| Oracle® Role Manager Integration Guide Release 10g (10.1.4.2) Part Number E14611-07 |
|
|
View PDF |
| Oracle® Role Manager Integration Guide Release 10g (10.1.4.2) Part Number E14611-07 |
|
|
View PDF |
This chapter describes the steps to use the automated scripts to configure Oracle Role Manager for the Oracle Role Manager Integration Library and the application servers for both Oracle Role Manager and Oracle Identity Manager. The procedures in this chapter are expected to be performed in the sequence they are presented.
Note:
This chapter assumes that an instance of Oracle Role Manager is installed with the standard model following the instructions in Oracle Role Manager Installation Guide.This chapter includes the following sections:
Configuring and deploying Oracle Role Manager Integration Library on Oracle WebLogic Server using the automated configuration scripts involves the following high-level steps:
Checking prerequisites
Setting values in the properties files used by the script
Running the scripts
Performing the required manual procedures
The automated scripts use values that are set in properties files to configure your environment as described in the following sections.
The script used to configure Oracle Identity Manager does the following configuration:
Creates and configures the System User and User Group system identity on the Oracle Identity Manager system for access to Oracle Role Manager.
Imports the prepared configuration from an XML file into the Oracle Identity Manager system.
Modifies the Oracle Identity Manager startup script with the Integration Library classpath and other system properties.
Copies shared libraries to the Oracle Identity Manager file system.
Configures the following on the Oracle Identity Manager application server:
JMS queues and connection factories
Security credentials
System properties
Deploys the Oracle Role Manager Integration Library EAR file on the application server.
The script used to configure Oracle Role Manager does the following configuration:
Deploys the Integration Library base model and default component configuration to the Oracle Role Manager database.
Creates and configures the oimSystem system identity on the Oracle Role Manager database to be used for access by Oracle Identity Manager.
Sets the Oracle Identity Manager home directory for the Integration Library in the IMConfig.xml file.
Creates and copies key store information for signed messages (encryption).
Configures the following on the Oracle Role Manager application server:
JMS connection factory
Foreign JNDI providers
Security credentials
Node manager authentication
Starts the Oracle Identity Manager application server.
This chapter assumes that all of the prerequisites described in this section have been met.
Ensure that the following prerequisites for Oracle Identity Manager are met:
The WebLogic Node Manager is running.
The Oracle Identity Manager application server is installed and running.
You know the name of the domain credential to be shared between Oracle Role Manager and Oracle Identity Manager application servers.
You know the Oracle Identity Manager user/schema name and password.
You have the appropriate permission to stop and start the application server on which Oracle Identity Manager is deployed.
You know the administrator user name and password to access the Oracle Identity Manager Administrative and User Console and the Oracle Identity Manager Design Console.
You have the appropriate permission to modify files in the ORMINT_HOME directory on the Oracle Identity Manager host.
Ensure that the following prerequisites for Oracle Role Manager are met:
You have the access to the files in ORM_HOME/Integration_Library on the Oracle Role Manager installation host.
You have the appropriate permission to add and modify files in the application server host where Oracle Role Manager is deployed.
You have the appropriate permission to stop and start the application server where Oracle Role Manager is deployed.
You know the name of the application server where Oracle Role Manager is deployed.
You know the names of the Oracle Role Manager JMS module on the application server.
You know the URL to the JNDI server for Oracle Identity Manager.
You know the ID and password for the Oracle Role Manager owner and application user schemas.
You know the JDBC connection string of the Oracle Role Manager database instance.
You have access to the WebLogic Server Administrative Console and know the administrator user ID and password for the domains where Oracle Identity Manager and Oracle Role Manager are deployed.
The WebLogic Node Manager is running.
The configuration of signed messages in Oracle Role Manager and Oracle Identity Manager must be done manually prior to running the scripts for automated configuration. Complete the steps described in Section 5.5, "Configuring Signed Messages (Encryption)."
