Skip Headers
Oracle® Exalogic Elastic Cloud Enterprise Deployment Guide for Oracle Identity and Access Management
Release EL X2-2 and EL X3-2

E35832-02
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Index
Index
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
PDF · Mobi · ePub

10 Preparing Identity Stores

This chapter describes how to prepare the Identity and Policy Stores in an Oracle Identity Management enterprise deployment.

It contains the following sections:

10.1 Overview of Preparing Identity Stores

Preparing the Identity Store involves extending the schema of the directory to support Oracle Access Management Access Manager and Oracle Identity Manager, then seeding the Identity Store with system users that will be used when building the Identity Management topology.

10.2 Backing up the LDAP Directories

The procedures described in this chapter change the configuration of the LDAP directories that host the Identity Store. Before performing any of these tasks, back up your LDAP directories. Refer to WebLogic Server Managing Server Startup and Shutdown for detailed LDAP backup procedures.

10.3 Prerequisites

Before proceeding, ensure that Oracle Identity Management 11g is installed on IDMHOST1.

Note:

Be sure to verify you have obtained all required patches. For more info, see Section 2.5.3, "Applying Patches and Workarounds."

10.4 Preparing the Identity Store

This section describes how to prepare the Identity Store. It contains the following topics:

10.4.1 Overview of Preparing the Identity Store

Before you can use a directory to support Access Manager, you must extend the directory to include Object classes required by these applications.

In addition to extending the directory schema, you must create a number of users. These users are used later on in the guide for such things as:

  • Accessing the directory using a dedicated user.

  • Accessing Access Manager, Oracle Identity Manager, and WebLogic after these products have offloaded authentication to an external directory.

10.4.2 Creating the Configuration File

Create a property file, oudinternal.props, to use when preparing the Identity Store. The file will have the following structure:

Oracle Unified Directory Example

# Common
IDSTORE_HOST: IDMHOST1.mycompany.com
IDSTORE_PORT: 1389
IDSTORE_ADMIN_PORT: 4444
IDSTORE_KEYSTORE_FILE: OUD_ORACLE_INSTANCE/OUD/config/admin-keystore
IDSTORE_KEYSTORE_PASSWORD: Password key
IDSTORE_BINDDN: cn=oudadmin 
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=mycompany,dc=com
IDSTORE_SEARCHBASE: dc=mycompany,dc=com
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_USERSEARCHBASE: cn=Users,dc=mycompany,dc=com
OUDINTERNAL_NEW_SETUP: true
POLICYSTORE_SHARES_oudinternal: true
# OAM
OUDINTERNAL_OAMADMINUSER:oamadmin
OUDINTERNAL_OAMSOFTWAREUSER:oamLDAP
OAM11G_OUDINTERNAL_ROLE_SECURITY_ADMIN:OAMAdministrators
# OAM and OIM
OUDINTERNAL_SYSTEMIDBASE: cn=systemids,dc=mycompany,dc=com
# OIM
OUDINTERNAL_OIMADMINGROUP: OIMAdministrators
OUDINTERNAL_OIMADMINUSER: oimLDAP
# WebLogic
OUDINTERNAL_WLSADMINUSER : weblogic_idm
OUDINTERNAL_WLSADMINGROUP : WLSAdmins

Where:

  • OUDINTERNAL_HOST and OUDINTERNAL_PORT are, respectively, the host and port of your Identity Store directory. Specify the back end directory here. In the case of OUD, specify, respectively, Oracle Unified Directory instances, for example:

    OUD: IDMHOST1 and 1389

  • OUDINTERNAL_ADMIN_PORT is the administration port of your Oracle Unified Directory instance. If you are not using Oracle Unified Directory, you can leave out this parameter.

  • OUDINTERNAL_KEYSTORE_FILE is the location of the Oracle Unified Directory Keystore file. It is used to enable communication with Oracle Unified Directory using the Oracle Unified Directory administration port. It is called admin-keystore and is located in OUD_ORACLE_INSTANCE/OUD/config. If you are not using Oracle Unified Directory, you can leave out this parameter.

  • OUDINTERNAL_KEYSTORE_PASSWORD is the encrypted password of the Oracle Unified Directory keystore. This value can be found in the file OUD_ORACLE_INSTANCE/OUD/config/admin-keystore.pin. If you are not using Oracle Unified Directory, you can leave out this parameter.

  • OUDINTERNAL_BINDDN is an administrative user in the Identity Store Directory

  • OUDINTERNAL_GROUPSEARCHBASE is the location in the directory where Groups are Stored.

  • OUDINTERNAL_SEARCHBASE is the location in the directory where Users and Groups are stored.

  • OUDINTERNAL_USERNAMEATTRIBUTE is the name of the directory attribute containing the user's name. Note that this is different from the login name.

  • OUDINTERNAL_LOGINATTRIBUTE is the LDAP attribute which contains the users Login name.

  • OUDINTERNAL_USERSEARCHBASE is the location in the directory where Users are Stored.

  • OUDINTERNAL_NEW_SETUP is always set to true for Oracle Unified Directory. If you are not using OUD, you do not need to specify this attribute.

  • POLICYSTORE_SHARES_IDSTORE is set to true for IDM 11g.

  • OUDINTERNAL_OAMADMINUSER is the name of the user you want to create as your Access Manager Administrator.

  • OUDINTERNAL_OAMSOFTWAREUSER is a user that gets created in LDAP that is used when Access Manager is running to connect to the LDAP server.

  • OAM11G_OUDINTERNAL_ROLE_SECURITY_ADMIN is the name of the group which is used to allow access to the OAM console.

  • OUDINTERNAL_SYSTEMIDBASE is the location of a container in the directory where users can be placed when you do not want them in the main user container. This happens rarely but one example is the Oracle Identity Manager reconciliation user.

  • OUDINTERNAL_OIMADMINGROUP Is the name of the group you want to create to hold your Oracle Identity Manager administrative users.

  • OUDINTERNAL_OIMADMINUSER is the user that Oracle Identity Manager uses to connect to the Identity store.

  • OUDINTERNAL_WLSADMINUSER: The username to be used for logging in to the web logic domain once it is enabled by SSO. In the above example, weblogic_idm is used.

  • OUDINTERNAL_WLSADMINGROUP: is the name of the group to which users who are allowed to log in to the WebLogic system components, such as the WLS Console and EM, belong.

Use OIM entries only if your topology includes Oracle Identity Manager. Use OAM entries only if your topology includes Access Manager.

10.4.3 Configuring Oracle Unified Directory for Use with Oracle Access Manager and Oracle Identity Manager

This section explains how to configure Oracle Unified Directory for use with Oracle Access Manager and Oracle Identity Manager.

Pre-configuring the Identity Store extends the schema in Oracle Unified Directory.

Note:

You do not need to preconfigure the Identity Store unless you are using Access Manager or Oracle Identity Manager.

To do this, perform the following tasks on IDMHOST1:

  1. Set MW_HOME to IAM_MW_HOME.

    Set ORACLE_HOME to IAM_ORACLE_HOME.

    Set JAVA_HOME to JAVA_HOME.

  2. Configure the Identity Store by using the command idmConfigTool, which is located at:

    IAM_ORACLE_HOME/idmtools/bin

    Note:

    When you run the idmConfigTool, it creates or appends to the file idmDomainConfig.param. This file is generated in the same directory that the idmConfigTool is run from. To ensure that each time the tool is run, the same file is appended to, always run the idmConfigTool from the directory:

    IAM_ORACLE_HOME/idmtools/bin

    idmConfigTool.sh -preConfigIDStore input_file=configfile 
    

    For example:

    idmConfigTool.sh -preConfigIDStore input_file=oudinternal.props
    

    When the command runs, you are prompted to enter the password of the account you are connecting to the Identity Store with. This command might take some time to complete.

    Sample command output:

    Enter ID Store Bind DN password:
    Apr 3, 2013 3:47:37 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: /u01/oracle/products/access/iam/idmtools/templates/oud/oud_schema_extn.ldif
    Apr 3, 2013 3:47:38 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: /u01/oracle/products/access/iam/oam/server/oim-intg/ldif/ojd/schema/ojd_oam_pwd_schema_add.ldif
    Apr 3, 2013 3:47:38 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: /u01/oracle/products/access/iam/oam/server/oim-intg/ldif/ojd/schema/ojd_user_schema_add.ldif
    Apr 3, 2013 3:47:38 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: /u01/oracle/products/access/iam/oam/server/oim-intg/ldif/ojd/schema/ojd_user_index_generic.ldif
    Apr 3, 2013 3:47:39 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: /u01/oracle/products/access/iam/idmtools/templates/oud/add_oraclecontext_container.ldif
    Apr 3, 2013 3:47:39 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: /u01/oracle/products/access/iam/idmtools/templates/oud/oud_indexes_extn.ldif
    Apr 3, 2013 3:47:39 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: /u01/oracle/products/access/iam/idmtools/templates/oud/idm_idstore_groups_template.ldif
    Apr 3, 2013 3:47:39 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: /u01/oracle/products/access/iam/idmtools/templates/oud/idm_idstore_groups_acl_template.ldif
    Apr 3, 2013 3:47:39 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: /u01/oracle/products/access/iam/idmtools/templates/oud/systemid_pwdpolicy.ldif
    Apr 3, 2013 3:47:39 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: /u01/oracle/products/access/iam/idmtools/templates/oud/fa_pwdpolicy.ldif
    The tool has completed its operation. Details have been logged to automation.log
    
  3. Check the log file for any errors or warnings and correct them. The file with the name automation.log is created in the directory from where you run the tool.

Note:

In addition to creating users, idmConfigTool creates the following groups:

  • orclFAUserReadPrivilegeGroup

  • orclFAUserWritePrivilegeGroup

  • orclFAUserWritePrefsPrivilegeGroup

  • orclFAGroupReadPrivilegeGroup

  • orclFAGroupWritePrivilegeGroup

See Also:

Oracle Fusion Middleware Integration Overview for Oracle Identity Management Suite for more information about the idmConfigTool command.

10.4.4 Creating Users and Groups

You must seed the Identity Store with users and groups that are required by the Identity Management components.

To seed the Identity Store, perform the following tasks on IDMHOST1:

  1. Set MW_HOME to IAM_MW_HOME.

    Set ORACLE_HOME to IAM_ORACLE_HOME.

    Set JAVA_HOME to JAVA_HOME.

  2. Configure the Identity Store by using the command idmConfigTool, which is located at:

    IAM_ORACLE_HOME/idmtools/bin

    Note:

    When you run the idmConfigTool, it creates or appends to the file idmDomainConfig.param. This file is generated in the same directory that the idmConfigTool is run from. To ensure that each time the tool is run, the same file is appended to, always run the idmConfigTool from the directory:

    IAM_ORACLE_HOME/idmtools/bin

    The syntax of the command on Linux is:

    idmConfigTool.sh -prepareIDStore mode=MODE input_file=configfile 
    

    The value selected for MODE determines the type of users to be created. Possible values for MODE include: OAM, OIM, and WLS.

    Run the command once for each of the components that is in your topology.

    • In all topologies, when you enable single sign-on for your administrative consoles, you must ensure that there is a user in your Identity Store that has the permissions to log in to your WebLogic Administration Console and Oracle Enterprise Manager Fusion Middleware Control. Type:

      idmConfigTool.sh -prepareIDStore mode=WLS input_file=oudinternal.props
      

      Run this command first.

    • If your topology includes Access Manager, you must seed the Identity Store with users that are required by Access Manager. Type:

      idmConfigTool.sh -prepareIDStore mode=OAM input_file=oudinternal.props
      
    • If your topology includes Oracle Identity Manager, you must seed the Identity Store with the xelsysadm user and assign it to an Oracle Identity Manager administrative group. You must also create a user outside of the standard cn=Users location to be able to perform reconciliation. This user is also the user that should be used as the bind DN when connecting to directories with Oracle Virtual Directory. Type:

      idmConfigTool.sh -prepareIDStore mode=OIM input_file=oudinternal.props
      

      Note:

      This command also creates a container in your Identity Store for reservations.

    When the command runs, you are prompted to enter the password of the account you are connecting to the Identity Store with.

  3. After running each command, check the log file for any errors or warnings and correct them. The file with the name automation.log is created in the directory from where you run the tool.

