| Oracle® Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management (Oracle Fusion Applications Edition) 11g Release 1 (11.1.2) Part Number E21032-03 |
|
|
PDF · Mobi · ePub |
| Oracle® Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management (Oracle Fusion Applications Edition) 11g Release 1 (11.1.2) Part Number E21032-03 |
|
|
PDF · Mobi · ePub |
This chapter describes how to install and configure Oracle Identity Manager 11.1.1 for use in the Oracle Identity Management Enterprise Deployment Topology.
This chapter contains the following topics:
Section 13.2, "Enabling Virtual IP Addresses on OIMHOST1 and OIMHOST2"
Section 13.4, "Configuring Oracle Identity Manager on IDMHOST1"
Section 13.10, "Configuring Oracle Identity Manager to Reconcile from ID Store"
Section 13.11, "Configuring Oracle Identity Manager to Work with the Oracle Web Tier"
Section 13.12, "Configuring a Default Persistence Store for Transaction Recovery"
Section 13.13, "Configuring an IT Resource Instance for Email"
Section 13.15, "Updating the Username Generation Policy for Active Directory"
Section 13.18, "Provisioning Users to the Enterprise Identity Store in a Multidirectory Scenario."
Section 13.19, "Backing Up the Application Tier Configuration"
Oracle Identity Manager is a user provisioning and administration solution that automates the process of adding, updating, and deleting user accounts from applications and directories. It also improves regulatory compliance by providing granular reports that attest to who has access to what. Oracle Identity Manager is available as a standalone product or as part of Oracle Identity Management.
Automating user identity provisioning can reduce Information Technology (IT) administration costs and improve security. Provisioning also plays an important role in regulatory compliance. Key features of Oracle Identity Manager include password management, workflow and policy management, identity reconciliation, reporting and auditing, and extensibility through adapters.
Oracle Identity Manager provides the following key functionalities:
User Administration
Workflow and Policy
Password Management
Audit and Compliance Management
Integration Solutions
User Provisioning
Organization and Role Management
For details about Oracle Identity Manager, see the Oracle Fusion Middleware System Administrator's Guide for Oracle Identity Manager.
Before extending the domain with Oracle Identity Manager, ensure that the following tasks have been performed:
Ensure that the virtual IP addresses for the Oracle Identity Manager and SOA managed servers have been provisioned. See Section 2.2.3, "Virtual IP Addresses" for details
Install and upgrade the following software on IDMHOST1, IDMHOST2, OIMHOST1 and OIMHOST2:
WebLogic Server: See Section 4.5.4.
Oracle Identity Management: See Section 4.5.5 and Section 4.5.6.
Oracle SOA Suite: See Section 4.5.7.
Oracle Identity and Access Management: See Section 4.5.8.
Ensure that you have created the wlfullclient.jar file, as described in Section 4.6.4, "Creating the wlfullclient.jar File."
Install and configure the Oracle Internet Directory instances, as described in Chapter 7.
If you are using Oracle Virtual Directory, ensure you have extended the domain with Oracle Virtual Directory as described in Chapter 9.
Provision the Oracle Identity Management users as described in Section 11.4.3, "Creating Users and Groups for Oracle Identity Manager."
On IDMHOST1, edit the file DOMAIN_HOME/config/fmwconfig/jps-config.xml. Locate the entry that looks like this:
<serviceInstance location=Path_to_Domain/config/fmwconfig/default-keystore.jks" provider="keystore.provider" name="keystore.ldap">
Remove the Path from the keystore location so that the final entry looks like this:
<serviceInstance location="./default-keystore.jks" provider="keystore.provider" name="keystore.ldap">
Save the file.
Stop all the managed servers running in your domain before extending the domain with Oracle Identity Manager.
Note:
Oracle SOA deployed along with Oracle Identity Manager is used exclusively for Oracle Identity Manager work flow. It cannot be used for other purposes.
The Identity Management domain uses virtual host names as the listen addresses for the Oracle Identity Manager and SOA managed servers. You must enable two virtual IP addresses mapping each of these host names on each of the two Oracle Identity Manager machines. Specifically, enable OIMVHN1 and SOAVHN1 on OIMHOST1 and enable OIMVHN2 and SOAVHN2 on OIMHOST2. These virtual addresses must correctly resolve to the virtual host names in the network system used by the topology, either by DNS Server or by hosts resolution.To enable the virtual IP addresses, follow the steps described in Section 6.1, "Enabling ADMINVHN on IDMHOST1." These virtual IP addresses and virtual host names are required to enable server migration for the Oracle Identity Manager and SOA servers. Server migration must be configured for the Oracle Identity Manager and SOA managed servers for high availability purposes.
See Also:
Chapter 16, "Configuring Server Migration for Oracle Identity Manager" for more details about configuring server migration for the Oracle Identity Manager and SOA Managed servers.
Although you deploy Oracle Identity Manager on servers dedicated to it (OIMHOST1 and OIMHOST2), you must first extend the WebLogic domain with Oracle Identity Manager on IDMHOST1. Configure Oracle Identity Manager on IDMHOST1 as follows.
To extend the domain with Oracle Identity Manager on IDMHOST1, start the configuration wizard by executing the command:
ORACLE_COMMON_HOME/common/bin/config.sh
Proceed as follows
On the Welcome screen, select Extend an existing WebLogic Domain.
Click Next.
On the Select WebLogic Domain Directory screen, select the location of the domain directory for the OIM domain. For Example: /u01/app/oracle/admin/IDMDomain/aserver/IDMDomain.
Click Next.
