Oracle® Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management (Oracle Fusion Applications Edition)
11g Release 1 (11.1.3)

Part Number E21032-07

11 Preparing Identity and Policy Stores

This chapter describes how to prepare the Identity and Policy Stores in an Oracle Identity Management enterprise deployment.

It contains the following sections:

11.1 Overview of Preparing Identity and Policy Stores

To prepare the Policy Store, you create a JPS Root context in the Policy Store directory and add the users and groups required to access the Policy Store. You also reassociate the domain's internal Policy Store to use the external LDAP Policy Store.

To prepare the Identity Store, you extend the schema in Oracle Internet Directory, create ACLs in non-OID directories, and update the Oracle Virtual Directory adapters.

11.2 Backing up the LDAP Directories

The procedures described in this chapter change the configuration of the LDAP directories that host the Identity and Policy Stores. Before performing any of these tasks, back up your LDAP directories. See Section 9.8, "Backing up the Oracle Internet Directory Configuration" and Section 12.8, "Backing Up the Oracle Virtual Directory Configuration" for more information.

11.3 Prerequisites

Before proceeding, ensure that the following statements are true:

11.4 Preparing the OPSS Policy Store

This section describes how to prepare the Oracle Platform Security Services Policy Store.

It contains the following topics:

Before you can use the Policy Store, you must prepare it. This involves creating a JPS Root context, and users and groups required to access the Policy Store, in the Policy Store directory. It also reassociates the domain's internal Policy Store to use the external LDAP Policy Store.

11.4.1 Creating Policy Store Users and the Policy Container

Perform the following tasks on IDMHOST1:

  1. Set the environment variables: MW_HOME, JAVA_HOME, IDM_HOME, and ORACLE_HOME.

    Set IDM_HOME to IDM_ORACLE_HOME

    Set ORACLE_HOME to IAM_ORACLE_HOME

    Set MW_HOME to MW_HOME.

    Set JAVA_HOME to MW_HOME/jrockit-version.

  2. Create a properties file, called policystore.props with the following contents:

    POLICYSTORE_HOST: policystore.mycompany.com
    POLICYSTORE_PORT: 389
    POLICYSTORE_BINDDN: cn=orcladmin
    POLICYSTORE_READONLYUSER: PolicyROUser
    POLICYSTORE_READWRITEUSER: PolicyRWUser
    POLICYSTORE_SEARCHBASE: dc=mycompany,dc=com
    POLICYSTORE_CONTAINER: cn=jpsroot
    

    Where:

    • POLICYSTORE_HOST and POLICYSTORE_PORT are, respectively, the host and port of your Policy Store directory.

    • POLICYSTORE_BINDDN is an administrative user in the Policy Store directory.

    • POLICYSTORE_READONLYUSER and POLICYSTORE_READWRITEUSER are the names of Users you want to create in the Policy Store with Read Only and Read/Write privileges.

    • POLICYSTORE_SEARCHBASE is the location in the directory where Users and Groups are stored.

    • POLICYSTORE_CONTAINER is the name of the container used for OPSS policy information.

    After creating the groups, the tool adds POLICYSTORE_READONLYUSER as a member of OrclPolicyAndCredentialReadPrivilegeGroup and POLICYSTORE_READWRITEUSER as a member of OrclPolicyAndCredentialWritePrivilegeGroup.

  3. Configure the Policy Store using the command idmConfigTool which is located at:

    IAM_ORACLE_HOME/idmtools/bin

    Note:

    When you run the idmConfigTool, it creates or appends to the file idmDomainConfig.param. This file is generated in the same directory that the idmConfigTool is run from. To ensure that each time the tool is run, the same file is appended to, always run the idmConfigTool from the directory:

    IAM_ORACLE_HOME/idmtools/bin

    The syntax of the command on Linux is:

    idmConfigTool.sh -configPolicyStore input_file=configfile
    

    The syntax on Windows is:

    idmConfigTool.bat -configPolicyStore input_file=configfile
    

    For example:

    idmConfigTool.sh -configPolicyStore input_file=policystore.props
    

    When the command runs you are prompted to enter the password of the account you are connecting to the Policy Store with. You are also asked to specify the passwords you want to assign to the accounts:

    • POLICYSTORE_READONLYUSER

    • POLICYSTORE_READWRITEUSER

    Sample command output:

    Enter Policy Store Bind DN password: 
    *** Creation of PolicyROUser ***
    Apr 5, 2011 4:23:49 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: 
     /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/policystore_user.ldif
    Enter User Password for PolicyROUser: 
    Confirm User Password for PolicyROUser: 
    *** Creation of PolicyRWUser ***
    Apr 5, 2011 4:23:58 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: 
     /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/policystore_user.ldif
    Enter User Password for PolicyRWUser: 
    Confirm User Password for PolicyRWUser: 
    Apr 5, 2011 4:24:07 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: 
     /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/policystore_group.ldif
    Apr 5, 2011 4:24:07 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: 
     /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/policystore_container.ldif
    Apr 5, 2011 4:24:07 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: 
     /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/policystore_group_read_member.ldif
    Apr 5, 2011 4:24:07 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: 
     /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/policystore_group_write_member.ldif
    Apr 5, 2011 4:24:07 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: 
     /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/policystore_tuning.ldif
    Apr 5, 2011 4:24:07 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: 
     /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/oid_schemaadmin.ldif
    Apr 5, 2011 4:24:07 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: 
     /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/policystore_user_aci.ldif
    The tool has completed its operation. Details have been logged to /home/oracle/idmtools/automation.log
    Apr 5, 2011 4:24:07 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: 
     /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/policystore_user_priv.ldif
    
  4. Check the log file for any errors or warnings and correct them. The file, named automation.log, is created in the directory from which you run the tool.

See Also:

Oracle Fusion Middleware Integration Overview for Oracle Identity Management Suite for more information about the idmConfigTool command.

11.4.2 Reassociating the Policy and Credential Store

To reassociate the policy and credential store with Oracle Internet Directory, use the WLST reassociateSecurityStore command. Follow these steps:

  1. From IDMHOST1, start the wlst shell from the ORACLE_COMMON_HOME/common/bin directory. For example, on Linux and UNIX-based systems, you would type:

    ./wlst.sh
    

    On Windows you would type:

    ./wlst.cmd
    
  2. Connect to the WebLogic Administration Server using the following wlst connect command.

    connect("AdminUser","AdminUserPassword","t3://hostname:port")
    

    For example:

    connect("weblogic","admin_password","t3://ADMINVHN.mycompany.com:7001")
    
  3. Run the reassociateSecurityStore command as follows:

    Syntax:

    reassociateSecurityStore(domain="domainName",admin="cn=orcladmin",
    password="orclPassword",ldapurl="ldap://LDAPHOST:LDAPPORT",servertype="OID",
    jpsroot="cn=jpsRootContainer")
    

    Note:

    The admin value is the DN of the LDAP administrator, that is, the user that has administrative level privileges to the Oracle Internet Directory instance that is used as the Policy Store.

    For example:

    reassociateSecurityStore(domain="IDMDomain",admin="cn=orcladmin", password="password",
    ldapurl="ldap://policystore.mycompany.com:389",servertype="OID",
    jpsroot="cn=jpsroot")
    

    The output for the command is as follows:

    Location changed to domainRuntime tree. This is a read-only tree with DomainMBean as the root.
    For more help, use help(domainRuntime)
     
    Starting policy store reassociation.
    The store and ServiceConfigurator setup done.
    Schema is seeded into the store
    Data is migrated to the store. Check logs for any failures or warnings during migration.
    Data in the store after migration has been tested to be available
    Update of in-memory jps configuration is done
    Policy store reassociation done.
    Starting credential store reassociation
    The store and ServiceConfigurator setup done.
    Schema is seeded into the store
    Data is migrated to the store. Check logs for any failures or warnings during migration.
    Data in the store after migration has been tested to be available
    Update of in-memory jps configuration is done
    Audit store reassociation done
    Starting audit store reassociation
    The store and ServiceConfigurator setup done.
    Schema is seeded into the store
    Data is migrated to the store. Check logs for any failures or warnings during migration.
    Data in the store after migration has been tested to be available
    Update of in-memory jps configuration is done
    Audit store reassociation done
    Jps Configuration has been changed. Please restart the application server.
    
  4. Restart the WebLogic Administration Server, as described in Section 21.1, "Starting and Stopping Oracle Identity Management Components," after the command completes successfully.

11.4.3 Associate OIMDomain with Policy and Credential Store

In Section 11.4.2, "Reassociating the Policy and Credential Store," you reassociated the Policy and Credential Store used by IDMDomain with Oracle Internet Directory. In a split domain, you must also associate the second domain with the same policy store. To do this, proceed as follows:

  1. From OIMHOST1, start the wlst shell from the ORACLE_COMMON_HOME/common/bin directory. For example, on Linux and UNIX-based systems, you would type:

    ./wlst.sh
    

    On Windows you would type:

    ./wlst.cmd
    
  2. Connect to the WebLogic Administration Server using the following wlst connect command:

    connect("AdminUser","AdminUserPassword","t3://hostname:port")
    

    For example:

    connect("weblogic","admin_password","t3://OIMADMINVHN.mycompany.com:7001")
    
  3. Run the reassociateSecurityStore command, which has the following syntax:

    reassociateSecurityStore(domain="domainName",admin="LDAPadminDN",
    password="orclPassword",ldapurl="ldap://LDAPHOST:LDAPPORT",servertype="OID",
    jpsroot="cn=jpsRootContainer",join="true")
    

    The admin value is the DN of the LDAP administrator, that is, the user that has administrative level privileges to the Oracle Internet Directory instance that is used as the Policy Store.

    For example:

    reassociateSecurityStore(domain="IDMDomain",admin="cn=orcladmin",password="password",
    ldapurl="ldap://policystore.mycompany.com:389",servertype="OID",
    jpsroot="cn=jpsroot",join="true")
    

    The domain name specified in this invocation of the command must be the same as the domain name used during the first reassociate command.

  4. Restart the WebLogic Administration Server, as described in Section 21.1, "Starting and Stopping Oracle Identity Management Components."

11.5 Preparing the Identity Store

This section describes how to prepare the Identity Store. It contains the following topics:

11.5.1 Creating the Configuration File

Use the following file, idstore.props, to create the Identity Store:

# Common
IDSTORE_BINDDN: cn=orcladmin
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=mycompany,dc=com
IDSTORE_HOST: oidhost1.mycompany.com
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_PORT: 3060
IDSTORE_SEARCHBASE: dc=mycompany,dc=com
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_USERSEARCHBASE: cn=Users,dc=mycompany,dc=com
POLICYSTORE_SHARES_IDSTORE: true
# OAM
IDSTORE_OAMADMINUSER: oamadmin
IDSTORE_OAMSOFTWAREUSER: oamLDAP
OAM11G_IDSTORE_ROLE_SECURITY_ADMIN: OAMAdministrators
# OAM and OIM
IDSTORE_SYSTEMIDBASE: cn=systemids,dc=mycompany,dc=com
# OIM
IDSTORE_OIMADMINGROUP: OIMAdministrators
IDSTORE_OIMADMINUSER: oimLDAP

Where:

  • IDSTORE_BINDDN is an administrative user in the Identity Store directory.

  • IDSTORE_GROUPSEARCHBASE is the location in the directory where Groups are stored.

  • IDSTORE_HOST and IDSTORE_PORT are, respectively, the host and port of your Identity Store directory. Specify the back end directory here, rather than OVD. In the case of OID, specify one of the Oracle Internet Directory instances.

  • IDSTORE_LOGINATTRIBUTE is the LDAP attribute that contains the user's login name.

  • IDSTORE_OAMADMINUSER is the name of the user you want to create as your Oracle Access Manager Administrator.

  • IDSTORE_OAMSOFTWAREUSER is a user, created in LDAP, that Oracle Access Manager uses at run time to connect to the LDAP server.

  • IDSTORE_OIMADMINGROUP is the name of the group you want to create to hold your Oracle Identity Manager administrative users.

  • IDSTORE_OIMADMINUSER is the user that Oracle Identity Manager uses to connect to the Identity store.

  • IDSTORE_READONLYUSER is the name of a user you want to create which has Read Only permissions on your Identity Store.

  • IDSTORE_READWRITEUSER is the name of a user you want to create which has Read/Write permissions on your Identity Store.

  • IDSTORE_SUPERUSER is the name of the administration user you want to use to log in to the WebLogic Administration Console in the Oracle Fusion Applications domain.

  • IDSTORE_SEARCHBASE is the location in the directory where Users and Groups are stored.

  • IDSTORE_SYSTEMIDBASE is the location of a container in the directory where users can be placed when you do not want them in the main user container. This happens rarely but one example is the Oracle Identity Manager reconciliation user which is also used for the bind DN user in Oracle Virtual Directory adapters.

  • IDSTORE_USERSEARCHBASE is the location in the directory where Users are stored.

  • OAM11G_IDSTORE_ROLE_SECURITY_ADMIN is the name of the group which is used to allow access to the OAM console.

  • POLICYSTORE_SHARES_IDSTORE is set to true if your Policy and Identity Stores are in the same directory (regardless of whether you front the directory with Oracle Virtual Directory). If your Policy and Identity Stores are not in the same directory, set it to false.
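An added pre-flight check for the two properties files in this chapter (idstore.props above and policystore.props from Section 11.4.1). This is my own example, not part of the Oracle tooling: it parses the KEY: value format and flags the mistakes idmConfigTool only surfaces after it has connected to the directory, in particular a container whose suffix does not match the search base. The key lists, DN syntax and port range are assumptions drawn from the sample files on this page.

```python
import re

# Keys each idmConfigTool mode needs, taken from the sample files in this chapter
# (policystore.props for -configPolicyStore, idstore.props for -preConfigIDStore).
REQUIRED = {
    "POLICYSTORE": ["POLICYSTORE_HOST", "POLICYSTORE_PORT", "POLICYSTORE_BINDDN",
                    "POLICYSTORE_READONLYUSER", "POLICYSTORE_READWRITEUSER",
                    "POLICYSTORE_SEARCHBASE", "POLICYSTORE_CONTAINER"],
    "IDSTORE": ["IDSTORE_HOST", "IDSTORE_PORT", "IDSTORE_BINDDN", "IDSTORE_SEARCHBASE",
                "IDSTORE_USERSEARCHBASE", "IDSTORE_GROUPSEARCHBASE", "IDSTORE_LOGINATTRIBUTE",
                "IDSTORE_USERNAMEATTRIBUTE", "POLICYSTORE_SHARES_IDSTORE"],
}
# Values that must be LDAP DNs (checked whenever present) ...
DN_KEYS = ("POLICYSTORE_BINDDN", "POLICYSTORE_SEARCHBASE", "POLICYSTORE_CONTAINER",
           "IDSTORE_BINDDN", "IDSTORE_SEARCHBASE", "IDSTORE_USERSEARCHBASE",
           "IDSTORE_GROUPSEARCHBASE", "IDSTORE_SYSTEMIDBASE")
# ... and containers that must lie beneath IDSTORE_SEARCHBASE.
UNDER_BASE = ("IDSTORE_USERSEARCHBASE", "IDSTORE_GROUPSEARCHBASE", "IDSTORE_SYSTEMIDBASE")
# Relaxed DN syntax: one or more attr=value RDNs separated by commas.
_RDN = r"[A-Za-z][A-Za-z0-9-]*=[^,]+"
_DN_RE = re.compile(rf"^{_RDN}(\s*,\s*{_RDN})*$")


def parse_props(text):
    """Parse 'KEY: value' lines. '#' lines are comments; blank lines are skipped."""
    props = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")   # split on the first colon only
        key = key.strip()
        if not sep or not key:
            raise ValueError(f"line {lineno}: expected 'KEY: value', got {raw!r}")
        if key in props:
            raise ValueError(f"line {lineno}: duplicate key {key}")
        props[key] = value.strip()
    return props


def _dn_parts(dn):
    """Split a DN into RDNs normalised for a case- and space-insensitive compare."""
    return [p.strip().lower() for p in dn.split(",")]


def check_props(props, store):
    """Return the problems found for store 'POLICYSTORE' or 'IDSTORE' (empty = OK)."""
    problems = []
    for key in REQUIRED[store]:
        if not props.get(key):
            problems.append(f"missing required key {key}")
    port = props.get(f"{store}_PORT", "")
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        problems.append(f"{store}_PORT must be a TCP port, got {port!r}")
    for key in DN_KEYS:
        if key in props and not _DN_RE.match(props[key]):
            problems.append(f"{key} is not a valid DN: {props[key]!r}")
    # A misspelled suffix (dc=mycomapny instead of dc=mycompany) is the classic
    # mistake: the tool binds fine but then creates or searches the wrong subtree.
    base = props.get("IDSTORE_SEARCHBASE")
    if base:
        bparts = _dn_parts(base)
        for key in UNDER_BASE:
            if key in props and _dn_parts(props[key])[-len(bparts):] != bparts:
                problems.append(f"{key} is not under IDSTORE_SEARCHBASE")
    shares = props.get("POLICYSTORE_SHARES_IDSTORE")
    if shares is not None and shares.lower() not in ("true", "false"):
        problems.append(f"POLICYSTORE_SHARES_IDSTORE must be true or false, got {shares!r}")
    return problems


def validate(text, store):
    """Parse and check one properties file; returns the list of problems found."""
    return check_props(parse_props(text), store)


# Constructed sample: the idstore.props from this section with a 'mycomapny'
# misspelling placed in the group search base on purpose.
SAMPLE_IDSTORE = """\
# Common
IDSTORE_BINDDN: cn=orcladmin
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=mycomapny,dc=com
IDSTORE_HOST: oidhost1.mycompany.com
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_PORT: 3060
IDSTORE_SEARCHBASE: dc=mycompany,dc=com
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_USERSEARCHBASE: cn=Users, dc=mycompany,dc=com
POLICYSTORE_SHARES_IDSTORE: true
IDSTORE_SYSTEMIDBASE: cn=systemids,dc=mycompany,dc=com
"""
```

Run `validate(SAMPLE_IDSTORE, "IDSTORE")` before invoking idmConfigTool; on the sample it reports only that IDSTORE_GROUPSEARCHBASE is not under IDSTORE_SEARCHBASE.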

11.5.2 Preparing a Directory for Oracle Access Manager and Oracle Identity Manager

This section explains how to deploy Identity Management components to support Active Directory and Oracle Identity Manager as the identity store.

It contains the following topics:

11.5.2.1 Configuring Oracle Internet Directory for Use with Oracle Access Manager and Oracle Identity Manager

Pre-configuring the Identity Store extends the schema in Oracle Internet Directory.

To do this, perform the following tasks on IDMHOST1:

  1. Set the environment variables: MW_HOME, JAVA_HOME, IDM_HOME and ORACLE_HOME.

    Set IDM_HOME to IDM_ORACLE_HOME

    Set ORACLE_HOME to IAM_ORACLE_HOME

  2. Configure the Identity Store by using the command idmConfigTool, which is located at:

    IAM_ORACLE_HOME/idmtools/bin

    Note:

    When you run the idmConfigTool, it creates or appends to the file idmDomainConfig.param. This file is generated in the same directory that the idmConfigTool is run from. To ensure that each time the tool is run, the same file is appended to, always run the idmConfigTool from the directory:

    IAM_ORACLE_HOME/idmtools/bin

    The syntax of the command on Linux is:

    idmConfigTool.sh -preConfigIDStore input_file=configfile 
    

    The syntax on Windows is:

    idmConfigTool.bat -preConfigIDStore input_file=configfile 
    

    For example:

    idmConfigTool.sh -preConfigIDStore input_file=idstore.props
    

    When the command runs, you are prompted to enter the password of the account you are connecting to the Identity Store with.

    Sample command output, when running the command against Oracle Virtual Directory:

    Enter ID Store Bind DN password:
    May 25, 2011 2:37:18 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/idm_idstore_groups_template.ldif
    May 25, 2011 2:37:18 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/idm_idstore_groups_acl_template.ldif
    May 25, 2011 2:37:18 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/systemid_pwdpolicy.ldif
    May 25, 2011 2:37:18 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/idstore_tuning.ldif
    May 25, 2011 2:37:18 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/oid_schema_extn.ldif
    May 25, 2011 2:37:19 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/oam/server/oim-intg/schema/OID_oblix_pwd_schema_add.ldif
    May 25, 2011 2:37:19 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/oam/server/oim-intg/schema/OID_oim_pwd_schema_add.ldif
    May 25, 2011 2:37:19 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/oam/server/oim-intg/schema/OID_oblix_schema_add.ldif
    May 25, 2011 2:37:34 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/oam/server/oim-intg/schema/OID_oblix_schema_index_add.ldif
    The tool has completed its operation. Details have been logged to automation.log
    
  3. Check the log file for any errors or warnings and correct them. The file with the name automation.log is created in the directory from where you run the tool.

Note:

In addition to creating users, idmConfigTool creates the following groups:

  • orclFAUserReadPrivilegeGroup

  • orclFAUserWritePrivilegeGroup

  • orclFAUserWritePrefsPrivilegeGroup

  • orclFAGroupReadPrivilegeGroup

  • orclFAGroupWritePrivilegeGroup

  • orclFAOAMUserWritePrivilegeGroup

See Also:

Oracle Fusion Middleware Integration Overview for Oracle Identity Management Suite for more information about the idmConfigTool command.

11.5.2.2 Configuring Active Directory for Use with Oracle Access Manager and Oracle Identity Manager

This section describes how to configure Active Directory. Extend the schema in Active Directory as follows.

Note:

The order in which you perform the steps is critical!

  1. Locate the following files:

    IDM_ORACLE_HOME/oam/server/oim-intg/ldif/ad/schema/ADUserSchema.ldif

    IDM_ORACLE_HOME/oam/server/oim-intg/ldif/ad/schema/AD_oam_pwd_schema_add.ldif

  2. In both of these files, replace domain-dn with the appropriate domain-dn value.

  3. Use ldapadd from the command line to load the two LDIF files, as follows.

    ldapadd -h activedirectoryhostname -p activedirectoryportnumber -D AD_administrator -q -c -f file
    

    where AD_administrator is a user that has schema extension privileges in the directory.

    For example:

    ldapadd -h "activedirectoryhost.mycompany.com" -p 389 -D adminuser -q -c -f ADUserSchema.ldif
    ldapadd -h "activedirectoryhost.mycompany.com" -p 389 -D adminuser -q -c -f AD_oam_pwd_schema_add.ldif
    

    Note:

    After the -D you can specify either a DN or user@domain.com.

  4. Then go to:

    MW_HOME/oracle_common/modules/oracle.ovd_11.1.1/oimtemplates

    Run the following command to extend Active Directory schema:

    sh extendadschema.sh -h AD_host -p AD_port -D 'administrator@mydomain.com' -AD "dc=mydomain,dc=com" -OAM true
    

    The command is extendadschema.bat on Windows.

11.5.3 Excluding Users from Oracle Identity Manager Reconciliation

By default Oracle Identity Management reconciles all users that are located in the LDAP container cn=Users. Once reconciled, these users are subject to the usual password ageing policies defined in Oracle Identity Manager. This is not desirable for system accounts. It is recommended that you exclude the following accounts from this reconciliation:

  • xelsysadm

  • oimLDAP

  • oamLDAP

Additionally, you might want to exclude:

  • IDROUser

  • IDRWUser

  • PolicyROUser

  • PolicyRWUser

To exclude these users from reconciliation and discard failed reconciliation events, perform the following steps, using ODSM and the OIM Console:

11.5.3.1 Adding the orclAppIDUser Object Class to the User by Using ODSM

  1. Log in to ODSM at: http://admin.mycompany.com/odsm

  2. Connect to one of the LDAP instances that hosts the user to be excluded.

  3. Select Data Browser.

  4. Enter the user name in the query box and execute the search.

  5. Click on the user to bring up the Edit window.

  6. Click Attributes.

  7. Click + in the Object Classes box to add a new class.

  8. Enter orclAppIDUser in the search box and execute the search.

  9. Click on the attribute orclAppIDUser and click OK.

  10. Click Apply.

Repeat Steps 1-10 for each user to be excluded.

11.5.3.2 Closing Failed Reconciliation Events by Using the OIM Console

  1. Log in to the OIM console as the xelsysadm user, using the URL listed in Section 21.2, "About Identity Management Console URLs."

  2. Click Advanced.

  3. From Event Management, select Search Reconciliation Events.

  4. Click Advanced Search.

  5. In the Current Status field, select Equals. In the Search box, select Creation Failed from the list.

  6. Select each of the events.

  7. From the Actions menu, select Close Event.

  8. In the Confirmation window enter a justification, such as Close Failed Reconciliation Events.

  9. Click Closed.

  10. Click OK to acknowledge the confirmation message.

11.5.4 Creating Users and Groups

Configure the Identity Store by using the command idmConfigTool, which is located at:

IAM_ORACLE_HOME/idmtools/bin

Note:

When you run the idmConfigTool, it creates or appends to the file idmDomainConfig.param. This file is generated in the same directory in which the idmConfigTool is run. To ensure that the same file is appended to every time you run the tool, always run the idmConfigTool from the directory:

IAM_ORACLE_HOME/idmtools/bin

The syntax of the command on Linux is:

idmConfigTool.sh -prepareIDStore mode=all input_file=configfile 

The syntax on Windows is:

idmConfigTool.bat -prepareIDStore mode=all input_file=configfile 

For example:

idmConfigTool.sh -prepareIDStore mode=all input_file=idstore.props

When the command runs, it prompts you to enter the password of the account you are connecting to and passwords for the accounts that are being created.

Note:

The password must conform to the following rules:

  • Six characters or more

  • One or more numeric character

  • Two or more alphabetic characters

  • Start with alphabetic character

  • One or more lowercase character

Ignore any messages in the output related to OAAM. (This command can create OAAM accounts but these are not required for Fusion Applications deployments.)
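An added example (my own code, not Oracle's) for the password prompts of idmConfigTool -prepareIDStore: a checker that names which of the five rules above a candidate password breaks, and a generator that builds compliant passwords from the secrets module. It assumes that "alphabetic" and "numeric" mean ASCII letters and digits, the conservative reading for an LDAP bind password.

```python
import secrets
import string

# The five rules listed in this section, in the order they are stated.
RULES = (
    "six characters or more",
    "one or more numeric character",
    "two or more alphabetic characters",
    "start with alphabetic character",
    "one or more lowercase character",
)


def password_violations(pw):
    """Return the names of the rules that pw breaks (an empty list means accepted)."""
    letters = [c for c in pw if c in string.ascii_letters]
    checks = (
        len(pw) >= 6,
        any(c in string.digits for c in pw),
        len(letters) >= 2,
        bool(pw) and pw[0] in string.ascii_letters,
        any(c in string.ascii_lowercase for c in pw),
    )
    return [rule for rule, ok in zip(RULES, checks) if not ok]


def generate_password(length=16):
    """Build a random password that satisfies all five rules by construction:
    a leading letter, plus a body guaranteed to hold a digit and a lowercase
    letter (which is also the required second letter), shuffled with a CSPRNG.
    Only letters and digits are used so the value can be typed at the tool's
    prompt without shell-quoting surprises."""
    if length < 6:
        raise ValueError("idmConfigTool requires at least six characters")
    alphabet = string.ascii_letters + string.digits
    body = [secrets.choice(string.ascii_lowercase), secrets.choice(string.digits)]
    body += [secrets.choice(alphabet) for _ in range(length - 3)]
    secrets.SystemRandom().shuffle(body)
    pw = secrets.choice(string.ascii_letters) + "".join(body)
    assert not password_violations(pw)  # the construction must never fail its own check
    return pw
```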

11.5.5 Creating Access Control Lists in Non-Oracle Internet Directory Directories

In the preceding sections, you seeded the Identity Store with users and artifacts for the Oracle components. If your Identity Store is hosted in a non-Oracle Internet Directory directory, such as Microsoft Active Directory, you must set up the access control information (ACIs) to provide appropriate privileges to the entities you created. This section lists the artifacts created and the privileges required for the artifacts.

  • Users and groups. ACIs to the users and groups container are provided in Oracle Internet Directory. Set them manually for other directories. The Oracle Identity Manager/Oracle Access Manager integration and Fusion Applications require the following artifacts to be created in the Identity store.

    • Group with read privileges to the users container (orclFAUserReadPrivilegeGroup). Configure the local directory ACIs so that this group has privileges to read all the attributes of the users in the Identity Store.

    • Group with read/write privileges to the users container (orclFAUserWritePrivilegeGroup)

    • Group with read privileges to the groups container (orclFAGroupReadPrivilegeGroup)

    • Group with read/write privileges to the groups container (orclFAGroupWritePrivilegeGroup)

    • Group with write privileges to a partial set of attributes (orclFAUserWritePrefsPrivilegeGroup)

      In multidirectory deployments where Oracle Internet Directory is used as a shadow directory, these attributes exist only in Oracle Internet Directory, so no ACI configuration is required in Active Directory. The partial set of attributes is:

      • orclAccessibilityMode

      • orclColorContrast

      • orclFontSize

      • orclNumberFormat

      • orclCurrency

      • orclDateFormat

      • orclTimeFormat

      • orclEmbeddedHelp

      • orclFALanguage

      • orclFATerritory

      • orclTimeZone

      • orclDisplayNameLanguagePreference

      • orclImpersonationGrantee

      • orclImpersonationGranter

  • The user specified by the IDSTORE_READONLYUSER parameter. When you run the preConfigIDStore command, this user is assigned to the groups orclFAUserReadPrivilegeGroup, orclFAUserWritePrefsPrivilegeGroup, and orclFAGroupReadPrivilegeGroup. The user also needs compare privileges on the userpassword attribute of the user entry.

  • The user specified by the IDSTORE_READWRITEUSER parameter. It is assigned to the groups orclFAUserWritePrivilegeGroup and orclFAGroupWritePrivilegeGroup.

  • Systemids. The System ID container is created for storing all the system identifiers. If there is another container in which the users are to be created, that is specified as part of the admin.

  • Oracle Access Manager Admin User. This user is added to the OAM Administrator group, which provides permission for the administration of the OAM console. No LDAP schema level privileges are required, since this is just an application user.

  • Oracle Access Manager Software User. This user is added to the groups where the user gets read privileges to the container. This is also provided with schema admin privileges.

  • Oracle Identity Manager user oimLDAP under System ID container. Password policies are set accordingly in the container. The passwords for the users in the System ID container must be set up so that they do not expire.

  • Oracle Identity Manager administration group. The Oracle Identity Manager user is added as its member. The Oracle Identity Manager admin group is given complete read/write privileges to all the user and group entities in the directory.

  • WebLogic Administrator. This is the administrator of the IDM domain for Oracle Virtual Directory.

  • WebLogic Administrator Group. The WebLogic administrator is added as a member. This is the administrator group of the IDM domain for Oracle Virtual Directory.

  • Reserve container. Permissions are provided to the Oracle Identity Manager admin group to perform read/write operations.