8 Postinstallation Configuration for Oracle Identity Manager and JBoss Application Server

After you install Oracle Identity Manager, you may have to perform certain postinstallation tasks before you can use the application. Some of the postinstallation tasks are optional, depending on your deployment and requirement.

This chapter discusses the following topics:

• Starting Oracle Identity Manager

• Stopping Oracle Identity Manager

• Accessing the Administrative and User Console

• Using the Diagnostic Dashboard to Verify Installation

• Removing Backup xlconfig.xml Files After Starting or Restarting

• Changing Keystore Passwords

• Tuning JDBC Connection Pools

• Reserving JBoss Application Server Ports on Microsoft Windows Installation

• Increasing the Transaction Timeout

• Cleaning Up the JBoss Application Server Installation

• Setting the Compiler Path for Adapter Compilation

• Configuring Proxies to Access Web Application URLs (Optional)

• Setting Log Levels (Optional)

• Enabling Single Sign-On (SSO) for Oracle Identity Manager (Optional)

• Configuring Custom Authentication (Optional)

• Protecting the JNDI Namespace (Optional)

• Deploying the SPML Web Service (Optional)

Note:

The examples in this chapter are Microsoft Windows based. However, the postinstallation tasks also apply to UNIX.

8.1 Starting Oracle Identity Manager

This section describes how to start Oracle Identity Manager on Microsoft Windows, UNIX.

To start Oracle Identity Manager:

1. Verify that your database is up and running.

2. Start Oracle Identity Manager by running one of the following scripts. Running the Oracle Identity Manager start script also starts JBoss Application Server.

   On Microsoft Windows

   OIM_HOME\xellerate\bin\xlStartServer.bat

   On UNIX

   OIM_HOME/xellerate/bin/xlStartServer.sh

8.2 Stopping Oracle Identity Manager

To stop Oracle Identity Manager gracefully, you stop the JBoss Application Server by running one of the following scripts:

On Microsoft Windows

JBOSS_HOME\bin\shutdown.bat -S

On UNIX

JBOSS_HOME/bin/shutdown.sh -S

8.3 Accessing the Administrative and User Console

After starting the JBoss Application Server and Oracle Identity Manager, you can access the Administrative and User Console.

To access the Administrative and User Console:

1. Browse to the following URL by using a Web browser:

   http://hostname:port/xlWebApp
   

   In this URL, hostname represents the name of the computer hosting the application server and port refers to the port on which the server is listening. The default port number for JBoss Application Server is 8080.

   Note:

   The application name, xlWebApp, is case-sensitive.

   For example:

   http://localhost:8080/xlWebApp
   

2. After the Oracle Identity Manager login page is displayed, log in with your user name and password.

8.4 Using the Diagnostic Dashboard to Verify Installation

The Diagnostic Dashboard verifies each component in your postinstallation environment by testing for the following components:

• Trusted store

• Single Sign-On Configuration

• Messaging capability

• Task scheduler

• Remote Manager

The Diagnostic Dashboard also checks for all supported versions of components along with their packaging.

Note:

See "Using the Diagnostic Dashboard" for more information.

8.5 Removing Backup xlconfig.xml Files After Starting or Restarting

After you start any Oracle Identity Manager component for the first time, or after you change any passwords in the xlconfig.xml file, Oracle Identity Manager encrypts and saves the passwords. Oracle Identity Manager also creates a backup copy of the xlconfig.xml file before saving changes to the file. These backup files contain old passwords in plaintext. The backup file are named xlconfig.xml.x, where x is the latest available number, for example xlconfig.xml.0, xlconfig.xml.1, and so on.

Note:

You must remove these backup files after starting any Oracle Identity Manager component for the first time, or on restarting after changing any passwords in xlconfig.xml after you have established that the new password is working correctly.

8.6 Changing Keystore Passwords

During installation, the passwords for the Oracle Identity Manager keystores are set to xellerate. The Installer scripts and installation log contain this default password. It is strongly recommended that you change the keystore passwords for all production installations.

To change the keystore passwords, you must change the storepass of .xlkeystore and the keypass of the xell entry in .xlkeystore—and these two values must be identical. Use the keytool and the following steps to change the keystore passwords:

1. Open a command prompt on the Oracle Identity Manager host computer.

2. Navigate to the OIM_HOME\xellerate\config directory.

3. Run the keytool with the following options to change the storepass:

   JAVA_HOME\jre\bin\keytool -storepasswd -new new_password -storepass xellerate -keystore .xlkeystore -storetype JKS
   

4. Run the keytool with the following options to change the keypass of the xell entry in .xlkeystore:

   JAVA_HOME\jre\bin\keytool -keypasswd -alias xell -keypass xellerate -new new_password -keystore .xlkeystore -storepass new_password
   

   Note:

   Replace new_password with the same password entered in Step 3.

   Table 8-1 lists the options used in the preceding example of keytool usage.

   Table 8-1 Command Options for the keytool Utility

   Option	Description
   JAVA_HOME	Location of the Java directory associated with the application server
   new_password	New password for the keystore
   -keystore option	Keystore whose password you are changing (.xlkeystore for Oracle Identity Manager or .xldatabasekey for the database)
   -storetype option	JKS for .xlkeystore and JCEKS for .xldatabasekey

   
   

5. Open t he OIM_HOME\xellerate\config\xlconfig.xml file in a text editor.

6. Edit the <xl-configuration>.<Security>.<XLPKIProvider>.<KeyStore> section, <xl-configuration>.<Security>.<XLPKIProvider>.<Keys> section, and <RMSecurity>.<KeyStore> section to specify the keystore password as follows:

   Note:

   Change the <XLSymmetricProvider>.<KeyStore> section of the configuration file to update the password for the database keystore (.xldatabasekey).

   • Change the password tag to encrypted="false".

   • Enter the password in clear text. For example:

     <Security>
     <XLPKIProvider>
     <KeyStore>
           <Location>.xlkeystore</Location>
           <Password encrypted="false">new_password</Password>
           <Type>JKS</Type>
           <Provider>sun.security.provider.Sun</Provider>
     </KeyStore>
     <Keys> 
     <PrivateKey> 
     <Alias>xell</Alias> 
     <Password encrypted="false">new_password</Password> 
     </PrivateKey> 
     </Keys> 
     <RMSecurity> 
     <KeyStore> 
     <Location>.xlkeystore</Location> 
     <Password encrypted="false">new_password</Password> 
     <Type>JKS</Type> 
     <Provider>sun.security.provider.Sun</Provider> 
     </KeyStore>
     

7. Save and close the xlconfig.xml file.

8. Restart the application server.

   When you stop and start the application server, a backup of the configuration file is created. The configuration file (with the new password) is read in, and the password is encrypted in the file.

9. If all of the preceding steps have succeeded, you can delete the backup file.

   Note:

   On UNIX, you might also want to clear the command history of the shell by using the following command:

   history -c

8.7 Tuning JDBC Connection Pools

To implement tuning for the JDBC connection pools used by Oracle Identity Manager, open the JBOSS_HOME/server/default/deploy/xell-ds.xml file and implement the following changes:

Note:

For clustered installation of Oracle Identity Manager on JBoss Application Server, the xell-ds.xml file can be located at JBOSS_HOME/server/all/farm.

It is strongly recommended that you implement the suggested tuning for the JDBC connection pools used by Oracle Identity Manager. This can be further tuned based on the application usage.

1. For the jdbc/xlDS pool, insert the following before the </local-tx-datasource> line:

   <min-pool-size>30</min-pool-size>
   <max-pool-size>50</max-pool-size>
   <blocking-timeout-millis>15000</blocking-timeout-millis>
   <idle-timeout-minutes>15</idle-timeout-minutes>
   

2. For the jdbc/xlXADS pool, insert the code mentioned in Step 1 before the </xa-datasource> line.

3. Restart JBoss Application Server.

8.8 Reserving JBoss Application Server Ports on Microsoft Windows Installation

To reserve the necessary ports for JBoss Application Server on Microsoft Windows installation:

1. Select Run from the Windows Start menu. The Run dialog box is displayed.

2. Enter regedt32 in the Run dialog box and click OK. The Registry Editor window is displayed.

3. Navigate to the following registry key:

   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
   

4. If it does not already exist, create a ReservedPorts value, as follows:

   1. Point to New on the Edit menu and then click Multi-String Value.

   2. Enter ReservedPorts as the value name and then press Enter.

5. Double-click the ReservedPorts value. The Edit Multi-String dialog box is displayed.

6. In the Edit Multi-String dialog box, enter 1098-1434 in the Value data box.

7. Click OK to close the Edit Multi-String dialog box, and then close the Registry Editor window.

8.9 Increasing the Transaction Timeout

You might have to increase the transaction timeout values for JBoss Application Server because the default values can be low for certain transactions. Oracle recommends the values specified in the following step:

Open the JBOSS_HOME\server\default\conf\jboss-service.xml file and ensure that the transaction timeout attribute value is set to 1200 as follows:

<attribute name="TransactionTimeout">1200</attribute>

Note:

For clustered JBoss Application Server, the corresponding file is located at JBOSS_HOME\server\all\conf\jboss-service.xml.

