This chapter describes how to install and configure Oracle Access Manager 11.1.1 for use in the Oracle Identity Management enterprise deployment.
This chapter includes the following topics:
Section 11.1, "Introduction to Installing Oracle Access Manager"
Section 11.3, "Configuring Oracle Access Manager on IDMHOST1"
Section 11.5, "Configuring Oracle Access Manager to work with the Oracle Web Tier"
Section 11.7, "Configuring Oracle Access Manager to use an External LDAP store"
Oracle Access Manager allows your users to seamlessly gain access to web applications and other IT resources across your enterprise. It provides a centralized and automated single sign-on (SSO) solution, which includes an extensible set of authentication methods and the ability to define workflows around them. It also contains an authorization engine, which grants or denies access to particular resources based on properties of the user requesting access as well as based on the environment from which the request is made. Comprehensive policy management, auditing, and integration with other components of your IT infrastructure enrich this core functionality.
Oracle Access Manager consists of various components including Access Server, Identity Server, WebPass, Policy Manager, WebGates, AccessGates, and Access SDK. The Access Server and Identity Server are the server components necessary to serve user requests for access to enterprise resources. Policy Manager and WebPass are the administrative consoles to the Access Server and Identity Server respectively. WebGates are web server agents that act as the actual enforcement points for Oracle Access Manager while AccessGates are the application server agents. Finally, the Access SDK is a toolkit provided for users to create their own WebGate or AccessGate should the out-of-the-box solutions be insufficient. Follow the instructions in this chapter and Chapter 19, "Configuring Single Sign-on for Administration Consoles" to install and configure the Oracle Access Manager components necessary for your enterprise deployment.
For more information about Oracle Access Manager 11.1.1 and its various components, refer to the "Road Map to Manuals" section in the Oracle Access Manager Introduction manual, which includes a description of each manual in the Oracle Access Manager 11.1.1 documentation set.
The enterprise deployment described in this guide shows Oracle Access Manager using Oracle Internet Directory as the only LDAP repository. Oracle Access Manager uses a single LDAP for policy and configuration data. It is possible to configure another LDAP as the identity store where users, organizations and groups reside. For example, an Oracle Access Manager instance may use Oracle Internet Directory as its policy and configuration store and point to an instance of Microsoft Active Directory for users and groups.
In addition, the identity stores can potentially be front-ended by Oracle Virtual Directory to virtualize the data sources.
To learn more about the different types of directory configuration for Oracle Access Manager, consult the 11g Oracle Access Manager documentation at Oracle Technology Network. Customers considering these variations should adjust their directory tier and Oracle Access Manager deployment accordingly.
Before you configure Oracle Access Manager, ensure that the following tasks have been performed on IDMHOST1 and IDMHOST2:
Install Oracle WebLogic Server as described in Section 4.5.3.
Install Oracle Identity and Access Management Suite as described in Section 4.5.5.
Install Oracle Internet Directory as described in Section 7.1 and Section 7.2.
Install Oracle Virtual Directory as described in Chapter 8.
Start the configuration wizard by executing the command:
MW_HOME/oracle_common/common/bin/config.sh
Then proceed as follows:
On the Welcome screen, select Extend an Existing WebLogic Domain. Click Next.
On the Select a WebLogic Domain screen, using the navigator, select the domain home of the admin server, for example: ORACLE_BASE/admin/IDMDomain/aserver/IDMDomain.
Click Next
On the Select Extension Source screen, select Oracle Access Manager with Database Policy Store.
Click Next
The Configure RAC Multi Datasources screen shows the Multi Datasources if you have Oracle Directory Integration Platform or ODSM configured in your domain. Do not make any changes.
Click Next.
On the Configure JDBC Data Sources screen select the datasource OAM Infrastructure.
Select Configure selected data sources as RAC multi data sources in the next panel.
Click Next.
On the Configure RAC Multi Data Sources Screen:
Service Name: Service name of the database that contains the OAM repository (idmedg.mycompany.com)
User Name: EDG_OAM
Password: Password for user EDG_OAM
In the top right box, click Add to add the second RAC node.
