Oracle® Access Manager Deployment Guide 10g (10.1.4.2.0) Part Number E10353-01
You can change basic components that you specified during Oracle Access Manager installation, such as the person object class or the directory server host. This chapter describes system-level reconfiguration.
This chapter includes the following topics:
What Can Be Reconfigured
There are a number of basic system components that can be reconfigured:
You can configure Oracle Access Manager against a different directory server (for configuration or policy data).
You can change the class attribute for the person or group object class.
You can reconfigure the following characteristics of the directory:
The LDAP bind password
The host name
Port number
Domain name
Root DN
Root password
Configuration DN
Searchbase
Note: All actions except changing the LDAP bind password require re-running setup.
During installation, data that you specify is written to a number of areas, including the following:
setup.xml
configInfo.xml
ois_server_config.xml
The directory server
The following procedure describes how to reconfigure Oracle Access Manager so that it will work properly after you make any of the changes described in "What Can Be Reconfigured" on page 6-1.
To update the system configuration
Shut down the Web server that runs the WebPass.
Stop the Identity Server Service.
Back up your directory configuration data by exporting it to an LDIF file.
Rename the following file to ensure that you have a backup copy:
Identity_Server_install_dir/identity/oblix/config/ois_server_config.xml.bak
From the directory that you navigated to in the preceding step, back up and then delete the following files:
setup.xml
configInfo.xml
ois_server_config.xml
Copy the file ois_server_config.xml.bak to ois_server_config.xml.
This action allows you to change the configuration settings when you re-run the setup program later in this procedure. It causes the Identity Server to retrieve settings from ois_server_config.xml during setup instead of retrieving them from the directory. The information in ois_server_config.xml is migrated to the directory when the Identity Server is restarted.
In the branch of the directory where your policies are stored, locate the WebResrcDB container.
In the WebResrcDB container, delete the following entries:
The entry for WebPass.
The cn for this entry is the ID that you supplied when installing WebPass. Example: wp1_50.
The entry for the Identity Server.
The cn for this entry is the ID that you supplied when installing the Identity Server. Example: ois1_50.
The entry with a timestamp for its ID.
Example: 20010815T16221897. This entry connects the WebPass and Identity Server components.
In the branch of the directory where your policies are stored, locate the DBAgents container and delete all entries under this container.
Restart the Identity Server Service.
Restart the Web server that runs the WebPass.
From your browser, access the Identity System Console:
http://server:port/identity/oblix/
Rerun the setup program, as described in the following procedure, "To rerun Identity System setup", and change any settings that you want to change.
The setup program will display the information that was previously configured for Oracle Access Manager. You can change the configuration information as needed when you rerun setup.
See the Oracle Access Manager Identity and Common Administration Guide for details on rerunning setup for the Access System.
Restart the Identity Server.
The information in ois_server_config.xml (the server name, port, administrator DN, password, searchbase, and configuration base) is migrated back to the directory and the information in the config.xml file is deleted.
To rerun Identity System setup
Shut down all but one Identity Server if there is more than one running.
Go to the only remaining running Identity Server host and open the setup.xml file:
IdentityServer_install_dir/identity/oblix/config/setup.xml
Remove the status parameter, or change its value from "done" to "incomplete", as in the following example:
<NameValPair ParamName="status" Value="incomplete"></NameValPair>
Save the file.
Restart the Identity Server.
From your Web browser, launch the Identity System Console.
You will see a Setup page similar to the one that appears during the initial Identity System setup.
Initiate setup again and specify the new information.
After completing the setup, restart the other Identity Servers.
The other Identity Servers should pick up the new information.
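The status edit in this procedure can be scripted so that the change is validated and a backup copy is kept. This is an added example, not Oracle's tooling: it assumes setup.xml holds NameValPair elements with ParamName and Value attributes as shown above; the CompoundList root element in the constructed sample is an assumption and is not relied upon.

```python
import os
import shutil
import tempfile
import xml.etree.ElementTree as ET


def find_status_pair(tree: ET.ElementTree) -> ET.Element:
    """Return the single NameValPair whose ParamName is "status".
    Refuse to guess if the file has none or more than one."""
    pairs = [e for e in tree.iter("NameValPair") if e.get("ParamName") == "status"]
    if len(pairs) != 1:
        raise ValueError(f"expected exactly one status parameter, found {len(pairs)}")
    return pairs[0]


def read_status(path: str) -> str:
    """Read the current value of the status parameter in setup.xml."""
    return find_status_pair(ET.parse(path)).get("Value", "")


def mark_setup_incomplete(path: str) -> str:
    """Back up setup.xml to setup.xml.bak, set status to "incomplete" and
    return the previous value so the caller can confirm it was "done"."""
    tree = ET.parse(path)
    pair = find_status_pair(tree)
    previous = pair.get("Value", "")
    shutil.copyfile(path, path + ".bak")   # keep a copy before editing
    pair.set("Value", "incomplete")
    tree.write(path, encoding="utf-8", xml_declaration=True)
    return previous


# Constructed sample: a minimal setup.xml with status "done". The CompoundList
# root element name is an assumption; only the NameValPair format is relied on.
SAMPLE_SETUP_XML = """<?xml version="1.0"?>
<CompoundList>
  <NameValPair ParamName="status" Value="done"></NameValPair>
</CompoundList>
"""


def demo() -> tuple:
    """Write the sample to a temporary directory, flip its status and report
    (value before, value after, whether the .bak copy exists)."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "setup.xml")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_SETUP_XML)
    before = mark_setup_incomplete(path)
    return before, read_status(path), os.path.exists(path + ".bak")


if __name__ == "__main__":
    print(demo())
```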
You may need to periodically update the LDAP bind password for the directory servers that communicate with Oracle Access Manager components. For example, you may want to update the LDAP bind password to comply with government regulations.
When you update the LDAP bind password for the directory server, you must also update corresponding entries in the Oracle Access Manager configuration directory. The configuration directory server stores Oracle Access Manager configuration data, including the directory server profiles that you defined in the Oracle Access Manager administrative console. Each directory server profile contains a Database Instance section that includes the password for the directory server.
Oracle Access Manager stores directory server profiles for the following components:
The Identity Server
The Policy Manager
The Access Server
The LDAP bind password is stored in encrypted format in the configuration files. The configuration data files for the directory servers and the failover directory servers are stored in the following location:
<component install dir>/config/ldap
The ModifyLDAPBindPassword command enables you to reset the LDAP bind password in the Oracle Access Manager configuration files. You can reset the LDAP bind password without restarting any servers or re-running setup.
For security purposes, the ModifyLDAPBindPassword tool checks the credentials for the directory server before making the changes.
The following task overview is the recommended approach for automatic periodic updates of the bind password. You can run the ModifyLDAPBindPassword tool interactively instead of using a script. However, if you choose to update the password interactively, you must repeat the information for each Oracle Access Manager instance in your environment.
Task overview: Updating the LDAP Bind Password
Create an encrypted file that contains the updated password.
See "Parameters for the ModifyLDAPBindPassword Tool" and "Running the ModifyLDAPBindPassword Tool" for details. Oracle recommends you use an encrypted file to provide the updated password. However, you can supply the password interactively when running the tool.
Update the LDAP bind password that is stored in the Identity Server configuration files (the config.xml files) and all directory profiles for the directory server.
See "Parameters for the ModifyLDAPBindPassword Tool" and "Running the ModifyLDAPBindPassword Tool" for details.
Update the LDAP bind password in the configuration files for each additional instance of the Identity Server, Policy Manager, and Access Server, using the -t file option.
See "Parameters for the ModifyLDAPBindPassword Tool" and "Running the ModifyLDAPBindPassword Tool" for details.
For each directory server host name variation, re-run the tool.
For example, if you are running a host named "machine1" that resides in domain ".company.com," you can configure the host name in Oracle Access Manager as both "machine1.company.com" and "machine1." In this case, you need to run the tool twice, once for each configured host name.
See the information on using host name variations in the Oracle Access Manager Identity and Common Administration Guide for details.
Modify the bind password in the directory server itself.
Both the old and new passwords are stored in the Oracle Access Manager configuration files, so that the old password continues to be valid until you have completed all updates.
Table 6-1 illustrates the command options that you would use with the ModifyLDAPBindPassword tool to generate a password in an encrypted file.
Table 6-1 Parameters for Creating an Encrypted Password
Parameter | Description |
---|---|
-genpasswdfile | Indicates that the tool should generate a password file. This file can be passed when you run the ModifyLDAPBindPassword tool to update the password. |
file | The name of the file that contains the password. This file is encrypted. If you do not supply an .xml extension, it is supplied automatically. |
Table 6-2 lists the parameters that are required to run the ModifyLDAPBindPassword tool to update the password.
Table 6-2 Required Parameters for the ModifyLDAPBindPassword Tool
Parameter | Description |
---|---|
 | This is the installation directory for the Oracle Access Manager component for which the tool is being run. |
 | This is the type of component for which the tool is being run. The following are possible values for this parameter: |
 | This is the target to be updated. The following are possible values: |
Table 6-3 lists the additional parameters for the ModifyLDAPBindPassword tool. If you omit one of these parameters from the command line, the tool prompts for the parameter if it is needed. There are no default values for these parameters.
Table 6-3 Additional Parameters for Changing the LDAP Bind Password
Parameter | Description |
---|---|
 | The name of the computer that stores the directory profile where you want to update the directory server LDAP bind password. |
 | The listen port for the computer that stores the directory profile where you want to update the directory server LDAP bind password. |
 | The bind DN for the directory server that stores the configuration data. |
 | The bind password, in clear text, for the directory server that stores the configuration data. Do not specify this option if you are using the |
-j | Use this option if you are running the command using a script. This file contains all of the passwords that are required to update the bind password. If you use this option, the -w, |
 | The computer that contains the directory server whose bind password you are updating. Do not specify this option if you are using the |
 | The listen port for the computer that contains the directory server where you want to change the bind password. Do not specify this option if you are using the |
 | The bind DN for the directory server whose bind password you are changing. Do not specify this option if you are using the |
 | The existing bind password for the directory server whose bind password you are updating. Do not specify this option if you are using the |
 | The new bind password for the directory server whose bind password you are updating. Do not specify this option if you are using the |
 | Valid if the directory server being updated is different from the configuration directory server. If you specify this parameter, the bind occurs in SSL mode. If you omit it, open mode is used. Do not specify this option if you are using the |
You run the ModifyLDAPBindPassword tool for each instance of each relevant component. There is no rollback mechanism for this tool. You re-run the tool to ensure that the configuration files and directory server have the correct values. Errors are written to a log file, as follows:
<component_install_dir>/oblix/tools/modbinpasswd/ModifyLDAPBindPassword.log
You can run this tool from the command line or as a script. You can create a script if you want to perform periodic updates of the password. If you run the tool from the command line, the tool prompts for any needed parameters and values that you failed to provide.
To generate the encrypted password file
Access this tool from the following directory:
component_install_dir/oblix/tools/modbinpasswd/
Where component_install_dir is the installation directory for the component for which you are updating the directory bind password.
Run the following command:
modifyldapbindpassword.exe -genpasswdfile file
Where file is the name of a password file. An .xml extension is added automatically if you do not supply one.
To update the LDAP bind password for configuration data
Access this tool from the following directory:
Identity_install_dir/oblix/tools/modbinpasswd/
Where Identity_install_dir is the installation directory for the first Identity Server for which you are updating the directory bind password.
If you are using a script, generate the password file.
Run the following command for one Identity Server instance:
modifyldapbindpassword.exe -c is -t all -options
Use the -c is and -t all options for this step. For other options, see Table 6-2 and Table 6-3.
If you are using a script, pass the encrypted password file using the -j option.
Run the following command for remaining instances of the Identity Server, the Policy Manager, and the Access Server:
modifyldapbindpassword.exe -c is -t file -options
Use the -c is and -t file options for this step. For other options, see Table 6-2 and Table 6-3.
If you are using a script, pass the encrypted password file using the -j option.
Repeat this command for every variant of the host name that you have configured in Oracle Access Manager.
Update the bind password for the directory server that stores the configuration data.
To update the LDAP bind password for policy data
If the directory server that stores the policy data also stores the configuration data, follow the procedure "To update the LDAP bind password for configuration data".
If you have already followed that procedure, you are done.
If the directory server that stores the policy data is different from the one that stores the configuration data, access this tool from the following directory:
component_install_dir/oblix/tools/modbinpasswd/
Where component_install_dir is the installation directory for the component for which you are updating the directory bind password.
If you are using a script, generate the password file.
Run the following command for one Identity Server instance:
modifyldapbindpassword.exe -t all -options
Specify the -t all option. For other options, see Table 6-2 and Table 6-3.
If you are using a script, pass the encrypted password file using the -j option.
Run the following command for the remaining instances of the Policy Manager and the Access Server:
modifyldapbindpassword.exe -t file -options
Specify the -t file option. For other options, see Table 6-2 and Table 6-3.
If you are using a script, pass the encrypted password file using the -j option.
Repeat this command for every variant of the host name that you have configured in Oracle Access Manager.
Update the bind password for the directory server that stores the configuration data.
To update the LDAP bind password for user data
If the directory server that stores the user data also stores the configuration data, follow the procedure "To update the LDAP bind password for configuration data".
If you have already followed that procedure, you are done.
If the directory server that stores the user data is different from the one that stores the configuration data, access this tool from the following directory:
component_install_dir/oblix/tools/modbinpasswd/
Where component_install_dir is the installation directory for the component for which you are updating the directory bind password.
If you are using a script, generate the password file.
Run the following command:
modifyldapbindpassword.exe -t ds -options
Specify the -t ds option. For other options, see Table 6-2 and Table 6-3.
If you are using a script, pass the encrypted password file using the -j option.
Repeat this command for every variant of the host name that you have configured in Oracle Access Manager.
Update the bind password for the directory server that stores the configuration data.
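To tie the task overview and the three procedures above together, here is an added example (not part of this guide or of Oracle's tooling) that lays out the sequence of ModifyLDAPBindPassword invocations for a set of component instances, once per configured host name variant. It uses only the flags shown on this page (-genpasswdfile, -c, -t, -j); the directory host name is recorded separately because the tool prompts for any parameter left off the command line, and component codes other than is are operator-supplied placeholders.

```python
import os
from typing import List, Sequence, Tuple

TOOL = "modifyldapbindpassword.exe"
TOOL_SUBDIR = os.path.join("oblix", "tools", "modbinpasswd")   # path from this page


def host_name_variants(configured_host: str) -> List[str]:
    """Return the host name forms that may both be configured in Oracle Access
    Manager: the name as given plus its short form when it is an FQDN."""
    short = configured_host.split(".", 1)[0]
    return [configured_host] if short == configured_host else [configured_host, short]


def plan_bind_password_update(instances: Sequence[Tuple[str, str]],
                              directory_host: str,
                              passwd_file: str) -> List[dict]:
    """instances: (component_code, install_dir) pairs; the first entry must be
    an Identity Server ("is"), which gets -t all, every other instance gets
    -t file. Returns one record per invocation: the directory to run from, the
    argv, and the directory host name to answer with when the tool prompts."""
    if not instances or instances[0][0] != "is":
        raise ValueError("first instance must be an Identity Server (-c is)")
    if not passwd_file.endswith(".xml"):        # the tool adds .xml itself
        passwd_file += ".xml"
    plan = [{
        "cwd": os.path.join(instances[0][1], TOOL_SUBDIR),
        "argv": [TOOL, "-genpasswdfile", passwd_file],
        "directory_host": None,
    }]
    for variant in host_name_variants(directory_host):
        for idx, (code, install_dir) in enumerate(instances):
            target = "all" if idx == 0 else "file"
            plan.append({
                "cwd": os.path.join(install_dir, TOOL_SUBDIR),
                "argv": [TOOL, "-c", code, "-t", target, "-j", passwd_file],
                "directory_host": variant,
            })
    return plan


if __name__ == "__main__":
    # Constructed sample: two Identity Servers and one Access Server whose
    # component code is a placeholder, against the host from the page's example.
    sample = [("is", "/opt/oam/identity1"), ("is", "/opt/oam/identity2"),
              ("<access-server-code>", "/opt/oam/access")]
    for step in plan_bind_password_update(sample, "machine1.company.com", "bindpw"):
        print(step["cwd"], " ".join(step["argv"]), step["directory_host"])
```

The final step of each procedure, changing the password in the directory server itself, is deliberately outside the plan, since the old password must stay valid until every configuration file has been updated.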
If the Identity Server or Access Server uses an explicit bind, you can follow the procedures to change the LDAP bind password described in "Running the ModifyLDAPBindPassword Tool".
If you are running the Identity Server or Access Server as a user in the Active Directory domain, you update the LDAP bind password as described in the following procedure.
To update the LDAP bind password for ADSI
Change the password for the user in the Active Directory domain.
Stop the Identity Server or Access Server.
From the Start menu, select Run and enter the following:
services.msc
A dialog box appears that lists all running services.
To change the credential of the user in the service, right-click the service you want to modify, then click Properties, then click the Log On tab, then click This Account.
Restart the Identity Server or Access Server.