6 Configuring Oracle Access Management

This chapter explains how to configure Oracle Access Management. It includes the following topics:

  • Section 6.1, "Overview"

  • Section 6.2, "Important Note Before You Begin"

  • Section 6.3, "Installation and Configuration Roadmap for Oracle Access Management"

  • Section 6.4, "Optional: Setting Up TDE for Oracle Access Management"

  • Section 6.5, "Oracle Access Management in a New WebLogic Domain"

  • Section 6.6, "Starting the Servers"

  • Section 6.7, "Optional Post-Installation Tasks"

  • Section 6.8, "Verifying the Oracle Access Management Installation"

  • Section 6.9, "Setting Up Oracle Access Manager Agents"

  • Section 6.10, "Setting Up Integration with OIM"

  • Section 6.11, "Getting Started with Oracle Access Management After Installation"

6.1 Overview

Oracle Identity and Access Management 11g Release 2 (11.1.2) contains Oracle Access Management, which includes the following services:

  • Oracle Access Manager

  • Oracle Access Management Security Token Service

  • Oracle Access Management Identity Federation

  • Oracle Access Management Mobile and Social

Note:

For an introduction to Oracle Access Management, see "Oracle Product Introduction" in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Management.

6.2 Important Note Before You Begin

Before you start installing and configuring Oracle Identity and Access Management products in any of the scenarios discussed in this guide, note that IAM_Home is used to refer to the Oracle Home directory that includes Oracle Identity Manager, Oracle Access Management, Oracle Adaptive Access Manager, Oracle Entitlements Server, Oracle Identity Navigator, Oracle Privileged Account Manager, and Oracle Access Management Mobile and Social. You can specify any name for this Oracle Home directory.

6.3 Installation and Configuration Roadmap for Oracle Access Management

Table 6-1 lists the tasks for installing and configuring Oracle Access Management.

Table 6-1 Installation and Configuration Flow for Oracle Access Management

  1. Review installation concepts in the Installation Planning Guide.

    Read the Oracle Fusion Middleware Installation Planning Guide, which describes the process for various users to install or upgrade to Oracle Fusion Middleware 11g (11.1.2) depending on the user's existing environment.

  2. Review the system requirements and certification documents to ensure that your environment meets the minimum installation requirements for the components you are installing.

    For more information, see Section 2.1, "Reviewing System Requirements and Certification".

  3. Obtain the Oracle Fusion Middleware software.

    For more information, see Section 3.2.1, "Obtaining the Oracle Fusion Middleware Software".

  4. Review the database requirements.

    For more information, see Section 3.2.2, "Database Requirements".

  5. Run the Oracle Fusion Middleware Repository Creation Utility (RCU) to create and load the appropriate schemas for Oracle Identity and Access Management products.

    For more information, see Section 3.2.3, "Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU)".

  6. Review WebLogic Server and Middleware Home requirements.

    For more information, see Section 3.2.4, "WebLogic Server and Middleware Home Requirements".

  7. Start the Oracle Identity and Access Management Installer.

    For more information, see Section 3.2.6, "Starting the Oracle Identity and Access Management Installer".

  8. Install the Oracle Identity and Access Management 11g software.

    Oracle Access Management is included in the Oracle Identity and Access Management Suite. You can use the Oracle Identity and Access Management 11g Installer to install the suite.

    For more information, see Section 3.2.7, "Installing Oracle Identity and Access Management (11.1.2)".

  9. Run the Oracle Fusion Middleware Configuration Wizard to configure your Oracle Identity and Access Management products in a new or existing WebLogic domain.

    For more information, see Section 6.5, "Oracle Access Management in a New WebLogic Domain".

  10. Configure the Database Security Store.

    For more information, see Section 3.2.9, "Configuring Database Security Store for an Oracle Identity and Access Management Domain".

  11. Start the servers.

    You must start the Administration Server and all Managed Servers. For more information, see Section 6.6, "Starting the Servers".

  12. Complete the post-installation tasks.

    Complete the following post-installation tasks:


6.4 Optional: Setting Up TDE for Oracle Access Management

Complete the following steps to set up Transparent Data Encryption (TDE) for Oracle Access Management:

  1. Add the ENCRYPTION_WALLET_LOCATION parameter to the sqlnet.ora file of the database:

    ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=<DB_WALLET_DIRECTORY>)))

  2. Restart the database.

  3. Run the following SQL statements as SYSDBA to set the TDE master encryption key and create the encrypted tablespace:

    a. ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "<PASSWORD>";

    b. CREATE TABLESPACE <TABLESPACE_NAME> EXTENT MANAGEMENT LOCAL AUTOALLOCATE SEGMENT SPACE MANAGEMENT AUTO DATAFILE '<DATA_FILE_LOCATION>' SIZE 100M AUTOEXTEND ON NEXT 50M MAXSIZE UNLIMITED ENCRYPTION DEFAULT STORAGE(ENCRYPT);

      Note:

      For the ENCRYPTION parameter, you can use DEFAULT or specify any other supported option.

After setting up Transparent Data Encryption (TDE) for Oracle Access Management, run the Oracle Fusion Middleware Repository Creation Utility (RCU) to create Oracle Access Management schemas. For more information, see Section 3.2.3, "Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU)".

Note:

When you create the Oracle Access Management schemas using RCU, in the Map Tablespaces screen, use the tablespace that you created for Oracle Access Management in step 3b.

For more information, see "Map Tablespaces" topic in the Oracle Fusion Middleware Repository Creation Utility User's Guide.
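The following shell script is an added example, not part of the Oracle documentation: it generates the sqlnet.ora entry from step 1 and the SQL from step 3 for a given wallet directory and tablespace, and it refuses a wallet directory that users other than the database software owner can enter. The wallet file names (ewallet.p12, cwallet.sso) and the use of a SQL*Plus substitution variable for the wallet password are assumptions of the example.

```shell
#!/bin/sh
# Added example, not part of the Oracle documentation. Builds the sqlnet.ora
# entry from step 1 and the SQL from step 3, and refuses a wallet directory
# that other users can read. Assumed: ewallet.p12 (and cwallet.sso for
# auto-login) live in that directory.

# Print the sqlnet.ora entry for a wallet directory (step 1 above).
tde_sqlnet_entry() {
    printf 'ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=%s)))\n' "$1"
}

# The wallet protects the TDE master key, so only the database software owner
# should be able to enter the directory: accept drwx------ and nothing wider.
tde_wallet_dir_check() {
    dir=$1
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    perms=$(ls -ld "$dir" | cut -c5-10)    # group and other permission bits
    case "$perms" in
        ------) return 0 ;;
        *) echo "wallet dir $dir is group/world accessible ($perms)" >&2; return 2 ;;
    esac
}

# Append the entry to sqlnet.ora, but only after the directory check passes
# and only if no ENCRYPTION_WALLET_LOCATION is configured yet.
tde_add_to_sqlnet() {
    sqlnet=$1; dir=$2
    tde_wallet_dir_check "$dir" || return $?
    if [ -f "$sqlnet" ] && grep -q '^ENCRYPTION_WALLET_LOCATION' "$sqlnet"; then
        echo "ENCRYPTION_WALLET_LOCATION is already set in $sqlnet" >&2
        return 3
    fi
    tde_sqlnet_entry "$dir" >> "$sqlnet"
}

# Emit the step-3 statements for a tablespace, followed by a query that
# confirms ENCRYPTED = 'YES' in DBA_TABLESPACES before RCU is pointed at it.
# SQL*Plus prompts for &wallet_password at run time, so the password never
# sits in a shell script or in the shell history.
tde_tablespace_sql() {
    ts=$1; datafile=$2
    cat <<EOF
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "&wallet_password";
CREATE TABLESPACE $ts EXTENT MANAGEMENT LOCAL AUTOALLOCATE
  SEGMENT SPACE MANAGEMENT AUTO
  DATAFILE '$datafile' SIZE 100M AUTOEXTEND ON NEXT 50M MAXSIZE UNLIMITED
  ENCRYPTION DEFAULT STORAGE(ENCRYPT);
SELECT tablespace_name, encrypted FROM dba_tablespaces
 WHERE tablespace_name = UPPER('$ts');
EOF
}
```

Run tde_add_to_sqlnet against the database's sqlnet.ora before the restart in step 2, and feed the output of tde_tablespace_sql to SQL*Plus as SYSDBA for step 3.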

6.5 Oracle Access Management in a New WebLogic Domain

This topic describes how to configure Oracle Access Management in a new WebLogic domain.

It includes the following sections:

  • Section 6.5.1, "Appropriate Deployment Environment"

  • Section 6.5.2, "Components Deployed"

  • Section 6.5.3, "Dependencies"

  • Section 6.5.4, "Procedure"

6.5.1 Appropriate Deployment Environment

Perform the configuration in this topic if you want to install only Oracle Access Management in an environment where you may add other Oracle Identity and Access Management 11g components, such as Oracle Identity Navigator, Oracle Identity Manager, and Oracle Adaptive Access Manager at a later time in the same domain.

6.5.2 Components Deployed

Performing the configuration in this section deploys the following Oracle Access Management components:

  • Oracle Access Manager

  • Oracle Access Management Security Token Service

  • Oracle Access Management Identity Federation

  • Oracle Access Management Mobile and Social

6.5.3 Dependencies

The configuration in this section depends on the following:

6.5.4 Procedure

Perform the following steps to configure Oracle Access Management in a new WebLogic domain:

  1. Start the Oracle Fusion Middleware Configuration Wizard by running the <IAM_Home>/common/bin/config.sh script (on UNIX), or <IAM_Home>\common\bin\config.cmd (on Windows).

    The Oracle Fusion Middleware Configuration Wizard appears.

  2. On the Welcome screen, select the Create a new WebLogic domain option. Click Next. The Select Domain Source screen appears.

  3. On the Select Domain Source screen, ensure that the Generate a domain configured automatically to support the following products: option is selected. Select Oracle Access Management - 11.1.2.0.0 [IAM_Home], and click Next. The Specify Domain Name and Location screen appears.

    Note:

    When you select the Oracle Access Management - 11.1.2.0.0 [IAM_Home] option, the following options are also selected, by default:

    • Oracle Platform Security Service 11.1.1.0 [IAM_Home]

    • Oracle JRF 11.1.1.0 [oracle_common]

  4. Enter a name and a location for the domain to be created, and click Next. The Configure Administrator User Name and Password screen appears.

  5. Configure a user name and a password for the administrator. The default user name is weblogic. Click Next.

  6. Choose a JDK and Production Mode in the Configure Server Start Mode and JDK screen of the Oracle Fusion Middleware Configuration Wizard. Click Next. The Configure JDBC Component Schema screen appears.

  7. On the Configure JDBC Component Schema screen, select a component schema, such as the OAM Infrastructure Schema or the OPSS Schema, that you want to modify.

    You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, click Next. The Select Optional Configuration screen appears.

  8. On the Select Optional Configuration screen, you can configure the Administration Server and Managed Servers, Clusters, and Machines. Click Next.

  9. Optional: Configure the following Administration Server parameters:

    • Name

    • Listen address

    • Listen port

    • SSL listen port

    • SSL enabled or disabled

  10. Optional: Configure Managed Servers, as required.

    Note:

    If you configure a Managed Server on the same machine as the Administration Server, ensure that its listen port differs from the Administration Server's port.

  11. Optional: Configure Clusters, as required.

    For more information about configuring clusters for Oracle Identity and Access Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.

  12. Optional: Assign Managed Servers to clusters, as required.

  13. Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.

    Tip:

    Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.

  14. If the Administration Server is not assigned to a machine, you can assign it to a machine.

    Note that deployments, such as applications and libraries, and services that are targeted to a particular cluster or server are selected, by default.

  15. Assign the newly created Managed Server, such as oam_server1, to a machine.

  16. On the Configuration Summary screen, review the domain configuration, and click Create to start creating the domain.

A new WebLogic domain to support Oracle Access Management is created in the <MW_HOME>\user_projects\domains directory (on Windows). On UNIX, the domain is created in the <MW_HOME>/user_projects/domains directory.

Notes:

6.6 Starting the Servers

After installing and configuring Oracle Access Management, you must run the Oracle WebLogic Administration Server and various Managed Servers, as described in Appendix C, "Starting the Stack". Ensure that you start the Oracle Access Management Administration Server before starting the Managed Servers.

6.7 Optional Post-Installation Tasks

After installing and configuring Oracle Access Management, you can perform the following optional tasks:

  • Configure your own LDAP directory in place of the default embedded LDAP that comes with Oracle WebLogic Server.

  • Configure a policy store to protect resources.

  • Add more Managed Servers to the existing domain.

  • Add a Managed Server instance.

For more information, see the Oracle Fusion Middleware Administrator's Guide for Oracle Access Management.

6.8 Verifying the Oracle Access Management Installation

After completing the installation process, including post-installation steps, you can verify the installation and configuration of Oracle Access Management as follows:

  1. Ensure that the Administration Server and the Managed Server are up and running.

  2. Log in to the Administration Console for Oracle Access Management using the URL: http://<adminserver-host>:<adminserver-port>/oamconsole

    When you access this Administration Console running on the Administration Server, you are prompted to enter a user name and password. Note that you must have the Administrator role and privileges.

  3. Verify the Oracle WebLogic Server Administration Console. If the installation and configuration of Oracle Access Management is successful, this console shows the Administration Server in running mode.

6.9 Setting Up Oracle Access Manager Agents

Setting up an Agent involves the following steps:

  1. Installing and Configuring the Agent

  2. Registering Agents and Applications by Using the Console

  3. Restarting the WebLogic Managed Servers

6.9.1 Installing and Configuring the Agent

You can set up the following Agents for Oracle Access Manager.

  • Oracle HTTP Server WebGate

  • OSSO Agent (mod_osso)

  • OpenSSO Agents

6.9.1.1 Setting Up Oracle HTTP Server WebGate

Oracle HTTP Server WebGate is a Web server plug-in that is available with Oracle Access Manager. The Oracle HTTP Server WebGate intercepts HTTP requests from users for Web resources and forwards them to the Access Server for authentication and authorization. Oracle HTTP Server WebGate installation packages are found on media and virtual media that are separate from the core components.

You can install the following Oracle HTTP Server WebGate Agents:

  • Oracle HTTP Server 11g WebGate

  • Oracle HTTP Server 10g WebGate

6.9.1.1.1 Installing and Configuring Oracle HTTP Server 11g WebGate

To install and configure Oracle HTTP Server 11g WebGate, complete the following steps:

  1. Install Oracle HTTP Server 11g WebGate for Oracle Access Manager, as described in Chapter 12, "Installing and Configuring Oracle HTTP Server 11g Webgate for Oracle Access Manager".

  2. Complete the post-installation steps and the registration setup, as described in Section 12.4, "Post-Installation Steps" and Section 12.6, "Getting Started with a New Oracle HTTP Server 11g Webgate Agent for Oracle Access Manager".

6.9.1.1.2 Installing and Configuring Oracle HTTP Server 10g WebGate

To install and configure Oracle HTTP Server 10g WebGate, refer to the "About Installing Fresh OAM 10g Webgates to Use With OAM 11g" topic in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager.

6.9.1.2 Setting Up the OSSO Agent

OSSO Agent (mod_osso) is used by Oracle HTTP Server to check for an existing, valid Oracle HTTP Server cookie. If necessary, it redirects to the Oracle Access Manager runtime server to communicate with the directory during authentication. In addition, it decrypts the encrypted user identity populated by the OSSO server and sets the headers with user attributes.

6.9.1.2.1 Installing mod_osso

To install mod_osso, complete the following steps:

  1. Install the latest version of Oracle HTTP Server. For information about installing the Web Tier, including Oracle HTTP Server, see Section 12.2.3, "Installing and Configuring Oracle HTTP Server 11g".

  2. After patching your Oracle Web Tier software to the latest version, run the configuration tool to configure Oracle HTTP Server.

    On UNIX operating systems:

    <Web_Tier_ORACLE_HOME>/bin/config.sh

    On Windows operating systems:

    <Web_Tier_ORACLE_HOME>\bin\config.bat

    For complete instructions, go to "Configuring Your Components" in Oracle Fusion Middleware Installation Guide for Oracle Web Tier.

    Note:

    After you configure Oracle HTTP Server, a working instance of Oracle HTTP Server is configured in an Instance Home.

  3. Copy the mod_osso.conf file from the <ORACLE_INSTANCE>/config/OHS/<OHS_INSTANCE>/disabled directory to the <ORACLE_INSTANCE>/config/OHS/<OHS_INSTANCE>/moduleconf directory.

  4. Register mod_osso as a Partner Application.

    For information about registering mod_osso as a Partner Application, refer to the "Registering and Managing OSSO Agents Using the Console" topic in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Management. Note that the Administration Server must be up and running when you are registering mod_osso as a Partner Application.

  5. Edit the mod_osso.conf file to update the location of the osso.conf file as follows:

    <IfModule osso_module>
        OssoIpCheck off
        OssoIdleTimeout off
        OssoSecureCookies off
        OssoConfigFile <location of the osso.conf>
        # "/" applies the SSO requirement to every URL on this server;
        # narrow the path if only part of the site needs protection.
        <Location />
            require valid-user
            AuthType Osso
        </Location>
    </IfModule>
    
  6. Restart Oracle HTTP Server by running the restartproc command in Oracle Process Manager and Notification Server (OPMN) or by using Oracle Fusion Middleware Control. To restart all Oracle HTTP Server components in an Oracle instance, use the following command:

    $ORACLE_INSTANCE/bin/opmnctl restartproc process-type=OHS
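The following shell script is an added example, not part of the Oracle documentation: it writes the step 5 configuration for a mod_osso.conf that has already been copied into moduleconf (step 3), audits the result, and restarts Oracle HTTP Server as in step 6. It assumes "/" as the <Location> path, so every URL on the server requires SSO, and it assumes the same ORACLE_INSTANCE and OHS_INSTANCE placeholders as the procedure.

```shell
#!/bin/sh
# Added example, not part of the Oracle documentation. Performs steps 5 and 6
# above for a mod_osso.conf already copied into moduleconf (step 3) and audits
# the result. Assumed: "/" as the <Location> path (every URL requires SSO).

# Write the mod_osso.conf from step 5 with the osso.conf path filled in.
# $3 sets OssoSecureCookies (the procedure's default is "off").
write_mod_osso_conf() {
    conf=$1; osso=$2; secure=${3:-off}
    cat > "$conf" <<EOF
<IfModule osso_module>
    OssoIpCheck off
    OssoIdleTimeout off
    OssoSecureCookies $secure
    OssoConfigFile $osso
    <Location />
        require valid-user
        AuthType Osso
    </Location>
</IfModule>
EOF
}

# Return the value of one Osso* directive from a mod_osso.conf.
osso_directive() {
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# Checks a reviewer would run before exposing the server: osso.conf must be
# readable by the module, and OssoSecureCookies off lets the SSO cookie be
# sent over plain HTTP, so it should be "on" once the site is served over
# HTTPS. Returns 0 when nothing is flagged.
audit_mod_osso_conf() {
    conf=$1; rc=0
    [ -r "$(osso_directive "$conf" OssoConfigFile)" ] ||
        { echo "OssoConfigFile does not point at a readable osso.conf" >&2; rc=1; }
    [ "$(osso_directive "$conf" OssoSecureCookies)" = on ] ||
        { echo "OssoSecureCookies is off; use on for HTTPS sites" >&2; rc=1; }
    return $rc
}

# Steps 5 and 6 together: write the configuration with secure cookies on,
# then restart all OHS components in the instance through OPMN.
enable_mod_osso() {
    inst=$1; ohs=$2; osso=$3
    write_mod_osso_conf "$inst/config/OHS/$ohs/moduleconf/mod_osso.conf" "$osso" on
    "$inst/bin/opmnctl" restartproc process-type=OHS
}
```

Call enable_mod_osso with the Oracle instance directory, the OHS instance name, and the osso.conf path obtained when mod_osso was registered in step 4.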

6.9.1.3 Setting Up the OpenSSO Agent

For setting up the OpenSSO Agent, refer to the appropriate guide from the following link:

http://docs.oracle.com/cd/E19681-01/index.html

Note:

OpenSSO Agents (versions 2.2 and 3.0) are supported with Oracle Access Manager 11gR2.

6.9.2 Registering Agents and Applications by Using the Console

For information about registering agents and applications by using the console, refer to the following topics in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Management:

Note:

The Administration Server must be up and running when you are registering the Agents as a Partner Application.

6.9.3 Restarting the WebLogic Managed Servers

For information about restarting Managed Servers, see Appendix C, "Starting the Stack".

6.10 Setting Up Integration with OIM

For information about setting up integration between Oracle Access Management and Oracle Identity Manager (OIM), see "Integrating Access Manager and Oracle Identity Manager" in the Oracle Fusion Middleware Integration Guide for Oracle Identity Management Suite.

6.11 Getting Started with Oracle Access Management After Installation

After installing Oracle Access Management, refer to the "Getting Started with Common Administration and Navigation" chapter in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Management.

Note:

When you configure Oracle Access Management using the Oracle Access Management template, only Oracle Access Manager is enabled by default. For enabling other services including Security Token Service, Identity Federation, and Oracle Access Management Mobile and Social, refer to "Enabling or Disabling Available Services" in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Management.