This chapter describes the common configuration and management tasks an enterprise administrator will perform while using Oracle Identity Navigator.
This chapter contains the following topics:
Note:
This section provides information about configuring the domain identity store using Oracle Internet Directory or Oracle Virtual Directory with a supported LDAP-based directory server. For information about other supported identity stores, see "System Requirements and Certification".Consult the vendor product documentation for information about configuring the identity store in your environment.
You need to configure a domain identity store before you can view users when searching from the Oracle Identity Navigator Access Privileges pane. To configure the identity store as the main authentication source, you must configure the Oracle WebLogic Server domain where Oracle Identity Navigator is installed.
Configuration is done in the WebLogic Server Administration Console. Setting the Control Flag attribute for the authenticator provider determines the ordered execution of the Authentication providers. The possible values for the Control Flag attribute are:
REQUIRED - This LoginModule must succeed. Even if it fails, authentication proceeds down the list of LoginModules for the configured Authentication providers. This setting is the default.
REQUISITE - This LoginModule must succeed. If other Authentication providers are configured and this LoginModule succeeds, authentication proceeds down the list of LoginModules. Otherwise, control is returned to the application.
SUFFICIENT - This LoginModule need not succeed. If it does succeed, return control to the application. If it fails and other Authentication providers are configured, authentication proceeds down the LoginModule list.
OPTIONAL - This LoginModule can succeed or fail. However, if all Authentication providers configured in a security realm have the JAAS Control Flag set to OPTIONAL, the user must pass the authentication test of one of the configured providers.
For more information about creating a new default authenticator in Oracle WebLogic Server, see Oracle Fusion Middleware Oracle WebLogic Server Administration Console Online Help and Oracle Fusion Middleware Securing Oracle WebLogic Server.
To configure the OID authenticator in Oracle WebLogic Server:
Log in to Oracle WebLogic Server Administration Console, and click Lock & Edit in the Change Center.
In Oracle WebLogic Server Administration Console, select Security Realms from the left pane and click the realm you are configuring. For example, myrealm.
Select the Providers tab, then select the Authentication sub-tab.
Click New to launch the Create a New Authentication Provider page. Complete the fields as follows:
Name: Enter a name for the authentication provider. For example, MyOIDDirectory.
Type: Select OracleInternetDirectoryAuthenticator from the list.
Click OK. The authentication providers table is updated.
In the authentication providers table, click the newly added authenticator.
In Settings, select the Configuration tab, then select the Common tab.
Set the Control Flag to SUFFICIENT.
Click Save.
Select the Provider Specific tab and enter the following required settings using values for your environment:
Host: The host name of the Oracle Internet Directory server.
Port: The port number on which the Oracle Internet Directory server is listening.
Principal: The distinguished name (DN) of the Oracle Internet Directory user to be used to connect to the Oracle Internet Directory server. For example: cn=OIDUser,cn=users,dc=us,dc=mycompany,dc=com.
Credential: Password for the Oracle Internet Directory user entered as the Principal.
Group Base DN: The base distinguished name (DN) of the Oracle Internet Directory server tree that contains groups.
User Base DN: The base distinguished name (DN) of the Oracle Internet Directory server tree that contains users.
All Users Filter: LDAP search filter. Click More Info... for details.
User From Name Filter: LDAP search filter. Click More Info... for details.
User Name Attribute: The attribute that you want to use to authenticate (for example, cn, uid, or mail). For example, to authenticate using a user's email address you set this value to mail.
Click Save.
From the Settings for myrealm page, select the Providers tab, then select the Authentication tab.
Click Reorder.
Select the new authenticator and use the arrow buttons to move it into the first position in the list.
Click OK.
Click DefaultAuthenticator in the Authentication Providers table to display the Settings for DefaultAuthenticator page.
Select the Configuration tab, then the Common tab, and select SUFFICIENT from the Control Flag list.
In the Change Center, click Activate Changes.
Restart Oracle WebLogic Server.
To use Oracle Virtual Directory as the domain identity store, you must do the following:
Configure Oracle Virtual Directory with the LDAP-based server. For more information, see "Creating LDAP Adaptors" in Oracle Fusion Middleware Administrator's Guide for Oracle Virtual Directory.
Configure the OVD authenticator in Oracle WebLogic Server. For more information, see Oracle Fusion Middleware Oracle WebLogic Server Administration Console Online Help.
