Oracle® Identity Manager Installation and Configuration Guide for JBoss Application Server Release 9.1.0.1 Part Number E14046-03 |
|
|
View PDF |
After you install Oracle Identity Manager, you may have to perform certain postinstallation tasks before you can use the application. Some of the postinstallation tasks are optional, depending on your deployment and requirement.
This chapter discusses the following topics:
Removing Backup xlconfig.xml Files After Starting or Restarting
Reserving JBoss Application Server Ports on Microsoft Windows Installation
Configuring Proxies to Access Web Application URLs (Optional)
Enabling Single Sign-On (SSO) for Oracle Identity Manager (Optional)
Note:
The examples in this chapter are Microsoft Windows based. However, the postinstallation tasks also apply to UNIX.This section describes how to start Oracle Identity Manager on Microsoft Windows, UNIX.
To start Oracle Identity Manager:
Verify that your database is up and running.
Start Oracle Identity Manager by running one of the following scripts. Running the Oracle Identity Manager start script also starts JBoss Application Server.
On Microsoft Windows
OIM_HOME
\xellerate\bin\xlStartServer.bat
On UNIX
OIM_HOME
/xellerate/bin/xlStartServer.sh
To stop Oracle Identity Manager gracefully, you stop the JBoss Application Server by running one of the following scripts:
On Microsoft Windows
JBOSS_HOME
\bin\shutdown.bat -S
On UNIX
JBOSS_HOME
/bin/shutdown.sh -S
After starting the JBoss Application Server and Oracle Identity Manager, you can access the Administrative and User Console.
To access the Administrative and User Console:
Browse to the following URL by using a Web browser:
http://hostname:port/xlWebApp
In this URL, hostname
represents the name of the computer hosting the application server and port
refers to the port on which the server is listening. The default port number for JBoss Application Server is 8080.
Note:
The application name, xlWebApp, is case-sensitive.For example:
http://localhost:8080/xlWebApp
After the Oracle Identity Manager login page is displayed, log in with your user name and password.
The Diagnostic Dashboard verifies each component in your postinstallation environment by testing for the following components:
Trusted store
Single Sign-On Configuration
Messaging capability
Task scheduler
Remote Manager
The Diagnostic Dashboard also checks for all supported versions of components along with their packaging.
Note:
See "Using the Diagnostic Dashboard" for more information.After you start any Oracle Identity Manager component for the first time, or after you change any passwords in the xlconfig.xml file, Oracle Identity Manager encrypts and saves the passwords. Oracle Identity Manager also creates a backup copy of the xlconfig.xml file before saving changes to the file. These backup files contain old passwords in plaintext. The backup file are named xlconfig.xml.x, where x is the latest available number, for example xlconfig.xml.0, xlconfig.xml.1, and so on.
Note:
You must remove these backup files after starting any Oracle Identity Manager component for the first time, or on restarting after changing any passwords in xlconfig.xml after you have established that the new password is working correctly.During installation, the passwords for the Oracle Identity Manager keystores are set to xellerate
. The Installer scripts and installation log contain this default password. It is strongly recommended that you change the keystore passwords for all production installations.
To change the keystore passwords, you must change the storepass of .xlkeystore and the keypass of the xell entry in .xlkeystore—and these two values must be identical. Use the keytool and the following steps to change the keystore passwords:
Open a command prompt on the Oracle Identity Manager host computer.
Navigate to the OIM_HOME
\xellerate\config
directory.
Run the keytool with the following options to change the storepass:
JAVA_HOME\jre\bin\keytool -storepasswd -new new_password -storepass xellerate -keystore .xlkeystore -storetype JKS
Run the keytool with the following options to change the keypass of the xell entry in .xlkeystore:
JAVA_HOME\jre\bin\keytool -keypasswd -alias xell -keypass xellerate -new new_password -keystore .xlkeystore -storepass new_password
Note:
Replacenew_password
with the same password entered in Step 3.Table 8-1 lists the options used in the preceding example of keytool usage.
Table 8-1 Command Options for the keytool Utility
Option | Description |
---|---|
|
Location of the Java directory associated with the application server |
|
New password for the keystore |
|
Keystore whose password you are changing (.xlkeystore for Oracle Identity Manager or .xldatabasekey for the database) |
|
JKS for .xlkeystore and JCEKS for .xldatabasekey |
Open t he OIM_HOME
\xellerate\config\xlconfig.xml
file in a text editor.
