Skip Headers
Oracle® Fusion Middleware Integration Guide for Oracle Identity Management Suite
11g Release 2 (11.1.2)

Part Number E27123-03
Go to Documentation Home
Home
Go to Table of Contents
Contents
Go to Index
Index
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
PDF · Mobi · ePub

7 Integrating Access Manager and Oracle Identity Manager

This chapter explains how to integrate Oracle Access Management Access Manager (Access Manager), Oracle Identity Manager, Oracle Virtual Directory, and Oracle Internet Directory. The following configuration instructions assume these components have been installed in a single-node topology, as discussed in Chapter 1, "Introduction".

If you are integrating Access Manager with Oracle Identity Manager for an enterprise deployment, for information see the configuration scenarios described in Oracle Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management.

For prerequisite and detailed instructions required for installing the components described in this example integration configuration, see Oracle Fusion Middleware Installation Guide for Oracle Identity Management and Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

Note:

The instructions in this chapter assumes the that Oracle Internet Directory is configured as the Identity Store and is front-ended by Oracle Virtual Directory to virtualize the data sources. Other component configurations are possible. Refer to the system requirements and certification documentation on Oracle Technology Network for more information about supported configurations.

This chapter contains these sections:

7.1 About the Integration

This integration scenario enables you to manage identities with Oracle Identity Manager and control access to resources with Access Manager. Access Manager provides a centralized and automated single sign-on (SSO) solution. Access Manager uses a database for policy and configuration data and a single directory for identity data. This integration scenario assumes a single directory server, namely Oracle Internet Directory, is front-ended by Oracle Virtual Directory. Oracle Identity Manager is a user provisioning and administration solution that automates user account management.

You can deploy the Identity Management components in a single WebLogic Server domain, which may be convenient for a development or test environment. You can also configure the components to be in a cross domain (also known as split domain) deployment where Access Manager and Oracle Identity Manager are installed in different WebLogic Server domains.

For more information about password management flows when Access Manager and Oracle Identity Manager are integrated, see Section 1.5.3, "Password Management Scenarios".

7.2 Integration Roadmap

Table 7-1 lists the high-level tasks for integrating Access Manager and Oracle Identity Manager with Oracle Virtual Directory and Oracle Internet Directory.

Table 7-1 Integration Flow for Oracle Access Manager and Oracle Identity Manager

No. Task Information

1

Verify that all required components have been installed and configured prior to integration.

For more information, see Integration Prerequisites.

2

Enable LDAP synchronization for Oracle Identity Manager.

For information, see:

in Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

See the Oracle Identity Manager details in Table 7-2, "Required Components for Integration Scenario".

3

Configure the Identity Store by extending the schema.

For information, see Extending Directory Schema for Access Manager.

4

Configure the Identity Store with the users required by Access Manager.

For information, see Creating Users and Groups for Access Manager.

5

Configure the Identity Store with the users required by Oracle Identity Manager.

For information, see Creating Users and Groups for Oracle Identity Manager.

6

Configure the Identity Store with the users required by Oracle WebLogic Server

For more information, see Creating Users and Groups for Oracle WebLogic Server.

7

Edit the OVD User and Changelog Adapters so the oamEnabled parameter is set to true.

For information, see "Creating Adapters in Oracle Virtual Directory" in Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

See Oracle Virtual Directory details in Table 7-2, "Required Components for Integration Scenario".

8

Stop the Oracle WebLogic Server managed servers for Access Manager and Oracle Identity Manager

For information, see "Starting and Stopping Oracle WebLogic Server Instances" in Oracle Fusion Middleware Administrator's Guide.

9

Extend Access Manager to support Oracle Identity Manager

For information, see Configuring Access Manager for Integration.

10

Integrate Access Manager and Oracle Identity Manager

For information, see Integrating Access Manager with Oracle Identity Manager.

11

Configure the Webgate on the OHS server to point to the 11g OAM Server

For information, see Configuring Oracle HTTP Server.

12

Configure centralized logout for the IAMSuiteAgent.

For information, see "Configuring Centralized Logout for the IAMSuiteAgent" in Oracle Fusion Middleware Administrator's Guide for Oracle Access Management.

13

Remove the IDM Domain Agent and start the Oracle WebLogic Server Administration and Managed Servers.

For information, see Starting Servers with Domain Agent Removed.

14

Test the integration.

For information, see Testing the Integration.

15

Depending upon your environment, migrate the Domain Agent to OHS 10g Webgate

For information, see Migrating from the Domain Agent to 10g Webgate with OHS 11g.

16

Depending upon your environment, update the SOA server default composites.

For information, see Updating SOA Server Default Composite.


7.3 Integration Prerequisites

Prior to configuring Access Manager with Oracle Identity Manager, you must have installed all the required components, including any dependencies, and configure the environment in preparation of the integration tasks that follow. For more information about the integration topologies, see Section 1.2, "Integration Topologies".

Note:

Key installation and configuration information is provided in this section. However, not all component prerequisite, dependency, and installation instruction is duplicated here. Adapt information as required for your environment.

For complete installation information, follow the instructions in Oracle Fusion Middleware Installation Guide for Oracle Identity Management and Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

Table 7-2 lists the required components that must be installed and configured before the Access Manager and Oracle Identity Manager integration tasks are performed.

Table 7-2 Required Components for Integration Scenario

Component Information

Oracle database

For more information, Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

Oracle WebLogic Server 10.3.6

For more information, see Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

Oracle Fusion Middleware Installation Guide for Oracle WebLogic Server

Repository Creation Utility (RCU)

Oracle Fusion Middleware Repository Creation Utility (RCU) is available on the Oracle Technology Network (OTN) web site. For more information about using RCU, see Oracle Fusion Middleware Repository Creation Utility User's Guide.

Note: All required schema must be created before installing some of the Oracle Identity and Access Management components. For more information, see Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

Access Manager

For more information, see "Installing Oracle Identity and Access Management" and "Configuring Access Manager" in Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

Oracle HTTP Server

For more information, see "Installing and Configuring Oracle HTTP Server 11g Webgate for OAM" in Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

The OHS profile must be updated so the Oracle Identity Manager administration pages launch correctly after integration with Access Manager is completed. For more information, see Configuring Oracle HTTP Server.

Oracle Identity Manager

For more information, see "Installing and Configuring Oracle Identity and Access Management" and "Configuring Oracle Identity Manager" in Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

Note: When configuring Oracle Identity Manager, the LDAP directory must be preconfigured before you can use it as an Identity Store. Ensure that all installation instructions are followed, including any prerequisites for enabling LDAP synchronization. For more information, see:

in Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

Note: You must create the wlfullclient.jar when installing Oracle Identity Manager and this file must be present before performing the integration steps. Follow the installation instructions carefully.

Oracle Virtual Directory

For more information, see "Configuring Oracle Virtual Directory" in Oracle Fusion Middleware Installation Guide for Oracle Identity Management.

Before you can start using Oracle Virtual Directory with an Identity Store, you must create adapters for each of the directories you want to use. For each adapter, the oamEnabled parameter must be set to true for this integration scenario. For more information, see "Creating Adapters in Oracle Virtual Directory" in Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

Oracle Internet Directory

For more information, see "Configuring Oracle Internet Directory" in Oracle Fusion Middleware Installation Guide for Oracle Identity Management.

Oracle SOA Suite

For more information, see Oracle Fusion Middleware Installation Guide for Oracle SOA Suite and Oracle Business Process Management Suite


7.4 Configuring the Identity Store

The Identity Store must be configured so it can be used by Access Manager, Oracle Identity Manager, and Oracle WebLogic Server. It must be seeded with the required users and groups.

This section contains the following topics:

7.4.1 Extending Directory Schema for Access Manager

Use idmConfigTool to configure the Identity Store to extend the schema in Oracle Internet Directory. For more information about the idmConfigTool command, see Chapter 2, "Using the idmConfigTool Command".

  1. Set the environment variables required for idmconfigtool. For information, see Section 2.2, "Set Up Environment Variables".

  2. Create a properties file, for example, named extendOAMPropertyFile, with contents similar to the following.

    IDSTORE_HOST: idstore.mycompany.com
    IDSTORE_PORT: 389
    IDSTORE_BINDDN: cn=orcladmin
    IDSTORE_USERNAMEATTRIBUTE: cn
    IDSTORE_LOGINATTRIBUTE: uid
    IDSTORE_USERSEARCHBASE: cn=Users,dc=mycompany,dc=com
    IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=mycompany,dc=com
    IDSTORE_SEARCHBASE: dc=mycompany,dc=com
    IDSTORE_SYSTEMIDBASE: cn=systemids,dc=mycompany,dc=com
    

    Where:

    • IDSTORE_HOST and IDSTORE_PORT are the host and port, respectively, of your Identity Store directory. If your Identity Store is in Oracle Internet Directory, then IDSTORE_HOST should point to Oracle Internet Directory, even if you are fronting Oracle Internet Directory with Oracle Virtual Directory.

      If you are using a directory other than Oracle Internet Directory, specify the Oracle Virtual Directory host (which should be IDSTORE.mycompany.com.)

    • IDSTORE_BINDDN is an administrative user in the Identity Store directory.

    • IDSTORE_USERNAMEATTRIBUTE is used to set and search for users in the identity store.

    • IDSTORE_LOGINATTRIBUTE is the login attribute of the identity store which contains the user's login name.

    • IDSTORE_USERSEARCHBASE is the location in the directory where users are stored.

    • IDSTORE_GROUPSEARCHBASE is the location in the directory where groups are stored.

    • IDSTORE_SEARCHBASE is the location in the directory where users and groups are stored.

    • IDSTORE_SYSTEMIDBASE is the location of a container in the directory where users can be placed when you do not want them in the main user container. This happens rarely but one example is the Oracle Identity Manager reconciliation user which is also used for the bind DN user in Oracle Virtual Directory adapters.

  3. Configure the Identity Store by using idmConfigTool with the -preConfigIDStore command, which is located at:

    IAM_ORACLE_HOME/idmtools/bin
    

    The syntax of the command on Linux is:

    idmConfigTool.sh -preConfigIDStore input_file=configfile 
    

    The syntax on Windows is:

    idmConfigTool.bat -preConfigIDStore input_file=configfile 
    

    When the command runs, you are prompted to enter the password of the account used to connect to the Identity Store.

    Sample command output, when running the command against Oracle Virtual Directory:

    Enter ID Store Bind DN password:
    May 25, 2011 2:37:18 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/idm_idstore_groups_template.ldif
    May 25, 2011 2:37:18 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/idm_idstore_groups_acl_template.ldif
    May 25, 2011 2:37:18 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/systemid_pwdpolicy.ldif
    May 25, 2011 2:37:18 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/idstore_tuning.ldif
    May 25, 2011 2:37:18 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/oid_schema_extn.ldif
    May 25, 2011 2:37:19 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/oam/server/oim-intg/schema/OID_oblix_pwd_schema_add.ldif
    May 25, 2011 2:37:19 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/oam/server/oim-intg/schema/OID_oim_pwd_schema_add.ldif
    May 25, 2011 2:37:19 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/oam/server/oim-intg/schema/OID_oblix_schema_add.ldif
    May 25, 2011 2:37:34 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/oam/server/oim-intg/schema/OID_oblix_schema_index_add.ldif
    The tool has completed its operation. Details have been logged to automation.log
    
  4. Check the log file for any errors or warnings and correct them. The file with the name automation.log is created in the directory from where you run the tool.

    In addition to creating users, idmConfigTool creates the groups OrclPolicyAndCredentialWritePrivilegeGroup and OrclPolicyAndCredentialReadPrivilegeGroup.

7.4.2 Creating Users and Groups for Access Manager

Use idmConfigTool to seed the Identity Store with the users required by Access Manager as follows. For more information about the idmConfigTool command, see Chapter 2, "Using the idmConfigTool Command".

  1. Set the environment variables required for idmconfigtool.

  2. Create a properties file, for example, named preconfigOAMPropertyFile, with contents similar to the following. This file will be used to preconfigure the Identity Store.

    IDSTORE_HOST : idstore.mycompany.com
    IDSTORE_PORT : 389
    IDSTORE_BINDDN : cn=orcladmin
    IDSTORE_USERNAMEATTRIBUTE: cn
    IDSTORE_LOGINATTRIBUTE: uid
    IDSTORE_USERSEARCHBASE: cn=Users,dc=mycompany,dc=com
    IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=mycompany,dc=com
    IDSTORE_SEARCHBASE: dc=mycompany,dc=com
    IDSTORE_SYSTEMIDBASE: cn=systemids,dc=mycompany,dc=com
    POLICYSTORE_SHARES_IDSTORE: true
    OAM11G_IDSTORE_ROLE_SECURITY_ADMIN:OAMAdministrators
    IDSTORE_OAMSOFTWAREUSER:oamLDAP
    IDSTORE_OAMADMINUSER:oamadmin
    

    Where:

    • IDSTORE_HOST and IDSTORE_PORT are the host and port, respectively, of your Identity Store directory. If your Identity Store is in Oracle Internet Directory, then IDSTORE_HOST should point to Oracle Internet Directory, even if you are fronting Oracle Internet Directory with Oracle Virtual Directory.

      If you are using a directory other than Oracle Internet Directory, specify the Oracle Virtual Directory host.

    • IDSTORE_BINDDN is an administrative user in the Identity Store directory.

    • IDSTORE_USERNAMEATTRIBUTE is used to set and search for users in the identity store.

    • IDSTORE_LOGINATTRIBUTE is the login attribute of the identity store which contains the user's login name.

    • IDSTORE_USERSEARCHBASE is the location in the directory where users are stored.

    • IDSTORE_GROUPSEARCHBASE is the location in the directory where groups are stored.

    • IDSTORE_SEARCHBASE is the location in the directory where users and groups are stored.

    • POLICYSTORE_SHARES_IDSTORE is set to true if your Policy and Identity Stores are in the same directory. If not, it is set to false.

    • OAM11G_IDSTORE_ROLE_SECURITY_ADMIN is the name of the group which is used to allow access to the Oracle Access Management administration console.

    • IDSTORE_OAMSOFTWAREUSER is the name of the user you use to interact with the LDAP server.

    • IDSTORE_OAMADMINUSER is the name of the user you want to create as your Oracle Access Management Administrator.

  3. Configure the Identity Store by using idmConfigTool with the -prepareIDStore command, which is located at:

    IAM_ORACLE_HOME/idmtools/bin
    

    The syntax of the command on Linux is:

    idmConfigTool.sh -prepareIDStore mode=OAM input_file=configfile 
    

    The syntax on Windows is:

    idmConfigTool.bat -prepareIDStore mode=OAM input_file=configfile 
    

    When the command runs, you are prompted to enter the password of the account used to connect to the Identity Store.

    Sample command output:

    Enter ID Store Bind DN password:
    May 25, 2011 2:44:59 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/oam_schema_extn.ldif
    *** Creation of Oblix Anonymous User ***
    May 25, 2011 2:44:59 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/oam_10g_anonymous_user_template.ldif
    Enter User Password for oblixanonymous:
    Confirm User Password for oblixanonymous:
    *** Creation of oamadmin ***
    May 25, 2011 2:45:08 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/oam_user_template.ldif
    Enter User Password for oamadmin:
    Confirm User Password for oamadmin:
    *** Creation of oamLDAP ***
    May 25, 2011 2:45:16 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/oam_user_template.ldif
    Enter User Password for oamLDAP:
    Confirm User Password for oamLDAP:
    May 25, 2011 2:45:21 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/common/oam_user_group_read_acl_template.ldif
    May 25, 2011 2:45:21 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/oim_group_template.ldif
    May 25, 2011 2:45:21 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/oam_group_member_template.ldif
    May 25, 2011 2:45:21 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/oam_config_acl.ldif
    May 25, 2011 2:45:21 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/oid_schemaadmin.ldif
    The tool has completed its operation. Details have been logged to automation.log
    
  4. Check the log file for any errors or warnings and correct them. The automation.log file is created in the directory from where you run the tool.

7.4.3 Creating Users and Groups for Oracle Identity Manager

Use idmConfigTool to seed the Identity Store with the users required by Oracle Identity Manager as follows. For more information about the idmConfigTool command, see Chapter 2, "Using the idmConfigTool Command".

A system user is required for performing operations in Oracle Internet Directory on behalf of Oracle Identity Manager. Create this user in the system container and give it the permissions appropriate for controlling all the containers Oracle Identity Manager communicates with. Oracle Virtual Directory uses these credentials to connect to the backend directories.

  1. Set the environment variables required for idmconfigtool.

  2. Create a properties file, for example, named preconfigOIMPropertyFile, with contents similar to the following. The file will be used to preconfigure the Identity Store.

    IDSTORE_HOST: idstore.mycompany.com
    IDSTORE_PORT: 389
    IDSTORE_BINDDN: cn=orcladmin
    IDSTORE_USERNAMEATTRIBUTE: cn
    IDSTORE_LOGINATTRIBUTE: uid
    IDSTORE_USERSEARCHBASE: cn=Users,dc=mycompany,dc=com
    IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=mycompany,dc=com
    IDSTORE_SEARCHBASE: dc=mycompany,dc=com
    POLICYSTORE_SHARES_IDSTORE: true
    IDSTORE_SYSTEMIDBASE: cn=systemids,dc=mycompany,dc=com
    IDSTORE_OIMADMINUSER: oimLDAP
    IDSTORE_OIMADMINGROUP: OIMAdministrators
    

    Where:

    • IDSTORE_HOST and IDSTORE_PORT are, respectively, the host and port of your Identity Store directory. If your Identity Store is in Oracle Internet Directory, then IDSTORE_HOST should point to Oracle Internet Directory, even if you are fronting Oracle Internet Directory with Oracle Virtual Directory.

      If you are using a non-OID directory, then specify the Oracle Virtual Directory host (which should be IDSTORE.mycompany.com).

    • IDSTORE_BINDDN is an administrative user in the Identity Store directory.

    • IDSTORE_USERNAMEATTRIBUTE is used to set and search for users in the Identity Store.

    • IDSTORE_LOGINATTRIBUTE is the login attribute of the Identity Store which contains the user's login name.

    • IDSTORE_USERSEARCHBASE is the location in your Identity Store where users are placed.

    • IDSTORE_GROUPSEARCHBASE is the location in your Identity Store where groups are placed.

    • IDSTORE_SEARCHBASE is the location in the directory where users and groups are stored.

    • POLICYSTORE_SHARES_IDSTORE is set to true if your Policy and Identity Stores are in the same directory. If not, it is set to false.

    • IDSTORE_SYSTEMIDBASE is the location in your directory where the Oracle Identity Manager reconciliation user is placed.

    • IDSTORE_OIMADMINUSER is the user that Oracle Identity Manager uses to connect to the Identity Store.

    • IDSTORE_OIMADMINGROUP is the name of the group you want to create to hold your Oracle Identity Manager administrative users.

  3. Configure the Identity Store by using idmConfigTool with the -prepareIDStore command, which is located at:

    IAM_ORACLE_HOME/idmtools/bin
    

    The syntax of the command on Linux is:

    idmConfigTool.sh -prepareIDStore mode=OIM input_file=configfile 
    

    The syntax on Windows is:

    idmConfigTool.bat -prepareIDStore mode=OIM input_file=configfile 
    

    When the command runs, you are prompted to enter the password of the account used to connect to the Identity Store. You are also asked to create passwords for the following accounts:

    • IDSTORE_OIMADMINUSER

    • xelsysadm. It is recommended you set this to the same value as the account you create as part of the Oracle Identity Manager configuration.

