|Oracle® Access Manager Installation Guide
The Identity System must be installed first, before installing the Access System. The Identity Server must be the first Oracle Access Manager component you install. This chapter covers the following topics:
The Identity Server must be the first Oracle Access Manager component you install. The Identity Server provides applications through a Web-based interface and processes all requests related to user, group, and organization identification.
Each instance of the Identity Server receives requests through a WebPass plug-in installed on a Web server host. Each instance of the Identity Server reads and writes to your LDAP directory server across a network connection. For more information, see the Oracle Access Manager Introduction.
Separate platform-specific installation packages are provided for the Identity Server in \win32 and \solaris subdirectories. Platform differences are noted in steps as needed. For example:
If you intend to reuse a Identity Server instance name, see "Recycling an Identity Server Instance Name".
The installation process follows the same sequence regardless of the operating system and whether you choose GUI mode or Console mode.
During installation, the transport security mode you choose will impact the scope of communication details you will be asked for in a later procedure. Also, you will be asked if this is the first Identity Server being installed for the directory server. Your response will determine the scope of activities in later procedures. Any caveats are identified and may be skipped when they do not apply to your environment. For example:
Information is saved at various points during the installation. Should an error be detected in the information you supply, you will be offered the opportunity to restate information or complete a sequence again. After information is saved, you cannot return and restate information.
Simple: Complete step 4.
Certificate: Continue with step 5.
Two procedures are provided to guide you as you specify directory server details:
One procedure walks you through installing the first Identity Server for the directory server.
A second procedure walks you through specifying details for additional Identity Servers installed on a Windows system. When you install multiple Identity Servers on a UNIX system, no additional directory server details are needed.
A default directory profile is created for this Identity Server based on the information you supply. This profile will be available after you setup the Identity System, as described in Chapter 6, "Setting Up the Identity System".
If you cancel the installation before completing all procedures and after being informed that the Identity Server is being installed, you must uninstall the Identity Server as described in "Uninstalling Oracle Access Manager Components".
For more information, see:
For details about removing an Identity Server instance after installation, see "Uninstalling Oracle Access Manager Components". For details about recycling an Identity Server instance name, see "Recycling an Identity Server Instance Name".
Following Identity System set up, you must manually configure the SDK for the Identity System to enable the following functions:
Automatic cache flush between the Identity System and Access System
The Identity System uses the AccessGate to communicate with the Access Server (using APIs available with the SDK). AccessGate uses APIs in the SDK that is bundled with the Identity Server. Ensure that the Access Management Service is On in the profiles of the Access Servers with which the AccessGate is associated.
For information about configuring the SDK for the Identity System, see the Oracle Access Manager Identity and Common Administration Guide.
For details about installing the SDK to construct simple AccessGate servlets or applications for each of the supported development platforms, see the Oracle Access Manager Developer Guide.
Automatic login to the Access System after self-registration.
You might want to install multiple Identity Servers, all associated with the same directory server.
Install your first Identity Server, as explained in this chapter.
Install a WebPass, as explained in Chapter 5, "Installing WebPass"
Set up the first Identity Server in the Identity System, as explained in Chapter 6, "Setting Up the Identity System".
Add a new Identity Server instance in the Identity System Console, as described in the Oracle Access Manager Identity and Common Administration Guide.
Associate the new Identity Server instance with a WebPass and specify the priority as Primary, as described in the Oracle Access Manager Identity and Common Administration Guide.
Modify the WebPass instance to set the maximum connections to the appropriate number to communicate with all primary Identity Servers, as described in the Oracle Access Manager Identity and Common Administration Guide.
You must wait at least one minute before proceeding to Step 7 to ensure that the WebPass configuration file, webpass.xml, is updated with the new instance information. Otherwise, the WebPass instance may not receive the new information and cannot connect to the new Identity Server instance.
Wait at least one minute before stopping all installed Identity Servers.
Install the new Identity Server and indicate that this is not the first Identity Server for this directory server.
You do not need to update the schema again.
Set up the new Identity Server, as explained in "Setting Up Other Identity Server Instances".
Configure this Identity Server as a failover server, if desired, as explained in the Oracle Access Manager Deployment Guide.
Starting with 10.1.4, the Identity Server uses UTF-8 encoding and plug-in data will contain UTF-8 data. Earlier plug-ins send and receive data in Latin-1 encoding.
