Skip Headers
Oracle® Access Manager Installation Guide
10g (10.1.4.3)

Part Number E12493-01
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Index
Index
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
View PDF

4 Installing the Identity Server

The Identity System must be installed first, before installing the Access System. The Identity Server must be the first Oracle Access Manager component you install. This chapter covers the following topics:

See Also:

"Confirming Certification Requirements"

4.1 About the Identity Server and Installation

The Identity Server must be the first Oracle Access Manager component you install. The Identity Server provides applications through a Web-based interface and processes all requests related to user, group, and organization identification.

Each instance of the Identity Server receives requests through a WebPass plug-in installed on a Web server host. Each instance of the Identity Server reads and writes to your LDAP directory server across a network connection. For more information, see the Oracle Access Manager Introduction.

Separate platform-specific installation packages are provided for the Identity Server in \win32 and \solaris subdirectories. Platform differences are noted in steps as needed. For example:

Windows: \Software\Win32\OracleAccessManager\...

Solaris: /Software/Solaris/OracleAccessManager/...

Note:

If you intend to reuse a Identity Server instance name, see "Recycling an Identity Server Instance Name".

The installation process follows the same sequence regardless of the operating system and whether you choose GUI mode or Console mode.

During installation, the transport security mode you choose will impact the scope of communication details you will be asked for in a later procedure. Also, you will be asked if this is the first Identity Server being installed for the directory server. Your response will determine the scope of activities in later procedures. Any caveats are identified and may be skipped when they do not apply to your environment. For example:

Information is saved at various points during the installation. Should an error be detected in the information you supply, you will be offered the opportunity to restate information or complete a sequence again. After information is saved, you cannot return and restate information.

Two procedures are provided to guide you as you specify directory server details:

A default directory profile is created for this Identity Server based on the information you supply. This profile will be available after you setup the Identity System, as described in Chapter 6, "Setting Up the Identity System".

If you cancel the installation before completing all procedures and after being informed that the Identity Server is being installed, you must uninstall the Identity Server as described in "Uninstalling Oracle Access Manager Components".

For more information, see:

For details about removing an Identity Server instance after installation, see "Uninstalling Oracle Access Manager Components". For details about recycling an Identity Server instance name, see "Recycling an Identity Server Instance Name".

4.1.1 The Identity Server and the Software Developer Kit

Certain functions in the Identity System require the Oracle Access Manager Software Developer Kit (SDK). By default, the SDK is installed in a subdirectory under:

\IdentityServer_install_dir\identity\AccessServerSDK

Following Identity System set up, you must manually configure the SDK for the Identity System to enable the following functions:

  • Automatic cache flush between the Identity System and Access System

    The Identity System uses the AccessGate to communicate with the Access Server (using APIs available with the SDK). AccessGate uses APIs in the SDK that is bundled with the Identity Server. Ensure that the Access Management Service is On in the profiles of the Access Servers with which the AccessGate is associated.

  • Automatic login to the Access System after self-registration.

4.1.2 About Installing Multiple Identity Servers

You might want to install multiple Identity Servers, all associated with the same directory server.

Task overview: Installing additional Identity Servers

  1. Install your first Identity Server, as explained in this chapter.

  2. Install a WebPass, as explained in Chapter 5, "Installing WebPass"

  3. Set up the first Identity Server in the Identity System, as explained in Chapter 6, "Setting Up the Identity System".

  4. Add a new Identity Server instance in the Identity System Console, as described in the Oracle Access Manager Identity and Common Administration Guide.

  5. Associate the new Identity Server instance with a WebPass and specify the priority as Primary, as described in the Oracle Access Manager Identity and Common Administration Guide.

  6. Modify the WebPass instance to set the maximum connections to the appropriate number to communicate with all primary Identity Servers, as described in the Oracle Access Manager Identity and Common Administration Guide.

    You must wait at least one minute before proceeding to Step 7 to ensure that the WebPass configuration file, webpass.xml, is updated with the new instance information. Otherwise, the WebPass instance may not receive the new information and cannot connect to the new Identity Server instance.

