This chapter includes the following topics:
Table 3-1 lists the general installation and configuration tasks that apply to Oracle Identity and Access Management 11g Release 2 (11.1.2) products.
Table 3-1 Installation and Configuration Flow for Oracle Identity and Access Management
| No. | Task | Description |
|---|---|---|
|
1 |
Review installation concepts in the Installation Planning Guide. |
Read the Oracle Fusion Middleware Installation Planning Guide, which describes the process for various users to install or upgrade to Oracle Fusion Middleware 11g (11.1.2) depending on the user's existing environment. |
|
2 |
Review the system requirements and certification documents to ensure that your environment meets the minimum installation requirements for the components you are installing. |
For more information, see Section 2.1, "Reviewing System Requirements and Certification". |
|
3 |
Obtain the Oracle Fusion Middleware Software. |
For more information, see Section 3.2.1, "Obtaining the Oracle Fusion Middleware Software" |
|
4 |
Review the Database requirements. |
For more information, see Section 3.2.2, "Database Requirements". |
|
5 |
Run Oracle Fusion Middleware Repository Creation Utility (RCU) to create and load the appropriate schemas for Oracle Identity and Access Management products. |
For more information, see Section 3.2.3, "Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU)". |
|
6 |
Review WebLogic Server and Middleware Home requirements. |
For more information, see Section 3.2.4, "WebLogic Server and Middleware Home Requirements". |
|
7 |
For Oracle Identity Manager users only: Install the latest version of Oracle SOA Suite 11g (11.1.1.6.0). |
For more information, see Section 3.2.5, "Installing Oracle SOA Suite 11.1.1.6.0 (Oracle Identity Manager Users Only)". |
|
8 |
Start the Oracle Identity and Access Management Installer. |
For more information, see Section 3.2.6, "Starting the Oracle Identity and Access Management Installer". |
|
9 |
Install the Oracle Identity and Access Management 11g software. |
For more information, see Section 3.2.7, "Installing Oracle Identity and Access Management (11.1.2)". |
|
10 |
Run the Oracle Fusion Middleware Configuration Wizard to configure your Oracle Identity and Access Management products in a new or existing WebLogic domain. |
For more information, see Section 3.2.8, "Configuring Oracle Identity and Access Management (11.1.2) Products". Note: If you are using Oracle Identity Manager, you must perform additional configuration after configuring Oracle Identity Manager in a WebLogic domain. For more information, see Chapter 5, "Configuring Oracle Identity Manager". |
|
11 |
Configure the Database Security Store. |
For more information, see Section 3.2.9, "Configuring Database Security Store for an Oracle Identity and Access Management Domain". |
|
12 |
Start the servers. |
You must start the Administration Server and all Managed Servers. For more information, see Section C.1, "Starting the Stack". |
Follow the instructions in this section to install and configure the latest Oracle Identity and Access Management software.
Installing and configuring the latest version of Oracle Identity and Access Management 11g components involves the following steps:
Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU)
Installing Oracle SOA Suite 11.1.1.6.0 (Oracle Identity Manager Users Only)
Starting the Oracle Identity and Access Management Installer
Configuring Oracle Identity and Access Management (11.1.2) Products
Configuring Database Security Store for an Oracle Identity and Access Management Domain
For installing Oracle Identity and Access Management, you must obtain the following software:
Oracle WebLogic Server 11g Release 1 (10.3.6) or Oracle WebLogic Server 11g Release 1 (10.3.5)
Oracle Database
Oracle Repository Creation Utility
Oracle Identity and Access Management Suite
Oracle SOA Suite 11.1.1.6.0 (required for Oracle Identity Manager only)
For more information on obtaining Oracle Fusion Middleware 11g software, see Oracle Fusion Middleware Download, Installation, and Configuration ReadMe.
Some Oracle Identity and Access Management components require an Oracle Database. Ensure that you have an Oracle Database installed on your system before installing Oracle Identity and Access Management. The database must be up and running to install the relevant Oracle Identity and Access Management component. The database does not have to be on the same system where you are installing the Oracle Identity and Access Management component.
