32 Handling Lifecycle Management Changes

Because of integrated deployment of Oracle Identity Manager with other applications, such as Oracle Access Manager (OAM), and configuration changes in those applications, various configuration changes might be required in Oracle Identity Manager and Oracle WebLogic Server. These configuration changes are described in the following sections:

32.1 URL Changes Related to Oracle Identity Manager

Oracle Identity Manager uses various hostname and port in its configuration because of the architectural and middleware requirements. This section describes ways to make the corresponding changes in Oracle Identity Manager and Oracle WebLogic configuration for any change in the integrated and dependent applications.

This section contains the following topics:

32.1.1 Oracle Identity Manager Host and Port Changes

This section consists of the following topics:

Note:

When additional Oracle Identity Manager nodes are added or removed, perform the procedures described in these sections to configure Oracle Identity Manager host and port changes.

32.1.1.1 Changing OimFrontEndURL in Oracle Identity Manager Configuration

The OimFrontEndURL is the URL used to access the Oracle Identity Manager UI. This can be a load balancer URL or Web server URL depending on the application server is fronted with loan balancer or Web server, or single application server URL. This is used by Oracle Identity Manager in the notification e-mails as well as the callback URL for SOA calls.

The change may be necessary because of change in Web server hostname or port for Oracle Identity Manager deployment in a clustered environment, or WebLogic managed server hostname or port changes for Oracle Identity Manager deployment in a nonclustered environment.

To change the OimFronEndURL in Oracle Identity Manager configuration:

  1. Login to Enterprise Manager by using the following URL when the WebLogic Administrative Server and Oracle Identity Manager managed servers, at least one of the servers in case of a clustered deployment, are running:

    http://ADMIN_SERVER/em

  2. Navigate to Identity and Access, oim.

  3. Right-click oim, and navigate to System MBean Browser.

  4. Under Application Defined MBeans, navigate to oracle.iam, Application:oim, XMLConfig, Config, XMLConfig.DiscoveryConfig, and then Discovery.

    In a clustered deployment, when you select oracle.iam under Application Defined MBeans, Oracle Identity Manager server name is displayed. Select the server and continue with the navigation.

    Note:

    In a clustered deployment, the change to the OimFrontEndURL must be made on each server in the cluster.
  5. Enter new value for the OimFrontEndURL attribute, and click Apply to save the changes. Example values can be:

    http://OIM_SERVER:OIM_PORT

    https://myoim.mydomain.com

    https://myoimserver.mydomain.com:14001

    Note:

    SPML clients store Oracle Identity Manager URL for invoking SPML and sending callback response. Therefore, changes are required corresponding to this. In addition, if Oracle Identity Manager is integrated with OAM, OAAM, or Oracle Identity Navigator (OIN), there may be corresponding changes necessary. For more information, refer to OAM, OAAM, and OIN documentation in the Oracle Technology Network (OTN) Web site.

    SOA task detail URL is set based on the OIMFrontEndURL when the SOA composite is invoked for the first time. If the OIMFrontEndURL is changed in the environment after this, then the URL for task details must also be changed for all the SOA composites by performing the following steps:

    1. Login to Oracle Enterprise Manager by using WebLogic administrator username and password.

    2. On the left menu, click SOA. Expand soa-infra, default.

    3. Click the required SOA composites under the default menu.

    4. On the right pane, in the Component Metrics section, click the approval task.

    5. Click the Administration tab.

    6. Change host name and port based on the new OIMFrontEndURL, and save the changes.

32.1.1.2 Changing backOfficeURL in Oracle Identity Manager Configuration

Changing backOfficeURL is required only for Oracle Identity Manager deployed in front-office and back-office configuration. This change does not apply for simple clustered or nonclustered deployments. This URL is used internally by Oracle Identity Manager for accessing back-office components from the front-office components. You might change the value of this attribute during the implementation of back-office and front-office configuration, for adding additional servers to back office, and for removing servers from back-office.

To change the value of the backOfficeURL attribute:

  1. Login to Enterprise Manager by using the following URL when the WebLogic Administrative Server and Oracle Identity Manager managed servers, at least one of the servers in case of a clustered deployment, are running:

    http://ADMIN_SERVER/em

  2. Navigate to Identity and Access, and then oim.

  3. Right-click oim, and navigate to System MBean Browser.

  4. Under Application Defined MBeans, navigate to oracle.iam, Application:oim, XMLConfig, Config, XMLConfig.DiscoveryConfig, Discovery.

  5. Enter a new value for the BackOfficeURL attribute, and click Apply to save the changes. Example values can be:

    t3://mywls1.mydomain.com:8001

    t3://mywls1.mydomain.com:8001,mywls2.mydomain.com:9001

    Note:

    The value of the BackOfficeURL attribute must be empty for Oracle Identity Manager nonclustered and clustered deployments.

32.1.1.3 Changing Task Details URL in Human Task Configuration

The task details URL is the URL to display the task details page for a particular human task in Inbox. This can be a load balancer URL or Web server URL depending on whether the application server is fronted with load balancer, or Web server, or single application server URL.

The change might be required because of change in Web server hostname or port for Oracle Identity Manager deployment in a clustered environment, or WebLogic managed server hostname or port changes for Oracle Identity Manager deployment in a nonclustered environment.

To change the task details URL in human task configuration:

  1. Login to Oracle Enterprise Manager by using the following URL:

    http://ADMIN_SERVER/em

    For a clustered deployment, ensure that at least one SOA server in the SOA cluster is running.

  2. Navigate to SOA, soa-infra(SOA_SERVER_NAME), default.

  3. Click DefaultRequestApproval.

  4. In the Component Metrics section, click the ApprovalTask link.

  5. Click the Administration tab.

  6. Make the required changes to Host Name, HTTP Port, and HTTPS Port.

  7. Repeat steps 5 and 6 for all other human tasks in DefaultRequestApproval, for example ChallengeTask.

  8. Repeat steps 4 to 7 for all other composites.

32.1.2 Oracle Identity Manager Database Host and Port Changes

This section describes the configuration areas where database hostname and port number are used.

After installing Oracle Identity Manager, if there are any changes in the database hostname or port number, then the following changes are required:

Note:

Before making changes to the database host and port, shutdown the managed servers hosting Oracle Identity Manager. But you can keep the Oracle WebLogic Administrative Server running.
  • To change datasource oimJMSStoreDS configuration:

    1. Navigate to Services, JDBC, Data Sources, and then oimJMSStoreDS.

    2. Click the Connection Pool tab.

    3. Modify the values of the URL and Properties fields to reflect the changes to database host and port.

  • To change datasource oimOperationsDB configuration:

    1. Navigate to Services, JDBC, Data Sources, and then oimOperationsDB.

    2. Click the Connection Pool tab.

    3. Modify the values of the URL and Properties fields to reflect the changes to database host and port.

  • To change the datasource related to Oracle Identity Manager Meta Data Store (MDS) configuration:

    1. Navigate to Services, JDBC, Data Sources, and then mds-oim.

    2. Click the Connection Pool tab.

    3. Modify the values of the URL and Properties fields to reflect the changes in the database host and port.

  • To change OIMAuthenticationProvider configuration:

    1. In the WebLogic Administrative console, navigate to Security Realms, myrealm, and then Providers.

    2. Click OIMAuthenticationProvider.

    3. Click Provider Specific.

    4. Modify the value of the DBUrl field to reflect the change in hostname and port.

    Note:

    If Service Oriented Architecture (SOA) and Oracle Web Services Manager (OWSM) undergo configuration changes, then you must make similar changes for datasources related to SOA or OWSM.

    After making changes in the datasources, restart the Oracle WebLogic Administrative Server, and start the Oracle Identity Manager managed WebLogic servers.

    Note:

    Whenever Oracle Identity Manager application configuration information is to be changed by using OIM App Config MBeans from the Enterprise Management (EM) console, at least one of the Oracle Identity Manager Managed Servers must be running. Otherwise, you cannot figure out any of the OIM App Config MBeans from the EM console.
  • To change DirectDB configuration:

    1. Login to Enterprise Manager by using the following URL:

      http://ADMIN_SERVER/em

    2. Navigate to Identity and Access, and then oim.

    3. Right-click oim, and navigate to System MBean Browser under Application Defined MBeans.

    4. Navigate to oracle.iam, Application:oim, XMLConfig, Config, XMLConfig.DirectDBConfig, and then DirectDB.

    5. Enter the new value for the URL attribute to reflect the changes to host and port, and then apply the changes.

    Note:

    When Oracle Identity Manager single instance deployment is changed to Oracle Real Application Clusters (Oracle RAC) or Oracle RAC is changed to single instance deployment, change the oimJMSStoreDS, oimOperationsDB, and mds-oim datasources. In addition to the generic changes to make these datasources to multidatasource configuration, change the OIMAuthenticationProvider and domain credential store configurations to reflect the Oracle RAC URL. For information about these generic changes, see Oracle Fusion Middleware High Availability Guide.

    See "Oracle Identity Manager Database Host and Port Changes" for information about changing the port at the database.

32.1.3 Oracle Virtual Directory Host and Port Changes

When LDAP synchronization is enabled, Oracle Identity Manager connects with directory servers through Oracle Virtual Directory (OVD). This connection takes place by using LDAP/LDAPS protocol.

To change OVD host and port:

  1. Login to Oracle Identity System Administration.

  2. Under Configuration, click IT Resource.

  3. From the IT Resource Type list, select Directory Server , and click Search.

  4. Edit the Directory Server IT resource. To do so:

    1. If the value of the Use SSL field is set to False, then edit the Server URL field. If the value of the Use SSL field is set to True, then edit the Server SSL URL field.

    2. Click Update.

See Also:

See "Updating Oracle Identity Manager for OVD Host/Port" for information about changing OVD port at OVD/LDAP server.

32.1.4 BI Publisher Host and Port Changes

To change BI Publisher host and port:

  1. Login to Enterprise Manager by using the following URL when the WebLogic Administrative Server and Oracle Identity Manager managed servers, at least one of the servers in case of a clustered deployment, are running:

    http://ADMIN_SERVER/em

  2. Navigate to Identity and Access, oim.

  3. Right-click oim, and navigate to System MBean Browser.

  4. Under Application Defined MBeans, navigate to oracle.iam, Application:oim, XMLConfig, Config, XMLConfig.DiscoveryConfig, Discovery.

  5. Enter a new value for the BIPublisherURL attribute, and click Apply to save the changes.

32.1.5 SOA Host and Port Changes

To change the SOA host and port:

Note:

When additional SOA nodes are added or removed, perform this procedure to change the SOA host and port.
  1. Login to Enterprise Manager by using the following URL when the WebLogic Administrative Server and Oracle Identity Manager managed servers, at least one of the servers in case of a clustered deployment, are running:

    http://ADMIN_SERVER/em

  2. Navigate to Identity and Access, oim.

  3. Right-click oim, and navigate to System MBean Browser.

  4. Under Application Defined MBeans, navigate to oracle.iam, Application:oim, XMLConfig, Config, XMLConfig.SOAConfig, SOAConfig.

  5. Change the value of the Rmiurl attribute, and click Apply to save the changes.

    The Rmiurl attribute is used for accessing SOA EJBs deployed on SOA managed servers. This is the application server URL. For a clustered deployment of Oracle Identity Manager, it is a comma-separated list of all the SOA managed server URLs. Example values for this attribute can be:

    t3://mysoa1.mydomain.com:8001

    t3s://mysoaserver1.mydomain.com:8002,mysoa2.mydomain.com:8002

    t3://mysoa1.mydomain.com:8001,mysoa2.mydomain.com:8002,mysoa3.mydomain.com:8003

  6. Change the SOA JNDIProvider host and port. To do so:

    1. Login to WebLogic Administration Console.

    2. In the Domain Structure section, navigate to OIM_DOMAIN, Services, Foreign JNDI Providers.

    3. Click ForeignJNDIProvider-SOA.

    4. In the Configuration tab, verify that the General subtab is active.

    5. Change the value of Provider URL to the Rmiurl provided in Step 5.

32.1.6 OAM Host and Port Changes

To change the OAM host and port:

  1. Login to Enterprise Manager by using the following URL when the WebLogic Administrative Server and Oracle Identity Manager managed servers, at least one of the servers for a clustered deployment, are running:

    http://ADMIN_SERVER/em

  2. Navigate to Identity and Access, and then to oim.

  3. Right-click oim, and navigate to System MBean Browser.

  4. Under Application Defined MBeans, navigate to oracle.iam, Application:oim, XMLConfig, Config, XMLConfig.SSOConfig, and then SSOConfig.

  5. Change the values of the AccessServerHost and AccessServerPort attributes and other attributes as required, and click Apply to save the changes.

32.2 Password Changes Related to Oracle Identity Manager

Various passwords are used for Oracle Identity Manger configuration because of the architectural and middleware requirements. This section describes the default passwords and ways to make the changes to the password in Oracle Identity Manger and Oracle WebLogic configuration for any change in the dependent or integrated products.

This section consists of the following topics:

32.2.1 Changing Oracle WebLogic Administrator Password

To change Oracle WebLogic administrator password:

  1. Login to WebLogic Administrative console.

  2. Navigate to Security Realms, myrealm, Users and Groups, weblogic, Password.

  3. In the New Password field, enter the new password.

  4. In the Confirm New Password field, re-enter the new password.

  5. Click Apply.

Weblogic credentials must be updated in the following places:

  1. Foreign JNDI Provider. To do so:

    1. Login to WebLogic Administrative Console.

    2. In the Domain Structure section, navigate to OIM_DOMAIN, Services, Foreign JNDI Providers.

    3. Click ForeignJNDIProvider-SOA.

    4. In the Configuration tab, verify that the General subtab is active.

    5. Provide weblogic user's new password in the password and confirm password fields.

  2. SOAAdminPassword in CSF. See "Changing Oracle Identity Manager Passwords in the Credential Store Framework" for details.

32.2.2 Changing Oracle Identity Manager Administrator Password

During Oracle Identity Manager installation, the installer prompts for the Oracle Identity Manager administrator password. If required, you can change the administrator password after the installation is complete. To do so, you must login to Oracle Identity Manager Self Service as Oracle Identity Manager administrator. For information about how to change the administrator password, see "Changing Password" in the Oracle Fusion Middleware User's Guide for Oracle Identity Manager.

When you change the Oracle Identity Manager system administrator password, you must also update the password in the OIMAdmin key under the oracle.wsm.security map in CSF.

Note:

If OAM or OAAM is integrated with Oracle Identity Manager, then you must make corresponding changes in those applications. For more information, refer to OAM and OAAM documentation in the Oracle Technology Network (OTN) Web site by using the following URL:

http://www.oracle.com/technetwork/indexes/documentation/index.html

32.2.3 Changing Oracle Identity Manager Administrator Database Password

This section describes resetting Oracle Identity Manager password in the following types of deployments:

  • Oracle Identity Manager deployment without LDAP synchronization

  • Oracle Identity Manager deployment with LDAP synchronization enabled

  • Oracle Identity Manager deployment that is integrated with Access Manager (OAM)

Resetting System Administrator password can be performed by using the oimadminpasswd_wls.sh utility, which is available in the OIM_HOME/server/bin/ directory. The steps to run the oimadminpasswd_wls.sh utility are the same for both types of deployment: Oracle Identity Manager with LDAP synchronization enabled and without LDAP synchronization enabled.

This section describes resetting Oracle Identity Manager password in the following topics:

32.2.3.1 Resetting System Administrator Database Password in Oracle Identity Manager Deployment

To reset System Administrator database password:

  1. As a prerequisite for running the oimadminpasswd_wls.sh utility, open the OIM_HOME/server/bin/oimadminpasswd_wls.properties file in a text editor, and set values for the following properties:

    • JAVA_HOME: Set this to jdk6 or later, for example:

      JAVA_HOME=/opt/softwares/shiphome/jdk160_24
      
    • COMMON_COMPONENTS_HOME: This is Oracle Middleware common home directory, for example:

      COMMON_COMPONENTS_HOME=/opt/softwares/shiphome/oracle_common
      
    • OIM_ORACLE_HOME: This is Oracle Identity Manager Oracle home directory, for example:

      OIM_ORACLE_HOME=/opt/softwares/shiphome/Oracle_IDM1
      
    • ORACLE_SECURITY_JPS_CONFIG: Specify the jps-config-jse.xml file location present in Oracle Identity Manager Domain, for example:

      ORACLE_SECURITY_JPS_CONFIG=/opt/softwares/shiphome/user_projects/domains/base_domain/config/fmwconfig/jps-config-jse.xml
      
