Oracle® Access Manager Identity and Common Administration Guide 10g (10.1.4.0.1)
Part Number B25343-01
Contents
List of Examples
List of Figures
List of Tables
Title and Copyright Information
Preface
Audience
Documentation Accessibility
Related Documents
Conventions
What's New in Oracle Access Manager?
Product and Component Name Changes
Globalization
Password Policies and Lost Password Management
Configuring Multiple Searchbases
Configuring Workflows
Auditing
Logging
Configuring the Directory Server
Active Directory
Troubleshooting
Part I Introducing Oracle Access Manager Administration

1 Preparing for Administration
  1.1 Prerequisites
  1.2 About Identity System Configuration and Administration
    1.2.1 Identity System Components
      1.2.1.1 Review of Identity System Installation and Setup
      1.2.1.2 About Configuring the Identity System
      1.2.1.3 About Managing the Identity System
  1.3 Introduction to Using Oracle Access Manager
    1.3.1 Login
      1.3.1.1 Logging In to the Identity System
      1.3.1.2 Logging into the Access System
    1.3.2 Functional Areas on a page
      1.3.2.1 Navigation Elements
      1.3.2.2 Search Functionality
    1.3.3 The Selector
    1.3.4 Online Help
    1.3.5 The About Page Link
    1.3.6 Logging Out
      1.3.6.1 To log out

2 Specifying Identity System Administrators
  2.1 About Identity System Administrators
  2.2 Specifying Administrators
    2.2.1 Deleting Administrators
  2.3 Delegating Administration
    2.3.1 About Delegating Administration
    2.3.2 Delegated Administration Models
      2.3.2.1 Extranet Model
      2.3.2.2 Intranet Model
      2.3.2.3 ASP Model
    2.3.3 Adding Delegated Administrators
    2.3.4 Adding Substitute Administrators

Part II Configuring the Identity System

3 Making Schema Data Available to the Identity System
  3.1 About Object Classes
    3.1.1 About Sending Data to External Systems Using Template Objects
    3.1.2 The Process for Configuring Schema Data
    3.1.3 Objects Configured During Installation
    3.1.4 Structural and Auxiliary Object Classes in the Identity System
    3.1.5 Template Object Classes
    3.1.6 Object Class Types
  3.2 Viewing Object Classes
  3.3 Modifying Object Classes
    3.3.1 Selecting a Class Attribute
    3.3.2 Changing the Structural Object Class
  3.4 Adding Object Classes
    3.4.1 How Auxiliary Classes Are Used
  3.5 Deleting Object Classes
  3.6 About Object Class Attributes
    3.6.1 About Configuring Attributes
    3.6.2 Attribute Data Types
    3.6.3 Attribute Semantic Types
      3.6.3.1 Semantic Types Defined During Setup
      3.6.3.2 Semantic Types Used in Profile Pages
      3.6.3.3 Semantic Types Used in the Group Manager
      3.6.3.4 Location Coordinates Semantic Type
      3.6.3.5 Semantic Types for Managing Lost Passwords
      3.6.3.6 Other Semantic Types
    3.6.4 Attribute Display Types
  3.7 Viewing Attributes
  3.8 Configuring Attributes
    3.8.1 Using Rules and Lists
      3.8.1.1 Defining a Rule
      3.8.1.2 Defining a List
    3.8.2 Localizing Attribute Display Names
    3.8.3 Search Filters for the Object Selector Display Type
    3.8.4 Creating a Search Filter for the Object Selector Display Type
    3.8.5 Search Filters for Multiple Target Object Classes
    3.8.6 Deleting a Search Filter
    3.8.7 Usage of Rules and Filters
      3.8.7.1 Static LDAP Search Filters
      3.8.7.2 Static Searches Using Wild Cards
      3.8.7.3 Static Searches Using Multiple Target Object Classes
      3.8.7.4 Substitution Syntax: Returning Targets that Match the DN of the Logged In User
      3.8.7.5 Examples of Dynamic LDAP Search Filters
      3.8.7.6 Dynamic Searches Using Wild Cards
      3.8.7.7 Dynamic Searches Using Multiple Values
      3.8.7.8 Use of the Not Operator
    3.8.8 Configuring Other Display Types
  3.9 Configuring Derived Attributes: Matching Values from Different Attributes
    3.9.1 Example of a Derived Attribute
    3.9.2 Assigning a Derived Attribute to a User Manager Tab
    3.9.3 Permissions for Derived Attributes
  3.10 Attributes Configured for an Individual Application