When operating in a development or test environment you might find it convenient to use the default policy store, which is the system-jazn-data.xml file. However, Oracle recommends that in a production environment the domain policy store be LDAP-based. Data from the default system-jazn-data.xml file must be migrated when moving to an LDAP-based policy store such as Oracle Internet Directory. This process is called reassociation.
To re-configure the domain to use Oracle Internet Directory as the policy store, follow the steps in "Reassociating the OPSS Security Store" in Oracle Fusion Middleware Application Security Guide.
Note:
It is important to restart the admin and managed servers for re-association to be successful.Enterprise roles must be created in the domain identity store to support the Common Admin Roles. Templates are provided for both Oracle Internet Directory and Oracle Virtual Directory configured with an LDAP-based directory server. The template is used with the ldifmigrator tool.
Pre-requisites to configuring enterprise roles for the Common Admin Roles:
The domain identity store must be configured. For more information, see "Configuring the Identity Store".
The domain policy store must be configured. For more information, see "Configuring the Policy Store".
For more information about supported identity and policy store configurations for Oracle Identity Navigator, see "System Requirements and Certification".
To configure enterprise roles in the domain identity store:
Select the template for your environment from ORACLE_HOME/common/templates.
Oracle Internet Directory: use oinav_template_oid.ldif
Oracle Virtual Directory, use oinav_template_ovd.ldif
To use the ldifmigrator tool, set $JAVA_HOME and include JAVA_HOME/bin in PATH.
Use the ldifmigrator tool to create the enterprise roles in the identity store under <GroupBase> as follows, where <ldif template> is the template name:
Run java -cp $MIDDLEWARE_HOME/oracle_common/modules/oracle.ldap_11.1.1/ldapjclnt11.jar -DORACLE_HOME=$ORACLE_HOME/oracle_common oracle.ldap.util.LDIFMigration input_file=<ldif template> output_file=<outputfile> namespace=<GroupBase> -load dn=<bindDn> password=<> host=<hostName> port=<portNumber>
When using Oracle Virtual Directory with an LDAP-based directory server, the host, port, dn, and groupbase refer to Oracle Virtual Directory and not the LDAP server.
By default, the Oracle Access Manager 11g agent provides single sign-on functionality for Oracle Identity Navigator and the following Identity Management consoles:
Oracle Identity Manager
Oracle Access Manager
Oracle Adaptive Access Manager
Oracle Authorization Policy Manager
The Oracle Access Manager agent can only protect consoles in a single domain. If your environment spans multiple domains, you can use Oracle Access Manager 11g WebGate for Oracle HTTP Server 11g. To configure Oracle Identity Navigator for WebGate-based single sign-on, see the chapter "Integrating with Oracle Identity Navigator" in Oracle Fusion Middleware Integration Guide for Oracle Access Manager.
The web.xml file provides configuration and deployment information for a Web application, such as Oracle Identity Navigator. The Oracle Identity Navigator web.xml file is in oinav.ear. The optional <user-data-constraint> element in web.xml can be used to specify a transport guarantee that prevents content from being transmitted insecurely. Within the <user-data-constraint> tag, the <transport-guarantee> tag defines how communication should be handled. There are three possible values for that tag:
NONE – the application does not require any transport guarantees.
INTEGRAL – the application requires that data sent between the client and server be sent in such a way that it cannot be changed in transit.
CONFIDENTIAL – the application requires that data be transmitted in a fashion that prevents other entities from observing the contents of the transmission.
Because Oracle Identity Navigator supports both SSL and non-SSL connections to component consoles, the web.xml attribute <user-data-constraint> is set to a default value of NONE. That is, Oracle Identity Navigator does not, by default, support a constraint for a transport guarantee. If you want such a guarantee, you can change the <transport-guarantee> tag within the <user-data-constraint> tag to either INTEGRAL or CONFIDENTIAL.
Log in as an administrator as follows:
Start the WebLogic Administration Server.
Enter the following URL in a browser:
http://host:port/oinav
where port is the Administration Server port.
Supply the Administrator Username and Password. The Administrator account must exist in the identity store and have the Oracle Identity Navigator Administrator role.
Click Log In.
You must have appropriate privileges to perform the following tasks.
Configure component categories. See "Managing the Product Launcher". Then add components manually or by using discovery. See "Adding a Component Link to the Product Launcher by Using Product Discovery".
You must be the Oracle Identity Navigator administrator or have the Application Configurator Common Admin Role to perform this task.
