Skip Headers
Oracle® Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management (Oracle Fusion Applications Edition)
11g Release 5 (11.1.5)

Part Number E21032-15
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Index
Index
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
PDF · Mobi · ePub

13 Configuring Oracle Access Manager 11g

This chapter describes how to configure Oracle Access Manager 11.1.1 in the Oracle Identity Management enterprise deployment.

This chapter includes the following topics:

13.1 Overview of Configuring Oracle Access Manager

Oracle Access Manager enables your users to seamlessly gain access to web applications and other IT resources across your enterprise. It provides a centralized and automated single sign-on (SSO) solution, which includes an extensible set of authentication methods and the ability to define workflows around them. It also contains an authorization engine, which grants or denies access to particular resources based on properties of the user requesting access as well as based on the environment from which the request is made. Comprehensive policy management, auditing, and integration with other components of your IT infrastructure enrich this core functionality.

Oracle Access Manager consists of several components, including OAM Server, Oracle Access Manager Console, and WebGates. The OAM Server includes all the components necessary to restrict access to enterprise resources. The Oracle Access Manager Console is the administrative console to Oracle Access Manager. WebGates are web server agents that act as the actual enforcement points for Oracle Access Manager. Follow the instructions in this chapter and Chapter 19, "Configuring Single Sign-on for Administration Consoles in an Enterprise Deployment" to install and configure the Oracle Access Manager components necessary for your enterprise deployment.

13.2 About Domain URLs

Before you complete this chapter, the following URL is available:

Table 13-1 OAM URLs Before Web Tier Configuration

Component URLs

OAM Console

http://OAMADMINVHN.mycompany.com:7001/oamconsole


After you complete this chapter, the following URL will be available:

Table 13-2 OAM URLs After Web Tier Configuration

Component URLs User SSO User

OAM Console

http://oamadmin.mycompany.com/oamconsole

weblogic

oamadmin


13.3 Using Different Directory Configurations

The enterprise deployment described in this guide shows Oracle Access Manager using Oracle Internet Directory as the only LDAP repository. Oracle Access Manager uses a single LDAP for policy and configuration data. It is possible to configure another LDAP as the Identity Store where users, organizations and groups reside. For example, an Oracle Access Manager instance may use Oracle Internet Directory as its policy and configuration store and point to an instance of Microsoft Active Directory for users and groups.

In addition, the Identity Stores can potentially be front-ended by Oracle Virtual Directory to virtualize the data sources.

To learn more about the different types of directory configuration for Oracle Access Manager, consult the 11g Oracle Access Manager documentation at Oracle Technology Network. Customers considering these variations should adjust their directory tier and Oracle Access Manager deployment accordingly.

13.4 Prerequisites

Before you configure Oracle Access Manager, ensure that the following tasks have been performed on IDMHOST1 and IDMHOST2:

  1. Install Oracle WebLogic Server, Oracle Identity Management, and Oracle Identity and Access Management as described in Chapter 6, "Installing the Software for an Enterprise Deployment."

  2. Install the Identity Store, as described in Chapter 9, "Extending the Domain to Include Oracle Internet Directory" or "Configuring an Identity Store with Multiple Directories" in Oracle Fusion Middleware Integration Overview for Oracle Identity Management Suite.

  3. Prepare the Identity and Policy Stores as described in Chapter 11, "Preparing Identity and Policy Stores."

  4. Install Oracle Virtual Directory, if required, as described in Chapter 12, "Extending the Domain to Include Oracle Virtual Directory."

13.5 Starting Oracle Access Manager Managed Servers

Start the managed servers WLS_OAM1 and WLS_OAM2 by following the procedure in Section 20.1, "Starting and Stopping Oracle Identity Management Components."

13.6 Configuring Oracle Access Manager to work with the Oracle Web Tier

This section describes how to configure Oracle Access Manager to work with the Oracle Web Tier.

This section contains the following topics:

13.6.1 Prerequisites

Before proceeding, ensure that the following tasks have been performed:

  1. Configure Oracle Web Tier on WEBHOST1 and WEBHOST2 as described in Chapter 7, "Configuring the Web Tier for an Enterprise Deployment."

  2. Configure the load balancer as described in Section 3.2, "About Virtual Server Names Used by the Topologies."

  3. Configure Oracle Access Manager on IDMHOST1 and IDMHOST2 as described in Section 13.11, "Updating Oracle Access Manager System Parameters" and Section 13.5, "Starting Oracle Access Manager Managed Servers."

13.6.2 Configuring Oracle HTTP Servers to Display Login Page

On each of the web servers on WEBHOST1 and WEBHOST2 edit the file ORACLE_INSTANCE/config/OHS/component/moduleconf/sso_vh.conf.

Add the following lines in the virtual host definition:

<Location /oam>
    SetHandler weblogic-handler
    WLProxySSL ON
    WLProxySSLPassThrough ON 
    WebLogicCluster IDMHOST1.mycompany.com:14100,IDMHOST2.mycompany.com:14100 
</Location>

If the END user uses the FAAuthScheme to protect its Application Domain, that is, the FusionApplication, then also add:

<Location /fusion_apps>
    SetHandler weblogic-handler
    WLProxySSL ON
    WLProxySSLPassThrough ON 
    WebLogicCluster IDMHOST1.mycompany.com:14100,IDMHOST2.mycompany.com:14100
</Location>

Ensure that the newly added lines are within the virtual host definition, like this:

<VirtualHost *:7777>
   ServerName https://sso.mycompany.com:443
   ServerAdmin you@your.address
   ...
 
   <Location /oam>
      SetHandler weblogic-handler
      WLProxySSL ON
      WLProxySSLPassThrough ON 
      WebLogicCluster IDMHOST1.mycompany.com:14100,IDMHOST2.mycompany.com:14100
   </Location>

  <Location /fusion_apps>
      SetHandler weblogic-handler
      WLProxySSL ON
      WLProxySSLPassThrough ON 
      WebLogicCluster IDMHOST1.mycompany.com:14100,IDMHOST2.mycompany.com:14100
  </Location>
 
</VirtualHost>

13.6.3 Configuring Oracle HTTP Servers to Access Oracle Access Manager Console

On each of the web servers on WEBHOST1 and WEBHOST2, a file called admin_vh.conf was created in the directory ORACLE_INSTANCE/config/OHS/component/moduleconf. (See Section 8.8, "Configuring Oracle HTTP Server for the WebLogic Domain.") Edit this file and add the following lines within the virtual host definition:

<Location /oamconsole>
   SetHandler weblogic-handler
   WebLogicHost ADMINVHN
   WebLogicPort 7001
</Location>

Ensure that the new section is within the virtual host definition, like this:

NameVirtualHost *:7777

<VirtualHost *:7777>

   ServerName admin.mycompany.com:80
   ServerAdmin you@your.address
   ...

   <Location /oamconsole>
      SetHandler weblogic-handler 
      WebLogicHost ADMINVHN
      WebLogicPort 7001
   </Location>

</VirtualHost>

Restart the Oracle HTTP Server, as described in Section 20.1, "Starting and Stopping Oracle Identity Management Components."

13.7 Configuring Oracle Access Manager

This section contains the following topics:

13.7.1 Setting a Global Passphrase

By default, Oracle Access Manager is configured to use the Open security model. If you plan to change this mode using idmConfigTool, you must set a global passphrase. Although you need not set the global passphrase and the web gate access password to be the same, it is recommended that you do.You do this by performing the following steps.

  1. Log in to the OAM console at the URL listed in Section 20.2, "About Identity Management Console URLs."

    as the WebLogic administration user.

  2. Click the System Configuration tab.

  3. Click Access Manager Settings located in the Access Manager Settings section.

  4. Select Open from the Actions menu. The access manager settings are displayed.

  5. If you plan to use Simple security mode for OAM servers, supply a global passphrase.

  6. Click Apply.

13.7.2 Configuring Oracle Access Manager by Using the IDM Automation Tool

Now that the initial installation is done and the security model set, the following tasks must be performed:

  • Oracle Access Manager must be configured to use an external LDAP Directory (idstore.mycompany.com).