    • DOMAIN_HOME: Specify Oracle Identity Manager Domain Home location of the Weblogic Application Server, for example:

      DOMAIN_HOME=/opt/softwares/shiphome/user_projects/domains/base_domain
      
    • DBURL: Oracle Identity Manager database URL, for example:

      DBURL=jdbc:oracle:thin:@dbhostname:5521:orclsid
      
    • DBSCHEMAUSER: Oracle Identity Manager schema username, for example:

      DBSCHEMAUSER=DEV_OIM
      
    • OIM_OAM_INTG_ENABLED: Set this to false if Oracle Identity Manager deployment is not integrated with Access Manager, for example:

      OIM_OAM_INTG_ENABLED=false
      

    Note:

    Other properties, such as LDAPURL, LDAPADMINUSER, and OIM_ADMIN_LDAP_DN can be ignored as they are used only in an integrated setup between Oracle Identity Manager and Access Manager.
  2. Go to the OIM_HOME/server/bin/ directory, and run the following command:

    sh oimadminpasswd_wls.sh oimadminpasswd_wls.properties
    

    The following is a sample output:

    Enter OIM DB Schema Password :
    Enter OIM Adminstrator xelsysadm new Password:
    Re-enter OIM Adminstrator xelsysadm new Password:
    WARNING: Not able to fetch OIMPlatform instance for the given Platform. Hence defaulting to the OIMWebLogicPlatform
    
    OIM Admin user xelsysadm password reset successfully in OIMDB
    

    Note:

    The warning messages that are displayed while running the oimadminpasswd_wls.sh script can be ignored.

32.2.3.2 Resetting System Administrator Database Password When Oracle Identity Manager Deployment is Integrated With Access Manager

If Oracle Identity Manager is integrated with OAM, then LDAP directory, such as Oracle Internet Directory, is used for all authentication purposes. Therefore, Oracle Identity Manager Administrator xelsysadm password is reset in LDAP. Although the xelsysadm password present in Oracle Identity Manager database is not used in this topology, it is also reset along with LDAP directory to ensure that the passwords in both repositories are in sync.

To reset System Administrator database password when Oracle Identity Manager Deployment is Integrated With Access Manager:

  1. As a prerequisite for running the oimadminpasswd_wls.sh utility, open the OIM_HOME/server/bin/oimadminpasswd_wls.properties file in a text editor, and set values for the following properties:

    • JAVA_HOME: Set this to jdk6 or later, for example:

      JAVA_HOME=/opt/softwares/shiphome/jdk160_24
      
    • COMMON_COMPONENTS_HOME: This is Oracle Middleware common home directory, for example:

      COMMON_COMPONENTS_HOME=/opt/softwares/shiphome/oracle_common
      
    • OIM_ORACLE_HOME: This is Oracle Identity Manager Oracle home directory, for example:

      OIM_ORACLE_HOME=/opt/softwares/shiphome/Oracle_IDM1
      
    • ORACLE_SECURITY_JPS_CONFIG: Specify the jps-config-jse.xml file location present in Oracle Identity Manager Domain, for example:

      ORACLE_SECURITY_JPS_CONFIG=/opt/softwares/shiphome/user_projects/domains/base_domain/config/fmwconfig/jps-config-jse.xml
      
    • DOMAIN_HOME: Specify Oracle Identity Manager Domain Home location of the Weblogic Application Server, for example:

      DOMAIN_HOME=/opt/softwares/shiphome/user_projects/domains/base_domain
      
    • DBURL: Oracle Identity Manager database URL, for example:

      DBURL=jdbc:oracle:thin:@dbhostname:5521:orclsid
      
    • DBSCHEMAUSER: Oracle Identity Manager schema username, for example:

      DBSCHEMAUSER=DEV_OIM
      
    • OIM_OAM_INTG_ENABLED: Set this to true if Oracle Identity Manager deployment is integrated with Access Manager, for example:

      OIM_OAM_INTG_ENABLED=true
      
    • LDAPURL: LDAP directory URL. Non-SSL port must be specified, for example:

      LDAPURL=ldap://LDAP_HOSTNAME:3060
      
    • LDAPADMINUSER : LDAP directory admin username, for example:

      LDAPADMINUSER=cn=orcladmin
      
    • OIM_ADMIN_LDAP_DN: Oracle Identity Manager Administrator xelsysadm complete DN in the LDAP directory, for example:

      OIM_ADMIN_LDAP_DN=cn=xelsysadm,cn=Users,dc=us,dc=mydomain,dc=com
      
  2. Go to the OIM_HOME/server/bin/ directory, and run the following command:

    sh oimadminpasswd_wls.sh oimadminpasswd_wls.properties
    

    The following is a sample output:

    Enter OIM DB Schema Password :
    Enter OIM Adminstrator xelsysadm new Password:
    Re-enter OIM Adminstrator xelsysadm new Password:
    WARNING: Not able to fetch OIMPlatform instance for the given Platform. Hence defaulting to the OIMWebLogicPlatform
    
    OIM Admin user xelsysadm password reset successfully in OIMDB
    OIM Admin user cn=xelsysadm,cn=Users,dc=...,dc=...,dc=... password reset successfully in LDAP
    

    Note:

    • The warning messages that are displayed while running the oimadminpasswd_wls.sh script can be ignored.

    • The xelsysadm password expiry setting is not set to expire until 2035. During integration between Oracle Identity Manager and Access Manager, the obpasswordexpirydate setting for the xelsysadm user is set to "2035-01-01T00:00:00Z". If this value has been changed, then revert it to "2035-01-01T00:00:00Z" for xelsysadm. This value is initially loaded from a following template LDIF file:

      $OIM_ORACLE_HOME/idmtools/templates/oid/idm_xelsysadmin_user.ldif

32.2.4 Changing Oracle Identity Manager Database Password

Oracle Identity Manager uses two database schemas for storing Oracle Identity Manager operational and configuration data. It uses Oracle Identity Manager MDS schema for storing configuration-related information and Oracle Identity Manager schema for storing other information. Any change in the schema password requires changes on Oracle Identity Manager configuration.

Changing Oracle Identity Manager database password involves the following:

Note:

Before changing the database password, shutdown the managed servers that host Oracle Identity Manager. However, you can keep the Oracle WebLogic Administrative Server running.
  • To change datasource oimJMSStoreDS configuration:

    1. Navigate to Services, JDBC, Data Sources, oimJMSStoreDS.

    2. Click the Connection Pool tab.

    3. In the Password and Confirm password fields, enter the new Oracle Identity Manager database schema password.

    4. Click Save to save the changes.

  • To change datasource oimOperationsDB configuration:

    1. Navigate to Services, JDBC, Data Sources, oimJMSStoreDS.

    2. Click the Connection Pool tab.

    3. In the Password and Confirm password fields, enter the new Oracle Identity Manager database schema password.

    4. Click Save to save the changes.

  • To change datasource related to Oracle Identity Manager MDS configuration:

    1. Navigate to Services, JDBC, Data Sources, mds-oim.

    2. Click the Connection Pool tab.

    3. In the Password and Confirm password fields, enter the new Oracle Identity Manager MDS database schema password.

    4. Click Save to save the changes.

    Note:

    • For Oracle Identity Manager deployments with Oracle Real Application Clusters (Oracle RAC) configuration, you might have to make changes in all the datasources under the respective multi-datasource configurations.

    • You might have to make similar changes for datasources related to SOA or OWSM, if required.

  • To change OIMAuthenticationProvider configuration:

    1. In the WebLogic Administrative console, navigate to Security Realms, myrealm, and then Providers.

    2. Click OIMAuthenticationProvider.

    3. Click Provider Specific.

    4. In the DBPassword field, enter the new Oracle Identity Manager database schema password.

    5. Click Save to save the changes.

  • To change domain credential store configuration:

    1. Login to Enterprise Manager by using the following URL:

      http://ADMIN_SERVER/em

    2. Navigate to Weblogic Domain, and then DOMAIN_NAME.

    3. Right click oim, and navigate to Security, Credentials, and then oim.

    4. Select OIMSchemaPassword, and click Edit.

    5. In the Password field, enter the new password, and click OK.

After changing the Oracle Identity Manager database password, restart the WebLogic Administrative Server. Start the Oracle Identity manager managed WebLogic Servers as well.

