Contents

List of Figures
List of Tables
Title and Copyright Information

Preface
  Audience
  Documentation Accessibility
  Related Documents
  Conventions

What's New in This Guide
  New and Changed Features for 11g Release 2 (11.1.2.1)

1 Enterprise Deployment Overview
  1.1 About the Enterprise Deployment Guide
  1.2 Enterprise Deployment Guide Conventions
  1.3 Enterprise Deployment Terminology
  1.4 Benefits of Oracle Recommendations
    1.4.1 Built-in Security
    1.4.2 High Availability

2 Introduction and Planning
  2.1 Planning Your Deployment
    2.1.1 Deployment Topologies
      2.1.1.1 Single Domain Topology
      2.1.1.2 Split Domain Topology
      2.1.1.3 Three Domain Topology
    2.1.2 Which Topology Should I Use?
      2.1.2.1 Single Domain Topology
      2.1.2.2 Split Domain Topology
      2.1.2.3 Three Domain Topology
      2.1.2.4 Summary
  2.2 Understanding the Topologies
    2.2.1 About the Web Tier
      2.2.1.1 Architecture Notes
      2.2.1.2 High Availability Provisions
      2.2.1.3 Security Provisions
    2.2.2 About the Application Tier
      2.2.2.1 About WebLogic Domains
      2.2.2.2 About LDAP Directories
        2.2.2.2.1 About Oracle Unified Directory
        2.2.2.2.2 About Oracle Internet Directory and Oracle Virtual Directory
        2.2.2.2.3 High Availability Provisions
      2.2.2.3 Architecture Notes
      2.2.2.4 High Availability Provisions
      2.2.2.5 Security Provisions
    2.2.3 About the Optional Directory Tier
    2.2.4 About the Database Tier
  2.3 Hardware Requirements for an Enterprise Deployment
  2.4 Software Components for an Enterprise Deployment
    2.4.1 Software Versions
    2.4.2 About Obtaining Software
    2.4.3 Summary of Oracle Homes
    2.4.4 About Installing Software
    2.4.5 Applying Patches and Workarounds
  2.5 Road Map for the Reference Topology Installation and Configuration
    2.5.1 Flow Chart of the Oracle Identity Management Enterprise Deployment Process
    2.5.2 Steps in the Oracle Identity Management Enterprise Deployment Process

3 Preparing the Network for an Enterprise Deployment
  3.1 Overview of Preparing the Network for an Enterprise Deployment
  3.2 Planning Your Network
  3.3 About Virtual Server Names Used by the Topologies
    3.3.1 Virtual Host Names
    3.3.2 Virtual Server Names
      3.3.2.1 IDSTORE.mycompany.com
      3.3.2.2 ADMIN.mycompany.com
      3.3.2.3 IDMINTERNAL.mycompany.com
      3.3.2.4 SSO.mycompany.com
  3.4 Configuring the Load Balancers
    3.4.1 Load Balancer Requirements
    3.4.2 Load Balancer Configuration Procedures
    3.4.3 Load Balancer Configuration
  3.5 About IP Addresses and Virtual IP Addresses
  3.6 About Firewalls and Ports
  3.7 Managing Access Manager Communication Protocol
    3.7.1 Access Manager Protocols
    3.7.2 Overview of Integration Requests
    3.7.3 Overview of User Requests
    3.7.4 About the Unicast Requirement for Communication

4 Preparing Storage for an Enterprise Deployment
  4.1 Overview of Preparing Storage for Enterprise Deployment
  4.2 Terminology for Directories and Directory Variables
  4.3 About File Systems
  4.4 About Recommended Locations for the Different Directories
    4.4.1 Recommendations for Binary (Middleware Home) Directories
      4.4.1.1 About the Binary (Middleware Home) Directories
      4.4.1.2 About Sharing a Single Middleware Home for Multiple Domains
      4.4.1.3 About Using Redundant Binary (Middleware Home) Directories
    4.4.2 Recommendations for Domain Configuration Files
      4.4.2.1 About Oracle WebLogic Server Administration and Managed Server Domain Configuration Files
      4.4.2.2 Shared Storage Requirements for Administration Server Domain Configuration Files
      4.4.2.3 Local Storage Requirements for Managed Server Domain Configuration Files
    4.4.3 Shared Storage Recommendations for JMS File Stores and Transaction Logs
    4.4.4 Recommended Directory Locations
      4.4.4.1 Shared Storage
      4.4.4.2 Local Storage