See Also:

Oracle Fusion Middleware Integration Overview for Oracle Identity Management Suite for more information about the idmConfigTool command.

10.4.5 Add Missing Oracle Unified Directory Permission

This section describes a workaround for a missing permission in Oracle Unified Directory.

Create a file called add_aci.ldif with the following contents:

dn: cn=Reserve,dc=mycompany,dc=com
changetype: modify
delete: aci
aci: (version 3.0; acl "oim reserve group container acl"; allow (read,add,delete) groupdn="ldap:///cn=OIMAdministrators,cn=Groups,dc=mycompany,dc=com"; deny (all) userdn="ldap:///anyone";)
dn: cn=Reserve,dc=mycompany,dc=com
changetype: modify
add: aci
aci: (target = "ldap:///cn=Reserve,dc=mycompany,dc=com")(targetattr = "*")(version 3.0; acl "Allow OIMAdministrators Group add, read and write access to all attributes"; allow (add, read, search, compare,write, delete, import,export) (groupdn = "ldap:///cn=OIMAdministrators,cn=Groups,dc=mycompany,dc=com");)

Update Oracle Unified Directory using the command:

ldapmodify –D cn=oudadmin –h IDMHOST1.mycompany.com –p 1389 –f add_aci.ldif

10.4.6 Granting Oracle Unified Directory Change Log Access

If you are using Oracle Unified Directory and Oracle Identity Manager, you must now grant access to the changelog. You do this by performing the following steps on all OUD hosts, that is, on IDMHOST1 and IDMHOST2:

  1. On the host where OUD is running (for example, IDMHOST), create a file called mypasswordfile that contains the password you use to connect to OUD.

  2. Remove the existing change log permission by issuing the command on one of the replicated OUD hosts:

    OUD_ORACLE_INSTANCE/bin/dsconfig set-access-control-handler-prop \
    --remove global-aci:"(target=\"ldap:///cn=changelog\")(targetattr=\"*\")(version 3.0; acl \"External changelog access\"; deny (all) userdn=\"ldap:///anyone\";)" \
            --hostname OUD_HOST \
            --port OUD_ADMIN_PORT \
            --trustAll \
            --bindDN cn=oudadmin \
            --bindPasswordFile passwordfile \
            --no-prompt 
    

    For example:

    OUD_ORACLE_INSTANCE/bin/dsconfig set-access-control-handler-prop \
    --remove global-aci:"(target=\"ldap:///cn=changelog\")(targetattr=\"*\")(version 3.0; acl \"External changelog access\"; deny (all) userdn=\"ldap:///anyone\";)" \
            --hostname IDMHOST1.mycompany.com \
            --port 4444 \
            --trustAll  \
            --bindDN cn=oudadmin \
            --bindPasswordFile mypasswordfile \
            --no-prompt
    
  3. Then add the following new ACI:

    OUD_ORACLE_INSTANCE/bin/dsconfig set-access-control-handler-prop \
    --add global-aci:"(target=\"ldap:///cn=changelog\")(targetattr=\"*\")(version 3.0; acl \"External changelog access\"; allow (read,search,compare,add,write,delete,export) groupdn=\"ldap:///cn=OIMAdministrators,cn=groups,dc=mycompany,dc=com\";)" \
            --hostname OUD_HOST \
            --port OUD_ADMIN_PORT \
            --trustAll \
            --bindDN cn=oudadmin \
            --bindPasswordFile passwordfile \
            --no-prompt
    

    For example:

    OUD_ORACLE_INSTANCE/bin/dsconfig set-access-control-handler-prop \
    --add global-aci:"(target=\"ldap:///cn=changelog\")(targetattr=\"*\")(version 3.0; acl \"External changelog access\"; allow (read,search,compare,add,write,delete,export) groupdn=\"ldap:///cn=OIMAdministrators,cn=groups,dc=mycompany,dc=com\";)" \
            --hostname IDMHOST1.mycompany.com \
            --port 4444 \
            --trustAll \
            --bindDN cn=oudadmin \
            --bindPasswordFile mypasswordfile \
            --no-prompt
    