  • Oracle Access Manager WebGate Agent must be created.

  • You perform these tasks by using idmConfigTool.

Perform the following tasks on IDMHOST1:

  1. Set the environment variables MW_HOME, JAVA_HOME, IDM_HOME and ORACLE_HOME.

    Set IDM_HOME to IDM_ORACLE_HOME.

    Set ORACLE_HOME to IAM_ORACLE_HOME.

  2. Create a properties file called config_oam1.props with the following contents:

    WLSHOST: adminvhn.mycompany.com
    WLSPORT: 7001
    WLSADMIN: weblogic
    WLSPASSWD: weblogic password
    IDSTORE_HOST: idstore.mycompany.com
    IDSTORE_PORT: 389
    IDSTORE_DIRECTORYTYPE:OVD
    IDSTORE_BINDDN: cn=orcladmin 
    IDSTORE_USERNAMEATTRIBUTE: cn
    IDSTORE_LOGINATTRIBUTE: uid
    IDSTORE_USERSEARCHBASE: cn=Users,dc=mycompany,dc=com
    IDSTORE_SEARCHBASE: dc=mycompany,dc=com
    IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=mycompany,dc=com
    IDSTORE_OAMSOFTWAREUSER: oamLDAP
    IDSTORE_OAMADMINUSER: oamadmin
    PRIMARY_OAM_SERVERS: IDMHOST1.mycompany.com:5575,IDMHOST2.mycompany.com:5575
    WEBGATE_TYPE: ohsWebgate11g
    ACCESS_GATE_ID: Webgate_IDM
    OAM11G_IDM_DOMAIN_OHS_HOST:sso.mycompany.com
    OAM11G_IDM_DOMAIN_OHS_PORT:443
    OAM11G_IDM_DOMAIN_OHS_PROTOCOL:https
    OAM11G_WG_DENY_ON_NOT_PROTECTED: false
    OAM_TRANSFER_MODE: simple
    OAM11G_OAM_SERVER_TRANSFER_MODE:simple
    OAM11G_IDM_DOMAIN_LOGOUT_URLS: /console/jsp/common/logout.jsp,/em/targetauth/emaslogout.jsp
    OAM11G_OIM_WEBGATE_PASSWD: webgate password
    COOKIE_DOMAIN: .mycompany.com
    OAM11G_IDSTORE_ROLE_SECURITY_ADMIN: OAMAdministrators
    OAM11G_SSO_ONLY_FLAG: true
    OAM11G_OIM_INTEGRATION_REQ: true
    OAM11G_IMPERSONATION_FLAG:true
    OAM11G_SERVER_LBR_HOST:sso.mycompany.com
    OAM11G_SERVER_LBR_PORT:443
    OAM11G_SERVER_LBR_PROTOCOL:https
    COOKIE_EXPIRY_INTERVAL: 120
    OAM11G_OIM_OHS_URL:https://sso.mycompany.com:443/
    OAM11G_SERVER_LOGIN_ATTRIBUTE: uid
    

    Where:

    • WLSHOST and WLSPORT are, respectively, the host and port of your administration server, created in Chapter 8, "Creating Domains for an Enterprise Deployment." This is the virtual name.

    • WLSADMIN and WLSPASSWD are, respectively, the WebLogic administrative user and password you use to log in to the WebLogic console.

    • IDSTORE_HOST and IDSTORE _PORT are, respectively, the host and port of your Identity Store directory.

    • IDSTORE_BINDDN is an administrative user in the Identity Store directory.

    • IDSTORE_USERSEARCHBASE is the container under which Oracle Access Manager searches for the users.

    • IDSTORE_GROUPSEARCHBASE is the location in the directory where Groups are stored.

    • IDSTORE_SEARCHBASE is the location in the directory where Users and Groups are stored.

    • IDSTORE_OAMSOFTWAREUSER is the name of the user you created in Section 11.5, "Preparing the Identity Store" to be used to interact with LDAP.

    • IDSTORE_OAMADMINUSER is the name of the user you created in Section 11.5, "Preparing the Identity Store" to access your OAM Console.

