Oracle® Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management (Oracle Fusion Applications Edition) 11g Release 1 (11.1.1.5.0) Part Number E21032-01
This chapter describes how to prepare the Identity and Policy Stores. It contains the following sections:
The procedures described in this chapter change the configuration of the LDAP directories that host the Identity and Policy Stores. Before performing any of these tasks, back up your LDAP directories. See Section 7.7, "Backing up the Oracle Internet Directory Configuration" and Section 9.10, "Backing Up the Oracle Virtual Directory Configuration" for more information.
Before proceeding, ensure that the following statements are true:
Oracle Identity Management 11g (11.1.1.5) is installed on IDMHOST1.
Oracle Internet Directory is installed and configured (if required).
Oracle Virtual Directory is installed and configured.
Non-OID directories are installed and available (if required).
This section describes how to prepare the Policy Store. It contains the following topics:
Section 11.3.1, "Creating Policy Store Users and the Policy Container,"
Section 11.3.2, "Reassociating the Policy and Credential Store,"
Before you can use the Policy Store, you must prepare it. This involves creating a JPS Root context in the Policy Store directory and reassociating the domain's internal Policy Store to use the external LDAP Policy Store.
Perform the following tasks on IDMHOST1:
Set the environment variables MW_HOME, JAVA_HOME, IDM_HOME, and ORACLE_HOME:
Set IDM_HOME to IDM_ORACLE_HOME.
Set ORACLE_HOME to IAM_ORACLE_HOME.
Set MW_HOME to /u01/app/oracle/product/fmw.
Set JAVA_HOME to MW_HOME/jrockit-jdk1.6.0.
Create a properties file, called policystore.props, with the following contents:
POLICYSTORE_HOST: policystore.mycompany.com
POLICYSTORE_PORT: 389
POLICYSTORE_BINDDN: cn=orcladmin
POLICYSTORE_READONLYUSER: PolicyROUser
POLICYSTORE_READWRITEUSER: PolicyRWUser
POLICYSTORE_SEARCHBASE: dc=mycompany,dc=com
POLICYSTORE_CONTAINER: cn=jpsroot
Where:
POLICYSTORE_HOST and POLICYSTORE_PORT are, respectively, the host and port of your Policy Store directory.
POLICYSTORE_BINDDN is an administrative user in the Policy Store directory.
POLICYSTORE_READONLYUSER and POLICYSTORE_READWRITEUSER are the names of the users you want to create in the Policy Store with read-only and read/write privileges.
POLICYSTORE_SEARCHBASE is the location in the directory where users and groups are stored.
POLICYSTORE_CONTAINER is the name of the container used for OPSS policy information.
In addition to creating the users, the command also creates the following groups:
OrclPolicyAndCredentialWritePrivilegeGroup
OrclPolicyAndCredentialReadPrivilegeGroup
After creating the groups, the tool adds the read-only user (POLICYSTORE_READONLYUSER) as a member of OrclPolicyAndCredentialReadPrivilegeGroup and the read/write user (POLICYSTORE_READWRITEUSER) as a member of OrclPolicyAndCredentialWritePrivilegeGroup.
Configure the Policy Store using the command idmConfigTool, which is located at IAM_ORACLE_HOME/idmtools/bin.
Note:
When you run the idmConfigTool, it creates or appends to the file idmDomainConfig.param. This file is generated in the same directory that the idmConfigTool is run from. To ensure that each time the tool is run the same file is appended to, always run the idmConfigTool from the directory IAM_ORACLE_HOME/idmtools/bin.
The syntax of the command on Linux is:
idmConfigTool.sh -configPolicyStore input_file=configfile
The syntax on Windows is:
idmConfigTool.bat -configPolicyStore input_file=configfile
For example:
idmConfigTool.sh -configPolicyStore input_file=policystore.props
When the command runs, you are prompted to enter the password of the account you are connecting to the Policy Store with. You are also asked to specify the passwords you want to assign to the accounts POLICYSTORE_READONLYUSER and POLICYSTORE_READWRITEUSER.
Sample command output:
Enter Policy Store Bind DN password:
*** Creation of PolicyROUser ***
Apr 5, 2011 4:23:49 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /u01/app/oracle/product/fmw/IAM/idmtools/templates/oid/policystore_user.ldif
Enter User Password for PolicyROUser:
Confirm User Password for PolicyROUser:
*** Creation of PolicyRWUser ***
Apr 5, 2011 4:23:58 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /u01/app/oracle/product/fmw/IAM/idmtools/templates/oid/policystore_user.ldif
Enter User Password for PolicyRWUser:
Confirm User Password for PolicyRWUser:
Apr 5, 2011 4:24:07 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /u01/app/oracle/product/fmw/IAM/idmtools/templates/oid/policystore_group.ldif
Apr 5, 2011 4:24:07 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /u01/app/oracle/product/fmw/IAM/idmtools/templates/oid/policystore_container.ldif
Apr 5, 2011 4:24:07 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /u01/app/oracle/product/fmw/IAM/idmtools/templates/oid/policystore_group_read_member.ldif
Apr 5, 2011 4:24:07 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /u01/app/oracle/product/fmw/IAM/idmtools/templates/oid/policystore_group_write_member.ldif
Apr 5, 2011 4:24:07 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /u01/app/oracle/product/fmw/IAM/idmtools/templates/oid/policystore_tuning.ldif
Apr 5, 2011 4:24:07 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /u01/app/oracle/product/fmw/IAM/idmtools/templates/oid/oid_schemaadmin.ldif
Apr 5, 2011 4:24:07 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /u01/app/oracle/product/fmw/IAM/idmtools/templates/oid/policystore_user_aci.ldif
The tool has completed its operation. Details have been logged to /home/oracle/idmtools/automation.log
Check the log file for any errors or warnings and correct them. The file automation.log is created in the directory from which you run the tool.
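Before running any of the idmConfigTool invocations in this chapter, it is worth checking the properties file mechanically: the tool writes straight into the directory, and a wrong search base is only discovered later, when OPSS, Oracle Access Manager or Oracle Identity Manager cannot find the entries it created. The following Python script is an added example, not part of this guide or of idmConfigTool. It parses the KEY : value format used by policystore.props above and by the IDSTORE_* files in the sections that follow, confirms that the keys each mode needs are present (the per-mode key lists are assumptions taken from the sample files on this page, not from the tool's documentation), and verifies that every user, group and system-id container lies under the store's SEARCHBASE. The embedded sample is a constructed oim.props whose group search base has been copied from another domain.

```python
"""Pre-flight checks for an idmConfigTool properties file.

Added example for this guide; not Oracle code. The REQUIRED_KEYS lists are
assumptions drawn from the sample .props files in this chapter.
"""
import re

# Keys common to every IDSTORE_* properties file shown in this chapter.
IDSTORE_COMMON = [
    "IDSTORE_HOST", "IDSTORE_PORT", "IDSTORE_BINDDN",
    "IDSTORE_USERNAMEATTRIBUTE", "IDSTORE_USERSEARCHBASE",
    "IDSTORE_GROUPSEARCHBASE", "IDSTORE_SEARCHBASE",
]

# Keys each invocation needs (assumed from the examples on this page).
REQUIRED_KEYS = {
    "configPolicyStore": [
        "POLICYSTORE_HOST", "POLICYSTORE_PORT", "POLICYSTORE_BINDDN",
        "POLICYSTORE_READONLYUSER", "POLICYSTORE_READWRITEUSER",
        "POLICYSTORE_SEARCHBASE", "POLICYSTORE_CONTAINER"],
    "preConfigIDStore": IDSTORE_COMMON + [
        "IDSTORE_LOGINATTRIBUTE", "IDSTORE_SYSTEMIDBASE"],
    "prepareIDStore:OAM": IDSTORE_COMMON + [
        "IDSTORE_LOGINATTRIBUTE", "POLICYSTORE_SHARES_IDSTORE",
        "OAM11G_IDSTORE_ROLE_SECURITY_ADMIN", "IDSTORE_OAMSOFTWAREUSER",
        "IDSTORE_OAMADMINUSER"],
    "prepareIDStore:OIM": IDSTORE_COMMON + [
        "IDSTORE_LOGINATTRIBUTE", "POLICYSTORE_SHARES_IDSTORE",
        "IDSTORE_SYSTEMIDBASE", "IDSTORE_OIMADMINUSER", "IDSTORE_OIMADMINGROUP"],
    "prepareIDStore:WLS": IDSTORE_COMMON + [
        "IDSTORE_LOGINATTRIBUTE", "POLICYSTORE_SHARES_IDSTORE"],
    "prepareIDStore:fusion": IDSTORE_COMMON + [
        "IDSTORE_READONLYUSER", "IDSTORE_READWRITEUSER", "IDSTORE_SUPERUSER",
        "POLICYSTORE_SHARES_IDSTORE"],
}


def parse_props(text):
    """Parse 'KEY : value' lines; the first colon splits key from value."""
    props = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError("line %d: expected 'KEY : value', got %r" % (lineno, raw))
        key, value = line.split(":", 1)
        props[key.strip()] = value.strip()
    return props


def normalize_dn(dn):
    """Split a DN into RDNs, ignoring case and whitespace around ',' and '='."""
    rdns = re.split(r"(?<!\\),", dn)
    return tuple(re.sub(r"\s*=\s*", "=", r.strip()).lower() for r in rdns)


def is_under(child, parent):
    """True when child is parent itself or an entry somewhere beneath it."""
    c, p = normalize_dn(child), normalize_dn(parent)
    return len(c) >= len(p) and c[-len(p):] == p


def check_props(props, mode):
    """Return a list of problems; an empty list means the file looks sane."""
    problems = []
    for key in REQUIRED_KEYS[mode]:
        if key not in props:
            problems.append("missing required key %s" % key)
        elif not props[key]:
            problems.append("empty value for %s" % key)
    prefix = "POLICYSTORE_" if mode == "configPolicyStore" else "IDSTORE_"
    base = props.get(prefix + "SEARCHBASE")
    if base:
        # Every container the tool writes into must sit under the search
        # base; a suffix pasted from another domain creates entries the
        # applications will never find.
        for key, value in props.items():
            if key != prefix + "SEARCHBASE" and (
                    key.endswith("SEARCHBASE") or key.endswith("SYSTEMIDBASE")):
                if not is_under(value, base):
                    problems.append("%s=%s is not under %sSEARCHBASE=%s"
                                    % (key, value, prefix, base))
    port = props.get(prefix + "PORT", "")
    if port and not (port.isdigit() and 0 < int(port) < 65536):
        problems.append("%sPORT=%r is not a valid TCP port" % (prefix, port))
    if props.get("POLICYSTORE_SHARES_IDSTORE", "true").lower() not in ("true", "false"):
        problems.append("POLICYSTORE_SHARES_IDSTORE must be true or false")
    return problems


# Constructed sample: oim.props as on this page, but with a group search
# base copied from a different domain (the kind of slip the check catches).
SAMPLE_OIM_PROPS = """\
IDSTORE_HOST : idstore.mycompany.com
IDSTORE_PORT : 389
IDSTORE_BINDDN : cn=orcladmin
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_USERSEARCHBASE:cn=Users,dc=mycompany,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=us,dc=oracle,dc=com
IDSTORE_SEARCHBASE: dc=mycompany,dc=com
POLICYSTORE_SHARES_IDSTORE: true
IDSTORE_SYSTEMIDBASE: cn=systemids,dc=mycompany,dc=com
IDSTORE_OIMADMINUSER: oimadmin
IDSTORE_OIMADMINGROUP:OIMAdministrators
"""

if __name__ == "__main__":
    for problem in check_props(parse_props(SAMPLE_OIM_PROPS), "prepareIDStore:OIM"):
        print("PROBLEM:", problem)
```

Run it against the real file with the mode you are about to pass to idmConfigTool (for example `check_props(parse_props(open("oim.props").read()), "prepareIDStore:OIM")`) and fix every reported problem before the tool touches the directory; the DN comparison is case-insensitive and tolerant of spaces after commas, so `cn=Users, dc=mycompany,dc=com` is accepted as being under `dc=mycompany,dc=com`.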
See Also:
Oracle Fusion Middleware Integration Overview for Oracle Identity Management Suite for more information about the idmConfigTool command.
To reassociate the policy and credential store with Oracle Internet Directory, use the WLST reassociateSecurityStore command. Follow these steps:
From IDMHOST1, start the wlst shell from the ORACLE_COMMON_HOME/common/bin directory. For example, on Linux and UNIX-based systems, you would type:
./wlst.sh
On Windows you would type:
wlst.cmd
Connect to the WebLogic Administration Server using the following wlst connect command:
connect("AdminUser","AdminUserPassword","t3://hostname:port")
For example:
connect("weblogic","admin_password","t3://ADMINVHN.mycompany.com:7001")
Run the reassociateSecurityStore command as follows:
Syntax:
reassociateSecurityStore(domain="domainName",admin="cn=orcladmin", password="orclPassword",ldapurl="ldap://LDAPHOST:LDAPPORT",servertype="OID", jpsroot="cn=jpsRootContainer")
For example:
wls:/IDMDomain/serverConfig> reassociateSecurityStore(domain="IDMDomain", admin="cn=orcladmin",password="password", ldapurl="ldap://policystore.mycompany.com:389",servertype="OID", jpsroot="cn=jpsroot")
The output for the command is as follows. Note that the first line echoes the command arguments, including the directory administrator password, in clear text to the console:
{servertype=OID, jpsroot=cn=jpsroot, admin=cn=orcladmin, domain=IDMDomain, ldapurl=ldap://policystore.mycompany.com:389, password=password}
Location changed to domainRuntime tree. This is a read-only tree with DomainMBean as the root.
For more help, use help(domainRuntime)
Starting policy store reassociation.
The store and ServiceConfigurator setup done.
Schema is seeded into the store
Data is migrated to the store
Data in the store after migration has been tested to be available
Update of in-memory jps configuration is done
Policy store reassociation done.
Starting credential store reassociation
The store and ServiceConfigurator setup done.
Schema is seeded into the store
Data is migrated to the store
Data in the store after migration has been tested to be available
Update of in-memory jps configuration is done
Credential store reassociation done
Starting Keystore reassociation
The store and ServiceConfigurator setup done.
Schema is seeded into the store
Data is migrated to the store
Data in the store after migration has been tested to be available
Update of in-memory jps configuration is done
Keystore reassociation done
Jps Configuration has been changed. Please restart the application server.
Restart the WebLogic Administration Server, as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components," after the command completes successfully.
This section describes how to prepare the Identity Store. It contains the following topics:
Section 11.4.1, "Extending Directory Schema for Oracle Access Manager"
Section 11.4.2, "Creating Users and Groups for Oracle Access Manager"
Section 11.4.3, "Creating Users and Groups for Oracle Identity Manager"
Section 11.4.4, "Creating Users and Groups for Oracle WebLogic Server"
Section 11.4.5, "Creating Users and Groups for Fusion Applications"
Section 11.4.6, "Creating Access Control Lists in Non-Oracle Internet Directory Directories"
Section 11.4.7, "Updating Oracle Virtual Directory Adapters"
Pre-configuring the Identity Store extends the schema in Oracle Internet Directory.
Note:
You do not need to preconfigure the Identity Store unless you are using Oracle Access Manager or Oracle Identity Manager.
To do this, perform the following tasks on IDMHOST1:
Set the environment variables MW_HOME, JAVA_HOME, IDM_HOME, and ORACLE_HOME:
Set IDM_HOME to IDM_ORACLE_HOME.
Set ORACLE_HOME to IAM_ORACLE_HOME.
Create a properties file, called extend.props, with the following contents:
IDSTORE_HOST: idstore.mycompany.com
IDSTORE_PORT: 389
IDSTORE_BINDDN: cn=orcladmin
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_USERSEARCHBASE: cn=Users,dc=mycompany,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=mycompany,dc=com
IDSTORE_SEARCHBASE: dc=mycompany,dc=com
IDSTORE_SYSTEMIDBASE: cn=systemids,dc=mycompany,dc=com
Where:
IDSTORE_HOST and IDSTORE_PORT are, respectively, the host and port of your Identity Store directory. If you are using a non-OID directory, then specify the Oracle Virtual Directory host (which should be IDSTORE.mycompany.com).
IDSTORE_BINDDN is an administrative user in the Identity Store directory.
IDSTORE_USERSEARCHBASE is the location in the directory where users are stored.
IDSTORE_GROUPSEARCHBASE is the location in the directory where groups are stored.
IDSTORE_SEARCHBASE is the location in the directory where users and groups are stored.
IDSTORE_SYSTEMIDBASE is the location of a container in the directory where users can be placed when you do not want them in the main user container. This happens rarely, but one example is the Oracle Identity Manager reconciliation user, which is also used as the bind DN user in Oracle Virtual Directory adapters.
Configure the Identity Store by using the command idmConfigTool, which is located at IAM_ORACLE_HOME/idmtools/bin.
Note:
When you run the idmConfigTool, it creates or appends to the file idmDomainConfig.param. This file is generated in the same directory that the idmConfigTool is run from. To ensure that each time the tool is run the same file is appended to, always run the idmConfigTool from the directory IAM_ORACLE_HOME/idmtools/bin.
The syntax of the command on Linux is:
idmConfigTool.sh -preConfigIDStore input_file=configfile
The syntax on Windows is:
idmConfigTool.bat -preConfigIDStore input_file=configfile
For example:
idmConfigTool.sh -preConfigIDStore input_file=extend.props
When the command runs, you are prompted to enter the password of the account you are connecting to the ID Store with.
Sample command output:
[orcl@rws3450009 dw_users]$ /u01/app/oracle/product/fmw/iam/idmtools/bin/idmConfigTool.sh -preConfigIDStore input_file=/scratch/orcl/dw_users/extend.props
Enter ID Store Bind DN password :
May 25, 2011 2:37:18 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/idm_idstore_groups_template.ldif
May 25, 2011 2:37:18 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/idm_idstore_groups_acl_template.ldif
May 25, 2011 2:37:18 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/systemid_pwdpolicy.ldif
May 25, 2011 2:37:18 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/idstore_tuning.ldif
May 25, 2011 2:37:18 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/oid_schema_extn.ldif
May 25, 2011 2:37:19 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/oam/server/oim-intg/schema/OID_oblix_pwd_schema_add.ldif
May 25, 2011 2:37:19 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/oam/server/oim-intg/schema/OID_oim_pwd_schema_add.ldif
May 25, 2011 2:37:19 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/oam/server/oim-intg/schema/OID_oblix_schema_add.ldif
May 25, 2011 2:37:34 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/oam/server/oim-intg/schema/OID_oblix_schema_index_add.ldif
The tool has completed its operation. Details have been logged to automation.log
Check the log file for any errors or warnings and correct them. The file with the name automation.log is created in the directory from where you run the tool.
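Every idmConfigTool procedure on this page ends with the same instruction: check the log for errors or warnings. The following Python helper is an added example, not part of this guide or of idmConfigTool. It reads the console output or automation.log, lists the LDIF templates the tool loaded, reports anything logged at WARNING or SEVERE, any exception line and any JNDI-style "[LDAP: error code N - ...]" text, and confirms that the run reached "The tool has completed its operation". It understands the java.util.logging two-line record format shown in the sample output above (a timestamp/logger header line followed by "LEVEL: message") and also the run-together form that appears when line breaks are lost. The sample log is constructed; its WARNING record is invented to show what a flagged run looks like and is not real idmConfigTool wording.

```python
"""Triage idmConfigTool console output or automation.log.

Added example for this guide; not Oracle code. SAMPLE_LOG is constructed
and its WARNING record is invented for demonstration.
"""
import re

# "LEVEL: message" as written by java.util.logging's SimpleFormatter. A
# search (not a match) also catches "loadOneLdifFileINFO: ..." when the
# newline between header and level line has been lost.
LEVEL_RE = re.compile(r"(SEVERE|WARNING|INFO|CONFIG|FINE|FINER|FINEST):\s*(.*)$")
LOADING_RE = re.compile(r"->\s*LOADING:\s*(\S+)")
COMPLETED = "The tool has completed its operation"


def triage_log(text):
    """Return loaded LDIF paths, problems as (lineno, level, text), and a completion flag."""
    loaded, problems, completed = [], [], False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("at "):
            continue  # blank, or a stack-trace frame already covered by its SEVERE line
        m = LEVEL_RE.search(line)
        if m:
            level, msg = m.groups()
            if level in ("SEVERE", "WARNING"):
                problems.append((lineno, level, msg))
            load = LOADING_RE.search(msg)
            if load:
                loaded.append(load.group(1))
        elif "Exception" in line or "LDAP: error code" in line:
            # Exception text printed without a level prefix (e.g. a JNDI
            # NamingException message on its own line).
            problems.append((lineno, "ERROR", line))
        elif line.startswith(COMPLETED):
            completed = True
    return {"loaded": loaded, "problems": problems, "completed": completed}


def run_is_clean(result):
    """A run is acceptable only if it finished and logged nothing worse than INFO."""
    return bool(result["completed"] and not result["problems"])


# Constructed sample in the record format of the output above; the WARNING
# record is invented to show a flagged run.
SAMPLE_LOG = """\
Enter ID Store Bind DN password :
May 25, 2011 2:37:18 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/idm_idstore_groups_template.ldif
May 25, 2011 2:37:18 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/systemid_pwdpolicy.ldif
May 25, 2011 2:37:19 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
WARNING: -> skipped entry: [LDAP: error code 68 - Entry Already Exists]
The tool has completed its operation. Details have been logged to automation.log
"""

if __name__ == "__main__":
    result = triage_log(SAMPLE_LOG)
    for path in result["loaded"]:
        print("loaded", path.rsplit("/", 1)[-1])
    for lineno, level, text in result["problems"]:
        print("line %d %s: %s" % (lineno, level, text))
    print("clean run:", run_is_clean(result))
```

Point it at the real file with `triage_log(open("automation.log").read())`; an "Entry Already Exists" result (LDAP result code 68) on a re-run usually means the directory was not restored from the backup taken at the start of this chapter, which is exactly the case where you want the tool's warnings surfaced rather than scrolled past.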
See Also:
Oracle Fusion Middleware Integration Overview for Oracle Identity Management Suite for more information about the idmConfigTool command.
If you plan to implement Oracle Access Manager in your topology, you must seed the Identity Store with users that are required by Oracle Access Manager.
To do this, perform the following tasks on IDMHOST1:
Set the environment variables MW_HOME, JAVA_HOME, IDM_HOME, and ORACLE_HOME:
Set IDM_HOME to IDM_ORACLE_HOME.
Set ORACLE_HOME to IAM_ORACLE_HOME.
Create a properties file, called oam.props, with the following contents:
IDSTORE_HOST: idstore.mycompany.com
IDSTORE_PORT: 389
IDSTORE_BINDDN: cn=orcladmin
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_USERSEARCHBASE: cn=Users,dc=mycompany,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=mycompany,dc=com
IDSTORE_SEARCHBASE: dc=mycompany,dc=com
POLICYSTORE_SHARES_IDSTORE: true
OAM11G_IDSTORE_ROLE_SECURITY_ADMIN: OAMAdministrators
IDSTORE_OAMSOFTWAREUSER: oamLDAP
IDSTORE_OAMADMINUSER: oamadmin
Where:
IDSTORE_HOST and IDSTORE_PORT are, respectively, the host and port of your Identity Store directory.
IDSTORE_BINDDN is an administrative user in the Identity Store directory.
IDSTORE_USERSEARCHBASE is the location in the directory where users are stored.
IDSTORE_GROUPSEARCHBASE is the location in the directory where groups are stored.
IDSTORE_SEARCHBASE is the location in the directory where users and groups are stored.
POLICYSTORE_SHARES_IDSTORE is set to true if your Policy and Identity Stores are in the same directory. If not, it is set to false.
OAM11G_IDSTORE_ROLE_SECURITY_ADMIN is the name of the group which is used to allow access to the OAM console.
IDSTORE_OAMADMINUSER is the name of the user you want to create as your Oracle Access Manager Administrator.
IDSTORE_OAMSOFTWAREUSER is a user that gets created in LDAP and is used by Oracle Access Manager at run time to connect to the LDAP server.
Configure the Identity Store by using the command idmConfigTool, which is located at IAM_ORACLE_HOME/idmtools/bin.
Note:
When you run the idmConfigTool, it creates or appends to the file idmDomainConfig.param. This file is generated in the same directory that the idmConfigTool is run from. To ensure that each time the tool is run the same file is appended to, always run the idmConfigTool from the directory IAM_ORACLE_HOME/idmtools/bin.
The syntax of the command on Linux is:
idmConfigTool.sh -prepareIDStore mode=OAM input_file=configfile
The syntax on Windows is:
idmConfigTool.bat -prepareIDStore mode=OAM input_file=configfile
For example:
idmConfigTool.sh -prepareIDStore mode=OAM input_file=oam.props
When the command runs, you are prompted to enter the password of the account you are connecting to the Identity Store with.
Sample command output:
[orcl@rws3450009 dw_users]$ /u01/app/oracle/product/fmw/iam/idmtools/bin/idmConfigTool.sh -prepareIDStore mode=OAM input_file=/scratch/orcl/dw_users/oam.props
Enter ID Store Bind DN password :
May 25, 2011 2:44:59 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/oam_schema_extn.ldif
*** Creation of Oblix Anonymous User ***
May 25, 2011 2:44:59 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/oam_10g_anonymous_user_template.ldif
Enter User Password for oblixanonymous:
Confirm User Password for oblixanonymous:
*** Creation of oamadmin ***
May 25, 2011 2:45:08 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/oam_user_template.ldif
Enter User Password for oamadmin:
Confirm User Password for oamadmin:
*** Creation of oamLDAP ***
May 25, 2011 2:45:16 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/oam_user_template.ldif
Enter User Password for oamLDAP:
Confirm User Password for oamLDAP:
May 25, 2011 2:45:21 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/common/oam_user_group_read_acl_template.ldif
May 25, 2011 2:45:21 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/oim_group_template.ldif
May 25, 2011 2:45:21 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/oam_group_member_template.ldif
May 25, 2011 2:45:21 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/oam_config_acl.ldif
May 25, 2011 2:45:21 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/oid_schemaadmin.ldif
The tool has completed its operation. Details have been logged to automation.log
Check the log file for any errors or warnings and correct them. The file automation.log is created in the directory from which you run the tool.
See Also:
Oracle Fusion Middleware Integration Overview for Oracle Identity Management Suite for more information about the idmConfigTool command.
If you plan to implement Oracle Identity Manager in your topology, you must seed the Identity Store with the xelsysadm user and assign it to an Oracle Identity Manager administrative group. You must also create a user outside of the standard cn=Users location to be able to perform reconciliation. This user is also the user that should be used as the bind DN when connecting to directories with Oracle Virtual Directory.
Note:
This command also creates a container in your Identity Store for reservations.
To do this, perform the following tasks on IDMHOST1:
Set the environment variables MW_HOME, JAVA_HOME, IDM_HOME, and ORACLE_HOME:
Set IDM_HOME to IDM_ORACLE_HOME.
Set ORACLE_HOME to IAM_ORACLE_HOME.
Create a properties file, called oim.props, with the following contents:
IDSTORE_HOST: idstore.mycompany.com
IDSTORE_PORT: 389
IDSTORE_BINDDN: cn=orcladmin
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_USERSEARCHBASE: cn=Users,dc=mycompany,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=mycompany,dc=com
IDSTORE_SEARCHBASE: dc=mycompany,dc=com
POLICYSTORE_SHARES_IDSTORE: true
IDSTORE_SYSTEMIDBASE: cn=systemids,dc=mycompany,dc=com
IDSTORE_OIMADMINUSER: oimadmin
IDSTORE_OIMADMINGROUP: OIMAdministrators
Where:
IDSTORE_HOST and IDSTORE_PORT are, respectively, the host and port of your Identity Store directory.
IDSTORE_BINDDN is an administrative user in the Identity Store directory.
IDSTORE_OIMADMINUSER is the name of the administration user you would like to use to log in to the Oracle Identity Manager console.
IDSTORE_OIMADMINGROUP is the name of the group you want to create to hold your Oracle Identity Manager administrative users.
IDSTORE_USERSEARCHBASE is the location in your Identity Store where users are placed.
IDSTORE_GROUPSEARCHBASE is the location in your Identity Store where groups are placed.
IDSTORE_SYSTEMIDBASE is the location in your directory where the Oracle Identity Manager reconciliation user is placed.
POLICYSTORE_SHARES_IDSTORE is set to true if your Policy and Identity Stores are in the same directory. If not, it is set to false.
Configure the Identity Store by using the command idmConfigTool, which is located at IAM_ORACLE_HOME/idmtools/bin.
Note:
When you run the idmConfigTool, it creates or appends to the file idmDomainConfig.param. This file is generated in the same directory that the idmConfigTool is run from. To ensure that each time the tool is run the same file is appended to, always run the idmConfigTool from the directory IAM_ORACLE_HOME/idmtools/bin.
The syntax of the command on Linux is:
idmConfigTool.sh -prepareIDStore mode=OIM input_file=configfile
The syntax on Windows is:
idmConfigTool.bat -prepareIDStore mode=OIM input_file=configfile
For example:
idmConfigTool.sh -prepareIDStore mode=OIM input_file=oim.props
When the command runs, you are prompted to enter the password of the account you are connecting to the Identity Store with. You are also asked to specify the passwords you want to assign to the accounts IDSTORE_OIMADMINUSER and xelsysadm. (It is recommended that you set the xelsysadm password to the same value as the account you create as part of the Oracle Identity Manager configuration.)
Sample command output:
Enter ID Store Bind DN password :
*** Creation of oimadmin ***
Apr 5, 2011 4:58:51 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /u01/app/oracle/product/fmw/IAM/idmtools/templates/oid/oim_user_template.ldif
Enter User Password for oimadmin:
Confirm User Password for oimadmin:
Apr 5, 2011 4:59:01 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /u01/app/oracle/product/fmw/IAM/idmtools/templates/oid/oim_group_template.ldif
Apr 5, 2011 4:59:01 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /u01/app/oracle/product/fmw/IAM/idmtools/templates/oid/oim_group_member_template.ldif
Apr 5, 2011 4:59:01 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /u01/app/oracle/product/fmw/IAM/idmtools/templates/oid/oim_groups_acl_template.ldif
Apr 5, 2011 4:59:01 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /u01/app/oracle/product/fmw/IAM/idmtools/templates/oid/oim_reserve_template.ldif
*** Creation of Xel Sys Admin User ***
Apr 5, 2011 4:59:01 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /u01/app/oracle/product/fmw/IAM/idmtools/templates/oid/oam_user_template.ldif
Enter User Password for xelsysadm:
Confirm User Password for xelsysadm:
The tool has completed its operation. Details have been logged to /home/oracle/idmtools/oim.log
Check the log file for any errors or warnings and correct them. The file automation.log is created in the directory from which you run the tool.
See Also:
Oracle Fusion Middleware Integration Overview for Oracle Identity Management Suite for more information about the idmConfigTool command.
When you enable single sign-on for your administrative consoles, you must ensure that there is a user in your Identity Store that has the permissions to log in to your WebLogic Administration Console and Oracle Enterprise Manager Fusion Middleware Control.
To do this, perform the following tasks on IDMHOST1:
Set the environment variables MW_HOME, JAVA_HOME, IDM_HOME, and ORACLE_HOME:
Set IDM_HOME to IDM_ORACLE_HOME.
Set ORACLE_HOME to IAM_ORACLE_HOME.
Create a properties file, called wls.props, with the following contents:
IDSTORE_HOST: idstore.mycompany.com
IDSTORE_PORT: 389
IDSTORE_BINDDN: cn=orcladmin
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_USERSEARCHBASE: cn=Users,dc=mycompany,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=mycompany,dc=com
IDSTORE_SEARCHBASE: dc=mycompany,dc=com
POLICYSTORE_SHARES_IDSTORE: true
Where:
IDSTORE_HOST and IDSTORE_PORT are, respectively, the host and port of your Identity Store directory.
IDSTORE_BINDDN is an administrative user in the Identity Store directory.
IDSTORE_USERSEARCHBASE is the location in the directory where users are stored.
IDSTORE_GROUPSEARCHBASE is the location in the directory where groups are stored.
IDSTORE_SEARCHBASE is the location in the directory where users and groups are stored.
POLICYSTORE_SHARES_IDSTORE is set to true if your Policy and Identity Stores are in the same directory. If not, it is set to false.
The command creates a user called weblogic_idm and assigns it to a group called IDM Administrators.
Configure the Identity Store by using the command idmConfigTool, which is located at IAM_ORACLE_HOME/idmtools/bin.
Note:
When you run the idmConfigTool, it creates or appends to the file idmDomainConfig.param. This file is generated in the same directory that the idmConfigTool is run from. To ensure that each time the tool is run the same file is appended to, always run the idmConfigTool from the directory IAM_ORACLE_HOME/idmtools/bin.
The syntax of the command on Linux is:
idmConfigTool.sh -prepareIDStore mode=WLS input_file=configfile
The syntax on Windows is:
idmConfigTool.bat -prepareIDStore mode=WLS input_file=configfile
For example:
idmConfigTool.sh -prepareIDStore mode=WLS input_file=wls.props
When the command runs, you are prompted to enter the password of the account you are connecting to the Identity Store with. You are also asked to specify the password you want to assign to the account weblogic_idm.
Sample command output:
Enter ID Store Bind DN password :
*** Creation of Weblogic Admin User ***
Apr 5, 2011 5:52:04 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /u01/app/oracle/product/fmw/IAM/idmtools/templates/oid/oam_user_template.ldif
Enter User Password for weblogic_idm:
Confirm User Password for weblogic_idm:
Apr 5, 2011 5:52:12 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /u01/app/oracle/product/fmw/IAM/idmtools/templates/oid/weblogic_admin_group.ldif
The tool has completed its operation. Details have been logged to automation.log
Check the log file for any errors or warnings and correct them.
See Also:
Oracle Fusion Middleware Integration Overview for Oracle Identity Management Suite for more information about the idmConfigTool command.
Oracle Fusion Applications requires several users and groups to be created in the Identity Store.
To do this, perform the following tasks on IDMHOST1:
Set the environment variables MW_HOME, JAVA_HOME, IDM_HOME, and ORACLE_HOME:
Set IDM_HOME to IDM_ORACLE_HOME.
Set ORACLE_HOME to IAM_ORACLE_HOME.
Create a properties file, called fusion.props, with the following contents:
IDSTORE_HOST: idstore.mycompany.com
IDSTORE_PORT: 389
IDSTORE_BINDDN: cn=orcladmin
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_READONLYUSER: IDROUser
IDSTORE_READWRITEUSER: IDRWUser
IDSTORE_USERSEARCHBASE: cn=Users,dc=mycompany,dc=com
IDSTORE_SEARCHBASE: dc=mycompany,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=mycompany,dc=com
IDSTORE_SUPERUSER: weblogic_fa
POLICYSTORE_SHARES_IDSTORE: true
Where:
IDSTORE_HOST and IDSTORE_PORT are, respectively, the host and port of your Identity Store directory.
IDSTORE_BINDDN is an administrative user in the Identity Store directory.
IDSTORE_READONLYUSER is the name of a user you want to create which has read-only permissions on your Identity Store.
IDSTORE_READWRITEUSER is the name of a user you want to create which has read/write permissions on your Identity Store.
IDSTORE_SUPERUSER is the name of the administration user you want to use to log in to the WebLogic Administration Console in the Oracle Fusion Applications domain.
POLICYSTORE_SHARES_IDSTORE is set to true if your Policy and Identity Stores are in the same directory. If not, it is set to false.
In addition to creating the users, the command also creates the following groups:
orclFAGroupReadPrivilegeGroup
orclFAGroupWritePrivilegeGroup
orclFAUserReadPrivilegeGroup
orclFAUserWritePrefsPrivilegeGroup
orclFAUserWritePrivilegeGroup
Configure the Identity Store by using the command idmConfigTool, which is located at IAM_ORACLE_HOME/idmtools/bin.
Note:
When you run the idmConfigTool, it creates or appends to the file idmDomainConfig.param. This file is generated in the same directory that the idmConfigTool is run from. To ensure that each time the tool is run the same file is appended to, always run the idmConfigTool from the directory IAM_ORACLE_HOME/idmtools/bin.
The syntax of the command on Linux is:
idmConfigTool.sh -prepareIDStore mode=fusion input_file=configfile
The syntax on Windows is:
idmConfigTool.bat -prepareIDStore mode=fusion input_file=configfile
For example:
idmConfigTool.sh -prepareIDStore mode=fusion input_file=fusion.props
The command prompts you to enter the password of the account you are connecting to the Identity Store with. You are also asked to specify the passwords you want to assign to the accounts:
IDSTORE_READONLYUSER
IDSTORE_READWRITEUSER
Sample command output:
Enter ID Store Bind DN password :
*** Creation of IDROUser ***
Apr 5, 2011 9:05:52 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /u01/app/oracle/product/fmw/IAM/idmtools/templates/oid/oam_user_template.ldif
Enter User Password for IDROUser:
Confirm User Password for IDROUser:
*** Creation of IDRWUser ***
Apr 5, 2011 9:06:00 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /u01/app/oracle/product/fmw/IAM/idmtools/templates/oid/oam_user_template.ldif
Enter User Password for IDRWUser:
Confirm User Password for IDRWUser:
Apr 5, 2011 9:06:08 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /u01/app/oracle/product/fmw/IAM/idmtools/templates/common/oam_user_read_acl_template.ldif
Apr 5, 2011 9:06:08 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /u01/app/oracle/product/fmw/IAM/idmtools/templates/common/oam_user_read_write_acl_template.ldif
The tool has completed its operation. Details have been logged to automation.log
Check the log file for any errors or warnings and correct them.
See Also:
Oracle Fusion Middleware Integration Overview for Oracle Identity Management Suite for more information about the idmConfigTool command.
In the preceding sections, you seeded the Identity Store with users and artifacts for the Oracle components. If your Identity Store is hosted in a non-Oracle Internet Directory directory, such as Microsoft Active Directory, you must set up the access control information (ACIs) to provide appropriate privileges to the entities you created. This section lists the artifacts on which the ACIs need to be set.
Users and groups. ACIs to the users and groups container are provided in Oracle Internet Directory. Set them manually for other directories. The Oracle Identity Manager/Oracle Access Manager integration and Fusion Applications require the following artifacts to be created in the Identity store.
Group with read privileges to the users container (orclFAUserReadPrivilegeGroup)
Group with read/write privileges to the users container (orclFAUserWritePrivilegeGroup)
Group with read privileges to the groups container (orclFAGroupReadPrivilegeGroup)
Group with read/write privileges to the groups container (orclFAGroupWritePrivilegeGroup)
Group with write privileges to a partial set of attributes (orclFAUserWritePrefsPrivilegeGroup)
The user specified by the IDSTORE_READONLYUSER parameter. It is assigned to the groups orclFAUserReadPrivilegeGroup and orclFAGroupReadPrivilegeGroup.
The user specified by the IDSTORE_READWRITEUSER parameter. It is assigned to the groups orclFAUserWritePrivilegeGroup and orclFAGroupWritePrivilegeGroup.
The user specified by IDSTORE_READONLYUSER is also assigned to orclFAUserWritePrefsPrivilegeGroup.
Systemids. The System ID container is created for storing all the system identifiers. If the system users are to be created in a different container, that container is specified as part of the administrative configuration.
Oracle Access Manager Admin User
Oracle Access Manager Software User. This is added to the groups where the user gets read privileges to the container. This is also provided with schema admin privileges.
Oracle Identity Manager user under System ID container. Password policies are set accordingly in the container.
Oracle Identity Manager administration group. The Oracle Identity Manager user is added as its member. The Oracle Identity Manager admin group is given complete read/write privileges to all the user and group entities in the directory.
Reserve container. Permissions are provided to the Oracle Identity Manager admin group to perform read/write operations.
Oracle recommends that, after creating the artifacts in the Identity Store, you update the Oracle Virtual Directory adapters you set up in Section 9.8, "Creating Adapters in Oracle Virtual Directory" so that they bind with a less privileged user. The following procedure is recommended, but not mandatory.
Change the value of Server Proxy Bind DN to cn=oimAdmin,cn=systemids,dc=mycompany,dc=com.
To do this, perform the following steps:
In a web browser, go to Oracle Directory Services Manager (ODSM) at http://admin.mycompany.com/odsm.
Connect to each Oracle Virtual Directory instance by using the appropriate connection entry.
On the Home page, click the Adapter tab.
Click User Adapter.
On the General tab in the Credential Processing section, make the following changes:
Proxy DN: cn=oimAdmin,cn=systemids,dc=mycompany,dc=com
Proxy Password: The password of the Proxy DN account.
Click Apply.
Click Change Log Adapter.
On the General tab in the Credential Processing section, make the following changes:
Proxy DN: cn=oimAdmin,cn=systemids,dc=mycompany,dc=com
Proxy Password: The password of the Proxy DN account.
Click Apply.
Click the Plug-Ins tab.
Click Changelog Plug-in.
Click Edit.
Change ModifierDNFilter to:
!(modifiersname=cn=oimAdmin,cn=systemids,dc=mycompany,dc=com)
Click OK.
Click Apply.
Repeat for each Oracle Virtual Directory connection.