    Sample command output:

    Enter ID Store Bind DN password: 
    *** Creation of oimLDAP ***
    Apr 5, 2011 4:58:51 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: 
     /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/oim_user_template.ldif
    Enter User Password for oimLDAP: 
    Confirm User Password for oimLDAP: 
    Apr 5, 2011 4:59:01 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: 
     /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/oim_group_template.ldif
    Apr 5, 2011 4:59:01 AM oracle.ldap.util.LDIFLoader loadOneLdifFileINFO: -> LOADING: 
     /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/oim_group_member_template.ldif
    Apr 5, 2011 4:59:01 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: 
     /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/oim_groups_acl_template.ldif
    Apr 5, 2011 4:59:01 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: 
     /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/oim_reserve_template.ldif
    *** Creation of Xel Sys Admin User ***
    Apr 5, 2011 4:59:01 AM oracle.ldap.util.LDIFLoader loadOneLdifFileINFO: -> LOADING: 
     /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/oam_user_template.ldif
    Enter User Password for xelsysadm: 
    Confirm User Password for xelsysadm: 
    The tool has completed its operation. Details have been logged to /home/oracle/idmtools/oim.log
    
  4. Check the log file for any errors or warnings and correct them. The automation.log file is created in the directory from where you run the tool.

7.4.4 Creating Users and Groups for Oracle WebLogic Server

To enable single sign-on for your administrative consoles, you must ensure that there is a user in your Identity Store that has the permissions to log in to your WebLogic Server administration console and Oracle Enterprise Manager Fusion Middleware Control. Use idmConfigTool to seed the Identity Store with the users required by WebLogic Server as follows. For more information about idmConfigTool command, see Chapter 2, "Using the idmConfigTool Command".

  1. Set the environment variables required for idmconfigtool.

  2. Create a properties file, for example, named preconfigWLSPropertyFile, with contents similar to the following. The file will be used to preconfigure the Identity Store.

    IDSTORE_HOST : idstore.mycompany.com
    IDSTORE_PORT : 389
    IDSTORE_BINDDN : cn=orcladmin
    IDSTORE_USERNAMEATTRIBUTE: cn
    IDSTORE_LOGINATTRIBUTE: uid
    IDSTORE_WLSADMINUSER: for example, weblogic_idm
    IDSTORE_WLSADMINGROUP: wlsadmingroup
    IDSTORE_USERSEARCHBASE: cn=Users,dc=mycompany,dc=com
    IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=mycompany,dc=com
    IDSTORE_SEARCHBASE: dc=mycompany,dc=com
    POLICYSTORE_SHARES_IDSTORE: true
    

    Where:

    • IDSTORE_HOST and IDSTORE_PORT are the host and port, respectively, of your Identity Store directory. If your Identity Store is in Oracle Internet Directory, then IDSTORE_HOST should point to Oracle Internet Directory, even if you are fronting Oracle Internet Directory with Oracle Virtual Directory.

      If you are using a directory other than Oracle Internet Directory, specify the Oracle Virtual Directory host (which should be IDSTORE.mycompany.com.)

    • IDSTORE_BINDDN is an administrative user in the Identity Store directory.

    • IDSTORE_USERNAMEATTRIBUTE is used to set and search for users in the Identity Store.

    • IDSTORE_LOGINATTRIBUTE is the login attribute of the Identity Store which contains the user's login name.

    • IDSTORE_WLSADMINUSER is the Identity store administrator for Oracle WebLogic Server.

    • IDSTORE_WLSADMINGROUP is the Identity Store administrator group for Oracle WebLogic Server.

    • IDSTORE_USERSEARCHBASE is the location in the directory where users are stored.

    • IDSTORE_GROUPSEARCHBASE is the location in the directory where groups are stored.

    • IDSTORE_SEARCHBASE is the location in the directory where users and groups are stored.

    • POLICYSTORE_SHARES_IDSTORE is set to true if your Policy and Identity Stores are in the same directory. If not, it is set to false.

  3. Configure the Identity Store by using idmConfigTool with -prepareIDStore command, which is located at:

    IAM_ORACLE_HOME/idmtools/bin
    

    The syntax of the command on Linux is:

    idmConfigTool.sh -prepareIDStore mode=WLS input_file=configfile 
    

    The syntax on Windows is:

    idmConfigTool.bat -prepareIDStore mode=WLS input_file=configfile 
    

    When the command runs, you are prompted to enter the password of the account used to connect to the Identity Store.

    Sample command output:

    Enter ID Store Bind DN password:
    May 25, 2011 2:44:59 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/oam_schema_extn.ldif
    *** Creation of Oblix Anonymous User ***
    May 25, 2011 2:44:59 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/oam_10g_anonymous_user_template.ldif
    Enter User Password for oblixanonymous:
    Confirm User Password for oblixanonymous:
    *** Creation of oamadmin ***
    May 25, 2011 2:45:08 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/oam_user_template.ldif
    Enter User Password for oamadmin:
    Confirm User Password for oamadmin:
    *** Creation of oamLDAP ***
    May 25, 2011 2:45:16 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/oam_user_template.ldif
    Enter User Password for oamLDAP:
    Confirm User Password for oamLDAP:
    May 25, 2011 2:45:21 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/common/oam_user_group_read_acl_template.ldif
    May 25, 2011 2:45:21 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/oim_group_template.ldif
    May 25, 2011 2:45:21 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/oam_group_member_template.ldif
    May 25, 2011 2:45:21 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/oam_config_acl.ldif
    May 25, 2011 2:45:21 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/oid_schemaadmin.ldif
    The tool has completed its operation. Details have been logged to automation.log
    
  4. Check the log file for any errors or warnings and correct them. The automation.log file is created in the directory from where you run the tool.

7.5 Configuring Access Manager for Integration

Before integrating Oracle Identity Manager with Access Manager 11g, you must extend Access Manager 11g to support Oracle Identity Manager. For more information about idmConfigTool command, see Chapter 2, "Using the idmConfigTool Command"

  1. Set the environment variables required for idmconfigtool.

  2. Update the domain agent password as follows:

    1. Log in to the Oracle Access Management administration console:

      http://oam_adminserver_host:port/oamconsole
      
    2. Navigate to the System Configuration tab, then Access Manager Settings, then SSO Agents.

      Double-click OAM Agents. A Webgate page displays.

      Click Search to list all Webgate agents.

      Double-click IAMSuiteAgent. Update the field Access Client Password with the desired password.

    3. Log in to the Oracle WebLogic Server administration console:

      http:oam_adminserver_host:port/console
      
    4. Navigate to Security Realms, then myrealm. Open the Providers tab and edit IAMSuiteAgent.

      Open the Provider Specific tab and update the agent password. Save the changes.

    5. Restart the OAM Server.

  3. Create a properties file, for example, named OAMconfigPropertyFile, with contents similar to the following:

    WLSHOST: adminvhn.mycompany.com
    WLSPORT: 7001
    WLSADMIN: weblogic
    WLSPASSWD: weblogic password
    ADMIN_SERVER_USER_PASSWORD: for example, welcome1
    IDSTORE_HOST: idstore.mycompany.com
    IDSTORE_PORT: 389
    IDSTORE_BINDDN: cn=orcladmin 
    IDSTORE_USERNAMEATTRIBUTE: cn
    IDSTORE_LOGINATTRIBUTE: uid
    IDSTORE_USERSEARCHBASE: cn=Users,mycompany,dc=com
    IDSTORE_SEARCHBASE: dc=mycompany,dc=com
    IDSTORE_SYSTEMIDBASE: cn=systemids,dc=mycompany,dc=com
    IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=mycompany,dc=com
    IDSTORE_OAMSOFTWAREUSER: oamLDAP
    IDSTORE_OAMADMINUSER: oamadmin
    IDSTORE_DIRECTORYTYPE: OVD
    POLICYSTORE_SHARES_IDSTORE: true
    PRIMARY_OAM_SERVERS: oamhost1.mycompany.com:5575,oamhost2.mycompany.com:5575
    WEBGATE_TYPE: ohsWebgate10g 
    ACCESS_GATE_ID: Webgate_IDM
    OAM11G_IDM_DOMAIN_OHS_HOST:sso.mycompany.com
    OAM11G_IDM_DOMAIN_OHS_PORT:443
    OAM11G_IDM_DOMAIN_OHS_PROTOCOL:https
    OAM11G_WG_DENY_ON_NOT_PROTECTED: false
    OAM11G_IMPERSONATION_FLAG: true (if used)
    OAM_TRANSFER_MODE: simple
    OAM11G_OAM_SERVER_TRANSFER_MODE:simple
    OAM11G_IDM_DOMAIN_LOGOUT_URLS: /console/jsp/common/logout.jsp,/em/targetauth/emaslogout.jsp,/oamsso/logout.html,/cgi-bin/logout.pl
    OAM11G_OIM_WEBGATE_PASSWD: webgate password
    OAM11G_SERVER_LOGIN_ATTRIBUTE: uid 
    COOKIE_DOMAIN: .mycompany.com
    OAM11G_IDSTORE_NAME: name of ID store
    OAM11G_IDSTORE_ROLE_SECURITY_ADMIN: OAMAdministrators
    OAM11G_SSO_ONLY_FLAG: false
    OAM11G_OIM_INTEGRATION_REQ: true
    OAM11G_SERVER_LBR_HOST:sso.mycompany.com
    OAM11G_SERVER_LBR_PORT:443
    OAM11G_SERVER_LBR_PROTOCOL:https
    COOKIE_EXPIRY_INTERVAL: 120
    OAM11G_OIM_OHS_URL:https://sso.mycompany.com:443/
    SPLIT_DOMAIN: true
    

    Where:

    • WLSHOST and WLSPORT are, respectively, the host and port of your administration server, this will be the virtual name.