Backward compatibility between an upgraded Identity Server and earlier Identity Event plug-ins is automatic when you upgrade an earlier Identity Server to 10.1.4. In this case, a new flag (
encoding) is added to the oblixpppcatalog.lst file automatically to ensure backward compatibility with earlier plug-ins. A backward-compatible Identity Server continues to send data to earlier plug-ins in Latin-1 encoding. The format of this is as follows:
When you add a new Identity Server to an upgraded environment, you must manually set the
encoding flag in the Identity Server oblixpppcatalog.lst to enable communication with earlier plug-ins and interfaces that need backward compatibility for Latin-1 data. For backward compatibility with Latin-1 data you must set the encoding flag to
Latin-1. As shown in the example, this must follow the
ApiVersion flag, which specifies the version of the Event API used by the event handler. If the
ApiVersion parameter is set to preNP60, then Latin-1 encoding is assumed by default. If no
ApiVersion flag is set, you must include an additional semi-colon before the
Latin-1 flag to indicate that there is no value for
ApiVersion. See the example in the following procedure to see how this is done.
Before you add a 10g (10.1.4.3) Identity Server to an upgraded environment, ensure that all Oracle Access Manager components are at release 10g (10.1.4.3). Earlier WebGates can co-exist when the Access Server is enabled for backward compatibility.
Upgrade the environment as described in the Oracle Access Manager Upgrade Guide.
Perform activities in "About Installing Multiple Identity Servers".
Set encoding to Latin-1 after the
ApiVersion flag (if there is one) to provide backward compatibility for Latin-1 data. For example:
Repeat as needed for entries in this file.
Save the file.
Restart the Identity Server service.
Repeat for each new Identity Server in an upgraded environment as long as backward compatibility is needed.
Before you begin installing the Identity Server, check the tasks in Table 4-1 to ensure they have been completed. Failure to complete prerequisites may adversely affect your Oracle Access Manager installation.
Table 4-1 Identity Server Installation Prerequisites Checklist
|Checklist||Identity Server Installation Prerequisites|
Review and complete all prerequisites and requirements that apply to your environment, as described in Part I, "Installation Planning and Prerequisites"
Refer to your completed installation preparation worksheets as you install the Identity Server. The installation task is divided into the following procedures:
Start the installation as described in "Starting the Installation".
Continue by "Installing the Identity Server".
Continue with "Specifying a Transport Security Mode".
Identify the Identity Server, as described in "Specifying Identity Server Configuration Details".
Define communication details, as described in "Defining Communication Details".
Define directory server details, as described in "Defining Directory Server Details".
Conclude with "Finishing the Identity Server Installation".
You can start the installer in either GUI or console mode, as described in:
Following the program launch, one set of procedures will be provided because the sequence is similar regardless of your platform.
Skip any details that do not apply to your installation. If you are installing with Microsoft Active Directory, see Appendix A, "Installing Oracle Access Manager with Active Directory" before proceeding.
Log in as a user with administrator privileges.
Copy the Oracle Access Manager packages from the installation media into a temporary directory from which you can install the component and any Language Packs together, at the same time.
Locate and launch the Identity Server installer (including any Identity System Language Packs you want to install).
GUI Method, Windows: Oracle_Access_Manager10_1_4_3_0_Win32_Identity_Server.exe
The Welcome screen appears.
Dismiss the Welcome screen by clicking Next, then continue as described in "Installing the Identity Server".
Due to a problem with Installshield, passwords containing $ or other special character sequences may not be interpreted properly. See "GUI Method".
Log in as a user with administrator privileges.
Copy the Oracle Access Manager packages from the installation media into a temporary directory from which you can install the component and any Language Packs.
Locate and launch the Identity Server installer (including any Identity System Language Packs you want to install).
Console Method, Solaris: ./ Oracle_Access_Manager10_1_4_3_0_sparc-s2_Identity_Server
The Welcome screen appears.
Dismiss the Welcome screen by clicking Next, then continue as described in "Installing the Identity Server" next.
During this sequence, you must specify the installation directory for your Identity Server. If you have a Language Pack in the same directory as the Identity Server installation package, you will be asked to choose a language.
Respond to the question about administrator rights based upon your platform. For example.
Windows: If you are logged in with administrator rights, click Next (otherwise click Cancel, log in as a user with administrator privileges, then restart the installation).
UNIX: Specify the username and group that the Identity Server will use, then click Next. Typically, the defaults are "nobody".
