4 Managing Oracle Identity Manager on IBM WebSphere

This chapter contains information about managing Oracle Identity Manager on IBM WebSphere Application Server. It contains the following sections:

4.1 Conventions Used in this Document

Table 4-1 lists and describes conventions used in this document:

Table 4-1 Conventions Used in this Document

Convention Description

OIM_HOME

Represents the directory where the Oracle Identity Manager server is installed.

OIM_ORACLE_HOME

Represents an environment variable that identifies the directory where Oracle Identity Manager is installed. This variable is used for various Oracle Identity Manager scripts.

WAS_HOME

Represents the directory where the IBM WebSphere Application Server is installed.

WAS_CLIENT_HOME

Represents the directory where the IBM WebSphere Application Client is installed.

MW_HOME

Represents the directory where Oracle Fusion Middleware is installed.

COMMON_COMPONENTS_HOME

The Common Components home contains the binary and library files required for Fusion Middleware Control and Java Required Files (JRF). For example, MW_HOME/oracle_common.

Custom01 | Custom02

Represents the name of a custom profile.

Dmgr01 | Dmgr02

Represents the name of a Deployment Manager profile.

OIM_DC_HOME

Represents the directory where the Oracle Identity Manager Design Console is installed.

OIM_RM_HOME

Represents the directory where the Oracle Identity Manager Remote Manager is installed.

OIM_CELL_NAME

Represents the IBM WebSphere Application Server cell where the Oracle Identity Manager Server is located.

JAVA_HOME

Represents the location of the IBM Java Runtime directory for the Oracle Identity Manager server. Note that in some procedures, JAVA_HOME can represent the location of the IBM Java Runtime directory for the Oracle Identity Manager Remote Manager.

RBACX_HOME

Represents the directory where Oracle Identity Analytics is installed.

ANT_HOME

Represents the directory where Apache Ant is installed.


4.2 System Requirements and Certified Components

Before deploying and using Oracle Identity Manager, you must ensure that your environment meets the minimum installation requirements. For information about hardware and software requirements, minimum disk space and memory requirements, and required system libraries, packages, or patches, review the system requirements document at the following URL:

http://www.oracle.com/technetwork/middleware/ias/downloads/fusion-requirements-100147.html

The following URL contains information about supported installation types, platforms, operating systems, databases, JDKs, and third-party products for Oracle Fusion Middleware:

http://www.oracle.com/technetwork/middleware/ias/downloads/fusion-certification-100350.html

In addition, see "Patch Requirements" in the Oracle Fusion Middleware Release Notes for information about the patches required for Oracle Identity Manager.

Note:

  • Minimum memory requirement for setting up Oracle Identity Manager on IBM WebSphere Application Server is 8 GB.

  • BI Publisher reports on WebSphere are not certified for Oracle Identity Manager 11g Release 2 (11.1.2.1.0).

4.3 Installing Oracle Identity Manager on IBM WebSphere

This section describes how to install Oracle Identity Manager on IBM WebSphere in the following configurations:

4.3.1 Configuring Oracle Identity Manager for Single-Node Setup

As a part of installing Oracle Identity Manager, after cell configuration is performed as described in Chapter 2, "Installing and Configuring Oracle Identity and Access Management on IBM WebSphere", you must configure Oracle Identity Manager. To do so:

  1. Use the Oracle Fusion Middleware Configuration Wizard to create the Oracle Identity Manager cell, as described in Section 2.8, "Task 8: Configure Your Oracle Identity and Access Management Components in a New IBM WebSphere Cell".

  2. Run the copy_jars.sh script. For example:

    cd $OIM_HOME/server/wasconfig
    ./copy_jars.sh
    

    Note:

    Before you run the copy_jars.sh script, ensure that the WAS_HOME, COMMON_COMPONENTS_HOME, and OIM_ORACLE_HOME variables are set. COMMON_COMPONENTS_HOME represents the location of the Oracle Fusion Middleware common directory, such as MW_HOME/oracle_common; OIM_ORACLE_HOME represents the location where the Oracle Identity Manager Server is installed, such as MW_HOME/Oracle_IDM1; and WAS_HOME represents the location where WebSphere is installed, such as IBM/WebSphere/AppServer.

  3. Start, stop, and synchronize the Node Agent as follows:

    $WAS_HOME/profiles/Custom01/bin/stopNode.sh -username USER_NAME -password PASSWORD
    $WAS_HOME/profiles/Dmgr01/bin/startManager.sh
    $WAS_HOME/profiles/Custom01/bin/syncNode.sh DMGR_HOST DMGR_SOAP_PORT -username USER_NAME -password PASSWORD
    $WAS_HOME/profiles/Custom01/bin/startNode.sh
    

    Note:

    Make sure that the Node Manager and the Deployment Manager are up and running without issues.

  4. Stop the Node Manager and the Deployment Manager before configuring the DB policy store, as shown:

    $WAS_HOME/profiles/Custom01/bin/stopNode.sh -username USER_NAME -password PASSWORD
    $WAS_HOME/profiles/Dmgr01/bin/stopManager.sh -username USER_NAME -password PASSWORD
    
  5. Perform database policy migration by referring to Section 2.9, "Task 9: Configure the Database Security Store".

  6. Start the Deployment Manager. To do so, run the following command in the IBM WebSphere home:

    For UNIX, run:

    profiles/dmgr_profileName/bin/startManager.sh
    

    For example, on the UNIX operating system, run:

    /disk01/IBM/WebSphere/AppServer/profiles/Dmgr01/bin/startManager.sh
    
  7. Start the Node Manager by running the following command:

    $WAS_HOME/profiles/Custom01/bin/startNode.sh
    
  8. Run the seed_opss_permission.sh script as follows:

    cd $OIM_HOME/server/wasconfig/
    sh seed_opss_permission.sh
    

    Note:

    • Before you run the seed_opss_permission.sh script, ensure that the WAS_HOME, COMMON_COMPONENTS_HOME, and OIM_ORACLE_HOME variables are set. COMMON_COMPONENTS_HOME represents the location of the Oracle Fusion Middleware common directory, such as IDM_HOME/oracle_common/, and OIM_ORACLE_HOME represents the location where the Oracle Identity Manager Server is installed.

    • The script will prompt you to enter values for the following:

      Enter Deployment Manager Profile Name [Ex: Dmgr01]:
      Enter Deployment Manager host name:
      Enter Deployment Manager SOAP Port:
      Enter WebpSphere Administrator username:
      Enter the WebpSphere Administrator password:
      
    • On running the seed_opss_permission.sh script, you might encounter the following warning message that you can ignore:

      Failed to import script libraries modules: COMMON_COMPONENTS_HOME/common/wsadmin/wsmAgent.py; Examine the wsadmin log file to determine the problem.
      
  9. Stop, synchronize, and start the node, and start the SOA server. For example:

    $WAS_HOME/profiles/Custom01/bin/stopNode.sh -username WAS_ADMIN_USER_NAME -password WAS_ADMIN_PASSWORD
    $WAS_HOME/profiles/Custom01/bin/syncNode.sh DMGR_HOST DMGR_SOAP_PORT -username WAS_ADMIN_USER_NAME -password WAS_ADMIN_PASSWORD
    $WAS_HOME/profiles/Custom01/bin/startNode.sh 
    $WAS_HOME/profiles/Custom01/bin/startServer.sh soa_server1
    
  10. Use the Oracle Universal Installer Configuration Assistant to configure the Oracle Identity Manager Server, Design Console, and Remote Manager.

    Start the configuration assistant as follows:

    cd $OIM_HOME/bin
    ./config.sh -jreLoc LOCATION_OF_IBM_JRE -DSHOW_APPSERVER_TYPE_SCREEN=true
    

    Note:

    You must run the Configuration Assistant on each machine where you installed an Oracle Identity Manager component. For example, on the machine hosting the Oracle Identity Manager server, the machine hosting the Oracle Identity Manager Design Console, and the machine hosting the Oracle Identity Manager Remote Manager.

    On the Components to Configure screen, select the components that you want to configure. On the Database screen, provide the connect string and user names and passwords for Oracle Identity Manager and MDS schema.

    Table 4-2 provides information about specific Configuration Assistant screens and appropriate information to enter on those screens—the table does not cover self-explanatory, standard screens.

    Table 4-2 Information for Specific Configuration Assistant Screens

    Screen Name Input Description

    Application Server

    Be sure to select WebSphere

    WebSphere AS Details

    • The WAS Cell home location is:

      $WAS_HOME/profiles/Dmgr01/config/cells/CELL_NAME
      
    • You can identify the WAS Admin URL port from the Management bootstrap port entry in the following file:

      $WAS_HOME/profiles/Dmgr01/logs/AboutThisProfile.txt
      
    • You can identify the WAS Admin Soap Port from the following file:

      $WAS_HOME/profiles/Dmgr01/logs/AboutThisProfile.txt
      
    • The WAS Admin Name and WAS Admin Password are the same as you used to create the cell.

    OIM Server

    Use the default value provided in the OIM HTTP URL field.


  11. On the OIM Server Details page, enter the OIM Server admin password, the keystore password, and the URL information. Continue until the configuration has finished.

  12. Copy wf_client_config.xml.template from $OIM_HOME/server/wasconfig/ directory to $WAS_HOME/lib/ext as wf_client_config.xml. For example:

    cp $OIM_HOME/server/wasconfig/wf_client_config.xml.template $WAS_HOME/lib/ext/wf_client_config.xml

    Update the wf_client_config.xml file with the SOA Server host name and its bootstrap port in the <serverURL> tag. For example:

    <serverURL>corbaloc:iiop:localhost:2800</serverURL>
    

    Tip:

    You can identify the SOA bootstrap port by performing the following steps:

    1. Log in to IBM WebSphere Administrative Console.

    2. Select Servers, Server Types, Web Application Servers.

    3. Click the SOA Server name.

    4. In the Communications Group area, click Ports.

      The value of BOOTSTRAP_ADDRESS is the SOA Server bootstrap port.

  13. Stop the servers if they are running. For example:

    $WAS_HOME/profiles/Custom01/bin/stopServer.sh soa_server1 -username WAS_ADMIN_USERNAME -password WAS_ADMIN_PASSWORD
    $WAS_HOME/profiles/Custom01/bin/stopNode.sh -username WAS_ADMIN_USERNAME -password WAS_ADMIN_PASSWORD
    $WAS_HOME/profiles/Dmgr01/bin/stopManager.sh -username WAS_ADMIN_USERNAME -password WAS_ADMIN_PASSWORD
    
  14. Start the servers. For example:

    Note:

    Be sure to execute the syncNode script, because it transfers xldatabasekey to the Custom01 profile.

    $WAS_HOME/profiles/Dmgr01/bin/startManager.sh
    $WAS_HOME/profiles/Custom01/bin/syncNode.sh DMGR_HOST DMGR_SOAP_PORT -username WAS_ADMIN_USERNAME -password WAS_ADMIN_PASSWORD
    $WAS_HOME/profiles/Custom01/bin/startNode.sh
    $WAS_HOME/profiles/Custom01/bin/startServer.sh soa_server1
    $WAS_HOME/profiles/Custom01/bin/startServer.sh oim_server1
    $WAS_HOME/profiles/Custom01/bin/startServer.sh OracleAdminServer
    
  15. If the Oracle Identity Manager administrator user is different from the WebSphere administrator user, then perform the following steps:

    1. In the navigator pane of Enterprise Fusion Middleware Control, expand WebSphere Cell to view the cells.

    2. Select the cell on which Oracle Identity Manager and SOA are configured.

    3. Right-click the cell name, and select Web Services, Platform Policy Configuration.

    4. In the Add New Configure Property window, specify the following values, and then click OK.

      • In the Name field, enter jndi.lookup.csf.key.

      • In the Value field, enter admin-csf-key.

    5. Create a .py file, for example was_admin.py, with the following content:

      # Store the admin user's credentials in the credential store under the key named in the jndi.lookup.csf.key property
      Opss.createCred(map='oracle.wsm.security', key='admin-csf-key', user='ADMIN_USER_NAME', password='ADMIN_PASSWORD', desc='wsm-pm admin user csf-key')
      # Map the wsm-pm application roles to the admin user; each option string must stay on a single line
      AdminApp.edit('wsm-pm', '[-MapRolesToUsers [[policy.Updater AppDeploymentOption.No AppDeploymentOption.No ADMIN_USER_NAME "" AppDeploymentOption.No "user:ADMIN_USER_NAME" "" ]]]')
      AdminApp.edit('wsm-pm', '[ -MapRolesToUsers [[policy.Accessor AppDeploymentOption.No AppDeploymentOption.No ADMIN_USER_NAME "" AppDeploymentOption.No " |user:ADMIN_USER_NAME" "" ]]]')
      AdminApp.edit('wsm-pm', '[ -MapRolesToUsers [[policy.User AppDeploymentOption.No AppDeploymentOption.No ADMIN_USER_NAME "" AppDeploymentOption.No "user:ADMIN_USER_NAME" "" ]]]')
      AdminApp.edit('wsm-pm', '[ -MapRolesToUsers [[policyViewer AppDeploymentOption.No AppDeploymentOption.No ADMIN_USER_NAME "" AppDeploymentOption.No " |user:ADMIN_USER_NAME" "" ]]]')
      # Persist the configuration changes to the master repository
      AdminConfig.save()
      

      Replace ADMIN_USER_NAME and ADMIN_PASSWORD with the admin user credentials.

    6. Run the following script:

      $COMMON_COMPONENTS_HOME/common/bin/wsadmin.sh \
          -profileName DMGR_PROFILE_NAME -conntype SOAP -host DMGR_HOSTNAME -port DMGR_SOAP_PORT \
          -user WEBSPHERE_ADMIN -password WEBSPHERE_ADMIN_PASSWORD -f was_admin.py
      
    7. Restart all the servers.

  16. For additional postinstallation configuration of Oracle Identity Manager, perform the steps described in Section 4.4, "Performing Postinstallation Configuration on IBM WebSphere" and Section 4.6.1, "URL Changes Related to Oracle Identity Manager".

4.3.1.1 Installing and Configuring the Design Console

Perform the following step after the Design Console installs, but before you start it:

To install the Design Console on Microsoft Windows:

  1. Install the App client by referring to IBM documentation.

  2. Install fix packs by referring to IBM documentation.

  3. Update the following properties in the WAS_CLIENT_HOME/properties/sas.client.props file.

    Edit the values as follows. Note that com.ibm.CORBA.securityServerPort represents the Oracle Identity Manager bootstrap port:

    com.ibm.CORBA.securityServerHost=OIM_HOSTNAME
    com.ibm.CORBA.securityServerPort=OIM_BOOTSTRAP_PORT
    com.ibm.CORBA.loginSource=none
    
  4. Install Design Console on Microsoft Windows. To do so:

    Note:

    Make sure that Appclient is installed.

    1. Install Oracle Identity Manager by running the installer. To do so, open a command prompt in Windows, and run the Oracle Identity Manager installer, as shown:

      c:\setup.exe -jreLoc LOCATION_OF_IBM_JDK
      
    2. Start the configuration assistant as follows:

      cd OIM_HOME\bin
      config.bat -jreLoc LOCATION_OF_IBM_JDK -enableWAS
      
    3. Configure the following:

      • Select Design Console.

      • Enter the Oracle Identity Manager host name and port number.

        Tip:

        The port number is the Oracle Identity Manager server's bootstrap address. To check this:

        1. Log in to the WebSphere Network Deployment Manager Console.

        2. Go to Servers, Server Types, WebSphere Application Servers, click oim_server, and expand Ports.

        3. Check the BOOTSTRAP_ADDRESS port.

    4. Continue and finish the wizard.

4.3.1.2 (OPTIONAL) Installing the Oracle Identity Manager Remote Manager on a Separate System

When you install the Oracle Identity Manager Remote Manager as a part of the Oracle Identity Manager installation, the Remote Manager is installed on the same host as Oracle Identity Manager. In typical Oracle Identity Manager environments, the Remote Manager is deployed on a separate host, not on the same host as Oracle Identity Manager.

If desired, you can perform the following steps to install the Remote Manager on a separate system:

Note:

Make sure that WebSphere Application Server is installed. In addition, ensure that the separate system for the Remote Manager has the IBM JRE installed on it. If it does not, then install it.

  1. Start the installer using the following command:

    cd iamsuite/Disk1
    ./runInstaller -jreLoc LOCATION_OF_IBM_JRE
    

    Note:

    When the Install Software Updates installer screen is displayed, you must select the Skip Software Updates option.

  2. Start the configuration assistant as follows:

    cd $OIM_HOME/bin
    config.bat -jreLoc LOCATION_OF_IBM_JDK -enableWAS
    
  3. In the Components to Configure page, select Remote Manager.

  4. Select WebSphere as the application server.

  5. Provide OIM server host and port details. Enter values for Remote Name, Listening Port number, and RMI Port number.

  6. Continue and finish the wizard.

4.3.1.3 Installing the Diagnostic Dashboard

To install the Diagnostic Dashboard:

  1. Log in to the IBM WebSphere Administrative Console.

  2. Expand Applications, and click WebSphere enterprise applications.

  3. Click Install.

  4. Select Remote file system.

  5. Enter the complete path to the XIMDD.ear file. The XIMDD.ear file is available in the $OIM_HOME/server/webapp/optional/ directory. Then, click Next.

  6. Choose Fast Path to install the application.

  7. Click Next in the Select installation options.

  8. Check the Select option in the Map modules to servers page, and click Next.

  9. Click Next in the Map virtual hosts for Web modules page.

  10. Click Finish in the Summary page.

  11. Save the changes.

4.3.2 Installing Oracle Identity Manager for a Clustered Configuration

This section describes how to install Oracle Identity Manager on IBM WebSphere in a clustered configuration. By performing the steps in this section, you will create a configuration as described in Table 4-3.

Table 4-3 Overview of Clustered Configuration

Deployment Manager Machine:

  • WebSphere Deployment Manager

  • WebSphere Node1

  • OracleAdminServer

  • OIM_SERVER_1

  • SOA_SERVER_1

WebSphere Node 2 Machine:

  • WebSphere Node2

  • OIM_SERVER_2

  • SOA_SERVER_2

Design Console Machine:

  • Oracle Identity Manager Design Console


To install Oracle Identity Manager on IBM WebSphere in a clustered configuration:

  1. Install and patch Oracle Database. For Oracle Database patch requirements, see "Patch Requirements" in the Oracle Fusion Middleware Release Notes.

  2. Install the Oracle Fusion Middleware Repository Creation Utility (RCU). For more information, see "Obtaining and Running Repository Creation Utility" in the Oracle Fusion Middleware Repository Creation Utility User's Guide.

  3. Create and load the Identity Management - Oracle Identity Manager schema into the database using the Oracle Fusion Middleware Repository Creation Utility (RCU). For more information, refer to the following documents:

    • Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management

    • Oracle Fusion Middleware Repository Creation Utility User's Guide

  4. Make sure that IBM HTTP Server (IHS) is available. To install and set up IHS:

    1. Install IHS on the Deployment Manager Machine with the appropriate HTTP host and Admin port.

    2. Provide webserver1 as the web server name.

    3. The IHS setup prompts you to configure and generate the default plug-in configuration. Select Yes to generate the default plug-in configuration.

    4. After the setup is complete, start IHS by running the following command:

      IHS_INSTALL_DIRECTORY/bin/apachectl start
      
    5. Verify that the IHS Welcome page is displayed by navigating to the following URL:

      http://IHS_HOSTNAME:PORT_NUMBER

    Note:

    See Section 4.4.6, "Performing Postinstallation Configuration of IHS (Optional)" for post-installation configuration of IHS.

  5. On Deployment Manager Machine and WebSphere Node 2 Machine, install IBM WebSphere Application Server Network Deployment 7.0 with fix pack 23 by referring to IBM documentation.

  6. On Design Console Machine, install IBM WebSphere Application Client 7.0 with fix pack 23 to host the Oracle Identity Manager Design Console. Refer to IBM documentation for more information about installing IBM WebSphere Application Client.

  7. On Deployment Manager Machine and WebSphere Node 2 Machine, install Oracle SOA Suite 11.1.1.6.0. For more information, refer to the "Installing Oracle SOA Suite (Oracle Identity Manager Users Only)" section of the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management. In addition, apply the SOA patches listed in "Mandatory Patches Required for Installing Oracle Identity Manager" of the Oracle Fusion Middleware Release Notes.

    Note:

    Make sure to use the WebSphere Application Server JRE when installing SOA.

  8. On Deployment Manager Machine and WebSphere Node 2 Machine, install Oracle Identity Manager. For more information about installing Oracle Identity Manager, refer to the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

    To start the installer, run:

    cd iamsuite/Disk1
    ./runInstaller -jreLoc LOCATION_OF_IBM_JRE -DSHOW_APPSERVER_TYPE_SCREEN=true
    

    Note:

    When the Install Software Updates installer screen appears, you must select the Skip Software Updates option.

  9. On the Deployment Manager Machine, use the Oracle Fusion Middleware Configuration Wizard to create the Oracle Identity Manager cell. By default, the Configuration Wizard is located at:

    MW_HOME/Oracle_IDM1/common/bin/was_config.sh

    For more information, refer to the Oracle Fusion Middleware Configuration Guide for IBM WebSphere Application Server.

    Table 4-4 provides information about specific Configuration Wizard screens and appropriate information to enter on those screens—the table does not cover self-explanatory, standard screens.

    Table 4-4 Information for Specific Configuration Wizard Screens

    Screen Name Input Description

    Select Configuration Option

    Create and configure cell.

    Add Products to Cell

    Select Oracle Identity Manager for WebSphere ND.

    The SOA/EM template and other dependent templates should also be selected.

    Select Optional Configuration

    At a minimum, you must select the Application Servers, Clusters and End Points option—this is a required option.

    Configure Application Servers

    Perform the following steps:

    1. In the Name field, enter a name for the Oracle Identity Manager server, for example, OIM_SERVER_1.

    2. In the Node Name list, select the Node Agent for OIM_SERVER_1. For example: WebSphere Node1.

    3. In the Name field, enter a name for the Oracle SOA Suite server, for example, SOA_SERVER_1.

    4. In the Node Name list, select the Node Agent for SOA_SERVER_1. For example: WebSphere Node1.

    Configure Clusters Screen

    Perform the following steps:

    1. Click Add.

    2. Enter a name for the cluster in the cluster name field, for example: SOACluster.

    3. Select the appropriate SOA server from the First cluster member list.

    4. Click Add.

    5. Enter a name for the cluster in the cluster name field, for example: OIMCluster.

    6. Select the appropriate Oracle Identity Manager server from the First cluster member list.

    Configure Additional Cluster Members

    Click Next, or optionally, add servers to an existing system in the cluster.


  10. On the Deployment Manager Machine, execute the copy_jars.sh script. For example:

    cd $OIM_HOME/server/wasconfig
    ./copy_jars.sh
    

    Note:

    Before you execute the copy_jars.sh script, ensure that the WAS_HOME, COMMON_COMPONENTS_HOME, and OIM_ORACLE_HOME variables are set. COMMON_COMPONENTS_HOME represents the location of the Oracle Fusion Middleware common directory, such as MW_HOME/oracle_common; OIM_ORACLE_HOME represents the location where the Oracle Identity Manager Server is installed, such as MW_HOME/Oracle_IDM1; and WAS_HOME represents the location where WebSphere is installed, such as IBM/WebSphere/AppServer.

  11. On the Deployment Manager Machine, start, stop, and synchronize the IBM WebSphere nodes as follows:

    $WAS_HOME/profiles/Custom01/bin/stopNode.sh
    $WAS_HOME/profiles/Dmgr01/bin/startManager.sh
    $WAS_HOME/profiles/Custom01/bin/syncNode.sh DMGR_HOST DMGR_SOAP_PORT
    $WAS_HOME/profiles/Custom01/bin/startNode.sh
    

    To find the value to use for DMGR_SOAP_PORT, see the $WAS_HOME/profiles/Dmgr01/logs/AboutThisProfile.txt file, which lists the ports of the Deployment Manager profile.

    Note:

    When you start, stop, and synchronize the IBM WebSphere nodes, you must:

    • Use the user name and password that you used to create the cell.

    • Execute syncNode.sh. If you do not, some applications will not be deployed correctly.

    • Execute syncNode.sh from the following directory:

      $WAS_HOME/profiles/Custom01/bin
      
  12. On the Deployment Manager Machine, perform database policy migration by referring to step 1 of Section 2.9, "Task 9: Configure the Database Security Store".

  13. Start, stop, and synchronize the WebSphere nodes by running the following commands:

    $WAS_HOME/profiles/Custom01/bin/stopNode.sh
    $WAS_HOME/profiles/Dmgr01/bin/stopManager.sh
    $WAS_HOME/profiles/Dmgr01/bin/startManager.sh
    $WAS_HOME/profiles/Custom01/bin/syncNode.sh DMGR_HOST DMGR_SOAP_PORT
    $WAS_HOME/profiles/Custom01/bin/startNode.sh
    
  14. On the Deployment Manager Machine, execute the seed_opss_permission.sh script as follows:

    cd $OIM_HOME/server/wasconfig/
    sh seed_opss_permission.sh
    

    Note:

    • Before you execute the seed_opss_permission.sh script, ensure that the WAS_HOME, COMMON_COMPONENTS_HOME, and OIM_ORACLE_HOME variables are set. COMMON_COMPONENTS_HOME represents the location of the Oracle Fusion Middleware common directory, such as IDM_HOME/oracle_common/, and OIM_ORACLE_HOME represents the location where the Oracle Identity Manager Server is installed.

    • The script will prompt you to enter values for the following:

      Enter Deployment Manager Profile Name [Ex: Dmgr01]:
      Enter Deployment Manager host name:
      Enter Deployment Manager SOAP Port:
      Enter WebpSphere Administrator username:
      Enter the WebpSphere Administrator password:
      
    • On running the seed_opss_permission.sh script, you might encounter the following error message:

      Failed to import script libraries modules: COMMON_COMPONENTS_HOME/common/wsadmin/wsmAgent.py; Examine the wsadmin log file to determine the problem.
      

      When you encounter this error, check the system-jazn-data.xml file to ensure that the required permissions have been granted to oim_customreg.jar. If they have not been granted, then you must add the grant manually. To do so:

      i) Open the WAS_HOME/profiles/Dmgr01/config/cells/OIM_CELL_NAME/fmwconfig/system-jazn-data.xml file.

      ii) Search for the following entry. If this entry does not exist in system-jazn-data.xml, then add it manually. Make sure to replace OIM_ORACLE_HOME with the actual path.

      <grant>
        <grantee>
          <codesource>
            <url>file:OIM_ORACLE_HOME/server/loginmodule/was/oim_customreg.jar</url>
          </codesource>
        </grantee>
        <permissions>
          <permission>
            <class>oracle.security.jps.service.credstore.CredentialAccessPermission</class>
            <name>context=SYSTEM,mapName=oim,keyName=*</name>
            <actions>read,write,delete</actions>
          </permission>
          <permission>
            <class>oracle.security.jps.service.credstore.CredentialAccessPermission</class>
            <name>context=SYSTEM,mapName=oracle.wsm.security,keyName=*</name>
            <actions>read,write,delete</actions>
          </permission>
        </permissions>
      </grant>
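
      To verify this grant without reading the file by hand, the following Python checker is an added example (it is not part of the Oracle documentation or of the seed_opss_permission.sh script). It parses a system-jazn-data.xml, finds the grant whose codesource URL ends in oim_customreg.jar, and reports which of the required CredentialAccessPermission actions on the oim and oracle.wsm.security credential maps are missing. The embedded sample document is constructed for the example with a placeholder namespace, and the file path passed to check_file is an assumption.

```python
import xml.etree.ElementTree as ET

# Permissions the page requires for the oim_customreg.jar codesource:
# CredentialAccessPermission on the "oim" and "oracle.wsm.security" maps,
# each with the read, write and delete actions.
CRED_PERMISSION_CLASS = "oracle.security.jps.service.credstore.CredentialAccessPermission"
REQUIRED_GRANTS = {
    "context=SYSTEM,mapName=oim,keyName=*": {"read", "write", "delete"},
    "context=SYSTEM,mapName=oracle.wsm.security,keyName=*": {"read", "write", "delete"},
}
CUSTOMREG_JAR_SUFFIX = "/server/loginmodule/was/oim_customreg.jar"


def _local(tag):
    """Strip a namespace prefix ({uri}name -> name) so the lookups work whether or not
    the file declares a default namespace."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _text(elem, name):
    kids = _children(elem, name)
    return (kids[0].text or "").strip() if kids else ""


def find_customreg_grants(jazn_xml):
    """Return every <grant> whose <grantee><codesource><url> points at oim_customreg.jar."""
    root = ET.fromstring(jazn_xml)
    found = []
    for grant in root.iter():
        if _local(grant.tag) != "grant":
            continue
        urls = [_text(cs, "url")
                for grantee in _children(grant, "grantee")
                for cs in _children(grantee, "codesource")]
        if any(u.endswith(CUSTOMREG_JAR_SUFFIX) for u in urls):
            found.append(grant)
    return found


def missing_credential_permissions(jazn_xml):
    """Compare what is actually granted to oim_customreg.jar with REQUIRED_GRANTS.
    Returns {permission name: set of missing actions}; an empty dict means the grant
    is complete. A permission name that is absent altogether reports all its actions."""
    granted = {}  # permission name -> set of actions collected across matching grants
    for grant in find_customreg_grants(jazn_xml):
        for perms in _children(grant, "permissions"):
            for perm in _children(perms, "permission"):
                if _text(perm, "class") != CRED_PERMISSION_CLASS:
                    continue
                actions = {a.strip() for a in _text(perm, "actions").split(",") if a.strip()}
                granted.setdefault(_text(perm, "name"), set()).update(actions)
    missing = {}
    for name, required in REQUIRED_GRANTS.items():
        gap = required - granted.get(name, set())
        if gap:
            missing[name] = gap
    return missing


def check_file(path):
    """Run the check against a system-jazn-data.xml on disk (path is an assumption)."""
    with open(path, "rb") as fh:
        return missing_credential_permissions(fh.read())


# Constructed sample, not a real deployment file: the grant from the page, but with the
# oracle.wsm.security permission lacking its "delete" action. The namespace is a placeholder.
SAMPLE_JAZN_DATA = """<jazn-data xmlns="urn:example:jazn-data-placeholder">
  <policy-store><jazn-policy>
    <grant>
      <grantee><codesource>
        <url>file:/u01/app/oracle/Oracle_IDM1/server/loginmodule/was/oim_customreg.jar</url>
      </codesource></grantee>
      <permissions>
        <permission>
          <class>oracle.security.jps.service.credstore.CredentialAccessPermission</class>
          <name>context=SYSTEM,mapName=oim,keyName=*</name>
          <actions>read,write,delete</actions>
        </permission>
        <permission>
          <class>oracle.security.jps.service.credstore.CredentialAccessPermission</class>
          <name>context=SYSTEM,mapName=oracle.wsm.security,keyName=*</name>
          <actions>read,write</actions>
        </permission>
      </permissions>
    </grant>
  </jazn-policy></policy-store>
</jazn-data>
"""

if __name__ == "__main__":
    for name, actions in sorted(missing_credential_permissions(SAMPLE_JAZN_DATA).items()):
        print("missing actions %s for %s" % (",".join(sorted(actions)), name))
```

      Running the block on the sample reports the missing delete action on the oracle.wsm.security map; pointing check_file at the real path from step i) gives the same report for a live cell.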
      
  15. Add the following properties by logging in to the IBM WebSphere Administrative Console and clicking System Administration, Node Agents, NAME_OF_NODE_AGENT_ON_DEPLOYMENT_MANAGER_MACHINE, Java and Process Management, Process Definition, Java Virtual Machine, Custom Properties.

    Note:

    When you create the properties:

    • An example location for the PATH_TO_jps-config.xml_IN_THE_fmwconfig_DIRECTORY is: WAS_HOME/profiles/Dmgr01/config/cells/HOST_NAME_Cell01/fmwconfig/jps-config.xml

    • An example location for the PATH_TO_THE_fmwconfig_DIRECTORY is: WAS_HOME/profiles/Dmgr01/config/cells/HOST_NAME_Cell01/fmwconfig

    Name: oracle.security.jps.config
    Value: PATH_TO_jps-config.xml_IN_THE_fmwconfig_DIRECTORY
    Description (optional): Adding the jpsconfig location using OPSS System Property
     
    Name: oracle.domain.config.dir
    Value: PATH_TO_THE_fmwconfig_DIRECTORY
    Description (optional): Setting the Key Store Domain Config directory
    

    Click OK and save the changes.

  16. On the Deployment Manager Machine, stop, synchronize, and start the Node Agent. For example:

    $WAS_HOME/profiles/Custom01/bin/stopNode.sh
    $WAS_HOME/profiles/Custom01/bin/syncNode.sh DMGR_HOST DMGR_SOAP_PORT
    $WAS_HOME/profiles/Custom01/bin/startNode.sh
    $WAS_HOME/profiles/Custom01/bin/startServer.sh soa_server1
    
  17. On the Deployment Manager Machine, configure the Oracle Identity Manager server (and optionally the Oracle Identity Manager Remote Manager) using the Oracle Universal Installer Configuration Assistant.

    Note:

    You do not need to run the Configuration Assistant on the WebSphere Node 2 Machine.

    Start the configuration assistant as follows:

    cd $OIM_HOME/bin
    ./config.sh -jreLoc LOCATION_OF_IBM_JRE -DSHOW_APPSERVER_TYPE_SCREEN=true
    

    Table 4-5 provides information about specific Configuration Assistant screens and appropriate information to enter on those screens—the table does not cover self-explanatory screens.

    Table 4-5 Information for Specific Configuration Assistant Screens

    Screen Name Input Description

    Application Server

    Be sure to select WebSphere

    WebSphere AS Details

    • The WAS Cell home location is:

      $WAS_HOME/profiles/Dmgr01/config/cells/CELL_NAME
      
    • You can identify the WAS Admin URL port from the Management bootstrap port entry in the following file:

      $WAS_HOME/profiles/Dmgr01/logs/AboutThisProfile.txt
      
    • You can identify the WAS Admin Soap Port from the following file:

      $WAS_HOME/profiles/Dmgr01/logs/AboutThisProfile.txt
      
    • The WAS Admin Name and WAS Admin Password are the same as you used to create the cell.

    OIM Server

    In the OIM HTTP URL field, enter the HTTP URL for the IBM HTTP Server.


  18. On the Deployment Manager Machine, stop the SOA server, the Node Agent, and the Deployment Manager if they are running. For example:

    $WAS_HOME/profiles/Custom01/bin/stopServer.sh soa_server1
    $WAS_HOME/profiles/Custom01/bin/stopNode.sh
    $WAS_HOME/profiles/Dmgr01/bin/stopManager.sh
    
  19. On the Deployment Manager Machine, start the Deployment Manager, synchronize the Node Agent, and start the Node Agent.

    Note:

    Be sure to execute the syncNode script, as this will transfer the required configuration information to Custom01 profile.

    For example:

    $WAS_HOME/profiles/Dmgr01/bin/startManager.sh
    $WAS_HOME/profiles/Custom01/bin/syncNode.sh DMGR_HOST DMGR_SOAP_PORT
    $WAS_HOME/profiles/Custom01/bin/startNode.sh
    
  20. On the WebSphere Node 2 Machine, launch the Oracle Fusion Middleware Configuration Wizard to federate the machine and configure its cell. By default, the Configuration Wizard is located at:

    MW_HOME/Oracle_IDM1/common/bin/was_config.sh

    For more information, refer to the Oracle Fusion Middleware Configuration Guide for IBM WebSphere Application Server.

    Table 4-6 provides information about specific Configuration Wizard screens and appropriate information to enter on those screens—the table does not cover self-explanatory, standard screens.

    Table 4-6 Information for Specific Configuration Wizard Screens

    Screen Name Input Description

    Select Configuration Option

    Select the Federate Machine and Configure Cell option.

    Specify Profile and Node Name Information

    Enter information about the profile and node names you want to create for the WebSphere Node 2 Machine.

    Specify Deployment Manager Information

    Enter information about the existing Deployment Manager system.

    Select Optional Configuration

    Be sure to select the Application Servers, Clusters and End Points option—this is a required option.

    Configure Additional Cluster Members

    Perform the following steps:

    1. Click Add.

    2. In the Name field, enter a name for the second server in the SOACluster. For example: SOA_SERVER_2.

    3. In the Node Name list, select the Node Agent for SOA_SERVER_2. For example: WebSphere Node2.

    4. In the Cluster Name list, select the SOACluster.

    5. Click Add.

    6. In the Name field, enter a name for the second server in the OIMCluster. For example: OIM_SERVER_2.

    7. In the Node Name list, select the Node Agent for OIM_SERVER_2. For example: WebSphere Node2.

    8. In the Cluster Name list, select the OIMCluster.


  21. On the WebSphere Node 2 Machine, execute the copy_jars.sh script. For example:

    cd $OIM_HOME/server/wasconfig
    ./copy_jars.sh
    

    Note:

    Before you execute the copy_jars.sh script, ensure the WAS_HOME, COMMON_COMPONENTS_HOME, and OIM_ORACLE_HOME variables are set. COMMON_COMPONENTS_HOME represents the location of the Oracle Fusion Middleware common directory, such as MW_HOME/oracle_common; OIM_ORACLE_HOME represents the location where the Oracle Identity Manager Server is installed, such as MW_HOME/Oracle_IDM1; WAS_HOME represents the location where WebSphere is installed, such as IBM/WebSphere/AppServer.

  22. On the Deployment Manager Machine, stop the SOA server, the Node Agent, and the Deployment Manager if they are running. For example:

    $WAS_HOME/profiles/Custom01/bin/stopServer.sh soa_server1
    $WAS_HOME/profiles/Custom01/bin/stopNode.sh
    $WAS_HOME/profiles/Dmgr01/bin/stopManager.sh
    
  23. On the Deployment Manager Machine, start the Deployment Manager, synchronize the Node Agent, and start the Node Agent.

    Note:

    Be sure to execute the syncNode script, as this will transfer the required configuration information to Custom01 profile.

    For example:

    $WAS_HOME/profiles/Dmgr01/bin/startManager.sh
    $WAS_HOME/profiles/Custom01/bin/syncNode.sh DMGR_HOST DMGR_SOAP_PORT
    $WAS_HOME/profiles/Custom01/bin/startNode.sh
    
  24. On the WebSphere Node 2 Machine, stop, synchronize, and start the IBM WebSphere nodes as follows:

    $WAS_HOME/profiles/Custom01/bin/stopNode.sh
    $WAS_HOME/profiles/Custom01/bin/syncNode.sh DMGR_HOST DMGR_SOAP_PORT
    $WAS_HOME/profiles/Custom01/bin/startNode.sh
    
  25. Add the following properties by logging in to the IBM WebSphere Administrative Console and clicking System Administration, Node Agents, NAME_OF_NODE_AGENT_ON_WEBSPHERE_NODE2_MACHINE, Java and Process Management, Process Definition, Java Virtual Machine, Custom Properties.

    Note:

    When you create the properties:

    • An example location for the PATH_TO_jps-config.xml_IN_THE_fmwconfig_DIRECTORY is: WAS_HOME/profiles/Custom01/config/cells/HOST_NAME_Cell01/fmwconfig/jps-config.xml

    • An example location for the PATH_TO_THE_fmwconfig_DIRECTORY is: WAS_HOME/profiles/Custom01/config/cells/HOST_NAME_Cell01/fmwconfig

    Name: oracle.security.jps.config
    Value: PATH_TO_jps-config.xml_IN_THE_fmwconfig_DIRECTORY
    Description (optional): Adding the jpsconfig location using OPSS System Property
     
    Name: oracle.domain.config.dir
    Value: PATH_TO_THE_fmwconfig_DIRECTORY
    Description (optional): Setting the Key Store Domain Config directory
    

    Click OK and save the changes.

  26. Copy wf_client_config.xml.template from $OIM_HOME/server/wasconfig directory to $WAS_HOME/lib/ext as wf_client_config.xml. For example, cp $OIM_HOME/server/wasconfig/wf_client_config.xml.template $WAS_HOME/lib/ext/wf_client_config.xml.

    Note:

    Perform this step in both Deployment Manager Machine and WebSphere Node 2 Machine.

    Update the wf_client_config.xml file with the SOA Server host name and its bootstrap port in the <serverURL> tag. For example:

    <serverURL>corbaloc:iiop:host1:bootstrap_port1,:host2:bootstrap_port2</serverURL>
    
    

    Tip:

    You can identify the SOA bootstrap port by performing the following steps:

    1. Log in to IBM WebSphere Administrative Console.

    2. Select Servers, Server Types, Web Application Servers.

    3. Click the SOA Server name.

    4. In the Communications Group area, click Ports.

      The value of BOOTSTRAP_ADDRESS is the SOA Server bootstrap port.

  27. Perform the following steps to enable load balancing of JMS message processing by MDBs:

    1. Log in to IBM WebSphere Administrative Console.

    2. Click Resources, JMS, Activation Specifications, NAME_OF_OIM_ACTIVATION_SPECIFICATION. Then select Always activate MDBs in all servers.

    3. Click OK and Save the configuration.

    Note:

    You must perform this step individually for each of the following Oracle Identity Manager Activation Specifications:

    • oimAttestationQueueMDBActivationSpec

    • oimAuditQueueMDBActivationSpec

    • oimDefaultQueueMDBActivationSpec

    • oimKernelQueueMDBActivationSpec

    • oimProcessQueueMDBActivationSpec

    • oimReconQueueMDBActivationSpec

    • oimSODQueueMDBActivationSpec

  28. On Deployment Manager Machine and WebSphere Node 2 Machine, stop, synchronize, and start the Node Agents. For example:

    $WAS_HOME/profiles/Custom01/bin/stopNode.sh
    $WAS_HOME/profiles/Custom01/bin/syncNode.sh DMGR_HOST DMGR_SOAP_PORT
    $WAS_HOME/profiles/Custom01/bin/startNode.sh
    
  29. On the Deployment Manager Machine, start the servers as follows:

    $WAS_HOME/profiles/Custom01/bin/startServer.sh SOA_SERVER_1
    $WAS_HOME/profiles/Custom01/bin/startServer.sh OIM_SERVER_1
    $WAS_HOME/profiles/Custom01/bin/startServer.sh OracleAdminServer
    
  30. On the WebSphere Node 2 Machine, start the servers as follows:

    $WAS_HOME/profiles/Custom01/bin/startServer.sh SOA_SERVER_2 
    $WAS_HOME/profiles/Custom01/bin/startServer.sh OIM_SERVER_2
    
  31. If the Oracle Identity Manager administrator user is different from the WebSphere administrator user, then perform the following steps:

    1. In the navigator pane of Enterprise Fusion Middleware Control, expand WebSphere Cell to view the cells.

    2. Select the cell on which Oracle Identity Manager and SOA are configured.

    3. Right-click the cell name, and select Web Services, Platform Policy Configuration.

    4. In the Add New Configure Property window, specify the following values, and then click OK.

      • In the Name field, enter jndi.lookup.csf.key.

      • In the Value field, enter admin-csf-key.

        Note:

        If the property is not persisted after saving the changes, then perform the following steps:

        1. On the Deployment Manager Machine, go to the Dmgr profile and open the policy-accessor-config.xml file. For example, the file is at /profiles/Dmgr01/config/cells/CELL_NAME/fmwconfig/policy-accessor-config.xml.

        2. In the policy-accessor section, uncomment the jndi.lookup.key property, and replace the {papCsfKey} value with admin-csf-key. This value is the lookup key for admin-user and its password in the credential store.

        3. Save and close the policy-accessor-config.xml file.

        4. Log in to the IBM WebSphere Administrative Console, and perform a node synchronization to ensure that the changed configuration is propagated across all nodes of the cluster.

        5. To verify, connect to the nodes of the cluster and check the fmwconfig/policy-accessor-config.xml file in the nodes. The file must be updated with the new values for jndi.lookup.csf.key.

    5. Create a .py file, for example was_admin.py, with the following content:

      # wsadmin Jython script: store the admin credentials in the credential
      # store under the key referenced by jndi.lookup.csf.key.
      Opss.createCred(map='oracle.wsm.security', key='admin-csf-key',
                      user='ADMIN_USER_NAME', password='ADMIN_PASSWORD',
                      desc='wsm-pm admin user csf-key')
      # Map the four wsm-pm application roles to the admin user. Adjacent
      # string literals are concatenated, so each option string is valid Jython.
      AdminApp.edit('wsm-pm', '[-MapRolesToUsers [[policy.Updater '
                    'AppDeploymentOption.No AppDeploymentOption.No ADMIN_USER_NAME "" '
                    'AppDeploymentOption.No "user:ADMIN_USER_NAME" "" ]]]')
      AdminApp.edit('wsm-pm', '[ -MapRolesToUsers [[policy.Accessor '
                    'AppDeploymentOption.No AppDeploymentOption.No ADMIN_USER_NAME "" '
                    'AppDeploymentOption.No " |user:ADMIN_USER_NAME" "" ]]]')
      AdminApp.edit('wsm-pm', '[ -MapRolesToUsers [[policy.User '
                    'AppDeploymentOption.No AppDeploymentOption.No ADMIN_USER_NAME "" '
                    'AppDeploymentOption.No "user:ADMIN_USER_NAME" "" ]]]')
      AdminApp.edit('wsm-pm', '[ -MapRolesToUsers [[policyViewer '
                    'AppDeploymentOption.No AppDeploymentOption.No ADMIN_USER_NAME "" '
                    'AppDeploymentOption.No " |user:ADMIN_USER_NAME" "" ]]]')
      # Persist the configuration change.
      AdminConfig.save()
      

      Replace ADMIN_USER_NAME and ADMIN_PASSWORD with admin user credentials.

    6. Run the following script:

      $COMMON_COMPONENTS_HOME/common/bin/wsadmin.sh \
        -profileName DMGR_PROFILE_NAME -conntype SOAP -host DMGR_HOSTNAME -port DMGR_SOAP_PORT \
        -user WEBSPHERE_ADMIN -password WEBSPHERE_ADMIN_PASSWORD -f was_admin.py
      
    7. Restart all the servers.

  32. On the Design Console Machine, install the Oracle Identity Manager Design Console. For example:

    To start the installer:

    cd iamsuite\Disk1
    setup.exe -jreLoc LOCATION_OF_IBM_JRE
    

    Note:

    When the Install Software Updates installer screen appears, you must select the Skip Software Updates option.

  33. On Design Console Machine, configure the Oracle Identity Manager Design Console using the Oracle Universal Installer Configuration Assistant.

    Start the configuration assistant as follows:

    cd $OIM_HOME\bin
    config.bat -jreLoc LOCATION_OF_IBM_JRE
    

    Table 4-7 provides information about specific Configuration Assistant screens and appropriate information to enter on those screens—the table does not cover self-explanatory screens.

    Table 4-7 Information for Specific Configuration Assistant Screens

    Screen Name Input Description

    Application Server

    Be sure to select WebSphere

    OIM Server Host and Port

    • The WAS Client Home Location is $WAS_CLIENT_HOME.

    • The OIM Server Hostname is the host where OIM_SERVER_1 was created.

    • You can identify the OIM Server Port and OIM Server Bootstrap Port by performing the following steps:

      1) Log in to the IBM WebSphere administrative console.

      2) Click Servers > Server Types > Web Application Servers.

      3) Click OIM_SERVER_1.

      4) Click Ports in the Communications Group area.

      For the OIM Server Port, use the value from WC_defaulthost. For the OIM Server Bootstrap Port, use the value from BOOTSTRAP_ADDRESS.


  34. On Design Console Machine, perform the following steps after the Design Console installs, but before you start it:

    1. Update the following properties in the WAS_CLIENT_HOME/properties/sas.client.props file.

      Edit the values as follows. Note that com.ibm.CORBA.securityServerPort represents the Oracle Identity Manager bootstrap port:

      com.ibm.CORBA.securityServerHost=OIM_SERVER1_HOSTNAME|OIM_SERVER2_HOSTNAME
      com.ibm.CORBA.securityServerPort=OIM_SERVER1_BOOTSTRAP_PORT|OIM_SERVER2_BOOTSTRAP_PORT
      com.ibm.CORBA.loginSource=none
      
    2. Open the xlconfig.xml file for the Design Console and change the following values:

      Set ApplicationURL to: http://WEBSERVER_HOSTNAME:WEBSERVER_PORT/

      Set java.naming.provider.url to: corbaloc:iiop:OIM_SERVER1_HOSTNAME:OIM_SERVER1_BOOTSTRAP_PORT,:OIM_SERVER2_HOSTNAME:OIM_SERVER2_BOOTSTRAP_PORT

  35. For additional postinstallation configuration of Oracle Identity Manager, perform the steps described in Section 4.4, "Performing Postinstallation Configuration on IBM WebSphere" and Section 4.6.1, "URL Changes Related to Oracle Identity Manager".
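
The endpoint strings edited in steps 26 and 34 above, as an added Python example that is not part of the Oracle documentation: it builds the corbaloc:iiop list for <serverURL> and java.naming.provider.url, emits the '|'-separated sas.client.props values, and checks that both client settings name the same servers. The helper names, host names, ports and the minimal wf_client_config.xml stand-in are assumptions, not Oracle or IBM code.

```python
"""Endpoint strings for wf_client_config.xml, xlconfig.xml and sas.client.props.
Added example, not part of the Oracle documentation. It builds the
corbaloc:iiop list used in <serverURL> (step 26) and java.naming.provider.url
(step 34), the '|'-separated lists for sas.client.props (step 34), and checks
that the two client settings name the same servers. All values are constructed.
"""
import re
from typing import List, Tuple

Endpoint = Tuple[str, int]

# Constructed minimal stand-in for wf_client_config.xml.template; only the
# <serverURL> element matters here and the real template has more elements.
SAMPLE_WF_CLIENT_CONFIG = """<workflowServicesClientConfiguration>
  <server name="default" default="true">
    <remoteClient>
      <serverURL>corbaloc:iiop:host1:bootstrap_port1 </serverURL>
    </remoteClient>
  </server>
</workflowServicesClientConfiguration>
"""


def corbaloc_url(endpoints: List[Endpoint]) -> str:
    """corbaloc:iiop:host1:port1,:host2:port2 for the given servers."""
    if not endpoints:
        raise ValueError("at least one host:port endpoint is required")
    parts = []
    for host, port in endpoints:
        if not host or ":" in host or not 1 <= port <= 65535:
            raise ValueError("bad endpoint %r:%r" % (host, port))
        parts.append("%s:%d" % (host, port))
    return "corbaloc:iiop:" + ",:".join(parts)


def parse_corbaloc(url: str) -> List[Endpoint]:
    """Inverse of corbaloc_url; rejects unresolved placeholders, stray
    whitespace and non-numeric ports instead of passing them through."""
    m = re.fullmatch(r"corbaloc:iiop:(.+)", url)
    if m is None:
        raise ValueError("not a corbaloc:iiop URL: %r" % url)
    endpoints = []
    for item in m.group(1).split(",:"):
        host, sep, port = item.rpartition(":")
        if not sep or not host or not port.isdigit():
            raise ValueError("malformed endpoint %r" % item)
        endpoints.append((host, int(port)))
    return endpoints


def set_server_url(xml_text: str, endpoints: List[Endpoint]) -> str:
    """Return xml_text with the body of its <serverURL> element replaced by
    the corbaloc list for endpoints (the edit described in step 26)."""
    pattern = re.compile(r"<serverURL>.*?</serverURL>", re.S)
    new = "<serverURL>%s</serverURL>" % corbaloc_url(endpoints)
    text, count = pattern.subn(lambda _: new, xml_text, count=1)
    if count != 1:
        raise ValueError("no <serverURL> element found")
    return text


def sas_client_props(endpoints: List[Endpoint]) -> str:
    """The three sas.client.props lines from step 34: hosts and ports listed
    in the same order, '|' separated, with loginSource=none."""
    hosts = "|".join(host for host, _ in endpoints)
    ports = "|".join(str(port) for _, port in endpoints)
    return "\n".join([
        "com.ibm.CORBA.securityServerHost=" + hosts,
        "com.ibm.CORBA.securityServerPort=" + ports,
        "com.ibm.CORBA.loginSource=none",
    ])


def props_endpoints(props_text: str) -> List[Endpoint]:
    """Read the host/port pairs back out of sas.client.props text."""
    values = {}
    for line in props_text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            values[key.strip()] = value.strip()
    hosts = values.get("com.ibm.CORBA.securityServerHost", "").split("|")
    ports = values.get("com.ibm.CORBA.securityServerPort", "").split("|")
    if len(hosts) != len(ports) or not all(p.isdigit() for p in ports):
        raise ValueError("host and port lists do not line up")
    return list(zip(hosts, map(int, ports)))


def clients_consistent(provider_url: str, props_text: str) -> bool:
    """True when java.naming.provider.url and sas.client.props list the same
    OIM servers in the same order, as step 34 expects."""
    return parse_corbaloc(provider_url) == props_endpoints(props_text)


if __name__ == "__main__":
    oim = [("oimhost1.example.com", 2809), ("oimhost2.example.com", 2809)]
    print(corbaloc_url(oim))
    print(sas_client_props(oim))
    print(set_server_url(SAMPLE_WF_CLIENT_CONFIG, [("soahost1", 2809)]))
```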

Note:

After the installation is complete, the Segregation of Duties (SoD) Check application is successfully enabled on the primary node, but the application fails to deploy on the second node. For more information about this issue, refer to My Oracle Support web site at the following URL:

https://support.oracle.com/

4.3.3 Performing Oracle Identity Manager Clustered Scale Out Configuration

Perform the procedure described in this section to add an additional Oracle Identity Manager server and SOA server to an existing clustered Oracle Identity Manager on IBM WebSphere environment.

By performing the following steps, you will create a configuration as described in Table 4-3, "Overview of Clustered Configuration".

The additional node machines required are:

  • WebSphere Node3

  • OIM_SERVER_3

  • SOA_SERVER_3

To add the additional Oracle Identity Manager and SOA servers, perform the following steps on the additional node machines:

  1. Install IBM WebSphere Application Server Network Deployment 7.0 with fix pack 23 by referring to IBM documentation.

  2. Install Oracle SOA Suite 11.1.1.6.0. For more information, refer to the "Installing Oracle SOA Suite (Oracle Identity Manager Users Only)" section of the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

  3. Install Oracle Identity Manager 11g Release 2 (11.1.2.1.0). For more information about installing Oracle Identity Manager, refer to the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

    To start the installer, run the following commands:

    cd iamsuite/Disk1
    ./runInstaller -jreLoc LOCATION_OF_IBM_JRE -DSHOW_APPSERVER_TYPE_SCREEN=true
    
  4. Start the Oracle Fusion Middleware Configuration Wizard to federate the machine and configure its cell. By default, the Configuration Wizard is located at:

    MW_HOME/Oracle_IDM1/common/bin/was_config.sh

    For more information, refer to the Oracle Fusion Middleware Configuration Guide for IBM WebSphere Application Server.

    Table 4-8 provides information about specific Configuration Wizard screens and appropriate information to enter on those screens. The table does not cover self-explanatory, standard screens.

    Table 4-8 Information for Specific Configuration Wizard Screens

    Screen Name Input Description

    Select Configuration Option

    Select the Federate Machine and Configure Cell option.

    Specify Profile and Node Name Information

    Enter information about the profile and node names you want to create for Additional Node machine.

    Specify Deployment Manager Information

    Enter information about the existing Deployment Manager system.

    Select Optional Configuration

    Be sure to select the Application Servers, Clusters and End Points option. This is a required option.

    Configure Additional Cluster Members

    Perform the following steps:

    1. Click Add.

    2. In the Name field, enter a name for the additional server in the SOA cluster. For example: SOA_SERVER_3.

    3. In the Node Name list, select the Node Agent for SOA_SERVER_3. For example: WebSphere Node3.

    4. In the Cluster Name list, select the SOA cluster.

    5. Click Add.

    6. In the Name field, enter a name for the additional server in the OIM cluster. For example: OIM_SERVER_3.

    7. In the Node Name list, select the Node Agent for OIM_SERVER_3. For example: WebSphere Node3.

    8. In the Cluster Name list, select the OIMCluster.


  5. Run the copy_jars.sh script. For example:

    cd $OIM_HOME/server/wasconfig
    ./copy_jars.sh
    

    Note:

    Before you execute the copy_jars.sh script, ensure the WAS_HOME, COMMON_COMPONENTS_HOME, and OIM_ORACLE_HOME variables are set. COMMON_COMPONENTS_HOME represents the location of the Oracle Fusion Middleware common directory, such as MW_HOME/oracle_common. OIM_ORACLE_HOME represents the location where the Oracle Identity Manager Server is installed, such as MW_HOME/Oracle_IDM1.

  6. Add the following properties by logging in to the IBM WebSphere Administrative Console and clicking System Administration, Node Agents, NAME_OF_NODE_AGENT_ON_ADDITIONAL_NODE_MACHINE, Java and Process Management, Process Definition, Java Virtual Machine, Custom Properties.

    Note:

    When you create the properties:

    • An example location for the PATH_TO_jps-config.xml_IN_THE_fmwconfig_DIRECTORY is: WAS_HOME/profiles/Custom01/config/cells/HOST_NAME_Cell01/fmwconfig/jps-config.xml

    • An example location for the PATH_TO_THE_fmwconfig_DIRECTORY is: WAS_HOME/profiles/Custom01/config/cells/HOST_NAME_Cell01/fmwconfig

    • Name: oracle.security.jps.config

    • Value: PATH_TO_jps-config.xml_IN_THE_fmwconfig_DIRECTORY

    • Description (optional): Adding the jpsconfig location using OPSS System Property

    • Name: oracle.domain.config.dir

    • Value: PATH_TO_THE_fmwconfig_DIRECTORY

    • Description (optional): Setting the Key Store Domain Config directory

    Click OK and save the changes.

  7. Copy wf_client_config.xml.template from OIM_HOME/server/wasconfig directory to WAS_HOME/lib/ext as wf_client_config.xml. For example: cp $OIM_HOME/server/wasconfig/wf_client_config.xml.template $WAS_HOME/lib/ext/wf_client_config.xml.

    Update the wf_client_config.xml file with the SOA Server host name and its bootstrap port in the <serverURL> tag. For example:

    <serverURL>corbaloc:iiop:host1:port1,:host2:port2,:host3:port3</serverURL>
    

    Tip:

    You can identify the SOA bootstrap port by performing the following steps:

    1. Log in to IBM WebSphere Administrative Console.

    2. Select Servers, Server Types, Web Application Servers.

    3. Click the SOA Server name.

    4. In the Communications Group area, click Ports.

      The value of BOOTSTRAP_ADDRESS is the SOA Server bootstrap port.

  8. Stop, synchronize, and start the Node Agents, SOA Server and OIM Server. For example:

    $WAS_HOME/profiles/Custom01/bin/stopNode.sh
    $WAS_HOME/profiles/Custom01/bin/syncNode.sh DMGR_HOST DMGR_SOAP_PORT
    $WAS_HOME/profiles/Custom01/bin/startNode.sh
    $WAS_HOME/profiles/Custom01/bin/startServer.sh SOA_SERVER_3
    $WAS_HOME/profiles/Custom01/bin/startServer.sh OIM_SERVER_3
    

4.4 Performing Postinstallation Configuration on IBM WebSphere

This section describes the following postinstallation configuration tasks on IBM WebSphere:

4.4.1 Configuring Transaction Timeout Properties

To change the transaction timeout properties to 10 minutes:

  1. Log in to IBM WebSphere Administrative Console.

  2. Navigate to the Transaction service panel by selecting Servers, Server Types, WebSphere application servers, oim_server_name, Container Services, Transaction Service.

  3. Change the value of Total transaction lifetime timeout to 600.

    The default value is 120.

  4. Change the value of Maximum transaction timeout to 600 seconds.

    The default value is 300.

  5. Stop and restart WebSphere Application Server. In a clustered deployment, this must be done on all Oracle Identity Manager servers.

4.4.2 Updating SOA Server Default Composite (Cluster Only)

In an integrated environment, Oracle Identity Manager is fronted by an HTTP Server. Therefore, all SOA server default composites must be updated.

To update the SOA server default composite:

  1. Log in to Oracle Enterprise Manager Fusion Middleware Control Console.

  2. Navigate to SOA, soa-infra (SOA server name), default.

    The following default composites are available: DefaultRequestApproval, DefaultOperationalApproval, DefaultRoleApproval, DefaultSODApproval, BeneficiaryManagerApproval, RequesterManagerApproval, CertificationProcess, DisconnectedProvisioning.

  3. For each default composite, perform the following steps:

    1. Click the composite name.

    2. From Component Metrics, click the task whose Component Type is Human Workflow.

    3. Select the Administration tab and update the fields as follows:

      Host Name: HTTP Server host

      HTTP Port: If SSL mode, leave blank. If non-SSL mode, enter HTTP Server port.

      HTTPS Port: If SSL mode, enter HTTPS server port. If non-SSL mode, leave blank.

    4. Click Apply.

4.4.3 Accessing the Dynamic Monitoring Service Application (Optional)

To access the Dynamic Monitoring Service (DMS) application on IBM WebSphere:

  1. Log in to IBM WebSphere Administrative Console as the administrator.

  2. On the left pane, go to Applications, Application Types, WebSphere enterprise applications.

  3. On the right pane, click Dmgr DMS Application_11.1.1.1.0.

  4. Click Security role to user/group mapping.

  5. Select the Admin role, and click Map Users.

  6. Type wasadmin in the search string, and click Search.

  7. Select wasadmin in the Available box, and click the right arrow.

  8. Click OK to go back. Click OK again.

  9. Click Save directly to the master configuration.

  10. Start Dmgr DMS Application_11.1.1.1.0.

  11. Repeat steps 3 to 10 for DMS Application_11.1.1.1.0.

  12. Stop all servers and the Deployment Manager. Start the Deployment Manager, synchronize the nodes, start nodes, and start all servers.

You can access the DMS application from the following URL:

http://OIM_HOST:OIM_PORT/dms/Spy

4.4.4 Seeding LDAP Reconciliation Scheduled Jobs into the Database Schema

While configuring postinstallation LDAP synchronization for Oracle Identity Manager, perform the following steps to load the LDAP reconciliation scheduled jobs into the Quartz table of the Oracle Identity Manager database schema:

See Also:

"Enabling LDAP Synchronization in Oracle Identity Manager" in the Oracle Fusion Middleware Integration Guide for Oracle Identity Management Suite for information about postinstallation configuration of LDAP synchronization for Oracle Identity Manager

  1. As a prerequisite, set the OIM_ORACLE_HOME environment variable. For example:

    For UNIX, run the following command:

    setenv OIM_ORACLE_HOME /u01/mwhome/Oracle_IDM
    
  2. Seeding the LDAP reconciliation scheduled jobs can be performed in any one of the following ways:

    Seeding LDAP reconciliation scheduled jobs with parameters:

    1. Go to the $OIM_ORACLE_HOME/server/setup/deploy-files directory.

    2. Set ANT_HOME. The following is a sample command to set ANT_HOME on UNIX:

      setenv ANT_HOME /u01/mwhome/modules/org.apache.ant_1.7.1
      

      Note:

      If ANT is not installed, then download and install ANT from the Oracle Technology Network (OTN) web site by navigating to the following URL:

      http://www.oracle.com/technetwork/index.html

      Install ANT and set ANT_HOME. Make sure that the ant executable exists at $ANT_HOME/bin/ant.

    3. Run the following ant command with parameters:

      $ANT_HOME/bin/ant -f setup.xml seed-ldap-recon-jobs -DoperationsDB.driver=oracle.jdbc.OracleDriver -DoperationsDB.user=SCHEMA_OWNER -DOIM.DBPassword=SCHEMA_OWNER_PASSWORD -DoperationsDB.host=SCHEMA_HOST_ADDRESS -DoperationsDB.port=SCHEMA_PORT_NUMBER -DoperationsDB.serviceName=SCHEMA_SERVICE_NAME -Dssi.provisioning=ON -Djta.location=WAS_INSTALLATION_DIR/plugins/javax.j2ee.jta.jar -Dojdbc.location=OJDBC_LOCATION -Dwork.dir=seed_logs
      

      For example:

      $ANT_HOME/bin/ant -f setup.xml seed-ldap-recon-jobs -DoperationsDB.driver=oracle.jdbc.OracleDriver -DoperationsDB.user=schemaowner1_OIM -DOIM.DBPassword=SCHEMA_OWNER_PASSWORD -DoperationsDB.host=myhost.mycompany.com -DoperationsDB.port=1234 -DoperationsDB.serviceName=oimdb.regress.rdbms.mycompany.com -Dssi.provisioning=ON -Djta.location=WAS_INSTALLATION_DIR/plugins/javax.j2ee.jta.jar -Dojdbc.location=MW_HOME/oracle_common/inventory/Scripts/ext/jlib/ojdbc6.jar -Dwork.dir=seed_logs
      

    Seeding LDAP reconciliation scheduled jobs with the profile file:

    1. Set the following environment variables:

      • Set OIM_ORACLE_HOME to the OIM_HOME directory.

      • Set ANT_HOME to the directory on which ANT is installed.

        Note:

        If ANT is not installed, then download and install ANT from the Oracle Technology Network (OTN) web site by navigating to the following URL:

        http://www.oracle.com/technetwork/index.html

        Install ANT and set ANT_HOME. Make sure that the ant executable exists at $ANT_HOME/bin/ant.

    2. Go to the $OIM_ORACLE_HOME/server/bin/ directory.

    3. Create a property file with the properties listed in Table 4-9.

      Note:

      You can also use the appserver.profile file instead of creating a new property file. Make sure that the properties listed in this step are present with the values.

      Table 4-9 Parameters of the Property File

      Parameter Description

      operationsDB.user

      Oracle Identity Manager database schema owner.

      operationsDB.driver

      Constant value of oracle.jdbc.OracleDriver.

      operationsDB.host

      Oracle Identity Manager database schema host address.

      OIM.DBPassword

      Oracle Identity Manager database schema owner's password.

      operationsDB.serviceName

      Oracle Identity Manager database schema service name, for example, oimdb.regress.rdbms.mycompany.com.

      operationsDB.port

      Oracle Identity Manager database schema port number.

      ssi.provisioning

      Value must be ON.

      jta.location

      Value is WAS_INSTALLATION_DIRECTORY/plugins/javax.j2ee.jta.jar.

      ojdbc.location

      Directory on which JDBC is installed, for example, MW_HOME/oracle_common/inventory/Scripts/ext/jlib/ojdbc6.jar.

      work.dir

      Any preferred directory in which the log files will be created.

      After the target completes successfully, you can check the logs in the $WORK_DIR/seed_logs/ldap/SeedSchedulerData.log file.


    4. Go to the $OIM_ORACLE_HOME/server/setup/deploy-files/ directory.

    5. Run the following command:

      $ANT_HOME/bin/ant -f setup.xml seed-ldap-recon-jobs -propertyfile $OIM_ORACLE_HOME/server/bin/PROPERTY_FILE_NAME 
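
A pre-flight check for the property file of Table 4-9, as an added Python example that is not part of the Oracle documentation or of the setup.xml targets: it reads the file, reports parameters that are missing or carry the wrong fixed value, confirms that the two jar paths exist, and renders the equivalent -D argument list of the parameter method. The function names, sample paths and credentials are constructed assumptions.

```python
"""Pre-flight check for the seed-ldap-recon-jobs property file (Table 4-9).

Added example, not part of the Oracle documentation or of the OIM setup.xml
targets. It reads the property file written for the -propertyfile method,
verifies every Table 4-9 parameter is present with the fixed values the table
requires and that the two jar paths exist, and renders the equivalent -D
argument vector of the parameter method. Values below are constructed samples.
"""
import os
from typing import Dict, List

REQUIRED = (
    "operationsDB.user", "operationsDB.driver", "operationsDB.host",
    "OIM.DBPassword", "operationsDB.serviceName", "operationsDB.port",
    "ssi.provisioning", "jta.location", "ojdbc.location", "work.dir",
)
# Parameters that Table 4-9 fixes to a single value.
FIXED = {"operationsDB.driver": "oracle.jdbc.OracleDriver", "ssi.provisioning": "ON"}
JAR_KEYS = ("jta.location", "ojdbc.location")

# Constructed sample property file; paths are placeholders, not real installs.
SAMPLE_PROPERTIES = """\
# seed-ldap-recon-jobs parameters (constructed sample)
operationsDB.user=schemaowner1_OIM
operationsDB.driver=oracle.jdbc.OracleDriver
operationsDB.host=myhost.mycompany.com
OIM.DBPassword=example-password
operationsDB.serviceName=oimdb.regress.rdbms.mycompany.com
operationsDB.port=1234
ssi.provisioning=ON
jta.location=/opt/IBM/WebSphere/AppServer/plugins/javax.j2ee.jta.jar
ojdbc.location=/u01/mwhome/oracle_common/inventory/Scripts/ext/jlib/ojdbc6.jar
work.dir=seed_logs
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal java.util.Properties reader for key=value lines; '#' and '!'
    comment lines are skipped. Escapes and continuations are not handled."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def validate(props: Dict[str, str], check_files: bool = True) -> List[str]:
    """Return the list of problems found; an empty list means ready to seed."""
    problems = []
    for key in REQUIRED:
        if not props.get(key):
            problems.append("missing: " + key)
    for key, expected in FIXED.items():
        if key in props and props[key] != expected:
            problems.append("%s must be %s, got %r" % (key, expected, props[key]))
    port = props.get("operationsDB.port", "")
    if port and not (port.isdigit() and 1 <= int(port) <= 65535):
        problems.append("operationsDB.port is not a valid TCP port: %r" % port)
    if check_files:
        for key in JAR_KEYS:
            path = props.get(key, "")
            if path and not os.path.isfile(path):
                problems.append("%s does not exist: %s" % (key, path))
    return problems


def ant_arguments(props: Dict[str, str]) -> List[str]:
    """Argument vector equivalent to the parameter method shown on this page.
    Call validate() first. In this form OIM.DBPassword becomes a process
    argument visible to other local users via ps; -propertyfile keeps it in a
    file whose permissions you control."""
    args = ["ant", "-f", "setup.xml", "seed-ldap-recon-jobs"]
    args.extend("-D%s=%s" % (key, props[key]) for key in REQUIRED)
    return args


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    for problem in validate(props):
        print("problem:", problem)
    print(" ".join(ant_arguments(props)))
```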
      

4.4.5 Changing Memory Settings for Oracle Identity Manager

For staging and test deployments of Oracle Identity Manager, a maximum heap size of 2 GB is recommended. For the maximum heap size in production deployments, refer to the Oracle Fusion Middleware Performance and Tuning Guide.

To change the heap setting for Oracle Identity Manager on WebSphere:

  1. Log in to the WebSphere Administrative Console.

  2. Navigate to Servers, Server Types, WebSphere application servers, server_name, Java & Process Management, Process Definition, Java Virtual Machine.

  3. Set the value of Maximum heap size to 2048.

  4. Save the changes, and restart the server.

4.4.6 Performing Postinstallation Configuration of IHS (Optional)

If IHS configuration is used in your deployment, then perform the following steps for postinstallation configuration of IHS:

  1. Configure virtual host alias for IHS. To do so:

    1. Log in to the IBM WebSphere Administrative Console.

    2. Select the default_host virtual host.

    3. Create the virtual host alias for IHS by providing values for IHS host and port.

  2. Configure IHS with WebSphere as follows:

    1. Copy IHS_INSTALL_DIRECTORY/Plugins/bin/configurewebserver1.sh to the WAS_HOME/bin/ directory.

    2. Run the configurewebserver1.sh script from the WAS_HOME/bin/ directory as follows:

      configurewebserver1.sh -user WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD -ihsAdminPassword IHS_ADMIN_PASSWORD
      

      The script generates the port bindings and creates the plugin-cfg.xml file for use by WebSphere and IHS.

    3. In the IBM WebSphere Administrative Console, go to Servers, Web server. The new webserver1 is displayed in the list.

    4. Select webserver1, and click Propagate to propagate the plug-in to IHS. Verify that the updated plugin-cfg.xml file is propagated to the IHS_INSTALL_DIR/Plugins/config/webserver1/ directory.

  3. Configure IHS port and URL as follows:

    1. Configure SOA composites to point to IHS as described in Section 4.4.2, "Updating SOA Server Default Composite (Cluster Only)".

    2. Configure Oracle Identity Manager frontend ports to point to IHS as described in Section 4.6.1.3, "Oracle Identity Manager Host and Port Changes".

  4. Restart all servers.

  5. Verify the Oracle Identity Manager URL by navigating to:

    http://HOST_NAME:PORT/identity

4.4.7 Adjusting Email Notification WSUrl (Cluster Only)

In a clustered deployment of Oracle Identity Manager on IBM WebSphere, perform the following steps to adjust email notification WSUrl to point to IHS:

  1. Log in to Oracle Enterprise Manager.

  2. Click Application Deployments.

  3. Right-click OIMAppMetadata(OIM_SERVER_NAME), and select System MBean Browser.

  4. In the System MBean Browser, navigate to Application Defined MBeans, oracle.iam, Server: OIM_SERVER_NAME, Application: oim, IAMAppRuntimeMBean, and select UMSEmailNotificationProviderMBean.

  5. In the Attributes tab, locate WSUrl, and replace the existing host name and port number with the host name and port number of IHS.

4.5 Upgrading Oracle Identity Manager on IBM WebSphere

This section describes the steps required to upgrade and configure Oracle Identity Manager Release 9.x to Oracle Identity Manager 11g Release 2 (11.1.2.1.0) on IBM WebSphere. It contains the following sections:

4.5.1 Prerequisites for the Upgrade

Before upgrading Oracle Identity Manager Release 9.x to 11g Release 2 (11.1.2.1.0) on IBM WebSphere, make sure that:

  • A WAS_HOME exists where IBM WebSphere Application Server 7.0.0 with fix pack 19 has been installed.

  • A Middleware home location exists with SOA installed in it.

  • An Oracle Database 11g exists in which the Oracle Identity Manager dependent schemas, such as MDS, SOAINFRA, OPSS, and ORASDPM, are created.

Perform the following prerequisite steps:

  1. Run the PreUpgradeReport utility.

    You must run the PreUpgradeReport utility to analyze your Oracle Identity Manager environment before you begin the upgrade process. Address all issues listed as part of this report with the solution provided. After fixing the issues, run the report until no pending issues are listed in the report. See "Pre-Upgrade" in the Oracle Fusion Middleware Upgrade and Migration Guide for Oracle Identity and Access Management for information about running the PreUpgradeReport utility.

  2. Install IBM WebSphere Application Server.

    Follow the instructions in Section 2.4, "Task 4: Install the IBM WebSphere Software" for installing IBM WebSphere Application Server 7.0 and applying the latest Fix Pack for IBM WebSphere 7.0.

  3. Install Oracle SOA Suite (11.1.1.6.0).

    See "Installing Oracle SOA Suite 11.1.1.6.0 (Oracle Identity Manager Users Only)" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management for information about installing SOA Suite.

  4. Create the database schema.

    You must create and load the appropriate Oracle Fusion Middleware schemas in the database using Repository Creation Utility (RCU) before installing and configuring Oracle Identity Manager. See "Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU)" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management for details.

4.5.2 Installing Oracle Identity Manager

Install Oracle Identity Manager as a part of Oracle Identity and Access Management 11g by running the Oracle Identity and Access Management Installer. To do so, follow the instructions in the following sections of the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management:

4.5.3 Upgrading Oracle Identity Manager Schema

Before you begin:

  • Create a backup of Oracle Identity Manager Release 9.x Schema.

  • Run the OSI Data Upgrade using the OSI Data Upgrade Utility. For more information about running the OSI Data Upgrade Utility, see the technote "OSI Data Upgrade Utility for Upgrading OIM 9.1.0.x to OIM 11g Version" with ID 1303215.1 at the following URL:

    https://support.oracle.com

  • Set the JAVA_HOME environment variable.

To upgrade Oracle Identity Manager Release 9.x schema to 11g Release 2 (11.1.2.1.0):

  1. Start the Oracle Fusion Middleware Upgrade Assistant by running the following command:

    ./ua
    

    The Welcome page of the Oracle Fusion Middleware Upgrade Assistant wizard is displayed.

  2. Click Next. The Specify Operation page of the wizard is displayed.

  3. Select the Upgrade Oracle Identity Manager Schema option, and then click Next.

  4. In the Prerequisites page, select all the checkboxes to specify that the prerequisites have been met. Click Next.

  5. In the Specify OIM Database page, enter the following connection details for the source Oracle Identity Manager database, and then click Next.

    • Host: Name of the host on which the database is deployed.

    • Port: Port number to connect to the host identified in the Host field.

    • Service Name: A string that is the global database name, a name comprised of the database name and domain name, entered during installation or database creation.

    • OIM Schema: Name of the Oracle Identity Manager schema.

    • SYS Password: Database system administrator password.

  6. In the Upgrading Components page, a progress bar shows the progress of the schema upgrade. The status of each upgrade component is also displayed. When finished, click Next.

  7. In the Upgrade Summary page, expand the upgrade component names to display the summary information of the upgrade. When finished, click Upgrade.

Note:

After the schema upgrade is performed, you must disable workflow upgrade before proceeding to the next step. To disable workflow upgrade, run the following SQL command:

update upgrade_feature_state set IS_FEATURE_UPGRADED='Y',FEATURE_UPGRADE_STATE='UPGRADED' where FEATURE_ID = 'OIM91UPG.Workflow';

4.5.4 Configuring Oracle Identity Manager

You must manually perform the following steps to configure Oracle Identity Manager:

4.5.4.1 Creating and Configuring a Cell

To create and/or extend a cell with the Oracle Identity Manager 11g Release 2 (11.1.2.1.0) components:

  1. Start the Fusion Middleware Configuration Wizard by running the following command:

    cd $OIM_ORACLE_HOME/common/bin
    ./was_config.sh -log=config.log -log_priority=debug
    

    The Select Configuration Option page of the Fusion Middleware Configuration Wizard is displayed.

  2. Select the Create and Configure Cell option, and click Next.

  3. In the Specify Cell, Profile and Node Information page, you can specify the default names, or you can provide new names. Enter the following values, and then click Next.

    • Cell Name: HOST_NAMECell01

    • Deployment Manager Profile Name: Dmgr01

    • Deployment Manager Node Name: HOST_NAMECellManager01

    • Application Server Profile Name: Custom01

    • Application Server Node Name: HOST_NAMENode01

  4. In the Specify Deployment Manager Information page, enter WebSphere administrator username and password. The WebSphere administrator username and password provided here will be used for logging into Oracle Identity Manager UI and for later configuration steps.

    Click Next.

  5. In the Add Products to Cell page, select the products that you want to add to the cell. Make sure to select the correct WAS ND template for the WAS ND install and not the WAS AS template. When finished, click Next.

  6. In the Configure JDBC Component Schema page, note that the connection test must succeed. If the Configuration Wizard cannot contact the database, then the Configuration Wizard might not generate the WAS files correctly, though an error might not be displayed.

    Click Next.

  7. Continue with the installation steps by clicking Next until the Test JDBC Component Schema page is displayed.

    The Oracle Identity Manager template and dependent templates create three servers: oim_server1, soa_server1, and OracleAdminServer. The oim, Nexaweb, OIMMetadata, and XIMDD applications are deployed on oim_server1.

4.5.4.2 Performing Manual Configuration Steps

Before you run the copy_jars.sh, seed_opss_permission.sh, and configure_nodeagent.sh scripts, set the following environment variables so that the scripts do not prompt you for them:

  • DMGR_PROFILE_ROOT: WebSphere Deployment Manager profile directory, for example, /opt/softwares/IBM/WebSphere/AppServer/profiles/Dmgr01/.

  • OIM_ORACLE_HOME : See Table 4-1, "Conventions Used in this Document".

  • WEBSPHERE_ADMIN : WebSphere administrator username.

  • WEBSPHERE_ADMIN_PASSWORD : WebSphere administrator password.

  • CELL_HOME_LOCATION : Location of the WebSphere cell home directory, for example, /opt/softwares/IBM/WebSphere/AppServer/profiles/Dmgr01/config/cells/HOST_NAMECell01.

  • DMGR_PROFILE_NAME : WebSphere Deployment Manager profile name, for example, Dmgr01.

  • DMGR_HOSTNAME : WebSphere Deployment Manager hostname.

  • DMGR_SOAP_PORT : WebSphere Deployment Manager SOAP port.

  • WAS_HOME: See Table 4-1, "Conventions Used in this Document".

  • COMMON_COMPONENTS_HOME : Oracle Middleware common directory, for example, /opt/softwares/IBM/WebSphere/oracle_common.

To perform the manual configuration steps before you use the Configuration Assistant:

  1. Copy the JAR files to $WAS_HOME/lib/ext/ by running the following command:

    ./copy_jars.sh
    
  2. Start, stop, and synchronize the Node Agent as follows:

    $WAS_HOME/profiles/Custom01/bin/stopNode.sh -username USER_NAME -password PASSWORD
    $WAS_HOME/profiles/Dmgr01/bin/startManager.sh
    $WAS_HOME/profiles/Custom01/bin/syncNode.sh DMGR_HOST DMGR_SOAP_PORT -username USER_NAME -password PASSWORD
    $WAS_HOME/profiles/Custom01/bin/startNode.sh
    

    Use the username and password that you used for cell creation. The port numbers to use for syncNode are listed in the $WAS_HOME/profiles/DMGR/logs/AboutThisProfile.txt file.

  3. Go to the OIM_HOME/server/wasconfig/ directory, and run the following commands:

    sh seed_opss_permission.sh
    

    And:

    sh configure_nodeagent.sh
    

    Note:

    The following error message is generated on running the seed_opss_permission.sh script:

    WASX7487E: Failed to import script libraries modules:
    /u02/Oracle/Middleware/oracle_common/common/wsadmin/wsmAgent.py; Examine the wsadmin log file to determine the problem.
    

    This is a benign error and can be ignored.

  4. Stop, synchronize, and start the node, as shown:

    $WAS_HOME/profiles/Custom01/bin/stopNode.sh -username USER_NAME -password PASSWORD
    $WAS_HOME/profiles/Custom01/bin/syncNode.sh DMGR_HOST DMGR_SOAP_PORT -username USER_NAME -password PASSWORD
    $WAS_HOME/profiles/Custom01/bin/startNode.sh
    $WAS_HOME/profiles/Custom01/bin/startServer.sh SOA_SERVER
    

    Use the same username and password that you used for cell creation.
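The environment variables listed before this procedure include the WebSphere administrator password, and steps 2 and 4 repeat the node stop/sync/start sequence with that password on the command line. The following POSIX shell wrapper is an added example, not part of the Oracle documentation or of the wasconfig scripts: it loads the variables from a file that only its owner can read (so the password is never typed into an interactive shell or left in a shared profile), refuses to continue if any required variable is missing or the SOAP port is malformed, reads the Deployment Manager SOAP port from AboutThisProfile.txt instead of hard-coding it, and wraps the stop/sync/start sequence in one function. The env-file location, the CUSTOM_PROFILE_NAME variable and the "SOAP connector port" line label are assumptions; check them against your own profile.

```shell
#!/bin/sh
# Added example; not Oracle's code. Loads the variables copy_jars.sh,
# seed_opss_permission.sh and configure_nodeagent.sh expect from an
# owner-only file, validates them, and wraps the node resync sequence.
# Assumptions: env-file path, CUSTOM_PROFILE_NAME, "SOAP connector port" label.

# Variable names are the ones the documentation lists for the scripts.
OIM_REQUIRED_VARS="DMGR_PROFILE_ROOT OIM_ORACLE_HOME WEBSPHERE_ADMIN \
WEBSPHERE_ADMIN_PASSWORD CELL_HOME_LOCATION DMGR_PROFILE_NAME DMGR_HOSTNAME \
DMGR_SOAP_PORT WAS_HOME COMMON_COMPONENTS_HOME"

# Succeed only if FILE exists and has no group or other permission bits
# (mode 0600 or 0400), so the password inside it is readable by the owner only.
oim_env_file_is_private() {
  [ -f "$1" ] || return 1
  case "$(ls -ld "$1" | cut -c5-10)" in
    ------) return 0 ;;
    *)      return 1 ;;
  esac
}

# Print the names of required variables that are unset or empty, one per line.
# Returns 0 when none are missing.
oim_missing_vars() {
  _missing=0
  for _v in $OIM_REQUIRED_VARS; do
    eval "_val=\${$_v:-}"
    if [ -z "$_val" ]; then
      printf '%s\n' "$_v"
      _missing=1
    fi
  done
  return $_missing
}

# A TCP port is an integer from 1 to 65535.
oim_port_is_valid() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Read the SOAP port from a profile's logs/AboutThisProfile.txt, the file the
# documentation points to for syncNode. The line label is an assumption.
oim_soap_port_from_profile() {
  sed -n 's/^SOAP connector port:[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}

# Source FILE after checking its permissions, export the variables the scripts
# read, and fail before anything runs if the set is incomplete or the port is bad.
oim_load_env() {
  oim_env_file_is_private "$1" || { echo "refusing $1: must be mode 0600" >&2; return 1; }
  . "$1"
  export DMGR_PROFILE_ROOT OIM_ORACLE_HOME WEBSPHERE_ADMIN WEBSPHERE_ADMIN_PASSWORD \
         CELL_HOME_LOCATION DMGR_PROFILE_NAME DMGR_HOSTNAME DMGR_SOAP_PORT WAS_HOME \
         COMMON_COMPONENTS_HOME
  oim_missing_vars >&2 || { echo "environment file is incomplete" >&2; return 1; }
  oim_port_is_valid "$DMGR_SOAP_PORT" || { echo "invalid DMGR_SOAP_PORT" >&2; return 1; }
}

# Steps 2 and 4 of the procedure: stop the node, sync it with the Deployment
# Manager, and start it again. Credentials come from the loaded environment
# rather than from literals typed into the shell.
oim_resync_node() {
  _node="$WAS_HOME/profiles/${CUSTOM_PROFILE_NAME:-Custom01}/bin"
  "$_node/stopNode.sh" -username "$WEBSPHERE_ADMIN" -password "$WEBSPHERE_ADMIN_PASSWORD" &&
    "$WAS_HOME/profiles/$DMGR_PROFILE_NAME/bin/startManager.sh" &&
    "$_node/syncNode.sh" "$DMGR_HOSTNAME" "$DMGR_SOAP_PORT" \
      -username "$WEBSPHERE_ADMIN" -password "$WEBSPHERE_ADMIN_PASSWORD" &&
    "$_node/startNode.sh"
}
```

Usage: after `oim_load_env /etc/oim/wasconfig.env` succeeds, run `./copy_jars.sh`, then `oim_resync_node`, then the seed_opss_permission.sh and configure_nodeagent.sh scripts as in step 3. Because the file is sourced, it must be trusted as well as private; the permission check is the minimum, not a substitute for ownership by the account that runs the upgrade. WebSphere can also take the SOAP client user ID and password from the profile's properties/soap.client.props file (com.ibm.SOAP.loginUserid and com.ibm.SOAP.loginPassword), in which case the -username and -password options can be dropped from the stopNode.sh and syncNode.sh calls entirely.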

4.5.4.3 Upgrading CSF Seeding

To upgrade CSF seeding by running the MT upgrade script in pre-config mode:

  1. Perform the following as prerequisites:

    • Copy .xldatabasekey to the WAS_HOME/profiles/Dmgr/config/cells/HOST_NAMECell/fmwconfig/ directory.

    • Populate the MW_HOME/Oracle_IDM1/server/bin/upgrade_was.properties file with the correct input properties. Table 4-10 lists the input properties and sample values.

      Table 4-10 Sample Input Values for upgrade_was.properties

      Input Property Sample Value

      Oracle Identity Manager Release 9.x home location

      oim91Home=/scratch/oim9101was/xellerate
      

      Oracle Identity Manager schema JDBC URL

      oimSchemaJDBCURL=HOST_NAME:PORT:oimdb
      

      Oracle Identity Manager schema name

      oimSchemaName=oim91011
      

      Oracle Identity Manager MDS schema JDBC URL

      mdsSchemaURL=HOST_NAME:PORT:oimdb
      

      Oracle Identity Manager MDS schema

      mdsSchemaName=Sample_MDS
      

      Oracle OIM home

      oracleOIMHome=/scratch/wasr2install/mw/Oracle_IDM1
      

      Middleware home

      middleWareHome=/scratch/wasr2install/mw
      

      SOA host name

      soaHost=soahost.mycompany.com
      

      SOA port number

      soaPort=PORT_NUMBER
      

      SOA user name

      soaUserName=wasadmin
      

      WAS domain manager cell home

      wasCellHome=/scratch/wasr2install/was/profiles/Dmgr03/config/cells/HOST_NAMECell02
      

      MT in pre-config mode

      CSFSeed=true
      

      When CSFSeed=true, MT is run in pre-config mode, and the following properties are set:

      PRE_OIM_CONFIG=true
      POST_OIMCONFIG=false
      

      Note:

      The WAS_HOME/profiles/Dmgr03/properties/portdef.props file contains all the port numbers relevant to the particular cell.

    • Set the JAVA_HOME and APPSERVER_TYPE environment variables. JAVA_HOME must point to IBM_JDK.

  2. Go to the MW_HOME/Oracle_IDM1/server/bin/ directory, and run the OIMMTUpgrade_WS.sh script, as shown:

    export JAVA_HOME=/scratch/wasr2install/was/java/
    export APPSERVER_TYPE='was'
    ./OIMMTUpgrade_WS.sh
    

    Note:

    The log file for the script is MW_HOME/Oracle_IDM1/server/upgrade/logs/MT/ua-TIME_STAMP.log.

4.5.4.4 Upgrading Oracle Identity Manager Components

To upgrade Oracle Identity Manager components by running the Configuration Assistant:

  1. Start the Configuration Assistant by running the following command:

    cd $OIM_HOME/bin
    ./config.sh -jreLoc LOCATION_OF_IBM_JDK -DSHOW_APPSERVER_TYPE_SCREEN=true
    
  2. In the Components to Configure page of the Oracle Identity Management Configuration wizard, expand Oracle Identity Manager, and select OIM Server. Then, click Next.

  3. In the Database page, enter the database connect string and schema details. When finished, click Next.

  4. In the Application Server page, verify that WebSphere is selected. Then, click Next.

    Note:

    The application server type is selected by default if a SOA home has already been installed and the type has been set to WebSphere. If not, then select WebSphere as the application server type.

  5. In the WebSphere Details page, specify values for the following:

    • Cell Path: This is the WebSphere cell home location, which is $WAS_HOME/profiles/Dmgr01/config/cells/CELL_NAME. The default cellname is HOST_NAMECell01.

    • Admin URL: The WebSphere Admin URL port can be obtained from the Management bootstrap port entry in the $WAS_HOME/profiles/Dmgr01/logs/AboutThisProfile.txt file.

    • Admin Soap Port: This is the Admin SOAP port for the WebSphere Application Server.

    • Admin UserName: The same user name provided for domain creation.

    • Admin Password: The password provided for domain creation.

  6. In the OIM Server page, enter the Oracle Identity Manager server admin password, keystore password, and the URL information. Then, click Next.

  7. Continue with the steps of the wizard by clicking Next until the configuration completes.

  8. Copy wf_client_config.xml.template from the OIM_HOME/server/wasconfig/ directory to the WAS_HOME/lib/ext/ directory as wf_client_config.xml.

  9. Update the wf_client_config.xml file with the SOA Server hostname and its bootstrap port under the <serverURL> tag. The tag is in the following format:

    <serverURL>corbaloc:iiop:SOA_SERVER_HOSTNAME:SOA_SERVER_BOOTSTRAP_PORT</serverURL>
    

    For example:

    <serverURL>corbaloc:iiop:myhost.mycompany.com:2800</serverURL>
    
  10. Stop the node, start manager, and sync nodes, as shown:

    $WAS_HOME/profiles/Custom01/bin/stopServer.sh SOA_SERVER -username USER_NAME -password PASSWORD
    $WAS_HOME/profiles/Custom01/bin/stopNode.sh -username USER_NAME -password PASSWORD
    $WAS_HOME/profiles/Dmgr01/bin/stopManager.sh -username USER_NAME -password PASSWORD
    $WAS_HOME/profiles/Dmgr01/bin/startManager.sh
    $WAS_HOME/profiles/Custom01/bin/syncNode.sh DMGR_HOST DMGR_SOAP_PORT -username USER_NAME -password PASSWORD
    $WAS_HOME/profiles/Custom01/bin/startNode.sh
    $WAS_HOME/profiles/Custom01/bin/startServer.sh OracleAdminServer
    $WAS_HOME/profiles/Custom01/bin/startServer.sh SOA_SERVER
    $WAS_HOME/profiles/Custom01/bin/startServer.sh OIM_SERVER
    

    Note:

    The username and password are the same that you used during cell creation.

    When finished, make sure that you start the respective managed servers.

4.5.5 Upgrading Features Using MT Upgrade Utility in Post-Config Mode

After Oracle Identity Manager configuration is complete and all the servers, including the OIM server, have been started so that the default metadata is populated, you can upgrade all the features using the MT upgrade utility in post-config mode.

To upgrade the features by using the MT upgrade utility in the post-config mode:

  1. Perform the following prerequisites:

    • Shut down Oracle Identity Manager after populating the default metadata.

    • Make sure that the Admin and SOA servers are up and running.

    • Populate the $MW_HOME/Oracle_IDM1/server/bin/upgrade_was.properties file with the correct input properties. Table 4-11 lists the input parameters with sample values.

      Table 4-11 Input Parameters for upgrade_was.properties

      Input Parameter Sample Value

      Oracle Identity Manager Release 9.x home location

      oim91Home=/scratch/oim9101was/xellerate
      

      Oracle Identity Manager schema JDBC URL

      oimSchemaJDBCURL=HOST_NAME:PORT:oimdb
      

      Oracle Identity Manager schema name

      oimSchemaName=oim91011
      

      Oracle Identity Manager MDS schema JDBC URL

      mdsSchemaURL=HOST_NAME:PORT:oimdb
      

      Oracle Identity Manager MDS schema name

      mdsSchemaName=Sample_MDS
      

      Oracle OIM home

      oracleOIMHome=/scratch/wasr2install/mw/Oracle_IDM1
      

      Middleware home

      middleWareHome=/scratch/wasr2install/mw
      

      SOA host name

      soaHost=soahost.mycompany.com
      

      SOA port number

      soaPort=SOA_PORT
      

      SOA user name

      soaUserName=wasadmin
      

      WebSphere domain manager cell home

      wasCellHome=/scratch/wasr2install/was/profiles/Dmgr03/config/cells/HOST_NAMECell02
      

      MT in post-config mode

      CSFSeed=false
      

      When CSFSeed=false, MT is run in post-config mode, and the following properties are set:

      PRE_OIM_CONFIG=false
      POST_OIMCONFIG=true
      

      Note:

      The WAS_HOME/profiles/Dmgr03/properties/portdef.props file contains the port numbers relevant to the particular cell.

    • Set the JAVA_HOME and APPSERVER_TYPE environment variables. JAVA_HOME must point to IBM_JDK.

  2. Go to the MW_HOME/Oracle_IDM1/server/bin/ directory, and run the OIMMTUpgrade_WS.sh script, as shown:

    export JAVA_HOME=/scratch/wasr2install/was/java/
    export APPSERVER_TYPE='was'
    ./OIMMTUpgrade_WS.sh
    

    Note:

    The log file for the script is MW_HOME/Oracle_IDM1/server/upgrade/logs/MT/ua-TIME_STAMP.log.

  3. Analyze the Feature Upgrade Summary Report. Start the Oracle Identity Manager Managed Servers, and access the application.

4.5.6 Performing Postupgrade Configuration

After upgrading Oracle Identity Manager Release 9.x to Release 11g Release 2 (11.1.2.1.0), perform the following postupgrade configuration:

4.5.6.1 Customizing the UI to Mark Attributes as Required

After upgrading Oracle Identity Manager Release 9.x to 11g Release 2 (11.1.2.1.0), the upgraded metadata files have certain attributes as mandatory. But, these attributes are not marked as required in the UI. For example, the upgraded metadata files for the create user operation, such as CreateUserDataSet.xml and User.xml, have first name and user login attributes as mandatory, but these attributes are not marked as required in the UI.

For fields that you want to retain as required, such as First Name and User Login, on a screen, perform the following steps:

  1. Create a sandbox and activate it.

  2. Go to the specific screen, for example Create User, enter values in the existing mandatory fields, and then click Customize at the top.

  3. On the Composer menu, select View, Source.

  4. Click the field, and then confirm to edit taskflow. Click Edit to open the Component Properties dialog box.

  5. On the Component Properties dialog box, select the option for the Show Required property.

  6. For the Required property, open the Expression Editor and enter true as the value.

  7. Click Apply, and then click OK.

  8. On the Composer toolbar, click Close, and test your changes.

  9. Export and publish the sandbox.

4.6 Handling Lifecycle Management Changes on IBM WebSphere

Because of integrated deployment of Oracle Identity Manager with other applications, such as Oracle Access Management (OAM), and configuration changes in those applications, various configuration changes might be required in Oracle Identity Manager and IBM WebSphere Application Server. These configuration changes are described in the following sections:

4.6.1 URL Changes Related to Oracle Identity Manager

Oracle Identity Manager uses various hostnames and ports in its configuration because of architectural and middleware requirements. This section describes how to make the corresponding changes in the Oracle Identity Manager and IBM WebSphere Application Server configuration when an integrated or dependent application changes.

This section contains the following topics:

4.6.1.1 Oracle Identity Manager Database Host and Port Changes

This section describes the configuration areas where database hostname and port number are used.

After installing Oracle Identity Manager, if there are any changes in the database hostname or port number, then the following changes are required:

Note:

Before making changes to the database host and port, shut down the managed servers hosting Oracle Identity Manager. You can keep the IBM WebSphere Administrative Server running.

  • To change datasource oimJMSStoreDS configuration:

    1. Navigate to Resources, JDBC, Data Sources, and then oimJMSStoreDS.

    2. Modify the values of the URL to reflect the changes to database host and port.

  • To change datasource ApplicationDB configuration:

    1. Navigate to Resources, JDBC, Data Sources, and then applicationDB.

    2. Modify the values of the URL to reflect the changes to database host and port.

  • To change datasource oimOperationsDB configuration:

    1. Navigate to Resources, JDBC, Data Sources, and then oimOperationsDB.

    2. Modify the values of the URL to reflect the changes to database host and port.

  • To change the datasource related to Oracle Identity Manager Meta Data Store (MDS) configuration:

    1. Navigate to Services, JDBC, Data Sources, and then mds-oim.

    2. Modify the values of the URL and Properties fields to reflect the changes in the database host and port.

  • To change Custom Registry configuration:

    1. In IBM WebSphere Administrative console, navigate to Security, Global security.

    2. Click Configure next to the Standalone custom registry.

    3. Select DBUrl, and then click Edit.

    4. Modify the value of the DBUrl field to reflect the change in hostname and port.

    Note:

    If Service Oriented Architecture (SOA) and Oracle Web Services Manager (OWSM) undergo configuration changes, then you must make similar changes for datasources related to SOA or OWSM.

    After making changes in the datasources, restart the IBM WebSphere Application Server, and start the Oracle Identity Manager Managed WebSphere servers.

    Note:

    Whenever Oracle Identity Manager application configuration information is to be changed by using OIM App Config MBeans from the Enterprise Management (EM) console, at least one of the Oracle Identity Manager Managed Servers must be running. Otherwise, none of the OIM App Config MBeans are visible in the EM console.

  • To change DirectDB configuration:

    1. Log in to Enterprise Manager by using the following URL:

      http://ORACLE_ADMIN_SERVER/em

    2. Navigate to Websphere Cell, OIM server.

    3. Right-click OIM server, and select System MBean Browser.

    4. In the System MBean Browser, navigate to Application Defined MBeans.

    5. Navigate to oracle.iam, Application:oim, XMLConfig, Config, XMLConfig.DirectDBConfig, and then DirectDB.

    6. Enter the new value for the URL attribute to reflect the changes to host and port, and then apply the changes.

    Note:

    When Oracle Identity Manager single instance deployment is changed to Oracle Real Application Clusters (Oracle RAC) or Oracle RAC is changed to single instance deployment, change the oimJMSStoreDS, oimOperationsDB, and mds-oim datasources. In addition to the generic changes to make these datasources to multidatasource configuration, change the Custom Registry and domain credential store configurations to reflect the Oracle RAC URL. For information about these generic changes, see Oracle Fusion Middleware High Availability Guide.

4.6.1.2 Oracle Virtual Directory Host and Port Changes

When LDAP synchronization is enabled, Oracle Identity Manager connects with directory servers through Oracle Virtual Directory (OVD). This connection uses the LDAP or LDAPS protocol.

To change OVD host and port:

  1. Log in to Oracle Identity System Administration.

  2. Under Configuration, click IT Resource.

  3. From the IT Resource Type list, select Directory Server , and click Search.

  4. Edit the Directory Server IT resource. To do so:

    1. If the value of the Use SSL field is set to False, then edit the Server URL field. If the value of the Use SSL field is set to True, then edit the Server SSL URL field.

    2. Click Update.

4.6.1.3 Oracle Identity Manager Host and Port Changes

This section consists of the following topic:

Note:

When additional Oracle Identity Manager nodes are added or removed, perform the procedures described in this section to configure Oracle Identity Manager host and port changes.

4.6.1.3.1 Changing OimFrontEndURL in Oracle Identity Manager Configuration

The OimFrontEndURL is the URL used to access the Oracle Identity Manager UI. It can be a load balancer URL or a Web server URL, depending on whether the application server is fronted by a load balancer or a Web server, or the URL of a single application server. Oracle Identity Manager uses it in notification e-mails and as the callback URL for SOA calls.

The change may be necessary because of change in Web server hostname or port for Oracle Identity Manager deployment in a clustered environment, or WebSphere managed server hostname or port changes for Oracle Identity Manager deployment in a nonclustered environment.

To change the OimFrontEndURL in Oracle Identity Manager configuration:

  1. Log in to Enterprise Manager by using the following URL when the Oracle Admin Server and Oracle Identity Manager managed servers, at least one of the servers in case of a clustered deployment, are running:

    http://ORACLE_ADMIN_SERVER/em

  2. Navigate to WebSphere Cell, OIM server.

  3. Right-click OIM server, and navigate to System MBean Browser.

  4. Under Application Defined MBeans, navigate to oracle.iam, Application:oim, XMLConfig, Config, XMLConfig.DiscoveryConfig, and then Discovery.

  5. Enter new value for the OimFrontEndURL attribute, and click Apply to save the changes. Example values can be:

    http://myoim.mydomain.com

    https://myoim.mydomain.com

    http://myserver.mydomain.com:7001

    Note:

    SPML clients store Oracle Identity Manager URL for invoking SPML and sending callback response. Therefore, changes are required corresponding to this. In addition, if Oracle Identity Manager is integrated with OAM, OAAM, or Oracle Identity Navigator (OIN), there may be corresponding changes necessary. For more information, refer to OAM, OAAM, and OIN documentation in the Oracle Technology Network (OTN) Web site.

4.6.1.4 SOA Host and Port Changes

To change the SOA host and port:

Note:

When additional SOA nodes are added or removed, perform this procedure to change the SOA host and port.

  1. Log in to Enterprise Manager by using the following URL when the Oracle Admin Server and Oracle Identity Manager managed servers, at least one of the servers in case of a clustered deployment, are running:

    http://ORACLE_ADMIN_SERVER/em

  2. Navigate to Websphere Cell, OIM server.

  3. Right-click OIM server, and navigate to System MBean Browser.

  4. Under Application Defined MBeans, navigate to oracle.iam, Application:oim, XMLConfig, Config, XMLConfig.SOAConfig, SOAConfig.

  5. Change the values of the Rmiurl and Soapurl attributes, and click Apply to save the changes.

    The Rmiurl attribute is used for accessing SOA EJBs deployed on SOA managed servers. This is the application server URL. Example values for this attribute can be:

    corbaloc:iiop:mysoa1.mydomain.com:2800
    corbaloc:iiop:mysoa1.mydomain.com:2800,:mysoa2.mydomain.com:2801
    corbaloc:iiop:mysoa1.mydomain.com:2800,:mysoa2.mydomain.com:2801,:mysoa3.mydomain.com:2802
    

    Note:

    The $WAS_HOME/lib/ext/wf_client_config.xml file must be modified with similar changes.
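The Rmiurl attribute above and the serverURL element written into wf_client_config.xml in Section 4.5.4.4 carry the same corbaloc endpoint list, and the note says both must change together. The following POSIX shell functions are an added example, not part of the Oracle documentation: they parse the corbaloc forms shown above (including the multi-host form, where an empty protocol before the colon means iiop) into host/port pairs, reject anything that is not a corbaloc URL or has a malformed port, and compare the serverURL in a wf_client_config.xml file against a Rmiurl value so that drift between the two is caught before a restart. The XML sample in the test is constructed; the real file's surrounding elements are not shown on this page.

```shell
#!/bin/sh
# Added example; not Oracle's code. Parses corbaloc URLs and checks that
# wf_client_config.xml and the SOAConfig Rmiurl name the same SOA endpoints.

# Print one "host port" line per endpoint of a corbaloc URL, for example
#   corbaloc:iiop:h1:2800            -> "h1 2800"
#   corbaloc:iiop:h1:2800,:h2:2801   -> "h1 2800" and "h2 2801"
# Whitespace is ignored. Fails (non-zero) on a non-corbaloc URL, an empty
# host, or a port that is not a number in 1..65535.
corbaloc_endpoints() {
  _url=$(printf '%s' "$1" | tr -d '[:space:]')
  case "$_url" in
    corbaloc:*) ;;
    *) return 1 ;;
  esac
  printf '%s\n' "${_url#corbaloc:}" | tr ',' '\n' | while IFS= read -r _ep; do
    case "$_ep" in
      iiop:*) _ep=${_ep#iiop} ;;   # explicit protocol name
    esac
    _ep=${_ep#:}                    # separator before the host
    _host=${_ep%:*}
    _port=${_ep##*:}
    [ -n "$_host" ] || exit 1
    case "$_port" in
      ''|*[!0-9]*) exit 1 ;;
    esac
    [ "$_port" -ge 1 ] && [ "$_port" -le 65535 ] || exit 1
    printf '%s %s\n' "$_host" "$_port"
  done
}

# Extract the <serverURL> value from a wf_client_config.xml file.
wf_client_server_url() {
  sed -n 's/.*<serverURL>\([^<]*\)<\/serverURL>.*/\1/p' "$1" | head -n 1
}

# Succeed when FILE's serverURL resolves to exactly the same endpoint list,
# in the same order, as the Rmiurl value given as the second argument.
wf_client_matches_rmiurl() {
  _a=$(corbaloc_endpoints "$(wf_client_server_url "$1")") || return 1
  _b=$(corbaloc_endpoints "$2") || return 1
  [ -n "$_a" ] && [ "$_a" = "$_b" ]
}
```

A typical check after editing SOAConfig is `wf_client_matches_rmiurl "$WAS_HOME/lib/ext/wf_client_config.xml" "$NEW_RMIURL"` with the value you entered in the MBean browser; a non-zero exit means the two configurations disagree and the servers should not be restarted until they are reconciled.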

4.6.1.5 OAM Host and Port Changes

To change the OAM host and port:

  1. Log in to Enterprise Manager by using the following URL when the Oracle Admin Server and Oracle Identity Manager managed servers, at least one of the servers for a clustered deployment, are running:

    http://ORACLE_ADMIN_SERVER/em

  2. Navigate to Websphere Cell, and then to OIM server.

  3. Right-click OIM server, and navigate to System MBean Browser.

  4. Under Application Defined MBeans, navigate to oracle.iam, Application:oim, XMLConfig, Config, XMLConfig.SSOConfig, and then SSOConfig.

  5. Change the values of the AccessServerHost and AccessServerPort attributes and other attributes as required, and click Apply to save the changes.

4.6.2 Password Changes Related to Oracle Identity Manager

Various passwords are used in the Oracle Identity Manager configuration because of architectural and middleware requirements. This section describes the default passwords and how to change a password in the Oracle Identity Manager and Oracle WebLogic configuration when it changes in a dependent or integrated product.

This section consists of the following topics:

4.6.2.1 Changing IBM WebSphere Administrator Password

To change IBM WebSphere administrator password:

  1. Log in to Oracle Identity Self Service as System Administrator.

  2. Search for WebSphere Administrator User.

  3. Click Reset Password.

  4. Enter new password and confirm new password.

  5. Click Reset Password.

4.6.2.2 Changing Oracle Identity Manager Administrator Password

During Oracle Identity Manager installation, the installer prompts for the Oracle Identity Manager administrator password. If required, you can change the administrator password after the installation is complete. To do so, you must log in to Oracle Identity Self Service as the System Administrator. In addition, change the password in CSF for entry sysadmin under the map 'oim'.

Note:

If OAM or OAAM is integrated with Oracle Identity Manager, then you might have to make corresponding changes in those applications. For more information, refer to OAM and OAAM documentation in the Oracle Documentation web site by using the following URL:

http://docs.oracle.com/

Tip:

To ensure optimum performance during password reset in Oracle Identity Manager on WebSphere, update the following JVM args for oim_server by using IBM WebSphere Administrative Console:

-Doracle.dms.transtrace.level=NONE 
-Doracle.dms.transtrace.uri=NONE
-Doracle.dms.context.dumbasastump=true 
-Doracle.dms.sensors=none
-Doracle.dms.context=OFF

4.6.2.3 Changing Oracle Identity Manager Database Password

Oracle Identity Manager uses two database schemas for storing Oracle Identity Manager operational and configuration data. It uses the Oracle Identity Manager MDS schema for storing configuration-related information and the Oracle Identity Manager schema for storing other information. Any change in a schema password requires a corresponding change in the Oracle Identity Manager configuration.

Changing Oracle Identity Manager database password involves the following:

Note:

Before changing the database password, shut down the managed servers that host Oracle Identity Manager.

  • To change datasource oimJMSStoreDS configuration:

    1. Navigate to Resources, JDBC, Data Sources, oimJMSStoreDS.

    2. Click the JAAS - J2C authentication data link.

    3. Click the CELL_NAME/oimJMSStoreDS_alias link.

    4. In the Password field, enter the new Oracle Identity Manager database schema password.

    5. Click Apply to save the changes.

  • To change datasource oimOperationsDB configuration:

    1. Navigate to Resources, JDBC, Data Sources, oimJMSStoreDS.

    2. Click the JAAS - J2C authentication data link.

    3. Click the CELL_NAME/oimOperationDB_alias link.

    4. In the Password field, enter the new Oracle Identity Manager database schema password.

    5. Click Apply to save the changes.

  • To change datasource related to Oracle Identity Manager MDS configuration:

    1. Navigate to Resources, JDBC, Data Sources, mds-oim.

    2. Click the JAAS - J2C authentication data link.

    3. Click the CELL_NAME/oimJMSStoreDS_alias link.

    4. In the Password field, enter the new Oracle Identity Manager database schema password.

    5. Click Apply to save the changes.

    Note:

    • For Oracle Identity Manager deployments with Oracle Real Application Clusters (Oracle RAC) configuration, you might have to make changes in all the datasources under the respective multi-datasource configurations.

    • You might have to make similar changes for datasources related to SOA or OWSM, if required.

  • To change cell credential store configuration:

    1. Log in to Enterprise Manager by using the following URL:

      http://ADMIN_SERVER/em

    2. Click WebSphere Cell, Security, and then click Credentials.

    3. Expand oim, and select OIMSchemaPassword, and click Edit.

    4. In the Password field, enter the new password, and click OK.

After changing the Oracle Identity Manager database password, restart the WebSphere Administrative Server. Start the Oracle Identity Manager Managed WebSphere Server as well.

4.6.2.4 Changing Oracle Identity Manager Passwords in the Credential Store Framework

Oracle Identity Manager installer stores several passwords during the install process. Various values are stored in Credential Store Framework (CSF) as key and value. Table 4-12 lists the keys and the corresponding values:

Table 4-12 CSF Keys

Key Description

DataBaseKey

The password for the key used to encrypt database. The password is the user input value in the installer for the Oracle Identity Manager keystore.

.xldatabasekey

The password for keystore that stores the database encryption key. The password is the user input value in the installer for the Oracle Identity Manager keystore.

xell

The password for key 'xell', which is used for securing communication between Oracle Identity Manager components. Default password generated by Oracle Identity Manager installer is xellerate.

default_keystore.jks

The password for the default_keystore.jks JKS keystore in the CELL_HOME/config/fmwconfig/ directory. The password is the user input value in the installer for the Oracle Identity Manager keystore.

SOAAdminPassword

The password is user input value in the installer for SOA Administrator Password field.

OIMSchemaPassword

The password for connecting to Oracle Identity Manager database schema. Password is user input value in the installer for OIM Database Schema Password field.

JMSKey

The password is the user input value in the installer for the Oracle Identity Manager keystore.


To change the values of the CSF keys:

  1. Log in to Enterprise Manager.

  2. Click WebSphere Cell.

  3. Navigate to Security, and then Credential.

  4. Expand oim. The list of all the key and value pairs for Oracle Identity Manager are displayed. You can edit and change the values.

4.6.2.5 Changing OVD Password

To change the OVD password:

  1. Log in to Oracle Identity System Administration.

  2. Under Configuration, click IT Resource.

  3. From the IT Resource Type list, select Directory Server.

  4. Click Search.

  5. Edit the Directory Server IT resource. To do so, in the Admin Password field, enter the new OVD password, and click Update.

4.6.3 Configuring SSL for Oracle Identity Manager

This section describes the procedure for generating keys, signing and exporting certificates, setting up the SSL configuration for Oracle Identity Manager and for the components with which it interacts, and establishing secure communication between them. It includes the following topics:

Note:

Before configuring SSL for Oracle Identity Manager, you must generate keys, sign the certificates, and export and import the certificates. For more information about these procedures, refer to IBM WebSphere documentation, or contact IBM support.

4.6.3.1 Enabling SSL for Oracle Identity Manager and SOA Servers

You need to perform the following configurations in Oracle Identity Manager and SOA servers to enable SSL:

4.6.3.1.1 Enabling SSL for Oracle Identity Manager

Enabling SSL for Oracle Identity Manager is described in the following sections:

4.6.3.1.2 Enabling SSL for Oracle Identity Manager By Using Default Setting

By default, SSL ports are enabled for all WebSphere application servers.

To check SSL port:

  1. Log in to IBM WebSphere Administrative Console.

  2. Navigate to Servers, Server Types, and click the WebSphere application servers link.

  3. Click the oim servers link.

  4. Expand the Ports link. WC_defaulthost_secure is the SSL port.

4.6.3.1.3 Enabling SSL for Oracle Identity Manager By Using Custom Keystore

Refer to IBM WebSphere documentation for information about changing default keystores. Otherwise, contact IBM support.

After enabling SSL on the Oracle Identity Manager and SOA servers, change OimFrontEndURL and the SOA server URL to use the SSL port. For details, refer to IBM WebSphere documentation.

4.6.3.1.4 Securing the Design Console with SSL

To secure the Design Console with SSL:

  1. Open the WAS_CLIENT_HOME/properties/sas.client.props file.

  2. Ensure that the following properties are set to true; if they are not, update them:

    com.ibm.CSI.performTransportAssocSSLTLSRequired
    com.ibm.CSI.performTransportAssocSSLTLSSupported
    

    Note:

    • Setting com.ibm.CSI.performTransportAssocSSLTLSRequired to true configures the connection from the Design Console to the server to use SSL.

    • You can change the default keystore for IBM WebSphere by referring to WebSphere documentation provided by IBM.

4.6.3.1.5 Configuring SSL for Oracle Identity Manager Utilities

Oracle Identity Manager client utilities include PurgeCache, GenerateSnapshot, UploadJars, and UploadResources.

To configure SSL for Oracle Identity Manager utilities:

  1. Open the WAS_SERVER_HOME/profiles/DMGR_PROFILE/properties/sas.client.props file.

  2. Ensure the values of the following properties are set to true:

    com.ibm.CSI.performTransportAssocSSLTLSRequired

    com.ibm.CSI.performTransportAssocSSLTLSSupported
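
The two com.ibm.CSI properties above are easy to leave at false in one of the several sas.client.props copies (the Design Console client, the Deployment Manager profile). The following Python script is an added example and not part of the Oracle documentation or product: it reads a Java properties file and reports whichever of the two properties is missing or not set to true. The file contents it checks are a constructed sample, not a real sas.client.props.

```python
"""Check that a sas.client.props file enforces SSL/TLS for the CSIv2 transport,
as required for the Design Console and the client utilities above.
Added example, not part of the Oracle documentation or product."""

# Properties the procedure above requires to be "true" (names from the page).
REQUIRED_TRUE = (
    "com.ibm.CSI.performTransportAssocSSLTLSRequired",
    "com.ibm.CSI.performTransportAssocSSLTLSSupported",
)


def parse_java_properties(text):
    """Minimal Java .properties reader: '#' or '!' comment lines, the first '='
    or ':' separates key from value, and a trailing backslash continues a
    logical line. Returns {key: value} with surrounding whitespace stripped."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):            # logical line continues below
            pending = line[:-1]
            continue
        seps = [i for i in (line.find("="), line.find(":")) if i >= 0]
        if seps:
            i = min(seps)
            props[line[:i].strip()] = line[i + 1:].strip()
        else:
            props[line] = ""                # key with no value
    return props


def ssl_required_violations(props):
    """Names of required properties that are missing or not set to true."""
    return [k for k in REQUIRED_TRUE if props.get(k, "").strip().lower() != "true"]


# Constructed sample (not a real file from the page): the Required property was
# left at false, so a client would still be allowed to connect without SSL.
SAMPLE_SAS_CLIENT_PROPS = """\
# CSIv2 transport settings (constructed sample)
com.ibm.CSI.performTransportAssocSSLTLSRequired=false
com.ibm.CSI.performTransportAssocSSLTLSSupported=true
com.ibm.CORBA.loginSource=prompt
"""

if __name__ == "__main__":
    violations = ssl_required_violations(parse_java_properties(SAMPLE_SAS_CLIENT_PROPS))
    print("SSL not enforced for:", violations)
    # → SSL not enforced for: ['com.ibm.CSI.performTransportAssocSSLTLSRequired']
```

Run it against each sas.client.props copy in turn (read the file and pass its text to parse_java_properties); an empty list from ssl_required_violations means both properties are set to true in that file.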

4.6.3.1.6 Configuring SSL for MDS Utilities

The following option must be added to all Oracle Identity Manager MDS utilities that contain the wsadmin script:

-Dcom.ibm.SSL.ConfigURL=file:DMGR_PROFILE\properties\ssl.client.props

4.6.3.2 Enabling SSL for Oracle Identity Manager DB

You need to perform the following configurations to enable SSL for Oracle Identity Manager DB:

4.6.3.2.1 Setting Up DB in Server-Authentication SSL Mode

To set up DB in Server-Authentication SSL mode:

  1. Stop the DB server and the listener.

  2. Configure the listener.ora file as follows:

    1. Navigate to the path:

      $DB_ORACLE_HOME/network/admin directory

      For example:

      /scratch/user1/production-database/product/11.1.0/db_1/network/admin

    2. Edit the listener.ora file to include SSL listening port and Server Wallet Location.

      The following is the sample listener.ora file:

      # listener.ora Network Configuration File: /scratch/rbijja/production-database/product/11.1.0/db_1/network/admin/listener.ora
      # Generated by Oracle configuration tools.
       
      SSL_CLIENT_AUTHENTICATION = FALSE
       
      WALLET_LOCATION =
        (SOURCE =
          (METHOD = FILE)
          (METHOD_DATA =
            (DIRECTORY = /scratch/rbijja/production-database/product/11.1.0/db_1/bin/server_keystore_ssl.p12)
          )
        )
       
      LISTENER =
        (DESCRIPTION_LIST =
          (DESCRIPTION =
            (ADDRESS = (PROTOCOL = TCPS)(HOST = server1.mycompany.com)(PORT = 2484))
          )
          (DESCRIPTION =
            (ADDRESS = (PROTOCOL = TCP)(HOST = server1.mycompany.com)(PORT = 1521))
          )
        )
       
      TRACE_LEVEL_LISTENER = SUPPORT
      
  3. Configure the sqlnet.ora file as follows:

    1. Navigate to the path:

      $DB_ORACLE_HOME/network/admin directory

      For example:

      /scratch/user1/production-database/product/11.1.0/db_1/network/admin

    2. Edit sqlnet.ora file to include:

      • TCPS Authentication Services

      • SSL_VERSION

      • Server Wallet Location

      • SSL_CLIENT_AUTHENTICATION type (either true or false)

      • SSL_CIPHER_SUITES that can be allowed in the communication (optional)

      The following is the sample sqlnet.ora file:

      # sqlnet.ora Network Configuration File: /scratch/rbijja/production-database/product/11.1.0/db_1/network/admin/sqlnet.ora
      # Generated by Oracle configuration tools.
       
      SQLNET.AUTHENTICATION_SERVICES= (BEQ, TCPS)
       
      SSL_VERSION = 3.0
       
      SSL_CLIENT_AUTHENTICATION = FALSE
       
      WALLET_LOCATION =
        (SOURCE =
          (METHOD = FILE)
          (METHOD_DATA =
            (DIRECTORY = /scratch/rbijja/production-database/product/11.1.0/db_1/bin/server_keystore_ssl.p12)
          )
        )
      
  4. Configure the tnsnames.ora file as follows:

    1. Navigate to the path:

      $DB_ORACLE_HOME/network/admin directory

      For example:

      /scratch/user1/production-database/product/11.1.0/db_1/network/admin

    2. Edit the tnsnames.ora file to include SSL listening port in the description list of the service.

      The following is the sample tnsnames.ora file:

      # tnsnames.ora Network Configuration File: /scratch/user1/production-database/product/11.1.0/db_1/network/admin/tnsnames.ora
      # Generated by Oracle configuration tools.
      
      PRODDB =
       (DESCRIPTION_LIST =
        (DESCRIPTION =
          (ADDRESS = (PROTOCOL = TCPS)(HOST = server1.mycompany.com)(PORT = 2484))
          (CONNECT_DATA =
            (SERVER = DEDICATED)
            (SERVICE_NAME = proddb)
          )
        )
        (DESCRIPTION =
          (ADDRESS = (PROTOCOL = TCP)(HOST = server1.mycompany.com)(PORT = 1521))
          (CONNECT_DATA =
            (SERVER = DEDICATED)
            (SERVICE_NAME = proddb)
          )
        )
       )
      
  5. Start/Stop utilities for DB server.

  6. Start the DB server.

4.6.3.2.2 Creating KeyStores and Certificates

You can create server-side and client-side KeyStores by using the orapki utility, which is shipped as part of the Oracle Database installation.

KeyStores can be of any format, such as JKS or PKCS12. The format of the keystore depends on the provider implementation. For example, JKS is the implementation provided by Sun/Oracle, whereas PKCS12 is implemented by OraclePKIProvider.

Only a JKS client KeyStore is used in Oracle Identity Manager for the DB server, because using a non-JKS KeyStore format such as PKCS12 would require significant changes on the installer side at release time. Oracle Identity Manager already has a KeyStore named default-keystore.jks, which is in JKS format.

The following are the KeyStores that you can create using orapki utility:

Creating a Root CA Wallet

To create a root certification authority (CA) wallet:

  1. Navigate to the following path:

    $DB_ORACLE_HOME/bin directory

  2. Create a wallet by using the command:

    ./orapki wallet create -wallet CA_keystore.p12 -pwd welcome1
    
  3. Add a self signed certificate to the CA wallet by using the command:

    ./orapki wallet add -wallet CA_keystore.p12 -dn 'CN=root_test,C=US' -keysize 2048 -self_signed -validity 3650 -pwd welcome1
    
  4. View the wallet using the command:

    ./orapki wallet display -wallet CA_keystore.p12 -pwd welcome1
    
  5. Export the self signed certificate from the CA wallet using the command:

    ./orapki wallet export -wallet CA_keystore.p12 -dn 'CN=root_test,C=US' -cert self_signed_CA.cert -pwd welcome1
    

Creating DB Server Side Wallet

To create a DB server side wallet:

  1. Create a server wallet using the command:

    ./orapki wallet create -wallet server_keystore_ssl.p12 -auto_login -pwd welcome1
    
  2. Add a certificate request to the server wallet using the command:

    ./orapki wallet add -wallet server_keystore_ssl.p12/ -dn 'CN=Customer,OU=Customer,O=Customer,L=City,ST=NY,C=US' -keysize 2048 -pwd welcome1
    
  3. Export the certificate request to a file, which will be used later for getting it signed using the root CA signature:

    ./orapki wallet export -wallet server_keystore_ssl.p12/ -dn 'CN=Customer,OU=Customer,O=Customer,L=City,ST=NY,C=US' -request server_creq.csr -pwd welcome1
    
  4. Get the server wallet's certificate request signed using the CA signature:

    ./orapki cert create -wallet CA_keystore.p12 -request server_creq.csr -cert server_creq_signed.cert -validity 3650 -pwd welcome1
    
  5. View the signed certificate using the command:

    ./orapki cert display -cert server_creq_signed.cert -complete
    
  6. Import the trusted certificate into the server wallet using the command:

    ./orapki wallet add -wallet server_keystore_ssl.p12 -trusted_cert -cert self_signed_CA.cert -pwd welcome1
    
  7. Import this newly created signed certificate (user certificate) to the server wallet using the command:

    ./orapki wallet add -wallet server_keystore_ssl.p12 -user_cert -cert server_creq_signed.cert -pwd welcome1
    

Creating Client Side Wallet

To create a client side (Oracle Identity Manager server) wallet:

  1. Create a client keystore using the default-keystore.jks keystore, which is located in the following path:

    DMGR_PROFILE/config/cells/CELL_NAME/fmwconfig

    Note:

    You can also use Oracle PKCS12 wallet as the client keystore.

  2. Import the self-signed CA trusted certificate that you exported using the server-side commands into the client keystore (default-keystore.jks) by using the command:

    keytool -import -trustcacerts -alias dbtrusted -noprompt -keystore default-keystore.jks -file self_signed_CA.cert -storepass xellerate
    
4.6.3.2.3 Updating Oracle Identity Manager

Perform the following steps in Oracle Identity Manager to enable secure SSL communication between Oracle Identity Manager and the Oracle Identity Manager DB:

  1. Import the trusted certificate into the default-keystore.jks keystore of Oracle Identity Manager.

  2. Log in to Enterprise Manager.

  3. Click WebSphere Cell, and select System MBean Browser.

  4. Under Application Defined MBeans, navigate to oracle.iam, Application:oim, XMLConfig, Config, XMLConfig.DirectDBConfig, and DirectDB.

  5. Change the values of the "Sslenabled" and "Url" attributes and click Apply. If SSL mode is enabled for the DB, then "Url" must use the TCPS protocol and the SSL port.

    For example:

    url="jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=my.domain.com)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=proddb)))"

  6. Restart the Oracle Identity Manager server.
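
The listener.ora, sqlnet.ora and tnsnames.ora samples in the DB setup section above and the TCPS JDBC URL in step 5 share one parenthesised syntax. The following Python script is an added example, not Oracle's code: it parses that syntax, audits the DB-side settings the procedure relies on (a TCPS listener address, a wallet DIRECTORY in both listener.ora and sqlnet.ora, TCPS among the authentication services, and the same SSL_CLIENT_AUTHENTICATION value in both files), and builds the TCPS-only thin-driver URL for a tnsnames alias so the DirectDB Url and the datasource URLs in the next section are generated rather than retyped. The *.ora contents in the script are constructed copies of the samples above with the wallet path shortened.

```python
"""Parse the Oracle Net files from the DB SSL setup above, audit the settings
that matter for server-authentication SSL, and derive the TCPS-only JDBC URL
used for the DirectDB 'Url' attribute and the datasources. Added example."""

import re

def parse_net_file(text):
    """{PARAM: value}: a string, a list of strings for (A, B), or (KEY, value) tuples."""
    body = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    tokens = re.findall(r"[()=,]|[^\s()=,]+", body)
    pos = 0
    def value():
        nonlocal pos
        if tokens[pos] != "(":                      # bare value, e.g. FALSE
            pos += 1
            return tokens[pos - 1]
        if tokens[pos + 2] != "=":                  # plain list: (BEQ, TCPS)
            end = tokens.index(")", pos)
            items = [t for t in tokens[pos + 1:end] if t != ","]
            pos = end + 1
            return items
        items = []                                  # one or more (KEY = value)
        while pos < len(tokens) and tokens[pos] == "(":
            key = tokens[pos + 1].upper()
            pos += 3                                # skip '(' KEY '='
            items.append((key, value()))
            pos += 1                                # skip ')'
        return items
    params = {}
    while pos < len(tokens):
        key = tokens[pos].upper()
        pos += 2                                    # skip KEY '='
        params[key] = value()
    return params

def find_all(node, key, deep=True):
    """Values of KEY inside a keyed group (at any depth if deep), in document order."""
    out = []
    for entry in node if isinstance(node, list) else []:
        if isinstance(entry, tuple):
            if entry[0] == key:
                out.append(entry[1])
            if deep:
                out.extend(find_all(entry[1], key))
    return out

def lookup(node, key):
    """First direct child value of KEY, or None."""
    return (find_all(node, key, deep=False) or [None])[0]

def audit_db_ssl(listener_text, sqlnet_text):
    """Findings for the server-authentication SSL setup; an empty list is clean."""
    lsnr, net = parse_net_file(listener_text), parse_net_file(sqlnet_text)
    findings = []
    if "TCPS" not in [lookup(a, "PROTOCOL") for a in find_all(lsnr.get("LISTENER"), "ADDRESS")]:
        findings.append("listener.ora: LISTENER has no TCPS address")
    for name, cfg in (("listener.ora", lsnr), ("sqlnet.ora", net)):
        if not find_all(cfg.get("WALLET_LOCATION"), "DIRECTORY"):
            findings.append(f"{name}: WALLET_LOCATION has no DIRECTORY")
    if "TCPS" not in net.get("SQLNET.AUTHENTICATION_SERVICES", []):
        findings.append("sqlnet.ora: TCPS missing from SQLNET.AUTHENTICATION_SERVICES")
    if lsnr.get("SSL_CLIENT_AUTHENTICATION") != net.get("SSL_CLIENT_AUTHENTICATION"):
        findings.append("SSL_CLIENT_AUTHENTICATION differs between listener.ora and sqlnet.ora")
    return findings

def jdbc_tcps_url(tnsnames_text, alias):
    """Thin-driver URL for ALIAS built from its TCPS address only (TCP entries are skipped)."""
    for desc in find_all(parse_net_file(tnsnames_text)[alias.upper()], "DESCRIPTION"):
        addr = lookup(desc, "ADDRESS")
        if lookup(addr, "PROTOCOL") == "TCPS":
            host, port = lookup(addr, "HOST"), lookup(addr, "PORT")
            service = lookup(lookup(desc, "CONNECT_DATA"), "SERVICE_NAME")
            return (f"jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST={host})"
                    f"(PORT={port}))(CONNECT_DATA=(SERVICE_NAME={service})))")
    raise ValueError(f"{alias}: no TCPS address in tnsnames.ora")

# Constructed copies of the *.ora samples above, with the wallet path shortened.
LISTENER_ORA = """\
SSL_CLIENT_AUTHENTICATION = FALSE
WALLET_LOCATION = (SOURCE = (METHOD = FILE)(METHOD_DATA = (DIRECTORY = /u01/db_1/bin/server_keystore_ssl.p12)))
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION = (ADDRESS = (PROTOCOL = TCPS)(HOST = server1.mycompany.com)(PORT = 2484)))
  )
"""
SQLNET_ORA = """\
SQLNET.AUTHENTICATION_SERVICES= (BEQ, TCPS)
SSL_CLIENT_AUTHENTICATION = FALSE
WALLET_LOCATION = (SOURCE = (METHOD = FILE)(METHOD_DATA = (DIRECTORY = /u01/db_1/bin/server_keystore_ssl.p12)))
"""
TNSNAMES_ORA = """\
PRODDB =
 (DESCRIPTION_LIST =
  (DESCRIPTION = (ADDRESS = (PROTOCOL = TCPS)(HOST = server1.mycompany.com)(PORT = 2484))
    (CONNECT_DATA = (SERVER = DEDICATED)(SERVICE_NAME = proddb)))
  (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = server1.mycompany.com)(PORT = 1521))(CONNECT_DATA = (SERVICE_NAME = proddb)))
 )
"""
```

Calling audit_db_ssl with the text of the real listener.ora and sqlnet.ora returns an empty list when the files match what the procedure above requires; jdbc_tcps_url(tnsnames_text, "PRODDB") returns the same URL shape shown in step 5 and raises if the alias has no TCPS address, which is the mistake that leaves the datasource talking plain TCP.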

4.6.3.2.4 Updating WebSphere Server

After enabling SSL for the Oracle Identity Manager DB, change the following Oracle Identity Manager datasources and the custom registry to use the DB SSL port:

Configuring Datasource

To configure the datasource:

  1. Log in to IBM WebSphere Administrative Console.

  2. Perform the datasource changes.

    Note:

    Before performing changes to the datasource, you must shut down the managed servers hosting the Oracle Identity Manager application.

Updating Datasource oimJMSStoreDS Configuration

To update the datasource oimJMSStoreDS configuration:

  1. Log in to IBM WebSphere Administrative Console.

  2. Navigate to Resources, JDBC, Data Sources, oimJMSStoreDS.

  3. Change the value of the URL. The following is an example URL:

    jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=my.domain.com)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=proddb)))
    
  4. Click Apply and make sure to save the change.

  5. Go to Additional Properties, Custom Properties, and add a custom property with the following details:

    • Name: connectionProperties

    • Value: javax.net.ssl.trustStore=CELL_HOME/fmwconfig/default-keystore.jks;javax.net.ssl.trustStoreType=JKS;javax.net.ssl.trustStorePassword=Welcome1;oracle.net.ssl_version=3.0

    • Type: java.lang.String

Updating Datasource oimOperationsDB Configuration

To update the datasource oimOperationsDB configuration:

Note:

To add a custom property, see "Updating Datasource oimJMSStoreDS Configuration".

  1. Log in to IBM WebSphere Administrative Console.

  2. Navigate to Resources, JDBC, Data Sources, oimOperationsDB.

  3. Change the value of the URL. The following is an example URL:

    jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=my.domain.com)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=proddb)))
    
  4. Click Apply and make sure to save the change.

Updating Datasource Related to Oracle Identity Manager MDS Configuration

To update datasource related to Oracle Identity Manager MDS configuration:

Note:

To add a custom property, see "Updating Datasource oimJMSStoreDS Configuration".

  1. Log in to IBM WebSphere Administrative Console.

  2. Navigate to Resources, JDBC, Data Sources, mds-oim.

  3. Change the value of the URL.

  4. Click Apply and make sure to save the changes.

Note:

You might have to perform similar updates for SOA/OWSM related datasources if required.

Updating Oracle Identity Manager Custom Registry

The existing Oracle Identity Manager custom registry in WebSphere Application Server is configured against the non-SSL DB details. To use the SSL DB details, perform the following:

  1. Log in to IBM WebSphere Administrative Console.

  2. Expand Security.

  3. Click the Global security link.

  4. Click Configure.

  5. Edit DBUrl.

  6. Click Apply and make sure to save the change.

4.6.3.3 Enabling SSL for LDAP Synchronization

You need to perform the following configurations to enable Oracle Identity Manager to use SSL enabled Oracle Virtual Directory (OVD):

4.6.3.3.1 Enabling OVD-OID with SSL

To enable OVD-OID with SSL:

  1. Log in to the OVD EM console.

  2. Expand Identity and Access and navigate to ovd1, Administration, Listeners.

  3. Click Create and enter all the required fields.

    Note:

    You must select the Listener Type as LDAP.

  4. Click OK.

  5. Select the newly created LDAP listener and click Edit.

  6. In the Edit Listener - OIM SSL ENDPOINT page, edit the newly created LDAP listener.

  7. Click OK. The SSL Configuration page opens.

  8. Select the Enable SSL checkbox.

  9. In the Advanced SSL Settings section, for SSL Authentication, select No Authentication.

  10. Click OK.

  11. Stop and start the OVD server for the changes to take effect.

    Note:

    You must not use the restart option.

4.6.3.3.2 Updating Oracle Identity Manager for OVD Host/Port

When LDAP synchronization is enabled on Oracle Identity Manager, Oracle Identity Manager connects to directory servers through OVD, using the ldap or ldaps protocol.

To change OVD host/port:

  1. Log in to Oracle Identity Manager Administrative and User console.

  2. Navigate to Advanced and click Manage IT Resource.

  3. Select IT Resource Type as Directory Server and click Search.

  4. In the IT Resource Directory Server, edit server URL to include SSL protocol and SSL port details.

  5. Ensure that Use SSL is set to true and click Update.

4.6.3.4 Securing the Remote Manager with SSL

This section describes how to configure SSL for the Oracle Identity Manager Remote Manager on IBM WebSphere. This section includes the following topics:

4.6.3.4.1 Overview

SSL authentication can be one-way or two-way:

  • One-way: The Oracle Identity Manager Server (the SSL client application) verifies the identity of the Oracle Identity Manager Remote Manager (the SSL server application).

  • Two-way: The Oracle Identity Manager Server (the SSL client application) verifies the identity of the Remote Manager (the SSL server application) and the Remote Manager verifies the identity of the Oracle Identity Manager Server.

To establish an SSL trust relationship, you import the SSL server's (CA signed) certificate into the SSL client's keystore. When you installed the Remote Manager, a keystore and public certificate were created. The Remote Manager's keystore is located in the OIM_RM_HOME/config/default-keystore.jks file. The certificate is located in the OIM_RM_HOME/config/xlserver.cert file.

Note:

The Remote Manager does not support non-SSL communication. By default, one-way SSL authentication is supported. Two-way SSL authentication can be enabled by performing the steps in the appropriate section below.

4.6.3.4.2 Configuring One-way SSL Authentication

One-way SSL authentication allows the Oracle Identity Manager Server to verify the identity of the Remote Manager. To configure one-way SSL authentication, the Remote Manager's certificate must be trusted in the Oracle Identity Manager Server's keystore, which is located at:

WAS_HOME/profiles/Dmgr01/config/cells/OIM_CELL_NAME/fmwconfig/default-keystore.jks

To configure one-way SSL authentication using CA certificates:

  1. Copy the Remote Manager's certificate, OIM_RM_HOME/config/xlserver.cert, to the Oracle Identity Manager Server system.

    Note:

    The Oracle Identity Manager Server certificate is also named xlserver.cert. Make sure that you do not unintentionally overwrite the server's certificate.

  2. Import the Remote Manager certificate that you copied to the Oracle Identity Manager Server's system in step 1 into the Server's keystore by executing the following shell command:

    JAVA_HOME/jre/bin/keytool -import -alias TRUSTED_SERVER_CERTIFICATE \
    -file RM_CERT_LOCATION/xlserver.cert \
    -keystore WAS_HOME/profiles/Dmgr01/config/cells/OIM_CELL_NAME/fmwconfig/default-keystore.jks \
    -trustcacerts -storepass OIM_SERVER_KEYSTORE_PASSWORD
    

    Note that JAVA_HOME represents the location of the IBM Java Runtime directory for the Oracle Identity Manager Server and RM_CERT_LOCATION represents the location where you copied the Remote Manager's certificate in step 1.

  3. When prompted, enter Y (for Yes) to trust the certificate being imported.

  4. Restart the application servers, including the Deployment Manager.

4.6.3.4.3 Configuring Two-way SSL Authentication

Two-way SSL authentication allows the Oracle Identity Manager Server and the Remote Manager to verify each other's identities. To configure two-way SSL authentication, the Remote Manager's certificate must be trusted in the Oracle Identity Manager Server's keystore and Oracle Identity Manager Server's certificate must be trusted in Remote Manager's keystore.

The Oracle Identity Manager Server's keystore is located at:

WAS_HOME/profiles/Dmgr01/config/cells/OIM_CELL_NAME/fmwconfig/default-keystore.jks

The Oracle Identity Manager Server's certificate is located in:

WAS_HOME/profiles/Dmgr01/config/cells/OIM_CELL_NAME/fmwconfig/xlserver.cert

The Remote Manager's keystore is located in:

OIM_RM_HOME/config/default-keystore.jks

The Remote Manager's (CA signed) certificate is located in:

OIM_RM_HOME/config/xlserver.cert

To configure two-way SSL authentication using CA certificates:

  1. Copy the Remote Manager's certificate, OIM_RM_HOME/config/xlserver.cert, to the Oracle Identity Manager Server system.

    Note:

    The Oracle Identity Manager Server's certificate is also named xlserver.cert. Be sure you do not unintentionally overwrite the server's certificate.

  2. Import the Remote Manager's certificate that you copied to the Oracle Identity Manager Server's system in step 1 into the server's keystore by executing the following shell command:

    JAVA_HOME/jre/bin/keytool -import -alias TRUSTED_SERVER_CERTIFICATE \
    -file RM_CERT_LOCATION/xlserver.cert \
    -keystore WAS_HOME/profiles/Dmgr01/config/cells/OIM_CELL_NAME/fmwconfig/default-keystore.jks \
    -trustcacerts -storepass OIM_SERVER_KEYSTORE_PASSWORD
    

    Note that JAVA_HOME represents the location of the IBM Java Runtime directory for the Oracle Identity Manager Server and RM_CERT_LOCATION represents the location where you copied the Remote Manager's certificate in step 1.

  3. When prompted, enter Y (for Yes) to trust the certificate being imported.

  4. Restart the application servers, including the Deployment Manager.

  5. Copy the Oracle Identity Manager Server's certificate to the Remote Manager system. The Oracle Identity Manager Server's certificate is located at:

    WAS_HOME/profiles/Dmgr01/config/cells/OIM_CELL_NAME/fmwconfig/xlserver.cert
    

    Note:

    The Remote Manager's certificate is also named xlserver.cert. Be sure you do not unintentionally overwrite the Remote Manager's certificate.

  6. Import the Oracle Identity Manager Server's certificate that you copied to the Remote Manager system in step 5 into the Remote Manager's keystore by executing the following shell command:

    JAVA_HOME/jre/bin/keytool -import -alias TRUSTED_SERVER_CERTIFICATE \
    -file OIM_SERVER_CERT_LOCATION/xlserver.cert \
    -keystore OIM_RM_HOME/config/default-keystore.jks -trustcacerts \
    -storepass RM_KEYSTORE_PASSWORD
    

    Note that JAVA_HOME represents the location of the IBM Java Runtime directory for the Remote Manager and OIM_SERVER_CERT_LOCATION is the location where you copied the Oracle Identity Manager Server's certificate in step 5.

  7. When prompted, enter Y (for Yes) to trust the certificate being imported.

  8. Open the Remote Manager configuration file, OIM_RM_HOME/config/xlconfig.xml.

  9. Change the value of the <RMSecurity>.<ClientAuth> configuration parameter to true and save the file.

  10. Restart the Remote Manager.
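
Step 9 above flips a single XML element by hand. The following Python functions are an added example rather than Oracle's code: they read the current RMSecurity/ClientAuth state and make the same change with an XML parser, so a mistyped value cannot leave client authentication silently disabled after the restart. Only the RMSecurity/ClientAuth element path comes from the page; the root element and the rest of the sample document are constructed placeholders.

```python
"""Set or read the Remote Manager's RMSecurity/ClientAuth switch (step 9 above)
with an XML parser rather than a text editor. Added example, not Oracle's code."""

import xml.etree.ElementTree as ET

# Constructed fragment of xlconfig.xml: only the RMSecurity/ClientAuth path is
# taken from the page; the root element and any siblings are placeholders.
SAMPLE_XLCONFIG = """<xl-configuration>
  <RMSecurity>
    <ClientAuth>false</ClientAuth>
  </RMSecurity>
</xl-configuration>
"""


def client_auth_enabled(xml_text):
    """True only when RMSecurity/ClientAuth reads 'true' (case-insensitive).
    A missing element counts as disabled, matching the one-way SSL default."""
    node = ET.fromstring(xml_text).find("RMSecurity/ClientAuth")
    return node is not None and (node.text or "").strip().lower() == "true"


def set_client_auth(xml_text, enabled=True):
    """Return the document with RMSecurity/ClientAuth set to 'true' or 'false',
    creating the element if the file does not contain it yet."""
    root = ET.fromstring(xml_text)
    security = root.find("RMSecurity")
    if security is None:
        security = ET.SubElement(root, "RMSecurity")
    node = security.find("ClientAuth")
    if node is None:
        node = ET.SubElement(security, "ClientAuth")
    node.text = "true" if enabled else "false"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("two-way before:", client_auth_enabled(SAMPLE_XLCONFIG))   # two-way before: False
    two_way = set_client_auth(SAMPLE_XLCONFIG)
    print("two-way after:", client_auth_enabled(two_way))            # two-way after: True
```

To apply it to the real file, read OIM_RM_HOME/config/xlconfig.xml, write the string returned by set_client_auth back to it, and confirm with client_auth_enabled before restarting the Remote Manager.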

4.7 Using Oracle Identity Manager Utilities on IBM WebSphere

This section describes how to use Oracle Identity Manager utilities on IBM WebSphere:

4.7.1 Prerequisites for Using Oracle Identity Manager Utilities on IBM WebSphere

Before running Oracle Identity Manager utilities on WebSphere, set the following environment variables:

  • OIM_ORACLE_HOME: The environment variable that identifies the directory in which Oracle Identity Manager is installed.

  • JAVA_HOME: The location of the IBM Java Runtime directory for the Oracle Identity Manager server.

  • WAS_HOME: The directory in which WebSphere Application Server is installed.

  • APP_SERVER: The allowed values are weblogic or websphere. Here, it must be set to websphere.

  • MW_HOME: The directory path for Middleware home.

  • PROFILE_NAME: The name of the profile.

  • WAS_CELL_HOME: The location of the cell on which Oracle Identity Manager is deployed.

4.7.2 Using Oracle Enterprise Manager to Export Metadata Files from the MDS Database

To export metadata files from the MDS database using Oracle Enterprise Manager:

  1. Log in to Oracle Enterprise Manager using the IBM WebSphere administrator's credentials.

  2. Select System MBean Browser from the WebSphere Cell list.

  3. Expand the following entries: Application Defined MBeans, oracle.mds.lcm, Server:NAME_OF_OIM_SERVER, Application: oim, MDSAppRuntime.

  4. Click MDSAppRuntime.

  5. Click the Operations tab.

  6. Click exportMetadata.

  7. Enter a value for the toLocation property, which identifies the destination directory to which XML files will be exported. For example: /home/user/temp.

  8. Click Edit for the Docs parameter.

  9. Click Add and enter the path to the metadata file(s) you want to export. For example: /db/oim-config.xml.

  10. Click Invoke.

4.7.3 Using Oracle Enterprise Manager to Import Metadata Files into the MDS Database

To import metadata files into the MDS database using Oracle Enterprise Manager:

  1. Copy the metadata files you want to import to a temporary location. For example:

    /home/user/temp/file/ProvisionResourceADUser.xml
    /home/user/temp/file/ModifyResourceADUser.xml
    
  2. Log in to Oracle Enterprise Manager using the IBM WebSphere administrator's credentials.

  3. Select System MBean Browser from the WebSphere Cell list.

  4. Expand the following entries: Application Defined MBeans, oracle.mds.lcm, Server:NAME_OF_OIM_SERVER, Application: oim, MDSAppRuntime.

  5. Click MDSAppRuntime.

  6. Click the Operations tab.

  7. Click importMetadata.

  8. Enter a value for the fromLocation property, which identifies the source directory from which XML files will be imported. For example: /home/user/temp.

  9. Click Edit for the Docs parameter.

  10. Click Add and enter the location of the metadata file(s) to import. For example: /file/*.xml.

  11. Click Invoke.

4.7.4 Using the PurgeCache, UploadJars, DownloadJars, DeleteJars, UploadResourceBundles, and DownLoadResourceBundles Utilities

This section describes how to use the following Oracle Identity Manager utilities on IBM WebSphere:

  • PurgeCache.sh: Purges all elements in the cache.

  • UploadJars.sh: Uploads JAR files into the database.

  • DownloadJars.sh: Downloads JAR files from the database.

  • DeleteJars.sh: Deletes JAR files from the database.

  • UploadResourceBundles.sh: Uploads the connector or custom resource bundle to the database.

  • DownLoadResourceBundles.sh: Downloads the resource bundle from the database.

To use these Oracle Identity Manager utilities on IBM WebSphere:

  1. Set the following environment variables:

    • OIM_ORACLE_HOME: Identifies the directory where you installed the Oracle Identity Manager Server.

    • WAS_HOME: Identifies the directory where you installed IBM WebSphere Network Deployment Manager.

    • JAVA_HOME: Identifies the IBM Java Runtime directory for the Oracle Identity Manager Server.

  2. Table 4-13 shows values you must set in the OIM_ORACLE_HOME/server/bin/websphere.properties file before using the utilities:

    Table 4-13 Values to Set in the websphere.properties File for Utilities

    Property Value

    com.ibm.ws.scripting.port

    The SOAP port of the IBM WebSphere Server where Oracle Identity Manager is installed.

    To identify the SOAP port:

    1. Log in to the WebSphere Administrative console.

    2. Click Server, Server Types, Websphere application servers, NAME_OF_OIM_SERVER.

    3. Expand the Ports entry in the Communications section.

    4. Use the value listed in the SOAP_CONNECTOR_ADDRESS entry.

    com.ibm.ws.scripting.host

    The host name of the system where Oracle Identity Manager is installed.

    was_servername

    The name of the IBM WebSphere Server where Oracle Identity Manager is installed.

    was_nodename

    The name of the IBM WebSphere node where Oracle Identity Manager is installed.

    To identify the node name:

    1. Log in to the WebSphere Administrative console.

    2. Click System Administration > Nodes.

    application_name

    The name of the application. Enter oim.


  3. Open the OIM_ORACLE_HOME/server/bin/setEnv.sh file with an editor.

  4. Edit the APP_SERVER=@appserver parameter to become: APP_SERVER=websphere.

  5. Edit the PROFILE_NAME=@profilename parameter to point to the appropriate profile, for example: PROFILE_NAME=Dmgr01.

  6. Use an editor to open the sas.client.props file of the profile where Oracle Identity Manager is installed. For example:

    WAS_HOME/profiles/Dmgr01/properties/sas.client.props.

  7. Edit the following properties to become:

    Note:

    You can identify the bootstrap address for Oracle Identity Manager by performing the following steps:

    1. Log in to the WebSphere Administrative console.

    2. Click Server, Server Types, Websphere application servers, NAME_OF_OIM_SERVER.

    3. Expand the Ports entry in the Communications section.

    4. Use the value listed in the BOOT_STRAP_ADDRESS entry.

    com.ibm.CORBA.securityServerHost=OIM_HOSTNAME
    com.ibm.CORBA.securityServerPort=OIM_BOOTSTRAP_ADDRESS
    com.ibm.CORBA.loginSource=none
    
  8. Execute the utility. For example:

    ./PurgeCache.sh CATEGORY_NAME
    ./UploadJars.sh
    ./DownloadJars.sh
    ./DeleteJars.sh
    ./UploadResourceBundles.sh
    ./DownLoadResourceBundles.sh
    

    When prompted, enter information for the following:

    • Oracle Identity Manager administrator user name

    • Oracle Identity Manager administrator password

    • The service URL. For example:

      corbaloc:iiop:OIM_HOSTNAME:OIM_SERVER_BOOTSTRAP_ADDRESS

    • The context Factory:

      com.ibm.websphere.naming.WsnInitialContextFactory

    Note:

    Some of the utilities, such as Upload, Download, and Delete JARs, and UploadResourceBundles will prompt you for additional information, such as the type and name of the JAR file to execute or location of the custom resource bundle to execute on.
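
Steps 2 to 5 above are easy to get partly wrong: a placeholder such as @profilename left in setEnv.sh, or an empty value in websphere.properties, only shows up as an unhelpful failure when the utility runs. The following Python script is an added pre-flight check, not Oracle's code: it reports leftover NAME=@placeholder assignments in setEnv.sh, Table 4-13 keys that are missing or empty in websphere.properties, and an application_name other than oim. The two file fragments it checks are constructed samples.

```python
"""Pre-flight check for the utility setup above: every placeholder in setEnv.sh
(APP_SERVER=@appserver, PROFILE_NAME=@profilename) must have been replaced and
websphere.properties must carry the Table 4-13 keys. Added example, not Oracle's
code; the two file fragments below are constructed."""

import re

# Keys from Table 4-13; the site fills in the values.
REQUIRED_WS_PROPS = ("com.ibm.ws.scripting.port", "com.ibm.ws.scripting.host",
                     "was_servername", "was_nodename", "application_name")


def unreplaced_placeholders(shell_text):
    """Names of NAME=@placeholder assignments still present in a setEnv.sh file."""
    return re.findall(r"^\s*(?:export\s+)?([A-Za-z_]\w*)=@\w+", shell_text, re.M)


def prop_value(props_text, key):
    """Value of KEY in a key=value properties file ('' if absent or empty)."""
    m = re.search(rf"^[ \t]*{re.escape(key)}[ \t]*=[ \t]*(.*?)[ \t]*$", props_text, re.M)
    return m.group(1) if m else ""


def check_utility_env(shell_text, props_text):
    """All problems found; an empty list means the utilities can be run."""
    problems = [f"setEnv.sh: {n} still set to its @placeholder"
                for n in unreplaced_placeholders(shell_text)]
    problems += [f"websphere.properties: {k} is missing or empty"
                 for k in REQUIRED_WS_PROPS if not prop_value(props_text, k)]
    app = prop_value(props_text, "application_name")
    if app and app != "oim":
        problems.append(f"websphere.properties: application_name is {app!r}, expected oim")
    return problems


# Constructed samples: APP_SERVER was edited, PROFILE_NAME was forgotten, and
# was_nodename was never filled in.
SAMPLE_SETENV = """\
APP_SERVER=websphere
PROFILE_NAME=@profilename
MW_HOME=/opt/oracle/middleware
"""
SAMPLE_WS_PROPS = """\
com.ibm.ws.scripting.port=8879
com.ibm.ws.scripting.host=oimhost.example.com
was_servername=oim_server1
was_nodename=
application_name=oim
"""

if __name__ == "__main__":
    for problem in check_utility_env(SAMPLE_SETENV, SAMPLE_WS_PROPS):
        print(problem)
```

Pass the text of OIM_ORACLE_HOME/server/bin/setEnv.sh and OIM_ORACLE_HOME/server/bin/websphere.properties to check_utility_env before running PurgeCache.sh or the JAR utilities; the same placeholder check applies to the MW_HOME=@mwhome edit described for SOA composite registration later in this chapter.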

4.7.5 Using the Plugin Registration and Unregistration Utility

You can use the Plugin Registration Utility for registration and unregistration related tasks. The Plugin Registration Utility is located in the OIM_HOME/plugin_utility/ directory and uses the following files:

  • pluginregistration.xml

  • ant.properties

Before Using the Plugin Registration Utility:

  1. Set the following environment variables:

    • JAVA_HOME: Identifies the IBM Java Runtime directory for the Oracle Identity Manager Server.

    • ANT_HOME: Identifies the directory where Apache Ant version 1.7 or higher is installed.

      Note:

      The Plugin Registration Utility requires Apache Ant version 1.7 or higher.

    • WAS_CELL_HOME: Represents the WebSphere cell.

    • PROFILE_NAME: Represents the custom profile name.

  2. Edit the ant.properties file to set the WAS_HOME and OIM_HOME locations. For example:

    was.home=/test/WAS110912/IBM/WebSphere/AppServer
    oim.home=/test/WAS110912/Oracle_IDM1/server
    login.config=${oim.home}/config/authws.conf
    

Registering a Plug-in:

To register a plug-in, execute the ant target register command. For example:

ant -f pluginregistration.xml register

You will be prompted for the following information:

  • Oracle Identity Manager administrator user name and password.

  • The service URL, for example:

    corbaloc:iiop:OIM_HOSTNAME:OIM_SERVER_BOOTSTRAP_ADDRESS
    
  • The Context Factory, for example:

    com.ibm.websphere.naming.WsnInitialContextFactory
    
  • The full path to and complete name of the plug-in file, for example:

    /test/pluginsfolder/plugins.zip
    

    Note:

    After providing the information for the plug-in file, you will be prompted for additional information, such as the oimrealm.

Unregistering a Plug-in:

To unregister a plug-in, execute the ant target unregister command. For example:

ant -f pluginregistration.xml unregister

You will be prompted for the following information:

  • Oracle Identity Manager administrator user name and password.

  • The service URL, for example:

    corbaloc:iiop:OIM_HOSTNAME:OIM_SERVER_BOOTSTRAP_ADDRESS
    
  • The Context Factory, for example:

    com.ibm.websphere.naming.WsnInitialContextFactory
    
  • The complete class name with package of the plug-in, for example:

    oracle.iam.scheduler.LongJob
    

    Note:

    After providing the information for the class name with package, you will be prompted for additional information, such as the oimrealm.

4.7.6 Registering a SOA Composite with Oracle Identity Manager on IBM WebSphere

Oracle SOA suite composites must be registered with Oracle Identity Manager before they can be used as an approval process. The procedure to register SOA composites is documented in the "Registering a SOA Composite with Oracle Identity Manager" section of the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager. However, this procedure was developed for Oracle Identity Manager on Oracle WebLogic Server. To use that information for Oracle Identity Manager on IBM WebSphere:

Before Registering

  1. Open the OIM_ORACLE_HOME/server/bin/setEnv.sh file with an editor.

  2. Edit the APP_SERVER=@appserver parameter to become: APP_SERVER=websphere.

  3. Edit the MW_HOME=@mwhome parameter to point to the directory where Oracle Fusion Middleware is installed.

Executing the ant Script

Execute WAS_HOME/bin/ws_ant.sh. For example:

$WAS_HOME/bin/ws_ant.sh -f registerworkflows-mp.xml register 

4.7.7 Using the Form Version Control Utility

For detailed information about using the Form Version Control (FVC) utility, see "Using the Form Version Control Utility" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager. Running the FVC utility on IBM WebSphere has the following differences:

4.8 Understanding Identity Certification on IBM WebSphere

This section discusses identity certification tasks that need to be completed by an Oracle Identity Manager Certification Administrator. Prior to creating certifications, refer to Section 4.8.8, "Pre-Requisites for Identity Certifications" and the chapter on Access Catalog administration for more information on how to configure the business metadata of artifacts in the Access Catalog.

This section contains certification information about Oracle Identity Manager on IBM WebSphere Application Server. It contains the following topics:

4.8.1 Identity Certification Configuration

Before creating a new certification, you can set configuration settings that apply to all certifications that are created. Select the relevant check boxes and click Save to apply them. Table 4-14 lists the general configuration settings. Table 4-15 lists the global configuration settings.

Note:

Changing the general configuration settings does not affect certifications that already exist.

Table 4-14 General Configuration Settings

Name Description

Password required on sign-off

This option, when checked, requires the reviewer to re-enter their credentials when they click Sign-off or otherwise complete the review of the certification.

Allow comments on certify operations

This option, when checked, allows the reviewer to enter a comment in a text box after making a Certify decision on an access item of the user being certified.

Allow comments on all non-certify operations

This option, when checked, allows the reviewer to enter a comment in a text box after making a non-certify decision (that is, Revoke, Unknown, or Exception Allowed) on an access item of the user being certified.

Verify employee access

This option, when checked, causes the user certification page 1 summary view to be displayed. If it is not checked, then page 1 is not displayed to the reviewer and all users are claimed by default.

Prevent self certification

This option, when checked, ensures that the reviewer's own access rights are not part of the certification population that the reviewer decides on (a separation-of-duties control). If the reviewer is part of the population, an alternate reviewer can be selected; the reviewer's own access rights are automatically routed to that alternate reviewer, who receives a new certification for them.

User and Account Selections

This option controls the presentation of users and accounts in the certification with three possible options that can be selected:

  1. Include only active users and active accounts

  2. Include any user with active accounts

  3. Include all users and all accounts

Allow advanced delegation

This option, when selected, allows the reviewer of the certification to delegate users to an alternate reviewer. If this option is not selected, the Delegate option is not available to the reviewer.

See Section 4.8.2.2, "Advanced Delegation" for more details.

Allow multi-phased review

This option, when selected, creates the ability to generate a multi-phased certification review campaign. This option only applies to user certifications.

See Section 4.8.2, "Multi-Phased Review and Advanced Delegation" for more details.

Allow reassignment

This option, when selected, allows the reviewer of the certification to reassign users to an alternate reviewer. If this option is not selected, the Re-assign option is not available to the reviewer.

Allow auto-claim

This option, when selected, automatically claims all items in the first step of the certification: users in user certification, roles in role certification, application instances in application instance certification, and entitlements in entitlement certification.

Perform closed loop remediation

When this option is checked, access rights that were revoked in a completed certification are de-provisioned directly through Oracle Identity Manager for all connected and disconnected applications and resources (for disconnected application instances, the revocation is routed for manual fulfillment as described in Section 4.8.6). When this option is unchecked, no automatic remediation action is taken.


Note:

The global configuration settings apply to the existing certification when modified.

Table 4-15 Global Settings

Name Description

Enable Interactive Excel

This option, when selected, presents the "Download to Editable Excel" link in the Actions menu during certification sign-off. Clicking the link downloads the entire certification as an editable Excel file, which can be completed offline.


4.8.2 Multi-Phased Review and Advanced Delegation

Perhaps the most significant enhancement to certification in this release is the introduction of Collaborative Certification or Multi-Phased review. Collaborative certification has two major dimensions:

4.8.2.1 Multi-Phased Review

Multi-Phased review combines the perspectives of both business-oriented and technical reviewers, so that both types of expertise are utilized. There are three possible phases in a multi-phased review:

  • Phase One: Business-review is the required, first phase. The business-reviewer, typically the manager of each user, sees all of the (certifiable) access-privileges of that user. The manager confirms first that the user is a valid holder of privileges, for example, an employee within that enterprise, and then that the user's position within the enterprise justifies the user's access-privileges, that is, role-assignments, accounts and entitlement-assignments.

  • Phase Two: Technical-review is an optional, second phase. The technical reviewer is the certifier of each privilege and reviews the members of the privilege.

  • Final Review is an optional, final phase. If the certification is configured to enable final review, then the primary reviewer from the first phase can see the decisions that reviewers made in the first two phases and can override those decisions if required.

4.8.2.2 Advanced Delegation

Advanced Delegation allows a certifier to retain overall responsibility while delegating decisions to others (for reasons of bandwidth).

The primary reviewer in Phase One or Phase Two can spread the work to other people. This can be done through delegation or reassignment. The primary reviewer can delegate any set of line-items (any item from page 1 of the certification), to any person that the primary reviewer selects. The primary reviewer can also reassign responsibility for any set of line-items to another person. Reassigned items are removed from the current certification and a new certification is generated with those items. Delegated items are still the responsibility of the primary reviewer.

4.8.3 Understanding How Risk Summaries are Calculated

You can directly assign high, medium, and low risk levels to roles, application instances, and entitlements, as well as to certain predefined risk factors. A risk-aggregation job calculates Risk Summaries for the remaining higher-order data objects that are needed to support the identity certification feature. These objects include every user, user-role assignment, account, and entitlement-assignment in the access catalog. During identity certification, certifiers or reviewers use Risk Summaries to separate high-risk certification items from medium-risk and low-risk items.

This section describes how the system processes risk levels to arrive at Risk Summaries. It also describes the risk-aggregation job, which you can run manually or on a scheduled basis.

Note:

In Oracle Identity Manager, roles, application instances, and entitlements (entitlement definitions) are metadata objects, whereas users, accounts, and entitlement-assignments are instance-data objects. Think of metadata objects as "structural" objects that represent and describe your information systems within Oracle Identity Manager, whereas instance-data objects are the individual instances of application data that populate the systems described.

For example, consider a customer service application (a resource) that has a predefined role that enables users to create trouble tickets (an entitlement). In this example, a single resource object represents the application and a single entitlement object represents a specific privilege within that application. Now consider that there might be thousands of user accounts on this resource, some subset of which has the entitlement-assignment that allows the user to create a trouble ticket. In the access catalog, an account object represents each user account, and an entitlement-assignment object represents each instance of the entitlement assignment.

This illustrates the one-to-many relationship that exists between metadata objects and instance-data objects. A single resource (metadata object) can have multiple accounts (instance-data objects), and a single entitlement (metadata object) can have multiple assignment instances (instance-data objects). Oracle Identity Manager calculates the risk levels for instance-data objects because it would not be feasible for a human to process risk levels for every user, account, and entitlement-assignment in the access catalog on a recurring basis.

Item Risk refers to the risk levels that you and other administrators can assign to specific roles, application instances, and entitlements in the access catalog. There are other ways that Item Risk can be assigned to metadata objects, but direct assignment is the most common method.

Assigning an Item-Risk level to a metadata object in the UI is straightforward. To do so, you search and open the object in the access catalog and select a High, Medium, or Low risk setting from the details pane below. If you do not directly assign an Item-Risk level to a metadata object in the access catalog, the system assigns a default Item-Risk level for you. Roles, application instances, and entitlements can each have a default value. You can configure a default Item-Risk level using the Risk Mapping page.

Generally speaking, you should reserve high Item-Risk levels for metadata objects that confer highly restricted privileges to users. Note that setting a high Item-Risk level on an object will cause its parent object to also have a high Risk-Summary value. Similarly, setting a medium Item-Risk level on an object will cause its parent object to have at least a medium Risk-Summary value. In order for a higher-order object to have a low Risk-Summary value, all of the objects under it in the system hierarchy would have to have low risk settings.

Risk-Factor Mappings are settings that map risk levels to certain predefined conditions within Oracle Identity Manager. Generally speaking, you should reserve high Risk-Factor levels for conditions in which privileges are extended to users in ways that may be irregular or dangerous. There are two Risk-Factor categories in Oracle Identity Manager, and each category contains multiple settings. The Risk-Factor categories are as follows:

Provisioning Scenarios define the risk levels that should be associated with the method or mechanism used to assign a role, account, or entitlement-assignment to a user using Oracle Identity Manager. For example, you might configure a risk level of High for objects that are provisioned directly by an administrator, and a risk level of Low for objects that are provisioned based on policies that are tied to roles.

Last Certification Action defines risk level based on the status of the last certification for the account, entitlement-assignment, or user-role assignment under consideration. For example, configure a risk level of Low for any item for which the previous certification decision was to approve, and configure a risk level of Medium for any item for which the previous certification decision was to certify conditionally. Finally, you might configure a value of High for any item for which the previous certification decision was Abstain or Revoke.

The Risk-Aggregation job processes Item-Risk levels and Risk-Factor levels, and calculates Risk Summaries for each higher-order object that supports Identity Certification.

In the first phase of risk aggregation, the Risk-Aggregation job evaluates each individual object's Item-Risk level together with its Risk-Factor levels (one for each Risk-Factor category) and assigns the highest of those levels to the object's Risk Summary property. A Risk Summary value is calculated for each individual user object, user-role assignment object, account object, and entitlement-assignment object.

Once Risk Summaries are calculated for every object in the access catalog, the next phase of aggregation begins, in which the Risk Summary of each individual object rolls up to the Risk Summary of the parent object that contains it.

Above the entitlement-assignment level, each data object's Risk Summary value contributes to the Risk Summary of the parent-object that contains it. For example, account objects are one hierarchy level up from entitlement-assignment objects, and User objects are one hierarchy level up from there. So, the Risk Summary of every entitlement-assignment object within an account object contributes to the Risk Summary for that account, and, similarly, the Risk Summary for every account object within the user object contributes to the Risk Summary for that user.

User objects are also one level above user-role assignment objects, so the Risk Summary for every user-role assignment object contributes to the Risk Summary for that user.

By default, the risk-aggregation job is not enabled, so no Risk Summaries are calculated. To enable it, go to the Scheduler, find the risk job, and enable it. The job then runs at the defined time period.
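The following is an added example, not Oracle's code, that models the two phases of the Risk-Aggregation job described above: each instance-data object's Risk Summary is the highest of its Item-Risk level and its Risk-Factor levels, and summaries then roll up entitlement-assignment to account to user, and user-role assignment to user. The level names, the Risk Mapping defaults, the Risk-Factor mappings (which follow the examples in the text), the treatment of never-certified items and of users with no certifiable access, and the sample catalog are all assumptions constructed for illustration.

```python
"""Model of the Risk-Aggregation job (added example, not Oracle's code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

RANK = {"Low": 1, "Medium": 2, "High": 3}


def highest(levels: List[str]) -> str:
    """Highest of the given risk levels (Low < Medium < High)."""
    return max(levels, key=RANK.__getitem__)


# Default Item-Risk per metadata type, as set on the Risk Mapping page (assumed values).
DEFAULT_ITEM_RISK = {"role": "Low", "application_instance": "Low", "entitlement": "Low"}

# Risk-Factor mappings (assumed values following the examples in the text).
PROVISIONING_SCENARIO = {"admin_direct": "High", "request": "Medium", "access_policy": "Low"}
LAST_CERTIFICATION_ACTION = {"Certify": "Low", "Conditional": "Medium", "Abstain": "High", "Revoke": "High"}


@dataclass
class Metadata:
    """A role, application instance or entitlement definition (metadata object)."""
    kind: str                        # key into DEFAULT_ITEM_RISK
    name: str
    item_risk: Optional[str] = None  # None -> default from the Risk Mapping page


@dataclass
class Assignment:
    """An instance-data object: user-role assignment, account or entitlement-assignment."""
    target: Metadata
    provisioned_by: str                 # key into PROVISIONING_SCENARIO
    last_action: Optional[str] = None   # key into LAST_CERTIFICATION_ACTION; None if never certified
    entitlements: List["Assignment"] = field(default_factory=list)  # populated for accounts only


@dataclass
class User:
    name: str
    roles: List[Assignment] = field(default_factory=list)
    accounts: List[Assignment] = field(default_factory=list)


def item_risk(meta: Metadata) -> str:
    return meta.item_risk or DEFAULT_ITEM_RISK[meta.kind]


def own_summary(a: Assignment) -> str:
    """Phase one: highest of the object's Item-Risk and its Risk-Factor levels.
    A never-certified item contributes no Last Certification Action level (assumption)."""
    levels = [item_risk(a.target), PROVISIONING_SCENARIO[a.provisioned_by]]
    if a.last_action is not None:
        levels.append(LAST_CERTIFICATION_ACTION[a.last_action])
    return highest(levels)


def aggregate_user(user: User) -> Dict[str, str]:
    """Phase two: roll Risk Summaries up the hierarchy. Returns object key -> Risk Summary."""
    summaries: Dict[str, str] = {}
    user_levels: List[str] = []
    for ra in user.roles:                      # user-role assignments sit directly under the user
        s = own_summary(ra)
        summaries[f"role:{ra.target.name}"] = s
        user_levels.append(s)
    for acct in user.accounts:
        acct_levels = [own_summary(acct)]
        for ea in acct.entitlements:           # a High entitlement-assignment makes its account High
            s = own_summary(ea)
            summaries[f"entitlement:{acct.target.name}/{ea.target.name}"] = s
            acct_levels.append(s)
        s = highest(acct_levels)
        summaries[f"account:{acct.target.name}"] = s
        user_levels.append(s)
    # A user with nothing certifiable has no contributing levels; treated as Low (assumption).
    summaries[f"user:{user.name}"] = highest(user_levels) if user_levels else "Low"
    return summaries


def run_risk_aggregation(users: List[User]) -> Dict[str, str]:
    """The whole job: every user's subtree, keyed by user name."""
    result: Dict[str, str] = {}
    for u in users:
        result.update({f"{u.name}/{k}": v for k, v in aggregate_user(u).items()})
    return result


# Constructed sample catalog: metadata objects, then two users' instance data.
HELPDESK = Metadata("application_instance", "HelpDesk")                 # default Low
SUPPORT_AGENT = Metadata("role", "SupportAgent", item_risk="Medium")
CREATE_TICKET = Metadata("entitlement", "CreateTroubleTicket", item_risk="High")
VIEW_TICKETS = Metadata("entitlement", "ViewTickets")                    # default Low

ALICE = User("alice",
             roles=[Assignment(SUPPORT_AGENT, "request", last_action="Conditional")],
             accounts=[Assignment(HELPDESK, "access_policy", last_action="Certify", entitlements=[
                 Assignment(CREATE_TICKET, "admin_direct"),              # admin-provisioned, never certified
                 Assignment(VIEW_TICKETS, "access_policy", last_action="Certify")])])
BOB = User("bob",
           roles=[Assignment(SUPPORT_AGENT, "access_policy", last_action="Certify")],
           accounts=[Assignment(HELPDESK, "access_policy", last_action="Certify", entitlements=[
               Assignment(VIEW_TICKETS, "access_policy", last_action="Certify")])])

if __name__ == "__main__":
    for key, level in sorted(run_risk_aggregation([ALICE, BOB]).items()):
        print(f"{key:50} {level}")
```

Running the block shows the roll-up the text describes: alice's directly provisioned, never-certified CreateTroubleTicket assignment is High, which makes her HelpDesk account High and therefore her user summary High, even though the account itself and her other entitlement are Low; bob, holding the same Medium role but only Low entitlements, ends at Medium.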

4.8.4 Creating Certifications

All certification definitions are centrally managed in the Oracle Identity Manager Administrative Console.

To create a new certification definition:

  1. Log into Oracle Identity System Administration with administrative rights.

  2. Go to Certifications, Certification Definitions, Create.

  3. Follow the steps outlined below through the wizard.

The following are the steps outlined in the wizard:

4.8.4.1 Certification Type

Enter the name of the certification, the type of certification, and a description. Four certification types exist, each intended for a different kind of reviewer:

  1. User: Allows business managers to certify their direct reports and their access rights.

  2. Application Instance: Allows application instance owners to certify users with accounts in the application instances they own.

  3. Entitlement: Allows entitlement owners to review the users accessing the entitlements they own.

  4. Role: Allows role owners to certify role memberships and/or the associated role definitions (that is, access policies).

4.8.4.2 Base Selection

These options change based on the type of certification that is selected. For user certification, users belonging to organizations or matching a search criterion can be selected. Once the user population is finalized, selection constraints can be applied based on the risk levels and Risk Summaries of the users as well as of the roles, application instances, and entitlements they can access.

4.8.4.3 Content Selection

Once the population is selected, content selection options allow or disallow the inclusion of users with all accounts; roles with varying levels of risk or selected roles only; application instances with varying levels of risk or selected applications only; and entitlements with varying levels of risk, entitlements outside roles, or selected entitlements only. These options control the access rights that are presented to reviewers during the review.

4.8.4.4 Configuration

These are configuration settings that pertain to each certification definition and are independent from the global configuration settings explained in Table 4-14, "General Configuration Settings". These are general settings that control the layout and certain actions associated to each certification definition and apply to that certification definition only.

4.8.4.5 Reviewers

This step involves the selection of Reviewers. Based on the certification type, the reviewer selection options change. For the User certification, a User manager, Organization Certifier or a selected user (using search) can be used to designate Reviewers to the certification definition. See Section 4.8.2, "Multi-Phased Review and Advanced Delegation" for information about multi-phased reviewers.

4.8.4.6 Incremental

This step controls whether the certification is of type Incremental. If Enabled is checked, then the certification definition takes into account user access rights that have changed since the previous certification cycle for that same certification definition. If Show Previous Values is Enabled, it will also show the previously certified user access rights, but they will be automatically certified. An Incremental Date Range can also be specified.

4.8.4.7 Summary

This page summarizes the configuration options selected while navigating the wizard and is for review purposes. Click Back to change any option. Clicking Create generates the certification definition, schedules a job that runs the definition, and executes that job immediately, which produces a certification based on the definition for review.

4.8.5 Scheduling Certifications

When the certification definition is created, a job is automatically scheduled and set to run immediately. This will produce the initial certification based on the definition. If you would like to run the definition again at a later time to regenerate the certification, or to setup a scheduled run of the definition, the Scheduler page can be used.

To schedule the certification definition to run at a certain time:

  1. Navigate to System Management, Scheduler, to search for the certification definition.

  2. Select the certification definition. The right hand pane displays the various scheduling options that are available. The schedule options include:

    1. Periodic: to run the certification on a periodic basis.

    2. Cron: allows the administrator to set a cron expression to run the certification at a desired time.

    3. Single: to run the certification once.

    4. No pre-defined schedule: which does not run the certification.

    5. Run Now: which runs the certification definition job immediately.

  3. Click Apply to apply the changes to the certification definition job scheduler.

4.8.6 Understanding Closed-Loop Remediation and Remediation Tracking

Closed-loop remediation is a feature that allows you to directly revoke roles and entitlements from the Oracle Identity Manager provisioning solution as a result of roles and entitlements revoked during the certification process. The remediation status can be tracked in the remediation-tracking module for auditing purposes.

Refer to the Section 4.8.1, "Identity Certification Configuration" to view how Closed Loop Remediation can be turned on for automated remediation.

The remediation status of all access rights revoked in completed certifications can be tracked in the Certification Dashboard by its tracking ID. Clicking the tracking ID displays the remediation status of the certification in Oracle Identity Manager request tracking.

For all disconnected application instances, workflows can be configured in Oracle Identity Manager to route the revoked access rights to a ticketing system or an administrator for manual revocation.

4.8.7 Installing ADFDi Plug-in for Excel-Based Certification Sign-Off

In order for identity certifications to be exported to an Excel file for offline sign-off, the ADF Desktop Integration (ADFdi) plug-in must be installed on the client systems, which must have a supported version of Microsoft Excel. Instructions to download, install, and configure the plug-in are available here:

DI Runtime Edition Setup Instructions:

http://docs.oracle.com/cd/E26098_01/web.1112/e16180/ap_enduseractions.htm#CIHJABEJ

DI Design-time Edition setup Instructions:

http://docs.oracle.com/cd/E26098_01/web.1112/e16180/inst_conf_dev_env.htm#CHDHJIIG

4.8.8 Pre-Requisites for Identity Certifications

In order for certifications to include user accounts and entitlements, the following prerequisite steps have to be performed for each connector installed in Oracle Identity Manager:

  1. Log into Oracle Identity Manager Design Console.

  2. Under Development Tools, click Form Designer.

  3. Click Search. This will return the Form Designer table with a list of all available forms.

  4. Identify the parent form for each connector installed in the system. A parent form has the UserID field that stores the account name in the target system, for example UD_ADUSER or UD_EBS_USER.

  5. Choose a form; a new Form Designer tab opens.

  6. Click Create New Version. Enter a name, for example "v2" in the popup window.

  7. Click Save and close the popup window.

  8. In the Current Version drop-down list, make sure the newly created version "v2" is selected, and click the Properties tab.

  9. Locate the field that uniquely identifies the account in the target system; UserID, UserName, and AccountName are typical field names in the predefined connectors.

  10. Click Add Property and add the AccountName = true property setting.

  11. Locate the IT resource field for the target system (most connectors identify it with the ITResourceLookupField property), click Add Property, and add the ITResource = true property setting.

  12. Save the parent form and click Make Version Active.

  13. Repeat for each resource.

4.9 Deinstalling Oracle Identity Manager on IBM WebSphere

The procedure to deinstall Oracle Identity Manager on WebSphere is the same as deinstalling Oracle Identity Manager on Oracle WebLogic Server, which is described in the section "Deinstalling Oracle Identity and Access Management" of the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.