    • WLSADMIN and WLSPASSWD are, respectively, the WebLogic Server administrative user and password you use to log in to the WebLogic Server administration console.

    • IDSTORE_HOST and IDSTORE _PORT are, respectively, the host and port of your Identity Store directory.

      Note:

      If using a directory server other than Oracle Internet Directory, specify the Oracle Virtual Directory host and port.

    • IDSTORE_BINDDN is an administrative user in Oracle Internet Directory.

      Note:

      If using a directory server other than Oracle Internet Directory, specify an Oracle Virtual Directory administrative user.

    • IDSTORE_USERNAMEATTRIBUTE is used to set and search for users in the Identity Store.

    • IDSTORE_LOGINATTRIBUTE is the login attribute of the Identity Store which contains the user's login name.

    • IDSTORE_USERSEARCHBASE is the container under which Access Manager searches for the users.

    • IDSTORE_SEARCHBASE is the location in the directory where users and groups are stored.

    • IDSTORE_GROUPSEARCHBASE is the location in the directory where groups are stored.

    • IDSTORE_OAMSOFTWAREUSER is the name of the user you use to interact with the LDAP server.

    • IDSTORE_OAMADMINUSER is the name of the user you use to access your Oracle Access Management administration console.

    • IDSTORE_DIRECTORYTYPE is the Identity Store directory type.

    • PRIMARY_OAM_SERVERS is a comma-separated list of your Access Manager servers and the proxy ports they use.

      Note:

      To determine the proxy ports your Access Manager servers:

      1. Log into the Oracle Access Management administration console at http://admin.mycompany.com:7001/oamconsole

      2. Click the System Configuration tab.

      3. Expand Server Instances under the Common Configuration section.

      4. Click on an Access Manager server, such as WLS_OAM1, and click Open.

      5. Proxy port is shown as Port.

    • WEBGATE_TYPE is the type of Webgate agent you want to create. Valid values are ohsWebgate10g.

    • ACCESS_GATE_ID is the name you want to assign to the Webgate. Do not change the property value shown above.

    • OAM11G_IDM_DOMAIN_OHS_HOST is the name of the load balancer which is in front of OHS.

    • OAM11G_IDM_DOMAIN_OHS_PORT is the port that the load balancer listens on.

    • OAM11G_IDM_DOMAIN_OHS_PROTOCOL is the protocol to use when directing requests at the load balancer.

    • OAM11G_WG_DENY_ON_NOT_PROTECTED is set to deny on protected flag for 10g Webgate. Valid values are true and false.

    • OAM11G_IMPERSONATION_FLAG is set to enable (true) or disable (false) impersonation in the OAM Server.

    • OAM_TRANSFER_MODE is the security model in which the access servers function.

    • OAM11G_OAM_SERVER_TRANSFER_MODE is the security model for the Access Manager servers.

    • OAM11G_IDM_DOMAIN_LOGOUT_URLS is set to the various logout URLs.

    • OAM11G_OIM_WEBGATE_PASSWD is the password you want to assign to the Webgate.

    • OAM11G_SERVER_LOGIN_ATTRIBUTE setting to uid ensures that when users log in their username is validated against the uid attribute in LDAP.

    • COOKIE_DOMAIN is the domain in which the Webgate functions.

    • OAM11G_IDSTORE_NAME is the name of the Identity Store. If you already have an Identity Store in place which is different from the default created by this tool, set this parameter to the name of that Identity Store.

    • OAM11G_IDSTORE_ROLE_SECURITY_ADMIN is the account to administer role security in identity store.

    • OAM11G_SSO_ONLY_FLAG configures Access Manager 11g as authentication only mode or normal mode, which supports authentication and authorization.

      If OAM11G_SSO_ONLY_FLAG is true, the Access Manager 11g server operates in authentication only mode, where all authorizations return true by default without any policy validations. In this mode, the server does not have the overhead of authorization handling. This is recommended for applications which do not depend on authorization policies and need only the authentication feature of the Access Manager server.

      If the value is false, the server runs in default mode, where each authentication is followed by one or more authorization requests to the Access Manager server. Webgate allows the access to the requested resources or not, based on the responses from the Access Manager server.

    • OAM11G_OIM_INTEGRATION_REQ specifies whether to integrate with Oracle Identity Manager or configure Access Manager in stand-alone mode. Set to true for integration.

    • OAM11G_SSO_ONLY_FLAG determines whether Access Manager is used in authentication-only mode.

    • OAM11G_SERVER_LBR_HOST is the name of the OAM Server fronting your site. This and the following two parameters are used to construct your login URL.

    • OAM11G_SERVER_LBR_PORT is the port that the load balancer is listening on.

    • OAM11G_SERVER_LBR_PROTOCOL is the URL prefix to use.

    • COOKIE_EXPIRY_INTERVAL is the cookie expiration period.

    • OAM11G_OIM_OHS_URL is the URL of the load balancer or OHS fronting the OIM server.

    • SPLIT_DOMAIN set to true is required to suppress the double authentication of Oracle Access Management administration console in a split domain scenario.

  4. Configure the Identity Store by using idmConfigTool with the -configOAM command, which is located at:

    IAM_ORACLE_HOME/idmtools/bin
    

    The syntax of the command on Linux is:

    idmConfigTool.sh -configOAM input_file=configfile 
    

    The syntax on Windows is:

    idmConfigTool.bat -configOAM input_file=configfile 
    

    When the command runs, you are prompted to enter the password of the account used to connect to the Identity Store. You are also asked to create passwords for the following accounts:

    • IDSTORE_PWD_OAMSOFTWAREUSER

    • IDSTORE_PWD_OAMADMINUSER

    Sample command output:

    Enter ID Store Bind DN password: 
    Enter User Password for IDSTORE_PWD_OAMSOFTWAREUSER: 
    Confirm User Password for IDSTORE_PWD_OAMSOFTWAREUSER: 
    Enter User Password for IDSTORE_PWD_OAMADMINUSER: 
    Confirm User Password for IDSTORE_PWD_OAMADMINUSER: 
    The tool has completed its operation. Details have been logged to automation.log
    
  5. Check the log file for any errors or warnings and correct them.

  6. Restart WebLogic Administration Server.

7.6 Integrating Access Manager with Oracle Identity Manager

Integrate Oracle Identity Manager with Access Manager as follows. For information about idmConfigTool command, see Chapter 2, "Using the idmConfigTool Command".

  1. Set the environment variables required for idmconfigtool.

  2. Create a properties file, for example, named OIMconfigPropertyFile, with contents similar to the following:

    LOGINURI: /${app.context}/adfAuthentication
    LOGOUTURI: /oamsso/logout.html
    AUTOLOGINURI: None
    ACCESS_SERVER_HOST: OAMHOST1.mycompany.com
    ACCESS_SERVER_PORT: 5575
    ACCESS_GATE_ID: Webgate_IDM
    COOKIE_DOMAIN: .mycompany.com
    COOKIE_EXPIRY_INTERVAL: 120
    OAM_TRANSFER_MODE: SIMPLE
    WEBGATE_TYPE: ohsWebgate10g
    OAM_SERVER_VERSION: 11g (use 10g if Oracle Access Manager 10g is used)
    OAM11G_WLS_ADMIN_HOST: OAM_DOMAIN_ADMIN_HOST (if cross domain is used)
    OAM11G_WLS_ADMIN_PORT: 17001 (if cross domain is used)
    OAM11G_WLS_ADMIN_USER: weblogic (if cross domain is used)
    SSO_ENABLED_FLAG: true
    IDSTORE_PORT: 389
    IDSTORE_HOST: idstore.mycompany.com
    IDSTORE_DIRECTORYTYPE: OVD 
    IDSTORE_ADMIN_USER: oamdmin. Note that the entry contains the complete LDAP DN of the user (the username alone in insufficient). For example, cn=oamLDAP,cn=Users,dc=mycompany,dc=com
    IDSTORE_LOGINATTRIBUTE: uid
    IDSTORE_USERSEARCHBASE: cn=Users,dc=mycompany,dc=com
    IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=mycompany,dc=com
    MDS_DB_URL: jdbc:oracle:thin:@DBHOST:PORT:SID
    MDS_DB_SCHEMA_USERNAME: idm_mds
    WLSHOST: adminvhn.mycompany.com
    WLSPORT: 7001
    WLSADMIN: weblogic
    DOMAIN_NAME: IDM_Domain
    OIM_MANAGED_SERVER_NAME: WLS_OIM1
    DOMAIN_LOCATION: ORACLE_BASE/admin/IDMDomain/aserver/IDMDomain
    

    Where:

    • The ACCESS_SERVER_PORT must be the Access Manager NAP port.

    • If your OAM Servers are configured to accept requests using the simple mode, set OAM_TRANSFER_MODE to SIMPLE. Otherwise set OAM_TRANSFER_MODE to OPEN.

    • Set WEBGATE_TYPE to ohsWebgate10g.

    • Set OAM_SERVER_VERSION to 10g if using a 10g Webgate.

    • For information about split domain integration topology, see Chapter 1, "Introduction".

    • Set IDSTORE_PORT to your Oracle Internet Directory port if you are using Oracle Internet Directory as your Identity Store. If not, set it to your Oracle Virtual Directory port.

    • Set IDSTORE_HOST to your Oracle Internet Directory host or load balancer name if you are using Oracle Internet Directory as your Identity Store. If not, set it to your Oracle Virtual Directory host or load balancer name.

