Oracle Access Manager cache flush issue

I have come across an issue with Oracle Access Manager and Identity XML and thought its worth sharing. The scenario is that, when you try to modify an user attribute using Identity XML and if you access any resource where the authorization is provided based on that specific attribute value, then it returns an error “Oracle Access Manager Operation Error”.

This means that the attribute updated in identity system (with backend as LDAP) using Identity XML has not been communicated to the Access Server. So when the resource is accessed where the atz is given based on the attribute, the authorization will fail and hence will result with that error. If you have specified an Authorization failure URL, then user will be taken to that URL.

The solution for this issue is to flush the access server as and when the changes happen to the identity system and there should be automatic cache flush between identity and access system.

This is done by changing the parameter value of doAccessServerFlush from ‘false’ to ‘true’ in baseddbparams.xm. This file is located in the directory Identity_server_installation_directory/oblix/data/common.

Also, the cache timeout param values present in the webgates and access gates has to be reduced (for instance, reduce from 1800 to 100), this has to be followed by Identity and Access servers restart.

Refer the Oracle Documentation for this .

About the Author Mahendra

I am engulfed in Oracle Identity & Access Management domain. I have expertise on providing the optimized solutions for user provisioning, web access management, Single Sign-On and federation capabilities etc., I am also well versed with complex integrations within Identity Management and other product domains. I have expertise on building demos and implementation experience on products Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Entitlement Server, Oracle Virtual Directory, Oracle Internet Directory etc., Look @ my blog: http://talkidentity.blogspot.com

Leave a Comment:

5 comments

Bernie Jones says September 5, 2011

This is also a real problem in OAM 11g as there is no way to manually flush the user cache. Changes made directly in OID (for example user group memberships) are not deteced if OAM holds a cache entry for the user and so changes are not picked up by authz policy.

Seems that so far no-one has posted any solution for this problem.

–Bernie

Atul Kumar says September 5, 2011

@ Bernie Jones,

This is from metalink note 1339686.1 How To Refresh The OAM 11g User / Group Membership Cache?

_____
User group memberships are calculated when the user performs OAM SSO login i.e. the OAM user session is created and are cached for the duration of the user’s OAM session.

If you modify an LDAP group directly in the LDAP Server to add a user as a member after they have performed OAM SSO login, the user’s group information will not be refreshed in the OAM Server cached user data until the user either logs out or the OAM session expires and the user subsequently re-authenticates to OAM.

Enhancement Bug 12741260: ER: PUBLISH OAM USER CACHE FLUSH ASDK API FOR CUSTOMER USE is still open for this.

Bernie Jones says September 5, 2011

Thanks Atul, in my testing (11.1.1.3 BP02) however it doesn’t even clear the cache on logout or session delete. The only way is to restart the oam_server.

I’ll be keeping a lookout on metalink for progress on this as it’s a bit of a basic one!

Best regards,

Bernie

pal says October 5, 2011

Hi Mahendra,

Thanks for the above post.

Where is the baseddbparams.xm file exactly? I tried to locate it, but could not find it.

Thanks,
Paul.

Mahendra says October 6, 2011

Hi Paul,

You can locate baseddbparams.xml under Identity_server_installation_directory/oblix/data/common.

-Mahendra.

Add Your Reply