On the Select Extension Source screen, select Extend my domain automatically to support the following added products. From the list below, select: Oracle Identity Manager.
Note:
Oracle SOA Suite and Oracle WSM Policy Manager are selected automatically. If Oracle WSM Policy Manager has already been installed, the choice is not available.
Select Next.
The Configure RAC Multi Data Sources screen displays the schedulerDS Data Source configured for Oracle Directory Integration Platform and Oracle Directory Services manager (ODSM). Do not make any selections or changes on this screen.
Click Next.
On the Configure JDBC Component Schemas screen, select all the data sources listed on the page:
SOA Infrastructure
User Messaging Service
OIM MDS Schema
OWSM MDS Schema
SOA MDS Schema
OIM Schema
Select Configure selected component schemas as RAC multi data source schemas in the next panel.
Click Next.
On the Configure RAC Multi Data Source Component Schema page, select all the schemas for your component. Do not select schemas listed for previously configured components. Then enter the following information:
| Schema Name | Service Name | Host Names | Instance Names | Port | Schema Owner | Password |
|---|---|---|---|---|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
||||
|
|
|
|
|
|
|
|
|
|
|
|
||||
|
|
|
|
|
|
|
|
|
|
|
|
||||
|
|
|
|
|
|
|
|
|
|
|
|
||||
|
|
|
|
|
|
|
|
|
|
|
|
||||
|
|
|
|
|
|
|
|
|
|
|
|
If you are using Oracle Database 11.2, replace the vip address and port with the 11.2 SCAN address and port.
Click Next.
On the Test Component Schema screen, the Configuration Wizard attempts to validate the data sources. If the data source validation succeeds, click Next. If it fails, click Previous, correct the problem, and try again.
Click Next.
On the Select Optional Configuration screen, Select:
JMS Distributed Destination
Managed Servers, Clusters and Machines
JMS File Store
Click Next.
On the JMS Distributed Destination screen, ensure that all the JMS system resources listed on the screen are uniform distributed destinations. If they are not, select UDD form the drop down box. Ensure that the entries look like this:
| JMS System Resource | Uniform/Weighted Distributed Destination |
|---|---|
|
UMSJMSSystemResource |
|
|
SOAJMSModule |
|
|
OIMJMSModule |
|
|
BPMJMSModule |
|
Click Next.
An Override Warning box with the following message is displayed:
CFGFWK-40915: At least one JMS system resource has been selected for conversion to a Uniform Distributed Destination (UDD). This conversion will take place only if the JMS System resource is assigned to a cluster
Click OK on the Override Warning box.
When you first enter the Configure Managed Servers screen, two managed servers called oim_server1 and soa_server1 are created automatically. Rename soa_server1 to WLS_SOA1 and oim_server1 to WLS_OIM1 and update their attributes as shown in the following table. Then, add two new managed servers called WLS_OIM2 and WLS_SOA2 with the following attributes.
| Name | Listen Address | Listen Port | SSL Listen Port | SSL Enabled |
|---|---|---|---|---|
|
|
|
|
N/A |
No |
|
|
|
|
N/A |
No |
|
|
|
|
N/A |
No |
|
|
|
|
N/A |
No |
Notes:
Do not change the configuration of the managed servers that were configured as a part of previous deployments.
Do not delete the default managed servers that are created. Rename them as described.
On the Configure Clusters screen, create two clusters, by clicking Add. Supply the following information:
OIM Cluster:
Name: cluster_oim
Cluster Messaging Mode: unicast
SOA Cluster:·
Name: cluster_soa
Cluster Messaging Mode: unicast
Leave all other fields at the default settings and click Next.
Note:
Do not change the configuration of the clusters that were configured as a part of previous deployments.
On the Assign Servers to Clusters screen, associate the managed servers with the cluster. Click the cluster name in the right pane. Click the managed server under Servers, then click the arrow to assign it to the cluster.
The cluster_oim has the managed servers WLS_OIM1 and WLS_OIM2 as members.
The cluster_soa has the managed servers WLS_SOA1 and WLS_SOA2 as members.
Click Next.
Note:
Do not make any changes to clusters that already have entries defined.
On the Configure Machines screen, create a machine for each host in the topology.
Click the tab UNIX if your hosts use Linux or a UNIX-based operating system. Otherwise, click Machines.
Name: Name of the host. Best practice is to use the DNS name.
Node Manager Listen Address: DNS name of the machine.
Node Manager Port: Port for Node Manager
Provide the information shown in the following table.
| Name | Node Manager Listen Address | Node Manager Listen Port |
|---|---|---|
|
|
|
|
|
|
|
|
Leave the default values for all other fields.
Delete the default local machine entry under the Machines tab.
Click Next.
On the Assign Servers to Machines screen, indicate which managed servers to run on each of the machines you created.
Click a machine in the right pane.
Click the managed servers you want to run on that machine in the left pane.
Click the arrow to assign the managed servers to the machines.
Repeat until all managed servers are assigned to machines.
For example:
OIMHOST1: WLS_OIM1 and WLS_SOA1
OIMHOST2: WLS_OIM2 and WLS_SOA2
Click Next to continue.
On the Configure JMS File Stores screen, update the directory locations for the JMS file stores. Provide the information shown in the following table.
| Name | Directory |
|---|---|
|
UMSJMSFileStore_auto_1 |
|
|
UMSJMSFileStore_auto_2 |
|
|
BPMJMSServer_auto_1 |
|
|
BPMJMSServer_auto_2 |
|
|
SOAJMSFileStore_auto_1 |
|
|
SOAJMSFileStore_auto_2 |
|
|
OIMJMSFileStore_auto_1 |
|
|
OIMJMSFileStore_auto_2 |
|
Click Next.
