18 Integrating Components

18.1 Migrating Policy and Credential Stores

By default, policy store information is stored in a mixture of places, including the embedded LDAP directory and the file system. It is recommended that the policy store be placed into the external LDAP directory, so that:

  • It is maintained in a central location

  • It is included in the corporate centralized backup regime.

You begin policy and credential store migration by creating the JPS root and then you reassociate the policy and credential store with Oracle Internet Directory.

18.1.1 JPS Root Creation

On OIDHOSTn, create the jpsroot in Oracle Internet Directory with the ldapadd command-line utility, as shown in these steps:

  1. Create an ldif file similar to this:

    dn: cn=jpsPolicy_edg
    cn: jpsPolicy_edg
    objectclass: top
    objectclass: orclcontainer
    
  2. Use ORACLE_HOME/bin/ldapadd to add these entries to Oracle Internet Directory. For example:

    ORACLE_HOME/bin/ldapadd -h oid.mycompany.com -p 389 -D cn="orcladmin" -w welcome1 -c -v -f jps_root.ldif
    

18.1.2 Reassociating the Policy and Credential Store

To reassociate the policy and credential store with Oracle Internet Directory, use the WLST reassociateSecurityStore command. Follow these steps:

  1. From IDMHOST1, start the wlst shell from the ORACLE_COMMON_HOME/common/bin directory. For example:

    ./wlst.sh
    
  2. Connect to the WebLogic Administration Server using the wlst connect command shown below.

    connect('AdminUser','AdminUserPassword','t3://hostname:port')
    

    For example:

    connect("weblogic","welcome1","t3://idmhost-vip.mycompany.com:7001")
    
  3. Run the reassociateSecurityStore command as shown below:

    Syntax:

    reassociateSecurityStore(domain="domainName",admin="cn=orcladmin",
    password="orclPassword",ldapurl="ldap://LDAPHOST:LDAPPORT",servertype="OID",
    jpsroot="cn=jpsRootContainer")
    

    For example:

    wls:/IDMDomain/serverConfig> reassociateSecurityStore(domain="IDMDomain",
    admin="cn=orcladmin",password="password",
    ldapurl="ldap://oid.mycompany.com:389",servertype="OID",
    jpsroot="cn=jpsPolicy_edg")
    

    The output for the command is shown below:

    {servertype=OID, jpsroot=cn=jpsroot_idm, admin=cn=orcladmin,
    domain=IDMDomain, ldapurl=ldap://oid.mycompany.com:389, password=password}
    Location changed to domainRuntime tree. This is a read-only tree with
    DomainMBean as the root.
    For more help, use help(domainRuntime)
    
    Starting Policy Store reassociation.
    LDAP server and  ServiceConfigurator setup done.
    
    Schema is seeded into LDAP server
    Data is migrated to LDAP server
    Service in LDAP server after migration has been tested to be available
    Update of jps configuration is done
    Policy Store reassociation done.
    Starting credential Store reassociation
    LDAP server and  ServiceConfigurator setup done.
    Schema is seeded into LDAP server
    Data is migrated to LDAP server
    Service in LDAP server after migration has been tested to be available
    Update of jps configuration is done
    Credential Store reassociation done
    Jps Configuration has been changed. Please restart the server.
    
  4. Restart the Administration Server, as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components," after the command completes successfully.

18.2 Installing and Configuring WebGate

This section describes how to install and configure WebGate. This task is not necessary for OIM11g/OAM10g integration.

18.2.1 Prerequisites

Ensure that the following tasks have been performed before installing the Oracle Web Gate:

  1. Install and configure the Oracle Web Tier as described in Chapter 5.

  2. On Linux systems, make the special versions of the gcc libraries available, as described in Chapter 18.

18.2.1.1 Making Special gcc Libraries Available

Oracle Web Gate requires special versions of the gcc libraries to be installed (Linux only). These library files must exist somewhere on the Linux system; the Web Gate installer asks for their location at install time. Download the libraries from http://gcc.gnu.org, as described in "Installing Third-Party GCC Libraries (Linux and Solaris Operating Systems Only)" in Oracle Fusion Middleware Installation Guide for Oracle Identity Management.

18.2.2 Creating WebGate Agents

Before installing WebGate into the web tier, a WebGate agent needs to be defined. This is achieved using either the remote registration utility, which is available on both IDMHOST1 and IDMHOST2, or the Oracle Access Manager Console. Follow one of the procedures below to create the Web Gate agent.

18.2.2.1 Using the Remote Registration Utility

Use the remote registration utility as follows.

Creating an Agent Configuration File

The oamreg.sh script creates an agent configuration using the contents of a configuration file called OAMRequest.xml. You can find the template for this file in the directory IAM_ORACLE_HOME/oam/server/rreg/input.

Create a copy of this file on IDMHOST1, called sso.xml.

In the file supply details for the following attributes:

  • serverAddress: URL of WebLogic Administration Server.

  • hostIdentifier: IDMDomain

  • agentBaseUrl: https://sso.mycompany.com:443

  • agentName: Name used to identify the WebGate agent. Good practice is to use a name similar to Webgate_mysso.

  • autoCreatePolicy: False

  • primaryCookieDomain: Domain your servers reside in, for example: .mycompany.com

  • logOutUrls: /oamsso/logout.html

  • security: open

Here is a sample file:

<?xml version="1.0"?>
<!-- Copyright (c) 2009, 2010, Oracle and/or its affiliates. All rights reserved.

   NAME: OAMRequest.xml - Template (with all options) for OAM Agent Registration Request file
   DESCRIPTION: Modify with specific values and pass file as input to the tool
--><OAMRegRequest>

    <serverAddress>http://ADMINHOSTVHN.mycompany.com:7001</serverAddress>
    <hostIdentifier>Webgate_mysso</hostIdentifier>
    <agentName>Webgate_mysso</agentName>
    <autoCreatePolicy>false</autoCreatePolicy>
    <primaryCookieDomain>.mycompany.com</primaryCookieDomain>
    <agentBaseUrl>https://sso.mycompany.com:443</agentBaseUrl>
    <maxCacheElems>100000</maxCacheElems>
    <cacheTimeout>1800</cacheTimeout>
    <cookieSessionTime>3600</cookieSessionTime>
    <maxConnections>1</maxConnections>
    <maxSessionTime>24</maxSessionTime>
    <idleSessionTimeout>3600</idleSessionTimeout>
    <failoverThreshold>1</failoverThreshold>
    <aaaTimeoutThreshold>-1</aaaTimeoutThreshold>
    <sleepFor>60</sleepFor>
    <debug>false</debug>
    <security>open</security>
    <denyOnNotProtected>0</denyOnNotProtected>
    <cachePragmaHeader>no-cache</cachePragmaHeader>
    <cacheControlHeader>no-cache</cacheControlHeader>
    <ipValidation>0</ipValidation>
    <logOutUrls>
        <url>/oamsso/logout.html</url>
    </logOutUrls>
    <protectedResourcesList>
        <resource>/sso.html</resource>
    </protectedResourcesList>
    <publicResourcesList>
        <resource>/public/index.html</resource>
    </publicResourcesList>
    <userDefinedParameters>
        <userDefinedParam>
                <name>MaxPostDataLength</name>
                <value>750000</value>
        </userDefinedParam>
        ...
  </userDefinedParameters>
</OAMRegRequest>
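As an added example (not part of the guide), the following Python script lints a registration request like the one above before it is handed to oamreg.sh: it checks that the attributes this section asks for are present, that primaryCookieDomain carries the leading dot, and reports the settings (security=open, denyOnNotProtected=0, ipValidation=0) whose security effect a reviewer should be aware of. The request embedded in it is a constructed sample.

```python
"""Lint an OAM 10g WebGate registration request (OAMRequest.xml style).

Added example, not from the guide: checks the attributes the section asks you
to supply and flags the settings a reviewer would want to look at before the
agent is registered. SAMPLE_REQUEST is constructed for this example.
"""
import xml.etree.ElementTree as ET

# Constructed sample carrying the values the section tells you to supply.
SAMPLE_REQUEST = """<?xml version="1.0"?>
<OAMRegRequest>
    <serverAddress>http://ADMINHOSTVHN.mycompany.com:7001</serverAddress>
    <hostIdentifier>IDMDomain</hostIdentifier>
    <agentName>Webgate_mysso</agentName>
    <autoCreatePolicy>false</autoCreatePolicy>
    <primaryCookieDomain>.mycompany.com</primaryCookieDomain>
    <agentBaseUrl>https://sso.mycompany.com:443</agentBaseUrl>
    <security>open</security>
    <denyOnNotProtected>0</denyOnNotProtected>
    <ipValidation>0</ipValidation>
    <logOutUrls>
        <url>/oamsso/logout.html</url>
    </logOutUrls>
</OAMRegRequest>
"""

# Elements the section lists as the ones you must fill in.
REQUIRED = ("serverAddress", "hostIdentifier", "agentName", "agentBaseUrl",
            "primaryCookieDomain", "security", "autoCreatePolicy")


def lint_agent_request(xml_text):
    """Return a list of (severity, message) findings for a registration request."""
    root = ET.fromstring(xml_text)
    if root.tag != "OAMRegRequest":
        return [("error", "root element must be OAMRegRequest, got %s" % root.tag)]
    findings = []

    def text(tag):
        node = root.find(tag)
        return node.text.strip() if node is not None and node.text else None

    for tag in REQUIRED:
        if text(tag) is None:
            findings.append(("error", "missing required element <%s>" % tag))

    domain = text("primaryCookieDomain")
    if domain is not None and not domain.startswith("."):
        # Without the leading dot the SSO cookie is scoped to a single host.
        findings.append(("error", "primaryCookieDomain must start with '.': %s" % domain))

    base = text("agentBaseUrl")
    if base is not None and not base.startswith("https://"):
        findings.append(("warning", "agentBaseUrl is not https: %s" % base))

    if (text("autoCreatePolicy") or "false").lower() != "false":
        findings.append(("warning", "autoCreatePolicy should be false; policies are created separately"))

    security = text("security")
    if security == "open":
        # Open mode: WebGate to Access Server traffic is neither encrypted nor mutually authenticated.
        findings.append(("info", "security=open: WebGate/Access Server traffic is unencrypted; "
                                 "simple or cert mode encrypts it"))
    elif security not in (None, "simple", "cert"):
        findings.append(("error", "unknown security mode: %s" % security))

    if text("denyOnNotProtected") == "0":
        findings.append(("info", "denyOnNotProtected=0: resources with no matching policy "
                                 "are served without authentication"))

    if text("ipValidation") == "0":
        findings.append(("info", "ipValidation=0: session cookies are not bound to the client IP"))

    logouts = [u.text.strip() for u in root.findall("logOutUrls/url") if u.text]
    if not logouts:
        findings.append(("error", "no logOutUrls configured; logout will not end the OAM session"))

    return findings


def has_errors(findings):
    """True when any finding is severe enough to block registration."""
    return any(sev == "error" for sev, _ in findings)


if __name__ == "__main__":
    for sev, msg in lint_agent_request(SAMPLE_REQUEST):
        print("%-7s %s" % (sev, msg))
```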

Creating Oracle Access Manager Agent

The agent configuration is created by running the oamreg.sh script. This is done by issuing the following commands from within the RREG_HOME directory:

export JAVA_HOME=$MW_HOME/jrockit_160_14_R27.6.5-32
./bin/oamreg.sh inband input/sso.xml

When the script runs you will be asked for the following information. Provide the values shown:

Agent User Name: oamadmin
Agent Password: oamadmin user's password
Do you want to enter a Web Gate Password: y
Enter password for webgate and confirm

Note:

Although it is not mandatory to provide a password for Web Gate, Oracle highly recommends that you do so. It is mandatory when wiring Oracle Identity Management to Oracle Access Manager.

This will then create a file called ObAccessClient.xml in the directory RREG_HOME/output/Agent_Name.

Copy this file to each webgate installation. Put it in the directory: WEBGATE_INSTALL_DIR/access/oblix/lib.

Now that you have created the agent, you must update it. Please see Section 18.2.2.3, "Update Newly-Created Agent".

18.2.2.2 Using Oracle Access Manager Administration Console

Access the Oracle Access Manager console at: http://admin.mycompany.com/oamconsole

  1. Log in as the oamadmin user.

  2. Click Add OAM 10g WebGate.

  3. Complete the following information:

    • Agent Name: Name for this Agent, for example: Webgate_mysso

    • Access Client Password: Enter a Password for Web Gate to use

      Note:

      Although it is not mandatory to provide a password for Web Gate, Oracle highly recommends that you do so. It is mandatory when wiring Oracle Identity Management to Oracle Access Manager.

    • Agent Base URL: https://sso.mycompany.com:443

    • Host Identifier: IDMDomain

    • Ensure that Auto Create Policies is not selected.

    • Protected Resources: enter protected resources, as required

      Note:

      To make testing easier, it is useful to create a simple HTML file called sso.html in ORACLE_INSTANCE/config/OHS/ohs1/htdocs.

      Choose to protect /sso.html. This will enable you to verify that SSO is working by accessing the URL: https://sso.us.oracle.com/sso.html.

  4. Click Apply.

    This will then create a file called ObAccessClient.xml in the directory DOMAIN_HOME/output/Agent Name.

18.2.2.3 Update Newly-Created Agent

After generating the initial configuration, you must edit the configuration and add advanced configuration entries.

  1. Double Click IDMDomain under Host Identifiers.

  2. Click + in the operations box.

  3. Enter the following information:

    • Host Name: admin.mycompany.com

    • Port: 80

  4. Click Apply.

  5. Select System Configuration Tab

  6. Select Agents - OAM Agents - 10g WebGates from the directory tree.

  7. Click the newly created agent (Webgate_mysso).

  8. Select Open from the Actions Menu.

  9. Verify that all of your access servers are listed in the Primary Servers List box. If any are missing, click the Add icon (+) to add a new preferred server.

  10. If any access servers are missing, add them to the Primary or Secondary Server list.

  11. Update the following information:

    • Primary cookie domain: .mycompany.com (include the dot at the beginning).

    • Logout URL: /oamsso/logout.html

      /console/jsp/common/logout.jsp

      /em/targetauth/emaslogout.jsp

    • Deny if not Protected: Do not select.

  12. Click Apply.

18.2.3 Installing Oracle WebGate on WEBHOST1 and WEBHOST2

Before you install Oracle Webgate, ensure that the managed servers WLS_OAM1 and WLS_OAM2 are started.

Install Oracle WebGate as described in the following sections.

18.2.3.1 Oracle WebGate 10g

Start the Web Gate installer by issuing the command:

Oracle_Access_Managerversion_linux_OHS11g_WebGate -gui

Then perform the following steps:

  1. On the Welcome to the InstallShield Wizard for Oracle Access Manager WebGate screen, click Next.

  2. On the Customer Information screen, enter the username and group that the Identity Server will use. This should be the same as the user and group that installed the Oracle HTTP Server. The default value for username and group is nobody. For example, enter oracle/oinstall.

    Click Next.

  3. Specify the installation directory for Oracle Access Manager Access Server. For example, enter: MW_HOME/oam/webgate.

    Click Next.

    Note:

    Oracle Access Manager WebGate is installed in the access subdirectory under /u01/app/oracle/product/fmw/oam/webgate.

  4. Oracle Access Manager WebGate will be installed in: /u01/app/oracle/product/fmw/oam/webgate/

    The access directory is created by the installer automatically.

  5. Specify the location of the GCC run-time libraries, for example: /u01/app/oracle/oam_lib

    Click Next.

  6. The installation progress screen is shown. After the installation process completes, the WebGate Configuration screen appears.

  7. On the WebGate Configuration screen, you are prompted for the transport security mode:

    The transport security between all Access System components (Policy Manager, Access Servers, and associated WebGates) must match; select one of the following: Open Mode, Simple Mode, or Cert Mode.

    Select Open Mode.

    Click Next.

  8. On the next WebGate Configuration screen, specify the following WebGate details:

    • WebGate ID: The agent name used in Section 18.2.2.2, "Using Oracle Access Manager Administration Console," for example Webgate_mysso.

    • Password for Web Gate: If you entered a password when creating the agent, enter this here. Otherwise leave blank.

    • Access Server ID: WLS_OAM1

    • Host Name: Enter the Host name for one of the access servers for example IDMHOST1

    • Port Number the Access Server listens to: ProxyPort

    Note:

    To find the port that the Access Server is using, log into the oamconsole using the URL: http://admin.mycompany.com/oamconsole. Then perform the following steps:

    1. Select the System Configuration tab.

    2. Select Server Instances.

    3. Select Instance (WLS_OAM1) and click the View icon in the tool bar.

      The proxy entry will have host and port information.

  9. On the Configure Web Server screen, click Yes to automatically update the web server, then click Next.

  10. On the next Configure Web Server screen, specify the full path of the directory containing the httpd.conf file. The httpd.conf file is located under the following directory:

    /u01/app/oracle/admin/ohsInstance/config/OHS/ohsComponentName

    For example:

    /u01/app/oracle/admin/ohs_instance2/config/OHS/ohs2/httpd.conf

    Click Next.

  11. On the next Configure Web Server page, a message informs you that the Web Server configuration has been modified for WebGate.

    Click Next.

  12. The next screen, Configure Web Server, displays the following message:

    If the web server is setup in SSL mode, then httpd.conf file needs to be configured with the SSL related parameters. To manually tune your SSL configuration, please follow the instructions that come up.
    

    Click Next.

  13. The next screen, Configure Web Server, displays a message with the location of the document that has information on the rest of the product setup, as well as Web Server configuration.

    Select No and click Next.

  14. The final Configure Web Server screen appears with a message to manually launch a browser and open the HTML document for further information on configuring your Web Server.

    Click Next.

  15. The Oracle COREid Readme screen appears. Review the information on the screen and click Next.

  16. A message appears, along with the details of the installation, informing you that the installation was successful.

    Click Finish.

  17. Replace the file ObAccessClient.xml in the directory MW_HOME/webgate/access/oblix/lib/ with the file generated in Section 18.2.2.2, "Using Oracle Access Manager Administration Console."

  18. Restart the web server by following the instructions in Section 19.1, "Starting and Stopping Oracle Identity Management Components."

  19. Repeat for WEBHOST2.

18.2.4 Validating WebGate

Assuming that you created a protected resource called sso.html in Section 11.9, "Validating Oracle Access Manager," you can test that webgate is functioning by accessing the URL:

https://sso.mycompany.com:443/sso.html

You are prompted to log in to Oracle Access Server. Once you have done so, the Oracle FMW home page is displayed.

Note:

At this point, if you attempt to access consoles such as WebLogic, OAM, or OIM, you will have to log on twice. This is because WebGate protects these resources. For this reason, you should perform the steps in Section 20.2, "Configuring SSO for Administration Consoles with OAM 11g" next.

18.3 Integrating Oracle Access Manager 10g and Oracle Identity Manager

This section describes how to integrate Oracle Access Manager and Oracle Identity Manager.

18.3.1 Prerequisites

Note:

The steps in this section require the OAM-OIM integration patches for OAM 10.1.4.3.0 Access Server and OAM 10.1.4.3.0 WebGate. At the time of release of this document, however, these patches are not generally available for download. Please check My Oracle Support at https://support.oracle.com for the patch availability. Please check the "Enterprise Deployment Guide" chapter of the 11g Release 1 (11.1.1) Release Notes for the exact patch level required and additional instructions required to apply these patches.

Ensure that the following tasks have been performed before integrating OAM 10g with OIM 11g.

  1. Ensure that OIM11g has been installed and configured as described in Chapter 13.

  2. Ensure that the Oracle Access Manager 10g has been installed and configured as described in Chapter 10.

  3. Ensure that OHS has been installed and configured as described in Section 4.4.

  4. Ensure that Webgate has been installed and a Webgate 10g Agent has been configured as described in Section 18.2.

  5. Ensure that the Change Log and User Adapters have been created in Oracle Virtual Directory and that the oamEnabled flag for these adapters is set to true. See Section 13.3.1.2.

  6. Update the LDAP schema definitions and ACLs with the OAM and OIM password expiry schema extensions, and the OAM schema as described in Section 18.3.1.1.

  7. Create a user in OIM with System Administrator privileges as described in Section 18.3.1.2.

  8. Patch all the Access Server and WebGate installations in your environment as described in Section 18.3.1.3 and Section 18.3.1.4.

  9. Configure the WebLogic Domain for Single Sign On as described in Section 18.3.1.5.

18.3.1.1 Update the LDAP Schema Definitions

  1. Update the LDAP Schema Definitions and ACLs with the OAM and OIM password expiry schema extensions, as follows:

    1. Create an LDIF file called PasswordExpired.ldif with the following contents:

      dn: cn=subSchemaSubEntry
      changetype: modify
      add: attributetypes
      attributetypes: ( 1.3.6.1.4.1.3831.0.0.400 NAME 'obpasswordexpirydate' DESC 'Oracle Access Manager defined attribute type' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'  X-ORIGIN 'user defined' )
      
      dn: cn=subschemasubentry
      changetype: modify
      add: objectclasses
      objectclasses: ( 1.3.6.1.4.1.3831.0.1.40 NAME 'OIMPersonPwdPolicy' DESC 'Oracle Access Manager defined objectclass' SUP top  AUXILIARY MAY ( obpasswordexpirydate ) )
      
    2. On IDMHOST1, set ORACLE_HOME to the IDM_ORACLE_HOME and ensure that the ORACLE_HOME/bin directory is in your path:

      ORACLE_HOME=/u01/app/oracle/product/fmw/idm
      PATH=$ORACLE_HOME/bin:$PATH
      export ORACLE_HOME PATH
      
    3. Update the LDAP schema by using the ldapadd command. For example:

      ORACLE_HOME/bin/ldapadd -h oid.mycompany.com -p 389 -D "cn=orcladmin" -q -c -v -f /home/oracle/PasswordExpired.ldif
      
  2. Update the LDAP schema with the OAM Schema extensions, if you have not already added them.

    The OAM Schema files OID_oblix_pwd_schema_add.ldif, OID_oblix_schema_add.ldif, OID_oblix_schema_index_add.ldif, and OID_oim_pwd_schema_add.ldif are located under the IAM_ORACLE_HOME/oam/server/oim-intg/schema directory.

    Update the LDAP schema by using the ldapmodify command. For example:

    ORACLE_HOME/bin/ldapmodify -h oid.mycompany.com -p 389 -D "cn=orcladmin" -q -c -v -f IAM_ORACLE_HOME/oam/server/oim-intg/schema/OID_oblix_pwd_schema_add.ldif
    
    ORACLE_HOME/bin/ldapmodify -h oid.mycompany.com -p 389 -D "cn=orcladmin" -q -c -v -f IAM_ORACLE_HOME/oam/server/oim-intg/schema/OID_oblix_schema_add.ldif
    
    ORACLE_HOME/bin/ldapmodify -h oid.mycompany.com -p 389 -D "cn=orcladmin" -q -c -v -f IAM_ORACLE_HOME/oam/server/oim-intg/schema/OID_oblix_schema_index_add.ldif
    
    ORACLE_HOME/bin/ldapmodify -h oid.mycompany.com -p 389 -D "cn=orcladmin" -q -c -v -f IAM_ORACLE_HOME/oam/server/oim-intg/schema/OID_oim_pwd_schema_add.ldif
    
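Because the ldapadd calls in this section run with -c (continue on error), a malformed record in a schema LDIF can be skipped without the run visibly failing. As an added example (not part of the guide), the following Python script parses such a schema LDIF, joins RFC 2849 folded lines, and checks that every attribute an objectclass lists under MAY or MUST is defined in the same file or in a base-schema allow list you supply; the embedded LDIF is a constructed copy of PasswordExpired.ldif.

```python
"""Pre-check a schema-extension LDIF such as PasswordExpired.ldif before applying it.

Added example, not from the guide. SAMPLE_LDIF is a constructed copy of the
PasswordExpired.ldif records shown in the section, with one deliberately
folded line to exercise the continuation-line handling.
"""
import re

SAMPLE_LDIF = """\
dn: cn=subSchemaSubEntry
changetype: modify
add: attributetypes
attributetypes: ( 1.3.6.1.4.1.3831.0.0.400 NAME 'obpasswordexpirydate' DESC 'Oracle Acc
 ess Manager defined attribute type' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' X-ORIGIN 'user defined' )

dn: cn=subschemasubentry
changetype: modify
add: objectclasses
objectclasses: ( 1.3.6.1.4.1.3831.0.1.40 NAME 'OIMPersonPwdPolicy' DESC 'Oracle Access Manager defined objectclass' SUP top AUXILIARY MAY ( obpasswordexpirydate ) )
"""

# "( <oid> NAME '<name>' ... )" as used by both attributetypes and objectclasses.
DEF_RE = re.compile(r"\(\s*(?P<oid>[\d.]+)\s+NAME\s+'(?P<name>[^']+)'.*\)\s*$")
# "MAY ( a $ b )", "MUST ( a )" or the single-name form "MAY a".
REF_RE = re.compile(r"\b(MAY|MUST)\s+(?:\(\s*([^)]*?)\s*\)|(\w+))")


def parse_ldif(text):
    """Return records as lists of (attribute, value) pairs, with folded lines joined."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]          # RFC 2849: a leading space continues the previous line
        else:
            lines.append(line)
    records, current = [], []
    for line in lines + [""]:              # the trailing "" flushes the last record
        if line == "":
            if current:
                records.append(current)
                current = []
        elif line.startswith("#") or line == "-":
            continue                       # comment or modify-record separator
        else:
            attr, _, value = line.partition(":")
            current.append((attr.strip().lower(), value.strip()))
    return records


def schema_definitions(records):
    """Extract attributetypes and objectclasses definitions keyed by lower-case NAME."""
    attrs, classes = {}, {}
    for record in records:
        for attr, value in record:
            if attr not in ("attributetypes", "objectclasses"):
                continue
            m = DEF_RE.match(value)
            if not m:
                raise ValueError("unparseable %s definition: %s" % (attr, value))
            entry = {"oid": m.group("oid"), "name": m.group("name"), "may": [], "must": []}
            for kind, listed, single in REF_RE.findall(value):
                names = [n.strip() for n in (listed or single).split("$") if n.strip()]
                entry[kind.lower()].extend(names)
            target = attrs if attr == "attributetypes" else classes
            target[entry["name"].lower()] = entry
    return attrs, classes


def check_schema(text, base_attrs=()):
    """Return a list of problems; an empty list means the LDIF is internally consistent."""
    records = parse_ldif(text)
    problems = []
    for record in records:
        fields = dict(record)
        if fields.get("dn", "").lower() != "cn=subschemasubentry":
            problems.append("record dn is not cn=subschemasubentry: %r" % fields.get("dn"))
        if fields.get("changetype") != "modify":
            problems.append("record %r is not a modify" % fields.get("dn"))
    attrs, classes = schema_definitions(records)
    known = set(attrs) | {a.lower() for a in base_attrs}
    oid_owner = {}
    for entry in list(attrs.values()) + list(classes.values()):
        owner = oid_owner.setdefault(entry["oid"], entry["name"])
        if owner != entry["name"]:
            problems.append("OID %s used by both %s and %s" % (entry["oid"], owner, entry["name"]))
    for cls in classes.values():
        for ref in cls["may"] + cls["must"]:
            if ref.lower() not in known:
                problems.append("objectclass %s references undefined attribute %s" % (cls["name"], ref))
    return problems


if __name__ == "__main__":
    print(check_schema(SAMPLE_LDIF) or "PasswordExpired.ldif is internally consistent")
```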

18.3.1.2 Creating an Oracle Identity Manager User with Administrator Privileges

Create an OIM User with System Administrator privileges by using the Oracle Identity Manager Administration Console. This user will be used to perform administrative tasks in OAM and OIM. Follow these steps to create the user:

  1. Access the Oracle Identity Manager Administration console at: http://oim_host:port/admin/faces/pages/Admin.jspx

  2. Create a user called xelsysadm in LDAP, as shown in Section 18.4.5.

    Ensure that the user is created with the mail attribute by adding the following line to the LDIF file:

    mail:xelsysadm@mycompany.com

    This attribute is required by Oracle Identity Management for user reconciliation.

  3. Go to Roles and add the System Administrators role to the intg_admin user.

18.3.1.3 Patching the Oracle Access Manager 10g Access Server

Follow these steps to patch the Access Server on OAMHOST1, OAMHOST2 and OAMADMINHOST:

  1. Download the OAM access server patch package from My Oracle Support at https://support.oracle.com. The patch name is Oracle_Access_Manager10_1_4_3_0_BPxx_Patch_linux_Access_Server.zip.

  2. Shut down Oracle Access Manager 10.1.4.3.0.

  3. Unzip the Oracle_Access_Manager10_1_4_3_0_BPxx_Patch_linux_Access_Server.zip to a temporary location.

  4. Change directory to PatchExtractLocation/Oracle_Access_Manager10_1_4_3_0_BPxx_Patch_linux_Access_Server_binary_parameter.

  5. Start the patch installation tool as:

    ./patchinst -i InstallDir/access
    

    where InstallDir is the path to the Access Server install location.

    This applies the required patch for OAM-OIM integration to the OAM 10.1.4.3.0 Access Server. Please see the "Enterprise Deployment Guide" chapter of the 11g Release 1 (11.1.1) Release Notes for the exact patch level required.

  6. Start the access server as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components."

  7. Stop and start the other Oracle Access Manager components as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components."

18.3.1.4 Patching the Oracle Access Manager 10g Webgates

Follow these steps to patch the Webgates in your environment:

  1. Download the Oracle Access Manager OHS11g WebGate patch from My Oracle Support at https://support.oracle.com. The patch name is Oracle_Access_Manager10_1_4_3_0_BPxx_Patch_linux_OHS11g_WebGate.zip.

  2. Stop the Oracle HTTP Server 11g instance as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components."

  3. Unzip the Oracle_Access_Manager10_1_4_3_0_BPxx_Patch_linux_OHS11g_WebGate.zip file to a temporary location. This creates the following two directories:

    • Oracle_Access_Manager10_1_4_3_0_BPxx_Patch_linux_OHS11g_WebGate_binary_parameter

    • Oracle_Access_Manager10_1_4_3_0_BPxx_Patch_linux_OHS11g_WebGate_message_en-us

  4. Change directory to: PatchExtractLocation/Oracle_Access_Manager10_1_4_3_0_BPxx_Patch_linux_OHS11g_WebGate_binary_parameter

  5. Start the patch installation tool by typing:

    ./patchinst -i InstallDir/access
    

    where InstallDir is the path to the Access Server install location.

    This applies the required patch for OAM-OIM integration to the OAM 10.1.4.3.0 WebGate Instance. Please see the "Enterprise Deployment Guide" chapter of the 11g Release 1 (11.1.1) Release Notes for the exact patch level required.

  6. Apply this patch to all the WebGate instances in your environment.

  7. On all your web hosts, copy the config.pl, loginredirect.pl, logout.pl and params.pl perl script files located under the /u01/app/oracle/product/fmw/oam/webgate/access/oblix/lib directory to the ORACLE_INSTANCE/config/OHS/InstanceName/cgi-bin directory.

    For example, on WEBHOST1:

    cp /u01/app/oracle/product/fmw/oam/webgate/access/oblix/lib/*.pl /u01/app/oracle/admin/ohs_inst1/OHS/ohs1/cgi-bin/
    

    On WEBHOST2:

    cp /u01/app/oracle/product/fmw/oam/webgate/access/oblix/lib/*.pl /u01/app/oracle/admin/ohs_inst2/OHS/ohs1/cgi-bin/
    
  8. Add execute permissions to the config.pl, loginredirect.pl, and logout.pl files located under ORACLE_INSTANCE/config/OHS/InstanceName/cgi-bin on all the webhosts. To add execute permissions, run the following command on all the webhosts:

    chmod +x ORACLE_INSTANCE/config/OHS/InstanceName/cgi-bin/*.pl
    
  9. Start the OHS server as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components."

18.3.1.5 Configure the WebLogic Domain for Single Sign On

Update the single sign-on provider configuration using the wlst addOAMSSOProvider command. This command configures the Oracle Access Manager JPS SSO Service Provider. It modifies the domain-level jps-config.xml file to add an OAM SSO service instance and its required properties. The syntax for the command is:

addOAMSSOProvider(loginuri="login_uri", logouturi="logout_uri", autologinuri="autologin_uri")

A complete WLST session that runs it looks like this:

connect()
addOAMSSOProvider(loginuri="/${app.context}/adfAuthentication", logouturi= "/cgi-bin/logout.pl", autologinuri=None)
disconnect()
exit()

where:

  • loginuri is the login URI that triggers SSO authentication. This is a required parameter.

  • logouturi is the logout URI that logs out the signed-on user. This is an optional parameter.

  • autologinuri is the auto login URI. This is an optional parameter.

Note:

This command must be executed in online mode only, that is, when the Administration Server is running.

Follow these steps to configure Oracle Access Manager for Oracle Identity Manager integration.

  1. Run wlst.sh from the ORACLE_HOME/common/bin directory to invoke the WLST shell.

  2. Connect to the WebLogic Administration Server using the connect command.

  3. Run the addOAMSSOProvider WLST command to configure the Oracle Access Manager JPS SSO Service Provider.

For example:

Prompt> ./wlst.sh
wls:/offline>connect('weblogic',password,'t3://idmhost1-vip.mycompany.com:7001')
wls:/IDMDomain/serverConfig> addOAMSSOProvider(loginuri="/${app.context}/adfAuthentication", logouturi= "/cgi-bin/logout.pl", autologinuri=None)

Note:

The default logout URL for OAM, /cgi-bin/logout.pl, is shown in the command. Please use the appropriate logout URI for your environment.

18.3.2 Configuring OAM for OAM-OIM Integration

18.3.2.1 Creating Policies in Oracle Access Manager 10g

To protect OIM pages from unauthorized access, OAM needs to be configured to protect these pages. The OAM Access Server requires that OAM policies be defined to specify the OIM pages that need to be protected and the authentication mechanism to be used for authenticating users.

Run the OAM Config Tool on OAMADMINHOST to configure OAM policies to protect OIM pages and to create the required OAM password policies to enable integration with OAM login pages for OIM password management.

Follow the steps below to create the required OAM Policies:

  1. Create a file with the following contents. These are the public and protected resources for OIM.

    ###########################
    #
    # OAM-OIM Integration
    #
    ###########################
    protected_uris
    ###########################
    
    #Resources protected with default authentication scheme
    /oim
    /xlWebApp
    /Nexaweb
    /workspace
    /admin
    
    ###########################
    public_uris
    ###########################
    
    #Public Policy 1
    Self-Service Operations
    /oim/faces/pages/USelf.jspx
    /admin/faces/pages/forgotpwd.jspx
    /admin/faces/pages/pwdmgmt.jspx
    /oim/afr/blank.html
    /admin/afr/blank.html
    
    #Public Policy 2
    Common JavaScripts, images and CSS
    /oim/.../{*.js,*.css,*.png,*.gif}
    /admin/.../{*.js,*.css,*.png,*.gif}
    
  2. Run the oamcfgtool located under the ORACLE_HOME/modules/oracle.oamprovider_11.1.1/ directory with the parameters shown in the table:

    Prompt> java -jar oamcfgtool.jar mode=CREATE app_domain=Policy_Domain_Name web_domain=Host_Identifier uris_file=Policy_Configuration_File ldap_host=LDAP_Host ldap_port=LDAP_Port ldap_userdn=LDAP_Bind_User_DN ldap_userpassword=LDAP_Bind_User_Password oam_aaa_host=Access_Server_Host oam_aaa_port=Access_Server_Port oam_aaa_mode={OPEN | SIMPLE | CERT} oam_aaa_passphrase=Global_Pass_Phrase -usei18nlogin authenticating_wg_url=http://awghost.domain:port -configOIMPwdPolicy
    
    Parameters, with their description and the value to use:

    • mode: Mode in which the tool is run. Value: CREATE

    • app_domain: The Policy Domain Name. Value: OIMPolicy_AG

    • web_domain: The Host Identifier Name. Provide the same value created in Chapter 10. Value: IDMEDG

    • uris_file: Location of the file created in step 1. Value: /home/oracle/oim-oam.conf

    • ldap_host: LDAP Host Name. Value: oid.mycompany.com

    • ldap_port: LDAP Port Number. Value: 389

    • ldap_userdn: LDAP Admin Username. Value: cn=orcladmin

    • ldap_userpassword: LDAP Admin User password. Value: password

    • oam_aaa_host: OAM10g Access Server Host Name. Value: OAMHOST1.mycompany.com

    • oam_aaa_port: OAM10g Access Server Port Number. Value: 6023

    • oam_aaa_mode: OAM10g Access Server Mode. Value: OPEN

    • oam_aaa_passphrase: OAM10g Access Server Passphrase. Use the passphrase provided when creating the access server in Chapter 10. Value: password

    • -usei18nlogin: Flag with no value. Indicates that Internationalized Login Pages should be used for protecting OIM pages.

    • authenticating_wg_url: Authenticating webgate URL. This is the URL fronting the OAM Servers. This should be specified in the RWG-AWG scenario. For this EDG, both are the same. Value: https://sso.mycompany.com:443

    • -configOIMPwdPolicy: Flag with no value. Creates the OAM password policies needed for OIM password management.

  3. Update the OAM Password Policy parameters in the Oracle Access Manager Identity Console. Follow these steps:

    1. Navigate to the Oracle Access Manager 10g Identity System Console at: http://oamadminhost.mycompany.com:7777/identity/oblix

    2. Log in to the identity system console using the credentials for the orcladmin user.

    3. Click the link for Identity System Console.

    4. On the System Configuration page, click the link for System Configuration.

    5. Click the Password Policy link in the left pane menu.

    Update the Lost Password Redirect URL, Password Change Redirect URL, and Account Lockout Redirect URL fields by prepending the Single Sign On URL to the OAM Password Policy parameters:

    • Lost Password Redirect URL: https://sso.mycompany.com:443/admin/faces/pages/forgotpwd.jspx?backUrl=%HostTarget%%RESOURCE%

    • Password Change Redirect URL: https://sso.mycompany.com:443/admin/faces/pages/pwdmgmt.jspx?backUrl=%HostTarget%%RESOURCE%

    • Account Lockout Redirect URL: https://sso.mycompany.com:443/ApplicationLockoutURI

This will create the following:

  • Policy Domain to protect OIM Pages from unauthenticated access. Also adds specific policies to allow anonymous access to common JavaScripts, CSS, and image files and to OIM pages responsible for providing Forgot Password, Self Registration and Track Registration functionality.

  • Authentication Schemes to be used while protecting OIM Pages using OAM Policies.

  • Password Policy required in OAM Identity System Console to enable OAM Access Server to redirect users to OIM Password Management pages for Force Password Reset.

  • Password Policy Redirect URLs in OAM Identity System Console to specify OIM URLs for Forgot Password, Change on Password Reset and Account Lockout.
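As an added example (not part of the guide), the following Python script parses the protected_uris / public_uris file from step 1 and reports, for a given request path, whether OAM would treat it as public, protected, or unmatched. The pattern semantics it assumes (protected entries are path prefixes, /.../ matches any number of segments, {a,b} is alternation and * matches within one segment) are this example's reading of the OAM 10g URL-pattern rules, not something the guide states; the embedded policy file is a constructed, abridged copy of the one above.

```python
"""Classify request paths against an oamcfgtool URIs file.

Added example, not from the guide. URIS_FILE is a constructed, abridged copy of
the policy file from step 1; the pattern semantics are assumptions (see the
lead-in), not taken from the guide.
"""
import re

URIS_FILE = """\
###########################
# OAM-OIM Integration
###########################
protected_uris
###########################
#Resources protected with default authentication scheme
/oim
/xlWebApp
/admin

###########################
public_uris
###########################
#Public Policy 1
Self-Service Operations
/oim/faces/pages/USelf.jspx
/admin/faces/pages/forgotpwd.jspx

#Public Policy 2
Common JavaScripts, images and CSS
/oim/.../{*.js,*.css,*.png,*.gif}
/admin/.../{*.js,*.css,*.png,*.gif}
"""


def parse_uris_file(text):
    """Return {'protected': [prefix, ...], 'public': [(policy_name, [pattern, ...]), ...]}."""
    protected, public = [], []
    section, current = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank lines, comments and ### rulers carry no policy
        if line in ("protected_uris", "public_uris"):
            section = line
            continue
        if section == "protected_uris":
            protected.append(line)
        elif section == "public_uris":
            if line.startswith("/"):
                if current is None:       # URIs before any name line get a default policy name
                    current = ("Public", [])
                    public.append(current)
                current[1].append(line)
            else:                         # a non-URI line names the public policy that follows
                current = (line, [])
                public.append(current)
    return {"protected": protected, "public": public}


def pattern_to_regex(pattern):
    """Translate one OAM-style URL pattern into an anchored regular expression."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("/.../", i):
            out.append("/(?:[^/]+/)*")    # zero or more intermediate path segments
            i += 5
        elif pattern[i] == "{":
            end = pattern.index("}", i)
            alts = [re.escape(a).replace(r"\*", "[^/]*")
                    for a in pattern[i + 1:end].split(",")]
            out.append("(?:" + "|".join(alts) + ")")
            i = end + 1
        elif pattern[i] == "*":
            out.append("[^/]*")           # wildcard within a single segment
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def classify(policy, path):
    """Return ('public', policy_name), ('protected', prefix) or ('unmatched', None)."""
    # Public policies are exceptions carved out of the protected prefixes, so test them first.
    for name, patterns in policy["public"]:
        if any(pattern_to_regex(p).match(path) for p in patterns):
            return ("public", name)
    for prefix in policy["protected"]:
        if path == prefix or path.startswith(prefix.rstrip("/") + "/"):
            return ("protected", prefix)
    # With denyOnNotProtected=0, as configured for the WebGate earlier in this
    # chapter, an unmatched path is served without any authentication.
    return ("unmatched", None)


if __name__ == "__main__":
    policy = parse_uris_file(URIS_FILE)
    for path in ("/oim/faces/pages/USelf.jspx", "/admin/afr/skins/blafplus.css",
                 "/oim/faces/pages/Self.jspx", "/xlWebApp", "/identity/index.html"):
        print("%-35s %s" % (path, classify(policy, path)))
```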

18.3.2.2 Configuring OAM 10g for Integration with OIM

There are two access servers and identity servers installed on the system. Make the following changes on both access servers and both identity servers.

  1. Navigate to Access_Server_installDir/access/oblix/apps/common/bin. Edit the globalparams.xml file and add the following block to the file:

    <SimpleList>
       <NameValPair
             ParamName="OIMIntegration"
             Value="true">
       </NameValPair>
    </SimpleList>
    
  2. Save the file and restart the Access Servers and Identity servers, as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components."

  3. Update the OraDefaultI18NFormAuthNScheme Authentication Scheme by following these steps:

    1. Navigate to the Oracle Access Manager 10g Access System Console at: http://oamadminhost.mycompany.com:7777/access/oblix

    2. Select the Access System Configuration tab.

    3. Select the Authentication Management link from the menu on the right side.

    4. Select the OraDefaultI18NFormAuthNScheme.

    5. Click Modify on the Details for Authentication Scheme page to modify the OraDefaultI18NFormAuthNScheme.

    6. Set these values:

      Level: 5

      Challenge Parameter: OIMStepDownAuthLevel:1. Click + to add this value.

    7. Select Update Cache and Click Save to update the configuration.

  4. You must configure the WebGate Login Pages for proper functioning of the Form based Authentication with Internationalization Support. Perform this task on all the WebHosts by editing the file config.js, which is located under the WebGate_HOME/access/oamsso/global directory on WEBHOST1 and WEBHOST2:

    1. Enable the Register and Track links by setting the hideRegLink variable in config.js to false.

    2. Set the value for the OimOHSHostPort variable to the host and port of the OHS instance front ending your OIM instance. For example: https://sso.mycompany.com:443

    3. In Section C of config.js, locate Parameters to specify actual redirection URLs... The entries for var lostPasswordURL, var registrationURL, and var trackRegistrationURL are located there. Ensure that the values are set as follows:

      var registrationURL = OimOHSHostPort +'/oim/faces/pages/USelf.jspx?OP_TYPE=SELF_REGISTRATION&T_ID=Self-Register%20User&E_TYPE=USELF';
      
      var lostPasswordURL = OimOHSHostPort + '/admin/faces/pages/forgotpwd.jspx';
      
      var trackRegistrationURL = OimOHSHostPort + '/oim/faces/pages/USelf.jspx?E_TYPE=USELF&OP_TYPE=UNAUTH_TRACK_REQUEST';
      
  5. Update the loginredirect.pl and logout.pl files located under the ORACLE_INSTANCE/config/OHS/InstanceName/cgi-bin directory on WEBHOST1 and WEBHOST2 to use the correct Perl interpreter. To do this, update the first line of each file to point to the Perl interpreter located under the Oracle home of Oracle HTTP Server.

  6. On all the Webhosts, edit the config.pl file located under the ORACLE_INSTANCE/cgi-bin directory and update the defaultAWGEndURL, defaultendURL, and mapAgentIdToAgentHostPort variables with the appropriate values for your environment.

    The defaultAWGEndURL and defaultendURL parameters specify the default end_url that is used when none is supplied in the query string.

    The mapAgentIdToAgentHostPort parameter is an array list that maps a WebGate Identifier to the root URL of the web server hosting that WebGate. The agentid parameter is the WebGate Identifier you provided when you created the OIM policies in Section 18.3.2.1.

    To update these values, first locate the following snippet in the config.pl file:

    $defaultAWGEndURL = "http://AWGHost-Port/defaultEndURL_forAWG";
    
    $defaultendURL = "/defaultEndURL_forRWG";
    
    %mapAgentIdToAgentHostPort      = (
                                    "RWG1", "http://RWG1Host-Port/",
                                    "RWG2", "http://RWG2Host-Port/",
                                    "", ""                  ## Terminating entry
                                    );
    

    These entries have the following meanings:

    • defaultAWGEndURL: The end URL on the Authenticating Webgate

    • AWGHost-Port: The Authenticating Webgate Host and Port. In this EDG the Authenticating Webgate and the Resource Webgate are the same.

    • defaultEndURL_forRWG: The default End URL for the Resource Webgate. This is the URL to which the user will be redirected upon logging out

    • mapAgentIdToAgentHostPort: An array list that is used to map WebGate Identifier specified by the agentid to the WebServer hosting that Webgate

    • RWG1/RWG2: The WebGate Id on the Resource Webgate

    • RWG1Host-Port: The Resource Webgate Hostname and Port. In this EDG the resource webgate and the authentication webgate are the same.

    Change these values to look like this:

    $defaultAWGEndURL = "https://sso.mycompany.com:443/oim";
    
    $defaultendURL = "https://sso.mycompany.com:443/oim";
    
    %mapAgentIdToAgentHostPort      = (
                                    "IDMEDG_AG", "https://sso.mycompany.com:443/",
                                    "", ""                  ## Terminating entry
                                    );
    
  7. Save the file.

    Note:

    The following step sets the logoutRedirectUrl and is required in environments where the Authenticating Web Gate (AWG) and the Resource Web Gate (RWG) are different. In this deployment guide, because the AWG and the RWG are the same, this step is not required.

  8. Update the WebGate entries with the logoutRedirectUrl. Follow these steps:

    1. Navigate to the Oracle Access Manager 10g Access System Console at: http://oamadminhost.mycompany.com:7777/access/oblix

    2. Select the Access System Configuration tab.

    3. Select Access Gate Configuration from the menu on the right.

    4. Specify the search criteria for the Access Gate and click Go on the Search for Access Gate to list the WebGate.

    5. Select the WebGate from the list. This is the same WebGate, OIMPolicy_AG, created in Section 18.3.2.

    6. Click Modify on the Details for Access Gate page to modify the OIMPolicy_AG WebGate.

    7. Update the User Defined Parameter section as follows:

      Parameter: logoutRedirectUrl

      Values: https://sso.mycompany.com:443/cgi-bin/logout.pl

    8. Click Save to save the configuration.

  9. Stop and start the OHS Instances running on WEBHOST1 and WEBHOST2, as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components."

  10. Stop and start all the Identity Servers and Access Servers in your environment, as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components."
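
Steps 5 and 6 above edit config.pl by hand on every WebHost. The following Python script is an added example, not part of this guide or of the Oracle HTTP Server cgi-bin scripts: it rewrites the three config.pl assignments from the EDG values and checks them first, because a WebGate Id with stray whitespace (the Perl hash key must match the Access Gate name exactly) or an http:// or relative host entry would silently send the user to the wrong place after login or logout. The policy it enforces (absolute https:// URLs, a trailing slash on each mapped host) is this example's own assumption; the SAMPLE_CONFIG_PL text is a constructed copy of the snippet shown above, not the real file.

```python
import re

# Constructed sample of the config.pl snippet as shipped (placeholder values).
# This is not the real ORACLE_INSTANCE/cgi-bin/config.pl, which has more content around it.
SAMPLE_CONFIG_PL = '''$defaultAWGEndURL = "http://AWGHost-Port/defaultEndURL_forAWG";

$defaultendURL = "/defaultEndURL_forRWG";

%mapAgentIdToAgentHostPort      = (
                                "RWG1", "http://RWG1Host-Port/",
                                "RWG2", "http://RWG2Host-Port/",
                                "", ""                  ## Terminating entry
                                );
'''

# Matches the whole %mapAgentIdToAgentHostPort = ( ... ); assignment, across lines
AGENT_MAP_RE = re.compile(r'^%mapAgentIdToAgentHostPort\s*=\s*\((.*?)\);', re.M | re.S)


def validate_inputs(awg_end_url, rwg_end_url, agent_map):
    """Reject values that would break the redirect silently (policy assumed by this example)."""
    if not awg_end_url.startswith("https://"):
        raise ValueError("defaultAWGEndURL must be an absolute https:// URL: %r" % awg_end_url)
    if not (rwg_end_url.startswith("https://") or rwg_end_url.startswith("/")):
        raise ValueError("defaultendURL must be https:// or a site-relative path: %r" % rwg_end_url)
    if not agent_map:
        raise ValueError("mapAgentIdToAgentHostPort needs at least one WebGate Id")
    for agent_id, base_url in agent_map.items():
        # The Perl hash is keyed by the exact WebGate Id; " IDMEDG_AG " would never match.
        if not agent_id or agent_id != agent_id.strip():
            raise ValueError("WebGate Id %r is empty or has surrounding whitespace" % agent_id)
        if not (base_url.startswith("https://") and base_url.endswith("/")):
            raise ValueError("host:port for %r must be https:// and end with '/': %r" % (agent_id, base_url))


def render_agent_map(agent_map):
    """Render the Perl list form of %mapAgentIdToAgentHostPort, keeping the terminating "" pair."""
    lines = ["%mapAgentIdToAgentHostPort = ("]
    for agent_id, base_url in agent_map.items():
        lines.append('    "%s", "%s",' % (agent_id, base_url))
    lines.append('    "", ""                  ## Terminating entry')
    lines.append(");")
    return "\n".join(lines)


def update_config_pl(text, awg_end_url, rwg_end_url, agent_map):
    """Return config.pl text with the three variables replaced; idempotent on its own output."""
    validate_inputs(awg_end_url, rwg_end_url, agent_map)
    # Lambdas as replacements so no backslash or group escapes are interpreted in the URLs
    text, n_awg = re.subn(r'^\$defaultAWGEndURL\s*=\s*"[^"]*";',
                          lambda m: '$defaultAWGEndURL = "%s";' % awg_end_url, text, count=1, flags=re.M)
    text, n_rwg = re.subn(r'^\$defaultendURL\s*=\s*"[^"]*";',
                          lambda m: '$defaultendURL = "%s";' % rwg_end_url, text, count=1, flags=re.M)
    text, n_map = AGENT_MAP_RE.subn(lambda m: render_agent_map(agent_map), text, count=1)
    if (n_awg, n_rwg, n_map) != (1, 1, 1):
        raise ValueError("config.pl did not contain all three expected assignments")
    return text


def parse_agent_map(text):
    """Read the hash back: quoted strings taken in key/value pairs up to the empty terminating key."""
    m = AGENT_MAP_RE.search(text)
    if not m:
        raise ValueError("no %mapAgentIdToAgentHostPort assignment found")
    items = re.findall(r'"([^"]*)"', m.group(1))
    result = {}
    for key, value in zip(items[0::2], items[1::2]):
        if key == "":
            break
        result[key] = value
    return result


# The EDG values from this section
EDG_END_URL = "https://sso.mycompany.com:443/oim"
EDG_AGENT_MAP = {"IDMEDG_AG": "https://sso.mycompany.com:443/"}

if __name__ == "__main__":
    print(update_config_pl(SAMPLE_CONFIG_PL, EDG_END_URL, EDG_END_URL, EDG_AGENT_MAP))
```

To apply it to a real host, read ORACLE_INSTANCE/cgi-bin/config.pl, pass its text through update_config_pl, write the result back and run the same script on every WebHost, then restart OHS as in step 9.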

18.3.3 Configuring OIM for OAM/OIM Integration

Configure Oracle Identity Manager for the OAM-OIM integration by following the steps below:

18.3.3.1 Configuring OAM 10g/OIM Authenticator

To configure auto-login for Oracle Identity Manager, update the oim-config.xml file with the required parameters. The oim-config.xml file is stored in the MDS repository at the path /db/oim-config.xml. The file must be exported from MDS to the local file system, edited, then imported back into MDS, and the server restarted for the changes to take effect.

Note:

The files are exported on the managed server host specified in the wls_servername parameter, to the location specified by the metadata_to_loc parameter.

  1. To export the /db/oim-config.xml file from MDS to the local file system, follow these steps:

    1. Use the OIM Export Metadata tool to export the /db/oim-config.xml file from the MDS repository. The OIM Export Metadata Tool, weblogicExportMetadata.sh, is located under the IAM_ORACLE_HOME/server/bin directory.

    2. Before you attempt to execute the tool, update the weblogic.properties file under the IAM_ORACLE_HOME/server/bin directory with the following properties:

      wls_servername: Server name OIM

      application_name: OIMMetadata

      metadata_to_loc: Location on the OIMHOST to which files are exported

      metadata_files: /db/oim-config.xml

      The following is an example of the weblogic.properties file:

      # Weblogic Server Name on which OIM application is running
      
      wls_servername=WLS_OIM1
      
      # If you are importing or exporting any out of box event handlers, value is oim.
      # For rest of the out of box metadata, value is OIMMetadata.
      # If you are importing or exporting any custom data, always use application name as OIMMetadata.
      
      application_name=OIMMetadata
      
      # Directory location from which XML file should be imported.
      # Lets say I want to import User.xml and it is in the location /scratc/asmaram/temp/oim/file/User.xml,
      # I should give from location value as /scratc/asmaram/temp/oim. Make sure no other files exist
      # in this folder or in its sub folders. Import utility tries to recursively import all the files under the
      # from location folder. This property is only used by weblogicImportMetadata.sh
      
      metadata_from_loc=@metadata_from_loc
      
      # Directory location to which XML file should be exported to
      
      metadata_to_loc=/home/oracle/oim_export
      
      # For example /file/User.xml to export user entity definition. You can specify multiple xml files as comma separated values.
      # This property is only used by weblogicExportMetadata.sh and weblogicDeleteMetadata.sh scripts
      
      metadata_files=/db/oim-config.xml
      
      # Application version
      application_version=11.1.1.3.0
      
    3. Set the OIM_ORACLE_HOME variable to the Identity Management Oracle home.

      prompt> export OIM_ORACLE_HOME=/u01/app/oracle/product/fmw/iam
      
    4. Run the OIM Export Metadata Tool:

      prompt>./weblogicExportMetadata.sh
      
    5. When prompted, provide the following values:

      username: The admin user name for the Weblogic Domain, for example: weblogic

      password: The password for the Admin User

      server URL: The URL to connect to the OIM managed server, for example: t3://oimhost1.mycompany.com:14000

    6. The output from the tool is similar to this:

      Initializing WebLogic Scripting Tool (WLST) ...
      
      Welcome to WebLogic Server Administration Scripting Shell
      
      Type help() for help on available commands
      
      Starting export metadata script ....
      Please enter your username [weblogic] :weblogic
      Please enter your password [welcome1] :
      Please enter your server URL [t3://localhost:7001] :t3://oimhost1.mycompany.com:14000
      Connecting to t3://oimhost1.mycompany.com:14000 with userid weblogic ...
      Successfully connected to managed Server 'WLS_OIM2' that belongs to domain 'IDMDomain'.
      
      Warning: An insecure protocol was used to connect to the server. To ensure on-the-wire security, the SSL port or Admin port should be used instead.
      Location changed to custom tree. This is a writable tree with No root.
      For more help, use help(custom)
      
      Disconnected from weblogic server: WLS_OIM2
      End of export metadata script ...
      
      Exiting WebLogic Scripting Tool.
      
    7. Edit the oim-config.xml file created under the /home/oracle/oim_export/db directory and update the values in the ssoConfig element as shown:

      <ssoConfig>
         <version>@oamVersion</version>
         <accessServerHost>@oamAccessServerHost</accessServerHost>
         <accessServerPort>@oamAccessServerPort</accessServerPort>
         <accessGateID>@oamAccessGateID</accessGateID>
         <cookieDomain>@oamcookiedomain</cookieDomain>
         <napVersion>3</napVersion>
         <transferMode>OPEN</transferMode>
         <webgateType>ohsWebgate10g</webgateType>
         <ssoEnabled>false</ssoEnabled>
      </ssoConfig>
      

      For example:

      <ssoConfig>
          <version>10.1.4.3</version>
          <accessServerHost>sso.mycompany.com</accessServerHost>
          <accessServerPort>443</accessServerPort>
          <accessGateID>IDMEDG_AG</accessGateID>
          <napVersion>3</napVersion>
          <cookieDomain>.mycompany.com</cookieDomain>
          <transferMode>open</transferMode>
          <webgateType>ohsWebgate10g</webgateType>
          <ssoEnabled>true</ssoEnabled>
      </ssoConfig>   
      

      Note:

      • oamAccessServerHost: Specify the VIP that front ends the OAM servers

      • oamAccessServerPort: Specify the port for the VIP

      • oamAccessGateID: Specify the Access Gate associated with the policy domain. Provide the same Access Gate id that was used to configure the policies for OIM in Section 18.3.2, "Configuring OAM for OAM-OIM Integration."

    8. Save the file.

  2. For the changes to take effect, import the file into MDS by following these steps:

    1. Update the weblogic.properties file under the IAM_ORACLE_HOME/server/bin directory as shown here:

      wls_servername: Server name OIM

      application_name: OIMMetadata

      metadata_from_loc: Location on the OIMHOST from which files are imported

      metadata_files: /db/oim-config.xml

      The following is an example of the weblogic.properties file:

      # Weblogic Server Name on which OIM application is running
      
      wls_servername=WLS_OIM1
      
      # If you are importing or exporting any out of box event handlers, value is oim.
      # For rest of the out of box metadata, value is OIMMetadata.
      # If you are importing or exporting any custom data, always use application name as OIMMetadata.
      
      application_name=oim
      
      # Directory location from which XML file should be imported.
      # Lets say I want to import User.xml and it is in the location /scratc/asmaram/temp/oim/file/User.xml,
      # I should give from location value as /scratc/asmaram/temp/oim. Make sure no other files exist
      # in this folder or in its sub folders. Import utility tries to recursively import all the files under the
      # from location folder. This property is only used by weblogicImportMetadata.sh
      
      metadata_from_loc=/home/oracle/oim_export
      
      # Directory location to which XML file should be exported to
      
      metadata_to_loc=/home/oracle/oim_export
      
      # For example /file/User.xml to export user entity definition. You can specify multiple xml files as comma separated values.
      # This property is only used by weblogicExportMetadata.sh and weblogicDeleteMetadata.sh scripts
      
      metadata_files=/db/oim-config.xml
      
      # Application version
      application_version=11.1.1.3.0
      
    2. Run the OIM Import Metadata Tool:

      prompt>./weblogicImportMetadata.sh
      

      Provide the values for the username, password and the server URL when prompted.

      username: The admin user name for the Weblogic Domain, for example: weblogic

      password: The password for the Admin User

      server URL: The URL to connect to the OIM managed server, for example: t3://oimhost1.mycompany.com:7001

      The output from the tool is similar to this:

      Initializing WebLogic Scripting Tool (WLST) ...
      
      Welcome to WebLogic Server Administration Scripting Shell
      
      Type help() for help on available commands
      
      Starting import metadata script ....
      Please enter your username [weblogic] :weblogic
      Please enter your password [welcome1] :
      Please enter your server URL [t3://localhost:7001] :t3://oimhost1.mycompany.com:14000
      Connecting to t3://oimhost1.mycompany.com:14000 with userid weblogic ...
      Successfully connected to managed Server 'WLS_OIM1' that belongs to domain 'IDMDomain'.
      
      Warning: An insecure protocol was used to connect to the server. To ensure on-the-wire security, the SSL port or Admin port should be used instead.
      
      Location changed to custom tree. This is a writable tree with No root.
      For more help, use help(custom)
      Disconnected from weblogic server: WLS_OIM2
      End of import metadata script ...
      Exiting WebLogic Scripting Tool.
      
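The export, edit and import steps above turn on a hand edit of the exported /db/oim-config.xml. The Python script below is an added example, not Oracle's tooling: it sets the ssoConfig children from a dict, refuses to return a file in which any @placeholder from the template is still present, and proves the file is well-formed XML before you import it (a missing `>` on a closing tag, easy to introduce by hand, is caught here rather than by the import). SAMPLE_OIM_CONFIG is a constructed stand-in for the export; the real file holds many more elements around ssoConfig, and the script assumes only that a ssoConfig element exists somewhere under the root. The values in EDG_SSO_VALUES are the ones shown in the "For example" block above.

```python
import xml.etree.ElementTree as ET

# Constructed stand-in for the exported /db/oim-config.xml (the real export has many
# other elements around <ssoConfig>; only the presence of <ssoConfig> is assumed here).
SAMPLE_OIM_CONFIG = """<oimconfig>
  <ssoConfig>
    <version>@oamVersion</version>
    <accessServerHost>@oamAccessServerHost</accessServerHost>
    <accessServerPort>@oamAccessServerPort</accessServerPort>
    <accessGateID>@oamAccessGateID</accessGateID>
    <cookieDomain>@oamcookiedomain</cookieDomain>
    <napVersion>3</napVersion>
    <transferMode>OPEN</transferMode>
    <webgateType>ohsWebgate10g</webgateType>
    <ssoEnabled>false</ssoEnabled>
  </ssoConfig>
</oimconfig>
"""

# The values this EDG uses (from the "For example" block in step 7)
EDG_SSO_VALUES = {
    "version": "10.1.4.3",
    "accessServerHost": "sso.mycompany.com",
    "accessServerPort": "443",
    "accessGateID": "IDMEDG_AG",
    "cookieDomain": ".mycompany.com",
    "transferMode": "open",
    "webgateType": "ohsWebgate10g",
    "ssoEnabled": "true",
}


def local_name(tag):
    """Strip any XML namespace so lookups work whether or not the export is namespaced."""
    return tag.rsplit("}", 1)[-1]


def is_well_formed(xml_text):
    """True when the text parses; an unclosed tag is caught here, before the MDS import."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


def find_sso_config(root):
    for elem in root.iter():
        if local_name(elem.tag) == "ssoConfig":
            return elem
    raise ValueError("no <ssoConfig> element in document")


def update_sso_config(xml_text, values):
    """Set the child elements of <ssoConfig> from values and return the updated XML text.

    Elements that are not already present are not created, and a document in which any
    @placeholder from the template survives is rejected rather than returned.
    """
    root = ET.fromstring(xml_text)
    sso = find_sso_config(root)
    children = {local_name(child.tag): child for child in sso}
    for name, value in values.items():
        if name not in children:
            raise ValueError("ssoConfig has no <%s> element" % name)
        children[name].text = value
    leftovers = [n for n, c in children.items() if (c.text or "").strip().startswith("@")]
    if leftovers:
        raise ValueError("unreplaced placeholders in ssoConfig: " + ", ".join(leftovers))
    return ET.tostring(root, encoding="unicode")


def read_sso_config(xml_text):
    """Return the ssoConfig children as a dict, for checking a file before importing it."""
    sso = find_sso_config(ET.fromstring(xml_text))
    return {local_name(c.tag): (c.text or "").strip() for c in sso}


def update_file(path, values):
    """Rewrite an exported oim-config.xml in place, keeping an XML declaration on the output."""
    with open(path, encoding="utf-8") as f:
        updated = update_sso_config(f.read(), values)
    with open(path, "w", encoding="utf-8") as f:
        f.write('<?xml version="1.0" encoding="UTF-8"?>\n' + updated + "\n")


if __name__ == "__main__":
    print(update_sso_config(SAMPLE_OIM_CONFIG, EDG_SSO_VALUES))
```

If the real export declares a default namespace, call ET.register_namespace("", uri) before update_file so ElementTree writes the elements back without an ns0: prefix; read_sso_config on the edited file is a cheap last check before running weblogicImportMetadata.sh.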

18.3.3.2 Seeding Access Gate Password in CSF

You must seed the Access Gate Password in the Credential Store Framework. Follow the steps in this section to seed the access gate password.

Note:

The steps shown here are for Open security mode. If the security mode is set to Simple, configure the keystore as described in Oracle Access Manager Access Administration Guide in the Oracle Access Manager 10g (10.1.4.3) Documentation Library.

Seed the Access Gate password in the CSF under the map name oim and the key name SSOAccessKey. The CSF is the cwallet.sso file in the DOMAIN_HOME/config/fmwconfig directory. Run ORACLE_HOME/common/bin/wlst.sh and enter the following commands:

connect()
createCred(map="oim", key="SSOAccessKey",user="SSOAccessKey",password="welcome1",desc="OAMAccessGatePassword")
listCred(map="oim",key="SSOAccessKey")

18.3.3.3 Enable WLS Plug-ins

Enable the Weblogic Server Plug-ins for OIM using the WLS Admin Console by following these steps:

  1. Go to the WebLogic Administration Console at: http://ADMINHOSTVHN.mycompany.com/console

  2. Log in to the WebLogic Administration Console using the credentials for the weblogic user

  3. Navigate to Environment > servers > WLS_OIM1 > Advanced and select WebLogic Plug-In Enabled if not selected already.

18.3.3.4 Import the SSO Notification Eventhandlers into the MDS Repository

You must import the SSO notification handler entries for Oracle Access Manager into the Oracle Identity Manager MDS repository. The notification handler entries are in the EventHandlers.xml file located under the IAM_ORACLE_HOME/server/oamMetadata/db/ssointg directory. Import the notification events into the MDS repository using the OIM Import Metadata Tool by following these steps:

  1. Use the OIM Import Metadata tool to import the EventHandlers.xml file into the MDS repository. The OIM Import Metadata Tool, weblogicImportMetadata.sh is located under the IAM_ORACLE_HOME/server/bin directory.

  2. Before you attempt to execute the tool, update the weblogic.properties file under the IAM_ORACLE_HOME/server/bin directory with the following properties:

    wls_servername: Server name OIM

    application_name: OIMMetadata

    metadata_from_loc: Location on the OIMHOST from which files are imported

    metadata_files: /db/ssointg/EventHandlers.xml

    The following is an example of the weblogic.properties file:

    # Weblogic Server Name on which OIM application is running
    
    wls_servername=WLS_OIM1
    
    # If you are importing or exporting any out of box event handlers, value is oim.
    # For rest of the out of box metadata, value is OIMMetadata.
    # If you are importing or exporting any custom data, always use application name as OIMMetadata.
    
    application_name=oim
    
    # Directory location from which XML file should be imported.
    # Lets say I want to import User.xml and it is in the location /scratc/asmaram/temp/oim/file/User.xml,
    # I should give from location value as /scratc/asmaram/temp/oim. Make sure no other files exist
    # in this folder or in its sub folders. Import utility tries to recursively import all the files under the
    # from location folder. This property is only used by weblogicImportMetadata.sh
    
    metadata_from_loc=/home/oracle/oim_export
    
    # Directory location to which XML file should be exported to
    
    metadata_to_loc=/home/oracle/oim_export
    
    # For example /file/User.xml to export user entity definition. You can specify multiple xml files as comma separated values.
    
    # This property is only used by weblogicExportMetadata.sh and weblogicDeleteMetadata.sh scripts
    
    metadata_files=/db/ssointg/EventHandlers.xml
    
    # Application version
    application_version=11.1.1.3.0
    
  3. Copy IAM_ORACLE_HOME/server/oamMetadata/db/ssointg/EventHandlers.xml to the location provided in the metadata_from_loc parameter.

    For example:

    cp IAM_ORACLE_HOME/server/oamMetadata/db/ssointg/EventHandlers.xml /home/oracle/oim_export/db/ssointg/EventHandlers.xml
    
  4. Run the OIM Import Metadata Tool:

    prompt>./weblogicImportMetadata.sh
    

    Provide the values for the username, password and the server URL when prompted.

    username: The admin user name for the Weblogic Domain, for example: weblogic

    password: The password for the Admin User

    server URL: The URL to connect to OIM managed server, for example: t3://oimhost1.mycompany.com:7001

    The output from the tool is similar to this:

    Initializing WebLogic Scripting Tool (WLST) ...
    
    Welcome to WebLogic Server Administration Scripting Shell
    
    Type help() for help on available commands
    
    Starting import metadata script ....
    Please enter your username [weblogic] :weblogic
    Please enter your password [welcome1] :
    Please enter your server URL [t3://localhost:7001] :t3://oimhost1.mycompany.com:14000
    Connecting to t3://oimhost1.mycompany.com:14000 with userid weblogic ...
    Successfully connected to managed Server 'WLS_OIM1' that belongs to domain 'IDMDomain'.
    
    Warning: An insecure protocol was used to connect to the server. To ensure on-the-wire security, the SSL port or Admin port should be used instead.
    
    Location changed to custom tree. This is a writable tree with No root.
    For more help, use help(custom)
    
    Disconnected from weblogic server: WLS_OIM2
    End of import metadata script ...
    
  5. Exit the WebLogic Scripting Tool.

18.3.3.5 Configuring OAM 10g/OIM Authenticator

  1. Create the Oracle Internet Directory Authenticator as described in Section 20.1.5.1, "Setting Up the Oracle Internet Directory Authenticator."

  2. Create the Oracle Access Manager Identity Asserter as described in Section 20.1.5.2, "Setting Up the Oracle Access Manager Identity Asserter."

  3. Create the OIMSignature Authenticator as follows:

    1. Log in to the WebLogic Administration Console at: http://ADMINHOSTVHN.mycompany.com/console

    2. Click Security Realms from the Domain structure menu.

    3. Click Lock and Edit in the Change Center.

    4. Click myrealm.

    5. Select the Providers tab.

    6. Click New.

    7. Supply the following information:

      Name: OIMSignatureAuthenticator

      Type: OIMSignatureAuthenticator

    8. Click OK.

    9. Click the link for the newly created OIMSignatureAuthenticator provider.

    10. Under the Common tab, set the Control Flag to Sufficient.

    11. Click Save.

    12. Click Activate Changes to activate the change.

    13. Do not restart the Administration Server or the managed servers; that is done at the end of this section.

  4. Set the Control Flag for the OIM Authenticator to Optional. Follow these steps:

    1. Log in to the WebLogic Administration Console at: http://ADMINHOSTVHN.mycompany.com/console

    2. Click Security Realms from the Domain structure menu.

    3. Click Lock and Edit in the Change Center.

    4. Click myrealm.

    5. Select the Providers tab.

    6. Click the OIMAuthenticationProvider link.

    7. Under the Common tab, set the Control Flag to Optional.

    8. Click Save.

    9. Click Activate Changes to activate the change.

    10. Do not restart the Administration Server or the managed servers; that is done at the end of this section.

  5. Reorder the Authenticator Providers as shown in the table. Follow these steps to reorder the providers:

    1. Log in to the WebLogic Administration Console at: http://ADMINHOSTVHN.mycompany.com/console

    2. Click Security Realms from the Domain structure menu.

    3. Click Lock and Edit in the Change Center.

    4. Click myrealm.

    5. Select the Providers tab.

    6. Click Reorder.

    7. On the Reorder Authentication Providers page, reorder the providers as shown in the following table. Ensure that the Control Flags are as shown in the table.

      Name                        Control Flag
      OAMIdentityAsserter         REQUIRED
      Default Authenticator       SUFFICIENT
      OIMSignatureAuthenticator   SUFFICIENT
      OIMAuthenticationProvider   OPTIONAL
      OIDAuthenticator            SUFFICIENT
      Default Identity Asserter   SUFFICIENT

  6. Restart the Administration Server and the managed servers in the domain, as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components."

18.3.4 Update Existing LDAP Users with Required Object Classes

Existing LDAP users must be updated with the OblixPersonPwdPolicy, the OIMPersonPwdPolicy, and the OblixOrgPerson object classes. The users must be updated using the OIM Configuration Tool, oimcfgtool.jar, under the IAM_ORACLE_HOME/server/ssointg directory. Run this command on IDMHOST1 (the Admin server host). For complete information about the tool, see "Configuring the Authentication Scheme for the Identity Asserter" in Oracle Fusion Middleware Application Security Guide.

18.3.4.1 Prerequisites

Ensure that the following criteria have been met before running oimcfgtool:

  1. The wlfullclient.jar file exists under the MW_HOME/wlserver_10.3/server/lib directory. If the jar file is not present, generate it by following the steps in Section 4.7.7, "Creating the wlfullclient.jar File."

  2. You are running oimcfgtool from the IAM_ORACLE_HOME/server/ssointg directory. Do not copy this tool to a different location.

  3. Set the JAVA_HOME and the WL_HOME:

    JAVA_HOME=ORACLE_BASE/product/fmw/jdk160_18
    WL_HOME=ORACLE_BASE/product/fmw/wlserver_10.3
    PATH=$JAVA_HOME/bin:$PATH
    

    Note:

    The JAVA_HOME must be set to the SUN JDK

18.3.4.2 Using OIM Configuration Tool

Follow these steps to integrate Oracle Access Manager with Oracle Identity Manager using oimcfgtool.

Note:

  • Ensure that the LDAP Servers are up and running before you run oimcfgtool.

  1. Set MW_HOME, set ORACLE_HOME to the IAM_ORACLE_HOME and JAVA_HOME to the SUN JDK directory, and make sure that PATH includes JAVA_HOME/bin.

    prompt>export MW_HOME=/opt/maa/oracle/plus/product/fmw
    prompt>export ORACLE_HOME=/opt/maa/oracle/plus/product/fmw/iam
    prompt>export JAVA_HOME=/opt/maa/oracle/plus/product/fmw/jdk160_18
    prompt>export PATH=$JAVA_HOME/bin:$PATH
    
  2. Change directory to

    ORACLE_HOME/server/ssointg

    Run the oimcfgtool with the generate-profile option to create the sso-config.profile file. Provide your inputs in sso-config.profile. You will be prompted for required inputs not provided in the profile file. Run the tool as follows:

    java -jar oimcfgtool.jar generate-profile
    

    The output is similar to this:

    Turning off debug logs
    
    Generating sso-config.profile...
    
    Generated sso-config.profile
    
  3. Edit the sso-config.profile file created under the IAM_ORACLE_HOME/server/ssointg directory. Provide the following values. The remaining values in the file are not required to update existing LDAP users.

    • LDAP Host: The hostname for the LDAP Server

    • LDAP Port: The port for the LDAP Server

    • LDAP Root DN: The Administrator DN to connect the LDAP Server

    • User Search Base: The LDAP Search Base for the OIM Users

    • Group Search Base: The LDAP Search Base for the OIM Groups

    • Password Expiry Period in Days: The Password Expiry Period in Days. The default value is 7300.

    The following is an example of the sso-config.profile file.

    LDAP Host :-oid.mycompany.com
    LDAP Port :-389
    LDAP Root DN :-cn=orcladmin
    User Search Base :-cn=Users,dc=mycompany,dc=com
    Group Search Base :-cn=Groups,dc=mycompany,dc=com
    Password Expiry Period in Days :-7300
    
  4. Run oimcfgtool with the upgrade-ldap-users option to add the required object classes to the existing LDAP users. Run the tool as follows and provide the password for the LDAP Root DN when prompted:

    java -jar oimcfgtool.jar upgrade-ldap-users
    

    The output will be similar to this:

    [orcl@strasha07 ssointg]$ java -jar oimcfgtool.jar upgrade-ldap-users
    Turning off debug logs
    
    ********* Upgrading LDAP Users With OAM ObjectClasses *********
    
    Loading inputs from sso-config.profile
    Completed loading inputs from sso-config.profile
    Remaining inputs will be queried from console.
    Enter LDAP Root DN Password: 
    
    Completed loading user inputs for - LDAP connection info
    Completed loading user inputs for - LDAP Upgrade
    Upgrading ldap users at - cn=Users,dc=mycompany,dc=com
    Parsing - cn=Users,dc=mycompany,dc=com
    objectclass OIMPersonPwdPolicy not present in cn=weblogic_idm,cn=users,dc=mycompany,dc=com. Seeding it
    objectclass OblixOrgPerson not present in cn=weblogic_idm,cn=users,dc=mycompany,dc=com. Seeding it
    objectclass OblixPersonPwdPolicy not present in cn=weblogic_idm,cn=users,dc=mycompany,dc=com. Seeding it
    obpasswordexpirydate added in cn=weblogic_idm,cn=users,dc=mycompany,dc=com
    Finished parsing LDAP
    LDAP Users Upgraded.
    ********* ********* *********
    Operation completed. Please restart all servers.
    
  5. Stop and Start the WLS Administration Server and all the Managed Servers in the domain as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components."
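
oimcfgtool reports, entry by entry, which object classes it seeded, but it gives you no way to confirm afterwards that every user under the search base now carries all three. The Python script below is an added example, not part of oimcfgtool or this guide: it parses the sso-config.profile "Key :-value" format shown in step 3 to obtain the User Search Base, then audits an LDIF dump of that subtree (as ldapsearch would produce it) for users still missing OblixPersonPwdPolicy, OIMPersonPwdPolicy or OblixOrgPerson. SAMPLE_PROFILE and SAMPLE_LDIF are constructed inputs; the LDIF reader assumes unfolded lines and no base64 (::) values, which is enough for this check.

```python
# Constructed sso-config.profile in the "Key :-value" form shown in step 3
SAMPLE_PROFILE = """LDAP Host :-oid.mycompany.com
LDAP Port :-389
LDAP Root DN :-cn=orcladmin
User Search Base :-cn=Users,dc=mycompany,dc=com
Group Search Base :-cn=Groups,dc=mycompany,dc=com
Password Expiry Period in Days :-7300
"""

# Object classes that oimcfgtool upgrade-ldap-users seeds on each user entry
REQUIRED_OBJECT_CLASSES = ("OblixPersonPwdPolicy", "OIMPersonPwdPolicy", "OblixOrgPerson")

# Constructed LDIF (unfolded, no base64 values): one entry not yet upgraded, one already
# upgraded (note the lower-cased class name, legal in LDAP), one outside the user search base.
SAMPLE_LDIF = """dn: cn=weblogic_idm,cn=Users,dc=mycompany,dc=com
cn: weblogic_idm
objectclass: top
objectclass: person
objectclass: inetOrgPerson
objectclass: orclUserV2

dn: cn=jdoe,cn=Users,dc=mycompany,dc=com
cn: jdoe
objectclass: top
objectclass: person
objectclass: inetOrgPerson
objectclass: orclUserV2
objectclass: oblixpersonpwdpolicy
objectclass: OIMPersonPwdPolicy
objectclass: OblixOrgPerson
obpasswordexpirydate: 2030-01-01T00:00:00Z

dn: cn=svc_app,cn=ServiceAccounts,dc=mycompany,dc=com
cn: svc_app
objectclass: top
objectclass: person
"""


def parse_profile(text):
    """Parse sso-config.profile: one 'Key :-value' per line; blank and '#' lines are skipped."""
    values = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if ":-" not in line:
            raise ValueError("line %d is not in 'Key :-value' form: %r" % (lineno, line))
        key, value = line.split(":-", 1)
        values[key.strip()] = value.strip()
    return values


def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, 'attr: value' lines,
    attribute names lower-cased. Folded lines and '::' base64 values are not handled."""
    entries, attrs = [], {}
    for line in text.splitlines():
        if not line.strip():
            if attrs:
                entries.append(attrs)
                attrs = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    if attrs:
        entries.append(attrs)
    return entries


def under_base(dn, base):
    """DNs compare case-insensitively; a suffix match is enough for this audit."""
    return dn.lower().endswith("," + base.lower())


def audit_users(ldif_text, user_search_base):
    """Return {dn: [missing object classes]} for entries under the search base that lack one."""
    report = {}
    for entry in parse_ldif(ldif_text):
        dn = entry.get("dn", [""])[0]
        if not under_base(dn, user_search_base):
            continue
        # objectClass values are case-insensitive in LDAP, so compare lower-cased
        present = {oc.lower() for oc in entry.get("objectclass", [])}
        missing = sorted(oc for oc in REQUIRED_OBJECT_CLASSES if oc.lower() not in present)
        if missing:
            report[dn] = missing
    return report


if __name__ == "__main__":
    base = parse_profile(SAMPLE_PROFILE)["User Search Base"]
    for dn, missing in sorted(audit_users(SAMPLE_LDIF, base).items()):
        print("%s is missing: %s" % (dn, ", ".join(missing)))
```

Run it against a fresh ldapsearch export of the User Search Base after step 5; an empty report means every user entry carries the three classes and the force-password-reset redirect will work for all of them.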

18.4 Integrating Oracle Identity Manager and Oracle Access Manager 11g

This section describes how to integrate Oracle Identity Manager and Oracle Access Manager 11g.

This section contains the following topics:

18.4.1 Prerequisites

  1. Ensure that OIM 11g has been installed and configured as described in Chapter 13.

  2. Ensure that the Oracle Access Manager 11g has been installed and configured as described in Chapter 11.

  3. Ensure that OHS has been installed and configured as described in Section 4.4.

  4. Ensure that Webgate has been installed and a Webgate 10g Agent has been configured as described in Section 18.2.

  5. Ensure that you have configured single sign-on for the administration consoles as described in Section 20.2, "Configuring SSO for Administration Consoles with OAM 11g."

  6. Ensure that you have provisioned the administrator users as described in Section 20.3, "Administrator Provisioning."

  7. Ensure that the JTA Transaction Timeout for the domain is 600 seconds or greater. If required, update the timeout value by following the steps below:

    1. Open a browser and bring up the WebLogic Admin Console by going to: http://admin.mycompany.com/console

    2. Log in to the WebLogic Administrative Console as an admin user.

    3. Click Lock and Edit.

    4. Navigate to Services -> JTA.

    5. Ensure that the value for Timeout Seconds is 600 or greater.

    6. Click Save.

    7. Click Activate Changes.

    8. Stop the Administration Server and the Managed Servers as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components."

    9. Start the Administration Server using Node Manager as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components."

    10. Start the Managed Servers in your domain using the WebLogic Admin Console as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components."

18.4.2 Updating Single Sign-on Provider Configuration

Update the single sign-on provider configuration using the wlst addOAMSSOProvider command. This command configures the Oracle Access Manager JPS SSO Service Provider. It modifies the domain-level jps-config.xml file to add an OAM SSO service instance and the required properties. The syntax for the command is:

addOAMSSOProvider(loginuri="login_uri", logouturi="logout_uri", autologinuri="autologin_uri")

where:

  • loginuri is the login URI that triggers SSO authentication. This is a required parameter.

  • logouturi is the logout URI that logs out the signed-on user. This is an optional parameter.

  • autologinuri is the auto login URI. This is an optional parameter.

Note:

This command must be executed in online mode only, that is, when the Administration Server is running.

Follow these steps to add the OAM SSO provider to the domain:

  1. Run wlst.sh from the IAM_ORACLE_HOME/common/bin directory to invoke the WLST shell.

  2. Connect to the WebLogic Administration Server using the connect command.

  3. Run the addOAMSSOProvider WLST command to configure the Oracle Access Manager JPS SSO Service Provider.

    For example:

    Prompt> ./wlst.sh
    wls:/offline>connect('weblogic',password,'t3://idmhost1-vip.mycompany.com:7001')
    
    wls:/IDMDomain/serverConfig> addOAMSSOProvider(loginuri="/${app.context}/adfAuthentication", logouturi="/oamsso/logout.html", autologinuri="/obrar.cgi")
    
  4. Disconnect from the WLST tool using the exit() command:

    wls:/IDMDomain/serverConfig>exit()
    

18.4.3 Configure Oracle Access Manager for Oracle Identity Manager Integration

Update the configuration of the Oracle Access Manager managed servers using the WLST updateOIMHostPort command. This command updates the IdentityManagement/ServerConfiguration section of the oam-config.xml file with the host and port details for Oracle Identity Manager. The syntax for the command is:

 updateOIMHostPort(hostName = "host_name", port = "port_number", secureProtocol = "[ true | false ]") 

where:

  • hostName is the host name of the load balancer VIP that routes traffic to the OIM Managed Servers in this enterprise topology. Pass a bare host name, not a URL. This is a required parameter. For example: sso.mycompany.com.

  • port is the listen port of the load balancer for that VIP. This is a required parameter. For example: 443.

  • secureProtocol: specifies whether or not the communication protocol is secure. This is a required parameter. Set this to true when using https and false when using http. Please note that

Note:

This command must be executed in online mode only, that is, when the Administration Server is running.

Follow these steps to configure Oracle Access Manager for Oracle Identity Manager integration.

  1. Run the wlst.sh script under ORACLE_HOME/common/bin to invoke the WLST shell.

  2. Connect to the WebLogic Administration Server using the connect command.

  3. Run the updateOIMHostPort() WLST command to update the OAM configuration.

    For example:

    Prompt> ./wlst.sh 
    wls:/offline> connect('weblogic',password,'t3://idmhost1-vip.mycompany.com:7001')
    wls:/IDMDomain/serverConfig> updateOIMHostPort(hostName = "sso.mycompany.com" , port = "443", secureProtocol = "true")
    
  4. Disconnect from the WLST tool using the exit() command:

    wls:/IDMDomain/serverConfig>exit()
    
  5. Validate that the command completed successfully by checking the IdentityManagement/ServerConfiguration section of the oam-config.xml file under the DOMAIN_HOME/config/fmwconfig directory. It should look similar to this snippet:

    <Setting Name="IdentityManagement" Type="htf:map">
      <Setting Name="ServerConfiguration" Type="htf:map">
        <Setting Name="OIM-SERVER-1" Type="htf:map">
          <Setting Name="Host" Type="xsd:string">sso.mycompany.com</Setting>
          <Setting Name="Port" Type="xsd:integer">443</Setting>
          <Setting Name="SecureMode" Type="xsd:boolean">True</Setting>
        </Setting>
      </Setting>
    </Setting>
    
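Reading the snippet by eye is error-prone in a file the size of oam-config.xml, and a host written as a URL or a SecureMode that does not match the port fails only later, at login time. The following added example (written for this edit, not part of the guide or of the OAM tools) parses oam-config.xml with the Python standard library and compares the OIM server entry with the values you passed to updateOIMHostPort. SAMPLE_OAM_CONFIG is a constructed copy of the snippet above wrapped in an invented root element; the lookup walks the whole tree rather than assuming the IdentityManagement block is the root.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the guide's snippet wrapped in a made-up root element,
# so the lookup has to walk the tree as it would in a full oam-config.xml.
SAMPLE_OAM_CONFIG = """<Configuration>
  <Setting Name="IdentityManagement" Type="htf:map">
    <Setting Name="ServerConfiguration" Type="htf:map">
      <Setting Name="OIM-SERVER-1" Type="htf:map">
        <Setting Name="Host" Type="xsd:string">sso.mycompany.com</Setting>
        <Setting Name="Port" Type="xsd:integer">443</Setting>
        <Setting Name="SecureMode" Type="xsd:boolean">True</Setting>
      </Setting>
    </Setting>
  </Setting>
</Configuration>"""


def _setting(node, name):
    """Return the direct <Setting Name="..."> child called name, or None."""
    for child in node.findall("Setting"):
        if child.get("Name") == name:
            return child
    return None


def oim_server_settings(xml_text):
    """Map every server entry under IdentityManagement/ServerConfiguration to
    (host, port, secure), wherever that block sits in the document."""
    root = ET.fromstring(xml_text)
    servers = {}
    for idm in root.iter("Setting"):
        if idm.get("Name") != "IdentityManagement":
            continue
        server_cfg = _setting(idm, "ServerConfiguration")
        if server_cfg is None:
            continue
        for server in server_cfg.findall("Setting"):
            host = _setting(server, "Host")
            port = _setting(server, "Port")
            secure = _setting(server, "SecureMode")
            if host is None or port is None or secure is None:
                continue  # some other map, not a server entry
            servers[server.get("Name")] = (
                (host.text or "").strip(),
                int((port.text or "0").strip()),
                (secure.text or "").strip().lower() == "true",
            )
    return servers


def check_oim_wiring(xml_text, host, port, secure=True):
    """Return a list of problems; empty means oam-config.xml holds exactly the
    host, port and secure flag that were passed to updateOIMHostPort."""
    servers = oim_server_settings(xml_text)
    if not servers:
        return ["no IdentityManagement/ServerConfiguration server entry found"]
    problems = []
    for name, (got_host, got_port, got_secure) in servers.items():
        if "://" in got_host:
            problems.append("%s: Host must be a bare host name, not a URL: %s" % (name, got_host))
        if got_host != host:
            problems.append("%s: Host is %r, expected %r" % (name, got_host, host))
        if got_port != port:
            problems.append("%s: Port is %d, expected %d" % (name, got_port, port))
        if got_secure != secure:
            problems.append("%s: SecureMode is %s, expected %s" % (name, got_secure, secure))
        if got_port == 443 and not got_secure:
            problems.append("%s: SecureMode false on port 443, OAM would send plain HTTP to the SSL listener" % name)
    return problems


if __name__ == "__main__":
    import sys
    # Usage: python check_oam_config.py DOMAIN_HOME/config/fmwconfig/oam-config.xml
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OAM_CONFIG
    for line in check_oim_wiring(text, "sso.mycompany.com", 443, True) or ["OK"]:
        print(line)
```

Run it on each node after the Administration Server has written the file; an empty problem list is the check that step 5 asks you to do by inspection.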

18.4.4 Integrating OAM with OIM using the OIM Configuration Tool

Use the OIM Configuration tool, oimcfgtool.jar, under the IAM_ORACLE_HOME/server/ssointg directory to wire Oracle Access Manager to Oracle Identity Manager. Run this tool on IDMHOST1 (the Administration Server host). For complete information about the tool, see "Configuring the Authentication Scheme for the Identity Asserter" in Oracle Fusion Middleware Application Security Guide.

18.4.4.1 Prerequisites

Ensure that the following criteria have been met before running oimcfgtool:

  1. The wlfullclient.jar file exists under the MW_HOME/wlserver_10.3/server/lib directory. If the jar file is not present, generate it by following the steps in Section 4.7.7, "Creating the wlfullclient.jar File."

  2. You are running oimcfgtool from the IAM_ORACLE_HOME/server/ssointg directory. Do not copy this tool to a different location.

  3. Set the JAVA_HOME and the WL_HOME:

    export JAVA_HOME=ORACLE_BASE/product/fmw/jdk160_18
    export WL_HOME=ORACLE_BASE/product/fmw/wlserver_10.3
    
    export PATH=$JAVA_HOME/bin:$PATH
    

    Note:

    JAVA_HOME must point to the Sun JDK.

18.4.4.2 Using OIM Configuration Tool

Follow these steps to integrate OAM with OIM using oimcfgtool.

Notes:

  • Ensure that the OIM and SOA Managed Servers are up and running before you run OIMCFGTOOL.

  • Do not restart any of the servers until all the steps in this section are completed.

  1. Set ORACLE_HOME to the IAM_ORACLE_HOME, set JAVA_HOME to the Sun JDK directory, and make sure that PATH includes $JAVA_HOME/bin:

    prompt>export MW_HOME=/opt/maa/oracle/plus/product/fmw
    prompt>export ORACLE_HOME=/opt/maa/oracle/plus/product/fmw/iam
    prompt>export JAVA_HOME=/opt/maa/oracle/plus/product/fmw/jdk160_18
    prompt>export PATH=$JAVA_HOME/bin:$PATH
    
  2. Run oimcfgtool with the generate-profile option to create the sso-config.profile file, then provide your inputs in sso-config.profile. Any required input that is not provided in the profile file is prompted for on the console. Run the tool as follows:

    java -jar oimcfgtool.jar generate-profile
    

    The output is similar to this:

    java -jar oimcfgtool.jar generate-profile
    Turning off debug logs
    
    Generating sso-config.profile...
    
    Generated sso-config.profile
    
  3. Edit the sso-config.profile file created under IAM_ORACLE_HOME/server/ssointg directory. Provide the values as shown:

    • Access Server Host: The host name of the load balancer virtual IP fronting the Oracle Access Manager servers

    • Access Server Port: The port of the load balancer virtual IP fronting the Oracle Access Manager servers

    • Access Gate ID: The name of the Access Gate. Provide the WebGate ID that was configured in Section 18.2.2, "Creating WebGate Agents."

    • Cookie Domain: The cookie domain for your environment. Make sure to use the "." before the domain name

    • Cookie Expiry Interval: The Cookie Expiry Interval. The default value is 120 minutes.

    • OAM Transfer Mode OPEN/SIMPLE/CERT: The OAM Transfer Mode. The default value is OPEN

    • Webgate type javaWebgate/ohsWebgate10g/ohsWebgate11g: The WebGate type. The value used in this deployment guide is ohsWebgate10g.

    • SSO Enabled Flag: True or False. For this deployment guide, it is True.

    • MDS DB Url: The JDBC URL used to connect to the MDS database. For Oracle RAC databases, you can specify the URL of a single instance. Use the format: jdbc:oracle:thin:@host:port:sid

    • MDS DB Schema Username: The schema user name for the MDS database, for example EDG_MDS

    • Domain Location: The domain directory location for the Administration Server

    • WLS Server URL: The URL to connect to the WebLogic Administration Server. The format is: t3://host:port

    • WLS Username: The username for the WebLogic Administrator

    • Domain Name: The Domain name

    • OIM Managed Server Name: The OIM Managed Server Name

    • LDAP Host: The hostname for the LDAP Server

    • LDAP Port: The port for the LDAP Server

    • LDAP Root DN: The administrator DN used to connect to the LDAP server

    • User Search Base: The LDAP Search Base for the OIM Users

    • Group Search Base: The LDAP Search Base for the OIM Groups

    • Password Expiry Period in Days: The Password Expiry Period in Days. The default value is 7300.

    The following is an example of the sso-config.profile file.

    Access Server Host :- sso.mycompany.com
    Access Server Port :-443
    Access Gate ID :-Webgate_sso
    Cookie Domain :-.mycompany.com
    Cookie Expiry Interval :-120
    OAM Transfer Mode OPEN/SIMPLE/CERT :-OPEN
    Webgate type javaWebgate/ohsWebgate10g/ohsWebgate11g :-ohsWebgate10g
    SSO Enabled Flag :-true
    MDS DB Url :-jdbc:oracle:thin:@oimdb1-vip.mycompany.com:1521:oimdb1
    MDS DB Schema Username :-EDG_MDS
    Domain Location :-/u01/app/oracle/admin/IDMDomain/aserver/IDMDomain
    WLS Server URL :-t3://ADMINHOSTVHN.mycompany.com:7001
    WLS Username :-weblogic
    Domain Name :-IDMDomain
    OIM Managed Server Name :-WLS_OIM1
    LDAP Host :-oid.mycompany.com
    LDAP Port :-389
    LDAP Root DN :-cn=orcladmin
    User Search Base :-cn=Users,dc=mycompany,dc=com
    Group Search Base :-cn=Groups,dc=mycompany,dc=com
    Password Expiry Period in Days :-7300
    
  4. Run oimcfgtool with the update-oim-config option to update the access server information in the oim-config.xml file. Run the tool as follows and provide the schema password for the MDS database when prompted:

    java -jar oimcfgtool.jar update-oim-config
    

    The output will be similar to this:

    java -jar oimcfgtool.jar update-oim-config
    Turning off debug logs
    ********* Seeding OAM Config in OIM *********
    Loading inputs from sso-config.profile
    Completed loading inputs from sso-config.profile
    Remaining inputs will be queried from console.
    Completed loading user inputs for - OAM Access Config
    Enter MDS DB Schema Password: 
    Completed loading user inputs for - MDS DB Config
    Validated input values
    Initialized MDS resources
    
    Jun 25, 2010 1:30:50 PM oracle.mds
    NOTIFICATION: transfer operation started.
    Jun 25, 2010 1:30:51 PM oracle.mds
    NOTIFICATION: transfer is completed. Total number of documents successfully processed : 1, total number of documents failed : 0.
    Download from DB completed
    Releasing all resources
    Updated oamMetadata/db/oim-config.xml
    Initialized MDS resources
    
    Jun 25, 2010 1:30:51 PM oracle.mds
    NOTIFICATION: transfer operation started.
    Jun 25, 2010 1:30:53 PM oracle.mds
    NOTIFICATION: transfer is completed. Total number of documents successfully processed : 1, total number of documents failed : 0.
    Upload to DB completed
    
    Releasing all resources
    OAM configuration seeded. Please restart oim server.
    ********* ********* *********
    Operation completed. Please restart all servers.
    
  5. Run oimcfgtool with the seed-oam-passwords option to seed the OAM WebGate password in the Credential Store. Run the tool as follows and, when prompted, provide the SSO Access Gate password and the domain location of the Administration Server. The Access Gate password is the password you provided when you created the WebGate agents in Section 18.2.2, "Creating WebGate Agents." Leave the ssoKeystore.jks password and the SSO Global Passphrase blank; they are not required when the OAM Transfer Mode is OPEN:

    java -jar oimcfgtool.jar seed-oam-passwords
    

    The output is similar to this:

    java -jar oimcfgtool.jar seed-oam-passwords
    Turning off debug logs
    ********* Seeding OAM Passwds in OIM *********
    Loading inputs from sso-config.profile
    Completed loading inputs from sso-config.profile
    Remaining inputs will be queried from console.
    
    Enter SSO Access Gate Password: 
    Enter ssoKeystore.jks Password: 
    Enter SSO Global Passphrase: 
    Enter Domain Location: /u01/app/oracle/admin/IDMDomain/aserver/IDMDomain
    
    Completed loading user inputs for - CSF Config
    Updating CSF with Access Gate Password...
    Updating CSF ssoKeystore.jks Password...
    Updating CSF for SSO Global Passphrase Password...
    ********* ********* *********
    Operation completed. Please restart all servers.
    
  6. Run the oimcfgtool with the seed-oam-metadata option to upload the OAM notification handlers. Run the tool as follows and provide the schema password for the MDS Database when queried:

    java -jar oimcfgtool.jar seed-oam-metadata
    

    The output is similar to this:

    java -jar oimcfgtool.jar seed-oam-metadata
    Turning off debug logs
    ********* Activating OAM Notifications *********
    Loading inputs from sso-config.profile
    Completed loading inputs from sso-config.profile
    Remaining inputs will be queried from console.
    Enter MDS DB Schema Password: 
    
    Completed loading user inputs for - MDS DB Config
    Initialized MDS resources
    Jun 25, 2010 1:40:58 PM oracle.mds
    NOTIFICATION: transfer operation started.
    Jun 25, 2010 1:40:59 PM oracle.mds
    NOTIFICATION: transfer is completed. Total number of documents successfully processed : 1, total number of documents failed : 0.
    Upload to DB completed
    Releasing all resources
    Notifications activated.
    ********* ********* *********
    Operation completed. Please restart all servers.
    
  7. Create the OIMSignature Authenticator as follows:

    1. Log in to the WebLogic Administration Console at: http://admin.mycompany.com/console

    2. Click Security Realms from the Domain structure menu.

    3. Click Lock and Edit in the Change Center.

    4. Click myrealm.

    5. Select the Providers tab.

    6. Click New.

    7. Supply the following information:

      Name: OIMSignatureAuthenticator

      Type: OIMSignatureAuthenticator

    8. Click OK.

    9. Click the link for the newly created OIMSignatureAuthenticator provider.

    10. Under the Common tab, Set the Control Flag to Sufficient.

    11. Click Save.

    12. Click Activate Changes to activate the change.

    13. Do not restart the Administration Server or the managed servers; that is done at the end of this section.

  8. Set the Control Flag for the OIM Authentication Provider to Optional. Follow these steps:

    1. Log in to the WebLogic Administration Console at: http://admin.mycompany.com/console

    2. Click Security Realms from the Domain structure menu.

    3. Click Lock and Edit in the Change Center.

    4. Click myrealm.

    5. Select the Providers tab.

    6. Click the OIMAuthenticationProvider link.

    7. Under the Common tab, set the Control Flag to Optional.

    8. Click Save.

    9. Click Activate Changes to activate the change.

    10. Do not restart the Administration Server or the managed servers; that is done at the end of this section.

  9. Reorder the Authenticator Providers as shown in the table. Follow these steps to reorder the providers:

    1. Log in to the WebLogic Administration Console at: http://admin.mycompany.com/console

    2. Click Security Realms from the Domain structure menu.

    3. Click Lock and Edit in the Change Center.

    4. Click myrealm.

    5. Select the Providers tab.

    6. Click Reorder

    7. On the Reorder Authentication Providers page, reorder the providers as shown in the following table. Ensure that the Control Flags are set as shown in the table.

      Name                          Control Flag
      OAM Identity Asserter         REQUIRED
      Default Authenticator         SUFFICIENT
      OIM Signature Authenticator   SUFFICIENT
      OIM Authentication Provider   OPTIONAL
      OVD Authenticator             SUFFICIENT
      Default Identity Asserter     SUFFICIENT

  10. Stop and Start the WLS Administration Server and all the Managed Servers in the domain as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components."
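The profile is plain "Key :-value" text that you edit by hand, and the tool runs three times against it, so a mistake such as a cookie domain without its leading dot or a host written as a URL is cheap to catch before step 4. The following added example (written for this edit, not part of the guide or of oimcfgtool) parses sso-config.profile and checks that every key listed in step 3 has a value, that no password or passphrase has been written into the file (the tool prompts for those), and that the fixed-choice and URL fields have the shape the guide prescribes. SAMPLE_PROFILE is a constructed copy of the example profile in step 3; the JDBC check also accepts the service-name form, which goes beyond the single-instance format the guide shows.

```python
import re

# The keys generate-profile writes, in the guide's order.
REQUIRED_KEYS = (
    "Access Server Host", "Access Server Port", "Access Gate ID", "Cookie Domain",
    "Cookie Expiry Interval", "OAM Transfer Mode OPEN/SIMPLE/CERT",
    "Webgate type javaWebgate/ohsWebgate10g/ohsWebgate11g", "SSO Enabled Flag",
    "MDS DB Url", "MDS DB Schema Username", "Domain Location", "WLS Server URL",
    "WLS Username", "Domain Name", "OIM Managed Server Name", "LDAP Host",
    "LDAP Port", "LDAP Root DN", "User Search Base", "Group Search Base",
    "Password Expiry Period in Days",
)
TRANSFER_MODES = ("OPEN", "SIMPLE", "CERT")
WEBGATE_TYPES = ("javaWebgate", "ohsWebgate10g", "ohsWebgate11g")
# host:port:sid as in the guide, or //host:port/service for a service name.
JDBC_URL = re.compile(r"^jdbc:oracle:thin:@(//[^/:]+:\d+/[^/]+|[^/:]+:\d+:[^/:]+)$")
T3_URL = re.compile(r"^t3s?://[^/:]+:\d+$")

# Constructed copy of the guide's example profile.
SAMPLE_PROFILE = """Access Server Host :- sso.mycompany.com
Access Server Port :-443
Access Gate ID :-Webgate_sso
Cookie Domain :-.mycompany.com
Cookie Expiry Interval :-120
OAM Transfer Mode OPEN/SIMPLE/CERT :-OPEN
Webgate type javaWebgate/ohsWebgate10g/ohsWebgate11g :-ohsWebgate10g
SSO Enabled Flag :-true
MDS DB Url :-jdbc:oracle:thin:@oimdb1-vip.mycompany.com:1521:oimdb1
MDS DB Schema Username :-EDG_MDS
Domain Location :-/u01/app/oracle/admin/IDMDomain/aserver/IDMDomain
WLS Server URL :-t3://ADMINHOSTVHN.mycompany.com:7001
WLS Username :-weblogic
Domain Name :-IDMDomain
OIM Managed Server Name :-WLS_OIM1
LDAP Host :-oid.mycompany.com
LDAP Port :-389
LDAP Root DN :-cn=orcladmin
User Search Base :-cn=Users,dc=mycompany,dc=com
Group Search Base :-cn=Groups,dc=mycompany,dc=com
Password Expiry Period in Days :-7300
"""


def parse_profile(text):
    """Parse 'Key :-value' lines into a dict; blank lines and '#' comments are skipped."""
    profile = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":-" not in line:
            raise ValueError("line %d is not 'Key :-value': %r" % (lineno, raw))
        key, value = line.split(":-", 1)
        profile[key.strip()] = value.strip()
    return profile


def validate_profile(profile):
    """Return a list of problems; an empty list means the profile is ready for
    update-oim-config, seed-oam-passwords and seed-oam-metadata."""
    problems = []

    def get(key):
        return profile.get(key, "")

    for key in REQUIRED_KEYS:
        if not get(key):
            problems.append("missing or empty: " + key)
    for key in profile:
        # The tool prompts for every secret; none belongs in the profile on disk.
        if key.lower().endswith(("password", "passphrase")):
            problems.append("secret stored in profile, let the tool prompt instead: " + key)
    if "://" in get("Access Server Host") or "/" in get("Access Server Host"):
        problems.append("Access Server Host: must be a bare host name, not a URL")
    for key in ("Access Server Port", "LDAP Port", "Cookie Expiry Interval",
                "Password Expiry Period in Days"):
        if get(key) and not get(key).isdigit():
            problems.append(key + ": must be a whole number")
    if get("Cookie Domain") and not get("Cookie Domain").startswith("."):
        problems.append("Cookie Domain: must start with '.'")
    if get("OAM Transfer Mode OPEN/SIMPLE/CERT").upper() not in TRANSFER_MODES:
        problems.append("OAM Transfer Mode: must be OPEN, SIMPLE or CERT")
    if get("Webgate type javaWebgate/ohsWebgate10g/ohsWebgate11g") not in WEBGATE_TYPES:
        problems.append("Webgate type: must be one of " + ", ".join(WEBGATE_TYPES))
    if get("SSO Enabled Flag").lower() not in ("true", "false"):
        problems.append("SSO Enabled Flag: must be true or false")
    if not JDBC_URL.match(get("MDS DB Url")):
        problems.append("MDS DB Url: expected jdbc:oracle:thin:@host:port:sid")
    if not T3_URL.match(get("WLS Server URL")):
        problems.append("WLS Server URL: expected t3://host:port")
    for key in ("LDAP Root DN", "User Search Base", "Group Search Base"):
        if get(key) and "=" not in get(key):
            problems.append(key + ": must be an LDAP DN")
    return problems


if __name__ == "__main__":
    import sys
    # Usage: python check_profile.py IAM_ORACLE_HOME/server/ssointg/sso-config.profile
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PROFILE
    for line in validate_profile(parse_profile(text)) or ["OK"]:
        print(line)
```

The secret check matters because seed-oam-passwords writes the Access Gate password into the Credential Store; keeping it out of a world-readable profile under ORACLE_HOME is the point of the tool prompting for it.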

18.4.5 Seeding the xelsysadm User in Oracle Internet Directory

Create the xelsysadm user manually in Oracle Internet Directory. Note that you run the ldapadd command against Oracle Virtual Directory rather than directly against Oracle Internet Directory.

  1. Create a file called xelsysadm.ldif with the following contents:

    dn: cn=xelsysadm,cn=Users,dc=mycompany,dc=com
    orclPwdChangeRequired: false
    orclPwdExpirationDate: 2035-01-01T00:00:00Z
    sn: admin
    uid: xelsysadm
    givenname: xelsysadm
    displayname: xelsysadm
    mail: xelsysadm@mycompany.com
    cn: xelsysadm
    objectclass: orclIDXPerson
    objectclass: inetOrgPerson
    objectclass: organizationalPerson
    objectclass: person
    objectclass: top
    userpassword: xelsysadm password
    orclAccountEnabled: activated
    orclisenabled: ENABLED
    

    Replace "xelsysadm password" with the actual password for the account. Ensure that the user is created with the mail attribute; Oracle Identity Manager requires this attribute for user reconciliation.

  2. Use the ldapadd command to seed the xelsysadm user in LDAP, running it against OVD. The -q option prompts for the orcladmin password instead of taking it on the command line:

    ldapadd -h ovd.mycompany.com -p 389 -D cn="orcladmin" -q -f xelsysadm.ldif
    
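ldapadd accepts any well-formed entry, so nothing in the step above stops you from loading xelsysadm under the wrong container, without the mail attribute, or with the password placeholder still in place; those mistakes surface later as a failed reconciliation or a failed login in Section 18.4.7. The following added example (written for this edit, not from the guide or from any Oracle tool) parses the LDIF and checks the DN against the User Search Base given in sso-config.profile, the required attributes and object classes, and that the password is no longer a placeholder. SAMPLE_LDIF is a constructed copy of the entry above with the placeholder left in.

```python
REQUIRED_OBJECTCLASSES = {"orclidxperson", "inetorgperson", "organizationalperson", "person", "top"}
REQUIRED_ATTRIBUTES = ("uid", "cn", "sn", "mail", "userpassword", "orclaccountenabled")

# Constructed copy of the guide's LDIF, password placeholder included.
SAMPLE_LDIF = """dn: cn=xelsysadm,cn=Users,dc=mycompany,dc=com
orclPwdChangeRequired: false
orclPwdExpirationDate: 2035-01-01T00:00:00Z
sn: admin
uid: xelsysadm
givenname: xelsysadm
displayname: xelsysadm
mail: xelsysadm@mycompany.com
cn: xelsysadm
objectclass: orclIDXPerson
objectclass: inetOrgPerson
objectclass: organizationalPerson
objectclass: person
objectclass: top
userpassword: xelsysadm password
orclAccountEnabled: activated
orclisenabled: ENABLED
"""


def parse_ldif_entry(text):
    """Parse one LDIF entry into (dn, {attribute_lower: [values]}).
    Only the plain 'name: value' form is handled; the guide's entry uses no
    base64 ('::') values and no folded continuation lines."""
    dn, attrs = None, {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError("not an attribute line: %r" % line)
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    if dn is None:
        raise ValueError("entry has no dn")
    return dn, attrs


def normalize_dn(dn):
    """Lower-case and strip spaces around commas so DNs compare by value."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def check_xelsysadm_ldif(text, user_search_base):
    """Return the problems ldapadd would not catch but OIM or OAM would:
    wrong container, RDN/attribute mismatch, missing mail, placeholder password."""
    dn, attrs = parse_ldif_entry(text)
    problems = []
    ndn, nbase = normalize_dn(dn), normalize_dn(user_search_base)
    if not ndn.endswith("," + nbase):
        problems.append("dn %s is outside User Search Base %s" % (dn, user_search_base))
    rdn_attr, rdn_value = ndn.split(",", 1)[0].split("=", 1)
    if rdn_value not in [v.lower() for v in attrs.get(rdn_attr, [])]:
        problems.append("RDN %s=%s has no matching %s attribute" % (rdn_attr, rdn_value, rdn_attr))
    for attr in REQUIRED_ATTRIBUTES:
        if not attrs.get(attr):
            problems.append("missing attribute: " + attr)
    missing = REQUIRED_OBJECTCLASSES - {v.lower() for v in attrs.get("objectclass", [])}
    if missing:
        problems.append("missing objectclass: " + ", ".join(sorted(missing)))
    password = attrs.get("userpassword", [""])[0]
    # The guide's placeholder contains a space; welcome1 is its sample default.
    if not password or " " in password or password.lower() == "welcome1":
        problems.append("userpassword is empty, a placeholder or the guide's default; set the real password")
    return problems


if __name__ == "__main__":
    import sys
    # Usage: python check_xelsysadm.py xelsysadm.ldif "cn=Users,dc=mycompany,dc=com"
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    base = sys.argv[2] if len(sys.argv) > 2 else "cn=Users,dc=mycompany,dc=com"
    for line in check_xelsysadm_ldif(text, base) or ["OK"]:
        print(line)
```

The DN comparison is by normalized value, so "cn=xelsysadm, cn=Users, dc=mycompany, dc=com" with spaces after the commas still passes; what must match is the container, because that is where OIM reconciles from.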

18.4.6 Updating Oracle Identity Manager Configuration

Update the Oracle Identity Manager configuration with the Webgate Agent Type. This value must be updated in the oim-config.xml file.

Execute these steps on IDMHOST1, the host where the administration server is running:

  1. Use the OIM Export Metadata tool to export the /db/oim-config.xml from the MDS repository. The OIM Export Metadata Tool, weblogicExportMetadata.sh is located under the IAM_ORACLE_HOME/server/bin directory.

    The oim-config.xml file is exported to the directory specified by metadata_to_loc on the host where the managed server specified by wls_servername is running.

  2. Before you attempt to execute the tool, update the weblogic.properties file under the IAM_ORACLE_HOME/server/bin directory as follows:

    # Weblogic Server Name on which OIM application is running
    
    wls_servername=WLS_OIM1
    
    # If you are importing or exporting any out of box event handlers, value is oim.
    # For rest of the out of box metadata, value is OIMMetadata.
    # If you are importing or exporting any custom data, always use application name as OIMMetadata.
    
    application_name=oim
    
    # Directory location from which XML file should be imported.
    # Lets say I want to import User.xml and it is in the location /scratc/asmaram/temp/oim/file/User.xml,
    # I should give from location value as /scratc/asmaram/temp/oim. Make sure no other files exist
    # in this folder or in its sub folders. Import utility tries to recursively import all the files under the
    # from location folder. This property is only used by weblogicImportMetadata.sh
    
    metadata_from_loc=@metadata_from_loc
    
    # Directory location to which XML file should be exported to
    
    metadata_to_loc=/home/oracle/oim_export
    
    # For example /file/User.xml to export user entity definition. You can specify multiple xml files as comma separated values.# This property is only used by weblogicExportMetadata.sh and weblogicDeleteMetadata.sh scripts
    metadata_files=/db/oim-config.xml
    
    # Application version
    application_version=11.1.1.3.0
    
  3. Set the OIM_ORACLE_HOME variable to the Identity Management Oracle home.

    prompt> export OIM_ORACLE_HOME=/u01/app/oracle/product/fmw/iam
    
  4. Run the OIM Export Metadata Tool:

     prompt>./weblogicExportMetadata.sh
    
  5. Provide the values for the username, password and the server URL when prompted.

    Please enter your username [weblogic] : the administrator user name for the WebLogic domain, for example weblogic
    Please enter your password [welcome1] : the password for the administrator user
    Please enter your server URL [t3://localhost:7001] : the URL of the OIM Managed Server, for example t3://oimhost1.mycompany.com:14000
    
  6. The output from the tool will be similar to this:

    Initializing WebLogic Scripting Tool (WLST) ...
    
    Welcome to WebLogic Server Administration Scripting Shell
    
    Type help() for help on available commands
    
    Starting export metadata script ....
    Please enter your username [weblogic] :weblogic
    Please enter your password [welcome1] :
    Please enter your server URL [t3://localhost:7001] :t3://oimhost1.mycompany.com:14000
    Connecting to t3://oimhost1.mycompany.com:14000 with userid weblogic ...
    Successfully connected to managed Server 'WLS_OIM1' that belongs to domain 'IDMDomain'.
    
    Warning: An insecure protocol was used to connect to the server. To ensure on-the-wire security, the SSL port or Admin port should be used instead.
    
    Location changed to custom tree. This is a writable tree with No root.
    For more help, use help(custom)
    
    
    Disconnected from weblogic server: WLS_OIM1
    End of export metadata script ...
    
    
    Exiting WebLogic Scripting Tool.
    
  7. On the host where the managed server named in wls_servername is running, edit the oim-config.xml file exported under the /home/oracle/oim_export/db directory and set the value of webgateType to ohsWebgate10g, as shown:

    <webgateType>ohsWebgate10g</webgateType>
    

  8. Update the weblogic.properties file under the IAM_ORACLE_HOME/server/bin directory as shown here:

    # Weblogic Server Name on which OIM application is running
    
    wls_servername=WLS_OIM1
    
    # If you are importing or exporting any out of box event handlers, value is oim.
    # For rest of the out of box metadata, value is OIMMetadata.
    # If you are importing or exporting any custom data, always use application name as OIMMetadata.
    
    application_name=oim
    
    # Directory location from which XML file should be imported.
    # Lets say I want to import User.xml and it is in the location /scratc/asmaram/temp/oim/file/User.xml,
    # I should give from location value as /scratc/asmaram/temp/oim. Make sure no other files exist
    # in this folder or in its sub folders. Import utility tries to recursively import all the files under the
    # from location folder. This property is only used by weblogicImportMetadata.sh
    
    metadata_from_loc=/home/oracle/oim_export/db
    
    # Directory location to which XML file should be exported to
    
    metadata_to_loc=/home/oracle/oim_export
    
    # For example /file/User.xml to export user entity definition. You can specify multiple xml files as comma separated values.
    # This property is only used by weblogicExportMetadata.sh and weblogicDeleteMetadata.sh scripts
    
    metadata_files=/db/oim-config.xml
    
    # Application version
    application_version=11.1.1.3.0
    
  9. Run the OIM Import Metadata Tool:

     prompt>./weblogicImportMetadata.sh
    
  10. Provide the values for the username, password and the server URL when prompted.

    Please enter your username [weblogic] : the administrator user name for the WebLogic domain, for example weblogic
    Please enter your password [welcome1] : the password for the administrator user
    Please enter your server URL [t3://localhost:7001] : the URL of the OIM Managed Server, for example t3://oimhost1.mycompany.com:14000
    
  11. The output from the tool will be similar to this:

    Initializing WebLogic Scripting Tool (WLST) ...
    
    Welcome to WebLogic Server Administration Scripting Shell
    
    Type help() for help on available commands
    
    Starting import metadata script ....
    Please enter your username [weblogic] :weblogic
    Please enter your password [welcome1] :
    Please enter your server URL [t3://localhost:7001] :t3://oimhost1.mycompany.com:14000
    Connecting to t3://oimhost1.mycompany.com:14000 with userid weblogic ...
    Successfully connected to managed Server 'WLS_OIM1' that belongs to domain 'IDMDomain'.
    
    Warning: An insecure protocol was used to connect to the server. To ensure on-the-wire security, the SSL port or Admin port should be used instead.
    
    Location changed to custom tree. This is a writable tree with No root.
    For more help, use help(custom)
    
    Disconnected from weblogic server: WLS_OIM1
    End of import metadata script ...
    Exiting WebLogic Scripting Tool.
    
  12. Stop and start the Oracle Identity Manager Managed Servers as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components."
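Steps 2, 7 and 8 are three hand edits of two files, and the import utility walks metadata_from_loc recursively, so a stale file left in that directory is imported along with oim-config.xml. The following added example (written for this edit, not part of the guide or of the OIM metadata tools) rewrites weblogic.properties for the export run and for the import run without disturbing the comments, and changes the webgateType value in the exported oim-config.xml by a targeted substitution so the rest of the exported document is left untouched. SAMPLE_PROPERTIES is a trimmed copy of the file shown in step 2; SAMPLE_OIM_CONFIG is constructed, and only its webgateType element comes from the guide, the wrapper elements and namespace are invented.

```python
import posixpath
import re

WEBGATE_TYPES = ("javaWebgate", "ohsWebgate10g", "ohsWebgate11g")

# Constructed weblogic.properties in the shape the guide shows, comments trimmed.
SAMPLE_PROPERTIES = """# Weblogic Server Name on which OIM application is running
wls_servername=WLS_OIM1
# oim for out of box event handlers, OIMMetadata for everything else
application_name=oim
# This property is only used by weblogicImportMetadata.sh
metadata_from_loc=@metadata_from_loc
# Directory location to which XML file should be exported to
metadata_to_loc=/home/oracle/oim_export
metadata_files=/db/oim-config.xml
application_version=11.1.1.3.0
"""

# Constructed oim-config.xml fragment: only <webgateType> is from the guide,
# the wrapper elements and the namespace are made up for this example.
SAMPLE_OIM_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<oimconfig xmlns="urn:example:oim-config">
  <ssoConfig>
    <webgateType>javaWebgate</webgateType>
  </ssoConfig>
</oimconfig>
"""


def parse_properties(text):
    """Minimal Java .properties reader: '#'/'!' comments, key=value, no continuations."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def set_properties(text, updates):
    """Return text with the given keys' values replaced in place, comments and
    order preserved; keys that were absent are appended at the end."""
    out, seen = [], set()
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#!" and "=" in line:
            key = line.split("=", 1)[0].strip()
            if key in updates:
                out.append("%s=%s" % (key, updates[key]))
                seen.add(key)
                continue
        out.append(raw)
    for key, value in updates.items():
        if key not in seen:
            out.append("%s=%s" % (key, value))
    return "\n".join(out) + "\n"


def properties_for(text, mode, export_dir="/home/oracle/oim_export",
                   server="WLS_OIM1", metadata_file="/db/oim-config.xml"):
    """Return weblogic.properties text for an export or an import run of one file.
    For import, metadata_from_loc is the directory that holds the edited file;
    the import utility walks it recursively, so nothing else may be in there."""
    updates = {"wls_servername": server, "application_name": "oim",
               "metadata_files": metadata_file, "metadata_to_loc": export_dir}
    if mode == "export":
        updates["metadata_from_loc"] = "@metadata_from_loc"
    elif mode == "import":
        updates["metadata_from_loc"] = export_dir + posixpath.dirname(metadata_file)
    else:
        raise ValueError("mode must be 'export' or 'import'")
    return set_properties(text, updates)


_WEBGATE_RE = re.compile(r"(<webgateType>)([^<]*)(</webgateType>)")


def set_webgate_type(xml_text, webgate_type):
    """Replace the single <webgateType> value in an exported oim-config.xml and
    return (new_text, old_value); refuse if the element is absent or repeated."""
    if webgate_type not in WEBGATE_TYPES:
        raise ValueError("unknown webgate type: %s" % webgate_type)
    matches = _WEBGATE_RE.findall(xml_text)
    if len(matches) != 1:
        raise ValueError("expected exactly one <webgateType>, found %d" % len(matches))
    new_text = _WEBGATE_RE.sub(lambda m: m.group(1) + webgate_type + m.group(3), xml_text)
    return new_text, matches[0][1]
```

Write properties_for(text, "export") before step 4 and properties_for(text, "import") before step 9; between the two, pass the exported file through set_webgate_type and check the returned old value is what you expected to replace.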

18.4.7 Validating Integration

To validate that the wiring of OAM11g with OIM11g was successful, attempt to log in to the Oracle Identity Manager Self Service Console, as follows:

  1. Using a browser, navigate to https://sso.mycompany.com/oim. This will redirect you to the OAM11g single sign-on page.

  2. Log in using the xelsysadm user account created in Section 18.4.5, "Seeding the xelsysadm User in Oracle Internet Directory".

  3. If you see the OIM Self Service Console Page, the login was successful.

18.5 Integrating OAAM with OAM 11g

This section describes how to integrate OAAM with OAM and OIM. Once OAAM has been integrated with OAM, you can use the OAAM login instead of the standard OAM login to control access to resources. OAAM presents the login page and applies its fraud-prevention checks, but the credentials are still validated by OAM against the users in the OAM identity store.

When OAAM is integrated with OIM, OIM is used to help users who have forgotten their username or password.

This section contains the following topics:

18.5.1 Prerequisites

Before starting this association, ensure that the following tasks have been performed:

  1. Install and configure Oracle Access Manager (OAM) as described in Chapter 11.

  2. Configure Oracle Access Manager to work with an LDAP store as described in Section 11.7.

  3. Install Oracle Adaptive Access Manager as described in Chapter 12.

18.5.2 Configuring OAM Encryption Keys in CSF

  1. Go to Oracle Enterprise Manager Fusion Middleware Control at http://admin.mycompany.com/em using a web browser.

  2. Log in using the WebLogic administrator account, for example weblogic.

  3. Expand the WebLogic Domain icon in the navigation tree in the left pane.

  4. Select the IDMDomain, right click, and select the menu option Security and then the option Credentials in the sub menu.

  5. Click oaam to select the map, then click Create Key.

  6. In the pop-up window make sure Select Map is oaam.

  7. Enter:

    • Key Name: oam.credentials

    • Type: Password

    • UserName: OAM

    • Password: Password for OAM webgate

  8. Click OK to save the secret key to the Credential Store Framework.

18.5.3 Configuring OAM Policy Authentication Scheme

  1. Log in to the OAM console at http://admin.mycompany.com/oamconsole as the oamadmin user.

  2. Click the Policy Configuration tab.

  3. Double click OAAMAdvanced under Authentication Schemes.

  4. Enter the following information:

    Challenge URL: https://sso.mycompany.com:443/oaam_server/oamLoginPage.jsp

  5. Click Apply.

18.5.4 Setting OAAM properties for OAM

Oracle Adaptive Access Manager is configured to delegate user authentication to Oracle Access Manager by setting properties in the OAAM administration console at http://admin.mycompany.com/oaam_admin.

Log in using the oaamadmin account you created in Section 12.1.1, "Creating OAAM Administrative Groups and User in LDAP". Then proceed as follows:

  1. In the Navigation Tree, click Environment and double click Properties.

    The properties search page is displayed.

  2. To set a property value, enter its name in the Name field and click Search

    The current value is shown in the search results window.

  3. Click Value.

    Enter the new value and click Save.

  4. Set the following properties to enable OAAM to integrate with OAM:

    • bharosa.uio.default.password.auth.provider.classname: com.bharosa.vcrypt.services.OAMOAAMAuthProvider

    • bharosa.uio.default.is_oam_integrated: true

    • oaam.uio.oam.host: idmhost1.mycompany.com

    • oaam.uio.oam.port: OAM server proxy port, for example: 5574

    • oaam.uio.oam.obsso_cookie_domain: mycompany.com

    • oaam.uio.oam.webgate_id: Webgate_mysso

    • oaam.uio.oam.secondary.host: idmhost2.mycompany.com

    • oaam.uio.oam.secondary.host.port: 3004

    • oaam.oam.csf.credentials.enabled: true

    • oaam.uio.login.page: /oamLoginPage.jsp

  5. Restart the Administration Server and the WLS_OAM1, WLS_OAM2, WLS_OAAM1 and WLS_OAAM2 Managed Servers, as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components."

18.5.5 Validating OAAM/OAM Integration

To perform this validation, first create a test resource.

Create a test page called oaam_sso.html on WEBHOST1 and WEBHOST2. The easiest way to do this is to create a file called oaam_sso.html in the directory ORACLE_INSTANCE/config/OHS/component/htdocs with the following:

<html>
<body>
<center>
<h2>OAAM Protected Resource</h2>
</center>
</body>
</html>

18.5.5.1 Creating a Resource

Now that you have something to protect, create a resource in OAM and assign it to the OAAM policy group you created in Section 11.8.2, "Creating Oracle Adaptive Access Manager Policy Group"

Log in to the OAM console at: http://admin.mycompany.com/oamconsole. Log in using the oamadmin account created previously.

  1. From the Navigation window expand: Application Domains > IDMDomainAgent.

  2. Click Resources.

  3. Click Create on the tool bar below the Browse tab.

  4. Enter the following information:

    • Type: http

    • Host Identifier: IDMDomain

    • Resource URL: /oaam_sso.html

  5. Click Apply.

18.5.5.2 Assigning Resource to Policy Group

Now that the resource exists, assign it to one of the policy groups you created.

Log in to the OAM console at: http://admin.mycompany.com/oamconsole using the oamadmin account you previously created.

  1. From the Navigation window, expand: Application Domains > IDMDomainAgent > Authentication Policies.

  2. Click OAAM Protected Resources.

  3. Click Edit on the tool bar below the Browse tab.

  4. In the Resources box, click +.

  5. From the list select, the resource you created.

  6. Click Apply.

18.5.5.3 Adding Resource to Protected Resources

All that remains is to add the resource to the list of protected resources. To do this, log in to the OAM console at: http://admin.mycompany.com/oamconsole using the oamadmin account you created.

  1. From the Navigation window expand: Application Domains > IDMDomainAgent > Authorization Policies.

  2. Click Protected Resource Policy.

  3. Click Edit on the tool bar below the Browse tab.

  4. In the Resources box, click +.

  5. From the list, select the resource you created.

  6. Click Apply.

18.5.5.4 Validating Oracle Access Manager

Install Oracle WebGate as described in Section 18.2, "Installing and Configuring WebGate".

Access your protected resource using the URL: https://sso.mycompany.com:443/oaam_sso.html. The OAAM Login page is displayed. Log in using an authorized OAM user such as oamadmin. Once you are logged in, the oaam protected resource is displayed.

18.6 Integrating Oracle Adaptive Access Manager with Oracle Identity Manager

OAAM provides a comprehensive set of challenge questions. Its functionality includes:

  • Challenging the user before and after authentication, as required, with a series of questions.

  • Presenting the questions as images and seeking answers through various input devices.

  • Asking questions one after another, revealing subsequent questions only if correct answers are provided.

Oracle Identity Manager also has basic challenge question functionality. It allows users to answer a set of configurable questions and reset their password if they have forgotten it. Unlike OAAM, Oracle Identity Manager has a rich set of password validation capabilities, and it allows policies to be set based on the accounts owned, in addition to simple attributes.

In an Identity Management Suite deployment, best practice is to register only a single set of challenge questions, and to use a single set of password policies. OAAM can be integrated with Oracle Identity Manager so that OAAM provides the challenge questions and Oracle Identity Manager provides password validation, storage and propagation. This allows you to use OAAM fraud prevention at the same time you use Oracle Identity Manager for password validation. When OAAM is integrated with Oracle Identity Manager, Oracle Identity Manager is used to help users who have forgotten their username or password.

This section contains the following topics:

18.6.1 Prerequisites

Before starting this association, ensure that the following tasks have been performed:

  1. Install and configure Oracle Identity Management.

  2. Install Oracle Adaptive Access Manager.

  3. Install and configure Oracle Access Manager.

  4. Integrate Oracle Identity Manager with Oracle Access Manager, as described in Section 18.3.

  5. Integrate Oracle Access Manager with Oracle Adaptive Access Manager as described in Section 18.5.

18.6.2 Configuring OIM Encryption Keys in CSF

  1. Go to Oracle Enterprise Manager Fusion Middleware Control at http://adminhost.us.oracle.com/em using a web browser.

  2. Log in using the WebLogic administrator account, for example WebLogic.

  3. Expand the weblogic_domain icon in the navigation tree in the left pane.

  4. Select the IDM domain, right click, and select the menu option Security and then the option Credentials in the sub menu.

  5. Click Create Map. Enter oaam as the Map Name and click OK.

  6. Click oaam to select the map and then click Create Key.

  7. In the pop-up window, make sure Select Map is oaam.

  8. Enter:

    • Key Name: oim.credentials

    • Type: Password

    • UserName: xelsysadm

    • Password: Password for the xelsysadm account.

  9. Click OK to save the secret key to the Credential Store Framework.

18.6.3 Setting OAAM properties for OIM

Go to the OAAM Administration Console at: http://OAAMHOST2.mycompany.com:14200/oaam_admin. Log in using the oaamadmin account you created in Section 12.1.1, "Creating OAAM Administrative Groups and User in LDAP." Then proceed as follows:

  1. In the navigation tree, click Environment and double click Properties. The properties search page is displayed.

  2. To set a property value, enter its name in the Name field and click Search. The current value is shown in the search results window.

  3. Click Value. Enter the new value and click Save.

  4. Set the following properties to enable OAAM to integrate with OIM:

    • bharosa.uio.default.user.management.provider.classname: com.bharosa.vcrypt.services.OAAMUserMgmtOIM

    • bharosa.uio.default.signon.links.enum.selfregistration.url: https://sso.mycompany.com:443/oim/faces/pages/USelf.jspx?E_TYPE=USELF&OP_TYPE=SELF_REGISTRATION&backUrl=https://sso.mycompany.com:443/oim/faces/pages/Self.jspx

    • bharosa.uio.default.signon.links.enum.trackregistration.enabled: true

    • bharosa.uio.default.signon.links.enum.selfregistration.enabled: true

    • bharosa.uio.default.signon.links.enum.trackregistration.url: https://sso.mycompany.com:443/oim/faces/pages/USelf.jspx?E_TYPE=USELF&OP_TYPE=UNAUTH_TRACK_REQUEST&backUrl=https://sso.mycompany.com:443/oim/faces/pages/Self.jspx

    • oaam.oim.csf.credentials.enabled: true

    • oaam.oim.auth.login.config: ${oracle.oaam.home}/../designconsole/config/authwl.conf

    • oaam.oim.url: t3://oimhost1.mycompany.com:14000,oimhost2.mycompany.com:14000

    • oaam.oim.xl.homedir: ${oracle.oaam.home}/../designconsole
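The property values above are long, easy to mistype, and two of them carry a backUrl that OAAM redirects the browser to after the OIM self-service flow. The following Python script is an added example, not part of this guide or of OAAM, that checks the set before you save it: each sign-on link and its backUrl must be HTTPS on the SSO host (a backUrl on another host turns the link into an open redirect), oaam.oim.csf.credentials.enabled must be true so the xelsysadm password is read from the CSF key created in Section 18.6.2 rather than stored as a property, and every member of the oaam.oim.url cluster list must be well formed. The SSO and OIM host names are the ones used in this guide; the property dictionary is a constructed copy of the list above.

```python
from urllib.parse import parse_qs, urlsplit

SSO_HOST = "sso.mycompany.com"

# Constructed copy of the Section 18.6.3 property set, values as in this guide.
OAAM_OIM_PROPERTIES = {
    "bharosa.uio.default.user.management.provider.classname":
        "com.bharosa.vcrypt.services.OAAMUserMgmtOIM",
    "bharosa.uio.default.signon.links.enum.selfregistration.enabled": "true",
    "bharosa.uio.default.signon.links.enum.selfregistration.url":
        "https://sso.mycompany.com:443/oim/faces/pages/USelf.jspx"
        "?E_TYPE=USELF&OP_TYPE=SELF_REGISTRATION"
        "&backUrl=https://sso.mycompany.com:443/oim/faces/pages/Self.jspx",
    "bharosa.uio.default.signon.links.enum.trackregistration.enabled": "true",
    "bharosa.uio.default.signon.links.enum.trackregistration.url":
        "https://sso.mycompany.com:443/oim/faces/pages/USelf.jspx"
        "?E_TYPE=USELF&OP_TYPE=UNAUTH_TRACK_REQUEST"
        "&backUrl=https://sso.mycompany.com:443/oim/faces/pages/Self.jspx",
    "oaam.oim.csf.credentials.enabled": "true",
    "oaam.oim.auth.login.config":
        "${oracle.oaam.home}/../designconsole/config/authwl.conf",
    "oaam.oim.url":
        "t3://oimhost1.mycompany.com:14000,oimhost2.mycompany.com:14000",
    "oaam.oim.xl.homedir": "${oracle.oaam.home}/../designconsole",
}

LINK_PROPERTIES = (
    "bharosa.uio.default.signon.links.enum.selfregistration.url",
    "bharosa.uio.default.signon.links.enum.trackregistration.url",
)

OIM_PROVIDER = "com.bharosa.vcrypt.services.OAAMUserMgmtOIM"


def check_signon_link(name, url, sso_host):
    """Problems with one sign-on link.  Both the link and the backUrl it carries
    must be HTTPS on the SSO host: OAAM sends the browser to backUrl after the
    OIM self-service flow, so a foreign host here is an open redirect."""
    problems = []
    link = urlsplit(url)
    if link.scheme != "https" or link.hostname != sso_host:
        problems.append(f"{name}: link must be https://{sso_host}/..., got {url}")
    back = parse_qs(link.query).get("backUrl")
    if not back:
        problems.append(f"{name}: backUrl parameter is missing")
    else:
        target = urlsplit(back[0])
        if target.scheme != "https" or target.hostname != sso_host:
            problems.append(f"{name}: backUrl must stay on https://{sso_host}, got {back[0]}")
    return problems


def check_t3_cluster_url(url):
    """oaam.oim.url lists the OIM cluster as t3://host:port,host:port."""
    if not url.startswith("t3://"):
        return [f"oaam.oim.url: expected a t3:// URL, got {url!r}"]
    problems = []
    for member in url[len("t3://"):].split(","):
        host, sep, port = member.partition(":")
        if not host or not sep or not port.isdigit():
            problems.append(f"oaam.oim.url: malformed cluster member {member!r}")
    return problems


def lint_oaam_oim_properties(props, sso_host=SSO_HOST):
    """Return every violated invariant; an empty list means the set is consistent."""
    problems = []
    if props.get("oaam.oim.csf.credentials.enabled", "").lower() != "true":
        problems.append("oaam.oim.csf.credentials.enabled must be true so the xelsysadm "
                        "password is read from the CSF key, not from a property")
    if props.get("bharosa.uio.default.user.management.provider.classname") != OIM_PROVIDER:
        problems.append("user management provider is not the OIM provider")
    for name in LINK_PROPERTIES:
        url = props.get(name)
        if url is None:
            problems.append(f"{name}: not set")
        else:
            problems.extend(check_signon_link(name, url, sso_host))
    problems.extend(check_t3_cluster_url(props.get("oaam.oim.url", "")))
    return problems


if __name__ == "__main__":
    for line in lint_oaam_oim_properties(OAAM_OIM_PROPERTIES) or ["properties look consistent"]:
        print(line)
```

Paste the values you intend to enter in the console into the OAAM_OIM_PROPERTIES dictionary and run the script; a non-empty result lists what to correct before you click Save.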

18.6.4 Setting OIM properties for OAAM

  1. Log in to the OIM administrative console using the URL http://oimhost1.mycompany.com:14000/oim/self.

  2. Click the Advanced link on the self-service console.

  3. Click Search System Properties in the System Management Box.

  4. Click Advanced Search below the System Configuration search box.

  5. When the advanced search screen appears click the right arrow (->). Perform a general search. Do not provide a search string.

  6. Click each of the properties shown, then select Open from the Actions menu. Set the value of each property as shown and click Save to save the value.

    Note:

    The property name appears in the keyword column.

    • OIM.DisableChallengeQuestions: TRUE

    • OIM.ChangePasswordURL: https://sso.mycompany.com:443/oaam_server/oimChangePassword.jsp

    • OIM.ForgotPasswordURL: https://sso.mycompany.com:443/oaam_server/oimForgotPassword.jsp

    • OIM.ChallengeQuestionModificationURL: https://sso.mycompany.com:443/oaam_server/oimResetChallengeQuestions.jsp

18.6.5 Changing Domain to OAAM Advanced Protection

Log in to the OAM console at: http://admin.us.oracle.com/oamconsole

  1. From the Navigation Window, expand: Application Domains > IDMDomainAgent.

  2. Click Authentication Policies.

  3. Double click the policy Protected HigherLevel Policy.

  4. Change Authentication Scheme to OAAMAdvanced.

  5. Click Apply.

18.6.6 Creating Logout Page

You must create a logout page to allow applications to log out. A default page exists, but you must edit it and copy it to the WebGate installation on WEBHOST1 and WEBHOST2.

  1. Copy the file logout.html from the directory IDM_ORACLE_HOME/oam/server/oamsso on IDMHOST1 to MW_HOME/webgate/access/oamsso on WEBHOST1 and WEBHOST2.

  2. Edit the file on WEBHOST1. Change SERVER_LOGOUTURL to https://sso.mycompany.com:443/oam/server/logout.

    After editing the entry looks like this:

    ///////////////////////////////////////////////////////////////////////////////
    var SERVER_LOGOUTURL = "https://sso.mycompany.com:443/oam/server/logout";
    ///////////////////////////////////////////////////////////////////////////////
    

    Save the file.

    Make the same change to the file on WEBHOST2.

  3. Now that you have your own logout page on the web server, you must remove the default entry.

    Edit the file httpd.conf located in the directory ORACLE_INSTANCE/config/OHS/component name/.

    Comment out the following lines by adding a # at the beginning. The edited lines look like this:

    #*******Default Login page alias***
    #Alias /oamsso "/u01/app/oracle/product/fmw/webgate/access/oamsso"
    #<LocationMatch "/oamsso/*">
    #Satisfy any
    #</LocationMatch>
    #**********************************
    

    Save the file.

  4. Restart the Oracle HTTP server as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components."
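The two edits in this section are identical on WEBHOST1 and WEBHOST2 and are easy to leave half done by hand (for example commenting out the Alias line but leaving Satisfy any active). The following Python script is an added example, not part of this guide or of WebGate: it rewrites the SERVER_LOGOUTURL assignment so logout always reaches the OAM server endpoint, comments out every directive between the two marker lines, and reports whether an uncommented Alias /oamsso or Satisfy any directive still remains. The logout.html and httpd.conf excerpts are constructed stand-ins, and the original SERVER_LOGOUTURL value in them is invented.

```python
import re

SSO_LOGOUT_URL = "https://sso.mycompany.com:443/oam/server/logout"

# Constructed stand-in for the default WebGate logout.html; only the
# SERVER_LOGOUTURL assignment matters here (its placeholder value is invented).
SAMPLE_LOGOUT_HTML = """<html><head><script type="text/javascript">
///////////////////////////////////////////////////////////////////////////////
var SERVER_LOGOUTURL = "http://oam-server-host:port/oam/server/logout";
///////////////////////////////////////////////////////////////////////////////
</script></head><body></body></html>
"""

# Constructed httpd.conf excerpt with the default /oamsso block as WebGate adds it.
SAMPLE_HTTPD_CONF = """Listen 7777
#*******Default Login page alias***
Alias /oamsso "/u01/app/oracle/product/fmw/webgate/access/oamsso"
<LocationMatch "/oamsso/*">
Satisfy any
</LocationMatch>
#**********************************
"""

BLOCK_START = "#*******Default Login page alias***"
BLOCK_END = "#**********************************"

_LOGOUT_URL_RE = re.compile(
    r'^([ \t]*var[ \t]+SERVER_LOGOUTURL[ \t]*=[ \t]*)"[^"]*"([ \t]*;.*)$', re.MULTILINE)


def set_server_logout_url(html, url):
    """Point SERVER_LOGOUTURL at the OAM server logout endpoint.  Refuse to
    guess if the assignment is missing or appears more than once."""
    new, count = _LOGOUT_URL_RE.subn(lambda m: f'{m.group(1)}"{url}"{m.group(2)}', html)
    if count != 1:
        raise ValueError(f"expected one SERVER_LOGOUTURL assignment, found {count}")
    return new


def comment_out_oamsso_alias(conf):
    """Comment every directive between the two marker lines.  Lines that are
    already comments are left alone, so running this twice changes nothing."""
    out, inside = [], False
    for line in conf.splitlines(keepends=True):
        text = line.strip()
        if text == BLOCK_START:
            inside = True
        elif text == BLOCK_END:
            inside = False
        elif inside and text and not text.startswith("#"):
            line = "#" + line
        out.append(line)
    return "".join(out)


def oamsso_alias_active(conf):
    """True while an uncommented Alias /oamsso or 'Satisfy any' survives, i.e.
    the default page is still published alongside the new logout flow."""
    for line in conf.splitlines():
        text = line.strip()
        if text.startswith("#"):
            continue
        if text.startswith("Alias /oamsso") or text == "Satisfy any":
            return True
    return False


if __name__ == "__main__":
    print(set_server_logout_url(SAMPLE_LOGOUT_HTML, SSO_LOGOUT_URL))
    fixed = comment_out_oamsso_alias(SAMPLE_HTTPD_CONF)
    print(fixed, "alias still active:", oamsso_alias_active(fixed))
```

On each web host, read the real logout.html and httpd.conf, pass their contents through set_server_logout_url and comment_out_oamsso_alias, write the results back, and confirm that oamsso_alias_active returns False before restarting Oracle HTTP Server in step 4.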

18.6.7 Restarting Oracle Adaptive Access Manager and Oracle Identity Manager

Restart the following managed servers as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components."

  • Admin Server

  • WLS_OAM1 and WLS_OAM2

  • WLS_OIM1 and WLS_OIM2

  • WLS_OAAM1 and WLS_OAAM2

18.6.8 Validating OIM/OAAM Integration

Validate that OIM is integrated with OAAM as follows:

  • Log in to the OIM console at the URL: https://sso.mycompany.com:443/oim/self.

    The OAM login page is displayed.

  • Log in to the OIM console as the xelsysadm user.

    You are prompted to set up challenge questions and OAAM-specific security pictures.

18.7 Integrating Oracle Identity Federation with Oracle Access Manager 11g

This section describes how to integrate Oracle Identity Federation with Oracle Access Manager.

This section contains the following topics:

18.7.1 Configure Oracle Identity Federation Server

You configure the Oracle Identity Federation server by using Oracle Enterprise Manager Fusion Middleware Control. Select the OIF target.

18.7.1.1 Generating and Configuring Identity Provider and Service Provider Modules

First, generate metadata.

  1. From the OIF menu, select Administration, then Security And Trust and click the Provider Metadata tab.

  2. In the Generate Metadata section of the page, select Service Provider and click Generate to generate metadata for the Service Provider.

  3. Save the metadata file to a directory on the local disk of the client machine.

  4. Then select Identity Provider and click Generate to generate metadata for the Identity Provider.

Next, register the Service Provider and the Identity Provider by loading the metadata.

  1. From the OIF menu, select Administration, then Federations.

  2. Click Add to load the metadata you just generated.

  3. Select Enable Provider and Load Metadata.

Both the Service Provider and the Identity Provider should now be listed on the Federations page.

18.7.1.2 Configuring the Data Stores

  1. From the OIF menu, select Administration, then Data Stores.

  2. Click Edit, select the Repository Type, and furnish the DataStore details in the User Data Store section of the page.

18.7.1.3 Configuring the Authentication Engines

  1. From the OIF menu, select Administration, then Authentication Engines.

  2. Furnish the Data Store settings configured in Section 18.7.1.2, "Configuring the Data Stores" here, so that the authentication engine has the details of the user data store to authenticate the user against.

  3. Choose LDAP Directory in the Default Authentication Engine list. Click Apply.

  4. From the OIF menu, select Administration, then Service Provider. On the Common tab, enable the Service Provider and choose the Service provider that was registered in Section 18.7.1.1, "Generating and Configuring Identity Provider and Service Provider Modules" as the Default Service Provider.

  5. Similarly, from the OIF menu, select Administration, then Identity Provider. On the Common tab, enable the Identity Provider and choose the Identity provider that was registered in Section 18.7.1.1, "Generating and Configuring Identity Provider and Service Provider Modules" as the Default Identity Provider.

18.7.1.4 Configuring the OIF Server in Service Provider Mode

Now configure Oracle Identity Federation with the Oracle Access Manager Server details, so that it can send assertion tokens to the Oracle Access Manager Server and delegate session management to it.

  1. From the OIF menu, select Administration, then Service Provider Integration Modules.

  2. Select Oracle Single Sign-On from the list.

  3. On the Oracle Single Sign-On tab, select Logout Enabled and configure the following details:

    • Login URL: https://sso.mycompany.com/oam/server/dap/cred_submit

    • Logout URL: https://sso.mycompany.com/oam/server/logout

  4. Next to Oracle Single Sign-On Secret, click Regenerate. This generates a file called keystore which contains the keys used to encrypt and decrypt tokens that pass between the Oracle Access Manager Server and the Oracle Identity Federation Server.

  5. When the Save As dialog box appears, save the keystore file to a location on the local host.

You will need to furnish the full path of the keystore file when you use the wlst command, as described in the next section.

18.7.2 Configuring Oracle Access Manager Server

Oracle Access Manager now protects the resource: whenever a user attempts to access it, the OAM Server challenges the user for credentials. The next task is to configure the OAM Server to delegate that authentication to the OIF Server by protecting the resource with OIFScheme.

  1. Copy the keystore file to a directory under the Middleware home in which the OAM Server is installed.

  2. Invoke WLST from IAM_ORACLE_HOME/common/bin and use the registerOIFDAPPartner command to update the OIFDAPPartner block in oam-config.xml, as follows:

    registerOIFDAPPartner(keystoreLocation=location_of_keystore_file, logoutURL=OIF_logout_URL)  
    

    where OIF_logout_URL is the URL to invoke when the Oracle Access Manager server logs out. For example:

    registerOIFDAPPartner(keystoreLocation="/home/vaselvar/keystore", logoutURL="https://sso.mycompany.com/fed/user/spsloosso?doneURL=https://sso.mycompany.com/oam/logout.jsp")
    
  3. To validate, open the oam-config.xml file, locate OIFDAPPartner and verify that the properties in that block are updated with those you supplied with the wlst command.

  4. Next, edit the oam-policy.xml file in the DOMAIN_HOME/config/fmwconfig directory. In the OIFScheme block, replace the OIFHost and OIF Port placeholders in the challenge_url parameter with the host and port of the OIF server.

    <authn-scheme version="1" type="allow" name="OIFScheme" id="4bbbf36c-1781-49e0-bb42-7a5e8316450c" description="OIFScheme" auth-level="2">
        <challenge-redirect-url>/ngam/server/</challenge-redirect-url>
        <challenge-mechanism>DAP</challenge-mechanism>
        <challenge-param>
            <param type="external" optional="false" name="contextType"/>
            <param type="string" optional="false" name="daptoken"/>
            <param type="http://<OIFHost>:<OIF Port>/fed/user/sposso" optional="false" name="challenge_url"/>
        </challenge-param>
        <authn-module name="DAP"/>
    </authn-scheme>
    
  5. Now add the federated user into the OAM Server's embedded LDAP.

    Access the Administration Console at: http://admin.mycompany.com/console

    Select Security Realms > Users and Groups > New then Create a new user.

  6. Restart the Administration server and managed servers as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components"
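Step 4 is a hand edit to a file the OAM server parses at startup, and step 3 asks you to verify the result by eye. The following Python script is an added example, not part of this guide or of Oracle Access Manager: it replaces the OIFHost:OIF Port placeholder in the OIFScheme challenge_url, then parses the edited text and checks that the scheme exists, uses the DAP challenge mechanism, and sends the browser to the expected OIF host over HTTPS at /fed/user/sposso. The guide's placeholder shows http; requiring HTTPS is this example's own check, in line with the HTTPS endpoints used elsewhere in this section. The policy fragment is a constructed copy of the block in step 4, and the host oifhost1.mycompany.com and port 7499 in the usage are assumptions.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed fragment modelled on the OIFScheme block in step 4.  The real
# oam-policy.xml wraps it in a larger document, which iter() handles the same way.
OAM_POLICY_FRAGMENT = """<authn-scheme version="1" type="allow" name="OIFScheme" id="4bbbf36c-1781-49e0-bb42-7a5e8316450c" description="OIFScheme" auth-level="2">
    <challenge-redirect-url>/ngam/server/</challenge-redirect-url>
    <challenge-mechanism>DAP</challenge-mechanism>
    <challenge-param>
        <param type="external" optional="false" name="contextType"/>
        <param type="string" optional="false" name="daptoken"/>
        <param type="http://<OIFHost>:<OIF Port>/fed/user/sposso" optional="false" name="challenge_url"/>
    </challenge-param>
    <authn-module name="DAP"/>
</authn-scheme>
"""

# The guide's placeholder contains literal '<' inside an attribute, which is not
# well-formed XML, so it has to be replaced textually before the file is parsed.
_PLACEHOLDER_RE = re.compile(r"https?://<OIFHost>:<OIF ?Port>/fed/user/sposso")


def fill_oif_challenge_url(policy_text, oif_host, oif_port, scheme="https"):
    """Replace the placeholder challenge_url with the real OIF SP SSO endpoint."""
    url = f"{scheme}://{oif_host}:{oif_port}/fed/user/sposso"
    new, count = _PLACEHOLDER_RE.subn(url, policy_text)
    if count == 0:
        raise ValueError("OIFScheme placeholder not found (file already edited?)")
    return new


def _find_oif_scheme(policy_text):
    root = ET.fromstring(policy_text)   # ParseError here means the edit broke the file
    for scheme in root.iter("authn-scheme"):
        if scheme.get("name") == "OIFScheme":
            return scheme
    return None


def oif_challenge_url(policy_text):
    """The challenge_url the OAM server will redirect to, or None if absent."""
    scheme = _find_oif_scheme(policy_text)
    if scheme is None:
        return None
    for param in scheme.iter("param"):
        if param.get("name") == "challenge_url":
            return param.get("type")
    return None


def verify_oif_scheme(policy_text, oif_host):
    """Problems with the edited scheme: it must exist, use the DAP challenge
    mechanism, and redirect to HTTPS on the expected OIF host and SP SSO path."""
    scheme = _find_oif_scheme(policy_text)
    if scheme is None:
        return ["OIFScheme is not defined in oam-policy.xml"]
    problems = []
    if scheme.findtext("challenge-mechanism") != "DAP":
        problems.append("OIFScheme must use the DAP challenge mechanism")
    url = oif_challenge_url(policy_text) or ""
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append(f"challenge_url should use https, got {url!r}")
    if parts.hostname != oif_host.lower():
        problems.append(f"challenge_url host {parts.hostname!r} is not the OIF server {oif_host!r}")
    if parts.path != "/fed/user/sposso":
        problems.append(f"challenge_url path should be /fed/user/sposso, got {parts.path!r}")
    return problems


if __name__ == "__main__":
    # Assumed OIF host and port for the sake of the example.
    edited = fill_oif_challenge_url(OAM_POLICY_FRAGMENT, "oifhost1.mycompany.com", 7499)
    print(oif_challenge_url(edited))
    print(verify_oif_scheme(edited, "oifhost1.mycompany.com") or "OIFScheme looks correct")
```

Run fill_oif_challenge_url over the contents of DOMAIN_HOME/config/fmwconfig/oam-policy.xml, write the result back only when verify_oif_scheme returns an empty list, and then restart the servers as in step 6.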

18.8 Auditing Identity Management

Oracle Fusion Middleware Audit Framework is a new service in Oracle Fusion Middleware 11g, designed to provide a centralized audit framework for the middleware family of products. The framework provides audit service for platform components such as Oracle Platform Security Services (OPSS) and Oracle Web Services. It also provides a framework for JavaEE applications, starting with Oracle's own JavaEE components. JavaEE applications will be able to create application-specific audit events. For non-JavaEE Oracle components in the middleware such as C or JavaSE components, the audit framework also provides an end-to-end structure similar to that for JavaEE applications.

Figure 18-1 is a high-level architectural diagram of the Oracle Fusion Middleware Audit Framework.

Figure 18-1 Audit Event Flow


The Oracle Fusion Middleware Audit Framework consists of the following key components:

  • Audit APIs

    These are APIs provided by the audit framework for any audit-aware components integrating with the Oracle Fusion Middleware Audit Framework. During run-time, applications may call these APIs where appropriate to audit the necessary information about a particular event happening in the application code. The interface allows applications to specify event details such as username and other attributes needed to provide the context of the event being audited.

  • Audit Events and Configuration

    The Oracle Fusion Middleware Audit Framework provides a set of generic events for convenient mapping to application audit events. Some of these include common events such as authentication. The framework also allows applications to define application-specific events.

    These event definitions and configurations are implemented as part of the audit service in Oracle Platform Security Services. Configurations can be updated through Enterprise Manager (UI) and WLST (command-line tool).

  • The Audit Bus-stop

    Bus-stops are local files that hold audit data before it is pushed to the audit repository. If no database repository is configured, the bus-stop files can serve as a file-based audit repository; they are simple text files that can be queried easily to look up specific audit events. When a database repository is in place, the bus-stop acts as an intermediary between the component and the audit repository, and the local files are uploaded to the repository periodically, at a configurable interval.

  • Audit Loader

    As the name implies, audit loader loads the files from the audit bus-stop into the audit repository. In the case of platform and JavaEE application audit, the audit loader is started as part of the JavaEE container start-up. In the case of system components, the audit loader is a periodically spawned process.

  • Audit Repository

    Audit Repository contains a pre-defined Oracle Fusion Middleware Audit Framework schema, created by Repository Creation Utility (RCU). Once configured, all the audit loaders are aware of the repository and upload data to it periodically. The audit data in the audit repository is expected to be cumulative and will grow over time. Ideally, this should not be an operational database used by any other applications; rather, it should be a standalone RDBMS used for audit purposes only. In a highly available configuration, Oracle recommends that you use an Oracle Real Application Clusters (Oracle RAC) database as the audit data store.

  • Oracle Business Intelligence Publisher

    The data in the audit repository is exposed through pre-defined reports in Oracle Business Intelligence Publisher. The reports allow users to drill down the audit data based on various criteria. For example:

    • Username

    • Time Range

    • Application Type

    • Execution Context Identifier (ECID)

For more introductory information for the Oracle Fusion Middleware Audit Framework, see the "Introduction to Oracle Fusion Middleware Audit Framework" chapter in the Oracle Fusion Middleware Application Security Guide.

For information on how to configure the repository for Oracle Fusion Middleware Audit Framework, see the "Configuring and Managing Auditing" chapter in the Oracle Fusion Middleware Application Security Guide.

The EDG topology does not include Oracle Fusion Middleware Audit Framework configuration. The ability to generate audit data to the bus-stop files and the configuration of the audit loader will be available once the products are installed. The main consideration is the audit database repository where the audit data is stored. Because of the volume and the historical nature of the audit data, it is strongly recommended that customers use a separate database from the operational store or stores being used for other middleware components.