Oracle® Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management (Oracle Fusion Applications Edition) 11g Release 7 (11.1.7) Part Number E21032-21
The provisioning process includes several validation checks to ensure that everything is working correctly. This chapter describes additional checks that you can perform for additional sanity checking.
This chapter contains the following sections:
Section 14.2, "Validating the Oracle Access Manager Configuration"
Section 14.3, "Validating Oracle Directory Services Manager (ODSM)"
Section 14.5, "Validating WebGate and the Oracle Access Manager Single Sign-On Setup"
Validate the WebLogic Administration Server as follows.
Verify that you can access the administration console by accessing the URL:
http://admin.mycompany.com/console and logging in as the user weblogic_idm
Verify that all managed servers are showing a status of Running.
Verify that you can access Oracle Enterprise Manager Fusion Middleware Control by accessing the URL:
http://admin.mycompany.com/em and logging in as the user weblogic_idm
Test failover of the Administration Server to IDMHOST2 and then fail back to IDMHOST1, as described in Section 16.8, "Manually Failing Over the WebLogic Administration Server."
To validate that this has completed correctly:
Access the OAM console at: http://ADMIN.mycompany.com/oamconsole
Log in as the user identified by the entry in Section 8.2, "Update User Names in Provisioning Response File."
Click the System Configuration tab
Expand Access Manager Settings - SSO Agents - OAM Agents.
Click the open folder icon, then click Search.
You should see the WebGate agents Webgate_IDM, Webgate_IDM_11g, and IAMSuiteAgent.
Validate the Application Tier configuration as follows:
Follow these steps to validate that you can connect to the Oracle Directory Services Manager site in a browser:
In a web browser, verify that you can connect to Oracle Directory Services Manager (ODSM) at:
http://HOSTNAME.mycompany.com:port/odsm
For example, on IDMHOST1, enter this URL, where 7005 is ODSM_PORT in Section 6.1, "Assembling Information for Identity Management Provisioning."
http://IDMHOST1.mycompany.com:7005/odsm
and on IDMHOST2, enter this URL:
http://IDMHOST2.mycompany.com:7005/odsm
In a web browser, verify that you can access ODSM through the load balancer address:
http://ADMIN.mycompany.com/odsm
Validate that Oracle Directory Services Manager can create connections to Oracle Internet Directory.
Create a connection to the Oracle Internet Directory on each ODSM instance separately. Even though ODSM is clustered, the connection details are local to each node. Proceed as follows:
Set environment variables. Set ORACLE_HOME to IDM_ORACLE_HOME, ORACLE_INSTANCE to OID_ORACLE_INSTANCE, and JAVA_HOME to JAVA_HOME. Set PATH to include JAVA_HOME.
Launch Oracle Directory Services Manager from IDMHOST1:
http://IDMHOST1.mycompany.com:7005/odsm
Create a connection to the Oracle Internet Directory virtual host by providing the following information in ODSM:
Server: OIDSTORE.mycompany.com
Port: 636 (LDAP_LBR_SSL_PORT)
Enable the SSL option
User: cn=orcladmin
Password: ldap-password
Launch Oracle Directory Services Manager from IDMHOST2:
http://IDMHOST2.mycompany.com:7005/odsm
Follow Step 3 to create a connection to the Oracle Internet Directory virtual host from IDMHOST2 by providing the corresponding information in ODSM.
Note:
Accept the certificate when prompted.
Validate Oracle Identity Manager as follows.
To validate the Oracle Internet Directory instances, ensure that you can connect to each Oracle Internet Directory instance and the load balancing router using these commands:
Note:
Ensure that the following environment variables are set before using ldapbind:
ORACLE_HOME (set to IDM_ORACLE_HOME)
OID_ORACLE_INSTANCE
PATH - the following directory locations should be in your PATH:
ORACLE_HOME/bin
ORACLE_HOME/ldap/bin
ORACLE_HOME/ldap/admin
ldapbind -h LDAPHOST1.mycompany.com -p 3060 -D "cn=orcladmin" -q
ldapbind -h LDAPHOST1.mycompany.com -p 3131 -D "cn=orcladmin" -q -U 1
ldapbind -h LDAPHOST2.mycompany.com -p 3060 -D "cn=orcladmin" -q
ldapbind -h LDAPHOST2.mycompany.com -p 3131 -D "cn=orcladmin" -q -U 1
ldapbind -h OIDIDSTORE.mycompany.com -p 389 -D "cn=orcladmin" -q
ldapbind -h OIDIDSTORE.mycompany.com -p 636 -D "cn=orcladmin" -q -U 1
Note:
The -q option prompts the user for a password. LDAP Tools have been modified to disable the options -w password and -P password when the environment variable LDAP_PASSWORD_PROMPTONLY is set to TRUE or 1. Use this feature whenever possible.
To validate the Oracle Virtual Directory instances, ensure that you can connect to each Oracle Virtual Directory instance and the load balancing router using these ldapbind commands:
ldapbind -h LDAPHOST1.mycompany.com -p 6501 -D "cn=orcladmin" -q
ldapbind -h LDAPHOST2.mycompany.com -p 6501 -D "cn=orcladmin" -q
ldapbind -h IDSTORE.mycompany.com -p 389 -D "cn=orcladmin" -q
ldapbind -h LDAPHOST1.mycompany.com -p 7501 -D "cn=orcladmin" -q -U 1
ldapbind -h LDAPHOST2.mycompany.com -p 7501 -D "cn=orcladmin" -q -U 1
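As an added example (not part of the Oracle guide), the following POSIX shell script automates the Oracle Internet Directory and Oracle Virtual Directory bind checks above: it first verifies the environment the note requires, then runs one ldapbind per endpoint listed in this section with LDAP_PASSWORD_PROMPTONLY set, so the password is only ever typed at the prompt. Host names, ports and the bind DN are the guide's own placeholders; the function names are assumptions of this example.

```shell
# Added example, not from the Oracle guide: verify the ldapbind environment the
# note requires, then bind once to every OID and OVD endpoint in this section.
# Return 0 if ORACLE_HOME and OID_ORACLE_INSTANCE are set and the three
# ORACLE_HOME tool directories are on PATH; else report to stderr and return 1.
check_ldap_env() {
  rc=0
  [ -n "$ORACLE_HOME" ] || { echo "ORACLE_HOME is not set" >&2; rc=1; }
  [ -n "$OID_ORACLE_INSTANCE" ] || { echo "OID_ORACLE_INSTANCE is not set" >&2; rc=1; }
  for d in bin ldap/bin ldap/admin; do
    case ":$PATH:" in
      *":$ORACLE_HOME/$d:"*) ;;
      *) echo "PATH is missing $ORACLE_HOME/$d" >&2; rc=1 ;;
    esac
  done
  return $rc
}
# Arguments for one endpoint (host, port, ssl flag). -q prompts for the password;
# an SSL port gets -U 1 (server-only authentication), as in the guide's commands.
bind_args() {
  if [ "$3" = 1 ]; then echo "-h $1 -p $2 -D cn=orcladmin -q -U 1"
  else echo "-h $1 -p $2 -D cn=orcladmin -q"; fi
}
# Endpoints from this section (host port ssl-flag): OID nodes and the OID load
# balancer, then OVD nodes and the OVD load balancer. Substitute real values.
LDAP_ENDPOINTS='LDAPHOST1.mycompany.com 3060 0
LDAPHOST1.mycompany.com 3131 1
LDAPHOST2.mycompany.com 3060 0
LDAPHOST2.mycompany.com 3131 1
OIDIDSTORE.mycompany.com 389 0
OIDIDSTORE.mycompany.com 636 1
LDAPHOST1.mycompany.com 6501 0
LDAPHOST2.mycompany.com 6501 0
IDSTORE.mycompany.com 389 0
LDAPHOST1.mycompany.com 7501 1
LDAPHOST2.mycompany.com 7501 1'
# Bind to each endpoint (password prompted each time); return the number of failures.
run_ldap_checks() {
  check_ldap_env || return 1
  export LDAP_PASSWORD_PROMPTONLY=1   # disables the -w/-P password options
  failed=0
  while read -r host port ssl; do
    if ldapbind $(bind_args "$host" "$port" "$ssl")
    then echo "OK   $host:$port"
    else echo "FAIL $host:$port"; failed=$((failed + 1)); fi
  done <<EOF
$LDAP_ENDPOINTS
EOF
  return $failed
}
```

Source the script and call run_ldap_checks on a host where the Oracle LDAP tools are installed; a non-zero return means at least one instance or load balancer address did not accept the bind.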
You can manually verify that the SSL connection has been set up correctly by generating a wallet and then using that wallet to access Oracle Internet Directory. Proceed as follows:
Execute the command
cd ORACLE_COMMON_HOME/bin
./SSLClientConfig.sh -component cacert
providing the following inputs:
LDAP host name: Name of the Oracle Internet Directory server containing the Domain Certificate
LDAP port: Port used to access Oracle Internet Directory (OID_LDAP_PORT), for example: 3060
LDAP User: Oracle Internet Directory admin user, for example: cn=orcladmin
Password: Oracle Internet Directory admin user password
SSL Domain for CA: This is IDMDomain.
Password for truststore: This is the password you want to assign to your wallet.
When the command executes, it generates wallets in the directory IDM_ORACLE_HOME/rootCA/keystores/common
Now that you have a wallet, you can test that authentication is working by executing the command:
ldapbind -h LDAPHOST1.mycompany.com -p 3131 -U 2 -D cn=orcladmin -q -W "file:IDM_ORACLE_HOME/rootCA/keystores/common" -Q
You will be prompted for your Oracle Internet Directory password and for the wallet password. If the bind is successful, the SSL connection has been set up correctly.
Validate the Oracle Identity Manager Server Instance by bringing up the Oracle Identity Manager Console in a web browser at:
https://SSO.mycompany.com:443/oim
Log in using the xelsysadm username and password.
Validate SOA by accessing the URL:
http://IDMINTERNAL.mycompany.com:80/soa-infra
and logging in using the xelsysadm username and password.
Validate the Oracle Identity Manager Server Instance by bringing up the Oracle Identity Manager Console in a web browser at:
https://SSO.mycompany.com/oim
Log in using the xelsysadm username and password.
Note:
When you log in for the first time, you are prompted to set up Challenge Questions. Please do so before proceeding further.
Validate Oracle SOA Suite using the URL:
http://IDMINTERNAL.mycompany.com/soa-infra
Log in as the weblogic_idm user.
To validate that WebGate is functioning correctly, open a web browser and go to the OAM console at: http://ADMIN.mycompany.com/oamconsole
You now see the Oracle Access Manager Login page displayed. Enter your OAM administrator user name (for example, oamadmin) and password and click Login. Then you see the Oracle Access Manager console displayed.
To validate the single sign-on setup, open a web browser and go to the WebLogic Administration Console at http://ADMIN.mycompany.com/console
and to Oracle Enterprise Manager Fusion Middleware Control at: http://ADMIN.mycompany.com/em
The Oracle Access Manager Single Sign-On page displays. Provide the credentials for the weblogic_idm user to log in.