  7. Wait at least one minute before stopping all installed Identity Servers.

  8. Install the new Identity Server and indicate that this is not the first Identity Server for this directory server.

    You do not need to update the schema again.

  9. Set up the new Identity Server, as explained in "Setting Up Other Identity Server Instances".

  10. Configure this Identity Server as a failover server, if desired, as explained in the Oracle Access Manager Deployment Guide.

4.1.3 Adding a New Identity Server to an Upgraded Environment

Starting with 10.1.4, the Identity Server uses UTF-8 encoding and plug-in data will contain UTF-8 data. Earlier plug-ins send and receive data in Latin-1 encoding.

Backward compatibility between an upgraded Identity Server and earlier Identity Event plug-ins is automatic when you upgrade an earlier Identity Server to 10.1.4. In this case, a new flag (encoding) is added to the oblixpppcatalog.lst file automatically to ensure backward compatibility with earlier plug-ins. A backward-compatible Identity Server continues to send data to earlier plug-ins in Latin-1 encoding. The format of this is as follows:

actionName;exectype;netpointparam1,...;path;execparam,...;apiVersion;encoding;

When you add a new Identity Server to an upgraded environment, you must manually set the encoding flag in the Identity Server oblixpppcatalog.lst to enable communication with earlier plug-ins and interfaces that need backward compatibility for Latin-1 data. For backward compatibility with Latin-1 data you must set the encoding flag to Latin-1. As shown in the example, this must follow the ApiVersion flag, which specifies the version of the Event API used by the event handler. If the ApiVersion parameter is set to preNP60, then Latin-1 encoding is assumed by default. If no ApiVersion flag is set, you must include an additional semi-colon before the Latin-1 flag to indicate that there is no value for ApiVersion. See the example in the following procedure to see how this is done.

Note:

Before you add a 10g (10.1.4.3) Identity Server to an upgraded environment, ensure that all Oracle Access Manager components are at release 10g (10.1.4.3). Earlier WebGates can co-exist when the Access Server is enabled for backward compatibility.

To add a new Identity Server to an upgraded environment

  1. Upgrade the environment as described in the Oracle Access Manager Upgrade Guide.

  2. Perform activities in "About Installing Multiple Identity Servers".

  3. Locate and open the new Identity Server oblixpppcatalog.lst file in IdentityServer_install_dir\identity\oblix\apps\common\bin\oblixpppcatalog.lst.

  4. Set encoding to Latin-1 after the ApiVersion flag (if there is one) to provide backward compatibility for Latin-1 data. For example:

    From:

    userservcenter_view_pre;lib;;..\..\..\unsupported\ppp\ppp_dll\
         ppp_dll.dll;Publisher_USC_PreProcessingTest_PPP_Automation;
    

    To:

    userservcenter_view_pre;lib;;..\..\..\unsupported\ppp\ppp_dll\
         ppp_dll.dll;Publisher_USC_PreProcessingTest_PPP_Automation;;Latin-1
    
  5. Repeat as needed for entries in this file.

  6. Save the file.

  7. Restart the Identity Server service.

  8. Repeat for each new Identity Server in an upgraded environment as long as backward compatibility is needed.

Note:

When all plug-ins and customizations have been successfully upgraded and backward compatibility is no longer needed, Oracle recommends that you manually reset the encoding flag in all Identity Server oblixpppcatalog.lst files.

4.2 Identity Server Prerequisites Checklist

Before you begin installing the Identity Server, check the tasks in Table 4-1 to ensure they have been completed. Failure to complete prerequisites may adversely affect your Oracle Access Manager installation.

