This chapter explains how to configure the database security store for an Oracle Identity and Access Management domain.
After configuring the WebLogic Server Administration Domain for Oracle Identity and Access Management components, and before starting the Oracle WebLogic Administration Server, you must run the configureSecurityStore.py script to configure the Database Security Store. The Database Security Store is the only security store type supported by Oracle Identity and Access Management 11g Release 2 (11.1.2.3.0).
Note:
You must create different security stores if you are installing the same product on two different domains.
The configureSecurityStore.py script is located in the IAM_HOME\common\tools directory (on Windows) and in the IAM_HOME/common/tools directory (on Linux or UNIX). You can use the -h option for help information about using the script. Note that not all of the arguments listed by -h apply to configuring the Database Security Store.
For example:
On Windows:
MW_HOME\oracle_common\common\bin\wlst.cmd IAM_HOME\common\tools\configureSecurityStore.py -h
On Linux or UNIX:
MW_HOME/oracle_common/common/bin/wlst.sh IAM_HOME/common/tools/configureSecurityStore.py -h
Table 11-1 describes the parameters that you can specify on the command line.
Table 11-1 Database Security Store Configuration Parameters
Parameter | Description |
---|---|
-d | Location of the directory containing the domain (DOMAIN_HOME). |
-m | The operation to perform: create, join, or validate. |
-c | The configuration mode of the domain. When configuring the Database Security Store, this value must be specified as IAM. Special instructions for Oracle Entitlements Server installation: if the Oracle Entitlements Server Administration Server is deployed in the domain where other Oracle Identity and Access Management components (such as Oracle Identity Manager, Oracle Access Manager, Oracle Adaptive Access Manager, and Oracle Privileged Account Manager) are deployed, then the domain is configured in mixed mode. In this case, the Oracle Entitlements Server Administration Server is used for managing the Oracle Identity and Access Management policies only; it should not be used to manage the policies for any other applications protected by Oracle Entitlements Server Security Modules. If you want to use the Oracle Entitlements Server Administration Server to manage custom applications that are protected by Oracle Entitlements Server Security Modules, then the Oracle Entitlements Server Administration Server must be deployed in a domain with non-controlled distribution mode. |
-p | The OPSS schema password. |
-k | The directory containing the encryption key file (ewallet.p12). Used with -m join. |
-w | The password used when the domain's key file was generated. Used with -m join. |
-u | The user name of the OPSS schema. |
Each Oracle Identity and Access Management 11g Release 2 (11.1.2.3.0) domain must be configured to have a Database Security Store. Before you configure the Database Security Store for an Oracle Identity and Access Management 11g Release 2 (11.1.2.3.0) domain, you must identify the products to be configured in a single-domain scenario or in a multiple-domain scenario.
The following configureSecurityStore.py options are available for configuring the domain to use the Database Security Store:
-m create
-m join
Configuring the Database Security Store Using Create Option
To configure a domain to use a database security store using the -m create option, you must run the configureSecurityStore.py script as follows:
On Windows:
MW_HOME\oracle_common\common\bin\wlst.cmd IAM_HOME\common\tools\configureSecurityStore.py -d DOMAIN_HOME -c IAM -p opss_schema_password -m create
For example:
MW_HOME\oracle_common\common\bin\wlst.cmd IAM_HOME\common\tools\configureSecurityStore.py -d \u01\oracle\admin\domains\base_domain -c IAM -p welcome1 -m create
On Linux or UNIX:
MW_HOME/oracle_common/common/bin/wlst.sh IAM_HOME/common/tools/configureSecurityStore.py -d DOMAIN_HOME -c IAM -p opss_schema_password -m create
For example:
MW_HOME/oracle_common/common/bin/wlst.sh IAM_HOME/common/tools/configureSecurityStore.py -d /u01/oracle/admin/domains/base_domain -c IAM -p welcome1 -m create
Configuring the Database Security Store Using the Join Option
To configure a domain to use the database security store using the -m join option, you must first export the domain encryption key from a domain in the same logical Oracle Identity and Access Management deployment that is already configured to work with the database security store, and then run the configureSecurityStore.py script as follows:
Note:
Exporting the domain encryption key from a domain already configured to work with the Database Security Store is done via the WLST command:
exportEncryptionKey(jpsConfigFile=jpsConfigFile, keyFilePath=keyFilePath, keyFilePassword=keyFilePassword)
where:
jpsConfigFile is the absolute location of the file jps-config.xml in the domain from which the encryption key is being exported.
keyFilePath is the directory where the file ewallet.p12 is created; note that the content of this file is encrypted and secured by keyFilePassword. This same directory is what you pass as -k when joining the new domain.
keyFilePassword is the password to secure the file ewallet.p12; note that this same password must be used when importing that file (the -w option of configureSecurityStore.py).
On Windows:
Export encryption keys from a domain already configured to work with the Database Security Store as follows:
MW_HOME\oracle_common\common\bin\wlst.cmd exportEncryptionKey(jpsConfigFile=jpsConfigFile, keyFilePath=keyFilePath, keyFilePassword=keyFilePassword)
Run the configureSecurityStore.py script with the -m join option:
MW_HOME\oracle_common\common\bin\wlst.cmd IAM_HOME\common\tools\configureSecurityStore.py -d DOMAIN_HOME -c IAM -p opss_schema_password -m join -k keyfilepath -w keyfilepassword
For example:
MW_HOME\oracle_common\common\bin\wlst.cmd
exportEncryptionKey(jpsConfigFile="\\u01\\oracle\\admin\\domains\\base_domain\\config\\fmwconfig\\jps-config.xml", keyFilePath="myDir\\key", keyFilePassword="password")
MW_HOME\oracle_common\common\bin\wlst.cmd IAM_HOME\common\tools\configureSecurityStore.py -d \u01\oracle\admin\domains\base_domain -c IAM -p welcome1 -m join -k myDir\key -w password
On Linux or UNIX:
Export encryption keys from a domain already configured to work with the Database Security Store as follows:
MW_HOME/oracle_common/common/bin/wlst.sh exportEncryptionKey(jpsConfigFile=jpsConfigFile, keyFilePath=keyFilePath, keyFilePassword=keyFilePassword)
Run the configureSecurityStore.py script with the -m join option:
MW_HOME/oracle_common/common/bin/wlst.sh IAM_HOME/common/tools/configureSecurityStore.py -d DOMAIN_HOME -c IAM -p opss_schema_password -m join -k keyfilepath -w keyfilepassword
For example:
MW_HOME/oracle_common/common/bin/wlst.sh
exportEncryptionKey(jpsConfigFile="/u01/oracle/admin/domains/base_domain/config/fmwconfig/jps-config.xml", keyFilePath="myDir", keyFilePassword="password")
MW_HOME/oracle_common/common/bin/wlst.sh IAM_HOME/common/tools/configureSecurityStore.py -d /u01/oracle/admin/domains/base_domain -c IAM -p welcome1 -m join -k myDir -w password
Validating the Database Security Store Configuration
To validate whether the security store has been created or joined correctly, run the configureSecurityStore.py script with the -m validate option, as follows:
On Windows:
MW_HOME\oracle_common\common\bin\wlst.cmd IAM_HOME\common\tools\configureSecurityStore.py -d DOMAIN_HOME -m validate
For example:
MW_HOME\oracle_common\common\bin\wlst.cmd IAM_HOME\common\tools\configureSecurityStore.py -d \u01\oracle\admin\domains\base_domain -m validate
On Linux or UNIX:
MW_HOME/oracle_common/common/bin/wlst.sh IAM_HOME/common/tools/configureSecurityStore.py -d DOMAIN_HOME -m validate
For example:
MW_HOME/oracle_common/common/bin/wlst.sh IAM_HOME/common/tools/configureSecurityStore.py -d /u01/oracle/admin/domains/base_domain -m validate
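The create, join and validate steps above all end in the same observable state: the domain's jps-config.xml must point its default jpsContext at DB-backed policy, credential and key store instances. The following Python module is an added example, not Oracle's code and not the configureSecurityStore.py WLST script itself; it is a second, independent check you can run on DOMAIN_HOME/config/fmwconfig/jps-config.xml after -m create or -m join, or when -m validate fails and you want to see which store is still file-based. The element names it relies on (jpsContexts/@default, serviceInstanceRef/@ref, serviceInstance/@provider, serviceProvider/@type) and the property names policystore.type, credstore.type, keystore.type and datasource.jndi.name are assumptions about the OPSS 11g file layout; the two XML samples are constructed for the example.

```python
"""Report which security store a domain's jps-config.xml actually uses.

Added example (not Oracle's code). Reads DOMAIN_HOME/config/fmwconfig/jps-config.xml
and reports, for the default jpsContext, whether the policy, credential and key
store instances are DB-backed, which is what '-m create' / '-m join' should leave
behind and what '-m validate' checks. Element and property names are assumptions
about the OPSS 11g layout; the samples at the bottom are constructed.
"""
import sys
import xml.etree.ElementTree as ET

JPS_NS = {"jps": "http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd"}

# serviceProvider/@type -> property naming the backing store type (assumed names)
TYPE_PROPERTY = {
    "POLICY_STORE": "policystore.type",
    "CREDENTIAL_STORE": "credstore.type",
    "KEY_STORE": "keystore.type",
}


def default_context_instances(jps_config_text):
    """Resolve the default jpsContext's serviceInstanceRefs to {service type: element}."""
    root = ET.fromstring(jps_config_text)
    providers = {p.get("name"): p.get("type")
                 for p in root.iterfind("jps:serviceProviders/jps:serviceProvider", JPS_NS)}
    instances = {i.get("name"): i
                 for i in root.iterfind("jps:serviceInstances/jps:serviceInstance", JPS_NS)}
    contexts = root.find("jps:jpsContexts", JPS_NS)
    if contexts is None:
        raise ValueError("no <jpsContexts> element in jps-config.xml")
    default_name = contexts.get("default")
    chosen = {}
    for ctx in contexts.iterfind("jps:jpsContext", JPS_NS):
        if ctx.get("name") != default_name:
            continue
        for ref in ctx.iterfind("jps:serviceInstanceRef", JPS_NS):
            inst = instances.get(ref.get("ref"))
            if inst is None:
                raise ValueError("dangling serviceInstanceRef %r" % ref.get("ref"))
            svc_type = providers.get(inst.get("provider"))
            if svc_type is None:
                raise ValueError("instance %r uses unknown provider %r"
                                 % (inst.get("name"), inst.get("provider")))
            chosen[svc_type] = inst
    return chosen


def security_store_report(jps_config_text):
    """Per store type: the instance the default context uses and whether it is DB-backed."""
    chosen = default_context_instances(jps_config_text)
    report = {}
    for svc_type, type_prop in TYPE_PROPERTY.items():
        inst = chosen.get(svc_type)
        if inst is None:  # store not wired into the default context at all
            report[svc_type] = {"instance": None, "store_type": None,
                                "datasource": None, "db_backed": False}
            continue
        props = {p.get("name"): p.get("value") for p in inst.iterfind("jps:property", JPS_NS)}
        store_type = props.get(type_prop)  # absent on file-based instances
        report[svc_type] = {"instance": inst.get("name"), "store_type": store_type,
                            "datasource": props.get("datasource.jndi.name"),
                            "db_backed": store_type == "DB"}
    return report


def uses_database_security_store(jps_config_text):
    """True only when policy, credential and key store are all DB-backed in the default context."""
    return all(e["db_backed"] for e in security_store_report(jps_config_text).values())


# Constructed sample skeleton: providers and both file-based and DB-backed instances;
# only the refs in the default context differ between "before" and "after".
_TEMPLATE = """<jpsConfig xmlns="http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd">
  <serviceProviders>
    <serviceProvider type="CREDENTIAL_STORE" name="credstoressp" class="example.CredStore"/>
    <serviceProvider type="POLICY_STORE" name="policystore.provider" class="example.PolicyStore"/>
    <serviceProvider type="KEY_STORE" name="keystore.provider" class="example.KeyStore"/>
  </serviceProviders>
  <serviceInstances>
    <serviceInstance name="credstore" provider="credstoressp" location="./"/>
    <serviceInstance name="policystore.xml" provider="policystore.provider" location="./system-jazn-data.xml"/>
    <serviceInstance name="credstore.db" provider="credstoressp">
      <property name="credstore.type" value="DB"/>
      <property name="datasource.jndi.name" value="jdbc/OpssDS"/>
    </serviceInstance>
    <serviceInstance name="policystore.db" provider="policystore.provider">
      <property name="policystore.type" value="DB"/>
      <property name="datasource.jndi.name" value="jdbc/OpssDS"/>
    </serviceInstance>
    <serviceInstance name="keystore.db" provider="keystore.provider">
      <property name="keystore.type" value="DB"/>
      <property name="datasource.jndi.name" value="jdbc/OpssDS"/>
    </serviceInstance>
  </serviceInstances>
  <jpsContexts default="default">
    <jpsContext name="default">
{refs}
    </jpsContext>
    <jpsContext name="bootstrap_credstore_context">
      <serviceInstanceRef ref="credstore"/>
    </jpsContext>
  </jpsContexts>
</jpsConfig>
"""


def _sample(*refs):
    return _TEMPLATE.format(refs="\n".join('      <serviceInstanceRef ref="%s"/>' % r for r in refs))


DB_BACKED_SAMPLE = _sample("credstore.db", "policystore.db", "keystore.db")  # after -m create/join
FILE_BACKED_SAMPLE = _sample("credstore", "policystore.xml")                  # freshly created domain

if __name__ == "__main__":
    # Usage: python check_security_store.py DOMAIN_HOME/config/fmwconfig/jps-config.xml
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else DB_BACKED_SAMPLE
    for svc, entry in security_store_report(text).items():
        print(svc, entry)
    print("database security store:", uses_database_security_store(text))
```

Run it against a freshly created domain and the report shows the file-based instances (policystore.xml, credstore with no store type); after -m create or -m join the same file should resolve every store to a DB instance with the OPSS data source. A False result is the point to stop before starting the Administration Server for the first time, since the page notes the store must be configured before the first start.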
Consider the following example scenarios:
Example Scenario for One or More Oracle Identity and Access Management Products in the Same Domain
Example Scenarios for Oracle Identity and Access Management Products in Different Domains
Note:
In a single-domain scenario, the command to create the Database Security Store is executed once after the domain is created but before the domain is started for the first time.
Scenario 1: Oracle Identity Manager, Oracle Access Management, and Oracle Adaptive Access Manager in the same WebLogic Administration Domain Sharing the same Database Security Store
To achieve this, you must complete the following tasks:
Create a new WebLogic domain for Oracle Identity Manager and SOA (for example, oim_dom) by completing the steps described in Table 4-1, "Configuration Flow for Oracle Identity Manager".
After creating a new WebLogic domain for Oracle Identity Manager and SOA, run the configureSecurityStore.py script to configure the Database Security Store as follows:
On Windows:
MW_HOME\oracle_common\common\bin\wlst.cmd IAM_HOME\common\tools\configureSecurityStore.py -d \u01\oracle\admin\domains\oim_dom -c IAM -p welcome1 -m create
On Linux or UNIX:
MW_HOME/oracle_common/common/bin/wlst.sh IAM_HOME/common/tools/configureSecurityStore.py -d /u01/oracle/admin/domains/oim_dom -c IAM -p welcome1 -m create
Extend the Oracle Identity Manager domain (oim_dom) to include Oracle Access Management and Oracle Adaptive Access Manager. For more information, see "Extend an Existing Domain."
Oracle Access Management and Oracle Adaptive Access Manager are added to the Oracle Identity Manager domain (oim_dom), and they share the same Database Security Store used by the Oracle Identity Manager domain.
Note:
In a multiple-domain scenario, the command to create the Database Security Store is executed once after the first domain is created but before the domain is started for the first time. For each subsequent domain, the command to create a new Database Security Store is executed once after the domain is created but before the domain is started for the first time.
Scenario 1: Oracle Identity Manager and Oracle Access Management in different WebLogic Administration Domains with different Database Security Stores
To achieve this, you must complete the following tasks:
Create a new WebLogic domain for Oracle Identity Manager and SOA (for example, oim_dom) by completing the steps described in Table 4-1, "Configuration Flow for Oracle Identity Manager".
After creating a new WebLogic domain for Oracle Identity Manager and SOA, run the configureSecurityStore.py script to configure the Database Security Store for the Oracle Identity Manager domain as follows:
On Windows:
MW_HOME\oracle_common\common\bin\wlst.cmd IAM_HOME\common\tools\configureSecurityStore.py -d \u01\oracle\admin\domains\oim_dom -c IAM -p welcome1 -m create
On Linux or UNIX:
MW_HOME/oracle_common/common/bin/wlst.sh IAM_HOME/common/tools/configureSecurityStore.py -d /u01/oracle/admin/domains/oim_dom -c IAM -p welcome1 -m create
Create a new WebLogic domain for Oracle Access Management (for example, oam_dom) by completing the steps described in Table 5-1, "Configuration Flow for Oracle Access Management".
After creating a new WebLogic domain for Oracle Access Management, run the configureSecurityStore.py script to configure a separate Database Security Store for the Oracle Access Management domain as follows:
On Windows:
MW_HOME\oracle_common\common\bin\wlst.cmd IAM_HOME\common\tools\configureSecurityStore.py -d \u01\oracle\admin\domains\oam_dom -c IAM -p welcome1 -m create
On Linux or UNIX:
MW_HOME/oracle_common/common/bin/wlst.sh IAM_HOME/common/tools/configureSecurityStore.py -d /u01/oracle/admin/domains/oam_dom -c IAM -p welcome1 -m create
Scenario 2: Extend the Oracle Access Management Domain and its previously created Database Security Store to include Oracle Adaptive Access Manager
To achieve this, extend the Oracle Access Management domain (oam_dom) to include Oracle Adaptive Access Manager. For more information, see "Extend an Existing Domain."
Oracle Adaptive Access Manager is added to the Oracle Access Management domain (oam_dom), and they both share the same Database Security Store used by the Oracle Access Management domain.