| Oracle® Identity Manager Installation Guide for WebLogic Release 9.0.3.1 Part Number B32461-03 |
|
|
View PDF |
| Oracle® Identity Manager Installation Guide for WebLogic Release 9.0.3.1 Part Number B32461-03 |
|
|
View PDF |
After you have installed Oracle Identity Manager, you must complete some post-installation tasks before you can use the application. Some of the post-installation tasks are optional, depending on your deployment, before using the applications.
This chapter discusses the following topics:
After you install the Oracle Identity Manager software on WebLogic, you must perform the tasks in this section for Oracle Identity Manager to operate properly.
After you install Oracle Identity Manager, you must set the memory size, set up the authentication information for Oracle Identity Manager, then create and configure an XML registry.
Note:
If you are configuring WebLogic for Oracle Identity manager in a clustered environment, start the following procedure on step 7.To configure WebLogic for Oracle Identity Manager:
Use the WebLogic administration console to shut down the application server gracefully.
Navigate to <BEA_HOME>\user_projects\domains\<domain_name> (for example, C:\bea\user_projects\domains\mydomain).
Open the WebLogic start script file in a text editor. The start script is:
For Windows:
startWebLogic.cmd
For UNIX or Linux:
startWebLogic.sh
Edit the script to specify memory options:
For Windows:
Locate the line that starts with the following:
%JAVA_HOME%\bin\java %JAVA_VM% %MEM_ARGS% %JAVA_OPTIONS%
Add the following line just before it:
set MEM_ARGS=-Xmx1024m -XX:PermSize=128m
For UNIX or Linux:
Locate the line that starts with the following:
${JAVA_HOME}/bin/java ${JAVA_VM} ${MEM_ARGS} ${JAVA_OPTIONS}
Add the following lines just before it:
MEM_ARGS="-Xmx1024m -XX:PermSize=128m" export MEM_ARGS
Save and close the file.
Stop the application server using Admin Console and then start the WebLogic server by navigating to the following directory:
<XL_HOME>\xellerate\bin\
Run the following command on Windows:
xlStartServer.bat
Run the following command on UNIX or Linux:
xlStartServer.sh
Log in to the WebLogic administration console.
In the left frame, select Security, select Realms, select myrealms, select Providers, then select Authentication.
Click Configure a new OIM Authenticator.
Leave Name as the default.
Set the Control Flag to Sufficient, then click Create.
In the left frame, click Authentication and select DefaultAuthenticator.
Set the Control Flag to Sufficient, then click Apply.
In the left frame, click Services.
Right-click XML, then select Configure a new XMLRegistry from the short-cut menu.
Enter the registry information:
Enter a unique name, for example, Oracle Identity Manager XML registry.
Use default values for the other fields, then click Create.
Click the Target and Deploy tab.
Click the server check box to select it (myserver is the default server name).
Click Apply.
Note:
For clustered environments, be sure perform this step on all cluster members.In the left-hand frame, click XML, then click your new XML registry entry to expand it.
Right-click Parser Select Entries, then select Configure a New XMLPareserSelectRegistryEntry from the short-cut menu.
Enter the configuration information:
Make sure the Public ID field is blank.
Make sure the System ID field is blank.
In the Root Element Tag field, enter the word "database" without quotation marks.
In the Document Builder Factory field, enter the following string:
org.apache.crimson.jaxp.DocumentBuilderFactoryImpl
Make sure the Parser Class Name field is blank.
In the SAX Parser Factory field, enter the following string:
org.apache.xerces.jaxp.SAXParserFactoryImpl
Click Create.
Stop the WebLogic application server gracefully.
Restart the WebLogic Server for the new configuration to become active.
Note:
If you are using SQL Server as your database and the Oracle Identity Manager server log shows traces of exceptions related to MS JDBC classes, you must add three MS JDBC files to the beginning of CLASSPATH in the startWebLogic script located in the domain directory and restart the server.Add the following three files, located in the /weblogic81/server/lib/ directory, to the beginning of CLASSPATH in the startWebLogic script and restart the server:
mssqlserver.jar
msbase.jar
msutil.jar
In a clustered environment, add these three .jar files in the Class Path field in the Remote Start tab of all Managed Servers.
After you install Oracle Identity Manager on WebLogic, you must set up an XA connection.
To set up an XA connection:
Log in to the WebLogic administrative console and select Services.
Select JDBC on the Services page.
Select Connection Pools on the JDBC page.
Select xlXAConnectionPool on the Connection Pools page.
Select the Connections tab.
Select Show under Advanced Options.
Select Keep XA Connection Till Transaction Complete.
Click Apply to commit your changes.
Restart your WebLogic application server.
