Oracle® Identity Manager Installation and Configuration Guide for Oracle Application Server
Release 9.1.0.1

Part Number E14062-01

7 Postinstallation Configuration for Oracle Identity Manager and Oracle Application Server

After installing Oracle Identity Manager, you must complete some postinstallation tasks before using the application. Depending on the deployment, you might choose not to perform some of these tasks.

This chapter discusses the following topics:

Note:

The examples in this chapter are Windows-based, however the postinstallation tasks apply to UNIX as well.

7.1 Default JMS Queue Configuration

In releases earlier than 9.1.0, Oracle Identity Manager uses a single JMS queue (named xlQueue) for all asynchronous operations, including requests, reconciliation, attestation, and offline tasks. From release 9.1.0 onward, by default, Oracle Identity Manager uses separate JMS queues for specific operations to optimize JMS queue processing. The following list shows the JMS queues in the default configuration and indicates the operation related to each queue:

7.2 Required Postinstallation Tasks

After you install Oracle Identity Manager on Oracle Application Server, you must perform the following tasks:

7.2.1 Changing Keystore Passwords

During installation, the passwords for the Oracle Identity Manager keystores are set to xellerate. The Installer scripts and installation log contain this default password. It is strongly recommended that you change the keystore passwords for all production installations.

To change the keystore passwords, you must change the storepass of .xlkeystore and the keypass of the xell entry in .xlkeystore, and these two values must be identical. Use the keytool utility and the following steps to change the keystore passwords:

  1. Open a command prompt on the Oracle Identity Manager host computer.

  2. Navigate to the OIM_HOME\xellerate\config directory.

  3. Open the OIM_HOME\xellerate\config\xlconfig.xml file in a text editor and verify the four URL entries starting with ormi under the tag <Discovery><CoreServer>. All of these entries must specify the correct RMI port.

    The RMI port for the Oracle Application Server instance that is being used can be determined by running the following command:

    ORACLE_HOME/opmn/bin/opmnctl status -l
    
  4. Run the keytool with the following options to change the storepass:

    JAVA_HOME\jre\bin\keytool -storepasswd -new new_password -storepass xellerate -keystore .xlkeystore -storetype JKS
    
  5. Run the keytool with the following options to change the keypass of the xell entry in .xlkeystore:

    JAVA_HOME\jre\bin\keytool -keypasswd -alias xell -keypass xellerate -new new_password -keystore .xlkeystore -storepass new_password
    

    Note:

    Replace new_password with the same password entered in step 3.

    Table 7-1 lists the options used in the preceding example of keytool usage.

    Table 7-1 Command Options for the keytool Utility

    Option              Description
    JAVA_HOME           Location of the Java directory associated with the application server
    new_password        New password for the keystore
    -keystore option    Keystore whose password you are changing (.xlkeystore for Oracle Identity Manager or .xldatabasekey for the database)
    -storetype option   JKS for .xlkeystore and JCEKS for .xldatabasekey


  6. In the OIM_HOME\xellerate\config\xlconfig.xml file, edit the <xl-configuration>.<Security>.<XLPKIProvider>.<KeyStore> section, <xl-configuration>.<Security>.<XLPKIProvider>.<Keys> section, and <RMSecurity>.<KeyStore> section to specify the keystore password as follows:

    Note:

    Change the <XLSymmetricProvider>.<KeyStore> section of the configuration file to update the password for the database keystore (.xldatabasekey).

    • Set the encrypted attribute of each Password tag to "false".

    • Enter the password (in the clear), for example:

      <Security>
        <XLPKIProvider>
          <KeyStore>
            <Location>.xlkeystore</Location>
            <Password encrypted="false">new_password</Password>
            <Type>JKS</Type>
            <Provider>sun.security.provider.Sun</Provider>
          </KeyStore>
          <Keys>
            <PrivateKey>
              <Alias>xell</Alias>
              <Password encrypted="false">new_password</Password>
            </PrivateKey>
          </Keys>
        </XLPKIProvider>
        <RMSecurity>
          <KeyStore>
            <Location>.xlkeystore</Location>
            <Password encrypted="false">new_password</Password>
            <Type>JKS</Type>
            <Provider>sun.security.provider.Sun</Provider>
          </KeyStore>
        </RMSecurity>
      </Security>
      
  7. Save and close the xlconfig.xml file.

  8. Restart the application server. To do so, run the following commands:

    To stop Oracle Application Server:

    ORACLE_HOME/opmn/bin/opmnctl stopall
    

    To start Oracle Application Server:

    ORACLE_HOME/opmn/bin/opmnctl startall
    

    When you stop and start the application server, a backup of the configuration file is created. The configuration file (with the new password) is read in, and the password is encrypted in the file.

  9. If all of the preceding steps have succeeded, you can delete the backup file.

    Note:

    On UNIX, you might also want to clear the shell's command history by using the following command:

    history -c
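
The xlconfig.xml edit from step 6, as an added example that is not part of Oracle's documentation or tooling: it rewrites the three Password elements in the clear and lets you confirm that the storepass and keypass entries were given the same value. The sample document is constructed; the element paths are the ones named in step 6.

```python
"""Rewrite the .xlkeystore password entries in xlconfig.xml (step 6).
Added example, not Oracle's tooling; it assumes the element layout shown
in this chapter under the <xl-configuration> root."""
import xml.etree.ElementTree as ET

# The three <Password> elements that must all carry the same value: the
# storepass of .xlkeystore and the keypass of the xell entry are required
# to be identical, and RMSecurity reads the same keystore.
XLKEYSTORE_PASSWORD_PATHS = (
    "Security/XLPKIProvider/KeyStore/Password",
    "Security/XLPKIProvider/Keys/PrivateKey/Password",
    "Security/RMSecurity/KeyStore/Password",
)

# Constructed sample of the relevant part of xlconfig.xml; the values are
# placeholders for what the server wrote back after encrypting them.
SAMPLE_XLCONFIG = """<xl-configuration>
  <Security>
    <XLPKIProvider>
      <KeyStore>
        <Location>.xlkeystore</Location>
        <Password encrypted="true">ENCRYPTED_PLACEHOLDER</Password>
      </KeyStore>
      <Keys>
        <PrivateKey>
          <Alias>xell</Alias>
          <Password encrypted="true">ENCRYPTED_PLACEHOLDER</Password>
        </PrivateKey>
      </Keys>
    </XLPKIProvider>
    <RMSecurity>
      <KeyStore>
        <Location>.xlkeystore</Location>
        <Password encrypted="true">ENCRYPTED_PLACEHOLDER</Password>
      </KeyStore>
    </RMSecurity>
  </Security>
</xl-configuration>"""


def set_xlkeystore_password(xml_text, new_password):
    """Return xml_text with all three passwords written in the clear.
    encrypted="false" makes the server read the value as plain text; it
    re-encrypts the entry on the next restart (step 8)."""
    root = ET.fromstring(xml_text)
    for path in XLKEYSTORE_PASSWORD_PATHS:
        elem = root.find(path)
        if elem is None:  # refuse a partial edit: all three must change
            raise ValueError("xlconfig.xml lacks " + path)
        elem.set("encrypted", "false")
        elem.text = new_password
    return ET.tostring(root, encoding="unicode")


def xlkeystore_passwords(xml_text):
    """(encrypted attribute, value) for the three entries, so a caller can
    confirm that storepass and keypass were given the same value."""
    root = ET.fromstring(xml_text)
    return [(root.find(p).get("encrypted"), root.find(p).text)
            for p in XLKEYSTORE_PASSWORD_PATHS]
```

Write the returned string back to xlconfig.xml only after the keytool commands in steps 4 and 5 have succeeded with the same new_password.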

7.2.2 Setting the Path of the jgroups-core.jar File in the PurgeCache Script

To set the path of the jgroups-core.jar file in the PurgeCache script:

See Also:

Oracle Identity Manager Globalization Guide for information about the PurgeCache script

  1. Search for the jgroups-core.jar file in the Oracle Application Server installation directory.

  2. Open the PurgeCache file in a text editor.

    For UNIX:

    OIM_HOME/xellerate/bin/PurgeCache.sh
    

    For Microsoft Windows:

    OIM_HOME\xellerate\bin\PurgeCache.bat
    
  3. Search for the CLASSPATH variable in the PurgeCache file.

  4. In the value assigned to the CLASSPATH variable, add the full path and name of the jgroups-core.jar file before %XEL_EXT%\javagroups-all.jar.

7.2.3 Setting Up Database-Based Storage of JMS Queues

The Oracle Identity Manager Installer creates JMS queues for file-based storage of JMS messages. This is the default storage mechanism for JMS queues in Oracle Identity Manager. However, for production environments and clustered installations, it is strongly recommended that you set up database-based storage of JMS queues by performing the procedure described in this section.

Note:

  • Refer to Chapter 4, "Using Oracle Enterprise Messaging Service" in Oracle Containers for J2EE Services Guide for information about working with Oracle Enterprise Messaging Service JMS using Advanced Queuing (AQ).

  • Create a backup of the Oracle Application Server configuration before setting up database-based storage of JMS queues. For more information, see "Creating a Backup of the Oracle Application Server Configuration".

  • Oracle recommends that you stop all scheduled tasks by using the Administrative and User Console. Otherwise, you may see AuthenticationException in the server logs between implementing the AQ instructions and restarting the servers. This exception has no impact on the functioning of Oracle Identity Manager and can be ignored.

  • If you are using the AIX operating system, then you must manually undeploy the Xellerate application by using Oracle Application Server Administrative Console before you run the patch_oc4j.cmd or patch_oc4j.sh script.

To set up database-based storage of JMS queues, refer to Note 554624.1 in the following URL:

http://metalink.oracle.com

7.2.4 Setting the Compiler Path for Adapter Compilation

To compile adapters or import Deployment Manager XML files that have adapters, you must set the compiler path. To set the compiler path for adapter compilation, you must first install the Design Console. Refer to Chapter 10, "Installing and Configuring the Oracle Identity Manager Design Console" for instructions on installing the Design Console and then setting the compiler path for adapter compilation.

7.2.5 Tuning JDBC Connection Pools

To tune the JDBC connection pools used by Oracle Identity Manager, open the ORACLE_HOME/j2ee/INSTANCE_NAME/config/data-sources.xml file and make the following changes:

Note:

It is strongly recommended that you implement the suggested tuning for the JDBC connection pools used by Oracle Identity Manager. These values can be tuned further based on application usage.

  1. For xlConnectionPool, the minimum and maximum connection pool values should be set as follows:

    min-connections="10"
    max-connections="50"
    
  2. For xlXAConnectionPool, the minimum and maximum connection pool values should be set as follows:

    min-connections="30"
    max-connections="100"
    
  3. Increase the Oracle Application Server heap size as outlined in the "Increasing the Oracle Application Server Heap Size" section and then restart the Oracle Application Server for the changes to take effect.

    To restart Oracle Application Server, run the following commands:

    To stop Oracle Application Server:

    ORACLE_HOME/opmn/bin/opmnctl stopall
    

    To start Oracle Application Server:

    ORACLE_HOME/opmn/bin/opmnctl startall
    

    Note:

    For a clustered installation of Oracle Identity Manager on Oracle Application Server, the changes described in steps 1 through 3 can be implemented on all of the Oracle Application Server instances. Also make sure that the database supports the increased number of connections.

7.2.6 Increasing the Oracle Application Server Heap Size

After installing Oracle Identity Manager on Oracle Application Server, you must change the JVM memory settings for production environments, or for non-production environments in which you process large volumes of data.

Perform the following steps to increase the Oracle Application Server heap size:

  1. Open the ORACLE_HOME\opmn\conf\opmn.xml file in a text editor.

  2. Change the memory setting for the OC4J instance where Oracle Identity Manager is installed from:

    -ms512M -mx1024M

    To:

    -ms1280m -mx1280m

  3. Save and close the ORACLE_HOME\opmn\conf\opmn.xml file.

  4. Restart Oracle Application Server. To do so, run the following commands:

    To stop Oracle Application Server:

    ORACLE_HOME/opmn/bin/opmnctl stopall
    

    To start Oracle Application Server:

    ORACLE_HOME/opmn/bin/opmnctl startall
    

7.3 Optional Postinstallation Tasks

After installing Oracle Identity Manager, consider performing the following optional postinstallation tasks documented in this section before using the application. Depending on the Oracle Identity Manager deployment, you may choose not to perform some of these tasks.

7.3.1 Setting Log Levels

Oracle Identity Manager uses log4j for logging. Logging levels are configured in the logging properties file, OIM_HOME/xellerate/config/log.properties. By default, the log level is set to Warning, except for DDM, for which the log level is set to Debug by default. You can change the log level universally for all components or for an individual component.

Oracle Identity Manager components are listed in the OIM_HOME\xellerate\config\log.properties file in the XELLERATE section, for example:

log4j.logger.XELLERATE=WARN
log4j.logger.XELLERATE.DDM=DEBUG
log4j.logger.XELLERATE.ACCOUNTMANAGEMENT=DEBUG
log4j.logger.XELLERATE.SERVER=DEBUG
log4j.logger.XELLERATE.RESOURCEMANAGEMENT=DEBUG
log4j.logger.XELLERATE.REQUESTS=DEBUG
log4j.logger.XELLERATE.WORKFLOW=DEBUG
log4j.logger.XELLERATE.WEBAPP=DEBUG
log4j.logger.XELLERATE.SCHEDULER=DEBUG
log4j.logger.XELLERATE.SCHEDULER.Task=DEBUG
log4j.logger.XELLERATE.ADAPTERS=DEBUG
log4j.logger.XELLERATE.JAVACLIENT=DEBUG
log4j.logger.XELLERATE.POLICIES=DEBUG
log4j.logger.XELLERATE.RULES=DEBUG
log4j.logger.XELLERATE.DATABASE=DEBUG
log4j.logger.XELLERATE.APIS=DEBUG
log4j.logger.XELLERATE.OBJECTMANAGEMENT=DEBUG
log4j.logger.XELLERATE.JMS=DEBUG
log4j.logger.XELLERATE.REMOTEMANAGER=DEBUG
log4j.logger.XELLERATE.CACHEMANAGEMENT=DEBUG
log4j.logger.XELLERATE.ATTESTATION=DEBUG
log4j.logger.XELLERATE.AUDITOR=DEBUG

To set Oracle Identity Manager log levels, edit the logging properties in the OIM_HOME\xellerate\config\log.properties file as follows:

  1. Open the OIM_HOME\xellerate\config\log.properties file in a text editor. This file contains a general setting for Oracle Identity Manager and specific settings for the components and modules that comprise Oracle Identity Manager.

    By default, the log level in Oracle Identity Manager is set to Warning:

    log4j.logger.XELLERATE=WARN

    This is the general value for Oracle Identity Manager. Individual components and modules are listed following the general value in the properties file. You can set individual components and modules to different log levels. The log level for a specific component overrides the general setting.

  2. Set the general value to the desired log level. The following is a list of the supported log levels, appearing in descending order of information logged (DEBUG logs the most information and FATAL logs the least information):

    • DEBUG

    • INFO

    • WARN

    • ERROR

    • FATAL

  3. Set other component log levels as desired. Individual components or modules can have different log levels. For example, the following values set the log level for the Account Management module to INFO, while the server is at DEBUG and the rest of Oracle Identity Manager is at the WARN level.

    log4j.logger.XELLERATE=WARN
    log4j.logger.XELLERATE.ACCOUNTMANAGEMENT=INFO
    log4j.logger.XELLERATE.SERVER=DEBUG

  4. Save your changes.

  5. Restart your application server for the changes to take effect. To do so, run the following commands:

    To stop Oracle Application Server:

    ORACLE_HOME/opmn/bin/opmnctl stopall
    

    To start Oracle Application Server:

    ORACLE_HOME/opmn/bin/opmnctl startall
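
The override rule from steps 1 through 3 (a component's own line wins over the general XELLERATE value, and a component without its own line inherits from its nearest configured ancestor, which is how log4j resolves its logger hierarchy), as an added example that is not Oracle's code: it parses the log4j.logger lines of a constructed log.properties sample and reports the effective level of any component and whether a message at a given level would be logged.

```python
"""Resolve the effective log4j level of an Oracle Identity Manager
component from log.properties (added example, not Oracle's code).
It assumes only the log4j.logger.<name>=<LEVEL> line format shown in
this chapter and walks up the dotted logger hierarchy, which is how
log4j inherits a level from the nearest configured parent logger."""

LEVELS = ("DEBUG", "INFO", "WARN", "ERROR", "FATAL")  # most to least verbose

# Constructed sample mirroring the step 3 example from this chapter.
SAMPLE_LOG_PROPERTIES = """
log4j.logger.XELLERATE=WARN
log4j.logger.XELLERATE.ACCOUNTMANAGEMENT=INFO
log4j.logger.XELLERATE.SERVER=DEBUG
"""


def parse_logger_levels(text):
    """Map logger name -> level for every log4j.logger.* line."""
    levels = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if not key.startswith("log4j.logger."):
            continue  # rootLogger, appender and layout lines are not loggers
        level = value.split(",")[0].strip().upper()  # tolerate "LEVEL, appender"
        if level not in LEVELS:
            raise ValueError("unsupported level %r for %s" % (value, key))
        levels[key[len("log4j.logger."):]] = level
    return levels


def effective_level(levels, logger):
    """Nearest configured ancestor wins; the general XELLERATE value is
    the fallback for any XELLERATE.* component without its own line."""
    name = logger
    while name:
        if name in levels:
            return levels[name]
        name = name.rpartition(".")[0]  # drop the last dotted segment
    raise KeyError("no level configured for %s or its ancestors" % logger)


def would_log(levels, logger, message_level):
    """True if a message at message_level is emitted by logger."""
    return LEVELS.index(message_level) >= LEVELS.index(effective_level(levels, logger))
```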
    

7.3.2 Enabling Single Sign-On (SSO) for Oracle Identity Manager

The following procedure describes how to enable Single Sign-On for Oracle Identity Manager with ASCII character logins. To enable Single Sign-On with non-ASCII character logins, use the same procedure, but include the additional configuration setting described in Step 4.

See Also:

Oracle Identity Manager Best Practices Guide for additional information about configuring Single Sign-On for Oracle Identity Manager with Oracle Access Manager.

Note:

Only header names consisting solely of alphabetic characters are certified. Oracle recommends that you do not use special characters or numeric characters in header names.

To enable Single Sign-On for Oracle Identity Manager:

  1. Stop the application server gracefully.

  2. Open OIM_HOME/xellerate/config/xlconfig.xml in a text editor.

  3. Locate the following Single Sign-On configuration (the following are the default settings without Single Sign-On):

    <web-client>
    <Authentication>Default</Authentication>
    <AuthHeader>REMOTE_USER</AuthHeader>
    </web-client>
    
  4. Edit the Single Sign-On configuration to the following and replace SSO_HEADER_NAME with the appropriate header configured in your Single Sign-On system:

    <web-client>
    <Authentication>SSO</Authentication>
    <AuthHeader>SSO_HEADER_NAME</AuthHeader>
    </web-client>
    

    To enable Single Sign-On with non-ASCII character logins, you must include a decoding class name to decode the non-ASCII header value. Add the decoding class name and edit the Single Sign-On configuration as follows:

    <web-client>
    <Authentication>SSO</Authentication>
    <AuthHeader>SSO_HEADER_NAME</AuthHeader>
    <AuthHeaderDecoder>com.thortech.xl.security.auth.CoreIDSSOAuthHeaderDecoder</AuthHeaderDecoder>
    </web-client>
    

    Replace SSO_HEADER_NAME with the appropriate header configured in your Single Sign-On system.

  5. Change your application server and web server configuration to enable Single Sign-On by referring to your application and Web server vendor documentation.

  6. Restart the application server. To do so, run the following commands:

    To stop Oracle Application Server:

    ORACLE_HOME/opmn/bin/opmnctl stopall
    

    To start Oracle Application Server:

    ORACLE_HOME/opmn/bin/opmnctl startall
    

7.3.3 Deploying the SPML Web Service

Organizations can have multiple provisioning systems that exchange information about the modification of user records. In addition, there can be applications that interact with multiple provisioning systems. The SPML Web Service provides a layer over Oracle Identity Manager to interpret SPML requests and convert them to Oracle Identity Manager calls.

The SPML Web Service is packaged in a deployable Enterprise Archive (EAR) file. This file is generated when you install Oracle Identity Manager.

Because the EAR file is generated while you install Oracle Identity Manager, a separate batch file in the Oracle Identity Manager home directory runs the scripts that deploy the SPML Web Service on the application server on which Oracle Identity Manager is running. You must run the batch file to deploy the SPML Web Service.

For details about the SPML Web Service, see Chapter 12, "The SPML Web Service" in Oracle Identity Manager Tools Reference.

7.3.4 Changing Transaction Timeout

The default transaction timeout for import and export operations is 600 seconds. This timeout overrides the default global transaction timeout of 1200 seconds. To increase or modify the transaction timeout for export and import operations:

  1. Increase HTTP timeout. To do so:

    1. Go to the ORACLE_HOME/Apache/Apache/conf directory.

    2. Open the httpd.conf file in a text editor.

    3. Search for "Timeout".

    4. Modify the value of the Timeout property.

    5. Save and close the httpd.conf file.

  2. Increase Global Transaction Timeout. To do so:

    1. Open the OIM_HOME/j2ee/ORACLE_HOME/config/transaction-manager.xml file.

    2. Search for the transaction-timeout property and increase the value.

  3. Increase Import/Export Transaction Timeout. To do so:

    1. Go to the OIM_HOME/xellerate/DDTemplates/DO directory.

    2. Open the orion-ejb-jar.xml file.

    3. In the orion-ejb-jar.xml file, search for transaction-timeout. You will find transaction-timeout in two places in the file, one for import and another for export.

    4. Modify the value of the transaction-timeout.

    5. Go to the OIM_HOME/xellerate/setup directory.

    6. Restart Oracle Application Server. To do so, run the following commands:

      To stop Oracle Application Server:

      ORACLE_HOME/opmn/bin/opmnctl stopall
      

      To start Oracle Application Server:

      ORACLE_HOME/opmn/bin/opmnctl startall
      
    7. Based on the operating system on which Oracle Identity Manager is installed, run patch_oc4j.sh or patch_oc4j.cmd.

      Note:

      • For a clustered installation of Oracle Identity Manager, the steps to increase or modify transaction timeout for export and import operations must be repeated for all the Oracle Application Server instances.

      • If the HTTP server timeout is lower than the value you set for Oracle Identity Manager, then you might need to increase the HTTP server timeout value. The timeout value of the HTTP Server must be higher than the timeout value of Oracle Identity Manager.