For HP-UX, the defaults are WWW (username) and others (group).
You are asked to specify the installation directory for the Identity Server. When you do this and click Next, the installation will begin and you will not be able to return to restate the name.
Accept the default directory by clicking Next (or change the destination, then click Next). For example:
A summary identifies the installation directory and required disk space and asks you to make a note of this information for future reference.
Write the installation directory name in the preparation worksheet if you haven't already, then click Next to continue.
You are notified that the Identity Server is being installed, which may take several seconds. On Windows systems, the Microsoft Managed Interfaces are being configured.
If a previous version of a Oracle Access Manager component or file is detected, you must specify a new installation directory path or uninstall the existing version.
You are now asked to specify the transport security mode. At this point you cannot return to restate previous details.
Transport security between all Identity System components (Identity Servers and WebPass instances) must match: either all open, all Simple mode, or all Cert. For more information, see "Securing Oracle Access Manager Component Communications".
Choose the desired mode to use between the Identity Server and its clients: Open, Simple, or Cert.
If you chose either Simple or Cert, you will be asked for more information later.
You are now asked for Identity Server configuration details.
You are asked to identify this Identity Server by entering a unique name that will appear in the Identity System Console. The name you specify must differ from the name of any other Identity Server that accesses the same instance of your LDAP directory server, and cannot contain any blank spaces. You may use this name as a Windows Service name for the Identity Server.
In addition, you are asked to identify the DNS hostname where this Identity Server will be installed and the port number on which this Identity Server communicates with the WebPass (and by extension, with your Web server).
After you describe the Identity Server, you will be asked if this is the first Identity Server to be installed for the directory server. Your answer will determine the scope of activities now and during the setup process after WebPass installation. Selecting Yes indicates that this is the first Identity Server and you will be asked about directory server communication, schema updates, and directory server configuration details.
Selecting Yes indicates that this is the first Identity Server. You will be asked about directory server communication, schema updates, and directory server configuration details.
Selecting No indicates that an Identity Server has already been set up with this directory server. You will be asked only about directory server communication.
On a Windows system, you will also be asked for Active Directory details.
Enter a unique name for this Identity Server that adheres to the preceding guidelines. For example:
Enter the DNS hostname where this Identity Server will be installed. For example:
Enter the port number on which this Identity Server communicates with its clients, then click Next. For example:
Respond when asked if this is the first Identity Server to be installed for the directory server, then click Next.
For example, when you are installing the first Identity Server only, choose:
Regardless of your response to the question about this being the first Identity Server, you are now asked to specify communication details for the directory server and for the transport security mode you chose earlier.
During this sequence, you are asked about securing communication between the Identity Server and your directory server. You may answer No during this installation and set up an SSL connection to the directory later as described in the Oracle Access Manager Identity and Common Administration Guide. In addition, you will be asked to specify Oracle Access Manager transport security details based on the information you supplied earlier.
UNIX Systems: If you are installing on a UNIX system using either Open or Simple transport security for the Identity Server, and this is not the first Identity Server, there are few security options and no directory server details required. In this case, complete the following steps, as needed, then skip to "Finishing the Identity Server Installation".
Check the box beside the appropriate option if you have a certificate and want to enable SSL between the Identity Server and the directory server, then click Next. For example:
Directory Server ... user data is in SSL
Directory Server ... configuration data is in SSL
Ensure you have a check mark beside each option if you have a certificate and want to enable SSL for each.
SSL: Specify the path to the root CA certificate, and click Next.
If you are installing on an Active Directory forest, enter the directory and file name of the retrieved CA certificate. See Appendix A, "Installing Oracle Access Manager with Active Directory".
Complete the transport security dialog according to the mode you chose earlier. For example:
Simple: Enter and confirm the Pass Phrase to authenticate between the Identity Server and WebPass, then click Next and continue as follows:
Certificate: Indicate if you are requesting or installing a certificate, then click Next and continue.
If you are installing a certificate, skip to step 7
If you are requesting a certificate, continue with step 6
Enter the requested information, then click Next and issue your request for a certificate to your CA.
Record certificate file locations, if they are displayed.
If you selected No, instructions are provided. You do not need a certificate in hand to finish the installation. However, the Identity System cannot be setup until the certificates are copied to \IdentityServer_install_dir\identity\oblix\config and the Identity Server is restarted. See the Oracle Access Manager Identity and Common Administration Guide for details.