To configure Oracle Identity Manager and its application server:
Set the environment variables for the setup script as follows:
Navigate to ORMINT_HOME/tools/WebLogic_Automation.
Open the following file with a text editor:
For UNIX-based systems: oim-setup.sh
For Windows systems: oim-setup.bat
Set the values of the following environment variables to match your environment:
WLSHOME JAVA_HOME OIM_HOME
Navigate to ORMINT_HOME/tools/WebLogic_Automation/properties.
Open the OIMConfig.properties file with a text editor and edit values to match your environment as follows:
In the wlshost value, enter the host name or IP address of WebLogic host where Oracle Identity Manager is deployed.
In the wlsport value, enter the port used to access the WebLogic administrative console.
In the wlsadmin value, enter the ID of the WebLogic administrator.
In the oimdomain value, enter the name of the domain for Oracle Identity Manager as configured in WebLogic.
In the oimadminserver value, enter the name of the server where Oracle Identity Manager admin server is deployed.
In the OIM_WEBLOGIC_HOME value, enter the full path to the WebLogic installation directory.
In the OIM_APPSERVER_JDK_HOME value, enter the full path to the JDK being used to run the Oracle Identity Manager application server.
In the ormwlshost value, enter the host name or IP address of the WebLogic host where Oracle Role Manager is deployed.
In the ormwlsport value, enter the port used to access the Oracle Role Manager administrative console.
In the ORMINT_HOME value, enter the full path to the Oracle Role Manager Integration Library root directory.
In the XLHOMEDIR value, enter the full path to the Oracle Identity Manager xellerate directory.
In the xladminuser value, enter the ID of the Oracle Identity Manager administrator.
In the xeldbhost value, enter the host name or IP address of the Oracle Identity Manager database host.
In the xeldbuser value, enter the name of the Oracle Identity Manager database user/schema. By default, this is xladm.
In the xeldbsid value, enter the database instance service name for the Oracle Identity Manager schema.
In the xeldbport value, enter the port to access the database instance for the Oracle Identity Manager schema.
If you want to repeat only certain steps using the configuration, at the bottom of the file, uncomment the steps that you want to skip, leaving the ones you want to run commented out.
For example, to run only the step to deploy the Integration Library application to the application server, the comments should be as follows:
done.copy-oim-binaries=true done.domain-credential-setup=true done.startup-script-preparation=true done.update-IMConfig-oimRootdir=true done.create-jms-resources=true done.create-user-group=true done.import-prepared-configuration=true done.create-itresource-systemproperty=true #done.deploy-integration-library-ear=true
Save and close the OIMConfig.properties file.
In a command window, navigate to ORMINT_HOME/tools/WebLogic_Automation and run the following command:
For UNIX-based systems: sh oim-setup.sh
For Windows systems: oim-setup.bat
At the prompt, enter a value to use as the domain credential that is shared between Oracle Role Manager and Oracle Identity Manager application servers.
At the prompt, enter the a password to use for the oimSystem system identity created by the configuration script.
Make a note of this password. You will need to provide it later when running the configuration script and when configuring the IT resource manually.
At the prompt, enter the password of the WebLogic administrator for the server where Oracle Identity Manager is deployed.
At the prompt, enter the password of the Oracle Identity Manager user/schema.
At the prompt, enter the password of the Oracle Identity Manager system administrator.
Restart the Oracle Identity Manager server.
Proceed with the manual steps described in this chapter.
To configure Oracle Role Manager and its application server:
Stop the Oracle Role Manager server if it is running by using the Shutdown When work completes option.
Ensure the shutdown has completed and there are no connections open to the Oracle Role Manager Web application or Oracle Role Manager administrative console before proceeding.
Note:
For clarification, the WebLogic admin server must be running, but with the Oracle Role Manager server stopped.If you require any customizations to configurable components, such as setting custom timer intervals, follow the procedures in Section 5.6 to create a custom CAR file that includes your changes.