The following database versions are supported:
10.2.0.4 and higher
11.1.0.7 and higher
11.2.0.1 and higher
Note:
For information about RCU requirements for Oracle Databases, see "RCU Requirements for Oracle Databases" topic in the Oracle Fusion Middleware System Requirements and Specifications document.
To identify the patches required for Oracle Identity Manager 11.1.2 configurations that use Oracle Database 11.1.0.7, refer to the Oracle Identity Manager section of the 11g Release 2 Oracle Fusion Middleware Release Notes.
You must create and load the appropriate Oracle Fusion Middleware schemas in the database using RCU before installing and configuring the following Oracle Identity and Access Management components:
Oracle Identity Manager
Oracle Access Management
Oracle Adaptive Access Manager
Oracle Entitlements Server
Oracle Privileged Account Manager
Oracle Identity Navigator
For more information on obtaining Oracle Fusion Middleware Repository Creation Utility, see Oracle Fusion Middleware Download, Installation, and Configuration ReadMe.
Notes:
RCU is available only on Linux and Windows platforms. Use the Linux RCU to create schemas on supported UNIX databases. Use the Windows RCU to create schemas on supported Windows databases. After you extract the contents of the rcuHome.zip file to a directory, you can see the executable file rcu in the BIN directory.
For information on launching and running RCU, see the "Launching RCU with a Variety of Methods" and "Running Oracle Fusion Middleware Repository Creation Utility (RCU)" topics in the Oracle Fusion Middleware Repository Creation Utility User's Guide.
For information on creating schemas, see the "Creating Schemas" topic in the Oracle Fusion Middleware Repository Creation Utility User's Guide.
For information about troubleshooting RCU, see the "Troubleshooting Repository Creation Utility" topic in the Oracle Fusion Middleware Repository Creation Utility User's Guide.
Before running RCU, ensure that you have the database connection string, port, administrator credentials, and service name ready.
When you run RCU, create and load only the following schemas for the Oracle Identity and Access Management component you are installing—do not select any other schema available in RCU:
For Oracle Identity Manager, select the Identity Management - Oracle Identity Manager schema. When you select the Identity Management - Oracle Identity Manager schema, the following schemas are also selected, by default:
SOA Infrastructure
User Messaging Service
AS Common Schemas - Oracle Platform Security Services
AS Common Schemas - Metadata Services
For Oracle Adaptive Access Manager, select the Identity Management - Oracle Adaptive Access Manager schema. When you select the Identity Management - Oracle Adaptive Access Manager schema, the following schemas are also selected, by default:
AS Common Schemas - Oracle Platform Security Services
AS Common Schemas - Metadata Services
AS Common Schemas - Audit Services
For Oracle Adaptive Access Manager with partition schema support, select the Identity Management - Oracle Adaptive Access Manager (Partition Supp...) schema. When you select the Identity Management - Oracle Adaptive Access Manager (Partition Supp...) schema, the following schemas are also selected, by default:
AS Common Schemas - Oracle Platform Security Services
AS Common Schemas - Metadata Services
AS Common Schemas - Audit Services
Note:
For information about Oracle Adaptive Access Manager schema partitions, see Appendix J, "Oracle Adaptive Access Manager Partition Schema Reference".
For Oracle Access Management, select the Identity Management - Oracle Access Manager schema. When you select the Identity Management - Oracle Access Manager schema, the following schemas are also selected, by default:
AS Common Schemas - Oracle Platform Security Services
AS Common Schemas - Metadata Services
AS Common Schemas - Audit Services
Note:
If you want to use Transparent Data Encryption (TDE) for Oracle Access Management, you must set up TDE for Oracle Access Management before creating the Oracle Access Management schema. For more information, see Section 6.4, "Optional: Setting Up TDE for Oracle Access Management".
For Oracle Entitlements Server, select the AS Common Schemas - Oracle Platform Security Services schema. By default, the AS Common Schemas - Metadata Services schema is also selected.
For Oracle Privileged Account Manager, select the Identity Management - Oracle Privileged Account Manager schema. When you select the Identity Management - Oracle Privileged Account Manager schema, the following schemas are also selected, by default:
AS Common Schemas - Oracle Platform Security Services
AS Common Schemas - Metadata Services
For Oracle Identity Navigator, select the AS Common Schemas - Oracle Platform Security Services schema. By default, the AS Common Schemas - Metadata Services schema is also selected.
