10 Preparing Identity and Policy Stores

This chapter describes how to prepare the Identity and Policy Stores.

10.1 Backing up the LDAP Directories

The procedures described in this chapter change the configuration of the LDAP directories that host the Identity and Policy Stores. Before performing any of these tasks, back up your LDAP directories. See Section 7.7, "Backing up the Oracle Internet Directory Configuration" and Section 9.10, "Backing Up the Oracle Virtual Directory Configuration" for more information.

10.2 Prerequisites

Before proceeding, ensure that the following statements are true:

  • Oracle Identity Management 11g (11.1.1.5) is installed on IDMHOST1.

  • Oracle Internet Directory is installed and configured (if required).

  • Non-Oracle Internet Directory directories are installed and available (if required).

  • Oracle Virtual Directory is installed and configured.

10.3 Preparing the OPSS Policy Store

This section describes how to prepare the Oracle Platform Security Services Policy Store.

Before you can use the Policy Store, you must prepare it. This involves creating a JPS root context in the Policy Store directory, together with the users and groups required to access the Policy Store, and then reassociating the domain's internal Policy Store with the external LDAP Policy Store.

10.3.1 Creating Policy Store Users and the Policy Container

Perform the following tasks on IDMHOST1:

  1. Set the environment variables: MW_HOME, JAVA_HOME, IDM_HOME, and ORACLE_HOME.

    Set IDM_HOME to IDM_ORACLE_HOME

    Set ORACLE_HOME to IAM_ORACLE_HOME

    Set MW_HOME to MW_HOME.

    Set JAVA_HOME to MW_HOME/jrockit-jdk1.6.0.

  2. Create a properties file, called policystore.props with the following contents:

    POLICYSTORE_HOST: policystore.mycompany.com
    POLICYSTORE_PORT: 389
    POLICYSTORE_BINDDN: cn=orcladmin
    POLICYSTORE_READONLYUSER: PolicyROUser
    POLICYSTORE_READWRITEUSER: PolicyRWUser
    POLICYSTORE_SEARCHBASE: dc=mycompany,dc=com
    POLICYSTORE_CONTAINER: cn=jpsroot
    

    Where:

    • POLICYSTORE_HOST and POLICYSTORE_PORT are, respectively, the host and port of your Policy Store directory.

    • POLICYSTORE_BINDDN is an administrative user in the Policy Store directory.

    • POLICYSTORE_READONLYUSER and POLICYSTORE_READWRITEUSER are the names of the users you want to create in the Policy Store with read-only and read/write privileges, respectively.

    • POLICYSTORE_SEARCHBASE is the location in the directory where Users and Groups are stored.

    • POLICYSTORE_CONTAINER is the name of the container used for OPSS policy information.

    In addition to creating the users, the tool creates the groups OrclPolicyAndCredentialReadPrivilegeGroup and OrclPolicyAndCredentialWritePrivilegeGroup, then adds POLICYSTORE_READONLYUSER as a member of OrclPolicyAndCredentialReadPrivilegeGroup and POLICYSTORE_READWRITEUSER as a member of OrclPolicyAndCredentialWritePrivilegeGroup.

  3. Configure the Policy Store using the command idmConfigTool which is located at:

    IAM_ORACLE_HOME/idmtools/bin

    Note:

    When you run the idmConfigTool, it creates or appends to the file idmDomainConfig.param. This file is generated in the same directory that the idmConfigTool is run from. To ensure that each time the tool is run, the same file is appended to, always run the idmConfigTool from the directory:

    IAM_ORACLE_HOME/idmtools/bin

    The syntax of the command on Linux is:

    idmConfigTool.sh -configPolicyStore input_file=configfile
    

    The syntax on Windows is:

    idmConfigTool.bat -configPolicyStore input_file=configfile
    

    For example:

    idmConfigTool.sh -configPolicyStore input_file=policystore.props
    

    When the command runs, you are prompted to enter the password of the account with which you connect to the Policy Store. You are also asked to specify the passwords you want to assign to the following accounts:

    • POLICYSTORE_READONLYUSER

    • POLICYSTORE_READWRITEUSER

    Sample command output:

    Enter Policy Store Bind DN password: 
    *** Creation of PolicyROUser ***
    Apr 5, 2011 4:23:49 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: 
     /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/policystore_user.ldif
    Enter User Password for PolicyROUser: 
    Confirm User Password for PolicyROUser: 
    *** Creation of PolicyRWUser ***
    Apr 5, 2011 4:23:58 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: 
     /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/policystore_user.ldif
    Enter User Password for PolicyRWUser: 
    Confirm User Password for PolicyRWUser: 
    Apr 5, 2011 4:24:07 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: 
     /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/policystore_group.ldif
    Apr 5, 2011 4:24:07 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: 
     /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/policystore_container.ldif
    Apr 5, 2011 4:24:07 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: 
     /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/policystore_group_read_member.ldif
    Apr 5, 2011 4:24:07 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: 
     /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/policystore_group_write_member.ldif
    Apr 5, 2011 4:24:07 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: 
     /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/policystore_tuning.ldif
    Apr 5, 2011 4:24:07 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: 
     /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/oid_schemaadmin.ldif
    Apr 5, 2011 4:24:07 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: 
     /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/policystore_user_aci.ldif
    The tool has completed its operation. Details have been logged to /home/oracle/idmtools/automation.log
    
  4. Check the log file for any errors or warnings and correct them. The file automation.log is created in the directory from which you run the tool.
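    The two checks that bracket this procedure, validating policystore.props before the tool runs and scanning automation.log afterwards (step 4), can be scripted. The following is an added example and is not part of the Oracle guide or the idmConfigTool distribution; the key names are the ones documented above, the sample log lines are constructed for the example, and parse_props, check_policystore_props and find_log_problems are this example's own helper names. The same parser reads the IDSTORE_* property files used later in this chapter.

```python
"""Added example, not from the Oracle guide: sanity-check policystore.props
before running idmConfigTool -configPolicyStore, then scan the automation.log
it writes. The key names are the ones the guide documents; the sample log
lines below are constructed for the example."""
import re

# Keys the guide lists for -configPolicyStore; the tool needs all of them.
POLICYSTORE_KEYS = (
    "POLICYSTORE_HOST", "POLICYSTORE_PORT", "POLICYSTORE_BINDDN",
    "POLICYSTORE_READONLYUSER", "POLICYSTORE_READWRITEUSER",
    "POLICYSTORE_SEARCHBASE", "POLICYSTORE_CONTAINER",
)

# Constructed sample: the values shown in the guide's policystore.props.
SAMPLE_PROPS = """\
POLICYSTORE_HOST: policystore.mycompany.com
POLICYSTORE_PORT: 389
POLICYSTORE_BINDDN: cn=orcladmin
POLICYSTORE_READONLYUSER: PolicyROUser
POLICYSTORE_READWRITEUSER: PolicyRWUser
POLICYSTORE_SEARCHBASE: dc=mycompany,dc=com
POLICYSTORE_CONTAINER: cn=jpsroot
"""

# Constructed sample log in java.util.logging's two-line record format, with
# one WARNING (a re-run against a directory where the user already exists).
SAMPLE_LOG = """\
Apr 5, 2011 4:23:49 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/policystore_user.ldif
Apr 5, 2011 4:23:50 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
WARNING: entry already exists: cn=PolicyROUser,cn=Users,dc=mycompany,dc=com
Apr 5, 2011 4:24:07 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/policystore_container.ldif
"""


def parse_props(text):
    """Parse idmConfigTool 'KEY: value' lines into a dict.
    Blank lines and '#' comments are ignored; surrounding whitespace is
    stripped but the value itself (a DN, a host name) is kept verbatim."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed property line: %r" % raw)
        props[key.strip()] = value.strip()
    return props


def check_policystore_props(props):
    """Return a list of problems; an empty list means the file looks usable."""
    problems = []
    for key in POLICYSTORE_KEYS:
        if not props.get(key):
            problems.append("missing or empty %s" % key)
    port = props.get("POLICYSTORE_PORT", "")
    if not (port.isdigit() and 1 <= int(port) <= 65535):
        problems.append("POLICYSTORE_PORT is not a TCP port: %r" % port)
    container = props.get("POLICYSTORE_CONTAINER", "")
    if not re.fullmatch(r"cn=[^,=]+", container, re.IGNORECASE):
        problems.append("POLICYSTORE_CONTAINER should be a single cn= RDN: %r" % container)
    ro = props.get("POLICYSTORE_READONLYUSER")
    if ro and ro == props.get("POLICYSTORE_READWRITEUSER"):
        problems.append("read-only and read/write users must be distinct accounts")
    return problems


def find_log_problems(log_text):
    """Return the WARNING/SEVERE records and any stack-trace lines from an
    automation.log, which is what step 4 asks you to look for."""
    return [line.rstrip() for line in log_text.splitlines()
            if line.startswith(("WARNING:", "SEVERE:")) or "Exception" in line]


if __name__ == "__main__":
    import sys
    # Usage: python check_policystore.py policystore.props [automation.log]
    props_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PROPS
    for problem in check_policystore_props(parse_props(props_text)):
        print("props:", problem)
    log_text = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_LOG
    for line in find_log_problems(log_text):
        print("log:", line)
```

    Run it from IAM_ORACLE_HOME/idmtools/bin, where the guide says automation.log is written, so that the log it scans is the one produced by the run you have just made.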

See Also:

Oracle Fusion Middleware Integration Overview for Oracle Identity Management Suite for more information about the idmConfigTool command.

10.3.2 Reassociating the Policy and Credential Store

To reassociate the policy and credential store with Oracle Internet Directory, use the WLST reassociateSecurityStore command. Follow these steps:

  1. From IDMHOST1, start the wlst shell from the ORACLE_COMMON_HOME/common/bin directory. For example, on Linux and UNIX-based systems, you would type:

    ./wlst.sh
    

    On Windows you would type:

    ./wlst.cmd
    
  2. Connect to the WebLogic Administration Server using the following wlst connect command.

    connect("AdminUser","AdminUserPassword","t3://hostname:port")
    

    For example:

    connect("weblogic","admin_password","t3://ADMINVHN.mycompany.com:7001")
    
  3. Run the reassociateSecurityStore command as follows:

    Syntax:

    reassociateSecurityStore(domain="domainName",admin="cn=orcladmin",
    password="orclPassword",ldapurl="ldap://LDAPHOST:LDAPPORT",servertype="OID",
    jpsroot="cn=jpsRootContainer")
    

    Note:

    The admin value is the DN of the LDAP administrator, that is, the user that has administrative level privileges to the Oracle Internet Directory instance that is used as the Policy Store.

    For example:

    wls:/IDMDomain/serverConfig> reassociateSecurityStore(domain="IDMDomain",
    admin="cn=orcladmin",password="password",
    ldapurl="ldap://policystore.mycompany.com:389",servertype="OID",
    jpsroot="cn=jpsroot")
    

    The output for the command is as follows:

    {servertype=OID, jpsroot=cn=jpsroot, admin=cn=orcladmin,
    domain=IDMDomain, ldapurl=ldap://policystore.mycompany.com:389, password=password}
    Location changed to domainRuntime tree. This is a read-only tree with
    DomainMBean as the root.
    For more help, use help(domainRuntime)
    
    Starting policy store reassociation.
    The store and ServiceConfigurator setup done.
    Schema is seeded into the store
    Data is migrated to the store
    Data in the store after migration has been tested to be available
    Update of in-memory jps configuration is done
    Policy store reassociation done.
    Starting credential store reassociation
    The store and ServiceConfigurator setup done.
    Schema is seeded into the store
    Data is migrated to the store
    Data in the store after migration has been tested to be available
    Update of in-memory jps configuration is done
    Credential store reassociation done
    Starting Keystore reassociation
    The store and ServiceConfigurator setup done.
    Schema is seeded into the store
    Data is migrated to the store
    Data in the store after migration has been tested to be available
    Update of in-memory jps configuration is done
    Keystore reassociation done
    Jps Configuration has been changed. Please restart the application server.
    
  4. Restart the WebLogic Administration Server, as described in Section 20.1, "Starting and Stopping Oracle Identity Management Components," after the command completes successfully.
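    The reassociation arguments above must agree with what step 10.3.1 created: jpsroot is the POLICYSTORE_CONTAINER, admin is the POLICYSTORE_BINDDN, and ldapurl is built from POLICYSTORE_HOST and POLICYSTORE_PORT. The following added example (not part of the Oracle guide or of WLST) derives the call from those values and then checks a saved WLST transcript for the three completion lines and the restart notice shown in the sample output. reassociate_args, wlst_command, verify_reassociation and the OID_ADMIN_PASSWORD variable are this example's own; reading the password through os.environ inside WLST assumes WLST's Jython exposes it. Note that the sample output above echoes the argument dictionary, including password=password, so a password typed into the command line also lands in the transcript.

```python
"""Added example, not from the Oracle guide: build the reassociateSecurityStore()
call from the same policystore.props values idmConfigTool consumed, so jpsroot
and ldapurl cannot drift from the container and directory that were prepared,
and confirm from the WLST transcript that all three stores were reassociated."""

# The three completion markers that appear in the guide's WLST output.
REASSOCIATION_DONE = (
    "Policy store reassociation done",
    "Credential store reassociation done",
    "Keystore reassociation done",
)
RESTART_MARKER = "Jps Configuration has been changed. Please restart the application server."


def reassociate_args(props, domain, use_ldaps=False):
    """Derive the keyword arguments for reassociateSecurityStore() from a parsed
    policystore.props (a dict of its KEY: value pairs). admin and jpsroot reuse
    POLICYSTORE_BINDDN and POLICYSTORE_CONTAINER; the password is left out on
    purpose and supplied at run time."""
    scheme = "ldaps" if use_ldaps else "ldap"
    return {
        "domain": domain,
        "admin": props["POLICYSTORE_BINDDN"],
        "ldapurl": "%s://%s:%s" % (scheme, props["POLICYSTORE_HOST"], props["POLICYSTORE_PORT"]),
        "servertype": "OID",
        "jpsroot": props["POLICYSTORE_CONTAINER"],
    }


def wlst_command(args, password_var="OID_ADMIN_PASSWORD"):
    """Render the WLST statement. The password is read inside WLST from an
    environment variable (assumption: WLST's Jython exposes os.environ) instead
    of being typed on the command line, which the guide's transcript shows being
    echoed back in clear text in the argument dump."""
    return ('reassociateSecurityStore(domain="%s",admin="%s",password=os.environ["%s"],'
            'ldapurl="%s",servertype="%s",jpsroot="%s")'
            % (args["domain"], args["admin"], password_var,
               args["ldapurl"], args["servertype"], args["jpsroot"]))


def verify_reassociation(transcript):
    """Return (missing, restart_required): the completion markers that did not
    appear in the transcript, and whether WLST asked for a server restart."""
    missing = [marker for marker in REASSOCIATION_DONE if marker not in transcript]
    return missing, RESTART_MARKER in transcript


# Constructed sample: policystore.props values as parsed, and a transcript
# abridged from the output format shown in the guide.
SAMPLE_PROPS = {
    "POLICYSTORE_HOST": "policystore.mycompany.com",
    "POLICYSTORE_PORT": "389",
    "POLICYSTORE_BINDDN": "cn=orcladmin",
    "POLICYSTORE_CONTAINER": "cn=jpsroot",
}
SAMPLE_TRANSCRIPT = """\
Starting policy store reassociation.
Data in the store after migration has been tested to be available
Policy store reassociation done.
Starting credential store reassociation
Credential store reassociation done
Starting Keystore reassociation
Keystore reassociation done
Jps Configuration has been changed. Please restart the application server.
"""

if __name__ == "__main__":
    print(wlst_command(reassociate_args(SAMPLE_PROPS, "IDMDomain")))
    missing, restart = verify_reassociation(SAMPLE_TRANSCRIPT)
    print("missing:", missing, "restart required:", restart)
```

    Paste the rendered statement into the wlst shell after the connect command (with `import os` first), or save it as a script for wlst.sh; a non-empty missing list means a store was not reassociated and the server should not be restarted until the cause is found in the WLST output.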

10.4 Preparing the Identity Store

This section describes how to prepare the Identity Store.

10.4.1 Extending Directory Schema for Oracle Access Manager

Pre-configuring the Identity Store extends the schema in Oracle Internet Directory.

Note:

You do not need to preconfigure the Identity Store unless you are using Oracle Access Manager or Oracle Identity Manager.

To do this, perform the following tasks on IDMHOST1:

  1. Set the environment variables: MW_HOME, JAVA_HOME, IDM_HOME and ORACLE_HOME.

    Set IDM_HOME to IDM_ORACLE_HOME

    Set ORACLE_HOME to IAM_ORACLE_HOME

  2. Create a properties file, called extend.props with the following contents:

    IDSTORE_HOST: idstore.mycompany.com
    IDSTORE_PORT: 389
    IDSTORE_BINDDN: cn=orcladmin
    IDSTORE_USERNAMEATTRIBUTE: cn
    IDSTORE_LOGINATTRIBUTE: uid
    IDSTORE_USERSEARCHBASE: cn=Users,dc=mycompany,dc=com
    IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=mycompany,dc=com
    IDSTORE_SEARCHBASE: dc=mycompany,dc=com
    IDSTORE_SYSTEMIDBASE: cn=systemids,dc=mycompany,dc=com
    

    Where:

    • IDSTORE_HOST and IDSTORE_PORT are, respectively, the host and port of your Identity Store directory. If you are using a non-OID directory, then specify the Oracle Virtual Directory host (which should be IDSTORE.mycompany.com). If your Identity Store is in Oracle Internet Directory, then IDSTORE_HOST should point to Oracle Internet Directory, even if you are fronting Oracle Internet Directory with Oracle Virtual Directory.

    • IDSTORE_BINDDN is an administrative user in the Identity Store directory.

    • IDSTORE_USERSEARCHBASE is the location in the directory where users are stored.

    • IDSTORE_GROUPSEARCHBASE is the location in the directory where groups are stored.

    • IDSTORE_SEARCHBASE is the location in the directory where users and groups are stored.

    • IDSTORE_SYSTEMIDBASE is the location of a container in the directory where users can be placed when you do not want them in the main user container. This is rarely needed, but one example is the Oracle Identity Manager reconciliation user, which is also used as the bind DN user in Oracle Virtual Directory adapters.

    • IDSTORE_USERNAMEATTRIBUTE is the LDAP attribute that contains the user name. This is usually cn.

    • IDSTORE_LOGINATTRIBUTE is the LDAP attribute that contains the user's login name.

  3. Configure the Identity Store by using the command idmConfigTool, which is located at:

    IAM_ORACLE_HOME/idmtools/bin

    Note:

    When you run the idmConfigTool, it creates or appends to the file idmDomainConfig.param. This file is generated in the same directory that the idmConfigTool is run from. To ensure that each time the tool is run, the same file is appended to, always run the idmConfigTool from the directory:

    IAM_ORACLE_HOME/idmtools/bin

    The syntax of the command on Linux is:

    idmConfigTool.sh -preConfigIDStore input_file=configfile 
    

    The syntax on Windows is:

    idmConfigTool.bat -preConfigIDStore input_file=configfile 
    

    For example:

    idmConfigTool.sh -preConfigIDStore input_file=extend.props
    

    When the command runs, you are prompted to enter the password of the account you are connecting to the Identity Store with.

    Sample command output, when running the command against Oracle Virtual Directory:

    Enter ID Store Bind DN password:
    May 25, 2011 2:37:18 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/idm_idstore_groups_template.ldif
    May 25, 2011 2:37:18 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/idm_idstore_groups_acl_template.ldif
    May 25, 2011 2:37:18 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/systemid_pwdpolicy.ldif
    May 25, 2011 2:37:18 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/idstore_tuning.ldif
    May 25, 2011 2:37:18 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/oid_schema_extn.ldif
    May 25, 2011 2:37:19 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/oam/server/oim-intg/schema/OID_oblix_pwd_schema_add.ldif
    May 25, 2011 2:37:19 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/oam/server/oim-intg/schema/OID_oim_pwd_schema_add.ldif
    May 25, 2011 2:37:19 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/oam/server/oim-intg/schema/OID_oblix_schema_add.ldif
    May 25, 2011 2:37:34 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/oam/server/oim-intg/schema/OID_oblix_schema_index_add.ldif
    The tool has completed its operation. Details have been logged to automation.log
    
  4. Check the log file for any errors or warnings and correct them. The file with the name automation.log is created in the directory from where you run the tool.
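    The IDSTORE_* search bases described in step 2 are related: the user, group and system-ID containers all sit under IDSTORE_SEARCHBASE, and IDSTORE_SYSTEMIDBASE is deliberately outside the main user container. The following is an added example, not part of the Oracle guide or of idmConfigTool, that checks those relationships in an extend.props file before the tool writes to the directory; the same IDSTORE_* keys appear in the oam.props, oaam.props, oim.props and wls.props files later in this section, so the check applies to them too. parse_dn, is_under, parse_props and check_idstore_bases are this example's own helpers, and the sample file is constructed from the values shown above.

```python
"""Added example, not from the Oracle guide: verify that the IDSTORE_* search
bases in an idmConfigTool property file form the hierarchy the guide describes
(user, group and system-ID containers under IDSTORE_SEARCHBASE, system IDs
outside the user container) before the tool is run against the directory."""


def parse_dn(dn):
    """Split a DN into normalised RDN strings, most specific first.
    Tolerates whitespace after commas ('cn=Users, dc=mycompany,dc=com') and
    backslash-escaped commas inside values; full RFC 4514 parsing (multi-valued
    RDNs, hex escapes) is out of scope for this check."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current))
    normalised = []
    for rdn in rdns:
        attr, _, value = rdn.strip().partition("=")
        normalised.append("%s=%s" % (attr.strip().lower(), value.strip().lower()))
    return normalised


def is_under(child, parent):
    """True when DN `child` equals `parent` or lies below it in the tree."""
    c, p = parse_dn(child), parse_dn(parent)
    return len(c) >= len(p) and c[len(c) - len(p):] == p


def parse_props(text):
    """Parse idmConfigTool 'KEY: value' lines into a dict (comments skipped)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(":")
            props[key.strip()] = value.strip()
    return props


def check_idstore_bases(props):
    """Return a list of hierarchy problems; an empty list means the bases are
    consistent with the layout the guide describes."""
    problems = []
    base = props["IDSTORE_SEARCHBASE"]
    for key in ("IDSTORE_USERSEARCHBASE", "IDSTORE_GROUPSEARCHBASE", "IDSTORE_SYSTEMIDBASE"):
        dn = props.get(key)
        if dn and not is_under(dn, base):
            problems.append("%s (%s) is not under IDSTORE_SEARCHBASE (%s)" % (key, dn, base))
    sysids, users = props.get("IDSTORE_SYSTEMIDBASE"), props.get("IDSTORE_USERSEARCHBASE")
    if sysids and users and is_under(sysids, users):
        problems.append("IDSTORE_SYSTEMIDBASE (%s) must sit outside the user container (%s)"
                        % (sysids, users))
    return problems


# Constructed sample with the values the guide shows for extend.props.
SAMPLE_EXTEND_PROPS = """\
IDSTORE_HOST: idstore.mycompany.com
IDSTORE_PORT: 389
IDSTORE_BINDDN: cn=orcladmin
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_USERSEARCHBASE: cn=Users,dc=mycompany,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=mycompany,dc=com
IDSTORE_SEARCHBASE: dc=mycompany,dc=com
IDSTORE_SYSTEMIDBASE: cn=systemids,dc=mycompany,dc=com
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EXTEND_PROPS
    for problem in check_idstore_bases(parse_props(text)):
        print(problem)
```

    A group search base in a different suffix, or a system-ID container placed under cn=Users, is reported before any LDIF is loaded; the comparison is case-insensitive and ignores spaces after commas, so cosmetic differences between the files do not produce false alarms.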

Note:

In addition to creating users, idmConfigTool creates the groups OrclPolicyAndCredentialWritePrivilegeGroup and OrclPolicyAndCredentialReadPrivilegeGroup.

See Also:

Oracle Fusion Middleware Integration Overview for Oracle Identity Management Suite for more information about the idmConfigTool command.

10.4.2 Creating Users and Groups for Oracle Access Manager

If you plan to implement Oracle Access Manager in your topology, you must seed the Identity Store with users that are required by Oracle Access Manager.

To do this, perform the following tasks on IDMHOST1:

  1. Set the Environment Variables: MW_HOME, JAVA_HOME, IDM_HOME and ORACLE_HOME.

    Set IDM_HOME to IDM_ORACLE_HOME.

    Set ORACLE_HOME to IAM_ORACLE_HOME.

  2. Create a properties file, called oam.props with the following contents:

    IDSTORE_HOST: idstore.mycompany.com
    IDSTORE_PORT: 389
    IDSTORE_BINDDN: cn=orcladmin
    IDSTORE_USERNAMEATTRIBUTE: cn
    IDSTORE_LOGINATTRIBUTE: uid
    IDSTORE_USERSEARCHBASE: cn=Users,dc=mycompany,dc=com
    IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=mycompany,dc=com
    IDSTORE_SEARCHBASE: dc=mycompany,dc=com
    POLICYSTORE_SHARES_IDSTORE: true
    OAM11G_IDSTORE_ROLE_SECURITY_ADMIN:OAMAdministrators
    IDSTORE_OAMSOFTWAREUSER:oamLDAP
    IDSTORE_OAMADMINUSER:oamadmin
    

    Where:

    • IDSTORE_HOST and IDSTORE_PORT are, respectively, the host and port of your Identity Store directory. If you are using a non-OID directory, then specify the Oracle Virtual Directory host (which should be IDSTORE.mycompany.com). If your Identity Store is in Oracle Internet Directory, then IDSTORE_HOST should point to Oracle Internet Directory, even if you are fronting Oracle Internet Directory with Oracle Virtual Directory.

    • IDSTORE_BINDDN is an administrative user in the Identity Store Directory.

    • IDSTORE_USERSEARCHBASE is the location in the directory where users are stored.

    • IDSTORE_GROUPSEARCHBASE is the location in the directory where groups are stored.

    • IDSTORE_SEARCHBASE is the location in the directory where Users and Groups are stored.

    • POLICYSTORE_SHARES_IDSTORE is set to true if your Policy and Identity Stores are in the same directory. If not, it is set to false.

    • OAM11G_IDSTORE_ROLE_SECURITY_ADMIN is the name of the group which is used to allow access to the OAM console.

    • IDSTORE_OAMADMINUSER is the name of the user you want to create as your Oracle Access Manager Administrator.

    • IDSTORE_OAMSOFTWAREUSER is the name of the user that is created in LDAP and that Oracle Access Manager uses at run time to connect to the LDAP server.

    In addition to creating the users, the command also assigns the users to the groups created in Section 10.4.1, "Extending Directory Schema for Oracle Access Manager."

  3. Configure the Identity Store by using the command idmConfigTool, which is located at:

    IAM_ORACLE_HOME/idmtools/bin

    Note:

    When you run the idmConfigTool, it creates or appends to the file idmDomainConfig.param. This file is generated in the same directory that the idmConfigTool is run from. To ensure that each time the tool is run, the same file is appended to, always run the idmConfigTool from the directory:

    IAM_ORACLE_HOME/idmtools/bin

    The syntax of the command on Linux is:

    idmConfigTool.sh -prepareIDStore mode=OAM input_file=configfile 
    

    The syntax on Windows is:

    idmConfigTool.bat -prepareIDStore mode=OAM input_file=configfile 
    

    For example:

    idmConfigTool.sh -prepareIDStore mode=OAM input_file=oam.props
    

    When the command runs, you are prompted to enter the password of the account you are connecting to the Identity Store with.

    Sample command output:

    Enter ID Store Bind DN password:
    May 25, 2011 2:44:59 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/oam_schema_extn.ldif
    *** Creation of Oblix Anonymous User ***
    May 25, 2011 2:44:59 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/oam_10g_anonymous_user_template.ldif
    Enter User Password for oblixanonymous:
    Confirm User Password for oblixanonymous:
    *** Creation of oamadmin ***
    May 25, 2011 2:45:08 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/oam_user_template.ldif
    Enter User Password for oamadmin:
    Confirm User Password for oamadmin:
    *** Creation of oamLDAP ***
    May 25, 2011 2:45:16 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/oam_user_template.ldif
    Enter User Password for oamLDAP:
    Confirm User Password for oamLDAP:
    May 25, 2011 2:45:21 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/common/oam_user_group_read_acl_template.ldif
    May 25, 2011 2:45:21 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/oim_group_template.ldif
    May 25, 2011 2:45:21 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/oam_group_member_template.ldif
    May 25, 2011 2:45:21 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/oam_config_acl.ldif
    May 25, 2011 2:45:21 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/oid_schemaadmin.ldif
    The tool has completed its operation. Details have been logged to automation.log
    
  4. Check the log file for any errors or warnings and correct them. The file with the name automation.log is created in the directory from where you run the tool.

See Also:

Oracle Fusion Middleware Integration Overview for Oracle Identity Management Suite for more information about the idmConfigTool command.

10.4.3 Creating Users and Groups for Oracle Adaptive Access Manager

If you plan to implement Oracle Adaptive Access Manager in your topology, you must seed the Identity Store with users that are required by OAAM.

To do this perform the following tasks on IDMHOST1:

  1. Set the Environment Variables: MW_HOME, JAVA_HOME, IDM_HOME and ORACLE_HOME.

    Set IDM_HOME to IDM_ORACLE_HOME.

    Set ORACLE_HOME to IAM_ORACLE_HOME.

  2. Create a properties file, called oaam.props, with the following contents:

    IDSTORE_HOST: idstore.mycompany.com
    IDSTORE_PORT: 389
    IDSTORE_BINDDN: cn=orcladmin
    IDSTORE_USERNAMEATTRIBUTE: cn
    IDSTORE_LOGINATTRIBUTE: uid
    IDSTORE_USERSEARCHBASE: cn=Users,dc=mycompany,dc=com
    IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=mycompany,dc=com
    IDSTORE_SEARCHBASE: dc=mycompany,dc=com
    POLICYSTORE_SHARES_IDSTORE: true
    

    Where:

    • IDSTORE_HOST and IDSTORE_PORT are, respectively, the host and port of your Identity Store directory. If you are using a non-OID directory, then specify the Oracle Virtual Directory host (which should be IDSTORE.mycompany.com). If your Identity Store is in Oracle Internet Directory, then IDSTORE_HOST should point to Oracle Internet Directory, even if you are fronting Oracle Internet Directory with Oracle Virtual Directory.

    • IDSTORE_BINDDN is an administrative user in the Identity Store directory.

    • IDSTORE_USERSEARCHBASE is the location in the directory where Users are stored.

    • IDSTORE_GROUPSEARCHBASE is the location in the directory where Groups are stored.

    • IDSTORE_SEARCHBASE is the location in the directory where Users and Groups are stored.

    • POLICYSTORE_SHARES_IDSTORE is set to true if your Policy and Identity stores are in the same directory. If not, it is set to false.

  3. Configure the Identity Store by using the command idmConfigTool, which is located at:

    IAM_ORACLE_HOME/idmtools/bin

    Note:

    When you run the idmConfigTool, it creates or appends to the file idmDomainConfig.param. This file is generated in the same directory that the idmConfigTool is run from. To ensure that each time the tool is run, the same file is appended to, always run the idmConfigTool from the directory:

    IAM_ORACLE_HOME/idmtools/bin

    The syntax of the command on Linux is:

    idmConfigTool.sh -prepareIDStore mode=OAAM input_file=configfile 
    

    The syntax on Windows is:

    idmConfigTool.bat -prepareIDStore mode=OAAM input_file=configfile 
    

    For example:

    idmConfigTool.sh -prepareIDStore mode=OAAM input_file=oaam.props
    

    When the command runs, you are prompted to enter the password of the account with which you connect to the Identity Store. You are also asked to specify the password you want to assign to the account oaamadmin.

    Sample command output:

    Enter ID Store Bind DN password: 
    *** Creation of OAAM User ***
    Apr 5, 2011 5:08:39 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: 
     /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/oam_user_template.ldif
    Enter User Password for oaamadmin: 
    Confirm User Password for oaamadmin: 
    Apr 5, 2011 5:08:49 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: 
     /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/oaam_group.ldif
    The tool has completed its operation. Details have been logged to automation.log
    
  4. Check the log file for any errors or warnings and correct them. The file with the name automation.log is created in the directory from where you run the tool.

See Also:

Oracle Fusion Middleware Integration Overview for Oracle Identity Management Suite for more information about the idmConfigTool command.

10.4.4 Creating Users and Groups for Oracle Identity Manager

If you plan to implement Oracle Identity Manager in your topology, you must seed the Identity Store with the xelsysadm user and assign it to an Oracle Identity Manager administrative group. You must also create a user outside of the standard cn=Users location to be able to perform reconciliation. This user is also the user that should be used as the bind DN when connecting to directories with Oracle Virtual Directory.

Note:

This command also creates a container in your Identity Store for reservations.

To do this, perform the following tasks on IDMHOST1:

  1. Set the Environment Variables: MW_HOME, JAVA_HOME, IDM_HOME and ORACLE_HOME.

    Set IDM_HOME to IDM_ORACLE_HOME.

    Set ORACLE_HOME to IAM_ORACLE_HOME.

  2. Create a properties file, called oim.props, with the following contents:

    IDSTORE_HOST: idstore.mycompany.com
    IDSTORE_PORT: 389
    IDSTORE_BINDDN: cn=orcladmin
    IDSTORE_USERNAMEATTRIBUTE: cn
    IDSTORE_LOGINATTRIBUTE: uid
    IDSTORE_USERSEARCHBASE: cn=Users,dc=mycompany,dc=com
    IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=mycompany,dc=com
    IDSTORE_SEARCHBASE: dc=mycompany,dc=com
    POLICYSTORE_SHARES_IDSTORE: true
    IDSTORE_SYSTEMIDBASE: cn=systemids,dc=mycompany,dc=com
    IDSTORE_OIMADMINUSER: oimLDAP
    IDSTORE_OIMADMINGROUP: OIMAdministrators
    

    Where:

    • IDSTORE_HOST and IDSTORE_PORT are, respectively, the host and port of your Identity Store directory. If you are using a non-OID directory, then specify the Oracle Virtual Directory host (which should be IDSTORE.mycompany.com). If your Identity Store is in Oracle Internet Directory, then IDSTORE_HOST should point to Oracle Internet Directory, even if you are fronting Oracle Internet Directory with Oracle Virtual Directory.

    • IDSTORE_BINDDN is an administrative user in the Identity Store directory.

    • IDSTORE_OIMADMINUSER is the user that Oracle Identity Manager uses to connect to the Identity Store.

    • IDSTORE_OIMADMINGROUP is the name of the group you want to create to hold your Oracle Identity Manager administrative users.

    • IDSTORE_USERSEARCHBASE is the location in your Identity Store where users are placed.

    • IDSTORE_GROUPSEARCHBASE is the location in your Identity Store where groups are placed.

    • IDSTORE_SYSTEMIDBASE is the location in your directory where the Oracle Identity Manager reconciliation user is placed.

    • POLICYSTORE_SHARES_IDSTORE is set to true if your Policy and Identity stores are in the same directory. If not, it is set to false.

  3. Configure the Identity Store by using the command idmConfigTool, which is located at:

    IAM_ORACLE_HOME/idmtools/bin

    Note:

    When you run the idmConfigTool, it creates or appends to the file idmDomainConfig.param. This file is generated in the same directory that the idmConfigTool is run from. To ensure that each time the tool is run, the same file is appended to, always run the idmConfigTool from the directory:

    IAM_ORACLE_HOME/idmtools/bin

    The syntax of the command on Linux is:

    idmConfigTool.sh -prepareIDStore mode=OIM input_file=configfile 
    

    The syntax on Windows is:

    idmConfigTool.bat -prepareIDStore mode=OIM input_file=configfile 
    

    For example:

    idmConfigTool.sh -prepareIDStore mode=OIM input_file=oim.props
    

    When the command runs, you are prompted to enter the password of the account you are connecting to the Identity Store with. You are also asked to specify the passwords you want to assign to the accounts:

    • IDSTORE_OIMADMINUSER

    • xelsysadm (It is recommended you set this to the same value as the account you create as part of the Oracle Identity Manager configuration.)

    Sample command output:

    Enter ID Store Bind DN password: 
    *** Creation of oimLDAP ***
    Apr 5, 2011 4:58:51 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: 
     /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/oim_user_template.ldif
    Enter User Password for oimLDAP: 
    Confirm User Password for oimLDAP: 
    Apr 5, 2011 4:59:01 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: 
     /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/oim_group_template.ldif
    Apr 5, 2011 4:59:01 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: 
     /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/oim_group_member_template.ldif
    Apr 5, 2011 4:59:01 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: 
     /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/oim_groups_acl_template.ldif
    Apr 5, 2011 4:59:01 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: 
     /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/oim_reserve_template.ldif
    *** Creation of Xel Sys Admin User ***
    Apr 5, 2011 4:59:01 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: 
     /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/oam_user_template.ldif
    Enter User Password for xelsysadm: 
    Confirm User Password for xelsysadm: 
    The tool has completed its operation. Details have been logged to /home/oracle/idmtools/oim.log
    
  4. Check the log file for any errors or warnings and correct them. The file with the name automation.log is created in the directory from where you run the tool.

See Also:

Oracle Fusion Middleware Integration Overview for Oracle Identity Management Suite for more information about the idmConfigTool command.

10.4.5 Creating Users and Groups for Oracle WebLogic Server

When you enable single sign-on for your administrative consoles, you must ensure that there is a user in your Identity Store that has the permissions to log in to your WebLogic Administration Console and Oracle Enterprise Manager Fusion Middleware Control.

To do this, perform the following tasks on IDMHOST1:

  1. Set the environment variables: MW_HOME, JAVA_HOME, IDM_HOME and ORACLE_HOME.

    Set IDM_HOME to IDM_ORACLE_HOME.

    Set ORACLE_HOME to IAM_ORACLE_HOME.

  2. Create a properties file, called wls.props with the following contents:

    IDSTORE_HOST: idstore.mycompany.com
    IDSTORE_PORT: 389
    IDSTORE_BINDDN: cn=orcladmin
    IDSTORE_USERNAMEATTRIBUTE: cn
    IDSTORE_LOGINATTRIBUTE: uid
    IDSTORE_USERSEARCHBASE: cn=Users,dc=mycompany,dc=com
    IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=mycompany,dc=com
    IDSTORE_SEARCHBASE: dc=mycompany,dc=com
    POLICYSTORE_SHARES_IDSTORE: true
    

    Where:

    • IDSTORE_HOST and IDSTORE_PORT are, respectively, the host and port of your Identity Store directory. If you are using a non-OID directory, then specify the Oracle Virtual Directory host (which should be IDSTORE.mycompany.com). If your Identity Store is in Oracle Internet Directory, then IDSTORE_HOST should point to Oracle Internet Directory, even if you are fronting Oracle Internet Directory with Oracle Virtual Directory.

    • IDSTORE_BINDDN is an administrative user in the Identity Store directory.

    • IDSTORE_USERSEARCHBASE is the location in the directory where users are stored.

    • IDSTORE_GROUPSEARCHBASE is the location in the directory where groups are stored.

    • IDSTORE_SEARCHBASE is the location in the directory where Users and Groups are stored.

    • POLICYSTORE_SHARES_IDSTORE is set to true if your Policy and Identity Stores are in the same directory. If not, it is set to false.

    The command creates a user called weblogic_idm and assigns it to a group called IDM Administrators.

  3. Configure the Identity Store by using the command idmConfigTool, which is located at:

    IAM_ORACLE_HOME/idmtools/bin

    Note:

    When you run the idmConfigTool, it creates or appends to the file idmDomainConfig.param. This file is generated in the same directory that the idmConfigTool is run from. To ensure that each time the tool is run, the same file is appended to, always run the idmConfigTool from the directory:

    IAM_ORACLE_HOME/idmtools/bin

    The syntax of the command on Linux is:

    idmConfigTool.sh -prepareIDStore mode=WLS input_file=configfile

    The syntax on Windows is:

    idmConfigTool.bat -prepareIDStore mode=WLS input_file=configfile

    For example:

    idmConfigTool.sh -prepareIDStore mode=WLS input_file=wls.props
    

    When the command runs, you are prompted to enter the password of the account you are connecting to the Identity Store with. You are also asked to specify the password you want to assign to the account weblogic_idm.

    Sample command output:

    Enter ID Store Bind DN password: 
    *** Creation of Weblogic Admin User ***
    Apr 5, 2011 5:52:04 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: 
     /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/oam_user_template.ldif
    Enter User Password for weblogic_idm: 
    Confirm User Password for weblogic_idm: 
    Apr 5, 2011 5:52:12 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: 
     /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/weblogic_admin_group.ldif
    The tool has completed its operation. Details have been logged to automation.log
    
  4. Check the log file for any errors or warnings and correct them.
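As an added pre-flight check (example code written for this page, not part of the Oracle documentation or of idmConfigTool itself), the following Python script parses a properties file in the KEY: value layout shown above and verifies that the keys -prepareIDStore mode=WLS consumes are present and consistent before the tool is run: IDSTORE_PORT is a valid TCP port, the user and group search bases lie under IDSTORE_SEARCHBASE (the DN comparison ignores case and whitespace around separators, so a value such as cn=Users, dc=mycompany,dc=com still matches), and POLICYSTORE_SHARES_IDSTORE is true or false. The embedded sample text is a constructed copy of the wls.props above; the validation rules are the editor's assumptions about a sane input, not rules idmConfigTool enforces.

```python
"""Pre-flight validation for an idmConfigTool properties file (wls.props).

Added example: the checks below are the editor's assumptions about what a
sane -prepareIDStore mode=WLS input looks like; idmConfigTool itself does
not run them.
"""

REQUIRED_KEYS = (
    "IDSTORE_HOST", "IDSTORE_PORT", "IDSTORE_BINDDN",
    "IDSTORE_USERNAMEATTRIBUTE", "IDSTORE_LOGINATTRIBUTE",
    "IDSTORE_USERSEARCHBASE", "IDSTORE_GROUPSEARCHBASE",
    "IDSTORE_SEARCHBASE", "POLICYSTORE_SHARES_IDSTORE",
)

# Constructed sample: a copy of the wls.props shown in the procedure above.
SAMPLE_WLS_PROPS = """\
IDSTORE_HOST: idstore.mycompany.com
IDSTORE_PORT: 389
IDSTORE_BINDDN: cn=orcladmin
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_USERSEARCHBASE: cn=Users, dc=mycompany,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=mycompany,dc=com
IDSTORE_SEARCHBASE: dc=mycompany,dc=com
POLICYSTORE_SHARES_IDSTORE: true
"""


def parse_props(text):
    """Parse 'KEY: value' lines; blank lines and '#' comments are skipped."""
    props = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep or not key.strip():
            raise ValueError(f"line {lineno}: expected 'KEY: value', got {raw!r}")
        props[key.strip()] = value.strip()
    return props


def normalize_dn(dn):
    """Canonical form for comparison: trim whitespace around RDNs, lowercase."""
    return ",".join(rdn.strip() for rdn in dn.split(",")).lower()


def dn_is_under(child, parent):
    """True if child equals parent or is a descendant of it."""
    c, p = normalize_dn(child), normalize_dn(parent)
    return c == p or c.endswith("," + p)


def validate_wls_props(text):
    """Return a list of problems; an empty list means the file passes."""
    props = parse_props(text)
    problems = [f"missing or empty {k}" for k in REQUIRED_KEYS if not props.get(k)]
    if problems:
        return problems  # the remaining checks need every key present

    port = props["IDSTORE_PORT"]
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        problems.append(f"IDSTORE_PORT is not a valid TCP port: {port!r}")

    base = props["IDSTORE_SEARCHBASE"]
    for key in ("IDSTORE_USERSEARCHBASE", "IDSTORE_GROUPSEARCHBASE"):
        if not dn_is_under(props[key], base):
            problems.append(
                f"{key} ({props[key]}) is not under IDSTORE_SEARCHBASE ({base})")

    if props["POLICYSTORE_SHARES_IDSTORE"].lower() not in ("true", "false"):
        problems.append("POLICYSTORE_SHARES_IDSTORE must be true or false")

    return problems


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_WLS_PROPS
    issues = validate_wls_props(text)
    print("OK" if not issues else "\n".join(issues))
```

Run it as python check_props.py wls.props from IAM_ORACLE_HOME/idmtools/bin before invoking idmConfigTool; a non-empty report is worth fixing first, because the tool prompts for the bind password and starts loading LDIF templates before a wrong search base surfaces in automation.log.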

See Also:

Oracle Fusion Middleware Integration Overview for Oracle Identity Management Suite for more information about the idmConfigTool command.

10.4.6 Disable Anonymous Binds to Oracle Virtual Directory LDAP Ports

For security, you must disable anonymous binds to Oracle Virtual Directory's LDAP ports by editing a configuration file. Proceed as follows:

  1. Stop Oracle Virtual Directory by typing:

    ORACLE_INSTANCE/bin/opmnctl stopproc ias-component=ovd1 
    
  2. Edit the file:

    ORACLE_INSTANCE/config/OVD/component/listeners.os_xml

    Locate the section for the LDAP Endpoint listener, which looks like this:

    <ldap id="LDAP Endpoint" version="1">
    <port>6501</port>
    ......
    <anonymousBind>Allow </anonymousBind>
    ......
    </ldap>
    

    Modify this section so that it looks like this:

    <ldap id="LDAP Endpoint" version="1">
    <port>6501</port>
    ......
    <anonymousBind>Deny </anonymousBind>
    ......
    </ldap>
    
  3. Locate the similar section for the LDAP SSL Endpoint listener and make the same change.

  4. Save the file.

  5. Restart Oracle Virtual Directory using the command:

    ORACLE_INSTANCE/bin/opmnctl startproc ias-component=ovd1
    
  6. Repeat these steps for each Oracle Virtual Directory instance.
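Because the change has to be repeated for every listener and every instance, it is easy to leave one LDAP Endpoint on Allow. The following Python script is an added audit helper (editor's example, not an Oracle tool): it reads a listeners.os_xml-style document, reports the anonymousBind setting of every ldap listener, lists the ones still not set to Deny, and can produce a rewritten copy. The embedded XML is a constructed fragment modelled on the excerpt above; the listeners root element and the http listener are assumptions about the surrounding file, and the real file may carry an XML namespace, in which case the ldap tag name passed to iter would need that namespace prefix.

```python
"""Audit anonymousBind on Oracle Virtual Directory LDAP listeners.

Added example. The XML below is a constructed fragment modelled on the
listeners.os_xml excerpt in the procedure; the <listeners> root and the
http listener are assumptions, not copied from Oracle's file.
"""
import xml.etree.ElementTree as ET

SAMPLE_LISTENERS_XML = """\
<listeners>
  <ldap id="LDAP Endpoint" version="1">
    <port>6501</port>
    <anonymousBind>Allow </anonymousBind>
  </ldap>
  <ldap id="LDAP SSL Endpoint" version="1">
    <port>7501</port>
    <anonymousBind>Deny </anonymousBind>
  </ldap>
  <http id="Admin Gateway" version="1">
    <port>8899</port>
  </http>
</listeners>
"""


def audit_anonymous_bind(xml_text):
    """Map each <ldap> listener id to its anonymousBind setting.

    Trailing whitespace (the documented file shows 'Allow ') is stripped;
    a listener with no <anonymousBind> element is reported as 'unset'.
    """
    root = ET.fromstring(xml_text)
    result = {}
    for ldap in root.iter("ldap"):
        node = ldap.find("anonymousBind")
        value = (node.text or "").strip() if node is not None else "unset"
        result[ldap.get("id", "?")] = value
    return result


def listeners_allowing_anonymous(xml_text):
    """Ids of listeners whose setting is anything other than Deny."""
    return sorted(lid for lid, value in audit_anonymous_bind(xml_text).items()
                  if value.lower() != "deny")


def deny_anonymous_bind(xml_text):
    """Return (rewritten xml, ids changed) with every <anonymousBind> set to Deny.

    Only existing elements are rewritten; a listener that lacks the element
    is left for manual review because its effective default is not known here.
    """
    root = ET.fromstring(xml_text)
    changed = []
    for ldap in root.iter("ldap"):
        node = ldap.find("anonymousBind")
        if node is not None and (node.text or "").strip().lower() != "deny":
            node.text = "Deny"
            changed.append(ldap.get("id", "?"))
    return ET.tostring(root, encoding="unicode"), changed


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LISTENERS_XML
    for lid, value in audit_anonymous_bind(text).items():
        print(f"{lid}: anonymousBind={value}")
    print("still allowing anonymous binds:", listeners_allowing_anonymous(text))
```

ElementTree drops the XML declaration and may reflow whitespace when serialising, so treat the output of deny_anonymous_bind as a preview of the edit and apply the change to the real file by hand as the steps describe; run the audit again after the instance is restarted so that every instance ends with an empty "still allowing" list.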

10.4.7 Set Up Oracle Virtual Directory–Oracle Identity Manager Access Control Lists

In addition to the steps described previously, you must update the access permissions of the following users. The users are the values you assigned to the parameters:

IDSTORE_OIMADMINUSER

To do this you must create an LDIF file for the user being updated. The file must have the format:

dn: %s_SearchBase%
changetype: modify
add: subtreeACI
subtreeACI: grant:b,t,a,d,n#[entry]#authzID-dn:%s_NamingAttr%=%s_UserName%,%s_SystemIDBase%
subtreeACI: grant:s,r,w,o,c,m#[all]#authzID-dn:%s_NamingAttr%=%s_UserName%,%s_SystemIDBase%

dn: cn=changelog
changetype: modify
add: subtreeACI
subtreeACI: grant:b,t,a,d,n#[entry]#authzID-dn:%s_NamingAttr%=%s_UserName%,%s_SystemIDBase%
subtreeACI: grant:s,r,w,o,c,m#[all]#authzID-dn:%s_NamingAttr%=%s_UserName%,%s_SystemIDBase%

For example:

dn: dc=mycompany,dc=com
changetype: modify
add: subtreeACI
subtreeACI: grant:b,t,a,d,n#[entry]#authzID-dn:cn=oimLDAP,cn=systemids,dc=mycompany,dc=com
subtreeACI: grant:s,r,w,o,c,m#[all]#authzID-dn:cn=oimLDAP,cn=systemids,dc=mycompany,dc=com

dn: cn=changelog
changetype: modify
add: subtreeACI
subtreeACI: grant:b,t,a,d,n#[entry]#authzID-dn:cn=oimLDAP,cn=systemids,dc=mycompany,dc=com
subtreeACI: grant:s,r,w,o,c,m#[all]#authzID-dn:cn=oimLDAP,cn=systemids,dc=mycompany,dc=com

Once you have created the file, load it into Oracle Virtual Directory using the command:

ldapmodify -h ovdhost1.mycompany.com -p 389 -D cn=orcladmin -q -f filename.ldif
ldapmodify -h ovdhost2.mycompany.com -p 389 -D cn=orcladmin -q -f filename.ldif

Note:

If you get the error:

LDAP Error 32 : No Such Object

verify the DN. If the DN is correct, you can ignore the error.
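The placeholders in the template above (%s_SearchBase%, %s_NamingAttr%, %s_UserName%, %s_SystemIDBase%) are filled in by hand, and a DN typo in the authzID-dn part silently grants the subtree rights to a non-existent identity. The following Python helper is an added example (editor's code, not an Oracle tool): it renders the LDIF from that template, refuses a user name that would need RFC 4514 escaping inside the RDN, and parses each resulting subtreeACI value back into its permission letters, scope and authorization DN so the grants can be reviewed entry by entry before ldapmodify loads the file. The parsing pattern is derived only from the grant:...#[scope]#authzID-dn:... shape shown on this page.

```python
"""Render and inspect the subtreeACI LDIF for the Oracle Identity Manager user.

Added example, not an Oracle tool. It fills the %s_...% placeholders of the
LDIF template given in the documentation and parses the resulting subtreeACI
values so that the granted permission letters, scope and authorization DN
can be reviewed before the file is loaded with ldapmodify.
"""
import re

# The template exactly as documented; placeholders are substituted verbatim.
ACI_TEMPLATE = """\
dn: %s_SearchBase%
changetype: modify
add: subtreeACI
subtreeACI: grant:b,t,a,d,n#[entry]#authzID-dn:%s_NamingAttr%=%s_UserName%,%s_SystemIDBase%
subtreeACI: grant:s,r,w,o,c,m#[all]#authzID-dn:%s_NamingAttr%=%s_UserName%,%s_SystemIDBase%

dn: cn=changelog
changetype: modify
add: subtreeACI
subtreeACI: grant:b,t,a,d,n#[entry]#authzID-dn:%s_NamingAttr%=%s_UserName%,%s_SystemIDBase%
subtreeACI: grant:s,r,w,o,c,m#[all]#authzID-dn:%s_NamingAttr%=%s_UserName%,%s_SystemIDBase%
"""

# Characters that would need escaping inside an RDN value (RFC 4514); the
# template does no escaping, so such user names are rejected outright.
_RDN_SPECIALS = set(',+"\\<>;')

# Shape of a subtreeACI value as it appears on this page:
#   grant:<letters>#[entry|all]#authzID-dn:<dn>
_ACI_RE = re.compile(
    r"^grant:(?P<perms>[a-z](?:,[a-z])*)#\[(?P<scope>entry|all)\]#authzID-dn:(?P<dn>\S.*)$"
)


def render_oim_aci_ldif(search_base, naming_attr, user_name, system_id_base):
    """Substitute the placeholders; returns LDIF text ready for ldapmodify -f."""
    if _RDN_SPECIALS & set(user_name):
        raise ValueError(f"user name needs RDN escaping, refusing: {user_name!r}")
    subs = {
        "%s_SearchBase%": search_base,
        "%s_NamingAttr%": naming_attr,
        "%s_UserName%": user_name,
        "%s_SystemIDBase%": system_id_base,
    }
    text = ACI_TEMPLATE
    for placeholder, value in subs.items():
        text = text.replace(placeholder, value)
    return text


def parse_subtree_aci(value):
    """Split 'grant:<perms>#[<scope>]#authzID-dn:<dn>' into its parts."""
    m = _ACI_RE.match(value.strip())
    if not m:
        raise ValueError(f"unrecognised subtreeACI value: {value!r}")
    return {"perms": m["perms"].split(","), "scope": m["scope"], "authz_dn": m["dn"]}


def grants_by_entry(ldif_text):
    """Map each 'dn:' in the LDIF to the parsed subtreeACI values added to it."""
    grants, current = {}, None
    for line in ldif_text.splitlines():
        if line.startswith("dn: "):
            current = line[4:].strip()
            grants[current] = []
        elif line.startswith("subtreeACI: ") and current is not None:
            grants[current].append(parse_subtree_aci(line[len("subtreeACI: "):]))
    return grants


if __name__ == "__main__":
    ldif = render_oim_aci_ldif("dc=mycompany,dc=com", "cn", "oimLDAP",
                               "cn=systemids,dc=mycompany,dc=com")
    for entry, acis in grants_by_entry(ldif).items():
        for aci in acis:
            print(f"{entry}: {aci['scope']:5} {','.join(aci['perms']):13} -> {aci['authz_dn']}")
```

Printing the parsed grants next to the output of an ldapsearch for the authorization DN is a cheap way to confirm the subject of the ACI actually exists under the System ID container before the file is loaded into each Oracle Virtual Directory host.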

10.4.8 Creating Access Control Lists in Non-Oracle Internet Directory Directories

In the preceding sections, you seeded the Identity Store with users and artifacts for the Oracle components. If your Identity Store is hosted in a non-Oracle Internet Directory directory, such as Microsoft Active Directory or Oracle Directory Server Enterprise Edition, you must set up the access control information (ACIs) to provide appropriate privileges to the entities you created. This section lists the artifacts created and the privileges required for the artifacts.

  • Systemids. The System ID container is created for storing all the system identifiers. If there is another container in which the users are to be created, that is specified as part of the admin.

  • Oracle Access Manager Admin User. This user is added to the OAM Administrator group, which provides permission for the administration of the OAM console. No LDAP schema level privileges are required, since this is just an application user.

  • Oracle Access Manager Software User. This user is added to the groups that grant read privileges on the container. It is also given schema admin privileges.

  • Oracle Identity Manager user oimLDAP under System ID container. Password policies are set accordingly in the container. The passwords for the users in the System ID container must be set up so that they do not expire.

  • Oracle Identity Manager administration group. The Oracle Identity Manager user is added as its member. The Oracle Identity Manager admin group is given complete read/write privileges to all the user and group entities in the directory.

  • WebLogic Administrator. This is the administrator of the IDM domain for Oracle Virtual Directory.

  • WebLogic Administrator Group. The WebLogic administrator is added as a member. This is the administrator group of the IDM domain for Oracle Virtual Directory.

  • Reserve container. Permissions are provided to the Oracle Identity Manager admin group to perform read/write operations.

10.4.9 Updating Oracle Virtual Directory Adapters

Oracle recommends that, after creating the artifacts in the Identity Store, you update the Oracle Virtual Directory adapters you set up in Section 9.8, "Creating Adapters in Oracle Virtual Directory" so that they have a less privileged user. The following procedure is recommended, but not mandatory.

Change the value of Server Proxy Bind DN to cn=oimLDAP,cn=systemids,dc=mycompany,dc=com.

To do this, perform the following steps:

  1. In a web browser, go to Oracle Directory Services Manager (ODSM) at: http://admin.mycompany.com/odsm.

  2. Connect to each Oracle Virtual Directory instance by using the appropriate connection entry.

  3. On the Home page, click the Adapter tab.

  4. Click User Adapter.

  5. On the General tab in the Credential Processing section, make the following changes:

    • Proxy DN: cn=oimLDAP,cn=systemids,dc=mycompany,dc=com

    • Proxy Password: The password of the Proxy DN account.

  6. Click Apply.

  7. Click Changelog Adapter.

  8. On the General tab in the Credential Processing section, make the following changes:

    • Proxy DN: cn=oimLDAP,cn=systemids,dc=mycompany,dc=com

    • Proxy Password: The password of the Proxy DN account.

  9. Click Apply.

  10. Click the Plug-Ins tab.

  11. Click Changelog Plug-in.

  12. Click Edit.

  13. Change ModifierDNFilter to:

    !(modifiersname=cn=oimLDAP,cn=systemids,dc=mycompany,dc=com)

  14. Click OK.

  15. Click Apply.

  16. Repeat for each Oracle Virtual Directory connection.