Host Name: INFRADBHOST1
Instance Name: idmdb1
Port: 1521
Click Add again to add the second database host:
Host Name: INFRADBHOST2
Instance Name: idmdb2
Port: 1521
Click Next.
On the Test Component Schema screen, the Wizard attempts to validate the data sources. If the data source validation succeeds, click Next. If it fails, click Previous, correct the problem, and try again.
On the Select Optional Configuration screen, select Managed Servers, Clusters and Machines.
Click Next
On the Configure Managed Servers screen, create one entry for each IDMHOST in the topology. To do this, click Add and supply the following information:
Name: WLS_OAMn where n is a sequential number.
Listen Address: The DNS name of the server that will host the managed server.
Listen Port: 14100
Note:
When you first enter this screen the config wizard will have created a default managed server for you.Change the details of the default managed server to reflect the details above. That is, change one entry and add one new entry.
Do not change the configuration of any managed servers which have already been configured as part of previous application deployments.
Leave all the other fields at the default settings. (If any Managed servers were defined during a previous installation, leave them as defined.)
Click Next.
On the Configure Clusters screen, create a cluster by clicking Add. Supply the following information:
Name: cluster_oam
Cluster Messaging Mode:unicast
Leave all other fields at the default settings and click Next.
On the Assign Servers to Clusters screen, associate the managed servers with the cluster. Click the cluster name in the right pane. Click the managed server under Servers, then click the arrow to assign it to the cluster.
The cluster_oam will have the managed servers WLS_OAM1 and WLS_OAM2.
Note:
Do not change the configuration of any clusters which have already been configured as part of previous application deployments.Click Next.
On the Configure Machines screen, create a machine for each host in the topology. Click on the tab UNIX if your hosts use Linux or a UNIX-based operating system. Otherwise, click on machines. Supply:
Name: The name of the host. Best practice is to use the DNS name. For example: idmhost1.mycompany.com and idmhost2.mycompany.com for the first and second nodes respectively.
Node Manager Listen Address: The DNS name of the machine. For example: idmhost1.mycompany.com and idmhost2.mycompany.com for the first and second nodes respectively.
Node Manager Port: A port for node manager to use.
If you have already configured Oracle Directory Integration Platform or ODSM, machines will already exist for those hosts.
Click Next.
On the Assign Servers to Machines screen, indicate which managed servers will run on each of the machines you created.
Click a machine in the right pane.
Click the managed servers you want to run on that machine in the left pane.
Click the arrow to assign the managed servers to the machines. Repeat until all managed servers are assigned to machines. For example:
IDMHOST1: WLS_OAM1
IDMHOST2: WLS_OAM2
Click Next to continue.
On the Configuration Summary screen, click Extend to extend the domain.
Note:
If you receive a warning that says:CFGFWK: Server listen ports in your domain configuration conflict with ports in use by active processes on this host
Click OK.
This warning appears if managed servers have been defined as part of previous installs and can safely be ignored.
Restart the Administration server as described in Section 18.1, "Starting and Stopping Oracle Identity Management Components."
Start Oracle Access Manager on IDMHOST1 by following the start procedures in Section 18.1, "Starting and Stopping Oracle Identity Management Components" for:
Admin Server (Restart if already running).
Node Manager (if it is not already started)
WebLogic Managed Server WLS_OAM1
To propagate the start scripts and classpath configuration from the Administration Server's domain directory to the managed server domain directory, proceed as follows:
Run the pack command on IDMHOST to create a template pack. Type the following commands:
IDMHOST1> cd MW_HOME/common/bin IDMHOST1> ./pack.sh -managed=true -domain=ORACLE_BASE/admin/IDMDomain/aserver/IDMDomain -template=idmdomaintemplate.jar -template_name=IDMDomain_Template
Run the unpack command on IDMHOST1 to unpack the propagated template to the domain directory of the managed server. Type the following command:
IDMHOST1> ./unpack.sh -domain=ORACLE_BASE/admin/IDMDomain/mserver/IDMDomain/ -template=idmdomaintemplate.jar -overwrite_domain=true -app_dir=ORACLE_BASE/admin/IDMDomain/mserver/applications
Restart managed server WLS_OAM1.