    • Set IDSTORE_DIRECTORYTYPE to OVD if you are using Oracle Virtual Directory server to connect to either a non-OID directory or Oracle Internet Directory. Set it to OID if your Identity Store is in Oracle Internet Directory and you are accessing it directly rather than through Oracle Virtual Directory.

    • MDS_DB_URL in this case represents a single instance database. The string following the '@' symbol must have the correct values for your environment. SID must be the actual SID, not a service name. If you are using a single instance database, then set MDS_URL to: jdbc:oracle:thin:@DBHOST:1521:SID.

    • The value of IDSTORE_ADMIN_USER must contain the complete LDAP DN of the user. The entry should be similar to "cn=oamadmin,cn=Users,dc=us,dc=oracle,dc=com" instead of just "oamadmin".

  3. Configure the Identity Store by using idmConfigTool with the -configOIM command, which is located at:

    IAM_ORACLE_HOME/idmtools/bin
    

    The syntax of the command on Linux is:

    idmConfigTool.sh -configOIM input_file=configfile 
    

    The syntax on Windows is:

    idmConfigTool.bat -configOIM input_file=configfile 
    

    When the command executes you will be prompted for:

    • Access Gate Password

    • Single Sign-On (SSO) Keystore Password

    • Global Passphrase

    • Idstore Admin Password

    • MDS Database schema password

    • Admin Server User Password

    • Password to be used for Oracle Access Management administrative user

    Sample output:

    Enter sso access gate password: 
    Enter mds db schema password: 
    Enter idstore admin password: 
    Enter admin server user password: 
     
    ********* Seeding OAM Passwds in OIM *********
     
    Enter ssoKeystore.jks Password: 
    Enter SSO Global Passphrase: 
     
    Completed loading user inputs for - CSF Config
     
    Updating CSF with Access Gate Password...
     
    WLS ManagedService is not up running. Fall back to use system properties for configuration.
    Updating CSF ssoKeystore.jks Password...
     
    Updating CSF for SSO Global Passphrase Password...
     
     
    ********* ********* *********
     
     
    ********* Activating OAM Notifications *********
     
     
    Completed loading user inputs for - MDS DB Config
     
    Initialized MDS resources
     
    Apr 11, 2011 4:57:45 AM oracle.mds
    NOTIFICATION: transfer operation started.
    Apr 11, 2011 4:57:46 AM oracle.mds
    NOTIFICATION: transfer is completed. Total number of documents successfully processed: 1, total number of documents failed: 0.
    Upload to DB completed
     
     
    Releasing all resources
     
    Notifications activated.
     
     
    ********* ********* *********
     
     
    ********* Seeding OAM Config in OIM *********
     
    Completed loading user inputs for - OAM Access Config
     
    Validated input values
     
    Initialized MDS resources
     
    Apr 11, 2011 4:57:46 AM oracle.mds
    NOTIFICATION: transfer operation started.
    Apr 11, 2011 4:57:47 AM oracle.mds
    NOTIFICATION: transfer is completed. Total number of documents successfully processed: 1, total number of documents failed: 0.
    Download from DB completed
     
    Releasing all resources
     
    Updated /u01/app/oracle/product/fmw/iam/server/oamMetadata/db/oim-config.xml
     
    Initialized MDS resources
     
    Apr 11, 2011 4:57:47 AM oracle.mds
    NOTIFICATION: transfer operation started.
    Apr 11, 2011 4:57:47 AM oracle.mds
    NOTIFICATION: transfer is completed. Total number of documents successfully processed: 1, total number of documents failed: 0.
    Upload to DB completed
     
     
    Releasing all resources
     
    OAM configuration seeded. Please restart oim server.
     
     
    ********* ********* *********
     
     
    ********* Configuring Authenticators in OIM WLS *********
    Completed loading user inputs for - Dogwood Admin WLS
     
     
    Completed loading user inputs for - LDAP connection info
     
    Connecting to t3://adminvhn.mycompany.com:7001
     
    Connection to domain runtime mbean server established
     
    Starting edit session
     
    Edit session started
     
    Connected to security realm.
     
    Validating provider configuration
     
    Validated desired authentication providers
     Validated authentication provider state successfuly.Created OAMIDAsserter successfulyCreated OIDAuthenticator successfulyCreated OIMSignatureAuthenticator successfulySetting attributes for OID AuthenticatorAll attributes set. Configured in OID Authenticator nowlDAP details configured in OID authenticatorControl flags for authenticators set sucessfullyReordering of authenticators done sucessfullySaving the transactionTransaction savedActivating the changesChanges Activated. Edit session ended.Connection closed sucessfully********* ********* *********
    
  4. Check the log file for errors and correct them if necessary.

  5. Restart the Oracle Identity Manager managed server and the WebLogic Administration Server.

7.7 Configuring Oracle HTTP Server

The Oracle HTTP Server with 11g Webgate must be installed. For more information, see "Installing and Configuring Oracle HTTP Server 11g Webgate for OAM" in Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management. For information about installing with 10g Webgate, see "Managing 10g Webgates with Access Manager 11g" and "Configuring Apache, OHS, IHS for 10g Webgates" in Oracle Fusion Middleware Administrator's Guide for Oracle Access Management.

The Oracle HTTP Server (OHS) profile must be edited so the OHS server points to the OIM server that is being protected by Access Manager. Edit the OHS profile to include the following lines.

<Location /identity>
    SetHandler weblogic-handler
    WLCookieName oimjsessionid
    WebLogicHost <OIM managed server host>
WebLogicPort <OIM managed server host>
    WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
  </Location> 

<Location /sysadmin>
     SetHandler weblogic-handler
    WLCookieName oimjsessionid
    WebLogicHost <OIM managed server host>
    WebLogicPort <OIM managed server port>
    WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
</Location>

<Location /oam>
    SetHandler weblogic-handler
    WLCookieName jsessionid
    WebLogicHost <OAM managed server host>
    WebLogicPort <OAM managed server port>
    WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
 </Location>

<Location /admin>
SetHandler weblogic-handler
WebLogicHost <OIM managed server host>
WebLogicPort <OIM managed server host>
WLCookieName oimjsessionid
WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
</Location>
 
# oim self and advanced admin webapp consoles(canonic webapp)
 <Location /oim>
SetHandler weblogic-handler
WebLogicHost <OIM managed server host>
WebLogicPort <OIM managed server host>
WLCookieName oimjsessionid
WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
</Location>

# SOA Callback webservice for SOD - Provide the SOA Managed Server Ports
<Location /sodcheck>
SetHandler weblogic-handler
WebLogicHost <OIM managed server host>
WebLogicPort <OIM managed server host>
WLCookieName oimjsessionid
WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
</Location>
 
# Callback webservice for SOA. SOA calls this when a request is approved/rejected
# Provide the SOA Managed Server Port
<Location /workflowservice>
SetHandler weblogic-handler
WebLogicHost <OIM managed server host>
WebLogicPort <OIM managed server host>
WLCookieName oimjsessionid
WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
</Location>

# xlWebApp - Legacy 9.x webapp (struts based)
<Location /xlWebApp>
SetHandler weblogic-handler
WLCookieName oimjsessionid
WebLogicHost <OIM managed server host>
WebLogicPort <OIM managed server host>
WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
</Location>
 
# Nexaweb WebApp - used for workflow designer and DM
<Location /Nexaweb>
SetHandler weblogic-handler
WLCookieName oimjsessionid
WebLogicHost <OIM managed server host>
WebLogicPort <OIM managed server host>
WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
</Location>
 
# used for FA Callback service.
<Location /callbackResponseService>
SetHandler weblogic-handler
WLCookieName oimjsessionid
WebLogicHost <OIM managed server host>
WebLogicPort <OIM managed server host>
WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
</Location>
 
# spml xsd profile
<Location /spml-xsd>
SetHandler weblogic-handler
WLCookieName oimjsessionid
WebLogicHost <OIM managed server host>
WebLogicPort <OIM managed server host>
WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
</Location>
 
<Location /HTTPClnt>
SetHandler weblogic-handler
WLCookieName oimjsessionid
WebLogicHost <OIM managed server host>
WebLogicPort <OIM managed server host>
WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
</Location>

The OHS instance must be restarted afterward.

7.8 Configuring Centralized Logout

For information, see "Configuring Centralized Logout for the IAMSuiteAgent" in Oracle Fusion Middleware Administrator's Guide for Oracle Access Management.

7.9 Starting Servers with Domain Agent Removed

The IDMDomain Agent provides single sign-on capability for administration consoles. The Webgate handles single sign-on, so you must remove the IDMDomain Agent and restart the Oracle WebLogic Server Administration Server and all running Managed Servers.

  1. Log in to the WebLogic Server administration console using the URL: http://admin.mycompany.com/console.

  2. Select Security Realms from the Domain Structure menu.

  3. Click myrealm.

  4. Click the Providers tab.

  5. Click Lock and Edit from the Change Center.

  6. In the list of authentication providers, select IAMSuiteAgent.

  7. Click Delete.

  8. Click Yes to confirm the deletion.

  9. Click Activate Changes from the Change Center.

  10. Restart WebLogic Administration Server and all running Managed Servers.

    For information, see "Starting and Stopping Oracle WebLogic Server Instances" in Oracle Fusion Middleware Administrator's Guide

7.10 Additional Configuration Tasks

This section describes additional configuration that you may need to perform depending on your requirements.