Edit the <xl-configuration>.<Security>.<XLPKIProvider>.<KeyStore> section, <xl-configuration>.<Security>.<XLPKIProvider>.<Keys> section, and <RMSecurity>.<KeyStore> section to specify the keystore password as follows:
Note:
Change the <XLSymmetricProvider>.<KeyStore> section of the configuration file to update the password for the database keystore (.xldatabasekey).Change the password tag to encrypted
="false
".
Enter the password in clear text. For example:
<Security> <XLPKIProvider> <KeyStore> <Location>.xlkeystore</Location> <Password encrypted="false">new_password</Password> <Type>JKS</Type> <Provider>sun.security.provider.Sun</Provider> </KeyStore> <Keys> <PrivateKey> <Alias>xell</Alias> <Password encrypted="false">new_password</Password> </PrivateKey> </Keys> <RMSecurity> <KeyStore> <Location>.xlkeystore</Location> <Password encrypted="false">new_password</Password> <Type>JKS</Type> <Provider>sun.security.provider.Sun</Provider> </KeyStore>
Save and close the xlconfig.xml file.
Restart the application server.
When you stop and start the application server, a backup of the configuration file is created. The configuration file (with the new password) is read in, and the password is encrypted in the file.
If all of the preceding steps have succeeded, you can delete the backup file.
Note:
On UNIX, you might also want to clear the command history of the shell by using the following command:history -c
To implement tuning for the JDBC connection pools used by Oracle Identity Manager, open the JBOSS_HOME
/server/default/deploy/xell-ds.xml
file and implement the following changes:
Note:
For clustered installation of Oracle Identity Manager on JBoss Application Server, thexell-ds.xml
file can be located at JBOSS_HOME
/server/all/farm
.
It is strongly recommended that you implement the suggested tuning for the JDBC connection pools used by Oracle Identity Manager. This can be further tuned based on the application usage.
For the jdbc/xlDS
pool, insert the following before the </local-tx-datasource>
line:
<min-pool-size>30</min-pool-size> <max-pool-size>50</max-pool-size> <blocking-timeout-millis>15000</blocking-timeout-millis> <idle-timeout-minutes>15</idle-timeout-minutes>
For the jdbc/xlXADS
pool, insert the code mentioned in Step 1 before the </xa-datasource>
line.
Restart JBoss Application Server.
To reserve the necessary ports for JBoss Application Server on Microsoft Windows installation:
Select Run from the Windows Start menu. The Run dialog box is displayed.
Enter regedt32
in the Run dialog box and click OK. The Registry Editor window is displayed.
Navigate to the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
If it does not already exist, create a ReservedPorts value, as follows:
Point to New on the Edit menu and then click Multi-String Value.
Enter ReservedPorts
as the value name and then press Enter.
Double-click the ReservedPorts value. The Edit Multi-String dialog box is displayed.
In the Edit Multi-String dialog box, enter 1098-1434
in the Value data box.
Click OK to close the Edit Multi-String dialog box, and then close the Registry Editor window.
You might have to increase the transaction timeout values for JBoss Application Server because the default values can be low for certain transactions. Oracle recommends the values specified in the following step:
Open the JBOSS_HOME
\server\default\conf\jboss-service.xml
file and ensure that the transaction timeout attribute value is set to 1200
as follows:
<attribute name="TransactionTimeout">1200</attribute>
Note:
For clustered JBoss Application Server, the corresponding file is located atJBOSS_HOME
\server\all\conf\jboss-service.xml
.See Also:
Appendix B for information about additional postinstallation tasksThis section discusses the following topics:
For a JBoss Application Server installation, some JBoss components are not required by Oracle Identity Manager. These files vary for standalone and clustered installations.
You can remove the following components:
Cache invalidation service (retain this for a clustered installation)
J2EE client deployer service
Integrated HAR deployer and Hibernate session Management services
JMX Console
Management console
Console/e-mail monitor alerts
UUID key Generation
JBoss scheduler manager
Scheduler service
Test queues and topics
Mail service
HTTP Invoker
CORBA/IIOP
AOP Application
Web services support
The following sections list the files and directories that you can remove after installing Oracle Identity Manager.
Remove the following files from the JBOSS_HOME
/server/default/deploy
directory:
cache-invalidation-service.xml
client-deployer-service.xml
monitoring-service.xml
scheduler-service.xml
schedule-manager-service.xml
mail-service.xml
uuid-key-generator.sar
Remove the following directories from the JBOSS_HOME
/server/default/deploy
directory:
jboss-hibernate.deployer
Note:
Remove this directory only if it exists.jmx-console.war
management
http-invoker.sar
jboss-aop-jdk50.deployer
jbossws.sar
Remove the following file:
JBOSS_HOME
/server/default/deploy/jms/jbossmq-destinations-service.xml
.
