10 Configuring Oracle Mobile Security Suite

This chapter explains how to configure Oracle Mobile Security Suite. It includes the following topics:

10.1 Overview

For Oracle Identity and Access Management 11g Release 2 (11.1.2.3.0), Oracle Mobile Security Suite includes the following components:

  • Oracle Mobile Security Manager

  • Oracle Mobile Security Access Server

Note:

Oracle Mobile Security Manager is included in the Oracle Identity and Access Management Suite. When you are installing Oracle Identity and Access Management 11g Release 2 (11.1.2.3.0), only Oracle Mobile Security Manager is installed. Oracle Mobile Security Access Server has its own installer, and it is not included in the Oracle Identity and Access Management 11g Release 2 (11.1.2.3.0) installation. You must install and configure Mobile Security Manager before installing Mobile Security Access Server. For more information on installing Mobile Security Access Server, see Section 10.12, "Installing Oracle Mobile Security Access Server."

For an introduction to Oracle Mobile Security Suite, see "Understanding Oracle Mobile Security Suite" in Administering Oracle Mobile Security Suite.

10.2 Important Note Before You Begin

Before you start configuring Oracle Mobile Security Suite, note that IAM_HOME is used to refer to the Oracle Home directory that includes Oracle Identity Manager, Oracle Access Management, Oracle Adaptive Access Manager, Oracle Entitlements Server, Oracle Privileged Account Manager, Oracle Access Management Mobile and Social, and Oracle Mobile Security Suite. You can specify any path for this Oracle Home directory.

10.3 Configuration Roadmap for Oracle Mobile Security Suite

Table 10-1 lists the tasks for configuring Oracle Mobile Security Suite.

Table 10-1 Configuration Flow for Oracle Mobile Security Suite

  1. Configure Oracle Access Management in a WebLogic domain.

    For more information, see Section 10.4, "Configuring Oracle Access Management in a WebLogic Domain."

  2. Prepare your LDAP directory to be used as the common identity store for Oracle WebLogic Server, Oracle Access Manager, and Oracle Mobile Security Suite.

    For more information, see Section 10.6, "Preparing Your LDAP Directory as the Identity Store."

  3. Configure the Oracle Access Manager Server that will be used with Oracle Mobile Security Suite.

    You configure Oracle Access Manager using the idmConfigTool command. For more information, see Section 10.7, "Configuring Oracle Access Manager for Oracle Mobile Security Suite."

  4. Configure the identity store, keystores, and trust stores for the Oracle Mobile Security Manager Server.

    You configure Oracle Mobile Security Manager using the idmConfigTool command. For more information, see Section 10.8, "Configuring Oracle Mobile Security Manager."

  5. Start the Managed Servers.

    For more information, see Section 10.9, "Starting the Managed Servers."

  6. Verify your configuration.

    Ensure Oracle Mobile Security Suite is enabled on the Policy Manager Console. For more information, see Section 10.10, "Verifying Oracle Access Manager and Oracle Mobile Security Manager."

  7. Optional: Create and add additional administrator groups after configuration.

    For more information, see Section 10.11, "Optional: Creating Additional Administrator Groups After Configuration."

  8. Install and configure the Oracle Mobile Security Access Server software.

    For more information, see Section 10.12, "Installing Oracle Mobile Security Access Server."

  9. Get started with Oracle Mobile Security Suite.

    For more information, see Section 10.13, "Getting Started with Oracle Mobile Security Suite After Installation."


10.4 Configuring Oracle Access Management in a WebLogic Domain

Oracle Access Management is required to run and use Oracle Mobile Security Suite. Before you begin configuring Oracle Mobile Security Suite, you must install and configure Oracle Access Management in a WebLogic domain. When you install and configure Oracle Access Management in a WebLogic domain, the Oracle Mobile Security Manager server is installed and configured in the domain by default. To configure Oracle Access Management, follow the instructions in Chapter 5, "Configuring Oracle Access Management."

10.5 About the Administrator Roles in an Oracle Mobile Security Suite Deployment

An Oracle Mobile Security Suite deployment provides different administrator roles for the WebLogic Server, Oracle Access Manager, and Oracle Mobile Security Suite components. Before you begin configuring Oracle Mobile Security Suite, it is important to understand these roles and how to configure them.

For an Oracle Mobile Security Suite deployment, consider the following types of administrator roles:

  • WebLogic Administrator Role, which provides administration privileges to configure WebLogic Server and provides authorization to access MBeans. Specifically, Mobile Security Access Server administration tasks are performed using MBeans, and therefore, this role is required.

  • Oracle Access Manager Administrator Role, which provides administration privileges for the Oracle Access Manager component. This role provides authorization to perform Oracle Access Management configuration tasks on the Oracle Access Management Console.

  • Oracle Mobile Security Suite Administrator Role, which provides administration privileges for Oracle Mobile Security Suite tasks, such as managing mobile devices and policies. All Oracle Mobile Security Suite tasks are performed on the Policy Manager Console running on the Policy Manager server. After Oracle Mobile Security Suite is fully configured with Oracle Access Manager, an Oracle Access Manager administrator is also configured as an Oracle Mobile Security Suite administrator.

To configure these roles for an Oracle Mobile Security Suite deployment, you need to do the following:

  • Configure a common identity store, which is typically an enterprise directory.

  • Create an administrator user and group in the directory, and then assign the user to the administrator group.

  • Configure WebLogic Server, Oracle Access Manager, and Oracle Mobile Security Suite to use the same administrator group.

These configuration steps are described in the following tasks. These tasks must be completed to configure the required Oracle Mobile Security Suite administrator users, groups, and roles successfully.

As a result, once the administrator roles, users, and groups have been configured following these procedures, you will have a single admin user with full administration privileges over WebLogic Server, Oracle Access Manager, and Oracle Mobile Security Suite.

10.6 Preparing Your LDAP Directory as the Identity Store

Oracle Mobile Security Suite, along with other Oracle Identity and Access Management 11g Release 2 (11.1.2.3.0) components, relies on a specific set of users and groups being present and correctly configured in the LDAP directory. As a result, you must prepare your LDAP directory so that you can configure a common identity store and a common administrator user and group for Oracle WebLogic Server, Oracle Access Manager, and Oracle Mobile Security Suite.

For information about preparing your LDAP directory, refer to one of the following procedures, depending on the type of LDAP directory you are using:

Note:

Before preparing your LDAP directory, ensure that the WebLogic Administration Server and LDAP server are running. For more information, see Appendix C, "Starting the Stack."

10.7 Configuring Oracle Access Manager for Oracle Mobile Security Suite

After you have prepared your LDAP directory, use the idmConfigTool command with the -configOAM option to configure your Oracle Access Manager Server that will be used with Oracle Mobile Security Suite. The command for running idmConfigTool is located in the IAM_HOME/idmtools/bin directory.

Note:

You should not execute the idmConfigTool command with the -configOAM option if your 11g Release 2 (11.1.2.3.0) environment was upgraded from an 11g Release 2 (11.1.2.2.0) environment where Oracle Access Manager was previously configured to use an external LDAP directory. In this case, you can skip Section 10.7, but you must configure Oracle Mobile Security Manager, as described in Section 10.8, using exactly the same user, group, and LDAP directory properties that the upgraded Oracle Access Manager is already configured with.

Complete the following tasks to configure Oracle Access Manager:

10.7.1 Creating the Oracle Access Manager Properties File

Use the guidelines below to create a properties file that will configure your Oracle Access Manager Server. You will pass this file to the idmConfigTool command in Section 10.7.2, "Running idmConfigTool to Configure Oracle Access Manager."

Create a file named oam.properties in the directory of your choice containing the properties described in Table 10-2.

Note:

For an example properties file that includes sample values, see Sample Oracle Access Manager Properties File.

Table 10-2 Oracle Access Manager Configuration Properties

Property Description

Properties for connecting to Oracle WebLogic Server

WLSHOST

The host name of your Oracle WebLogic Administration Server.

WLSPORT

The port number of your Oracle WebLogic Administration Server.

WLSADMIN

The Oracle WebLogic Server administrator user you use to log in to the WebLogic Administration Console.

Properties for configuring and connecting to the LDAP directory

IDSTORE_HOST

The host name of your LDAP directory.

IDSTORE_PORT

The port number of your LDAP directory. This value can be an SSL port or a non-SSL port.

IDSTORE_DIRECTORYTYPE

Directory type of the LDAP server. Specify one of the following values.

  • OID if you are using Oracle Internet Directory.

  • OUD if you are using Oracle Unified Directory.

  • IPLANET if you are using ODSEE/iPlanet.

  • AD if you are using Microsoft Active Directory.

IDSTORE_BINDDN

An administrative user of the LDAP directory.

IDSTORE_USERSEARCHBASE

The location in the directory where users are stored. This property tells the directory where to search for users.

IDSTORE_SEARCHBASE

The location in the directory where users and groups are stored.

IDSTORE_GROUPSEARCHBASE

The location in the directory where groups (or roles) are stored. This property tells the directory where to search for groups or roles.

IDSTORE_SYSTEMIDBASE

The location of a container in the directory where system operations users should be stored so that they are kept separate from enterprise users stored in the main user container.

The location of a container in the directory where IDSTORE_OAMSOFTWAREUSER is stored.

OAM11G_IDSTORE_ROLE_SECURITY_ADMIN

The name of the group that is used to allow access to the Oracle Access Management administration console.

OAM11G_SERVER_LOGIN_ATTRIBUTE

At a login attempt, the user name is validated against this attribute in the identity store.

OAM11G_IDSTORE_NAME

The identity store name.

If you already have an identity store in place that you wish to reuse (rather than allowing the tool to create a new one for you), set this parameter to the name of the identity store you want to reuse.

OAM11G_CREATE_IDSTORE

Valid values are true or false.

IDSTORE_USERNAMEATTRIBUTE

LDAP user name attribute used to search for users in the identity store.

IDSTORE_LOGINATTRIBUTE

An attribute of a user in the identity store that contains the user's login name. This is the attribute the user uses for login.

This should be set to the same value as OAM11G_SERVER_LOGIN_ATTRIBUTE.

IDSTORE_OAMSOFTWAREUSER

The user name used to establish the Oracle Access Manager identity store connection.

Specify the name of the user that you created in Section 10.6, "Preparing Your LDAP Directory as the Identity Store." This user will be used by Oracle Access Manager to connect to the directory or LDAP server.

IDSTORE_OAMADMINUSER

The identity store administrator for Oracle Access Manager. Specify the name of a user that has privileges to access the Oracle Access Management Console.

Specify the name of the user that you created in Section 10.6, "Preparing Your LDAP Directory as the Identity Store."

Properties for configuring WebGate

WEBGATE_TYPE

The type of WebGate agent you want to create. Set to:

  • ohsWebGate10g if using WebGate version 10

  • ohsWebGate11g if using WebGate version 11

ACCESS_GATE_ID

The name you want to assign to the WebGate.

COOKIE_DOMAIN

The web domain in which the WebGate functions. Specify the domain in the format .cc.example.com.

OAM11G_WG_DENY_ON_NOT_PROTECTED

When set to false, this property allows login pages to be displayed. It should be set to true when using WebGate 11g.

Valid values are true or false.

OAM_TRANSFER_MODE

The transfer mode for the Oracle Access Manager agent being configured.

Valid values are OPEN, SIMPLE, or CERT.

Properties for configuring Oracle Access Manager Server

OAM11G_SSO_ONLY_FLAG

Specifies whether the Oracle Access Manager server performs authorization. When true, the server runs in authentication-only mode; when false, it runs in normal mode, which supports both authentication and authorization.

If true, the Oracle Access Manager 11g server operates in authentication only mode, where all authorizations return true by default without any policy validations. In this mode, the server does not have the overhead of authorization handling. This is recommended for applications that do not depend on authorization policies and need only the authentication feature of the Oracle Access Manager server.

If false, the server runs in default mode, where each authentication is followed by one or more authorization requests to the Oracle Access Manager server. WebGate allows the access to the requested resources or not, based on the responses from the Oracle Access Manager server.

Valid values are true (no authorization) or false.

OAM11G_OAM_SERVER_TRANSFER_MODE

The security model in which the Oracle Access Manager 11g server functions.

Valid values are OPEN or SIMPLE.

PRIMARY_OAM_SERVERS

A comma-separated list of your Oracle Access Manager servers and their proxy ports. For example, IDMHOST1:OAM_PROXY_PORT.

OAM11G_IMPERSONATION_FLAG

Set to true to enable the OAM Impersonation feature. If this property is not set, the default value is false.

OAM11G_IDM_DOMAIN_LOGOUT_URLS

Comma-separated list of Oracle Access Manager logout URLs.

COOKIE_EXPIRY_INTERVAL

Cookie expiration period.

OAM11G_IDM_DOMAIN_OHS_HOST

Host name of the load balancer that is in front of Oracle HTTP Server.

OAM11G_IDM_DOMAIN_OHS_PORT

Port number on which the load balancer listens.

OAM11G_IDM_DOMAIN_OHS_PROTOCOL

Protocol for Oracle HTTP Server.

Valid values are http or https.

OAM11G_SERVER_LBR_HOST

Host name of the load balancer front-ending the Oracle Access Manager server. This and the following two parameters are used to construct your login URL.

OAM11G_SERVER_LBR_PORT

The port number that the load balancer front-ending the Oracle Access Manager server is listening on.

OAM11G_SERVER_LBR_PROTOCOL

Protocol of the load balancer front-ending the Oracle Access Manager server.

Valid values are http or https.

SPLIT_DOMAIN

Set to true if you are creating a domain that contains only Oracle Access Manager, or if Oracle Access Manager is located in a separate domain from Oracle Identity Manager (split domain). Otherwise, you do not need to specify this parameter.

Valid values are true or false. Set to true for cross-domain deployment.

Properties needed if you are configuring Oracle Identity Manager with Oracle Access Manager

OAM11G_OIM_OHS_URL

The Oracle HTTP Server URL that front-ends the Oracle Identity Manager server. This property is only required if your topology contains Oracle Access Manager and Oracle Identity Manager.

OAM11G_OIM_INTEGRATION_REQ

This property specifies whether to integrate with Oracle Identity Manager or configure Oracle Access Manager in standalone mode. Set to true for integration.

Valid values are true (integration) or false.


Sample Oracle Access Manager Properties File

WLSHOST: examplehost.example.com
WLSPORT: 7001
WLSADMIN: weblogic
IDSTORE_HOST: idstore.example.com
IDSTORE_PORT: 1389
IDSTORE_DIRECTORYTYPE: OUD
IDSTORE_BINDDN: cn=orcladmin
IDSTORE_USERSEARCHBASE: cn=Users,dc=example,dc=com
IDSTORE_SEARCHBASE: dc=example,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com
IDSTORE_SYSTEMIDBASE: cn=systemids,dc=example,dc=com
OAM11G_IDSTORE_ROLE_SECURITY_ADMIN: OAMAdministrators
OAM11G_SERVER_LOGIN_ATTRIBUTE: cn
OAM11G_CREATE_IDSTORE: true
OAM11G_IDSTORE_NAME: OAMIDSTORE
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: cn
IDSTORE_OAMSOFTWAREUSER: oamLDAP
IDSTORE_OAMADMINUSER: oamadmin
WEBGATE_TYPE: ohsWebgate11g
ACCESS_GATE_ID: Webgate_IDM
COOKIE_DOMAIN: .cc.example.com
OAM11G_WG_DENY_ON_NOT_PROTECTED: true
OAM_TRANSFER_MODE: open
OAM11G_SSO_ONLY_FLAG: false
OAM11G_OAM_SERVER_TRANSFER_MODE: open
PRIMARY_OAM_SERVERS: examplehost.example.com:5575
OAM11G_IMPERSONATION_FLAG: false
OAM11G_IDM_DOMAIN_LOGOUT_URLS: /oamsso/logout.html, /console/jsp/common/logout.jsp, /em/targetauth/emaslogout.jsp
COOKIE_EXPIRY_INTERVAL: 120
OAM11G_IDM_DOMAIN_OHS_HOST: examplehost.example.com
OAM11G_IDM_DOMAIN_OHS_PORT: 7777
OAM11G_IDM_DOMAIN_OHS_PROTOCOL: http
OAM11G_SERVER_LBR_HOST: examplehost.example.com
OAM11G_SERVER_LBR_PORT: 7777
OAM11G_SERVER_LBR_PROTOCOL: http
SPLIT_DOMAIN: true
OAM11G_OIM_OHS_URL: http://examplehost.example.com:7778
OAM11G_OIM_INTEGRATION_REQ: false

10.7.2 Running idmConfigTool to Configure Oracle Access Manager

To configure Oracle Access Manager, run the idmConfigTool command with the -configOAM option as follows:

Note:

Before running idmConfigTool:

  1. Set the following environment variables:

    • Set MW_HOME to the full path of the Oracle Identity and Access Management Middleware home. Enter the path to the Middleware home that was created when you installed Oracle WebLogic Server 11g Release 1 (10.3.6) on your system. For example, /u01/oracle/products/fmw_oam.

    • Set ORACLE_HOME to the full path of the Oracle home where Oracle Access Manager is installed. Set to the location of your IAM_HOME directory. For example, /u01/oracle/products/fmw_oam/Oracle_IDM1.

    • Set JAVA_HOME to the full path of the JDK directory.

  2. Change directory to the IAM_HOME/idmtools/bin directory:

    cd IAM_HOME/idmtools/bin
    
  3. Run the following command:

    idmConfigTool.sh -configOAM input_file=configfile log_level=level log_file=log_file
    

    Where

    • (Required) input_file is the full or relative path to the properties file you created in Section 10.7.1, "Creating the Oracle Access Manager Properties File."

    • (Optional) log_level is the level of logging performed by idmConfigTool. Possible values are ALL, SEVERE, WARNING, INFO, CONFIG, FINE, FINER, and FINEST. If not specified, the default is INFO.

    • (Optional) log_file is the full or relative path to the file where idmConfigTool will store the log file data. If not specified, idmConfigTool creates a log file named automation.log in the directory where you run the tool.

    For example:

    idmConfigTool.sh -configOAM input_file=oam.properties
    

    Where oam.properties is a properties file containing configuration parameters specific to your environment. For information on creating this file, see Section 10.7.1, "Creating the Oracle Access Manager Properties File."

    When the command runs, it prompts you to enter the password of the account used to connect to the identity store. It also prompts you to enter passwords for the following:

    • OAM11G_WLS_ADMIN_PASSWD: Enter the password for the WebLogic Server Administrator user (WLSADMIN).

    • OAM11G_IDM_DOMAIN_WEBGATE_PASSWD: Enter a password to be assigned to the WebGate.

    • IDSTORE_PWD_OAMSOFTWAREUSER: Enter the password for IDSTORE_OAMSOFTWAREUSER.

    • IDSTORE_PWD_OAMADMINUSER: Enter the password for IDSTORE_OAMADMINUSER.

    Sample command output, when running the command against Oracle Unified Directory:

    Enter ID Store Bind DN password:
    Enter User Password for OAM11G_WLS_ADMIN_PASSWD:
    Confirm User Password for OAM11G_WLS_ADMIN_PASSWD:
    Enter User Password for OAM11G_IDM_DOMAIN_WEBGATE_PASSWD:
    Confirm User Password for OAM11G_IDM_DOMAIN_WEBGATE_PASSWD:
    Enter User Password for IDSTORE_PWD_OAMSOFTWAREUSER:
    Confirm User Password for IDSTORE_PWD_OAMSOFTWAREUSER:
    Enter User Password for IDSTORE_PWD_OAMADMINUSER:
    Confirm User Password for IDSTORE_PWD_OAMADMINUSER:
    Connecting to t3://examplehost.example.com:7001
    Connection to domain runtime mbean server established
    Starting edit session
    Edit session started
    Connected to security realm.
    Validating provider configuration
    Validated desired authentication providers
    Created OAMIDAsserter successfuly
    Created OUDAuthenticator successfuly
    Setting attributes for OUDAuthenticator
    All attributes set. Configured inOUDAuthenticatornow
    LDAP details configured in OUDAuthenticator
    Dec 19, 2014 6:40:38 AM oracle.idm.automation.impl.oam.handlers.WLSAuthnConfigHandler logInfo
    INFO: ControlFlag for OAMIDAsserter set to REQUIRED
    Dec 19, 2014 6:40:38 AM oracle.idm.automation.impl.oam.handlers.WLSAuthnConfigHandler logInfo
    INFO: ControlFlag for OUDAuthenticator set to SUFFICIENT
    Dec 19, 2014 6:40:38 AM oracle.idm.automation.impl.oam.handlers.WLSAuthnConfigHandler logInfo
    INFO: ControlFlag for DefaultAuthenticator set to SUFFICIENT
    Control flags for authenticators set sucessfully
    Dec 19, 2014 6:40:38 AM oracle.idm.automation.impl.oam.handlers.WLSAuthnConfigHandler logInfo
    INFO: Total providers - 5
    Reordering of authenticators done sucessfully
    Saving the transaction
    Transaction saved
    Activating the changes
    Changes Activated. Edit session ended.
    Connection closed sucessfully
    The tool has completed its operation. Details have been logged to automation.log
    

    Sample command output, when running the command against Microsoft Active Directory:

    Enter ID Store Bind DN password:
    Enter User Password for OAM11G_WLS_ADMIN_PASSWD:
    Confirm User Password for OAM11G_WLS_ADMIN_PASSWD:
    Enter User Password for OAM11G_IDM_DOMAIN_WEBGATE_PASSWD:
    Confirm User Password for OAM11G_IDM_DOMAIN_WEBGATE_PASSWD:
    Enter User Password for IDSTORE_PWD_OAMSOFTWAREUSER:
    Confirm User Password for IDSTORE_PWD_OAMSOFTWAREUSER:
    Enter User Password for IDSTORE_PWD_OAMADMINUSER:
    Confirm User Password for IDSTORE_PWD_OAMADMINUSER:
    Connecting to t3://examplehost.example.com:7001
    Connection to domain runtime mbean server established
    Starting edit session
    Edit session started
    Connected to security realm.
    Validating provider configuration
    Validated desired authentication providers
    OAM Asserter already exists in the security realm
    Created ADAuthenticator successfuly
    Setting attributes for ADAuthenticator
    All attributes set. Configured inADAuthenticatornow
    LDAP details configured in ADAuthenticator
    Control flags for authenticators set sucessfully
    Reordering of authenticators done sucessfully
    Saving the transaction
    Transaction saved
    Activating the changes
    Changes Activated. Edit session ended.
    Connection closed sucessfully
    The tool has completed its operation. Details have been logged to oam.log
    
  4. Check the log file for any errors or warnings and correct them before continuing.

  5. Restart the Oracle WebLogic Administration Server, as described in Appendix C, "Restarting Servers."
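Step 4 asks you to check the log file before restarting anything. The records idmConfigTool writes use the two-line java.util.logging layout visible in the sample output above: a header line with the date, the logger class and the method, followed by a LEVEL: message line, where the level names are the same log_level values listed earlier (SEVERE, WARNING, INFO, and so on), while the tool's plain progress messages appear between records without any header. The following Python script is an added example, not part of this guide or of idmConfigTool: it groups a log into records, folds indented continuation lines (stack traces) into the record they belong to, and returns the records at WARNING or above for review. The log text embedded in it is constructed; only the logger class name is taken from the sample output, and the logWarning and logSevere method names, the messages and the stack frame are assumed.

```python
"""Added example, not Oracle's code: group an idmConfigTool log into records and
pull out the WARNING and SEVERE ones for review (step 4 above). The layout is the
two-line java.util.logging one seen in the sample output: a header line with date,
logger class and method, then a "LEVEL: message" line. The log below is constructed."""
import re

# idmConfigTool log_level values; after ALL they run from most to least severe
LEVELS = "ALL SEVERE WARNING INFO CONFIG FINE FINER FINEST".split()
HEADER = re.compile(r"^\w{3} \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M (\S+) (\S+)$")
RECORD = re.compile(r"^(%s): (.*)$" % "|".join(LEVELS))

# Constructed log: the logger class is the one in the sample output above; the
# logWarning/logSevere method names, the messages and the stack frame are assumed.
CONSTRUCTED_LOG = """\
Connected to security realm.
Dec 19, 2014 6:40:38 AM oracle.idm.automation.impl.oam.handlers.WLSAuthnConfigHandler logInfo
INFO: ControlFlag for OAMIDAsserter set to REQUIRED
Dec 19, 2014 6:40:39 AM oracle.idm.automation.impl.oam.handlers.WLSAuthnConfigHandler logWarning
WARNING: ControlFlag for DefaultAuthenticator left unchanged
Dec 19, 2014 6:40:40 AM oracle.idm.automation.impl.oam.handlers.WLSAuthnConfigHandler logSevere
SEVERE: Could not connect to the identity store at idstore.example.com:1389
    at example.ConstructedFrame.run(Constructed.java:1)
The tool has completed its operation. Details have been logged to automation.log
"""


def parse_jul_log(text):
    """Return (level, logger, method, message) tuples, one per record.

    Indented lines after a record (stack traces) are folded into its message.
    Lines outside any record, the tool's plain progress output, get level None."""
    records, header = [], None
    for line in text.splitlines():
        h = HEADER.match(line)
        if h:
            header = h.groups()  # (logger class, method); the level comes on the next line
            continue
        r = RECORD.match(line)
        if r and header:
            records.append([r.group(1), header[0], header[1], r.group(2)])
            header = None
        elif records and records[-1][0] and line[:1].isspace():
            records[-1][3] += "\n" + line.strip()  # continuation of the previous record
        else:
            records.append([None, None, None, line])
    return [tuple(r) for r in records]


def problems(records, min_level="WARNING"):
    """Records whose level is min_level or more severe (SEVERE is the most severe)."""
    rank = {level: i for i, level in enumerate(LEVELS)}
    return [r for r in records if r[0] and rank[r[0]] <= rank[min_level]]


if __name__ == "__main__":
    for level, logger, method, message in problems(parse_jul_log(CONSTRUCTED_LOG)):
        print(f"{level}: {message.splitlines()[0]}  ({logger}.{method})")
```

To review a real run, pass the contents of automation.log (or the file named with log_file) to parse_jul_log and look at problems(records); the SEVERE record in the constructed log above is the kind of entry that should stop you from restarting the Administration Server until the cause is fixed.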

10.7.3 Granting WebLogic Admin Role to Oracle Access Manager and WebLogic Server Groups

After you complete the installation process, you do not have any users or groups present with the WebLogic administrator role. Perform the following steps to grant the WebLogic Admin role to the Oracle Access Manager administrator group and to the WebLogic Server administrator group.

  1. Log in to the WebLogic Server Administration Console.

  2. Click Security Realms from the Domain Structure menu.

  3. Click myrealm in the Realms table.

  4. Click the Roles and Policies tab.

  5. Expand the Global Roles entry in the Roles table. This brings up the entry for Roles.

  6. Click Roles under the Global Roles entry.

  7. Click the Admin role in the Global Roles table.

  8. Under Role Conditions, click Add Conditions.

  9. Select Group from the predicate list and click Next.

  10. In the Group Argument Name field, enter the name of the Oracle Access Manager administrator group (OAM11G_IDSTORE_ROLE_SECURITY_ADMIN) that you created in Section 10.6, "Preparing Your LDAP Directory as the Identity Store." For example, OAMAdministrators.

    Click Add.

  11. Click Finish.

    Role Conditions now shows the Oracle Access Manager administrator group as an entry.

  12. Under Role Conditions, click Add Conditions.

  13. Select Group from the predicate list and click Next.

  14. In the Group Argument Name field, enter the name of the WebLogic Server administrator group (IDSTORE_WLSADMINGROUP) that you created in Section 10.6, "Preparing Your LDAP Directory as the Identity Store." For example, IDM Administrators.

    Click Add.

  15. Click Finish.

    Role Conditions now shows the WebLogic Server administrator group as an entry.

  16. Click Save and then restart the Administration Server.

10.7.4 Additional Task for Oracle Unified Directory

If you are using Oracle Unified Directory (OUD) as the LDAP identity store and the group object class is groupOfUniqueNames, perform the following additional steps:

  1. Connect to the WebLogic Administration Server using the WLST connect command:

    IAM_HOME/common/bin/wlst.sh
    connect()
    
  2. Run the following WLST commands in this order:

    Note:

    Replace domain_name with the name of the domain that you created in Section 10.4, "Configuring Oracle Access Management in a WebLogic Domain."

    edit()
    startEdit()
    cd('/SecurityConfiguration/domain_name/Realms/myrealm/AuthenticationProviders/OUDAuthenticator')
    cmo.setStaticMemberDNAttribute('uniquemember')
    cmo.setStaticGroupDNsfromMemberDNFilter('(&(uniquemember=%M)(objectclass=groupOfUniqueNames))')
    cmo.setStaticGroupObjectClass('groupOfUniqueNames')
    activate()

10.8 Configuring Oracle Mobile Security Manager

After you have executed the idmConfigTool -configOAM command to configure Oracle Access Manager, use idmConfigTool to configure the identity store, keystores, and trust stores for the Oracle Mobile Security Manager Server.

Complete the following tasks to configure Oracle Mobile Security Manager:

10.8.1 Creating the Oracle Mobile Security Suite Properties File

Use the guidelines below to create a properties file that will configure your Oracle Mobile Security Manager Server. You will pass this file to the idmConfigTool command in Section 10.8.2, "Running idmConfigTool to Configure Oracle Mobile Security Manager."

Create a file named omss.properties in the directory of your choice containing the properties described in Table 10-3. Note that all properties are required unless marked as (Optional).

Notes:

  • For an example properties file that includes sample values, see Sample Oracle Mobile Security Suite Properties File.

  • Oracle Access Manager and Oracle Mobile Security Manager must point to the same identity store when you run idmConfigTool -configOAM and idmConfigTool -configOMSS mode=OMSM to configure Oracle Access Manager and Oracle Mobile Security Manager, respectively.

  • Make sure to save this file. You will use this properties file later for Mobile Security Access Server configuration. To configure Mobile Security Access Server, you run the idmConfigTool command with the -configOMSS mode=OMSAS option. For more information, see "Configuring the Identity Store and Keystores for the MSAS Instance" in Installing Oracle Mobile Security Access Server.
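Both properties files carry constraints that are easy to get wrong by hand: Table 10-2 in Section 10.7.1 requires IDSTORE_LOGINATTRIBUTE to equal OAM11G_SERVER_LOGIN_ATTRIBUTE, expects OAM11G_WG_DENY_ON_NOT_PROTECTED to be true for an 11g WebGate and a COOKIE_DOMAIN with a leading dot, and the notes above require oam.properties and omss.properties to point at the same identity store, with Table 10-3 below adding that the OMSS_OMSM_SERVER_HOST list must line up with OMSS_OMSM_SERVER_NAME and that OMSS_OMSM_FRONT_END_URL has the form http://host:port. The following Python script is an added example serving both Section 10.7.1 and this section; it is not part of this guide or of idmConfigTool. It parses the KEY: value layout the sample files use, validates an oam.properties mapping against Table 10-2 and cross-checks an omss.properties mapping against it. The list of required properties is an assumption read from Table 10-2 (everything the table does not describe as optional or conditional), valid values are compared case-insensitively because the sample file writes open and ohsWebgate11g in lower case, and both embedded sample files are constructed with deliberate mistakes so the checks have something to report.

```python
"""Added example, not Oracle's code: sanity checks for the idmConfigTool
properties files described in Table 10-2 (oam.properties) and Table 10-3
(omss.properties). The required-key list is an assumption read from Table
10-2; both embedded sample files are constructed and deliberately flawed."""
import re

# Table 10-2 properties, minus the ones the table describes as optional or conditional
OAM_REQUIRED = """WLSHOST WLSPORT WLSADMIN IDSTORE_HOST IDSTORE_PORT IDSTORE_DIRECTORYTYPE
IDSTORE_BINDDN IDSTORE_USERSEARCHBASE IDSTORE_SEARCHBASE IDSTORE_GROUPSEARCHBASE
IDSTORE_SYSTEMIDBASE OAM11G_IDSTORE_ROLE_SECURITY_ADMIN OAM11G_SERVER_LOGIN_ATTRIBUTE
OAM11G_IDSTORE_NAME OAM11G_CREATE_IDSTORE IDSTORE_USERNAMEATTRIBUTE IDSTORE_LOGINATTRIBUTE
IDSTORE_OAMSOFTWAREUSER IDSTORE_OAMADMINUSER WEBGATE_TYPE ACCESS_GATE_ID COOKIE_DOMAIN
OAM11G_WG_DENY_ON_NOT_PROTECTED OAM_TRANSFER_MODE OAM11G_SSO_ONLY_FLAG
OAM11G_OAM_SERVER_TRANSFER_MODE PRIMARY_OAM_SERVERS OAM11G_IDM_DOMAIN_LOGOUT_URLS
COOKIE_EXPIRY_INTERVAL OAM11G_IDM_DOMAIN_OHS_HOST OAM11G_IDM_DOMAIN_OHS_PORT
OAM11G_IDM_DOMAIN_OHS_PROTOCOL OAM11G_SERVER_LBR_HOST OAM11G_SERVER_LBR_PORT
OAM11G_SERVER_LBR_PROTOCOL""".split()

# Valid values from Table 10-2; the sample file uses lower case, so compare case-insensitively
ALLOWED = {
    "IDSTORE_DIRECTORYTYPE": {"OID", "OUD", "IPLANET", "AD"},
    "WEBGATE_TYPE": {"OHSWEBGATE10G", "OHSWEBGATE11G"},
    "OAM_TRANSFER_MODE": {"OPEN", "SIMPLE", "CERT"},
    "OAM11G_OAM_SERVER_TRANSFER_MODE": {"OPEN", "SIMPLE"},
    "OAM11G_IDM_DOMAIN_OHS_PROTOCOL": {"HTTP", "HTTPS"},
    "OAM11G_SERVER_LBR_PROTOCOL": {"HTTP", "HTTPS"},
}
for _flag in ("OAM11G_CREATE_IDSTORE", "OAM11G_WG_DENY_ON_NOT_PROTECTED", "OAM11G_SSO_ONLY_FLAG",
              "OAM11G_IMPERSONATION_FLAG", "SPLIT_DOMAIN", "OAM11G_OIM_INTEGRATION_REQ"):
    ALLOWED[_flag] = {"TRUE", "FALSE"}

# Constructed omss.properties fragment: the port and the host/name counts are wrong on purpose
OMSS_SAMPLE = """\
IDSTORE_HOST: idstore.example.com
IDSTORE_PORT: 1636
OMSS_IDSTORE_ROLE_SECURITY_ADMIN: OAMAdministrators
OMSS_OMSM_SERVER_NAME: WLS_MSM1, WLS_MSM2
OMSS_OMSM_SERVER_HOST: msmhost1.example.com
OMSS_OMSM_FRONT_END_URL: https://msm.example.com:443
"""


def parse_properties(text):
    """Parse the 'KEY: value' layout used by the sample files in this chapter."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, sep, value = line.partition(":")  # values such as URLs may contain ':'
            if not sep:
                raise ValueError(f"malformed line: {raw!r}")
            props[key.strip()] = value.strip()
    return props


def constructed_oam_text():
    """Constructed oam.properties content (not the page's sample) with three mistakes."""
    props = dict.fromkeys(OAM_REQUIRED, "placeholder")
    props.update(IDSTORE_HOST="idstore.example.com", IDSTORE_PORT="1389", IDSTORE_DIRECTORYTYPE="OUD",
                 OAM11G_IDSTORE_ROLE_SECURITY_ADMIN="OAMAdministrators",
                 OAM11G_SERVER_LOGIN_ATTRIBUTE="cn", IDSTORE_LOGINATTRIBUTE="uid",  # mistake 1
                 WEBGATE_TYPE="ohsWebgate11g", OAM11G_WG_DENY_ON_NOT_PROTECTED="false",  # mistake 2
                 COOKIE_DOMAIN="cc.example.com",  # mistake 3: no leading dot
                 OAM11G_CREATE_IDSTORE="true", OAM11G_SSO_ONLY_FLAG="false",
                 OAM_TRANSFER_MODE="open", OAM11G_OAM_SERVER_TRANSFER_MODE="open",
                 OAM11G_IDM_DOMAIN_OHS_PROTOCOL="http", OAM11G_SERVER_LBR_PROTOCOL="http",
                 PRIMARY_OAM_SERVERS="examplehost.example.com:5575")
    return "\n".join(f"{k}: {v}" for k, v in props.items())


def check_oam(oam):
    """Return the problems found in a parsed oam.properties mapping."""
    problems = [f"missing {k}" for k in OAM_REQUIRED if k not in oam]
    for key, allowed in ALLOWED.items():
        if key in oam and oam[key].upper() not in allowed:
            problems.append(f"{key}: {oam[key]!r} not in {sorted(allowed)}")
    if oam.get("IDSTORE_LOGINATTRIBUTE") != oam.get("OAM11G_SERVER_LOGIN_ATTRIBUTE"):
        problems.append("IDSTORE_LOGINATTRIBUTE differs from OAM11G_SERVER_LOGIN_ATTRIBUTE")
    if (oam.get("WEBGATE_TYPE", "").upper() == "OHSWEBGATE11G"
            and oam.get("OAM11G_WG_DENY_ON_NOT_PROTECTED", "").lower() != "true"):
        problems.append("OAM11G_WG_DENY_ON_NOT_PROTECTED should be true for WebGate 11g")
    if not oam.get("COOKIE_DOMAIN", ".").startswith("."):
        problems.append("COOKIE_DOMAIN must start with a dot, e.g. .cc.example.com")
    return problems


def check_pair(oam, omss):
    """Cross-checks between oam.properties and omss.properties (Section 10.8.1, Table 10-3)."""
    problems = []
    for key in ("IDSTORE_HOST", "IDSTORE_PORT"):  # both tools must use the same identity store
        if oam.get(key) != omss.get(key):
            problems.append(f"{key} differs between oam.properties and omss.properties")
    admin = omss.get("OMSS_IDSTORE_ROLE_SECURITY_ADMIN")
    if admin is not None and admin != oam.get("OAM11G_IDSTORE_ROLE_SECURITY_ADMIN"):
        problems.append("OMSS_IDSTORE_ROLE_SECURITY_ADMIN differs from OAM11G_IDSTORE_ROLE_SECURITY_ADMIN")
    names = omss.get("OMSS_OMSM_SERVER_NAME", "omsm_server1").split(",")  # default per Table 10-3
    if "OMSS_OMSM_SERVER_HOST" in omss:
        hosts = omss["OMSS_OMSM_SERVER_HOST"].split(",")
        if len(hosts) != len(names):
            problems.append(f"{len(hosts)} OMSS_OMSM_SERVER_HOST entries for {len(names)} OMSS_OMSM_SERVER_NAME entries")
    url = omss.get("OMSS_OMSM_FRONT_END_URL")
    if url is not None and not re.fullmatch(r"https?://[^\s/:]+:\d+", url):
        problems.append("OMSS_OMSM_FRONT_END_URL must be http://host:port or https://host:sslport")
    return problems
```

Against real files, read each one with parse_properties and run check_oam on the Oracle Access Manager mapping and check_pair on the pair; an empty list from both is the condition to aim for before running idmConfigTool -configOAM and -configOMSS mode=OMSM, since both commands are told to use the same identity store and administrator group.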

Table 10-3 Oracle Mobile Security Suite Configuration Properties

Property Description

Properties for configuring and connecting to the LDAP directory

IDSTORE_SSL_ENABLED

(Optional) Set to true if you want to communicate with the LDAP directory using SSL. The default value is false.

IDSTORE_DIRECTORYTYPE

Directory type of the LDAP Server. Specify one of the following values.

  • OID if you are using Oracle Internet Directory.

  • OUD if you are using Oracle Unified Directory.

  • ODSEE if you are using ODSEE/iPlanet.

  • AD if you are using Microsoft Active Directory.

IDSTORE_HOST

The host name of your LDAP directory.

This should be the same value that you used for this property when you created the Oracle Access Manager properties file in Section 10.7.1, "Creating the Oracle Access Manager Properties File."

IDSTORE_PORT

The port number of your LDAP directory. This value can be an SSL port or a non-SSL port.

This should be the same value that you used for this property when you created the Oracle Access Manager properties file in Section 10.7.1, "Creating the Oracle Access Manager Properties File."

IDSTORE_SSL_CERT_PATH

(Optional) Specify the absolute path to the location that contains directory-specific SSL certificates.

This property is applicable only if the LDAP directory communicates over an SSL port. If provided, idmConfigTool will load all the certificate files that are present in this location.

These certificates should be in .cer format.

IDSTORE_BINDDN

An administrative user of the LDAP directory.

IDSTORE_USERNAMEATTRIBUTE

LDAP user name attribute used to search for users in the identity store.

IDSTORE_USERSEARCHBASE

The location in the directory where users are stored. This property tells the directory where to search for users.

IDSTORE_GROUPSEARCHBASE

The location in the directory where groups (or roles) are stored. This property tells the directory where to search for groups or roles.

IDSTORE_SEARCHBASE

The location in the directory where users and groups are stored.

IDSTORE_LOGINATTRIBUTE

An attribute of a user in the identity store that contains the user's login name. This is the attribute the user uses for login.

OMSS_OMSM_IDSTORE_PROFILENAME

Name of the identity store profile for Oracle Mobile Security Manager.

The idmConfigTool command will create an identity store profile for Mobile Security Manager with this name. It is used by Mobile Security Manager to connect to the identity store.

Properties for connecting to Oracle WebLogic Server

WLSHOST

The host name of your Oracle WebLogic Administration Server.

WLSADMIN

The WebLogic Server Administrator user you use to log in to the WebLogic Administration Console.

WLSPORT

The port number of your WebLogic Administration Server.

OMSS_DOMAIN_LOCATION

The absolute path to the Oracle Mobile Security Manager domain you created in Section 10.4, "Configuring Oracle Access Management in a WebLogic Domain."

Properties for configuring Oracle Mobile Security Suite users, groups, and roles

OMSS_IDSTORE_ROLE_SECURITY_ADMIN

(Optional) Name of the administrator group whose members have administrative privileges for Oracle Mobile Security Manager operations. This group is used to allow access to the Oracle Mobile Security Manager features on the Policy Manager Console.

This should be set to the same value that you provided for OAM11G_IDSTORE_ROLE_SECURITY_ADMIN in the Oracle Access Manager properties file.

The default value is MSMSysAdminUsers.

OMSS_IDSTORE_ROLE_SECURITY_HELPDESK

(Optional) Name of the Oracle Mobile Security Manager helpdesk group, whose members get helpdesk privileges for Oracle Mobile Security Manager operations.

This group is used to allow access to the Security Help Desk privileges in the Policy Manager Console.

The default value is MSMHelpdeskUsers.

OMSS_SCEP_DYNAMIC_CHALLENGE_USER

(Optional) Oracle Mobile Security Manager uses a Simple Certificate Enrollment Protocol (SCEP) dynamic challenge for external SCEP authorization during the enrollment phase. Mobile Security Manager authenticates as this user when it presents that challenge.

Properties for Mobile Security Manager Server and Policy Manager Server


OMSS_OMSM_SERVER_NAME

Name of the Mobile Security Manager Managed Server. By default, this is omsm_server1. Provide this only if the Oracle Mobile Security Manager Server is renamed to a different value during domain configuration.

This property must match the Mobile Security Manager Server name(s) provided during domain configuration.

If you have multiple Mobile Security Manager Servers, specify a comma-separated list of Managed Server names. For example, WLS_MSM1, WLS_MSM2.

OMSS_OMSM_SERVER_HOST

(Optional) A comma-separated list of the hosts on which your Mobile Security Manager Servers are assigned.

The number and order of the hosts specified for OMSS_OMSM_SERVER_HOST must match the number and order of servers specified for OMSS_OMSM_SERVER_NAME.

If this property is not specified in the properties file, idmConfigTool queries the WebLogic domain configuration to obtain the host information.

OMSS_OAM_POLICY_MGR_SERVER_NAME

Name of the Policy Manager Managed Server. By default, this is oam_policy_mgr1. Provide this only if the Policy Manager Server is renamed to a different value during domain configuration.

This property must match the Policy Manager Server name(s) provided during domain configuration.

Properties for a cluster deployment


OMSS_OMSM_FRONT_END_URL

(Optional) For cluster deployments, provide the URL of the load balancer that front-ends the Oracle Mobile Security Manager cluster.

This property is not required if Mobile Security Manager is not deployed in a cluster. It is required only if there is a cluster of Mobile Security Manager servers.

OMSS_OMSM_FRONT_END_URL has the format http://host:port or https://host:sslport.

Properties for configuring and connecting to a proxy server


OMSS_PROXY_SERVER_HOST

(Optional) If you are using a proxy server, specify the host name of the proxy server.

This and the following three properties are required if the Mobile Security Manager Server runs within an internal network and needs a proxy server to communicate with an outside network.

OMSS_PROXY_SERVER_PORT

(Optional) If you are using a proxy server, specify the port number of the proxy server.

OMSS_PROXY_USER

(Optional) The user name for connecting to the proxy server.

If the proxy server is unauthenticated, then OMSS_PROXY_USER is not required.

OMSS_USE_PROXY

(Optional) Valid values are true or false. If true, the proxy server is enabled; if false, it is disabled.

Properties for connecting to the database


OMSS_JDBC_URL

Specify the JDBC URL of the Oracle Mobile Security Manager database repository in the following format, where db_host is the host name of the machine on which the database resides, port is the listener port of the database, and service_name is the service name of the database. This URL is used to seed the Apple Push Notification Service (APNs) and Google Cloud Messaging (GCM) data.

jdbc:oracle:thin:@db_host:port/service_name

For example:

jdbc:oracle:thin:@examplehost.exampledomain.com:1521/orcl.example.com

OMSS_OMSM_SCHEMA_USER

The user name for the Oracle Mobile Security Manager schema, which consists of the prefix that was configured for the repository in RCU followed by _OMSM.

Properties for configuring GCM and APNs


OMSS_GCM_SENDER_ID

(Optional) Google Cloud Messaging (GCM) notification sender ID.

This property is required for Android Mobile Device Management (MDM) functionality. Mobile Security Manager requires GCM credentials to connect to GCM and send push notifications to Android devices. If you are planning to use MDM, you can choose to configure GCM during configuration using idmConfigTool or configure GCM manually after configuration using the Policy Manager Console.

Set this property to the project number of the Google API Project you created. For more information, including how to create a Google API Project and obtain a GCM API key, see "Configuring the GCM Entry" in Administering Oracle Mobile Security Suite.

OMSS_APNS_FILE

(Optional) The full path and file name of the Apple Push Notification Service (APNs) keystore file, which is used to establish a secure connection to the Apple server and to send notifications.

The APNs keystore file is required for iOS Mobile Device Management (MDM) functionality. Mobile Security Manager requires an Apple MDM certificate to manage iOS devices. This certificate enables secure communication using Apple Push Notification Services (APNs). If you are planning to use MDM, you can choose to configure APNs during configuration using idmConfigTool or configure APNs manually after configuration using the Policy Manager Console.

For more information, including how to obtain an APNs certificate file, see "Configuring the APNS Certificate" in Administering Oracle Mobile Security Suite.

Properties for configuring Exchange server and email settings


OMSS_EXCHANGE_DOMAIN_NAME

(Optional) Specify the domain name of the Exchange server that Oracle Mobile Security Suite will connect to.

If specified, you must also enter values for the following four OMSS_EXCHANGE properties in this file.

OMSS_EXCHANGE_SERVER_URL

(Optional) Specify the URL of the Exchange server that Oracle Mobile Security Suite will connect to.

If specified, you must also enter values for all the other OMSS_EXCHANGE properties.

OMSS_EXCHANGE_LISTENER_URL

(Optional) Specify the listener URL of the Exchange server that Oracle Mobile Security Suite will connect to.

If specified, you must also enter values for all the other OMSS_EXCHANGE properties.

OMSS_EXCHANGE_SERVER_VERSION

(Optional) Specify the version number of the Exchange server that Oracle Mobile Security Suite will connect to.

If specified, you must also enter values for all the other OMSS_EXCHANGE properties.

OMSS_EXCHANGE_ADMIN_USER

(Optional) Specify the administrative user name of the Exchange server that Oracle Mobile Security Suite will connect to.

If specified, you must also enter values for all the other OMSS_EXCHANGE properties.

OMSS_EMAIL_ADMIN_USER

(Optional) Specify the Oracle Mobile Security Suite email administrator user name, which must be an email address.

If specified, you must also enter values for the following two properties, which are used by Mobile Security Manager to send email invites to users.

OMSS_SMTP_HOST

(Optional) Specify the host name of the SMTP server that Oracle Mobile Security Manager will use to send email invites to users.

If specified, you must also enter values for OMSS_EMAIL_ADMIN_USER and OMSS_SMTP_PORT.

OMSS_SMTP_PORT

(Optional) Specify the port number of the SMTP server that Oracle Mobile Security Manager will use to send email invites to users.

If specified, you must also enter values for OMSS_EMAIL_ADMIN_USER and OMSS_SMTP_HOST.

OMSS_OMSM_SERVER_KEY_LENGTH

(Optional) The key length (in bits) for the self-signed CA and generated keys for the Oracle Mobile Security Manager server. The default value is 2048.

Properties for Mobile Security Access Server


OMSS_MSAS_SERVER_HOST

The host name for Oracle Mobile Security Access Server.

If the Mobile Security Access Server instance is behind a load balancer, provide the host name of the load balancer.

Note that this and the OMSS_MSAS_SERVER_PORT property are required to run the idmConfigTool -configOMSS mode=OMSM command, as described in Section 10.8.2, and the idmConfigTool -configOMSS mode=OMSAS command, as described in Installing Oracle Mobile Security Access Server.

OMSS_MSAS_SERVER_PORT

The SSL port where the Oracle Mobile Security Access Server instance will be running.

If the Mobile Security Access Server instance is behind a load balancer, provide the port number of the load balancer.

Properties required only for configuring Mobile Security Access Server using the idmConfigTool -configOMSS mode=OMSAS command


OMSS_OMSAS_AUX_CERTIFICATES_LOCATION

(Optional) A directory location. This directory contains the certificates that are used to establish authentication and trust whenever the Mobile Security Manager Server interacts with external directories or authentication servers.

All certificate files present within this location will be added to the Mobile Security Access Server trust stores.

This and the following two properties are required for Mobile Security Access Server configuration. Note that these properties are required only to run the idmConfigTool -configOMSS mode=OMSAS command. For more information, see "Configuring the Identity Store and Keystores for the MSAS Instance" in Installing Oracle Mobile Security Access Server.

OMSS_OMSAS_IDSTORE_PROFILENAME

Name of the identity store profile for Oracle Mobile Security Access Server. The idmConfigTool command will create an identity store profile for Mobile Security Access Server with this name.

OMSS_GATEWAY_INSTANCE_ID

The name of the Oracle Mobile Security Access Server gateway instance.

You can create and configure the Mobile Security Access Server gateway instance only after you have installed Mobile Security Access Server. For more information, see Installing Oracle Mobile Security Access Server.


Sample Oracle Mobile Security Suite Properties File

IDSTORE_SSL_ENABLED: false
IDSTORE_DIRECTORYTYPE: OUD
IDSTORE_HOST: idstore.example.com
IDSTORE_PORT: 1389
#IDSTORE_SSL_CERT_PATH: path_to_directory_containing_ssl_certificates
IDSTORE_BINDDN: cn=orcladmin
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_USERSEARCHBASE: cn=Users,dc=example,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com
IDSTORE_SEARCHBASE: dc=example,dc=com
IDSTORE_LOGINATTRIBUTE: cn
OMSS_OMSM_IDSTORE_PROFILENAME: msmprofile
WLSHOST: examplehost.example.com
WLSADMIN: weblogic
WLSPORT: 7001
OMSS_DOMAIN_LOCATION: /u01/oracle/admin/oam/user_projects/domains/oam_domain
OMSS_IDSTORE_ROLE_SECURITY_ADMIN: OAMAdministrators
OMSS_IDSTORE_ROLE_SECURITY_HELPDESK: MSMHelpdeskUsers
OMSS_SCEP_DYNAMIC_CHALLENGE_USER: adminuser
OMSS_OMSM_SERVER_NAME: WLS_MSM1
OMSS_OMSM_SERVER_HOST: examplehost1.example.com
OMSS_OAM_POLICY_MGR_SERVER_NAME: WLS_AMA1
OMSS_OMSM_FRONT_END_URL: http://lbr-machine:7777
OMSS_PROXY_SERVER_HOST: www-proxy.example.com
OMSS_PROXY_SERVER_PORT: 80
OMSS_PROXY_USER: proxyuser
OMSS_USE_PROXY: false
OMSS_JDBC_URL: jdbc:oracle:thin:@examplehost.example.com:1521/msmdb.example.com
OMSS_OMSM_SCHEMA_USER: DEV3_OMSM
OMSS_GCM_SENDER_ID: 610046050155
OMSS_APNS_FILE: /scratch/keystores/APNS.p12
OMSS_EXCHANGE_DOMAIN_NAME: test.com
OMSS_EXCHANGE_SERVER_URL: http://testuri.com
OMSS_EXCHANGE_LISTENER_URL: http://testuri.com
OMSS_EXCHANGE_SERVER_VERSION: 2.0
OMSS_EXCHANGE_ADMIN_USER: serviceuser
OMSS_EMAIL_ADMIN_USER: admin@acme.com
OMSS_SMTP_HOST: exchangeurl.example.com
OMSS_SMTP_PORT: 80
OMSS_OMSM_SERVER_KEY_LENGTH: 2048
OMSS_MSAS_SERVER_HOST: examplehost.example.com
OMSS_MSAS_SERVER_PORT: 9001
OMSS_OMSAS_AUX_CERTIFICATES_LOCATION:
OMSS_OMSAS_IDSTORE_PROFILENAME: msasprofile
OMSS_GATEWAY_INSTANCE_ID: msas_gateway-1
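The property descriptions above state a number of dependency rules: the five OMSS_EXCHANGE properties go together, OMSS_EMAIL_ADMIN_USER goes with OMSS_SMTP_HOST and OMSS_SMTP_PORT, a proxy host needs its port and OMSS_USE_PROXY, the OMSS_OMSM_SERVER_HOST list must match the OMSS_OMSM_SERVER_NAME list entry for entry, the JDBC and front-end URLs have fixed formats, and the schema user ends in _OMSM. The following Python script is an added example and is not part of Oracle's tooling or of this guide: it checks those rules against a properties file before idmConfigTool is run. The rule set, the constructed sample file it carries, and its insistence on a key length of at least 2048 bits are assumptions of the example; the property names are the ones documented above.

```python
"""Pre-flight checks for an Oracle Mobile Security Suite properties file.

Added example, not Oracle's code: it encodes the dependency rules stated in the
property descriptions above so that mistakes surface before idmConfigTool
-configOMSS mode=OMSM starts prompting for passwords.  Property names are the
real ones; the rule set, the minimum key length and the sample file are this
example's own assumptions.
"""
import re

# Constructed sample modelled on the page's sample file (IDSTORE_* entries omitted).
SAMPLE_PROPERTIES = """\
OMSS_OMSM_IDSTORE_PROFILENAME: msmprofile
WLSHOST: adminhost.example.com
WLSADMIN: weblogic
WLSPORT: 7001
OMSS_DOMAIN_LOCATION: /u01/oracle/admin/oam/user_projects/domains/oam_domain
OMSS_OMSM_SERVER_NAME: WLS_MSM1, WLS_MSM2
OMSS_OMSM_SERVER_HOST: msmhost1.example.com, msmhost2.example.com
OMSS_OMSM_FRONT_END_URL: https://msm.example.com:443
OMSS_JDBC_URL: jdbc:oracle:thin:@dbhost.example.com:1521/msmdb.example.com
OMSS_OMSM_SCHEMA_USER: DEV3_OMSM
OMSS_EMAIL_ADMIN_USER: msm-admin@example.com
OMSS_SMTP_HOST: smtp.example.com
OMSS_SMTP_PORT: 25
OMSS_MSAS_SERVER_HOST: msas.example.com
OMSS_MSAS_SERVER_PORT: 9001
OMSS_OMSAS_AUX_CERTIFICATES_LOCATION:
"""

# Properties the descriptions above present as required for mode=OMSM.
REQUIRED = ("OMSS_OMSM_IDSTORE_PROFILENAME", "WLSHOST", "WLSADMIN", "WLSPORT",
            "OMSS_DOMAIN_LOCATION", "OMSS_JDBC_URL", "OMSS_OMSM_SCHEMA_USER",
            "OMSS_MSAS_SERVER_HOST", "OMSS_MSAS_SERVER_PORT")
# All-or-none groups: setting one member requires all the others.
EXCHANGE = ("OMSS_EXCHANGE_DOMAIN_NAME", "OMSS_EXCHANGE_SERVER_URL",
            "OMSS_EXCHANGE_LISTENER_URL", "OMSS_EXCHANGE_SERVER_VERSION",
            "OMSS_EXCHANGE_ADMIN_USER")
EMAIL = ("OMSS_EMAIL_ADMIN_USER", "OMSS_SMTP_HOST", "OMSS_SMTP_PORT")

def parse_properties(text):
    """Parse 'KEY: value' lines ('#' lines are comments) into a dict.  Blank
    values are kept, and is_set() treats them like absent keys."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")  # first ':' only; URLs keep theirs
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        props[key.strip()] = value.strip()
    return props

def is_set(props, key):
    return bool(props.get(key, ""))

def missing_from_group(props, group):
    """Members of an all-or-none group that are unset while another member is set."""
    present = [k for k in group if is_set(props, k)]
    return [k for k in group if k not in present] if present else []

def split_list(props, key):
    return [s.strip() for s in props.get(key, "").split(",") if s.strip()]

def check_properties(props):
    """Return a list of problems; an empty list means the file passes."""
    problems = [f"{k} is required" for k in REQUIRED if not is_set(props, k)]
    # Host list, when given, must correspond entry for entry to the server-name list.
    names, hosts = split_list(props, "OMSS_OMSM_SERVER_NAME"), split_list(props, "OMSS_OMSM_SERVER_HOST")
    if hosts and len(hosts) != len(names):
        problems.append("OMSS_OMSM_SERVER_HOST must list one host per OMSS_OMSM_SERVER_NAME entry")
    url = props.get("OMSS_OMSM_FRONT_END_URL", "")
    if url and not re.fullmatch(r"https?://[^/:\s]+:\d+", url):
        problems.append("OMSS_OMSM_FRONT_END_URL must be http://host:port or https://host:sslport")
    jdbc = props.get("OMSS_JDBC_URL", "")
    if jdbc and not re.fullmatch(r"jdbc:oracle:thin:@[^:/\s]+:\d+/[^\s/]+", jdbc):
        problems.append("OMSS_JDBC_URL must be jdbc:oracle:thin:@db_host:port/service_name")
    schema = props.get("OMSS_OMSM_SCHEMA_USER", "")
    if schema and not schema.endswith("_OMSM"):
        problems.append("OMSS_OMSM_SCHEMA_USER should be the RCU prefix followed by _OMSM")
    # A proxy host implies port and OMSS_USE_PROXY; OMSS_PROXY_USER stays optional (unauthenticated proxies).
    if is_set(props, "OMSS_PROXY_SERVER_HOST"):
        problems += [f"{k} is required when OMSS_PROXY_SERVER_HOST is set"
                     for k in ("OMSS_PROXY_SERVER_PORT", "OMSS_USE_PROXY") if not is_set(props, k)]
    if props.get("OMSS_USE_PROXY", "").lower() not in ("", "true", "false"):
        problems.append("OMSS_USE_PROXY must be true or false")
    for group in (EXCHANGE, EMAIL):
        missing = missing_from_group(props, group)
        if missing:
            problems.append(f"set together: {', '.join(group)}; missing {', '.join(missing)}")
    admin = props.get("OMSS_EMAIL_ADMIN_USER", "")
    if admin and "@" not in admin:
        problems.append("OMSS_EMAIL_ADMIN_USER must be an email address")
    # Self-signed CA / server key length (default 2048); refusing shorter keys is this checker's own policy.
    key_len = props.get("OMSS_OMSM_SERVER_KEY_LENGTH", "2048")
    if not key_len.isdigit() or int(key_len) < 2048:
        problems.append("OMSS_OMSM_SERVER_KEY_LENGTH must be an integer of at least 2048 bits")
    return problems
```

Run check_properties(parse_properties(open("omss.properties").read())) against your own file; an empty list means the dependency rules above are satisfied, and each string in a non-empty list names the property to correct. The checker deliberately treats a blank value (such as the empty OMSS_OMSAS_AUX_CERTIFICATES_LOCATION in the sample) as unset, which is how the optional properties in the table behave.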

10.8.2 Running idmConfigTool to Configure Oracle Mobile Security Manager

Perform the steps in this section to run the idmConfigTool -configOMSS mode=OMSM command. This command configures the identity store, keystores, and trust stores for Oracle Mobile Security Manager.

Note:

Before running idmConfigTool:

  • Make sure that you have created the required properties file, as described in Section 10.8.1, "Creating the Oracle Mobile Security Suite Properties File."

  • Ensure that the WebLogic Administration Server and LDAP server are running. At this point, Managed Servers should be down. For more information, see Appendix C, "Starting the Stack."

  • Note that Oracle Access Manager and Oracle Mobile Security Manager must be configured against the same identity store when you run idmConfigTool -configOAM and idmConfigTool -configOMSS mode=OMSM to configure Oracle Access Manager and Oracle Mobile Security Manager, respectively.

  1. Set the following environment variables:

    • Set MW_HOME to the full path of the Oracle Identity and Access Management Middleware home. Enter the path to the Oracle Middleware Home that was created when you installed Oracle WebLogic Server 11g Release 1 (10.3.6) on your system. For example, /u01/oracle/products/fmw_oam.

    • Set ORACLE_HOME to the full path of the Oracle home where Oracle Access Manager and Oracle Mobile Security Manager are installed. Set to the location of your IAM_HOME directory. For example, /u01/oracle/products/fmw_oam/Oracle_IDM1.

    • Set WL_HOME to the top-level directory of your Oracle WebLogic Server installation. For example, /u01/oracle/products/fmw_oam/wlserver_10.3.

    • Set JAVA_HOME to the full path of the JDK directory.

  2. Change directory to the IAM_HOME/idmtools/bin directory:

    cd IAM_HOME/idmtools/bin
    
  3. Run the following command:

    idmConfigTool.sh -configOMSS mode=OMSM input_file=configfile log_level=level log_file=log_file
    

    Where

    • (Required) input_file is the full or relative path to the properties file you created in Section 10.8.1, "Creating the Oracle Mobile Security Suite Properties File."

    • (Optional) log_level is the level of logging performed by idmConfigTool. Possible values are ALL, SEVERE, WARNING, INFO, CONFIG, FINE, FINER, and FINEST. If not specified, the default is INFO.

    • (Optional) log_file is the full or relative path to the file where idmConfigTool will store the log file data. If not specified, idmConfigTool creates a log file named automation.log in the directory where you run the tool.

    For example:

    idmConfigTool.sh -configOMSS mode=OMSM input_file=omss.properties
    

    Where omss.properties is a properties file containing configuration parameters specific to your environment. For information on creating this file, see Section 10.8.1, "Creating the Oracle Mobile Security Suite Properties File."

    Note:

    This command creates the following files in the DOMAIN_HOME/config/fmwconfig directory for the Oracle Mobile Security Manager Server:

    • server-identity.jks: This keystore is used to validate the identity of the Oracle Mobile Security Manager Server when accessed by a Mobile Security Access Server instance.

    • wlstrust.jks: This trust store stores trusted certificates so that Oracle Mobile Security Manager can trust other entities, such as your Mobile Security Access Server instance, database, and Directory Server. However, an administrator might still need to import additional trusted certificates into wlstrust.jks whenever required.

    When the command runs, it prompts you to enter the password of the account used to connect to the identity store. It also prompts you to enter passwords for the following:

    • Enter OMSS Keystore Password: Enter a password that will be used to generate Mobile Security Manager keystores and keys.

    • Enter Email User Password: This prompt is displayed only if you entered a value for OMSS_EMAIL_ADMIN_USER in the properties file. Enter the password for the Oracle Mobile Security Suite email administrator (OMSS_EMAIL_ADMIN_USER).

    • Enter Exchange User Password: This prompt is displayed only if you entered a value for OMSS_EXCHANGE_ADMIN_USER in the properties file. Enter the password for the Exchange server's administrative user (OMSS_EXCHANGE_ADMIN_USER).

    • Enter Proxy User Password: This prompt is displayed only if you entered a value for OMSS_PROXY_USER in the properties file. Enter the password for connecting to the proxy server.

    • Enter SCEP Dynamic Challenge Password: This prompt is displayed only if you entered a value for OMSS_SCEP_DYNAMIC_CHALLENGE_USER in the properties file. Enter the password for the SCEP Dynamic Challenge user (OMSS_SCEP_DYNAMIC_CHALLENGE_USER).

    • Enter OMSM Schema User Password: Enter the password for the Oracle Mobile Security Manager schema.

    • Enter APNS Keystore Password: This prompt is displayed only if you entered a value for OMSS_APNS_FILE in the properties file. Enter the Apple Push Notification Service (APNs) keystore password.

    • Enter GCM API Key: This prompt is displayed only if you entered a value for OMSS_GCM_SENDER_ID in the properties file. Enter the API key value for Google Cloud Messaging (GCM) notifications.

    • Enter Weblogic Password: Enter the password for the WebLogic Server Administrator user (WLSADMIN).

    Sample command output:

    Enter ID Store Bind DN Password:
    Enter OMSS Keystore Password:
    Enter Email User Password:
    Enter Exchange User Password:
    Enter Proxy User Password:
    Enter SCEP Dynamic Challenge Password:
    Enter OMSM Schema User Password:
    Enter APNS Keystore Password:
    Enter GCM API Key:
    Enter Weblogic Password:
    (1/8) MSM Configurations                          Success
    (2/8) Seeding User Notification Templates         Success 
    (3/8) Seeding CSF Credentials                     Success
    (4/8) Configuring IDS Profile                     Success
    (5/8) Configuring OMSS Authentication Provider    Success
    (6/8) Creating MSM Keystores                      Success
    (7/8) Configuring MSM Server's SSL                Success
    (8/8) OAM Console Integration                     Success
    
  4. Check the log file for any errors or warnings and correct them before continuing.

  5. Restart the WebLogic Administration Server for certain changes to take effect.
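Step 4 asks you to check the log for errors and warnings before continuing, and the sample output in step 3 shows the eight-step summary that a complete run prints. The following Python script is an added example, not Oracle's code: it parses that summary to catch steps that failed or were never reached, and scans the log for SEVERE and WARNING records. The log layout it assumes (an ISO timestamp followed by the java.util.logging level name, which is the family of level names the log_level option accepts) and the sample output and log lines are constructed for the example.

```python
"""Post-run review of idmConfigTool -configOMSS mode=OMSM output.

Added example, not Oracle's code.  It reads the "(n/8) ... Success" step
summary printed by the tool (shown above) and the log file that step 4 says
to check.  The log record layout assumed here, "<timestamp> <LEVEL>: <text>",
is a constructed assumption, as are the sample lines below.
"""
import re

STEP_RE = re.compile(r"^\((\d+)/(\d+)\)\s+(.+?)\s{2,}(\S+)$")
LEVEL_RE = re.compile(r"\b(SEVERE|WARNING)\b:?\s*(.*)")

# Constructed: the page's step summary with one step failed and the rest not reached.
SAMPLE_OUTPUT = """\
(1/8) MSM Configurations                          Success
(2/8) Seeding User Notification Templates         Success
(3/8) Seeding CSF Credentials                     Success
(4/8) Configuring IDS Profile                     Success
(5/8) Configuring OMSS Authentication Provider    Success
(6/8) Creating MSM Keystores                      Failed
"""

# Constructed log excerpt in the assumed layout.
SAMPLE_LOG = """\
2015-03-01T10:00:01 INFO: Connecting to WebLogic Administration Server adminhost.example.com:7001
2015-03-01T10:00:04 WARNING: certificate for idstore.example.com not found in wlstrust.jks
2015-03-01T10:00:05 SEVERE: keystore server-identity.jks could not be written
"""

def parse_steps(output):
    """Return (number, total, name, status) for every step line in the output."""
    steps = []
    for line in output.splitlines():
        m = STEP_RE.match(line.strip())
        if m:
            steps.append((int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)))
    return steps

def step_problems(output):
    """Steps that did not report Success, plus steps the run never reached."""
    steps = parse_steps(output)
    total = max((t for _, t, _, _ in steps), default=0)
    problems = [f"step {n}/{t} {name}: {status}" for n, t, name, status in steps if status != "Success"]
    reported = {n for n, _, _, _ in steps}
    problems += [f"step {n}/{total}: not reached" for n in range(1, total + 1) if n not in reported]
    return problems

def log_problems(log_text):
    """SEVERE and WARNING records, which step 4 says must be corrected before continuing."""
    findings = []
    for line in log_text.splitlines():
        m = LEVEL_RE.search(line)
        if m:
            findings.append(f"{m.group(1)}: {m.group(2).strip()}")
    return findings

def review_run(output, log_text):
    """Everything an administrator must resolve before restarting the Administration Server."""
    return step_problems(output) + log_problems(log_text)
```

Feed it the captured console output and the contents of automation.log (or of the log_file you passed to the tool); an empty result from review_run means all eight steps reported Success and the log carries no SEVERE or WARNING records, so step 5 can proceed.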

Note:

After you have completed all the required configuration steps, as described in the Configuration Roadmap for Oracle Mobile Security Suite, the default administrator roles, users, and groups for your Oracle Mobile Security Suite deployment are configured as follows:

  • The Oracle Access Manager administrator user (IDSTORE_OAMADMINUSER) is a member of the Oracle Access Manager administrator group (OAM11G_IDSTORE_ROLE_SECURITY_ADMIN) in the identity store.

  • The Oracle Access Manager administrator group (OAM11G_IDSTORE_ROLE_SECURITY_ADMIN) is a member of the WebLogic Server administrator group (IDSTORE_WLSADMINGROUP) in the identity store.

  • The WebLogic Server administrator user (IDSTORE_WLSADMINUSER) is a member of the WebLogic Server administrator group (IDSTORE_WLSADMINGROUP) in the identity store.

  • The WebLogic Server administrator group (IDSTORE_WLSADMINGROUP) maps to the WebLogic Admin role in WebLogic Server.

  • The Oracle Access Manager administrator group (OAM11G_IDSTORE_ROLE_SECURITY_ADMIN) maps to the Oracle Access Manager admin role in Oracle Access Manager.

These five statements together give you two users: IDSTORE_OAMADMINUSER and IDSTORE_WLSADMINUSER. These two users are granted the following privileges:

  • The IDSTORE_OAMADMINUSER user has full administration privileges over Oracle WebLogic Server, Oracle Access Manager, and Oracle Mobile Security Suite components. This user can log in to the WebLogic Server Administration Console, the Oracle Access Management Console, and the Policy Manager Console (to access the Mobile Security Manager pages) without any authentication or authorization issues.

  • The IDSTORE_WLSADMINUSER user has full administration privileges over WebLogic Server only. This user is granted administrator privileges on the WebLogic Server Administration Console. Note that this user can only be used for WebLogic Server administration. This user cannot be used for Oracle Access Management and Oracle Mobile Security Suite administration.

If you want to create and add additional administrator groups after configuration, see Section 10.11, "Optional: Creating Additional Administrator Groups After Configuration."

Note:

After running the idmConfigTool -configOMSS mode=OMSM command, you can create Managed Servers on remote machines by using the pack and unpack commands. For more information, see "Creating and Starting a Managed Server on a Remote Machine" in Creating Templates and Domains Using the Pack and Unpack Commands.

10.9 Starting the Managed Servers

After successfully running the idmConfigTool -configOMSS mode=OMSM command, start the Managed Servers for Oracle Access Manager (WLS_OAM1), Access Manager Policy Manager (WLS_AMA1), and Oracle Mobile Security Manager (WLS_MSM1). For more information, see Appendix C, "Starting the Stack."

10.10 Verifying Oracle Access Manager and Oracle Mobile Security Manager

Verify the configuration of Oracle Mobile Security Manager and Oracle Access Manager, as follows:

  1. Ensure that the following servers are up and running:

    • Oracle WebLogic Administration Server

    • Oracle Access Manager Managed Server (WLS_OAM1)

    • Oracle Access Manager Policy Manager Managed Server (WLS_AMA1)

    • Oracle Mobile Security Manager Managed Server (WLS_MSM1)

  2. Verify the Oracle WebLogic Server Administration Console. If the installation and configuration are successful, this console shows the Administration Server in running mode.

  3. Log in to the Administration Console for Oracle Access Management using the following URL:

    http://adminserver_host:adminserver_port/oamconsole
    

    When you access this Administration Console running on the Administration Server, you are prompted to enter a user name and password. Log in as the Oracle Access Manager administrator user (IDSTORE_OAMADMINUSER) you created in Section 10.6, "Preparing Your LDAP Directory as the Identity Store." Note that you must have Administrator's role and privileges.

  4. Log in to the Oracle Access Manager Policy Manager Console using the following URL:

    http://oam_policy_mgr_host:oam_policy_mgr_port/access
    

    When you access the Policy Manager Console running on the Policy Manager Server, you are prompted to enter a user name and password. Log in as the Oracle Access Manager administrator user (IDSTORE_OAMADMINUSER) you created in Section 10.6, "Preparing Your LDAP Directory as the Identity Store."

    For more information about the Policy Manager Server, see the "Unified Access Console" topic in Administering Oracle Mobile Security Suite.

  5. From the Policy Manager Console, click the Configuration tab in the top right corner.

  6. In the Configuration Launch Pad, click Available Services.

  7. On the Available Services page, ensure that the status of Mobile Security Service has a green check mark. If not, click Enable Service next to Mobile Security Service to enable the status of Mobile Security Service.

    After you enable Mobile Security Service, you can access the Mobile Security Manager pages on the Policy Manager Console.

  8. To access the Mobile Security Manager console pages, click the Mobile Security tab in the top right corner.

    The Mobile Security Launch Pad opens. Under Mobile Security Manager, click View to choose from the Mobile Security Manager console pages in the menu.

    For more information about these pages, see "Working With the Mobile Security Manager Console Pages" in Administering Oracle Mobile Security Suite.

10.11 Optional: Creating Additional Administrator Groups After Configuration

After the installation and configuration process, specific users, groups, and roles for your Oracle Mobile Security Suite deployment have been set up in the LDAP directory by default. If you want to create and add additional administrator groups for Oracle Access Manager and Oracle Mobile Security Suite administration, see the following topics:

10.11.1 Creating Additional System Administrator Groups After Configuration

After configuration, the Oracle Access Manager administrator group, OAM11G_IDSTORE_ROLE_SECURITY_ADMIN, is configured as the default administrator group that has administrator privileges over both Oracle Access Manager and Oracle Mobile Security Suite.

To assign full Oracle Access Manager and Oracle Mobile Security Suite administrator privileges to an additional LDAP group:

  1. Create a group in the LDAP directory or use an existing group that you have already created.

  2. Log in to the Policy Manager Console as the Oracle Access Manager administrator user, IDSTORE_OAMADMINUSER.

    http://oam_policy_mgr_host:oam_policy_mgr_port/access
    
  3. Grant Oracle Access Manager administrator group privileges to the new group.

    1. Click the Configuration tab in the top right corner.

    2. In the Configuration Launch Pad, click Administration.

    3. On the Administration page, click Grant.

    4. Enter the name of the group in the Name field and click Search.

    5. In the search results, select the name of the group.

    6. For Role, select System Administrator.

    7. Click Add selected.

  4. If Oracle Mobile Security Manager configuration, as described in Section 10.8, "Configuring Oracle Mobile Security Manager," is already complete, then this new group will be automatically added as an Oracle Mobile Security Suite administrator group as well.

    However, if Oracle Mobile Security Manager is not yet configured, then you must manually assign the group to be an Oracle Mobile Security Suite administrator group. To do this, perform the following steps:

    1. Navigate to the Configuration Launch Pad in the Configuration tab.

    2. Under Settings, click View and select Mobile Security Manager Settings.

    3. On the Mobile Security Settings page, select Identity Store Settings.

    4. Under System Admin Groups, click Add.

    5. In the Group Name field, enter the name of the LDAP group to be added as an Oracle Mobile Security Suite administrator group.

    6. Click Apply.

  5. Grant WebLogic administrator privileges to the new administrator group.

    To do this, either make the group a member of the WebLogic Server administrator group, IDSTORE_WLSADMINGROUP, or grant WebLogic administrator privileges through the WebLogic Server Administration Console as follows:

    1. Log in to the WebLogic Server Administration Console.

    2. Click Security Realms from the Domain Structure menu.

    3. Click myrealm in the Realms table.

    4. Click the Roles and Policies tab.

    5. Expand the Global Roles entry in the Roles table. This brings up the entry for Roles.

    6. Click Roles under the Global Roles entry.

    7. Click the Admin role in the Global Roles table.

    8. Under Role Conditions, click Add Conditions.

    9. Select Group from the predicate list and click Next.

    10. In the Group Argument Name field, enter the name of the new group.

      Click Add.

    11. Click Finish.

      Role Conditions now shows the new administrator group as an entry.

    12. Click Save, and then restart the Administration Server and Managed Servers.

10.11.2 Creating Help Desk Administrator Groups After Configuration

After configuration, the Oracle Mobile Security Suite help desk role, OMSS_IDSTORE_ROLE_SECURITY_HELPDESK, is configured as the default administrator role that provides help desk administrative privileges for some Oracle Mobile Security Suite operations. A help desk role is associated with a directory group, which has limited administrator privileges. This group has to be created manually.

To assign help desk privileges to an LDAP group:

  1. Create a group in the LDAP directory or use an existing group that you have already created.

  2. Log in to the Policy Manager Console as the Oracle Access Manager administrator user, IDSTORE_OAMADMINUSER.

    http://oam_policy_mgr_host:oam_policy_mgr_port/access
    
  3. Grant Oracle Access Manager help desk administrator privileges to the group.

    1. Click the Configuration tab in the top right corner.

    2. In the Configuration Launch Pad, click Administration.

    3. On the Administration page, click Grant.

    4. Enter the name of the group in the Name field and click Search.

    5. In the search results, select the name of the group.

    6. For Role, select Help Desk Administrator.

    7. Click Add selected.

  4. If Oracle Mobile Security Manager configuration, as described in Section 10.8, "Configuring Oracle Mobile Security Manager," is already complete, then this new group will be automatically added as an Oracle Mobile Security Suite help desk administrator group as well.

    However, if Oracle Mobile Security Manager is not yet configured, then you must manually assign the group to be an Oracle Mobile Security Suite help desk group. To do this, perform the following steps:

    1. Navigate to the Configuration Launch Pad in the Configuration tab.

    2. Under Settings, click View and select Mobile Security Manager Settings.

    3. On the Mobile Security Settings page, select Identity Store Settings.

    4. Under Helpdesk Groups, click Add.

    5. In the Group Name field, enter the name of the LDAP group to be added as an Oracle Mobile Security Suite help desk administrator group.

    6. Click Apply.

10.12 Installing Oracle Mobile Security Access Server

After installing and configuring Oracle Mobile Security Manager with Oracle Access Manager, you need to install and configure the Oracle Mobile Security Access Server component. This document does not cover installing Mobile Security Access Server. To install Mobile Security Access Server, follow the instructions in Installing Oracle Mobile Security Access Server.

10.13 Getting Started with Oracle Mobile Security Suite After Installation

After installing Oracle Mobile Security Suite, refer to the following links to get started working with the Oracle Mobile Security Suite components: