How to read session Ids of a user from OAM 11g

We use the OAM 11g API extensively in our project, and one requirement is to set session attributes for an OAM user session.

Session attributes are a concept newly introduced in OAM 11g (not present in 10g). Once an OAM session is created, we can retrieve the session IDs with the getSessionIds method of the UserSession class (package oracle.security.am.asdk). This class is available in oamasdk-api-11.1.1.5.0.jar.

We are using Embedded Weblogic as System and default store. The concepts of these stores are well explained in this post.

We tried to retrieve the session IDs for a user using the code snippet below.

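import java.util.Hashtable;
import java.util.Set;
import oracle.security.am.asdk.AccessClient;
import oracle.security.am.asdk.ResourceRequest;
import oracle.security.am.asdk.UserSession;

public class ReadSessionIds {
    // All values are supplied by the caller.
    static void printSessionIds(String Location, String protocol, String resource,
            String method_way, String user_login, String user_passwd) {
        Hashtable<String, String> credentials = new Hashtable<String, String>();
        credentials.put("userid", user_login);
        credentials.put("password", user_passwd);
        try {
            AccessClient ac = AccessClient.createDefaultInstance(Location, AccessClient.CompatibilityMode.OAM_10G);
            ResourceRequest req = new ResourceRequest(protocol, resource, method_way);
            System.out.println("Location-->" + Location);
            // Authenticate the user and create the OAM session
            UserSession session = new UserSession(req, credentials);
            String sessionId = session.getSessionToken();
            System.out.println(sessionId);
            // Ask the server for every session ID that belongs to this user
            Set set = session.getSessionIds(user_login);
            System.out.println("Sessionattr--->" + set);
        } catch (Exception e) {
            // Print the failure instead of silently swallowing it
            e.printStackTrace();
        }
    }
}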

We are getting the below exception while executing the above code snippet:

“oracle.security.am.asdk.OperationNotPermittedException: OAMAGENT-02005: Operation not permitted on this server.”

I can read the OAM sessions from the database by logging into DB as OAM DB schema user.

select * from oam_session;

I found that there is a bug related to session IDs, bug# 12972630. The fix for bug# 12972630 will return the session IDs of a user in the specified user identity stores. Right now only sessions with the default store are returned.

Well, the following statement is extracted from OAM documentation for default store:

Default Store: Used by Oracle Security Token Service, and for migration purposes when patching.

So the fix for the bug is to use the user identity store as the default store to retrieve the session IDs from the OAM server. I can’t exactly make out the reason for the bug fix or the purpose of the default store.

Anyhow, I am using OVD as the user identity store for OAM authentication. So I flagged the OVD identity store as the Default store, and then I was able to retrieve the session IDs from the OAM server.

About the Author Mahendra

I am engulfed in Oracle Identity & Access Management domain. I have expertise on providing the optimized solutions for user provisioning, web access management, Single Sign-On and federation capabilities etc., I am also well versed with complex integrations within Identity Management and other product domains. I have expertise on building demos and implementation experience on products Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Entitlement Server, Oracle Virtual Directory, Oracle Internet Directory etc., Look @ my blog: http://talkidentity.blogspot.com

9 comments
» How to set and get session attributes in OAM 11g Online Apps DBA: One Stop Shop for Apps DBA’s says May 4, 2012

[…] by Session Management Engine SME. How to retrieve session IDs from OAM server are explained in post. So this post will give a sample code snippet to set and retrieve session attributes from […]

Reply
tinba says July 5, 2012

hi.

i was wondering if you were able to resolve this issue. we have the same problem with our environment. initially, we want to use KerberosScheme for authentication, but for testing purposes we are just using AD.

the AD is configured as default store in OAM and we have tested authentication against it (we are asked for username/pwd and can successfully log in with an AD-user). our code is almost the same as in your example and we are able to create an user session. we see this because we can get many of the attributes (level, start time, last use time and session token). however, getting the session id’s with method getSessionIds(…) always results in OAMAGENT-02005 error. we have tried using different combination of values for username (samaccountname, dn etc.), but the error is the same.

our final goal is to get the session attributes with the correct session ID.

best regards,
tinba

Reply
Mahendra says July 5, 2012

@Tinba,

I initially approached Oracle support for this and they also suggested making the Id Store the Default to resolve this issue; an ER is already raised for the same.

Hence, there is no other solution for this issue. Make AD store as default store and try retrieving session IDs. Let me know if you face any issues.

-Mahendra

Reply
tinba says July 6, 2012

hi again and thank you very much for the reply.

to remove possible errors due to bugs etc., we have patched OAM (p.nr. 13473393) and ASDK (p.nr. 14026048). we have changed the authentication scheme to form-login to AD and have made AD the Default Store in OAM. when we go via browser to the resource, we can log in with our AD-credentials.

using ASDK via AccessClient, we still get the same errors as before (OAMAGENT-02005). this applies to the following methods: UserSession.getSessionIds(…) and UserSession.getSessionAttributes(…). for the former we have tested with different values of the userid, for the latter we have tested with values for session-IDs gathered directly from database (oam_session table).

in addition, we see that the following methods also have issues:
* UserSession.getLocation() is not able to read our AccessClient's IP address.
* UserSession.getUserIdentity() returns the DN only up to the first space in the DN (when one uses full name for CN, this is a problem since you have space between given name and surname).

any suggestions are appreciated.

best regards,
tinba

Reply
tinba says July 6, 2012

hi again.

have found the error. 🙂 we overlooked configuring our AccessClient as a privileged agent (“Allow Management Operations” in OAM Console). this has to be done if the agent is going to manage sessions. fixing this, the problem was solved.

thank you very much for the help.

best regards,
tinba

Reply
Antony says August 7, 2013

@Tinba,

Where do we find the option?
Can you give the path?

Reply
tinba says August 7, 2013

@Antony,

i don’t have access to OAM Console, but it should be under the agent configuration. search and open the agent you created and there should be a checkbox for “Allow Management Operations”. from OAM-documentation: http://docs.oracle.com/cd/E15586_01/doc.1111/e15478/agents.htm#CIHJEBJC

best regards,
tinba

Reply
Antony says August 14, 2013

@ Tinba,

I have 2 factor authentication. After the user submits username and password and before validating the OTP, I need to search for existing user sessions of the user. If the user has a sessionId then stop him from logging in again. If the user doesn’t have a session Id, the user can proceed further for authentication.

Can you please let me know how we can write code for this.

Reply
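The pre-OTP check described in the comment above, as an added example that is not part of the original thread or of Oracle's SDK: the gate treats a failed session lookup (for instance the OAMAGENT-02005 error discussed on this page) as a denial instead of as "no sessions". SessionLookup, Decision and the sample user names are hypothetical; in a real deployment the lookup would wrap UserSession.getSessionIds(userId).

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

public class ExistingSessionGate {
    /** Hypothetical seam; a real implementation would call UserSession.getSessionIds(userId). */
    interface SessionLookup {
        Set<String> sessionIds(String userId) throws Exception;
    }

    enum Decision { PROCEED_TO_OTP, DENY_ACTIVE_SESSION, DENY_LOOKUP_FAILED }

    /** Decide, after the password step and before OTP validation, whether login may continue. */
    static Decision decide(SessionLookup lookup, String userId) {
        try {
            Set<String> ids = lookup.sessionIds(userId);
            if (ids == null || ids.isEmpty()) {
                return Decision.PROCEED_TO_OTP;
            }
            return Decision.DENY_ACTIVE_SESSION;
        } catch (Exception e) {
            // Fail closed: if the agent is not allowed to list sessions, the answer is
            // unknown, and an unknown answer must not let a second login through.
            return Decision.DENY_LOOKUP_FAILED;
        }
    }

    public static void main(String[] args) {
        // Constructed sample data standing in for the OAM server's session store.
        Map<String, Set<String>> store = new HashMap<>();
        store.put("alice", new HashSet<>(Arrays.asList("constructed-session-id-1")));

        SessionLookup working = user -> store.getOrDefault(user, Collections.emptySet());
        // Simulates an agent without "Allow Management Operations".
        SessionLookup notPermitted = user -> {
            throw new IllegalStateException("OAMAGENT-02005: Operation not permitted on this server.");
        };

        System.out.println("alice, lookup ok:     " + decide(working, "alice"));
        System.out.println("bob, lookup ok:       " + decide(working, "bob"));
        System.out.println("bob, lookup rejected: " + decide(notPermitted, "bob"));
    }
}
```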
venkat28 says September 11, 2013

Hi Mahendra,
I am getting the following error when I try to use the API UserSession.getSessionAttributes(sessionID).

Error Message:

Exception in thread "main" oracle.security.am.asdk.OperationNotPermittedException: OAMAGENT-02005: Operation not permitted on this server.
    at oracle.security.am.asdk.UserSession.getSessionIds(UserSession.java:863)
    at oracle.security.am.asdk.UserSession.getSessionIds(UserSession.java:784)
    at com.oam.accessgate.OAMInterceptor.__getUserSessions__(OAMInterceptor.java:46)
    at com.oam.accessgate.OAMInterceptor.main(OAMInterceptor.java:99)

Allow Management Operations was checked. We are using ODSEE as user identity store and it has been set to default store. We also patched OAM SDK as per 14026048.

Can you please help me with this?
Thank you

Reply