Before deploying Oracle Identity Manager into production environments on WebLogic application servers, you should verify certain WebLogic configuration settings. While Oracle Identity Manager will operate properly on WebLogic application servers if the following settings are not enabled, you should verify the following for production environments to ensure you realize the proper performance typically not encountered in simulated test or development environments. Use the WebLogic Administrative Console to verify the following settings:
Connection Pool settings for both the Oracle Identity Manager JDBC Connection pools, xlConnectionPool and xlXAConnectionPool, are set as follows:
Initial Capacity: 30
Maximum Capacity: 50
Capacity Increment: 5
Test Reserved Connections is enabled for both xlConnectionPool and xlXAConnectionPool and the test table name is XSD.
Keep XA Connection Till Transaction Complete is enabled for xlXAConnectionPool.
The JMS server affinity of the JMS Connection Factory, xlConnectionFactory, is disabled.
The Redelivery Limit for JMS Queue (xlQueue) is set to 1.
Note:
In a WebLogic cluster, verify this setting for all physical queues that are part of the queue/xlqueue distributed queue.The Error Destination for JMS Queue (xlQueue) is set to the proper error queues. For the default queue (xlQueue), the error queue name is queue/xlErrorQueue.
Note:
In a WebLogic cluster, verify this setting for all physical queues that are part of the queue/xlqueue distributed queue. The Error Destination will be different for the different physical queues participating in the distributed queue.The Replicate JNDI Name In Cluster setting for JMS Queues (xlQueue and xlErrorQueue) are enabled.
Note:
In a WebLogic cluster, verify this setting for all physical queues that are part of the queue/xlqueue and queue/xlErrorQueue distributed queue.After installing Oracle Identity Manager, you should considering performing the optional post-installation tasks documented in this section before using the application. Depending on your Oracle Identity Manager deployment, you may choose not to perform some of these tasks.
Oracle Identity Manager has two keystores: one for the Oracle Identity Manager server and one for the database. During installation, the passwords for both are set to xellerate. Oracle recommends changing the keystore passwords for all production installations. You can use the keytool to change the keystore password for either keystore.
To change the keystore password:
Open a command prompt on the Oracle Identity Manager host computer.
Navigate to the <XL_HOME>\xellerate\config directory.
Run the keytool with the following options:
<JAVA_HOME>\jre\bin\keytool -storepasswd -new <new_password> -storepass xellerate -keystore .xlkeystore -storetype JKS
Table 7-1 lists the options used in the preceding example of keytool usage:
Table 7-1 Command Options for keytool
| Option | Description |
|---|---|
|
|
Location of the Java directory associated with the application server |
|
|
New password for the keystore |
|
|
Keystore whose password you are changing (.xlkeystore for the Oracle Identity Manager server or .xldatabasekey for the database) |
|
|
JKS for .xlkeystore and JCEKS for .xldatabasekey |
Launch a plain-text editor, then open the <XL_HOME>\xellerate\config\xlconfig.xml.
Edit the <xl-configuration>.<Security>.<XLPKIProvider>.<KeyStore> section to specify the keystore password.
Note:
Change the <XLSymmetricProvider>.<KeyStore> section of the configuration file to update the password for the database keystore (.xldatabasekey).Change the password tag to encrypted="false".
Enter the password (in the clear). For example, you could change the following block:
<Security>
<XLPKIProvider>
<KeyStore>
<Location>.xlkeystore</Location>
<Password encrypted="true">xYr5V2FfkRYHxKXHeT9dDg==</Password>
<Type>JKS</Type>
<Provider>sun.security.provider.Sun</Provider>
</KeyStore>
To the following:
<Security>
<XLPKIProvider>
<KeyStore>
<Location>.xlkeystore</Location>
<Password encrypted="false">newpassword
</Password>
<Type>JKS</Type>
<Provider>sun.security.provider.Sun</Provider>
</KeyStore>
Restart your application server.
When you stop and start the application server, a backup of the configuration file is created. The configuration file (with the new password) is read in, and the password is encrypted in the file.
If all of the preceding steps have succeeded, you can delete the backup file.
Note:
On UNIX or Linux, you may also want to clear the shell's command history by using the following command:history -c
Oracle Identity Manager uses log4j for logging. Logging levels are configured in the logging properties file, <XL_HOME>/xellerate/config/log.properties.
The following is a list of the supported log levels, appearing in descending order of information logged (DEBUG logs the most information and FATAL logs the least information):
DEBUG
INFO
WARN
ERROR
FATAL
By default, Oracle Identity Manager is configured to output at the Warning level—except for DDM, which is configured to output at the Debug level by default. You can change the log level universally for all components or for an individual component.