Table 4-1 Identity Server Installation Prerequisites Checklist

Checklist Identity Server Installation Prerequisites
 

Review and complete all prerequisites and requirements that apply to your environment, as described in Part I, "Installation Planning and Prerequisites"


4.3 Installing the Identity Server

Refer to your completed installation preparation worksheets as you install the Identity Server. The installation task is divided into the following procedures:

Task overview: Installing an Identity Server

  1. Start the installation as described in "Starting the Installation".

  2. Continue by "Installing the Identity Server".

  3. Continue with "Specifying a Transport Security Mode".

  4. Identify the Identity Server, as described in "Specifying Identity Server Configuration Details".

  5. Define communication details, as described in "Defining Communication Details".

  6. Define directory server details, as described in "Defining Directory Server Details".

  7. Conclude with "Finishing the Identity Server Installation".

4.3.1 Starting the Installation

You can start the installer in either GUI or console mode, as described in:

Following the program launch, one set of procedures will be provided because the sequence is similar regardless of your platform.

Note:

Skip any details that do not apply to your installation. If you are installing with Microsoft Active Directory, see Appendix A, "Installing Oracle Access Manager with Active Directory" before proceeding.

To start the installation in GUI mode

  1. Log in as a user with administrator privileges.

  2. Copy the Oracle Access Manager packages from the installation media into a temporary directory from which you can install the component and any Language Packs together, at the same time.

  3. Locate and launch the Identity Server installer (including any Identity System Language Packs you want to install).

    For example:

    GUI Method, Windows: Oracle_Access_Manager10_1_4_3_0_Win32_Identity_Server.exe

    The Welcome screen appears.

  4. Dismiss the Welcome screen by clicking Next, then continue as described in "Installing the Identity Server".

    WARNING:

    Due to a problem with Installshield, passwords containing $ or other special character sequences may not be interpreted properly. See "GUI Method".

To start the installation in Console mode

  1. Log in as a user with administrator privileges.

  2. Copy the Oracle Access Manager packages from the installation media into a temporary directory from which you can install the component and any Language Packs.

  3. Locate and launch the Identity Server installer (including any Identity System Language Packs you want to install).

    For example:

    Console Method, Solaris: ./ Oracle_Access_Manager10_1_4_3_0_sparc-s2_Identity_Server

    The Welcome screen appears.

  4. Dismiss the Welcome screen by clicking Next, then continue as described in "Installing the Identity Server" next.

4.3.2 Installing the Identity Server

During this sequence, you must specify the installation directory for your Identity Server. If you have a Language Pack in the same directory as the Identity Server installation package, you will be asked to choose a language.

To install the Identity Server

  1. Respond to the question about administrator rights based upon your platform. For example.

    • Windows: If you are logged in with administrator rights, click Next (otherwise click Cancel, log in as a user with administrator privileges, then restart the installation).

    • UNIX: Specify the username and group that the Identity Server will use, then click Next. Typically, the defaults are "nobody".

      For HP-UX, the defaults are WWW (username) and others (group).

    You are asked to specify the installation directory for the Identity Server. When you do this and click Next, the installation will begin and you will not be able to return to restate the name.

  2. Accept the default directory by clicking Next (or change the destination, then click Next). For example:

    \OracleAccessManager

    You complete step 3 to choose a locale (base language) and other locales (languages) to install. Otherwise, skip to step 4.

  3. Language Pack: Choose a Default Locale to use for the Administrator language and any other Locales to install, then click Next. For example:


    English
    French
    Arabic

    A summary identifies the installation directory and required disk space and asks you to make a note of this information for future reference.

  4. Write the installation directory name in the preparation worksheet if you haven't already, then click Next to continue.

    You are notified that the Identity Server is being installed, which may take several seconds. On Windows systems, the Microsoft Managed Interfaces are being configured.

    Note:

    If a previous version of a Oracle Access Manager component or file is detected, you must specify a new installation directory path or uninstall the existing version.

    You are now asked to specify the transport security mode. At this point you cannot return to restate previous details.

4.3.3 Specifying a Transport Security Mode

Transport security between all Identity System components (Identity Servers and WebPass instances) must match: either all open, all Simple mode, or all Cert. For more information, see "Securing Oracle Access Manager Component Communications".