See Also:

Appendix B for information about additional postinstallation tasks

8.10 Cleaning Up the JBoss Application Server Installation

This section discusses the following topics:

• Removing JBoss Application Server Components

• Removing Files and Directories

8.10.1 Removing JBoss Application Server Components

For a JBoss Application Server installation, some JBoss components are not required by Oracle Identity Manager. These files vary for standalone and clustered installations.

You can remove the following components:

• Cache invalidation service (retain this for a clustered installation)

• J2EE client deployer service

• Integrated HAR deployer and Hibernate session Management services

• JMX Console

• Management console

• Console/e-mail monitor alerts

• UUID key Generation

• JBoss scheduler manager

• Scheduler service

• Test queues and topics

• Mail service

• HTTP Invoker

• CORBA/IIOP

• AOP Application

• Web services support

8.10.2 Removing Files and Directories

The following sections list the files and directories that you can remove after installing Oracle Identity Manager.

8.10.2.1 Nonclustered Installations

Remove the following files from the JBOSS_HOME/server/default/deploy directory:

• cache-invalidation-service.xml

• client-deployer-service.xml

• monitoring-service.xml

• scheduler-service.xml

• schedule-manager-service.xml

• mail-service.xml

• uuid-key-generator.sar

Remove the following directories from the JBOSS_HOME/server/default/deploy directory:

• jboss-hibernate.deployer

  Note:

  Remove this directory only if it exists.

• jmx-console.war

• management

• http-invoker.sar

• jboss-aop-jdk50.deployer

• jbossws.sar

Remove the following file:

JBOSS_HOME/server/default/deploy/jms/jbossmq-destinations-service.xml.

Open the JBOSS_HOME/server/default/conf/jboss-service.xml file and remove the following attribute:

<attribute name'"RMI_IIOPService">jboss:service=CorbaORB</attribute>

8.10.2.2 Clustered Installations

Remove the following files from the JBOSS_HOME/server/all/deploy directory:

• client-deployer-service.xml

• monitoring-service.xml

• scheduler-service.xml

• schedule-manager-service.xml

• mail-service.xml

• jboss-aop-jdk50.deployer

• jbossws.sar

Remove the following directories from the JBOSS_HOME/server/all/deploy directory:

• httpha-invoker.sar

• jboss-hibernate.deployer

• jmx-console.war

• management

• uuid-key-generator.sar

Remove the following file:

JBOSS_HOME/server/all/deploy-hasingleton/jms/jbossmq-destinations-service.xml

Open the JBOSS_HOME/server/all/conf/jboss-service.xml file and remove the following attribute:

<attribute name'"RMI_IIOPService">jboss:service=CorbaORB</attribute>

8.11 Setting the Compiler Path for Adapter Compilation

To compile adapters or import Deployment Manager XML files that have adapters, you must set the compiler path. To set the compiler path for adapter compilation, you must first install the Design Console. See Chapter 9, "Installing and Configuring the Oracle Identity Manager Design Console" for instructions on installing the Design Console and then setting the compiler path for adapter compilation.

8.12 Encrypting Oracle Identity Manager Database Password in the xell-ds.xml File for JBoss Application Server

By default, JBoss Application Server does not encrypt data source passwords, as described in the JBoss document at

http://wiki.jboss.org/wiki/Wiki.jsp?page=EncryptingDataSourcePasswords

This section describes how to encrypt the Oracle Identity Manager database password in JBoss Application Server deployments. Specifically, you must perform the following steps to manually encrypt a password, and then modify the xell-ds.xml and login-config.xml files so that they can access the encrypted form of the password instead of the clear text version:

Note:

For a clustered installation, repeat this procedure on all the nodes of the cluster.

1. Open a console window and navigate to the JBOSS_HOME directory.

2. Run one of the following commands to encrypt the Oracle Identity Manager database password. In this command, replace password with the actual password that you want to encrypt.

   UNIX/Linux

   java -cp "JBOSS_HOME/lib/jboss-jmx.jar:lib/jboss-common.jar:server/ default/lib/jboss-jca.jar:server/default/lib/jbosssx.jar"org.jboss.resource.security.SecureIdentityLoginModule password
   

   Microsoft Windows

   java -cp "JBOSS_HOME/lib/jboss-jmx.jar;lib/jboss-common.jar;server/ default/lib/jboss-jca.jar;server/default/lib/jbosssx.jar" org.jboss.resource.security.SecureIdentityLoginModule password
   

3. The command you run in the previous step returns an encoded form of the password you specify. For example, the password Welcome1 is encoded as 3146f9cc50afd6a6df8592078de921bc. Highlight and copy the encoded password.

4. Open the JBOSS_HOME/server/default/deploy/xell-ds.xml file in a text editor.

5. Delete the <user-name> and <password> elements from the <local-tx-datasource> element.

6. Add the following <security-domain> element to the end of the <local-tx-datasource> element:

   <security-domain>EncryptDBPassword</security-domain>
   

7. Delete the <xa-datasource-property name="User"> and <xa-datasource-property name="Password"> elements from the <xa-datasource> element.

8. Add the following <security-domain> element to the end of the <xa-datasource> element:

   <security-domain>EncryptXADBPassword</security-domain>
   

9. Save and close the JBOSS_HOME/server/default/deploy/xell-ds.xml file.

10. Open the JBOSS_HOME/server/default/conf/login-config.xml file in a text editor.

11. Add the following elements to the <application-policy> element:

    Note:

    Replace datasource_username with the datasource user name and encoded_password with the encoded password you copy in Step 3.

    <application-policy name = "EncryptDBPassword">
     <authentication>
      <login-module code = "org.jboss.resource.security.SecureIdentityLoginModule" flag = "required">
       <module-option name = "username">datasource_username</module-option>
       <module-option name = "password">encoded_password</module-option>
       <module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=jdbc/xlDS</module-option>
      </login-module>
     </authentication>
    </application-policy>
    

    <application-policy name = "EncryptXADBPassword">
     <authentication>
      <login-module code = "org.jboss.resource.security.SecureIdentityLoginModule" flag = "required">
       <module-option name = "username">datasource_username</module-option>
       <module-option name = "password">encoded_password</module-option>
       <module-option name = "managedConnectionFactoryName">jboss.jca:service=XATxCM,name=jdbc/xlXADS</module-option>
      </login-module>
     </authentication>
    </application-policy>
    

12. Save and close the JBOSS_HOME/server/default/deploy/login-config.xml file.

8.13 Configuring Proxies to Access Web Application URLs (Optional)

By default, Oracle Identity Manager uses the following Web application URLs. You may have to configure proxies to allow access to the following URLs:

• /xlWebApp

• /xlScheduler

• /Nexaweb

• /spmlws

8.14 Setting Log Levels (Optional)

Oracle Identity Manager uses log4j for logging. For JBoss-based installations, logging is configured in the jboss-log4j.xml file.

By default, the log level is set to Warning, except for DDM, for which the log level is set to Debug by default. You can change the log level universally for all components or for an individual component. For normal operation of Oracle Identity Manager, this postinstallation configuration step is not required.

8.14.1 Oracle Identity Manager Component Logging

The components are listed in the OIM_HOME\xellerate\config\log.properties file in the XELLERATE section. They are as follows:

