Oracle® Identity Manager Installation and Configuration Guide for Oracle Application Server
Release 9.1.0

Part Number E10368-03

10 Installing and Configuring the Oracle Identity Manager Design Console

This section explains how to install the Oracle Identity Manager Design Console Java client. You have the option to install the Design Console on the same computer as your Oracle Identity Manager server or on a separate computer.

This chapter contains the following topics:

Requirements for Installing the Design Console

Verify that your environment meets the following requirements for Design Console installation:

Note:

If you cannot resolve the host name of the application server, then try adding the host name and IP address in the hosts file in the directory C:\winnt\system32\drivers\etc\.

Installing the Design Console

To install the Design Console on a Microsoft Windows host:

  1. Insert the Oracle Identity Manager Installation CD into your CD-ROM drive.

  2. Using Windows Explorer, navigate to the installServer directory on the installation CD.

  3. Double-click the setup_client.exe file.

  4. Choose a language from the list on the Installer page. The Welcome page is displayed.

  5. On the Welcome page, click Next.

  6. On the Target directory page, complete one of the following sub-steps:

    Note:

    All Oracle Identity Manager components must be installed in different home directories. If you are installing the Design Console on a computer that is hosting another Oracle Identity Manager component, such as Oracle Identity Manager or the Remote Manager, you must specify a different installation directory for the Design Console.
    1. The default directory for the Design Console is C:\oracle. To install the Design Console in this directory, click Next.

    2. To install the Design Console in another directory, specify the path of the directory in the Directory field, and then click Next.

      Note:

      If the directory path that you select does not exist, then the Base Directory settings field is displayed. Click OK. The directory is automatically created. If you do not have write permission to create the default directory for Oracle Identity Manager, then a message is displayed informing you that the installer could not create the directory. Click OK to close the message and then contact your system administrator to obtain the appropriate permissions.
  7. On the Application Server page, select Oracle Application Server, and then click Next. The next page prompts you to specify the JRE to use with Design Console.

  8. Select the JRE that is installed with Oracle Identity Manager or specify an existing JRE. Then, click Next. The Application Server configuration page is displayed.

  9. On the Application Server Host Information page, enter the information appropriate for the application server hosting your Oracle Identity Manager server:

    1. Enter the host name or IP address in the upper field.

    2. Use the default value of 12401 for the Oracle Application Server naming port or specify the appropriate value you set for the Oracle Application Server.

      Note:

      The host name is case-sensitive.
    3. Click Next.

  10. On the Graphical Workflow Rendering Information page, enter the Application server configuration information:

    1. Enter the Oracle Identity Manager server (host) IP address.

    2. Enter the port number at which Oracle HTTP Server is listening, the default port being 7777. To determine the port that Oracle HTTP Server is listening on, open ORACLE_HOME/install/readme.txt on UNIX or Linux, and ORACLE_HOME\install\readme.txt on Microsoft Windows.

    3. Select No for the option that specifies whether the Design Console must use Secure Sockets Layer (SSL).

    4. Click Next.

  11. On the Shortcut page, select (or deselect) the check boxes for the shortcut options according to your preferences:

    1. Choose to create a shortcut to the Design Console on the Start Menu.

    2. Choose to create a shortcut to the Design Console on the desktop.

    3. Click Next when you are satisfied with the check box settings.

  12. On the Summary page, click Install to initiate Design Console installation.

  13. The final installation page displays a reminder to copy certain application server-specific files to your Oracle Identity Manager server installation. Follow these instructions and then click OK.

  14. Click Finish to complete the installation process.

Postinstallation Requirements for the Design Console

After installing the Design Console, you must perform the following steps before using it for Oracle Identity Manager on Oracle Application Server:

  1. Copy the ORACLE_HOME\j2ee\home\lib\ejb.jar file on the Oracle Application Server system to the OIM_DC_HOME\xlclient\ext directory on the Design Console system.

  2. Copy the ORACLE_HOME\j2ee\home\oc4jclient.jar file on the Oracle Application Server system to the OIM_DC_HOME\xlclient\ext directory on the Design Console system.

  3. In the configuration XML file, change the multicast address to match that of Oracle Identity Manager:

    1. Open the following file:

      OIM_HOME\xellerate\config\xlconfig.xml
      
    2. Search for the <MultiCastAddress> element, and copy the value assigned to this element.

    3. Open the following file:

      OIM_DC_HOME\xlclient\Config\xlconfig.xml
      
    4. Search for the <Cache> element, and replace the value of the <MultiCastAddress> element inside this element with the value that you copied in sub-step 2.

Starting the Design Console

To start the Design Console, double-click OIM_DC_HOME\xlclient\xlclient.cmd, or select Design Console from the Windows Start menu or desktop.

Setting the Compiler Path for Adapter Compilation

In the System Configuration form of the Design Console, you must set the XL.CompilerPath system property to include the path of the bin directory inside the JDK directory (JDK_HOME\bin) that is used by the application server on which Oracle Identity Manager is deployed.

Then, restart Oracle Identity Manager.

See Also:

The "Rule Elements, Variables, Data Types, and System Properties" section in Oracle Identity Manager Reference

Enabling SSL Communication (Optional)

After installing the Oracle Identity Manager Design Console, you might want to configure it to communicate with the Oracle Identity Manager server by using SSL. Use the following procedure to complete this task. It is a two-step process in which the communication channels to Oracle HTTP Server and to the Oracle Application Server instances are secured.

The following sections provide information required for enabling SSL communication between the Design Console and Oracle Application Server.

Prerequisites or Assumptions

The following are the prerequisites or assumptions for enabling SSL communication:

  • The default certificate store ORACLE_HOME\Apache\Apache\conf\ssl.wlt\default\ewallet.p12 is being used by the Oracle HTTP Server. The password for the store must be welcome.

  • The certificate store is available on all the computers in which Oracle Application Server is running.

  • The Oracle HTTP Server is using HTTP port 80 and HTTPS port 443.

  • The ORMI port is 12401 and the ORMIS port is 12701 for the Oracle Application Server instances.

Enabling SSL for HTTP Communication to Oracle HTTP Server

By default, the Oracle HTTP Server is configured with SSL and the SSL certificate store, which is located at ORACLE_HOME\Apache\Apache\conf\ssl.wlt\default\. The listen parameter in the ORACLE_HOME\Apache\Apache\conf\ssl.conf file points to the SSL port being used by the Oracle HTTP Server.

No configuration change is required for using the default certificate store that comes along with the installation.

Enabling SSL for RMI Communication to Oracle Application Server Instances

The Design Console communicates with EJBs deployed on the Oracle Application Server instances by using the ORMI protocol, which is unsecure. To use the secured ORMIS protocol for communication between Oracle Application Server and the Design Console, you must modify both Oracle Application Server and the Design Console. The following sections provide information about the configuration changes required for a successful SSL connection:

Configuring Oracle Application Server

The following sections explain the configuration changes required for Oracle Application Server:

See Also:

The "SSL Communication" section in Oracle Containers for J2EE Security Guide for more information about configuring ORMIS

Changes to server.xml

To enable ORMIS in an Oracle Application Server instance, you must ensure that server.xml, the Oracle Application Server configuration file, contains an <rmi-config> element that specifies the path to rmi.xml, the Oracle Application Server RMI configuration file. To do so:

  1. Open the ORACLE_HOME/j2ee/OC4J_INSTANCE/config/server.xml file in a text editor.

  2. Specify the path to rmi.xml as follows:

    <rmi-config path="rmi_path" />
    

Because both the server.xml file and the rmi.xml file are typically in the ORACLE_HOME/j2ee/OC4J_INSTANCE/config directory, the typical value for rmi_path is ./rmi.xml.

Changes to rmi.xml

To enable the server to use the ORMIS protocol as well as to specify the keystore to be used for SSL communication, you must make the following changes:

  1. Open the ORACLE_HOME/j2ee/OC4J_INSTANCE/config/rmi.xml file in a text editor.

  2. Modify the rmi-server element with a keystore value as follows:

    <rmi-server ... ssl-port="23943">
        …
        …
        <ssl-config keystore="ORACLE_HOME\Apache\Apache\conf\ssl.wlt\default\ewallet.p12" keystore-password="welcome" />
    </rmi-server>
    

    Note:

    The default password for ewallet.p12 store is welcome. The password for the default certificate in the store is also welcome.

Note:

In a clustered setup, copy ewallet.p12 from the Web server to a local directory on every node, and specify that local path as the keystore value on each node.

Exporting Certificate

You must export the certificate from the default Oracle wallet ORACLE_HOME\Apache\Apache\conf\ssl.wlt\default\ewallet.p12 for the Design Console. This certificate is used for the Design Console to trust Oracle Application Server. To export the certificate, you first start Oracle Wallet Manager, as follows:

For Microsoft Windows:

Click Start, Programs, Oracle-HOME_NAME, Integrated Management Tools, and then click Wallet Manager.

For UNIX:

At the command line, go to ORACLE_HOME/bin/ and enter owm.

After you have started Oracle Wallet Manager, perform the following steps:

  1. Open the ORACLE_HOME/Apache/Apache/conf/ssl.wlt/default/ directory by using Oracle Wallet Manager.

  2. Enter the store password as welcome when prompted.

  3. Right click Certificate (Ready) and click Export User Certificate.

  4. Enter the file name as server.cert and save.

    This certificate is used by the Design Console to trust Oracle Application Server.

    See Also:

    The "Secure Sockets Layer" section in Oracle Application Server Administrator's Guide for more information about Oracle Wallet Manager

Changes to opmn.xml

You must make the following changes in the opmn.xml file:

  1. Open the ORACLE_HOME\opmn\conf\opmn.xml file in a text editor.

  2. Modify the following:

    <port id="rmis" range="12701-12800"/>
    

    to a single port usage as follows:

    <port id="rmis" range="12701"/>
    

    Note:

    This change to the rmis port range is mandatory to ensure that the ORMIS port is always unique.
  3. Restart the corresponding Oracle Application Server instance.

Note:

For a clustered setup, all of these changes are required for all the nodes.

Configuring the Design Console

The following sections provide information about the changes required for the Design Console:

Changes to xlconfig.xml

By default, the Design Console uses the ORMI port to connect to Oracle Application Server and HTTP for connecting to the Oracle HTTP Server. In order to enable SSL communication, you must configure the Design Console to use ORMIS and HTTPS connections. To do so:

  1. Open the OIM_DC_HOME\xlclient\Config\xlconfig.xml file in a text editor.

  2. Make the following modification:

    • Change

      <java.naming.provider.url>ormi://SERVER_HOST:12401</java.naming.provider.url>
      

      to

      <java.naming.provider.url>ormis://SERVER_HOST:12701</java.naming.provider.url>
      

      Note:

      For a clustered installation, ensure that you add the participating nodes with corresponding SSL port as comma separated values in the URL for java.naming.provider.url.

      <java.naming.provider.url> ormis://node1:12701, ormis://node2:12702</java.naming.provider.url>

    • Change

      <ApplicationURL>http://SERVER_HOST/xlWebApp/loginWorkflowRenderer.do
      </ApplicationURL>
      

      to

      <ApplicationURL>https://SERVER_HOST/xlWebApp/loginWorkflowRenderer.do
      </ApplicationURL>
      

      Note:

      It is assumed that 12401 is the ORMI port and 12701 is the ORMIS port of the Oracle Application Server instance. In addition, HTTP port is 80 and HTTPS port is 443 for Oracle HTTP Server. ORMI and ORMIS ports can be viewed from the Oracle Application Server Administrative Console.

      For more information, refer to Oracle Containers for J2EE Configuration and Administration Guide.
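
One way to check the result of the two changes above, as an added example that is not part of the Oracle documentation: the script parses a Design Console xlconfig.xml and reports any provider URL or ApplicationURL that still uses a non-SSL scheme, including individual nodes in a clustered URL list. The sample file content, its outer element names, and the function name `audit_xlconfig` are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: only the two elements named in this guide matter; the
# surrounding element names and nesting are assumptions.
SAMPLE_XLCONFIG = """\
<xl-configuration>
  <Discovery>
    <java.naming.provider.url> ormis://node1:12701, ormi://node2:12401</java.naming.provider.url>
  </Discovery>
  <ApplicationURL>http://SERVER_HOST/xlWebApp/loginWorkflowRenderer.do
  </ApplicationURL>
</xl-configuration>
"""

# Element name -> URL scheme required once SSL is enabled.
REQUIRED_SCHEME = {"java.naming.provider.url": "ormis", "ApplicationURL": "https"}

def audit_xlconfig(xml_text):
    """Return findings for Design Console endpoints that are not SSL-protected."""
    root = ET.fromstring(xml_text)
    findings = []
    for tag, scheme in REQUIRED_SCHEME.items():
        # Search by tag name anywhere in the tree, so nesting is not assumed.
        elems = list(root.iter(tag))
        if not elems:
            findings.append(f"{tag}: element not found")
        for elem in elems:
            # A clustered setup lists several comma-separated URLs.
            urls = [u.strip() for u in (elem.text or "").split(",") if u.strip()]
            if not urls:
                findings.append(f"{tag}: empty value")
            for url in urls:
                if urlsplit(url).scheme.lower() != scheme:
                    findings.append(f"{tag}: expected {scheme}://, found {url}")
    return findings

if __name__ == "__main__":
    for finding in audit_xlconfig(SAMPLE_XLCONFIG):
        print(finding)
```

An empty result means every endpoint in the file uses ORMIS or HTTPS; a single remaining ormi:// node in a cluster list is reported on its own line.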

Configuring the Trust Store

By default, the Design Console uses the OIM_DC_HOME\java\lib\security\cacerts as the trust store for the SSL communication. The default password for the store is changeit. The server certificate must be imported to this store to make the Design Console trust Oracle Application Server. To configure the trust store:

  1. Copy server.cert from Oracle Application Server to the Design Console at the following location:

    OIM_DC_HOME\java\lib\security
    
  2. Import the Oracle Application Server certificate by using the following commands:

    cd OIM_DC_HOME\java\lib\security
    keytool -import -trustcacerts -alias oimserver1 -keystore cacerts -file server.cert -storepass changeit -keypass welcome
    

    Note:

    For a clustered installation, repeat the "Configuring the Trust Store" step for all the Oracle Application Server instances. When you import the certificate by using keytool, ensure that you use the unique alias for each Oracle Application Server instance in a cluster.
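
Because server.cert is copied between hosts before it becomes a trust anchor in cacerts, it is worth confirming that the copy on the Design Console is the certificate that was exported on the server. The following added example (not part of the Oracle documentation) computes a SHA-256 fingerprint over the certificate's DER encoding, accepting either a Base64 (PEM) or a binary DER file, and compares it with the value recorded on the server. The function names and the stand-in byte strings are assumptions made for illustration.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def cert_der(data):
    """Return the DER bytes of a certificate file in Base64 (PEM) or DER form."""
    match = PEM_RE.search(data)
    if match is None:
        return data  # no PEM armor: treat the file as raw DER
    return base64.b64decode(b"".join(match.group(1).split()), validate=True)

def sha256_fingerprint(data):
    """Colon-separated SHA-256 fingerprint, computed over the DER encoding."""
    digest = hashlib.sha256(cert_der(data)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def same_certificate(expected_fp, copied_file):
    """True if the copied file has the fingerprint recorded on the server."""
    def normalize(fp):
        return fp.replace(":", "").replace(" ", "").upper()
    return normalize(expected_fp) == normalize(sha256_fingerprint(copied_file))

# Constructed stand-in bytes, not a real certificate: the fingerprint is a
# hash of the encoded bytes, so any byte string exercises the comparison.
DER_ON_SERVER = bytes(range(48)) * 4
PEM_ON_CLIENT = (b"-----BEGIN CERTIFICATE-----\n"
                 + base64.encodebytes(DER_ON_SERVER)
                 + b"-----END CERTIFICATE-----\n")
TAMPERED = DER_ON_SERVER[:-1] + b"\xff"  # same length, last byte changed

if __name__ == "__main__":
    recorded = sha256_fingerprint(DER_ON_SERVER)
    print("recorded on server:", recorded)
    print("PEM copy matches:", same_certificate(recorded, PEM_ON_CLIENT))
    print("tampered copy matches:", same_certificate(recorded, TAMPERED))
```

Record the fingerprint on the Oracle Application Server host at export time and run the comparison on the Design Console host before the keytool import, once per node in a cluster.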

Note:

This document describes the use of the default store, ewallet.p12, for implementing SSL for the Design Console. Oracle recommends the use of certificate authority certificates for production implementations.

For more information refer to Oracle Application Server Administrator's Guide, Oracle Containers for J2EE Security Guide, and Oracle HTTP Server Administrator's Guide.

Removing the Design Console Installation

To remove the Design Console installation, perform the following steps:

  1. Stop Oracle Identity Manager and the Design Console if they are running.

  2. Stop all Oracle Identity Manager processes.

  3. Delete the OIM_DC_HOME directory in which you installed the Design Console.