The IdM configuration tool (idmConfigTool) supports a number of tasks to assist in installing, configuring, and integrating Oracle identity management (IdM) components.
This chapter contains these sections:
This section contains these topics:
Use idmConfigTool in these situations:
prior to installing Oracle Identity Manager and Oracle Access Management Access Manager,
after installing Oracle Identity Manager and Oracle Access Management Access Manager,
to dump the configuration of IdM components Oracle Internet Directory, Oracle Virtual Directory, Oracle Identity Manager, and Oracle Access Manager, and
to validate the configuration parameters for Oracle Internet Directory, Oracle Virtual Directory, Oracle Identity Manager, and Oracle Access Manager.
Section 2.1.2 explains the tasks the tool performs in each situation.
idmConfigTool helps you to perform the following tasks efficiently:
Validating configuration properties representing the Identity Management components Oracle Internet Directory (OID), Oracle Virtual Directory (OVD), Oracle Access Management Access Manager (OAM-AM) and Oracle Identity Manager (OIM).
Pre-configuring the Identity Store components (Oracle Internet Directory and Oracle Virtual Directory) to install the other Identity Management components, including Access Manager and Oracle Identity Manager.
Post-configuring the Access Manager, Oracle Identity Manager components and wiring of Access Manager and Oracle Identity Manager.
Extracting the configuration of the Identity Management components Oracle Internet Directory, Oracle Virtual Directory, Access Manager and Oracle Identity Manager.
See Also:
idmConfigTool supports these component versions:
Oracle Internet Directory 11g
Oracle Virtual Directory 11g
Oracle Access Management Access Manager 11g
Oracle Access Manager 10g
Oracle Identity Manager 11g
Oracle Unified Directory (OUD) 11g
idmConfigTool is located at:
IAM_ORACLE_HOME/idmtools/bin
idmConfigTool supports Access Manager 11g Webgates by default. It also supports 10g Webgates.
The tool supports two types of scenarios with regard to Weblogic domains:
A single-domain configuration in which both Access Manager and Oracle Identity Manager servers are configured in the same Weblogic domain
A dual or cross-domain configuration in which Access Manager and Oracle Identity Manager servers are configured on separate Weblogic domains
See Also:
Section 1.2 for architecture details.
You must configure the environment before running the IdM configuration tool.
Set the following variables:
| Variable | Set to |
|---|---|
|
|
Set the value to the full path of the installation's Middleware home. |
|
|
Ensure that the value contains the following directory: MW_HOME/jdkn |
|
|
|
|
|
Set to the full path of the Oracle home. For IdM integrations, set to |
This section contains these topics:
The tool has the following syntax on Linux:
idmConfigTool.sh -command input_file=filename log_file=logfileName log_level=log_level
The tool has the following syntax on Windows:
idmConfigTool.bat -command input_file=filename log_file=logfileName log_level=log_level
Values for command are as follows:
| Command | Component name | Description |
|---|---|---|
|
|
Identity Store |
Configures the identity store and policy store by creating the groups and setting ACIs to the various containers. |
|
|
Identity Store |
Configures the identity store by adding necessary users and associating users with groups. Modes enable you to configure for a specific component. |
|
|
Policy Store |
Configures policy store by creating read-write user and associates them to the groups. |
|
|
Oracle Access Manager Oracle Identity Manager |
Prepares Access Manager for integration with Oracle Identity Manager. |
|
|
Oracle Access Manager Oracle Identity Manager |
Sets up wiring between Access Manager and Oracle Identity Manager. |
|
|
Oracle Virtual Directory |
Creates Oracle Virtual Directory adapters. |
|
|
Oracle Virtual Directory |
Disables anonymous access to the Oracle Virtual Directory server. Post-upgrade command. Note: |
|
|
Identity Store |
Performs post-provisioning configuration of the identity store. |
|
|
Various |
Validates the set of input properties for the named entity. |
|
|
Oracle Virtual Directory |
Updates the configuration for an upgraded Oracle Virtual Directory with split profile. |
|
|
Oracle Identity Manager Access Manager |
Updates existing users in Oracle Internet Directory by adding certain object classes which are needed for Oracle Identity Manager-Access Manager integration. |
|
|
Oracle Identity Manager Access Manager |
Upgrades an existing configuration consisting of integrated Oracle Identity Manager-Access Manager, using Webgate 10g, to use Webgate 11g |
You must run this tool as a user with administrative privileges when configuring the identity store or the policy store.
The validate command requires a component name.
idmConfigTool creates or updates certain files upon execution.
When you run the idmConfigTool, the tool creates or appends to the file idmDomainConfig.param. This file is generated in the directory from which you run the tool. To ensure that the same file is appended to each time the tool is run, always run idmConfigTool from the directory:
IAM_ORACLE_HOME/idmtools/bin
You can specify a log file using the log_file attribute of idmConfigTool.
If you do not explicitly specify a log file, a file named automation.log is created in the directory where you run the tool.
Check the log file for any errors or warnings and correct them.
This section describes the properties file that can be used with idmConfigTool.
A properties file provides a convenient way to specify command properties and enable you to save properties for reference and later use. You can specify a properties file, containing execution properties, as input command options. The properties file is a simple text file which must be available at the time the command is executed.
It is not necessary to provide password-related properties in the properties file. Indeed, for security you are advised not to insert passwords into the properties file. When passwords are not provided, the tool prompts for the relevant properties at execution.