Notes:
Use /u01/app/oracle/admin/IDMDomain/soa_cluster/jms/ as the directory location for the UMSJMSFileStore_auto_1, UMSJMSFileStore_auto_2, BPMJMSServer_auto_1, BPMJMSServer_auto_2, SOAJMSFileStore_auto_1, and SOAJMSFileStore_auto_2 JMS file stores
Use /u01/app/oracle/admin/IDMDomain/oim_cluster/jms/ as the directory location for the OIMJMSFileStore_auto_1 and OIMJMSFileStore_auto_2 JMS file stores
The locations /u01/app/oracle/admin/IDMDomain/soa_cluster/jms/ and /u01/app/oracle/admin/IDMDomain/oim_cluster/jms/ are on shared storage and must be accessible from OIMHOST1 and OIMHOST2
On the Configuration Summary screen, click Extend to extend the domain.
On the Installation Complete screen, click Done.
Restart WebLogic Administration Server, as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components."
You must configure the Oracle Identity Manager server instances before you can start the Oracle Identity Manager and SOA Managed Servers. The Oracle Identity Management Configuration Wizard loads the Oracle Identity Manager metadata into the database and configures the instance.
Before proceeding, ensure that the following are true:
The Administration Server is up and running.
The environment variables DOMAIN_HOME and WL_HOME are not set in the current shell.
The Oracle Identity Management Configuration Wizard is located under the Identity Management Oracle home. Type:
IAM_ORACLE_HOME/bin/config.sh
Proceed as follows:
On the Welcome screen, click Next
On the Components to Configure screen, Select OIM Server.
Note:
Oracle Identity Manager Remote Manager is optional in Fusion Applications implementations
Click Next.
On the Database screen, provide the following values:
Connect String: The connect string for the Oracle Identity Manager database:
oimdb1-vip.mycompany.com:1521:oimedg1^oimdb2-vip.mycompany.com:1521:oimedg2@oimedg.mycompany.com
If you are using Oracle Database 11.2, replace the vip address and port with the 11.2 SCAN address and port.
OIM Schema User Name: edg_oim
OIM Schema password: password
MDS Schema User Name: edg_mds
MDS Schema Password: password
Select Next.
On the WebLogic Administration Server screen, provide the following details for the WebLogic Administration Server:
URL: The URL to connect to the WebLogic Administration Server. For example: t3://OIMHOST1.mycompany.com:14000
UserName: weblogic
Password: Password for the weblogic user
Click Next.
On the OIM Server screen, provide the following values:
OIM Administrator Password: Password for the Oracle Identity Manager Administrator. This is the password for the xelsysadm user. The password must contain an uppercase letter and a number. Best practice is to use the same password that you assigned to the user xelsysadm in Section 11.4.3, "Creating Users and Groups for Oracle Identity Manager."
Confirm Password: Confirm the password·
OIM HTTP URL: Proxy URL for the Oracle Identity Manager Server. This is the URL for the Hardware load balancer that is front ending the OHS servers for Oracle Identity Manager. For example: http://oiminternal.mycompany.com:80.
Key Store Password: Key store password. The password must have an uppercase letter and a number.
Click Next.
On the BI Publisher screen, provide the following values:
Configure BI Publisher: Select if you want to Configure Oracle Identity Manager with Oracle BI Publisher. This is Optional and depends on your requirements.
BI Publisher URL: The URL of BI Publisher, if you selected it.
Enable LDAP Sync: Selected.
Notes:
BI Publisher is not a part of the IDMDomain. The steps to configure the BI Publisher are not covered in this Enterprise Deployment Guide.
Click Next.
On the LDAP Server Screen, the information you enter is dependent on your implementation. Provide the following details:
Directory Server Type:
OID, if your Identity Store is in OID.
OVD if you access your Identity Store through OVD.
Directory Server ID: A name for your Oracle Internet Directory server. For example: IdStore. This is only required if the directory type is OID.
Server URL: The LDAP server URL. For example: ldap://idstore.mycompany.com:389
Server User: The user name for connecting to the LDAP Server. For example: cn=oimLDAP,cn=systemids,dc=mycompany,dc=com
Server Password: The password for connecting to the LDAP Server.
Server Search DN: The Search DN, if you are accessing your IDStore using Oracle Virtual Directory Server. For example: dc=mycompany,dc=com.
Click Next.
On the LDAP Server Continued screen, provide the following LDAP server details:
LDAP Role Container: The DN for the Role Container. This is the container where the Oracle Identity Manager roles are stored. For example: cn=Groups,dc=mycompany,dc=com ·
LDAP User Container: The DN for the User Container. This is the container where the Oracle Identity Manager users are stored. For example: cn=Users,dc=mycompany,dc=com·
User Reservation Container: The DN for the User Reservation Container. For example: cn=Reserve,dc=mycompany,dc=com.
Click Next.
On the Configuration Summary screen, verify the summary information.
Click Configure to configure the Oracle Identity Manager instance
On the Configuration Progress screen, once the configuration completes successfully, click Next.
On the Configuration Complete screen, view the details of the Oracle Identity Manager Instance configured.
Click Finish to exit the Configuration Assistant.
Restart WebLogic Administration Server, as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components."
Once the configuration has succeeded on IDMHOST1, you can propagate the configuration to OIMHOST1 and OIMHOST2 (Enterprise deployment only). You do this by packing the domain on IDMHOST1 and unpacking it on OIMHOST1 and OIMHOST2 (Enterprise deployment only).
