Oracle® Role Manager Integration Guide
Release 10g (10.1.4.2)

Part Number E14611-07

7 Configuring WebLogic Server

This chapter contains procedures for manual configuration of the WebLogic application servers for Oracle Identity Manager and Oracle Role Manager in preparation for deployment of the Oracle Role Manager Integration Library (Integration Library). The procedures in this chapter are expected to be performed in the sequence they are presented.

Note:

If you run the automated configuration scripts as described in Chapter 4, you do not need to perform the manual steps in this chapter.

This chapter includes the following sections:

7.1 Before You Configure

The Oracle Role Manager Integration Library is intended to be deployed on the application server on which Oracle Identity Manager is deployed. The procedures in this chapter assume the following:

7.2 Configuring the Oracle Role Manager Server

This procedure assumes that a WebLogic server and domain have been created for Oracle Role Manager with a host alias set for port access to Oracle Role Manager.

This section includes the following subsections:

7.2.1 Configuring the JMS Connection Factory

To configure the JMS module connection factory:

  1. Start the Oracle Role Manager server if it is not already started.

  2. In a Web browser, log in to the WebLogic Server Console. For example:

    http://appserverhost:7001/console
    
  3. From Services, select Messaging, then select JMS Modules.

  4. Click ORM JMSModule.

  5. Click New.

  6. Select the Connection Factory option.

  7. Click Next.

  8. In the Name field, enter OIM ConnectionFactory.

  9. In the JNDI Name field, enter external/srqueues/orm/QueueConnectionFactory.

  10. Click Next, then click Finish.

  11. Click OIM ConnectionFactory.

  12. Ensure that Default Targeting is enabled.

  13. On the Transactions tab, select XA Connection Factory Enabled.

  14. Click Save.

    You should see the new connection factory in the list.

7.2.2 Configuring the Foreign JNDI Providers

To configure the foreign JNDI providers:

  1. From Services, select Foreign JNDI Providers.

  2. Click New.

  3. In the Name field, enter Remote OIM ForeignJNDIProvider.

  4. Click OK.

  5. Click Remote OIM ForeignJNDIProvider.

  6. In the Initial Context Factory field, enter weblogic.jndi.WLInitialContextFactory.

  7. In the Provider URL field, enter t3://oim_ipaddress:oim_port

    where

    oim_ipaddress is the IP address of the Oracle Identity Manager application server host

    oim_port is the port for access to the Oracle Identity Manager server

    Note:

    If you are configuring a clustered server environment, the URL must be in the form t3://oim_ipaddress1:port,oim_ipaddress2:port

  8. In the User field, enter Internal.

  9. In the Password field, enter the password of the Internal user.

  10. In the Confirm Password field, enter the password again.

  11. Click Save.

  12. Configure the Remote OIM Connection Factory as follows:

    1. From Services, select Foreign JNDI Providers.

    2. Click Remote OIM ForeignJNDIProvider.

    3. On the Links tab, click New.

    4. In the Name field, enter RoleUpdateQCF.

    5. In the Local JNDI Name field, enter oim/OIMserver/QueueConnectionFactory.

    6. In the Remote JNDI Name field, enter oim/OIMserver/QueueConnectionFactory.

    7. Click OK.

  13. Configure the Remote OIM Queue as follows:

    1. On the Links tab, click New.

    2. In the Name field, enter RoleUpdateQueue.

    3. In the Local JNDI Name field, enter oim/OIMserver/RoleManagerQueue.

    4. In the Remote JNDI Name field, enter oim/OIMserver/RoleManagerQueue.

    5. Click OK.

7.2.3 Configuring the Security Credentials

To configure the credentials:

  1. Click the domain on which Oracle Role Manager is deployed.

  2. On the Security tab, expand Advanced.

  3. Clear any value in the Credential field.

  4. In the Credential field, enter the domain credential of the Oracle Identity Manager server.

    Note:

    The domain credential is generated when the server is started and ensures that by default no two WebLogic server domains have the same credential. In this case, the same credentials are entered for both Oracle Identity Manager and Oracle Role Manager.

  5. In the Confirm Credential field, enter the credential again.

  6. Click Save.

  7. Restart the Oracle Role Manager server.

7.2.4 (Clustered Mode Only) Configuring the Subdeployment of the Connection Factory

Note:

If you are configuring a clustered environment, perform this procedure for each managed server.

To change the subdeployment of the Oracle Identity Manager connection factory:

  1. In the domain tree, select Services, then select Messaging.

  2. Select JMS Modules, then click ORM JMSModule.

  3. Click OIM ConnectionFactory.

  4. Deselect the Default Targeting Enabled box, then click Save.

  5. Click the Subdeployment tab.

  6. In the Subdeployment list, select cf-sub.

  7. Click Save.

7.2.5 Disabling Authentication on the Oracle Role Manager Node

This procedure disables transaction authentication for Oracle Role Manager transactions. Disabling transaction authentication is required when the node manager is not accepting connections because of an incorrect certificate configuration.

Note:

If you are configuring a clustered environment, perform this procedure for each managed node.

To disable authentication on the Oracle Role Manager node:

  1. Navigate to WEBLOGIC_HOME\common\nodemanager folder and edit the nodemanager.properties file.

  2. Change the value of the AuthenticationEnabled property to false.

  3. Restart all the servers on the Oracle Role Manager domain including the admin server.
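Because this procedure is applied node by node, it helps to record which nodes currently have node manager authentication turned off. The following check is an added example, not part of the Oracle documentation or product; the file names and sample contents are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not Oracle code. Sample file contents are constructed.

# Print the effective value of KEY in a Java .properties FILE.
# Handles "key=value" and "key: value", surrounding whitespace, comment
# lines starting with # or !, and repeated keys (the last one is kept).
prop_value() {
    awk -v key="$2" '
        /^[ \t]*[#!]/ { next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (index(line, key) != 1) next
            rest = substr(line, length(key) + 1)
            if (rest !~ /^[ \t]*[=:]/) next
            sub(/^[ \t]*[=:][ \t]*/, "", rest)
            sub(/[ \t\r]+$/, "", rest)
            val = rest; found = 1
        }
        END { if (found) print val }
    ' "$1"
}

# Classify a nodemanager.properties file by its AuthenticationEnabled value.
nm_auth_state() {
    v=$(prop_value "$1" AuthenticationEnabled | tr 'A-Z' 'a-z')
    case "$v" in
        false) echo disabled ;;
        true)  echo enabled ;;
        "")    echo unset ;;
        *)     echo "unrecognized:$v" ;;
    esac
}

# Constructed samples standing in for the file on two managed nodes.
demo_dir=$(mktemp -d)
cat > "$demo_dir/node1.properties" <<'EOF'
# constructed sample
ListenPort=5556
AuthenticationEnabled=true
AuthenticationEnabled = false
EOF
cat > "$demo_dir/node2.properties" <<'EOF'
#AuthenticationEnabled=false
ListenPort=5556
EOF

for f in "$demo_dir"/node*.properties; do
    printf '%s: authentication %s\n' "${f##*/}" "$(nm_auth_state "$f")"
done
rm -rf "$demo_dir"
```

To use it on a real node, call nm_auth_state with the path to the nodemanager.properties file edited in step 1.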

7.3 Configuring the Oracle Identity Manager Server

This procedure assumes that a WebLogic server and domain have been created for Oracle Identity Manager.

For clustered environments, it is assumed that the managed servers in the cluster can be started and stopped remotely on the administrative console and that the Integration Library software has been distributed on all managed nodes.

This section includes the following subsections:

7.3.1 Modifying the Oracle Identity Manager Startup Script

If you are invoking Oracle Identity Manager using a startup script, you must edit the script to include the path to the Integration Library software and add the Integration Library binaries to the classpath before you can start using the Oracle Role Manager Integration Library. Making this change before the Integration Library software is deployed does not affect the operation of Oracle Identity Manager until it is restarted.

To modify the startup script:

  1. On the Oracle Identity Manager host, navigate to the bin directory on the domain on which Oracle Identity Manager is deployed. For example, WEBLOGIC_HOME/user_projects/domains/oimdomain/bin.

  2. Open the start script for editing:

    For UNIX-based systems, open xlStartWLS.sh.

    For Windows systems, open xlStartWLS.cmd.

    Note:

    If you have a managed server environment where the server is started from this script, open the xlStartManagedWebLogic.sh or xlStartManagedWebLogic.cmd instead.

  3. Add the following libraries to the CLASSPATH environment setting:

    ORMINT_HOME/lib/commons-logging.jar;ORMINT_HOME/lib/orm_encryption.jar;ORMINT_HOME/lib/server_api_14.jar
    

    where ORMINT_HOME is the full path to the home directory of the Oracle Role Manager Integration Library.

  4. Modify the JAVA_OPTIONS entry as follows:

    1. For UNIX-based systems, add a backslash (\) at the end of the -Djava.awt.headless=true argument.

    2. For Windows systems, add a caret (^) at the end of the -Djava.awt.headless=true argument.

    3. Add the following argument to the end of the JAVA_OPTIONS entry:

      -DORMINT_ROOT_DIR=ORMINT_HOME
      

      where ORMINT_HOME is the full path to the home directory of the Oracle Role Manager Integration Library.

    4. Optionally, to enable logging for the Integration Library, add the following argument to the end of the JAVA_OPTIONS entry:

      -Djava.util.logging.config.file=ORMINT_HOME/config/logging.properties
      

      where ORMINT_HOME is the full path to the home directory of the Oracle Role Manager Integration Library.

  5. Save and close the start script.
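After editing, the start script can be checked for the entries required by steps 3 and 4 before Oracle Identity Manager is restarted. The following check for UNIX-based systems is an added example, not part of the Oracle documentation or product; the function name, the /opt/ormint path and the script fragments are constructed, and the fragments use the UNIX classpath separator (:).

```shell
#!/bin/sh
# Added example, not Oracle code. Paths and script fragments are constructed.

# Report which of the edits from steps 3 and 4 are missing from a start script.
# $1 = start script, $2 = ORMINT_HOME (full path). Returns 0 when all are present.
check_start_script() {
    script=$1 home=$2 missing=0
    for jar in commons-logging.jar orm_encryption.jar server_api_14.jar; do
        if ! grep -F -q -- "$home/lib/$jar" "$script"; then
            echo "CLASSPATH entry missing: $home/lib/$jar"
            missing=$((missing + 1))
        fi
    done
    if ! grep -F -q -- "-DORMINT_ROOT_DIR=$home" "$script"; then
        echo "JAVA_OPTIONS argument missing: -DORMINT_ROOT_DIR=$home"
        missing=$((missing + 1))
    fi
    # Step 4.1: the headless argument must end with a backslash so that the
    # arguments added after it stay part of the same JAVA_OPTIONS entry.
    if ! grep -E -q -- '-Djava\.awt\.headless=true[[:space:]]*\\$' "$script"; then
        echo "no backslash after -Djava.awt.headless=true"
        missing=$((missing + 1))
    fi
    [ "$missing" -eq 0 ]
}

# Constructed fragments: a script before the edit and one after it.
demo=$(mktemp -d)
cat > "$demo/before.sh" <<'EOF'
CLASSPATH=/opt/oim/lib/example.jar
JAVA_OPTIONS="-Xms256m -Djava.awt.headless=true"
EOF
cat > "$demo/after.sh" <<'EOF'
CLASSPATH=/opt/oim/lib/example.jar:/opt/ormint/lib/commons-logging.jar:/opt/ormint/lib/orm_encryption.jar:/opt/ormint/lib/server_api_14.jar
JAVA_OPTIONS="-Xms256m -Djava.awt.headless=true \
 -DORMINT_ROOT_DIR=/opt/ormint"
EOF

for s in before.sh after.sh; do
    if check_start_script "$demo/$s" /opt/ormint; then
        echo "$s: all Integration Library entries present"
    else
        echo "$s: incomplete"
    fi
done
rm -rf "$demo"
```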

7.3.2 Configuring the Shared Libraries

Note:

In a clustered server environment, perform this procedure on all managed nodes.

To configure the shared libraries:

  1. On the file system where Oracle Identity Manager is deployed, create the following directory if it does not exist:

    OIM_appserver/jdk/jre/lib/endorsed
    

    where OIM_appserver/jdk is the JDK directory for WebLogic, either Sun JDK or WebLogic JRockit.

  2. Copy the following libraries into the endorsed directory:

    ORMINT_HOME/lib/xercesImpl.jar
    ORMINT_HOME/lib/xml-apis.jar
    
  3. Restart the Oracle Identity Manager server.

7.3.3 (Clustered Mode Only) Configuring JMS Queues and Connection Factories

To configure JMS queues and connection factories:

  1. In a Web browser, log in to the WebLogic Server Console. For example:

    http://appserverhost:7001/console
    
  2. Configure a JMS queue connection factory as follows:

    1. From Services, select Messaging, then select JMS Modules.

    2. Click New.

    3. In the Name field, enter OIM-ORM JMS Module, then click Next.

    4. Assign the JMS module to the Oracle Identity Manager cluster, for example OIM_Cluster, then click Next.

    5. Click Next.

    6. Select the Would you like to add resources box, then click Finish.

    7. On the Settings page, click New.

    8. Select ConnectionFactory, then click Next.

    9. In the Name field, enter ormJMSConnectionFactory.

    10. In the JNDI Name field, enter /oim/OIMserver/QueueConnectionFactory.

    11. Click Next, then click Finish.

    12. Click ormJMSConnectionFactory.

    13. On the Transactions tab, select XA Connection Factory Enabled.

    14. Click Save.

  3. Configure a JMS server for each Oracle Identity Manager managed server as follows:

    1. From Services, select Messaging, then select JMS Servers.

    2. Click New.

    3. In the Name field, enter ORMIntegration1, then click Next.

    4. Click Finish.

    5. Click the newly created JMS server, for example ORMIntegration1.

    6. Select the Targets tab and assign the JMS server to the first Oracle Identity Manager managed server, for example, OIM_Server1.

    7. Click Save.

    8. Repeat these steps for each managed server. For example, create ORMIntegration2 and assign it to OIM_Server2, and so on.

  4. Configure a distributed JMS queue as follows:

    1. From Services, select Messaging, then select JMS Modules.

    2. Click OIM-ORM JMS Module, then click New.

    3. Select Distributed Queue, then click Next.

    4. In the Name field, enter ormJMSQueue.

    5. In the JNDI Name field, enter oim/OIMserver/RoleManagerQueue.

    6. Click Next.

    7. Click Advanced Targeting.

    8. Click Create a New Subdeployment.

    9. In the Subdeployment Name field, enter ormJMSQueue subdeployment.

    10. Click OK.

    11. Select each of the JMS servers created in step 3. For example, ORMIntegration1 and ORMIntegration2.

    12. Click Finish.

7.3.4 (Nonclustered Mode Only) Configuring JMS Queues and Connection Factories

To configure JMS queues and connection factories:

  1. In a Web browser, log in to the WebLogic Server Console. For example:

    http://appserverhost:7001/console
    
  2. Configure a JMS queue connection factory as follows:

    1. From Services, select Messaging, then select JMS Modules.

    2. Click New.

    3. In the Name field, enter OIM-ORM JMS Module, then click Next.

    4. Select AdminServer, then click Next.

    5. Select Would you like to add resources, then click Finish.

    6. On the Settings page, click New.

    7. Choose the ConnectionFactory option, then click Next.

    8. In the Name field, enter ormJMSConnectionFactory.

    9. In the JNDI Name field, enter /oim/OIMserver/QueueConnectionFactory.

    10. Click Next, then click Finish.

    11. Click ormJMSConnectionFactory.

    12. On the Transactions tab, select XA Connection Factory Enabled.

    13. Click Save.

  3. Configure a JMS server as follows:

    1. From Services, select Messaging, then select JMS Servers.

    2. Click New.

    3. In the Name field, enter ORMIntegration.

    4. Click Finish.

    5. Click ORMIntegration.

    6. On the Targets tab, select AdminServer from the Targets list.

    7. Click Save.

  4. Configure a JMS queue as follows:

    1. From Services, select Messaging, then select JMS Modules.

    2. Click OIM-ORM JMS Module, then click New.

    3. Choose the Queue option, then click Next.

    4. In the Name field, enter ormJMSQueue.

    5. In the JNDI Name field, enter oim/OIMserver/RoleManagerQueue.

    6. Click Next.

    7. Click Create a New Subdeployment.

    8. In the Subdeployment Name field, enter ormJMSQueue subdeployment.

    9. Click OK, then click Next.

    10. Select ORMIntegration as the JMS Server.

    11. Click Finish.

7.3.5 Configuring Foreign JMS Queues and Connection Factories

To configure Foreign JMS queues and connection factories:

  1. Configure a foreign JNDI provider as follows:

    1. From Services, select Foreign JNDI Providers, then click New.

    2. In the Name field, enter OIM ORM server.

    3. Click OK.

    4. Click OIM ORM server.

    5. In the Initial Context Factory field, enter weblogic.jndi.WLInitialContextFactory.

    6. In the Provider URL field, enter t3://orm_ipaddress:orm_port

      where

      orm_ipaddress is the IP address of the Oracle Role Manager application server host

      orm_port is the port for access to the Oracle Role Manager administrative console and Web UI.

      Note:

      If you are configuring a clustered server environment, the URL must be in the form t3://orm_ipaddress1:port,orm_ipaddress2:port

    7. In the User field, enter the user name of the WebLogic Administrator.

    8. In the Password field and Confirm Password field, enter the password of the WebLogic Administrator.

    9. Click Save.

  2. Configure foreign JNDI links as follows:

    1. From Services, select Foreign JNDI Providers.

    2. Click OIM ORM server.

    3. On the Links tab, click New.

    4. In the Name field, enter OIMORMQueueConnectionFactory.

    5. In the Local JNDI Name field, enter external/srqueues/orm/QueueConnectionFactory.

    6. In the Remote JNDI Name field, enter external/srqueues/orm/QueueConnectionFactory.

      Note:

      The local and remote JNDI names must be the same as the JNDI name set in Section 7.2.1, "Configuring the JMS Connection Factory."

    7. Click OK.

    8. On the Links tab, click New.

    9. In the Name field, enter OIM ORM Queue.

    10. In the Local JNDI Name field, enter orm/queue/IncomingEventQueue.

    11. In the Remote JNDI Name field, enter orm/queue/IncomingEventQueue.

    12. Click OK.

7.3.6 Configuring Security Credentials

To configure the credentials:

  1. Click the domain where the Oracle Identity Manager server resides.

  2. On the Security tab, expand the Advanced link at the bottom of the page.

  3. In the Credential field, clear any existing credential, then enter the same domain credential that was used for the Oracle Role Manager server (see step 4 of Section 7.2.3).

    Note:

    The domain credential is generated when the server is started and ensures that by default no two WebLogic server domains have the same credential. In this case, the same credentials are entered for both Oracle Identity Manager and Oracle Role Manager.

  4. In the Confirm Credential field, enter the credential again.

  5. Click Save.

  6. If you have a non-clustered server environment, restart the Oracle Identity Manager server. For clustered server environments, continue configuration steps in the next section before restarting the server.

7.3.7 (Clustered Mode Only) Adding the Integration Library System Properties

Note:

Perform this procedure on all managed nodes.

To add the Integration Library JVM system properties:

  1. Log on to the WebLogic Server administrative console using a Web browser.

  2. For each managed server, configure the system properties as follows:

    1. On the Oracle Identity Manager domain of the primary node, select the domain name, then select Servers.

    2. Select the first managed server, for example, OIM_Server1.

    3. On the Configuration tab, click the Server Start subtab.

    4. In the ClassPath field, add the following Integration Library paths to the existing classpath settings:

      ORMINT_HOME\lib\commons-logging.jar
      ORMINT_HOME\lib\orm_encryption.jar
      ORMINT_HOME\lib\server_api_14.jar
      
    5. In the Arguments field, append the following argument to any existing arguments:

      -DORMINT_ROOT_DIR=ORMINT_HOME
      

      where ORMINT_HOME is the Integration Library installation directory. For example, C:/ORMINT_HOME.

    6. Optionally, to enable logging for the Integration Library, in the Arguments field, add the following argument:

      -Djava.util.logging.config.file=ORMINT_HOME/config/logging.properties
      

      where ORMINT_HOME is the Integration Library installation directory. For example, C:/ORMINT_HOME.

    7. Click Save.

  3. Restart the node manager on each managed server, then start each managed server.

7.4 Deploying the Oracle Role Manager Integration Library Application on WebLogic

To deploy the Integration Library application:

  1. On the Oracle Identity Manager host, create the EAR file for the Integration Library application that contains JAR files from Oracle Identity Manager as follows:

    1. In a command window, navigate to ORMINT_HOME/bin.

    2. Run the following command:

      For UNIX-based systems:    sh create_ear.sh OIM_HOME/xellerate

      For Windows systems:    create_ear.bat OIM_HOME/xellerate

      where OIM_HOME is the root installation directory for Oracle Identity Manager.

  2. From the Oracle Identity Manager host, connect to the WebLogic Server Console in a Web browser. For example:

    http://appserverhost:7001/console
    
  3. Select Deployments.

  4. Click Install.

  5. Browse to the ORMINT_HOME/lib directory.

  6. Choose roleManagerIntegration_WebLogic10.3.ear, then click Next.

  7. Choose Install this deployment as an application, then click Next.

  8. In the Target list, select the target server on which to deploy Oracle Role Manager, then click Next.

    Note:

    If you are configuring a clustered environment, select the cluster for Oracle Role Manager from the Target list.

  9. Accept the defaults on the next page, then click Next.

  10. Click Finish.

  11. Click Deployments.

    You should see an indication of successful deployment.

  12. If you have a clustered server environment, restart the admin server and all managed servers.