Table 2-1 lists the properties used for integration command options in the idmConfigTool command. The properties are listed in alphabetical order.
Table 2-1 Properties Used in IdM Configtool properties Files
| Parameter | Example Value | Description |
|---|---|---|
|
|
|
The Access Manager access gate ID with which Oracle Identity Manager needs to communicate. |
|
|
|
Access Manager Access Server hostname |
|
|
|
Access Manager NAP port. |
|
|
|
URI required by OPSS. Default value is /obrar.cgi |
|
|
|
Web domain on which the Oracle Identity Manager application resides. Specify the domain in the format .cc.example.com. |
|
|
-1 |
Cookie expiration period. Set to -1. |
|
|
|
The location of the Oracle Identity Manager domain. |
|
|
|
The Oracle Identity Manager domain name. |
|
|
|
The admin port for an Oracle Unified Directory (OUD) identity store. |
|
|
|
Host name of the LDAP identity store directory (corresponding to the IDSTORE_DIRECTORYTYPE). |
|
|
|
Port number of the LDAP identity store (corresponding to the IDSTORE_DIRECTORYTYPE). |
|
|
cn=orcladmin |
Administrative user in the identity store. |
|
|
Password for the identity store bind DN. |
|
|
|
cn |
Username attribute used to set and search for users in the identity store. |
|
|
uid |
The login attribute of the identity store which contains the user's login name. |
|
|
cn=Users,dc=us,dc=example,dc=com |
The location in the directory where users are stored. |
|
|
dc=us,dc=example,dc=com |
Search base for users and groups contained in the identity store. |
|
|
cn=Groups,dc=us,dc=example,dc=com |
The location in the directory where groups are stored. |
|
|
oamLDAP |
The username used to establish the Access Manager identity store connection. |
|
|
oamadmin |
The identity store administrator for Access Manager. Required only if the identity store is set as the system identity store. |
|
|
oaamadmin |
The identity store administrator for Oracle Adaptive Access Manager. |
|
|
cn=system, dc=test |
Base for all the system users. |
|
|
User with read-only permissions to the identity store. |
|
|
|
User with read-write permissions to the identity store. |
|
|
|
The Oracle Fusion Applications superuser in the identity store. |
|
|
|
The administrator of the xelsysadm system account. |
|
|
|
The identity store administrator for Oracle Identity Manager. |
|
|
|
The Oracle Identity Manager administrator group. |
|
|
|
Whether SSL to the identity store is enabled. Valid values: true | false |
|
|
|
Location of the keystore file containing identity store credentials. Required to establish an SSL connection to the identity store. Applies to Oracle Unified Directory identity stores. |
|
|
|
Password of the keystore file containing identity store credentials ( Applies to Oracle Unified Directory identity stores. |
|
|
|
Used for identity store validation. Used in Oracle Fusion Applications environment. |
|
|
|
|
Directory type of the identity store for which the authenticator must be created. Set to Set it to Set to OUD if your identity store is Oracle Unified Directory. Valid values: OID, OVD, OUD |
|
|
cn=systemids,dc=example,dc=com |
The administrator of the identity store directory. Note that the entry must contain the complete LDAP DN of the user; the username alone is not sufficient. |
|
|
weblogic_idm |
The identity store administrator for Oracle WebLogic Server |
|
|
|
The identity store administrator group for Oracle WebLogic Server. |
|
|
Password of the identity store administrator. |
|
|
|
Password of the Access Manager software user in the identity store. |
|
|
|
Password of the Access Manager user identified as IDSTORE_OAMSOFTWAREUSER. |
|
|
|
Password of the XELSYSADMIN user in the identity store. |
|
|
|
Password of the WebLogic administrator in the identity store. |
|
|
|
Password of the OAAM administrator in the identity store. |
|
|
|
. |
The hostname of the LDAP server |
|
|
The LDAP server port number. |
|
|
|
. |
The bind DN for the LDAP server |
|
|
The LDAP server password. |
|
|
|
Indicates whether the connection to the LDAP server is over SSL. Valid values are True or False |
|
|
|
The base DN of the LDAP server. |
|
|
|
The OVD base DN of the LDAP server. |
|
|
|
The directory type for the LDAP server. n is 1, 2, and so on. For a single-node configuration specify LDAP1. |
|
|
|
/${app.context}/adfAuthentication |
URI required by OPSS. Default value is /${app.context}/adfAuthentication |
|
|
/oamsso/logout.html |
URI required by OPSS. Default value is /oamsso/logout.html |
|
|
jdbc:oracle:thin:@DBHOST:1521:SID |
URL of the MDS database. |
|
|
edg_mds |
Username of the MDS schema user. |
|
|
10g |
Required when Access Manager server does not support 11g webgate in Oracle Identity Manager-Access Manager integration. In that case, provide the value as '10g'. Valid values are 10g, 11g. |
|
|
|
The transfer mode for the Access Manager agent being configured. If your access manager servers are configured to accept requests using the simple mode, set OAM_TRANSFER_MODE to SIMPLE. Valid values are OPEN, SIMPLE or CERT. |
|
|
|
The security model in which the Access Manager 11g server functions. Valid values: OPEN or SIMPLE. |
|
|
