6 Configuring Oracle Adaptive Access Manager

This chapter explains how to configure Oracle Adaptive Access Manager.

It includes the following topics:

6.1 Overview

For Oracle Identity and Access Management 11g Release 2 (11.1.2.3.0), Oracle Adaptive Access Manager includes two components:

  • Oracle Adaptive Access Manager (Online)

  • Oracle Adaptive Access Manager (Offline)

Note:

Oracle Adaptive Access Manager (Offline) is included in the Oracle Identity and Access Management Suite. When you are installing Oracle Identity and Access Management 11g Release 2 (11.1.2.3.0), Oracle Adaptive Access Manager (Offline) is also installed along with Oracle Adaptive Access Manager. For configuring Oracle Adaptive Access Manager (Offline), see Section 6.5, "Configuring Oracle Adaptive Access Manager (Offline)".

6.2 Important Note Before You Begin

Before you start configuring Oracle Adaptive Access Manager, note that IAM_HOME is used to refer to the Oracle Home directory that includes Oracle Identity Manager, Oracle Access Management, Oracle Adaptive Access Manager, Oracle Entitlements Server, Oracle Privileged Account Manager, Oracle Access Management Mobile and Social, and Oracle Mobile Security Suite. You can specify any path for this Oracle Home directory.

6.3 Configuration Roadmap for Oracle Adaptive Access Manager

Table 6-1 lists the tasks for configuring Oracle Adaptive Access Manager.

Table 6-1 Configuration Flow for Oracle Adaptive Access Manager

No. / Task / Description

  1. Run the Oracle Fusion Middleware Configuration Wizard to configure your Oracle Identity and Access Management products in a new or existing WebLogic domain.

    This chapter describes the following configuration scenarios:

  2. Configure the Database Security Store.

    For more information, see Section 6.6, "Configuring the Database Security Store".

  3. Start the servers.

    You must start the Administration Server and all Managed Servers. For more information, see Section 6.7, "Starting the Servers".

  4. Complete the post-installation tasks.

    Complete the following post-installation tasks:

6.4 Oracle Adaptive Access Manager in a New WebLogic Domain

This topic describes how to configure Oracle Adaptive Access Manager in a new WebLogic administration domain. It includes the following sections:

6.4.1 Appropriate Deployment Environment

Perform the configuration in this topic if you want to install Oracle Adaptive Access Manager in an environment where you might install other Oracle Identity and Access Management 11g components, such as Oracle Access Management or Oracle Identity Manager, at a later time in the same domain.

6.4.2 Components Deployed

Performing the configuration in this section deploys the following:

  • WebLogic Administration Server

  • Managed Servers for Oracle Adaptive Access Manager, depending on the Oracle Adaptive Access Manager Domain Configuration template you choose.

  • Oracle Adaptive Access Manager Console on the Administration Server.

6.4.3 Dependencies

The configuration in this section depends on the following:

6.4.4 Procedure

Perform the following steps to configure only Oracle Adaptive Access Manager in a new WebLogic domain:

  1. Start the Oracle Fusion Middleware Configuration Wizard by running the IAM_HOME/common/bin/config.sh script (on Linux or UNIX), or IAM_HOME\common\bin\config.cmd (on Windows).

    The Welcome screen of the Oracle Fusion Middleware Configuration Wizard appears.

    Note:

    IAM_HOME is used as an example here. You must run this script from your Oracle Identity and Access Management Home directory that contains Oracle Identity Manager, Oracle Access Management, Oracle Adaptive Access Manager, Oracle Entitlements Server, Oracle Privileged Account Manager, Oracle Access Management Mobile and Social, and Oracle Mobile Security Suite.

  2. On the Welcome screen, select the Create a new WebLogic domain option. Click Next. The Select Domain Source screen appears.

  3. On the Select Domain Source screen, ensure that the Generate a domain configured automatically to support the following products: option is selected. Select Oracle Adaptive Access Manager Admin Server - 11.1.2.0.0 [IAM_HOME].

    In addition, you can select the following:

    • Oracle Adaptive Access Manager - Server - 11.1.2.0.0 [IAM_HOME]

    • Oracle Adaptive Access Manager Offline - 11.1.2.0.0 [IAM_HOME]

    Note:

    When you select the Oracle Adaptive Access Manager Admin Server - 11.1.2.0.0 [IAM_HOME] option, the following options are also selected, by default:

    • Oracle Enterprise Manager 11.1.1.0 [oracle_common]

    • Oracle Platform Security Service 11.1.1.0 [IAM_HOME]

    • Oracle JRF 11.1.1.0 [oracle_common]

    • Oracle OPSS Metadata for JRF 11.1.1.0 [oracle_common]

    When you select the Oracle Adaptive Access Manager - Server - 11.1.2.0.0 [IAM_HOME] option, in addition to the templates mentioned above, Oracle WSM Policy Manager - 11.1.1.0 [oracle_common] is also selected, by default.

    Click Next. The Select Domain Name and Location screen appears.

  4. Enter a name and a location for the domain to be created, and click Next. The Configure Administrator User Name and Password screen appears.

    Note:

    The default locations for the domain home and application home are MW_HOME/user_projects/domains and MW_HOME/user_projects/applications, respectively. However, it is recommended that you create your domain and application home directories outside of both the Middleware home and Oracle home.

  5. Configure a user name and a password for the administrator. The default user name is weblogic. Click Next.

  6. The Configure Server Start Mode and JDK screen appears. Choose a JDK from the Available JDKs and select a mode under WebLogic Domain Startup Mode. Click Next.

  7. On the Configure JDBC Component Schema screen, select a component schema, such as the OAAM Admin Schema, the OPSS Schema, or the OAAM Admin MDS Schema, that you want to modify.

    You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears.

    If the test fails, click Previous, correct the issue, and try again.

    After the test succeeds, click Next. The Select Optional Configuration screen appears.

  8. On the Select Optional Configuration screen, you can configure the Administration Server, Managed Servers, Clusters and Machines, Deployments and Services, and RDBMS Security Store. Select the relevant check boxes and click Next.

  9. Optional: Configure the following Administration Server parameters:

    • Name

    • Listen address

    • Listen port

    • SSL listen port

    • SSL enabled or disabled

  10. Optional: Configure Managed Servers, as required.

    Note:

    For more information, see "Configure Managed Servers" in Creating Domains Using the Configuration Wizard.

  11. Optional: Configure Clusters, as required.

    Note:

    For more information about configuring clusters for Oracle Identity and Access Management components, see the "Configuring High Availability for Oracle Identity and Access Management Components" topic in the High Availability Guide.

  12. Optional: Assign Managed Servers to Clusters, as required.

  13. Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.

    Tip:

    Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.

  14. Optional: Assign the Administration Server to a machine.

  15. Optional: Assign the newly created Managed Servers to a machine.

  16. Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.

  17. Optional: Configure RDBMS Security Store, as required.

  18. On the Configuration Summary screen, review the domain configuration, and click Create to start creating the domain.

By default, a new WebLogic domain to support Oracle Adaptive Access Manager is created in the MW_HOME\user_projects\domains directory (on Windows). On Linux or UNIX, the domain is created in the MW_HOME/user_projects/domains directory, by default.

6.5 Configuring Oracle Adaptive Access Manager (Offline)

This topic describes how to configure Oracle Adaptive Access Manager (Offline) in a new WebLogic domain. It includes the following topics:

6.5.1 Components Deployed

Performing the configuration in this section deploys the following:

  • WebLogic Administration Server

  • Oracle Adaptive Access Manager (Offline) application on the Oracle Adaptive Access Manager Managed Server

6.5.2 Dependencies

The configuration in this section depends on the following:

6.5.3 Procedure

Perform the following steps to configure Oracle Adaptive Access Manager (Offline) in a new WebLogic domain:

  1. Start the Oracle Fusion Middleware Configuration Wizard by running the IAM_HOME/common/bin/config.sh script (on Linux or UNIX), or IAM_HOME\common\bin\config.cmd (on Windows).

    The Welcome screen of the Oracle Fusion Middleware Configuration Wizard appears.

  2. On the Welcome screen, select the Create a new WebLogic domain option. Click Next. The Select Domain Source screen appears.

  3. On the Select Domain Source screen, ensure that the Generate a domain configured automatically to support the following products: option is selected. Select Oracle Adaptive Access Manager Offline - 11.1.2.0.0 [IAM_HOME].

    Note:

    When you select the Oracle Adaptive Access Manager Offline - 11.1.2.0.0 [IAM_HOME] option, the following options are also selected, by default:

    • Oracle Enterprise Manager 11.1.1.0 [oracle_common]

    • Oracle Platform Security Service 11.1.1.0 [IAM_HOME]

    • Oracle JRF 11.1.1.0 [oracle_common]

    • Oracle OPSS Metadata for JRF 11.1.1.0 [oracle_common]

    Click Next. The Specify Domain Name and Location screen appears.

  4. Enter a name and a location for the domain to be created, and click Next. The Configure Administrator User Name and Password screen appears.

  5. Configure a user name and a password for the administrator. The default user name is weblogic. Click Next. The Configure Server Start Mode and JDK screen appears.

  6. Choose a JDK and Production Mode in the Configure Server Start Mode and JDK screen. Click Next. The Configure JDBC Component Schema screen is displayed.

  7. On the Configure JDBC Component Schema screen, select a component schema, such as the OAAM Offline Schema, the OPSS Schema, or the OAAM Admin MDS Schema that you want to modify. You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears.

    If the test fails, click Previous, correct the issue, and try again.

    After the test succeeds, click Next. The Select Optional Configuration screen appears.

  8. On the Select Optional Configuration screen, you can configure the Administration Server, Managed Servers, Clusters, Machines, Deployments and Services, and RDBMS Security Store. Select the relevant check boxes and click Next.

    • Optional: Configure the following Administration Server parameters:

      • Name

      • Listen Address

      • Listen Port

      • SSL Listen Port

      • SSL Enabled

    • Optional: Add and configure Managed Servers, as required.

    • Optional: Configure Clusters, as required.

      For more information about configuring clusters for Oracle Identity and Access Management products, see the "Configuring High Availability for Oracle Identity and Access Management Components" topic in the High Availability Guide.

    • Optional: Assign Managed Servers to clusters, as required.

    • Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.

      Tip:

      Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.

    • Optional: Assign the Administration Server to a machine.

    • Optional: Assign the newly created Managed Server to a machine.

    • Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.

    • Optional: Configure RDBMS Security Store Database, as required.

  9. On the Configuration Summary screen, review the domain configuration, and click Create to start creating the domain.

By default, a new WebLogic domain to support Oracle Adaptive Access Manager (Offline) is created in the MW_HOME\user_projects\domains directory (on Windows). On Linux or UNIX, the domain is created in the MW_HOME/user_projects/domains directory, by default.

6.6 Configuring the Database Security Store

After configuring Oracle Adaptive Access Manager in a new WebLogic administration domain and before starting the Oracle WebLogic Administration Server, you must configure the Database Security Store by running the configureSecurityStore.py script. For more information, see Chapter 11, "Configuring Database Security Store for an Oracle Identity and Access Management Domain."

6.7 Starting the Servers

After installing and configuring Oracle Adaptive Access Manager, you must start the Oracle WebLogic Administration Server and the various Managed Servers, as described in Appendix C, "Starting the Stack". Ensure that you start the Oracle Adaptive Access Manager Administration Server before starting the Managed Servers.

6.8 Post-Installation Steps

After installing and configuring Oracle Adaptive Access Manager, you must complete the following tasks:

  1. Create Oracle WebLogic Server Users as follows:

    1. Log in to the Oracle WebLogic Administration Console for your WebLogic administration domain.

    2. Click Security Realms, and then click your security realm.

    3. Click the Users and Groups tab, and then click the Users tab under it.

    4. Create a user, such as user1, in the security realm.

    5. Assign the user user1 to the rule administrators and environment administrators groups.

  2. Set up and back up Oracle Adaptive Access Manager Encryption Keys, as described in the "Setting Up Encryption and Database Credentials for OAAM" topic in Administering Oracle Adaptive Access Manager. Ensure that you have a backup of the Oracle Adaptive Access Manager Encryption Keys; they are required if you want to recreate the Oracle Adaptive Access Manager domain.

  3. Import Snapshot of Policies as follows:

    A full snapshot of policies, dependent components and configurations is shipped with Oracle Adaptive Access Manager. The snapshot is in the oaam_base_snapshot.zip file and located in the IAM_HOME/oaam/init directory.

    It contains the following items that must be imported into Oracle Adaptive Access Manager:

    • Challenge questions for English (United States)

      During registration, which could be enrollment, opening a new account, or another event such as a reset, the user selects different questions from a list of questions and enters answers to them. These questions, called challenge questions, are used to authenticate users.

      Questions for the languages you want to support must be in the system before users can be asked to register. These questions may also be required to log in to Oracle Adaptive Access Manager Server.

    • Entity definitions

      The actors that are tracked during authentication are called authentication entities and include user, city, device, and so on. These base entities are required to enable conditions that are used for patterns.

    • Out-of-the-box patterns

      Patterns are used by Oracle Adaptive Access Manager to either define one bucket or dynamically create buckets. Oracle Adaptive Access Manager collects data and populates these buckets with members based on pattern parameters, and rules perform risk evaluations on dynamically changing membership and distributions of the buckets.

    • Out-of-the-box configurable actions

      Configurable actions are actions that are triggered based on the result action or risk scoring or both after a checkpoint execution. The configurable actions are built using action templates.

      Note:

      If you are upgrading from Oracle Adaptive Access Manager 10.1.4.5 to Oracle Adaptive Access Manager 11g, you will notice that the names and descriptions of the out-of-the-box action templates differ slightly, because the action templates in Oracle Adaptive Access Manager 11g are globalized.

    • Out-of-the-box policies

      Policies are designed to help evaluate and handle business activities or potentially risky activities that are encountered in day-to-day operation.

    • Any groups

      Collections of items used in rules, user groups, and action and alert groups are shipped with Oracle Adaptive Access Manager.

    Notes:

    • If you need to customize any properties, you should import the snapshot into your new test system, make the changes, export the snapshot, and import it into your new system. Alternatively, you can import the snapshot on the new system and make the property changes directly, thereby eliminating the test system completely.

    To upgrade individual policies, components, or configurations, perform a backup and then import the corresponding separate file. The following files are available:

    • Default questions are shipped in the oaam_kba_questions_<locale>.zip files, which are located in the IAM_HOME/oaam/init/kba_questions directory. The locale identifier <locale> specifies the language version.

    • Base policies are shipped in the oaam_sample_policies_for_uio_integration.zip file, which is located in the IAM_HOME/oaam/init directory.

    • Configurable action templates are shipped in the OOTB_Configurable_Actions.zip file, which is located in the IAM_HOME/oaam/init directory.

    • Base-authentication required entities are shipped in the Auth_EntityDefinition.zip file, which is located in the IAM_HOME/oaam/init directory.

    Note:

    For more information about policies, see the "Importing the OAAM Snapshot" and "Managing Policies, Rules, and Conditions" topics in Administering Oracle Adaptive Access Manager.

  4. Load Location Data into the Oracle Adaptive Access Manager database as follows:

    1. Configure the IP Location Loader script, as described in the topics "OAAM Command Line Interface Scripts" and "Importing IP Location Data" in Administering Oracle Adaptive Access Manager.

    2. Make a copy of the sample.bharosa_location.properties file, which is located under the IAM_HOME/oaam/cli directory (on Linux or UNIX). On Windows, the sample.bharosa_location.properties file is located under the IAM_HOME\oaam\cli directory.

      Enter location data details in the location.data properties, as in the following examples:

      On Windows:

      location.data.provider=quova

      location.data.file=\\tmp\\quova\\EDITION_Gold_2008-07-22_v374.dat.gz

      location.data.ref.file=\\tmp\\quova\\EDITION_Gold_2008-07-22_v374.ref.gz

      location.data.anonymizer.file=\\tmp\\quova\\anonymizers_2008-07-09.dat.gz

      On Linux or UNIX:

      location.data.provider=quova

      location.data.file=/tmp/quova/EDITION_Gold_2008-07-22_v374.dat.gz

      location.data.ref.file=/tmp/quova/EDITION_Gold_2008-07-22_v374.ref.gz

      location.data.anonymizer.file=/tmp/quova/anonymizers_2008-07-09.dat.gz

    3. Run the loader on the command line as follows:

      On Windows: loadIPLocationData.cmd

      On Linux or UNIX: ./loadIPLocationData.sh

      Ensure that the Oracle Middleware Home (MW_HOME) environment variable is set before running the loadIPLocationData script.
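As a pre-flight check before running the loader (an added example, not part of the Oracle documentation or the OAAM CLI), the following POSIX shell function reads a bharosa_location.properties-style file and verifies the conditions the loader depends on: MW_HOME is set, location.data.provider is present, and each location.data.*.file entry points to a readable file. The property names are the ones shown above; the function names and the script file name are assumptions.

```shell
#!/bin/sh
# check_location_props.sh (assumed name): pre-flight check for the IP Location
# Loader configuration. Exits 0 when the properties file is ready for
# loadIPLocationData, 1 otherwise, printing every problem found to stderr.

# Print the value of property $2 from properties file $1 (first match only).
# Dots in the key are escaped so that "location.data.file" does not also
# match unrelated keys; surrounding whitespace (and a trailing CR) is stripped.
get_prop() {
    key_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*${key_re}[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*$//' | head -n 1
}

# Verify a properties file; returns 0 if all checks pass, 1 otherwise.
check_location_props() {
    props="$1"
    status=0

    if [ ! -r "$props" ]; then
        echo "ERROR: properties file not readable: $props" >&2
        return 1
    fi

    # loadIPLocationData requires the Middleware home to be set.
    if [ -z "${MW_HOME:-}" ]; then
        echo "ERROR: MW_HOME is not set" >&2
        status=1
    fi

    provider=$(get_prop "$props" location.data.provider)
    if [ -z "$provider" ]; then
        echo "ERROR: location.data.provider is not set" >&2
        status=1
    fi

    # Every data file referenced by the loader must exist and be readable.
    for key in location.data.file location.data.ref.file location.data.anonymizer.file; do
        path=$(get_prop "$props" "$key")
        if [ -z "$path" ]; then
            echo "ERROR: $key is not set" >&2
            status=1
        elif [ ! -r "$path" ]; then
            echo "ERROR: $key points to a missing or unreadable file: $path" >&2
            status=1
        fi
    done

    return $status
}

# Usage: sh check_location_props.sh /path/to/bharosa_location.properties
if [ "$#" -ge 1 ]; then
    if check_location_props "$1"; then
        echo "OK: $1 is ready for loadIPLocationData"
    else
        exit 1
    fi
fi
```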

6.9 Verifying the Oracle Adaptive Access Manager Installation

After completing the installation process, including post-installation steps, you can verify the installation and configuration of Oracle Adaptive Access Manager as follows:

  1. Start the Administration Server to register the newly created Managed Servers with the domain. To start the Administration Server, run the following command:

    • On Windows: At the command prompt, run the startWebLogic script to start the Administration Server, as in the following example:

      DOMAIN_HOME\bin\startWebLogic

    • On Linux or UNIX: At the $ prompt, run the startWebLogic.sh script to start the Administration Server, as in the following example:

      DOMAIN_HOME/bin/startWebLogic.sh

  2. Start the Managed Servers, as described in Appendix C, "Starting the Stack".

    Wait for the Administration Server and the Managed Servers to start up.

  3. Log in to the Administration Server for Oracle Adaptive Access Manager, using the admin server username and password. Log in to the Administration Server using the following URL:

    http://host:oaam_admin_server1_port/oaam_admin
    
  4. Log in to the Oracle Adaptive Access Manager Managed Server using the following URL:

    https://host:oaam_server_server1_sslport/oaam_server
    
  5. Log in to the Oracle Adaptive Access Manager Offline Server using the following URL:

    https://host:oaam_offline_server1_port/oaam_offline
    

6.10 Getting Started with Oracle Adaptive Access Manager After Installation

After installing Oracle Adaptive Access Manager, refer to Administering Oracle Adaptive Access Manager.