4 Configuring User, Group, and Organization Manager
  4.1 About User, Group, and Organization Manager
  4.2 Configuring Tabs
    4.2.1 Viewing and Modifying Tab Configuration Information
    4.2.2 Localizing Tabs
    4.2.3 Adding a Tab to the Organization Manager
    4.2.4 Specifying the Search Attributes on a Tab
    4.2.5 Viewing, Modifying, and Localizing Attributes that Appear in Search Results
    4.2.6 Adding Auxiliary and Template Object Classes to a User or Org. Manager Tab
    4.2.7 Adding Auxiliary and Template Object Classes to a Group Tab
    4.2.8 Configuring Group Manager Tab Options
    4.2.9 Deleting a Tab in Organization Manager
    4.2.10 Ordering the Tabs in Organization Manager
  4.3 Configuring Tab Profile Pages and Panels
    4.3.1 Use of LDAP and Template Objects on a Panel
    4.3.2 Configuring the Header Panel
    4.3.3 Viewing Panels That You Have Configured in the End User Application
    4.3.4 Adding, Modifying, Localizing, and Deleting a Panel
    4.3.5 Ordering the Panels
    4.3.6 Viewing Group Type Panels
    4.3.7 Adding, Modifying, Localizing, and Deleting a Group Type Panel
    4.3.8 Modifying and Localizing Attributes Displayed on a Panel
  4.4 Allowing Users to View and Change LDAP Data
    4.4.1 About the Searchbase
    4.4.2 Guidelines for Setting the Searchbase
      4.4.2.1 If You Need to Modify a Searchbase
    4.4.3 Indexing and the Searchbase
      4.4.3.1 Indexing Requirements for Oracle Internet Directory
    4.4.4 Setting the Searchbase
      4.4.4.1 If You Set a Searchbase for a Group
    4.4.5 Configuring and Deleting Disjoint Searchbases
    4.4.6 Writing LDAP Filters Using Query Builder
      4.4.6.1 Methods for Retrieving Matches
    4.4.7 Building Advanced LDAP Filters Using QueryBuilder
    4.4.8 About View and Modify Permissions
    4.4.9 Setting and Modifying LDAP Attribute Permissions
    4.4.10 Keys for Selecting Multiple Attributes
    4.4.11 Evaluation of LDAP Attribute Permissions
  4.5 Examples of Configuring an Application
    4.5.1 Displaying Photos in User Profiles
      4.5.1.1 Importing and Storing Photos in a Directory
      4.5.1.2 Referencing Photos in a File System
      4.5.1.3 The Default Photo Image
    4.5.2 Enabling the Location Tab in Organization Manager
    4.5.3 The Right to Create Groups in Group Manager
  4.6 End-User Scenarios
    4.6.1 Managing Group Members in Group Manager
    4.6.2 Searching for Group Members
    4.6.3 Deleting Group Members
    4.6.4 Adding Group Members
    4.6.5 Managing Group Subscriptions
    4.6.6 Subscribing to Groups
  4.7 Configuring Auditing Policies
    4.7.1 Viewing Auditing Policies
    4.7.2 Modifying Auditing Policies
  4.8 Generating Reports
    4.8.1 Configuring Reports
    4.8.2 Viewing, Modifying, Localizing, and Deleting Reports
  4.9 Advanced Configuration
    4.9.1 Expanding Dynamic Groups
    4.9.2 Modifying the Default Searchbase Scope
    4.9.3 Simplified Attribute Permissions for a Group
      4.9.3.1 Implementing Simplified Permissions
      4.9.3.2 Sample gscaclparams.xml File
      4.9.3.3 Simplified Permissions Reserved Words
    4.9.4 Setting Container Limits in Organization Manager
      4.9.4.1 Copying Container Limits
      4.9.4.2 Modifying Container Limits

5 Chaining Identity Functions Into Workflows
  5.1 About Workflows
    5.1.1 How Workflows Are Initiated
    5.1.2 Typical Workflow Examples
    5.1.3 Advanced Workflow Options
    5.1.4 Workflow Types
    5.1.5 Creating Workflows
    5.1.6 How Users Access Workflows in an Identity System Application
      5.1.6.1 About Workflow Tickets
      5.1.6.2 A Workflow Scenario
    5.1.7 LDAP Versus Template Attributes in a Workflow
    5.1.8 Workflow Types, Steps, and Actions
    5.1.9 About Workflow Steps
    5.1.10 About Step Actions
    5.1.11 Descriptions of Step Actions
    5.1.12 About Subflows
  5.2 Using the QuickStart Tool
    5.2.1 Creating a Self-Registration Workflow Using the Quickstart Tool
  5.3 Using the Workflow Applet
    5.3.1 Starting a New Workflow Definition
    5.3.2 Defining an LDAP Target for Create Object Workflows
    5.3.3 Defining the First Step in a Workflow
    5.3.4 Defining Step Attributes
    5.3.5 Defining Subsequent Steps
    5.3.6 Committing Workflow Steps
    5.3.7 Enabling a Workflow
    5.3.8 Testing a Workflow
    5.3.9 Example of Defining a Workflow
  5.4 Defining a Subflow
    5.4.1 Associating a Subflow with a Workflow
    5.4.2 Approving Subflow Steps
  5.5 Advanced Workflow Ticket Routing
    5.5.1 Configuring Workflow Actions for Advanced Ticket Routing
    5.5.2 About Notifying Newly Assigned Step Participants
    5.5.3 Specifying Dynamic Participants
      5.5.3.1 About Workflow Participants
      5.5.3.2 About Workflow Ticket Routing
      5.5.3.3 About Dynamic Participants
      5.5.3.4 About Static Participants
      5.5.3.5 About the Static Participants Not Available Button
      5.5.3.6 Enabling Dynamic Participants
    5.5.4 Specifying Surrogates
    5.5.5 Enabling Time-based Escalation
  5.6 Performing Asynchronous Operations
    5.6.1 Notes on Asynchronous Workflows
  5.7 Using a Workflow
    5.7.1 Invoking a Workflow
    5.7.2 Finding and Processing a Ticket
    5.7.3 Deactivating and Reactivating Users
    5.7.4 Reactivating a Deactivated User
    5.7.5 Monitoring a Workflow
    5.7.6 Archiving Requests
    5.7.7 Deleting Requests
    5.7.8 Preventing Other Administrators from Working on a Workflow Ticket
  5.8 Managing Workflows
    5.8.1 Viewing and Exporting a Workflow Summary
    5.8.2 Copying a Workflow
    5.8.3 Modifying a Workflow
    5.8.4 Deleting a Workflow
    5.8.5 Exporting Workflows
    5.8.6 Viewing Workflow Panel Settings
    5.8.7 Modifying the Appearance of Workflow Panels
    5.8.8 Localizing Workflow Panels
    5.8.9 Workflow Performance
    5.8.10 The Identity Administrator's Modify Rights
  5.9 Advanced Workflow Options
    5.9.1 Pre and Post Actions
    5.9.2 External Actions
    5.9.3 Customization of Data and Actions in a Workflow
    5.9.4 Adding Roles to a Workflow
  5.10 Creating a Self-Registration Workflow
  5.11 Creating a Location Workflow

6 Sending Non-LDAP Data to External Applications
  6.1 About Configuring Non-LDAP Data
  6.2 Summary of Using Non-LDAP Data in a Workflow
  6.3 About Template Objects
  6.4 About Template Object Data and Workflows
  6.5 Object Template Configuration
    6.5.1 Format of the Object Template File
    6.5.2 How Template Objects Appear in the Identity System
    6.5.3 Elements in an Object Template File
  6.6 Sample Object Template File
  6.7 Creating an Identity Event Plug-In for Template Attributes

