Because of integrated deployment of Oracle Identity Manager with other applications, such as Oracle Access Manager (OAM), and configuration changes in those applications, various configuration changes might be required in Oracle Identity Manager and Oracle WebLogic Server. These configuration changes are described in the following sections:
Oracle Identity Manager uses various hostnames and ports in its configuration because of architectural and middleware requirements. This section describes how to make the corresponding changes in the Oracle Identity Manager and Oracle WebLogic configuration when an integrated or dependent application changes.
This section contains the following topics:
This section consists of the following topics:
Changing OimFrontEndURL in Oracle Identity Manager Configuration
Changing backOfficeURL in Oracle Identity Manager Configuration
Note:
When additional Oracle Identity Manager nodes are added or removed, perform the procedures described in these sections to configure Oracle Identity Manager host and port changes.

The OimFrontEndURL is the URL used to access the Oracle Identity Manager UI. This can be a load balancer URL or Web server URL, depending on whether the application server is fronted with a load balancer or Web server, or a single application server URL. Oracle Identity Manager uses it in notification e-mails and as the callback URL for SOA calls.
The change may be necessary because of change in Web server hostname or port for Oracle Identity Manager deployment in a clustered environment, or WebLogic managed server hostname or port changes for Oracle Identity Manager deployment in a nonclustered environment.
To change the OimFrontEndURL in Oracle Identity Manager configuration:
Login to Enterprise Manager by using the following URL when the WebLogic Administrative Server and Oracle Identity Manager managed servers, at least one of the servers in case of a clustered deployment, are running:
http://ADMIN_SERVER/em
Navigate to Identity and Access, oim.
Right-click oim, and navigate to System MBean Browser.
Under Application Defined MBeans, navigate to oracle.iam, Application:oim, XMLConfig, Config, XMLConfig.DiscoveryConfig, and then Discovery.
Enter the new value for the OimFrontEndURL attribute, and click Apply to save the changes. Example values can be:
http://OIM_SERVER:OIM_PORT
https://myoim.mydomain.com
https://myoimserver.mydomain.com:14001
Note:
SPML clients store the Oracle Identity Manager URL that they use to invoke SPML and to receive callback responses, so they must be updated whenever this URL changes. In addition, if Oracle Identity Manager is integrated with OAM, OAAM, or Oracle Identity Navigator (OIN), corresponding changes may be necessary in those products. For more information, refer to the OAM, OAAM, and OIN documentation on the Oracle Technology Network (OTN) Web site.

Changing backOfficeURL is required only for Oracle Identity Manager deployed in a front-office and back-office configuration. This change does not apply to simple clustered or nonclustered deployments. This URL is used internally by Oracle Identity Manager for accessing back-office components from the front-office components. You might change the value of this attribute during the implementation of the back-office and front-office configuration, when adding servers to the back office, and when removing servers from the back office.
To change the value of the backOfficeURL attribute:
Login to Enterprise Manager by using the following URL when the WebLogic Administrative Server and Oracle Identity Manager managed servers, at least one of the servers in case of a clustered deployment, are running:
http://ADMIN_SERVER/em
Navigate to Identity and Access, and then oim.
Right-click oim, and navigate to System MBean Browser.
Under Application Defined MBeans, navigate to oracle.iam, Application:oim, XMLConfig, Config, XMLConfig.DiscoveryConfig, Discovery.
Enter a new value for the BackOfficeURL attribute, and click Apply to save the changes. Example values can be:
t3://mywls1.mydomain.com:8001
t3://mywls1.mydomain.com:8001,mywls2.mydomain.com:9001
Note:
The value of the BackOfficeURL attribute must be empty for simple clustered and nonclustered Oracle Identity Manager deployments, that is, deployments without a separate back office.

This section describes the configuration areas where the database hostname and port number are used.
After installing Oracle Identity Manager, if there are any changes in the database hostname or port number, then the following changes are required:
Note:
Before making changes to the database host and port, shut down the managed servers hosting Oracle Identity Manager. You can keep the Oracle WebLogic Administrative Server running.

To change datasource oimJMSStoreDS configuration:
In the WebLogic Administration Console, navigate to Services, JDBC, Data Sources, and then oimJMSStoreDS.
Click the Connection Pool tab.
Modify the values of the URL and Properties fields to reflect the changes to database host and port.
To change datasource oimOperationsDB configuration:
Navigate to Services, JDBC, Data Sources, and then oimOperationsDB.
Click the Connection Pool tab.
Modify the values of the URL and Properties fields to reflect the changes to database host and port.
To change the datasource related to Oracle Identity Manager Meta Data Store (MDS) configuration:
Navigate to Services, JDBC, Data Sources, and then mds-oim.
Click the Connection Pool tab.
Modify the values of the URL and Properties fields to reflect the changes in the database host and port.
To change OIMAuthenticationProvider configuration:
In the WebLogic Administrative console, navigate to Security Realms, myrealm, and then Providers.
Click OIMAuthenticationProvider.
Click Provider Specific.
Modify the value of the DBUrl field to reflect the change in hostname and port.
Note:
If Service Oriented Architecture (SOA) and Oracle Web Services Manager (OWSM) undergo configuration changes, then you must make similar changes for the datasources related to SOA or OWSM.

After making changes in the datasources, restart the Oracle WebLogic Administrative Server, and start the Oracle Identity Manager managed WebLogic servers.
Note:
Whenever Oracle Identity Manager application configuration is changed by using the OIM App Config MBeans from the Enterprise Manager (EM) console, at least one of the Oracle Identity Manager Managed Servers must be running. Otherwise, the OIM App Config MBeans are not visible in the EM console.

To change DirectDB configuration:
Login to Enterprise Manager by using the following URL:
http://ADMIN_SERVER/em
Navigate to Identity and Access, and then oim.
Right-click oim, and navigate to System MBean Browser under Application Defined MBeans.
Navigate to oracle.iam, Application:oim, XMLConfig, Config, XMLConfig.DirectDBConfig, and then DirectDB.
Enter the new value for the URL attribute to reflect the changes to host and port, and then apply the changes.
Note:
When an Oracle Identity Manager single-instance deployment is changed to Oracle Real Application Clusters (Oracle RAC), or Oracle RAC is changed to a single-instance deployment, change the oimJMSStoreDS, oimOperationsDB, and mds-oim datasources. In addition to the generic changes that convert these datasources to a multi-datasource configuration, change the OIMAuthenticationProvider and domain credential store configurations to reflect the Oracle RAC URL. For information about these generic changes, see Oracle Fusion Middleware High Availability Guide.

See "Oracle Identity Manager Database Host and Port Changes" for information about changing the port at the database.
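The database host and port live in five places (the three datasources, the OIMAuthenticationProvider DBUrl field, and the DirectDB URL attribute), and a change that reaches four of them leaves the server failing at startup or at first authentication. The following Python helper is an added example, not Oracle's code: it rewrites only the host and port of an Oracle JDBC thin URL, keeping the SID or service name and the URL style, and reports how many distinct endpoints are still configured. It handles the two thin-URL forms shown on this page; TNS descriptors (the RAC case in the note above) are deliberately rejected. The sample URLs are constructed.

```python
"""Rewrite the database host and port in an Oracle JDBC thin URL.

Added example, not from the Oracle documentation. The same URL shape appears in
the oimJMSStoreDS, oimOperationsDB and mds-oim datasources, the
OIMAuthenticationProvider DBUrl field and the DirectDB URL attribute; rewriting
all of them with one function keeps them consistent. Sample URLs are constructed.
"""
import re

# jdbc:oracle:thin:@host:port:SID         (SID style, as in the DBURL examples on this page)
# jdbc:oracle:thin:@//host:port/service   (service-name style)
_SID_RE = re.compile(r"^jdbc:oracle:thin:@(?!//)([^:/@]+):(\d+):([^:/]+)$")
_SERVICE_RE = re.compile(r"^jdbc:oracle:thin:@//([^:/@]+):(\d+)/([^:/]+)$")


def parse_thin_url(url):
    """Return (host, port, name, style) with style 'sid' or 'service'."""
    m = _SID_RE.match(url)
    if m:
        return m.group(1), int(m.group(2)), m.group(3), "sid"
    m = _SERVICE_RE.match(url)
    if m:
        return m.group(1), int(m.group(2)), m.group(3), "service"
    # TNS descriptors (RAC) are deliberately not handled; see the RAC note above.
    raise ValueError(f"unsupported JDBC URL: {url!r}")


def rewrite_thin_url(url, new_host, new_port):
    """Replace only host and port; SID/service name and URL style are kept."""
    new_port = int(new_port)
    if not 0 < new_port < 65536:
        raise ValueError(f"bad port {new_port}")
    _, _, name, style = parse_thin_url(url)
    if style == "sid":
        return f"jdbc:oracle:thin:@{new_host}:{new_port}:{name}"
    return f"jdbc:oracle:thin:@//{new_host}:{new_port}/{name}"


def rewrite_all(configured, new_host, new_port):
    """configured: {location: url}. Returns {location: (old, new)} for the change record."""
    return {where: (url, rewrite_thin_url(url, new_host, new_port))
            for where, url in configured.items()}


def endpoints(configured):
    """Distinct (host, port) pairs across all locations; more than one means a missed update."""
    return {parse_thin_url(url)[:2] for url in configured.values()}


if __name__ == "__main__":
    # Constructed: every place the DB host and port live, from the steps above.
    current = {
        "oimJMSStoreDS": "jdbc:oracle:thin:@dbhostname:5521:orclsid",
        "oimOperationsDB": "jdbc:oracle:thin:@dbhostname:5521:orclsid",
        "mds-oim": "jdbc:oracle:thin:@dbhostname:5521:orclsid",
        "OIMAuthenticationProvider.DBUrl": "jdbc:oracle:thin:@dbhostname:5521:orclsid",
        "DirectDB.URL": "jdbc:oracle:thin:@dbhostname:5521:orclsid",
    }
    for where, (old, new) in rewrite_all(current, "newdb.mydomain.com", 1521).items():
        print(f"{where}: {old} -> {new}")
    print("endpoints after change:", endpoints({k: v[1] for k, v in rewrite_all(current, "newdb.mydomain.com", 1521).items()}))
```

Run it against the values copied out of the console before you start clicking, then again after, and treat more than one entry in endpoints() as an incomplete change.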
When LDAP synchronization is enabled, Oracle Identity Manager connects with directory servers through Oracle Virtual Directory (OVD). This connection takes place by using LDAP/LDAPS protocol.
To change OVD host and port:
Login to Oracle Identity System Administration.
Under Configuration, click IT Resource.
From the IT Resource Type list, select Directory Server , and click Search.
Edit the Directory Server IT resource. To do so:
If the value of the Use SSL field is set to False, then edit the Server URL field. If the value of the Use SSL field is set to True, then edit the Server SSL URL field.
Click Update.
See Also:
See "Updating Oracle Identity Manager for OVD Host/Port" for information about changing the OVD port at the OVD/LDAP server.

BI Publisher can be accessed by clicking a link in the Oracle Identity Manager UI for reporting purposes. This URL is based on a configuration value on the Oracle Identity Manager side. If the BI Publisher host or port changes, then make the following change in Oracle Identity Manager:
Login to Enterprise Manager by using the following URL when the WebLogic Administrative Server and Oracle Identity Manager managed servers, at least one of the servers in case of a clustered deployment, are running:
http://ADMIN_SERVER/em
Navigate to Identity and Access, oim.
Right-click oim, and navigate to System MBean Browser.
Under Application Defined MBeans, navigate to oracle.iam, Application:oim, XMLConfig, Config, XMLConfig.DiscoveryConfig, Discovery.
Enter a new value for the BIPublisherURL attribute, and click Apply to save the changes.
To change the SOA host and port:
Note:
When additional SOA nodes are added or removed, perform this procedure to change the SOA host and port.

Login to Enterprise Manager by using the following URL when the WebLogic Administrative Server and Oracle Identity Manager managed servers, at least one of the servers in case of a clustered deployment, are running:
http://ADMIN_SERVER/em
Navigate to Identity and Access, oim.
Right-click oim, and navigate to System MBean Browser.
Under Application Defined MBeans, navigate to oracle.iam, Application:oim, XMLConfig, Config, XMLConfig.SOAConfig, SOAConfig.
Change the value of the Rmiurl attribute, and click Apply to save the changes.
The Rmiurl attribute is used for accessing SOA EJBs deployed on SOA managed servers. This is the application server URL. For a clustered deployment of Oracle Identity Manager, it is a comma-separated list of all the SOA managed server URLs. Example values for this attribute can be:
t3://mysoa1.mydomain.com:8001
t3s://mysoaserver1.mydomain.com:8002,mysoa2.mydomain.com:8002
t3://mysoa1.mydomain.com:8001,mysoa2.mydomain.com:8002,mysoa3.mydomain.com:8003
Change the value of the Soapurl attribute, and click Apply to save the changes.
The Soapurl attribute is used for accessing SOA Web services deployed on SOA managed servers. This is the Web server and load balancer URL for a SOA cluster front-ended with Web server and load balancer. It can be application server URL for a single SOA server.
The example values for this attribute can be:
http://myoimsoa.mydomain.com
https://mysoaserver.mydomain.com:8002
Change the SOA JNDIProvider host and port. To do so:
Login to WebLogic Administration Console.
In the Domain Structure section, navigate to OIM_DOMAIN, Services, Foreign JNDI Providers.
Click ForeignJNDIProvider-SOA.
In the Configuration tab, verify that the General subtab is active.
Change the value of Provider URL to the Rmiurl provided in Step 5.
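The MBean browser accepts whatever string you paste, and a malformed OimFrontEndURL, Rmiurl or Soapurl only shows up later as a failed callback or a SOA request that never returns. The following Python script is an added example, not part of the Oracle documentation or product, that checks the values before you apply them, using only the formats shown in the sections above: http or https with host and optional port and no path for OimFrontEndURL, BIPublisherURL and Soapurl; a single t3 or t3s scheme followed by a comma-separated host:port list for Rmiurl and BackOfficeURL; and BackOfficeURL left empty unless a front-office/back-office split is in use. The attribute names are the MBean attributes from this page; the sample values are constructed.

```python
"""Sanity checks for the Discovery and SOAConfig URL attributes before applying them.

Added example (not Oracle's code). Encodes the value formats shown on this page:
  http/https, host[:port], no path   -> OimFrontEndURL, BIPublisherURL, Soapurl
  t3|t3s://host:port[,host:port...]  -> BackOfficeURL, Rmiurl
"""
from urllib.parse import urlsplit

HTTP_ATTRS = {"OimFrontEndURL", "BIPublisherURL", "Soapurl"}
T3_ATTRS = {"BackOfficeURL", "Rmiurl"}


def _check_http(attr, value, problems):
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https"):
        problems.append(f"{attr}: scheme must be http or https, got {parts.scheme!r}")
        return
    if not parts.hostname:
        problems.append(f"{attr}: missing host")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        problems.append(f"{attr}: must be scheme://host[:port] with no path or query")
    elif value.endswith("/"):
        problems.append(f"{attr}: drop the trailing slash")
    try:
        parts.port  # raises ValueError for a non-numeric or out-of-range port
    except ValueError:
        problems.append(f"{attr}: invalid port")


def _check_t3(attr, value, problems):
    scheme, sep, rest = value.partition("://")
    if not sep or scheme not in ("t3", "t3s"):
        problems.append(f"{attr}: must start with t3:// or t3s://")
        return
    for entry in (e.strip() for e in rest.split(",")):
        if "://" in entry:
            problems.append(f"{attr}: entry {entry!r} repeats the scheme; give it once, then host:port,host:port")
            continue
        host, colon, port = entry.rpartition(":")
        if not colon or not host or not port.isdigit() or not 0 < int(port) < 65536:
            problems.append(f"{attr}: entry {entry!r} must be host:port")


def check_config(values, ssl_enabled=False, backoffice=False):
    """Return a list of findings for {attribute: new value}; empty means apply it."""
    problems = []
    for attr, value in values.items():
        value = value.strip()
        if attr == "BackOfficeURL" and not backoffice:
            # Per the note above: empty for simple clustered and nonclustered deployments.
            if value:
                problems.append("BackOfficeURL: must be empty unless a front-office/back-office split is used")
            continue
        if attr in HTTP_ATTRS:
            _check_http(attr, value, problems)
        elif attr in T3_ATTRS:
            _check_t3(attr, value, problems)
        else:
            problems.append(f"{attr}: not a Discovery/SOAConfig URL attribute")
            continue
        if ssl_enabled and value.partition("://")[0] in ("http", "t3"):
            problems.append(f"{attr}: SSL is enabled but {value!r} uses a plaintext scheme")
    return problems


if __name__ == "__main__":
    # Constructed values for a clustered, SSL-enabled deployment.
    proposed = {
        "OimFrontEndURL": "https://myoim.mydomain.com",
        "Rmiurl": "t3s://mysoaserver1.mydomain.com:8002,mysoa2.mydomain.com:8002",
        "Soapurl": "https://mysoaserver.mydomain.com:8002",
        "BackOfficeURL": "",
    }
    for finding in check_config(proposed, ssl_enabled=True) or ["no problems found"]:
        print(finding)
```

The ssl_enabled flag is there for the SSL procedures later on this page: once the SSL listen ports are on, an http or t3 value left behind silently keeps that leg of the traffic in the clear.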
To change the OAM host and port:
Login to Enterprise Manager by using the following URL when the WebLogic Administrative Server and Oracle Identity Manager managed servers, at least one of the servers for a clustered deployment, are running:
http://ADMIN_SERVER/em
Navigate to Identity and Access, and then to oim.
Right-click oim, and navigate to System MBean Browser.
Under Application Defined MBeans, navigate to oracle.iam, Application:oim, XMLConfig, Config, XMLConfig.SSOConfig, and then SSOConfig.
Change the values of the AccessServerHost and AccessServerPort attributes and other attributes as required, and click Apply to save the changes.
Various passwords are used in the Oracle Identity Manager configuration because of architectural and middleware requirements. This section describes the default passwords and how to change them in the Oracle Identity Manager and Oracle WebLogic configuration when a dependent or integrated product changes.
This section consists of the following topics:
Changing Oracle Identity Manager Administrator Database Password
Changing Oracle Identity Manager Passwords in the Credential Store Framework
Changing Oracle Identity Manager Administrator Password in LDAP
Unlocking Oracle Identity Manager Administrator Password in LDAP
To change Oracle WebLogic administrator password:
Login to WebLogic Administrative console.
Navigate to Security Realms, myrealm, Users and Groups, weblogic, Password.
In the New Password field, enter the new password.
In the Confirm New Password field, re-enter the new password.
Click Apply.
Weblogic credentials must be updated in the following places:
Foreign JNDI Provider. To do so:
Login to WebLogic Administrative Console.
In the Domain Structure section, navigate to OIM_DOMAIN, Services, Foreign JNDI Providers.
Click ForeignJNDIProvider-SOA.
In the Configuration tab, verify that the General subtab is active.
Provide weblogic user's new password in the password and confirm password fields.
SOAAdminPassword in CSF. See "Changing Oracle Identity Manager Passwords in the Credential Store Framework" for details.
During Oracle Identity Manager installation, the installer prompts for the Oracle Identity Manager administrator password. If required, you can change the administrator password after the installation is complete. To do so, you must login to Oracle Identity Manager Self Service as Oracle Identity Manager administrator. For information about how to change the administrator password, see "Changing Password" in the Oracle Fusion Middleware User's Guide for Oracle Identity Manager.
When you change the Oracle Identity Manager system administrator password, you must also update the password in the OIMAdmin key under the oracle.wsm.security map in CSF.
Note:
If OAM or OAAM is integrated with Oracle Identity Manager, then you must make corresponding changes in those applications. For more information, refer to the OAM and OAAM documentation on the Oracle Technology Network (OTN) Web site at the following URL:
http://www.oracle.com/technetwork/indexes/documentation/index.html
This section describes resetting Oracle Identity Manager password in the following types of deployments:
Oracle Identity Manager deployment without LDAP synchronization
Oracle Identity Manager deployment with LDAP synchronization enabled
Oracle Identity Manager deployment that is integrated with Access Manager (OAM)
Resetting System Administrator password can be performed by using the oimadminpasswd_wls.sh utility, which is available in the OIM_HOME/server/bin/ directory. The steps to run the oimadminpasswd_wls.sh utility are the same for both types of deployment: Oracle Identity Manager with LDAP synchronization enabled and without LDAP synchronization enabled.
This section describes resetting Oracle Identity Manager password in the following topics:
To reset System Administrator database password:
As a prerequisite for running the oimadminpasswd_wls.sh utility, open the OIM_HOME/server/bin/oimadminpasswd_wls.properties file in a text editor, and set values for the following properties:
JAVA_HOME: Set this to jdk6 or later, for example:
JAVA_HOME=/opt/softwares/shiphome/jdk160_24
COMMON_COMPONENTS_HOME: This is Oracle Middleware common home directory, for example:
COMMON_COMPONENTS_HOME=/opt/softwares/shiphome/oracle_common
OIM_ORACLE_HOME: This is Oracle Identity Manager Oracle home directory, for example:
OIM_ORACLE_HOME=/opt/softwares/shiphome/Oracle_IDM1
ORACLE_SECURITY_JPS_CONFIG: Specify the jps-config-jse.xml file location present in Oracle Identity Manager Domain, for example:
ORACLE_SECURITY_JPS_CONFIG=/opt/softwares/shiphome/user_projects/domains/base_domain/config/fmwconfig/jps-config-jse.xml
DOMAIN_HOME: Specify Oracle Identity Manager Domain Home location of the Weblogic Application Server, for example:
DOMAIN_HOME=/opt/softwares/shiphome/user_projects/domains/base_domain
DBURL: Oracle Identity Manager database URL, for example:
DBURL=jdbc:oracle:thin:@dbhostname:5521:orclsid
DBSCHEMAUSER: Oracle Identity Manager schema username, for example:
DBSCHEMAUSER=DEV_OIM
OIM_OAM_INTG_ENABLED: Set this to false if Oracle Identity Manager deployment is not integrated with Access Manager, for example:
OIM_OAM_INTG_ENABLED=false
Note:
Other properties, such as LDAPURL, LDAPADMINUSER, and OIM_ADMIN_LDAP_DN, can be ignored because they are used only in a setup where Oracle Identity Manager is integrated with Access Manager.

Go to the OIM_HOME/server/bin/ directory, and run the following command:
sh oimadminpasswd_wls.sh oimadminpasswd_wls.properties
The following is a sample output:
Enter OIM DB Schema Password :
Enter OIM Adminstrator xelsysadm new Password:
Re-enter OIM Adminstrator xelsysadm new Password:
WARNING: Not able to fetch OIMPlatform instance for the given Platform. Hence defaulting to the OIMWebLogicPlatform
OIM Admin user xelsysadm password reset successfully in OIMDB
Note:
The warning messages that are displayed while running the oimadminpasswd_wls.sh script can be ignored.

If Oracle Identity Manager is integrated with OAM, then an LDAP directory, such as Oracle Internet Directory, is used for all authentication. Therefore, the Oracle Identity Manager Administrator (xelsysadm) password is reset in LDAP. Although the xelsysadm password in the Oracle Identity Manager database is not used for authentication in this topology, it is reset as well so that the passwords in both repositories stay in sync.
To reset System Administrator database password when Oracle Identity Manager Deployment is Integrated With Access Manager:
As a prerequisite for running the oimadminpasswd_wls.sh utility, open the OIM_HOME/server/bin/oimadminpasswd_wls.properties file in a text editor, and set values for the following properties:
JAVA_HOME: Set this to jdk6 or later, for example:
JAVA_HOME=/opt/softwares/shiphome/jdk160_24
COMMON_COMPONENTS_HOME: This is Oracle Middleware common home directory, for example:
COMMON_COMPONENTS_HOME=/opt/softwares/shiphome/oracle_common
OIM_ORACLE_HOME: This is Oracle Identity Manager Oracle home directory, for example:
OIM_ORACLE_HOME=/opt/softwares/shiphome/Oracle_IDM1
ORACLE_SECURITY_JPS_CONFIG: Specify the jps-config-jse.xml file location present in Oracle Identity Manager Domain, for example:
ORACLE_SECURITY_JPS_CONFIG=/opt/softwares/shiphome/user_projects/domains/base_domain/config/fmwconfig/jps-config-jse.xml
DOMAIN_HOME: Specify Oracle Identity Manager Domain Home location of the Weblogic Application Server, for example:
DOMAIN_HOME=/opt/softwares/shiphome/user_projects/domains/base_domain
DBURL: Oracle Identity Manager database URL, for example:
DBURL=jdbc:oracle:thin:@dbhostname:5521:orclsid
DBSCHEMAUSER: Oracle Identity Manager schema username, for example:
DBSCHEMAUSER=DEV_OIM
OIM_OAM_INTG_ENABLED: Set this to true if Oracle Identity Manager deployment is integrated with Access Manager, for example:
OIM_OAM_INTG_ENABLED=true
LDAPURL: LDAP directory URL. Non-SSL port must be specified, for example:
LDAPURL=ldap://LDAP_HOSTNAME:3060
LDAPADMINUSER : LDAP directory admin username, for example:
LDAPADMINUSER=cn=orcladmin
OIM_ADMIN_LDAP_DN: Oracle Identity Manager Administrator xelsysadm complete DN in the LDAP directory, for example:
OIM_ADMIN_LDAP_DN=cn=xelsysadm,cn=Users,dc=us,dc=mydomain,dc=com
Go to the OIM_HOME/server/bin/ directory, and run the following command:
sh oimadminpasswd_wls.sh oimadminpasswd_wls.properties
The following is a sample output:
Enter OIM DB Schema Password :
Enter OIM Adminstrator xelsysadm new Password:
Re-enter OIM Adminstrator xelsysadm new Password:
WARNING: Not able to fetch OIMPlatform instance for the given Platform. Hence defaulting to the OIMWebLogicPlatform
OIM Admin user xelsysadm password reset successfully in OIMDB
OIM Admin user cn=xelsysadm,cn=Users,dc=...,dc=...,dc=... password reset successfully in LDAP
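The two procedures above differ only in which properties must be set, and a typo in the properties file (a stray character after the LDAP port, a missing DN, a password pasted into the file instead of typed at the prompt) is easier to catch before the utility touches the database and the directory. The following Python script is an added example, not part of the Oracle utility: it reads the key=value format that oimadminpasswd_wls.properties uses and applies the rules stated above, namely that the common keys are always required, the LDAP keys are required only when OIM_OAM_INTG_ENABLED is true, LDAPURL must be a non-SSL ldap://host:port, and OIM_ADMIN_LDAP_DN is the full DN of xelsysadm. The sample files are constructed and their paths are placeholders; the optional path check is an assumption about where the files live on your host.

```python
"""Validate oimadminpasswd_wls.properties before running oimadminpasswd_wls.sh.

Added example, not part of the Oracle utility. Reads the key=value format the
utility uses and applies the rules from the two procedures on this page.
Sample files are constructed; their paths are placeholders.
"""
import os
import re

COMMON_KEYS = ("JAVA_HOME", "COMMON_COMPONENTS_HOME", "OIM_ORACLE_HOME",
               "ORACLE_SECURITY_JPS_CONFIG", "DOMAIN_HOME", "DBURL",
               "DBSCHEMAUSER", "OIM_OAM_INTG_ENABLED")
LDAP_KEYS = ("LDAPURL", "LDAPADMINUSER", "OIM_ADMIN_LDAP_DN")
_LDAP_URL_RE = re.compile(r"^ldap://[A-Za-z0-9._-]+:\d+$")   # non-SSL, host:port, nothing after


def parse_properties(text):
    """Minimal java.util.Properties reader: key=value, '#'/'!' comments, no line continuations."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")   # split at the first '=' only: LDAPADMINUSER=cn=orcladmin
        props[key.strip()] = value.strip()
    return props


def check_properties(props, check_paths=False):
    """Return findings in a stable order; an empty list means the file is usable."""
    problems = []
    for key in COMMON_KEYS:
        if not props.get(key):
            problems.append(f"{key} is missing or empty")
    flag = props.get("OIM_OAM_INTG_ENABLED", "").lower()
    if flag not in ("true", "false"):
        problems.append("OIM_OAM_INTG_ENABLED must be true or false")
    if flag == "true":
        for key in LDAP_KEYS:
            if not props.get(key):
                problems.append(f"{key} is required when OIM_OAM_INTG_ENABLED=true")
        url = props.get("LDAPURL", "")
        if url and not _LDAP_URL_RE.match(url):
            problems.append("LDAPURL must be ldap://HOST:PORT (non-SSL, no trailing characters)")
        dn = props.get("OIM_ADMIN_LDAP_DN", "")
        if dn and not dn.lower().startswith("cn=xelsysadm,"):
            problems.append("OIM_ADMIN_LDAP_DN should be the full DN of xelsysadm")
    dburl = props.get("DBURL", "")
    if dburl and not dburl.startswith("jdbc:oracle:thin:@"):
        problems.append("DBURL must be a jdbc:oracle:thin:@ URL")
    for key in props:
        # The utility prompts for passwords (see the sample output); a password in
        # this file is a secret written to disk in clear text.
        if "PASS" in key.upper():
            problems.append(f"{key}: the utility prompts for passwords; do not store them in this file")
    if check_paths:   # assumption: the script runs on the host where these paths exist
        for key in ("JAVA_HOME", "COMMON_COMPONENTS_HOME", "OIM_ORACLE_HOME", "DOMAIN_HOME"):
            if props.get(key) and not os.path.isdir(props[key]):
                problems.append(f"{key} does not exist: {props[key]}")
        jps = props.get("ORACLE_SECURITY_JPS_CONFIG", "")
        if jps and not os.path.isfile(jps):
            problems.append(f"ORACLE_SECURITY_JPS_CONFIG does not exist: {jps}")
    return problems


# Constructed sample: OAM-integrated setup, filled in correctly.
SAMPLE_OK = """\
JAVA_HOME=/opt/softwares/shiphome/jdk160_24
COMMON_COMPONENTS_HOME=/opt/softwares/shiphome/oracle_common
OIM_ORACLE_HOME=/opt/softwares/shiphome/Oracle_IDM1
ORACLE_SECURITY_JPS_CONFIG=/opt/softwares/shiphome/user_projects/domains/base_domain/config/fmwconfig/jps-config-jse.xml
DOMAIN_HOME=/opt/softwares/shiphome/user_projects/domains/base_domain
DBURL=jdbc:oracle:thin:@dbhostname:5521:orclsid
DBSCHEMAUSER=DEV_OIM
OIM_OAM_INTG_ENABLED=true
LDAPURL=ldap://ldap.mydomain.com:3060
LDAPADMINUSER=cn=orcladmin
OIM_ADMIN_LDAP_DN=cn=xelsysadm,cn=Users,dc=us,dc=mydomain,dc=com
"""

# Constructed sample: stray ')' after the LDAP port, admin DN missing, password pasted in.
SAMPLE_BAD = """\
# OAM-integrated, but with three mistakes
JAVA_HOME=/opt/softwares/shiphome/jdk160_24
COMMON_COMPONENTS_HOME=/opt/softwares/shiphome/oracle_common
OIM_ORACLE_HOME=/opt/softwares/shiphome/Oracle_IDM1
ORACLE_SECURITY_JPS_CONFIG=/opt/softwares/shiphome/user_projects/domains/base_domain/config/fmwconfig/jps-config-jse.xml
DOMAIN_HOME=/opt/softwares/shiphome/user_projects/domains/base_domain
DBURL=jdbc:oracle:thin:@dbhostname:5521:orclsid
DBSCHEMAUSER=DEV_OIM
OIM_OAM_INTG_ENABLED=true
LDAPURL=ldap://LDAP_HOSTNAME:3060)
LDAPADMINUSER=cn=orcladmin
DBSCHEMAPASSWORD=Welcome1
"""

if __name__ == "__main__":
    for name, text in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, check_properties(parse_properties(text)) or ["no problems"])
```

Point it at the real file with check_properties(parse_properties(open(path).read()), check_paths=True) on the OIM host before running the reset.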
Note:
The warning messages that are displayed while running the oimadminpasswd_wls.sh script can be ignored.

Oracle Identity Manager uses two database schemas for storing operational and configuration data: the Oracle Identity Manager MDS schema for configuration-related information and the Oracle Identity Manager schema for everything else. Any change in a schema password requires changes to the Oracle Identity Manager configuration.
Changing Oracle Identity Manager database password involves the following:
Note:
Before changing the database password, shut down the managed servers that host Oracle Identity Manager. However, you can keep the Oracle WebLogic Administrative Server running.

To change datasource oimJMSStoreDS configuration:
In the WebLogic Administration Console, navigate to Services, JDBC, Data Sources, oimJMSStoreDS.
Click the Connection Pool tab.
In the Password and Confirm password fields, enter the new Oracle Identity Manager database schema password.
Click Save to save the changes.
To change datasource oimOperationsDB configuration:
Navigate to Services, JDBC, Data Sources, oimOperationsDB.
Click the Connection Pool tab.
In the Password and Confirm password fields, enter the new Oracle Identity Manager database schema password.
Click Save to save the changes.
To change datasource related to Oracle Identity Manager MDS configuration:
Navigate to Services, JDBC, Data Sources, mds-oim.
Click the Connection Pool tab.
In the Password and Confirm password fields, enter the new Oracle Identity Manager MDS database schema password.
Click Save to save the changes.
Note:
For Oracle Identity Manager deployments with Oracle Real Application Clusters (Oracle RAC) configuration, you might have to make changes in all the datasources under the respective multi-datasource configurations.
You might have to make similar changes for datasources related to SOA or OWSM, if required.
To change OIMAuthenticationProvider configuration:
In the WebLogic Administrative console, navigate to Security Realms, myrealm, and then Providers.
Click OIMAuthenticationProvider.
Click Provider Specific.
In the DBPassword field, enter the new Oracle Identity Manager database schema password.
Click Save to save the changes.
To change domain credential store configuration:
Login to Enterprise Manager by using the following URL:
http://ADMIN_SERVER/em
Navigate to Weblogic Domain, and then DOMAIN_NAME.
Right-click DOMAIN_NAME, and select Security, Credentials, and then oim.
Select OIMSchemaPassword, and click Edit.
In the Password field, enter the new password, and click OK.
After changing the Oracle Identity Manager database password, restart the WebLogic Administrative Server, and then start the Oracle Identity Manager managed WebLogic Servers.
Oracle Identity Manager installer stores several passwords during the install process. Various values are stored in Credential Store Framework (CSF) as key and value. Table 33-1 lists the keys and the corresponding values:
Key | Description |
---|---|
DataBaseKey |
The password for the key used to encrypt database. The password is the user input value in the installer for the Oracle Identity Manager keystore. |
.xldatabasekey |
The password for keystore that stores the database encryption key. The password is the user input value in the installer for the Oracle Identity Manager keystore. |
xell |
The password for key 'xell', which is used for securing communication between Oracle Identity Manager components. Default password generated by Oracle Identity Manager installer is xellerate. |
default_keystore.jks |
The password for the default_keystore.jks JKS keystore in the DOMAIN_HOME/config/fmwconfig/ directory. The password is the user input value in the installer for the Oracle Identity Manager keystore. |
SOAAdminPassword |
The password is user input value in the installer for SOA Administrator Password field. |
OIMSchemaPassword |
The password for connecting to Oracle Identity Manager database schema. Password is user input value in the installer for OIM Database Schema Password field. |
JMSKey |
The password is the user input value in the installer for the Oracle Identity Manager keystore. |
To change the values of the CSF keys:
Login to Oracle Enterprise Manager by navigating to the following URL:
http://ADMIN_SERVER/em
Navigate to Weblogic Domain, DOMAIN_NAME.
Right-click DOMAIN_NAME, and select Security, Credentials, and then oim.
Select the key that you want to modify.
If the OVD administrator password changes, update it in the Directory Server IT resource. To do so:
Login to Oracle Identity Manager Administration.
Click Advanced.
Under Configuration, click Manage IT Resource.
From the IT Resource Type list, select Directory Server.
Click Search.
Edit the Directory Server IT resource. To do so, in the Admin Password field, enter the new OVD password, and click Update.
To change Oracle Identity Manager System Administrator password in LDAP:
Look up the dn for the user from LDAP, as shown. (These examples pass the directory administrator password on the command line with -w. On a shared host, prefer a password prompt or a protected password file, because command-line arguments are visible to other users in the process list and remain in the shell history.)
$ORACLE_HOME/bin/ldapsearch -D cn=orcladmin -w fusionapps1 -h localhost -p 6501 -b dc=com "cn=SYS_ADMIN" orclaccountlocked dn
Here, SYS_ADMIN is the System Administrator user login.
Create a file similar to the following:
$ more /tmp/resetpassword_SYS_ADMIN
dn: cn=SYS_ADMIN,cn=Users,dc=us,dc=mydomain,dc=com
changetype: modify
replace: userPassword
userPassword: NEW_PASSWORD
Here, NEW_PASSWORD is the password that you want in clear text.
Change the password, as shown:
$ORACLE_HOME/bin/ldapmodify -D cn=orcladmin -w fusionapps1 -h localhost -p 6501 -f /tmp/resetpassword_SYS_ADMIN
Verify that the user password is changed, as shown:
$ORACLE_HOME/bin/ldapbind -D cn=SYS_ADMIN,cn=Users,dc=us,dc=mydomain,dc=com -w NEW_PASSWORD -h localhost -p 6501
To unlock Oracle Identity Manager System Administrator password in LDAP:
Look up the dn for the user from LDAP, as shown:
$ORACLE_HOME/bin/ldapsearch -D cn=orcladmin -w fusionapps1 -h localhost -p 6501 -b dc=com "cn=SYS_ADMIN" orclaccountlocked dn
If orclaccountlocked has a value of 1, then it means that the user is locked.
Create a file similar to the following:
$ more /tmp/unlock_SYS_ADMIN
dn: cn=SYS_ADMIN,cn=Users,dc=us,dc=mydomain,dc=com
changetype: modify
replace: orclaccountlocked
orclaccountlocked: 0
Unlock the user, as shown:
$ORACLE_HOME/bin/ldapmodify -D cn=orcladmin -w fusionapps1 -h localhost -p 6501 -f /tmp/unlock_SYS_ADMIN
Verify that the user is unlocked, as shown:
$ORACLE_HOME/bin/ldapsearch -D cn=orcladmin -w fusionapps1 -h localhost -p 6501 -b dc=com "cn=SYS_ADMIN" orclaccountlocked dn
The value of orclaccountlocked must be 0.
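The reset and unlock procedures above each hand-write a small LDIF file and then read orclaccountlocked back out of ldapsearch output. The following Python script is an added example, not part of the Oracle documentation: it generates the same two modify operations (base64-encoding the password when it is not safe ASCII, as LDIF requires) and parses ldapsearch output to answer the "is the account locked" question the unlock procedure asks. It assumes the search output is in LDIF form (OpenLDAP's ldapsearch prints that by default; for the OID ldapsearch used above, that is what the -L option is for, which is an assumption about your tooling rather than something this page states). The sample output is constructed. The generated LDIF can be piped to ldapmodify with -f /dev/stdin or written to a file with restrictive permissions, since it contains the new password in clear text.

```python
"""Build the LDIF for the System Administrator reset/unlock and read the lock state back.

Added example, not from the Oracle documentation. Produces the same modify
operations as the hand-written files above; the ldapsearch output is constructed.
"""
import base64


def _ldif_value(attr, value):
    """LDIF (RFC 2849) requires 'attr:: base64' for values that are not safe ASCII."""
    safe = (value.isascii() and value.isprintable()
            and not value.startswith((" ", ":", "<")) and not value.endswith(" "))
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def reset_password_ldif(dn, new_password):
    """Modify record that replaces userPassword, as in /tmp/resetpassword_SYS_ADMIN above."""
    lines = [f"dn: {dn}", "changetype: modify", "replace: userPassword",
             _ldif_value("userPassword", new_password), ""]
    return "\n".join(lines) + "\n"


def unlock_ldif(dn):
    """Modify record that clears orclaccountlocked, as in /tmp/unlock_SYS_ADMIN above."""
    lines = [f"dn: {dn}", "changetype: modify", "replace: orclaccountlocked",
             "orclaccountlocked: 0", ""]
    return "\n".join(lines) + "\n"


def _unfold(output):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for line in output.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def parse_ldapsearch(output):
    """Parse LDIF-formatted ldapsearch output into {dn: {attr: [values]}}."""
    entries, current = {}, None
    for line in _unfold(output):
        if not line.strip():
            current = None                      # a blank line ends the entry
            continue
        attr, sep, value = line.partition(":")
        if not sep or line.startswith("#"):
            continue
        if value.startswith(":"):               # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if attr == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries


def is_locked(output, login):
    """True when the entry for login has orclaccountlocked=1 (the condition the unlock step checks)."""
    for dn, attrs in parse_ldapsearch(output).items():
        if dn.lower().startswith(f"cn={login.lower()},"):
            return attrs.get("orclaccountlocked", ["0"])[0] == "1"
    raise LookupError(f"no entry for cn={login}")


# Constructed: what 'ldapsearch ... "cn=SYS_ADMIN" orclaccountlocked dn' returns in LDIF form.
SAMPLE_LOCKED = """\
dn: cn=SYS_ADMIN,cn=Users,dc=us,dc=mydomain,dc=com
orclaccountlocked: 1

"""
SAMPLE_UNLOCKED = """\
dn: cn=SYS_ADMIN,cn=Users,dc=us,dc=mydomain,dc=com
orclaccountlocked: 0

"""

if __name__ == "__main__":
    dn = "cn=SYS_ADMIN,cn=Users,dc=us,dc=mydomain,dc=com"
    print(is_locked(SAMPLE_LOCKED, "SYS_ADMIN"))   # True: the unlock record is needed
    print(unlock_ldif(dn), end="")
    print(reset_password_ldif(dn, "NEW_PASSWORD"), end="")
```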
This section describes the procedure for generating keys, signing and exporting certificates, setting up SSL Configuration for Oracle Identity Manager and for the components with which Oracle Identity Manager interacts, and establish secure communication between them. It includes the following topics:
Note:
Sections "Generating Keys" through "Importing the Certificate" provide example commands that are used later in this document. They are for reference and are not part of the mandatory configuration steps.

You can generate a private key and its self-signed public certificate by using the keytool command.
The following command creates an identity keystore (support.jks):
$JAVA_HOME/jre/bin/keytool -genkey -alias support -keyalg RSA -keysize 2048 -dname "CN=localhost, OU=Identity, O=Oracle Corporation,C=US" -keypass KEY_PASSWORD -keystore support.jks -storepass KEYSTORE_PASSWORD
Note:
Change the parameter values passed to the keytool command according to your requirements. In particular, set CN in -dname to the host name that clients will use to reach the server (the host in OimFrontEndURL), not localhost, because clients verify the host name against the certificate, and use an RSA key of at least 2048 bits. Ensure that there is no line break in the keytool argument.

Use the following keytool command to self-sign the certificate that you created:
$JAVA_HOME/jre/bin/keytool -selfcert -alias support -sigalg SHA256withRSA -validity 2000 -keypass KEY_PASSWORD -keystore support.jks -storepass KEYSTORE_PASSWORD
Note:
Change the parameter values passed to the keytool command according to your requirements. Do not use MD5withRSA as the signature algorithm; current JDKs disable certificates signed with MD5 and will not accept them in a TLS handshake. Ensure that there is no line break in the keytool argument.

Use the following keytool command to export the certificate from the identity keystore to a file, for example, supportcert.pem:
$JAVA_HOME/jre/bin/keytool -export -alias support -file supportcert.pem -keystore support.jks -storepass KEYSTORE_PASSWORD
Note:
Change the parameter values passed to the keytool command according to your requirements. Ensure that there is no line break in the keytool argument.

Use the following keytool command to import a certificate from a file, such as wlservercert.pem, into the client truststore:
$JAVA_HOME/jre/bin/keytool -import -alias serverwl -trustcacerts -file D:\bea\user_projects\domains\mydomain\wlservercert.pem -keystore CLIENT_TRUST_STORE -storepass CLIENT_TRUST_STORE_PASSWORD
Note:
Change the parameter values passed to the keytool command according to your requirements. Ensure that there is no line break in the keytool argument.

You need to perform the following configurations in the Oracle Identity Manager and SOA servers to enable SSL:
Enabling SSL for Oracle Identity Manager By Using Default Setting
Enabling SSL for Oracle Identity Manager By Using Custom Keystore
Enabling SSL for Oracle Identity Manager is described in the following sections:
Enabling SSL for Oracle Identity Manager By Using Default Setting
Enabling SSL for Oracle Identity Manager By Using Custom Keystore
To enable SSL for Oracle Identity Manager and SOA servers by using default setting:
Log in to the WebLogic Server Administration Console and go to Servers, OIM_SERVER1, General. Select SSL Listen Port Enabled, set the SSL Listen Port to the value you want, and activate the change. With this default setting the server uses the WebLogic demonstration identity and trust keystores, which are intended for test environments only; for production, use the procedure in "Enabling SSL for Oracle Identity Manager By Using Custom Keystore".
The server will start listening and you can access the URL with HTTPS protocol.
Perform the same steps for Admin/SOA Servers as Oracle Identity Manager might need to interact with SSL-enabled SOA Server.
To enable SSL for Oracle Identity Manager by using custom keystore:
Note:
See "Generating Keys" for information about generating custom keys.

In the WebLogic Server Administration Console, click Environment, Servers, Server_Name (OIM_Server1), Configuration, and then General.
Click Lock & Edit.
Select SSL listen port enabled. The default port is 14001.
Select the Keystores tab.
From the Keystores list, select Custom Identity and Java Standard Trust.
In the Custom Identity Keystore field, enter the absolute path of custom identity keystore filename. For example:
DOMAIN_HOME/config/fmwconfig/support.jks
Note:
The keystore created at DOMAIN_HOME/config/fmwconfig/ by Oracle Identity Manager during installation is default-keystore.jks. Use a different file name for your custom identity keystore so that you do not overwrite it.

Specify JKS as the custom identity keystore type.
Type the keystore passphrase (the -storepass value used when the keystore was created in "Generating Keys") into the Custom Identity Keystore Passphrase and the Confirm Custom Identity Keystore Passphrase fields.
Click Save.
Click the SSL tab.
Type support (the -alias value used in "Generating Keys") as the private key alias.
Type the private key passphrase (the -keypass value used when the key was generated) into the Private Key Passphrase and the Confirm Private Key Passphrase fields.
Click Save.
Click Activate changes.
Restart all servers for these changes to take effect.
Import the certificate that you exported in "Exporting the Certificate" into the SPML client truststore.
See "Importing the Certificate" for information about importing the certificate.
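Once the server is listening on the SSL port with the custom keystore, the check worth doing is whether the certificate it presents actually fits the URL that clients and SOA callbacks will use; the keytool example above issues the certificate to CN=localhost, which no client will accept for https://myoim.mydomain.com. The following Python script is an added example, not from the Oracle documentation: fetch_cert() connects to the SSL port trusting only the certificate exported in "Exporting the Certificate" (supportcert.pem), so a self-signed identity certificate is verified rather than blindly accepted, and cert_problems() reports a host-name mismatch, a localhost subject, an expiry within a threshold, and a self-signed issuer that every SPML and SOA client will need to import. The sample certificate dict is constructed in the shape that ssl.SSLSocket.getpeercert() returns and mirrors the -dname above; host names and the SSL port are placeholders.

```python
"""Check the certificate an SSL-enabled server presents against the URL you configured.

Added example, not from the Oracle documentation. fetch_cert() trusts only the
certificate exported in "Exporting the Certificate" (supportcert.pem), so a
self-signed identity certificate can be verified without disabling verification.
cert_problems() is the pure check; the sample certificate dict is constructed in
the shape ssl.SSLSocket.getpeercert() returns. Host names are placeholders.
"""
import socket
import ssl
from datetime import datetime, timezone


def fetch_cert(host, port, cafile):
    """Connect to host:port, verify the chain against cafile only, return the cert dict."""
    ctx = ssl.create_default_context(cafile=cafile)   # loads only cafile, not the system CAs
    ctx.check_hostname = False                        # name checking is reported by cert_problems()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def utc_date(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


def _names(cert):
    """Host names the certificate is valid for: subject CN plus DNS SANs, lower-cased."""
    names = set()
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.add(value.lower())
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            names.add(value.lower())
    return names


def _matches(host, pattern):
    """Exact match, or a single-label wildcard such as *.mydomain.com."""
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return host == pattern


def cert_problems(cert, url_host, now=None, min_days=30):
    """Findings for a certificate dict; empty means it fits the host in OimFrontEndURL."""
    now = now or datetime.now(timezone.utc)
    problems = []
    names = _names(cert)
    if not any(_matches(url_host.lower(), n) for n in names):
        problems.append(f"name mismatch: {url_host!r} is not in {sorted(names)}")
    if "localhost" in names:
        problems.append("issued to localhost (the keytool -dname example); reissue for the real host")
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    days_left = (not_after - now).days
    if days_left < 0:
        problems.append("expired")
    elif days_left < min_days:
        problems.append(f"expires in {days_left} days")
    if cert.get("issuer") == cert.get("subject"):
        problems.append("self-signed: import it into every SPML/SOA client truststore")
    return problems


# Constructed: roughly what the "Generating Keys" command above would produce.
_DNAME = ((("commonName", "localhost"),), (("organizationalUnitName", "Identity"),),
          (("organizationName", "Oracle Corporation"),), (("countryName", "US"),))
SAMPLE_SELF_SIGNED = {"subject": _DNAME, "issuer": _DNAME,
                      "notBefore": "Jan  1 00:00:00 2024 GMT",
                      "notAfter": "Jun 22 00:00:00 2029 GMT"}

if __name__ == "__main__":
    for finding in cert_problems(SAMPLE_SELF_SIGNED, "myoim.mydomain.com") or ["ok"]:
        print(finding)
    # Live check after enabling the SSL port (placeholders):
    # cert = fetch_cert("myoim.mydomain.com", 14001, "supportcert.pem")
    # print(cert_problems(cert, "myoim.mydomain.com") or ["ok"])
```

Run the live check from a host that will act as a client (an SPML client or the SOA server) rather than from the server itself, so that the host name being tested is the one that appears in OimFrontEndURL and Soapurl.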
After enabling SSL on Oracle Identity Manager and SOA Servers, perform the following changes for establishing secured communication between them:
OimFrontEndURL is used to access the Oracle Identity Manager UI. This can be a load balancer URL or Web server URL (when the application server is fronted with a load balancer or Web server) or a single application server URL. Oracle Identity Manager uses it in notification e-mails and as the address to which SOA sends callback Web service requests.
To change the OimFrontEndURL to use SSL port:
When the WebLogic admin and Oracle Identity Manager managed servers (at least one of the servers in case of cluster) are running, log in to Enterprise Manager (EM).
For example:
http://<AdminServer>/em
Navigate to Identity and Access, Oracle Identity Manager.
Right click and select System MBean Browser.
Under Application Defined MBeans, navigate to oracle.iam, Application:oim, XMLConfig, Config, XMLConfig.DiscoveryConfig, Discovery.
Enter a new value for the "OimFrontEndURL" attribute and click Apply to save the changes.
For example:
http://myoim.mydomain.com
https://myoim.mydomain.com
http://myoimserver.mydomain.com:14002
Note:
Fusion Apps or SPML clients store the Oracle Identity Manager URL for invoking SPML and for sending the callback response. Therefore, corresponding changes are needed there as well. Also, if Oracle Identity Manager is integrated with OAM/OAAM/OIN, corresponding changes may be necessary. Refer to Chapter 32, "Integrating with Other Oracle Components" for detailed information about the integration with other components.
The backOfficeURL change is required only for Oracle Identity Manager deployed in a front-office/back-office configuration. For simple cluster or non-cluster installations, the following does not apply. This URL is used internally by Oracle Identity Manager for accessing back-office components from the front-office components. This value must be changed initially during the implementation of the back-office/front-office configuration, when adding servers to the back office, and when removing servers from the back office.
To change the backOfficeURL to use SSL port:
When the WebLogic admin and Oracle Identity Manager managed servers (at least one of the servers in case of cluster) are running, log in to Enterprise Manager (EM).
For example:
http://<AdminServer>/em
Navigate to Identity and Access, Oracle Identity Manager.
Right click and select System MBean Browser.
Under Application Defined MBeans, navigate to oracle.iam, Application:oim, XMLConfig, Config, XMLConfig.DiscoveryConfig, Discovery.
Enter a new value for the "backOfficeURL" attribute and click Apply to save the changes.
For example:
t3://mywls1.mydomain.com:8001
t3://mywls1.mydomain.com:8001,mywls2.mydomain.com:9001
Note:
For simple cluster and non-cluster installations, the value must be empty.
To change the SOA server URL to use the SSL port:
When the admin server and Oracle Identity Manager managed servers are running, log in to Enterprise Manager (EM).
For example:
http://ADMINISTRATIVE_SERVER/em
Navigate to Identity and Access, Oracle Identity Manager.
Right click and select System MBean Browser.
Under Application Defined MBeans, navigate to oracle.iam, Application:oim, XMLConfig, Config, XMLConfig.SOAConfig, SOAConfig.
Change the values of the Rmiurl attribute.
Note:
Rmiurl is used for accessing SOA EJBs deployed on SOA managed servers. This is the application server URL. For a clustered installation, it is a comma-separated list of all the SOA managed server URLs.
For example:
t3://mysoa1.mydomain.com:8001
t3s://mysoaserver1.mydomain.com:8002
t3://mysoa1.mydomain.com:8001,mysoa2.mydomain.com:8002,mysoa3.com:8003
Change the value of the Soapurl attribute. For example:
http://myoimsoa.mydomain.com
https://mysoa.mydomain.com:8001
Note:
Soapurl is used to access SOA web services deployed on SOA managed servers. This is the web server/load balancer URL when the SOA cluster is fronted with a web server/load balancer. For a single SOA server, it can be the application server URL.
Click Apply to save the changes.
To change the Design console to establish secure connection between Oracle Identity Manager and Design console:
Generate wlfullclient.jar and make sure that it is in the $OIM_HOME/designconsole/ext/ directory. To do so:
Go to the WL_HOME/server/lib/ directory.
Run the following command, which builds wlfullclient.jar in that directory:
java -jar wljarbuilder.jar
Copy wlfullclient.jar from $WL_HOME/server/lib/ to $OIM_HOME/designconsole/ext/.
Copy webserviceclient+ssl.jar from $WL_HOME/server/lib/ to $OIM_HOME/designconsole/ext/.
Copy $MW_HOME/modules/cryptoj.jar to the $OIM_HOME/designconsole/ext/ directory.
Edit the $DESIGN_CONSOLE_HOME/config/xlconfig.xml file. Make the following changes:
Change:
<Discovery>
  <CoreServer>
    <java.naming.provider.url>t3://HOST_NAME:PORT_NUMBER/oim</java.naming.provider.url>
    <java.naming.factory.initial>weblogic.jndi.WLInitialContextFactory</java.naming.factory.initial>
  </CoreServer>
</Discovery>
To:
<Discovery>
  <CoreServer>
    <java.naming.provider.url>t3s://HOST_NAME:OIM_SSL_PORT/oim</java.naming.provider.url>
    <java.naming.factory.initial>weblogic.jndi.WLInitialContextFactory</java.naming.factory.initial>
  </CoreServer>
</Discovery>
Change:
<ApplicationURL>http://HOST_NAME:PORT_NUMBER/xlWebApp/loginWorkflowRenderer.do</ApplicationURL>
To:
<ApplicationURL>https://HOST_NAME:OIM_SSL_PORT/xlWebApp/loginWorkflowRenderer.do</ApplicationURL>
Use the Server trust store in the Design console. To access this:
Go to WebLogic Server Administrative console, Environment, Servers.
Click on <OIM_SERVER_NAME> to view details of the Oracle Identity Manager server.
Click the KeyStores tab and note down the "Trust keystore" location in the "Trust" section.
If the Design Console is deployed on the Oracle Identity Manager host, then set the TRUSTSTORE_LOCATION environment variable to the location of the "Trust keystore" location noted above. For example:
setenv TRUSTSTORE_LOCATION WL_HOME/server/lib/DemoTrust.jks
If the Design Console is deployed on a different host than Oracle Identity Manager, then copy the "Trust keystore" to the host on which Design Console is deployed, and set the TRUSTSTORE_LOCATION env variable to the location where "Trust keystore" is copied on the local host. For example:
setenv TRUSTSTORE_LOCATION OIM_HOME/designconsole/DemoTrust.jks
If $DESIGN_CONSOLE_HOME/config/xl.policy does not contain the default grant policy for all, then add the following permission for cryptoj.jar at the end of the file, as shown:
grant codeBase "file:DIRECTORY_PATH_TO_cryptoj.jar" {
  permission java.security.AllPermission;
};
Copy $MW_HOME/modules/cryptoj.jar to the $OIM_HOME/designconsole/ext/ directory.
Note:
Here, copying $MW_HOME/modules/cryptoj.jar to the $OIM_HOME/designconsole/ext/ directory is a mandatory step. Setting the permission is necessary only if xl.policy does not contain the default grant policy for all.
Oracle Identity Manager client utilities include PurgeCache, GenerateSnapshot, UploadJars, and UploadResources.
Set the TRUSTSTORE_LOCATION environment variable to the "Trust keystore" location.
Note:
See "Configuring SSL for Design Console" for details about setting the TRUSTSTORE_LOCATION environment variable to the "Trust keystore" location.
For example:
setenv TRUSTSTORE_LOCATION WL_HOME/server/lib/DemoTrust.jks
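An added example (not from the Oracle documentation) that applies the two xlconfig.xml edits above with a script and then checks that no t3:// or http:// URL is left behind; the hostname, ports and sample file are constructed placeholders, not values from a real deployment.

```python
"""Switch a Design Console xlconfig.xml from t3/http to t3s/https, and flag any
plaintext URLs left behind. Uses only the standard library."""
import xml.etree.ElementTree as ET
from typing import List
from urllib.parse import urlsplit, urlunsplit

# Constructed sample with the two elements the doc tells you to edit; the host
# and ports are placeholders, not values from a real deployment.
SAMPLE_XLCONFIG = """<xl-configuration>
  <Discovery>
    <CoreServer>
      <java.naming.provider.url>t3://oimhost.example.com:14000/oim</java.naming.provider.url>
      <java.naming.factory.initial>weblogic.jndi.WLInitialContextFactory</java.naming.factory.initial>
    </CoreServer>
  </Discovery>
  <ApplicationURL>http://oimhost.example.com:14000/xlWebApp/loginWorkflowRenderer.do</ApplicationURL>
</xl-configuration>
"""

# Plaintext scheme -> TLS scheme used by WebLogic (t3s) and the web UI (https).
SECURE_SCHEME = {"t3": "t3s", "http": "https"}
# Elements in xlconfig.xml that carry a URL to the Oracle Identity Manager server.
URL_ELEMENTS = ("java.naming.provider.url", "ApplicationURL")


def secure_url(url: str, ssl_port: int) -> str:
    """Rewrite one URL to its TLS scheme and the server's SSL listen port.
    A URL that already uses t3s/https keeps its scheme; only the port is set."""
    parts = urlsplit(url.strip())
    if not parts.hostname:
        raise ValueError(f"URL has no host: {url!r}")
    scheme = SECURE_SCHEME.get(parts.scheme, parts.scheme)
    netloc = f"{parts.hostname}:{ssl_port}"
    return urlunsplit((scheme, netloc, parts.path, parts.query, parts.fragment))


def secure_xlconfig(xml_text: str, ssl_port: int) -> str:
    """Apply the doc's two edits (provider URL -> t3s, ApplicationURL -> https)
    to the XML text and return the updated document."""
    root = ET.fromstring(xml_text)
    for tag in URL_ELEMENTS:
        elems = list(root.iter(tag))
        if not elems:
            raise ValueError(f"xlconfig.xml has no <{tag}> element")
        for elem in elems:
            elem.text = secure_url(elem.text or "", ssl_port)
    return ET.tostring(root, encoding="unicode")


def plaintext_urls(xml_text: str) -> List[str]:
    """Return every URL in the document that still uses t3:// or http://,
    so a half-finished edit is caught before the console is started."""
    root = ET.fromstring(xml_text)
    leftovers = []
    for elem in root.iter():
        text = (elem.text or "").strip()
        if "://" in text and urlsplit(text).scheme in SECURE_SCHEME:
            leftovers.append(text)
    return leftovers


if __name__ == "__main__":
    updated = secure_xlconfig(SAMPLE_XLCONFIG, 14002)
    print(updated)
    print("plaintext URLs left:", plaintext_urls(updated))
```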
To configure SSL for SPML/callback domain:
Ensure that Oracle Identity Manager port is SSL enabled with HostName verification set to false.
Enable SSL on Fusion Applications including callback domain.
See Also:
"Enabling SSL for Oracle Identity Manager By Using Custom Keystore" for information about enabling SSL for Oracle Identity Manager by using custom keystoreIf you are using WebLogic default trust store, you must not change anything other than enabling the SSL mode.
If you have certificates other than default, then the trusted certificates should be exchanged between them to establish two-way trust. See "Signing the Certificates" and "Exporting the Certificate" for information about signing and exporting certificates.
See Also:
"Configuring SSL" in the Oracle Fusion Middleware Securing Oracle WebLogic Server for detailed information about configuring SSL for Oracle WebLogic ServerIf you are using a stand-alone client for sending SPML requests for testing purpose, then you must:
Add the following system properties to the SPML client command to send the request to the SSL-enabled Oracle Identity Manager port:
-Djavax.net.ssl.trustStore=D:\Oracle\Middleware1\wlserver_10.3\server\lib\DemoTrust.jks
Note:
Change the value of the -Djavax.net.ssl.trustStore property to point to the truststore used to configure SSL. See "Configuring SSL for Design Console" for information about the location of the trust store used in WebLogic to configure SSL.
-Djava.protocol.handler.pkgs=weblogic.net
-Dweblogic.security.TrustKeyStore=DemoTrust
Add webserviceclient+ssl.jar to your client classpath.
SOA can connect to Oracle Identity Manager via web services. If web service invocation fails, then SOA cannot connect to Oracle Identity Manager, and as a result, requests can be stuck. For example, after a create user request is approved at request level, the request might be stuck because the corresponding SOA composite is not able to invoke the request web service deployed on Oracle Identity Manager server, which is SSL enabled. To avoid such issues, in setDomainEnv.sh, set JAVA_OPTIONS. For example:
-Djavax.net.ssl.trustStore=WL_HOME/server/lib/DemoTrust.jks
You need to perform the following configurations to enable SSL for Oracle Identity Manager DB:
To set up DB in Server-Authentication SSL mode:
Stop the DB server and the listener.
Configure the listener.ora file as follows:
Navigate to the path:
$DB_ORACLE_HOME/network/admin directory
For example:
/scratch/user1/production-database/product/11.1.0/db_1/network/admin
Edit the listener.ora file to include SSL listening port and Server Wallet Location.
The following is the sample listener.ora file:
# listener.ora Network Configuration File: DB_HOME/listener.ora
# Generated by Oracle configuration tools.
SSL_CLIENT_AUTHENTICATION = FALSE
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = DB_HOME/server_keystore_ssl.p12)
    )
  )
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCPS)(HOST = server1.mycompany.com)(PORT = 2484))
    )
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = server1.mycompany.com)(PORT = 1521))
    )
  )
TRACE_LEVEL_LISTENER = SUPPORT
Configure the sqlnet.ora file as follows:
Navigate to the path:
$DB_ORACLE_HOME/network/admin directory
For example:
/scratch/user1/production-database/product/11.1.0/db_1/network/admin
Edit sqlnet.ora file to include:
TCPS Authentication Services
SSL_VERSION
Server Wallet Location
SSL_CLIENT_AUTHENTICATION type (either true or false)
SSL_CIPHER_SUITES that can be allowed in the communication (optional)
The following is the sample sqlnet.ora file:
# sqlnet.ora Network Configuration File: DB_HOME/sqlnet.ora
# Generated by Oracle configuration tools.
SQLNET.AUTHENTICATION_SERVICES = (BEQ, TCPS)
SSL_VERSION = 3.0
SSL_CLIENT_AUTHENTICATION = FALSE
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = DB_HOME/server_keystore_ssl.p12)
    )
  )
Configure the tnsnames.ora file as follows:
Navigate to the path:
$DB_ORACLE_HOME/network/admin directory
For example:
/scratch/user1/production-database/product/11.1.0/db_1/network/admin
Edit the tnsnames.ora file to include SSL listening port in the description list of the service.
The following is the sample tnsnames.ora file:
# tnsnames.ora Network Configuration File: DB_HOME/tnsnames.ora
# Generated by Oracle configuration tools.
PRODDB =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCPS)(HOST = server1.mycompany.com)(PORT = 2484))
      (CONNECT_DATA =
        (SERVER = DEDICATED)
        (SERVICE_NAME = proddb)
      )
    )
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = server1.mycompany.com)(PORT = 1521))
      (CONNECT_DATA =
        (SERVER = DEDICATED)
        (SERVICE_NAME = proddb)
      )
    )
  )
Start the DB server by using the DB server start/stop utilities.
You can create server side and client side KeyStores using the orapki utility. This utility will be shipped as a part of Oracle DB installation.
KeyStores can be of any format, such as JKS and PKCS12. The format of the keystore depends on the provider implementation. For example, JKS is the implementation provided by Sun/Oracle, whereas PKCS12 is implemented by OraclePKIProvider.
Only JKS client KeyStore is used in Oracle Identity Manager for DB server. This is because using non-JKS KeyStores format such as PKCS12 requires significant changes on the installer side at the critical release time. However, Oracle Identity Manager already has a KeyStore named default-KeyStore.jks, which is in JKS format.
The following are the KeyStores that you can create using orapki utility:
Note:
Wallets and KeyStores are used interchangeably and mean the same thing: a repository of public/private keys and self-signed/trusted certificates.
To create a root certification authority (CA) wallet:
Navigate to the following path:
$DB_ORACLE_HOME/bin directory
Create a wallet by using the command:
./orapki wallet create -wallet CA_keystore.p12 -pwd KEYSTORE_PASSWORD
Add a self signed certificate to the CA wallet by using the command:
./orapki wallet add -wallet CA_keystore.p12 -dn 'CN=root_test,C=US' -keysize 2048 -self_signed -validity 3650 -pwd KEYSTORE_PASSWORD
View the wallet using the command:
./orapki wallet display -wallet CA_keystore.p12 -pwd KEYSTORE_PASSWORD
Export the self signed certificate from the CA wallet using the command:
./orapki wallet export -wallet CA_keystore.p12 -dn 'CN=root_test,C=US' -cert self_signed_CA.cert -pwd KEYSTORE_PASSWORD
Creating DB Server Side Wallet
To create a DB server side wallet:
Create a server wallet using the command:
./orapki wallet create -wallet server_keystore_ssl.p12 -auto_login -pwd KEYSTORE_PASSWORD
Add a certificate request to the server wallet using the command:
./orapki wallet add -wallet server_keystore_ssl.p12 -dn 'CN=Customer,OU=Customer,O=Customer,L=City,ST=NY,C=US' -keysize 2048 -pwd KEYSTORE_PASSWORD
Export the certificate request to a file, which will be used later for getting it signed using the root CA signature:
./orapki wallet export -wallet server_keystore_ssl.p12 -dn 'CN=Customer,OU=Customer,O=Customer,L=City,ST=NY,C=US' -request server_creq.csr -pwd KEYSTORE_PASSWORD
Get the server wallet's certificate request signed using the CA signature:
./orapki cert create -wallet CA_keystore.p12 -request server_creq.csr -cert server_creq_signed.cert -validity 3650 -pwd KEYSTORE_PASSWORD
View the signed certificate using the command:
./orapki cert display -cert server_creq_signed.cert -complete
Import the trusted certificate in to the server wallet using the command:
./orapki wallet add -wallet server_keystore_ssl.p12 -trusted_cert -cert self_signed_CA.cert -pwd KEYSTORE_PASSWORD
Import this newly created signed certificate (user certificate) to the server wallet using the command:
./orapki wallet add -wallet server_keystore_ssl.p12 -user_cert -cert server_creq_signed.cert -pwd KEYSTORE_PASSWORD
To create a client side (Oracle Identity Manager server) wallet:
Create a client keystore using default-keystore.jks keystore which is populated in the following path:
DOMAIN_HOME/config/fmwconfig
Note:
You can also use an Oracle PKCS12 wallet as the client keystore.
Import the self-signed CA trusted certificate that you have already exported using the server side commands into the client keystore (default-keystore.jks) by using the command:
JAVA_HOME/jre/bin/keytool -import -trustcacerts -alias dbtrusted -noprompt -keystore default-keystore.jks -file self_signed_CA.cert -storepass xellerate
You need to perform the following steps in Oracle Identity Manager to enable Oracle Identity Manager and Oracle Identity Manager DB in SSL mode for a secure communication:
Import the trusted certificate into the default-keystore.jks keystore of Oracle Identity Manager.
Log in to Enterprise Manager.
Navigate to Identity and Access, OIM.
Right click and navigate to System MBean Browser.
Under Application Defined MBeans, navigate to oracle.iam, Application:oim, XMLConfig, Config, XMLConfig.DirectDBConfig, and DirectDB.
Change the values of the "Sslenabled" and "Url" attributes, and click Apply. If SSL mode is enabled for the DB, then "Url" must use the TCPS protocol and the SSL port.
For example:
url="jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=my.domain.com)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=proddb)))"
Restart the Oracle Identity Manager server.
After enabling SSL for Oracle Identity Manager DB, you need to change the following Oracle Identity Manager datasources and authenticators to use DB SSL port:
Note:
Before performing changes to the database host/port, you must shut down the managed servers hosting the Oracle Identity Manager application. However, you can keep the WebLogic Admin Server up and running.
Updating Datasource oimJMSStoreDS Configuration
To update the datasource oimJMSStoreDS configuration:
Log in to WebLogic Server.
Navigate to Services, JDBC, Data Sources, oimJMSStoreDS.
Click the Connection Pool tab.
Change the value of the URL to reflect the SSL DB host/port, similar to the following example:
jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=myhost.mydomain.com)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=myhost1.mydomain.com)))
Update Properties to add the following SSL-related properties:
javax.net.ssl.trustStore=DOMAIN_HOME/default-keystore.jks
javax.net.ssl.trustStoreType=JKS
EncryptionMethod=SSL
oracle.net.ssl_version=3.0
javax.net.ssl.trustStorePassword=PASSWORD
Updating Datasource oimOperationsDB Configuration
To update the datasource oimOperationsDB configuration:
Log in to WebLogic Server.
Navigate to Services, JDBC, Data Sources, oimOperationsDB.
Click the Connection Pool tab.
Change the value of the URL to reflect the SSL DB host/port, similar to the following example:
jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=myhost.mydomain.com)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=myhost1.mydomain.com)))
Update Properties to add the following SSL-related properties:
javax.net.ssl.trustStore=DOMAIN_HOME/default-keystore.jks
javax.net.ssl.trustStoreType=JKS
EncryptionMethod=SSL
oracle.net.ssl_version=3.0
javax.net.ssl.trustStorePassword=PASSWORD
Updating Datasource Related to Oracle Identity Manager MDS Configuration
To update datasource related to Oracle Identity Manager MDS configuration:
Log in to WebLogic Server.
Navigate to Services, JDBC, Data Sources, mds-oim.
Click the Connection Pool tab.
Change the value of the URL to reflect the SSL DB host/port, similar to the following example:
jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=myhost.mydomain.com)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=myhost1.mydomain.com)))
Update Properties to add the following SSL-related properties:
javax.net.ssl.trustStore=DOMAIN_HOME/default-keystore.jks
javax.net.ssl.trustStoreType=JKS
EncryptionMethod=SSL
oracle.net.ssl_version=3.0
javax.net.ssl.trustStorePassword=PASSWORD
Note:
You might have to perform similar updates for SOA/OWSM related datasources if required.
Updating Oracle Identity Manager Authenticators
The existing Oracle Identity Manager authenticators in the WebLogic server are configured against Non-SSL DB details and they do not use datasources for communicating with Oracle Identity Manager DB. In order to use SSL DB details in the authenticators, you must perform the following:
Ensure that Datasources are configured to SSL.
In WebLogic Administrative console, navigate to Security Realms, myrealm, Providers.
Remove OIMAuthenticationProvider.
Create an authentication provider of type "OIMAuthenticator" and mark the control flag as SUFFICIENT.
Create an authentication provider of type "OIMSignatureAuthenticator" and mark the control flag as SUFFICIENT.
Reorder the authenticators as:
DefaultAuthenticator
OIMAuthenticator
OIMSignatureAuthenticator
Other providers if any
Restart all servers.
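An added example (not Oracle's code) that checks a datasource URL and its connection properties against the DB SSL setup described above; it applies to the DirectDB Url as well as the oimJMSStoreDS, oimOperationsDB and mds-oim datasources. The URLs and property values are constructed samples, and the descriptor parser assumes a single ADDRESS entry as in the examples above.

```python
"""Check that an Oracle Identity Manager datasource (or the DirectDB Url) is
pointed at the DB's TCPS port and carries the SSL connection properties the
doc lists. Standard library only."""
import re
from typing import Dict, List

# Properties the doc adds to each datasource after enabling SSL on the DB.
REQUIRED_PROPS = (
    "javax.net.ssl.trustStore",
    "javax.net.ssl.trustStoreType",
    "EncryptionMethod",
    "oracle.net.ssl_version",
    "javax.net.ssl.trustStorePassword",
)

# Leaf (KEY=value) pairs inside a TNS descriptor; nested groups are skipped.
_LEAF = re.compile(r"\(\s*(PROTOCOL|HOST|PORT|SERVICE_NAME)\s*=\s*([^()\s]+)\s*\)", re.I)

# Constructed samples: a correct TCPS datasource and a plaintext TCP one.
SAMPLE_SSL_URL = ("jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)"
                  "(HOST=myhost.mydomain.com)(PORT=2484))"
                  "(CONNECT_DATA=(SERVICE_NAME=proddb)))")
SAMPLE_SSL_PROPS = """javax.net.ssl.trustStore=DOMAIN_HOME/default-keystore.jks
javax.net.ssl.trustStoreType=JKS
EncryptionMethod=SSL
oracle.net.ssl_version=3.0
javax.net.ssl.trustStorePassword=PASSWORD"""
SAMPLE_PLAIN_URL = ("jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)"
                    "(HOST=myhost.mydomain.com)(PORT=1521))"
                    "(CONNECT_DATA=(SERVICE_NAME=proddb)))")


def parse_descriptor(url: str) -> Dict[str, str]:
    """Extract PROTOCOL/HOST/PORT/SERVICE_NAME from a jdbc:oracle:thin:@(...)
    URL (assumes a single ADDRESS, as in the datasource examples)."""
    return {key.upper(): value for key, value in _LEAF.findall(url)}


def parse_properties(text: str) -> Dict[str, str]:
    """Parse key=value connection properties, one per line or space separated
    (values containing whitespace are not supported)."""
    props = {}
    for token in text.split():
        key, sep, value = token.partition("=")
        if sep:
            props[key] = value
    return props


def check_datasource(url: str, props_text: str) -> List[str]:
    """Return a list of problems; an empty list means the datasource matches
    the SSL setup described in the doc."""
    problems = []
    desc = parse_descriptor(url)
    if desc.get("PROTOCOL", "").upper() != "TCPS":
        problems.append("URL protocol is not TCPS")
    for field in ("HOST", "PORT", "SERVICE_NAME"):
        if field not in desc:
            problems.append(f"URL has no {field}")
    props = parse_properties(props_text)
    for key in REQUIRED_PROPS:
        if key not in props:
            problems.append(f"missing property {key}")
    if props.get("EncryptionMethod", "").upper() != "SSL":
        problems.append("EncryptionMethod is not SSL")
    store = props.get("javax.net.ssl.trustStore", "")
    if props.get("javax.net.ssl.trustStoreType") == "JKS" and not store.endswith(".jks"):
        problems.append("trustStoreType is JKS but trustStore is not a .jks file")
    return problems


if __name__ == "__main__":
    print("ssl datasource:", check_datasource(SAMPLE_SSL_URL, SAMPLE_SSL_PROPS) or "OK")
    print("plain datasource:", check_datasource(SAMPLE_PLAIN_URL, "EncryptionMethod=SSL"))
```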
You need to perform the following configurations to enable Oracle Identity Manager to use SSL enabled Oracle Virtual Directory (OVD):
To enable OVD-OID with SSL:
Log in to the OVD EM console.
Expand Identity and Access and navigate to ovd1, Administration, Listeners.
Click Create and enter all the required fields.
Note:
You must select the Listener Type as LDAP.
Click OK.
Select the newly created LDAP listener and click Edit.
In the Edit Listener - OIM SSL ENDPOINT page, edit the newly created LDAP listener.
Click OK. The SSL Configuration page opens.
Select the Enable SSL checkbox.
In the Advanced SSL Settings section, for SSL Authentication, select No Authentication.
Click OK.
Stop and start the OVD server for the changes to take effect.
Note:
You must not use the restart option.
When LDAPSync is enabled, Oracle Identity Manager connects with directory servers through OVD. It connects using the ldap/ldaps protocol.
To change OVD host/port:
Log in to Oracle Identity System Administration.
Navigate to Advanced and click Manage IT Resource.
Select IT Resource Type as Directory Server and click Search.
In the IT Resource Directory Server, edit "server URL" to include SSL protocol and SSL port details.
Ensure that Use SSL is set to true and click Update.
To enable Managed WebLogic Server with SSL:
In a text editor, open the startManagedWebLogic.sh file.
Change the value of ADMIN_URL to point to a SSL URL, as shown in the following example:
ADMIN_URL="https://myhost.mydomain.com:7002"
Save the startManagedWebLogic.sh file.
Start all servers.