Note:
You can make customizations to the configurable components at any time. For more information, see Section 5.6, "Modifying Component Configuration."On the Oracle Role Manager host, set the environment variables as follows:
Navigate to ORM_HOME/Integration_Library/tools/WebLogic_Automation
Open the following file with a text editor:
For UNIX-based systems: orm-setup.sh
For Windows systems: orm-setup.bat
Set the values of the following environment variables to match your environment:
ORM_INSTALL_ROOT WEBLOGIC_INSTALL_ROOT JAVA_HOME ORMINT_HOME
Save and close the setup file.
Navigate to ORM_HOME/Integration_Library/tools/WebLogic_Automation/properties.
Open the ORMConfig.properties file with a text editor and edit values to match your environment as follows:
In the ormdb.url value, enter the JDBC connection string for the database instance for Oracle Role Manager.
In the ormdb.driverclass value, accept the default value of oracle.jdbc.OracleDriver.
In the ormdb.dbowner value, enter the name of the database owner user/schema created during installation of Oracle Role Manager.
In the ormdb.appuser value, enter the name of the database application user user/schema created during installation of Oracle Role Manager.
In the ormadm value, enter the ID of the Oracle Role Manager system administrator as set during installation of Oracle Role Manager.
This is the user to connect to the Oracle Role Manager administrative console.
In the ormurl value, enter the address of the application server where Oracle Role Manager administrative console is deployed. For example, http://host_name_or_ip_address:port.
Optionally, if you have created a custom CAR file to deploy, for the configurations value, replace oim_integration.car with the name of your custom CAR file.
In the weblogic.adminurl value, enter the address of the WebLogic Server administrative console.
In the weblogic.username value, enter the ID of the WebLogic Server administrator.
In the weblogic.servername value, enter the name given to the Oracle Role Manager server when deploying to WebLogic Server during installation of Oracle Role Manager.
In the weblogic.jmsmodule value, ensure the value is the same as what was configured during installation of Oracle Role Manager.
In the weblogic.remote.url value, enter the address to the remote JNDI server for Oracle Identity Manager.
If you want to repeat only certain steps using the configuration, at the bottom of the file, uncomment the steps that you want to skip, leaving the ones you want to run commented out.
For example, to redeploy modified configuration to the Oracle Role Manager database, the comments should be as follows:
#done.configurations=true done.appserver=true done.encryption_config=true done.datafile=true
Save and close the ORMConfig.properties file.
In a command window, navigate to ORM_HOME/Integration_Library/tools/WebLogic_Automation and run the following command:
For UNIX-based systems: csh orm-setup.sh
For Windows systems: orm-setup.bat
At the prompt, enter the password of the WebLogic administrator for the server where Oracle Role Manager is deployed.
At the prompt, enter the same value used when running the setup script for Oracle Identity Manager to use as the WebLogic shared domain credential.
At the prompt, re-enter the WebLogic shared domain credential.
At the prompt, enter the password of the Oracle Role Manager database user/schema.
At the prompt, enter the password of the Oracle Role Manager administrator.
At the prompt, enter the same password for the oimSystem system user as was set in Section 4.3
Make note of this password because you will provide it when configuring the IT resource in Section 6.9.
At the prompt, re-enter the password for the oimSystem system user.
At the prompt, enter the Oracle Role Manager key store password (created in Step 10 of Section 5.5).
The automated configuration can take a few moments while configuration files are deployed into the Oracle Role Manager database and the WebLogic server is configured.
At the prompt, restart the WebLogic server.
Once the server has started, press any key to continue the automated configuration.
Proceed with the manual steps described in this chapter.
This section contains the procedures that must be performed both after running the WebLogic automation scripts on Oracle Identity Manager and Oracle Role Manager.
This section contains the following manual steps:
Configuring the JMS Connection Factory for XA on the Oracle Role Manager Server
Configuring the JMS Connection Factory for XA on the Oracle Identity Manager Server
Configuration of the IT resource in Oracle Identity Manager must be done manually. Complete the steps described in Section 6.9, "Configuring the IT Resource."
The oimORMUser ID is by default set to ormSystem. For WebLogic, it must be changed to Internal as described in the procedure in this section.
Note:
If you have a clustered server configuration, this procedure must be performed on all managed nodes.To set the oimORMUser ID:
On the Oracle Identity Manager host, navigate to ORMINT_HOME/config.
Open the IMConfig.xml file for editing.
In the policies section, edit the oimORMUser policy to change ormSystem to Internal as follows:
<policy>
<parameters>
<parameter>
<id>oimORMUser</id>
<string>Internal</string>
</parameter>
</parameters>
</policy>
Save and close the IMConfig.xml file.
The automated configuration script for configuring Oracle Identity Manager creates two system users: the Internal user and the ormProxyUser. By default, these users are assigned the same password as the one provided for the Oracle Identity Manager administrator. It is recommended that these passwords be reset as described in this section.
To reset the system user passwords:
Start the application server for Oracle Identity Manager if it is not running.
In a Web browser, connect to the Oracle Identity Manager Administrative and User Console. For example:
http://appserverhost:7001/xlWebApp
Reset the password for the Internal user as follows:
In the User ID field, enter Internal.
In the Password field, enter the password of the Oracle Identity Manager system administrator.
In the Manage Your Account area, click Change Password.
In the Old Password field, enter the password you just used to log in.
In the New Password field, enter a new password.
In the Confirm Password field, enter the password again.
Click Save, then log out.
Reset the password for the ormProxyUser user as follows:
Click Click here to log in to Oracle Identity Manager.
In the User ID field, enter ormProxyUser.
In the Password field, enter the password of the Oracle Identity Manager system administrator.
In the Manage Your Account area, click Change Password.
In the Old Password field, enter the password you just used to log in.
In the New Password field, enter a new password.
In the Confirm Password field, enter the password again.
Click Save, then log out.
Reset the password of the Internal in WebLogic as follows:
In a Web browser, connect to the WebLogic Server Console for Oracle Role Manager. For example:
http://orm_appserverhost:7001/console
From Services, select Foreign JNDI Providers.
Click Remote OIM ForeignJNDIProvider.
In the User field, ensure the value is Internal.
In the Password field, enter the new password of the Internal user.
In the Confirm Password field, enter the password again.
Click Save.
To configure the JMS connection factory:
Start the Oracle Role Manager Admin server if it is not already started.
In a Web browser, log in to the WebLogic Server Console for Oracle Role Manager. For example:
http://orm_appserverhost:7001/console
From Services, select Messaging, then select JMS Modules.
Click ORM JMSModule.
Click OIM ConnectionFactory.
On the Transactions tab, select XA Connection Factory Enabled.
Click Save.
To configure the JMS connection factory:
Start the Oracle Identity Manager Admin server if it is not already started.
In a Web browser, log in to the WebLogic Server Console for Oracle Identity Manager. For example:
http://oim_appserverhost:7001/console
From Services, select Messaging, then select JMS Modules.
Click OIM-ORM JMS Module.
Click ormJMSConnectionFactory.
On the Transactions tab, select XA Connection Factory Enabled.
Click Save.
Disabling transaction authentication for Oracle Role Manager transactions must be done manually. Disabling transaction authentication is required when the node manager is not accepting connection due to wrong certificate configuration. Complete the steps described in Section 7.2.5, "Disabling Authentication on the Oracle Role Manager Node."
Configuration for role grant approval workflow must be done manually. Complete the steps described in Section 6.10, "Configuring Role Grant Approval Workflow."
Test the installation by following the steps in Chapter 10, "Testing the Oracle Role Manager Integration Library Installation."
|
 Copyright © 2010, Oracle and/or its affiliates. All rights reserved. Legal Notices |
|