To specify a transport security mode

  1. Choose the desired mode to use between the Identity Server and its clients: Open, Simple, or Cert.

    If you chose either Simple or Cert, you will be asked for more information later.

  2. Click Next.

    You are now asked for Identity Server configuration details.

4.3.4 Specifying Identity Server Configuration Details

You are asked to identify this Identity Server by entering a unique name that will appear in the Identity System Console. The name you specify must differ from the name of any other Identity Server that accesses the same instance of your LDAP directory server, and cannot contain any blank spaces. You may use this name as a Windows Service name for the Identity Server.

In addition, you are asked to identify the DNS hostname where this Identity Server will be installed and the port number on which this Identity Server communicates with the WebPass (and by extension, with your Web server).

After you describe the Identity Server, you will be asked if this is the first Identity Server to be installed for the directory server. Your answer will determine the scope of activities now and during the setup process after WebPass installation. Selecting Yes indicates that this is the first Identity Server and you will be asked about directory server communication, schema updates, and directory server configuration details.

  • Selecting Yes indicates that this is the first Identity Server. You will be asked about directory server communication, schema updates, and directory server configuration details.

  • Selecting No indicates that an Identity Server has already been set up with this directory server. You will be asked only about directory server communication.

  • On a Windows system, you will also be asked for Active Directory details.

To identify this Identity Server

  1. Enter a unique name for this Identity Server that adheres to the preceding guidelines. For example:

    IdentityServer_1014_6025

  2. Enter the DNS hostname where this Identity Server will be installed. For example:

    DNS_hostname.domain.com

  3. Enter the port number on which this Identity Server communicates with its clients, then click Next. For example:

    6025

  4. Respond when asked if this is the first Identity Server to be installed for the directory server, then click Next.

    For example, when you are installing the first Identity Server only, choose:

    Yes

Regardless of your response to the question about this being the first Identity Server, you are now asked to specify communication details for the directory server and for the transport security mode you chose earlier.

4.3.5 Defining Communication Details

During this sequence, you are asked about securing communication between the Identity Server and your directory server. You may answer No during this installation and set up an SSL connection to the directory later as described in the Oracle Access Manager Identity and Common Administration Guide. In addition, you will be asked to specify Oracle Access Manager transport security details based on the information you supplied earlier.

UNIX Systems: If you are installing on a UNIX system using either Open or Simple transport security for the Identity Server, and this is not the first Identity Server, there are few security options and no directory server details required. In this case, complete the following steps, as needed, then skip to "Finishing the Identity Server Installation".

To define communication details

  1. Check the box beside the appropriate option if you have a certificate and want to enable SSL between the Identity Server and the directory server, then click Next. For example:

    Directory Server ... user data is in SSL

    Directory Server ... configuration data is in SSL

    Note:

    Ensure you have a check mark beside each option if you have a certificate and want to enable SSL for each.
  2. SSL: Specify the path to the root CA certificate, and click Next.

    If you are installing on an Active Directory forest, enter the directory and file name of the retrieved CA certificate. See Appendix A, "Installing Oracle Access Manager with Active Directory".

  3. Complete the transport security dialog according to the mode you chose earlier. For example:

  4. Simple: Enter and confirm the Pass Phrase to authenticate between the Identity Server and WebPass, then click Next and continue as follows:

  5. Certificate: Indicate if you are requesting or installing a certificate, then click Next and continue.

    • If you are installing a certificate, skip to step 7

    • If you are requesting a certificate, continue with step 6

  6. Request Certificate: Complete the following activities:

    • Enter the requested information, then click Next and issue your request for a certificate to your CA.

    • Record certificate file locations, if they are displayed.

    • Click Yes if your certificates are available and continue with step 7 (otherwise click No and skip to "Defining Directory Server Details").

