12 Extending the Domain with Oracle Adaptive Access Manager

Oracle Adaptive Access Manager (OAAM) is built on a J2EE-based, multi-tier deployment architecture that separates the platform's presentation, business logic, and data tiers. Because of this separation of tiers, OAAM can scale rapidly with the customer's performance needs. The architecture leverages the most flexible and widely supported cross-platform J2EE services available: a combination of Java, XML and object technologies. This architecture makes OAAM a scalable, fault-tolerant solution.

OAAM Apps is divided into the following two components.

This chapter describes the procedure to extend an existing IDM domain to include Oracle Adaptive Access Manager.

This chapter contains the following topics:

12.1 Prerequisites

Before you extend the domain to include Oracle Adaptive Access Manager (OAAM), the following prerequisites must be in place.

  1. Create a WebLogic domain described in Chapter 6.

  2. Install Oracle WebLogic Server, Oracle Fusion Middleware for Identity Management, and Oracle Management Suite as described in Chapter 4.

  3. Create a highly available database to hold the OAAM data. Pre-seed the database with OAAM data objects using the repository creation utility as described in Section 3.3.

  4. Install and configure Oracle Internet Directory as described in Chapter 7.

  5. Install and configure Oracle Virtual Directory as described in Chapter 8.

  6. Install Oracle HTTP Server on WEBHOST1 and WEBHOST2 as described in Chapter 5.

  7. Create Oracle Adaptive Access Manager Administrative groups and user in LDAP as described in Section 12.1.1.

  8. Create an Oracle Adaptive Access Manager Administration User in the WebLogic Console as described in Section 12.2.3.

12.1.1 Creating OAAM Administrative Groups and User in LDAP

Before you extend the domain with OAAM, you must add a number of OAAM groups to the External LDAP store configured in Chapter 7 and Chapter 8. In addition to creating these groups, you must create a user and assign that user to these groups to facilitate access to the OAAM Admin console.

To do this, create the following files:

oaam_user.ldif

dn:  cn=oaamadmin,cn=Users,dc=us,dc=oracle,dc=com
cn:  oaamadmin
sn:  oaamadmin
description:  oaamadmin
uid: oaamadmin
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetorgperson
objectclass: orcluser
objectclass: orcluserV2
userpassword: mypasswd

oaam_group.ldif

dn: cn=OAAMCSRGroup,cn=Groups,dc=us,dc=oracle,dc=com
cn: OAAMCSRGroup
displayname: OAAMCSRGroup
description: OAAMCSRGroup
uniquemember: cn=oaamadmin,cn=Users,dc=us,dc=oracle,dc=com
objectclass: top
objectclass: groupofuniquenames
objectclass: orclgroup

dn: cn=OAAMCSRManagerGroup,cn=Groups,dc=us,dc=oracle,dc=com
cn: OAAMCSRManagerGroup
displayname: OAAMCSRManagerGroup
description: OAAMCSRManagerGroup
uniquemember: cn=oaamadmin,cn=Users,dc=us,dc=oracle,dc=com
objectclass: top
objectclass: groupofuniquenames
objectclass: orclgroup

dn: cn=OAAMEnvAdminGroup,cn=Groups,dc=us,dc=oracle,dc=com
cn: OAAMEnvAdminGroup
displayname: OAAMEnvAdminGroup
description: OAAMEnvAdminGroup
uniquemember: cn=oaamadmin,cn=Users,dc=us,dc=oracle,dc=com
objectclass: top
objectclass: groupofuniquenames
objectclass: orclgroup

dn: cn=OAAMInvestigationManagerGroup,cn=Groups,dc=us,dc=oracle,dc=com
cn: OAAMInvestigationManagerGroup
displayname: OAAMInvestigationManagerGroup
description: OAAMInvestigationManagerGroup
uniquemember: cn=oaamadmin,cn=Users,dc=us,dc=oracle,dc=com
objectclass: top
objectclass: groupofuniquenames
objectclass: orclgroup

dn: cn=OAAMInvestigatorGroup,cn=Groups,dc=us,dc=oracle,dc=com
cn: OAAMInvestigatorGroup
displayname: OAAMInvestigatorGroup
description: OAAMInvestigatorGroup
uniquemember: cn=oaamadmin,cn=Users,dc=us,dc=oracle,dc=com
objectclass: top
objectclass: groupofuniquenames
objectclass: orclgroup

dn: cn=OAAMRuleAdministratorGroup,cn=Groups,dc=us,dc=oracle,dc=com
cn: OAAMRuleAdministratorGroup
displayname: OAAMRuleAdministratorGroup
description: OAAMRuleAdministratorGroup
uniquemember: cn=oaamadmin,cn=Users,dc=us,dc=oracle,dc=com
objectclass: top
objectclass: groupofuniquenames
objectclass: orclgroup

dn: cn=OAAMSOAPServicesGroup,cn=Groups,dc=us,dc=oracle,dc=com
cn: OAAMSOAPServicesGroup
displayname: OAAMSOAPServicesGroup
description: OAAMSOAPServicesGroup
uniquemember: cn=oaamadmin,cn=Users,dc=us,dc=oracle,dc=com
objectclass: top
objectclass: groupofuniquenames
objectclass: orclgroup

Load the user and group into LDAP by issuing the following commands from the LDAP server. Replace mypasswd with the passwords for your environment; note that both the LDIF file and the -w argument carry the passwords in clear text, so protect or remove the files once the entries are loaded:

ldapadd -h myoid.mycompany.com -p 389 -D cn="orcladmin" -w mypasswd -c -v \
  -f oaam_user.ldif
ldapadd -h myoid.mycompany.com -p 389 -D cn="orcladmin" -w mypasswd -c -v \
  -f oaam_group.ldif
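As an added check (example code, not from this guide), the following Python script parses LDIF in the layout of oaam_user.ldif and oaam_group.ldif and reports any OAAM group that does not list the oaamadmin user as a uniquemember, any group missing from the set above, and a user entry lacking the OID object classes. Because ldapsearch output is also LDIF, the same script can be run over a search of cn=Groups after the ldapadd commands to confirm what was actually loaded; the sample entries embedded in it are constructed and abbreviated.

```python
"""Validate the oaamadmin user and OAAM group entries in an LDIF file.
Added example, not part of the Oracle guide. The parser reads the layout of
oaam_user.ldif / oaam_group.ldif; as ldapsearch also emits LDIF, the same
check can run over a search of cn=Groups after the ldapadd commands.
SAMPLE_LDIF is constructed and abbreviated; its 2nd group lacks uniquemember.
"""
import base64

ADMIN_DN = "cn=oaamadmin,cn=Users,dc=us,dc=oracle,dc=com"
REQUIRED_GROUPS = {
    "OAAMCSRGroup", "OAAMCSRManagerGroup", "OAAMEnvAdminGroup",
    "OAAMInvestigationManagerGroup", "OAAMInvestigatorGroup",
    "OAAMRuleAdministratorGroup", "OAAMSOAPServicesGroup",
}


def parse_ldif(text):
    """Return one {attribute: [values]} dict per entry. Entries end at a
    blank line, attribute names are case-insensitive, a leading space
    continues the previous value, '#' starts a comment, 'a:: v' is base64."""
    entries, current, last_attr = [], {}, None
    for raw in text.splitlines() + [""]:
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and raw.strip() and last_attr:
            current[last_attr][-1] += raw[1:]
            continue
        if not raw.strip():
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        attr, _, value = raw.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current.setdefault(attr, []).append(value)
        last_attr = attr
    return entries


def check_oaam_entries(entries, admin_dn=ADMIN_DN, required=REQUIRED_GROUPS):
    """Return a list of problems (empty = consistent with Section 12.1.1:
    user present with OID object classes, each group lists it as member)."""
    problems, groups_seen, user_seen = [], set(), False
    want_dn = admin_dn.lower()
    for entry in entries:
        dn = entry.get("dn", [""])[0]
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if dn.lower() == want_dn:
            user_seen = True
            for needed in ("inetorgperson", "orcluser", "orcluserv2"):
                if needed not in classes:
                    problems.append(f"user {dn} lacks objectclass {needed}")
            continue
        cn = entry.get("cn", [""])[0]
        if cn in required:
            groups_seen.add(cn)
            members = {m.lower() for m in entry.get("uniquemember", [])}
            if want_dn not in members:
                problems.append(f"group {cn} does not list {admin_dn}")
            if "groupofuniquenames" not in classes:
                problems.append(f"group {cn} lacks objectclass groupofuniquenames")
    if not user_seen:
        problems.append(f"user entry {admin_dn} not found")
    problems.extend(f"group {g} not found" for g in sorted(required - groups_seen))
    return problems


SAMPLE_LDIF = """\
dn: cn=oaamadmin,cn=Users,dc=us,dc=oracle,dc=com
objectclass: inetorgperson
objectclass: orcluser
objectclass: orcluserV2

dn: cn=OAAMCSRGroup,cn=Groups,dc=us,dc=oracle,dc=com
cn: OAAMCSRGroup
uniquemember: cn=oaamadmin,cn=Users,dc=us,dc=oracle,dc=com
objectclass: groupofuniquenames

dn: cn=OAAMCSRManagerGroup,cn=Groups,dc=us,dc=oracle,dc=com
cn: OAAMCSRManagerGroup
objectclass: groupofuniquenames
"""
```

Running check_oaam_entries(parse_ldif(open("oaam_group.ldif").read())) on the real files should return an empty list; on SAMPLE_LDIF it reports the missing member and the five groups the sample omits.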

12.2 Configuring Oracle Adaptive Access Manager on IDMHOST1

Although OAAM will be deployed on servers dedicated to it (OAAMHOST1 and OAAMHOST2), the WebLogic domain must first be extended with OAAM on IDMHOST1. This section describes how to configure Oracle Adaptive Access Manager on IDMHOST1.

This section contains the following topics:

12.2.1 Extending Domain for Oracle Adaptive Access Manager

Start the configuration wizard by executing the command:

MW_HOME/oracle_common/common/bin/config.sh

Then proceed as follows:

  1. On the Welcome Screen, select Extend an Existing WebLogic Domain. Click Next.

  2. On the Select a WebLogic Domain screen, using the navigator select the domain home of the admin server, for example: ORACLE_BASE/admin/IDMDomain/aserver/IDMDomain.

    Click Next.

  3. On the Select Extension Source screen, select the following:

    • Oracle Adaptive Access Manager - Server

    • Oracle Adaptive Access Manager Admin Server

    • Oracle WSM Policy Manager

    • Oracle Identity Navigator

    Click Next.

  4. On the Configure RAC Multi Datasources screen (for ODSSM) click Next.

  5. On the Configure JDBC Component Schema screen, select all of the data sources, then select Configure selected data sources as RAC multi data sources.

    Click Next.

  6. On the Configure RAC Multi Data Source Component Schema screen, select the first datasource (OAAM Admin Schema) and enter the following:

    • Data source: OAAM Admin Server

    • Service Name: oaam.mycompany.com

    • User Name: EDG_OAAM

    • Password: Password for above account.

  7. In the top right box click Add to Add the first Oracle RAC node.

    • Host Name: oaamdbhost1.mycompany.com

    • Instance Name: oaamdb1

    • Port: 1521

  8. Click Add again to add the second Oracle RAC node.

    • Host Name: oaamdbhost2.mycompany.com

    • Instance Name: oaamdb2

    • Port: 1521

  9. Deselect this data source. Select the next data source, OAAM Admin MDS Schema, and enter the following information.

    • Data source: OAAM Admin MDS Schema

    • Service Name: oaam.mycompany.com

    • User Name: EDG_MDS

    • Password: Password for EDG_MDS account.

  10. In the top right box click Add to add the first Oracle RAC node.

    • Host Name: oaamdbhost1.mycompany.com

    • Instance Name: oaamdb1

    • Port: 1521

  11. Click Add again to add the second Oracle RAC node.

    • Host Name: oaamdbhost2.mycompany.com

    • Instance Name: oaamdb2

    • Port: 1521

  12. Deselect this data source. Select the next data source, OAAM Server Schema.

    • Data source: OAAM Server

    • Service Name: oaam.mycompany.com

    • User Name: EDG_OAAM

    • Password: Password for EDG_OAAM account.

  13. In the top right box click Add to add the first Oracle RAC node.

    • Host Name: oaamdbhost1.mycompany.com

    • Instance Name: oaamdb1

    • Port: 1521

  14. Click Add again to add the second Oracle RAC node.

    • Host Name: oaamdbhost2.mycompany.com

    • Instance Name: oaamdb2

    • Port: 1521

  15. Deselect this data source. Select the next data source, OWSM MDS Schema.

    • Data source: OWSM MDS Schema

    • Service Name: idmdb.mycompany.com

    • User Name: EDG_MDS

    • Password: Password for EDG_MDS account.

  16. In the top right box click Add to add the first Oracle RAC node.

    • Host Name: infradbhost1.mycompany.com

    • Instance Name: idmdb1

    • Port: 1521

  17. Click Add again to add the second Oracle RAC Node.

    • Host Name: infradbhost2.mycompany.com

    • Instance Name: idmdb2

    • Port: 1521

  18. Deselect this data source. Click Next.

  19. On the Test Component Schema screen, the configuration wizard attempts to validate the data source. If the data source validation succeeds, click Next. If it fails, click Previous, correct the issue, and try again.

  20. On the Select Optional Configuration screen, select Managed Server Clusters and Machines. Click Next.

  21. When you first enter the Configure Managed Servers screen, the configuration wizard will have created a default managed server for you. Change the details of the default managed server.

    Note:

    Change the details of the default managed server to reflect the following details. That is, change one entry and add one new entry.

    Do not change the configuration of any managed servers which have already been configured as part of previous application deployments.

    For the oaam_server entry, change the entry to the following values:

    • Name: WLS_OAAM1

    • Listen Address: OAAMHOST1

    • Listen Port: 14300

    • SSL Listen Port: 14301

    • SSL Enabled: Selected.

    For the second OAAM Server, click Add and supply the following information:

    • Name: WLS_OAAM2

    • Listen Address: OAAMHOST2

    • Listen Port: 14300

    • SSL Listen Port: 14301

    • SSL Enabled: selected

    Select the OAAM_ADMIN_SERVER entry.

    Change the entry to the following values:

    • Name: WLS_OAAM_ADMIN1

    • Listen Address: OAAMHOST1

    • Listen Port: 14200

    • SSL Listen Port: 14201

    • SSL Enabled: Selected

    For the OAAM Admin Server, click Add and supply the following information:

    • Name: WLS_OAAM_ADMIN2

    • Listen Address: OAAMHOST2

    • Listen Port: 14200

    • SSL Listen Port: 14201

    • SSL Enabled: Selected

    Leave all the other fields at the default settings and click Next.

  22. On the Configure Clusters screen, create a cluster by clicking Add.

    • Name: cluster_oaam

    • Cluster Messaging Mode: unicast

    Create a second cluster by clicking Add.

    • Name: cluster_oaam_admin

    • Cluster Messaging Mode: unicast

    Leave all other fields at the default settings and click Next.

  23. On the Assign Servers to Clusters screen, associate the managed servers with the cluster. Click the cluster name in the right pane. Click the managed server under Servers, then click the arrow to assign it to the cluster.

    The cluster_oaam will have the managed servers WLS_OAAM1 and WLS_OAAM2

    The cluster_oaam_admin will have the managed servers WLS_OAAM_ADMIN1 and WLS_OAAM_ADMIN2

    Note:

    Do not change the configuration of any clusters which have already been configured as part of previous application deployments.

    Click Next.

  24. On the Configure Machines screen, create a machine for each host in the topology. Click the tab UNIX if your hosts use a UNIX-based operating system. Otherwise, click the Machines tab. Supply the following information:

    • Name: Name of the host. Best practice is to use the DNS name (oaamhost1.mycompany.com).

    • Node Manager Listen Address: The DNS name of the machine (oaamhost1.mycompany.com)

    • Node Manager Port: A port for node manager to use

    Click Next.

  25. On the Assign Servers to Machines screen, indicate which managed servers will run on each of the machines you created.

    Click a machine in the right pane.

    Click the managed servers you want to run on that machine in the left pane.

    Click the arrow to assign the managed servers to the machines.

    Repeat until all managed servers are assigned to machines.

    For example:

    oaamhost1: WLS_OAAM1 and WLS_OAAM_ADMIN1

    oaamhost2: WLS_OAAM2 and WLS_OAAM_ADMIN2

    Click Next to continue.

  26. On the Configuration Summary screen, click Extend to extend the domain.

    Note:

    If you receive a warning that says:

    CFGFWK: Server listen ports in your domain configuration conflict with ports in use by active processes on this host

    click OK.

    This warning appears if managed servers have been defined as part of previous installs and can safely be ignored.

12.2.2 Starting Admin Server on IDMHOST1

Restart the Administration Server on IDMHOST1. See Section 19.1, "Starting and Stopping Oracle Identity Management Components."

12.2.3 Creating OAAM Administration User in WebLogic Console

Before you can access the OAAM administration console, you must create an administration user. Creating this user here lets you use the OAAM administration console at this point. If you later wire OAAM to OAM, or configure the Default Authenticator as described in Chapter 19, this user becomes redundant and can be removed if desired.

You create an administration user as follows:

  1. Log in to Oracle WebLogic console at the URL: http://idmhost1.mycompany.com:7001/console as the weblogic user.

  2. From the domain structure menu, select Security Realms.

  3. Click myrealm.

  4. Click the Users and Groups tab.

  5. Click New.

  6. Enter the following information:

    • Name: oaamadmin

    • Description: OAAM Administrative user.

    • Provider: DefaultAuthenticator

    • Password/Confirmation: The password you want to assign to the user.

  7. Click OK.

  8. Click the newly created user oaamadmin.

  9. Click the Groups tab.

  10. Assign all groups with the OAAM prefix to the user. Do this by selecting each group and clicking > to move it to the Chosen list. The groups are:

    • OAAMCSRGroup

    • OAAMCSRInvestigatorGroup

    • OAAMCSRManagerGroup

    • OAAMEnvAdminGroup

    • OAAMInvestigationManagerGroup

    • OAAMRuleAdministratorGroup

    • OAAMSOAPServicesGroup

  11. Click Save.

12.2.4 Configuring Oracle Adaptive Access Manager on OAAMHOST1

Once the configuration has succeeded on IDMHOST1, you can propagate it to OAAMHOST1. You do this by packing the domain on IDMHOST1, using the pack script, and unpacking it on OAAMHOST1 using the unpack script. Both scripts reside in MW_HOME/oracle_common/common/bin.

On IDMHOST1, type:

pack.sh -domain=ORACLE_BASE/admin/IDMDomain/aserver/IDMDomain -template=/tmp/IDMDomain.jar -template_name="OAAM Domain" -managed=true

This creates a file called IDMDomain.jar in the /tmp directory. Copy this file to OAAMHOST1.

On OAAMHOST1, type:

unpack.sh -domain=ORACLE_BASE/admin/IDMDomain/mserver/IDMDomain -template=/tmp/IDMDomain.jar -app_dir=ORACLE_BASE/admin/IDMDomain/mserver/applications

12.3 Starting and Validating OAAMHOST1

This section contains the following topics:

12.3.1 Creating Node Manager Properties File on OAAMHOST1

  1. Start the Node Manager to create the nodemanager.properties file on OAAMHOST1 by using the startNodeManager.sh script located under the MW_HOME/wlserver_10.3/server/bin directory.

  2. Before you can start the managed servers by using the console, Node Manager requires that the property StartScriptEnabled be set to true. You set it by running the setNMProps.sh script located under the MW_HOME/oracle_common/common/bin directory:

    prompt> cd MW_HOME/oracle_common/common/bin
    prompt> ./setNMProps.sh

  3. Stop and start the Node Manager as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components" so that the properties take effect.

12.3.2 Starting Oracle Adaptive Access Manager on OAAMHOST1

Start Oracle Adaptive Access Manager on OAAMHOST1 by following the start procedures in Section 19.1, "Starting and Stopping Oracle Identity Management Components" for:

  • Node Manager

  • WebLogic Managed Servers WLS_OAAM1 and WLS_OAAM_ADMIN1

12.3.3 Validating OAAMHOST1

Validate the implementation by connecting to the OAAM Administration Server at http://OAAMHOST1.mycompany.com:14200/oaam_admin.

The implementation is valid if the OAAM Admin console login page is displayed and you can log in using the oaamadmin account you created in Section 12.1.1, "Creating OAAM Administrative Groups and User in LDAP".

Validate the implementation by connecting to the OAAM Server at: http://OAAMHOST1.mycompany.com:14300/oaam_server.

The implementation is valid if the OAAM Server login page is displayed.

12.4 Configuring Oracle Adaptive Access Manager on OAAMHOST2

This section describes how to configure Oracle Adaptive Access Manager on OAAMHOST2.

This section contains the following topics:

12.4.1 Deploying Domain on OAAMHOST2

Once the configuration has succeeded on IDMHOST1, you can propagate it to OAAMHOST2. You do this by packing the domain, using the pack script, on IDMHOST1 and unpacking it, using the unpack script on OAAMHOST2.

Both scripts reside in MW_HOME/oracle_common/common/bin.

On IDMHOST1, type:

pack.sh -domain=ORACLE_BASE/admin/IDMDomain/aserver/IDMDomain -template=/tmp/IDMDomain.jar -template_name="OAAM Domain" -managed=true

This creates a file called IDMDomain.jar in the /tmp directory. Copy this file to OAAMHOST2.

On OAAMHOST2, type:

unpack.sh -domain=ORACLE_BASE/admin/IDMDomain/mserver/IDMDomain -template=/tmp/IDMDomain.jar -app_dir=ORACLE_BASE/admin/IDMDomain/mserver/applications

12.4.2 Starting OAAMHOST2

Start OAAMHOST2 from the console as follows.

12.4.2.1 Creating Node Manager Properties File on OAAMHOST2

  1. Start the Node Manager to create the nodemanager.properties file on OAAMHOST2 by using the startNodeManager.sh script located under the MW_HOME/wlserver_10.3/server/bin directory.

  2. Before you can start the managed servers by using the console, Node Manager requires that the property StartScriptEnabled be set to true. You set it by running the setNMProps.sh script located under the MW_HOME/oracle_common/common/bin directory:

    prompt> cd MW_HOME/oracle_common/common/bin
    prompt> ./setNMProps.sh

  3. Stop and start the Node Manager as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components" so that the properties take effect.

12.4.2.2 Starting Oracle Adaptive Access Manager on OAAMHOST2

Start Oracle Adaptive Access Manager on OAAMHOST2 by following the start procedures in Section 19.1, "Starting and Stopping Oracle Identity Management Components" for:

  • Admin Server

  • Node Manager

  • WebLogic Managed Servers WLS_OAAM2 and WLS_OAAM_ADMIN2

12.4.3 Validating OAAMHOST2

Validate the implementation by connecting to the OAAM Administration Server at http://OAAMHOST2.mycompany.com:14200/oaam_admin. The implementation is valid if the OAAM Admin console login page is displayed and you can log in using the oaamadmin account you created in Section 12.1.1, "Creating OAAM Administrative Groups and User in LDAP".

Validate the implementation by connecting to the OAAM Server at: http://OAAMHOST2.mycompany.com:14300/oaam_server. The implementation is valid if the OAAM Server login page is displayed.

12.5 Configuring OAAM to Work with the Oracle HTTP Server

This section describes how to configure Oracle Adaptive Access Manager to work with the Oracle HTTP Server.

This section contains the following topics:

12.5.1 Updating Oracle HTTP Server configuration

On each WEBHOST, create a file in ORACLE_INSTANCE/config/OHS/ohs1/moduleconf called oaam.conf with the following lines:

<Location /oaam_server>
  SetHandler weblogic-handler
  WebLogicCluster oaamhost1.mycompany.com:14300,oaamhost2.mycompany.com:14300
</Location>

The OAAM Admin console must only be available through the admin.mycompany.com site. You achieve this by editing the file ORACLE_INSTANCE/config/OHS/component/moduleconf/admin.conf. (You created admin.conf in Section 6.9, "Configuring Oracle HTTP Server for the Administration Server").

Edit the virtual host definition in admin.conf.

After editing the file should look like this:

NameVirtualHost *:80

<VirtualHost *:80>
    ServerName admin.mycompany.com:80
    ServerAdmin you@your.address
    RewriteEngine On
    RewriteOptions inherit

    # Admin Server and EM
    <Location /console>
        SetHandler weblogic-handler
        WebLogicHost ADMINVHN
        WebLogicPort 7001
    </Location>

    <Location /consolehelp>
        SetHandler weblogic-handler
        WebLogicHost ADMINVHN
        WebLogicPort 7001
    </Location>

    <Location /em>
        SetHandler weblogic-handler
        WebLogicHost ADMINVHN
        WebLogicPort 7001
    </Location>

    <Location /oaam_admin>
        SetHandler weblogic-handler
        WebLogicCluster oaamhost1.mycompany.com:14200,oaamhost2.mycompany.com:14200
    </Location>
</VirtualHost>
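The following Python check is an added example, not part of this guide. It parses the <VirtualHost> and <Location> nesting of oaam.conf and admin.conf and reports if /oaam_admin is routed from anywhere other than the admin.mycompany.com virtual host, if an OAAM location has fewer than two backends, or if a backend uses a port other than 14200 for /oaam_admin and 14300 for /oaam_server. The configuration strings embedded in it are constructed, trimmed copies of the two files above; the parser is minimal and assumes the directive layout shown here, not arbitrary Apache syntax.

```python
"""Check how OHS routes the two OAAM applications, per Section 12.5.1.
Added example, not part of the Oracle guide: parse_ohs() is a minimal reader
for the <VirtualHost>/<Location> nesting of oaam.conf and admin.conf, not a
full Apache parser. OAAM_CONF and ADMIN_CONF are constructed, trimmed copies
of this section's two files.
"""
import re

OPEN, CLOSE = re.compile(r"^<(\w+)\s*([^>]*)>$"), re.compile(r"^</(\w+)>$")
EXPECTED_PORTS = {"/oaam_admin": 14200, "/oaam_server": 14300}

def parse_ohs(text):
    """Return a tree of {'section', 'arg', 'directives', 'children'} nodes."""
    root = {"section": "root", "arg": "", "directives": [], "children": []}
    stack = [root]
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if m := OPEN.match(line):
            node = {"section": m[1], "arg": m[2].strip(), "directives": [], "children": []}
            stack[-1]["children"].append(node)
            stack.append(node)
        elif m := CLOSE.match(line):
            if len(stack) == 1 or stack[-1]["section"].lower() != m[1].lower():
                raise ValueError(f"unexpected {line}")
            stack.pop()
        else:
            name, _, value = line.partition(" ")
            stack[-1]["directives"].append((name, value.strip()))
    if len(stack) != 1:
        raise ValueError(f"unclosed <{stack[-1]['section']}>")
    return root

def directive(node, name):
    """First value of a directive in node (Apache names are case-insensitive)."""
    return next((v for n, v in node["directives"] if n.lower() == name.lower()), None)

def locations(node, vhost=None):
    """Yield (path, node, ServerName of the enclosing VirtualHost or None)."""
    for child in node["children"]:
        if child["section"].lower() == "virtualhost":
            yield from locations(child, directive(child, "ServerName"))
        elif child["section"].lower() == "location":
            yield child["arg"], child, vhost
        else:
            yield from locations(child, vhost)

def cluster_members(loc):
    """Parse WebLogicCluster 'host:port,host:port' into [(host, port)]."""
    value = directive(loc, "WebLogicCluster") or ""
    pairs = [item.strip().partition(":") for item in value.split(",") if item.strip()]
    return [(host, int(port)) for host, _, port in pairs]

def check_oaam_routing(config_text, admin_host="admin.mycompany.com"):
    """Return findings (empty = OK): /oaam_admin only under the admin virtual
    host; each OAAM <Location> on >= 2 backends on the port the guide assigns."""
    findings = []
    for path, loc, vhost in locations(parse_ohs(config_text)):
        if path not in EXPECTED_PORTS:
            continue
        if path == "/oaam_admin" and (vhost or "").split(":")[0] != admin_host:
            findings.append(f"{path} served by {vhost or 'the default host'}")
        members = cluster_members(loc)
        if len(members) < 2:
            findings.append(f"{path} has {len(members)} backend(s), not HA")
        findings += [f"{path} -> {h}:{p}, expected port {EXPECTED_PORTS[path]}"
                     for h, p in members if p != EXPECTED_PORTS[path]]
    return findings

OAAM_CONF = """\
<Location /oaam_server>
  SetHandler weblogic-handler
  WebLogicCluster oaamhost1.mycompany.com:14300,oaamhost2.mycompany.com:14300
</Location>
"""
ADMIN_CONF = """\
<VirtualHost *:80>
    ServerName admin.mycompany.com:80
    <Location /oaam_admin>
        SetHandler weblogic-handler
        WebLogicCluster oaamhost1.mycompany.com:14200,oaamhost2.mycompany.com:14200
    </Location>
</VirtualHost>
"""
```

check_oaam_routing(OAAM_CONF + ADMIN_CONF) returns an empty list for the configuration in this section; feeding it the concatenated contents of the real moduleconf files flags an /oaam_admin location that was mistakenly placed outside the admin virtual host.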

12.5.2 Restarting Oracle HTTP Server

Restart the Oracle HTTP Server on WEBHOST1 and WEBHOST2, as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components."

12.5.3 Changing Host Assertion in WebLogic

Because the Oracle HTTP Server acts as a proxy for WebLogic, by default certain CGI environment variables are not passed through to WebLogic. These include the host and port. You must tell WebLogic that it is using a virtual site name and port so that it can generate internal URLs appropriately.

To do this, log into the WebLogic administration console at http://admin.mycompany.com/console. Proceed as follows:

  1. Select Clusters from the home page or, alternatively, select Environment -> Clusters from the Domain structure menu.

  2. Click Lock and Edit in the Change Center Window to enable editing.

  3. Click the Cluster Name (cluster_oaam).

  4. In the General tab, select WebLogic Plug-In Enabled by checking the box in the Advanced Properties section.

  5. Click Save.

  6. Select HTTP and enter the following values:

    • Frontend Host: sso.mycompany.com

    • Frontend HTTP Port: 80

    • Frontend HTTPS Port: 443

    This ensures that any HTTPS URLs created from within WebLogic are directed to port 443 on the load balancer.

  7. Click Save.

  8. Select Clusters from the home page or, alternatively, select Environment -> Clusters from the Domain structure menu.

  9. Click the Cluster Name (cluster_oaam_admin).

  10. In the General tab, select WebLogic Plug-In Enabled by checking the box in the Advanced Properties section.

  11. Click Save.

  12. Select HTTP and enter the following values:

    • Frontend Host: admin.mycompany.com

    • Frontend HTTP Port: 80

  13. Click Save.

  14. Click Activate Changes in the Change Center window to apply your changes.

Restart Managed servers WLS_OAAM1, WLS_OAAM2, WLS_OAAM_ADMIN1 and WLS_OAAM_ADMIN2 as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components."

12.5.4 Validating Oracle Adaptive Access Manager

Log in to the Oracle Adaptive Access Manager admin console at http://admin.mycompany.com/oaam_admin using the oaamadmin account you created in Section 12.1.1, "Creating OAAM Administrative Groups and User in LDAP".

Also log in to the Oracle Adaptive Access Manager server at https://sso.mycompany.com/oaam_server using the oaamadmin account and the password test.

Check that the following URL can be accessed:

https://sso.mycompany.com:443/oaam_server/oamLoginPage.jsp

12.6 Loading Oracle Adaptive Access Manager Seed Data

This section describes how to load seed data into Oracle Adaptive Access Manager.

This section contains the following topics:

12.6.1 Loading Default Policies into OAAM Repository

Once OAAM has been installed, you must load default policies into the OAAM repository, as follows:

Log into the OAAM admin console at http://admin.mycompany.com/oaam_admin using the oaamadmin account you created in Section 12.1.1, "Creating OAAM Administrative Groups and User in LDAP".

Proceed as follows:

  1. Double Click Policies.

  2. Click Import Policies.

  3. Click Browse and then select the file ORACLE_HOME/oaam/init/oaam_sample_policies_for_uio_integration.zip. Click Open.

  4. Click Import.

12.6.2 Updating Default Policies to Force Challenge Questions

When you first access an account, you must set up security questions in case you forget your password. The following steps ensure that whenever an account is used for the first time, the user is prompted to set up these challenge questions.

You do so as follows:

Log into the OAAM admin console at http://admin.mycompany.com/oaam_admin using the oaamadmin account you created in Section 12.1.1, "Creating OAAM Administrative Groups and User in LDAP."

Then perform these steps:

  1. Click Policies from the Navigation menu.

  2. Select list policies from the actions menu.

  3. Click Search. An empty search is performed.

  4. Click Pre Auth Flow Phase 2 and Phase 3.

  5. Click the Group Linking tab.

  6. Change Run Mode to All Users.

  7. Click Apply.

  8. Click Policies from the Navigation menu.

  9. Select list policies from the actions menu.

  10. Click Search. An empty search is performed.

  11. Click Post Auth Flow Phase 2.

  12. Click Group Linking tab.

  13. Change Run Mode to All Users.

  14. Click Apply.

12.6.3 Loading Knowledge-Based Authentication Questions into OAAM Repository

Once OAAM has been installed, you must load default knowledge-based authentication questions into the OAAM repository. Log in to the OAAM admin console at http://admin.mycompany.com/oaam_admin using the oaamadmin account you created. Proceed as follows:

  1. Double click KBA - Questions.

  2. Click Import Questions.

  3. Click Browse and then select the file IAM_ORACLE_HOME/oaam/kba_questions/oaam_kba_questions_en.zip. Click Open.

  4. Click Import.

12.7 Oracle Adaptive Access Manager Integration

At this point Oracle Adaptive Access Manager is installed and configured.

If you have also configured Oracle Access Manager, then you may want to integrate OAAM with OAM. See Section 18.5, "Integrating OAAM with OAM 11g" for more information.

If you have also configured Oracle Identity Manager, then you may want to integrate OAAM with OIM. See Section 18.6, "Integrating Oracle Adaptive Access Manager with Oracle Identity Manager" for more information.

12.8 Backing Up the Application Tier Configuration

It is an Oracle best practices recommendation to create a backup after successfully completing the installation and configuration of each tier, or at another logical point. Create a backup after verifying that the installation so far is successful. This is a quick backup for the express purpose of immediate restoration in case of problems in later steps. The backup destination is the local disk. You can discard this backup when the enterprise deployment setup is complete. After the enterprise deployment setup is complete, you can initiate the regular deployment-specific Backup and Recovery process. For more details, see the Oracle Fusion Middleware Administrator's Guide.

For information on database backups, refer to the Oracle Database Backup and Recovery Advanced User's Guide.

To back up the installation to this point, follow these steps:

  1. Back up the web tier as described in Section 5.6, "Backing up the Web Tier Configuration."

  2. Back up the database. This is a full database backup, either hot or cold. The recommended tool is Oracle Recovery Manager. You can also use operating system tools such as tar for cold backups.

  3. Back up the Administration Server domain directory as described in Section 6.14, "Backing Up the WebLogic Domain."

  4. Back up the Oracle Internet Directory as described in Section 7.5, "Backing up the OID Configuration."

  5. Back up the Oracle Virtual Directory as described in Section 8.5, "Backing Up the Oracle Virtual Directory Configuration."

For information about backing up the application tier configuration, see Section 19.4, "Performing Backups and Recoveries."