Oracle® Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management (Oracle Fusion Applications Edition) 11g Release 1 (11.1.3) Part Number E21032-07 |
|
|
PDF · Mobi · ePub |
This chapter describes how to integrate Oracle Identity Management components for an enterprise deployment.
This chapter contains the following sections:
Section 19.1, "Overview of Integrating Oracle Identity Management Components"
Section 19.2, "Integrating Oracle Identity Manager and Oracle Access Manager 11g"
Section 19.3, "Preparing the Environment for Fusion Applications Provisioning"
Section 19.4, "Integrating Oracle Identity Federation with Oracle Access Manager 11g"
Section 19.5, "Backing Up the Identity Management Configuration"
Now that you have finished setting up the Identity Management environment, you must perform some final tasks to ensure that the components work together.
You must also ensure that the environment is ready for Fusion Applications provisioning.
This section describes how to integrate Oracle Identity Manager and Oracle Access Manager 11g.
This section contains the following topics:
Section 19.2.2, "Copying OAM Keystore Files to OIMHOST1 and OIMHOST2"
Section 19.2.3, "About the Split Oracle Identity Manager Domain"
Section 19.2.4, "Updating Existing LDAP Users with Required Object Classes"
Section 19.2.5, "Integrating Oracle Access Manager 11g with Oracle Identity Manager 11g"
Section 19.2.7, "Updating Oracle Virtual Directory Authenticator"
Section 19.2.8, "Managing the Password of the xelsysadm User"
Ensure that OIM11g has been installed and configured as described in Chapter 15, "Configuring Oracle Identity Manager."
Ensure that the Oracle Access Manager 11g has been installed and configured as described in Chapter 14, "Configuring Oracle Access Manager 11g."
Ensure that OHS has been installed and configured as described in Chapter 6, "Installing Oracle HTTP Server."
If you are using Oracle Access Manager with the Simple Security Transport model, you must copy the OAM keystore files that were generated in Section 14.10, "Creating Oracle Access Manager Key Store" to OIMHOST1 and OIMHOST2. Copy the keystore files ssoKeystore.jks
and oamclient-truststore.jks
to the directory DOMAIN_HOME
/config/fmwconfig
on OIMHOST1 and OIMHOST2.
The examples in this chapter show integrating Oracle Identity Manager with other components in the domain IDMDomain to include Oracle Identity Manager. If you are building a split domain topology, substitute OIMDomain wherever you see a reference to IDMDomain and OIMADMINVHN wherever you see ADMINVHN.
You must update existing LDAP users with the object classes OblixPersonPwdPolicy
, OIMPersonPwdPolicy
, and OblixOrgPerson
.
Note:
This is not required in the case of a fresh setup where you do not have any existing users.
On IDMHOST1, create a properties file for the integration called user.props
, with the following contents:
IDSTORE_HOST: idstore.mycompany.com IDSTORE_PORT: 389 IDSTORE_ADMIN_USER: cn=orcladmin IDSTORE_DIRECTORYTYPE:OVD IDSTORE_USERSEARCHBASE: cn=Users,dc=mycompany,dc=com IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=mycompany,dc=com PASSWORD_EXPIRY_PERIOD: 7300
Set the environment variables: MW_HOME
, JAVA_HOME
, IDM_HOME
and ORACLE_HOME
.
Set IDM_HOME
to IDM_ORACLE_HOME
.
Set ORACLE_HOME
to IAM_ORACLE_HOME
.
Upgrade existing LDAP, using the command idmConfigTool
, which is located at: IAM_ORACLE_HOME
/idmtools/bin
Note:
When you run the idmConfigTool
, it creates or appends to the file idmDomainConfig.param
. This file is generated in the same directory that the idmConfigTool
is run from. To ensure that each time the tool is run, the same file is appended to, always run the idmConfigTool
from the directory:
IAM_ORACLE_HOME
/idmtools/bin
The syntax of the command is:
idmConfigTool.sh - upgradeLDAPUsersForSSO input_file=configfile
on Linux and UNIX-based operating systems and
idmConfigTool.bat -upgradeLDAPUsersForSSO input_file=configfile
on Windows.
For example:
idmConfigTool.sh -upgradeLDAPUsersForSSO input_file=user.props
When prompted, enter the following information:
The password of the user you are using to connect to your Identity Store.