Specifies whether Access Manager server can perform authorizations. If true, the Access Manager 11g server operates in authentication only mode, where all authorizations return true by default without any policy validations. If false, the server runs in default mode, where each authentication is followed by one or more authorization requests to the server. Valid values: true (no authorization) | false |
|
|
|
|
Specifies the account to administer role security in identity store. |
|
|
false |
Specifies whether to integrate with Oracle Identity Manager or configure Access Manager in stand-alone mode. Set to true for integration. Valid values: true (integration) | false |
|
|
sso.example.com |
Hostname of the load balancer to the Oracle HTTP (OHS) server front-ending the Access Manager server. |
|
|
443 |
Port number of the load balancer to the OHS server front-ending the Access Manager server. |
|
|
https |
Protocol of the load balancer to the OHS server front-ending the Access Manager server. Valid values: HTTP, HTTPS |
|
|
uid |
At a login attempt, the username is validated against this attribute in the identity store. |
|
|
The global session timeout for sessions in the Access Manager server. |
|
|
|
Global session expiry time for a session in the Access Manager server. |
|
|
|
Global maximum sessions per user in the Access Manager server. |
|
|
|
The identity store name. If you already have an identity Store in place which you wish to reuse (rather than allowing the tool to create a new one for you), set this parameter to the name of the Identity Store. The default value is "OAMIDStore". |
|
|
|
Enable or disable impersonation in Access Manager server. Applicable to Oracle Fusion Applications environment. Valid values: true (enable) | false |
|
|
|
sso.example.com |
Host name of the load balancer which is in front of OHS. |
|
|
443 |
Port number on which the load balancer specified as OAM11G_IDM_DOMAIN_OHS_HOST listens. |
|
|
https |
protocol for IDM OHS. Valid values: HTTP | HTTPS |
|
|
https://sso.example.com:443/test |
|
|
|
true |
Deny on protected flag for 10g webgate Valid values: true | false |
|
|
simple |
Transfer mode for the IDM domain agent. Valid values: OPEN | SIMPLE | CERT |
|
|
/console/jsp/common/logout.jsp,/em/targetauth/emaslogout.jsp |
Comma-separated list of Access Manager logout URLs. |
|
|
The Access Manager domain WebGate password. |
|
|
|
The password of the Oracle Identity Manager Webgate. |
|
|
|
myhost.example.com |
Host name of the Access Manager domain admin server. |
|
|
7001 |
Port on which the Access Manager domain admin server is running. |
|
|
wlsadmin |
The username of the Access Manager domain administrator. |
|
|
host123.example.com |
The hostname of the LBR server front-ending Oracle Identity Manager. |
|
|
7011 |
The port number of the LBR server front-ending Oracle Identity Manager. |
|
|
|
The name of the Oracle Identity Manager managed server. If clustered, any of the managed servers can be specified. |
|
|
The hostname of the Oracle Identity Manager managed server. |
|
|
|
The port number of the Oracle Identity Manager managed server. |
|
|
|
The hostname for the Oracle Identity Manager T3 server. |
|
|
|
The port number of the Oracle Identity Manager T3 server. |
|
|
|
OVD Server hostname |
|
|
|
OVD Server port number |
|
|
|
OVD Server bind DN |
|
|
|
OVD Server password |
|
|
|
Indicates whether the connection is over SSL. Valid values are True or False |
|
|
|
true |
Denotes whether the policy store and identity store share the directory. Always true in Release 11g. Valid values: true, false |
|
|
mynode.us.example.com |
The hostname of your policy store directory. |
|
|
1234 |
The port number of your policy store directory. |
|
|
cn=orcladmin |
Administrative user in the policy store directory. |
|
|
dc=example,dc=com |
The location in the directory where users and groups are stored. |
|
|
cn=systemids, dc=example,dc=com |
The read-only and read-write users for policy store are created in this location. Default value is cn=systemids, |
|
|
|
A user with read privileges in the policy store. |
|
|
|
A user with read and write privileges in the policy store. |
|
|
|
The name of the container used for OPSS policy information |
|
|
Whether the policy store is SSL-enabled. |
|
|
|
The location of the keystore file for an SSL-enabled policy store. |
|
|
|
The password of the keystore file for an SSL-enabled policy store. |
|
|
|
true |
Flag to force Valid values are true, false. |
|
|
false |
Flag to determine if SSO should be enabled. Valid values are true, false. |
|
|
|
The type of WebGate agent you want to create. Set to |
|
|
idmhost1.example.com:5575,idmhost2.example.com:5575 |
A comma-separated list of your Access Manager servers and their proxy ports. |
|
|
|
The WebLogic Server host name |
|
|
7001 |
The WebLogic Server port number |
|
|
wlsadmin |
The WebLogic Server administrator login |
|
|
The WebLogic Server administrator. |
This section explains additional tasks you may need to perform when using idmConfigTool for a target identity store which is an instance of Oracle Unified Directory (OUD). Topics include:
When you use idmConfigTool for an identity store that is an instance of OUD, the global ACI is not created. Consequently you must first grant access to the changelog, and then create the ACI. Take these steps:
Create a file called mypassword which contains the password you use to connect to OUD.
