This chapter explains how to integrate Oracle Access Management Access Manager (Access Manager), Oracle Identity Manager, Oracle Virtual Directory, and Oracle Internet Directory. The following configuration instructions assume these components have been installed in a single-node topology, as discussed in Chapter 1, "Introduction."
If you are integrating Access Manager with Oracle Identity Manager for an enterprise deployment, see the configuration scenarios described in Oracle Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management.
For instructions about how to install the components described in this example integration, see Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.
Note:
The instructions in this chapter assume that Oracle Internet Directory is configured as the Identity Store and is front-ended by Oracle Virtual Directory to virtualize the data sources. Other component configurations are possible. Refer to the system requirements and certification documentation on Oracle Technology Network for more information about supported configurations.
This chapter contains these sections:
Section 7.6, "Integrating Access Manager with Oracle Identity Manager"
Section 7.7, "Configuring Oracle HTTP Server to Front-End Resources on OIM"
This integration scenario enables you to manage identities with Oracle Identity Manager and control access to resources with Access Manager. Oracle Identity Manager is a user provisioning and administration solution that automates user account management, whereas Access Manager provides a centralized and automated single sign-on (SSO) solution.
Access Manager uses a database for policy and configuration data and a single directory for identity data. This integration scenario assumes a single directory server, namely Oracle Internet Directory, is front-ended by Oracle Virtual Directory.
You can deploy the Identity Management components in a single WebLogic Server domain, which may be convenient for a development or test environment. You can also configure the components to be in a cross domain (also known as split domain) deployment where Access Manager and Oracle Identity Manager are installed in different WebLogic Server domains.
For more information about password management flows when Access Manager and Oracle Identity Manager are integrated, see Section 1.5.3, "Password Management Scenarios."
Table 7-1 lists the high-level tasks for integrating Access Manager and Oracle Identity Manager with Oracle Virtual Directory and Oracle Internet Directory.
Table 7-1 Integration Flow for Oracle Access Manager and Oracle Identity Manager

No. | Task | Information |
---|---|---|
1 | Verify that all required components have been installed and configured prior to integration. | For more information, see Integration Prerequisites. |
2 | Enable LDAP synchronization for Oracle Identity Manager. | For information, see: in Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management. See Table 7-2, "Required Components for Integration Scenario" for Oracle Identity Manager details. |
3 | Configure the Identity Store by extending the schema. | For information, see Extending Directory Schema for Access Manager. |
4 | Configure the Identity Store with the users required by Access Manager. | For information, see Creating Users and Groups for Access Manager. |
5 | Configure the Identity Store with the users required by Oracle Identity Manager. | For information, see Creating Users and Groups for Oracle Identity Manager. |
6 | Configure the Identity Store with the users required by Oracle WebLogic Server. | For more information, see Creating Users and Groups for Oracle WebLogic Server. |
7 | Edit the OVD User and Changelog Adapters so the | For information, see "Creating Adapters in Oracle Virtual Directory" in Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management. See Table 7-2, "Required Components for Integration Scenario" for Oracle Virtual Directory details. |
8 | Stop the Oracle WebLogic Server managed servers for Access Manager and Oracle Identity Manager. | For information, see "Starting and Stopping Oracle WebLogic Server Instances" in Oracle Fusion Middleware Administrator's Guide. |
9 | Extend Access Manager to support Oracle Identity Manager. | For information, see Configuring Access Manager for Integration. |
10 | Integrate Access Manager and Oracle Identity Manager. | For information, see Integrating Access Manager with Oracle Identity Manager. |
11 | Configure the WebGate on the OHS server to point to the 11g OAM Server. | For information, see Configuring Oracle HTTP Server to Front-End Resources on OIM. |
12 | Remove the IDM Domain Agent and start the Oracle WebLogic Server Administration and Managed Servers. | For information, see Starting Servers with Domain Agent Removed. |
13 | Test the integration. | For information, see Testing the Integration. |
14 | Depending upon your environment, migrate the Domain Agent to OHS 10g WebGate. | For information, see Migrating from the Domain Agent to 10g WebGate with OHS 11g. |
15 | Depending upon your environment, update the SOA server default composites. | For information, see Updating the Out-of-the-box SOA Server Composite. |
Prior to configuring Access Manager with Oracle Identity Manager, you must install the required components listed in this section, including any dependencies, and configure the environment. For more information about the integration topologies, see Section 1.2, "Integration Topologies."
Note:
For installation information, follow the instructions in the following publication:
Table 7-2 lists the required components that must be installed and configured before the Access Manager and Oracle Identity Manager integration tasks are performed.

Table 7-2 Required Components for Integration Scenario

Component | Information |
---|---|
Oracle database | For more information, see Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management. |
Oracle WebLogic Server 10.3.6 | For more information, see Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management and Oracle Fusion Middleware Installation Guide for Oracle WebLogic Server. |
Repository Creation Utility (RCU) | Oracle Fusion Middleware Repository Creation Utility (RCU) is available on the Oracle Technology Network (OTN) web site. For more information about using RCU, see Oracle Fusion Middleware Repository Creation Utility User's Guide. Note: All required schemas must be created before installing some of the Oracle Identity and Access Management components. For more information, see Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management. |
Access Manager | For more information, see "Installing Oracle Identity and Access Management" and "Configuring Access Manager" in Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management. |
Oracle HTTP Server with 11g WebGate or 10g WebGate | For more information, see "Installing and Configuring Oracle HTTP Server 11g WebGate for OAM" in Oracle Fusion Middleware Installing WebGates for Oracle Access Manager. The OHS profile must be updated so the Oracle Identity Manager administration pages launch correctly after integration with Access Manager is completed. For more information, see Configuring Oracle HTTP Server to Front-End Resources on OIM. |
Oracle Identity Manager | For more information, see "Installing and Configuring Oracle Identity and Access Management" and "Configuring Oracle Identity Manager" in Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management. Note: When configuring Oracle Identity Manager, the LDAP directory must be preconfigured before you can use it as an Identity Store. Ensure that all installation instructions are followed, including any prerequisites for enabling LDAP synchronization. For more information see: in Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management. Note: You must create the wlfullclient.jar when installing Oracle Identity Manager, and this file must be present before performing the integration steps. Follow the installation instructions carefully. |
Oracle Virtual Directory | For more information, see "Configuring Oracle Virtual Directory" in Oracle Fusion Middleware Installation Guide for Oracle Identity Management. Before you can start using Oracle Virtual Directory with an Identity Store, you must create adapters for each of the directories you want to use. For each adapter, the |
Oracle Internet Directory | For more information, see "Configuring Oracle Internet Directory" in Oracle Fusion Middleware Installation Guide for Oracle Identity Management. |
Oracle SOA Suite | For more information, see Oracle Fusion Middleware Installation Guide for Oracle SOA Suite and Oracle Business Process Management Suite. |
The Identity Store must be configured so that it can be used by Access Manager, Oracle Identity Manager, and Oracle WebLogic Server. It must be seeded with the required users and groups.
This section contains the following topics:
Use idmConfigTool to configure the Identity Store to extend the schema in Oracle Internet Directory. For more information about the idmConfigTool command, see Chapter 2, "Using the idmConfigTool Command."
Set the environment variables required for idmconfigtool. For information, see Section 2.2, "Set Up Environment Variables."
Create a properties file, for example, named extendOAMPropertyFile, with contents similar to the following.
```
IDSTORE_HOST: idstore.example.com
IDSTORE_PORT: 389
IDSTORE_BINDDN: cn=orcladmin
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_USERSEARCHBASE: cn=Users,dc=example,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com
IDSTORE_SEARCHBASE: dc=example,dc=com
IDSTORE_SYSTEMIDBASE: cn=systemids,dc=example,dc=com
```
Where:
IDSTORE_HOST and IDSTORE_PORT are the host and port, respectively, of your Identity Store directory. If your Identity Store is in Oracle Internet Directory, then IDSTORE_HOST should point to Oracle Internet Directory, even if you are fronting Oracle Internet Directory with Oracle Virtual Directory.
If you are using a directory other than Oracle Internet Directory, specify the Oracle Virtual Directory host (which should be IDSTORE.example.com).
IDSTORE_BINDDN is an administrative user in the Identity Store directory.
IDSTORE_USERNAMEATTRIBUTE is used to set and search for users in the identity store. This property should be set to part of the user DN. For example, if the user DN is cn=orcladmin,cn=Users,dc=us,dc=example,dc=com, this property should be set to cn.
IDSTORE_LOGINATTRIBUTE is the login attribute of the identity store that contains the user's login name. This is the attribute the user uses for login, for example uid or email.
IDSTORE_USERSEARCHBASE should be set to the location in the directory where users are stored. This property tells the directory where to search for users.
IDSTORE_GROUPSEARCHBASE should be set to the location in the directory where groups (or roles) are stored. This property tells the directory where to search for groups or roles.
IDSTORE_SEARCHBASE should be set to the location in the directory where users and groups are stored. This property is the parent location that contains the USERSEARCHBASE and the GROUPSEARCHBASE.
For example:
```
IDSTORE_SEARCHBASE: cn=oracleAccounts, dc=example,dc=com
IDSTORE_USERSEARCHBASE: cn=Users,cn=oracleAccounts,dc=example,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,cn=oracleAccounts,dc=example,dc=com
```
IDSTORE_SYSTEMIDBASE is the location of a container in the directory where system operations users should be stored so that they are kept separate from enterprise users stored in the main user container. There are only a few system operations users. One example is the Oracle Identity Manager reconciliation user, which is also used as the bind DN user in Oracle Virtual Directory adapters.
Configure the Identity Store by using idmConfigTool with the -preConfigIDStore command, which is located at:
IAM_ORACLE_HOME/idmtools/bin
The -preConfigIDStore command supports Oracle Internet Directory, Oracle Unified Directory, and Oracle Virtual Directory.
The syntax of the command on Linux is:
```
idmConfigTool.sh -preConfigIDStore input_file=configfile
```
The syntax on Windows is:
```
idmConfigTool.bat -preConfigIDStore input_file=configfile
```
When the command runs, you are prompted to enter the password of the account used to connect to the Identity Store.
Sample command output, when running the command against Oracle Virtual Directory:
```
Enter ID Store Bind DN password:
May 25, 2011 2:37:18 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/idm_idstore_groups_template.ldif
May 25, 2011 2:37:18 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/idm_idstore_groups_acl_template.ldif
May 25, 2011 2:37:18 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/systemid_pwdpolicy.ldif
May 25, 2011 2:37:18 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/idstore_tuning.ldif
May 25, 2011 2:37:18 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/oid_schema_extn.ldif
May 25, 2011 2:37:19 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/oam/server/oim-intg/schema/OID_oblix_pwd_schema_add.ldif
May 25, 2011 2:37:19 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/oam/server/oim-intg/schema/OID_oim_pwd_schema_add.ldif
May 25, 2011 2:37:19 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/oam/server/oim-intg/schema/OID_oblix_schema_add.ldif
May 25, 2011 2:37:34 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/oam/server/oim-intg/schema/OID_oblix_schema_index_add.ldif
The tool has completed its operation. Details have been logged to automation.log
```
The automation.log file is created in the directory where you run the tool. Check the log file for any errors or warnings and correct them. The tool is reentrant and can be safely called again.
In addition to creating users, idmConfigTool creates the groups OrclPolicyAndCredentialWritePrivilegeGroup and OrclPolicyAndCredentialReadPrivilegeGroup.
Use idmConfigTool to seed the Identity Store with the users required by Access Manager as follows. For more information about the idmConfigTool command, see Chapter 2, "Using the idmConfigTool Command."
Set the environment variables required for idmconfigtool.
Create a properties file, for example, named preconfigOAMPropertyFile, with contents similar to the following. This file will be used to preconfigure the Identity Store.
```
IDSTORE_HOST : idstore.example.com
IDSTORE_PORT : 389
IDSTORE_BINDDN : cn=orcladmin
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_USERSEARCHBASE: cn=Users,dc=example,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com
IDSTORE_SEARCHBASE: dc=example,dc=com
IDSTORE_SYSTEMIDBASE: cn=systemids,dc=example,dc=com
POLICYSTORE_SHARES_IDSTORE: true
OAM11G_IDSTORE_ROLE_SECURITY_ADMIN:OAMAdministrators
IDSTORE_OAMSOFTWAREUSER:oamLDAP
IDSTORE_OAMADMINUSER:oamadmin
```
Where:
IDSTORE_HOST and IDSTORE_PORT are the host and port, respectively, of your Identity Store directory. If your Identity Store is in Oracle Internet Directory, then IDSTORE_HOST should point to Oracle Internet Directory, even if you are fronting Oracle Internet Directory with Oracle Virtual Directory.
If you are using a directory other than Oracle Internet Directory, specify the Oracle Virtual Directory host.
IDSTORE_BINDDN is an administrative user in the Identity Store directory.
IDSTORE_USERNAMEATTRIBUTE is used to set and search for users in the identity store. This property should be set to part of the user DN. For example, if the user DN is cn=orcladmin,cn=Users,dc=us,dc=example,dc=com, this property should be set to cn.
IDSTORE_LOGINATTRIBUTE is the login attribute of the identity store that contains the user's login name. This is the attribute the user uses for login, for example uid or email.
IDSTORE_USERSEARCHBASE should be set to the location in the directory where users are stored. This property tells the directory where to search for users.
IDSTORE_GROUPSEARCHBASE should be set to the location in the directory where groups (or roles) are stored. This property tells the directory where to search for groups or roles.
IDSTORE_SEARCHBASE should be set to the location in the directory where users and groups are stored. This property is the parent location that contains the USERSEARCHBASE and the GROUPSEARCHBASE.
POLICYSTORE_SHARES_IDSTORE is set to true if your Policy and Identity Stores are in the same directory. If not, it is set to false.
OAM11G_IDSTORE_ROLE_SECURITY_ADMIN is the name of the group that is used to allow access to the Oracle Access Management administration console.
IDSTORE_OAMSOFTWAREUSER is the name of the directory user that Access Manager will use to interact with the directory or LDAP server. This user is created by the tool.
IDSTORE_OAMADMINUSER is the name of the user you want to create as your Oracle Access Management Administrator. This user is created by the tool.
Configure the Identity Store by using idmConfigTool with the -prepareIDStore command, which is located at:
IAM_ORACLE_HOME/idmtools/bin
The syntax of the command on Linux is:
```
idmConfigTool.sh -prepareIDStore mode=OAM input_file=configfile
```
The syntax on Windows is:
```
idmConfigTool.bat -prepareIDStore mode=OAM input_file=configfile
```
The command prompts you to enter the password for the account used to connect to the Identity Store. You are then prompted to create passwords for the following three accounts:
The Oblix anonymous user account
The OAM administrator account
The OAM LDAP account
Sample command output:
```
Enter ID Store Bind DN password:
May 25, 2011 2:44:59 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/oam_schema_extn.ldif
*** Creation of Oblix Anonymous User ***
May 25, 2011 2:44:59 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/oam_10g_anonymous_user_template.ldif
Enter User Password for oblixanonymous:
Confirm User Password for oblixanonymous:
*** Creation of oamadmin ***
May 25, 2011 2:45:08 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/oam_user_template.ldif
Enter User Password for oamadmin:
Confirm User Password for oamadmin:
*** Creation of oamLDAP ***
May 25, 2011 2:45:16 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/oam_user_template.ldif
Enter User Password for oamLDAP:
Confirm User Password for oamLDAP:
May 25, 2011 2:45:21 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/common/oam_user_group_read_acl_template.ldif
May 25, 2011 2:45:21 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/oim_group_template.ldif
May 25, 2011 2:45:21 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/oam_group_member_template.ldif
May 25, 2011 2:45:21 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/oam_config_acl.ldif
May 25, 2011 2:45:21 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/oid_schemaadmin.ldif
The tool has completed its operation. Details have been logged to automation.log
```
The automation.log file is created in the directory where you run the tool. Check the log file for any errors or warnings and correct them. The tool is reentrant and can be safely called again.
Use idmConfigTool to seed the Identity Store with the users required by Oracle Identity Manager as follows. For more information about the idmConfigTool command, see Chapter 2, "Using the idmConfigTool Command."
A system user is required for performing operations in Oracle Internet Directory on behalf of Oracle Identity Manager. Create this user in the system container and give it the permissions appropriate for controlling all the containers Oracle Identity Manager communicates with. Oracle Virtual Directory uses these credentials to connect to the backend directories.
Set the environment variables required for idmconfigtool.
Create a properties file, for example, named preconfigOIMPropertyFile, with contents similar to the following. The file will be used to preconfigure the Identity Store.
```
IDSTORE_HOST: idstore.example.com
IDSTORE_PORT: 389
IDSTORE_BINDDN: cn=orcladmin
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_USERSEARCHBASE: cn=Users,dc=example,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com
IDSTORE_SEARCHBASE: dc=example,dc=com
POLICYSTORE_SHARES_IDSTORE: true
IDSTORE_SYSTEMIDBASE: cn=systemids,dc=example,dc=com
IDSTORE_OIMADMINUSER: oimLDAP
IDSTORE_OIMADMINGROUP: OIMAdministrators
```
Where:
IDSTORE_HOST and IDSTORE_PORT are, respectively, the host and port of your Identity Store directory. If your Identity Store is in Oracle Internet Directory, then IDSTORE_HOST should point to Oracle Internet Directory, even if you are fronting Oracle Internet Directory with Oracle Virtual Directory.
If you are using a non-OID directory, then specify the Oracle Virtual Directory host (which should be IDSTORE.example.com).
IDSTORE_BINDDN is an administrative user in the Identity Store directory.
IDSTORE_USERNAMEATTRIBUTE is used to set and search for users in the Identity Store.
IDSTORE_LOGINATTRIBUTE is the login attribute of the Identity Store which contains the user's login name.
IDSTORE_USERSEARCHBASE is the location in your Identity Store where users are placed.
IDSTORE_GROUPSEARCHBASE is the location in your Identity Store where groups are placed.
IDSTORE_SEARCHBASE is the location in the directory where users and groups are stored.
POLICYSTORE_SHARES_IDSTORE is set to true if your Policy and Identity Stores are in the same directory. If not, it is set to false.
IDSTORE_SYSTEMIDBASE is the location in your directory where the Oracle Identity Manager reconciliation user is placed.
IDSTORE_OIMADMINUSER is the user that Oracle Identity Manager uses to connect to the Identity Store.
IDSTORE_OIMADMINGROUP is the name of the group you want to create to hold your Oracle Identity Manager administrative users.
Configure the Identity Store by using idmConfigTool with the -prepareIDStore command, which is located at:
IAM_ORACLE_HOME/idmtools/bin
The syntax of the command on Linux is:
```
idmConfigTool.sh -prepareIDStore mode=OIM input_file=configfile
```
The syntax on Windows is:
```
idmConfigTool.bat -prepareIDStore mode=OIM input_file=configfile
```
When the command runs, you are prompted to enter the password of the account used to connect to the Identity Store. The command also asks you to create passwords for the following two accounts:
IDSTORE_OIMADMINUSER
xelsysadm. This value should match the value you create as part of the Oracle Identity Manager configuration.
Sample command output:
```
Enter ID Store Bind DN password:
*** Creation of oimLDAP ***
Apr 5, 2011 4:58:51 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/oim_user_template.ldif
Enter User Password for oimLDAP:
Confirm User Password for oimLDAP:
Apr 5, 2011 4:59:01 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/oim_group_template.ldif
Apr 5, 2011 4:59:01 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/oim_group_member_template.ldif
Apr 5, 2011 4:59:01 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/oim_groups_acl_template.ldif
Apr 5, 2011 4:59:01 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/oim_reserve_template.ldif
*** Creation of Xel Sys Admin User ***
Apr 5, 2011 4:59:01 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/oam_user_template.ldif
Enter User Password for xelsysadm:
Confirm User Password for xelsysadm:
The tool has completed its operation. Details have been logged to /home/oracle/idmtools/oim.log
```
The automation.log file is created in the directory where you run the tool. Check the log file for any errors or warnings and correct them. The tool is reentrant and can be safely called again.
To enable single sign-on for your administrative consoles, you must ensure that there is a user in your Identity Store who has the permissions to log in to your WebLogic Server administration console and Oracle Enterprise Manager Fusion Middleware Control. Use idmConfigTool to seed the Identity Store with the users required by WebLogic Server as follows. For more information about the idmConfigTool command, see Chapter 2, "Using the idmConfigTool Command."
Set the environment variables required for idmconfigtool.
Create a properties file, for example, named preconfigWLSPropertyFile, with contents similar to the following. The file will be used to preconfigure the Identity Store.
```
IDSTORE_HOST : idstore.example.com
IDSTORE_PORT : 389
IDSTORE_BINDDN : cn=orcladmin
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_WLSADMINUSER: weblogic_idm
IDSTORE_WLSADMINGROUP: wlsadmingroup
IDSTORE_USERSEARCHBASE: cn=Users,dc=example,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com
IDSTORE_SEARCHBASE: dc=example,dc=com
POLICYSTORE_SHARES_IDSTORE: true
```
Where:
IDSTORE_HOST and IDSTORE_PORT are the host and port, respectively, of your Identity Store directory. If your Identity Store is in Oracle Internet Directory, then IDSTORE_HOST should point to Oracle Internet Directory, even if you are fronting Oracle Internet Directory with Oracle Virtual Directory.
If you are using a directory other than Oracle Internet Directory, specify the Oracle Virtual Directory host (which should be IDSTORE.example.com).
IDSTORE_BINDDN is an administrative user in the Identity Store directory.
IDSTORE_USERNAMEATTRIBUTE is used to set and search for users in the Identity Store.
IDSTORE_LOGINATTRIBUTE is the login attribute of the Identity Store that contains the user's login name.
IDSTORE_WLSADMINUSER is the Identity Store administrator for Oracle WebLogic Server.
IDSTORE_WLSADMINGROUP is the Identity Store administrator group for Oracle WebLogic Server.
IDSTORE_USERSEARCHBASE is the location in the directory where users are stored.
IDSTORE_GROUPSEARCHBASE is the location in the directory where groups are stored.
IDSTORE_SEARCHBASE is the location in the directory where users and groups are stored.
POLICYSTORE_SHARES_IDSTORE is set to true if your Policy and Identity Stores are in the same directory. If not, it is set to false.
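The four properties files in this section (extendOAMPropertyFile, preconfigOAMPropertyFile, preconfigOIMPropertyFile and preconfigWLSPropertyFile) share the same key: value layout and the same containment rules: IDSTORE_USERSEARCHBASE and IDSTORE_GROUPSEARCHBASE sit under IDSTORE_SEARCHBASE, and IDSTORE_SYSTEMIDBASE is kept out of the enterprise user container. The following Python script is an added example, not part of this guide or of idmConfigTool; it parses such a file and checks those rules before the tool is run, so that a mistyped search base is caught before idmConfigTool writes anything to the directory. The per-mode required-key lists are taken from the sample files in this section and are an assumption about what each run needs; the embedded sample is the preconfigOIMPropertyFile shown above.

```python
"""Consistency check for an idmConfigTool properties file (added example).

The required-key lists below are lifted from the sample files in this
section; they are an assumption about the tool's needs, not its own spec."""
from typing import Dict, List

# Keys that every sample file in this section sets.
COMMON_KEYS = [
    "IDSTORE_HOST", "IDSTORE_PORT", "IDSTORE_BINDDN",
    "IDSTORE_USERNAMEATTRIBUTE", "IDSTORE_LOGINATTRIBUTE",
    "IDSTORE_USERSEARCHBASE", "IDSTORE_GROUPSEARCHBASE", "IDSTORE_SEARCHBASE",
]
# Extra keys per run: EXTEND is -preConfigIDStore, the rest are -prepareIDStore modes.
MODE_KEYS = {
    "EXTEND": ["IDSTORE_SYSTEMIDBASE"],
    "OAM": ["IDSTORE_SYSTEMIDBASE", "POLICYSTORE_SHARES_IDSTORE",
            "OAM11G_IDSTORE_ROLE_SECURITY_ADMIN",
            "IDSTORE_OAMSOFTWAREUSER", "IDSTORE_OAMADMINUSER"],
    "OIM": ["IDSTORE_SYSTEMIDBASE", "POLICYSTORE_SHARES_IDSTORE",
            "IDSTORE_OIMADMINUSER", "IDSTORE_OIMADMINGROUP"],
    "WLS": ["POLICYSTORE_SHARES_IDSTORE",
            "IDSTORE_WLSADMINUSER", "IDSTORE_WLSADMINGROUP"],
}

# The preconfigOIMPropertyFile from this section, used as the default input.
SAMPLE_OIM_FILE = """\
IDSTORE_HOST: idstore.example.com
IDSTORE_PORT: 389
IDSTORE_BINDDN: cn=orcladmin
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_USERSEARCHBASE: cn=Users,dc=example,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com
IDSTORE_SEARCHBASE: dc=example,dc=com
POLICYSTORE_SHARES_IDSTORE: true
IDSTORE_SYSTEMIDBASE: cn=systemids,dc=example,dc=com
IDSTORE_OIMADMINUSER: oimLDAP
IDSTORE_OIMADMINGROUP: OIMAdministrators
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Parse 'KEY: value' lines; both 'KEY: v' and 'KEY : v' appear in this section.
    Only the first colon splits key from value, so URLs in values survive."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep or not key.strip():
            raise ValueError(f"malformed property line: {raw!r}")
        props[key.strip()] = value.strip()
    return props


def normalize_dn(dn: str) -> List[str]:
    """Split a DN into RDNs, ignoring case and the space in
    'cn=oracleAccounts, dc=example,dc=com' as written in this section."""
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]


def dn_is_under(child: str, parent: str) -> bool:
    """True when parent is a suffix of child (child equals or lies below parent)."""
    c, p = normalize_dn(child), normalize_dn(parent)
    return len(c) >= len(p) and c[len(c) - len(p):] == p


def validate(props: Dict[str, str], mode: str) -> List[str]:
    """Return the problems found; an empty list means the file is consistent."""
    mode = mode.upper()
    if mode not in MODE_KEYS:
        raise ValueError(f"unknown mode {mode!r}; expected one of {sorted(MODE_KEYS)}")
    problems = [f"{k} is missing or empty" for k in COMMON_KEYS + MODE_KEYS[mode]
                if not props.get(k)]
    if problems:
        return problems  # the structural checks below need these keys present
    if not props["IDSTORE_PORT"].isdigit():
        problems.append("IDSTORE_PORT must be a TCP port number")
    # SEARCHBASE is the parent of both USERSEARCHBASE and GROUPSEARCHBASE.
    for key in ("IDSTORE_USERSEARCHBASE", "IDSTORE_GROUPSEARCHBASE"):
        if not dn_is_under(props[key], props["IDSTORE_SEARCHBASE"]):
            problems.append(f"{key} is not under IDSTORE_SEARCHBASE")
    # System operations users stay separate from the enterprise user container.
    sysbase = props.get("IDSTORE_SYSTEMIDBASE")
    if sysbase and dn_is_under(sysbase, props["IDSTORE_USERSEARCHBASE"]):
        problems.append("IDSTORE_SYSTEMIDBASE must not be inside IDSTORE_USERSEARCHBASE")
    shares = props.get("POLICYSTORE_SHARES_IDSTORE")
    if shares is not None and shares.lower() not in ("true", "false"):
        problems.append("POLICYSTORE_SHARES_IDSTORE must be true or false")
    return problems


def check_file(path: str, mode: str) -> List[str]:
    """Validate a properties file on disk for the given run mode."""
    with open(path, encoding="utf-8") as fh:
        return validate(parse_properties(fh.read()), mode)


if __name__ == "__main__":
    import sys
    # Usage: python check_props.py <properties-file> <EXTEND|OAM|OIM|WLS>
    issues = (check_file(sys.argv[1], sys.argv[2]) if len(sys.argv) == 3
              else validate(parse_properties(SAMPLE_OIM_FILE), "OIM"))
    print("OK" if not issues else "\n".join(issues))
```

Run it with the properties file and the mode you are about to pass to idmConfigTool; anything it prints is worth fixing before the tool is run, since the tool itself only reports directory errors after it has started loading LDIF templates.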
Configure the Identity Store by using the idmConfigTool with the -prepareIDStore command, which is located at:
IAM_ORACLE_HOME/idmtools/bin
The syntax of the command on Linux is:
```
idmConfigTool.sh -prepareIDStore mode=WLS input_file=configfile
```
The syntax on Windows is:
```
idmConfigTool.bat -prepareIDStore mode=WLS input_file=configfile
```
The command prompts you to enter the password for the account used to connect to the Identity Store. You are then prompted to create a password for the following account:
WebLogic administrative user (weblogic_idm)
Sample command output:
```
Enter ID Store Bind DN password :
*** Creation of Weblogic Admin User ***
Jul 28, 2013 10:16:30 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /scratch/binojose/Oracle/ipftest/Oracle_IDM1/idmtools/templates/oid/oam_user_template.ldif
Enter User Password for weblogic_idm:
Confirm User Password for weblogic_idm:
Jul 28, 2013 10:16:38 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /scratch/binojose/Oracle/ipftest/Oracle_IDM1/idmtools/templates/oid/fa_add_pwdpolicy.ldif
Jul 28, 2013 10:16:38 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /scratch/binojose/Oracle/ipftest/Oracle_IDM1/idmtools/templates/oid/weblogic_admin_group.ldif
Jul 28, 2013 10:16:39 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /scratch/binojose/Oracle/ipftest/Oracle_IDM1/idmtools/templates/common/group_member_template.ldif
The tool has completed its operation. Details have been logged to automation.log
```
The automation.log file is created in the directory where you run the tool. Check the log file for any errors or warnings and correct them. The tool is reentrant and can be safely called again.
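Each of the four idmConfigTool runs in this section ends with the same instruction: check automation.log for errors or warnings before going on, and rerun the tool (it is reentrant) once they are corrected. The following Python script is an added example, not part of this guide or of idmConfigTool. It scans a log written in the java.util.logging record format that the listings above show (a header line followed by a LEVEL: message line), collects the LDIF templates that were loaded, flags every record above INFO, and reports whether the completion marker was written. The sample log embedded in it is constructed: two records are copied from the listings in this section and the WARNING record is invented to show what gets flagged.

```python
"""Scan an idmConfigTool automation.log for records above INFO (added example).

The log format is java.util.logging's default: a header line ("May 25, 2011
2:37:18 PM oracle.ldap.util.LDIFLoader loadOneLdifFile") followed by a
"LEVEL: message" line, as in the listings in this section."""
import re
from typing import Dict, List, Tuple

# No leading word boundary on purpose: the two lines of a record are sometimes
# run together ("loadOneLdifFileINFO: ...") when the log is copied around.
LEVEL_RE = re.compile(r"(SEVERE|WARNING|INFO|CONFIG|FINEST|FINER|FINE):\s*(.*)$")
LOADING_RE = re.compile(r"->\s*LOADING:\s*(\S+)")
DONE_MARKER = "The tool has completed its operation."

# Constructed sample log: the first two records are copied from this section's
# listings; the WARNING record is invented for the example.
SAMPLE_LOG = """\
May 25, 2011 2:37:18 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/oid_schema_extn.ldif
May 25, 2011 2:37:19 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/oam/server/oim-intg/schema/OID_oblix_schema_add.ldif
May 25, 2011 2:37:20 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
WARNING: entry already exists, skipped (constructed sample line)
The tool has completed its operation. Details have been logged to automation.log
"""


def scan_log(text: str) -> Dict[str, object]:
    """Return the LDIF files loaded, every record above INFO, and whether the
    completion marker is present."""
    loaded: List[str] = []
    flagged: List[Tuple[str, str]] = []
    for line in text.splitlines():
        m = LEVEL_RE.search(line)
        if not m:
            continue  # prompts, banners and header lines carry no level
        level, message = m.group(1), m.group(2).strip()
        if level == "INFO":
            lm = LOADING_RE.search(message)
            if lm:
                loaded.append(lm.group(1))
        else:
            flagged.append((level, message))
    return {"loaded": loaded, "flagged": flagged, "completed": DONE_MARKER in text}


def log_is_clean(text: str) -> bool:
    """True when the run reached the completion marker and logged nothing above INFO."""
    result = scan_log(text)
    return bool(result["completed"]) and not result["flagged"]


def scan_file(path: str) -> Dict[str, object]:
    """Scan a log file on disk (for example automation.log in the run directory)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_log(fh.read())


if __name__ == "__main__":
    import sys
    # Usage: python scan_automation_log.py [automation.log]
    result = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan_log(SAMPLE_LOG)
    for path in result["loaded"]:
        print("loaded:", path)
    for level, message in result["flagged"]:
        print(f"{level}: {message}")
    print("completed:", result["completed"])
```

Treat a missing completion marker the same way as a flagged record: the tool stopped before it wrote its final message, so the directory is in whatever state the last loaded template left it, and the run should be repeated after the cause is fixed.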
Before integrating Oracle Identity Manager with Access Manager 11g, you must extend Access Manager 11g to support Oracle Identity Manager. For more information about the idmConfigTool command, see Chapter 2, "Using the idmConfigTool Command."
Set the environment variables required for idmconfigtool.
Set a global passphrase.
By default, Oracle Access Manager is configured to use the Open security model. In the following steps you use idmConfigTool to change the security model, so you must set a global passphrase. The global passphrase and the WebGate access password do not have to be the same, but it is recommended that you make them the same. Proceed as follows.
Log in to the Oracle Access Management administration console as the WebLogic administration user:
http://oam_adminserver_host:port/oamconsole
Click the System Configuration tab.
Click Access Manager Settings located in the Access Manager section.
Select Open from the Actions menu. The access manager settings are displayed.
If you plan to use Simple security mode for OAM servers, supply a global passphrase.
Click Apply.
Create a properties file, for example, named OAMconfigPropertyFile, with contents similar to the following:
Note:
If you already have an Identity Store in place that is different from the default created by this tool, add the OAM11G_IDSTORE_NAME parameter to the properties file and set the value to the name of that Identity Store.
```
WLSHOST: adminvhn.example.com
WLSPORT: 7001
WLSADMIN: weblogic
IDSTORE_HOST: idstore.example.com
IDSTORE_PORT: 389
IDSTORE_BINDDN: cn=orcladmin
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_USERSEARCHBASE: cn=Users,dc=example,dc=com
IDSTORE_SEARCHBASE: dc=example,dc=com
IDSTORE_SYSTEMIDBASE: cn=systemids,dc=example,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com
IDSTORE_OAMSOFTWAREUSER: oamLDAP
IDSTORE_OAMADMINUSER: oamadmin
IDSTORE_DIRECTORYTYPE: OVD
POLICYSTORE_SHARES_IDSTORE: true
PRIMARY_OAM_SERVERS: oamhost1.example.com:5575
WEBGATE_TYPE: ohsWebgate10g
ACCESS_GATE_ID: Webgate_IDM
OAM11G_IDM_DOMAIN_OHS_HOST: sso.example.com
OAM11G_IDM_DOMAIN_OHS_PORT: 443
OAM11G_IDM_DOMAIN_OHS_PROTOCOL: https
OAM11G_WG_DENY_ON_NOT_PROTECTED: false
OAM11G_IMPERSONATION_FLAG: true
OAM_TRANSFER_MODE: simple
OAM11G_OAM_SERVER_TRANSFER_MODE: simple
OAM11G_IDM_DOMAIN_LOGOUT_URLS: /console/jsp/common/logout.jsp,/em/targetauth/emaslogout.jsp,/oamsso/logout.html,/cgi-bin/logout.pl
OAM11G_SERVER_LOGIN_ATTRIBUTE: uid
COOKIE_DOMAIN: .example.com
OAM11G_IDSTORE_ROLE_SECURITY_ADMIN: OAMAdministrators
OAM11G_SSO_ONLY_FLAG: false
OAM11G_OIM_INTEGRATION_REQ: true
OAM11G_SERVER_LBR_HOST: sso.example.com
OAM11G_SERVER_LBR_PORT: 443
OAM11G_SERVER_LBR_PROTOCOL: https
COOKIE_EXPIRY_INTERVAL: 120
OAM11G_OIM_OHS_URL: https://sso.example.com:443/
SPLIT_DOMAIN: true
```
Where:
WLSHOST and WLSPORT are, respectively, the host and port of your administration server; this is the virtual host name.
WLSADMIN is the WebLogic Server administrative user account you use to log in to the WebLogic Server administration console.
IDSTORE_HOST and IDSTORE_PORT are, respectively, the host and port of your Identity Store directory.
Note: If using a directory server other than Oracle Internet Directory, specify the Oracle Virtual Directory host and port.
IDSTORE_BINDDN is an administrative user in Oracle Internet Directory.
Note: If using a directory server other than Oracle Internet Directory, specify an Oracle Virtual Directory administrative user.
IDSTORE_USERNAMEATTRIBUTE is the attribute used to set and search for users in the Identity Store.
IDSTORE_LOGINATTRIBUTE is the attribute of the Identity Store that contains the user's login name.
IDSTORE_USERSEARCHBASE is the container under which Access Manager searches for users.
IDSTORE_SEARCHBASE is the location in the directory where users and groups are stored.
IDSTORE_GROUPSEARCHBASE is the location in the directory where groups are stored.
IDSTORE_OAMSOFTWAREUSER is the name of the user used to interact with the LDAP server.
IDSTORE_OAMADMINUSER is the name of the user you use to access your Oracle Access Management administration console.
IDSTORE_DIRECTORYTYPE is the Identity Store directory type.
PRIMARY_OAM_SERVERS is a comma-separated list of your Access Manager servers and the proxy ports they use.
Note: To determine the proxy ports of your Access Manager servers:
Log in to the Oracle Access Management administration console at http://admin.example.com:7001/oamconsole
Click the System Configuration tab.
Expand Server Instances under the Common Configuration section.
Click an Access Manager server, such as WLS_OAM1, and click Open.
The proxy port is shown as Port.
WEBGATE_TYPE is the type of WebGate agent you want to create. Valid values are ohsWebgate11g if WebGate version 11 is used, or ohsWebgate10g if WebGate version 10 is used.
ACCESS_GATE_ID is the name you want to assign to the WebGate. Do not change the property value shown above.
OAM11G_IDM_DOMAIN_OHS_HOST is the name of the load balancer that is in front of OHS in a high-availability configuration.
OAM11G_IDM_DOMAIN_OHS_PORT is the port that the load balancer listens on.
OAM11G_IDM_DOMAIN_OHS_PROTOCOL is the protocol to use when directing requests to the load balancer.
OAM11G_WG_DENY_ON_NOT_PROTECTED sets the "deny on not protected" flag for a 10g WebGate. Valid values are true and false.
OAM11G_IMPERSONATION_FLAG enables or disables the impersonation feature in the OAM Server. Valid values are true (enable) and false (disable).
OAM_TRANSFER_MODE is the security model in which the access servers function.
OAM11G_OAM_SERVER_TRANSFER_MODE is the security model for the Access Manager servers.
OAM11G_IDM_DOMAIN_LOGOUT_URLS is set to the various logout URLs.
OAM11G_SERVER_LOGIN_ATTRIBUTE set to uid ensures that when users log in, their username is validated against the uid attribute in LDAP.
COOKIE_DOMAIN is the domain in which the WebGate functions.
OAM11G_IDSTORE_ROLE_SECURITY_ADMIN is the account used to administer role security in the Identity Store.
OAM11G_SSO_ONLY_FLAG configures Access Manager 11g in authentication-only mode or in normal mode, which supports both authentication and authorization.
If OAM11G_SSO_ONLY_FLAG is true, the Access Manager 11g server operates in authentication-only mode, where all authorizations return true by default without any policy validation. In this mode, the server does not have the overhead of authorization handling. This is recommended for applications that do not depend on authorization policies and need only the authentication feature of the Access Manager server.
If the value is false, the server runs in default mode, where each authentication is followed by one or more authorization requests to the Access Manager server. WebGate allows or denies access to the requested resource based on the responses from the Access Manager server.
OAM11G_OIM_INTEGRATION_REQ specifies whether to integrate with Oracle Identity Manager or configure Access Manager in stand-alone mode. Set to true for integration.
OAM11G_SSO_ONLY_FLAG determines whether Access Manager is used in authentication-only mode.
OAM11G_SERVER_LBR_HOST is the name of the OAM Server fronting your site. This and the following two parameters are used to construct your login URL.
OAM11G_SERVER_LBR_PORT is the port that the load balancer is listening on.
OAM11G_SERVER_LBR_PROTOCOL is the URL prefix to use.
COOKIE_EXPIRY_INTERVAL is the cookie expiration period.
OAM11G_OIM_OHS_URL is the URL of the load balancer or OHS fronting the OIM server.
SPLIT_DOMAIN set to true is required to suppress the double authentication of the Oracle Access Management administration console in a split domain scenario.
Configure the Identity Store by using idmConfigTool with the -configOAM command, which is located at:
IAM_ORACLE_HOME/idmtools/bin
The syntax of the command on Linux is:
idmConfigTool.sh -configOAM input_file=configfile
The syntax on Windows is:
idmConfigTool.bat -configOAM input_file=configfile
When the command runs, it prompts you to enter the password of the account used to connect to the Identity Store. It also asks you to create passwords for the following three accounts:
OAM11G_WLS_ADMIN_PASSWD
IDSTORE_PWD_OAMSOFTWAREUSER
IDSTORE_PWD_OAMADMINUSER
Sample command output:
Enter ID Store Bind DN password:
Enter User Password for OAM11G_WLS_ADMIN_PASSWD:
Confirm User Password for OAM11G_WLS_ADMIN_PASSWD:
Enter User Password for IDSTORE_PWD_OAMSOFTWAREUSER:
Confirm User Password for IDSTORE_PWD_OAMSOFTWAREUSER:
Enter User Password for IDSTORE_PWD_OAMADMINUSER:
Confirm User Password for IDSTORE_PWD_OAMADMINUSER:
The tool has completed its operation. Details have been logged to automation.log
Check the log file for any errors or warnings and correct them. The tool is reentrant and can be safely called again.
Restart WebLogic Administration Server.
Integrate Oracle Identity Manager with Access Manager as follows. For information about the idmConfigTool command, see Chapter 2, "Using the idmConfigTool Command."
Set the environment variables required for idmconfigtool.
Create a properties file named OIMconfigPropertyFile with contents similar to the following:
LOGINURI: /${app.context}/adfAuthentication
LOGOUTURI: /oamsso/logout.html
AUTOLOGINURI: None
ACCESS_SERVER_HOST: OAMHOST1.example.com
ACCESS_SERVER_PORT: 5575
ACCESS_GATE_ID: Webgate_IDM
COOKIE_DOMAIN: .example.com
COOKIE_EXPIRY_INTERVAL: 120
OAM_TRANSFER_MODE: SIMPLE
WEBGATE_TYPE: ohsWebgate10g
OAM_SERVER_VERSION: 11g
OAM11G_WLS_ADMIN_HOST: wlsadmin.example.com
OAM11G_WLS_ADMIN_PORT: 17001
OAM11G_WLS_ADMIN_USER: weblogic
SSO_ENABLED_FLAG: true
IDSTORE_PORT: 389
IDSTORE_HOST: idstore.example.com
IDSTORE_DIRECTORYTYPE: OVD
IDSTORE_ADMIN_USER: cn=oamLDAP,cn=Users,dc=example,dc=com
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_USERSEARCHBASE: cn=Users,dc=example,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com
MDS_DB_URL: jdbc:oracle:thin:@DBHOST:PORT:SID
MDS_DB_SCHEMA_USERNAME: idm_mds
WLSHOST: adminvhn.example.com
WLSPORT: 7001
WLSADMIN: weblogic
DOMAIN_NAME: IDM_Domain
OIM_MANAGED_SERVER_NAME: WLS_OIM1
DOMAIN_LOCATION: ORACLE_BASE/admin/IDMDomain/aserver/IDMDomain
Where:
The ACCESS_SERVER_PORT must be the Access Manager NAP port.
If your OAM Servers are configured to accept requests using the simple mode, set OAM_TRANSFER_MODE to SIMPLE. Otherwise set OAM_TRANSFER_MODE to OPEN.
Set WEBGATE_TYPE to ohsWebgate11g if WebGate version 11 is used, or ohsWebgate10g if WebGate version 10 is used.
Set OAM_SERVER_VERSION to 10g if using Oracle Access Manager 10g, or 11g if using Access Manager 11g.
If OAM and OIM are on separate WebLogic domains, set OAM11G_WLS_ADMIN_HOST, OAM11G_WLS_ADMIN_PORT, and OAM11G_WLS_ADMIN_USER. For information about the split domain integration topology, see Chapter 1, "Introduction."
Set IDSTORE_PORT to your Oracle Internet Directory port if you are using Oracle Internet Directory as your Identity Store. If not, set it to your Oracle Virtual Directory port.
Set IDSTORE_HOST to your Oracle Internet Directory host or load balancer name if you are using Oracle Internet Directory as your Identity Store. If not, set it to your Oracle Virtual Directory host or load balancer name.
Set IDSTORE_DIRECTORYTYPE to OVD if you are using Oracle Virtual Directory server to connect to either a non-OID directory or Oracle Internet Directory. Set it to OID if your Identity Store is in Oracle Internet Directory and you are accessing it directly rather than through Oracle Virtual Directory.
Set IDSTORE_ADMIN_USER to the complete LDAP DN of the administrator of the identity store directory. This should be the same user specified for IDSTORE_OAMSOFTWAREUSER (if specified).
MDS_DB_URL in this case represents a single instance database. The string following the '@' symbol must have the correct values for your environment. SID must be the actual SID, not a service name. If you are using a single instance database, set MDS_DB_URL to: jdbc:oracle:thin:@DBHOST:1521:SID.
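The two property files above share several values (agent ID, cookie settings, WebGate type, transfer mode, OAM server and proxy port), and a mismatch between the -configOAM file and the -configOIM file is only discovered later, when the WebGate cannot reach the server or the SSO cookie is never sent back. The following pre-flight check is an added example, not part of the Oracle documentation or of idmConfigTool; it parses both "KEY: value" files and applies the rules stated in the two "Where:" lists. The sample files are constructed from the values shown on this page, with the DBHOST:PORT:SID placeholder replaced by a constructed value.

```python
"""Pre-flight consistency check for the idmConfigTool property files.

Added example; not part of the Oracle documentation or of idmConfigTool.
It parses the "KEY: value" files fed to -configOAM and -configOIM and
flags disagreements between them that otherwise only show up at runtime.
The sample files are constructed from the values shown on this page.
"""
import re

# Constructed sample: a subset of the -configOAM file shown above.
OAM_FILE = """\
WLSHOST: adminvhn.example.com
PRIMARY_OAM_SERVERS: oamhost1.example.com:5575
WEBGATE_TYPE: ohsWebgate10g
ACCESS_GATE_ID: Webgate_IDM
OAM11G_IDM_DOMAIN_OHS_HOST: sso.example.com
OAM_TRANSFER_MODE: simple
COOKIE_DOMAIN: .example.com
COOKIE_EXPIRY_INTERVAL: 120
OAM11G_OIM_INTEGRATION_REQ: true
SPLIT_DOMAIN: true
"""

# Constructed sample: a subset of the -configOIM file shown above, with the
# DBHOST:PORT:SID placeholder replaced by a constructed value.
OIM_FILE = """\
ACCESS_SERVER_HOST: OAMHOST1.example.com
ACCESS_SERVER_PORT: 5575
ACCESS_GATE_ID: Webgate_IDM
COOKIE_DOMAIN: .example.com
COOKIE_EXPIRY_INTERVAL: 120
OAM_TRANSFER_MODE: SIMPLE
WEBGATE_TYPE: ohsWebgate10g
OAM11G_WLS_ADMIN_HOST: wlsadmin.example.com
OAM11G_WLS_ADMIN_PORT: 17001
OAM11G_WLS_ADMIN_USER: weblogic
MDS_DB_URL: jdbc:oracle:thin:@dbhost.example.com:1521:IDMDB
"""

VALID_WEBGATE_TYPES = {"ohsWebgate10g", "ohsWebgate11g"}
VALID_OIM_TRANSFER_MODES = {"SIMPLE", "OPEN"}
# Agent identity and cookie settings are registered on the OAM side and
# consumed by OIM, so they must carry the same value in both files.
SHARED_KEYS = ("ACCESS_GATE_ID", "COOKIE_DOMAIN", "COOKIE_EXPIRY_INTERVAL", "WEBGATE_TYPE")
# Thin-driver URL with a SID (host:port:SID); a host:port/service form or a
# left-over placeholder such as DBHOST:PORT:SID does not match.
SID_URL = re.compile(r"^jdbc:oracle:thin:@[^:/\s]+:\d+:\w+$")


def parse_props(text):
    """Parse 'KEY: value' lines into a dict, skipping blanks and '#' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep or not key.strip():
            raise ValueError("malformed property line: %r" % raw)
        props[key.strip()] = value.strip()
    return props


def check(oam, oim):
    """Return a list of problems; an empty list means the two files agree."""
    problems = []
    for key in SHARED_KEYS:
        if oam.get(key) != oim.get(key):
            problems.append("%s differs: OAM=%r OIM=%r" % (key, oam.get(key), oim.get(key)))
    for label, props in (("OAM", oam), ("OIM", oim)):
        if props.get("WEBGATE_TYPE") not in VALID_WEBGATE_TYPES:
            problems.append("%s: WEBGATE_TYPE must be ohsWebgate10g or ohsWebgate11g" % label)
    # The OAM file uses lower case (simple), the OIM file upper case (SIMPLE).
    oim_mode = oim.get("OAM_TRANSFER_MODE", "")
    if oim_mode not in VALID_OIM_TRANSFER_MODES:
        problems.append("OIM: OAM_TRANSFER_MODE must be SIMPLE or OPEN, got %r" % oim_mode)
    elif oam.get("OAM_TRANSFER_MODE", "").upper() != oim_mode:
        problems.append("OAM_TRANSFER_MODE mismatch: OAM=%r OIM=%r"
                        % (oam.get("OAM_TRANSFER_MODE"), oim_mode))
    # ACCESS_SERVER_HOST:PORT must name an OAM server and its proxy (NAP) port;
    # host names are compared case-insensitively (OAMHOST1 vs oamhost1 above).
    servers = {s.strip().lower() for s in oam.get("PRIMARY_OAM_SERVERS", "").split(",") if s.strip()}
    target = "%s:%s" % (oim.get("ACCESS_SERVER_HOST", "").lower(), oim.get("ACCESS_SERVER_PORT", ""))
    if target not in servers:
        problems.append("ACCESS_SERVER_HOST:PORT %r is not in PRIMARY_OAM_SERVERS" % target)
    # In a split domain the OIM file must carry the OAM admin server coordinates.
    if oam.get("SPLIT_DOMAIN", "").lower() == "true":
        for key in ("OAM11G_WLS_ADMIN_HOST", "OAM11G_WLS_ADMIN_PORT", "OAM11G_WLS_ADMIN_USER"):
            if not oim.get(key):
                problems.append("SPLIT_DOMAIN is true but the OIM file lacks %s" % key)
    # The SSO cookie domain must cover the OHS/load balancer host, or the
    # browser will never send the cookie back to it.
    domain, host = oam.get("COOKIE_DOMAIN", ""), oam.get("OAM11G_IDM_DOMAIN_OHS_HOST", "")
    if not domain.startswith(".") or not host.lower().endswith(domain.lower()):
        problems.append("COOKIE_DOMAIN %r does not cover OHS host %r" % (domain, host))
    if not oim.get("COOKIE_EXPIRY_INTERVAL", "").isdigit():
        problems.append("COOKIE_EXPIRY_INTERVAL must be an integer")
    if not SID_URL.match(oim.get("MDS_DB_URL", "")):
        problems.append("MDS_DB_URL must be jdbc:oracle:thin:@host:port:SID, got %r" % oim.get("MDS_DB_URL"))
    return problems


if __name__ == "__main__":
    for p in check(parse_props(OAM_FILE), parse_props(OIM_FILE)):
        print("PROBLEM:", p)
```

Run it against your real files before invoking idmConfigTool; an empty problem list does not prove the values are right for your environment, only that the two files agree with each other and with the rules on this page.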
Configure the Identity Store by using idmConfigTool with the -configOIM command, which is located at:
IAM_ORACLE_HOME/idmtools/bin
The syntax of the command on Linux is:
idmConfigTool.sh -configOIM input_file=configfile
The syntax on Windows is:
idmConfigTool.bat -configOIM input_file=configfile
When the command executes you will be prompted for:
Access Gate Password
Single Sign-On (SSO) Keystore Password
Global Passphrase
Idstore Admin Password
MDS Database schema password
Admin Server User Password
Password to be used for Oracle Access Management administrative user
Sample output:
Enter sso access gate password:
Enter mds db schema password:
Enter idstore admin password:
Enter admin server user password:
********* Seeding OAM Passwds in OIM *********
Enter ssoKeystore.jks Password:
Enter SSO Global Passphrase:
Completed loading user inputs for - CSF Config
Updating CSF with Access Gate Password...
WLS ManagedService is not up running. Fall back to use system properties for configuration.
Updating CSF ssoKeystore.jks Password...
Updating CSF for SSO Global Passphrase Password...
*********
*********
*********
********* Activating OAM Notifications *********
Completed loading user inputs for - MDS DB Config
Initialized MDS resources
Apr 11, 2011 4:57:45 AM oracle.mds
NOTIFICATION: transfer operation started.
Apr 11, 2011 4:57:46 AM oracle.mds
NOTIFICATION: transfer is completed. Total number of documents successfully processed: 1, total number of documents failed: 0.
Upload to DB completed
Releasing all resources
Notifications activated.
*********
*********
*********
********* Seeding OAM Config in OIM *********
Completed loading user inputs for - OAM Access Config
Validated input values
Initialized MDS resources
Apr 11, 2011 4:57:46 AM oracle.mds
NOTIFICATION: transfer operation started.
Apr 11, 2011 4:57:47 AM oracle.mds
NOTIFICATION: transfer is completed. Total number of documents successfully processed: 1, total number of documents failed: 0.
Download from DB completed
Releasing all resources
Updated /u01/app/oracle/product/fmw/iam/server/oamMetadata/db/oim-config.xml
Initialized MDS resources
Apr 11, 2011 4:57:47 AM oracle.mds
NOTIFICATION: transfer operation started.
Apr 11, 2011 4:57:47 AM oracle.mds
NOTIFICATION: transfer is completed. Total number of documents successfully processed: 1, total number of documents failed: 0.
Upload to DB completed
Releasing all resources
OAM configuration seeded. Please restart oim server.
*********
*********
*********
********* Configuring Authenticators in OIM WLS *********
Completed loading user inputs for - Dogwood Admin WLS
Completed loading user inputs for - LDAP connection info
Connecting to t3://adminvhn.example.com:7001
Connection to domain runtime mbean server established
Starting edit session
Edit session started
Connected to security realm.
Validating provider configuration
Validated desired authentication providers
Validated authentication provider state successfuly.
Created OAMIDAsserter successfuly
Created OIDAuthenticator successfuly
Created OIMSignatureAuthenticator successfuly
Setting attributes for OID Authenticator
All attributes set. Configured in OID Authenticator now
lDAP details configured in OID authenticator
Control flags for authenticators set sucessfully
Reordering of authenticators done sucessfully
Saving the transaction
Transaction saved
Activating the changes
Changes Activated. Edit session ended.
Connection closed sucessfully
*********
*********
*********
Check the log file for errors and correct them if necessary. The tool is reentrant and can be safely called again.
Restart the Oracle Identity Manager managed server and the WebLogic Administration Server.
The Oracle HTTP Server with 11g WebGate must be installed. For information, see "Installing and Configuring Oracle HTTP Server 11g WebGate for OAM" in Oracle Fusion Middleware Installing WebGates for Oracle Access Manager.
For information about installing Oracle HTTP Server with a 10g WebGate, see "Registering and Managing 10g WebGates with Access Manager 11g" and "Configuring Apache, OHS, IHS for 10g WebGates" in Oracle Fusion Middleware Administrator's Guide for Oracle Access Management.
Note: WebGate installation and configuration is required.
The Oracle HTTP Server (OHS) profile must be edited so that the OHS server points to the OIM server that is being protected by Access Manager. The profile file is located here:
$IAM_HOME/server/setup/templates/oim.conf
Use this file as a template file. Edit the OHS profile, then copy it to the OHS moduleconf location:
INSTANCE_LOCATION/config/OHS/ohs1/moduleconf/
Edit the OHS profile to include the following lines:
<Location /identity>
  SetHandler weblogic-handler
  WLCookieName oimjsessionid
  WebLogicHost <OIM managed server host>
  WebLogicPort <OIM managed server port>
  WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
</Location>
<Location /sysadmin>
  SetHandler weblogic-handler
  WLCookieName oimjsessionid
  WebLogicHost <OIM managed server host>
  WebLogicPort <OIM managed server port>
  WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
</Location>
<Location /oam>
  SetHandler weblogic-handler
  WLCookieName jsessionid
  WebLogicHost <OAM managed server host>
  WebLogicPort <OAM managed server port>
  WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
</Location>
<Location /admin>
  SetHandler weblogic-handler
  WebLogicHost <OIM managed server host>
  WebLogicPort <OIM managed server port>
  WLCookieName oimjsessionid
  WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
</Location>
# oim self and advanced admin webapp consoles(canonic webapp)
<Location /oim>
  SetHandler weblogic-handler
  WebLogicHost <OIM managed server host>
  WebLogicPort <OIM managed server port>
  WLCookieName oimjsessionid
  WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
</Location>
# SOA Callback webservice for SOD - Provide the SOA Managed Server Ports
<Location /sodcheck>
  SetHandler weblogic-handler
  WebLogicHost <OIM managed server host>
  WebLogicPort <OIM managed server port>
  WLCookieName oimjsessionid
  WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
</Location>
# Callback webservice for SOA. SOA calls this when a request is approved/rejected
# Provide the SOA Managed Server Port
<Location /workflowservice>
  SetHandler weblogic-handler
  WebLogicHost <OIM managed server host>
  WebLogicPort <OIM managed server port>
  WLCookieName oimjsessionid
  WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
</Location>
# xlWebApp - Legacy 9.x webapp (struts based)
<Location /xlWebApp>
  SetHandler weblogic-handler
  WLCookieName oimjsessionid
  WebLogicHost <OIM managed server host>
  WebLogicPort <OIM managed server port>
  WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
</Location>
# Nexaweb WebApp - used for workflow designer and DM
<Location /Nexaweb>
  SetHandler weblogic-handler
  WLCookieName oimjsessionid
  WebLogicHost <OIM managed server host>
  WebLogicPort <OIM managed server port>
  WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
</Location>
# used for FA Callback service.
<Location /callbackResponseService>
  SetHandler weblogic-handler
  WLCookieName oimjsessionid
  WebLogicHost <OIM managed server host>
  WebLogicPort <OIM managed server port>
  WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
</Location>
# spml xsd profile
<Location /spml-xsd>
  SetHandler weblogic-handler
  WLCookieName oimjsessionid
  WebLogicHost <OIM managed server host>
  WebLogicPort <OIM managed server port>
  WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
</Location>
<Location /HTTPClnt>
  SetHandler weblogic-handler
  WLCookieName oimjsessionid
  WebLogicHost <OIM managed server host>
  WebLogicPort <OIM managed server port>
  WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
</Location>
The OHS instance must be restarted afterward.
The IDMDomain Agent provides single sign-on capability for administration consoles. The WebGate handles single sign-on, so you must remove the IDMDomain Agent and restart the Oracle WebLogic Server Administration Server and all running Managed Servers.
Log in to the WebLogic Server administration console using the URL: http://admin.example.com/console.
Select Security Realms from the Domain Structure menu.
Click myrealm.
Click the Providers tab.
Click Lock and Edit from the Change Center.
In the list of authentication providers, select IAMSuiteAgent.
Click Delete.
Click Yes to confirm the deletion.
Click Activate Changes from the Change Center.
Restart WebLogic Administration Server and all running Managed Servers.
For information, see "Starting and Stopping Oracle WebLogic Server Instances" in Oracle Fusion Middleware Administrator's Guide.
This section describes additional configuration that you may need to perform depending on your requirements.
This section contains the following topics:
Perform this task only if you want to use Oracle HTTP Server 10g WebGate for Access Manager after setting up integration between Oracle Identity Manager and Access Manager. Follow the instructions in "Migrating from Domain Agent to Oracle HTTP Server 10g WebGate for OAM" in Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.
Next, complete the steps in the following section to create a keystore to integrate Access Manager with Oracle Identity Manager.
Note: This step is required because the WebGate was configured to use simple mode in Section 7.5, "Configuring Access Manager for Integration."
When you configure Access Manager to work using the simple transport protocol, all traffic to Access Manager is encrypted. When you integrate Access Manager with other components, such as Oracle Identity Manager, you must enable the product being integrated to understand this encryption. (This is not necessary when the transport model is open.) You do this by using a keystore.
When you change Access Manager to use the simple protocol, keystores are created automatically in the directory ASERVER_HOME/output/webgate-ssl. This directory contains the following files:
oamclient-keystore.jks contains the private key.
oamclient-truststore.jks contains the Access Manager simple mode CA certificate.
These files are accessed using the Global Passphrase defined at the time of enabling Access Manager in simple mode.
Some products require configuring with both of the files above, and some products, such as Oracle Identity Manager, require a single consolidated keystore.
To create a keystore suitable for use by Oracle Identity Manager, perform the following steps.
Change directory to ASERVER_HOME/output/webgate-ssl, for example:
cd ASERVER_HOME/output/webgate-ssl
Copy the file oamclient-keystore.jks to ssoKeystore.jks, for example:
cp oamclient-keystore.jks ssoKeystore.jks
Import the trust store into the new keystore ssoKeystore.jks using the command:
keytool -importcert -file IAM_ORACLE_HOME/oam/server/config/cacert.der -trustcacerts -keystore PathName_to_keystore -storetype JKS
Enter the keystore password when prompted.
For example:
keytool -importcert -file IAM_ORACLE_HOME/oam/server/config/cacert.der -trustcacerts -keystore ssoKeystore.jks -storetype JKS
Note: The files ssoKeystore.jks and oamclient-truststore.jks are required when you integrate Access Manager running in Simple mode with Oracle Identity Manager. When you integrate these components, you are asked to copy these files to the ASERVER_HOME/config/fmwconfig directory. If you subsequently extend the domain on machines where these files have been placed using pack/unpack, you must recopy ssoKeystore.jks and oamclient-truststore.jks after unpacking.
In an integrated environment, Oracle Identity Manager is front-ended by Oracle HTTP Server (OHS). All SOA server default composites must be updated. Perform the following steps:
See Also: The Fusion Middleware Control online help and SOA Suite documentation
Log in to Oracle Enterprise Manager Fusion Middleware Control Console.
Navigate to SOA, then soa-infra (SOA server name), then default.
Update the composite types applicable to your environment. For example: ApprovalTask, Human Workflow, DisconnectedProvisioning, and so on.
For each default composite, do the following:
Click the composite name.
From Component Metrics select the composite type. For example, click ApprovalTask.
Select the Administration tab and update the fields as follows:
Host Name: OHS host name
HTTP Port: If SSL mode, leave blank. If non-SSL mode, enter the OHS HTTP port.
HTTPS Port: If SSL mode, enter the OHS HTTPS port. If non-SSL mode, leave blank.
Click Apply.
Note:
If the values are not updated correctly, the composite page in Oracle Identity Manager will open as a blank page.
This section provides steps for validating the integrated environment. Performing the following sanity checks can help you avoid some common issues that could be encountered during runtime.
In this release, Oracle Identity Manager is integrated with Access Manager when the idmconfig command is run with the configOIM option. After the command is run, the following configuration settings and files are updated:
The SSOConfig section in the oim-config.xml file, stored in the OIM Metadata store. See Section 7.10.1, "Validate OIM SSOConfig."
The realm security providers in OIM_DOMAIN_HOME/config.xml. See Section 7.10.2, "Validate Security Provider Configuration."
The OIM domain credential store in OIM_DOMAIN_HOME/config/fmwconfig/cwallet.sso. See Section 7.10.3, "Validate OIM Domain Credential Store."
The orchestration event handlers required for SSO integration in EventHandlers.xml, stored in the OIM Metadata store. See Section 7.10.4, "Validate Event Handlers for SSO."
The SSO logout configuration in OIM_DOMAIN_HOME/config/fmwconfig/jps-config.xml. See Section 7.10.5, "Validate SSO Logout Configuration."
To validate the SSOConfig settings in oim-config.xml:
Log in to Oracle Enterprise Manager Fusion Middleware Control.
Select Weblogic Domain, then right-click the domain name.
Open the System MBean Browser and search for the ssoconfig MBean.
For more information, see "Getting Started Using the Fusion Middleware Control MBean Browsers" in Oracle Fusion Middleware Administrator's Guide.
Verify the following attribute settings are correct after running idmconfig configOIM. Update any values as needed:
SsoEnabled attribute is set to true.
If using TAP communication, the TapEndpointURL attribute is present.
If using NAP communication, the following attributes are present: AccessGateID, AccessServerHost, AccessServerPort, CookieDomain, CookieExpiryInterval, NapVersion, TransferMode, WebgateType.
If Version is set to 11g, verify the TapEndpointURL attribute is set to a valid URL. Validate the URL by accessing it in a web browser.
If Version is set to 10g, verify the other attributes are configured correctly.
To validate the security provider configuration:
In WebLogic Server Administration Console, navigate to the OIM domain.
Navigate to Security Realms, myrealm, then Providers tab.
Confirm the Authentication Providers are configured as follows.
Authentication Provider | Control Flag
---|---
OAM ID Asserter | REQUIRED
DefaultAuthenticator | SUFFICIENT
OIM Signature Authenticator | SUFFICIENT
OIM Authenticator | OPTIONAL
LDAP Authenticator | SUFFICIENT
Navigate to OIM Authenticator, Provider Specific. Verify that the SSOMode checkbox is selected.
The LDAP Authenticator varies depending upon which LDAP provider is being used. Verify it is configured correctly by selecting Users and Groups tab, and confirming the LDAP users are listed in Users tab.
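The provider table above can be checked from the domain's config.xml instead of by clicking through the console, which is useful after pack/unpack or when several OIM domains must be audited. The script below is an added example, not Oracle's code: it reads the realm section of a WebLogic config.xml, compares the ordered provider list and control flags against the table, and also reports a leftover IAMSuiteAgent provider, which the integration steps say must be deleted. The element layout it assumes (a sec:authentication-provider element with sec:name and sec:control-flag children) is my reading of config.xml, and namespaces are ignored so prefixes do not matter; the sample realm is constructed, with provider names taken from the idmConfigTool output above and "OIMAuthenticationProvider" assumed as the name of the OIM Authenticator.

```python
"""Audit the OIM realm's authentication providers in WebLogic config.xml.

Added example; not Oracle's code. Compares the providers found in the
<realm> section against the expected (name, control flag) table and
flags a leftover IAMSuiteAgent. Element names are an assumption about
config.xml layout: <sec:authentication-provider> with <sec:name> and
<sec:control-flag> children. Namespaces are ignored.
"""
import xml.etree.ElementTree as ET

# Constructed sample realm. Provider names follow the idmConfigTool output
# shown above; "OIMAuthenticationProvider" is an assumed name for the OIM
# Authenticator. xsi:type attributes are omitted.
CONFIG_XML = """\
<domain xmlns="http://xmlns.oracle.com/weblogic/domain"
        xmlns:sec="http://xmlns.oracle.com/weblogic/security">
  <name>IDMDomain</name>
  <security-configuration>
    <realm>
      <sec:authentication-provider>
        <sec:name>OAMIDAsserter</sec:name>
        <sec:control-flag>REQUIRED</sec:control-flag>
        <sec:active-type>OAM_REMOTE_USER</sec:active-type>
      </sec:authentication-provider>
      <sec:authentication-provider>
        <sec:name>DefaultAuthenticator</sec:name>
        <sec:control-flag>SUFFICIENT</sec:control-flag>
      </sec:authentication-provider>
      <sec:authentication-provider>
        <sec:name>OIMSignatureAuthenticator</sec:name>
        <sec:control-flag>SUFFICIENT</sec:control-flag>
      </sec:authentication-provider>
      <sec:authentication-provider>
        <sec:name>OIMAuthenticationProvider</sec:name>
        <sec:control-flag>OPTIONAL</sec:control-flag>
      </sec:authentication-provider>
      <sec:authentication-provider>
        <sec:name>OIDAuthenticator</sec:name>
        <sec:control-flag>SUFFICIENT</sec:control-flag>
      </sec:authentication-provider>
    </realm>
  </security-configuration>
</domain>
"""

# The table from this section, in the order the providers must appear.
EXPECTED = [
    ("OAMIDAsserter", "REQUIRED"),
    ("DefaultAuthenticator", "SUFFICIENT"),
    ("OIMSignatureAuthenticator", "SUFFICIENT"),
    ("OIMAuthenticationProvider", "OPTIONAL"),
    ("OIDAuthenticator", "SUFFICIENT"),
]


def local(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def providers(xml_text):
    """Return [(name, control_flag)] in document order, ignoring namespaces."""
    found = []
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) != "authentication-provider":
            continue
        name = flag = None
        for child in el:
            if local(child.tag) == "name":
                name = (child.text or "").strip()
            elif local(child.tag) == "control-flag":
                flag = (child.text or "").strip().upper()
        found.append((name, flag))
    return found


def audit(found, expected=EXPECTED, forbidden=("IAMSuiteAgent",)):
    """Return a list of problems; empty means the realm matches the table."""
    problems = []
    names = [name for name, _ in found]
    flags = dict(found)
    for name in forbidden:
        if name in names:
            problems.append("leftover provider %s should be deleted" % name)
    for name, flag in expected:
        if name not in flags:
            problems.append("missing provider %s" % name)
        elif flags[name] != flag:
            problems.append("%s control flag is %s, expected %s" % (name, flags[name], flag))
    # The identity asserter must be first so the WebGate header is asserted
    # before any authenticator runs.
    if names and names[0] != expected[0][0]:
        problems.append("first provider is %s, expected %s" % (names[0], expected[0][0]))
    return problems


if __name__ == "__main__":
    for p in audit(providers(CONFIG_XML)):
        print("PROBLEM:", p)
```

Adjust EXPECTED to the provider names your domain actually uses (the LDAP Authenticator name depends on the directory, as the text notes); the SSOMode checkbox is a provider-specific attribute that this check does not cover.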
All passwords and credentials used during communication between Oracle Identity Manager and Access Manager are stored in the domain credential store.
To validate the passwords and credentials used to communicate:
Log in to Oracle Enterprise Manager Fusion Middleware Control and select WebLogic Domain.
Right-click the domain name. Navigate to Security, then Credentials.
Expand the oim instance. Verify the following credentials:
SSOAccessKey: OPEN mode only
SSOKeystoreKey: SIMPLE mode only
SSOGobalPP: SIMPLE mode only
OIM_TAP_PARTNER_KEY
A set of event handlers is uploaded to the Oracle Identity Manager MDS to support session termination after a user status change. These event handlers notify Access Manager when a user's status changes, and Access Manager then terminates the user's session. They are uploaded to MDS as part of the EventHandlers.xml file, located at /db/ssointg/EventHandlers.xml.
To confirm all event handlers are configured correctly, do the following:
Connect to the OIM MDS schema and look for /db/ssointg/EventHandlers.xml in the MDS_PATHS table, PATH_FULLNAME column.
Export the EventHandlers.xml file. For more information, see "Deploying and Undeploying Customizations" in Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.
Oracle Identity Manager logout is configured to use single logout after the integration is complete. After a user logs out from Oracle Identity Manager, they are logged out from all the Access Manager protected applications as well.
The following example shows the single logout configuration in the OIM_DOMAIN_HOME/config/fmwconfig/jps-config.xml file:
<propertySet name="props.auth.uri.0">
  <property name="logout.url" value="/oamsso/logout.html"/>
  <property name="autologin.url" value="None"/>
  <property name="login.url.BASIC" value="/${app.context}/adfAuthentication"/>
  <property name="login.url.FORM" value="/${app.context}/adfAuthentication"/>
  <property name="login.url.ANONYMOUS" value="/${app.context}/adfAuthentication"/>
</propertySet>
The final task is to verify the integration by performing, in order, the steps shown in Table 7-3.
Table 7-3 Verifying Access Manager-Oracle Identity Manager Integration
Step | Description | Expected Result
---|---|---
1 | Access the Oracle Access Management administration console using the URL: http://admin_server_host:admin_server_port/oamconsole | Provides access to the administration console.
2 | Access the Oracle Identity Manager administration page with the URL: where hostname:port can be for either OIM or OHS, depending on whether a Domain Agent or WebGate is used. | The Oracle Access Management login page should appear. Verify the links for "Forgot Password", "Self Register" and "Track Registration" features appear in the login page. For more information about these features, see Section 1.5.3, "Password Management Scenarios."
3 | Log in as an Oracle Identity Manager administrator. | The Oracle Identity Manager Admin Page should be accessible.
4 | Create a new user using Oracle Identity Self Service. Close the browser and try accessing the OIM Identity Page. When prompted for login, provide valid credentials for the newly-created user. | You should be redirected to Oracle Identity Manager and be required to reset the password. After resetting the password and setting the challenge question, the user should be automatically logged into the application. Auto-login should work.
5 | Close the browser and access Oracle Identity Self Service. | The Oracle Access Management login page from the Access Manager managed server should display. Verify the links for "Forgot Password", "Self Register" and "Track Registration" features appear in the login page. Verify that each link works. For more information about these features, see Section 1.5.3, "Password Management Scenarios."
6 | Verify the lock/disable feature works by opening a browser and logging in as a test user. In another browser session, log in as a test user, then lock the test user account. Click the Logout link on the OIM console. | The user must be logged out and redirected back to the login page.
7 | Verify the SSO logout feature works by logging into Oracle Identity Self Service as test user or system administrator. | Upon logout from the page, you are redirected to the SSO logout page.
This section describes common problems you might encounter in an Oracle Identity Manager and Access Manager integrated environment and explains how to solve them. It is organized by common problem types and contains the following topics:
In addition to this section, review the Oracle Fusion Middleware Error Messages Reference for information about the error messages you may encounter.
For information about additional troubleshooting resources, see Section 1.7, "Using My Oracle Support for Additional Troubleshooting Information."
This section describes common problems and solutions relating to single sign-on in the integrated environment. Using single sign-on, a user can access Oracle Identity Manager resources after being successfully authenticated by Access Manager. When accessing any Oracle Identity Manager resource protected by Access Manager, the user is challenged for their credentials by Access Manager using the Oracle Access Management Console login page.
This section discusses the following single sign-on issues:
Oracle Access Management Console Login Page Does Not Display
Authenticated User is Re-Directed to Oracle Identity Manager Login Page
Checking the HTTP headers may provide diagnostic information about login issues. To collect this information, enable HTTP tracing in the web browser, log in to Access Manager as a new user, and examine the headers for useful information.
After accessing an Oracle Identity Manager resource using OHS (for example, http://OHS_HOST:OHS_PORT/identity), the user is re-directed to the Oracle Identity Manager login page instead of the Oracle Access Management Console login page.
The Access Manager WebGate is not deployed or configured properly.
Confirm the httpd.conf file contains the following entry at the end:
include "<ORACLE_WEBTIER_INST_HOME>/config/OHS/ohs1/webgate.conf"
where webgate.conf contains the 11g WebGate configuration.
If this entry is not found, review the 11g WebGate configuration steps to verify none were missed. For more information, see Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management and Oracle Fusion Middleware Administrator's Guide for Oracle Access Management.
User login fails with the following error:
An incorrect Username or Password was specified.
Access Manager is responsible for user authentication but authentication has failed. The identity store configuration may be wrong.
Check the identity store is configured correctly in the Oracle Access Management Console.
To resolve this problem:
Log in to Oracle Access Management Console.
Navigate to System Configuration, Data Sources, OIMIDStore.
Verify the Default Store and System Store configuration.
Click Test Connection to verify the connection.
User is not directed to the Oracle Access Management Console to login and the following error message displays:
Oracle Access Manager Operation Error.
The OAM Server is not running.
Restart the OAM Server.
The WebGate is not correctly deployed on OHS and is not configured correctly for the 10g or 11g Agent located on the OAM Server.
An error message displays, for example: The AccessGate is unable to contact any Access Servers.
The issue may be with the SSO Agent.
To resolve this problem:
Run oamtest.jar (ORACLE_HOME/oam/server/tester) and test the connection by specifying AgentID.
The AgentID can be found in ObAccessClient.xml, located in the webgate/config directory in the WEBSERVER_HOME. For example:
<SimpleList>
  <NameValPair ParamName="id" Value="IAMAG_11g"></NameValPair>
</SimpleList>
If the Tester fails to connect, this confirms a problem exists with the SSO Agent configuration (password/host/port) on the OAM Server.
Re-create the 10g or 11g SSO Agent and then re-configure the WebGate to use this Agent.
Follow the instructions in Oracle Fusion Middleware Administrator's Guide for Oracle Access Management.
User authenticated using the Oracle Access Management Console but is re-directed to the Oracle Identity Manager login page to enter credentials.
The security providers for the OIM domain are not configured correctly in Oracle WebLogic Server.
Verify the Weblogic security providers are configured correctly for the OIM domain security realm. Check the LDAP Authenticator setting. For more information, see Section 7.10.2.
OAMIDAsserter is not configured correctly in Oracle WebLogic Server.
To resolve this problem:
Log in to Oracle WebLogic Server Administration Console.
Navigate to the Common tab and verify Active Types contains the correct header for the WebGate type:
OAM_REMOTE_USER, for an 11g WebGate.
ObSSOCookie, for a 10g WebGate.
Access Manager relies upon Oracle Identity Manager for password management. If the user logs in for the first time or if the user password is expired, Access Manager re-directs the user to the Oracle Identity Manager First Login page.
From the Access Manager login screen, user should be able to navigate to the Oracle Identity Manager Forgot Password flow, the Self-Registration or Track Registration flows.
If there is any deviation or error thrown when performing these flows, the configuration in oam-config.xml (OAM_DOMAIN_HOME/config/fmwconfig) is incorrect.
Verify the contents of oam-config.xml resemble the following example. Specifically, verify that Host and Port correspond to the OHS (or any supported web server) configured to front-end Oracle Identity Manager resources.
<Setting Name="IdentityManagement" Type="htf:map">
  <Setting Name="IdentityServiceConfiguration" Type="htf:map">
    <Setting Name="IdentityServiceProvider" Type="xsd:string">oracle.security.am.engines.idm.provider.OracleIdentityServiceProvider</Setting>
    <Setting Name="AnonymousAuthLevel" Type="xsd:integer">0</Setting>
    <Setting Name="IdentityServiceEnabled" Type="xsd:boolean">true</Setting>
    <Setting Name="IdentityServiceProviderConfiguration" Type="htf:map">
      <Setting Name="AccountLockedURL" Type="xsd:string">/identity/faces/accountlocked</Setting>
      <Setting Name="ChallengeSetupNotDoneURL" Type="xsd:string">/identity/faces/firstlogin</Setting>
      <Setting Name="DateFormatPattern" Type="xsd:string">yyyy-MM-dd'T'HH:mm:ss'Z'</Setting>
      <Setting Name="ForcedPasswordChangeURL" Type="xsd:string">/identity/faces/firstlogin</Setting>
      <Setting Name="IdentityManagementServer" Type="xsd:string">OIM-SERVER-1</Setting>
      <Setting Name="PasswordExpiredURL" Type="xsd:string">/identity/faces/firstlogin</Setting>
      <Setting Name="LockoutAttempts" Type="xsd:integer">5</Setting>
      <Setting Name="LockoutDurationSeconds" Type="xsd:long">31536000</Setting>
    </Setting>
  </Setting>
  <Setting Name="RegistrationServiceConfiguration" Type="htf:map">
    <Setting Name="RegistrationServiceProvider" Type="xsd:string">oracle.security.am.engines.idm.provider.DefaultRegistrationServiceProvider</Setting>
    <Setting Name="RegistrationServiceEnabled" Type="xsd:boolean">true</Setting>
    <Setting Name="RegistrationServiceProviderConfiguration" Type="htf:map">
      <Setting Name="ForgotPasswordURL" Type="xsd:string">/identity/faces/forgotpassword</Setting>
      <Setting Name="NewUserRegistrationURL" Type="xsd:string">/identity/faces/register</Setting>
      <Setting Name="RegistrationManagementServer" Type="xsd:string">OIM-SERVER-1</Setting>
      <Setting Name="TrackUserRegistrationURL" Type="xsd:string">/identity/faces/trackregistration</Setting>
    </Setting>
  </Setting>
  <Setting Name="ServerConfiguration" Type="htf:map">
    <Setting Name="OIM-SERVER-1" Type="htf:map">
      <Setting Name="Host" Type="xsd:string">myhost1.example.com</Setting>
      <Setting Name="Port" Type="xsd:integer">7777</Setting>
      <Setting Name="SecureMode" Type="xsd:boolean">false</Setting>
    </Setting>
  </Setting>
</Setting>
A new user created in Oracle Identity Manager logs into Oracle Identity Manager for the first time and is not re-directed to the First Login Page and prompted to change their password.
The Oracle Virtual Directory adapters are not configured correctly.
Locate the corresponding adapters.or_xml file and verify that the oamEnabled attribute is set to true for both the UserManagement and changelog adapters. For example:
<param name="oamEnabled" value="true"/>
Next, verify that IdentityServiceEnabled is set to true in oam-config.xml (see Section 7.12.1.5). For example:
<Setting Name="IdentityServiceEnabled" Type="xsd:boolean">true</Setting>
A new user attempts to access Oracle Identity Manager Self-Service and after successful authentication, the user is re-directed in a loop. The service page does not load and the browser continues spinning or refreshing.
The OHS configuration setting for WLCookieName for front-ending identity is incorrect.
Check the OHS configuration for front-ending identity and verify that the WLCookieName directive is set to oimjsessionid. If not, set this directive to oimjsessionid for each Oracle Identity Manager resource Location entry. For example:
<Location /identity>
  SetHandler weblogic-handler
  WLCookieName oimjsessionid
  WebLogicHost myhost1.example.com
  WebLogicPort 8003
  WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
</Location>
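The two OHS checks in this section (the webgate.conf include at the end of httpd.conf, and WLCookieName oimjsessionid in every Oracle Identity Manager Location entry) can be scripted. The following Python is an added example, not part of this guide or of Oracle's tooling; it parses a constructed OHS configuration fragment in which the second Location deliberately lacks WLCookieName, and it assumes that the Oracle Identity Manager front-end paths are /identity and /sysadmin.

```python
import re

# Constructed sample of an OHS httpd.conf / mod_wl_ohs.conf fragment (not from a
# real deployment). The /sysadmin block deliberately lacks WLCookieName so that
# the check below flags it.
SAMPLE_OHS_CONF = """
<Location /identity>
    SetHandler weblogic-handler
    WLCookieName oimjsessionid
    WebLogicHost myhost1.example.com
    WebLogicPort 8003
</Location>

<Location /sysadmin>
    SetHandler weblogic-handler
    WebLogicHost myhost1.example.com
    WebLogicPort 8003
</Location>

include "/u01/oracle/webtier_inst/config/OHS/ohs1/webgate.conf"
"""

LOCATION_RE = re.compile(r"<Location\s+([^\s>]+)\s*>(.*?)</Location>", re.S | re.I)
DIRECTIVE_RE = re.compile(r"^\s*(\w+)\s+(.*?)\s*$", re.M)
INCLUDE_RE = re.compile(r'^\s*include\s+"?([^"\s]+)"?', re.M | re.I)


def parse_locations(conf: str) -> dict:
    """Return {path: {directive: value}} for every <Location> block."""
    result = {}
    for m in LOCATION_RE.finditer(conf):
        path, body = m.group(1), m.group(2)
        result[path] = {d.group(1): d.group(2) for d in DIRECTIVE_RE.finditer(body)}
    return result


def webgate_included(conf: str) -> bool:
    """True if an include directive pulls in a file named webgate.conf."""
    return any(p.endswith("webgate.conf") for p in INCLUDE_RE.findall(conf))


def check_oim_cookie_names(conf: str, oim_paths=("/identity", "/sysadmin")) -> list:
    """Return the OIM Location paths whose WLCookieName is missing or is not
    oimjsessionid (the redirect-loop symptom described above). oim_paths is an
    assumed list of the OIM front-end paths; adjust it to your deployment."""
    locations = parse_locations(conf)
    bad = []
    for path in oim_paths:
        directives = locations.get(path)
        if directives is None or directives.get("WLCookieName") != "oimjsessionid":
            bad.append(path)
    return bad


if __name__ == "__main__":
    print("webgate.conf included:", webgate_included(SAMPLE_OHS_CONF))
    print("Locations with wrong WLCookieName:", check_oim_cookie_names(SAMPLE_OHS_CONF))
```

Run it against the real file by replacing SAMPLE_OHS_CONF with the contents of httpd.conf and the mod_wl_ohs configuration it includes; an empty list from check_oim_cookie_names means every listed OIM Location carries the expected cookie name.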
The auto-login feature enables user login to Oracle Identity Manager after the successful completion of the Forgot Password or Forced Change Password flows, without prompting the user to authenticate using the new password.
Communication between Oracle Identity Manager and Access Manager can be configured to use NAP or TAP channels. Debugging auto-login issues is simplified if you determine which channel is being used. Determine the channel by examining the Oracle Identity Manager SSOConfig MBean (version attribute) using the System MBean Browser in Oracle Enterprise Manager Fusion Middleware Control. For more information, see "Using the System MBean Browser" in Oracle Fusion Middleware Administrator's Guide.
Depending upon the Access Manager version being used, the following applies:
If the version is 10g, the NAP channel is used during auto-login. See Section 7.12.2.1, "TAP Protocol Issues".
After a password is reset in Oracle Identity Manager and in LDAP through LDAP-sync, Oracle Identity Manager will auto-login the user by re-directing to the requested resource.
If the version is 11g, the TAP channel is used during auto-login. See Section 7.12.2.2, "NAP Protocol Issues".
After a password is reset in Oracle Identity Manager and in LDAP through LDAP sync, Oracle Identity Manager re-directs the user to the Access Manager TAP endpoint URL (SSOConfig: TAPEndpointUrl). Access Manager will auto-login the user by re-directing to the requested resource.
Note:
In an 11gR2 Oracle Identity Manager and Access Manager integrated environment, the TAP protocol is configured for auto-login by default.
Check the OIM Server and OAM Server logs for any of the following error messages.
After re-setting the password, user is re-directed to a 404 Not Found error page.
The Access Manager TAP endpoint URL (SSOConfig: TAPEndpointUrl) is configured incorrectly.
Verify that TAPEndpointUrl is correctly configured in Oracle Identity Manager SSOConfig and is accessible. For example:
http://OAM_HOST:OAM_PORT/oam/server/dap/cred_submit
Or
http://OHS_HOST:OHS_PORT/oam/server/dap/cred_submit
where Access Manager is front-ended by OHS.
After re-setting the password, the user is re-directed to the Access Manager TapEndpointUrl (configured in Oracle Identity Manager SSOConfig), and the following error displays in the UI:
System error. Please re-try your action. If you continue to get this error, please contact the Administrator.
A message similar to the following displays in the OAM Server logs:
<Sep 19, 2012 4:29:45 PM EST> <Warning> <oracle.oam.engine.authn> <BEA-000000> <DAP Token not received>
<Sep 19, 2012 4:29:45 PM EST> <Error> <oracle.oam.binding> <OAM-00002> <Error occurred while handling the request. java.lang.NullPointerException at oracle.security.am.engines.enginecontroller.token.DAPTokenEncIssuerImpl.issue(DAPTokenEncIssuerImpl.java:87)
This error could be due to mis-configuration of TAPResponseOnlyScheme in Access Manager. Verify that oam-config.xml (located at OAM_DOMAIN_HOME/config/fmwconfig) contains the following entry:
<Setting Name="DAPModules" Type="htf:map">
  <Setting Name="7DASE52D" Type="htf:map">
    <Setting Name="MAPPERCLASS" Type="xsd:string">oracle.security.am.engine.authn.internal.executor.DAPAttributeMapper</Setting>
    <Setting Name="MatchLDAPAttribute" Type="xsd:string">uid</Setting>
    <Setting Name="name" Type="xsd:string">DAP</Setting>
  </Setting>
</Setting>
The value of MatchLDAPAttribute should be uid. If not, change the value.
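The oam-config.xml entries quoted in this section and in Section 7.12.1.5 (IdentityServiceEnabled, the Host and Port of the server entry that front-ends Oracle Identity Manager, and MatchLDAPAttribute under DAPModules) can be verified with a script rather than by eye. The following Python is an added example, not Oracle's code; it runs against a constructed, trimmed fragment in which the DAP module deliberately matches on cn so the check reports it, and the expected OHS host and port are supplied by the caller.

```python
import xml.etree.ElementTree as ET

# Constructed, trimmed oam-config.xml fragment modelled on the entries quoted in
# this chapter. Not a real deployment's file; host and port are placeholders, and
# MatchLDAPAttribute is deliberately wrong (cn instead of uid).
SAMPLE_OAM_CONFIG = """<Configuration>
  <Setting Name="IdentityManagement" Type="htf:map">
    <Setting Name="IdentityServiceConfiguration" Type="htf:map">
      <Setting Name="IdentityServiceEnabled" Type="xsd:boolean">true</Setting>
      <Setting Name="IdentityServiceProviderConfiguration" Type="htf:map">
        <Setting Name="IdentityManagementServer" Type="xsd:string">OIM-SERVER-1</Setting>
      </Setting>
    </Setting>
    <Setting Name="ServerConfiguration" Type="htf:map">
      <Setting Name="OIM-SERVER-1" Type="htf:map">
        <Setting Name="Host" Type="xsd:string">myhost1.example.com</Setting>
        <Setting Name="Port" Type="xsd:integer">7777</Setting>
        <Setting Name="SecureMode" Type="xsd:boolean">false</Setting>
      </Setting>
    </Setting>
  </Setting>
  <Setting Name="DAPModules" Type="htf:map">
    <Setting Name="7DASE52D" Type="htf:map">
      <Setting Name="MatchLDAPAttribute" Type="xsd:string">cn</Setting>
      <Setting Name="name" Type="xsd:string">DAP</Setting>
    </Setting>
  </Setting>
</Configuration>
"""


def setting(node, *names):
    """Walk nested <Setting Name=...> maps and return the leaf text, or None if
    any step of the path is missing."""
    for name in names:
        node = node.find(f"./Setting[@Name='{name}']")
        if node is None:
            return None
    return (node.text or "").strip()


def check_oam_config(xml_text: str, ohs_host: str, ohs_port: int) -> list:
    """Return a list of findings; an empty list means all checks passed."""
    root = ET.fromstring(xml_text)
    findings = []

    im = root.find("./Setting[@Name='IdentityManagement']")
    if im is None:
        return ["IdentityManagement map missing"]

    # Identity service must be on for the First Login / Forgot Password flows.
    if setting(im, "IdentityServiceConfiguration", "IdentityServiceEnabled") != "true":
        findings.append("IdentityServiceEnabled is not true")

    # The server named by IdentityManagementServer must point at the web server
    # that front-ends Oracle Identity Manager.
    server = setting(im, "IdentityServiceConfiguration",
                     "IdentityServiceProviderConfiguration", "IdentityManagementServer")
    host = setting(im, "ServerConfiguration", server, "Host") if server else None
    port = setting(im, "ServerConfiguration", server, "Port") if server else None
    if host != ohs_host or port != str(ohs_port):
        findings.append(f"{server} points at {host}:{port}, expected {ohs_host}:{ohs_port}")

    # TAP: each DAP module must map the token to the user on uid.
    for mod in root.findall("./Setting[@Name='DAPModules']/Setting"):
        attr = setting(mod, "MatchLDAPAttribute")
        if attr != "uid":
            findings.append(f"DAPModules/{mod.get('Name')} MatchLDAPAttribute is {attr!r}, expected 'uid'")

    return findings


if __name__ == "__main__":
    for f in check_oam_config(SAMPLE_OAM_CONFIG, "myhost1.example.com", 7777):
        print("FINDING:", f)
```

To use it on a live system, read OAM_DOMAIN_HOME/config/fmwconfig/oam-config.xml into xml_text and pass the OHS host and port that front-end /identity; the full file carries many more maps than the fragment, but the paths walked here are the same.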
To resolve the problem:
Log in to Oracle Access Management Console.
Navigate to TapResponseOnlyScheme. Add the following as a Challenge parameter:
MatchLDAPAttribute=uid
Save the changes.
The following error displays in the OAM Server logs:
javax.crypto.BadPaddingException: Given final block not properly padded
This may occur if OIM_TAP_PARTNER_KEY is not included in the OIM credential map in the credential store, or if an invalid key is present.
Re-register Oracle Identity Manager as a TAP partner with Access Manager by re-running the idmConfigTool -configOIM option. After the -configOIM option is run, you must restart the complete OIM domain.
After re-setting the password, if auto-login is not successful, the OIM server logs contain the following error:
Error occured while retrieving TAP partner key from Credential store
To resolve the problem:
Using Fusion Middleware Control, verify the OIM_TAP_PARTNER_KEY generic credential is present in the OIM credential map in the credential store.
If OIM_TAP_PARTNER_KEY is present, verify that LDAP sync is configured correctly, and that the password is reset in the LDAP provider. Check this by issuing an ldapbind command with the user and the new/reset password.
After re-setting the password, if auto-login is not successful, the OIM server logs have the following error:
Error occured while retrieving DAP token from OAM due to invalid TAP partner key
The OIM_TAP_PARTNER_KEY present in the OIM credential map of the credential store is not valid.
Re-register Oracle Identity Manager as a TAP partner with Access Manager by re-running the idmConfigTool -configOIM option. After the -configOIM option is run, you must restart the complete OIM domain.
Check the OIM Server logs for any of the following types of error messages.
The resource URL is not protected.
Verify that the correct host:port combination is configured in the Access Manager host identifier configuration.
To resolve this problem:
Log in to Oracle Access Management Console.
Navigate to the IAMSuiteAgent.
Check the host identifiers for the host:port combination in the identifier. For example: IAMSuiteAgent:/oim
For the correct host:port combination, check the OIM logs for "Setting web resource url". This statement appears above the "Resource not protected URL" statement.
In general, the Host Identifier should contain the host:port combination of the OHS (web server) that is front-ending Oracle Identity Manager.
aaaClient is not initialized.
Verify that the passwords seeded into OIM domain credential store are correct. For OPEN mode, check for the WebGate password. For SIMPLE mode, check that SSO keystore password and SSO global pass phrase are seeded in correctly. For more information, see Section 7.10.3.
Failed to communicate with any of configured OAM Server. Verify that it is up and running.
Verify that the passwords seeded into OIM domain credential store are correct. For OPEN mode, check for the WebGate password. For SIMPLE mode, check that SSO keystore password and SSO global pass phrase also are seeded in correctly. For more information, see Section 7.10.3.
SSOKeystore tampered or password is incorrect.
Check that the keystore file ssoKeystore.jks is present in OIM_DOMAIN_HOME/config/fmwconfig. If present, then check if the keystore password is seeded properly into OIM domain credential store. For more information, see Section 7.10.3.
Oracle Identity Manager logs do not have any information about the failure.
To resolve this problem:
Enable HTTP headers and capture the headers while running through the First Login, Forgot Password flows. See Section 7.12.1.1.
In the HTTP headers, look for Set-Cookie: ObSSOCookie after the POST method on the First Login or Forgot Password page. Check the domain of the cookie. It should match the domain of the protected resource URL.
If the cookie domain is different, update the CookieDomain in the Oracle Identity Manager SSO configuration using Fusion Middleware Control. See Section 7.10.1.
If cookie domain is correct, then check for any time differences on the machines which host the OIM and OAM Servers.
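The HTTP header procedure described in Section 7.12.1.1 and in the steps above (find Set-Cookie: ObSSOCookie after the POST and compare its domain with the host of the protected resource) is easy to misjudge by eye. The following Python is an added example, not part of this guide; it parses a constructed header capture and applies the usual cookie-domain matching rule (the host equals the domain, or ends with a dot followed by it), reporting the same three outcomes the steps distinguish.

```python
from urllib.parse import urlsplit

# Constructed capture of the response headers from a POST to the First Login page
# (not a real trace). Only the headers the check cares about are included.
SAMPLE_HEADERS = """HTTP/1.1 302 Found
Location: http://myhost1.example.com:7777/identity/faces/home
Set-Cookie: ObSSOCookie=abc123; domain=.example.com; path=/; HttpOnly
Set-Cookie: oimjsessionid=XYZ; path=/identity; HttpOnly
"""


def parse_set_cookies(raw: str) -> list:
    """Return [(cookie_name, {attribute_lower: value})] for each Set-Cookie header."""
    cookies = []
    for line in raw.splitlines():
        if not line.lower().startswith("set-cookie:"):
            continue
        parts = [p.strip() for p in line.split(":", 1)[1].split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {}
        for p in parts[1:]:
            key, _, value = p.partition("=")
            attrs[key.strip().lower()] = value.strip()
        cookies.append((name, attrs))
    return cookies


def obssocookie_domain(raw: str):
    """Domain attribute of the ObSSOCookie, or None if no ObSSOCookie was set."""
    for name, attrs in parse_set_cookies(raw):
        if name == "ObSSOCookie":
            return attrs.get("domain")
    return None


def domain_matches(cookie_domain: str, resource_url: str) -> bool:
    """Cookie-domain rule: the resource host equals the domain or ends with '.' + domain."""
    if not cookie_domain:
        return False
    host = (urlsplit(resource_url).hostname or "").lower()
    domain = cookie_domain.lstrip(".").lower()
    return host == domain or host.endswith("." + domain)


def check_sso_cookie(raw: str, resource_url: str) -> str:
    """Classify a header capture the way the troubleshooting steps do."""
    domain = obssocookie_domain(raw)
    if domain is None:
        return "no ObSSOCookie set after POST: authentication did not complete"
    if not domain_matches(domain, resource_url):
        return (f"ObSSOCookie domain {domain} does not cover {resource_url}: "
                "check CookieDomain in the OIM SSO configuration")
    return "ok"


if __name__ == "__main__":
    print(check_sso_cookie(SAMPLE_HEADERS, "http://myhost1.example.com:7777/identity"))
```

When the result is "ok" but auto-login still fails, the remaining step above applies: compare the clocks of the OIM and OAM hosts.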
The session termination feature enables the termination of all active user sessions after the user status is modified by an Oracle Identity Manager administrator. The following Oracle Identity Manager operations lead to session termination: user lock or unlock, enable or disable, modify or delete.
Session termination is triggered by Oracle Identity Manager invoking the Access Manager NAP APIs to terminate the session. Communication is over the NAP channel.
To troubleshoot session termination issues:
Verify the NAP-related configuration is stored in Oracle Identity Manager SSOConfig. See Section 7.10.1.
Verify /db/ssointg/EventHandlers.xml is in Oracle Identity Manager MDS. See Section 7.10.4.
Verify that the AccessGateID attribute in Oracle Identity Manager SSOConfig points to a 10g SSO Agent hosted by OAM Server.
If SSOConfig points to an 11g Agent ID:
Create a new 10g SSO Agent.
Set its ID in the AccessGateID attribute.
Update the agent password (SSOAccessKey) in the OIM domain credential store.
If the communication mode is SIMPLE, a new keystore file (ssoKeystore.jks) must be created using the agent's aaa_cert.pem and aaa_key.pem, and copied to OIM_DOMAIN_HOME/config/fmwconfig directory.
In SIMPLE mode, update the SSO keystore key (SSOKeystoreKey) and the SSO global pass phrase (SSOGlobalPP) in the OIM domain credential store.
For information about creating a new 10g SSO Agent or ssoKeyStore.jks, see Oracle Fusion Middleware Administrator's Guide for Oracle Access Management.
Both Oracle Internet Directory(OID) and Access Manager (OAM) lock out the user due to multiple failed login attempts. The user attempts to reset his or her password using the Oracle Identity Manager (OIM) "Forgot Password" page, but the reset operation fails.
The user's locked status has not yet propagated to Oracle Identity Manager.
Check if the user is locked in Oracle Identity Manager:
Log in to the Identity Self Service application as an Oracle Identity Manager administrator.
Navigate to the Users section, then search for the user.
Check if the Identity status is locked.
If the status is not locked, run an LDAP User Create and Update Reconciliation scheduled job, and then confirm that the user status is locked.
The user account self-locks due to multiple invalid credentials login attempts. Later, when the user attempts to log in with the correct credentials, he or she is not able to log in. The user expects to log in first and then change the password, but login fails consistently.
Both Oracle Internet Directory and Access Manager may have locked the user account. In this case the user cannot log in to Oracle Identity Manager or to any protected page. The user has to use the Forgot Password flow to reset the password.
Note that if only Access Manager locks out the user, the user can log in to Oracle Identity Manager and change the password immediately.
The Oracle Internet Directory pwdMaxFailure count of three is less than the oblogintrycount value of five. Oracle Internet Directory locks out the user due to multiple invalid credentials login attempts (in this case, three attempts). Later, when the user tries to log in with the correct credentials, on the fourth attempt the user still cannot log in. The user expects to log in first and then change the password, but login fails consistently.
Oracle Internet Directory locked out the user, but Access Manager did not. The user cannot log in with the correct password even though the oblogintrycount is less than five, but following the Forgot Password flow works and resets the password.
Note that when Oracle Internet Directory locks out the user there is nothing to reconcile into Oracle Identity Manager because OIM does not reconcile user accounts that are locked in Oracle Internet Directory. When Oracle Internet Directory locks the user, Oracle Identity Manager shows the user as active. Following the Forgot Password flow is the only way to reset the password.
The Oracle Internet Directory pwdMaxFailure count value of seven is greater than the oblogintrycount value of five. Access Manager locked out the user due to multiple invalid credentials login attempts. Later, when the user tries to log in with the correct credentials, the user is able to log in and is redirected to change the password, but the reset password operation fails.
The user locked status has not yet propagated to Oracle Identity Manager.
Check if the user is locked in Oracle Identity Manager:
Log in to the Identity Self Service application as an Oracle Identity Manager administrator.
Navigate to Users section, then search for the user.
Check if the Identity status is locked.
If the status is not locked, run an LDAP User Create and Update Reconciliation scheduled job, and then confirm that the user status is locked.
Note that use case one and this use case look similar. In use case one, both Oracle Internet Directory and Access Manager locked the user account, whereas in this use case only Access Manager locks the user. The remedy for both use cases is the same, however.
The user cannot remember his or her password and tries to reset the password using the Forgot Password flow. The user provides his or her user login, provides a new password, and provides incorrect challenge answers. After three failed attempts, both Oracle Internet Directory and Access Manager lock the user. The user expects to get locked out after five attempts instead of three attempts because the oblogintrycount value is 5.
The password reset attempts in the Oracle Identity Manager Reset/Forgot Password flow are governed by the Oracle Identity Manager system property XL.MaxPasswordResetAttempts, and the default value is 3. Consequently, the user is locked out immediately after three attempts. Oracle Identity Manager locks the user natively in Oracle Internet Directory and in Access Manager.
Note that password reset attempts are different from login attempts. Login attempts are governed by Access Manager (oblogintrycount=5) and password reset attempts by Oracle Identity Manager (XL.MaxPasswordResetAttempts=3).
Oracle Internet Directory locks the user because some LDAP client repeatedly bound with incorrect credentials. Access Manager does not lock out the user. When the user tries to log in with the correct credentials, he or she is not able to log in.
Oracle Internet Directory locks the user out in this use case, not Access Manager. The user cannot log in with the correct password even if the oblogintrycount is still less than 5, but the user can reset his or her password by following the Forgot Password flow.
Note that when a user is only locked out by Oracle Internet Directory, the user's lock-out status is not reconciled into Oracle Identity Manager. Consequently, the user shows up as still active in Oracle Identity Manager even though the user is locked in Oracle Internet Directory.
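The five use cases above all follow from three independent counters (the Oracle Internet Directory pwdMaxFailure limit, the Access Manager oblogintrycount limit and the Oracle Identity Manager XL.MaxPasswordResetAttempts limit) plus the rule that only an Access Manager lock is reconciled into Oracle Identity Manager. The following Python is an added model of those rules, not Oracle code; the thresholds are the values quoted in the use cases and are passed in as parameters so that other deployments' settings can be tried.

```python
from dataclasses import dataclass

# Thresholds as quoted in the use cases above (defaults only; pass your own values).
OBLOGINTRYCOUNT = 5                  # Access Manager failed-login limit
XL_MAX_PASSWORD_RESET_ATTEMPTS = 3   # Oracle Identity Manager default


@dataclass
class LockState:
    oid_locked: bool
    oam_locked: bool

    @property
    def oim_status_after_recon(self) -> str:
        # Reconciliation carries an Access Manager lock into OIM; an OID-only lock
        # leaves the user Active in OIM (use cases 2 and 5).
        return "locked" if self.oam_locked else "active"

    @property
    def remedy(self) -> str:
        if self.oid_locked:
            # OID rejects the bind, so even correct credentials cannot log the user
            # in; only the Forgot Password flow resets the password (use cases 1, 2, 5).
            return "forgot-password-flow"
        if self.oam_locked:
            # Only Access Manager locked the user: login succeeds and the user is
            # redirected to change the password (use case 3).
            return "login-then-change-password"
        return "none"


def after_failed_logins(n: int, pwd_max_failure: int,
                        oblogintrycount: int = OBLOGINTRYCOUNT) -> LockState:
    """Lock state after n consecutive wrong-password logins through Access Manager.
    Each failure counts in both stores; each store locks at its own limit."""
    return LockState(oid_locked=n >= pwd_max_failure, oam_locked=n >= oblogintrycount)


def after_failed_resets(n: int, max_reset: int = XL_MAX_PASSWORD_RESET_ATTEMPTS) -> LockState:
    """Wrong challenge answers in Forgot Password: OIM locks the user in both stores
    once XL.MaxPasswordResetAttempts is reached, regardless of oblogintrycount (use case 4)."""
    locked = n >= max_reset
    return LockState(oid_locked=locked, oam_locked=locked)


def after_failed_binds(n: int, pwd_max_failure: int) -> LockState:
    """Failed direct LDAP binds (for example a client with a stale password) are
    counted only by OID; Access Manager never sees them (use case 5)."""
    return LockState(oid_locked=n >= pwd_max_failure, oam_locked=False)


if __name__ == "__main__":
    for label, state in [
        ("use case 1: 5 bad logins, pwdMaxFailure=3", after_failed_logins(5, 3)),
        ("use case 2: 3 bad logins, pwdMaxFailure=3", after_failed_logins(3, 3)),
        ("use case 3: 5 bad logins, pwdMaxFailure=7", after_failed_logins(5, 7)),
        ("use case 4: 3 bad challenge answers", after_failed_resets(3)),
        ("use case 5: 3 bad LDAP binds, pwdMaxFailure=3", after_failed_binds(3, 3)),
    ]:
        print(f"{label}: OIM shows {state.oim_status_after_recon}, remedy {state.remedy}")
```

The model makes the practical point explicit: whenever the OID limit is the lower of the two, users will be locked in OID before Access Manager notices, OIM will keep showing them as Active, and the only self-service path is Forgot Password.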
This section provides solutions for the following miscellaneous issues:
For successful client-based login to Oracle Identity Manager:
The client-based login user must be present in the LDAP provider.
An LDAP Authenticator must be configured in the OIM domain security realm corresponding to the LDAP provider where the user is present. See Section 7.10.2.
If logging out of an Oracle Identity Manager protected application throws a 404 error, verify that the logout configuration is present in jps-config.xml. See Section 7.10.5.
If needed, the JPS configuration can be fixed by editing the jps-configuration file located in $DOMAIN_HOME/config/fmwconfig and then restarting all the servers.
To resolve a misconfiguration in jps-config.xml:
In a terminal window, issue the following commands:
cd $DW_ORACLE_HOME/common/bin
./wlst.sh
connect()
addOAMSSOProvider(loginuri="/${app.context}/adfAuthentication", logouturi="/oamsso/logout.html", autologinuri="/obrar.cgi")
exit()
Restart all servers in the domain.