7 Configuring Global Settings
  7.1 Configuring Styles for Identity System Applications
    7.1.1 Viewing a Style
    7.1.2 Adding a Custom Style Directory
    7.1.3 Deploying a Style
    7.1.4 Changing a Style Name
    7.1.5 Modifying a Style
    7.1.6 Deleting a Style
    7.1.7 Setting the Default Style
  7.2 Configuring Multiple Languages for Oracle Access Manager
    7.2.1 Selecting a Language for Administrative Pages
    7.2.2 Language Evaluation Order for End-User Applications
  7.3 Configuring Identity Server Settings
    7.3.1 Configuring Session Timeout
    7.3.2 Customizing Email Destinations
    7.3.3 Configuring a Mail Server
    7.3.4 Managing Caches
    7.3.5 Managing Multiple Languages
  7.4 Managing Identity Servers
    7.4.1 Setting Up Multiple Identity Servers
    7.4.2 Adding an Identity Server
    7.4.3 Viewing and Modifying Identity Server Parameters
    7.4.4 Deleting Identity Server Parameters
    7.4.5 Managing an Identity Server Service from the Command Line
  7.5 Managing Directory Server Profiles
    7.5.1 About LDAP Directory Server Profiles
    7.5.2 Creating an LDAP Directory Server Profile
    7.5.3 Viewing an LDAP Directory Server Profile
    7.5.4 Modifying an LDAP Directory Server Profile
    7.5.5 Rerunning Setup Manually
      7.5.5.1 Rerunning Identity System Setup
      7.5.5.2 Rerunning Policy Manager Setup
      7.5.5.3 Reconfiguring the Access Server
    7.5.6 Adding Database Instances to LDAP Directory Server Profiles
      7.5.6.1 LDAP Referrals
    7.5.7 Deleting an LDAP Directory Server Instance
    7.5.8 Working With Multiple Directory Searchbases
  7.6 Managing RDBMS Profiles
    7.6.1 Adding or Modifying an RDBMS Profile
    7.6.2 Adding or Modifying an RDBMS Database Instance
  7.7 Configuring WebPass
    7.7.1 Viewing a Configured WebPass
    7.7.2 Adding or Modifying a WebPass
    7.7.3 Removing a WebPass
    7.7.4 Modifying a WebPass from a Command Line
    7.7.5 Managing Associations Between Identity Servers and WebPass
      7.7.5.1 To view Identity Servers associated with a WebPass
      7.7.5.2 To modify an Identity Server's connections to a WebPass
      7.7.5.3 To associate an Identity Server with a WebPass
    7.7.6 Disassociating a WebPass from an Identity Server
  7.8 Configuring Password Policies
    7.8.1 Order of Password Policy Evaluation
    7.8.2 Managing Password Policies
      7.8.2.1 Viewing Password Policies
      7.8.2.2 Setting the Defaults for Different Types of Password Policies
      7.8.2.3 Creating Password Policies for a Specific Domain
      7.8.2.4 Modifying Password Policies
      7.8.2.5 Deleting a Password Policy
    7.8.3 Lost Password Management
      7.8.3.1 Syntax for the Lost Password Management URL
      7.8.3.2 About Presenting Challenge Phrases to Users
      7.8.3.3 About Other Aspects of the Challenge and Response Page
      7.8.3.4 How the User Experiences Lost Password Management with Multiple Challenges
      7.8.3.5 Viewing and Configuring Lost Password Management Policies
    7.8.4 Implementing Password Policies in the Access System
      7.8.4.1 Modifying Authentication Schemes to Include a Password Policy
    7.8.5 Configuring Password Redirect URLs
      7.8.5.1 Configuring Redirection to a Password Reset Page After Password Expiry
      7.8.5.2 Setting Up Password Expiry Warning Redirect URLs
      7.8.5.3 Setting Up Redirect URLs for Account Lockout
    7.8.6 Updates to the Access Server Cache
  7.9 Configuring the Access Manager SDK for the Identity System
  7.10 Cloned and Synchronized Components

Part III Performing Common Administrative Tasks

8 Changing Transport Security Modes
  8.1 About Transport Security Modes
    8.1.1 Transport Security Mode Between Components
    8.1.2 About CA Certificates
  8.2 Changing Transport Security for the Identity System
    8.2.1 Transport Security Mode Changes for the Identity System
    8.2.2 Changing to Simple Transport Security Mode
    8.2.3 Changing to Cert Transport Security Mode
  8.3 Changing Transport Security Modes for the Access System
    8.3.1 Transport Security Mode Changes for the Access System
    8.3.2 Changing to Open Transport Security Mode
    8.3.3 Changing to Simple Transport Security Mode
    8.3.4 Changing to Cert Transport Security Mode
  8.4 Transport Security Changes for Directory Servers
  8.5 Changing Transport Security Passwords
  8.6 Importing Multiple CA Certificates
  8.7 Changing Access Server Security Password

