Oracle® Fusion Middleware Administrator's Guide for Oracle Identity Navigator
11g Release 1 (11.1.1)
E15481-01

2 Managing Oracle Identity Navigator

This chapter describes the tasks performed by an enterprise administrator.

It contains the following topics:

  • Logging In as Administrator

  • Performing Initial Configuration

  • Configuring Single Sign-On

  • Configuring web.xml

  • Configuring Oracle Business Intelligence Publisher

  • Configuring Role-Based Access

  • Managing the Product Launcher

  • Configuring a Proxy to Access News Feeds

  • Migrating Oracle Identity Navigator from Test to Production

  • Troubleshooting

2.1 Logging In as Administrator

Log in as follows:

  1. Start the WebLogic Administration Server.

  2. Enter the following URL in a browser:

    http://host:port/oinav
    

    where port is the Administration Server port.

  3. Supply the Administrator Username and Password. The Administrator account must exist in the identity store and have the Oracle Identity Navigator Administrator role.

  4. Click Log In.

2.2 Performing Initial Configuration

As the Enterprise Administrator, perform the following tasks.

  1. Configure component categories. See "Managing the Product Launcher". Then add components manually or by using discovery. See "Adding a Component Link to the Product Launcher by Using Product Discovery".

  2. Configure BI Publisher. See "Configuring Oracle Business Intelligence Publisher".

  3. If Oracle Identity Navigator must go through a proxy to reach the Oracle news feeds (for example, because the feeds are outside your firewall), configure the proxy. See "Configuring a Proxy to Access News Feeds".

2.3 Configuring Single Sign-On

By default, the Oracle Access Manager agent provides single sign-on functionality for Oracle Identity Navigator and the following Identity Management consoles:

The Oracle Access Manager agent can only protect consoles in a single domain. If your environment spans multiple domains, you can use Oracle Access Manager 11g WebGate for Oracle HTTP Server 11g. To configure Oracle Identity Navigator for WebGate-based single sign-on, see the chapter "Integrating with Oracle Identity Navigator" in Oracle Access Manager Integration Guide.

2.4 Configuring web.xml

The web.xml file provides configuration and deployment information for a Web application, such as Oracle Identity Navigator. The Oracle Identity Navigator web.xml is in oinav.ear. The optional <user-data-constraint> element in web.xml can be used to specify a transport guarantee that prevents content from being transmitted insecurely. Within the <user-data-constraint> element, the <transport-guarantee> element defines how communication must be handled. There are three possible values for that element:

  • NONE: the application does not require any transport guarantee.

  • INTEGRAL: the data must not be changed in transit.

  • CONFIDENTIAL: the data must not be observed in transit.

In practice the container enforces INTEGRAL and CONFIDENTIAL the same way: a request for a constrained resource that arrives on the plain HTTP port is redirected to the SSL port.

Because Oracle Identity Navigator supports both SSL and non-SSL connections to component consoles, the <transport-guarantee> element within <user-data-constraint> in the Oracle Identity Navigator web.xml is set to a default value of NONE. That is, Oracle Identity Navigator does not, by default, enforce a transport guarantee, and the console can be reached over plain HTTP. If you want such a guarantee, change the <transport-guarantee> value within the <user-data-constraint> element to either INTEGRAL or CONFIDENTIAL, and make sure the server has an SSL listen port enabled so that the redirect has somewhere to go.
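As an added example (not code from the Oracle documentation or from oinav.ear), the following Python script shows the element structure described above and audits a web.xml for it: every <security-constraint> is reported with its effective <transport-guarantee>, and a constraint that omits <user-data-constraint> is reported as NONE, which is how the container treats it. The descriptor text and the resource names in it are constructed for the example; the Oracle Identity Navigator web.xml itself is not reproduced here.

```python
"""Audit the transport guarantee of every <security-constraint> in a web.xml.

Added example, not code from Oracle Identity Navigator or oinav.ear. The
sample descriptor below is constructed for illustration.
"""
import xml.etree.ElementTree as ET

# Constructed sample. The first constraint has no <user-data-constraint>,
# so the container applies NONE; the second requires CONFIDENTIAL, which
# makes the container redirect plain-HTTP requests for /faces/admin/* to SSL.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Console pages</web-resource-name>
      <url-pattern>/faces/*</url-pattern>
    </web-resource-collection>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin pages</web-resource-name>
      <url-pattern>/faces/admin/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>
"""

VALID_GUARANTEES = {"NONE", "INTEGRAL", "CONFIDENTIAL"}


def _local(tag):
    """Drop the namespace prefix so the code works for any web-app schema version."""
    return tag.rsplit("}", 1)[-1]


def _text(element):
    return (element.text or "").strip()


def transport_guarantees(web_xml_text):
    """Map each security-constraint (by its web-resource-name(s)) to its effective guarantee.

    A constraint without <user-data-constraint> is reported as NONE. The values
    are case-sensitive in the servlet specification, so anything else is rejected
    rather than silently treated as a guarantee.
    """
    root = ET.fromstring(web_xml_text)
    result = {}
    for constraint in root:
        if _local(constraint.tag) != "security-constraint":
            continue
        names, guarantee = [], "NONE"
        for child in constraint:
            if _local(child.tag) == "web-resource-collection":
                for grandchild in child:
                    if _local(grandchild.tag) == "web-resource-name":
                        names.append(_text(grandchild))
            elif _local(child.tag) == "user-data-constraint":
                for grandchild in child:
                    if _local(grandchild.tag) == "transport-guarantee":
                        guarantee = _text(grandchild)
        name = ", ".join(names) or "<unnamed>"
        if guarantee not in VALID_GUARANTEES:
            raise ValueError(f"invalid transport-guarantee {guarantee!r} for {name}")
        result[name] = guarantee
    return result


def plaintext_allowed(web_xml_text):
    """Names of the constraints that still accept requests over plain HTTP."""
    return sorted(n for n, g in transport_guarantees(web_xml_text).items() if g == "NONE")


if __name__ == "__main__":
    for name, guarantee in transport_guarantees(SAMPLE_WEB_XML).items():
        print(f"{name}: {guarantee}")
    print("plain HTTP accepted for:", plaintext_allowed(SAMPLE_WEB_XML))
```

Run it against the web.xml extracted from oinav.ear to see which resources remain reachable over plain HTTP after your change; a constraint listed by plaintext_allowed still needs a <user-data-constraint>.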

2.5 Configuring Oracle Business Intelligence Publisher

Oracle Identity Navigator has been integrated with Oracle BI Publisher. The interface supports stronger customization than BI Publisher alone. Using the Oracle Identity Navigator interface, each administrator can customize his or her Dashboard as needed. The report tree is less deep than with BI Publisher alone, so you can access reports with fewer clicks.


Note:

Only one Oracle Business Intelligence Publisher instance can be connected to an Oracle Identity Navigator instance.

2.5.1 Before You Create a Connection to BI Publisher

Before you attempt to create a connection between Oracle Identity Navigator and an instance of BI Publisher, you must install BI Publisher and configure report templates. Optionally, you can configure BI Publisher for SSL.

2.5.1.1 Installing BI Publisher

You must install the following components:

  • BI Publisher 10.1.3.4.1

  • Automated Release Update 12355706 (March 2010) or later


See Also:

Oracle Business Intelligence Publisher Installation Guide in the Oracle Business Intelligence Publisher Enterprise Version 10.1.3.4 Documentation Library for more information about installing Oracle BI Publisher.

2.5.1.2 Configuring BI Publisher Report Templates

Oracle Identity Management BI Publisher report templates are installed as zip files under Oracle home directories. For 11gR1 components, all the templates are in a single zip file. These are all Audit report templates.

For 11gR1+ components, the template zip files are in specific directories under the component Oracle homes. For example:

Component                        Directory Under Oracle Home
Oracle Adaptive Access Manager   oaam/reports
Oracle Access Manager            oam/server/reports
Oracle Identity Manager          server/reports

Copy and unzip audit report zip files to the audit report folder under the BI Publisher report root folder. Copy and unzip other report zip files to the BI Publisher report root folder. Use the BI Publisher web interface to configure data sources with report databases.


See Also:

  • Oracle Business Intelligence Publisher Administrator's and Developer's Guide in the Oracle Business Intelligence Publisher Enterprise Version 10.1.3.4 Documentation Library for more information about setting up report templates and data sources in Oracle BI Publisher.

  • The chapter "Using Audit Analysis and Reporting" in Oracle Fusion Middleware Security Guide.


2.5.1.3 Configuring BI Publisher for SSL (Optional)

If you plan to use an SSL connection between Oracle Identity Navigator and BI Publisher, you must configure BI Publisher for SSL, as described in "Configuring BI Publisher for Secure Socket Layer (SSL) Communication" in Oracle Business Intelligence Publisher Administrator's and Developer's Guide in the Oracle Business Intelligence Publisher Enterprise Version 10.1.3.4 Documentation Library.

In addition to configuring BI Publisher for SSL, you must provision a CA certificate to Oracle Identity Navigator so it can connect to BI Publisher through SSL. Proceed as follows:

  1. Import the BI Publisher CA certificate into the Oracle WebLogic Server trust store, using the keytool command. The keystore must be the trust store that the WebLogic Server instance is configured to use (shown on the Keystores tab for the server in the Administration Console); importing into any other file has no effect on the server.

     keytool -keystore trust_store -importcert -alias alias -file certificate_file
     
    

    For example:

     keytool -keystore truststore.jks -importcert -alias cacert -file cacert.cer
     
    

    Note that keytool -export writes a certificate out of a keystore; bringing one in requires -importcert (or its older spelling, -import). Because the certificate is a CA certificate, keytool prints its fingerprint and asks whether to trust it; compare the fingerprint with the one the BI Publisher administrator gives you before answering yes. You can confirm the import afterwards with the -list option.

    If Oracle Identity Navigator then fails to connect to BI Publisher with a hostname verification error, the host name in the BI Publisher server certificate does not match the host name you use in the connection. The reliable fix is a certificate issued for the name you connect to. As a workaround in test environments only, you can disable hostname verification by adding this flag to EXTRA_JAVA_PROPERTIES in the file setDomainEnv.sh:

    -Dweblogic.security.SSL.ignoreHostnameVerification=true
     
    

    With hostname verification disabled, WebLogic Server accepts any certificate signed by a trusted CA for any host, which removes the protection SSL gives against a server impersonating BI Publisher. Do not leave the flag set in production.

  2. Restart the WebLogic Server.


See Also:

Oracle Fusion Middleware Securing Oracle WebLogic Server for additional information about configuring SSL on the Oracle WebLogic Server.

2.5.2 Creating a Connection to BI Publisher

To create a connection, proceed as follows:

  1. Click the Administration tab.

  2. Expand BI Publisher.

  3. In the right pane, enter values for Host, Port, User, and Password.

  4. If you have configured Oracle Identity Navigator and BI Publisher to use an SSL connection, select SSL.

  5. Under Specify BI Publisher report components, click Create.

  6. Select a component and supply a name and path.

    To limit the connection entry to a subset of the reports available for the component, click the Finder icon and navigate to the desired path. You can have more than one path for a component. Using paths in this manner can reduce the amount of text associated with a report name on the Dashboard.

    Repeat for other components you want to add.

  7. Click Test to verify the connection information you have supplied. A dialog will verify that the connection has succeeded or tell you why it failed.

  8. If the test succeeds, click Apply to finish the configuration. If the test fails, consult the appropriate administrator at your site.

  9. To delete a component, select it and click Delete, then click Apply.

After BI Publisher has been configured, the My Reports section of the Dashboard page will contain the link Click here to create reports.


Note:

If you change the name or path of a component, the new name or path will apply to new reports. The reports that are already saved are not modified.

2.6 Configuring Role-Based Access

Oracle Identity Navigator supports two types of administrative role: the Oracle Identity Navigator administrator and the component administrators. Actions that an authenticated user can perform are based on the roles assigned.

Only the Oracle Identity Navigator administrator can see the Administration page. In some companies certain tasks might span the two roles.

By default, Oracle Identity Navigator maps the Oracle WebLogic Server Administrators group to its application administrator role, NavAdmin. You can create a different administration group name in the Oracle WebLogic Server console and map that group to the Oracle Identity Navigator administrator role using Authorization Policy Manager (APM).

The roles are implemented as groups that you configure using the WebLogic Server Administration Console, under Security Realms, Users and Groups. You must enable the groups that define the component administrator roles. Then you can add users and other groups to the predefined groups.

If Single Sign-on has been configured, when you access a console from the Product Launcher while logged in as an administrator for that component, or as Oracle Identity Navigator administrator, you are automatically authenticated.

2.6.1 Configuring Users and Groups in the Default Authenticator

This section describes how to configure users and groups that Oracle WebLogic Server stores in its default authenticator.

2.6.1.1 Enabling Predefined Component Administrator Groups

To enable predefined component administrator groups:

  1. Enter the Oracle WebLogic Server Administration console URL in a browser.

    http://hostname:port_number/console
    

    The port number is the number of the Administration Server. By default, the port number is 7001.

    The Login Page is displayed.

  2. Log in using the user name and password supplied during installation or another administrative user that you created.

    Oracle WebLogic Server Administration Console is displayed:

  3. Under Domain Structure, click Security Realms.

  4. Select the appropriate realm

  5. Click Users and Groups.

  6. Click Group.

  7. Click New.

  8. Provide the predefined name and a description.

    The predefined group names are:

    • OAAMadmin

    • OAMadmin

    • OIMadmin

    • DSAdmin

  9. Leave the Provider set to DefaultAuthenticator.

  10. Click Save.

    The new group appears on the Users and Groups Page.

2.6.1.2 Adding a User to a Predefined Administrative Group in the Default Authenticator

Next, add an administrative user to the group. If you need to create the user, proceed as follows:

  1. From the Users and Groups Page, click User.

  2. Click New.

  3. Provide a name, a description, and a password. Confirm the password.

  4. Click Save.

Assign the user to a group or groups as follows:

  1. From the User page, click the user's name.

  2. Use the arrows to assign the desired group or groups to the user.

  3. Click Save.

You can add an existing group to an administrative group. The procedure is the same, except that you click the group's name instead of a user's name.

2.6.1.3 Configuring an Existing Group to be a Component Administrator Group

If you already have a group defined, you can configure it to be a component administrator group in either of two ways.

  • Add the group to a predefined component administrator group. This is the preferred method.

  • Change the name of the predefined group using Authorization Policy Manager.

If you want to use names other than the predefined names for the groups that define component administrator roles, you can change the names by using the Authorization Policy Manager. See Oracle Fusion Middleware Authorization Policy Manager Administrator's Guide for more information.

2.6.2 Configuring Users and Groups for the OID Authentication Provider

If you configure Oracle Internet Directory as an authentication provider in addition to the Oracle WebLogic Server default provider, then to provision users and groups you must configure the OID authenticator in Oracle WebLogic Server and then manage users and groups in Oracle Internet Directory.

2.6.2.1 Configuring the OID Authenticator

To enable the OID Authenticator:

  1. Enter the Oracle WebLogic Server Administration console URL in a browser.

    http://hostname:port_number/console
    

    The port number is the number of the Administration Server. By default, the port number is 7001.

    The Login Page is displayed.

  2. Log in using the user name and password supplied during installation or another administrative user that you created.

    Oracle WebLogic Server Administration Console is displayed:

  3. Under Domain Structure, click Security Realms.

  4. Select the appropriate realm

  5. Click Providers.

  6. Click OIDAuthenticator.

  7. Click Provider Specific.

  8. On the Provider Specific page, specify the configuration information for your Oracle Internet Directory instance. The meaning of each term is provided on the Provider Specific page.

  9. Click Save.

2.6.2.2 Enabling Predefined Component Administrator Groups in the OID Authenticator

To enable predefined component administrator groups:

  1. Enter the Oracle WebLogic Server Administration console URL in a browser.

    http://hostname:port_number/console
    

    The port number is the number of the Administration Server. By default, the port number is 7001.

    The Login Page is displayed.

  2. Log in using the user name and password supplied during installation or another administrative user that you created.

    Oracle WebLogic Server Administration Console is displayed:

  3. Under Domain Structure, click Security Realms.

  4. Select the appropriate realm

  5. Click Users and Groups.

  6. Click Group.

  7. Click New.

  8. Provide the predefined name and a description.

    The predefined group names are:

    • OAAMadmin

    • OAMadmin

    • OIMadmin

    • DSAdmin

  9. Select OIDAuthenticator in the Provider list.

  10. Click Save.

    The new group appears on the Users and Groups Page.

2.6.2.3 Adding a User to a Predefined Administrative Group in the OID Authenticator

Next, add an administrative user to the group. If you need to create the user, proceed as follows:

  1. From the Users and Groups Page, click User.

  2. Click New.

  3. Provide a name, a description, and a password. Confirm the password.

  4. Select OIDAuthenticator in the Provider list, so that the user is created in the same provider as the group. A user in one authentication provider cannot be made a member of a group that belongs to another provider.

  5. Click Save.

Assign the user to a group or groups as follows:

  1. From the User page, click the user's name.

  2. Use the arrows to assign the desired group or groups to the user.

  3. Click Save.

You can add an existing group to an administrative group. The procedure is the same, except that you click the group's name instead of a user's name.

2.6.2.4 Configure Users and Groups in Oracle Internet Directory

Use Oracle Directory Services Manager to create the groups, then create users and add them as members of the groups. In addition to the component administrator groups, you must add the Administrators group for Oracle Identity Navigator administrators.

You must add the following groups under the group base DN:

  • Administrators

  • OAAMAdmin

  • OAMAdmin

  • OIMAdmin

  • DSAdmin

Users or groups that are members of those Oracle Internet Directory groups then have appropriate access privileges to Oracle Identity Navigator.

Add users under the user base DN and add groups under the group base DN specified in the OID authenticator configuration.

For more information, see the chapters "Managing Directory Entries" and "Managing Dynamic and Static Groups" in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.

2.7 Managing the Product Launcher

As Administrator, you can modify the list of categories and components that appear on the Product Launcher.

You can add components within a category using either of two methods: product discovery, which finds the consoles deployed in a domain, or manual registration of a link.

2.7.1 Adding a Component Link to the Product Launcher by Using Product Discovery

From the Administration tab, you can use product discovery to discover all active J2EE components in the domain, including the Oracle WebLogic Server console and Oracle Enterprise Manager Fusion Middleware Control.

  1. Click the Administration tab.

  2. Under Product Registration, select Discover Product(s). The Domain Selection page of the product discovery wizard appears in the right pane.

  3. Specify the Host, Port, User, and Password for the server from which you want to discover components. If you are using the SSL port, select SSL.

    Click Next.

  4. On the Available Products page, select the component consoles you want to add to Oracle Identity Navigator. For each console you select, specify a Display Name. If a category has not been selected automatically, select a category from the Category list.

    Click Next.

  5. On the Product Removed page, you can optionally select previously discovered components to remove.

    Click Next.

  6. Review the status of the links on the Confirmation page. If necessary, click Back and correct any errors. When the Confirmation page is correct, click Finish.

2.7.2 Adding a Link to the Product Launcher Without Product Discovery

Add a link as follows:

  1. Click the Administration tab.

  2. Under Product Registration, click the Create Product Link icon or select Create Product Link from the Actions list.

  3. In the New Product Registration dialog, select the type of component you want to add.

  4. Provide values for Category, Display Name, Type, Version, Host, Port, and URL.

  5. Click OK to add the link or Cancel to abandon adding the link.

2.7.3 Editing a Link

Edit a link as follows:

  1. Click the Administration tab.

  2. Under Product Registration, click the product you want to edit.

  3. On the Product Registration screen, make the desired changes.

  4. Click Apply to apply the changes or Revert to remove the changes you have made.

2.7.4 Removing a Link

  1. Click the Administration tab.

  2. Under Product Registration, highlight the item you want to remove.

  3. Click the Delete Product Link icon or select Delete Product Link from the Actions list.

  4. In the Confirmation dialog, click OK to proceed or click Cancel to cancel the deletion.

You can also use the product discovery interface to delete several links at once.

2.7.5 Adding a Category

Add a component category as follows:

  1. Click the Administration tab.

  2. Under Product Registration, select Create Category from the Actions list.

  3. In the right pane, enter the component category name.

  4. Click Save.

  5. Verify that the new category has been added to the left pane.

2.7.6 Editing a Category

Edit a category as follows:

  1. Click the Administration tab.

  2. Under Product Registration, select a product category. The product category information appears in the right pane.

  3. Make the desired changes.

  4. Click Apply.

2.7.7 Removing a Product Category

Remove a category as follows:

  1. Click the Administration tab.

  2. Under Product Registration, select a product category. The product category information appears in the right pane.

  3. Select Delete Category from the Actions list.

  4. Click OK in the confirmation dialog.

2.8 Configuring a Proxy to Access News Feeds

You might need to specify a proxy so that Oracle Identity Navigator can access Oracle news feeds from inside your firewall. You do this by adding lines to the setDomainEnv script, which is in the bin directory of your WebLogic domain. For example:

user_projects/domains/base_domain/bin/setDomainEnv.sh

The file name is setDomainEnv.sh on Linux and UNIX systems and setDomainEnv.cmd on Windows systems. The script sets the domain-wide environment variables for starting and running a WebLogic Server instance. It is invoked by the startWebLogic and stopWebLogic commands.

At a minimum, you must add the following properties to EXTRA_JAVA_PROPERTIES in the setDomainEnv file:

-Dhttp.proxyHost=proxy_server_host 
-Dhttp.proxyPort=proxy_server_port 
-Dhttp.nonProxyHosts=non_proxy_hosts

For example, with a proxy at www-proxy.mycompany.com listening on port 80 and two internal hosts that must be reached directly, you would add the following lines to the setDomainEnv.sh file on the WebLogic Administration Server:

EXTRA_JAVA_PROPERTIES="-Dhttp.proxyHost=www-proxy.mycompany.com -Dhttp.proxyPort=80 -Dhttp.nonProxyHosts=stajz18.mycompany.com|adc2170219.mycompany.com ${EXTRA_JAVA_PROPERTIES}"
export EXTRA_JAVA_PROPERTIES

Keep the value in double quotes as shown; outside quotes the | that separates http.nonProxyHosts entries is a pipe to the shell. The http.* properties apply only to plain HTTP URLs: if a feed is fetched over HTTPS, set https.proxyHost and https.proxyPort as well (http.nonProxyHosts covers both). Any internal host that the JVM must reach over HTTP without the proxy belongs in http.nonProxyHosts; otherwise those requests are sent to the proxy too.

For completeness, you can also add the following additional lines:

-DftpProxyHost=ftp_host
-DftpProxyPort=FTP_proxy_server_port
-DsocksProxyHost=SOCKS_proxy_server_host
-DsocksProxyPort=SOCKS_proxy_server_port

You must restart WebLogic Administration Server for the changes to take effect.
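The following Python script is an added example, not part of the Oracle documentation: it reads the -D properties from the EXTRA_JAVA_PROPERTIES line above and works out, for a given URL, whether the JVM will connect directly or through the proxy, following the rules the JDK applies to http.nonProxyHosts (patterns separated by |, * honoured as a wildcard at the start or end of a pattern, case-insensitive matching, plus the loopback names the JDK appends on its own). The setDomainEnv line, the feed URL and the loopback list are the example's constructed inputs and its reading of the JDK defaults, not values taken from Oracle Identity Navigator.

```python
"""Work out which URLs the WebLogic JVM will send through the HTTP proxy.

Added example, not code from Oracle Identity Navigator. It parses the
-D properties in an EXTRA_JAVA_PROPERTIES line and mirrors the JDK rules
for http.nonProxyHosts. All inputs below are constructed for the example.
"""
from urllib.parse import urlsplit

# Constructed input: the line from the setDomainEnv.sh example above.
SETDOMAINENV_LINE = (
    'EXTRA_JAVA_PROPERTIES="-Dhttp.proxyHost=www-proxy.mycompany.com '
    '-Dhttp.proxyPort=80 '
    '-Dhttp.nonProxyHosts=stajz18.mycompany.com|adc2170219.mycompany.com '
    '${EXTRA_JAVA_PROPERTIES}"'
)

# Loopback patterns the JDK appends to any non-empty http.nonProxyHosts
# (the example's reading of sun.net.spi.DefaultProxySelector).
JDK_DEFAULT_NON_PROXY = "localhost|127.*|[::1]|0.0.0.0|[::0]"


def java_properties(line):
    """Return the -Dkey=value pairs from an EXTRA_JAVA_PROPERTIES="..." assignment."""
    _, _, rhs = line.partition("=")
    props = {}
    for token in rhs.strip().strip('"').split():
        if token.startswith("-D") and "=" in token:
            key, _, value = token[2:].partition("=")
            props[key] = value
    return props


def host_matches(host, pattern):
    """One nonProxyHosts pattern: '*' is a wildcard only at the start or end."""
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("*") and pattern.endswith("*"):
        return pattern[1:-1] in host
    if pattern.startswith("*"):
        return host.endswith(pattern[1:])
    if pattern.endswith("*"):
        return host.startswith(pattern[:-1])
    return host == pattern


def bypasses_proxy(host, non_proxy_hosts):
    """True if the host is excluded by the configured patterns or the JDK defaults."""
    patterns = (non_proxy_hosts + "|" + JDK_DEFAULT_NON_PROXY).split("|")
    return any(host_matches(host, p) for p in patterns if p)


def route_for(url, props):
    """Return ('proxy', host, port) or ('direct',) for url, as the JVM would decide."""
    parts = urlsplit(url)
    scheme, host = parts.scheme.lower(), parts.hostname or ""
    if ":" in host:
        host = f"[{host}]"  # Java keeps the brackets on IPv6 literals
    if bypasses_proxy(host, props.get("http.nonProxyHosts", "")):
        return ("direct",)
    # HTTPS is governed by https.proxyHost/https.proxyPort, not by http.proxyHost;
    # with only http.* set, an https:// feed is fetched directly (and may be blocked).
    proxy_host = props.get(f"{scheme}.proxyHost")
    if not proxy_host:
        return ("direct",)
    default_port = 443 if scheme == "https" else 80
    return ("proxy", proxy_host, int(props.get(f"{scheme}.proxyPort", default_port)))


if __name__ == "__main__":
    props = java_properties(SETDOMAINENV_LINE)
    for url in ("http://www.oracle.com/rss/feed.xml",   # assumed feed URL, not from the page
                "https://www.oracle.com/rss/feed.xml",
                "http://stajz18.mycompany.com:7001/oinav",
                "http://127.0.0.1:7001/console"):
        print(url, "->", route_for(url, props))
```

Paste your own EXTRA_JAVA_PROPERTIES line into SETDOMAINENV_LINE and list the feed URLs and console URLs the server actually uses; any internal URL that comes back as ('proxy', ...) is leaking to the proxy, and any external https:// URL that comes back as ('direct',) will not get through a firewall that only allows proxied traffic.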

2.9 Migrating Oracle Identity Navigator from Test to Production

This section describes how to migrate Oracle Identity Navigator from one domain to another.

  1. Install and Configure Oracle Identity Navigator in a domain, such as dom1.

  2. Run wlst.sh:

    ORACLE_COMMON_HOME/common/bin/wlst.sh
    
  3. Connect to the administration server in dom1 using wlst. Passing the password as an argument leaves it in the shell history and in any script you save; prefer calling connect() with no arguments so that wlst prompts for the credentials, or use a user configuration file and key file created with storeUserConfig(). With the password given inline, the command is:

    connect('weblogic','password','t3://admin_server_host:admin_server_port')
    

    For example:

    connect('weblogic','password','t3://stads75:7001') 
    
  4. Export Oracle Identity Navigator metadata from the domain to an export directory:

    exportMetadata(application='oinav',server='AdminServer',toLocation='export_directory')
    

    where export_directory is the location you want to export the metadata to.

  5. Install and configure Oracle Identity Navigator in a domain, such as dom2.

  6. Run wlst.sh and connect to the administration server in dom2, using the same commands you used for dom1.

  7. To migrate Oracle Identity Navigator metadata from dom1 to dom2, use the following import command:

    importMetadata(application='oinav', server='AdminServer', fromLocation='export_directory')
    
  8. Restart the servers in dom2.


Note:

This procedure does not migrate the Oracle BI Publisher user password or the SSL certificate information. These need to be configured again for the new instance.


See Also:

The chapter "Moving from a Test to a Production Environment" in Oracle Fusion Middleware Administrator's Guide for complete information about migrating Oracle Fusion Middleware components.

2.10 Troubleshooting

This section describes some problems that you could encounter while configuring or using Oracle Identity Navigator.

2.10.1 Cannot Access Oracle Identity Navigator in Browser

Problem

You enter the URL for Oracle Identity Navigator into a browser and attempt to access it. You receive an error message.

Solution

In a dual-stack, IPv4 and IPv6 environment, some URLs might be inaccessible from your browser. Consult your network administrator for more information.

2.10.2 Report Problems

Problem

You cannot create a connection to BI Publisher.

Solution

Make sure the Oracle WebLogic Server and BI Publisher server are running.

Problem

You cannot create or run a report

Solution

Remember that different login accounts might have different roles. If you log in as a user who does not have the Oracle Access Manager administrator role, for example, you will not be able to create Oracle Access Manager reports.

Make sure the Oracle WebLogic Server, BI Publisher server, and Oracle Database are running.

You can access BI Publisher reports from BI Publisher itself. Doing so can help you determine whether a configuration problem is due to Oracle Identity Navigator or BI Publisher.

Consult Oracle WebLogic Server logs.

Problem

You cannot view PDF reports with Adobe Reader in a browser.

Solution

Either upgrade to a newer version of Reader or configure Reader to run directly, not as an embedded function within the browser. See your Adobe Reader documentation for more information.

Problem

You cannot view a report in MHTML format.

Solution

Open the report in HTML format.