Oracle® Access Manager Installation Guide
Part Number E12493-01
Before starting activities in this guide, be sure to read the Oracle Access Manager Introduction.
This section provides information and distinctions on the following Oracle-provided product packages:
Oracle provides full Oracle Access Manager 10g (10.1.4.3) installers. Each full installer package includes the libraries and files that implement all product functionality. This is a complete software distribution and includes packages for every component on supported platforms. All of the components have been tested and are certified to work with one another across supported platforms.
Note: You can use 10g (10.1.4.3) installers to create a fresh Oracle Access Manager installation only. For details about upgrading, see "Packages for Upgrading".
An Oracle Media Pack is an electronic version of Oracle software products on physical media (DVDs).
Note: Oracle products that are intended for use with a third party product are not available on physical media. For example, WebGate for Oracle HTTP Server is available on Oracle media; however, WebGate for Apache is available only on virtual media.
Physical Oracle Media Packs are available to any customer working with a Sales Representative. In addition, you can order a physical Media Pack from the Oracle store. Shop online at:
Virtual DVDs and Media Packs are available as follows:
From Oracle Technology Network (OTN) at:
OTN provides links to all Oracle Access Manager components (provided as virtual DVDs) including those that operate with Oracle and third party products:
Oracle Access Manager Core Components (10.1.4.3.0): Identity Server, Access Server, Software Developer Kit; WebPass and Policy Manager (including WebPass and Policy Manager for Oracle HTTP Server 11g); SNMP agent.
Oracle Access Manager WebGate (10.1.4.3.0): WebGates, including those for Oracle HTTP Server 11g; Connectors for Oracle and third-party applications and products. For more information, see "Confirming Certification Requirements".
Oracle Access Manager NLS Packages (10.1.4.3.0): Language Pack installers. For more information, see Chapter 3, "About Multi-Language Environments".
From Oracle edelivery at:
Oracle edelivery provides access to Oracle Fusion Middleware Media Packs that mirror the contents of the physical Media Pack bundle.
When upgrading from Oracle Access Manager release 6.x or 7.x, you must use either:
In-Place Component Upgrade Method with 10g (10.1.4.0.1) installers available on OTN, then apply the 10g (10.1.4.2.0) patch, and then apply the 10g (10.1.4.3) patch.
Zero Downtime Upgrade Method using both 10g (10.1.4.0.1) installers available on OTN and 10g (10.1.4.2.0) patch set packages available on My Oracle Support (formerly MetaLink), and then apply the 10g (10.1.4.3) patch.
For details about upgrading earlier instances to 10.1.4, see the Oracle Access Manager Upgrade Guide.
A patch set is a mechanism for delivering fully tested and integrated product fixes. Patch sets include all of the fixes available in previous bundle patches and patch sets for a particular release. A patch set can also include new functionality. For example, release 10g (10.1.4.3) includes all fixes available in 10g (10.1.4.2.0) and bundle patches up to and including 10g (10.1.4.2.0)-BP07, as well as all enhancements for 10g (10.1.4.3).
Each patch set includes the libraries and files that have been rebuilt to implement bug fixes and new functions. All of the fixes in the patch set have been tested and are certified to work with one another on the specified platforms. However, a patch set might not be a complete software distribution and might not include packages for every component on every platform.
10g (10.1.4.3) patch set packages will be available on My Oracle Support (formerly MetaLink) at:
You can apply the 10g (10.1.4.3) patch set to only 10g (10.1.4.2.0) components. The entire 10g (10.1.4.3) patch set, including patch set notes, 10g (10.1.4.3) manuals, and an updated Oracle Access Manager Upgrade Guide will be available on My Oracle Support (formerly MetaLink).
Note: You cannot use 10g (10.1.4.3) patch set packages for a fresh installation or an upgrade.
A bundle patch is an official Oracle patch for Oracle Access Manager components. Each bundle patch includes the libraries and files that have been rebuilt to implement one or more fixes. All of the fixes in the bundle patch have been tested and are certified to work with one another.
Bundle patches are available following one patch set release and before the next. 10g (10.1.4.3) bundle patches will be available on My Oracle Support (formerly MetaLink) following release of 10g (10.1.4.3) full installers and before the next major Oracle Access Manager release or patch set. See:
Each bundle patch has a unique number so that you can locate it on My Oracle Support (formerly MetaLink). Each bundle patch is cumulative: the latest bundle patch includes all fixes in earlier bundle patches. For example, Oracle Access Manager 10g (10.1.4.3) bundle patch 02 includes all fixes available in 10g (10.1.4.3) bundle patch 01.
See Also: "Obtaining the Latest Bundle Patch"
Oracle provides packages for Oracle Access Manager 10.1.4 components on newly certified platforms. These packages are available under the Oracle Access Manager 3rd Party Integration link on the Oracle Technology Network (OTN) at:
The Readme in the 3rd Party Integration section of the table on OTN describes the contents of virtual CDs that contain Oracle Access Manager 10.1.4.x third-party and Oracle integration components. These are companions to the Oracle Access Manager release CDs containing the base product. 3rd Party packages can include WebGate, WebPass, Application Server Connectors, and Policy Manager packages. For more information, see "Confirming Certification Requirements".
Note: You cannot use third-party integration packages to upgrade earlier components. Oracle Access Manager 10g (10.1.4.3) WebGate packages are released as full installers.
The Identity System is required in all installations. The Access System is optional. For an overview of both the Identity System and the Access System, including a look at a simple installation and an overview of how each system operates, see the Oracle Access Manager Introduction.
The sequence of tasks you must complete to install and set up Oracle Access Manager components is outlined in Figure 1-1 and the expanded task overview that follows it.
Figure 1-1 Installation Task Overview
Complete all prerequisites in Chapter 2, "Preparing for Installation" and review the following information as needed for your environment.
If you are using Oracle Internet Directory in this installation, see also:
If you are using Oracle Virtual Directory in this installation, see also Chapter 10, "Setting Up Oracle Access Manager with Oracle Virtual Directory" and complete all prerequisite tasks before you set up the Identity System.
If you are using Active Directory in this installation, see also Appendix A, "Installing Oracle Access Manager with Active Directory".
If you are including Active Directory Application Mode (ADAM) in this installation, see also Appendix B, "Installing Oracle Access Manager with ADAM".
If you have a multi-language environment, review information on this in Chapter 3, "About Multi-Language Environments".
Install the first Identity Server, as described in Chapter 4, "Installing the Identity Server".
Install the first WebPass, as described in Chapter 5, "Installing WebPass".
Set up the Identity System to ensure that object classes and attributes appear in the directory server and that the Identity Server is working correctly with the WebPass, and assign a Master Administrator who has access to the entire system, as described in Chapter 6, "Setting Up the Identity System".
Install other Identity Servers if needed in this environment, as described in Chapter 4, "Installing the Identity Server".
Install other WebPass instances if needed in this environment, as described in Chapter 5, "Installing WebPass".
Note: If you are installing multiple instances of any component, you can do this automatically after the first instance is installed and set up. See Chapter 15, "Replicating Components" for information about automated installation, cloning, and synchronizing components.
Start configuring and customizing your Identity System now (or after installing optional components). For example:
Define administrators; configure workflows, auditing, and profiles; use applications (User Manager, Group Manager, Organization Manager), configure the system to use installed languages, as described in the Oracle Access Manager Identity and Common Administration Guide.
Configure failover, load balancing, caching; performance tune the Identity System; and take a look at migration planning for a production environment as described in the Oracle Access Manager Deployment Guide.
Explore how to build and deploy Identity Event Plug-ins using the software developer kit (SDK) and APIs, and how to access Identity System functionality programmatically using IdentityXML and WSDL, as described in the Oracle Access Manager Developer Guide.
Install and set up the optional Access System, as follows:
Install and set up the Policy Manager, as described in Chapter 7, "Installing the Policy Manager".
Install the Access Server, which includes adding an Access Server instance in the Access System Console, as described in Chapter 8, "Installing the Access Server".
Install the WebGate, which includes adding a WebGate instance in the Access System Console and associating the WebGate with an Access Server before installation, as described in Chapter 9, "Installing the WebGate".
Start configuring the Access System now (or install other optional components first), as follows:
Define policy domains, authentication schemes, and authorization schemes; allow users to access multiple resources with a single login by configuring single- and multi-domain single sign-on; and design custom login forms as described in the Oracle Access Manager Access Administration Guide.
Configure the Access System for auditing, as described in the Oracle Access Manager Identity and Common Administration Guide.
Create custom WebGates (known as AccessGates), and develop custom authentication and authorization plug-ins using the software developer kit and APIs, as described in the Oracle Access Manager Developer Guide.
Install any other optional Oracle Access Manager components you'd like to use, such as:
SNMP monitoring, as discussed in Chapter 11, "Installing the SNMP Agent"
Oracle-provided Language Packs, which may be installed independently, after component installation, as described in Chapter 12, "Installing Language Packs Independently"
This discussion identifies the options available to you during installation, and tells you where to find more information.
Before installation, decide whether to install components using the GUI method or the command line method, as described in "Installation Methods".
During installation you can choose to enable automatic updates of the schema using system-provided defaults, or input your own values for attributes during Identity System and Policy Manager setup, as described in "Updating the Schema and Attributes Automatically Versus Manually".
After installation of the first instance of a component, you can choose to install multiple instances of a component manually or use an automated installation method for multiple instances, as described in "Replicating an Installed Oracle Access Manager Component".
If you have older component files in the installation directory that you specify, you are asked if you want to upgrade to the later release. See "Upgrading an Earlier Release".
During Identity Server and Policy Manager installation, you are asked if you want to automatically update the schema with the configuration data branch. The schema update must occur before you begin the setup process.
Note: Oracle recommends that you update the schema automatically during installation to obtain product-specific object classes and attributes. If you decline the automatic update during installation, a Schema Changes page appears at the beginning of the Identity System and Policy Manager setup process. The automatic schema update is not supported for the ADAM directory.
Custom schema changes must be added after the installation because the Identity Server installation changes the schema. During Identity System and Policy Manager setup, you are prompted to configure various object classes. For example, the Identity System requires attributes assigned to the Full Name, Login, and Password semantic types for Person and Group object classes. Oracle recommends that you automatically configure attributes using the Auto Configure option during setup to save time and avoid errors. You can reconfigure the attributes afterward if needed.
Automatically configuring attributes is a single step in the installation and setup processes, as shown in Table 1-1. With the ADAM directory, however, you must manually update the schema and data after Oracle Access Manager component installation, as described in Appendix B, "Installing Oracle Access Manager with ADAM".
Table 1-1 Automatically Configure the Schema for All Except the ADAM Directory
|Component||Automatic Schema Configuration for All Except ADAM|
Identity Server installation
During the first Identity Server installation, select "Yes" to automatically update the schema.
For second and subsequent Identity Servers, select No.
There are no options for the schema.
Identity System set up
After setup, you may reconfigure attributes, if needed.
Policy Manager installation and set up
Select "Auto Configure" when the option is offered.
After setup, you may reconfigure attributes, if needed.
Access Server installation
There are no options for the schema update.
There are no options for the schema.
Each ldif file is prefixed with a specific directory server type, as shown in Table 1-2. In most cases, you use the ldapmodify tool to perform the update. For example:
ldapmodify -h DS_hostname -p DS_port_number -D bind_dn -q -a -c -f DS_type_oblix_schema_add.ldif
Please enter bind password:
bind successful
Note: The Oracle Internet Directory LDAP tools have been modified to disable the less secure options -w password and -P password when the environment variable LDAP_PASSWORD_PROMPTONLY is set to TRUE or 1. When you use -q (or -Q), the command will prompt you for the user password (or wallet password). Oracle recommends that you set this variable whenever possible.
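A check that can be run over installation scripts before a schema update, as an added example that is not part of the Oracle guide: it flags LDAP tool invocations that pass -w or -P with a value and reports whether LDAP_PASSWORD_PROMPTONLY is set as the note recommends. The sample script, host names, paths, passwords and the match on command names beginning with ldap are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the Oracle guide): audit a script for LDAP tool
# calls that put a password on the command line (-w / -P) instead of
# prompting with -q / -Q. Matching commands named ldap* is an assumption.

# Succeeds when the prompt-only guard from the note is active (TRUE or 1).
prompt_only_enabled() {
    case "${LDAP_PASSWORD_PROMPTONLY:-}" in
        TRUE|1) return 0 ;;
        *)      return 1 ;;
    esac
}

# Print "LINE:FLAG" for each ldap* invocation in file $1 that passes -w or -P
# with a value. Flags are case-sensitive: -p (port) and -W are not flagged.
# Limitation: commands continued across lines with a backslash are not joined.
find_inline_ldap_passwords() {
    awk '
    {
        in_ldap = 0
        for (i = 1; i <= NF; i++) {
            tok = $i
            if (tok ~ /^#/) break                 # rest of the line is a comment
            if (tok ~ /(^|\/)ldap[a-z]+$/) { in_ldap = 1; continue }
            if (!in_ldap) continue
            if ((tok == "-w" || tok == "-P") && i < NF) {
                print NR ":" tok                  # separated form: -w value
            } else if (tok ~ /^-[wP]./) {
                print NR ":" substr(tok, 1, 2)    # attached form: -wvalue
            }
        }
    }' "$1"
}

# Constructed sample input: hosts, DNs, paths and passwords are made up.
write_sample() {
    cat > "$1" <<'EOF'
# constructed install script
ldapmodify -h ds.example.com -p 389 -D cn=admin -q -a -c -f DS_type_oblix_schema_add.ldif
ldapmodify -h ds.example.com -p 389 -D cn=admin -w Example1 -a -c -f DS_type_oblix_schema_add.ldif
/opt/example/bin/ldapmodify -h ds.example.com -p 636 -U 2 -W file:/example/wallet -P Example2 -f DS_type_oblix_schema_add.ldif
echo "finished -w is-not-an-ldap-call"
EOF
}

sample=$(mktemp)
write_sample "$sample"
find_inline_ldap_passwords "$sample"     # prints 3:-w and 4:-P
rm -f "$sample"
if prompt_only_enabled; then
    echo "LDAP_PASSWORD_PROMPTONLY is set: -w and -P are disabled"
else
    echo "LDAP_PASSWORD_PROMPTONLY is not set: export it as TRUE before running the tools"
fi
```

Each reported line is a call whose password would be visible in the script and in the process list; switching it to -q (or -Q for the wallet password) moves the secret to the prompt.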
Table 1-2 provides details about the schema update files needed for each directory server type. Included are any index files required for configuration data or user data.
For more information about directory requirements, see "Meeting Directory Server Requirements".
|Directory Server Type||Manual Schema Update Files|
Note: The Active Directory schema is extensible using Ldifde.exe. For more information, see Appendix A, "Installing Oracle Access Manager with Active Directory".
You must manually update the ADAM schema when installing Oracle Access Manager.
The ADAM schema is extensible using Ldifde.exe. For more information, see Appendix B, "Installing Oracle Access Manager with ADAM".
See Chapter 10, "Setting Up Oracle Access Manager with Oracle Virtual Directory" for details about:
Rather than manually installing every instance of a component, you can replicate the configuration of one instance to another after installation and setup of the first instance of a particular component.
There are three methods to choose from:
Automate the installation process using a file that contains installation parameters (known as installing in silent mode).
Clone the configuration.
Synchronize two components or parts of two components.
Silent mode permits installation without user intervention. The Oracle Access Manager installation script takes option and configuration information from a silent mode option file.
Silent mode is intended for new installations only.
For more information on silent mode, see Chapter 15, "Replicating Components".
You can also replicate an installed component by cloning it, or you can synchronize two components or parts of two components.
For more information, see "Cloning and Synchronizing Installed Components".
As described earlier, Oracle Access Manager 10g (10.1.4.3) installers can be used for only a fresh installation. The 10g (10.1.4.3) patch set can be applied to only 10g (10.1.4.2.0) instances.
10g (10.1.4.2.0) Patch Set: This patch set includes utilities that enable you to upgrade 6.x and 7.x components using the zero downtime upgrade method and tools. For more information, see the Oracle Access Manager Upgrade Guide.
10g (10.1.4.0.1) Installers: These packages can be used to install a fresh 10g (10.1.4.0.1) instance and are also needed when you choose to upgrade 6.x and 7.x components using the zero downtime method. You can also use 10g (10.1.4.0.1) installers to upgrade 6.x and 7.x components in place. With the in-place upgrade method, you start installing the component and specify a target directory containing an earlier instance. The earlier component is detected and you are asked if you want to upgrade. For more information, see the Oracle Access Manager Upgrade Guide.
After upgrading, you can apply the latest patches: 10g (10.1.4.2.0) and 10g (10.1.4.3) patch. For more information, see "Obtaining the Latest Installers, Patch Set, Bundle Patch, and Certified Agents".
You may choose to install Oracle Access Manager components using the graphical user interface (GUI method) or using the command-line console (Console method). Regardless of the method you choose, the process is similar. The sequence and prompts detailed in this manual use the GUI method. Any differences will be identified as they occur. For more information, see:
Different installation packages are available for Oracle Access Manager components, depending on your platform and Web server. The sequence of events and the messages are the same regardless of the method you choose when launching the installation.
You obtain the Oracle Access Manager installation media from Oracle. The GUI method is the default for Windows systems when you select the installation package. For example:
Due to known problems with the third-party InstallShield ISMP framework, if any inputs supplied during installation contain the character $, the installer might interpret it unpredictably. For example, if the bind password supplied during the schema update for the first Identity Server is Admin$$, ISMP interprets this as Admin$ while invoking the schema update tool and the update fails citing a "bad credentials error(49)". If this problem is observed during invocation of a particular tool, you may run that tool from the command line.
Note: Every Oracle Access Manager installer that uses the same password may also fail with a credential problem of some type.
See Also: Appendix E for troubleshooting tips
You may use the command-line console method when installing Oracle Access Manager components on UNIX platforms. The console method is the default for UNIX systems. For example:
Note: When using the console method for component installation, you are instructed to:
Press 1 for Next—1 is the default if you press the Enter key.
Press 3 to Cancel
Press 4 to Re-display the information
Occasionally, you will be asked to specify an option number and then enter zero (0) to confirm your choice.