MDS-00010 DuplicateRefException Issue

When one of my team mate reported me an issue saying that they not able to modify and create user in OIM and are seeing the below exception every time they click on Create User/ Modify User link in OIM:

oracle.mds.exception.MDSRuntimeException: MDS-00010: DuplicateRefException. In document /oracle/iam/ui/runtime/form/view/pages/userCreateForm.jsff there are multiple elements with the same ID _xg_pfl0

My first impression was that I am the culprit and it’s due to some of the UDF changes I did few days back and made me curse the sandbox. I hate Sandbox. However, after ransacking all the sandboxes that I have imported in OIM and not able to find the ID _xg_pf in them. I didn't even saw the /oracle/iam/ui/runtime/form/view/pages folder. I started looking at the list of configuration changes made in the environment and found out that one of my team mate has accidentally installed Web Tier in the IAM middleware instead of IDM Middleware. Due to installation of web tier installation in IAM 11g R2 Middleware, some of the library files inside $MW_HOME/oracle_common got modified which caused this issue. I tried copying all the modified folders inside $MW_HOME/oracle_commons from another environment but that didn’t worked; the OIM Admin server didn’t get started.

Here are the list of sub-directories that got modified inside the $MW_HOME/oracle_common directory:

• bin
• modules
• common
• lib
• jlib

There were few files (I think 2) that were also modified but they were not environment specific.

I also found a note# 1615855.1 on MOS which confirms the same. However the notes tells you to run the opatch lsinventory command on $MW_HOME/oracle_common to find if any IDM component is installed in IAM but I didn’t see OUI inventory being modified. The note says the solution is to install the IDM and IAM components again but you know that’s stupid and not doable.  A file system restore has worked for us. You might need to do db restore also if you have made significant changes in database or MDS recently.

Here is the error snippet:

2013-12-04T15:41:29.938-04:00] [WLS_OIM1] [NOTIFICATION] [J2EE JSP-00008] [oracle.j2ee.jsp] [tid: [ACTIVE].ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: xelsysadm] [ecid: 11d1def534ea1be0:67c0781c:142bf1864c8:-8000-0000000000000050,0] [APP: oracle.iam.console.identity.self-service.ear#V2.0] unable to dispatch JSP page: The following exception occurred:.[[

oracle.mds.exception.MDSRuntimeException: MDS-00010: DuplicateRefException. In document /oracle/iam/ui/runtime/form/view/pages/userCreateForm.jsff there are multiple elements with the same ID _xg_pfl0.

at oracle.mds.internal.melement.MDocument.insertMapNode(MDocument.java:2502)

at oracle.mds.internal.melement.MDocument.insertMapNode(MDocument.java:1194)

 

....

 

Cheers!

 

Exporting all of the MDS data for OIM 11g

If you want to export/backup all the MDS configuration files for OIM, then use the below WLST command:

 

Step1: Create a directory where you want all the configuration to be exported, for example MDSExport.

 

Step2: From the shell/command prompt, navigate to $MW_HOME/oracle_common/common/bin

 

Step3: Execute the wlst.sh/wlst.cmd and issue the connect() command.

 

Step4: Provide the weblogic username, password and URL to Admin Server.

 

Step5: Execute the exportMetadata command providing at least the following arguments: application, server and toLocation.

 

For example, exportMetadata(‘OIMMedata’,’oim_server1’,’<<Full Path to MDSExport’)

 

Step6: You should see a list of the files exported, at that point you can issue the disconnect() command followed by the exit() command.

 

you can also save the above commands in a .py file, let’s say MDSExport.py and it can be executed directly without entering the credentails and URL everytime.

 

MDSExport.py

 

connect('weblogic',<<PASSWORD>>,'t3://<<server:7001>>)
exportMetadata(application='OIMMetadata', server='oim_server1', toLocation=<<Full Path to MDSExport’)
disconnect()
exit()

 

Now, you can simply run the below command:

./wlst.sh MDSExport.py

 

Note: You cannot export all the configuration files using Deployment Manager (DM) and also, DM doesn’t have version control.

