OIM Issues after installing ORACLE IDENTITY MANAGEMENT SUITE BUNDLE PATCH 11.1.2.0.2 (BP02)


16/02/2013

After installing Patch 14760806, also called ORACLE IDENTITY MANAGEMENT SUITE BUNDLE PATCH 11.1.2.0.2 (BP02), to fix a few existing issues with OIM 11.1.2.0.1, we saw “access denied” errors while accessing the OIM Identity Console as an “End User”. “System Administrator” users could access the console without any issues. The reason is that an OOTB Authorization plugin that allows an “End User” to access his/her own profile is not applied by the patch and has to be deployed manually. The same plugin is also responsible for allowing a user to request roles using the Catalog tool. This post describes the error messages displayed, the workaround (suggested by Oracle) and a few steps missing from the Oracle documentation for the plugin deployment.

After installing Patch 14760806 for OIM, end users could not access “My Information” and “Catalog” tabs in OIM Identity Console

Environment

Windows 2008 R2 Standard Edition (64 Bit), OIM 11.1.2.0.2, OVD 11.1.1.6, WebLogic 10.3.6

Problem Description

After successfully installing Patch 14760806 on top of BP01 to fix the issue of too many emails being generated for a Role request (discussed in another post here), we tried to test whether the issue was fixed. For this we performed the following steps.

  • Access OIM Identity console http://hostname:port/identity
  • Log in as “testuser” whose user type is “End User”
  • Click Catalog tab
  • Search for roles
  • Select required role and Add to the Cart

To our surprise, at this moment we saw a pop-up that said “Localized message not available. Error returned is: You do not have permission to view details of user – 102”

The next step was to try to access the “My Information” tab, and it also failed to display the user profile information with the same error as above. We were quite sure that we had not modified any of the user permissions (Authorization policies) before or after applying the patch.

This problem did not arise when we logged in to the Identity console as XELSYSADM or other SYSTEM ADMINISTRATORS. Only users with User Type “End User” had permission issues.

Other errors you might see:

  • JBO-29000: Unexpected exception caught: oracle.iam.ui.platform.exception.OIMRuntimeException, msg=JBO-29000: Unexpected exception caught oracle.iam.selfservice.exception.UserLookupException, msg=You do not have permission to view details of user 102
  • JBO-29000: Unexpected exception caught: oracle.iam.selfservice.exception.UserLookupException, msg=You do not have permission to view details of user 102

Cause

There are certain OOTB Authorization plugins deployed with OIM that determine what permissions each user has in the OIM Console. While applying BP02, one such plugin, shipped as authorization-plugin.zip, is not deployed (a bug in the patch). Without this plugin, OIM was not able to find the relevant permissions for an “End User” to allow access to the tabs in the Identity Console, and hence the user was denied access.

Workaround

Oracle suggested deploying the authorization-plugin.zip plugin manually and said that this would fix the problem with End User permissions.

How to register a plugin?

Here is the Oracle documentation that describes plugin registration using the command line. Make sure that your OIM Managed Server is up and running while you perform the registration.

Missing Steps

Even though we followed the steps described in the above link, our plugin was still not being registered. It was failing with the error: “[echo] Error: Could not find or load main class oracle.iam.platformservice.utils.PluginUtility”

This was fixed by:

  • adding ..\Oracle_IAM1\server\client\oimclient.jar to CLASSPATH

If you still see errors:

  • In the ant.properties file, try replacing the login.config value ${oim.home}/config/authwl.conf with the actual path to authwl.conf
  • Also, if you are using Windows, replace all ‘/’ in the paths in ant.properties with ‘//’

A successful plugin registration displays “[echo] Plugin oracle.iam.platform.authopss.plugin.impl.AttributeResolverImpl version 1.0 Registered”

Restart OIM Managed Server.
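The two registration failures above (PluginUtility not on the CLASSPATH, and a login.config path that does not resolve) can be checked before running the registration. The following PowerShell script is an added example, not part of the original post or of Oracle's tooling; the install root, the ant.properties location and the property name login.config are assumptions, and the JAR inspection needs the .NET 4.5 System.IO.Compression.FileSystem assembly.

```powershell
# Added pre-flight check for the manual authorization-plugin.zip registration.
# ASSUMPTIONS (not from the post): the Oracle_IAM1 install root below, the
# location of ant.properties, and that the property is named "login.config".
param(
    [string]$OimHome  = 'C:\Oracle\Middleware\Oracle_IAM1',
    [string]$AntProps = 'C:\Oracle\Middleware\Oracle_IAM1\server\plugin_utility\ant.properties'
)

$ErrorActionPreference = 'Stop'
# ZipFile lives in .NET 4.5+; assumed to be installed on the server.
Add-Type -AssemblyName System.IO.Compression.FileSystem

# 1. "Could not find or load main class ...PluginUtility" means the class is not
#    on the CLASSPATH. Confirm the jar exists and really contains the class.
$oimClient = Join-Path $OimHome 'server\client\oimclient.jar'
if (-not (Test-Path $oimClient)) { throw "oimclient.jar not found at $oimClient" }

$zip = [System.IO.Compression.ZipFile]::OpenRead($oimClient)
try {
    $entry = $zip.Entries |
        Where-Object { $_.FullName -eq 'oracle/iam/platformservice/utils/PluginUtility.class' }
    if (-not $entry) { throw "PluginUtility.class is not inside $oimClient; check the jar" }
} finally {
    $zip.Dispose()
}

# Prepend the jar to CLASSPATH for this session only, unless it is already there.
$parts = @()
if ($env:CLASSPATH) { $parts = $env:CLASSPATH -split ';' }
if ($parts -notcontains $oimClient) {
    $env:CLASSPATH = (@($oimClient) + $parts) -join ';'
}
Write-Host "CLASSPATH: $env:CLASSPATH"

# 2. The login.config entry in ant.properties must point to a file that exists.
#    ${oim.home} is expanded here the same way the post expands it by hand.
$props = Get-Content $AntProps
$loginLine = $props | Where-Object { $_ -match '^\s*login\.config\s*=' } | Select-Object -First 1
if (-not $loginLine) { throw "login.config is not set in $AntProps" }
$loginValue = ($loginLine -split '=', 2)[1].Trim()
$resolved   = $loginValue -replace '\$\{oim\.home\}', $OimHome

if (Test-Path $resolved) {
    Write-Host "login.config resolves to $resolved"
} else {
    Write-Warning "login.config is '$loginValue', which resolves to '$resolved' (missing)."
    Write-Warning "Replace it in ant.properties with the full path to authwl.conf."
}
# If both checks pass, run the ant registration target from the Oracle
# documentation linked above with the OIM Managed Server running.
```

Run it from a PowerShell session on the OIM host before the ant registration; the CLASSPATH change applies only to that session, so run ant from the same window.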

Result

This fixed the access denied errors for end users. They could access “My Information” and request roles using the “Catalog”. The number of emails was also reduced, as discussed here if you are interested in taking a look.

Hope this helps somebody out there. 

Have a great Family Day Weekend!