Open the JBOSS_HOME
/server/default/conf/jboss-service.xml
file and remove the following attribute:
<attribute name'"RMI_IIOPService">jboss:service=CorbaORB</attribute>
Remove the following files from the JBOSS_HOME
/server/all/deploy
directory:
client-deployer-service.xml
monitoring-service.xml
scheduler-service.xml
schedule-manager-service.xml
mail-service.xml
jboss-aop-jdk50.deployer
jbossws.sar
Remove the following directories from the JBOSS_HOME
/server/all/deploy
directory:
httpha-invoker.sar
jboss-hibernate.deployer
jmx-console.war
management
uuid-key-generator.sar
Remove the following file:
JBOSS_HOME
/server/all/deploy-hasingleton/jms/jbossmq-destinations-service.xml
Open the JBOSS_HOME
/server/all/conf/jboss-service.xml
file and remove the following attribute:
<attribute name'"RMI_IIOPService">jboss:service=CorbaORB</attribute>
To compile adapters or import Deployment Manager XML files that have adapters, you must set the compiler path. To set the compiler path for adapter compilation, you must first install the Design Console. See Chapter 9, "Installing and Configuring the Oracle Identity Manager Design Console" for instructions on installing the Design Console and then setting the compiler path for adapter compilation.
By default, JBoss Application Server does not encrypt data source passwords, as described in the JBoss document at
http://wiki.jboss.org/wiki/Wiki.jsp?page=EncryptingDataSourcePasswords
This section describes how to encrypt the Oracle Identity Manager database password in JBoss Application Server deployments. Specifically, you must perform the following steps to manually encrypt a password, and then modify the xell-ds.xml
and login-config.xml
files so that they can access the encrypted form of the password instead of the clear text version:
Note:
For a clustered installation, repeat this procedure on all the nodes of the cluster.Open a console window and navigate to the JBOSS_HOME
directory.
Run one of the following commands to encrypt the Oracle Identity Manager database password. In this command, replace password
with the actual password that you want to encrypt.
UNIX/Linux
java -cp "JBOSS_HOME/lib/jboss-jmx.jar:lib/jboss-common.jar:server/ default/lib/jboss-jca.jar:server/default/lib/jbosssx.jar"org.jboss.resource.security.SecureIdentityLoginModule password
Microsoft Windows
java -cp "JBOSS_HOME/lib/jboss-jmx.jar;lib/jboss-common.jar;server/ default/lib/jboss-jca.jar;server/default/lib/jbosssx.jar" org.jboss.resource.security.SecureIdentityLoginModule password
The command you run in the previous step returns an encoded form of the password you specify. For example, the password Welcome1
is encoded as 3146f9cc50afd6a6df8592078de921bc
. Highlight and copy the encoded password.
Open the JBOSS_HOME
/server/default/deploy/xell-ds.xml
file in a text editor.
Delete the <user-name>
and <password>
elements from the <local-tx-datasource>
element.
Add the following <security-domain>
element to the end of the <local-tx-datasource>
element:
<security-domain>EncryptDBPassword</security-domain>
Delete the <xa-datasource-property name="User">
and <xa-datasource-property name="Password">
elements from the <xa-datasource>
element.
Add the following <security-domain>
element to the end of the <xa-datasource>
element:
<security-domain>EncryptXADBPassword</security-domain>
Save and close the JBOSS_HOME
/server/default/deploy/xell-ds.xml
file.
Open the JBOSS_HOME
/server/default/conf/login-config.xml
file in a text editor.
Add the following elements to the <application-policy>
element:
Note:
Replacedatasource_username
with the datasource user name and encoded_password
with the encoded password you copy in Step 3.<application-policy name = "EncryptDBPassword"> <authentication> <login-module code = "org.jboss.resource.security.SecureIdentityLoginModule" flag = "required"> <module-option name = "username">datasource_username</module-option> <module-option name = "password">encoded_password</module-option> <module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=jdbc/xlDS</module-option> </login-module> </authentication> </application-policy>
<application-policy name = "EncryptXADBPassword"> <authentication> <login-module code = "org.jboss.resource.security.SecureIdentityLoginModule" flag = "required"> <module-option name = "username">datasource_username</module-option> <module-option name = "password">encoded_password</module-option> <module-option name = "managedConnectionFactoryName">jboss.jca:service=XATxCM,name=jdbc/xlXADS</module-option> </login-module> </authentication> </application-policy>
Save and close the JBOSS_HOME
/server/default/deploy/login-config.xml
file.
By default, Oracle Identity Manager uses the following Web application URLs. You may have to configure proxies to allow access to the following URLs:
/xlWebApp
/xlScheduler
/Nexaweb
/spmlws
Oracle Identity Manager uses log4j for logging. For JBoss-based installations, logging is configured in the jboss-log4j.xml file.
