The IdM configuration tool (idmConfigTool) performs a number of tasks to assist in installing, configuring, and integrating Oracle identity management (IdM) components. This appendix explains how to use the tool.
Notes:
idmConfigTool command syntax and related details. Use this appendix as a reference whenever you are executing idmConfigTool as directed by your integration procedure or task.Ensure that the LDAP server, as well as the admin servers hosting OAM, OIM are up before you run idmConfigTool
This appendix contains these sections:
This section contains these topics:
idmConfigTool supports these 11g components:
Oracle Internet Directory
Oracle Virtual Directory
Oracle Access Management Access Manager
Oracle Identity Manager
Oracle Unified Directory (OUD)
Oracle Access Management Mobile and Social
Use idmConfigTool in these situations:
Prior to installing Oracle Identity Manager and Oracle Access Management Access Manager
After installing Oracle Identity Manager and Oracle Access Management Access Manager
After installing Oracle Access Management Mobile and Social
When dumping the configuration of IdM components Oracle Internet Directory, Oracle Unified Directory, Oracle Virtual Directory, Oracle Identity Manager, and Oracle Access Manager
When validating the configuration parameters for Oracle Internet Directory, Oracle Virtual Directory, Oracle Identity Manager, and Oracle Access Manager
Section D.1.3 explains the tasks the tool performs in each situation.
The idmConfigTool helps you to perform the following tasks efficiently:
To validate configuration properties representing the Identity Management components Oracle Internet Directory (OID), Oracle Virtual Directory (OVD), Oracle Unified Directory (OUD), Oracle Access Management Access Manager (OAM) and Oracle Identity Manager (OIM).
To pre-configure the Identity Store components (OID, OVD, and OUD) to install the other Identity Management components, including OAM, OIM, and Oracle Access Management Mobile and Social.
To post-configure the OAM, OIM components and wiring of those components.
To extract the configuration of the Identity Management components OID, OVD, OUD, OAM, and OIM.
See Also:
Section D.3.1.The idmConfigTool is located at:
IAM_ORACLE_HOME/idmtools/bin
where IAM_ORACLE_HOME is the directory in which OIM and OAM are installed.
To execute idmConfigTool on Linux
cd <IAM_ORACLE_HOME>/idmtools/bin ./idmConfigTool.sh
To execute idmConfigTool on Windows
cd <IAM_ORACLE_HOME>\idmtools\bin idmConfigTool.cmd
The idmConfigTool supports OAM 11g Webgates by default. It also supports 10g Webgates.
The tool supports two types of scenarios with regard to Weblogic domains:
A single-domain configuration in which both Access Manager and Oracle Identity Manager servers are configured in the same Weblogic domain
A dual or cross-domain configuration in which Access Manager and Oracle Identity Manager servers are configured on separate Weblogic domains
See Also:
Section 1.2 for architecture details.You must configure the environment before running the IdM configuration tool.
Set the following variables:
Table D-1 Environment Variables for IdM Configuration Tool (idmConfigTool)
| Variable | Description |
|---|---|
|
|
This is the full path of the installation's Middleware home. Enter the path to the Oracle Middleware Home that was created when you installed Oracle WebLogic Server on your system. For example, if you install in
|
|
|
Not mandatory. It is set to See |
|
|
This is the full path of the JDK directory. If running on IBM WebSphere, this variable must point to the IBM JDK. Set the value to the full path of the JDK. For example:
Important: On IBM WebSphere, do not use a JDK other than the IBM JDK. |
|
|
|
|
|
Set to the full path of the Oracle home. For IdM integrations, set to |
|
|
Required on IBM WebSphere. Set to |
|
|
Required on IBM WebSphere. Set the value to the full path of the WebSphere application server home directory. For example:
|
|
|
Required on IBM WebSphere. Specifies the deployment manager profile home directory.The deployment manager deploys applications to a cell of application servers which it manages. A profile defines the runtime environment and includes all the configurable files that the server processes in the run-time environment. Set to an absolute path, for example:
|
This section contains these topics:
The tool has the following syntax on Linux:
idmConfigTool.sh -command input_file=filename log_file=logfileName log_level=log_level
The tool has the following syntax on Windows:
idmConfigTool.bat -command input_file=filename log_file=logfileName log_level=log_level
Values for command are as follows:
| Command | Component name | Description |
|---|---|---|
preConfigIDStore |
Identity Store | Configures the identity store and policy store by creating the groups and setting ACIs to the various containers. |
prepareIDStore mode= OAM OIM WLS FUSION OAAM APM all |
Identity Store | Configures the identity store by adding necessary users and associating users with groups. Modes enable you to configure for a specific component.
You can run this command on Oracle WebLogic Server (mode=WLS) or IBM WebSphere (mode=WAS). |
configPolicyStore |
Policy Store | Configures policy store by creating read-write user and associates them to the groups. |
configOAM |
Oracle Access Manager
Oracle Identity Manager |
Prepares Access Manager for integration with Oracle Identity Manager. |
configOIM |
Oracle Access Manager
Oracle Identity Manager |
Sets up wiring between Access Manager and Oracle Identity Manager. |
configOMSS |
Oracle Access Management Mobile and Social | Performs post-install configuration for Oracle Access Management Mobile and Social |
configOVD |
Oracle Virtual Directory | Creates OVD adapters. |
disableOVDAccessConfig |
Oracle Virtual Directory | Disables anonymous access to the OVD server. Post-upgrade command. Note: configOVD performs this task automatically when run. |
postProvConfig |
Identity Store | Performs post-provisioning configuration of the identity store. |
validate IDSTORE POLICYSTORE OAM11g OAM10g OIM |
Various | Validates the set of input properties for the named entity. |
ovdConfigUpgrade |
Oracle Virtual Directory | Updates the configuration for an upgraded OVD with split profile. |
upgradeLDAPUsersForSSO |
Oracle Identity Manager
Access Manager |
Updates existing users in OID by adding certain object classes which are needed for Oracle Identity Manager-Access Manager integration. |
upgradeOIMTo11gWebgate |
Oracle Identity Manager
Access Manager |
Upgrades an existing configuration consisting of integrated Oracle Identity Manager-Access Manager, using Webgate 10g, to use Webgate 11g |
You must run this tool as a user with administrative privileges when configuring the identity store or the policy store.
The validate command requires a component name.
Caution:
The commands cannot be run in isolation. Run them in the context of explicit integration procedures; use this appendix only as a command reference.idmConfigTool creates or updates certain files upon execution.
When you run the idmConfigTool, the tool creates or appends to the file idmDomainConfig.param in the directory from which you run the tool. To ensure that the same file is appended to each time the tool is run, always run idmConfigTool from the directory:
IAM_ORACLE_HOME/idmtools/bin
You can specify a log file using the log_file attribute of idmConfigTool.
If you do not explicitly specify a log file, a file named automation.log is created in the directory where you run the tool.
Check the log file for any errors or warnings and correct them.
This section describes the properties file that can be used with idmConfigTool.
A properties file provides a convenient way to specify command properties and enable you to save properties for reference and later use. You can specify a properties file, containing execution properties, as input command options. The properties file is a simple text file which must be available at the time the command is executed.
For security you are advised not to insert passwords into the properties file. The tool prompts you for the relevant passwords at execution.
Table D-2 lists the properties used by integration command options in the idmConfigTool command. The properties are listed in alphabetical order.
WARNING:
For security, do not put password values in your properties files. idmConfigTool prompts for passwords upon execution.