      Note:

      If you selected No, instructions are provided. You do not need a certificate in hand to finish the installation. However, the Identity System cannot be setup until the certificates are copied to \IdentityServer_install_dir\identity\oblix\config and the Identity Server is restarted. See the Oracle Access Manager Identity and Common Administration Guide for details.
  7. Install Certificate: Specify the full paths to the following three files, then click Next:

    IdentityServer_install_dir\identity\oblix\config

    • Certificate file (ois_cert.pem)

    • Key file (ois_key.pem) the installer may know where this is.

    • Chain file (ois_chain.pem)

    Note:

    When using certificates generated by a subordinate CA, the root CA's certificate must be present in the xxx_chain.pem along with the subordinate CA certificate. Both certificates must be present to ensure appropriate verification and successful Identity System setup.

    The information you provided has been saved and you are asked if you want to update the schema. You cannot return to restate details.

  8. Continue with "Defining Directory Server Details", next.

4.3.6 Defining Directory Server Details

What you see and do during this sequence depends in part upon how you responded when asked if this was the first Identity Server to be installed for this directory server. Refer to the following topics and choose the one for this installation:

Note:

If you are installing on a UNIX system and this is not the first Identity Server, skip to "Finishing the Identity Server Installation"

4.3.6.1 Installing the First Identity Server

If you indicated that this is the first Identity Server being installed for the directory server, you will be asked if you want to update your directory server with the Oracle Access Manager schema. This will include Oracle Access Manager-specific workflow definitions, attribute policies, tab and panel configurations, configuration attributes, and the like.

Schema Extension: Oracle recommends that you automatically extend the schema during installation of the first Identity Server. You update the schema only once. Either Yes response will result in questions about directory server type and specifications.

A No response on a Windows system will lead to questions for Active Directory. A No response on a UNIX system will conclude the installation.

Note:

With Novell eDirectory, if you want to specify a domain node as the configuration base during Identity System setup, be sure to see "Novell eDirectory Issues" and complete needed tasks during Identity Server installation.

Separate Data Storage: If you plan to store user data separately from configuration data, see "Data Storage Requirements" for more information.

By default, configuration and user data are presumed to be on the same directory server. With certain directory servers, such as Sun directory servers, data may be stored either together on the same directory server or on different directory servers of the same type.

Note:

The Siemens DirX directory is not supported. However, the installation screen might display DirX as a possible option.

To specify directory server details for the first Identity Server

  1. Select the option that describes your environment. For example:

    Configuration data will be in the user data directory

  2. Select the appropriate schema update option for your environment, then click Next. For example:

    Yes

  3. Select your directory server type for automatic configuration, and click Next. For example:

    Sun

    You are asked for directory server configuration details. If you chose Active Directory for Windows 2003, you will be asked about dynamic auxiliary class support.

  4. Specify your directory server configuration details, then click next. For example:

    • Host name: The DNS host name of the directory server computer

    • Port number: On which the directory server listens (for SSL connections, provide the encrypted port)

    • Bind DN: For the user data directory server

      Note:

      The distinguished name you enter as the bind DN must have full permissions for the user and configuration branches of the directory information tree (DIT). Oracle Access Manager will access the directory server as this account. Examples are provided inTable 4-2 Your directory server configuration may differ.

      Table 4-2 Bind DN for Various Directory Servers

      Directory Server Bind DN

      Active Directory

      or

      Active Directory on Windows Server 2003

      cn=administrator,cn=users,<domain DN>

      Note: This information is required even if you are using ADSI with implicit bind. See Appendix A, "Installing Oracle Access Manager with Active Directory" and the Oracle Access Manager Identity and Common Administration Guide for more information.

      ADAM

      cn=administrator,o=domain.com

      The values represent:

      A Windows security principal user name.

      Domain name of the computer where ADAM is installed.

      Notes: The Master Administrator must be an ADAM user with administrative privileges, not a Windows Security Principal. See Appendix B, "Installing Oracle Access Manager with ADAM" for more information.

      Data Anywhere (Oracle Virtual Directory)

      cn=admin

      IBM Directory Server

      cn=root

      NDS

      cn=admin,o=nds

      Note: Perform activities in "Novell eDirectory Issues", as needed.

