Failed to log in OEM Cloud Control with Correct Username (sysman) and Password

In the past years, I experienced the log in issue with Oracle Enterprise Manager Cloud Control couple of times. For sure I went with correct user name (sysman) with correct password, but still get error message below.

“Authentication failed. If problem persists, contact your system administrator”

The default admin user of OEM Cloud Control is sysman, which is user of OEM repository database. Just simply log in to database as sysman with password via sql*plus, you’ll know if username and password are correct. In my case, I can log in to database via sql*plus with no issue. That meant the password to sysman is correct.

Oracle article DOC ID 1493151.1,“EM 12c, EM 13c: Login to Enterprise Manager Cloud Control with the Correct Password Fails with Error: Authentication failed. If problem persists, contact your system administrator” gives SYMPTOMS,CAUSE, and SOLUTION.


Error logged in the <gc_inst>/em/EMGC_OMS1/sysman/log/emoms.trc file:

2012-09-21 10:26:14,290 [[ACTIVE] ExecuteThread: ‘5’ for queue: ‘weblogic.kernel.Default (self-tuning)’] ERROR audit.AuditLogHandler auditLog.381 – Could not log the audit record java.sql.SQLException: ORA-14400: inserted partition key does not map to any partition
ORA-06512: at “SYSMAN.MGMT_AUDIT”, line 873
ORA-06512: at “SYSMAN.MGMT_AUDIT”, line 402
ORA-06512: at line 1


2013-12-17 12:24:49,205 [[ACTIVE] ExecuteThread: ‘0’ for queue: ‘weblogic.kernel.Default (self-tuning)’] DEBUG auth.EMLoginService _performLogin.825 – Error
java.sql.SQLException: ORA-04063: package body “SYSMAN.MGMT_AUDIT_ADMIN” has errors
ORA-06508: PL/SQL: could not find program unit being called: “SYSMAN.MGMT_AUDIT_ADMIN”
ORA-06512: at “SYSMAN.MGMT_AUDIT”, line 143
ORA-06512: at “SYSMAN.EM_USER_MODEL_UI”, line 1521
ORA-04063: package body “SYSMAN.MGMT_AUDIT_ADMIN” has errors
ORA-06508: PL/SQL: could not find program unit being called: “SYSMAN.MGMT_AUDIT_ADMIN”
ORA-06512: at line 1


The console login creates an audit entry in the EM related audit table. If this audit entry is not successful for some reason, then the console login will fail.

Case 1:

Issue was investigated in the below bugs:


It was identified that a recent upgrade / maintenance activity (for example: patching or plugin upgrade) was performed on the setup, which had set the job_queue_processes initialization parameter to 0 in the EM repository database. This had prevent the execution of the DBMS_JOBS responsible for maintenance of the repository. Console login needs to create an entry into the Audit tables but the necessary partitions had not been created for this table.

Case 2:

There is resource issue at the repository database, for example ORA-4031 or ORA-01658 due to insert into the the audit table fails.

Case 3:

The Audit related objects were invalid in the repository database.


Our issue is Case 1.

If an upgrade / maintenance activity (for example: patching or plugin upgrade) was performed recently, the job_queue_processes initialization parameter could be still set to 0 and not reset to the original value. This would prevent the DBMS Scheduler jobs related to the repository from getting executed correctly due to which the new partitions for the Audit tables entries are not created.

1. Login to the database as a SYSDBA user and set the job_queue_processes initialization parameter to a value of 20:

SQL> ALTER SYSTEM SET job_queue_processes=20 SCOPE=BOTH SID=’*’;

2. If the job_queue_processes value is already set, verify that this set to 20 or more.
    Verify that the DBMS scheduler jobs of the repository are running fine using the steps in:

Note 1470166.1 : 12c DBMS Jobs in Invalid Schedule Status in the Console Page

3. Execute the following queries in repository DB as SYSMAN user:

SQL> update mgmt_audit_master set prepopulate_days=5 where prepopulate_days is null;
SQL> exec mgmt_audit_admin.add_audit_partition;

4. Restart the OMS:

cd <OMS_HOME>/bin
./emctl stop oms -all
./emctl start oms

Note: After I figured out this issue the first time I experienced, I just simply run command exec mgmt_audit_admin.add_audit_partition; when it happened again.

