10 Performing Post-Deployment Configuration

This chapter describes tasks you must perform after Deployment.

10.1 Post-Deployment Steps for OPSS

In this release of Identity and Access Management, an optimized OPSS is available. In order to use this optimized OPSS, you must upgrade the OPSS schema. The deployment tool does not do this, so you must perform this step manually, by using Patch Set Assistant, at the end of provisioning.

To upgrade the OPSS schema for EDGIAD and EDGIGD:

  1. Start the Patch Set Assistant by running the psa command from IAD_MW_HOME/oracle_common/bin, for example:

    ./psa
    
  2. On the Welcome Screen click Next.

  3. On the Select Component Screen select Oracle Platform Security Services ONLY and click Next.

  4. On the Prerequisites screen, specify whether or not you have a database backup and that the database version is certified.

    Click Next.

  5. On the Schema page, enter:

    • Schema User Name: For example: EDGIAD_OPSS

    • Password: Password supplied when RCU was run.

    • Database Type: Oracle Database

    • Connect String: IDMDB-SCAN:DB_LSNR_PORT/OAM_DB_SERVICENAME, for example: IAMDB-SCAN.mycompany.com:1521/oamedg.mycompany.com

    • DBA User Name: sys as sysdba

    • DBA Password: PASSWORD

    Click Connect.

    Click Next.

  6. On the Examine Page, verify that Successful is displayed and click Next.

  7. On the Upgrade Summary Page verify that the information is correct and click Upgrade.

  8. Once the upgrade is finished, click Next.

  9. On the Upgrade Success page, click Close.

  10. Verify that the schema upgrade has been successful by checking the log files located in

    IAD_MW_HOME/oracle_common/upgrade/logs/psa/psatimestamp.log
    
  11. Restart the domain.

  12. After upgrading the OPSS schema, run the following command:

    SELECT VERSION, STATUS, UPGRADED FROM SCHEMA_VERSION_REGISTRY WHERE OWNER='<RCU_Prefix>_OPSS';
    

    The VERSION should now be 11.1.1.7.2 and UPGRADED should be Yes.

10.2 Post-Deployment Steps for Oracle Unified Directory

Perform the following steps for Oracle Unified Directory.

10.2.1 Update Oracle Unified Directory Change Log Access

If you are using Oracle Unified Directory and Oracle Identity Manager, grant access to the change log by performing the following steps on all OUD hosts (LDAPHOST1 and LDAPHOST2).

To grant access to the change log:

  1. Remove the existing change log permission by issuing this command on one of the replicated OUD hosts:

    OUD_ORACLE_INSTANCE/bin/dsconfig set-access-control-handler-prop \
    --remove global-aci:"(target=\"ldap:///cn=changelog\")(targetattr=\"*\")(version 3.0; acl \"External changelog access\"; deny (all) userdn=\"ldap:///anyone\";)" \
            --hostname OUD_HOST \
            --port OUD_ADMIN_PORT \
            --trustAll \
            --bindDN cn=oudadmin \
            --bindPasswordFile passwordfile \
            --no-prompt 
    

    For example:

    OUD_ORACLE_INSTANCE/bin/dsconfig set-access-control-handler-prop \
    --remove global-aci:"(target=\"ldap:///cn=changelog\")(targetattr=\"*\")(version 3.0; acl \"External changelog access\"; deny (all) userdn=\"ldap:///anyone\";)" \
            --hostname LDAPHOST1.mycompany.com \
            --port 4444 \
            --trustAll  \
            --bindDN cn=oudadmin \
            --bindPasswordFile mypasswordfile \
            --no-prompt
    
  2. Then add the following new ACI:

    OUD_ORACLE_INSTANCE/bin/dsconfig set-access-control-handler-prop \
    --add global-aci:"(target=\"ldap:///cn=changelog\")(targetattr=\"*\")(version 3.0; acl \"External changelog access\"; allow (read,search,compare,add,write,delete,export) groupdn=\"ldap:///cn=OIMAdministrators,cn=groups,dc=mycompany,dc=com\";)" \
            --hostname OUD_HOST \
            --port OUD_ADMIN_PORT \
            --trustAll \
            --bindDN cn=oudadmin \
            --bindPasswordFile passwordfile \
            --no-prompt
    

    For example:

    OUD_ORACLE_INSTANCE/bin/dsconfig set-access-control-handler-prop \
    --add global-aci:"(target=\"ldap:///cn=changelog\")(targetattr=\"*\")(version 3.0; acl \"External changelog access\"; allow (read,search,compare,add,write,delete,export) groupdn=\"ldap:///cn=OIMAdministrators,cn=groups,dc=mycompany,dc=com\";)" \
            --hostname LDAPHOST1.mycompany.com \
            --port 4444 \
            --trustAll \
            --bindDN cn=oudadmin \
            --bindPasswordFile mypasswordfile \
            --no-prompt
    

10.2.2 Update Oracle Unified Directory ACIs for LDAP Synchronization

The following is a workaround for an Oracle Unified Directory operations failure when LDAP synchronization is enabled.

In an environment in which LDAP synchronization is enabled, certain operations against Oracle Unified Directory fail with the following error in Oracle Unified Directory logs:

The request control with Object Identifier (OID) "1.2.840.113556.1.4.319" cannot be used due to insufficient access rights

To work around this issue, you must edit a configuration file on both instances of Oracle Unified Directory.

  1. Change the ACIs so that control 1.2.840.113556.1.4.319 (the LDAP Simple Paged Results control) is granted to userdn ldap:///anyone instead of ldap:///all, in the Oracle Unified Directory configuration file OUD_ORACLE_INSTANCE/OUD/config/config.ldif. The control OID moves from the "Authenticated users control access" ACI to the "Anonymous control access" ACI, as shown:

    Change:

    ds-cfg-global-aci: (targetcontrol="1.3.6.1.1.12 || 1.3.6.1.1.13.1 || 1.3.6.1.1.13.2 || 1.2.840.113556.1.4.319 || 1.2.826.0.1.3344810.2.3 || 2.16.840.1.113730.3.4.18 || 2.16.840.1.113730.3.4.9 || 1.2.840.113556.1.4.473 || 1.3.6.1.4.1.42.2.27.9.5.9") (version 3.0; acl "Authenticated users control access"; allow(read) userdn="ldap:///all";)
    

    To:

    ds-cfg-global-aci: (targetcontrol="2.16.840.1.113730.3.4.2 || 2.16.840.1.113730.3.4.17 || 2.16.840.1.113730.3.4.19 || 1.3.6.1.4.1.4203.1.10.2 || 1.3.6.1.4.1.42.2.27.8.5.1 || 2.16.840.1.113730.3.4.16 || 2.16.840.1.113894.1.8.31 || 1.2.840.113556.1.4.319") (version 3.0; acl "Anonymous control access"; allow(read) userdn="ldap:///anyone";)
    
  2. Restart the Oracle Unified Directory server as described in Section 15.1, "Starting and Stopping Components."
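As an added example (not part of the Oracle documentation), the following Python parser reads the global-aci syntax used in the dsconfig commands of Section 10.2.1 and the config.ldif entries of Section 10.2.2, and an audit helper flags ACIs that grant write rights to ldap:///anyone or ldap:///all, or that expose request controls to anonymous binds. The sample ACI strings are copied from those two sections; the regular expressions, the Aci class and the finding messages are this example's own and cover only the ACI features the chapter uses.

```python
import re
from dataclasses import dataclass
# Target clauses before the body, e.g. (target="ldap:///cn=changelog") or (targetcontrol="oid || oid").
TARGET_RE = re.compile(r'\((target|targetattr|targetcontrol|targetscope|targetfilter)\s*!?=\s*"([^"]*)"\)')
# The body: (version 3.0; acl "name"; <one or more permission rules>)
BODY_RE = re.compile(r'\(version\s+3\.0;\s*acl\s+"([^"]*)";\s*(.*)\)\s*$', re.S)
# One permission rule: allow|deny (rights) bindtype="subject";
RULE_RE = re.compile(r'(allow|deny)\s*\(([^)]*)\)\s*(userdn|groupdn|roledn)\s*=\s*"([^"]*)"\s*;')
WRITE_RIGHTS = {"all", "write", "add", "delete", "export", "import", "proxy"}
PUBLIC_SUBJECTS = {"ldap:///anyone", "ldap:///all"}  # anonymous binds / any authenticated user

@dataclass
class Aci:
    name: str
    targets: dict  # clause keyword -> value; targetcontrol is split into a list of OIDs
    rules: list    # [(effect, set_of_rights, bindtype, subject), ...]

def parse_aci(text: str) -> Aci:
    """Parse one global-aci value as written for dsconfig or in config.ldif."""
    targets = {}
    for key, value in TARGET_RE.findall(text):
        targets[key] = [v.strip() for v in value.split("||")] if key == "targetcontrol" else value
    body = BODY_RE.search(text)
    if not body:
        raise ValueError("no (version 3.0; acl ...) body found")
    rules = [(effect, {r.strip() for r in rights.split(",")}, bind, subject)
             for effect, rights, bind, subject in RULE_RE.findall(body.group(2))]
    return Aci(body.group(1), targets, rules)

def audit(aci: Aci) -> list:
    """Findings a config reviewer would want to see; an empty list means nothing unusual."""
    findings = []
    for effect, rights, bind, subject in aci.rules:
        if effect != "allow":
            continue
        if bind == "userdn" and subject in PUBLIC_SUBJECTS and rights & WRITE_RIGHTS:
            findings.append(f"{aci.name!r}: grants {sorted(rights & WRITE_RIGHTS)} to {subject}")
        if "targetcontrol" in aci.targets and subject == "ldap:///anyone":
            findings.append(f"{aci.name!r}: lets anonymous binds use {len(aci.targets['targetcontrol'])} request controls")
    return findings

# Sample ACIs copied from Sections 10.2.1 and 10.2.2 of this chapter.
CHANGELOG_DENY = ('(target="ldap:///cn=changelog")(targetattr="*")(version 3.0; '
                  'acl "External changelog access"; deny (all) userdn="ldap:///anyone";)')
CHANGELOG_ALLOW = ('(target="ldap:///cn=changelog")(targetattr="*")(version 3.0; '
                   'acl "External changelog access"; allow (read,search,compare,add,write,delete,export) '
                   'groupdn="ldap:///cn=OIMAdministrators,cn=groups,dc=mycompany,dc=com";)')
ANON_CONTROLS = ('(targetcontrol="2.16.840.1.113730.3.4.2 || 2.16.840.1.113730.3.4.17 || '
                 '2.16.840.1.113730.3.4.19 || 1.3.6.1.4.1.4203.1.10.2 || 1.3.6.1.4.1.42.2.27.8.5.1 || '
                 '2.16.840.1.113730.3.4.16 || 2.16.840.1.113894.1.8.31 || 1.2.840.113556.1.4.319") '
                 '(version 3.0; acl "Anonymous control access"; allow(read) userdn="ldap:///anyone";)')
```

Running audit over each ds-cfg-global-aci line of config.ldif after the edits above is a quick check that no ACI grants more than the chapter calls for.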

10.3 Post-Deployment Steps for Oracle Identity Manager

Perform the following post-deployment steps.

10.3.1 Post Deployment Steps to Address Known Issue

Due to a known issue, node manager SSL is not configured fully. The workaround is to perform the following steps for each administration and managed server in the deployment, in each domain.

  1. Log in to the WebLogic Console for the domain at the URL listed in Section 15.2, "About Identity and Access Management Console URLs."

  2. Click Lock and Edit.

  3. Navigate to Environment > Servers.

  4. Click a server name, for example: wls_oam1.

  5. Click the SSL tab.

  6. Expand Advanced Options and change Hostname Verification to BEA Host Name Verifier.

  7. Click Save.

  8. Repeat for each server in the domain.

  9. Click Activate Changes.

  10. Restart the domain.

  11. Repeat for the second domain.

10.3.2 Update Server Start Parameters

As a workaround for a known issue in the Identity and Access Management Deployment tools, you must add an Oracle Identity Manager property. Perform the following steps:

  1. Log in to the WebLogic Console in the IAMGovernanceDomain. (The Console URLs are provided in Section 15.2, "About Identity and Access Management Console URLs.")

  2. Navigate to Environment -> Servers.

  3. Click Lock and Edit.

  4. Click on the server WLS_OIM1.

  5. Click on the Server Start subtab.

  6. Add the following to the Arguments field:

     -Djava.net.preferIPv4Stack=true
    
  7. Click Save.

  8. Repeat Steps 4-7 for the managed server WLS_OIM2.

  9. Click Activate Changes.

10.4 Post-Deployment Steps for the Email Server

If you configured an email server in Section 8.12, "Configure Oracle Identity Manager" and the mail server security is SSL, follow these additional steps:

  1. Ensure that the proxy is set for the environment.

    1. Stop the IAMGovernanceDomain Administration Server and the OIM Managed Servers (wls_oim1/2).

    2. Back up the IGD_MSERVER_HOME/bin/setDomainEnv.sh file.

    3. Modify IGD_MSERVER_HOME/bin/setDomainEnv.sh to include the proxy settings.

    4. Include this command as part of the environment setup in the setDomainEnv.sh file:

      export PROXY_SETTINGS="-Dhttp.proxySet=true -Dhttp.proxyHost=www-proxy.mycompany.com -Dhttp.proxyPort=80 -Dhttp.nonProxyHosts=localhost|${HOST}|*.mycompany.com|*.oracle.com"
      

      For example:

      export JAVA_PROPERTIES
      export PROXY_SETTINGS="-Dhttp.proxySet=true -Dhttp.proxyHost=www-proxy.mycompany.com -Dhttp.proxyPort=80 -Dhttp.nonProxyHosts=localhost|${HOST}|*.mycompany.com"
      ARDIR="${WL_HOME}/server/lib"
      export ARDIR
      
  2. Remove the DemoTrust store references from the SOA environment. This runs SOA in non-SSL mode.

    1. Modify IGD_MSERVER_HOME/bin/setDomainEnv.sh to remove the DemoTrust references.

    2. Remove this reference from EXTRA_JAVA_PROPERTIES in setDomainEnv.sh:

      -Djavax.net.ssl.trustStore=${WL_HOME}/server/lib/DemoTrust.jks
      
    3. Restart both the Administration and the Managed server.

10.5 Post-Deployment Steps for Access Manager

10.5.1 Update Idle Timeout Value

By default, the Access Manager idle timeout is set to two hours. This can cause users not to be logged out after their session has timed out. Update this value to 15 minutes.

To update the idle timeout value:

  1. Log in to the Access Management Console at the URL listed in Section 15.2, "About Identity and Access Management Console URLs."

  2. Log in as the Access Manager administrator user you created in Section 8.9, "Set User Names and Passwords" for example: oamadmin.

  3. Click on Common Settings under Configuration.

  4. Change Idle Time out (minutes) to 15.

  5. Click Apply.

10.5.2 Update WebGate Agents

After deployment, update existing WebGate Agents. The Identity and Access Management Console URLs are provided in Section 15.2, "About Identity and Access Management Console URLs."

Update the Access Manager Security Model of all WebGate profiles, with the exception of Webgate_IDM and Webgate_IDM_11g, which should already be set. In addition, set a password for the IAMSuiteAgent profile so that it can be used for OAAM integration. (The IAMSuiteAgent was created when Access Manager was installed.)

To update these WebGate agents:

  1. Log in to the Access Management Console as the Access Management administrator user identified by the entry in Section 8.9, "Set User Names and Passwords."

  2. Click SSO Agents in the Access Manager box.

  3. Ensure that the WebGates tab is selected.

  4. Click Search.

  5. Click an Agent, for example: IAMSuiteAgent.

  6. Set the Security value to the same value defined to OAM Transfer Mode on the Access Manager Configuration screen in Section 8.15, "Configure Oracle Access Manager."

    Click Apply.

  7. In the Primary Server list, click + and add any missing Access Manager Servers.

  8. If a password has not already been assigned, enter a password into the Access Client Password Field and click Apply.

    Assign an Access Client Password, such as the Common IAM Password (COMMON_IDM_PASSWORD) you used in Section 8.9, "Set User Names and Passwords" or an Access Manager-specific password, if you have set one.

  9. Set Maximum Number of Connections to 20 for all of the Access Manager Servers listed in the primary servers list. (This is the total maximum number of connections for the primary servers, which is 10 x WLS_OAM1 connections plus 10 x WLS_OAM2 connections.)

  10. If you see the following in the User Defined Parameters:

    logoutRedirectUrl=http://OAMHOST1.mycompany.com:14100/oam/server/logout
    

    Change it to:

    logoutRedirectUrl=https://sso.mycompany.com/oam/server/logout
    
  11. Click Apply.

  12. Repeat these steps for each WebGate.

  13. Check that the security setting matches that of your Access Manager servers.

10.6 Adding a Load Balancer Certificate to Trust Stores

Oracle Privileged Account Manager (OPAM) requires that the SSL certificate used by the load balancer be added to the trusted certificates in the JDK used by OPAM.

To add the certificate:

  1. Obtain the certificate from the load balancer.

    You can obtain the load balancer certificate using a browser, such as Firefox. However, the easiest way to obtain it is to use the openssl command. The syntax of the command is as follows:

    openssl s_client -connect LOADBALANCER -showcerts </dev/null 2>/dev/null|openssl x509 -outform PEM > SHARED_CONFIG_DIR/keystores/sso.mycompany.com.pem
    

    For example:

    openssl s_client -connect sso.mycompany.com:443 -showcerts </dev/null 2>/dev/null|openssl x509 -outform PEM > SHARED_CONFIG_DIR/keystores/sso.mycompany.com.pem
    

    This command saves the first certificate presented by the load balancer (its server certificate) to a file called sso.mycompany.com.pem in the following directory:

    SHARED_CONFIG_DIR/keystores
    
  2. Load the certificate into the JDK and Node Manager Trust Stores by running the following command to import the CA certificate file, sso.mycompany.com.pem, into the IGD_MW_HOME Java, and Node Manager trust stores:

    export JAVA_HOME=IGD_MW_HOME/jdk6
    export PATH=$JAVA_HOME/bin:$PATH

    keytool -importcert -file SHARED_CONFIG_DIR/keystores/sso.mycompany.com.pem -trustcacerts -keystore $JAVA_HOME/jre/lib/security/cacerts

    keytool -importcert -file SHARED_CONFIG_DIR/keystores/sso.mycompany.com.pem -trustcacerts -keystore SHARED_CONFIG_DIR/keystores/appTrustKeyStore-oimhost1vhn.mycompany.com.jks

    keytool -importcert -file SHARED_CONFIG_DIR/keystores/sso.mycompany.com.pem -trustcacerts -keystore SHARED_CONFIG_DIR/keystores/appTrustKeyStore-oimhost2vhn.mycompany.com.jks

    keytool -importcert -file SHARED_CONFIG_DIR/keystores/sso.mycompany.com.pem -trustcacerts -keystore SHARED_CONFIG_DIR/keystores/appTrustKeyStore-oimhost1.mycompany.com.jks

    keytool -importcert -file SHARED_CONFIG_DIR/keystores/sso.mycompany.com.pem -trustcacerts -keystore SHARED_CONFIG_DIR/keystores/appTrustKeyStore-oimhost2.mycompany.com.jks

    You are prompted to enter a password for each keystore: the default password for the JDK cacerts keystore is changeit, and the Node Manager keystores use the COMMON_IAM_PASSWORD. You are also prompted to confirm that you trust the certificate; before answering yes, compare the fingerprint that keytool displays with that of the certificate installed on the load balancer.

    Note:

    The names of the virtual hosts you assigned to your OIM server are oimhost1vhn and oimhost2vhn.

10.7 Restarting All Components

Restart all components, as described in Section 15.1, "Starting and Stopping Components."