      Oracle Internet Directory

      cn=orcladmin

      Note: this is the default, unless you change the person object class during Identity System set up.

      Sun Directory Server

      cn=administrator

      Note: Oracle recommends that you do not use cn=Directory Manager. For details, see "Meeting Directory Server Requirements".


    • Password: The password for the user data directory server bind DN

  5. Click Next and continue as indicated:

    • If Active Directory 2003: You are asked about ADSI (for user data).

    • If configuration data is Separate: Repeat step 4 to specify details for the configuration data directory. The SSL sequence will repeat for this directory, if needed.

    If the schema cannot be updated, you are offered the opportunity to run the sequence again and restate information. If you decline, you must manually update the schema using the ldapmodify utility that ships with LDAP SDK or the following file:

    \IdentityServer_install_dir\identity\oblix\tools\ldap_tools\ds_conf_update.exe

    Note:

    All ldapmodify options can be viewed by using -H option. All ds_conf_update options can be viewed by using the --help option. Both utilities may be used with the Identity Server and Policy Manager installations.

    For an example of the ldapmodify command, see "Updating the Schema and Attributes Automatically Versus Manually". If you choose to update the schema with Oracle Access Manager configuration data using ds_conf_update, the command is:

    ds_conf_update -h DS_hostname -p 389 -D cn=administrator,o=my-company -w passwd
     -i C:\np\ois\identity -d 8 -e C:\errFile.txt -n 3
    

    For more information on the -d option and directory server type input, see "Silent Mode Parameters".

  6. Continue with "Finishing the Identity Server Installation"

4.3.6.2 Installing Additional Identity Servers on Windows

In this sequence you are asked to supply information related to Active Directory. This sequence occurs only when:

  • You indicated that this is not the first Identity Server in the installation

  • You declined the automatic schema update on a Windows system

Note:

Your responses determine the scope of this sequence. Whenever your sequence ends, skip to "Finishing the Identity Server Installation".

To specify Active Directory details on a Windows system

  1. Select No when asked if you want to update the schema, then click Next.

  2. Click Yes if you are using Active Directory with ADSI (or No if you are not), then click Next. For example:

    Yes

    If Yes, continue with step 3. If No, skip to "Finishing the Identity Server Installation"

  3. Click Yes if the computer on which you are installing this Identity Server is in a separate Active Directory domain from the Oracle Access Manager data (otherwise, click No), then click Next. For example:

    No

    If No, continue with step 4 If Yes, skip to "Finishing the Identity Server Installation".

  4. Click Yes if you want to use implicit bind with the directory server (or No if you don't), then click Next. For example:

    Yes

4.3.7 Finishing the Identity Server Installation

You complete the first step only if you are installing on Microsoft Windows. Otherwise, skip to step 2.

To finish the installation

  1. Windows: Specify a unique service name to identify your Identity Server in the Windows Services window, then click Next.

    If the name is already registered as a Windows Service name on this host, you will be asked if you want to try again. In this case, you can either choose Yes to provide a unique name now or No to set this up manually using \IdentityServer_install_dir\identity\oblix\apps\common\bin\config_ois.exe.

    ReadMe information appears.

  2. Scroll through the ReadMe information.

  3. Click Next to display an installation summary.

    The installation summary provides the details that you specified during this installation and instructs you to start the Identity Server at the conclusion of this installation.

  4. Write the details about this installation, if needed, then click Next.

  5. Click Finish to complete the sequence.

    Note:

    If you installed on Linux and intend to use the Native POSIX Thread Library, see "NPTL Requirements and Post-Installation Tasks".
  6. Ensure that the Identity Server service is started to confirm that the Identity Server is installed and operating properly:

    • Windows: Open the Services Window and confirm that the Identity Server service is started.

      On Windows Systems by default, the Identity Server starts automatically. To change the default to manual start, see the Microsoft Windows Help for details.

    • UNIX: Execute the following command to start the service:

      /IdentityServer_install_dir/identity/oblix/apps/common/bin/start_ois_server

      On UNIX systems, the Identity Server must be started manually.

