Oracle® Access Manager Installation Guide
After you install the Identity Server and the WebPass, you must set up and configure the Identity System to work within your environment.
This chapter explains how to set up the Identity System and configure the required attributes.
During setup, specifications are saved whenever you click the Next button. If you leave setup and restart it later, you are returned to the same place.
After the first Identity Server and WebPass are installed, you need to set up the Identity System to complete associations and make the system functional. This process is completed using a Web browser.
During the setup process, you enter information about your directory server and configure required LDAP person and group object classes with Oracle Access Manager-specific information. This associates the Identity Server with the WebPass and extends the directory server schema to include the product branch and attributes. For example, the Identity System requires attributes assigned to the Full Name, Login, and Password semantic types for Person and Group object classes. For details, see "About Oracle Access Manager Object Classes".
You must complete the entire setup process before you can use the Identity System applications. During setup, the information that you supply is saved as you progress from one page to the next. You may leave the setup process and restart it at any time. In this case, you will continue with the question that follows your last entry.
Some information may appear in the setup pages automatically based on the updated schema. If you did not automatically update your schema during Identity Server installation, a sequence of Schema Changes pages appear when you begin the setup. The pages are self explanatory and are not covered here.
The setup process described in this chapter applies only to the first Identity Server instance that connects to a given directory server. You may install multiple Identity Servers, all associated with the same directory server. The setup process for the second or successive Identity Server instances is described in "About Installing Multiple Identity Servers".
Be sure to review the following important considerations before starting to set up the Identity System:
Certificates Generated by a Subordinate CA—The root CA's certificate must be present in the ois_chain.pem along with the subordinate CA certificate. Both certificates must be present to ensure appropriate verification for successful Identity System setup.
Multiple User Data Directories—If you intend to have more than one user data directory and searchbase, specify the main user data directory and searchbase during Identity System setup. Add one or more database profiles for the disjoint name spaces after setup is complete, as described in the Oracle Access Manager Identity and Common Administration Guide.
Active Directory—Read "Installation and Setup Considerations for Active Directory" before proceeding. When you are installing Oracle Access Manager within a Microsoft Active Directory forest, additional steps are needed during setup:
Check the box beside Dynamic Auxiliary Object Classes to enable this feature when asked.
Ensure the semantic-type "Login" has been assigned to one attribute and that the people you select as a Master Administrator all have a value for the login attribute. For more information, see "Configuring Master Administrators" and the Oracle Access Manager Identity and Common Administration Guide.
If you are using Active Directory with ADSI, you must:
Complete the ADSI setup procedure before Identity System setup, as described in "Setting Up ADSI (Optional)".
Check the Enable ADSI option when you specify the directory server type during setup to enable native integration with Active Directory and allow implicit failover and native password changes.
This creates a default directory profile and an associated database agent. With this configuration, the directory profile (db agent) is automatically assigned a name using a default Identity-computername convention. You should modify this name to reflect your respective domain name to facilitate user authentication. The resulting directory profile enables the associated Identity Server to perform all operations with a primary domain controller in your Active Directory tree using an Implicit Bind.
Active Directory Application Mode—Read Appendix B, "Installing Oracle Access Manager with ADAM" before proceeding.
Data Anywhere (Oracle Virtual Directory Server)—inetOrgPerson and groupOfUniqueNames for person and group object classes are required when Oracle Access Manager is configured for Oracle Virtual Directory. Before you set up the Identity System for use with Data Anywhere, read Chapter 10, "Setting Up Oracle Access Manager with Oracle Virtual Directory" and complete activities as specified.
Novell eDirectory: To define "domain" as a possible CONTAINMENT object under which the "o=Oblix" (oblixconfig) objectclass can exist before browser-based setup, see "Novell eDirectory Issues".
Oracle Internet Directory: For multiple realm installations and working with multiple directory services, see the Oracle Access Manager Identity and Common Administration Guide for post-installation details. See the task overview that follows for additional information about ensuring full interaction between Oracle Access Manager and Oracle Internet Directory.
Be sure that you have completed the Oracle Internet Directory tuning procedure in "Tuning for Oracle Internet Directory".
During Identity System setup, configure the orclUserV2 objectclass and associate this auxiliary object class with the Employees tab in the User Manager. This enables you to manage orclUserV2 attributes in Oracle Internet Directory user entries through the Identity System Console.
You can complete the next step either during Identity System setup or later, by adding the Oracle Internet Directory searchbases using the Identity System Console.
Configure the Identity System to use both the user and group searchbases that Oracle Internet Directory uses to ensure that both Oracle Access Manager and Oracle Internet Directory can "see" every new user or group within a given Oracle Internet Directory instance, regardless of the application (Oracle Access Manager or Oracle Internet Directory) that created the user or object.
After Identity System setup, manually configure the auxiliary class (orclGroup) through the Identity System Console.
Configure a new group type for this auxiliary objectclass using the Oracle Access Manager Group Manager interface. See the Oracle Access Manager Identity and Common Administration Guide for details about configuring a group type.
Include at least one attribute from orclGroup in the workflow defined for creating group objects through the Identity System. This ensures that groups created through the Group Manager belong to the orclGroup objectclass and can be managed through Oracle Internet Directory Oracle Delegated Administration Services.
In Oracle Internet Directory, index all the attributes previously marked as "searchable" through Oracle Access Manager. This ensures that all attributes used in an LDAP filter can be searched by Oracle Internet Directory.
Complete the following activities to determine which attributes have been marked as searchable for the User Manager, Group Manager, and Org. Manager:
From the Identity System Console, click the appropriate application's Configuration tab (User Manager Configuration, for example).
On the application's configuration page, click Tabs then click a name in the Existing Tabs list (Employees, for example).
On the View Tab page, click the View Search Attributes button.
Repeat the preceding steps for all applications (User Manager, Group Manager, and Org. Manager) and for each existing tab within the application.
Use the Oracle Directory Manager or the Oracle Internet Directory Self-Service Console to ensure that EMailAdminsGroup is not a member of UMAdminsGroup. This allows Nested Group searches, while also preventing endlessly recursive searches that may cause the Access Server to fail.
LDAP referrals and continuation references are not supported when Oracle Access Manager is used in conjunction with Oracle Internet Directory.
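The nested-group restriction above (EMailAdminsGroup must not be a member of UMAdminsGroup) is one instance of a general hazard: any membership cycle makes a Nested Group search recurse without end. The following Python script is an added example, not part of this guide or of Oracle Access Manager. It works on a constructed in-memory map of group DNs to uniqueMember values (a real deployment would read these from the directory) and shows both how to detect such cycles before setup and how a resolver that tracks visited groups terminates even when a cycle exists.

```python
"""Detect cyclic nested-group membership before it breaks Nested Group searches.

Added example, not part of the Oracle documentation or product. GROUPS is a
constructed in-memory stand-in for groupOfUniqueNames entries read from the
directory: group DN -> list of uniqueMember DNs (users or other groups).
"""
from typing import Dict, List, Set

GROUPS: Dict[str, List[str]] = {
    "cn=UMAdminsGroup,ou=groups,dc=example,dc=com": [
        "uid=alice,ou=people,dc=example,dc=com",
        "cn=EMailAdminsGroup,ou=groups,dc=example,dc=com",
    ],
    "cn=EMailAdminsGroup,ou=groups,dc=example,dc=com": [
        "uid=bob,ou=people,dc=example,dc=com",
        # The back-edge the guide warns about: EMailAdminsGroup contains
        # UMAdminsGroup while UMAdminsGroup already contains EMailAdminsGroup.
        "cn=UMAdminsGroup,ou=groups,dc=example,dc=com",
    ],
    "cn=Auditors,ou=groups,dc=example,dc=com": [
        "uid=carol,ou=people,dc=example,dc=com",
    ],
}


def find_membership_cycles(groups: Dict[str, List[str]]) -> List[List[str]]:
    """Return each membership cycle as a list of group DNs that starts and ends
    at the same group. Depth-first search with three colours: a member that is
    still on the current path (grey) closes a cycle."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {dn: WHITE for dn in groups}
    cycles: List[List[str]] = []

    def visit(dn: str, path: List[str]) -> None:
        colour[dn] = GREY
        path.append(dn)
        for member in groups.get(dn, []):
            if member not in groups:      # a user entry: membership stops here
                continue
            if colour[member] == GREY:    # member is an ancestor on the path
                cycles.append(path[path.index(member):] + [member])
            elif colour[member] == WHITE:
                visit(member, path)
        path.pop()
        colour[dn] = BLACK

    for dn in groups:
        if colour[dn] == WHITE:
            visit(dn, [])
    return cycles


def resolve_users(groups: Dict[str, List[str]], group_dn: str) -> Set[str]:
    """Expand nested membership to the set of user DNs. The visited set makes
    the expansion terminate even on cyclic data, which is the defensive
    behaviour a resolver needs so one bad membership cannot hang it."""
    users: Set[str] = set()
    visited: Set[str] = set()
    stack = [group_dn]
    while stack:
        dn = stack.pop()
        if dn in visited:
            continue
        visited.add(dn)
        for member in groups.get(dn, []):
            if member in groups:
                stack.append(member)
            else:
                users.add(member)
    return users


if __name__ == "__main__":
    for cycle in find_membership_cycles(GROUPS):
        print("membership cycle:", " -> ".join(cycle))
    um = "cn=UMAdminsGroup,ou=groups,dc=example,dc=com"
    print("UMAdminsGroup resolves to", sorted(resolve_users(GROUPS, um)))
```

Run it against an export of your group entries before setup; any cycle it reports is a membership you should remove, since the Access Server's Nested Group search has no such visited-set guard.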
Before you begin installing the WebGate, confirm that you have completed the tasks in Table 6-1. Failure to complete all prerequisites may adversely affect your installation.
Table 6-1 Identity System Setup Prerequisites Checklist
Checklist: Identity System Setup Prerequisites
[ ] Review and complete all prerequisites and requirements that apply to your environment, as described in Part I, "Installation Planning and Prerequisites".
[ ] Complete all activities in Chapter 4, "Installing the Identity Server".
[ ] Complete all activities in Chapter 5, "Installing WebPass".
[ ] Oracle Internet Directory: Review details in "Identity System Setup Considerations" so that you can perform appropriate activities during Identity System setup.
[ ] Novell eDirectory: Review details in "Novell eDirectory Issues".
Refer to your completed installation preparation worksheets as you complete Identity Server setup. The setup process has been divided into the following procedures to help guide you:
Initiate the process as described in "Starting the Setup Process".
Identify the directory server and data locations as discussed in "Specifying Directory Server and Data Location Details".
Define Person and Group object class details as explained in "Specifying Object Class Details".
Verify the changes to object classes as discussed in "Confirming Object Class Changes".
Identify the person to manage the entire system as described in "Configuring Master Administrators".
Finish setup as described in "Completing Identity System Setup".
You complete this procedure to start the Identity System setup.
If you just confirmed your WebPass installation and the Identity System Console setup page is currently available, skip to step 2.
Navigate to the Identity System Console from your browser by specifying the following URL for your environment. For example:
where hostname is the computer that hosts the WebPass Web server, port is the HTTP port number of the WebPass Web server instance, and /identity/oblix connects to the Identity System Console.
Click the Identity System Console link.
The System Console setup page appears.
Click the Setup button.
If You Updated the Schema During Identity Server Installation—Skip to "Specifying Directory Server and Data Location Details".
If You Did Not Update the Schema During Identity Server Installation—A Schema Changes page appears and you complete step 5. For additional information, see "Updating the Schema and Attributes Automatically Versus Manually".
Schema Changes—Complete activities described on the Schema Changes page, if this appears, then continue.
Complete the procedures in the following discussions and see Chapter 21, "Important Notes" for more information.
You need to specify details about the directory server where user data and configuration data are stored.
The Data Anywhere directory server option is available only for the user data directory server and integration with Oracle Virtual Directory Server (VDS). Before you set up the first Identity Server for use with Data Anywhere, read Chapter 10, "Setting Up Oracle Access Manager with Oracle Virtual Directory" and complete activities as specified.
Typically, details about the user data are requested first, then details about configuration data. Information you supplied during the schema update usually appears on setup pages.
When user data and configuration data are stored separately, you repeat the sequence to specify directory server details.
Specify your user data directory server type. For example:
Next, you are asked for the location of the user data directory server. If you updated the schema during installation, most details will be filled in already.
Specify the user data directory server details based on your installation, then click Next. For example:
Host—The user data directory server DNS host name
Port Number—The user data directory server port number
Root DN—The user data directory server bind DN
Root Password—Password for the bind DN
Directory Server Security Mode—Unsecured or SSL-enabled between the user data directory server and Identity Server
Is Oracle data stored in this directory also?—Yes (default) or No
If user data is stored separately from configuration data, a similar page appears where you can enter information for the configuration data directory. However, that sequence is not repeated here.
A new page asks you to specify the location of user and configuration data.
Enter the configuration bind DN and user data searchbase to be used.
For example, when the data is stored in the same directory:
When user data and configuration data are stored separately, the configuration DN and searchbase must be unique. Also, you will see details about each directory to the right of each field.
Click Next and continue with "Specifying Object Class Details".
The next sequence in the Identity System setup process asks for details about your Person and Group object classes. This discussion is divided into the following topics:
About Oracle Access Manager Object Classes provides an overview, which you may skip if you are already familiar with these concepts.
Specifying Person and Group Object Classes provides the procedure to accomplish this task.
For details about setting up the Identity System to operate with Oracle Internet Directory, see "Task overview: Ensuring full interaction between Oracle Access Manager and Oracle Internet Directory".
In the directory server, Oracle Access Manager stores data as objects. Each object is composed of attributes and their values, which are displayed on Profile pages for each application in the Identity System. All objects are associated with an object class.
The Identity System includes its own object classes, which must be added to your directory server schema. These object classes begin with the prefix "ob" and contain functional information for the Identity System. You may configure additional object classes after you set up the Identity System.
Oracle Access Manager requires at least one Person object class and one Group object class, which must be set up before you can log in to Identity System applications. For more information, see "About Person and Group Object Classes".
To save time and avoid errors, Oracle recommends that you automatically configure both the Person and Group object classes during Identity System setup.
Automatic configuration adds attributes to the Person and Group object classes. Specifically, the attributes for default display name, semantic type, and display type are added. Before you can log in to Identity System applications, attributes must be assigned to the following semantic types: Full Name, Login, and Password.
You may reconfigure attributes after setup, if needed, to define your own object classes and attributes and to incorporate unique requirements for your enterprise.
You complete the following procedure to specify Person and Group object class details. If you do not use the recommended Auto configure option, you must do this manually, as described in "Configuring Attributes Manually". Only partial pages are shown here to illustrate a completed setup page.
inetOrgPerson and groupOfUniqueNames are required for user and group object classes when Oracle Access Manager is configured for Oracle Virtual Directory.
Enter your Person object class for the User Manager. For example:
As shown, the Auto configure objectclass feature is enabled by default to help streamline the configuration process. Later during this setup process, you can verify and accept, or change, the automatic configuration. You may disable this feature to manually configure the object class.
These instructions are based on automatic configuration of both Person and Group object classes.
Click Next to complete the Person object class configuration (or disable Auto configure object class, then click Next).
The Group object class page appears.
Enter your Group object class for the Group Manager, then click Next to complete the Group object class configuration. For example:
The next page that appears asks you to restart your Identity System. The time it takes for the Identity Server to automatically configure object classes may exceed your Web browser's timeout. If your browser times out waiting for the Identity Server, wait a minute or two and click your browser's Refresh button to continue.
Stop the WebPass Web server instance.
Stop, then restart the Identity Server service.
Start the WebPass Web server instance.
Return to the Identity System setup window and click Next.
What you do after restarting the Identity System depends upon the update method you chose earlier in the setup. For example:
You are presented with object class changes made automatically during this setup. Just review the changes for the specified object class, then click Yes to accept them. You may click No to launch the Configure Attributes function where you can make any corrections.
The following procedure presumes that you enabled automatic configuration for both the Person and Group object classes:
Review the Person object class attribute list.
Click Yes to accept the changes (or No to launch the Configure Attributes function).
If Yes, continue with step 3.
If No, continue with "Configuring Attributes Manually".
Review the Group object class attribute list, then click Yes to accept the changes (or click No to decline the changes) and continue as follows:
After you configure object classes and attributes, you are asked to identify one or more people as a Master Administrator for the entire installation and system.
Be sure to select a person with the appropriate Person object class as the Master Administrator.
The Master Administrator has access to all configuration and management functions. This includes the rights to assign other administrators and perform all tasks other administrators can perform. For example, after the setup process a Master Administrator can assign one or more:
Master Access Administrators who have rights to configure the Access System, including WebGates, Access Servers, authentication parameters, and the initial set of policy domains. This includes the rights to assign individuals to the role of Delegated Access Administrators.
For more information, see the Oracle Access Manager Identity and Common Administration Guide and Oracle Access Manager Access Administration Guide.
On the Configure Administrators setup page, click the Select User button beside Administrators.
The Selector page appears providing two search criteria lists, an empty field where you enter at least three characters on which to search, and buttons to display results.
Locate the person or persons you want by choosing search criteria from the two drop-down lists on the top left (Full Name and That Contains, for example), then entering at least three characters in the empty field, and click the Go button.
The results of your search appear beneath the criteria. By default, 8 results are listed (as indicated in the field beside the Go button). You can use the Previous and Next buttons to navigate through the results, if needed.
Included on the left are control buttons that you can use to add everyone in the list (Add all), or add individuals (by choosing the Add button beside the desired name). When you choose one of these buttons, the name or names you add will appear on the right side of the window under "Selected".
Click the Add button beside the name of the person you want to assign as a Master Administrator.
Confirm that the name you added now appears on both the right side of the window under "Selected", and on the left side.
You may continue to add names as you did in step 3. Also, you can remove names from the "Selected" list using the DEL button beside the name or using the Delete All button.
Click Done to return to the original Configure Administrators page and confirm that the person or persons you wanted to add appear beside Administrators.
The Securing Data Directories page appears explaining things to do following Identity System setup.
The Securing Data Directories page lists the Oracle Access Manager directories that you should protect to maintain the security of the Identity System. You should do both of the following:
Restrict access both from browsers and from network users who reach the directories through the file system. See the documentation for your Web server and operating system if you need instructions on how to protect directories.
Protect the Identity System within an Oracle Access Manager policy domain. See the Oracle Access Manager Access Administration Guide for more information.
Click Done to complete Identity System setup.
The login page for the Identity System appears. Your Identity System setup and minimum configuration are complete.
A default directory profile for this Identity Server is available in the Identity System Console.
Perform any of the following tasks.
Set up more than one Identity Server instance, as described under "Setting Up Other Identity Server Instances".
Install the first Access System component as described in "Installing the Policy Manager" .
Log in to the Identity System as a Master Administrator and complete any of the following tasks, as described in the Oracle Access Manager Identity and Common Administration Guide.
View the directory server profile for this Identity Server by selecting Identity System Console, System Configuration, Directory Profiles, link_to_this_profile.
Set up panels in the User Manager, Group Manager, Organization Manager.
Set up object-based searchbases in the User Manager.
Set up access controls in the User Manager, Group Manager, or Organization Manager.
Create workflow definitions.
Configure options such as the mail server and session settings.
The attribute configuration function helps you either manually complete the minimum configuration necessary to make the Identity System functional or fine-tune attributes that were configured automatically during setup. You can use the procedures here to modify attributes at any time after setup.
The Configure Attributes page appears in the following situations:
You disabled Auto configure object class during Identity System setup, then restarted your Identity Server and Web server.
You enabled Auto configure object class during Identity System setup, restarted your Identity Server and Web server, then clicked No when asked whether the configuration is correct.
You navigated to the Modify Attributes page after setup by selecting Identity System Console, then Common Configuration, then Object Classes, then object_class_link, and then Modify Attributes.
Novell Directory Server (NDS) maps attribute and object class names from the native directory server to the LDAP layer of NDS. Some attributes or object classes will have multiple mappings (aliases) in the LDAP layer. For example, the native NDS object class is Group, while the LDAP layer of NDS maps two aliases called GroupofNames and GroupofUniqueNames.
Confirm that the object class or attribute name you provide during configuration is the one that occurs ahead of the other mappings for the same object class or attribute.
Check the mapping order through ConsoleOne.
Use these instructions to manually set up Person and Group object classes.
To define the minimum Person object class attribute set
On the Configure Attributes page, in the Attribute List, select or enter the following Person object class attribute details:
Attribute—The class attribute for your Person object class; often cn.
Display Name—Name or Full Name
Semantic Type—DN Prefix and Full Name
Display Type—Single Line Text
Click Save, then click OK to close the confirmation message.
In the Attribute List, select or enter the following details to define the login ID attribute:
Attribute—The attribute that defines the login ID of your users; often the uid attribute.
Display Name—Such as Login ID
Display Type—Single Line Text
Click Save, then click OK to close the confirmation message.
In the Attribute List, select or enter the following details to define the surname attribute:
Attribute—The attribute that defines the surname of your users; often sn.
Display Name—Such as Last Name
Display Type—Single Line Text
Do not specify a Semantic Type.
Click Save, then click OK to close the confirmation message.
In the Attribute List, select or enter the following details to define the user password attribute:
Attribute—The attribute that defines the user password; often the password or userPassword attribute.
Display Name—Such as Password
Click Save, then click OK to close the confirmation message.
Click Next to proceed to the page where you configure the Group object class.
To specify the minimum set of Group object class attributes
In the Attribute List, select or enter the following details:
Attribute—The attribute that defines the Group name; often the cn attribute.
Display Name—Such as Group Name
Semantic Type—DN Prefix and Full Name
Display Type—Single Line Text
Click Save, then click OK.
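As an added check for the minimum attribute configuration above, and for the earlier note that every Master Administrator candidate must carry a value for the Login attribute, the following Python script (not Oracle's code) parses a small constructed LDIF sample and reports person and group entries that lack a value for the attributes behind the Full Name, Login and Password semantic types. The mapping cn/uid/userPassword and the inetOrgPerson and groupOfUniqueNames classes are assumptions taken from the guide's "often cn / uid / userPassword" wording and its Oracle Virtual Directory note; change the two dictionaries for a schema that maps the semantic types to other attributes.

```python
"""Check directory entries against the Identity System's minimum attribute set.

Added example, not Oracle code. The semantic-type mapping below and the two
object classes are assumptions (see the lead-in); adjust them for your schema.
"""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# semantic type -> attribute carrying it (assumed mapping)
PERSON_SEMANTIC_TYPES = {"Full Name": "cn", "Login": "uid", "Password": "userPassword"}
GROUP_SEMANTIC_TYPES = {"Full Name": "cn"}
PERSON_CLASS = "inetOrgPerson"
GROUP_CLASS = "groupOfUniqueNames"

# Constructed LDIF sample: a complete person, a person without a login value, one group.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
cn: Alice Example
sn: Example
uid: alice
userPassword: {SSHA}placeholder-hash-value

dn: cn=Bob Example,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
cn: Bob Example
sn: Example
userPassword: {SSHA}placeholder-hash-value

dn: cn=UMAdminsGroup,ou=groups,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: UMAdminsGroup
uniqueMember: uid=alice,ou=people,dc=example,dc=com
"""

Entry = Tuple[str, Dict[str, List[str]]]


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: blank-line separated entries, 'attr: value' lines,
    folded continuation lines starting with a space. Attribute names are stored
    lower-cased because LDAP compares them case-insensitively."""
    entries: List[Entry] = []
    current: Optional[Entry] = None
    last_attr: Optional[str] = None
    for raw in text.splitlines():
        if not raw.strip():                     # blank line ends the entry
            if current is not None:
                entries.append(current)
                current = None
            continue
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and current is not None and last_attr:
            current[1][last_attr][-1] += raw[1:]   # folded line continues the last value
            continue
        attr, _, value = raw.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = (value, defaultdict(list))
            last_attr = None
            continue
        if current is None:
            raise ValueError(f"attribute line before any dn: {raw!r}")
        current[1][attr].append(value)
        last_attr = attr
    if current is not None:
        entries.append(current)
    return entries


def check_minimum_attributes(ldif_text: str) -> Dict[str, List[str]]:
    """Return {dn: [problem, ...]} for each person or group entry lacking a value
    for an attribute behind a required semantic type; empty dict means the
    entries satisfy the minimum configuration."""
    problems: Dict[str, List[str]] = {}
    for dn, attrs in parse_ldif(ldif_text):
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if PERSON_CLASS.lower() in classes:
            required = PERSON_SEMANTIC_TYPES
        elif GROUP_CLASS.lower() in classes:
            required = GROUP_SEMANTIC_TYPES
        else:
            continue                            # not a person or group entry
        missing = [f"{semantic} ({attr}) missing or empty"
                   for semantic, attr in required.items()
                   if not any(attrs.get(attr.lower(), []))]
        if missing:
            problems[dn] = missing
    return problems


def can_be_master_administrator(ldif_text: str, dn: str) -> bool:
    """A Master Administrator candidate must have a value for the Login attribute."""
    login_attr = PERSON_SEMANTIC_TYPES["Login"].lower()
    for entry_dn, attrs in parse_ldif(ldif_text):
        if entry_dn == dn:
            return any(attrs.get(login_attr, []))
    return False


if __name__ == "__main__":
    for dn, issues in check_minimum_attributes(SAMPLE_LDIF).items():
        print(dn, "->", "; ".join(issues))
```

Feed it an LDIF export of your user and group searchbases; entries it reports will not be able to log in (or, for the Login attribute, be selected as Master Administrator) until the missing attribute is populated.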
Continue with the following, as needed:
Configuring the Access Manager SDK for the Identity System, as described in the Oracle Access Manager Identity and Common Administration Guide.
Certain functions in the Identity System require the Access Manager SDK. By default, the Access Manager SDK is installed in a subdirectory under \IdentityServer_install_dir\identity\AccessServerSDK. After Identity System setup, you must manually configure the SDK for the Identity System to enable these functions.
Table 6-2 lists the tasks that should be completed before you set up additional Identity Server instances.
Table 6-2 Preparing to Set Up Additional Identity Servers
Checklist: Setting Up Additional Identity Server Prerequisites
[ ] Review and complete all prerequisites and requirements that apply to your environment, as described in Part I, "Installation Planning and Prerequisites".
[ ] Install Identity Servers, as described in Part II, "Identity System Installation and Setup".
[ ] Complete all activities in "Setting up the Identity System".
[ ] Install additional Identity Servers, as described in "Installing the Identity Server".
Setting up additional Identity Servers that are installed involves only a subset of the original setup process.
Stop all Identity Server services, if you haven't already done so.
Start only the new Identity Server service.
Navigate to the Identity System Console.
The WebPass will attempt to connect to the original Identity Server. When it is unavailable, the WebPass will connect to the new Identity Server and launch the setup page.
Click Setup and follow the instructions to set up the Identity Server, as described in "Setting up the Identity System".
Restart the new Identity Server service when instructed to do so during setup.
Restart other Identity Server services.
Repeat as needed for each additional Identity Server that is installed.