Posted in My Reference | Tagged , | Leave a comment

Ellucian Identity Service (Part 7)-Banner 8 INB/SSB Single SIgn On with BEIS SSO Manager

My prior series talks about how to establish Single Sign On environment for Banner XE modules by using Ellucian Identity Service. In Banner 8, we need to add one more component on top of EIS to implement Single Sign On. That’s SSO Manager of Banner Enterprise Identity Service (BEIS).

SSO Manager is one of modules of BEIS and it’s based on Oracle Weblogic Server. The basic steps are listed below.

  1. Oracle Weblogic Server (WLS) installation
  2. Create basic domain and Install admin server
  3. Start basic domain
  4. Create machine definition
  5. Start and Stop weblogic node manager
  6. Create managed server for SSO Manager
  7. Deploy SSO Manager
  8. Create EIS service provider
  9. Configure Banner 8 INB/SSB for EIS
  10. Add LDAP users to banner table GOBUMAP for single sign on

The first two steps are very generic and the good source is “Oracle WebLogic Server (WLS) 11gR1 (10.3.5 and 10.3.6) Installation on Oracle Linux 5 and 6pdf.

Once the oracle weblogic server and admin server are installed (Step 1 and 2), the next step is to start basic domain (Step 3).

1.On the server where oracle weblogic server is installed, set two environment parameters


2.Start the domain’s Admin Server interactively


3.create new file $DOMAIN_HOME/servers/AdminServer/security/ and input username weblogic with password like


4.Start Admin Server

   nohup $DOMAIN_HOME/ > startWebLogic.log 2>&1 &

5.Wait 60 seconds, then test the WebLogic Console’s URL


6.Login to the console using “weblogic” and password

Step 4. Create machine definition

In the base domain panel, go to Environment –> Machine, and accept all defaults to create new machine.


Step 5. Start and Stop weblogic node manager

1.Start Node Manager

nohup $WL_HOME/server/bin/ > startNodeManager.log 2>&1 &

2.Check the NodeManger’s availability within WebLogic Console

In the base domain panel, go to Environment -> Machine -> ‘Click on ssomanager (machine)’ -> Monitoring -> Node Manager Status
The proper Status should be ‘Reachable’

3.In the shell session, Stop Node Manager and check that it is stopped:

pkill -f weblogic.NodeManager
pgrep -f weblogic.NodeManager


Step 6. Create Managed Server for SSO Manager

In the base domain panel, go to Environment –> Servers –> Create new Server called ssomanager.


Select the Name (ssomanager) in the ‘Server Start’ tab, Click in the Arguments box and make proper setting for your environment.

in SSL tab –> Advance, and make sure the check box of “Use JSSE SSL” box is checked.

Step 7. Deploy SSO Manager

1. download sso-manager-weblogic-installer.jar from ellucian website

2. create new user ssomgr and new tablespace ssomgr_tbls by using provided script ssomgr_user.sql

3. before running automated installer to generate ear file, data sources to target banner 8 database are required to be created. Otherwise, the sso manager can not be deployed on weblogic .




4. run command:  $ java -jar sso-manager-weblogic-installer.jar
Loading self extractor…

Note: Above command requires X windows to generate ear file. Please refer to Windows and X11 forwarding with Xming on Unix/Linux

5. follow steps below to generate sso_manager ear file














6. deploy sso_manager.ear on base domain created earlier






7. start sso-manager and it should be ‘Active’


8. Also, make sure jass.conf file existing in the following folder $BASE_DOMAIN/config/security. if it is not in there, create one with followings.

myrealm {



Step 8. Create EIS service provider

create service provider for Banner 8 INB and SSB similarly (refer to post Ellucian Identity Service (Part 5) – EIS Configuration for Banner XE SSO).

once created, go to ‘Edit” –> “Inbound Authentication Configuration”-> “CAS Configuration”, define “Service URL” for Banner 8 INB and SSB like below.



Step 9. Configure Banner 8 INB/SSB for EIS

once deployed you should be able to connect to SSOManager with URL http://weblogic-server:8890/ssomanager and you need to do configuration as below.



Additionally, more configuration need to be done for INB and SSB, respectively.