9 Reporting
  9.1 About Reporting
    9.1.1 Report Types
    9.1.2 Data Sources
    9.1.3 Data Output
    9.1.4 Output Configuration
    9.1.5 Data Uses
  9.2 Summary of Reporting Features

10 Logging
  10.1 About Logging and Log Levels
    10.1.1 Log Levels
  10.2 About Log Configuration Files
    10.2.1 Log Configuration File Paths
    10.2.2 Log Configuration File Names
    10.2.3 Modifying a Log Configuration File
      10.2.3.1 About Embedded Comments
  10.3 About Log Writers
  10.4 Log Configuration File Structure
    10.4.1 About XML Element Order
  10.5 Controlling Logging Levels
    10.5.1 About Log Handler Precedence
      10.5.1.1 Ensuring That Your Edits Take Effect
  10.6 Log Configuration Parameters
    10.6.1 Default Log Settings
      10.6.1.1 Parsing the Default Log Configuration File
  10.7 Configuring Logs in the Identity System Console

11 Auditing
  11.1 About Auditing
  11.2 Audit Output Considerations
    11.2.1 Audit Security Considerations
    11.2.2 Audit Performance Considerations
    11.2.3 Static Audit Reports
    11.2.4 Dynamic Audit Reports
    11.2.5 Controlling Audit Output
    11.2.6 About Audit Options
  11.3 Auditing Requirements
    11.3.1 Audit-to-Database Requirements
      11.3.1.1 Special Components for Database Auditing
      11.3.1.2 Updates to Supported Versions and Platforms
  11.4 Audit-to-Database Architecture
    11.4.1 About OCI Settings
    11.4.2 About ODBC Data Source Definitions
    11.4.3 About ODBC Drivers
      11.4.3.1 About the Windows ODBC Driver
    11.4.4 About RDBMS Profiles for Database Auditing
      11.4.4.1 About Profiles For Databases That Use an ODBC Connection Type
      11.4.4.2 About Profiles For Databases That Use an OCI Connection Type
    11.4.5 About the Audit Database
    11.4.6 About the Crystal Repository
      11.4.6.1 About Audit Reports
  11.5 Setting Up File-Based Auditing
  11.6 Setting Up Database Auditing
    11.6.1 Setting Up Your System for Database Auditing
    11.6.2 Setting up the Audit Database
      11.6.2.1 Installing the Database Server
      11.6.2.2 Creating the Audit Database
      11.6.2.3 Uploading the Audit Schema
      11.6.2.4 Enabling Access and Identity Servers to Connect to the Audit Database
    11.6.3 Configuring Auditing
  11.7 Setting up Audit Reports

12 SNMP Monitoring
  12.1 Prerequisites
  12.2 About Oracle Access Manager SNMP Monitoring and Agents
    12.2.1 The SNMP Agent
  12.3 About the Oracle Access Manager MIB and Objects
    12.3.1 MIB Index Fields
    12.3.2 Identity Server MIB Objects
    12.3.3 Access Server MIB Objects
  12.4 Enabling and Disabling SNMP Monitoring
  12.5 Setting Up SNMP Agent and Trap Destinations
  12.6 Changing SNMP Configuration Settings
  12.7 Logging for SNMP
  12.8 SNMP Messages
  12.9 Discrepancies Between Netstat and SNMP Values
  12.10 Configuring the Shutdown Interval

Part IV Appendices

A Deploying with Active Directory
  A.1 Setting Up Directory Profiles and Searchbases
    A.1.1 Defining Directory Server Profiles for Remaining Domains
    A.1.2 Setting Up Disjoint Searchbases
      A.1.2.1 About Deleting a Disjoint Searchbase
    A.1.3 Configuring Group-Search Read Operations (Optional)
  A.2 Authentication and Authorization with Active Directory
    A.2.1 Parent-Child Authentication
    A.2.2 Parent-Child Authorization
    A.2.3 ObMyGroups Action Attribute
  A.3 Configuring the credential_mapping Plug-In
  A.4 Configuring Single Sign-On for Use with Active Directory
  A.5 About Search Filters
  A.6 About the Length of the SAMAccountName
  A.7 Configuring for .NET Features
  A.8 Troubleshooting
  A.9 Microsoft Resources