Table D-2 Properties Used in IdMConfigtool properties Files
| Parameter | Example Value | Description |
|---|---|---|
|
|
|
The Access Manager access gate ID with which Oracle Identity Manager needs to communicate. |
|
|
|
Access Manager Access Server host name |
|
|
|
Access Manager NAP port. |
|
|
/scratch/silent_omsm/keystores/APNS.p12 |
Apple Push Notification Service (APNS) keystore file; used to establish secure connection to Apple server to send notifications. |
|
|
APNS keystore password. |
|
|
|
|
File location of Apple root CA. Required during iOS device enrollment in Oracle Mobile Security Suite (OMSS). |
|
|
|
URI required by Oracle Platform Security Services (OPSS). Default value is |
|
|
|
Web domain on which the Oracle Identity Manager application resides. Specify the domain in the format |
|
|
-1 |
Cookie expiration period. Set to -1 to denote that the cookie expires when the session is closed. |
|
|
Database password, used in conjunction with JDCB_URL. |
|
|
|
|
The location of the Oracle Identity Manager domain (and OMSM, if applicable). |
|
|
|
The Oracle Identity Manager domain name. |
|
|
admin@example.com |
E-mail admin user; must be an e-mail address. |
|
|
Email admin user's password |
|
|
|
example.com |
Domain name of the exchange server. |
|
|
http://testuri.com |
URL of the exchange server. |
|
|
http://testuri.com |
URL of the exchange listener. |
|
|
2.0 |
The version of the exchange server. |
|
|
serviceuser |
Admin user of the exchange server. |
|
|
Password of the exchange server's admin user. |
|
|
|
AIzaSyCh_JALj5Y |
GCM notification API key. |
|
|
6.10046E+11 |
GCM notification sender ID. |
|
|
|
The admin port for an Oracle Unified Directory (OUD) identity store.
|
|
|
|
Host name of the LDAP identity store directory (corresponding to the IDSTORE_DIRECTORYTYPE). If your identity store is in Oracle Unified Directory or Oracle Unified Directory, then |
|
|
|
Port number of the LDAP identity store (corresponding to the IDSTORE_DIRECTORYTYPE). |
|
|
cn=orcladmin |
Administrative user in the identity store directory. |
|
|
cn |
Username attribute used to set and search for users in the identity store. Set to part of the user DN. For example, if the user DN is |
|
|
uid or |
Login attribute of the identity store which contains the user's login name. This is the attribute the user uses for login. |
|
|
cn=Users,dc=us,dc=example,dc=com |
Location in the directory where users are stored. This property tells the directory where to search for users. |
|
|
dc=us,dc=example,dc=com |
Search base for users and groups contained in the identity store. Parent location that contains the For example: IDSTORE_SEARCHBASE: cn=oracleAccounts, dc=example,dc=com IDSTORE_USERSEARCHBASE: cn=Users,cn=oracleAccounts,dc=example,dc=com IDSTORE_GROUPSEARCHBASE: cn=Groups,cn=oracleAccounts,dc=example,dc=com |
|
|
cn=Groups,dc=us,dc=example,dc=com |
The location in the directory where groups (or roles) are stored. This property tells the directory where to search for groups or roles. |
|
|
oamLDAP |
The username used to establish the Access Manager identity store connection. This user is created by the |
|
|
oamadmin |
The identity store administrator you want to create for Access Manager. Required only if the identity store is set as the system identity store. The administrator is created by the |
|
|
oaamadmin |
The identity store administrator for Oracle Adaptive Access Manager. |
|
|
idsprofile |
Name of the identity store profile. |
|
|
cn=system, dc=test |
Location of a container in the directory where system operations users are stored so that they are kept separate from enterprise users stored in the main user container. There are only a few system operations users. One example is the Oracle Identity Manager reconciliation user which is also used for the bind DN user in Oracle Virtual Directory adapters. |
|
|
User with read-only permissions to the identity store. |
|
|
|
User with read-write permissions to the identity store. |
|
|
|
The Oracle Fusion Applications superuser in the identity store. |
|
|
|
The administrator of the xelsysadm system account. |
|
|
|
The identity store administrator for Oracle Identity Manager. User that Oracle Identity Manager uses to connect to the identity store |
|
|
|
The Oracle Identity Manager administrator group you want to create to hold your Oracle Identity Manager administrative users. |
|
|
|
Whether SSL to the identity store is enabled. Valid values: true | false |
|
|
|
|
Location of the keystore file containing identity store credentials. Applies to and required for Oracle Unified Directory identity stores. |
|
|
4VYGtJLG61V5OjDWKe94e601x7tgLFs |
Password of the identity store directory administrator. Not plain-text. Applies to and required for Oracle Unified Directory identity stores. This value can be found in the file |
|
|
Used for identity store validation. Used in Oracle Fusion Applications environment. |
|
|
|
|
Directory type of the identity store for which the authenticator must be created. Set to Set it to Set to OUD if your identity store is Oracle Unified Directory and you are accessing it directly rather than through Oracle Virtual Directory. Valid values: OID, OVD, OUD, AD |
|
|
cn=systemids,dc=example,dc=com |
The administrator of the identity store directory. Provide the complete LDAP DN of the same user specified for IDSTORE_OAMSOFTWAREUSER. The username alone is not sufficient. |
|
|
weblogic_idm |
The identity store administrator for Oracle WebLogic Server; usually |
|
|
The password of the identity store administrator for Oracle WebLogic Server. |
|
|
|
|
The identity store administrator group for Oracle WebLogic Server. |
|
|
The "wasadmin" user (IBM WebSphere). |
|
|
|
jdbc:oracle:thin:@example.com:5521:msmdb |
JDBC URL used to seed APNS/GCM data. |
|
|
. |
The host name of the LDAP server |
|
|
The LDAP server port number. |
|
|
|
. |
The bind DN for the LDAP server |
|
|
Indicates whether the connection to the LDAP server is over SSL. Valid values are True or False |
|
|
|
The base DN of the LDAP server. |
|
|
|
The OVD base DN of the LDAP server. |
|
|
|
The directory type for the LDAP server. n is 1, 2, and so on. For a single-node configuration specify LDAP1. |
|
|
|
/${app.context}/adfAuthentication |
URI required by OPSS. Default value is /${app.context}/adfAuthentication |
|
|
/oamsso/logout.html |
URI required by OPSS. Default value is /oamsso/logout.html |
|
|
jdbc:oracle:thin:@DBHOST:1521:SID |
URL of the MDS database. It represents a single instance database. The string following the ' |
|
|
edg_mds |
Username of the MDS schema user. MDS schema which Oracle Identity Manager is using. |
|
|
DEV87_OMSM |
Mobile Security Manager (MSM) database schema username. |
|
|
2048 |
Key length for the self-signed CA and generated keys for the MSM server. Defaults to 2048. |
|
|
omsm_server1 |
Name of the MSM server. Provide this only if the MSM server is renamed to a different value during domain configuration. |
|
|
server1.example.com |
MSAS server host name. |
|
|
11001 |
MSAS server's SSL port. |
|
|
10g |
Set to Required when Access Manager server does not support 11g webgate in Oracle Identity Manager-Access Manager integration. In that case, provide the value as '10g'. Valid values are 10g, 11g. |
|
|
|
The transfer mode for the Access Manager agent being configured. If your access manager servers are configured to accept requests using the simple mode, set OAM_TRANSFER_MODE to SIMPLE. Valid values are OPEN, SIMPLE or CERT. |
|
|
|
The security model in which the Access Manager 11g server functions. Valid values: OPEN or SIMPLE. |
|
|
false |
Configures Access Manager 11g as authentication only mode or normal mode, which supports authentication and authorization. Default value is If set to If the value is |
|
|
|
Name of the group that is used to allow access to the Oracle Access Management Administration Console to administer role security in identity store. |
|
|
false |
Specifies whether to integrate with Oracle Identity Manager or configure Access Manager in stand-alone mode. Set to Valid values: true (integration) | false |
|
|
sso.example.com |
Host name of the load balancer to the Oracle HTTP (OHS) server front-ending the Access Manager server. This and the following two parameters are used to construct your login URL. |
|
|
443 |
Port number of the load balancer to the OHS server front-ending the Access Manager server. |
|
|
https |
Protocol of the load balancer to the OHS server front-ending the Access Manager server. Valid values: HTTP, HTTPS |
|
|
uid |
At a login attempt, the username is validated against this attribute in the identity store. Setting to |
|
|
The global session timeout for sessions in the Access Manager server. |
|
|
|
Global session expiry time for a session in the Access Manager server. |
|
|
|
Global maximum sessions per user in the Access Manager server. |
|
|
|
The identity store name. If you already have an identity Store in place which you wish to reuse (rather than allowing the tool to create a new one for you), set this parameter to the name of the Identity Store. The default value is "OAMIDStore". |
|
|
|
Enable or disable impersonation in Access Manager server. Applicable to Oracle Fusion Applications environment. Valid values: true (enable) | false The default is false. If you are using impersonalization, you must manually set this value to true. |
