13 Extending the Domain with Oracle Identity Manager

This chapter describes how to install and configure Oracle Identity Manager 11.1.1 for use in the Oracle Identity Management Enterprise Deployment Topology.

Oracle Identity Manager is a user provisioning and administration solution that automates the process of adding, updating, and deleting user accounts from applications and directories. It also improves regulatory compliance by providing granular reports that attest to who has access to what. Oracle Identity Manager is available as a stand-alone product or as part of Oracle Identity Management Suite.

Automating user identity provisioning can reduce Information Technology (IT) administration costs and improve security. Provisioning also plays an important role in regulatory compliance. Key features of Oracle Identity Manager include password management, workflow and policy management, identity reconciliation, reporting and auditing, and extensibility through adapters.

Oracle Identity Manager provides the following key functionalities:

For details about Oracle Identity Manager, see the Oracle Fusion Middleware System Administrator's Guide for Oracle Identity Manager.

13.1 Prerequisites

Before extending the domain with Oracle Identity Manager, ensure that the following tasks have been performed:

  1. Install and upgrade the following software on IDMHOST1, IDMHOST2, OIMHOST1 and OIMHOST2:

  2. Configure the Oracle Internet Directory instances, as described in Section 7.1 and Section 7.2.

  3. Extend the domain with Oracle Virtual Directory, as described in Chapter 8.

  4. Create the Oracle Internet Directory adapter using ODSM, as described in Section 9.6.

Note:

Oracle SOA deployed along with Oracle Identity Manager is used exclusively for Oracle Identity Manager work flow. It cannot be used for other purposes.

13.2 Extending the Domain to Configure OIM and Oracle SOA Suite on IDMHOST1

Although OIM will be deployed on servers dedicated to it (OIMHOST1 and OIMHOST2), the WebLogic domain must first be extended with OIM on IDMHOST1. Configure Oracle Identity Manager on IDMHOST1 as follows.

To extend the domain on IDMHOST1, stop the WebLogic Administration Server and all the managed servers running in the domain. Then start the configuration wizard by executing the command:

MW_HOME/oracle_common/common/bin/config.sh

Proceed as follows:

  1. On the Welcome screen, select Extend an existing WebLogic Domain.

    Click Next.

  2. On the Select WebLogic Domain Directory screen, select the location of the domain directory for the OIM domain. For example: /u01/app/oracle/admin/IDMDomain/aserver/IDMDomain.

    Click Next.

  3. On the Select Extension Source screen, select Extend my domain automatically to support the following added products. From the list below, select: Oracle Identity Manager.

    Note:

    Oracle SOA Suite and Oracle WSM Policy Manager are selected automatically.

    Select Next.

  4. The Configure RAC Multi Data Sources screen displays the schedulerDS Data Source configured for Oracle Directory Integration Platform and Oracle Directory Services Manager (ODSM). Do not make any selections or changes on this screen.

    Click Next.

  5. On the Configure JDBC Component Schemas screen, select all the data sources listed on the page:

    • SOA Infrastructure

    • User Messaging Service

    • OIM MDS Schema

    • OWSM MDS Schema

    • SOA MDS Schema

    • OIM Schema

    Select Configure selected component schemas as RAC multi data source schemas in the next panel.

    Click Next.

  6. On the Configure RAC Multi Data Source Component Schema page, select all the schemas for your component. Do not select schemas listed for previously configured components. Then enter the following information:

    Service Name: oimedg.us.oracle.com

    For the First Oracle RAC Node:

    • HostName: oimdb1.us.oracle.com

    • Instance Name: oimedg1

    • Port: 1521

    For the second Oracle RAC Node (click Add to add an additional row):

    • HostName: oimdb2.us.oracle.com

    • Instance Name: oimedg2

    • Port: 1521

    Select each schema individually to enter the user name and password. For example:

    Schema Name             Schema Owner   Password
    SOA Infrastructure      EDG_SOAINFRA   password
    User Messaging Service  EDG_ORASDPM    password
    OIM MDS Schema          EDG_MDS        password
    OWSM MDS Schema         EDG_MDS        password
    SOA MDS Schema          EDG_MDS        password
    OIM Infrastructure      EDG_OIM        password

    Click Next.

    Note:

    Do not select the OAM Infrastructure Multi Data Source Schema on this screen.

  7. On the Test Component Schema screen, the Configuration Wizard attempts to validate the data sources. If the data source validation succeeds, click Next. If it fails, click Previous, correct the problem, and try again.

    Click Next.

  8. On the Select Optional Configuration screen, Select:

    • JMS Distributed Destination

    • Managed Servers, Clusters and Machines

    Click Next.

  9. On the JMS Distributed Destination screen, make sure that all the JMS system resources listed on the screen are uniform distributed destinations. If they are not, select UDD from the drop-down box. Make sure that the entries look like this:

    JMS System Resource    Uniform/Weighted Distributed Destination
    UMSJMSSystemResource   UDD
    SOAJMSModule           UDD
    OIMJMSModule           UDD

    Click Next.

    An Override Warning box with the following message is displayed:

    CFGFWK-40915: At least one JMS system resource has been selected for conversion to a Uniform Distributed Destination (UDD). This conversion will take place only if the JMS System resource is assigned to a cluster

    Click OK on the Override Warning box.

  10. When you first enter the Configure Managed Servers screen, the configuration wizard will have created a default managed server for you. Change the details of the default managed server. In addition, create a new entry by clicking Add. That is, there should be two entries for each OIMHOST in the topology.

    For the Oracle Identity Management Managed Servers:

    • Name: WLS_OIMn where n is a sequential number

    • Listen Address: The DNS name of the server that will host the managed server

    • Listen Port: 14000

    For the SOA Managed Servers:

    • Name: WLS_SOAn where n is a sequential number

    • Listen Address: The DNS name of the server that will host the managed server

    • Listen Port: 8001

    Click Next.

    Note:

    Do not change the configuration of any managed servers that have already been configured as part of previous application deployments.

  11. On the Configure Clusters screen, create two clusters, by clicking Add. Supply the following information:

    OIM Cluster:

    • Name: cluster_oim

    • Cluster Messaging Mode: unicast

    SOA Cluster:

    • Name: cluster_soa

    • Cluster Messaging Mode: unicast

    Leave all other fields at the default settings and click Next.

    Note:

    Do not make any changes to the cluster_oam and the cluster_soa entries.

  12. On the Assign Servers to Clusters screen, associate the managed servers with the cluster. Click the cluster name in the right pane. Click the managed server under Servers, then click the arrow to assign it to the cluster.

    The cluster_oim will have the managed servers WLS_OIM1 and WLS_OIM2 as members.

    The cluster_soa will have the managed servers WLS_SOA1 and WLS_SOA2 as members.

    Click Next.

    Note:

    Do not make any changes to the cluster_oam and the cluster_soa entries.

  13. On the Configure Machines screen, create a machine for each host in the topology. Click the tab UNIX if your hosts use Linux or a UNIX-based operating system. Otherwise, click Machines. Supply the following information:

    • Name: Name of the host. Best practice is to use the DNS name. For example: oimhost1.mycompany.com and oimhost2.mycompany.com for the first and second nodes respectively.

    • Node Manager Listen Address: DNS name of the machine. For example: oimhost1.mycompany.com and oimhost2.mycompany.com for the first and second nodes respectively.

    • Node Manager Port: Port for Node Manager

    If Oracle Identity Manager has created a local machine entry under the General Machines tab, delete it.

    Click Next.

  14. On the Assign Servers to Machines screen, indicate which managed servers will run on each of the machines you created.

    Click a machine in the right pane.

    Click the managed servers you want to run on that machine in the left pane.

    Click the arrow to assign the managed servers to the machines.

    Repeat until all managed servers are assigned to machines.

    For example:

    • OIMHOST1: WLS_OIM1 and WLS_SOA1

    • OIMHOST2: WLS_OIM2 and WLS_SOA2

    Click Next to continue.

  15. On the Configuration Summary screen, click Extend to extend the domain.

  16. Stop and start the WebLogic Administration Server, as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components."

13.3 Configuring Oracle Identity Manager on IDMHOST1

After you have extended the domain, configure the Oracle Identity Manager and SOA Managed Servers before starting them.

13.3.1 Prerequisites for Configuring Oracle Identity Manager

Before configuring Oracle Identity Manager, ensure that the following tasks have been performed:

  1. Configure Oracle Internet Directory using the LDAP configuration pre-setup script, as described in Section 13.3.1.1.

  2. Create the Adapters in Oracle Virtual Directory, as described in Section 13.3.1.2

13.3.1.1 Configuring Oracle Internet Directory using the LDAP Configuration Pre-Setup Script

The Oracle Identity Manager LDAP configuration pre-setup script adds the users, groups, and schema elements required by OIM to OID. The LDAP configuration pre-setup script is located under the IAM_ORACLE_HOME/server/ldap_config_util directory. To run the script, follow these steps:

  1. Edit the ldapconfig.props file located under the IAM_ORACLE_HOME/server/ldap_config_util directory and provide the following values:

    Parameter                 Value
    OIMProviderURL            t3://oimhost1.us.oracle.com:14000,oimhost2.us.oracle.com:14000
    OIDURL                    ldap://oidhost1.mycompany.com:389
    OIDAdminUsername          cn=orcladmin
    OIDSearchBase             dc=mycompany,dc=com
    UserContainerName         cn=Users
    RoleContainerName         cn=Roles
    ReservationContainerName  cn=Reserved

    Note:

    • The OIMProviderURL is not used by the LDAP configuration pre-setup script. It is only used by the LDAP configuration post-setup script.

    • The OIDURL above refers to the OID URL. Do not substitute the OVD URL.

    • The script throws a warning message if a container already exists in OID. You can safely ignore this message.

  2. Save the file.

  3. Set the JAVA_HOME and the WL_HOME.

    JAVA_HOME=ORACLE_BASE/product/fmw/jdk160_18
    WL_HOME=ORACLE_BASE/product/fmw/wlserver_10.3
    

    Note:

    The JAVA_HOME must be set to the SUN JDK.

  4. Run LDAPConfigPreSetup.sh. The script prompts for the Oracle Internet Directory administrator password and the Oracle Identity Manager administrator password. For example:

    Prompt> ./LDAPConfigPreSetup.sh
    [Enter OID admin password:]
    [Enter OIM admin password:]
    

    Note:

    The LDAPConfigPreSetup script creates a user called oimadmin in Oracle Internet Directory with the following DN: cn=oimadmin,cn=users,cn=oim,cn=products,cn=oraclecontext. Oracle Identity Manager uses this user for the LDAP sync operations.

    You use the credentials for the oimadmin user when you create the adapters in OVD. Make a note of the password provided here.

    The output will be similar to this:

    ./LDAPConfigPreSetup.sh 
    [Enter OID admin password:]
    [Enter OIM admin password:]
    Jun 21, 2010 6:16:18 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING:  ./oimadminuser.ldif
    Jun 21, 2010 6:16:20 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING:  ./oimcontainers.ldif
    Jun 21, 2010 6:16:20 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING:  ../../oam/server/oim-intg/schema/OID_oblix_schema_add.ldif
    Jun 21, 2010 6:16:48 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING:  ../../oam/server/oim-intg/schema/OID_oblix_schema_index_add.ldif
    
    
    Jun 21, 2010 6:26:03 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING:  ../../oam/server/oim-intg/schema/OID_oblix_pwd_schema_add.ldif
    Jun 21, 2010 6:26:04 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING:  ../../oam/server/oim-intg/schema/OID_oim_pwd_schema_add.ldif
    
  5. Validate that the script completed successfully.

13.3.1.2 Creating Adapters in Oracle Virtual Directory

OIM uses OVD to connect to external LDAP stores. You must create a user adapter and a change log adapter in OVD to enable OIM to connect to an external LDAP store such as OID. Follow these steps to create the adapters.

User Adapter

Create the user adapter on the OVD instances running on OVDHOST1 and OVDHOST2 individually. Follow these steps to create the User Adapter in Oracle Virtual Directory using Oracle Directory Services Manager.

  1. Start the Administration Server and the WLS_ODSn Managed Servers as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components."

  2. Open a browser and bring up the ODSM console at http://admin.mycompany.com/odsm.

  3. Create connections to each of the OVD instances running on OVDHOST1 and OVDHOST2, if they do not already exist.

  4. Connect to each OVD instance by using the appropriate connection entry.

  5. On the Home page, click the Adapter tab.

  6. Start the New Adapter Wizard by clicking Create Adapter at the top of the adapter window.

  7. Create a new adapter using the New Adapter Wizard, with the following parameters:

    Note:

    If you created a User Adapter by following Section 9.6, "Creating the Oracle Internet Directory Adapter Using ODSM," skip the steps to create the Adapter and follow the steps to Edit the Adapter.

    Screen           Field                 Value/Step
    Type             Adapter Type          LDAP
                     Adapter Name          User Adapter
                     Adapter Template      User_OID
    Connection       Use DNS Setting       No
                     Host                  oid.mycompany.com
                     Port                  389
                     Server Proxy Bind DN  cn=oimadmin,cn=users,cn=oim,cn=products,cn=oraclecontext
                     Proxy Password        oimadmin password. This is the same as the password provided in Section 13.3.1.1.
    Connection Test                        Validate that the test succeeds.
    Namespace        Remote Base           dc=mycompany,dc=com
                     Mapped Namespace      dc=mycompany,dc=com
    Summary                                Verify that the summary is correct and then click Finish.

  8. Edit the User Adapter as follows:

    1. Select the OIM User Adapter.

    2. Click the Plug-ins Tab.

    3. Click the User Management Plug-in, then click Edit in the plug-ins table. The plug-in editing window appears.

    4. In the Parameters table, update the parameter values as follows:

      Parameter      Value
      directoryType  oid
      pwdMaxFailure  10
      oamEnabled     true

    5. Click OK.

    6. Click Apply.

Change Log Adapter

Create the change log adapter on the OVD instances running on OVDHOST1 and OVDHOST2 individually. Follow these steps to create the Change Log Adapter in OVD using Oracle Directory Services Manager.

  1. Open a browser and bring up the ODSM console at http://admin.mycompany.com/odsm.

  2. Create connections to each of the OVD instances running on OVDHOST1 and OVDHOST2, if they do not already exist.

  3. Connect to an OVD instance by using the appropriate connection entry.

  4. On the Home page, click on the Adapter tab.

  5. Start the New Adapter Wizard by clicking Create Adapter at the top of the adapter window.

  6. Create a new adapter using the New Adapter Wizard, with the following parameters:

    Screen           Field                 Value/Step
    Type             Adapter Type          LDAP
                     Adapter Name          OIM Change Log Adapter
                     Adapter Template      Changelog_OID
    Connection       Use DNS Setting       No
                     Host                  oid.mycompany.com
                     Port                  389
                     Server Proxy Bind DN  cn=oimadmin,cn=users,cn=oim,cn=products,cn=oraclecontext
                     Proxy Password        oimadmin password. This is the same as the password provided in Section 13.3.1.1.
    Connection Test                        Validate that the test succeeds.
    Namespace        Remote Base           cn=changelog
                     Mapped Namespace      cn=changelog
    Summary                                Verify that the summary is correct, then click Finish.

  7. To edit the change adapter follow these steps.

    1. Select the OIM Change Log Adapter.

    2. Click the Plug-ins tab.

    3. In the Deployed Plug-ins table, click the changelog plug-in, then click Edit in the plug-ins table. The plug-in editing window appears.

    4. In the Parameters table, update the parameter values.

    5. Click OK.

    6. Click Apply.

    Edit the Change Log Adapter to either add or modify the properties so that they match the values shown in the following table. You must add the mapObjectclass, modifierDNFilter, sizeLimit, and targetDNFilter properties to the adapter.

    Parameter          Value
    directoryType      oid
    mapAttribute       targetGUID=orclGUID
    mapObjectclass     changelog=changelogentry
    requiredAttribute  orclGUID
    addAttribute       orclContainerOC,changelogSupported=1
    modifierDNFilter   cn=oimadmin,cn=users,cn=OIM,cn=Products,cn=OracleContext
    sizeLimit          1000
    targetDNFilter     dc=mycompany,dc=com (the search base from which reconciliation needs to happen; this value must be the same as the LDAP SearchDN specified during OIM installation)
    mapUserState       true
    oamEnabled         true

Stopping and Starting Oracle Internet Directory and Oracle Virtual Directory

Stop and Start:

  • The OVD instances running on both OVDHOST1 and OVDHOST2.

  • The OID instances running on both OIDHOST1 and OIDHOST2.

as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components."

13.3.2 Running the Oracle Identity Management Configuration Wizard

You must configure the OIM server instances before you can start the OIM and SOA Managed Servers. The Oracle Identity Management Configuration Wizard loads the OIM metadata into the database and configures the instance.

Before proceeding, ensure that the following are true:

  • The administration server is up and running.

  • The environment variables DOMAIN_HOME and WL_HOME are not set in the current shell.

The Oracle Identity Management Configuration Wizard is located under the Identity Management Oracle home. Type:

IAM_ORACLE_HOME/bin/config.sh

Proceed as follows:

  1. On the Welcome screen, click Next.

  2. On the Components to Configure screen, Select OIM Server and OIM Remote Manager.

    Click Next.

  3. On the Database screen, provide the following values:

    • Connect String: The connect string for the OIM database. For example:

      oimdb1-vip.mycompany.com:1521:oimedg1^oimdb2-vip.mycompany.com:1521:oimedg2@oimedg.mycompany.com

    • OIM Schema User Name: edg_oim

    • OIM Schema password: password

    • MDS Schema User Name: edg_mds

    • MDS Schema Password: password

    Select Next.

  4. On the WebLogic Administration Server screen, provide the following details for the WebLogic Admin Server:

    • URL: The URL to connect to the WebLogic Administration Server. For example: t3://adminvhn.mycompany.com:7001

    • UserName: weblogic

    • Password: Password for the weblogic user

    Click Next.

  5. On the OIM Server screen, provide the following values:

    • OIM Administrator Password: Password for the OIM Administrator. This is the password for the xelsysadm user.

    • Confirm Password: Confirm the password

    • OIM HTTP URL: Proxy URL for the OIM Server. This is the URL for the Hardware load balancer that is front ending the OHS servers for OIM. For example: http://oiminternal.mycompany.com:80.

    • Key Store Password: Key store password. The password must have an uppercase letter and a number. For example: MyPassword1

    Click Next.

  6. On the LDAP Sync and OAM screen, select Configure BI Publisher and provide the BI Publisher URL. Enter the URL to connect to the BI Publisher in your environment.

    Select Enable LDAP Sync

    Notes:

    • Do not select Enable Identity Administration Integration with OAM. This will be configured later.

    • BI Publisher is not a part of the IDMDomain. The steps to configure the BI Publisher are not covered in this Enterprise Deployment Guide.

    Click Next.

  7. On the LDAP Server screen, provide the following LDAP server details:

    • LDAP URL: The URL to access the LDAP server. For example: ldap://ovd.mycompany.com:389

    • LDAP User: The username to connect to the LDAP Server. For example: cn=orcladmin

    • LDAP Password: The password to connect to the LDAP server.

    • LDAP SearchDN: The Search DN. For example: dc=mycompany,dc=com.

    Click Next.

  8. On the LDAP Server Continued screen, provide the following LDAP server details:

    • LDAP Role Container: The DN for the Role Container. This is the container where the OIM roles are stored. For example: cn=Roles,dc=mycompany,dc=com

    • LDAP User Container: The DN for the User Container. This is the container where the OIM users are stored. For example: cn=Users,dc=mycompany,dc=com

    • User Reservation Container: The DN for the User Reservation Container. For example: cn=Reserved,dc=mycompany,dc=com.

    Note:

    These container values should be the same as those used in LDAPConfigPreSetup.sh.

    Click Next.

  9. On the Remote Manager screen, provide the following values:

    • Service Name: EDG_RManager

    • RMI Registry Port: 12345

    • Listen Port (SSL): 12346

  10. On the Configuration Summary screen, verify the summary information.

    Click Configure to configure the Oracle Identity Manager instance.

  11. On the Configuration Progress screen, once the configuration completes successfully, click Next.

  12. On the Configuration Complete screen, view the details of the Oracle Identity Manager Instance configured.

    Click Finish to exit the Configuration Assistant.

  13. Stop the WebLogic Administration Server and all the managed servers running in the domain, as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components."

  14. Start the WebLogic Administration Server and all the managed servers running in the domain, as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components."
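The container values entered on the LDAP Server Continued screen (step 8) must match the ones LDAPConfigPreSetup.sh used from ldapconfig.props (Section 13.3.1.1), and that file must point at OID rather than OVD. As an added example, not part of this guide or of the OIM tooling, the following Python script parses an ldapconfig.props file of that form, flags those two problems, and derives the container DNs to enter in the wizard; the sample properties, the function names, and the ovd_hosts parameter are constructed for this example.

```python
"""Consistency check for the OIM LDAP configuration inputs (added example).

Parses an ldapconfig.props file of the form used by LDAPConfigPreSetup.sh,
validates the values the pre-setup script depends on, and derives the
container DNs that the Oracle Identity Management Configuration Wizard
expects on its LDAP Server Continued screen. Function names, the ovd_hosts
parameter and the sample properties are constructed for this example.
"""
from urllib.parse import urlparse

REQUIRED_KEYS = (
    "OIMProviderURL", "OIDURL", "OIDAdminUsername", "OIDSearchBase",
    "UserContainerName", "RoleContainerName", "ReservationContainerName",
)

# Constructed sample, using the values from the table in Section 13.3.1.1.
SAMPLE_PROPS = """\
# ldapconfig.props (constructed sample)
OIMProviderURL=t3://oimhost1.us.oracle.com:14000,oimhost2.us.oracle.com:14000
OIDURL=ldap://oidhost1.mycompany.com:389
OIDAdminUsername=cn=orcladmin
OIDSearchBase=dc=mycompany,dc=com
UserContainerName=cn=Users
RoleContainerName=cn=Roles
ReservationContainerName=cn=Reserved
"""


def parse_props(text):
    """Parse Java-style key=value lines; lines starting with # or ! are comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"malformed property line: {raw!r}")
        # Values such as OIDAdminUsername=cn=orcladmin contain '='; partition
        # splits on the first one only, so the rest of the value is kept.
        props[key.strip()] = value.strip()
    return props


def normalize_dn(dn):
    """Comparison form for DNs: RDNs lower-cased with surrounding blanks removed."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def expected_containers(props):
    """Container DNs to enter on the wizard's LDAP Server Continued screen."""
    base = props["OIDSearchBase"]
    return {
        "LDAP User Container": f"{props['UserContainerName']},{base}",
        "LDAP Role Container": f"{props['RoleContainerName']},{base}",
        "User Reservation Container": f"{props['ReservationContainerName']},{base}",
    }


def check_props(props, ovd_hosts=()):
    """Return a list of problems; an empty list means the file is usable.

    ovd_hosts lists the OVD front-end host names (constructed parameter):
    the pre-setup script must be pointed at OID directly, not at OVD.
    """
    problems = [f"missing {key}" for key in REQUIRED_KEYS if not props.get(key)]
    if problems:
        return problems
    oid = urlparse(props["OIDURL"])
    if oid.scheme not in ("ldap", "ldaps") or not oid.hostname:
        problems.append("OIDURL must be an ldap:// or ldaps:// URL with a host name")
    elif oid.hostname.lower() in {h.lower() for h in ovd_hosts}:
        problems.append("OIDURL points at an OVD host; use the OID URL here")
    if not props["OIMProviderURL"].startswith(("t3://", "t3s://")):
        problems.append("OIMProviderURL must be a t3:// or t3s:// URL")
    for key in ("UserContainerName", "RoleContainerName", "ReservationContainerName"):
        if "," in props[key] or not props[key].lower().startswith("cn="):
            problems.append(f"{key} must be a single RDN such as cn=Users")
    return problems


def containers_match(props, wizard_values):
    """True per container when the wizard entry equals the pre-setup DN."""
    return {
        name: normalize_dn(wizard_values.get(name, "")) == normalize_dn(dn)
        for name, dn in expected_containers(props).items()
    }


if __name__ == "__main__":
    p = parse_props(SAMPLE_PROPS)
    print(check_props(p, ovd_hosts=("ovd.mycompany.com",)) or "ldapconfig.props OK")
    for name, dn in expected_containers(p).items():
        print(f"{name}: {dn}")
```

Run it against the real IAM_ORACLE_HOME/server/ldap_config_util/ldapconfig.props before step 4 of Section 13.3.1.1, and compare its output with what you type in step 8 above.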

13.4 Propagating the OIM and SOA Managed Servers to OIMHOST1 and OIMHOST2

Once the configuration has succeeded on IDMHOST1, you can propagate the configuration to OIMHOST1 and OIMHOST2. You do this by packing the domain on IDMHOST1 and unpacking it on OIMHOST1 and OIMHOST2.

Follow these steps to propagate the domain from IDMHOST1 to OIMHOST1 and OIMHOST2.

  1. Invoke the pack utility from MW_HOME/oracle_common/common/bin/.

    ./pack.sh -domain=ORACLE_BASE/admin/IDMDomain/aserver/IDMDomain -template=/u01/app/oracle/admin/templates/oim_domain.jar -template_name="OIM Domain" -managed=true
    
  2. This creates a file called oim_domain.jar in the /u01/app/oracle/admin/templates directory. Copy this file to OIMHOST1 and OIMHOST2.

  3. On OIMHOST1, invoke the utility unpack, which is also located in the directory MW_HOME/oracle_common/common/bin/.

    ./unpack.sh -domain=/u01/app/oracle/admin/IDMDomain/mserver/IDMDomain -template=/u01/app/oracle/product/fmw/templates/oim_domain.jar -overwrite_domain=true -app_dir=/u01/app/oracle/admin/IDMDomain/mserver/applications
    
  4. On OIMHOST2, invoke the utility unpack, which is also located in the directory MW_HOME/oracle_common/common/bin/.

    ./unpack.sh -domain=/u01/app/oracle/admin/IDMDomain/mserver/IDMDomain -template=/u01/app/oracle/product/fmw/templates/oim_domain.jar -overwrite_domain=true -app_dir=/u01/app/oracle/admin/IDMDomain/mserver/applications
    
  5. Copy the soa directory located under the /u01/app/oracle/admin/IDMDomain/aserver/IDMDomain directory on IDMHOST1 to the /u01/app/oracle/admin/IDMDomain/mserver/IDMDomain directory on OIMHOST1 and OIMHOST2.

    To copy the soa directory from IDMHOST1 to OIMHOST1:

    scp -rp /u01/app/oracle/admin/IDMDomain/aserver/IDMDomain/soa user@OIMHOST1:/u01/app/oracle/admin/IDMDomain/mserver/IDMDomain/soa
    

    To copy the soa directory from IDMHOST1 to OIMHOST2:

    scp -rp /u01/app/oracle/admin/IDMDomain/aserver/IDMDomain/soa user@OIMHOST2:/u01/app/oracle/admin/IDMDomain/mserver/IDMDomain/soa
    

13.5 Post-Installation Steps on OIMHOST1 and OIMHOST2

This section describes post-installation steps.

13.5.1 Updating the Coherence Configuration for the SOA Managed Server

Follow these steps to update the Coherence Configuration for the WLS_SOA Server.

  1. Log into the Oracle WebLogic Server Administration Console.

  2. Click Lock and Edit.

  3. In the Domain Structure window, expand the Environment node.

  4. Click Servers. The Summary of Servers page appears.

  5. Click the name of the server in the Name column of the table. The settings page for the selected server appears.

  6. Click the Server Start tab.

  7. Enter text into the Arguments field for WLS_SOA1 and WLS_SOA2.

    For WLS_SOA1, enter the following text on a single line, without a carriage return:

    -Dtangosol.coherence.wka1=oimhost1vhn1.mycompany.com -Dtangosol.coherence.wka2=oimhost2vhn1.mycompany.com -Dtangosol.coherence.localhost=oimhost1vhn1.mycompany.com
    

    For WLS_SOA2, enter the following text on a single line, without a carriage return:

    -Dtangosol.coherence.wka1=oimhost1vhn1.mycompany.com -Dtangosol.coherence.wka2=oimhost2vhn1.mycompany.com -Dtangosol.coherence.localhost=oimhost2vhn1.mycompany.com
    

    Note:

    The Coherence cluster used for deployment uses port 8088 by default. You can change this port by specifying a different port (for example, 8089) with the -Dtangosol.coherence.wkan.port and -Dtangosol.coherence.localport startup parameters. For example:

    For WLS_SOA1 (on a single line):

    -Dtangosol.coherence.wka1=oimhost1vhn1 -Dtangosol.coherence.wka2=oimhost2vhn1 -Dtangosol.coherence.localhost=oimhost1vhn1 -Dtangosol.coherence.localport=8089 -Dtangosol.coherence.wka1.port=8089 -Dtangosol.coherence.wka2.port=8089
    

    For WLS_SOA2 (on a single line):

    -Dtangosol.coherence.wka1=oimhost1vhn1 -Dtangosol.coherence.wka2=oimhost2vhn1 -Dtangosol.coherence.localhost=oimhost2vhn1 -Dtangosol.coherence.localport=8089 -Dtangosol.coherence.wka1.port=8089 -Dtangosol.coherence.wka2.port=8089
    
  8. Click Save and activate the changes.

Note:

The multicast and unicast addresses are different from the ones used by the WebLogic Server cluster for cluster communication. SOA guarantees that composites are deployed to members of a single WebLogic Server cluster even though the communication protocol for the two entities (the WebLogic Server cluster and the groups to which composites are deployed) are different.

Do not copy the text from this section to your Administration Console's arguments text field. Doing so can cause HTML tags to be inserted in the Java arguments. The text should not include any text or characters other than the ones shown.

13.5.2 Starting the WLS_OIM1 and WLS_SOA1 Managed Servers on OIMHOST1

Follow this sequence of steps to start the WLS_OIM1 and WLS_SOA1 Managed Servers on OIMHOST1:

  1. Stop the WebLogic Administration Server on IDMHOST1 by using the WebLogic Administration Console as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components."

  2. Start the Administration Server on IDMHOST1 using the node manager, as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components."

  3. Validate that the Administration Server started up successfully by bringing up the Oracle WebLogic Administration Console.

  4. Start Node Manager on OIMHOST1. Create the nodemanager.properties file by using the startNodeManager.sh script located under the MW_HOME/wlserver_10.3/server/bin directory.

  5. Before you can start the managed servers by using the console, Node Manager requires that the property StartScriptEnabled be set to true. You set it by running the setNMProps.sh script located under the MW_HOME/oracle_common/common/bin directory.

    prompt> cd MW_HOME/oracle_common/common/bin
    prompt> ./setNMProps.sh
  6. Stop and Start the node manager as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components" so that the properties take effect.

  7. Start the WLS_SOA1 managed server, using the WebLogic Administration Console as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components."

  8. Start the WLS_OIM1 managed server using the WebLogic Administration Console as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components."

13.5.3 Validating Oracle Identity Manager Instance on OIMHOST1

Validate the Oracle Identity Manager Server Instance by bringing up the OIM Console in a web browser at: http://oimhost1.mycompany.com:14000/oim/self.

Log in using the xelsysadm username and password.

Note:

When you log in for the first time, you will be prompted to set up Challenge Questions. Do so before proceeding further.

13.6 Post-Installation Steps on OIMHOST2

This section describes the post-installation steps on OIMHOST2.

13.6.1 Starting Node Manager on OIMHOST2

  1. Start the Node Manager on OIMHOST2 to create the nodemanager.properties file by using the startNodeManager.sh script located under the MW_HOME/wlserver_10.3/server/bin directory.

  2. Before you can start the managed servers by using the console, Node Manager requires that the property StartScriptEnabled be set to true. You set it by running the setNMProps.sh script located under the MW_HOME/oracle_common/common/bin directory.

    prompt> cd MW_HOME/oracle_common/common/bin
    prompt> ./setNMProps.sh

  3. Stop and start the Node Manager as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components," so that the properties take effect.

13.6.2 Starting the WLS_OIM2 and WLS_SOA2 Managed Servers on OIMHOST2

Follow this sequence of steps to start the WLS_OIM2 and WLS_SOA2 Managed Servers on OIMHOST2:

  1. Start the WLS_SOA2 managed server, using the WebLogic Administration Console as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components."

  2. Start the WLS_OIM2 managed server using the WebLogic Administration Console as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components."

13.6.3 Validating Oracle Identity Manager Instance on OIMHOST2

Validate the Oracle Identity Manager Server Instance by bringing up the OIM Console in a web browser at: http://oimhost2.mycompany.com:14000/oim/.

Log in using the xelsysadm username and password.

13.7 Configuring Oracle Internet Directory using the LDAP Configuration Post-Setup Script

The OIM LDAP configuration post-setup script updates the OIM LDAP Sync scheduled jobs with the last change number from OID. The LDAP configuration post-setup script is located under the IAM_ORACLE_HOME/server/ldap_config_util directory. Run the Script on IDMHOST1, as follows:

  1. Edit the ldapconfig.props file located under the IAM_ORACLE_HOME/server/ldap_config_util directory and provide the following values:

    Parameter                 Value
    OIMProviderURL            t3://oimhost1.us.oracle.com:14000,oimhost2.us.oracle.com:14000
    OIDURL                    ldap://oidhost1.mycompany.com:389
    OIDAdminUsername          cn=orcladmin
    OIDSearchBase             dc=mycompany,dc=com
    UserContainerName         cn=Users
    RoleContainerName         cn=Roles
    ReservationContainerName  cn=Reserved

    Note:

    • UserContainerName, RoleContainerName, and ReservationContainerName are not used in this step.

    • These values might have already been set when you ran the LDAPConfigPreSetup.sh script in Section 13.3.1.1.

  2. Save the file.

  3. Set the JAVA_HOME and WL_HOME environment variables and export them so that the script can see them:

    JAVA_HOME=ORACLE_BASE/product/fmw/jdk160_18
    WL_HOME=ORACLE_BASE/product/fmw/wlserver_10.3
    export JAVA_HOME WL_HOME
    

    Note:

    JAVA_HOME must be set to the Sun JDK.

  4. Run LDAPConfigPostSetup.sh. The script prompts for the OID Admin Password and the OIM Admin Password. For example:

    Prompt> ./LDAPConfigPostSetup.sh
    [Enter OID admin password: ]
    [Enter password for xelsysadm: ]
    

13.8 Configuring Oracle Identity Manager to Work with the Oracle Web Tier

This section describes how to configure Oracle Identity Manager to work with the Oracle Web Tier.

This section contains the following topics:

13.8.1 Prerequisites

Before configuring Oracle Identity Manager to work with the Oracle Web Tier, ensure that the following tasks have been performed:

  1. Install Oracle Web Tier on WEBHOST1 and WEBHOST2.

  2. Install and configure Oracle Identity Manager on IDMHOST1 and IDMHOST2.

  3. Configure the load balancer with a virtual hostname (sso.mycompany.com) pointing to the web servers on WEBHOST1 and WEBHOST2.

  4. Configure the load balancer with a virtual hostname (admin.mycompany.com) pointing to web servers WEBHOST1 and WEBHOST2.

13.8.2 Configuring Oracle HTTP Servers to Front End the OIM and SOA Managed Servers

  1. On each of the web servers on WEBHOST1 and WEBHOST2, create a file called oim.conf in the directory ORACLE_INSTANCE/config/OHS/component/moduleconf. This file must contain the following information:

    # oim admin console (idmshell based)
    <Location /admin>
      SetHandler weblogic-handler
      WLCookieName    oimjsessionid
      WebLogicCluster oimhost1.us.oracle.com:14000,oimhost2.us.oracle.com:14000
      WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
    </Location>

    # oim self and advanced admin webapp consoles (canonic webapp)
    <Location /oim>
      SetHandler weblogic-handler
      WLCookieName    oimjsessionid
      WebLogicCluster oimhost1.us.oracle.com:14000,oimhost2.us.oracle.com:14000
      WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
    </Location>

    # SOA Callback webservice for SOD - Provide the SOA Managed Server Ports
    <Location /sodcheck>
      SetHandler weblogic-handler
      WLCookieName    oimjsessionid
      WebLogicCluster oimhost1.us.oracle.com:8001,oimhost2.us.oracle.com:8001
      WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
    </Location>

    # Callback webservice for SOA. SOA calls this when a request is approved/rejected
    # Provide the SOA Managed Server Port
    <Location /workflowservice>
      SetHandler weblogic-handler
      WLCookieName    oimjsessionid
      WebLogicCluster oimhost1.us.oracle.com:14000,oimhost2.us.oracle.com:14000
      WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
    </Location>

    # xlWebApp - Legacy 9.x webapp (struts based)
    <Location /xlWebApp>
      SetHandler weblogic-handler
      WLCookieName    oimjsessionid
      WebLogicCluster oimhost1.us.oracle.com:14000,oimhost2.us.oracle.com:14000
      WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
    </Location>

    # Nexaweb WebApp - used for workflow designer and DM
    <Location /Nexaweb>
      SetHandler weblogic-handler
      WLCookieName    oimjsessionid
      WebLogicCluster oimhost1.us.oracle.com:14000,oimhost2.us.oracle.com:14000
      WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
    </Location>

    # used for FA Callback service.
    <Location /callbackResponseService>
      SetHandler weblogic-handler
      WLCookieName    oimjsessionid
      WebLogicCluster oimhost1.us.oracle.com:14000,oimhost2.us.oracle.com:14000
      WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
    </Location>

    # spml xsd profile
    <Location /spml-xsd>
      SetHandler weblogic-handler
      WLCookieName    oimjsessionid
      WebLogicCluster oimhost1.us.oracle.com:14000,oimhost2.us.oracle.com:14000
      WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
    </Location>

    # HTTP client webapp
    <Location /HTTPClnt>
      SetHandler weblogic-handler
      WLCookieName    oimjsessionid
      WebLogicCluster oimhost1.us.oracle.com:14000,oimhost2.us.oracle.com:14000
      WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
    </Location>

  2. Save the file on both WEBHOST1 and WEBHOST2.

  3. Stop and start the Oracle HTTP Server instances on both WEBHOST1 and WEBHOST2 as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components."
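A directive split across two lines, or a cluster list pointing at the wrong managed server port, is easy to miss in a file this repetitive and only shows up as a failed Oracle HTTP Server restart or as 404s from the load balancer. The following checker is an added example, not part of the Oracle guide; it parses the <Location> blocks of an oim.conf fragment, confirms that each carries the four directives shown above, and checks that every WebLogicCluster member is a well-formed host:port on the expected port (8001 for the SOA-fronted /sodcheck path, 14000 for everything else). The SAMPLE fragment is constructed and deliberately contains one broken block.

```python
"""Check an oim.conf mod_wl fragment (Section 13.8.2) before restarting OHS.
Added example, not from the Oracle guide; the SAMPLE fragment is constructed."""
import re

REQUIRED = ("SetHandler", "WLCookieName", "WebLogicCluster", "WLLogFile")
HOSTPORT = re.compile(r"^[A-Za-z0-9.-]+:\d{1,5}$")           # one host:port member
BLOCK = re.compile(r"<Location\s+(\S+)\s*>(.*?)</Location>", re.S)

def parse_locations(conf):
    """Return {path: {directive: value}} for every <Location> block."""
    blocks = {}
    for m in BLOCK.finditer(conf):
        directives = {}
        for line in m.group(2).splitlines():
            line = line.strip()
            if line and not line.startswith("#"):
                parts = line.split(None, 1)
                directives[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
        blocks[m.group(1)] = directives
    return blocks

def check_oim_conf(conf, soa_paths=("/sodcheck",), oim_port=14000, soa_port=8001):
    """Return a list of findings; an empty list means the fragment looks sound.
    SOA-fronted paths must point at the SOA port, everything else at the OIM port."""
    findings = []
    for path, d in parse_locations(conf).items():
        findings += ["%s: missing %s" % (path, n) for n in REQUIRED if n not in d]
        if "WebLogicCluster" in d:
            members = [x for x in d["WebLogicCluster"].split(",") if x]
            if not members or any(not HOSTPORT.match(x) for x in members):
                findings.append("%s: malformed WebLogicCluster %r" % (path, d["WebLogicCluster"]))
            else:
                want = soa_port if path in soa_paths else oim_port
                wrong = [x for x in members if int(x.rsplit(":", 1)[1]) != want]
                if wrong:
                    findings.append("%s: expected port %d, got %s" % (path, want, wrong))
    return findings

# Constructed sample: a sound SOA block, then a block whose WebLogicCluster
# value was broken onto the next line, so the directive is read with no value.
SAMPLE = """
<Location /sodcheck>
  SetHandler weblogic-handler
  WLCookieName oimjsessionid
  WebLogicCluster oimhost1.us.oracle.com:8001,oimhost2.us.oracle.com:8001
  WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
</Location>
<Location /HTTPClnt>
  SetHandler weblogic-handler
  WLCookieName oimjsessionid
  WebLogicCluster
oimhost1.us.oracle.com:14000,oimhost2.us.oracle.com:14000
  WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
</Location>
"""
```

Run check_oim_conf on the contents of oim.conf from each WEBHOST before the restart in step 3; on the SAMPLE above it reports the /HTTPClnt block and nothing else.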

13.8.3 Changing Host Assertion in WebLogic

Because the Oracle HTTP Server acts as a proxy for WebLogic, by default certain CGI environment variables are not passed through to WebLogic. These include the host and port. You must tell WebLogic that it is using a virtual site name and port so that it can generate internal URLs appropriately.

To do this, log into the WebLogic administration console at http://admin.mycompany.com/console. Proceed as follows:

  1. Select Clusters from the home page or, alternatively, select Environment -> Clusters from the Domain structure menu.

  2. Click Lock and Edit in the Change Center Window to enable editing.

  3. Click the Cluster Name (cluster_soa).

  4. In the General tab, select WebLogic Plug-in Enabled in the Advanced Properties section.

  5. Click Save.

  6. Select Clusters from the home page or, alternatively, select Environment -> Clusters from the Domain structure menu.

  7. Click the Cluster Name (cluster_oim).

  8. In the General tab, select WebLogic Plug-in Enabled in the Advanced Properties section.

  9. Click Save.

  10. Click Activate Changes in the Change Center window to apply the changes.

13.8.4 Validating Oracle Identity Manager Instance from the WebTier

Validate the Oracle Identity Manager Server Instance by bringing up the OIM Console in a web browser at: http://sso.mycompany.com/oim. Log in using the xelsysadm username and password.

Note:

If you have installed Oracle Access Manager 11g, you might have to log in twice, first as an OAM administrative user, such as oamadmin, at the OAM login page, then as xelsysadm at the OIM login page.

13.9 Configuring a Shared JMS Persistence Store

You must configure a shared JMS persistence store to enable the resumption of pending JMS messages. Specify a location on a NAS or SAN storage device that is available to other servers in the cluster. Refer to Section 2.4, "Shared Storage and Recommended Directory Structure" for more information. Configure the location for all of the persistence stores as a directory that is visible from both nodes and change all of the persistent stores to use this shared base directory.

Follow these steps to configure a Shared JMS Persistence Store:

  1. Log in to the Oracle WebLogic Server Administration Console.

  2. Click Lock and Edit.

  3. In the Domain Structure window, expand the Services node and then click the Persistence Stores node. The Summary of Persistence Stores page is displayed.

  4. Select the persistence store (represented as a hyperlink) from the Name column of the table. The Settings page for the persistence store is displayed.

    1. On the Configuration tab, in the Directory field, enter the location of a persistent storage solution (such as NAS or SAN) that is available to other servers in the cluster. Specifying this location enables pending JMS messages to be sent.

    2. The location should have the following directory structure:

      For the SOAJMSFileStore_auto_1, SOAJMSFileStore_auto_2, UMSJMSFileStore_auto_1, and UMSJMSFileStore_auto_2 persistence stores, use a directory structure similar to ORACLE_BASE/admin/domain_name/soa_cluster_name/jms.

      For the OIMJMSFileStore_auto_1 and OIMJMSFileStore_auto_2 persistence stores use a directory structure similar to ORACLE_BASE/admin/domain_name/oim_cluster_name/jms.

      Note:

      • The WLS_OIM1 and WLS_OIM2 servers must be able to access this directory.

      • The WLS_SOA1 and WLS_SOA2 servers must be able to access this directory.

      • This directory must exist before you restart the server.

    3. Click Save to save the changes.

    Repeat for each persistence store.

  5. Click Activate Changes from the change center.

  6. Do not restart the OIM and SOA managed servers. They will be restarted after performing the steps in Section 13.10, "Configuring a Default Persistence Store for Transaction Recovery."

13.10 Configuring a Default Persistence Store for Transaction Recovery

The WLS_OIM and WLS_SOA Managed Servers have a transaction log that stores information about committed transactions that are coordinated by the server that might not have been completed. The WebLogic Server uses this transaction log for recovery from system crashes or network failures. To leverage the migration capability of the Transaction Recovery Service for the servers within a cluster, store the transaction log in a location accessible to a server and its backup servers.

Note:

Preferably, this location should be on a dual-ported SCSI disk or on a Storage Area Network (SAN).

Perform these steps to set the location for the default persistence stores for the OIM and SOA Servers:

  1. Log in to the Oracle WebLogic Server Administration Console.

  2. Click Lock and Edit.

  3. In the Domain Structure window, expand the Environment node and then click the Servers node.

    The Summary of Servers page is displayed.

  4. Click the name of either the OIM or the SOA server (represented as a hyperlink) in the Name column of the table.

  5. The Settings page for the selected server is displayed, and defaults to the Configuration tab.

  6. Open the Services sub tab.

  7. In the Default Store section of the page, enter the path to the folder where the default persistent store will store its data files. The directory structure of the path is as follows:

    • For OIM Servers: ORACLE_BASE/admin/domain_name/oim_cluster_name/tlogs

    • For SOA Servers: ORACLE_BASE/admin/domain_name/soa_cluster_name/tlogs

    Note:

    To enable migration of the Transaction Recovery Service, specify a location on a persistent storage solution that is available to other servers in the cluster. All the servers that are a part of the cluster must be able to access this directory.

  8. Click Save and Activate.

  9. Restart the OIM and SOA managed servers as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components," to make the changes take effect.
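The console steps in Sections 13.8.3, 13.9 and 13.10 can also be applied in one edit session from WLST, which is easier to review and repeat than console clicks. The following WLST (Jython) script is an added example, not from the Oracle guide; it uses the cluster, server and persistence store names from this chapter, renders the soa_cluster_name and oim_cluster_name placeholders as the actual cluster names, and assumes an Administration Server URL of t3://admin.mycompany.com:7001, the weblogic credentials and an ORACLE_BASE of /u01/app/oracle, all of which you must replace.

```wlst
# WLST (Jython) equivalent of the console steps in Sections 13.8.3, 13.9 and 13.10.
# Added example, not from the Oracle guide. Run with MW_HOME/oracle_common/common/bin/wlst.sh.
# Cluster, server and store names are the ones the chapter uses; the admin URL,
# credentials and ORACLE_BASE value below are assumptions to replace.
ORACLE_BASE = '/u01/app/oracle'                   # assumption
DOMAIN = 'IDMDomain'                              # assumption (example name from Section 13.11)
SHARED = ORACLE_BASE + '/admin/' + DOMAIN         # shared NAS/SAN location (Section 2.4)

connect('weblogic', 'password', 't3://admin.mycompany.com:7001')   # assumption
edit()
startEdit()

# 13.8.3: let both clusters use the host and port asserted by the OHS plug-in
for cluster in ('cluster_soa', 'cluster_oim'):
    cd('/Clusters/' + cluster)
    cmo.setWeblogicPluginEnabled(true)

# 13.9: point every JMS file store at the shared jms directory of its cluster
STORES = {
    'SOAJMSFileStore_auto_1': 'cluster_soa', 'SOAJMSFileStore_auto_2': 'cluster_soa',
    'UMSJMSFileStore_auto_1': 'cluster_soa', 'UMSJMSFileStore_auto_2': 'cluster_soa',
    'OIMJMSFileStore_auto_1': 'cluster_oim', 'OIMJMSFileStore_auto_2': 'cluster_oim',
}
for store, cluster in STORES.items():
    cd('/FileStores/' + store)
    cmo.setDirectory(SHARED + '/' + cluster + '/jms')

# 13.10: default store (transaction logs) of each managed server on shared storage,
# so the Transaction Recovery Service can migrate within the cluster
for server, cluster in (('WLS_OIM1', 'cluster_oim'), ('WLS_OIM2', 'cluster_oim'),
                        ('WLS_SOA1', 'cluster_soa'), ('WLS_SOA2', 'cluster_soa')):
    cd('/Servers/' + server + '/DefaultFileStore/' + server)
    cmo.setDirectory(SHARED + '/' + cluster + '/tlogs')

save()
activate()
disconnect()
```

Create the jms and tlogs directories on the shared storage before running the script, since the servers will not start if they are missing, and then restart the OIM and SOA managed servers as in step 9.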

13.11 Adding the CSF Entries for Oracle Identity Management and WSM

If you extend your domain with Oracle Identity Manager after the domain has been associated with an external LDAP store, the OIM configuration wizard does not populate the Credential Store Framework with the appropriate key-value pairs required for the Oracle Identity Manager and Oracle SOA Suite managed servers to start up. To work around this issue, you must create the required entries manually, by using Oracle Enterprise Manager Fusion Middleware Control. This is a temporary workaround.

Follow these steps to create the entries:

  1. Open a browser and bring up Fusion Middleware Control at: http://admin.mycompany.com/em.

  2. Log in as the WebLogic user.

  3. Expand Farm_DomainName in the left pane and navigate to WebLogic Domain > Domain Name. For example, if IDMDomain is the name of your domain, navigate to Farm_IDMDomain > WebLogic Domain > IDMDomain.

  4. The IDMDomain Page appears in the right pane.

  5. Navigate to IDMDomain > Security > Credential to bring up the Credentials Page.

  6. On the Credentials page, click Create Map to create a map. Create a map called oim for the Oracle Identity Manager entries and a map called oracle.wsm.security for the WSM entries.

  7. Create the entries for the maps in the table. Select the map where you want to add entries and click Create Key to create a key.

    Enter the following values on the Create Key page:

    • Select Map: Map Name

    • Key: Key Name

    • Type: Password

    • User Name: User Name

    • Password: Password

    • Description: Description for the Key

    Click OK.

    Refer to the following table to create the keys required for Oracle Identity Manager and the oracle.wsm.security maps.

    Select Map           Key                   Type      User Name             Password
    oim                  OIMSchemaPassword     Password  OIMSchemaPassword     Password for OIM DB
    oim                  xell                  Password  xell                  Password for Keystore
    oim                  DataBaseKey           Password  DataBaseKey           Password for Keystore
    oim                  JMSKey                Password  JMSKey                Password for Keystore
    oim                  .xldatabasekey        Password  .xldatabasekey        Password for Keystore
    oim                  default-keystore.jks  Password  default-keystore.jks  Password for Keystore
    oim                  SOAAdminPassword      Password  SOAAdminPassword      Password for Keystore
    oracle.wsm.security  keystore-csf-key      Password  owsm                  Password for weblogic user
    oracle.wsm.security  enc-csf-key           Password  xell                  Password for Keystore
    oracle.wsm.security  sign-csf-key          Password  xell                  Password for Keystore
    oracle.wsm.security  recipient-alias-key   Password  xell                  not used

    Password for Keystore is the keystore password provided when running the OIM Configuration Wizard.

  8. Stop and start the Administration Server.

  9. Start the Oracle Identity Management and Oracle SOA Suite Managed Servers using the WebLogic Admin Console.

  10. The Oracle Identity Management and Oracle SOA Suite Managed Servers start up correctly after you create the maps.
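Creating eleven keys by hand in Fusion Middleware Control is error-prone, and a single mistyped key name keeps the managed servers from starting. The following WLST (Jython) script is an added example, not from the Oracle guide; it creates the same maps and keys as the table above with the OPSS createCred command, takes the map, key and user names from the table, and assumes an Administration Server URL of t3://admin.mycompany.com:7001, the weblogic credentials and an interactive wlst.sh session in which the passwords can be prompted for.

```wlst
# WLST (Jython) equivalent of the Fusion Middleware Control steps in Section 13.11.
# Added example, not from the Oracle guide. Run with MW_HOME/oracle_common/common/bin/wlst.sh
# (the OPSS credential commands are not loaded by the WL_HOME wlst.sh). Map, key and
# user names come from the table above; the admin URL and all passwords are assumptions.
import getpass

connect('weblogic', 'password', 't3://admin.mycompany.com:7001')   # assumption

# Passwords are prompted for once and are never written into the script.
oim_db_pwd   = getpass.getpass('OIM schema password: ')
keystore_pwd = getpass.getpass('Keystore password (from the OIM Configuration Wizard): ')
weblogic_pwd = getpass.getpass('weblogic user password: ')

# (map, key, user, password, description), in the same order as the table above.
# recipient-alias-key is listed as "not used", but createCred still needs a value.
ENTRIES = [
    ('oim', 'OIMSchemaPassword',    'OIMSchemaPassword',    oim_db_pwd,   'OIM DB schema'),
    ('oim', 'xell',                 'xell',                 keystore_pwd, 'Keystore'),
    ('oim', 'DataBaseKey',          'DataBaseKey',          keystore_pwd, 'Keystore'),
    ('oim', 'JMSKey',               'JMSKey',               keystore_pwd, 'Keystore'),
    ('oim', '.xldatabasekey',       '.xldatabasekey',       keystore_pwd, 'Keystore'),
    ('oim', 'default-keystore.jks', 'default-keystore.jks', keystore_pwd, 'Keystore'),
    ('oim', 'SOAAdminPassword',     'SOAAdminPassword',     keystore_pwd, 'Keystore'),
    ('oracle.wsm.security', 'keystore-csf-key',    'owsm', weblogic_pwd, 'OWSM keystore'),
    ('oracle.wsm.security', 'enc-csf-key',         'xell', keystore_pwd, 'OWSM encryption key'),
    ('oracle.wsm.security', 'sign-csf-key',        'xell', keystore_pwd, 'OWSM signing key'),
    ('oracle.wsm.security', 'recipient-alias-key', 'xell', keystore_pwd, 'OWSM recipient alias'),
]

for m, k, u, p, d in ENTRIES:
    # createCred creates the map on first use, so Create Map is not a separate step here.
    createCred(map=m, key=k, user=u, password=p, desc=d)

disconnect()
```

Run the script before stopping and starting the Administration Server in step 8; the managed servers pick up the new entries on the start in step 9.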

13.12 Backing Up the Application Tier Configuration

It is an Oracle best practices recommendation to create a backup after successfully completing the installation and configuration of each tier, or at another logical point. Create a backup after verifying that the installation so far is successful. This is a quick backup for the express purpose of immediate restoration in case of problems in later steps. The backup destination is the local disk. You can discard this backup when the enterprise deployment setup is complete. After the enterprise deployment setup is complete, you can initiate the regular deployment-specific Backup and Recovery process. For more details, see the Oracle Fusion Middleware Administrator's Guide.

For information on database backups, refer to the Oracle Database Backup and Recovery Advanced User's Guide.

To back up the installation to this point, follow these steps:

  1. Back up the web tier as described in Section 5.6, "Backing up the Web Tier Configuration."

  2. Back up the database. This is a full database backup, either hot or cold. The recommended tool is Oracle Recovery Manager. You can also use operating system tools such as tar for cold backups.

  3. Back up the Administration Server domain directory as described in Section 6.14, "Backing Up the WebLogic Domain."

  4. Back up the Oracle Internet Directory as described in Section 7.5, "Backing up the OID Configuration."

  5. Back up the Oracle Virtual Directory as described in Section 8.5, "Backing Up the Oracle Virtual Directory Configuration."

For information about backing up the application tier configuration, see Section 19.4, "Performing Backups and Recoveries."