The directory type: OVD
if you are using Oracle Virtual Directory, otherwise OID
Sample output:
Enter LDAP admin user password: ********* Upgrading LDAP Users With OAM ObjectClasses ********* Enter Directory Type[OID]: OVD Completed loading user inputs for - LDAP connection info Completed loading user inputs for - LDAP Upgrade Upgrading ldap users at - cn=Users,dc=us,dc=oracle,dc=com Parsing - cn=readOnlyUser,cn=Users,dc=us,dc=oracle,dc=com objectclass OIMPersonPwdPolicy not present in cn=readOnlyUser,cn=Users,dc=us,dc=oracle,dc=com. Seeding it objectclass OblixOrgPerson not present in cn=readOnlyUser,cn=Users,dc=us,dc=oracle,dc=com. Seeding it objectclass OblixPersonPwdPolicy not present in cn=readOnlyUser,cn=Users,dc=us,dc=oracle,dc=com. Seeding it obpasswordexpirydate added in cn=readOnlyUser,cn=Users,dc=us,dc=oracle,dc=com Parsing - cn=readWriteUser,cn=Users,dc=us,dc=oracle,dc=com objectclass OIMPersonPwdPolicy not present in cn=readWriteUser,cn=Users,dc=us,dc=oracle,dc=com. Seeding it objectclass OblixOrgPerson not present in cn=readWriteUser,cn=Users,dc=us,dc=oracle,dc=com. Seeding it objectclass OblixPersonPwdPolicy not present in cn=readWriteUser,cn=Users,dc=us,dc=oracle,dc=com. Seeding it obpasswordexpirydate added in cn=readWriteUser,cn=Users,dc=us,dc=oracle,dc=com Parsing - cn=weblogic,cn=Users,dc=us,dc=oracle,dc=com objectclass OIMPersonPwdPolicy not present in cn=weblogic,cn=Users,dc=us,dc=oracle,dc=com. Seeding it objectclass OblixOrgPerson not present in cn=weblogic,cn=Users,dc=us,dc=oracle,dc=com. Seeding it objectclass OblixPersonPwdPolicy not present in cn=weblogic,cn=Users,dc=us,dc=oracle,dc=com. Seeding it obpasswordexpirydate added in cn=weblogic,cn=Users,dc=us,dc=oracle,dc=com Parsing - cn=oamMasterAdminUser,cn=Users,dc=us,dc=oracle,dc=com objectclass OIMPersonPwdPolicy not present in cn=oamMasterAdminUser,cn=Users,dc=us,dc=oracle,dc=com. Seeding it objectclass OblixPersonPwdPolicy not present in cn=oamMasterAdminUser,cn=Users,dc=us,dc=oracle,dc=com. Seeding it obpasswordexpirydate added in cn=oamMasterAdminUser,cn=Users,dc=us,dc=oracle,dc=com Parsing - cn=oamSoftwareUser,cn=Users,dc=us,dc=oracle,dc=com objectclass OIMPersonPwdPolicy not present in cn=oamSoftwareUser,cn=Users,dc=us,dc=oracle,dc=com. Seeding it objectclass OblixOrgPerson not present in cn=oamSoftwareUser,cn=Users,dc=us,dc=oracle,dc=com. Seeding it objectclass OblixPersonPwdPolicy not present in cn=oamSoftwareUser,cn=Users,dc=us,dc=oracle,dc=com. Seeding it obpasswordexpirydate added in cn=oamSoftwareUser,cn=Users,dc=us,dc=oracle,dc=com Parsing - cn=PolStoreROUser,cn=Users,dc=us,dc=oracle,dc=com objectclass OIMPersonPwdPolicy not present in cn=PolStoreROUser,cn=Users,dc=us,dc=oracle,dc=com. Seeding it objectclass OblixOrgPerson not present in cn=PolStoreROUser,cn=Users,dc=us,dc=oracle,dc=com. Seeding it objectclass OblixPersonPwdPolicy not present in cn=PolStoreROUser,cn=Users,dc=us,dc=oracle,dc=com. Seeding it obpasswordexpirydate added in cn=PolStoreROUser,cn=Users,dc=us,dc=oracle,dc=com Parsing - cn=PolStoreRWUser,cn=Users,dc=us,dc=oracle,dc=com objectclass OIMPersonPwdPolicy