    • PRIMARY_OAM_SERVERS is a comma separated list of your OAM Servers and the proxy ports they use.

      Note:

      To determine the proxy ports your OAM Servers use:

      1. Log in to the OAM console at the URL listed in Section 20.2, "About Identity Management Console URLs."

      2. Click the System Configuration tab.

      3. Expand Server Instances under the Common Configuration section

      4. Click an Oracle Access Manager server, such as WLS_OAM1, and click Open.

      5. Proxy port is the one shown as Port.

    • ACCESS_GATE_ID is the name you want to assign to the WebGate.

    • OAM11G_OIM_WEBGATE_PASSWD is the password you will assign to the WebGate after OIM has been configured

    • OAM11G_IDM_DOMAIN_OHS_HOST is the name of the load balancer which is in front of the OHS's.

    • OAM11G_IDM_DOMAIN_OHS_PORT is the port that the load balancer listens on.

    • OAM11G_IDM_DOMAIN_OHS_PROTOCOL is the protocol to use when directing requests at the load balancer.

    • OAM11G_OAM_SERVER_TRANSFER_MODE is the security model that the Oracle Access Manager servers function in, as defined in Section 13.7.1, "Setting a Global Passphrase."

    • OAM11G_IMPERSONATION_FLAG is set to True if you are using Oracle Fusion Applications.

    • OAM11G_IDM_DOMAIN_LOGOUT_URLS is set to the various logout URLs.

    • OAM11G_SSO_ONLY_FLAG configures Oracle Access Manager as authentication only mode or normal mode, which supports authentication and authorization. This is set to true for Fusion Applications.

      If OAM11G_SSO_ONLY_FLAG is true, the OAM Server operates in authentication only mode, where all authorizations return true by default without any policy validations. In this mode, the server does not have the overhead of authorization handling. This is recommended for applications which do not depend on authorization policies and need only the authentication feature of the OAM Server.

      If the value is false, the server runs in default mode, where each authentication is followed by one or more authorization requests to the OAM Server. WebGate allows the access to the requested resources or not, based on the responses from the OAM Server.

    • OAM11G_SERVER_LBR_HOST is the name of the load balancer fronting your site. This and the following two parameters are used to construct your login URL.

    • OAM11G_SERVER_LBR_PORT is the port that the load balancer is listening on.

    • OAM11G_SERVER_LBR_PROTOCOL is the URL prefix to use.

    • COOKIE_DOMAIN is the domain in which the WebGate functions.

    • WEBGATE_TYPE is the type of WebGate agent you want to create. In this release, the value is ohsWebgate11g.

    • OAM11G_IDSTORE_NAME is the name of the Identity Store. If you already have an Identity Store in place which is different from the default created by this tool, set this parameter to the name of that Identity Store.

    • OAM11G_OIM_OHS_URL is the URL that will be used to access OIM when accessing through the load balancer, after OIM is configured.

    • OAM11G_SERVER_LOGIN_ATTRIBUTE: Setting this to uid ensures that when users log in their username is validated against the uid attribute in LDAP.

  3. Configure Oracle Access Manager using the command idmConfigTool which is located at:

    IAM_ORACLE_HOME/idmtools/bin

    Note:

    When you run the idmConfigTool, it creates or appends to the file idmDomainConfig.param. This file is generated in the same directory that the idmConfigTool is run from. To ensure that each time the tool is run, the same file is appended to, always run the idmConfigTool from the directory:

    IAM_ORACLE_HOME/idmtools/bin

    The syntax of the command on Linux is:

    idmConfigTool.sh -configOAM input_file=configfile 
    

    The syntax on Windows is:

    idmConfigTool.bat -configOAM input_file=configfile 
    

    For example:

    idmConfigTool.sh -configOAM input_file=config_oam1.props
    

    When the command runs you are prompted to enter the password of the account you are connecting to the Identity Store with. You are also asked to specify the passwords you want to assign to these accounts:

    • IDSTORE_PWD_OAMSOFTWAREUSER

    • IDSTORE_PWD_OAMADMINUSER

  4. Check the log file for any errors or warnings and correct them. A file named automation.log is created in the directory where you run the tool.