This section contains the following topics:

7.10.1 Migrating from the Domain Agent to 10g Webgate with OHS 11g

Perform this task only if you want to use Oracle HTTP Server 10g Webgate for Access Manager after setting up integration between Oracle Identity Manager and Access Manager. Follow the instructions in "Migrating from Domain Agent to Oracle HTTP Server 10g Webgate for OAM" in Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

Next, complete the configuration by performing these actions:

7.10.1.1 Update Webgate Type and ID

Perform these steps to update the Webgate Type and Webgate ID using Oracle Enterprise Manager Fusion Middleware Control:

  1. Navigate to Identity and Access, then OIM, then oim(11.1.1.3.0).

  2. Right-click on oim (11.1.1.3.0) and select System Mbean Browser.

  3. Navigate to Application Defined Mbeans, then oracle.iam, then Server: oim_server1, then Application:oim, then XMLConfig, then Config, then XMLConfig.SSOConfig, then SSOConfig.

7.10.1.2 Set the Webgate Preferred Host

This step is required to redirect users to the Oracle Access Management login page for Oracle Identity Manager if they type in a URL of the form:

http://OHS_HOST:OHS_PORT/admin/faces/pages/Admin.jspx

Perform these steps to set the preferred Webgate host:

  1. Log in to the Oracle Access Management administration console, click System Configuration tab, and navigate to Access Manager Settings, then SSO Agents, then OAM Agent.

  2. Click the Search button. A list of Webgate IDs appears. Open the desired registration page.

  3. Update the Preferred Host field and set it to IAMSuiteAgent.

  4. Click Apply.

  5. Restart Oracle HTTP Server.

7.10.1.3 Create the Oracle Identity Manager SSO Keystore

Note:

This step is needed if WebGate is configured in simple mode.

Follow the instructions in "Creating Oracle Identity Manager SSO Keystore" in Oracle Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management.

7.10.2 Updating SOA Server Default Composite

In an integrated environment, Oracle Identity Manager is front ended by OHS. All SOA server default composites must be updated. Perform the following steps:

  1. Log in to Oracle Enterprise Manager Fusion Middleware Control Console.

  2. Navigate to SOA, then soa-infra (SOA server name), then default.

    Update the composite types applicable to your environment. For example: ApprovalTask, Human Workflow, DisconnectedProvisiong, etc.

    See Also:

    The Fusion Middleware Control online help and SOA Suite documentation

  3. For each default composite, perform the following:

    1. Click the composite name.

    2. From Component Metrics select the composite type. For example, click ApprovalTask.

    3. Select the Administration tab and update the fields as follows:

      Host Name: OHS host name

      HTTP Port: If SSL mode, leave blank. If non-SSL mode, enter OHS HTTP port.

      HTTPS Port: If SSL mode, enter OHS HTTS port. If non-SSL mode, leave blank.

    4. Click Apply.

Note:

If the values are not updated correctly, the composite page in Oracle Identity Manager will open as a blank page.

7.11 Validating the Integration

This section provides steps for validating the integrated environment. Performing the following sanity checks can help you avoid some common issues that could be encountered during runtime.

In this release, Oracle Identity Manager is integrated with Access Manager when the idmconfig command is run with the configOIM option. After the command is run, the following configuration settings and files are updated:

7.11.1 Validate OIM SSOConfig

To validate the SSOConfig settings in oim-config.xml:

  1. Log into Oracle Enterprise Manager Fusion Middleware Control.

  2. Select Weblogic Domain, then right-click the domain name.

  3. Open the System Mbean Browser and search for the ssoconfig Mbean.

    For more information, see "Getting Started Using the Fusion Middleware Control MBean Browsers" in Oracle Fusion Middleware Administrator's Guide.

  4. Verify the following attribute settings are correct after running idmconfig configOIM. Update any values as needed:

    • SsoEnabled attribute is set to true.

    • If using TAP communication, the TapEndpoinURL attribute is present.

    • If using NAP communication, the following attributes are present: AccessGateID, AccessServerHost, AccessServerPort, CookieDomain, CookieExpiryInterval, NapVersion, TransferMode, WebgateType.

    • If Version is set to 11g, verify the TapEndpointURL attribute is set to a valid URL. Validate the URL by accessing in a web browser.

    • If Version is set to 10g, verify the other attributes are configured correctly.

7.11.2 Validate Security Provider Configuration

To validate the security provider configuration:

  1. In WebLogic Server Administration Console, navigate to the OIM domain.

  2. Navigate to Security Realms, myrealm, then Providers tab.

  3. Confirm the Authentication Providers are configured as follows.

    Authentication Provider Control Flag

    OAM ID Asserter

    REQUIRED

    DefaultAuthenticator

    SUFFICIENT

    OIM Signature Authenticator

    SUFFICIENT

    OIM Authenticator

    OPTIONAL

    LDAP Authenticator

    SUFFICIENT


  4. Navigate to OIM Authenticator, Provider Specific. Verify that the SSOMode checkbox is selected.

  5. The LDAP Authenticator varies depending upon which LDAP provider is being used. Verify it is configured correctly by selecting Users and Groups tab, and confirming the LDAP users are listed in Users tab.

7.11.3 Validate OIM Domain Credential Store

All passwords and credentials used during communication between Oracle Identity Manager and Access Manager are stored in the domain credential store.

To validate the passwords and credentials used to communicate:

  1. Login to Oracle Enterprise Manager Fusion Middleware Control and select WebLogic Domain.

  2. Right-click the domain name. Navigate to Security, then Credentials.

  3. Expand the oim instance. Verify the following credentials:

    • SSOAccessKey: OPEN mode only

    • SSOKeystoreKey: SIMPLE mode only

    • SSOGobalPP: SIMPLE mode only

    • OIM_TAP_PARTNER_KEY

7.11.4 Validate Event Handlers for SSO

A set of event handlers is uploaded to the Oracle Identity Manager MDS in order to support session termination after a user status change. These event handlers notify Access Manager when a user status is changed, which then terminates the user session. They are uploaded to MDS as part of EventHanlders.xml file, located at /db/ssointg/EventHandlers.xml.

To confirm all event handlers are configured correctly, do the following:

  • Connect to the OIM MDS scheme and look for /db/ssointg/EventHandlers.xml in the MDS_PATHS table, PATH_FULLNAME column.

  • Export the EventHandlers.xml file. For more information, see 'Deploying and Undeploying Customizations" in Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.

7.11.5 Validate SSO Logout Configuration

Oracle Identity Manager logout is configured to use single logout after the integration is complete. After a user logs out from Oracle Identity Manager, they are logged out from all the Access Manager protected applications as well.

The following example is of the single logout configuration in OIM_DOMAIN_HOME/config/fmwconfig/jps-config.xml file:

<propertySet name="props.auth.uri.0">
            <property name="logout.url" value="/oamsso/logout.html"/>
            <property name="autologin.url" value="None"/>
            <property name="login.url.BASIC" value="/${app.context}/adfAuthentication"/>
            <property name="login.url.FORM" value="/${app.context}/adfAuthentication"/>
            <property name="login.url.ANONYMOUS" value="/${app.context}/adfAuthentication"/>
        </propertySet>

7.12 Testing the Integration

The final task is to verify the integration by performing, in order, the steps shown in Table 7-3.

Table 7-3 Verifying Access Manager-Oracle Identity Manager Integration

Step Description Expected Result

1

Access the Oracle Access Management administration console using the URL:

http://admin_server_host:admin_server_port/oamconsole

Provides access to the administration console.

2

Access the Oracle Identity Manager administration page with the URL:

  • For Oracle Identity Self Service:

    http://hostname:port/identity/faces/home
    
  • For Oracle Identity System Administration:

    http://hostname:port/sysadmin/faces/home
    

where hostname:port can be for either OIM or OHS, depending on whether a Domain Agent or Webgate is used.

The Oracle Access Management login page should appear.

Verify the links for "Forgot Password", "Self Register" and "Track Registration" features appear in the login page. For more information about these features, see Section 1.5.3, "Password Management Scenarios".

3

Log in as an Oracle Identity Manager administrator.

The Oracle Identity Manager Admin Page should be accessible.

4

Create a new user using Oracle Identity Self Service.

Close the browser and try accessing the OIM Identity Page. When prompted for login, provide valid credentials for the newly-created user.

You should be redirected to Oracle Identity Manager and be required to reset the password.

After resetting the password and setting the challenge question, user should be automatically logged into the application. Auto-login should work.

5

Close the browser and access Oracle Identity Self Service.

The Oracle Access Management login page from the Access Manager managed server should display.

Verify the links for "Forgot Password", "Self Register" and "Track Registration" features appear in the login page. Verify that each link works. For more information about these features, see Section 1.5.3, "Password Management Scenarios".

6

Verify the lock/disable feature works by opening a browser and logging in as a test user.

In another browser session, log in as a test user, then lock the test user account. Click the Logout link on the OIM console.

The user must be logged out and redirected back to the login page.

7

Verify the SSO logout feature works by logging into Oracle Identity Self Service as test user or system administrator.

Upon logout from the page, you are redirected to the SSO logout page.


7.13 Troubleshooting Common Problems

This section describes common problems you might encounter in an Oracle Identity Manager and Access Manager integrated environment and explains how to solve them. It is organized by common problem types and contains the following topics:

In addition to this section, review the Oracle Fusion Middleware Error Messages Reference for information about the error messages you may encounter.

For information about additional troubleshooting resources, see Section 1.7, "Using My Oracle Support for Additional Troubleshooting Information."

7.13.1 Single Sign-On Issues

This section describes common problems and solutions relating to single sign-on in the integrated environment. Using single sign-on, a user can access Oracle Identity Manager resources after being successfully authenticated by Access Manager. When accessing any Oracle Identity Manager resource protected by Access Manager, the user is challenged for their credentials by Access Manager using the Oracle Access Management Console login page.

This section discusses the following single sign-on issues:

7.13.1.1 Checking HTTP Headers

Checking the HTTP headers may provide diagnostic information about login issues.You can collect information from the HTTP headers for troubleshooting issues. This can be done by enabling HTTP tracing in the web browser, logging into Access Manager as a new user, and examining the headers for useful information.