not present in cn=PolStoreRWUser,cn=Users,dc=us,dc=oracle,dc=com. Seeding it objectclass OblixOrgPerson not present in cn=PolStoreRWUser,cn=Users,dc=us,dc=oracle,dc=com. Seeding it objectclass OblixPersonPwdPolicy not present in cn=PolStoreRWUser,cn=Users,dc=us,dc=oracle,dc=com. Seeding it obpasswordexpirydate added in cn=PolStoreRWUser,cn=Users,dc=us,dc=oracle,dc=com Parsing - cn=PUBLIC, cn=Users, dc=us,dc=oracle,dc=com objectclass OIMPersonPwdPolicy not present in cn=PUBLIC, cn=Users, dc=us,dc=oracle,dc=com. Seeding it objectclass OblixOrgPerson not present in cn=PUBLIC, cn=Users, dc=us,dc=oracle,dc=com. Seeding it objectclass OblixPersonPwdPolicy not present in cn=PUBLIC, cn=Users, dc=us,dc=oracle,dc=com. Seeding it obpasswordexpirydate added in cn=PUBLIC, cn=Users, dc=us,dc=oracle,dc=com Parsing - cn=orcladmin, cn=Users, dc=us,dc=oracle,dc=com objectclass OIMPersonPwdPolicy not present in cn=orcladmin, cn=Users, dc=us,dc=oracle,dc=com. Seeding it obpasswordexpirydate added in cn=orcladmin, cn=Users, dc=us,dc=oracle,dc=com Parsing - cn=xelsysadm,cn=Users,dc=us,dc=oracle,dc=com Parsing - cn=xelsysadmin,cn=Users,dc=us,dc=oracle,dc=com Finished parsing LDAP LDAP Users Upgraded. ********* ********* *********
See Also:
Oracle Fusion Middleware Integration Overview for Oracle Identity Management Suite for more information about the idmConfigTool
command.
To integrate Oracle Access Manager 11g with Oracle Identity Manager perform the following steps on IDMHOST1 or OIMHOST1:
Set the Environment Variables: MW_HOME
, JAVA_HOME
, IDM_HOME
, and ORACLE_HOME
, for example:
export IDM_HOME=IDM_ORACLE_HOME export ORACLE_HOME=IAM_ORACLE_HOME
Create a properties file for the integration called oimitg.props
, with the following contents.
Single Domain
Use the following contents if all your components are in a single domain:
LOGINURI: /${app.context}/adfAuthentication LOGOUTURI: /oamsso/logout.html AUTOLOGINURI: None ACCESS_SERVER_HOST: OAMHOST1.mycompany.com ACCESS_SERVER_PORT: 5575 ACCESS_GATE_ID: Webgate_IDM COOKIE_DOMAIN: .mycompany.com COOKIE_EXPIRY_INTERVAL: 120 OAM_TRANSFER_MODE: simple WEBGATE_TYPE: ohsWebgate10g SSO_ENABLED_FLAG: true IDSTORE_PORT: 389 IDSTORE_HOST: idstore.mycompany.com IDSTORE_DIRECTORYTYPE: OID or OVD IDSTORE_ADMIN_USER: cn=oamLDAP,cn=Users,dc=mycompany,dc=com IDSTORE_USERSEARCHBASE: cn=Users,dc=mycompany,dc=com IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=mycompany,dc=com MDS_DB_URL: jdbc:oracle:thin:@(DESCRIPTION=(LOAD_BALANCE=on)(FAILOVER=on)(ADDRESS_LIST=(ADDRESS=(protocol=tcp)(host=OIDDBHOST1-vip.mycomapny.com)(port=1521))(ADDRESS=(protocol=tcp)(host=OIDDBHOST2-vip.mycompany.com)(port=1521)))(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=oidedg.mycompany.com))) MDS_DB_SCHEMA_USERNAME: edg_mds WLSHOST: adminvhn.mycompany.com WLSPORT: 7001 WLSADMIN: weblogic DOMAIN_NAME: IDMDomain OIM_MANAGED_SERVER_NAME: WLS_OIM1 DOMAIN_LOCATION: ORACLE_BASE/admin/IDMDomain/aserver/IDMDomain
Split Domain
Use the following contents if your Oracle Identity Manager components are in a different domain from your Oracle Access Manager components:
LOGINURI: /${app.context}/adfAuthentication LOGOUTURI: /oamsso/logout.html AUTOLOGINURI: None ACCESS_SERVER_HOST: OAMHOST1.mycompany.com ACCESS_SERVER_PORT: 5575 ACCESS_GATE_ID: Webgate_IDM COOKIE_DOMAIN: .mycompany.com COOKIE_EXPIRY_INTERVAL: 120 OAM_TRANSFER_MODE: simple WEBGATE_TYPE: ohswebgate10g SSO_ENABLED_FLAG: true IDSTORE_PORT: 389 IDSTORE_HOST: idstore.mycompany.com IDSTORE_DIRECTORYTYPE: OID or OVD IDSTORE_ADMIN_USER: cn=oamLDAP,cn=Users,dc=mycompany,dc=com IDSTORE_USERSEARCHBASE: cn=Users,dc=mycompany,dc=com IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=mycompany,dc=com MDS_DB_URL: jdbc:oracle:thin:@(DESCRIPTION=(LOAD_BALANCE=on)(FAILOVER=on)(ADDRESS_LIST=(ADDRESS=(protocol=tcp)(host=OIDDBHOST1-vip.mycomapny.com)(port=1521))(ADDRESS=(protocol=tcp)(host=OIDDBHOST2-vip.mycompany.com)(port=1521)))(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=oidedg.mycompany.com))) MDS_DB_SCHEMA_USERNAME: edg_mds WLSHOST: oimadminvhn.mycompany.com WLSPORT: 7001 WLSADMIN: weblogic OAM11G_WLS_ADMIN_HOST: adminvhn.mycompany.com OAM11G_WLS_ADMIN_PORT: 7001 OAM11G_WLS_ADMIN_USER: weblogic DOMAIN_NAME: OIMDomain OIM_MANAGED_SERVER_NAME: WLS_OIM1 DOMAIN_LOCATION: ORACLE_BASE/admin/OIMDomain/aserver/OIMDomain
Notes:
Set IDSTORE_HOST
to your Oracle Internet Directory host or load balancer name if you are using Oracle Internet Directory as your Identity Store. If not, set it to your Oracle Virtual Directory host or load balancer name.
Set IDSTORE_DIRECTORYTYPE
to OVD
if you are using Oracle Virtual Directory server to connect to either a non-OID directory or Oracle Internet Directory. Set it to OID
if your Identity Store is in Oracle Internet Directory and you are accessing it directly rather than through Oracle Virtual Directory.
If your access manager servers are configured to accept requests using the simple mode, set OAM_TRANSFER_MODE
to simple
. Otherwise set OAM_TRANSFER_MODE
to open
Set IDSTORE_PORT
to your Oracle Internet Directory port if you are using Oracle Internet Directory as your Identity Store. If not, set it to your Oracle Virtual Directory port.
If you are using a single instance database, then set MDS_URL
to: jdbc:oracle:thin:@DBHOST:1521:SID
If your Oracle Identity Manager components are in a separate domain from your Oracle Access Manager components, you must specify the details of the OAM Domain using the parameters: OAM11G_WLS_ADMIN_HOST
, OAM11G_WLS_ADMIN_PORT
and OAM11G_WLS_ADMIN_USER
.
Integrate Oracle Access Manager with Oracle Identity Manager using the command idmConfigTool
, which is located at:
IAM_ORACLE_HOME
/idmtools/bin
Note:
When you run the idmConfigTool
, it creates or appends to the file idmDomainConfig.param
. This file is generated in the same directory that the idmConfigTool
is run from. To ensure that each time the tool is run, the same file is appended to, always run the idmConfigTool
from the directory:
IAM_ORACLE_HOME
/idmtools/bin
The syntax of the command is
idmConfigTool.sh -configOIM input_file=configfile
on Linux and UNIX-based systems, and
idmConfigTool.bat -configOIM input_file=configfile
on Windows.
For example:
IAM_ORACLE_HOME/idmtools/bin/idmConfigTool.sh -configOIM input_file=oimitg.props
When the script runs you are prompted for the following information:
Access Gate Password
SSO Keystore Password
Global Passphrase
Idstore Admin Password
MDS Database schema password
Admin Server User Password
Sample output:
Enter sso access gate password: Enter sso keystore jks password: Enter sso global passphrase: Enter mds db schema password: Enter idstore admin password: Enter admin server user password: ********* Seeding OAM Passwds in OIM ********* Enter ssoKeystore.jks Password: Enter SSO Global Passphrase: Completed loading user inputs for - CSF Config Updating CSF with Access Gate Password... WLS ManagedService is not up running. Fall back to use system properties for configuration. Updating CSF ssoKeystore.jks Password... Updating CSF for SSO Global Passphrase Password... ********* ********* ********* ********* Activating OAM Notifications ********* Completed loading user inputs for - MDS DB Config Initialized MDS resources Apr 11, 2011 4:57:45 AM oracle.mds NOTIFICATION: transfer operation started. Apr 11, 2011 4:57:46 AM oracle.mds NOTIFICATION: transfer is completed. Total number of documents successfully processed: 1, total number of documents failed: 0. Upload to DB completed Releasing all resources Notifications activated. ********* ********* ********* ********* Seeding OAM Config in OIM ********* Completed loading user inputs for - OAM Access Config Validated input values Initialized MDS resources Apr 11, 2011 4:57:46 AM oracle.mds NOTIFICATION: transfer operation started. Apr 11, 2011 4:57:47 AM oracle.mds NOTIFICATION: transfer is completed. Total number of documents successfully processed: 1, total number of documents failed: 0. Download from DB completed Releasing all resources Updated /u01/app/oracle/product/fmw/iam/server/oamMetadata/db/oim-config.xml Initialized MDS resources Apr 11, 2011 4:57:47 AM oracle.mds NOTIFICATION: transfer operation started. Apr 11, 2011 4:57:47 AM oracle.mds NOTIFICATION: transfer is completed. Total number of documents successfully processed: 1, total number of documents failed: 0. Upload to DB completed Releasing all resources OAM configuration seeded. Please restart oim server. ********* ********* ********* ********* Configuring Authenticators in OIM WLS ********* Completed loading user inputs for - Dogwood Admin WLS Completed loading user inputs for - LDAP connection info Connecting to t3://adminvhn.mycompany.com:7001 Connection to domain runtime mbean server established Starting edit session Edit session started Connected to security realm. Validating provider configuration Validated desired authentication providers Validated authentication provider state successfuly. Created OAMIDAsserter successfuly Created OIDAuthenticator successfuly Created OIMSignatureAuthenticator successfuly Setting attributes for OID Authenticator All attributes set. Configured in OID Authenticator now lDAP details configured in OID authenticator Control flags for authenticators set sucessfully Reordering of authenticators done sucessfully Saving the transaction Transaction saved Activating the changes Changes Activated. Edit session ended. Connection closed sucessfully ********* ********* *********
Note:
If you have already enabled single sign-on for your WebLogic Administration Consoles as described in Section 20.3, "Create WebLogic Security Providers" when this script is run, you might see the following errors when this script is run:
ERROR: Desired authenticators already present. [Ljava.lang.String;@7fdb492] ERROR: Error occurred while configuration. Authentication providers to be configured already present. ERROR: Rolling back the operation..
These errors can be ignored.
Check the log file for errors and correct them if necessary.
After integrating Oracle Access Manager with Oracle Identity Manager, you must update the TAP authentication scheme to perform user validation using the LDAP attribute uid
.
Proceed as follows:
Log in to the OAM console at the URL listed in Section 21.2, "About Identity Management Console URLs."
Click Policy Configuration.
Click TAPResponseOnlyScheme under Authentication Schemes.
Click Open.
Add MatchLDAPAttribute=uid
to the Challenge Parameters field.
Click Apply.
Restart the Administration server and the Oracle Access Manager managed servers as described in Section 21.1, "Starting and Stopping Oracle Identity Management Components."
When configOIM
has finished, it will have created an Oracle Virtual Directory authenticator (if you are using Oracle Virtual Directory) in the domain where Oracle Identity Manager is installed. Update this authenticator as follows.
Log in to WebLogic console at the URL listed in Section 21.2, "About Identity Management Console URLs."
Click Security Realms from the domain structure.
Click My Realm.
Click the Providers tab.
Click the OVDAuthenticator provider.
Click Lock and Edit.
Click Provider Specific tab.
Change the following values:
All Users Filter: (&(uid=*)(objectclass=person))
User From Name Filter: (&(uid=%u)(objectclass=person))
Click Save.
Click Activate Changes.
Restart the Administration Servers and any other managed servers that are running in the domain, as described in Section 21.1, "Starting and Stopping Oracle Identity Management Components."
After you integrate Oracle Identity Manager with Oracle Access Manager, two xelsysadm
accounts exist. One is the internal account created by Oracle Identity Manager. The other is the account you created in the Identity Store in Section 11.5, "Preparing the Identity Store."
The xelsysadm
account located in the LDAP store is the one used to access the OIM console. If you want to change the password of this account, change it in LDAP. You can use ODSM to do this. Do not change it through the OIM console.
To validate integration, you must assign Identity Management administrators to WebLogic security groups and install WebGate as described in Chapter 20, "Configuring Single Sign-on for Administration Consoles in an Enterprise Deployment."
To validate that the wiring of Oracle Access Manager 11g with Oracle Identity Manager 11g was successful, attempt to log in to the Oracle Identity Manager Self Service Console, as follows:
Using a browser, navigate to https://sso.mycompany.com/oim
. This redirects you to the OAM11g single sign-on page.
Log in using the xelsysadm
user account created in Section 11.5, "Preparing the Identity Store."
If you see the OIM Self Service Console Page, the integration was successful.
After the complete Identity Management environment is set up, prepare the environment for Fusion Applications provisioning, as described in this section.
This section contains the following topics:
In earlier chapters, you were instructed to always run idmConfigTool
from the same directory so that the tool would create or append to the file idmDomainConfig.param
.in that directory. The file idmDomainConfig.param
in IAM_ORACLE_HOME
/idmtools/bin
now contains all the parameters that are required for Fusion Applications provisioning. Use that file as input to the Fusion Applications provisioning tool.
To enable Fusion Applications to communicate with the Identity Management domain using SSL Server Authentication Mode, you must generate a client certificate and provide it to the Fusion Applications Provisioning process. You must provide a keystore containing the Trust point used by the Identity Management domain to the Fusion Applications.
Note:
If you are using Windows, you must install a UNIX emulation package such as Cygwin in order to run the scripts contained in this section. See http://www.cygwin.com
.
When using Cygwin, ensure that you use the "/
" character in path names when exporting a variable. For example:
export ORACLE_HOME=c:/oracle/idm
To generate a keystore containing a client certificate, perform the following steps:
Set the ORACLE_HOME
and JAVA_HOME
variables. For example, on OIDHOST1, issue these commands:
export ORACLE_HOME=IDM_ORACLE_HOME
export PATH=$JAVA_HOME/bin:$PATH
To generate the certificate, use the tool ./SSLClientConfig.sh
, which is located in:
ORACLE_COMMON_HOME
/bin
For example
./SSLClientConfig.sh -component cacert
As the command runs, enter the following values when prompted:
LDAP Host Name: policystore.mycompany.com
LDAP Port: 389
LDAP User: cn=orcladmin
Password: Password_for_cn=orcladmin
SSL Domain: IDMDomain
Keystore Password: Enter a password to protect the keystore
Confirm Password: Reenter the password.
The following is typical output from the command:
./SSLClientConfig.sh -component cacert SSL Automation Script: Release 11.1.1.4.0 - ProductionCopyright (c) 2010 Oracle. All rights reserved. Downloading the CA certificate from a central LDAP location Creating a common trust store in JKS and Oracle Wallet formats ... Configuring SSL clients with the common trust store... Make sure that your LDAP server is currently up and running. Downloading the CA certificate from the LDAP server... >>>Enter the LDAP hostname [oidhost1.mycompany.com]: policystore.mycompany.com >>>Enter the LDAP port: [3060]? 389 >>>Enter your LDAP user [cn=orcladmin]:>>>Enter password for cn=orcladmin: >>>Enter the sslDomain for the CA [idm]: IDMDomain >>>Searching the LDAP for the CA usercertificate ... Importing the CA certifcate into trust stores... >>>The common trust store in JKS format is located at /u01/app/oracle/product/fmw/IDM/rootCA/keystores/tmp/trust.jks >>>The common trust store in Oracle wallet format is located at /u01/app/oracle/product/fmw/IDM/rootCA/keystores/tmp/ewallet.p12 Generate trust store for the CA cert at cn=IDMDomain,cn=sslDomains >>>Enter a password to protect your truststore: >>>Enter confirmed password for your truststore: Create directory /u01/app/oracle/product/fmw/IDM/rootCA/keystores/common Importing the CA certifcate into trust stores... >>>The common trust store in JKS format is located at /u01/app/oracle/product/fmw/IDM/rootCA/keystores/common/trust.jks >>>The common trust store in Oracle wallet format is located at /u01/app/oracle/product/fmw/IDM/rootCA/keystores/common/ewallet.p12
This creates a file called trust.jks
which must be provided to the Fusion Applications Provisioning process. After creating this certificate, you must delete the private key within this key. Use the following command:
keytool -delete -keystore trust.jks -alias testkey -storepass store_password
Oracle Fusion Applications provisioning uses this file to validate that the Identity Management installation is set up appropriately before provisioning takes place. In addition to this certificate, the keystore must also contain the certificate used by the load balancer for sso.mycompany.com
.
