After I configured WNA with WebLogic/OAM and successfully tested it with a WNA-enabled browser, I found that when a user tried to log in with a browser that did not support WNA, he got two login screens, one for OAM11g and one for WebLogic. It appears that with the fallback login, the basic authentication scheme is used. This scheme is checked by OAM, but there is a second check by default, performed by WebLogic. If your user is not a WebLogic user, authentication will fail.
I found that a setting must be added in config.xml in the security-settings section:
If it is not there, it defaults to TRUE.
In WebLogic 11g, the admin server port (default 7001) can be changed from the EM console. No restarts are necessary.
==> Correction: it may be necessary to restart the admin server. I have had cases where one did not need to, and cases where a restart had to be done.
After changing the admin server port, all managed servers can still be started from the console. Starting managed servers with the startManagedWebLogic.sh script fails, however. This is caused by the definition of the admin server URL in the startManagedWebLogic.sh script. Change it in the line:
If a scheduled job via dbms_job won’t start, although job_queue_processes > 0:
1: kill the ora-cjq0-[SID] process on the OS
2: change job_queue_processes to 0 and back to 10 (or other value)
The ora-cjq0 process will restart to serve dbms_jobs
It is possible to change the OID ports from the Enterprise Manager console. Unfortunately, after changing the ports, EM will not be able to change server properties like ports (!).
After changing the ports, an OPMN command must be run to update EM with the right settings:
$ORACLE_INSTANCE/bin/opmnctl updatecomponentregistration -componentType OID -componentName oid1 -adminHost myoidhostname -adminPort 7001 -adminUsername weblogic -Port 3060 -Sport 3131
(change the parameters to suit your environment and restart OPMN)
If you are using DIP (Directory Integration Platform) as well, you will have to change the (SSL) port accordingly in …../config/fmwconfig/servers/wls_ods1/applications/DIP_22.214.171.124.0/configuration/dip-config.xml
It took some time for me to find out how to debug the Oracle Internet Directory plug-in for Active Directory (oidexplg). Finally found this:
To debug operations for oidexplg.jar, use the following ldif file:
#-----------end of debugon.ldif-----------
and use ldapmodify -f <this file> to set the debug flags.
Note: your instance name may differ from the one used here (oid1)
orcldebugflag value =
1 Signature (Heavy Trace Debugging in 10.1.X) +
134217728 (PlugIn Internal) + 268435456 (PlugIn External)
orcldebugop value =
1 (ldapbind) + 64 (ldapcompare)
Debug info is in file(s) oidldapd01s*.log
For less intensive logging use 64 instead of 65 (a lot of binds are logged)
Actually, the same values go for OID 11g!
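The orcldebugflag and orcldebugop values above are bit masks added together. As an added example (not part of the original post and not Oracle tooling), this Python helper composes and decodes them using only the bit values listed in this post; the function names are my own, and any bit not listed here is reported as leftover rather than interpreted.

```python
# Bit values exactly as listed in the post; nothing else is assumed about OID.
DEBUG_FLAG_BITS = {
    1: "Heavy Trace Debugging",
    134217728: "PlugIn Internal",
    268435456: "PlugIn External",
}
DEBUG_OP_BITS = {
    1: "ldapbind",
    64: "ldapcompare",
}


def compose(names, table):
    """OR together the bits for the given names; reject names not in the table."""
    by_name = {name: bit for bit, name in table.items()}
    mask = 0
    for name in names:
        if name not in by_name:
            raise ValueError(f"not listed in the post: {name!r}")
        mask |= by_name[name]
    return mask


def decode(mask, table):
    """Return (names of set bits listed in the post, leftover bits not listed)."""
    if mask < 0:
        raise ValueError("debug values are non-negative bit masks")
    names = [name for bit, name in sorted(table.items()) if mask & bit]
    leftover = mask
    for bit in table:
        leftover &= ~bit
    return names, leftover


def review(flag, op):
    """Summarise a flag/op pair and note what an operator should double-check."""
    flag_names, flag_rest = decode(flag, DEBUG_FLAG_BITS)
    op_names, op_rest = decode(op, DEBUG_OP_BITS)
    notes = []
    if "ldapbind" in op_names:
        notes.append("binds are traced: expect heavy logging, 64 is the lighter setting")
    if flag_rest or op_rest:
        notes.append(f"bits not described in the post: flag={flag_rest} op={op_rest}")
    return {"flag": flag_names, "op": op_names, "notes": notes}


if __name__ == "__main__":
    full_flag = compose(DEBUG_FLAG_BITS.values(), DEBUG_FLAG_BITS)
    print(full_flag, review(full_flag, 65))
    print(review(full_flag, 64))
```

Running it on the values currently set in the directory shows at a glance whether bind tracing is still switched on after a debugging session.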