5 Preparing the Servers for an Enterprise Deployment
  5.1 Overview of Preparing the Servers
  5.2 Verifying Your Server and Operating System
  5.3 Meeting the Minimum Hardware Requirements
  5.4 Meeting Operating System Requirements
    5.4.1 Meeting UNIX and Linux Requirements
      5.4.1.1 Configuring Kernel Parameters
      5.4.1.2 Setting the Open File Limit
      5.4.1.3 Setting Shell Limits
      5.4.1.4 Configuring the Local Hosts File
  5.5 Enabling Unicode Support
  5.6 Enabling Virtual IP Addresses
    5.6.1 Virtual IP Addresses to Enable
    5.6.2 Enabling Virtual Addresses by Using the Command Line
  5.7 Mounting Shared Storage onto the Host
  5.8 Configuring Users and Groups
  5.9 Installing Oracle Software onto a Server with Multiple Network Addresses

6 Preparing the Database for an Enterprise Deployment
  6.1 Overview of Preparing the Databases for an Identity Management Enterprise Deployment
  6.2 Verifying the Database Requirements for an Enterprise Deployment
    6.2.1 Databases Required
    6.2.2 Database Host Requirements
    6.2.3 Database Versions Supported
    6.2.4 Patching the Oracle Database
      6.2.4.1 Patch Requirements for Oracle Database 11g (11.1.0.7)
      6.2.4.2 Patch Requirements for Oracle Database 11g (11.2.0.2.0)
    6.2.5 About Initialization Parameters
  6.3 Installing the Database for an Enterprise Deployment
  6.4 Creating Database Services
    6.4.1 Creating Database Services for 10.x and 11.1.x Databases
    6.4.2 Creating Database Services for 11.2.x Databases
    6.4.3 Database Tuning
  6.5 Preparing the Database for Repository Creation Utility (RCU)
  6.6 Loading the Identity Management Schemas in the Oracle RAC Database by Using RCU
  6.7 Backing Up the Database

7 Installing and Configuring Oracle Unified Directory
  7.1 Overview of Installing and Configuring Oracle Unified Directory
  7.2 Prerequisites for Configuring Oracle Unified Directory Instances
  7.3 Installing Oracle Unified Directory
  7.4 Configuring the Oracle Unified Directory Instances
    7.4.1 Configuring Oracle Unified Directory on IDMHOST1
    7.4.2 Validating Oracle Unified Directory on IDMHOST1
    7.4.3 Configuring an Additional Oracle Unified Directory Instance on IDMHOST2
    7.4.4 Validating Oracle Unified Directory on IDMHOST2
    7.4.5 Enabling Oracle Unified Directory Assured Replication
    7.4.6 Relaxing Oracle Unified Directory Object Creation Restrictions
    7.4.7 Validating Oracle Unified Directory Through the Load Balancer
  7.5 Post-Configuration Task
  7.6 Backing Up the Oracle Unified Directory Installation

8 Creating a Domain for an Enterprise Deployment
  8.1 Overview of Creating a Domain
  8.2 Installing Oracle Fusion Middleware Home
    8.2.1 Installing Oracle WebLogic Server and Creating the Fusion Middleware Home
      8.2.1.1 Installing Oracle JRockit
      8.2.1.2 Installing WebLogic Server Using the Generic Installer
    8.2.2 Installing Oracle Identity and Access Management
    8.2.3 Installing the Oracle SOA Suite
  8.3 About Console URLs and Domains
  8.4 Running the Configuration Wizard to Create a Domain
  8.5 Post-Configuration and Verification Tasks
    8.5.1 Copying the OIM Adapter Template
    8.5.2 Creating boot.properties for the WebLogic Administration Servers
    8.5.3 Reassociating the Domain with the Existing OPSS Policy Store
    8.5.4 Starting Node Manager
    8.5.5 Updating the Node Manager Credentials
    8.5.6 Validating the WebLogic Administration Server
    8.5.7 Enabling the WebLogic Plug-in
    8.5.8 Disabling Host Name Verification for the Oracle WebLogic Administration Server
    8.5.9 Stopping and Starting the WebLogic Administration Server
  8.6 Testing Manual Failover of the WebLogic Administration Server
  8.7 Backing Up the WebLogic Domain

9 Preparing Identity Stores
  9.1 Overview of Preparing Identity Stores
  9.2 Backing Up the LDAP Directories
  9.3 Prerequisites
  9.4 Preparing the Identity Store
    9.4.1 Overview of Preparing the Identity Store
    9.4.2 Creating the Configuration File
    9.4.3 Preparing a Directory for Access Manager and Oracle Identity Manager
      9.4.3.1 Configuring Oracle Unified Directory and Oracle Internet Directory for Use with Access Manager and Oracle Identity Manager
      9.4.3.2 Configuring Active Directory for Use with Access Manager and Oracle Identity Manager
    9.4.4 Creating Users and Groups
    9.4.5 Adding the Missing Oracle Internet Directory Object Class
    9.4.6 Adding the Missing Oracle Unified Directory Permission
    9.4.7 Granting Oracle Unified Directory Change Log Access
    9.4.8 Creating Oracle Unified Directory Indexes
    9.4.9 Creating Access Control Lists in Directories Other than Oracle Internet Directory and Oracle Unified Directory
  9.5 Creating Adapters in Oracle Virtual Directory
    9.5.1 Ensuring that Change Log Generation is Enabled in Oracle Internet Directory
    9.5.2 Creating Oracle Virtual Directory Adapters for Oracle Internet Directory and Active Directory
    9.5.3 Validating the Oracle Virtual Directory Adapters
  9.6 Backing Up the Identity Stores

10 Installing and Configuring Oracle Web Tier for an Enterprise Deployment
  10.1 Overview of Installing and Configuring the Web Tier
  10.2 Installing and Configuring the Web Tier
    10.2.1 Prerequisites
    10.2.2 Installing Oracle JRockit
    10.2.3 Installing Oracle HTTP Server
      10.2.3.1 Verifying Prerequisites
      10.2.3.2 Running the Installer
    10.2.4 Running the Configuration Wizard to Configure the HTTP Server
  10.3 Post-Configuration Tasks
    10.3.1 Configuring Oracle HTTP Server to Run as the Software Owner
    10.3.2 Updating Oracle HTTP Server Runtime Parameters
    10.3.3 Creating Virtual Hosts to Support Identity Management
      10.3.3.1 Enabling Virtual Host Support
      10.3.3.2 Creating Virtual Host Definitions
        10.3.3.2.1 Creating the Virtual Host for ADMIN.mycompany.com
        10.3.3.2.2 Creating the Virtual Host for SSO.mycompany.com
        10.3.3.2.3 Creating the Virtual Host for IDMINTERNAL.mycompany.com
  10.4 Restarting Oracle HTTP Server
  10.5 Setting the Front End URL for the Administration Console
  10.6 Validating the Configuration
  10.7 Summary of Web Tier URLs
  10.8 Backing Up the Web Tier Configuration

11 Extending the Domain to Include Oracle Access Management
  11.1 Overview of Extending the Domain to Include Oracle Access Management Access Manager
  11.2 About Domain URLs
  11.3 Using Different Directory Configurations
  11.4 Prerequisites
  11.5 Extending the Domain with Access Manager
  11.6 Configuring Access Manager
    11.6.1 Removing the IDM Domain Agent
    11.6.2 Setting a Global Passphrase
    11.6.3 Configuring Access Manager by Using the IDM Configuration Tool
    11.6.4 Validating the Configuration
    11.6.5 Updating the Newly-Created Agent
    11.6.6 Modifying Access Manager Resources
    11.6.7 Updating Existing WebGate Agents
    11.6.8 Performing the Bug 13824816 Workaround
  11.7 Configuring Access from the Web Tier
  11.8 Deploying Managed Server Configuration to Local Storage
  11.9 Starting Managed Servers WLS_OAM1 and WLS_OAM2
  11.10 Validating Access Manager
  11.11 Creating a Single Keystore for Integrating Access Manager with Other Components
  11.12 Backing Up the Access Manager Configuration

12 Extending the Domain to Include Oracle Identity Manager
  12.1 Overview of Extending the Domain to Include Oracle Identity Manager
  12.2 About Domain URLs
  12.3 Prerequisites
  12.4 Provisioning the OIM Login Modules Under the WebLogic Server Library Directory
  12.5 Creating the wlfullclient.jar File
  12.6 Synchronizing System Clocks
  12.7 Extending the Domain to Configure Oracle Identity Manager and Oracle SOA Suite
  12.8 Deploying Oracle Identity Manager and Oracle SOA to the Managed Server Domain Directory on IDMHOST1 and IDMHOST2
  12.9 Configuring Oracle Coherence for Deploying Composites
    12.9.1 Enabling Communication for Deployment Using Unicast Communication
    12.9.2 Specifying the Host Name Used by Oracle Coherence
  12.10 Configuring Oracle Identity Manager
  12.11 Copying the SOA Directory
  12.12 Starting SOA and Oracle Identity Manager Managed Servers on IDMHOST1 and IDMHOST2
  12.13 Validating the Oracle Identity Manager Instance on IDMHOST1 and IDMHOST2
  12.14 Configuring Oracle Identity Manager to Reconcile from the ID Store
  12.15 Configuring Oracle Identity Manager to Work with the Oracle Web Tier
    12.15.1 Configuring Oracle HTTP Servers to Front End the Oracle Identity Manager and SOA Managed Servers
    12.15.2 Changing Host Assertion in WebLogic
    12.15.3 Updating SOA Endpoints
    12.15.4 Validating Web Tier Integration
      12.15.4.1 Validating the Oracle Identity Manager Instance from the Web Tier
      12.15.4.2 Validating Access to SOA from the Web Tier
  12.16 Configuring a Default Persistence Store for Transaction Recovery
  12.17 Configuring UMS Email Notification
  12.18 Adding the Load Balancer Certificate to the SOA Keystore
  12.19 Excluding Users from Oracle Identity Manager Reconciliation
    12.19.1 Adding the orclAppIDUser Object Class to the User by Using ODSM
    12.19.2 Closing Failed Reconciliation Events by Using the OIM Console
  12.20 Enabling Oracle Identity Manager to Connect to SOA Using the Administrative Users Provisioned in LDAP
  12.21 Modifying Oracle Identity Manager to Support Active Directory
    12.21.1 Updating the Username Generation Policy for Active Directory
    12.21.2 Modifying the Oracle Identity Manager Properties to Support Active Directory
  12.22 Backing Up Oracle Identity Manager
  12.23 Integrating Oracle Identity Manager and Oracle Access Management Access Manager
    12.23.1 Prerequisites
    12.23.2 Adding Forgotten Password Links to the OAM Login Page
    12.23.3 Copying OAM Keystore Files to IDMHOST1 and IDMHOST2
    12.23.4 Integrating Oracle Identity Manager with Oracle Access Manager Using the idmConfigTool
    12.23.5 Performing the Bug 13824816 Workaround, if Necessary
    12.23.6 Updating Existing LDAP Users with Required Object Classes
    12.23.7 Updating the TAP Authentication Scheme
    12.23.8 Managing the Password of the xelsysadm User
    12.23.9 Validating the Integration

13 Setting Up Node Manager for an Enterprise Deployment
  13.1 Overview of the Node Manager
  13.2 Changing the Location of the Node Manager Log
  13.3 Enabling Host Name Verification Certificates for Node Manager
    13.3.1 Generating Self-Signed Certificates Using the utils.CertGen Utility
    13.3.2 Creating an Identity Keystore Using the utils.ImportPrivateKey Utility
    13.3.3 Creating a Trust Keystore Using the Keytool Utility
    13.3.4 Configuring Node Manager to Use the Custom Keystores
    13.3.5 Using a Common or Shared Storage Installation
    13.3.6 Configuring Managed WebLogic Servers to Use the Custom Keystores
    13.3.7 Changing the Host Name Verification Setting for the Managed Servers
  13.4 Starting Node Manager

14 Configuring Server Migration for an Enterprise Deployment
  14.1 Overview of Server Migration for an Enterprise Deployment
  14.2 Setting Up a User and Tablespace for the Server Migration Leasing Table
  14.3 Creating a GridLink Data Source for Leasing Using the Oracle WebLogic Administration Console
  14.4 Editing Node Manager's Properties File
  14.5 Setting Environment and Superuser Privileges for the wlsifconfig.sh Script
  14.6 Configuring Server Migration Targets
  14.7 Testing the Server Migration
  14.8 Backing Up the Server Migration Configuration

15 Configuring Single Sign-on for Administration Consoles in an Enterprise Deployment
  15.1 Overview of Configuring Single Sign-on for Administration Consoles in an Enterprise Deployment
  15.2 Prerequisites
  15.3 Configuring WebLogic Security Providers
    15.3.1 Updating the Oracle Unified Directory Authenticator
    15.3.2 Reordering the Security Providers
  15.4 Assigning the WLSAdmins Group to WebLogic Administration Groups
  15.5 Authorizing Access Manager Administrators to Access the APM Console
  15.6 Updating the boot.properties File
    15.6.1 Updating the Administration Servers on All Domains
    15.6.2 Restarting the Servers
  15.7 Installing and Configuring WebGate 11g
    15.7.1 Prerequisites
    15.7.2 Installing Oracle WebGate on WEBHOST1 and WEBHOST2
  15.8 Validating WebGate and the Access Manager Single Sign-On Setup
  15.9 Backing Up Single Sign-on

16 Creating a Split Domain Topology
  16.1 Introduction to the Split Domain Topology
  16.2 Additional Network Requirements
    16.2.1 Virtual Server Names
    16.2.2 Load Balancer Configuration
    16.2.3 Virtual IP Addresses
    16.2.4 Configuring Servers to Listen on Virtual and Physical IP Addresses
    16.2.5 Firewalls and Ports
  16.3 Additional Requirements for Preparing the File System
  16.4 Additional Requirements for Preparing the Servers
  16.5 Requirements for Creating the Additional Domain
  16.6 Additional Web Tier Requirements
  16.7 Additional Access Manager Requirements
  16.8 Additional Oracle Identity Manager Requirements
    16.8.1 Domain URLs
    16.8.2 Provisioning the Login Modules and Creating the wlfullclient.jar
    16.8.3 Extending the Domain to Configure Oracle Identity Manager and Oracle SOA Suite
    16.8.4 Configuring Oracle Identity Manager
    16.8.5 Deploying Oracle Identity Manager and Oracle SOA
    16.8.6 Enabling Oracle Identity Manager to Connect to SOA
    16.8.7 Configuring Access Manager for Oracle Identity Manager Integration
    16.8.8 Backing Up Oracle Identity Manager
  16.9 Additional Single Sign-On Requirements
  16.10 Additional Node Manager Requirements
  16.11 Additional Management Requirements
    16.11.1 Applying Patches
    16.11.2 Performing Backups

17 Managing the Topology for an Enterprise Deployment
  17.1 Starting and Stopping Oracle Identity Management Components
    17.1.1 Startup Order
    17.1.2 Starting and Stopping Oracle Unified Directory
      17.1.2.1 Starting Oracle Unified Directory
      17.1.2.2 Stopping Oracle Unified Directory
    17.1.3 Starting, Stopping, and Restarting Access Manager Managed Servers
      17.1.3.1 Starting an Access Manager Managed Server When None is Running
      17.1.3.2 Starting an Access Manager Managed Server When Another is Running
      17.1.3.3 Stopping Access Manager Managed Servers
      17.1.3.4 Restarting Access Manager Managed Servers
    17.1.4 Starting, Stopping, and Restarting the WebLogic Administration Server
      17.1.4.1 Starting the WebLogic Administration Server
      17.1.4.2 Stopping the WebLogic Administration Server
      17.1.4.3 Restarting the WebLogic Administration Server
    17.1.5 Starting and Stopping Node Manager
      17.1.5.1 Starting Node Manager
      17.1.5.2 Stopping Node Manager
      17.1.5.3 Starting Node Manager for an Administration Server
    17.1.6 Starting, Stopping, and Restarting Oracle HTTP Server
      17.1.6.1 Starting Oracle HTTP Server
      17.1.6.2 Stopping Oracle HTTP Server
      17.1.6.3 Restarting Oracle HTTP Server
    17.1.7 Starting, Stopping, and Restarting Oracle Identity Manager
      17.1.7.1 Starting Oracle Identity Manager
      17.1.7.2 Stopping Oracle Identity Manager
      17.1.7.3 Restarting Oracle Identity Manager
  17.2 About Identity Management Console URLs
  17.3 Monitoring Enterprise Deployments
    17.3.1 Monitoring WebLogic Managed Servers
    17.3.2 Monitoring Oracle Unified Directory
  17.4 Scaling Enterprise Deployments
    17.4.1 Scaling Up the Topology
      17.4.1.1 Scaling Up Oracle Unified Directory
      17.4.1.2 Scaling Up Oracle Access Manager 11g
      17.4.1.3 Scaling Up Oracle Identity Manager
      17.4.1.4 Scaling Up Oracle HTTP Server
    17.4.2 Scaling Out the Topology
      17.4.2.1 Scaling Out Oracle Unified Directory
      17.4.2.2 Scaling Out Oracle Access Manager 11g
      17.4.2.3 Scaling Out Oracle Identity Manager
      17.4.2.4 Scaling Out Oracle HTTP Server
  17.5 Auditing Identity Management
  17.6 Performing Backups and Recoveries
    17.6.1 Performing Baseline Backups
    17.6.2 Performing Runtime Backups
    17.6.3 Performing Backups During Installation and Configuration
      17.6.3.1 Backing Up the Middleware Home
      17.6.3.2 Backing Up LDAP Directories
        17.6.3.2.1 Backing Up Oracle Unified Directory
        17.6.3.2.2 Backing Up Oracle Internet Directory
        17.6.3.2.3 Backing Up Oracle Virtual Directory
        17.6.3.2.4 Backing Up Third-Party Directories
      17.6.3.3 Backing Up the Database
      17.6.3.4 Backing Up the WebLogic Domain
      17.6.3.5 Backing Up the Web Tier
  17.7 Patching Enterprise Deployments
    17.7.1 Patching an Oracle Fusion Middleware Source File
    17.7.2 Patching Identity and Access Management
    17.7.3 Patching Oracle Unified Directory Components
  17.8 Preventing Timeouts for SQL
  17.9 Manually Failing Over the WebLogic Administration Server
    17.9.1 Failing Over the Administration Server to IDMHOST2
    17.9.2 Starting the Administration Server on IDMHOST2
    17.9.3 Validating Access to IDMHOST2 Through Oracle HTTP Server
    17.9.4 Failing the Administration Server Back to IDMHOST1
  17.10 Troubleshooting
    17.10.1 Troubleshooting Oracle Internet Directory
      17.10.1.1 Oracle Internet Directory Server is Not Responsive
      17.10.1.2 SSO/LDAP Application Connection Times Out
      17.10.1.3 LDAP Application Receives LDAP Error 53 (DSA Unwilling to Perform)
      17.10.1.4 TNSNAMES.ORA, TAF Configuration, and Related Issues
    17.10.2 Troubleshooting Oracle Virtual Directory
      17.10.2.1 Command Not Found Error When Running SSLServerConfig.sh
      17.10.2.2 Oracle Virtual Directory is Not Responsive
      17.10.2.3 SSO/LDAP Application Connection Times Out
      17.10.2.4 TNSNAMES.ORA, TAF Configuration, and Related Issues
      17.10.2.5 SSLServerConfig.sh Fails with Error
    17.10.3 Troubleshooting Access Manager 11g
      17.10.3.1 User Reaches the Maximum Allowed Number of Sessions
      17.10.3.2 Policies Do Not Get Created When Oracle Access Manager is First Installed
      17.10.3.3 You Are Not Prompted for Credentials After Accessing a Protected Resource
      17.10.3.4 Cannot Log In to the OAM Console
    17.10.4 Troubleshooting Oracle Identity Manager
      17.10.4.1 java.io.FileNotFoundException When Running Oracle Identity Manager Configuration
      17.10.4.2 ResourceConnectionValidationException When Creating a User in Oracle Identity Manager
    17.10.5 Troubleshooting Oracle SOA Suite
      17.10.5.1 Transaction Timeout Error
    17.10.6 Using My Oracle Support for Additional Troubleshooting Information

A Using Multi Data Sources with Oracle RAC
  A.1 About Multi Data Sources and Oracle RAC
  A.2 Typical Procedure for Configuring Multi Data Sources for an EDG Topology

B Worksheets for Identity Management Topology
  B.1 Hosts, Virtual Hosts, and Virtual IP Addresses for Identity Management
  B.2 Directory Mapping
  B.3 Port Mapping
  B.4 LDAP Directory Details
  B.5 Database Details
  B.6 Web Tier Details
  B.7 Application Tier Details
  B.8 User and Group Mapping

Index