To remove the IDM Domain Agent, do the following:
Log in to the WebLogic console using the URL: http://admin.mycompany.com/console
Then:
Select Security Realms from the Domain Structure Menu
Click myrealm.
Click the Providers tab.
Click on Lock and Edit from the Change Center.
Select IDMDomainAgent from the list of authentication providers.
Click Delete.
Click Yes to confirm the deletion.
Click Activate Changes from the Change Center.
Restart the Adminisration server and ALL running managed servers, as described in Section 18.1, "Starting and Stopping Oracle Identity Management Components."
Once the configuration has succeeded on IDMHOST1, you can propagate the configuration to IDMHOST2. You do this by packing the domain on IDMHOST1, using the pack script, and unpacking it on IDMHOST2 using the unpack script. Both scripts reside in MW_HOME/oracle_common/common/bin.
Type:
pack.sh -domain=ORACLE_BASE/admin/IDMDomain/aserver/IDMDomain/ -template=/tmp/IDMDomain.jar -template_name="OAM Domain" -managed=true
This creates a file called IDMDomain.jar in the /tmp directory. Copy this file to IDMHOST2.
Unpack the file on IDMHOST2 by using the unpack utility:
./unpack.sh -domain=ORACLE_BASE/admin/IDMDomain/mserver/IDMDomain -template=MW_HOME/templates/IDMDomain.jar -overwrite_domain=true -app_dir=ORACLE_BASE/admin/IDMDomain/mserver/applications
Before you start managed servers using the console, you must update the node manager property file to include startScript=true. You do this by running the script:
MW_HOME/oracle_common/common/bin/setNMProps.sh
Start Oracle Access Manager on IDMHOST2 by following the start procedures in Section 18.1, "Starting and Stopping Oracle Identity Management Components" for:
Node Manager
WebLogic Managed Server WLS_OAM1
This section describes how to configure Oracle Access Manager to work with the Oracle Web Tier
Before proceeding, ensure that the following tasks have been performed:
Install Oracle Web Tier on WEBHOST1 and WEBHOST2.
Install and configure Oracle Access Manager on IDMHOST1 and IDMHOST2.
Configure the loadbalancer with a virtual hostname (sso.myconpany.com) pointing to the webservers on WEBHOST1 and WEBHOST2.
Configure the loadbalancer with a virtual hostname (admin.mycompany.com) pointing to webservers WEBHOST1 and WEBHOST2.
By default, Oracle Access Manager sends requests to the login page located on the local server. In an Enterprise deployment this needs to be changed so that login page requests are sent to the load balancer. Proceed as follows:
Log in to the OAM Console at: http://IDMHOST1.mycompany.com/oamconsole as the weblogic user.
Click the System Configuration tab.
Double click Server Instances.
Click SSO Engine tab.
Enter the following information:
OAM Server Host: sso.mycompany.com
OAM Server Port: 443
OAM Server Protocol: https
Click Apply.
Restart managed servers WLS_OAM1 and WLS_OAM2, as described in Section 18.1, "Starting and Stopping Oracle Identity Management Components."
On each of the web servers on WEBHOST1 and WEBHOST2 create a file called oam.conf in the directory ORACLE_INSTANCE/config/OHS/component/moduleconf.
This file must contain the following information:
<Location /oam>
SetHandler weblogic-handler
WebLogicCluster idmhost1.mycompany.com:14100,idmhost2.mycompany.com:14100
</Location>
On each of the web servers on WEBHOST1 and WEBHOST2, a file called admin.conf was created in the directory ORACLE_INSTANCE/config/OHS/component/moduleconf. (See Section 6.9, "Configuring Oracle HTTP Server for the Administration Server".) Edit this file and add the following lines within the virtual host definition:
<Location /oamconsole> SetHandler weblogic-handler WebLogicHost ADMINVHN WebLogicPort 7001 </Location>
After editing the file should look like:
NameVirtualHost *:80 <VirtualHost *:80> ServerName admin.mycompany.com:80 ServerAdmin you@your.address RewriteEngine On RewriteOptions inherit # Admin Server and EM <Location /console> SetHandler weblogic-handler WebLogicHost ADMINVHN WeblogicPort 7001 </Location> <Location /consolehelp> SetHandler weblogic-handler WebLogicHost ADMINVHN WeblogicPort 7001 </Location> <Location /em> SetHandler weblogic-handler WebLogicHost ADMINVHN WeblogicPort 7001 </Location> <Location /oamconsole> SetHandler weblogic-handler WebLogicHost ADMINVHN WebLogicPort 7001 </Location> </VirtualHost>
Restart the Oracle HTTP Server, as described in Section 18.1, "Starting and Stopping Oracle Identity Management Components."
Attempt to access the OAM application using the URL: https://mysso.mycompany.com:443/oam
The Oracle Access Manager screen will be displayed. A message saying Action Failed will appear on the screen. You can ignore the message because all we are testing is that the OAM server can be accessed via the Load Balancer.
In High Availability configurations, you must change the Request Cache type from BASIC to COOKIE. You change it by using wlst, as follows.
Set up the environment for wlst by running the command
DOMAIN_HOME/bin/setDomainEnv.sh
Start wlst by issuing the command:
ORACLE_HOME/common/bin/wlst.sh
Connect to your domain:
wls:/IDMDomain/serverConfig> connect()
Enter WebLogic Administration username and password.
Enter the URL for the WebLogic Administration Server in the format:
t3://IDMHOST1.mycompany.com:7001
Issue the command:
wls:/IDMDomain/serverConfig> configRequestCacheType(type="COOKIE")
Verify that the command has worked by issuing the command:
wls:/IDMDomain/serverConfig> displayRequestCacheType()
Exit WLS tool by issuing the command:
wls:/IDMDomain/serverConfig> exit()
Restart managed servers WLS_OAM1 and WLS_OAM2, as described in Section 18.1, "Starting and Stopping Oracle Identity Management Components."
By default, Oracle Access Manager uses its own in built-in LDAP server. In the architecture we are building we use Oracle Virtual Directory (in front of Oracle Internet Directory) as our directory store. We modify Oracle Access Manager to use this directory store by using the Oracle Access Manager Console.
Prior to performing this step, ensure that there is a group in your LDAP store for Oracle Access Manager administrators, such as OAMAdministrator, and that a user such as oamadmin exists in that group.
To do this create the following files:
dn: cn=oamadmin,cn=Users,dc=mycompany,dc=com cn: oamadmin sn: oamadmin description: oamadmin uid: oamadmin objectclass: top objectclass: person objectclass: organizationalPerson objectclass: inetorgperson objectclass: orcluser objectclass: orcluserV2 userpassword: mypasswd
dn: cn=OAMAdministrator,cn=Groups,dc=mycompany,dc=com cn: OAMAdministrator displayname: OAMAdministrator description: OAMAdministrator uniquemember: cn=oamadmin,cn=Users,dc=mycompany,dc=com objectclass: top objectclass: groupofuniquenames objectclass: orclgroup
Load the user and group into ldap using the following commands:
ldapadd -h myoid.myompany.com -p 389 -D cn="orcladmin" -q -c -v -f oam_user.ldif ldapadd -h myoid.mycompany.com -p 389 -D cn="orcladmin" -q -c -v -f oam_group.ldif
Note:
These steps must be performed from the LDAP server.Before starting the configuration backup the current configuration, so that should anything untoward happen the original configuration can be restored.
To achieve this, make a copy of the files oam-config.xml and oam-policy.xml. These files are located in the directory: DOMAIN_HOME/config/fmwconfig.
Go to the Oracle Access Manager console at the URL: http://adminvhn.mycompany.com:7001/oamconsole
Log in using the WebLogic administration user.
Click Add User Identity Store.
