3 Installing and Configuring Oracle Identity and Access Management (11.1.2.2.0)

3.1 Installation and Configuration Roadmap

Table 3-1 lists the general installation and configuration tasks that apply to Oracle Identity and Access Management 11g Release 2 (11.1.2.2.0) products.

Table 3-1 Installation and Configuration Flow for Oracle Identity and Access Management

  1. Review installation concepts in the Installation Planning Guide.

    Read the Oracle Fusion Middleware Installation Planning Guide, which describes the process for various users to install or upgrade to Oracle Fusion Middleware 11g (11.1.2) depending on the user's existing environment.

  2. Review the system requirements and certification documents to ensure that your environment meets the minimum installation requirements for the components you are installing.

    For more information, see Section 2.1, "Reviewing System Requirements and Certification".

  3. Obtain the Oracle Fusion Middleware Software.

    For more information, see Section 3.2.1, "Obtaining the Oracle Fusion Middleware Software".

  4. Review the Database requirements.

    For more information, see Section 3.2.2, "Database Requirements".

    Note: Some of the Oracle Database versions require patches. For more information, see Section 3.2.2.1, "Oracle Database Patch Requirements for Oracle Identity Manager".

  5. Run Oracle Fusion Middleware Repository Creation Utility (RCU) to create and load the appropriate schemas for Oracle Identity and Access Management products.

    For more information, see Section 3.2.3, "Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU)".

  6. Review WebLogic Server and Middleware Home requirements.

    For more information, see Section 3.2.4, "WebLogic Server and Middleware Home Requirements".

  7. For Oracle Identity Manager users only: Install Oracle SOA Suite 11g Release 1 (11.1.1.7.0).

    For more information, see Section 3.2.5, "Installing Oracle SOA Suite (Oracle Identity Manager Users Only)".

    Note: After installing Oracle SOA Suite 11.1.1.7.0, you must apply mandatory SOA patches before installing Oracle Identity Manager. For more information, see "SOA Patch Requirements for Oracle Identity Manager".

  8. Start the Oracle Identity and Access Management Installer.

    For more information, see Section 3.2.6, "Starting the Oracle Identity and Access Management Installer".

  9. Install the Oracle Identity and Access Management 11g software.

    For more information, see Section 3.2.7, "Installing Oracle Identity and Access Management 11g Release 2 (11.1.2.2.0)".

  10. Run the Oracle Fusion Middleware Configuration Wizard to configure your Oracle Identity and Access Management products in a new or existing WebLogic domain.

    For more information, see Section 3.2.8, "Configuring Oracle Identity and Access Management (11.1.2.2.0) Products".

  11. Upgrade the OPSS schema using Patch Set Assistant.

    For more information, see Section 3.2.9, "Upgrading OPSS Schema using Patch Set Assistant".

  12. Configure the Database Security Store.

    For more information, see Section 3.2.10, "Configuring Database Security Store for an Oracle Identity and Access Management Domain".

  13. For Oracle Identity Manager users only:

    • Configure the Oracle Identity Manager Server by running the Oracle Identity Manager configuration wizard.

    • Optional: Configure Oracle Identity Manager Design Console.

    • Optional: Configure Oracle Identity Manager Remote Manager.

    For more information, see Section 3.2.11, "Configuring Oracle Identity Manager Server, Design Console, and Remote Manager".

  14. Start the servers.

    You must start the Administration Server and all Managed Servers. For more information, see Section C.1, "Starting the Stack".

3.2 Installing and Configuring Oracle Identity and Access Management 11g Release 2 (11.1.2.2.0)

Follow the instructions in this section to install and configure the latest Oracle Identity and Access Management software.

Installing and configuring the latest version of Oracle Identity and Access Management 11g components involves the following steps:

3.2.1 Obtaining the Oracle Fusion Middleware Software

For installing Oracle Identity and Access Management, you must obtain the following software:

  • Oracle WebLogic Server 11g Release 1 (10.3.6)

  • Oracle Database

  • Oracle Repository Creation Utility

  • Oracle Identity and Access Management Suite

  • Oracle SOA Suite 11.1.1.7.0 (required for Oracle Identity Manager only)

  • Oracle Entitlements Server Client (required for Oracle Entitlements Server only)

For more information on obtaining Oracle Fusion Middleware 11g software, see Oracle Fusion Middleware Download, Installation, and Configuration ReadMe.

3.2.2 Database Requirements

Some Oracle Identity and Access Management components require an Oracle Database. Ensure that you have an Oracle Database installed on your system before installing Oracle Identity and Access Management. The database must be up and running to install the relevant Oracle Identity and Access Management component. The database does not have to be on the same system where you are installing the Oracle Identity and Access Management component.

Note:

For information about certified databases, see the "Database Requirements" topic in the Oracle Fusion Middleware System Requirements and Specifications for Oracle Identity and Access Management 11g Release 2 (11.1.2) document.

For information about RCU requirements for Oracle Databases, see "RCU Requirements for Oracle Databases" in the Oracle Fusion Middleware System Requirements and Specifications for Oracle Identity and Access Management 11g Release 2 (11.1.2) document.

3.2.2.1 Oracle Database Patch Requirements for Oracle Identity Manager

Some of the Oracle Database versions require patches. To identify the patches required for Oracle Identity Manager 11.1.2 configurations that use Oracle Databases, refer to the "Oracle Identity Manager" section of the 11g Release 2 Oracle Fusion Middleware Release Notes.

3.2.3 Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU)

You must create and load the appropriate Oracle Fusion Middleware schemas in the database using RCU before installing and configuring the following Oracle Identity and Access Management components:

  • Oracle Identity Manager

  • Oracle Access Management

  • Oracle Adaptive Access Manager

  • Oracle Entitlements Server

  • Oracle Privileged Account Manager

Notes:

  • To create database schemas for Oracle Identity and Access Management 11g Release 2 (11.1.2.2.0) components, you must use the 11g Release 2 (11.1.2.2.0) version of the Oracle Fusion Middleware Repository Creation Utility.

  • For information on RCU requirements, refer to the "Repository Creation Utility (RCU) Requirements" topic in the Oracle Fusion Middleware System Requirements and Specifications for Oracle Identity and Access Management 11g Release 2 (11.1.2) document.

  • For general information about using RCU, use the Oracle Fusion Middleware Repository Creation Utility User's Guide. Ensure that the RCU version you are using matches the version number of the Oracle Fusion Middleware product you are installing.

    For information on creating schemas, see the "Creating Schemas" topic in the Oracle Fusion Middleware Repository Creation Utility User's Guide.

  • This guide lists the schemas you must install for the Identity and Access Management software. For information about using RCU, this guide references the RCU documentation in a recent Oracle Fusion Middleware 11g Release 1 (11.1.1) documentation library.

    These general instructions for using RCU are valid, as long as you download and use the specific RCU version available as part of the Oracle Identity and Access Management 11g Release 2 (11.1.2) Media Pack on the Oracle Software Delivery Cloud.

Before running RCU, ensure that you have the database connection string, port, administrator credentials, and service name ready.

When you run RCU, create and load only the following schemas for the Oracle Identity and Access Management component you are installing—do not select any other schema available in RCU:

  • For Oracle Identity Manager, select the Identity Management - Oracle Identity Manager schema. When you select the Identity Management - Oracle Identity Manager schema, the following schemas are also selected, by default:

    • SOA Infrastructure

    • User Messaging Service

    • AS Common Schemas - Oracle Platform Security Services

    • AS Common Schemas - Metadata Services

  • For Oracle Adaptive Access Manager, select the Identity Management - Oracle Adaptive Access Manager schema. When you select the Identity Management - Oracle Adaptive Access Manager schema, the following schemas are also selected, by default:

    • AS Common Schemas - Oracle Platform Security Services

    • AS Common Schemas - Metadata Services

    • AS Common Schemas - Audit Services

    For Oracle Adaptive Access Manager with partition schema support, select the Identity Management - Oracle Adaptive Access Manager (Partition Supp...) schema. When you select the Identity Management - Oracle Adaptive Access Manager (Partition Supp...) schema, the following schemas are also selected, by default:

    • AS Common Schemas - Oracle Platform Security Services

    • AS Common Schemas - Metadata Services

    • AS Common Schemas - Audit Services

    Note:

    For information about Oracle Adaptive Access Manager schema partitions, see Appendix L, "Oracle Adaptive Access Manager Partition Schema Reference".

  • For Oracle Access Management, select the Identity Management - Oracle Access Manager schema. When you select the Identity Management - Oracle Access Manager schema, the following schemas are also selected, by default:

    • AS Common Schemas - Oracle Platform Security Services

    • AS Common Schemas - Metadata Services

    • AS Common Schemas - Audit Services

    Note:

    If you want to use Transparent Data Encryption (TDE) for Oracle Access Management, you must set up TDE for Oracle Access Management before creating the Oracle Access Management schema. For more information, see Section 6.4, "Optional: Enabling TDE in Database".

  • For Oracle Entitlements Server, select the AS Common Schemas - Oracle Platform Security Services schema.

  • For Oracle Privileged Account Manager, select the Identity Management - Oracle Privileged Account Manager schema. By default, the AS Common Schemas - Oracle Platform Security Services schema is also selected.

    Note:

    Oracle Privileged Account Manager schema must be created by a Database user with SYSDBA privileges.

Note:

When you create a schema, be sure to remember the schema owner and password that is shown in RCU. You must specify the schema owner and password information when you configure the Oracle Identity and Access Management products.

If you are creating schemas on databases with Oracle Database Vault installed, note that statements, such as CREATE USER, ALTER USER, DROP USER, CREATE PROFILE, ALTER PROFILE, and DROP PROFILE can only be issued by a user with the DV_ACCTMGR role. SYSDBA can issue these statements by modifying the Can Maintain Accounts/Profiles rule set only if it is allowed.

3.2.4 WebLogic Server and Middleware Home Requirements

Before you install Oracle Identity and Access Management 11g Release 2 (11.1.2.2.0) components, you must ensure that you have installed Oracle WebLogic Server, and created a Middleware Home directory.

Note:

On 64-bit platforms, when you install Oracle WebLogic Server using the generic jar file, JDK is not installed with Oracle WebLogic Server. You must install JDK separately, before installing Oracle WebLogic Server.

Ensure that the JDK version you select is Java SE 6 Update 24 or higher.

For complete information about installing Oracle WebLogic Server, see Oracle Fusion Middleware Installation Guide for Oracle WebLogic Server.

Note:

By default, WebLogic domains are created in a directory named domains located in the user_projects directory under your Middleware Home. After you configure any of the Oracle Identity and Access Management products in a WebLogic administration domain, a new directory for the domain is created in the domains directory. In addition, a directory named applications is created in the user_projects directory. This applications directory contains the applications deployed in the domain.

3.2.5 Installing Oracle SOA Suite (Oracle Identity Manager Users Only)

If you are installing Oracle Identity Manager, you must install Oracle SOA Suite 11g Release 1 (11.1.1.7.0). Note that only Oracle Identity Manager requires Oracle SOA Suite. This step is required because Oracle Identity Manager uses process workflows in Oracle SOA Suite to manage request approvals.

For more information about installing Oracle SOA Suite, see Oracle Fusion Middleware Installation Guide for Oracle SOA Suite and Oracle Business Process Management Suite.

Note:

If you have already created a Middleware Home before installing Oracle Identity and Access Management components, do not create a new Middleware Home again. You must use the same Middleware Home for installing Oracle SOA Suite.

SOA Patch Requirements for Oracle Identity Manager

After installing Oracle SOA Suite 11.1.1.7.0, you must apply mandatory SOA patches before installing Oracle Identity Manager. For information about the patches, refer to the "Mandatory Patches Required for Installing Oracle Identity Manager" topic in the 11g Release 2 Oracle Fusion Middleware Release Notes.

3.2.6 Starting the Oracle Identity and Access Management Installer

This topic explains how to start the Oracle Identity and Access Management Installer.

Start the Installer by executing one of the following commands:

On UNIX:

cd unpacked_archive_directory/Disk1
./runInstaller -jreLoc JRE_LOCATION

On Windows:

cd unpacked_archive_directory\Disk1
setup.exe -jreLoc JRE_LOCATION

Note:

The installer prompts you to enter the absolute path of the JRE that is installed on your system. When you install Oracle WebLogic Server, the jdk directory is created under your Middleware Home. You must enter the absolute path of the JRE folder located in this JDK when launching the installer. For example, on Windows, if the JDK is located in C:\MW_HOME\jdk, then launch the installer from the command prompt as follows:

<full path to the setup.exe directory>\setup.exe -jreLoc C:\MW_HOME\jdk\jre

If you do not specify the -jreLoc option on the command line when using the Oracle JRockit JDK, the following warning message is displayed:

-XX:MaxPermSize=512m is not a valid VM option. Ignoring

This warning message does not affect the installation. You can continue with the installation.

On 64-bit platforms, when you install Oracle WebLogic Server using the generic jar file, the jdk directory is not created under your Middleware Home. You must enter the absolute path of the JRE folder inside the JDK that you installed separately.

3.2.7 Installing Oracle Identity and Access Management 11g Release 2 (11.1.2.2.0)

This topic describes how to install the Oracle Identity and Access Management 11g software, which includes Oracle Identity Manager, Oracle Access Management, Oracle Adaptive Access Manager, Oracle Identity Navigator, Oracle Entitlements Server, Oracle Privileged Account Manager, and Oracle Access Management Mobile and Social.

It includes the following sections:

3.2.7.1 Products Installed

Performing the installation in this section installs the following products:

  • Oracle Identity Manager

  • Oracle Access Management

    Note:

    Oracle Identity and Access Management 11g Release 2 (11.1.2.2.0) contains Oracle Access Management suite which includes the following services:

    • Oracle Access Manager

    • Oracle Access Management Security Token Service

    • Oracle Access Management Identity Federation

    • Oracle Access Management Mobile and Social

    • Identity Context

    For more information about these services, see "Understanding Oracle Access Management Services" in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Management.

    For an introduction to the Oracle Access Management Mobile and Social, see "Understanding Mobile and Social" chapter in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Management.

  • Oracle Adaptive Access Manager

    Note:

    For Oracle Identity and Access Management 11.1.2.2.0, Oracle Adaptive Access Manager includes two components:

    • Oracle Adaptive Access Manager (Online)

    • Oracle Adaptive Access Manager (Offline)

  • Oracle Identity Navigator

  • Oracle Entitlements Server

    Note:

    When you are installing Oracle Identity and Access Management, only the Administration Server of Oracle Entitlements Server is installed.

    To install and configure Oracle Entitlements Server Client, see Section 8.5, "Installing Oracle Entitlements Server Client".

  • Oracle Privileged Account Manager

    Note:

    For an introduction to the Oracle Privileged Account Manager, see "Understanding Oracle Privileged Account Manager" in the Oracle Fusion Middleware Administrator's Guide for Oracle Privileged Account Manager.

3.2.7.2 Dependencies

The installation in this section depends on the following:

  • Oracle WebLogic Server 11g Release 1 (10.3.6)

  • Oracle Database and any required patches

  • Oracle SOA Suite 11.1.1.7.0 (required for Oracle Identity Manager only)

  • JDK (Java SE 6 Update 24 or higher) or JRockit

3.2.7.3 Procedure

Complete the following steps to install the Oracle Identity and Access Management suite that contains Oracle Identity Manager, Oracle Access Management, Oracle Adaptive Access Manager, Oracle Identity Navigator, Oracle Entitlements Server, Oracle Privileged Account Manager, and Oracle Access Management Mobile and Social:

  1. Start your installation by performing all the steps in Section 3.2.6, "Starting the Oracle Identity and Access Management Installer". After you complete those steps, the Welcome screen appears.

  2. Click Next on the Welcome screen. The Install Software Updates screen appears. Select whether or not you want to search for updates. Click Next. The Prerequisite Checks screen appears. If all prerequisite checks pass inspection, click Next. The Specify Installation Location screen appears.

  3. On the Specify Installation Location screen, enter the path to the Oracle Middleware Home that was created when you installed Oracle WebLogic Server 11g Release 1 (10.3.6) on your system.

    Note:

    If you do not specify a valid Middleware Home directory on the Specify Installation Location screen, the Installer displays a message and prompts you to confirm whether you want to proceed with the installation of only Oracle Identity Manager Design Console and Oracle Identity Manager Remote Manager. These two components of Oracle Identity Manager do not require a Middleware Home directory.

    If you want to install only Oracle Identity Manager Design Console or Remote Manager, you do not need to install Oracle WebLogic Server or create a Middleware Home directory on the machine where Design Console or Remote Manager is being configured.

    Before using Oracle Identity Manager Design Console or Remote Manager, you must configure Oracle Identity Manager Server on the machine where the Administration Server is running. When configuring Design Console or Remote Manager on a different machine, you can specify the Oracle Identity Manager Server host and URL information.

  4. In the Oracle Home Directory field, enter a name for the Oracle Home folder that will be created under your Middleware Home. This directory is also referred to as IAM_HOME in this book.

    Note:

    The name that you provide for the Oracle Home for installing the Oracle Identity and Access Management suite should not be same as the Oracle Home name given for the Oracle Identity Management suite.

    Oracle Identity Management 11g Release 1 is part of Oracle Fusion Middleware and includes components like Oracle Internet Directory, Oracle Virtual Directory, Oracle Directory Services Manager, Oracle Directory Integration Platform, and Oracle Identity Federation.

    Click Next. The Installation Summary screen appears.

  5. The Installation Summary screen displays a summary of the choices that you made. Review this summary and decide whether to start the installation. If you want to modify any of the configuration settings at this stage, select a topic in the left navigation page and modify your choices.

    Click Save to save the installation response file, which contains your responses to the Installer prompts and fields. You can use this response file to perform silent installations.

    To continue installing Oracle Identity and Access Management, click Install.

  6. The Installation Progress screen appears. Monitor the progress of your installation. The location of the installation log file is listed for reference. After the installation progress reaches 100%, click OK.

    Note:

    If you cancel or abort when the installation is in progress, you must manually delete the IAM_HOME directory before you can reinstall the Oracle Identity and Access Management software.

    To invoke online help at any stage of the installation process, click the Help button on the installation wizard screens.

  7. The Installation Complete screen appears. Click Save to save the installation summary file. This file contains information about the installation, such as locations of install directories, that will help you get started with configuration and administration.

    Note:

    The installation summary file is not saved, by default—you must click Save to retain it.

    Click Finish to close and exit the Installer.

    This installation process copies the Identity Management software to your system and creates an IAM_HOME directory under your Middleware Home.

    After installing the Oracle Identity and Access Management software, you must proceed to Section 3.2.8, "Configuring Oracle Identity and Access Management (11.1.2.2.0) Products," to configure Oracle Identity and Access Management products in a new or existing WebLogic domain.

3.2.7.4 Understanding the Directory Structure After Installation

This section describes the directory structure after installation of Oracle WebLogic Server and Oracle Identity and Access Management.

After you install the Oracle Identity and Access Management suite, an Oracle Home directory for Oracle Identity and Access Management, such as Oracle_IDM1, is created under your Middleware Home. This home directory is also referred to as IAM_HOME in this guide.

For more information about identifying installation directories, see Section 2.3, "Identifying Installation Directories".

3.2.8 Configuring Oracle Identity and Access Management (11.1.2.2.0) Products

After Oracle Identity and Access Management 11g is installed, you are ready to configure the WebLogic Server Administration Domain for Oracle Identity and Access Management components. A domain includes a special WebLogic Server instance called the Administration Server, which is the central point from which you configure and manage all resources in the domain.

When you configure an Oracle Identity and Access Management 11.1.2.2.0 component, you can choose one of the following configuration options:

Note:

You should not extend the Oracle Identity Management 11g Release 1 (11.1.1.6.0) domain to support Oracle Identity and Access Management 11g Release 2 (11.1.2.2.0) products.

You can use the Oracle Fusion Middleware Configuration Wizard to create a WebLogic domain or extend an existing domain.

Start the Oracle Fusion Middleware Configuration Wizard by running the IAM_HOME/common/bin/config.sh script (on UNIX), or IAM_HOME\common\bin\config.cmd (on Windows).

Create a New Domain

Select the Create a new WebLogic domain option on the Welcome screen in the Oracle Fusion Middleware Configuration Wizard to create a new WebLogic Server domain.

Extend an Existing Domain

Select the Extend an existing WebLogic domain option on the Welcome screen in the Oracle Fusion Middleware Configuration Wizard to add Oracle Identity and Access Management components in an existing Oracle WebLogic Server administration domain.

See:

The "Understanding Oracle WebLogic Server Domains" chapter in the Oracle Fusion Middleware Understanding Domain Configuration for Oracle WebLogic Server guide for more information about Oracle WebLogic Server administration domains.

In addition, see the Oracle Fusion Middleware Creating Domains Using the Configuration Wizard guide for complete information about how to use the Configuration Wizard to create or extend WebLogic Server domains. This guide also provides the Oracle Fusion Middleware Configuration Wizard Screens.

For component-specific configuration information about Oracle Identity and Access Management products, see the following chapters:

3.2.9 Upgrading OPSS Schema using Patch Set Assistant

After configuring the Oracle Identity and Access Management (11.1.2.2.0) components, you must upgrade the Oracle Platform Security Services (OPSS) schema that you had created using the RCU in Section 3.2.3, "Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU)".

To upgrade the schemas, complete the following steps:

3.2.9.1 Starting Patch Set Assistant

To start Patch Set Assistant, do the following:

On UNIX:

  1. Move from your present working directory to the MW_HOME/oracle_common/bin directory by running the following command on the command line:

    cd <MW_HOME>/oracle_common/bin

  2. Run the following command:

    ./psa

On Windows:

  1. Move from your present working directory to the MW_HOME\oracle_common\bin directory by running the following command on the command line:

    cd <MW_HOME>\oracle_common\bin

  2. Execute the following command:

    psa.bat

3.2.9.2 Using the Patch Set Assistant Graphical Interface

After starting the Patch Set Assistant Installer, follow the instructions in Table 3-2 to update your schemas.

Table 3-2 Patch Set Assistant Screens

Screen / Description

Welcome: This page introduces you to the Patch Set Assistant.

Select Component: In the Select Component screen, you must select only the Oracle Platform Security Services schema.

    NOTE: Do not select any other components that are listed on the Select Component screen.

Prerequisite: Verify that you have satisfied the database prerequisites.

Schema: Specify your database credentials to connect to your database, then select the schema you want to update.

    Note that this screen appears once for each schema that must be updated as a result of the component you selected on the Select Component screen.

Examine: This page displays the status of the Patch Set Assistant as it examines each component schema. Verify that your schemas have a "successful" indicator in the Status column.

Upgrade Summary: Verify that the schemas are the ones you want to upgrade.

Upgrade Progress: This screen shows the progress of the schema upgrade.

Upgrade Success: Once the upgrade is successful, this screen is displayed.

3.2.9.3 Verifying Schema Upgrade

You can verify the schema upgrade by checking out the log files. The Patch Set Assistant writes log files in the following locations:

On UNIX:

MW_HOME/oracle_common/upgrade/logs/psa/psa<timestamp>.log

On Windows:

MW_HOME\oracle_common\upgrade\logs\psa\psa<timestamp>.log

Some components create a second log file named psa<timestamp>.out in the same location.

The timestamp reflects the actual date and time when Patch Set Assistant was run.

If any failures occur when running Patch Set Assistant, you can use these log files to help diagnose and correct the problem. Do not delete them. You can alter the contents of the log files by specifying a different -logLevel from the command line.

Some of the operations performed by Patch Set Assistant may take longer to complete than others. If you want to see the progress of these long operations, you can see this information in the log file, or you can use the following query:

SELECT VERSION, STATUS, UPGRADED FROM SCHEMA_VERSION_REGISTRY WHERE OWNER='schema_name';

In the query results, the STATUS field is either UPGRADING or UPGRADED during the schema patching operation, and becomes VALID when the operation is completed.

3.2.10 Configuring Database Security Store for an Oracle Identity and Access Management Domain

This section discusses the following topics:

3.2.10.1 Overview

You must run the configureSecurityStore.py script to configure the Database Security Store, because it is the only security store type supported by Oracle Identity and Access Management 11g Release 2 (11.1.2.2.0).

The configureSecurityStore.py script is located in the IAM_HOME\common\tools directory. You can use the -h option for help information about using the script. Note that not all arguments will apply to configuring the Database Security Store.

For example:

On Windows:

<MW_HOME>\oracle_common\common\bin\wlst.cmd <IAM_HOME>\common\tools\configureSecurityStore.py -h

On UNIX:

<MW_HOME>/oracle_common/common/bin/wlst.sh <IAM_HOME>/common/tools/configureSecurityStore.py -h

Table 3-3 describes the parameters that you may specify on the command line.

Table 3-3 Database Security Store Configuration Parameters

Parameter / Description

-d domaindir
    Location of the directory containing the domain.

-m mode
    create: Use create if you want to create a new database security store.

    join: Use join if you want to use an existing database security store for the domain.

    validate: Use validate to verify whether the Security Store has been configured correctly. This command validates diagnostics data created during initial creation of the Security Store.

    validate_fix: Use validate_fix to fix diagnostics data present in the Security Store.

    fixjse: Use fixjse to update the domain's Database Security Store credentials used for access by JSE tools.

-c configmode
    The configuration mode of the domain. When configuring the Database Security Store, this value must be specified as IAM.

    Special Instructions for OES Installation:

    If you are an OES user, the -c parameter is optional. In this case, the default value is None.

    Note: If the -c <config> option is specified, the OES Administration Server is configured in mixed mode, and it can then distribute policies only to Security Modules in non-controlled mode and controlled pull mode.

    For example: If the OES Administration Server is deployed in the domain where other Oracle Identity and Access Management components (OIM, OAM, OAAM, OPAM, or OIN) are deployed, then the domain is configured in mixed mode. In this case, the OES Administration Server is used for managing the Oracle Identity and Access Management policies only. It should not be used to manage the policies for any other applications protected by OES Security Modules.

    If the -c <config> option is not specified, the OES Administration Server is configured in non-controlled mode, and it can distribute policies to Security Modules in controlled push mode.

    For example: If you want to use the OES Administration Server to manage custom applications that are protected by OES Security Modules, then the OES Administration Server must be deployed in a domain with non-controlled distribution mode.

-p password
    The OPSS schema password.

-k keyfilepath
    The directory containing the encryption key file ewallet.p12. If -m join is specified, this option is mandatory.

-w keyfilepassword
    The password used when the domain's key file was generated. If -m join is specified, this option is mandatory.

-u username
    The user name of the OPSS schema. If -m fixjse is specified, this option is mandatory.

3.2.10.2 Before Configuring Database Security Store

Each Oracle Identity and Access Management 11g Release 2 (11.1.2.2.0) domain must be configured to have a Database Security Store. Before you configure the Database Security Store for an Oracle Identity and Access Management 11g Release 2 (11.1.2.2.0) domain, you must identify the products to be configured in a single-domain scenario or in a multiple-domain scenario.

Note:

Irrespective of the number of domains in a logical Oracle Identity and Access Management 11g Release 2 (11.1.2.2.0) deployment (a logical deployment is a collection of Oracle Identity and Access Management products running in one or more domains and using a single database to hold product schemas), all domains share the same Database Security Store and use the same domain encryption key.

The Database Security Store is created at the time of creating the first domain, and then each new domain created is joined with the Database Security Store already created.

3.2.10.3 Configuring the Database Security Store

The following configureSecurityStore.py options are available for configuring the domain to use the Database Security Store:

  • -m create

  • -m join

Configuring the Database Security Store Using Create Option

To configure a domain to use a database security store using the -m create option, you must run the configureSecurityStore.py script as follows:

On Windows:

<MW_HOME>\oracle_common\common\bin\wlst.cmd <IAM_HOME>\common\tools\configureSecurityStore.py -d <domaindir> -c IAM -p <opss_schema_password> -m create

For example:

<MW_HOME>\oracle_common\common\bin\wlst.cmd <IAM_HOME>\common\tools\configureSecurityStore.py -d <MW_Home>\user_projects\domains\base_domain -c IAM -p welcome1 -m create

On UNIX:

<MW_HOME>/oracle_common/common/bin/wlst.sh <IAM_HOME>/common/tools/configureSecurityStore.py -d <domaindir> -c IAM -p <opss_schema_password> -m create

For example:

<MW_HOME>/oracle_common/common/bin/wlst.sh <IAM_HOME>/common/tools/configureSecurityStore.py -d <MW_Home>/user_projects/domains/base_domain -c IAM -p welcome1 -m create

Configuring the Database Security Store Using the Join Option

To configure a domain to use the database security store using the -m join option, you must first export the domain encryption key from a domain in the same logical Oracle Identity and Access Management deployment already configured to work with the database security store, and then run the configureSecurityStore.py script as follows:

Note:

Exporting the domain encryption key from a domain already configured to work with the Database Security Store is done using the WLST command:

exportEncryptionKey(jpsConfigFile=<jpsConfigFile>,keyFilePath=<keyFilePath>,keyFilePassword=<keyFilePassword>)

where:

<jpsConfigFile> - is the absolute location of the file jps-config.xml in the domain from which the encryption key is being exported.

<keyFilePath> - is the directory where the file ewallet.p12 is created; note that the content of this file is encrypted and secured by keyFilePassword.

<keyFilePassword> - is the password to secure the file ewallet.p12; note that this same password must be used when importing that file.

On Windows:

  1. Export encryption keys from a domain already configured to work with the Database Security Store as follows:

    <MW_HOME>\oracle_common\common\bin\wlst.cmd exportEncryptionKey(jpsConfigFile=<jpsConfigFile>, keyFilePath=<keyFilePath>, keyFilePassword=<keyFilePassword>)
    
  2. Run the configureSecurityStore.py script with -m join option.

    <MW_HOME>\oracle_common\common\bin\wlst.cmd <IAM_HOME>\common\tools\configureSecurityStore.py -d <domaindir> -c IAM -p <opss_schema_password> -m join -k <keyfilepath> -w <keyfilepassword>
    

For example:

<MW_HOME>\oracle_common\common\bin\wlst.cmd exportEncryptionKey(jpsConfigFile="<MW_HOME>\\user_projects\\domains\\base_domain\\config\\fmwconfig\\jps-config.xml", keyFilePath="myDir", keyFilePassword="password")
<MW_HOME>\oracle_common\common\bin\wlst.cmd <IAM_HOME>\common\tools\configureSecurityStore.py -d <MW_Home>\user_projects\domains\base_domain1 -c IAM -p welcome1 -m join -k myDir -w password

On UNIX:

  1. Export encryption keys from a domain already configured to work with the Database Security Store as follows:

    <MW_HOME>/oracle_common/common/bin/wlst.sh exportEncryptionKey(jpsConfigFile=<jpsConfigFile>, keyFilePath=<keyFilePath>, keyFilePassword=<keyFilePassword>)
    
  2. Run the configureSecurityStore.py script with -m join option.

    <MW_HOME>/oracle_common/common/bin/wlst.sh <IAM_HOME>/common/tools/configureSecurityStore.py -d <domaindir> -c IAM -p <opss_schema_password> -m join -k <keyfilepath> -w <keyfilepassword>
    

For example:

<MW_HOME>/oracle_common/common/bin/wlst.sh exportEncryptionKey(jpsConfigFile="<MW_HOME>/user_projects/domains/base_domain/config/fmwconfig/jps-config.xml", keyFilePath="myDir", keyFilePassword="password")
<MW_HOME>/oracle_common/common/bin/wlst.cmd <IAM_HOME>/common/tools/configureSecurityStore.py -d <MW_Home>/user_projects/domains/base_domain1 -c IAM -p welcome1 -m join -k myDir -w password

Validating the Database Security Store Configuration

To validate whether the security store has been created or joined correctly, run the configureSecurityStore.py script with -m validate option, as follows:

On Windows:

<MW_HOME>\oracle_common\common\bin\wlst.cmd <IAM_HOME>\common\tools\configureSecurityStore.py -d <domaindir> -m validate

For example:

<MW_HOME>\oracle_common\common\bin\wlst.cmd <IAM_HOME>\common\tools\configureSecurityStore.py -d <MW_Home>\user_projects\domains\base_domain -m validate

On UNIX:

<MW_HOME>/oracle_common/common/bin/wlst.sh <IAM_HOME>/common/tools/configureSecurityStore.py -d <domaindir> -m validate

For example:

<MW_HOME>/oracle_common/common/bin/wlst.sh <IAM_HOME>/common/tools/configureSecurityStore.py -d <MW_Home>/user_projects/domains/base_domain -m validate

3.2.10.4 Example Scenarios for Configuring the Database Security Store

Consider the following example scenarios:

3.2.10.4.1 Example Scenario for One or More Oracle Identity and Access Management Products in the Same Domain

Note:

In a single-domain scenario, the command to create the Database Security Store is executed once after the domain is created but before the domain is started for the first time.

Scenario 1: Oracle Identity Manager, Oracle Access Management, and Oracle Adaptive Access Manager in the same WebLogic Administration Domain Sharing the same Database Security Store

To achieve this, you must complete the following tasks:

  1. Create a new WebLogic domain for Oracle Identity Manager and SOA (for example, oim_dom) by completing the steps described in Table 5-1, "Installation and Configuration Flow for Oracle Identity Manager".

    After creating a new WebLogic domain for Oracle Identity Manager and SOA, run the configureSecurityStore.py script to configure the Database Security Store as follows:

    On Windows:

    <MW_HOME>\oracle_common\common\bin\wlst.cmd <IAM_HOME>\common\tools\configureSecurityStore.py -d <MW_Home>\user_projects\domains\oim_dom -c IAM -p welcome1 -m create
    

    On UNIX:

    <MW_HOME>/oracle_common/common/bin/wlst.sh <IAM_HOME>/common/tools/configureSecurityStore.py -d <MW_Home>/user_projects/domains/oim_dom -c IAM -p welcome1 -m create
    
  2. Extend the Oracle Identity Manager domain (oim_dom) to include Oracle Access Management and Oracle Adaptive Access Manager. For more information, see "Extend an Existing Domain".

    Oracle Access Management and Oracle Adaptive Access Manager are added to the Oracle Identity Manager domain (oim_dom), and they share the same Database Security Store used by the Oracle Identity Manager domain.

3.2.10.4.2 Example Scenario for Oracle Identity and Access Management Products in Different Domains

Note:

In a multiple-domain scenario, the command to create the Database Security Store is executed once after the first domain is created but before the domain is started for the first time.

For each subsequent domain, the command to join the existing Database Security Store is executed once after the domain is created but before the domain is started for the first time.

  • Scenario 1: Oracle Identity Manager and Oracle Access Management in different WebLogic Administration Domains Sharing the same Database Security Store

    To achieve this, you must complete the following tasks:

    1. Create a new WebLogic domain for Oracle Identity Manager and SOA (for example, oim_dom) by completing the steps described in Table 5-1, "Installation and Configuration Flow for Oracle Identity Manager".

      After creating a new WebLogic domain for Oracle Identity Manager and SOA, run the configureSecurityStore.py script to configure the Database Security Store as follows:

      On Windows:

      <MW_HOME>\oracle_common\common\bin\wlst.cmd <IAM_HOME>\common\tools\configureSecurityStore.py -d <MW_Home>\user_projects\domains\oim_dom -c IAM -p welcome1 -m create
      On UNIX:

      <MW_HOME>/oracle_common/common/bin/wlst.sh <IAM_HOME>/common/tools/configureSecurityStore.py -d <MW_Home>/user_projects/domains/oim_dom -c IAM -p welcome1 -m create
      
    2. Create a new WebLogic domain for Oracle Access Management (for example oam_dom) by completing the steps described in Table 6-1, "Installation and Configuration Flow for Oracle Access Management".

      After creating a new WebLogic domain for Oracle Access Management, export the domain encryption key from the Oracle Identity Manager/SOA domain, and run the configureSecurityStore.py script to configure the Database Security Store as follows:

      On Windows:

      <MW_HOME>\oracle_common\common\bin\wlst.cmd exportEncryptionKey(jpsConfigFile="<MW_Home>\\user_projects\\domains\\oim_dom\\config\\fmwconfig\\jps-config.xml", keyFilePath="myDir", keyFilePassword="password")
      
      <MW_HOME>\oracle_common\common\bin\wlst.cmd <IAM_HOME>\common\tools\configureSecurityStore.py -d <MW_Home>\user_projects\domains\oam_dom -c IAM -p welcome1 -m join -k myDir -w password
      

      On UNIX:

      <MW_HOME>/oracle_common/common/bin/wlst.sh exportEncryptionKey(jpsConfigFile="<MW_Home>/user_projects/domains/oim_dom/config/fmwconfig/jps-config.xml", keyFilePath="myDir", keyFilePassword="password")
      
      <MW_HOME>/oracle_common/common/bin/wlst.sh <IAM_HOME>/common/tools/configureSecurityStore.py -d <MW_Home>/user_projects/domains/oam_dom -c IAM -p welcome1 -m join -k myDir -w password
      
  • Scenario 2: Extend the Oracle Access Management Domain previously joined to the Database Security Store to include Oracle Adaptive Access Manager

    To achieve this, extend the Oracle Access Management domain (oam_dom) to include Oracle Adaptive Access Manager. For more information, see "Extend an Existing Domain".

    Oracle Adaptive Access Manager is added to the Oracle Access Management domain (oam_dom), and they both share the same Database Security Store used by the Oracle Access Management domain.
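The multi-domain sequence described in the join procedure and in the scenarios above, as an added example that is not Oracle's own tooling: a POSIX shell script that runs -m create on the first domain, exports that domain's encryption key once, joins every further domain with the same ewallet.p12, and validates each domain, all before any domain is started for the first time. It assumes MW_HOME, IAM_HOME, OPSS_PASSWORD (the OPSS schema password) and KEY_PASSWORD (the ewallet.p12 password) are set in the environment; WLST, CSS and KEY_DIR are the example's own variables with placeholder defaults. The exportEncryptionKey call is written to a short-lived script file and run with wlst.sh, which is the script-file invocation WLST supports, rather than placed on the command line.

```shell
# Added example (not Oracle's own tooling): bootstrap the Database Security
# Store for every domain of one logical IAM deployment, in the order the
# scenarios prescribe: create on the first domain, export its key once, join
# each further domain with that key, validate after each step, all before the
# domains are started for the first time.
# Assumed environment: MW_HOME, IAM_HOME, OPSS_PASSWORD, KEY_PASSWORD.
# WLST, CSS and KEY_DIR may be overridden; the defaults are placeholders.

WLST=${WLST:-$MW_HOME/oracle_common/common/bin/wlst.sh}
CSS=${CSS:-$IAM_HOME/common/tools/configureSecurityStore.py}
KEY_DIR=${KEY_DIR:-/tmp/iam_domain_key}   # hypothetical directory for ewallet.p12

css() { "$WLST" "$CSS" "$@"; }

# Export the domain encryption key of an already configured domain into KEY_DIR.
# The WLST command goes into a file under a private mktemp directory (mode 0700)
# that is removed afterwards, so the key file password is not on the command line.
export_key() {
    jps="$1/config/fmwconfig/jps-config.xml"
    [ -f "$jps" ] || { echo "export_key: $jps not found" >&2; return 1; }
    mkdir -p "$KEY_DIR"
    dir=$(mktemp -d) || return 1
    script=$dir/export_key.py
    printf 'exportEncryptionKey(jpsConfigFile="%s", keyFilePath="%s", keyFilePassword="%s")\n' \
        "$jps" "$KEY_DIR" "$KEY_PASSWORD" > "$script"
    if "$WLST" "$script"; then rc=0; else rc=$?; fi
    rm -rf "$dir"
    # Success means WLST returned 0 and the wallet actually exists.
    [ "$rc" -eq 0 ] && [ -f "$KEY_DIR/ewallet.p12" ]
}

# bootstrap_domains FIRST_DOMAIN_DIR [OTHER_DOMAIN_DIR ...]
bootstrap_domains() {
    first=1
    for dom in "$@"; do
        [ -d "$dom" ] || { echo "bootstrap_domains: domain directory $dom not found" >&2; return 1; }
        if [ "$first" -eq 1 ]; then
            # First domain: create the store, then export its key for the others.
            css -d "$dom" -c IAM -p "$OPSS_PASSWORD" -m create || return 1
            export_key "$dom" || return 1
            first=0
        else
            # Every later domain joins with the key exported from the first one.
            [ -f "$KEY_DIR/ewallet.p12" ] || { echo "bootstrap_domains: $KEY_DIR/ewallet.p12 missing" >&2; return 1; }
            css -d "$dom" -c IAM -p "$OPSS_PASSWORD" -m join -k "$KEY_DIR" -w "$KEY_PASSWORD" || return 1
        fi
        # Confirm each domain's store before moving on (and before first start).
        css -d "$dom" -m validate || return 1
    done
}

# Usage (paths illustrative):
# bootstrap_domains "$MW_HOME/user_projects/domains/oim_dom" "$MW_HOME/user_projects/domains/oam_dom"
```

Because every domain in the deployment must use the same domain encryption key, the script exports the key exactly once and reuses KEY_DIR for all joins; remove the exported ewallet.p12 from KEY_DIR once the last domain has joined, since anyone holding that file and its password can join further domains to the store.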

3.2.11 Configuring Oracle Identity Manager Server, Design Console, and Remote Manager

If you are configuring Oracle Identity Manager, you must run the Oracle Identity Manager Configuration Wizard to configure the Oracle Identity Manager Server. For more information, see Section 5.9, "Configuring Oracle Identity Manager Server".

You can also configure Oracle Identity Manager Design Console and Oracle Identity Manager Remote Manager, if required. For more information, see the following sections:

3.2.12 Starting the Servers

After installing and configuring Oracle Identity and Access Management, you must run the Oracle WebLogic Administration Server and various Managed Servers, as described in Section C.1, "Starting the Stack".

Note:

The WebLogic domain will not start unless the Database Security Store has already been configured.