Note:
When you create a schema, be sure to remember the schema owner and password that is shown in RCU. You must specify the schema owner and password information when you configure the Oracle Identity and Access Management products.
If you are creating schemas on databases with Oracle Database Vault installed, note that statements, such as CREATE USER, ALTER USER, DROP USER, CREATE PROFILE, ALTER PROFILE, and DROP PROFILE can only be issued by a user with the DV_ACCTMGR role. SYSDBA can issue these statements by modifying the Can Maintain Accounts/Profiles rule set only if it is allowed.
Before you can install Oracle Identity and Access Management 11g Release 2 (11.1.2) components, you must ensure that you have installed Oracle WebLogic Server 11g Release 1 (10.3.6) or Oracle WebLogic Server 11g Release 1 (10.3.5), and created a Middleware Home directory.
Note:
On 64-bit platforms, when you install Oracle WebLogic Server using the generic jar file, JDK is not installed with Oracle WebLogic Server. You must install JDK separately, before installing Oracle WebLogic Server.
Ensure that the JDK version you select is Java SE 6 Update 24 or higher.
For more information, see "Install Oracle WebLogic Server" in Oracle Fusion Middleware Installation Planning Guide. In addition, see Oracle Fusion Middleware Installation Guide for Oracle WebLogic Server for complete information about installing Oracle WebLogic Server.
Note:
By default, WebLogic domains are created in a directory named domains located in the user_projects directory under your Middleware Home. After you configure any of the Oracle Identity and Access Management products in a WebLogic administration domain, a new directory for the domain is created in the domains directory. In addition, a directory named applications is created in the user_projects directory. This applications directory contains the applications deployed in the domain.
If you are installing Oracle Identity Manager, you must install Oracle SOA Suite 11.1.1.6.0. Note that only Oracle Identity Manager requires Oracle SOA Suite. This step is required because Oracle Identity Manager uses process workflows in Oracle SOA Suite to manage request approvals.
For more information about installing Oracle SOA Suite 11.1.1.6.0, see Oracle Fusion Middleware Installation Guide for Oracle SOA Suite and Oracle Business Process Management Suite.
Note:
If you have already created a Middleware Home before installing Oracle Identity and Access Management components, do not create a new Middleware Home again. You must use the same Middleware Home for installing Oracle SOA Suite.
This topic explains how to start the Oracle Identity and Access Management Installer.
Notes:
If you are installing on an IBM AIX operating system, you must run the rootpre.sh script from the Disk1 directory before you start the installer.
Starting the Installer as the root user is not supported.
Start the Installer by executing one of the following commands:
UNIX: <full path to the runInstaller directory>/runInstaller -jreLoc <full path to the JRE directory>
Windows: <full path to the setup.exe directory>\setup.exe -jreLoc <full path to the JRE directory>
Note:
The installer prompts you to enter the absolute path of the JRE that is installed on your system. When you install Oracle WebLogic Server, the jrockit_1.6.0_29 directory is created under your Middleware Home. You must enter the absolute path of the JRE folder located in this JDK when launching the installer. For example, on Windows, if the JDK is located in D:\oracle\Middleware\jrockit_1.6.0_29, then launch the installer from the command prompt as follows:
D:\setup.exe -jreLoc D:\oracle\Middleware\jrockit_1.6.0_29\jre
If you do not specify the -jreLoc option on the command line when using the Oracle JRockit JDK, the following warning message is displayed:
-XX:MaxPermSize=512m is not a valid VM option. Ignoring
This warning message does not affect the installation. You can continue with the installation.
On 64 bit platforms, when you install Oracle WebLogic Server using the generic jar file, the jrockit_1.6.0_29 directory will not be created under your Middleware Home. You must enter the absolute path of the JRE folder from where your JDK is located.
This topic describes how to install the Oracle Identity and Access Management 11g software, which includes Oracle Identity Manager, Oracle Access Management, Oracle Adaptive Access Manager, Oracle Identity Navigator, Oracle Entitlements Server, Oracle Privileged Account Manager, and Oracle Access Management Mobile and Social.
It includes the following sections:
Performing the installation in this section installs the following products:
Oracle Identity Manager
Oracle Access Management
Note:
Oracle Identity and Access Management 11g Release 2 (11.1.2) contains Oracle Access Management which includes the following services:
Oracle Access Manager
Oracle Access Management Security Token Service
Oracle Access Management Identity Federation
Oracle Access Management Mobile and Social
For more information about these services, see "Oracle Product Introduction" in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Management.
Oracle Adaptive Access Manager
Note:
For Oracle Identity and Access Management 11.1.2, Oracle Adaptive Access Manager includes two components
Oracle Adaptive Access Manager (Online)
Oracle Adaptive Access Manager (Offline)
Oracle Identity Navigator
Oracle Entitlements Server
Note:
When you are installing Oracle Identity and Access Management, only the Administration Server of Oracle Entitlements Server is installed.
To install and configure Oracle Entitlements Server Client, see Section 8.6, "Installing Oracle Entitlements Server Client".
Oracle Privileged Account Manager
Note:
For an introduction to the Oracle Privileged Account Manager, see "Understanding Oracle Privileged Account Manager" in the Oracle Fusion Middleware Administrator's Guide for Oracle Privileged Account Manager.
Oracle Access Management Mobile and Social
Notes:
For an introduction to the Oracle Access Management Mobile and Social, see "Understanding Mobile and Social" chapter in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Management.
Oracle Access Management Mobile and Social standalone template does not use the database security store. If Oracle Access Management Mobile and Social is deployed standalone in a domain, and if you want to extend that domain to include other Oracle Identity and Access Management 11gR2 components, you must complete the following additional steps:
Create an Oracle Platform Security Services schema using the Oracle Fusion Middleware Repository Creation Utility (RCU). For more information, see Section 3.2.3, "Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU)".
Extend the Oracle Access Management Mobile and Social domain with Oracle Platform Security Service 11.1.1.0 [IAM_Home] template.
For information on extending WebLogic Server domains, see "Extending WebLogic Domains" chapter in the Oracle Fusion Middleware Creating Domains Using the Configuration Wizard guide.
The Oracle Access Management Mobile and Social domain can now be extended to include other Oracle Identity and Access Management 11gR2 components.
The installation in this section depends on the following:
Oracle WebLogic Server 11g Release 1 (10.3.6) or Oracle WebLogic Server 11g Release 1 (10.3.5)
Oracle Database and any required patches
Oracle SOA Suite 11.1.1.6.0 (required for Oracle Identity Manager only)
JDK (Java SE 6 Update 24 or higher) or JRockit
Complete the following steps to install the Oracle Identity and Access Management suite that contains Oracle Identity Manager, Oracle Access Management, Oracle Adaptive Access Manager, Oracle Identity Navigator, Oracle Entitlements Server, Oracle Privileged Account Manager, and Oracle Access Management Mobile and Social:
Start your installation by performing all the steps in Section 3.2.6, "Starting the Oracle Identity and Access Management Installer". After you complete those steps, the Welcome screen appears.
Click Next on the Welcome screen. The Install Software Updates screen appears. Select whether or not you want to search for updates. Click Next.The Prerequisite Checks screen appears. If all prerequisite checks pass inspection, click Next. The Specify Installation Location screen appears.
On the Specify Installation Location screen, enter the path to the Oracle Middleware Home that was created when you installed Oracle WebLogic Server 11g Release 1 (10.3.6) or Oracle WebLogic Server 11g Release 1 (10.3.5) on your system.
Note:
If you do not specify a valid Middleware Home directory on the Specify Installation Location screen, the Installer displays a message and prompts you to confirm whether you want to proceed with the installation of only Oracle Identity Manager Design Console and Oracle Identity Manager Remote Manager. These two components of Oracle Identity Manager do not require a Middleware Home directory.
If you want to install only Oracle Identity Manager Design Console or Remote Manager, you do not need to install Oracle WebLogic Server or create a Middleware Home directory on the machine where Design Console or Remote Manager is being configured.