  5. Restart WebLogic Administration Server as described in Section 20.1, "Starting and Stopping Oracle Identity Management Components."

Note:

After you run idmConfigTool, several files are created that you need for subsequent tasks. Keep these in a safe location.

Two WebGate profiles are created: Webgate_IDM, which is a 10g profile, and Webgate_IDM_11g, which is an 11g profile. Webgate_IDM is used for intercomponent communication and Webgate_IDM_11g is used by 11g Webgates.

The following files exist in the directory ASERVER_HOME/domain_name/output/Webgate_IDM_11g. You need these when you install the WebGate software.

  • cwallet.sso

  • ObAccessClient.xml

  • password.xml

Additionally, you need the files aaa_cert.pem and aaa_key.pem, which are located in the directory ASERVER_HOME/domain_name/output/Webgate_IDM.

13.7.3 Validating the Configuration

To Validate that this has completed correctly.

  1. Access the OAM console at the URL listed in Section 20.2, "About Identity Management Console URLs."

  2. Log in as the Oracle Access Manager administration user you created in Section 11.5, "Preparing the Identity Store."

  3. Click the System Configuration tab

  4. Expand Access Manager Settings - SSO Agents - OAM Agents.

  5. Click the open folder icon, then click Search.

  6. You should see the WebGate agents Webgate_IDM and Webgate_IDM_11g, which you created in Section 13.7.2, "Configuring Oracle Access Manager by Using the IDM Automation Tool."

13.7.4 Updating Newly-Created Agent

After generating the initial configuration, you must edit the configuration and add advanced configuration entries.

  1. Select System Configuration Tab

  2. Select Access Manager Settings - SSO Agents - OAM Agent from the directory tree. Double-click or select the open folder icon.

  3. On the displayed search page click Search to perform an empty search.

  4. Click the Agent Webgate_IDM.

  5. Select Open from the Actions menu.

  6. Set Max Connections to 4 for all of the OAM Servers listed in the primary servers list.

  7. Click Apply.

  8. Repeat Steps 4 through 7 for the WebGate agent Webgate_IDM_11g.

  9. Click Policy Configuration tab.

  10. Double Click IAMSuiteAgent under Host Identifiers.

  11. Click + in the operations box.

  12. Enter the following information:

    Table 13-3 Host Name and Port Values

    Host Name Port

    admin.mycompany.com

    80

    oimadmin.mycompany.com

    80


  13. Click Apply.

13.7.5 Updating Existing WebGate Agents

If you have changed the OAM security model using the idmConfigTool you must change the security model used by any existing Webgates to reflect this change.

To do this, perform the following steps:

  1. Log in to the Oracle Access Manager Console as the Oracle Access Manager administration user you created in Section 11.5, "Preparing the Identity Store," at the URL listed in Section 20.2, "About Identity Management Console URLs."

  2. Click the System Configuration tab.

  3. Expand Access Manager Settings - SSO Agents.

  4. Click OAM Agents and select Open from the Actions menu.

  5. In the Search window, click Search.

  6. Click each Agent that was not created by idmconfigTool in Section 13.7.2, "Configuring Oracle Access Manager by Using the IDM Automation Tool", for example: IAMSuiteAgent.

  7. Set the Security value to the new security model.

    Click Apply.

  8. Restart the managed servers WLS_OAM1 and WLS_OAM2 as described in Section 20.1, "Starting and Stopping Oracle Identity Management Components."

13.7.6 Perform Bug 13824816 Workaround

Perform the following workaround for Bug 13824816:

  1. Log in to the WebLogic Administration Server Console at the URL listed in Section 20.2, "About Identity Management Console URLs."

