This chapter explains how to configure Oracle Access Manager (OAM). It includes the following topics:
The following are the prerequisites for installing and configuring Oracle Identity and Access Management 11g Release 1 (11.1.1) products:
Installing Oracle Database, as described in Installing Oracle Database.
Installing Oracle WebLogic Server 11g Release 1 (10.3.5) and creating a Middleware Home, as described in Installing Oracle WebLogic Server and Creating the Oracle Middleware Home.
Creating and loading schemas using Oracle Fusion Middleware Repository Creation Utility (RCU), as described in Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU).
Installing the Oracle Identity and Access Management 11g Release 1 (11.1.1.5.0) suite, as described in Installing Oracle Identity and Access Management (11.1.1.5.0). The Oracle Identity and Access Management suite contains Oracle Identity Manager (OIM), Oracle Access Manager (OAM), Oracle Adaptive Access Manager (OAAM), Oracle Entitlements Server (OES), and Oracle Identity Navigator (OIN).
Before you start installing and configuring Oracle Identity and Access Management products in any of the scenarios discussed in this chapter, keep the following points in mind:
It is assumed that you are installing Oracle Internet Directory, Oracle Virtual Directory, Oracle Identity Manager, Oracle Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Navigator on the same machine.
Note:
In this chapter, two IDM_Home directories are mentioned in descriptions and procedures. For example, the first one, IDM_Home can be the IDM_Home directory for Oracle Internet Directory, Oracle Virtual Directory, Oracle Directory Services Manager, Oracle Directory Integration Platform, and Oracle Identity Federation. The second one, IAM_Home can be the IDM_Home directory for Oracle Identity Manager, Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Entitlements Server, and Oracle Identity Navigator.
However, note that IDM_Home and IAM_Home are used as examples in this document. You can specify any name for either of your IDM_Home directories. In addition, you can install the two Oracle Identity Management suites (one containing Oracle Internet Directory, Oracle Virtual Directory, Oracle Directory Services Manager, Oracle Directory Integration Platform, and Oracle Identity Federation; another containing Oracle Identity Manager, Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Entitlements Server, and Oracle Identity Navigator) in any order on your machine.
For more information, see Overview and Structure of Oracle Identity Management 11g Installation.
Oracle Access Manager (OAM) is included in the Oracle Identity and Access Management Suite. You can use the Oracle Identity and Access Management 11g Installer to install the Oracle Identity and Access Management Suite. For more information, see Preparing to Install and Installing Oracle Identity and Access Management (11.1.1.5.0).
Note:
When you are installing Oracle Access Manager, Oracle Secure Token Service will also be installed. For more information on Oracle Secure Token Service, see Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager with Oracle Security Token Service.
When configuring Oracle Access Manager in a new or existing WebLogic administration domain, you must choose Oracle Access Manager with Database Policy Store - 11.1.1.3.0 [Oracle_IDM2] as the domain configuration template on the Select Domain Source screen in the Oracle Fusion Middleware Configuration Wizard.
A database policy store offers more security measures that can be layered based on the storage, thereby ensuring higher resiliency to corruption and better high availability.
To configure Oracle Access Manager with a database policy store, choose the Oracle Access Manager with Database Policy Store - 11.1.1.3.0 [Oracle_IDM2] option on the Select Domain Source screen in the Oracle Fusion Middleware Configuration Wizard.
Note:
It is recommended that you use a database policy store in production environments.
For a list of screens in the Oracle Fusion Middleware Configuration Wizard, see Screens in Oracle Fusion Middleware Configuration Wizard.
This topic describes how to configure Oracle Access Manager (OAM) in a new WebLogic domain.
It includes the following sections:
Perform the configuration in this topic if you want to install only Oracle Access Manager in an environment where you may add other Oracle Identity and Access Management 11g components, such as Oracle Identity Navigator, Oracle Identity Manager, and Oracle Adaptive Access Manager at a later time in the same domain.