Before using Oracle Identity Manager Design Console or Remote Manager, you must configure Oracle Identity Manager Server on the machine where the Administration Server is running. When configuring Design Console or Remote Manager on a different machine, you can specify the Oracle Identity Manager Server host and URL information.
In the Oracle Home Directory field, enter a name for the Oracle Home folder that will be created under your Middleware Home. This directory is also referred to as IAM_Home in this book.
Note:
The name that you provide for the Oracle Home for installing the Oracle Identity and Access Management suite should not be same as the Oracle Home name given for the Oracle Identity Management suite.
Oracle Identity Management 11g Release 1 is part of Oracle Fusion Middleware and includes components like Oracle Internet Directory, Oracle Virtual Directory, Oracle Directory Services Manager, Oracle Directory Integration Platform, and Oracle Identity Federation.
Click Next. The Installation Summary screen appears.
The Installation Summary screen displays a summary of the choices that you made. Review this summary and decide whether to start the installation. If you want to modify any of the configuration settings at this stage, select a topic in the left navigation page and modify your choices. To continue installing Oracle Identity and Access Management, click Install. The Installation Progress screen appears. Click Next.
Note:
If you cancel or abort when the installation is in progress, you must manually delete the <IAM_Home> directory before you can reinstall the Oracle Identity and Access Management software.
To invoke online help at any stage of the installation process, click the Help button on the installation wizard screens.
The Installation Complete screen appears. On the Installation Complete screen, click Finish.
This installation process copies the Identity Management software to your system and creates an IAM_Home directory under your Middleware Home.
After installing the Oracle Identity and Access Management software, you must proceed to Section 3.2.8, "Configuring Oracle Identity and Access Management (11.1.2) Products," to configure Oracle Identity and Access Management products in a new or existing WebLogic domain.
This section describes the directory structure after installation of Oracle WebLogic Server and Oracle Identity and Access Management.
After you install the Oracle Identity and Access Management suite, an Oracle Home directory for Oracle Identity and Access Management, such as Oracle_IDM1, is created under your Middleware Home. This home directory is also referred to as IAM_Home in this guide.
For more information about identifying installation directories, see Section 2.3, "Identifying Installation Directories".
After Oracle Identity and Access Management 11g is installed, you are ready to configure the WebLogic Server Administration Domain for Oracle Identity and Access Management components. A domain includes a special WebLogic Server instance called the Administration Server, which is the central point from which you configure and manage all resources in the domain.
When you configure an Oracle Identity and Access Management 11.1.2 component, you can choose one of the following configuration options:
Note:
You should not extend the Oracle Identity Management 11g Release 1 (11.1.1.6.0) domain to support Oracle Identity and Access Management 11g Release 2 (11.1.2) products.
You can use the Oracle Fusion Middleware Configuration Wizard to create a WebLogic domain or extend an existing domain.
Select the Create a new WebLogic domain option on the Welcome screen in the Oracle Fusion Middleware Configuration Wizard to create a new WebLogic Server domain.
Select the Extend an existing WebLogic domain option on the Welcome screen in the Oracle Fusion Middleware Configuration Wizard to add Oracle Identity and Access Management components in an existing Oracle WebLogic Server administration domain.
See:
The "Understanding Oracle WebLogic Server Domains" chapter in the Oracle Fusion Middleware Understanding Domain Configuration for Oracle WebLogic Server guide for more information about Oracle WebLogic Server administration domains.
In addition, see the Oracle Fusion Middleware Creating Domains Using the Configuration Wizard guide for complete information about how to use the Configuration Wizard to create or extend WebLogic Server domains. This guide also provides the Oracle Fusion Middleware Configuration Wizard Screens.
For component-specific configuration information about Oracle Identity and Access Management products, see the following chapters:
Chapter 8, "Installing and Configuring Oracle Entitlements Server,"
Chapter 10, "Configuring Oracle Access Management Mobile and Social"
If you are configuring Oracle Identity Manager, you must run the Oracle Identity Manager Configuration Wizard after configuring a domain, to configure Oracle Identity Manager Server, Oracle Identity Manager Design Console, and Oracle Identity Manager Remote Manager as described in Section 5.6, "Starting the Oracle Identity Manager 11g Configuration Wizard". For more information, see the following sections:
This section discusses the following topics:
You must run the configureSecurityStore.py script to configure the Database Security Store as it is the only security store type supported by the Oracle Identity & Access Management 11g Release 2 (11.1.2).
The configureSecurityStore.py script is located in the <IAM_HOME>\common\tools directory. You can use the -h option for help information about using the script. Note that not all arguments will apply to configuring the Database Security Store.
For example:
On Windows:
<MW_HOME>\oracle_common\common\bin\wlst.cmd <IAM_HOME>\common\tools\configureSecurityStore.py -h
On UNIX:
<MW_HOME>/oracle_common/common/bin/wlst.sh <IAM_HOME>/common/tools/configureSecurityStore.py -h
Table 3-2 describes the parameters you that you may specify on the command line.
Table 3-2 Database Security Store Configuration Parameters
| Parameter | Description |
|---|---|
|
|
Location of the directory containing the domain. |
|
|
|
|
|
The configuration mode of the domain. When configuring Database Security Store this value must be specified as |
|
|
The OPSS schema password. |
|
|
The directory containing the encryption key file |
|
|
The password used when the domain's key file was generated. If |
|
|
The user name of the OPSS schema. If |
Each Oracle Identity and Access Management 11g Release 2 (11.1.2) domain must be configured to have a Database Security Store. Before you configure the Database Security Store for an Oracle Identity and Access Management 11g Release 2 (11.1.2) domain, you must identify the products to be configured in a single-domain scenario or in a multiple-domain scenario.
Note:
Irrespective of the number of domains in a logical Oracle Identity and Access Management 11g Release 2 (11.1.2) deployment (a logical deployment is a collection of Oracle Identity and Access Management products running in one or more domains and using a single database to hold product schemas), all domains share the same Database Security Store and use the same domain encryption key.
The Database Security Store is created at the time of creating the first domain, and then each new domain created is joined with the Database Security Store already created.
Following configureSecurityStore.py options are available for configuring the domain to use the Database Security Store:
-m create
-m join
Configuring the Database Security Store Using Create Option
To configure a domain to use a database security store using the -m create option, you must run the configureSecurityStore.py script as follows:
On Windows:
<MW_HOME>\oracle_common\common\bin\wlst.cmd <IAM_HOME>\common\tools\configureSecurityStore.py -d <domaindir> -c IAM -p <opss_schema_password> -m create
For example:
<MW_HOME>\oracle_common\common\bin\wlst.cmd <IAM_HOME>\common\tools\configureSecurityStore.py -d <MW_Home>\user_projects\domains\base_domain -c IAM -p welcome1 -m create
On UNIX:
<MW_HOME>/oracle_common/common/bin/wlst.sh <IAM_HOME>/common/tools/configureSecurityStore.py -d <domaindir> -c IAM -p <opss_schema_password> -m create
For example:
<MW_HOME>/oracle_common/common/bin/wlst.sh <IAM_HOME>/common/tools/configureSecurityStore.py -d <MW_Home>/user_projects/domains/base_domain -c IAM -p welcome1 -m create
Configuring the Database Security Store Using the Join Option
To configure a domain to use the database security store using the -m join option, you must first export the domain encryption key from a domain in the same logical Oracle Identity and Access Management deployment already configured to work with the database security store, and then run the configureSecurityStore.py script as follows:
Note:
Exporting domain encryption key from a domain already configured to work with the Database Security Store is done via the WLST command:
exportEncryptionKey(jpsConfigFile=<jpsConfigFile>,keyFilePath=<keyFilePath>,keyFilePassword=<keyFilePassword>)
where:
<jpsConfigFile> - is the absolute location of the file jps-config.xml in the domain from which the encryption key is being exported.
<keyFilePath> - is the directory where the file ewallet.p12 is created; note that the content of this file is encrypted and secured by keyFilePassword.
<keyFilePassword> - is the password to secure the file ewallet.p12; note that this same password must be used when importing that file.