  2. In the left pane of the console, click Security Realms.

  3. On the Summary of Security Realms page, click myrealm under the Realms table.

  4. On the Settings page for myrealm, click the Roles & Policies tab.

  5. On the Realm Roles page, expand the Global Roles entry under the Roles table. This brings up the entry for Roles.

  6. Click the Roles link to go to the Global Roles page.

  7. On the Global Roles page, click the Admin role to go to the Edit Global Role page:

  8. On the Edit Global Roles page, under the Role Conditions table, click Add Conditions.

  9. On the Choose a Predicate page, select Group from the predicates list and click Next.

  10. On the Edit Arguments Page, specify OAMAdministrators in the Group Argument field and click Add.

  11. Click Finish to return to the Edit Global Rule page.

    The Role Conditions table now shows the OAMAdministrators Group as an entry.

  12. Click Save to finish adding the Admin role to the OAMAdministrators Group.

13.7.7 Configuring Oracle Access Manager for Multidirectory Support

Ensure that the data store configured in Oracle Access Manager refers to the search base used in Oracle Virtual Directory, dc=mycompany,dc=com.

Follow these steps to update the search base:

  1. Log in to the OAM console at the URL listed in Section 20.2, "About Identity Management Console URLs."

  2. Click System Configuration.

  3. Expand Common Configuration.

  4. Expand Data Sources.

  5. Expand User Identity Stores.

  6. Double click the store used with Oracle Virtual Directory.

  7. Ensure that the User search base and Group search base fields have the value dc=mycompany,dc=com.

13.8 Adding the oamadmin Account to Access System Administrators

The oamadmin user is assigned to the Oracle Access Manager Administrators group, which is in turn assigned to the Access System Administrators group. Fusion Applications, however, requires the oamadmin user to be explicitly added to that role. To do this perform the following steps:

  1. Log in to the oamconsole at the URL listed in Section 20.2, "About Identity Management Console URLs."

  2. Click the System Configuration tab.

  3. Expand Data Sources - User Identity Stores.

  4. Click OIMIDStore.

  5. Click Open.

  6. Click the + symbol next to Access System Adminsitrators.

  7. Type oamadmin in the search box and click Search.

  8. Click the returned oamadmin row, then click Add Selected.

  9. Click Apply.

13.9 Create Oracle Access Manager Policies for WebGate 11g

In order to allow WebGate 11g to display the credential collector, you must add /oam to the list of public policies.

Proceed as follows:

  1. Log in to the OAM console at the URL listed in Section 20.2, "About Identity Management Console URLs."

  2. Select the Policy Configuration tab.

  3. Expand Application Domains - IAM Suite

  4. Click Resources.

  5. Click Open.

  6. Click New resource.

  7. Provide the following values:

    • Type: HTTP

    • Description: OAM Credential Collector

    • Host Identifier: IAMSuiteAgent

    • Resource URL: /oam

    • Protection Level: Unprotected

    • Authentication Policy: Public Policy

  8. Click Apply.

13.10 Creating Oracle Access Manager Key Store

If you are integrating other components, such as Oracle Identity Manager and Oracle Adaptive Access Manager, with Oracle Access Manager and Oracle Access Manager is using the simple security transport model, you must generate a keystore that can be used with those components. The procedure to do this is outlined in this section. Run it on IDMHOST1.

This section contains the following topics:

13.10.1 Creating an Empty Trust Store File Named oamclient-truststore.jks

To create this file, you use a tool called keytool that comes with the JDK (Java Development Kit). Before running any of the following commands, ensure that the JDK is in your path. For example

export JAVA_HOME=MW_HOME/jrockit_version
export PATH=$JAVA_HOME/bin:$PATH
  1. First, execute the command:

    keytool -genkey -alias alias_name -keystore PathName_to_Keystore -storetype JKS
    

    The command prompts you for a keystore password. This password MUST be same as the global pass phrase used in the Oracle Access Manager server. The command also prompts for information about the user and organization. Enter relevant information.

