Oracle® Identity Manager Installation and Configuration Guide for IBM WebSphere Application Server Release 9.1.0.1 Part Number E14064-04
This chapter explains how to install Oracle Identity Manager Remote Manager. It discusses the following sections:
To install the Remote Manager on a Microsoft Windows host:
Note:
All Oracle Identity Manager components must be installed in different home directories. If you are installing the Remote Manager on a computer that is hosting another Oracle Identity Manager component, such as the server or the Design Console, then specify an installation directory that has not been used.
Insert the Oracle Identity Manager Installation CD into your CD-ROM drive.
Using Windows Explorer, navigate to the installServer directory on the installation CD.
Double-click the setup_rm.exe file.
Choose a language from the list on the Installer page. The Welcome page is displayed.
In the Welcome page, click Next.
In the Target directory page, complete one of the following steps:
The default directory for Oracle Identity Manager products is C:\oracle. To install the Remote Manager into this directory, click Next.
To install Remote Manager in a different directory, specify the path of the directory in the Directory name field, and then click Next.
Note:
If the directory path that you specified does not exist, then the Base Directory settings field is displayed. Click OK. The directory is automatically created. If you do not have write permission to create the default directory for Oracle Identity Manager, then a message is displayed informing you that the installer could not create the directory. Click OK to close the message, and then contact your system administrator to obtain the appropriate permissions.
Select either the JRE that is installed with Oracle Identity Manager or specify an existing JRE. Click Next. The Remote Manager Configuration page is displayed.
In the Remote Manager Configuration page, enter the appropriate information for the Remote Manager:
Enter the service name. The default value is RManager.
Enter the Remote Manager binding port. The default value is 12346.
Enter the Remote Manager Secure Sockets Layer (SSL) port. The default value is 12345.
Click Next.
In the Shortcut page, select the check boxes for the shortcut options according to your preferences:
Choose to create a shortcut for the Remote Manager on the desktop.
Choose to create a shortcut for the Remote Manager on the Start Menu.
Click Next after completing the check box settings.
In the Summary page, review the configuration details, and then click Install to start the installation.
Click Finish to complete the installation.
Note:
You must configure the Remote Manager before you can start it. Refer to the "Configuring the Remote Manager" section for more information about configuring the Remote Manager.
To install the Remote Manager on UNIX or Linux:
Before installing the Remote Manager, you must set the JAVA_HOME variable to the appropriate JDK.
On Solaris or Linux, set JAVA_HOME to the Sun JDK. On AIX, set JAVA_HOME to the WebSphere JDK. For example, use the following commands on AIX:
export JAVA_HOME=$WEBSPHERE_HOME/java
Add $JAVA_HOME/bin to the $PATH environment variable by using the following command:
export PATH=$JAVA_HOME/bin:$PATH
See Also:
Oracle Identity Manager Readme for information about the certified JDK versions
Insert the Oracle Identity Manager Installation CD into your CD-ROM drive.
Note:
If the autostart routine is enabled for your computer, proceed to Step 5.
From the File Manager, access the root CD directory or the installServer directory, if you are installing from a tar file.
Run the install_rm.sh file.
The command-line installer starts.
Choose a language from the list by entering a number and then by entering 0 to apply the language.
The Welcome panel is displayed.
In the Welcome panel, enter 1 to move to the next panel.
The Target directory panel is displayed.
In the Target directory panel, enter the path to the directory in which you want to install the Remote Manager. The default directory is /opt/oracle.
Enter 1 to move to the next panel.
If the directory does not exist, then you are asked to create it. Enter y for yes.
Note:
All Oracle Identity Manager components must be installed in different home directories. If you are installing the Remote Manager on a computer that is hosting Oracle Identity Manager, then you must specify a unique installation directory.
Specify the JRE to use with the Remote Manager, and then:
Enter 1 to install the JRE included with Oracle Identity Manager.
Enter 2 to use an existing JRE at a specified location.
After specifying the JRE, enter 0 to accept your selection and then enter 1 to move to the next panel.
In the Remote Manager Configuration panel, enter the Remote Manager configuration information as follows:
Enter the Service Name, or press the Enter key to accept the default.
Enter the Remote Manager binding port, or press the Enter key to accept the default.
Enter the Remote Manager SSL port, or press the Enter key to accept the default.
Enter 1 to move to the next panel.
The Remote Manager installation summary panel is displayed.
Check the information, and then:
Enter 2 to go back and make changes.
Enter 1 to start the installation.
Oracle Identity Manager installs and the Post installation summary panel is displayed.
Enter 3 to finish the Remote Manager installation.
Note:
You must configure the Remote Manager before you can start it. Refer to the "Configuring the Remote Manager" section for more information.
The Remote Manager and Oracle Identity Manager communicate by using SSL. If you are using the Remote Manager, then you must enable a trust relationship between Oracle Identity Manager and the Remote Manager. The server must trust the Remote Manager certificate.
Optionally, you can enable client-side authentication in which the Remote Manager checks the server certificate. Import the Remote Manager certificate into the Oracle Identity Manager keystore and make it trusted. For client-side authentication, import the certificate for Oracle Identity Manager into the keystore for the Remote Manager, and then make that certificate trusted. You must also manually edit the configuration file associated with the server, and depending on the options you selected during Remote Manager installation, edit the Remote Manager configuration file as well.
During installation, the password for the Remote Manager keystore is set to xellerate. Oracle recommends changing the keystore passwords for all production installations.
To change the keystore passwords, you must change the storepass of .xlkeystore and the keypass of the xell entry in .xlkeystore, and these two values must be identical. Use the keytool and perform the following steps to change the keystore passwords:
Open a command prompt on the Oracle Identity Manager host computer.
Navigate to the OIM_RM_HOME\xellerate\config directory.
Run the keytool with the following options to change the storepass:
JAVA_HOME\jre\bin\keytool -storepasswd -new new_password -storepass xellerate -keystore .xlkeystore -storetype JKS
Run the keytool with the following options to change the keypass of the xell entry in .xlkeystore:
JAVA_HOME\jre\bin\keytool -keypasswd -alias xell -keypass xellerate -new new_password -keystore .xlkeystore -storepass new_password
JAVA_HOME represents the location of the Java installation associated with the Remote Manager installation.
In a text editor, open the OIM_RM_HOME\xlremote\config\xlconfig.xml file.
Edit the <RMSecurity>.<KeyStore> section to specify the keystore password as follows:
Change the password tag to encrypted=false.
Enter the password, for example:
<RMSecurity>
<KeyStore>
<Location>.xlkeystore</Location>
<Password encrypted="false">new_password</Password>
<Type>JKS</Type>
<Provider>sun.security.provider.Sun</Provider>
</KeyStore>
Note:
If you are using client-side authentication for the Remote Manager, then enter the Oracle Identity Manager keystore password in the <RMSecurity>.<TrustStore> section of OIM_RM_HOME\xlremote\config\xlconfig.xml as follows:
<TrustStore>
<Location>.xlkeystore</Location>
<Password encrypted="false">OIM_Server_keystore_password</Password>
<Type>JKS</Type>
<Provider>sun.security.provider.Sun</Provider>
</TrustStore>
Save and close the xlconfig.xml file.
Restart the Remote Manager.
In a text editor, open the OIM_HOME\xellerate\config\xlconfig.xml file.
Edit the <RMSecurity>.<TrustStore> section to specify the new Remote Manager keystore password as follows:
Change the password tag to encrypted=false.
Enter the password, for example:
<TrustStore>
<Location>.xlkeystore</Location>
<Password encrypted="false">new_password</Password>
<Type>JKS</Type>
<Provider>sun.security.provider.Sun</Provider>
</TrustStore>
Save and close the xlconfig.xml file, then restart Oracle Identity Manager.
To establish a trust relationship between Oracle Identity Manager and the Remote Manager:
Copy the Remote Manager certificate to the server computer.
On the Remote Manager computer, locate the OIM_RM_HOME\xlremote\config\xlserver.cert file and copy it to the server computer.
Note:
The server certificate located in OIM_HOME\config is also named xlserver.cert. Ensure that you do not overwrite that certificate.
Open a command prompt on the server computer.
To import the certificate by using the keytool utility, use the following command:
JAVA_HOME\jre\bin\keytool -import -alias rm_trusted_cert -file RM_cert_location\xlserver.cert -trustcacerts -keystore OIM_HOME\xellerate\config\.xlkeystore -storepass xellerate
JAVA_HOME is the location of the Java directory for the application server, the value of alias is an arbitrary name for the certificate in the store, and RM_cert_location is the location in which you copied the certificate.
Note:
If you changed the keystore password, then substitute that value instead of xellerate for the value of the storepass variable.
Enter Y at the prompt to trust the certificate.
In a text editor, open the OIM_HOME\xellerate\config\xlconfig.xml file.
Locate the property <RMIOverSSL> and set it to true.
For example:
<RMIOverSSL>true</RMIOverSSL>
Locate the <KeyManagerFactory> property.
If you are using the IBM JRE, then set the value to IBMX509. For all other JREs, set the value to SUNX509. For example:
<KeyManagerFactory>IBMX509</KeyManagerFactory>
Or:
<KeyManagerFactory>SUNX509</KeyManagerFactory>
Save the file.
Restart Oracle Identity Manager.
To configure the Remote Manager by using your own certificate on the Remote Manager system:
Import your custom key in a new keystore (new_keystore_name) other than .xlkeystore. Remember the password (new_keystore_pwd) that you use for the new keystore.
Copy this new keystore to the OIM_RM_HOME\xlremote\config\ directory.
In a text editor, open the OIM_RM_HOME\xlremote\config\xlconfig.xml file.
Locate the <RMSecurity> tag and change the value in the <Location> and <Password> tags as follows:
If you are using the IBM JRE, then change the values to:
<KeyStore>
<Location>new_keystore_name</Location>
<Password encrypted="false">new_keystore_pwd</Password>
<Type>JKS</Type>
<Provider>com.ibm.crypto.provider.IBMJCE</Provider>
</KeyStore>
For all other JREs, change the values to:
<KeyStore>
<Location>new_keystore_name</Location>
<Password encrypted="false">new_keystore_pwd</Password>
<Type>JKS</Type>
<Provider>sun.security.provider.Sun</Provider>
</KeyStore>
Restart the Remote Manager server, and open the xlconfig.xml file to ensure that the password for the new keystore was encrypted.
To configure the Remote Manager by using your own certificate on the Oracle Identity Manager server:
Import the same certificate key used in the Remote Manager system to a new keystore (new_svrkeystore_name) other than .xlkeystore. Remember the password (new_svrkeystore_pwd) that you use for the new keystore.
Copy this new keystore to the OIM_HOME\xellerate\config directory.
In a text editor, open the OIM_HOME\xellerate\config\xlconfig.xml file.
Locate the <RMSecurity> tag and change the value in the <Location> and <Password> tags as follows:
If you are using the IBM JRE, then change the values to:
<KeyStore>
<Location>new_keystore_name</Location>
<Password encrypted="false">new_keystore_pwd</Password>
<Type>JKS</Type>
<Provider>com.ibm.crypto.provider.IBMJCE</Provider>
</KeyStore>
For all other JREs, change the values to:
<KeyStore>
<Location>new_keystore_name</Location>
<Password encrypted="false">new_keystore_pwd</Password>
<Type>JKS</Type>
<Provider>sun.security.provider.Sun</Provider>
</KeyStore>
Restart Oracle Identity Manager and open the xlconfig.xml file to ensure that the password for the new keystore is encrypted.
To enable client-side authentication:
On the computer hosting the Remote Manager, in a text editor, open the OIM_RM_HOME\xlremote\config\xlconfig.xml file.
Locate the <ClientAuth> property and set it to true, for example:
<ClientAuth>true</ClientAuth>
Locate the <RMIOverSSL> property and verify it is set to true, for example:
<RMIOverSSL>true</RMIOverSSL>
Locate the <KeyManagerFactory> property.
If you are using the IBM JRE, then set the value to IBMX509. For all other JREs, set the value to SUNX509. For example:
<KeyManagerFactory>IBMX509</KeyManagerFactory>
Or:
<KeyManagerFactory>SUNX509</KeyManagerFactory>
Save the OIM_RM_HOME\xlremote\config\xlconfig.xml file.
Copy the server certificate to the Remote Manager computer.
On the server computer, locate the OIM_HOME\xellerate\config\xlserver.cert file and copy it to the Remote Manager computer.
Note:
The Remote Manager certificate is also named xlserver.cert. Ensure that you do not overwrite that certificate.
Open a command prompt on the Remote Manager computer.
Import the certificate by using the following keytool command:
JAVA_HOME\jre\bin\keytool -import -alias trusted_server_cert -file server_cert_location\xlserver.cert -trustcacerts -keystore OIM_RM_HOME\xlremote\config\.xlkeystore -storepass xellerate
JAVA_HOME is the location of the Java directory for the Remote Manager, the value of alias is an arbitrary name for the certificate in the store, OIM_RM_HOME is the home directory for the Remote Manager, and server_cert_location is the location in which you copied the server certificate.
Note:
If you changed the keystore password, then substitute that value for xellerate, which is the default value of the storepass variable.
Enter Y at the prompt to trust the certificate.
Restart the Remote Manager.
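Added example (not part of the Oracle guide and not Oracle code): a Python check that performs the post-restart verification the procedures above ask for. It flags any <RMSecurity> keystore or truststore password still marked encrypted="false", a plaintext password equal to the default xellerate, and the RMIOverSSL, ClientAuth and KeyManagerFactory values. The sample file, its root element and the placement of the three properties are constructed assumptions, as is treating encrypted="true" as the form written after a restart.

```python
import xml.etree.ElementTree as ET

DEFAULT_PASSWORD = "xellerate"                  # installer default named in this chapter
KEY_MANAGER_FACTORIES = {"IBMX509", "SUNX509"}  # the two values this chapter lists

# Constructed sample, not a real xlconfig.xml. The root element and the position
# of the three properties are assumptions; only the tag names come from the page.
SAMPLE = """<xl-configuration>
  <RMSecurity>
    <RMIOverSSL>true</RMIOverSSL>
    <ClientAuth>false</ClientAuth>
    <KeyManagerFactory>SUNX509</KeyManagerFactory>
    <KeyStore>
      <Location>.xlkeystore</Location>
      <Password encrypted="false">xellerate</Password>
    </KeyStore>
    <TrustStore>
      <Location>.xlkeystore</Location>
      <Password encrypted="true">constructed-ciphertext</Password>
    </TrustStore>
  </RMSecurity>
</xl-configuration>"""


def audit_xlconfig(xml_text, require_client_auth=False):
    """Return findings for the Remote Manager SSL settings in an xlconfig.xml."""
    root = ET.fromstring(xml_text)
    findings = []

    def prop(tag):
        # Properties are looked up anywhere in the file, by tag name only.
        node = next(root.iter(tag), None)
        return (node.text or "").strip() if node is not None else ""

    if prop("RMIOverSSL").lower() != "true":
        findings.append("RMIOverSSL is not true")
    if require_client_auth and prop("ClientAuth").lower() != "true":
        findings.append("ClientAuth is not true")
    if prop("KeyManagerFactory") not in KEY_MANAGER_FACTORIES:
        findings.append("KeyManagerFactory is not IBMX509 or SUNX509")
    for rm in root.iter("RMSecurity"):
        for store in ("KeyStore", "TrustStore"):
            pw = rm.find(f"{store}/Password")
            if pw is None or pw.get("encrypted", "").lower() == "true":
                continue
            findings.append(f"{store} password is stored in plaintext")
            if (pw.text or "").strip() == DEFAULT_PASSWORD:
                findings.append(f"{store} password is the installer default")
    return findings
```

Run it against both OIM_HOME\xellerate\config\xlconfig.xml and OIM_RM_HOME\xlremote\config\xlconfig.xml by passing each file's contents to audit_xlconfig; an empty list means none of the checked settings deviates from what this chapter configures.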
Use the following script to start the Remote Manager:
On Microsoft Windows:
OIM_RM_HOME\xlremote\remotemanager.bat
On UNIX:
OIM_RM_HOME/xlremote/remotemanager.sh