Follow these steps to propagate the domain to IDMHOST1.
Invoke the pack utility from ORACLE_COMMON_HOME/common/bin/.
./pack.sh -domain=ORACLE_BASE/admin/IDMDomain/aserver/IDMDomain -template=/u01/app/oracle/admin/templates/oim_domain.jar -template_name="OIM Domain" -managed=true
This creates a file called oim_domain.jar in the /u01/app/oracle/admin/templates directory. Copy this file to OIMHOST1 and OIMHOST2.
On OIMHOST1, invoke the utility unpack, which is also located in the directory ORACLE_COMMON_HOME/common/bin/.
./unpack.sh -domain=/u01/app/oracle/admin/IDMDomain/mserver/IDMDomain -template=/u01/app/oracle/product/fmw/templates/oim_domain.jar -overwrite_domain=true -app_dir=/u01/app/oracle/admin/IDMDomain/mserver/applications
On OIMHOST2, invoke the utility unpack, which is also located in the directory ORACLE_COMMON_HOME/common/bin/.
./unpack.sh -domain=/u01/app/oracle/admin/IDMDomain/mserver/IDMDomain -template=/u01/app/oracle/product/fmw/templates/oim_domain.jar -overwrite_domain=true -app_dir=/u01/app/oracle/admin/IDMDomain/mserver/applications
Copy the soa directory located under the /u01/app/oracle/admin/IDMDomain/aserver/IDMDomain directory on IDMHOST1 to the /u01/app/oracle/admin/IDMDomain/mserver/IDMDomain directory on OIMHOST1 and OIMHOST2.
To copy the soa directory from IDMHOST1 to OIMHOST1:
scp -rp /u01/app/oracle/admin/IDMDomain/aserver/IDMDomain/soa user@OIMHOST1:/u01/app/oracle/admin/IDMDomain/mserver/IDMDomain/soa
To Copy the soa directory from IDMHOST1 to OIMHOST2:
scp -rp /u01/app/oracle/admin/IDMDomain/aserver/IDMDomain/soa user@OIMHOST2:/u01/app/oracle/admin/IDMDomain/mserver/IDMDomain/soa
Copy the setDomainEnv.sh and the setSOADomainEnv.sh under the
/u01/app/oracle/admin/IDMDomain/mserver/IDMDomain/bin directory on oimhost1
to the /u01/app/oracle/admin/IDMDomain/mserver/IDMDomain/bin directory on IDMHOST1 and IDMHOST2.
Start the Managed Servers in your domain, as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components," except for the following servers:
WLS_OIM1
WLS_OIM2
WLS_SOA1
WLS_SOA2
This section describes post-installation steps.
This section contains the following topics:
Section 13.6.1, "Updating the Coherence Configuration for the SOA Managed Server"
Section 13.6.2, "Starting the WLS_OIM1 and WLS_SOA1 Managed Servers on OIMHOST1"
Section 13.6.3, "Validating Oracle Identity Manager Instance on OIMHOST1"
Follow these steps to update the Coherence Configuration for the WLS_SOA Server.
Log in to the Oracle WebLogic Server Administration Console.
Click Lock and Edit.
In the Domain Structure window, expand the Environment node.
Click Servers. The Summary of Servers page appears.
Click the name of the server in the Name (WLS_SOA1/WLS_SOA2) column of the table. The settings page for the selected server appears.
Click the Server Start tab.
Enter text into the Arguments field for WLS_SOA1 and WLS_SOA2.
For WLS_SOA1, enter the following text on a single line, without a carriage return:
-Dtangosol.coherence.wka1=soavhn1 -Dtangosol.coherence.wka2=soavhn2 -Dtangosol.coherence.localhost=soavhn1
For WLS_SOA2, enter the following text on a single line, without a carriage return:
-Dtangosol.coherence.wka1=soavhn1 -Dtangosol.coherence.wka2=soavhn2 -Dtangosol.coherence.localhost=soavhn2
Note:
The Coherence cluster used for deployment uses port 8088 by default. You can change this port by specifying a different port (for example, 8089) with the -Dtangosol.coherence.wkan.port and -Dtangosol.coherence.localport startup parameters. For example:
For WLS_SOA1 (on a single line):
-Dtangosol.coherence.wka1=soavhn1 -Dtangosol.coherence.wka2=soavhn2 -Dtangosol.coherence.localhost=soavhn1 -Dtangosol.coherence.localport=8089 -Dtangosol.coherence.wka1.port=8089 -Dtangosol.coherence.wka2.port=8089
For WLS_SOA2 (on a single line):
-Dtangosol.coherence.wka1=soavhn1 -Dtangosol.coherence.wka2=soavhn2 -Dtangosol.coherence.localhost=soavhn2 -Dtangosol.coherence.localport=8089 -Dtangosol.coherence.wka1.port=8089 -Dtangosol.coherence.wka2.port=8089
Click Save and activate the changes.
Note:
The multicast and unicast addresses are different from the ones used by the WebLogic Server cluster for cluster communication. SOA guarantees that composites are deployed to members of a single WebLogic Server cluster even though the communication protocol for the two entities (the WebLogic Server cluster and the groups to which composites are deployed) are different.
Do not copy the text from this section to your Administration Console's arguments text field. Doing so can cause HTML tags to be inserted in the Java arguments. The text should not include any text or characters other than the ones shown.
Follow this sequence of steps to start the WLS_OIM1 and WLS_SOA1 Managed Servers on OIMHOST1:
Stop the WebLogic Administration Server on IDMHOST1 by using the WebLogic Administration Console as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components."
