Rich Diagnostics

Source: https://abhirockzz.wordpress.com
Oracle IDM R2 PS2 provides some really efficient troubleshooting, monitoring and diagnostic features. This post will provide a quick overview of the same and delve into using one such feature to resolve a practical issue.

New Diagnostic Features: Overview

1. Orchestration diagnostics – the EM console can be used to drill down into the orchestration-related details of events within OIM
  • A dashboard to view recent operations and events
[Screenshots: orch-dashboard-1, orch-dashboard-2]
  • Information on ALL the event handlers attached to a particular operation, including CUSTOM-developed ones. No more digging into XMLs from MDS !
[Screenshot: orch-ops]
  • Powerful search features for all operations (search by Operation Type, Operation ID, etc.)
[Screenshot: orch-instance]

2. Dynamic Monitoring Service (DMS) is an Oracle FMW component which enables performance tracking of various OIM modules and services such as scheduled tasks, event handlers, platform resources, etc. DMS metrics can also be exported for detailed introspection.
3. Reconciliation Profile validation
  • Validate recon profiles via MBeans in the EM console – great for debugging issues
  • Also lists the indices on the reconciliation tables, which helps compare database tuning against the documented mandates
[Screenshot: recon-pro-diag-feature]

A detailed explanation of each of these features is difficult to cover in a single post – skipping this for a future blog post (series). For now, let us explore a real-world use case where such diagnostic capability can be used.
I happened to come across a particular issue and resolved it with the help of one of the many OIM PS2 diagnostic features. This one happened to be related to OIM Reconciliation Profiles.

The problem statement

  • Reconciliation job execution was not resulting in event creation.
  • The server console logs pointed to a SAX parsing exception.
[Screenshot: console-error]
Note: Whenever I see an XML parsing (SAX or DOM) exception in the context of reconciliation, the brain invariably gravitates towards the Reconciliation Profile XML – yes. It’s a boon in general, but a curse because it has a tendency to get corrupted (for no apparent reason).

The investigation

Time to use the new Reconciliation Profile validation diagnostic feature in PS2 (mentioned above) which enables us to validate and detect errors in the OIM Reconciliation Profile. It does so by exposing this service as an MBean. Sweet !! 🙂

So how to go about this?

1. Log into the EM console and take the route shown in the snapshots below (yes, a picture is worth a thousand words and 10 minutes of writing something which can be easily portrayed via a visual medium!)
[Screenshots: em-console-profile-val-1, em-console-profile-val-2, em-console-profile-val-3]
2. The next obvious step was to export the recon profile XML itself in order to drill down further on the matchingRule element (since there can be multiple such elements, and the error indicates that one of them might be empty – hence the schema violation error resulting in a parsing error)

Exporting the recon profile XML via EM console

Note: This is not a diagnostic feature as such, nor new functionality. It has been present since the OIM 11g R1 era.
No need to execute manual processes – use the EM GUI to get the job done fast. Follow the snapshots.

[Screenshots: recon-prof-ex-1, recon-prof-ex-2]
Finally – click on the Invoke button and you should have the profile exported to the location mentioned above.
Note: If required, you can easily modify the XML and use the importMetadata operation of the same MBean to import it with a single click (try it out).
The profile was exported in order to investigate it further. Let’s see what the issue was.
[Screenshot: profile-xml-issue]

So, finally it is evident as to which matchingRule tag was empty.
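
Finding the empty element by eye gets tedious in a large export. The following is an added example, not part of the original post, that scans an exported profile for matchingRule elements with no content and reports the line and enclosing path of each. The sample XML, its wrapper element names and the `name` attribute are constructed for illustration; only the matchingRule element name comes from the post.

```python
import xml.sax
import xml.sax.handler
from io import BytesIO

class EmptyRuleFinder(xml.sax.handler.ContentHandler):
    """Collects every <matchingRule> that has no text and no child elements."""

    def __init__(self, tag="matchingRule"):
        super().__init__()
        self.tag = tag
        self.stack = []     # open elements as [label, has_content, start_line]
        self.findings = []  # (line, path) for each empty element

    def setDocumentLocator(self, locator):
        self.locator = locator

    def startElement(self, name, attrs):
        if self.stack:
            self.stack[-1][1] = True  # the parent now has a child element
        ident = attrs.get("name")     # assumed identifying attribute
        label = f"{name}[{ident}]" if ident else name
        self.stack.append([label, False, self.locator.getLineNumber()])

    def characters(self, content):
        # Assumption: a whitespace-only element is treated as empty
        if content.strip() and self.stack:
            self.stack[-1][1] = True

    def endElement(self, name):
        _, has_content, line = self.stack[-1]
        if name == self.tag and not has_content:
            path = "/".join(entry[0] for entry in self.stack)
            self.findings.append((line, path))
        self.stack.pop()

def find_empty_rules(data: bytes):
    """Return [(line, path), ...] for each empty matchingRule in the export."""
    handler = EmptyRuleFinder()
    parser = xml.sax.make_parser()
    # Do not resolve external entities while reading the exported file
    parser.setFeature(xml.sax.handler.feature_external_ges, False)
    parser.setContentHandler(handler)
    parser.parse(BytesIO(data))
    return handler.findings

# Constructed sample; not the real OIM profile schema
SAMPLE = b"""<profile name="ConstructedResource">
  <form name="ParentForm">
    <matchingRule>(login = 'User Login')</matchingRule>
  </form>
  <form name="ChildForm">
    <matchingRule></matchingRule>
  </form>
  <form name="OtherChild">
    <matchingRule/>
  </form>
</profile>"""

if __name__ == "__main__":
    for line, path in find_empty_rules(SAMPLE):
        print(f"line {line}: empty {path}")
```

A profile that is not well-formed raises `xml.sax.SAXParseException`, which carries its own line and column.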

Conclusion

Well, it all boiled down to a missing configuration in the Connector artifact – missing KEY field configuration for the child field (in the Process Definition).

Take away point

OIM is a feature-rich product. Hence, things can get complicated at times and errors can get hard to debug. We saw how easy it was to drill down to the cause of the error and ultimately fix it.
Why/How did this happen? That was not really the point of this post. In case you are inquisitive, it looks like this is a bug in the connector ! 😉 That’s for a later post – maybe after further introspection.

Resolution

  • Include the KEY field config for the child field in the Process Definition
  • Recreate the Recon Profile
  • Validate the same via EM console (already explained)
  • Move on with your life ! 😉

Remember – bugs/errors/issues are an opportunity for us to learn and discover something new. Software can never be perfect in a single go. Be patient, try to diagnose, know your tools, know how to use them – if there are no tools, just build one and blog about it !! 😉