By default, the log level is set to Warning, except for DDM, for which the log level is set to Debug by default. You can change the log level universally for all components or for an individual component. For normal operation of Oracle Identity Manager, this postinstallation configuration step is not required.
The components are listed in the OIM_HOME
\xellerate\config\log.properties
file in the XELLERATE section. They are as follows:
log4j.logger.XELLERATE=WARN log4j.logger.XELLERATE.DDM=DEBUG log4j.logger.XELLERATE.ACCOUNTMANAGEMENT=DEBUG log4j.logger.XELLERATE.SERVER=DEBUG log4j.logger.XELLERATE.RESOURCEMANAGEMENT=DEBUG log4j.logger.XELLERATE.REQUESTS=DEBUG log4j.logger.XELLERATE.WORKFLOW=DEBUG log4j.logger.XELLERATE.WEBAPP=DEBUG log4j.logger.XELLERATE.SCHEDULER=DEBUG log4j.logger.XELLERATE.SCHEDULER.Task=DEBUG log4j.logger.XELLERATE.ADAPTERS=DEBUG log4j.logger.XELLERATE.JAVACLIENT=DEBUG log4j.logger.XELLERATE.POLICIES=DEBUG log4j.logger.XELLERATE.RULES=DEBUG log4j.logger.XELLERATE.DATABASE=DEBUG log4j.logger.XELLERATE.APIS=DEBUG log4j.logger.XELLERATE.OBJECTMANAGEMENT=DEBUG log4j.logger.XELLERATE.JMS=DEBUG log4j.logger.XELLERATE.REMOTEMANAGER=DEBUG log4j.logger.XELLERATE.CACHEMANAGEMENT=DEBUG log4j.logger.XELLERATE.ATTESTATION=DEBUG log4j.logger.XELLERATE.AUDITOR=DEBUG
The jboss-log4j.xml file is used for all logging with JBoss Application Server. Therefore, Oracle Identity Manager components use an Xellerate tag. The jboss-log4j.xml file contains a general setting for Xellerate:
<category name="XELLERATE"> <priority value="WARN" /> </category>
You can change the log level for all components by editing the priority value
of the general setting, or for a specific component by adding a new logging category element.
The available categories are listed in the XELLERATE section of the log.properties file. See Oracle Identity Manager Component Logging for more information.
For example, to change the level for Oracle Identity Manager, add the following element to the jboss-log4j.xml file:
<category name="XELLERATE.SERVER"> <priority value="WARN" /> <appender-ref ref="FILE"/> </category>
To set Oracle Identity Manager log levels in JBoss Application Server:
Open the JBOSS_HOME
\server\default\conf\jboss-log4j.xml
file in a text editor.
For a clustered installation, open the JBOSS_HOME
\server\all\conf\jboss-log4j.xml
file in a text editor.
Insert an element for the required component.
Set the priority value
to the appropriate level for the required components.
The following is a list of the supported log levels, appearing in descending order of information logged (DEBUG logs the most information and FATAL logs the least information):
DEBUG
INFO
WARN
ERROR
FATAL
Save your changes.
The following procedure describes how to enable Single Sign-On for Oracle Identity Manager with ASCII character logins. To enable Single Sign-On with non-ASCII character logins, use the following procedure—but include the additional configuration setting described in Step 4.
See Also:
Oracle Identity Manager Best Practices Guide for additional information about configuring Single Sign-On for Oracle Identity Manager with Oracle Access ManagerNote:
Header names consisting only of alphabetic characters (letters) are certified. Oracle recommends that you do not use special characters or numeric characters in header names.To enable Single Sign-On for Oracle Identity Manager:
Stop the application server gracefully.
Open the OIM_HOME
/xellerate/config/xlconfig.xml
file in a text editor.
Locate the following Single Sign-On configuration (the following are the default settings without Single Sign-On):
<web-client> <Authentication>Default</Authentication> <AuthHeader>REMOTE_USER</AuthHeader> </web-client>
Edit the Single Sign-On configuration to the following and replace SSO_HEADER_NAME
with the appropriate header configured in your Single Sign-On system:
<web-client>
<Authentication>SSO</Authentication>
<AuthHeader><SSO_HEADER_NAME></AuthHeader>
</web-client>
To enable Single Sign-On with non-ASCII character logins, you must include a decoding class name to decode the non-ASCII header value. Add the decoding class name and edit the Single Sign-On configuration as follows:
<web-client>
<Authentication>SSO</Authentication>
<AuthHeader>SSO_HEADER_NAME</AuthHeader>
<AuthHeaderDecoder>com.thortech.xl.security.auth.CoreIDSSOAuthHeaderDecoder</AuthHeaderDecoder>
</web-client>
Replace SSO_HEADER_NAME
with the appropriate header configured in your Single Sign-On system.
