2 Understanding the Oracle Identity Management Installation

This chapter provides an overview of the Oracle Identity Management 11g Release 1 (11.1.1) installation. This chapter includes the following topics:

Note:

For information about installing the 11g (11.1.1.6.0) version of Oracle Internet Directory (OID), Oracle Virtual Directory (OVD), Oracle Directory Services Manager (ODSM), Oracle Directory Integration Platform (ODIP), and Oracle Identity Federation (OIF), see Overview of Oracle Identity Management (11.1.1.6.0) Installation.

For information about installing the 11g (11.1.1.5.0) version of Oracle Identity Manager (OIM), Oracle Access Manager (OAM), Oracle Adaptive Access Manager (OAAM), Oracle Entitlements Server (OES), and Oracle Identity Navigator (OIN), see Overview of Oracle Identity and Access Management (11.1.1.5.0) Installation.

2.1 Overview and Structure of Oracle Identity Management 11g Installation

This section discusses the following topics:

2.1.1 Overview

Oracle Identity Management 11g includes two distinct suites comprising the following Oracle Identity Management products:

Oracle Identity Management 11g Release 1 (11.1.1.6.0)

Oracle Identity Management 11g Release 1 (11.1.1.6.0) includes the following components:

    • Oracle Internet Directory (OID)

    • Oracle Virtual Directory (OVD)

    • Oracle Directory Services Manager (ODSM)

    • Oracle Directory Integration Platform (ODIP)

    • Oracle Identity Federation (OIF)

Note:

See Part II, "Installing and Configuring Oracle Identity Management (11.1.1.6.0)" in this guide for installing and configuring these products.

Oracle Identity and Access Management 11g Release 1 (11.1.1.5.0)

Oracle Identity and Access Management 11g Release 1 (11.1.1) includes the following components:

    • Oracle Identity Manager (OIM)

    • Oracle Access Manager (OAM)

    • Oracle Identity Navigator (OIN)

    • Oracle Adaptive Access Manager (OAAM)

    • Oracle Entitlements Server (OES)

Obtaining the Software

To obtain Oracle Identity and Access Management 11g Release 1 (11.1.1.5.0) software, refer to Oracle Fusion Middleware Download, Installation, and Configuration ReadMe available at:

https://download.oracle.com/docs/cd/E23104_01/download_readme.htm

Note:

See Part III, "Installing and Configuring Oracle Identity and Access Management (11.1.1.5.0)" in this guide for installing and configuring these products.

2.1.2 Structure of the Installation

If you install the Oracle Identity Management suite and the Oracle Identity and Access Management suite on the same machine, two Oracle Home directories (referred to as IDM_Home and IAM_Home in this guide) are created on the machine. For information about identifying installation directories, see Section 4.1.1, "Identifying Installation Directories" and Section 4.2.4, "Identifying Installation Directories".

Note that two IDM_Home directories are mentioned in descriptions and procedures throughout this guide. For example, the first one, IDM_Home, can be the IDM_Home directory for Oracle Internet Directory, Oracle Virtual Directory, Oracle Directory Services Manager, Oracle Directory Integration Platform, and Oracle Identity Federation. The second one, IAM_Home, can be the IDM_Home directory for Oracle Identity Manager, Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Entitlements Server, and Oracle Identity Navigator.

However, note that IDM_Home and IAM_Home are used as examples in this guide. You can specify any name for either of your IDM_Home directories. In addition, you can install the two distinct Oracle Identity Management suites in any order on your machine.

If you choose to use the default names, the first installation creates an Oracle_IDM1 directory, and the second installation creates an Oracle_IDM2 directory.

2.2 Overview of Oracle Identity Management (11.1.1.6.0) Installation

This section discusses the following topics:

2.2.1 Installation Roadmap

Table 2-1 describes the high-level tasks for installing and configuring Oracle Identity Management. The table also provides information on where to get more details about each task.

Table 2-1 Tasks in the Oracle Identity Management Installation Procedure

Task 1 - Prepare your environment for installation.

    • Description: Ensure that your system environment meets the general installation requirements for Oracle Fusion Middleware as well as Oracle Identity Management and RCU.

    • Documentation: For system requirements information, go to http://www.oracle.com/technetwork/middleware/ias/downloads/fusion-requirements-100147.html. For certification information, go to http://www.oracle.com/technetwork/middleware/ias/downloads/fusion-certification-100350.html.

    • Mandatory or Optional?: Mandatory

Task 2 - Run RCU to create the necessary schemas.

    • Description: Oracle Identity Management components require schemas that must be installed in an Oracle database. You create and load these schemas in your database by using RCU.

    • Documentation: Make sure you have a supported Oracle database up and running. See http://www.oracle.com/technetwork/middleware/ias/downloads/fusion-certification-100350.html for more information. Instructions for creating the schema are provided in "Running Oracle Fusion Middleware Repository Creation Utility (RCU)" in the Oracle Fusion Middleware Repository Creation Utility User's Guide. In addition, refer to Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU) in this guide.

    • Mandatory or Optional?: Mandatory

Task 3 - Install Oracle WebLogic Server 11g Release 1 (10.3.6) and create a Middleware home.

    • Description: Oracle Identity Management requires a Middleware home directory. The Middleware home is created during the Oracle WebLogic Server installation. The WebLogic Server installer also creates the WebLogic home directory within the Oracle Middleware home directory.

    • Documentation: Installation instructions are provided in Oracle WebLogic Server Installation Guide. For more information about the Middleware home and WebLogic home directories, see Oracle Fusion Middleware Concepts Guide.

    • Mandatory or Optional?: Mandatory

Task 4 - Install Oracle Identity Management

    • Description: Use the installer to install Oracle Identity Management 11.1.1.6.0.

    • Documentation: See Installing Oracle Identity Management Using "Install and Configure" Option. For more information about the installation types, see Installation Types: "Install Software - Do Not Configure" vs. "Install and Configure".

    • Mandatory or Optional?: Mandatory

Task 5 - Configure Oracle Identity Management

    • Description: After installing, run the Configuration Tool to configure your Oracle Identity Management components. Note: This step applies if you selected Install Software - Do Not Configure option in the Select Installation Type screen while installing Oracle Identity Management 11g Release 1 (11.1.1.6.0).

    • Documentation: See the following topics in this guide:

    • Mandatory or Optional?: Optional


2.2.2 Installation Types: "Install Software - Do Not Configure" vs. "Install and Configure"

The Select Installation Type screen in the Installer presents two options: Install and Configure and Install Software - Do Not Configure. This section describes both options:

2.2.2.1 Understanding the "Install Software - Do Not Configure" Option

Choose the Install Software - Do Not Configure option to install Oracle Identity Management components without configuring them during installation. If you choose the Install Software - Do Not Configure option, the Installer installs the component software and then closes. Oracle Identity Management components will not start running after deploying them using the Install Software - Do Not Configure option, as additional configuration is needed.

After you install components using the Install Software - Do Not Configure option, you can configure them at a later time using the Oracle Identity Management 11g Release 1 (11.1.1.6.0) Configuration Wizard. To start the Oracle Identity Management 11g Release 1 (11.1.1.6.0) Configuration Wizard, execute the ORACLE_HOME/bin/config.sh script (config.bat on Windows).

2.2.2.2 Understanding the "Install and Configure" Option

The Install and Configure option allows you to install Oracle Identity Management components and simultaneously configure some of their fundamental elements, such as passwords, user names, and so on. Oracle Identity Management components start running and are immediately ready for use after deploying them using the Install and Configure option.

2.2.3 Understanding Oracle WebLogic Server Administration Domain Options

During installation, you have several options for choosing how the Oracle Identity Management components are installed in relation to an Oracle WebLogic Server administration domain. A domain includes a special WebLogic Server instance called the Administration Server, which is the central point from which you configure and manage all resources in the domain.

This section describes each domain option for installing Oracle Identity Management components:

See:

The "Understanding Oracle WebLogic Server Domains" chapter in the Oracle Fusion Middleware Understanding Domain Configuration for Oracle WebLogic Server guide for more information about Oracle WebLogic Server administration domains.

2.2.3.1 Create New Domain

Select the Create New Domain option to create a new Oracle WebLogic Server administration domain and install Oracle Identity Management components in it. When you install Oracle Identity Management components in a new domain, the Fusion Middleware Control management component and the Oracle WebLogic Administration Server are automatically deployed with them.

2.2.3.2 Extend Existing Domain

Select the Extend Existing Domain option to install Oracle Identity Management components in an existing Oracle WebLogic Server administration domain. When you install Oracle Identity Management components using this option, they are essentially "joining" an existing domain.

Note:

To install Oracle Identity Management components in an existing Oracle WebLogic Server administration domain, each Oracle WebLogic Server Home, Oracle Middleware Home, and Oracle Home directory in the domain must have identical directory paths and names.

If you want to install and configure Oracle Identity Management components in an existing Oracle WebLogic Server administration domain, by using either the Installer or the Oracle Identity Management 11g Release 1 Configuration Wizard, the existing domain must have been created using the Oracle Identity Management 11g Release 1 Installer. You cannot extend an existing domain for Oracle Identity Management components if the domain was created by another program, such as the Oracle SOA Installer or the Oracle Fusion Middleware Configuration Wizard.

Note:

When you install components using the Extend Existing Domain option, you must provide some credentials for the existing domain, including the user name for the domain. You must enter the user name in ASCII characters only.

2.2.3.3 Expand Cluster

Select the Expand Cluster option to install Oracle Identity Management components in an Oracle WebLogic Server cluster for High Availability (HA). This document does not explain how to install Oracle Identity Management components in HA configurations. Refer to the following documents for more information:

2.2.3.4 Configure Without a Domain

Select the Configure without a Domain option to install Oracle Identity Management components and configure them to be without domain membership.

Note:

Only the Oracle Internet Directory and Oracle Virtual Directory components are certified for installation without a domain.

For Oracle Internet Directory, the Configure without a Domain option is appropriate for environments that have both of the following conditions:

  • You do not want to include Oracle Internet Directory in a WebLogic Server administration domain for management purposes.

  • You do not want to manage Oracle Internet Directory and Oracle Directory Services Manager using Fusion Middleware Control.

For Oracle Virtual Directory, the Configure without a Domain option is appropriate if you want to register Oracle Virtual Directory with a remote WebLogic Administration Server for management purposes, but you do not want to install Oracle WebLogic Server locally.

2.2.4 Installing Components on Separate Systems

You can install Oracle Fusion Middleware instances on separate systems. You can also distribute Oracle Fusion Middleware components over multiple systems, which is especially useful for Oracle Identity Management components. You might want to distribute components to improve performance, security, scalability, and availability of Oracle Identity Management services.

The following are two (of many) examples of Oracle Identity Management deployments that benefit from distributing components over multiple systems:

  • Oracle Internet Directory on one system, and Oracle Directory Services Manager and Oracle Directory Integration Platform on a separate system.

  • Oracle Identity Management components use an Oracle Database to contain the Oracle Metadata Repository. The Oracle Identity Management components and the Oracle Database are installed on separate systems.

    Note:

    If you install Oracle Identity Management components on a separate system from the database containing the Oracle Metadata Repository, the Oracle Identity Management components will need network access to the repository.

See:

The following documents if you want to configure more than one Oracle Internet Directory against the same Oracle Metadata Repository:

2.2.5 Executing the oracleRoot.sh Script on UNIX Platforms

During installation on UNIX platforms, the Installer prompts you to log in as the root user and run the oracleRoot.sh script. You must log in as the root user because the script creates files, edits files, and changes the permissions of certain Oracle executable files in the <Oracle_IDM_Home>/bin directory.

If the oracleRoot.sh script finds files of the same name, it prompts you to indicate whether or not to overwrite the existing files. Back up the existing files (you can do this from another window), then overwrite them.
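Because oracleRoot.sh runs as root and changes files and permissions in the <Oracle_IDM_Home>/bin directory, it is useful to record that directory's state before running the script and compare it afterward. The following is an added example, not part of the Oracle installer: it snapshots mode, owner, group, and SHA-256 for each file and reports what changed. The file names used in the demo are constructed.

```python
import hashlib
import os
import stat
import tempfile


def snapshot(bin_dir):
    """Record mode, owner, group and SHA-256 of each regular file in bin_dir."""
    snap = {}
    for entry in os.scandir(bin_dir):
        if not entry.is_file(follow_symlinks=False):
            continue  # skip directories and symlinks
        st = entry.stat(follow_symlinks=False)
        with open(entry.path, "rb") as fh:
            digest = hashlib.sha256(fh.read()).hexdigest()
        snap[entry.name] = {
            "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid,
            "gid": st.st_gid,
            "sha256": digest,
        }
    return snap


def diff_snapshots(before, after):
    """Return (name, field, old, new) for every difference between snapshots."""
    changes = []
    for name in sorted(set(before) | set(after)):
        old, new = before.get(name), after.get(name)
        if old is None:
            changes.append((name, "created", None, new["mode"]))
        elif new is None:
            changes.append((name, "removed", old["mode"], None))
        else:
            for field in ("mode", "uid", "gid", "sha256"):
                if old[field] != new[field]:
                    changes.append((name, field, old[field], new[field]))
    return changes


def needs_review(snap):
    """Files that are setuid/setgid or writable by group or others."""
    risky = stat.S_ISUID | stat.S_ISGID | stat.S_IWGRP | stat.S_IWOTH
    return sorted(name for name, rec in snap.items() if rec["mode"] & risky)


if __name__ == "__main__":
    # Constructed stand-in for <Oracle_IDM_Home>/bin; point snapshot() at the
    # real directory before and after running oracleRoot.sh.
    with tempfile.TemporaryDirectory() as bin_dir:
        path = os.path.join(bin_dir, "sample_tool")
        with open(path, "w") as fh:
            fh.write("original contents")
        os.chmod(path, 0o750)
        before = snapshot(bin_dir)

        # Simulate a root script replacing the file and widening permissions.
        with open(path, "w") as fh:
            fh.write("replaced contents")
        os.chmod(path, 0o775)
        after = snapshot(bin_dir)

        for name, field, old, new in diff_snapshots(before, after):
            if field == "mode":
                old, new = oct(old), oct(new)
            print(f"{name}: {field} {old} -> {new}")
        print("review:", needs_review(after))
```

Keep the "before" snapshot alongside your backup of the existing files so that an unexpected ownership or mode change can be traced to the script run.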

2.2.6 Understanding the State of Oracle Identity Management Components After Installation

This topic provides information about the state of Oracle Identity Management components after installation, including:

2.2.6.1 Default SSL Configurations

By default, Oracle Internet Directory and Oracle Virtual Directory are installed with SSL configured. You must configure SSL for the Oracle WebLogic Administration Server and Oracle WebLogic Managed Server after installation.

See:

The Oracle Fusion Middleware Administrator's Guide for more information.

2.2.6.2 Default Passwords

By default, the passwords for all Oracle Identity Management components are set to the password for the Oracle Identity Management Instance. For security reasons, after installation, you should change the passwords of the various components so they have different values.

See:

The following documents for information about changing passwords for Oracle Identity Management components:

2.2.6.3 Ports Assigned Using Auto Port Configuration

When you use the Auto Port Configuration option during installation, the Installer follows specific steps to assign ports. The following information describes the default ports and port assignment logic the Installer uses to assign ports for various Oracle Identity Management components when you use the Auto Port Configuration option during installation.

  • Oracle Virtual Directory:

    • Non-SSL port: 6501

    • SSL port: 7501

    • Admin port: 8899

    • HTTP port: 8080

    First, the Installer attempts to assign the default port. If the default port is unavailable, the Installer tries ports within a range of 50 from the default port. For example, when the Installer assigns the non-SSL port for Oracle Virtual Directory, it first attempts to assign 6501. If 6501 is unavailable, it tries ports from 6501 to 6551. The Installer uses this approach to assign all Oracle Virtual Directory ports.

  • Oracle Internet Directory:

    • Non-SSL port: 3060

    • SSL port: 3131

    First, the Installer attempts to assign default ports. If the non-SSL port is unavailable, the Installer tries ports from 3061 to 3070, then from 13060 to 13070. Similarly, the Installer first attempts to assign 3131 as the SSL port, then ports from 3132 to 3141, and then from 13131 to 13141.

  • Oracle Identity Federation: 7499

    First, the Installer attempts to assign the default port. If the default port is unavailable, the Installer tries ports in increments of one, that is: 7500, then 7501, then 7502, and so on. The Installer tries ports up until 9000 to find an available port.

  • Oracle Directory Services Manager: 7005

    First, the Installer attempts to assign the default port. If the default port is unavailable, the Installer tries ports in increments of one, that is: 7006, then 7007, then 7008, and so on. The Installer tries ports up until 9000 to find an available port.

  • Oracle WebLogic Administration Server: 7001
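Firewall rules and port inventories written against the defaults will miss a component that Auto Port Configuration moved to a fallback port. The following added example (not Oracle's code) encodes the search order described above so you can see where each port may have landed and which components could own a given listening port. The "default" kind labels, the inclusive 9000 upper bound, and the sample in-use ports are assumptions.

```python
def _span(first, last):
    """Inclusive port range as a list."""
    return list(range(first, last + 1))


# (component, port kind) -> ordered list of ports the Installer tries.
# OVD: default, then up to default + 50.
# OID: default, the next ten ports, then the same window shifted by 10000.
# OIF and ODSM: default, then +1 at a time up to 9000 (assumed inclusive).
# The page describes no fallback for the WebLogic Administration Server,
# so only its default is listed.
AUTO_PORT_CANDIDATES = {
    ("OVD", "non-ssl"): _span(6501, 6551),
    ("OVD", "ssl"): _span(7501, 7551),
    ("OVD", "admin"): _span(8899, 8949),
    ("OVD", "http"): _span(8080, 8130),
    ("OID", "non-ssl"): _span(3060, 3070) + _span(13060, 13070),
    ("OID", "ssl"): _span(3131, 3141) + _span(13131, 13141),
    ("OIF", "default"): _span(7499, 9000),
    ("ODSM", "default"): _span(7005, 9000),
    ("WLS Admin Server", "default"): [7001],
}


def first_free(component, kind, in_use):
    """Port the documented search order settles on, or None if none is free."""
    for port in AUTO_PORT_CANDIDATES[(component, kind)]:
        if port not in in_use:
            return port
    return None


def possible_owners(port):
    """Every (component, kind) whose search order includes this port."""
    return sorted(
        key for key, ports in AUTO_PORT_CANDIDATES.items() if port in ports
    )


def drifted(in_use):
    """Components that would land on a non-default port given ports in use.

    Each component is evaluated independently; ports the Installer itself
    assigns earlier in the same run are not modelled (assumption).
    """
    result = {}
    for (component, kind), ports in AUTO_PORT_CANDIDATES.items():
        chosen = first_free(component, kind, in_use)
        if chosen is not None and chosen != ports[0]:
            result[(component, kind)] = chosen
    return result


if __name__ == "__main__":
    # Constructed example: another service already holds 3060 and 7499.
    busy = {3060, 7499}
    for key, port in drifted(busy).items():
        print(f"{key[0]} {key[1]}: expect {port}, not the default")
    # The search ranges overlap, so one port can belong to several components.
    print("7501 could belong to:", possible_owners(7501))
```

The overlap matters when auditing: a listener found on 7501 is not necessarily the Oracle Virtual Directory SSL port, so confirm the owning process before writing an allow rule for it.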

2.3 Overview of Oracle Identity and Access Management (11.1.1.5.0) Installation

This section discusses the following topics:

2.3.1 Installation Roadmap

Table 2-2 lists the tasks required to install and configure Oracle Identity Manager, Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Entitlements Server, and Oracle Identity Navigator.

Table 2-2 Installation Flow for Oracle Identity and Access Management

No. 1

    • Task: Review installation concepts in the Installation Planning Guide.

    • Description: Read the Oracle Fusion Middleware Installation Planning Guide, which describes the process for various users to install or upgrade to Oracle Fusion Middleware 11g (11.1.1.5) depending on the user's existing environment.

No. 2

    • Task: Review the system requirements and certification documents to ensure that your environment meets the minimum installation requirements for the components you are installing.

    • Description: Read the System Requirements and Specifications document that covers information such as hardware and software requirements, minimum disk space and memory requirements, and required system libraries, packages, or patches: http://www.oracle.com/technetwork/middleware/ias/downloads/fusion-requirements-100147.html

      Read the Certification document that covers supported installation types, platforms, operating systems, databases, JDKs, and third-party products: http://www.oracle.com/technetwork/middleware/ias/downloads/fusion-certification-100350.html

No. 3

    • Task: Install the Oracle 11.1.1 database and any required patches.

    • Description: For more information, see Installing Oracle Database.

No. 4

    • Task: Install Oracle WebLogic Server 11g Release 1 (10.3.5), and create a Middleware Home.

    • Description: For more information, see Installing Oracle WebLogic Server and Creating the Oracle Middleware Home.

No. 5

    • Task: Run Oracle Fusion Middleware Repository Creation Utility (RCU) to create and load the appropriate schemas for Oracle Identity and Access Management products.

    • Description: For more information, see Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU).

No. 6

    • Task: Install the Oracle Identity and Access Management 11g software.

    • Description: For more information, see Installing Oracle Identity and Access Management (11.1.1.5.0).

No. 7

    • Task: For Oracle Identity Manager users only: Install the latest version of Oracle SOA Suite 11g (11.1.1.5.0).

    • Description: Install the 11.1.1.5.0 version of Oracle SOA Suite. For more information, see Installing the Latest Version of Oracle SOA Suite (Oracle Identity Manager Users Only).

No. 8

    • Task: Run the Oracle Fusion Middleware Configuration Wizard to configure your Oracle Identity and Access Management products in a new or existing WebLogic domain.

    • Description: For more information, see the following chapters:

No. 9

    • Task: Start the servers.

    • Description: For more information, see Starting the Stack.

No. 10

    • Task: For Oracle Identity Manager users only: Run the Oracle Identity Manager Configuration Wizard to configure Oracle Identity Manager Server, Design Console, or Remote Manager.

    • Description: Note that you should run the Oracle Identity Manager Server after completing this configuration. For more information, see the following topics:


Oracle Identity and Access Management components will not start running after installing them using the Oracle Identity and Access Management 11g Installer. For information about starting the components after installation, see the Getting Started topics in specific chapters in this guide.

The following figure illustrates the process of installing the Oracle Identity and Access Management 11g software components (the suite containing OIM, OAM, OAAM, OES, and OIN).

Figure 2-1 Oracle Identity and Access Management Installation and Configuration Workflow


Table 2-3 lists the Installers and tools used to install and configure Oracle Identity and Access Management 11g components at different stages of the installation process.

Table 2-3 Installation and Configuration Tools

Task: Install Oracle WebLogic Server

    • Tool: Oracle WebLogic Server Installer. For more information, see Installing Oracle WebLogic Server and Creating the Oracle Middleware Home.

Task: Install Oracle SOA 11g Suite

    • Tool: Oracle SOA 11g Suite Installer. For more information, see Installing the Latest Version of Oracle SOA Suite (Oracle Identity Manager Users Only).

Task: Create and load database schema

    • Tool: Oracle Fusion Middleware Repository Creation Utility (RCU). For more information, see Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU).

Task: Upgrade your existing database schema

    • Tool: Oracle Fusion Middleware 11g Upgrade Assistant. For more information, see the guide Oracle Fusion Middleware Upgrade Guide for Oracle Identity Management.

Task: Install the Oracle Identity and Access Management 11g software

    • Tool: Oracle Identity and Access Management 11g Installer. For more information, see Installing Oracle Identity and Access Management (11.1.1.5.0).

Task: Create or extend a WebLogic administration domain

    • Tool: Oracle Fusion Middleware Configuration Wizard. For more information, see Screens in Oracle Fusion Middleware Configuration Wizard.

Task: Install and configure Oracle Identity Manager Server, Design Console, and Remote Manager

    • Tool: Oracle Identity Manager 11g Configuration Wizard. For more information, see Configuring OIM Server, Design Console, and Remote Manager.


2.3.2 Prerequisite Checks Performed by the Oracle Identity and Access Management Installer

The Oracle Identity and Access Management 11g Release 1 (11.1.1) Installer ensures that your machine has a certified version of the operating system, the correct software packages (service packs), and sufficient physical memory to install the Oracle Identity and Access Management applications on your machine.

On Windows operating systems, the Installer verifies the operating system version, service pack, and physical memory (at least 1024 MB).

On UNIX operating systems, the Installer verifies the operating system version, operating system packages, kernel parameters, glibc version, and physical memory (at least 1024 MB).

See:

Oracle Fusion Middleware System Requirements and Specifications available at:

http://www.oracle.com/technetwork/middleware/ias/downloads/fusion-requirements-100147.html

2.3.3 Understanding Oracle WebLogic Server Administration Domain Options

After Oracle Identity and Access Management 11g is installed, you are ready to configure the WebLogic Server Administration Domain for Oracle Identity and Access Management components. A domain includes a special WebLogic Server instance called the Administration Server, which is the central point from which you configure and manage all resources in the domain.

This section describes each domain option for installing Oracle Identity and Access Management components:

See:

The "Understanding Oracle WebLogic Server Domains" chapter in the Oracle Fusion Middleware Understanding Domain Configuration for Oracle WebLogic Server guide for more information about Oracle WebLogic Server administration domains.

2.3.3.1 Create a New Domain

Select the Create a new WebLogic domain option on the Welcome screen in the Oracle Fusion Middleware Configuration Wizard to create a new WebLogic Server domain.

2.3.3.2 Extend an Existing Domain

Select the Extend an existing WebLogic domain option on the Welcome screen in the Oracle Fusion Middleware Configuration Wizard to add Oracle Identity and Access Management components in an existing Oracle WebLogic Server administration domain. When you add Oracle Identity and Access Management components using this option, they are essentially "joining" an existing domain.

For more information, see Understanding Domain Extension Scenarios.

2.3.4 Additional Configuration Using the Oracle Identity Manager 11g Configuration Wizard

Read this section only if you are installing Oracle Identity Manager. After you install Oracle Identity Manager by using the Oracle Identity and Access Management 11g Installer software, you can encrypt secure data in Oracle Identity Manager schema, create keystores, and so on. You can configure such elements by using the Oracle Identity Manager 11g Release 1 (11.1.1) Configuration Wizard, which is included with the release media.

On UNIX operating systems, to start the Oracle Identity Manager 11g Release 1 (11.1.1) Configuration Wizard, run the <IAM_Home>/bin/config.sh script. On Windows operating systems, run the <IAM_Home>\bin\config.bat script. Note that IAM_Home refers to your IDM_Home directory that contains Oracle Identity Manager, Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Entitlements Server, and Oracle Identity Navigator.

2.3.5 Additional 11g Release 1 (11.1.1) Deployment Information

This topic describes additional sources for 11g Release 1 (11.1.1) deployment information, including documentation on the following subjects:

See Also:

The "Related Documents" section in this guide's Preface for a list of documents that provide additional information about Oracle Identity and Access Management components.

2.3.5.1 Upgrading to 11g Release 1 (11.1.1)

This guide does not explain how to upgrade previous versions of Oracle Identity and Access Management components to 11g Release 1 (11.1.1). To upgrade an Oracle Identity and Access Management component:

From Release 10g to 11g Release 1 (11.1.1), refer to: 

2.3.5.2 Installing 11g Release 1 (11.1.1) for High Availability

This guide does not explain how to install Oracle Identity and Access Management components in High Availability (HA) configurations. To install an Oracle Identity and Access Management component in a High Availability configuration, refer to the following documents:

Specifically, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.

2.3.6 Silent Installation

In addition to the standard graphical installation option, you can perform silent installation of the Oracle Identity and Access Management 11g software. A silent installation runs on its own without any intervention, and you do not have to monitor the installation and provide input to dialog boxes.

For more information, see Performing a Silent Installation.

2.3.7 Installing Components on Separate Systems

You can install Oracle Fusion Middleware instances on separate systems. You can also distribute Oracle Fusion Middleware components over multiple systems, which is especially useful for Oracle Identity and Access Management components. You might want to distribute components to improve performance, security, scalability, and availability of Oracle Identity and Access Management services.

The following are two (of many) examples of Oracle Identity and Access Management deployments that benefit from distributing components over multiple systems:

  • Oracle Identity Manager Server on one system, and Oracle Identity Manager Design Console on a different system.

  • Oracle Identity and Access Management components use an Oracle Database to contain the Oracle Metadata Repository. The Oracle Identity and Access Management components and the Oracle Database are installed on separate systems.

    Note:

    If you install Oracle Identity and Access Management components on a separate system from the database containing the Oracle Metadata Repository, the Oracle Identity and Access Management components will need network access to the repository.

2.3.8 Screens in Oracle Fusion Middleware Configuration Wizard

The Oracle Fusion Middleware Configuration Wizard displays screens based on your domain configuration options. You can use the Oracle Fusion Middleware Configuration Wizard in the following scenarios:

  • Creation of a new WebLogic administration domain, which involves the configuration of Administration Server parameters, server start mode, and so on.

  • Configuration of an existing domain to support Oracle Identity and Access Management components by extending the domain.

See:

The "Customizing the Domain Environment" chapter in the Oracle Fusion Middleware Creating Domains Using the Configuration Wizard guide for more information about configuring your domain.

2.3.9 Understanding the State of Oracle Identity and Access Management Components After Installation

This topic provides information about the state of Oracle Identity and Access Management components after installation, including:

2.3.9.1 Default SSL Configurations

By default, most of the Oracle Identity and Access Management 11g components are not installed with SSL configured. Only Oracle Adaptive Access Manager is configured with SSL. For other components, you must configure SSL for the Oracle WebLogic Administration Server and Oracle WebLogic Managed Server after installation.

2.3.9.2 Default Passwords

By default, the passwords for all Oracle Identity and Access Management components are set to the password for the Oracle Identity and Access Management Instance. For security reasons, after installation, you should change the passwords of the various components so they have different values.

See:

The following documents for information about changing passwords for Oracle Identity and Access Management components: