Oracle® Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management (Oracle Fusion Applications Edition)
11g Release 7 (11.1.7)

Part Number E21032-21

10 Performing Post-Provisioning Configuration

This chapter describes tasks you must perform after provisioning.

It contains the following sections:

10.1 Correcting Datasource Configuration

Due to Bugs 17075699 and 17076033 in Identity Management Provisioning, you must make changes to the following datasources:

To make the changes, proceed as follows:

  1. Log in to the WebLogic Administration Console at the URL listed in Section 16.2, "About Identity Management Console URLs."

  2. Click Lock & Edit.

  3. Navigate to Services -> Data Sources.

  4. Click on the data source to be updated, for example, mds-soa-rc0.

  5. Click the Transaction tab.

  6. Deselect Supports Global Transactions.

  7. Click Save.

  8. Repeat Steps 4 through 7 for all the listed datasources.

  9. Click Activate Changes.

  10. Restart all servers.

10.2 Updating Oracle HTTP Server Runtime Parameters

By default, the Oracle HTTP Server contains parameter values that are suitable for most applications. These values, however, must be adjusted in IDM Deployments, on both WEBHOST1 and WEBHOST2.

Proceed as follows:

  1. Edit the file httpd.conf, which is located in:

    WEB_ORACLE_INSTANCE/config/OHS/component_name

  2. Find the entry that looks like this:

    <IfModule mpm_worker_module>
    
  3. Update the values in this section as follows:

    <IfModule mpm_worker_module>
      ServerLimit 20
      MaxClients 1000
      MinSpareThreads 200
      MaxSpareThreads 800
      ThreadsPerChild 50
      MaxRequestsPerChild 10000
      AcceptMutex fcntl
    </IfModule>
    
  4. Leave all remaining values unchanged.

  5. Save the file.
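
A drift check for the values in step 3, as an added example that is not part of the Oracle guide: it reads the `<IfModule mpm_worker_module>` block of an httpd.conf and reports each directive that is missing or differs, and also flags a MaxClients above ServerLimit × ThreadsPerChild, the ceiling that Apache's worker MPM enforces. The function names and the untuned sample block are constructed for illustration.

```shell
# Values required by step 3 above, as name=value pairs.
EXPECTED="ServerLimit=20 MaxClients=1000 MinSpareThreads=200 MaxSpareThreads=800 ThreadsPerChild=50 MaxRequestsPerChild=10000 AcceptMutex=fcntl"

# mpm_worker_drift FILE: print one line per directive inside <IfModule mpm_worker_module>
# that is missing or differs from EXPECTED; print nothing when the block matches.
mpm_worker_drift() {
  awk -v expected="$EXPECTED" '
    BEGIN {
      n = split(expected, pair, " ")
      for (i = 1; i <= n; i++) {
        split(pair[i], kv, "=")
        name[i] = kv[1]; want[tolower(kv[1])] = kv[2]
      }
    }
    { sub(/\r$/, "") }                            # tolerate CRLF line endings
    /^[ \t]*#/ { next }                           # ignore commented-out directives
    tolower($0) ~ /<ifmodule[ \t]+mpm_worker_module[ \t]*>/ { inside = 1; next }
    inside && tolower($0) ~ /<\/ifmodule>/ { inside = 0; next }
    inside && NF >= 2 { got[tolower($1)] = $2 }   # directive names are case-insensitive
    END {
      for (i = 1; i <= n; i++) {
        k = tolower(name[i])
        if (!(k in got))            print name[i] ": missing, expected " want[k]
        else if (got[k] != want[k]) print name[i] ": found " got[k] ", expected " want[k]
      }
      # The worker MPM cannot serve more clients than ServerLimit * ThreadsPerChild.
      cap = got["serverlimit"] * got["threadsperchild"]
      if (("maxclients" in got) && cap > 0 && got["maxclients"] + 0 > cap) print "MaxClients: " got["maxclients"] " exceeds ServerLimit*ThreadsPerChild = " cap
    }' "$1"
}

# Constructed sample (not taken from a real host): a block that was never tuned.
sample_untuned() {
  cat <<'EOF'
<IfModule mpm_worker_module>
  MaxClients 150
  MinSpareThreads 25
  MaxSpareThreads 75
  ThreadsPerChild 25
  MaxRequestsPerChild 0
  AcceptMutex fcntl
</IfModule>
EOF
}

tmp=$(mktemp); sample_untuned > "$tmp"
mpm_worker_drift "$tmp"; rm -f "$tmp"
```

Run `mpm_worker_drift` against the httpd.conf from step 1 on both WEBHOST1 and WEBHOST2; empty output means the block matches this section.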

10.3 Creating ODSM Connections to Oracle Virtual Directory

Before you can manage Oracle Virtual Directory you must create connections from ODSM to each of your Oracle Virtual Directory instances. To do this, proceed as follows:

  1. Access ODSM through the load balancer at: http://ADMIN.mycompany.com/odsm

  2. Create connections to each Oracle Virtual Directory node separately, as follows. Using the Oracle Virtual Directory load balancer virtual host from ODSM is not supported:

    1. Create a direct connection to Oracle Virtual Directory on LDAPHOST1 providing the following information in ODSM:

      Host: LDAPHOST1.mycompany.com

      Port: 8899 (The Oracle Virtual Directory proxy port, OVD_ADMIN_PORT in Section 3.7, "Fixed Ports Used by the Provisioning Wizard.")

      Enable the SSL option.

      User: cn=orcladmin

      Password: password_to_connect_to_OVD

    2. Create a direct connection to Oracle Virtual Directory on LDAPHOST2 providing the following information in ODSM:

      Host: LDAPHOST2.mycompany.com

      Port: 8899 (The Oracle Virtual Directory proxy port)

      Enable the SSL option.

      User: cn=orcladmin

      Password: password_to_connect_to_OVD

10.4 Post-Provisioning Steps for Oracle Identity Manager

Perform the following task to ensure that Oracle Identity Manager works correctly after provisioning.

10.4.1 Add an Oracle Identity Manager Property

As a workaround for a bug in the Identity Management Provisioning tools (Bug 16667037), you must add an Oracle Identity Manager property. Perform the following steps:

  1. Log in to the WebLogic Console. (The Console URLs are provided in Section 16.2, "About Identity Management Console URLs.")

  2. Navigate to Environment -> Servers.

  3. Click Lock and Edit.

  4. Click on the server WLS_OIM1.

  5. Click on the Server Start subtab.

  6. Add the following to the Arguments field:

    -Djava.net.preferIPv4Stack=true
    
  7. Click Save.

  8. Repeat Steps 4-7 for the managed server WLS_OIM2.

  9. Click Activate Changes.

  10. Restart the managed servers WLS_OIM1 and WLS_OIM2, as described in Section 16.1, "Starting and Stopping Components."

10.5 Post-Provisioning Steps for Oracle Access Manager

Perform the tasks in the following sections.

The Identity Management Console URLs are provided in Section 16.2, "About Identity Management Console URLs."

10.5.1 Updating Existing WebGate Agents

Update the OAM Security Model of all WebGate profiles, with the exception of Webgate_IDM and Webgate_IDM_11g, which should already be set.

To do this, perform the following steps:

  1. Log in to the Oracle Access Manager Console as the Oracle Access Manager administration user identified by the entry in Section 8.2, "Update User Names in Provisioning Response File."

  2. Click the System Configuration tab.

  3. Expand Access Manager Settings - SSO Agents.

  4. Click OAM Agents and select Open from the Actions menu.

  5. In the Search window, click Search.

  6. Click an Agent, for example: IAMSuiteAgent.

  7. Set the Security value to the security model in the OAM Configuration screen of the Identity Management Provisioning Wizard, as described in Section 8.1, "Running the Identity Management Provisioning Wizard to Create a Profile."

    Click Apply.

  8. Restart the managed servers WLS_OAM1 and WLS_OAM2 as described in Section 16.1, "Starting and Stopping Components."

10.5.2 Update WebGate Configuration

To update the maximum number of WebGate connections, proceed as follows.

  1. In the Oracle Access Manager Console, select the System Configuration tab.

  2. Select Access Manager -> SSO Agents -> OAM Agent from the directory tree. Double-click or select the Open Folder icon.

  3. On the displayed search page, click Search to perform an empty search.

  4. Click the Agent Webgate_IDM.

  5. Select Open from the Actions menu.

  6. Set Maximum Number of Connections to 20. (This is the total maximum number of connections for the primary servers, which is 10 wls_oam1 connections plus 10 wls_oam2 connections.)

  7. Set AAA Timeout Threshold to 5.

  8. In the User Defined Parameters box, set client_request_retry_attempts to 11.

  9. If the following Logout URLs are not listed, add them:

    • /oamsso/logout.html

    • /console/jsp/common/logout.jsp

    • /em/targetauth/emaslogout.jsp

  10. Click Apply.

Repeat Steps 4 through 7 for each WebGate.

10.5.3 Creating Oracle Access Manager Policies for WebGate 11g

In order to allow WebGate 11g to display the credential collector, you must add /oam to the list of public policies.

Proceed as follows:

  1. Log in to the OAM console at: http://ADMIN.mycompany.com/oamconsole

  2. Select the Policy Configuration tab.

  3. Expand Application Domains - IAM Suite.

  4. Click Resources.

  5. Click Open.

  6. Click New resource.

  7. Provide the following values:

    • Type: HTTP

    • Description: OAM Credential Collector

    • Host Identifier: IAMSuiteAgent

    • Resource URL: /oam

    • Protection Level: Unprotected

    • Authentication Policy: Public Policy

  8. Leave all other fields at their default values.

  9. Click Apply.

10.6 Passing Configuration Properties File to Oracle Fusion Applications

Oracle Fusion Applications requires a property file which details the IDM deployment. After provisioning, this file can be found at the following location:

SHARED_CONFIG_DIR/fa/idmsetup.properties