INB Configuration for EIS

1. Locate the file ssoclient.jar, that was created correctly during the BEIS – SSOMANAGER installation. For example, /oracle/Middleware/BEIS-Deployables/ssoclient.jar

2. Copy the file ssoclient.jar into ORACLE_HOME/forms/java on the INB WebLogic/OFM server

Login to oracle forms admin Console, Open the Forms Folder and Click on Forms, Click on Environment Configuration.


Locate the active ENV setting,   Show = “baxe.env”
add highlighted file to
CLASSPATH = C:\Oracle\Middleware\as_1\forms\j2ee\frmsrv.jar;
Click Apply

Click “Forms”, Click “Web Configuration”, Locate the INB Web Configuration “baxe, Show = advanced, Click “Override” tab, Locate parameter
otherparams = obr=%obr% record=%record% tracegroup=%tracegroup% log=%log% term=%term% ssoProxyConnect=%ssoProxyConnect%
Change to
otherparams = obr=%obr% record=%record% tracegroup=%tracegroup% log=%log% term=%term% ssoProxyConnect=%ssoProxyConnect% iamticket=%iamticket%
Click Apply



SSB Configuration for EIS

Login to SSB as a Web Tailor admin account, From the Web Tailor Menu, select Web Tailor Parameters. To find which user is assigned the web tailor administrator role, refer to


Change these settings
IDMLOGINURI         = https://eis-server:9443/cas/login
IDMLOGOUTURI        = https://eis-server.9443/cas/logout
IDMTIMEOUT         = 0
IDMSSO         = Y
IDMCOOKIEPATH         =  /

Step 10. Add LDAP users to banner table GOBUMAP for single sign on

Depending on how the $EIS_HOME/repository/conf/user-mgt.xml LDAP file is configured to search for users when a user logs in, in our case, EIS is configured to search for users via the “sAMAccountName” attribute.

As Banner SSB and INB are two different systems, separate users need to be created for Banner INB  access. Unlike Banner SSB, Banner INB uses Oracle users.

The good thing is that, in our system, ad account and oracle users are same. So we can easily add it to banner table GOBUMAP. For Banner SSB, the banner id (for example 300011111) is “sAMAccountName” in ad. That means adding it to banner table GOBUMAP works to Banner SSB.


At time of writing, that’s the only place for us to do in banner database to implement single sign on for Banner 8 INB/SSB and Banner xe.

Posted in Ellucian | Tagged , , | 4 Comments

Ellucian Identify Service (Part 6)–Banner XE Configuration for Single Sign On with EIS

The Steps below outline implementing this with the Banner XE StudentClassSchedule module. The steps would be similar for other Banner XE modules.

Step 1.

Edit the file $TOMCAT_HOME/ban9temp/banner_test_homes/StudentClassSchedule/current/instance/ config/StudentClassSchedule_configuration.groovy

Locate this
banner {
sso {
authenticationProvider           = ‘default’ //  Valid values are: ‘default’, ‘cas’
authenticationAssertionAttribute = ‘UDC_IDENTIFIER’

Change to

banner {
sso {
authenticationProvider           = ‘cas’ //  Valid values are: ‘default’, ‘cas’
authenticationAssertionAttribute = ‘UDC_IDENTIFIER’

Step 2.

Edit the same file
$TOMCAT_HOME/ban9temp/banner_test_homes/StudentClassSchedule/current/instance/ config/StudentClassSchedule_configuration.groovy
Locate this and change the highlighted items with proper EIS server name, banner xe app host, bannxe xe app name, and port number.

grails {
plugins {
springsecurity {
cas {
serverUrlPrefix  = http://CAS_HOST:PORT/cas’
serviceUrl       = http://BANNER9_HOST:PORT/APP_NAME/j_spring_cas_security_check’
serverName       =http://BANNER9_HOST:PORT’
proxyCallbackUrl = http://BANNER9_HOST:PORT/APP_NAME/secure/receptor’
loginUri         = ‘/login’
sendRenew        = false
proxyReceptorUrl = ‘/secure/receptor’
useSingleSignout = true
key = ‘grails-spring-security-cas’
artifactParameter = ‘ticket’
serviceParameter = ‘service’
filterProcessesUrl = ‘/j_spring_cas_security_check’
logout {
afterLogoutUrl    = https://cas-server/logout?url=http://myportal/main_page.html’

Step 3.

