OAM configuration file oam-config.xml by the setting MaxRetryLimit, default 5. When a user logs in via the OAM engine with a wrong password, OAM updates two attributes on the user's entry in the LDAP user store (OID here): obLoginTryCount, incremented on every failed attempt, and obLockOutTime, set once the count reaches MaxRetryLimit (the "ob" prefix stands for Oblix, the company Oracle acquired in 2005 and whose product was renamed OAM). Because both attributes are stored on the user entry, you can inspect them, and reset them, with an LDAP search or modify against OID.

 

Note : For Account Lockout in OAM 10g click here

 

3) Account Lockout in Oracle Internet Directory (OID) (Default value 10):

In OID this value is defined by the password policy with DN cn=default, cn=pwdPolicies, cn=Common, cn=Products, cn=OracleContext, dc=[domain], dc=[domain] (attribute pwdMaxFailure, default 10). From OID 10.1.4.3 onwards you can define multiple password policies in OID, so check which policy actually applies to the user's subtree before relying on the default.

  • More on Account Lock/Unlock in OID here

4) Account Lockout in Oracle Adaptive Access Manager (OAAM):

An account can be locked in OAAM if the user gives a wrong answer to the challenge question 3 times (default value 3). This is defined by OAAM rules (more on rules in OAAM later) rather than by a password policy, so the OAAM lock is separate from the password-failure locks in OAM and OID.

 

5) Account Lockout in Oracle WebLogic Server (WLS):

An account can be locked in WebLogic Server when a user logs in via WebLogic's default authenticator and types a wrong password 5 times. This is defined by the User Lockout settings of the WebLogic security realm (Lockout Enabled, Lockout Threshold with default 5, and Lockout Duration with default 30 minutes); there can be multiple security realms in WebLogic but only one can be active at any given time. More on security in WebLogic Server here and here
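To make the "different component, different counter" point concrete, here is an added example (my own code, not from this post or from Oracle) that parses constructed LDIF snapshots of the OID password policy entry and of a user entry, reports the lock state that OAM and OID each derive from them, works out which component on a given authentication path trips first, and builds the ldapmodify LDIF that clears the counters. Assumptions: the DNs (dc=example,dc=com, cn=jdoe) and the snapshot values are made up; the OAM attributes are the obLoginTryCount / obLockOutTime named above; pwdFailureTime / pwdAccountLockedTime are the standard pwdPolicy operational attributes; and orclpwdaccountunlock is taken to be OID's unlock attribute, which you should verify against your OID version before applying the generated LDIF.

```python
"""Which layer locks a user first in an OAM / OIM / OID / WebLogic 11g stack.

Added example (not code from the post or from Oracle): parse constructed LDIF
snapshots, report each component's lock view, and build the unlock LDIF.
"""

# Per-component lockout thresholds quoted in the post (defaults).
DEFAULT_THRESHOLDS = {
    "OIM": 10,   # XL.MaxLoginAttempts (only logins done by the OIM engine)
    "OAM": 5,    # MaxRetryLimit in oam-config.xml
    "OID": 10,   # pwdMaxFailure on cn=default,cn=pwdPolicies,...
    "OAAM": 3,   # wrong challenge-question answers (rule driven)
    "WLS": 5,    # Lockout Threshold of the active security realm
}

# Constructed sample: the OID default password policy entry (DN is made up).
POLICY_LDIF = """\
dn: cn=default,cn=pwdPolicies,cn=Common,cn=Products,cn=OracleContext,dc=example,dc=com
objectclass: pwdPolicy
pwdLockout: 1
pwdMaxFailure: 10
"""

# Constructed sample: a user who just hit OAM's 5-try limit. OAM stamped
# obLockOutTime; OID recorded the same five bind failures but its own limit
# is 10, so OID does not consider the account locked.
USER_LDIF = """\
dn: cn=jdoe,cn=Users,dc=example,dc=com
objectclass: inetOrgPerson
uid: jdoe
obLoginTryCount: 5
obLockOutTime: 1700000000
pwdFailureTime: 20240101100000Z
pwdFailureTime: 20240101100100Z
pwdFailureTime: 20240101100200Z
pwdFailureTime: 20240101100300Z
pwdFailureTime: 20240101100400Z
"""


def parse_ldif_entry(text):
    """Parse one LDIF entry into {lowercased attribute: [values]}.
    Attribute names are case-insensitive in LDAP and OID/OAM tools print them
    in mixed case, so they are lowercased; continuation lines are folded."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def first_int(entry, attr, default=0):
    values = entry.get(attr.lower())
    return int(values[0]) if values else default


def oam_state(user, max_retry=DEFAULT_THRESHOLDS["OAM"]):
    """OAM's view: locked once obLockOutTime is set or the try count hits the limit."""
    tries = first_int(user, "obLoginTryCount")
    locked = "oblockouttime" in user or tries >= max_retry
    return {"tries": tries, "limit": max_retry, "locked": locked}


def oid_state(policy, user):
    """OID's view: one pwdFailureTime per failed bind, compared with pwdMaxFailure."""
    failures = len(user.get("pwdfailuretime", []))
    limit = first_int(policy, "pwdMaxFailure")
    lockout_on = policy.get("pwdlockout", ["0"])[0].upper() in ("1", "TRUE")
    locked = "pwdaccountlockedtime" in user or (
        lockout_on and limit > 0 and failures >= limit)
    return {"failures": failures, "limit": limit, "locked": locked}


def effective_lockout(path, thresholds=DEFAULT_THRESHOLDS):
    """The component on the authentication path with the smallest threshold
    is the one that really locks the user; the others keep counting."""
    component = min(path, key=lambda c: thresholds[c])
    return component, thresholds[component]


def unlock_ldif(user_dn, user):
    """LDIF modify that resets only the counters present on the entry, so
    ldapmodify does not fail on an attribute that was never set.
    orclpwdaccountunlock is assumed to be OID's unlock attribute (verify)."""
    ops = []
    if "oblogintrycount" in user:
        ops.append("replace: obLoginTryCount\nobLoginTryCount: 0")
    if "oblockouttime" in user:
        ops.append("delete: obLockOutTime")
    if "pwdaccountlockedtime" in user or "pwdfailuretime" in user:
        ops.append("replace: orclpwdaccountunlock\norclpwdaccountunlock: 1")
    if not ops:
        return ""
    return f"dn: {user_dn}\nchangetype: modify\n" + "\n-\n".join(ops) + "\n-\n"


if __name__ == "__main__":
    policy = parse_ldif_entry(POLICY_LDIF)
    user = parse_ldif_entry(USER_LDIF)
    print("OAM:", oam_state(user))
    print("OID:", oid_state(policy, user))
    print("locks first on OAM->OID path:", effective_lockout(["OAM", "OID"]))
    print(unlock_ldif(user["dn"][0], user))
```

Run it as-is to see the report for the constructed user: OAM reports the account locked at 5 tries while OID, with the same five failures, is still below its limit of 10, which is exactly why unlocking in one place is not enough. To use it on a real entry, feed parse_ldif_entry the output of an ldapsearch against OID for the policy and the user, and review the generated LDIF before passing it to ldapmodify.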

 

 

  • You can get more information about account lockout in OAM-OIM here

 

How account lock/unlock works in an OAM/OIM/OAAM/OID integrated environment, including the options available to unlock a locked user, in the next post.

 


About the Author: Masroof Ahmad
