Oracle® Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management (Oracle Fusion Applications Edition) 11g Release 6 (11.1.6) Part Number E21032-18 |
This chapter describes how to configure Oracle Identity Manager for use in the Oracle Identity Management Enterprise Deployment Topology.
This chapter contains the following topics:
Section 15.1, "Overview of Configuring Oracle Identity Manager"
Section 15.6, "Configuring Oracle Coherence for Deploying Composites"
Section 15.9, "Modifying the Oracle Identity Manager Properties to Support Active Directory"
Section 15.10, "Configuring Oracle Identity Manager to Reconcile from ID Store"
Section 15.11, "Configuring Oracle Identity Manager to Work with the Oracle Web Tier"
Section 15.12, "Configuring a Default Persistence Store for Transaction Recovery"
Section 15.13, "Configuring an IT Resource Instance for Email"
Section 15.14, "Excluding Users from Oracle Identity Manager Reconciliation."
Section 15.16, "Updating the Username Generation Policy for Active Directory"
Section 15.18, "Integrating Oracle Identity Manager and Oracle Access Manager 11g."
Oracle Identity Manager is a user provisioning and administration solution that automates the process of adding, updating, and deleting user accounts from applications and directories. It also improves regulatory compliance by providing granular reports that attest to who has access to what. Oracle Identity Manager is available as a standalone product or as part of Oracle Identity Management.
Automating user identity provisioning can reduce Information Technology (IT) administration costs and improve security. Provisioning also plays an important role in regulatory compliance. Key features of Oracle Identity Manager include password management, workflow and policy management, identity reconciliation, reporting and auditing, and extensibility through adapters.
Oracle Identity Manager provides the following key functionalities:
User Administration
Workflow and Policy
Password Management
Audit and Compliance Management
Integration Solutions
User Provisioning
Organization and Role Management
For details about Oracle Identity Manager, see the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.
After you complete this chapter, the following URL will be available:
Before extending the domain with Oracle Identity Manager, ensure that the following tasks have been performed:
Ensure that the virtual IP addresses for the Oracle Identity Manager and SOA managed servers have been provisioned. See Section 3.5, "About IP Addresses and Virtual IP Addresses" for details.
Install and upgrade the following software as described in Chapter 6, "Installing the Software for an Enterprise Deployment."
WebLogic Server
Oracle Identity Management
Oracle SOA Suite
Oracle Identity and Access Management
Ensure that you have created the wlfullclient.jar file, as described in Section 6.3.7.3, "Creating the wlfullclient.jar File."
Ensure the Identity Store is installed and configured, as described in Chapter 10.
Provision the Oracle Identity Management users as described in Section 11.5, "Preparing the Identity Store."
Stop all the managed servers running in your domain, as described in Section 21.1, "Starting and Stopping Oracle Identity Management Components," before extending the domain with Oracle Identity Manager.
Note:
Oracle SOA deployed along with Oracle Identity Manager is used exclusively for Oracle Identity Manager work flow. It cannot be used for other purposes.
Oracle SOA uses Quartz to maintain its jobs and schedules in the database. Synchronize the system clocks for the SOA WebLogic cluster to enable proper functioning of jobs, adapters, and Oracle B2B.
You must configure the Oracle Identity Manager server instance before you can start the Oracle Identity Manager and SOA Managed Servers. This is performed on IDMHOST1. The Oracle Identity Management Configuration Wizard loads the Oracle Identity Manager metadata into the database and configures the instance.
Before proceeding, ensure that the following are true:
The Administration Server is up and running.
The environment variables DOMAIN_HOME and WL_HOME are not set in the current shell.
The Oracle Identity Management Configuration Wizard is located under the Identity Management Oracle home. To start the Configuration Wizard, type:
IAM_ORACLE_HOME/bin/config.sh
Proceed as follows:
On the Welcome screen, click Next
On the Components to Configure screen, select OIM Server.
Note:
Oracle Identity Manager Remote Manager is optional in Fusion Applications implementations.
Click Next.
On the Database screen, provide the following values:
Connect String: The connect string for the Oracle Identity Manager database:
IDMDB1-VIP.mycompany.com:1521:OIMEDG1^IDMDB2-VIP.mycompany.com:1521:OIMEDG2@OIMEDG.mycompany.com
where 1521 is the DB_LSNR_PORT port from Section A.3. If you are using Oracle Database 11.2, replace the VIP address and port with the 11.2 SCAN address and port.
OIM Schema User Name: edg_oim
OIM Schema password: password
MDS Schema User Name: edg_mds
MDS Schema Password: password
Click Next.
On the WebLogic Administration Server screen, provide the following details for the WebLogic Administration Server:
URL: The URL to connect to the WebLogic Administration Server. For example: t3://ADMINVHN.mycompany.com:7001, where port 7001 is WLS_ADMIN_PORT.
UserName: weblogic.
Password: Password for the weblogic user.
Click Next.
On the OIM Server screen, provide the following values:
OIM Administrator Password: Password for the Oracle Identity Manager Administrator. This is the password for the xelsysadm user. The password must contain an uppercase letter and a number. Best practice is to use the same password that you assigned to the user xelsysadm in Section 11.5, "Preparing the Identity Store."
Confirm Password: Confirm the password.
OIM HTTP URL: Proxy URL for the Oracle Identity Manager Server. This is the URL of the hardware load balancer that fronts the OHS servers for Oracle Identity Manager. For example: http://IDMINTERNAL.mycompany.com:80.
Key Store Password: Key store password. The password must contain an uppercase letter and a number.
Click Next.
On the BI Publisher screen, provide the following values:
Configure BI Publisher: Select this if you want to configure Oracle Identity Manager with Oracle BI Publisher. This is optional and depends on your requirements.
BI Publisher URL: The URL of BI Publisher, if you selected it.
Enable LDAP Sync: Selected.
Notes:
BI Publisher is not a part of the IDMDomain. The steps to configure the BI Publisher are not covered in this Enterprise Deployment Guide.
Click Next.
On the LDAP Server Screen, the information you enter is dependent on your implementation. Provide the following details:
Directory Server Type: OID, if your Identity Store is in Oracle Internet Directory; OVD, if you access your Identity Store through Oracle Virtual Directory.
Directory Server ID: A name for your Oracle Internet Directory server. For example: IdStore. This is only required if the directory type is OID.
Server URL: The LDAP server URL. For example: ldap://IDSTORE.mycompany.com:389
Server User: The user name for connecting to the LDAP Server. For example: cn=oimLDAP,cn=systemids,dc=mycompany,dc=com
Server Password: The password for connecting to the LDAP Server.
Server Search DN: The Search DN, if you are accessing your IDStore using Oracle Virtual Directory Server. For example: dc=mycompany,dc=com.
Click Next.
On the LDAP Server Continued screen, provide the following LDAP server details:
LDAP Role Container: The DN for the Role Container. This is the container where the Oracle Identity Manager roles are stored. For example: cn=Groups,dc=mycompany,dc=com.
LDAP User Container: The DN for the User Container. This is the container where the Oracle Identity Manager users are stored. For example: cn=Users,dc=mycompany,dc=com.
User Reservation Container: The DN for the User Reservation Container. For example: cn=Reserve,dc=mycompany,dc=com.
Click Next.
On the Configuration Summary screen, verify the summary information.
Click Configure to configure the Oracle Identity Manager instance.
On the Configuration Progress screen, once the configuration completes successfully, click Next.
On the Configuration Complete screen, view the details of the Oracle Identity Manager Instance configured.
Click Finish to exit the Configuration Wizard.
Restart WebLogic Administration Server, as described in Section 21.1, "Starting and Stopping Oracle Identity Management Components."
Although deploying composites uses multicast communication by default, Oracle recommends using unicast communication in SOA enterprise deployments. Use unicast if you disable multicast communication for security reasons.
Unlike multicast, unicast communication does not let nodes discover other cluster members automatically. Consequently, you must specify the nodes that belong to the cluster. You do not need to specify all of the nodes of a cluster, however. You need only specify enough nodes so that a new node added to the cluster can discover one of the existing nodes. As a result, once a new node has joined the cluster, it is able to discover all of the other nodes in the cluster. Additionally, in configurations such as SOA enterprise deployments where multiple IPs are available on the same system, you must configure Oracle Coherence to use a specific host name to create the Oracle Coherence cluster.
Note:
An incorrect configuration of the Oracle Coherence framework used for deployment may prevent the SOA system from starting. The deployment framework must be properly customized for the network environment on which the SOA system runs. Oracle recommends the configuration described in this section.
Specify the nodes using the tangosol.coherence.wka<n> system property, where <n> is a number between 1 and 9. You can specify up to 9 nodes. Start the numbering at 1. This numbering must be sequential and must not contain gaps. In addition, specify the host name used by Oracle Coherence to create a cluster through the tangosol.coherence.localhost system property. This local host name should be the virtual host name used by the SOA server as the listener address (SOAHOST1VHN and SOAHOST2VHN). Set this property by adding the -Dtangosol.coherence.localhost parameter to the Arguments field of the Oracle WebLogic Server Administration Console's Server Start tab.
Use the Administration Console to specify a host name used by Oracle Coherence.
To add the host name used by Oracle Coherence:
Log into the Oracle WebLogic Server Administration Console.
In the Domain Structure window, expand the Environment node.
Click Servers. The Summary of Servers page appears.
Click the name of the server (WLS_SOA1 or WLS_SOA2, which are represented as hyperlinks) in Name column of the table. The settings page for the selected server appears.
Click Lock & Edit.
Click the Server Start tab.
Enter the following for WLS_SOA1 and WLS_SOA2 into the Arguments field.
For WLS_SOA1, enter the following:
-Dtangosol.coherence.wka1=SOAHOST1VHN -Dtangosol.coherence.wka2=SOAHOST2VHN -Dtangosol.coherence.localhost=SOAHOST1VHN
For WLS_SOA2, enter the following:
-Dtangosol.coherence.wka1=SOAHOST1VHN -Dtangosol.coherence.wka2=SOAHOST2VHN -Dtangosol.coherence.localhost=SOAHOST2VHN
Note:
There should be no breaks in lines between the different -D
parameters. Do not copy and paste the text into your Administration Console's Arguments field; doing so may result in HTML tags being inserted in the Java arguments. The text should not contain any characters other than those included in the example above.
Note:
The Coherence cluster used for deployment uses port 8088 by default. This port can be changed by specifying a different port (for example, 8089) with the -Dtangosol.coherence.wka<n>.port and -Dtangosol.coherence.localport startup parameters. For example:
WLS_SOA1 (enter the following into the Arguments field on a single line, without a carriage return):
-Dtangosol.coherence.wka1=SOAHOST1VHN -Dtangosol.coherence.wka2=SOAHOST2VHN -Dtangosol.coherence.localhost=SOAHOST1VHN -Dtangosol.coherence.localport=8089 -Dtangosol.coherence.wka1.port=8089 -Dtangosol.coherence.wka2.port=8089
WLS_SOA2 (enter the following into the Arguments field on a single line, without a carriage return):
-Dtangosol.coherence.wka1=SOAHOST1VHN -Dtangosol.coherence.wka2=SOAHOST2VHN -Dtangosol.coherence.localhost=SOAHOST2VHN -Dtangosol.coherence.localport=8089 -Dtangosol.coherence.wka1.port=8089 -Dtangosol.coherence.wka2.port=8089
For more information about Coherence Clusters see the Oracle Coherence Developer's Guide.
Click Save and Activate Changes.
Note:
You must ensure that these variables are passed to the managed server correctly. (They should be reflected in the server's output log.) Failure of the Oracle Coherence framework can prevent the soa-infra application from starting.
Note:
The multicast and unicast addresses are different from the ones used by the WebLogic Server cluster for cluster communication. SOA guarantees that composites are deployed to members of a single WebLogic Server cluster even though the communication protocol for the two entities (the WebLogic Server cluster and the groups to which composites are deployed) are different.
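The rules in this section (wka<n> numbered from 1 without gaps and at most 9 entries, localhost equal to one of the wka hosts, matching ports, no line breaks or HTML tags in the Arguments field) are easy to get wrong when typing into the console, and a bad string keeps soa-infra from starting. The following Python script is an added example, not part of the guide and not an Oracle or WebLogic tool, that checks an Arguments string against those rules before it is saved. The WLS_SOA1 and WLS_SOA2 strings are the ones given above; BROKEN_ARGS is a constructed bad string, and 8088 is assumed as the default port because the guide states it.

```python
# Added example (not part of the guide or of WebLogic): check a Server Start
# "Arguments" string against the Coherence rules stated in this section.
import re
import shlex

DEFAULT_COHERENCE_PORT = "8088"  # default deployment port named in the guide
WKA_RE = re.compile(r"^tangosol\.coherence\.wka(\d+)(\.port)?$")

# Argument strings from the guide for the two SOA servers
WLS_SOA1_ARGS = ("-Dtangosol.coherence.wka1=SOAHOST1VHN -Dtangosol.coherence.wka2=SOAHOST2VHN "
                 "-Dtangosol.coherence.localhost=SOAHOST1VHN")
WLS_SOA2_ARGS = ("-Dtangosol.coherence.wka1=SOAHOST1VHN -Dtangosol.coherence.wka2=SOAHOST2VHN "
                 "-Dtangosol.coherence.localhost=SOAHOST2VHN")
# Constructed bad string: wka numbering skips 2 and localhost is not a wka host
BROKEN_ARGS = ("-Dtangosol.coherence.wka1=SOAHOST1VHN -Dtangosol.coherence.wka3=SOAHOST2VHN "
               "-Dtangosol.coherence.localhost=SOAHOST3VHN")


def parse_coherence_args(arguments):
    """Split the Arguments field into {property: value}; any token that is not -Dkey=value is an error."""
    props = {}
    for token in shlex.split(arguments):
        if not token.startswith("-D") or "=" not in token:
            raise ValueError("unexpected token in Arguments field: %r" % token)
        key, value = token[2:].split("=", 1)
        props[key] = value
    return props


def validate_coherence_args(arguments):
    """Return a list of problems; an empty list means the string follows the guide's rules."""
    problems = []
    if re.search(r"<[^>]+>", arguments):
        problems.append("Arguments field contains an HTML tag")
    if "\n" in arguments or "\r" in arguments:
        problems.append("Arguments field contains a line break")
    try:
        props = parse_coherence_args(arguments)
    except ValueError as exc:
        return problems + [str(exc)]

    wka_hosts, wka_ports = {}, {}
    for key, value in props.items():
        match = WKA_RE.match(key)
        if match:
            target = wka_ports if match.group(2) else wka_hosts
            target[int(match.group(1))] = value

    # wka<n> must be numbered 1..n with no gaps, and n may not exceed 9
    if not wka_hosts:
        problems.append("no tangosol.coherence.wka<n> entries")
    elif sorted(wka_hosts) != list(range(1, len(wka_hosts) + 1)) or len(wka_hosts) > 9:
        problems.append("wka numbering must be 1..n (max 9) with no gaps, got %s" % sorted(wka_hosts))

    # localhost must name one of the well-known addresses
    localhost = props.get("tangosol.coherence.localhost")
    if localhost is None:
        problems.append("tangosol.coherence.localhost is not set")
    elif localhost not in wka_hosts.values():
        problems.append("localhost %s is not one of the wka hosts" % localhost)

    # every member must use the same port (unspecified ports fall back to 8088)
    ports = {props.get("tangosol.coherence.localport", DEFAULT_COHERENCE_PORT)}
    ports.update(wka_ports.get(n, DEFAULT_COHERENCE_PORT) for n in wka_hosts)
    if len(ports) != 1:
        problems.append("Coherence ports disagree: %s" % sorted(ports))
    orphan_ports = sorted(set(wka_ports) - set(wka_hosts))
    if orphan_ports:
        problems.append("wka<n>.port given for undefined wka<n>: %s" % orphan_ports)
    return problems


def validate_cluster(server_args):
    """Check each server, then that all share one wka list and each names a distinct localhost."""
    problems = {}
    wka_lists, localhosts = set(), []
    for server, arguments in server_args.items():
        found = validate_coherence_args(arguments)
        if found:
            problems[server] = found
            continue
        props = parse_coherence_args(arguments)
        wka_lists.add(tuple(sorted((k, v) for k, v in props.items() if WKA_RE.match(k))))
        localhosts.append(props["tangosol.coherence.localhost"])
    if len(wka_lists) > 1:
        problems.setdefault("cluster", []).append("servers do not share the same wka list")
    if len(set(localhosts)) != len(localhosts):
        problems.setdefault("cluster", []).append("two servers claim the same localhost")
    return problems


if __name__ == "__main__":
    for name, args in (("WLS_SOA1", WLS_SOA1_ARGS), ("WLS_SOA2", WLS_SOA2_ARGS), ("broken", BROKEN_ARGS)):
        print(name, validate_coherence_args(args) or "OK")
    print("cluster:", validate_cluster({"WLS_SOA1": WLS_SOA1_ARGS, "WLS_SOA2": WLS_SOA2_ARGS}) or "OK")
```

Run it with the strings you intend to paste, or, after saving, with the arguments as they appear in the managed server's output log; validate_cluster catches the case where both servers were given the same localhost by copy and paste.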
This section describes post-installation steps.
This section contains the following topics:
Section 15.7.1, "Starting the WLS_OIM1 and WLS_SOA1 Managed Servers"
Section 15.7.2, "Validating Oracle Identity Manager Instance on IDMHOST1"
Follow this sequence of steps to start the WLS_OIM1 and WLS_SOA1 Managed Servers:
Stop the WebLogic Administration Server on IDMHOST1 by using the WebLogic Administration Console, as described in Section 21.1, "Starting and Stopping Oracle Identity Management Components."
Start the Administration Server on IDMHOST1 using the Node Manager, as described in Section 21.1, "Starting and Stopping Oracle Identity Management Components."
Validate that the Administration Server started up successfully by bringing up the Oracle WebLogic Administration Console.
Restart the Node Manager as described in Section 21.1, "Starting and Stopping Oracle Identity Management Components" so that the properties take effect.
Start the WLS_SOA1 Managed Server, using the WebLogic Administration Console as described in Section 21.1, "Starting and Stopping Oracle Identity Management Components."
Start the WLS_OIM1 Managed Server using the WebLogic Administration Console as described in Section 21.1, "Starting and Stopping Oracle Identity Management Components."
Validate the Oracle Identity Manager Server Instance by bringing up the Oracle Identity Manager Console in a web browser at:
http://OIMHOST1VHN.mycompany.com:14000/oim
Log in using the xelsysadm
username and password.
Note:
When you log in for the first time, you are prompted to setup Challenge Questions. Please do so before proceeding further.
Validate Oracle SOA Suite using the URL:
http://SOAHOST1VHN.mycompany.com:8001/soa-infra
Log in as the weblogic
user.
This section describes the post-installation steps on IDMHOST2.
This section contains the following topics:
Section 15.8.1, "Starting the WLS_OIM2 and WLS_SOA2 Managed Servers"
Section 15.8.2, "Validating Oracle Identity Manager Instance on IDMHOST2"
Follow this sequence of steps to start the WLS_OIM2 and WLS_SOA2 Managed Servers:
Start the WLS_SOA2 Managed Server, using the WebLogic Administration Console as described in Section 21.1, "Starting and Stopping Oracle Identity Management Components."
Start the WLS_OIM2 Managed Server using the WebLogic Administration Console as described in Section 21.1, "Starting and Stopping Oracle Identity Management Components."
Validate the Oracle Identity Manager Server Instance by bringing up the Oracle Identity Manager Console in a web browser at:
http://OIMHOST2VHN.mycompany.com:14000/oim/
Log in using the xelsysadm username and password.
Validate SOA at:
http://SOAHOST2VHN.mycompany.com:8001/soa-infra
Log in as the weblogic
user.
When first installed, Oracle Identity Manager has a set of default system properties for its operation.
If your Identity Store is in Active Directory, you must change the system property XL.DefaultUserNamePolicyImpl to oracle.iam.identity.usermgmt.impl.plugins.FirstNameLastNamePolicyForAD or oracle.iam.identity.usermgmt.impl.plugins.LastNameFirstNamePolicyForAD.
To learn how to do this, see the Administering System Properties chapter of Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.
In the current release, the LDAPConfigPostSetup script enables all the LDAPSync-related incremental Reconciliation Scheduler jobs, which are disabled by default. The LDAP configuration post-setup script is located under the IAM_ORACLE_HOME/server/ldap_config_util directory. Run the script on IDMHOST1, as follows:
Edit the ldapconfig.props file located under the IAM_ORACLE_HOME/server/ldap_config_util directory and provide the following values:
Parameter | Value | Description
---|---|---
| | Oracle Identity Manager system administrator
| | List of Oracle Identity Manager managed servers (see Footnote 1).
| Specify the URL for the Oracle Internet Directory instance, for example: | Identity Store URL (see Footnote 2).
| | Name of user used to connect to Identity Store. This user should not be located in
| | Root location in Identity Store where Users and Groups are located.
usercontainerName | | cn of User location within Search base.
rolecontainername | | cn of Groups location within Search base.
reservationcontainername | | cn of Reserve location within Search base.
Footnote 1: Where 14000 is the OIM_PORT from Section A.3.
Footnote 2: If you are using Oracle Internet Directory, Oracle Virtual Directory, or Active Directory, specify the appropriate URL.
Note:
usercontainerName, rolecontainername, and reservationcontainername are not used in this step.
Save the file.
Set the JAVA_HOME and WL_HOME environment variables.
Run LDAPConfigPostSetup.sh, specifying the path name of the directory containing the ldapconfig.props file on the command line. The script prompts for the Oracle Identity Manager admin password. For example:
./LDAPConfigPostSetup.sh IAM_ORACLE_HOME/server/ldap_config_util
[Enter OIM admin password: ]
This section describes how to configure Oracle Identity Manager to work with the Oracle Web Tier.
This section contains the following topics:
Before configuring Oracle Identity Manager to work with the Oracle Web Tier, ensure that the following tasks have been performed:
Install Oracle Web Tier on WEBHOST1 and WEBHOST2.
Configure the load balancer with a virtual host name (SSO.mycompany.com) pointing to the web servers on WEBHOST1 and WEBHOST2.
Configure the load balancer with a virtual host name (IDMINTERNAL.mycompany.com) pointing to the web servers on WEBHOST1 and WEBHOST2.
Because the Oracle HTTP Server acts as a proxy for WebLogic, by default certain CGI environment variables are not passed through to WebLogic. These include the host and port. You must tell WebLogic that it is using a virtual site name and port so that it can generate internal URLs appropriately.
To do this, log in to the WebLogic administration console at: http://ADMIN.mycompany.com/console
Proceed as follows:
Select Clusters from the home page or, alternatively, select Environment -> Clusters from the Domain structure menu.
Click Lock and Edit in the Change Center Window to enable editing.
Click the Cluster Name (soa_cluster).
In the Configuration tab, select the HTTP subtab.
Enter:
Frontend Host: IDMINTERNAL.mycompany.com
Frontend HTTP Port: 80 (HTTP_PORT)
Click Save.
Click Activate Changes in the Change Center window to apply the changes.
Restart WLS_SOA1 and WLS_SOA2 as described in Section 21.1, "Starting and Stopping Oracle Identity Management Components."
Validate the Oracle Identity Manager Server Instance by bringing up the Oracle Identity Manager Console in a web browser at:
https://SSO.mycompany.com:443/oim
Log in using the xelsysadm
username and password.
Validate SOA by accessing the URL:
http://IDMINTERNAL.mycompany.com:80/soa-infra
and logging in as the WebLogic administration user.
The WLS_OIM and WLS_SOA Managed Servers have a transaction log that stores information about committed transactions that are coordinated by the server that might not have been completed. The WebLogic Server uses this transaction log for recovery from system crashes or network failures. To leverage the migration capability of the Transaction Recovery Service for the servers within a cluster, store the transaction log in a location accessible to a server and its backup servers.
Note:
Preferably, this location should be on a dual-ported SCSI disk or on a Storage Area Network (SAN).
Perform these steps to set the location for the default persistence stores for the Oracle Identity Manager and SOA Servers:
Create the following directory on the shared storage:
ASERVER_HOME/tlogs
Log in to the Oracle WebLogic Server Administration Console.
Click Lock and Edit.
In the Domain Structure window, expand the Environment node and then click the Servers node.
The Summary of Servers page is displayed.
Click the name of either the Oracle Identity Manager or the SOA server (represented as a hyperlink) in the Name column of the table.
The Settings page for the selected server is displayed, and defaults to the Configuration tab.
Open the Services subtab.
Under the Default Store section of the page, provide the path to the default persistent store on shared storage. The directory structure of the path is as follows:
For Oracle Identity Manager Servers: ASERVER_HOME/tlogs
For SOA Servers: ASERVER_HOME/tlogs
Note:
To enable migration of the Transaction Recovery Service, specify a location on a persistent storage solution that is available to other servers in the cluster. All the servers that are a part of the cluster must be able to access this directory.
Repeat these steps, selecting the other SOA server on the Summary of Servers page.
Click Save and Activate.
Restart the Oracle Identity Manager and SOA Managed Servers, as described in Section 21.1, "Starting and Stopping Oracle Identity Management Components," to make the changes take effect.
This section describes how to configure email notification. This is mandatory for Fusion Applications. The following steps assume that an email server has been set up and that Oracle Identity Management can use it to send the email notifications.
Log in to Oracle Identity Manager Advanced Administration as system administrator.
Navigate to Configuration -> Create IT Resource.
Enter Email Server for IT Resource Name. Select Mail Server for IT Resource Type. Do not select anything for the Remote Manager field. Click Continue.
On the Step 2: Specify IT Resource Parameter Values page, provide the following values for the fields:
Authentication: False
Server Name: Email server name, for example: MAIL.mycompany.com
User Login: leave blank
User Password: leave blank
Click Continue.
On the Step 3: Set Access Permission to IT Resource page, do not change anything. Click Continue.
On the Step 4: Verify IT Resource Details page, check all the values you entered to verify that they are correct. Click Continue.
On the Step 5: IT Resource Connection Result page, Oracle Identity Manager checks whether it can connect to the email server provided. If the connection is successful, click Create.
On the Step 6: IT Resource Created page, click Finish.
Restart the Oracle Identity Manager server, as described in Section 21.1, "Starting and Stopping Oracle Identity Management Components," for the changes to take effect.
By default, Oracle Identity Management reconciles all users that are located in the LDAP container cn=Users. Once reconciled, these users are subject to the usual password ageing policies defined in Oracle Identity Manager. This is not desirable for system accounts. It is recommended that you exclude the following accounts from this reconciliation:
xelsysadm
oimLDAP
oamLDAP
Additionally, you might want to exclude:
IDROUser
IDRWUser
PolicyROUser
PolicyRWUser
To exclude these users from reconciliation and discard failed reconciliation events, perform the following steps, using ODSM and the OIM Console:
Log in to ODSM at:
http://ADMIN.mycompany.com/odsm
Connect to one of the LDAP instances that hosts the user to be excluded.
Select Data Browser.
Enter the user name in the query box and execute the search.
Click on the user to bring up the Edit window.
Click Attributes.
Click + in the Object Classes box to add a new class.
Enter orclAppIDUser in the search box and execute the search.
Click on the attribute orclAppIDUser and click OK.
Click Apply.
Repeat Steps 1-10 for each user to be excluded.
This step is required to clear out failed reconciliation events. Failed reconciliation events are repeatedly retried, which puts an unnecessary load on the system.
Log in to the OIM Console as the xelsysadm user at: https://sso.mycompany.com:443/oim
Click Advanced.
From Event Management, select Search Reconciliation Events.
Click Advanced Search.
In the Current Status field, select Equals. In the Search box, select Creation Failed from the list.
Click Search.
Select each of the events.
From the Actions menu, select Close Event.
In the Confirmation window enter a justification, such as Close Failed Reconciliation Events.
Click Closed.
Click OK to acknowledge the confirmation message.
Oracle Identity Manager connects to SOA as the SOA administrator, with the username weblogic by default. As mentioned in the previous sections, a new administrator user is provisioned in the central LDAP store to manage the Identity Management WebLogic Domain.
Perform the following postinstallation steps to enable Oracle Identity Manager to work with the Oracle WebLogic Server administrator user provisioned in the central LDAP store. This enables Oracle Identity Manager to connect to SOA without any problem:
Log in to Enterprise Manager at: http://ADMIN.mycompany.com/em
Select Farm_IDMDomain –> Identity and Access –> OIM –> oim(11.1.1.3.0).
Select System MBean Browser from the menu or right click to select it.
Select Application defined Mbeans –> oracle.iam –> Server: wls_oim1 –> Application: oim –> XML Config –> Config –> XMLConfig.SOAConfig –> SOAConfig
Change the username attribute to the Oracle WebLogic Server administrator username provisioned in Section 11.5, "Preparing the Identity Store," for example: weblogic_idm.
Change SOA Config RMI URL to:
cluster:t3://soa_cluster
Click Apply.
Select Weblogic Domain –> IDMDomain from the Navigator.
Select Security –> Credentials from the drop-down menu.
Expand the key oim.
Click SOAAdminPassword.
Click Edit.
Change the username to weblogic_idm and set the password to that account's password.
Click OK.
Run the reconciliation process to enable the Oracle WebLogic Server administrator, weblogic_idm, to be visible in the OIM Console. Follow these steps:
Log in to Oracle Identity Manager at: https://SSO.mycompany.com:443/oim as the user xelsysadm.
If prompted, set up challenge questions. This happens on your first login to Oracle Identity Manager.
Click Advanced.
Click the System Management tab.
Click the arrow for the Search Scheduled Jobs to list all the schedulers.
Select LDAP User Create and Update Full Reconciliation.
Click Run Now to run the job.
Go to the Administration page and perform a search to verify that the user is visible in the Oracle Identity Manager console.
Select Administration.
Click Advanced Search –> Roles
Search for the Administrators role.
Click the Administrators Role.
Click Open.
Click the Members tab.
Click Assign.
Type weblogic_idm
in the Search box and Click ->.
Select weblogic_idm from the list of available users.
Click > to move to Selected Users.
Click Save.
Restart the Oracle Identity Manager Managed Server.
If your back-end directory is Active Directory, you must update Oracle Identity Manager so that it only allows user names with a maximum of 20 characters. This is a limitation of Active Directory. Update the username generation policy from DefaultComboPolicy to FirstnameLastnamepolicyforAD as follows.
Log in to the OIM Console at the URL listed in Section 15.2, "About Domain URLs."
Click Advanced on the top of the right pane.
Click Search System properties.
On the navigation bar in the left pane, search on Username Generation.
Click Default Policy for Username Generation.
In the Value field, update the entry from oracle.iam.identity.usermgmt.impl.plugins.DefaultComboPolicy to oracle.iam.identity.usermgmt.impl.plugins.FirstNameLastNamePolicyForAD.
Click Save.
In order for Oracle Platform Security to work optimally, add tuning parameters to managed servers when they start. In particular, provide these values to the following managed servers:
Admin Server
WLS_OAM1
WLS_OAM2
WLS_OIM1
WLS_OIM2
To add these values to the server start parameters perform the following steps.
Log in to the WebLogic console at: http://ADMIN.mycompany.com/console
Click Lock and Edit.
Expand the Environment Node in the Domain Structure window.
Click Servers to open the Summary of Servers Page.
Click on a server to show the server properties page.
Click the Server Start tab.
Add the following values to the Arguments field:
-Djps.subject.cache.key=5 -Djps.subject.cache.ttl=600000
Click Save.
Repeat for each of the managed servers.
Click Activate Changes.
For information about tuning OPSS, see the "Oracle Fusion Middleware Security Performance Tuning" chapter in the Oracle Fusion Middleware Performance and Tuning Guide.
This section describes how to integrate Oracle Identity Manager and Oracle Access Manager.
This section contains the following topics:
Section 15.18.1, "Copying OAM Keystore Files to IDMHOST1 and IDMHOST2"
Section 15.18.2, "Updating Existing LDAP Users with Required Object Classes"
Section 15.18.3, "Integrating Oracle Access Manager 11g with Oracle Identity Manager 11g"
Section 15.18.4, "Managing the Password of the xelsysadm User"
If you are using Oracle Access Manager with the Simple Security Transport model, you must copy the OAM keystore files, which were generated in Section 13.10, "Creating a Single Keystore for Integrating Oracle Access Manager with Other Components," to IDMHOST1 and IDMHOST2. Copy the keystore files ssoKeystore.jks and oamclient-truststore.jks to the directory MSERVER_HOME/config/fmwconfig on IDMHOST1 and IDMHOST2.
You must update existing LDAP users with the object classes OblixPersonPwdPolicy, OIMPersonPwdPolicy, and OblixOrgPerson.
Note:
This is not required in the case of a fresh setup where you do not have any existing users.
Set ORACLE_HOME to IAM_ORACLE_HOME.
Set MW_HOME to IAM_MW_HOME.
Set JAVA_HOME to JAVA_HOME.
On IDMHOST1, create a properties file for the integration called user.props
, with the following contents:
IDSTORE_HOST: IDSTORE.mycompany.com
IDSTORE_PORT: 389
IDSTORE_ADMIN_USER: cn=orcladmin
IDSTORE_DIRECTORYTYPE: OVD
IDSTORE_USERSEARCHBASE: cn=Users,dc=mycompany,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=mycompany,dc=com
PASSWORD_EXPIRY_PERIOD: 7300
IDSTORE_LOGINATTRIBUTE: uid
Where:
IDSTORE_HOST is the name of the LDAP server. For example: IDSTORE.mycompany.com
IDSTORE_PORT is the port of the LDAP server (LDAP_LBR_PORT in Section A.3).
IDSTORE_ADMIN_USER is the bind DN of an administrative user. For example: cn=orcladmin or cn=oudadmin
IDSTORE_DIRECTORYTYPE is the type of directory; valid values are OID and OVD.
IDSTORE_USERSEARCHBASE is the location of users in the directory. For example: cn=Users,dc=mycompany,dc=com
IDSTORE_GROUPSEARCHBASE is the location of groups in the directory. For example: cn=Groups,dc=mycompany,dc=com
IDSTORE_LOGINATTRIBUTE is the directory login attribute name. For example: uid.
PASSWORD_EXPIRY_PERIOD is the password expiry period.
Upgrade the existing LDAP users using the command idmConfigTool, which is located at: IAM_ORACLE_HOME/idmtools/bin
Note:
When you run the idmConfigTool, it creates or appends to the file idmDomainConfig.param. This file is generated in the same directory that the idmConfigTool is run from. To ensure that the same file is appended to each time the tool is run, always run the idmConfigTool from the directory: IAM_ORACLE_HOME/idmtools/bin
The syntax of the command is:
idmConfigTool.sh -upgradeLDAPUsersForSSO input_file=configfile
on Linux and
idmConfigTool.bat -upgradeLDAPUsersForSSO input_file=configfile
on Windows.
For example:
idmConfigTool.sh -upgradeLDAPUsersForSSO input_file=user.props
When prompted, enter the password of the user you are using to connect to your Identity Store.
Sample output:
Enter LDAP admin user password:
********* Upgrading LDAP Users With OAM ObjectClasses *********
Completed loading user inputs for - LDAP connection info
Completed loading user inputs for - LDAP Upgrade
Upgrading ldap users at - cn=Users,dc=us,dc=oracle,dc=com
Parsing - cn=readOnlyUser,cn=Users,dc=us,dc=oracle,dc=com
objectclass OIMPersonPwdPolicy not present in cn=readOnlyUser,cn=Users,dc=us,dc=oracle,dc=com. Seeding it
objectclass OblixOrgPerson not present in cn=readOnlyUser,cn=Users,dc=us,dc=oracle,dc=com. Seeding it
objectclass OblixPersonPwdPolicy not present in cn=readOnlyUser,cn=Users,dc=us,dc=oracle,dc=com. Seeding it
obpasswordexpirydate added in cn=readOnlyUser,cn=Users,dc=us,dc=oracle,dc=com
Parsing - cn=readWriteUser,cn=Users,dc=us,dc=oracle,dc=com
objectclass OIMPersonPwdPolicy not present in cn=readWriteUser,cn=Users,dc=us,dc=oracle,dc=com. Seeding it
objectclass OblixOrgPerson not present in cn=readWriteUser,cn=Users,dc=us,dc=oracle,dc=com. Seeding it
objectclass OblixPersonPwdPolicy not present in cn=readWriteUser,cn=Users,dc=us,dc=oracle,dc=com. Seeding it
obpasswordexpirydate added in cn=readWriteUser,cn=Users,dc=us,dc=oracle,dc=com
Parsing - cn=weblogic,cn=Users,dc=us,dc=oracle,dc=com
objectclass OIMPersonPwdPolicy not present in cn=weblogic,cn=Users,dc=us,dc=oracle,dc=com. Seeding it
objectclass OblixOrgPerson not present in cn=weblogic,cn=Users,dc=us,dc=oracle,dc=com. Seeding it
objectclass OblixPersonPwdPolicy not present in cn=weblogic,cn=Users,dc=us,dc=oracle,dc=com. Seeding it
obpasswordexpirydate added in cn=weblogic,cn=Users,dc=us,dc=oracle,dc=com
Parsing - cn=oamMasterAdminUser,cn=Users,dc=us,dc=oracle,dc=com
objectclass OIMPersonPwdPolicy not present in cn=oamMasterAdminUser,cn=Users,dc=us,dc=oracle,dc=com. Seeding it
objectclass OblixPersonPwdPolicy not present in cn=oamMasterAdminUser,cn=Users,dc=us,dc=oracle,dc=com. Seeding it
obpasswordexpirydate added in cn=oamMasterAdminUser,cn=Users,dc=us,dc=oracle,dc=com
Parsing - cn=oamSoftwareUser,cn=Users,dc=us,dc=oracle,dc=com
objectclass OIMPersonPwdPolicy not present in cn=oamSoftwareUser,cn=Users,dc=us,dc=oracle,dc=com. Seeding it
objectclass OblixOrgPerson not present in cn=oamSoftwareUser,cn=Users,dc=us,dc=oracle,dc=com. Seeding it
objectclass OblixPersonPwdPolicy not present in cn=oamSoftwareUser,cn=Users,dc=us,dc=oracle,dc=com. Seeding it
obpasswordexpirydate added in cn=oamSoftwareUser,cn=Users,dc=us,dc=oracle,dc=com
Parsing - cn=PolStoreROUser,cn=Users,dc=us,dc=oracle,dc=com
objectclass OIMPersonPwdPolicy not present in cn=PolStoreROUser,cn=Users,dc=us,dc=oracle,dc=com. Seeding it
objectclass OblixOrgPerson not present in cn=PolStoreROUser,cn=Users,dc=us,dc=oracle,dc=com. Seeding it
objectclass OblixPersonPwdPolicy not present in cn=PolStoreROUser,cn=Users,dc=us,dc=oracle,dc=com. Seeding it
obpasswordexpirydate added in cn=PolStoreROUser,cn=Users,dc=us,dc=oracle,dc=com
Parsing - cn=PolStoreRWUser,cn=Users,dc=us,dc=oracle,dc=com
objectclass OIMPersonPwdPolicy not present in cn=PolStoreRWUser,cn=Users,dc=us,dc=oracle,dc=com. Seeding it
objectclass OblixOrgPerson not present in cn=PolStoreRWUser,cn=Users,dc=us,dc=oracle,dc=com. Seeding it
objectclass OblixPersonPwdPolicy not present in cn=PolStoreRWUser,cn=Users,dc=us,dc=oracle,dc=com. Seeding it
obpasswordexpirydate added in cn=PolStoreRWUser,cn=Users,dc=us,dc=oracle,dc=com
Parsing - cn=PUBLIC, cn=Users, dc=us,dc=oracle,dc=com
objectclass OIMPersonPwdPolicy not present in cn=PUBLIC, cn=Users, dc=us,dc=oracle,dc=com. Seeding it
objectclass OblixOrgPerson not present in cn=PUBLIC, cn=Users, dc=us,dc=oracle,dc=com. Seeding it
objectclass OblixPersonPwdPolicy not present in cn=PUBLIC, cn=Users, dc=us,dc=oracle,dc=com. Seeding it
obpasswordexpirydate added in cn=PUBLIC, cn=Users, dc=us,dc=oracle,dc=com
Parsing - cn=orcladmin, cn=Users, dc=us,dc=oracle,dc=com
objectclass OIMPersonPwdPolicy not present in cn=orcladmin, cn=Users, dc=us,dc=oracle,dc=com. Seeding it
obpasswordexpirydate added in cn=orcladmin, cn=Users, dc=us,dc=oracle,dc=com
Parsing - cn=xelsysadm,cn=Users,dc=us,dc=oracle,dc=com
Parsing - cn=xelsysadmin,cn=Users,dc=us,dc=oracle,dc=com
Finished parsing LDAP
LDAP Users Upgraded.
********* ********* *********
See Also:
Oracle Fusion Middleware Integration Overview for Oracle Identity Management Suite for more information about the idmConfigTool command.
Integrating Oracle Identity Manager with Oracle Access Manager using a WebGate profile employs an Oracle Access Manager Trusted Authentication Protocol (TAP) scheme. This differs from previous releases, which used the Network Assertion Protocol (NAP).
To integrate Oracle Access Manager 11g with Oracle Identity Manager, perform the following steps on IDMHOST1:
Set MW_HOME to IAM_MW_HOME.
Set JAVA_HOME to JAVA_HOME.
Set ORACLE_HOME to IAM_ORACLE_HOME.
Create a properties file for the integration called oimitg.props, with the following contents:
LOGINURI: /${app.context}/adfAuthentication
LOGOUTURI: /oamsso/logout.html
AUTOLOGINURI: None
ACCESS_SERVER_HOST: IDMHOST1.mycompany.com
ACCESS_SERVER_PORT: 5575
ACCESS_GATE_ID: Webgate_IDM
COOKIE_DOMAIN: .mycompany.com
COOKIE_EXPIRY_INTERVAL: 120
OAM_TRANSFER_MODE: simple
WEBGATE_TYPE: ohsWebgate11g
SSO_ENABLED_FLAG: true
IDSTORE_PORT: 389
IDSTORE_HOST: IDSTORE.mycompany.com
IDSTORE_DIRECTORYTYPE: OID or OVD
IDSTORE_ADMIN_USER: cn=oamLDAP,cn=Users,dc=mycompany,dc=com
IDSTORE_USERSEARCHBASE: cn=Users,dc=mycompany,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=mycompany,dc=com
MDS_DB_URL: jdbc:oracle:thin:@(DESCRIPTION=(LOAD_BALANCE=on)(FAILOVER=on)(ADDRESS_LIST=(ADDRESS=(protocol=tcp)(host=OIDDBHOST1-VIP.mycompany.com)(port=1521))(ADDRESS=(protocol=tcp)(host=OIDDBHOST2-VIP.mycompany.com)(port=1521)))(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=OIDEDG.mycompany.com)))
MDS_DB_SCHEMA_USERNAME: edg_mds
WLSHOST: ADMINVHN.mycompany.com
WLSPORT: 7001
WLSADMIN: weblogic
DOMAIN_NAME: IDMDomain
OIM_MANAGED_SERVER_NAME: WLS_OIM1
DOMAIN_LOCATION: ASERVER_HOME
IDSTORE_LOGINATTRIBUTE: uid
where:
ACCESS_SERVER_PORT is the Access Server Proxy port. This is OAM_PROXY_PORT in Section A.3.
OAM_TRANSFER_MODE is set to simple if your Access Manager servers are configured to accept requests using the simple mode. Otherwise, set OAM_TRANSFER_MODE to open.
SSO_ENABLED_FLAG is always set to true.
WEBGATE_TYPE is the type of WebGate agent you want to create. Valid values are ohsWebgate11g and ohsWebgate10.
IDSTORE_HOST is the load balancer virtual host fronting your Identity Store (LDAP_LBR_HOST).
IDSTORE_PORT is the load balancer virtual port fronting your Identity Store (LDAP_LBR_PORT).
IDSTORE_DIRECTORYTYPE is set to OVD if you are using Oracle Virtual Directory to connect to either a non-OID directory or Oracle Internet Directory. Set it to OID if your Identity Store is in Oracle Internet Directory, and to OUD if you are connecting to Oracle Unified Directory.
IDSTORE_USERSEARCHBASE is the location in the directory where users are stored.
IDSTORE_GROUPSEARCHBASE is the location in the directory where groups are stored.
IDSTORE_LOGINATTRIBUTE is the LDAP attribute that contains the user's login name.
MDS_DB_URL contains the JDBC connection information for your database in the form:
jdbc:oracle:thin:@(DESCRIPTION=(LOAD_BALANCE=on)(FAILOVER=on)(ADDRESS_LIST=(ADDRESS=(protocol=tcp)(host=IDMDBHOST1-VIP.mycompany.com)(port=1521))(ADDRESS=(protocol=tcp)(host=IDMDBHOST2-VIP.mycompany.com)(port=1521)))(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=OIDEDG.mycompany.com)))
where 1521 is the DB_LSNR_PORT in Section A.3.
MDS_DB_SCHEMA_USERNAME is the name of the schema in the Identity Management Database that holds MDS data. See Section 7.5, "Loading the Identity Management Schemas in the Oracle RAC Database by Using RCU."
OIM_MANAGED_SERVER_NAME is the name of one of the OIM Managed Servers. It does not matter which one you use.
WLSHOST (ADMINVHN) is the host of your Administration Server, WLS_ADMIN_HOST in Section A.3. This is the virtual name.
WLSPORT is the port of your Administration Server, WLS_ADMIN_PORT in Section A.3.
WLSADMIN is the WebLogic administrative user you use to log in to the WebLogic console.
DOMAIN_NAME is the name of the domain that hosts Oracle Identity Manager.
DOMAIN_LOCATION is the path to the domain on disk, that is, ASERVER_HOME.
Integrate Oracle Access Manager with Oracle Identity Manager using the idmConfigTool command, which is located at IAM_ORACLE_HOME/idmtools/bin.
Note:
When you run the idmConfigTool, it creates or appends to the file idmDomainConfig.param. This file is generated in the same directory that the idmConfigTool is run from. To ensure that each time the tool is run, the same file is appended to, always run the idmConfigTool from the directory IAM_ORACLE_HOME/idmtools/bin.
The syntax of the command is:
idmConfigTool.sh -configOIM input_file=configfile
on Linux, and:
idmConfigTool.bat -configOIM input_file=configfile
on Windows.
For example:
IAM_ORACLE_HOME/idmtools/bin/idmConfigTool.sh -configOIM input_file=oimitg.props
When the script runs you are prompted for the following information:
Access Gate Password
SSO Keystore Password
Global Passphrase
Idstore Admin Password
MDS Database schema password
Admin Server User Password
Sample output:
Enter sso access gate password :
Enter sso keystore jks password :
Enter sso global passphrase :
Enter mds db schema password :
Enter idstore admin password :
Enter admin server user password :
********* Seeding OAM Passwds in OIM *********
Completed loading user inputs for - CSF Config
Completed loading user inputs for - Dogwood Admin WLS
Connecting to t3://OAMADMINVHN.mycompany.com:7001
Connection to domain runtime mbean server established
Seeding credential :SSOAccessKey
Seeding credential :SSOGlobalPP
Seeding credential :SSOKeystoreKey
********* ********* *********
********* Activating OAM Notifications *********
Completed loading user inputs for - MDS DB Config
Apr 3, 2012 11:56:09 PM oracle.mds
NOTIFICATION: PManager instance is created without multitenancy support as JVM flag "oracle.multitenant.enabled" is not set to enable multitenancy support.
Initialized MDS resources
Apr 3, 2012 11:56:09 PM oracle.mds
NOTIFICATION: PManager instance is created without multitenancy support as JVM flag "oracle.multitenant.enabled" is not set to enable multitenancy support.
Apr 3, 2012 11:56:10 PM oracle.mds
NOTIFICATION: transfer operation started.
Apr 3, 2012 11:56:10 PM oracle.mds
NOTIFICATION: transfer is completed. Total number of documents successfully processed : 1, total number of documents failed : 0.
Upload to DB completed
Releasing all resources
Notifications activated.
********* ********* *********
********* Seeding OAM Config in OIM *********
Completed loading user inputs for - OAM Access Config
Validated input values
Initialized MDS resources
Apr 3, 2012 11:56:10 PM oracle.mds
NOTIFICATION: PManager instance is created without multitenancy support as JVM flag "oracle.multitenant.enabled" is not set to enable multitenancy support.
Apr 3, 2012 11:56:10 PM oracle.mds
NOTIFICATION: transfer operation started.
Apr 3, 2012 11:56:10 PM oracle.mds
NOTIFICATION: transfer is completed. Total number of documents successfully processed : 1, total number of documents failed : 0.
Download from DB completed
Releasing all resources
Updated IAM_ORACLE_HOME/server/oamMetadata/db/oim-config.xml
Initialized MDS resources
Apr 3, 2012 11:56:10 PM oracle.mds
NOTIFICATION: PManager instance is created without multitenancy support as JVM flag "oracle.multitenant.enabled" is not set to enable multitenancy support.
Apr 3, 2012 11:56:10 PM oracle.mds
NOTIFICATION: transfer operation started.
Apr 3, 2012 11:56:10 PM oracle.mds
NOTIFICATION: transfer is completed. Total number of documents successfully processed : 1, total number of documents failed : 0.
Upload to DB completed
Releasing all resources
OAM configuration seeded. Please restart oim server.
********* ********* *********
********* Configuring Authenticators in OIM WLS *********
Completed loading user inputs for - LDAP connection info
Connecting to t3://ADMINVHN.mycompany.com:7001
Connection to domain runtime mbean server established
Starting edit session
Edit session started
Connected to security realm.
Validating provider configuration
Validated desired authentication providers
Created OAMIDAsserter successfuly
OAMIDAsserter is already configured to support 11g webgate
Created OIMSignatureAuthenticator successfuly
Created OVDAuthenticator successfuly
Setting attributes for OVDAuthenticator
All attributes set. Configured inOVDAuthenticatornow
LDAP details configured in OVDAuthenticator
Control flags for authenticators set sucessfully
Reordering of authenticators done sucessfully
Saving the transaction
Transaction saved
Activating the changes
Changes Activated. Edit session ended.
Connection closed sucessfully
********* ********* *********
The tool has completed its operation. Details have been logged to automation.log
Check the log file for errors and correct them if necessary.
Restart the Administration Servers as described in Section 21.1, "Starting and Stopping Oracle Identity Management Components."
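The two procedures above both start from a KEY: value properties file (user.props and oimitg.props) that idmConfigTool only rejects once it tries to bind or search. As an added example, not part of the Oracle guide and not the tool's own code, the following Python validator parses such a file and checks the identity-store keys both files share, the value sets the guide lists, the port values, and that the bind DN and both search bases sit under the same directory suffix. The sample file, its hostnames and its two deliberate mistakes are constructed.

```python
# Keys user.props and oimitg.props share; oimitg.props carries further OAM, MDS and WLS keys.
REQUIRED = ("IDSTORE_HOST", "IDSTORE_PORT", "IDSTORE_ADMIN_USER", "IDSTORE_DIRECTORYTYPE",
            "IDSTORE_USERSEARCHBASE", "IDSTORE_GROUPSEARCHBASE", "IDSTORE_LOGINATTRIBUTE")
# Value sets the guide gives for these keys (compared case-sensitively here).
ALLOWED = {"IDSTORE_DIRECTORYTYPE": {"OID", "OVD", "OUD"}, "OAM_TRANSFER_MODE": {"simple", "open"},
           "WEBGATE_TYPE": {"ohsWebgate11g", "ohsWebgate10"}, "SSO_ENABLED_FLAG": {"true"}}
PORT_KEYS = ("IDSTORE_PORT", "ACCESS_SERVER_PORT", "WLSPORT")
DN_KEYS = ("IDSTORE_ADMIN_USER", "IDSTORE_USERSEARCHBASE", "IDSTORE_GROUPSEARCHBASE")

def parse_props(text):
    """Parse 'KEY: value' lines into a dict; values may contain colons (JDBC URLs)."""
    props = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep or not key.strip():
            raise ValueError(f"line {lineno}: expected 'KEY: value', got {raw!r}")
        props[key.strip()] = value.strip()
    return props

def dc_suffix(dn):
    """The dc=... part of a DN: 'cn=Users,dc=mycompany,dc=com' -> 'dc=mycompany,dc=com'."""
    return ",".join(p.strip() for p in dn.split(",") if p.strip().lower().startswith("dc="))

def validate(props):
    """Return the list of problems found; an empty list means the file passes."""
    problems = [f"missing key {k}" for k in REQUIRED if k not in props]
    for key, allowed in ALLOWED.items():
        if key in props and props[key] not in allowed:
            problems.append(f"{key}={props[key]!r} not in {sorted(allowed)}")
    for key in PORT_KEYS:
        if key in props and not (props[key].isdigit() and 0 < int(props[key]) < 65536):
            problems.append(f"{key}={props[key]!r} is not a valid port")
    # A mistyped suffix in one DN otherwise shows up only as a bind or search failure.
    suffixes = {dc_suffix(props[k]) for k in DN_KEYS if k in props} - {""}
    if len(suffixes) > 1:
        problems.append(f"directory suffixes disagree: {sorted(suffixes)}")
    return problems

# Constructed sample with two deliberate mistakes: a mistyped domain in the bind DN
# and a wrongly capitalised transfer mode.
SAMPLE = """\
IDSTORE_HOST: IDSTORE.mycompany.com
IDSTORE_PORT: 389
IDSTORE_ADMIN_USER: cn=oamLDAP,cn=Users,dc=mycomoany,dc=com
IDSTORE_DIRECTORYTYPE: OVD
IDSTORE_USERSEARCHBASE: cn=Users,dc=mycompany,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=mycompany,dc=com
IDSTORE_LOGINATTRIBUTE: uid
OAM_TRANSFER_MODE: Simple
"""
```

Running validate(parse_props(SAMPLE)) reports the two mistakes; once they are corrected the list is empty and the file can be handed to idmConfigTool.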
After you integrate Oracle Identity Manager with Oracle Access Manager, two xelsysadm accounts exist. One is the internal account created by Oracle Identity Manager. The other is the account you created in the Identity Store in Section 11.5, "Preparing the Identity Store."
The xelsysadm account located in the LDAP store is the one used to access the OIM console. If you want to change the password of this account, change it in LDAP. You can use ODSM to do this. Do not change it through the OIM console.
To validate integration, you must assign Identity Management administrators to WebLogic security groups and install WebGate as described in Chapter 20, "Configuring Single Sign-on for Administration Consoles in an Enterprise Deployment."
To validate that the wiring of Oracle Access Manager 11g with Oracle Identity Manager 11g was successful, attempt to log in to the Oracle Identity Manager Self Service Console, as follows:
Using a browser, navigate to:
https://SSO.mycompany.com/oim
This redirects you to the OAM11g single sign-on page.
Log in using the xelsysadm user account created in Section 11.5, "Preparing the Identity Store."
If you see the OIM Self Service Console Page, the integration was successful.
You can perform additional validation as follows:
Log in to the OIM Console as the xelsysadm user.
Create a new user.
Log out as the xelsysadm user.
Log in as the new user you just created. As the new user, you are redirected to the Password Management page.
Enter the credentials and click Submit. If integration has been performed correctly, you arrive at the page you are trying to access.
Back up the database, the WebLogic domain, and the LDAP directories, as described in Section 21.6.3, "Performing Backups During Installation and Configuration."