  • How to read session Ids of a user from OAM 11g

    Posted in "idm, integration, oam, Session, sso, troubleshooting" on 2012-05-04

    We use the OAM 11g API extensively in our project, and one requirement is to set session attributes for an OAM user session.

    Session attributes are a concept newly introduced in OAM 11g (not there in 10g). Once an OAM session is created, we can retrieve the session IDs by using the API method getSessionIds of the UserSession class (package is oracle.security.am.asdk). This class is available in oamasdk-api-11.1.1.5.0.jar.

    We are using Embedded Weblogic as System and default store. The concepts of these stores are well explained in this post.

    We tried to retrieve the session IDs for a user with the code snippet below:

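    import java.util.Hashtable;
    import java.util.Set;
    import oracle.security.am.asdk.AccessClient;
    import oracle.security.am.asdk.ResourceRequest;
    import oracle.security.am.asdk.UserSession;

    // Credentials for the login performed through the ASDK.
    Hashtable<String,String> credentials = new Hashtable<String,String>();
    credentials.put("userid", user_login);
    credentials.put("password", user_passwd);
    try {
        // Location is the agent configuration directory.
        AccessClient ac = AccessClient.createDefaultInstance(Location, AccessClient.CompatibilityMode.OAM_10G);
        ResourceRequest req = new ResourceRequest(protocol, resource, method_way);
        System.out.println("Location-->" + Location);
        // Authenticating the user creates the OAM session.
        UserSession session = new UserSession(req, credentials);
        // The session token is a credential; print it only while debugging.
        String sessionId = session.getSessionToken();
        System.out.println(sessionId);
        // Management operation: list the session IDs held by this user.
        Set set = session.getSessionIds(user_login);
        System.out.println("Sessionattr--->" + set);
    } catch (Exception e) {
        // Report the failure instead of silently discarding it.
        e.printStackTrace();
    }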

     

    We are getting the below exception while executing the above code snippet:

    "oracle.security.am.asdk.OperationNotPermittedException: OAMAGENT-02005: Operation not permitted on this server."

    I can read the OAM sessions from the database by logging into DB as OAM DB schema user.

    select * from oam_session;

    I have found that there is a bug related to session IDs (bug# 12972630). The fix for bug# 12972630 will return session IDs of a user in the specified user identity stores. Right now only sessions with the default store are returned.

    Well, the following statement is extracted from OAM documentation for default store:

    Default Store: Used by Oracle Security Token Service, and for migration purposes when patching.

    So the fix for the bug is to use the user identity store as the default store to retrieve the session IDs from the OAM server. I can't exactly make out the reason for the bug fix or the purpose of the default store.

    Anyhow, I am using OVD as the user identity store for OAM authentication. So I have flagged the OVD identity store as the Default store, and then I am able to retrieve the session IDs from the OAM server.

    9 Responses to “How to read session Ids of a user from OAM 11g”

    1. […] by Session Management Engine SME. How to retrieve session IDs from OAM server are explained in post. So this post will give a sample code snippet to set and retrieve session attributes from […]

    2. tinba says:

      hi.

      i was wondering if you were able to resolve this issue. we have the same problem with our environment. initially, we want to use KerberosScheme for authentication, but for testing purposes we are just using AD.

      the AD is configured as default store in OAM and we have tested authentication against it (we are asked for username/pwd and can successfully log in with an AD-user). our code is almost the same as in your example and we are able to create a user session. we see this because we can get many of the attributes (level, start time, last use time and session token). however, getting the session IDs with method getSessionIds(…) always results in OAMAGENT-02005 error. we have tried using different combinations of values for username (samaccountname, dn etc.), but the error is the same.

      our final goal is to get the session attributes with the correct session ID.

      best regards,
      tinba

    3. Mahendra says:

      @Tinba,

      I initially approached Oracle support for this and they also suggested making the Id Store the Default to resolve this issue; an ER is already raised for the same.

      Hence, there is no other solution for this issue. Make AD store as default store and try retrieving session IDs. Let me know if you face any issues.

      -Mahendra

    4. tinba says:

      hi again and thank you very much for the reply.

      to remove possible errors due to bugs etc., we have patched OAM (p.nr. 13473393) and ASDK (p.nr. 14026048). we have changed the authentication scheme to form-login to AD and have made AD the Default Store in OAM. when we go via browser to the resource, we can log in with our AD-credentials.

      using ASDK via AccessClient, we still get the same errors as before (OAMAGENT-02005). this applies to the following methods: UserSession.getSessionIds(…) and UserSession.getSessionAttributes(…). for the former we have tested with different values of the userid, for the latter we have tested with values for session-IDs gathered directly from database (oam_session table).

      in addition, we see that the following methods also have issues:
      * UserSession.getLocation() is not able to read our AccessClient's IP-address.
      * UserSession.getUserIdentity() returns the DN only up to the first space in the DN (when one uses full name for CN, this is a problem since you have space between given name and surname).

      any suggestions are appreciated.

      best regards,
      tinba

    5. tinba says:

      hi again.

      have found the error. :) we overlooked configuring our AccessClient as a privileged agent (“Allow Management Operations” in OAM Console). this has to be done if the agent is going to manage sessions. fixing this, the problem was solved.

      thank you very much for the help.

      best regards,
      tinba

    6. Antony says:

      @Tinba,

      Where do we find the option?
      Can you give the path?

    7. tinba says:

      @Antony,

      i don’t have access to OAM Console, but it should be under the agent configuration. search and open the agent you created and there should be a checkbox for “Allow Management Operations”. from OAM-documentation: http://docs.oracle.com/cd/E15586_01/doc.1111/e15478/agents.htm#CIHJEBJC

      best regards,
      tinba

    8. Antony says:

      @ Tinba,

      I have 2 factor authentication. After the user submits username and password and before validating OTP, I need to search for existing user sessions of the user. If the user has a sessionId then stop him from logging in again. If the user doesn't have a session Id, the user can proceed further for authentication.

      Can you please let me know how we can write code for this.

    9. venkat28 says:

      Hi Mahendra,
      I am getting the following error when I try to use the API UserSession.getSessionAttributes(sessionID).

      Error Message:

      Exception in thread "main" oracle.security.am.asdk.OperationNotPermittedException: OAMAGENT-02005: Operation not permitted on this server.
      at oracle.security.am.asdk.UserSession.getSessionIds(UserSession.java:863)
      at oracle.security.am.asdk.UserSession.getSessionIds(UserSession.java:784)
      at com.oam.accessgate.OAMInterceptor.__getUserSessions__(OAMInterceptor.java:46)
      at com.oam.accessgate.OAMInterceptor.main(OAMInterceptor.java:99)

      Allow Management Operations was checked. We are using ODSEE as user identity store and it has been set to default store. We also patched OAM SDK as per 14026048.

      Can you please help me with this?
      Thank you
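
    The two server-side prerequisites that come up on this page (the user's identity store flagged as Default Store, and "Allow Management Operations" enabled on the agent) both surface as the same OAMAGENT-02005 error, so a probe that catches OperationNotPermittedException separately from other ASDK failures makes the cause easier to pin down. The class below is an added example, not code from the post or from Oracle. The class name SessionIdProbe and its command-line arguments are assumptions, and it needs the ASDK jar and a registered agent configuration to run.

    ```java
    import java.util.Hashtable;
    import java.util.Set;
    import oracle.security.am.asdk.AccessClient;
    import oracle.security.am.asdk.AccessException;
    import oracle.security.am.asdk.OperationNotPermittedException;
    import oracle.security.am.asdk.ResourceRequest;
    import oracle.security.am.asdk.UserSession;

    // Hypothetical diagnostic class (name and arguments are assumptions).
    public class SessionIdProbe {
        // args: <configDir> <protocol> <resource> <method> <userid>
        public static void main(String[] args) throws Exception {
            if (args.length != 5 || System.console() == null) {
                System.err.println("usage (interactive): SessionIdProbe configDir protocol resource method userid");
                System.exit(2);
            }
            // Read the password without echo instead of passing it on the command line.
            char[] pw = System.console().readPassword("Password for %s: ", args[4]);
            if (pw == null) {
                System.exit(2);
            }
            Hashtable<String, String> creds = new Hashtable<String, String>();
            creds.put("userid", args[4]);
            creds.put("password", new String(pw));
            AccessClient ac = null;
            try {
                ac = AccessClient.createDefaultInstance(args[0], AccessClient.CompatibilityMode.OAM_10G);
                ResourceRequest req = new ResourceRequest(args[1], args[2], args[3]);
                UserSession session = new UserSession(req, creds);
                if (session.getStatus() != UserSession.LOGGEDIN) {
                    System.err.println("Login failed; no session to query.");
                    return;
                }
                // Management operation: only a privileged agent may call this.
                Set<?> ids = session.getSessionIds(args[4]);
                System.out.println(ids.size() + " session(s) for " + args[4] + ": " + ids);
            } catch (OperationNotPermittedException e) {
                // OAMAGENT-02005: the server refused the management call.
                System.err.println(e.getMessage());
                System.err.println("Check 1: agent has \"Allow Management Operations\" enabled.");
                System.err.println("Check 2: the user's identity store is flagged as Default Store.");
            } catch (AccessException e) {
                // Any other ASDK failure (configuration, connectivity, authentication).
                System.err.println("ASDK call failed: " + e.getMessage());
            } finally {
                // Release the agent's connections to the OAM server.
                if (ac != null) ac.shutdown();
            }
        }
    }
    ```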
