This chapter explains how to configure Oracle Adaptive Access Manager (OAAM). It includes the following topics:
For Oracle Identity and Access Management 11.1.1.5.0, Oracle Adaptive Access Manager includes two components:
Oracle Adaptive Access Manager (Online)
Oracle Adaptive Access Manager (Offline)
Note:
Oracle Adaptive Access Manager (Offline) is included in the Oracle Identity and Access Management Suite. When you are installing Oracle Identity and Access Management 11.1.1.5.0, Oracle Adaptive Access Manager (Offline) is also installed along with Oracle Adaptive Access Manager (OAAM). For configuring Oracle Adaptive Access Manager (Offline), see Configuring Oracle Adaptive Access Manager (Offline).
The following are the prerequisites for installing and configuring Oracle Identity and Access Management 11g Release 1 (11.1.1) products:
Installing Oracle Database, as described in Installing Oracle Database.
Installing Oracle WebLogic Server and creating a Middleware Home, as described in Installing Oracle WebLogic Server and Creating the Oracle Middleware Home.
Creating and loading schemas using Oracle Fusion Middleware Repository Creation Utility (RCU), as described in Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU).
Installing the Oracle Identity and Access Management 11g Release 1 (11.1.1.5.0) suite, as described in Installing Oracle Identity and Access Management (11.1.1.5.0). The Oracle Identity and Access Management suite contains Oracle Identity Manager (OIM), Oracle Access Manager (OAM), Oracle Adaptive Access Manager (OAAM), Oracle Entitlements Server (OES), and Oracle Identity Navigator (OIN).
Before you start installing and configuring Oracle Identity and Access Management products in any of the scenarios discussed in this chapter, keep the following points in mind:
It is assumed that you are installing Oracle Internet Directory, Oracle Virtual Directory, Oracle Identity Manager, Oracle Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Navigator on the same machine.
Note:
In this chapter, two IDM_Home directories are mentioned in descriptions and procedures. For example, the first one, IDM_Home, can be the IDM_Home directory for Oracle Internet Directory, Oracle Virtual Directory, Oracle Directory Services Manager, Oracle Directory Integration Platform, and Oracle Identity Federation. The second one, IAM_Home, can be the IDM_Home directory for Oracle Identity Manager, Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Entitlements Server, and Oracle Identity Navigator.
However, note that IDM_Home and IAM_Home are used as examples in this document. You can specify any name for either of your IDM_Home directories. In addition, you can install the two Oracle Identity Management suites (one containing Oracle Internet Directory, Oracle Virtual Directory, Oracle Directory Services Manager, Oracle Directory Integration Platform, and Oracle Identity Federation; another containing Oracle Identity Manager, Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Entitlements Server, and Oracle Identity Navigator) in any order on your machine.
For more information, see Overview and Structure of Oracle Identity Management 11g Installation.
Oracle Adaptive Access Manager (OAAM) is included in the Oracle Identity and Access Management 11g Release 1 (11.1.1) Suite. You can use the Oracle Identity and Access Management 11g Installer to install the Oracle Identity and Access Management Suite. For more information, see Preparing to Install and Installing Oracle Identity and Access Management (11.1.1.5.0).
This topic describes how to configure Oracle Adaptive Access Manager (OAAM) in a new WebLogic administration domain. It includes the following sections:
Perform the configuration in this topic if you want to install Oracle Adaptive Access Manager in an environment where you may install other Oracle Identity and Access Management 11g components, such as Oracle Identity Navigator, Oracle Access Manager, or Oracle Identity Manager at a later time in the same domain.
You can use the Oracle Identity Navigator interface and dashboard to discover and launch the Oracle Adaptive Access Manager console from within Oracle Identity Navigator.
Performing the configuration in this section deploys the following:
WebLogic Administration Server
Managed Servers for Oracle Adaptive Access Manager, depending on the Oracle Adaptive Access Manager Domain Configuration template you choose.
Oracle Adaptive Access Manager Console and Oracle Identity Navigator application on the Administration Server.
The configuration in this section depends on the following:
Oracle WebLogic Server.
Installation of the Oracle Identity and Access Management 11g software.
Database schema for Oracle Adaptive Access Manager. For more information about schemas specific to Oracle Adaptive Access Manager, see Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU).
Perform the following steps to configure only Oracle Adaptive Access Manager in a new WebLogic domain:
Ensure that all prerequisites, listed in Prerequisites, are satisfied. In addition, see Important Notes Before You Begin.
Run the <IAM_Home>/common/bin/config.sh script (on UNIX) or the <IAM_Home>\common\bin\config.cmd script (on Windows). The Fusion Middleware Configuration Wizard appears.
On the Welcome screen, select the Create a new WebLogic domain option. Click Next. The Select Domain Source screen appears.
On the Select Domain Source screen ensure that the Generate a domain configured automatically to support the following products: option is selected. Select Oracle Adaptive Access Manager Admin Server - 11.1.1.3.0 [Oracle_IDM2], which is mandatory.
In addition, you can select Oracle Adaptive Access Manager - Server Offline - 11.1.1.3.0, which is optional. Click Next. The Select Domain Name and Location screen appears.
Note:
When you select the Oracle Adaptive Access Manager Admin Server - 11.1.1.3.0 [Oracle_IDM2], the following options are also selected, by default:
Oracle Enterprise Manager 11.1.1.0 [oracle_common]
Oracle JRF 11.1.1.0 [oracle_common]
Oracle Identity Navigator - 11.1.1.3.0 [Oracle_IDM2]
Enter a name and a location for the domain to be created, and click Next. The Configure Administrator User Name and Password screen appears.
Configure a user name and a password for the administrator. The default user name is weblogic. Click Next.
Choose JRockit SDK 1.6.0_24 and Production Mode in the Configure Server Start Mode and JDK screen of the Oracle Fusion Middleware Configuration Wizard. Click Next. The Configure JDBC Component Schema screen is displayed.
On the Configure JDBC Component Schema screen, select a component schema, such as the OAAM Admin Server Schema or the OAAM Admin MDS Schema, that you want to modify.
You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, the Select Optional Configuration screen appears.
On the Select Optional Configuration screen, you can configure the Administration Server; Managed Servers, Clusters and Machines; Deployments and Services; and RDBMS Security Store. Select the relevant check boxes and click Next.
Optional: Configure the following Administration Server parameters:
Name
Listen address
Listen port
SSL listen port
SSL enabled or disabled
On the Select Optional Configuration screen, select Managed Servers, Clusters and Machines to configure the managed server. For more information, see "Configure Managed Servers" in the Oracle Fusion Middleware Creating Domains Using the Configuration Wizard.
Optional: Configure Clusters, as required.
For more information about configuring clusters for Oracle Identity and Access Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.
Optional: Assign Managed Servers to Clusters, as required.
Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.
Tip:
Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.
Optional: Assign the Administration Server to a machine.
Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.
Optional: Configure RDBMS Security Store, as required.
On the Configuration Summary screen, review the domain configuration, and click Create to start creating the domain.
A new WebLogic domain to support Oracle Adaptive Access Manager is created in the <MW_HOME>\user_projects\domains directory (on Windows). On UNIX, the domain is created in the <MW_HOME>/user_projects/domains directory.
This topic describes how to configure Oracle Adaptive Access Manager (Offline) in a new WebLogic domain. It includes the following topics:
Performing the configuration in this section deploys the following:
WebLogic Administration Server
Oracle Adaptive Access Manager (Offline) application on the Administration Server
The configuration in this section depends on the following:
Oracle WebLogic Server.
Installation of the Oracle Identity and Access Management 11g software.
Database schema for Oracle Adaptive Access Manager (Offline).
Perform the following steps to configure Oracle Adaptive Access Manager (Offline) in a new WebLogic domain:
Ensure that all prerequisites, listed in Prerequisites, are satisfied.
Run the <IAM_Home>/common/bin/config.sh script (on UNIX) or the <IAM_Home>\common\bin\config.cmd script (on Windows). The Oracle Fusion Middleware Configuration Wizard appears.
On the Welcome screen, select the Create a new WebLogic domain option. Click Next. The Select Domain Source screen appears.
On the Select Domain Source screen, ensure that the Generate a domain configured automatically to support the following products: option is selected.
Select the Oracle Adaptive Access Manager Offline - 11.1.1.3.0 [Oracle_IDM2] option. When you select this option, the following options are also selected by default:
Oracle Enterprise Manager - 11.1.1.0 [oracle_common]
Oracle Identity Navigator - 11.1.1.3.0 [Oracle_IDM2]
Oracle JRF 11.1.1.0 [oracle_common]
Click Next. The Specify Domain Name and Location screen appears.
Enter a name and a location for the domain to be created, and click Next. The Configure Administrator User Name and Password screen appears.
Configure a user name and a password for the administrator. The default user name is weblogic. Click Next. The Configure Server Start Mode and JDK screen appears.
Choose JRockit SDK 1.6.0_24 and Production Mode in the Configure Server Start Mode and JDK screen. Click Next. The Configure JDBC Component Schema screen is displayed.
On the Configure JDBC Component Schema screen, select a component schema, such as the OAAM Offline MDS Schema or the OAAM Offline Schema that you want to modify. You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, click Next. The Select Optional Configuration screen appears.
On the Select Optional Configuration screen, you can configure the Administration Server, Managed Servers, Clusters, Machines, Deployments and Services, and RDBMS Security Store. Select the relevant check boxes and click Next.
Optional: Configure the following Administration Server parameters:
Name
Listen Address
Listen Port
SSL Listen Port
SSL Enabled
Optional: Add and configure Managed Servers, as required. Note that Oracle Entitlements Server does not require a Managed Server because the application is deployed on the WebLogic Administration Server.
Optional: Configure Clusters, as required.
For more information about configuring clusters for Oracle Identity and Access Management products, see the "Configuring High Availability for Identity Management Components" topic in the Oracle Fusion Middleware High Availability Guide.
Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.
Tip:
Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.
Optional: Assign the Administration Server to a machine.
Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.
Optional: Configure RDBMS Security Store Database, as required.
On the Configuration Summary screen, review the domain configuration, and click Create to start creating the domain.
A new WebLogic domain to support Oracle Adaptive Access Manager (Offline) is created in the <MW_HOME>\user_projects\domains directory (on Windows). On UNIX, the domain is created in the <MW_HOME>/user_projects/domains directory.
After installing and configuring Oracle Adaptive Access Manager, you must run the Oracle WebLogic Administration Server and various Managed Servers, as described in Starting the Stack.
Note:
If you are upgrading from Oracle Adaptive Access Manager 10g to Oracle Adaptive Access Manager 11g, do not start Oracle Adaptive Access Manager Managed Servers until you have performed the Oracle Adaptive Access Manager Middle Tier Upgrade using the Upgrade Assistant tool. For more information, see the Oracle Fusion Middleware Upgrade Guide for Oracle Identity Management.
After installing and configuring Oracle Adaptive Access Manager, you must complete the following tasks:
Create Oracle WebLogic Server Users as follows:
Log in to the Oracle WebLogic Administration Console for your WebLogic administration domain.
Click on Security Realms, and then click on your security realm.
Click the Users and Groups tab, and then click the Users tab under it.
Create a user, such as user1, in the security realm.
Assign the user user1 to the rule administrators and environment administrators groups.
Set up and back up Oracle Adaptive Access Manager Encryption Keys, as described in the "Setting Up Encryption and Database Credentials for OAAM" topic in the Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager. Ensure that you have a backup of the Oracle Adaptive Access Manager Encryption Keys; they are required if you want to re-create the Oracle Adaptive Access Manager domain.
Import Snapshot of Policies as follows:
A full snapshot of policies, dependent components and configurations is shipped with Oracle Adaptive Access Manager. The snapshot is in the oaam_base_snapshot.zip file, located in the MW_HOME/IAM_ORACLE_HOME/oaam/init directory.
It contains the following items that must be imported into OAAM:
Challenge questions for English (United States)
During registration, which could be enrollment, opening a new account, or another event such as a reset, the user selects different questions from a list of questions and enters answers to them. These questions, called challenge questions, are used to authenticate users.
Questions for the languages you want to support must be in the system before users can be asked to register. These questions may also be required to log in to OAAM Server.
Entity definitions
The actors that are tracked during authentication are called authentication entities and include user, city, device, and so on. These base entities are required to enable conditions that are used for patterns.
Out-of-the-box patterns
Patterns are used by Oracle Adaptive Access Manager to either define one bucket or dynamically create buckets. Oracle Adaptive Access Manager collects data and populates these buckets with members based on pattern parameters, and rules perform risk evaluations on dynamically changing membership and distributions of the buckets.
Out-of-the-box configurable actions
Configurable actions are actions that are triggered based on the result action or risk scoring or both after a checkpoint execution. The configurable actions are built using action templates.
Note:
If you are upgrading from Oracle Adaptive Access Manager 10.1.4.5 to Oracle Adaptive Access Manager 11g, you will see that the names and descriptions of the out-of-the-box action templates are slightly different, because the action templates in Oracle Adaptive Access Manager 11g are globalized.
Out-of-the-box policies
Policies are designed to help evaluate and handle business activities or potentially risky activities that are encountered in day-to-day operation.
Any groups
Collections of items used in rules, user groups, and action and alert groups are shipped with OAAM.
Notes:
If you need to customize any properties, you should import the snapshot into your new test system, make the changes, export the snapshot, and import it into your new system. Alternatively you can import the snapshot on the new system and make the property changes directly, thereby eliminating the test system completely.
For customers who are upgrading from 11.1.1.3.0 to 11.1.1.5.0: Do not import the snapshot. This procedure is only for first time initial setup. Importing a snapshot wipes out the existing environment and replaces it with a new one. For upgrades, import separate zip files for the entities, definitions, or policies.
For upgrading policies, components, and configurations, perform a backup, and then import the separate file. The following are available:
Default questions are shipped in the oaam_kba_questions_<locale>.zip files, which are located in the <MW_HOME>/<IAM_ORACLE_HOME>/oaam/init/kba_questions directory. The locale identifier <locale> specifies the language version.
Base policies are shipped in the oaam_sample_policies_for_uio_integration.zip file, which is located in the <MW_HOME>/<IAM_ORACLE_HOME>/oaam/init directory.
Configurable action templates are shipped in the OOTB_Configurable_Actions.zip file, which is located in the <MW_HOME>/<IAM_ORACLE_HOME>/oaam/init directory.
Base-authentication required entities are shipped in the Auth_EntityDefinition.zip file, which is located in the <MW_HOME>/<IAM_ORACLE_HOME>/oaam/init directory.
Note:
For more information about policies, see "Importing the OAAM Snapshot" and "Managing Policies, Rules, and Conditions" topics in the Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager.
Load Location Data into the Oracle Adaptive Access Manager database as follows:
Configure the IP Location Loader script, as described in the topics "OAAM Command Line Interface Scripts" and "Importing IP Location Data" in the Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager.
Make a copy of the sample.bharosa_location.properties file, which is located under the <MW_HOME>/<IAM_Home>/oaam/cli directory. Enter location data details in the location.data properties, as in the following examples:
location.data.provider=quova
location.data.file=/tmp/quova/EDITION_Gold_2008-07-22_v374.dat.gz
location.data.ref.file=/tmp/quova/EDITION_Gold_2008-07-22_v374.ref.gz
location.data.anonymizer.file=/tmp/quova/anonymizers_2008-07-09.dat.gz
Run the loader on the command line as follows:
On Windows: loadIPLocationData.cmd
On UNIX: ./loadIPLocationData.sh
Ensure that the Oracle Middleware Home (MW_HOME) environment variable is set before running the loadIPLocationData script.
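The loader step above assumes that MW_HOME is set and that every file named in the location.data properties is present. The following pre-flight script is an added example, not part of the Oracle documentation or of the OAAM product: it reads a copy of sample.bharosa_location.properties and refuses to proceed to loadIPLocationData.sh until those conditions hold. The property names are the ones from the page; the data file paths it builds are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the Oracle documentation or the OAAM product:
# pre-flight checks for the IP location loader. It reads a copy of
# sample.bharosa_location.properties and confirms that MW_HOME is set and
# that every file named in the location.data.* properties exists, so that
# loadIPLocationData.sh is only started when it can actually load data.
# The property names are the ones from the page; the paths are constructed.

# Print the value of key $2 from properties file $1 (first match only).
prop_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Return 0 when the loader may be run with properties file $1, 1 otherwise.
# Every problem found is reported so that all of them can be fixed at once.
check_location_props() {
    props="$1"
    rc=0
    [ -r "$props" ] || { echo "cannot read properties file: $props" >&2; return 1; }
    [ -n "$MW_HOME" ] || { echo "MW_HOME is not set" >&2; rc=1; }
    provider=$(prop_value "$props" location.data.provider)
    [ -n "$provider" ] || { echo "location.data.provider is empty" >&2; rc=1; }
    for key in location.data.file location.data.ref.file location.data.anonymizer.file; do
        f=$(prop_value "$props" "$key")
        if [ -z "$f" ]; then
            echo "$key is not set" >&2; rc=1
        elif [ ! -r "$f" ]; then
            echo "$key refers to a missing file: $f" >&2; rc=1
        fi
    done
    return $rc
}

# Build a constructed sample environment in a temporary directory (empty
# placeholder data files named like the page's Quova examples) and print
# the path of the resulting properties file.
make_sample_env() {
    dir=$(mktemp -d)
    mkdir -p "$dir/quova"
    for f in EDITION_Gold_2008-07-22_v374.dat.gz \
             EDITION_Gold_2008-07-22_v374.ref.gz \
             anonymizers_2008-07-09.dat.gz; do
        : > "$dir/quova/$f"
    done
    cat > "$dir/bharosa_location.properties" <<EOF
location.data.provider=quova
location.data.file=$dir/quova/EDITION_Gold_2008-07-22_v374.dat.gz
location.data.ref.file=$dir/quova/EDITION_Gold_2008-07-22_v374.ref.gz
location.data.anonymizer.file=$dir/quova/anonymizers_2008-07-09.dat.gz
EOF
    echo "$dir/bharosa_location.properties"
}

# Usage: MW_HOME=/path/to/middleware sh check_location.sh bharosa_location.properties
# Only when the checks pass is it safe to run ./loadIPLocationData.sh.
if [ $# -gt 0 ]; then
    check_location_props "$1" && echo "checks passed; run loadIPLocationData.sh"
fi
```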
Note:
If you wish to generate CSF keys or passwords manually, see the "Setting Up Encryption and Database Credentials for OAAM" topic in the Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager.
After completing the installation process, including post-installation steps, you can verify the installation and configuration of Oracle Adaptive Access Manager (OAAM) as follows:
Start the Administration Server to register the newly created managed servers with the domain. To start the Administration Server, run the following command:
On Windows: At the command prompt, run the startWebLogic script to start the Administration Server, as in the following example:
\middleware\user_projects\domains\base_domain\bin\startWebLogic
On UNIX: At the $ prompt, run the startWebLogic.sh script, as in the following example:
sh /MW_HOME/user_projects/domains/base_domain/bin/startWebLogic.sh
Start the Managed Server, as described in Starting the Servers.
Wait for the Administration Server and the Managed Server to start up.
Log in to the Administration Server for Oracle Adaptive Access Manager, using the admin server username and password. Log in to the Administration Server using the following URL:
http://<host>:<oaam_admin_server1_port>/oaam_admin
Log in to the Oracle Adaptive Access Manager Managed Server using the following URL:
https://<host>:<oaam_server_server1_sslport>/oaam_server
You begin policy and credential store migration by creating the JPS root and then you reassociate the policy and credential store with Oracle Internet Directory.
Migrating policy and credential stores involves the following steps:
Create the jpsroot in Oracle Internet Directory using the command line ldapadd command as shown in these steps:
Create an ldif file similar to this:
dn: cn=jpsroot_iam
cn: jpsroot_iam
objectclass: top
objectclass: orclcontainer
Use ORACLE_HOME/bin/ldapadd to add these entries to Oracle Internet Directory. For example:
ORACLE_HOME/bin/ldapadd -h oid.mycompany.com -p 389 -D cn="orcladmin" -w welcome1 -c -v -f jps_root.ldif
To reassociate the policy and credential store with Oracle Internet Directory, use the WLST reassociateSecurityStore command. Follow these steps:
From IAMHOST1, start the wlst shell from the ORACLE_HOME/common/bin directory. For example:
./wlst.sh
Connect to the WebLogic Administration Server using the wlst connect command shown below.
connect('AdminUser','AdminUserPassword','t3://hostname:port')
For example:
connect("weblogic_iam","welcome1","t3://iamhost-vip.mycompany.com:7001")
Run the reassociateSecurityStore command as shown below. The jpsroot value must be the DN of the container created with ldapadd above.
Syntax:
reassociateSecurityStore(domain="domainName",admin="cn=orcladmin", password="orclPassword",ldapurl="ldap://LDAPHOST:LDAPPORT",servertype="OID", jpsroot="cn=jpsRootContainer")
For example:
wls:/IAMDomain/serverConfig> reassociateSecurityStore(domain="IAMDomain",
admin="cn=orcladmin",password="password",
ldapurl="ldap://oid.mycompany.com:389",servertype="OID",
jpsroot="cn=jpsroot_iam")
The output for the command is as follows:
{servertype=OID, jpsroot=cn=jpsroot_iam, admin=cn=orcladmin,
domain=IAMDomain, ldapurl=ldap://oid.mycompany.com:389, password=password}
Location changed to domainRuntime tree. This is a read-only tree with
DomainMBean as the root.
For more help, use help(domainRuntime)
Starting Policy Store reassociation.
LDAP server and ServiceConfigurator setup done.
Schema is seeded into LDAP server
Data is migrated to LDAP server
Service in LDAP server after migration has been tested to be available
Update of jps configuration is done
Policy Store reassociation done.
Starting credential Store reassociation
LDAP server and ServiceConfigurator setup done.
Schema is seeded into LDAP server
Data is migrated to LDAP server
Service in LDAP server after migration has been tested to be available
Update of jps configuration is done
Credential Store reassociation done
Jps Configuration has been changed. Please restart the server.
Restart the Administration Server after the command completes successfully. For information about restarting the Administration Server, see Starting the Servers.
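The reassociation fails if the jpsroot passed to reassociateSecurityStore is not the container that was loaded with ldapadd, and the ldif itself is rejected if its dn and cn attribute disagree. The script below is an added example, not part of the Oracle documentation: it derives the ldif, the consistency check and a non-interactive WLST script from one container name. The host names, ports, domain name and user names are assumptions copied from the page's examples; the passwords are read from the WLS_ADMIN_PASSWORD and OID_ADMIN_PASSWORD environment variables (hypothetical names) rather than being written into the generated files.

```shell
#!/bin/sh
# Added example, not part of the Oracle documentation: ties the three places
# where the JPS root container name appears (the ldif loaded with ldapadd, the
# jpsroot argument of reassociateSecurityStore, and the WLST script) to one
# value, so the reassociation cannot point at a container that was never
# created. Host names, ports, the domain name and the user names below are
# assumptions taken from the page's examples; passwords come from the
# environment variables WLS_ADMIN_PASSWORD and OID_ADMIN_PASSWORD (hypothetical).

# Write the ldif for the JPS root container. $1 = cn value, $2 = output file.
write_jpsroot_ldif() {
    printf 'dn: cn=%s\ncn: %s\nobjectclass: top\nobjectclass: orclcontainer\n' \
        "$1" "$1" > "$2"
}

# Return 0 when the ldif's dn, its cn attribute and the jpsroot value ($2)
# that will be passed to reassociateSecurityStore all agree, else 1.
check_jpsroot_consistent() {
    ldif="$1"
    jpsroot="$2"
    dn_cn=$(sed -n 's/^dn:[[:space:]]*cn=//p' "$ldif" | head -n 1)
    attr_cn=$(sed -n 's/^cn:[[:space:]]*//p' "$ldif" | head -n 1)
    if [ -z "$dn_cn" ] || [ "$dn_cn" != "$attr_cn" ]; then
        echo "ldif dn (cn=$dn_cn) and cn attribute ($attr_cn) differ" >&2
        return 1
    fi
    if [ "cn=$dn_cn" != "$jpsroot" ]; then
        echo "jpsroot '$jpsroot' does not match ldif dn 'cn=$dn_cn'" >&2
        return 1
    fi
    return 0
}

# Write a WLST (Jython) script that connects to the Administration Server and
# runs reassociateSecurityStore with jpsroot $1; $2 = output .py file.
# Run it afterwards with: ORACLE_HOME/common/bin/wlst.sh reassociate.py
write_reassociate_script() {
    cat > "$2" <<EOF
import os
connect('weblogic_iam', os.environ['WLS_ADMIN_PASSWORD'],
        't3://iamhost-vip.mycompany.com:7001')
reassociateSecurityStore(domain='IAMDomain', admin='cn=orcladmin',
        password=os.environ['OID_ADMIN_PASSWORD'],
        ldapurl='ldap://oid.mycompany.com:389', servertype='OID',
        jpsroot='$1')
EOF
}

# Load the container into OID with the ldapadd flags used on the page; the
# bind password is taken from the environment instead of being hard-coded.
add_jpsroot() {
    "$ORACLE_HOME/bin/ldapadd" -h oid.mycompany.com -p 389 -D cn=orcladmin \
        -w "$OID_ADMIN_PASSWORD" -c -v -f "$1"
}

# Usage: JPSROOT_CN=jpsroot_iam sh jpsroot.sh
if [ -n "$JPSROOT_CN" ]; then
    write_jpsroot_ldif "$JPSROOT_CN" jps_root.ldif
    check_jpsroot_consistent jps_root.ldif "cn=$JPSROOT_CN" \
        && write_reassociate_script "cn=$JPSROOT_CN" reassociate.py \
        && echo "jps_root.ldif and reassociate.py written for cn=$JPSROOT_CN"
fi
```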
After installing Oracle Adaptive Access Manager (OAAM), refer to the Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager.