OID : Deleting OID/OPMN instances

One can face weird issues due to OID Instances not being deleted the right way. Simply deleting them from the file system or from OID might not be enough as there are entries that stay on the ODS Schema of the Database.
This can cause unforseen issues like delay in OID restarts (ldapbind fails for few mins even though instance shows up as ALIVE) or weird issues like referential integrity working intermittenly in OID/OIM.

It is highly recommended to remove an Oracle Internet Directory component by using opmnctl deletecomponent. This also unregisters the component with the WebLogic server.

Syntax :

$ORACLE_INSTANCE/bin/opmnctl deletecomponent
  -adminHost webLogicHostName
  -adminPort webLogicPort
  -adminUsername weblogicAdminUsername
  -adminPasswordFile text_file_containing_admin_password
  -componentType OID
  -componentName componentName

Sample for removing an instance named oid4
export ORACLE_INSTANCE=/u01/app/oracle/admin/config/oid_inst_3/
$ORACLE_INSTANCE/bin/opmnctl deletecomponent \
  -adminHost <wl_server_Name> \
  -adminPort 7001 \
  -adminUsername weblogic \
  -adminPasswordFile adminpass.txt \
  -componentType OID \
  -componentName oid4

Reference - https://docs.oracle.com/cd/E16764_01/oid.1111/e10029/oid_server_instances.htm#BABDJABF

How to create new Admin users in Oracle Internet Directory (OID)

A lot of us end up using the superuser 'cn=orcladmin'  to connect to OID for all use-cases.

Certainly this is not the best practice as the superuser 'cn=orcladmin' is a privileged user having more privileges than are needed certain admin functions having access to multiple realms on OID. 

While there is no documented way to create a second superuser for OID, like cn=orcladmin. But, a user with the same privileges as the realm Admin (cn=orcladmin,dc=<companyName,dc=com) can be created and used for the following use cases : 

• Use in OAM Console for Identity Store credentials
• Providing ODSM login capability to admin users to view/modify the LDAP Tree for their realm
• Any kind of CRUD based LDAP APIs used in Java Code
• Separate password policies can be created for these users which are different from the cn=orcladmin superuser etc.

This user can be created as follows : 

1. Create an LDIF file with the following content
   dn: cn=myadmin,cn=Users,dc=oracle,dc=com
   givenname: myadmin
   sn: myadmin
   cn: myadmin
   uid: myadmin
   mail: myadmin@oracle.com
   objectclass: top
   objectclass: person
   objectclass: inetOrgPerson
   objectclass: orclUser
   objectclass: orclUserV2
   objectclass: organizationalPerson
   
   
   
2. Run ldapadd
   ldapadd -h <OID_host> -p <OID_port> -D "cn=orcladmin" -w <password> -f <LDIF_filename>

        Alternatively, we can use the 'Import' function available in Data Browser tab in ODSM .

3.  Confirm that you are able to bind successfully as the newly created user

  ldapbind -h <OID_host> -p <OID_port> -D      "cn=myadmin,cn=users,dc=oracle,dc=com" -w <password>

4. Get the existing group memberships for the orcladmin user

  ldapsearch -h <OID_host> -p <OID_port> -D "cn=orcladmin" -w    <password> "<DN_of_orcladmin>" "dn"

Alternatively use 'Import' feature in Data Browser tab of ODSM to import the SuperUser.ldif file attached (essentially contains the all groups to be added for a Realm Admin in LDIF format)

Reference : Doc ID 454796.1

Good reads : 

1) Creating read-only users in OID
2) How to unlock superuser cn=orcladmin account in OID

Creating Read-Only Users in Oracle Internet Directory (OID)

A lot of us end up using the superuser 'cn=orcladmin'  to connect to OID for all use-cases.

Certainly this is not the best practice as the superuser 'cn=orcladmin' is a privileged user having way more privileges than are needed for non-admin functions. We should create read-only LDAP users for the following use cases :

• LDAP Monitoring at the F5/Load Balancer level (LDAP health check using ldapbind) 
• Use for username/password for Authenticators in Weblogic Console (which are for only authentication purposes)
• Providing ODSM login capability to non-admin users to view the LDAP Tree (based on allowed ACLs)
• Any kind of query only LDAP APIs used in Java Code
• Separate password policies can be created for read-only users which are different from superusers/realm-admins

Only three tabs are visible in ODSM for read-only users : Home, Data Browser, Schema.

Security and Advanced tabs are not visible.

One of the ways in which the read-only users can be created is : 

1. Create a text file (e.g., readonly.ldif) with the following:
   dn: cn=readonly, cn=Users,< subscriber domain >
   userpassword: < password >
   objectclass: top
   objectclass: person
   objectclass: organizationalPerson
   objectclass: inetorgperson
   objectclass: orcluser
   objectclass: orcluserV2
   mail: readonly
   givenname: readonly
   uid: readonly
   description: account to have readonly access
   sn: readonly
   cn: readonly

 2. Load the above file with ldapadd command :
ldapadd -h <OID_host> -p <OID_port> -D cn=orcladmin -w <password> -v -f readonly.ldif

Alternatively, we can use the 'Import' function available in Data Browser tab in ODSM .

The key is to make sure the user is not a member of any groups.

3. Check Group Memberships:

To verify the user is NOT a member of any group, issue the following search:

ldapsearch -h <OID_host> -p <OID_port> -D "cn=orcladmin" -w <pwd> -s sub -b "" "(uniquemember=<full_user_DN>)" "dn"

4.Confirm that you are able to bind successfully as the newly created user
ldapbind -h <OID_host> -p <OID_port> -D "cn=myadmin,cn=users,dc=oracle,dc=com" -w <password>

Reference : Doc ID 746612.1

Good read : How to unlock superuser cn=orcladmin account in OID

UCM / Webcenter Content : Configuring an Admin User for UCM which resides in OID

UseCase :

• The default install of Webcenter Content/UCM results in weblogic as the Default Content Admin which resides in the embedded LDAP.
• In our Webcenter implementations we end up using a variety of LDAP's.
• This post details how to change the Admin user for UCM to a user residing in OID which is easier to manage and the recommended approach instead of using weblogic.

Advantages : 

• This can also be extended to use any LDAP like AD, OUD, ODSEE etc.
• Another reason why this needs to be configured is so that the UCM Console can be logged in using a OHS URL or Virtual IP which has a LDAP configured as its IdentityStore instead of having to log in via the managed server port.

Configuration Steps :

1.Create a new user called ucmadmin in OID with object classes simialr to those present for orcladmin.

2.Create a new group called ucmadmingroup in OID with object classes top and groupOfUniqueNames.

3.Assign ucmadmin as a member of the ucmadmingroup.

4.Make sure the users and groups mentioned here reside in the DN hierarchy defined in the OID Authenticator(e.g. cn=Users,dc=oracle,dc=com)

5.You also need to create the Credential Maps to grant ucmadmingroup as the administrator in UCM. Then, in UCM, we mapp the OID group ucmadmin to UCM internal roles and all accounts priveliges. All the users who belong to the ucmadmin group will be automatically granted the UCM admin roles.

- Login to Content Server as weblogic and configure credential map (http://<host>:16200/cs)
  Administration -> Credential Maps, create a new map (e.g.: called "MyOIDMap")
- Add the following mapping

ucmadmingroup ,                  admin
ucmadmingroup ,                  guest
ucmadmingroup ,                  sysmanager
ucmadmingroup ,                  refineryadmin
ucmadmingroup ,                  rmaadmin
ucmadmingroup ,                  pcmadmin
ucmadmingroup ,                  ermadmin
ucmadmingroup ,                  @#all

6.Edit the provider.hda  and add the credit map "MyOIDMap" which would be at the location -
 <UCM-Domain>/ucm/cs/data/providers/jpsuserprovider/provider.hda
  Here is an example:

<feff><?hda version="11gR1-11.1.1.6.0-idcprod1-111219T111403" jcharset="UTF8" encoding="utf-8"?>
Properties LocalData
DefaultNetworkAccounts=#none
DefaultNetworkRoles=guest
PasswordScope=jpsuserprovider
ProviderClass=idc.provider.jps.JpsUserProvider
ProviderDescription=csJpsUserProviderDescription
ProviderName=JpsUserProvider
ProviderType=jpsuser
SourcePath=jpsuser
ProviderCredentialsMap=MyOIDMap
blDateFormat=M/d{/yy}{ h:mm[:ss]{ a}}!mAM,PM!tAmerica/Los_Angeles
pDescription=csJpsUserProviderDescription
end

7.Restart the UCM Managed Server.
 
8. Repeat the steps for the other machine if its a clustered environment.

9.After that , if you login to Content Server as ucmadmin, in the ucadmin profile, you should see something similar as the following:

 

 In the ucmadminprofile, you should see the "#all" in the Accounts fields. Otherwise, when users accessing documents in Spaces, it will fail the following error:
  User 'ucmadmin' does not have sufficient privileges to access the content account.

Reference : https://support.oracle.com/epmos/faces/DocumentDisplay?id=1454012.1#aref_section310

Impersonation feature for WebCenter Spaces 11.1.1.8 with Oracle Acess Mgr(OAM) 11gR2

What is Impersonation ? 

WebCenter Portal Impersonation lets a WebCenter Portal administrator or system administrator assign impersonation rights to a group of users ("impersonators"), such as support representatives or application administrators, so that they can impersonate another Portal user and perform operations as that user ("impersonatees"). This may be useful in the following instances:

• A customer support representative may want to perform actions as another user in order to understand the issues being faced by that user
• An administrator may want to perform operations on behalf of a user
• A company executive may need to delegate someone to act on his or her behalf while away. (Source : Oracle Documentation)

Pre-requisites

1) WebCenter Spaces 11.1.1.8 +

2) Oracle Access Manager(OAM) 11.1.2 (11gR2+)

3) Setups need to be done in OAM , Webcenter Spaces application using EM , and in Oracle Internet Directory(OID) for the users (OID 11.1.1.7+)

Key Advantages -

1) Feature just needs to be configured as mentioned above . Effort is markedly less than implementing this feature in a custom manner using ADF/Web Technologies.

2) Feature once configured along with OAM can be monitored using OAM.

3) Out of the box UI are available and supported by Oracle , hence the solution is standardized.

4)Feature being a very common use case can be used to sell OAM and the Security Team has expertise in implementing it within a cpl of weeks.

Note - 

• After weeks of ado , I have got this up and running in our environments for Webcenter Spaces 11.1.1.8 which is Oracle's new way of developing webcenter portal applications.

• But for a Custom Portal Application in 11.1.1.8, though Security Taskflows for Impersonation are available in Jdeveloper , Impersonation is not currently supported (Doc ID 1606526.1) but I have an ER open with Oracle [BUG 18882638 - ENABLE IMPERSONATION FOR WEBCENTER CUSTOM FRAMEWORK APS ]

Walkthrough of this new & exciting feaute via screenshots - 

1) Screen in WC Spaces / Custom Portal Security Taskflow to select impersonators. (Validations to prevent users not been setup as Impersonators available Out of the Box).

2) Search Impersonators screen .

Only those users who have been granted Impersonator access in OID can be searched here.

3)Selected Impersonator who can be given access rights for a time duration.

4) Once Switch User Link is clicked ( as in second image above) after logging in with the 
Impersonators credentials , the Impersonator is asked to enter your credentials as under.

5) Once logged in the Impersonation session is in progress. Remember - The impersonatee's credentials were not used at all !

Click on Stop Impersonation to return back 
to the Impersonator's home page.

6) Cool feature  !! Monitor the Impersonation session as an Admin in OAM Console as below

Reference - 

http://docs.oracle.com/cd/E29542_01/webcenter.1111/e27785/pers_impersonate.htm