Oracle® Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management (Oracle Fusion Applications Edition) 11g Release 1 (11.1.1.5.0) Part Number E21032-01
This chapter contains the following topics:
Section 17.2, "Integrating Oracle Identity Manager and Oracle Access Manager 11g"
Section 17.3, "Integrating Oracle Identity Federation with Oracle Access Manager 11g"
Once the complete environment is set up, perform the following steps to prepare the environment for Fusion Applications provisioning.
In the previous chapters, when you ran idmConfigTool, the command wrote the parameters that are required for Fusion Applications provisioning to the file idmDomainConfig.param. You use this file as an input to the Fusion Applications provisioning tool.
In addition, because the Fusion Applications domain must interact with the Identity Management domain in SSL mode, you must provide Fusion Applications with a keystore containing the trust point used by the Identity Management domain. You do this by following the steps in the next section.
Note:
If you are using Windows, you must install a UNIX emulation package such as Cygwin in order to run the scripts contained in this section. See http://www.cygwin.com.
When using Cygwin, ensure that you use the "/" character in path names when exporting a variable. For example:
export ORACLE_HOME=c:/oracle/idm
To enable Fusion Applications to communicate with the Identity Management domain using SSL Server Authentication Mode, you must generate a client certificate and provide it to the Fusion Applications provisioning process. To generate this certificate, perform the following steps:
Set the ORACLE_HOME and JAVA_HOME variables. For example, on OIDHOST1, issue these commands:
export ORACLE_HOME=IDM_ORACLE_HOME
export PATH=$JAVA_HOME/bin:$PATH
To generate the certificate, use the tool SSLClientConfig.sh, which is located in ORACLE_COMMON_HOME/bin. For example:
./SSLClientConfig.sh -component cacert
As the command runs, enter the following values when prompted:
LDAP Host Name: policystore.mycompany.com
LDAP Port: 389
LDAP User: cn=orcladmin
Password: Password_for_cn=orcladmin
SSL Domain: IDMDomain
Keystore Password: Enter a password to protect the keystore
Confirm Password: Reenter the password.
The following is typical output from the command:
./SSLClientConfig.sh -component cacert
SSL Automation Script: Release 11.1.1.4.0 - Production
Copyright (c) 2010 Oracle. All rights reserved.
Downloading the CA certificate from a central LDAP location
Creating a common trust store in JKS and Oracle Wallet formats ...
Configuring SSL clients with the common trust store...
Make sure that your LDAP server is currently up and running.
Downloading the CA certificate from the LDAP server...
>>>Enter the LDAP hostname [oidhost1.mycompany.com]: policystore.mycompany.com
>>>Enter the LDAP port: [3060]? 389
>>>Enter your LDAP user [cn=orcladmin]:
>>>Enter password for cn=orcladmin:
>>>Enter the sslDomain for the CA [idm]: IDMDomain
>>>Searching the LDAP for the CA usercertificate ...
Importing the CA certifcate into trust stores...
>>>The common trust store in JKS format is located at /u01/app/oracle/product/fmw/IDM/rootCA/keystores/tmp/trust.jks
>>>The common trust store in Oracle wallet format is located at /u01/app/oracle/product/fmw/IDM/rootCA/keystores/tmp/ewallet.p12
Generate trust store for the CA cert at cn=IDMDomain,cn=sslDomains
>>>Enter a password to protect your truststore:
>>>Enter confirmed password for your truststore:
Create directory /u01/app/oracle/product/fmw/IDM/rootCA/keystores/common
Importing the CA certifcate into trust stores...
>>>The common trust store in JKS format is located at /u01/app/oracle/product/fmw/IDM/rootCA/keystores/common/trust.jks
>>>The common trust store in Oracle wallet format is located at /u01/app/oracle/product/fmw/IDM/rootCA/keystores/common/ewallet.p12
This creates a file called trust.jks, which must be provided to the Fusion Applications provisioning process. After creating this keystore, you must delete the private key entry it contains, so that only the trusted CA certificate is handed over. Use the following command:
keytool -delete -keystore trust.jks -alias testkey -storepass store_password
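A check worth running before trust.jks leaves the Identity Management hosts: that the private key entry really is gone and only trusted certificate entries remain. This added Python example (not part of the guide or of Oracle's tooling) reads the JKS file format directly, verifies the store's integrity digest with the store password, and lists the entry types; the aliases, the store password and the certificate bytes in it are constructed placeholders.

```python
import hashlib
import struct
import time

# JKS layout as keytool writes it: magic, version 2, entry count, the entries, then a 20-byte SHA-1
# integrity digest keyed on the store password. Standard library only; certificate bytes are not parsed.
JKS_MAGIC = 0xFEEDFEED
TAG_PRIVATE_KEY, TAG_TRUSTED_CERT = 1, 2
_SALT = b"Mighty Aphrodite"  # fixed string keytool mixes into the digest


def _jks_digest(password, body):
    # SHA-1 over (store password as UTF-16BE || "Mighty Aphrodite" || every byte before the digest)
    return hashlib.sha1(password.encode("utf-16-be") + _SALT + body).digest()


def build_jks(entries, password):
    """Build a JKS store for the demo. entries: (alias, tag, payload) where payload is the certificate
    bytes for a trusted cert, or (protected_key_bytes, [cert_bytes, ...]) for a private key entry."""
    body = struct.pack(">III", JKS_MAGIC, 2, len(entries))
    for alias, tag, payload in entries:
        a = alias.encode("utf-8")
        body += struct.pack(">IH", tag, len(a)) + a + struct.pack(">Q", int(time.time() * 1000))
        chain = payload[1] if tag == TAG_PRIVATE_KEY else [payload]
        if tag == TAG_PRIVATE_KEY:
            body += struct.pack(">I", len(payload[0])) + payload[0] + struct.pack(">I", len(chain))
        for cert in chain:
            body += struct.pack(">H", 5) + b"X.509" + struct.pack(">I", len(cert)) + cert
    return body + _jks_digest(password, body)


def integrity_ok(data, password):
    """True when the store password reproduces the trailing digest, i.e. the file is intact."""
    return _jks_digest(password, data[:-20]) == data[-20:]


def read_jks(data, password):
    """Verify the digest and list the entries as (alias, entry_type, number_of_certificates)."""
    if not integrity_ok(data, password):
        raise ValueError("JKS integrity check failed: wrong store password or corrupted file")
    magic, version, count = struct.unpack_from(">III", data, 0)
    if magic != JKS_MAGIC or version != 2:
        raise ValueError("not a version-2 JKS keystore")
    pos, entries = 12, []

    def take(fmt):  # one fixed-size big-endian field, then advance
        nonlocal pos
        (v,) = struct.unpack_from(fmt, data, pos)
        pos += struct.calcsize(fmt)
        return v

    def take_bytes(n):  # a blob whose length was just read
        nonlocal pos
        b = data[pos:pos + n]
        pos += n
        return b

    for _ in range(count):
        tag = take(">I")
        alias = take_bytes(take(">H")).decode("utf-8")
        take(">Q")  # creation timestamp, not needed here
        if tag == TAG_PRIVATE_KEY:
            take_bytes(take(">I"))  # the password-protected private key blob
            n_chain = take(">I")
            for _ in range(n_chain):
                take_bytes(take(">H"))  # certificate type, e.g. "X.509"
                take_bytes(take(">I"))  # certificate bytes
            entries.append((alias, "PrivateKeyEntry", n_chain))
        elif tag == TAG_TRUSTED_CERT:
            take_bytes(take(">H"))
            take_bytes(take(">I"))
            entries.append((alias, "trustedCertEntry", 1))
        else:
            raise ValueError("unknown JKS entry tag %d" % tag)
    return entries


def private_key_aliases(data, password):
    """Aliases that still hold a private key; this list must be empty before trust.jks is handed over."""
    return [alias for alias, kind, _ in read_jks(data, password) if kind == "PrivateKeyEntry"]


if __name__ == "__main__":
    ca_cert = b"\x30\x82" + b"\x00" * 30  # constructed placeholder, not a real certificate
    before = build_jks([("testkey", TAG_PRIVATE_KEY, (b"\x00" * 16, [ca_cert])),
                        ("idmdomain-ca", TAG_TRUSTED_CERT, ca_cert)], "store_password")
    print("before keytool -delete:", private_key_aliases(before, "store_password"))  # ['testkey']
    after = build_jks([("idmdomain-ca", TAG_TRUSTED_CERT, ca_cert)], "store_password")
    print("after keytool -delete:", private_key_aliases(after, "store_password"))  # []
```

Against the real file, read_jks(open("trust.jks", "rb").read(), store_password) should list only trustedCertEntry items; keytool -list -v -keystore trust.jks shows the same entry types.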
This section describes how to integrate Oracle Identity Manager and Oracle Access Manager 11g.
This section contains the following topics:
Section 17.2.2, "Copying OAM Keystore Files to OIMHOST1 and OIMHOST2"
Section 17.2.3, "Configuring Oracle Access Manager for Oracle Identity Manager Integration"
Section 17.2.4, "Updating Existing LDAP Users with Required Object Classes"
Section 17.2.5, "Integrating Oracle Access Manager 11g with Oracle Identity Manager 11g"
Ensure that OIM11g has been installed and configured as described in Chapter 13, "Extending the Domain with Oracle Identity Manager."
Ensure that the Oracle Access Manager 11g has been installed and configured as described in Chapter 12, "Extending the Domain with Oracle Access Manager 11g."
Ensure that OHS has been installed and configured as described in Chapter 4, "Installing Oracle HTTP Server."
Ensure that the JTA Transaction Timeout for the domain is 600 seconds or greater. If required, update the timeout value by following these steps:
Open a browser and go to the WebLogic Administration Console at: http://admin.mycompany.com/console
Log in to the WebLogic Administrative Console as an administrative user.
Navigate to Services -> JTA.
If the value for Timeout Seconds is less than 600, click Lock and Edit, then update the value to 600.
Click Save.
Click Activate Changes.
Stop the Administration Server and the Managed Servers as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components."
Start the Administration Server using Node Manager as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components."
Start the Managed Servers in your domain using the WebLogic Administration Console as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components."
If you are using Oracle Access Manager with the Simple Security Transport model, you must copy the OAM keystore files that were generated in Section 12.9, "Creating Oracle Access Manager Key Store" to OIMHOST1 and OIMHOST2. Copy the keystore files ssoKeystore.jks and oamclient-truststore.jks to the directory DOMAIN_HOME/config/fmwconfig on OIMHOST1 and OIMHOST2.
Before integrating Oracle Identity Manager with Oracle Access Manager 11g, you must extend Oracle Access Manager 11g to support Oracle Identity Manager.
To do this, perform the following tasks on IDMHOST1:
Set the environment variables MW_HOME, JAVA_HOME, IDM_HOME and ORACLE_HOME. Set IDM_HOME to IDM_ORACLE_HOME. Set ORACLE_HOME to IAM_ORACLE_HOME.
Create a properties file called config_oam2.props with the following contents:
WLSHOST: adminvhn.mycompany.com
WLSPORT: 7001
WLSADMIN: weblogic
WLSPASSWD: weblogic password
IDSTORE_HOST: idstore.mycompany.com
IDSTORE_PORT: 389
IDSTORE_BINDDN: cn=orcladmin
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_USERSEARCHBASE: cn=Users,dc=mycompany,dc=com
IDSTORE_SEARCHBASE: dc=mycompany,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=mycompany,dc=com
IDSTORE_OAMSOFTWAREUSER: oamLDAP
IDSTORE_OAMADMINUSER: oamadmin
PRIMARY_OAM_SERVERS: oamhost1.mycompany.com:5575,oamhost2.mycompany.com:5575
WEBGATE_TYPE: ohsWebgate10g
ACCESS_GATE_ID: Webgate_IDM
OAM11G_IDM_DOMAIN_OHS_HOST: sso.mycompany.com
OAM11G_IDM_DOMAIN_OHS_PORT: 443
OAM11G_IDM_DOMAIN_OHS_PROTOCOL: https
OAM11G_WG_DENY_ON_NOT_PROTECTED: false
OAM_TRANSFER_MODE: simple
OAM11G_OAM_SERVER_TRANSFER_MODE: simple
OAM11G_IDM_DOMAIN_LOGOUT_URLS: /console/jsp/common/logout.jsp,/em/targetauth/emaslogout.jsp
OAM11G_OIM_WEBGATE_PASSWD: webgate password
OAM11G_SERVER_LOGIN_ATTRIBUTE: uid
COOKIE_DOMAIN: .mycompany.com
OAM11G_IDSTORE_ROLE_SECURITY_ADMIN: OAMAdministrators
OAM11G_SSO_ONLY_FLAG: true
OAM11G_OIM_INTEGRATION_REQ: true
OAM11G_IMPERSONATION_FLAG: true
OAM11G_SERVER_LBR_HOST: sso.mycompany.com
OAM11G_SERVER_LBR_PORT: 443
OAM11G_SERVER_LBR_PROTOCOL: https
COOKIE_EXPIRY_INTERVAL: 120
OAM11G_OIM_OHS_URL: https://sso.mycompany.com:443/
Where:
WLSHOST and WLSPORT are, respectively, the host and port of your administration server, created in Chapter 6, "Creating the WebLogic Server Domain for Identity Management." This is the virtual host name.
WLSADMIN and WLSPASSWD are, respectively, the WebLogic administrative user and password you use to log in to the WebLogic console.
IDSTORE_HOST and IDSTORE_PORT are, respectively, the host and port of your Identity Store directory.
IDSTORE_BINDDN is an administrative user in the Identity Store directory.
IDSTORE_USERSEARCHBASE is the container under which Oracle Access Manager searches for users.
IDSTORE_GROUPSEARCHBASE is the location in the directory where groups are stored.
IDSTORE_SEARCHBASE is the location in the directory where users and groups are stored.
IDSTORE_OAMSOFTWAREUSER is the name of the user you created in Section 11.4.2, "Creating Users and Groups for Oracle Access Manager," to be used to interact with LDAP.
IDSTORE_OAMADMINUSER is the name of the user you created in Section 11.4.2, "Creating Users and Groups for Oracle Access Manager," to access your OAM Console.
PRIMARY_OAM_SERVERS is a comma-separated list of your Oracle Access Manager servers and the proxy ports they use.
Note:
To determine the proxy ports your OAM servers use:
Log in to the OAM console at http://admin.mycompany.com:7001/oamconsole
Click the System Configuration tab.
Expand Server Instances under the Common Configuration section.
Click an Oracle Access Manager server, such as WLS_OAM1, and click Open.
The proxy port is the one shown as Port.
ACCESS_GATE_ID is the name you want to assign to the WebGate.
OAM11G_OIM_WEBGATE_PASSWD is the password you want to assign to the WebGate.
OAM11G_IDM_DOMAIN_OHS_HOST is the name of the load balancer in front of the Oracle HTTP Servers.
OAM11G_IDM_DOMAIN_OHS_PORT is the port that the load balancer listens on.
OAM11G_IDM_DOMAIN_OHS_PROTOCOL is the protocol to use when directing requests at the load balancer.
OAM11G_OAM_SERVER_TRANSFER_MODE is the security model that the Access Servers function in, as defined in Section 12.6.1, "Changing Oracle Access Manager Security Model."
OAM11G_IMPERSONATION_FLAG is set to true if you are using Oracle Fusion Applications.
OAM11G_IDM_DOMAIN_LOGOUT_URLS is set to the various logout URLs.
OAM11G_SSO_ONLY_FLAG configures Oracle Access Manager 11g for authentication-only mode or for normal mode, which supports authentication and authorization. This is set to true for Fusion Applications.
If OAM11G_SSO_ONLY_FLAG is true, the Oracle Access Manager 11g server operates in authentication-only mode, where all authorizations return true by default without any policy validation. In this mode, the server does not have the overhead of authorization handling. This is recommended for applications that do not depend on authorization policies and need only the authentication feature of the Oracle Access Manager server.
If the value is false, the server runs in default mode, where each authentication is followed by one or more authorization requests to the Oracle Access Manager server. WebGate allows or denies access to the requested resources based on the responses from the Oracle Access Manager server.
OAM11G_SERVER_LBR_HOST is the name of the load balancer fronting your site. This and the following two parameters are used to construct your login URL.
OAM11G_SERVER_LBR_PORT is the port that the load balancer is listening on.
OAM11G_SERVER_LBR_PROTOCOL is the URL prefix to use.
COOKIE_DOMAIN is the domain in which the WebGate functions.
WEBGATE_TYPE is the type of WebGate agent you want to create. Valid values are ohsWebgate10g and ohsWebgate11g.
OAM11G_IDSTORE_NAME is the name of the Identity Store. If you already have an Identity Store in place which is different from the default created by this tool, set this parameter to the name of that Identity Store.
Configure Oracle Access Manager using the command idmConfigTool, which is located at IAM_ORACLE_HOME/idmtools/bin.
Note:
When you run the idmConfigTool, it creates or appends to the file idmDomainConfig.param. This file is generated in the same directory that the idmConfigTool is run from. To ensure that the same file is appended to each time the tool is run, always run the idmConfigTool from the directory:
IAM_ORACLE_HOME/idmtools/bin
The syntax of the command on Linux is:
idmConfigTool.sh -configOAM input_file=configfile
The syntax on Windows is:
idmConfigTool.bat -configOAM input_file=configfile
For example:
idmConfigTool.sh -configOAM input_file=config_oam2.props
When the command runs, you are prompted to enter the password of the account you are connecting to the Identity Store with. You are also asked to specify the passwords you want to assign to the accounts:
IDSTORE_PWD_OAMSOFTWAREUSER
IDSTORE_PWD_OAMADMINUSER
Sample command output:
Enter ID Store Bind DN password :
Enter User Password for IDSTORE_PWD_OAMSOFTWAREUSER:
Confirm User Password for IDSTORE_PWD_OAMSOFTWAREUSER:
Enter User Password for IDSTORE_PWD_OAMADMINUSER:
Confirm User Password for IDSTORE_PWD_OAMADMINUSER:
The tool has completed its operation. Details have been logged to automation.log
Check the log file for any errors or warnings and correct them.
Restart WebLogic Administration Server, as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components."
You must update existing LDAP users with the object classes OblixPersonPwdPolicy, OIMPersonPwdPolicy, and OblixOrgPerson.
Note:
This is not required in the case of a fresh setup where you do not have any existing users.
On IDMHOST1, create a properties file for the integration called user.props, with the following contents:
IDSTORE_HOST: idstore.mycompany.com
IDSTORE_PORT: 389
IDSTORE_ADMIN_USER: cn=orcladmin
IDSTORE_USERSEARCHBASE: cn=Users,dc=mycompany,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=mycompany,dc=com
PASSWORD_EXPIRY_PERIOD: 7300
Set the environment variables MW_HOME, JAVA_HOME, IDM_HOME and ORACLE_HOME. Set IDM_HOME to IDM_ORACLE_HOME. Set ORACLE_HOME to IAM_ORACLE_HOME.
Upgrade the existing LDAP users using the command idmConfigTool, which is located at IAM_ORACLE_HOME/idmtools/bin.
Note:
When you run the idmConfigTool, it creates or appends to the file idmDomainConfig.param. This file is generated in the same directory that the idmConfigTool is run from. To ensure that the same file is appended to each time the tool is run, always run the idmConfigTool from the directory:
IAM_ORACLE_HOME/idmtools/bin
The syntax of the command is:
idmConfigTool.sh -upgradeLDAPUsersForSSO input_file=configfile
on Linux and UNIX-based operating systems and
idmConfigTool.bat -upgradeLDAPUsersForSSO input_file=configfile
on Windows.
For example:
idmConfigTool.sh -upgradeLDAPUsersForSSO input_file=user.props
When prompted, enter the following information:
The password of the user you are using to connect to your Identity Store.
The directory type: OVD if you are using Oracle Virtual Directory, otherwise OID.
Sample output:
Enter LDAP admin user password :
********* Upgrading LDAP Users With OAM ObjectClasses *********
Enter Directory Type[OID]: OVD
Completed loading user inputs for - LDAP connection info
Completed loading user inputs for - LDAP Upgrade
Upgrading ldap users at - cn=Users,dc=us,dc=oracle,dc=com
Parsing - cn=readOnlyUser,cn=Users,dc=us,dc=oracle,dc=com
objectclass OIMPersonPwdPolicy not present in cn=readOnlyUser,cn=Users,dc=us,dc=oracle,dc=com. Seeding it
objectclass OblixOrgPerson not present in cn=readOnlyUser,cn=Users,dc=us,dc=oracle,dc=com. Seeding it
objectclass OblixPersonPwdPolicy not present in cn=readOnlyUser,cn=Users,dc=us,dc=oracle,dc=com. Seeding it
obpasswordexpirydate added in cn=readOnlyUser,cn=Users,dc=us,dc=oracle,dc=com
Parsing - cn=readWriteUser,cn=Users,dc=us,dc=oracle,dc=com
objectclass OIMPersonPwdPolicy not present in cn=readWriteUser,cn=Users,dc=us,dc=oracle,dc=com. Seeding it
objectclass OblixOrgPerson not present in cn=readWriteUser,cn=Users,dc=us,dc=oracle,dc=com. Seeding it
objectclass OblixPersonPwdPolicy not present in cn=readWriteUser,cn=Users,dc=us,dc=oracle,dc=com. Seeding it
obpasswordexpirydate added in cn=readWriteUser,cn=Users,dc=us,dc=oracle,dc=com
Parsing - cn=weblogic,cn=Users,dc=us,dc=oracle,dc=com
objectclass OIMPersonPwdPolicy not present in cn=weblogic,cn=Users,dc=us,dc=oracle,dc=com. Seeding it
objectclass OblixOrgPerson not present in cn=weblogic,cn=Users,dc=us,dc=oracle,dc=com. Seeding it
objectclass OblixPersonPwdPolicy not present in cn=weblogic,cn=Users,dc=us,dc=oracle,dc=com. Seeding it
obpasswordexpirydate added in cn=weblogic,cn=Users,dc=us,dc=oracle,dc=com
Parsing - cn=oamMasterAdminUser,cn=Users,dc=us,dc=oracle,dc=com
objectclass OIMPersonPwdPolicy not present in cn=oamMasterAdminUser,cn=Users,dc=us,dc=oracle,dc=com. Seeding it
objectclass OblixPersonPwdPolicy not present in cn=oamMasterAdminUser,cn=Users,dc=us,dc=oracle,dc=com. Seeding it
obpasswordexpirydate added in cn=oamMasterAdminUser,cn=Users,dc=us,dc=oracle,dc=com
Parsing - cn=oamSoftwareUser,cn=Users,dc=us,dc=oracle,dc=com
objectclass OIMPersonPwdPolicy not present in cn=oamSoftwareUser,cn=Users,dc=us,dc=oracle,dc=com. Seeding it
objectclass OblixOrgPerson not present in cn=oamSoftwareUser,cn=Users,dc=us,dc=oracle,dc=com. Seeding it
objectclass OblixPersonPwdPolicy not present in cn=oamSoftwareUser,cn=Users,dc=us,dc=oracle,dc=com. Seeding it
obpasswordexpirydate added in cn=oamSoftwareUser,cn=Users,dc=us,dc=oracle,dc=com
Parsing - cn=PolStoreROUser,cn=Users,dc=us,dc=oracle,dc=com
objectclass OIMPersonPwdPolicy not present in cn=PolStoreROUser,cn=Users,dc=us,dc=oracle,dc=com. Seeding it
objectclass OblixOrgPerson not present in cn=PolStoreROUser,cn=Users,dc=us,dc=oracle,dc=com. Seeding it
objectclass OblixPersonPwdPolicy not present in cn=PolStoreROUser,cn=Users,dc=us,dc=oracle,dc=com. Seeding it
obpasswordexpirydate added in cn=PolStoreROUser,cn=Users,dc=us,dc=oracle,dc=com
Parsing - cn=PolStoreRWUser,cn=Users,dc=us,dc=oracle,dc=com
objectclass OIMPersonPwdPolicy not present in cn=PolStoreRWUser,cn=Users,dc=us,dc=oracle,dc=com. Seeding it
objectclass OblixOrgPerson not present in cn=PolStoreRWUser,cn=Users,dc=us,dc=oracle,dc=com. Seeding it
objectclass OblixPersonPwdPolicy not present in cn=PolStoreRWUser,cn=Users,dc=us,dc=oracle,dc=com. Seeding it
obpasswordexpirydate added in cn=PolStoreRWUser,cn=Users,dc=us,dc=oracle,dc=com
Parsing - cn=PUBLIC, cn=Users, dc=us,dc=oracle,dc=com
objectclass OIMPersonPwdPolicy not present in cn=PUBLIC, cn=Users, dc=us,dc=oracle,dc=com. Seeding it
objectclass OblixOrgPerson not present in cn=PUBLIC, cn=Users, dc=us,dc=oracle,dc=com. Seeding it
objectclass OblixPersonPwdPolicy not present in cn=PUBLIC, cn=Users, dc=us,dc=oracle,dc=com. Seeding it
obpasswordexpirydate added in cn=PUBLIC, cn=Users, dc=us,dc=oracle,dc=com
Parsing - cn=orcladmin, cn=Users, dc=us,dc=oracle,dc=com
objectclass OIMPersonPwdPolicy not present in cn=orcladmin, cn=Users, dc=us,dc=oracle,dc=com. Seeding it
obpasswordexpirydate added in cn=orcladmin, cn=Users, dc=us,dc=oracle,dc=com
Parsing - cn=xelsysadm,cn=Users,dc=us,dc=oracle,dc=com
Parsing - cn=xelsysadmin,cn=Users,dc=us,dc=oracle,dc=com
Finished parsing LDAP
LDAP Users Upgraded.
********* ********* *********
See Also:
Oracle Fusion Middleware Integration Overview for Oracle Identity Management Suite for more information about the idmConfigTool command.
This section describes how to integrate Oracle Access Manager 11g with Oracle Identity Manager.
If you have previously performed the tasks in Section 18, "Configuring Single Sign-on for Administration Consoles," you must delete the security providers you created in that section.
To do this:
Log in to the WebLogic Administration Console at: http://admin.mycompany.com/console
Click Security Realms from the Domain structure menu.
Click Lock and Edit in the Change Center.
Click myrealm.
Select the Providers tab.
Select the following providers:
OVDAuthenticator
OIDAuthenticator
OAMIDAssertor
Click Delete.
Click Yes to confirm deletion.
Restart the administration server and all managed servers, as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components."
To integrate Oracle Access Manager 11g with Oracle Identity Manager, perform the following steps on IDMHOST1:
Set the environment variables MW_HOME, JAVA_HOME, IDM_HOME, and ORACLE_HOME, for example:
export IDM_HOME=IDM_ORACLE_HOME
export ORACLE_HOME=IAM_ORACLE_HOME
Create a properties file for the integration called oimitg.props, with the following contents:
LOGINURI: /${app.context}/adfAuthentication
LOGOUTURI: /oamsso/logout.html
AUTOLOGINURI: None
ACCESS_SERVER_HOST: OAMHOST1.mycompany.com
ACCESS_SERVER_PORT: 5575
ACCESS_GATE_ID: Webgate_IDM
COOKIE_DOMAIN: .mycompany.com
COOKIE_EXPIRY_INTERVAL: 120
OAM_TRANSFER_MODE: simple
WEBGATE_TYPE: ohsWebgate10g
SSO_ENABLED_FLAG: true
IDSTORE_PORT: 389
IDSTORE_HOST: idstore.mycompany.com
IDSTORE_DIRECTORYTYPE: OID or OVD
IDSTORE_ADMIN_USER: cn=oamLDAP,cn=Users,dc=mycompany,dc=com
IDSTORE_USERSEARCHBASE: cn=Users,dc=mycompany,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=mycompany,dc=com
MDS_DB_URL: jdbc:oracle:thin:@(DESCRIPTION=(LOAD_BALANCE=on)(FAILOVER=on)(ADDRESS_LIST=(ADDRESS=(protocol=tcp)(host=OIDDBHOST1-vip.mycompany.com)(port=1521))(ADDRESS=(protocol=tcp)(host=OIDDBHOST2-vip.mycompany.com)(port=1521)))(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=oidedg.mycompany.com)))
MDS_DB_SCHEMA_USERNAME: edg_mds
WLSHOST: adminvhn.mycompany.com
WLSPORT: 7001
WLSADMIN: weblogic
DOMAIN_NAME: IDMDomain
OIM_MANAGED_SERVER_NAME: WLS_OIM1
DOMAIN_LOCATION: ORACLE_BASE/admin/IDMDomain/aserver/IDMDomain
Notes:
Set IDSTORE_HOST to your Oracle Internet Directory host or load balancer name if you are using Oracle Internet Directory as your Identity Store. If not, set it to your Oracle Virtual Directory host or load balancer name.
Set IDSTORE_DIRECTORYTYPE to OVD if you are using Oracle Virtual Directory server to connect to either a non-OID directory or Oracle Internet Directory. Set it to OID if your Identity Store is in Oracle Internet Directory and you are accessing it directly rather than through Oracle Virtual Directory.
If your Access Manager servers are configured to accept requests using the simple mode, set OAM_TRANSFER_MODE to simple. Otherwise, set OAM_TRANSFER_MODE to open.
Set IDSTORE_PORT to your Oracle Internet Directory port if you are using Oracle Internet Directory as your Identity Store. If not, set it to your Oracle Virtual Directory port.
If you are using a single-instance database, set MDS_DB_URL to: jdbc:oracle:thin:@DBHOST:1521:SID
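A pre-flight check for the two properties files on this page (config_oam2.props in the previous section and oimitg.props above), as an added Python example that is not part of the guide or of idmConfigTool: it parses the KEY: value format and flags mistakes the tool reports only at run time or not at all (a malformed search-base DN, a cookie domain that does not cover the load balancer host, sample placeholders left unreplaced, disagreeing transfer modes). The key names are those on the page; the sample file and its values are constructed, and the DN grammar is a deliberately simplified assumption.

```python
import re

# Value sets this guide documents for keys of config_oam2.props and oimitg.props.
TRANSFER_MODES = {"open", "simple"}
DN_KEYS = ("IDSTORE_BINDDN", "IDSTORE_ADMIN_USER", "IDSTORE_USERSEARCHBASE",
           "IDSTORE_GROUPSEARCHBASE", "IDSTORE_SEARCHBASE")
PORT_KEYS = ("IDSTORE_PORT", "WLSPORT", "ACCESS_SERVER_PORT",
             "OAM11G_IDM_DOMAIN_OHS_PORT", "OAM11G_SERVER_LBR_PORT")
FLAG_KEYS = ("OAM11G_WG_DENY_ON_NOT_PROTECTED", "OAM11G_SSO_ONLY_FLAG", "OAM11G_OIM_INTEGRATION_REQ",
             "OAM11G_IMPERSONATION_FLAG", "SSO_ENABLED_FLAG")
# Simplified DN grammar (assumption: no escaped commas, no multi-valued RDNs): attr=value(,attr=value)*
_DN_RE = re.compile(r"^[A-Za-z][\w.-]*=[^,=]+(,\s*[A-Za-z][\w.-]*=[^,=]+)*$")
_HOSTPORT_RE = re.compile(r"^[A-Za-z0-9.-]+:\d{1,5}$")


def parse_props(text):
    """Parse the idmConfigTool 'KEY: value' input format; blank lines and '#' comments are skipped."""
    props = {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep or not key.strip():
            raise ValueError("line %d is not 'KEY: value': %r" % (n, raw))
        props[key.strip()] = value.strip()
    return props


def validate_props(props):
    """Return a list of problems (empty means every check passed); only keys that are present are checked."""
    problems, norm = [], (lambda dn: re.sub(r"\s*,\s*", ",", dn).lower())
    for k in DN_KEYS:  # e.g. 'cn=Users,mycompany,dc=com' has an RDN without '=' and would never match
        if k in props and not _DN_RE.match(props[k]):
            problems.append("%s is not a well-formed DN: %s" % (k, props[k]))
    base = props.get("IDSTORE_SEARCHBASE")
    if base and _DN_RE.match(base):  # user and group containers must sit under the search base
        for k in ("IDSTORE_USERSEARCHBASE", "IDSTORE_GROUPSEARCHBASE"):
            v = props.get(k)
            if v and _DN_RE.match(v) and not norm(v).endswith("," + norm(base)):
                problems.append("%s (%s) is outside IDSTORE_SEARCHBASE (%s)" % (k, v, base))
    for k in PORT_KEYS:
        v = props.get(k)
        if v is not None and not (v.isdigit() and 0 < int(v) < 65536):
            problems.append("%s is not a valid TCP port: %s" % (k, v))
    if "PRIMARY_OAM_SERVERS" in props:  # comma-separated host:proxy-port list
        for entry in props["PRIMARY_OAM_SERVERS"].split(","):
            if not _HOSTPORT_RE.match(entry.strip()):
                problems.append("PRIMARY_OAM_SERVERS entry is not host:port: %s" % entry.strip())
    modes = {k: props[k] for k in ("OAM_TRANSFER_MODE", "OAM11G_OAM_SERVER_TRANSFER_MODE") if k in props}
    for k, v in modes.items():
        if v not in TRANSFER_MODES:
            problems.append("%s must be one of %s: %s" % (k, sorted(TRANSFER_MODES), v))
    if len(set(modes.values())) > 1:  # WebGate and OAM server must agree on the transfer mode
        problems.append("OAM_TRANSFER_MODE and OAM11G_OAM_SERVER_TRANSFER_MODE disagree: %s" % modes)
    for k, allowed in (("WEBGATE_TYPE", ("ohsWebgate10g", "ohsWebgate11g")),
                       ("IDSTORE_DIRECTORYTYPE", ("OID", "OVD"))):
        if k in props and props[k] not in allowed:
            problems.append("%s must be one of %s (sample placeholder left in?): %s" % (k, allowed, props[k]))
    for k in FLAG_KEYS:
        if k in props and props[k].lower() not in ("true", "false"):
            problems.append("%s must be true or false: %s" % (k, props[k]))
    # The cookie domain must be a dot-prefixed suffix of the host users are sent to, or the SSO cookie never sticks.
    cookie = props.get("COOKIE_DOMAIN")
    host = props.get("OAM11G_SERVER_LBR_HOST") or props.get("OAM11G_IDM_DOMAIN_OHS_HOST")
    if cookie is not None and not cookie.startswith("."):
        problems.append("COOKIE_DOMAIN must start with '.': %s" % cookie)
    elif cookie and host and not host.lower().endswith(cookie.lower()):
        problems.append("COOKIE_DOMAIN %s does not cover the load balancer host %s" % (cookie, host))
    # The guide sets both flags to true for Fusion Applications; impersonation without SSO-only mode is a mismatch.
    if props.get("OAM11G_IMPERSONATION_FLAG", "").lower() == "true" and \
            props.get("OAM11G_SSO_ONLY_FLAG", "").lower() != "true":
        problems.append("OAM11G_IMPERSONATION_FLAG=true (Fusion Applications) expects OAM11G_SSO_ONLY_FLAG=true")
    for k in ("WLSPASSWD", "OAM11G_OIM_WEBGATE_PASSWD"):  # sample placeholders left unreplaced
        if k in props and props[k].endswith(" password"):
            problems.append("%s still holds the sample placeholder text" % k)
    return problems


def check_props_text(text):
    """Parse and validate one properties file's text in a single call."""
    return validate_props(parse_props(text))


# Constructed sample with three defects: malformed user search base, cookie domain not matching the
# load balancer host, and the WLSPASSWD placeholder left in.
SAMPLE_BAD = """\
WLSPASSWD: weblogic password
IDSTORE_BINDDN: cn=orcladmin
IDSTORE_USERSEARCHBASE: cn=Users,mycompany,dc=com
IDSTORE_SEARCHBASE: dc=mycompany,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=mycompany,dc=com
PRIMARY_OAM_SERVERS: oamhost1.mycompany.com:5575,oamhost2.mycompany.com:5575
OAM_TRANSFER_MODE: simple
OAM11G_OAM_SERVER_TRANSFER_MODE: simple
OAM11G_SERVER_LBR_HOST: sso.mycompany.com
COOKIE_DOMAIN: .us.oracle.com
OAM11G_SSO_ONLY_FLAG: true
OAM11G_IMPERSONATION_FLAG: true
"""
```

Run check_props_text(open("config_oam2.props").read()) before invoking idmConfigTool; anything it returns is worth fixing before the tool writes to OAM.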
Change location to IAM_ORACLE_HOME/server:
cd IAM_ORACLE_HOME/server
Integrate Oracle Access Manager with Oracle Identity Manager using the command idmConfigTool, which is located at IAM_ORACLE_HOME/idmtools/bin.
Note:
When you run the idmConfigTool, it creates or appends to the file idmDomainConfig.param. This file is generated in the same directory that the idmConfigTool is run from. To ensure that the same file is appended to each time the tool is run, always run the idmConfigTool from the directory:
IAM_ORACLE_HOME/idmtools/bin
The syntax of the command is:
idmConfigTool.sh -configOIM input_file=configfile
on Linux and UNIX-based systems, and
idmConfigTool.bat -configOIM input_file=configfile
on Windows.
For example:
IAM_ORACLE_HOME/idmtools/bin/idmConfigTool.sh -configOIM input_file=oimitg.props
When the script runs you are prompted for:
Access Gate Password
SSO Keystore Password
Global Passphrase
Idstore Admin Password
MDS Database schema password
Admin Server User Password
Sample output:
Enter sso access gate password :
Enter mds db schema password :
Enter idstore admin password :
Enter admin server user password :
********* Seeding OAM Passwds in OIM *********
Enter ssoKeystore.jks Password:
Enter SSO Global Passphrase:
Completed loading user inputs for - CSF Config
Updating CSF with Access Gate Password...
WLS ManagedService is not up running. Fall back to use system properties for configuration.
Updating CSF ssoKeystore.jks Password...
Updating CSF for SSO Global Passphrase Password...
********* ********* *********
********* Activating OAM Notifications *********
Completed loading user inputs for - MDS DB Config
Initialized MDS resources
Apr 11, 2011 4:57:45 AM oracle.mds
NOTIFICATION: transfer operation started.
Apr 11, 2011 4:57:46 AM oracle.mds
NOTIFICATION: transfer is completed. Total number of documents successfully processed : 1, total number of documents failed : 0.
Upload to DB completed
Releasing all resources
Notifications activated.
********* ********* *********
********* Seeding OAM Config in OIM *********
Completed loading user inputs for - OAM Access Config
Validated input values
Initialized MDS resources
Apr 11, 2011 4:57:46 AM oracle.mds
NOTIFICATION: transfer operation started.
Apr 11, 2011 4:57:47 AM oracle.mds
NOTIFICATION: transfer is completed. Total number of documents successfully processed : 1, total number of documents failed : 0.
Download from DB completed
Releasing all resources
Updated /u01/app/oracle/product/fmw/IAM/server/oamMetadata/db/oim-config.xml
Initialized MDS resources
Apr 11, 2011 4:57:47 AM oracle.mds
NOTIFICATION: transfer operation started.
Apr 11, 2011 4:57:47 AM oracle.mds
NOTIFICATION: transfer is completed. Total number of documents successfully processed : 1, total number of documents failed : 0.
Upload to DB completed
Releasing all resources
OAM configuration seeded. Please restart oim server.
********* ********* *********
********* Configuring Authenticators in OIM WLS *********
Completed loading user inputs for - Dogwood Admin WLS
Completed loading user inputs for - LDAP connection info
Connecting to t3://adminvhn.mycompany.com:7001
Connection to domain runtime mbean server established
Starting edit session
Edit session started
Connected to security realm.
Validating provider configuration
Validated desired authentication providers
Validated authentication provider state successfuly.
Created OAMIDAsserter successfuly
Created OIDAuthenticator successfuly
Created OIMSignatureAuthenticator successfuly
Setting attributes for OID Authenticator
All attributes set.
Configured in OID Authenticator now
lDAP details configured in OID authenticator
Control flags for authenticators set sucessfully
Reordering of authenticators done sucessfully
Saving the transaction
Transaction saved
Activating the changes
Changes Activated.
Edit session ended.
Connection closed sucessfully
********* ********* *********
Note:
If you have already enabled single sign-on for your WebLogic Administration Consoles as described in Section 18.1, "Configuring Single Sign-On for Administration Consoles with Oracle Access Manager 11g," you might see the following errors when this script is run:
ERROR: Desired authenticators already present. [Ljava.lang.String;@7fdb492]
ERROR: Error occurred while configuration. Authentication providers to be configured already present.
ERROR: Rolling back the operation..
These errors can be ignored.
Check the log file for errors and correct them if necessary.
Restart WLS_OIM1, WLS_OIM2, and the WebLogic Administration Server, as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components."
To validate integration, you must assign Identity Management administrators to WebLogic security groups and install WebGate as described in Chapter 18, "Configuring Single Sign-on for Administration Consoles."
To validate that the wiring of Oracle Access Manager 11g with Oracle Identity Manager 11g was successful, attempt to log in to the Oracle Identity Manager Self Service Console, as follows:
Using a browser, navigate to https://sso.mycompany.com/oim. This redirects you to the OAM11g single sign-on page.
Log in using the xelsysadm user account created in Section 11.4.3, "Creating Users and Groups for Oracle Identity Manager."
If you see the OIM Self Service Console Page, the integration was successful.
Oracle Identity Federation supports two integration modes with Oracle Access Manager: authentication mode and SP mode.
Authentication Mode (IdP)
In the authentication mode, Oracle Identity Federation delegates authentication of the user to Oracle Access Manager.
The user is redirected to an Oracle Identity Federation resource protected by WebGate, which triggers the Oracle Access Manager authentication flow. Once the user is authenticated, the user accesses the resource, and WebGate provides Oracle Identity Federation with an HTTP header containing the user's identity.
SP Mode
In SP mode, Oracle Access Manager delegates user authentication to Oracle Identity Federation, which uses the Federation Oracle Single Sign-On protocol with a remote Identity Provider. Once the Federation Oracle Single Sign-On flow is performed, Oracle Identity Federation creates a local session and then propagates the authentication state to Oracle Access Manager, which maintains the session information.
This section provides the steps to integrate OIF with OAM11g in authentication mode and SP mode.
This section contains the following topics:
Section 17.3.3, "Integrating Oracle Identity Federation with Oracle Access Manager in SP Mode"
Section 17.3.4, "Validating Oracle Identity Federation Integration with Oracle Access Manager"
Before starting this integration, ensure that the following tasks have been performed:
Install and configure Oracle Identity Federation as described in Chapter 14, "Extending the Domain with Oracle Identity Federation."
Install and configure Oracle Access Manager as described in Chapter 12, "Extending the Domain with Oracle Access Manager 11g."
Install and configure Oracle HTTP Server as described in Section 4.4, "Installing Oracle HTTP Server."
Install and configure WebGate as described in Section 18.5, "Installing and Configuring WebGate."
This section covers the following topics:
Section 17.3.2.1, "Creating an Authorization Policy in Oracle Access Manager"
Section 17.3.2.2, "Creating a Resource in Oracle Access Manager"
Section 17.3.2.3, "Configuring the Oracle Access Manager Authentication Engine"
Create an Authorization Policy in Oracle Access Manager to enable local authorization for Oracle Identity Federation. To create an authorization policy, log in to the OAM console at http://admin.mycompany.com/oamconsole as the OAM administration user. Then perform the following steps:
Click the Policy Configuration tab.
Expand IAM Suite under the Application Domains section.
Click Authorization Policies, and then select Create from the menu.
On the Authorization Policy page, provide the following details:
Name: The name of the authorization policy, for example: OIF Local Authorization
Description: The description for the policy
Click the Responses tab, then click + to add the HTTP Header Attributes. Enter the following information:
Name: Enter OAM_REMOTE_USER as the name. Make a note of this name, as it is used when configuring the Authentication Engines in the next section.
Type: Header
Value: $user.attr.uid
Click Apply.
Create a resource for the OIF URL to be protected by Oracle Access Manager for authentication. To create a resource, log in to the OAM console at http://admin.mycompany.com/oamconsole as the OAM administration user. Then perform the following steps:
Click the Policy Configuration tab.
Expand IAM Suite under the Application Domains section.
Click Resources, and then select Open from the menu.
On the IAM Suite Resources page, Click New Resources to bring up the Resources page.
On the Resources Page, provide the following details:
Type: Select HTTP
Host Identifier: IAMSuiteAgent
Resource URL: /fed/user/authnoam
Protection Level: Protected
Authorization Policy: Select the Authorization Policy created in Section 17.3.2.1, "Creating an Authorization Policy in Oracle Access Manager," for example: OIF Local Authorization.
Authentication Policy: Protected Higher Level Policy.
Query String: Leave blank
Click Apply.
Configure Oracle Identity Federation's Oracle Access Manager Authentication engine to protect Oracle Identity Federation with an Oracle Access Manager 11g WebGate. To configure the authentication engine, log in to Oracle Enterprise Manager Fusion Middleware Control at http://admin.mycompany.com/em
as the WebLogic administration user. Then perform the following steps:
Locate and select the Oracle Identity Federation instance under Identity and Access.
Navigate to Administration, then Authentication Engines.
Select Enable Authentication Engine to enable the Oracle Access Manager Authentication engine.
Enter OAM_REMOTE_USER as the User Unique ID Header. This must match the header name set by the authorization policy response in Section 17.3.2.1, "Creating an Authorization Policy in Oracle Access Manager."
Select Oracle Access Manager as the Default Authentication Engine from the list.
Do not select Logout Enabled, since the logout will be performed with the Oracle Single Sign-On SP Engine.
Click Apply to apply the changes.
Because the engine takes the user identity from this header, the identity is only as trustworthy as the path the request took: the OIF resource must be reachable only through the WebGate-protected web tier, so that a request cannot reach the Oracle Identity Federation Managed Server directly with a client-supplied OAM_REMOTE_USER value.
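The following is an added example, not part of this guide or of the Oracle Identity Federation or WebGate code. It models the trust boundary the configuration above creates: the OIF engine accepts whatever the OAM_REMOTE_USER header carries, so the header is only meaningful when the WebGate sets it from an authenticated session and no client-supplied copy reaches OIF. The function names, the session dictionary and the user names jdoe and weblogic_idm in the constructed request are hypothetical.

```python
"""Model of the OAM_REMOTE_USER trust boundary (added example, not product code).

Two ways the identity can be forged are modelled: a web tier that passes a
client-supplied copy of the header through, and a request that reaches the
OIF Managed Server without passing through the WebGate at all.
"""

HEADER = "OAM_REMOTE_USER"   # the User Unique ID Header configured above


def webgate_forward(client_headers, oam_session):
    """Hardened model of the WebGate: any client-supplied identity header is
    discarded, and the header is set only from the authenticated OAM session
    (the $user.attr.uid response of the authorization policy)."""
    forwarded = {k: v for k, v in client_headers.items() if k.upper() != HEADER}
    if oam_session is None:          # no OAM session: the WebGate would redirect to login
        return None
    forwarded[HEADER] = oam_session["uid"]
    return forwarded


def webgate_forward_passthrough(client_headers, oam_session):
    """Weak model: the header is added only when a session exists, and any
    client-supplied copy is left in place for OIF to see."""
    forwarded = dict(client_headers)
    if oam_session is not None:
        forwarded[HEADER] = oam_session["uid"]
    return forwarded


def oif_oam_engine(headers):
    """Model of the OIF Oracle Access Manager authentication engine: it trusts
    the configured header (header names are case-insensitive) and returns the
    user it names, or None when there is no such header."""
    for name, value in headers.items():
        if name.upper() == HEADER and value:
            return value
    return None


def demo():
    """Run one forged request (constructed) through each path and report who
    OIF would believe the caller is."""
    forged = {"Host": "sso.mycompany.com", "oam_remote_user": "weblogic_idm"}
    return {
        "hardened_no_session": oif_oam_engine(webgate_forward(forged, None) or {}),
        "hardened_with_session": oif_oam_engine(webgate_forward(forged, {"uid": "jdoe"})),
        "passthrough_no_session": oif_oam_engine(webgate_forward_passthrough(forged, None)),
        "direct_to_managed_server": oif_oam_engine(forged),
    }


if __name__ == "__main__":
    for path, user in demo().items():
        print("%-26s -> %s" % (path, user))
```

Only the hardened path rejects the forged header; the two other rows are the cases to rule out in a deployment, by confirming that the WebGate overwrites or strips an inbound OAM_REMOTE_USER and that the Managed Server ports are not reachable except from the Oracle HTTP Server hosts.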
You must configure the OSSO SP Engine, even though none of the SP functionality is used. This is required because the Logout flow between Oracle Identity Federation and Oracle Access Manager uses the OSSO SP Engine.
Configure the OSSO SP Engine as described in Section 17.3.3.1, "Configuring the OSSO SP Engine."
In SP mode, Oracle Identity Federation uses federation protocols to authenticate a user, and then requests the authentication module to create an authenticated session at Oracle Access Manager. Oracle Identity Federation's Single Sign-On SP engine is used for this purpose. The SSO SP engine also provides logout integration. The Oracle Single Sign-On SP engine must be updated with the OAM Server details to enable OIF to send assertion tokens and direct session management to OAM.
To update the Oracle Single Sign-On SP engine, log in to Oracle Enterprise Manager Fusion Middleware Control at http://admin.mycompany.com/em
as the WebLogic administration user. Then perform the following steps:
Locate and select the Oracle Identity Federation instance under Identity and Access.
Navigate to Administration, then Service Provider Integration Modules.
Select the Oracle Single Sign-On tab.
Select Enable SP Module to enable the Oracle Single Sign-On SP engine.
Provide the following details:
Username Attribute: cn
Login URL: https://sso.mycompany.com/oam/server/dap/cred_submit
Logout URL: https://sso.mycompany.com/oam/server/logout
Select Logout Enabled.
Click Apply to update the Oracle Single Sign-On SP Engine.
Click Regenerate to generate a keystore file. This keystore contains the keys used to encrypt and decrypt the tokens that are exchanged between the Oracle Access Manager and Oracle Identity Federation servers.
Save the keystore file using the Save As dialog.
Copy the keystore file to a user-defined location on IDMHOST1. This keystore will be used to register Oracle Identity Federation as a Delegated Authentication Protocol (DAP) partner in the next section. Because it holds the keys that protect the tokens exchanged with Oracle Access Manager, restrict its file permissions to the installation owner.
Oracle Access Manager ships with an Oracle Identity Federation Authentication Scheme. This scheme needs to be updated before it can be used. To update the scheme, log in to the OAM console at http://admin.mycompany.com/oamconsole
as the OAM administration user. Then perform the following steps:
Click the Policy Configuration tab.
Expand Authentication Schemes under the Shared Components tree.
Select OIFScheme from under the Authentication Schemes and then select Open from the menu.
On the Authentication Schemes page, provide the following information:
Challenge URL: https://sso.mycompany.com:443/fed/user/sposso
Context Type: Select external from the list.
Accept the defaults for all other values.
Click Apply to update the OIFScheme.
Create an authentication policy in Oracle Access Manager to enable OIF to authenticate the user. To create an authentication policy, log in to the OAM console at http://admin.mycompany.com/oamconsole
as the OAM administration user. Then perform the following steps:
Click the Policy Configuration tab.
Expand IAM Suite under the Application Domains section.
Click Authentication Policies, and then select Create from the menu.
On the Authentication Policy page, provide the following details:
Name: The name of the authentication policy, for example: OIF Policy.
Description: The description for the policy
Authentication Scheme: Select OIFScheme from the menu
Click Apply.
Create a resource for the Oracle Identity Federation URL to be protected by Oracle Access Manager. In SP mode, Oracle Identity Federation authenticates the user and then propagates the authentication state to Oracle Access Manager. The resource created here is for the purposes of testing.
To create a resource, log in to the OAM console at http://admin.mycompany.com/oamconsole
as the OAM administration user. Then perform the following steps:
Click the Policy Configuration tab.
Expand IAM Suite under the Application Domains section.
Click Resources, and then select Open from the menu.
On the IAM Suite Resources page, click New Resources to bring up the Resources page.
On the Resources page, provide the following details:
Type: Select HTTP
Host Identifier: IAMSuiteAgent
Resource URL: /sso.html
Protection Level: Protected
Authorization Policy: Protected Resource Policy
Authentication Policy: Select the Authentication Policy created in Section 17.3.3.3, "Creating an Oracle Identity Federation Authentication Policy in Oracle Access Manager," for example: OIF Policy.
Click Apply.
The Oracle Identity Federation resources protected by Oracle WebGate are directed to Oracle Access Manager for authentication. In SP Mode, Oracle Identity Federation authenticates the user and propagates the authentication state to Oracle Access Manager. To enable Oracle Identity Federation to authenticate the user, Oracle Access Manager must be configured to redirect the user to Oracle Identity Federation for authentication. This is done by registering Oracle Identity Federation as Delegated Authentication Protocol (DAP) partner with Oracle Access Manager.
Proceed as follows on IDMHOST1 to register Oracle Identity Federation as a DAP Partner with Oracle Access Manager:
Ensure that the keystore generated in the previous section is available on IDMHOST1.
Start the wlst shell from the IAM_ORACLE_HOME/common/bin directory. For example, on Linux and UNIX-based systems, you would type:
./wlst.sh
On Windows you would type:
wlst.cmd
Connect to the WebLogic Administration Server using the following wlst connect command:
connect('AdminUser','AdminUserPassword','t3://hostname:port')
For example:
connect("weblogic","admin_password","t3://ADMINVHN.mycompany.com:7001")
Use the registerOIFDAPPartner command to register Oracle Identity Federation as a DAP partner with Oracle Access Manager.
The syntax is:
registerOIFDAPPartner(keystoreLocation="path_to_keystore", logoutURL="OIF_logout_URL", rolloverTime="rollover_time")
where:
path_to_keystore is the location of the keystore file on IDMHOST1, for example: /home/oracle/keystore
OIF_logout_URL is the OIF server's logout URL. Use https://oifhost:oifport/fed/user/spsloosso?doneURL=https://oamhost:oamport/oam/logout.jsp as the logout URL. Use sso.mycompany.com as the value for oifhost and oamhost, and 443 as the value for oifport and oamport.
rollover_time is the rollover interval for the keys used to encrypt or decrypt SASSO tokens. It is omitted in the example below.
For example:
wls:/IDMDomain/serverConfig> registerOIFDAPPartner(keystoreLocation="/home/oracle/keystore", logoutURL="https://sso.mycompany.com/fed/user/spsloosso?doneURL=https://sso.mycompany.com/oam/logout.jsp")
Registration Successful
Restart the Administration Server and the Oracle Access Manager and Oracle Identity Federation Managed Servers by following the steps in Section 19.1, "Starting and Stopping Oracle Identity Management Components."
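The registration above can also be run non-interactively as a WLST script. The following is an added example, not part of this guide or of Oracle's tooling: it validates the keystore and the logout URL before connecting, and reads the administrator password from a permission-restricted file rather than having it typed into the WLST shell. connect() and registerOIFDAPPartner() are WLST built-ins that exist only inside wlst.sh; the helper functions are plain Python so they can be checked outside WLST. The file paths and PASSWORD_FILE are hypothetical.

```python
# register_oif_dap.py -- run with: IAM_ORACLE_HOME/common/bin/wlst.sh register_oif_dap.py
# Added example, not part of this guide or of Oracle's tooling.  Written in the
# Python subset WLST's Jython accepts; connect() and registerOIFDAPPartner()
# are WLST built-ins and are only called from main().
import os
import stat

ADMIN_URL = "t3://ADMINVHN.mycompany.com:7001"
ADMIN_USER = "weblogic"
PASSWORD_FILE = "/home/oracle/.wlst_admin_pw"   # hypothetical; must be mode 0600
KEYSTORE = "/home/oracle/keystore"              # keystore saved from the OSSO SP Engine page


def origin(host, port):
    """https origin for a host, omitting the port when it is the default 443."""
    if int(port) == 443:
        return "https://%s" % host
    return "https://%s:%s" % (host, port)


def build_logout_url(oif_host, oif_port, oam_host, oam_port):
    """Logout URL in the form registerOIFDAPPartner expects: the OIF SP logout
    endpoint with a doneURL that returns the browser to the OAM logout page."""
    return "%s/fed/user/spsloosso?doneURL=%s/oam/logout.jsp" % (
        origin(oif_host, oif_port), origin(oam_host, oam_port))


def check_registration_inputs(keystore_path, logout_url):
    """Return a list of problems; an empty list means the inputs look sane."""
    problems = []
    if not os.path.isfile(keystore_path):
        problems.append("keystore not found: %s" % keystore_path)
    elif stat.S_IMODE(os.stat(keystore_path).st_mode) & 63:   # any group/other bit (0077)
        problems.append("keystore is readable by group or others: %s" % keystore_path)
    if not logout_url.startswith("https://"):
        problems.append("logoutURL must use https")
    if "?doneURL=https://" not in logout_url:
        problems.append("logoutURL must carry an https doneURL for the OAM logout page")
    return problems


def read_password(path):
    """Read the admin password from a file that only its owner can read, so it
    never sits in a WLST command history or in a script checked into source control."""
    if stat.S_IMODE(os.stat(path).st_mode) & 63:
        raise IOError("refusing to read %s: it is readable by group or others" % path)
    f = open(path)
    try:
        return f.read().strip()
    finally:
        f.close()


def main():
    logout_url = build_logout_url("sso.mycompany.com", 443, "sso.mycompany.com", 443)
    problems = check_registration_inputs(KEYSTORE, logout_url)
    if problems:
        raise SystemExit("not registering: " + "; ".join(problems))
    connect(ADMIN_USER, read_password(PASSWORD_FILE), ADMIN_URL)            # WLST built-in
    registerOIFDAPPartner(keystoreLocation=KEYSTORE, logoutURL=logout_url)  # WLST built-in
    print("registered OIF as DAP partner with logoutURL=%s" % logout_url)


if __name__ == "__main__":
    main()
```

The checks refuse a keystore or password file that is group- or world-readable, since both hold material that lets a holder mint or decrypt the tokens exchanged between the two servers; restart the servers as described in Section 19.1 after the script reports success.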
Before the configuration can be validated, obtain the provider metadata and register the providers. For the purposes of validating, Oracle Identity Federation will act as both an Identity Provider and a Service Provider.
Proceed as follows to generate the IdP and SP metadata.
Log in to Oracle Enterprise Manager Fusion Middleware Control at http://admin.mycompany.com/em
as the WebLogic administration user. Then perform the following steps:
Locate and select the Oracle Identity Federation instance under Identity and Access.
Navigate to Administration, then Security and Trust.
Select the Provider Metadata tab.
Under the Generate Metadata section:
Select Service Provider from the Provider Type list.
Click Generate to generate metadata for the service provider.
Save the generated file using the Save File option.
Select Identity Provider from the Provider Type list.
Click Generate to generate metadata for the identity provider.
Save the generated file using the Save File option.
Proceed as follows to register the IdP and SP providers using the metadata generated in the previous section.
Log in to Oracle Enterprise Manager Fusion Middleware Control at http://admin.mycompany.com/em
as the WebLogic administration user. Then perform the following steps:
Locate and select the Oracle Identity Federation instance under Identity and Access.
Navigate to Administration, then Federations.
Under Trusted Providers, click Add to add the Trusted Provider.
On the Add Trusted Provider page:
Select Load Metadata.
Click Choose File and select the SP and IdP metadata files generated in Section 17.3.4.1, "Generating Provider Metadata."
On the Federations page, verify that both the providers appear in the list of Trusted Providers.
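Loading metadata registers its entityID, endpoints and signing certificate as trusted, so it is worth inspecting the files before the Add step. The following is an added example, not part of this guide or of Oracle Identity Federation: it parses a SAML 2.0 EntityDescriptor, lists the SSO endpoints with their bindings, flags any endpoint that is not https or not on the expected host, and computes the SHA-256 fingerprint of the signing certificate for out-of-band comparison with the partner. The sample metadata is constructed for this example (hostnames, paths and the certificate placeholder are illustrative, not output of a real instance), and it generalizes to IdP metadata, which carries SingleSignOnService endpoints instead of AssertionConsumerService ones.

```python
"""Inspect SAML 2.0 provider metadata before loading it as a Trusted Provider.

Added example, not part of this guide or of Oracle Identity Federation.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed placeholder so the sample parses; real metadata carries a DER
# certificate here.
FAKE_CERT_B64 = base64.b64encode(b"constructed placeholder, not a certificate").decode()

# Constructed SP metadata: one https HTTP-POST endpoint and one plain-http SOAP
# endpoint that points at a managed server directly, which the checker flags.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sso.mycompany.com/fed/sp">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sso.mycompany.com/fed/sp/sso"/>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="http://oifhost1.mycompany.com:7499/fed/sp/soap"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
""" % FAKE_CERT_B64

# (role name, descriptor element, SSO endpoint element) for the two provider roles
ROLES = (("SP", "md:SPSSODescriptor", "md:AssertionConsumerService"),
         ("IdP", "md:IDPSSODescriptor", "md:SingleSignOnService"))


def fingerprint(cert_b64):
    """SHA-256 fingerprint of the base64 DER certificate in the metadata."""
    der = base64.b64decode("".join(cert_b64.split()))
    return hashlib.sha256(der).hexdigest()


def parse_metadata(xml_text):
    """Return entityID, roles, (element, binding, location) endpoints and the
    fingerprints of certificates usable for signing (use="signing" or no use)."""
    root = ET.fromstring(xml_text)
    info = {"entityID": root.get("entityID"), "roles": [], "endpoints": [], "signing_certs": []}
    for role, desc_tag, ep_tag in ROLES:
        for desc in root.findall(desc_tag, NS):
            info["roles"].append(role)
            for ep in desc.findall(ep_tag, NS):
                info["endpoints"].append((ep_tag.split(":")[1], ep.get("Binding"), ep.get("Location")))
            for kd in desc.findall("md:KeyDescriptor", NS):
                if kd.get("use") in (None, "signing"):
                    for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                        info["signing_certs"].append(fingerprint(cert.text))
    return info


def check_metadata(info, expected_host):
    """Problems a reviewer would want to see before clicking Add."""
    problems = []
    if not info["signing_certs"]:
        problems.append("no signing certificate: messages from this provider cannot be verified")
    for _, _, location in info["endpoints"]:
        if not location.startswith("https://"):
            problems.append("non-https endpoint: %s" % location)
        elif urlsplit(location).hostname != expected_host:
            problems.append("endpoint host is not %s: %s" % (expected_host, location))
    if HTTP_POST not in {binding for _, binding, _ in info["endpoints"]}:
        problems.append("no HTTP-POST endpoint; the HTTP POST response binding will not be usable")
    return problems


if __name__ == "__main__":
    meta = parse_metadata(SAMPLE_SP_METADATA)
    print(meta["entityID"], meta["roles"], meta["signing_certs"])
    for line in check_metadata(meta, "sso.mycompany.com"):
        print("WARNING:", line)
```

Compare the printed fingerprint with one obtained from the partner over a separate channel; metadata that arrives by e-mail or over plain http is only as trustworthy as that channel.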
Proceed as follows to set the Identity Provider registered in the previous section as the default IdP.
Log in to Oracle Enterprise Manager Fusion Middleware Control at http://admin.mycompany.com/em
as the WebLogic administration user. Then perform the following steps:
Locate and select the Oracle Identity Federation instance under Identity and Access.
Navigate to Administration, then Service Provider.
For the Default SSO Identity Provider, select the IdP registered above from the list. The Default SSO Identity Provider is under the Protocol Settings section.
When testing integration with Oracle Access Manager in the SP Mode, you cannot configure Oracle Identity Federation as both the Service Provider and Identity Provider for the same resource at the same time. When you test the SP mode configuration, you must set the Default Authentication Engine to the LDAP Engine. You reset it to Oracle Access Manager once the testing is complete.
This step is not required when configuring the Oracle Identity Federation instances to protect a resource only in the SP mode or in the IdP mode.
To set the Default Authentication Engine, log in to Oracle Enterprise Manager Fusion Middleware Control at http://admin.mycompany.com/em
as the WebLogic administration user. Then perform the following steps:
Locate and select the Oracle Identity Federation instance under Identity and Access.
Navigate to Administration, then Authentication Engines.
Select LDAP Directory as the Default Authentication Engine from the list.
Click Apply to save the changes.
By default, the Default SSO Response Binding is set to use the SOAP protocol. For ease of testing, Oracle recommends updating this parameter to HTTP POST.
To set the Default SSO Response Binding, log in to Oracle Enterprise Manager Fusion Middleware Control at http://admin.mycompany.com/em as the WebLogic administration user. Then perform the following steps:
Navigate to Administration, then Service Provider.
On the Service Provider page, select the SAML 2.0 tab.
Change the value for Default SSO Response Binding to HTTP POST. The Default SSO Response Binding is under the Protocol Settings section.
Click Apply to save the changes.
Follow these steps to validate the SP mode configuration
Using a browser, access the test resource created earlier in Oracle Access Manager for the SP mode, for example: https://sso.mycompany.com/sso.html.
Enter the credentials of the weblogic_idm user on the Login page.
Note:
This user must have an email address in the mail attribute of the LDAP user record, because the email address is the default NameID format used.
The protected resource is displayed.
In Section 17.3.4.4, "Updating the Default Authentication Engine to LDAP Engine," you set the Default Authentication Engine to LDAP Engine for validating the SP Mode configuration. You must set it back to Oracle Access Manager.
This step is not required when the Oracle Identity Federation instances are configured to protect a resource only in the SP mode or in the IdP mode.
To set the Default Authentication Engine, log in to the Oracle Enterprise Manager Fusion Middleware Control at http://admin.mycompany.com/em as the WebLogic administration user. Then perform the following steps:
Locate and select the Oracle Identity Federation instance under Identity and Access.
Navigate to Administration, then Authentication Engines.
Select Oracle Access Manager as the Default Authentication Engine from the list.
Click Apply to save the changes.
Follow these steps to validate the Authentication mode configuration:
Access the Test SP SSO page at: https://sso.mycompany.com/fed/user/testspsso
Make the following selections on the Initiate Federation SSO page:
Set the value for the IdP Provider ID from the list, for example: Default
Set the value for Authn Request Binding to HTTP POST from the list.
Select Use Default Configuration.
Click Start SSO.
Enter the credentials of the weblogic_idm
user on the Oracle Access Manager login page.
The Federation SSO Operation Result page is displayed. Validate that the SSO Authentication Result is successful for the user.
Oracle Fusion Middleware Audit Framework is a new service in Oracle Fusion Middleware 11g, designed to provide a centralized audit framework for the middleware family of products. The framework provides audit service for platform components such as Oracle Platform Security Services (OPSS) and Oracle Web Services. It also provides a framework for JavaEE applications, starting with Oracle's own JavaEE components. JavaEE applications are able to create application-specific audit events. For non-JavaEE Oracle components in the middleware such as C or JavaSE components, the audit framework also provides an end-to-end structure similar to that for JavaEE applications.
Figure 17-1 is a high-level architectural diagram of the Oracle Fusion Middleware Audit Framework.
The Oracle Fusion Middleware Audit Framework consists of the following key components:
Audit APIs
These are APIs provided by the audit framework for any audit-aware components integrating with the Oracle Fusion Middleware Audit Framework. During run-time, applications may call these APIs where appropriate to audit the necessary information about a particular event happening in the application code. The interface enables applications to specify event details such as username and other attributes needed to provide the context of the event being audited.
Audit Events and Configuration
The Oracle Fusion Middleware Audit Framework provides a set of generic events for convenient mapping to application audit events. Some of these include common events such as authentication. The framework also enables applications to define application-specific events.
These event definitions and configurations are implemented as part of the audit service in Oracle Platform Security Services. Configurations can be updated through Enterprise Manager (UI) and WLST (command-line tool).
The Audit Bus-stop
Bus-stops are local files containing audit data before they are pushed to the audit repository. In the event where no database repository is configured, these bus-stop files can be used as a file-based audit repository. The bus-stop files are simple text files that can be queried easily to look up specific audit events. When a DB-based repository is in place, the bus-stop acts as an intermediary between the component and the audit repository. The local files are periodically uploaded to the audit repository based on a configurable time interval.
Audit Loader
As the name implies, audit loader loads the files from the audit bus-stop into the audit repository. In the case of platform and JavaEE application audit, the audit loader is started as part of the JavaEE container start-up. In the case of system components, the audit loader is a periodically spawned process.
Audit Repository
Audit Repository contains a pre-defined Oracle Fusion Middleware Audit Framework schema, created by Repository Creation Utility (RCU). Once configured, all the audit loaders are aware of the repository and upload data to it periodically. The audit data in the audit repository is expected to be cumulative and grow over time. Ideally, this should not be an operational database used by any other applications - rather, it should be a standalone RDBMS used for audit purposes only. In a highly available configuration, Oracle recommends that you use an Oracle Real Application Clusters (Oracle RAC) database as the audit data store.
Oracle Business Intelligence Publisher
The data in the audit repository is exposed through pre-defined reports in Oracle Business Intelligence Publisher. The reports enable users to drill down into the audit data based on various criteria. For example:
Username
Time Range
Application Type
Execution Context Identifier (ECID)
For more introductory information for the Oracle Fusion Middleware Audit Framework, see the "Introduction to Oracle Fusion Middleware Audit Framework" chapter in the Oracle Fusion Middleware Application Security Guide.
For information on how to configure the repository for Oracle Fusion Middleware Audit Framework, see the "Configuring and Managing Auditing" chapter in the Oracle Fusion Middleware Application Security Guide.
The EDG topology does not include Oracle Fusion Middleware Audit Framework configuration. The ability to generate audit data to the bus-stop files and the configuration of the audit loader are available once the products are installed. The main consideration is the audit database repository where the audit data is stored. Because of the volume and the historical nature of the audit data, it is strongly recommended that customers use a separate database from the operational store or stores being used for other middleware components.