Start the Administration Server on IDMHOST1 using the Node Manager, as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components."
Validate that the Administration Server started up successfully by bringing up the Oracle WebLogic Administration Console.
Start NodeManager on OIMHOST1. Create the nodemanager.properties file by using the startNodemanager.sh script located under the MW_HOME/wlserver_10.3/server/bin directory.
Before you can start the Managed Servers by using the console, node manager requires that the property StartScriptEnabled be set to true. You set it by running the setNMProps.sh script located under the MW_HOME/oracle_common/common/bin directory.
prompt> MW_HOME/oracle_common/common/bin/setNMProps.sh
Restart the Node Manager as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components" so that the properties take effect.
Start the WLS_SOA1 Managed Server, using the WebLogic Administration Console as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components."
Start the WLS_OIM1 Managed Server using the WebLogic Administration Console as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components."
Validate the Oracle Identity Manager Server Instance by bringing up the Oracle Identity Manager Console in a web browser at:
http://oimvhn1.mycompany.com:14000/oim
Log in using the xelsysadm username and password.
Note:
When you log in for the first time, you are prompted to setup Challenge Questions. Please do so before proceeding further.
Validate Oracle SOA Suite using the URL:
http://soavhn1.mycompany.com:8001/soa-infra
Log in as the weblogic user.
It describes the post-installation steps on OIMHOST2.
This section contains the following topics:
Section 13.7.2, "Starting the WLS_OIM2 and WLS_SOA2 Managed Servers on OIMHOST2"
Section 13.7.3, "Validating Oracle Identity Manager Instance on OIMHOST2"
Start the Node Manager on OIMHOST2 to create the nodemanager.properties file by using the startNodemanager.sh script located under the MW_HOME/wlserver_10.3/server/bin directory.
Before you can start the Managed Servers by using the console, node manager requires that the property StartScriptEnabled is set to true. You set it by running the setNMProps.sh script located under the MW_HOME/oracle_common/common/bin directory.
prompt> MW_HOME/oracle_common/common/bin
prompt> ./setNMProps.sh
Restart the Node Manager as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components"so that the properties take effect.
Follow this sequence of steps to start the WLS_OIM2 Managed Server on OIMHOST2:
Start the WLS_SOA2 Managed Server, using the WebLogic Administration Console as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components."
Start the WLS_OIM2 Managed Server using the WebLogic Administration Console as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components."
Validate the Oracle Identity Manager Server Instance by bringing up the Oracle Identity Manager Console in a web browser at:
http://soavhn2.mycompany.com:14000/oim/
Log in using the xelsysadm username and password
Validate SOA at:
http://oimvhn2.mycompany.com:8001/soa-infra
Log in as the weblogic user.
When first installed, Oracle Identity Manager has a set of default system properties for its operation.
If your Identity Store is in Active Directory, you must change the System property XL.DefaultUserNamePolicyImpl to oracle.iam.identity.usermgmt.impl.plugins.FirstNameLastNamePolicyForAD or oracle.iam.identity.usermgmt.impl.plugins.LastNameFirstNamePolicyForAD.
To learn how to do this, see the Administering System Properties chapter of Oracle Fusion Middleware System Administrator's Guide for Oracle Identity Manager.
The application of this patch requires a number of post installation steps to be performed. See the patch ReadMe file for details.
Note:
Where the patch talks about adding the Oracle Identity Manager server as a target, in a High Availability configuration ALL Oracle Identity Manager servers and the Oracle Identity Manager cluster must be added to the target list.
In the current release, the LDAPConfigPostSetup script enables all the LDAPSync-related incremental Reconciliation Scheduler jobs, which are disabled by default. The LDAP configuration post-setup script is located under the IAM_ORACLE_HOME/server/ldap_config_util directory. Run the Script on IDMHOST1, as follows:
Edit the ldapconfig.props file located under the IAM_ORACLE_HOME/server/ldap_config_util directory and provide the following values:
| Parameter | Value | Description |
|---|---|---|
|
|
|
Oracle Identity Manager system administrator |
|
|
|
List of Oracle Identity Manager managed servers. |
|
|
Specify the URL for the Oracle Internet Directory instance, for example: |
Identity Store URL. |
|
|
|
Name of use used to connect to Identity Store. This user should not be located in |
|
|
|
Root location in Identity Store where Users and Groups are located. |
|
|
|
cn of User location within Search base. |
|
|
|
cn of Groups location within Search base. |
|
|
|
cn of Reserve location within Search base. |
Footnote 1 If you are using Active Directory or Oracle Virtual Directory as the directory server, specify the appropriate URL
Note:
usercontainerName, rolecontainername, and reservationcontainername are not used in this step.
Save the file.
Set the JAVA_HOME and WL_HOME environment variables.
Run LDAPConfigPostSetup.sh. The script prompts for the Oracle Internet Directory admin password and the Oracle Identity Manager admin password. For example:
Prompt> ./LDAPConfigPostSetup.sh [Enter OID admin password: ] [Enter OIM admin password: ]
This section describes how to configure Oracle Identity Manager to work with the Oracle Web Tier.
This section contains the following topics:
Before configuring Oracle Identity Manager to work with the Oracle Web Tier, ensure that the following tasks have been performed:
Install Oracle Web Tier on WEBHOST1 and WEBHOST2.
Install and configure Oracle Identity Manager on IDMHOST1 and IDMHOST2.
Configure the load balancer with a virtual host name (sso.mycompany.com) pointing to the web servers on WEBHOST1 and WEBHOST2.