|
|
|
sso.example.com |
Host name of the load balancer which is in front of OHS in a high-availability configuration. |
|
|
443 |
Port number on which the load balancer specified as OAM11G_IDM_DOMAIN_OHS_HOST listens. |
|
|
https |
Protocol for IDM OHS. Protocol to use when directing requests to the load balancer. Valid values: HTTP | HTTPS |
|
|
https://sso.example.com:443/test |
URL of the load balancer or OHS fronting the OIM server. |
|
|
true |
Deny on protected flag for 10g webgate Valid values: true | false |
|
|
simple |
Transfer mode for the IDM domain agent. Valid values: OPEN | SIMPLE | CERT |
|
|
/console/jsp/common/logout.jsp,/em/targetauth/emaslogout.jsp |
Comma-separated list of Access Manager logout URLs. |
|
|
myhost.example.com |
On WebLogic Server: Host name of the Access Manager domain admin server. On IBM WebSphere: The Access Manager application server host. |
|
|
7001 |
On WebLogic Server: Port on which the Access Manager domain admin server is running. On IBM WebSphere: Deployment Manager bootstrap port for Access Manager cell. |
|
|
wlsadmin, wasadmin |
On WebLogic Server: The username of the Access Manager domain administrator. On IBM WebSphere: Primary administrative user name for Access Manager cell. |
|
|
1443 |
On IBM WebSphere, OAM node's OracleAdminServer default port number |
|
|
oam_policy_mgr1 |
Name of the Access Manager policy manager server. Provide this only if the policy manager server is renamed to a different value during domain configuration. |
|
|
The URL needed to connect to the Oracle Identity Manager database. |
|
|
|
The schema user for the Oracle Identity Manager database. |
|
|
|
host123.example.com |
The host name of the LBR server front-ending Oracle Identity Manager. |
|
|
7011 |
The port number of the LBR server front-ending Oracle Identity Manager. |
|
|
|
The name of the Oracle Identity Manager managed server. If clustered, any of the managed servers can be specified. |
|
|
The host name of the Oracle Identity Manager managed server. |
|
|
|
The port number of the Oracle Identity Manager managed server. |
|
|
|
https://msm.example.com:1234/ |
The URL of the Oracle Mobile Security Manager server. Required only if MSM URL needs to be seeded in Oracle Identity Manager and the system property OMSS Enabled set. OIM_MSM_REST_SERVER_URL enables the Mobile Security Manager task flows in the Oracle Identity Manager console. If not set, configOIM will continue the configuration without configuring the Mobile Security Manager. The prerequisite for OMSS Enabled is that the Oracle Identity Manager server should be up. |
|
|
The host name for the Oracle Identity Manager T3 server. |
|
|
|
The port number of the Oracle Identity Manager T3 server. |
|
|
|
The location of the |
|
|
|
Password used to generate OMSM keystores and keys |
|
|
|
MSMAdmin |
Name of the admin group whose members have admin privileges for OMSM operations. Default is "IDM Administrators". |
|
|
MSMHelpDeskUsers |
Name of the msm helpdesk group, whose members get helpdesk privileges for OMSM operations. Default is "MSMHelpdeskUsers". |
|
|
OVD Server host name |
|
|
|
OVD Server port number |
|
|
|
OVD Server bind DN |
|
|
|
Indicates whether the connection is over SSL. Valid values are True or False |
|
|
|
Indicates whether Oracle Access Manager is enabled. Valid values are True or False |
|
|
|
true |
Denotes whether the policy store and identity store share the directory. Always Valid values: true, false |
|
|
mynode.us.example.com |
The host name of your policy store directory. |
|
|
1234 |
The port number of your policy store directory. |
|
|
cn=orcladmin |
Administrative user in the policy store directory. |
|
|
dc=example,dc=com |
The location in the directory where users and groups are stored. |
|
|
cn=systemids, dc=example,dc=com |
The read-only and read-write users for policy store are created in this location. Default value is cn=systemids, |
|
|
|
A user with read privileges in the policy store. |
|
|
|
A user with read and write privileges in the policy store. |
|
|
|
The name of the container used for OPSS policy information |
|
|
Whether the policy store is SSL-enabled. |
|
|
|
The location of the keystore file for an SSL-enabled policy store. |
|
|
|
www-proxy.example.com |
Proxy server's host name. |
|
|
80 |
Proxy server's port. |
|
|
proxyuserA |
User for proxy. |
|
|
Password for proxy user. |
|
|
|
OMSM uses a Simple Certificate Enrollment Protocol (SCEP) dynamic challenge for external SCEP authentication during the enrollment phase. This user account is used for authentication. |
|
|
|
SCEP dynamic challenge user's password |
|
|
|
true |
Flag to force Valid values are true, false. Setting to true is required to suppress the double authentication of Oracle Access Management administration console in a split domain scenario. |
|
|
false |
Flag to determine if SSO should be enabled. Valid values are true, false. |
|
|
|
The type of WebGate agent you want to create. Set to:
|
|
|
idmhost1.example.com:5575,idmhost2.example.com:5575 |
A comma-separated list of your Access Manager servers and their proxy ports. To determine the proxy ports your Access Manager servers:
|
|
|
exchangeurl.us.example.com |
E-mail host. |
|
|
80 |
E-mail port. |
|
|
com.apple.mgmt.External.2544264e-aa8a-4654-bfff-9d897ed39a87 |
Topic used in Apple's APNS certificate; used to send APNS notification. The value should match the UID of the APNS key. |
|
|
true |
Indicates whether to use a proxy. Valid values are true, false. |
|
|
|
WebLogic Server host name (host name of your administration server). |
|
|
7001 |
The WebLogic Server port number |
|
|
wlsadmin |
The administrator login, depending on the application server context. |
|
|
The WebLogic Server administrator password. |
idmConfigTool logs execution details to a file called automation.log, which is helpful in verifying the results of a run.
The log file contains initialization and informational messages:
Feb 18, 2015 8:38:14 PM oracle.idm.automation.util.Util setLogger
WARNING: Logger initialized in warning mode
Feb 18, 2015 8:38:19 PM oracle.idm.automation.impl.oim.handlers.OIMPreIntegrationHandler <init>
INFO: Appserver type: null
Feb 18, 2015 8:38:20 PM oracle.idm.automation.impl.oim.handlers.OIMPreIntegrationHandler <init>
WARNING: Cannot connect to the OUD Admin connector
Feb 18, 2015 8:38:29 PM oracle.idm.automation.impl.oim.handlers.OIMPreIntegrationHandler createOIMAdminUser
INFO: OIM Admin User has been created
Feb 18, 2015 8:38:29 PM oracle.idm.automation.impl.oim.handlers.OIMPreIntegrationHandler addPwdResetPrivilegeToOIMAdminUser
INFO: Password reset privilege added
Checking for WARNING messages after a run can help you identify potential problems with the run.
idmConfigTool appends to the log file upon each run. The presence of older entries can lead to a misunderstanding if you see an error in the log and correct it, since the original error detail is present in the log even after you rectify the error.
WARNING:
Back up existing log files frequently to avoid confusion caused by old log entries.
This section lists the properties for each command option. Topics include:
Notes:
The command options show the command syntax on Linux only. See Section D.3.1 for Windows syntax guidelines.
The tool prompts for passwords.
On Linux, the command syntax is:
idmConfigTool.sh -preConfigIDStore input_file=input_properties
On Windows, the command syntax is:
idmConfigTool.bat -preConfigIDStore input_file=input_properties
For example:
idmConfigTool.sh -preConfigIDStore input_file=extendOAMPropertyFile
Note:
The-preConfigIDStore command option supports Oracle Internet Directory, Oracle Unified Directory, and Oracle Virtual Directory.Table D-3 lists the properties for this mode:
Table D-3 Properties of preConfigIDStore
| Property | Required? |
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
This property is required to connect to and configure OUD configuration structures:
|
|
|
Use the format: where OUD-instance-path is the path to the directory instance.
|
|
|
|
Here is a sample properties file for this option:
IDSTORE_HOST: idstore.example.com IDSTORE_PORT: 389 IDSTORE_BINDDN: cn=orcladmin IDSTORE_USERNAMEATTRIBUTE: cn IDSTORE_LOGINATTRIBUTE: uid IDSTORE_USERSEARCHBASE: cn=Users,dc=example,dc=com IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com IDSTORE_SEARCHBASE: dc=example,dc=com IDSTORE_SYSTEMIDBASE: cn=systemids,dc=example,dc=com
If you are using Oracle Unified Directory as the identity store, include the additional properties indicated in the properties table. The sample properties file then contains the additional properties:
IDSTORE_DIRECTORYTYPE: OUD IDSTORE_ADMIN_PORT : 4444 IDSTORE_KEYSTORE_FILE : /u01/config/instances/oud1/OUD/config/admin-keystore IDSTORE_KEYSTORE_PASSWORD : K8BYCoOFHBwDYa1F6vUBgcGr1TK1Rz26W9Bz7OF0UwsZ5XLGOb
Using prepareIDStore for Oracle Unified Directory
When using prepareIDStore for Oracle Unified Directory, global ACI and indexes are re-created only in the instance(s) specified in the property file; they are not replicated by Oracle Unified Directory. You must manually re-create (remove, then create) the global ACI and indexes on all other Oracle Unified Directory instances of the replication domain.
For details, see Section D.5.