Performing the configuration in this section deploys the following:
WebLogic Administration Server
Managed Server for Oracle Access Manager
Oracle Access Manager Console on the Administration Server
The configuration in this section depends on the following:
Oracle WebLogic Server
Installation of the Oracle Identity and Access Management 11g software
Database schemas for Oracle Access Manager. For more information, see Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU).
Perform the following steps to configure Oracle Access Manager in a new WebLogic domain:
Ensure that all prerequisites, listed in Prerequisites, are satisfied. In addition, see Important Notes Before You Begin.
Run the <IAM_Home>/common/bin/config.sh
script (on UNIX). (<IAM_Home>\common\bin\config.cmd
on Windows). The Oracle Fusion Middleware Configuration Wizard appears.
On the Welcome screen, select the Create a new WebLogic domain option. Click Next. The Select Domain Source screen appears.
On the Select Domain Source screen, ensure that the Generate a domain configured automatically to support the following products: option is selected. Select Oracle Access Manager with Database Policy Store - 11.1.1.3.0 [Oracle_IDM2], and click Next. The Select Domain Name and Location screen appears.
Note:
When you select the Oracle Access Manager with Database Policy Store - 11.1.1.3.0 [Oracle_IDM2] option, the Oracle JRF 11.1.1.0 [Oracle_Common] option is also selected, by default.
Enter a name and a location for the domain to be created, and click Next. The Configure Administrator User Name and Password screen appears.
Configure a user name and a password for the administrator. The default user name is weblogic
. Click Next.
Choose JRockit SDK 1.6.0_24
and Production Mode in the Configure Server Start Mode and JDK screen of the Oracle Fusion Middleware Configuration Wizard. Click Next. The Configure JDBC Component Schema screen appears.
On the Configure JDBC Component Schema screen, select a component schema, such as the OAM Infrastructure Schema that you want to modify.
You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, the Select Optional Configuration screen appears.
On the Select Optional Configuration screen, you can configure the Administration Server and Managed Servers, Clusters, and Machines. Click Next.
Optional: Configure the following Administration Server parameters:
Name
Listen address
Listen port
SSL listen port
SSL enabled or disabled
Optional: Configure Managed Servers, as required.
Note:
If you want to configure the Managed Server on the same machine, ensure that the port is different from that of the Administration Server.
Optional: Configure Clusters, as required.
For more information about configuring clusters for Oracle Identity and Access Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.
Optional: Assign Managed Servers to clusters, as required.
Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.
Tip:
Before configuring a machine, use the ping
command to verify whether the machine or host name is accessible.
If the Administration Server is not assigned to a machine, you can assign it to a machine.
Note that deployments, such as applications and libraries, and services that are targeted to a particular cluster or server are selected, by default.
Assign the newly created Managed Server, such as oam_server1
, to a machine.
On the Configuration Summary screen, review the domain configuration, and click Create to start creating the domain.
A new WebLogic domain to support Oracle Access Manager is created in the <MW_HOME>\user_projects\domains
directory (on Windows). On UNIX, the domain is created in the <MW_HOME>/user_projects/domains
directory.
This topic describes how to configure Oracle Access Manager (OAM) and Oracle Identity Navigator (OIN) together in a new WebLogic domain. It includes the following sections:
Perform the configuration in this topic if you want to install Oracle Access Manager in an environment where you may add other Oracle Identity and Access Management products, such as Oracle Identity Access Manager and Oracle Adaptive Access Manager, at a later time. You can use Oracle Identity Navigator to discover and launch the Oracle Access Manager Console from within the Oracle Identity Navigator user interface.
Performing the configuration in this section deploys the following:
Administration Server
Managed Server for Oracle Access Manager
Oracle Access Manager Console and Oracle Identity Navigator application on the Administration Server
The configuration in this section depends on the following:
Oracle WebLogic Server.
Installation of the Oracle Identity and Access Management 11g software.
Database schemas for Oracle Access Manager. For more information, see Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU).
Perform the following steps to configure Oracle Access Manager and Oracle Identity Navigator in a new WebLogic domain:
Ensure that all prerequisites, listed in Prerequisites, are satisfied. In addition, see Important Notes Before You Begin.
Run the <IAM_Home>/common/bin/config.sh
script (on UNIX). (<IAM_Home>\common\bin\config.cmd
on Windows). The Oracle Fusion Middleware Configuration Wizard appears.
On the Welcome screen, select the Create a new WebLogic domain option. Click Next. The Select Domain Source screen is displayed.
On the Select Domain Source screen, select the Generate a domain configured automatically to support the following products: option.
Select the following domain configuration options:
Oracle Access Manager with Database Policy Store - 11.1.1.3.0 [Oracle_IDM2]
Note:
When you select the Oracle Access Manager with Database Policy Store - 11.1.1.3.0 [Oracle_IDM2] option, the Oracle JRF - 11.1.1.0 [oracle_common] option is also selected, by default.
Oracle Identity Navigator - 11.1.1.3.0 [Oracle_IDM2]
After selecting the domain configuration options, click Next. The Specify Domain Name and Location screen is displayed.
On the Specify Domain Name and Location screen, enter a name and location for the domain to be created. In addition, enter a location to store applications for the domain. Click Next. The Configure Administrator User Name and Password screen is displayed.
Configure a user name and a password for the administrator. The default user name is weblogic. Click Next. The Configure Server Start Mode and JDK screen is displayed.
Choose JRockit SDK 1.6.0_24
and Production Mode in the Configure Server Start Mode and JDK screen of the Oracle Fusion Middleware Configuration Wizard. Click Next. The Configure JDBC Data Sources Screen is displayed.
On the Configure JDBC Sources screen, configure the oamDS
data source, as required. After the test succeeds, the Select Optional Configuration screen is displayed.
On the Select Optional Configuration screen, you can configure Administration Server, Managed Servers, Clusters, and Machines, Deployments and Services, and RDBMS Security Store. Select the relevant check boxes and click Next.
Optional: Configure Administration Server, as required.
Optional: Configure Managed Servers, as required.
Optional: Configure Clusters, as required.
For more information about configuring clusters for Oracle Identity and Access Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.
Optional: Assign Managed Servers to Clusters, as required.
Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.
Tip:
Before configuring a machine, use the ping
command to verify whether the machine or host name is accessible.
Optional: Assign the Administration Server to a machine.
Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.
Optional: Configure RDBMS Security Store, as required.
On the Configuration Summary screen, review the domain configuration, and click Create to start creating the domain.
A new WebLogic domain to support Oracle Access Manager and Oracle Identity Navigator is created in the <MW_HOME>\user_projects\domains
directory (on Windows). On UNIX, the domain is created in the <MW_HOME>/user_projects/domains
directory.
This topic describes how to configure Oracle Access Manager (OAM) in an Oracle Identity and Access Management domain that has Oracle Adaptive Access Manager (OAAM) and Oracle Identity Navigator (OIN) installed. It includes the following sections:
Perform the configuration in this topic if you want to install Oracle Access Manager in an environment where Oracle Adaptive Access Manager and Oracle Identity Navigator are already installed. At a later time, you may install Oracle Identity Manager in the same domain and set up integration between Oracle Access Manager and Oracle Identity Manager. You can also set up integration between Oracle Adaptive Access Manager and Oracle Access Manager, as described in the "Integrating OIM, OAM, and OAAM" topic in the Oracle Fusion Middleware Developer's Guide for Oracle Adaptive Access Manager.
You can use Oracle Identity Navigator to discover and launch Consoles for Oracle Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager from within the Oracle Identity Navigator user interface
Performing the configuration in this section deploys the following:
Managed Server for Oracle Access Manager
Oracle Access Manager Console on the existing Administration Server
The configuration in this section depends on the following:
Oracle WebLogic Server.
Installation of the Oracle Identity and Access Management 11g software.
Database schemas for Oracle Access Manager and Oracle Adaptive Access Manager. For more information, see Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU).