Change your application server and Web server configuration to enable Single Sign-On by referring to your application and Web server vendor documentation.
Restart the application server.
This section describes how to use custom authentication solutions with Oracle Identity Manager.
Oracle Identity Manager deploys a Java Authentication and Authorization Service (JAAS) module to authenticate users. For unattended logins, which require offline message processing and scheduled task execution, Oracle Identity Manager uses signature-based authentication. Although you should use JAAS to handle signature-based authentication, you can create a custom authentication solution to handle standard authentication requests.
Note:
The Oracle Identity Manager JAAS module must be deployed on your application server and must be the first invoked authenticator.To enable custom authentication on JBoss Application Server, you implement a custom authentication module class. Oracle Identity Manager will then delegate standard authentication requests to the custom authentication module.
To implement custom authentication for JBoss Application Server:
Open the OIM_HOME
\config\xlconfig.xml
file in a text editor and add the following element, replacing CustomLoginModule with the name of your custom login module class.
<login-module>
<thirdPartyLoginModule>CustomLoginModule</thirdPartyLoginModule>
</login-module>
(Optional) Specify configuration properties for the custom authentication module by first opening the JBOSS_HOME
\server\default\conf\login-config.xml
file in a text editor.
Note:
For a clustered installation, open theJBOSS_HOME
\server\all\conf\login-config.xml
file in a text editor.Then, add a module option within the <login-module>
element for the com.thortech.xl.security.jboss.UsernamePasswordLoginModule
package. Oracle Identity Manager will delegate the specified properties to the custom authentication module class. For example, the following rolesProperties
module option will be delegated to the custom authentication module class.
<application-policy name = "xellerate"> <authentication> <login-module code="com.thortech.xl.security.jboss.XLClientLoginModule" flag="required"> </login-module> <login-module code= "com.thortech.xl.security.jboss.UsernamePasswordLoginModule" flag = "required" > <module-option name = "unauthenticatedIdentity">Unknown</module-option> <module-option name = "data-source">java:/jdbc/xlDS</module-option> <module-option name = "rolesProperties">customRoleProperties</module-option> </login-module> </authentication> </application-policy>
Copy the custom authentication JAR file to the JBOSS_HOME
\server\default\lib
directory.
When you specify a custom authentication solution, you must also protect the Java Naming and Directory Interface (JNDI) namespace to ensure that only designated users have permission to view resources. The primary purpose of protecting the JNDI namespace is to protect Oracle Identity Manager from any malicious applications that might be installed in the same application server instance. Even if no other applications, malicious or otherwise, are installed in the same application server instance as Oracle Identity Manager, you must protect your JNDI namespace as a routine security measure.
To protect your JNDI namespace and configure Oracle Identity Manager to access it:
Open the OIM_HOME
\config\xlconfig.xml
file in a text editor and add the following elements to the <Discovery>
element:
<java.naming.security.principal> <java.naming.security.credentials>
Optionally, to encrypt the JNDI password, add an encrypted attribute that is assigned a value of true
to the <java.naming.security.credentials>
element, and assign the password as the element's value, as follows:
<java.naming.security.credentials
encrypted="true">password</java.naming.security.credentials>
Add the following elements to the <Scheduler>
element:
<CustomProperties> <org.quartz.dataSource.OracleDS.java.naming.security.principal>user </org.quartz.dataSource.OracleDS.java.naming.security.principal> <org.quartz.dataSource.OracleDS.java.naming.security.credentials>pwd </org.quartz.dataSource.OracleDS.java.naming.security.credentials></CustomProperties>
Organizations can have multiple provisioning systems that exchange information about the modification of user records. In addition, there can be applications that must interact with multiple provisioning systems. The SPML Web Service provides a layer over Oracle Identity Manager to interpret SPML requests and convert them to Oracle Identity Manager calls.
The SPML Web Service is packaged in a deployable Enterprise Archive (EAR) file. This file is generated when you install Oracle Identity Manager.
Because the EAR file is generated while you install Oracle Identity Manager, a separate batch file in the Oracle Identity Manager home directory runs the scripts that deploy the SPML Web Service on the application server on which Oracle Identity Manager is running. You must run the batch file to deploy the SPML Web Service.
For details about the SPML Web Service, see Chapter 12, "The SPML Web Service" in Oracle Identity Manager Tools Reference.