    Example:

    keytool -genkey -alias oam -keystore oamclient-truststore.jks -storetype JKS
    

    Sample output:

    Enter keystore password:
    Re-enter new password:
    What is your first and last name?
    [Unknown]: John Doe
    What is the name of your organizational unit?
    [Unknown]: MAA
    What is the name of your organization?
    [Unknown]: Oracle
    What is the name of your City or Locality?
    [Unknown]: Redwood Shores
    What is the name of your State or Province?
    [Unknown]: CA
    What is the two-letter country code for this unit?
    [Unknown]: US
    Is CN=John Doe, OU=MAA, O=Oracle, L=Redwood Shores, ST=CA, C=US correct?
    [no]: yes
     
    Enter key password for <oam>
    (RETURN if same as keystore password):
    Re-enter new password:
    
  2. Then execute the command:

    keytool -delete -alias alias_name -keystore oamclient-truststore.jks -storetype JKS
    

    For example:

    keytool -delete -alias oam -keystore oamclient-truststore.jks -storetype JKS
    

    The command prompts for the keystore password you entered previously.

13.10.2 Importing the CA Certificate into the Trust Store

Oracle Access Manager 11g comes with a self-signed Certificate Authority that is used in Simple mode to issue certificates for the Access Client. This certificate must be added to the keystore you just created.

The certificate resides in the file cacert.der, which is located in the directory IAM_ORACLE_HOME/oam/server/config. Execute the following command to import a PEM/DER format CA certificate into the trust store. On Linux, type:

keytool -importcert -file IAM_ORACLE_HOME/oam/server/config/cacert.der -trustcacerts -keystore PathName_to_keystore -storetype JKS

On Windows, type:

keytool -import -file IAM_ORACLE_HOME\oam\server\config\cacert.der -trustcacerts -keystore PathName_to_keystore -storetype JKS

Enter keystore password when prompted.

Example:

keytool -importcert -file /IAM_ORACLE_HOME/oam/server/config/cacert.der -trustcacerts -keystore oamclient-truststore.jks -storetype JKS

Sample output:

Enter keystore password:  
Owner: CN=NetPoint Simple Security CA - Not for General Use, OU=NetPoint, O="Oblix, Inc.", L=Cupertino, ST=California, C=US
Issuer: CN=NetPoint Simple Security CA - Not for General Use, OU=NetPoint, O="Oblix, Inc.", L=Cupertino, ST=California, C=US
Serial number: 0
Valid from: Wed Apr 01 05:57:22 PDT 2009 until: Thu Mar 28 05:57:22 PDT 2024
Certificate fingerprints:
MD5:  05:F4:8C:84:85:37:DB:E3:66:87:EF:39:E0:E6:B2:3F
SHA1: 97:B0:F8:19:7D:0E:22:6B:40:2A:73:73:1B:27:B2:7B:8D:64:82:21
Signature algorithm name: MD5withRSA
Version: 1
Trust this certificate? [no]:  yes
Certificate was added to keystore

13.10.3 Setting up Keystore with the SSL Certificate and Private Key File of the Access Client

An SSL certificate and private key were generated when you ran the idmConfigTool command in Section 13.7.2, "Configuring Oracle Access Manager by Using the IDM Automation Tool." The SSL certificate and key are required for clients to communicate with Oracle Access Manager in Simple mode. The names of these files are, respectively, aaa_cert.pem and aaa_key.pem. They are located in the directory ASERVER_HOME/domain_name/output/Webgate_IDM on IDMHOST1, where ASERVER_HOME is the Administration Server Domain home.

Execute the following commands to import the certificate and key file into the keystore file ssoKeystore.jsk.

  1. Unzip the file importcert.zip, which is located in the directory:

    IAM_ORACLE_HOME/oam/server/tools/importcert

    For example:

    cd IAM_ORACLE_HOME/oam/server/tools/importcert
    unzip importcert.zip
    
  2. Execute the command:

    openssl pkcs8 -topk8 -nocrypt -in ASERVER_HOME/domain_name/output/Webgate_IDM/aaa_key.pem -inform PEM -out aaa_key.der -outform DER
    

    The command prompts for a passphrase. Enter the password, which must be the WebGate access password. This command creates the aaa_key.der file in the directory where the command is run

    Example:

    openssl pkcs8 -topk8 -nocrypt -in /u01/app/oracle/admin/IDMDomain/aserver/IDMDomain/output/Webgate_IDM/aaa_key.pem -inform PEM -out aaa_key.der -outform DER
    Enter pass phrase for /u01/app/oracle/admin/IDMDomain/aserver/IDMDomain/output/Webgate_IDM/aaa_key.pem:
    
  3. Then execute:

    openssl x509 -in /u01/app/oracle/admin/IDMDomain/aserver/IDMDomain/output/Webgate_IDM/aaa_cert.pem -inform PEM -out aaa_cert.der -outform DER
    

    This command creates the aaa_cert.der file in the directory where the command is run. This command does not generate any output.