  4. Then add the following new ACI:

    OUD_ORACLE_INSTANCE/bin/dsconfig set-access-control-handler-prop \
    --add ds-cfg-global-aci: (targetcontrol=1.3.6.1.4.1.26027.1.5.4)(version 3.0; acl "OIMAdministrators control access"; allow(read) userdn="ldap:///anyone";) \
            --hostname OUD_HOST \
            --port OUD_ADMIN_PORT \
            --trustAll \
            --bindDN cn=oudadmin \
            --bindPasswordFile passwordfile \
            --no-prompt
    

    For example:

    OUD_ORACLE_INSTANCE/bin/dsconfig set-access-control-handler-prop \
    --add ds-cfg-global-aci: (targetcontrol=1.3.6.1.4.1.26027.1.5.4)(version 3.0; acl "OIMAdministrators control access"; allow(read) userdn="ldap:///anyone";) \
            --hostname IDMHOST1.mycompany.com \
            --port 4444 \
            --trustAll \
            --bindDN cn=oudadmin \
            --bindPasswordFile mypasswordfile \
            --no-prompt
    
  5. Then add the following ACI:

    OUD_ORACLE_INSTANCE/bin/dsconfig set-access-control-handler-prop \
    --add global-aci:"(target=\"ldap:///\")(targetscope=\"base\")(targetattr=\"lastExternalChangelogCookie\")(version 3.0; acl \"User-Visible lastExternalChangelog\"; allow (read,search,compare) groupdn=\"ldap:///cn=OIMAdministrators,cn=groups,dc=mycompany,dc=com\";)" \
            --hostname OUD_HOST \
            --port OUD_ADMIN_PORT \
            --trustAll \
            --bindDN cn=oudadmin \
            --bindPasswordFile passwordfile \
            --no-prompt
    

    For example:

    OUD_ORACLE_INSTANCE/bin/dsconfig set-access-control-handler-prop \
    --add global-aci:"(target=\"ldap:///\")(targetscope=\"base\")(targetattr=\"lastExternalChangelogCookie\")(version 3.0; acl \"User-Visible lastExternalChangelog\"; allow (read,search,compare) groupdn=\"ldap:///cn=OIMAdministrators,cn=groups,dc=mycompany,dc=com\";)" \
            --hostname IDMHOST1.mycompany.com \
            --port 4444 \
            --trustAll \
            --bindDN cn=oudadmin \
            --bindPasswordFile mypasswordfile \
            --no-prompt
    

10.4.7 Creating Oracle Unified Directory Indexes

When you run the idmConfigTool to prepare an Oracle Unified Directory identity store, it creates indexes for the data on the instance against which it is run. You must manually create these indexes on each of the remaining Oracle Unified Directory instances in the configuration.

To do this, on IDMHOST2, issue the following commands:

ORACLE_INSTANCE/OUD/bin/ldapmodify -h IDMHOST2.mycompany.com -Z -X -p 4444 -a -D "cn=oudadmin" -j mypasswordfile -c  -f IAM_ORACLE_HOME/oam/server/oim-intg/ldif/ojd/schema/ojd_user_index_generic.ldif
ORACLE_INSTANCE/OUD/bin/ldapmodify -h IDMHOST2.mycompany.com -Z -X -p 4444 -a -D "cn=oudadmin" -j mypasswordfile -c  -f IAM_ORACLE_HOME/idmtools/templates/oud/oud_indexes_extn.ldif

Once the indexes have been created on every IDMHOST, rebuild the indexes as follows:

  1. Shut down Oracle Unified Directory by issuing the command:

    OUD_ORACLE_INSTANCE/OUD/bin/stop-ds
    
  2. Execute the command:

    OUD_ORACLE_INSTANCE/OUD/bin/rebuild-index --rebuildAll -b "dc=mycompany,dc=com"
    
  3. Restart Oracle Unified Directory by issuing the command:

    OUD_ORACLE_INSTANCE/OUD/bin/start-ds
    

Repeat Steps 1-3 to rebuild the indexes for every IDMHOST, including the host which the idmConfigTool was run against, to maintain availability only stop the directory for which you are rebuilding the indexes.

10.4.8 Backing Up the Identity Stores

Back up your LDAP directories, as described in Section 16.6, "Backing Up the Oracle IDM Enterprise Deployment."