10 Preparing Identity Stores

This chapter describes how to prepare the Identity and Policy Stores in an Oracle Identity Management enterprise deployment.

10.1 Overview of Preparing Identity Stores

Preparing the Identity Store involves extending the schema of the directory to support Oracle Access Management Access Manager and Oracle Identity Manager, then seeding the Identity Store with system users that will be used when building the Identity Management topology.

10.2 Backing up the LDAP Directories

The procedures described in this chapter change the configuration of the LDAP directories that host the Identity Store. Before performing any of these tasks, back up your LDAP directories. Refer to WebLogic Server Managing Server Startup and Shutdown for detailed LDAP backup procedures.

10.3 Prerequisites

Before proceeding, ensure that Oracle Identity Management 11g is installed on IDMHOST1.

Note:

Be sure to verify you have obtained all required patches. For more info, see Section 2.5.3, "Applying Patches and Workarounds."

10.4 Preparing the Identity Store

This section describes how to prepare the Identity Store.

10.4.1 Overview of Preparing the Identity Store

Before you can use a directory to support Access Manager and Oracle Identity Manager, you must extend the directory schema to include the object classes those products require.

In addition to extending the directory schema, you must create a number of users. These users are used later on in the guide for such things as:

  • Accessing the directory using a dedicated user.

  • Accessing Access Manager, Oracle Identity Manager, and WebLogic after these products have offloaded authentication to an external directory.

10.4.2 Creating the Configuration File

Create a property file, oudinternal.props, to use when preparing the Identity Store. The file has the following structure:

Oracle Unified Directory Example

# Common
IDSTORE_HOST: IDMHOST1.mycompany.com
IDSTORE_PORT: 1389
IDSTORE_ADMIN_PORT: 4444
IDSTORE_KEYSTORE_FILE: OUD_ORACLE_INSTANCE/OUD/config/admin-keystore
IDSTORE_KEYSTORE_PASSWORD: Password key
IDSTORE_BINDDN: cn=oudadmin
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=mycompany,dc=com
IDSTORE_SEARCHBASE: dc=mycompany,dc=com
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_USERSEARCHBASE: cn=Users,dc=mycompany,dc=com
IDSTORE_NEW_SETUP: true
POLICYSTORE_SHARES_IDSTORE: true
# OAM
IDSTORE_OAMADMINUSER: oamadmin
IDSTORE_OAMSOFTWAREUSER: oamLDAP
OAM11G_IDSTORE_ROLE_SECURITY_ADMIN: OAMAdministrators
# OAM and OIM
IDSTORE_SYSTEMIDBASE: cn=systemids,dc=mycompany,dc=com
# OIM
IDSTORE_OIMADMINGROUP: OIMAdministrators
IDSTORE_OIMADMINUSER: oimLDAP
# WebLogic
IDSTORE_WLSADMINUSER: weblogic_idm
IDSTORE_WLSADMINGROUP: WLSAdmins

Where:

  • IDSTORE_HOST and IDSTORE_PORT are, respectively, the host and port of your Identity Store directory. Specify the back-end directory here. For Oracle Unified Directory, specify the OUD instance, for example:

    OUD: IDMHOST1 and 1389

  • IDSTORE_ADMIN_PORT is the administration port of your Oracle Unified Directory instance. If you are not using Oracle Unified Directory, you can leave out this parameter.

  • IDSTORE_KEYSTORE_FILE is the location of the Oracle Unified Directory keystore file. It is used to enable communication with Oracle Unified Directory over the Oracle Unified Directory administration port. It is called admin-keystore and is located in OUD_ORACLE_INSTANCE/OUD/config. If you are not using Oracle Unified Directory, you can leave out this parameter.

  • IDSTORE_KEYSTORE_PASSWORD is the encrypted password of the Oracle Unified Directory keystore. This value can be found in the file OUD_ORACLE_INSTANCE/OUD/config/admin-keystore.pin. If you are not using Oracle Unified Directory, you can leave out this parameter.

  • IDSTORE_BINDDN is an administrative user in the Identity Store directory.

  • IDSTORE_GROUPSEARCHBASE is the location in the directory where groups are stored.

  • IDSTORE_SEARCHBASE is the location in the directory where users and groups are stored.

  • IDSTORE_USERNAMEATTRIBUTE is the name of the directory attribute containing the user's name. Note that this is different from the login name.

  • IDSTORE_LOGINATTRIBUTE is the LDAP attribute which contains the user's login name.

  • IDSTORE_USERSEARCHBASE is the location in the directory where users are stored.

  • IDSTORE_NEW_SETUP is always set to true for Oracle Unified Directory. If you are not using OUD, you do not need to specify this attribute.

  • POLICYSTORE_SHARES_IDSTORE is set to true for IDM 11g.

  • IDSTORE_OAMADMINUSER is the name of the user you want to create as your Access Manager administrator.

  • IDSTORE_OAMSOFTWAREUSER is a user that is created in LDAP and that Access Manager uses, while running, to connect to the LDAP server.

  • OAM11G_IDSTORE_ROLE_SECURITY_ADMIN is the name of the group which is used to allow access to the OAM console.

  • IDSTORE_SYSTEMIDBASE is the location of a container in the directory where users can be placed when you do not want them in the main user container. This happens rarely, but one example is the Oracle Identity Manager reconciliation user.

  • IDSTORE_OIMADMINGROUP is the name of the group you want to create to hold your Oracle Identity Manager administrative users.

  • IDSTORE_OIMADMINUSER is the user that Oracle Identity Manager uses to connect to the Identity Store.

  • IDSTORE_WLSADMINUSER is the user name used to log in to the WebLogic domain once single sign-on is enabled for it. In the above example, weblogic_idm is used.

  • IDSTORE_WLSADMINGROUP is the name of the group to which users who are allowed to log in to the WebLogic system components, such as the WLS Console and EM, belong.

Use OIM entries only if your topology includes Oracle Identity Manager. Use OAM entries only if your topology includes Access Manager.
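A mistyped or missing key in this file only surfaces part-way through an idmConfigTool run, so it is worth checking the file first. The following script is an added example (not part of the Oracle guide or of idmConfigTool): it parses a property file in the format above, reports the keys a given mode needs that are missing or empty, and flags user, group and system-id containers that do not lie under IDSTORE_SEARCHBASE. The key names follow the tool's IDSTORE_-prefixed convention; which keys each mode requires is an assumption based on the "# OAM", "# OIM" and "# WebLogic" groupings of the example file.

```shell
# Added example (not part of the Oracle guide or of idmConfigTool): sanity-check a
# property file in the format above before running the tool. Which keys each mode
# needs is an assumption taken from the "# OAM", "# OIM" and "# WebLogic" groupings.
# get_prop FILE KEY: print the value of KEY (accepts "KEY: v" and "KEY : v").
get_prop() {
  awk -v k="$2" -F: '$1 ~ ("^[ \t]*" k "[ \t]*$") {
    sub(/^[^:]*:[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit }' "$1"
}

# required_keys MODE: list the keys a -prepareIDStore run in MODE needs.
required_keys() {
  echo IDSTORE_HOST IDSTORE_PORT IDSTORE_BINDDN IDSTORE_SEARCHBASE \
       IDSTORE_USERSEARCHBASE IDSTORE_GROUPSEARCHBASE
  case $1 in
    WLS) echo IDSTORE_WLSADMINUSER IDSTORE_WLSADMINGROUP ;;
    OAM) echo IDSTORE_OAMADMINUSER IDSTORE_OAMSOFTWAREUSER \
              OAM11G_IDSTORE_ROLE_SECURITY_ADMIN IDSTORE_SYSTEMIDBASE ;;
    OIM) echo IDSTORE_OIMADMINUSER IDSTORE_OIMADMINGROUP IDSTORE_SYSTEMIDBASE ;;
    *)   return 1 ;;
  esac
}

# check_props FILE MODE: report missing/empty keys and containers that are not
# under IDSTORE_SEARCHBASE; returns 0 only when every check passes.
check_props() {
  f=$1; rc=0
  keys=$(required_keys "$2") || { echo "unknown mode: $2" >&2; return 2; }
  for k in $keys; do
    [ -n "$(get_prop "$f" "$k")" ] || { echo "missing or empty: $k"; rc=1; }
  done
  base=$(get_prop "$f" IDSTORE_SEARCHBASE)
  [ -n "$base" ] || return $rc
  for k in IDSTORE_USERSEARCHBASE IDSTORE_GROUPSEARCHBASE IDSTORE_SYSTEMIDBASE; do
    v=$(get_prop "$f" "$k")
    case $v in
      ""|*",$base") ;;   # absent (reported above if required) or under base
      *) echo "$k ($v) is not under IDSTORE_SEARCHBASE ($base)"; rc=1 ;;
    esac
  done
  return $rc
}

# write_sample FILE: constructed file with the common and WebLogic keys only,
# so mode WLS passes while OAM and OIM report their missing keys.
write_sample() {
  cat > "$1" <<'EOF'
IDSTORE_HOST: IDMHOST1.mycompany.com
IDSTORE_PORT: 1389
IDSTORE_BINDDN: cn=oudadmin
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=mycompany,dc=com
IDSTORE_SEARCHBASE: dc=mycompany,dc=com
IDSTORE_USERSEARCHBASE: cn=Users,dc=mycompany,dc=com
IDSTORE_WLSADMINUSER : weblogic_idm
IDSTORE_WLSADMINGROUP : WLSAdmins
EOF
}

f=${TMPDIR:-/tmp}/oudinternal.sample.$$; write_sample "$f"
for m in WLS OAM OIM; do check_props "$f" "$m" && echo "$m: ready"; done; rm -f "$f"
```

Run it as `check_props oudinternal.props OIM` (and again for each other mode in your topology) before each -prepareIDStore invocation.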

10.4.3 Configuring Oracle Unified Directory for Use with Oracle Access Manager and Oracle Identity Manager

This section explains how to configure Oracle Unified Directory for use with Oracle Access Manager and Oracle Identity Manager.

Pre-configuring the Identity Store extends the schema in Oracle Unified Directory.

Note:

You do not need to preconfigure the Identity Store unless you are using Access Manager or Oracle Identity Manager.

To do this, perform the following tasks on IDMHOST1:

  1. Set MW_HOME to IAM_MW_HOME.

    Set ORACLE_HOME to IAM_ORACLE_HOME.

    Set JAVA_HOME to JAVA_HOME.

  2. Configure the Identity Store by using the command idmConfigTool, which is located at:

    IAM_ORACLE_HOME/idmtools/bin

    Note:

    When you run the idmConfigTool, it creates or appends to the file idmDomainConfig.param. This file is generated in the same directory that the idmConfigTool is run from. To ensure that each time the tool is run, the same file is appended to, always run the idmConfigTool from the directory:

    IAM_ORACLE_HOME/idmtools/bin

    idmConfigTool.sh -preConfigIDStore input_file=configfile

    For example:

    idmConfigTool.sh -preConfigIDStore input_file=oudinternal.props

    When the command runs, you are prompted to enter the password of the account you are connecting to the Identity Store with. This command might take some time to complete.

    Sample command output:

    Enter ID Store Bind DN password:
    Apr 3, 2013 3:47:37 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: /u01/oracle/products/access/iam/idmtools/templates/oud/oud_schema_extn.ldif
    Apr 3, 2013 3:47:38 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: /u01/oracle/products/access/iam/oam/server/oim-intg/ldif/ojd/schema/ojd_oam_pwd_schema_add.ldif
    Apr 3, 2013 3:47:38 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: /u01/oracle/products/access/iam/oam/server/oim-intg/ldif/ojd/schema/ojd_user_schema_add.ldif
    Apr 3, 2013 3:47:38 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: /u01/oracle/products/access/iam/oam/server/oim-intg/ldif/ojd/schema/ojd_user_index_generic.ldif
    Apr 3, 2013 3:47:39 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: /u01/oracle/products/access/iam/idmtools/templates/oud/add_oraclecontext_container.ldif
    Apr 3, 2013 3:47:39 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: /u01/oracle/products/access/iam/idmtools/templates/oud/oud_indexes_extn.ldif
    Apr 3, 2013 3:47:39 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: /u01/oracle/products/access/iam/idmtools/templates/oud/idm_idstore_groups_template.ldif
    Apr 3, 2013 3:47:39 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: /u01/oracle/products/access/iam/idmtools/templates/oud/idm_idstore_groups_acl_template.ldif
    Apr 3, 2013 3:47:39 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: /u01/oracle/products/access/iam/idmtools/templates/oud/systemid_pwdpolicy.ldif
    Apr 3, 2013 3:47:39 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: /u01/oracle/products/access/iam/idmtools/templates/oud/fa_pwdpolicy.ldif
    The tool has completed its operation. Details have been logged to automation.log
    
  3. Check the log file for any errors or warnings and correct them. The file with the name automation.log is created in the directory from where you run the tool.

Note:

In addition to creating users, idmConfigTool creates the following groups:

  • orclFAUserReadPrivilegeGroup

  • orclFAUserWritePrivilegeGroup

  • orclFAUserWritePrefsPrivilegeGroup

  • orclFAGroupReadPrivilegeGroup

  • orclFAGroupWritePrivilegeGroup

See Also:

Oracle Fusion Middleware Integration Overview for Oracle Identity Management Suite for more information about the idmConfigTool command.

10.4.4 Creating Users and Groups

You must seed the Identity Store with users and groups that are required by the Identity Management components.

To seed the Identity Store, perform the following tasks on IDMHOST1:

  1. Set MW_HOME to IAM_MW_HOME.

    Set ORACLE_HOME to IAM_ORACLE_HOME.

    Set JAVA_HOME to JAVA_HOME.

  2. Configure the Identity Store by using the command idmConfigTool, which is located at:

    IAM_ORACLE_HOME/idmtools/bin

    Note:

    When you run the idmConfigTool, it creates or appends to the file idmDomainConfig.param. This file is generated in the same directory that the idmConfigTool is run from. To ensure that each time the tool is run, the same file is appended to, always run the idmConfigTool from the directory:

    IAM_ORACLE_HOME/idmtools/bin

    The syntax of the command on Linux is:

    idmConfigTool.sh -prepareIDStore mode=MODE input_file=configfile

    The value selected for MODE determines the type of users to be created. Possible values for MODE include: OAM, OIM, and WLS.

    Run the command once for each of the components that is in your topology.

    • In all topologies, when you enable single sign-on for your administrative consoles, you must ensure that there is a user in your Identity Store that has the permissions to log in to your WebLogic Administration Console and Oracle Enterprise Manager Fusion Middleware Control. Type:

      idmConfigTool.sh -prepareIDStore mode=WLS input_file=oudinternal.props
      

      Run this command first.

    • If your topology includes Access Manager, you must seed the Identity Store with users that are required by Access Manager. Type:

      idmConfigTool.sh -prepareIDStore mode=OAM input_file=oudinternal.props
      
    • If your topology includes Oracle Identity Manager, you must seed the Identity Store with the xelsysadm user and assign it to an Oracle Identity Manager administrative group. You must also create a user outside of the standard cn=Users location to be able to perform reconciliation. This user is also the user that should be used as the bind DN when connecting to directories with Oracle Virtual Directory. Type:

      idmConfigTool.sh -prepareIDStore mode=OIM input_file=oudinternal.props
      

      Note:

      This command also creates a container in your Identity Store for reservations.

    When the command runs, you are prompted to enter the password of the account you are connecting to the Identity Store with.

  3. After running each command, check the log file for any errors or warnings and correct them. The file with the name automation.log is created in the directory from where you run the tool.

See Also:

Oracle Fusion Middleware Integration Overview for Oracle Identity Management Suite for more information about the idmConfigTool command.

10.4.5 Add Missing Oracle Unified Directory Permission

This section describes a workaround for a missing permission in Oracle Unified Directory.

Create a file called add_aci.ldif with the following contents (the two change records must be separated by a blank line so that ldapmodify treats them as separate operations):

dn: cn=Reserve,dc=mycompany,dc=com
changetype: modify
delete: aci
aci: (version 3.0; acl "oim reserve group container acl"; allow (read,add,delete) groupdn="ldap:///cn=OIMAdministrators,cn=Groups,dc=mycompany,dc=com"; deny (all) userdn="ldap:///anyone";)

dn: cn=Reserve,dc=mycompany,dc=com
changetype: modify
add: aci
aci: (target = "ldap:///cn=Reserve,dc=mycompany,dc=com")(targetattr = "*")(version 3.0; acl "Allow OIMAdministrators Group add, read and write access to all attributes"; allow (add, read, search, compare,write, delete, import,export) (groupdn = "ldap:///cn=OIMAdministrators,cn=Groups,dc=mycompany,dc=com");)

Update Oracle Unified Directory using the command:

ldapmodify -D cn=oudadmin -h IDMHOST1.mycompany.com -p 1389 -f add_aci.ldif

10.4.6 Granting Oracle Unified Directory Change Log Access

If you are using Oracle Unified Directory and Oracle Identity Manager, you must now grant access to the changelog. You do this by performing the following steps on all OUD hosts, that is, on IDMHOST1 and IDMHOST2:

  1. On the host where OUD is running (for example, IDMHOST1), create a file called mypasswordfile that contains the password you use to connect to OUD.

  2. Remove the existing change log permission by issuing the command on one of the replicated OUD hosts:

    OUD_ORACLE_INSTANCE/bin/dsconfig set-access-control-handler-prop \
    --remove global-aci:"(target=\"ldap:///cn=changelog\")(targetattr=\"*\")(version 3.0; acl \"External changelog access\"; deny (all) userdn=\"ldap:///anyone\";)" \
            --hostname OUD_HOST \
            --port OUD_ADMIN_PORT \
            --trustAll \
            --bindDN cn=oudadmin \
            --bindPasswordFile passwordfile \
            --no-prompt 
    

    For example:

    OUD_ORACLE_INSTANCE/bin/dsconfig set-access-control-handler-prop \
    --remove global-aci:"(target=\"ldap:///cn=changelog\")(targetattr=\"*\")(version 3.0; acl \"External changelog access\"; deny (all) userdn=\"ldap:///anyone\";)" \
            --hostname IDMHOST1.mycompany.com \
            --port 4444 \
            --trustAll  \
            --bindDN cn=oudadmin \
            --bindPasswordFile mypasswordfile \
            --no-prompt
    
  3. Then add the following new ACI:

    OUD_ORACLE_INSTANCE/bin/dsconfig set-access-control-handler-prop \
    --add global-aci:"(target=\"ldap:///cn=changelog\")(targetattr=\"*\")(version 3.0; acl \"External changelog access\"; allow (read,search,compare,add,write,delete,export) groupdn=\"ldap:///cn=OIMAdministrators,cn=groups,dc=mycompany,dc=com\";)" \
            --hostname OUD_HOST \
            --port OUD_ADMIN_PORT \
            --trustAll \
            --bindDN cn=oudadmin \
            --bindPasswordFile passwordfile \
            --no-prompt
    

    For example:

    OUD_ORACLE_INSTANCE/bin/dsconfig set-access-control-handler-prop \
    --add global-aci:"(target=\"ldap:///cn=changelog\")(targetattr=\"*\")(version 3.0; acl \"External changelog access\"; allow (read,search,compare,add,write,delete,export) groupdn=\"ldap:///cn=OIMAdministrators,cn=groups,dc=mycompany,dc=com\";)" \
            --hostname IDMHOST1.mycompany.com \
            --port 4444 \
            --trustAll \
            --bindDN cn=oudadmin \
            --bindPasswordFile mypasswordfile \
            --no-prompt
    
  4. Then add the following new ACI:

    OUD_ORACLE_INSTANCE/bin/dsconfig set-access-control-handler-prop \
    --add global-aci:"(targetcontrol=1.3.6.1.4.1.26027.1.5.4)(version 3.0; acl \"OIMAdministrators control access\"; allow(read) userdn=\"ldap:///anyone\";)" \
            --hostname OUD_HOST \
            --port OUD_ADMIN_PORT \
            --trustAll \
            --bindDN cn=oudadmin \
            --bindPasswordFile passwordfile \
            --no-prompt

    For example:

    OUD_ORACLE_INSTANCE/bin/dsconfig set-access-control-handler-prop \
    --add global-aci:"(targetcontrol=1.3.6.1.4.1.26027.1.5.4)(version 3.0; acl \"OIMAdministrators control access\"; allow(read) userdn=\"ldap:///anyone\";)" \
            --hostname IDMHOST1.mycompany.com \
            --port 4444 \
            --trustAll \
            --bindDN cn=oudadmin \
            --bindPasswordFile mypasswordfile \
            --no-prompt
  5. Then add the following ACI:

    OUD_ORACLE_INSTANCE/bin/dsconfig set-access-control-handler-prop \
    --add global-aci:"(target=\"ldap:///\")(targetscope=\"base\")(targetattr=\"lastExternalChangelogCookie\")(version 3.0; acl \"User-Visible lastExternalChangelog\"; allow (read,search,compare) groupdn=\"ldap:///cn=OIMAdministrators,cn=groups,dc=mycompany,dc=com\";)" \
            --hostname OUD_HOST \
            --port OUD_ADMIN_PORT \
            --trustAll \
            --bindDN cn=oudadmin \
            --bindPasswordFile passwordfile \
            --no-prompt
    

    For example:

    OUD_ORACLE_INSTANCE/bin/dsconfig set-access-control-handler-prop \
    --add global-aci:"(target=\"ldap:///\")(targetscope=\"base\")(targetattr=\"lastExternalChangelogCookie\")(version 3.0; acl \"User-Visible lastExternalChangelog\"; allow (read,search,compare) groupdn=\"ldap:///cn=OIMAdministrators,cn=groups,dc=mycompany,dc=com\";)" \
            --hostname IDMHOST1.mycompany.com \
            --port 4444 \
            --trustAll \
            --bindDN cn=oudadmin \
            --bindPasswordFile mypasswordfile \
            --no-prompt
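Global ACIs are held in each server's own configuration rather than replicated, which is why the steps above are repeated on every OUD host; a quick per-host audit confirms that the change actually landed. The following script is an added example (not from the guide): it unwraps an LDIF export of the access control handler entry and reports whether the deny-all changelog ACI is still present and whether the OIMAdministrators allow ACI exists. The ldapsearch invocation in the comment and the sample exports are assumptions constructed for the demo.

```shell
# Added example, not from the guide: audit the global ACIs exported from one OUD
# host and report whether the cn=changelog change described above is in place.
# Global ACIs live in cn=config and are not replicated, so run this per host.
# Assumed export command (LDIF on stdout, long values wrapped by ldapsearch):
#   ldapsearch -h HOST -p 4444 -Z -X -D cn=oudadmin -j mypasswordfile \
#     -b "cn=Access Control Handler,cn=config" -s base "(objectclass=*)" ds-cfg-global-aci

# unwrap_ldif: join LDIF continuation lines (leading space) onto their line.
unwrap_ldif() {
  awk '/^ / { printf "%s", substr($0, 2); next }
       NR > 1 { printf "\n" }
       { printf "%s", $0 }
       END { if (NR) printf "\n" }'
}

# changelog_acis FILE: print the unwrapped global ACIs that target cn=changelog.
changelog_acis() {
  unwrap_ldif < "$1" | sed -n 's/^ds-cfg-global-aci: //p' | grep -F 'ldap:///cn=changelog'
}

# audit_changelog_aci FILE: 0 when the deny-all ACI is gone and the
# OIMAdministrators allow ACI is present; otherwise print findings and return 1.
audit_changelog_aci() {
  acis=$(changelog_acis "$1" || true); rc=0
  if printf '%s\n' "$acis" | grep -q 'deny (all) userdn="ldap:///anyone"'; then
    echo "deny-all changelog ACI still present: step 2 not applied"; rc=1
  fi
  if ! printf '%s\n' "$acis" | grep -q 'allow (read,search,compare,add,write,delete,export) groupdn="ldap:///cn=OIMAdministrators,'; then
    echo "OIMAdministrators changelog ACI missing: step 3 not applied"; rc=1
  fi
  return $rc
}

# Constructed exports for the demo: the same host before and after the change.
write_before() {
  cat > "$1" <<'EOF'
dn: cn=Access Control Handler,cn=config
ds-cfg-global-aci: (target="ldap:///cn=changelog")(targetattr="*")(version 3.0
 ; acl "External changelog access"; deny (all) userdn="ldap:///anyone";)
EOF
}
write_after() {
  cat > "$1" <<'EOF'
dn: cn=Access Control Handler,cn=config
ds-cfg-global-aci: (target="ldap:///cn=changelog")(targetattr="*")(version 3.0
 ; acl "External changelog access"; allow (read,search,compare,add,write,delete,
 export) groupdn="ldap:///cn=OIMAdministrators,cn=groups,dc=mycompany,dc=com";)
ds-cfg-global-aci: (targetcontrol=1.3.6.1.4.1.26027.1.5.4)(version 3.0; acl "OIMAdministrators control access"; allow(read) userdn="ldap:///anyone";)
EOF
}

for state in before after; do
  f=${TMPDIR:-/tmp}/global-aci.$state.$$; write_$state "$f"
  audit_changelog_aci "$f" && echo "$state: changelog ACIs OK"; rm -f "$f"
done
```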
    

10.4.7 Creating Oracle Unified Directory Indexes

When you run the idmConfigTool to prepare an Oracle Unified Directory identity store, it creates indexes for the data on the instance against which it is run. You must manually create these indexes on each of the remaining Oracle Unified Directory instances in the configuration.

To do this, on IDMHOST2, issue the following commands:

OUD_ORACLE_INSTANCE/OUD/bin/ldapmodify -h IDMHOST2.mycompany.com -Z -X -p 4444 -a -D "cn=oudadmin" -j mypasswordfile -c -f IAM_ORACLE_HOME/oam/server/oim-intg/ldif/ojd/schema/ojd_user_index_generic.ldif
OUD_ORACLE_INSTANCE/OUD/bin/ldapmodify -h IDMHOST2.mycompany.com -Z -X -p 4444 -a -D "cn=oudadmin" -j mypasswordfile -c -f IAM_ORACLE_HOME/idmtools/templates/oud/oud_indexes_extn.ldif

Once the indexes have been created on every IDMHOST, rebuild the indexes as follows:

  1. Shut down Oracle Unified Directory by issuing the command:

    OUD_ORACLE_INSTANCE/OUD/bin/stop-ds
    
  2. Execute the command:

    OUD_ORACLE_INSTANCE/OUD/bin/rebuild-index --rebuildAll -b "dc=mycompany,dc=com"
    
  3. Restart Oracle Unified Directory by issuing the command:

    OUD_ORACLE_INSTANCE/OUD/bin/start-ds
    

Repeat Steps 1-3 to rebuild the indexes on every IDMHOST, including the host against which the idmConfigTool was run. To maintain availability, stop only the directory instance whose indexes you are rebuilding.

10.4.8 Backing Up the Identity Stores

Back up your LDAP directories, as described in Section 16.6, "Backing Up the Oracle IDM Enterprise Deployment."