Installation and configuration of Oracle Adaptive Access Manager with Oracle Identity Navigator in a new WebLogic domain, as described in OAAM in a New WebLogic Domain.
Perform the following steps to configure Oracle Access Manager in an Oracle Identity and Access Management domain that has Oracle Adaptive Access Manager and Oracle Identity Navigator installed:
Ensure that all prerequisites, listed in Prerequisites, are satisfied. In addition, see Important Notes Before You Begin.
Configure Oracle Adaptive Access Manager and Oracle Identity Navigator in a new WebLogic domain, as described in OAAM in a New WebLogic Domain. A new WebLogic domain to support Oracle Adaptive Access Manager and Oracle Identity Navigator is created in the <MW_HOME>\user_projects\domains
directory (on Windows). On UNIX, the domain is created in the <MW_HOME>/user_projects/domains
directory.
Run the <IAM_Home>/common/bin/config.sh
script (on UNIX). (<IAM_Home>\common\bin\config.cmd
on Windows). The Oracle Fusion Middleware Configuration Wizard appears.
On the Welcome screen, select the Extend an existing WebLogic domain option. Click Next.
On the Select a WebLogic Domain Directory screen, browse to the directory that contains the WebLogic domain in which you configured Oracle Adaptive Access Manager and Oracle Identity Navigator. Click Next. The Select Extension Source screen appears.
On the Select Extension Source screen, select the Oracle Access Manager with Database Policy Store - 11.1.1.3.0 [Oracle_IDM2] domain configuration option.
After selecting the domain configuration options, click Next. The Configure JDBC Data Sources Screen is displayed. Configure the oamDS
data source, as required. After the test succeeds, the Configure JDBC Component Schema screen is displayed.
On the Configure JDBC Component Schema screen, select a component schema, such as the OAAM Admin Server Schema, the OAAM Admin MDS Schema, the User Messaging Service Schema, the OWSM MDS Schema, the OIM MDS Schema, or the SOA MDS Schema, that you want to modify.
You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, the Select Optional Configuration screen appears.
On the Select Optional Configuration screen, you can configure Managed Servers, Clusters, and Machines and Deployments and Services. Select the relevant check boxes and click Next.
Optional: Configure Managed Servers, as required.
Optional: Configure Clusters, as required.
For more information about configuring clusters for Oracle Identity and Access Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.
Optional: Assign Managed Servers to Clusters, as required.
Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.
Tip:
Before configuring a machine, use the ping
command to verify whether the machine or host name is accessible.
Optional: Assign the Administration Server to a machine.
Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.
On the Configuration Summary screen, review the domain configuration, and click Extend to start extending the domain.
Your existing domain with Oracle Adaptive Access Manager and Oracle Identity Navigator is extended to support Oracle Access Manager.
After configuring Oracle Access Manager in a new or existing domain, you must start the Oracle WebLogic Administration Server and various Managed Servers, as described in Starting or Stopping the Oracle Stack.
After installing and configuring Oracle Access Manager, you can perform the following optional tasks:
Configure your own LDAP to use instead of the default embedded LDAP, which comes with Oracle WebLogic Server.
Configure a policy store to protect resources.
Add more Managed Servers to the existing domain.
Add a Managed Server instance.
For more information, see the Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager with Oracle Security Token Service.
After completing the installation process, including post-installation steps, you can verify the installation and configuration of Oracle Access Manager (OAM) as follows:
Ensure that the Administration Server and the Managed Server are up and running.
Log in to the Administration Console for Oracle Access Manager using the URL: http://<adminserver-host>:<adminserver-port>/oamconsole
When you access this Administration Console running on the Administration Server, you are prompted to enter a user name and password. Note that you must have Administrator's role and privileges.
Verify the Oracle WebLogic Server Administration Console. If the installation and configuration of Oracle Access Manager is successful, this console shows the Administration Server (for example, oam_admin
) and the Managed Server (for example, oam_server) in the running mode. In addition, if you check Application Deployments in this console, both oam_admin
and oam_server must be in active state.
