Oracle® Identity Manager Installation and Configuration Guide for Oracle WebLogic Server Release 9.1.0.1, Part Number E14047-04
This chapter explains how to install the Oracle Identity Manager Design Console, which is a Java client. You can install the Design Console on the same computer as Oracle Identity Manager or on a different computer.
This chapter discusses the following topics:
Verify that the following requirements are met for the Design Console installation:
You must have an Oracle Identity Manager server installed and running.
If you are installing on a computer other than the host for the application server, then you must know the host name and port number of the computer hosting that application server.
The Design Console host must be able to ping the application server host by using both IP address and host name.
For clustered Oracle Identity Manager server installations, you must know the host name and port number of the Web server.
Note:
If you cannot resolve the host name of the application server, then try adding the host name and IP address to the hosts file in the following directory: C:\winnt\system32\drivers\etc\
The following procedure describes how to install the Design Console.
Note:
All Oracle Identity Manager components must be installed in different home directories. If you are installing the Design Console on a computer that is hosting another Oracle Identity Manager component, such as Oracle Identity Manager or the Remote Manager, then you must specify a different installation directory for the Design Console.
To install the Design Console on a Microsoft Windows host:
Insert the Oracle Identity Manager Installation CD into your CD-ROM drive.
Using Microsoft Windows Explorer, navigate to the installServer directory on the installation CD.
Double-click the setup_client.exe file.
Specify a language from the list on the Installer page.
The Welcome page is displayed.
On the Welcome page, click Next.
On the target directory page, perform one of the following steps:
The default directory for the Design Console is C:\oracle. To install the Design Console into this directory, click Next.
To install the Design Console in another directory, specify the path of the directory in the Directory field, and then click Next.
Note:
If the directory path that you specified does not exist, then the Base Directory settings field is displayed. Click OK. This directory is automatically created. If you do not have write permission to create the default directory for Oracle Identity Manager, then a message is displayed informing you that the installer could not create the directory. Click OK to close the message, and then contact your system administrator to obtain the appropriate permissions.
On the Application Server page, select Oracle WebLogic, then click Next.
The Application Client Location page is displayed.
Specify an existing JRE. Then, click Next. The Application Server configuration page is displayed.
Note:
Select the JRE for the application server that is in use.
On the Application Server configuration page, enter the information appropriate for the application server hosting Oracle Identity Manager:
In the first field, enter the host name or IP address.
Note:
The host name is case-sensitive.
In the second field, enter the naming port for the application server on which Oracle Identity Manager is deployed.
Click Next.
On the Graphical Workflow Rendering Information page, enter the Application server configuration information. To do so:
Enter the Oracle Identity Manager server (host) IP address.
Enter the port number.
Select Yes or No to specify whether or not the Design Console must use Secure Sockets Layer (SSL).
Click Next.
On the Shortcut page, select or clear the check boxes for the shortcut options according to your preferences:
Select the option to create a shortcut to the Design Console on the Start Menu.
Select the option to create a shortcut to the Design Console on the desktop.
Click Next to move to the next page.
On the Summary page, click Install to initiate the Design Console installation.
Click Finish to complete the installation process.
Perform the following steps after installing the Design Console:
If you are pointing the Design Console to a clustered server installation, edit the OIM_DC_HOME\xlclient\Config\xlconfig.xml file to add the cluster members in the URL under the <Discovery> section, and point the Application URL for Workflow Visualization to the Web server to access the cluster. For example:
<ApplicationURL>http://webserver/xlWebApp/LoginWorkflowRenderer.do</ApplicationURL>
<Discovery>.<CoreServer>.<java.naming.provider.url>t3://192.168.50.31:7005,192.168.50.32:7005</java.naming.provider.url>
In the configuration XML file, change the multicast address to match that of Oracle Identity Manager:
a. Open the following file: OIM_HOME\xellerate\config\xlconfig.xml
b. Search for the <MultiCastAddress> element, and copy the value assigned to this element.
c. Open the following file: OIM_DC_HOME\xlclient\Config\xlconfig.xml
d. Search for the <Cache> element, and replace the value of the <MultiCastAddress> element inside it with the value that you copied in Step b.
To start the Design Console, double-click OIM_DC_HOME\xlclient\xlclient.cmd or select Design Console from the Microsoft Windows Start menu or desktop.
In the System Configuration form of the Design Console, you must set the XL.CompilerPath system property to include the path of the bin directory inside the JDK directory (JDK_HOME\bin) that is used by the application server on which Oracle Identity Manager is deployed. Then, restart Oracle Identity Manager.
See Also:
The "Rule Elements, Variables, Data Types, and System Properties" section in Oracle Identity Manager Reference
The following topics provide information required for enabling SSL communication between the Design Console and Oracle WebLogic Server:
The following are the prerequisites or assumptions for enabling SSL communication:
Oracle WebLogic Server is installed.
The WebLogic Domain directory is C:\bea\user_projects\domains\oim.
The Oracle WebLogic Server home (WL_HOME) directory is C:\bea\wlserver_10.3.
The identity store is support.jks and the password is support.
The certificate request is made for the xellerate.oracle.com host and for the Oracle Identity Management Group.
The self-signed certificate is named supportcert.pem.
The private key alias is support, and the password is weblogic.
The setEnv.cmd or setEnv.sh script is run to set up PATH, CLASSPATH, and other variables.
This section discusses the following topics:
Generate private/public certificate pairs by using the keytool command provided. The following command creates an identity keystore (support.jks). Change the parameter values passed to the keytool command according to your requirements. Ensure that there is no line break in the keytool argument.
keytool -genkey -alias support -keyalg RSA -keysize 1024 -dname "CN=xellerate.oracle.com, OU=Identity, O=Oracle Corporation, L=RedwoodShores, S=California, C=US" -keypass weblogic -keystore C:\bea\user_projects\domains\oim\support.jks -storepass support
Note:
Use the same host name that you would use in the xlconfig.xml file. For example, if you use https://xellerate.oracle.com:7002 and t3s://xellerate.oracle.com:7002 in the xlconfig.xml file, then the value of CN in the keytool command must be xellerate.oracle.com. Oracle recommends that you generate an SSL certificate by using the domain name (for example, xellerate.oracle.com) instead of the IP address.
Use the following command to sign the certificates that you created.
keytool -selfcert -alias support -sigalg MD5withRSA -validity 2000 -keypass weblogic -keystore C:\bea\user_projects\domains\oim\support.jks -storepass support
Note:
Oracle recommends that you use trusted certificate authorities, for example, VeriSign or Thawte, for signing the certificates.
Use the following command to export the certificate from the identity keystore to a file, for example, supportcert.pem:
keytool -export -alias support -file C:\bea\user_projects\domains\oim\supportcert.pem -keypass weblogic -keystore C:\bea\user_projects\domains\oim\support.jks -storepass support
Note:
The preceding steps must be run on the Oracle WebLogic Server host.
To configure the trust store:
Copy the supportcert.pem file to the following location on the Design Console: OIM_DC_HOME\java\lib\security.
Open a command prompt at OIM_DC_HOME\java\lib\security and run the following command:
cd OIM_DC_HOME\java\lib\security
keytool -import -alias support -trustcacerts -file supportcert.pem -keystore cacerts -storepass changeit
Note:
The preceding step must be run on the Design Console host.
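The following Python script is an added example and is not part of the Oracle guide or the product. It assembles the four keytool invocations of this section (generate, self-sign and export on the Oracle WebLogic Server host; import into the Design Console cacerts) from one settings dictionary, so that no value can be broken across lines, and it checks the rule from the Note above that the certificate CN equals the host named in the xlconfig.xml URLs. The xlconfig.xml fragment, its root element name and the settings values are constructed for the example. The two additional findings on MD5withRSA and the 1024-bit key size are a caveat beyond the guide: current JDK security policy (jdk.certpath.disabledAlgorithms) rejects MD5-signed certificates, and 2048-bit RSA is the usual minimum today.

```python
"""Added example (not from the Oracle guide): build the keytool commands of
this section from one settings dictionary and check the CN/host rule."""
import subprocess
from urllib.parse import urlsplit
from xml.etree import ElementTree as ET

# Constructed settings mirroring the guide's assumptions (alias "support",
# store password "support", key password "weblogic").
SETTINGS = {
    "alias": "support",
    "host": "xellerate.oracle.com",
    "dname_rest": "OU=Identity, O=Oracle Corporation, L=RedwoodShores, S=California, C=US",
    "keystore": r"C:\bea\user_projects\domains\oim\support.jks",
    "storepass": "support",
    "keypass": "weblogic",
    "cert_file": r"C:\bea\user_projects\domains\oim\supportcert.pem",
    "sigalg": "MD5withRSA",
    "keysize": 1024,
}

# Constructed Design Console xlconfig.xml fragment after the SSL edits.
# Element names follow the guide; the root element is assumed.
DC_XLCONFIG = """<xl-configuration>
  <ApplicationURL>https://xellerate.oracle.com:7002/xlWebApp/loginWorkflowRenderer.do</ApplicationURL>
  <Discovery><CoreServer>
    <java.naming.provider.url>t3s://xellerate.oracle.com:7002</java.naming.provider.url>
  </CoreServer></Discovery>
</xl-configuration>"""


def keytool_commands(s):
    """Return the four keytool invocations as argument lists. Keeping each
    value as one argv entry avoids the line-break problem the guide warns
    about, however long the dname gets."""
    dname = f"CN={s['host']}, {s['dname_rest']}"
    common = ["-alias", s["alias"], "-keypass", s["keypass"],
              "-keystore", s["keystore"], "-storepass", s["storepass"]]
    return {
        # Run on the WebLogic Server host:
        "genkey": ["keytool", "-genkey", "-keyalg", "RSA",
                   "-keysize", str(s["keysize"]), "-dname", dname] + common,
        "selfcert": ["keytool", "-selfcert", "-sigalg", s["sigalg"],
                     "-validity", "2000"] + common,
        "export": ["keytool", "-export", "-file", s["cert_file"]] + common,
        # Run on the Design Console host in OIM_DC_HOME\java\lib\security:
        "import": ["keytool", "-import", "-alias", s["alias"], "-trustcacerts",
                   "-file", "supportcert.pem", "-keystore", "cacerts",
                   "-storepass", "changeit"],
    }


def render(argv):
    """One command line with cmd.exe quoting (use shlex.join on POSIX)."""
    return subprocess.list2cmdline(argv)


def hosts_in_xlconfig(xml_text):
    """Host names used in ApplicationURL and java.naming.provider.url; the
    provider URL may be a comma-delimited cluster list whose scheme is
    written only once, before the first member."""
    root = ET.fromstring(xml_text)
    hosts = set()
    for tag in ("ApplicationURL", "java.naming.provider.url"):
        for el in root.iter(tag):
            parts = [p.strip() for p in el.text.split(",")]
            scheme = parts[0].split("://", 1)[0]
            for p in parts:
                if "://" not in p:
                    p = f"{scheme}://{p}"
                host = urlsplit(p).hostname
                if host:
                    hosts.add(host)
    return hosts


def check_certificate_settings(s, xml_text):
    """Return findings; an empty list means the settings follow the rules."""
    findings = []
    hosts = hosts_in_xlconfig(xml_text)
    if hosts != {s["host"]}:
        findings.append(f"CN {s['host']} is not the host used in xlconfig.xml: {sorted(hosts)}")
    if s["host"].replace(".", "").isdigit():
        findings.append("CN is an IP address; the guide recommends the domain name")
    # Caveats beyond the guide: current JDKs disable MD5 certificate
    # signatures (jdk.certpath.disabledAlgorithms), and 2048-bit RSA is
    # the usual minimum today.
    if s["sigalg"].upper().startswith("MD5"):
        findings.append("MD5withRSA is rejected by current JDKs; use SHA256withRSA")
    if s["keysize"] < 2048:
        findings.append("RSA key size below 2048 bits")
    return findings


if __name__ == "__main__":
    for name, argv in keytool_commands(SETTINGS).items():
        print(f"{name}: {render(argv)}")
    for finding in check_certificate_settings(SETTINGS, DC_XLCONFIG):
        print("finding:", finding)
```

Run it on the WebLogic host after editing SETTINGS; the printed lines are the exact commands from this section, and any finding printed should be resolved before the keystore is generated, since a CN that does not match the xlconfig.xml host causes the Design Console's SSL handshake to fail.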
Note:
For a clustered installation, repeat all of the steps for each of the participating nodes in the cluster. However, you do not generate keys or sign and export certificates if the other server in the cluster is located on the same host.
The following sections provide information related to the configuration changes required for a successful SSL connection.
Perform the following steps:
On the computer on which the Design Console is installed, go to OIM_DC_HOME\xlclient\Config\xlconfig.xml.
Modify the xlconfig.xml file to use the HTTPS and T3S protocols and the SSL port to connect to the server, as shown in the following element:
<ApplicationURL>https://xellerate.oracle.com:7002/xlWebApp/loginWorkflowRenderer.do</ApplicationURL>
For a clustered installation, you can send an HTTPS request to only one of the servers in the cluster, as shown in the following element:
<java.naming.provider.url>t3s://xellerate.oracle.com:7002</java.naming.provider.url>
Alternatively, you can point to the Web server SSL URL based on the Web server configuration. If you want to use the Web server URL, then repeat the steps in the "Configuring the Trust Store" section with the Web server certificate.
For a clustered installation, ensure that you add the participating nodes to the corresponding SSL port as comma-delimited values in the URL for java.naming.provider.url, as follows:
<java.naming.provider.url>t3s://node1:7002,node2:7002</java.naming.provider.url>
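The following Python script is an added example, not code from the Oracle guide or the product. It applies the Design Console xlconfig.xml edits described in the post-installation steps (cluster members in the provider URL under Discovery/CoreServer, the Workflow Visualization ApplicationURL, and copying MultiCastAddress from the server's xlconfig.xml) and the SSL variant in this section (t3s and https on the SSL port) in one function, and it refuses an ApplicationURL whose scheme disagrees with the SSL setting. Only the element names come from the guide; the root element name, the sample addresses and the file layout are assumed for the example.

```python
"""Added example (not from the Oracle guide): apply the Design Console
xlconfig.xml edits for a clustered Oracle Identity Manager server, with or
without SSL, and copy the multicast address from the server configuration."""
from urllib.parse import urlsplit
from xml.etree import ElementTree as ET

# Constructed fragment of the server-side OIM_HOME\xellerate\config\xlconfig.xml.
# Only the element names come from the guide; the root element and layout
# are assumed.
SERVER_XLCONFIG = """<xl-configuration>
  <Cache>
    <MultiCastAddress>231.122.0.1</MultiCastAddress>
  </Cache>
</xl-configuration>"""

# Constructed fragment of OIM_DC_HOME\xlclient\Config\xlconfig.xml as the
# installer leaves it: single node, default multicast address (assumed values).
DC_XLCONFIG = """<xl-configuration>
  <ApplicationURL>http://oimhost:7001/xlWebApp/LoginWorkflowRenderer.do</ApplicationURL>
  <Discovery>
    <CoreServer>
      <java.naming.provider.url>t3://oimhost:7001</java.naming.provider.url>
    </CoreServer>
  </Discovery>
  <Cache>
    <MultiCastAddress>231.121.0.1</MultiCastAddress>
  </Cache>
</xl-configuration>"""


def _find_one(root, tag):
    """Return the single element with this tag below root. iter() is used
    instead of find() because ElementTree path syntax cannot express dotted
    tag names such as java.naming.provider.url."""
    matches = list(root.iter(tag))
    if len(matches) != 1:
        raise ValueError(f"expected exactly one <{tag}>, found {len(matches)}")
    return matches[0]


def validate_app_url(app_url, ssl):
    """The Workflow Visualization URL must use https when SSL is enabled
    and http otherwise (both forms appear in the guide)."""
    return urlsplit(app_url).scheme == ("https" if ssl else "http")


def update_design_console_config(dc_xml, server_xml, members, ssl, app_url):
    """Return the updated Design Console xlconfig.xml text.

    members - cluster members as "host:port" strings
    ssl     - False for t3/http, True for t3s/https on the SSL port
    app_url - full ApplicationURL (the Web server for a cluster, or one node)
    """
    if not validate_app_url(app_url, ssl):
        raise ValueError("ApplicationURL scheme does not match the SSL setting")
    dc = ET.fromstring(dc_xml)
    server = ET.fromstring(server_xml)

    # Comma-delimited member list in one provider URL; the scheme prefixes
    # only the first member, as in the guide's examples.
    scheme = "t3s" if ssl else "t3"
    core = _find_one(_find_one(dc, "Discovery"), "CoreServer")
    _find_one(core, "java.naming.provider.url").text = f"{scheme}://" + ",".join(members)

    _find_one(dc, "ApplicationURL").text = app_url

    # Multicast address: copy the server's <Cache> value into the client's.
    server_mcast = _find_one(_find_one(server, "Cache"), "MultiCastAddress").text
    _find_one(_find_one(dc, "Cache"), "MultiCastAddress").text = server_mcast

    return ET.tostring(dc, encoding="unicode")


def read_values(xml_text):
    """Read back the three settings, for checking a written file."""
    root = ET.fromstring(xml_text)
    return {
        "provider": _find_one(root, "java.naming.provider.url").text,
        "app": _find_one(root, "ApplicationURL").text,
        "mcast": _find_one(_find_one(root, "Cache"), "MultiCastAddress").text,
    }


if __name__ == "__main__":
    updated = update_design_console_config(
        DC_XLCONFIG, SERVER_XLCONFIG,
        ["192.168.50.31:7005", "192.168.50.32:7005"], False,
        "http://webserver/xlWebApp/LoginWorkflowRenderer.do")
    print(updated)
```

To use it on a real installation, read the two files into the string arguments and write the returned text back to OIM_DC_HOME\xlclient\Config\xlconfig.xml; ElementTree rewrites the file without comments or the XML declaration, so keep a copy of the original for comparison.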
Perform the following steps:
In the WebLogic Server Administration Console, click Environment, Servers, Server_Name, Configuration, and then General.
Click Lock & Edit.
Select SSL listen port enabled. The default port is 7002.
Click the Keystores tab.
From the Keystore list, select Custom Identity and Java Standard Trust.
In the Custom Identity Keystore field, specify C:\bea\user_projects\domains\oim\support.jks as the custom identity keystore file name.
Specify JKS as the custom identity keystore type.
Enter the password in the Custom Identity Keystore Passphrase and Confirm Custom Identity Keystore Passphrase fields.
Click Save.
Click the SSL tab.
Enter support as the private key alias.
Enter the password (for example, support) in the Private Key Passphrase and Confirm Private Key Passphrase fields.
Click Save.
Click Activate changes.
Restart the server for the changes to take effect.
Note:
For a clustered installation, repeat all the steps for each of the participating nodes in the cluster, and then restart the cluster.
To copy the Oracle WebLogic Server license:
Copy license.bea from WL_HOME on the computer on which Oracle WebLogic Server is installed to OIM_DC_HOME on the computer on which the Design Console is installed.
Open the OIM_DC_HOME/classpath.bat file and add OIM_DC_HOME to the classpath at the end of the file.
Copy webserviceclient+ssl.jar, wlcipher.jar, and jsafeFIPS.jar from WL_HOME\server\lib to OIM_DC_HOME\ext.
Add webserviceclient+ssl.jar, wlcipher.jar, and jsafeFIPS.jar to the classpath in the classpath.bat file.