11 Configuring Database Security Store for an Oracle Identity and Access Management Domain

This chapter explains how to configure the database security store for an Oracle Identity and Access Management domain.

This chapter includes the following topics:

  • Section 11.1, "Overview"

  • Section 11.2, "Before Configuring Database Security Store"

  • Section 11.3, "Configuring the Database Security Store"

  • Section 11.4, "Example Scenarios for Configuring the Database Security Store"

11.1 Overview

After you have configured the WebLogic Server Administration Domain for Oracle Identity and Access Management components, and before you start the Oracle WebLogic Administration Server for the first time, you must run the configureSecurityStore.py script to configure the Database Security Store. The Database Security Store is the only security store type supported by Oracle Identity and Access Management 11g Release 2 (11.1.2.3.0).

Note:

You must create different security stores if you are installing the same product on two different domains.

The configureSecurityStore.py script is located in the IAM_HOME\common\tools directory (on Windows) or the IAM_HOME/common/tools directory (on Linux or UNIX). Use the -h option to display help for the script. Note that not all of the listed arguments apply to configuring the Database Security Store.

For example:

On Windows:

MW_HOME\oracle_common\common\bin\wlst.cmd IAM_HOME\common\tools\configureSecurityStore.py -h

On Linux or UNIX:

MW_HOME/oracle_common/common/bin/wlst.sh IAM_HOME/common/tools/configureSecurityStore.py -h

Table 11-1 describes the parameters that you can specify on the command line.

Table 11-1 Database Security Store Configuration Parameters

Parameter Description

-d domaindir

Location of the directory containing the domain.

-m mode

create - Use create to create a new Database Security Store.

join - Use join to make the domain use an existing Database Security Store.

validate - Use validate to verify that the Database Security Store has been configured correctly. This mode checks the diagnostics data written when the Database Security Store was created.

validate_fix - Use validate_fix to repair the diagnostics data present in the Database Security Store.

fixjse - Use fixjse to update the domain's Database Security Store credentials that JSE tools use for access.

-c configmode

The configuration mode of the domain. When configuring the Database Security Store for Oracle Identity and Access Management, this value must be IAM.

Special Instructions for Oracle Entitlements Server Installation:

If you are an Oracle Entitlements Server user, the -c parameter is optional; when it is omitted, the default value is None.

Note: If the -c option is specified, the Oracle Entitlements Server Administration Server is configured in mixed mode, and it can only distribute policies to Security Modules in non-controlled mode and controlled pull mode.

For example: If the Oracle Entitlements Server Administration Server is deployed in a domain where other Oracle Identity and Access Management components (such as Oracle Identity Manager, Oracle Access Manager, Oracle Adaptive Access Manager, and Oracle Privileged Account Manager) are deployed, the domain is configured in mixed mode. In this case, the Oracle Entitlements Server Administration Server is used only for managing the Oracle Identity and Access Management policies; it should not be used to manage the policies of any other applications protected by Oracle Entitlements Server Security Modules.

If the -c option is not specified, the Oracle Entitlements Server Administration Server is configured in non-controlled mode, and it can distribute policies to Security Modules in controlled push mode.

For example: If you want to use the Oracle Entitlements Server Administration Server to manage custom applications that are protected by Oracle Entitlements Server Security Modules, deploy it in a domain with non-controlled distribution mode.

-p password

The OPSS schema password.

-k keyfilepath

The directory containing the encryption key file ewallet.p12. If -m join is specified, this option is mandatory.

-w keyfilepassword

The password used when the domain's key file was generated. If -m join is specified, this option is mandatory.

-u username

The user name of the OPSS schema. If -m fixjse is specified, this option is mandatory.


11.2 Before Configuring Database Security Store

Each Oracle Identity and Access Management 11g Release 2 (11.1.2.3.0) domain must be configured with a Database Security Store. Before you configure it, identify which products will be configured in the domain and whether you are deploying a single-domain or a multiple-domain scenario, because that decides whether the domain creates its own store (-m create) or joins the store of another domain in the same logical deployment (-m join).

11.3 Configuring the Database Security Store

The following configureSecurityStore.py options are available for configuring a domain to use the Database Security Store:

  • -m create

  • -m join

Configuring the Database Security Store Using Create Option

To configure a domain to use a database security store using the -m create option, you must run the configureSecurityStore.py script as follows:

On Windows:

MW_HOME\oracle_common\common\bin\wlst.cmd IAM_HOME\common\tools\configureSecurityStore.py -d DOMAIN_HOME -c IAM -p opss_schema_password -m create

For example:

MW_HOME\oracle_common\common\bin\wlst.cmd IAM_HOME\common\tools\configureSecurityStore.py -d \u01\oracle\admin\domains\base_domain -c IAM -p welcome1 -m create

On Linux or UNIX:

MW_HOME/oracle_common/common/bin/wlst.sh IAM_HOME/common/tools/configureSecurityStore.py -d DOMAIN_HOME -c IAM -p opss_schema_password -m create

For example:

MW_HOME/oracle_common/common/bin/wlst.sh IAM_HOME/common/tools/configureSecurityStore.py -d /u01/oracle/admin/domains/base_domain -c IAM -p welcome1 -m create

Configuring the Database Security Store Using the Join Option

To configure a domain to use the database security store using the -m join option, you must first export the domain encryption key from a domain in the same logical Oracle Identity and Access Management deployment already configured to work with the database security store, and then run the configureSecurityStore.py script as follows:

Note:

Exporting the domain encryption key from a domain already configured to work with the Database Security Store is done with the WLST command:

exportEncryptionKey(jpsConfigFile=jpsConfigFile, keyFilePath=keyFilePath, keyFilePassword=keyFilePassword)

where:

jpsConfigFile is the absolute location of the file jps-config.xml in the domain from which the encryption key is being exported.

keyFilePath is the directory where the file ewallet.p12 is created; note that the content of this file is encrypted and secured by keyFilePassword.

keyFilePassword is the password to secure the file ewallet.p12; note that this same password must be used when importing that file.

On Windows:

  1. Export encryption keys from a domain already configured to work with the Database Security Store as follows:

    MW_HOME\oracle_common\common\bin\wlst.cmd exportEncryptionKey(jpsConfigFile=jpsConfigFile, keyFilePath=keyFilePath, keyFilePassword=keyFilePassword)
    
  2. Run the configureSecurityStore.py script with -m join option.

    MW_HOME\oracle_common\common\bin\wlst.cmd IAM_HOME\common\tools\configureSecurityStore.py -d DOMAIN_HOME -c IAM -p opss_schema_password -m join -k keyfilepath -w keyfilepassword
    

For example:

MW_HOME\oracle_common\common\bin\wlst.cmd exportEncryptionKey(jpsConfigFile="\\u01\\oracle\\admin\\domains\\base_domain\\config\\fmwconfig\\jps-config.xml", keyFilePath="myDir\\key", keyFilePassword="password")
MW_HOME\oracle_common\common\bin\wlst.cmd IAM_HOME\common\tools\configureSecurityStore.py -d \u01\oracle\admin\domains\base_domain -c IAM -p welcome1 -m join -k myDir\key -w password

The directory passed with -k must be the same keyFilePath directory into which exportEncryptionKey wrote ewallet.p12, and the -w value must be the keyFilePassword used for that export.

On Linux or UNIX:

  1. Export encryption keys from a domain already configured to work with the Database Security Store as follows:

    MW_HOME/oracle_common/common/bin/wlst.sh exportEncryptionKey(jpsConfigFile=jpsConfigFile, keyFilePath=keyFilePath, keyFilePassword=keyFilePassword)
    
  2. Run the configureSecurityStore.py script with -m join option.

    MW_HOME/oracle_common/common/bin/wlst.sh IAM_HOME/common/tools/configureSecurityStore.py -d DOMAIN_HOME -c IAM -p opss_schema_password -m join -k keyfilepath -w keyfilepassword
    

For example:

MW_HOME/oracle_common/common/bin/wlst.sh exportEncryptionKey(jpsConfigFile="/u01/oracle/admin/domains/base_domain/config/fmwconfig/jps-config.xml", keyFilePath="myDir", keyFilePassword="password")
MW_HOME/oracle_common/common/bin/wlst.sh IAM_HOME/common/tools/configureSecurityStore.py -d /u01/oracle/admin/domains/base_domain -c IAM -p welcome1 -m join -k myDir -w password

Validating the Database Security Store Configuration

To validate whether the security store has been created or joined correctly, run the configureSecurityStore.py script with -m validate option, as follows:

On Windows:

MW_HOME\oracle_common\common\bin\wlst.cmd IAM_HOME\common\tools\configureSecurityStore.py -d DOMAIN_HOME -m validate

For example:

MW_HOME\oracle_common\common\bin\wlst.cmd IAM_HOME\common\tools\configureSecurityStore.py -d \u01\oracle\admin\domains\base_domain -m validate

On Linux or UNIX:

MW_HOME/oracle_common/common/bin/wlst.sh IAM_HOME/common/tools/configureSecurityStore.py -d DOMAIN_HOME -m validate

For example:

MW_HOME/oracle_common/common/bin/wlst.sh IAM_HOME/common/tools/configureSecurityStore.py -d /u01/oracle/admin/domains/base_domain -m validate
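
The following POSIX shell wrapper is an added example and is not part of the Oracle documentation or of the IAM tooling. It ties the create, join and validate invocations above together with the argument rules from Table 11-1: it refuses create or join without the OPSS schema password, refuses join unless -k and -w are given and an exported ewallet.p12 is present in the -k directory, and runs -m validate immediately after a create or join. The function names (dbss_check, dbss_run, dbss_configure), the WLST override variable and the sample paths are this example's own; MW_HOME and IAM_HOME are assumed to be set in the environment, as in the commands above.

```shell
#!/bin/sh
# Pre-flight wrapper for configureSecurityStore.py.
# Added example; not part of the Oracle documentation or the IAM tooling.
# Assumes MW_HOME and IAM_HOME are set as in the commands above. WLST may be
# set to override the wlst.sh path (for example WLST=echo for a dry run).

# dbss_check MODE DOMAIN_HOME [OPSS_PASSWORD] [KEYDIR] [KEYPASS]
# Enforces the argument rules of Table 11-1 before WLST touches the domain:
# -d always; -p for create and join; -k and -w, plus an exported ewallet.p12
# in the -k directory, for join. Returns 1 with the reason on stderr.
dbss_check() {
  mode=$1 domain=$2 opss_pw=$3 keydir=$4 keypw=$5
  [ -n "$domain" ] || { echo "-d DOMAIN_HOME is required" >&2; return 1; }
  [ -d "$domain/config/fmwconfig" ] ||
    { echo "$domain is not a WebLogic domain (no config/fmwconfig)" >&2; return 1; }
  # Heuristic only: servers/AdminServer/data appears once the Administration
  # Server has been started, and the store must be configured before that.
  if [ "$mode" != validate ] && [ -d "$domain/servers/AdminServer/data" ]; then
    echo "warning: $domain appears to have been started already" >&2
  fi
  case $mode in
    create)
      [ -n "$opss_pw" ] || { echo "create needs the OPSS schema password (-p)" >&2; return 1; } ;;
    join)
      [ -n "$opss_pw" ] || { echo "join needs the OPSS schema password (-p)" >&2; return 1; }
      [ -n "$keydir" ] && [ -n "$keypw" ] ||
        { echo "join needs -k keyfilepath and -w keyfilepassword" >&2; return 1; }
      [ -f "$keydir/ewallet.p12" ] ||
        { echo "no ewallet.p12 in $keydir; run exportEncryptionKey in the source domain first" >&2; return 1; } ;;
    validate) ;;
    *) echo "unsupported mode '$mode' (use create, join or validate)" >&2; return 1 ;;
  esac
}

# dbss_run MODE DOMAIN_HOME [OPSS_PASSWORD] [KEYDIR] [KEYPASS]
# Builds exactly the argument vector this chapter shows for MODE and hands it
# to WLST. Every value stays quoted, so a password containing spaces or shell
# metacharacters reaches the script intact instead of being re-split.
dbss_run() {
  dbss_check "$@" || return 1
  mode=$1 domain=$2 opss_pw=$3 keydir=$4 keypw=$5
  wlst=${WLST:-$MW_HOME/oracle_common/common/bin/wlst.sh}
  script=$IAM_HOME/common/tools/configureSecurityStore.py
  case $mode in
    create)   set -- -d "$domain" -c IAM -p "$opss_pw" -m create ;;
    join)     set -- -d "$domain" -c IAM -p "$opss_pw" -m join -k "$keydir" -w "$keypw" ;;
    validate) set -- -d "$domain" -m validate ;;
  esac
  "$wlst" "$script" "$@"
}

# dbss_configure MODE DOMAIN_HOME [OPSS_PASSWORD] [KEYDIR] [KEYPASS]
# Runs create or join and then -m validate in one go, so a half-configured
# store is caught before the Administration Server is started.
dbss_configure() {
  dbss_run "$@" || return 1
  dbss_run validate "$2"
}

# Usage (assumed paths, run on the host that owns the domain):
#   MW_HOME=/u01/oracle/middleware IAM_HOME=/u01/oracle/middleware/iam \
#   dbss_configure create /u01/oracle/admin/domains/base_domain "$OPSS_PW"
#   dbss_configure join /u01/oracle/admin/domains/oam_dom "$OPSS_PW" /u01/keys "$KEY_PW"
```

Because configureSecurityStore.py takes the OPSS schema password and the key file password as command-line arguments, both appear in the shell history and in process listings for as long as WLST runs; read them into variables from a non-echoing prompt rather than typing them literally, run the script from an account that is not shared, and do not reuse the documentation's welcome1 example value.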

11.4 Example Scenarios for Configuring the Database Security Store

Consider the following example scenarios:

11.4.1 Example Scenario for One or More Oracle Identity and Access Management Products in the Same Domain

Note:

In a single-domain scenario, the command to create the Database Security Store is executed once after the domain is created but before the domain is started for the first time.

Scenario 1: Oracle Identity Manager, Oracle Access Management, and Oracle Adaptive Access Manager in the same WebLogic Administration Domain Sharing the same Database Security Store

To achieve this, you must complete the following tasks:

  1. Create a new WebLogic domain for Oracle Identity Manager and SOA (for example, oim_dom) by completing the steps described in Table 4-1, "Configuration Flow for Oracle Identity Manager".

    After creating a new WebLogic domain for Oracle Identity Manager and SOA, run the configureSecurityStore.py script to configure the Database Security Store as follows:

    On Windows:

    MW_HOME\oracle_common\common\bin\wlst.cmd IAM_HOME\common\tools\configureSecurityStore.py -d \u01\oracle\admin\domains\oim_dom -c IAM -p welcome1 -m create
    

    On Linux or UNIX:

    MW_HOME/oracle_common/common/bin/wlst.sh IAM_HOME/common/tools/configureSecurityStore.py -d /u01/oracle/admin/domains/oim_dom -c IAM -p welcome1 -m create
    
  2. Extend the Oracle Identity Manager domain (oim_dom) to include Oracle Access Management and Oracle Adaptive Access Manager. For more information, see "Extend an Existing Domain."

    Oracle Access Management and Oracle Adaptive Access Manager are added to the Oracle Identity Manager domain (oim_dom), and they share the same Database Security Store used by the Oracle Identity Manager domain.

11.4.2 Example Scenarios for Oracle Identity and Access Management Products in Different Domains

Note:

In a multiple-domain scenario, the command to create the Database Security Store is executed once for the first domain, after that domain is created but before it is started for the first time.

For each subsequent domain, the script is likewise run once after the domain is created and before it is started for the first time: with -m create to give that domain its own Database Security Store, or with -m join to share the Database Security Store of a domain in the same logical Oracle Identity and Access Management deployment.

  • Scenario 1: Oracle Identity Manager and Oracle Access Management in different WebLogic Administration Domains with different Database Security Stores

    To achieve this, you must complete the following tasks:

    1. Create a new WebLogic domain for Oracle Identity Manager and SOA (for example, oim_dom) by completing the steps described in Table 4-1, "Configuration Flow for Oracle Identity Manager".

      After creating a new WebLogic domain for Oracle Identity Manager and SOA, run the configureSecurityStore.py script to configure the Database Security Store for the Oracle Identity Manager domain as follows:

      On Windows:

      MW_HOME\oracle_common\common\bin\wlst.cmd IAM_HOME\common\tools\configureSecurityStore.py -d \u01\oracle\admin\domains\oim_dom -c IAM -p welcome1 -m create
      

      On Linux or UNIX:

      MW_HOME/oracle_common/common/bin/wlst.sh IAM_HOME/common/tools/configureSecurityStore.py -d /u01/oracle/admin/domains/oim_dom -c IAM -p welcome1 -m create
      
    2. Create a new WebLogic domain for Oracle Access Management (for example oam_dom) by completing the steps described in Table 5-1, "Configuration Flow for Oracle Access Management".

      After creating a new WebLogic domain for Oracle Access Management, run the configureSecurityStore.py script to configure a separate Database Security Store for the Oracle Access Management domain as follows:

      On Windows:

      MW_HOME\oracle_common\common\bin\wlst.cmd IAM_HOME\common\tools\configureSecurityStore.py -d \u01\oracle\admin\domains\oam_dom -c IAM -p welcome1 -m create
      

      On Linux or UNIX:

      MW_HOME/oracle_common/common/bin/wlst.sh IAM_HOME/common/tools/configureSecurityStore.py -d /u01/oracle/admin/domains/oam_dom -c IAM -p welcome1 -m create
      
  • Scenario 2: Extend the Oracle Access Management Domain and its previously created Database Security Store to include Oracle Adaptive Access Manager

    To achieve this, extend the Oracle Access Management domain (oam_dom) to include Oracle Adaptive Access Manager. For more information, see "Extend an Existing Domain."

    Oracle Adaptive Access Manager is added to the Oracle Access Management domain (oam_dom), and they both share the same Database Security Store used by the Oracle Access Management domain.