The IdM configuration tool (idmConfigTool) supports a number of tasks to assist in installing, configuring, and integrating Oracle identity management (IdM) components. This chapter explains how to use the tool.
Note:
This chapter does not contain actual integration procedures; rather, it contains idmConfigTool command syntax and related details. Use this chapter as a reference whenever you are executing idmConfigTool as directed by your integration procedure or task.
Use idmConfigTool in these situations:
prior to installing Oracle Identity Manager and Oracle Access Management Access Manager,
after installing Oracle Identity Manager and Oracle Access Management Access Manager,
to dump the configuration of IdM components Oracle Internet Directory, Oracle Virtual Directory, Oracle Identity Manager, and Oracle Access Manager, and
to validate the configuration parameters for Oracle Internet Directory, Oracle Virtual Directory, Oracle Identity Manager, and Oracle Access Manager.
Section 2.1.2 explains the tasks the tool performs in each situation.
idmConfigTool helps you to perform the following tasks efficiently:
Validating configuration properties representing the Identity Management components Oracle Internet Directory (OID), Oracle Virtual Directory (OVD), Oracle Access Management Access Manager (OAM-AM) and Oracle Identity Manager (OIM).
Pre-configuring the Identity Store components (Oracle Internet Directory and Oracle Virtual Directory) to install the other Identity Management components, including Access Manager and Oracle Identity Manager.
Post-configuring the Access Manager, Oracle Identity Manager components and wiring of Access Manager and Oracle Identity Manager.
Extracting the configuration of the Identity Management components Oracle Internet Directory, Oracle Virtual Directory, Access Manager and Oracle Identity Manager.
idmConfigTool supports these component versions:
Oracle Internet Directory 11g
Oracle Virtual Directory 11g
Oracle Access Management Access Manager 11g
Oracle Access Manager 10g
Oracle Identity Manager 11g
Oracle Unified Directory (OUD) 11g
idmConfigTool is located at IAM_ORACLE_HOME/idmtools/bin, where IAM_ORACLE_HOME is the directory in which Oracle Identity Manager and Oracle Access Manager are installed.
idmConfigTool supports Access Manager 11g Webgates by default. It also supports 10g Webgates.
The tool supports two types of scenarios with regard to WebLogic domains:
A single-domain configuration, in which the Access Manager and Oracle Identity Manager servers are configured in the same WebLogic domain
A dual or cross-domain configuration, in which the Access Manager and Oracle Identity Manager servers are configured in separate WebLogic domains
See Also:
Section 1.2 for architecture details.
You must configure the environment before running the IdM configuration tool.
Set the following variables:
Table 2-1 Environment Variables for IdM Configuration Tool
Variable | Description |
---|---|
 | Set the value to the full path of the installation's Middleware home. |
 | Ensure that the value contains the following directory: MW_HOME/jdkn. If running on IBM WebSphere, this variable must point to the IBM JDK. Set the value to the full path of the JDK. Important: On IBM WebSphere, do not use a JDK other than the IBM JDK. |
 | Set to the full path of the Oracle home. For IdM integrations, set to |
 | Required on IBM WebSphere. Set to |
 | Required on IBM WebSphere. Set the value to the full path of the WebSphere application server home directory. |
 | Required on IBM WebSphere. Specifies the deployment manager profile home directory. The deployment manager deploys applications to a cell of application servers which it manages. A profile defines the runtime environment and includes all the configurable files that the server processes in the run-time environment. Set to an absolute path. |
The tool has the following syntax on Linux:
idmConfigTool.sh -command input_file=filename log_file=logfileName log_level=log_level
The tool has the following syntax on Windows:
idmConfigTool.bat -command input_file=filename log_file=logfileName log_level=log_level
Values for command are as follows:
Command | Component name | Description |
---|---|---|
 | Identity Store | Configures the identity store and policy store by creating the groups and setting ACIs on the various containers. |
 | Identity Store | Configures the identity store by adding the necessary users and associating users with groups. Modes enable you to configure for a specific component. You can run this command on Oracle WebLogic Server (mode=WLS) or IBM WebSphere (mode=WAS). |
 | Policy Store | Configures the policy store by creating read-write users and associating them with the groups. |
 | Oracle Access Manager, Oracle Identity Manager | Prepares Access Manager for integration with Oracle Identity Manager. |
 | Oracle Access Manager, Oracle Identity Manager | Sets up wiring between Access Manager and Oracle Identity Manager. |
 | Oracle Virtual Directory | Creates Oracle Virtual Directory adapters. |
 | Oracle Virtual Directory | Disables anonymous access to the Oracle Virtual Directory server. Post-upgrade command. |
 | Identity Store | Performs post-provisioning configuration of the identity store. |
 | Various | Validates the set of input properties for the named entity. |
 | Oracle Virtual Directory | Updates the configuration for an upgraded Oracle Virtual Directory with split profile. |
 | Oracle Identity Manager, Access Manager | Updates existing users in Oracle Internet Directory by adding certain object classes which are needed for Oracle Identity Manager-Access Manager integration. |
 | Oracle Identity Manager, Access Manager | Upgrades an existing configuration consisting of integrated Oracle Identity Manager-Access Manager, using Webgate 10g, to use Webgate 11g. |
You must run this tool as a user with administrative privileges when configuring the identity store or the policy store.
The validate command requires a component name.
idmConfigTool creates or updates certain files upon execution.
When you run the idmConfigTool, the tool creates or appends to the file idmDomainConfig.param. This file is generated in the directory from which you run the tool. To ensure that the same file is appended to each time the tool is run, always run idmConfigTool from the directory:
IAM_ORACLE_HOME/idmtools/bin
You can specify a log file using the log_file attribute of idmConfigTool. If you do not explicitly specify a log file, a file named automation.log is created in the directory where you run the tool.
Check the log file for any errors or warnings and correct them.
This section describes the properties file that can be used with idmConfigTool.
A properties file provides a convenient way to specify command properties and enables you to save properties for reference and later use. You specify the properties file, containing the execution properties, as an input command option (input_file). The properties file is a simple text file which must be available at the time the command is executed.
For security, you are advised not to insert passwords into the properties file. The tool prompts for the relevant properties at execution.
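The following linter is an added example (not Oracle's code and not part of idmConfigTool) that reads the "KEY : value" format used by the sample files in this chapter and checks values against the rules stated here: enumerated values, true/false flags, port numbers, DN-valued properties (IDSTORE_ADMIN_USER must be a full DN, not a bare username), the fixed -1 cookie expiry, the leading dot on COOKIE_DOMAIN, and any password stored in the file. The sample file is constructed from the configOAM example and seeded with mistakes; IDSTORE_PASSWORD is a hypothetical key used only to show the password check.

```python
"""Lint an idmConfigTool properties file before the tool is run.

Added example; not Oracle's code and not part of idmConfigTool.
"""
import re
from typing import Dict, List

# KEY : value, split on the first colon only (jdbc URLs and host:port lists
# carry colons of their own).
LINE_RE = re.compile(r"^([A-Z][A-Z0-9_]*)\s*:\s*(.*)$")
# Rough LDAP DN shape: attr=value pairs separated by commas, for example
# cn=oamLDAP,cn=Users,dc=example,dc=com (spaces after commas tolerated).
DN_RE = re.compile(r"^[A-Za-z][\w-]*\s*=[^,]+(\s*,\s*[A-Za-z][\w-]*\s*=[^,]+)*$")

# Valid values quoted from Table 2-2; compared case-insensitively because the
# chapter's samples write "simple" where the table says SIMPLE.
ENUM_KEYS = {
    "IDSTORE_DIRECTORYTYPE": {"OID", "OVD", "OUD"},
    "OAM_TRANSFER_MODE": {"OPEN", "SIMPLE", "CERT"},
    "OAM11G_OAM_SERVER_TRANSFER_MODE": {"OPEN", "SIMPLE", "CERT"},
    "OAM11G_IDM_DOMAIN_OHS_PROTOCOL": {"HTTP", "HTTPS"},
    "OAM11G_SERVER_LBR_PROTOCOL": {"HTTP", "HTTPS"},
}
BOOL_KEYS = {
    "POLICYSTORE_SHARES_IDSTORE", "SSO_ENABLED_FLAG", "SPLIT_DOMAIN",
    "OAM11G_SSO_ONLY_FLAG", "OAM11G_OIM_INTEGRATION_REQ",
    "OAM11G_IMPERSONATION_FLAG", "OAM11G_WG_DENY_ON_NOT_PROTECTED",
}
PORT_KEYS = {
    "IDSTORE_PORT", "POLICYSTORE_PORT", "OVD_PORT", "WLSPORT",
    "ACCESS_SERVER_PORT", "OIM_WEB_SERVER_PORT", "OAM11G_WLS_ADMIN_PORT",
    "OAM11G_IDM_DOMAIN_OHS_PORT", "OAM11G_SERVER_LBR_PORT",
}
DN_KEYS = {
    "IDSTORE_ADMIN_USER", "IDSTORE_BINDDN", "POLICYSTORE_BINDDN", "OVD_BINDDN",
    "IDSTORE_USERSEARCHBASE", "IDSTORE_GROUPSEARCHBASE", "IDSTORE_SEARCHBASE",
    "IDSTORE_SYSTEMIDBASE", "POLICYSTORE_SEARCHBASE", "POLICYSTORE_CONTAINER",
}


def parse_properties(text: str) -> Dict[str, str]:
    """Return {KEY: value}. Blank lines and '#' lines are skipped; treating
    '#' as a comment is this example's convention, not a documented feature."""
    props: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = LINE_RE.match(line)
        if not match:
            raise ValueError(f"line {lineno}: not a KEY : value line: {raw!r}")
        key, value = match.group(1), match.group(2).strip()
        if key in props:
            raise ValueError(f"line {lineno}: duplicate property {key}")
        props[key] = value
    return props


def lint(props: Dict[str, str]) -> List[str]:
    """Return one finding per problem; an empty list means the file is clean."""
    findings: List[str] = []
    for key, value in props.items():
        upper = value.upper()
        if "PASSWORD" in key or key.endswith("_PWD"):
            findings.append(f"{key}: password stored in the file; remove it and let the tool prompt")
        if not value:
            findings.append(f"{key}: empty value")
            continue
        if key in BOOL_KEYS and upper not in ("TRUE", "FALSE"):
            findings.append(f"{key}: expected true or false, got {value!r}")
        if key in ENUM_KEYS and upper not in ENUM_KEYS[key]:
            findings.append(f"{key}: expected one of {sorted(ENUM_KEYS[key])}, got {value!r}")
        if key in PORT_KEYS and not (value.isdigit() and 0 < int(value) < 65536):
            findings.append(f"{key}: not a valid TCP port: {value!r}")
        if key in DN_KEYS and not DN_RE.match(value):
            findings.append(f"{key}: expected a full LDAP DN (cn=...,dc=...), got {value!r}")
    if "COOKIE_EXPIRY_INTERVAL" in props and props["COOKIE_EXPIRY_INTERVAL"] != "-1":
        findings.append("COOKIE_EXPIRY_INTERVAL: Table 2-2 says to set this to -1")
    domain = props.get("COOKIE_DOMAIN")
    if domain is not None and not domain.startswith("."):
        findings.append("COOKIE_DOMAIN: give the domain with a leading dot, e.g. .example.com")
    return findings


def lint_text(text: str) -> List[str]:
    return lint(parse_properties(text))


# Constructed sample based on the chapter's configOAM file, seeded with
# mistakes. IDSTORE_PASSWORD is hypothetical: the real tool prompts instead.
SAMPLE = """\
WLSHOST: adminvhn.example.com
WLSPORT: 7001
WLSADMIN: weblogic
IDSTORE_HOST: idstore.example.com
IDSTORE_PORT: 389
IDSTORE_BINDDN: cn=orcladmin
IDSTORE_ADMIN_USER: oamLDAP
IDSTORE_USERSEARCHBASE: cn=Users,dc=example,dc=com
IDSTORE_SEARCHBASE: dc=example,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com
IDSTORE_DIRECTORYTYPE: OVD
PRIMARY_OAM_SERVERS: oamhost1.example.com:5575,oamhost2.example.com:5575
OAM_TRANSFER_MODE: simple
OAM11G_OIM_INTEGRATION_REQ: true or false
COOKIE_DOMAIN: example.com
COOKIE_EXPIRY_INTERVAL: -1
IDSTORE_PASSWORD: Welcome1
"""

if __name__ == "__main__":
    for finding in lint_text(SAMPLE):
        print(finding)
```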
Table 2-2 lists the properties used for integration command options in the idmConfigTool command. The properties are listed in alphabetical order.
Table 2-2 Properties Used in idmConfigTool Properties Files
Parameter | Example Value | Description |
---|---|---|
 | | The Access Manager access gate ID with which Oracle Identity Manager needs to communicate. |
 | | Access Manager Access Server hostname. |
 | | Access Manager NAP port. |
 | | URI required by OPSS. Default value is /obrar.cgi |
 | | Web domain on which the Oracle Identity Manager application resides. Specify the domain in the format .cc.example.com. |
 | -1 | Cookie expiration period. Set to -1. |
 | | The location of the Oracle Identity Manager domain. |
 | | The Oracle Identity Manager domain name. |
 | | The admin port for an Oracle Unified Directory (OUD) identity store. |
 | | Host name of the LDAP identity store directory (corresponding to the IDSTORE_DIRECTORYTYPE). |
 | | Port number of the LDAP identity store (corresponding to the IDSTORE_DIRECTORYTYPE). |
 | cn=orcladmin | Administrative user in the identity store. |
 | cn | Username attribute used to set and search for users in the identity store. |
 | uid | The login attribute of the identity store which contains the user's login name. |
 | cn=Users,dc=us,dc=example,dc=com | The location in the directory where users are stored. |
 | dc=us,dc=example,dc=com | Search base for users and groups contained in the identity store. |
 | cn=Groups,dc=us,dc=example,dc=com | The location in the directory where groups are stored. |
 | oamLDAP | The username used to establish the Access Manager identity store connection. |
 | oamadmin | The identity store administrator for Access Manager. Required only if the identity store is set as the system identity store. |
 | oaamadmin | The identity store administrator for Oracle Adaptive Access Manager. |
 | cn=system, dc=test | Base for all the system users. |
 | | User with read-only permissions to the identity store. |
 | | User with read-write permissions to the identity store. |
 | | The Oracle Fusion Applications superuser in the identity store. |
 | | The administrator of the xelsysadm system account. |
 | | The identity store administrator for Oracle Identity Manager. |
 | | The Oracle Identity Manager administrator group. |
 | | Whether SSL to the identity store is enabled. Valid values: true, false |
 | | Location of the keystore file containing identity store credentials. Applies to, and is required for, Oracle Unified Directory identity stores. |
 | | Used for identity store validation. Used in the Oracle Fusion Applications environment. |
 | | Directory type of the identity store for which the authenticator must be created. Set to OUD if your identity store is Oracle Unified Directory. Valid values: OID, OVD, OUD |
 | cn=systemids,dc=example,dc=com | The administrator of the identity store directory. Provide the complete LDAP DN of the same user specified for IDSTORE_OAMSOFTWAREUSER. The username alone is not sufficient. |
 | weblogic_idm | The identity store administrator for Oracle WebLogic Server. |
 | | The identity store administrator group for Oracle WebLogic Server. |
 | | Password of the WebLogic administrator in the identity store. |
 | | The "wasadmin" user (IBM WebSphere). |
 | | The hostname of the LDAP server. |
 | | The LDAP server port number. |
 | | The bind DN for the LDAP server. |
 | | Indicates whether the connection to the LDAP server is over SSL. Valid values: True, False |
 | | The base DN of the LDAP server. |
 | | The OVD base DN of the LDAP server. |
 | | The directory type for the LDAP server. n is 1, 2, and so on. For a single-node configuration specify LDAP1. |
 | /${app.context}/adfAuthentication | URI required by OPSS. Default value is /${app.context}/adfAuthentication |
 | /oamsso/logout.html | URI required by OPSS. Default value is /oamsso/logout.html |
 | jdbc:oracle:thin:@DBHOST:1521:SID | URL of the MDS database. |
 | edg_mds | Username of the MDS schema user. |
 | 10g | Required when the Access Manager server does not support the 11g webgate in Oracle Identity Manager-Access Manager integration. In that case, provide the value '10g'. Valid values: 10g, 11g |
 | | The transfer mode for the Access Manager agent being configured. If your Access Manager servers are configured to accept requests using the simple mode, set OAM_TRANSFER_MODE to SIMPLE. Valid values: OPEN, SIMPLE, CERT |
 | | The security model in which the Access Manager 11g server functions. Valid values: OPEN, SIMPLE |
 | | Specifies whether the Access Manager server can perform authorizations. If true, the Access Manager 11g server operates in authentication-only mode, where all authorizations return true by default without any policy validation. If false, the server runs in default mode, where each authentication is followed by one or more authorization requests to the server. Valid values: true (no authorization), false |
 | | Specifies the account to administer role security in the identity store. |
 | false | Specifies whether to integrate with Oracle Identity Manager or configure Access Manager in stand-alone mode. Set to true for integration. Valid values: true (integration), false |
 | sso.example.com | Hostname of the load balancer to the Oracle HTTP Server (OHS) front-ending the Access Manager server. |
 | 443 | Port number of the load balancer to the OHS server front-ending the Access Manager server. |
 | https | Protocol of the load balancer to the OHS server front-ending the Access Manager server. Valid values: HTTP, HTTPS |
 | uid | At a login attempt, the username is validated against this attribute in the identity store. |
 | | The global session timeout for sessions in the Access Manager server. |
 | | Global session expiry time for a session in the Access Manager server. |
 | | Global maximum sessions per user in the Access Manager server. |
 | | The identity store name. If you already have an identity store in place which you wish to reuse (rather than allowing the tool to create a new one for you), set this parameter to the name of that identity store. The default value is "OAMIDStore". |
 | | Enable or disable impersonation in the Access Manager server. Applicable to the Oracle Fusion Applications environment. Valid values: true (enable), false |
 | sso.example.com | Host name of the load balancer which is in front of OHS. |
 | 443 | Port number on which the load balancer specified as OAM11G_IDM_DOMAIN_OHS_HOST listens. |
 | https | Protocol for the IDM OHS. Valid values: HTTP, HTTPS |
 | https://sso.example.com:443/test | |
 | true | Deny on protected flag for the 10g webgate. Valid values: true, false |
 | simple | Transfer mode for the IDM domain agent. Valid values: OPEN, SIMPLE, CERT |
 | /console/jsp/common/logout.jsp,/em/targetauth/emaslogout.jsp | Comma-separated list of Access Manager logout URLs. |
 | myhost.example.com | Host name of the Access Manager domain admin server. |
 | 7001 | Port on which the Access Manager domain admin server is running. |
 | wlsadmin | The username of the Access Manager domain administrator. |
 | | The URL needed to connect to the Oracle Identity Manager database. |
 | | The schema user for the Oracle Identity Manager database. |
 | host123.example.com | The hostname of the LBR server front-ending Oracle Identity Manager. |
 | 7011 | The port number of the LBR server front-ending Oracle Identity Manager. |
 | | The name of the Oracle Identity Manager managed server. If clustered, any of the managed servers can be specified. |
 | | The hostname of the Oracle Identity Manager managed server. |
 | | The port number of the Oracle Identity Manager managed server. |
 | | The hostname for the Oracle Identity Manager T3 server. |
 | | The port number of the Oracle Identity Manager T3 server. |
 | | The location of the |
 | | OVD Server hostname. |
 | | OVD Server port number. |
 | | OVD Server bind DN. |
 | | Indicates whether the connection is over SSL. Valid values: True, False |
 | true | Denotes whether the policy store and identity store share the directory. Always true in Release 11g. Valid values: true, false |
 | mynode.us.example.com | The hostname of your policy store directory. |
 | 1234 | The port number of your policy store directory. |
 | cn=orcladmin | Administrative user in the policy store directory. |
 | dc=example,dc=com | The location in the directory where users and groups are stored. |
 | cn=systemids, dc=example,dc=com | The read-only and read-write users for the policy store are created in this location. Default value is cn=systemids, |
 | | A user with read privileges in the policy store. |
 | | A user with read and write privileges in the policy store. |
 | | The name of the container used for OPSS policy information. |
 | | Whether the policy store is SSL-enabled. |
 | | The location of the keystore file for an SSL-enabled policy store. |
 | true | Flag to force Valid values: true, false |
 | false | Flag to determine if SSO should be enabled. Valid values: true, false |
 | | The type of WebGate agent you want to create. Set to: |
 | idmhost1.example.com:5575,idmhost2.example.com:5575 | A comma-separated list of your Access Manager servers and their proxy ports. |
 | | The WebLogic Server host name. |
 | 7001 | The WebLogic Server port number. |
 | wlsadmin | The administrator login, depending on the application server context. |
idmConfigTool logs execution details to a file called automation.log. Upon each run, it appends to automation.log. This can lead to misunderstanding if you see an error in the log and correct it, since the error detail remains in the log even after you have rectified it.
Back up existing log files frequently to avoid confusion caused by old log entries.
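The wrapper below is an added example (not Oracle's code and not part of the tool) that applies the operating rules from this chapter: it checks the Table 2-1 environment variables, runs the tool from IAM_ORACLE_HOME/idmtools/bin so that idmDomainConfig.param is always appended to in one place, and writes each run to its own log via the log_file attribute instead of the append-only automation.log. It assumes the variable names MW_HOME, JAVA_HOME and ORACLE_HOME (only MW_HOME survives in the extracted table) and assumes that log lines worth reviewing contain ERROR, SEVERE or WARNING, which is a guess at the log format.

```python
"""Run idmConfigTool with environment checks and a per-run log file.

Added example; not Oracle's code and not part of idmConfigTool. The variable
names MW_HOME, JAVA_HOME, ORACLE_HOME and the ERROR/SEVERE/WARNING log
markers are assumptions, not statements from the chapter.
"""
import datetime
import os
import re
import subprocess
from typing import Dict, List, Optional

REQUIRED_VARS = ("MW_HOME", "JAVA_HOME", "ORACLE_HOME")  # assumed names
ISSUE_RE = re.compile(r"\b(ERROR|SEVERE|WARN(?:ING)?)\b")  # assumed log markers


def check_environment(env: Dict[str, str], websphere: bool = False) -> List[str]:
    """Table 2-1: all three variables must be set. On WebLogic JAVA_HOME should be
    the MW_HOME/jdk* directory; on IBM WebSphere it must be the IBM JDK instead."""
    problems = [f"{name} is not set" for name in REQUIRED_VARS if not env.get(name)]
    mw_home, java_home = env.get("MW_HOME"), env.get("JAVA_HOME")
    if mw_home and java_home and not websphere:
        if not java_home.startswith(os.path.join(mw_home, "jdk")):
            problems.append("JAVA_HOME is not a MW_HOME/jdk* directory")
    return problems


def build_argv(command: str, input_file: str, log_file: str,
               mode: Optional[str] = None, log_level: Optional[str] = None) -> List[str]:
    """Command line per this chapter's syntax:
    idmConfigTool.sh -command [mode=...] input_file=... log_file=... [log_level=...]"""
    argv = ["./idmConfigTool.sh", f"-{command}"]
    if mode:  # prepareIDStore takes mode=OAM, OIM, WLS, ...
        argv.append(f"mode={mode}")
    argv += [f"input_file={input_file}", f"log_file={log_file}"]
    if log_level:
        argv.append(f"log_level={log_level}")
    return argv


def per_run_log_name(command: str, when: datetime.datetime) -> str:
    """A fresh log per run, so old errors cannot be mistaken for current ones."""
    return f"idmConfigTool-{command}-{when:%Y%m%d-%H%M%S}.log"


def scan_log(text: str) -> List[str]:
    """Lines that need attention, using the assumed ERROR/SEVERE/WARNING markers."""
    return [line for line in text.splitlines() if ISSUE_RE.search(line)]


def run_idmconfigtool(iam_oracle_home: str, command: str, input_file: str,
                      mode: Optional[str] = None, log_level: Optional[str] = None,
                      websphere: bool = False) -> List[str]:
    """Run the tool from IAM_ORACLE_HOME/idmtools/bin and return log lines to review."""
    env = dict(os.environ)
    problems = check_environment(env, websphere)
    if problems:
        raise RuntimeError("environment not ready: " + "; ".join(problems))
    bin_dir = os.path.join(iam_oracle_home, "idmtools", "bin")
    log_file = os.path.join(bin_dir, per_run_log_name(command, datetime.datetime.now()))
    argv = build_argv(command, os.path.abspath(input_file), log_file, mode, log_level)
    # Interactive on purpose: the tool prompts for passwords on the terminal.
    subprocess.run(argv, cwd=bin_dir, env=env, check=True)
    with open(log_file, encoding="utf-8", errors="replace") as handle:
        return scan_log(handle.read())


# Constructed log excerpt for the scanner; not real idmConfigTool output.
SAMPLE_LOG = """\
INFO: connecting to idstore.example.com:389
WARNING: group cn=OAMAdministrators already exists, skipping
INFO: creating user oamLDAP
ERROR: LDAP bind failed for cn=orcladmin
"""

if __name__ == "__main__":
    for line in scan_log(SAMPLE_LOG):
        print(line)
```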
This section lists the properties for each command option.
Notes:
The command options show the command syntax on Linux only. See Section 2.3.1 for Windows syntax guidelines.
The tool prompts for passwords.
./idmConfigTool.sh -preConfigIDStore input_file=input_properties
Table 2-3 lists the properties for this mode:
Table 2-3 Properties of preConfigIDStore
Property | Required? |
---|---|
 | Use the format: where OUD-instance-path is the path to the Oracle Unified Directory instance. |
Here is a sample properties file for this option:
    IDSTORE_HOST : idstore.example.com
    IDSTORE_PORT : 389
    IDSTORE_BINDDN : cn=orcladmin
    IDSTORE_USERNAMEATTRIBUTE: cn
    IDSTORE_LOGINATTRIBUTE: uid
    IDSTORE_USERSEARCHBASE: cn=Users,dc=example,dc=com
    IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com
    IDSTORE_SEARCHBASE: dc=example,dc=com
    IDSTORE_SYSTEMIDBASE: cn=systemids,dc=example,dc=com
Using preConfigIDStore for Oracle Unified Directory
When using preConfigIDStore for Oracle Unified Directory, the global ACI and indexes are re-created only in the instance(s) specified in the property file; they are not replicated by Oracle Unified Directory. You must manually re-create (remove, then create) the global ACI and indexes on all other Oracle Unified Directory instances of the replication domain.
For details, see Section 2.5.
The prepareIDStore command takes mode as an argument to perform tasks for the specified component. The syntax for specifying the mode is:
./idmConfigTool.sh -prepareIDStore mode=mode input_file=filename_with_Configproperties
where mode must be one of:
OAM
OIM
OAAM
WLS
FUSION
WAS
APM
all (performs all the tasks of the above modes combined)
Note:
WLS mode must be run before OAM.
The following are created in OAM mode:
Perform schema extensions as required by the Access Manager component
Add the oblix schema
Create the OAMSoftware User
Create OblixAnonymous User
Optionally create the Access Manager Administration User
Associate these users to their respective groups
Create the group "orclFAOAMUserWritePrivilegeGroup"
./idmConfigTool.sh -prepareIDStore mode=OAM input_file=filename_with_Configproperties
Table 2-4 lists the properties for this mode:
Table 2-4 prepareIDStore mode=OAM Properties
Parameter | Required? |
---|---|
Here is a sample properties file for this option. This parameter set would result in OAMADMINUSER and OAMSOFTWARE user being created in the identity store:
    IDSTORE_HOST : idstore.example.com
    IDSTORE_PORT : 389
    IDSTORE_BINDDN : cn=orcladmin
    IDSTORE_USERNAMEATTRIBUTE: cn
    IDSTORE_LOGINATTRIBUTE: uid
    IDSTORE_USERSEARCHBASE: cn=Users,dc=example,dc=com
    IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com
    IDSTORE_SEARCHBASE: dc=example,dc=com
    POLICYSTORE_SHARES_IDSTORE: true
    OAM11G_IDSTORE_ROLE_SECURITY_ADMIN:OAMAdministrators
    IDSTORE_OAMSOFTWAREUSER:oamLDAP
    IDSTORE_OAMADMINUSER:oamadmin
    IDSTORE_SYSTEMIDBASE: cn=systemids,dc=example,dc=com
The following are created in OIM mode:
Create Oracle Identity Manager Administration User under SystemID container
Create Oracle Identity Manager Administration Group
Add Oracle Identity Manager Administration User to Oracle Identity Manager Administration Group
Add ACIs to Oracle Identity Manager Administration Group
Create reserve container
Create xelsysadmin user
./idmConfigTool.sh -prepareIDStore mode=OIM input_file=filename_with_Configproperties
Table 2-5 lists the properties in this mode:
Table 2-5 prepareIDStore mode=OIM Properties
Parameter | Required? |
---|---|
 | Required on IBM WebSphere. |
 | Required on IBM WebSphere. |
 | Required on IBM WebSphere. |
Here is a sample properties file for this option. With this set of properties, OIMADMINUSER is created in IDSTORE_SYSTEMIDBASE:
    IDSTORE_HOST : idstore.example.com
    IDSTORE_PORT : 389
    IDSTORE_BINDDN : cn=orcladmin
    IDSTORE_USERNAMEATTRIBUTE: cn
    IDSTORE_LOGINATTRIBUTE: uid
    IDSTORE_USERSEARCHBASE:cn=Users,dc=example,dc=com
    IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com
    IDSTORE_SEARCHBASE: dc=example,dc=com
    POLICYSTORE_SHARES_IDSTORE: true
    IDSTORE_SYSTEMIDBASE: cn=systemids,dc=example,dc=com
    IDSTORE_OIMADMINUSER: oimadmin
    IDSTORE_OIMADMINGROUP:OIMAdministrators
    OIM_DB_URL: jdbc:oracle:thin:@xyz5678.us.example.com:5522:wasdb1
    OIM_DB_SCHEMA_USERNAME: dev_oim
    OIM_WAS_CELL_CONFIG_DIR: /wassh/WebSphere/AppServer/profiles/Dmgr04/config/cells/xyz5678Cell04/fmwconfig
The following are created in OAAM mode:
Create Oracle Adaptive Access Manager Administration User
Create Oracle Adaptive Access Manager Groups
Add the Oracle Adaptive Access Manager Administration User as a member of Oracle Adaptive Access Manager Groups
./idmConfigTool.sh -prepareIDStore mode=OAAM input_file=filename_with_Configproperties
Table 2-6 shows the properties in this mode:
Table 2-6 prepareIDStore mode=OAAM Properties
Parameter | Required? |
---|---|
The following are created in the WLS (Oracle WebLogic Server) mode:
Create Weblogic Administration User
Create Weblogic Administration Group
Add the Weblogic Administration User as a member of Weblogic Administration Group
./idmConfigTool.sh -prepareIDStore mode=WLS input_file=filename_with_Configproperties
Table 2-7 lists the properties in this mode:
Table 2-7 prepareIDStore mode=WLS Properties
Parameter | Required? |
---|---|
Here is a sample properties file for this option. With this set of properties, the IDM Administrators group is created.
    IDSTORE_HOST: idstore.example.com
    IDSTORE_PORT: 389
    IDSTORE_BINDDN: cn=orcladmin
    IDSTORE_USERNAMEATTRIBUTE: cn
    IDSTORE_LOGINATTRIBUTE: uid
    IDSTORE_USERSEARCHBASE: cn=Users, dc=example,dc=com
    IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com
    IDSTORE_SEARCHBASE: dc=example,dc=com
    POLICYSTORE_SHARES_IDSTORE: true
    IDSTORE_WLSADMINUSER: weblogic_idm
    IDSTORE_WLSADMINGROUP: wlsadmingroup
The following actions occur in the WAS (IBM WebSphere) mode:
Create WebSphere Administration User
Create WebSphere Administration Group
Add the WebSphere Administration User as a member of WebSphere Administration Group
./idmConfigTool.sh -prepareIDStore mode=WAS input_file=filename_with_Configproperties
Table 2-8 lists the properties in this mode:
Table 2-8 prepareIDStore mode=WAS Properties
Parameter | Required? |
---|---|
Here is a sample properties file for this option. With this set of properties, the IDM Administrators group is created.
    IDSTORE_HOST: idstore.example.com
    IDSTORE_PORT: 389
    IDSTORE_BINDDN: cn=orcladmin
    IDSTORE_USERNAMEATTRIBUTE: cn
    IDSTORE_LOGINATTRIBUTE: uid
    IDSTORE_USERSEARCHBASE: cn=Users, dc=example,dc=com
    IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com
    IDSTORE_SEARCHBASE: dc=example,dc=com
    POLICYSTORE_SHARES_IDSTORE: true
    IDSTORE_WASADMINUSER: websphere_idm
The following are created in APM mode:
Create Oracle Privileged Account Manager Administration User
Add the Oracle Privileged Account Manager Administration User as a member of Oracle Privileged Account Manager Groups
You are prompted to enter the password of the account that you are using to connect to the identity store.
./idmConfigTool.sh -prepareIDStore mode=APM input_file=filename_with_Configproperties
Table 2-9 shows the properties in this mode:
Table 2-9 prepareIDStore mode=APM Properties
Parameter | Required? |
---|---|
Here is a sample properties file for this option:
    IDSTORE_HOST: idstore.example.com
    IDSTORE_PORT: 389
    IDSTORE_BINDDN: cn=orcladmin
    IDSTORE_USERNAMEATTRIBUTE: cn
    IDSTORE_LOGINATTRIBUTE: uid
    IDSTORE_USERSEARCHBASE: cn=Users,dc=example,dc=com
    IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com
    IDSTORE_SEARCHBASE: dc=example,dc=com
    POLICYSTORE_SHARES_IDSTORE: true
    IDSTORE_APMUSER: opamadmin
The following actions are taken in fusion mode:
Create a read-only user
Create a read-write user
Create a super user
Add the read-only user to the groups orclFAGroupReadPrivilegeGroup and orclFAUserWritePrefsPrivilegeGroup
Add the read-write user to the groups orclFAUserWritePrivilegeGroup and orclFAGroupWritePrivilegeGroup
./idmConfigTool.sh -prepareIDStore mode=fusion input_file=filename_with_Configproperties
Table 2-10 lists the properties in this mode:
Table 2-10 prepareIDStore mode=fusion Properties
Parameter | Required? |
---|---|
Here is a sample properties file for this option, which creates IDSTORE_SUPERUSER:
    IDSTORE_HOST : idstore.example.com
    IDSTORE_PORT : 389
    IDSTORE_BINDDN : cn=orcladmin
    IDSTORE_USERNAMEATTRIBUTE: cn
    IDSTORE_READONLYUSER: IDROUser
    IDSTORE_READWRITEUSER: IDRWUser
    IDSTORE_USERSEARCHBASE:cn=Users,dc=example,dc=com
    IDSTORE_SEARCHBASE: dc=example,dc=com
    IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com
    IDSTORE_SYSTEMIDBASE: cn=systemids,dc=example,dc=com
    IDSTORE_SUPERUSER: weblogic_fa
    POLICYSTORE_SHARES_IDSTORE: true
The all mode performs all the tasks that are performed in the modes OAM, OIM, WLS, WAS, OAAM, and FUSION.
./idmConfigTool.sh -prepareIDStore mode=all input_file=filename_with_Configproperties
Table 2-11 lists the properties in this mode:
Table 2-11 prepareIDStore mode=all Properties
Parameter | Required? |
---|---|
 | Required on IBM WebSphere |
 | Required on IBM WebSphere |
 | Required on IBM WebSphere |
 | Required on IBM WebSphere |
Here is a sample properties file for this option:
    IDSTORE_HOST : node01.example.com
    IDSTORE_PORT : 2345
    IDSTORE_BINDDN: cn=orcladmin
    IDSTORE_USERNAMEATTRIBUTE: cn
    IDSTORE_LOGINATTRIBUTE: uid
    IDSTORE_USERSEARCHBASE: cn=Users,dc=example,dc=com
    IDSTORE_SEARCHBASE: dc=example,dc=com
    IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com
    IDSTORE_SYSTEMIDBASE: cn=systemids,dc=example,dc=com
    IDSTORE_READONLYUSER: IDROUser
    IDSTORE_READWRITEUSER: IDRWUser
    IDSTORE_SUPERUSER: weblogic_fa
    IDSTORE_OAMSOFTWAREUSER:oamSoftwareUser
    IDSTORE_OAMADMINUSER:oamAdminUser
    IDSTORE_OIMADMINUSER: oimadminuser
    POLICYSTORE_SHARES_IDSTORE: true
    OAM11G_IDSTORE_ROLE_SECURITY_ADMIN:OAMAdministrators
    IDSTORE_OIMADMINGROUP: OIMAdministrators
    IDSTORE_WLSADMINUSER: weblogic_idm
    IDSTORE_WLSADMINGROUP: wlsadmingroup
    IDSTORE_OAAMADMINUSER: oaamAdminUser
    OIM_DB_URL: jdbc:oracle:thin:@xyz5678.us.example.com:5522:wasdb1
    OIM_DB_SCHEMA_USERNAME: dev_oim
    OIM_WAS_CELL_CONFIG_DIR: /wassh/WebSphere/AppServer/profiles/Dmgr04/config/cells/xyz5678Cell04/fmwconfig
    IDSTORE_WASADMINUSER: websphere_idm
./idmConfigTool.sh -configPolicyStore input_file=input_properties
Table 2-12 lists the command properties.
Table 2-12 Properties for ConfigPolicyStore
Property | Required? |
---|---|
Here is a sample properties file for this option, which creates a read-only user and a read-write user in the policy store:
    POLICYSTORE_HOST: mynode.us.example.com
    POLICYSTORE_PORT: 3060
    POLICYSTORE_BINDDN: cn=orcladmin
    POLICYSTORE_READONLYUSER: PolicyROUser
    POLICYSTORE_READWRITEUSER: PolicyRWUser
    POLICYSTORE_SEARCHBASE: dc=example,dc=com
    POLICYSTORE_CONTAINER: cn=jpsroot
./idmConfigTool.sh -configOAM input_file=input_properties
Table 2-13 lists the command properties.
Table 2-13 Properties of configOAM
Property | Required? |
---|---|
 | YES |
 | Oracle Fusion Applications only. |
 | YES |
Here is a sample properties file for this option, which creates an entry for webgate in Access Manager:
    WLSHOST: adminvhn.example.com
    WLSPORT: 7001
    WLSADMIN: weblogic
    IDSTORE_HOST: idstore.example.com
    IDSTORE_PORT: 389
    IDSTORE_BINDDN: cn=orcladmin
    IDSTORE_USERNAMEATTRIBUTE: cn
    IDSTORE_LOGINATTRIBUTE: uid
    IDSTORE_USERSEARCHBASE: cn=Users,dc=example,dc=com
    IDSTORE_SEARCHBASE: dc=example,dc=com
    IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com
    IDSTORE_OAMSOFTWAREUSER: oamLDAP
    IDSTORE_OAMADMINUSER: oamadmin
    PRIMARY_OAM_SERVERS: oamhost1.example.com:5575,oamhost2.example.com:5575
    WEBGATE_TYPE: ohsWebgate11g
    ACCESS_GATE_ID: Webgate_IDM
    OAM11G_IDM_DOMAIN_OHS_HOST:sso.example.com
    OAM11G_IDM_DOMAIN_OHS_PORT:443
    OAM11G_IDM_DOMAIN_OHS_PROTOCOL:https
    OAM11G_OAM_SERVER_TRANSFER_MODE:simple
    OAM11G_IDM_DOMAIN_LOGOUT_URLS: /console/jsp/common/logout.jsp,/em/targetauth/emaslogout.jsp
    OAM11G_WG_DENY_ON_NOT_PROTECTED: false
    OAM11G_SERVER_LOGIN_ATTRIBUTE: uid
    OAM_TRANSFER_MODE: simple
    COOKIE_DOMAIN: .example.com
    OAM11G_IDSTORE_ROLE_SECURITY_ADMIN: OAMAdministrators
    OAM11G_SSO_ONLY_FLAG: true
    OAM11G_OIM_INTEGRATION_REQ: true or false
    OAM11G_IMPERSONATION_FLAG:true
    OAM11G_SERVER_LBR_HOST:sso.example.com
    OAM11G_SERVER_LBR_PORT:443
    OAM11G_SERVER_LBR_PROTOCOL:https
    COOKIE_EXPIRY_INTERVAL: -1
    OAM11G_OIM_OHS_URL:https://sso.example.com:443/
    SPLIT_DOMAIN: true
    OAM11G_IDSTORE_NAME: OAMIDStore
    IDSTORE_SYSTEMIDBASE: cn=systemids,dc=example,dc=com
When you execute this command, the tool prompts you for:
Password of the identity store account to which you are connecting
Access Manager administrator password
Access Manager software user password
In the IBM WebSphere environment:
Run idmConfigTool from the Oracle Access Manager WebSphere cell.
Provide details of the IBM WebSphere server by specifying the following in the properties file:
WLSHOST - The WebSphere Application Server host
WLSPORT - The WebSphere Application Server bootstrap port
WLSADMIN - Login ID for the Oracle Access Manager Admin console
As of 11g Release 2 (11.1.2), configOIM supports the 11g webgate by default. See the WEBGATE_TYPE option for details.
As indicated in the table, certain properties are required when Oracle Identity Manager and Access Manager are configured on different WebLogic domains.
./idmConfigTool.sh -configOIM input_file=input_file_with_path
Table 2-14 lists the command properties.
Table 2-14 Properties for configOIM
Property | Required? |
---|---|
 | Required by Oracle Platform Security Services (OPSS). |
 | Required by OPSS. |
 | Required by OPSS. |
 | Required only when the Access Manager server does not support the 11g webgate in Oracle Identity Manager-Access Manager integration. In that case, provide the value '10g'. |
 | Required if the Access Manager and Oracle Identity Manager servers are configured on different WebLogic domains (that is, a cross-domain setup). |
 | Required if the Access Manager and Oracle Identity Manager servers are configured on different WebLogic domains (that is, a cross-domain setup). |
 | Required if the Access Manager and Oracle Identity Manager servers are configured on different WebLogic domains (that is, a cross-domain setup). |
 | Required on IBM WebSphere. |
 | Required on IBM WebSphere. |
Here is a sample properties file for this option, which seeds the following keys in the credential store framework (CSF): SSOAccessKey, SSOKeystoreKey, SSOGlobalPP:
    LOGINURI: /${app.context}/adfAuthentication
    LOGOUTURI: /oamsso/logout.html
    AUTOLOGINURI: None
    ACCESS_SERVER_HOST: OAMHOST1.example.com
    ACCESS_SERVER_PORT: 5575
    ACCESS_GATE_ID: Webgate_IDM
    COOKIE_DOMAIN: .example.com
    COOKIE_EXPIRY_INTERVAL: -1
    OAM_TRANSFER_MODE: simple
    WEBGATE_TYPE: ohsWebgate11g
    SSO_ENABLED_FLAG: true
    IDSTORE_PORT: 389
    IDSTORE_HOST: idstore.example.com
    IDSTORE_DIRECTORYTYPE: OVD
    IDSTORE_ADMIN_USER: cn=oamLDAP,cn=Users,dc=example,dc=com
    IDSTORE_USERSEARCHBASE: cn=Users,dc=example,dc=com
    IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com
    MDS_DB_URL: jdbc:oracle:thin:DB Hostname:DB portno.:SID
    MDS_DB_SCHEMA_USERNAME: edg_mds
    WLSHOST: adminvhn.example.com
    WLSPORT: 7001
    WLSADMIN: weblogic
    DOMAIN_NAME: IDMDomain
    OIM_MANAGED_SERVER_NAME: WLS_OIM1
    DOMAIN_LOCATION: ORACLE_BASE/admin/IDMDomain/aserver/IDMDomain
    IDSTORE_LOGINATTRIBUTE: uid
    IDSTORE_SEARCHBASE: dc=us,dc=example,dc=com
    OIM_WEB_SERVER_HOST: tx401alu.us.example.com
    OIM_WEB_SERVER_PORT: 7777
    OAM11G_WLS_ADMIN_HOST: abc1234.us.example.com
    OAM11G_WLS_ADMIN_PORT: 9810
    OAM11G_WLS_ADMIN_USER: wasadmin
In the IBM WebSphere environment:
If Oracle Identity Manager (OIM) and Oracle Access Management (OAM) are configured in two different WebSphere cells, you must specify the following properties:
OAM11G_WLS_ADMIN_HOST
OAM11G_WLS_ADMIN_PORT
OAM11G_WLS_ADMIN_USER
If OIM and OAM are part of the same WebSphere cell, you do not have to specify these properties.
The following configOIM command properties are specific to WebSphere:
IDSTORE_SEARCHBASE - The identity store search base
OIM_WEB_SERVER_HOST - The IBM HTTP Server (IHS) host or Oracle HTTP Server (OHS) host
OIM_WEB_SERVER_PORT - The IBM HTTP Server (IHS) port or Oracle HTTP Server (OHS) port
./idmConfigTool.sh -postProvConfig input_file=postProvConfig.props
The properties for this command are the same as for the preConfigIDStore command.
Here is a sample properties file for this option:
IDSTORE_HOST: host01.example.com
IDSTORE_PORT: 3060
IDSTORE_BINDDN: cn=orcladmin
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com
IDSTORE_SEARCHBASE: dc=example,dc=com
IDSTORE_USERSEARCHBASE: cn=systemids,dc=example,dc=com
POLICYSTORE_CONTAINER: cn=FAPolicies
POLICYSTORE_HOST: host01.ca.example.com
POLICYSTORE_PORT: 3060
POLICYSTORE_BINDDN: cn=orcladmin
POLICYSTORE_READWRITEUSER: cn=PolicyRWUser,cn=systemids,dc=example,dc=com
OVD_HOST: host01.ca.example.com
OVD_PORT: 6501
OVD_BINDDN: cn=orcladmin
OIM_T3_URL: t3://host02.ca.example.com:14000
OIM_SYSTEM_ADMIN: abcdef
./idmConfigTool.sh -upgradeLDAPUsersForSSO input_file=input_Properties
Table 2-15 lists the command properties.
Table 2-15 Properties for upgradeLDAPUsersForSSO
Property | Required? |
---|---|
Here is a sample properties file for this option:
IDSTORE_HOST: idstore.example.com
IDSTORE_PORT: 389
IDSTORE_ADMIN_USER: cn=orcladmin
IDSTORE_DIRECTORYTYPE: OVD
IDSTORE_USERSEARCHBASE: cn=Users,dc=example,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com
PASSWORD_EXPIRY_PERIOD: 7300
IDSTORE_LOGINATTRIBUTE: uid
./idmConfigTool.sh -validate component=IDSTORE input_file=input_Properties
Table 2-16 lists the command properties.
Table 2-16 Properties for validate IDStore
Property | Required? |
---|---|
Here is a sample properties file for this option:
idstore.type: OID
idstore.host: acb21005.us.example.com
idstore.port: 3030
idstore.sslport: 4140
idstore.ssl.enabled: false
idstore.super.user: cn=weblogic_fa,cn=systemids,dc=example,dc=com
idstore.readwrite.username: cn=IDRWUser,cn=systemids,dc=example,dc=com
idstore.readonly.username: cn=IDROUser,cn=systemids,dc=example,dc=com
idstore.user.base: cn=Users,dc=example,dc=com
idstore.group.base: cn=Groups,dc=example,dc=com
idstore.seeding: true
idstore.post.validation: false
idstore.admin.group: cn=IDM Administrators,cn=Groups,dc=example,dc=com
idstore.admin.group.exists: true
./idmConfigTool.sh -validate component=POLICYSTORE input_file=input_Properties
Table 2-17 lists the command properties.
Table 2-17 Properties for validate policystore
Property | Required? |
---|---|
Here is a sample properties file for this option:
POLICYSTORE_HOST: node0316.example.com
POLICYSTORE_PORT: 3067
POLICYSTORE_SECURE_PORT: 3110
POLICYSTORE_IS_SSL_ENABLED: FALSE
POLICYSTORE_READ_WRITE_USERNAME: cn=PolicyRWUser,cn=systemids,dc=example,dc=com
POLICYSTORE_SEEDING: true
POLICYSTORE_JPS_ROOT_NODE: cn=jpsroot
POLICYSTORE_DOMAIN_NAME: dc=example,dc=com
./idmConfigTool.sh -validate component=OAM11g input_file=input_Properties
Note:
The tool prompts for the WebLogic administration server user password upon execution.
Table 2-18 lists the command properties.
Table 2-18 Properties for validate component=OAM11g
Property | Required? |
---|---|
Here is a sample properties file for this option, which validates the Access Manager server:
admin_server_host: abc5411405.ca.example.com
admin_server_port: 17001
admin_server_user: weblogic
IDSTORE_HOST: abc5411405.ca.example.com
IDSTORE_PORT: 3060
IDSTORE_IS_SSL_ENABLED: false
OAM11G_ACCESS_SERVER_HOST: abc5411405.ca.example.com
OAM11G_ACCESS_SERVER_PORT: 5575
OAM11G_IDSTORE_ROLE_SECURITY_ADMIN: OAMAdministrators
OAM11G_OIM_OHS_URL: http://abc5411405.ca.example.com:7779/
OAM11G_OIM_INTEGRATION_REQ: true
OAM11G_OAM_ADMIN_USER: oamadminuser
OAM11G_SSO_ONLY_FLAG: true
OAM11G_OAM_ADMIN_USER_PASSWD:
OAM11G_OAM_ADMIN_USER_PASSWD is left empty in this sample. Do not store the Access Manager administrator password in a properties file that remains on disk; if a value must be present, restrict the file to the account that runs the tool and remove it afterwards.
./idmConfigTool.sh -validate component=OAM10g input_file=input_Properties
Table 2-19 lists the command properties.
./idmConfigTool.sh -validate component=OIM11g input_file=input_Properties
Note:
The tool prompts for the WebLogic administration server user password upon execution.
Table 2-20 lists the command properties.
Table 2-20 Properties for validate component=OIM11g
Property | Required? |
---|---|
Here is a sample properties file for this option:
admin_server_host: node06.example.com
admin_server_port: 17111
admin_server_user: weblogic
oam_host: node06.example.com
oam_nap_port: 5575
idm.keystore.file: idm.keystore.file
idstore.user.base: cn=Users,dc=example,dc=com
idstore.group.base: cn=Groups,dc=example,dc=com
oim_is_ssl_enabled: false
OIM_HOST: node06.example.com
OIM_PORT: 1400
./idmConfigTool.sh -configOVD input_file=input_Properties
Table 2-21 lists the command properties (where n=1,2..).
Table 2-21 configOVD properties
Property | Required? |
---|---|
 | YES |
 | YES |
 | YES |
 | YES |
The content of the properties file for the configOVD command depends on the Oracle Virtual Directory configuration. This section provides some sample files.
Here is an example of the file named single.txt for a single-server configuration:
ovd.host:myhost.us.example.com
ovd.port:7000
ovd.binddn:cn=orcladmin
ovd.ssl:true
ldap1.type:OID
ldap1.host:myhost.us.example.com
ldap1.port:7000
ldap1.binddn:cn=oimadmin,cn=systemids,dc=example,dc=com
ldap1.ssl:false
ldap1.base:dc=example,dc=com
ldap1.ovd.base:dc=example,dc=com
usecase.type: single
When using this file, the command is invoked as follows. The bind passwords are entered at the prompts; they are not read from the properties file:
idmConfigTool -configOVD input_file=path/single.txt
Enter OVD password: password
Enter LDAP password: password
Here is an example of the file named split.txt for a split-profile server configuration:
ovd.host:myhost.us.example.com
ovd.port:7000
ovd.binddn:cn=orcladmin
ovd.ssl:true
ldap1.type:AD
ldap1.host:10.0.0.0
ldap1.port:7000
ldap1.binddn:administrator@idmqa.com
ldap1.ssl:true
ldap1.base:dc=idmqa,dc=com
ldap1.ovd.base:dc=idmqa,dc=com
usecase.type: split
ldap2.type:OID
ldap2.host:myhost.us.example.com
ldap2.port:7000
ldap2.binddn:cn=oimadmin,cn=systemids,dc=example,dc=com
ldap2.ssl:false
ldap2.base:dc=example,dc=com
ldap2.ovd.base:dc=example,dc=com
When using this file, the command is invoked as follows, with one password prompt per back-end directory:
idmConfigTool -configOVD input_file=path/split.txt
Enter OVD password: password
Enter LDAP1 password: password
Enter LDAP2 password: password
./idmConfigTool.sh -ovdConfigUpgrade input_file=input_Properties
Table 2-22 lists the command properties.
Table 2-22 ovdConfigUpgrade Properties
Property | Required? |
---|---|
Here is a sample properties file for this option, which upgrades the existing adapters:
ovd.host:abk005sjc.us.myhost.com
ovd.port:8801
ovd.binddn:cn=orcladmin
ovd.ssl:true
./idmConfigTool.sh -disableOVDAccessConfig input_file=input_Properties
Table 2-23 lists the command properties.
Table 2-23 disableOVDAccessConfig Properties
Property | Required? |
---|---|
Here is a sample properties file for this option, which disables anonymous access in Oracle Virtual Directory:
ovd.host:abc00def.ca.example.com
ovd.port:8501
ovd.binddn:cn=orcladmin
ovd.ssl:true
./idmConfigTool.sh -upgradeOIMTo11gWebgate input_file=input_Properties
This command uses the same properties that are required for the configOIM command, so the same properties file can work for both. See Table 2-14.
As indicated in that table, certain properties are required only when Oracle Identity Manager and Access Manager are configured on different WebLogic domains.
This section explains additional tasks you may need to perform when using idmConfigTool for a target Oracle Unified Directory (OUD) identity store in a high-availability environment. Topics include:
When you use idmConfigTool for an OUD identity store in a high availability (HA) environment that contains replicas, global ACIs and indexes are created only in the instance(s) specified in the property file; they are not replicated. You must manually re-create (remove, then create) these global ACIs and indexes on every other OUD instance of the replication domain.
On each replica the existing global ACI named "External changelog access" denies everyone access to cn=changelog, so you must first remove that deny rule and then create the ACI that grants the Oracle Identity Manager administrators group access to the changelog. Take these steps:
1. Create a file called mypassword which contains the password you use to connect to OUD. Make it readable only by the account that runs the commands (chmod 600 mypassword).
2. Remove the existing changelog ACI on one of the replicated OUD hosts. The command syntax is:
ORACLE_INSTANCE/bin/dsconfig set-access-control-handler-prop \
  --remove global-aci:"(target=\"ldap:///cn=changelog\")(targetattr=\"*\")(version 3.0; acl \"External changelog access\"; deny (all) userdn=\"ldap:///anyone\";)" \
  --hostname OUD Host \
  --port OUD Admin Port \
  --trustStorePath ORACLE_INSTANCE/config/admin-truststore \
  --bindDN cn=oudadmin \
  --bindPasswordFile mypassword \
  --no-prompt
For example:
ORACLE_INSTANCE/bin/dsconfig set-access-control-handler-prop \
  --remove global-aci:"(target=\"ldap:///cn=changelog\")(targetattr=\"*\")(version 3.0; acl \"External changelog access\"; deny (all) userdn=\"ldap:///anyone\";)" \
  --hostname OUDHOST1.example.com \
  --port 4444 \
  --trustStorePath /u01/app/oracle/admin/oud1/OUD/config/admin-truststore \
  --bindDN cn=oudadmin \
  --bindPasswordFile mypassword \
  --no-prompt
3. Add the new ACI:
dsconfig set-access-control-handler-prop \
  --add global-aci:"(target=\"ldap:///cn=changelog\")(targetattr=\"*\")(version 3.0; acl \"External changelog access\"; allow (read,search,compare,add,write,delete,export) groupdn=\"ldap:///cn=oimAdminGroup,cn=groups,dc=example,dc=com\";)" \
  --hostname OUD Host \
  --port OUD Admin Port \
  --trustAll \
  --bindDN cn=oudadmin \
  --bindPasswordFile mypassword \
  --no-prompt
For example:
dsconfig set-access-control-handler-prop \
  --add global-aci:"(target=\"ldap:///cn=changelog\")(targetattr=\"*\")(version 3.0; acl \"External changelog access\"; allow (read,search,compare,add,write,delete,export) groupdn=\"ldap:///cn=oimAdminGroup,cn=groups,dc=example,dc=com\";)" \
  --hostname OUDHOST1 \
  --port 4444 \
  --trustAll \
  --bindDN cn=oudadmin \
  --bindPasswordFile mypassword \
  --no-prompt
--trustAll accepts whatever certificate the administration connector presents. Where the instance's admin-truststore is at hand, pass --trustStorePath as in Step 2 instead.
Repeat Steps 1 through 3 on each remaining OUD instance of the replication domain.
When idmConfigTool prepares the identity store, it creates a number of indexes on the data. In a high availability (HA) environment that contains replicas, however, global ACIs and indexes are created only in the instance(s) specified in the property file; the replicas do not receive the indexes, which must be added manually.
The steps are as follows (with LDAPHOST1.example.com representing the first OUD server, LDAPHOST2.example.com the second server, and so on):
1. Create a file called mypassword which contains the password you use to connect to OUD, readable only by the account that runs the commands.
2. Configure the indexes on the second OUD server:
ORACLE_INSTANCE/OUD/bin/ldapmodify -h LDAPHOST2.example.com -Z -X -p 4444 -a -D "cn=oudadmin" -j mypassword -c -f /u01/app/oracle/product/fmw/iam/oam/server/oim-intg/ldif/ojd/schema/ojd_user_index_generic.ldif
and
ORACLE_INSTANCE/OUD/bin/ldapmodify -h LDAPHOST2.example.com -Z -X -p 4444 -a -D "cn=oudadmin" -j mypassword -c -f /u01/app/oracle/product/fmw/iam/idmtools/templates/oud/oud_indexes_extn.ldif
Notes:
Repeat both commands for all OUD servers for which idmConfigTool was not run.
Execute the commands on one OUD instance at a time; that instance must be shut down while the commands are running.
-Z makes the connection use SSL and -X accepts any server certificate. To verify the administration connector's certificate instead, replace -X with -P ORACLE_INSTANCE/OUD/config/admin-truststore.
3. Rebuild the indexes on all the servers:
ORACLE_INSTANCE/OUD/bin/rebuild-index -h localhost -p 4444 -X -D "cn=oudadmin" -j mypassword --rebuildAll -b "dc=example,dc=com"
Note:
You must run this command on all OUD servers, including the first server (LDAPHOST1.example.com) for which idmConfigTool was run.
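The two procedures above (re-creating the changelog ACI, then loading and rebuilding the indexes) have to be repeated on every replica idmConfigTool did not touch, and the ACI strings are long enough that hand-editing them through shell quoting is where mistakes creep in. The following is an added example, not part of idmConfigTool or of Oracle's documentation: it builds the dsconfig, ldapmodify and rebuild-index invocations from both procedures as argv lists, so each global-aci value is passed as one argument and never re-parsed by a shell, checks the bind password file's permissions, and fans the sequence out over a list of replicas. Host names, the group DN, the admin port and the LDIF paths are the placeholders used in this section; the ORACLE_INSTANCE layout (OUD/bin, OUD/config) is taken from the page's ldapmodify and truststore paths and is an assumption of this example.

```python
"""Replay the OUD replica fix-ups from this section on every replica.

Added example; not part of idmConfigTool or of the Oracle documentation. It
builds the dsconfig, ldapmodify and rebuild-index invocations described above
as argv lists, so each global-aci value travels as a single argument and is
never re-parsed by a shell. Host names, group DN, password file, admin port and
LDIF paths are the placeholders used in this section; the ORACLE_INSTANCE layout
(OUD/bin, OUD/config) is an assumption taken from the page's own paths.
"""
import os
import shlex
import stat
import subprocess
from typing import List, Optional, Sequence

# The two "External changelog access" ACIs from the procedure above: the deny rule
# present on each replica, and the allow rule for the OIM administrators group.
_CHANGELOG_PREFIX = ('(target="ldap:///cn=changelog")(targetattr="*")'
                     '(version 3.0; acl "External changelog access"; ')
DENY_ANYONE_ACI = _CHANGELOG_PREFIX + 'deny (all) userdn="ldap:///anyone";)'


def allow_group_aci(group_dn: str) -> str:
    """Allow rule granting the given group full changelog access."""
    return (_CHANGELOG_PREFIX + 'allow (read,search,compare,add,write,delete,export) '
            f'groupdn="ldap:///{group_dn}";)')


def _trust_args(long_form: bool, truststore: Optional[str]) -> List[str]:
    """Pin the admin connector certificate when a truststore is given; trust-all is the fallback."""
    if truststore:
        return ["--trustStorePath" if long_form else "-P", truststore]
    return ["--trustAll" if long_form else "-X"]


def dsconfig_aci_cmd(oracle_instance: str, host: str, admin_port: int, action: str,
                     aci: str, password_file: str, bind_dn: str = "cn=oudadmin",
                     truststore: Optional[str] = None) -> List[str]:
    """dsconfig set-access-control-handler-prop --remove/--add global-aci:<aci> (Steps 2 and 3)."""
    if action not in ("--remove", "--add"):
        raise ValueError("action must be --remove or --add")
    return [f"{oracle_instance}/OUD/bin/dsconfig", "set-access-control-handler-prop",
            action, f"global-aci:{aci}",
            "--hostname", host, "--port", str(admin_port),
            *_trust_args(True, truststore),
            "--bindDN", bind_dn, "--bindPasswordFile", password_file, "--no-prompt"]


def ldapmodify_cmd(oracle_instance: str, host: str, admin_port: int, password_file: str,
                   ldif: str, bind_dn: str = "cn=oudadmin",
                   truststore: Optional[str] = None) -> List[str]:
    """ldapmodify over SSL (-Z) loading one index LDIF, continuing past errors (-c)."""
    return [f"{oracle_instance}/OUD/bin/ldapmodify", "-h", host, "-Z", *_trust_args(False, truststore),
            "-p", str(admin_port), "-a", "-D", bind_dn, "-j", password_file, "-c", "-f", ldif]


def rebuild_index_cmd(oracle_instance: str, admin_port: int, password_file: str,
                      base_dn: str, bind_dn: str = "cn=oudadmin") -> List[str]:
    """rebuild-index --rebuildAll; talks to localhost, so it is run on every server."""
    return [f"{oracle_instance}/OUD/bin/rebuild-index", "-h", "localhost", "-p", str(admin_port),
            "-X", "-D", bind_dn, "-j", password_file, "--rebuildAll", "-b", base_dn]


def replica_commands(oracle_instance: str, host: str, admin_port: int, password_file: str,
                     group_dn: str, ldifs: Sequence[str],
                     truststore: Optional[str] = None) -> List[List[str]]:
    """ACI remove + add, then the index LDIF loads, for one replica idmConfigTool skipped."""
    steps = [
        dsconfig_aci_cmd(oracle_instance, host, admin_port, "--remove", DENY_ANYONE_ACI,
                         password_file, truststore=truststore),
        dsconfig_aci_cmd(oracle_instance, host, admin_port, "--add", allow_group_aci(group_dn),
                         password_file, truststore=truststore),
    ]
    steps += [ldapmodify_cmd(oracle_instance, host, admin_port, password_file, ldif,
                             truststore=truststore) for ldif in ldifs]
    return steps


def password_file_mode_ok(mode: int) -> bool:
    """The bind password file must not be readable by group or other (chmod 600)."""
    return (stat.S_IMODE(mode) & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def run(commands: Sequence[Sequence[str]], password_file: str, dry_run: bool = True) -> None:
    """Print (dry run) or execute the commands; list form means no shell touches the ACI."""
    if not dry_run and not password_file_mode_ok(os.stat(password_file).st_mode):
        raise PermissionError(f"{password_file} is group/world readable; chmod 600 it first")
    for cmd in commands:
        if dry_run:
            print(" ".join(shlex.quote(arg) for arg in cmd))
        else:
            subprocess.run(cmd, check=True)


if __name__ == "__main__":
    INSTANCE = "/u01/app/oracle/admin/oud1"  # assumed instance root, as in the page's example
    LDIFS = ["/u01/app/oracle/product/fmw/iam/oam/server/oim-intg/ldif/ojd/schema/ojd_user_index_generic.ldif",
             "/u01/app/oracle/product/fmw/iam/idmtools/templates/oud/oud_indexes_extn.ldif"]
    for replica in ("LDAPHOST2.example.com", "LDAPHOST3.example.com"):  # hosts idmConfigTool skipped
        run(replica_commands(INSTANCE, replica, 4444, "mypassword",
                             "cn=oimAdminGroup,cn=groups,dc=example,dc=com", LDIFS,
                             truststore=f"{INSTANCE}/OUD/config/admin-truststore"), "mypassword")
    # rebuild-index is local to each server: run this on every host, LDAPHOST1 included.
    run([rebuild_index_cmd(INSTANCE, 4444, "mypassword", "dc=example,dc=com")], "mypassword")
```

The default is a dry run that prints shell-quoted command lines you can paste and compare against the documented ones; switch to dry_run=False only on the OUD host itself, after confirming the printed sequence and that mypassword is mode 600.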