32.2.5 Changing Oracle Identity Manager Passwords in the Credential Store Framework

Oracle Identity Manager installer stores several passwords during the install process. Various values are stored in Credential Store Framework (CSF) as key and value. Table 32-1 lists the keys and the corresponding values:

Table 32-1 CSF Keys

Key Description

DataBaseKey

The password for the key used to encrypt database. The password is the user input value in the installer for the Oracle Identity Manager keystore.

.xldatabasekey

The password for keystore that stores the database encryption key. The password is the user input value in the installer for the Oracle Identity Manager keystore.

xell

The password for key 'xell', which is used for securing communication between Oracle Identity Manager components. Default password generated by Oracle Identity Manager installer is xellerate.

default_keystore.jks

The password for the default_keystore.jks JKS keystore in the DOMAIN_HOME/config/fmwconfig/ directory. The password is the user input value in the installer for the Oracle Identity Manager keystore.

SOAAdminPassword

The password is user input value in the installer for SOA Administrator Password field.

OIMSchemaPassword

The password for connecting to Oracle Identity Manager database schema. Password is user input value in the installer for OIM Database Schema Password field.

JMSKey

The password is the user input value in the installer for the Oracle Identity Manager keystore.


To change the values of the CSF keys:

  1. Login to Oracle Enterprise Manager by navigating to the following URL:

    http://ADMIN_SERVER/em

  2. Navigate to Weblogic Domain, DOMAIN_NAME.

  3. Right-click oim, and select Security, Credentials.

  4. Edit the Directory Server IT resource. To do so, in the Admin Password field, enter the new OVD password, and click Update.

32.2.6 Changing OVD Password

To change the OVD password:

  1. Login to Oracle Identity Manager Administration.

  2. Click Advanced.

  3. Under Configuration, click Manage IT Resource.

  4. From the IT Resource Type list, select Directory Server.

  5. Click Search.

  6. Edit the Directory Server IT resource. To do so, in the Admin Password field, enter the new OVD password, and click Update.

32.2.7 Changing Oracle Identity Manager Administrator Password in LDAP

To change Oracle Identity Manager System Administrator password in LDAP:

  1. Look up the dn for the user from LDAP, as shown:

    $ORACLE_HOME/bin/ldapsearch -D cn=orcladmin -w fusionapps1 -h localhost -p 6501 -b dc=com "cn=SYS_ADMIN" orclaccountlocked dn
    

    Here, SYS_ADMIN is the System Administrator user login.

  2. Create a file similar to the following:

    $ more /tmp/resetpassword_SYS_ADMIN
    
    dn: cn=SYS_ADMIN,cn=Users,dc=us,dc=mydomain,dc=com
    changetype: modify
    replace: userPassword
    userPassword: NEW_PASSWORD
    

    Here, NEW_PASSWORD is the password that you want in clear text.

  3. Change the password, as shown:

    $ORACLE_HOME/bin/ldapmodify -D cn=orcladmin -w fusionapps1 -h localhost -p 6501 -f /tmp/ resetpassword _SYS_ADMIN
    
  4. Verify that the user password is changed, as shown:

    $ORACLE_HOME/bin/ldapbind -D cn=SYS_ADMIN,cn=Users,dc=us,dc=mydomain,dc=com -w NEW_PASSWORD -h localhost -p 6501
    

32.2.8 Unlocking Oracle Identity Manager Administrator Password in LDAP

To unlock Oracle Identity Manager System Administrator password in LDAP:

  1. Look up the dn for the user from LDAP, as shown:

    $ORACLE_HOME/bin/ldapsearch -D cn=orcladmin -w fusionapps1 -h localhost -p 6501 -b dc=com "cn=SYS_ADMIN" orclaccountlocked dn
    

    If orclaccountlocked has a value of 1, then it means that the user is locked.

  2. Create a file similar to the following:

    $ more /tmp/unlock_SYS_ADMIN
    
    dn: cn=SYS_ADMIN,cn=Users,dc=us,dc=mydomain,dc=com
    changetype: modify
    replace: orclaccountlocked
    orclaccountlocked: 0
    
  3. Unlock the user, as shown:

    $ORACLE_HOME/bin/ldapmodify -D cn=orcladmin -w fusionapps1 -h localhost -p 6501 -f /tmp/unlock_SYS_ADMIN
    
  4. Verify that the user is unlocked, as shown:

    $ORACLE_HOME/bin/ldapsearch -D cn=orcladmin -w fusionapps1 -h localhost -p 6501 -b dc=com "cn=SYS_ADMIN" orclaccountlocked dn
    

    The value of orcladdountlocked must be 0.

32.2.9 Changing Schema Passwords

To change OIM, MDS, SOAINFRA, OPSS, and ORASDPM schema passwords:

  1. Stop all the Managed Servers and application server.

  2. Create a backup of the entire domain and the database.

  3. Start the application server.

  4. Change the xxxx_OPSS user password. To do so:

    1. Run the following command:

      SQL> alter user xxxx_OPSS identified by NEW_PASSWORD;
      SQL>commit;
      
    2. Go to the ORACLE_COMMON/common/bin/ directory, and run the wlst command.

    3. Run the modifyBootStrapCredential script, as shown:

      modifyBootStrapCredential(jpsConfigFile='DOMAIN_NAME/config/fmwconfig/jps-config.xml', username='xxxx_OPSS', password='NEW_PASSWORD')
      

      Note:

      For detailed information about the modifyBootStrapCredential script, see "modifyBootStrapCredential" in the Oracle Fusion Middleware Application Security Guide.
  5. Go to the bin/ directory of the domain, and run the following command:

    ./setDomainEnv.sh
    
  6. Run the following command:

    bin/java weblogic.security.Encrypt
    password:NEW_PASSWORD
    {AES}JHyrhOMB5hVRuDU/pV0qX86qz98ZV0xWXBSEAANA4Gs >>>>>>>>>>>>> This is your new encrypted password
    
  7. In a text editor, open the DOMAIN_NAME\Config\jdbc\OPSSdbs.xml file. Replace the current encrypted password with the newly encrypted password value.

  8. Save the OPSSdbs.xml file.

  9. Login to Weblogic Administrative Console. Navigate to Services, Data Sources.

  10. Select opss-DBDS, Connection Pool, and enter the new password set to xxxx_opss in step 4a. Save the changes.

  11. Restart the application server, but do not start the Managed Servers.

  12. Connect to the database with sqlplus as system user, and then run the following commands:

    1. To change the password for xxx_OIM, run:

      SQL> alter user xxx_OIM identified by NEW_PASSWORD;
      SQL>commit
      
    2. To change the password for xxx_MDS, run:

      SQL> alter user xxx_MDS identified by NEW_PASSWORD;
      SQL>commit;
      
    3. To change the password for xxx_SOAINFRA, run:

      SQL> alter user xxx_SOAINFRA identified by NEW_PASSWORD;
      SQL>commit
      
    4. To change the password for xxx_ORASDPM, run:

      SQL> alter user xxx_ORASDPM identified by NEW_PASSWORD;
      SQL>commit;
      
  13. Verify that the passwords have been changed. To do so, login to the database with sqlplus and the four users and the new passwords.

  14. Login to the WebLogic Administrative Console.

  15. Go to Services, Data Sources, and then perform the following:

    1. Select oimJMSStoreDS, Connection Pool, and enter the new password set to xxx_OIM in step 12a.

    2. Select oimOperationsDB, Connection Pool, and enter the new password set to xxx_OIM in step 12a.

    3. Select ApplicationDB, Connection Pool, and enter the new password set to xxx_OIM in step 12a.

    4. Select mds-oim, Connection Pool, and enter the new password set to xxx_MDS in step 12b.

    5. Select mds-owsm, Connection Pool, and enter the new password set to xxx_MDS in step 12b.

    6. Select mds-soa, Connection Pool, and enter the new password set to xxx_MDS in step 12b.

    7. Select EDNDataSource, Connection Pool, and enter the new password set to xxx_SOAINFRA in step 12c.

    8. Select EDNLocalTxDataSource, Connection Pool, and enter the new password set to xxx_SOAINFRA in step 12c.

    9. Select SOADataSource, Connection Pool, and enter the new password set to xxx_SOAINFRA in step 12c.

    10. Select SOALocalTxDataSource, Connection Pool, and enter the new password set to xxx_SOAINFRA in step 12c.

    11. Select OraSDPMDataSource, Connection Pool, and enter the new password set to xxx_ORASDPM in step 12d.

  16. Change OIMAuthenticationProvider configuration. To do so:

    1. In the WebLogic Administrative Console, navigate to Security Realms, myrealm, and then Providers.

    2. Click OIMAuthenticationProvider.

    3. Click Provider Specific.

    4. In the DBPassword field, enter the new Oracle Identity Manager database schema password.

    5. Click Save to save the changes.

  17. Change the domain credential store configuration. To do so:

    1. Login to Oracle Enterprise Manager.

    2. Navigate to Weblogic Domain, and then DOMAIN_NAME.

    3. Right-click the domain name, and select Security, Credentials, and then oim.

    4. Select OIMSchemaPassword, and click Edit.

    5. In the Password field, enter the new password, and then click OK.

  18. Restart WebLogic Admin Server.

  19. Start the SOA and Oracle Identity Manager Managed Servers.

32.3 Configuring SSL for Oracle Identity Manager

This section describes the procedure for generating keys, signing and exporting certificates, setting up SSL Configuration for Oracle Identity Manager and for the components with which Oracle Identity Manager interacts, and establish secure communication between them. It includes the following topics:

Note:

  • Sections "Generating Keys" through "Importing the Certificate" provide example commands that will be used later in the document. These are for reference and not part of the mandatory steps of configuration.

