Oracle® Role Manager Integration Guide
Release 10g (10.1.4)

Part Number E12030-05

5 Configuring WebLogic Server

This chapter contains procedures for configuring the WebLogic application servers for Oracle Identity Manager (Identity Manager) and Oracle Role Manager (Role Manager) in preparation for deployment of the Oracle Role Manager Integration Library (Integration Library).

This chapter includes the following sections:

5.1 Before You Configure

The Role Manager Integration Library is intended to be deployed on the application server on which Identity Manager is deployed. The procedures in this chapter assume the following:

5.2 Configuring the Oracle Role Manager Server

This procedure assumes that a WebLogic server and domain have been created for Role Manager with a host alias set for port access to Role Manager.

This section includes the following subsections:

5.2.1 Configuring the JMS Connection Factory

To configure the JMS module connection factory:

  1. If not currently on the WebLogic Server Console, in a Web browser, enter the URL. For example:

    http://appserverhost:7001/console
    
  2. From Services, select Messaging, then select JMS Modules.

  3. Click ORM JMSModule.

  4. Click New.

  5. Select the Connection Factory option.

  6. Click Next.

  7. In the Name field, enter OIM ConnectionFactory.

  8. In the JNDI Name field, enter external/srqueues/orm/QueueConnectionFactory.

  9. Click Next, then click Finish.

5.2.2 Configuring the Foreign JNDI Providers

To configure the foreign JNDI providers:

  1. From Services, select Foreign JNDI Providers.

  2. Click New.

  3. In the Name field, enter Remote OIM ForeignJNDIProvider.

  4. Click OK.

  5. To edit the settings, click Remote OIM ForeignJNDIProvider.

  6. In the Initial Context Factory field, enter weblogic.jndi.WLInitialContextFactory.

  7. In the Provider URL field, enter t3://oim_ipaddress:oim_port

    where

    oim_ipaddress is the IP address of the Identity Manager application server host

    oim_port is the port for access to the Identity Manager server

    Note:

    If you are configuring a clustered server environment, the URL must be in the form t3://oim_ipaddress1:port,t3://oim_ipaddress2:port

  8. In the User field, enter Internal.

  9. In the Password field, enter the password of the Internal user (created in Section 4.2).

  10. Click Save.

  11. Configure the Remote OIM Connection Factory as follows:

    1. From Services, select Foreign JNDI Providers.

    2. On the Links tab, click New.

    3. In the Name field, enter RoleUpdateQCF.

    4. In the Local JNDI Name field, enter oim/OIMserver/QueueConnectionFactory.

    5. In the Remote JNDI Name field, enter oim/OIMserver/QueueConnectionFactory.

    6. Click OK.

  12. Configure the Remote OIM Queue as follows:

    1. From Services, select Foreign JNDI Providers.

    2. On the Links tab, click New.

    3. In the Name field, enter RoleUpdateQueue.

    4. In the Local JNDI Name field, enter oim/OIMserver/RoleManagerQueue.

    5. In the Remote JNDI Name field, enter oim/OIMserver/RoleManagerQueue.

    6. Click OK.

5.2.3 Configuring the Security Credentials

To configure the credentials:

  1. Click the domain on which Role Manager is deployed.

  2. On the Security tab, expand Advanced.

  3. Clear any text in the Credential field.

  4. In the Credential field, enter the domain credential of the Identity Manager server.

    Note:

    The domain credential is generated when the server is started and ensures that by default no two WebLogic server domains have the same credential. In this case, the same credentials are entered for both Identity Manager and Role Manager.

  5. In the Confirm Credential field, enter the credential again.

  6. Click Apply and save your changes.

  7. Restart the Role Manager server for these changes to take effect.

5.2.4 (Clustered Mode Only) Configuring the Subdeployment of the Connection Factory

Note:

If you are configuring a clustered environment, perform this procedure for each managed server.

To change the subdeployment of the Identity Manager connection factory:

  1. In the domain tree, select Services, then select Messaging.

  2. Select JMS Modules, then click ORM JMS Module.

  3. Click OIM ConnectionFactory.

  4. Deselect the Default Targeting Enabled box, then click Save.

  5. Click the Subdeployment tab.

  6. In the Subdeployment list, select cf-sub.

  7. Click Save.

5.2.5 (Clustered Mode Only) Disabling Authentication on the Oracle Role Manager Node

This procedure disables transaction authentication for Role Manager transactions. Disabling transaction authentication is required when the node manager does not accept connections because of an incorrect certificate configuration.

Note:

If you are configuring a clustered environment, perform this procedure for each managed node.

To disable authentication on the Role Manager node:

  1. Navigate to WEBLOGIC_HOME\common\nodemanager folder and edit the nodemanager.properties file.

  2. Change the value of the AuthenticationEnabled property to false.

  3. Restart all the servers on the Role Manager domain including the admin server.
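A check for the property changed in this procedure, added here as an example and not part of the Oracle guide: it reports the effective AuthenticationEnabled value in a nodemanager.properties file so that nodes left with Node Manager authentication disabled can be inventoried. The function names and the sample file are constructed, and an absent property is treated as the Node Manager default of true.

```shell
#!/bin/sh
# Added example (not from the Oracle guide): report the effective
# AuthenticationEnabled value in a nodemanager.properties file.
# Prints true, false, unset or invalid:<value>; returns 0 only for true/unset.
nm_auth_status() {
    props=$1
    [ -r "$props" ] || { echo "unreadable"; return 2; }
    value=$(awk '
        # Java properties syntax: "#" or "!" starts a comment line, leading
        # blanks are ignored, key and value are separated by "=", ":" or
        # blanks, and a later assignment overrides an earlier one.
        /^[ \t]*[#!]/ { next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (line ~ /^AuthenticationEnabled[ \t=:]/) {
                v = substr(line, length("AuthenticationEnabled") + 1)
                sub(/^[ \t]*[=:]?[ \t]*/, "", v)
                sub(/[ \t\r]+$/, "", v)
                found = 1
            }
        }
        # The "=" prefix distinguishes an assigned value from no assignment.
        END { if (found) print "=" tolower(v) }
    ' "$props")
    case $value in
        "")       echo "unset"; return 0 ;;   # assumed default: enabled
        "=true")  echo "true"; return 0 ;;
        "=false") echo "false"; return 1 ;;
        *)        echo "invalid:${value#=}"; return 1 ;;
    esac
}

# Constructed sample: enabled first, then disabled by a later line.
nm_auth_sample() {
    printf '%s\n' '# constructed sample nodemanager.properties' \
        'ListenPort=5556' 'AuthenticationEnabled=true' \
        '  AuthenticationEnabled : false  ' > "$1"
}
```

Run `nm_auth_status WEBLOGIC_HOME/common/nodemanager/nodemanager.properties` on each managed node; a nonzero exit status marks a node where authentication is disabled or the value is not a boolean.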

5.3 Configuring the Oracle Identity Manager Server

This procedure assumes that a WebLogic server and domain have been created for Identity Manager.

For clustered environments, it is assumed that the managed servers in the cluster can be started and stopped remotely on the admin console and that the Integration Library software has been distributed on all managed nodes.

This section includes the following subsections:

5.3.1 Modifying the Identity Manager Startup Script

If you are invoking Identity Manager using a startup script, you must edit the script to include the path to the Integration Library software before you can start using the Role Manager Integration Library. Making this change before the Integration Library software is deployed does not affect the operation of Identity Manager until it is restarted.

For UNIX-based systems, to modify the startup script:

  1. On the Identity Manager host, navigate to the domain on which Identity Manager is deployed. For example, WEBLOGIC_HOME/user_projects/domains/mydomain.

  2. Open the xlStartWLS.sh file for editing.

    Note:

    If you have a managed server environment where the server is started from this script, open the xlstartManagedWebLogic.sh file instead.

  3. In the entry for JAVA_OPTIONS, add a backslash (\) at the end of the -Djava.awt.headless=true argument.

  4. Add the following argument to the end of the JAVA_OPTIONS entry:

    -DORMINT_ROOT_DIR=ORMINT_HOME
    

    where ORMINT_HOME is the full path to the home directory of the Role Manager Integration Library.

    The complete entry might be similar to:

    JAVA_OPTIONS="-DXL.HomeDir=$XLHOME \
       -Djava.security.auth.login.config=$XLHOME/config/authwl.conf \
       -Dlog4j.configuration=file:$XLHOME/config/log.properties \
       -Djava.awt.headless=true \
       -DORMINT_ROOT_DIR=/opt/ormintegration"
    
  5. Save and close the start script.

  6. Restart the Identity Manager server for these changes to take effect.

For Windows-based systems, to modify the startup script:

  1. On the Identity Manager host, navigate to the domain on which Identity Manager is deployed. For example, WEBLOGIC_HOME/user_projects/domains/mydomain.

  2. Open the xlStartWLS.bat file for editing.

    Note:

    If you have a managed server environment where the server is started from this script, open the xlstartManagedWebLogic.cmd file instead.

  3. In the entry for JAVA_OPTIONS, add a caret (^) at the end of the -Djava.awt.headless=true argument.

  4. Add the following argument to the end of the JAVA_OPTIONS entry:

    -DORMINT_ROOT_DIR=ORMINT_HOME
    

    where ORMINT_HOME is the full path to the home directory of the Role Manager Integration Library.

    The complete entry might be similar to:

    SET JAVA_OPTIONS=-DXL.HomeDir=%XLHOME% ^
       -Djava.security.auth.login.config=%XLHOME%\config\authwl.conf ^
       -Dlog4j.configuration=file:/%XLHOME%/config/log.properties ^
       -Djava.awt.headless=true ^
       -DORMINT_ROOT_DIR=C:\ormintegration
    
  5. Save and close the start script.

  6. Restart the Identity Manager server for these changes to take effect.

5.3.2 Configuring the Classpath and Shared Libraries

Some libraries must be added to either the system classpath or to the WebLogic start script. The following procedure describes how to modify the start script, although you can optionally modify the system classpath if you prefer.

Note:

In a clustered server environment, perform this procedure on all managed nodes.

To configure the classpath in the WebLogic start script:

  1. On the file system where Identity Manager is deployed, create the following directory if it does not exist:

    OIM_appserver/jdk/jre/lib/endorsed
    

    where OIM_appserver/jdk is the JDK directory for WebLogic, either Sun JDK or WebLogic JRockit.

  2. Copy the following libraries into the endorsed directory:

    ORMINT_HOME/lib/xercesImpl.jar
    ORMINT_HOME/lib/xml-apis.jar
    
  3. On the file system where Identity Manager is deployed, navigate to the domain directory that contains the server for Identity Manager. For example, OIM_appserver/user_projects/domains/oimdomain.

  4. For Windows systems, open the xlStartWLS.cmd file for editing.

    Note:

    If you have a managed server environment, open the xlstartManagedWebLogic.cmd file instead.

  5. For UNIX-based systems, open the xlstartWLS.sh file for editing.

    Note:

    If you have a managed server environment, open the xlstartManagedWebLogic.sh file instead.

  6. Add the following libraries to the CLASSPATH environment setting:

    ORMINT_HOME/lib/commons-logging.jar
    ORMINT_HOME/lib/orm_encryption.jar
    ORMINT_HOME/lib/server_api_14.jar
    
  7. Save and close the start script.

  8. Restart the Identity Manager server.
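A post-change check for this procedure, added here as an example and not part of the Oracle guide: jars in the endorsed directory replace the JDK's own XML parser classes for every JVM started from that JDK, so the check confirms that each jar named above is present, is not group- or world-writable, and that the endorsed copies are identical to the ones shipped in ORMINT_HOME/lib. The function names are constructed, and treating group-writable files as a finding is an assumption about local policy.

```shell
#!/bin/sh
# Added example (not from the Oracle guide). Prints one line per finding.

# Report a jar that is absent or writable by group or others.
check_jar() {
    f=$1
    if [ ! -f "$f" ]; then
        echo "MISSING $f"; return 1
    fi
    # -perm -020 / -perm -002: group-write or other-write mode bit is set.
    if [ -n "$(find "$f" \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "WRITABLE $f"; return 1
    fi
    return 0
}

# Arguments: ORMINT_HOME and the OIM_appserver/jdk/jre/lib/endorsed directory.
# Returns 1 if any finding was printed, 0 otherwise.
check_ormint_jars() {
    ormint_home=$1 endorsed=$2 rc=0
    # Jars added to the CLASSPATH setting of the start script (step 6).
    for jar in commons-logging.jar orm_encryption.jar server_api_14.jar; do
        check_jar "$ormint_home/lib/$jar" || rc=1
    done
    # Jars copied into the endorsed directory (step 2).
    for jar in xercesImpl.jar xml-apis.jar; do
        check_jar "$endorsed/$jar" || rc=1
        # The endorsed copy must be byte-identical to the shipped jar.
        if [ -f "$endorsed/$jar" ] &&
           ! cmp -s "$ormint_home/lib/$jar" "$endorsed/$jar"; then
            echo "DIFFERS $endorsed/$jar"; rc=1
        fi
    done
    return $rc
}
```

In a clustered environment, run `check_ormint_jars` with the local paths on every managed node, since the procedure is repeated on each of them.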

5.3.3 (Clustered Mode Only) Configuring JMS Queues and Connection Factories

To configure JMS queues and connection factories:

  1. Configure a JMS queue connection factory as follows:

    1. From Services, select Messaging, then select JMS Modules.

    2. Click New.

    3. In the Name field, enter OIM-ORM JMS Module, then click Next.

    4. Assign the new JMS module to the Identity Manager cluster, for example OIM_Cluster, then click Next.

    5. Click Next.

    6. Select the Would you like to add resources box, then click Finish.

    7. On the Settings page, click New.

    8. Select ConnectionFactory, then click Next.

    9. In the Name field, enter ormJMSConnectionFactory.

    10. In the JNDI Name field, enter /oim/OIMserver/QueueConnectionFactory.

    11. Click Next, then click Finish.

    12. Select the Identity Manager cluster as the target, for example, OIM_Cluster, then click Apply.

  2. Configure a JMS server for each Identity Manager managed server as follows:

    1. From Services, select Messaging, then select JMS Servers.

    2. Click New.

    3. In the Name field, enter ORMIntegration1, then click Next.

    4. Click Finish.

    5. Select the Targets tab and assign the JMS server to the first Identity Manager managed server, for example, OIM_Server1.

    6. Click Save.

    7. Repeat these steps for each managed server. For example, create ORMIntegration2 and assign it to OIM_Server2, and so on.

  3. Configure a distributed JMS queue as follows:

    1. From Services, select Messaging, then select JMS Modules.

    2. Click OIM-ORM JMS Module, then click New.

    3. Select Distributed Queue, then click Next.

    4. In the Name field, enter ormJMSQueue.

    5. In the JNDI Name field, enter oim/OIMserver/RoleManagerQueue.

    6. Click Next.

    7. Click Advanced Targeting.

    8. Click Create a New Subdeployment.

    9. In the Subdeployment Name field, enter ormJMSQueue subdeployment.

    10. Click Next.

    11. Select the Targets tab, then select each of the JMS servers created in step 2. For example, ORMIntegration1 and ORMIntegration2.

    12. Click Finish.

5.3.4 (Nonclustered Mode Only) Configuring JMS Queues and Connection Factories

To configure JMS queues and connection factories:

  1. Configure a JMS queue connection factory as follows:

    1. From Services, select Messaging, then select JMS Modules.

    2. Click New.

    3. In the Name field, enter OIM-ORM JMS Module, then click Next.

    4. Assign the new module to AdminServer, then click Next.

    5. Select the Would you like to add resources box, then click Finish.

    6. On the Settings page, click New.

    7. Select ConnectionFactory, then click Next.

    8. In the Name field, enter ormJMSConnectionFactory.

    9. In the JNDI Name field, enter /oim/OIMserver/QueueConnectionFactory.

    10. Click Next, then click Finish.

  2. Configure a JMS server as follows:

    1. From Services, select Messaging, then select JMS Servers.

    2. Click New.

    3. In the Name field, enter ORMIntegration, then click Next.

    4. Click Finish.

    5. Click ORMIntegration.

    6. Select the Targets tab and assign the new server to AdminServer.

    7. Click Save.

  3. Configure a JMS queue as follows:

    1. From Services, select Messaging, then select JMS Modules.

    2. Click OIM-ORM JMS Module, then click New.

    3. Select Queue, then click Next.

    4. In the Name field, enter ormJMSQueue.

    5. In the JNDI Name field, enter oim/OIMserver/RoleManagerQueue.

    6. Click Next.

    7. Click Create a New Subdeployment.

    8. In the Subdeployment Name field, enter ormJMSQueue subdeployment.

    9. Click Next.

    10. Select the Targets tab, then select ORMIntegration as the JMS Server.

    11. Click Finish.

5.3.5 Configuring Foreign JMS Queues and Connection Factories

To configure Foreign JMS queues and connection factories:

  1. Configure a foreign JNDI provider as follows:

    1. From Services, select Foreign JNDI Providers, then click New.

    2. In the Name field, enter OIM ORM server.

    3. Click OK.

    4. Click OIM ORM server.

    5. In the JNDI Initial Context Factory field, enter weblogic.jndi.WLInitialContextFactory.

    6. In the Provider URL field, enter t3://orm_ipaddress:orm_port

      where

      orm_ipaddress is the IP address of the Role Manager application server host

      orm_port is the port for access to the Role Manager server.

      Note:

      If you are configuring a clustered server environment, the URL must be in the form t3://oim_ipaddress1:port,t3://oim_ipaddress2:port

    7. In the User field, enter the user name of the WebLogic Administrator.

    8. In the Password field and Confirm Password field, enter the password of the WebLogic Administrator.

    9. Click Save.

  2. Configure foreign JNDI links as follows:

    1. From Services, select Foreign JNDI Providers.

    2. Click OIM ORM server.

    3. On the Links tab, click New.

    4. In the Name field, enter OIMORMQueueConnectionFactory.

    5. In the Local JNDI Name field, enter external/srqueues/orm/QueueConnectionFactory.

    6. In the Remote JNDI Name field, enter external/srqueues/orm/QueueConnectionFactory.

      Note:

      The local and remote JNDI names must be the same as the JNDI name set in Section 5.2.1, "Configuring the JMS Connection Factory."

    7. Click OK.

    8. On the Links tab, click New.

    9. In the Name field, enter OIM ORM Queue.

    10. In the Local JNDI Name field, enter orm/queue/IncomingEventQueue.

    11. In the Remote JNDI Name field, enter orm/queue/IncomingEventQueue.

    12. Click OK.

5.3.6 Configuring Security Credentials

To configure the credentials:

  1. Click the domain where the Identity Manager server resides.

  2. On the Security tab, expand the Advanced link at the bottom of the page.

  3. In the Credential field, clear any existing credential, then enter the same domain credential that was used for the Role Manager server (see step 4 of Section 5.2.3).

    Note:

    The domain credential is generated when the server is started and ensures that by default no two WebLogic server domains have the same credential. In this case, the same credentials are entered for both Identity Manager and Role Manager.

  4. In the Confirm Credential field, enter the credential again.

  5. Click Save.

5.3.7 (Clustered Mode Only) Adding the Integration Library System Properties

Note:

Perform this procedure on all managed nodes.

To add the Integration Library JVM system properties:

  1. Log on to the WebLogic Server Console using a Web browser.

  2. For each managed server, configure the system properties as follows:

    1. On the Identity Manager domain of the primary node, select the domain name, then select Servers.

    2. Select the first managed server, for example, OIM_Server1.

    3. On the Configuration tab, click the Server Start subtab.

    4. In the ClassPath field, add the following Integration Library paths to the existing classpath settings:

      <ORMINT_HOME>\lib\commons-logging.jar
      <ORMINT_HOME>\lib\orm-encryption.jar
      <ORMINT_HOME>\lib\server_api_14.jar
      
    5. In the Arguments field, append the following argument to any existing arguments:

      -DORMINT_ROOT_DIR=ORMINT_HOME
      

      where ORMINT_HOME is the Integration Library installation directory. For example, C:/ORMINT_HOME.

    6. Click Apply and save your changes.

  3. Start the node manager on each managed server, then start each managed server.

5.4 Deploying the Role Manager Integration Library Application

To deploy the Integration Library application:

  1. From the Identity Manager host, connect to the WebLogic Server Console in a Web browser. For example:

    http://appserverhost:7001/console
    
  2. Select Deployments, then select Applications.

  3. Click Deploy a new Application.

  4. Choose Upload your Files, then click Browse to navigate to the ORMINT_HOME/lib directory.

  5. Select roleManagerIntegration_WebLogic10.3.ear, then click Continue.

  6. If you are configuring a clustered server environment, in the Target list, select OIM cluster.

  7. Ensure that the name in the Name field is set as roleManagerIntegration, then click Deploy.

    In the Status of Last Action column, you should see an indication of successful deployment.

  8. If you have a clustered server environment, restart the admin server and all managed servers.