Oracle® Fusion Middleware Administrator's Guide for Oracle Identity Manager
11g Release 2 (11.1.2)

Part Number E27149-04

32 Handling Lifecycle Management Changes

Because of integrated deployment of Oracle Identity Manager with other applications, such as Oracle Access Manager (OAM), and configuration changes in those applications, various configuration changes might be required in Oracle Identity Manager and Oracle WebLogic Server. These configuration changes are described in the following sections:

32.1 URL Changes Related to Oracle Identity Manager

Oracle Identity Manager uses various host names and ports in its configuration because of the architectural and middleware requirements. This section describes how to make the corresponding changes in the Oracle Identity Manager and Oracle WebLogic configuration for any change in the integrated and dependent applications.

This section contains the following topics:

32.1.1 Oracle Identity Manager Database Host and Port Changes

This section describes the configuration areas where database hostname and port number are used.

After installing Oracle Identity Manager, if there are any changes in the database hostname or port number, then the following changes are required:

Note:

Before making changes to the database host and port, shut down the managed servers hosting Oracle Identity Manager. You can, however, keep the Oracle WebLogic Administrative Server running.

  • To change datasource oimJMSStoreDS configuration:

    1. Navigate to Services, JDBC, Data Sources, and then oimJMSStoreDS.

    2. Click the Connection Pool tab.

    3. Modify the values of the URL and Properties fields to reflect the changes to database host and port.

  • To change datasource oimOperationsDB configuration:

    1. Navigate to Services, JDBC, Data Sources, and then oimOperationsDB.

    2. Click the Connection Pool tab.

    3. Modify the values of the URL and Properties fields to reflect the changes to database host and port.

  • To change the datasource related to Oracle Identity Manager Meta Data Store (MDS) configuration:

    1. Navigate to Services, JDBC, Data Sources, and then mds-oim.

    2. Click the Connection Pool tab.

    3. Modify the values of the URL and Properties fields to reflect the changes in the database host and port.

  • To change OIMAuthenticationProvider configuration:

    1. In the WebLogic Administrative console, navigate to Security Realms, myrealm, and then Providers.

    2. Click OIMAuthenticationProvider.

    3. Click Provider Specific.

    4. Modify the value of the DBUrl field to reflect the change in hostname and port.

    Note:

    If Service Oriented Architecture (SOA) and Oracle Web Services Manager (OWSM) undergo configuration changes, then you must make similar changes for datasources related to SOA or OWSM.

    After making changes in the datasources, restart the Oracle WebLogic Administrative Server, and start the Oracle Identity Manager managed WebLogic servers.

    Note:

    Whenever Oracle Identity Manager application configuration information is to be changed by using OIM App Config MBeans from the Enterprise Manager (EM) console, at least one of the Oracle Identity Manager managed servers must be running. Otherwise, none of the OIM App Config MBeans are visible in the EM console.

  • To change DirectDB configuration:

    1. Login to Enterprise Manager by using the following URL:

      http://ADMIN_SERVER/em

    2. Navigate to Identity and Access, and then oim.

    3. Right-click oim, and navigate to System MBean Browser under Application Defined MBeans.

    4. Navigate to oracle.iam, Application:oim, XMLConfig, Config, XMLConfig.DirectDBConfig, and then DirectDB.

    5. Enter the new value for the URL attribute to reflect the changes to host and port, and then apply the changes.

    Note:

    When Oracle Identity Manager single instance deployment is changed to Oracle Real Application Clusters (Oracle RAC) or Oracle RAC is changed to single instance deployment, change the oimJMSStoreDS, oimOperationsDB, and mds-oim datasources. In addition to the generic changes to make these datasources to multidatasource configuration, change the OIMAuthenticationProvider and domain credential store configurations to reflect the Oracle RAC URL. For information about these generic changes, see Oracle Fusion Middleware High Availability Guide.
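The same host and port value is entered in five separate places in the procedure above (the oimJMSStoreDS, oimOperationsDB and mds-oim datasources, the OIMAuthenticationProvider DBUrl, and the DirectDB URL), and a managed server that is restarted with one of them still pointing at the old database fails at startup. The following script is an added example, not part of the Oracle guide: it parses each JDBC thin URL that an administrator has copied out of the consoles and reports any that do not resolve to the new host and port. The host names, the port and the sample URLs are constructed for the example.

```sh
#!/bin/sh
# Added example, not from the Oracle guide: a consistency check for the
# database host and port across every configuration location named above
# (the three datasources, OIMAuthenticationProvider DBUrl and the DirectDB
# URL). The URLs below are constructed samples of what an administrator
# would copy out of the consoles; the host names and port are assumptions.

NEW_DB_HOST="new-db.example.com"   # assumed new database host
NEW_DB_PORT="1521"                 # assumed new listener port

# Print "host:port" from a JDBC thin URL of either form
#   jdbc:oracle:thin:@host:port/service   or   jdbc:oracle:thin:@host:port:sid
# Prints an empty line for anything else (for example a RAC descriptor).
jdbc_host_port() {
    url="$1"
    case "$url" in
        jdbc:oracle:thin:@*)
            rest=${url#jdbc:oracle:thin:@}
            rest=${rest%%/*}           # drop /service, if present
            h=${rest%%:*}
            p=${rest#*:}
            p=${p%%:*}                 # drop :sid, if present
            printf '%s:%s\n' "$h" "$p"
            ;;
        *)
            echo
            ;;
    esac
}

# Constructed sample of the current values, one name=url per line. Two of
# them still point at the old host or port, which is the mistake the check
# is meant to catch before the managed servers are restarted.
CONFIG_URLS='oimJMSStoreDS=jdbc:oracle:thin:@new-db.example.com:1521/oimdb
oimOperationsDB=jdbc:oracle:thin:@old-db.example.com:1521/oimdb
mds-oim=jdbc:oracle:thin:@new-db.example.com:1521/oimdb
OIMAuthenticationProvider.DBUrl=jdbc:oracle:thin:@new-db.example.com:1521:oimdb
DirectDB.URL=jdbc:oracle:thin:@new-db.example.com:1522/oimdb'

# Report every entry that does not resolve to NEW_DB_HOST:NEW_DB_PORT.
# Returns the number of mismatches, so 0 means all locations agree.
check_db_urls() {
    want="$NEW_DB_HOST:$NEW_DB_PORT"
    bad=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        name=${line%%=*}
        url=${line#*=}
        got=$(jdbc_host_port "$url")
        if [ "$got" != "$want" ]; then
            printf 'MISMATCH %-32s %s (expected %s)\n' "$name" "$got" "$want"
            bad=$((bad + 1))
        fi
    done <<EOF
$CONFIG_URLS
EOF
    return "$bad"
}

check_db_urls || echo "$? location(s) still reference the old database host or port"
```

Run it before restarting the managed servers; on the constructed sample it reports oimOperationsDB (old host) and DirectDB.URL (old port). For an Oracle RAC multi-datasource the URL is a TNS descriptor rather than a thin URL, so each member datasource has to be checked separately.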

32.1.2 Oracle Virtual Directory Host and Port Changes

When LDAP synchronization is enabled, Oracle Identity Manager connects with directory servers through Oracle Virtual Directory (OVD). This connection takes place by using LDAP/LDAPS protocol.

To change OVD host and port:

  1. Login to Oracle Identity Manager Administration.

  2. Click Advanced.

  3. Under Configuration, click Manage IT Resource.

  4. From the IT Resource Type list, select Directory Server, and click Search.

  5. Edit the Directory Server IT resource. To do so:

    1. If the value of the Use SSL field is set to False, then edit the Server URL field. If the value of the Use SSL field is set to True, then edit the Server SSL URL field.

    2. Click Update.

32.1.3 Oracle Identity Manager Host and Port Changes

This section consists of the following topics:

Note:

When additional Oracle Identity Manager nodes are added or removed, perform the procedures described in these sections to configure Oracle Identity Manager host and port changes.

32.1.3.1 Changing OimFrontEndURL in Oracle Identity Manager Configuration

The OimFrontEndURL is the URL used to access the Oracle Identity Manager UI. Depending on whether the application server is fronted with a load balancer or a Web server, this can be a load balancer URL, a Web server URL, or a single application server URL. Oracle Identity Manager uses it in notification e-mails and as the callback URL for SOA calls.

The change may be necessary because of change in Web server hostname or port for Oracle Identity Manager deployment in a clustered environment, or WebLogic managed server hostname or port changes for Oracle Identity Manager deployment in a nonclustered environment.

To change the OimFrontEndURL in Oracle Identity Manager configuration:

  1. Login to Enterprise Manager by using the following URL when the WebLogic Administrative Server and Oracle Identity Manager managed servers, at least one of the servers in case of a clustered deployment, are running:

    http://ADMIN_SERVER/em

  2. Navigate to Identity and Access, oim.

  3. Right-click oim, and navigate to System MBean Browser.

  4. Under Application Defined MBeans, navigate to oracle.iam, Application:oim, XMLConfig, Config, XMLConfig.DiscoveryConfig, and then Discovery.

  5. Enter new value for the OimFrontEndURL attribute, and click Apply to save the changes. Example values can be:

    http://myoim.oracle.com

    https://myoim.oracle.com

    http://myserver.oracle.com:7001

    Note:

    SPML clients store Oracle Identity Manager URL for invoking SPML and sending callback response. Therefore, changes are required corresponding to this. In addition, if Oracle Identity Manager is integrated with OAM, OAAM, or Oracle Identity Navigator (OIN), there may be corresponding changes necessary. For more information, refer to OAM, OAAM, and OIN documentation in the Oracle Technology Network (OTN) Web site.

32.1.3.2 Changing backOfficeURL in Oracle Identity Manager Configuration

Changing backOfficeURL is required only for Oracle Identity Manager deployed in front-office and back-office configuration. This change does not apply for simple clustered or nonclustered deployments. This URL is used internally by Oracle Identity Manager for accessing back-office components from the front-office components. You might change the value of this attribute during the implementation of back-office and front-office configuration, for adding additional servers to back office, and for removing servers from back-office.

To change the value of the backOfficeURL attribute:

  1. Login to Enterprise Manager by using the following URL when the WebLogic Administrative Server and Oracle Identity Manager managed servers, at least one of the servers in case of a clustered deployment, are running:

    http://ADMIN_SERVER/em

  2. Navigate to Identity and Access, and then oim.

  3. Right-click oim, and navigate to System MBean Browser.

  4. Under Application Defined MBeans, navigate to oracle.iam, Application:oim, XMLConfig, Config, XMLConfig.DiscoveryConfig, Discovery.

  5. Enter a new value for the BackOfficeURL attribute, and click Apply to save the changes. Example values can be:

    t3://mywls1.oracle.com:8001

    t3://mywls1.oracle.com:8001,mywls2.oracle.com:9001

    Note:

    The value of the BackOfficeURL attribute must be empty for Oracle Identity Manager nonclustered and clustered deployments.

32.1.4 BI Publisher Host and Port Changes

BI Publisher can be accessed by clicking a link in the Oracle Identity Manager UI for reporting purposes. This URL is based on the configuration value on the Oracle Identity Manager side. If the BI Publisher host or port changes, then make the following change in Oracle Identity Manager:

  1. Login to Enterprise Manager by using the following URL when the WebLogic Administrative Server and Oracle Identity Manager managed servers, at least one of the servers in case of a clustered deployment, are running:

    http://ADMIN_SERVER/em

  2. Navigate to Identity and Access, oim.

  3. Right-click oim, and navigate to System MBean Browser.

  4. Under Application Defined MBeans, navigate to oracle.iam, Application:oim, XMLConfig, Config, XMLConfig.DiscoveryConfig, Discovery.

  5. Enter a new value for the BIPublisherURL attribute, and click Apply to save the changes.

32.1.5 SOA Host and Port Changes

To change the SOA host and port:

Note:

When additional SOA nodes are added or removed, perform this procedure to change the SOA host and port.

  1. Login to Enterprise Manager by using the following URL when the WebLogic Administrative Server and Oracle Identity Manager managed servers, at least one of the servers in case of a clustered deployment, are running:

    http://ADMIN_SERVER/em

  2. Navigate to Identity and Access, oim.

  3. Right-click oim, and navigate to System MBean Browser.

  4. Under Application Defined MBeans, navigate to oracle.iam, Application:oim, XMLConfig, Config, XMLConfig.SOAConfig, SOAConfig.

  5. Change the values of the Rmiurl and Soapurl attributes, and click Apply to save the changes.

    The Rmiurl attribute is used for accessing SOA EJBs deployed on SOA managed servers. This is the application server URL. For a clustered deployment of Oracle Identity Manager, it is a comma-separated list of all the SOA managed server URLs. Example values for this attribute can be:

    t3://mysoa1.oracle.com:8001

    t3s://mysoa1.oracle.com:8001,mysoa2.oracle.com:8002

    t3://mysoa1.oracle.com:8001,mysoa2.oracle.com:8002,mysoa3.oracle.com:8003

    The Soapurl attribute is used for accessing SOA Web services deployed on SOA managed servers. For a SOA cluster front-ended with a Web server and load balancer, this is the Web server and load balancer URL. For a single SOA server, it can be the application server URL.

    The example values for this attribute can be:

    http://myoimsoa.oracle.com

    http://mysoa.oracle.com:8001

  6. Login to WebLogic Administration Console.

  7. In the Domain Structure section, navigate to OIM_DOMAIN, Services, Foreign JNDI Providers.

  8. Click ForeignJNDIProvider-SOA.

  9. In the Configuration tab, verify that the General subtab is active.

  10. Change the value of Provider URL to the Rmiurl provided in Step 5.

32.1.6 OAM Host and Port Changes

To change the OAM host and port:

  1. Login to Enterprise Manager by using the following URL when the WebLogic Administrative Server and Oracle Identity Manager managed servers, at least one of the servers for a clustered deployment, are running:

    http://ADMIN_SERVER/em

  2. Navigate to Identity and Access, and then to oim.

  3. Right-click oim, and navigate to System MBean Browser.

  4. Under Application Defined MBeans, navigate to oracle.iam, Application:oim, XMLConfig, Config, XMLConfig.SSOConfig, and then SSOConfig.

  5. Change the values of the AccessServerHost and AccessServerPort attributes and other attributes as required, and click Apply to save the changes.

32.2 Password Changes Related to Oracle Identity Manager

Various passwords are used in the Oracle Identity Manager configuration because of the architectural and middleware requirements. This section describes the default passwords and how to change the passwords in the Oracle Identity Manager and Oracle WebLogic configuration for any change in the dependent or integrated products.

This section consists of the following topics:

32.2.1 Changing Oracle WebLogic Administrator Password

To change Oracle WebLogic administrator password:

  1. Login to WebLogic Administrative console.

  2. Navigate to Security Realms, myrealm, Users and Groups, weblogic, Password.

  3. In the New Password field, enter the new password.

  4. In the Confirm New Password field, re-enter the new password.

  5. Click Apply.

32.2.2 Changing Oracle Identity Manager Administrator Password

During Oracle Identity Manager installation, the installer prompts for the Oracle Identity Manager administrator password. If required, you can change the administrator password after the installation is complete. To do so, you must login to Oracle Identity Manager Self Service as Oracle Identity Manager administrator. For information about how to change the administrator password, see "Authenticated User Self Service" in the Oracle Fusion Middleware User's Guide for Oracle Identity Manager.

Note:

If OAM or OAAM is integrated with Oracle Identity Manager, then you might have to make corresponding changes in those applications. For more information, refer to OAM and OAAM documentation in the Oracle Technology Network (OTN) Web site by using the following URL:

http://www.oracle.com/technetwork/indexes/documentation/index.html

32.2.3 Changing Oracle Identity Manager Database Password

Oracle Identity Manager uses two database schemas for storing Oracle Identity Manager operational and configuration data. It uses Oracle Identity Manager MDS schema for storing configuration-related information and Oracle Identity Manager schema for storing other information. Any change in the schema password requires changes on Oracle Identity Manager configuration.

Changing Oracle Identity Manager database password involves the following:

Note:

Before changing the database password, shut down the managed servers that host Oracle Identity Manager. However, you can keep the Oracle WebLogic Administrative Server running.

  • To change datasource oimJMSStoreDS configuration:

    1. Navigate to Services, JDBC, Data Sources, oimJMSStoreDS.

    2. Click the Connection Pool tab.

    3. In the Password and Confirm password fields, enter the new Oracle Identity Manager database schema password.

    4. Click Save to save the changes.

  • To change datasource oimOperationsDB configuration:

    1. Navigate to Services, JDBC, Data Sources, oimOperationsDB.

    2. Click the Connection Pool tab.

    3. In the Password and Confirm password fields, enter the new Oracle Identity Manager database schema password.

    4. Click Save to save the changes.

  • To change datasource related to Oracle Identity Manager MDS configuration:

    1. Navigate to Services, JDBC, Data Sources, mds-oim.

    2. Click the Connection Pool tab.

    3. In the Password and Confirm password fields, enter the new Oracle Identity Manager MDS database schema password.

    4. Click Save to save the changes.

    Note:

    • For Oracle Identity Manager deployments with Oracle Real Application Clusters (Oracle RAC) configuration, you might have to make changes in all the datasources under the respective multi-datasource configurations.

    • You might have to make similar changes for datasources related to SOA or OWSM, if required.

  • To change OIMAuthenticationProvider configuration:

    1. In the WebLogic Administrative console, navigate to Security Realms, myrealm, and then Providers.

    2. Click OIMAuthenticationProvider.

    3. Click Provider Specific.

    4. In the DBPassword field, enter the new Oracle Identity Manager database schema password.

    5. Click Save to save the changes.

  • To change domain credential store configuration:

    1. Login to Enterprise Manager by using the following URL:

      http://ADMIN_SERVER/em

    2. Navigate to Weblogic Domain, and then DOMAIN_NAME.

    3. Right-click oim, and navigate to Security, Credentials, and then oim.

    4. Select OIMSchemaPassword, and click Edit.

    5. In the Password field, enter the new password, and click OK.

After changing the Oracle Identity Manager database password, restart the WebLogic Administrative Server. Start the Oracle Identity Manager managed WebLogic servers as well.

32.2.4 Changing Oracle Identity Manager Passwords in the Credential Store Framework

Oracle Identity Manager installer stores several passwords during the install process. Various values are stored in Credential Store Framework (CSF) as key and value. Table 32-1 lists the keys and the corresponding values:

Table 32-1 CSF Keys

Key Description

DataBaseKey

The password for the key used to encrypt database. The password is the user input value in the installer for the Oracle Identity Manager keystore.

.xldatabasekey

The password for keystore that stores the database encryption key. The password is the user input value in the installer for the Oracle Identity Manager keystore.

xell

The password for key 'xell', which is used for securing communication between Oracle Identity Manager components. Default password generated by Oracle Identity Manager installer is xellerate.

default_keystore.jks

The password for the default_keystore.jks JKS keystore in the DOMAIN_HOME/config/fmwconfig/ directory. The password is the user input value in the installer for the Oracle Identity Manager keystore.

SOAAdminPassword

The password is the user input value in the installer for the SOA Administrator Password field.

OIMSchemaPassword

The password for connecting to the Oracle Identity Manager database schema. The password is the user input value in the installer for the OIM Database Schema Password field.

JMSKey

The password is the user input value in the installer for the Oracle Identity Manager keystore.


To change the values of the CSF keys:

  1. Login to Enterprise Manager.

  2. Right-click the domain.

  3. Navigate to Security, and then Credential.

  4. Expand oim. The list of all the key and value pairs for Oracle Identity Manager are displayed. You can edit and change the values.

32.2.5 Changing OVD Password

To change the OVD password:

  1. Login to Oracle Identity Manager Administration.

  2. Click Advanced.

  3. Under Configuration, click Manage IT Resource.

  4. From the IT Resource Type list, select Directory Server.

  5. Click Search.

  6. Edit the Directory Server IT resource. To do so, in the Admin Password field, enter the new OVD password, and click Update.

32.2.6 Changing Oracle Identity Manager Administrator Password in LDAP

To change Oracle Identity Manager System Administrator password in LDAP:

  1. Look up the dn for the user from LDAP, as shown:

    $ORACLE_HOME/bin/ldapsearch -D cn=orcladmin -w fusionapps1 -h localhost -p 6501 -b dc=com "cn=SYS_ADMIN" orclaccountlocked dn
    

    Here, SYS_ADMIN is the System Administrator user login.

  2. Create a file similar to the following:

    $ more /tmp/resetpassword_SYS_ADMIN
    
    dn: cn=SYS_ADMIN,cn=Users,dc=us,dc=oracle,dc=com
    changetype: modify
    replace: userPassword
    userPassword: NEW_PASSWORD
    

    Here, NEW_PASSWORD is the password that you want in clear text.

  3. Change the password, as shown:

    $ORACLE_HOME/bin/ldapmodify -D cn=orcladmin -w fusionapps1 -h localhost -p 6501 -f /tmp/resetpassword_SYS_ADMIN
    
  4. Verify that the user password is changed, as shown:

    $ORACLE_HOME/bin/ldapbind -D cn=SYS_ADMIN,cn=Users,dc=us,dc=oracle,dc=com -w NEW_PASSWORD -h localhost -p 6501
    

32.2.7 Unlocking Oracle Identity Manager Administrator Password in LDAP

To unlock Oracle Identity Manager System Administrator password in LDAP:

  1. Look up the dn for the user from LDAP, as shown:

    $ORACLE_HOME/bin/ldapsearch -D cn=orcladmin -w fusionapps1 -h localhost -p 6501 -b dc=com "cn=SYS_ADMIN" orclaccountlocked dn
    

    If orclaccountlocked has a value of 1, then it means that the user is locked.

  2. Create a file similar to the following:

    $ more /tmp/unlock_SYS_ADMIN
    
    dn: cn=SYS_ADMIN,cn=Users,dc=us,dc=oracle,dc=com
    changetype: modify
    replace: orclaccountlocked
    orclaccountlocked: 0
    
  3. Unlock the user, as shown:

    $ORACLE_HOME/bin/ldapmodify -D cn=orcladmin -w fusionapps1 -h localhost -p 6501 -f /tmp/unlock_SYS_ADMIN
    
  4. Verify that the user is unlocked, as shown:

    $ORACLE_HOME/bin/ldapsearch -D cn=orcladmin -w fusionapps1 -h localhost -p 6501 -b dc=com "cn=SYS_ADMIN" orclaccountlocked dn
    

    The value of orclaccountlocked must be 0.
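Both procedures above follow the same pattern: search for the user, write a small "replace" LDIF, apply it with ldapmodify, and verify. The following script is an added example, not part of the Oracle guide, that turns those steps into checked functions: it reads the DN and the orclaccountlocked value out of the ldapsearch output instead of retyping them, and writes the LDIF with mode 600 because a password reset file carries the new password in clear text. SAMPLE_SEARCH_OUTPUT is a constructed copy of the step 1 output for a locked account; the bind DN, host and port mirror the page's examples, and reading the directory password from LDAP_ADMIN_PW is this example's choice.

```sh
#!/bin/sh
# Added example, not from the Oracle guide: the lookup, LDIF and verify steps
# of sections 32.2.6 and 32.2.7 as checked functions. SAMPLE_SEARCH_OUTPUT is
# a constructed copy of what the ldapsearch in step 1 returns for a locked
# account; the bind DN, host and port mirror the page's examples and the
# directory password is read from LDAP_ADMIN_PW instead of being typed in.

SAMPLE_SEARCH_OUTPUT='dn: cn=SYS_ADMIN,cn=Users,dc=us,dc=oracle,dc=com
orclaccountlocked: 1'

# Pull the dn line out of ldapsearch output so it is never retyped by hand.
search_dn() {
    printf '%s\n' "$1" | awk -F': ' '$1=="dn"{print $2; exit}'
}

# Returns 0 if orclaccountlocked is 1 (locked), 1 if it is 0 (unlocked),
# 2 if the attribute is missing, in which case nothing can be concluded.
account_locked() {
    val=$(printf '%s\n' "$1" | awk -F': ' 'tolower($1)=="orclaccountlocked"{print $2; exit}')
    case "$val" in
        1) return 0 ;;
        0) return 1 ;;
        *) return 2 ;;
    esac
}

# Write a one-attribute "replace" LDIF. The file is created with mode 600
# because, for a password reset, it carries the new password in clear
# text; delete it as soon as ldapmodify has consumed it.
# Arguments: file dn attribute value
write_modify_ldif() {
    (
        umask 077
        printf 'dn: %s\nchangetype: modify\nreplace: %s\n%s: %s\n' \
            "$2" "$3" "$3" "$4" > "$1"
    )
}

# Apply the LDIF with the page's ldapmodify invocation when the tool is
# available; otherwise leave the file for manual use and return 3.
apply_ldif() {
    if command -v ldapmodify >/dev/null 2>&1; then
        ldapmodify -D cn=orcladmin -w "$LDAP_ADMIN_PW" -h localhost -p 6501 -f "$1"
    else
        echo "ldapmodify not found; LDIF left at $1" >&2
        return 3
    fi
}

# Worked run on the sample: detect the lock and prepare the unlock LDIF.
main() {
    out="${TMPDIR:-/tmp}/unlock_SYS_ADMIN"
    dn=$(search_dn "$SAMPLE_SEARCH_OUTPUT")
    if account_locked "$SAMPLE_SEARCH_OUTPUT"; then
        write_modify_ldif "$out" "$dn" orclaccountlocked 0
        echo "$dn is locked; unlock LDIF written to $out"
        apply_ldif "$out" || echo "apply step skipped (status $?)"
    else
        echo "$dn is not locked"
    fi
}

main
```

The password reset of section 32.2.6 is the same call with a different attribute: write_modify_ldif /tmp/resetpassword_SYS_ADMIN "$dn" userPassword NEW_PASSWORD produces exactly the file shown in step 2 there. After ldapmodify has run, re-run the page's ldapbind (for a reset) or ldapsearch (for an unlock) as the verification step.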

32.3 Configuring SSL for Oracle Identity Manager

This section describes the procedure for generating keys, signing and exporting certificates, setting up SSL configuration for Oracle Identity Manager and for the components with which Oracle Identity Manager interacts, and establishing secure communication between them. It includes the following topics:

32.3.1 Generating Keys

You can generate a private key and its public certificate by using the keytool command.

The following command creates an identity keystore (support.jks):

Note:

Change the parameter values passed to the keytool command according to your requirements. Ensure that there is no line break in the keytool argument.

keytool -genkey
-alias support
-keyalg RSA
-keysize 1024
-dname "CN=localhost, OU=Identity, O=Oracle Corporation,C=US"
-keypass weblogic1
-keystore support.jks
-storepass weblogic1

32.3.2 Signing the Certificates

Use the following keytool command to sign the certificates that you created:

Note:

Change the parameter values passed to the keytool command according to your requirements. Ensure that there is no line break in the keytool argument.

./keytool -selfcert -alias support
  -sigalg MD5withRSA -validity 2000 -keypass weblogic1
  -keystore support.jks
  -storepass weblogic1

32.3.3 Exporting the Certificate

Use the following keytool command to export the certificate from the identity keystore to a file, for example, supportcert.pem:

./keytool -export -alias support
  -file supportcert.pem
  -keypass weblogic1
  -keystore support.jks
  -storepass weblogic1

32.3.4 Importing the Certificate

Use the following keytool command to import the certificate from a file, such as wlservercert.pem, to the identity keystore:

keytool -import -alias serverwl -trustcacerts -file D:\bea\user_projects\domains\mydomain\wlservercert.pem 
-keystore CLIENT_TRUST_STORE -storepass CLIENT_TRUST_STORE_PASSWORD
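The keytool commands in sections 32.3.1 to 32.3.4 show the mechanics, but the parameter values in them (a 1024-bit RSA key, an MD5withRSA signature and the password weblogic1) are placeholders to be replaced, as the notes say. The following script is an added example, not part of the Oracle guide: it checks the parameters against a set of minimums before assembling the generate, export and import commands, and prints the commands instead of running them so that it can be tried without a JDK. The alias, keystore file and DN follow the page's example; the minimums (RSA of at least 2048 bits, no MD5 or SHA-1 signature, no well-known default password) are this example's assumptions rather than requirements stated by the guide.

```sh
#!/bin/sh
# Added example, not from the Oracle guide: wrap the key generation, export
# and import steps above in functions that first check the keytool
# parameters. Alias, keystore file and DN follow the page's example; the
# minimums enforced (RSA of at least 2048 bits, no MD5 or SHA-1 signature,
# no default password) are this example's assumptions, not the guide's.
# Commands are printed rather than run; set DRY_RUN=0 to execute them.

KS_ALIAS="support"
KS_FILE="support.jks"
KS_DNAME="CN=localhost, OU=Identity, O=Oracle Corporation, C=US"
DRY_RUN=1

# Arguments: keyalg keysize sigalg password. Prints each problem and returns
# the number of problems, so 0 means the parameters are acceptable.
keytool_params_ok() {
    alg="$1"; size="$2"; sig="$3"; pw="$4"
    n=0
    if [ "$alg" = RSA ] && [ "$size" -lt 2048 ]; then
        echo "keysize $size: RSA keys shorter than 2048 bits are below current minimums"
        n=$((n + 1))
    fi
    case "$sig" in
        MD5withRSA|SHA1withRSA)
            echo "sigalg $sig: MD5 is disabled for certificate validation in current Java runtimes and SHA-1 is being phased out"
            n=$((n + 1)) ;;
    esac
    case "$pw" in
        ""|weblogic1|changeit)
            echo "password: empty or well-known default keystore password"
            n=$((n + 1)) ;;
    esac
    return "$n"
}

# Run a command, or just print it in dry-run mode or when keytool is absent.
run() {
    if [ "$DRY_RUN" = 0 ] && command -v keytool >/dev/null 2>&1; then
        "$@"
    else
        printf 'would run:'; printf ' %s' "$@"; echo
    fi
}

# Sections 32.3.1 to 32.3.3 in one go: -genkeypair already self-signs the
# certificate with the given -sigalg and -validity, so the separate
# -selfcert pass is not needed. -exportcert is the current name of -export.
# Arguments: keyalg keysize sigalg password validity_days
make_identity_keystore() {
    alg="$1"; size="$2"; sig="$3"; pw="$4"; days="$5"
    keytool_params_ok "$alg" "$size" "$sig" "$pw" || return 1
    run keytool -genkeypair -alias "$KS_ALIAS" -keyalg "$alg" -keysize "$size" \
        -sigalg "$sig" -validity "$days" -dname "$KS_DNAME" \
        -keypass "$pw" -keystore "$KS_FILE" -storepass "$pw"
    run keytool -exportcert -alias "$KS_ALIAS" -file "${KS_ALIAS}cert.pem" \
        -keystore "$KS_FILE" -storepass "$pw"
}

# Section 32.3.4: import a server certificate into a client trust store.
# -importcert is the current name of -import.
# Arguments: alias cert_file truststore truststore_password
import_trusted_cert() {
    run keytool -importcert -alias "$1" -trustcacerts -file "$2" \
        -keystore "$3" -storepass "$4" -noprompt
}

# The page's own placeholder parameters fail the check; the second set passes.
make_identity_keystore RSA 1024 MD5withRSA weblogic1 2000 || echo "rejected"
make_identity_keystore RSA 2048 SHA256withRSA 'Example-Str0ng-Pass' 825
import_trusted_cert serverwl wlservercert.pem CLIENT_TRUST_STORE CLIENT_TRUST_STORE_PASSWORD
```

With DRY_RUN=0 and a JDK on the PATH the same calls create support.jks and supportcert.pem in the current directory, which is the input that "Importing the Certificate" and the custom keystore procedure in section 32.3.5.1.2 expect.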

32.3.5 Enabling SSL for Oracle Identity Manager and SOA Servers

You need to perform the following configurations in Oracle Identity Manager and SOA servers to enable SSL:

32.3.5.1 Enabling SSL for Oracle Identity Manager

Enabling SSL for Oracle Identity Manager is described in the following sections:

32.3.5.1.1 Enabling SSL for Oracle Identity Manager By Using Default Setting

To enable SSL for Oracle Identity Manager and SOA servers by using default setting:

  1. Log in to the WebLogic Server Administrative console and go to Servers, OIM_SERVER1, General. In the General section, enable the SSL listen port, set it to the port value you want, and activate the change.

  2. The server will start listening and you can access the URL with HTTPS protocol.

  3. Perform the same steps for Admin/SOA Servers as Oracle Identity Manager might need to interact with SSL-enabled SOA Server.

32.3.5.1.2 Enabling SSL for Oracle Identity Manager By Using Custom Keystore

To enable SSL for Oracle Identity Manager by using custom keystore:

Note:

  • Change the parameter values passed to the keytool command according to your requirements. Ensure that there is no line break in the keytool argument.

  • See "Generating Keys" for information about generating custom keys.

  1. In the WebLogic Server Administration Console, click Environment, Servers, Server_Name (OIM_Server1), Configuration, and then General.

  2. Click Lock & Edit.

  3. Select SSL listen port enabled. The default port is 14001.

  4. Select the Keystores tab.

  5. From the Keystore list, select Custom Identity, Java Standard Trust.

  6. In the Custom Identity Keystore field, enter the absolute path of custom identity keystore filename. For example:

    DOMAIN_HOME/config/fmwconfig/support.jks

  7. Specify JKS as the custom identity keystore type.

  8. Type the password (weblogic1) into the Custom Identity Keystore Passphrase and the Confirm Custom Identity Keystore Passphrase fields.

  9. Click Save.

  10. Click the SSL tab.

  11. Type support as the private key alias.

  12. Type the password (weblogic1) into the Private Key Passphrase and the Confirm Private Key Passphrase fields.

  13. Click Save.

  14. Click Activate changes.

  15. Restart all servers for these changes to take effect.

  16. Import the certificate that you exported in "Exporting the Certificate" into the SPML client truststore.

    See "Importing the Certificate" for information about importing the certificate.

After enabling SSL on Oracle Identity Manager and SOA Servers, perform the following changes for establishing secured communication between them:

32.3.5.2 Changing OimFrontEndURL to Use SSL Port

OimFrontEndURL is used to access the oim application UI. This can be a load balancer URL or web server URL (in case application server is fronted with load balancer or web server) or single application server URL. This is generally used by Oracle Identity Manager in the notification emails or to send a call back web service from SOA to Oracle Identity Manager.

To change the OimFrontEndURL to use SSL port:

  1. When the WebLogic admin and Oracle Identity Manager managed servers (at least one of the servers in case of cluster) are running, log in to Enterprise Manager (EM).

    For example:

    http://<AdminServer>/em

  2. Navigate to Identity and Access, Oracle Identity Manager.

  3. Right click and select System MBean Browser.

  4. Under Application Defined MBeans, navigate to oracle.iam, Application:oim, XMLConfig, Config, XMLConfig.DiscoveryConfig, Discovery.

  5. Enter a new value for the "OimFrontEndURL" attribute and click Apply to save the changes.

    For example:

    http://myoim.oracle.com

    https://myoim.oracle.com

    http://myserver.oracle.com:7001

    Note:

    Fusion Apps or SPML clients store Oracle Identity Manager URL for invoking SPML and also send callback response. Therefore, there will be changes needed corresponding to this. Also, if Oracle Identity Manager is integrated with OAM/OAAM/OIN, there may be corresponding changes necessary. Refer to Chapter 31, "Integrating with Other Oracle Components" for detailed information about the integration with other components.

32.3.5.3 Changing backOfficeURL to Use SSL Port

backOfficeURL change is required only for Oracle Identity Manager deployed in front-office/back-office configuration. For simple cluster or non-cluster installations the following does not apply. This URL is used internally by Oracle Identity Manager for accessing back-office components from the front-office components. This value needs to be changed initially during the implementation of back-office/front-office configuration, for adding additional servers to back office, and for removing servers from back-office.

To change the backOfficeURL to use SSL port:

  1. When the WebLogic admin and Oracle Identity Manager managed servers (at least one of the servers in case of cluster) are running, log in to Enterprise Manager (EM).

    For example:

    http://<AdminServer>/em

  2. Navigate to Identity and Access, Oracle Identity Manager.

  3. Right click and select System MBean Browser.

  4. Under Application Defined MBeans, navigate to oracle.iam, Application:oim, XMLConfig, Config, XMLConfig.DiscoveryConfig, Discovery.

  5. Enter a new value for the "backOfficeURL" attribute and click Apply to save the changes.

    For example:

    t3://mywls1.oracle.com:8001

    t3://mywls1.oracle.com:8001,mywls2.oracle.com:9001

    Note:

    For simple cluster and non-cluster installations the value must be empty.

32.3.5.4 Changing SOA Server URL to Use SSL Port

To change SOA server URL to use SSL port:

  1. When the admin server and Oracle Identity Manager managed servers are running, log in to Enterprise Manager (EM).

    For example:

    http://ADMINISTRATIVE_SERVER/em

  2. Navigate to Identity and Access, Oracle Identity Manager.

  3. Right click and select System MBean Browser.

  4. Under Application Defined MBeans, navigate to oracle.iam, Application:oim, XMLConfig, Config, XMLConfig.SOAConfig, SOAConfig.

  5. Change the values for attributes "Rmiurl", "Soapurl", and click Apply to save the changes.

    Note:

    Rmiurl is used for accessing SOA EJBs deployed on SOA managed servers.

    This is the application server URL. (For clustered installation, it is a comma separated list of all the SOA managed server URLs)

    For example:

    t3://mysoa1.oracle.com:8001

    t3s://mysoa1.oracle.com:8001,mysoa2.oracle.com:8002

    t3://mysoa1.oracle.com:8001,mysoa2.oracle.com:8002,mysoa3.com:8003

    Note:

    Soapurl is used to access SOA web services deployed on SOA managed servers. This is the web server/load balancer URL, in case of a SOA cluster front ended with web server/load balancer. In case of single SOA server, it can be application server URL.

    For example,

    http://myoimsoa.oracle.com

    https://mysoa.oracle.com:8001
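Sections 32.3.5.2 to 32.3.5.4 each change one MBean attribute, and the example values mix plain and SSL schemes (http and https, t3 and t3s) because the same MBean browser steps serve both deployments. The following script is an added example, not part of the Oracle guide, that checks the four values together before they are applied, so that a deployment that has just been switched to SSL does not keep an http:// or t3:// URL. The sample values are constructed from the page's examples; the rule that backOfficeURL stays empty outside a front-office/back-office deployment is the page's own.

```sh
#!/bin/sh
# Added example, not from the Oracle guide: a pre-check for the values
# entered in the Discovery and SOAConfig MBeans (sections 32.3.5.2 to
# 32.3.5.4) after SSL has been enabled, so that no plain http:// or t3://
# URL is left behind. Sample values are constructed from the page's
# examples; the rule that backOfficeURL stays empty outside a
# front-office/back-office deployment is the page's own.

# Verify a server list of the form scheme://host:port[,host:port...]
# against the expected scheme. Prints the first problem and returns 1.
check_server_list() {
    want="$1"; list="$2"
    pfx="$want://"
    case "$list" in
        "$pfx"*) ;;
        *) echo "expected $pfx in '$list'"; return 1 ;;
    esac
    rest="${list#"$pfx"},"
    while [ -n "$rest" ]; do
        item=${rest%%,*}; rest=${rest#*,}
        host=${item%%:*}; port=${item#*:}
        if [ -z "$host" ] || [ "$port" = "$item" ]; then
            echo "entry '$item' is not host:port"; return 1
        fi
        case "$port" in
            ""|*[!0-9]*) echo "entry '$item' has a non-numeric port"; return 1 ;;
        esac
    done
    return 0
}

# Check the four URLs together. Arguments:
#   OimFrontEndURL backOfficeURL Rmiurl Soapurl front_back_office(0|1)
# Returns the number of problems found (0 means safe to apply).
check_ssl_config() {
    front="$1"; back="$2"; rmi="$3"; soap="$4"; fbo="$5"
    n=0
    case "$front" in
        https://*) ;;
        *) echo "OimFrontEndURL '$front' is not https://"; n=$((n + 1)) ;;
    esac
    if [ "$fbo" = 1 ]; then
        check_server_list t3s "$back" || n=$((n + 1))
    elif [ -n "$back" ]; then
        echo "backOfficeURL must be empty for clustered and nonclustered deployments"
        n=$((n + 1))
    fi
    check_server_list t3s "$rmi" || n=$((n + 1))
    case "$soap" in
        https://*) ;;
        *) echo "Soapurl '$soap' is not https://"; n=$((n + 1)) ;;
    esac
    return "$n"
}

# Constructed sample: everything moved to SSL except Rmiurl.
check_ssl_config "https://myoim.oracle.com" "" \
    "t3://mysoa1.oracle.com:8001,mysoa2.oracle.com:8002" \
    "https://mysoa.oracle.com:8001" 0 \
    || echo "$? value(s) need attention before you click Apply"
```

Remember that the Provider URL of ForeignJNDIProvider-SOA (step 10 of section 32.1.5) must be set to the same Rmiurl value, so a t3s list that passes this check has to be copied there as well.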

32.3.5.5 Configuring SSL for Design Console

To configure the Design Console to establish a secure connection between Oracle Identity Manager and the Design Console:

  1. Add WebLogic server jars required to support SSL.

  2. Copy webserviceclient+ssl.jar from:

    $WL_HOME/server/lib

    to

    $OIM_HOME/designconsole/ext directory.

  3. Use the Server trust store in the Design console. To access this:

    1. Go to WebLogic Server Administrative console, Environment, Servers.

    2. Click <OIM_SERVER_NAME> to view details of the Oracle Identity Manager server.

    3. Click the KeyStores tab and note down the "Trust keystore" location in the "Trust" section.

If Design Console is Deployed on the Oracle Identity Manager Host

Set the TRUSTSTORE_LOCATION environment variable to the "Trust keystore" location noted above.

For example:

setenv TRUSTSTORE_LOCATION /scratch/user1/dogwoodsh100520/beahome/wlserver_10.3/server/lib/DemoTrust.jks

If Design Console is Deployed on a Different Computer than Oracle Identity Manager

Copy the "Trust keystore" to the box in which Design console is present and set the TRUSTSTORE_LOCATION env variable to the location where "Trust keystore" is copied on the local box.

32.3.5.6 Configuring SSL for Oracle Identity Manager Utilities

Oracle Identity Manager client utilities include PurgeCache, GenerateSnapshot, UploadJars, and UploadResources.

Set the TRUSTSTORE_LOCATION environment variable to the "Trust keystore" location.

Note:

See "Configuring SSL for Design Console" for details about setting the TRUSTSTORE_LOCATION environment variable to the "Trust keystore" location.

For example:

setenv TRUSTSTORE_LOCATION /scratch/user1/dogwoodsh100520/beahome/wlserver_10.3/server/lib/DemoTrust.jks

32.3.5.7 Configuring SSL for MDS Utilities

For all Oracle Identity Manager MDS utilities that contain WLST scripts, set the following environment variable in the shell in which you run the script:

WLST_PROPERTIES="-Dweblogic.security.SSL.ignoreHostnameVerification=true -Dweblogic.security.TrustKeyStore=DemoTrust"

Note:

After this property is set, WLST works correctly. INFO and NOTICE messages are displayed, which you can ignore.

32.3.5.8 Configuring SSL for SPML/Callback Domain

To configure SSL for SPML/callback domain:

  1. Ensure that the Oracle Identity Manager port is SSL enabled, with hostname verification set to false.

  2. Enable SSL on Fusion Applications including callback domain.

    See Also:

    "Enabling SSL for Oracle Identity Manager By Using Custom Keystore" for information about enabling SSL for Oracle Identity Manager by using custom keystore

  3. If you are using WebLogic default trust store, you must not change anything other than enabling the SSL mode.

  4. If you use certificates other than the default ones, then exchange the trusted certificates between the two sides to establish two-way trust. See "Signing the Certificates" and "Exporting the Certificate" for information about signing and exporting certificates.

    See Also:

    "Configuring SSL" in the Oracle Fusion Middleware Securing Oracle WebLogic Server for detailed information about configuring SSL for Oracle WebLogic Server

  5. If you are using a stand-alone client for sending SPML requests for testing purposes, then you must:

    1. Add the following system properties to the SPML client command so that the request is sent to the SSL-enabled Oracle Identity Manager port.

      • -Djavax.net.ssl.trustStore=D:\Oracle\Middleware1\wlserver_10.3\server\lib\DemoTrust.jks

        Note:

        Change the value of the javax.net.ssl.trustStore property to point to the truststore used to configure SSL.

        See "Configuring SSL for Design Console" for information about the location of the trust store used in WebLogic to configure SSL.

      • -Djava.protocol.handler.pkgs=weblogic.net

      • -Dweblogic.security.TrustKeyStore=DemoTrust

    2. Add webserviceclient+ssl.jar to your client classpath.

32.3.6 Enabling SSL for Oracle Identity Manager DB

You need to perform the following configurations to enable SSL for Oracle Identity Manager DB:

32.3.6.1 Setting Up DB in Server-Authentication SSL Mode

To set up DB in Server-Authentication SSL mode:

  1. Stop the DB server and the listener.

  2. Configure the listener.ora file as follows:

    1. Navigate to the path:

      $DB_ORACLE_HOME/network/admin directory

      For example:

      /scratch/user1/production-database/product/11.1.0/db_1/network/admin

    2. Edit the listener.ora file to include SSL listening port and Server Wallet Location.

      The following is a sample listener.ora file:

      # listener.ora Network Configuration File: /scratch/rbijja/production-database/product/11.1.0/db_1/network/admin/listener.ora
      # Generated by Oracle configuration tools.
       
      SSL_CLIENT_AUTHENTICATION = FALSE
       
      WALLET_LOCATION =
        (SOURCE =
          (METHOD = FILE)
          (METHOD_DATA =
            (DIRECTORY = /scratch/rbijja/production-database/product/11.1.0/db_1/bin/server_keystore_ssl.p12)
          )
        )
       
      LISTENER =
        (DESCRIPTION_LIST =
          (DESCRIPTION =
            (ADDRESS = (PROTOCOL = TCPS)(HOST = server1.mycompany.com)(PORT = 2484))
          )
          (DESCRIPTION =
            (ADDRESS = (PROTOCOL = TCP)(HOST = server1.mycompany.com)(PORT = 1521))
          )
        )
       
      TRACE_LEVEL_LISTENER = SUPPORT
      
  3. Configure the sqlnet.ora file as follows:

    1. Navigate to the path:

      $DB_ORACLE_HOME/network/admin directory

      For example:

      /scratch/user1/production-database/product/11.1.0/db_1/network/admin

    2. Edit sqlnet.ora file to include:

      • TCPS Authentication Services

      • SSL_VERSION

      • Server Wallet Location

      • SSL_CLIENT_AUTHENTICATION type (either true or false)

      • SSL_CIPHER_SUITES that can be allowed in the communication (optional)

      The following is a sample sqlnet.ora file:

      # sqlnet.ora Network Configuration File: /scratch/rbijja/production-database/product/11.1.0/db_1/network/admin/sqlnet.ora
      # Generated by Oracle configuration tools.
       
      SQLNET.AUTHENTICATION_SERVICES= (BEQ, TCPS)
       
      SSL_VERSION = 3.0
       
      SSL_CLIENT_AUTHENTICATION = FALSE
       
      WALLET_LOCATION =
        (SOURCE =
          (METHOD = FILE)
          (METHOD_DATA =
            (DIRECTORY = /scratch/rbijja/production-database/product/11.1.0/db_1/bin/server_keystore_ssl.p12)
          )
        )
      
  4. Configure the tnsnames.ora file as follows:

    1. Navigate to the path:

      $DB_ORACLE_HOME/network/admin directory

      For example:

      /scratch/user1/production-database/product/11.1.0/db_1/network/admin

    2. Edit the tnsnames.ora file to include the SSL listening port in the description list of the service.

      The following is a sample tnsnames.ora file:

      # tnsnames.ora Network Configuration File: /scratch/user1/production-database/product/11.1.0/db_1/network/admin/tnsnames.ora
      # Generated by Oracle configuration tools.
      
      PRODDB =
       (DESCRIPTION_LIST =
        (DESCRIPTION =
          (ADDRESS = (PROTOCOL = TCPS)(HOST = server1.mycompany.com)(PORT = 2484))
          (CONNECT_DATA =
            (SERVER = DEDICATED)
            (SERVICE_NAME = proddb)
          )
        )
        (DESCRIPTION =
          (ADDRESS = (PROTOCOL = TCP)(HOST = server1.mycompany.com)(PORT = 1521))
          (CONNECT_DATA =
            (SERVER = DEDICATED)
            (SERVICE_NAME = proddb)
          )
        )
       )
      
  5. Start/Stop utilities for DB server.

  6. Start the DB server.

32.3.6.2 Creating KeyStores and Certificates

You can create server side and client side KeyStores by using the orapki utility. This utility is shipped as part of the Oracle DB installation.

KeyStores can be of any format, such as JKS or PKCS12. The keystore format depends on the provider implementation. For example, JKS is the implementation provided by Sun/Oracle, whereas PKCS12 is implemented by OraclePKIProvider.

Only a JKS client KeyStore is used in Oracle Identity Manager for the DB server, because supporting a non-JKS KeyStore format such as PKCS12 would require significant installer changes at a critical point in the release. Oracle Identity Manager already has a KeyStore named default-keystore.jks, which is in JKS format.

The following are the KeyStores that you can create by using the orapki utility:

Creating a Root CA Wallet

To create a root certification authority (CA) wallet:

  1. Navigate to the following path:

    $DB_ORACLE_HOME/bin directory

  2. Create a wallet by using the command:

    ./orapki wallet create -wallet CA_keystore.p12 -pwd welcome1
    
  3. Add a self signed certificate to the CA wallet by using the command:

    ./orapki wallet add -wallet CA_keystore.p12 -dn 'CN=root_test,C=US' -keysize 2048 -self_signed -validity 3650 -pwd welcome1
    
  4. View the wallet using the command:

    ./orapki wallet display -wallet CA_keystore.p12 -pwd welcome1
    
  5. Export the self signed certificate from the CA wallet using the command:

    ./orapki wallet export -wallet CA_keystore.p12 -dn 'CN=root_test,C=US' -cert self_signed_CA.cert -pwd welcome1
    

Creating DB Server Side Wallet

To create a DB server side wallet:

  1. Create a server wallet using the command:

    ./orapki wallet create -wallet server_keystore_ssl.p12 -auto_login -pwd welcome1
    
  2. Add a certificate request to the server wallet using the command:

    ./orapki wallet add -wallet server_keystore_ssl.p12 -dn 'CN=Customer,OU=Customer,O=Customer,L=City,ST=NY,C=US' -keysize 2048 -pwd welcome1
    
  3. Export the certificate request to a file, which is used later to get it signed with the root CA signature:

    ./orapki wallet export -wallet server_keystore_ssl.p12 -dn 'CN=Customer,OU=Customer,O=Customer,L=City,ST=NY,C=US' -request server_creq.csr -pwd welcome1
    
  4. Get the server wallet's certificate request signed using the CA signature:

    ./orapki cert create -wallet CA_keystore.p12 -request server_creq.csr -cert server_creq_signed.cert -validity 3650 -pwd welcome1
    
  5. View the signed certificate using the command:

    ./orapki cert display -cert server_creq_signed.cert -complete
    
  6. Import the trusted CA certificate into the server wallet using the command:

    ./orapki wallet add -wallet server_keystore_ssl.p12 -trusted_cert -cert self_signed_CA.cert -pwd welcome1
    
  7. Import this newly created signed certificate (user certificate) to the server wallet using the command:

    ./orapki wallet add -wallet server_keystore_ssl.p12 -user_cert -cert server_creq_signed.cert -pwd welcome1
    

Creating Client Side Wallet

To create a client side (Oracle Identity Manager server) wallet:

  1. Use the default-keystore.jks keystore, which is located at the following path, as the client keystore:

    DOMAIN_HOME/config/fmwconfig

    Note:

    You can also use Oracle PKCS12 wallet as the client keystore.

  2. Import the self-signed CA trusted certificate that you exported with the server side commands into the client keystore (default-keystore.jks) by using the command:

    keytool -import -trustcacerts -alias dbtrusted -noprompt -keystore default-keystore.jks -file self_signed_CA.cert -storepass xellerate
    

32.3.6.3 Updating Oracle Identity Manager

You need to perform the following steps in Oracle Identity Manager to enable Oracle Identity Manager and Oracle Identity Manager DB in SSL mode for a secure communication:

  1. Import the trusted certificate into the default-keystore.jks keystore of Oracle Identity Manager.

  2. Log in to Enterprise Manager.

  3. Navigate to Identity and Access, OIM.

  4. Right click and navigate to System MBean Browser.

  5. Under Application Defined MBeans, navigate to oracle.iam, Application:oim, XMLConfig, Config, XMLConfig.DirectDBConfig, and DirectDB.

  6. Change the values of the "Sslenabled" and "Url" attributes, and click Apply. If SSL mode is enabled for the DB, then "Url" must use the TCPS protocol and the SSL port.

    For example:

    url="jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=my.domain.com)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=proddb)))"

  7. Restart the Oracle Identity Manager server.
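The sample listener.ora and tnsnames.ora in "Setting Up DB in Server-Authentication SSL Mode" keep the plaintext TCP address on port 1521 next to the TCPS address on 2484, so a descriptor or DirectDB Url can silently fall back to an unencrypted connection. The following check, added here as an example and not part of this guide, parses the ADDRESS clauses of a tnsnames.ora entry or the DirectDB JDBC URL shown above and reports any address that is not TCPS; the sample inputs are constructed from this chapter's examples.

```python
import re
from typing import Dict, List

# Constructed samples modelled on this chapter's examples: the DirectDB JDBC URL
# and a tnsnames.ora entry that keeps the plaintext TCP fallback on port 1521.
SAMPLE_JDBC_URL = (
    "jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=my.domain.com)"
    "(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=proddb)))"
)
SAMPLE_TNS_ENTRY = """PRODDB =
 (DESCRIPTION_LIST =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCPS)(HOST = server1.mycompany.com)(PORT = 2484))
    (CONNECT_DATA = (SERVER = DEDICATED)(SERVICE_NAME = proddb))
  )
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = server1.mycompany.com)(PORT = 1521))
    (CONNECT_DATA = (SERVER = DEDICATED)(SERVICE_NAME = proddb))
  )
 )
"""

# An ADDRESS clause is a flat run of (KEY = VALUE) pairs; SQL*Net keywords are case-insensitive.
ADDRESS_RE = re.compile(r"\(\s*ADDRESS\s*=\s*((?:\([^()]*\)\s*)+)\)", re.IGNORECASE)
KV_RE = re.compile(r"\(\s*([A-Za-z_]+)\s*=\s*([^()]*?)\s*\)")

def parse_addresses(descriptor: str) -> List[Dict[str, str]]:
    """Return every ADDRESS clause as a dict keyed by upper-cased PROTOCOL/HOST/PORT."""
    return [
        {k.upper(): v for k, v in KV_RE.findall(m.group(1))}
        for m in ADDRESS_RE.finditer(descriptor)
    ]

def plaintext_addresses(descriptor: str) -> List[str]:
    """host:port of each address that is not TCPS and so still accepts unencrypted SQL*Net."""
    return [
        f"{a.get('HOST', '?')}:{a.get('PORT', '?')}"
        for a in parse_addresses(descriptor)
        if a.get("PROTOCOL", "").upper() != "TCPS"
    ]

def is_ssl_only(descriptor: str) -> bool:
    """True when the descriptor has at least one address and all of them use TCPS."""
    addrs = parse_addresses(descriptor)
    return bool(addrs) and all(a.get("PROTOCOL", "").upper() == "TCPS" for a in addrs)

if __name__ == "__main__":
    for name, text in (("DirectDB Url", SAMPLE_JDBC_URL), ("tnsnames PRODDB", SAMPLE_TNS_ENTRY)):
        print(name, "SSL only:", is_ssl_only(text), "plaintext:", plaintext_addresses(text))
```

Run it against the actual "Url" attribute value from the DirectDB MBean and the tnsnames.ora entry the datasources use; an empty plaintext list for each confirms that no address still uses TCP.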

32.3.6.4 Updating WebLogic Server

After enabling SSL for the Oracle Identity Manager DB, you need to change the following Oracle Identity Manager datasources and authenticators to use the DB SSL port:

Configuring Datasource

To configure the datasource:

  1. Log in to Enterprise Manager.

  2. Perform the host/port changes.

    Note:

    Before performing changes to the database host/port, you must shut down the managed servers hosting the Oracle Identity Manager application. However, you can keep the WebLogic Admin Server up and running.

Updating Datasource oimJMSStoreDS Configuration

To update the datasource oimJMSStoreDS configuration:

  1. Log in to WebLogic Server.

  2. Navigate to Services, JDBC, Data Sources, oimJMSStoreDS.

  3. Click the Connection Pool tab and change the value of the URL and Properties to reflect the changes to DB host/port.

Updating Datasource oimOperationsDB Configuration

To update the datasource oimOperationsDB configuration:

  1. Log in to Enterprise Manager.

  2. Navigate to Services, JDBC, Data Sources, oimOperationsDB.

  3. Click the Connection Pool tab and change the value of the URL and Properties to reflect the changes to DB host/port.

Updating Datasource Related to Oracle Identity Manager MDS Configuration

To update datasource related to Oracle Identity Manager MDS configuration:

  1. Log in to Enterprise Manager.

  2. Navigate to Services, JDBC, Data Sources, mds-oim.

  3. Click the Connection Pool tab and change the value of the URL and Properties to reflect the changes to DB host/port.

    Note:

    You might have to perform similar updates for SOA/OWSM related datasources if required.

Updating Oracle Identity Manager Authenticators

The existing Oracle Identity Manager authenticators in the WebLogic server are configured with non-SSL DB details, and they do not use datasources to communicate with the Oracle Identity Manager DB. To use SSL DB details in the authenticators, perform the following:

  1. Ensure that the datasources are configured for SSL.

  2. In WebLogic Administrative console, navigate to Security Realms, myrealm, Providers.

  3. Remove OIMAuthenticationProvider.

  4. Create an authentication provider of type "OIMAuthenticator" and mark the control flag as SUFFICIENT.

  5. Create an authentication provider of type "OIMSignatureAuthenticator" and mark the control flag as SUFFICIENT.

  6. Reorder the authenticators as:

    1. DefaultAuthenticator

    2. OIMAuthenticator

    3. OIMSignatureAuthenticator

    4. Other providers if any

  7. Restart all servers.

32.3.7 Enabling SSL for LDAP Synchronization

You need to perform the following configurations to enable Oracle Identity Manager to use SSL enabled Oracle Virtual Directory (OVD):

32.3.7.1 Enabling OVD-OID with SSL

To enable OVD-OID with SSL:

  1. Log in to the OVD EM console.

  2. Expand Identity and Access and navigate to ovd1, Administration, Listeners.

  3. Click Create and enter all the required fields.

    Note:

    You must select the Listener Type as LDAP.

  4. Click OK.

  5. Select the newly created LDAP listener and click Edit.

  6. In the Edit Listener - OIM SSL ENDPOINT page, edit the newly created LDAP listener.

  7. Click OK. The SSL Configuration page opens.

  8. Select the Enable SSL checkbox.

  9. In the Advanced SSL Settings section, for SSL Authentication, select No Authentication.

  10. Click OK.

  11. Stop and start the OVD server for the changes to take effect.

    Note:

    You must not use the restart option.

32.3.7.2 Updating Oracle Identity Manager for OVD Host/Port

When LDAPSync is enabled on Oracle Identity Manager, Oracle Identity Manager connects to directory servers through OVD, using the ldap or ldaps protocol.

To change OVD host/port:

  1. Log in to Oracle Identity System Administration.

  2. Navigate to Advanced and click Manage IT Resource.

  3. Select IT Resource Type as Directory Server and click Search.

  4. In the IT Resource Directory Server, edit "server URL" to include SSL protocol and SSL port details.

  5. Ensure that Use SSL is set to true and click Update.