Oracle® Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management (Oracle Fusion Applications Edition) 11g Release 6 (11.1.6) Part Number E21032-18
This chapter describes how to prepare the Identity and Policy Stores in an Oracle Identity Management enterprise deployment.
It contains the following sections:
Before you can use the Policy Store, you must prepare it. This involves creating a JPS Root context, and users and groups required to access the Policy Store, in the Policy Store directory. It also reassociates the domain's internal Policy Store to use the external LDAP Policy Store.
Oracle Platform Security Services uses the Policy Store to hold policy information common to all of the applications in the deployment.
Preparing the Policy Store consists of the following steps:
Creating a JPS Root container in Oracle Internet Directory
Creating users with permissions to access the policy store
Informing the domain to use the centralized policy store rather than the default, file-based store.
The policy store can be in the same Oracle Internet Directory as identity information or in a separate, dedicated Oracle Internet Directory. The choice is up to the user. If you store identity information in a third party directory accessed through Oracle Virtual Directory, the policy store must still be in Oracle Internet Directory.
Preparing the Identity Store involves extending the schema of the directory to support Oracle Access Manager and Oracle Identity Manager, then seeding the Identity Store with system users that will be used when building the Identity Management topology.
The procedures described in this chapter change the configuration of the LDAP directories that host the Identity and Policy Stores. Before performing any of these tasks, back up your Oracle Internet Directory instances, Oracle Internet Directory database, and any third party directories used for identity information, as described in Section 21.6.3, "Performing Backups During Installation and Configuration."
Before proceeding, ensure that the following statements are true:
Oracle Identity Management 11g is installed on IDMHOST1, as described in Chapter 6, "Installing the Software for an Enterprise Deployment."
Oracle Internet Directory is installed and configured (if required) as described in Chapter 10, "Extending the Domain to Include Oracle Internet Directory."
Non-Oracle Internet Directory directories are installed and available (if required).
This section describes how to prepare the Oracle Platform Security Services Policy Store.
It contains the following topics:
Section 11.4.1, "Creating Policy Store Users and the Policy Container"
Section 11.4.2, "Reassociating the Policy and Credential Store"
Perform the following tasks on IDMHOST1:
Set the environment variables MW_HOME, JAVA_HOME, and ORACLE_HOME:
Set ORACLE_HOME to IAM_ORACLE_HOME.
Set MW_HOME to IAM_MW_HOME.
Set JAVA_HOME to IAM_MW_HOME/jrockit-version.
Create a properties file, called policystore.props, with the following contents:
POLICYSTORE_HOST: POLICYSTORE.mycompany.com
POLICYSTORE_PORT: 389
POLICYSTORE_BINDDN: cn=orcladmin
POLICYSTORE_READONLYUSER: PolicyROUser
POLICYSTORE_READWRITEUSER: PolicyRWUser
POLICYSTORE_SEARCHBASE: dc=mycompany,dc=com
POLICYSTORE_CONTAINER: cn=idm_jpsroot
Where:
POLICYSTORE_HOST and POLICYSTORE_PORT are, respectively, the host and port of your Policy Store directory.
POLICYSTORE_BINDDN is an administrative user in the Policy Store directory.
POLICYSTORE_READONLYUSER and POLICYSTORE_READWRITEUSER are the names of the users you want to create in the Policy Store with Read Only and Read/Write privileges.
POLICYSTORE_SEARCHBASE is the location in the directory where users and groups are stored.
POLICYSTORE_CONTAINER is the name of the container used for OPSS policy information.
After creating the groups, the tool adds the read-only user (POLICYSTORE_READONLYUSER) as a member of OrclPolicyAndCredentialReadPrivilegeGroup and the read/write user (POLICYSTORE_READWRITEUSER) as a member of OrclPolicyAndCredentialWritePrivilegeGroup.
Configure the Policy Store using the command idmConfigTool, which is located at:
IAM_ORACLE_HOME/idmtools/bin
Note:
When you run the idmConfigTool, it creates or appends to the file idmDomainConfig.param. This file is generated in the same directory that the idmConfigTool is run from. To ensure that each time the tool is run, the same file is appended to, always run the idmConfigTool from the directory:
IAM_ORACLE_HOME/idmtools/bin
The syntax of the command on Linux is:
idmConfigTool.sh -configPolicyStore input_file=configfile
The syntax on Windows is:
idmConfigTool.bat -configPolicyStore input_file=configfile
For example:
idmConfigTool.sh -configPolicyStore input_file=policystore.props
When the command runs, you are prompted to enter the password of the account you are connecting to the Policy Store with. You are also asked to specify the passwords you want to assign to the accounts POLICYSTORE_READONLYUSER and POLICYSTORE_READWRITEUSER.
Sample command output:
Enter Policy Store Bind DN password:
*** Creation of PolicyROUser ***
Apr 5, 2011 4:23:49 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: IAM_ORACLE_HOME/idmtools/templates/oid/policystore_user.ldif
Enter User Password for PolicyROUser:
Confirm User Password for PolicyROUser:
*** Creation of PolicyRWUser ***
Apr 5, 2011 4:23:58 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: IAM_ORACLE_HOME/idmtools/templates/oid/policystore_user.ldif
Enter User Password for PolicyRWUser:
Confirm User Password for PolicyRWUser:
Apr 5, 2011 4:24:07 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: IAM_ORACLE_HOME/idmtools/templates/oid/policystore_group.ldif
Apr 5, 2011 4:24:07 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: IAM_ORACLE_HOME/idmtools/templates/oid/policystore_container.ldif
Apr 5, 2011 4:24:07 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: IAM_ORACLE_HOME/idmtools/templates/oid/policystore_group_read_member.ldif
Apr 5, 2011 4:24:07 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: IAM_ORACLE_HOME/idmtools/templates/oid/policystore_group_write_member.ldif
Apr 5, 2011 4:24:07 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: IAM_ORACLE_HOME/idmtools/templates/oid/policystore_tuning.ldif
Apr 5, 2011 4:24:07 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: IAM_ORACLE_HOME/idmtools/templates/oid/oid_schemaadmin.ldif
Apr 5, 2011 4:24:07 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: IAM_ORACLE_HOME/idmtools/templates/oid/policystore_user_aci.ldif
The tool has completed its operation. Details have been logged to /home/oracle/idmtools/automation.log
Apr 5, 2011 4:24:07 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: IAM_ORACLE_HOME/idmtools/templates/oid/policystore_user_priv.ldif
Note:
While running this command, you might see the following error message:
WARNING: Error in adding in-memory OID search filters.
You may safely ignore this error.
Check the log file for any errors or warnings and correct them. The file, named automation.log, is created in the directory from which you run the tool.
See Also:
Oracle Fusion Middleware Integration Overview for Oracle Identity Management Suite for more information about the idmConfigTool command.
To reassociate the policy and credential store with Oracle Internet Directory, use the WLST reassociateSecurityStore command. Follow these steps:
From IDMHOST1, start the WLST shell from the ORACLE_COMMON_HOME/common/bin directory. For example, on Linux systems, you would type:
./wlst.sh
On Windows you would type:
wlst.cmd
Connect to the WebLogic Administration Server using the following wlst connect command:
connect("AdminUser","AdminUserPassword","t3://hostname:port")
For example:
connect("weblogic","admin_password","t3://ADMINVHN.mycompany.com:7001")
Run the reassociateSecurityStore command as follows:
Syntax:
reassociateSecurityStore(domain="domain_name",admin="cn=orcladmin", password="orclPassword",ldapurl="ldap://LDAPHOST:LDAPPORT",servertype="OID", jpsroot="cn=jpsRootContainer")
Note:
The admin value is the DN of the LDAP administrator, that is, the user that has administrative level privileges to the Oracle Internet Directory instance that is used as the Policy Store.
For example:
reassociateSecurityStore(domain="IDMDomain",admin="cn=orcladmin", password="password", ldapurl="ldap://POLICYSTORE.mycompany.com:389",servertype="OID", jpsroot="cn=idm_jpsroot")
The output for the command is as follows:
Location changed to domainRuntime tree. This is a read-only tree with DomainMBean as the root.
For more help, use help(domainRuntime)
Starting policy store reassociation.
The store and ServiceConfigurator setup done.
Schema is seeded into the store
Data is migrated to the store. Check logs for any failures or warnings during migration.
Data in the store after migration has been tested to be available
Update of in-memory jps configuration is done
Policy store reassociation done.
Starting credential store reassociation
The store and ServiceConfigurator setup done.
Schema is seeded into the store
Data is migrated to the store. Check logs for any failures or warnings during migration.
Data in the store after migration has been tested to be available
Update of in-memory jps configuration is done
Audit store reassociation done
Starting audit store reassociation
The store and ServiceConfigurator setup done.
Schema is seeded into the store
Data is migrated to the store. Check logs for any failures or warnings during migration.
Data in the store after migration has been tested to be available
Update of in-memory jps configuration is done
Audit store reassociation done
Jps Configuration has been changed. Please restart the application server.
Restart the WebLogic Administration Server, as described in Section 21.1, "Starting and Stopping Oracle Identity Management Components," after the command completes successfully.
This section describes how to prepare the Identity Store. It contains the following topics:
Section 11.5.3, "Preparing a Directory for Oracle Access Manager and Oracle Identity Manager"
Section 11.5.5, "Creating Access Control Lists in Non-Oracle Internet Directory Directories"
Before you can use a directory to support Oracle Access Manager and Oracle Identity Manager, you must extend the directory to include Object classes required by these applications.
In addition to extending the directory schema, you must create a number of users. These users are used later on in the guide for such things as:
Accessing the directory using a dedicated user.
Accessing Oracle Access Manager, Oracle Identity Manager, and WebLogic after these products have offloaded authentication to an external directory.
Create a property file, idstore.props, to use when preparing the Identity Store. The file will have the following structure:
Oracle Internet Directory Example
# Common
IDSTORE_HOST: LDAPHOST1.mycompany.com
IDSTORE_PORT: 3060
IDSTORE_BINDDN: cn=orcladmin
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=mycompany,dc=com
IDSTORE_SEARCHBASE: dc=mycompany,dc=com
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_USERSEARCHBASE: cn=Users, dc=mycompany,dc=com
POLICYSTORE_SHARES_IDSTORE: true
# OAM
IDSTORE_OAMADMINUSER:oamadmin
IDSTORE_OAMSOFTWAREUSER:oamLDAP
OAM11G_IDSTORE_ROLE_SECURITY_ADMIN:OAMAdministrators
# OAM and OIM
IDSTORE_SYSTEMIDBASE: cn=systemids,dc=mycompany,dc=com
# OIM
IDSTORE_OIMADMINGROUP: OIMAdministrators
IDSTORE_OIMADMINUSER: oimLDAP
# Required due to bug
IDSTORE_OAAMADMINUSER : oaamadmin
# Fusion Applications
IDSTORE_READONLYUSER: IDROUser
IDSTORE_READWRITEUSER: IDRWUser
IDSTORE_SUPERUSER: weblogic_fa
# Weblogic
IDSTORE_WLSADMINUSER : weblogic_idm
Where:
IDSTORE_BINDDN is an administrative user in the Identity Store directory.
IDSTORE_GROUPSEARCHBASE is the location in the directory where groups are stored.
IDSTORE_HOST and IDSTORE_PORT are, respectively, the host and port of your Identity Store directory. Specify the back end directory here, rather than OVD. In the case of OID, specify one of the Oracle Internet Directory instances, for example:
OID: LDAPHOST1 and 3060
IDSTORE_LOGINATTRIBUTE is the LDAP attribute which contains the user's login name.
IDSTORE_OAMADMINUSER is the name of the user you want to create as your Oracle Access Manager Administrator.
IDSTORE_OAMSOFTWAREUSER is a user that gets created in LDAP and is used by Oracle Access Manager, while it is running, to connect to the LDAP server.
IDSTORE_OIMADMINGROUP is the name of the group you want to create to hold your Oracle Identity Manager administrative users.
IDSTORE_OIMADMINUSER is the user that Oracle Identity Manager uses to connect to the Identity Store.
IDSTORE_READONLYUSER is the name of a user you want to create which has Read Only permissions on your Identity Store.
IDSTORE_READWRITEUSER is the name of a user you want to create which has Read/Write permissions on your Identity Store.
IDSTORE_SUPERUSER is the name of the administration user you want to use to log in to the WebLogic Administration Console in the Oracle Fusion Applications domain.
IDSTORE_SEARCHBASE is the location in the directory where users and groups are stored.
IDSTORE_SYSTEMIDBASE is the location of a container in the directory where users can be placed when you do not want them in the main user container. This happens rarely, but one example is the Oracle Identity Manager reconciliation user, which is also used as the bind DN user in Oracle Virtual Directory adapters.
IDSTORE_USERSEARCHBASE is the location in the directory where users are stored.
OAM11G_IDSTORE_ROLE_SECURITY_ADMIN is the name of the group which is used to allow access to the OAM console.
POLICYSTORE_SHARES_IDSTORE is set to true for IDM 11g.
IDSTORE_OAAMADMINUSER is required because of a bug in idmConfigTool.
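Both policystore.props (Section 11.4.1) and idstore.props use the same "KEY: value" layout, and a misspelled or missing key is only discovered once idmConfigTool has already started creating entries. The following pre-flight checker is an added example, not part of idmConfigTool or of this guide's procedures: it parses that layout (comment lines, optional spaces around the colon, the stray space inside a DN such as "cn=Users, dc=mycompany,dc=com") and reports required keys that are missing or look misspelled. The REQUIRED_KEYS lists are taken from the two example files on this page; which keys the tool itself treats as mandatory is an assumption, and the sample files embedded below are constructed.

```python
"""Pre-flight checker for idmConfigTool property files (added example, not Oracle code)."""
import difflib
import sys

# Keys from the example files on this page; that the tool requires exactly these is an assumption.
REQUIRED_KEYS = {
    "configPolicyStore": [
        "POLICYSTORE_HOST", "POLICYSTORE_PORT", "POLICYSTORE_BINDDN",
        "POLICYSTORE_READONLYUSER", "POLICYSTORE_READWRITEUSER",
        "POLICYSTORE_SEARCHBASE", "POLICYSTORE_CONTAINER",
    ],
    "preConfigIDStore": [
        "IDSTORE_HOST", "IDSTORE_PORT", "IDSTORE_BINDDN",
        "IDSTORE_GROUPSEARCHBASE", "IDSTORE_SEARCHBASE",
        "IDSTORE_USERNAMEATTRIBUTE", "IDSTORE_LOGINATTRIBUTE",
        "IDSTORE_USERSEARCHBASE", "IDSTORE_SYSTEMIDBASE",
        "IDSTORE_READONLYUSER", "IDSTORE_READWRITEUSER",
    ],
}


def parse_props(text):
    """Parse 'KEY: value' lines into a dict; blank lines and '#' comments are skipped.
    Spaces around the key and value are dropped, and in DN values the space after a
    comma is removed, so 'cn=Users, dc=mycompany,dc=com' becomes 'cn=Users,dc=mycompany,dc=com'."""
    props = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("line %d: expected 'KEY: value', got %r" % (lineno, raw))
        key, value = key.strip(), value.strip()
        if "=" in value:  # a DN
            value = ",".join(part.strip() for part in value.split(","))
        props[key] = value
    return props


def check_props(props, operation):
    """Return a list of problems for the given idmConfigTool operation (empty = ready to run).
    A missing required key is paired with a near-miss suggestion when an unknown key
    looks like a misspelling of it."""
    required = REQUIRED_KEYS[operation]
    unknown = [k for k in props if k not in required]
    problems = []
    for key in required:
        if key in props:
            if not props[key]:
                problems.append("%s is empty" % key)
            elif key.endswith("_PORT") and not props[key].isdigit():
                problems.append("%s must be numeric, got %r" % (key, props[key]))
            continue
        near = difflib.get_close_matches(key, unknown, n=1, cutoff=0.8)
        if near:
            problems.append("%s missing (did you mean the misspelled key %s?)" % (key, near[0]))
        else:
            problems.append("%s missing" % key)
    return problems


# Constructed sample: the policy store file with the container key misspelled.
POLICYSTORE_SAMPLE = """\
POLICYSTORE_HOST: POLICYSTORE.mycompany.com
POLICYSTORE_PORT: 389
POLICYSTORE_BINDDN: cn=orcladmin
POLICYSTORE_READONLYUSER: PolicyROUser
POLICYSTORE_READWRITEUSER: PolicyRWUser
POLICYSTORE_SEARCHBASE: dc=mycompany,dc=com
POLCYSTORE_CONTAINER: cn=idm_jpsroot
"""

# Constructed sample: a subset of the identity store file, with the page's spacing quirks.
IDSTORE_SAMPLE = """\
# Common
IDSTORE_HOST: LDAPHOST1.mycompany.com
IDSTORE_PORT: 3060
IDSTORE_BINDDN: cn=orcladmin
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=mycompany,dc=com
IDSTORE_SEARCHBASE: dc=mycompany,dc=com
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_USERSEARCHBASE: cn=Users, dc=mycompany,dc=com
IDSTORE_OAMADMINUSER:oamadmin
IDSTORE_SYSTEMIDBASE: cn=systemids,dc=mycompany,dc=com
# Required due to bug
IDSTORE_OAAMADMINUSER : oaamadmin
IDSTORE_READONLYUSER: IDROUser
IDSTORE_READWRITEUSER: IDRWUser
"""

if __name__ == "__main__":
    # Usage: python check_props.py <file> <configPolicyStore|preConfigIDStore>
    with open(sys.argv[1]) as fh:
        for problem in check_props(parse_props(fh.read()), sys.argv[2]):
            print(problem)
```

Run it against the real file before invoking idmConfigTool; an empty report means every key the example files use is present and the port values are numeric. The near-miss suggestion catches exactly the kind of one-letter slip that otherwise surfaces only as a confusing failure part-way through the tool's run.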
This section explains how to deploy Identity Management components to support Active Directory and Oracle Internet Directory as the identity store.
It contains the following topics:
Pre-configuring the Identity Store extends the schema in Oracle Internet Directory.
To do this, perform the following tasks on IDMHOST1:
Set MW_HOME to IAM_MW_HOME.
Set JAVA_HOME to JAVA_HOME.
Set ORACLE_HOME to IAM_ORACLE_HOME.
Configure the Identity Store by using the command idmConfigTool, which is located at:
IAM_ORACLE_HOME/idmtools/bin
Note:
When you run the idmConfigTool, it creates or appends to the file idmDomainConfig.param. This file is generated in the same directory that the idmConfigTool is run from. To ensure that each time the tool is run, the same file is appended to, always run the idmConfigTool from the directory:
IAM_ORACLE_HOME/idmtools/bin
The syntax of the command on Linux is:
idmConfigTool.sh -preConfigIDStore input_file=configfile
The syntax on Windows is:
idmConfigTool.bat -preConfigIDStore input_file=configfile
For example:
idmConfigTool.sh -preConfigIDStore input_file=idstore.props
When the command runs, you are prompted to enter the password of the account you are connecting to the Identity Store with. This command might take some time to complete.
Sample command output:
Enter ID Store Bind DN password:
May 25, 2011 2:37:18 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: IAM_ORACLE_HOME/idmtools/templates/oid/idm_idstore_groups_template.ldif
May 25, 2011 2:37:18 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: IAM_ORACLE_HOME/idmtools/templates/oid/idm_idstore_groups_acl_template.ldif
May 25, 2011 2:37:18 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: IAM_ORACLE_HOME/idmtools/templates/oid/systemid_pwdpolicy.ldif
May 25, 2011 2:37:18 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: IAM_ORACLE_HOME/idmtools/templates/oid/idstore_tuning.ldif
May 25, 2011 2:37:18 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: IAM_ORACLE_HOME/idmtools/templates/oid/oid_schema_extn.ldif
May 25, 2011 2:37:19 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: IAM_ORACLE_HOME/oam/server/oim-intg/schema/OID_oblix_pwd_schema_add.ldif
May 25, 2011 2:37:19 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: IAM_ORACLE_HOME/oam/server/oim-intg/schema/OID_oim_pwd_schema_add.ldif
May 25, 2011 2:37:19 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: IAM_ORACLE_HOME/oam/server/oim-intg/schema/OID_oblix_schema_add.ldif
May 25, 2011 2:37:34 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: IAM_ORACLE_HOME/oam/server/oim-intg/schema/OID_oblix_schema_index_add.ldif
The tool has completed its operation. Details have been logged to automation.log
Check the log file for any errors or warnings and correct them. The file with the name automation.log is created in the directory from where you run the tool.
Note:
In addition to creating users, idmConfigTool creates the following groups:
orclFAUserReadPrivilegeGroup
orclFAUserWritePrivilegeGroup
orclFAUserWritePrefsPrivilegeGroup
orclFAGroupReadPrivilegeGroup
orclFAGroupWritePrivilegeGroup
See Also:
Oracle Fusion Middleware Integration Overview for Oracle Identity Management Suite for more information about the idmConfigTool command.
This section describes how to configure Active Directory. Extend the schema in Active Directory as follows.
Note:
The order in which you perform the steps is critical!
Locate the following files:
IDM_ORACLE_HOME/oam/server/oim-intg/ldif/ad/schema/ADUserSchema.ldif
IDM_ORACLE_HOME/oam/server/oim-intg/ldif/ad/schema/AD_oam_pwd_schema_add.ldif
In both these files, replace domain-dn with the appropriate domain-dn value.
Use ldapadd from the command line to load the two LDIF files, as follows:
ldapadd -h activedirectoryhostname -p activedirectoryportnumber -D AD_administrator -q -c -f file
where AD_administrator is a user which has schema extension privileges to the directory.
For example:
ldapadd -h "ACTIVEDIRECTORYHOST.mycompany.com" -p 389 -D adminuser -q -c -f ADUserSchema.ldif
ldapadd -h "ACTIVEDIRECTORYHOST.mycompany.com" -p 389 -D adminuser -q -c -f AD_oam_pwd_schema_add.ldif
Note:
After the -D you can specify either a DN or user@domain.com.
Then go to:
IAM_MW_HOME/oracle_common/modules/oracle.ovd_11.1.1/oimtemplates
Run the following command to extend the Active Directory schema:
sh extendadschema.sh -h AD_host -p AD_port -D 'administrator@mydomain.com' -AD "dc=mydomain,dc=com" -OAM true
The command is extendadschema.bat on Windows.
Configure the Identity Store by using the command idmConfigTool, which is located at:
IAM_ORACLE_HOME/idmtools/bin
Note:
When you run the idmConfigTool, it creates or appends to the file idmDomainConfig.param. This file is generated in the same directory in which the idmConfigTool is run. To ensure that the same file is appended to every time you run the tool, always run the idmConfigTool from the directory:
IAM_ORACLE_HOME/idmtools/bin
The syntax of the command on Linux is:
idmConfigTool.sh -prepareIDStore mode=all input_file=configfile
The syntax on Windows is:
idmConfigTool.bat -prepareIDStore mode=all input_file=configfile
For example:
idmConfigTool.sh -prepareIDStore mode=all input_file=idstore.props
When the command runs, it prompts you to enter the password of the account you are connecting to and passwords for the accounts that are being created.
Note:
The password must conform to the following rules:
Six characters or more
One or more numeric character
Two or more alphabetic characters
Start with alphabetic character
One or more lowercase character
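A password rejected at the prompt is better caught beforehand, because by that point idmConfigTool has already begun creating accounts. The following checker is an added example, not part of idmConfigTool: it applies the five rules listed above to a candidate password and names the rules it fails. It assumes "alphabetic" and "numeric" mean ASCII letters and digits; the tool's exact character classes are not stated on this page.

```python
"""Checker for the idmConfigTool password rules listed in this chapter (added example, not Oracle code)."""
import getpass
import string

# Each rule exactly as the chapter states it, paired with the test for it.
# Assumption: alphabetic/numeric mean ASCII letters and digits.
RULES = [
    ("six characters or more", lambda pw: len(pw) >= 6),
    ("one or more numeric character", lambda pw: any(c in string.digits for c in pw)),
    ("two or more alphabetic characters", lambda pw: sum(c in string.ascii_letters for c in pw) >= 2),
    ("start with alphabetic character", lambda pw: bool(pw) and pw[0] in string.ascii_letters),
    ("one or more lowercase character", lambda pw: any(c in string.ascii_lowercase for c in pw)),
]


def password_rule_violations(password):
    """Return the rules the password fails, in the order the chapter lists them (empty = acceptable)."""
    return [name for name, ok in RULES if not ok(password)]


def password_is_acceptable(password):
    return not password_rule_violations(password)


if __name__ == "__main__":
    # Read the candidate without echo, the same way the tool prompts for it.
    candidate = getpass.getpass("Candidate password: ")
    failed = password_rule_violations(candidate)
    if failed:
        print("Rejected; fails: " + "; ".join(failed))
    else:
        print("Meets all five rules.")
```

The checker reports every failed rule rather than stopping at the first, so a single run shows everything that needs changing in the candidate.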
Note:
This invocation of idmConfigTool creates the group orclFAOAMUserWritePrivilegeGroup.
In the preceding sections, you seeded the Identity Store with users and artifacts for the Oracle components. If your Identity Store is hosted in a non-Oracle Internet Directory directory, such as Microsoft Active Directory, you must set up the access control lists (ACLs) to provide appropriate privileges to the entities you created. This section lists the artifacts created and the privileges required for the artifacts.
Users and groups. ACLs to the users and groups container are provided in Oracle Internet Directory. Set them manually for other directories. The Oracle Identity Manager/Oracle Access Manager integration and Fusion Applications require the following artifacts to be created in the Identity store.
Group with read privileges to the users container (orclFAUserReadPrivilegeGroup). Configure the local directory ACLs so that this group has privileges to read all the attributes of the users in the Identity Store.
Group with read/write privileges to the users container (orclFAUserWritePrivilegeGroup)
Group with read privileges to the groups container (orclFAGroupReadPrivilegeGroup)
Group with read privileges to the groups container (orclFAGroupWritePrivilegeGroup)
Group with write privileges to a partial set of attributes (orclFAUserWritePrefsPrivilegeGroup)
The user specified by the IDSTORE_READONLYUSER parameter. When you run the preConfigIDStore command, this user is assigned to the groups orclFAUserReadPrivilegeGroup, orclFAUserWritePrefsPrivilegeGroup, and orclFAGroupReadPrivilegeGroup. The user also needs compare privileges to the userpassword attribute of the user entry.
The user specified by the IDSTORE_READWRITEUSER parameter. It is assigned to the groups orclFAUserWritePrivilegeGroup and orclFAGroupWritePrivilegeGroup.
Systemids. The System ID container is created for storing all the system identifiers. If there is another container in which the users are to be created, that is specified as part of the admin.
Oracle Access Manager Admin User. This user is added to the OAM Administrator group, which provides permission for the administration of the Oracle Access Manager Console. No LDAP schema level privileges are required, since this is just an application user.
Oracle Access Manager Software User. This user is added to the groups where the user gets read privileges to the container. This is also provided with schema admin privileges.
Oracle Identity Manager user oimLDAP
under System ID container. Password policies are set accordingly in the container. The passwords for the users in the System ID container must be set up so that they do not expire.
Oracle Identity Manager administration group. The Oracle Identity Manager user is added as its member. The Oracle Identity Manager admin group is given complete read/write privileges to all the user and group entities in the directory.
WebLogic Administrator. This is the administrator of the IDM domain for Oracle Virtual Directory.
WebLogic Administrator Group. The WebLogic administrator is added as a member. This is the administrator group of the IDM domain for Oracle Virtual Directory.
Reserve container. Permissions are provided to the Oracle Identity Manager admin group to perform read/write operations.
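Because the ACLs in a non-Oracle Internet Directory directory are keyed to these group memberships, it is worth confirming that the memberships idmConfigTool established are really present before relying on them. The following verifier is an added example, not part of idmConfigTool or of this guide's procedures: it parses an LDIF export of the groups container (for instance the output of an ldapsearch in LDIF form) and lists every user/group pair from this section, and from the policy store groups in Section 11.4.1, that the export does not show. The user and group names come from this page; the DN layout (users under cn=Users, groups under cn=Groups, the policy store users in the same tree) and the embedded SAMPLE_LDIF are constructed assumptions.

```python
"""Verify idmConfigTool group memberships from an LDIF export (added example, not Oracle code)."""
import base64


def normalize_dn(dn):
    """Case-insensitive DN form with the space after each comma removed."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def _unfold(text):
    """Join LDIF continuation lines (a line beginning with one space continues the previous one)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return {normalized dn: {attribute (lowercase): [values]}} for every entry.
    Handles '#' comments, a version line and '::' base64-encoded values."""
    entries, dn, attrs = {}, None, None
    for line in _unfold(text) + [""]:  # trailing "" flushes the last entry
        if line.startswith("#") or line.startswith("version:"):
            continue
        if not line.strip():
            if dn is not None:
                entries[dn] = attrs
            dn, attrs = None, None
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name.lower() == "dn":
            dn, attrs = normalize_dn(value), {}
        elif attrs is None:
            raise ValueError("attribute before dn: %r" % line)
        else:
            attrs.setdefault(name.lower(), []).append(value)
    return entries


# User -> groups, as stated on this page (policy store users from Section 11.4.1,
# identity store users from this section). The user names are the page's example values.
MEMBERSHIP_RULES = {
    "PolicyROUser": ["OrclPolicyAndCredentialReadPrivilegeGroup"],
    "PolicyRWUser": ["OrclPolicyAndCredentialWritePrivilegeGroup"],
    "IDROUser": ["orclFAUserReadPrivilegeGroup", "orclFAUserWritePrefsPrivilegeGroup",
                 "orclFAGroupReadPrivilegeGroup"],
    "IDRWUser": ["orclFAUserWritePrivilegeGroup", "orclFAGroupWritePrivilegeGroup"],
}


def expected_memberships(users_base, groups_base):
    """Map each expected user DN to the set of group DNs it must belong to (DN layout assumed)."""
    return {normalize_dn("cn=%s,%s" % (user, users_base)):
            {normalize_dn("cn=%s,%s" % (group, groups_base)) for group in groups}
            for user, groups in MEMBERSHIP_RULES.items()}


def missing_memberships(entries, expected):
    """Return sorted (user_dn, group_dn) pairs that the export does not show.
    A group that is absent from the export counts as missing every expected member.
    Both uniquemember (OID groupOfUniqueNames) and member (Active Directory) are accepted."""
    missing = []
    for user_dn, groups in expected.items():
        for group_dn in groups:
            entry = entries.get(group_dn, {})
            members = {normalize_dn(m) for m in entry.get("uniquemember", []) + entry.get("member", [])}
            if user_dn not in members:
                missing.append((user_dn, group_dn))
    return sorted(missing)


# Constructed sample export: one folded line, one base64 value, mixed DN case, and
# one deliberate defect (IDRWUser is missing from orclFAGroupWritePrivilegeGroup).
SAMPLE_LDIF = """\
dn: cn=OrclPolicyAndCredentialReadPrivilegeGroup,cn=Groups,dc=mycompany,dc=com
objectclass: groupOfUniqueNames
uniquemember: cn=PolicyROUser,cn=Users,dc=mycompany,dc=com

dn: cn=OrclPolicyAndCredentialWritePrivilegeGroup,cn=Groups,dc=mycompany,dc=com
objectclass: groupOfUniqueNames
uniquemember: cn=PolicyRWUser,cn=Users,dc=mycompany,dc=com

dn: cn=orclFAUserReadPrivilegeGroup,cn=Groups,dc=mycompany,dc=com
description:: RkEgZ3JvdXA=
uniquemember: cn=IDROUser,cn=Users,dc=mycompany,dc=com
uniquemember: cn=oamLDAP,cn=Users,dc=mycompany,dc=com

dn: cn=orclFAUserWritePrefsPrivilegeGroup,cn=Groups,dc=mycompany,dc=com
uniquemember: cn=IDROUser,cn=Users,
 dc=mycompany,dc=com

dn: cn=orclFAGroupReadPrivilegeGroup,cn=Groups,dc=mycompany,dc=com
uniquemember: CN=IDROUser, CN=Users, DC=mycompany, DC=com

dn: cn=orclFAUserWritePrivilegeGroup,cn=Groups,dc=mycompany,dc=com
uniquemember: cn=IDRWUser,cn=Users,dc=mycompany,dc=com

dn: cn=orclFAGroupWritePrivilegeGroup,cn=Groups,dc=mycompany,dc=com
uniquemember: cn=IDROUser,cn=Users,dc=mycompany,dc=com
"""
```

On the constructed sample the verifier reports exactly one missing pair, IDRWUser in orclFAGroupWritePrivilegeGroup; against a real export, substitute your own IDSTORE_USERSEARCHBASE and IDSTORE_GROUPSEARCHBASE values for the two base DNs, and treat any reported pair as an ACL gap to close before the dependent components are configured.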
Back up your Oracle Internet Directory instances, Oracle Internet Directory database, and any third party directories used for identity information, as described in Section 21.6.3, "Performing Backups During Installation and Configuration."