  • See "Enabling SSL Communication" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for information about enabling Secure Sockets Layer (SSL) communication for various Segregation of Duties (SoD) purposes.

32.3.1 Generating Keys

You can generate private and public certificate pairs by using the keytool command.

The following command creates an identity keystore (support.jks):

$JAVA_HOME/jre/bin/keytool -genkey
-alias support
-keyalg RSA
-keysize 1024
-dname "CN=localhost, OU=Identity, O=Oracle Corporation,C=US"
-keypass KEYSTORE_PASSWORD
-keystore support.jks
-storepass weblogic1

Note:

  • Change the parameter values passed to the keytool command according to your requirements. Ensure that there is no line break in the keytool argument.

  • If JDK 7u40 or later is used, then the value of the keysize option must be greater than or equal to 1024. For more information about this limitation, see "Default x.509 Certificates Have Longer Key Length" at the following URL:

    http://www.oracle.com/technetwork/java/javase/7u40-relnotes-2004172.html

32.3.2 Signing the Certificates

Use the following keytool command to sign the certificates that you created:

$JAVA_HOME/jre/bin/keytool -selfcert -alias support
  -sigalg MD5withRSA -validity 2000 -keypass weblogic1
  -keystore support.jks
  -storepass KEYSTORE_PASSWORD

Note:

Change the parameter values passed to the keytool command according to your requirements. Ensure that there is no line break in the keytool argument.

32.3.3 Exporting the Certificate

Use the following keytool command to export the certificate from the identity keystore to a file, for example, supportcert.pem:

$JAVA_HOME/jre/bin/keytool -export -alias support
  -file supportcert.pem
  -keypass weblogic1
  -keystore support.jks
  -storepass KEYSTORE_PASSWORD

Note:

Change the parameter values passed to the keytool command according to your requirements. Ensure that there is no line break in the keytool argument.

32.3.4 Importing the Certificate

Use the following keytool command to import the certificate from a file, such as wlservercert.pem, to the identity keystore:

$JAVA_HOME/jre/bin/keytool -import -alias serverwl -trustcacerts -file D:\bea\user_projects\domains\mydomain\wlservercert.pem 
-keystore CLIENT_TRUST_STORE -storepass CLIENT_TRUST_STORE_PASSWORD

Note:

Change the parameter values passed to the keytool command according to your requirements. Ensure that there is no line break in the keytool argument.

32.3.5 Enabling SSL for Oracle Identity Manager and SOA Servers

You need to perform the following configurations in Oracle Identity Manager and SOA servers to enable SSL:

32.3.5.1 Enabling SSL for Oracle Identity Manager

Enabling SSL for Oracle Identity Manager is described in the following sections:

32.3.5.1.1 Enabling SSL for Oracle Identity Manager By Using Default Setting

To enable SSL for Oracle Identity Manager and SOA servers by using default setting:

  1. Log in to WebLogic Server Administrative console and go to Servers, OIM_SERVER1, General. Under the general section, you can enable ssl port to any value and activate it.

  2. The server will start listening and you can access the URL with HTTPS protocol.

  3. Perform the same steps for Admin/SOA Servers as Oracle Identity Manager might need to interact with SSL-enabled SOA Server.

32.3.5.1.2 Enabling SSL for Oracle Identity Manager By Using Custom Keystore

To enable SSL for Oracle Identity Manager by using custom keystore:

Note:

See "Generating Keys" for information about generating custom keys.
  1. In the WebLogic Server Administration Console, click Environment, Servers, Server_Name (OIM_Server1), Configuration, and then General.

  2. Click Lock & Edit.

  3. Select SSL listen port enabled. The default port is 14001.

  4. Select the Keystores tab.

  5. From the Keystore list, select Custom Identity, Java Standard Trust.

  6. In the Custom Identity Keystore field, enter the absolute path of custom identity keystore filename. For example:

    DOMAIN_HOME/config/fmwconfig/support.jks

    Note:

    • The keystore created at DOMAIN_HOME/config/fmwconfig/ by Oracle Identity Manager during installation is default-keystore.jks.

    • If you are using a different name for truststore than the default name, which is default-keystore.jks, then perform the following steps:

      1. Add Oracle Identity Manager Credential store map key. If you are using any other name, such as support.jks, then create a key in the credential store by using Oracle Enterprise Manager as default-keystore.jks is created with Oracle Identity Manager configuration by default.

      2. Change DirectDB config in the oim-Config.xml file either by exporting/importing this file from MDS or by using Enterprise Manager. For the latter, navigate to XMLConfig in Application Defined MBeans section of System Mbean Browser, and then change the SSL parameters, for example:

        SSLConfig dBTrustStore="support.jks"
        
  7. Specify JKS as the custom identity keystore type.

  8. Type the password (weblogic1) into the Custom Identity Keystore Passphrase and the Confirm Custom Identity Keystore Passphrase fields.

  9. Click Save.

  10. Click the SSL tab.

  11. Type support as the private key alias.

  12. Type the password (weblogic1) into the Private Key Passphrase and the Confirm Private Key Passphrase fields.

  13. Click Save.

  14. Perform similar steps (steps 1 through 13) for Admin and SOA Servers.

  15. Click Activate changes.

  16. Import the certificate that you exported in "Exporting the Certificate" into the SPML client truststore and Java Standard Trust Store:

    JAVA_HOME/jre/lib/security/cacerts

    Note:

    The default password for Java's Standard truststore (JAVA_HOME/jre/lib/security/cacerts) is changeit.

    See "Importing the Certificate" for information about importing the certificate.

  17. In the DOMAIN_HOME/bin/setDomainEnv.sh file for UNIX or DOMAIN_HOME\bin\setDomainEnv.cmd for Microsoft Windows, append the following in JAVA_PROPERTIES:

    -Djavax.net.ssl.trustStore=$JAVA_HOME/jre/lib/security/cacerts
    
  18. Restart all servers for the changes to take effect.

Note:

After enabling SSL on Oracle Identity Manager and SOA Servers, perform the following changes for establishing secured communication between them:

32.3.5.2 Changing OimFrontEndURL to Use SSL Port

OimFrontEndURL is used to access the oim application UI. This can be a load balancer URL or web server URL (in case application server is fronted with load balancer or web server) or single application server URL. This is generally used by Oracle Identity Manager in the notification emails or to send a call back web service from SOA to Oracle Identity Manager.

To change the OimFrontEndURL to use SSL port:

  1. When the WebLogic admin and Oracle Identity Manager managed servers (at least one of the servers in case of cluster) are running, log in to Enterprise Manager (EM).

    For example:

    http://<AdminServer>/em

  2. Navigate to Identity and Access, Oracle Identity Manager, and then oim (11.1.2.0.0).

  3. Right click and select System MBean Browser.

  4. Under Application Defined MBeans, navigate to oracle.iam, Server:<oim_servername>, Application:oim.

    In a clustered deployment, when you select oracle.iam under Application Defined MBeans, Oracle Identity Manager server name is displayed. Select the server and continue with the navigation.

    Note:

    In a clustered deployment, the change to the OimFrontEndURL must be made on each server in the cluster.
  5. Enter a new value for the "OimFrontEndURL" attribute and click Apply to save the changes.

    For example:

    http://myoim.mydomain.com

    https://myoim.mydomain.com

    http://myoimserver.mydomain.com:14002

    Note:

    Fusion Apps or SPML clients store Oracle Identity Manager URL for invoking SPML and also send callback response. Therefore, there will be changes needed corresponding to this. Also, if Oracle Identity Manager is integrated with OAM/OAAM/OIN, there may be corresponding changes necessary. Refer to Chapter 31, "Integrating with Other Oracle Components" for detailed information about the integration with other components.

32.3.5.3 Changing backOfficeURL to Use SSL Port

backOfficeURL change is required only for Oracle Identity Manager deployed in front-office/back-office configuration. For simple cluster or non-cluster installations the following does not apply. This URL is used internally by Oracle Identity Manager for accessing back-office components from the front-office components. This value needs to be changed initially during the implementation of back-office/front-office configuration, for adding additional servers to back office, and for removing servers from back-office.

To change the backOfficeURL to use SSL port:

  1. When the WebLogic admin and Oracle Identity Manager managed servers (at least one of the servers in case of cluster) are running, log in to Enterprise Manager (EM).

    For example:

    http://<AdminServer>/em

  2. Navigate to Identity and Access, Oracle Identity Manager.

  3. Right click and select System MBean Browser.

  4. Under Application Defined MBeans, navigate to oracle.iam, Application:oim, XMLConfig, Config, XMLConfig.DiscoveryConfig, Discovery.

  5. Enter a new value for the "backOfficeURL" attribute and click Apply to save the changes.

    For example:

    t3://mywls1.mydomain.com:8001

    t3://mywls1.mydomain.com:8001,mywls2.mydomain.com:9001

    Note:

    For simple cluster and non-cluster installations the value must be empty.

32.3.5.4 Changing SOA Server URL to Use SSL Port

To change SOA server URL to use SSL port:

  1. When the admin server and Oracle Identity Manager managed servers are running, log in to Enterprise Manager (EM).

    For example:

    http://ADMINISTRATIVE_SERVER/em

  2. Navigate to Identity and Access, Oracle Identity Manager.

  3. Right click and select System MBean Browser.

  4. Under Application Defined MBeans, navigate to oracle.iam, Application:oim, XMLConfig, Config, XMLConfig.SOAConfig, SOAConfig.

  5. Change the values of the Rmiurl attribute.

    Note:

    Rmiurl is used for accessing SOA EJBs deployed on SOA managed servers.

    This is the application server URL. For clustered installation, it is a comma separated list of all the SOA managed server URLs.

    For example:

    t3://mysoa1.mydomain.com:8001

    t3s://mysoaserver1.mydomain.com:8002

    t3://mysoa1.mydomain.com:8001,mysoa2.mydomain.com:8002,mysoa3.com:8003

  6. Change the value of the Soapurl attribute. For example:

    http://myoimsoa.mydomain.com

    https://mysoa.mydomain.com: 8001

    Note:

    Soapurl is used to access SOA web services deployed on SOA managed servers. This is the web server/load balancer URL, in case of a SOA cluster front ended with web server/load balancer. In case of single SOA server, it can be application server URL.
  7. Click Apply to save the changes.

32.3.5.5 Configuring SSL for Design Console

To change the Design console to establish secure connection between Oracle Identity Manager and Design console:

  1. Generate and make sure that wlfullclient.jar is in the $OIM_HOME/designconsole/ext/ directory. To do so:

    1. Go to the WL_HOME/server/lib/ directory.

    2. Run the following command:

      java -jar wlfullclient.jar
      
    3. Copy wlfullclient.jar from:

      $WL_HOME/server/lib/To:$OIM_HOME/designconsole/ext/

  2. Copy webserviceclient+ssl.jar from:

    $WL_HOME/server/lib

    to

    $OIM_HOME/designconsole/ext/

  3. Copy MW_HOME/modules/cryptoj.jar to the OIM_HOME/designconsole/ext/ directory.

  4. Edit the $DESIGN_CONSOLE_HOME/config/xlconfig.xml file. Make the following changes:

    Change:

    <Discovery>
                <CoreServer>
    <java.naming.provider.url>t3://HOST_NAME:OIM_PORT/oim</java.naming.provider.url>
    <java.naming.factory.initial>weblogic.jndi.WLInitialContextFactory</java.naming.factory.initial>
                </CoreServer>
    </Discovery>
    

    To:

    <Discovery>
                <CoreServer>
    <java.naming.provider.url>t3s://HOST_NAME:OIM_SSL_PORT/oim</java.naming.provider.url>
    <java.naming.factory.initial>weblogic.jndi.WLInitialContextFactory</java.naming.factory.initial>
                </CoreServer>
    </Discovery>
    

    Change:

    <ApplicationURL>http://HOST_NAME:PORT_NUMBER/xlWebApp/loginWorkflowRenderer.do</ApplicationURL>
    

    To:

    <ApplicationURL>https://HOST_NAME:OIM_SSL_PORT/xlWebApp/loginWorkflowRenderer.do</ApplicationURL>
    
  5. Use the Server trust store in the Design console. To access this:

    1. Go to WebLogic Server Administrative console, Environment, Servers.

    2. Click on <OIM_SERVER_NAME> to view details of the Oracle Identity Manger server.

    3. Click the KeyStores tab and note down the "Trust keystore" location in the "Trust" section.

    4. If the Design Console is deployed on the Oracle Identity Manager host, then set the TRUSTSTORE_LOCATION environment variable to the location of the "Trust keystore" location mentioned in step 5c. For example:

      setenv TRUSTSTORE_LOCATION WL_HOME//server/lib/DemoTrust.jks
      
    5. If the Design Console is deployed on a different host than Oracle Identity Manager, then copy the "Trust keystore" to the host on which Design Console is deployed, and set the TRUSTSTORE_LOCATION env variable to the location where "Trust keystore" is copied on the local host. For example:

      setenv TRUSTSTORE_LOCATION OIM_HOME/designconsole/DemoTrust.jks
      
  6. If $DESIGN_CONSOLE_HOME/config/xl.policy does not contain the default grant policy for all, then add the following permission for cryptoj.jar at the end of the file, as shown:

    grant codeBase "file:DIRECTORY_PATH_TO_cryptoj.jar"{  permission java.security.AllPermission;};
    

    Copy $MW_HOME/modules/cryptoj.jar to the $OIM_HOME/designconsole/ext/ directory.

    Note:

    Here, copying $MW_HOME/modules/cryptoj.jar to the $OIM_HOME/designconsole/ext/ directory is a mandatory step. Setting the permission is necessary if xl.policy does not contain the default grant policy for all.

32.3.5.6 Configuring SSL for Oracle Identity Manager Utilities

Oracle Identity Manager client utilities include PurgeCache, GenerateSnapshot, UploadJars, and UploadResources.

Set the TRUSTSTORE_LOCATION environment variable to the location of the "Trust keystore" location.

Note:

See "Configuring SSL for Design Console" for details about setting the TRUSTSTORE_LOCATION environment variable to the location of the 'Trust keystore' location.

For example:

setenv TRUSTSTORE_LOCATION WL_HOME/server/lib/DemoTrust.jks

32.3.5.7 Configuring SSL for SPML/Callback Domain

To configure SSL for SPML/callback domain:

  1. Ensure that Oracle Identity Manager port is SSL enabled with HostName verification set to false.

  2. Enable SSL on Fusion Applications including callback domain.

    See Also:

    "Enabling SSL for Oracle Identity Manager By Using Custom Keystore" for information about enabling SSL for Oracle Identity Manager by using custom keystore
  3. If you are using WebLogic default trust store, you must not change anything other than enabling the SSL mode.

  4. If you have certificates other than default, then the trusted certificates should be exchanged between them to establish two-way trust. See "Signing the Certificates" and "Exporting the Certificate" for information about signing and exporting certificates.

    See Also:

    "Configuring SSL" in the Oracle Fusion Middleware Securing Oracle WebLogic Server for detailed information about configuring SSL for Oracle WebLogic Server
  5. If you are using a stand-alone client for sending SPML requests for testing purpose, then you must:

    1. Add the following system properties to SPML client command to send the request to SSL enabled OIM port.

      • Djavax.net.ssl.trustStore=D:\Oracle\Middleware1\wlserver_10.3\server\lib\DemoTrust.jks

        Note:

        Change the value of the Djavax.net.ssl.trustStore parameter to point to the truststore used to configure SSL.

        See "Configuring SSL for Design Console" for information about the location of the trust store used in WebLogic to configure SSL.