Remove the existing change log on one of the replicated OUD hosts. The command syntax is:
ORACLE_INSTANCE/bin/dsconfig set-access-control-handler-prop \ --remove \ global-aci:"(target=\"ldap:///cn=changelog\")(targetattr=\"*\")(version 3.0; acl \"External changelog access\"; deny (all) userdn=\"ldap:///anyone\";)" --hostname OUD Host \ --port OUD Admin Port \ --trustAll ORACLE_INSTANCE/config/admin-truststore \ --bindDN cn=oudadmin \ --bindPasswordFile mypassword \ --no-prompt
For example:
ORACLE_INSTANCE/bin/dsconfig set-access-control-handler-prop \ --remove global-aci:"(target=\"ldap:///cn=changelog\")(targetattr=\"*\")(version 3.0; acl \"External changelog access\"; deny (all) userdn=\"ldap:///anyone\";)" --hostname OUDHOST1.example.com \ --port 4444 \ --trustAll /u01/app/oracle/admin/oud1/OUD/config/admin-truststore \ --bindDN cn=oudadmin \ --bindPasswordFile mypassword \ --no-prompt
Add the new ACI:
dsconfig set-access-control-handler-prop \ --add global-aci:"(target=\"ldap:///cn=changelog\")(targetattr=\"*\")(version 3.0; acl \"External changelog access\"; allow (read,search,compare,add,write,delete,export) groupdn=\"ldap:///cn=oimAdminGroup,cn=groups,dc=example,dc=com\";)" \ --hostname OUD Host \ --port OUD Admin Port \ --trustAll \ --bindDN cn=oudadmin \ --bindPasswordFile password --no-prompt
For example:
dsconfig set-access-control-handler-prop \ --add --add global-aci:"(target=\"ldap:///cn=changelog\")(targetattr=\"*\")(version 3.0; acl \"External changelog access\"; allow (read,search,compare,add,write,delete,export) groupdn=\"ldap:///cn=oimAdminGroup,cn=groups,dc=example,dc=com\";)" \ --hostname OUDHOST1 \ --port 4444 \ --trustAll \ --bindDN cn=oudadmin \ --bindPasswordFile password --no-prompt
Repeat Steps 1 through 3 for each OUD instance.
When idmConfigTool prepares the identity store, it creates a number of indexes on the data. However in a high availability (HA) environment that contains replicas, these replicas are not updated with the indexes and need to be added manually.
The steps are as follows (with LDAPHOST1.example.com representing the first OUD server, LDAPHOST2.example.com the second server, and so on):
Create a file called mypassword which contains the password you use to connect to OUD.
Configure the indexes on the second OUD server:
ORACLE_INSTANCE/OUD/bin/ldapmodify -h LDAPHOST2.example.com -Z -X -p 4444 -a -D "cn=oudadmin" -j mypassword -c -f /u01/app/oracle/product/fmw/iam/oam/server/oim-intg/ldif/ojd/schema/ojd_user_index_generic.ldif
and
ORACLE_INSTANCE/OUD/bin/ldapmodify -h LDAPHOST2.example.com -Z -X -p 4444 -a -D "cn=oudadmin" -j mypassword -c -f /u01/app/oracle/product/fmw/iam/idmtools/templates/oud/oud_indexes_extn.ldif
Notes:
Repeat both commands for all OUD servers for which idmConfigTool was not run.
Execute the commands on one OUD instance at a time; that instance must be shut down while the commands are running.
Rebuild the indexes on all the servers:
ORACLE_INSTANCE/OUD/bin/bin/rebuild-index -h localhost -p 4444 -X -D "cn=oudadmin" -j mypassword --rebuildAll -b "dc=example,dc=com"
Note:
You must run this command on all OUD servers, including the first server (LDAPHOST1.example.com) for which idmConfigTool was run.
This section lists the properties for each command option. Topics include:
Notes:
The command options show the command syntax on Linux only. See Section 2.3.1 for Windows syntax guidelines.
The tool prompts for passwords. For security, it is recommended that you do not specify password attributes in the properties file.
./idmConfigTool.sh -preConfigIDStore input_file=input_properties
Table 2-2 lists the properties for this mode:
Table 2-2 Properties of preConfigIDStore
| Property | Required? |
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Use the format: |
|
|
|
Here is a sample properties file for this option:
IDSTORE_HOST : idstore.example.com IDSTORE_PORT : 389 IDSTORE_BINDDN : cn=orcladmin IDSTORE_USERNAMEATTRIBUTE: cn IDSTORE_LOGINATTRIBUTE: uid IDSTORE_USERSEARCHBASE: cn=Users,dc=example,dc=com IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com IDSTORE_SEARCHBASE: dc=example,dc=com IDSTORE_SYSTEMIDBASE: cn=systemids,dc=example,dc=com
The prepareIDStore command takes mode as an argument to perform tasks for the specified component. The syntax for specifying the mode is:
./idmConfigTool.sh -prepareIDStore mode=mode input_file=filename_with_Configproperties
where mode must be one of:
OAM
OIM
OAAM
WLS
FUSION
all (performs all the tasks of the above modes combined)
Note:
WLS mode must be run before OAM.