Before you start this procedure, obtain a copy of the certificate by using your browser. First access https://sso.mycompany.com:443
, then follow the instructions to download the certificate to a file. (Each browser does this differently.)
After you have obtained the certificate, load it into the keystore using the following command:
keytool -import -v -noprompt -trustcacerts -alias "OIM" -file loadbalancer.cer -keystore trust.jks
where loadbalancer.cer
is the name of the file where the load balancers SSL certificate is stored.
In Service Provider (SP) mode, Oracle Access Manager delegates user authentication to Oracle Identity Federation, which uses the Federation Oracle Single Sign-On protocol with a remote Identity Provider. Once the Federation Oracle Single Sign-On flow is performed, Oracle Identity Federation will create a local session and then propagates the authentication state to Oracle Access Manager, which maintains the session information.
This section provides the steps to integrate OIF with OAM11g in authentication mode and SP mode.
This section contains the following topics:
Before starting this integration, ensure that the following tasks have been performed:
Install and configure Oracle Identity Federation as described in Chapter 16, "Extending the Domain to Include Oracle Identity Federation."
Install and configure Oracle Access Manager as described in Chapter 14, "Configuring Oracle Access Manager 11g."
Install and configure Oracle HTTP Server as described in Section 6.2, "Installing Oracle HTTP Server."
Install and configure WebGate as described in
This section covers the following topics:
In SP mode, Oracle Identity Federation uses federation protocols to authenticate a user, and then requests the authentication module to create an authenticated session at Oracle Access Manager. Oracle Access Manager 11g SP engine is used for this purpose. The engine also provides logout integration. To configure the SP engine, run the setupOIFOAMConfig
script from IDMHOST1.
To perform the integration proceed as follows:
On IDMHOST1, set the DOMAIN_HOME and IDM_ORACLE_HOME environment variables. Then, set the environment by running the setOIFEnv.sh
script in the current shell. The script resides at IDM_ORACLE_HOME
/fed/scripts
.
For example:
export DOMAIN_HOME=/u01/app/oracle/admin/IDMDomain/aserver/IDMDomain export IDM_ORACLE_HOME=IDM_ORACLE_HOME cd $IDM_ORACLE_HOME/fed/scripts . setOIFEnv.sh
Change Directory to IDM_ORACLE_HOME
/fed/scripts/oam
.
Execute the setupOIFOAMConfig
script providing the following input parameters:
oifHost
: Hostname of one off the OIF managed servers
oifPort
: Port number of OIF Managed server
oifAdminHost
: Hostname of WebLogic Admin server
oifAdminPort
: Port number of WebLogic Admin server
oamAdminHost
: Hostname of WebLogic Admin Server
oamAdminPort
: Port number of WebLogic Admin server
agentType
: The agent type used, for example, webgate10g
For UNIX and Linux, the syntax is:
oifHost=myhost oifPort=portnum oamAdminHost=myhost2 oamAdminPort=portnum2 agentType=webgate10g ./setupOIFOAMConfig.sh
For Windows, the syntax is:
setupOIFOAMConfig.cmd "oifHost=myhost" "oifPort=portnum" "oamAdminHost=myhost2" "oamAdminPort=portnum2" "agentType=webgate10g"
For example:
oifHost=idmhost1 oifAdminHost=adminvhn oamAdminHost=oamhost1 oifPort=7499 oifAdminPort=7001 oamAdminPort=7001 agentType=webgate10g ./setupOIFOAMConfig.sh
The script prompts you for the username and password you use to connect to the WebLogic Administration Server, for example, weblogic
.