  7. Proceed as appropriate for your environment: in

4.4 Tuning for Oracle Internet Directory

When you have installed Oracle Access Manager 10.1.4 with Oracle Internet Directory 10.1.4, you must execute the ldapmodify command as described in the following procedure to ensure that Oracle Internet Directory is properly tuned for Oracle Access Manager components.

Guidelines

To tune Oracle Internet Directory for Oracle Access Manager

  1. Oracle Internet Directory 10.1.4.0.1: Run the following ldapmodify command to add orclinmemfiltprocess.


    ldapmodify -D "cn=orcladmin" -q -h <OID_host> -p <OID_port> << EOF
    dn: cn=dsaconfig, cn=configsets, cn=oracle internet directory
    changetype: modify
    add: orclinmemfiltprocess
    orclinmemfiltprocess: (|(obuseraccountcontrol=activated)(!(obuseraccountcontrol=*)))
    orclinmemfiltprocess: (|(!(obuseraccountcontrol=*))(obuseraccountcontrol=activated))
    orclinmemfiltprocess: (obapp=groupservcenter) (!(obdynamicparticipantsset=*))
    EOF
  2. Oracle Internet Directory 10.1.4.2:

    1. Go to My Oracle Support (formerly MetaLink) and obtain the one off patch for each of the following items: http://metalink.oracle.com

      6919419: SQL is not optimal when a filter with the NOT clause is configured in ORCLINMEMFILTPROCESS.

      6994169: Some LDAP Searches are slow due to inconsistent database execution plans.

    2. Run the following ldapmodify command to add the orclinmemfiltprocess:


    $ORACLE_HOME/bin/ldapmodify -h <OID_host> -p <OID_port> -D "cn=orcladmin"
    -q -v <<EOF
    dn: cn=dsaconfig, cn=configsets, cn=oracle internet directory
    changetype: modify
    add: orclinmemfiltprocess
    orclinmemfiltprocess: (|(obuseraccountcontrol=activated)(!(obuseraccountcontrol=*)))
    orclinmemfiltprocess: (|(!(obuseraccountcontrol=*))(obuseraccountcontrol=activated))
    orclinmemfiltprocess: (obapp=groupservcenter) (!(obdynamicparticipantsset=*))
    orclinmemfiltprocess: (objectclass==oblixorgperson)
    orclinmemfiltprocess: (objectclass==initorgperson)
    orclinmemfiltprocess: (objectclass==oblixworkflowinstance)
    orclinmemfiltprocess: (objectclass==oblixworkflowstepinstance)
    EOF
  3. Oracle Internet Directory 10.1.4.3.0: Run the following ldapmodify command to replace orclinmemfiltprocess.


    $ORACLE_HOME/bin/ldapmodify -h <OID_host> -p <OID_port> -D "cn=orcladmin"
    -q -v <<EOF
    dn: cn=dsaconfig, cn=configsets, cn=oracle internet directory
    changetype: modify
    replace: orclinmemfiltprocess
    orclinmemfiltprocess: (|(obuseraccountcontrol=activated)(!(obuseraccountcontrol=*)))
    orclinmemfiltprocess: (|(!(obuseraccountcontrol=*))(obuseraccountcontrol=activated))
    orclinmemfiltprocess: (obapp=groupservcenter) (!(obdynamicparticipantsset=*))
    orclinmemfiltprocess: (objectclass==oblixorgperson)
    orclinmemfiltprocess: (objectclass==initorgperson)
    orclinmemfiltprocess: (objectclass==oblixworkflowinstance)
    orclinmemfiltprocess: (objectclass==oblixworkflowstepinstance)
    EOF
  4. After installing the first WebPass, you must ensure that you have configured full interaction between Oracle Access Manager and Oracle Internet Directory as described in Chapter 6, "Setting Up the Identity System".

  5. In a replicated environment, repeat step 1 for each fresh Oracle Internet Directory Server that you install.