You can set up either Oracle HTTP Server WebGate or mod_OSSO as an Agent for Oracle Access Manager (OAM). Setting up an Agent involves the following steps:
Installing and Configuring the Agent (WebGate or mod_osso)
Registering the Agent as a Partner Application
Restarting the WebLogic Managed Servers
Oracle HTTP Server WebGate is a Web server plug-in that is shipped out-of-the-box with Oracle Access Manager. The Oracle HTTP Server WebGate intercepts HTTP requests from users for Web resources and forwards them to the Access Server for authentication and authorization. Oracle HTTP Server WebGate installation packages are found on media and virtual media that is separate from the core components.
To install and configure Oracle HTTP Server WebGate, complete the following steps:
Install Oracle HTTP Server 11g WebGate for Oracle Access Manager, as described in Installing and Configuring Oracle HTTP Server 11g Webgate for OAM.
Complete the post-installation steps and the registration setup, as described in Post-Installation Steps and Getting Started with a New Oracle HTTP Server 11g Webgate Agent for Oracle Access Manager.
For information about registering WebGate as a Partner Application, refer to the "Agent Registration" topic and the "Managing Agents: OAM (WebGate) and OSSO (mod_osso)" chapter in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager. Note that the Administration Server must be up and running when you are registering WebGate as a Partner Application.
For information about restarting Managed Servers, see Starting the Stack.
OSSO Agent (mod_osso) is used by Oracle HTTP Server to check for an existing, valid Oracle HTTP Server cookie. If necessary, it redirects to the Oracle Access Manager runtime server to communicate with the directory during authentication. In addition, it decrypts the encrypted user identity populated by the OSSO server and sets the headers with user attributes.
To install mod_osso, complete the following steps:
Install the latest version of Oracle HTTP Server. For information about installing the Web Tier, including Oracle HTTP Server, see Installing and Configuring Oracle HTTP Server 11g.
After patching your Oracle Web Tier software to the latest version, run the configuration tool to configure Oracle HTTP Server.
On UNIX operating systems:
<Web_Tier_ORACLE_HOME>/bin/config.sh
On Windows operating systems:
<Web_Tier_ORACLE_HOME>\bin\config.bat
For complete instructions, go to "Configuring Your Components" in Oracle Fusion Middleware Installation Guide for Oracle Web Tier.
Note:
After you configure Oracle HTTP Server, a working instance of Oracle HTTP Server is configured in an Instance Home.
Copy the mod_osso.conf
file from the <ORACLE_INSTANCE>/config/OHS/<OHS_INSTANCE>/disabled
directory to the <ORACLE_INSTANCE>/config/OHS/<OHS_INSTANCE>/moduleconf
directory.
Register mod_osso as a Partner Application.
For information about registering mod_osso as a Partner Application, refer to the "Agent Registration" topic and the "Managing Agents: OAM (WebGate) and OSSO (mod_osso)" chapter in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager. Note that the Administration Server must be up and running when you are registering mod_osso as a Partner Application.
Edit the mod_osso.conf
file to update the location of the osso.conf
file as follows:
<IfModule osso_module> OssoIpCheck off OssoIdleTimeout off OssoSecureCookies off OssoConfigFile <location of the osso.conf> <Location> require valid-user AuthType Osso </Location> </IfModule osso_module>
Restart Oracle HTTP Server by running the restartproc
command in Oracle Process Manager and Notification Server (OPMN) or by using Oracle Fusion Middleware Control.
For information about restarting Managed Servers, see Starting the Stack.
For information about setting up integration between Oracle Access Manager and Oracle Identity Manager (OIM), see "Integrating Oracle Access Manager and Oracle Identity Manager" in the Oracle Fusion Middleware Integration Guide for Oracle Access Manager.
After installing Oracle Access Manager (OAM), refer to the "Getting Started with Administering Oracle Access Manager" chapter in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager.