14.8 OAM in an Existing OIM with LDAP Sync

This section describes how to add Oracle Access Manager to an existing Oracle Identity Manager (OIM) installation, which has LDAP Sync configured. It also describes how to configure Oracle Access Manager to use Oracle Internet Directory (OID) as its LDAP provider.

It contains the following sections:

  • Overview

  • Prerequisites

  • Scenario 1: Configuration in a New WebLogic Domain

  • Scenario 2: Configuration in a Domain Containing OID and OVD

  • Scenario 3: Configuration in a Domain Containing OAPM, OAAM, and OIN

14.8.1 Overview

In this section, you perform the following tasks:

  1. Install and configure Oracle Internet Directory and Oracle Virtual Directory

  2. Install and configure Oracle Identity Manager

  3. Set up LDAP Sync for Oracle Identity Manager

  4. Configure Oracle Access Manager

  5. Configure Oracle Access Manager to use Oracle Internet Directory as the LDAP provider

  6. Configure Oracle Identity Manager Server, Design Console (Windows only), and Remote Manager

14.8.2 Prerequisites

The following lists the prerequisites for installing and configuring Oracle Identity Manager with LDAP Synchronization to an existing Oracle Access Manager and Oracle Adaptive Access Manager installation, which has LDAP configured:

14.8.3 Scenario 1: Configuration in a New WebLogic Domain

This section discusses the following topics:

  • Appropriate Deployment Environment

  • Components Deployed

  • Dependencies

  • Procedure

14.8.3.1 Appropriate Deployment Environment

Perform configuration in this section for Oracle Identity Management environments that have the following conditions:

  • Oracle Internet Directory, Oracle Virtual Directory, Oracle Access Manager, and Oracle Identity Manager are installed on the same machine.

  • Oracle Identity Manager is configured in a new WebLogic domain, which is extended to support Oracle Access Manager at a later time.

  • Oracle Access Manager is configured to use Oracle Internet Directory as the LDAP provider after configuring LDAP Sync for Oracle Identity Manager.

14.8.3.2 Components Deployed

Performing this configuration deploys the following:

  • A WebLogic Administration Server

  • Managed Servers for Oracle Identity Manager and Oracle Access Manager

  • Oracle Access Manager Console on the Administration Server

  • Oracle Identity Administration Console, Oracle Identity Manager Self Service Console, and Oracle Identity Manager Advanced Administration Console on the Oracle Identity Manager Managed Server

14.8.3.3 Dependencies

The configuration in this section depends on the following:

  • Oracle WebLogic Server.

  • Installation and configuration of Oracle Internet Directory and Oracle Virtual Directory.

  • Installation of the Oracle Identity Management 11g software.

  • Installation of the latest version of Oracle SOA Suite (required by Oracle Identity Manager).

  • Database schemas for Oracle Identity Manager, Oracle SOA Suite, and Oracle Access Manager. For more information, see Creating Database Schema Using the Repository Creation Utility (RCU).

14.8.3.4 Procedure

Perform the following steps to add Oracle Access Manager to an existing Oracle Identity Manager installation with LDAP Sync:

  1. Ensure that all the prerequisites listed in Prerequisites are satisfied. In addition, see Important Notes Before You Begin.

  2. Run the <Oracle_IDM2>/common/bin/config.sh script on UNIX (<Oracle_IDM2>\common\bin\config.cmd on Windows). The Oracle Fusion Middleware Configuration Wizard appears.

  3. On the Welcome screen, select the Create a new WebLogic domain option. Click Next. The Select Domain Source screen is displayed.

  4. On the Select Domain Source screen, ensure that the Generate a domain configured automatically to support the following products: option is selected.

    Select Oracle Identity Manager - 11.1.1.3.0 [Oracle_IDM2].

    Note:

    When you select the Oracle Identity Manager - 11.1.1.3.0 [Oracle_IDM2] option, the following options are also selected, by default:

    Oracle JRF 11.1.1.0 [Oracle_Common], Oracle Enterprise Manager - 11.1.1.0 [oracle_common], Oracle WSM Policy Manager - 11.1.1.0 [oracle_common], and Oracle SOA Suite - 11.1.1.0 [Oracle_SOA1].

  5. After selecting the domain configuration options, click Next. The Specify Domain Name and Location screen is displayed.

  6. On the Specify Domain Name and Location screen, enter a name and location for the domain to be created. In addition, enter a location to store applications for the domain. Click Next. The Configure Administrator User Name and Password screen is displayed.

  7. Configure a user name and a password for the administrator. The default user name is weblogic. Click Next. The Configure Server Start Mode and JDK screen is displayed.

  8. Choose JRockit SDK 160_17_R28.0.0-679 and Production Mode in the Configure Server Start Mode and JDK screen of the Oracle Fusion Middleware Configuration Wizard. Click Next. The Configure JDBC Component Schema screen is displayed.

  9. On the Configure JDBC Component Schema screen, select a component schema, such as the SOA Infrastructure Schema, the User Messaging Service Schema, the OIM MDS Schema, the OWSM MDS Schema, the SOA MDS Schema, or the OIM Schema, that you want to modify.

    You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, the Select Optional Configuration screen appears.

  10. On the Select Optional Configuration screen, you can configure Administration Server, Managed Servers, Clusters, and Machines, Deployments and Services, JMS File Store, and RDBMS Security Store. Select the relevant check boxes and click Next.

    • Optional: Configure Administration Server, as required.

    • Optional: Configure Managed Servers, as required.

    • Optional: Configure Clusters, as required.

      For more information about configuring clusters for Oracle Identity Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.

    • Optional: Assign Managed Servers to Clusters, as required.

    • Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.

      Tip:

      Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.

    • Optional: Assign the Administration Server to a machine.

    • Optional: Target deployments and services to servers or clusters.

    • Optional: Configure JMS File Store, as required.

    • Optional: Configure RDBMS Security Store, as required.

  11. On the Configuration Summary screen, review the domain configuration, and click Create to start creating the domain.

    A new WebLogic domain to support Oracle Identity Manager is created in the <Middleware_Home>\user_projects\domains directory (on Windows), by default. On UNIX, the domain is created in the <Middleware_Home>/user_projects/domains directory, by default.

  12. Set up LDAP Synchronization for Oracle Identity Manager, as described in Setting Up LDAP Synchronization.

  13. Verify LDAP Synchronization, as described in Verifying the LDAP Synchronization.

  14. Run the <Oracle_IDM2>/common/bin/config.sh script on UNIX (<Oracle_IDM2>\common\bin\config.cmd on Windows). The Oracle Fusion Middleware Configuration Wizard appears.

  15. On the Welcome screen, select the Extend an existing WebLogic domain option. Click Next. The Select a WebLogic Domain Directory screen is displayed.

  16. On the Select a WebLogic Domain Directory screen, select the Oracle Identity Management domain in which you configured Oracle Identity Manager. Click Next. The Select Extension Source screen is displayed.

  17. On the Select Extension Source screen, select the following domain configuration options:

    Oracle Access Manager with Database Policy Store - 11.1.1.3.0 [Oracle_IDM2]

  18. After selecting the domain configuration options, click Next. The Specify Domain Name and Location screen is displayed.

  19. On the Specify Domain Name and Location screen, select a location to store the applications in the domain. Click Next. The Configure JDBC Component Schema screen is displayed.

  20. On the Configure JDBC Component Schema screen, select a component schema, such as the SOA Infrastructure Schema, the OAM Infrastructure Schema, the User Messaging Service Schema, the OIM MDS Schema, the OWSM MDS Schema, the SOA MDS Schema, or the OIM Schema, that you want to modify.

    You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, the Select Optional Configuration screen appears.

  21. On the Select Optional Configuration screen, you can configure Managed Servers, Clusters, and Machines, Deployments and Services, and JMS File Store. Select the relevant check boxes and click Next.

    • Optional: Configure Managed Servers, as required.

    • Optional: Configure Clusters, as required.

      For more information about configuring clusters for Oracle Identity Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.

    • Optional: Assign Managed Servers to Clusters, as required.

    • Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.

      Tip:

      Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.

    • Optional: Assign the Administration Server to a machine.

    • Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.

    • Optional: Configure JMS File Store, as required.

  22. On the Configuration Summary screen, review the domain configuration, and click Extend to start extending the domain.

    Your existing Oracle Identity Management domain with Oracle Identity Manager is extended to support Oracle Access Manager.

  23. Start the WebLogic Administration Server and Managed Servers (Oracle Identity Manager and Oracle Access Manager), as described in Starting the Stack.

  24. Configure Oracle Access Manager (OAM) to use Oracle Internet Directory (OID) as an LDAP provider by running the createUserIdentityStore WLST command:

    1. On the command line, use the cd command to move from your present working directory to the Oracle_IDM2/common/bin directory. Oracle_IDM2 is the IDM_Home for Oracle Identity Manager and Oracle Access Manager.

    2. Launch the WebLogic Scripting Tool (WLST) interface as follows:

      On UNIX: Run ./wlst.sh on the command line.

      On Windows: Run wlst.cmd.

      At the WLST command prompt (wls:/offline>), type the following:

      connect()

      You are prompted to enter the WebLogic Administration Server user name, password, and URL. For more information about using the WLST interface, see the topic "Using the WebLogic Scripting Tool" in the guide Oracle Fusion Middleware Oracle WebLogic Scripting Tool.

      Run the createUserIdentityStore WLST command, as in the following example:

      createUserIdentityStore(name="OAMOIDIdStoreForOIM", principal="cn=orcladmin", credential="welcome1", type="LDAP", userAttr="uid", ldapProvider="OID", roleSecAdmin="OAMAdministrators", userSearchBase="cn=Users,dc=us,dc=oracle,dc=com", ldapUrl="ldap://<oid host>:<oid port>", isPrimary="true", userIDProvider="OracleUserRoleAPI", groupSearchBase="cn=Groups,dc=us,dc=oracle,dc=com")

      Note:

      Users that are members of the group specified in the roleSecAdmin attribute are allowed access to the Oracle Access Manager Administration Console. This group must exist under the Directory Information Tree (DIT) specified in the groupSearchBase attribute. If no such group exists, you can instead specify a user name, such as orcladmin, in roleSecAdmin; in that case, only the user specified in this attribute has access to the Oracle Access Manager Administration Console.

    Alternatively, you can use the Oracle Access Manager Administration Console, deployed on the Administration Server, to configure Oracle Internet Directory as an LDAP provider for Oracle Access Manager. For more information, see the "Managing User-Identity Store and OAM Administrator Registrations" topic in the guide Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager.

  25. Start the Oracle Identity Manager Configuration Wizard, as described in Starting the Oracle Identity Manager 11g Configuration Wizard.

  26. Configure Oracle Identity Manager Server, as described in Configuring OIM Server. When configuring Oracle Identity Manager Server, ensure that you select the Enable LDAP Sync option on the LDAP Sync and OAM Screen in the Oracle Identity Manager Configuration Wizard.

  27. Follow the wizard and the steps described in Configuring OIM Server to complete the Oracle Identity Manager Server configuration. Similarly, follow the wizard to configure Oracle Identity Manager Design Console (Windows only) and to configure Oracle Identity Manager Remote Server, as described in Configuring OIM Design Console, and Configuring OIM Remote Manager.

Note:

If weblogic is not your WebLogic administrator user name, you must complete a set of manual steps after starting the servers. For more information, see Optional: Updating the WebLogic Administrator Server User Name in Enterprise Manager (OIM Only).

14.8.4 Scenario 2: Configuration in a Domain Containing OID and OVD

This section discusses the following topics:

  • Appropriate Deployment Environment

  • Components Deployed

  • Dependencies

  • Procedure

14.8.4.1 Appropriate Deployment Environment

Perform configuration in this section for Oracle Identity Management environments that have the following conditions:

  • Oracle Internet Directory, Oracle Virtual Directory, Oracle Access Manager, and Oracle Identity Manager are installed on the same machine.

  • Oracle Identity Manager is configured in the existing Oracle Identity Management domain containing Oracle Internet Directory and Oracle Virtual Directory. This domain is extended to support Oracle Access Manager at a later time.

  • Oracle Access Manager is configured to use Oracle Internet Directory as the LDAP provider after configuring LDAP Sync for Oracle Identity Manager.

14.8.4.2 Components Deployed

Performing this configuration deploys the following:

  • Managed Servers for Oracle Access Manager and Oracle Identity Manager

  • Oracle Access Manager Console on the existing Administration Server

  • Oracle Identity Administration Console, Oracle Identity Manager Self Service Console, and Oracle Identity Manager Advanced Administration Console on the Oracle Identity Manager Managed Server

14.8.4.3 Dependencies

The configuration in this section depends on the following:

  • Oracle WebLogic Server.

  • Installation and configuration of Oracle Internet Directory and Oracle Virtual Directory.

  • Installation of the Oracle Identity Management 11g software.

  • Installation of the latest version of Oracle SOA Suite (required by Oracle Identity Manager).

  • Database schemas for Oracle Identity Manager, Oracle SOA Suite, and Oracle Access Manager. For more information, see Creating Database Schema Using the Repository Creation Utility (RCU).

14.8.4.4 Procedure

Perform the following steps to add Oracle Access Manager to an existing Oracle Identity Manager installation that has LDAP Sync set up:

  1. Ensure that all the prerequisites listed in Prerequisites are satisfied. In addition, see Important Notes Before You Begin.

  2. Run <Oracle_IDM1>/bin/config.sh on UNIX to start the Oracle Identity Management Configuration Wizard. On Windows, run <Oracle_IDM1>\bin\config.bat to start the wizard.

  3. On the Select Domain screen, select the Create New Domain option. Set the Administrator user name and password, as required.

  4. Ensure that you select Oracle Internet Directory and Oracle Virtual Directory on the Configure Components screen.

  5. Follow the wizard, provide the necessary input, and configure the domain.

    A new WebLogic domain to support Oracle Internet Directory and Oracle Virtual Directory is created in the <Middleware_Home>\user_projects\domains directory (on Windows). On UNIX, the domain is created in the <Middleware_Home>/user_projects/domains directory.

  6. Ensure that your Oracle database version is supported and you have installed the necessary patches. For more information, see Installing Oracle Database.

  7. Ensure that any appropriate schemas required by Oracle Identity Manager, Oracle SOA Suite, and Oracle Access Manager are created and loaded, as described in Creating Database Schema Using the Repository Creation Utility (RCU).

  8. Ensure that the Oracle Identity Management 11g software is installed. Refer to Installing the Oracle Identity Management 11g Software for more information. A new Oracle Home for Oracle Identity Management, such as Oracle_IDM2, is created under the Middleware Home directory.

  9. Ensure that the latest version of Oracle SOA Suite is installed under the same Middleware Home. Refer to Installing the Latest Version of Oracle SOA Suite (Oracle Identity Manager Users Only) for more information.

  10. Run the <Oracle_IDM2>/common/bin/config.sh script on UNIX (<Oracle_IDM2>\common\bin\config.cmd on Windows). The Oracle Fusion Middleware Configuration Wizard appears.

  11. On the Welcome screen, select the Extend an existing WebLogic domain option. Click Next. The Select a WebLogic Domain Directory screen is displayed.

  12. On the Select a WebLogic Domain Directory screen, select the Oracle Identity Management 11.1.1.3.0 domain in which you configured Oracle Internet Directory and Oracle Virtual Directory. Click Next. The Select Extension Source screen is displayed.

  13. On the Select Extension Source screen, select the following domain configuration options:

    Oracle Identity Manager - 11.1.1.3.0 [Oracle_IDM2]

    Note:

    When you select the Oracle Identity Manager - 11.1.1.3.0 [Oracle_IDM2] option, the Oracle WSM Policy Manager - 11.1.1.0 [oracle_common] option and the Oracle SOA Suite - 11.1.1.3.0 [Oracle_SOA1] option are also selected, by default.

  14. After selecting the domain configuration options, click Next. The Configure JDBC Component Schema screen is displayed.

  15. On the Configure JDBC Component Schema screen, select a component schema, such as the SOA Infrastructure Schema, the User Messaging Service Schema, the OIM MDS Schema, the OWSM MDS Schema, the OIM Schema, or the SOA MDS Schema, that you want to modify.

    You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, the Select Optional Configuration screen appears.

  16. On the Select Optional Configuration screen, you can configure Managed Servers, Clusters, and Machines, Deployments and Services, and JMS File Store. Select the relevant check boxes and click Next.

    • Optional: Configure Managed Servers, as required.

    • Optional: Configure Clusters, as required.

      For more information about configuring clusters for Oracle Identity Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.

    • Optional: Assign Managed Servers to Clusters, as required.

    • Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.

      Tip:

      Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.

    • Optional: Assign the Administration Server to a machine.

    • Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.

    • Optional: Configure JMS File Store, as required.

  17. On the Configuration Summary screen, review the domain configuration, and click Extend to start extending the domain.

    Your existing Oracle Identity Management 11.1.1.3.0 domain with Oracle Internet Directory and Oracle Virtual Directory is extended to support Oracle Identity Manager.

  18. Set up LDAP Synchronization for Oracle Identity Manager, as described in Setting Up LDAP Synchronization.

  19. Verify LDAP Synchronization, as described in Verifying the LDAP Synchronization.

  20. Run the <Oracle_IDM2>/common/bin/config.sh script on UNIX (<Oracle_IDM2>\common\bin\config.cmd on Windows). The Oracle Fusion Middleware Configuration Wizard appears.

  21. On the Welcome screen, select the Extend an existing WebLogic domain option. Click Next. The Select a WebLogic Domain Directory screen is displayed.

  22. On the Select a WebLogic Domain Directory screen, select the Oracle Identity Management domain in which you configured Oracle Identity Manager, Oracle Internet Directory, and Oracle Virtual Directory. Click Next. The Select Extension Source screen is displayed.

  23. On the Select Extension Source screen, select the following domain configuration options:

    Oracle Access Manager with Database Policy Store - 11.1.1.3.0 [Oracle_IDM2]

  24. After selecting the domain configuration options, click Next. The Specify Domain Name and Location screen is displayed.

  25. On the Specify Domain Name and Location screen, select a location to store the applications in the domain. Click Next. The Configure JDBC Component Schema screen is displayed.

  26. On the Configure JDBC Component Schema screen, select a component schema, such as the SOA Infrastructure Schema, the OAM Infrastructure Schema, the User Messaging Service Schema, the OIM MDS Schema, the OWSM MDS Schema, the OIM Schema, or the SOA MDS Schema, that you want to modify.

    You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, the Select Optional Configuration screen appears.

  27. On the Select Optional Configuration screen, you can configure Managed Servers, Clusters, and Machines, Deployments and Services, and JMS File Store. Select the relevant check boxes and click Next.

    • Optional: Configure Managed Servers, as required.

    • Optional: Configure Clusters, as required.

      For more information about configuring clusters for Oracle Identity Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.

    • Optional: Assign Managed Servers to Clusters, as required.

    • Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.

      Tip:

      Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.

    • Optional: Assign the Administration Server to a machine.

    • Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.

    • Optional: Configure JMS File Store, as required.

  28. On the Configuration Summary screen, review the domain configuration, and click Extend to start extending the domain.

    Your existing Oracle Identity Management domain with Oracle Identity Manager, Oracle Internet Directory, and Oracle Virtual Directory is extended to support Oracle Access Manager.

  29. Start the WebLogic Administration Server and Managed Servers (Oracle Identity Manager and Oracle Access Manager), as described in Starting the Stack.

  30. Configure Oracle Access Manager (OAM) to use Oracle Internet Directory (OID) as an LDAP provider by running the createUserIdentityStore WLST command:

    1. On the command line, use the cd command to move from your present working directory to the Oracle_IDM2/common/bin directory. Oracle_IDM2 is the IDM_Home for Oracle Identity Manager and Oracle Access Manager.

    2. Launch the WebLogic Scripting Tool (WLST) interface as follows:

      On UNIX: Run ./wlst.sh on the command line.

      On Windows: Run wlst.cmd.

      At the WLST command prompt (wls:/offline>), type the following:

      connect()

      You are prompted to enter the WebLogic Administration Server user name, password, and URL. For more information about using the WLST interface, see the topic "Using the WebLogic Scripting Tool" in the guide Oracle Fusion Middleware Oracle WebLogic Scripting Tool.

      Run the createUserIdentityStore WLST command, as in the following example:

      createUserIdentityStore(name="OAMOIDIdStoreForOIM", principal="cn=orcladmin", credential="welcome1", type="LDAP", userAttr="uid", ldapProvider="OID", roleSecAdmin="OAMAdministrators", userSearchBase="cn=Users,dc=us,dc=oracle,dc=com", ldapUrl="ldap://<oid host>:<oid port>", isPrimary="true", userIDProvider="OracleUserRoleAPI", groupSearchBase="cn=Groups,dc=us,dc=oracle,dc=com")

      Note:

      Users that are members of the group specified in the roleSecAdmin attribute are allowed access to the Oracle Access Manager Administration Console. This group must exist under the Directory Information Tree (DIT) specified in the groupSearchBase attribute. If no such group exists, you can instead specify a user name, such as orcladmin, in roleSecAdmin; in that case, only the user specified in this attribute has access to the Oracle Access Manager Administration Console.

    Alternatively, you can use the Oracle Access Manager Administration Console, deployed on the Administration Server, to configure Oracle Internet Directory as an LDAP provider for Oracle Access Manager. For more information, see the "Managing User-Identity Store and OAM Administrator Registrations" topic in the guide Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager.

  31. Restart the Administration Server, as described in Restarting Servers.

  32. Start the Oracle Identity Manager Configuration Wizard, as described in Starting the Oracle Identity Manager 11g Configuration Wizard.

  33. Configure Oracle Identity Manager Server, as described in Configuring OIM Server. When configuring Oracle Identity Manager Server, ensure that you select the Enable LDAP Sync option on the LDAP Sync and OAM Screen in the Oracle Identity Manager Configuration Wizard.

  34. Follow the wizard and the steps described in Configuring OIM Server to complete the Oracle Identity Manager Server configuration. Similarly, follow the wizard to configure Oracle Identity Manager Design Console (Windows only) and to configure Oracle Identity Manager Remote Server, as described in Configuring OIM Design Console, and Configuring OIM Remote Manager.

Note:

If weblogic is not your WebLogic administrator user name, you must complete a set of manual steps after starting the servers. For more information, see Optional: Updating the WebLogic Administrator Server User Name in Enterprise Manager (OIM Only).
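The createUserIdentityStore call in step 30 above (and the identical one in Scenario 1, step 24) is typed interactively and fails only at the point WLST contacts the directory, so a pre-flight check of its argument set is worth having. The following script is an added example, not Oracle's code and not part of WLST: under plain Python 3 it validates the section's parameters against a directory snapshot, checking that ldapUrl no longer carries the <oid host> and <oid port> placeholders, that principal, userSearchBase and groupSearchBase exist, and that roleSecAdmin resolves either to a populated groupOfUniqueNames under groupSearchBase or, as the Note allows, to a single user under userSearchBase; it then renders the WLST line in the section's argument order. SAMPLE_DIRECTORY is a constructed stand-in for OID search results, oid.example.com and port 3060 are assumed sample values, the OID_ADMIN_PASSWORD variable is an assumed name, and the helper functions (preflight, resolve_sec_admin, render_wlst_command) are my own.

```python
"""Pre-flight check for the createUserIdentityStore argument set (added example,
not Oracle's code). Plain Python 3, run against an in-memory directory snapshot."""
import re

# Constructed snapshot standing in for OID search results: DN -> attributes
# (attribute names lower-cased; LDAP attribute types are case-insensitive).
SAMPLE_DIRECTORY = {
    "cn=orcladmin": {"objectclass": ["person"], "uid": ["orcladmin"]},
    "cn=Users,dc=us,dc=oracle,dc=com": {"objectclass": ["orclContainer"]},
    "cn=Groups,dc=us,dc=oracle,dc=com": {"objectclass": ["orclContainer"]},
    "cn=oamadmin,cn=Users,dc=us,dc=oracle,dc=com": {
        "objectclass": ["inetOrgPerson"], "uid": ["oamadmin"]},
    "cn=OAMAdministrators,cn=Groups,dc=us,dc=oracle,dc=com": {
        "objectclass": ["groupOfUniqueNames"],
        "uniquemember": ["cn=oamadmin,cn=Users,dc=us,dc=oracle,dc=com"]},
}
# The section's arguments minus the credential; oid.example.com and 3060 are
# assumed sample values (3060 is OID's usual non-SSL port).
PARAMS = {
    "name": "OAMOIDIdStoreForOIM", "principal": "cn=orcladmin", "type": "LDAP",
    "userAttr": "uid", "ldapProvider": "OID", "roleSecAdmin": "OAMAdministrators",
    "userSearchBase": "cn=Users,dc=us,dc=oracle,dc=com",
    "ldapUrl": "ldap://oid.example.com:3060", "isPrimary": "true",
    "userIDProvider": "OracleUserRoleAPI",
    "groupSearchBase": "cn=Groups,dc=us,dc=oracle,dc=com",
}
ARG_ORDER = ["name", "principal", "credential", "type", "userAttr", "ldapProvider",
             "roleSecAdmin", "userSearchBase", "ldapUrl", "isPrimary",
             "userIDProvider", "groupSearchBase"]
PLACEHOLDER = re.compile(r"<[^>]*>")

def normalize_dn(dn):
    """Lower-case and trim each RDN; enough for DNs without escaped commas."""
    return ",".join("%s=%s" % (a.strip().lower(), v.strip().lower())
                    for a, _, v in (rdn.partition("=") for rdn in dn.split(",")))

def is_under(dn, base):
    """True when dn equals base or sits below it in the DIT."""
    d, b = normalize_dn(dn), normalize_dn(base)
    return d == b or d.endswith("," + b)

def check_ldap_url(url):
    """Reject unreplaced <placeholders> and anything not ldap(s)://host:port."""
    if PLACEHOLDER.search(url):
        raise ValueError("ldapUrl still contains a placeholder: %s" % url)
    m = re.match(r"^ldaps?://([^:/\s]+):(\d{1,5})$", url)
    if not m or not 1 <= int(m.group(2)) <= 65535:
        raise ValueError("ldapUrl must be ldap://host:port, got %s" % url)
    return m.group(1), int(m.group(2))

def resolve_sec_admin(index, params):
    """Apply the section's Note: roleSecAdmin names a group under groupSearchBase,
    or else a single user (matched on userAttr) under userSearchBase."""
    name = params["roleSecAdmin"]
    group_dn = "cn=%s,%s" % (name, params["groupSearchBase"])
    group = index.get(normalize_dn(group_dn))
    if group is not None:
        if "groupofuniquenames" not in [c.lower() for c in group.get("objectclass", [])]:
            raise ValueError("%s is not a groupOfUniqueNames" % group_dn)
        if not group.get("uniquemember"):
            raise ValueError("%s has no members; nobody could reach the console" % group_dn)
        return "group", group["uniquemember"]
    for dn, attrs in index.items():
        if is_under(dn, params["userSearchBase"]) and name in attrs.get(params["userAttr"].lower(), []):
            return "user", [dn]
    raise ValueError("roleSecAdmin=%r is neither a group under %s nor a user under %s"
                     % (name, params["groupSearchBase"], params["userSearchBase"]))

def preflight(directory, params):
    """Run every check. Returns {"ok": True, ...report} or {"ok": False, "error": msg}."""
    index = {normalize_dn(dn): attrs for dn, attrs in directory.items()}
    try:
        missing = [k for k in ARG_ORDER if k != "credential" and not params.get(k)]
        if missing:
            raise ValueError("missing parameters: %s" % ", ".join(missing))
        host, port = check_ldap_url(params["ldapUrl"])
        for key in ("principal", "userSearchBase", "groupSearchBase"):
            if normalize_dn(params[key]) not in index:
                raise ValueError("%s=%s does not exist in the directory" % (key, params[key]))
        kind, who = resolve_sec_admin(index, params)
    except ValueError as err:
        return {"ok": False, "error": str(err)}
    return {"ok": True, "host": host, "port": port, "secAdminKind": kind, "secAdmins": who}

def render_wlst_command(params, credential):
    """Render the WLST call in the section's argument order; the credential is
    passed separately so the parameter dict can be logged without it."""
    values = dict(params, credential=credential)
    return "createUserIdentityStore(%s)" % ", ".join('%s="%s"' % (k, values[k]) for k in ARG_ORDER)

if __name__ == "__main__":
    import os
    print("pre-flight:", preflight(SAMPLE_DIRECTORY, PARAMS))
    # Credential from an assumed environment variable, never from the dict.
    print(render_wlst_command(PARAMS, os.environ.get("OID_ADMIN_PASSWORD", "<oid admin password>")))
    print("placeholder caught:", preflight(SAMPLE_DIRECTORY, dict(PARAMS, ldapUrl="ldap://<oid host>:<oid port>")))
```

Run it under an ordinary Python 3 interpreter rather than inside wlst.sh, with SAMPLE_DIRECTORY replaced by the entries an ldapsearch against the OID host actually returns; when the report comes back ok, paste the rendered line at the WLST prompt after connect(). Keeping the credential out of the parameter dict means the dict can be checked into a runbook or compared across environments without carrying the directory administrator's password.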

14.8.5 Scenario 3: Configuration in a Domain Containing OAPM, OAAM, and OIN

This section discusses the following topics:

  • Appropriate Deployment Environment

  • Components Deployed

  • Dependencies

  • Procedure

14.8.5.1 Appropriate Deployment Environment

Perform configuration in this section for Oracle Identity Management environments that have the following conditions:

  • Oracle Internet Directory, Oracle Virtual Directory, Oracle Access Manager, and Oracle Identity Manager are installed on the same machine.

  • Oracle Identity Manager is configured in the existing Oracle Identity Management domain containing Oracle Authorization Policy Manager, Oracle Adaptive Access Manager, and Oracle Identity Navigator. This domain is extended to support Oracle Access Manager at a later time.

  • Oracle Access Manager is configured to use Oracle Internet Directory as the LDAP provider after configuring LDAP Sync for Oracle Identity Manager.

14.8.5.2 Components Deployed

Performing the configuration in this section deploys the following:

  • Managed Servers for Oracle Identity Manager and Oracle Access Manager

  • Oracle Identity Administration Console, Oracle Identity Manager Self Service Console, and Oracle Identity Manager Advanced Administration Console on the Oracle Identity Manager Managed Server

  • Oracle Access Manager Console on the existing Administration Server

14.8.5.3 Dependencies

The configuration in this section depends on the following:

  • Oracle WebLogic Server.

  • Installation and configuration of Oracle Internet Directory and Oracle Virtual Directory.

  • Installation of the Oracle Identity Management 11g software.

  • Installation of the latest version of Oracle SOA Suite (required by Oracle Identity Manager).

  • Database schemas for Oracle Identity Manager, Oracle SOA Suite, Oracle Adaptive Access Manager, and Oracle Access Manager. For more information, see Creating Database Schema Using the Repository Creation Utility (RCU).

14.8.5.4 Procedure

Perform the following steps to add Oracle Access Manager to an existing Oracle Identity Manager installation with LDAP Sync:

  1. Ensure that all the prerequisites listed in Prerequisites are satisfied. In addition, see Important Notes Before You Begin.

  2. Run the <Oracle_IDM2>/common/bin/config.sh script on UNIX (<Oracle_IDM2>\common\bin\config.cmd on Windows). The Oracle Fusion Middleware Configuration Wizard appears.

  3. On the Welcome screen, select the Create a new WebLogic domain option. Click Next. The Select Domain Source screen is displayed.

  4. On the Select Domain Source screen, select the following domain configuration options:

    Oracle Authorization Policy Manager - 11.1.1.3.0 [Oracle_IDM2]

    Oracle Adaptive Access Manager Admin Server - 11.1.1.3.0 [Oracle_IDM2]

    Oracle Identity Manager - 11.1.1.3.0 [Oracle_IDM2]

    Note:

    When you select the Oracle Authorization Policy Manager - 11.1.1.3.0 [Oracle_IDM2] option, the Oracle JRF - 11.1.1.0 [oracle_common] option is also selected, by default.

    When you select the Oracle Adaptive Access Manager Admin Server - 11.1.1.3.0 [Oracle_IDM2] option, the Oracle Identity Navigator - 11.1.1.3.0 [Oracle_IDM2] option is also selected, by default.

    When you select the Oracle Identity Manager - 11.1.1.3.0 [Oracle_IDM2] option, the following options are also selected, by default: Oracle Enterprise Manager - 11.1.1.0 [oracle_common], Oracle WSM Policy Manager - 11.1.1.0 [oracle_common], and Oracle SOA Suite - 11.1.1.3.0 [Oracle_SOA1]

  5. After selecting the domain configuration options, click Next. The Specify Domain Name and Location screen is displayed.

  6. On the Specify Domain Name and Location screen, enter a name and location for the domain to be created. In addition, enter a location to store applications for the domain. Click Next. The Configure Administrator User Name and Password screen is displayed.

  7. Configure a user name and a password for the administrator. The default user name is weblogic. Click Next. The Configure Server Start Mode and JDK screen is displayed.

  8. Choose JRockit SDK 160_17_R28.0.0-679 and Production Mode in the Configure Server Start Mode and JDK screen of the Oracle Fusion Middleware Configuration Wizard. Click Next. The Configure JDBC Component Schema screen is displayed.

  9. On the Configure JDBC Component Schema screen, select a component schema, such as the APM Schema, the SOA Infrastructure Schema, the SOA MDS Schema, the OIM MDS Schema, the OIM Schema, the OAAM Admin Schema, the OAAM Admin MDS Schema, the OWSM MDS Schema, the User Messaging Service Schema, or the APM MDS Schema, that you want to modify.

    You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, the Select Optional Configuration screen appears.

  10. On the Select Optional Configuration screen, you can configure Administration Server, Managed Servers, Clusters, and Machines, Deployments and Services, JMS File Store, and RDBMS Security Store. Select the relevant check boxes and click Next.

    • Optional: Configure Administration Server, as required.

    • Optional: Configure Managed Servers, as required.

    • Optional: Configure Clusters, as required.

      For more information about configuring clusters for Oracle Identity Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.

    • Optional: Assign Managed Servers to Clusters, as required.

    • Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.

      Tip:

      Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.

    • Optional: Assign the Administration Server to a machine.

    • Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.

    • Optional: Configure JMS File Store, as required.

    • Optional: Configure RDBMS Security Store, as required.

  11. On the Configuration Summary screen, review the domain configuration, and click Create to start creating the domain. After the domain configuration is complete, click Done to dismiss the wizard.

    A new WebLogic domain to support Oracle Authorization Policy Manager, Oracle Identity Manager, Oracle Adaptive Access Manager, and Oracle Identity Navigator is created in the <Middleware_Home>\user_projects\domains directory (on Windows), by default. On UNIX, the domain is created in the <Middleware_Home>/user_projects/domains directory, by default.

  12. Set up LDAP Synchronization for Oracle Identity Manager, as described in Setting Up LDAP Synchronization.

  13. Verify LDAP Synchronization, as described in Verifying the LDAP Synchronization.

  14. Run the <Oracle_IDM2>/common/bin/config.sh script (on UNIX). (<Oracle_IDM2>\common\bin\config.cmd on Windows). The Oracle Fusion Middleware Configuration Wizard appears.

  15. On the Welcome screen, select the Extend an existing WebLogic domain option. Click Next. The Select a WebLogic Domain Directory screen is displayed.

  16. On the Select a WebLogic Domain Directory screen, select the Oracle Identity Management domain in which you configured Oracle Identity Manager, Oracle Authorization Policy Manager, Oracle Adaptive Access Manager, and Oracle Identity Navigator. Click Next. The Select Extension Source screen is displayed.

  17. On the Select Extension Source screen, select the following domain configuration options:

    Oracle Access Manager with Database Policy Store - 11.1.1.3.0 [Oracle_IDM2]

  18. After selecting the domain configuration options, click Next. The Specify Domain Name and Location screen is displayed.

  19. On the Specify Domain Name and Location screen, select a location to store the applications in the domain. Click Next. The Configure JDBC Component Schema screen is displayed.

  20. On the Configure JDBC Component Schema screen, select a component schema, such as the APM Schema, the OAM Infrastructure Schema, the SOA Infrastructure Schema, the SOA MDS Schema, the OIM MDS Schema, the OIM Schema, the OAAM Admin Schema, the OAAM Admin MDS Schema, the OWSM MDS Schema, the User Messaging Service Schema, or the APM MDS Schema, that you want to modify.

    You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, the Select Optional Configuration screen appears.

  21. On the Select Optional Configuration screen, you can configure Managed Servers, Clusters, and Machines, Deployments and Services, and JMS File Store. Select the relevant check boxes and click Next.

    • Optional: Configure Managed Servers, as required.

    • Optional: Configure Clusters, as required.

      For more information about configuring clusters for Oracle Identity Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.

    • Optional: Assign Managed Servers to Clusters, as required.

    • Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.

      Tip:

      Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.

    • Optional: Assign the Administration Server to a machine.

    • Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.

    • Optional: Configure JMS File Store, as required.

  22. On the Configuration Summary screen, review the domain configuration, and click Extend to start extending the domain.

    Your existing Oracle Identity Management domain with Oracle Identity Manager, Oracle Authorization Policy Manager, Oracle Adaptive Access Manager, and Oracle Identity Navigator is extended to support Oracle Access Manager.

  23. Start the WebLogic Administration Server and Managed Servers (Oracle Identity Manager and Oracle Access Manager), as described in Starting the Stack.

  24. Configure Oracle Access Manager (OAM) to use Oracle Internet Directory (OID) as an LDAP provider by running the createUserIdentityStore WLST command:

    1. On the command line, use the cd command to move from your present working directory to the Oracle_IDM2/common/bin directory. Oracle_IDM2 is the IDM_Home for Oracle Identity Manager and Oracle Access Manager.

    2. Launch the WebLogic Scripting Tool (WLST) interface as follows:

      On UNIX: Run ./wlst.sh on the command line.

      On Windows: Run wlst.cmd.

      At the WLST command prompt (wls:/offline>), type the following:

      connect()

      You are prompted to enter the WebLogic Administration Server user name, password, and URL. For more information about using the WLST interface, see the topic "Using the WebLogic Scripting Tool" in the guide Oracle Fusion Middleware Oracle WebLogic Scripting Tool.

      Run the createUserIdentityStore WLST command, as in the following example:

      createUserIdentityStore(name="OAMOIDIdStoreForOIM", principal="cn=orcladmin", credential="welcome1", type="LDAP", userAttr="uid", ldapProvider="OID", roleSecAdmin="OAMAdministrators", userSearchBase="cn=Users,dc=us,dc=oracle,dc=com", ldapUrl="ldap://<oid host>:<oid port>", isPrimary="true", userIDProvider="OracleUserRoleAPI", groupSearchBase="cn=Groups,dc=us,dc=oracle,dc=com")

      Note:

      Users that are members of the group specified in the roleSecAdmin attribute are allowed access to the Oracle Access Manager Administration Console. This group must exist under the Directory Information Tree (DIT) specified in the groupSearchBase attribute. If the group is not available, you can specify the user name, such as orcladmin, who will have access to the Oracle Access Manager Administration Console. Note that only the user specified in this attribute will have access to the Oracle Access Manager Administration Console.

    Alternatively, you can use the Oracle Access Manager Administration Console, deployed on the Administration Server, to configure Oracle Internet Directory as an LDAP provider for Oracle Access Manager. For more information, see the "Managing User-Identity Store and OAM Administrator Registrations" topic in the guide Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager.
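    The following is an added example for this page, not Oracle's code and not a WLST API. It is a plain Python pre-flight script that checks the createUserIdentityStore parameters from step 24 before they are typed at the wls:/offline> prompt: it verifies that the search bases and principal are well-formed DNs, that ldapUrl names a real host and port (the "<oid host>:<oid port>" placeholders are rejected), that the roleSecAdmin group exists under groupSearchBase (the condition in the note above, checked against a constructed list of group DNs standing in for an OID search result), and that the bind credential comes from an environment variable rather than a literal in the script. It then renders the command text in the argument order the page uses. The host name oid.example.com, the group list, and the OAM_IDSTORE_BIND_PASSWORD variable are assumptions made for the example.

```python
"""Pre-flight checks for the createUserIdentityStore WLST call (added example,
not Oracle code). Validates the parameters from the procedure and prints the
command text; sample host and group DNs are constructed for the example."""
import os
import re
from urllib.parse import urlsplit

_RDN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9\-]*=.+$")  # attr=value

# Constructed sample: what a search under groupSearchBase might return.
SAMPLE_GROUP_DNS = [
    "cn=OAMAdministrators,cn=Groups,dc=us,dc=oracle,dc=com",
    "cn=OIMAdministrators,cn=Groups,dc=us,dc=oracle,dc=com",
]

# The page's example parameters with a constructed host; the bind password
# is deliberately absent so it is supplied from the environment.
SAMPLE_PARAMS = {
    "name": "OAMOIDIdStoreForOIM",
    "principal": "cn=orcladmin",
    "type": "LDAP",
    "userAttr": "uid",
    "ldapProvider": "OID",
    "roleSecAdmin": "OAMAdministrators",
    "userSearchBase": "cn=Users,dc=us,dc=oracle,dc=com",
    "ldapUrl": "ldap://oid.example.com:3060",
    "isPrimary": "true",
    "userIDProvider": "OracleUserRoleAPI",
    "groupSearchBase": "cn=Groups,dc=us,dc=oracle,dc=com",
}


def split_dn(dn):
    """Split a DN on commas that are not backslash-escaped."""
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf).strip())
    return rdns


def is_valid_dn(dn):
    """True when every RDN has the shape attr=value with a non-empty value."""
    return bool(dn) and all(_RDN_RE.match(r) for r in split_dn(dn))


def group_exists(cn, base, group_dns):
    """True if a group named cn sits directly under base in group_dns."""
    want = ("cn=%s,%s" % (cn, base)).lower()
    return any(d.lower() == want for d in group_dns)


def check_identity_store_params(p, group_dns):
    """Return ERROR/WARN strings for a createUserIdentityStore parameter dict."""
    findings = []
    for key in ("userSearchBase", "groupSearchBase", "principal"):
        if not is_valid_dn(p.get(key, "")):
            findings.append("ERROR: %s is not a well-formed DN" % key)
    url = urlsplit(p.get("ldapUrl", ""))
    try:
        port_ok = url.port is not None and 1 <= url.port <= 65535
    except ValueError:  # e.g. the literal "<oid port>" placeholder
        port_ok = False
    if url.scheme not in ("ldap", "ldaps") or not url.hostname or not port_ok:
        findings.append("ERROR: ldapUrl must look like ldap(s)://host:port")
    elif url.scheme == "ldap":
        findings.append("WARN: ldap:// sends the bind credential in clear; "
                        "prefer ldaps:// to the OID SSL port")
    # The page's note: roleSecAdmin must be a group under groupSearchBase,
    # otherwise OAM treats it as a single user name for console access.
    if is_valid_dn(p.get("groupSearchBase", "")) and not group_exists(
            p.get("roleSecAdmin", ""), p["groupSearchBase"], group_dns):
        findings.append("WARN: roleSecAdmin group not found under "
                        "groupSearchBase; only a user of that name would "
                        "get Administration Console access")
    if "credential" not in p and not os.environ.get("OAM_IDSTORE_BIND_PASSWORD"):
        findings.append("ERROR: no bind credential (set OAM_IDSTORE_BIND_PASSWORD)")
    return findings


def build_wlst_command(p, credential):
    """Render the WLST call in the argument order the page uses."""
    order = ["name", "principal", "credential", "type", "userAttr",
             "ldapProvider", "roleSecAdmin", "userSearchBase", "ldapUrl",
             "isPrimary", "userIDProvider", "groupSearchBase"]
    values = dict(p, credential=credential)
    args = ", ".join('%s="%s"' % (k, values[k].replace('"', '\\"'))
                     for k in order)
    return "createUserIdentityStore(%s)" % args


if __name__ == "__main__":
    for line in check_identity_store_params(SAMPLE_PARAMS, SAMPLE_GROUP_DNS):
        print(line)
    pw = os.environ.get("OAM_IDSTORE_BIND_PASSWORD", "<bind-password>")
    print(build_wlst_command(SAMPLE_PARAMS, pw))
```

    Run it once with the real host and port substituted and OAM_IDSTORE_BIND_PASSWORD exported; anything reported as ERROR should be fixed before the command is pasted into WLST, and the ldap:// warning is the cue to point ldapUrl at the OID SSL port where one is configured, since the orcladmin bind password otherwise crosses the network unencrypted.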

  25. Start the Oracle Identity Manager Configuration Wizard, as described in Starting the Oracle Identity Manager 11g Configuration Wizard.

  26. Configure Oracle Identity Manager Server, as described in Configuring OIM Server. When configuring Oracle Identity Manager Server, ensure that you select the Enable LDAP Sync option on the LDAP Sync and OAM Screen in the Oracle Identity Manager Configuration Wizard.

  27. Follow the wizard and the steps described in Configuring OIM Server to complete the Oracle Identity Manager Server configuration. Similarly, follow the wizard to configure Oracle Identity Manager Design Console (Windows only) and to configure Oracle Identity Manager Remote Manager, as described in Configuring OIM Design Console and Configuring OIM Remote Manager.

Note:

If weblogic is not your WebLogic administrator user name, you must complete a set of manual steps after starting the servers. For more information, see Optional: Updating the WebLogic Administrator Server User Name in Enterprise Manager (OIM Only).