Oracle® Fusion Middleware Identity Management Provisioning Guide (Oracle Fusion Applications Edition) 11g Release 7 (11.1.7) Part Number E41444-02
This chapter describes tasks you must perform after you have completed Identity Management Provisioning.
This chapter contains the following sections:
Section 6.3, "Configuring SSL and Generating a Certificate (Windows)"
Section 6.4, "Using Oracle Virtual Directory as an Identity Store"
Section 6.5, "Passing Configuration Properties File to Oracle Fusion Applications"
Section 6.6, "Post-Provisioning Steps for Oracle Identity Manager"
Section 6.7, "Post-Provisioning Steps for Oracle Access Manager"
Section 6.8, "Post-Provisioning Steps for Oracle Identity Federation"
Due to Bugs 17075699 and 17076033 in Identity Management Provisioning, you must make changes to the following datasources (n is the instance digit used in your domain, for example mds-soa-rc0):
EDNLocalTxDataSource-rcn
mds-oim-rcn
mds-owsm-rcn
mds-soa-rcn
oamDS-rcn
oimJMSStoreDS-rcn
OraSDPMDataSource-rcn
SOALocalTxDataSource-rcn
To make the changes, proceed as follows:
1. Log in to the WebLogic Administration Console.
2. Click Lock & Edit.
3. Navigate to Services -> Data Sources.
4. Click on the data source to be updated, for example, mds-soa-rc0.
5. Click the Transaction tab.
6. Deselect Supports Global Transactions.
7. Click Save.
8. Repeat Steps 4 through 7 for all the listed datasources.
9. Click Activate Changes.
10. Restart all servers.
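The same change applied with a WLST script instead of the console, so it can be run once per domain and re-checked afterwards. This is an added example and not part of the Oracle guide; the Administration Server URL, credentials and the rc0 datasource suffix in CONFIG are assumptions to adjust for your domain. The read-back after activation is the check a practitioner wants: an empty list means every datasource now reports GlobalTransactionsProtocol=None, which is what deselecting Supports Global Transactions stores.

```python
"""Disable 'Supports Global Transactions' on the listed datasources via WLST.

Added example, not Oracle's code.  Assumed values: CONFIG below and the
'rc0' datasource suffix.  Run under WLST:
    ORACLE_COMMON_HOME/common/bin/wlst.sh disable_global_tx.py
mbean_path() and plan_changes() contain no WLST calls and run under CPython."""

# Assumed connection details for the IDMDomain Administration Server.
CONFIG = {"url": "t3://ADMINVHN.mycompany.com:7001", "user": "weblogic", "password": "password"}

# Base names from the guide; datasource_names() appends the per-node suffix.
DATASOURCE_BASES = [
    "EDNLocalTxDataSource", "mds-oim", "mds-owsm", "mds-soa",
    "oamDS", "oimJMSStoreDS", "OraSDPMDataSource", "SOALocalTxDataSource",
]


def datasource_names(suffix="rc0"):
    return ["%s-%s" % (base, suffix) for base in DATASOURCE_BASES]


def mbean_path(name):
    # JDBCDataSourceParams bean that carries the GlobalTransactionsProtocol attribute.
    return "/JDBCSystemResources/%s/JDBCResource/%s/JDBCDataSourceParams/%s" % (name, name, name)


def plan_changes(current):
    """current maps datasource name -> GlobalTransactionsProtocol.
    Deselecting 'Supports Global Transactions' in the console stores 'None';
    any other value (TwoPhaseCommit, LoggingLastResource, EmulateTwoPhaseCommit,
    OnePhaseCommit) still carries the global-transaction behaviour to be removed."""
    return sorted(name for name, proto in current.items() if proto != "None")


def read_protocols(names):
    """WLST only: returns {name: protocol} for the datasources that exist."""
    found = {}
    for name in names:
        try:
            cd(mbean_path(name))
        except:  # WLSTException is a Java exception, so catch broadly under Jython
            print("WARNING: datasource %s not found, skipping" % name)
            continue
        found[name] = get("GlobalTransactionsProtocol")
    return found


def disable_global_transactions(names):
    """WLST only: change the datasources in one edit session, then re-verify.
    connect/edit/startEdit/cd/get/set/save/activate are WLST commands."""
    connect(CONFIG["user"], CONFIG["password"], CONFIG["url"])
    edit()
    startEdit()
    for name in plan_changes(read_protocols(names)):
        cd(mbean_path(name))
        set("GlobalTransactionsProtocol", "None")  # WLST's set(), not Python's builtin
        print("updated %s" % name)
    save()
    activate(block="true")
    leftover = plan_changes(read_protocols(names))  # read back the activated config
    disconnect()
    return leftover  # empty list: every datasource now reports 'None'


if __name__ == "__main__":
    remaining = disable_global_transactions(datasource_names())
    print("still enabled: %s" % remaining)
    print("restart all servers in the domain for the change to take effect")
```

As with the console procedure, the servers must be restarted after activation; the script only changes and verifies the configuration.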
Increase the maximum heap size for servers as follows:
1. Edit the file DOMAIN_HOME/bin/setDomainEnv.sh.
2. Locate the last occurrence of the line:
JAVA_PROPERTIES="${JAVA_PROPERTIES} ${EXTRA_JAVA_PROPERTIES}"
3. Replace that line with the following lines:
if [ "${SERVER_NAME}" = "wls_oim1" -o "${SERVER_NAME}" = "wls_oim2" ] ; then
    EXTRA_JAVA_PROPERTIES="${EXTRA_JAVA_PROPERTIES} -Xmx2048m"
    export EXTRA_JAVA_PROPERTIES
else
    EXTRA_JAVA_PROPERTIES="${EXTRA_JAVA_PROPERTIES} -Xmx1536m"
    export EXTRA_JAVA_PROPERTIES
fi
JAVA_PROPERTIES="${JAVA_PROPERTIES} ${EXTRA_JAVA_PROPERTIES}"
On Windows, some Identity Management Provisioning Wizard procedures are not automated because they require a UNIX shell. You must install a UNIX emulation package such as Cygwin (see http://www.cygwin.com) and then perform these four manual procedures:
External domains communicate with the Identity Management domain using SSL Server Authentication Only Mode. To enable the Identity Management domain to support this SSL mode, you must generate a certificate and store it in the Policy Store. This adds an extra layer of security: a client can validate, and therefore complete, a connection to the domain only if it trusts the domain's CA certificate. Note that this mode authenticates the server to the client only; clients are not authenticated by certificate, so access control still relies on the LDAP bind and application credentials. The domain level certificate is generated once per domain.
To generate a certificate for the IDMDomain, execute the following commands on the host:
1. Set ORACLE_HOME to the Oracle home directory.
2. Set JAVA_HOME to the Java home directory.
3. Generate the certificate using the SSLGenCA command, which is located in ORACLE_COMMON_HOME/bin. For example:
cd ORACLE_COMMON_HOME/bin
./SSLGenCA.sh
When the command executes, supply the following information:
LDAP host Name: The host where the policy store is located.
Note:
It is recommended that you use the Policy Store directory, not the Identity Store.
LDAP Port: 389
Admin User: cn=orcladmin
Password: admin_password
LDAP sslDomain where your CA will be stored: for example, IDMDomain
Password to protect your CA wallet: wallet_password
Confirmed password for your CA wallet: wallet_password
This script performs the following tasks:
Creates a Demo Signing CA wallet for use in the domain.
Extracts the public Demo CA Certificate from the CA wallet.
Uploads the wallet and the certificate to LDAP and stores them in the entry cn=demoCA,Deployment_SSL_Domain.
Creates an access group in LDAP, cn=SSLDomains,cn=IDMDomain,cn=demoCA, and grants that group administrative privileges to the parent container. All other entities are denied access. Add users to the group to give access. The Demo CA Certificate is now available for download by an anonymous or authenticated user.
The Demo CA Wallet password is stored locally in an obfuscated wallet for future use. Its path is ORACLE_HOME/credCA/castore.
As administrator, you must secure this wallet so that only SSL administrators can read it. The CA wallet holds the key that signs every server certificate in the domain, so anyone who can read it can issue certificates that all SSL-enabled components in the domain trust.
The best place to locate the Certificate is in the Policy Store.
Before configuring Oracle Virtual Directory for SSL, set the ORACLE_HOME, ORACLE_INSTANCE and JAVA_HOME variables. For example, you might set ORACLE_HOME to IDM_ORACLE_HOME, and set ORACLE_INSTANCE to OVD_ORACLE_INSTANCE. Set JAVA_HOME to JAVA_HOME, and add JAVA_HOME to your PATH variable.
Start the SSL Configuration tool by issuing the SSLServerConfig command, which is located in the directory ORACLE_COMMON_HOME/bin. For example:
ORACLE_COMMON_HOME/bin/SSLServerConfig.sh -component ovd
When prompted, enter the following information:
LDAP Hostname: Central LDAP host, for example: POLICYSTORE.mycompany.com
Note: It is recommended that you use the Policy Store directory, not the Identity Store.
LDAP port: LDAP port, for example: 389
Admin user DN: cn=orcladmin
Password: administrator_password
sslDomain for the CA: for example, IDMDomain
Password to protect your SSL wallet/keystore: password_for_local_keystore
Enter confirmed password for your SSL wallet/keystore: password_for_local_keystore
Password for the CA wallet: certificate_password. This is the one created in the previous procedure, "Generating a Certificate to be Used by the Identity Management Domain."
Country Name 2 letter code: Two letter country code, such as US
State or Province Name: State or province, for example: California
Locality Name: Enter the name of your city, for example: RedwoodCity
Organization Name: Company name, for example: mycompany
Organizational Unit Name: Leave at the default
Common Name: Name of this host, for example: HOST1.mycompany.com
OVD Instance Name: for example, ovd1. If you need to determine what your OVD component name is, execute the command:
ORACLE_INSTANCE/bin/opmnctl status
Oracle instance name: Name of your Oracle instance, for example: ovd1
WebLogic admin host: Host running the WebLogic Administration Server, for example: ADMINVHN.mycompany.com
WebLogic admin port: WebLogic Administration Server port, for example: 7001
WebLogic admin user: Name of your WebLogic administration user, for example: weblogic
WebLogic password: password
SSL wallet name for OVD component [ovdks1.jks]: Accept the default
When asked if you want to restart your Oracle Virtual Directory component, enter Yes.
When asked if you would like to test your OVD SSL connection, enter Yes. Ensure that the test is a success.
Repeat for each Oracle Virtual Directory instance in the configuration.
If you plan to enable SSL Server Authentication Only Mode for your domain and have created a domain level SSL certificate as described in Section 6.3.1, "Generating a Certificate to be Used by the Identity Management Domain," you must perform the following to ensure that your Oracle Internet Directory instances are capable of accepting requests using this mode. You must configure each Oracle Internet Directory instance independently.
Prior to running this command ensure that:
Oracle Internet Directory is installed.
Oracle Identity Management is installed on the host.
Site certificate has been generated as described in Section 6.3.1, "Generating a Certificate to be Used by the Identity Management Domain."
If you are using Windows, you have installed a UNIX emulation package such as Cygwin in order to run the scripts contained in this section. See http://www.cygwin.com.
To enable Oracle Internet Directory to communicate using SSL Server Authentication Mode, perform the following steps on LDAPHOST1 and LDAPHOST2:
Note: When you perform this operation, only the Oracle Internet Directory instance you are working on should be running.
1. Set the ORACLE_HOME, ORACLE_INSTANCE and JAVA_HOME variables. For example, on LDAPHOST1:
Set ORACLE_HOME to the Oracle home directory.
Set ORACLE_INSTANCE to the Oracle instance directory.
Set JAVA_HOME to the Java home.
Set the PATH variable to include JAVA_HOME.
2. To enable SSL Server Authentication, use the tool SSLServerConfig, which is located in ORACLE_COMMON_HOME/bin. For example:
$ORACLE_COMMON_HOME/bin/SSLServerConfig.sh -component oid
When prompted, enter the following information:
LDAP Hostname: Central LDAP host, for example: POLICYSTORE.mycompany.com
LDAP port: For example: 389
Admin user DN: cn=orcladmin
Password: administrator_password
sslDomain for the CA: IDMDomain. Oracle recommends that the SSLDomain name be the same as the WebLogic domain name to make reference easier.
Password to protect your SSL wallet/keystore: password_for_local_keystore
Enter confirmed password for your SSL wallet/keystore: password_for_local_keystore
Password for the CA wallet: certificate_password. This is the one created in Section 6.3.1, "Generating a Certificate to be Used by the Identity Management Domain."
Country Name 2 letter code: Two letter country code, such as US
State or Province Name: State or province, for example: California
Locality Name: Enter the name of your city, for example: RedwoodCity
Organization Name: Company name, for example: mycompany
Organizational Unit Name: Leave at the default
Common Name: Name of this host, for example: LDAPHOST1.mycompany.com
OID component name: Name of your Oracle Instance, for example: oid1. If you need to determine what your OID component name is, execute the command:
OID_ORACLE_INSTANCE/bin/opmnctl status
WebLogic admin host: Host running the WebLogic Administration Server.
WebLogic admin port: For example: 7001
WebLogic admin user: Name of your WebLogic administration user, for example: weblogic
WebLogic password: password
AS instance name: Name of the Oracle instance, for example: oid1
SSL wallet name for OID component [oid_wallet1]: Accept the default
Do you want to restart your OID component: Yes
Do you want to test your SSL setup? Yes
SSL Port of your OID Server: 3131
Sample output:
Server SSL Automation Script: Release 11.1.1.4.0 - Production
Copyright (c) 2010 Oracle. All rights reserved.
Downloading the CA wallet from the central LDAP location...
>>>Enter the LDAP Hostname [SLC00DRA.mycompany.com]: POLICYSTORE.mycompany.com
>>>Enter the LDAP port [3060]: 3060
>>>Enter an admin user DN [cn=orcladmin]
>>>Enter password for cn=orcladmin:
>>>Enter the sslDomain for the CA [idm]: IDMDomain
>>>Enter a password to protect your SSL wallet/keystore:
>>>Enter confirmed password for your SSL wallet/keystore:
>>>Enter password for the CA wallet:
>>>Searching the LDAP for the CA usercertificate ...
Importing the CA certificate into trust stores...
>>>Searching the LDAP for the CA userpkcs12 ...
Invoking OID SSL Server Configuration Script...
Enter attribute values for your certificate DN
>>>Country Name 2 letter code [US]:
>>>State or Province Name [California]:
>>>Locality Name(eg, city) []:Redwood
>>>Organization Name (eg, company) [mycompany]:
>>>Organizational Unit Name (eg, section) [oid-20110524015634]:
>>>Common Name (eg, hostName.domainName.com) [SLC00XXX.mycompany.com]:
The subject DN is cn=SLC00DRA.mycompany.com,ou=oid-20110524015634,l=Redwood,st=California,c=US
Creating an Oracle SSL Wallet for oid instance...
/u01/oracle/products/access/idm/../oracle_common/bin
>>>Enter your OID component name: [oid1]
>>>Enter the weblogic admin server host [SLC00XXX.mycompany.com] ADMINVHN
>>>Enter the weblogic admin port: [7001]
>>>Enter the weblogic admin user: [weblogic]
>>>Enter weblogic password:
>>>Enter your AS instance name:[asinst_1] oid1
>>>Enter an SSL wallet name for OID component [oid_wallet1]
Checking the existence of oid_wallet1 in the OID server...
Configuring the newly generated Oracle Wallet with your OID component...
Do you want to restart your OID component?[y/n]y
Do you want to test your SSL set up?[y/n]y
>>>Please enter your OID ssl port:[3131] 3131
Please enter the OID hostname:[SLC00DRA.mycompany.com] LDAPHOST1.mycompany.com
>>>Invoking IDM_ORACLE_HOME/bin/ldapbind -h LDAPHOST1.mycompany.com -p 3131 -U 2 -D cn=orcladmin ...
Bind successful
Your oid1 SSL server has been set up successfully
Confirm that the script has been successful. The final ldapbind runs with -U 2, that is, SSL with server authentication only, so Bind successful shows that the new server wallet is accepted by a client that trusts the domain CA.
Repeat all the steps in this section for each Oracle Internet Directory instance.
To enable Fusion Applications to communicate with the Identity Management domain using SSL Server Authentication Mode, you must generate a client certificate and provide it to the Fusion Applications Provisioning process. You must provide a keystore containing the Trust point used by the Identity Management domain to the Fusion Applications.
To generate a keystore containing a client certificate, perform the following steps on LDAPHOST1:
1. Set ORACLE_HOME to the Oracle home directory.
2. Set JAVA_HOME to the Java home directory.
3. Ensure that JAVA_HOME is in your PATH variable.
4. To generate the certificate, use the tool SSLClientConfig.sh, which is located in ORACLE_COMMON_HOME/bin. For example:
./SSLClientConfig.sh -component cacert
As the command runs, enter the following values when prompted:
LDAP Host Name: Name of the host where the policy store is located.
LDAP Port: 389
LDAP User: cn=orcladmin
Password: Password_for_cn=orcladmin
SSL Domain: Domain name.
Keystore Password: Enter a password to protect the keystore
Confirm Password: Reenter the password.
This creates a file called trust.jks, which must be provided to the Fusion Applications Provisioning process. After creating this keystore, you must delete the private key that it contains, so that only the trust point leaves the host. Use the following command:
keytool -delete -keystore trust.jks -alias testkey -storepass store_password
Oracle Fusion Applications provisioning uses this file to validate that the Identity Management installation is set up appropriately before provisioning takes place. In addition to this certificate, the keystore must also contain the certificate used by the load balancer for SSO.mycompany.com.
Before you start this procedure, obtain a copy of the certificate by using your browser. First access https://SSO.mycompany.com:4443, then follow the instructions to download the certificate to a file. (Each browser does this differently.)
After you have obtained the certificate, load it into the keystore using the following command:
keytool -import -v -noprompt -trustcacerts -alias "OIM" -file loadbalancer.cer -keystore ORACLE_HOME/rootCA/keystores/common/trust.jks
where ORACLE_HOME is the Oracle home directory and loadbalancer.cer is the name of the file where the load balancer's SSL certificate is stored. Before handing the file over, confirm with keytool -list -v that every entry is a trustedCertEntry and that no PrivateKeyEntry remains. Once created, the keystore should be moved to the domain keystore location for consistency.
Identity Management Provisioning installs a single node environment with Oracle Internet Directory as the Identity Store in Oracle Access Manager. If you want to use Oracle Virtual Directory as the Identity Store instead of Oracle Internet Directory, proceed as follows:
1. Log in to the OAM Console, http://host:port/oamconsole, as the OAM administrator.
2. Click on the System Configuration tab at the top.
3. Navigate to Data Sources -> User Identity Stores -> OIMIDStore.
4. In the Store Type dropdown menu, select OVD: Oracle Virtual Directory.
5. In the Location field, provide the correct port number for OVD. Usually it is 6501. Leave the Host field unchanged.
6. Click Test Connection at the top right corner to validate the change.
7. If you get the Connection to the User Identity Store successful! message, click Apply to commit the change.
8. Restart the WebLogic Administration Server and the OAM Managed Server, or use the stopall and startall scripts to restart the environment.
Oracle Fusion Applications requires a property file which details the IDM deployment. After provisioning, this file can be found at the following location:
SHARED_CONFIG_DIR/fa/idmsetup.properties
where SHARED_CONFIG_DIR is the Shared Configuration Location you specified on the Install Location Configuration Page.
Perform the following task to ensure that Oracle Identity Manager works correctly after provisioning.
As a workaround for a bug in the Identity Management Provisioning tools, you must add an Oracle Identity Manager property. Perform the following steps:
1. Log in to the WebLogic Console.
2. Navigate to Environment -> Servers.
3. Click Lock and Edit.
4. Click on the managed server WLS_OIM1.
5. Click on the Server Start subtab.
6. Add the following to the Arguments field:
-Djava.net.preferIPv4Stack=true
7. Click Save.
8. Repeat Steps 4 through 7 for the managed server WLS_OIM2.
9. Click Activate Changes.
10. Restart the managed servers WLS_OIM1 and WLS_OIM2, as described in Section 16.1, "Starting and Stopping Components."
Perform the tasks in the following sections:
Update the OAM Security Model of all WebGate profiles, with the exception of Webgate_IDM and Webgate_IDM_11g, which should already be set. To do this, perform the following steps:
1. Log in to the Oracle Access Manager Console as the administration user.
2. Click the System Configuration tab.
3. Expand Access Manager Settings - SSO Agents.
4. Click OAM Agents and select Open from the Actions menu.
5. In the Search window, click Search.
6. Click an Agent, for example: IAMSuiteAgent.
7. Set the Security value to the security model you chose on the OAM Configuration screen of the Identity Management Provisioning Wizard. Select Simple for the security model, except on AIX, where only Open mode is supported. Open mode neither encrypts nor authenticates the WebGate-to-server channel, so on AIX restrict that network path to the WebGate and OAM hosts.
8. Click Apply.
9. Restart the managed WebLogic server.
In order to allow WebGate 11g to display the credential collector, you must add /oam to the list of public policies. Proceed as follows:
1. Log in to the OAM console.
2. Select the Policy Configuration tab.
3. Expand Application Domains - IAM Suite.
4. Click Resources.
5. Click Open.
6. Click New Resource.
7. Provide the following values:
Type: HTTP
Description: OAM Credential Collector
Host Identifier: IAMSuiteAgent
Resource URL: /oam
Protection Level: Unprotected
Authentication Policy: Public Policy
Leave all other fields at their default values.
8. Click Apply.
Perform the tasks in the following sections:
Start the managed WebLogic server, as follows:
1. Stop all the components.
2. Update the Oracle Identity Federation property file oif_startup.conf to automatically start Oracle Identity Federation. Edit the file so that it looks like this:
#
# OIF is enabled OOTB for Shared IDM
#
# OIF_ENABLED indicates whether or not OIF should be started/stopped
# as part of the startoif.sh/stopoif.sh scripts. Valid values are true or false
# If false, the OIF will not be started or stopped
OIF_ENABLED=true
# OPMN_EMAGENT_MANAGED_BY_OIF_SCRIPT indicates whether or not OPMN and
# the EMAgent components for the OIM domain should be started, when OIF is enabled.
# Valid values are true or false. If false, OPMN and the EMAgent components will not
# be started or stopped when OIF is enabled.
# If OIF is disabled, OPMN and the EMAgent components will not be started or stopped
OPMN_EMAGENT_MANAGED_BY_OIF_SCRIPT=true
3. Save the file.
4. Start all the components.
In Service Provider (SP) mode, Oracle Access Manager delegates user authentication to Oracle Identity Federation, which uses the Federation Oracle Single Sign-On protocol with a remote Identity Provider. Once the Federation Oracle Single Sign-On flow is performed, Oracle Identity Federation will create a local session and then propagates the authentication state to Oracle Access Manager, which maintains the session information.
This section provides the steps to integrate OIF with OAM11g in authentication mode and SP mode.
This section contains the following topics:
Oracle Access Manager ships with an Oracle Identity Federation Authentication Scheme. This scheme needs to be updated before it can be used. To update the scheme, log in to the OAM console as the OAM administration user. Then perform the following steps:
1. Click the Policy Configuration tab.
2. Expand Authentication Schemes under the Shared Components tree.
3. Select OIFScheme from under the Authentication Schemes and then select Open from the menu.
4. On the Authentication Schemes page, provide the following information:
Challenge URL: https://SSO.mycompany.com:443/fed/user/spoam11g
Context Type: Select external from the list.
Accept the defaults for all other values.
5. Click Apply to update the OIFScheme.