Java Code to Create OIM 11g R1 Role Category

Here is the sample java code to create role cateogry in OIM 11gR1:


import java.util.HashMap;
import java.util.Hashtable;
import oracle.iam.identity.rolemgmt.api.RoleCategoryManager;
import oracle.iam.identity.rolemgmt.vo.RoleCategory;
import oracle.iam.identity.rolemgmt.vo.RoleManagerResult;
import oracle.iam.platform.OIMClient;

public class CreateRoleCategory {

 private static final String OIM_URL = "t3s://<>:14001";
 private static final String AUTH_CONF = "<< Path of authwl.conf File >>";
 private static final String OIM_USERNAME = "<< UserID >>";
 private static final String OIM_PASSWORD = "<< Password >>";
 private static OIMClient oimClient = null;
 Hashtable env = new Hashtable();

 public CreateRoleCategory() {
  try {
   env.put(OIMClient.JAVA_NAMING_FACTORY_INITIAL,
     "weblogic.jndi.WLInitialContextFactory");
   env.put(OIMClient.JAVA_NAMING_PROVIDER_URL, OIM_URL);
   System.setProperty("java.security.auth.login.config", AUTH_CONF);
   System.setProperty("OIM.AppServerType", "wls");
   System.setProperty("APPSERVER_TYPE", "wls");
   oimClient = new OIMClient(env);
   oimClient.login(OIM_USERNAME, OIM_PASSWORD.toCharArray());
  } catch (Exception e) {
   e.printStackTrace();
  }
 }

 public void createCategory(String categoryName, String categoryDescription) {
  try {
   RoleCategoryManager rmgr = oimClient.getService(RoleCategoryManager.class);
   RoleCategory rcategory = new RoleCategory(categoryName);
   rcategory.setDescription(categoryDescription);
   rcategory.setName(categoryName);
   RoleManagerResult result = rmgr.create(rcategory);   System.out.println(" Role Category " + categoryName + " Status " + result.getStatus());
  }catch(Exception e) {
   e.printStackTrace();
  }
 }

 public  static void main(String args[]) {
  try {
   CreateRoleCategory obj = new CreateRoleCategory();
   obj.createCategory("CategoryName","CategoryDescription");
  }catch(Exception e) {
   e.printStackTrace();
  }
 }
}

References:

http://docs.oracle.com/cd/E17904_01/apirefs.1111/e17334/toc.htm

Oracle Identity Manager 11gR2PS1 (11.1.2.1) Database Schema Documentation

Here is the Doc ID to find the Oracle Identity Manager 11gR2PS1 (11.1.2.1) Database Schema Documentation

Doc ID 1541858.1

OIM11g: Searching & retrieve Authorization Policy Data using APIs

Here is the sample code to search and retrieve "Role Management" type Authorization Policy Data:

import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import oracle.iam.authzpolicydefn.api.Action;
import oracle.iam.authzpolicydefn.api.AuthzPolicyConstants.AuthzPolicyAttributes;
import oracle.iam.authzpolicydefn.api.Feature;
import oracle.iam.authzpolicydefn.api.PolicyDefinitionService;
import oracle.iam.authzpolicydefn.vo.AuthzPolicy;
import oracle.iam.authzpolicydefn.vo.RoleDataConstraint;
import oracle.iam.identity.vo.Identity;
import oracle.iam.platform.OIMClient;
import oracle.iam.platform.entitymgr.vo.SearchCriteria;

 public void getPolicyDetails(String policyName) {
  try {
   PolicyDefinitionService policyService = oimClient.getService(PolicyDefinitionService.class);
   SearchCriteria criteria = new SearchCriteria(AuthzPolicyAttributes.NAME.getId(),policyName,SearchCriteria.Operator.EQUAL);
   List policies = policyService.search(criteria);
   for (AuthzPolicy policy : policies) {

// Returns Display Name of Policy
    System.out.println(" Policy Name : " + policy.getDisplayName()); 

//Returns Description of the Policy
    System.out.println(" Description : " + policy.getDescription());   

//Returns the Enabled Permissions
    List actions = policy.getActions();
    for(Action action: actions) {
     System.out.println(action.getDisplayName());
    }
  
    //Returns Type of Policy i.e., Role Management
    Feature features = policy.getFeature();
    System.out.println(" Entity Name : " + features.getDisplayName());
  
    //Returns the Assignment i.e., roles that are added to the Policy
    ArrayList userList = policy.getRoleAssignees();
  for(Identity id: userList) {
   System.out.println(" Assign by Role : " + id.getAttribute("Role Name"));
  }

// Data Constraints i.e., Returns the Role Name attached with Policy
 RoleDataConstraint rDataConstraint = (RoleDataConstraint) policy.getDataSecurity();
 ArrayList roles = rDataConstraint.getRoles();
 for(Identity role: roles) {
  System.out.println(role.getAttribute("Role Name"));
 }
}
}
  } catch (Exception e) {
   e.printStackTrace();
  }
 }
}

Note: The APIs used above are not documented by Oracle.

OIM11g PostProcess EventHandler on RoleMembership

Below is the PostProcess Event Handler that I wrote to update a Custom UDF in OIM with the list of Roles assigned to the user (seperate by delimiter ','). This EventHandler is triggered every time a role is assigned/revoked to the user. The EventHandler for entity-type='RoleUser' actually calls the BulkEventResult execute() method, not the EventResult execute() method [ Oracle Doc ID: 1461252.1 ].


package oracle.oim.extensions.postprocess;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.io.Serializable;
import Thor.API.tcResultSet;
import Thor.API.Operations.tcLookupOperationsIntf;
import oracle.iam.identity.rolemgmt.api.RoleManager;
import oracle.iam.identity.rolemgmt.vo.Role;
import oracle.iam.identity.usermgmt.api.UserManager;
import oracle.iam.identity.usermgmt.vo.User;
import oracle.iam.identity.usermgmt.vo.UserManagerResult;
import oracle.iam.platform.Platform;
import oracle.iam.platform.kernel.spi.PostProcessHandler;
import oracle.iam.platform.kernel.vo.AbstractGenericOrchestration;
import oracle.iam.platform.kernel.vo.BulkEventResult;
import oracle.iam.platform.kernel.vo.BulkOrchestration;
import oracle.iam.platform.kernel.vo.EventResult;
import oracle.iam.platform.kernel.vo.Orchestration;
import oracle.iam.platform.entitymgr.vo.SearchCriteria;

public class RoleProcessor implements PostProcessHandler {

 private static final String LOOKUP_COLUMN_DECODE = "Lookup Definition.Lookup Code Information.Decode";

 public BulkEventResult execute(long processId, long eventId,
   BulkOrchestration orchestration) {
  // TODO Auto-generated method stub
  try {
   String userKey = null;
   String operation = orchestration.getOperation().trim().toString();
   System.out.println("<---------- br="" bulkeventresult="">     + getClass().getName() + ": Operation[" + operation + "] Execute ---------->");
   HashMap[] bulkParameters = orchestration
     .getBulkParameters();
   for (int j = 0; j < bulkParameters.length; j++) {
    Set set = bulkParameters[j].keySet();
    Iterator itr = set.iterator();
    while (itr.hasNext()) {
     String key = itr.next().toString();
     if ("userKeys".equalsIgnoreCase(key)) {
     //Value of UserKey comes as [6088]. So below is the regex to replace special character from the Userkey.
      // Regular Expression to replace Special Character '[' & ']' from the UserKey
       userKey = bulkParameters[j].get(key).toString().replaceAll("[\\[\\]]", "");
       System.out.println("userKey ->" + userKey);
     }
    }
   }
  
   // Get List of  Roles to be Filtered
   HashSet removeRoles = readLookup();

   // Find List of Roles assigned to the user in OIM
   StringBuffer stringBuffer = new StringBuffer();
   RoleManager rolemanager = Platform.getService(RoleManager.class);
   List groupList = rolemanager
     .getUserMemberships(userKey, true);
   HashSet roleList = new HashSet();
   for (Role role : groupList) {
    String roleName = role.getAttribute("Role Name").toString();
    System.out.println("RoleName :" + roleName);
    roleList.add(roleName);
   }

  
   // Remove Roles like "ALL Users" and other default roles that are assigned to users. Requirement was to store only business/functional/applciation specific roles in Custom UDF.
   roleList.removeAll(removeRoles);
  
