Where are OAM details stored in OIM (account unlock, password reset)

This post covers location of configuration details in OIM (Oracle Identity Manager) related to OAM (Oracle Access Manager).

I was debugging an account unlock issue in OAM (integrated with OIM) where the error message in the OIM output file ($DOMAIN_HOME/servers/oim_server1/logs/) was
_______

<Oct 18, 2011 6:54:52 AM CST> <Error> <Default> <BEA-000000> <Failed to communicate with any of configured Access Server, ensure that it is up and running.>
<Oct 18, 2011 6:54:52 AM CST> <Error> <OAM Autologin Logger> <BEA-000000> <Error while authentication java.lang.Exception: Failed to communicate with any of configured Access Server, ensure that it is up and running.>
<Oct 18, 2011 6:54:52 AM CST> <Error> <oracle.iam.passwordmgmt.impl> <BEA-000000> <INTERNAL ERROR: Autologin failed oracle.iam.sso.exception.AutoLoginException: Error while authentication >
javax.security.auth.login.LoginException: Error while autologin oracle.iam.sso.exception.AutoLoginException: Error while authentication
at oracle.iam.passwordmgmt.utils.PwdMgmtAutologinHelper.doAutologin(PwdMgmtAutologinHelper.java:137)
_______

This problem made me wonder: where are the OAM server details stored in OIM, and at what stage are they written?

If you check my post on idmConfigTool here, OIM configuration is updated with the OAM details when the tool is run with the configOIM option.

OIM stores the OAM details in MDS (the database-backed metadata store) under /db/oim-config.xml. You can export this file from MDS to the file system using the steps mentioned here.

After exporting oim-config.xml from MDS, search for ssoConfig; you should see an entry like

<ssoConfig>
<version>@oamVersion</version>
<accessServerHost>innowave12.com</accessServerHost>
<accessServerPort>5575</accessServerPort>
<accessGateID>Webgate_IDM</accessGateID>
<napVersion>3</napVersion>
<cookieDomain>.com</cookieDomain>
<cookieExpiryInterval>120</cookieExpiryInterval>
<transferMode>OPEN</transferMode>
<webgateType>ohsWebgate10g</webgateType>
<ssoEnabled>true</ssoEnabled>
</ssoConfig>

You can also view this information from the System MBean Browser in FMW Enterprise Manager (/em):

EM -> Identity and Access -> OIM -> oim(11.1.1.3.0) right click -> System MBean Browser

Application Defined MBeans -> oracle.iam -> Application:oim -> XMLConfig -> Config -> XMLConfig.SSOConfig -> SSOConfig


The OAM Access Server (OAM Proxy port) can listen in one of three modes: OPEN, SIMPLE or CERT.

If the OAM server is running in SIMPLE or CERT mode then OIM must also store the truststore (JKS) password and the Global Passphrase. For steps to create the keystore click here (oamclient-truststore.jks and ssoKeystore.jks must be copied to $DOMAIN_HOME/config/fmwconfig).
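As an added example (not code from the original post or from Oracle), the script below parses the ssoConfig element out of an exported oim-config.xml and applies the checks implied by the ssoConfig snippet and the transfer-mode discussion above: the mode must be OPEN, SIMPLE or CERT; a SIMPLE or CERT deployment also needs oamclient-truststore.jks and ssoKeystore.jks under $DOMAIN_HOME/config/fmwconfig, plus the truststore password and global passphrase in the domain credential store. The sample XML is constructed from the snippet above and wrapped in a placeholder root element; the credential-store key names are not given in the post and are not assumed here.

```python
"""Checks on the ssoConfig section of an exported oim-config.xml.

Added example, not code from the original post or from Oracle. The sample XML
is constructed from the post's ssoConfig snippet; the keystore file names and
the $DOMAIN_HOME/config/fmwconfig location are the ones the post names. The
credential-store key names are not given in the post and are not guessed here.
"""
import os
import xml.etree.ElementTree as ET

# Listening modes of the OAM Access Server (OAM Proxy port), per the post.
VALID_MODES = ("OPEN", "SIMPLE", "CERT")

# Keystores that must sit in $DOMAIN_HOME/config/fmwconfig for SIMPLE/CERT mode.
REQUIRED_KEYSTORES = ("oamclient-truststore.jks", "ssoKeystore.jks")

# Constructed sample mirroring the post's exported ssoConfig (wrapped in a
# placeholder root element, since a real MDS export carries more than ssoConfig).
SAMPLE_OIM_CONFIG = """<oimConfig>
  <ssoConfig>
    <version>@oamVersion</version>
    <accessServerHost>innowave12.com</accessServerHost>
    <accessServerPort>5575</accessServerPort>
    <accessGateID>Webgate_IDM</accessGateID>
    <napVersion>3</napVersion>
    <cookieDomain>.com</cookieDomain>
    <cookieExpiryInterval>120</cookieExpiryInterval>
    <transferMode>OPEN</transferMode>
    <webgateType>ohsWebgate10g</webgateType>
    <ssoEnabled>true</ssoEnabled>
  </ssoConfig>
</oimConfig>"""


def parse_sso_config(xml_text):
    """Return the ssoConfig child elements as a {tag: text} dict."""
    root = ET.fromstring(xml_text)
    node = root if root.tag == "ssoConfig" else root.find(".//ssoConfig")
    if node is None:
        raise ValueError("no ssoConfig element in the supplied XML")
    return {child.tag: (child.text or "").strip() for child in node}


def check_sso_config(cfg, domain_home):
    """Return a list of problems that would leave OIM unable to talk to OAM."""
    problems = []
    if cfg.get("ssoEnabled", "").lower() != "true":
        problems.append("ssoEnabled is not true; OIM will not attempt OAM autologin")
    if not cfg.get("accessServerHost"):
        problems.append("accessServerHost is empty; no Access Server to contact")
    port = cfg.get("accessServerPort", "")
    if not (port.isdigit() and 0 < int(port) < 65536):
        problems.append("accessServerPort %r is not a valid TCP port" % port)
    mode = cfg.get("transferMode", "").upper()
    if mode not in VALID_MODES:
        problems.append("transferMode %r is not one of %s" % (mode, "/".join(VALID_MODES)))
    elif mode != "OPEN":
        # SIMPLE and CERT need the client keystores under config/fmwconfig.
        fmwconfig = os.path.join(domain_home, "config", "fmwconfig")
        for name in REQUIRED_KEYSTORES:
            if not os.path.isfile(os.path.join(fmwconfig, name)):
                problems.append("%s mode but %s is missing from %s" % (mode, name, fmwconfig))
    return problems


def required_credentials(cfg, webgate_password_set=False):
    """List the secrets the post says must be in the domain credential store."""
    needed = []
    if cfg.get("transferMode", "").upper() in ("SIMPLE", "CERT"):
        needed.extend(["truststore (JKS) password", "global passphrase"])
    if webgate_password_set:
        needed.append("WebGate instance password")
    return needed


if __name__ == "__main__":
    # Placeholder: set DOMAIN_HOME in the environment to check a real domain.
    domain_home = os.environ.get("DOMAIN_HOME", "/path/to/DOMAIN_HOME")
    cfg = parse_sso_config(SAMPLE_OIM_CONFIG)
    print("Access Server:", cfg["accessServerHost"], cfg["accessServerPort"], cfg["transferMode"])
    for p in check_sso_config(cfg, domain_home):
        print("PROBLEM:", p)
    for c in required_credentials(cfg, webgate_password_set=False):
        print("credential store must hold:", c)
```

To run it against a real export, read the exported oim-config.xml into a string and pass it to parse_sso_config instead of SAMPLE_OIM_CONFIG; the credential-store contents themselves still have to be confirmed in EM or WLST, since the script only reports which secrets the configured mode requires.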

The WebGate instance configured for OIM can also be protected by a password. If a password is set on the WebGate instance protecting OIM, that password must also be stored in OIM.

Note: The truststore password, global passphrase and WebGate password (if set) are stored in the Credential Store of the WebLogic domain on which OIM is deployed.

You can query the credential store via WLST (WebLogic Scripting Tool) or Enterprise Manager:

EM -> Weblogic Domain -> <domain_name> (right click) -> Security -> Credentials -> expand oim

Note: All these credentials and the config (in oim-config.xml) are created automatically (depending on the OAM mode and WebGate password) by idmConfigTool with the configOIM option.

About the Author: Masroof Ahmad
