13 Replies Latest reply: Dec 13, 2012 9:44 PM by Kevin Pinsky

    OIM 11g OIm & soa server

    880250
      Hi All,
      I installed OIM11gr2 on RHEL x64. I tried to assign roles to users, and approvals have been sent to xelsysadm. I'm trying to approve pending approvals and OIM is trying the SOA server on SSL port 8002 instead of non-SSL port 8001.

      On soa_server1, I'm getting the message below.

      UNKNOWN_CA alert received from 192.168.14.2 - 192.168.14.2. The peer is rejecting the certificate chain as being untrusted or incomplete.


      Kindly let me know how to make oim server to contact soa server on non-ssl port.

      Regards,
      Krish.
        • 1. Re: OIM 11g OIm & soa server
          Nishith Nayan
          Hope other software is running on the same machine which is stopping OIM. It may be some Anti Virus or any. Make sure you kill all the processes except OIM and DB.

          Even try changing JDK version if above doesn't work
          • 2. Re: OIM 11g OIm & soa server
            idamGod
            Two solutions for this.

            1) You need to disable ssl port for soa & oim by logging into weblogic console and restart them.
            2) Try this in firefox browser, it will ask you to add exception related to certificate and trust it. You should be able to approve even on ssl port in this case.
            • 3. Re: OIM 11g OIm & soa server
              880250
              Hi,

              If I disable SSL ports, web applications deployment fails. I have done a fresh installation on Windows but the same issue repeated.

              I have created one cluster in which oim_server1(14000/14001) and soa_server1(8001/8002) are assigned.

              Below is the error I'm getting:

              The webpage at https://win11gr2:8002/identity/faces/adf.task-flow?bpmWorklistTaskId=cf63dd9f-e2b7-42e8-946b-3b04fedf8319&bpmWorklistContext=9cbf9d78-e4bd-4650-80aa-22228b5b8315%3B%3B5uPzXYlnSV%2BGY3PGn1hbwvhkwJBwgxA%2FRQQVa3Rrp%2FkggbWCdKuRELOCd%2Fk%2BTbXM9gA29hz8Q%2F39IOdkRgZcDoklzwOJ8z2HgpEqs1MIdUgfX0qhOWK%2BbQdsxFW%2FW20YpOeixUtOdNx1vPeh7fWkC8pkRBPfMz09Ypl2ufpjOaF27DPQ7FhRQB477eOgiM2ynu2ps2FXHZtmi6BxaeGrDH2IhbhOBW4MRaAToqW1uaObFj8s%2BYlBX%2FLfWqiWMG1d&bpmWorklistHttpURL=http%3A%2F%2F192.168.14.4%3A14000%2Fidentity%2Ffaces&bpmWorklistHome=home.jspx&bpmWorklistReassign=reassignTask.jspx&bpmWorklistRoute=routeTask.jspx&bpmWorklistRequestInfo=requestInfo.jspx&bpmWorklistSecurity=signTask.jspx&tz=Asia%2FCalcutta&lg=en&cy=US&vr=&dispNameLg=en&dispNameCy=US&dispNameVr=&df=medium&dt=both&tf=short&bpmWorklistSessionTimeoutInterval=2100&soaUrl=https%3A%2F%2Fwin11gr2%3A14001&bpmBrowserWindowStatus=taskFlowReturn&adf.tfDoc=%2FWEB-INF%2FApprovalTask_TaskFlow.xml&adf.tfId=ApprovalTask_TaskFlow&_task-flow-return=http%3A%2F%2F192.168.14.4%3A14000%2Fidentity%2Ffaces%2Fadf.task-flow-return%3F_adf.ctrl-state%3D15hm1209mp_450&_adf.winId=15hm1209mp_441&_afrLoop=7584567473729 might be temporarily down or it may have moved permanently to a new web address.
              Error 501 (net::ERR_INSECURE_RESPONSE): Unknown error.

              Please help me.

              Regards,
              Krish
              • 4. Re: OIM 11g OIm & soa server
                880250
                Hi All,

                OIM is running on port *14000* but when I click on a pending approval item, a popup is coming which is trying to contact SOA port *8002* and accessing identity.

                Please help me on this.


                Regards,
                Krish
                • 5. Re: OIM 11g OIm & soa server
                  Kevin Pinsky
                  You can change the port being used by exporting /db/oim-config.xml file and changing the target for the soapurl to be the non ssl. Then import and restart.

                  -Kevin
                  • 6. Re: OIM 11g OIm & soa server
                    idamGod
                    Take a look on the Metalink ID: 1502680.1 as well.
                    • 7. Re: OIM 11g OIm & soa server
                      880250
                      Hi Kevin,

                      It would be great if you provide steps or a link.

                      Thanks a lot.

                      Regards,
                      Krish
                      • 8. Re: OIM 11g OIm & soa server
                        Kevin Pinsky
                        It's all available in the documentation. Just do some searching for oim-config.xml. I can't provide all the direct answers or you won't ever learn anything.

                        -Kevin
                        • 9. Re: OIM 11g OIm & soa server
                          880250
                          Kevin Pinsky wrote:
                          It's all available in the documentation. Just do some searching for oim-config.xml. I can't provide all the direct answers or you won't ever learn anything.

                          -Kevin
                          Hi Kevin,

                          I have exported oim-config.xml. Please check and correct if anything is wrong.

                          <?xml version='1.0' encoding='UTF-8'?>
                          <xmlConfig xmlns="http://www.oracle.com/schema/oracle/iam/platform/config" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.oracle.com/schema/oracle/iam/platform/config oim-config.xsd ">
                          <discoveryConfig>
                          <directDBConfigParams driver="oracle.jdbc.OracleDriver" url="jdbc:oracle:thin:@domain:1521/orcl" username="dev_oim" passwordKey="OIMSchemaPassword" checkoutTimeout="1200" idleTimeout="360" maxCheckout="1000" maxConnections="5" sslEnabled="false" connectionFactoryClassName="oracle.jdbc.pool.OracleDataSource" validateConnectionOnBorrow="true" minConnections="2" connectionPoolName="OIM_JDBC_UCP">
                          <SSLConfig dBTrustStore="default-keystore.jks" dBTrustStorePasswordKey="default-keystore.jks" dBTrustStoreType="JKS"/>
                          <connectionProperties/>
                          </directDBConfigParams>
                          <bIPublisherURL>http://localhost:9704</bIPublisherURL>
                          <oimFrontEndURL>http://win11gr2:14000</oimFrontEndURL>
                          <oimJNDIURL>@oimJNDIURL</oimJNDIURL>
                          <backOfficeURL/>
                          </discoveryConfig>
                          <cacheConfig clustered="false" enabled="false" expirationTime="144000" provider="oracle.iam.platform.utils.cache.OSCacheProvider" threadLocalCacheEnabled="false">
                          <cacheCategoriesConfig>
                          <cacheCategoryConfig name="DataObjectEventHandlers" enabled="false" expirationTime="14400"/>
                          <cacheCategoryConfig name="ProcessDefinition" enabled="false" expirationTime="14400"/>
                          <cacheCategoryConfig name="EmailDefinition" enabled="false" expirationTime="14400"/>
                          <cacheCategoryConfig name="RuleDefinition" enabled="true" expirationTime="14400"/>
                          <cacheCategoryConfig name="FormDefinition" enabled="false" expirationTime="14400"/>
                          <cacheCategoryConfig name="ColumnMap" enabled="true" expirationTime="14400"/>
                          <cacheCategoryConfig name="UserDefinedColumns" enabled="false" expirationTime="14400"/>
                          <cacheCategoryConfig name="ObjectDefinition" enabled="false" expirationTime="14400"/>
                          <cacheCategoryConfig name="StoredProcAPI" enabled="false" expirationTime="600"/>
                          <cacheCategoryConfig name="NoNeedToFlush" enabled="true" expirationTime="-1"/>
                          <cacheCategoryConfig name="MetaData" enabled="true" expirationTime="14400"/>
                          <cacheCategoryConfig name="User" enabled="true" expirationTime="14400"/>
                          <cacheCategoryConfig name="AdapterInformation" enabled="false" expirationTime="14400"/>
                          <cacheCategoryConfig name="OrgnizationName" enabled="true" expirationTime="14400"/>
                          <cacheCategoryConfig name="Reconciliation" enabled="true" expirationTime="14400"/>
                          <cacheCategoryConfig name="SystemProperties" enabled="true" expirationTime="14400"/>
                          <cacheCategoryConfig name="LookupDefinition" enabled="false" expirationTime="14400"/>
                          <cacheCategoryConfig name="UserGroups" enabled="false" expirationTime="14400"/>
                          <cacheCategoryConfig name="LookupValues" enabled="false" expirationTime="14400"/>
                          <cacheCategoryConfig name="ITResourceKey" enabled="false" expirationTime="14400"/>
                          <cacheCategoryConfig name="RecordExists" enabled="false" expirationTime="14400"/>
                          <cacheCategoryConfig name="ServerProperties" enabled="true" expirationTime="14400"/>
                          <cacheCategoryConfig name="ColumnMetaData" enabled="false" expirationTime="14400"/>
                          <cacheCategoryConfig name="API" enabled="false" expirationTime="14400"/>
                          <cacheCategoryConfig name="Catalog" enabled="true" expirationTime="14400"/>
                          <cacheCategoryConfig name="CustomResourceBundle" enabled="true" expirationTime="-1"/>
                          <cacheCategoryConfig name="CustomDefaultBundle" enabled="true" expirationTime="-1"/>
                          <cacheCategoryConfig name="ConnectorResourceBundle" enabled="true" expirationTime="-1"/>
                          <cacheCategoryConfig name="LinguisticSort" enabled="true" expirationTime="-1"/>
                          <cacheCategoryConfig name="GenericConnector" enabled="false" expirationTime="14400"/>
                          <cacheCategoryConfig name="GenericConnectorProviders" enabled="false" expirationTime="-1"/>
                          <cacheCategoryConfig name="AccessPolicyDefinition" enabled="false" expirationTime="14400"/>
                          <cacheCategoryConfig name="UserConfig" enabled="true" expirationTime="-1"/>
                          <cacheCategoryConfig name="OESDefinition" enabled="true" expirationTime="14400"/>
                          <cacheCategoryConfig name="RoleContainerToDescrMap" enabled="true" expirationTime="-1"/>
                          <cacheCategoryConfig name="PluginFramework" enabled="true" expirationTime="14400"/>
                          <cacheCategoryConfig name="CallbackConfiguration" enabled="true" expirationTime="14400"/>
                          <cacheCategoryConfig name="SchedulerTaskDefinition" enabled="true" expirationTime="14400"/>
                          <cacheCategoryConfig name="UserStatus" enabled="true" expirationTime="14400"/>
                          <cacheCategoryConfig name="LocaleCodeLanguageMapping" enabled="true" expirationTime="14400"/>
                          <cacheCategoryConfig name="TenantRegistry" enabled="true" expirationTime="14400"/>
                          <cacheCategoryConfig name="LocalizedResource" enabled="true" expirationTime="14400"/>
                          </cacheCategoriesConfig>
                          <xLCacheProviderProps multicastAddress="236.17.242.46" size="5000">
                          <properties/>
                          </xLCacheProviderProps>
                          </cacheConfig>
                          <pluginConfig storeType="common">
                          <storeConfig reloadingEnabled="true" reloadingInterval="20"/>
                          </pluginConfig>
                          <schedulerConfig DSJndiURL="jdbc/operationsDB" nonTxnDSJndiURL="jdbc/oimJMSStoreDS" clustered="true" databaseDelegate="org.quartz.impl.jdbcjobstore.StdJDBCDelegate" implementationClass="oracle.iam.scheduler.impl.quartz.QuartzSchedulerImpl" instanceID="AUTO" quartzTablePrefix="QRTZ92_" startOnDeploy="true" threadPoolSize="10" dataBasePoolSize="10" multicastAddress="234.175.78.74" schedulerUser="oiminternal">
                          <pluggableParams>
                          <PluggableParam parameterName="ITResource" value="oracle.iam.pluggabletaskparamsupport.impl.ITResourceLookupImpl"/>
                          </pluggableParams>
                          <properties/>
                          </schedulerConfig>
                          <cryptoConfigParams>
                          <HashingAlgorithm>SHA-256</HashingAlgorithm>
                          <PKIProviderConfigParams signatureAlgorithm="SHA1withRSA" signatureProvider="sun.security.rsa.SunRsaSign" pKIProviderName="com.thortech.xl.crypto.tcDefaultSignatureImpl">
                          <keyStoreConfigParams provider="sun.security.rsa.SunRsaSign" type="JKS" name="default-keystore.jks"/>
                          <KeysConfigParams>
                          <keyConfigParams alias="xell" blockMode="" name="xell" padding=""/>
                          </KeysConfigParams>
                          </PKIProviderConfigParams>
                          <symmetricProviderConfig signatureAlgorithm="SHA1withDSA" signatureProvider="sun.security.rsa.SunRsaSign" verifySigner="false" symmetricProviderName="com.thortech.xl.crypto.tcDefaultDBEncryptionImpl">
                          <keyStoreConfigParams provider="com.sun.crypto.provider.SunJCE" type="JCEKS" name=".xldatabasekey"/>
                          <KeysConfigParams>
                          <keyConfigParams alias="DataBaseKey" blockMode="CBC" name="DBSecretKey" padding="PKCS5Padding"/>
                          </KeysConfigParams>
                          </symmetricProviderConfig>
                          </cryptoConfigParams>
                          <ADPClassLoaderConfig adapterReloadingEnabled="true" loadingStyle="ParentFirst" reloadInterval="15" reloadingEnabled="true">
                          <javaTaskDirectory>JavaTasks</javaTaskDirectory>
                          <thirdPartyDirectory>ThirdParty</thirdPartyDirectory>
                          <scheduleTaskDirectory>ScheduleTask</scheduleTaskDirectory>
                          <integrationsDirectory>XLIntegrations</integrationsDirectory>
                          <adapterDirectory>adapters</adapterDirectory>
                          <eventHandlerDirectory>EventHandlers</eventHandlerDirectory>
                          <icfIntgDirectory>icf/intg</icfIntgDirectory>
                          <properties/>
                          </ADPClassLoaderConfig>
                          <loginMapper>oracle.iam.platform.auth.impl.DefaultMapper</loginMapper>
                          <runAsUser>internal</runAsUser>
                          <deploymentConfig>
                          <appServerName>weblogic</appServerName>
                          <initialContextFactory>weblogic.jndi.WLInitialContextFactory</initialContextFactory>
                          <dataBaseType>oracle</dataBaseType>
                          <deploymentMode>simple</deploymentMode>
                          </deploymentConfig>
                          <miscellaneousConfig>
                          <properties>
                          <property name="SecurityLevel" value="0"/>
                          <property name="EncodeInput" value="true"/>
                          </properties>
                          </miscellaneousConfig>
                          <ssoConfig>
                          <version>@oamVersion</version>
                          <accessServerHost>@oamAccessServerHost</accessServerHost>
                          <accessServerPort>@oamAccessServerPort</accessServerPort>
                          <accessGateID>IdentityManagerAccessGate</accessGateID>
                          <napVersion>3</napVersion>
                          <cookieDomain>@oamCookieDomain</cookieDomain>
                          <cookieExpiryInterval>120</cookieExpiryInterval>
                          <transferMode>OPEN</transferMode>
                          <webgateType>javaWebgate</webgateType>
                          <ssoEnabled>false</ssoEnabled>
                          <tapEndpointUrl>@tapEndpointUrl</tapEndpointUrl>
                          </ssoConfig>
                          <callbackOwsmSecurityPolicy>oracle/wss_username_token_client_policy</callbackOwsmSecurityPolicy>
                          <SOAConfig>
                          <username>weblogic</username>
                          <passwordKey>SOAAdminPassword</passwordKey>
                          <type>rmi</type>
                          *<soapurl>http://win11gr2:14000</soapurl>*
                          *<rmiurl>t3://win11gr2:14000,win11gr2:8001,win11gr2:14600</rmiurl>*
                          </SOAConfig>
                          <oaacgConfig>
                          <host>@oaacghost</host>
                          <port>@oaacgport</port>
                          <username>@oaacgadminusername</username>
                          <passwordKey>OAACGAdminPassword</passwordKey>
                          <serviceURL>@oaacgserviceurl</serviceURL>
                          <responseTimeout>240</responseTimeout>
                          <fusionAdapterDatasourceName>@faDataSrcName</fusionAdapterDatasourceName>
                          <compositeName>default/OAACGRoleAssignSODCheck!1.0</compositeName>
                          <sodEnabled>false</sodEnabled>
                          </oaacgConfig>
                          <remoteManagerConfig>
                          <SSLContextAlgorithm>TLS</SSLContextAlgorithm>
                          <KeyManagerFactory>SUNX509</KeyManagerFactory>
                          </remoteManagerConfig>
                          <OAMConfig>
                          <XEEnabled>true</XEEnabled>
                          </OAMConfig>
                          </xmlConfig>


                          Regards,
                          Krish
                          • 10. Re: OIM 11g OIm & soa server
                            880250
                            Srini Bellamkonda wrote:
                            Take a look on the Metalink ID: 1502680.1 as well.
                            Hi Srini,

                            I followed the Metalink document; now it is showing a blank popup. Earlier, it was trying to reach the server on 8002.

                            In soa server logs

                            Dec 13, 2012 11:10:16 AM IST> <Warning> <HTTP Session> <BEA-100094> <The session id: TTMNQJqF9vyhjvXg9k62xhHp6Xt3CQVYXjK20gCzJrkV63yPGWrS has been accessed f
                            om -8872684280673458796S::192.168.14.4:14000,192.168.14.4:8001,92.168.14.4:14600:oimdomain:soa_server1, a server that is not the primary (-454235376631138036
                            S:192.168.14.4:[14000,14000,-1,-1,-1,-1,-1]:192.168.14.4:14000,192.168.14.4:8001,92.168.14.4:14600:oimdomain:oim_server1). The request URL was: http://null:0/identity/faces/adf.task-flow>


                            In OIM server logs

                            6S:192.168.14.4:[8001,8001,-1,-1,-1,-1,-1]:192.168.14.4:14000,192.168.14.4:8001,92.168.14.4:14600:oimdomain:soa_server1). The request URL was: https://null:14001/identity/faces/home>


                            Regards,
                            Krish
                            • 11. Re: OIM 11g OIm & soa server
                              880250
                              Hi Srini,

                              I have followed the given Metalink and tried to access OIM with the hostname which was used at the time of configuration. The issue is resolved on IE, but on Chrome and Firefox it still exists.


                              Thanks

                              Regards,
                              Krish
                              • 12. Re: OIM 11g OIm & soa server
                                idamGod
                                Did you disable SSL ports?

                                Disable ssl ports (oim & soa only but not on admin server) and try again. It should resolve your issue.
                                • 13. Re: OIM 11g OIm & soa server
                                  Kevin Pinsky
                                  This is not correct:

                                  <soapurl>http://win11gr2:14000</soapurl>
                                  <rmiurl>t3://win11gr2:14000,win11gr2:8001,win11gr2:14600</rmiurl>

                                  These need to be your SOA server(s):

                                  <soapurl>http://win11gr2:8001</soapurl>
                                  <rmiurl>t3://win11gr2:8001</rmiurl>

                                  They are not your oim servers.

                                  -Kevin
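
The correction in reply 13 can be checked mechanically before re-importing the file. The following is an added example, not code from the thread or from Oracle: it parses the `SOAConfig` block of an exported oim-config.xml and flags `soapurl`/`rmiurl` entries that point at OIM listen ports, at ports not known to belong to SOA, or that pair an SSL scheme with a non-SSL port (or the reverse). The port tables come from the thread (oim_server1 14000/14001, soa_server1 8001/8002); the function names and the trimmed sample documents are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"c": "http://www.oracle.com/schema/oracle/iam/platform/config"}

# Listen ports as stated in the thread: port -> True if it is the SSL port.
OIM_PORTS = {14000: False, 14001: True}
SOA_PORTS = {8001: False, 8002: True}
SECURE_SCHEMES = {"https", "t3s"}

# Constructed sample: only the SOAConfig part of the exported file.
TEMPLATE = """<xmlConfig xmlns="http://www.oracle.com/schema/oracle/iam/platform/config">
  <SOAConfig>
    <username>weblogic</username>
    <passwordKey>SOAAdminPassword</passwordKey>
    <type>rmi</type>
    <soapurl>{soapurl}</soapurl>
    <rmiurl>{rmiurl}</rmiurl>
  </SOAConfig>
</xmlConfig>"""

AS_POSTED = TEMPLATE.format(
    soapurl="http://win11gr2:14000",
    rmiurl="t3://win11gr2:14000,win11gr2:8001,win11gr2:14600")
AS_CORRECTED = TEMPLATE.format(
    soapurl="http://win11gr2:8001", rmiurl="t3://win11gr2:8001")


def soa_endpoints(xml_text):
    """Yield (tag, scheme, host, port) for every address listed in SOAConfig."""
    soa = ET.fromstring(xml_text).find("c:SOAConfig", NS)
    if soa is None:
        raise ValueError("no <SOAConfig> element found")
    for tag in ("soapurl", "rmiurl"):
        value = soa.findtext(f"c:{tag}", default="", namespaces=NS).strip()
        scheme, sep, rest = value.partition("://")
        if not sep:
            # Empty value or an unreplaced placeholder such as "@soapurl"
            yield (tag, "", value, None)
            continue
        # rmiurl may carry a comma-separated list of host:port pairs
        for hostport in rest.split(","):
            addr = hostport.strip().split("/")[0]
            host, _, port = addr.rpartition(":")
            if port.isdigit():
                yield (tag, scheme.lower(), host, int(port))
            else:
                yield (tag, scheme.lower(), addr, None)


def check_soa_config(xml_text):
    """Return a list of human-readable findings; empty means nothing flagged."""
    findings = []
    for tag, scheme, host, port in soa_endpoints(xml_text):
        where = f"{tag} {host}:{port}"
        if port is None:
            findings.append(f"{tag}: no usable host:port in {host!r}")
        elif port in OIM_PORTS:
            findings.append(f"{where}: OIM listen port, not a SOA server")
        elif port not in SOA_PORTS:
            findings.append(f"{where}: not a known SOA listen port")
        elif (scheme in SECURE_SCHEMES) != SOA_PORTS[port]:
            findings.append(f"{where}: scheme {scheme} does not match the port's SSL setting")
    return findings


if __name__ == "__main__":
    for label, doc in (("as posted", AS_POSTED), ("as corrected", AS_CORRECTED)):
        print(label, "->", check_soa_config(doc) or "OK")
```

If the SSL port is kept in use instead, the scheme check passes only for `https`/`t3s` addresses, and the peer still has to trust the certificate chain, which is what the UNKNOWN_CA alert in the first post reports.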