Configure the load balancer with a virtual host name (admin.mycompany.com) pointing to web servers WEBHOST1 and WEBHOST2.
On each of the web servers on WEBHOST1 and WEBHOST2, create a file called oim.conf in the directory ORACLE_INSTANCE/config/OHS/component/moduleconf.
This file must contain the following information:
# oim admin console(idmshell based)
<Location /admin>
SetHandler weblogic-handler
WLProxySSL ON
WLProxySSLPassThrough ON
WLCookieName oimjsessionid
WebLogicCluster oimvhn1:14000,oimvhn2:14000
WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
</Location>
# oim self and advanced admin webapp consoles(canonic webapp)
<Location /oim>
SetHandler weblogic-handler
WLProxySSL ON
WLProxySSLPassThrough ON
WLCookieName oimjsessionid
WebLogicCluster oimvhn1:14000,oimvhn2:14000
WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
</Location>
# SOA Callback webservice for SOD - Provide the SOA Managed Server Ports
<Location /sodcheck>
SetHandler weblogic-handler
WLProxySSL ON
WLProxySSLPassThrough ON
WLCookieName oimjsessionid
WebLogicCluster soavhn1:8001,soavhn2:8001
WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
</Location>
# Callback webservice for SOA. SOA calls this when a request is approved/rejected
# Provide the SOA Managed Server Port
<Location /workflowservice>
SetHandler weblogic-handler
WLProxySSL ON
WLProxySSLPassThrough ON
WLCookieName oimjsessionid
WebLogicCluster oimvhn1:14000,oimvhn2:14000
WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
</Location>
# xlWebApp - Legacy 9.x webapp (struts based)
<Location /xlWebApp>
SetHandler weblogic-handler
WLProxySSL ON
WLProxySSLPassThrough ON
WLCookieName oimjsessionid
WebLogicCluster oimvhn1:14000,oimvhn2:14000
WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
</Location>
# Nexaweb WebApp - used for workflow designer and DM
<Location /Nexaweb>
SetHandler weblogic-handler
WLProxySSL ON
WLProxySSLPassThrough ON
WLCookieName oimjsessionid
WebLogicCluster oimvhn1:14000,oimvhn2:14000
WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
</Location>
# used for FA Callback service.
<Location /callbackResponseService>
SetHandler weblogic-handler
WLProxySSL ON
WLProxySSLPassThrough ON
WLCookieName oimjsessionid
WebLogicCluster oimvhn1:14000,oimvhn2:14000
WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
</Location>
# spml xsd profile
<Location /spml-xsd>
SetHandler weblogic-handler
WLProxySSL ON
WLProxySSLPassThrough ON
WLCookieName oimjsessionid
WebLogicCluster oimvhn1:14000,oimvhn2:14000
WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
</Location>
<Location /HTTPClnt>
SetHandler weblogic-handler
WLProxySSL ON
WLProxySSLPassThrough ON
WLCookieName oimjsessionid
WebLogicCluster oimvhn1:14000,oimvhn2:14000
WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
</Location>
Save the file on both WEBHOST1 and WEBHOST2.
Stop and start the Oracle HTTP Server instances on both WEBHOST1 and WEBHOST2 as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components."
Because the Oracle HTTP Server acts as a proxy for WebLogic, by default certain CGI environment variables are not passed through to WebLogic. These include the host and port. You must tell WebLogic that it is using a virtual site name and port so that it can generate internal URLs appropriately.
To do this, log in to the WebLogic administration console at http://admin.mycompany.com/console. Proceed as follows:
Select Clusters from the home page or, alternatively, select Environment -> Clusters from the Domain structure menu.
Click Lock and Edit in the Change Center Window to enable editing.
Click the Cluster Name (cluster_soa).
In the General tab, select the HTTP subtab.
Enter:
Frontend Host: sso.mycompany.com
Frontend HTTPS Port: 443
Click Save.
Click Activate Changes in the Change Center window to enable editing.
Restart WLS_SOA1 and WLS_SOA2 as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components."
Validate the Oracle Identity Manager Server Instance by bringing up the Oracle Identity Manager Console in a web browser. at:
https://sso.mycompany.com:443/oim
Log in using the xelsysadm username and password.
The WLS_OIM and WLS_SOA Managed Servers have a transaction log that stores information about committed transactions that are coordinated by the server that might not have been completed. The WebLogic Server uses this transaction log for recovery from system crashes or network failures. To leverage the migration capability of the Transaction Recovery Service for the servers within a cluster, store the transaction log in a location accessible to a server and its backup servers.
Note:
Preferably, this location should be on a dual-ported SCSI disk or on a Storage Area Network (SAN).
Perform these steps to set the location for the default persistence stores for the Oracle Identity Manager and SOA Servers:
Create the following directories on the shared storage:
ORACLE_BASE/admin/domain_name/soa_cluster_name/tlogs
ORACLE_BASE/admin/domain_name/oim_cluster_name/tlogs
Log in to the Oracle WebLogic Server Administration Console.
Click Lock and Edit.
In the Domain Structure window, expand the Environment node and then click the Servers node.
The Summary of Servers page is displayed.
Click the name of either the Oracle Identity Manager or the SOA server (represented as a hyperlink) in the Name column of the table.
The Settings page for the selected server is displayed, and defaults to the Configuration tab.
Open the Services sub tab.
