Oracle® Exalogic Elastic Cloud Enterprise Deployment Guide for Oracle Identity Management
Release EL X2-2 and EL X3-2

Part Number E35832-01

11 Extending the Domain to Include Oracle Access Management

This chapter describes how to extend the domain to include Oracle Access Management Access Manager in the Oracle Identity Management enterprise deployment.

This chapter includes the following topics:

11.1 Overview of Extending the Domain to Include Oracle Access Management Access Manager

Access Manager enables your users to seamlessly gain access to web applications and other IT resources across your enterprise. It provides a centralized and automated single sign-on (SSO) solution, which includes an extensible set of authentication methods and the ability to define workflows around them. It also contains an authorization engine, which grants or denies access to particular resources based on properties of the user requesting access as well as based on the environment from which the request is made. Comprehensive policy management, auditing, and integration with other components of your IT infrastructure enrich this core functionality.

Access Manager consists of several components, including OAM Server, Oracle Access Management Console, and WebGates. The OAM Server includes all the components necessary to restrict access to enterprise resources. The Oracle Access Management Console is the administrative console to Access Manager. WebGates are web server agents that act as the actual enforcement points for Access Manager. Follow the instructions in this chapter and Section 15, "Configuring Single Sign-on for Administration Consoles in an Enterprise Deployment" to install and configure the Access Manager components necessary for your enterprise deployment.

11.2 About Domain URLs

Before you complete this chapter, the following URLs are available:

Table 11-1 OAM URLs Before Web Tier Configuration

Component                                            URL
---------------------------------------------------  ------------------------------------------------------------
OAM Console                                          http://ADMINVHN.mycompany.com:7001/oamconsole (Footnote 1)
Oracle Enterprise Manager Fusion Middleware Control  http://ADMINVHN.mycompany.com:7001/em
Oracle Directory Services Manager                    http://ADMINVHN.mycompany.com:7001/odsm
Oracle Identity Navigator                            http://ADMINVHN.mycompany.com:7001/oin
Oracle Entitlements Server Policy Manager            http://ADMINVHN.mycompany.com:7001/apm

Footnote 1: 7001 is WLS_ADMIN_PORT in Section A.3.

After you complete this chapter, the following URLs will be available:

Table 11-2 OAM URLs After Web Tier Configuration

Component                                            URL                                    User      SSO User
---------------------------------------------------  -------------------------------------  --------  ------------
OAM Console                                          http://ADMIN.mycompany.com/oamconsole  weblogic  oamadmin
Oracle Enterprise Manager Fusion Middleware Control  http://ADMIN.mycompany.com/em          weblogic  weblogic_idm
Oracle Directory Services Manager                    http://ADMIN.mycompany.com/odsm        weblogic  weblogic_idm
Oracle Entitlements Server Policy Manager            http://ADMIN.mycompany.com/apm         weblogic  weblogic_idm


11.3 Prerequisites

Before you configure Access Manager, ensure that the following tasks have been performed on IDMHOST1 and IDMHOST2:

  1. Prepare the Identity Store as described in Chapter 9, "Preparing Identity Stores."

  2. Configure Oracle Web Tier Directory on WEBHOST1 and WEBHOST2 as described in Chapter 7, "Installing and Configuring Oracle Traffic Director for an Enterprise Deployment."

  3. Configure the load balancer as described in Section 3.4, "Configuring the Load Balancer When Using Oracle Traffic Director as Your Web Tier."

11.4 Extending Domain with Access Manager

Start the configuration wizard on IDMHOST1 by executing the command:

IAM_MW_HOME/oracle_common/common/bin/config.sh

Then proceed as follows:

  1. On the Welcome screen, select Extend an Existing WebLogic Domain. Click Next.

  2. On the Select a WebLogic Domain screen, using the navigator, select the domain home of the WebLogic Administration Server, for example: ASERVER_HOME.

    Click Next.

  3. On the Select Extension Source screen, select Oracle Access Management [iam].

    Click Next.

  4. On the Configure JDBC Component Schema screen, do the following:

    Select OAM Infrastructure.

    For the Oracle RAC configuration for component schemas, select Convert to GridLink.

    Click Next.

  5. The Gridlink RAC Component Schema screen appears. In this screen, enter values for the following fields, specifying the connect information for the Oracle RAC database that was seeded with RCU.

    • Driver: Select Oracle's driver (Thin) for GridLink Connections, Versions: 10 and later.

    • Select Enable FAN.

    • Do one of the following:

      • If SSL is not configured for ONS notifications to be encrypted, deselect SSL.

      • Select SSL and provide the appropriate wallet and wallet password.

    • Service Listener: Enter the SCAN address and port for the RAC database being used. You can identify this address by querying the parameter remote_listener in the database:

      SQL>show parameter remote_listener;
      NAME            TYPE   VALUE
      -------------------------------------------------------------
      remote_listener string DB-SCAN.MYCOMPANY.COM:1521
      

      Notes:

      • For Oracle Database 11g Release 1 (11.1), use the virtual IP and port of each database instance listener, for example: DBHOST1-VIP.mycompany.com (port 1521) and DBHOST2-VIP.mycompany.com (port 1521), where 1521 is DB_LSNR_PORT.

      • For Oracle Database 10g, use multi data sources to connect to an Oracle RAC database. For information about configuring multi data sources see Appendix B, "Using Multi Data Sources with Oracle RAC."

    • ONS Host: Enter the SCAN address for the Oracle RAC database and the ONS remote port as reported by the database:

      srvctl config nodeapps -s
      ONS exists: Local port 6100, remote port 6200, EM port 2016
      

      Note:

      For Oracle Database 11g Release 1 (11.1), use the hostname and port of each database's ONS service, for example:

      DBHOST1.mycompany.com (port 6200)
      

      and

      DBHOST2.mycompany.com (port 6200)
      

      Enter the following RAC component schema information:

      Table 11-3 RAC Component Schema Information

      Schema Name        Service Name          User name  Password
      -----------------  --------------------  ---------  --------
      Access Management  OAMEDG.mycompany.com  EDG_OAM    password


  6. In the Test JDBC Data Sources screen, confirm that all connections were successful.

    The connections are tested automatically. The Status column displays the results. If any connection is not successful, click Previous to return to the previous screen and correct your entries.

    Click Next when all the connections are successful.

  7. On the Test Component Schema screen, the Wizard attempts to validate the data sources. If the data source validation succeeds, click Next. If it fails, click Previous, correct the problem, and try again.

  8. On the Select Optional Configuration screen, select Managed Servers, Clusters and Machines.

    Click Next.

  9. When you first enter the Configure Managed Servers screen, a managed server called oam_server1 is created automatically. Rename oam_server1 to WLS_OAM1 and update its attributes as shown in the following table. Then, add a new managed server called WLS_OAM2 with the following attributes.

    Name      Listen Address          Listen Port  SSL Listen Port  SSL Enabled
    --------  ----------------------  -----------  ---------------  -----------
    WLS_OAM1  IDMHOST1.mycompany.com  14100        N/A              No
    WLS_OAM2  IDMHOST2.mycompany.com  14100        N/A              No


    Notes:

    • Do not change the configuration of the managed servers that were configured as a part of previous deployments.

    • Do not delete the default managed servers that are created. Rename them as described.

    Click Next.

  10. On the Configure Clusters screen, create a cluster by clicking Add. Supply the following information:

    Table 11-4 Values for Configure Clusters Screen

    Name         Cluster Messaging Mode
    -----------  ----------------------
    oam_cluster  Unicast


    Leave all other fields at the default settings and click Next.

  11. On the Assign Servers to Clusters screen, associate the Managed Servers with the cluster. Click the cluster name in the right pane. Click the Managed Server under Servers, then click the arrow to assign it to the cluster.

    Assign servers to the cluster as follows:

    Table 11-5 Servers to Assign to Cluster

    Cluster      Server
    -----------  --------
    oam_cluster  WLS_OAM1
                 WLS_OAM2


    Note:

    Do not change the configuration of any clusters which have already been configured as part of previous application deployments.

    Click Next.

  12. On the Configure Machines screen, create a machine for each host in the topology. Click the Unix Machine tab and then click Add to add the following machines:

    Note:

    "Name" can be any unique string. "Node Manager Listen Address" must be a resolvable host name.

    Table 11-6 Machines

    Name                    Node Manager Listen Address  Node Manager Listen Port  Port Variable
    ----------------------  ---------------------------  ------------------------  -------------
    IDMHOST1.mycompany.com  IDMHOST1.mycompany.com       5556                      NMGR_PORT
    IDMHOST2.mycompany.com  IDMHOST2.mycompany.com       5556                      NMGR_PORT


    Leave all other fields to their default values.

    Note:

    The machine name does not need to be a valid host name or listen address; it is just a unique identifier of a Node Manager location.

    Click Next.

  13. On the Assign Servers to Machines screen, assign servers to machines as follows:

    IDMHOST1: WLS_OAM1

    IDMHOST2: WLS_OAM2

    Click Next to continue.

  14. On the Configuration Summary screen, click Extend to extend the domain.

    Note:

    If you receive a warning that says:

    CFGFWK: Server listen ports in your domain configuration conflict with ports in use by active processes on this host
    

    Click OK.

    This warning appears if Managed Servers have been defined as part of previous installs and can safely be ignored.

  15. On the Installation Complete screen, click Done.

  16. Restart WebLogic Administration Server as described in Section 16.1, "Starting and Stopping Oracle Identity Management Components."

11.5 Configuring Access Manager

This section contains the following topics:

11.5.1 Removing IDM Domain Agent

By default, the IDMDomainAgent provides single sign-on capability for administration consoles. In enterprise deployments, WebGate handles single sign-on, so you must remove the IDMDomainAgent. Remove the IDMDomainAgent as follows:

Log in to the WebLogic console at the URL listed in Section 16.2, "About Identity Management Console URLs."

Then:

  1. Select Security Realms from the Domain Structure menu.

  2. Click myrealm.

  3. Click the Providers tab.

  4. Click Lock and Edit from the Change Center.

  5. In the list of authentication providers, select IAMSuiteAgent.

  6. Click Delete.

  7. Click Yes to confirm the deletion.

  8. Click Activate Changes from the Change Center.

  9. Restart WebLogic Administration Server and ALL running Managed Servers, as described in Section 16.1, "Starting and Stopping Oracle Identity Management Components."

11.5.2 Setting a Global Passphrase

By default, Access Manager is configured to use the Open security model. If you plan to change this mode using idmConfigTool, you must set a global passphrase. The global passphrase and the WebGate access password need not be the same, but it is recommended that they are. You do this by performing the following steps.

  1. Log in to the OAM console at the URL listed in Section 16.2, "About Identity Management Console URLs," as the WebLogic administration user.

  2. Click the System Configuration tab.

  3. Click Access Manager located in the Access Manager section.

  4. Select Open from the Actions menu. The access manager settings are displayed.

  5. If you plan to use Simple security mode for OAM servers, supply a global passphrase.

  6. Click Apply.

11.5.3 Configuring Access Manager by Using the IDM Configuration Tool

Now that the initial installation is done, perform the following tasks:

  • Configure Access Manager to use an external LDAP directory (oudinternal.mycompany.com).

  • Create Access Manager WebGate Agent.

You perform these tasks by using idmConfigTool.

Note:

Two parameter settings determine whether you are configuring Access Manager with Oracle Identity Manager integration or Access Manager alone.

  • To configure Access Manager with Oracle Identity Manager integration, set OAM11G_OIM_INTEGRATION to true and specify a value for OAM11G_OIM_OTD_URL.

  • To configure Access Manager without Oracle Identity Manager, set OAM11G_OIM_INTEGRATION to false.

These parameters are used to add extra links, such as Forgotten Password, to the Access Manager credential collection page.

If you configure Access Manager without Oracle Identity Manager, then decide to add Oracle Identity Manager at a later date, you must run this command again to configure Access Manager with Oracle Identity Manager integration.

Perform the following tasks on IDMHOST1:

  1. Set MW_HOME to IAM_MW_HOME.

    Set ORACLE_HOME to IAM_ORACLE_HOME.

    Set JAVA_HOME to JAVA_HOME.

  2. Create a properties file called config_oam1.props with the following contents:

    WLSHOST: ADMINVHN.mycompany.com
    WLSPORT: 7001
    WLSADMIN: weblogic
    WLSPASSWD: Admin Password
    IDSTORE_DIRECTORYTYPE: OUD
    IDSTORE_HOST: OUDINTERNAL.mycompany.com
    IDSTORE_PORT: 1489
    IDSTORE_BINDDN: cn=oudadmin
    IDSTORE_USERNAMEATTRIBUTE: cn
    IDSTORE_LOGINATTRIBUTE: uid
    OAM11G_SERVER_LOGIN_ATTRIBUTE: uid
    IDSTORE_USERSEARCHBASE: cn=Users,dc=mycompany,dc=com
    IDSTORE_SEARCHBASE: dc=mycompany,dc=com
    IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=mycompany,dc=com
    IDSTORE_SYSTEMIDBASE: cn=systemids,dc=mycompany,dc=com
    IDSTORE_OAMSOFTWAREUSER: oamLDAP
    IDSTORE_OAMADMINUSER: oamadmin
    PRIMARY_OAM_SERVERS: IDMHOST1.mycompany.com:5575,IDMHOST2.mycompany.com:5575
    WEBGATE_TYPE: otdWebgate11g
    ACCESS_GATE_ID: Webgate_IDM
    OAM11G_OIM_WEBGATE_PASSWD: password to be assigned to WebGate
    COOKIE_DOMAIN: .mycompany.com
    OAM11G_WG_DENY_ON_NOT_PROTECTED: true
    OAM11G_IDM_DOMAIN_OTD_HOST: sso.mycompany.com
    OAM11G_IDM_DOMAIN_OTD_PORT: 443
    OAM11G_IDM_DOMAIN_OTD_PROTOCOL: https
    OAM11G_SERVER_LBR_HOST: sso.mycompany.com
    OAM11G_SERVER_LBR_PORT: 443
    OAM11G_SERVER_LBR_PROTOCOL: https
    OAM11G_OAM_SERVER_TRANSFER_MODE: simple
    OAM_TRANSFER_MODE: simple
    OAM11G_IDM_DOMAIN_LOGOUT_URLS: /console/jsp/common/logout.jsp,/em/targetauth/emaslogout.jsp
    OAM11G_IDSTORE_ROLE_SECURITY_ADMIN: OAMAdministrators
    OAM11G_SSO_ONLY_FLAG: false
    COOKIE_EXPIRY_INTERVAL: 120
    OAM11G_IMPERSONATION_FLAG: false
    OAM11G_OIM_INTEGRATION_REQ: false
    OAM11G_OIM_OTD_URL: https://SSO.mycompany.com:443
    

    Where:

    • WLSHOST (ADMINVHN) is the host of your administration server. This is the virtual name.

    • WLSPORT is the port of your administration server, WLS_ADMIN_PORT in Section A.3, "Port Mapping".

    • WLSADMIN is the WebLogic administrative user you use to log in to the WebLogic console.

    • WLSPASSWD is the WebLogic administrator password.

    • IDSTORE_DIRECTORYTYPE is OUD.

    • IDSTORE_HOST and IDSTORE_PORT are the host and port of the Identity Store directory when accessed through Oracle Traffic Director. These are LDAP_LBR_HOST and LDAP_LBR_PORT in the Section A.3, "Port Mapping" worksheet.

    • IDSTORE_BINDDN is an administrative user in the Identity Store directory.

    • IDSTORE_USERSEARCHBASE is the location in the directory where Users are stored.

    • IDSTORE_GROUPSEARCHBASE is the location in the directory where Groups are stored.

    • IDSTORE_SEARCHBASE is the location in the directory where Users and Groups are stored.

    • IDSTORE_SYSTEMIDBASE is the location of a container in the directory where the user oamLDAP is stored.

    • IDSTORE_OAMSOFTWAREUSER is the name of the user you created in Section 9.4, "Preparing the Identity Store" to be used to interact with LDAP.

    • IDSTORE_OAMADMINUSER is the name of the user you created in Section 9.4, "Preparing the Identity Store" to access your OAM Console.

    • PRIMARY_OAM_SERVERS is a comma separated list of your OAM Servers and the proxy ports they use, for example: IDMHOST1:OAM_PROXY_PORT

      Note:

      To determine the proxy ports your OAM Servers use:

      1. Log in to the OAM console at the URL listed in Section 16.2, "About Identity Management Console URLs."

      2. Click the System Configuration tab.

      3. Expand Server Instances under the Common Configuration section.

      4. Click an OAM Server, such as WLS_OAM1, and select Open from the Actions menu.

      5. Proxy port is the one shown as Port.

    • ACCESS_GATE_ID is the name you want to assign to the WebGate.

    • OAM11G_OIM_WEBGATE_PASSWD is the password to be assigned to the WebGate.

    • OAM11G_IDM_DOMAIN_OTD_HOST is the name of the load balancer which is in front of the OTDs.

    • OAM11G_IDM_DOMAIN_OTD_PORT is the port that the load balancer listens on (HTTP_SSL_PORT).

    • OAM11G_IDM_DOMAIN_OTD_PROTOCOL is the protocol to use when directing requests at the load balancer.

    • OAM11G_WG_DENY_ON_NOT_PROTECTED, when set to false, allows login pages to be displayed. It should be set to true when using webgate11g.

    • OAM_TRANSFER_MODE is the security model that the Oracle Access Manager Servers function in. Valid values are simple and open. If you use the simple mode, you must define a global passphrase, as defined in Section 11.5.2, "Setting a Global Passphrase."

    • OAM11G_OAM_SERVER_TRANSFER_MODE is the security model that the OAM Servers function in, as defined in Section 11.5.2, "Setting a Global Passphrase."

    • OAM11G_IDM_DOMAIN_LOGOUT_URLS is set to the various logout URLs.

    • OAM11G_SSO_ONLY_FLAG configures Access Manager in authentication-only mode or in normal mode, which supports authentication and authorization.

      If OAM11G_SSO_ONLY_FLAG is true, the OAM Server operates in authentication only mode, where all authorizations return true by default without any policy validations. In this mode, the server does not have the overhead of authorization handling. This is recommended for applications which do not depend on authorization policies and need only the authentication feature of the OAM Server.

      If the value is false, the server runs in default mode, where each authentication is followed by one or more authorization requests to the OAM Server. WebGate allows the access to the requested resources or not, based on the responses from the OAM Server.

    • OAM11G_IMPERSONATION_FLAG is set to true if you are configuring OAM Impersonation.

    • OAM11G_SERVER_LBR_HOST is the name of the load balancer fronting your site. This and the following two parameters are used to construct your login URL.

    • OAM11G_SERVER_LBR_PORT is the port that the load balancer is listening on (HTTP_SSL_PORT).

    • OAM11G_SERVER_LBR_PROTOCOL is the URL prefix to use.

    • OAM11G_OIM_INTEGRATION_REQ should be set to true if you are building a topology which contains both OAM and OIM. Otherwise set to false at this point. This value is only set to true when performing Access Manager/Oracle Identity Manager integration and is set during the integration phase.

    • OAM11G_OIM_OTD_URL should be set to the URL of your load balancer. This parameter is only required if your topology contains OAM and OIM.

    • COOKIE_DOMAIN is the domain in which the WebGate functions.

    • WEBGATE_TYPE is the type of WebGate agent you want to create.

    • OAM11G_IDSTORE_NAME is the Identity Store name. If you already have an Identity Store in place which you wish to reuse (rather than allowing the tool to create a new one for you), then set the value of this parameter to the name of the Identity Store you wish to reuse.

    • OAM11G_SERVER_LOGIN_ATTRIBUTE when set to uid, ensures that when users log in, their username is validated against the uid attribute in LDAP.

  3. Configure Access Manager using the command idmConfigTool which is located at:

    IAM_ORACLE_HOME/idmtools/bin

    Note:

    When you run the idmConfigTool, it creates or appends to the file idmDomainConfig.param. This file is generated in the same directory that the idmConfigTool is run from. To ensure that each time the tool is run, the same file is appended to, always run the idmConfigTool from the directory:

    IAM_ORACLE_HOME/idmtools/bin

    idmConfigTool.sh -configOAM input_file=configfile 
    

    For example:

    idmConfigTool.sh -configOAM input_file=config_oam1.props
    

    When the command runs you are prompted to enter the password of the account you are connecting to the Identity Store with. You are also asked to specify the passwords you want to assign to these accounts:

    • IDSTORE_PWD_OAMSOFTWAREUSER

    • IDSTORE_PWD_OAMADMINUSER

  4. Check the log file for any errors or warnings and correct them. A file named automation.log is created in the directory where you run the tool.

  5. Restart WebLogic Administration Server as described in Section 16.1, "Starting and Stopping Oracle Identity Management Components."
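Before running idmConfigTool -configOAM, it is worth checking the properties file against the constraints the parameter descriptions above impose. The following Python script is an added example for this guide, not part of idmConfigTool or of the Oracle documentation; it parses a config_oam1.props-style file and flags a simple transfer mode without a global passphrase, disagreeing transfer-mode parameters, an 11g WebGate that does not deny on unprotected resources, OIM integration without OAM11G_OIM_OTD_URL, malformed PRIMARY_OAM_SERVERS entries, and a load-balancer login URL that is not https. The sample properties embedded in it are constructed from this chapter's placeholder values.

```python
"""Pre-flight lint for an idmConfigTool -configOAM properties file.

Added example for this guide (not part of idmConfigTool or the Oracle
documentation). It parses a config_oam1.props-style file (KEY: VALUE
lines) and checks the constraints the parameter descriptions state:
simple transfer mode needs the global passphrase from Section 11.5.2,
the two transfer-mode parameters must agree, an 11g WebGate should set
OAM11G_WG_DENY_ON_NOT_PROTECTED to true, OIM integration needs
OAM11G_OIM_OTD_URL, and PRIMARY_OAM_SERVERS must be host:port pairs.
"""
import re
from typing import Dict, List

# Constructed sample, using the placeholder values from this chapter.
SAMPLE_PROPS = """\
WLSHOST: ADMINVHN.mycompany.com
WLSPORT: 7001
WLSADMIN: weblogic
IDSTORE_DIRECTORYTYPE: OUD
PRIMARY_OAM_SERVERS: IDMHOST1.mycompany.com:5575,IDMHOST2.mycompany.com:5575
WEBGATE_TYPE: otdWebgate11g
ACCESS_GATE_ID: Webgate_IDM
OAM11G_WG_DENY_ON_NOT_PROTECTED: true
OAM11G_IDM_DOMAIN_OTD_PROTOCOL: https
OAM11G_IDM_DOMAIN_OTD_PORT: 443
OAM11G_SERVER_LBR_PROTOCOL: https
OAM11G_SERVER_LBR_PORT: 443
OAM11G_OAM_SERVER_TRANSFER_MODE: simple
OAM_TRANSFER_MODE: simple
OAM11G_OIM_INTEGRATION_REQ: false
OAM11G_OIM_OTD_URL: https://SSO.mycompany.com:443
"""

HOST_PORT_RE = re.compile(r"[A-Za-z0-9.-]+:\d{1,5}")


def parse_props(text: str) -> Dict[str, str]:
    """Parse 'KEY: VALUE' lines; blank lines and '#' comments are skipped.

    The split is on the first colon only, so URL values keep their
    'https://host:port' form intact.
    """
    props: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep or not key.strip():
            raise ValueError(f"line {lineno}: expected KEY: VALUE, got {raw!r}")
        props[key.strip()] = value.strip()
    return props


def check_oam_props(props: Dict[str, str], global_passphrase_set: bool) -> List[str]:
    """Return the list of problems found; an empty list means the file passed."""
    problems: List[str] = []

    def is_true(key: str) -> bool:
        return props.get(key, "").strip().lower() == "true"

    # OAM_TRANSFER_MODE is simple or open; simple requires the global passphrase.
    mode = props.get("OAM_TRANSFER_MODE", "").lower()
    if mode not in ("simple", "open"):
        problems.append(f"OAM_TRANSFER_MODE must be simple or open, got {mode!r}")
    elif mode == "simple" and not global_passphrase_set:
        problems.append("OAM_TRANSFER_MODE is simple but no global passphrase is set")
    server_mode = props.get("OAM11G_OAM_SERVER_TRANSFER_MODE", "").lower()
    if server_mode != mode:
        problems.append("OAM11G_OAM_SERVER_TRANSFER_MODE does not match OAM_TRANSFER_MODE")

    # An 11g WebGate should deny access to resources that are not protected.
    if props.get("WEBGATE_TYPE", "").lower().endswith("webgate11g") \
            and not is_true("OAM11G_WG_DENY_ON_NOT_PROTECTED"):
        problems.append("OAM11G_WG_DENY_ON_NOT_PROTECTED should be true for an 11g WebGate")

    # OIM integration needs the load balancer URL.
    if is_true("OAM11G_OIM_INTEGRATION_REQ") and not props.get("OAM11G_OIM_OTD_URL"):
        problems.append("OAM11G_OIM_INTEGRATION_REQ is true but OAM11G_OIM_OTD_URL is empty")

    # PRIMARY_OAM_SERVERS is a comma-separated list of host:proxy-port pairs.
    servers = [s.strip() for s in props.get("PRIMARY_OAM_SERVERS", "").split(",") if s.strip()]
    if not servers:
        problems.append("PRIMARY_OAM_SERVERS is empty")
    for entry in servers:
        if not HOST_PORT_RE.fullmatch(entry):
            problems.append(f"PRIMARY_OAM_SERVERS entry {entry!r} is not host:port")

    # The login URL is built from the load balancer protocol and port, which this
    # guide sets to https and HTTP_SSL_PORT; flag a plain-http login URL.
    for prefix in ("OAM11G_IDM_DOMAIN_OTD", "OAM11G_SERVER_LBR"):
        if props.get(prefix + "_PROTOCOL", "").lower() != "https":
            problems.append(f"{prefix}_PROTOCOL is not https; the login URL would not use TLS")
        if not props.get(prefix + "_PORT", "").isdigit():
            problems.append(f"{prefix}_PORT is not a port number")

    return problems


if __name__ == "__main__":
    for problem in check_oam_props(parse_props(SAMPLE_PROPS), global_passphrase_set=True):
        print("PROBLEM:", problem)
```

Run it against the real config_oam1.props by replacing SAMPLE_PROPS with the file contents; the passphrase flag is passed in because the file itself does not record whether Section 11.5.2 was completed.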

Note:

After you run idmConfigTool, several files are created that you need for subsequent tasks. Keep these in a safe location.

Two 11g WebGate profiles are created: Webgate_IDM, which is used for intercomponent communication, and Webgate_IDM_11g, which is used by 11g WebGates.

The following files exist in the directory ASERVER_HOME/output/Webgate_IDM_11g. You need these when you install the WebGate software.

  • cwallet.sso

  • ObAccessClient.xml

  • password.xml

Additionally, you need the files aaa_cert.pem and aaa_key.pem, which are located in the directory ASERVER_HOME/output/Webgate_IDM.

11.5.4 Validating the Configuration

To validate that the configuration has completed correctly:

  1. Access the OAM console at: http://ADMIN.mycompany.com/oamconsole

  2. Log in as the Access Manager administration user you created in Section 9.4, "Preparing the Identity Store," for example, oamadmin.

  3. Click the System Configuration tab.

  4. Expand Access Manager - SSO Agents - OAM Agents.

  5. Click the open folder icon, then click Search.

  6. You should see the WebGate agents Webgate_IDM and Webgate_IDM_11g, which you created in Section 11.5.3, "Configuring Access Manager by Using the IDM Configuration Tool."

11.5.5 Enabling Cluster-Level Session Replication Enhancements

You can enable session replication enhancements for Managed Servers in a WebLogic cluster to which you will deploy a web application at a later time.

To enable session replication enhancements for oam_cluster:

  1. Ensure that Managed Servers in the oam_cluster cluster are up and running, as described in Section 11.7, "Starting Managed Servers WLS_OAM1 and WLS_OAM2."

  2. To set replication ports for a Managed Server, such as WLS_OAM1, complete the following steps:

    1. Under Domain Structure, click Environment and Servers. The Summary of Servers page is displayed.

    2. Click Lock & Edit.

    3. Click WLS_OAM1 on the list of servers. The Settings for WLS_OAM1 is displayed.

    4. Click the Cluster tab.

    5. In the Replication Ports field, enter a range of ports for configuring multiple replication channels. For example, replication channels for Managed Servers in oam_cluster can listen on ports starting from 7005 to 7015. To specify this range of ports, enter 7005-7015.

  3. Create a custom network channel for each Managed Server in the cluster (for example, WLS_OAM1) as follows:

    1. Log in to the Oracle WebLogic Server Administration Console.

    2. If you have not already done so, click Lock & Edit in the Change Center.

    3. In the left pane of the Console, expand Environment and select Servers.

      The Summary of Servers page is displayed.

    4. In the Servers table, click WLS_OAM1 Managed Server instance.

    5. Select Protocols, and then Channels.

    6. Click New.

    7. Enter ReplicationChannel as the name of the new network channel and select t3 as the protocol, then click Next.

    8. Enter the following information:

      Listen address: 10.0.0.1

      Note:

      This is the floating IP assigned to WebLogic Server.

      Listen port: 7005

    9. Click Next, and in the Network Channel Properties page, select Enabled and Outbound Enabled.

    10. Click Finish.

    11. Under the Network Channels table, select ReplicationChannel, the network channel you created for the WLS_OAM1 Managed Server.

    12. Expand Advanced, and select Enable SDP Protocol.

    13. Click Save.

    14. To activate these changes, in the Change Center of the Administration Console, click Activate Changes.

    You must repeat the above steps to create a network channel each for the remaining Managed Servers in the cluster. Enter the required properties, as described in Table 11-7.

    Table 11-7 Network Channels Properties

    Managed Server  Name                Protocol  Listen Address  Listen Port  Additional Channel Ports
    --------------  ------------------  --------  --------------  -----------  ------------------------
    WLS_OAM2        ReplicationChannel  t3        10.0.0.2        7005         7006 to 7014


  4. After creating the network channel for the OAM Managed Servers in your cluster, click Environment > Clusters. The Summary of Clusters page is displayed.

  5. Click oam_cluster (this is the example cluster to which you will deploy a web application at a later time). The Settings for oam_cluster page is displayed.

  6. Click the Replication tab.

  7. In the Replication Channel field, ensure that ReplicationChannel is set as the name of the channel to be used for replication traffic.

  8. In the Advanced section, select the Enable One Way RMI for Replication option.

  9. Click Save.

  10. Activate changes, and restart all Managed Servers.

  11. Manually add the system property -Djava.net.preferIPv4Stack=true to the startWebLogic.sh script, which is located in the bin directory of IDMDomain, using a text editor as follows:

    1. Locate the following line in the startWebLogic.sh script:

      . ${DOMAIN_HOME}/bin/setDomainEnv.sh $*

    2. Add the following property immediately after the above entry:

      JAVA_OPTIONS="${JAVA_OPTIONS} -Djava.net.preferIPv4Stack=true"

    3. Save the file and close.

  12. Restart all Managed Servers as follows:

    1. In the administration console, click Environment > Servers. The Summary of Servers page is displayed.

    2. Select a Managed Server, such as WLS_OAM1, by clicking its name. The Settings for WLS_OAM1 page is displayed.

    3. Click the Control tab. Select WLS_OAM1 in the Server Status table. Click Start.

    4. Repeat these steps for each of the Managed Servers in the WebLogic cluster.

    Note:

    To verify that multiple listening ports were opened, you can either run the netstat -na command on the command line or check the Managed Server logs.
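The netstat check above can be automated so that each Managed Server host is compared against the replication port range configured in step 2. The following Python script is an added example for this guide, not an Oracle tool; it parses Linux `netstat -na` output and lists the ports of the configured range (7005-7015 on the server's listen address, 10.0.0.1 for WLS_OAM1 in this chapter) that are not in LISTEN state. The netstat lines embedded in it are constructed.

```python
"""Verify that a Managed Server's replication channel ports are listening.

Added example for this guide (not an Oracle tool). It parses the output of
`netstat -na` on Linux and reports which ports of the replication range
configured in Section 11.5.5 (7005-7015 on the server's listen address)
are not yet in LISTEN state. The netstat lines below are constructed.
"""
import re
from typing import List, Set

# Constructed sample: WLS_OAM1 on 10.0.0.1 with only two replication ports open.
# 7007 is an established connection (not a listener) and 7008 is bound to
# loopback only, so neither counts for the 10.0.0.1 listen address.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.1:14100          0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.1:7005           0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.1:7006           0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.1:7007           10.0.0.2:51234          ESTABLISHED
tcp        0      0 127.0.0.1:7008          0.0.0.0:*               LISTEN
"""

# proto  recv-q  send-q  local-address:port  foreign-address  state
NETSTAT_TCP_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+(\S+)")


def listening_ports(netstat_output: str, listen_address: str) -> Set[int]:
    """Ports in LISTEN state bound to listen_address or to a wildcard address."""
    ports: Set[int] = set()
    for line in netstat_output.splitlines():
        m = NETSTAT_TCP_RE.match(line)
        if not m or m.group(3) != "LISTEN":
            continue
        if m.group(1) in (listen_address, "0.0.0.0", "::"):
            ports.add(int(m.group(2)))
    return ports


def missing_replication_ports(netstat_output: str, listen_address: str,
                              port_range: str = "7005-7015") -> List[int]:
    """Ports of the configured range (Replication Ports field form, e.g. 7005-7015)
    that are not listening; an empty list means every channel port is open."""
    low, high = (int(p) for p in port_range.split("-"))
    open_ports = listening_ports(netstat_output, listen_address)
    return [port for port in range(low, high + 1) if port not in open_ports]


if __name__ == "__main__":
    # On a real host, replace SAMPLE_NETSTAT with the output of `netstat -na`.
    print("missing replication ports:", missing_replication_ports(SAMPLE_NETSTAT, "10.0.0.1"))
```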

11.5.6 Updating Newly-Created Agent

After generating the initial configuration, you must edit the configuration and add advanced configuration entries.

  1. Select the System Configuration tab.

  2. Select Access Manager - SSO Agents - OAM Agent from the directory tree. Double-click or select the open folder icon.

  3. On the displayed search page click Search to perform an empty search.

  4. Click the Agent Webgate_IDM.

  5. Select Open from the Actions menu.

  6. Set Maximum Number of Connections to 4 for all of the OAM Servers listed in the primary servers list.

  7. If the following Logout URLs are not listed, add them:

    • /oamsso/logout.html

    • /console/jsp/common/logout.jsp

    • /em/targetauth/emaslogout.jsp

  8. Click Apply.

  9. Repeat Steps 4 through 7 for the WebGate agent Webgate_IDM_11g.

  10. Click Policy Configuration tab.

  11. Click Host Identifiers.

  12. Click Open.

  13. Click Search.

  14. Click IAMSuiteAgent.

  15. Click + in the Host Name Variations box.

  16. Enter the following information:

    • Host Name: ADMIN.mycompany.com

    • Port: 80 (HTTP_PORT)

  17. Click Apply.

11.5.7 Updating Existing WebGate Agents

If you have changed the OAM security model using idmConfigTool, you must change the security model used by any existing WebGates to reflect this change.

To do this, perform the following steps:

  1. Log in to the Oracle Access Management Console as the Access Manager administration user you created in Section 9.4, "Preparing the Identity Store," at the URL listed in Section 16.2, "About Identity Management Console URLs."

  2. Click the System Configuration tab.

  3. Expand Access Manager - SSO Agents.

  4. Click OAM Agents and select Open from the Actions menu.

  5. In the Search window, click Search.

  6. Click each Agent that was not created by idmConfigTool in Section 11.5.3, "Configuring Access Manager by Using the IDM Configuration Tool", for example: IAMSuiteAgent.

  7. Set the Security value to the new security model. Add any missing Access Manager servers to the displayed list.

    Click Apply.

11.5.8 Adding Conditions to the Admin Role

Perform the following workaround for Bug 13824816:

  1. Log in to the WebLogic Administration Server Console at the URL listed in Section 16.2, "About Identity Management Console URLs."

  2. In the left pane of the console, click Security Realms.

  3. On the Summary of Security Realms page, click myrealm under the Realms table.

  4. On the Settings page for myrealm, click the Roles & Policies tab.

  5. On the Realm Roles page, expand the Global Roles entry under the Roles table. This brings up the entry for Roles.

  6. Click the Roles link to go to the Global Roles page.

  7. On the Global Roles page, click the Admin role to go to the Edit Global Role page.

  8. On the Edit Global Roles page, under the Role Conditions table, click Add Conditions.

  9. On the Choose a Predicate page, select Group from the predicates list and click Next.

  10. On the Edit Arguments Page, specify OAMAdministrators in the Group Argument field and click Add.

  11. Click Finish to return to the Edit Global Role page.

    The Role Conditions table now shows the OAMAdministrators Group as an entry.

  12. Click Save to finish adding the Admin role to the OAMAdministrators Group.

11.6 Deploying Managed Server Configuration to Local Storage

Once the configuration is complete, you must propagate the Oracle Identity Manager configuration to the managed server directory on IDMHOST1 and IDMHOST2.

You do this by packing and unpacking the domain: pack the IDMDomain domain on IDMHOST1 first, then unpack it on IDMHOST1 and IDMHOST2.

Follow these steps to propagate the domain to the managed server domain directory.

  1. Invoke the pack utility from ORACLE_COMMON_HOME/common/bin/ on IDMHOST1.

    ./pack.sh -domain=ASERVER_HOME -template=iam_domain.jar  -template_name="IAM Domain" -managed=true
    

    This creates a file called iam_domain.jar. Copy this file to IDMHOST2.

  2. On IDMHOST1 and IDMHOST2, invoke the utility unpack, which is also located in the directory: ORACLE_COMMON_HOME/common/bin/

    ./unpack.sh -domain=MSERVER_HOME -template=iam_domain.jar -overwrite_domain=true -app_dir=MSERVER_HOME/applications
    

11.7 Starting Managed Servers WLS_OAM1 and WLS_OAM2

Start the managed servers WLS_OAM1 and WLS_OAM2 as described in Section 16.1, "Starting and Stopping Oracle Identity Management Components."

11.8 Add Missing Access Manager Policies

In order to use Identity Management products when WebGate is enabled, you must manually add a number of Access Manager policies. To do this, perform the following steps:

  1. Log in to the OAM console using the URL http://admin.mycompany.com/oamconsole.

  2. Click the Policy Configuration tab.

  3. Click Application Domains.

  4. Click Open. The Search Application Domains screen is displayed.

  5. Click Search.

  6. Click IAM Suite.

  7. Click the Resources tab.

  8. Click New Resource and enter the following information:

    Product  Type  Description              Host Identifier  Resource URL  Protection Level
    ODSM     http  ODSM Console             IAMSuiteAgent    /odsm/**      excluded
    OIM      http  OIM Email Notifications  IAMSuiteAgent    /ucs/**       excluded

  9. Click Apply.

11.9 Validating Access Manager

You can validate Access Manager by using the oamtest tool. To do this, perform the following steps:

  1. Ensure that JAVA_HOME is set in your environment.

  2. Add JAVA_HOME/bin to your PATH, for example:

    export PATH=$JAVA_HOME/bin:$PATH
    
  3. Change directory to:

    IAM_ORACLE_HOME/oam/server/tester

  4. Start the test tool in a terminal window using the command:

    java -jar oamtest.jar
    
  5. When the OAM test tool starts, enter the following information in the Server Connection section of the page:

    • Primary IP Address: IDMHOST1.mycompany.com

    • Port: 5575 (OAM_PROXY_PORT)

    • Agent ID: Webgate_IDM_11g

    • Agent Password: webgate password

    Note:

    If you configured simple mode, you must select Simple and provide the global passphrase.

    Click Connect.

    In the status window you see:

    [reponse] Connected to primary access server

  6. In the Protected Resource URI section enter:

    • Scheme: http

    • Host: ADMIN.mycompany.com

    • Port: 80 (HTTP_PORT)

    • Resource: /oamconsole

    Click Validate.

    In the status window you see:

    [request][validate] yes

  7. In the User Identity window, enter:

    • Username: oamadmin

    • Password: oamadmin password

    Click Authenticate.

    In the status window, you see:

    [request] [authenticate] yes

    Click Authorize.

    In the status window you see:

    [request] [authenticate] yes

Repeat this test for each access server in the topology, remembering to change the connection details for each server.

11.10 Creating a Single Keystore for Integrating Access Manager with Other Components

When you configure Access Manager to work using the simple transport protocol, all traffic to Access Manager is encrypted. When you integrate Access Manager with other components, such as Oracle Identity Manager, you must enable the product being integrated to understand this encryption (This is not necessary when the transport model is open.). You do this by using a keystore.

When you change Access Manager to use the simple protocol, keystores are created automatically in the directory ASERVER_HOME/output/webgate-ssl. This directory contains the following files:

  • oamclient-keystore.jks

  • oamclient-truststore.jks

These files are accessed using the Global Passphrase defined at the time of enabling Access Manager in simple mode.

Some products require configuring with both of the files above, and some products, such as Oracle Identity Manager, require a single consolidated keystore.

To create a keystore suitable for use by Oracle Identity Manager, perform the following steps.

  1. Change directory to ASERVER_HOME/output/webgate-ssl, for example:

    cd ASERVER_HOME/output/webgate-ssl
    
  2. Copy the file oamclient-keystore.jks to ssoKeystore.jks, for example

    cp oamclient-keystore.jks ssoKeystore.jks
    
  3. Import the trust store into the new keystore ssoKeystore.jks using the command:

    keytool -importcert -file IAM_ORACLE_HOME/oam/server/config/cacert.der -trustcacerts -keystore PathName_to_keystore -storetype JKS
    

    Enter the keystore password when prompted. For example:

    keytool -importcert -file IAM_ORACLE_HOME/oam/server/config/cacert.der -trustcacerts -keystore ssoKeystore.jks -storetype JKS
    

Note:

The files ssoKeystore.jks and oamclient-truststore.jks are required when you integrate Access Manager running in Simple mode with Oracle Identity Manager. When you integrate these components, you are asked to copy these files to the ASERVER_HOME/config/fmwconfig directory. If you subsequently extend the domain on machines where these files have been placed using pack/unpack, you must recopy ssoKeystore.jks and oamclient-truststore.jks after unpacking.
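The following script is an added example and is not part of the Oracle guide. It performs steps 1 to 3 of Section 11.10 and then checks the result in two ways that the procedure itself does not: it lists the consolidated keystore to confirm that it holds both the client private key (PrivateKeyEntry) and the imported CA certificate (trustedCertEntry), and it offers a check for the situation described in the Note above, where ssoKeystore.jks and oamclient-truststore.jks must be present again under config/fmwconfig after a pack/unpack. The Global Passphrase is taken from an environment variable named OAM_PASSPHRASE via keytool's -storepass:env modifier (an assumption of this script; the guide lets keytool prompt), the certificate alias oam_ca is an assumption (the guide's command uses keytool's default alias), and the chmod 600 is a hardening step added here because the file carries a private key.

```shell
#!/bin/sh
# Added example, not from the Oracle guide: build the consolidated keystore of
# Section 11.10 and verify it. Assumptions: OAM_PASSPHRASE holds the Global
# Passphrase, the imported certificate gets the alias "oam_ca", and keytool
# (JAVA_HOME/bin) is on PATH and supports the -storepass:env modifier.
set -u

# A consolidated keystore must contain two kinds of entry: the client private
# key copied from oamclient-keystore.jks (PrivateKeyEntry) and the CA
# certificate imported from cacert.der (trustedCertEntry). Reads the output of
# `keytool -list` on stdin; returns 0 only when both kinds are present.
keystore_listing_complete() {
  listing=$(cat)
  printf '%s\n' "$listing" | grep -q 'PrivateKeyEntry' || return 1
  printf '%s\n' "$listing" | grep -q 'trustedCertEntry' || return 1
  return 0
}

# The Note in Section 11.10: after pack/unpack, both keystores must be back in
# the fmwconfig directory. Returns 0 if both files exist and are non-empty
# under the directory given as $1; otherwise reports what is missing, returns 1.
keystores_present() {
  dir=$1
  rc=0
  for f in ssoKeystore.jks oamclient-truststore.jks; do
    if [ ! -s "$dir/$f" ]; then
      echo "missing or empty: $dir/$f" >&2
      rc=1
    fi
  done
  return $rc
}

# Steps 1-3 of Section 11.10 plus the listing check. $1 = ASERVER_HOME,
# $2 = IAM_ORACLE_HOME. Runs in a subshell so the caller's working directory
# is left unchanged.
build_sso_keystore() (
  aserver_home=$1
  iam_home=$2
  [ -n "${OAM_PASSPHRASE:-}" ] || { echo "OAM_PASSPHRASE is not set" >&2; exit 1; }
  cd "$aserver_home/output/webgate-ssl" || exit 1
  cp oamclient-keystore.jks ssoKeystore.jks || exit 1
  # Hardening added in this example: the copy holds a private key, so make it
  # readable by the owner only.
  chmod 600 ssoKeystore.jks || exit 1
  keytool -importcert -noprompt -alias oam_ca \
    -file "$iam_home/oam/server/config/cacert.der" \
    -trustcacerts -keystore ssoKeystore.jks -storetype JKS \
    -storepass:env OAM_PASSPHRASE || exit 1
  keytool -list -keystore ssoKeystore.jks -storetype JKS \
    -storepass:env OAM_PASSPHRASE | keystore_listing_complete
)

# Constructed sample of `keytool -list` output (not captured from a real
# system) so the listing check can be exercised without keytool.
SAMPLE_LISTING='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

mykey, Jan 1, 2013, PrivateKeyEntry,
Certificate fingerprint (SHA1): 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
oam_ca, Jan 1, 2013, trustedCertEntry,
Certificate fingerprint (SHA1): 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11'

if printf '%s\n' "$SAMPLE_LISTING" | keystore_listing_complete; then
  echo "sample listing: private key and trusted certificate both present"
fi
```

Usage on IDMHOST1 would be `export OAM_PASSPHRASE=...` followed by `build_sso_keystore /path/to/ASERVER_HOME /path/to/IAM_ORACLE_HOME`; after each later pack/unpack, `keystores_present MSERVER_HOME/config/fmwconfig` tells you whether the two files still need to be recopied. Keeping the passphrase in the environment rather than on the keytool command line keeps it out of the process list on a shared administration host.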

11.11 Backing Up the Application Tier Configuration

Back up the database, the WebLogic domain, and the LDAP directories, as described in Section 16.6, "Performing Backups and Recoveries."