Recreate WAR file and redeploy it in Tomcat

change directory to  $TOMCAT_HOME/ban9temp/banner_test_homes/StudentClassSchedule/current/installer

Recreate WAR file  ant bin\systool war

Copy regenerated WAR to $TOMCAT_HOME/webapps

cp $TOMCAT_HOME/ban9temp/banner_test_homes/StudentClassSchedule/current/dist/   StudentClassSchedule-9.3.war $TOMCAT_HOME/webapps

Step 4.

once it’s deployed, confirm the access to it via browser

Step 5.

EIS service provider for this Banner XE module is created already in prior post Ellucian Identity Service (Part 5) – EIS Configuration for Banner XE SSO.

Step 6.

It should log you into the XE StudentClassSchedule using the LDAP credentials Click “Sign Out” and it should log you out of Banner XE StudentClassSchedule and redirect the browser to your defined portal URL.

Posted in Ellucian | Tagged , | 2 Comments

Ellucian Identity Service (Part 5) – EIS Configuration for Banner XE SSO

In the first four parts of this series, I talked about installation, preparation, troubleshooting and dealing with LDAP of Ellucian Identity Service. Upon this point, EIS is ready for further configuration to provide Single Sign On for Banner XE modules along with Banner 8 INB/SSB (requires SSO Manager of Banner Enterprise Identity Service).

Configuration the UDC_IDENTIFIER Claim

A UDC_IDENTIFIER claim dialect needs to be created in the EIS Admin Console for a local claim mapping. This UDCID claim will map to the “cn” LDAP attribute, which will contain the user’s UDC_IDENTIFIER from Banner.

1. Navigate to the EIS Admin Console (ex. http(s)://<host>:<port>/carbon)

2. On the EIS Admin Console, select Configure > Claim Management >


3. On the page, select “Add New Claim Mapping”

4. Configure the new claim mapping, as follows:


5. Verify that the claim has been added on the “Available Claims for” page within Home > Configure > Claim Management >

Once the UDC_IDENTIFIER claim is created, we can start to configure the integration between EIS identity provider and the Banner XE modules via CAS single sign on standard.

EIS Service Provider Configuration

The first step is to create a service provider to represent Banner XE module in EIS.

1. Create a Service Provider in EIS for Application Navigator:


2. On the EIS Management Console, Navigate to Main > Service Provider List > then select the newly registered “Banner XE StudentClassSchedule” service provider and click “Edit” link.

3. Click on the “Claim Configuration” drop down and configure the claims as follows in order to map a Banner user’s UDCID from the EIS LDAP user store to Banner XE modules. Also, configure the Inbound Authentication for CAS Configuration. The service URL here is the URL itself of Banner XE module.


Posted in Ellucian | Tagged , | Leave a comment

Ellucian Identity Service (Part 4) – Dealing with LDAP

The proper configuration on EIS side to connect LDAP overwrites the EIS admin console credential, which means default account “admin”  won’t work. Instead, LDAP account defined in $EIS_HOME/repository/conf/user-mgt.xml is the one to log in EIS admin console. For instance, I simply replaced with my ad account “wangr”. The password change is not required as ad account password will be used.


This is the change you need to do to have ad account as admin. This adding can’t be applied by using “ant config-all-xml” commands described in my prior post “Ellucian Identify Server (Part 2) – Preparation”, it need to be changed manually.

Also, if the LDAP setting the only one need to be changes, it’s no need to reapply all properties from $EIS_HOME/config/  One option is to update directly in $EIS_HOME/repository/conf/user-mgt.xml. Doing that means setting in $EIS_HOME/config/ is not updated one.


As “Single Sign On” usually works for multiple applications, EIS needs to deal with distinct user groups  in LDAP. For instance, in our organization, ad accounts for employees and students are using different types of account. Thus, that requires proper setting for listed three property names below:

  • UserSearchBase
  • UserNameSearchFilter
  • UserNameAttribute

One more thing is that if you are using ldaps (secured) to connect to the Active Directory, you need to import the certificate of Active Directory to the client-truststore.jks of the WSO2 product. More details can be found at my prior post “Ellucian Identity Service (Part 2) – Preparation”.

Posted in Ellucian | Tagged , | Leave a comment