The following are created in this mode:
Perform schema extensions as required by the Access Manager component
Add the oblix schema
Create the OAMSoftware User
Create OblixAnonymous User
Optionally create the Access Manager Administration User
Associate these users to their respective groups
Create the group "orclFAOAMUserWritePrivilegeGroup"
./idmConfigTool.sh -prepareIDStore mode=OAM
input_file=filename_with_Configproperties
Table 2-3 lists the properties for this mode:
Table 2-3 prepareIDStore mode=OAM Properties
| Parameter | Required? |
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Here is a sample properties file for this option. This parameter set would result in OAMADMINUSER and OAMSOFTWARE user being created in the identity store:
IDSTORE_HOST : idstore.example.com IDSTORE_PORT : 389 IDSTORE_BINDDN : cn=orcladmin IDSTORE_USERNAMEATTRIBUTE: cn IDSTORE_LOGINATTRIBUTE: uid IDSTORE_USERSEARCHBASE: cn=Users,dc=example,dc=com IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com IDSTORE_SEARCHBASE: dc=example,dc=com POLICYSTORE_SHARES_IDSTORE: true OAM11G_IDSTORE_ROLE_SECURITY_ADMIN:OAMAdministrators IDSTORE_OAMSOFTWAREUSER:oamLDAP IDSTORE_OAMADMINUSER:oamadmin IDSTORE_SYSTEMIDBASE: cn=systemids,dc=example,dc=com
The following are created in this mode:
Create Oracle Identity Manager Administration User under SystemID container
Create Oracle Identity Manager Administration Group
Add Oracle Identity Manager Administration User to Oracle Identity Manager Administration Group
Add ACIs to Oracle Identity Manager Administration Group
Create reserve container
Create xelsysadmin user
./idmConfigTool.sh -prepareIDStore mode=OIM
input_file=filename_with_Configproperties
Table 2-4 lists the properties in this mode:
Table 2-4 prepareIDStore mode=OIM Properties
| Parameter | Required? |
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Here is a sample properties file for this option. With this set of properties, OIMADMINUSER is created in IDSTORE_SYSTEMIDBASE:
IDSTORE_HOST : idstore.example.com IDSTORE_PORT : 389 IDSTORE_BINDDN : cn=orcladmin IDSTORE_USERNAMEATTRIBUTE: cn IDSTORE_LOGINATTRIBUTE: uid IDSTORE_USERSEARCHBASE:cn=Users,dc=example,dc=com IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com IDSTORE_SEARCHBASE: dc=example,dc=com POLICYSTORE_SHARES_IDSTORE: true IDSTORE_SYSTEMIDBASE: cn=systemids,dc=example,dc=com IDSTORE_OIMADMINUSER: oimadmin IDSTORE_OIMADMINGROUP:OIMAdministrators
The following are created in this mode:
Create Oracle Adaptive Access Manager Administration User
Create Oracle Adaptive Access Manager Groups
Add the Oracle Adaptive Access Manager Administration User as a member of Oracle Adaptive Access Manager Groups
./idmConfigTool.sh -prepareIDStore mode=OAAM
input_file=filename_with_Configproperties
Table 2-5 shows the properties in this mode:
Table 2-5 prepareIDStore mode=OAAM Properties
| Parameter | Required? |
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
The following are created in the WLS (Oracle WebLogic Server) mode:
Create Weblogic Administration User
Create Weblogic Administration Group
Add the Weblogic Administration User as a member of Weblogic Administration Group
./idmConfigTool.sh -prepareIDStore mode=WLS
input_file=filename_with_Configproperties
Table 2-6 lists the properties in this mode:
Table 2-6 prepareIDStore mode=WLS Properties
| Parameter | Required? |
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Here is a sample properties file for this option. With this set of properties, the IDM Administrators group is created.
IDSTORE_HOST: idstore.example.com IDSTORE_PORT: 389 IDSTORE_BINDDN: cn=orcladmin IDSTORE_USERNAMEATTRIBUTE: cn IDSTORE_LOGINATTRIBUTE: uid IDSTORE_USERSEARCHBASE: cn=Users, dc=example,dc=com IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com IDSTORE_SEARCHBASE: dc=example,dc=com POLICYSTORE_SHARES_IDSTORE: true IDSTORE_WLSADMINUSER: weblogic_idm IDSTORE_WLSADMINGROUP: wlsadmingroup
The following actions are taken in this mode:.
Create a Readonly User
Create a ReadWrite User
Create a Super User
Add the readOnly user to the groups orclFAGroupReadPrivilegeGroup and orclFAUserWritePrefsPrivilegeGroup
Add the readWrite user to the groups orclFAUserWritePrivilegeGroup and orclFAGroupWritePrivilegeGroup
./idmConfigTool.sh -prepareIDStore mode=fusion
input_file=filename_with_Configproperties
Table 2-7 lists the properties in this mode:
Table 2-7 prepareIDStore mode=fusion Properties
| Parameter | Required? |
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Here is a sample properties file for this option, which creates IDSTORE_SUPERUSER:
IDSTORE_HOST : idstore.example.com IDSTORE_PORT : 389 IDSTORE_BINDDN : cn=orcladmin IDSTORE_USERNAMEATTRIBUTE: cn IDSTORE_READONLYUSER: IDROUser IDSTORE_READWRITEUSER: IDRWUser IDSTORE_USERSEARCHBASE:cn=Users,dc=example,dc=com IDSTORE_SEARCHBASE: dc=example,dc=com IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=mycomapny,dc=com IDSTORE_SYSTEMIDBASE: cn=systemids,dc=example,dc=com IDSTORE_SUPERUSER: weblogic_fa POLICYSTORE_SHARES_IDSTORE: true
The mode performs all the tasks that are performed in the modes OAM, OIM, WLS, OAAM, and FUSION.
./idmConfigTool.sh -prepareIDStore mode=all
input_file=filename_with_Configproperties
Table 2-8 lists the properties in this mode:
Table 2-8 prepareIDStore mode=all Properties
| Parameter | Required? |
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Here is a sample properties file for this option:
IDSTORE_HOST : node01.example.com IDSTORE_PORT : 2345 IDSTORE_BINDDN: cn=orcladmin IDSTORE_USERNAMEATTRIBUTE: cn IDSTORE_LOGINATTRIBUTE: uid IDSTORE_USERSEARCHBASE: cn=Users,dc=example,dc=com IDSTORE_SEARCHBASE: dc=example,dc=com IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com IDSTORE_SYSTEMIDBASE: cn=systemids,dc=example,dc=com IDSTORE_READONLYUSER: IDROUser IDSTORE_READWRITEUSER: IDRWUser IDSTORE_SUPERUSER: weblogic_fa IDSTORE_OAMSOFTWAREUSER:oamSoftwareUser IDSTORE_OAMADMINUSER:oamAdminUser IDSTORE_OIMADMINUSER: oimadminuser POLICYSTORE_SHARES_IDSTORE: true OAM11G_IDSTORE_ROLE_SECURITY_ADMIN:OAMAdministrators IDSTORE_OIMADMINGROUP: OIMAdministrators IDSTORE_WLSADMINUSER: weblogic_idm IDSTORE_WLSADMINGROUP: wlsadmingroup IDSTORE_OAAMADMINUSER: oaamAdminUser
./idmConfigTool.sh -configPolicyStore input_file=input_properties
Table 2-9 lists the command properties.
Table 2-9 Properties for ConfigPolicyStore
| Property | Required? |
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Here is a sample properties file for this option, which creates readonly user and writeonly user in the policy store:
POLICYSTORE_HOST: mynode.us.example.com POLICYSTORE_PORT: 3060 POLICYSTORE_BINDDN: cn=orcladmin POLICYSTORE_READONLYUSER: PolicyROUser POLICYSTORE_READWRITEUSER: PolicyRWUser POLICYSTORE_SEARCHBASE: dc=example,dc=com POLICYSTORE_CONTAINER: cn=jpsroot
./idmConfigTool.sh -configOAM input_file=input_properties
Table 2-10 lists the command properties.
Table 2-10 Properties of configOAM
| Property | Required? |
|---|---|
|
|
|
|
|
|
|
|
|
|
I |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
YES |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Oracle Fusion Applications only. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
YES |
|
|
|
|
|
Note:
When you execute this command, the tool prompts you for:
Password of the identity store account to which you are connecting
Access Manager administrator password
Access Manager software user password
Here is a sample properties file for this option, which creates an entry for webgate in Access Manager:
WLSHOST: adminvhn.example.com WLSPORT: 7001 WLSADMIN: weblogic IDSTORE_HOST: idstore.example.com IDSTORE_PORT: 389 IDSTORE_BINDDN: cn=orcladmin IDSTORE_USERNAMEATTRIBUTE: cn IDSTORE_LOGINATTRIBUTE: uid IDSTORE_USERSEARCHBASE: cn=Users,dc=example,dc=com IDSTORE_SEARCHBASE: dc=example,dc=com IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com IDSTORE_OAMSOFTWAREUSER: oamLDAP IDSTORE_OAMADMINUSER: oamadmin PRIMARY_OAM_SERVERS: oamhost1.example.com:5575,oamhost2.example.com:5575 WEBGATE_TYPE: ohsWebgate10g ACCESS_GATE_ID: Webgate_IDM OAM11G_IDM_DOMAIN_OHS_HOST:sso.example.com OAM11G_IDM_DOMAIN_OHS_PORT:443 OAM11G_IDM_DOMAIN_OHS_PROTOCOL:https OAM11G_OAM_SERVER_TRANSFER_MODE:simple OAM11G_IDM_DOMAIN_LOGOUT_URLS: /console/jsp/common/logout.jsp,/em/targetauth/emaslogout.jsp OAM11G_WG_DENY_ON_NOT_PROTECTED: false OAM11G_SERVER_LOGIN_ATTRIBUTE: uid OAM_TRANSFER_MODE: simple COOKIE_DOMAIN: .example.com OAM11G_IDSTORE_ROLE_SECURITY_ADMIN: OAMAdministrators OAM11G_SSO_ONLY_FLAG: true OAM11G_OIM_INTEGRATION_REQ: true or false OAM11G_IMPERSONATION_FLAG:true OAM11G_SERVER_LBR_HOST:sso.example.com OAM11G_SERVER_LBR_PORT:443 OAM11G_SERVER_LBR_PROTOCOL:https COOKIE_EXPIRY_INTERVAL: -1 OAM11G_OIM_OHS_URL:https://sso.example.com:443/ SPLIT_DOMAIN: true OAM11G_IDSTORE_NAME: OAMIDStore IDSTORE_SYSTEMIDBASE: cn=systemids,dc=example,dc=com
As of 11g Release 2 (11.1.2), configOIM supports 11g webgate by default. See the WEBGATE_TYPE option for details.
As indicated in the table, certain properties are required when Oracle Identity Manager and Access Manager are configured on different weblogic domains.
./idmConfigTool.sh -configOIM input_file=input_file_with_path
Table 2-11 lists the command properties.
