This chapter describes tasks you must perform after deployment.
It contains the following sections:
Section 15.1, "Enabling Oracle Traffic Director as a Web Server."
Section 15.3, "Post-Deployment Steps for Oracle Unified Directory"
Section 15.4, "Post-Deployment Steps for Oracle Identity Manager"
Section 15.10, "Configuring Single Sign-on for Administration Consoles in an Enterprise Deployment"
Section 15.12, "Adding a Load Balancer Certificate to Trust Stores"
This section describes how to enable OTD as a web server. If you are using external Oracle HTTP Servers, skip this section, because the Oracle HTTP Servers already provide the web server functionality.
Stop the Oracle HTTP servers that the provisioning wizard created by running the opmnctl command, which is located in the directory WEB_ORACLE_INSTANCE/bin, as follows:
opmnctl stopall
Perform this command on WEBHOST1 and WEBHOST2.
To prevent the OHS servers from being started and stopped automatically, proceed as follows:
Edit the file serverInstancesInfo.txt, which is located in SHARED_CONFIG_DIR/scripts.
Comment out the following lines by placing a # at the beginning of each line:
webhost1 OHS /u02/private/oracle/config/instances/ohs1
webhost2 OHS /u02/private/oracle/config/instances/ohs2
Repeat on each WEBHOST.
Now that provisioning is complete and the Oracle HTTP Server is disabled, the OTD configuration must be updated with the OHS listen port. To do this, perform the following steps:
Login to the OTD administration server using the URL:
https://OTDADMINVHN:8800
Click Configurations, which is at the upper left corner of the page.
A list of the available configurations is displayed.
Select the configuration which you want to amend, for example: sso.mycompany.com.
Expand Listeners in the Navigation pane.
Click http-listener-1
Set the port to WEB_HTTP_PORT
, for example 7777.
Click Save.
Click Deploy Changes.
In this release of Identity and Access Management, an optimized OPSS is available. In order to use this optimized OPSS, you must upgrade the OPSS schema. The deployment tool does not do this, so you must perform this step manually, by using Patch Set Assistant, at the end of provisioning.
To upgrade the OPSS schema for EDGIAD (IAMAccessDomain) and EDGIGD (IAMGovernanceDomain):
Start the Patch Set Assistant by running the psa command from IAD_MW_HOME/oracle_common/bin, for example:
./psa
On the Welcome Screen click Next.
On the Select Component Screen select Oracle Platform Security Services ONLY and click Next.
On the Prerequisites screen, confirm that you have a database backup and that the database version is certified.
Click Next.
On the Schema page, enter:
Database Type: Oracle Database
Connect String: IDMDB-SCAN:DB_LSNR_PORT/OAM_DB_SERVICENAME
for example: IAMDB-SCAN.mycompany.com:1521/oamedg.mycompany.com
DBA User Name: sys
DBA Password: PASSWORD
Click Connect.
Once you are connected successfully, enter the following:
Schema User Name: For example: EDGIAD_OPSS
Password: Password supplied when RCU was run.
On the Examine Page, verify that Successful is displayed and click Next.
On the Upgrade Summary Page verify that the information is correct and click Upgrade.
Once the upgrade is finished, click Next.
On the Upgrade Success page, click Close
Verify that the schema upgrade has been successful by checking the log files located in
IAD_MW_HOME/oracle_common/upgrade/logs/psa/psatimestamp.log
Restart the domain as described in Section 20.1, "Starting and Stopping Components."
After upgrading the OPSS schema, run the following query against the database, replacing <RCU_Prefix> with the prefix used when RCU was run (for example EDGIAD):
SELECT VERSION, STATUS, UPGRADED FROM SCHEMA_VERSION_REGISTRY WHERE OWNER='<RCU_Prefix>_OPSS';
VERSION should now be 11.1.1.7.2 and UPGRADED should be Y (Yes).
This section describes post-deployment steps for Oracle Unified Directory.
This section contains the following topics:
Section 15.3.1, "Update Oracle Unified Directory Change Log Access"
Section 15.3.2, "Update Oracle Unified Directory ACIs for LDAP Synchronization"
If you are using Oracle Unified Directory and Oracle Identity Manager, grant access to the change log by performing the following steps on all OUD hosts (LDAPHOST1 and LDAPHOST2).
To grant access to the change log:
Create a file containing the oudadmin password. You can give this file any name, but for this example, name the file mypasswordfile. Make it readable only by the user that runs OUD (for example, chmod 600), and remove it after running the commands in this section.
Add the following new ACI, which grants the OIMAdministrators group read, search, compare, add, write, delete and export access to cn=changelog:
OUD_ORACLE_INSTANCE/OUD/bin/dsconfig set-access-control-handler-prop \
--add global-aci:"(target=\"ldap:///cn=changelog\")(targetattr=\"*\")(version 3.0; acl \"External changelog access\"; allow (read,search,compare,add,write,delete,export) groupdn=\"ldap:///cn=OIMAdministrators,cn=groups,dc=mycompany,dc=com\";)" \
--hostname LDAP_HOST \
--port LDAP_ADMIN_PORT \
--trustAll \
--bindDN cn=oudadmin \
--bindPasswordFile passwordfile \
--no-prompt
The --trustAll option accepts the administration connector's certificate without verifying it; that is acceptable here because you run the command on the OUD host itself against its local instance.
For example:
OUD_ORACLE_INSTANCE/OUD/bin/dsconfig set-access-control-handler-prop \
--add global-aci:"(target=\"ldap:///cn=changelog\")(targetattr=\"*\")(version 3.0; acl \"External changelog access\"; allow (read,search,compare,add,write,delete,export) groupdn=\"ldap:///cn=OIMAdministrators,cn=groups,dc=mycompany,dc=com\";)" \
--hostname LDAPHOST1.mycompany.com \
--port 4444 \
--trustAll \
--bindDN cn=oudadmin \
--bindPasswordFile mypasswordfile \
--no-prompt
The following is a workaround for an Oracle Unified Directory operations failure that occurs when LDAP synchronization is enabled.
In an environment in which LDAP synchronization is enabled, certain operations against Oracle Unified Directory fail with the following error in the Oracle Unified Directory logs:
The request control with Object Identifier (OID) "1.2.840.113556.1.4.319" cannot be used due to insufficient access rights
OID 1.2.840.113556.1.4.319 is the Simple Paged Results control. To work around this issue, edit the configuration file OUD_ORACLE_INSTANCE/OUD/config/config.ldif on both Oracle Unified Directory instances and move that OID from the global ACI that grants control access to authenticated users (userdn="ldap:///all") to the global ACI that grants control access to anonymous users (userdn="ldap:///anyone"). Both ACIs already exist in config.ldif: remove the OID from the targetcontrol list of the first and append it to the targetcontrol list of the second.
Change the "Authenticated users control access" ACI, which as shipped contains the OID:
ds-cfg-global-aci: (targetcontrol="1.3.6.1.1.12 || 1.3.6.1.1.13.1 || 1.3.6.1.1.13.2 || 1.2.840.113556.1.4.319 || 1.2.826.0.1.3344810.2.3 || 2.16.840.1.113730.3.4.18 || 2.16.840.1.113730.3.4.9 || 1.2.840.113556.1.4.473 || 1.3.6.1.4.1.42.2.27.9.5.9") (version 3.0; acl "Authenticated users control access"; allow(read) userdn="ldap:///all";)
so that the OID is removed from it, and add the OID to the "Anonymous control access" ACI so that it reads:
ds-cfg-global-aci: (targetcontrol="2.16.840.1.113730.3.4.2 || 2.16.840.1.113730.3.4.17 || 2.16.840.1.113730.3.4.19 || 1.3.6.1.4.1.4203.1.10.2 || 1.3.6.1.4.1.42.2.27.8.5.1 || 2.16.840.1.113730.3.4.16 || 2.16.840.1.113894.1.8.31 || 1.2.840.113556.1.4.319") (version 3.0; acl "Anonymous control access"; allow(read) userdn="ldap:///anyone";)
After this change an unauthenticated bind may send the paged results control. Which entries and attributes such a bind can read is still governed by the other ACIs, so the change does not by itself expose directory data, but it is a widening of anonymous access and should be recorded as such.
Restart the Oracle Unified Directory server as described in Section 20.1, "Starting and Stopping Components."
In an environment in which LDAP synchronization is enabled, certain operations in OIM LDAP reconciliation tasks against Oracle Unified Directory fail with the following error in the OIM logs:
java.lang.Exception: The request control with Object Identifier (OID) "1.3.6.1.4.1.26027.1.5.4" cannot be used due to insufficient access rights
To avoid this error, add the following ACI, which grants use of that control to the OIMAdministrators group only, not to all authenticated or anonymous users:
OUD_ORACLE_INSTANCE/OUD/bin/dsconfig set-access-control-handler-prop \
--add global-aci:"(targetcontrol=\"1.3.6.1.4.1.26027.1.5.4\")(version 3.0; acl \"OIMAdministrators control access\"; allow(read) groupdn=\"ldap:///cn=OIMAdministrators,cn=groups,dc=mycompany,dc=com\";)" \
--hostname LDAP_HOST \
--port LDAP_ADMIN_PORT \
--trustAll \
--bindDN cn=oudadmin \
--bindPasswordFile passwordfile \
--no-prompt
For example:
OUD_ORACLE_INSTANCE/OUD/bin/dsconfig set-access-control-handler-prop \
--add global-aci:"(targetcontrol=\"1.3.6.1.4.1.26027.1.5.4\")(version 3.0; acl \"OIMAdministrators control access\"; allow(read) groupdn=\"ldap:///cn=OIMAdministrators,cn=groups,dc=mycompany,dc=com\";)" \
--hostname LDAPHOST1.mycompany.com \
--port 4444 \
--trustAll \
--bindDN cn=oudadmin \
--bindPasswordFile mypasswordfile \
--no-prompt
Run the command against each OUD instance (LDAPHOST1 and LDAPHOST2), as dsconfig changes are local to the instance, then restart the OUD server for the changes to take effect.
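The ACI edits in this section are easy to get wrong by hand, and config.ldif on each instance is the only place to verify them. The following Python script is an added example (not Oracle code) that parses the ds-cfg-global-aci values from a config.ldif, reports which ACI and subject grant use of a request control OID, and performs the paged-results move from the "Authenticated users control access" ACI to the "Anonymous control access" ACI described above. SAMPLE_CONFIG_LDIF is a constructed fragment in the pre-workaround state (with the OIMAdministrators control ACI already added); the function and constant names are this example's own.

```python
"""Inspect and edit OUD global ACIs (ds-cfg-global-aci) in config.ldif.

Added example for this page, not Oracle code. SAMPLE_CONFIG_LDIF is a constructed
fragment, folded at one point the way real LDIF is, in the state before the
paged-results workaround has been applied.
"""
import re

PAGED_RESULTS_OID = "1.2.840.113556.1.4.319"  # Simple Paged Results control (RFC 2696)
OIM_CONTROL_OID = "1.3.6.1.4.1.26027.1.5.4"    # control needed by OIM LDAP reconciliation
ACI_ATTR = "ds-cfg-global-aci:"

SAMPLE_CONFIG_LDIF = """dn: cn=Access Control Handler,cn=config
objectClass: ds-cfg-access-control-handler
ds-cfg-global-aci: (targetcontrol="1.3.6.1.1.12 || 1.3.6.1.1.13.1 || 1.3.6.1.1.13.2 || 1.2.840.113556.1.4.319 || 1.2.826.0.1.3344810.2.3 || 2.16.840.1.113730.3.4.18 || 2.16.840.1.113730.3.4.9 || 1.2.840.113556.1.4.473 || 1.3.6.1.4.1.42.2.27.9.5.9") (version 3.0; acl "Authenticated users control access"; allow(read) userdn="ldap:///all";)
ds-cfg-global-aci: (targetcontrol="2.16.840.1.113730.3.4.2 || 2.16.840.1.113730.3.4.17 || 2.16.840.1.113730.3.4.19 || 1.3.6.1.4.1.4203.1.10.2 || 1.3.6.1.4.1.42.2.27.8.5.1 || 2.16.840.1.113730.3.4.16 || 2.16.840.1.113894.1.8.31") (version 3.0; acl "Anonymous control access"; allow(read) userdn="ldap:///anyone";)
ds-cfg-global-aci: (targetcontrol="1.3.6.1.4.1.26027.1.5.4")(version 3.0; acl "OIMAd
 ministrators control access"; allow(read) groupdn="ldap:///cn=OIMAdministrators,cn=groups,dc=mycompany,dc=com";)
"""


def unfold(ldif):
    """Join LDIF continuation lines (a line starting with one space continues the previous one)."""
    lines = []
    for line in ldif.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def parse_aci(aci):
    """Extract the acl name, targetcontrol OIDs, rights and bind subject from one ACI string."""
    controls = re.search(r'\(targetcontrol="([^"]*)"\)', aci)
    name = re.search(r'acl "([^"]*)"', aci)
    rights = re.search(r"allow\s*\(([^)]*)\)", aci)
    subject = re.search(r'(userdn|groupdn)="([^"]*)"', aci)
    return {
        "name": name.group(1) if name else None,
        "controls": [c.strip() for c in controls.group(1).split("||")] if controls else [],
        "rights": [r.strip() for r in rights.group(1).split(",")] if rights else [],
        "subject": subject.group(2) if subject else None,
    }


def parse_global_acis(ldif):
    """All global ACIs in a config.ldif, in file order."""
    return [parse_aci(l[len(ACI_ATTR):].strip()) for l in unfold(ldif) if l.startswith(ACI_ATTR)]


def who_may_use(acis, oid):
    """(acl name, subject) pairs whose ACI allows read on the request control oid."""
    return [(a["name"], a["subject"]) for a in acis if oid in a["controls"] and "read" in a["rights"]]


def _set_controls(line, controls):
    return re.sub(r'\(targetcontrol="[^"]*"\)',
                  lambda m: '(targetcontrol="' + " || ".join(controls) + '")', line, count=1)


def move_control(ldif, oid, from_acl, to_acl):
    """Return config.ldif text with oid removed from from_acl and appended to to_acl (idempotent)."""
    out = []
    for line in unfold(ldif):
        if line.startswith(ACI_ATTR):
            aci = parse_aci(line)
            if aci["name"] == from_acl and oid in aci["controls"]:
                line = _set_controls(line, [c for c in aci["controls"] if c != oid])
            elif aci["name"] == to_acl and oid not in aci["controls"]:
                line = _set_controls(line, aci["controls"] + [oid])
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    acis = parse_global_acis(SAMPLE_CONFIG_LDIF)
    print("before:", who_may_use(acis, PAGED_RESULTS_OID))
    moved = move_control(SAMPLE_CONFIG_LDIF, PAGED_RESULTS_OID,
                         "Authenticated users control access", "Anonymous control access")
    print("after: ", who_may_use(parse_global_acis(moved), PAGED_RESULTS_OID))
    print("OIM control:", who_may_use(parse_global_acis(moved), OIM_CONTROL_OID))
```

Run it against a copy of OUD_ORACLE_INSTANCE/OUD/config/config.ldif from each instance before and after the change. The same who_may_use() check confirms that only the OIMAdministrators group, and not ldap:///all or ldap:///anyone, may use 1.3.6.1.4.1.26027.1.5.4 after the dsconfig command above. The output of move_control() has LDIF continuation lines joined, which is still valid LDIF.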
Perform the following post-deployment steps.
Section 15.4.1, "Post Deployment Steps to Address Known Issue"
Section 15.4.2, "Forcing OIM to use IPoIB for Multicast Operations"
Section 15.4.4, "Configuring Oracle Identity Manager Servers to Listen on EoIB"
Due to a known issue, node manager SSL is not configured fully. The workaround is to perform the following steps for each administration and managed server in the deployment, in each domain.
Log in to the WebLogic Console for the domain at the URL listed in Section 20.2, "About Identity and Access Management Console URLs."
Click Lock and Edit.
Navigate to Environment > Servers.
Click on a server name, for example: wls_oam1.
Click on the SSL tab.
Expand the Advanced Options and change Hostname Verification to BEA Host Name Verifier.
Click Save.
Repeat for each server in the domain.
Click Activate Changes.
Restart the domain.
Repeat for the second domain.
As a workaround for a known issue in the Identity and Access Management Deployment tools, add an Oracle Identity Manager property.
To add the OIM property:
Log in to the WebLogic Console in the IAMGovernanceDomain. (The Console URLs are provided in Section 20.2, "About Identity and Access Management Console URLs.")
Navigate to Environment -> Servers.
Click Lock and Edit.
Click on the server WLS_OIM1.
Click on the Server Start subtab.
Add the following to the Arguments field:
-Dmulticast.bind.address=oimhost1.mycompany.com
Click Save.
Repeat the Server Start edit for the managed server WLS_OIM2.
Click Activate Changes.
Note:
Instead of using oimhost1, use the IPoIB name for the host on which the managed server runs. For example, oimhost2 would be used for WLS_OIM2 in a virtual deployment, and iamhost1/2 would be used in a physical Exalogic deployment.
As a workaround for a known issue in the Identity and Access Management Deployment tools, add an Oracle Identity Manager property.
To add the OIM property:
Log in to the WebLogic Console in the IAMGovernanceDomain. (The Console URLs are provided in Section 20.2, "About Identity and Access Management Console URLs.")
Navigate to Environment -> Servers.
Click Lock and Edit.
Click on the server WLS_OIM1.
Click on the Server Start subtab.
Add the following to the Arguments field:
-Djava.net.preferIPv4Stack=true
Click Save.
Repeat the Server Start edit for the managed server WLS_OIM2.
Click Activate Changes.
This section is only required if the Oracle Identity Manager servers need to be accessed directly from outside the Exalogic machine. This is the case when external Oracle HTTP Servers are part of the configuration.
Create a new network channel as follows:
Log in to the WebLogic Console in the IAMGovernanceDomain.
Click Lock & Edit.
Navigate to Environment -> Servers to open the Summary of Servers page
In the Servers table, click WLS_OIM1.
Select Protocols and then Channels.
Click New to create a new channel.
Enter OIMHOST1VHN-EXTCHAN as the name. Select HTTP as the protocol and click Next.
In the Network Channel Addressing page, enter the following information:
Listen Address: OIMHOST1VHN-EXT
This is the bond1 address assigned to OIMHOST1VHN-EXT
Listen Port: 8001
Click Next and select the following in the Network Channel Properties page:
Enabled
HTTP Enabled for this protocol
Click Finish.
Click Activate Changes.
Repeat the preceding steps, substituting WLS_OIM2 and OIMHOST2VHN-EXT for the Server and Listen Address.
If you configured an email server in Section 13.12, "Configure Oracle Identity Manager" and the mail server security is SSL, follow these additional steps:
Ensure that the proxy is set for the environment.
Stop the IAMGovernanceDomain Administration Server and the OIM Managed Servers (WLS_OIM1 and WLS_OIM2).
Back up IGD_MSERVER_HOME/bin/setDomainEnv.sh.
Modify IGD_MSERVER_HOME/bin/setDomainEnv.sh to include the proxy settings. Include this command as part of the environment setup in the setDomainEnv.sh file:
export PROXY_SETTINGS="-Dhttp.proxySet=true -Dhttp.proxyHost=www-proxy.mycompany.com -Dhttp.proxyPort=80 -Dhttp.nonProxyHosts=localhost|${HOST}|*.mycompany.com|*.oracle.com"
For example, the relevant part of the file then reads:
export JAVA_PROPERTIES
export PROXY_SETTINGS="-Dhttp.proxySet=true -Dhttp.proxyHost=www-proxy.mycompany.com -Dhttp.proxyPort=80 -Dhttp.nonProxyHosts=localhost|${HOST}|*.mycompany.com"
ARDIR="${WL_HOME}/server/lib"
export ARDIR
Check that PROXY_SETTINGS is actually passed to the JVM (for example, appended to JAVA_OPTIONS later in the same file); exporting the variable on its own sets no Java system property. Also check that nonProxyHosts covers the internal hosts the Managed Servers talk to, otherwise that traffic is sent to the proxy as well.
Remove the DemoTrust store reference from the SOA environment. DemoTrust.jks is the demonstration trust store shipped with every WebLogic installation and is not suitable for production; once the reference is removed, the JVM validates outbound SSL connections such as the one to the mail server against its default trust store (the JDK cacerts), so the mail server's CA certificate must be present there.
Modify IGD_MSERVER_HOME/bin/setDomainEnv.sh to remove the DemoTrust reference. Remove the following from EXTRA_JAVA_PROPERTIES in setDomainEnv.sh:
-Djavax.net.ssl.trustStore=${WL_HOME}/server/lib/DemoTrust.jks
Restart both the Administration Server and the Managed Servers.
During deployment, a number of resources are created in Access Manager with protection levels set. In order for Oracle Identity Manager to function correctly, one of these resources needs to be modified and one created.
To do this, perform the following steps:
Log in to the Access Management Console at the URL listed in Section 20.2, "About Identity and Access Management Console URLs."
Click Application Domains.
Click Search.
Click IAM Suite.
Click the Resources tab.
Click New Resource and enter the following information:
Type: http
Description: provisioning-callback
Host Identifier: IAMSuiteAgent
Resource URL: /provisioning-callback/**
Protection Level: Excluded
Authentication Policy: n/a
Authorization Policy: n/a
Click Apply.
Locate the resource /identity/** by entering /identity/* in the Resource URL field of the Resources search window.
Click Edit.
Change the Protection Level to Excluded.
Click Apply.
By default the Access Manager idle timeout is set to two hours, so a session that has gone idle remains valid for up to two hours before the user is logged out. Reduce this value to 15 minutes.
To update the idle timeout value:
Log in to the Access Management Console at the URL listed in Section 20.2, "About Identity and Access Management Console URLs."
Log in as the Access Manager administrator user you created in Section 13.9, "Set User Names and Passwords," for example: oamadmin.
Click on Common Settings under Configuration.
Change Idle Time out (minutes) to 15.
Click Apply.
After deployment, update existing WebGate Agents. The Identity and Access Management Console URLs are provided in Section 20.2, "About Identity and Access Management Console URLs."
Update the Access Manager Security Model of all WebGate profiles, with the exception of Webgate_IDM and Webgate_IDM_11g, which should already be set. In addition, set a password for the IAMSuiteAgent profile so that it can be used for OAAM integration. (The IAMSuiteAgent was created when Access Manager was installed.)
To update these WebGate agents:
Log in to the Access Management Console as the Access Management administrator user identified by the entry in Section 13.9, "Set User Names and Passwords."
Click SSO Agents in the Access Manager box.
Ensure that the WebGates tab is selected.
Click Search.
Click an Agent, for example: IAMSuiteAgent.
Set the Security value to the same value defined to OAM Transfer Mode on the Access Manager Configuration screen in Section 13.15, "Configure Oracle Access Manager."
The default setting is Open for AIX deployments and Simple for all others.
Click Apply.
In the Primary Server list, click +
and add any missing Access Manager Servers.
If a password has not already been assigned, enter a password into the Access Client Password field and click Apply. Assign an Access Client Password such as the common IAM password (COMMON_IDM_PASSWORD) you used in Section 13.9, "Set User Names and Passwords," or an Access Manager-specific password, if you have set one.
Set Maximum Number of Connections to 20 for all of the Access Manager Servers listed in the primary servers list. (This is the total maximum number of connections for the primary servers, which is 10 x WLS_OAM1 connections plus 10 x WLS_OAM2 connections.)
If you see the following in the User Defined Parameters:
logoutRedirectUrl=http://OAMHOST1.mycompany.com:14100/oam/server/logout
Change it to:
logoutRedirectUrl=https://sso.mycompany.com/oam/server/logout
Click Apply.
Repeat these steps for each WebGate.
Check that the security setting matches that of your Access Manager servers.
Perform these steps to enable Exalogic optimizations:
Log in to the Oracle WebLogic Server Administration Console.
Select IAMAccessDomain in the left navigation pane.
Click Lock & Edit.
On the Settings page, click the General tab.
Select Enable Exalogic Optimizations, and click Save and Activate Changes.
Repeat the steps for the IAMGovernanceDomain.
Restart the WebLogic Administration server.
You can enable session replication enhancements for Managed Servers in a WebLogic cluster to which you will deploy a web application at a later time.
To enable session replication enhancements for oim_cluster in the domain IAMGovernanceDomain, use the values in the following table.
Table 15-1 Network Channel Properties
Managed Server | Name | Protocol | Listen Address | Listen Port | Additional Channel Ports
---|---|---|---|---|---
WLS_OIM1 | ReplicationChannel | t3 | OIMHOST1VHN.mycompany.com | 7005 | 7006 to 7014
WLS_OIM2 | ReplicationChannel | t3 | OIMHOST2VHN.mycompany.com | 7005 | 7006 to 7014
WLS_SOA1 | ReplicationChannel | t3 | SOAHOST1VHN.mycompany.com | 7005 | 7006 to 7014
WLS_SOA2 | ReplicationChannel | t3 | SOAHOST2VHN.mycompany.com | 7005 | 7006 to 7014
Proceed as follows:
Log in to the WebLogic Administration console at: http://IGDADMIN.mycompany.com/console
Ensure that the Managed Servers in the oim_cluster cluster are up and running, as described in Section 20.1, "Starting and Stopping Components."
To set replication ports for a Managed Server, use the values in Table 15-1.
To set the values for WLS_OIM1, for example, complete the following steps:
Under Domain Structure, click Environment and Servers. The Summary of Servers page is displayed.
Click Lock & Edit.
Click WLS_OIM1 on the list of servers. The Settings for WLS_OIM1 are displayed.
Click the Cluster tab.
In the Replication Ports field, enter a range of ports for configuring multiple replication channels. For example, replication channels for Managed Servers in oim_cluster can listen on ports from 7005 to 7015. To specify this range of ports, enter 7005-7015.
Repeat Steps a through e for each of the other managed servers in Table 15-1.
The following steps show how to create a network channel for the managed server WLS_OIM1.
Log in to the Oracle WebLogic Server Administration Console.
If you have not already done so, click Lock & Edit in the Change Center.
In the left pane of the Console, expand Environment and select Servers.
The Summary of Servers page is displayed.
In the Servers table, click WLS_OIM1 Managed Server instance.
Select Protocols, and then Channels.
Click New.
Enter ReplicationChannel as the name of the new network channel and select t3 as the protocol, then click Next.
Enter the following information:
Listen address: OIMHOST1VHN.mycompany.com
Note:
This is the WLS_OIM1 floating IP assigned to WebLogic Server.
Listen port: 7005
Click Next, and in the Network Channel Properties page, select Enabled and Outbound Enabled.
Click Finish.
Click Save.
Under the Network Channels table, select ReplicationChannel, the network channel you created for the WLS_OIM1 managed server.
Expand Advanced, select Enable SDP Protocol, and click Save.
To activate these changes, in the Change Center of the Administration Console, click Activate Changes.
You must repeat the above steps to create a network channel each for the remaining Managed Servers in the cluster. Enter the required properties, as described in Table 15-1.
After creating the network channel for each of the Managed Servers in your cluster, click Environment > Clusters. The Summary of Clusters page is displayed.
Click oim_cluster. The Settings for oim_cluster page is displayed.
Click the Replication tab.
In the Replication Channel field, ensure that ReplicationChannel
is set as the name of the channel to be used for replication traffic.
In the Advanced section, select the Enable One Way RMI for Replication option.
Click Save.
Repeat these steps for the SOA cluster.
To activate these changes, in the Change Center of the Administration Console, click Activate Changes.
Manually add the system property -Djava.net.preferIPv4Stack=true to the startWebLogic.sh script, which is located in the bin directory of ASERVER_HOME, using a text editor as follows:
Locate the following line in the startWebLogic.sh script:
. ${DOMAIN_HOME}/bin/setDomainEnv.sh $*
Add the following property immediately after the above entry:
JAVA_OPTIONS="${JAVA_OPTIONS} -Djava.net.preferIPv4Stack=true"
Save the file and close.
Complete this procedure for each domain.
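The edit in this section, and the setDomainEnv.sh proxy and DemoTrust edits for the OIM mail server earlier in this chapter, are the same kind of change on every host: insert a line after a known anchor line, or drop one -D option from a quoted variable assignment, without damaging the script if the edit is run a second time. The following Python is an added example (not Oracle code) that does both idempotently, keeps a .orig backup and offers a check of which -D options a script carries. SAMPLE_START_WEBLOGIC and SAMPLE_SET_DOMAIN_ENV are constructed fragments, not copies of the real scripts, and the function names are this example's own.

```python
"""Idempotent edits to WebLogic domain start scripts (added example, not Oracle code).

insert_after_line() adds a line after an anchor only if it is not already present,
remove_java_option() drops -D options from the double-quoted values of a script,
java_options() lists the -D options a script carries, and edit_script() applies a
change to a file on disk after writing a .orig backup.
"""
import os
import re
import shutil
import tempfile


def insert_after_line(text, anchor, new_line):
    """Insert new_line after the first line equal to anchor; no-op if new_line is already there."""
    lines = text.splitlines()
    if any(l.strip() == new_line.strip() for l in lines):
        return text
    for i, l in enumerate(lines):
        if l.strip() == anchor.strip():
            lines.insert(i + 1, new_line)
            return "\n".join(lines) + "\n"
    raise ValueError("anchor line not found: %r" % anchor)


def remove_java_option(text, option_prefix):
    """Remove every token starting with option_prefix from the quoted values on lines carrying it."""
    out = []
    for line in text.splitlines():
        if option_prefix in line:
            def strip_tokens(m):
                tokens = [t for t in m.group(1).split() if not t.startswith(option_prefix)]
                return '"' + " ".join(tokens) + '"'
            line = re.sub(r'"([^"]*)"', strip_tokens, line)
        out.append(line)
    return "\n".join(out) + "\n"


def java_options(text):
    """Every -Dname=value token in the text, in order of appearance."""
    return re.findall(r'-D[\w.]+=?[^\s"]*', text)


def edit_script(path, transform):
    """Apply transform(text) -> text to the script at path; keep the original as path.orig."""
    with open(path) as f:
        original = f.read()
    updated = transform(original)
    if updated == original:
        return False
    if not os.path.exists(path + ".orig"):
        shutil.copy2(path, path + ".orig")
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as f:
        f.write(updated)
    shutil.copymode(path, tmp)
    os.replace(tmp, path)   # atomic swap so a half-written script is never started
    return True


# Constructed fragments of the two scripts this chapter edits (hypothetical paths).
SAMPLE_START_WEBLOGIC = """#!/bin/sh
DOMAIN_HOME="/u01/oracle/config/domains/IAMGovernanceDomain"
. ${DOMAIN_HOME}/bin/setDomainEnv.sh $*
SAVE_JAVA_OPTIONS="${JAVA_OPTIONS}"
"""
SAMPLE_SET_DOMAIN_ENV = """EXTRA_JAVA_PROPERTIES="-Djavax.net.ssl.trustStore=${WL_HOME}/server/lib/DemoTrust.jks -Dsoa.archives.dir=${SOA_ORACLE_HOME}/soa ${EXTRA_JAVA_PROPERTIES}"
export EXTRA_JAVA_PROPERTIES
"""
SET_DOMAIN_ENV_ANCHOR = ". ${DOMAIN_HOME}/bin/setDomainEnv.sh $*"
IPV4_LINE = 'JAVA_OPTIONS="${JAVA_OPTIONS} -Djava.net.preferIPv4Stack=true"'
DEMO_TRUST_OPTION = "-Djavax.net.ssl.trustStore="

if __name__ == "__main__":
    print(insert_after_line(SAMPLE_START_WEBLOGIC, SET_DOMAIN_ENV_ANCHOR, IPV4_LINE))
    print(remove_java_option(SAMPLE_SET_DOMAIN_ENV, DEMO_TRUST_OPTION))
```

To apply the change to a real file, call edit_script(path, lambda t: insert_after_line(t, SET_DOMAIN_ENV_ANCHOR, IPV4_LINE)) on each domain's startWebLogic.sh; java_options() on the result is a quick way to confirm across hosts that the option is present exactly once and that no DemoTrust reference remains.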
This section describes how to configure single sign-on (SSO) for administration consoles in an Identity and Access Management Enterprise deployment.
This section includes the following topics:
Section 15.10.4, "Validating WebGate and the Access Manager Single Sign-On Setup"
Section 15.10.5, "Updating OTD configuration Repository with Webgate Changes"
If you have not integrated Oracle Access Management Access Manager with Oracle Identity Manager, you must first create WebLogic Security Providers. Then proceed as follows.
You assign WebLogic Administration groups, update boot.properties, and restart the servers. Then you install and configure WebGate and validate the setup. After WebGate is installed and configured, the Oracle Traffic Director intercepts requests for the consoles and forwards them to Access Manager for validation.
The administration consoles referred to in the chapter title are:
Oracle Enterprise Manager Fusion Middleware Control
Oracle WebLogic Server Administration Console
Oracle Access Management Console
Oracle Identity Manager Console
You start the Administration Server by using WLST and connecting to Node Manager. The first start of the Administration Server with Node Manager, however, requires that you change the default username and password that the Configuration Wizard sets for Node Manager. Therefore you must use the start script for the Administration Server for the first start. Follow these steps to start the Administration Server using Node Manager. Setting the memory parameters is required only for the first start operation.
To edit the setDomainEnv.sh file to change the memory allocation settings:
Open the setDomainEnv.sh file, located in the directory ASERVER_HOME/bin, using a text editor.
Change the memory allocation by updating the Java maximum memory allocation pool (Xmx) to 3072m and the initial memory allocation pool (Xms) to 1024m.
For example:
WLS_MEM_ARGS_64BIT="-Xms1024m -Xmx3072m"
or, in the case of the Oracle JRockit JVM:
XMS_JROCKIT_64BIT="1024"
XMX_JROCKIT_64BIT="3072"
Note:
Change the values associated with the OS you are using.
Start the Administration Server using the start script in the domain directory:
cd ASERVER_HOME/bin
./startWebLogic.sh
This section describes how to install and configure WebGate.
Install and configure Oracle Traffic Director as described in Section 12, "Installing and Configuring Oracle Traffic Director for an Enterprise Deployment," before installing Oracle WebGate.
Before starting the installer, ensure that Java is installed on your machine. To install Oracle WebGate, complete the following steps on WEBHOST1 and WEBHOST2. The WebGate installer can be found in REPOS_HOME/installers/webgate_otd.
Start the WebGate installer by issuing the command:
./runInstaller
You are asked to specify the location of the Java Development Kit, for example:
WEB_MW_HOME/jrockit_version
On the Welcome screen, click Next.
On the Install Software Updates screen, choose whether to skip updates, check with Oracle Support for updates, or search for updates locally.
Click Next.
On the Specify Security Updates screen, specify these values:
Email Address: The email address for your My Oracle Support account.
Oracle Support Password: The password for your My Oracle Support account.
Select: I wish to receive security updates via My Oracle Support.
Click Next.
If the prerequisites fail because of missing 32-bit libraries, you can safely ignore this failure.
Click Next.
On the Installation Location Screen, enter the following information:
Oracle Home Directory: OTD_WEBGATE_ORACLE_HOME
Click Next.
On the installation summary screen, click Install.
Click Next.
Click Finish.
Execute the deployWebGateInstance.sh command from the directory OTD_WEBGATE_ORACLE_HOME/webgate/iplanet/tools/deployWebGate. Make sure this tool has executable permission.
For example:
cd OTD_WEBGATE_ORACLE_HOME/webgate/iplanet/tools/deployWebGate
./deployWebGateInstance.sh -w LOCAL_CONFIG_DIR/webgate/ -oh OTD_WEBGATE_ORACLE_HOME -ws otd
Expected output:
Copying files from WebGate Oracle Home to WebGate Instancedir
Note:
The deployment directory must be the same on every host.
Set the environment variable LD_LIBRARY_PATH to OTD_WEBGATE_ORACLE_HOME/lib. For example:
export LD_LIBRARY_PATH=OTD_WEBGATE_ORACLE_HOME/lib
Edit the *-obj.conf file of each OTD virtual server (sso.mycompany.com, iadadmin.mycompany.com, igdadmin.mycompany.com and idminternal.mycompany.com) using the EditObjConf tool located in the following directory:
OTD_WEBGATE_ORACLE_HOME/webgate/iplanet/tools/setup/InstallTools
For example, on WEBHOST1, run the following:
./EditObjConf -f WEB_ORACLE_INSTANCE/net-IDM/config/sso.mycompany.com-obj.conf -oh OTD_WEBGATE_ORACLE_HOME -w LOCAL_CONFIG_DIR/webgate -ws otd
./EditObjConf -f WEB_ORACLE_INSTANCE/net-IDM/config/iadadmin.mycompany.com-obj.conf -oh OTD_WEBGATE_ORACLE_HOME -w LOCAL_CONFIG_DIR/webgate -ws otd
./EditObjConf -f WEB_ORACLE_INSTANCE/net-IDM/config/igdadmin.mycompany.com-obj.conf -oh OTD_WEBGATE_ORACLE_HOME -w LOCAL_CONFIG_DIR/webgate -ws otd
./EditObjConf -f WEB_ORACLE_INSTANCE/net-IDM/config/idminternal.mycompany.com-obj.conf -oh OTD_WEBGATE_ORACLE_HOME -w LOCAL_CONFIG_DIR/webgate -ws otd
Expected output:
WEB_ORACLE_INSTANCE/config/magnus.conf has been backed up as WEB_ORACLE_INSTANCE/config/magnus.conf.ORIG
WEB_ORACLE_INSTANCE/config/instance_config_name-obj.conf has been backed up as WEB_ORACLE_INSTANCE/instance_config_name-obj.conf.ORIG
Register WebGate with the Access Manager 11g server by copying the WebGate artifacts located in the directory IAD_ASERVER_HOME/output/Webgate_IDM_11g to the following directories:
Copy aaa_cert.pem and aaa_key.pem to LOCAL_CONFIG_DIR/webgate/webgate/config/simple
Copy cwallet.sso, ObAccessClient.xml and password.xml to LOCAL_CONFIG_DIR/webgate/webgate/config
To copy the artifacts, run the following commands:
cp IAD_ASERVER_HOME/output/Webgate_IDM_11g/aaa* LOCAL_CONFIG_DIR/webgate/webgate/config/simple
cp IAD_ASERVER_HOME/output/Webgate_IDM_11g/password.xml LOCAL_CONFIG_DIR/webgate/webgate/config/
cp IAD_ASERVER_HOME/output/Webgate_IDM_11g/ObAccessClient.xml LOCAL_CONFIG_DIR/webgate/webgate/config/
cp IAD_ASERVER_HOME/output/Webgate_IDM_11g/cwallet.sso LOCAL_CONFIG_DIR/webgate/webgate/config/
These files include the WebGate's private key (aaa_key.pem), its wallet and its agent password; keep them readable only by the user that runs Oracle Traffic Director.
Add LD_LIBRARY_PATH to the Oracle Traffic Director start script.
To avoid having to set LD_LIBRARY_PATH each time you start Oracle Traffic Director, add it to the OTD start script:
Edit the startserv file located in the directory WEB_ORACLE_INSTANCE/net-IDM/bin.
Locate the following lines:
# Set LD_LIBRARY_PATH for Solaris and Linux
LD_LIBRARY_PATH="${SERVER_LIB_PATH}:${LD_LIBRARY_PATH}"; export LD_LIBRARY_PATH
Add the following line immediately after them, replacing OTD_WEBGATE_ORACLE_HOME with the actual path:
LD_LIBRARY_PATH="${LD_LIBRARY_PATH}:OTD_WEBGATE_ORACLE_HOME/lib"; export LD_LIBRARY_PATH
After editing, the file appears as follows:
# Set LD_LIBRARY_PATH for Solaris and Linux
LD_LIBRARY_PATH="${SERVER_LIB_PATH}:${LD_LIBRARY_PATH}"; export LD_LIBRARY_PATH
LD_LIBRARY_PATH="${LD_LIBRARY_PATH}:OTD_WEBGATE_ORACLE_HOME/lib"; export LD_LIBRARY_PATH
Save this file.
Repeat this procedure for each WEBHOST.
Note:
Configuring WebGate in this way directly modifies the Oracle Traffic Director configuration files on disk. These changes are not reflected in the OTD configuration store. The next time you modify the configuration in the OTD administration console, OTD indicates that there is a discrepancy between the configuration store and the values on disk and asks what you want to do. You MUST tell OTD to pull the configuration from the files rather than push the configuration store back to the files. Selecting the wrong option removes the WebGate configuration you just performed.
Use the startserv command to start, and the stopserv command to stop, your Oracle Traffic Director instance.
If you did not install Oracle Traffic Director as root, stop the failover groups by running the following command as root:
OTD_ORACLE_HOME/bin/tadm stop-failover --instance-home=WEB_INSTANCE_HOME/ --config=sso.mycompany.com
To stop the server, run the following command:
WEB_ORACLE_INSTANCE/net-IDM/bin/stopserv
To start the server, run the following commands:
export LD_LIBRARY_PATH=OTD_WEBGATE_ORACLE_HOME/lib
WEB_ORACLE_INSTANCE/net-IDM/bin/startserv
If you did not install Oracle Traffic Director as root, start the failover groups by running the following command as root:
OTD_ORACLE_HOME/bin/tadm start-failover --instance-home=WEB_INSTANCE_HOME/ --config=sso.mycompany.com
To restart the Oracle Traffic Director instance, stop all running instances, and then run the start command.
To validate that WebGate is functioning correctly, open a web browser and go to the Access Management Console URL listed in Section 20.2, "About Identity and Access Management Console URLs."
The Oracle Access Management Login page is displayed. Enter your Access Manager administrator user name (for example, oamadmin) and password and click Login. The Oracle Access Management console is then displayed.
To validate the single sign-on setup, open a web browser and go to the WebLogic Administration Console and to Oracle Enterprise Manager Fusion Middleware Control at the URLs listed in Section 20.2, "About Identity and Access Management Console URLs."
The Oracle Access Management Single Sign-On page is displayed. Provide the credentials for the weblogic_idm user to log in.
The commands in the previous sections manually update the Oracle Traffic Director configuration files. After the files are updated, the OTD configuration store is inconsistent with the files on disk, and a subsequent deployment from the store would erase the new configuration. You must therefore update the OTD configuration store with the manual changes made in the previous sections.
To update the OTD configuration:
Log in to the OTD Administration Console using the following URL:
https://OTDADMINVHN:OTD_ADMIN_PORT
Click the Deploy button at the top of the screen.
A message box appears stating that the administration server has detected configuration modifications on some instances.
Select the option Pull and deploy configuration and click OK.
Back up the Web Tier and WebLogic domain, as described in Section 20.5, "Performing Backups and Recoveries."
If your Exalogic machine is connected to an Exadata machine that hosts your database, you must update your JDBC connections to use the SDP protocol, and then tell the Managed Servers that SDP is in use. Proceed as follows:
Note:
Perform the steps below for each data source in each domain that accesses the database using SDP.
Log in to the WebLogic Administration Console at the URL listed in Section 20.2, "About Identity and Access Management Console URLs."
Click Lock and Edit.
Expand Services in the Domain Structure window.
Click Data sources.
Click on a data source, for example: oamDS.
Select the Connection Pool tab.
Update the value of the URL. Instead of using the SCAN address over TCP, the URL should be an SDP connection to the listeners on each of the database servers.
For example, if the TCP URL is of the form:
jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=IAMDBSCAN)(PORT=1521)))(CONNECT_DATA=(SERVICE_NAME=oamedg.mycompany.com)))
Change it to:
jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=SDP)(HOST=IAMDBHOST01ib-vip.mycompany.com)(PORT=1522))(ADDRESS=(PROTOCOL=SDP)(HOST=IAMDBHOST02ib-vip.mycompany.com)(PORT=1522)))(CONNECT_DATA=(SERVICE_NAME=oamedg.mycompany.com)))
In this case, IAMDBHOST01ib-vip and IAMDBHOST02ib-vip are the listen addresses on the individual RAC nodes. The HOST and PORT should correspond to those of the IB Listener on each machine.
Click Save.
Repeat for each data source.
Now that the JDBC data sources have been updated, tell the managed servers that SDP is in use, as follows.
Expand Environment from the Domain Structure menu.
Click Servers. The Server summary page is displayed.
Click on a server name, for example: AdminServer
Note:
If you intend to start your Administration Server using the startWeblogic.sh script, also add this parameter to the JAVA_OPTIONS in that file.
Click the Server Start subtab.
Add the following to the arguments field if not already present:
-Doracle.net.SDP=true -Djava.net.preferIPv4Stack=true
Click Save.
Repeat for each Managed Server.
When finished, click Activate Changes.
Validate the data source connections after restarting all components, as described in Section 15.13, "Restarting All Components."
Through the WebLogic Administration Console, using the steps described in Section 15.11, "Enable SDP Support for JDBC Connections," select Services, Data Sources, Data Source, the Monitoring tab, and then the Testing subtab.
Select a server from the list and click Test Data Source.
The response should be successful.
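The console steps above are applied one data source and one server at a time, so it is easy to miss one. The following script is an added example, not part of the Oracle guide: it audits a WebLogic domain offline for both SDP settings, flagging JDBC descriptors whose URL still contains a TCP address and servers whose start arguments lack -Doracle.net.SDP=true. It assumes the usual domain layout (DOMAIN_HOME/config/jdbc/*-jdbc.xml with one url element each, and config.xml with server, name and server-start/arguments elements); the sample domain it builds under a temporary directory is constructed from the two URL forms shown in the text.

```shell
#!/bin/sh
# Added example (not from the Oracle guide): audit a WebLogic domain for the two
# SDP settings described above, using only sed/awk so it runs offline.
# Assumptions: JDBC descriptors live in DOMAIN_HOME/config/jdbc/*-jdbc.xml with a
# <url> element each, and config.xml carries start arguments in
# <server><server-start><arguments>. The sample domain below is constructed.

# Print "<file> <SDP|TCP|MIXED|NONE> sdp=<n> tcp=<n>" per data source;
# return 1 if any data source is not purely SDP.
audit_jdbc_protocols() {
    rc=0
    for f in "$1"/*-jdbc.xml; do
        [ -f "$f" ] || continue
        url=$(sed -n 's/.*<url>\(.*\)<\/url>.*/\1/p' "$f" | head -n 1)
        sdp=$(printf '%s' "$url" | grep -io 'PROTOCOL=SDP' | wc -l | tr -d ' ')
        tcp=$(printf '%s' "$url" | grep -io 'PROTOCOL=TCP' | wc -l | tr -d ' ')
        if [ "$sdp" -gt 0 ] && [ "$tcp" -eq 0 ]; then status=SDP
        elif [ "$sdp" -gt 0 ]; then status=MIXED; rc=1
        elif [ "$tcp" -gt 0 ]; then status=TCP; rc=1
        else status=NONE; rc=1; fi
        printf '%s %s sdp=%s tcp=%s\n' "$(basename "$f")" "$status" "$sdp" "$tcp"
    done
    return $rc
}

# Print the name of every <server> in config.xml whose start arguments do not
# include -Doracle.net.SDP=true (servers with no <server-start> block included).
servers_missing_sdp_flag() {
    awk '
        /<server>/ { inserver = 1; name = ""; ok = 0 }
        inserver && name == "" && /<name>/ {
            line = $0; sub(/.*<name>/, "", line); sub(/<\/name>.*/, "", line); name = line
        }
        inserver && /<arguments>/ && /-Doracle\.net\.SDP=true/ { ok = 1 }
        /<\/server>/ { if (inserver && !ok) print name; inserver = 0 }
    ' "$1"
}

# Build a constructed sample domain in a temporary directory and print its path.
make_sample_domain() {
    d=$(mktemp -d)
    mkdir -p "$d/config/jdbc"
    # Constructed: still on TCP via SCAN (the "before" form from the text)
    cat > "$d/config/jdbc/oamDS-jdbc.xml" <<'EOF'
<jdbc-data-source>
  <name>oamDS</name>
  <jdbc-driver-params>
    <url>jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=IAMDBSCAN)(PORT=1521)))(CONNECT_DATA=(SERVICE_NAME=oamedg.mycompany.com)))</url>
  </jdbc-driver-params>
</jdbc-data-source>
EOF
    # Constructed: converted to SDP against both IB listeners (the "after" form)
    cat > "$d/config/jdbc/oimDS-jdbc.xml" <<'EOF'
<jdbc-data-source>
  <name>oimDS</name>
  <jdbc-driver-params>
    <url>jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=SDP)(HOST=IAMDBHOST01ib-vip.mycompany.com)(PORT=1522))(ADDRESS=(PROTOCOL=SDP)(HOST=IAMDBHOST02ib-vip.mycompany.com)(PORT=1522)))(CONNECT_DATA=(SERVICE_NAME=oamedg.mycompany.com)))</url>
  </jdbc-driver-params>
</jdbc-data-source>
EOF
    # Constructed config.xml: one server done, one missing the flag, one with no start args
    cat > "$d/config/config.xml" <<'EOF'
<domain>
  <server>
    <name>AdminServer</name>
    <server-start>
      <arguments>-Doracle.net.SDP=true -Djava.net.preferIPv4Stack=true</arguments>
    </server-start>
  </server>
  <server>
    <name>WLS_OAM1</name>
    <server-start>
      <arguments>-Djava.net.preferIPv4Stack=true</arguments>
    </server-start>
  </server>
  <server>
    <name>WLS_OIM1</name>
  </server>
</domain>
EOF
    printf '%s\n' "$d"
}

DOMAIN=$(make_sample_domain)
audit_jdbc_protocols "$DOMAIN/config/jdbc" || echo "some data sources are not on SDP"
echo "servers missing -Doracle.net.SDP=true:"
servers_missing_sdp_flag "$DOMAIN/config/config.xml"
```

Against a real domain, point the two functions at DOMAIN_HOME/config/jdbc and DOMAIN_HOME/config/config.xml after Activate Changes; the non-zero return from audit_jdbc_protocols makes it usable as a gate in a post-change check.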
SSL certificates used by the load balancer must be added to the trusted certificates in the JDK.
To add the certificate:
Obtain the certificate from the load balancer.
You can obtain the load balancer certificate using a browser, such as Firefox. However, the easiest way to obtain the certificate is to use the openssl command. The syntax of the command is as follows:
openssl s_client -connect LOADBALANCER -showcerts </dev/null 2>/dev/null|openssl x509 -outform PEM > SHARED_CONFIG_DIR/keystores/sso.mycompany.com.pem
For example:
openssl s_client -connect sso.mycompany.com:443 -showcerts </dev/null 2>/dev/null|openssl x509 -outform PEM > SHARED_CONFIG_DIR/keystores/sso.mycompany.com.pem
This command saves the certificate to a file called sso.mycompany.com.pem in the directory SHARED_CONFIG_DIR/keystores.
Load the certificate into the JDK and Node Manager trust stores by running the following commands, which import the CA certificate file, sso.mycompany.com.pem, into the IGD_MW_HOME Java trust store and the Node Manager trust stores:
export JAVA_HOME=IGD_MW_HOME/jdk6
export PATH=$JAVA_HOME/bin:$PATH
keytool -importcert -file SHARED_CONFIG_DIR/keystores/sso.mycompany.com.pem -trustcacerts -keystore $JAVA_HOME/jre/lib/security/cacerts
keytool -importcert -file SHARED_CONFIG_DIR/keystores/sso.mycompany.com.pem -trustcacerts -keystore SHARED_CONFIG_DIR/keystores/appTrustKeyStore-oimhost1vhn.mycompany.com.jks
keytool -importcert -file SHARED_CONFIG_DIR/keystores/sso.mycompany.com.pem -trustcacerts -keystore SHARED_CONFIG_DIR/keystores/appTrustKeyStore-oimhost2vhn.mycompany.com.jks
keytool -importcert -file SHARED_CONFIG_DIR/keystores/sso.mycompany.com.pem -trustcacerts -keystore SHARED_CONFIG_DIR/keystores/appTrustKeyStore-oimhost1.mycompany.com.jks
keytool -importcert -file SHARED_CONFIG_DIR/keystores/sso.mycompany.com.pem -trustcacerts -keystore SHARED_CONFIG_DIR/keystores/appTrustKeyStore-oimhost2.mycompany.com.jks
Where JAVA_HOME is set to IGD_MW_HOME/jdk6
You are prompted to enter a password for each keystore. The default password for the JDK trust store is changeit; for the Node Manager keystores it is the COMMON_IAM_PASSWORD. You are also prompted to confirm that the certificate is valid.
Note:
The names of the virtual hosts you assigned to your OIM servers are oimhost1vhn and oimhost2vhn.
Restart all components, as described in Section 20.1, "Starting and Stopping Components."
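The openssl pipeline above keeps only the first certificate that the load balancer presents (openssl x509 reads a single PEM block), which is the leaf certificate. When the load balancer serves a chain, a practitioner may want each certificate, including the issuing CA, as its own file so it can be imported and later removed by alias. The following script is an added example and not part of the Oracle guide: split_pem_bundle separates an s_client -showcerts stream into numbered PEM files, fetch_lb_chain and import_pem_dir wrap the openssl and keytool calls from the text, and the keystore list in the commented usage mirrors the one above. The demo input is a constructed bundle whose base64 bodies are placeholders, not real certificates, so only the splitting step runs offline.

```shell
#!/bin/sh
# Added example (not from the Oracle guide): save every certificate the load
# balancer presents, not only the first one, and import each under its own alias.
# Assumptions: the keystore list mirrors the one in the text; the PEM sample
# produced by sample_chain is constructed and is not a real, parseable certificate.

# Print the chain the load balancer serves, as a stream of PEM blocks.
# (Needs network access; not exercised by the offline demo.)
fetch_lb_chain() {
    openssl s_client -connect "$1" -servername "${1%%:*}" -showcerts </dev/null 2>/dev/null
}

# Split a PEM stream on stdin into $1/cert-NN.pem, one file per certificate,
# and print how many were written. cert-01.pem is the leaf certificate.
split_pem_bundle() {
    mkdir -p "$1"
    awk -v dir="$1" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%02d.pem", dir, n); incert = 1 }
        incert { print > f }
        /-----END CERTIFICATE-----/ { incert = 0; close(f) }
        END { print n + 0 }
    '
}

# Show the SHA-256 fingerprint of each saved certificate so it can be compared
# with what the load balancer administrator expects before anything is trusted.
# (Needs openssl and real certificates; not exercised by the offline demo.)
show_fingerprints() {
    for pem in "$1"/cert-*.pem; do
        printf '%s: ' "$(basename "$pem")"
        openssl x509 -in "$pem" -noout -fingerprint -sha256
    done
}

# Import every cert-NN.pem from $1 into each trust store listed in $2 (space
# separated). The alias "lb-cert-NN" makes the entries easy to list and remove.
# keytool prompts for the keystore password and for trust confirmation, as in the text.
# (Needs keytool and the keystore passwords; not exercised by the offline demo.)
import_pem_dir() {
    for pem in "$1"/cert-*.pem; do
        alias="lb-$(basename "$pem" .pem)"
        for ks in $2; do
            keytool -importcert -alias "$alias" -file "$pem" -trustcacerts -keystore "$ks"
        done
    done
}

# Constructed stand-in for fetch_lb_chain output: a leaf and its issuer.
sample_chain() {
    printf '%s\n' \
        'CONNECTED(00000003)' \
        '-----BEGIN CERTIFICATE-----' 'MIIBconstructedLeafCertBody==' '-----END CERTIFICATE-----' \
        '-----BEGIN CERTIFICATE-----' 'MIIBconstructedIssuerCertBody==' '-----END CERTIFICATE-----'
}

WORK=$(mktemp -d)
COUNT=$(sample_chain | split_pem_bundle "$WORK/lb-chain")
echo "saved $COUNT certificate(s) under $WORK/lb-chain"

# Real run, with the trust stores from the text (requires network, keytool and passwords):
# KEYSTORES="$JAVA_HOME/jre/lib/security/cacerts
#   SHARED_CONFIG_DIR/keystores/appTrustKeyStore-oimhost1vhn.mycompany.com.jks
#   SHARED_CONFIG_DIR/keystores/appTrustKeyStore-oimhost2vhn.mycompany.com.jks
#   SHARED_CONFIG_DIR/keystores/appTrustKeyStore-oimhost1.mycompany.com.jks
#   SHARED_CONFIG_DIR/keystores/appTrustKeyStore-oimhost2.mycompany.com.jks"
# fetch_lb_chain sso.mycompany.com:443 | split_pem_bundle SHARED_CONFIG_DIR/keystores/lb-chain
# show_fingerprints SHARED_CONFIG_DIR/keystores/lb-chain
# import_pem_dir SHARED_CONFIG_DIR/keystores/lb-chain "$KEYSTORES"
```

Importing only cert-01.pem reproduces the behaviour of the single-file command in the text; importing the issuer as well means a renewed leaf certificate from the same CA continues to validate without another round of keytool imports.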