Oracle Identity Manager components are listed in the <XL_HOME>\xellerate\config\log.properties file in the XELLERATE section, for example:
log4j.logger.XELLERATE=WARN log4j.logger.XELLERATE.DDM=DEBUG log4j.logger.XELLERATE.ACCOUNTMANAGEMENT=DEBUG log4j.logger.XELLERATE.SERVER=DEBUG log4j.logger.XELLERATE.RESOURCEMANAGEMENT=DEBUG log4j.logger.XELLERATE.REQUESTS=DEBUG log4j.logger.XELLERATE.WORKFLOW=DEBUG log4j.logger.XELLERATE.WEBAPP=DEBUG log4j.logger.XELLERATE.SCHEDULER=DEBUG log4j.logger.XELLERATE.SCHEDULER.Task=DEBUG log4j.logger.XELLERATE.ADAPTERS=DEBUG log4j.logger.XELLERATE.JAVACLIENT=DEBUG log4j.logger.XELLERATE.POLICIES=DEBUG log4j.logger.XELLERATE.RULES=DEBUG log4j.logger.XELLERATE.DATABASE=DEBUG log4j.logger.XELLERATE.APIS=DEBUG log4j.logger.XELLERATE.OBJECTMANAGEMENT=DEBUG log4j.logger.XELLERATE.JMS=DEBUG log4j.logger.XELLERATE.REMOTEMANAGER=DEBUG log4j.logger.XELLERATE.CACHEMANAGEMENT=DEBUG log4j.logger.XELLERATE.ATTESTATION=DEBUG log4j.logger.XELLERATE.AUDITOR=DEBUG
To set Oracle Identity Manager log levels, edit the logging properties in the <XL_HOME>\xellerate\config\log.properties file as follows:
Open the <XL_HOME>\xellerate\config\log.properties file in a text editor.
This file contains a general setting for Oracle Identity Manager and specific settings for the components and modules that comprise Oracle Identity Manager.
By default, Oracle Identity Manager is configured to output at the Warning level:
log4j.logger.XELLERATE=WARN
This is the general value for Oracle Identity Manager. Individual components and modules are listed following the general value in the properties file. You can set individual components and modules to different log levels. The log level for a specific component overrides the general setting.
Set the general value to the desired log level.
Set other component log levels as desired.
Individual components or modules can have different log levels. For example, the following values set the log level for the Account Management module to INFO, while the server is at DEBUG and the rest of Oracle Identity Manager is at the WARN level.
log4j.logger.XELLERATE=WARNlog4j.logger.XELLERATE.ACCOUNTMANAGEMENT=INFOlog4j.logger.XELLERATE.SERVER=DEBUG
Save your changes.
Restart your application server so that the changes take effect.
The following procedure describes how to enable Single Sign-On for Oracle Identity Manager with ASCII character logins. To enable Single Sign-On with non-ASCII character logins, use the following procedure—but include the additional configuration setting described in step 4.
See Also:
Oracle Identity Manager Best Practices Guide for additional information about configuring Single Sign-On for Oracle Identity Manager with Oracle Access Manager.Note:
Header names comprised only of alphabetic characters are certified. Oracle recommends not using special characters or numeric characters in header names.To enable Single Sign-On for Oracle Identity Manager:
Stop the application server gracefully.
Launch a plain-text editor and open the following file:
<XL_HOME>\xellerate\config\xlconfig.xml
Locate the following Single Sign-On configuration (the following are the default settings without Single Sign-On):
<web-client> <Authentication>Default</Authentication> <AuthHeader>REMOTE_USER</AuthHeader> </web-client>
Edit the Single Sign-On configuration to be the following and replace <SSO_HEADER_NAME> with the appropriate header configured in your Single Sign-On system:
<web-client>
<Authentication>SSO</Authentication>
<AuthHeader><SSO_HEADER_NAME></AuthHeader>
</web-client>
To enable Single Sign-On with non-ASCII character logins you must include a decoding class name to decode the non-ASCII header value. Add the decoding class name and edit the Single Sign-On configuration as follows:
<web-client>
<Authentication>SSO</Authentication>
<AuthHeader><SSO_HEADER_NAME></AuthHeader>
<AuthHeaderDecoder>com.thortech.xl.security.auth.CoreIDSSOAuthHeaderDecoder</AuthHeaderDecoder>
</web-client>
Replace <SSO_HEADER_NAME> with the appropriate header configured in your Single Sign-On system
Change your application server and web server configuration to enable Single Sign-On by referring to your application and web server vendor documentation.
Restart the application server.
This section describes how to use custom authentication solutions with Oracle Identity Manager.
