Oracle® Fusion Middleware Installation Guide for Oracle Identity and Access Management
11g Release 2 (11.1.2)

Part Number E27301-04

5 Configuring Oracle Identity Manager

This chapter explains how to configure Oracle Identity Manager.

It includes the following topics:

Note:

To invoke online help at any stage of the Oracle Identity Manager configuration process, click the Help button on the Oracle Identity Manager Configuration Wizard screens.

5.1 Important Notes Before You Start Configuring Oracle Identity Manager

Before you start configuring Oracle Identity Manager, keep the following points in mind:

5.2 Installation and Configuration Roadmap for Oracle Identity Manager

Table 5-1 lists the tasks for installing and configuring Oracle Identity Manager.

Table 5-1 Installation and Configuration Flow for Oracle Identity Manager

No. Task Description

1

Review installation concepts in the Installation Planning Guide.

Read the Oracle Fusion Middleware Installation Planning Guide, which describes the process for various users to install or upgrade to Oracle Fusion Middleware 11g (11.1.2) depending on the user's existing environment.

2

Review the system requirements and certification documents to ensure that your environment meets the minimum installation requirements for the components you are installing.

For more information, see Section 2.1, "Reviewing System Requirements and Certification".

3

Obtain the Oracle Fusion Middleware Software.

For more information, see Section 3.2.1, "Obtaining the Oracle Fusion Middleware Software".

4

Review the Database requirements.

For more information, see Section 3.2.2, "Database Requirements".

5

Run Oracle Fusion Middleware Repository Creation Utility (RCU) to create and load the appropriate schemas for Oracle Identity and Access Management products.

For more information, see Section 3.2.3, "Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU)".

6

Review WebLogic Server and Middleware Home requirements.

For more information, see Section 3.2.4, "WebLogic Server and Middleware Home Requirements".

7

Install Oracle SOA Suite 11g (11.1.1.6.0).

Install the 11.1.1.6.0 version of Oracle SOA Suite.

For more information, see Section 3.2.5, "Installing Oracle SOA Suite 11.1.1.6.0 (Oracle Identity Manager Users Only)".

8

Start the Oracle Identity and Access Management Installer.

For more information, see Section 3.2.6, "Starting the Oracle Identity and Access Management Installer".

9

Install the Oracle Identity and Access Management 11g software.

Oracle Identity Manager is included in the Oracle Identity and Access Management Suite. You can use the Oracle Identity and Access Management 11g Installer to install Oracle Identity and Access Management Suite.

For more information, see Section 3.2.7, "Installing Oracle Identity and Access Management (11.1.2)".

10

Run the Oracle Fusion Middleware Configuration Wizard to configure your Oracle Identity and Access Management products in a new or existing WebLogic domain.

For more information, see Section 5.3, "Creating a new WebLogic Domain for Oracle Identity Manager and SOA".

11

Configure the Database Security Store.

For more information, see Section 3.2.9, "Configuring Database Security Store for an Oracle Identity and Access Management Domain".

12

Start the servers.

You must start the Administration Server.

For more information, see Section 5.4, "Starting the Servers".

13

Review the Oracle Identity Manager Server, Design Console, and Remote Manager configuration scenarios.

For more information, see Section 5.5, "Overview of Oracle Identity Manager Configuration".

14

Start the Oracle Identity Manager 11g Configuration Wizard.

For more information, see Section 5.6, "Starting the Oracle Identity Manager 11g Configuration Wizard".

15

Configure Oracle Identity Manager Server.

For more information, see Section 5.7, "Configuring Oracle Identity Manager Server".

16

Optional: Install and Configure only Oracle Identity Manager Design Console on Windows.

For more information, see Section 5.8, "Optional: Configuring Oracle Identity Manager Design Console".

17

Optional: Configure Oracle Identity Manager Remote Manager.

For more information, see Section 5.9, "Optional: Configuring Oracle Identity Manager Remote Manager".

18

Complete the post-installation tasks.

Complete the following post-installation tasks:


5.3 Creating a new WebLogic Domain for Oracle Identity Manager and SOA

This topic describes how to create a new WebLogic domain for Oracle Identity Manager and SOA. It includes the following sections:

5.3.1 Appropriate Deployment Environment

Perform the configuration in this topic if you want to install Oracle Identity Manager in an environment where you may use Oracle Identity Manager as a provisioning or request solution. This option is also appropriate for Oracle Identity Manager environments that do not use Single Sign-On (SSO) or Oracle Access Manager.

5.3.2 Components Deployed

Performing the configuration in this section installs the following components:

  • Administration Server

  • Managed Servers for Oracle Identity Manager and SOA.

  • Oracle Identity Manager System Administration Console, and Oracle Identity Manager Self Service Console on the Oracle Identity Manager Managed Server

5.3.3 Dependencies

The configuration in this section depends on the following:

  • Oracle WebLogic Server 11g Release 1 (10.3.6) or Oracle WebLogic Server 11g Release 1 (10.3.5).

  • Installation of the Oracle Identity and Access Management 11g Release 2 (11.1.2) software.

  • Installation of Oracle SOA Suite 11g (11.1.1.6.0).

  • Database schemas for Oracle Identity Manager and Oracle SOA 11g Suite.

5.3.4 Procedure

Complete the following steps to create a new WebLogic domain for Oracle Identity Manager and SOA and to configure Oracle Identity Manager Server, Design Console, and Remote Manager:

  1. Review the section Important Notes Before You Start Configuring Oracle Identity Manager.

  2. Run the <IAM_Home>/common/bin/config.sh script (on UNIX) or <IAM_Home>\common\bin\config.cmd (on Windows). The Welcome screen of the Oracle Fusion Middleware Configuration Wizard appears.

  3. On the Welcome screen, select Create a new WebLogic domain, and click Next. The Select Domain Source screen appears.

  4. On the Select Domain Source screen, ensure that the Generate a domain configured automatically to support the following products: option is selected.

    Select Oracle Identity Manager - 11.1.2.0.0 [IAM_Home]. When you select the Oracle Identity Manager - 11.1.2.0.0 [IAM_Home] option, the following options are also selected, by default:

    • Oracle SOA Suite - 11.1.1.1.0 [Oracle_SOA1]

    • Oracle Enterprise Manager 11.1.1.0 [oracle_common]

    • Oracle Platform Security Service 11.1.1.0 [IAM_Home]

    • Oracle JRF 11.1.1.0 [oracle_common]

    • Oracle JRF WebServices Asynchronous services - 11.1.1.0 [oracle_common]

    • Oracle WSM Policy Manager 11.1.1.0 [oracle_common]

    Note:

    • If you want to use Authorization Policy Manager for the new WebLogic domain for Oracle Identity Manager, then you must select the Oracle Entitlements Server for Admin Server- 11.1.1.0 [IAM_Home] option.

    • If you have an existing WebLogic domain for Oracle Identity Manager, and you want to use Authorization Policy Manager, then you must perform the following steps:

      1. On the Welcome screen of the Oracle Fusion Middleware Configuration Wizard, select Extend an existing WebLogic domain, and click Next.

      2. On the Select a WebLogic Domain Directory screen, select the directory that contains the domain in which you configured Oracle Identity Manager. Click Next.

      3. On the Select Extension Source screen, ensure that the Extend my domain automatically to support the following added products: option is selected, and select either the Oracle Entitlements Server for Admin Server- 11.1.1.0 [IAM_Home] or the Oracle Entitlements Server for Managed Server- 11.1.1.0 [IAM_Home] option. Click Next.

      4. The Configure JDBC Component Schema screen appears. Continue with step 8. Note that for step 9, Administration Server and RDBMS Security Store options are not available when you are extending a domain.

    Click Next. The Specify Domain Name and Location screen appears.

  5. Enter a name and a location for the domain to be created, and click Next. The Configure Administrator User Name and Password screen appears.

  6. Configure a user name and a password for the administrator. The default user name is weblogic. Click Next.

  7. Choose a JDK and Production Mode in the Configure Server Start Mode and JDK screen of the Oracle Fusion Middleware Configuration Wizard. Click Next. The Configure JDBC Component Schema screen appears. This screen displays a list of the following component schemas:

    • SOA Infrastructure

    • User Messaging Service

    • OIM MDS Schema

    • OWSM MDS Schema

    • SOA MDS Schema

    • OIM Infrastructure

    • OPSS Schema

  8. On the Configure JDBC Component Schema screen, select a component schema that you want to modify. You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, the Select Optional Configuration screen appears.

  9. On the Select Optional Configuration screen, you can configure the Administration Server, JMS Distributed Destination, Managed Servers, Clusters, and Machines, Deployments and Services, JMS File Store, and RDBMS Security Store. Click Next.

  10. Optional: Configure the following Administration Server parameters:

    • Name

    • Listen address

    • Listen port

    • SSL listen port

    • SSL enabled or disabled

    Click Next.

  11. Optional: Configure JMS Distributed Destination, as required. Click Next.

  12. Optional: Configure Managed Servers, as required. Click Next.

  13. Optional: Configure Clusters, as required. Click Next.

    For more information about configuring clusters for Oracle Identity and Access Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.

  14. Optional: Assign Managed Servers to Clusters, as required. Click Next.

  15. Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine. Click Next.

    Tip:

    Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.

  16. Optional: Assign servers to machines. Click Next.

  17. Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server. Click Next.

  18. On the Configuration Summary screen, you can view summaries of your configuration for deployments, applications, and services. Review the domain configuration, and click Create to start creating the domain.

    After the domain configuration is complete, click Done to close the configuration wizard.

    A new WebLogic domain to support Oracle Identity Manager is created in the <MW_HOME>\user_projects\domains directory (on Windows). On UNIX, the domain is created in the <MW_HOME>/user_projects/domains directory.

    Note:

    After configuring Oracle Identity Manager in a new WebLogic administration domain, you must configure the Database Security Store. For more information, see Section 3.2.9, "Configuring Database Security Store for an Oracle Identity and Access Management Domain".

  19. Start the Administration Server, as described in Appendix C, "Starting or Stopping the Oracle Stack".

  20. Start the Oracle Identity Manager Configuration Wizard, as described in Section 5.6, "Starting the Oracle Identity Manager 11g Configuration Wizard".

  21. Configure the Oracle Identity Manager Server, Design Console, or Remote Manager, as described in Section 5.7, "Configuring Oracle Identity Manager Server", Section 5.8, "Optional: Configuring Oracle Identity Manager Design Console", and Section 5.9, "Optional: Configuring Oracle Identity Manager Remote Manager".

Note:

If weblogic is not your WebLogic administrator user name, you must complete a set of manual steps after starting the servers. For more information, see Section 2.6, "Optional: Updating the WebLogic Administrator Server User Name in Oracle Enterprise Manager Fusion Middleware Control (OIM Only)".

5.4 Starting the Servers

After installing and configuring Oracle Identity Manager in a WebLogic domain, you must start the Oracle WebLogic Administration Server, as described in Appendix C, "Starting the Stack".

Notes:

5.5 Overview of Oracle Identity Manager Configuration

This section discusses the following topics:

5.5.1 Before Configuring Oracle Identity Manager Server, Design Console, or Remote Manager

Before configuring Oracle Identity Manager using the Oracle Identity Manager Wizard, ensure that you have installed and configured Oracle Identity Manager and SOA in a WebLogic Server domain.

The Oracle Identity Manager 11g Configuration Wizard prompts you to enter information about certain configurations, such as Database, Schemas, WebLogic Administrator User Name and Password, and LDAP Server. Therefore, keep this information ready with you before starting the Identity Management 11g Configuration Wizard.

This section discusses the following topics:

5.5.1.1 Prerequisites for Configuring Oracle Identity Manager Server

Before you can configure Oracle Identity Manager Server using the Oracle Identity Manager Configuration Wizard, you must complete the following prerequisites:

  1. Installing a supported version of Oracle database. For more information, see Section 3.2.2.

  2. Creating and loading the required schemas in the database. For more information, see Section 3.2.3, "Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU)".

  3. Installing Oracle WebLogic Server and creating a Middleware Home directory. For more information, see Section 3.2.4, "WebLogic Server and Middleware Home Requirements".

  4. Installing Oracle SOA Suite 11g Release 1 (11.1.1.6.0) under the same Middleware Home directory. For more information, see Section 3.2.5, "Installing Oracle SOA Suite 11.1.1.6.0 (Oracle Identity Manager Users Only)".

  5. Installing the Oracle Identity and Access Management Suite (the suite that contains Oracle Identity Manager, Oracle Access Management, Oracle Adaptive Access Manager, Oracle Entitlements Server, Oracle Privileged Account Manager, Oracle Identity Navigator, and Oracle Access Management Mobile and Social) under the Middleware Home directory. For more information, see Section 3.2.7, "Installing Oracle Identity and Access Management (11.1.2)".

  6. Creating a new WebLogic domain or extending an existing Identity Management 11.1.1.6.0 domain for Oracle Identity Manager and Oracle SOA. For more information, see Section 5.3, "Creating a new WebLogic Domain for Oracle Identity Manager and SOA".

  7. Starting the Oracle WebLogic Administration Server for the domain in which the Oracle Identity Manager application is deployed. For more information, see Appendix C, "Starting the Stack".

5.5.1.2 Prerequisites for Configuring Only Oracle Identity Manager Design Console on a Different Machine

On the machine where you are installing and configuring Design Console, you must install the Oracle Identity and Access Management 11g Release 2 (11.1.2.0.0) software containing Oracle Identity Manager, Oracle Access Management, Oracle Adaptive Access Manager, Oracle Entitlements Server, Oracle Identity Navigator, Oracle Privileged Account Manager, and Oracle Access Management Mobile and Social. For information, see Section 3.2.7, "Installing Oracle Identity and Access Management (11.1.2)".

Before you can configure Oracle Identity Manager Design Console by running the Oracle Identity Manager Configuration Wizard, you should have configured the Oracle Identity Manager Server, as described in Section 5.7, "Configuring Oracle Identity Manager Server" on a local or remote machine. In addition, the Oracle Identity Manager Server should be up and running.

Note:

Oracle Identity Manager Design Console is supported on Windows operating systems only. If you are installing and configuring only Design Console on a machine, you do not need to install Oracle WebLogic Server and create a Middleware Home directory before installing the Oracle Identity and Access Management software.

5.5.1.3 Prerequisites for Configuring Only Oracle Identity Manager Remote Manager on a Different Machine

On the machine where you are installing and configuring Remote Manager, you must install the Oracle Identity and Access Management 11g Release 2 (11.1.2.0.0) software containing Oracle Identity Manager, Oracle Access Management, Oracle Adaptive Access Manager, Oracle Entitlements Server, Oracle Identity Navigator, Oracle Privileged Account Manager, and Oracle Access Management Mobile and Social. For information, see Section 3.2.7, "Installing Oracle Identity and Access Management (11.1.2)".

Before you can configure Oracle Identity Manager Remote Manager by running the Oracle Identity Manager Configuration Wizard, you should have configured the Oracle Identity Manager Server, as described in Section 5.7, "Configuring Oracle Identity Manager Server". In addition, the Oracle Identity Manager Server should be up and running.

Note:

If you are installing and configuring only Remote Manager on a machine, you do not need to install Oracle WebLogic Server and create a Middleware Home directory before installing the Oracle Identity and Access Management software.

5.5.2 Oracle Identity Manager Configuration Scenarios

The Oracle Identity Manager 11g Configuration Wizard enables you to configure Oracle Identity Manager Server, Design Console (Windows only), and Remote Manager.

If you are configuring Oracle Identity Manager Server, you must run this configuration wizard on the machine where the Administration Server is running.

You must complete this additional configuration for Oracle Identity Manager components after configuring Oracle Identity Manager in a new or existing WebLogic administration domain.

Note:

You can run the Oracle Identity Manager Configuration Wizard to configure Oracle Identity Manager Server only once during the initial setup. After the initial setup, you cannot run the Oracle Identity Manager Configuration Wizard again to modify the configuration of Oracle Identity Manager Server, Design Console, or Remote Manager. For such modifications, you must use Oracle Enterprise Manager Fusion Middleware Control.

This section discusses the following topics:

5.5.2.1 Scope of Configuration Using the Oracle Identity Manager 11g Configuration Wizard

You can use the Oracle Identity Manager 11g Configuration Wizard to configure the non-J2EE components and elements of Oracle Identity Manager. Most of the J2EE configuration is done automatically in the domain template for Oracle Identity Manager.

5.5.2.2 Scenario 1: Oracle Identity Manager Server and Design Console on Different Machines

In this scenario, you configure Oracle Identity Manager Server on one machine, and install and configure only Oracle Identity Manager Design Console on a different Windows machine (a development or design system).

Perform the following tasks:

  1. Install and configure Oracle Identity Manager Server on a machine after completing all of the prerequisites, as described in Section 5.7, "Configuring Oracle Identity Manager Server". Ensure that the Oracle Identity Manager Server is up and running.

  2. On the Windows machine on which the Design Console is to be installed, install a JDK in a path without a space such as c:/jdk1.6.0_29.

  3. Install Oracle WebLogic Server and create a Middleware Home directory such as c:/oracle/Middleware.

  4. Run setup.exe from the installation media disk1 and follow the prompts, selecting the Middleware_Home created above.

    Note:

    When you specify the location of the Middleware_Home, you will see a message "Specified middleware home is not valid. If you continue with this installation only Remote Manager and Design Console can be configured." This is a valid message if you intend to install only the Design Console.

  5. The installer will install the Oracle Identity and Access Management suite needed to install the Design Console.

  6. On the Windows machine where you installed the Oracle Identity and Access Management 11g software, run the Oracle Identity Manager Configuration Wizard to configure only Design Console. Note that you must provide the Oracle Identity Manager Server information, such as host and URL, when configuring Design Console. For more information, see Section 5.8, "Optional: Configuring Oracle Identity Manager Design Console".

5.5.2.3 Scenario 2: Oracle Identity Manager Server and Remote Manager on Different Machines

In this scenario, you configure Oracle Identity Manager Server on one machine, and install and configure only Oracle Identity Manager Remote Manager on a different machine.

The following are the high-level tasks in this scenario:

  1. Install and configure Oracle Identity Manager Server on a machine after completing all of the prerequisites, as described in Section 5.7, "Configuring Oracle Identity Manager Server". Ensure that the Oracle Identity Manager Server is up and running.

  2. On a different machine, install the Oracle Identity and Access Management 11g software containing Oracle Identity Manager, Oracle Access Management, Oracle Adaptive Access Manager, Oracle Entitlements Server, Oracle Identity Navigator, Oracle Privileged Account Manager, and Oracle Access Management Mobile and Social. For information, see Section 3.2.7, "Installing Oracle Identity and Access Management (11.1.2)".

  3. On the machine where you installed the Oracle Identity and Access Management 11g software, run the Oracle Identity Manager Configuration Wizard to configure only Remote Manager. Note that you must provide the Oracle Identity Manager Server information, such as host and URL, when configuring Remote Manager. For more information, see Section 5.9, "Optional: Configuring Oracle Identity Manager Remote Manager".

5.5.2.4 Scenario 3: Oracle Identity Manager Server, Design Console, and Remote Manager on a Single Windows Machine

In this scenario, suitable for test environments, you install and configure Oracle Identity Manager Server, Design Console, and Remote Manager on a single Windows machine.

The following are the high-level tasks in this scenario:

  1. Install and configure Oracle Identity Manager Server on a machine after completing all the prerequisites, as described in Section 5.7, "Configuring Oracle Identity Manager Server". Ensure that the Oracle Identity Manager Server is up and running.

  2. On the same machine, configure Design Console, as described in Section 5.8, "Optional: Configuring Oracle Identity Manager Design Console".

  3. On the same machine, configure Remote Manager, as described in Section 5.9, "Optional: Configuring Oracle Identity Manager Remote Manager".

5.6 Starting the Oracle Identity Manager 11g Configuration Wizard

To start the Oracle Identity Manager 11g Configuration Wizard, execute the <IAM_Home>/bin/config.sh script (on UNIX) or <IAM_Home>\bin\config.bat (on Windows) on the machine where the Administration Server is running. The Oracle Identity Manager 11g Configuration Wizard starts, and the Welcome Screen appears.

Note:

If you have extended an existing WebLogic domain to support Oracle Identity Manager, you must restart the Administration Server before starting the Oracle Identity Manager Configuration Wizard to configure Oracle Identity Manager Server, Design Console, or Remote Manager.

5.7 Configuring Oracle Identity Manager Server

This topic describes how to install and configure only Oracle Identity Manager Server. It includes the following sections:

5.7.1 Appropriate Deployment Environment

Perform the configuration in this topic if you want to install Oracle Identity Manager Server on a separate host.

5.7.2 Components Deployed

Performing the configuration in this section deploys only Oracle Identity Manager Server.

5.7.3 Dependencies

The installation and configuration in this section depends on Oracle WebLogic Server, on Oracle SOA Suite, and on the installation of Oracle Identity and Access Management 11g software. For more information, see Chapter 2, "Preparing to Install" and Section 3.2.7, "Installing Oracle Identity and Access Management (11.1.2)".

5.7.4 Procedure

Perform the following steps to configure only Oracle Identity Manager Server:

  1. Ensure that all the prerequisites, described in Section 5.5.1.1, "Prerequisites for Configuring Oracle Identity Manager Server", are satisfied. In addition, see Section 5.1, "Important Notes Before You Start Configuring Oracle Identity Manager".

  2. On the machine where the Administration Server is running, start the Oracle Identity Manager Configuration Wizard, as described in Section 5.6, "Starting the Oracle Identity Manager 11g Configuration Wizard". The Welcome screen appears.

  3. On the Welcome screen, click Next. The Components to Configure screen appears.

    On the Components to Configure screen, ensure that only the OIM Server option is selected. It is selected, by default. Click Next. The Database screen appears.

  4. On the Database screen, enter the host name, listen port, and service name for the database in the Connect String field. For a single host instance, the format of the connect string is hostname:port:servicename. For example, if the host name is aaa.bbb.com, the port is 1234, and the service name is xxx.bbb.com, then you must enter the connect string for a single host instance as follows:

    aaa.bbb.com:1234:xxx.bbb.com

    If you are using a Real Application Cluster database, the format of the database connect string is as follows:

    hostname1:port1:instancename1^hostname2:port2:instancename2@servicename

    Note:

    You can use the same database or different databases for creating the Oracle Identity Manager schema and the Metadata Services schema.

    Ensure that no Firewalls/Gateways are preventing the connection to the database.

  5. In the OIM Schema User Name field, enter the name of the schema that you created for Oracle Identity Manager using the Oracle Fusion Middleware Repository Creation Utility (RCU). For more information, see Section 3.2.3, "Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU)".

  6. In the OIM Schema Password field, enter the password for the Oracle Identity Manager schema that you set while creating the schema using the Oracle Fusion Middleware Repository Creation Utility (RCU).

  7. If you want to use a different database for the Metadata Services (MDS) schema, select the Select different database for MDS Schema check box.

  8. If you choose to use a different database for the MDS schema, in the MDS Connect String field, enter the host name, listen port, and service name for the database associated with the MDS schema. For the format of the connect string, see Step 4.

    In the MDS Schema User Name field, enter the name of the schema that you created for AS Common Services - Metadata Services using the Oracle Fusion Middleware Repository Creation Utility (RCU). For more information, see Section 3.2.3, "Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU)".

    In the MDS Schema Password field, enter the password for the AS Common Services - Metadata Services schema that you set while creating the schema using the Oracle Fusion Middleware Repository Creation Utility (RCU). Click Next. The WebLogic Admin Server screen appears.

  9. On the WebLogic Admin Server screen, in the WebLogic Admin Server URL field, enter the URL of the WebLogic Administration Server of the domain in the following format:

    t3://hostname:port

    In the UserName field, enter the WebLogic administrator user name of the domain in which the Oracle Identity Manager application and the Oracle SOA Suite application are deployed. If you are setting up integration between Oracle Identity Manager and Oracle Access Manager, the Oracle Access Manager application is also configured in the same domain.

    In the Password field, enter the WebLogic administrator password of the domain in which the Oracle Identity Manager application and the Oracle SOA Suite application are deployed. Click Next.

    The OIM Server screen appears. The OIM Server screen enables you to set a password for the system administrator (xelsysadm).

  10. On the OIM Server screen, in the OIM Administrator Password field, enter a new password for the administrator. A valid password contains at least 6 characters; begins with an alphabetic character; includes at least one number, one uppercase letter, and one lowercase letter. The password cannot contain the first name, last name, or the login name for Oracle Identity Manager.

  11. In the Confirm User Password field, enter the new password again.

  12. In the OIM HTTP URL field, enter the http URL that front-ends the Oracle Identity Manager application.

    The URL is of the format: http(s)://<oim_host>:<oim_port>. For example, https://localhost:7002.

  13. In the KeyStore Password field, enter a new password for the keystore. A valid password can contain 6 to 30 characters, begin with an alphabetic character, and use only alphanumeric characters and special characters like Dollar ($), Underscore (_), and Pound (#). The password must contain at least one number.

  14. In the Confirm Keystore Password field, enter the new password again.

  15. Optional: To enable LDAP Sync, you must select the Enable LDAP Sync option on the OIM Server screen.

    Note:

    Before you enable LDAP Sync, you must complete the steps described in Completing the Prerequisites for Enabling LDAP Synchronization.

    Once LDAP Sync is enabled on the OIM Server screen and the prerequisites are completed, you must continue to configure the Oracle Identity Manager Server. After you have configured the Oracle Identity Manager Server and exited the Oracle Identity Manager Configuration Wizard, you must run the LDAP post-configuration utility, as described in Running the LDAP Post-Configuration Utility.

  16. After making your selections, click Next on the OIM Server screen. If you chose to enable LDAP Sync, the LDAP Server screen appears.

    The LDAP Server screen enables you to specify the following information:

    • Directory Server Type - Select the desired Directory Server from the dropdown list. You have the following options:

      • OID

      • ACTIVE_DIRECTORY

      • IPLANET

      • OVD

      • OUD

      Notes:

      • IPLANET is also referred to as Oracle Directory Server Enterprise Edition (ODSEE) in this guide.

      • If you choose to use OID, ACTIVE_DIRECTORY, IPLANET, or OUD as the Directory Server and if you want to integrate Oracle Identity Manager and Oracle Access Management, you must set the oamEnabled parameter to true. To set the oamEnabled parameter to true in case of Identity Virtualization Library, see Setting oamEnabled Parameter for Identity Virtualization Library.

    • Directory Server ID - enter the Directory Server ID. It can be any unique value.

      For example: oid1 for OID, oud1 for OUD, iplanet1 for IPLANET, and ad1 for ACTIVE_DIRECTORY.

    • Server URL - enter the LDAP URL in the format ldap://oid_host:oid_port.

    • Server User - enter the user name for Directory Server administrator.

      For example: cn=oimAdminUser,cn=systemids,dc=mycompany,dc=com

    • Server Password - enter the Oracle Identity Manager admin password.

    • Server SearchDN - enter the Distinguished Names (DN). For example, dc=exampledomain, dc=com. This is the top-level container for users and roles in LDAP, and Oracle Identity Manager uses this container for reconciliation.

    Click Next. The LDAP Server Continued screen appears.

  17. On the LDAP Server Continued screen, enter the following LDAP information:

    • LDAP RoleContainer - enter a name for the container that will be used as a default container of roles in the LDAP directory. You can configure isolation rules in Oracle Identity Manager to create roles in different containers in LDAP. For example, cn=groups,cn=oracleAccounts,dc=mycountry,dc=mycompany,dc=com.

    • LDAP RoleContainer Description - enter a description for the default role container.

    • LDAP Usercontainer - enter a name for the container that will be used as a default container of users in the LDAP directory. You can configure isolation rules in Oracle Identity Manager to create users in different containers in LDAP. For example, cn=groups,cn=oracleAccounts,dc=mycountry,dc=mycompany,dc=com.

    • LDAP Usercontainer Description - enter a description for the default user container.

    • User Reservation Container - enter a name for the container that will be used for reserving user names in the LDAP directory while their creation is being approved in Oracle Identity Manager. When the user names are approved, they are moved from the reservation container to the user container in the LDAP directory. For example, cn=reserve, dc=mycountry, dc=com.

    After enabling LDAP synchronization and after running the LDAP post-configuration utility, you can verify it by using the Oracle Identity Manager Administration Console. For more information, see Verifying the LDAP Synchronization. Click Next. The Configuration Summary screen appears.

  18. If you did not choose the Enable LDAP Sync option on the OIM Server screen, the Configuration Summary screen appears after you enter information in the OIM Server screen.

    The Configuration Summary screen lists the applications you selected for configuration and summarizes your configuration options, such as database connect string, OIM schema user name, MDS schema user name, WebLogic Admin Server URL, WebLogic Administrator user name, and OIM HTTP URL.

    Review this summary and decide whether to start the configuration. If you want to modify any of the configuration settings at this stage, select a topic in the left navigation page and modify your choices. To continue installing this configuration of the Oracle Identity Manager Server, click Configure.

    Note:

    Before configuring an application, you can save your configuration settings and preferences in a response file. Response files are text files that you can create or edit in a text editor. You can use response files to perform a silent installation or use as templates or customized settings for your environment. For more information, see Performing a Silent Installation.

    After you click Configure, the Configuration Progress screen appears. Click Next.

    A configuration log is saved to the logs directory under Oracle Inventory directory. For information about the log files, see Installation Log Files. If the Configuration Progress screen displays any errors, click Abort to stop the installation and restart the Oracle Identity Manager Configuration Wizard.

  19. Click Finish.

Note:

If the configuration fails, click Abort to stop the installation and restart the Oracle Identity Manager Configuration Wizard, as described in Starting the Oracle Identity Manager 11g Configuration Wizard.

5.7.5 Completing the Prerequisites for Enabling LDAP Synchronization

You must complete the following prerequisites:

5.7.5.1 Preconfiguring the Identity Store

Before you can use your LDAP directory as an Identity store, you must preconfigure it.

Note:

Follow the steps in this section if you are using any one of the Directory Servers mentioned below for LDAP Synchronization:

  • OID

  • Active Directory

  • iPlanet/ODSEE

  • OUD

  • OVD

The preconfiguration differs, depending on the directory store you wish to use to hold your identity information. For a sample procedure of preconfiguring the Identity Store, refer to the following:

You must complete the following steps to preconfigure the Identity Store if you have not configured already:

  1. Create User, Group and Reserve Containers.

  2. Create the proxy user for OIM, namely oimadminuser in the Directory Server outside the search base used for OIM reconciliation. This OIM proxy user should not be reconciled into OIM Database.

  3. Create the oimadmingroup and assign the oimadminuser to the group.

  4. Add the ACIs to the group and user container for the OIM proxy user to have access to all entries in those containers.

  5. Extend OIM Schema for non-OID Directory Servers.

    • For Active Directory

      • The OIM Schema for Active Directory is in the following location:

        $MW_HOME/oracle_common/modules/oracle.ovd_11.1.1/oimtemplates

      • Run the following command to extend Active Directory schema:

        On Windows:

        extendadschema.bat -h AD_host -p AD_port -D <administrator@mydomain.com> -q -AD <dc=mydomain,dc=com> -OAM true

        On UNIX:

        sh extendadschema.sh -h AD_host -p AD_port -D administrator@mydomain.com -q -AD dc=mydomain,dc=com -OAM true

      Note:

      The extendadschema script is certified only on Active Directory 2003, 2008 and 2008R2.

    • For ODSEE/iPlanet

      • The OIM Schema for iPlanet (also known as ODSEE) is in the following location:

        $MW_HOME/oracle_common/modules/oracle.ovd_11.1.1/oimtemplates/sunOneSchema.ldif

      • Run the following command to extend ODSEE schema:

        ldapmodify -h <ODSEE Server> -p <ODSEE port> -D <ODSEE Admin ID> -w <ODSEE Admin password> -f sunOneSchema.ldif

  6. If you want to enable OAM-OIM integration, extend the following OAM Schema:

    • For OID

      • To extend OAM Schema for OID, locate the following files:

        $IAM_HOME/oam/server/oim-intg/ldif/oid/schema/OID_oblix_pwd_schema_add.ldif

        $IAM_HOME/oam/server/oim-intg/ldif/oid/schema/OID_oblix_schema_add.ldif

        $IAM_HOME/oam/server/oim-intg/ldif/oid/schema/OID_oim_pwd_schema_add.ldif

        $IAM_HOME/oam/server/oim-intg/ldif/oid/schema/OID_oblix_schema_index_add.ldif

      • Use ldapmodify from the command line to load the four LDIF files:

        cd $IAM_HOME/oam/server/oim-intg/ldif/oid/schema/

        ldapmodify -h <OID Server> -p <OID port> -D <OID Admin ID> -w <OID Admin password> -f OID_oblix_pwd_schema_add.ldif

        ldapmodify -h <OID Server> -p <OID port> -D <OID Admin ID> -w <OID Admin password> -f OID_oblix_schema_add.ldif

        ldapmodify -h <OID Server> -p <OID port> -D <OID Admin ID> -w <OID Admin password> -f OID_oim_pwd_schema_add.ldif

        ldapmodify -h <OID Server> -p <OID port> -D <OID Admin ID> -w <OID Admin password> -f OID_oblix_schema_index_add.ldif

    • For Active Directory

      • To extend OAM Schema for Active Directory, locate the following files:

        $IAM_HOME/oam/server/oim-intg/ldif/ad/schema/ADUserSchema.ldif

        $IAM_HOME/oam/server/oim-intg/ldif/ad/schema/AD_oam_pwd_schema_add.ldif

        In both the above files, replace the domain-dn with the appropriate domain-dn value.

      • Use ldapadd from the command line to load the two LDIF files, as follows:

        cd $IAM_HOME/oam/server/oim-intg/ldif/ad/schema/

        ldapadd -h <activedirectoryhostname> -p <activedirectoryportnumber> -D <AD_administrator> -q -c -f ADUserSchema.ldif

        ldapadd -h <activedirectoryhostname> -p <activedirectoryportnumber> -D <AD_administrator> -q -c -f AD_oam_pwd_schema_add.ldif

        where AD_administrator is a user which has schema extension privileges to the directory.

        For example:

        ldapadd -h activedirectoryhost.mycompany.com -p 389 -D adminuser -q -c -f ADUserSchema.ldif

    • For ODSEE/iPlanet

      • To extend OAM Schema for ODSEE, locate the following files:

        $IAM_HOME/oam/server/oim-intg/ldif/iplanet/schema/iPlanet7_user_index_add.ldif

        $IAM_HOME/oam/server/oim-intg/ldif/iplanet/schema/iPlanet7_user_index_generic.ldif

        $IAM_HOME/oam/server/oim-intg/ldif/iplanet/schema/iPlanet_oam_pwd_schema_add.ldif

        $IAM_HOME/oam/server/oim-intg/ldif/iplanet/schema/iPlanet_user_schema_add.ldif

        $IAM_HOME/oam/server/oim-intg/ldif/iplanet/schema/iPlanet_user_index_add.ldif

        Note:

        If you are not sure which index-root you should use, use iPlanet7_user_index_generic.ldif instead of iPlanet7_user_index_add.ldif; the generic file also contains step-by-step instructions for finding the index-root.

      • Use ldapmodify from the command line to load the four LDIF files:

        cd $IAM_HOME/oam/server/oim-intg/ldif/iplanet/schema/

        ldapadd -h <ODSEE Server> -p <ODSEE port> -D <ODSEE Admin ID> -w <ODSEE Admin password> -f iPlanet7_user_index_add.ldif

        or

        ldapadd -h <ODSEE Server> -p <ODSEE port> -D <ODSEE Admin ID> -w <ODSEE Admin password> -f iPlanet7_user_index_generic.ldif

        ldapmodify -h <ODSEE Server> -p <ODSEE port> -D <ODSEE Admin ID> -w <ODSEE Admin password> -f iPlanet_oam_pwd_schema_add.ldif

        ldapmodify -h <ODSEE Server> -p <ODSEE port> -D <ODSEE Admin ID> -w <ODSEE Admin password> -f iPlanet_user_schema_add.ldif

        ldapadd -h <ODSEE Server> -p <ODSEE port> -D <ODSEE Admin ID> -w <ODSEE Admin password> -f iPlanet_user_index_add.ldif

    • For OUD

      • To extend OAM Schema for OUD, locate the following files:

        $IAM_HOME/oam/server/oim-intg/ldif/ojd/schema/ojd_user_schema_add.ldif

        $IAM_HOME/oam/server/oim-intg/ldif/ojd/schema/ojd_user_index_generic.ldif

        $IAM_HOME/oam/server/oim-intg/ldif/ojd/schema/ojd_oam_pwd_schema_add.ldif

      • Use ldapmodify from the command line to load the following three LDIF files:

        cd $IAM_HOME/oam/server/oim-intg/ldif/ojd/schema/

        ldapmodify -h <OUD Server> -p <OUD port> -D <OUD Admin ID> -w <OUD Admin password> -f ojd_user_schema_add.ldif

        ldapmodify -h <OUD Server> -p <OUD Admin SSL port> -D <OUD Admin ID> -w <OUD Admin password> -Z -X -a -f ojd_user_index_generic.ldif

        ldapmodify -h <OUD Server> -p <OUD port> -D <OUD Admin ID> -w <OUD Admin password> -f ojd_oam_pwd_schema_add.ldif

        After all the indexes in ojd_user_index_generic.ldif are imported, the indexes must be rebuilt, either online or offline.

        To rebuild the index Offline:

        1) Stop the OUD server by executing the following command:

        $MW_HOME/asinst_1/OUD/bin/stop-ds

        2) Rebuild the index one by one for all index attributes mentioned in the file ojd_user_index_generic.ldif by executing the following command:

        $MW_HOME/asinst_1/OUD/bin/rebuild-index -h <OUD Server> -p <OUD Admin SSL port> -D <OUD Admin ID> -j <passwordfile> -X --baseDN <baseDN> --index <attribute>

        For example:

        $MW_HOME/asinst_1/OUD/bin/rebuild-index -h localhost -p 5444 -D "cn=Directory Manager" -j pwd.txt -X --baseDN dc=mycompany,dc=com --index obgroupadministrator

        3) Restart the OUD server by executing the following command:

        $MW_HOME/asinst_1/OUD/bin/start-ds

        To rebuild the index Online:

        If you rebuild the index online, the OUD server need not be stopped and restarted.

        Rebuild the index one by one for all index attributes mentioned in the file ojd_user_index_generic.ldif by executing the following command:

        $MW_HOME/asinst_1/OUD/bin/rebuild-index -h <OUD Server> -p <OUD Admin SSL port> -D <OUD Admin ID> -j <passwordfile> -X --baseDN <baseDN> --index <attribute>

        For example:

        $MW_HOME/asinst_1/OUD/bin/rebuild-index -h localhost -p 5444 -D "cn=Directory Manager" -j pwd.txt -X --baseDN dc=mycompany,dc=com --index obgroupadministrator --index obid --index oblocationdn

        Note:

        To find out the OUD Admin SSL port, check the configuration in <OUD Home Directory>/config/config.ldif, under the entry cn=Administration Connector,cn=config. It is the value of the attribute ds-cfg-listen-port.

        For example:

        $MW_HOME/asinst_1/OUD/config/config.ldif has 5444 as OUD Admin SSL port.

        dn: cn=Administration Connector,cn=config

        objectClass: ds-cfg-administration-connector

        objectClass: top

        ds-cfg-listen-address: 0.0.0.0

        ds-cfg-listen-port: 5444

  7. If you are using Oracle Directory Server Enterprise Edition (ODSEE), you must enable moddn and Changelog properties in the ODSEE Directory Server.

    Skip this step if you are using Oracle Internet Directory (OID), Active Directory or Oracle Unified Directory (OUD).
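The following shell helpers are an added example, not Oracle tooling, covering steps 1 through 4 and the OUD index rebuild in step 6. They assume an OID-style directory (orclaci ACI syntax; ODSEE and OUD use the aci attribute instead), a reconciliation search base of cn=oracleAccounts under the root suffix so that cn=systemids stays outside it, and constructed sample config.ldif and index LDIF files; the function names and the instance path are the example's own, and the rebuild-index commands are printed for review rather than executed.

```shell
#!/bin/sh
# Added example, not Oracle's own tooling. Assumes an OID-style directory
# (orclaci ACI syntax); ODSEE and OUD use the "aci" attribute syntax instead.

# Steps 1-4: emit LDIF for the oracleAccounts and systemids containers, the
# Users/Groups/Reserve containers, the OIM proxy user (under cn=systemids, i.e.
# outside a cn=oracleAccounts search base, so reconciliation never imports it),
# the oimadmingroup, and an ACI on each container granting that group full
# access to its subtree.  $1 = root suffix, $2 = proxy user password.
oim_preconfig_ldif() {
  suffix="$1"; proxy_pw="$2"
  group="cn=oimadmingroup,cn=systemids,$suffix"
  cat <<EOF
dn: cn=oracleAccounts,$suffix
objectClass: orclContainer
cn: oracleAccounts

dn: cn=systemids,$suffix
objectClass: orclContainer
cn: systemids

dn: cn=oimadminuser,cn=systemids,$suffix
objectClass: inetOrgPerson
cn: oimadminuser
sn: oimadminuser
uid: oimadminuser
userPassword: $proxy_pw

dn: $group
objectClass: groupOfUniqueNames
cn: oimadmingroup
uniqueMember: cn=oimadminuser,cn=systemids,$suffix
EOF
  for c in Users Groups Reserve; do
    cat <<EOF

dn: cn=$c,cn=oracleAccounts,$suffix
objectClass: orclContainer
cn: $c
orclaci: access to entry by group="$group" (browse,add,delete)
orclaci: access to attr=(*) by group="$group" (read,search,write,compare)
EOF
  done
}

# Step 6 (OUD): the Admin SSL port is the ds-cfg-listen-port of the
# cn=Administration Connector,cn=config entry in config.ldif.  $1 = config.ldif
oud_admin_ssl_port() {
  awk '/^dn: / { hit = ($0 == "dn: cn=Administration Connector,cn=config") }
       hit && /^ds-cfg-listen-port: / { print $2; exit }' "$1"
}

# Step 6 (OUD): each index entry in the index LDIF names its attribute in
# ds-cfg-attribute; rebuild-index must be run once per attribute.
# $1 = index LDIF (ojd_user_index_generic.ldif)
oud_index_attributes() {
  awk '/^ds-cfg-attribute: / { print $2 }' "$1"
}

# Print, without running, one rebuild-index command per indexed attribute so
# the list can be reviewed before the server is stopped for an offline rebuild.
# $1 = instance dir, $2 = config.ldif, $3 = index LDIF, $4 = base DN
oud_rebuild_commands() {
  port=$(oud_admin_ssl_port "$2")
  [ -n "$port" ] || { echo "admin connector port not found in $2" >&2; return 1; }
  for attr in $(oud_index_attributes "$3"); do
    printf '%s/OUD/bin/rebuild-index -h localhost -p %s -D "cn=Directory Manager" -j pwd.txt -X --baseDN %s --index %s\n' \
      "$1" "$port" "$4" "$attr"
  done
}

# Demo on constructed sample files (not real Oracle files).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/config.ldif" <<'EOF'
dn: cn=LDAP Connection Handler,cn=Connection Handlers,cn=config
objectClass: ds-cfg-ldap-connection-handler
ds-cfg-listen-port: 1389

dn: cn=Administration Connector,cn=config
objectClass: ds-cfg-administration-connector
objectClass: top
ds-cfg-listen-address: 0.0.0.0
ds-cfg-listen-port: 5444
EOF
cat > "$demo_dir/index.ldif" <<'EOF'
dn: ds-cfg-attribute=obid,cn=Index,ds-cfg-backend-id=userRoot,cn=Backends,cn=config
objectClass: ds-cfg-local-db-index
ds-cfg-attribute: obid
ds-cfg-index-type: equality

dn: ds-cfg-attribute=oblocationdn,cn=Index,ds-cfg-backend-id=userRoot,cn=Backends,cn=config
objectClass: ds-cfg-local-db-index
ds-cfg-attribute: oblocationdn
ds-cfg-index-type: equality
EOF
oim_preconfig_ldif dc=mycompany,dc=com 'REPLACE_WITH_PROXY_PASSWORD'
oud_rebuild_commands "${MW_HOME:-/u01/oracle}/asinst_1" "$demo_dir/config.ldif" \
  "$demo_dir/index.ldif" dc=mycompany,dc=com
```

Pipe the LDIF output into ldapmodify -a against the directory only after reviewing it; the rebuild-index lines are meant to be pasted one by one, as the page's step 2 describes.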

5.7.5.2 Creating Adapters in Oracle Virtual Directory

Oracle Virtual Directory communicates with other directories through adapters. Before you can start using Oracle Virtual Directory as an identity store, you must create adapters to each of the directories you want to use. The procedure is slightly different, depending on the directory you are connecting to.

Note:

This procedure is applicable only if you are using OVD as the Directory Server. If you choose to use OID, Active Directory, Oracle Directory Server Enterprise Edition (ODSEE) or Oracle Unified Directory as the Directory Server, the required adapters are created and configured while installing and configuring the Oracle Identity Manager server. For more information on managing the adapters, see "Managing Identity Virtualization Library (libOVD) Adapters" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.

The User Management and Changelog adapters for Identity Virtualization Library configured by the Oracle Identity Manager installer are stored in adapters.os_xml file. The adapters.os_xml will be in the following location:

$DOMAIN_HOME/config/fmwconfig/ovd/<context>/

For example:

$DOMAIN_HOME/config/fmwconfig/ovd/oim1/adapters.os_xml

The following sections show how to create adapters for the respective directories:

5.7.5.2.1 Creating Adapters for Oracle Internet Directory

User Adapter

Create the user adapter for Oracle Virtual Directory. Follow the steps below to create the User Adapter in Oracle Virtual Directory using Oracle Directory Services Manager.

  1. Open a browser and bring up the ODSM console at http://hostname:port/odsm

    Note:

    The default port number is 7005.

  2. Connect to Oracle Virtual Directory by using the appropriate connection entry.

  3. On the Home page, click the Adapter tab.

  4. Start the New Adapter Wizard by clicking Create Adapter at the top of the adapter window.

  5. Create a new adapter using the New Adapter Wizard, with the following parameters:

    Table 5-2 Parameters for User Adapter Creation

    Screen           Field                       Value/Step
    Type             Adapter Type                LDAP
                     Adapter Name                User Adapter
                     Adapter Template            User_OID
    Connection       Use DNS for Auto Discovery  No
                     Host                        idstore.mycompany.com
                     Port                        389
                     Server Proxy Bind DN        cn=oimAdminUser,cn=systemids,dc=mycompany,dc=com
                     Proxy Password              Password for oimadmin user.
    Connection Test                              Validate that the test succeeds.
    Namespace        Remote Base                 dc=mycompany,dc=com
                     Mapped Namespace            dc=mycompany,dc=com


    Verify that the summary is correct and then click Finish.

  6. Edit the User Adapter as follows:

    1. Select the User Adapter.

    2. Click the Plug-ins Tab.

    3. Click the User Management Plug-in, then click Edit in the plug-ins table. The plug-in editing window appears.

    4. In the Parameters table, update the parameter values as follows:

      Table 5-3 User Adapter Parameter Values

      Parameter       Value
      directoryType   oid
      pwdMaxFailure   10
      oamEnabled      true or false. Set this parameter to true only if you are setting up integration between Oracle Identity Manager and Oracle Access Manager at a later time.
      mapObjectclass  container=orclContainer


    5. Click OK.

    6. Click Apply.

Change Log Adapter

Create the change log adapter for Oracle Virtual Directory. Follow the steps below to create the Change Log Adapter in Oracle Virtual Directory using Oracle Directory Services Manager.

  1. Open a browser and bring up the ODSM console at http://hostname:port/odsm

    Note:

    The default port number is 7005.

  2. Connect to Oracle Virtual Directory by using the appropriate connection entry.

  3. On the Home page, click on the Adapter tab.

  4. Start the New Adapter Wizard by clicking Create Adapter at the top of the adapter window.

  5. Create a new adapter using the New Adapter Wizard, with the following parameters:

    Table 5-4 Parameters for Change Log Adapter Creation

    Screen           Field                       Value/Step
    Type             Adapter Type                LDAP
                     Adapter Name                Change Log Adapter
                     Adapter Template            Changelog_OID
    Connection       Use DNS for Auto Discovery  No
                     Host                        policystore.mycompany.com
                     Port                        389
                     Server Proxy Bind DN        cn=oimAdminUser,cn=systemids,dc=mycompany,dc=com
                     Proxy Password              Password for oimadmin user
    Connection Test                              Validate that the test succeeds
    Namespace        Remote Base                 Remote Base should be empty
                     Mapped Namespace            cn=changelog


    Verify that the summary is correct, then click Finish.

  6. To edit the change adapter follow the steps below:

    1. Select the OIM Change Log Adapter.

    2. Click the Plug-ins tab.

    3. In the Deployed Plug-ins table, click the changelog plug-in, then click Edit in the plug-ins table. The plug-in editing window appears.

    4. In the Parameters table, update the parameter values.

      Edit the Change Log Adapter to either add or modify the properties so that they match the values shown in the following table. You must add the modifierDNFilter, sizeLimit, and targetDNFilter properties to the adapter.

      Table 5-5 Changelog Adapter Parameter Values

      Parameter              Value
      directoryType          oid
      mapAttribute           targetGUID=orclguid
      requiredAttribute      orclguid
      modifierDNFilter       !(modifiersname=cn=oimAdminUser,cn=systemids,<root suffix>)
                             Note: This is an example. The value can be any proxy DN that the customer defines. For example, the root suffix can be dc=mycompany,dc=com.
      sizeLimit              1000
      targetDNFilter         Optional parameter. For more information, see Important Notes on Changelog Plugin Configuration.
      oamEnabled             true or false. Set this parameter to true only if you are setting up integration between Oracle Identity Manager and Oracle Access Manager at a later time.
      mapUserState           true. For more information, see Important Notes on Changelog Plugin Configuration.
      virtualDITAdapterName  Name of the OID User Management adapter. For more information, see Important Notes on Changelog Plugin Configuration.


    5. Click OK.

    6. Click Apply.

Note:

For more information about these plug-in parameters, refer to the Understanding the Oracle Virtual Directory Plug-ins section in the Oracle Fusion Middleware Administrator's Guide for Oracle Virtual Directory 11g Release 1 (11.1.1).

Restarting Oracle Virtual Directory

Restart Oracle Virtual Directory, as described in Starting or Stopping the Oracle Stack.

5.7.5.2.2 Creating Adapters for Microsoft Active Directory Server

User Adapter

Create the user adapter for Oracle Virtual Directory. Follow these steps to create the User Adapter in Oracle Virtual Directory using Oracle Directory Services Manager.

    1. Start the Administration Server and the ODSM Managed Server as described in Starting or Stopping the Oracle Stack.

    2. Open a browser and bring up the ODSM console at http://hostname:port/odsm

      Note:

      The default port number is 7005.

    3. Connect to Oracle Virtual Directory by using the appropriate connection entry.

    4. On the Home page, click the Adapter tab.

    5. Start the New Adapter Wizard by clicking Create Adapter at the top of the adapter window.

    6. Create a new adapter using the New Adapter Wizard, with the following parameters:

      Table 5-6 Parameters for New User Adapter Creation

      Screen           Field                       Value/Step
      Type             Adapter Type                LDAP
                       Adapter Name                User Adapter
                       Adapter Template            User_ActiveDirectory
      Connection       Use DNS for Auto Discovery  No
                       Host                        Active Directory host/virtual name
                       Port                        Active Directory SSL port
                       Server Proxy Bind DN        cn=oimAdminUser,cn=systemids,dc=mycompany,dc=com
                       Proxy Password              Password for oimadmin user.
                       User SSL/TLS                Selected
                       SSL Authentication Mode     Server Only Authentication
      Connection Test                              Validate that the test succeeds.
      Namespace        Remote Base                 dc=mycompany,dc=com
                       Mapped Namespace            dc=mycompany,dc=com


      Verify that the summary is correct and then click Finish.

    7. Edit the User Adapter as follows:

      1. Select the OIM User Adapter.

      2. Click the Plug-ins Tab.

      3. Click the User Management Plug-in, then click Edit in the plug-ins table. The plug-in editing window appears.

      4. In the Parameters table, update the parameter values as follows:

        Table 5-7 User Adapter Parameter Values

        Parameter         Value
        directoryType     activedirectory
        mapAttribute      orclguid=objectGuid
        mapAttribute      uniquemember=member
        addAttribute      user,samaccountname=%uid%,%orclshortuid%
        mapAttribute      mail=userPrincipalName
        mapAttribute      ntgrouptype=grouptype
        mapObjectclass    groupofUniqueNames=group
        mapObjectclass    inetOrgPerson=user
        mapObjectclass    orclidxperson=user
        mapPassword       true
        exclusionMapping  orclappiduser,uid=samaccountname
        pwdMaxFailure     10
        oamEnabled        true or false. Set this parameter to true only if you are setting up integration between Oracle Identity Manager and Oracle Access Manager at a later time.
        oimLanguages      For language support, you need to edit the User Management plugin to add a new configuration parameter oimLanguages. See Important Notes on User Management Plugin Configuration.


      5. Click OK.

      6. Click Apply.

Important Notes on User Management Plugin Configuration

oimLanguages attribute: For language support, you need to edit the User Management plugin to add a new configuration parameter oimLanguages.

For example, if the Managed Localization for the DisplayName while creating the User in Oracle Identity Manager is selected as French, then the value for oimLanguages in the User Management adapter plugin should be fr. If you have other languages to be supported, say Japanese, then the value for the parameter should be fr,ja.

This parameter is functional only when the directoryType parameter is set to activedirectory.

The User Management plugin has the following configuration parameter for this purpose:

oimLanguages: <comma-separated list of language codes to be used in attribute language subtypes>

Table 5-8 Language Codes for the MLS Enabled Attributes

Objectclass: orclIDXPerson
  MLS Enabled Attributes: cn, sn, givenName, middleName, displayName, o, ou, title, postalAddress, st, description, orclGenerationQualifier
  Language Codes: sq, ar, as, az, bn, bg, be, ca, zh-CN, zh-TW, hr, cs, da, nl, en, et, fi, fr, de, el, gu, he, hi, hu, is, id, it, ja, kn, kk, ko, lv, lt, mk, ms, ml, mr, no, or, pl, pt, pt-BR, pa, ro, ru, sr, sk, sl, es, sv, ta, te, th, tr, uk, uz, vi

Objectclass: orclIDXGroup
  MLS Enabled Attributes: cn, displayName, description
  Language Codes: sq, ar, as, az, bn, bg, be, ca, zh-CN, zh-TW, hr, cs, da, nl, en, et, fi, fr, de, el, gu, he, hi, hu, is, id, it, ja, kn, kk, ko, lv, lt, mk, ms, ml, mr, no, or, pl, pt, pt-BR, pa, ro, ru, sr, sk, sl, es, sv, ta, te, th, tr, uk, uz, vi


Change Log Adapter

Follow the steps below to create the Change Log Adapter in Oracle Virtual Directory using Oracle Directory Services Manager.

  1. Open a browser and bring up the ODSM console at http://hostname:port/odsm

    Note:

    The default port number is 7005.

  2. Connect to Oracle Virtual Directory by using the appropriate connection entry.

  3. On the Home page, click on the Adapter tab.

  4. Start the New Adapter Wizard by clicking Create Adapter at the top of the adapter window.

  5. Create a new adapter using the New Adapter Wizard, with the following parameters:

    Table 5-9 Parameters for New Change Log Adapter Creation

    Screen           Field                       Value/Step
    Type             Adapter Type                LDAP
                     Adapter Name                OIM Change Log Adapter
                     Adapter Template            Changelog_ActiveDirectory
    Connection       Use DNS for Auto Discovery  No
                     Host                        Active Directory host/virtual name
                     Port                        389
                     Server Proxy Bind DN        cn=oimAdminUser,cn=systemids,dc=mycompany,dc=com
                     Proxy Password              Password for oimadmin user
    Connection Test                              Validate that the test succeeds
    Namespace        Remote Base                 Remote Base should be empty
                     Mapped Namespace            cn=changelog


    Verify that the summary is correct and then click Finish.

  6. To edit the change adapter follow the steps below:

    1. Select the OIM Change Log Adapter.

    2. Click the Plug-ins tab.

    3. In the Deployed Plug-ins table, click the changelog plug-in, then click Edit in the plug-ins table. The plug-in editing window appears.

    4. In the Parameters table, update the parameter values.

      Edit the Change Log Adapter to either add or modify the properties so that they match the values shown in Table 5-10. You must add the sizeLimit and targetDNFilter properties to the adapter.

      Table 5-10 Changelog Adapter Parameter Values

      Parameter              Value
      directoryType          activedirectory
      mapAttribute           targetGUID=objectGuid
      requiredAttribute      samaccountname
      sizeLimit              1000
      targetDNFilter         Optional parameter. For more information, see Important Notes on Changelog Plugin Configuration.
      oamEnabled             true or false. Set this parameter to true only if you are setting up integration between Oracle Identity Manager and Oracle Access Manager at a later time.
      mapUserState           true. For more information, see Important Notes on Changelog Plugin Configuration.
      virtualDITAdapterName  The name of the User adapter. For more information, see Important Notes on Changelog Plugin Configuration.


      Note:

      The parameter modifierDNFilter should not be added to Active Directory Changelog plugin adapter.

    5. Click OK.

    6. Click Apply.

5.7.5.2.3 Creating Adapters for Oracle Directory Server Enterprise Edition (ODSEE)

User Adapter

Create the user adapter for Oracle Virtual Directory. Follow the steps below to create the User Adapter in Oracle Virtual Directory using Oracle Directory Services Manager.

  1. Start the Administration Server and the ODSM Managed Server as described in Starting or Stopping the Oracle Stack.

  2. Open a browser and bring up the ODSM console at http://hostname:port/odsm

    Note:

    The default port number is 7005.

  3. Connect to Oracle Virtual Directory by using the appropriate connection entry.

  4. On the Home page, click on the Adapter tab.

  5. Start the New Adapter Wizard by clicking on Create Adapter at the top of the adapter window.

  6. Create a new adapter using the New Adapter Wizard, with the following parameters:

    Table 5-11 Parameters for New User Adapter Creation

    Screen           Field                       Value/Step
    Type             Adapter Type                LDAP
                     Adapter Name                User Adapter
                     Adapter Template            User_SunOne
    Connection       Use DNS for Auto Discovery  No
                     Host                        Sun Java System Directory Server host/virtual name
                     Port                        Sun Java System Directory Server port
                     Server Proxy Bind DN        cn=oimAdminUser,cn=systemids,dc=mycompany,dc=com
                     Proxy Password              Password for oimadmin user (cn=oimAdminUser,cn=systemids,dc=mycompany,dc=com)
    Connection Test                              Validate that the test succeeds.
    Namespace        Remote Base                 dc=mycompany,dc=com
                     Mapped Namespace            dc=mycompany,dc=com


    Verify that the summary is correct and then click Finish.

    Note:

    For information about creating Oracle Identity Manager user adapter by using Oracle Directory Services Manager, refer to the "Creating LDAP Adapters" topic in the Oracle Fusion Middleware Administrator's Guide for Oracle Virtual Directory.

  7. Edit the User Adapter as follows:

    1. Select the OIM User Adapter.

    2. Click the Plug-ins Tab.

    3. Click the User Management Plug-in, then click Edit in the plug-ins table. The plug-in editing window appears.

    4. In the Parameters table, update the parameter values as follows:

      Table 5-12 User Adapter Parameter Values

      Parameter       Value
      directoryType   sunone
      mapAttribute    orclGUID=nsUniqueID
      mapObjectclass  container=nsContainer
      pwdMaxFailure   10
      oamEnabled      true or false. Set this parameter to true only if you are setting up integration between Oracle Identity Manager and Oracle Access Manager at a later time.


    5. Click OK.

    6. Click Apply.

Change Log Adapter

Follow the steps below to create the Change Log Adapter in Oracle Virtual Directory using Oracle Directory Services Manager.

  1. Open a browser and bring up the ODSM console at http://hostname:port/odsm

    Note:

    The default port number is 7005.

  2. Connect to Oracle Virtual Directory by using the appropriate connection entry.

  3. On the Home page, click on the Adapter tab.

  4. Start the New Adapter Wizard by clicking on Create Adapter at the top of the adapter window.

  5. Create a new adapter using the New Adapter Wizard, with the following parameters:

    Table 5-13 Parameters for New Change Log Adapter Creation

    Screen           Field                       Value/Step
    Type             Adapter Type                LDAP
                     Adapter Name                OIM Change Log Adapter
                     Adapter Template            Changelog_SunOne
    Connection       Use DNS for Auto Discovery  No
                     Host                        Sun Java System Directory Server host/virtual name
                     Port                        Sun Java System Directory Server port
                     Server Proxy Bind DN        cn=oimAdminUser,cn=systemids,dc=mycompany,dc=com
                     Proxy Password              Password for oimadmin user (cn=oimAdminUser,cn=systemids,dc=mycompany,dc=com)
    Connection Test                              Validate that the test succeeds.
    Namespace        Remote Base                 Remote Base should be empty
                     Mapped Namespace            cn=changelog


    Verify that the summary is correct, then click Finish.

    Note:

    For information about creating Oracle Identity Manager user adapter by using Oracle Directory Services Manager, refer to the "Creating LDAP Adapters" topic in the Oracle Fusion Middleware Administrator's Guide for Oracle Virtual Directory.

  6. To edit the Change Log Adapter, follow the steps below:

    1. Select the OIM Change Log Adapter.

    2. Click the Plug-ins tab.

    3. In the Deployed Plug-ins table, click the changelog plug-in, then click Edit in the plug-ins table. The plug-in editing window appears.

    4. In the Parameters table, update the parameter values.

      Edit the Change Log Adapter to either add or modify the properties so that they match the values shown in the following table. You must add the mapObjectclass, modifierDNFilter, sizeLimit, and targetDNFilter properties to the adapter.

      Table 5-14 Changelog Adapter Parameter Values

      Parameter               Value
      directoryType           sunone
      mapAttribute            targetGUID=targetUniqueID
      mapObjectclass          changelog=changelogentry
      modifierDNFilter        !(modifiersname=cn=oimAdminUser,cn=systemids,<root suffix>)
                              Note: This is an example; the value can be any proxy DN that the customer defines.
                              For example, <root suffix> can be dc=mycompany,dc=com.
      sizeLimit               1000
      virtualDITAdapterName   Name of the iPlanet User Management adapter.
                              For more information, see Important Notes on Changelog Plugin Configuration.
      targetDNFilter          Optional parameter.
                              For more information, see Important Notes on Changelog Plugin Configuration.
      oamEnabled              true or false
                              Set this parameter to true only if you are setting up integration between
                              Oracle Identity Manager and Oracle Access Manager at a later time.
      mapUserState            true
                              For more information, see Important Notes on Changelog Plugin Configuration.


    5. Click OK.

    6. Click Apply.

    Note:

    For more information about these plug-in parameters, refer to the Understanding the Oracle Virtual Directory Plug-ins section in the Oracle Fusion Middleware Administrator's Guide for Oracle Virtual Directory 11g Release 1 (11.1.1).

5.7.5.2.4 Creating Adapters for Oracle Unified Directory (OUD)

User Adapter

Create the user adapter for Oracle Virtual Directory. Follow the steps below to create the User Adapter in Oracle Virtual Directory using Oracle Directory Services Manager.

  1. Start the Administration Server and the ODSM Managed Server as described in Starting or Stopping the Oracle Stack.

  2. Open a browser and bring up the ODSM console at http://hostname:port/odsm

    Note:

    The default port number is 7005.

  3. Connect to Oracle Virtual Directory by using the appropriate connection entry.

  4. On the Home page, click on the Adapter tab.

  5. Start the New Adapter Wizard by clicking on Create Adapter at the top of the adapter window.

  6. Create a new adapter using the New Adapter Wizard, with the following parameters:

    Table 5-15 Parameters for New User Adapter Creation

    Screen       Field                        Value/Step
    Type         Adapter Type                 LDAP
                 Adapter Name                 User Adapter
                 Adapter Template             User_OUD
    Connection   Use DNS for Auto Discovery   No
                 Host                         Oracle Unified Directory Server host/virtual name
                 Port                         Oracle Unified Directory Server port
                 Server Proxy Bind DN         cn=oimAdminUser,cn=systemids,dc=mycompany,dc=com
                 Proxy Password               Password for the oimAdminUser account
                                              (cn=oimAdminUser,cn=systemids,dc=mycompany,dc=com)
                 Connection Test              Validate that the test succeeds.
    Namespace    Remote Base                  dc=mycompany,dc=com
                 Mapped Namespace             dc=mycompany,dc=com

    Verify that the summary is correct, then click Finish.

    Note:

    For information about creating Oracle Identity Manager user adapter by using Oracle Directory Services Manager, refer to the "Creating LDAP Adapters" topic in the Oracle Fusion Middleware Administrator's Guide for Oracle Virtual Directory.

  7. Edit the User Adapter as follows:

    1. Select the OIM User Adapter.

    2. Click the Plug-ins Tab.

    3. Click the User Management Plug-in, then click Edit in the plug-ins table. The plug-in editing window appears.

    4. In the Parameters table, update the parameter values as follows:

      Table 5-16 User Adapter Parameter Values

      Parameter        Value
      directoryType    oud
      mapObjectclass   container=orclContainer
      pwdMaxFailure    10
      oamEnabled       true or false
                       Set this parameter to true only if you are setting up integration between
                       Oracle Identity Manager and Oracle Access Manager at a later time.


    5. Click OK.

    6. Click Apply.

Change Log Adapter

Follow the steps below to create the Change Log Adapter in Oracle Virtual Directory using Oracle Directory Services Manager.

  1. Open a browser and bring up the ODSM console at http://hostname:port/odsm

    Note:

    The default port number is 7005.

  2. Connect to Oracle Virtual Directory by using the appropriate connection entry.

  3. On the Home page, click on the Adapter tab.

  4. Start the New Adapter Wizard by clicking on Create Adapter at the top of the adapter window.

  5. Create a new adapter using the New Adapter Wizard, with the following parameters:

    Table 5-17 Parameters for New Change Log Adapter Creation

    Screen       Field                        Value/Step
    Type         Adapter Type                 LDAP
                 Adapter Name                 OIM Change Log Adapter
                 Adapter Template             Changelog_OUD
    Connection   Use DNS for Auto Discovery   No
                 Host                         Oracle Unified Directory Server host/virtual name
                 Port                         Oracle Unified Directory Server port
                 Server Proxy Bind DN         cn=oimAdminUser,cn=systemids,dc=mycompany,dc=com
                 Proxy Password               Password for the oimAdminUser account
                                              (cn=oimAdminUser,cn=systemids,dc=mycompany,dc=com)
                 Connection Test              Validate that the test succeeds.
    Namespace    Remote Base                  Remote Base should be empty
                 Mapped Namespace             cn=changelog

    Verify that the summary is correct, then click Finish.

    Note:

    For information about creating Oracle Identity Manager user adapter by using Oracle Directory Services Manager, refer to the "Creating LDAP Adapters" topic in the Oracle Fusion Middleware Administrator's Guide for Oracle Virtual Directory.

  6. To edit the Change Log Adapter, follow the steps below:

    1. Select the OIM Change Log Adapter.

    2. Click the Plug-ins tab.

    3. In the Deployed Plug-ins table, click the changelog plug-in, then click Edit in the plug-ins table. The plug-in editing window appears.

    4. In the Parameters table, update the parameter values.

      Edit the Change Log Adapter to either add or modify the properties so that they match the values shown in the following table. You must add the mapObjectclass, modifierDNFilter, sizeLimit, and targetDNFilter properties to the adapter.

      Table 5-18 Changelog Adapter Parameter Values

      Parameter               Value
      directoryType           oud
      mapAttribute            targetGUID=targetuniqueid
      mapObjectclass          changelog=changelogentry
      removeAttribute         entryuuid
      modifierDNFilter        !(modifiersname=cn=oimAdminUser,cn=systemids,<root suffix>)
                              Note: This is an example; the value can be any proxy DN that the customer defines.
                              For example, <root suffix> can be dc=mycompany,dc=com.
      sizeLimit               1000
      virtualDITAdapterName   Name of the OUD User Management adapter.
                              For more information, see Important Notes on Changelog Plugin Configuration.
      targetDNFilter          Optional parameter.
                              For more information, see Important Notes on Changelog Plugin Configuration.
      oamEnabled              true or false
                              Set this parameter to true only if you are setting up integration between
                              Oracle Identity Manager and Oracle Access Manager at a later time.
      mapUserState            true
                              For more information, see Important Notes on Changelog Plugin Configuration.


    5. Click OK.

    6. Click Apply.

    Note:

    For more information about these plug-in parameters, refer to the Understanding the Oracle Virtual Directory Plug-ins section in the Oracle Fusion Middleware Administrator's Guide for Oracle Virtual Directory 11g Release 1 (11.1.1).

5.7.5.2.5 Important Notes on Changelog Plugin Configuration
  • The virtualDITAdapterName parameter must be added after the changelog adapter is created.

    virtualDITAdapterName identifies the corresponding user profile adapter name. For example, in a single-directory deployment, you can set this parameter value to A1, which is the user adapter name.

    If you set virtualDITAdapterName to A1, the plug-in fetches the mapAttribute and mapObjectclass configuration from the UserManagementPlugin of adapter A1, so you do not have to duplicate those configurations.

    This configuration is mandatory when directoryType=ActiveDirectory: it makes the GUID mapping happen during incremental reconciliation, which otherwise fails with a missing required attribute exception (LDAP GUID=null).

    In the Active Directory changelog plug-in, add the virtualDITAdapterName attribute and set it to the name of the Active Directory User Management adapter. This is required so that the changelog plug-in picks up the attribute mappings defined in the Active Directory User Management adapter plug-in, because the Active Directory schema and the OIM schema differ.

  • Set the targetDNFilter attribute if you want to perform reconciliation from a specific user container and group container instead of from the root suffix.

    These values should be the ones entered for User Container and Role Container during the configuration of Oracle Identity Manager when LDAP Sync is enabled.

    For example:

    targetDNFilter : cn=Groups,l=amer,dc=mycountry,dc=mycompany, dc=com

    targetDNFilter : cn=Groups,l=amer,dc=mycountry,dc=mycompany, dc=com

    These settings reconcile all users and groups from the above-mentioned containers in the back-end Directory Server.

  • The changelog adapter plug-in should always have the mapUserState attribute set to true so that the orclaccountenabled attribute is returned in the search result.

Note:

If you are using Identity Virtualization Library, then see "Managing Identity Virtualization Library (libOVD) Adapters" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.

For more information about these plug-in parameters, refer to the "Understanding the Oracle Virtual Directory Plug-ins" section in the Oracle Fusion Middleware Administrator's Guide for Oracle Virtual Directory 11g Release 1 (11.1.1).

5.7.6 Running the LDAP Post-Configuration Utility

You must run the LDAP post-configuration utility after you have configured the Oracle Identity Manager Server and exited the Oracle Identity Manager Configuration Wizard. The LDAP configuration post-setup script enables all the LDAP Sync-related incremental Reconciliation Scheduler jobs, which are disabled by default.

Note:

This procedure is applicable to all the Directory Server options. The LDAP post-configuration utility must be run after configuring Oracle Identity Manager Server. This procedure is required only if you chose to enable and configure LDAP Sync during the Oracle Identity Manager Server configuration.

Setting Up Environment Variables

Before you run the LDAP post-configuration utility, you must ensure that the following environment variables are set:

  • APP_SERVER - is set to the application server on which Oracle Identity Manager is running. Set APP_SERVER to weblogic.

  • JAVA_HOME - is set to the directory where the JDK is installed on your machine.

  • MW_HOME - is set to the Middleware home path provided during the Oracle Identity Manager installation.

  • OIM_ORACLE_HOME - is set to the directory where Oracle Identity Manager is deployed.

    For example:

    On UNIX, it is the <MW_HOME>/IAM_Home directory.

    On Windows, it is the <MW_HOME>\IAM_Home directory.

  • WL_HOME - is set to the wlserver_10.3 directory under your Middleware Home.

    For example:

    On UNIX, it is the <MW_HOME>/wlserver_10.3 directory.

    On Windows, it is the <MW_HOME>\wlserver_10.3 directory.

  • DOMAIN_HOME - is set to the domain of the WebLogic Server.

    For example:

    On UNIX, it is the <MW_HOME>/user_projects/domains/base_domain directory.

    On Windows, it is the <MW_HOME>\user_projects\domains\base_domain directory.

Running the LDAP Post-Configuration Utility

Run the LDAP post-configuration utility as follows:

  1. Open the ldapconfig.props file in a text editor. This file is located in the server/ldap_config_util directory under the IAM_Home for Oracle Identity and Access Management.

  2. In the ldapconfig.props file, set values for the following parameters:

    • OIMServerType - Specify the application server on which Oracle Identity Manager is deployed.

      For example:

      OIMServerType=WLS

    • OIMProviderURL - Specify the URL for the OIM provider.

      If the OIMServerType is WLS, then

      OIMProviderURL=t3://localhost:ManagedServerPort

      For example:

      OIMProviderURL=t3://localhost:14000

    • LDAPURL - Specify the URL for the OVD instance.

      If an OVD server was selected during Oracle Identity Manager installation, provide a value for LDAPURL. If an OVD server was not selected, leave LDAPURL blank.

      LDAPURL=ldap://<OVD server>:<OVD Port>

      For example:

      LDAPURL=ldap://OVDserver.examplehost.exampledomain.com:6501

      Note:

      If you selected Active Directory, ODSEE, or OUD as the directory server during Oracle Identity Manager installation and enabled LDAPSync, do not specify a value for the LDAPURL parameter. Leave LDAPURL blank, for example: LDAPURL=

      Enter the OVD server and OVD port number in the URL only if you are using Oracle Virtual Directory (OVD) as the directory server.

    • LDAPAdminUsername - Specify the user name for the OVD Administrator.

      If an OVD server was selected during Oracle Identity Manager installation, provide the administrator user name used to connect to the LDAP/OVD server.

      For example:

      LDAPAdminUsername=cn=oimAdminUser,cn=systemids,dc=mycompany,dc=com

      Notes:

      • LDAPAdminUsername is the name of the user used to connect to the Identity Store. For example: cn=oimAdminUser,cn=systemids,dc=mycompany,dc=com

        This LDAPAdminUsername must not be located in the user container where the customer's user accounts reside (for example, cn=Users,cn=oracleAccounts,dc=mycompany,dc=com). The user must be outside the search scope so that it is not reconciled into OIM.

      • If you selected Active Directory, ODSEE, or OUD as the directory server during Oracle Identity Manager installation and enabled LDAPSync, do not specify a value for the LDAPAdminUsername parameter. Leave LDAPAdminUsername blank, for example: LDAPAdminUsername=

        Enter the OVD administrator user name as the value only if you are using Oracle Virtual Directory (OVD) as the directory server.

    • LIBOVD_PATH_PARAM - Specify the configuration directory path of libOVD.

      If an OVD server was not selected during Oracle Identity Manager installation, provide the following value for this parameter:

      LIBOVD_PATH_PARAM=<Middleware_Home>/user_projects/domains/base_domain/config/fmwconfig/ovd/oim

      Notes:

      • If you selected Active Directory, ODSEE, or OUD as the directory server during Oracle Identity Manager installation and enabled LDAPSync, specify a value for this property similar to the example given above.

      • If an OVD server was selected during Oracle Identity Manager installation, leave this parameter blank, for example: LIBOVD_PATH_PARAM=

    • ChangeLogNumber - Leave this parameter blank.

  3. Ensure the required environment variables are set, as described in "Setting Up Environment Variables".

  4. Start the Oracle Identity Manager Managed Server. For more information, see Starting the Servers.

  5. The utility and the properties files are located in the server/ldap_config_util directory under your IAM_Home. IAM_Home is the Oracle Identity and Access Management home directory for Oracle Identity Manager, Oracle Access Management, Oracle Adaptive Access Manager, Oracle Entitlements Server, Oracle Identity Navigator, Oracle Privileged Account Manager, and Oracle Access Management Mobile and Social.

    On the command line, run the LDAP configuration post-setup script as follows:

    On Windows:

    LDAPConfigPostSetup.bat <location of the directory containing the ldapconfig.props file>

    For example:

    LDAPConfigPostSetup.bat c:\Oracle\Middleware\IAM_Home\server\ldap_config_util

    On UNIX:

    LDAPConfigPostSetup.sh <location of the directory containing the ldapconfig.props file>

    For example:

    LDAPConfigPostSetup.sh <MW_Home>/IAM_Home/server/ldap_config_util

  6. When prompted, enter the OIM administrator's password and the LDAP administrator password as applicable.

    Notes:

    • If you selected Active Directory, ODSEE, or OUD as the directory server during Oracle Identity Manager installation and enabled LDAPSync, the utility prompts only for the OIM administrator password. This is the password of the xelsysadm user.

    • If you selected OVD as the directory server during Oracle Identity Manager installation and enabled LDAPSync, the utility prompts for the following passwords:

      LDAP admin password: the OVD server's administrator password.

      OIM admin password: the password of the xelsysadm user.
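
The environment-variable list under "Setting Up Environment Variables" and the mutual-exclusion rules for LDAPURL, LDAPAdminUsername and LIBOVD_PATH_PARAM in steps 1 to 5 are easy to get wrong by hand. The following POSIX shell wrapper is an added example, not part of the Oracle utility: it checks the variables, validates ldapconfig.props against the rules stated above, and only then calls LDAPConfigPostSetup.sh. The function names (check_env, check_props, run_post_setup) and the sample property values used in the comments are assumptions for illustration; the file locations are the ones the guide gives.

```shell
#!/bin/sh
# Added pre-flight wrapper for LDAPConfigPostSetup.sh (example code, not part
# of the Oracle utility). Checks the environment variables the guide lists and
# the consistency rules for ldapconfig.props before invoking the script.

# Print the value of key $2 from properties file $1 (empty if absent or blank).
# A trailing carriage return is stripped in case the file was edited on Windows.
prop_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | tr -d '\r'
}

# Return 0 when every required variable is set and APP_SERVER is weblogic.
check_env() {
    rc=0
    for v in APP_SERVER JAVA_HOME MW_HOME OIM_ORACLE_HOME WL_HOME DOMAIN_HOME; do
        eval "val=\${$v:-}"
        if [ -z "$val" ]; then
            echo "check_env: $v is not set" >&2
            rc=1
        fi
    done
    if [ "${APP_SERVER:-}" != "weblogic" ]; then
        echo "check_env: APP_SERVER must be 'weblogic' (is '${APP_SERVER:-}')" >&2
        rc=1
    fi
    return "$rc"
}

# Return 0 when ldapconfig.props ($1) follows the rules in the guide:
#   OVD as directory server -> LDAPURL and LDAPAdminUsername set, LIBOVD_PATH_PARAM blank
#   AD/ODSEE/OUD via libOVD -> LDAPURL and LDAPAdminUsername blank, LIBOVD_PATH_PARAM set
#   always                  -> OIMServerType=WLS, OIMProviderURL uses t3://, ChangeLogNumber blank
check_props() {
    f="$1"
    rc=0
    [ -r "$f" ] || { echo "check_props: cannot read $f" >&2; return 1; }
    st=$(prop_value "$f" OIMServerType)
    purl=$(prop_value "$f" OIMProviderURL)
    lurl=$(prop_value "$f" LDAPURL)
    ladm=$(prop_value "$f" LDAPAdminUsername)
    lib=$(prop_value "$f" LIBOVD_PATH_PARAM)
    cln=$(prop_value "$f" ChangeLogNumber)

    [ "$st" = "WLS" ] || { echo "check_props: OIMServerType must be WLS" >&2; rc=1; }
    case "$purl" in
        t3://*) ;;
        *) echo "check_props: OIMProviderURL must start with t3:// for WLS" >&2; rc=1 ;;
    esac
    [ -z "$cln" ] || { echo "check_props: ChangeLogNumber must be left blank" >&2; rc=1; }

    if [ -n "$lurl" ]; then
        # OVD deployment: the admin user is required, the libOVD path must be blank
        [ -n "$ladm" ] || { echo "check_props: LDAPAdminUsername is required with OVD" >&2; rc=1; }
        [ -z "$lib" ]  || { echo "check_props: LIBOVD_PATH_PARAM must be blank with OVD" >&2; rc=1; }
    else
        # AD / ODSEE / OUD through libOVD: the path is required, OVD fields must be blank
        [ -z "$ladm" ] || { echo "check_props: LDAPAdminUsername must be blank without OVD" >&2; rc=1; }
        [ -n "$lib" ]  || { echo "check_props: LIBOVD_PATH_PARAM is required without OVD" >&2; rc=1; }
        [ -z "$lib" ] || [ -d "$lib" ] || echo "check_props: warning, LIBOVD_PATH_PARAM directory not found: $lib" >&2
    fi
    return "$rc"
}

# Run the post-setup script only after both checks pass.
# $1 = directory containing ldapconfig.props (defaults to the location the guide gives).
run_post_setup() {
    dir="${1:-$OIM_ORACLE_HOME/server/ldap_config_util}"
    check_env || return 1
    check_props "$dir/ldapconfig.props" || return 1
    "$OIM_ORACLE_HOME/server/ldap_config_util/LDAPConfigPostSetup.sh" "$dir"
}
```

Usage is `run_post_setup "$OIM_ORACLE_HOME/server/ldap_config_util"` after sourcing the file. Passwords are deliberately not read from the properties file or the command line; the utility prompts for them, as step 6 describes, so they never appear in the process list or in shell history.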

5.7.7 Verifying the LDAP Synchronization

To verify the configuration of LDAP with Oracle Identity Manager, complete the following steps:

  1. Ensure that the WebLogic Administration Server and the Oracle Identity Manager Managed Server are up and running.

  2. Invoke the Oracle Identity Manager Administration Console (http://<host>:<port>/sysadmin), which is deployed on the Administration Server.

  3. In this console, click Search under Configurations -> Manage IT Resource. If the LDAP information is correct, the resource information is displayed. Verify that the parameter values shown here, such as Search Base, Reservation Container, URL, and Bind DN, match the values you provided during the Oracle Identity Manager configuration when enabling LDAPSync.

    For more information, see “Managing IT Resources” in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.

  4. Create a normal user using the Oracle Identity Manager Self Service Console:

    http://<host>:<port>/identity

  5. If the user is created, verify the creation in the chosen LDAP store or OVD using any LDAP client.

Note:

Ensure that the chosen Directory server or OVD, and Oracle Identity Manager are up and running.
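
For step 5, the following shell helper is an added example (not part of the guide) that performs the check with OpenLDAP's ldapsearch. The login is escaped per RFC 4515 before it is placed in the search filter, so a value containing `*`, `(`, `)` or `\` cannot widen the search; `-W` prompts for the bind password so it does not appear on the command line or in the process list. The function names, the uid attribute, and the host, bind DN and search base shown in the usage note are assumptions; the search base should be the User Container entered when LDAP Sync was enabled.

```shell
#!/bin/sh
# Added example (not Oracle's code): confirm from the command line that a user
# created in the OIM Self Service Console was synchronized to the directory.

# Escape a value for use inside an LDAP search filter (RFC 4515).
# Backslash is replaced first because the other replacements introduce backslashes.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Build an equality filter on the login attribute (uid is an assumption; use the
# attribute your directory maps the OIM User Login to).
user_filter() {
    printf '(uid=%s)' "$(ldap_filter_escape "$1")"
}

# Return 0 when exactly the given login exists under the search base.
# $1 = login, $2 = LDAP URL (directory server or OVD), $3 = bind DN, $4 = search base
oim_user_exists() {
    ldapsearch -x -LLL -H "$2" -D "$3" -W -b "$4" -s sub "$(user_filter "$1")" dn \
        | grep -q '^dn:'
}
```

Usage (assumed values): `oim_user_exists jdoe ldap://ovdserver.example.com:6501 cn=oimAdminUser,cn=systemids,dc=mycompany,dc=com cn=Users,cn=oracleAccounts,dc=mycompany,dc=com` exits 0 when the entry is present. Requesting only the dn attribute keeps the output minimal, and binding as the same oimAdminUser the adapters use confirms that the proxy account can actually see the entry.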

5.7.8 Post-Configuration Steps

After installing and configuring Oracle Identity Manager Server, you must complete the following manual steps:

  • Set the XEL_HOME variable in the setenv script (setenv.bat on Windows, and setenv.sh on UNIX) as follows:

    On Windows:

    Open the <IAM_Home>\server\bin\setenv.bat file and search for XEL_HOME variable. Update the path of the XEL_HOME variable to the absolute path of <IAM_Home>\server.

    For example, if your IAM_Home is the C:\oracle\Middleware\IAM_Home directory, then set XEL_HOME in the setenv.bat file to the C:\oracle\Middleware\IAM_Home\server directory.

    On UNIX:

    Open the <IAM_Home>/server/bin/setenv.sh file and search for the XEL_HOME variable. Update the path of the XEL_HOME variable to the absolute path of <IAM_Home>/server.

    For example, if your IAM_Home is the /test/Middleware/IAM_Home directory, then set XEL_HOME in the setenv.sh file to the /test/Middleware/IAM_Home/server directory.

  • If you are extending an Oracle Identity Manager domain to include Oracle Privileged Account Manager, you must complete the following steps:

    1. Go to <DOMAIN_HOME>/config/fmwconfig directory. Create a backup of the jps-config.xml file.

    2. Edit the jps-config.xml file. Locate the section of the file containing jpsContexts, as shown below:

      <jpsContexts default="default">
          <jpsContext name="default">
              <serviceInstanceRef ref="credstore.db"/>
              <serviceInstanceRef ref="keystore.db"/>
              <serviceInstanceRef ref="policystore.db"/>
              <serviceInstanceRef ref="audit.db"/>
              <serviceInstanceRef ref="idstore.oim"/>
              <serviceInstanceRef ref="trust"/>
              <serviceInstanceRef ref="pdp.service"/>
              <serviceInstanceRef ref="attribute"/>
              <serviceInstanceRef ref="sso.inst.0"/>
          </jpsContext>

    3. Make a copy of the above entry and change <jpsContext name="default"> to <jpsContext name="oim">

    4. Edit the original entry and change <serviceInstanceRef ref="idstore.oim"/> to <serviceInstanceRef ref="idstore.ldap"/>

    5. After you have edited the file, the final version of the file should look like the one shown below:

      <jpsContexts default="default">
          <jpsContext name="default">
              <serviceInstanceRef ref="credstore.db"/>
              <serviceInstanceRef ref="keystore.db"/>
              <serviceInstanceRef ref="policystore.db"/>
              <serviceInstanceRef ref="audit.db"/>
              <serviceInstanceRef ref="idstore.ldap"/>
              <serviceInstanceRef ref="trust"/>
              <serviceInstanceRef ref="pdp.service"/>
              <serviceInstanceRef ref="attribute"/>
              <serviceInstanceRef ref="sso.inst.0"/>
          </jpsContext>
          <jpsContext name="oim">
              <serviceInstanceRef ref="credstore.db"/>
              <serviceInstanceRef ref="keystore.db"/>
              <serviceInstanceRef ref="policystore.db"/>
              <serviceInstanceRef ref="audit.db"/>
              <serviceInstanceRef ref="idstore.oim"/>
              <serviceInstanceRef ref="trust"/>
              <serviceInstanceRef ref="pdp.service"/>
              <serviceInstanceRef ref="attribute"/>
              <serviceInstanceRef ref="sso.inst.0"/>
          </jpsContext>

    6. Save the jps-config.xml file.

    7. Log in to Oracle Enterprise Manager Fusion Middleware Control using your WebLogic Server administrator credentials.

      Note:

      Before logging in to Oracle Enterprise Manager Fusion Middleware Control, ensure that the Oracle Identity Manager Managed server is up and running.

    8. Click on Identity and Access > oim > oim(11.1.1.2.0). Right-click and select System MBean Browser. The System MBean Browser page is displayed.

    9. Select Application Defined MBeans.

    10. Under Application Defined MBeans, select oracle.as.soainfra.config > Server:<soa_server> > WorkflowIdentityConfig > human-workflow > WorkflowIdentityConfig.ConfigurationType > jazn.com > WorkflowIdentityConfig.ConfigurationType.ProviderType > JpsProvider > WorkflowIdentityConfig.ConfigurationType.ProviderType.PropertyType

    11. Click on jpsContextName and change the Value to oim.

    12. Click Apply.

    13. Restart the WebLogic Administration Server, SOA Managed Server, and Oracle Identity Manager Managed Server, as described in Appendix C, "Starting the Stack"
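
The jps-config.xml edit in steps 2 to 5 above decides which identity store the default context and the oim context resolve to, so an error there is a security-relevant misconfiguration rather than a cosmetic one. The following shell functions are an added example, not part of the Oracle product: add_oim_context applies the edit with awk to a copy of the file, and verify_jps_contexts checks that the result has a default context on idstore.ldap and an oim context on idstore.oim and nothing crossed over. The function names are assumptions; run them against the backup taken in step 1, never in place, and apply the transformation only once (a second run would give the oim context idstore.ldap, which the verifier rejects).

```shell
#!/bin/sh
# Added example (not Oracle's code): apply and verify the jps-config.xml edit
# from the Oracle Privileged Account Manager post-configuration steps.

# Copy the "default" jpsContext into a second context named "oim" that keeps
# idstore.oim, and switch the original "default" context to idstore.ldap.
# $1 = input jps-config.xml, $2 = output file (must differ from the input).
add_oim_context() {
    awk '
        /<jpsContext name="default">/ { inblk = 1; blk = "" }
        inblk { blk = blk $0 "\n" }           # collect the original block verbatim
        {
            line = $0
            if (inblk) sub(/ref="idstore\.oim"/, "ref=\"idstore.ldap\"", line)
            print line                        # original block, now on idstore.ldap
        }
        inblk && /<\/jpsContext>/ {
            inblk = 0
            copy = blk
            sub(/name="default"/, "name=\"oim\"", copy)   # rename the copied block
            printf "%s", copy                            # emit it after the original
        }
    ' "$1" > "$2"
}

# Return 0 when $1 has a "default" context using idstore.ldap and an "oim"
# context using idstore.oim, and neither context references the other store.
verify_jps_contexts() {
    awk '
        /<jpsContext name="/ {
            match($0, /name="[^"]*"/)
            ctx = substr($0, RSTART + 6, RLENGTH - 7)
        }
        ctx != "" && /serviceInstanceRef ref="idstore\./ {
            match($0, /ref="[^"]*"/)
            seen[ctx "=" substr($0, RSTART + 5, RLENGTH - 6)] = 1
        }
        /<\/jpsContext>/ { ctx = "" }
        END {
            ok = ("default=idstore.ldap" in seen) && ("oim=idstore.oim" in seen)
            ok = ok && !("default=idstore.oim" in seen) && !("oim=idstore.ldap" in seen)
            if (ok) exit 0
            exit 1
        }
    ' "$1"
}

# Number of jpsContext elements in $1 (two are expected after the edit).
count_contexts() {
    grep -c '<jpsContext name="' "$1"
}
```

Usage: `add_oim_context jps-config.xml.bak jps-config.xml.new && verify_jps_contexts jps-config.xml.new` and, only after the check passes, move the new file into <DOMAIN_HOME>/config/fmwconfig and continue with step 6. The verifier is deliberately independent of the edit, so it can also be run on a file that was edited by hand.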

5.7.9 Setting oamEnabled Parameter for Identity Virtualization Library

Follow these steps to set the oamEnabled parameter. Set oamEnabled to true only if you want to integrate Oracle Identity Manager and Oracle Access Management at a later time. This procedure applies only if you use Identity Virtualization Library.

  1. Log in to Oracle Enterprise Manager Fusion Middleware Control at http://adminvhn.mycompany.com:7001/em as the user weblogic.

  2. Go to Weblogic Domain -> base_domain. Right-click Oim(11.1.1.3.0), and click System MBean Browser.

  3. Go to: Application defined MBeans -> com.oracle -> Domain:base_domain -> OVD

  4. You will see the AdaptersConfig options. Click the one that has a plus (+) symbol, indicating a subtree, then click OVDAdaptersConfig. You should see CHANGELOG_oid1 and oid1.

  5. Configure oamEnabled in both adapters.

    Follow these steps to configure oamEnabled in the Changelog adapter:

    1. Click CHANGELOG_oid1 and keep expanding the tree until the very end. You should see changelog with a bean symbol. Double-click changelog.

    2. Click the Operations subtab.

    3. Click the removeParam operation.

    4. Enter oamEnabled in the text box and click Invoke. The operation returns either true or false.

    5. Return to the original page with the operations.

    6. Click the addParam operation.

    7. Enter oamEnabled as the name and true as the value.

    8. Click Invoke to complete the addParam operation.

    Follow these steps to configure oamEnabled in the UserManagement adapter:

    1. Click oid1 and keep expanding the tree until the very end. You should see UserManagement with a bean symbol. Double-click UserManagement.

    2. Click the Operations subtab.

    3. Click the removeParam operation.

    4. Enter oamEnabled in the text box and click Invoke. The operation returns either true or false.

    5. Return to the original page with the operations.

    6. Click the addParam operation.

    7. Enter oamEnabled as the name and true as the value.

    8. Click Invoke to complete the addParam operation.

  6. Restart Oracle Identity Manager Managed Server and SOA Managed Server.

5.7.10 Enabling LDAP Sync after Installing and Configuring Oracle Identity Manager Server at a Later Point

LDAP Sync can be enabled at any point after installing and configuring Oracle Identity Manager Server. For more information on enabling LDAP Sync after installing and configuring Oracle Identity Manager Server, see "Enabling LDAP Synchronization in Oracle Identity Manager" in the Oracle Fusion Middleware Integration Guide for Oracle Identity Management Suite.

5.8 Optional: Configuring Oracle Identity Manager Design Console

This topic describes how to install and configure only Oracle Identity Manager Design Console, which is supported on Windows operating systems only.

It includes the following sections:

5.8.1 Appropriate Deployment Environment

Perform the installation and configuration in this topic if you want to install Oracle Identity Manager Design Console on a separate Windows machine where Oracle Identity Manager Server is not configured. For more information, see Scenario 1: Oracle Identity Manager Server and Design Console on Different Machines.

5.8.2 Components Deployed

Performing the installation and configuration in this section deploys only Oracle Identity Manager Design Console on the Windows operating system.

5.8.3 Dependencies

The installation and configuration in this section depends on the installation of Oracle Identity and Access Management 11g software and on the configuration of Oracle Identity Manager Server. For more information, see Installing Oracle Identity and Access Management (11.1.2) and Configuring Oracle Identity Manager Server.

5.8.4 Procedure

Perform the following steps to install and configure only Oracle Identity Manager Design Console on the Windows operating system:

  1. Ensure that all the prerequisites, described in Prerequisites for Configuring Only Oracle Identity Manager Design Console on a Different Machine, are satisfied. In addition, see Important Notes Before You Start Configuring Oracle Identity Manager.

  2. On the Windows machine where Oracle Identity Manager Design Console should be configured, start the Oracle Identity Manager Configuration Wizard, as described in Starting the Oracle Identity Manager 11g Configuration Wizard. The Welcome screen appears.

  3. On the Welcome screen, click Next. The Components to Configure screen appears.

    On the Components to Configure screen, select only the OIM Design Console check box. Click Next. The OIM Server Host and Port screen appears.

  4. On the OIM Server Host and Port screen, enter the host name of the Oracle Identity Manager Server in the OIM Server Hostname field. In the OIM Server Port field, enter the port number of the Oracle Identity Manager Server on which the Oracle Identity Manager application is running. Click Next. The Configuration Summary screen appears.

    The Configuration Summary screen lists the application that you selected for configuration and summarizes your configuration options, such as OIM Server host name and port.

    Review this summary and decide whether to start the configuration. If you want to modify any of the configuration settings at this stage, select a topic in the left navigation pane and modify your choices. To continue installing this configuration of the Oracle Identity Manager Design Console, click Configure.

    Note:

    Before configuring an application, you can save your configuration settings and preferences in a response file. Response files are text files that you can create or edit in a text editor. You can use response files to perform a silent installation or use as templates or customized settings for your environment. For more information, see Performing a Silent Installation.

    After you click Configure, the Configuration Progress screen appears. A configuration log is saved to the logs directory under Oracle Inventory directory. For information about the log files, see Installation Log Files. If the Configuration Progress screen displays any errors, click Abort to stop the installation and restart the Oracle Identity Manager Configuration Wizard.

  5. Click Finish.

Note:

If the configuration fails, click Abort to stop the installation and restart the Oracle Identity Manager Configuration Wizard, as described in Starting the Oracle Identity Manager 11g Configuration Wizard.

5.8.5 Post-Configuration Steps

Complete the following steps after configuring the Oracle Identity Manager Design Console on the Windows operating system:

  1. On the machine where Oracle WebLogic Server is installed (the machine where Oracle Identity Manager Server is installed), create the wlfullclient.jar file as follows:

    1. Use the cd command to move from your present working directory to the <MW_HOME>\wlserver_10.3\server\lib directory.

    2. Ensure that JAVA_HOME is set, as in the following example:

      D:\oracle\<MW_HOME>\jdk160_24

      To set this variable, right-click the My Computer icon and select Properties. The System Properties screen is displayed. Click the Advanced tab and click the Environment Variables button. The Environment Variables screen is displayed. Ensure that the JAVA_HOME variable in the User Variables section is set to the path of the JDK directory installed on your machine.

      After setting the JAVA_HOME variable, select the Path variable in the System Variables section on the same Environment Variables screen, and click Edit. The Edit System Variable dialog box is displayed. In the variable value field, enter the complete path to your JAVA_HOME, such as D:\oracle\<MW_HOME>\jdk160_24, preceded by a semicolon (;). The semicolon is used as the delimiter for multiple paths entered in this field.

    3. After verifying the values, click OK.

  2. Use the following steps to create a wlfullclient.jar file for a JDK 1.6 client application:

    1. Change directories to the server/lib directory.

      cd WL_HOME/server/lib

    2. Use the following command to create wlfullclient.jar in the server/lib directory:

      java -jar wljarbuilder.jar

      This command generates the wlfullclient.jar file.

  3. Copy the wlfullclient.jar file to the <IAM_Home>\designconsole\ext\ directory on the machine where Design Console is configured.

  4. Ensure that the Administration Server and the Oracle Identity Manager Managed Server are started. For information about starting the servers, see Starting the Stack.

  5. Start the Design Console client by running the xlclient.cmd executable script, which is available in the <IAM_Home>\designconsole\ directory.

  6. Log in to the Design Console with your Oracle Identity Manager user name and password.

5.8.6 Updating the xlconfig.xml File to Change the Port for Design Console

To point the Design Console at a port other than the one set during configuration, update the xlconfig.xml file as follows:

  1. In a text editor, open the <IAM_Home>\designconsole\config\xlconfig.xml file.

  2. Locate the following elements:

    • ApplicationURL

    • java.naming.provider.url

  3. In both elements, change the port number to the new Oracle Identity Manager server port.

  4. Restart the Design Console.

Note:

You do not have to perform this procedure during installation. It is required if you want to change ports while using the product. You must ensure that the Oracle Identity Manager server port is changed to this new port before performing these steps.

5.8.7 Configuring Design Console to Use SSL

To configure the Design Console to use SSL, complete the following steps:

  1. Add the WebLogic Server jar files required to support SSL by copying the webserviceclient+ssl.jar file from the <WL_HOME>/server/lib directory to the <IAM_Home>/designconsole/ext directory.

  2. Use the server trust store in Design Console as follows:

    1. Log in to the Oracle WebLogic Administration Console using the WebLogic administrator credentials.

    2. Under Domain Structure, click Environment > Servers. The Summary of Servers page is displayed.

    3. Click on the Oracle Identity Manager server name (for example, oim_server1). The Settings for oim_server1 is displayed.

    4. Click the Keystores tab.

    5. From the Trust section, note down the path and file name of the trust keystore.

  3. Set the TRUSTSTORE_LOCATION environment variable as follows:

    • If Oracle Identity Manager Design Console and Oracle Identity Manager Server are installed and configured on the same machine, set the TRUSTSTORE_LOCATION environment variable to the location of the trust keystore that you noted down.

      For example, on Windows:

      set TRUSTSTORE_LOCATION=D:\test\DemoTrust.jks

      On Linux or UNIX (bash): export TRUSTSTORE_LOCATION=/test/DemoTrust.jks

      DemoTrust.jks is the WebLogic demonstration trust store. It trusts the demonstration certificate authority that ships with every WebLogic installation, so use it only for testing and point this variable at your real trust store in production.

    • If Oracle Identity Manager Design Console and Oracle Identity Manager Server are installed and configured on different machines, copy the trust keystore file to the machine where Design Console is configured. Copy only the trust keystore, which holds public CA certificates, not the server's identity keystore with its private key. Set the TRUSTSTORE_LOCATION environment variable to the location of the copied trust keystore file on the local machine.

  4. If the Design Console was installed without SSL enabled, complete the following steps:

    1. Open the <IAM_Home>/designconsole/config/xlconfig.xml file in a text editor.

    2. Edit the <ApplicationURL> element to use HTTPS and the SSL port, and the <java.naming.provider.url> element to use the T3S protocol and the SSL port, as in the following example:

      <ApplicationURL>https://<host>:<sslport>/xlWebApp/loginWorkflowRenderer.do</ApplicationURL>

      <java.naming.provider.url>t3s://<host>:<sslport></java.naming.provider.url>

      Note:

      For a clustered installation, you can direct the SSL request to only one of the servers in the cluster, as the single host in the provider URL above shows.

    3. Save the file and exit.
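The port change in Section 5.8.6 and the SSL switch in Section 5.8.7 both come down to rewriting the same two elements of xlconfig.xml. The following script does that rewrite for either case and refuses to switch to SSL unless TRUSTSTORE_LOCATION already points at a file. It is an added example, not code from the Oracle guide or the product: the element nesting in the embedded sample file is a constructed placeholder, and only the two element names, the http/https and t3/t3s scheme pairs, and the TRUSTSTORE_LOCATION variable are taken from this chapter.

```python
"""Switch the Design Console connection settings in xlconfig.xml.

Added example; it is not from the Oracle guide or the product. It assumes only
what the guide states: the file carries an ApplicationURL element (HTTP/HTTPS)
and a java.naming.provider.url element (t3/t3s), and an SSL connection uses
https, t3s and the server's SSL port. The nesting in SAMPLE_XLCONFIG below is
a constructed placeholder, not the real file layout.
"""
import os
import sys
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

# Constructed sample input; only the two tag names are taken from the guide.
SAMPLE_XLCONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<xl-configuration>
  <Discovery>
    <ApplicationURL>http://oimhost.example.com:14000/xlWebApp/loginWorkflowRenderer.do</ApplicationURL>
    <java.naming.provider.url>t3://oimhost.example.com:14000</java.naming.provider.url>
  </Discovery>
</xl-configuration>
"""

TO_SSL = {"http": "https", "t3": "t3s"}      # plain scheme -> SSL scheme
TO_PLAIN = {v: k for k, v in TO_SSL.items()}  # and back


def rewrite_url(url, port, ssl):
    """Return url with the port replaced and the scheme switched to or from SSL."""
    parts = urlsplit(url)
    scheme = (TO_SSL if ssl else TO_PLAIN).get(parts.scheme, parts.scheme)
    host = parts.hostname
    if host is None:
        raise ValueError(f"no host in {url!r}")
    if ":" in host:  # IPv6 literal must be bracketed again in the netloc
        host = f"[{host}]"
    return urlunsplit((scheme, f"{host}:{int(port)}", parts.path, parts.query, parts.fragment))


def update_xlconfig(xml_text, port, ssl):
    """Rewrite both elements; return (new xml text, {tag: new value}).

    Fails if either element is missing or duplicated, rather than editing
    something other than what the guide describes.
    """
    root = ET.fromstring(xml_text)
    changed = {}
    for tag in ("ApplicationURL", "java.naming.provider.url"):
        elems = list(root.iter(tag))
        if len(elems) != 1:
            raise ValueError(f"expected exactly one <{tag}>, found {len(elems)}")
        elems[0].text = rewrite_url((elems[0].text or "").strip(), port, ssl)
        changed[tag] = elems[0].text
    return ET.tostring(root, encoding="unicode"), changed


def truststore_ready():
    """The SSL setup in the guide needs TRUSTSTORE_LOCATION to name an existing file."""
    path = os.environ.get("TRUSTSTORE_LOCATION")
    return bool(path) and os.path.isfile(path)


if __name__ == "__main__":
    # usage: python update_xlconfig.py <IAM_Home>/designconsole/config/xlconfig.xml <port> [ssl]
    path, port = sys.argv[1], int(sys.argv[2])
    ssl = len(sys.argv) > 3 and sys.argv[3] == "ssl"
    if ssl and not truststore_ready():
        sys.exit("TRUSTSTORE_LOCATION is unset or does not point to a file; set it first")
    with open(path, encoding="utf-8") as f:
        new_text, changed = update_xlconfig(f.read(), port, ssl)
    with open(path, "w", encoding="utf-8") as f:
        f.write(new_text)
    for tag, value in changed.items():
        print(f"{tag} -> {value}")
```

Run it against <IAM_Home>\designconsole\config\xlconfig.xml with the new port, adding the word ssl for the HTTPS/T3S form. ElementTree drops the XML declaration and any comments when it writes the file back, so keep a copy of the original before running it in place, and restart the Design Console afterwards as the procedure requires.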

5.9 Optional: Configuring Oracle Identity Manager Remote Manager

This topic describes how to install and configure only Oracle Identity Manager Remote Manager. It includes the following sections:

5.9.1 Appropriate Deployment Environment

Perform the installation and configuration in this topic if you want to install Oracle Identity Manager Remote Manager on a separate machine. For more information, see Scenario 2: Oracle Identity Manager Server and Remote Manager on Different Machines.

5.9.2 Components Deployed

Performing the installation and configuration in this section deploys only Oracle Identity Manager Remote Manager.

5.9.3 Dependencies

The installation and configuration in this section depends on the installation of Oracle Identity and Access Management 11g software and on the configuration of Oracle Identity Manager Server. For more information, see Installing Oracle Identity and Access Management (11.1.2) and Prerequisites for Configuring Only Oracle Identity Manager Remote Manager on a Different Machine.

5.9.4 Procedure

Perform the following steps to install and configure only Oracle Identity Manager Remote Manager:

  1. Ensure that all the prerequisites, described in Prerequisites for Configuring Only Oracle Identity Manager Remote Manager on a Different Machine, are satisfied. In addition, see Important Notes Before You Start Configuring Oracle Identity Manager.

  2. On the machine where Oracle Identity Manager Remote Manager should be configured, start the Oracle Identity Manager Configuration Wizard, as described in Starting the Oracle Identity Manager 11g Configuration Wizard. The Welcome screen appears.

  3. On the Welcome screen, click Next. The Components to Configure screen appears.

    On the Components to Configure screen, select only the OIM Remote Manager check box. Click Next. The Remote Manager screen appears.

  4. On the Remote Manager screen, enter the service name in the Service Name field. Oracle Identity Manager Remote Manager will be registered under this service name. The service name is combined with the Registry URL to build the fully qualified service name, such as rmi://host:RMI Registry Port/service name.

  5. In the RMI Registry Port field, enter the port number on which the RMI registry should be started. The default port number is 12345.

  6. In the Listen Port (SSL) field, enter the port number on which a secure socket is opened to listen to client requests. The default port number is 12346. Click Next. The Keystore Password screen appears.

  7. On the KeyStore Password screen, in the KeyStore Password field, enter a new password for the keystore. A valid password contains 6 to 30 characters, begins with an alphabetic character, and uses only alphanumeric characters and special characters like Dollar ($), Underscore (_), and Pound (#). The password must contain at least one number. In the Confirm KeyStore Password field, enter the new password again. Click Next. The Configuration Summary screen appears.

  8. The Configuration Summary screen lists the application that you selected for configuration and summarizes your configuration options, such as Remote Manager Service Name, RMI Registry Port, and Remote Manager Listen Port (SSL).

    Review this summary and decide whether to start the configuration. If you want to modify any of the configuration settings at this stage, select a topic in the left navigation pane and modify your choices. To continue installing this configuration of the Oracle Identity Manager Remote Manager, click Configure.

    Note:

    Before configuring an application, you can save your configuration settings and preferences in a response file. Response files are text files that you can create or edit in a text editor. You can use response files to perform a silent installation or use as templates or customized settings for your environment. For more information, see Performing a Silent Installation.

  9. After you click Configure, the Configuration Progress screen appears. A configuration log is saved to the logs directory under Oracle Inventory directory. For information about the log files, see Installation Log Files. If the Configuration Progress screen displays any errors, click Abort to stop the installation and restart the Oracle Identity Manager Configuration Wizard.

  10. Click Finish.

Note:

Oracle Identity Manager Server certificates, such as xlserver.cert, are created in the DOMAIN_HOME/config/fmwconfig/ directory. You can use these certificates if you require server-side certificates for configuring Oracle Identity Manager Remote Manager.

If the configuration fails, click Abort to stop the installation and restart the Oracle Identity Manager Configuration Wizard, as described in Starting the Oracle Identity Manager 11g Configuration Wizard.
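The Remote Manager screens above fix three things that are easy to get wrong and only reported by the wizard after the fact: the keystore password rule, the shape of the fully qualified service name, and the SSL listen port. The following script checks a password against the rule exactly as stated, builds the rmi://host:port/service name from the same inputs, and, once the service is running, probes the SSL listener and reports the fingerprint of the certificate it serves. It is an added example, not code from the Oracle guide or the product; the sample host, service name and passwords are constructed, and it assumes that $, _ and # are the only special characters the password rule accepts.

```python
"""Checks for a Remote Manager configuration: the keystore password rule from
the KeyStore Password screen, the service name built from the Remote Manager
screen, and a probe of the SSL listen port once the service is running.

Added example; it is not from the Oracle guide or the product. Assumptions
are marked in the comments.
"""
import hashlib
import re
import socket
import ssl

RMI_REGISTRY_PORT_DEFAULT = 12345  # default shown on the Remote Manager screen
SSL_LISTEN_PORT_DEFAULT = 12346    # default shown on the Remote Manager screen

# Assumption: $, _ and # are the only special characters accepted. The guide
# lists them as examples ("like"), so the wizard itself may accept more.
_DISALLOWED_CHARS = re.compile(r"[^A-Za-z0-9$_#]")


def keystore_password_problems(password):
    """Return the rules the password violates; an empty list means it passes."""
    problems = []
    if not 6 <= len(password) <= 30:
        problems.append("length must be 6 to 30 characters")
    if not re.match(r"[A-Za-z]", password[:1]):
        problems.append("must begin with an alphabetic character")
    bad = sorted(set(_DISALLOWED_CHARS.findall(password)))
    if bad:
        problems.append("disallowed characters: " + "".join(bad))
    if not re.search(r"[0-9]", password):
        problems.append("must contain at least one number")
    return problems


def remote_manager_service_url(host, service_name, registry_port=RMI_REGISTRY_PORT_DEFAULT):
    """Fully qualified service name in the form the guide gives: rmi://host:port/service."""
    if not 1 <= registry_port <= 65535:
        raise ValueError(f"invalid RMI registry port {registry_port}")
    if not service_name or "/" in service_name or any(c.isspace() for c in service_name):
        raise ValueError(f"invalid service name {service_name!r}")
    return f"rmi://{host}:{registry_port}/{service_name}"


def ssl_listener_fingerprint(host, port=SSL_LISTEN_PORT_DEFAULT, timeout=5.0):
    """Connect to the SSL listen port and return the SHA-256 fingerprint of the
    certificate it presents.

    Certificate verification is disabled on purpose: this is a liveness probe
    that records which certificate the listener serves (compare it with the
    one in the Remote Manager keystore), not a trust decision. A handshake
    failure against a JDK 1.6 listener can also mean it offers only protocol
    versions that a current OpenSSL refuses by default, so check the server
    log before concluding the listener is down.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return hashlib.sha256(der).hexdigest()


if __name__ == "__main__":
    # Constructed sample values; rmhost.example.com is not a real host.
    print(remote_manager_service_url("rmhost.example.com", "RManager"))
    for candidate in ("Rm0teKeys#1", "1badstart", "nodigits$", "abc-def1"):
        print(candidate, keystore_password_problems(candidate) or "ok")
```

The password check deliberately returns every violated rule rather than stopping at the first, so a rejected value can be fixed in one pass. Call ssl_listener_fingerprint against the host and SSL listen port after the Remote Manager is started, and keep the fingerprint with the deployment record; any later change in it is worth an explanation.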

5.10 Verifying the Oracle Identity Manager Installation

Before you can verify the Oracle Identity Manager installation, ensure that the following servers are up and running:

You can verify your Oracle Identity Manager installation by:

5.11 Setting Up Integration with Oracle Access Management

For information about setting up integration between Oracle Identity Manager and Oracle Access Manager, see "Integrating Access Manager and Oracle Identity Manager" in the Oracle Fusion Middleware Integration Guide for Oracle Identity Management Suite.

5.12 List of Supported Languages

Oracle Identity Manager supports the following languages:

Arabic, Brazilian Portuguese, Czech, Danish, Dutch, Finnish, French, German, Greek, Hebrew, Hungarian, Italian, Japanese, Korean, Norwegian, Polish, Portuguese, Romanian, Russian, Simplified Chinese, Slovak, Spanish, Swedish, Thai, Traditional Chinese, and Turkish

5.13 Using the Diagnostic Dashboard

Diagnostic Dashboard is a stand-alone application that helps you validate some of the Oracle Identity Manager prerequisites and installation. You must have the appropriate system administrator permissions for your Application Server and Oracle Identity Manager environments to use this tool. You need DBA-level permissions to execute some database-related tests.

Note:

The Diagnostic Dashboard and Oracle Identity Manager must be installed on the same application server.

For more information about installing and using the Diagnostic Dashboard for Oracle Identity Manager, see the "Working with the Diagnostic Dashboard" topic in the Oracle Fusion Middleware System Administrator's Guide for Oracle Identity Manager.

5.14 Getting Started with Oracle Identity Manager After Installation

After installing Oracle Identity Manager, refer to "Oracle Identity Manager System Administration Interface" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.