Configure BI Publisher. See "Configuring Oracle Business Intelligence Publisher".
You must be the Oracle Identity Navigator administrator or have the Application Configurator Common Admin Role to perform this task.
If your RSS feed is outside a firewall, configure a proxy. See "Configuring a Proxy to Access News Feeds".
You must be an administrator to perform this task.
Oracle Identity Navigator has been integrated with Oracle BI Publisher. The interface supports stronger customization than BI Publisher alone. Using the Oracle Identity Navigator interface, each administrator can customize the Dashboard as needed. The report tree is less deep than with BI Publisher alone, so you can access reports with fewer clicks.
Note:
Only one Oracle Business Intelligence Publisher instance can be connected to an Oracle Identity Navigator instance.Before you attempt to create a connection between Oracle Identity Navigator and an instance of BI Publisher, you must install BI Publisher and configure the report templates. Optionally, you can configure BI Publisher for SSL.
You must install the following components:
See Also:
Oracle Business Intelligence Publisher Installation Guide in the Oracle Business Intelligence Publisher Enterprise Version 10.1.3.4 Documentation Library for more information about installing Oracle BI Publisher.Oracle Identity Management BI Publisher report templates are installed as zip files under Oracle home directories. For 11gR1 components, all the templates are in a single zip file. These are all Audit report templates.
For 11gR1+ components, the template zip files are in specific directories under the component Oracle homes. For example:
| Component | Directory Under Oracle Home |
|---|---|
| Oracle Adaptive Access Manager | oaam/reports |
| Oracle Access Manager | oam/server/reports |
| Oracle Identity Manager | server/reports |
Copy and unzip audit report zip files to the audit report folder under the BI Publisher report root folder. Copy and unzip other report zip files to the BI Publisher report root folder. Use the BI Publisher web interface to configure data sources with report databases.
See Also:
Oracle Business Intelligence Publisher Administrator's and Developer's Guide in the Oracle Business Intelligence Publisher Enterprise Version 10.1.3.4 Documentation Library for more information about installing Oracle BI Publisher.
The chapter "Using Audit Analysis and Reporting" in Oracle Fusion Middleware Application Security Guide.
If you plan to use an SSL connection between Oracle Identity Navigator and BI Publisher, you must configure BI Publisher for SSL, as described in "Configuring BI Publisher for Secure Socket Layer (SSL) Communication" in Oracle Business Intelligence Publisher Administrator's and Developer's Guide in the Oracle Business Intelligence Publisher Enterprise Version 10.1.3.4 Documentation Library.
In addition to configuring BI Publisher for SSL, you must provision a CA certificate to Oracle Identity Navigator so it can connect to BI Publisher through SSL. Proceed as follows:
Import the BI Publisher CA certificate into the Oracle WebLogic Server trust store, using the keytool command.
keytool -keystore trust_store -export -alias alias -file certificate_file
For example:
keytool -keystore truststore.jks -export -alias cacert -file cacert.cer
If you get a hostname verification error when you issue the keystore command, disable hostname verification by adding this flag to EXTRA_JAVA_PROPERTIES in the file setDomainEnv.sh:
-Dweblogic.security.SSL.ignoreHostnameVerification=true
Then issue the keystore command again.
Restart the Weblogic server.
See Also:
Oracle Fusion Middleware Securing Oracle WebLogic Server for additional information about configuring SSL on the Oracle WebLogic Server.To create a connection, proceed as follows:
Click the Administration tab.
Expand BI Publisher.
In the right pane, enter values for Host, Port, User, and Password.
If you have configured Oracle Identity Navigator and BI Publisher to use an SSL connection, select SSL.
Under Specify BI Publisher report components, click Create.
Select a component and supply a name and path.
To limit the connection entry to a subset of the reports available for the component, click the Finder icon and navigate to the desired path. You can have more than one path for a component. Using paths in this manner can reduce the amount of text associated with a report name on the Dashboard.
Repeat for other for other components you want to add.
Click Test to verify the connection information you have supplied. A dialog will verify that the connection has succeeded or tell you why it failed.
If the test succeeds, click Apply to finish the configuration. If the test fails, consult the appropriate administrator at your site.
To delete a component, select it and click Delete, then click Apply.
After BI Publisher has been configured, the My Reports section of the Dashboard page will contain the link Click here to create reports.
Note:
If you change the name or path of a component, the new name or path will apply to new reports. The reports that are already saved are not modified.You might need to specify a proxy so that Oracle Identity Navigator can access Oracle news feeds from inside your firewall. You do this by adding lines to the setDomainEnv script, which is in the bin directory of your WebLogic domain. For example:
$MIDDLEWARE_HOME/user_projects/domains/base_domain/bin/setDomainEnv.sh
The file name is setDomainEnv.sh on Linux and UNIX systems and setDomainEnv.cmd on Windows systems. The script sets the domain-wide environment variables for starting and running a WebLogic Server instance. It is invoked by the startWebLogic and stopWebLogic commands.
Minimally, you must add the following lines to EXTRA_JAVA_PROPERTIES in the setDomainEnv file.
-Dhttp.proxyHost=proxy_server_host -Dhttp.proxyPort=proxy_server_port -Dhttp.nonProxyHosts=non_proxy_hosts
In the following example:
Oracle Identity Management components, including Oracle Identity Navigator are deployed in the Oracle WebLogic Server domain mycompany.com. The domain also contains the machines stajz18.mycompany.com and adc2170219.mycompany.com.
A firewall exists between the domain in mycompany.com and the Oracle news feed server. You must route news feed requests from Oracle Identity Navigator through the proxy server to the Oracle news feed site outside the firewall.
HTTP requests sent to servers stajz18.mycompany.com and adc2170219.mycompany.com need not be routed to the proxy server.
You would add the following lines to the setDomainEnv.sh file on the WebLogic Administration Server.
EXTRA_JAVA_PROPERTIES="-Dhttp.proxyHost=www-proxy.mycompany.com -Dhttp.proxyPort=80 -Dhttp.nonProxyHosts=stajz18.mycompany.com|adc2170219.mycompany.com ${EXTRA_JAVA_PROPERTIES}"
export EXTRA_JAVA_PROPERTIES
For completeness, you can also add the following additional lines:
-DftpProxyHost=ftp_host -DftpProxyPort=FTP_proxy_server_port -DsocksProxyHost=SOCKS_proxy_server_host -DsocksProxyPort=SOCKS_proxy_server_port
You must restart WebLogic Administration Server for the changes to take effect.
As Administrator, you can modify the list of categories and components that appear on the Product Launcher.
You can add components within a category using either of two methods
Specify component console information.
Specify host information and use product discovery to determine which component consoles are available.
From the Administration tab, you can use product discovery to discover all active Java EE components in the domain, including the Oracle WebLogic Server console and Oracle Enterprise Manager Fusion Middleware Control.
Click the Administration tab.
Under Product Registration, select Discover Product(s). The Domain Selection page of the product discovery wizard appears in the right pane.
Specify the Host, Port, User, and Password for the server from which you want to discover components. If you are using the SSL port, select SSL.
Click Next.
On the Available Products page, select the component consoles you want to add to Oracle Identity Navigator. For each console you select, specify a Display Name. If a category has not been selected automatically, select a category from the Category list.
Click Next.
On the Product Removed page, you can optionally select previously discovered components to remove.
Click Next.
Review the status of the links on the Confirmation page. If necessary, click Back and correct any errors. When the Confirmation page is correct, click Finish.
Add a link as follows:
Click the Administration tab.
Under Product Registration, click the Create Product Link icon or select Create Product Link from the Actions list.
In the New Product Registration dialog, select the type of component you want to add.
Provide values for Category, Display Name, Type, Version, Host, Port, and URL.
Click OK to add the link or Cancel to abandon adding the link.
Edit a link as follows:
Click the Administration tab.
Under Product Registration, click the product you want to edit.
On the Product Registration screen, make desired changes
Click Apply to apply the changes or Revert to remove the changes you have made.
Remove a link as follows:
Click the Administration tab.
Under Product Registration, highlight the item you want to remove.
Click the Delete Product Link icon or select Delete Product Link from the Actions list.
In the Confirmation dialog, click OK to proceed or click Cancel to cancel the deletion.
You can also use the product discovery interface to delete several links at once.
Add a component category as follows:
Click the Administration tab.
Under Product Registration, select Create Category from the Actions list.
In the right pane, enter the component category name.
Click Save.
Verify that the new category has been added to the left pane.
Edit a category as follows:
Click the Administration tab.
Under Product Registration, select a product category. The product category information appears tin the right pane.
Make the desired changes.
Click Apply.
Use the Access Privileges page to assign Common Admin Roles to users or to view role assignments. The Access Privileges Page has a Search pane on the left that enables you to search for a user or a Common Admin Role. If the search is successful and a selection from the results is made, data for that user or role appear in the right pane.
You can only view users after the domain identity store has been configured as the authentication source. For more information, see "Configuring the Identity Store".
You can the view, set, and modify access privileges for specific users using the Access Privileges page. For the Common Admin Roles, you can view which users have been assigned that role for each of the components.
When working with users, the Common Admin Roles are displayed in rows in a table on the right. The components are shown in the table columns.
Note:
The Common Admin Roles must have enterprise roles configured before they will be visible in the Access Privileges page. For more information, see "Configuring the Enterprise Roles".To view the Access Privileges page:
Click the Administration.
Click Access Privileges in the navigation panel.
Search for users or roles from the Search pane in the Access Privileges page.
To search for a user:
Select User from the Type list.
Provide a search string, which can be a user name, user ID, or email address, or a substring, of any of those.
Click the arrow. Oracle Identity Navigator displays all users who match the criteria.
Select the user from the results list whose access privileges you want to view, set, or modify. The information appears on the right.
To search for a Common Admin Role:
Select Common Admin Role from Type.
The list of roles is displayed.
Select a role from the results list to view which users are assigned to that role. The information displays on the right.
Table 2-1 provides a summary of the Oracle Identity Navigator Common Admin Roles and the access rights each provides.
Table 2-1 Oracle Identity Navigator Common Admin Roles
| Common Admin Role Name | Entitlement |
|---|---|
|
Security Admin |
|
|
Security Auditor |
|
|
Application Configurator |
|
To assign a Common Admin Role to a user:
Selecting the box for that role in the Components column.
Click Apply to save the new settings or Revert to discard them.
For information about moving Oracle Fusion Middleware components from one environment to another, see "Moving from a Test to a Production Environment" in Oracle Fusion Middleware Administrator's Guide.
For information about moving Identity Management components, including Oracle Identity Navigator, from a test environment to a production environment, see "Moving Identity Management Components to a Production Environment" in Oracle Fusion Middleware Administrator's Guide.
A component administrator has the privileges required to manage a specific Identity Management application's reports. Each component administrator can customize his or her own Dashboard page. Component administrators cannot access the Administration page of Oracle Identity Navigator.
Table 2-2 describes the Identity Management component specific Oracle Identity Navigator administrative roles and the access rights each conveys.
Table 2-2 Component Specific Administrative Roles
| Component Specific Oracle Identity Navigator Admin Role Name | Access Right Granted |
|---|---|
|
OIM_ADMIN |
|
|
OAM_ADMIN |
|
|
OAAM_ADMIN |
|
|
OWSM_ADMIN |
|
These roles enable fine grained access control for all the reports. The following enterprise roles must be created in the domain identity store before you can begin using them:
OAM_ADMIN
OIM_ADMIN
OAAM_ADMIN
OWSM_ADMIN
Users or groups that are members of the listed enterprise roles then have the appropriate access privileges.
This section describes some problems that you could encounter while configuring or using Oracle Identity Navigator.
You enter the URL for Oracle Identity Navigator into a browser and attempt to access it. You receive an error message.
In a dual-stack, IPv4 and IPv6 environment, some URLs might be inaccessible from your browser. Consult your network administrator for more information.
You cannot create a connection to BI Publisher.
Make sure the Oracle WebLogic Server and BI Publisher server are running.
You cannot create or run a report.
Remember that different login accounts might have different roles. If you log in as a user who does not have the Oracle Access Manager administrator role, for example, you will not be able to create Oracle Access Manager reports.
Make sure the Oracle WebLogic Server, BI Publisher server, and Oracle Database are running.
You can access BI Publisher reports from BI Publisher itself. Doing so can help you determine whether a configuration problem is due to Oracle Identity Navigator or BI Publisher.
Consult Oracle WebLogic Server logs.
You cannot view PDF reports with Adobe Reader in a browser.
Either upgrade to a newer version of Reader or configure Reader to run directly, not as an embedded function within the browser. See your Adobe Reader documentation for more information.
You cannot view a report in MHTML format.
Open the report in HTML format.
You cannot view the Common Admin Roles in the Oracle Identity Navigator user interface.
Verify enterprise roles have been created to support the Common Admin Roles. For more information, see "Configuring the Enterprise Roles".