log4j.logger.XELLERATE=WARN
log4j.logger.XELLERATE.DDM=DEBUG
log4j.logger.XELLERATE.ACCOUNTMANAGEMENT=DEBUG
log4j.logger.XELLERATE.SERVER=DEBUG
log4j.logger.XELLERATE.RESOURCEMANAGEMENT=DEBUG
log4j.logger.XELLERATE.REQUESTS=DEBUG
log4j.logger.XELLERATE.WORKFLOW=DEBUG
log4j.logger.XELLERATE.WEBAPP=DEBUG
log4j.logger.XELLERATE.SCHEDULER=DEBUG
log4j.logger.XELLERATE.SCHEDULER.Task=DEBUG
log4j.logger.XELLERATE.ADAPTERS=DEBUG
log4j.logger.XELLERATE.JAVACLIENT=DEBUG
log4j.logger.XELLERATE.POLICIES=DEBUG
log4j.logger.XELLERATE.RULES=DEBUG
log4j.logger.XELLERATE.DATABASE=DEBUG
log4j.logger.XELLERATE.APIS=DEBUG
log4j.logger.XELLERATE.OBJECTMANAGEMENT=DEBUG
log4j.logger.XELLERATE.JMS=DEBUG
log4j.logger.XELLERATE.REMOTEMANAGER=DEBUG
log4j.logger.XELLERATE.CACHEMANAGEMENT=DEBUG
log4j.logger.XELLERATE.ATTESTATION=DEBUG
log4j.logger.XELLERATE.AUDITOR=DEBUG

8.14.2 Setting Log Levels for JBoss Application Server

The jboss-log4j.xml file is used for all logging with JBoss Application Server. Therefore, Oracle Identity Manager components use an Xellerate tag. The jboss-log4j.xml file contains a general setting for Xellerate:

<category name="XELLERATE">
  <priority value="WARN" />
</category>

You can change the log level for all components by editing the priority value of the general setting, or for a specific component by adding a new logging category element.

The available categories are listed in the XELLERATE section of the log.properties file. See Oracle Identity Manager Component Logging for more information.

For example, to change the level for Oracle Identity Manager, add the following element to the jboss-log4j.xml file:

<category name="XELLERATE.SERVER">
  <priority value="WARN" />
  <appender-ref ref="FILE"/>
</category>

To set Oracle Identity Manager log levels in JBoss Application Server:

1. Open the JBOSS_HOME\server\default\conf\jboss-log4j.xml file in a text editor.

   For a clustered installation, open the JBOSS_HOME\server\all\conf\jboss-log4j.xml file in a text editor.

2. Insert an element for the required component.

3. Set the priority value to the appropriate level for the required components.

   The following is a list of the supported log levels, appearing in descending order of information logged (DEBUG logs the most information and FATAL logs the least information):

   • DEBUG

   • INFO

   • WARN

   • ERROR

   • FATAL

4. Save your changes.

8.15 Enabling Single Sign-On (SSO) for Oracle Identity Manager (Optional)

The following procedure describes how to enable Single Sign-On for Oracle Identity Manager with ASCII character logins. To enable Single Sign-On with non-ASCII character logins, use the following procedure—but include the additional configuration setting described in Step 4.

See Also:

Oracle Identity Manager Best Practices Guide for additional information about configuring Single Sign-On for Oracle Identity Manager with Oracle Access Manager

Note:

Header names consisting only of alphabetic characters (letters) are certified. Oracle recommends that you do not use special characters or numeric characters in header names.

To enable Single Sign-On for Oracle Identity Manager:

1. Stop the application server gracefully.

2. Open the OIM_HOME/xellerate/config/xlconfig.xmlfile in a text editor.

3. Locate the following Single Sign-On configuration (the following are the default settings without Single Sign-On):

   <web-client>
   <Authentication>Default</Authentication>
   <AuthHeader>REMOTE_USER</AuthHeader>
   </web-client>
   

4. Edit the Single Sign-On configuration to the following and replace SSO_HEADER_NAME with the appropriate header configured in your Single Sign-On system:

   <web-client>
   <Authentication>SSO</Authentication>
   <AuthHeader><SSO_HEADER_NAME></AuthHeader>
   </web-client>
   

   To enable Single Sign-On with non-ASCII character logins, you must include a decoding class name to decode the non-ASCII header value. Add the decoding class name and edit the Single Sign-On configuration as follows:

   <web-client>
   <Authentication>SSO</Authentication>
   <AuthHeader>SSO_HEADER_NAME</AuthHeader>
   <AuthHeaderDecoder>com.thortech.xl.security.auth.CoreIDSSOAuthHeaderDecoder</AuthHeaderDecoder>
   </web-client>
   

   Replace SSO_HEADER_NAME with the appropriate header configured in your Single Sign-On system.

5. Change your application server and Web server configuration to enable Single Sign-On by referring to your application and Web server vendor documentation.

6. Restart the application server.

8.16 Configuring Custom Authentication (Optional)

This section describes how to use custom authentication solutions with Oracle Identity Manager.

