9 Preparing Identity Stores

This chapter describes how to prepare the Identity Store in an Oracle Identity Management enterprise deployment.

It contains the following sections:

9.1 Overview of Preparing Identity Stores

Preparing the Identity Store involves extending the schema of the directory to support Oracle Access Management Access Manager and Oracle Identity Manager, then seeding the Identity Store with system users that will be used when building the Identity Management topology.

9.2 Backing up the LDAP Directories

The procedures described in this chapter change the configuration of the LDAP directories that host the Identity Store. Before performing any of these tasks, back up your LDAP directories, as described in Section 17.6.3, "Performing Backups During Installation and Configuration."

9.3 Prerequisites

Before proceeding, ensure that the following statements are true:

  • A High Availability LDAP directory, such as Oracle Unified Directory, is available.

  • Other directories, such as Active Directory, are installed and available (if required).

9.4 Preparing the Identity Store

This section describes how to prepare the Identity Store. It contains the following topics:

9.4.1 Overview of Preparing the Identity Store

Before you can use a directory to support Access Manager, you must extend the schema of the LDAP directory you are using to include the object classes required by Access Manager.

In addition to extending the directory schema, you must create a number of users. These users are used later on in the guide for such things as:

  • Accessing the directory using a dedicated user.

  • Accessing Access Manager, the directory, and WebLogic after these products have offloaded authentication to an external directory.

9.4.2 Creating the Configuration File

Create a property file, idstore.props, on IDMHOST1 to use when preparing the Identity Store. The file will have the following structure:

Oracle Unified Directory Example

# Common
IDSTORE_HOST: IDMHOST1.mycompany.com
IDSTORE_PORT: 1389
IDSTORE_ADMIN_PORT: 4444
IDSTORE_KEYSTORE_FILE: OUD_ORACLE_INSTANCE/OUD/config/admin-keystore
IDSTORE_KEYSTORE_PASSWORD: Password key
IDSTORE_BINDDN: cn=oudadmin
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=mycompany,dc=com
IDSTORE_SEARCHBASE: dc=mycompany,dc=com
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_USERSEARCHBASE: cn=Users, dc=mycompany,dc=com
IDSTORE_NEW_SETUP: true
POLICYSTORE_SHARES_IDSTORE: true
# OAM
IDSTORE_OAMADMINUSER:oamadmin
IDSTORE_OAMSOFTWAREUSER:oamLDAP
OAM11G_IDSTORE_ROLE_SECURITY_ADMIN:OAMAdministrators
# OAM and OIM
IDSTORE_SYSTEMIDBASE: cn=systemids,dc=mycompany,dc=com
# OIM
IDSTORE_OIMADMINGROUP: OIMAdministrators
IDSTORE_OIMADMINUSER: oimLDAP
# WebLogic
IDSTORE_WLSADMINUSER : weblogic_idm
IDSTORE_WLSADMINGROUP : WLSAdmins

Oracle Internet Directory Example

# Common
IDSTORE_HOST: OIDHOST1.mycompany.com
IDSTORE_PORT: 3060 
IDSTORE_BINDDN: cn=orcladmin
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=mycompany,dc=com
IDSTORE_SEARCHBASE: dc=mycompany,dc=com
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_USERSEARCHBASE: cn=Users, dc=mycompany,dc=com
POLICYSTORE_SHARES_IDSTORE: true
IDSTORE_NEW_SETUP: true
# OAM
IDSTORE_OAMADMINUSER:oamadmin 
IDSTORE_OAMSOFTWAREUSER:oamLDAP 
OAM11G_IDSTORE_ROLE_SECURITY_ADMIN:OAMAdministrators
# OAM and OIM
IDSTORE_SYSTEMIDBASE: cn=systemids,dc=mycompany,dc=com 
# OIM
IDSTORE_OIMADMINGROUP: OIMAdministrators 
IDSTORE_OIMADMINUSER: oimLDAP 
# WebLogic
IDSTORE_WLSADMINUSER : weblogic_idm
IDSTORE_WLSADMINGROUP : WLSAdmins

Where:

  • IDSTORE_HOST and IDSTORE_PORT are, respectively, the host and port of your Identity Store directory. Specify the back end directory here, rather than OVD. In the case of OID and OUD, specify, respectively, one of the Oracle Internet Directory or Oracle Unified Directory instances, for example:

    OID: OIDHOST1 and 3060

    OUD: IDMHOST1 and 1389

  • IDSTORE_ADMIN_PORT (LDAP_DIR_ADMIN_PORT) is the administration port of your Oracle Unified Directory instance. If you are not using Oracle Unified Directory, you can leave out this parameter.

  • IDSTORE_KEYSTORE_FILE is the location of the Oracle Unified Directory Keystore file. It is used to enable communication with Oracle Unified Directory using the Oracle Unified Directory administration port. It is called admin-keystore and is located in OUD_ORACLE_INSTANCE/OUD/config. If you are not using Oracle Unified Directory, you can leave out this parameter. This file must be located on the same host that the idmConfigTool command is running on. The command uses this file to authenticate itself with OUD.

  • IDSTORE_KEYSTORE_PASSWORD is the encrypted password of the Oracle Unified Directory keystore. This value can be found in the file OUD_ORACLE_INSTANCE/OUD/config/admin-keystore.pin. If you are not using Oracle Unified Directory, you can leave out this parameter.

  • IDSTORE_BINDDN is an administrative user in the Identity Store directory.

  • IDSTORE_GROUPSEARCHBASE is the location in the directory where groups are stored.

  • IDSTORE_SEARCHBASE is the location in the directory where users and groups are stored.

  • IDSTORE_USERNAMEATTRIBUTE is the name of the directory attribute containing the user's name. Note that this is different from the login name.

  • IDSTORE_LOGINATTRIBUTE is the LDAP attribute which contains the user's login name.

  • IDSTORE_USERSEARCHBASE is the location in the directory where users are stored.

  • IDSTORE_NEW_SETUP is always set to true for Oracle Unified Directory. If you are not using OUD, you do not need to specify this attribute.

  • POLICYSTORE_SHARES_IDSTORE is set to true for IDM 11g.

  • IDSTORE_OAMADMINUSER is the name of the user you want to create as your Access Manager administrator.

  • IDSTORE_OAMSOFTWAREUSER is a user that is created in LDAP and that Access Manager uses at run time to connect to the LDAP server.

  • OAM11G_IDSTORE_ROLE_SECURITY_ADMIN is the name of the group which is used to allow access to the OAM console.

  • IDSTORE_SYSTEMIDBASE is the location of a container in the directory where users can be placed when you do not want them in the main user container. This is rarely needed; one example is the Oracle Identity Manager reconciliation user, which is also used as the bind DN user in Oracle Virtual Directory adapters.

  • IDSTORE_OIMADMINGROUP is the name of the group you want to create to hold your Oracle Identity Manager administrative users.

  • IDSTORE_OIMADMINUSER is the user that Oracle Identity Manager uses to connect to the Identity Store.

  • IDSTORE_WLSADMINUSER is the user name used to log in to the WebLogic domain once single sign-on is enabled for it.

  • IDSTORE_WLSADMINGROUP is the name of the group to which users who are allowed to log in to the WebLogic system components, such as the WLS Console and EM, belong.

Use OIM entries only if your topology includes Oracle Identity Manager. Use OAM entries only if your topology includes Access Manager.
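The parameter list above is long enough that a mistyped key, an empty value, or a parameter left over from the wrong directory type is easy to miss until idmConfigTool fails part-way through a schema load. The script below is an added example and is not part of idmConfigTool or of any Oracle product. It parses an idstore.props file (tolerating the KEY: value, KEY:value and KEY : value spacing that the samples mix), checks that the keys each -prepareIDStore mode (WLS, OAM, OIM) uses are present and non-empty, that the OUD-only parameters appear only for an OUD store, that IDSTORE_PORT is a valid port, and that the user, group and system-ID containers sit under IDSTORE_SEARCHBASE. Which keys count as required for each mode is this script's reading of the # OAM, # OIM and # WebLogic sections of the sample files, not a published idmConfigTool contract; the embedded sample is the OUD example from this section.

```python
"""Sanity-check an idmConfigTool idstore.props file before running
-preConfigIDStore or -prepareIDStore.

Added example for this chapter; it is not part of idmConfigTool or of any
Oracle product. The key groups below follow the # Common / # OAM / # OIM /
# WebLogic sections of the sample file and the chapter's notes on which
parameters are OUD-only; treating them as hard requirements is this script's
assumption, not a published idmConfigTool contract.
"""
import re

# Keys every idstore.props needs (the "# Common" section of the sample).
COMMON_KEYS = (
    "IDSTORE_HOST", "IDSTORE_PORT", "IDSTORE_BINDDN", "IDSTORE_GROUPSEARCHBASE",
    "IDSTORE_SEARCHBASE", "IDSTORE_USERNAMEATTRIBUTE", "IDSTORE_LOGINATTRIBUTE",
    "IDSTORE_USERSEARCHBASE", "POLICYSTORE_SHARES_IDSTORE",
)
# Parameters the chapter says to leave out unless the store is OUD.
OUD_ONLY_KEYS = ("IDSTORE_ADMIN_PORT", "IDSTORE_KEYSTORE_FILE",
                 "IDSTORE_KEYSTORE_PASSWORD")
# Keys used by each -prepareIDStore mode (IDSTORE_SYSTEMIDBASE serves OAM and OIM).
MODE_KEYS = {
    "WLS": ("IDSTORE_WLSADMINUSER", "IDSTORE_WLSADMINGROUP"),
    "OAM": ("IDSTORE_OAMADMINUSER", "IDSTORE_OAMSOFTWAREUSER",
            "OAM11G_IDSTORE_ROLE_SECURITY_ADMIN", "IDSTORE_SYSTEMIDBASE"),
    "OIM": ("IDSTORE_OIMADMINGROUP", "IDSTORE_OIMADMINUSER", "IDSTORE_SYSTEMIDBASE"),
}

# The OUD sample from this chapter, embedded here as constructed test input.
SAMPLE_OUD_PROPS = """\
# Common
IDSTORE_HOST: IDMHOST1.mycompany.com
IDSTORE_PORT: 1389
IDSTORE_ADMIN_PORT: 4444
IDSTORE_KEYSTORE_FILE: OUD_ORACLE_INSTANCE/OUD/config/admin-keystore
IDSTORE_KEYSTORE_PASSWORD: Password key
IDSTORE_BINDDN: cn=oudadmin
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=mycompany,dc=com
IDSTORE_SEARCHBASE: dc=mycompany,dc=com
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_USERSEARCHBASE: cn=Users, dc=mycompany,dc=com
IDSTORE_NEW_SETUP: true
POLICYSTORE_SHARES_IDSTORE: true
# OAM
IDSTORE_OAMADMINUSER:oamadmin
IDSTORE_OAMSOFTWAREUSER:oamLDAP
OAM11G_IDSTORE_ROLE_SECURITY_ADMIN:OAMAdministrators
# OAM and OIM
IDSTORE_SYSTEMIDBASE: cn=systemids,dc=mycompany,dc=com
# OIM
IDSTORE_OIMADMINGROUP: OIMAdministrators
IDSTORE_OIMADMINUSER: oimLDAP
# WebLogic
IDSTORE_WLSADMINUSER : weblogic_idm
IDSTORE_WLSADMINGROUP : WLSAdmins
"""

LINE_RE = re.compile(r"^([A-Za-z0-9_]+)\s*:\s*(.*?)\s*$")


def parse_props(text):
    """Return {KEY: value}; accepts 'KEY: v', 'KEY:v' and 'KEY : v' as the samples mix them."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unparseable line: %r" % raw)
        props[m.group(1)] = m.group(2)
    return props


def _norm_dn(dn):
    """Lower-case a DN and drop whitespace around commas so 'cn=Users, dc=x' compares equal."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def check_props(props, directory_type, modes):
    """Return a list of problems; an empty list means the file looks usable for those modes."""
    problems = []
    required = list(COMMON_KEYS)
    for mode in modes:
        required.extend(MODE_KEYS[mode])
    if directory_type == "OUD":
        required.extend(OUD_ONLY_KEYS)
    for key in required:
        if not props.get(key):
            problems.append("missing or empty: " + key)
    if directory_type == "OUD":
        if props.get("IDSTORE_NEW_SETUP", "").lower() != "true":
            problems.append("IDSTORE_NEW_SETUP must be true for OUD")
    else:
        for key in OUD_ONLY_KEYS:
            if key in props:
                problems.append("OUD-only parameter present for %s store: %s" % (directory_type, key))
    if props.get("POLICYSTORE_SHARES_IDSTORE", "").lower() != "true":
        problems.append("POLICYSTORE_SHARES_IDSTORE should be true for IDM 11g")
    port = props.get("IDSTORE_PORT", "")
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        problems.append("IDSTORE_PORT is not a valid TCP port: %r" % port)
    # Containers named in the file must sit under IDSTORE_SEARCHBASE.
    base = _norm_dn(props.get("IDSTORE_SEARCHBASE", ""))
    for key in ("IDSTORE_USERSEARCHBASE", "IDSTORE_GROUPSEARCHBASE", "IDSTORE_SYSTEMIDBASE"):
        if key in props and not _norm_dn(props[key]).endswith(base):
            problems.append("%s is not under IDSTORE_SEARCHBASE" % key)
    return problems


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OUD_PROPS
    for problem in check_props(parse_props(text), "OUD", ["WLS", "OAM", "OIM"]) or ["OK"]:
        print(problem)
```

Run it with the path to your idstore.props as the only argument; with no argument it checks the embedded OUD sample, which passes cleanly for all three modes. Pass "OID" as the directory type for an Oracle Internet Directory store and the script reports any OUD-only parameters that were left in the file.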

9.4.3 Preparing a Directory for Access Manager and Oracle Identity Manager

This section explains how to deploy Identity Management components to support Oracle Unified Directory, Oracle Internet Directory, or Active Directory as the identity store.

It contains the following topics:

9.4.3.1 Configuring Oracle Unified Directory and Oracle Internet Directory for Use with Access Manager and Oracle Identity Manager

Pre-configuring the Identity Store extends the schema in Oracle Unified Directory or Oracle Internet Directory.

Note:

You do not need to preconfigure the Identity Store unless you are using Access Manager or Oracle Identity Manager.

To do this, perform the following tasks on IDMHOST1:

  1. Set MW_HOME to IAM_MW_HOME.

    Set ORACLE_HOME to IAM_ORACLE_HOME.

    Set JAVA_HOME to JAVA_HOME.

  2. Configure the Identity Store by using the command idmConfigTool, which is located at:

    IAM_ORACLE_HOME/idmtools/bin

    Note:

    When you run the idmConfigTool, it creates or appends to the file idmDomainConfig.param. This file is generated in the same directory that the idmConfigTool is run from. To ensure that each time the tool is run, the same file is appended to, always run the idmConfigTool from the directory:

    IAM_ORACLE_HOME/idmtools/bin

    The syntax of the command on Linux is:

    idmConfigTool.sh -preConfigIDStore input_file=configfile 
    

    For example:

    idmConfigTool.sh -preConfigIDStore input_file=idstore.props
    

    When the command runs, you are prompted to enter the password of the account you are connecting to the Identity Store with. This command might take some time to complete.

    Sample command output:

    Enter ID Store Bind DN password :
    Dec 4, 2012 11:39:19 AM oracle.ldap.util.LDIFLoader loadOneLdifFileINFO: -> LOADING: /u01/oracle/products/access/iam/idmtools/templates/oud/oud_schema_extn.ldif
    Dec 4, 2012 11:39:20 AM oracle.ldap.util.LDIFLoader loadOneLdifFileINFO: -> LOADING: /u01/oracle/products/access/iam/oam/server/oim-intg/ldif/ojd/schema/ojd_oam_pwd_schema_add.ldif
    Dec 4, 2012 11:39:20 AM oracle.ldap.util.LDIFLoader loadOneLdifFileINFO: -> LOADING: /u01/oracle/products/access/iam/oam/server/oim-intg/ldif/ojd/schema/ojd_user_schema_add.ldif
    Dec 4, 2012 11:39:20 AM oracle.ldap.util.LDIFLoader loadOneLdifFileINFO: -> LOADING: /u01/oracle/products/access/iam/oam/server/oim-intg/ldif/ojd/schema/ojd_user_index_generic.ldif
    Dec 4, 2012 11:39:21 AM oracle.ldap.util.LDIFLoader loadOneLdifFileINFO: -> LOADING: /u01/oracle/products/access/iam/idmtools/templates/oud/add_oraclecontext_container.ldif
    Dec 4, 2012 11:39:21 AM oracle.ldap.util.LDIFLoader loadOneLdifFileINFO: -> LOADING: /u01/oracle/products/access/iam/idmtools/templates/oud/oud_indexes_extn.ldif
    Dec 4, 2012 11:39:21 AM oracle.ldap.util.LDIFLoader loadOneLdifFileINFO: -> LOADING: /u01/oracle/products/access/iam/idmtools/templates/oud/idm_idstore_groups_template.ldif
    Dec 4, 2012 11:39:21 AM oracle.ldap.util.LDIFLoader loadOneLdifFileINFO: -> LOADING: /u01/oracle/products/access/iam/idmtools/templates/oud/idm_idstore_groups_acl_template.ldif
    Dec 4, 2012 11:39:21 AM oracle.ldap.util.LDIFLoader loadOneLdifFileINFO: -> LOADING: /u01/oracle/products/access/iam/idmtools/templates/oud/systemid_pwdpolicy.ldif
    Dec 4, 2012 11:39:21 AM oracle.ldap.util.LDIFLoader loadOneLdifFileINFO: -> LOADING: /u01/oracle/products/access/iam/idmtools/templates/oud/fa_pwdpolicy.ldif
    The tool has completed its operation. Details have been logged to automation.log
    
  3. Check the log file for any errors or warnings and correct them. The file with the name automation.log is created in the directory from where you run the tool.

Note:

In addition to creating users, idmConfigTool creates the following groups:

  • orclFAUserReadPrivilegeGroup

  • orclFAUserWritePrivilegeGroup

  • orclFAUserWritePrefsPrivilegeGroup

  • orclFAGroupReadPrivilegeGroup

  • orclFAGroupWritePrivilegeGroup

See Also:

Oracle Fusion Middleware Integration Overview for Oracle Identity Management Suite for more information about the idmConfigTool command.

9.4.3.2 Configuring Active Directory for Use with Access Manager and Oracle Identity Manager

This section describes how to configure Active Directory. Extend the schema in Active Directory as follows.

Note:

The order in which you perform the steps is critical!

  1. Locate the following files:

    IDM_ORACLE_HOME/oam/server/oim-intg/ldif/ad/schema/ADUserSchema.ldif

    IDM_ORACLE_HOME/oam/server/oim-intg/ldif/ad/schema/AD_oam_pwd_schema_add.ldif

  2. In both these files, replace the domain-dn with the appropriate domain-dn value.

  3. Use ldapadd from the command line to load the two LDIF files, as follows.

    ldapadd -h activedirectoryhostname -p activedirectoryportnumber -D AD_administrator -q -c -f file
    

    where AD_administrator is a user that has schema extension privileges in the directory.

    For example:

    ldapadd -h "ACTIVEDIRECTORYHOST.mycompany.com" -p 389 -D adminuser -q -c -f ADUserSchema.ldif
    ldapadd -h "ACTIVEDIRECTORYHOST.mycompany.com" -p 389 -D adminuser -q -c -f AD_oam_pwd_schema_add.ldif
    

    Note:

    After the -D you can specify either a DN or user@domain.com.

  4. Then go to:

    IAM_MW_HOME/oracle_common/modules/oracle.ovd_11.1.1/oimtemplates

    Run the following command to extend Active Directory schema:

    sh extendadschema.sh -h AD_host -p AD_port -D 'administrator@mydomain.com' -AD "dc=mydomain,dc=com" -OAM true
    

    The command is extendadschema.bat on Windows.

9.4.4 Creating Users and Groups

You must seed the Identity Store with users and groups that are required by the Identity Management components.

To seed the Identity Store, perform the following tasks on IDMHOST1:

  1. Set MW_HOME to IAM_MW_HOME.

    Set ORACLE_HOME to IAM_ORACLE_HOME.

    Set JAVA_HOME to JAVA_HOME.

  2. Configure the Identity Store by using the command idmConfigTool, which is located at:

    IAM_ORACLE_HOME/idmtools/bin

    Note:

    When you run the idmConfigTool, it creates or appends to the file idmDomainConfig.param. This file is generated in the same directory that the idmConfigTool is run from. To ensure that each time the tool is run, the same file is appended to, always run the idmConfigTool from the directory:

    IAM_ORACLE_HOME/idmtools/bin

    The syntax of the command on Linux is:

    idmConfigTool.sh -prepareIDStore mode=MODE input_file=configfile 
    

    The value selected for MODE determines the type of users to be created. Possible values for MODE include: OAM, OIM, and WLS.

    Run the command once for each of the components that is in your topology.

    • In all topologies, when you enable single sign-on for your administrative consoles, you must ensure that there is a user in your Identity Store that has the permissions to log in to your WebLogic Administration Console and Oracle Enterprise Manager Fusion Middleware Control. Type:

      idmConfigTool.sh -prepareIDStore mode=WLS input_file=idstore.props
      

      Run this command first.

    • If your topology includes Access Manager, you must seed the Identity Store with users that are required by Access Manager. Type:

      idmConfigTool.sh -prepareIDStore mode=OAM input_file=idstore.props
      
    • If your topology includes Oracle Identity Manager, you must seed the Identity Store with the xelsysadm user and assign it to an Oracle Identity Manager administrative group. You must also create a user outside of the standard cn=Users location to be able to perform reconciliation. This user is also the user that should be used as the bind DN when connecting to directories with Oracle Virtual Directory. Type:

      idmConfigTool.sh -prepareIDStore mode=OIM input_file=idstore.props
      

      Note:

      This command also creates a container in your Identity Store for reservations.

      The password assigned to the xelsysadm user must conform to the following rules:

      • Six characters or more

      • One or more numeric character

      • Two or more alphabetic characters

      • Start with alphabetic character

      • One or more lowercase character

    When the command runs, you are prompted to enter the password of the account you are connecting to the Identity Store with.

  3. After running each command, check the log file for any errors or warnings and correct them. The file with the name automation.log is created in the directory from where you run the tool.
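The xelsysadm password rules listed under the OIM mode above are easy to check before you are prompted for the value, and doing so avoids a failed seeding run. The function below is an added example and not code from Oracle Identity Manager; it implements exactly the five rules the list gives and nothing else, so any further rule OIM may enforce is outside it, and it counts only ASCII letters and digits as alphabetic and numeric characters, which is an assumption.

```python
"""Check a candidate xelsysadm password against the five rules this chapter lists.

Added example, not code from Oracle Identity Manager. Only the five listed rules
are implemented; ASCII-only letters and digits is an assumption.
"""
import string


def password_violations(pw):
    """Return the rules the password breaks; an empty list means it satisfies all five."""
    letters = sum(c in string.ascii_letters for c in pw)
    digits = sum(c in string.digits for c in pw)
    lowers = sum(c in string.ascii_lowercase for c in pw)
    violations = []
    if len(pw) < 6:
        violations.append("fewer than six characters")
    if digits < 1:
        violations.append("no numeric character")
    if letters < 2:
        violations.append("fewer than two alphabetic characters")
    if not pw or pw[0] not in string.ascii_letters:
        violations.append("does not start with an alphabetic character")
    if lowers < 1:
        violations.append("no lowercase character")
    return violations


def is_acceptable(pw):
    """True when the candidate satisfies every listed rule."""
    return not password_violations(pw)


if __name__ == "__main__":
    import getpass
    candidate = getpass.getpass("Candidate xelsysadm password: ")
    for rule in password_violations(candidate) or ["acceptable"]:
        print(rule)
```

The script reads the candidate with getpass so it is not echoed or left in shell history; it prints the broken rules, or "acceptable", and stores nothing.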

See Also:

Oracle Fusion Middleware Integration Overview for Oracle Identity Management Suite for more information about the idmConfigTool command.

9.4.5 Add Missing Oracle Internet Directory Object Class

Bug 14341069 is caused by a missing object class in Oracle Internet Directory. The workaround is to add this object class manually.

  1. Create a file called update_oid.ldif with the following contents:

    dn: cn=subschemasubentry
    changetype: modify
    delete: objectclasses
    objectclasses: ( 2.16.840.1.113894.200.2.1 NAME 'orclIDXPerson' SUP inetorgperson AUXILIARY MAY ( middleName $ orclActiveStartDate $ orclActiveEndDate $ orclIsEnabled $ orclTimeZone $ c $ orclGenerationQualifier $ orclHireDate $ orclAccessibilityMode $ orclColorContrast $ orclFontSize $ orclnumberFormat $ orclcurrency $ orcldateFormat $ orcltimeFormat $ orclembeddedHelp $ orclFALanguage $ orclFATerritory $ orclDisplayNameLanguagePreference $ orclImpersonationGranter $ orclImpersonationGrantee $ orclMTTenantGUID $ orclMTTenantUName $ orclMTUid $ orclFAUserID $ orclFAPersonID $ orclFAPartyID ))
    
    dn: cn=subschemasubentry
    changetype: modify
    add: attributetypes
    attributetypes: ( 2.16.840.1.113894.200.1.7 NAME 'orclPwdExpirationDate' EQUALITY caseIgnoreMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE USAGE userApplications )
    
    dn: cn=subschemasubentry
    changetype: modify
    add: objectclasses
    objectclasses: ( 2.16.840.1.113894.200.2.1 NAME 'orclIDXPerson' SUP inetorgperson AUXILIARY MAY ( middleName $ orclActiveStartDate $ orclActiveEndDate $ orclIsEnabled $ orclTimeZone $ c $ orclGenerationQualifier $ orclHireDate $ orclAccessibilityMode $ orclColorContrast $ orclFontSize $ orclnumberFormat $ orclcurrency $ orcldateFormat $ orcltimeFormat $ orclembeddedHelp $ orclFALanguage $ orclFATerritory $ orclDisplayNameLanguagePreference $ orclImpersonationGranter $ orclImpersonationGrantee $ orclMTTenantGUID $ orclMTTenantUName $ orclMTUid $ orclFAUserID $ orclFAPersonID $ orclFAPartyID $ orclPwdExpirationDate ) )
    
  2. Update Oracle Internet Directory using the command:

    ldapmodify -D cn=orcladmin -h OIDHOST1.mycompany.com -p 3060 -f update_oid.ldif
    

9.4.6 Add Missing Oracle Unified Directory Permission

This section describes a workaround for a missing permission in Oracle Unified Directory.

Create a file called add_password_reset.ldif with the following contents:

dn: cn=oimLDAP,cn=systemids, dc=mycompany,dc=com
changetype: modify
add: ds-privilege-name
ds-privilege-name: password-reset

dn: cn=Reserve,dc=mycompany,dc=com
changetype: modify
delete: aci
aci: (version 3.0; acl "oim reserve group container acl"; allow (read,add,delete) groupdn="ldap:///cn=OIMAdministrators,cn=Groups,dc=mycompany,dc=com"; deny (all) userdn="ldap:///anyone";)

dn: cn=Reserve,dc=mycompany,dc=com
changetype: modify
add: aci
aci: (target = "ldap:///cn=Reserve,dc=mycompany,dc=com")(targetattr = "*")(version 3.0; acl "Allow OIMAdministrators Group add, read and write access to all attributes"; allow (add, read, search, compare,write, delete, import,export) (groupdn = "ldap:///cn=OIMAdministrators,cn=Groups,dc=mycompany,dc=com");)

Update Oracle Unified Directory using the command:

ldapmodify -D cn=oudadmin -h IDMHOST1.mycompany.com -p 1389 -f add_password_reset.ldif

9.4.7 Granting Oracle Unified Directory Change Log Access

If you are using Oracle Unified Directory and Oracle Identity Manager, you must now grant access to the changelog. You do this by performing the following steps on all OUD hosts, that is, on IDMHOST1 and IDMHOST2:

  1. On the host where OUD is running (for example, IDMHOST), create a file called mypasswordfile that contains the password you use to connect to OUD.

  2. Remove the existing change log permission by issuing the command on one of the replicated OUD hosts:

    OUD_ORACLE_INSTANCE/bin/dsconfig set-access-control-handler-prop \
    --remove global-aci:"(target=\"ldap:///cn=changelog\")(targetattr=\"*\")(version 3.0; acl \"External changelog access\"; deny (all) userdn=\"ldap:///anyone\";)" \
            --hostname OUD_HOST \
            --port OUD_ADMIN_PORT \
            --trustAll \
            --bindDN cn=oudadmin \
            --bindPasswordFile passwordfile \
            --no-prompt 
    

    For example:

    OUD_ORACLE_INSTANCE/bin/dsconfig set-access-control-handler-prop \
    --remove global-aci:"(target=\"ldap:///cn=changelog\")(targetattr=\"*\")(version 3.0; acl \"External changelog access\"; deny (all) userdn=\"ldap:///anyone\";)" \
            --hostname IDMHOST1.mycompany.com \
            --port 4444 \
            --trustAll  \
            --bindDN cn=oudadmin \
            --bindPasswordFile mypasswordfile \
            --no-prompt
    
  3. Then add the following new ACI:

    OUD_ORACLE_INSTANCE/bin/dsconfig set-access-control-handler-prop \
    --add global-aci:"(target=\"ldap:///cn=changelog\")(targetattr=\"*\")(version 3.0; acl \"External changelog access\"; allow (read,search,compare,add,write,delete,export) groupdn=\"ldap:///cn=OIMAdministrators,cn=groups,dc=mycompany,dc=com\";)" \
            --hostname OUD_HOST \
            --port OUD_ADMIN_PORT \
            --trustAll \
            --bindDN cn=oudadmin \
            --bindPasswordFile passwordfile \
            --no-prompt
    

    For example:

    OUD_ORACLE_INSTANCE/bin/dsconfig set-access-control-handler-prop \
    --add global-aci:"(target=\"ldap:///cn=changelog\")(targetattr=\"*\")(version 3.0; acl \"External changelog access\"; allow (read,search,compare,add,write,delete,export) groupdn=\"ldap:///cn=OIMAdministrators,cn=groups,dc=mycompany,dc=com\";)" \
            --hostname IDMHOST1.mycompany.com \
            --port 4444 \
            --trustAll \
            --bindDN cn=oudadmin \
            --bindPasswordFile mypasswordfile \
            --no-prompt
    
  4. Then add the following new ACI:

    OUD_ORACLE_INSTANCE/bin/dsconfig set-access-control-handler-prop \
    --add global-aci:"(targetcontrol=\"1.3.6.1.4.1.26027.1.5.4\")(version 3.0; acl \"OIMAdministrators control access\"; allow(read)  groupdn=\"ldap:///cn=oimAdminGroup,cn=groups,dc=mycompany,dc=com\";)" \
            --hostname OUD_HOST \
            --port OUD_ADMIN_PORT \
            --trustAll \
            --bindDN cn=oudadmin \
            --bindPasswordFile passwordfile \
            --no-prompt
    

    For example:

    OUD_ORACLE_INSTANCE/bin/dsconfig set-access-control-handler-prop \
    --add global-aci:"(targetcontrol=\"1.3.6.1.4.1.26027.1.5.4\")(version 3.0; acl \"OIMAdministrators control access\"; allow(read)  groupdn=\"ldap:///cn=oimAdminGroup,cn=groups,dc=mycompany,dc=com\";)" \
            --hostname IDMHOST1.mycompany.com \
            --port 4444 \
            --trustAll \
            --bindDN cn=oudadmin \
            --bindPasswordFile mypasswordfile \
            --no-prompt
    
  5. Then add the following ACI:

    OUD_ORACLE_INSTANCE/bin/dsconfig set-access-control-handler-prop \
    --add global-aci:"(target=\"ldap:///\")(targetscope=\"base\")(targetattr=\"lastExternalChangelogCookie\")(version 3.0; acl \"User-Visible lastExternalChangelog\"; allow (read,search,compare) groupdn=\"ldap:///cn=OIMAdministrators,cn=groups,dc=mycompany,dc=com\";)" \
            --hostname OUD_HOST \
            --port OUD_ADMIN_PORT \
            --trustAll \
            --bindDN cn=oudadmin \
            --bindPasswordFile passwordfile \
            --no-prompt
    

    For example:

    OUD_ORACLE_INSTANCE/bin/dsconfig set-access-control-handler-prop \
    --add global-aci:"(target=\"ldap:///\")(targetscope=\"base\")(targetattr=\"lastExternalChangelogCookie\")(version 3.0; acl \"User-Visible lastExternalChangelog\"; allow (read,search,compare) groupdn=\"ldap:///cn=OIMAdministrators,cn=groups,dc=mycompany,dc=com\";)" \
            --hostname IDMHOST1.mycompany.com \
            --port 4444 \
            --trustAll \
            --bindDN cn=oudadmin \
            --bindPasswordFile mypasswordfile \
            --no-prompt
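Sections 9.4.6 and 9.4.7 replace a deny-all ACI on the Reserve container and on cn=changelog with grants to the OIMAdministrators group, so the security-relevant question before running the ldapmodify and dsconfig commands is exactly which rights each ACI gives to whom. The script below is an added example for both sections and is not part of Oracle Unified Directory, dsconfig or ldapmodify. It parses the ACI strings into their target clauses, acl name and allow/deny rules, prints one line per rule, and flags any rule that allows write-class rights to ldap:///anyone or ldap:///all. It handles only the ACI shapes used on this page (target, targetattr, targetscope and targetcontrol clauses, one acl name, and rules with a single userdn or groupdn bind rule); that subset and the set of rights it treats as write-like are assumptions. The embedded samples are this page's ACIs with the shell backslash escaping removed, plus one constructed over-permissive ACI that the review is meant to catch.

```python
"""Parse OUD-style ACI strings and summarise who is granted which rights.

Added example for sections 9.4.6 and 9.4.7; not part of Oracle Unified Directory,
dsconfig or ldapmodify. Only the ACI shapes used on this page are handled
(target*/targetattr/targetscope/targetcontrol clauses, one acl name, allow/deny
rules with a single userdn or groupdn bind rule); that subset and WRITE_LIKE are
assumptions. Sample strings are the page's ACIs with shell escaping removed.
"""
import re

TARGET_RE = re.compile(r'\(\s*(target\w*)\s*=\s*"([^"]*)"\s*\)')
ACL_NAME_RE = re.compile(r'\(\s*version\s+3\.0\s*;\s*acl\s+"([^"]*)"\s*;')
RULE_RE = re.compile(
    r'(allow|deny)\s*\(\s*([^)]*?)\s*\)\s*\(?\s*(userdn|groupdn)\s*=\s*"([^"]*)"\s*\)?\s*;')

# Rights that let a subject change data; an allow of these to everyone is flagged.
WRITE_LIKE = {"all", "write", "add", "delete", "import", "export", "proxy", "selfwrite"}
ANYONE = {"ldap:///anyone", "ldap:///all"}

# Constructed sample: the ACIs from this chapter (unescaped) and one bad ACI.
CHANGELOG_DENY = '(target="ldap:///cn=changelog")(targetattr="*")(version 3.0; acl "External changelog access"; deny (all) userdn="ldap:///anyone";)'
CHANGELOG_ALLOW = '(target="ldap:///cn=changelog")(targetattr="*")(version 3.0; acl "External changelog access"; allow (read,search,compare,add,write,delete,export) groupdn="ldap:///cn=OIMAdministrators,cn=groups,dc=mycompany,dc=com";)'
CONTROL_ACI = '(targetcontrol="1.3.6.1.4.1.26027.1.5.4")(version 3.0; acl "OIMAdministrators control access"; allow(read)  groupdn="ldap:///cn=oimAdminGroup,cn=groups,dc=mycompany,dc=com";)'
COOKIE_ACI = '(target="ldap:///")(targetscope="base")(targetattr="lastExternalChangelogCookie")(version 3.0; acl "User-Visible lastExternalChangelog"; allow (read,search,compare) groupdn="ldap:///cn=OIMAdministrators,cn=groups,dc=mycompany,dc=com";)'
RESERVE_OLD = '(version 3.0; acl "oim reserve group container acl"; allow (read,add,delete) groupdn="ldap:///cn=OIMAdministrators,cn=Groups,dc=mycompany,dc=com"; deny (all) userdn="ldap:///anyone";)'
RESERVE_NEW = '(target = "ldap:///cn=Reserve,dc=mycompany,dc=com")(targetattr = "*")(version 3.0; acl "Allow OIMAdministrators Group add, read and write access to all attributes"; allow (add, read, search, compare,write, delete, import,export) (groupdn = "ldap:///cn=OIMAdministrators,cn=Groups,dc=mycompany,dc=com");)'
WIDE_OPEN = '(targetattr="*")(version 3.0; acl "constructed bad example"; allow (all) userdn="ldap:///anyone";)'
PAGE_ACIS = (CHANGELOG_DENY, CHANGELOG_ALLOW, CONTROL_ACI, COOKIE_ACI, RESERVE_OLD, RESERVE_NEW)


def parse_aci(aci):
    """Return {'targets': {...}, 'name': str, 'rules': [(effect, rights, bind_type, subject)]}."""
    name_m = ACL_NAME_RE.search(aci)
    if not name_m:
        raise ValueError("no (version 3.0; acl ...; clause in ACI")
    # Target clauses precede the version clause; rules follow the acl name.
    targets = {k.lower(): v for k, v in TARGET_RE.findall(aci[:name_m.start()])}
    rules = []
    for effect, rights, bind_type, subject in RULE_RE.findall(aci[name_m.end():]):
        right_set = frozenset(r.strip().lower() for r in rights.split(",") if r.strip())
        rules.append((effect, right_set, bind_type, subject))
    if not rules:
        raise ValueError("no allow/deny rule in ACI")
    return {"targets": targets, "name": name_m.group(1), "rules": rules}


def summarise(aci):
    """One line per rule, e.g. 'External changelog access: deny all to userdn ldap:///anyone'."""
    parsed = parse_aci(aci)
    return ["%s: %s %s to %s %s" % (parsed["name"], effect, ",".join(sorted(rights)), bind_type, subject)
            for effect, rights, bind_type, subject in parsed["rules"]]


def broad_grants(aci):
    """Warnings for rules that allow write-like rights to every bound or anonymous user."""
    parsed = parse_aci(aci)
    warnings = []
    for effect, rights, bind_type, subject in parsed["rules"]:
        if effect == "allow" and subject.lower() in ANYONE and rights & WRITE_LIKE:
            warnings.append("%s: allows %s to %s (targets: %s)" % (
                parsed["name"], ",".join(sorted(rights & WRITE_LIKE)), subject, parsed["targets"]))
    return warnings


if __name__ == "__main__":
    for aci in PAGE_ACIS + (WIDE_OPEN,):
        for line in summarise(aci):
            print(line)
        for warning in broad_grants(aci):
            print("  WARNING", warning)
```

Run stand-alone it prints the summary for every ACI on this page, none of which is flagged, and one WARNING line for the constructed wide-open ACI. To review ACIs from your own directory, pass the raw aci attribute values (as returned by ldapsearch, not the shell-escaped dsconfig form) to summarise and broad_grants.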
    

9.4.8 Creating Oracle Unified Directory Indexes

When you run the idmConfigTool to prepare an Oracle Unified Directory identity store, it creates indexes for the data on the instance against which it is run. You must manually create these indexes on each of the remaining Oracle Unified Directory instances in the configuration.

To do this, on IDMHOST2, issue the following commands:

OUD_ORACLE_INSTANCE/OUD/bin/ldapmodify -h IDMHOST2.mycompany.com -Z -X -p 4444 -a -D "cn=oudadmin" -j mypasswordfile -c  -f IAM_ORACLE_HOME/oam/server/oim-intg/ldif/ojd/schema/ojd_user_index_generic.ldif
OUD_ORACLE_INSTANCE/OUD/bin/ldapmodify -h IDMHOST2.mycompany.com -Z -X -p 4444 -a -D "cn=oudadmin" -j mypasswordfile -c  -f IAM_ORACLE_HOME/idmtools/templates/oud/oud_indexes_extn.ldif

Once the indexes have been created on every IDMHOST, rebuild the indexes as follows:

  1. Shut down Oracle Unified Directory by issuing the command:

    OUD_ORACLE_INSTANCE/OUD/bin/stop-ds
    
  2. Execute the command:

    OUD_ORACLE_INSTANCE/OUD/bin/rebuild-index --rebuildAll -b "dc=mycompany,dc=com"
    
  3. Restart Oracle Unified Directory by issuing the command:

    OUD_ORACLE_INSTANCE/OUD/bin/start-ds
    

Repeat Steps 1-3 to rebuild the indexes on every IDMHOST, including the host against which the idmConfigTool was run. To maintain availability, stop only the directory whose indexes you are rebuilding.

9.4.9 Creating Access Control Lists in Directories Other than Oracle Internet Directory and Oracle Unified Directory

In the preceding sections, you seeded the Identity Store with users and artifacts for the Oracle components. If your Identity Store is hosted in a directory other than Oracle Internet Directory or Oracle Unified Directory, such as Microsoft Active Directory, you must set up the access control lists (ACLs) to provide appropriate privileges to the entities you created. This section lists the artifacts created and the privileges required for the artifacts.

  • Systemids. The System ID container is created for storing all the system identifiers. If there is another container in which the users are to be created, that is specified as part of the admin.

  • Access Manager Admin User. This user is added to the OAM Administrator group, which provides permission for the administration of the Oracle Access Management Console. No LDAP schema level privileges are required, since this is just an application user.

  • Access Manager Software User. This user is added to the groups where the user gets read privileges to the container. This is also provided with schema admin privileges.

  • Oracle Identity Manager user oimLDAP under System ID container. Password policies are set accordingly in the container. The passwords for the users in the System ID container must be set up so that they do not expire.

  • Oracle Identity Manager administration group. The Oracle Identity Manager user is added as its member. The Oracle Identity Manager admin group is given complete read/write privileges to all the user and group entities in the directory.

  • WebLogic Administrator. This is the administrator of the IDM domain for Oracle Virtual Directory.

  • WebLogic Administrator Group. The WebLogic administrator is added as a member. This is the administrator group of the IDM domain for Oracle Virtual Directory.

  • Reserve container. Permissions are provided to the Oracle Identity Manager admin group to perform read/write operations.

9.5 Creating Adapters in Oracle Virtual Directory

If you access your LDAP directory through Oracle Virtual Directory, you must link Oracle Virtual Directory to the back end LDAP directory by creating adapters. This section describes how.

The procedure is slightly different, depending on the directory you are connecting to. The following sections show how to create and validate adapters for supported directories:

9.5.1 Ensuring the Change Log Generation is Enabled in Oracle Internet Directory

Before you create a change log adapter in Oracle Virtual Directory, you must ensure that the back end Oracle Internet Directory servers have changelog generation enabled.

To test whether a directory server has changelog generation enabled, type:

ldapsearch -h directory_host -p ldap_port -D bind_dn -q -b '' -s base 'objectclass=*' lastchangenumber

For example:

ldapsearch -h OIDHOST1 -p 3060 -D "cn=orcladmin" -q -b '' -s base 'objectclass=*' lastchangenumber

If the command output includes lastchangenumber with a value, changelog generation is enabled. If changelog generation is not enabled, enable it as described in the "Enabling and Disabling Changelog Generation by Using the Command Line" section of Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.

9.5.2 Creating Oracle Virtual Directory Adapters for Oracle Internet Directory and Active Directory

You can use idmConfigTool to create the Oracle Virtual Directory User and Changelog adapters for Oracle Internet Directory and Active Directory. Oracle Identity Manager requires adapters. It is highly recommended, though not mandatory, that you use Oracle Virtual Directory to connect to Oracle Internet Directory.

To do this, perform the following tasks on IDMHOST1:

  1. Set MW_HOME to IAM_MW_HOME.

    Set ORACLE_HOME to IAM_ORACLE_HOME.

    Set JAVA_HOME to JAVA_HOME.

  2. Create a properties file for the adapter you are configuring called ovd1.props. The contents of this file depend on whether you are configuring the Oracle Internet Directory adapter or the Active Directory adapter.

    • Oracle Internet Directory adapter properties file:

      ovd.host:OVDHOST1.mycompany.com
      ovd.port:8899
      ovd.binddn:cn=orcladmin
      ovd.password:ovdpassword
      ovd.oamenabled:true
      ovd.ssl:true
      ldap1.type:OID
      ldap1.host:OIDIDSTORE.mycompany.com
      ldap1.port:3060
      ldap1.binddn:cn=oimLDAP,cn=systemids,dc=mycompany,dc=com
      ldap1.password:oidpassword
      ldap1.ssl:false
      ldap1.base:dc=mycompany,dc=com
      ldap1.ovd.base:dc=mycompany,dc=com
      usecase.type: single
      
    • Active Directory adapter properties file:

      ovd.host:OVDHOST1.mycompany.com
      ovd.port:8899
      ovd.binddn:cn=orcladmin
      ovd.password:ovdpassword
      ovd.oamenabled:true
      ovd.ssl:true
      ldap1.type:AD
      ldap1.host:ADIDSTORE.mycompany.com
      ldap1.port:636
      ldap1.binddn:cn=adminuser
      ldap1.password:adpassword
      ldap1.ssl:true
      ldap1.base:dc=mycompany,dc=com
      ldap1.ovd.base:dc=mycompany,dc=com
      usecase.type: single
      

    The following list describes the parameters used in the properties file.

    • ovd.host is the host name of a server running Oracle Virtual Directory.

    • ovd.port is the https port used to access Oracle Virtual Directory.

    • ovd.binddn is the user DN you use to connect to Oracle Virtual Directory.

    • ovd.password is the password for the DN you use to connect to Oracle Virtual Directory.

    • ovd.oamenabled is always true in Fusion Applications deployments.

    • ovd.ssl is set to true, as you are using an https port.

    • ldap1.type is set to OID for the Oracle Internet Directory back end directory or set to AD for the Active Directory back end directory.

    • ldap1.host is the host on which back end directory is located. Use the load balancer name.

    • ldap1.port is the port used to communicate with the back end directory.

    • ldap1.binddn is the bind DN of the oimLDAP user.

    • ldap1.password is the password of the oimLDAP user.

    • ldap1.ssl is set to true if you are using the back end's SSL connection, and otherwise set to false. This should always be set to true when an adapter is being created for AD.

    • ldap1.base is the base location in the directory tree.

    • ldap1.ovd.base is the mapped location in Oracle Virtual Directory.

    • usecase.type is set to single when using a single directory type.

  3. Configure the adapter by using the idmConfigTool command, which is located at:

    IAM_ORACLE_HOME/idmtools/bin

    Note:

    When you run the idmConfigTool, it creates or appends to the file idmDomainConfig.param. This file is generated in the same directory that the idmConfigTool is run from. To ensure that each time the tool is run, the same file is appended to, always run the idmConfigTool from the directory:

    IAM_ORACLE_HOME/idmtools/bin

    The syntax of the command on Linux is:

    idmConfigTool.sh -configOVD input_file=configfile [log_file=logfile]
    

    For example:

    idmConfigTool.sh -configOVD input_file=ovd1.props
    

    The command requires no input. The output looks like this:

    The tool has completed its operation. Details have been logged to logfile
    

Run this command for each Oracle Virtual Directory instance in your topology, with the appropriate value for ovd.host in the property file.

9.5.3 Validating the Oracle Virtual Directory Adapters

Perform the following tasks by using ODSM:

  1. Access ODSM at:

    http://HOSTNAME.mycompany.com:port/odsm
    
  2. Connect to Oracle Virtual Directory.

  3. Go to the Data Browser tab.

  4. Expand Client View so that you can see each of your user adapter root DNs listed.

  5. Expand the user adapter root DN. If there are objects already in the back end LDAP server, you should see those objects here.

  6. ODSM does not support changelog queries, so you cannot expand the cn=changelog subtree.

    Perform the following tasks by using the command line:

    • Validate the user adapters by typing:

      ldapsearch -h directory_host -p ldap_port -D "cn=orcladmin" -q  -b <user_search_base> -s sub "objectclass=inetorgperson" dn
      

      For example:

      ldapsearch -h OVDHOST1.mycompany.com -p 6501 -D "cn=orcladmin" -q -b "cn=Users,dc=mycompany,dc=com" -s sub "objectclass=inetorgperson" dn
      

      Supply the password when prompted.

      You should see the user entries that already exist in the back end LDAP server.

    • Validate changelog adapters by typing:

      ldapsearch -h directory_host -p ldap_port -D "cn=orcladmin" -q  -b "cn=changelog" -s one "changenumber>=0"
      

      For example:

      ldapsearch -h OVDHOST1 -p 6501 -D "cn=orcladmin" -q -b "cn=changelog" -s one "changenumber>=0"
      

      The command returns the change log records, such as the creation of each user. It returns without error if the changelog adapters are valid.

    • Validate lastchangenumber query by typing:

      ldapsearch -h directory_host -p ldap_port -D "cn=orcladmin" -q -b "cn=changelog" -s base 'objectclass=*' lastchangenumber
      

      For example:

      ldapsearch -h OVDHOST1 -p 6501 -D "cn=orcladmin" -q -b "cn=changelog" -s base 'objectclass=*' lastchangenumber
      

      The command returns the latest change number generated in the back end LDAP server.

9.6 Backing Up the Identity Stores

Back up your LDAP directories, as described in Section 17.6.3, "Performing Backups During Installation and Configuration."