   Iterator iterator = roleList.iterator();
   String role = null;
   System.out.println("Role To Be Assigned Count is: " + roleList.size());
   int counter = 1;
   while (iterator.hasNext()) {
    role = iterator.next().toString();
    stringBuffer.append(role);
    if (counter != roleList.size()) {
     stringBuffer.append(",");
    }
    counter++;
   }
   String RoleList = stringBuffer.toString();
   System.out.println("Role List: " + RoleList );

   // Updating UDF
   HashMap mapAttrs = new HashMap();
   mapAttrs.put("Role List", RoleList);
   executeEvent(bulkParameters, orchestration.getTarget().getType(),
     userKey, RoleList);
  } catch (Exception e) {
   e.printStackTrace();
  }
  return new BulkEventResult();
 }


 public HashSet readLookup() {
 
  System.out.println("Reading Lookup");
  String lookupDecode = "Lookup.RoleProcessor.IgnoreRole";
  HashSet filterRoles = new HashSet();
  try {
  //Read Lookup to Find FilteredRoles
  tcLookupOperationsIntf lookupOps = Platform.getService(tcLookupOperationsIntf.class);
  tcResultSet lookupResultSet = lookupOps.getLookupValues(lookupDecode);
  for (int i = 0; i < lookupResultSet.getRowCount(); i++) {
   lookupResultSet.goToRow(i);
   String decode = lookupResultSet.getStringValue(
     LOOKUP_COLUMN_DECODE).trim();
   filterRoles.add(decode);
  }
  }catch(Exception e) {
   e.printStackTrace();
  }
  return filterRoles;
 }
 private void executeEvent(HashMap[] parameterHashMap, String targetType,
   String userKey, String RoleList) {
  try {
   System.out.println("Inside executeEvent () ");
   System.out.println("userKey " + userKey);
   System.out.println("Role List for UDF: " + RoleList);
   HashMap mapAttrs = new HashMap();
   mapAttrs.put("Role List", RoleList);

  // Finding User Login using usr_key as UserManager modify() expect User Login Name as one of the input parameters
   String username = null;
   UserManager userService = Platform.getService(UserManager.class);
   SearchCriteria criteria = new SearchCriteria("usr_key", userKey,
     SearchCriteria.Operator.EQUAL);
   Set attrNames = null;
   HashMap parameters = null;
   HashMap attributes = null;
   attrNames = new HashSet();
   attrNames.add("User Login");
   List users = null;
   //Set keys = null;
   users = userService.search(criteria, attrNames, parameters);
            System.out.println("Searching User_Login  based on USR_KEY");
  
   if (users != null && !users.isEmpty()) {
    System.out.println("search results, quantity=" + users.size());
    for (User user : users) {
     attributes = user.getAttributes();
     //keys = attributes.keySet();
     username = attributes.get("User Login").toString();
     System.out.println("User Login " + username);
    }
   }
  
   System.out.println("Updating UDF using UserManager");
   User user = null;
   user = new User(username,mapAttrs);
   UserManagerResult result = userService.modify("User Login",username,user);
            System.out.println( "Modification Status " + result.getStatus());
  
  } catch (Exception e) {
   System.out.println(e.getMessage());
   e.printStackTrace();
  }
 }
 @Override
 public void initialize(HashMap arg0) {
  // TODO Auto-generated method stub
  System.out
    .println("Initialize  RoleProcessor OIM PostProcess EventHandler");
 }
 @Override
 public boolean cancel(long arg0, long arg1,
   AbstractGenericOrchestration arg2) {
  System.out.println("Inside  cancel() method");
  // TODO Auto-generated method stub
  return false;
 }
 @Override
 public void compensate(long arg0, long arg1,
   AbstractGenericOrchestration arg2) {
  System.out.println("Inside  compensate() method");
  // TODO Auto-generated method stub
 }
 @Override
 public EventResult execute(long arg0, long arg1, Orchestration arg2) {
  // TODO Auto-generated method stub
  System.out.println("Inside EventResult execute ");
  return null;
 }
}

Note: This blog is just for my record keeping and contains my views/experience but if it helps someone, then I will be very glad.