Oracle® Role Manager Integration Guide
Release 10g (10.1.4.2)

Part Number E14611-07

8 Configuring IBM WebSphere

This chapter contains procedures for configuring the IBM WebSphere application servers for Oracle Identity Manager and Oracle Role Manager in preparation for deployment of the Oracle Role Manager Integration Library. The procedures in this chapter are expected to be performed in the sequence they are presented.

This chapter includes the following sections:

  • Section 8.1, "Before You Configure"

  • Section 8.2, "Configuring the Oracle Role Manager Server"

  • Section 8.3, "Configuring the Oracle Identity Manager Server"

8.1 Before You Configure

The Oracle Role Manager Integration Library is intended to be deployed on the application server on which Oracle Identity Manager is deployed. The procedures in this chapter assume the following:

8.2 Configuring the Oracle Role Manager Server

This procedure assumes that a WebSphere application server has been created for Oracle Role Manager with a host alias set for port access to Oracle Role Manager.

Note:

When configuring WebSphere, it is recommended that you save your settings after every task.

This section includes the following subsections:

  • Section 8.2.1, "Deploying the WebSphere Configuration"

  • Section 8.2.2, "Creating the Custom User for the Integration"

  • Section 8.2.3, "Creating the Alias for Custom User for the Integration"

  • Section 8.2.4, "(Clustered Mode Only) Creating the Database Users for the JMS Engines"

  • Section 8.2.5, "(Clustered Mode Only) Creating the Aliases for the JMS Engine Database Users"

  • Section 8.2.6, "Creating the JMS Messaging Buses"

  • Section 8.2.7, "Configuring the Oracle Role Manager Bus"

  • Section 8.2.8, "Configuring the Role Update Bus"

  • Section 8.2.9, "Configuring the JMS Queue Connection Factory"

  • Section 8.2.10, "Configuring JMS Queues"

  • Section 8.2.11, "Configuring Security Credentials on the Oracle Role Manager Bus"

  • Section 8.2.12, "Configuring Security Credentials on the Role Update Bus"

  • Section 8.2.13, "Granting Sender Roles to the System User"

  • Section 8.2.14, "Disabling Transaction Security"

  • Section 8.2.15, "Modifying the Oracle Role Manager Deployment Descriptor"

8.2.1 Deploying the WebSphere Configuration

The procedure in this section deploys the configuration needed to update the JNDI destinations of the Outgoing Event Manager in Oracle Role Manager, used for communication with Oracle Identity Manager.

To deploy the WebSphere configuration:

  1. Stop the Oracle Role Manager application server if it is running.

  2. On the Oracle Role Manager installation host, copy the websphere_config.car file from ORM_HOME/Integration_Library/config to ORM_HOME/config.

  3. In a command window, navigate to ORM_HOME/bin on the Oracle Role Manager host.

  4. Run the deploy command to load the WebSphere configuration to the Oracle Role Manager database.

    deploy.bat "../config/websphere_config.car" orm-owner ormapp-user admin-user
    

    In this command:

    • orm-owner is the user name of the Oracle Role Manager database owner user/schema

    • ormapp-user is the user name of the Oracle Role Manager application user/schema

    • admin-user is the user name of the Oracle Role Manager system administrator

  5. At the prompts, enter the passwords of the Oracle Role Manager database owner, Oracle Role Manager application user, and Oracle Role Manager administrator.

    You should see the message "Deployment successfully completed" in the command window.

8.2.2 Creating the Custom User for the Integration

To create a custom user:

  1. If not already on the WebSphere administrative console, in a Web browser, enter the URL. For example:

    http://appserverhost:9060/ibm/console
    
  2. Select Users and Groups, then select Manage Users.

  3. Click Create and enter the following:

    1. In the User ID field, enter ormSystem.

      Note:

      The user ID must be ormSystem.
    2. In the First name field, enter ORM.

    3. In the Last name field, enter System.

    4. In the Password field, enter a password for the user. The example value used throughout this guide is ormSystem; in a real deployment choose a strong, unique password, because this account authenticates the messaging between the two servers and the same value must be entered in the OIMALIAS entries in Section 8.2.3 and Section 8.3.2.

    5. Click Create and then click Close.

8.2.3 Creating the Alias for Custom User for the Integration

To create an alias for the custom user:

  1. Click Security, then select Secure administration, applications, and infrastructure.

  2. In the Authentication section, expand Java Authentication and Authorization Service, then click J2C authentication data.

  3. Click New and enter the following:

    1. In the Alias field, enter OIMALIAS.

    2. In the User field, enter ormSystem.

    3. In the Password field, enter the password set for ormSystem in step 3 of Section 8.2.2.

    4. Click OK, then save your changes.

8.2.4 (Clustered Mode Only) Creating the Database Users for the JMS Engines

For each planned server in the cluster, use this procedure to create a database user, such as WSOIMMsgEng1, WSOIMMsgEng2, and so forth.

To create the database users for the JMS engines:

  1. On the Oracle Role Manager host, open a command window.

  2. Using sqlplus or a similar utility, connect to the database instance into which the Oracle Role Manager schema is installed.

  3. As the SYSTEM user, run the following commands:

    create user WSOIMMsgEng1 identified by password default tablespace ORM_DATA temporary tablespace ORM_TEMP;
    grant connect to WSOIMMsgEng1;
    grant create session to WSOIMMsgEng1;
    grant resource to WSOIMMsgEng1;
    commit;
    

    where WSOIMMsgEng1 is the name of the new user and password is the password for the new user.

  4. Repeat these commands for additional users, as appropriate.

8.2.5 (Clustered Mode Only) Creating the Aliases for the JMS Engine Database Users

Follow this procedure to create an alias for each database user created in Section 8.2.4.

To create an alias for a custom database user:

  1. Click Security, then select Secure administration, applications, and infrastructure.

  2. In the Authentication section, expand Java Authentication and Authorization Service, then click J2C authentication data.

  3. Click New and enter the following:

    1. In the Alias field, enter a name, such as WSOIMMsgEng1.

    2. In the User field, enter WSOIMMsgEng1.

      Note:

      The user entered here must match the database user name set using the commands in Section 8.2.4.
    3. In the Password field, enter the same password as the one set using the commands in Section 8.2.4 for this user.

    4. Click OK.

  4. Repeat this procedure for additional database users created in Section 8.2.4.
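
Sections 8.2.4 and 8.2.5 are repeated once per cluster member: a database user per messaging engine, then a J2C alias whose name, user ID and password mirror that database user. The following Python script is an added example, not part of this guide or of the Oracle Role Manager product. It emits the CREATE USER and GRANT statements of Section 8.2.4 for N engines with a different random password for each, validates every identifier before it is interpolated into the DDL so that a stray character cannot alter the statement, and returns the matching alias entries for Section 8.2.5. The prefix WSOIMMsgEng and the tablespace names ORM_DATA and ORM_TEMP come from the guide; the 30-character identifier limit, the 20-character alphanumeric passwords and the double-quoted password syntax are the example's own assumptions.

```python
import re
import secrets
import string

# Assumption, not from the guide: identifiers are restricted to a conservative
# subset (letter first, then letters, digits, underscore, 30 chars max) so the
# generated DDL can never be broken or extended by what is interpolated into it.
IDENT_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]{0,29}$")
PASSWORD_ALPHABET = string.ascii_letters + string.digits


def check_identifier(name):
    """Raise if name is not a plain unquoted Oracle identifier; return it otherwise."""
    if not IDENT_RE.match(name):
        raise ValueError("unsafe identifier: %r" % name)
    return name


def generate_password(length=20):
    """Random alphanumeric password from the OS CSPRNG, letter first (assumed length)."""
    first = secrets.choice(string.ascii_letters)
    rest = "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length - 1))
    return first + rest


def jms_engine_user_ddl(user, password, data_ts="ORM_DATA", temp_ts="ORM_TEMP"):
    """The four statements from Section 8.2.4 for one messaging-engine user.
    The user name is left unquoted, as in the guide, so Oracle folds it to upper
    case; the password is double-quoted and limited to alphanumerics."""
    user = check_identifier(user)
    check_identifier(data_ts)
    check_identifier(temp_ts)
    if not re.match(r"^[A-Za-z0-9]+$", password):
        raise ValueError("password must be alphanumeric for this generator")
    return [
        'create user %s identified by "%s" default tablespace %s temporary tablespace %s;'
        % (user, password, data_ts, temp_ts),
        "grant connect to %s;" % user,
        "grant create session to %s;" % user,
        "grant resource to %s;" % user,
    ]


def plan_jms_engine_users(count, prefix="WSOIMMsgEng"):
    """Return (ddl_lines, aliases): one database user per cluster member plus the
    J2C authentication data entries of Section 8.2.5 (alias == user, same password)."""
    ddl, aliases = [], []
    for i in range(1, count + 1):
        user = "%s%d" % (prefix, i)
        password = generate_password()
        ddl.extend(jms_engine_user_ddl(user, password))
        aliases.append({"alias": user, "user": user, "password": password})
    ddl.append("commit;")
    return ddl, aliases


if __name__ == "__main__":
    lines, entries = plan_jms_engine_users(2)
    print("\n".join(lines))
    for entry in entries:
        # Passwords are deliberately not printed; feed them to the console entries directly.
        print("J2C alias %s -> user %s" % (entry["alias"], entry["user"]))
```

Run the script once per cluster, paste the DDL into sqlplus as SYSTEM, and create the aliases from the returned entries; the passwords never need to appear in a shell history or a shared document.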

8.2.6 Creating the JMS Messaging Buses

To create the JMS messaging buses:

  1. Select Service integration, then select Buses.

  2. Click New.

  3. In the Name field, enter ORMRoleUpdateBus.

  4. Select Bus security, then click Next.

  5. Click Finish.

  6. For clustered server environments, add the cluster to the ORMRoleUpdateBus as follows:

    1. Click ORMRoleUpdateBus, then click Bus members.

    2. Click Add.

    3. Choose the Cluster option, select the cluster for Oracle Role Manager, then click Next.

    4. In the Select the type of message store list, select Data Store, then click Next.

    5. In the Data source JNDI name field, enter orm/jdbc/WSMsgEngDS.

    6. In the Schema name field, enter WSOIMMsgEng1.

    7. In the Authentication alias list, select WSOIMMsgEng1.

    8. Ensure that Create Tables is selected.

    9. Click Next.

  7. For nonclustered environments, add the server to the ORMRoleUpdateBus as follows:

    1. Click ORMRoleUpdateBus, then click Bus members.

    2. Click Add.

    3. Select the server used for Oracle Role Manager, then click Next.

    4. In the Select the type of message store list, select File Store, then click Next, then click Next again.

  8. Click Finish, then save your changes.

8.2.7 Configuring the Oracle Role Manager Bus

To configure the Oracle Role Manager bus:

  1. Select Service integration, then select Buses.

  2. Select ORM Bus.

  3. Create the foreign bus as follows:

    1. Under Topology, click Foreign buses.

    2. Click New.

    3. In the Name field, enter OIM ORM Bus, then click Next.

      Note:

      Take note of this bus name to use later when configuring buses on the Oracle Identity Manager application server.
    4. Select Direct, service integration bus link as the routing type, then click Next.

    5. Click Next again.

    6. Click Finish, then save your changes.

    7. Click ORM Bus to return to that page.

  4. Create the foreign bus link as follows:

    1. Under Topology, click Messaging engines.

    2. Select the messaging engine to which you want to add the service integration bus links.

    3. Under Additional properties, click Service integration bus links.

    4. Click New.

    5. In the Name field, enter OIM ORM Link.

    6. In the Foreign bus name list, select OIM ORM Bus.

      Note:

      Take note of this bus name to use later when configuring buses on the Oracle Identity Manager application server.
    7. In the Remote messaging engine name field, enter the messaging engine name of the OIM ORM Bus. For example:

      oim_server_node.server_name-OIM ORM Bus.

      Note:

      For nonclustered environments, the remote messaging engine name must be in the form oim_server_node_name.oim_server_name followed by a hyphen and the name of the foreign bus. For clustered environments, the name must be in the form oim_cluster_name.index-OIM ORM Bus, for example, XL_JMS_CLUSTER.000-OIM ORM Bus.
    8. Click OK, then save your changes.

8.2.8 Configuring the Role Update Bus

To configure the role update bus:

  1. Click Service integration, then select Buses.

  2. Click ORMRoleUpdateBus.

  3. Create the foreign bus as follows:

    1. Under Topology, click Foreign buses.

    2. Click New.

    3. In the Name field, enter OIMRoleUpdateBus, then click Next.

      Note:

      Take note of this bus name to use later when configuring buses on the Oracle Identity Manager application server.
    4. Select Direct, service integration bus link as the routing type, then click Next.

    5. In the Outbound user ID field, enter ormSystem, then click Next.

    6. Click Finish, then save your changes.

    7. Click ORMRoleUpdateBus to return to that page.

  4. Create the foreign bus link as follows:

    1. Under Topology, click Messaging engines.

    2. Select the messaging engine to which you want to add the service integration bus links. For example, orm_server_node.orm_server-ORMRoleUpdateBus.

    3. Under Additional properties, click Service integration bus links.

    4. Click New.

    5. In the Name field, enter RoleUpdateLink.

    6. In the Foreign Bus Name list, select OIMRoleUpdateBus.

      Note:

      Take note of this bus name to use later when configuring buses on the Oracle Identity Manager application server.
    7. In the Remote messaging engine name field, enter the messaging engine name of the OIMRoleUpdateBus. For example:

      oim_server_node.oim_server_name-OIMRoleUpdateBus.

      Note:

      The remote message engine name must be in the form oim_server_node_name.oim_server_name followed by a hyphen and the name of the foreign bus. For clustered environments, the name must be in the form oim_cluster_name.index-OIMRoleUpdateBus, for example, XL_JMS_CLUSTER.000-OIMRoleUpdateBus.
    8. In the Target inbound transport chain field, enter InboundSecureMessaging.

    9. In the Bootstrap endpoints field, enter the Oracle Identity Manager server's host name followed by a colon (:), the SIB endpoint secure address followed by a colon (:), then BootstrapSecureMessaging. For example, oim_host:secure_sib:BootstrapSecureMessaging

      Note:

      For clustered environments, endpoints should be in the form oim_host:secure_sib:BootstrapSecureMessaging,oim_host:secure_sib:BootstrapSecureMessaging where oim_host is the foreign server and secure_sib is the foreign server's SIB_ENDPOINT_SECURE_ADDRESS.
    10. In the Authentication alias list, select OIMALIAS.

    11. Click OK, then save your changes.

    12. Click ORMRoleUpdateBus to return to that page.

  5. Create the foreign bus destination as follows:

    1. In the Destination resources area, click Destinations.

    2. Click New.

    3. Choose Foreign as the destination type, then click Next.

    4. Enter RoleUpdateDest as the identifier.

      Note:

      Take note of this destination name to use when configuring the OIM Role Update Bus on the Oracle Identity Manager application server.
    5. Select OIMRoleUpdateBus as the bus, then click Next.

    6. Click Finish, then save your changes.

8.2.9 Configuring the JMS Queue Connection Factory

To configure JMS queue connection factory for ORM Role Update:

  1. From Resources, select JMS, then select Queue connection factories.

  2. For clustered configuration, select the cluster scope used previously, then click New.

  3. For nonclustered configuration, select the cell scope used previously, then click New.

  4. Choose Default messaging provider, then click OK.

  5. In the Name field, enter RoleUpdateQCF.

  6. In the JNDI name field, enter /oim/OIMserver/QueueConnectionFactory.

  7. In the Bus name list, select ORMRoleUpdateBus.

  8. In the Target inbound Transport chain field, enter InboundSecureMessaging.

  9. In the Advanced Administration area, in the Component-managed authentication alias list, select OIMALIAS.

  10. Click OK, then save your changes.

8.2.10 Configuring JMS Queues

To configure the ORM Role Update queue:

  1. From Resources, select JMS, then click Queues.

  2. For clustered configuration, select the cluster scope used previously, then click New.

  3. For nonclustered configuration, select the cell scope used previously, then click New.

  4. Choose Default messaging provider, then click OK.

  5. In the Name field, enter RoleUpdateQueue.

  6. In the JNDI name field, enter oim/OIMserver/RoleManagerQueue.

  7. In the Bus name list, select OIMRoleUpdateBus.

  8. In the Queue name list, select RoleUpdateDest.

  9. Click OK, then save your changes.

8.2.11 Configuring Security Credentials on the Oracle Role Manager Bus

To configure security credentials on the Oracle Role Manager bus:

  1. Click Service integration, then select Buses.

  2. Click ORM Bus.

  3. In the Additional Properties section, click Security.

  4. Select Enable bus security if it is not already selected.

  5. In the Inter-engine authentication alias field, select OIMALIAS.

  6. In the Permitted transports section, select Restrict the use of defined transport channel chains to those protected by SSL.

  7. Click OK.

  8. Click ORM Bus to return to that page.

  9. Set the foreign bus link authentication alias as follows:

    1. In the Topology section, click Messaging engines.

    2. Select the messaging engine that owns the foreign bus link created in Section 8.2.7.

    3. In the Additional Properties section, click Service integration bus links.

    4. Select OIM ORM Link.

    5. In the Authentication alias field, select OIMALIAS.

    6. Click OK.

    7. Click ORM Bus to return to that page.

  10. Configure users for the bus connector as follows:

    1. In the Additional Properties area, click Security.

    2. In the Additional Properties area, click Users and groups in the bus connector role.

    3. Click New.

    4. Select User name and enter ormSystem.

    5. Click OK.

    6. Click ORM Bus to return to that page.

  11. Set the foreign bus link routing properties as follows:

    1. In the Topology section, click Foreign buses.

    2. Click OIM ORM Bus.

    3. In the Additional Properties section, click Service integration bus link routing properties.

    4. In the Inbound user ID field, enter ormserver.

      Note:

      ormserver is the user ID of the custom user associated with the Oracle Role Manager server application. If you have associated a different user, you must specify that user ID instead.
    5. Click OK, then save your changes.

8.2.12 Configuring Security Credentials on the Role Update Bus

To configure security credentials on the role update bus:

  1. Click Service integration, then select Buses.

  2. Click ORMRoleUpdateBus.

  3. In the Additional Properties area, click Security.

  4. From the Inter-engine authentication alias list, select OIMALIAS.

  5. In the Permitted transports section, select Restrict the use of defined transport channel chains to those protected by SSL.

  6. Click OK, then save your changes.

  7. Click ORMRoleUpdateBus to return to that page.

  8. Set the users for the bus connector as follows:

    1. In the Additional Properties area, click Security.

    2. In the Additional Properties area, click Users and groups in the bus connector role.

    3. Click New.

    4. Select User name, then enter ormSystem.

    5. Click OK, then save your changes.

8.2.13 Granting Sender Roles to the System User

This task must be performed using the wsadmin command-line tools provided by WebSphere. WebSphere must be running before performing this procedure.

Note:

The commands in this procedure require the WebSphere Administrator user name and password. If you do not have those values, contact a WebSphere administrator.

Note:

The commands in the following procedure use two user IDs: ormserver, the custom user associated with the Oracle Role Manager server application (see Section 8.2.11), for the Incoming Event Queue, and ormSystem, the integration user created in Section 8.2.2, for the foreign destinations. If you have associated a different user with Oracle Role Manager, or if you did not use the default bus names from this document, you must specify those values instead.

To grant the Sender roles:

  1. On the host where Oracle Role Manager is deployed, run the following command:

    DEPLOYMENT_MANAGER_HOME/bin/wsadmin.bat
    

    Where DEPLOYMENT_MANAGER_HOME is the home directory of the deployment manager. For example, C:\IBM\WebSphere\AppServer\profiles\Dmgr02

  2. At the prompt, grant the Sender role for the Incoming Event Queue with the following command:

    $AdminTask addUserToDestinationRole {-type Queue -bus "ORM Bus" -destination "Incoming Event Queue" -role Sender -user ormserver}
    $AdminConfig save
    
  3. Grant the Sender role on the foreign destination and on the foreign bus with the following commands (every option is introduced by a plain hyphen; a dash of any other kind is not recognized by wsadmin):

    $AdminTask addUserToDestinationRole {-type foreignDestination -bus "ORMRoleUpdateBus" -destination "RoleUpdateDest" -foreignBus "OIMRoleUpdateBus" -role Sender -user ormSystem}
    
    $AdminTask addUserToForeignBusRole {-bus "ORMRoleUpdateBus" -foreignBus "OIMRoleUpdateBus" -role Sender -user ormSystem}
    $AdminConfig save
    quit
    
    

8.2.14 Disabling Transaction Security

To disable transaction security:

  1. Log in to the WebSphere Administrative Console for the server on which Oracle Role Manager is deployed.

  2. Select Servers, then select Application servers.

  3. Click the server name link corresponding to the server on which Oracle Role Manager is deployed.

  4. In the Container Settings section, expand Container Services, then click Transaction Service.

  5. In the Additional Properties section, click Custom Properties.

  6. Click New.

  7. In the Name field, enter DISABLE_PROTOCOL_SECURITY.

  8. In the Value field, enter true.

  9. In the Description field, enter Disable transaction protocol security.

  10. Click OK, then save your changes.

Note:

This property disables the security checks that WebSphere otherwise applies to the transaction service protocol messages exchanged between servers. Set it only on the server selected in step 3, and treat the network path between the Oracle Role Manager and Oracle Identity Manager servers as one that must be trusted by other means, because those messages are no longer authenticated by the transaction service.

8.2.15 Modifying the Oracle Role Manager Deployment Descriptor

Running the Oracle Role Manager Integration Library in a secured environment requires modifying the deployment descriptor for Oracle Role Manager on the application server host before deploying the Integration Library application.

Note:

For clustered environments, perform this procedure on all managed servers.

To modify the deployment descriptor:

  1. On the Oracle Role Manager host, copy the server.ear file from ORM_HOME/lib to a temporary location.

  2. In the temporary location, using a utility such as WinZip or jar, extract the contents of the server.ear file.

    You should see the server.jar file.

  3. Copy and extract the contents of the server.jar file to a separate temporary location.

  4. In the second temporary location, navigate to the META-INF directory

    You should see the ejb-jar.xml file.

  5. Open the ejb-jar.xml file with a text editor and edit it as follows:

    1. Find the session element with the ejb-name element defined as SingletonEJB.

    2. Add a resource-ref element as the last resource-ref element in the SingletonEJB session element and define it as follows:

      <resource-ref id="ResourceRef_1177777777777">
          <res-ref-name>OIM/IntegrationConnectionFactory</res-ref-name>
          <res-type>javax.jms.QueueConnectionFactory</res-type>
          <res-auth>Container</res-auth>
          <res-sharing-scope>Shareable</res-sharing-scope>
      </resource-ref>
      

      Note:

      The new resource-ref element should be the last of its type and preceding the first resource-env-ref element.
  6. Using a utility such as WinZip or jar, repackage the contents of server.jar, then copy server.jar to the first temporary location to overwrite the existing server.jar file.

  7. In the first temporary location, repackage the contents of server.ear, then redeploy server.ear to the application server on which Oracle Role Manager is deployed.

    For instructions on deploying the server.ear file, refer to the Oracle Role Manager Installation Guide.

    Note:

    On redeployment of the server.ear file, in the Target Resource JNDI Name field for the OIM/IntegrationConnectionFactory resource reference, browse to select RoleUpdateQCF, then click Apply.
  8. Start the application server on which Oracle Role Manager is deployed.

  9. Ensure that the deployment descriptor changes are present for the Oracle Role Manager server as follows:

    1. Log in to the WebSphere Administrative Console for the server on which Oracle Role Manager is deployed.

    2. Select Applications, then click Enterprise Applications.

    3. Click the name of the server for Oracle Role Manager, for example ORM Server.

    4. In the References area, click Resource references.

    5. Go to the table in the javax.jms.QueueConnectionFactory section.

    6. For the resource reference named OIM/IntegrationConnectionFactory, look at the value in the Target Resource JNDI Name column.

      It should be /oim/OIMserver/QueueConnectionFactory.

      If it is not, click Browse to select /oim/OIMserver/QueueConnectionFactory. Then select OIM/IntegrationConnectionFactory, then click Apply.

    7. For the resource reference named OIM/IntegrationConnectionFactory, look at the final cell in that row.

      It should contain a value similar to the following, where staco18Node01 stands for the name of your node:

      Resource authorization:
      Container Authentication method:
      DefaultPrincipalMapping
      staco18Node01/OIMALIAS
      

      If it does not, select Use default method for authentication. Then from the Authentication data entry list, select OIMALIAS, then click Apply.

    8. If you have made any changes while verifying these settings, click OK, then save your changes.
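
Step 5 of this procedure is the one hand edit of XML in the chapter, and it decides whether the queue connection factory is looked up with container-managed authentication (res-auth Container, mapped to OIMALIAS in step 9). The placement rule in its note is a schema rule: the ejb-jar descriptor requires all resource-ref elements of a bean to precede its resource-env-ref elements, so an element pasted in the wrong place fails validation at deployment. The Python script below is an added example, not part of this guide or of the Oracle Role Manager distribution. It inserts the resource-ref exactly where the note requires, refuses to proceed if the bean already has the two element kinds out of order, and is idempotent, so running it twice on the same file changes nothing. The descriptor it parses is constructed for the example and is not the real ejb-jar.xml from server.jar; the bean class example.Singleton and the data source jdbc/ExampleDS are invented.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not the real Oracle Role Manager descriptor: one session
# bean named SingletonEJB with an existing resource-ref and a resource-env-ref.
SAMPLE_EJB_JAR = """<?xml version="1.0" encoding="UTF-8"?>
<ejb-jar>
  <enterprise-beans>
    <session>
      <ejb-name>SingletonEJB</ejb-name>
      <ejb-class>example.Singleton</ejb-class>
      <resource-ref id="ResourceRef_1">
        <res-ref-name>jdbc/ExampleDS</res-ref-name>
        <res-type>javax.sql.DataSource</res-type>
        <res-auth>Container</res-auth>
      </resource-ref>
      <resource-env-ref>
        <resource-env-ref-name>jms/ExampleQueue</resource-env-ref-name>
        <resource-env-ref-type>javax.jms.Queue</resource-env-ref-type>
      </resource-env-ref>
    </session>
  </enterprise-beans>
</ejb-jar>
"""

RES_REF_NAME = "OIM/IntegrationConnectionFactory"


def _ns(root):
    """'{uri}' prefix when the descriptor is namespaced (J2EE 1.4 and later), else ''."""
    return root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""


def _find_session(root, ns, ejb_name):
    for session in root.iter(ns + "session"):
        name = session.find(ns + "ejb-name")
        if name is not None and (name.text or "").strip() == ejb_name:
            return session
    raise ValueError("no session bean named %s" % ejb_name)


def add_integration_resource_ref(xml_text, ejb_name="SingletonEJB",
                                 ref_id="ResourceRef_1177777777777"):
    """Insert the resource-ref from Section 8.2.15 into the named bean, after the
    last existing resource-ref and before the first resource-env-ref."""
    root = ET.fromstring(xml_text)
    ns = _ns(root)
    session = _find_session(root, ns, ejb_name)

    for ref in session.findall(ns + "resource-ref"):
        name = ref.find(ns + "res-ref-name")
        if name is not None and (name.text or "").strip() == RES_REF_NAME:
            return ET.tostring(root, encoding="unicode")  # already present: no change

    children = list(session)
    last_ref = max((i for i, c in enumerate(children) if c.tag == ns + "resource-ref"), default=-1)
    first_env = next((i for i, c in enumerate(children) if c.tag == ns + "resource-env-ref"),
                     len(children))
    if last_ref > first_env:
        raise ValueError("bean already has a resource-ref after a resource-env-ref; fix by hand")
    insert_at = last_ref + 1 if last_ref >= 0 else first_env

    new_ref = ET.Element(ns + "resource-ref", {"id": ref_id})
    for tag, text in (("res-ref-name", RES_REF_NAME),
                      ("res-type", "javax.jms.QueueConnectionFactory"),
                      ("res-auth", "Container"),
                      ("res-sharing-scope", "Shareable")):
        ET.SubElement(new_ref, ns + tag).text = text
    session.insert(insert_at, new_ref)
    return ET.tostring(root, encoding="unicode")


def resource_ref_order(xml_text, ejb_name="SingletonEJB"):
    """Child element names of the bean in document order, for checking the placement rule."""
    root = ET.fromstring(xml_text)
    ns = _ns(root)
    return [c.tag[len(ns):] for c in _find_session(root, ns, ejb_name)]


if __name__ == "__main__":
    print(add_integration_resource_ref(SAMPLE_EJB_JAR))
```

To use it on the real file, read META-INF/ejb-jar.xml from the extracted server.jar, pass its text to add_integration_resource_ref, write the result back, and then check resource_ref_order before repackaging; the last resource-ref index must be smaller than the first resource-env-ref index.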

8.3 Configuring the Oracle Identity Manager Server

This procedure assumes that a WebSphere application server has been created for Oracle Identity Manager with a host alias set for port access to Oracle Identity Manager.

Note:

When configuring WebSphere, it is recommended that you save your settings after every task.

This section includes the following subsections:

8.3.1 (Clustered Mode Only) Creating the Oracle Identity Manager Database Users for the JMS Engines

To create the database user and role for the JMS engines:

  1. On the Oracle Identity Manager host, open a command window.

  2. Using sqlplus or a similar utility, connect to the database instance into which the Oracle Identity Manager schema is installed.

  3. As the SYSTEM user, run the following commands to create the IntegrationORM user, the IntegrationRole user and the IntegrationJMS role:

    create user IntegrationORM identified by ormSystem default tablespace OIM_TABLESPACE temporary tablespace OIM_TEMP_TABLESPACE;
    create user IntegrationRole identified by ormSystem default tablespace OIM_TABLESPACE temporary tablespace OIM_TEMP_TABLESPACE;
    create role IntegrationJMS;
    grant connect, create session, resource to IntegrationJMS;
    grant create tablespace, drop any table to IntegrationJMS;
    grant unlimited tablespace to IntegrationORM;
    grant unlimited tablespace to IntegrationRole;
    grant IntegrationJMS to IntegrationORM;
    grant IntegrationJMS to IntegrationRole;
    commit;
    

    where OIM_TABLESPACE and OIM_TEMP_TABLESPACE are the appropriate tablespace names for the Oracle Identity Manager schema. The password ormSystem is the guide's example value; choose strong passwords for both users and enter the same values in the aliases created in Section 8.3.3. Note also that CREATE TABLESPACE and DROP ANY TABLE are system-wide privileges, not privileges limited to the users' own schemas; confirm with your database administrator that granting them to the messaging-engine role is acceptable in your environment.

8.3.2 Creating the Authentication Alias for connections to Oracle Role Manager

Java 2 Connector authentication data entry settings are used for administrators to define authentication data, which includes user identities and passwords. Using aliases, these values can reference authentication data entries by resource adapters, data sources, and other configurations that require authentication.

To create the alias for connections to Oracle Role Manager:

  1. If not already on the WebSphere administrative console, in a Web browser, enter the URL. For example:

    http://appserverhost:9060/ibm/console
    
  2. Select Security, then select Secure administration, applications, and infrastructure.

  3. In the Authentication area, select Java Authentication and Authorization Service, then select J2C authentication data.

  4. Click New.

  5. In the Alias field, enter OIMALIAS.

  6. In the User ID field, enter ormSystem.

    Note:

    The user ID must be ormSystem.
  7. In the Password field, enter the password that was set for the ormSystem user in Section 8.2.2 (ormSystem in the guide's example). The Oracle Identity Manager server presents this alias when it connects to the Oracle Role Manager buses, so the two values must agree.

  8. Click OK, then save your changes.

  9. If you are configuring a nonclustered environment, skip to Section 8.3.5.

8.3.3 (Clustered Mode Only) Creating the Additional Authentication Aliases for the New Data Stores

To create the authentication aliases for the two data stores:

  1. If not already on the WebSphere administrative console, in a Web browser, enter the URL. For example:

    http://appserverhost:9060/ibm/console
    
  2. Select Security, then select Secure administration, applications, and infrastructure.

  3. In the Authentication area, select Java Authentication and Authorization Service, then select J2C authentication data.

  4. Create the alias for the IntegrationORM user as follows:

    1. Click New.

    2. In the Alias field, enter IntegrationORMBus.

    3. In the User ID field, enter IntegrationORM.

    4. In the Password field, enter the password set for IntegrationORM in Section 8.3.1 (ormSystem in the guide's example).

    5. Click OK, then save your changes.

  5. Create the alias for the IntegrationRole user as follows:

    1. Click New.

    2. In the Alias field, enter IntegrationRoleBus.

    3. In the User ID field, enter IntegrationRole.

    4. In the Password field, enter the password set for IntegrationRole in Section 8.3.1 (ormSystem in the guide's example).

    5. Click OK, then save your changes.

8.3.4 (Clustered Mode Only) Creating the JDBC Data Sources for the New Data Stores

To configure the data sources for the data stores:

  1. In a Web browser, connect to the WebSphere administrative console.

  2. Select Resources, then select JDBC.

  3. Select Data Sources.

  4. In the Scope list, select Cell=XL_CELL.

  5. Create the data source for the IntegrationORM data store as follows:

    1. Click New.

    2. In the Data source name field, enter Integration_ORM_DS.

    3. In the JNDI name field, enter jdbc/Integration_ORM_DS.

    4. Click Next.

    5. Choose the Select an existing JDBC provider option.

    6. Select XL XA Provider from the list, then click Next.

    7. In the URL field, enter the JDBC connection string for the XL XA Provider. For example, jdbc:oracle:thin:@ip_address:port:instance.

      Note:

      The URL entered here is the same as that entered for the XA data source for Oracle Identity Manager.
    8. In the Data store helper class name list, select either Oracle10g data store helper or Oracle11g data store helper, depending on your database.

    9. Select Use this data source in container managed persistence (CMP), then click Next.

    10. Click Finish.

    11. Click Integration_ORM_DS.

    12. In the Additional Properties section, click Connection Pool Properties.

    13. In the Maximum connections field, enter 50.

    14. In the Minimum connections field, enter 30.

    15. In the Aged Timeout field, enter 10000.

    16. Click OK.

  6. Create the data source for the IntegrationRole data store as follows:

    1. Click New.

    2. In the Data source name field, enter Integration_Role_DS.

    3. In the JNDI name field, enter jdbc/Integration_Role_DS.

    4. Click Next.

    5. Choose the Select an existing JDBC provider option.

    6. Select XL XA Provider from the list, then click Next.

    7. In the URL field, enter the JDBC connection string for the data source. For example, jdbc:oracle:thin:@ip_address:port:instance.

      Note:

      The URL entered here is the same as that entered for the XA data source for Oracle Identity Manager.
    8. In the Data store helper class name list, select either Oracle10g data store helper or Oracle11g data store helper, depending on your database.

    9. Select Use this data source in container managed persistence (CMP), then click Next.

    10. Click Finish.

    11. Click Integration_Role_DS.

    12. In the Additional Properties section, click Connection Pool Properties.

    13. In the Maximum connections field, enter 50.

    14. In the Minimum connections field, enter 30.

    15. In the Aged Timeout field, enter 10000.

    16. Click OK.

8.3.5 Creating the JMS Messaging Buses

To create the JMS messaging buses:

  1. Select Service integration, then select Buses.

  2. Create the Role Update bus as follows:

    1. Click New.

    2. Enter OIMRoleUpdateBus as the name for the Role Update bus.

    3. Select Bus security, then click Next.

    4. Click Finish, then save your changes.

  3. Create the OIM ORM bus as follows:

    This is the bus for sending messages from Oracle Identity Manager to Oracle Role Manager. For example, this bus is used for create user scenarios.

    1. Click New.

    2. Enter OIM ORM Bus as the name for the bus.

      Note:

      Bus names used here on the Oracle Identity Manager server must not duplicate the nonforeign bus names used on the Oracle Role Manager server.
    3. Select Bus security, then click Next.

    4. Click Finish, then save your changes.

  4. If you are configuring a clustered server environment, add the cluster to each of the newly created buses as follows:

    1. Click the bus link, then click Bus members.

    2. Click Add.

    3. Choose the Cluster option, the cluster to use from the list, for example XL_JMS_CLUSTER.

    4. Click Next.

    5. In the Select the type of message store list, select Data Store, then click Next.

    6. In the Data source JNDI name field, enter either of following names, depending on which bus you are modifying.

      - For the OIM ORM Bus, enter jdbc/Integration_ORM_DS.

      - For the OIMRoleUpdateBus, enter jdbc/Integration_Role_DS.

    7. In the Schema Name field, enter either of the following names, depending on which bus you are modifying:

      - For the OIM ORM Bus, enter IntegrationORM.

      - For the OIMRoleUpdateBus, enter IntegrationRole.

    8. In the Authentication alias list, select either of following aliases, depending on which bus you are modifying:

      - For the OIM ORM Bus, select XL_MANAGER_NODE/IntegrationORMBus.

      - For the OIMRoleUpdateBus, select XL_MANAGER_NODE/IntegrationRoleBus.

    9. Ensure that Create Tables is selected.

    10. Click Next, click Finish, then save your changes.

  5. For nonclustered environments, add the server to each of the newly created buses as follows:

    1. Click the bus link, then click Bus members.

    2. Select the server used for Oracle Identity Manager, then click Next.

    3. In the Select the type of message store list, select File Store, then click Next, then click Next again.

    4. Click Finish, then save your changes.

8.3.6 Configuring the OIM ORM Bus

To add the foreign bus to the OIM ORM Bus:

  1. Click Service integration, then select Buses.

  2. Select OIM ORM Bus.

  3. Create the foreign bus as follows:

    1. Under Topology, click Foreign buses.

    2. Click New.

    3. In the Name field, enter ORM Bus, then click Next.

      Note:

      This foreign bus name must exactly match the bus name on the Oracle Role Manager server.
    4. Select Direct, service integration bus link as the routing type, then click Next.

    5. Click Next again.

    6. Click Finish, then save your changes.

  4. Add the foreign bus link as follows:

    1. Click OIM ORM Bus.

    2. Under Topology, click Messaging engines.

    3. Select the messaging engine to which you want to add the service integration bus links.

    4. Under Additional properties, click Service integration bus links.

    5. Click New.

    6. In the Name field, enter OIM ORM Link.

    7. In the Foreign Bus Name list, select ORM Bus.

      Note:

      This foreign bus name must exactly match the bus name on the Oracle Role Manager server.

    8. In the Remote message engine name field, enter the messaging engine name of the ORM Bus. For example, orm_server_node.orm_server-ORM Bus.

      Note:

      The remote message engine name must be in the form orm_server_node_name.orm_server_name followed by a hyphen and the name of the foreign bus. For clustered environments, the name must be in the form orm_cluster_name.index-ORM Bus, for example ORM_CLUSTER.000-ORM Bus.

    9. In the Bootstrap endpoints field, enter the Oracle Role Manager server's host name followed by a colon (:), the SIB endpoint secure address followed by a colon (:), then BootstrapSecureMessaging. For example, orm_host:secure_sib:BootstrapSecureMessaging.

      Note:

      For clustered environments, endpoints should be in the form orm_host:secure_sib:BootstrapSecureMessaging,orm_host:secure_sib:BootstrapSecureMessaging where orm_host is the foreign server and secure_sib is the foreign server's SIB_ENDPOINT_SECURE_ADDRESS.

    10. In the Target inbound transport chain field, enter InboundSecureMessaging.

    11. Click OK.

  5. Configure foreign bus destinations as follows:

    1. Click OIM ORM Bus, then click Destinations.

    2. Click New.

    3. Choose Foreign as the destination type, then click Next.

    4. Enter Incoming Event Queue as the identifier.

      Note:

      This name must exactly match the name of the incoming event queue destination on the Oracle Role Manager server.

    5. Specify ORM Bus as the bus member to own the queue, then click Next.

    6. Click Finish, then save your changes.
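The remote messaging engine name, the bootstrap endpoints and the transport chain entered in steps 8 through 10 above follow strict naming rules, and a typo in any of them leaves the link unable to connect, or connecting over the wrong chain. The following checker, an added example that is not part of this guide, validates those three fields against the rules in the notes above before they are typed into the console; the node, server and port values in it are constructed, and it assumes node, server and cluster names consist of word characters.

```python
import re

# Values this section prescribes for the link (steps 9 and 10 above).
SECURE_BOOTSTRAP_CHAIN = "BootstrapSecureMessaging"
SECURE_INBOUND_CHAIN = "InboundSecureMessaging"

# Assumption: node, server and cluster names are made of word characters.
_IDENT = r"[A-Za-z0-9_]+"


def check_remote_engine_name(name, foreign_bus, clustered=False):
    """Return the problems with a 'Remote message engine name' value.

    Nonclustered form: orm_server_node.orm_server-<foreign bus>
    Clustered form:    orm_cluster_name.NNN-<foreign bus>, e.g. ORM_CLUSTER.000-ORM Bus
    """
    suffix = "-" + foreign_bus
    if not name.endswith(suffix):
        return [f"{name!r} must end with {suffix!r} (hyphen plus the foreign bus name)"]
    prefix = name[: -len(suffix)]
    pattern = rf"{_IDENT}\.\d{{3}}" if clustered else rf"{_IDENT}\.{_IDENT}"
    if not re.fullmatch(pattern, prefix):
        expected = "cluster_name.NNN" if clustered else "node_name.server_name"
        return [f"{prefix!r} is not of the form {expected}"]
    return []


def check_bootstrap_endpoints(value, clustered=False):
    """Return the problems with a 'Bootstrap endpoints' value.

    Each comma-separated entry must be orm_host:secure_sib:BootstrapSecureMessaging,
    where secure_sib is the foreign server's SIB_ENDPOINT_SECURE_ADDRESS port.
    """
    problems = []
    endpoints = [e.strip() for e in value.split(",") if e.strip()]
    if not endpoints:
        return ["no bootstrap endpoint given"]
    if clustered and len(endpoints) < 2:
        problems.append("clustered environments list one endpoint per ORM cluster member")
    for ep in endpoints:
        parts = ep.split(":")
        if len(parts) != 3:
            problems.append(f"{ep!r}: expected orm_host:secure_sib:{SECURE_BOOTSTRAP_CHAIN}")
            continue
        host, port, chain = parts
        if not host:
            problems.append(f"{ep!r}: missing host name")
        if not (port.isdigit() and 1 <= int(port) <= 65535):
            problems.append(f"{ep!r}: port must be the numeric SIB_ENDPOINT_SECURE_ADDRESS")
        if chain != SECURE_BOOTSTRAP_CHAIN:
            # The basic chain would bootstrap over the non-SSL SIB port instead.
            problems.append(f"{ep!r}: chain must be {SECURE_BOOTSTRAP_CHAIN}, not {chain!r}")
    return problems


def check_link(remote_engine, foreign_bus, endpoints, inbound_chain, clustered=False):
    """Check all three link fields together; an empty list means the link is well-formed."""
    problems = check_remote_engine_name(remote_engine, foreign_bus, clustered)
    problems += check_bootstrap_endpoints(endpoints, clustered)
    if inbound_chain != SECURE_INBOUND_CHAIN:
        problems.append(f"target inbound transport chain must be {SECURE_INBOUND_CHAIN}")
    return problems


if __name__ == "__main__":
    # Constructed sample values; 7286 stands in for the secure SIB port.
    print(check_link("orm_server_node.orm_server-ORM Bus", "ORM Bus",
                     "orm_host:7286:BootstrapSecureMessaging", SECURE_INBOUND_CHAIN))
    print(check_link("ORM_CLUSTER.000-ORM Bus", "ORM Bus",
                     "orm1:7286:BootstrapBasicMessaging", "InboundBasicMessaging", clustered=True))
```

The same checks apply to the RoleUpdateLink configured in the next section, with ORMRoleUpdateBus as the foreign bus name.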

8.3.7 Configuring the Role Update Bus

To configure the role update bus:

  1. Click Service integration, then select Buses.

  2. Select OIMRoleUpdateBus.

  3. Create the foreign bus as follows:

    1. Under Topology, click Foreign buses.

    2. Click New.

    3. In the Name field, enter ORMRoleUpdateBus, then click Next.

      Note:

      The foreign bus name must exactly match the bus name on the Oracle Role Manager server.

    4. Select Direct, service integration bus link as the routing type, then click Next.

    5. Click Next.

    6. Click Finish, then save your changes.

  4. Create the foreign bus link as follows:

    1. Click OIMRoleUpdateBus.

    2. Under Topology, click Messaging engines.

    3. Select the messaging engine to which you want to add the service integration bus links.

    4. Under Additional properties, click Service integration bus links.

    5. Click New.

    6. In the Name field, enter RoleUpdateLink.

    7. In the Foreign Bus Name list, select ORMRoleUpdateBus.

      Note:

      This foreign bus name must exactly match the bus name on the Oracle Role Manager server.

    8. In the Remote message engine name field, enter the messaging engine name of ORMRoleUpdateBus. For example: orm_server_node.orm_server-ORMRoleUpdateBus.

      Note:

      The remote message engine name must be in the form orm_server_node_name.orm_server_name followed by a hyphen and the name of the foreign bus.

    9. Click OK.

  5. Configure bus destinations as follows:

    1. Click OIMRoleUpdateBus to return to that page.

    2. Click Destinations.

    3. Click New.

    4. Choose Queue as the destination type, then click Next.

    5. Enter RoleUpdateDest as the identifier, then click Next.

    6. Specify the bus member to own the queue, then click Next.

    7. Click Finish, then save your changes.

8.3.8 Configuring JMS Queue Connection Factories

To configure JMS queue connection factories:

  1. From Resources, select JMS, then select Queue connection factories.

  2. Select the cell scope used for Oracle Identity Manager, then click New.

  3. Choose Default messaging provider, then click OK.

  4. In the Name field, enter ormJMSConnectionFactory.

  5. In the JNDI name field, enter /oim/OIMserver/QueueConnectionFactory.

  6. In the Bus name list, select OIMRoleUpdateBus.

  7. In the Advanced Administration area, in the Component-managed authentication alias list, select OIMALIAS.

  8. Click OK, then save your changes.

  9. Click New.

  10. Choose Default messaging provider, then click OK.

  11. In the Name field, enter OIM ORM QCF.

  12. In the JNDI name field, enter orm/jms/QueueConFac.

  13. In the Bus name list, select OIM ORM Bus.

  14. In the Advanced Administration area, in the Component-managed authentication alias list, select OIMALIAS.

  15. In the Target inbound transport chain field, enter InboundSecureMessaging.

  16. Click OK, then save your changes.

8.3.9 Creating the Oracle Role Manager JMS Queue

To configure the Oracle Role Manager queue:

  1. From Resources, select JMS, then select Queues.

  2. Select the cell scope used previously, then click New.

  3. Choose Default messaging provider, then click OK.

  4. In the Name field, enter ormJMSQueue.

  5. In the JNDI name field, enter oim/OIMserver/RoleManagerQueue.

  6. In the Bus name list, select OIMRoleUpdateBus.

  7. In the Queue name list, select RoleUpdateDest.

  8. Click OK, then save your changes.

8.3.10 Creating the OIM ORM JMS Queue

To configure the OIM ORM queue:

  1. From Resources, select JMS, then select Queues.

  2. Select the cell scope used previously, then click New.

  3. Choose Default messaging provider, then click OK.

  4. In the Name field, enter OIM ORM Queue.

  5. In the JNDI name field, enter orm/jms/IncomingEventQueue.

  6. In the Bus name list, select ORM Bus.

  7. In the Queue name list, select Incoming Event Queue.

  8. Click OK, then save your changes.

8.3.11 Configuring JMS Activation Specifications

To configure the Oracle Role Manager JMS activation specification:

  1. From Resources, select JMS, then select Activation specifications.

  2. Select the same cell scope used previously, then click New.

  3. Choose Default messaging provider, then click OK.

  4. In the Name field, enter ormJMSActiveSpec.

  5. In the JNDI name field, enter orm/jms/ormJMSActiveSpec.

  6. In the Destination type list, select Queue.

  7. In the Destination JNDI name field, enter oim/OIMserver/RoleManagerQueue.

  8. In the Bus name list, select OIMRoleUpdateBus.

  9. In the Authentication Alias list, select OIMALIAS.

  10. Click OK, then save your changes.

8.3.12 Configuring Security Credentials on the Role Update Bus

To configure security credentials for the Role Update Bus:

  1. Configure users and authentication for the bus as follows:

    1. From Security, select Bus security.

    2. Click OIMRoleUpdateBus.

    3. In the Additional Properties area, click Security.

    4. In the Additional Properties area, select Users and groups in the bus connector role, then click New.

    5. Select User name, then enter ormSystem.

    6. Click OK, then save your changes.

  2. Set the foreign bus link authentication alias as follows:

    1. Click OIMRoleUpdateBus to return to that page.

    2. In the Topology section, click Messaging engines.

    3. Select the messaging engine to which you added the service integration bus link.

    4. In the Additional Properties section, click Service integration bus links.

    5. Click RoleUpdateLink.

    6. In the Authentication alias field, select OIMALIAS.

    7. Click OK.

  3. Save your changes.

8.3.13 Configuring Security Credentials on the OIM ORM Bus

To configure users for the OIM ORM Bus:

  1. Click Service integration, then select Buses.

  2. Click OIM ORM Bus.

  3. Configure users and authentication for the bus as follows:

    1. In the Additional Properties area, click Security.

    2. In the Inter-engine authentication alias field, select OIMALIAS, then click Apply.

    3. Click OK, then save your changes.

    4. Click OIM ORM Bus.

    5. In the Additional Properties area, select Security.

    6. In the Additional Properties area, select Users and groups in the bus connector role, then click New.

    7. Select User name, then enter ormSystem.

    8. Click OK, then save your changes.

  4. Set the foreign bus link authentication alias as follows:

    1. Click OIM ORM Bus to return to that page.

    2. In the Topology section, click Messaging engines.

    3. Select the messaging engine to which you added the service integration bus link.

    4. In the Additional Properties section, click Service integration bus links.

    5. Click OIM ORM Link.

    6. In the Authentication alias field, select OIMALIAS.

    7. Click OK, then save your changes.

8.3.14 Configuring Outbound Authentication

Configuring outbound authentication prevents the Oracle Identity Manager server from sending basic authentication credentials (a user ID and password) over CSIv2 outbound connections to the Oracle Role Manager server.

To configure outbound authentication:

  1. From Security, select Secure administration, applications, and infrastructure.

  2. Expand RMI/IIOP security, then click CSIv2 outbound authentication.

  3. In the Basic authentication section, select Never.

  4. Click OK, then save your changes.

8.3.15 Granting Sender Roles to the System User

This task must be performed using the wsadmin command-line tools provided by WebSphere. WebSphere must be running before performing this procedure.

Note:

The commands in this procedure require the WebSphere Administrator user name and password. If you do not have those values, contact a WebSphere administrator.

Note:

The user ID specified in the commands in the following procedure is ormSystem. If you have a different user associated with Oracle Role Manager or if you did not use the default bus names from this document, you must specify those values instead.

To grant the Sender roles:

  1. On the host where Oracle Identity Manager is deployed, run the following command:

    DEPLOYMENT_MANAGER_HOME/bin/wsadmin.bat
    

    where DEPLOYMENT_MANAGER_HOME is the home directory of the deployment manager. For example, C:\IBM\WebSphere\AppServer\profiles\XL_MANAGER_PROFILE.

  2. At the prompt, grant the Sender role for foreign destinations with the following command:

    $AdminTask addUserToDestinationRole {-type foreignDestination -bus "OIM ORM Bus" -destination "Incoming Event Queue" -foreignBus "ORM Bus" -role Sender -user ormSystem}
    $AdminTask addUserToForeignBusRole {-bus "OIM ORM Bus" -foreignBus "ORM Bus" -role Sender -user ormSystem}
    $AdminConfig save
    quit
    

8.3.16 Creating the Shared Libraries

To configure the shared libraries:

  1. Create the IntegrationJars shared library as follows:

    1. From Environment, select Shared Libraries, then select the same cell scope used for Oracle Identity Manager.

    2. Click New.

    3. In the Name field, enter IntegrationJars.

    4. In the Classpath field, enter the full path to the following JAR files:

      ORMINT_HOME/lib/orm_encryption.jar
      ORMINT_HOME/lib/server_api_14.jar
      ORMINT_HOME/lib/websphere_stubs.jar
      OIM_HOME/lib/xlAPI.jar
      

      Press Enter after each path to specify the class path for the next JAR file.

    5. Click OK, then save your changes.

  2. Create the IntegrationSecurity shared library as follows:

    1. From Environment, select Shared Libraries, then select the same cell scope used for Oracle Identity Manager.

    2. Click New.

    3. In the Name field, enter IntegrationSecurity.

    4. In the Classpath field, enter the full path to the following JAR file, then press Enter:

      ORMINT_HOME/lib/orm_encryption.jar
      
    5. Click OK, then save your changes.

  3. If you are configuring a clustered server environment, copy the libraries as follows on each managed node:

    1. In the file system where Oracle Identity Manager is deployed, create the following directory if it does not exist:

      OIM_appserver/java/jre/lib/endorsed
      

      where OIM_appserver/java is the JDK directory for WebSphere. For example, C:\IBM\WebSphere\AppServer\java.

    2. Copy the following libraries into the endorsed directory:

      ORMINT_HOME/lib/xercesImpl.jar
      ORMINT_HOME/lib/xml-apis.jar
      

8.3.17 Adding the Integration Library System Properties

To add the Integration Library JVM system properties:

  1. From Servers, select Application Servers, then select the server on which Oracle Identity Manager is deployed.

  2. Under Server Infrastructure, expand Java and Process Management, then click Process Definition.

  3. Under Additional Properties, click Java Virtual Machine.

  4. Under Additional Properties, click Custom Properties.

  5. Click New.

  6. In the Name field, enter ORMINT_ROOT_DIR.

  7. In the Value field, enter the full path to the Oracle Role Manager Integration Library home directory, for example C:/ORMINT_HOME.

  8. In the Description field, enter Location of the Oracle Role Manager Integration Library home directory.

  9. Click Apply, then save your changes.

  10. For these changes to go into effect, restart the Oracle Identity Manager server.

  11. For clustered server environments, repeat these steps for each Oracle Role Manager server in the XL_CLUSTER cluster.

8.4 Configuring Signer Certificates

Configuring signer certificates for clustered and nonclustered server environments involves exporting and importing certificates from both the target and source systems as described in this section.

In this section:

8.4.1 Exporting the Oracle Role Manager Certificates

To export the certificates from Oracle Role Manager:

  1. On the application server host for the Oracle Role Manager, connect to the WebSphere administrative console.

    Note:

    For clustered environments, connect to the WebSphere administrative console on the host server that is the primary node for the Oracle Role Manager cluster.

  2. From Security, select SSL certificate and key management.

  3. In the Related Items section, click Key stores and certificates.

  4. For clustered environments, click CellDefaultTrustStore.

  5. For nonclustered environments, click NodeDefaultTrustStore.

  6. In the Additional Properties section, click Signer certificates.

  7. Perform the following steps for each certificate named default or defaultx (where x is a number):

    1. Select the certificate.

    2. Click Extract.

    3. In the File name field, enter a name for the certificate file. For example, orm_signer.cer or orm_signer_x.cer.

    4. Click OK.

  8. On the file system, navigate to WAS_HOME/AppServer/profiles/server/etc.

  9. Copy the exported certificate to the equivalent directory on the Oracle Identity Manager host, for example, C:\IBM\WebSphere\AppServer\profiles\XL_MANAGER_PROFILE\etc.

    These certificates must be imported into the Oracle Identity Manager cluster's primary node following the steps in Section 8.4.2.

8.4.2 Importing and Exporting Certificates on Oracle Identity Manager

To import and export certificates on Oracle Identity Manager:

  1. On the application server host for the Oracle Identity Manager, connect to the WebSphere administrative console.

    Note:

    For clustered environments, connect to the WebSphere administrative console on the host server that is the primary node for the Oracle Identity Manager cluster.

  2. From Security, select SSL certificate and key management.

  3. In the Related Items section, click Key stores and certificates.

  4. For clustered environments, click CellDefaultTrustStore.

  5. For nonclustered environments, click NodeDefaultTrustStore.

  6. In the Additional Properties section, click Signer certificates.

  7. Import each of the certificates exported from Oracle Role Manager as follows:

    1. Click Add.

    2. In the Alias field, enter a unique alias for the certificate, for example, ormcert1.

    3. In the File name field, enter the file name, for example orm_signer.cer.

    4. Click OK.

  8. Export each certificate named default or defaultx (where x is a number) as follows:

    1. Select the certificate.

    2. Click Extract.

    3. In the Name field, enter a file name, for example oim_signer.cer or oim_signer_x.cer.

    4. Click OK.

  9. On the file system, navigate to WAS_HOME/AppServer/profiles/server/etc.

  10. Copy the exported certificate to the equivalent directory on the Oracle Role Manager host.

    These certificates must be imported into the Oracle Role Manager cluster's primary node following the steps in Section 8.4.3.

8.4.3 Importing the Oracle Identity Manager Certificates

To import certificates on Oracle Role Manager:

  1. On the application server host for the Oracle Role Manager, connect to the WebSphere administrative console.

    Note:

    For clustered environments, connect to the WebSphere administrative console on the host server that is the primary node for the Oracle Role Manager cluster.

  2. From Security, select SSL certificate and key management.

  3. In the Related Items section, click Key stores and certificates.

  4. For clustered environments, click CellDefaultTrustStore.

  5. For nonclustered environments, click NodeDefaultTrustStore.

  6. In the Additional Properties section, click Signer certificates.

  7. For each of the certificates exported from Oracle Identity Manager, do the following:

    1. Click Add.

    2. In the Alias field, enter a unique alias for the certificate, for example, oimcert1.

    3. In the File name field, enter the file name, for example oim_signer.cer.

    4. Click OK.
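The signer files exchanged in Sections 8.4.1 through 8.4.3 travel between the two hosts by a plain file copy, so before a signer is added to a trust store its fingerprint should be compared with the one shown under Signer certificates on the exporting cell. The following script, an added example that is not part of this guide, computes the SHA1 and SHA256 fingerprints of an extracted signer file; it assumes the file is either Base64-encoded ASCII or binary DER, the two data types WebSphere's Extract dialog offers, and the sample bytes in it are constructed and are not a real certificate.

```python
import base64
import hashlib
import re

# The Extract dialog writes either Base64-encoded ASCII (PEM armour) or binary DER.
_PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

# Constructed sample (not a real certificate): a tiny DER SEQUENCE and its PEM wrapping.
SAMPLE_DER = b"\x30\x03\x02\x01\x05"
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")


def der_from_file_bytes(data):
    """Return the DER bytes of the first certificate in a PEM or DER file."""
    m = _PEM_BLOCK.search(data)
    if m:
        return base64.b64decode(b"".join(m.group(1).split()), validate=True)
    if data[:1] != b"\x30":  # every DER certificate starts with a SEQUENCE tag (0x30)
        raise ValueError("not a PEM or DER certificate file")
    return data


def fingerprints(der):
    """Colon-separated upper-case hex digests of the DER encoding."""
    return {
        "SHA1": ":".join(f"{b:02X}" for b in hashlib.sha1(der).digest()),
        "SHA256": ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest()),
    }


def fingerprint_file(path):
    """Fingerprint one exported signer file, e.g. orm_signer.cer."""
    with open(path, "rb") as fh:
        return fingerprints(der_from_file_bytes(fh.read()))


def same_certificate(data_a, data_b):
    """True when two files (PEM or DER, in any mix) carry the same certificate."""
    return der_from_file_bytes(data_a) == der_from_file_bytes(data_b)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        fp = fingerprint_file(path)
        print(f"{path}\n  SHA1   {fp['SHA1']}\n  SHA256 {fp['SHA256']}")
```

Run it on the exporting host against the extracted files and again on the importing host after the copy; the two outputs must match the digest shown for the signer in the console before Add is clicked.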

8.5 Deploying the Oracle Role Manager Integration Library Application on WebSphere

Note:

For clustered environments, perform this procedure on each server node, for example, XL_SERVER1_ON_NODE1, XL_SERVER2_ON_NODE2, and so forth.

Note:

For clustered environments, this procedure assumes the following:

  • ORMINT_HOME exists in an identical directory on each server host.

  • Each server host has the identical modified IMConfig.xml file in ORMINT_HOME/config.

To deploy the Integration Library application:

  1. On the Oracle Identity Manager host, create the EAR file for the Integration Library application that contains JAR files from Oracle Identity Manager as follows:

    1. In a command window, navigate to ORMINT_HOME/bin.

    2. Run the following command:

      For UNIX-based systems:

        sh create_ear.sh OIM_HOME/xellerate

      For Windows systems:

        create_ear.bat OIM_HOME/xellerate

      where OIM_HOME is the root installation directory for Oracle Identity Manager.

  2. Connect to the WebSphere administrative console for the Oracle Identity Manager application server. For example:

    http://appserverhost:9060/ibm/console
    
  3. Select Applications, then select Install New Application.

  4. Choose Remote file system, then click Browse to navigate to the ORMINT_HOME/lib directory.

  5. Select roleManagerIntegration_WebSphere6.1.ear, then click Next.

  6. On the Select installation options page, accept the defaults and click Next.

  7. On the Map modules to servers page, select roleManagerIntegration_WebSphere6.1.ear, select the cluster or server on which to deploy the Integration Library, then click Apply.

  8. Click Next.

  9. Click Finish, then save your changes.

  10. Add the IntegrationJars shared library (created in Section 8.3.16) to the Integration Library application as follows:

    1. Select Applications, then select Enterprise Applications.

    2. Click RoleManagerIntegration.

    3. Under References, click Shared library references.

    4. Select RoleManagerIntegration and then click Reference shared libraries.

    5. Select IntegrationJars and click the right arrow button to move it from the Available list to the Selected list, then click OK.

  11. Add the IntegrationSecurity shared library (created in Section 8.3.16) to the Oracle Identity Manager application as follows:

    1. Select Applications, then select Enterprise Applications.

    2. Click Xellerate.

    3. Under References, click Shared library references.

    4. Select Xellerate and then click Reference shared libraries.

    5. Select IntegrationSecurity and click the right arrow button to move it from the Available list to the Selected list, then click OK.

  12. Click OK, then save your changes.

  13. Copy the Oracle Identity Manager xlDataObjectBeans.jar file as follows:

    Note:

    This step is necessary each time the Integration Library application is deployed. For clustered server environments, this step must be executed on each server node that is part of XL_CLUSTER.

    1. Select Applications, then select Enterprise Applications.

    2. Select RoleManagerIntegration, then click Start.

      You should see a message indicating that the application has started successfully.

    3. On the WebSphere node where Oracle Identity Manager resides, find the extracted files from the Oracle Identity Manager EAR file. For example, AppServer1\profiles\AppServer01\installedApps\localCell\Xellerate.ear.

    4. In the top level, find the library file named xlDataObjectBeans.jar.

    5. Copy the xlDataObjectBeans.jar file into the lib folder of the extracted RoleManagerIntegration.ear file. For example, AppServer1\profiles\AppServer01\installedApps\localCell\RoleManagerIntegration.ear\lib.

      Copying the JAR file to this directory overwrites the existing file of the same name with an installation-specific JAR file for Oracle Identity Manager.

  14. Restart the application server.