Oracle Identity Manager deploys a Java Authentication and Authorization Service (JAAS) module to authenticate users. For unattended logins, which require offline message processing and scheduled task execution, Oracle Identity Manager uses signature-based authentication. Although you should use JAAS to handle signature-based authentication, you can create a custom authentication solution to handle standard authentication requests.
Note:
The Oracle Identity Manager JAAS module must be deployed on your application server and should be the first invoked authenticator.To enable custom authentication on WebLogic application server, you use the WebLogic Server Console, which allows you to add multiple authentication providers and invoke them in a specific order. The custom authentication provider you specify will handle standard authentication requests and the Oracle Identity Manager JAAS module will continue to handle signature-based authentication.
Note:
The custom authentication provider you specify must come after the Oracle Identity Manager JAAS module in the WebLogic Server Console's list of authentication providers.To specify a custom authentication provider for WebLogic:
Start the WebLogic Server Console and open the Authentication Providers page from domain/Security/Realms/realm name/Providers/Authentication.
On the Authentication Providers page, select Oracle Identity Manager Authenticator from the table at the bottom of the page. The Oracle Identity Manager Authenticator page appears.
On the Oracle Identity Manager Authenticator page, select the Allow Custom Authentication check box on the Details tab, and then click Apply.
On the Authentication Providers page, configure a new authentication provider by clicking the Configure a new ... link for the custom authentication provider you want to add.
When you are finished configuring the new authentication provider, be sure that it is listed after Oracle Identity Manager Authenticator (which is the Oracle Identity Manager JAAS module) in the list of authentication providers. If the Oracle Identity Manager Authenticator is not listed above your custom authentication provider, click Re-order the Configured Authentication Providers.
Restart the WebLogic application server.
When you specify a custom authentication solution, you should also protect the Java Naming and Directory Interface (JNDI) namespace to ensure that only designated users have permission to view resources. The primary purpose of protecting the JNDI namespace is to protect Oracle Identity Manager from any malicious applications that may be installed in the same application server instance. Even if no other applications, malicious or otherwise, are installed in the same application server instance as Oracle Identity Manager, you should protect your JNDI namespace as a routine security measure.
To protect your JNDI namespace and configure Oracle Identity Manager to access it:
Open the <XL_HOME>/config/xlconfig.xml file in a text editor and add the following elements to the <Discovery> element:
<java.naming.security.principal> <java.naming.security.credentials>
To optionally encrypt the JNDI password, add an encrypted attribute that is assigned a value of true to the <java.naming.security.credentials> element, and assign the password as the element's value, as follows:
<java.naming.security.credentials
encrypted="true">password</java.naming.security.credentials>
Add the following elements to the <Scheduler> element:
<CustomProperties> <org.quartz.dataSource.OracleDS.java.naming.security.principal>user </org.quartz.dataSource.OracleDS.java.naming.security.principal> <org.quartz.dataSource.OracleDS.java.naming.security.credentials>pwd </org.quartz.dataSource.OracleDS.java.naming.security.credentials></CustomProperties>
Restart the server.
If you created a user that is the only user that can perform lookups, you may see the following exception when attempting to start the Oracle Identity Manager server where <user_name> represents the user you created to perform lookups:
[XELLERATE.ACCOUNTMANAGEMENT],Class/Method: Authenticate/connect User with ID: <user_name> was not found in Xellerate. [XELLERATE.ACCOUNTMANAGEMENT],Class/Method: Authenticate/connect User with ID: <user_name> was not found in Xellerate. [XELLERATE.ACCOUNTMANAGEMENT],Class/Method: XellerateLoginModuleImpl/login encounter some problems: com.thortech.xl.security.tcLoginException: at com.thortech.xl.security.tcLoginExceptionUtil.createException(Unknown Source) at com.thortech.xl.security.tcLoginExceptionUtil.createException(Unknown Source) at com.thortech.xl.security.Authenticate.connect(Unknown Source) at com.thortech.xl.security.wl.XellerateLoginModuleImpl.login(Unknown Source) at weblogic.security.service.DelegateLoginModuleImpl.login(DelegateLoginModuleImpl.java:71)
To resolve this issue, refresh the embedded LDAP directory in the Managed Server with the LDAP directory in the Admin Server after starting the Oracle Identity Manager server by using the following steps:
Log in to the WebLogic Admin Console.
Click the domain name for the Managed Server.
Click View Domain-wide security settings.
Click the Embedded LDAP tab.
Select the Refresh replica at startup option and click Apply.
Restart the Admin and Managed Servers.
Note:
You should only need to perform these steps once to resolve this issue and you can disable the Refresh replica at startup option after restarting the Admin and Managed Servers.