Table 2-11 Properties for configOIM
| Property | Required? |
|---|---|
|
|
required by Oracle Platform Security Services (OPSS). |
|
|
required by OPSS. |
|
|
required by OPSS. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Required only when Access Manager server does not support 11g webgate in Oracle Identity Manager-Access Manager integration. In that case, value should be provided as '10g'. |
|
|
Required if Access Manager and Oracle Identity Manager servers are configured on different Weblogic domains (that is, a cross-domain setup) |
|
|
Required if Access Manager and Oracle Identity Manager servers are configured on different Weblogic domains (that is, a cross-domain setup) |
|
|
Required if Access Manager and Oracle Identity Manager servers are configured on different Weblogic domains (that is, a cross-domain setup) |
Here is a sample properties file for this option, which seeds the following keys in the credential store framework (CSF): SSOAccessKey, SSOKeystoreKey, SSOGlobalPP:
LOGINURI: /${app.context}/adfAuthentication
LOGOUTURI: /oamsso/logout.html
AUTOLOGINURI: None
ACCESS_SERVER_HOST: OAMHOST1.example.com
ACCESS_SERVER_PORT: 5575
ACCESS_GATE_ID: Webgate_IDM
COOKIE_DOMAIN: .example.com
COOKIE_EXPIRY_INTERVAL: -1
OAM_TRANSFER_MODE: simple
WEBGATE_TYPE: ohsWebgate10g
SSO_ENABLED_FLAG: true
IDSTORE_PORT: 389
IDSTORE_HOST: idstore.example.com
IDSTORE_DIRECTORYTYPE: OID
IDSTORE_ADMIN_USER: cn=oamLDAP,cn=Users,dc=example,dc=com
IDSTORE_USERSEARCHBASE: cn=Users,dc=example,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com
MDS_DB_URL: jdbc:oracle:thin:DB Hostname:DB portno.:SID
MDS_DB_SCHEMA_USERNAME: edg_mds
WLSHOST: adminvhn.example.com
WLSPORT: 7001
WLSADMIN: weblogic
DOMAIN_NAME: IDMDomain
OIM_MANAGED_SERVER_NAME: WLS_OIM1
DOMAIN_LOCATION: ORACLE_BASE/admin/IDMDomain/aserver/IDMDomain
./idmConfigTool.sh -postProvConfig input_file=postProvConfig.props
The properties for this command are the same as for the preConfigIDStore command.
Here is a sample properties file for this option:
IDSTORE_HOST: host01.example.com IDSTORE_PORT: 3060 IDSTORE_BINDDN: cn=orcladmin IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com IDSTORE_SEARCHBASE: dc=example,dc=com IDSTORE_USERSEARCHBASE: cn=systemids,dc=example,dc=com POLICYSTORE_CONTAINER: cn=FAPolicies POLICYSTORE_HOST: host01.ca.example.com POLICYSTORE_PORT: 3060 POLICYSTORE_BINDDN: cn=orcladmin POLICYSTORE_READWRITEUSER: cn=PolicyRWUser,cn=systemids,dc=example,dc=com OVD_HOST: host01.ca.example.com OVD_PORT: 6501 OVD_BINDDN: cn=orcladmin OIM_T3_URL : t3://host02.ca.example.com:14000 OIM_SYSTEM_ADMIN : abcdef
idmConfigTool.sh -upgradeLDAPUsersForSSO input_file=input_Properties
Table 2-12 lists the command properties.
Table 2-12 Properties for upgradeLDAPUsersForSSO
| Property | Required? |
|---|---|
|
|
|
|
|
|
|
|
YES |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Here is a sample properties file for this option:
IDSTORE_HOST: idstore.example.com IDSTORE_PORT: 389 IDSTORE_ADMIN_USER: cn=orcladmin IDSTORE_DIRECTORYTYPE:OVD IDSTORE_USERSEARCHBASE: cn=Users,dc=example,dc=com IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com PASSWORD_EXPIRY_PERIOD: 7300 IDSTORE_LOGINATTRIBUTE: uid
./idmConfigTool.sh -validate component=IDSTORE input_file=input_Properties
Table 2-13 lists the command properties.
Table 2-13 Properties for validate IDStore
| Property | Required? |
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Here is a sample properties file for this option:
idstore.type: OID idstore.host: acb21005.us.example.com idstore.port: 3030 idstore.sslport: 4140 idstore.ssl.enabled: false idstore.super.user: cn=weblogic_fa,cn=systemids,dc=example,dc=com idstore.readwrite.username: cn=IDRWUser,cn=systemids,dc=example,dc=com idstore.readonly.username: cn=IDROUser,cn=systemids,dc=example,dc=com idstore.user.base: cn=Users,dc=example,dc=com idstore.group.base: cn=Groups,dc=example,dc=com idstore.seeding: true idstore.post.validation: false idstore.admin.group: cn=IDM Administrators,cn=Groups,dc=example,dc=com idstore.admin.group.exists: true
./idmConfigTool.sh -validate component=POLICYSTORE input_file=input_Properties
Table 2-14 lists the command properties.
Table 2-14 Properties for validate policystore
| Property | Required? |
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Here is a sample properties file for this option:
POLICYSTORE_HOST: node0316.example.com POLICYSTORE_PORT: 3067 POLICYSTORE_SECURE_PORT : 3110 POLICYSTORE_IS_SSL_ENABLED: FALSE POLICYSTORE_READ_WRITE_USERNAME : cn=PolicyRWUser,cn=systemids,dc=example,dc=com POLICYSTORE_SEEDING: true POLICYSTORE_JPS_ROOT_NODE : cn=jpsroot POLICYSTORE_DOMAIN_NAME: dc=example,dc=com
./idmConfigTool.sh -validate component=OAM11g input_file=input_Properties
Note:
The tool prompts for the WebLogic administration server user password upon execution.
Table 2-15 lists the command properties.
Table 2-15 Properties for validate component=OAM11g
| Property | Required? |
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Here is a sample properties file for this option, which validates the Access Manager server:
admin_server_host: abc5411405.ca.example.com admin_server_port: 17001 admin_server_user: weblogic IDSTORE_HOST:abc5411405.ca.example.com IDSTORE_PORT:3060 IDSTORE_IS_SSL_ENABLED:false OAM11G_ACCESS_SERVER_HOST:abc5411405.ca.example.com OAM11G_ACCESS_SERVER_PORT:5575 OAM11G_IDSTORE_ROLE_SECURITY_ADMIN:OAMAdministrators OAM11G_OIM_OHS_URL: http://abc5411405.ca.example.com:7779/ OAM11G_OIM_INTEGRATION_REQ: true OAM11G_OAM_ADMIN_USER:oamadminuser OAM11G_SSO_ONLY_FLAG: true OAM11G_OAM_ADMIN_USER_PASSWD:
./idmConfigTool.sh -validate component=OAM10g input_file=input_Properties
Table 2-16 lists the command properties.
./idmConfigTool.sh -validate component=OIM11g input_file=input_Properties
Note:
The tool prompts for the WebLogic administration server user password upon execution.
Table 2-17 lists the command properties.
Table 2-17 Properties for validate component=OIM11g
| Property | Required? |
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Here is a sample properties file for this option:
admin_server_host: node06.example.com admin_server_port: 17111 admin_server_user: weblogic oam_host : node06.example.com oam_nap_port : 5575 idm.keystore.file: idm.keystore.file idstore.user.base: cn=Users,dc=example,dc=com idstore.group.base: cn=Groups,dc=example,dc=com oim_is_ssl_enabled: false OIM_HOST: node06.example.com OIM_PORT: 1400
./idmConfigTool.sh -configOVD input_file=input_Properties
Table 2-18 lists the command properties (where n=1,2..).
Table 2-18 configOVD properties
| Property | Required? |
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
YES |
|
|
|
|
|
YES |
|
|
YES |
|
|
YES |
The content of the properties file for the configOVD command depends on the Oracle Virtual Directory configuration. This section provides some sample files.
Here is an example of the file named single.txt for a single-server configuration:
ovd.host:myhost.us.example.com ovd.port:7000 ovd.binddn:cn=orcladmin ovd.ssl:true ldap1.type:OID ldap1.host:myhost.us.example.com ldap1.port:7000 ldap1.binddn:cn=oimadmin,cn=systemids,dc=example,dc=com ldap1.ssl:false ldap1.base:dc=example,dc=com ldap1.ovd.base:dc=example,dc=com usecase.type: single
When using this file, the command is thus invoked as:
idmConfigTool -configOVD input_file=path/single.txt Enter OVD password: password Enter LDAP password: password
Here is an example of the file named split.txt for a split-profile server configuration:
ovd.host:myhost.us.example.com ovd.port:7000 ovd.binddn:cn=orcladmin ovd.ssl:true ldap1.type:AD ldap1.host:10.0.0.0 ldap1.port:7000 ldap1.binddn:administrator@idmqa.com ldap1.ssl:true ldap1.base:dc=idmqa,dc=com ldap1.ovd.base:dc=idmqa,dc=com usecase.type: split ldap2.type:OID ldap2.host:myhost.us.example.com ldap2.port:7000 ldap2.binddn:cn=oimadmin,cn=systemids,dc=example,dc=com ldap2.ssl:false ldap2.base:dc=example,dc=com ldap2.ovd.base:dc=example,dc=com
When using this file, the command is thus invoked as:
idmConfigTool -configOVD input_file=path/split.txt Enter OVD password: password Enter LDAP1 password: password Enter LDAP2 password: password
./idmConfigTool.sh -ovdConfigUpgrade input_file=input_Properties
Table 2-19 lists the command properties.
Table 2-19 ovdConfigUpgrade Properties
| Property | Required? |
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Here is a sample properties file for this option which upgrades the existing adapters:
ovd.host:abk005sjc.us.myhost.com ovd.port:8801 ovd.binddn:cn=orcladmin ovd.ssl:true
./idmConfigTool.sh -disableOVDAccessConfig input_file=input_Properties
Table 2-20 lists the command properties.
Table 2-20 disableOVDAccessConfig Properties
| Property | Required? |
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Here is a sample properties file for this option which disables the anonymous access in Oracle Virtual Directory:
ovd.host:abc00def.ca.example.com ovd.port:8501 ovd.binddn:cn=orcladmin ovd.ssl:true
./idmConfigTool.sh -upgradeOIMTo11gWebgate input_file=input_Properties
This command uses the same properties that are required for the configOIM command, so the same properties file can work for both. See Table 2-11.
As indicated in the table, certain properties are required when Oracle Identity Manager and Access Manager are configured on different weblogic domains.
For examples of idmConfigTool usage, see the individual command options in Command Options and Properties.