Oracle® Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management (Oracle Fusion Applications Edition) 11g Release 5 (11.1.5) Part Number E21032-15
This chapter describes how to integrate Oracle Identity Management components for an enterprise deployment.
This chapter contains the following sections:
Section 18.1, "Overview of Integrating Oracle Identity Management Components"
Section 18.2, "Integrating Oracle Identity Manager and Oracle Access Manager 11g"
Section 18.3, "Preparing the Environment for Fusion Applications Provisioning"
Section 18.4, "Integrating Oracle Identity Federation with Oracle Access Manager 11g"
Section 18.5, "Backing Up the Identity Management Configuration"
Now that you have finished setting up the Identity Management environment, you must perform some final tasks to ensure that the components work together.
You must also ensure that the environment is ready for Fusion Applications provisioning.
This section describes how to integrate Oracle Identity Manager and Oracle Access Manager.
This section contains the following topics:
Section 18.2.2, "Copying OAM Keystore Files to OIMHOST1 and OIMHOST2"
Section 18.2.3, "About the Split Oracle Identity Manager Domain"
Section 18.2.4, "Updating Existing LDAP Users with Required Object Classes"
Section 18.2.5, "Integrating Oracle Access Manager 11g with Oracle Identity Manager 11g"
Section 18.2.6, "Managing the Password of the xelsysadm User"
Ensure that Oracle Identity Manager 11g has been installed and configured as described in Chapter 14, "Configuring Oracle Identity Manager."
Ensure that Oracle Access Manager 11g has been installed and configured as described in Chapter 13, "Configuring Oracle Access Manager 11g."
Ensure that OHS has been installed and configured as described in Chapter 6, "Installing Oracle HTTP Server."
If you are using Oracle Access Manager with the Simple security transport model, you must copy the OAM keystore files that were generated in Section 13.10, "Creating Oracle Access Manager Key Store" to OIMHOST1 and OIMHOST2. Copy the keystore files ssoKeystore.jks and oamclient-truststore.jks to the directory MSERVER_HOME/domain_name/config/fmwconfig on OIMHOST1 and OIMHOST2. These files carry the key material that protects the Simple mode channel, so transfer them in a way that preserves their owner and restrictive permissions rather than through a world-readable staging directory.
The examples in this chapter show the domain IDMDomain extended to include Oracle Identity Manager and integrated with the other components in that domain. If you are building a split domain topology, substitute OIMDomain wherever you see a reference to IDMDomain and OIMADMINVHN wherever you see ADMINVHN.
You must update existing LDAP users with the object classes OblixPersonPwdPolicy, OIMPersonPwdPolicy, and OblixOrgPerson.
Note:
This is not required in the case of a fresh setup where you do not have any existing users.
On IDMHOST1, create a properties file for the integration called user.props, with the following contents:
IDSTORE_HOST: idstore.mycompany.com
IDSTORE_PORT: 389
IDSTORE_ADMIN_USER: cn=orcladmin
IDSTORE_DIRECTORYTYPE: OVD
IDSTORE_USERSEARCHBASE: cn=Users,dc=mycompany,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=mycompany,dc=com
PASSWORD_EXPIRY_PERIOD: 7300
IDSTORE_LOGINATTRIBUTE: uid
Where:
IDSTORE_HOST is the name of the LDAP server. For example: idstore.mycompany.com
IDSTORE_PORT is the port of the LDAP server.
IDSTORE_ADMIN_USER is the bind DN of an administrative user. For example: cn=orcladmin or cn=oudadmin
IDSTORE_DIRECTORYTYPE is the type of directory; valid values are OID and OVD.
IDSTORE_USERSEARCHBASE is the location of users in the directory. For example: cn=Users,dc=mycompany,dc=com
IDSTORE_GROUPSEARCHBASE is the location of groups in the directory. For example: cn=Groups,dc=mycompany,dc=com
IDSTORE_LOGINATTRIBUTE is the directory login attribute name. For example: uid
PASSWORD_EXPIRY_PERIOD is the password expiry period, in days (7300 in the example).
The file holds no password; the tool prompts for the bind password of IDSTORE_ADMIN_USER when it runs.
Set the environment variables MW_HOME, JAVA_HOME, IDM_HOME, and ORACLE_HOME:
Set IDM_HOME to IDM_ORACLE_HOME.
Set ORACLE_HOME to IAM_ORACLE_HOME.
Set MW_HOME to MW_HOME.
Set JAVA_HOME to MW_HOME/jrockit-version.
Upgrade the existing LDAP users using the idmConfigTool command, which is located at IAM_ORACLE_HOME/idmtools/bin.
Note:
When you run idmConfigTool, it creates or appends to the file idmDomainConfig.param. This file is generated in the directory that idmConfigTool is run from. To ensure that the same file is appended to each time the tool is run, always run idmConfigTool from the directory IAM_ORACLE_HOME/idmtools/bin.
The syntax of the command is:
idmConfigTool.sh -upgradeLDAPUsersForSSO input_file=configfile
on Linux and
idmConfigTool.bat -upgradeLDAPUsersForSSO input_file=configfile
on Windows.
For example:
idmConfigTool.sh -upgradeLDAPUsersForSSO input_file=user.props
When prompted, enter the password of the user you are using to connect to your Identity Store.
Sample output:
Enter LDAP admin user password:
********* Upgrading LDAP Users With OAM ObjectClasses *********
Completed loading user inputs for - LDAP connection info
Completed loading user inputs for - LDAP Upgrade
Upgrading ldap users at - cn=Users,dc=us,dc=oracle,dc=com
Parsing - cn=readOnlyUser,cn=Users,dc=us,dc=oracle,dc=com
objectclass OIMPersonPwdPolicy not present in cn=readOnlyUser,cn=Users,dc=us,dc=oracle,dc=com. Seeding it
objectclass OblixOrgPerson not present in cn=readOnlyUser,cn=Users,dc=us,dc=oracle,dc=com. Seeding it
objectclass OblixPersonPwdPolicy not present in cn=readOnlyUser,cn=Users,dc=us,dc=oracle,dc=com. Seeding it
obpasswordexpirydate added in cn=readOnlyUser,cn=Users,dc=us,dc=oracle,dc=com
Parsing - cn=readWriteUser,cn=Users,dc=us,dc=oracle,dc=com
objectclass OIMPersonPwdPolicy not present in cn=readWriteUser,cn=Users,dc=us,dc=oracle,dc=com. Seeding it
objectclass OblixOrgPerson not present in cn=readWriteUser,cn=Users,dc=us,dc=oracle,dc=com. Seeding it
objectclass OblixPersonPwdPolicy not present in cn=readWriteUser,cn=Users,dc=us,dc=oracle,dc=com. Seeding it
obpasswordexpirydate added in cn=readWriteUser,cn=Users,dc=us,dc=oracle,dc=com
Parsing - cn=weblogic,cn=Users,dc=us,dc=oracle,dc=com
objectclass OIMPersonPwdPolicy not present in cn=weblogic,cn=Users,dc=us,dc=oracle,dc=com. Seeding it
objectclass OblixOrgPerson not present in cn=weblogic,cn=Users,dc=us,dc=oracle,dc=com. Seeding it
objectclass OblixPersonPwdPolicy not present in cn=weblogic,cn=Users,dc=us,dc=oracle,dc=com. Seeding it
obpasswordexpirydate added in cn=weblogic,cn=Users,dc=us,dc=oracle,dc=com
Parsing - cn=oamMasterAdminUser,cn=Users,dc=us,dc=oracle,dc=com
objectclass OIMPersonPwdPolicy not present in cn=oamMasterAdminUser,cn=Users,dc=us,dc=oracle,dc=com. Seeding it
objectclass OblixPersonPwdPolicy not present in cn=oamMasterAdminUser,cn=Users,dc=us,dc=oracle,dc=com. Seeding it
obpasswordexpirydate added in cn=oamMasterAdminUser,cn=Users,dc=us,dc=oracle,dc=com
Parsing - cn=oamSoftwareUser,cn=Users,dc=us,dc=oracle,dc=com
objectclass OIMPersonPwdPolicy not present in cn=oamSoftwareUser,cn=Users,dc=us,dc=oracle,dc=com. Seeding it
objectclass OblixOrgPerson not present in cn=oamSoftwareUser,cn=Users,dc=us,dc=oracle,dc=com. Seeding it
objectclass OblixPersonPwdPolicy not present in cn=oamSoftwareUser,cn=Users,dc=us,dc=oracle,dc=com. Seeding it
obpasswordexpirydate added in cn=oamSoftwareUser,cn=Users,dc=us,dc=oracle,dc=com
Parsing - cn=PolStoreROUser,cn=Users,dc=us,dc=oracle,dc=com
objectclass OIMPersonPwdPolicy not present in cn=PolStoreROUser,cn=Users,dc=us,dc=oracle,dc=com. Seeding it
objectclass OblixOrgPerson not present in cn=PolStoreROUser,cn=Users,dc=us,dc=oracle,dc=com. Seeding it
objectclass OblixPersonPwdPolicy not present in cn=PolStoreROUser,cn=Users,dc=us,dc=oracle,dc=com. Seeding it
obpasswordexpirydate added in cn=PolStoreROUser,cn=Users,dc=us,dc=oracle,dc=com
Parsing - cn=PolStoreRWUser,cn=Users,dc=us,dc=oracle,dc=com
objectclass OIMPersonPwdPolicy not present in cn=PolStoreRWUser,cn=Users,dc=us,dc=oracle,dc=com. Seeding it
objectclass OblixOrgPerson not present in cn=PolStoreRWUser,cn=Users,dc=us,dc=oracle,dc=com. Seeding it
objectclass OblixPersonPwdPolicy not present in cn=PolStoreRWUser,cn=Users,dc=us,dc=oracle,dc=com. Seeding it
obpasswordexpirydate added in cn=PolStoreRWUser,cn=Users,dc=us,dc=oracle,dc=com
Parsing - cn=PUBLIC, cn=Users, dc=us,dc=oracle,dc=com
objectclass OIMPersonPwdPolicy not present in cn=PUBLIC, cn=Users, dc=us,dc=oracle,dc=com. Seeding it
objectclass OblixOrgPerson not present in cn=PUBLIC, cn=Users, dc=us,dc=oracle,dc=com. Seeding it
objectclass OblixPersonPwdPolicy not present in cn=PUBLIC, cn=Users, dc=us,dc=oracle,dc=com. Seeding it
obpasswordexpirydate added in cn=PUBLIC, cn=Users, dc=us,dc=oracle,dc=com
Parsing - cn=orcladmin, cn=Users, dc=us,dc=oracle,dc=com
objectclass OIMPersonPwdPolicy not present in cn=orcladmin, cn=Users, dc=us,dc=oracle,dc=com. Seeding it
obpasswordexpirydate added in cn=orcladmin, cn=Users, dc=us,dc=oracle,dc=com
Parsing - cn=xelsysadm,cn=Users,dc=us,dc=oracle,dc=com
Parsing - cn=xelsysadmin,cn=Users,dc=us,dc=oracle,dc=com
Finished parsing LDAP
LDAP Users Upgraded.
********* ********* *********
See Also:
Oracle Fusion Middleware Integration Overview for Oracle Identity Management Suite for more information about the idmConfigTool command.
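As an added check (not part of the guide or of idmConfigTool), the following script verifies the result of the upgrade: it reads LDIF as ldapsearch -LLL prints it and lists every user entry that still lacks one of the three object classes, so a partial run or an entry the tool skipped shows up before the Oracle Access Manager integration is wired on top. The LDIF embedded in it is constructed for the demonstration; the ldapsearch invocation in the comment assumes the host, bind DN and search base from user.props above.

```shell
#!/bin/sh
# Post-check for "idmConfigTool -upgradeLDAPUsersForSSO". Added example, not
# Oracle tooling. Reads LDIF as "ldapsearch -LLL" prints it on stdin and
# writes one line per user entry that still lacks one of the object classes
# the tool seeds, as "<dn><TAB><objectclass>"; writes nothing when all
# entries are complete. Base64 dn lines ("dn:: ") and wrapped continuation
# lines are not handled, so use -LLL and unwrapped output.

REQUIRED_SSO_CLASSES="OblixPersonPwdPolicy OIMPersonPwdPolicy OblixOrgPerson"

missing_sso_objectclasses() {
    awk -v required="$REQUIRED_SSO_CLASSES" '
    BEGIN { n = split(required, req, " ") }
    # Emit the missing classes of the entry just read, then reset.
    function flush(   i) {
        if (dn == "") return
        for (i = 1; i <= n; i++)
            if (!(tolower(req[i]) in seen)) printf "%s\t%s\n", dn, req[i]
        dn = ""; split("", seen)
    }
    /^dn: / { flush(); dn = substr($0, 5); next }
    # objectClass values are case-insensitive in LDAP; compare lower-cased.
    tolower($0) ~ /^objectclass: / { seen[tolower(substr($0, 14))] = 1; next }
    /^$/    { flush() }
    END     { flush() }
    '
}

# check_sso_objectclasses: same input, exit 0 when nothing is missing and 1
# (with the report on stdout) otherwise, for use at the end of a pipeline.
check_sso_objectclasses() {
    report=$(missing_sso_objectclasses)
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Constructed sample: readOnlyUser already carries all three classes,
# weblogic has only OblixOrgPerson (written lower-case on purpose).
sample_ldif() {
    cat <<'EOF'
dn: cn=readOnlyUser,cn=Users,dc=mycompany,dc=com
objectClass: top
objectClass: person
objectClass: OblixPersonPwdPolicy
objectClass: OIMPersonPwdPolicy
objectClass: OblixOrgPerson

dn: cn=weblogic,cn=Users,dc=mycompany,dc=com
objectClass: top
objectClass: person
objectClass: oblixorgperson
EOF
}

# Against the real directory (not run here; host, bind DN and base are the
# values from user.props above, the bind password is prompted for by -W):
#   ldapsearch -LLL -H ldap://idstore.mycompany.com:389 -D cn=orcladmin -W \
#       -b cn=Users,dc=mycompany,dc=com '(uid=*)' objectclass \
#       | check_sso_objectclasses

sample_ldif | missing_sso_objectclasses
```

Run against the sample it reports the two classes missing from cn=weblogic and nothing for cn=readOnlyUser; against the live directory an empty report is the expected result after the tool has run.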
Integrating Oracle Identity Manager with Oracle Access Manager using a WebGate profile employs an Oracle Access Manager Trusted Authentication Protocol (TAP) scheme. This is different from previous releases which used Network Assertion Protocol (NAP).
To integrate Oracle Access Manager 11g with Oracle Identity Manager, perform the following steps on IDMHOST1 or OIMHOST1:
Set the environment variables IDM_HOME and ORACLE_HOME, for example:
export IDM_HOME=IDM_ORACLE_HOME
export ORACLE_HOME=IAM_ORACLE_HOME
Create a properties file for the integration called oimitg.props, with the following contents.
Single Domain
Use the following contents if all your components are in a single domain:
LOGINURI: /${app.context}/adfAuthentication
LOGOUTURI: /oamsso/logout.html
AUTOLOGINURI: None
ACCESS_SERVER_HOST: IDMHOST1.mycompany.com
ACCESS_SERVER_PORT: 5575
ACCESS_GATE_ID: Webgate_IDM
COOKIE_DOMAIN: .mycompany.com
COOKIE_EXPIRY_INTERVAL: 120
OAM_TRANSFER_MODE: simple
WEBGATE_TYPE: ohsWebgate11g
SSO_ENABLED_FLAG: true
IDSTORE_PORT: 389
IDSTORE_HOST: idstore.mycompany.com
IDSTORE_DIRECTORYTYPE: OID or OVD
IDSTORE_ADMIN_USER: cn=oamLDAP,cn=Users,dc=mycompany,dc=com
IDSTORE_USERSEARCHBASE: cn=Users,dc=mycompany,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=mycompany,dc=com
MDS_DB_URL: jdbc:oracle:thin:@(DESCRIPTION=(LOAD_BALANCE=on)(FAILOVER=on)(ADDRESS_LIST=(ADDRESS=(protocol=tcp)(host=OIDDBHOST1-vip.mycompany.com)(port=1521))(ADDRESS=(protocol=tcp)(host=OIDDBHOST2-vip.mycompany.com)(port=1521)))(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=oidedg.mycompany.com)))
MDS_DB_SCHEMA_USERNAME: edg_mds
WLSHOST: adminvhn.mycompany.com
WLSPORT: 7001
WLSADMIN: weblogic
DOMAIN_NAME: IDMDomain
OIM_MANAGED_SERVER_NAME: WLS_OIM1
DOMAIN_LOCATION: ORACLE_BASE/admin/IDMDomain/aserver/IDMDomain
IDSTORE_LOGINATTRIBUTE: uid
Split Domain
Use the following contents if your Oracle Identity Manager components are in a different domain from your Oracle Access Manager components:
LOGINURI: /${app.context}/adfAuthentication
LOGOUTURI: /oamsso/logout.html
AUTOLOGINURI: None
ACCESS_SERVER_HOST: IDMHOST1.mycompany.com
ACCESS_SERVER_PORT: 5575
ACCESS_GATE_ID: Webgate_IDM
COOKIE_DOMAIN: .mycompany.com
COOKIE_EXPIRY_INTERVAL: 120
IDSTORE_LOGINATTRIBUTE: uid
OAM_TRANSFER_MODE: simple
WEBGATE_TYPE: ohsWebgate11g
SSO_ENABLED_FLAG: true
IDSTORE_PORT: 389
IDSTORE_HOST: idstore.mycompany.com
IDSTORE_DIRECTORYTYPE: OID or OVD
IDSTORE_ADMIN_USER: cn=oamLDAP,cn=Users,dc=mycompany,dc=com
IDSTORE_USERSEARCHBASE: cn=Users,dc=mycompany,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=mycompany,dc=com
MDS_DB_URL: jdbc:oracle:thin:@(DESCRIPTION=(LOAD_BALANCE=on)(FAILOVER=on)(ADDRESS_LIST=(ADDRESS=(protocol=tcp)(host=OIDDBHOST1-vip.mycompany.com)(port=1521))(ADDRESS=(protocol=tcp)(host=OIDDBHOST2-vip.mycompany.com)(port=1521)))(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=oidedg.mycompany.com)))
MDS_DB_SCHEMA_USERNAME: edg_mds
WLSHOST: oimadminvhn.mycompany.com
WLSPORT: 7001
WLSADMIN: weblogic
OAM11G_WLS_ADMIN_HOST: adminvhn.mycompany.com
OAM11G_WLS_ADMIN_PORT: 7001
OAM11G_WLS_ADMIN_USER: weblogic
DOMAIN_NAME: OIMDomain
OIM_MANAGED_SERVER_NAME: WLS_OIM1
DOMAIN_LOCATION: ORACLE_BASE/admin/OIMDomain/aserver/OIMDomain
Notes:
Set IDSTORE_HOST to your Oracle Internet Directory host or load balancer name if you are using Oracle Internet Directory as your Identity Store. If not, set it to your Oracle Virtual Directory host or load balancer name.
Set IDSTORE_DIRECTORYTYPE to OVD if you are using Oracle Virtual Directory server to connect to either a non-OID directory or Oracle Internet Directory. Set it to OID if your Identity Store is in Oracle Internet Directory and you are accessing it directly rather than through Oracle Virtual Directory.
If your Access Manager servers are configured to accept requests using the simple mode, set OAM_TRANSFER_MODE to simple. Otherwise set OAM_TRANSFER_MODE to open. In open mode the OAP traffic between Oracle Identity Manager and the Access Manager servers is neither encrypted nor authenticated, so use it only where that network path is already protected.
Set IDSTORE_PORT to your Oracle Internet Directory port if you are using Oracle Internet Directory as your Identity Store. If not, set it to your Oracle Virtual Directory port.
If you are using a single instance database, then set MDS_DB_URL to: jdbc:oracle:thin:@DBHOST:1521:SID
If your Oracle Identity Manager components are in a separate domain from your Oracle Access Manager components, you must specify the details of the OAM domain using the parameters OAM11G_WLS_ADMIN_HOST, OAM11G_WLS_ADMIN_PORT and OAM11G_WLS_ADMIN_USER.
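The following shell script is an added example (not part of the guide or of idmConfigTool) that checks an oimitg.props file for the mistakes the notes above warn about before the tool is run: keys missing for the chosen topology, the "OID or OVD" and ORACLE_BASE placeholders left in place, an open transfer mode, and an incomplete set of OAM11G_WLS_ADMIN_* entries. The sample file it writes uses the guide's host names; the SID oidedg and the expanded /u01/app/oracle/admin path are assumptions.

```shell
#!/bin/sh
# Pre-flight check for an oimitg.props file before "idmConfigTool -configOIM".
# Added example, not Oracle tooling; pure text checks, no directory or
# WebLogic access. Key lists come from the single- and split-domain samples.

# Keys every oimitg.props needs.
OIMITG_REQUIRED="LOGINURI LOGOUTURI AUTOLOGINURI ACCESS_SERVER_HOST ACCESS_SERVER_PORT ACCESS_GATE_ID COOKIE_DOMAIN COOKIE_EXPIRY_INTERVAL OAM_TRANSFER_MODE WEBGATE_TYPE SSO_ENABLED_FLAG IDSTORE_PORT IDSTORE_HOST IDSTORE_DIRECTORYTYPE IDSTORE_ADMIN_USER IDSTORE_USERSEARCHBASE IDSTORE_GROUPSEARCHBASE IDSTORE_LOGINATTRIBUTE MDS_DB_URL MDS_DB_SCHEMA_USERNAME WLSHOST WLSPORT WLSADMIN DOMAIN_NAME OIM_MANAGED_SERVER_NAME DOMAIN_LOCATION"
# Keys needed only when OIM runs in its own domain (split topology).
OIMITG_SPLIT="OAM11G_WLS_ADMIN_HOST OAM11G_WLS_ADMIN_PORT OAM11G_WLS_ADMIN_USER"

# prop FILE KEY: print the value of "KEY: value" (first match, empty if absent).
prop() {
    awk -v k="$2" 'index($0, k ": ") == 1 { print substr($0, length(k) + 3); exit }' "$1"
}

# validate_oimitg_props FILE: print one finding per line; return 1 on errors.
validate_oimitg_props() {
    f=$1; rc=0
    for k in $OIMITG_REQUIRED; do
        [ -n "$(prop "$f" "$k")" ] || { echo "missing: $k"; rc=1; }
    done
    # Placeholders copied verbatim from the guide.
    case "$(prop "$f" IDSTORE_DIRECTORYTYPE)" in
        OID|OVD) ;;
        *) echo "IDSTORE_DIRECTORYTYPE must be exactly OID or OVD"; rc=1 ;;
    esac
    grep -q 'ORACLE_BASE/' "$f" && { echo "DOMAIN_LOCATION still has the ORACLE_BASE placeholder"; rc=1; }
    # Transport mode: the guide lists simple and open; open leaves the OAP
    # channel to the OAM servers unencrypted, so flag it.
    case "$(prop "$f" OAM_TRANSFER_MODE)" in
        simple) ;;
        open)   echo "warning: OAM_TRANSFER_MODE open, OAP traffic will be unencrypted" ;;
        *)      echo "OAM_TRANSFER_MODE must be simple or open"; rc=1 ;;
    esac
    [ "$(prop "$f" SSO_ENABLED_FLAG)" = true ] || { echo "SSO_ENABLED_FLAG must be true"; rc=1; }
    # Split domain: once any OAM11G_* key is present, all three are required,
    # and the OIM admin server must differ from the OAM one.
    split=0
    for k in $OIMITG_SPLIT; do
        [ -n "$(prop "$f" "$k")" ] && split=1
    done
    if [ "$split" -eq 1 ]; then
        for k in $OIMITG_SPLIT; do
            [ -n "$(prop "$f" "$k")" ] || { echo "split domain: missing $k"; rc=1; }
        done
        [ "$(prop "$f" WLSHOST)" != "$(prop "$f" OAM11G_WLS_ADMIN_HOST)" ] \
            || { echo "split domain: WLSHOST equals OAM11G_WLS_ADMIN_HOST"; rc=1; }
    fi
    return $rc
}

# Constructed split-domain sample written to FILE. Host names follow the
# guide; the SID oidedg and the /u01/app/oracle/admin path are assumed.
write_sample_oimitg_props() {
    cat > "$1" <<'EOF'
LOGINURI: /${app.context}/adfAuthentication
LOGOUTURI: /oamsso/logout.html
AUTOLOGINURI: None
ACCESS_SERVER_HOST: IDMHOST1.mycompany.com
ACCESS_SERVER_PORT: 5575
ACCESS_GATE_ID: Webgate_IDM
COOKIE_DOMAIN: .mycompany.com
COOKIE_EXPIRY_INTERVAL: 120
IDSTORE_LOGINATTRIBUTE: uid
OAM_TRANSFER_MODE: simple
WEBGATE_TYPE: ohsWebgate11g
SSO_ENABLED_FLAG: true
IDSTORE_PORT: 389
IDSTORE_HOST: idstore.mycompany.com
IDSTORE_DIRECTORYTYPE: OVD
IDSTORE_ADMIN_USER: cn=oamLDAP,cn=Users,dc=mycompany,dc=com
IDSTORE_USERSEARCHBASE: cn=Users,dc=mycompany,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=mycompany,dc=com
MDS_DB_URL: jdbc:oracle:thin:@OIDDBHOST1-vip.mycompany.com:1521:oidedg
MDS_DB_SCHEMA_USERNAME: edg_mds
WLSHOST: oimadminvhn.mycompany.com
WLSPORT: 7001
WLSADMIN: weblogic
OAM11G_WLS_ADMIN_HOST: adminvhn.mycompany.com
OAM11G_WLS_ADMIN_PORT: 7001
OAM11G_WLS_ADMIN_USER: weblogic
DOMAIN_NAME: OIMDomain
OIM_MANAGED_SERVER_NAME: WLS_OIM1
DOMAIN_LOCATION: /u01/app/oracle/admin/OIMDomain/aserver/OIMDomain
EOF
}

# Stand-alone demo: write the sample to a temporary directory and validate it.
d=$(mktemp -d) && write_sample_oimitg_props "$d/oimitg.props" \
    && validate_oimitg_props "$d/oimitg.props" && echo "oimitg.props looks consistent"
rm -rf "$d"
```

Run it as validate_oimitg_props oimitg.props from IAM_ORACLE_HOME/idmtools/bin before invoking the tool; a non-zero exit means the file would fail or misconfigure the integration, and the warning line alone flags a working but unencrypted OAP setup.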
Integrate Oracle Access Manager with Oracle Identity Manager using the idmConfigTool command, which is located at IAM_ORACLE_HOME/idmtools/bin.
Note:
When you run idmConfigTool, it creates or appends to the file idmDomainConfig.param. This file is generated in the directory that idmConfigTool is run from. To ensure that the same file is appended to each time the tool is run, always run idmConfigTool from the directory IAM_ORACLE_HOME/idmtools/bin.
The syntax of the command is:
idmConfigTool.sh -configOIM input_file=configfile
on Linux and
idmConfigTool.bat -configOIM input_file=configfile
on Windows.
For example:
IAM_ORACLE_HOME/idmtools/bin/idmConfigTool.sh -configOIM input_file=oimitg.props
When the script runs you are prompted for the following information:
Access Gate Password
SSO Keystore Password
Global Passphrase
Idstore Admin Password
MDS Database schema password
Admin Server User Password
Sample output:
Enter sso access gate password :
Enter sso keystore jks password :
Enter sso global passphrase :
Enter mds db schema password :
Enter idstore admin password :
Enter admin server user password :
********* Seeding OAM Passwds in OIM *********
Completed loading user inputs for - CSF Config
Completed loading user inputs for - Dogwood Admin WLS
Connecting to t3://OAMADMINVHN.mycompany.com:7001
Connection to domain runtime mbean server established
Seeding credential :SSOAccessKey
Seeding credential :SSOGlobalPP
Seeding credential :SSOKeystoreKey
********* ********* *********
********* Activating OAM Notifications *********
Completed loading user inputs for - MDS DB Config
Apr 3, 2012 11:56:09 PM oracle.mds
NOTIFICATION: PManager instance is created without multitenancy support as JVM flag "oracle.multitenant.enabled" is not set to enable multitenancy support.
Initialized MDS resources
Apr 3, 2012 11:56:09 PM oracle.mds
NOTIFICATION: PManager instance is created without multitenancy support as JVM flag "oracle.multitenant.enabled" is not set to enable multitenancy support.
Apr 3, 2012 11:56:10 PM oracle.mds
NOTIFICATION: transfer operation started.
Apr 3, 2012 11:56:10 PM oracle.mds
NOTIFICATION: transfer is completed. Total number of documents successfully processed : 1, total number of documents failed : 0.
Upload to DB completed
Releasing all resources
Notifications activated.
********* ********* *********
********* Seeding OAM Config in OIM *********
Completed loading user inputs for - OAM Access Config
Validated input values
Initialized MDS resources
Apr 3, 2012 11:56:10 PM oracle.mds
NOTIFICATION: PManager instance is created without multitenancy support as JVM flag "oracle.multitenant.enabled" is not set to enable multitenancy support.
Apr 3, 2012 11:56:10 PM oracle.mds
NOTIFICATION: transfer operation started.
Apr 3, 2012 11:56:10 PM oracle.mds
NOTIFICATION: transfer is completed. Total number of documents successfully processed : 1, total number of documents failed : 0.
Download from DB completed
Releasing all resources
Updated /u01/app/oracle/product/fmw/iam/server/oamMetadata/db/oim-config.xml
Initialized MDS resources
Apr 3, 2012 11:56:10 PM oracle.mds
NOTIFICATION: PManager instance is created without multitenancy support as JVM flag "oracle.multitenant.enabled" is not set to enable multitenancy support.
Apr 3, 2012 11:56:10 PM oracle.mds
NOTIFICATION: transfer operation started.
Apr 3, 2012 11:56:10 PM oracle.mds
NOTIFICATION: transfer is completed. Total number of documents successfully processed : 1, total number of documents failed : 0.
Upload to DB completed
Releasing all resources
OAM configuration seeded. Please restart oim server.
********* ********* *********
********* Configuring Authenticators in OIM WLS *********
Completed loading user inputs for - LDAP connection info
Connecting to t3://ADMINVHN.mycompany.com:7001
Connection to domain runtime mbean server established
Starting edit session
Edit session started
Connected to security realm.
Validating provider configuration
Validated desired authentication providers
Created OAMIDAsserter successfuly
OAMIDAsserter is already configured to support 11g webgate
Created OIMSignatureAuthenticator successfuly
Created OVDAuthenticator successfuly
Setting attributes for OVDAuthenticator
All attributes set.
Configured inOVDAuthenticatornow
LDAP details configured in OVDAuthenticator
Control flags for authenticators set sucessfully
Reordering of authenticators done sucessfully
Saving the transaction
Transaction saved
Activating the changes
Changes Activated.
Edit session ended.
Connection closed sucessfully
********* ********* *********
The tool has completed its operation. Details have been logged to automation.log
Note:
If you have already enabled single sign-on for your WebLogic Administration Consoles as described in Section 19.3, "Create WebLogic Security Providers," you might see the following errors when this script is run:
ERROR: Desired authenticators already present. [Ljava.lang.String;@7fdb492]
ERROR: Error occurred while configuration. Authentication providers to be configured already present.
ERROR: Rolling back the operation..
These errors can be ignored.
Note:
You might see the following messages logged at SEVERE level:
SEVERE: Registering OIM as a TAP partner with OAM...
SEVERE: Registering OIM as a TAP partner with OAM was successful!!
SEVERE: Seeded OIM TAP partner key into Credential store successfully...javax.crypto.spec.SecretKeySpec@fffe873d
SEVERE: Getting OAM/TAP Endpoint URL...
SEVERE: Getting OAM/TAP Endpoint URL was successful!!
These messages report success despite their level and can be ignored.
Check the log file automation.log for errors and correct them if necessary.
Restart the Administration Servers as described in Section 20.1, "Starting and Stopping Oracle Identity Management Components." If you are using a split domain, restart the Administration Servers of both domains.
After you integrate Oracle Identity Manager with Oracle Access Manager, two xelsysadm accounts exist. One is the internal account created by Oracle Identity Manager. The other is the account you created in the Identity Store in Section 11.5, "Preparing the Identity Store."
The xelsysadm account located in the LDAP store is the one used to access the OIM console. If you want to change the password of this account, change it in LDAP; you can use ODSM to do this. Do not change it through the OIM console.
To validate integration, you must assign Identity Management administrators to WebLogic security groups and install WebGate as described in Chapter 19, "Configuring Single Sign-on for Administration Consoles in an Enterprise Deployment."
To validate that the wiring of Oracle Access Manager 11g with Oracle Identity Manager 11g was successful, attempt to log in to the Oracle Identity Manager Self Service Console, as follows:
Using a browser, navigate to:
https://sso.mycompany.com/oim
This redirects you to the OAM11g single sign-on page.
Log in using the xelsysadm user account created in Section 11.5, "Preparing the Identity Store."
If you see the OIM Self Service Console page, the integration was successful.
You can perform additional validation as follows:
Log in to the OIM Console as the xelsysadm user.
Create a new user.
Log out as the xelsysadm user.
Log in as the new user you just created. As the new user, you are redirected to the Password Management page.
Enter the new credentials and click Submit. If integration has been performed correctly, you arrive at the page you were trying to access.
After the complete Identity Management environment is set up, prepare the environment for Fusion Applications provisioning, as described in this section.
This section contains the following topics:
In earlier chapters, you were instructed to always run idmConfigTool from the same directory so that the tool would create or append to the file idmDomainConfig.param in that directory. The file idmDomainConfig.param in IAM_ORACLE_HOME/idmtools/bin now contains all the parameters that are required for Fusion Applications provisioning. Use that file as input to the Fusion Applications provisioning tool.
To enable Fusion Applications to communicate with the Identity Management domain using SSL server authentication mode, you must generate a keystore and provide it to the Fusion Applications provisioning process. The keystore must contain the trust point (the CA certificate) used by the Identity Management domain.
Note:
If you are using Windows, you must install a UNIX emulation package such as Cygwin in order to run the scripts contained in this section. See http://www.cygwin.com.
When using Cygwin, ensure that you use the "/" character in path names when exporting a variable. For example:
export ORACLE_HOME=c:/oracle/idm
To generate the keystore, perform the following steps:
Set the ORACLE_HOME and JAVA_HOME variables (JAVA_HOME as in Section 18.2.4) and put the JDK on your PATH. For example, on LDAPHOST1, issue these commands:
export ORACLE_HOME=IDM_ORACLE_HOME
export PATH=$JAVA_HOME/bin:$PATH
To generate the keystore, use the tool SSLClientConfig.sh, which is located in ORACLE_COMMON_HOME/bin. For example:
./SSLClientConfig.sh -component cacert
As the command runs, enter the following values when prompted:
LDAP Host Name: policystore.mycompany.com
LDAP Port: 389
LDAP User: cn=orcladmin
Password: Password_for_cn=orcladmin
SSL Domain: IDMDomain
Keystore Password: Enter a password to protect the keystore
Confirm Password: Reenter the password.
The following is typical output from the command:
./SSLClientConfig.sh -component cacert
SSL Automation Script: Release 11.1.1.4.0 - Production
Copyright (c) 2010 Oracle. All rights reserved.
Downloading the CA certificate from a central LDAP location
Creating a common trust store in JKS and Oracle Wallet formats ...
Configuring SSL clients with the common trust store...
Make sure that your LDAP server is currently up and running.
Downloading the CA certificate from the LDAP server...
>>>Enter the LDAP hostname [LDAPHOST1.mycompany.com]: policystore.mycompany.com
>>>Enter the LDAP port: [3060]? 389
>>>Enter your LDAP user [cn=orcladmin]:
>>>Enter password for cn=orcladmin:
>>>Enter the sslDomain for the CA [idm]: IDMDomain
>>>Searching the LDAP for the CA usercertificate ...
Importing the CA certifcate into trust stores...
>>>The common trust store in JKS format is located at /u01/app/oracle/product/fmw/IDM/rootCA/keystores/tmp/trust.jks
>>>The common trust store in Oracle wallet format is located at /u01/app/oracle/product/fmw/IDM/rootCA/keystores/tmp/ewallet.p12
Generate trust store for the CA cert at cn=IDMDomain,cn=sslDomains
>>>Enter a password to protect your truststore:
>>>Enter confirmed password for your truststore:
Create directory /u01/app/oracle/product/fmw/IDM/rootCA/keystores/common
Importing the CA certifcate into trust stores...
>>>The common trust store in JKS format is located at /u01/app/oracle/product/fmw/IDM/rootCA/keystores/common/trust.jks
>>>The common trust store in Oracle wallet format is located at /u01/app/oracle/product/fmw/IDM/rootCA/keystores/common/ewallet.p12
This creates a file called trust.jks, which must be provided to the Fusion Applications provisioning process. The keystore also holds a key pair under the alias testkey; delete it so that the file you hand over contains only trusted certificates and no private key. Use the following command:
keytool -delete -keystore trust.jks -alias testkey -storepass store_password
A store password given on the command line is visible to other users through ps and stays in your shell history; omit -storepass to be prompted for it instead.
Oracle Fusion Applications provisioning uses this file to validate that the Identity Management installation is set up appropriately before provisioning takes place. In addition to the CA certificate, the keystore must also contain the certificate used by the load balancer for sso.mycompany.com.
Before you start this procedure, obtain a copy of the certificate by using your browser. First access https://sso.mycompany.com:443, then follow the instructions to download the certificate to a file. (Each browser does this differently.) Whatever you export, compare its fingerprint with the one the load balancer administrators publish before importing it: a certificate taken from a browser session that passes through an intercepting proxy is the proxy's certificate, not the load balancer's, and trusting it would let that proxy impersonate sso.mycompany.com to Fusion Applications.
After you have obtained the certificate, load it into the keystore using the following command:
keytool -import -v -noprompt -trustcacerts -alias "OIM" -file loadbalancer.cer -keystore trust.jks
where loadbalancer.cer is the name of the file where the load balancer's SSL certificate is stored. Because the command runs with -noprompt, keytool does not display the certificate for confirmation before adding it; the fingerprint comparison above is the only check that takes place.
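Added example (not Oracle's SSLClientConfig.sh or keytool) that covers the two checks this section leaves to the reader: that the testkey private key really is gone from trust.jks, and that the load balancer certificate imported under the alias OIM is the genuine one rather than something a proxy handed the browser. The keytool listings embedded below are constructed; the alias idmdomainca stands in for whatever alias SSLClientConfig.sh gave the CA certificate, which the page does not show, so the check only insists on the oim alias (keytool stores aliases in lower case).

```shell
#!/bin/sh
# Checks on the trust.jks that goes to Fusion Applications provisioning.
# Added example, not Oracle tooling. The live wrappers assume keytool (JDK)
# and openssl in PATH; the listing parser itself needs only awk.

# audit_truststore_listing ALIAS...: read "keytool -list" output on stdin;
# exit 1 if any private or secret key entry is present or if one of the named
# trusted-certificate aliases is missing. Understands the older JDK wording
# "keyEntry" as well as "PrivateKeyEntry".
audit_truststore_listing() {
    awk -v want="$*" '
    BEGIN { n = split(want, w, " "); rc = 0 }
    /, *(PrivateKeyEntry|keyEntry|SecretKeyEntry),?/ {
        split($0, f, ","); printf "key entry must not be in a truststore: %s\n", f[1]; rc = 1
    }
    /, *trustedCertEntry,?/ { split($0, f, ","); have[tolower(f[1])] = 1 }
    END {
        for (i = 1; i <= n; i++)
            if (!(tolower(w[i]) in have)) { printf "missing trusted certificate: %s\n", w[i]; rc = 1 }
        exit rc
    }'
}

# audit_truststore KEYSTORE ALIAS...: run the check against a real file.
# keytool prompts for the store password, so it never appears in "ps" output.
audit_truststore() {
    ks=$1; shift
    keytool -list -keystore "$ks" | audit_truststore_listing "$@"
}

# fetch_lb_cert HOST:PORT OUTFILE: take the load balancer certificate straight
# from the TLS handshake instead of exporting it from a browser, and print its
# SHA-256 fingerprint for comparison with the value the load balancer owners
# publish, before "keytool -import" is run on OUTFILE.
fetch_lb_cert() {
    openssl s_client -connect "$1" -servername "${1%%:*}" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$2" \
        && openssl x509 -in "$2" -noout -fingerprint -sha256
}

# Constructed listing as keytool prints it right after SSLClientConfig.sh,
# before testkey is deleted and the load balancer certificate imported.
# "idmdomainca" is an assumed alias for the CA entry.
listing_before() {
    cat <<'EOF'
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

idmdomainca, Apr 3, 2012, trustedCertEntry,
Certificate fingerprint (MD5): 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00
testkey, Apr 3, 2012, PrivateKeyEntry,
Certificate fingerprint (MD5): 00:FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11
EOF
}

# Constructed listing after both keytool commands from the text have run.
listing_after() {
    cat <<'EOF'
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

idmdomainca, Apr 3, 2012, trustedCertEntry,
Certificate fingerprint (MD5): 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00
oim, Apr 4, 2012, trustedCertEntry,
Certificate fingerprint (MD5): A1:B2:C3:D4:E5:F6:07:18:29:3A:4B:5C:6D:7E:8F:90
EOF
}

# Stand-alone demo: the first listing fails the audit, the second passes.
listing_before | audit_truststore_listing oim || echo "trust.jks not ready"
listing_after  | audit_truststore_listing oim && echo "trust.jks ready for provisioning"
```

On the real host the sequence is fetch_lb_cert sso.mycompany.com:443 loadbalancer.cer, compare the printed fingerprint with the published one, run the two keytool commands from the text, then audit_truststore trust.jks oim; a non-zero exit means the file should not leave the host.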
In Service Provider (SP) mode, Oracle Access Manager delegates user authentication to Oracle Identity Federation, which uses the Federation Single Sign-On protocol with a remote Identity Provider. Once the Federation Single Sign-On flow has completed, Oracle Identity Federation creates a local session and then propagates the authentication state to Oracle Access Manager, which maintains the session information.
This section provides the steps to integrate OIF with OAM11g in authentication mode and SP mode.
This section contains the following topics:
Before starting this integration, ensure that the following tasks have been performed:
Install and configure Oracle Identity Federation as described in Chapter 15, "Extending the Domain to Include Oracle Identity Federation."
Install and configure Oracle Access Manager as described in Chapter 13, "Configuring Oracle Access Manager 11g."
Install and configure Oracle HTTP Server as described in Section 6.2, "Installing Oracle HTTP Server."
Install and configure WebGate as described in Section 19.7, "Installing and Configuring WebGate 11g."
This section covers the following topics:
In SP mode, Oracle Identity Federation uses federation protocols to authenticate a user, and then asks the authentication module to create an authenticated session at Oracle Access Manager. The Oracle Access Manager 11g SP engine is used for this purpose; it also provides logout integration. To configure the SP engine, run the setupOIFOAMConfig script from IDMHOST1.
To perform the integration, proceed as follows:
On IDMHOST1, set the DOMAIN_HOME and IDM_ORACLE_HOME environment variables. Then set up the environment by sourcing the setOIFEnv.sh script in the current shell. The script resides in IDM_ORACLE_HOME/fed/scripts.
For example:
export DOMAIN_HOME=/u01/app/oracle/admin/IDMDomain/aserver/IDMDomain
export IDM_ORACLE_HOME=IDM_ORACLE_HOME
cd $IDM_ORACLE_HOME/fed/scripts
. setOIFEnv.sh
Edit the file setupOIFOAMIntegration.py, which is located in IDM_ORACLE_HOME/fed/scripts/oam. Locate the line:
setConfigProperty("spengines","oam11guniqueuserid","cn","string")
Change the line to read:
setConfigProperty("spengines","oam11guniqueuserid","uid","string")
Save the file. The SP engine then identifies the user to Oracle Access Manager by uid, the login attribute used throughout this chapter, rather than by cn.
Change directory to IDM_ORACLE_HOME/fed/scripts/oam.
Execute the setupOIFOAMConfig script, providing the following input parameters:
oifHost: host name of one of the OIF managed servers
oifPort: port number of that OIF managed server
oifAdminHost: host name of the WebLogic Administration Server
oifAdminPort: port number of the WebLogic Administration Server
oamAdminHost: host name of the WebLogic Administration Server
oamAdminPort: port number of the WebLogic Administration Server
agentType: the agent type used, for example, webgate11g
For Linux, the syntax is:
oifHost=myhost oifPort=portnum oifAdminHost=myadminhost oifAdminPort=adminportnum oamAdminHost=myhost2 oamAdminPort=portnum2 agentType=webgate11g ./setupOIFOAMConfig.sh
For Windows, the syntax is:
setupOIFOAMConfig.cmd "oifHost=myhost" "oifPort=portnum" "oifAdminHost=myadminhost" "oifAdminPort=adminportnum" "oamAdminHost=myhost2" "oamAdminPort=portnum2" "agentType=webgate11g"
For example:
oifHost=IDMHOST1 oifAdminHost=ADMINVHN oamAdminHost=ADMINVHN oifPort=7499 oifAdminPort=7001 oamAdminPort=7001 agentType=webgate11g ./setupOIFOAMConfig.sh
The script prompts you for the user names and passwords used to connect to the WebLogic Administration Server, for example weblogic.
Sample Output:
Initializing WebLogic Scripting Tool (WLST) ...
Welcome to WebLogic Server Administration Scripting Shell
Type help() for help on available commands
OIF admin user : weblogic_idm
*OIF admin password:*********
OAM admin user : oamadmin
*OAM admin password:*********
Connecting to t3://ADMINVHN:7001 with userid weblogic ...
Successfully connected to Admin Server 'AdminServer' that belongs to domain 'IDMDomain'.
Warning: An insecure protocol was used to connect to the server. To ensure on-the-wire security, the SSL port or Admin port should be used instead.
Location changed to domainRuntime tree. This is a read-only tree with DomainMBean as the root. For more help, use help(domainRuntime)
Already in Domain Runtime Tree
Already in Domain Runtime Tree
Disconnected from weblogic server: AdminServer
Connecting to t3://ADMINVHN:7001 with userid weblogic ...
Successfully connected to Admin Server 'AdminServer' that belongs to domain 'IDMDomain'.
Warning: An insecure protocol was used to connect to the server. To ensure on-the-wire security, the SSL port or Admin port should be used instead.
Disconnected from weblogic server: AdminServer
Connecting to t3://IDMHOST1:7499 with userid weblogic ...
Successfully connected to managed Server 'wls_oif1' that belongs to domain 'IDMDomain'.
Warning: An insecure protocol was used to connect to the server. To ensure on-the-wire security, the SSL port or Admin port should be used instead.
Disconnected from weblogic server: wls_oif1
Connecting to t3://ADMINVHN:7001 with userid weblogic ...
Successfully connected to Admin Server 'AdminServer' that belongs to domain 'IDMDomain'.
Warning: An insecure protocol was used to connect to the server. To ensure on-the-wire security, the SSL port or Admin port should be used instead.
Disconnected from weblogic server: AdminServer
Connecting to t3://ADMINVHN:7001 with userid weblogic ...
Successfully connected to Admin Server 'AdminServer' that belongs to domain 'IDMDomain'.
Warning: An insecure protocol was used to connect to the server. To ensure on-the-wire security, the SSL port or Admin port should be used instead.
Registration Successful
Disconnected from weblogic server: AdminServer
The repeated warnings show that the script connects over plain t3, so the WebLogic administrator credentials cross the network without TLS; run it from IDMHOST1 on the administration network as the instructions say, not from a workstation.
Restart Managed servers WLS_OIF1 and WLS_OIF2 as described in Section 20.1, "Starting and Stopping Oracle Identity Management Components."
Oracle Access Manager ships with an Oracle Identity Federation authentication scheme. This scheme must be updated before it can be used. To update the scheme, log in to the OAM console as the OAM administration user, using the URL listed in Section 20.2, "About Identity Management Console URLs." Then perform the following steps:
Click the Policy Configuration tab.
Expand Authentication Schemes under the Shared Components tree.
Select OIFScheme under Authentication Schemes and then select Open from the menu.
On the Authentication Schemes page, provide the following information:
Challenge URL: https://sso.mycompany.com:443/fed/user/spoam11g
Context Type: select external from the list.
Accept the defaults for all other values.
Click Apply to update the OIFScheme.
Note:
Before you perform this operation, Oracle Identity Federation must already be configured for Federation SSO with a Federation IdP, and that IdP must be set as the Default SSO IdP in the OIF Administration Console Service Provider section.
To switch the authentication of the Oracle Access Manager security domain from local authentication to Federation SSO, proceed as follows:
Log in to the OAM console as the OAM administration user.
Navigate to Policy Configuration -> Authentication Schemes -> FAAuthScheme.
Change Challenge Method from FORM to DAP.
Set the Authentication Module to DAP.
Change Challenge URL from /pages/login.jsp to: https://sso.mycompany.com:443/fed/user/spoam11g
Change Context Type from customWar to external.
Set the Challenge Parameters field to TAPPartnerId=OIFDAPPartner.
Click Apply.
After you perform these steps, accessing a Fusion Applications resource protected by the FAAuthScheme triggers the Federation SSO flow and redirects the user to the IdP for authentication. An example of such a Fusion Applications resource might be: https://fs.mycompany.com:443/homePage/faces/AtkHomePageWelcome
After you have verified that the extended domain is working, back up the domain configuration. This is a quick backup for the express purpose of an immediate restore in case of failures in later procedures. Back up the configuration to the local disk. This backup can be discarded once you have completed the enterprise deployment, after which you can start the regular deployment-specific backup and recovery process. The archives contain the domain's credential stores and boot identity files, so keep them readable only by the software owner and delete them when they are no longer needed.
For information about backing up the environment, see "Backing Up Your Environment" in the Oracle Fusion Middleware Administrator's Guide. For information about recovering your information, see "Recovering Your Environment" in the Oracle Fusion Middleware Administrator's Guide.
To back up the configuration at this point:
Back up the Web tier:
Shut down the instance using opmnctl:
ORACLE_BASE/admin/instance_name/bin/opmnctl stopall
Back up the Middleware Home on the web tier using the following command (as root):
tar -cvpf BACKUP_LOCATION/web.tar $MW_HOME
Back up the Instance Home on the web tier using the following command (as root):
tar -cvpf BACKUP_LOCATION/web_instance.tar $ORACLE_INSTANCE
Start the instance using opmnctl:
ORACLE_BASE/admin/instance_name/bin/opmnctl startall
Back up the database. This is a full database backup (either hot or cold) using Oracle Recovery Manager (recommended) or, for cold backups, OS tools such as tar.
Back up the Administration Server domain directory to save your domain configuration. The configuration files are located in the following directory:
ORACLE_BASE/admin/domain_name
To back up the Administration Server, run the following command on OIMHOST1:
tar -cvpf edgdomainback.tar ORACLE_BASE/admin/domain_name
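Added example (not part of the guide) of the same backup done with the safeguards a practitioner would add: the archive is created unreadable to other users because the domain directory carries credential material (the OPSS wallet under config/fmwconfig and boot.properties, where present), it is read back to confirm it is not truncated, and its SHA-256 digest is recorded so the copy can be verified before a restore. The directory it builds for the demonstration is constructed; on the real hosts run it as root against $MW_HOME, $ORACLE_INSTANCE and ORACLE_BASE/admin/domain_name.

```shell
#!/bin/sh
# Backup helper for the tar steps in Section 18.5. Added example, not Oracle
# tooling. Archives of a domain directory contain credential material (for
# example config/fmwconfig/cwallet.sso and security/boot.properties), so the
# archive is created with mode 0600 and verified before it is relied on.

# sha256_of FILE: portable SHA-256 (sha256sum on Linux, shasum elsewhere).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# backup_tree SOURCE_DIR ARCHIVE: tar SOURCE_DIR (run as root on the real
# directories so ownership survives), owner-only mode, read the archive back
# and record its digest in ARCHIVE.sha256. Returns 1 on any failure.
backup_tree() {
    src=$1; out=$2
    [ -d "$src" ] || { echo "no such directory: $src"; return 1; }
    ( umask 077 && tar -cpf "$out" -C "$(dirname "$src")" "$(basename "$src")" ) || return 1
    chmod 600 "$out"
    tar -tf "$out" >/dev/null || { echo "archive unreadable: $out"; return 1; }
    sha256_of "$out" > "$out.sha256"
}

# verify_backup ARCHIVE: recompute the digest and compare with the recorded one.
verify_backup() {
    [ "$(sha256_of "$1")" = "$(cat "$1.sha256")" ]
}

# archive_entries ARCHIVE: number of entries, for a quick comparison with
# "find SOURCE_DIR | wc -l" on the source host.
archive_entries() { tar -tf "$1" | wc -l | tr -d ' '; }

# Stand-alone demo on a constructed miniature domain directory.
demo_backup() {
    work=$(mktemp -d)
    mkdir -p "$work/IDMDomain/config/fmwconfig" "$work/IDMDomain/security"
    echo "dummy-wallet" > "$work/IDMDomain/config/fmwconfig/cwallet.sso"
    echo "username=weblogic" > "$work/IDMDomain/security/boot.properties"
    if backup_tree "$work/IDMDomain" "$work/edgdomainback.tar" \
        && verify_backup "$work/edgdomainback.tar"; then
        status=0
    else
        status=1
    fi
    rm -rf "$work"
    return $status
}

demo_backup && echo "backup created and verified"
```

The real invocation on the administration host is backup_tree ORACLE_BASE/admin/domain_name BACKUP_LOCATION/edgdomainback.tar, followed by verify_backup on the copy you intend to restore from; the .sha256 file travels with the archive.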