Oracle® Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management (Oracle Fusion Applications Edition)
11g Release 1 (11.1.4)

Part Number E21032-11

18 Integrating Oracle Identity Management Components for an Enterprise Deployment

This chapter describes how to integrate Oracle Identity Management components for an enterprise deployment.

18.1 Overview of Integrating Oracle Identity Management Components

Now that you have finished setting up the Identity Management environment, you must perform some final tasks to ensure that the components work together.

You must also ensure that the environment is ready for Fusion Applications provisioning.

18.2 Integrating Oracle Identity Manager and Oracle Access Manager 11g

This section describes how to integrate Oracle Identity Manager and Oracle Access Manager 11g.

18.2.1 Prerequisites

  1. Ensure that Oracle Identity Manager 11g has been installed and configured as described in Chapter 15, "Configuring Oracle Identity Manager."

  2. Ensure that the Oracle Access Manager 11g has been installed and configured as described in Chapter 14, "Configuring Oracle Access Manager 11g."

  3. Ensure that OHS has been installed and configured as described in Chapter 6, "Installing Oracle HTTP Server."

18.2.2 Copying OAM Keystore Files to OIMHOST1 and OIMHOST2

If you are using Oracle Access Manager with the Simple Security Transport model, you must copy the OAM keystore files that were generated in Section 14.11, "Creating Oracle Access Manager Key Store" to OIMHOST1 and OIMHOST2. Copy the keystore files ssoKeystore.jks and oamclient-truststore.jks to the directory MSERVER_HOME/domain_name/config/fmwconfig on OIMHOST1 and OIMHOST2.

18.2.3 About the Split Oracle Identity Manager Domain

The examples in this chapter show Oracle Identity Manager being integrated with the other components in the domain IDMDomain, which has been extended to include Oracle Identity Manager. If you are building a split domain topology, substitute OIMDomain wherever you see a reference to IDMDomain and OIMADMINVHN wherever you see ADMINVHN.

18.2.4 Updating Existing LDAP Users with Required Object Classes

You must update existing LDAP users with the object classes OblixPersonPwdPolicy, OIMPersonPwdPolicy, and OblixOrgPerson.

Note:

This is not required in the case of a fresh setup where you do not have any existing users.

On IDMHOST1, create a properties file for the integration called user.props, with the following contents:

IDSTORE_HOST: idstore.mycompany.com
IDSTORE_PORT: 389
IDSTORE_ADMIN_USER: cn=orcladmin
IDSTORE_DIRECTORYTYPE: OVD
IDSTORE_USERSEARCHBASE: cn=Users,dc=mycompany,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=mycompany,dc=com
PASSWORD_EXPIRY_PERIOD: 7300
IDSTORE_LOGINATTRIBUTE: uid

Set the environment variables: MW_HOME, JAVA_HOME, IDM_HOME and ORACLE_HOME.

Set IDM_HOME to IDM_ORACLE_HOME.

Set ORACLE_HOME to IAM_ORACLE_HOME.

Upgrade the existing LDAP users using the idmConfigTool command, which is located at IAM_ORACLE_HOME/idmtools/bin.

Note:

When you run the idmConfigTool, it creates or appends to the file idmDomainConfig.param. This file is generated in the same directory that the idmConfigTool is run from. To ensure that each time the tool is run, the same file is appended to, always run the idmConfigTool from the directory:

IAM_ORACLE_HOME/idmtools/bin

The syntax of the command is:

idmConfigTool.sh -upgradeLDAPUsersForSSO input_file=configfile

on Linux and

idmConfigTool.bat -upgradeLDAPUsersForSSO input_file=configfile

on Windows.

For example:

idmConfigTool.sh -upgradeLDAPUsersForSSO input_file=user.props

When prompted, enter the password of the user you are using to connect to your Identity Store.

Sample output:

Enter LDAP admin user password:
 
 
********* Upgrading LDAP Users With OAM ObjectClasses *********

Completed loading user inputs for - LDAP connection info
 
Completed loading user inputs for - LDAP Upgrade
 
Upgrading ldap users at - cn=Users,dc=us,dc=oracle,dc=com
 
Parsing - cn=readOnlyUser,cn=Users,dc=us,dc=oracle,dc=com
 
objectclass OIMPersonPwdPolicy not present in cn=readOnlyUser,cn=Users,dc=us,dc=oracle,dc=com. Seeding it
 
objectclass OblixOrgPerson not present in cn=readOnlyUser,cn=Users,dc=us,dc=oracle,dc=com. Seeding it
 
objectclass OblixPersonPwdPolicy not present in cn=readOnlyUser,cn=Users,dc=us,dc=oracle,dc=com. Seeding it
 
obpasswordexpirydate added in cn=readOnlyUser,cn=Users,dc=us,dc=oracle,dc=com
 
Parsing - cn=readWriteUser,cn=Users,dc=us,dc=oracle,dc=com
 
objectclass OIMPersonPwdPolicy not present in cn=readWriteUser,cn=Users,dc=us,dc=oracle,dc=com. Seeding it
 
objectclass OblixOrgPerson not present in cn=readWriteUser,cn=Users,dc=us,dc=oracle,dc=com. Seeding it
 
objectclass OblixPersonPwdPolicy not present in cn=readWriteUser,cn=Users,dc=us,dc=oracle,dc=com. Seeding it
 
obpasswordexpirydate added in cn=readWriteUser,cn=Users,dc=us,dc=oracle,dc=com
 
Parsing - cn=weblogic,cn=Users,dc=us,dc=oracle,dc=com
 
objectclass OIMPersonPwdPolicy not present in cn=weblogic,cn=Users,dc=us,dc=oracle,dc=com. Seeding it
 
objectclass OblixOrgPerson not present in cn=weblogic,cn=Users,dc=us,dc=oracle,dc=com. Seeding it
 
objectclass OblixPersonPwdPolicy not present in cn=weblogic,cn=Users,dc=us,dc=oracle,dc=com. Seeding it
 
obpasswordexpirydate added in cn=weblogic,cn=Users,dc=us,dc=oracle,dc=com
 
 
Parsing - cn=oamMasterAdminUser,cn=Users,dc=us,dc=oracle,dc=com
 
objectclass OIMPersonPwdPolicy not present in cn=oamMasterAdminUser,cn=Users,dc=us,dc=oracle,dc=com. Seeding it
 
objectclass OblixPersonPwdPolicy not present in cn=oamMasterAdminUser,cn=Users,dc=us,dc=oracle,dc=com. Seeding it
 
obpasswordexpirydate added in cn=oamMasterAdminUser,cn=Users,dc=us,dc=oracle,dc=com
 
Parsing - cn=oamSoftwareUser,cn=Users,dc=us,dc=oracle,dc=com
 
objectclass OIMPersonPwdPolicy not present in cn=oamSoftwareUser,cn=Users,dc=us,dc=oracle,dc=com. Seeding it
 
objectclass OblixOrgPerson not present in cn=oamSoftwareUser,cn=Users,dc=us,dc=oracle,dc=com. Seeding it
 
objectclass OblixPersonPwdPolicy not present in cn=oamSoftwareUser,cn=Users,dc=us,dc=oracle,dc=com. Seeding it
 
obpasswordexpirydate added in cn=oamSoftwareUser,cn=Users,dc=us,dc=oracle,dc=com
 
Parsing - cn=PolStoreROUser,cn=Users,dc=us,dc=oracle,dc=com
 
objectclass OIMPersonPwdPolicy not present in cn=PolStoreROUser,cn=Users,dc=us,dc=oracle,dc=com. Seeding it
 
objectclass OblixOrgPerson not present in cn=PolStoreROUser,cn=Users,dc=us,dc=oracle,dc=com. Seeding it
 
objectclass OblixPersonPwdPolicy not present in cn=PolStoreROUser,cn=Users,dc=us,dc=oracle,dc=com. Seeding it
 
obpasswordexpirydate added in cn=PolStoreROUser,cn=Users,dc=us,dc=oracle,dc=com
 
 
Parsing - cn=PolStoreRWUser,cn=Users,dc=us,dc=oracle,dc=com
 
objectclass OIMPersonPwdPolicy not present in cn=PolStoreRWUser,cn=Users,dc=us,dc=oracle,dc=com. Seeding it
 
objectclass OblixOrgPerson not present in cn=PolStoreRWUser,cn=Users,dc=us,dc=oracle,dc=com. Seeding it
 
objectclass OblixPersonPwdPolicy not present in cn=PolStoreRWUser,cn=Users,dc=us,dc=oracle,dc=com. Seeding it
 
obpasswordexpirydate added in cn=PolStoreRWUser,cn=Users,dc=us,dc=oracle,dc=com
 
Parsing - cn=PUBLIC, cn=Users, dc=us,dc=oracle,dc=com
 
objectclass OIMPersonPwdPolicy not present in cn=PUBLIC, cn=Users, dc=us,dc=oracle,dc=com. Seeding it
 
objectclass OblixOrgPerson not present in cn=PUBLIC, cn=Users, dc=us,dc=oracle,dc=com. Seeding it
 
objectclass OblixPersonPwdPolicy not present in cn=PUBLIC, cn=Users, dc=us,dc=oracle,dc=com. Seeding it
 
obpasswordexpirydate added in cn=PUBLIC, cn=Users, dc=us,dc=oracle,dc=com
 
Parsing - cn=orcladmin, cn=Users, dc=us,dc=oracle,dc=com
 
objectclass OIMPersonPwdPolicy not present in cn=orcladmin, cn=Users, dc=us,dc=oracle,dc=com. Seeding it
 
obpasswordexpirydate added in cn=orcladmin, cn=Users, dc=us,dc=oracle,dc=com
 
Parsing - cn=xelsysadm,cn=Users,dc=us,dc=oracle,dc=com
 
Parsing - cn=xelsysadmin,cn=Users,dc=us,dc=oracle,dc=com
 
Finished parsing LDAP
 
LDAP Users Upgraded.
 
********* ********* *********

See Also:

Oracle Fusion Middleware Integration Overview for Oracle Identity Management Suite for more information about the idmConfigTool command.
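The following Python script is an added example; it is not part of this guide and is not idmConfigTool. It parses an LDIF export of the user search base (for instance, an ldapsearch against the IDSTORE_HOST and IDSTORE_USERSEARCHBASE named in user.props) and lists every entry that still lacks one of the object classes OblixPersonPwdPolicy, OIMPersonPwdPolicy or OblixOrgPerson. Run it before idmConfigTool -upgradeLDAPUsersForSSO to preview which users will be changed, and afterwards to confirm that no user was skipped. The embedded LDIF is constructed sample data, not an export from a real directory.

```python
"""Audit directory users for the object classes the OAM/OIM integration needs.

Added example; it is not part of the Oracle guide and is not idmConfigTool.
It parses an LDIF export of the user search base and lists every entry still
missing OblixPersonPwdPolicy, OIMPersonPwdPolicy or OblixOrgPerson. Run it
before "idmConfigTool.sh -upgradeLDAPUsersForSSO" to preview what will be
seeded and afterwards to confirm that no user was skipped.
The LDIF below is constructed sample data, not an export of a real directory.
"""
import base64

REQUIRED_OBJECT_CLASSES = ("OblixPersonPwdPolicy", "OIMPersonPwdPolicy", "OblixOrgPerson")

# Constructed export: one unconverted user, one fully converted user and one
# that already carries two of the three classes (as orcladmin did in the
# sample output above). It also exercises LDIF line folding and base64 values.
SAMPLE_LDIF = """\
version: 1

dn: cn=readOnlyUser,cn=Users,dc=mycompany,dc=com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
cn: readOnlyUser

dn: cn=xelsysadm,cn=Users,dc=mycompany,dc=com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: OblixPersonPwdPolicy
objectClass: OIMPersonPwdPolicy
objectClass: OblixOrgPerson
cn: xelsysadm
obpasswordexpirydate: 20320403000000Z

dn: cn=orcladmin,cn=Users,dc=mycompany,dc=com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectclass: oblixorgperson
objectClass: OblixPersonPwdPolicy
cn:: b3JjbGFkbWlu
description: a long description that
  continues on a folded line
"""


def _unfold(text):
    """Join LDIF continuation lines (a line starting with one space) to the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def _parse_entry(lines):
    """Turn the lines of one LDIF record into (dn, {attribute_lowercase: [values]})."""
    dn, attrs = None, {}
    for line in lines:
        name, _, rest = line.partition(":")
        if rest.startswith(":"):           # "attr:: base64value"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        elif rest.startswith("<"):         # "attr:< url" is not needed for this audit
            continue
        else:
            value = rest.strip()
        key = name.strip().lower()
        if key == "dn":
            dn = value
        else:
            attrs.setdefault(key, []).append(value)
    return dn, attrs


def parse_ldif(text):
    """Return [(dn, attrs)] for every record with a dn; comments and the version record are skipped."""
    entries, current = [], []
    for line in _unfold(text) + [""]:
        if line.strip() == "":
            if current:
                entries.append(_parse_entry(current))
                current = []
        elif not line.startswith("#"):
            current.append(line)
    return [(dn, attrs) for dn, attrs in entries if dn is not None]


def missing_object_classes(entries, required=REQUIRED_OBJECT_CLASSES):
    """Map each DN lacking a required class to the sorted list of classes it lacks.
    Names are compared case-insensitively, as the directory server does."""
    report = {}
    by_lower = {c.lower(): c for c in required}
    for dn, attrs in entries:
        have = {v.lower() for v in attrs.get("objectclass", [])}
        missing = sorted(name for low, name in by_lower.items() if low not in have)
        if missing:
            report[dn] = missing
    return report


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_LDIF
    for dn, missing in missing_object_classes(parse_ldif(text)).items():
        print(f"{dn}: missing {', '.join(missing)}")
```

Pass the path of an LDIF export as the first argument to audit a real export; with no argument the script runs against the embedded sample. A non-empty report after the upgrade means the tool did not reach those entries (for example, because they lie outside IDSTORE_USERSEARCHBASE) and they will not get the OAM password-policy attributes.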

18.2.5 Integrating Oracle Access Manager 11g with Oracle Identity Manager 11g

Integrating Oracle Identity Manager with Oracle Access Manager using a WebGate 11g profile employs an Oracle Access Manager Trusted Authentication Protocol (TAP) scheme. This is different from Webgate 10g which used Network Assertion Protocol (NAP).

To integrate Oracle Access Manager 11g with Oracle Identity Manager, perform the following steps on IDMHOST1 or OIMHOST1:

  1. Set the environment variables MW_HOME, JAVA_HOME, IDM_HOME, and ORACLE_HOME, for example:

    export IDM_HOME=IDM_ORACLE_HOME
    export ORACLE_HOME=IAM_ORACLE_HOME
    
  2. Create a properties file for the integration called oimitg.props, with the following contents.

    Single Domain

    Use the following contents if all your components are in a single domain:

    LOGINURI: /${app.context}/adfAuthentication
    LOGOUTURI: /oamsso/logout.html
    AUTOLOGINURI: None
    ACCESS_SERVER_HOST: IDMHOST1.mycompany.com
    ACCESS_SERVER_PORT: 5575
    ACCESS_GATE_ID: Webgate_IDM
    COOKIE_DOMAIN: .mycompany.com
    COOKIE_EXPIRY_INTERVAL: 120
    OAM_TRANSFER_MODE: simple
    WEBGATE_TYPE: ohsWebgate11g
    SSO_ENABLED_FLAG: true
    IDSTORE_PORT: 389
    IDSTORE_HOST: idstore.mycompany.com
    IDSTORE_DIRECTORYTYPE: OID or OVD 
    IDSTORE_ADMIN_USER: cn=oamLDAP,cn=Users,dc=mycompany,dc=com
    IDSTORE_USERSEARCHBASE: cn=Users,dc=mycompany,dc=com
    IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=mycompany,dc=com
    MDS_DB_URL: jdbc:oracle:thin:@(DESCRIPTION=(LOAD_BALANCE=on)(FAILOVER=on)(ADDRESS_LIST=(ADDRESS=(protocol=tcp)(host=OIDDBHOST1-vip.mycompany.com)(port=1521))(ADDRESS=(protocol=tcp)(host=OIDDBHOST2-vip.mycompany.com)(port=1521)))(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=oidedg.mycompany.com)))
    MDS_DB_SCHEMA_USERNAME: edg_mds
    WLSHOST: adminvhn.mycompany.com
    WLSPORT: 7001
    WLSADMIN: weblogic
    DOMAIN_NAME: IDMDomain
    OIM_MANAGED_SERVER_NAME: WLS_OIM1
    DOMAIN_LOCATION: ORACLE_BASE/admin/IDMDomain/aserver/IDMDomain
    IDSTORE_LOGINATTRIBUTE: uid
    

    Split Domain

    Use the following contents if your Oracle Identity Manager components are in a different domain from your Oracle Access Manager components:

    LOGINURI: /${app.context}/adfAuthentication
    LOGOUTURI: /oamsso/logout.html
    AUTOLOGINURI: None
    ACCESS_SERVER_HOST: IDMHOST1.mycompany.com
    ACCESS_SERVER_PORT: 5575
    ACCESS_GATE_ID: Webgate_IDM
    COOKIE_DOMAIN: .mycompany.com
    COOKIE_EXPIRY_INTERVAL: 120
    IDSTORE_LOGINATTRIBUTE: uid
    OAM_TRANSFER_MODE: simple
    WEBGATE_TYPE: ohsWebgate11g
    SSO_ENABLED_FLAG: true
    IDSTORE_PORT: 389
    IDSTORE_HOST: idstore.mycompany.com
    IDSTORE_DIRECTORYTYPE: OID or OVD 
    IDSTORE_ADMIN_USER: cn=oamLDAP,cn=Users,dc=mycompany,dc=com
    IDSTORE_USERSEARCHBASE: cn=Users,dc=mycompany,dc=com
    IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=mycompany,dc=com
    MDS_DB_URL: jdbc:oracle:thin:@(DESCRIPTION=(LOAD_BALANCE=on)(FAILOVER=on)(ADDRESS_LIST=(ADDRESS=(protocol=tcp)(host=OIDDBHOST1-vip.mycompany.com)(port=1521))(ADDRESS=(protocol=tcp)(host=OIDDBHOST2-vip.mycompany.com)(port=1521)))(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=oidedg.mycompany.com)))
    MDS_DB_SCHEMA_USERNAME: edg_mds
    WLSHOST: oimadminvhn.mycompany.com
    WLSPORT: 7001
    WLSADMIN: weblogic
    OAM11G_WLS_ADMIN_HOST: adminvhn.mycompany.com
    OAM11G_WLS_ADMIN_PORT: 7001
    OAM11G_WLS_ADMIN_USER: weblogic
    DOMAIN_NAME: OIMDomain
    OIM_MANAGED_SERVER_NAME: WLS_OIM1
    DOMAIN_LOCATION: ORACLE_BASE/admin/OIMDomain/aserver/OIMDomain
    

    Notes:

    • Set IDSTORE_HOST to your Oracle Internet Directory host or load balancer name if you are using Oracle Internet Directory as your Identity Store. If not, set it to your Oracle Virtual Directory host or load balancer name.

    • Set IDSTORE_DIRECTORYTYPE to OVD if you are using Oracle Virtual Directory server to connect to either a non-OID directory or Oracle Internet Directory. Set it to OID if your Identity Store is in Oracle Internet Directory and you are accessing it directly rather than through Oracle Virtual Directory.

    • If your Access Manager servers are configured to accept requests using the simple mode, set OAM_TRANSFER_MODE to simple. Otherwise, set OAM_TRANSFER_MODE to open.

    • Set IDSTORE_PORT to your Oracle Internet Directory port if you are using Oracle Internet Directory as your Identity Store. If not, set it to your Oracle Virtual Directory port.

    • If you are using a single instance database, then set MDS_DB_URL to: jdbc:oracle:thin:@DBHOST:1521:SID

    • If your Oracle Identity Manager components are in a separate domain from your Oracle Access Manager components, you must specify the details of the OAM Domain using the parameters: OAM11G_WLS_ADMIN_HOST, OAM11G_WLS_ADMIN_PORT and OAM11G_WLS_ADMIN_USER.

  3. Integrate Oracle Access Manager with Oracle Identity Manager using the command idmConfigTool, which is located at:

    IAM_ORACLE_HOME/idmtools/bin

    Note:

    When you run the idmConfigTool, it creates or appends to the file idmDomainConfig.param. This file is generated in the same directory that the idmConfigTool is run from. To ensure that each time the tool is run, the same file is appended to, always run the idmConfigTool from the directory:

    IAM_ORACLE_HOME/idmtools/bin

    The syntax of the command is

    idmConfigTool.sh -configOIM input_file=configfile 
    

    on Linux and

    idmConfigTool.bat -configOIM input_file=configfile 
    

    on Windows.

    For example:

    IAM_ORACLE_HOME/idmtools/bin/idmConfigTool.sh -configOIM input_file=oimitg.props
    

    When the script runs you are prompted for the following information:

    • Access Gate Password

    • SSO Keystore Password

    • Global Passphrase

    • Idstore Admin Password

    • MDS Database schema password

    • Admin Server User Password

    Sample output:

    Enter sso access gate password : 
    Enter sso keystore jks password : 
    Enter sso global passphrase : 
    Enter mds db schema password : 
    Enter idstore admin password : 
    Enter admin server user password : 
     
     
    ********* Seeding OAM Passwds in OIM *********
     
     
    Completed loading user inputs for - CSF Config
     
     
    Completed loading user inputs for - Dogwood Admin WLS
     
    Connecting to t3://OAMADMINVHN.mycompany.com:7001
     
    Connection to domain runtime mbean server established
     
    Seeding credential :SSOAccessKey
     
    Seeding credential :SSOGlobalPP
     
    Seeding credential :SSOKeystoreKey
     
     
    ********* ********* *********
     
     
    ********* Activating OAM Notifications *********
     
     
    Completed loading user inputs for - MDS DB Config
     
    Apr 3, 2012 11:56:09 PM oracle.mds
    NOTIFICATION: PManager instance is created without multitenancy support as JVM flag "oracle.multitenant.enabled" is not set to enable multitenancy support.
    Initialized MDS resources
     
    Apr 3, 2012 11:56:09 PM oracle.mds
    NOTIFICATION: PManager instance is created without multitenancy support as JVM flag "oracle.multitenant.enabled" is not set to enable multitenancy support.
    Apr 3, 2012 11:56:10 PM oracle.mds
    NOTIFICATION: transfer operation started.
    Apr 3, 2012 11:56:10 PM oracle.mds
    NOTIFICATION: transfer is completed. Total number of documents successfully processed : 1, total number of documents failed : 0.
    Upload to DB completed
     
     
    Releasing all resources
     
    Notifications activated.
     
     
    ********* ********* *********
     
     
    ********* Seeding OAM Config in OIM *********
     
     
    Completed loading user inputs for - OAM Access Config
     
    Validated input values
     
    Initialized MDS resources
     
    Apr 3, 2012 11:56:10 PM oracle.mds
    NOTIFICATION: PManager instance is created without multitenancy support as JVM flag "oracle.multitenant.enabled" is not set to enable multitenancy support.
    Apr 3, 2012 11:56:10 PM oracle.mds
    NOTIFICATION: transfer operation started.
    Apr 3, 2012 11:56:10 PM oracle.mds
    NOTIFICATION: transfer is completed. Total number of documents successfully processed : 1, total number of documents failed : 0.
    Download from DB completed
     
    Releasing all resources
     
    Updated /u01/app/oracle/product/fmw/iam/server/oamMetadata/db/oim-config.xml
     
    Initialized MDS resources
     
    Apr 3, 2012 11:56:10 PM oracle.mds
    NOTIFICATION: PManager instance is created without multitenancy support as JVM flag "oracle.multitenant.enabled" is not set to enable multitenancy support.
    Apr 3, 2012 11:56:10 PM oracle.mds
    NOTIFICATION: transfer operation started.
    Apr 3, 2012 11:56:10 PM oracle.mds
    NOTIFICATION: transfer is completed. Total number of documents successfully processed : 1, total number of documents failed : 0.
    Upload to DB completed
     
     
    Releasing all resources
     
    OAM configuration seeded. Please restart oim server.
     
     
    ********* ********* *********
     
     
    ********* Configuring Authenticators in OIM WLS *********
     
     
    Completed loading user inputs for - LDAP connection info
     
    Connecting to t3://ADMINVHN.mycompany.com:7001
     
    Connection to domain runtime mbean server established
     
    Starting edit session
     
    Edit session started
     
    Connected to security realm.
     
    Validating provider configuration
     
    Validated desired authentication providers
     
    Created OAMIDAsserter successfuly
     
    OAMIDAsserter is already configured to support 11g webgate
     
    Created OIMSignatureAuthenticator successfuly
     
    Created OVDAuthenticator successfuly
     
    Setting attributes for OVDAuthenticator
     
    All attributes set. Configured inOVDAuthenticatornow
     
    LDAP details configured in OVDAuthenticator
     
    Control flags for authenticators set sucessfully
     
    Reordering of authenticators done sucessfully
     
    Saving the transaction
     
    Transaction saved
     
    Activating the changes
     
    Changes Activated. Edit session ended.
     
    Connection closed sucessfully
     
     
    ********* ********* *********
     
    The tool has completed its operation. Details have been logged to automation.log
    

    Note:

    If you have already enabled single sign-on for your WebLogic Administration Consoles, as described in Section 19.3, "Create WebLogic Security Providers," you might see the following errors when this script is run:

    ERROR: Desired authenticators already present. [Ljava.lang.String;@7fdb492]
    ERROR: Error occurred while configuration. Authentication providers to be configured already present.
    ERROR: Rolling back the operation..
    

    These errors can be ignored.

  4. Check the log file for errors and correct them if necessary.

  5. Restart the Administration Servers as described in Section 20.1, "Starting and Stopping Oracle Identity Management Components." If you are using a split domain, restart both servers.
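The following Python script is an added example; it is not part of this guide or of idmConfigTool. It reads an oimitg.props file in the KEY: value form shown in step 2 and reports, before the tool connects to the domain, the mistakes the notes in that step warn about: the "OID or OVD" placeholder left in IDSTORE_DIRECTORYTYPE, a transfer mode other than simple or open, the OAM11G_WLS_ADMIN_* parameters missing from a split-domain file (or present in a single-domain one), and a malformed MDS_DB_URL. The key names and accepted values are taken from the sample files in this section; the embedded properties text is constructed for the demonstration.

```python
"""Pre-flight check for an idmConfigTool -configOIM properties file.

Added example; it is not part of the Oracle guide or of idmConfigTool. It reads
an oimitg.props file in the "KEY: value" form and reports the mistakes the notes
in this section warn about before the tool touches the domain. Key names and
accepted values are taken from the sample files above; BAD_PROPS is constructed.
"""

COMMON_REQUIRED = (
    "LOGINURI", "LOGOUTURI", "AUTOLOGINURI", "ACCESS_SERVER_HOST", "ACCESS_SERVER_PORT",
    "ACCESS_GATE_ID", "COOKIE_DOMAIN", "COOKIE_EXPIRY_INTERVAL", "OAM_TRANSFER_MODE",
    "WEBGATE_TYPE", "SSO_ENABLED_FLAG", "IDSTORE_PORT", "IDSTORE_HOST",
    "IDSTORE_DIRECTORYTYPE", "IDSTORE_ADMIN_USER", "IDSTORE_USERSEARCHBASE",
    "IDSTORE_GROUPSEARCHBASE", "MDS_DB_URL", "MDS_DB_SCHEMA_USERNAME", "WLSHOST",
    "WLSPORT", "WLSADMIN", "DOMAIN_NAME", "OIM_MANAGED_SERVER_NAME", "DOMAIN_LOCATION",
    "IDSTORE_LOGINATTRIBUTE",
)
SPLIT_DOMAIN_REQUIRED = ("OAM11G_WLS_ADMIN_HOST", "OAM11G_WLS_ADMIN_PORT", "OAM11G_WLS_ADMIN_USER")
NUMERIC_KEYS = ("ACCESS_SERVER_PORT", "IDSTORE_PORT", "WLSPORT", "OAM11G_WLS_ADMIN_PORT", "COOKIE_EXPIRY_INTERVAL")


def parse_props(text):
    """Parse "KEY: value" lines; the value may itself contain colons (MDS_DB_URL does)."""
    props = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep or not key.strip():
            raise ValueError(f"line {lineno}: expected KEY: value, got {raw!r}")
        props[key.strip()] = value.strip()
    return props


def validate_props(props, split_domain):
    """Return the list of problems found (empty means ready for -configOIM).
    split_domain=True means Oracle Identity Manager runs in its own WebLogic domain."""
    problems = []
    required = COMMON_REQUIRED + (SPLIT_DOMAIN_REQUIRED if split_domain else ())
    problems += [f"{key}: missing" for key in required if not props.get(key)]
    if not split_domain and any(k in props for k in SPLIT_DOMAIN_REQUIRED):
        problems.append("OAM11G_WLS_ADMIN_*: only valid in a split-domain file; remove them")
    if props.get("IDSTORE_DIRECTORYTYPE") not in ("OID", "OVD"):
        problems.append("IDSTORE_DIRECTORYTYPE: must be exactly OID or OVD ('OID or OVD' is a placeholder)")
    if props.get("OAM_TRANSFER_MODE") not in ("simple", "open"):
        problems.append("OAM_TRANSFER_MODE: must be simple or open, matching the Access Manager servers")
    if props.get("WEBGATE_TYPE") != "ohsWebgate11g":
        problems.append("WEBGATE_TYPE: expected ohsWebgate11g for the 11g WebGate (TAP) integration")
    url = props.get("MDS_DB_URL", "")
    if not url.startswith("jdbc:oracle:thin:@"):
        problems.append("MDS_DB_URL: must start with jdbc:oracle:thin:@")
    elif url.count("(") != url.count(")"):
        problems.append("MDS_DB_URL: unbalanced parentheses in the connect descriptor")
    problems += [f"{k}: must be numeric, got {props[k]!r}" for k in NUMERIC_KEYS
                 if k in props and not props[k].isdigit()]
    if not props.get("COOKIE_DOMAIN", "").startswith("."):
        problems.append("COOKIE_DOMAIN: should start with a dot, as in the sample (.mycompany.com)")
    return problems


# Constructed split-domain file with two mistakes left in: the directory-type
# placeholder was not replaced and OAM11G_WLS_ADMIN_USER was forgotten.
BAD_PROPS = """\
LOGINURI: /${app.context}/adfAuthentication
LOGOUTURI: /oamsso/logout.html
AUTOLOGINURI: None
ACCESS_SERVER_HOST: IDMHOST1.mycompany.com
ACCESS_SERVER_PORT: 5575
ACCESS_GATE_ID: Webgate_IDM
COOKIE_DOMAIN: .mycompany.com
COOKIE_EXPIRY_INTERVAL: 120
IDSTORE_LOGINATTRIBUTE: uid
OAM_TRANSFER_MODE: simple
WEBGATE_TYPE: ohsWebgate11g
SSO_ENABLED_FLAG: true
IDSTORE_PORT: 389
IDSTORE_HOST: idstore.mycompany.com
IDSTORE_DIRECTORYTYPE: OID or OVD
IDSTORE_ADMIN_USER: cn=oamLDAP,cn=Users,dc=mycompany,dc=com
IDSTORE_USERSEARCHBASE: cn=Users,dc=mycompany,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=mycompany,dc=com
MDS_DB_URL: jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(protocol=tcp)(host=OIDDBHOST1-vip.mycompany.com)(port=1521))(CONNECT_DATA=(SERVICE_NAME=oidedg.mycompany.com)))
MDS_DB_SCHEMA_USERNAME: edg_mds
WLSHOST: oimadminvhn.mycompany.com
WLSPORT: 7001
WLSADMIN: weblogic
OAM11G_WLS_ADMIN_HOST: adminvhn.mycompany.com
OAM11G_WLS_ADMIN_PORT: 7001
DOMAIN_NAME: OIMDomain
OIM_MANAGED_SERVER_NAME: WLS_OIM1
DOMAIN_LOCATION: ORACLE_BASE/admin/OIMDomain/aserver/OIMDomain
"""

if __name__ == "__main__":
    for problem in validate_props(parse_props(BAD_PROPS), split_domain=True):
        print("PROBLEM", problem)
```

Run the checks on a real file with validate_props(parse_props(open("oimitg.props").read()), split_domain=...), choosing split_domain according to the topology you built. The script cannot verify values against the live environment (for example, that the simple-mode keystore files from Section 18.2.2 are present, or that ACCESS_SERVER_HOST is reachable); it only catches what can be seen in the file itself.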

18.2.6 Managing the Password of the xelsysadm User

After you integrate Oracle Identity Manager with Oracle Access Manager, two xelsysadm accounts exist. One is the internal account created by Oracle Identity Manager. The other is the account you created in the Identity Store in Section 11.5, "Preparing the Identity Store."

The xelsysadm account located in the LDAP store is the one used to access the OIM console. If you want to change the password of this account, change it in LDAP. You can use ODSM to do this. Do not change it through the OIM console.

18.2.7 Validating Integration

To validate integration, you must assign Identity Management administrators to WebLogic security groups and install WebGate as described in Chapter 19, "Configuring Single Sign-on for Administration Consoles in an Enterprise Deployment."

To validate that the wiring of Oracle Access Manager 11g with Oracle Identity Manager 11g was successful, attempt to log in to the Oracle Identity Manager Self Service Console, as follows:

  1. Using a browser, navigate to:

    https://sso.mycompany.com/oim

    This redirects you to the OAM11g single sign-on page.

  2. Log in using the xelsysadm user account created in Section 11.5, "Preparing the Identity Store."

  3. If you see the OIM Self Service Console Page, the integration was successful.

18.3 Preparing the Environment for Fusion Applications Provisioning

After the complete Identity Management environment is set up, prepare the environment for Fusion Applications provisioning, as described in this section.

18.3.1 About Input to the Fusion Applications Provisioning Tool

In earlier chapters, you were instructed to always run idmConfigTool from the same directory so that the tool would create or append to the file idmDomainConfig.param in that directory. The file idmDomainConfig.param in IAM_ORACLE_HOME/idmtools/bin now contains all the parameters that are required for Fusion Applications provisioning. Use that file as input to the Fusion Applications provisioning tool.

18.3.2 Creating a Client Keystore

To enable Fusion Applications to communicate with the Identity Management domain using SSL Server Authentication Mode, you must generate a client certificate and provide it to the Fusion Applications Provisioning process. You must provide a keystore containing the Trust point used by the Identity Management domain to the Fusion Applications.

Note:

If you are using Windows, you must install a UNIX emulation package such as Cygwin in order to run the scripts contained in this section. See http://www.cygwin.com.

When using Cygwin, ensure that you use the "/" character in path names when exporting a variable. For example:

export ORACLE_HOME=c:/oracle/idm

To generate a keystore containing a client certificate, perform the following steps:

  1. Set the ORACLE_HOME and JAVA_HOME variables. For example, on LDAPHOST1, issue these commands:

    export ORACLE_HOME=IDM_ORACLE_HOME
    export PATH=$JAVA_HOME/bin:$PATH
    
  2. To generate the certificate, use the tool ./SSLClientConfig.sh, which is located in:

    ORACLE_COMMON_HOME/bin

    For example

    ./SSLClientConfig.sh -component cacert
    

    As the command runs, enter the following values when prompted:

    • LDAP Host Name: policystore.mycompany.com

    • LDAP Port: 389

    • LDAP User: cn=orcladmin

    • Password: Password_for_cn=orcladmin

    • SSL Domain: IDMDomain

    • Keystore Password: Enter a password to protect the keystore

    • Confirm Password: Reenter the password.

    The following is typical output from the command:

    ./SSLClientConfig.sh -component cacert
    SSL Automation Script: Release 11.1.1.4.0 - ProductionCopyright (c) 2010 Oracle. All rights reserved.
    Downloading the CA certificate from a central LDAP location
    Creating a common trust store in JKS and Oracle Wallet formats ...
    Configuring SSL clients with the common trust store...
    Make sure that your LDAP server is currently up and running.
    Downloading the CA certificate from the LDAP server...
    >>>Enter the LDAP hostname [LDAPHOST1.mycompany.com]: policystore.mycompany.com
    >>>Enter the LDAP port: [3060]? 389
    >>>Enter your LDAP user [cn=orcladmin]:>>>Enter password for cn=orcladmin:
    >>>Enter the sslDomain for the CA [idm]: IDMDomain
    >>>Searching the LDAP for the CA usercertificate ...
    Importing the CA certifcate into trust stores...
    >>>The common trust store in JKS format is located at
     /u01/app/oracle/product/fmw/IDM/rootCA/keystores/tmp/trust.jks
    >>>The common trust store in Oracle wallet format is located at /u01/app/oracle/product/fmw/IDM/rootCA/keystores/tmp/ewallet.p12
    Generate trust store for the CA cert at cn=IDMDomain,cn=sslDomains
    >>>Enter a password to protect your truststore:
    >>>Enter confirmed password for your truststore:
    
    Create directory /u01/app/oracle/product/fmw/IDM/rootCA/keystores/common
    Importing the CA certifcate into trust stores...
    >>>The common trust store in JKS format is located at  /u01/app/oracle/product/fmw/IDM/rootCA/keystores/common/trust.jks
    >>>The common trust store in Oracle wallet format is located at /u01/app/oracle/product/fmw/IDM/rootCA/keystores/common/ewallet.p12
    

This creates a file called trust.jks, which must be provided to the Fusion Applications Provisioning process. After creating this keystore, you must delete the private key within it. Use the following command:

keytool -delete -keystore trust.jks -alias testkey -storepass store_password

Oracle Fusion Applications provisioning uses this file to validate that the Identity Management installation is set up appropriately before provisioning takes place. In addition to this certificate, the keystore must also contain the certificate used by the load balancer for sso.mycompany.com.

Before you start this procedure, obtain a copy of the certificate by using your browser. First access https://sso.mycompany.com:443, then follow the instructions to download the certificate to a file. (Each browser does this differently.)

After you have obtained the certificate, load it into the keystore using the following command:

keytool -import -v -noprompt -trustcacerts -alias "OIM" -file loadbalancer.cer -keystore trust.jks

where loadbalancer.cer is the name of the file in which the load balancer's SSL certificate is stored.
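The following Python script is an added example; it is not part of this guide, of SSLClientConfig.sh or of keytool. After the keytool -delete command above has been run, it reads trust.jks directly and lists every entry with its type, so a private-key entry that survived into the keystore handed to Fusion Applications provisioning is caught before the file leaves the host. It assumes the JKS version-2 file layout (magic 0xFEEDFEED, version, entry count, entries tagged 1 for a private key or 2 for a trusted certificate, followed by a SHA-1 integrity digest keyed with the store password). The keystore bytes it builds for the demonstration are constructed; the blobs stand in for real DER data.

```python
"""Inspect a JKS keystore directly and confirm that no private key remains.

Added example; not part of the Oracle guide, SSLClientConfig.sh or keytool.
It assumes the JKS version-2 layout: magic 0xFEEDFEED, version, entry count,
entries tagged 1 (private key) or 2 (trusted certificate), then a SHA-1
digest over the password in UTF-16BE, the fixed string "Mighty Aphrodite"
and the body. Keystore bytes built here are constructed for the demonstration.
"""
import hashlib
import struct

JKS_MAGIC = 0xFEEDFEED
TAG_PRIVATE_KEY, TAG_TRUSTED_CERT = 1, 2


def _utf(s):
    b = s.encode("utf-8")                   # Java modified-UTF: 2-byte length + bytes
    return struct.pack(">H", len(b)) + b


def _digest(password, body):
    return hashlib.sha1(password.encode("utf-16be") + b"Mighty Aphrodite" + body).digest()


def build_jks(entries, password):
    """Build a JKS image from [(alias, kind, blob)] with kind "private" or "trusted"."""
    body = struct.pack(">III", JKS_MAGIC, 2, len(entries))
    for alias, kind, blob in entries:
        tag = TAG_PRIVATE_KEY if kind == "private" else TAG_TRUSTED_CERT
        body += struct.pack(">I", tag) + _utf(alias) + struct.pack(">Q", 0)  # tag, alias, timestamp
        if kind == "private":
            body += struct.pack(">I", len(blob)) + blob + struct.pack(">I", 1)  # key, chain length 1
        body += _utf("X.509") + struct.pack(">I", len(blob)) + blob             # one certificate
    return body + _digest(password, body)


class _Reader:
    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated keystore")
        self.pos += n
        return self.data[self.pos - n:self.pos]

    def u32(self):
        return struct.unpack(">I", self.take(4))[0]

    def utf(self):
        return self.take(struct.unpack(">H", self.take(2))[0]).decode("utf-8")


def parse_jks(data, password=None):
    """Return [(alias, kind, chain_length)]; with a password, also verify the
    integrity digest so a wrong password or a modified file is rejected."""
    r = _Reader(data)
    if r.u32() != JKS_MAGIC:
        raise ValueError("not a JKS keystore")
    version = r.u32()
    if version != 2:
        raise ValueError(f"unsupported JKS version {version}")
    entries = []
    for _ in range(r.u32()):
        tag, alias = r.u32(), r.utf()
        r.take(8)                             # creation timestamp, not needed here
        if tag == TAG_PRIVATE_KEY:
            r.take(r.u32())                   # protected key material
            chain = r.u32()
            for _ in range(chain):
                r.utf(); r.take(r.u32())      # certificate type and DER bytes
            entries.append((alias, "private", chain))
        elif tag == TAG_TRUSTED_CERT:
            r.utf(); r.take(r.u32())
            entries.append((alias, "trusted", 1))
        else:
            raise ValueError(f"unknown entry tag {tag}")
    body_end = r.pos
    stored = r.take(20)
    if password is not None and stored != _digest(password, data[:body_end]):
        raise ValueError("integrity check failed: wrong password or modified file")
    return entries


def private_key_aliases(data, password=None):
    """Aliases that must be gone before trust.jks is handed to provisioning."""
    return [alias for alias, kind, _ in parse_jks(data, password) if kind == "private"]


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        data = open(sys.argv[1], "rb").read()
    else:  # constructed stand-in for trust.jks before the testkey entry is deleted
        data = build_jks([("testkey", "private", b"\x30\x00"), ("OIM", "trusted", b"\x30\x00")], "changeit")
    for alias, kind, chain in parse_jks(data):
        print(f"{alias:12} {kind} (chain length {chain})")
    print("private keys still present:", private_key_aliases(data) or "none")
```

Run it as python inspect_jks.py trust.jks after the keytool -delete and keytool -import steps; the expected result is a single trusted entry for the CA certificate plus the OIM alias for the load balancer certificate and "private keys still present: none". Pass the store password to parse_jks to have the integrity digest verified as well, which rejects a file that was modified after keytool wrote it.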

18.4 Backing Up the Identity Management Configuration

After you have verified that the extended domain is working, back up the domain configuration. This is a quick backup for the express purpose of immediate restore in case of failures in future procedures. Back up the configuration to the local disk. This backup can be discarded once you have completed the enterprise deployment. Once you have completed the enterprise deployment, you can initiate the regular deployment-specific backup and recovery process.

For information about backing up the environment, see "Backing Up Your Environment" in the Oracle Fusion Middleware Administrator's Guide. For information about recovering your information, see "Recovering Your Environment" in the Oracle Fusion Middleware Administrator's Guide.

To back up the configuration at this point:

  1. Back up the Web tier:

    1. Shut down the instance using opmnctl.

      ORACLE_BASE/admin/instance_name/bin/opmnctl stopall
      
    2. Back up the Middleware Home on the web tier using the following command (as root):

      tar -cvpf BACKUP_LOCATION/web.tar $MW_HOME
      
    3. Back up the Instance Home on the web tier using the following command (as root):

      tar -cvpf BACKUP_LOCATION/web_instance.tar $ORACLE_INSTANCE
      
    4. Start the instance using opmnctl:

      ORACLE_BASE/admin/instance_name/bin/opmnctl startall
      
  2. Back up the database. This is a full database backup (either hot or cold) using Oracle Recovery Manager (recommended) or OS tools such as tar for cold backups if possible.

  3. Back up the Administration Server domain directory to save your domain configuration. The configuration files are located in the following directory:

    ORACLE_BASE/admin/domain_name
    

    To back up the Administration Server run the following command on OIMHOST1:

    tar -cvpf edgdomainback.tar ORACLE_BASE/admin/domain_name