Oracle® Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management (Oracle Fusion Applications Edition) 11g Release 6 (11.1.6) Part Number E21032-18 |
This chapter describes how to prepare the environment for Fusion Applications provisioning.
In earlier chapters, you were instructed to always run idmConfigTool from the same directory so that the tool would create or append to the file idmDomainConfig.param in that directory. The file idmDomainConfig.param in IAM_ORACLE_HOME/idmtools/bin now contains all the parameters that are required for Fusion Applications provisioning. Use that file as input to the Fusion Applications provisioning tool.
To enable Fusion Applications to communicate with the Identity Management domain using SSL Server Authentication Mode, Fusion Applications must be able to verify the server certificates the Identity Management domain presents. You must therefore build a keystore (a trust store) containing the trust point, the CA certificate, used by the Identity Management domain, and provide it to the Fusion Applications Provisioning process.
Note:
If you are using Windows, you must install a UNIX emulation package such as Cygwin in order to run the scripts contained in this section. See http://www.cygwin.com.
When using Cygwin, ensure that you use the "/" character in path names when exporting a variable. For example:
export ORACLE_HOME=c:/oracle/idm
To generate a keystore containing the trust point, perform the following steps on LDAPHOST1:
1. Set ORACLE_HOME to IDM_ORACLE_HOME.
2. Set JAVA_HOME to the location of the JDK used by the Identity Management installation.
3. Ensure that JAVA_HOME/bin is in your PATH variable, so that the script picks up that JDK's keytool.
4. Run the tool SSLClientConfig.sh, which is located in ORACLE_COMMON_HOME/bin, with the cacert component. For example:
./SSLClientConfig.sh -component cacert
As the command runs, enter the following values when prompted:
LDAP Host Name: POLICYSTORE.mycompany.com
LDAP Port: 389
LDAP User: cn=orcladmin
Password: Password_for_cn=orcladmin
SSL Domain: IDMDomain
Keystore Password: Enter a password to protect the keystore
Confirm Password: Reenter the password.
The following is typical output from the command:
./SSLClientConfig.sh -component cacert
SSL Automation Script: Release 11.1.1.4.0 - Production
Copyright (c) 2010 Oracle. All rights reserved.
Downloading the CA certificate from a central LDAP location
Creating a common trust store in JKS and Oracle Wallet formats ...
Configuring SSL clients with the common trust store...
Make sure that your LDAP server is currently up and running.
Downloading the CA certificate from the LDAP server...
>>>Enter the LDAP hostname [LDAPHOST1.mycompany.com]: POLICYSTORE.mycompany.com
>>>Enter the LDAP port: [3060]? 389
>>>Enter your LDAP user [cn=orcladmin]:
>>>Enter password for cn=orcladmin:
>>>Enter the sslDomain for the CA [idm]: IDMDomain
>>>Searching the LDAP for the CA usercertificate ...
Importing the CA certifcate into trust stores...
>>>The common trust store in JKS format is located at /u01/oracle/products/access/idm/rootCA/keystores/tmp/trust.jks
>>>The common trust store in Oracle wallet format is located at /u01/oracle/products/access/idm/rootCA/keystores/tmp/ewallet.p12
Generate trust store for the CA cert at cn=IDMDomain,cn=sslDomains
>>>Enter a password to protect your truststore:
>>>Enter confirmed password for your truststore:
Create directory /u01/oracle/products/access/idm/rootCA/keystores/common
Importing the CA certifcate into trust stores...
>>>The common trust store in JKS format is located at /u01/oracle/products/access/idm/rootCA/keystores/common/trust.jks
>>>The common trust store in Oracle wallet format is located at /u01/oracle/products/access/idm/rootCA/keystores/common/ewallet.p12
This creates a file called trust.jks, which must be provided to the Fusion Applications Provisioning process. Before handing it over, delete the private key entry (alias testkey) that the script placed in the keystore, so that the file you distribute contains only trusted certificates and no private key material. Use the following command:
keytool -delete -keystore trust.jks -alias testkey -storepass store_password
Oracle Fusion Applications provisioning uses this file to validate that the Identity Management installation is set up appropriately before provisioning takes place. In addition to the CA certificate, the keystore must also contain the certificate used by the load balancer for SSO.mycompany.com.
Before you start this procedure, obtain a copy of the load balancer's certificate. One way is to use your browser: access https://SSO.mycompany.com:443, then follow your browser's instructions to export the server certificate to a file (each browser does this differently). Make sure the certificate you export is the one the load balancer presents for SSO.mycompany.com, not a certificate for a different virtual host on the same address, and note its fingerprint so that you can confirm the import below.
After you have obtained the certificate, load it into the trust store using the following command:
keytool -import -v -noprompt -trustcacerts -alias "OIM" -file loadbalancer.cer -keystore DIR_ORACLE_HOME/rootCA/keystores/common/trust.jks
where loadbalancer.cer is the name of the file in which the load balancer's SSL certificate is stored, and the -keystore path is the trust.jks file that SSLClientConfig.sh created. Because -noprompt suppresses keytool's fingerprint confirmation, compare the certificate's fingerprint with the one published for the load balancer before you run the command. Once the load balancer certificate has been added, move the keystore to the domain keystore location, ASERVER_HOME/keystores, for consistency.
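The whole trust-store procedure above (removing the testkey entry, obtaining and importing the load balancer certificate, moving the file to ASERVER_HOME/keystores) as one script, with the post-condition check the guide leaves implicit: the keystore handed to provisioning must hold only trusted certificate entries and no private key. This is an added example, not part of the Oracle guide or the SSLClientConfig.sh tool. It assumes the paths used for ORACLE_HOME and ASERVER_HOME, the SSO host and port, and that openssl and keytool are on the PATH; "OIM" and "testkey" are the aliases the guide uses. It fetches the load balancer certificate with openssl s_client instead of a browser; the constructed keytool listings in the check functions stand in for real output.

```shell
#!/bin/sh
# Added example (not from the Oracle guide). Assumed values: the default paths
# below, the SSO host/port, and that openssl and keytool are on the PATH.
# SSLClientConfig.sh must already have been answered interactively.
# Set PREP_RUN=1 to execute the procedure; otherwise only functions are defined.
set -eu

: "${ORACLE_HOME:=/u01/oracle/products/access/idm}"        # assumed IDM_ORACLE_HOME
: "${ASERVER_HOME:=/u01/oracle/config/domains/IDMDomain}"  # assumed domain home

# Fetch the certificate the load balancer actually presents for a host, instead
# of exporting it from a browser. -servername sends SNI so a name-based virtual
# host returns the right certificate; </dev/null ends the TLS session cleanly.
fetch_lb_cert() {            # fetch_lb_cert host port outfile
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$3"
}

# SHA-1 fingerprint of a PEM certificate in keytool's AA:BB:... form, so the
# operator can compare it with the value published for the load balancer
# before -noprompt imports it without asking.
cert_fingerprint() {         # cert_fingerprint file
    openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//'
}

# Number of private-key entries in a 'keytool -list' listing read from stdin.
# Older JDKs print "keyEntry", newer ones "PrivateKeyEntry"; both count.
# A trust store given to provisioning should report 0.
count_private_keys() {
    grep -Ec ', ?(PrivateKeyEntry|keyEntry),' || true
}

# Number of trusted certificate entries in a listing read from stdin.
count_trusted_certs() {
    grep -c ', trustedCertEntry,' || true
}

# Removes testkey, imports the load balancer certificate, verifies the result
# and moves the keystore to the domain keystore directory.
# Note: -storepass on the command line is visible in ps output; on a shared
# host omit it and let keytool prompt instead.
prepare_trust_store() {      # prepare_trust_store storepass lb_cert_file
    jks="$ORACLE_HOME/rootCA/keystores/common/trust.jks"
    # 1. Only trust points belong in this file: drop the private key entry.
    keytool -delete -keystore "$jks" -alias testkey -storepass "$1"
    # 2. Add the load balancer certificate, showing the fingerprint first.
    echo "Importing SSO certificate, SHA1 fingerprint $(cert_fingerprint "$2")"
    keytool -import -v -noprompt -trustcacerts -alias OIM -file "$2" \
        -keystore "$jks" -storepass "$1"
    # 3. Post-condition: no private keys, at least the CA and LB certificates.
    listing=$(keytool -list -keystore "$jks" -storepass "$1")
    [ "$(printf '%s\n' "$listing" | count_private_keys)" -eq 0 ] \
        || { echo "trust.jks still contains a private key" >&2; return 1; }
    [ "$(printf '%s\n' "$listing" | count_trusted_certs)" -ge 2 ] \
        || { echo "expected the CA and load balancer certificates" >&2; return 1; }
    # 4. Move to the domain keystore location named in the guide.
    mkdir -p "$ASERVER_HOME/keystores"
    mv "$jks" "$ASERVER_HOME/keystores/trust.jks"
}

if [ "${PREP_RUN:-0}" = 1 ]; then
    fetch_lb_cert SSO.mycompany.com 443 /tmp/loadbalancer.cer
    prepare_trust_store "${TRUST_PASS:?set TRUST_PASS to the trust store password}" /tmp/loadbalancer.cer
fi
```

Run it as PREP_RUN=1 TRUST_PASS=... sh prepare_trust_store.sh on LDAPHOST1 after SSLClientConfig.sh has completed. The listing check is the part worth keeping even if the rest is done by hand: a trust store that still reports a PrivateKeyEntry is one that ships a private key to every host that receives it.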