Certificate file (ois_cert.pem)
Key file (ois_key.pem) the installer may know where this is.
Chain file (ois_chain.pem)
When using certificates generated by a subordinate CA, the root CA's certificate must be present in the xxx_chain.pem along with the subordinate CA certificate. Both certificates must be present to ensure appropriate verification and successful Identity System setup.
The information you provided has been saved and you are asked if you want to update the schema. You cannot return to restate details.
Continue with "Defining Directory Server Details", next.
What you see and do during this sequence depends in part upon how you responded when asked if this was the first Identity Server to be installed for this directory server. Refer to the following topics and choose the one for this installation:
If you are installing on a UNIX system and this is not the first Identity Server, skip to "Finishing the Identity Server Installation"
If you indicated that this is the first Identity Server being installed for the directory server, you will be asked if you want to update your directory server with the Oracle Access Manager schema. This will include Oracle Access Manager-specific workflow definitions, attribute policies, tab and panel configurations, configuration attributes, and the like.
Schema Extension: Oracle recommends that you automatically extend the schema during installation of the first Identity Server. You update the schema only once. Either Yes response will result in questions about directory server type and specifications.
A No response on a Windows system will lead to questions for Active Directory. A No response on a UNIX system will conclude the installation.
With Novell eDirectory, if you want to specify a domain node as the configuration base during Identity System setup, be sure to see "Novell eDirectory Issues" and complete needed tasks during Identity Server installation.
Separate Data Storage: If you plan to store user data separately from configuration data, see "Data Storage Requirements" for more information.
By default, configuration and user data are presumed to be on the same directory server. With certain directory servers, such as Sun directory servers, data may be stored either together on the same directory server or on different directory servers of the same type.
The Siemens DirX directory is not supported. However, the installation screen might display DirX as a possible option.
Select the option that describes your environment. For example:
Configuration data will be in the user data directory
Select the appropriate schema update option for your environment, then click Next. For example:
If Yes, continue with step 3.
If No and you are installing on a Windows system, skip to "Installing Additional Identity Servers on Windows"
If No and you are installing on a UNIX system, skip to "Finishing the Identity Server Installation"
Select your directory server type for automatic configuration, and click Next. For example:
You are asked for directory server configuration details. If you chose Active Directory for Windows 2003, you will be asked about dynamic auxiliary class support.
Specify your directory server configuration details, then click next. For example:
Host name: The DNS host name of the directory server computer
Port number: On which the directory server listens (for SSL connections, provide the encrypted port)
Bind DN: For the user data directory server
The distinguished name you enter as the bind DN must have full permissions for the user and configuration branches of the directory information tree (DIT). Oracle Access Manager will access the directory server as this account. Examples are provided inTable 4-2 Your directory server configuration may differ.
|Directory Server||Bind DN|
Active Directory on Windows Server 2003
Note: This information is required even if you are using ADSI with implicit bind. See Appendix A, "Installing Oracle Access Manager with Active Directory" and the Oracle Access Manager Identity and Common Administration Guide for more information.
The values represent:
A Windows security principal user name.
Domain name of the computer where ADAM is installed.
Notes: The Master Administrator must be an ADAM user with administrative privileges, not a Windows Security Principal. See Appendix B, "Installing Oracle Access Manager with ADAM" for more information.
Data Anywhere (Oracle Virtual Directory)
IBM Directory Server
Note: Perform activities in "Novell eDirectory Issues", as needed.
Oracle Internet Directory
Note: this is the default, unless you change the person object class during Identity System set up.
Sun Directory Server
Note: Oracle recommends that you do not use cn=Directory Manager. For details, see "Meeting Directory Server Requirements".
Password: The password for the user data directory server bind DN
Click Next and continue as indicated:
If Active Directory 2003: You are asked about ADSI (for user data).
If configuration data is Separate: Repeat step 4 to specify details for the configuration data directory. The SSL sequence will repeat for this directory, if needed.
If the schema cannot be updated, you are offered the opportunity to run the sequence again and restate information. If you decline, you must manually update the schema using the ldapmodify utility that ships with LDAP SDK or the following file:
All ldapmodify options can be viewed by using -H option. All ds_conf_update options can be viewed by using the --help option. Both utilities may be used with the Identity Server and Policy Manager installations.