      • -Djava.protocol.handler.pkgs=weblogic.net

      • -Dweblogic.security.TrustKeyStore=DemoTrust

    2. Add webserviceclient+ssl.jar to your client classpath.

32.3.6 Enabling SSL for Oracle Identity Manager DB

You need to perform the following configurations to enable SSL for Oracle Identity Manager DB:

32.3.6.1 Setting Up DB in Server-Authentication SSL Mode

To set up DB in Server-Authentication SSL mode:

  1. Stop the DB server and the listener.

  2. Configuring the listener.ora file as follows:

    1. Navigate to the path:

      $DB_ORACLE_HOME/network/admin directory

      For example:

      /scratch/user1/production-database/product/11.1.0/db_1/network/admin

    2. Edit the listener.ora file to include SSL listening port and Server Wallet Location.

      The following is the sample listener.ora file:

      # listener.ora Network Configuration File: DB_HOME/listener.ora
      # Generated by Oracle configuration tools.
       
      SSL_CLIENT_AUTHENTICATION = FALSE
       
      WALLET_LOCATION =
        (SOURCE =
          (METHOD = FILE)
          (METHOD_DATA =
            (DIRECTORY = DB_HOME/server_keystore_ssl.p12)
          )
        )
       
      LISTENER =
        (DESCRIPTION_LIST =
          (DESCRIPTION =
            (ADDRESS = (PROTOCOL = TCPS)(HOST = server1.mycompany.com)(PORT = 2484))
          )
          (DESCRIPTION =
            (ADDRESS = (PROTOCOL = TCP)(HOST = server1.mycompany.com)(PORT = 1521))
          )
        )
       
      TRACE_LEVEL_LISTENER = SUPPORT
      
  3. Configure the sqlnet.ora file as follows:

    1. Navigate to the path:

      $DB_ORACLE_HOME/network/admin directory

      For example:

      /scratch/user1/production-database/product/11.1.0/db_1/network/admin

    2. Edit sqlnet.ora file to include:

      • TCPS Authentication Services

      • SSL_VERSION

      • Server Wallet Location

      • SSL_CLIENT_AUTHENTICATION type (either true or false)

      • SSL_CIPHER_SUITES that can be allowed in the communication (optional)

      The following is the sample sqlnet.ora file:

      # sqlnet.ora Network Configuration File: DB_HOME/sqlnet.ora
      # Generated by Oracle configuration tools.
       
      SQLNET.AUTHENTICATION_SERVICES= (BEQ, TCPS)
       
      SSL_VERSION = 3.0
       
      SSL_CLIENT_AUTHENTICATION = FALSE
       
      WALLET_LOCATION =
        (SOURCE =
          (METHOD = FILE)
          (METHOD_DATA =
            (DIRECTORY = DB_HOME/server_keystore_ssl.p12)
          )
        )
      
  4. Configure the tnsnames.ora file as follows:

    1. Navigate to the path:

      $DB_ORACLE_HOME/network/admin directory

      For example:

      /scratch/user1/production-database/product/11.1.0/db_1/network/admin

    2. Edit the tnsnames.ora file to include SSL listening port in the description list of the service.

      The following is the sample tnsnames.ora file:

      # tnsnames.ora Network Configuration File: DB_HOME/tnsnames.ora
      # Generated by Oracle configuration tools.
      
      PRODDB =
       (DESCRIPTION_LIST =
        (DESCRIPTION =
          (ADDRESS = (PROTOCOL = TCPS)(HOST = server1.mycompany.com)(PORT = 2484))
          (CONNECT_DATA =
            (SERVER = DEDICATED)
            (SERVICE_NAME = proddb)
          )
        )
        (DESCRIPTION =
          (ADDRESS = (PROTOCOL = TCP)(HOST = server1.mycompany.com)(PORT = 1521))
          (CONNECT_DATA =
            (SERVER = DEDICATED)
            (SERVICE_NAME = proddb)
          )
        )
       )
      
  5. Start/Stop utilities for DB server.

  6. Start the DB server.

32.3.6.2 Creating KeyStores and Certificates

You can create server side and client side KeyStores using the orapki utility. This utility will be shipped as a part of Oracle DB installation.

KeyStores could be of any format such as JKS and PKCS12. The format of keystore changes based on the provider implementation. For example, JKS is the implementation provided by Sun Oracle where as PKCS12 is implemented by OraclePKIProvider.

Only JKS client KeyStore is used in Oracle Identity Manager for DB server. This is because using non-JKS KeyStores format such as PKCS12 requires significant changes on the installer side at the critical release time. However, Oracle Identity Manager already has a KeyStore named default-KeyStore.jks, which is in JKS format.

The following are the KeyStores that you can create using orapki utility:

Creating a Root CA Wallet

To create a root certification authority (CA) wallet:

  1. Navigate to the following path:

    $DB_ORACLE_HOME/bin directory

  2. Create a wallet by using the command:

    ./orapki wallet create -wallet CA_keystore.p12 -pwd KEYSTORE_PASSWORD
    
  3. Add a self signed certificate to the CA wallet by using the command:

    ./orapki wallet add -wallet CA_keystore.p12 -dn 'CN=root_test,C=US' -keysize 2048 -self_signed -validity 3650 -pwd KEYSTORE_PASSWORD
    
  4. View the wallet using the command:

    ./orapki wallet display -wallet CA_keystore.p12 -pwd KEYSTORE_PASSWORD
    
  5. Export the self signed certificate from the CA wallet using the command:

    ./orapki wallet export -wallet CA_keystore.p12 -dn 'CN=root_test,C=US' -cert self_signed_CA.cert -pwd KEYSTORE_PASSWORD
    

Creating DB Server Side Wallet

To create a DB server side wallet:

  1. Create a server wallet using the command:

    ./orapki wallet create -wallet server_keystore_ssl.p12 -auto_login -pwd KEYSTORE_PASSWORD
    
  2. Add a certificate request to the server wallet using the command:

    ./orapki wallet add -wallet server_keystore_ssl.p12/ -dn 'CN=Customer,OU=Customer,O=Customer,L=City,ST=NY,C=US' -keysize 2048 -pwd KEYSTORE_PASSWORD
    
  3. Export the certificate request to a file, which will be used later for getting it signed using the root CA signature:

    ./orapki wallet export -wallet server_keystore_ssl.p12/ -dn 'CN=Customer,OU=Customer,O=Customer,L=City,ST=NY,C=US' -request server_creq.csr -pwd KEYSTORE_PASSWORD
    
  4. Get the server wallet's certificate request signed using the CA signature:

    ./orapki cert create -wallet CA_keystore.p12 -request server_creq.csr -cert server_creq_signed.cert -validity 3650 -pwd KEYSTORE_PASSWORD
    
  5. View the signed certificate using the command:

    /orapki cert display -cert server_creq_signed.cert -complete
    
  6. Import the trusted certificate in to the server wallet using the command:

    ./orapki wallet add -wallet server_keystore_ssl.p12 -trusted_cert -cert self_signed_CA.cert -pwd KEYSTORE_PASSWORD
    
  7. Import this newly created signed certificate (user certificate) to the server wallet using the command:

    ./orapki wallet add -wallet server_keystore_ssl.p12 -user_cert -cert server_creq_signed.cert -pwd KEYSTORE_PASSWORD
    

Creating Client Side Wallet

To create a client side (Oracle Identity Manager server) wallet:

  1. Create a client keystore using default-keystore.jks keystore which is populated in the following path:

    DOMAIN_HOME/config/fmwconfig

    Note:

    You can also use Oracle PKCS12 wallet as the client keystore.
  2. Import the self-signed CA trusted certificate that you have already exported using the server side commands, to the client keystore (default-keystore.jks) by using the command:

    JAVA_HOME/jre/bin/keytool -import -trustcacerts -alias dbtrusted -noprompt -keystore default-keystore.jks -file self_signed_CA.cert -storepass xellerate
    

32.3.6.3 Updating Oracle Identity Manager

You need to perform the following steps in Oracle Identity Manager to enable Oracle Identity Manager and Oracle Identity Manager DB in SSL mode for a secure communication:

  1. Import the trusted certificate into the default-keystore.jks keystore of Oracle Identity Manager.

  2. Log in to Enterprise Manager.

  3. Navigate to Identity and Access, OIM.

  4. Right click and navigate to System MBean Browser.

  5. Under Application Defined MBeans, navigate to oracle.iam, Application:oim, XMLConfig, Config, XMLConfig.DirectDBConfig, and DirectDB.