Under the Default Store section of the page, provide the path to the default persistent store on shared storage. The directory structure of the path is as follows:
For Oracle Identity Manager Servers: ORACLE_BASE/admin/domain_name/oim_cluster_name/tlogs
For SOA Servers: ORACLE_BASE/admin/domain_name/soa_cluster_name/tlogs
Note:
To enable migration of the Transaction Recovery Service, specify a location on a persistent storage solution that is available to other servers in the cluster. All the servers that are a part of the cluster must be able to access this directory.
Click Save and Activate.
Restart the Oracle Identity Manager and SOA Managed Servers, as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components," to make the changes take effect.
This section describes how to set up email notification. This is mandatory for Fusion Applications. The following steps assume that an email server has been set up and that Oracle Identity Management can use it to send the email notifications.
Log in to Oracle Identity Manager Advanced Administration as system administrator.
Navigate to Configuration -> Create IT Resource.
Enter Email Server for IT Resource Name. Select Mail Server for IT Resource Type. Do not select anything for the Remote Manager field. Click Continue.
On the Step 2: Specify IT Resource Parameter Values page, provide the following values for the fields:
Authentication: False
Server Name: Email server name, for example: mail.mycompany.com
User Login: leave blank
User Password: leave blank
Click Continue.
On the Step 3: Set Access Permission to IT Resource page, do not change anything. Click Continue.
On the Step 4: Verify IT Resource Details page, check all the values you entered to verify that they are correct. Click Continue.
On the Step 5: IT Resource Connection Result page, Oracle Identity Manager checks whether it can connect to the email server provided. If the connection is successful, click Create.
On the Step 6: IT Resource Created page, click Finish.
Restart the Oracle Identity Manager server, as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components," for the changes to take effect.
Oracle Identity Manager connects to SOA as SOA administrator, with the username weblogic by default. As mentioned in the previous sections, a new administrator user is provisioned in the central LDAP store to manage Identity Management Weblogic Domain.
Perform the following postinstallation steps to enable Oracle Identity Manager to work with the Oracle WebLogic Server administrator user provisioned in the central LDAP store. This enables Oracle Identity Manager to connect to SOA without any problem:
Log in to Enterprise Manager at: http://admin.mycompany.com/em
Right click Identity and Access –OIM–oim(11.1.1.3.0) and select System Mbean Browser.
Select Application-defined Mbeans–oracle.iam–Server: wls_oim1–Application: oim–XML Config–Config–XMLConfig.SOAConfig–SOAConfig
View the username attribute. By default, the value of this attribute is weblogic. Change this to the Oracle WebLogic Server administrator username provisioned in Section 11.4.3, "Creating Users and Groups for Oracle Identity Manager," for example: weblogic_idm
Click Apply.
Select Weblogic Domain–IDM Domain from the Navigator.
Select Security–Credentials from the down menu.
Expand the key oim.
Click SOAAdminPassword.
Click Edit.
Change the username to weblogic_idm and set the password to the accounts password.
Click OK.
Run the reconciliation process to enable the Oracle WebLogic Server administrator, weblogic_idm, to be visible in the OIM Console. Follow these steps:
Log in to Oracle Identity Manager at: https://sso.mycompany.com:443/oim as the user xelsysadm.
If prompted, set up challenge questions. This happens on your first login to Oracle Identity Manager.
Click Advanced.
Click the System Management tab
Click the arrow for the Search Scheduled Jobs to list all the schedulers.
Select LDAP User Create and Update Full Reconciliation.
Click Run Now to run the job.
Go to the Administration page and perform a search to verify that the user is visible in the Oracle Identity Manager console.
Select Administration.
Click Advanced Search–Roles
Search for the Administrators role.
Click the Administrators Role.
Click Open.
Click the Member tab.
Click Assign.
Type weblogic_idm in the Search box and Click ->.
Select weblogic_idm from the list of available users.
Click > to move to Selected Users.
Click Save.
Restart Oracle Identity Manager managed server.
If your back end directory is Active Directory, you must update Oracle Identity Manager so that it only allows user names with a maximum of 20 characters. This is a limitation of Active Directory. Update the username generation policy from DefaultComboPolicy to FirstnameLastnamepolicyforAD as follows.
Log in to the OIM Console at:
https://sso.mycompany.com:443/oim
Click Advanced on the top of the right pane.
Click Search System properties.
On the navigation bar in the left pane, search on Username Generation.
Click Default Policy for Username Generation.
In the Value field, update the entry from oracle.iam.identity.usermgmt.impl.plugins.DefaultComboPolicy to oracle.iam.identity.usermgmt.impl.plugins.FirstNameLastNamePolicyForAD.
Click Save.
Update Oracle Identity Manager JMS queues as follows:
Log in to the WebLogic console as the administrative user.
Select Services - Messaging - JMS Modules from the Domain Structure menu.
Click OIMJMSModule.
Click Lock & Edit.
For each of the queues, click the queue then click the Delivery Failure tab and change Redelivery Limit value from -1 to 1, then click Save.
Make sure you have performed Steps 4 and 5 for all the queues under OIMJMSModule.
Click Activate Changes.
Restart Oracle Identity Manager servers as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components."
For information about tuning OPSS, see the "Oracle Fusion Middleware Security Performance Tuning" chapter in the Oracle Fusion Middleware Performance Guide.
In particular, set the following attribute values when deploying Oracle Identity Management for Fusion Applications:
| Attribute | Value |
|---|---|
|
-Djps.subject.cache.key |
5 |
|
-Djps.subject.cache.ttl |
600000 |
This section provides details for configuring Oracle Identity Manager to provision users in the enterprise identity store. It contains the following topics:
Section 13.18.2, "Updating IT Resource for Oracle Identity Manager Integration."
Section 13.18.3, "Updating the Incremental Reconciliation Changelog Number."
By default, the users created from Fusion Application are provisioned in the Enterprise Identity Store. You can also configure the users to be created in the shadow directory by configuring the Oracle Identity Manager rules appropriately.
Create LDAPContainerRules.xml with the new rules that you want to import into LDAP. This file contains the rules for user creation and role creation and corresponding containers in LDAP where they should be created. For the current split profile environment, the rules are:
<?xml version='1.0' encoding='UTF-8'?><container-rules> <user> <rule> <expression>Country=IN</expression> <container>cn=Users,dc=idm,dc=sun,dc=com</container> </rule> <rule> <expression>Default</expression> <container>cn=Users,dc=mycompany,dc=com</container> <description>UserContainer</description> </rule> </user> <role> <rule> <expression>Default</expression> <container>cn=Groups,dc=mycompany,dc=com</container> <description>RoleContainer</description> </rule> </role> </container-rules>
Import this configuration to MDS.
Modify the weblogic.properties file under OIM_ORACLE_HOME/bin as follows.
wls_servername=OIM server name
For example, WLS_OIM1.
Note:
This is only used to load the data, so it is only necessary to specify one Oracle Identity Manager server.
application_name=OIMMetadata metadata_from_loc = /u01/tmp
metadata_files=/db/LDAPContainerRules.xml
Set the OIM_ORACLE_HOME environment variable to the appropriate directory.
Run the following command to import the configuration file into MDS. The file weblogicImportMetadata.sh is located under OIM_ORACLE_HOME/bin
sh ./weblogicImportMetadata.sh
Please enter your username [weblogic] :weblogic Please enter your password [weblogic] :Weblogic user password Please enter your server URL [t3://localhost:7001 :t3://ADMINVHN.mycompany.com:7001
To activate the new rules, restart the Oracle Identity Manager Servers wls_oim1 and wls_oim2 as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components."
Using the Oracle Identity Manager advanced console, update the directory server IT resource with Oracle Virtual Directory information. The steps are as follows:
Log in to the OIM Console at:
https://sso.mycompany.com:443/oim
Click Advanced to go to the advanced console.
On the advanced console page, in the Configuration section, click the link for Manage IT Resource. The Manage IT Resource window appears.
In the Manage IT Resource window, under IT Resource Type, choose Directory Server, then click Search.
In the resulting list of resources in the IT Resource Name section, choose the Directory Server link for that instance's information. The View IT Resource window appears.
Click Edit in the View IT Resource window and enter your LDAP server information.
Admin Login: Bind dn to connect to the Oracle Virtual Directory server
Admin Password: Bind password to connect to the Oracle Virtual Directory server
Search Base: LDAP Container (DefaultnamingContext) for all users and groups
Server URL: Oracle Virtual Directory host and port, ldap://idmhost1.mycompany.com:389
Server SSL URL: ldaps://idmhost1.mycompany.com:636
User Reservation Container: Container used for reserving user id, for example: l=reserve,dc=mycompany,dc=com
Click Update and close the window.
Whenever the environment is initially set up as a non-split profile and then converted to a split profile, some incremental jobs were run before the conversion. As a result, the last changelog number field is not in a format that the split profile environment can decipher. This results in all subsequent incremental jobs failing with the error message:
Failed:oracle.iam.scheduler.exception.RequiredParameterNotSetException: The value is not supported.
To resolve the error, you must update the last changelog number needs to 0, as follows:
Log in to the OIM Console at:
https://sso.mycompany.com:443/oim
Click Advanced on the top right pane.
Click Search Scheduled Jobs.
On the navigation bar in the left pane, perform a search on LDAP*.
Click LDAP User Create and Update Reconciliation Job.
Click Search Scheduled Jobs.
On the navigation bar in the left pane, perform a search on LDAP*.
Click LDAP User Create and Update Reconciliation Job.
Update the entry to 0.
Click Apply.
Click Run Now.
Repeat Steps 1-11 for all the incremental reconciliation jobs:
LDAP Role Create and Update Reconciliation
LDAP Role Membership Reconciliation
LDAP Role Hierarchy Reconciliation
LDAP User Delete Reconciliation
LDAP Role Delete Reconciliation
It is an Oracle best practices recommendation to create a backup after successfully completing the installation and configuration of each tier, or at another logical point. Create a backup after verifying that the installation so far is successful. This is a quick backup for the express purpose of immediate restoration in case of problems in later steps. The backup destination is the local disk. You can discard this backup when the enterprise deployment setup is complete. After the enterprise deployment setup is complete, you can initiate the regular deployment-specific Backup and Recovery process. For more details, see the Oracle Fusion Middleware Administrator's Guide.
For information on database backups, refer to the Oracle Database Backup and Recovery User's Guide.
To back up the installation to this point, follow these steps:
Back up the web tier as described in Section 5.5, "Backing up the Web Tier Configuration."
Back up the database. This is a full database backup, either hot or cold. The
recommended tool is Oracle Recovery Manager.
Back up the Administration Server domain directory as described in Section 6.15, "Backing Up the WebLogic Domain."
Back up the Oracle Internet Directory as described in Section 7.7, "Backing up the Oracle Internet Directory Configuration."
Back up the Oracle Virtual Directory as described in Section 9.10, "Backing Up the Oracle Virtual Directory Configuration."
For information about backing up the application tier configuration, see Section 19.4, "Performing Backups and Recoveries."
|
 Copyright © 2004, 2011, Oracle and/or its affiliates. All rights reserved. Legal Notices |
|