See Also:
Table D-2 for details of the properties.The prepareIDStore command takes mode as an argument to perform tasks for the specified component.
idmConfigTool.sh -prepareIDStore mode=mode input_file=filename_with_Configproperties
where mode must be one of the following:
OAM
OIM
OAAM
WLS
FUSION
WAS
APM
all (performs all the tasks of the above modes combined)
Note:
WLS mode must be run before OAM.See Also:
Table D-2 for details of the properties.The following are created in this mode:
Perform schema extensions as required by the Access Manager component
Add the oblix schema
Create the OAMSoftware User
Create OblixAnonymous User
Optionally create the Access Manager Administration User
Associate these users to their respective groups
Create the group "orclFAOAMUserWritePrivilegeGroup"
On Linux, the command syntax is:
idmConfigTool.sh -prepareIDStore mode=OAM input_file=filename_with_Configproperties
On Windows, the command syntax is:
idmConfigTool.bat -prepareIDStore mode=OAM input_file=filename_with_Configproperties
For example:
idmConfigTool.sh -prepareIDStore mode=OAM input_file=preconfigOAMPropertyFile
Table D-4 lists the properties for this mode:
Table D-4 prepareIDStore mode=OAM Properties
| Parameter | Required? |
|---|---|
|
|
If you are using a directory other than Oracle Internet Directory or Oracle Unified Directory, specify the Oracle Virtual Directory host. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
This property is required to connect to and configure OUD configuration structures:
|
|
|
Use the format: where OUD-instance-path is the path to the directory instance.
|
|
|
|
Here is a sample properties file for this option. This parameter set would result in OAMADMINUSER and OAMSOFTWARE user being created in the identity store:
IDSTORE_HOST: idstore.example.com IDSTORE_PORT: 389 IDSTORE_BINDDN: cn=orcladmin IDSTORE_USERNAMEATTRIBUTE: cn IDSTORE_LOGINATTRIBUTE: uid IDSTORE_USERSEARCHBASE: cn=Users,dc=example,dc=com IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com IDSTORE_SEARCHBASE: dc=example,dc=com POLICYSTORE_SHARES_IDSTORE: true OAM11G_IDSTORE_ROLE_SECURITY_ADMIN:OAMAdministrators IDSTORE_OAMSOFTWAREUSER:oamLDAP IDSTORE_OAMADMINUSER:oamadmin IDSTORE_SYSTEMIDBASE: cn=systemids,dc=example,dc=com
See Also:
Table D-2 for details of the properties.The following are created in this mode:
Create Oracle Identity Manager Administration User under SystemID container
Create Oracle Identity Manager Administration Group
Add Oracle Identity Manager Administration User to Oracle Identity Manager Administration Group
Add ACIs to Oracle Identity Manager Administration Group
Create reserve container
Create xelsysadmin user
On Linux, the command syntax is:
idmConfigTool.sh -prepareIDStore mode=OIM input_file=filename_with_Configproperties
On Windows, the command syntax is:
idmConfigTool.bat -prepareIDStore mode=OIM input_file=filename_with_Configproperties
For example:
idmConfigTool.sh -prepareIDStore mode=OIM input_file=preconfigOIMPropertyFile
Table D-5 lists the properties in this mode:
Table D-5 prepareIDStore mode=OIM Properties
| Parameter | Required? |
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
This property is required to connect to and configure OUD configuration structures:
|
|
|
|
|
|
|
|
|
Required on IBM WebSphere. |
|
|
Required on IBM WebSphere. |
|
|
Required on IBM WebSphere. |
Here is a sample properties file for this option:
IDSTORE_HOST: idstore.example.com IDSTORE_PORT: 389 IDSTORE_BINDDN: cn=orcladmin IDSTORE_USERNAMEATTRIBUTE: cn IDSTORE_LOGINATTRIBUTE: uid IDSTORE_USERSEARCHBASE:cn=Users,dc=example,dc=com IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com IDSTORE_SEARCHBASE: dc=example,dc=com POLICYSTORE_SHARES_IDSTORE: true IDSTORE_SYSTEMIDBASE: cn=systemids,dc=example,dc=com IDSTORE_OIMADMINUSER: oimadmin IDSTORE_OIMADMINGROUP:OIMAdministrators OIM_DB_URL: jdbc:oracle:thin:@xyz5678.us.example.com:5522:wasdb1 OIM_DB_SCHEMA_USERNAME: dev_oim OIM_WAS_CELL_CONFIG_DIR: /wassh/WebSphere/AppServer/profiles/Dmgr04/config/cells/xyz5678Cell04/fmwconfig
See Also:
Table D-2 for details of the properties.This mode:
Creates Oracle Adaptive Access Manager Administration User
Creates Oracle Adaptive Access Manager Groups
Adds the Oracle Adaptive Access Manager Administration User as a member of Oracle Adaptive Access Manager Groups
idmConfigTool.sh -prepareIDStore mode=OAAM
input_file=filename_with_Configproperties
Table D-6 shows the properties in this mode:
Table D-6 prepareIDStore mode=OAAM Properties
| Parameter | Required? |
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
This property is required to connect to and configure OUD configuration structures:
|
|
|
Use the format: where OUD-instance-path is the path to the directory instance.
|
|
|
|
Here is a sample properties file for this option:
IDSTORE_HOST: idstore.example.com IDSTORE_PORT: 389 IDSTORE_BINDDN: cn=orcladmin IDSTORE_USERNAMEATTRIBUTE: cn IDSTORE_LOGINATTRIBUTE: uid IDSTORE_USERSEARCHBASE:cn=Users,dc=example,dc=com IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com IDSTORE_SEARCHBASE: dc=example,dc=com IDSTORE_OAAMADMINUSER: oaamadmin POLICYSTORE_SHARES_IDSTORE: true
See Also:
Table D-2 for details of the properties.This mode:
Creates Weblogic Administration User
Creates Weblogic Administration Group
Adds the Weblogic Administration User as a member of Weblogic Administration Group
On Linux, the command syntax is:
idmConfigTool.sh -prepareIDStore mode=WLS input_file=filename_with_Configproperties
On Windows, the command syntax is:
idmConfigTool.bat -prepareIDStore mode=WLS input_file=filename_with_Configproperties
For example:
idmConfigTool.sh -prepareIDStore mode=WLS input_file=preconfigWLSPropertyFile
Table D-7 lists the properties in this mode:
Table D-7 prepareIDStore mode=WLS Properties
| Parameter | Required? |
|---|---|
|
|
If you are using a directory other than Oracle Internet Directory or Oracle Unified Directory, specify the Oracle Virtual Directory host (which should be IDSTORE. |
|
|
|
|
|
|
|
|
|
|
|
YES |
|
|
|
|
|
|
|
|
|
|
|
Do not set any default, out-of-the-box users such as weblogic/xelsysadm for this property. |
|
|
|
|
|
This property is required to connect to and configure OUD configuration structures:
|
|
|
Use the format: where OUD-instance-path is the path to the OUD instance.
|
|
|
|
Here is a sample properties file for this option. With this set of properties, the IDM Administrators group is created.
IDSTORE_HOST: idstore.example.com IDSTORE_PORT: 389 IDSTORE_BINDDN: cn=orcladmin IDSTORE_USERNAMEATTRIBUTE: cn IDSTORE_LOGINATTRIBUTE: uid IDSTORE_USERSEARCHBASE: cn=Users, dc=example,dc=com IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com IDSTORE_SEARCHBASE: dc=example,dc=com POLICYSTORE_SHARES_IDSTORE: true IDSTORE_WLSADMINUSER: weblogic_idm IDSTORE_WLSADMINGROUP: wlsadmingroup
See Also:
Table D-2 for details of the properties.This mode:
Creates WebSphere Administration User
Creates WebSphere Administration Group
Adds the WebSphere Administration User as a member of WebSphere Administration Group
idmConfigTool.sh -prepareIDStore mode=WAS
input_file=filename_with_Configproperties
Table D-8 lists the properties in this mode:
Table D-8 prepareIDStore mode=WAS Properties
| Parameter | Required? |
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
This property is required to connect to and configure OUD configuration structures:
|
|
|
Use the format: where OUD-instance-path is the path to the OUD instance.
|
|
|
|
Here is a sample properties file for this option, which creates the IDM Administrators group.
IDSTORE_HOST: idstore.example.com IDSTORE_PORT: 389 IDSTORE_BINDDN: cn=orcladmin IDSTORE_USERNAMEATTRIBUTE: cn IDSTORE_LOGINATTRIBUTE: uid IDSTORE_USERSEARCHBASE: cn=Users, dc=example,dc=com IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com IDSTORE_SEARCHBASE: dc=example,dc=com POLICYSTORE_SHARES_IDSTORE: true IDSTORE_WASADMINUSER: websphere_idm
See Also:
Table D-2 for details of the properties.This mode:
Creates Oracle Privileged Account Manager Administration User
Adds the Oracle Privileged Account Manager Administration User as a member of Oracle Privileged Account Manager Groups
You are prompted to enter the password of the account that you are using to connect to the identity store.
idmConfigTool.sh -prepareIDStore mode=APM
input_file=filename_with_Configproperties
Table D-9 shows the properties in this mode:
Table D-9 prepareIDStore mode=APM Properties
| Parameter | Required? |
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Here is a sample properties file for this option:
IDSTORE_HOST: idstore.example.com IDSTORE_PORT: 389 IDSTORE_BINDDN: cn=orcladmin IDSTORE_USERNAMEATTRIBUTE: cn IDSTORE_LOGINATTRIBUTE: uid IDSTORE_USERSEARCHBASE: cn=Users,dc=example,dc=com IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com IDSTORE_SEARCHBASE: dc=example,dc=com POLICYSTORE_SHARES_IDSTORE: true IDSTORE_APMUSER: opamadmin
See Also:
Table D-2 for details of the properties.This mode:.
Creates a Readonly User
Creates a ReadWrite User
Creates a Super User
Adds the readOnly user to the groups orclFAGroupReadPrivilegeGroup and orclFAUserWritePrefsPrivilegeGroup
Adds the readWrite user to the groups orclFAUserWritePrivilegeGroup and orclFAGroupWritePrivilegeGroup
idmConfigTool.sh -prepareIDStore mode=fusion
input_file=filename_with_Configproperties
Table D-10 lists the properties in this mode:
Table D-10 prepareIDStore mode=fusion Properties
| Parameter | Required? |
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
This property is required to connect to and configure OUD configuration structures:
|
|
|
Use the format: where OUD-instance-path is the path to the OUD instance.
|
|
|
|
Here is a sample properties file for this option, which creates IDSTORE_SUPERUSER:
IDSTORE_HOST: idstore.example.com IDSTORE_PORT: 4389 IDSTORE_ADMIN_PORT: 1111 IDSTORE_BINDDN: cn=directory manager IDSTORE_READONLYUSER: IDROUser IDSTORE_READWRITEUSER: IDRWUser IDSTORE_USERSEARCHBASE:cn=Users,dc=example,dc=com IDSTORE_SEARCHBASE: dc=example,dc=com IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=mycomapny,dc=com IDSTORE_SYSTEMIDBASE: cn=systemids,dc=us,dc=example,dc=com IDSTORE_SUPERUSER: weblogic_fa POLICYSTORE_SHARES_IDSTORE: true IDSTORE_SSL_ENABLED: false
See Also:
Table D-2 for details of the properties.The mode performs all the tasks that are performed in the modes OAM, OIM, WLS, WAS, OAAM, and FUSION.
idmConfigTool.sh -prepareIDStore mode=all
input_file=filename_with_Configproperties
Table D-11 lists the properties in this mode:
Table D-11 prepareIDStore mode=all Properties
| Parameter | Required? |
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
This property is required to connect to and configure OUD configuration structures:
|
|
|
Use the format: where OUD-instance-path is the path to the OUD instance.
|
|
|
|
|
|
|
|
|
|
|
|
Required on IBM WebSphere |
|
|
Required on IBM WebSphere |
|
|
Required on IBM WebSphere |
|
|
Required on IBM WebSphere |
Here is a sample properties file for this option:
IDSTORE_HOST: node01.example.com IDSTORE_PORT: 2345 IDSTORE_BINDDN: cn=orcladmin IDSTORE_USERNAMEATTRIBUTE: cn IDSTORE_LOGINATTRIBUTE: uid IDSTORE_USERSEARCHBASE: cn=Users,dc=example,dc=com IDSTORE_SEARCHBASE: dc=example,dc=com IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com IDSTORE_SYSTEMIDBASE: cn=systemids,dc=example,dc=com IDSTORE_READONLYUSER: IDROUser IDSTORE_READWRITEUSER: IDRWUser IDSTORE_SUPERUSER: weblogic_fa IDSTORE_OAMSOFTWAREUSER:oamSoftwareUser IDSTORE_OAMADMINUSER:oamAdminUser IDSTORE_OIMADMINUSER: oimadminuser POLICYSTORE_SHARES_IDSTORE: true OAM11G_IDSTORE_ROLE_SECURITY_ADMIN:OAMAdministrators IDSTORE_OIMADMINGROUP: OIMAdministrators IDSTORE_WLSADMINUSER: weblogic_idm IDSTORE_WLSADMINGROUP: wlsadmingroup IDSTORE_OAAMADMINUSER: oaamAdminUser OIM_DB_URL: jdbc:oracle:thin:@xyz5678.us.example.com:5522:wasdb1 OIM_DB_SCHEMA_USERNAME: dev_oim OIM_WAS_CELL_CONFIG_DIR: /wassh/WebSphere/AppServer/profiles/Dmgr04/config/cells/xyz5678Cell04/fmwconfig IDSTORE_WASADMINUSER: websphere_idm
See Also:
Table D-2 for details of the properties.
idmConfigTool.sh -configPolicyStore input_file=input_properties
Table D-12 lists the command properties.
Table D-12 Properties for ConfigPolicyStore
| Property | Required? |
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Here is a sample properties file for this option, which creates readonly user and writeonly user in the policy store:
POLICYSTORE_HOST: mynode.us.example.com POLICYSTORE_PORT: 3060 POLICYSTORE_BINDDN: cn=orcladmin POLICYSTORE_READONLYUSER: PolicyROUser POLICYSTORE_READWRITEUSER: PolicyRWUser POLICYSTORE_SEARCHBASE: dc=example,dc=com POLICYSTORE_CONTAINER: cn=jpsroot
See Also:
Table D-2 for details of the properties.Ensure that the administration server for the domain hosting Oracle Access Manager is running before you execute this command.
Restart all servers on the OIM domain after running configOIM.
On Linux, the command syntax is:
idmConfigTool.sh -configOAM input_file=input_properties
On Windows, the command syntax is:
idmConfigTool.bat -configOAM input_file=input_properties
For example:
idmConfigTool.sh -configOAM input_file=OAMconfigPropertyFile
Table D-13 lists the command properties.
Table D-13 Properties of configOAM
| Property | Required? |
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
If using a directory server other than Oracle Internet Directory or Oracle Unified Directory, specify the Oracle Virtual Directory host and port. |
|
|
|
|
|
|
|
|
If using a directory server other than Oracle Internet Directory or Oracle Unified Directory, specify an Oracle Virtual Directory administrative user. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Access Manager must be configured for |
|
|
|
|
|
|
|
|
|
|
|
If If the value is false, the server runs in default mode, where each authentication is followed by one or more authorization requests to the Access Manager server. WebGate allows the access to the requested resources or not, based on the responses from the Access Manager server. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Set to
|
Here is a sample properties file for this option, which creates an entry for webgate in Access Manager:
WLSHOST: adminvhn.example.com WLSPORT: 7001 WLSADMIN: weblogic IDSTORE_HOST: idstore.example.com IDSTORE_PORT: 389 IDSTORE_BINDDN: cn=orcladmin IDSTORE_USERNAMEATTRIBUTE: cn IDSTORE_LOGINATTRIBUTE: uid IDSTORE_USERSEARCHBASE: cn=Users,dc=example,dc=com IDSTORE_SEARCHBASE: dc=example,dc=com IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com IDSTORE_OAMSOFTWAREUSER: oamLDAP IDSTORE_OAMADMINUSER: oamadmin PRIMARY_OAM_SERVERS: oamhost1.example.com:5575,oamhost2.example.com:5575 WEBGATE_TYPE: ohsWebgate11g ACCESS_GATE_ID: Webgate_IDM OAM11G_IDM_DOMAIN_OHS_HOST:sso.example.com OAM11G_IDM_DOMAIN_OHS_PORT:443 OAM11G_IDM_DOMAIN_OHS_PROTOCOL:https OAM11G_OAM_SERVER_TRANSFER_MODE:simple OAM11G_IDM_DOMAIN_LOGOUT_URLS: /console/jsp/common/logout.jsp,/em/targetauth/emaslogout.jsp OAM11G_WG_DENY_ON_NOT_PROTECTED: false OAM11G_SERVER_LOGIN_ATTRIBUTE: uid OAM_TRANSFER_MODE: simple COOKIE_DOMAIN: .example.com OAM11G_IDSTORE_ROLE_SECURITY_ADMIN: OAMAdministrators OAM11G_SSO_ONLY_FLAG: false OAM11G_OIM_INTEGRATION_REQ: true or false OAM11G_IMPERSONATION_FLAG:true OAM11G_SERVER_LBR_HOST:sso.example.com OAM11G_SERVER_LBR_PORT:443 OAM11G_SERVER_LBR_PROTOCOL:https COOKIE_EXPIRY_INTERVAL: -1 OAM11G_OIM_OHS_URL:https://sso.example.com:443/ SPLIT_DOMAIN: true OAM11G_IDSTORE_NAME: OAMIDStore IDSTORE_SYSTEMIDBASE: cn=systemids,dc=example,dc=com
When you execute this command, the tool prompts you for:
Password of the identity store account to which you are connecting
Access Manager administrator password
Access Manager software user password
In the IBM WebSphere environment:
Run idmconfigtool from the Oracle Access Manager WebSphere cell.
Provide details of the IBM WebSphere server by specifying the following in the properties file:
WLSHOST - The WebSphere Application Server host
WLSPORT - The WebSphere Application Server bootstrap port
WLSADMIN - Login ID for the Oracle Access Manager Admin console.
See Also:
Table D-2 for details of the properties.As of 11g Release 2 (11.1.2), configOIM supports 11g webgate by default. See the WEBGATE_TYPE option for details.
As indicated in the table, certain properties are required when Oracle Identity Manager and Access Manager are configured on different weblogic domains.
Prior to running configOIM:
configOAM must run successfully
the admin server hosting OAM has to be restarted
the admin server(s) hosting OIM and OAM must be running
if using the OIM_MSM_REST_SERVER_URL property, in addition to the above, ensure that the URL is seeded in credential msmLoginConfig, and the system property'OMSS Enabled' is set to true.
On Linux, the command syntax is:
idmConfigTool.sh -configOIM input_file=configfile
On Windows, the command syntax is:
idmConfigTool.bat -configOIM input_file=configfile
For example:
idmConfigTool.sh -configOIM input_file=OIMconfigPropertyFile
Table D-14 lists the command properties.
Table D-14 Properties for configOIM
| Property | Required? |
|---|---|
|
|
Required by Oracle Platform Security Services (OPSS). |
|
|
Required by OPSS. |
|
|
Required by OPSS. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Set |
|
|
Set |
|
|
|
|
|
Set |
|
|
|
|
|
Set |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Required only when Access Manager server does not support 11g webgate in Oracle Identity Manager-Access Manager integration. In that case, provide the value '10g'. |
|
|
Required if Access Manager and Oracle Identity Manager servers are configured on different Weblogic domains (cross-domain setup) |
|
|
Required if Access Manager and Oracle Identity Manager servers are configured on different Weblogic domains (cross-domain setup) |
|
|
Required if Access Manager and Oracle Identity Manager servers are configured on different Weblogic domains (cross-domain setup) |
|
|
Required for OMSM-OIM. |
|
|
Required on IBM WebSphere. |
|
|
Required on IBM WebSphere, must be OAM node's OracleAdminServer default port number. To find this port number:
|
|
|
S |
Note:
If Access Manager and Oracle Identity Manager are on separate WebLogic domains, setOAM11G_WLS_ADMIN_HOST,OAM11G_WLS_ADMIN_PORT, and OAM11G_WLS_ADMIN_USER. OAM11G_WLS_ADMIN_HOST, OAM11G_WLS_ADMIN_PORT, and OAM11G_WLS_ADMIN_USER properties are related to Access Manager. For information about split domain integration topology, see Chapter 1.Here is a sample properties file for this option, which seeds the SSOAccessKey, SSOKeystoreKey, SSOGlobalPP keys in the credential store framework (CSF):
LOGINURI: /${app.context}/adfAuthentication
LOGOUTURI: /oamsso/logout.html
AUTOLOGINURI: None
ACCESS_SERVER_HOST: OAMHOST1.example.com
ACCESS_SERVER_PORT: 5575
ACCESS_GATE_ID: Webgate_IDM
COOKIE_DOMAIN: .example.com
COOKIE_EXPIRY_INTERVAL: -1
OAM_TRANSFER_MODE: simple
WEBGATE_TYPE: ohsWebgate11g
SSO_ENABLED_FLAG: true
IDSTORE_PORT: 389
IDSTORE_HOST: idstore.example.com
IDSTORE_DIRECTORYTYPE: OVD
IDSTORE_ADMIN_USER: cn=oamLDAP,cn=systemids,dc=example,dc=com
IDSTORE_USERSEARCHBASE: cn=Users,dc=example,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com
MDS_DB_URL: jdbc:oracle:thin:DB Hostname:DB portno.:SID
MDS_DB_SCHEMA_USERNAME: edg_mds
WLSHOST: adminvhn.example.com
WLSPORT: 7001
WLSADMIN: weblogic
DOMAIN_NAME: IDMDomain
OIM_MANAGED_SERVER_NAME: WLS_OIM1
DOMAIN_LOCATION: ORACLE_BASE/admin/IDMDomain/aserver/IDMDomain
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_SEARCHBASE: dc=us,dc=example,dc=com
IDSTORE_WLSADMINUSER: weblogic_idm
OIM_WEB_SERVER_HOST: tx401alu.us.example.com
OIM_WEB_SERVER_PORT: 7777
OAM11G_WLS_ADMIN_HOST: abc1234.us.example.com
OAM11G_WLS_ADMIN_PORT: 9810
OAM11G_WLS_ADMIN_USER: wasadmin
OAM_ADMIN_WAS_DEFAULT_PORT: 7443
When integrating Oracle Mobile Security Suite (MSM) with OIM, you may see the error:
SEVERE: System property OMSS Enabled could not be changed null
To work around this issue, provide the value of WLSPASSWD in the property file to seed the MSM URL.
In the IBM WebSphere environment:
If Oracle Identity Manager (OIM) and Access Manager (OAM) are configured in two different WebSphere cells, you must specify the following properties:
OAM11G_WLS_ADMIN_HOST (OAM host on the Websphere application server)
OAM11G_WLS_ADMIN_PORT (Websphere Deployment Manager bootstrap port for the OAM cell)
OAM11G_WLS_ADMIN_USER (primary administrative user name for OAM Websphere cell (For example, wasadmin)
If OIM and OAM are part of the same WebSphere cell, you do not have to specify the above properties.
The following configOIM command properties are specific to WebSphere:
IDSTORE_SEARCHBASE - The identity store search base
OIM_WEB_SERVER_HOST - The IBM HTTP Server (IHS) host or Oracle HTTP Server (OHS) host
OIM_WEB_SERVER_PORT - The IBM HTTP Server (IHS) port or OHS port.
OAM_ADMIN_WAS_DEFAULT_PORT - The OAM node's OracleAdminServer default port number. To determine the port number:
Navigate to OAM admin console of WebSphere.
Go to Servers -> Server Types -> WebSphere application servers
click on 'OracleAdminServer'
Under 'Communications', expand 'Ports'.
'WC_defaulthost' port is the OAM Node's OracleAdminServer default port number.
See Also:
Table D-2 for details of the properties.
idmConfigTool.sh -configOMSS input_file=input_file_with_path
If a log for running the script is required, you can alternatively run the command as follows:
idmConfigTool.sh -configOMSS input_file=input_file_with_path log_level=FINEST log_file=log_file_with_path
Table D-15 lists the command properties.
Table D-15 Properties for configOMSS
| Property | Required? |
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Note:
It is recommended that you not specify passwords within properties files. Upon execution, the command will prompt you for passwords.Here is a sample properties file for this option:
# LDAP IDSTORE_SSL_ENABLED: false IDSTORE_DIRECTORYTYPE: AD IDSTORE_HOST: qadc2.domain2.testqa1.com IDSTORE_PASSWD: IDSTORE_PORT: 389 IDSTORE_BINDDN: CN=Administrator,CN=Users,DC=domain2,DC=testqa1,DC=com IDSTORE_USERNAMEATTRIBUTE: cn IDSTORE_USERSEARCHBASE: OU=Users,OU=msm,DC=domain2,DC=testqa1,DC=com IDSTORE_GROUPSEARCHBASE: OU=Roles,OU=msm,DC=domain2,DC=testqa1,DC=com IDSTORE_SEARCHBASE: OU=msm,DC=domain2,DC=testqa1,DC=com IDSTORE_SYSTEMIDBASE: OU=SystemIDS,OU=msm,DC=domain2,DC=testqa1,DC=com IDSTORE_LOGINATTRIBUTE: cn OMSS_OMSM_IDSTORE_PROFILENAME: idsprofile_test2 # Weblogic WLSHOST: wlshost01.us.example.com WLSPORT: 7001 WLSADMIN: weblogic WLSPASSWD: OMSS_DOMAIN_LOCATION: /scratch/domains/base_domain # Keystore related config OMSS_KEYSTORE_PASSWORD: SCEP_DYNAMIC_CHALLENGE_USER: adminuser SCEP_DYNAMIC_CHALLENGE_PASSWD: OMSM_IDSTORE_ROLE_SECURITY_ADMIN: MSMAdmin # MSAS and PROXY OMSS_MSAS_SERVER_HOST:host02.us.example.com OMSS_MSAS_SERVER_PORT:14181 PROXY_SERVER_HOST:www-proxy.us.example.com PROXY_SERVER_PORT:80 #PROXY_USER: #PROXY_PASSWD: USE_PROXY:true # DB JDBC_URL:jdbc:oracle:thin:@host02.us.example.com:5521:msmdb MSM_SCHEMA_USER: DEV_OMSM DB_PASSWD: # APNS/GCM APNS_FILE: /scratch/APNS.p12 APNS_KEYSTORE_PASSWD: GCM_API_KEY:AIzaSyCh_JALj5YBAIy7Ekyw9LzovHqJ2YMGk2c GCM_SENDER_ID:610046050155 #TOPIC:com.apple.mgmt.External.2544264e-aa8a-4654-bfff-9d897ed39a87 #Exchange & Email settings EXCHANGE_SERVER_URL:http://testuri.com EXCHANGE_LISTENER_URL:http://testuri.com EXCHANGE_DOMAIN_NAME:test.com EXCHANGE_ADMIN_USER: serviceuser EXCHANGE_SERVER_VERSION:2.0 EXCHANGE_ADMIN_PASSWD: EMAIL_ADMIN_USER: admin@acme.com EMAIL_ADMIN_PASSWD: SMTP_HOST:exchangeurl.us.example.com SMTP_PORT:80
See Also:
Table D-2 for details of the properties.
idmConfigTool.sh -postProvConfig input_file=postProvConfig.props
The properties for this command are the same as for the preConfigIDStore command.
Here is a sample properties file for this option:
IDSTORE_HOST: host01.example.com IDSTORE_PORT: 3060 IDSTORE_BINDDN: cn=orcladmin IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com IDSTORE_SEARCHBASE: dc=example,dc=com IDSTORE_USERSEARCHBASE: cn=systemids,dc=example,dc=com POLICYSTORE_CONTAINER: cn=FAPolicies POLICYSTORE_HOST: host01.ca.example.com POLICYSTORE_PORT: 3060 POLICYSTORE_BINDDN: cn=orcladmin POLICYSTORE_READWRITEUSER: cn=PolicyRWUser,cn=systemids,dc=example,dc=com ovd.host: host01.ca.example.com ovd.port: 6501 ovd.binddn: cn=orcladmin OIM_T3_URL: t3://host02.ca.example.com:14000 OIM_SYSTEM_ADMIN: abcdef
See Also:
Table D-2 for details of the properties.
idmConfigTool.sh -upgradeLDAPUsersForSSO input_file=input_Properties
Table D-16 lists the command properties.
Table D-16 Properties for upgradeLDAPUsersForSSO
| Property | Required? |
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Here is a sample properties file for this option:
IDSTORE_HOST: idstore.example.com IDSTORE_PORT: 389 IDSTORE_ADMIN_USER: cn=orcladmin IDSTORE_DIRECTORYTYPE:OVD IDSTORE_USERSEARCHBASE: cn=Users,dc=example,dc=com IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com PASSWORD_EXPIRY_PERIOD: 7300 IDSTORE_LOGINATTRIBUTE: uid
See Also:
Table D-2 for details of the properties.
idmConfigTool.sh -validate component=IDSTORE input_file=input_Properties
Table D-17 lists the command properties.
Table D-17 Properties for validate IDStore
| Property | Required? |
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Here is a sample properties file for this option:
idstore.type: OID idstore.host: acb21005.us.example.com idstore.port: 3030 idstore.sslport: 4140 idstore.ssl.enabled: false idstore.super.user: cn=weblogic_fa,cn=systemids,dc=example,dc=com idstore.readwrite.username: cn=IDRWUser,cn=systemids,dc=example,dc=com idstore.readonly.username: cn=IDROUser,cn=systemids,dc=example,dc=com idstore.user.base: cn=Users,dc=example,dc=com idstore.group.base: cn=Groups,dc=example,dc=com idstore.seeding: true idstore.post.validation: false idstore.admin.group: cn=IDM Administrators,cn=Groups,dc=example,dc=com idstore.admin.group.exists: true
See Also:
Table D-2 for details of the properties.
idmConfigTool.sh -validate component=POLICYSTORE input_file=input_Properties
Table D-18 lists the command properties.
Table D-18 Properties for validate policystore
| Property | Required? |
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Here is a sample properties file for this option:
POLICYSTORE_HOST: node0316.example.com POLICYSTORE_PORT: 3067 POLICYSTORE_SECURE_PORT: 3110 POLICYSTORE_IS_SSL_ENABLED: FALSE POLICYSTORE_READ_WRITE_USERNAME: cn=PolicyRWUser,cn=systemids,dc=example,dc=com POLICYSTORE_SEEDING: true POLICYSTORE_JPS_ROOT_NODE: cn=jpsroot POLICYSTORE_DOMAIN_NAME: dc=example,dc=com
See Also:
Table D-2 for details of the properties.Ensure that the administration server and managed servers hosting Oracle Access Manager components are running before you execute this command.
idmConfigTool.sh -validate component=OAM11g input_file=input_Properties
Note:
The tool prompts for the WebLogic administration server user password upon execution.Table D-19 lists the command properties.
Table D-19 Properties for validate component=OAM11g
| Property | Required? |
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Here is a sample properties file for this option, which validates the Access Manager server:
admin_server_host: abc5411405.ca.example.com admin_server_port: 17001 admin_server_user: weblogic IDSTORE_HOST:abc5411405.ca.example.com IDSTORE_PORT:3060 IDSTORE_IS_SSL_ENABLED:false OAM11G_ACCESS_SERVER_HOST:abc5411405.ca.example.com OAM11G_ACCESS_SERVER_PORT:5575 OAM11G_IDSTORE_ROLE_SECURITY_ADMIN:OAMAdministrators OAM11G_OIM_OHS_URL: http://abc5411405.ca.example.com:7779/ OAM11G_OIM_INTEGRATION_REQ: true OAM11G_OAM_ADMIN_USER:oamadminuser OAM11G_SSO_ONLY_FLAG: false OAM11G_OAM_ADMIN_USER_PASSWD:
See Also:
Table D-2 for details of the properties.
idmConfigTool.sh -validate component=OAM10g input_file=input_Properties
Table D-20 lists the command properties.
Table D-20 Properties for validate component=OAM10g
| Property | Required? |
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
See Also:
Table D-2 for details of the properties.Ensure that the administration server and managed servers hosting Oracle Access Manager components are running before you execute this command.
idmConfigTool.sh -validate component=OIM11g input_file=input_Properties
Note:
The tool prompts for the WebLogic administration server user password upon execution.Table D-21 lists the command properties.
Table D-21 Properties for validate component=OIM11g
| Property | Required? |
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Here is a sample properties file for this option:
admin_server_host: node06.example.com admin_server_port: 17111 admin_server_user: weblogic oam_host: node06.example.com oam_nap_port: 5575 idm.keystore.file: idm.keystore.file idstore.user.base: cn=Users,dc=example,dc=com idstore.group.base: cn=Groups,dc=example,dc=com oim_is_ssl_enabled: false OIM_FRONT_END_URL: http://node06.example.com:14000 OIM_T3_URL: t3://node06.example.com:14000
See Also:
Table D-2 for details of the properties.
idmConfigTool.sh -configOVD input_file=input_Properties
Table D-22 lists the command properties (in ldapn properties, n=1,2..).
Table D-22 configOVD properties
| Property | Required? |
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
The content of the properties file for the configOVD command depends on the Oracle Virtual Directory configuration. This section provides some sample files.
Here is an example of the file named single.txt for a single-server configuration:
ovd.host:myhost.us.example.com ovd.port:7000 ovd.binddn:cn=orcladmin ovd.ssl:true ldap1.type:OID ldap1.host:myhost.us.example.com ldap1.port:7000 ldap1.binddn:cn=oimadmin,cn=systemids,dc=example,dc=com ldap1.ssl:false ldap1.base:dc=example,dc=com ldap1.ovd.base:dc=example,dc=com usecase.type: single
The user referenced in the ldap1.binddn: parameter is the proxy user for Oracle Identity Manager, created when you pre-configure the identity store.
When using this file, the command is invoked as:
idmConfigTool -configOVD input_file=path/single.txt Enter OVD password: password Enter LDAP password: password
Here is an example of the file named split.txt for a split-profile server configuration:
ovd.host:myhost.us.example.com ovd.port:7000 ovd.binddn:cn=orcladmin ovd.ssl:true ldap1.type:AD ldap1.host:10.0.0.0 ldap1.port:7000 ldap1.binddn:administrator@idmqa.com ldap1.ssl:true ldap1.base:dc=idmqa,dc=com ldap1.ovd.base:dc=idmqa,dc=com usecase.type: split ldap2.type:OID ldap2.host:myhost.us.example.com ldap2.port:7000 ldap2.binddn:cn=oimadmin,cn=systemids,dc=example,dc=com ldap2.ssl:false ldap2.base:dc=example,dc=com ldap2.ovd.base:dc=example,dc=com
When using this file, the command is thus invoked as:
idmConfigTool -configOVD input_file=path/split.txt Enter OVD password: password Enter LDAP1 password: password Enter LDAP2 password: password
See Also:
Table D-2 for details of the properties.
idmConfigTool.sh -ovdConfigUpgrade input_file=input_Properties
Table D-23 lists the command properties.
Table D-23 ovdConfigUpgrade Properties
| Property | Required? |
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Here is a sample properties file for this option which upgrades the existing adapters:
ovd.host:abk005sjc.us.myhost.com ovd.port:8801 ovd.binddn:cn=orcladmin ovd.ssl:true
See Also:
Table D-2 for details of the properties.
idmConfigTool.sh -disableOVDAccessConfig input_file=input_Properties
Table D-24 lists the command properties.
Table D-24 disableOVDAccessConfig Properties
| Property | Required? |
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
l |
Here is a sample properties file for this option which disables the anonymous access in Oracle Virtual Directory:
ovd.host:abc00def.ca.example.com ovd.port:8501 ovd.binddn:cn=orcladmin ovd.ssl:true
See Also:
Table D-2 for details of the properties.
idmConfigTool.sh -upgradeOIMTo11gWebgate input_file=input_Properties
This command uses the same properties that are required for the configOIM command, so the same properties file can work for both. See Table D-14.
As indicated in the table, certain properties are required when Oracle Identity Manager and Access Manager are configured on different weblogic domains.
See Also:
Table D-2 for details of the properties.This section explains additional tasks you may need to perform when using idmConfigTool for a target Oracle Unified Directory (OUD) identity store in a high-availability environment. Topics include:
Global ACI and indexes are not replicated when you use idmConfigTool for an Oracle Unified Directory (OUD) identity store in a high availability (HA) environment that contains replicas. Global ACI and indexes are created ONLY in the instance(s) specified in the property file. You must manually re-create (remove then create) them on all other OUD instances of the replication domain.
Consequently you must first grant access to the change log, and then create the ACIs. Take these steps:
Create a file called mypassword which contains the password you use to connect to OUD.
Remove the existing change log on one of the replicated OUD hosts. The command syntax is:
OUD_ORACLE_INSTANCE/bin/dsconfig set-access-control-handler-prop \ --remove \ global-aci:"(target=\"ldap:///cn=changelog\")(targetattr=\"*\")(version 3.0; acl \"External changelog access\"; deny (all) userdn=\"ldap:///anyone\";)" --hostname OUD Host \ --port OUD Admin Port \ --trustAll ORACLE_INSTANCE/config/admin-truststore \ --bindDN cn=oudadmin \ --bindPasswordFile mypassword \ --no-prompt
For example:
OUD_ORACLE_INSTANCE/bin/dsconfig set-access-control-handler-prop \
--remove
global-aci:"(target=\"ldap:///cn=changelog\")(targetattr=\"*\")(version 3.0;
acl \"External changelog access\"; deny (all) userdn=\"ldap:///anyone\";)"
--hostname OUDHOST1.example.com \
--port 4444 \
--trustAll /u01/app/oracle/admin/oud1/OUD/config/admin-truststore \
--bindDN cn=oudadmin \
--bindPasswordFile mypassword \
--no-prompt
Add the new ACI for the changelog:
OUD_ORACLE_INSTANCE/bin/dsconfig set-access-control-handler-prop \
--add global-aci:"(target=\"ldap:///cn=changelog\")(targetattr=\"*\")(version
3.0; acl \"External changelog access\"; allow
(read,search,compare,add,write,delete,export)
groupdn=\"ldap:///cn=oimAdminGroup,cn=groups,dc=example,dc=com\";)" \
--hostname OUD Host \
--port OUD Admin Port \
--trustAll \
--bindDN cn=oudadmin \
--bindPasswordFile password
--no-prompt
For example:
OUD_ORACLE_INSTANCE/bin/dsconfig set-access-control-handler-prop \
--add
--add global-aci:"(target=\"ldap:///cn=changelog\")(targetattr=\"*\")(version
3.0; acl \"External changelog access\"; allow
(read,search,compare,add,write,delete,export)
groupdn=\"ldap:///cn=oimAdminGroup,cn=groups,dc=example,dc=com\";)" \
--hostname OUDHOST1 \
--port 4444 \
--trustAll \
--bindDN cn=oudadmin \
--bindPasswordFile password
--no-prompt
Then add the ACI:
OUD_ORACLE_INSTANCE/bin/dsconfig set-access-control-handler-prop \ --add global-aci:"(targetcontrol=\"1.3.6.1.4.1.26027.1.5.4 || 1.3.6.1.4.1.26027.2.3.4\")(version 3.0; acl \"OIMAdministrators control access\"; allow(read) groupdn=\"<ldap:///cn=OIMAdministrators,cn=groups,dc=mycompany,dc=com\";)" \ --hostname OUD_HOST \ --port OUD_ADMIN_PORT \ --trustAll \ --bindDN cn=oudadmin \ --bindPasswordFile passwordfile \ --no-prompt
For example:
OUD_ORACLE_INSTANCE/bin/dsconfig set-access-control-handler-prop \
--add global-aci:"(targetcontrol=\"1.3.6.1.4.1.26027.1.5.4 || 1.3.6.1.4.1.26027.2.3.4\")(version 3.0; acl \"OIMAdministrators control access\"; allow(read) groupdn=\"ldap:///cn=OIMAdministrators,cn=groups,dc=mycompany,dc=com\";)" \
--hostname IDMHOST1.mycompany.com \
--port 4444 \
--trustAll \
--bindDN cn=oudadmin \
--bindPasswordFile mypasswordfile \
--no-prompt
Finally add the ACI:
OUD_ORACLE_INSTANCE/bin/dsconfig set-access-control-handler-prop \
--add global-aci:"(target=\"ldap:///\")(targetscope=\"base\")(targetattr=\"lastExternalChangelogCookie\")(version 3.0; acl \"User-Visible lastExternalChangelog\"; allow (read,search,compare) groupdn=\"ldap:///cn=OIMAdministrators,cn=groups,dc=mycompany,dc=com\";)" \
--hostname OUD_HOST \
--port OUD_ADMIN_PORT \
--trustAll \
--bindDN cn=oudadmin \
--bindPasswordFile passwordfile \
--no-prompt
For example:
OUD_ORACLE_INSTANCE/bin/dsconfig set-access-control-handler-prop \
--add global-aci:"(target=\"ldap:///\")(targetscope=\"base\")(targetattr=\"lastExternalChangelogCookie\")(version 3.0; acl \"User-Visible lastExternalChangelog\"; allow (read,search,compare) groupdn=\"ldap:///cn=OIMAdministrators,cn=groups,dc=mycompany,dc=com\";)" \
--hostname IDMHOST1.mycompany.com \
--port 4444 \
--trustAll \
--bindDN cn=oudadmin \
--bindPasswordFile mypasswordfile \
--no-prompt
Repeat Steps 1 through 5 for each OUD instance.
When idmConfigTool prepares the identity store, it creates a number of indexes on the data. However in a high availability (HA) environment that contains replicas, global ACI and indexes are created only in the instance(s) specified in the property file; the replicas are not updated with the indexes which need to be added manually.
The steps are as follows (with LDAPHOST1.example.com representing the first OUD server, LDAPHOST2.example.com the second server, and so on):
Create a file called mypassword which contains the password you use to connect to OUD.
Configure the indexes on the second OUD server:
ORACLE_INSTANCE/OUD/bin/ldapmodify -h LDAPHOST2.example.com -Z -X -p 4444 -a -D "cn=oudadmin" -j mypassword -c -f /u01/app/oracle/product/fmw/iam/oam/server/oim-intg/ldif/ojd/schema/ojd_user_index_generic.ldif
and
ORACLE_INSTANCE/OUD/bin/ldapmodify -h LDAPHOST2.example.com -Z -X -p 4444 -a -D "cn=oudadmin" -j mypassword -c -f /u01/app/oracle/product/fmw/iam/idmtools/templates/oud/oud_indexes_extn.ldif
Notes:
Repeat both commands for all OUD servers for which idmConfigTool was not run.
Execute the commands on one OUD instance at a time; that instance must be shut down while the commands are running.
Rebuild the indexes on all the servers:
ORACLE_INSTANCE/OUD/bin/bin/rebuild-index -h localhost -p 4444 -X -D "cn=oudadmin" -j mypassword --rebuildAll -b "dc=example,dc=com"
Note:
You must run this command on all OUD servers, including the first server (LDAPHOST1.example.com) for which idmConfigTool was run.