7.13.1.2 User is Re-Directed to Wrong Login Page

After accessing an Oracle Identity Manager resource using OHS (for example, http://OHS_HOST:OHS_PORT/identity), the user is re-directed to the Oracle Identity Manager login page instead of the Oracle Access Management Console login page.

Cause

The Access Manager Webgate is not deployed or configured properly.

Solution

Confirm the httpd.conf file contains the following entry at the end:

include  "<ORACLE_WEBTIER_INST_HOME>/config/OHS/ohs1/webgate.conf"

where webgate.conf contains the 11g Webgate configuration.

If this entry is not found, review the 11g Webgate configuration steps to verify none were missed. For more information, see Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management and Oracle Fusion Middleware Administrator's Guide for Oracle Access Management.

7.13.1.3 Login Fails

User login fails with the following error:

An incorrect Username or Password was specified.

Cause

Access Manager is responsible for user authentication but authentication has failed. The identity store configuration may be wrong.

Solution

Check the identity store is configured correctly in the Oracle Access Management Console.

To resolve this problem:

  1. Login to Oracle Access Management Console.

  2. Navigate to System Configuration, Data Sources, OIMIDStore.

  3. Verify the Default Store and System Store configuration.

  4. Click Test Connection to verify the connection.

7.13.1.4 Oracle Access Management Console Login Page Does Not Display

User is not directed to the Oracle Access Management Console to login and the following error message displays:

Oracle Access Manager Operation Error.

Cause 1

The OAM Server is not running.

Solution 1

Restart the OAM Server.

Cause 2

The Webgate is not correctly deployed on OHS and is not configured correctly for the 10g or 11g Agent located on the OAM Server.

An error message displays, for example: The AccessGate is unable to contact any Access Servers.

The issue may be with the SSO Agent.

Solution 2

To resolve this problem:

  1. Run oamtest.jar (ORACLE_HOME/oam/server/tester) and test the connection by specifying AgentID.

    The AgentID can be found in ObAccessClient.xml, located in the webgate/config directory in the WEBSERVER_HOME. For example:

    <SimpleList>
     
            <NameValPair
     
                ParamName="id"
     
                Value="IAMAG_11g"></NameValPair>
     
        </SimpleList>
    

    If the Tester fails to connect, this confirms a problem exists with the SSO Agent configuration (password/host/port) on the OAM Server.

  2. Re-create the 10g or 11g SSO Agent and then re-configure Webgate to use this Agent.

    Follow the instructions in Oracle Fusion Middleware Administrator's Guide for Oracle Access Management.

7.13.1.5 Authenticated User is Re-Directed to Oracle Identity Manager Login Page

User authenticated using the Oracle Access Management Console but is re-directed to the Oracle Identity Manager login page to enter credentials.

Cause 1

The security providers for the OIM domain are not configured correctly in Oracle WebLogic Server.

Solution 1

Verify the Weblogic security providers are configured correctly for the OIM domain security realm. Check the LDAP Authenticator setting. For more information, see Section 7.11.2.

Cause 2

OAMIDAsserter is not configured correctly in Oracle WebLogic Server.

Solution 2

To resolve this problem:

  1. Log into Oracle WebLogic Server Administration Console.

  2. Navigate to Common tab and verify Active Types contains the correct header for Webgate type:

    • OAM_REMOTE_USER, for an 11g Webgate.

    • ObSSOCookie, for a 10g Webgate.

7.13.1.6 User is Re-Directed to Oracle Identity Manager Login Page

Access Manager relies upon Oracle Identity Manager for password management. If the user logs in for the first time or if the user password is expired, Access Manager re-directs the user to the Oracle Identity Manager First Login page.

From the Access Manager login screen, user should be able to navigate to the Oracle Identity Manager Forgot Password flow, the Self-Registration or Track Registration flows.

Cause

If there is any deviation or error thrown when performing these flows, the configuration in oam-config.xml (OAM_DOMAIN_HOME/config/fmwconfig) is incorrect.

Solution

Verify the contents of oam-config.xml resembles the following example. Specifically, that HOST and PORT corresponds to the OHS (or any supported web server) configured to front-end Oracle Identity Manager resources.

Setting Name="IdentityManagement" Type="htf:map">
 
             <Setting Name="IdentityServiceConfiguration" Type="htf:map">
 
               <Setting Name="IdentityServiceProvider" Type="xsd:string">oracle.security.am.engines.idm.provider.OracleIdentityServiceProvider</Setting>
 
               <Setting Name="AnonymousAuthLevel" Type="xsd:integer">0</Setting>
 
                <Setting Name="IdentityServiceEnabled" Type="xsd:boolean">true</Setting>
 
               <Setting Name="IdentityServiceProviderConfiguration" Type="htf:map">
 
                 <Setting Name="AccountLockedURL" Type="xsd:string">/identity/faces/accountlocked</Setting>
 
                 <Setting Name="ChallengeSetupNotDoneURL" Type="xsd:string">/identity/faces/firstlogin</Setting>
 
                 <Setting Name="DateFormatPattern" Type="xsd:string">yyyy-MM-dd'T'HH:mm:ss'Z'</Setting>
 
                 <Setting Name="ForcedPasswordChangeURL" Type="xsd:string">/identity/faces/firstlogin</Setting>
 
                  <Setting Name="IdentityManagementServer" Type="xsd:string">OIM-SERVER-1</Setting>
 
                 <Setting Name="PasswordExpiredURL" Type="xsd:string">/identity/faces/firstlogin</Setting>
 
                 <Setting Name="LockoutAttempts" Type="xsd:integer">5</Setting>
 
                 <Setting Name="LockoutDurationSeconds" Type="xsd:long">31536000</Setting>
 
               </Setting>
 
             </Setting>
 
             <Setting Name="RegistrationServiceConfiguration" Type="htf:map">
 
               <Setting Name="RegistrationServiceProvider" Type="xsd:string">oracle.security.am.engines.idm.provider.DefaultRegistrationServiceProvider</Setting>
 
                <Setting Name="RegistrationServiceEnabled" Type="xsd:boolean">true</Setting>
 
               <Setting Name="RegistrationServiceProviderConfiguration" Type="htf:map">
 
                 <Setting Name="ForgotPasswordURL" Type="xsd:string">/identity/faces/forgotpassword</Setting>
 
                 <Setting Name="NewUserRegistrationURL" Type="xsd:string">/identity/faces/register</Setting>
 
                 <Setting Name="RegistrationManagementServer" Type="xsd:string">OIM-SERVER-1</Setting>
 
                 <Setting Name="TrackUserRegistrationURL" Type="xsd:string">/identity/faces/trackregistration</Setting>
 
               </Setting>
 
             </Setting>
 
             <Setting Name="ServerConfiguration" Type="htf:map">
 
               <Setting Name="OIM-SERVER-1" Type="htf:map">
 
                 <Setting Name="Host" Type="xsd:string">myhost1.mycompany.com</Setting>
 
                  <Setting Name="Port" Type="xsd:integer">7777</Setting>
 
                 <Setting Name="SecureMode" Type="xsd:boolean">false</Setting>
 
</Setting>
 
             </Setting>
 
           </Setting>

7.13.1.7 New User is Not Re-Directed to Change Password

A new user created in Oracle Identity Manager logs into Oracle Identity Manager for the first time and is not re-directed to the First Login Page and prompted to change their password.

Cause

The Oracle Virtual Directory adapters are not configured correctly.

Solution

Locate the corresponding adapters.or_xml file and verify that the oamEnabled attribute is set to true for both the UserManagement and changelog adapters. For example:

<param name="oamEnabled" value="true"/>

Next, verify that IdentityServiceEnabled is set to true in oam-config.xml (see Section 7.13.1.5). For example:

<Setting Name="IdentityServiceEnabled" Type="xsd:boolean">true</Setting>

7.13.1.8 User is Re-Directed in a Loop

A new user attempts to access Oracle Identity Manager Self-Service and after successful authentication, the user is re-directed in a loop. The service page does not load and the browser continues spinning or refreshing.

Cause

OHS configuration setting for WLCookieName for front-ending identity is incorrect.

Solution

Check the OHS configuration for front-ending identity and verify that WLCookieName directive is set to oimjsessionid. If not, set this directive as oimjsessionid for each Oracle Identity Manager resource Location entry. For example:

<Location /identity>
 
  SetHandler weblogic-handler
 
  WLCookieName oimjsessionid
 
  WebLogicHost myhost1.mycompany.com
 
  WebLogicPort 8003
 
  WLLogFile "$
Unknown macro: {ORACLE_INSTANCE}
/diagnostics/logs/mod_wl/oim_component.log"
 
  </Location>

7.13.2 Auto-Login Issues

The auto-login feature enables user login to Oracle Identity Manager after the successful completion of the Forgot Password or Forced Change Password flows, without prompting the user to authenticate using the new password.

Communication between Oracle Identity Manager and Access Manager can be configured to use NAP or TAP channels. Debugging auto-login issues is simplified if you determine which channel is being used. Determine the channel by examining the Oracle Identity Manager SSOConfig Mbean (version attribute) using the System MBean Browser in Oracle Enterprise Manager Fusion Middleware Control. For more information, see "Using the System MBean Browser" in Oracle Fusion Middleware Administrator's Guide.

Depending upon the Access Manager version being used, the following applies:

  • If the version is 10g, the NAP channel is used during auto-login. See Section 7.13.2.1, "TAP Protocol Issues".

    After a password is reset in Oracle Identity Manager and in LDAP through LDAP-sync, Oracle Identity Manager will auto-login the user by re-directing to the requested resource.

  • If the version is 11g, the TAP channel is used during auto-login. See Section 7.13.2.2, "NAP Protocol Issues",

    After a password is reset in Oracle Identity Manager and in LDAP through LDAP sync, Oracle Identity Manager re-directs the user to the Access Manager TAP endpoint URL (SSOConfig: TAPEndpointUrl). Access Manager will auto-login the user by re-directing to the requested resource.