On Windows:
Export encryption keys from a domain already configured to work with the Database Security Store as follows:
<MW_HOME>\oracle_common\common\bin\wlst.cmd exportEncryptionKey(jpsConfigFile=<jpsConfigFile>, keyFilePath=<keyFilePath>, keyFilePassword=<keyFilePassword>)
Run the configureSecurityStore.py script with -m join option.
<MW_HOME>\oracle_common\common\bin\wlst.cmd <IAM_HOME>\common\tools\configureSecurityStore.py -d <domaindir> -c IAM -p <opss_schema_password> -m join -k <keyfilepath> -w <keyfilepassword>
For example:
<MW_HOME>\oracle_common\common\bin\wlst.cmd exportEncryptionKey(jpsConfigFile="<MW_HOME>\user_projects\domains\base_domain\config\fmwconfig\jps-config.xml", keyFilePath="myDir" , keyFilePassword="password")
<MW_HOME>\oracle_common\common\bin\wlst.cmd <IAM_HOME>\common\tools\configureSecurityStore.py -d <MW_Home>\user_projects\domains\base_domain1 -c IAM -p welcome1 -m join -k myDir -w password
On UNIX:
Export encryption keys from a domain already configured to work with the Database Security Store as follows:
<MW_HOME>/oracle_common/common/bin/wlst.cmd exportEncryptionKey(jpsConfigFile=<jpsConfigFile>, keyFilePath=<keyFilePath>, keyFilePassword=<keyFilePassword>)
Run the configureSecurityStore.py script with -m join option.
<MW_HOME>/oracle_common/common/bin/wlst.cmd <IAM_HOME>/common/tools/configureSecurityStore.py -d <domaindir> -c IAM -p <opss_schema_password> -m join -k <keyfilepath> -w <keyfilepassword>
For example:
<MW_HOME>/oracle_common/common/bin/wlst.cmd exportEncryptionKey(jpsConfigFile="<MW_HOME>/user_projects/domains/base_domain/config/fmwconfig/jps-config.xml", keyFilePath="myDir" , keyFilePassword="password")
<MW_HOME>/oracle_common/common/bin/wlst.cmd <IAM_HOME>/common/tools/configureSecurityStore.py -d <MW_Home>/user_projects/domains/base_domain1 -c IAM -p welcome1 -m join -k myDir -w password
Validating the Database Security Store Configuration
To validate whether the security store has been created or joined correctly, run the configureSecurityStore.py script with -m validate option, as follows:
On Windows:
<MW_HOME>\oracle_common\common\bin\wlst.cmd <IAM_HOME>\common\tools\configureSecurityStore.py -d <domaindir> -m validate
For example:
<MW_HOME>\oracle_common\common\bin\wlst.cmd <IAM_HOME>\common\tools\configureSecurityStore.py -d <MW_Home>\user_projects\domains\base_domain -m validate
On UNIX:
<MW_HOME>/oracle_common/common/bin/wlst.sh <IAM_HOME>/common/tools/configureSecurityStore.py -d <domaindir> -m validate
For example:
<MW_HOME>/oracle_common/common/bin/wlst.sh <IAM_HOME>/common/tools/configureSecurityStore.py -d <MW_Home>/user_projects/domains/base_domain -m validate
Consider the following example scenarios:
Example Scenario for One or More Oracle Identity and Access Management Products in the Same Domain
Example Scenario for Oracle Identity and Access Management Products in Different Domains
Note:
In a single-domain scenario, the command to create the Database Security Store is executed once after the domain is created but before the domain is started for the first time.
Scenario 1: Oracle Identity Manager, Oracle Access Management, and Oracle Adaptive Access Manager in the same WebLogic Administration Domain Sharing the same Database Security Store
To achieve this, you must complete the following tasks:
Create a new WebLogic domain for Oracle Identity Manager and SOA (for example, oim_dom) by completing the steps described in Table 5-1, "Installation and Configuration Flow for Oracle Identity Manager".