Sample Output:
Initializing WebLogic Scripting Tool (WLST) ... Welcome to WebLogic Server Administration Scripting Shell Type help() for help on available commands OIF admin user : weblogic_idm *OIF admin password:********* OAM admin user : oamadmin *OAM admin password:********* Connecting to t3://ADMINVHN:7001 with userid weblogic ... Successfully connected to Admin Server 'AdminServer' that belongs to domain 'IDMDomain'. Warning: An insecure protocol was used to connect to the server. To ensure on-the-wire security, the SSL port orAdmin port should be used instead. Location changed to domainRuntime tree. This is a read-only tree with DomainMBean as the root. For more help, use help(domainRuntime) Already in Domain Runtime Tree Already in Domain Runtime Tree Disconnected from weblogic server: AdminServer Connecting to t3://ADMINVHN:7001 with userid weblogic ... Successfully connected to Admin Server 'AdminServer' that belongs to domain 'IDMDomain'. Warning: An insecure protocol was used to connect to the server. To ensure on-the-wire security, the SSL port orAdmin port should be used instead. Disconnected from weblogic server: AdminServer Connecting to t3://IDMHOST1:7499 with userid weblogic ... Successfully connected to managed Server 'wls_oif1' that belongs to domain 'IDMDomain'. Warning: An insecure protocol was used to connect to the server. To ensure on-the-wire security, the SSL port orAdmin port should be used instead. Disconnected from weblogic server: wls_oif1 Connecting to t3://ADMINVHN:7001 with userid weblogic ... Successfully connected to Admin Server 'AdminServer' that belongs to domain 'IDMDomain'. Warning: An insecure protocol was used to connect to the server. To ensure on-the-wire security, the SSL port orAdmin port should be used instead. Disconnected from weblogic server: AdminServerConnecting to t3://ADMINVHN:7001 with userid weblogic ...Successfully connected to Admin Server 'AdminServer' that belongs to domain 'IDMDomain'. Warning: An insecure protocol was used to connect to the server. To ensure on-the-wire security, the SSL port orAdmin port should be used instead. Registration SuccessfulDisconnected from weblogic server: AdminServer
Restart Managed servers WLS_OIF1 and WLS_OIF2 as described in Section 21.1, "Starting and Stopping Oracle Identity Management Components."
Oracle Access Manager ships with an Oracle Identity Federation Authentication Scheme. This scheme needs to be updated before it can be used. To update the scheme, log in to the OAM console as the OAM administration user. Use the URL listed in Section 21.2, "About Identity Management Console URLs." Then perform the following steps:
Click the Policy Configuration tab.
Expand Authentication Schemes under the Shared Components tree.
Select OIFScheme from under the Authentication Schemes and then select Open from the menu.
On the Authentication Schemes page, provide the following information
Challenge URL: https://sso.mycompany.com:443/fed/user/sposso
Context Type: Select external from the list.
Accept the defaults for all other values
Click Apply to update the OIFScheme
.
After you have verified that the extended domain is working, back up the domain configuration. This is a quick backup for the express purpose of immediate restore in case of failures in future procedures. Back up the configuration to the local disk. This backup can be discarded once you have completed the enterprise deployment. Once you have completed the enterprise deployment, you can initiate the regular deployment-specific backup and recovery process.
For information about backing up the environment, see "Backing Up Your Environment" in the Oracle Fusion Middleware Administrator's Guide. For information about recovering your information, see "Recovering Your Environment" in the Oracle Fusion Middleware Administrator's Guide.
To back up the configuration a this point:
Back up the Web tier:
Shut down the instance using opmnctl
.
ORACLE_BASE/admin/instance_name/bin/opmnctl stopall
Back up the Middleware Home on the web tier using the following command (as root):
tar -cvpf BACKUP_LOCATION/web.tar $MW_HOME
Back up the Instance Home on the web tier using the following command (as root):
tar -cvpf BACKUP_LOCATION/web_instance.tar $ORACLE_INSTANCE
Start the instance using opmnctl
:
ORACLE_BASE/admin/instance_name/bin/opmnctl startall
Back up the database. This is a full database backup (either hot or cold) using Oracle Recovery Manager (recommended) or OS tools such as tar
for cold backups if possible.
Back up the Administration Server domain directory to save your domain configuration. The configuration files are located in the following directory:
ORACLE_BASE/admin/domain_name
To back up the Administration Server run the following command on OIMHOST1:
tar -cvpf edgdomainback.tar ORACLE_BASE/admin/domain_name