B Configuring for ADSI
  B.1 About ADSI with Oracle Access Manager
    B.1.1 Recommendation
  B.2 Identity System ADSI Configurations
    B.2.1 Pure ADSI with ADSI Authentication
    B.2.2 Mixed ADSI with LDAP Authentication
    B.2.3 Bind Mechanisms for the Identity Server
    B.2.4 Oracle Access Manager ADSI Configuration Files
      B.2.4.1 About globalparams
      B.2.4.2 About adsi_params
  B.3 Access System ADSI Configurations
    B.3.1 Pure ADSI with ADSI Authentication
    B.3.2 Access System ADSI Configuration Files
  B.4 Configuring ADSI for the Identity System
  B.5 Enabling ADSI for a Default Directory Profile
  B.6 Enabling ADSI for Other Directory Profiles
  B.7 Configuring ADSI for the Access System
  B.8 Changing the pageSize Parameter
  B.9 Troubleshooting

C Configuring for Active Directory with LDAP
  C.1 Overview
  C.2 Setting Up the Policy Manager for LDAP
  C.3 Setting Up the Access Server for LDAP
  C.4 Setting Active Directory Timeouts for LDAP
  C.5 Enabling LDAP Authentication with ADSI

D Implementing .NET Features
  D.1 Resolving Ambiguous Names
    D.1.1 About ANR Attributes, Searches, and Results
    D.1.2 Configuring for ANR
      D.1.2.1 Updating Configuration Data
      D.1.2.2 Configuring ANR in Identity System Panels
      D.1.2.3 Verifying ANR Attribute Access Control
      D.1.2.4 Using ANR in Identity System Searches
  D.2 Configuring for Dynamically Linked Auxiliary Classes
    D.2.1 Adding Attributes Dynamically
    D.2.2 Adding Attributes for a Group
  D.3 Enabling Fast Bind for Access System Authentication
  D.4 Enabling Impersonation
  D.5 Setting Up Integrated Windows Authentication
    D.5.1 Enabling IWA on the WebGate Web Server
    D.5.2 Configuring the WebGate for IWA
    D.5.3 Creating an IWA Authentication Scheme in Oracle Access Manager
    D.5.4 Testing IWA Implementation
  D.6 Using Access System Password Management
  D.7 Using Managed Code and Helper Classes
  D.8 Integrating with Authorization Manager Services
  D.9 Integrating with Smart Card Authentication
  D.10 Integrating the Security Connector for ASP.NET
  D.11 Troubleshooting
  D.12 Microsoft Resources

E Oracle Access Manager Parameter Files
  E.1 File Categories
  E.2 For More Information on the Parameter Files

F Troubleshooting Oracle Access Manager
  F.1 Problems and Solutions
    F.1.1 Memory Usage Rises for an Identity Server After Configuring a Directory Server Profile
      F.1.1.1 Problem
      F.1.1.2 Solution
    F.1.2 Unable to Save a Directory Server Profile
      F.1.2.1 Problem
      F.1.2.2 Solution
    F.1.3 Active Directory: Adding Members Causes the Group Size to Shrink
    F.1.4 ADSI Cannot Be Enabled for a Directory Profile
      F.1.4.1 Problem
      F.1.4.2 Solution
    F.1.5 Database Validation Fails
      F.1.5.1 Problem
      F.1.5.2 Solution
    F.1.6 Simple Transport Security Mode Expires After One Year
      F.1.6.1 Problem
      F.1.6.2 Solution
    F.1.7 Style Sheet Validation Fails
      F.1.7.1 Problem
      F.1.7.2 Solution
    F.1.8 "Cannot Find xenroll.cab" Error Is Issued When Using a Workflow
      F.1.8.1 Problem
      F.1.8.2 Solution
    F.1.9 "Enable Failed" Error Is Issued When Using a Workflow
      F.1.9.1 Problem
      F.1.9.2 Solution
    F.1.10 JPEG Photo Images Are Not Updated
      F.1.10.1 Problem
      F.1.10.2 Solution
  F.2 Need More Help?

Index