  4. Execute the command:

    java -cp IAM_ORACLE_HOME/oam/server/tools/importcert/importcert.jar oracle.security.am.common.tools.importcerts.CertificateImport -keystore ssoKeystore.jks -privatekeyfile aaa_key.der -signedcertfile aaa_cert.der -storetype jks -genkeystore yes
    

    This command creates the ssoKeystore.jks file in the directory where the command is run.

    In this command, aaa_key.der and aaa_cert.der are, respectively, the private key and certificate pair in DER format.

    Sample output:

    Enter Keystore password:
    Certificates imported to ssoKeystore.jks
    
  5. Add the CA certificate to the newly generated ssoKeystore.jks. On Linux, type:

    keytool -importcert -file IAM_ORACLE_HOME/oam/server/config/cacert.der -trustcacerts -keystore PathName_to_keystore -storetype JKS
    

    On Windows, type:

    keytool -import -file IAM_ORACLE_HOME\oam\server\config\cacert.der -trustcacerts -keystore PathName_to_keystore -storetype JKS
    

    Enter keystore password when prompted. For example:

    keytool -importcert -file /IAM_ORACLE_HOME/oam/server/config/cacert.der -trustcacerts -keystore ssoKeystore.jks -storetype JKS
    

    Note:

    The files ssoKeystore.jks and oamclient-truststore.jks are required when you integrate Oracle Access Manager running in Simple mode with Oracle Identity Manager. When you integrate these components, you are asked to copy these files to the ASERVER_HOME/config/fmwconfig directory. If you subsequently extend the domain on machines where these files have been placed using pack/unpack, you must recopy ssoKeystore.jks and oamclient-truststore.jks after unpacking.

13.11 Updating Oracle Access Manager System Parameters

Update ASERVER_HOME/config/fmwconfig/oam-config.xml in the administration server domain home.

Set the parameters Timeout, Expiry, and MaxSessionsPerUser as follows:

  1. Log in to the OAM console at the URL listed in Section 20.2, "About Identity Management Console URLs." as the WebLogic administration user.

  2. Select the System Configuration tab.

  3. Click Common Settings under the Common Configuration entry.

  4. Click Open.

  5. Set the following values:

    • Idle Timeout (minutes): 120

    • Session Lifetime: 120

    • Maximum Number of Sessions per user: 200

  6. Click Apply.

13.12 Backing Up the Application Tier Configuration

It is an Oracle best practices recommendation to create a backup after successfully completing the installation and configuration of each tier, or at another logical point. Create a backup after verifying that the installation so far is successful. This is a quick backup for the express purpose of immediate restoration in case of problems in later steps. The backup destination is the local disk. You can discard this backup when the enterprise deployment setup is complete. After the enterprise deployment setup is complete, you can initiate the regular deployment-specific Backup and Recovery process. For more details, see the Oracle Fusion Middleware Administrator's Guide.

For information on database backups, refer to the Oracle Database Backup and Recovery User's Guide.

To back up the installation to this point, follow these steps:

  1. Back up the web tier as described in Section 7.6, "Backing up the Web Tier Configuration."

  2. Back up the Oracle Access Manager database. This is a full database backup, either hot or cold. The recommended tool is Oracle Recovery Manager.

  3. Back up the Administration Server domain directory as described in Section 8.10, "Backing Up the WebLogic Domain."

  4. Back up the Oracle Internet Directory as described in Section 9.8, "Backing up the Oracle Internet Directory Configuration."

  5. Back up the Oracle Virtual Directory as described in Section 12.9, "Backing Up the Oracle Virtual Directory Configuration."

For information about backing up the application tier configuration, see Section 20.6, "Performing Backups and Recoveries."