Oracle® Access Manager Deployment Guide
10g (10.1.4.3)

Part Number E12490-01

6 Reconfiguring the System

You can change basic components that you specified during Oracle Access Manager installation, such as the person object class or the directory server host. This chapter describes system-level reconfiguration.

This chapter includes the following topics:

What Can Be Reconfigured

There are a number of basic system components that can be reconfigured:

Note:

All actions except changing the LDAP bind password require re-running setup.

Performing Reconfiguration That Requires Re-Running Setup

During installation, data that you specify is written to a number of areas, including the following:

The following procedure describes how to reconfigure Oracle Access Manager so that it works properly after you make any of the changes described in "What Can Be Reconfigured" on page 6-1.

To update the system configuration

  1. Shut down the Web server that runs the WebPass.

  2. Stop the Identity Server Service.

  3. Back up your directory configuration data by exporting it to an LDIF file.

  4. Rename the following file to ensure that you have a backup copy:

    IdentityServer_install_dir/identity/oblix/config/ois_server_config.xml.bak

  5. From the directory that you navigated to in the preceding step, back up and then delete the following files:

    • setup.xml

    • configInfo.xml

    • ois_server_config.xml

  6. Copy the file ois_server_config.bak to ois_server_config.xml.

    This action allows you to change the configuration settings when you re-run the setup program later in this procedure. It causes the Identity Server to retrieve settings from ois_server_config.xml during setup instead of retrieving the settings from the directory. The information in ois_server_config.xml is migrated to the directory when the Identity Server is restarted.

  7. In the branch of the directory where your policies are stored, locate the WebResrcDB container.

  8. In the WebResrcDB container, delete the following entries:

    • The entry for WebPass.

      The cn for this entry is the ID that you supplied when installing WebPass. Example: wp1_50.

    • The entry for the Identity Server.

      The cn for this entry is the ID that you supplied when installing the Identity Server. Example: ois1_50.

    • The entry with a timestamp for its ID.

      Example: 20010815T16221897. This entry connects the WebPass and Identity Server components.

  9. In the branch of the directory where your policies are stored, locate the DBAgents container and delete all entries under this container.

  10. Restart the Identity Server Service.

  11. Restart the Web server that runs the WebPass.

  12. From your browser, access the Identity System Console:

    http://server:port/identity/oblix/

  13. Rerun the setup program, as described in the following procedure for the Identity System, and change any settings that you want to change.

    The setup program displays the information that was previously configured for Oracle Access Manager. You can change the configuration information as needed when you rerun setup.

    See the Oracle Access Manager Identity and Common Administration Guide for details on rerunning setup for the Access System.

  14. Restart the Identity Server.

    The information in ois_server_config.xml (the server name, port, administrator DN, password, searchbase, and configuration base) is migrated back to the directory and the information in the config.xml file is deleted.

To rerun Identity System setup

  1. Shut down all but one Identity Server if there is more than one running.

  2. Go to the only remaining running Identity Server host and open the setup.xml file:

    IdentityServer_install_dir/identity/oblix/config/setup.xml

  3. Remove the status parameter, or change its value from "done" to "incomplete", as in the following example:

    <NameValPair ParamName="status" Value="incomplete"></NameValPair>
    
  4. Save the file.

  5. Restart the Identity Server.

  6. From your Web browser, launch the Identity System Console.

    You see a Setup page similar to the one that appears during the initial Identity System setup.

  7. Initiate setup again and specify the new information.

  8. After completing the setup, restart the other Identity Servers.

    The other Identity Servers should pick up the new information.

Updating the LDAP Bind Password

You may need to periodically update the LDAP bind password for the directory servers that communicate with Oracle Access Manager components. For example, you may want to update the LDAP bind password to comply with government regulations.

When you update the LDAP bind password for the directory server, you must also update corresponding entries in the Oracle Access Manager configuration directory. The configuration directory server stores Oracle Access Manager configuration data, including the directory server profiles that you defined in the Oracle Access Manager administrative console. Each directory server profile contains a Database Instance section that includes the password for the directory server.

Oracle Access Manager stores directory server profiles for the following components:

The LDAP bind password is stored in encrypted format in the configuration files. The configuration data files for the directory servers and the failover directory servers are stored in the following location:

component_install_dir/config/ldap

Oracle Access Manager provides the modify LDAP bind password tool (named ModifyLDAPBindPasswd) to enable you to reset the LDAP bind password in the Oracle Access Manager configuration files. You can reset the LDAP bind password without restarting any servers or re-running setup.

The following task overview is the recommended approach for automatic periodic updates of the bind password. You can launch the ModifyLDAPBindPasswd tool interactively instead of using a script. However, if you choose to update the password interactively, you must repeat the information for each Oracle Access Manager instance in your environment.

Task overview: Updating the LDAP Bind Password

  1. Create an encrypted file that contains the updated password, as described in "Generating the Encrypted Password File".

    Oracle recommends you use an encrypted file to provide the updated password. However, you can supply the password interactively when running the tool.

  2. Update the LDAP bind password for configuration data with the first installed Identity Server, as described in "Updating the LDAP Bind Password for Configuration Data".

  3. Update the LDAP bind password in the configuration files for each additional instance of the Identity Server, Policy Manager, and Access Server, using slightly different options than you used in Step 2.

    See "Updating the LDAP Bind Password" for details.

  4. For each directory server host name variation, re-run the tool.

    For example, if you are running a host named "computer1" that resides in domain ".company.com," you can configure the host name in Oracle Access Manager as both "computer1.company.com" and "computer1." In this case, you must run the tool once for each configured host name.

    See the information on using host name variations in the Oracle Access Manager Identity and Common Administration Guide for details.

  5. Modify the bind password in the directory server itself.

    Both the old and new passwords are stored in the Oracle Access Manager configuration files, so that the old password continues to be valid until you have completed all updates.

Additional information is provided in the following topics:

About the ModifyLDAPBindPasswd Tool and Logs

You run the ModifyLDAPBindPasswd tool for each instance of each relevant component. You can run this tool from the command line or as a script.

The ModifyLDAPBindPasswd tool is available for all platforms. It is located in the following path under the installation directory of each relevant Oracle Access Manager component:

component_install_dir/oblix/tools/modbinpasswd/ModifyLDAPBindPasswd

Where component_install_dir is the installation directory for the component (Identity Server, Policy Manager, and Access Server). You run the ModifyLDAPBindPasswd tool from the specific component_install_dir for which you want to update the directory bind password.

Note:

For security purposes, the ModifyLDAPBindPasswd tool checks the credentials for the directory server before making the changes.

If you run the tool from the command line, the tool prompts for any needed parameters and values that you failed to provide. However, you can create a script if you want to perform periodic updates of the password.

Note:

There is no rollback mechanism for this tool. You re-run the tool to ensure that the configuration files and directory server have the correct values.

If any errors occur during processing, they are written to a log file:

component_install_dir/oblix/tools/modbinpasswd/ModifyLDAPBindPasswd.log

For more information about using this tool, see the next topic, "Parameters for the ModifyLDAPBindPasswd Tool".

Parameters for the ModifyLDAPBindPasswd Tool

This topic provides tables of parameters for the ModifyLDAPBindPasswd tool. Each table focuses on a specific set of parameters, including those that are required for every procedure and use case, those that are needed in addition to required parameters for generating a password file, and those that are needed in addition to required parameters for other use cases.

Table 6-1 lists the parameters that are required to run the ModifyLDAPBindPasswd tool to update the password.

Table 6-1 Required Parameters for the ModifyLDAPBindPasswd Tool

Parameter Description

-i install_dir

This is the installation directory for the Oracle Access Manager component for which the tool is being run. This is the first parameter that must be specified when using this tool.

-c component

This is the type of component for which the tool is being run. The following are possible values for this parameter:

  • is—Use this option when running the tool for an Identity Server instance.

  • pm—Use this option when running the tool for a Policy Manager instance.

  • as—Use this option when running the tool for an Access Server instance.

Note: The component must be consistent with the path. A mismatch results in an error.

Correct: ... -i IdentityServer_install_dir -c is ...

Incorrect: ... -i IdentityServer_install_dir -c pm ...

-t target

This is the target to be updated.

The following are possible values:

  • all—When running the tool on the first component for the first time, specify all.

    First time use: You must run the tool for the first time on the first installed Identity Server. The all value updates the LDAP bind password for the directory server in all directory server profiles and configuration files for the Identity Server.

  • file—Updates the LDAP bind password in all relevant configuration files.

    Use this option for subsequent Identity Servers, the Policy Manager, and the Access Server.

  • ds—Use this option to update the LDAP bind password for the Identity Server if user data is stored in a separate directory server from the configuration data.

    Run the tool from the Identity Server installation directory if you use the ds option.


Table 6-2 illustrates the command options that you use with the ModifyLDAPBindPasswd tool to generate a password in an encrypted file. These parameters are specified in addition to the standard required parameters in the previous table.

Table 6-2 Parameters for Creating an Encrypted Password

Parameter Description

-genpasswdfile

Indicates that the tool should generate a password file.

This file can be passed when you run the ModifyLDAPBindPasswd tool to update the password.

filename

You can supply either the full path and name of the file that will contain the password, or just the file name. If you do not supply an .xml extension, it is supplied automatically. This file is encrypted.


Table 6-3 lists the additional parameters for the ModifyLDAPBindPasswd tool. If you omit one of these parameters from the command line, the tool prompts for the parameter if it is needed. There are no default values for these parameters. These parameters are in addition to the standard required parameters in Table 6-1.

Table 6-3 Additional Parameters for Changing the LDAP Bind Password

Parameter Description and Caveats

-h host

The name of the computer that stores the directory profile where you want to update the directory server LDAP bind password.

-p port

The listen port for the computer that stores the directory profile where you want to update the directory server LDAP bind password.

-D bind dn

The bind DN for the directory server that stores the configuration data.

-w bind password

The bind password for the directory server that stores the configuration data in clear text format.

Do not specify this option if you are using the -j option to pass in an encrypted password file.

-j file_for_bind_password

Use this option if you are running the command using a script. This file contains all of the passwords that are required to update the bind password.

If you use this option, the -w, -x, and -y options cannot be specified.

-u host

The computer that contains the directory server whose bind password you are updating.

Do not specify this option if you are using the -s option to update the password on the same directory server that contains configuration data.

-v port

The listen port for the computer that contains the directory server where you want to change the bind password.

Do not specify this option if you are using the -s option to update the password on the same directory server that contains configuration data.

-E bind dn

The bind DN for the directory server whose bind password you are changing.

Do not specify this option if you are using the -s option to update the password on the same directory server that contains configuration data. This applies to the Identity Server, Access Server, and Policy Manager.

-x old password

The existing bind password for the directory server whose bind password you are updating.

Do not specify this option if you are using the -j option. Also do not specify this option if you are using the -s option to update the password on the same directory server that contains configuration data.

-y new password

The new bind password for the directory server whose bind password you are updating.

Do not specify this option if you are using the -j option to pass in an encrypted password file.

-Z

Valid if the directory server being updated is different from the configuration directory server. If you specify this parameter, the bind occurs in SSL mode. If you omit it, open mode is used.

Do not specify this option if you are using the -s option to update the password on the same directory server that contains configuration data.


About Using a Script

If you choose to run the ModifyLDAPBindPasswd tool from a script rather than interactively, be sure of the path to the script and set appropriate permissions for the owner and for those who will use the script.

When using a script, you must generate the password file as described in "To generate the encrypted password file". This file contains all of the passwords that are required to update the bind password. Also, you must pass the encrypted password file using the -j file_for_bind_password parameter. In this case, the -w, -x, and -y options cannot be specified. For more information, see Table 6-3.
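A wrapper for the scripted approach just described, added here as an example (it is not Oracle's tool or a script from this guide). It drives ModifyLDAPBindPasswd with -t all for the first Identity Server and -t file for every other instance, once per configured host name variant, supplies passwords only through the encrypted -j file, refuses a password file that others can read, and stops at the first failure because the tool has no rollback. The install paths, host name variants, port, bind DN and password file path are assumptions for illustration.

```shell
#!/bin/sh
# Added example wrapper (not Oracle's own script) for the scripted approach
# described in the guide: run ModifyLDAPBindPasswd on every component
# instance, -t all for the first Identity Server and -t file for the rest,
# once per configured host name variant, passwords supplied only through the
# encrypted -j file (so -w/-x/-y never appear on a command line or in ps).
#
# Every value below is an assumption for illustration: install paths,
# host name variants, port, bind DN and the password file path.

PASSWD_FILE=/home/oracle/bindpw.xml        # produced with -genpasswdfile
CONFIG_DS_PORT=389
CONFIG_DS_BIND_DN="cn=Directory Manager"
HOST_VARIANTS="computer1 computer1.company.com"
# install_dir:component pairs; the FIRST line must be the first Identity Server
INSTANCES="/opt/oam/identity:is
/opt/oam/identity2:is
/opt/oam/access:pm
/opt/oam/access_server:as"
DRY_RUN=${DRY_RUN:-1}                      # 1 = print commands only, 0 = execute

# Refuse a password file that anyone but its owner can read.
check_passwd_file() {
    [ -f "$1" ] || { echo "missing password file: $1" >&2; return 1; }
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    case "$mode" in
        600|400) return 0 ;;
        *) echo "$1 has mode $mode; expected 600" >&2; return 1 ;;
    esac
}

# Print one tool invocation: $1 install_dir, $2 component, $3 target, $4 host.
# -h/-p/-D are given explicitly so the tool does not stop at a prompt.
build_cmd() {
    printf '%s/oblix/tools/modbinpasswd/ModifyLDAPBindPasswd -i %s -c %s -t %s -h %s -p %s -D "%s" -j %s\n' \
        "$1" "$1" "$2" "$3" "$4" "$CONFIG_DS_PORT" "$CONFIG_DS_BIND_DN" "$PASSWD_FILE"
}

# Call "$1 dir comp target host" for every instance and host variant, in the
# order the guide prescribes; stop at the first failure.
each_invocation() {
    first=1
    printf '%s\n' "$INSTANCES" | while IFS=: read -r dir comp; do
        [ -n "$dir" ] || continue
        if [ "$first" -eq 1 ]; then target=all; first=0; else target=file; fi
        for host in $HOST_VARIANTS; do
            "$1" "$dir" "$comp" "$target" "$host" || exit 1
        done
    done
}

plan_commands() { each_invocation build_cmd; }

run_one() {
    cmd=$(build_cmd "$@")
    echo "+ $cmd"
    [ "$DRY_RUN" -eq 0 ] || return 0
    # No rollback exists: a failure leaves files partly updated, so stop here,
    # read the tool log and re-run rather than continuing to other instances.
    eval "$cmd" || { echo "FAILED: $cmd" >&2; return 1; }
    log="$1/oblix/tools/modbinpasswd/ModifyLDAPBindPasswd.log"
    [ -s "$log" ] && echo "note: $log is non-empty, review it" >&2
    return 0
}

run_all() { check_passwd_file "$PASSWD_FILE" && each_invocation run_one; }

case "${1:-}" in
    plan) plan_commands ;;
    run)  run_all ;;
esac
```

Preview the full sequence with `sh update_bindpw.sh plan`, then execute it with `DRY_RUN=0 sh update_bindpw.sh run`.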

Updating the LDAP Bind Password

The following topics describe and illustrate tasks that you perform:

About Updating the LDAP Bind Password

The procedures for updating the LDAP Bind password include individual steps to ensure that the password is updated appropriately, as follows:

First Identity Server and Directory Profiles: You must update the LDAP bind password that is stored in the Identity Server configuration files (the config.xml files) and all directory profiles for the directory server. When running the tool on the first component for the first time, you must specify the -t parameter with the all option. The all option updates the LDAP bind password for the directory server in all directory server profiles and configuration files for the Identity Server.

$ modifyldapbindpasswd -i /opt/oam/identity -c is -t all
Please enter host machine for Configuration DS : YourConfigDSName

Remaining Identity Servers, All Policy Managers and Access Servers: You must update the LDAP bind password in the configuration files for each additional instance of the Identity Server, Policy Manager, and Access Server. In this case, you use many of the same parameters as you did for the first Identity Server instance. The exception is the -t parameter which, in this case, requires the file option.

$ modifyldapbindpasswd -i /opt/oam/access -c pm -t file
Please enter host machine for Configuration DS : YourConfigDSName

Different Host Names: You must repeat the procedure for each directory server host name variation. For example, if you are running a host named computer1 that resides in domain company.com, you can configure the host name in Oracle Access Manager as both computer1 and computer1.company.com. In this case, you must run the tool once for each configured host name. With chosen options, you are prompted for the host name of the directory server containing configuration data. For example:

$ modifyldapbindpasswd -i /opt/oam/identity -c is -t all
Please enter host machine for Configuration DS : YourConfigDSName

See the information on using host name variations in the Oracle Access Manager Identity and Common Administration Guide.

Modifying the Password in the Directory Server Itself: Both the old and new passwords are stored in the Oracle Access Manager configuration files. The old password continues to be valid until you have completed all updates. To perform this task, you must run the tool with the -x and -y options as shown here:

$ modifyldapbindpasswd -i /opt/oam/identity -c is -t all -x oldpassword -y newpassword
Please enter host machine for Configuration DS : YourConfigDSName

In addition to the parameters that are required for each operation in the procedures provided here, you can add additional parameters and options to suit your needs.

Generating the Encrypted Password File

Oracle recommends you use an encrypted file to provide the updated password. However, you can supply the password interactively when running the tool. During this procedure you are asked to provide information through a number of questions.

When you supply the name of the encrypted file to generate, the following specifications are acceptable:

-genpasswdfile test
-genpasswdfile test.xml
-genpasswdfile /home/oracle/test
-genpasswdfile /home/oracle/test.xml

In the filename, an .xml extension is provided automatically if you do not supply one. A separator after the filename (/ on UNIX or \ on Windows) produces an error.

Incorrect:

-genpasswdfile test/
-genpasswdfile /home/oracle/test/

Oracle recommends that you read and respond to all prompts presented during the procedure. The following procedure illustrates steps that you perform from a Windows platform.

Note:

On UNIX systems, the steps are the same; however, the tool name does not include the .exe extension. Path names might vary in your environment.

To generate the encrypted password file

  1. Access the ModifyLDAPBindPasswd tool from the following directory:

    component_install_dir/oblix/tools/modbinpasswd/ModifyLDAPBindPasswd

    Where component_install_dir is the installation directory for the component for which you are updating the directory bind password.

  2. Run the ModifyLDAPBindPasswd command with the following options:

    modifyldapbindpasswd.exe -i install_dir -c component -t target -genpasswdfile filename

    Here filename is the name of the password file. For example, you might enter myfile, which generates myfile.xml. When you do not supply an .xml extension, it is supplied automatically. See also Table 6-1, "Required Parameters for the ModifyLDAPBindPasswd Tool".

  3. Follow the prompts that appear to fill in the appropriate information for your deployment. For example:

    Please enter bind password for Configuration DS : your_bind_pw
    
    Is DS information to be updated same as Config DS? : 1(Y) 2(N) :1
    
    Please enter New bind password for DS for which the password is updated :
    new_bind_pw
    
    Please confirm New bind password for DS for which the password is updated : 
    new_bind_pw
    
  4. Review the confirmation message that identifies the location and name of the generated file. For example:

    Password file created: /home/oracle/myfile.xml 
    

Updating the LDAP Bind Password for Configuration Data

In this procedure, the steps that you must perform depend on whether policy data and configuration data are stored in separate directory servers or together. You can use the ModifyLDAPBindPasswd tool or create a script. Details about using a script are included in the following procedure.

Oracle recommends that you read and respond to all prompts presented during the procedure. The following procedure illustrates steps that you perform from a Windows platform.

Note:

On UNIX systems, the steps are the same; however, the tool name does not include the .exe extension. Path names might vary in your environment.

To update the LDAP bind password for configuration data

  1. Using a Script: Generate the password file as described in "To generate the encrypted password file".

  2. Access the ModifyLDAPBindPasswd tool from the following directory:

    IdentityServer_install_dir/oblix/tools/modbinpasswd/

    Where IdentityServer_install_dir is the installation directory for the first Identity Server for which you are updating the directory bind password.

  3. First Identity Server: Run the command for one Identity Server instance using the following options:

    modifyldapbindpasswd.exe -i install_dir -c is -t all -options
    

    For other options, see Table 6-1 and Table 6-3.

    Using a Script: Pass the encrypted password file using the -j file_for_bind_password option.

  4. Remaining Identity Server, Policy Managers, Access Servers: Locate the tool in the appropriate path for each remaining instance, and run the tool using these options:

    modifyldapbindpasswd.exe -i install_dir -c nn -t file -options
    

    Where nn represents the appropriate component ID from Table 6-1.

    Using a Script: Pass the encrypted password file using the -j file_for_bind_password option, as described in Table 6-3.

  5. Repeat this command for every variant of the host name that you have configured in Oracle Access Manager. For example:

    modifyldapbindpasswd.exe -i install_dir -c is -t all
    Please enter host machine for Configuration DS : YourConfigDSName
    

    See the information on using host name variations in the Oracle Access Manager Identity and Common Administration Guide.

  6. Update the bind password for the directory server that stores the configuration data. For example, you can provide details interactively when you include the -i, -c, and -t options:

    modifyldapbindpasswd.exe -i install_dir -c is -t all -x oldpassword -y newpassword
    Please enter host machine for Configuration DS :  YourConfigDSName
    

Updating the LDAP Bind Password for User Data

In this procedure, the steps that you must perform depend on whether policy data and configuration data are stored in separate directory servers or together. You can use the ModifyLDAPBindPasswd tool or create a script. Details about using a script are included in the following procedure.

Different steps require different parameters. Pay close attention to the parameters that are required for the step that you are performing. You can include additional options as long as you provide the required parameters.

Oracle recommends that you read and respond to all prompts presented during the procedure. The following procedure illustrates steps that you perform from a Windows platform.

Note:

On UNIX systems, the steps are the same; however, the tool name does not include the .exe extension. Path names might vary in your environment.

To update the LDAP bind password for user data

  1. User Data and Configuration Data in Same Directory Server: Follow the procedure "To update the LDAP bind password for configuration data".

    Note:

    If you have already updated the LDAP bind password for configuration data, you are finished. If user data and configuration data are in different directory servers, see Step 2.

  2. User Data and Configuration Data in Different Directory Servers: Access the ModifyLDAPBindPasswd tool from the following directory, and perform remaining steps:

    component_install_dir/oblix/tools/modbinpasswd/

    Where component_install_dir is the installation directory for the component for which you are updating the directory bind password.

  3. Using a Script: Generate the password file as described in "Generating the Encrypted Password File".

  4. Run the command with the following parameters:

    modifyldapbindpasswd.exe -i install_dir -c nn -t ds -options
    

    For other options, see Table 6-1 and Table 6-3.

    Using a Script: Pass the encrypted password file using the -j file_for_bind_password option, as described in Table 6-3.

  5. Repeat this command for every variant of the host name that you have configured in Oracle Access Manager. For example:

    modifyldapbindpasswd.exe -i install_dir -c is -t all
    Please enter host machine for Configuration DS : YourConfigDSName
    

    See the information on using host name variations in the Oracle Access Manager Identity and Common Administration Guide.

  6. Update the bind password for the directory server that stores the configuration data. For example, to supply the password interactively:

    modifyldapbindpasswd.exe -i install_dir -c is -t all -x oldpassword -y newpassword
    Please enter host machine for Configuration DS :  YourConfigDSName
    

Updating the LDAP Bind Password for Policy Data

In this procedure, the steps that you must perform depend on whether policy data and configuration data are stored in separate directory servers or together. You can use the ModifyLDAPBindPasswd tool or create a script. Details about using a script are included in the following procedure.

Oracle recommends that you read and respond to all prompts presented during the procedure. The following procedure illustrates steps that you perform from a Windows platform.

Note:

On UNIX systems, the steps are the same; however, the tool name does not include the .exe extension. Path names might vary in your environment.

To update the LDAP bind password for policy data

  1. Policy Data and Configuration Data in Same Directory Server: Perform steps in "To update the LDAP bind password for configuration data".

    Note:

    If you have already updated the LDAP bind password for configuration data, you are finished. If policy data and configuration data are in different directory servers, see Step 2.

  2. Policy Data and Configuration Data in Different Directory Servers: Access the ModifyLDAPBindPasswd tool from the installation directory of the component for which you are updating the directory bind password and perform remaining steps:

    component_install_dir/oblix/tools/modbinpasswd/

    Using a Script: Generate the password file as described in "To generate the encrypted password file".

  3. First Identity Server: Run the following command for the Identity Server instance:

    modifyldapbindpasswd.exe -i install_dir -c is -t ds -options
    

    For other options, see Table 6-1 and Table 6-3.

    Using a Script: Pass the encrypted password file using the -j file_for_bind_password option, as described in Table 6-3.

  4. Remaining Identity Servers, Policy Managers, Access Servers: Run the following command for the remaining instances of the Policy Manager and the Access Server:

    modifyldapbindpasswd.exe -i install_dir -c nn -t file -options
    

    For other options, see Table 6-1 and Table 6-3.

    Using a Script: Pass the encrypted password file using the -j file_for_bind_password option, as described in Table 6-3.

  5. Repeat this command for every variant of the host name that you have configured in Oracle Access Manager. For example:

    modifyldapbindpasswd.exe -i install_dir -c is -t all
    Please enter host machine for Configuration DS : YourConfigDSName
    

    See the information on using host name variations in the Oracle Access Manager Identity and Common Administration Guide.

  6. Update the bind password for the directory server that stores the configuration data. For example:

    modifyldapbindpasswd.exe -i install_dir -c is -t all -x oldpassword -y newpassword
    Please enter host machine for Configuration DS :  YourConfigDSName
    

Changing the LDAP Bind Password When Running in ADSI Mode

If the Identity Server or Access Server uses an explicit bind, you can follow the procedures to change the LDAP bind password described in previous topics. In this case, you can skip this procedure.

If you are running the Identity Server or Access Server as a user in the Active Directory domain, you update the LDAP bind password as described in the following procedure.

To update the LDAP bind password for ADSI

  1. Change the password for the user in the Active Directory domain.

  2. Stop the Identity Server or Access Server.

  3. From the command line enter the following:

    services.msc
    

    A dialog box appears that lists all running services.

  4. To change the credential of the user in the service, right-click the service to modify, then click Properties; click the Log On tab, then click This Account.

  5. Restart the Identity Server or Access Server.