After creating a new WebLogic domain for Oracle Identity Manager and SOA, run the configureSecurityStore.py script to configure the Database Security Store as follows:
On Windows:
<MW_HOME>\oracle_common\common\bin\wlst.cmd <IAM_HOME>\common\tools\configureSecurityStore.py -d <MW_Home>\user_projects\domains\oim_dom -c IAM -p welcome1 -m create
On UNIX:
<MW_HOME>/oracle_common/common/bin/wlst.sh <IAM_HOME>/common/tools/configureSecurityStore.py -d <MW_Home>/user_projects/domains/oim_dom -c IAM -p welcome1 -m create
Extend the Oracle Identity Manager domain (oim_dom) to include Oracle Access Management and Oracle Adaptive Access Manager. For more information, see "Extend an Existing Domain".
Oracle Access Management and Oracle Adaptive Access Manager are added to the Oracle Identity Manager domain (oim_dom), and they share the same Database Security Store used by the Oracle Identity Manager domain.
Note:
In a multiple-domain scenario, the command to create the Database Security Store is executed once after the first domain is created but before the domain is started for the first time.
For each subsequent domain, the command to join the existing Database Security Store is executed once after the domain is created but before the domain is started for the first time.
Scenario 1: Oracle Identity Manager and Oracle Access Management in different WebLogic Administration Domains Sharing the same Database Security Store
To achieve this, you must complete the following tasks:
Create a new WebLogic domain for Oracle Identity Manager and SOA (for example, oim_dom) by completing the steps described in Table 5-1, "Installation and Configuration Flow for Oracle Identity Manager".
After creating a new WebLogic domain for Oracle Identity Manager and SOA, run the configureSecurityStore.py script to configure the Database Security Store as follows:
On Windows:
<MW_HOME>\oracle_common\common\bin\wlst.cmd <IAM_HOME>\common\tools\configureSecurityStore.py -d <MW_Home>\user_projects\domains\oim_dom -c IAM -p welcome1 -m create
On UNIX:
<MW_HOME>/oracle_common/common/bin/wlst.sh <IAM_HOME>/common/tools/configureSecurityStore.py -d <MW_Home>/user_projects/domains/oim_dom -c IAM -p welcome1 -m create
Create a new WebLogic domain for Oracle Access Management (for example oam_dom) by completing the steps described in Table 6-1, "Installation and Configuration Flow for Oracle Access Management".
After creating a new WebLogic domain for Oracle Access Management, export the domain encryption key from the Oracle Identity Manager/SOA domain, and run the configureSecurityStore.py script to configure the Database Security Store as follows:
On Windows:
<MW_HOME>\oracle_common\common\bin\wlst.cmd exportEncryptionKey(jpsConfigFile="<MW_Home>\user_projects\domains\oim_dom\config\fmwconfig\jps-config.xml", keyFilePath="myDir" ,keyFilePassword="password") <MW_HOME>\oracle_common\common\bin\wlst.cmd <IAM_HOME>\common\tools\configureSecurityStore.py -d <MW_Home>\user_projects\domains\oam_dom -c IAM -p welcome1 -m join -k myDir -w password
On UNIX:
<MW_HOME>/oracle_common/common/bin/wlst.sh exportEncryptionKey(jpsConfigFile="<MW_Home>/user_projects/domains/oim_dom/config/fmwconfig/jps-config.xml", keyFilePath="myDir" ,keyFilePassword="password") <MW_HOME>/oracle_common/common/bin/wlst.sh <IAM_HOME>/common/tools/configureSecurityStore.py -d <MW_Home>/user_projects/domains/oam_dom -c IAM -p welcome1 -m join -k myDir -w password
Scenario 2: Extend the Oracle Access Management Domain previously joined to the Database Security Store to include Oracle Adaptive Access Manager
To achieve this, extend the Oracle Access Management domain (oam_dom) to include Oracle Adaptive Access Manager. For more information, see "Extend an Existing Domain".
Oracle Adaptive Access Manager is added to the Oracle Access Management domain (oam_dom), and they both share the same Database Security Store used by the Oracle Access Manager domain.
After installing and configuring Oracle Identity and Access Management, you must run the Oracle WebLogic Administration Server and various Managed Servers, as described in Section C.1, "Starting the Stack".
Note:
The WebLogic domain will not start unless the Database Security Store has already been configured.