  6. Change the values for attributes "Sslenabled", "Url" and click Apply. If SSL mode is enabled for DB, then "Url" should contain TCPS enables and SSL port in it.

    For example:

    url="jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=my.domain.com)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=proddb)))"

  7. Restart the Oracle Identity Manager server.

32.3.6.4 Updating WebLogic Server

After enabling SSL for Oracle Identity Manager DB, you need to change the following Oracle Identity Manager datasources and authenticators to use DB SSL port:

Note:

Before performing changes to database host/port, you must shutdown the managed servers hosting Oracle Identity Manager application. However, you can keep the WebLogic Admin Server up and running.

Updating Datasource oimJMSStoreDS Configuration

To update the datasource oimJMSStoreDS configuration:

  1. Log in to WebLogic Server.

  2. Navigate to Services, JDBC, Data Sources, oimJMSStoreDS.

  3. Click the Connection Pool tab.

  4. Change the value of the URL to reflect the changes to SSl DB host/port, similar to the following example:

    jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=myhost.mydomain.com)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=myhost1.mydomain.com)))
    
  5. Update Properties to add the following SSL-related properties:

    javax.net.ssl.trustStore=DOMAIN_HOME/default-keystore.jks
    javax.net.ssl.trustStoreType=JKS
    EncryptionMethod=SSL
    oracle.net.ssl_version=3.0
    javax.net.ssl.trustStorePassword=PASSWORD
    

Updating Datasource oimOperationsDB Configuration

To update the Change Datasource oimOperationsDB Configuration:

  1. Log in to WebLogic Server.

  2. Navigate to Services, JDBC, Data Sources, oimJMSStoreDS.

  3. Click the Connection Pool tab.

  4. Change the value of the URL to reflect the changes to SSl DB host/port, similar to the following example:

    jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=myhost.mydomain.com)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=myhost1.mydomain.com)))
    
  5. Update Properties to add the following SSL-related properties:

    javax.net.ssl.trustStore=DOMAIN_HOME/default-keystore.jks
    javax.net.ssl.trustStoreType=JKS
    EncryptionMethod=SSL
    oracle.net.ssl_version=3.0
    javax.net.ssl.trustStorePassword=PASSWORD
    

Updating Datasource Related to Oracle Identity Manager MDS Configuration

To update datasource related to Oracle Identity Manager MDS configuration:

  1. Log in to WebLogic Server.

  2. Navigate to Services, JDBC, Data Sources, mds-oim.

  3. Click the Connection Pool tab.

  4. Change the value of the URL to reflect the changes to SSl DB host/port, similar to the following example:

    jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=myhost.mydomain.com)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=myhost1.mydomain.com)))
    
  5. Update Properties to add the following SSL-related properties:

    javax.net.ssl.trustStore=DOMAIN_HOME/default-keystore.jks
    javax.net.ssl.trustStoreType=JKS
    EncryptionMethod=SSL
    oracle.net.ssl_version=3.0
    javax.net.ssl.trustStorePassword=PASSWORD
    

    Note:

    You might have to perform similar updates for SOA/OWSM related datasources if required.

Updating Oracle Identity Manager Authenticators

The existing Oracle Identity Manager authenticators in the WebLogic server are configured against Non-SSL DB details and they do not use datasources for communicating with Oracle Identity Manager DB. In order to use SSL DB details in the authenticators, you must perform the following:

  1. Ensure that Datasources are configured to SSL.

  2. In WebLogic Administrative console, navigate to Security Realms, myrealm, Providers.

  3. Remove OIMAuthenticationProvider.

  4. Create an authentication provider of type "OIMAuthenticator" and mark the control flag as SUFFICIENT.

  5. Create an authentication provider of type "OIMSignatureAuthenticator" and mark the control flag as SUFFICIENT.

  6. Reorder the authenticators as:

    1. DefaultAuthenticator

    2. OIMAuthenticator

    3. OIMSignatureAuthenticator

    4. Other providers if any

  7. Restart all servers.

32.3.7 Enabling SSL for LDAP Synchronization

You need to perform the following configurations to enable Oracle Identity Manager to use SSL enabled Oracle Virtual Directory (OVD):

32.3.7.1 Enabling OVD-OID with SSL

To enable OVD-OID with SSL:

  1. Log in to the OVD EM console.

  2. Expand Identity and Access and navigate to ovd1, Administration, Listeners.

  3. Click Create and enter all the required fields.

    Note:

    You must select the Listener Type as LDAP.
  4. Click OK.

  5. Select the newly created LDAP listener and click Edit.

  6. In the Edit Listener - OIM SSL ENDPOINT page, edit the newly created LDAP listener.

  7. Click OK. The SSL Configuration page opens.

  8. Select the Enable SSL checkbox.

  9. In the Advanced SSL Settings section, for SSL Authentication, select No Authentication.

  10. Click OK.

  11. Stop and start the OVD server for the changes to take effect.

    Note:

    You must not use the restart option.

32.3.7.2 Updating Oracle Identity Manager for OVD Host/Port

When LDAPSync is enabled, Oracle Identity Manager connects with directory servers through OVD. It connects using ldap/ldaps protocol.

To change OVD host/port:

  1. Log in to Oracle Identity System Administration.

  2. Navigate to Advanced and click Manage IT Resource.

  3. Select IT Resource Type as Directory Server and click Search.

  4. In the IT Resource Directory Server, edit "server URL" to include SSL protocol and SSL port details.

  5. Ensure that Use SSL is set to true and click Update.

32.3.7.3 Enabling Managed WebLogic Server with SSL

To enable Managed WebLogic Server with SSL:

  1. In a text editor, open the startManagedWebLogic.sh file.

  2. Change the value of ADMIN_URL to point to a SSL URL, as shown in the following example:

    ADMIN_URL="https://myhost.mydomain.com:7002"
    
  3. Save the startManagedWebLogic.sh file.

  4. Start all servers.

32.4 Updating the WebLogic Administrator Server User Name (Optional)

If the user name for the WebLogic administrator for the domain is not weblogic, then you must update the WebLogic administrator user name by using Oracle Enterprise Manager. To do so:

  1. Update Oracle Identity Manager configuration as follows:

    1. Ensure that the Oracle Identity Manager Managed server is up and running.

    2. Log in to Oracle Enterprise Manager Fusion Middleware Control by using your WebLogic Server administrator credentials.

    3. Expand Identity and Access, oim. Right-click oim(11.1.2.0.0), and select System MBean Browser. The System MBean Browser page is displayed.

    4. Under Application Defined MBeans, select oracle.iam, Server:oim_server1, Application: oim, XMLConfig, config, XMLConfig.SOAConfig, SOAConfig.

    5. View the username attribute. By default, the value of the attribute is weblogic. Change this value to your WebLogic administrator user name.

    6. Click Apply.

    7. Change the WebLogic administrator credentials in the Credential Store as follows:

      i. Expand Weblogic Domain, DOMAIN_NAME. Right-click DOMAIN_NAME, and select Security, Credentials.

      ii. In the Credential Store Provider table, expand oim map.

      iii. Select the SOAAdminPassword key, and then click Edit.

      iv. Change the username and password to your WebLogic administrator's username and password.

      v. Click OK.

      vi. Exit the Oracle Enterprise Manager Fusion Middleware Control.

  2. Create a user in Oracle Identity Manager and assign the Administrators role to the user as follows:

    1. Log in to Oracle Identity Self Service with system administrator credentials.

    2. Create a new user with the user name of your WebLogic administrator.

    3. Click Add Rule.

    4. Select User Login from the Select Operand Value section, and click Add.

    5. In the Value box, enter the login ID of the WebLogic administrator.

    6. Click Add.

    7. Click Save.

    8. Click Apply and Evaluate.

    9. Add the newly created user (the one with your WebLogic administrator user name) as a member of the Administrators role.

    10. Restart Oracle Identity Manager, as described in "Starting the Stack" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

  3. Update the WebLogic Administrator user name in Foreign JNDI Provider as follows:

    1. Login to WebLogic Administrative Console.

    2. In the Domain Structure section, navigate to OIM_DOMAIN, Services, Foreign JNDI Providers.

    3. Click ForeignJNDIProvider-SOA.

    4. In the Configuration tab, verify that the General subtab is active.

    5. Provide the username of the weblogic user in the User name field.