Oracle® Identity Manager Installation and Configuration Guide for IBM WebSphere Application Server Release 9.1.0 Part Number E10371-05
This chapter explains how to install the Oracle Identity Manager Design Console Java client. You can install the Design Console on the same computer in which Oracle Identity Manager is installed or on a separate computer.
This chapter discusses the following topics:
Verify that your system environment meets the following requirements for Design Console installation:
You must have a running installation of Oracle Identity Manager.
If you are installing on a computer other than the host for the application server, then you must know the host name and port number of the computer hosting that application server.
The Design Console host must be able to ping the application server host by using both IP and host name.
For a clustered Oracle Identity Manager installation, you must know the host name and port number of the Web server.
Note:
If you cannot resolve the host name of the application server, then try adding the host name and IP address to the hosts file in the C:\winnt\system32\drivers\etc\ directory.
The Design Console must be installed on the same computer as the IBM WebSphere Application Client.
Ensure that the WebSphere Application Client is configured with the appropriate server certificate.
Refer to the "Setting Environment Variables" section for more information.
Ensure that the complete JRE is installed for WebSphere Application Client in the same way as it is for the Application Server JRE installation. A valid and complete WebSphere Application Client installation includes a java directory. If this java directory does not exist for the WebSphere Application Client installation, then create it by copying it from the WebSphere Application Server installation.
This section describes how to install the Design Console.
Note:
All Oracle Identity Manager components must be installed in different home directories. If you are installing the Design Console on a computer that is hosting another Oracle Identity Manager component, such as Oracle Identity Manager or the Remote Manager, then you must specify a different installation directory for the Design Console.
To install the Design Console on a Microsoft Windows host:
Insert the Oracle Identity Manager Installation CD into your CD-ROM drive.
Using Windows Explorer, navigate to the installServer directory on the installation CD.
Double-click the setup_client.exe file.
Choose a language from the list on the Installer page.
The Welcome page is displayed.
In the Welcome page, click Next.
In the Target directory page, complete one of the following steps:
The default directory for the Design Console is C:\oracle. To install the Design Console into this directory, click Next.
To install the Design Console into another directory, enter the path in the Directory field, then click Next. Alternatively, you can click Browse, navigate to the desired location, and then click Next.
Note:
If the directory path that you specified does not exist, then the Base Directory settings field is displayed. Click OK. The directory is automatically created. If you do not have write permission to create the default directory for Oracle Identity Manager, then a message is displayed informing you that the installer could not create the directory. Click OK to close the message, and then contact your system administrator to obtain the appropriate permissions.
In the Application Server page, select WebSphere, and then click Next.
In the IBM WebSphere Directory page, enter the location of the WebSphere Application Client directory, and then click Next.
In the Application Server configuration page, enter the information appropriate for the application server hosting Oracle Identity Manager, as follows:
In the first (upper) field, enter the host name or IP address of the application server.
In the second field, enter the bootstrap naming port for the application server on which Oracle Identity Manager is deployed.
Note:
The host name is case-sensitive. To find the bootstrap naming port, open AboutThisProfile.txt in WEBSPHERE_HOME/profiles/PROFILE_NAME/logs.
Click Next.
In the Graphical Workflow Rendering Information page, enter the Application server configuration information:
Enter the Oracle Identity Manager server (host) IP address. For a clustered environment, enter the IIS server IP address.
Enter the port number. For a clustered environment, enter the IIS server port number.
Select Yes or No to specify whether or not the Design Console must use Secure Sockets Layer (SSL).
Click Next.
In the Shortcut page, select the shortcut options according to your preferences:
Choose to create a shortcut to the Design Console on the Start menu.
Choose to create a shortcut to the Design Console on the desktop.
After completing the settings, click Next.
In the Summary page, click Install to start the Design Console installation.
The final installation page displays a reminder to copy certain application server-specific files to the Oracle Identity Manager installation.
Follow these instructions and then click OK.
Click Finish to complete the installation.
To run the Design Console, a JAR file must be copied from the WebSphere Application Server installation to your Design Console installation. The JAR file must be extracted from the Oracle Identity Manager EAR file. Perform the following steps:
Extract the xlDataObjectBeans.jar file from the Oracle Identity Manager EAR file.
Copy xlDataObjectBeans.jar into the following directory:
OIM_DC_HOME\xlclient\lib
Click OK to replace the old xlDataObjectBeans.jar file.
In the configuration XML file, change the multicast address to match that of Oracle Identity Manager:
Open the following file:
OIM_HOME\xellerate\config\xlconfig.xml
Search for the <MultiCastAddress> element, and copy the value assigned to this element.
Open the following file:
OIM_DC_HOME\xlclient\Config\xlconfig.xml
Search for the <Cache> element, and replace the value of the <MultiCastAddress> element inside this element with the value that you copied from the Oracle Identity Manager xlconfig.xml file.
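The multicast-address step above, as an added worked example that is not part of this guide and not Oracle Identity Manager code: a Python script that reads the <MultiCastAddress> inside <Cache> from a server-side xlconfig.xml, checks that the value really is a multicast address (a unicast value here is a configuration error and should not be propagated to the client), and writes it into the Design Console copy. The two XML documents are constructed samples; only the <Cache> and <MultiCastAddress> element names come from the guide, while the <xl-configuration> root, the <MultiCastPort> element and the address values are assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample of the server-side file (OIM_HOME\xellerate\config\xlconfig.xml).
# Only the <Cache> and <MultiCastAddress> element names come from the guide; the
# <xl-configuration> root, <MultiCastPort> and the address values are assumptions.
SERVER_XLCONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<xl-configuration>
  <Cache>
    <MultiCastAddress>231.173.46.19</MultiCastAddress>
    <MultiCastPort>7799</MultiCastPort>
  </Cache>
</xl-configuration>
"""

# Constructed sample of the Design Console copy (OIM_DC_HOME\xlclient\Config\xlconfig.xml)
# that still carries a different address and therefore has to be updated.
CLIENT_XLCONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<xl-configuration>
  <Cache>
    <MultiCastAddress>239.0.0.1</MultiCastAddress>
    <MultiCastPort>7799</MultiCastPort>
  </Cache>
</xl-configuration>
"""


def _find_cache_multicast(root):
    """Locate <MultiCastAddress> inside <Cache>; the guide only says it is 'inside', so
    search every descendant of <Cache> rather than assuming a direct child."""
    cache = root.find(".//Cache")
    return None if cache is None else cache.find(".//MultiCastAddress")


def read_multicast_address(xml_text: str) -> str:
    """Return the <MultiCastAddress> value found inside <Cache>, validated as a multicast IP."""
    node = _find_cache_multicast(ET.fromstring(xml_text))
    if node is None or not (node.text or "").strip():
        raise ValueError("no <MultiCastAddress> element found inside <Cache>")
    addr = node.text.strip()
    # 224.0.0.0/4 (or ff00::/8) is the only range that makes sense for cache multicast;
    # anything else is a configuration error and must not be copied to the client.
    if not ipaddress.ip_address(addr).is_multicast:
        raise ValueError(f"{addr} is not a multicast address")
    return addr


def sync_multicast_address(server_xml: str, client_xml: str) -> str:
    """Copy the server's address into the client's <Cache>/<MultiCastAddress>; return the new XML."""
    addr = read_multicast_address(server_xml)
    client_root = ET.fromstring(client_xml)
    target = _find_cache_multicast(client_root)
    if target is None:
        raise ValueError("client file has no <MultiCastAddress> element inside <Cache>")
    target.text = addr
    return ET.tostring(client_root, encoding="unicode")


if __name__ == "__main__":
    updated = sync_multicast_address(SERVER_XLCONFIG, CLIENT_XLCONFIG)
    print("client now uses", read_multicast_address(updated))
```

On a real installation you would read the two files from the paths the guide names and write the returned string back to the Design Console copy; the validation step is what prevents a stray edit in the server file from being silently copied.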
To obtain the EAR file, export it from the WebSphere server by using the WebSphere administrative console. You must also extract the xlDataObjectBeans.jar file from the EAR file so that you can copy the JAR file to the lib directory of the Oracle Identity Manager Design Console.
To extract the xlDataObjectBeans.jar file:
Using a Web browser, connect to the WebSphere administrative console by navigating to the following URL:
http://NDM_HOST:NDM_PORT/admin
Log in by using the Oracle Identity Manager administrator name and password that you specified during installation.
Click Applications, and then select Enterprise Applications.
Select the Xellerate application.
Click Export.
Save the EAR file.
Extract the xlDataObjectBeans.jar file. Ensure that you extract xlDataObjectBeans.jar and not xlDataObjects.jar.
The certificate for the application server must be installed in the trusted store for the WebSphere AppClient. This required step establishes a trust relationship between the WebSphere server and client. Use the keytool included with WebSphere to perform this task.
Note:
If you use the default WebSphere certificate, then this task is not necessary because the certificate is already present in the keystore of the client.
To enable trust between the server and client:
Move to the WEBSPHERE_HOME\etc directory by using the following command:
cd WEBSPHERE_HOME\etc
Export the server certificate by using the following command:
WEBSPHERE_HOME\java\jre\bin\keytool.exe -export -alias server -keystore DummyServerKeyFile.jks -storepass WebAS -file servercert
Copy the exported server certificate to the WEBSPHERE_CLIENT_HOME/etc directory on the client host computer. WEBSPHERE_CLIENT_HOME is the home directory of the WebSphere client. Typically, the home directory is WEBSPHERE_INSTALL_DIR/AppClient.
Import the server certificate into the trusted store for the client by using the following commands, or similar commands appropriate for your system:
Go to the WEBSPHERE_CLIENT_HOME/etc directory by using the following command:
cd WEBSPHERE_CLIENT_HOME/etc
Import the server certificate by using the following command:
WEBSPHERE_CLIENT_HOME\java\jre\bin\keytool.exe -import -alias servertrust -trustcacerts -keystore DummyClientTrustFile.jks -storepass WebAS -file servercert
Note:
If the WEBSPHERE_CLIENT_HOME directory does not contain the complete java directory when compared with the java directory inside the WebSphere Application Server installation directory, then copy the java directory from the WebSphere Application Server installation.
If you are running Oracle Identity Manager in a WebSphere cluster, then you must configure the Design Console. During deployment, you update the JNDI references for each of the Nodes. You must also update the JNDI references for the Design Console.
To specify the JNDI URL for the Design Console:
On the computer that hosts the Design Console, open the OIM_DC_HOME/xlclient/Config/xlconfig.xml file.
In the <Discovery> section, locate the java.naming.provider.url property.
Set this property to the JNDI URL.
Refer to the "Updating the JNDI References" section for information about how to obtain this value. For example, you could set the property to the following:
<java.naming.provider.url>corbaloc:iiop:XL_NODE1_HOST:9812,:XL_NODE2_HOST:9813</java.naming.provider.url>
Save the changes.
Start or restart the Design Console.
The certificate of the Node Manager must be installed in the trusted store of the WebSphere Client. This step is necessary to establish a trust relationship between the Node Manager server and WebSphere Application Client. Use the keytool included with WebSphere to perform this task.
To enable a trust relationship between the Node Manager and client:
Go to the Network Deployment Manager host and change directory to WEBSPHERE_SERVER_HOME\profiles\XL_MANAGER_PROFILES\etc by using the following command:
cd WEBSPHERE_SERVER_HOME\profiles\XL_MANAGER_PROFILES\etc
Export the server certificate by using the following command:
WEBSPHERE_SERVER_HOME\java\jre\bin\keytool.exe -export -alias server -keystore DummyServerKeyFile.jks -storepass WebAS -file servercert
Copy the exported server certificate to the client host computer.
Import the Node Manager certificate into the client's trusted store by using the following commands. WEBSPHERE_CLIENT_HOME is the home directory for the WebSphere Client, which is usually \WebSphere\AppClient\.
Go to the WEBSPHERE_CLIENT_HOME\etc directory by using the following command:
cd WEBSPHERE_CLIENT_HOME\etc
Import the Node Manager certificate into the client's trusted store by using the following command:
WEBSPHERE_CLIENT_HOME\java\jre\bin\keytool.exe -import -alias servertrust -trustcacerts -keystore DummyClientTrustFile.jks -storepass WebAS -file servercert
To start the Design Console, double-click OIM_DC_HOME\xlclient\wsxlclient.cmd or select Design Console from the Windows Start menu or desktop.
When the Design Console starts for the first time, it prompts whether to import certificates from the server. At the prompt, enter y.
Note:
For non-English installations, irrespective of the prompt, only y works. For example, in German language installations, you are prompted with the options j/n, but entering j will not work.
In the System Configuration form of the Design Console, you must set the XL.CompilerPath system property to include the path of the bin directory inside the JDK directory (JDK_HOME\bin) that is used by the application server on which Oracle Identity Manager is deployed.
Then, restart Oracle Identity Manager.
See Also:
The "Rule Elements, Variables, Data Types, and System Properties" section in Oracle Identity Manager Reference
After installing the Oracle Identity Manager Design Console, you might want to configure it to communicate with Oracle Identity Manager over SSL. The following sections discuss how to configure the communication from the Design Console to Oracle Identity Manager over SSL:
To configure WebSphere:
Start the WebSphere Administrative Console and log in.
Go to Security, then Secure administration, applications, and infrastructure, then RMI-IIOP Security (under Authentication), and then CSIv2 Inbound Transport.
For the Transport settings, select SSL-Supported.
Go to Security, Authentication Protocol, and then CSIv2 Outbound Transport.
For the Transport settings, select SSL-Supported.
Save the configuration and then restart the application server.
To configure the Design Console:
Open the OIM_DC_HOME/xlclient/wsxlclient.cmd file.
Add the following to the existing properties (or ensure that it is already specified):
-Dcom.ibm.CORBA.ConfigURL="file:%WS_HOME%/properties/sas.client.props"
Open the "%WS_HOME%"/properties/sas.client.properties file.
Make the following changes in the properties:
com.ibm.CSI.performMessageIntegrityRequired=true
com.ibm.CSI.performMessageIntegritySupported=true
com.ibm.CSI.performTransportAssocSSLTLSSupported=true
com.ibm.CSI.performTransportAssocSSLTLSRequired=true
Open the OIM_DC_HOME/xlclient/Config/xlconfig.xml file.
Modify the <ApplicationURL> value to use SSL, as in the following example:
Change:
http://WAS_HOST_NAME:9080/xlWebApp/loginWorkflowRenderer.do
To:
https://WAS_HOST_NAME:9443/xlWebApp/loginWorkflowRenderer.do
Note:
The modifications apply only to the protocol and the port number. The port number is modified assuming that the server is configured with the default port numbers. If you have changed the default port numbers, then use the corresponding port number instead.
To find the SSL port for the server:
Log on to the WebSphere Administrative Console.
Navigate to Servers, Application Servers, server name, Communications, and then Ports.
WC_defaulthost_secure is the SSL port, and WC_defaulthost is the non-SSL port for the application server.
Note:
For clustered installations of WebSphere with a Web server, the Web server certificate must be trusted by the Design Console trust store to enable SSL communication. After this is done, you can connect over HTTPS through the Web server, as follows:
https://WEBSERVER_HOST_NAME:SSL_PORT/xlWebApp/loginWorkflowRenderer.do
Alternatively, you can select one of the servers in the cluster for HTTPS connections, as follows:
https://APPSERVER1_HOST_NAME:SSL_PORT/xlWebApp/loginWorkflowRenderer.do
After configuring WebSphere and the Design Console, you can access the application by using SSL and non-SSL ports. To access the application securely by using SSL, you must use port number 9443 or WC_defaulthost_secure.
Example: https://localhost:9443/xlWebApp
To access the application in non-secure mode, use port number 9080 or WC_defaulthost.
Example: http://localhost:9080/xlWebApp
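The "Configuring the Design Console" steps above (the four CSIv2 properties in the client properties file and the http-to-https change of <ApplicationURL>), as an added example that is not part of this guide and not Oracle or IBM code: a small Python audit that reports which of the four properties are missing or not set to true, rewrites them, and converts an <ApplicationURL> value to SSL while touching only the scheme and the port, exactly as the note above requires. The properties text is a constructed sample, not a real WebSphere file; the property names and the 9080/9443 ports are taken from the page, and the parser only understands the key=value line form shown there.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# The four CSIv2 settings the guide requires in the client properties file (names from the page).
REQUIRED_CSI_PROPS = {
    "com.ibm.CSI.performMessageIntegrityRequired": "true",
    "com.ibm.CSI.performMessageIntegritySupported": "true",
    "com.ibm.CSI.performTransportAssocSSLTLSSupported": "true",
    "com.ibm.CSI.performTransportAssocSSLTLSRequired": "true",
}

# Constructed sample (not a real WebSphere file). The two "Required" settings are still off,
# so this client would still accept a connection without SSL/TLS or message integrity.
SAMPLE_SAS_CLIENT_PROPS = """# constructed sample of sas.client.props
com.ibm.CSI.performMessageIntegrityRequired=false
com.ibm.CSI.performMessageIntegritySupported=true
com.ibm.CSI.performTransportAssocSSLTLSSupported=true
com.ibm.CSI.performTransportAssocSSLTLSRequired=false
"""


def parse_props(text: str) -> dict:
    """Parse key=value lines of a Java properties file; comments and blank lines are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit_sas_client_props(text: str) -> list:
    """Return, sorted, the required CSI properties that are absent or not set to 'true'."""
    props = parse_props(text)
    return sorted(k for k, want in REQUIRED_CSI_PROPS.items()
                  if props.get(k, "").lower() != want)


def harden_sas_client_props(text: str) -> str:
    """Return the properties text with every required CSI property set to 'true';
    existing lines are rewritten in place and missing ones are appended."""
    lines, seen = [], set()
    for raw in text.splitlines():
        key = raw.split("=", 1)[0].strip()
        if key in REQUIRED_CSI_PROPS:
            lines.append(f"{key}={REQUIRED_CSI_PROPS[key]}")
            seen.add(key)
        else:
            lines.append(raw)
    for key, want in REQUIRED_CSI_PROPS.items():
        if key not in seen:
            lines.append(f"{key}={want}")
    return "\n".join(lines) + "\n"


def to_ssl_application_url(url: str, secure_port: int = 9443) -> str:
    """Rewrite an <ApplicationURL> value to https on the SSL port (WC_defaulthost_secure),
    changing only the scheme and the port; an https URL is returned unchanged."""
    parts = urlsplit(url)
    if parts.scheme == "https":
        return url
    if parts.scheme != "http":
        raise ValueError(f"unexpected scheme in {url!r}")
    # Drop a trailing :port from the authority without lower-casing the host spelling.
    host = re.sub(r":\d+$", "", parts.netloc)
    if not host:
        raise ValueError(f"no host in {url!r}")
    return urlunsplit(("https", f"{host}:{secure_port}", parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    print("weak or missing:", audit_sas_client_props(SAMPLE_SAS_CLIENT_PROPS))
    print(harden_sas_client_props(SAMPLE_SAS_CLIENT_PROPS))
    print(to_ssl_application_url("http://WAS_HOST_NAME:9080/xlWebApp/loginWorkflowRenderer.do"))
```

Pass a different secure_port when the server does not use the default 9443, as the note above says; the audit function is also a convenient post-change check that none of the four settings was reverted later.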
The "Configuring WebSphere", "Configuring the Design Console", and "Configuring the Administrative and User Console (Optional)" sections describe how to configure SSL by using the default certificates provided by WebSphere.
For enhanced protection, Oracle recommends that you create new certificates (either self-signed or CA certificates) and create a separate keystore and truststore for the client and the server with different passwords. If you create a new keystore or truststore with different passwords, then you must replace the encrypted old password in sas.client.properties with the new clear-text password.
To encrypt the clear-text password, use the PropFilePasswordEncoder.bat utility available at the following location: WebSphere_Home/bin.
Ensure that you use the SAS option.
Note:
Refer to the WebSphere documentation for more information about creating certificates and configuring trust and keystores. Otherwise, contact IBM support.