Note:

In an 11gR2 Oracle Identity Manager and Access Manager integrated environment, the TAP protocol is configured for auto-login by default.

7.13.2.1 TAP Protocol Issues

Check the OIM Server and OAM Server logs for any of the following error messages.

7.13.2.1.1 404 Not Found Error

After re-setting the password, user is re-directed to a 404 Not Found error page.

Cause

The Access Manager TAP endpoint URL (SSOConfig: TAPEndpointUrl) is configured incorrectly.

Solution

Verify that TAPEndpointUrl is correctly configured in Oracle Identity Manager SSOConfig and is accessible. For example:

http://OAM_HOST:OAM_PORT/oam/server/dap/cred_submit

Or

http://OHS_HOST:OHS_PORT/oam/server/dap/cred_submit

where Access Manager is front-ended by OHS.

7.13.2.1.2 System Error

After re-setting the password, user is re-directed to Access Manager TapEndpointUrl (configured in Oracle Identity Manager SSOConfig), and the following error displays in the UI:

System error. Please re-try your action. If you continue to get this error, please contact the Administrator.

Cause 1

A message similar to the following displays in the OAM Server logs:

Sep 19, 2012 4:29:45 PM EST> <Warning> <oracle.oam.engine.authn>
 
<BEA-000000> <DAP Token not received>
 
<Sep 19, 2012 4:29:45 PM EST> <Error> <oracle.oam.binding> <OAM-00002>
 
<Error occurred while handling the request.
 
java.lang.NullPointerException
 
at
 
oracle.security.am.engines.enginecontroller.token.DAPTokenEncIssuerImpl.issue(DAPTokenEncIssuerImpl.java:87)

Solution 1

This error could be due to mis-configuration in TAPResponseOnlyScheme in Access Manager. Verify oam-config.xml (located at OAM_DOMAIN_HOME/config/fmwconfig) contains the following entry:

<Setting Name="DAPModules" Type="htf:map">
 
     <Setting Name="7DASE52D" Type="htf:map">
 
         <Setting Name="MAPPERCLASS" Type="xsd:string">oracle.security.am.engine.authn.internal.executor.DAPAttributeMapper</Setting>
 
          <Setting Name="MatchLDAPAttribute" Type="xsd:string">uid</Setting>
 
          <Setting Name="name" Type="xsd:string">DAP</Setting>
 
     </Setting>
 
</Setting>

The value of MatchLDAPAttribute should be uid. If not, change the value.

To resolve the problem:

  1. Login to Oracle Access Management Console.

  2. Navigate to TapResponseOnlyScheme. Add the following as Challenge parameter:

    MatchLDAPAttribute=uid
    
  3. Save the changes.

Cause 2

The following error displays in the OAM Server logs:

javax.crypto.BadPaddingException: Given final block not properly padded

This may occur if OIM_TAP_PARTNER_KEY is not include in the OIM credential map in the credential store, or if an invalid key is present.

Solution 2

Re-register Oracle Identity Manager as a TAP partner with Access Manager by re-running the idmConfigTool -configOIM option. After the -configOIM option is run, you must restart the complete OIM domain.

Cause 3

After re-setting the password, if auto-login is not successful, the OIM server logs contain the following error:

Error occured while retrieving TAP partner key from Credential store

Solution 3

To resolve the problem:

  1. Using Fusion Middleware Control, verify the OIM_TAP_PARTNER_KEY generic credential is present in the OIM credential map in the credential store.

  2. If OIM_TAP_PARTNER_KEY is present, verify that LDAP sync is configured correctly, and that the password is reset in LDAP provider. Check this by issuing an ldapbind command with the user and the new/reset password.

Cause 4

After re-setting the password, if auto-login is not successful, the OIM server logs have the following error:

Error occured while retrieving DAP token from OAM due to invalid TAP partner key

The OIM_TAP_PARTNER_KEY present in the OIM credential map of credential store is not valid.

Solution 4

Re-register Oracle Identity Manager as a TAP partner with Access Manager by re-running idmConfigTool -configOIM option. After the -configOIM option is run, you must restart the complete OIM domain.

7.13.2.2 NAP Protocol Issues

Check the OIM Server logs for any of the following types of error messages.

Cause 1

The resource URL is not protected.

Solution 1

Verify that the correct host:port combination is configured in the Access Manager host identifier configuration.

To resolve this problem:

  1. Login to Oracle Access Management Console.

  2. Navigate to the IAMSuiteAgent.

  3. Check the host identifiers for host:port combination in the identifier. For example: IAMSuiteAgent:/oim

  4. For the correct host:port combination, check the OIM logs for "Setting web resource url ". This statement will be above "Resource not protected URL" statement.

    In general, Host Identifier should have a combination of OHS (webserver) host:port which is front-ending Oracle Identity Manager.

Cause 2

aaaClient is not initialized.

Solution 2

Verify that the passwords seeded into OIM domain credential store are correct. For OPEN mode, check for the Webgate password. For SIMPLE mode, check that SSO keystore password and SSO global pass phrase are seeded in correctly. For more information, see Section 7.11.3.

Cause 3

Failed to communicate with any of configured OAM Server. Verify that it is up and running.

Solution 3

Verify that the passwords seeded into OIM domain credential store are correct. For OPEN mode, check for the Webgate password. For SIMPLE mode, check that SSO keystore password and SSO global pass phrase also are seeded in correctly. For more information, see Section 7.11.3.

Cause 4

SSOKeystore tampered or password is incorrect.

Solution 4

Check that the keystore file ssoKeystore.jks is present in OIM_DOMAIN_HOME/config/fmwconfig. If present, then check if the keystore password is seeded properly into OIM domain credential store. For more information, see Section 7.11.3.

Cause 5

Oracle Identity Manager logs do not have any information about the failure.

Solution 5

To resolve this problem:

  1. Enable HTTP headers and capture the headers while running through the First Login, Forgot Password flows. See Section 7.13.1.1.

  2. In the HTTP headers, look for Set-Cookie: ObSSOCookie after the POST method on the First Login, Forgot Password page. Check the domain of the cookie. It should match with the domain for the protected resource URL.

    • If cookie domain is different, update the CookieDomain in the Oracle Identity Manager SSO configuration using Fusion Middleware Control. See Section 7.11.1.

    • If cookie domain is correct, then check for any time differences on the machines which host the OIM and OAM Servers.

7.13.3 Session Termination Issues

The session termination feature enables the termination of all active user sessions after the user status is modified by an Oracle Identity Manager administrator. The following Oracle Identity Manager operations lead to session termination: user lock or unlock, enable or disable, modify or delete.

Session termination is triggered by Oracle Identity Manager invoking the Access Manager NAP APIs to terminate the session. Communication is over the NAP channel.

To troubleshoot session termination issues:

  1. Verify the NAP-related configuration is stored in Oracle Identity Manager SSOConfig. See Section 7.11.1.

  2. Verify /db/sssointg/EvenHandlers.xml is in Oracle Identity Manager MDS. See Section 7.11.4.

  3. Verify that AccessGateID attribute in Oracle Identity Manager SSOConfig points to a 10g SSO Agent hosted by OAM Server.

  4. If SSOConfig points to an 11g Agent ID:

    1. Create a new 10g SSO Agent.

    2. Set its ID in AccessGateID attribute.

    3. Update the agent password (SSOAccessKey) in the OIM domain credential store.

    4. If the communication mode is SIMPLE, a new keystore file (ssoKeystore.jks) must be created using the agent's aaa_cert.pem and aaa_key.pem, and copied to OIM_DOMAIN_HOME/config/fmwconfig directory.

    5. In SIMPLE mode, update the SSO keystore key (SSOKeystoreKey) and the SSO global pass phrase (SSOGobalPP) in the OIM domain credential store.

    For information about creating a new 10g SSO Agent or ssoKeyStore.jks, see Oracle Fusion Middleware Administrator's Guide for Oracle Access Management.

7.13.4 Account Self-Locking Issues

If the user account is self-locked due to multiple invalid login attempts, the user can unlock it by logging in later with the correct password and then re-setting the password in Oracle Identity Manager.

If the user reset password operation fails:

  1. Check if the user is locked in Oracle Identity Manager:

    1. Login to Identity Self service application as Oracle Identity Manager administrator.

    2. Navigate to Users section, then search for the user.

    3. Check if the Identity status is locked.

  2. If the status is not locked, run an LDAP User Create and Update Reconciliation scheduled job, and then confirm that the user status is locked.

7.13.5 Miscellaneous Issues

This provides solutions for the following miscellaneous issues:

7.13.5.1 Client Based Login to Oracle Identity Manager Fails

For successful client-based login to Oracle Identity Manager:

  • The client-based login user must be present in the LDAP provider.

  • An LDAP Authenticator must be configured in the OIM domain security realm corresponding to the LDAP provider where the user is present. See Section 7.11.2.

7.13.5.2 Logout Throws 404 Error

If logging out of an Oracle Identity Manager protected application throws a 404 error, verify that the logout configuration is present in jps-config.xml. See Section 7.11.5.

If needed, the JPS configuration can be fixed by editing the jps-configuration file located in $DOMAIN_HOME/config/fmwconfig and then restarting all the servers.

To resolve a misconfiguration in jps-config.xml:

  1. In a terminal window issue the following commands: cd $DW_ORACLE_HOME/common/bin

  2. ./wlst.sh

  3. connect()

  4. addOAMSSOProvider(loginuri="/${app.context}/adfAuthentication", logouturi="/oamsso/logout.html", autologinuri="/obrar.cgi")

  5. exit

  6. Restart all servers in the domain