Oracle Identity Manager deploys a Java Authentication and Authorization Service (JAAS) module to authenticate users. For unattended logins, which require offline message processing and scheduled task execution, Oracle Identity Manager uses signature-based authentication. Although you should use JAAS to handle signature-based authentication, you can create a custom authentication solution to handle standard authentication requests.

Note:

The Oracle Identity Manager JAAS module must be deployed on your application server and must be the first invoked authenticator.

To enable custom authentication on JBoss Application Server, you implement a custom authentication module class. Oracle Identity Manager will then delegate standard authentication requests to the custom authentication module.

To implement custom authentication for JBoss Application Server:

1. Open the OIM_HOME\config\xlconfig.xml file in a text editor and add the following element, replacing CustomLoginModule with the name of your custom login module class.

   <login-module>
        <thirdPartyLoginModule>CustomLoginModule</thirdPartyLoginModule>
   </login-module>
   

2. (Optional) Specify configuration properties for the custom authentication module by first opening the JBOSS_HOME\server\default\conf\login-config.xml file in a text editor.

   Note:

   For a clustered installation, open the JBOSS_HOME\server\all\conf\login-config.xml file in a text editor.

   Then, add a module option within the <login-module> element for the com.thortech.xl.security.jboss.UsernamePasswordLoginModule package. Oracle Identity Manager will delegate the specified properties to the custom authentication module class. For example, the following rolesProperties module option will be delegated to the custom authentication module class.

   <application-policy name = "xellerate">
       <authentication>
         <login-module
           code="com.thortech.xl.security.jboss.XLClientLoginModule"
           flag="required">
         </login-module>
         <login-module code=
             "com.thortech.xl.security.jboss.UsernamePasswordLoginModule"
              flag = "required" >
            <module-option name =
              "unauthenticatedIdentity">Unknown</module-option>
            <module-option name = 
              "data-source">java:/jdbc/xlDS</module-option>
            <module-option name = 
              "rolesProperties">customRoleProperties</module-option>
         </login-module>    </authentication>
     </application-policy>      
   

3. Copy the custom authentication JAR file to the JBOSS_HOME\server\default\lib directory.

8.17 Protecting the JNDI Namespace (Optional)

When you specify a custom authentication solution, you must also protect the Java Naming and Directory Interface (JNDI) namespace to ensure that only designated users have permission to view resources. The primary purpose of protecting the JNDI namespace is to protect Oracle Identity Manager from any malicious applications that might be installed in the same application server instance. Even if no other applications, malicious or otherwise, are installed in the same application server instance as Oracle Identity Manager, you must protect your JNDI namespace as a routine security measure.

To protect your JNDI namespace and configure Oracle Identity Manager to access it:

1. Open the OIM_HOME\config\xlconfig.xml file in a text editor and add the following elements to the <Discovery> element:

   <java.naming.security.principal>
   <java.naming.security.credentials>
   

2. Optionally, to encrypt the JNDI password, add an encrypted attribute that is assigned a value of true to the <java.naming.security.credentials> element, and assign the password as the element's value, as follows:

   <java.naming.security.credentials
     encrypted="true">password</java.naming.security.credentials>
   

3. Add the following elements to the <Scheduler> element:

   <CustomProperties>
     <org.quartz.dataSource.OracleDS.java.naming.security.principal>user
     </org.quartz.dataSource.OracleDS.java.naming.security.principal>
     <org.quartz.dataSource.OracleDS.java.naming.security.credentials>pwd
     </org.quartz.dataSource.OracleDS.java.naming.security.credentials></CustomProperties>
   

8.18 Deploying the SPML Web Service (Optional)

Organizations can have multiple provisioning systems that exchange information about the modification of user records. In addition, there can be applications that must interact with multiple provisioning systems. The SPML Web Service provides a layer over Oracle Identity Manager to interpret SPML requests and convert them to Oracle Identity Manager calls.

The SPML Web Service is packaged in a deployable Enterprise Archive (EAR) file. This file is generated when you install Oracle Identity Manager.

Because the EAR file is generated while you install Oracle Identity Manager, a separate batch file in the Oracle Identity Manager home directory runs the scripts that deploy the SPML Web Service on the application server on which Oracle Identity Manager is running. You must run the batch file to deploy the SPML Web Service.

For details about the SPML Web Service, see Chapter 12, "The SPML Web Service" in Oracle Identity Manager Tools Reference.