Name: LDAP_DIR
Ldap Provider: OVD
LDAP URL: ldap://ovd.mycompany.com:389
Principal: cn=orcladmin
Credential: orcladmin password
User Search Base: cn=Users,dc=mycompany,dc=com
Group Search Base: cn=Groups,dc=mycompany,dc=com
User Name Attribute: uid
OAM Administrator's Role: OAMAdministrator
Click Apply.
Click Test Connection to Validate the connection to the LDAP server.
Now that you have defined the LDAP identity store, you must set it as the primary authentication store. You do this by using the Oracle Access Manager console, as follows:
Click the System Configuration Tab
Select Data Sources - User Identity Stores from the navigation pane.
Click LDAP_DIR
Select Open from the Actions menu.
Click Set as Primary
Test the connection by clicking Test Connection
Restart the managed servers Admin Server, WLS_OAM1 and WLS_OAM2, as described in Section 18.1, "Starting and Stopping Oracle Identity Management Components."
Out of the box the Identity Management Domain comes preconfigured with a number of default policies to protect such things as administration consoles. In addition it is recommended that Policy Groups be created to hold any policies which you may wish to create.
The policy groups you create are largely dependent on your environment and the way you wish to store your policy information. In this section of the guide, we will create two Policy Groups:
Oracle Access Manager-Protected Resources: This policy group is used to hold details of resources that are protected by the OAM user/password policy.
Oracle Adaptive Access Manager-Protected Resources: This policy group is used to hold details of resourcesthat are protected using OAAM.
To create the OAM Policy Group perform the following steps:
Log in to the OAM console at: http://admin.mycompany.com using the oamadmin account created previously.
From the Navigation Window expand: Application Domains > IDMDomainAgent.
Click Authentication Policies
Click Create on the tool bar below the Browse tab).
Enter the following information:
Name: OAM Protected Resources
Authentication Scheme: LDAPScheme
Click Apply.
From the Navigation Window expand: Application Domains > IDMDomainAgent.
Click Authentication Policies.
ClickCreate on the tool bar below the Browse tab).
Enter the following information:
Name: OAAM Protected Resources
Authentication Scheme: OAAMAdvanced
Click Apply.
Validate Oracle Access Manager by protecting a simple resource.
For testing purposes it is good practice to create a simple HTML page, which you can use to test the functionality of OAM.
Create a test page called sso.html on WEBHOST1 and WEBHOST2. The easiest way to do this is to create a file called sso.html in the directory ORACLE_INSTANCE/config/OHS/component/htdocs with the following content:
<html> <body> <center> <p> <h2> SSO Protected Resource </h2> </p> </center> </body> </html>
Now that you have something to protect, you need to create a resource in OAM and assign it to one of the policy groups you created above.
Log in to the OAM console at: http://admin.mycompany.com using the oamadmin account created previously.
From the Navigation window expand: Application Domains > IDMDomainAgent.
Click Resources.
Click Create on the tool bar below the Browse tab).
Enter the following information:
Type: http
Host Identifier: IDMDomain
Resource URL: /sso.html
Click Apply.
Now that the resource exists, assign it to one of the policy groups you just created.
Log in to the OAM console at: http://admin.mycompany.com using the oamadmin account created previously.
From the Navigation window expand: Application Domains > IDMDomainAgent > Authentication Policies.
Click OAM Protected Resources.
Click Edit on the tool bar below the Browse tab.
In the Resources box, click +.
From the list, select the resource you created above.
Click Apply.
All that remains is to add the resource to the list of protected resources. To do this, log in to the OAM console at: http://admin.mycompany.com using the oamadmin account created previously.
From the Navigation window expand: Application Domains > IDMDomainAgent > Authorization Policies.
Click Protected Resource Policy.
Click Edit on the tool bar below the Browse tab.
In the Resources box, click +.
From the list, select the resource you just created.
Click Apply.
To validate that Oracle Access Manager is working correctly:
Install Oracle Webgate as described in Section 17.2, "Installing and Configuring WebGate".
Access your protected resource using the URL: https://sso.mycompany.com:443/sso.html.
The OAM Login page is displayed. Log in as an authorised OAM user, for example: oamadmin. Once you are logged in, the oam protected resource is displayed.