This topic describes how to configure Oracle Authorization Policy Manager (OAPM) in an existing Oracle Identity Management domain that has Oracle Identity Manager (OIM) installed and configured.
It includes the following sections:
Perform the configuration in this topic if you want to install Oracle Authorization Policy Manager in an environment where Oracle Identity Manager and Oracle SOA Suite are already installed and configured. Note that Oracle Identity Manager requires Oracle SOA Suite. You may install other Oracle Identity Management products, such as Oracle Access Manager, Oracle Identity Navigator, and Oracle Adaptive Access Manager at a later time in the same domain. You can discover and launch Consoles for Oracle Identity Manager, Oracle Access Manager, Oracle Adaptive Access Manager, and Oracle Authorization Policy Manager from within the Oracle Identity Navigator user interface.
Performing the configuration in this section deploys the Oracle Authorization Policy Manager application on the existing WebLogic Administration Server.
The configuration in this section depends on the following:
Oracle WebLogic Server.
Installation of the Oracle Identity Management 11g software.
Oracle SOA Suite (required by Oracle Identity Manager).
Database schemas for Oracle Authorization Policy Manager and Metadata Services (MDS), Oracle Identity Manager, and Oracle SOA Suite. For more information, see Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU).
To configure Oracle Authorization Policy Manager in an existing WebLogic domain that has Oracle Identity Manager configured, complete the following steps:
<Oracle_IDM2>/common/bin/config.sh (on UNIX) script. (
<Oracle_IDM2>\common\bin\config.cmd on Windows). The Oracle Fusion Middleware Configuration Wizard appears.
Configure Oracle Identity Manager in a new WebLogic domain, as described in OIM Without LDAP Sync in a New Domain.
Ensure that the WebLogic domain with Oracle Identity Manager is configured correctly. After the domain configuration is complete, on the Creating Domain screen, click Done to dismiss the Oracle Fusion Middleware Configuration Wizard.
A new WebLogic domain to support Oracle Identity Manager is created in the
<MW_HOME>\user_projects\domains directory (on Windows). On UNIX, the domain is created in the
<Oracle_IDM2>/common/bin/config.sh script (on UNIX). (<Oracle_IDM2>\common\bin\config.cmd on Windows). The Oracle Fusion Middleware Configuration Wizard appears.
On the Welcome screen, select the Extend an existing WebLogic domain option. Click Next.
On the Select a WebLogic Domain Directory screen, browse to the <MW_HOME>/user_projects/domains directory that contains your Oracle Identity Manager domain. Click Next. The Select Extension Source screen appears.
On the Select Extension Source screen, ensure that the Extend my domain automatically to support the following products: option is selected.
Select Oracle Application Authorization Policy Manager - 188.8.131.52.0 [Oracle_IDM2]. Click Next. The Configure JDBC Component Schema screen appears.
On the Configure JDBC Component Schema screen, select a component schema that you want to modify.
The screen lists the following component schemas:
User Messaging Service
APM MDS Schema
OIM MDS Schema
OWSM MDS Schema
SOA MDS Schema
You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, the Select Optional Configuration screen appears.
On the Select Optional Configuration screen, you can configure Managed Servers, Clusters, and Machines, Deployments and Services, and JMS File Store. Select the relevant check boxes, and Click Next.
Optional: Configure Managed Servers, as required.
Optional: Configure Clusters, as required.
For more information about configuring clusters for Oracle Identity Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.
Optional: Assign Managed Servers to Clusters, as required.
Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.
Tip:Before configuring a machine, use the
pingcommand to verify whether the machine or host name is accessible.
Optional: Assign the Administration Server to a machine.
Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server, such as
oam_server1 (default value).
Optional: Configure JMS File Stores, as required.
On the Configuration Summary screen, review the domain configuration, and click Extend to start extending the Oracle Identity Manager domain to support Oracle Authorization Policy Manager.
Your existing WebLogic domain with Oracle Identity Manager is extended to support Oracle Authorization Policy Manager.
You must complete the following steps after configuring Oracle Authorization Policy Manager in an Oracle Identity Manager domain:
Browse to the
jps-config.xml file in a text editor. Be sure to back up the file before making any changes.
Search for the
jpscontexts section, with the name
default, in the file. The section looks like the following:
<jpsContexts name="default"> <!-- This is the default JPS context. All the mendatory services and Login Modules must be configured in this default context --> <jpsContext name="default"> <serviceInstanceRef ref="credstore"/> <serviceInstanceRef ref="keystore"/> <serviceInstanceRef ref="policystore.xml"/> <serviceInstanceRef ref="audit"/> <serviceInstanceRef ref="idstore.oim"/></jpsContext>
Change the last serviceInstance reference entry from <serviceInstanceRef ref="idstore.oim"/> to <serviceInstanceRef ref="idstore.ldap"/>.
<jpsContexts default="oim"> <!-- This is the default JPS context. All the mendatory services and Login Modules must be configured in this default context --> <jpsContext name="default"> <serviceInstanceRef ref="credstore"/> <serviceInstanceRef ref="keystore"/> <serviceInstanceRef ref="policystore.xml"/> <serviceInstanceRef ref="audit"/> <serviceInstanceRef ref="idstore.oim"/></jpsContext>
Save the jps-config.xml file after making the changes.
Open the Oracle Enterprise Manager MBean browser after logging in to Oracle Enterprise Manager Fusion Middleware Control
Select on the following in order:
WorkflowIdentityConfig -> human-workflow ->
WorkflowIdentityConfig.ConfigurationType -> jazn.com ->
WorkflowIdentityConfig.ConfigurationType.ProviderType -> JpsProvider ->
WorkflowIdentityConfig.ConfigurationType.ProviderType.PropertyType -> jpsContextName
Change the value of the
jpsContextName property to the
oim context created in the jps-config.xml file, as in Step 5. Click the
setValue operation, and change the value to oim.
Restart the Administration Server and all Managed Servers for the changes to take effect, as described in Starting the Servers.