For an example of the ldapmodify command, see "Updating the Schema and Attributes Automatically Versus Manually". If you choose to update the schema with Oracle Access Manager configuration data using ds_conf_update, the command is:
ds_conf_update -h DS_hostname -p 389 -D cn=administrator,o=my-company -w passwd -i C:\np\ois\identity -d 8 -e C:\errFile.txt -n 3
For more information on the -d option and directory server type input, see "Silent Mode Parameters".
Continue with "Finishing the Identity Server Installation"
In this sequence you are asked to supply information related to Active Directory. This sequence occurs only when:
You indicated that this is not the first Identity Server in the installation
You declined the automatic schema update on a Windows system
Your responses determine the scope of this sequence. Whenever your sequence ends, skip to "Finishing the Identity Server Installation".
Select No when asked if you want to update the schema, then click Next.
Click Yes if you are using Active Directory with ADSI (or No if you are not), then click Next. For example:
Click Yes if the computer on which you are installing this Identity Server is in a separate Active Directory domain from the Oracle Access Manager data (otherwise, click No), then click Next. For example:
Click Yes if you want to use implicit bind with the directory server (or No if you don't), then click Next. For example:
You complete the first step only if you are installing on Microsoft Windows. Otherwise, skip to step 2.
Windows: Specify a unique service name to identify your Identity Server in the Windows Services window, then click Next.
If the name is already registered as a Windows Service name on this host, you will be asked if you want to try again. In this case, you can either choose Yes to provide a unique name now or No to set this up manually using \IdentityServer_install_dir\identity\oblix\apps\common\bin\config_ois.exe.
ReadMe information appears.
Scroll through the ReadMe information.
Click Next to display an installation summary.
The installation summary provides the details that you specified during this installation and instructs you to start the Identity Server at the conclusion of this installation.
Write the details about this installation, if needed, then click Next.
Click Finish to complete the sequence.
If you installed on Linux and intend to use the Native POSIX Thread Library, see "NPTL Requirements and Post-Installation Tasks".
Ensure that the Identity Server service is started to confirm that the Identity Server is installed and operating properly:
Windows: Open the Services Window and confirm that the Identity Server service is started.
On Windows Systems by default, the Identity Server starts automatically. To change the default to manual start, see the Microsoft Windows Help for details.
UNIX: Execute the following command to start the service:
On UNIX systems, the Identity Server must be started manually.
Proceed as appropriate for your environment: in
When you have installed Oracle Access Manager 10.1.4 with Oracle Internet Directory 10.1.4, you must execute the ldapmodify command as described in the following procedure to ensure that Oracle Internet Directory is properly tuned for Oracle Access Manager components.
Oracle recommends that you use Oracle Internet Directory 10.1.4.3.0.
You can skip this procedure if you have Oracle Access Manager installed with Oracle Internet Directory 10.1.2 because the
orclinmemfiltprocess attribute is not supported in the schema until Oracle Internet Directory 10.1.4.
Oracle Internet Directory LDAP tools have been modified to disable the less secure options -w password and -P password when the environment variable LDAP_PASSWORD_PROMPTONLY is set to TRUE (or 1). When you use -q (or -Q), you are prompted for the user password (or wallet password). Oracle recommends that you set the environment variable whenever possible.
Include a space after the attribute orclinmemfiltprocess: and at the start of each continuation line of the attribute value. There is no line break between the attribute orclinmemfiltprocess: and the continuation line.
Use the appropriate step for the version of Oracle Internet Directory that you have deployed with Oracle Access Manager. For example, use Step 3 if you have Oracle Internet Directory 10.1.4.3.0.
Oracle Internet Directory 10.1.4.0.1: Run the following ldapmodify command to add orclinmemfiltprocess.
Oracle Internet Directory 10.1.4.2:
Go to My Oracle Support (formerly MetaLink) and obtain the one off patch for each of the following items:
6919419: SQL is not optimal when a filter with the NOT clause is configured in ORCLINMEMFILTPROCESS.
6994169: Some LDAP Searches are slow due to inconsistent database execution plans.
Run the following ldapmodify command to add the orclinmemfiltprocess:
Oracle Internet Directory 10.1.4.3.0: Run the following ldapmodify command to replace orclinmemfiltprocess.
After installing the first WebPass, you must ensure that you have configured full interaction between Oracle Access Manager and Oracle Internet Directory as described in Chapter 6, "Setting Up the Identity System".
In a replicated environment, repeat step 1 for each fresh Oracle Internet Directory Server that you install.