4 Managing Oracle Identity Manager on IBM WebSphere

This chapter contains information about managing Oracle Identity Manager on IBM WebSphere Application Server. It contains the following sections:

Note:

Oracle Identity Manager does not support cross-application server communication. If the Oracle Identity Manager runs on Oracle WebLogic Server, then application clients must run on Oracle WebLogic Server. If Oracle Identity Manager runs on IBM WebSphere Application Server, then application clients must run on IBM WebSphere Application Server.

4.1 Conventions Used in this Document

Table 4-1 lists and describes conventions used in this document:

Table 4-1 Conventions Used in this Document

Convention Description

OIM_HOME

Represents the directory where the Oracle Identity Manager server is installed.

OIM_ORACLE_HOME

Represents an environment variable that identifies the directory where Oracle Identity Manager is installed. This variable is used for various Oracle Identity Manager scripts.

WAS_HOME

Represents the directory where the IBM WebSphere Application Server is installed.

WAS_CLIENT_HOME

Represents the directory where the IBM WebSphere Application Client is installed.

MW_HOME

Represents the directory where Oracle Fusion Middleware is installed.

COMMON_COMPONENTS_HOME

The Common Components home contains the binary and library files required for Fusion Middleware Control and Java Required Files (JRF). For example, MW_HOME/oracle_common.

Custom01 | Custom02

Represents the name of a custom profile.

Dmgr01 | Dmgr02

Represents the name of a Deployment Manager profile.

OIM_DC_HOME

Represents the directory where the Oracle Identity Manager Design Console is installed.

OIM_RM_HOME

Represents the directory where the Oracle Identity Manager Remote Manager is installed.

OIM_CELL_NAME

Represents the IBM WebSphere Application Server cell where the Oracle Identity Manager Server is located.

JAVA_HOME

Represents the location of the IBM Java Runtime directory for the Oracle Identity Manager server. Note that in some procedures, JAVA_HOME can represent the location of the IBM Java Runtime directory for the Oracle Identity Manager Remote Manager.

ANT_HOME

Represents the directory where Apache Ant is installed.


4.2 System Requirements and Certified Components

Before deploying and using Oracle Identity Manager, you must ensure that your environment meets the minimum installation requirements. For information about hardware and software requirements, minimum disk space and memory requirements, and required system libraries, packages, or patches, review the system requirements document at the following URL:

http://www.oracle.com/technetwork/middleware/ias/downloads/fusion-requirements-100147.html

The following URL contains information about supported installation types, platforms, operating systems, databases, JDKs, and third-party products for Oracle Fusion Middleware:

http://www.oracle.com/technetwork/middleware/ias/downloads/fusion-certification-100350.html

In addition, see "Patch Requirements" in the Oracle Fusion Middleware Release Notes for information about the patches required for Oracle Identity Manager.

Note:

  • Minimum memory requirement for setting up Oracle Identity Manager on IBM WebSphere Application Server is 8 GB.

  • BI Publisher reports on WebSphere are not certified for Oracle Identity Manager 11g Release 2 (11.1.2.2.0).

4.3 Installing Oracle Identity Manager on IBM WebSphere

This section describes how to install Oracle Identity Manager on IBM WebSphere in the following configurations:

4.3.1 Configuring Oracle Identity Manager for Single-Node Setup

To configure a single-node setup of Oracle Identity Manager on IBM WebSphere:

  1. Install IBM WebSphere Application Server Network Deployment (ND) 7.0 and apply fix pack 27 or later, as described in Section 2.4, "Task 4: Install the IBM WebSphere Software".

  2. Create the database schema, as described in Section 2.3, "Task 3: Identify a Database and Install the Required Database Schemas".

  3. Install Oracle SOA Suite and apply SOA patches, as described in Section 2.5, "Task 5: Install Oracle SOA Suite (Oracle Identity Manager Users Only)".

  4. Install Oracle Identity and Access Management, as described in Section 2.6, "Task 6: Install Oracle Identity and Access Management Suite".

  5. Upgrade OPSS schema, as described in Section 2.8, "Task 8: Upgrading OPSS Schema using Patch Set Assistant".

  6. Use the Oracle Fusion Middleware Configuration Wizard to create the Oracle Identity Manager cell, as described in Section 2.9, "Task 9: Configure Your Oracle Identity and Access Management Components in a New IBM WebSphere Cell". To do so, create the cell in WebSphere in the following way so that Oracle Identity Manager and SOA are added to the cell:

    1. Run the ORACLE_HOME/common/bin/was_config.sh script, and select the Oracle SOA suite for WebSphere ND template.

    2. Run the was_config script again, select the existing cell, and then select the Oracle Identity Manager for WebSphere ND template.

  7. Copy the JAR files to the $WAS_HOME/lib/ext/ directory by running the copy_jars.sh script. For example:

    cd $OIM_HOME/server/wasconfig
    ./copy_jars.sh
    

    Note:

    Before you run the copy_jars.sh script, ensure that the WAS_HOME, COMMON_COMPONENTS_HOME, and OIM_ORACLE_HOME variables are set. COMMON_COMPONENTS_HOME is the Oracle Fusion Middleware common directory, such as MW_HOME/oracle_common; OIM_ORACLE_HOME is the directory where the Oracle Identity Manager Server is installed, such as MW_HOME/Oracle_IDM1; and WAS_HOME is the directory where WebSphere is installed, such as IBM/WebSphere/AppServer.
  8. Stop the node agent, start the Deployment Manager, synchronize the node, and then start the node agent again, as follows:

    $WAS_HOME/profiles/Custom01/bin/stopNode.sh -username WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
    $WAS_HOME/profiles/Dmgr01/bin/startManager.sh
    $WAS_HOME/profiles/Custom01/bin/syncNode.sh DMGR_HOST DMGR_SOAP_PORT -username WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
    $WAS_HOME/profiles/Custom01/bin/startNode.sh
    

    Note:

    • Make sure that the node agent and the Deployment Manager are running without errors.

    • Passing -password on the command line exposes the administrator password in the process list and in the shell history. If you omit the -username and -password options, the scripts prompt for the credentials; alternatively, store them in the profile's properties/soap.client.props file and make that file readable only by the WebSphere user.

    • If the node agent does not stop on running the stopNode.sh script, then find its process ID (it is recorded in the nodeagent.pid file under the profile's logs/nodeagent directory), confirm that the process is the node agent, and run the kill command to stop it, as shown:

      kill -9 PROCESS_ID
      
  9. Stop the node agent and the Deployment Manager before configuring the database policy store, as shown:

    $WAS_HOME/profiles/Custom01/bin/stopNode.sh -username WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
    $WAS_HOME/profiles/Dmgr01/bin/stopManager.sh -username WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
    
  10. Perform database policy migration by referring to step 1 of Section 2.10, "Task 10: Configure the Database Security Store".

  11. Start the Deployment Manager. To do so, run the following command in the IBM WebSphere home:

    For UNIX, run:

    $WAS_HOME/profiles/dmgr_profileName/bin/startManager.sh
    

    For example, on UNIX operating system, run:

    /disk01/IBM/WebSphere/AppServer/profiles/Dmgr01/bin/startManager.sh
    
  12. Start the node agent by running the following command:

    $WAS_HOME/profiles/CUSTOM_PROFILE_NAME/bin/startNode.sh
    

    For example:

    $WAS_HOME/profiles/Custom01/bin/startNode.sh
    
  13. Run the seed_opss_permission.sh script as follows:

    cd OIM_HOME/server/wasconfig/
    sh seed_opss_permission.sh
    

    Note:

    • Before you run the seed_opss_permission.sh script, ensure that the WAS_HOME, COMMON_COMPONENTS_HOME, and OIM_ORACLE_HOME variables are set. COMMON_COMPONENTS_HOME is the Oracle Fusion Middleware common directory, such as MW_HOME/oracle_common, and OIM_ORACLE_HOME is the directory where the Oracle Identity Manager Server is installed.

    • The script will prompt you to enter values for the following:

      Enter Deployment Manager Profile Name [Ex: Dmgr01]:
      Enter Deployment Manager host name:
      Enter Deployment Manager SOAP Port:
      Enter WebpSphere Administrator username:
      Enter the WebpSphere Administrator password:
      
    • On running the seed_opss_permission.sh script, you might see the following warning message. By itself it does not mean that the script failed, but confirm that the script completed and that the grant for oim_customreg.jar is present in the system-jazn-data.xml file of the Dmgr profile (the same check is described for the clustered setup in Section 4.3.2):

      Failed to import script libraries modules: COMMON_COMPONENTS_HOME/common/wsadmin/wsmAgent.py; Examine the wsadmin log file to determine the problem.
      
  14. Stop, synchronize, and start the node, and start the SOA server. For example:

    $WAS_HOME/profiles/Custom01/bin/stopNode.sh -username WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
    $WAS_HOME/profiles/Custom01/bin/syncNode.sh DMGR_HOST DMGR_SOAP_PORT -username WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
    $WAS_HOME/profiles/Custom01/bin/startNode.sh 
    $WAS_HOME/profiles/Custom01/bin/startServer.sh soa_server1
    
  15. Use the Oracle Universal Installer Configuration Assistant to configure the Oracle Identity Manager Server and Remote Manager. To do so:

    1. Start the configuration assistant as follows:

      cd $OIM_HOME/bin
      ./config.sh -jreLoc LOCATION_OF_IBM_JRE -DSHOW_APPSERVER_TYPE_SCREEN=true
      

      Note:

      You must run the Configuration Assistant on each machine where you installed an Oracle Identity Manager component. For example, on the machine hosting the Oracle Identity Manager server, the machine hosting the Oracle Identity Manager Design Console, and the machine hosting the Oracle Identity Manager Remote Manager.
    2. On the Components to Configure screen, select the components that you want to configure. On the Database screen, provide the connect string and user names and passwords for Oracle Identity Manager and MDS schema.

      Table 4-2 provides information about specific Configuration Assistant screens and appropriate information to enter on those screens—the table does not cover self-explanatory, standard screens.

      Table 4-2 Information for Specific Configuration Assistant Screens

      Screen Name Input Description

      Application Server

      Be sure to select WebSphere

      WebSphere AS Details

      • The WAS Cell home location is:

        $WAS_HOME/profiles/Dmgr01/config/cells/CELL_NAME
        
      • You can identify the WAS Admin URL port from the Management bootstrap port entry in the following file:

        $WAS_HOME/profiles/Dmgr01/logs/AboutThisProfile.txt
        
      • You can identify the WAS Admin Soap Port from the following file:

        $WAS_HOME/profiles/Dmgr01/logs/AboutThisProfile.txt
        
      • The WAS Admin Name and WAS Admin Password are the same as you used to create the cell.

      OIM Server

      Enter the Oracle Identity Manager server admin password, keystore password, and the URL information. Use the default value provided in the OIM HTTP URL field.

      Remote Manager

      Enter values for Service name, RMI registry port, and Listen port (SSL).


  16. Copy wf_client_config.xml.template from $OIM_HOME/server/wasconfig/ directory to $WAS_HOME/lib/ext as wf_client_config.xml. For example:

    cp $OIM_HOME/server/wasconfig/wf_client_config.xml.template $WAS_HOME/lib/ext/wf_client_config.xml

    Update the wf_client_config.xml file so that the <serverURL> element contains the SOA Server host name and its bootstrap port. For example:

    <serverURL>corbaloc:iiop:localhost:2800</serverURL>
    

    Tip:

    You can identify the SOA bootstrap port by performing the following steps:
    1. Log in to IBM WebSphere Administrative Console.

    2. Select Servers, Server Types, WebSphere application servers.

    3. Click the SOA Server name.

    4. In the Communications Group area, click Ports.

      The value of BOOTSTRAP_ADDRESS is the SOA Server bootstrap port.

  17. Stop the servers if they are running. For example:

    $WAS_HOME/profiles/Custom01/bin/stopServer.sh soa_server1 -username WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
    $WAS_HOME/profiles/Custom01/bin/stopNode.sh -username WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
    $WAS_HOME/profiles/Dmgr01/bin/stopManager.sh -username WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
    
  18. Start the servers. For example:

    Note:

    Be sure to run the syncNode script, because it transfers the xldatabasekey keystore (which protects encrypted Oracle Identity Manager data) to the Custom01 profile.
    $WAS_HOME/profiles/Dmgr01/bin/startManager.sh
    $WAS_HOME/profiles/Custom01/bin/syncNode.sh DMGR_HOST DMGR_SOAP_PORT -username WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
    $WAS_HOME/profiles/Custom01/bin/startNode.sh
    $WAS_HOME/profiles/Custom01/bin/startServer.sh soa_server1
    $WAS_HOME/profiles/Custom01/bin/startServer.sh oim_server1
    $WAS_HOME/profiles/Custom01/bin/startServer.sh OracleAdminServer
    
  19. If Oracle Identity Manager administrator user is different than WebSphere administrator user, then perform the following steps:

    1. In the navigation pane of Oracle Enterprise Manager Fusion Middleware Control, expand WebSphere Cell to view the cells.

    2. Select the cell on which Oracle Identity Manager and SOA are configured.

    3. Right-click the cell name, and select Web Services, Platform Policy Configuration.

    4. In the Add New Configure Property window, specify the following values, and then click OK.

      • In the Name field, enter jndi.lookup.csf.key.

      • In the Value field, enter admin-csf-key.

      Note:

      If the property is not persisted after saving the changes, then perform the following steps:
      1. On the Deployment Manager machine, open the policy-accessor-config.xml file under the Dmgr profile, for example WAS_HOME/profiles/Dmgr01/config/cells/CELL_NAME/fmwconfig/policy-accessor-config.xml.

      2. In the policy-accessor section, uncomment the jndi.lookup.csf.key property and replace its placeholder value {papCsfKey} with admin-csf-key. This key is used to look up the administrator user name and password in the credential store.

      3. Save and close the policy-accessor-config.xml file.

      4. Login to the IBM WebSphere Administrative Console, and perform a node synchronization to ensure that the changed configuration is propagated across all nodes of the cluster.

      5. To verify, connect to the nodes of the cluster and check the fmwconfig/policy-accessor-config.xml file in the nodes. The file must be updated with the new values for jndi.lookup.csf.key.

    5. Create a .py file, for example was_admin.py, with the following content:

      Opss.createCred(map='oracle.wsm.security', key='admin-csf-key', user='ADMIN_USER_NAME', password='ADMIN_PASSWORD', desc='wsm-pm admin user csf-key')
      AdminApp.edit('wsm-pm', '[-MapRolesToUsers [[policy.Updater AppDeploymentOption.No AppDeploymentOption.No ADMIN_USER_NAME "" AppDeploymentOption.No "user:ADMIN_USER_NAME" ""]]]')
      AdminApp.edit('wsm-pm', '[-MapRolesToUsers [[policy.Accessor AppDeploymentOption.No AppDeploymentOption.No ADMIN_USER_NAME "" AppDeploymentOption.No " |user:ADMIN_USER_NAME" ""]]]')
      AdminApp.edit('wsm-pm', '[-MapRolesToUsers [[policy.User AppDeploymentOption.No AppDeploymentOption.No ADMIN_USER_NAME "" AppDeploymentOption.No "user:ADMIN_USER_NAME" ""]]]')
      AdminApp.edit('wsm-pm', '[-MapRolesToUsers [[policyViewer AppDeploymentOption.No AppDeploymentOption.No ADMIN_USER_NAME "" AppDeploymentOption.No " |user:ADMIN_USER_NAME" ""]]]')
      AdminConfig.save()
      

      Replace ADMIN_USER_NAME and ADMIN_PASSWORD with the WebSphere administrator user credentials. Because the file then holds the administrator password in clear text, create it with permissions restricted to the user who runs wsadmin, and delete it after the script has run.

    6. Run the following script:

      $COMMON_COMPONENTS_HOME/common/bin/wsadmin.sh -profileName DMGR_PROFILE_NAME -conntype SOAP \
        -host DMGR_HOSTNAME -port DMGR_SOAP_PORT -user WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD -f was_admin.py
      
    7. Restart all the servers.

  20. For additional postinstallation configuration of Oracle Identity Manager, perform the steps described in Section 4.4, "Performing Postinstallation Configuration on IBM WebSphere" and Section 4.6.1, "URL Changes Related to Oracle Identity Manager".
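The procedure above leaves several values to be looked up by hand and one warning (from seed_opss_permission.sh in step 13, and again in step 16 of the clustered procedure in Section 4.3.2) whose only reliable check is the contents of system-jazn-data.xml. The following script is an added example, not part of the Oracle documentation or shipped with the product: it reads the Deployment Manager's AboutThisProfile.txt for the SOAP and bootstrap ports, confirms that wf_client_config.xml points at a host and port, and verifies that the oim_customreg.jar code-source grant carrying CredentialAccessPermission on the oim and oracle.wsm.security maps is present. The function names, the line labels assumed in AboutThisProfile.txt, the simplified XML layouts in write_samples, and the JAR path are all assumptions made for the example; the sample files are constructed, not captured from a real profile.

```shell
#!/bin/sh
# Post-install verification for the single-node OIM-on-WebSphere procedure.
# Added example; not Oracle's script. ASSUMPTIONS: the labels in
# AboutThisProfile.txt and the XML layouts in write_samples are reconstructed
# from the chapter's references, and the JAR path is a placeholder.
set -u

# Print the numeric value of a labelled line in AboutThisProfile.txt, e.g.
#   profile_port FILE "Management SOAP connector port"
profile_port() {
  sed -n "s/^$2: *\([0-9][0-9]*\).*/\1/p" "$1" | head -n 1
}

# Print the <serverURL> that the workflow client has been pointed at.
wf_client_server_url() {
  sed -n 's/.*<serverURL>\([^<]*\)<\/serverURL>.*/\1/p' "$1" | head -n 1
}

# Succeed (exit 0) only if system-jazn-data.xml contains a <grant> whose
# codesource URL is exactly JAR_URL and which carries a
# CredentialAccessPermission naming MAP_NAME.
#   jazn_has_cred_grant FILE JAR_URL MAP_NAME
jazn_has_cred_grant() {
  awk -v jar="$2" -v map="mapName=$3," '
    index($0, "<grant>")                               { ingrant = 1; hasjar = 0; hasmap = 0 }
    ingrant && index($0, "<url>" jar "</url>")         { hasjar = 1 }
    ingrant && index($0, "CredentialAccessPermission") { inperm = 1 }
    ingrant && inperm && index($0, map)                { hasmap = 1 }
    index($0, "</grant>")  { if (hasjar && hasmap) found = 1; ingrant = 0; inperm = 0 }
    END { exit found ? 0 : 1 }' "$1"
}

# Run every check; return non-zero if any of them fails.
#   check_install PROFILE_TXT WF_CLIENT_XML JAZN_XML JAR_URL
check_install() {
  rc=0
  soap=$(profile_port "$1" "Management SOAP connector port")
  boot=$(profile_port "$1" "Management bootstrap port")
  [ -n "$soap" ] && echo "ok   DMGR SOAP port (syncNode, wsadmin): $soap" \
                 || { echo "FAIL SOAP port not found in $1"; rc=1; }
  [ -n "$boot" ] && echo "ok   DMGR bootstrap port (WAS Admin URL): $boot" \
                 || { echo "FAIL bootstrap port not found in $1"; rc=1; }
  url=$(wf_client_server_url "$2")
  case "$url" in
    corbaloc:iiop:*:[0-9]*) echo "ok   workflow client serverURL: $url" ;;
    *) echo "FAIL serverURL missing or not corbaloc:iiop:HOST:PORT: '$url'"; rc=1 ;;
  esac
  # The grant is broad (every key in the map, read/write/delete), so it must
  # exist for exactly this JAR and nothing wider.
  for map in oim oracle.wsm.security; do
    if jazn_has_cred_grant "$3" "$4" "$map"; then
      echo "ok   CredentialAccessPermission grant on map $map for $4"
    else
      echo "FAIL no CredentialAccessPermission grant on map $map for $4"; rc=1
    fi
  done
  return $rc
}

# Constructed sample files for an offline dry run (not real system output).
write_samples() {
  mkdir -p "$1"
  cat >"$1/AboutThisProfile.txt" <<'EOF'
Profile name: Dmgr01
Administrative console port: 9060
Management bootstrap port: 9809
Management SOAP connector port: 8879
EOF
  cat >"$1/wf_client_config.xml" <<'EOF'
<workflowServicesClientConfiguration>
  <serverURL>corbaloc:iiop:soahost.example.com:2800</serverURL>
</workflowServicesClientConfiguration>
EOF
  cat >"$1/system-jazn-data.xml" <<'EOF'
<jazn-data><jazn-policy>
<grant>
<grantee><codesource><url>file:/u01/oracle/Oracle_IDM1/server/loginmodule/was/oim_customreg.jar</url></codesource></grantee>
<permissions>
<permission><class>oracle.security.jps.service.credstore.CredentialAccessPermission</class>
<name>context=SYSTEM,mapName=oim,keyName=*</name><actions>read,write,delete</actions></permission>
<permission><class>oracle.security.jps.service.credstore.CredentialAccessPermission</class>
<name>context=SYSTEM,mapName=oracle.wsm.security,keyName=*</name><actions>read,write,delete</actions></permission>
</permissions>
</grant>
</jazn-policy></jazn-data>
EOF
}

# Dry run against the constructed samples:  sh check_oim_was.sh --demo
if [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d) && write_samples "$d"
  check_install "$d/AboutThisProfile.txt" "$d/wf_client_config.xml" \
    "$d/system-jazn-data.xml" \
    "file:/u01/oracle/Oracle_IDM1/server/loginmodule/was/oim_customreg.jar"
  rm -rf "$d"
fi
```

On the Deployment Manager machine, call check_install with the real files: $WAS_HOME/profiles/Dmgr01/logs/AboutThisProfile.txt, $WAS_HOME/lib/ext/wf_client_config.xml, $WAS_HOME/profiles/Dmgr01/config/cells/OIM_CELL_NAME/fmwconfig/system-jazn-data.xml, and file:$OIM_ORACLE_HOME/server/loginmodule/was/oim_customreg.jar as the JAR URL. The JAR URL is matched exactly, which is deliberate: the grant hands the login module read, write, and delete access to every key in both credential maps, so a grant on a wider path than the one JAR is a finding, not a pass. After syncNode has run, the same check against the Custom01 profile's copy of system-jazn-data.xml confirms that the grant reached the node.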

4.3.1.1 Installing and Configuring the Design Console

Steps 1 through 3 prepare the IBM WebSphere Application Client on the Design Console machine; perform them before you install the Design Console (step 4) and before you start it.

To install the Design Console on Microsoft Windows:

  1. Install WebSphere Application Client by referring to IBM documentation.

  2. Install fix pack 27 or later by referring to IBM documentation.

  3. Update the following properties in the WAS_CLIENT_HOME/properties/sas.client.props file.

    Edit the values as follows. Note that com.ibm.CORBA.securityServerPort represents the Oracle Identity Manager bootstrap port:

    com.ibm.CORBA.securityServerHost=OIM_HOSTNAME
    com.ibm.CORBA.securityServerPort=OIM_BOOTSTRAP_PORT
    com.ibm.CORBA.loginSource=none
    
  4. Install Design Console on Microsoft Windows. To do so:

    Note:

    Make sure that Appclient is installed.
    1. Install Oracle Identity Manager by running the installer. To do so, open a command prompt in Windows, and run the Oracle Identity Manager installer, as shown:

      c:\setup.exe -jreLoc LOCATION_OF_IBM_JDK
      
    2. Start the configuration assistant as follows:

      cd OIM_HOME\bin
      config.bat -jreLoc LOCATION_OF_IBM_JDK -enableWAS
      
    3. Configure the following:

      • Select Design Console.

      • Enter the Oracle Identity Manager server host name, server port and server bootstrap port.

        Tip:

        The port number is Oracle Identity Manager server bootstrap address. To check this:
        1. Log in to the WebSphere Deployment Manager administrative console.

        2. Select Servers, Server Types, WebSphere application servers, click the Oracle Identity Manager server (for example, oim_server1), and expand Ports.

        3. Note the BOOTSTRAP_ADDRESS port.

      • Provide the value for WAS_CLIENT_HOME.

    4. Continue and finish the wizard.

4.3.1.2 (OPTIONAL) Installing the Oracle Identity Manager Remote Manager on a Separate System

When you install the Oracle Identity Manager Remote Manager as a part of the Oracle Identity Manager installation, the Remote Manager is installed on the same host as Oracle Identity Manager. In typical Oracle Identity Manager environments, the Remote Manager is deployed on a separate host, not on the same host as Oracle Identity Manager.

If desired, you can perform the following steps to install the Remote Manager on a separate system:

Note:

Make sure that WebSphere Application Server is installed. In addition, ensure that the separate system for the Remote Manager has the IBM JRE installed on it. If it does not, then install it.
  1. Start the installer using the following command:

    cd iamsuite/Disk1
    ./runInstaller -jreLoc LOCATION_OF_IBM_JRE
    

    Note:

    When the Install Software Updates installer screen is displayed, you must select the Skip Software Updates option.
  2. Start the configuration assistant as follows:

    cd $OIM_HOME/bin
    ./config.sh -jreLoc LOCATION_OF_IBM_JRE -DSHOW_APPSERVER_TYPE_SCREEN=true
    
  3. In the Components to Configure page, select Remote Manager.

  4. Select WebSphere as the application server.

  5. Enter values for Service name, RMI registry port, and Listen port (SSL).

  6. Enter keystore passwords.

  7. Continue and finish the wizard.

4.3.1.3 Installing the Diagnostic Dashboard

To install the Diagnostic Dashboard:

  1. Login to IBM WebSphere Administrative Console.

  2. Expand Applications, and click WebSphere enterprise applications.

  3. Click Install.

  4. Select Remote file system.

  5. Enter the complete path to the XIMDD.ear file. The XIMDD.ear file is available in the $OIM_HOME/server/webapp/optional/ directory. Then, click Next.

  6. Choose Fast Path to install application.

  7. Click Next in the Select installation options.

  8. Check the Select option in the Map modules to servers page, and click Next.

  9. Select the Module (XIMDD.ear). In Clusters and Server, select the server (oim_server1), and click Apply. Then, click Next.

  10. Click Next in the Map virtual hosts for Web modules page.

  11. Click Finish in the Summary page.

  12. Save the changes.

4.3.2 Installing Oracle Identity Manager for a Clustered Configuration

This section describes how to install Oracle Identity Manager on IBM WebSphere in a clustered configuration. By performing the steps in this section, you will create a configuration as described in Table 4-3.

Table 4-3 Overview of Clustered Configuration

Deployment Manager Machine
  • WebSphere Deployment Manager
  • WebSphere Node1
  • OracleAdminServer
  • OIM_SERVER_1
  • SOA_SERVER_1

WebSphere Node 2 Machine
  • WebSphere Node2
  • OIM_SERVER_2
  • SOA_SERVER_2

Design Console Machine
  • Oracle Identity Manager Design Console


To install Oracle Identity Manager on IBM WebSphere in a clustered configuration:

  1. Create the database schema, as described in Section 2.3, "Task 3: Identify a Database and Install the Required Database Schemas".

  2. Create and load the Identity Management - Oracle Identity Manager schema into the database using the Oracle Fusion Middleware Repository Creation Utility (RCU). For more information, refer to the following documents:

    • Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management

    • Oracle Fusion Middleware Repository Creation Utility User's Guide

  3. Make sure to have IBM HTTP Server (IHS) available. To install and configure IHS:

    1. Install IHS on the Deployment Manager Machine, specifying the HTTP port and the administration server port appropriate for the host.

    2. Provide webserver1 as the webserver name.

    3. The IHS setup prompts to configure/generate the default plug-in configuration. Select Yes to generate the default plug-in configuration.

    4. After the setup is complete, start IHS by running the following command:

      IHS_INSTALL_DIRECTORY/bin/apachectl start
      
    5. Verify that the IHS Welcome page is displayed by navigating to the following URL:

      http://IHS_HOSTNAME:PORT_NUMBER

      Note:

      See Section 4.4.6, "Performing Postinstallation Configuration of IHS (Optional)" for post-installation configuration of IHS.
  4. On Deployment Manager Machine and WebSphere Node 2 Machine, install IBM WebSphere Application Server Network Deployment 7.0 with fix pack 27 or later by referring to IBM documentation.

  5. On Design Console Machine, install IBM WebSphere Application Client 7.0 with fix pack 27 or later to host the Oracle Identity Manager Design Console. Refer to IBM documentation for more information about installing IBM WebSphere Application Client.

  6. On Deployment Manager Machine and WebSphere Node 2 Machine, install Oracle SOA Suite 11.1.1.7.0 and apply the SOA patches by referring to Section 2.5, "Task 5: Install Oracle SOA Suite (Oracle Identity Manager Users Only)".

    Note:

    Make sure to use WebSphere Application Server JRE when installing SOA.

    The patch OIM_11.1.2.2_SOAPS6_PREREQS.zip file is available in the /iamsuite/Disk1/ directory after iamsuite1.zip is unzipped. Make sure that the directory has write permissions before unzipping the patch. Alternatively, copy the patch OIM_11.1.2.2_SOAPS6_PREREQS.zip to another directory, as follows:

    1. Unzip OIM_11.1.2.2_SOAPS6_PREREQS.zip. This creates a SOAPATCH directory. This directory contains the ZIP files for patches.

    2. Change the permission to read and write for the SOAPATCH directory by using the chmod command.

    3. Run the following command:

      SOA_HOME/OPatch/opatch napply SOAPATCH -oh SOA_HOME -jdk LOCATION_OF_IBM_JDK
      
  7. On Deployment Manager Machine and WebSphere Node 2 Machine, install Oracle Identity Manager. For more information about installing Oracle Identity Manager, refer to the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

    To start the installer, run:

    cd iamsuite/Disk1
    ./runInstaller -jreLoc LOCATION_OF_IBM_JRE -DSHOW_APPSERVER_TYPE_SCREEN=true
    

    Note:

    When the Install Software Updates installer screen appears, you must select the Skip Software Updates option.
  8. Upgrade OPSS schema, as described in Section 2.8, "Task 8: Upgrading OPSS Schema using Patch Set Assistant".

  9. On the Deployment Manager Machine, use the Oracle Fusion Middleware Configuration Wizard to create the Oracle Identity Manager cell. By default, the Configuration Wizard is located at:

    MW_HOME/Oracle_IDM1/common/bin/was_config.sh

    You must create the cell in WebSphere in the following way so that Oracle Identity Manager and SOA are added to the cell:

    1. Run the was_config script, and select the Oracle SOA suite for WebSphere ND template.

    2. Run the was_config script again, select the existing cell, and then select the Oracle Identity Manager for WebSphere ND template.

    For more information, refer to the Oracle Fusion Middleware Configuration Guide for IBM WebSphere Application Server.

    Table 4-4 provides information about specific Configuration Wizard screens and appropriate information to enter on those screens—the table does not cover self-explanatory, standard screens.

    Table 4-4 Information for Specific Configuration Wizard Screens

    Screen Name Input Description

    Select Configuration Option

    Create and configure cell

    Add Products to Cell

    Select Oracle SOA Suite for WebSphere ND.

    Oracle Workflow Client Extension, Oracle WSM Policy Manager, and Oracle JRF for WebSphere should also be selected.

    Select Optional Configuration

    At a minimum, you must select the Application Servers, Clusters and End Points option—this is a required option.

    Configure Application Servers

    Perform the following steps:

    1. In the Name field, enter a name for the Oracle SOA Suite server, for example, SOA_SERVER_1.

    2. In the Node Name list, select the Node Agent for SOA_SERVER_1. For example: WebSphere Node1.

    Configure Clusters Screen

    Perform the following steps:

    1. Click Add.

    2. Enter a name for the cluster in the cluster name field, for example, SOACluster.

    3. Select the appropriate SOA server from the First cluster member list.

    Configure Additional Cluster Members

    Click Next, or optionally add servers to an existing system in the cluster.

    Select Configuration Option

    Run the was_config.sh script again, and select Select and Configure Existing Cell.

    Add Products to Cell

    Select Oracle Identity Manager for WebSphere ND.

    Oracle Enterprise Manager for WebSphere, Oracle Platform Security Service, and Oracle JRF Webservices Asynchronous Services should also be selected.

    Select Optional Configuration

    At a minimum, you must select the Application Servers, Clusters and End Points option—this is a required option.

    Configure Application Servers

    Perform the following steps:

    1. In the Name field, enter a name for the Oracle Identity Manager server, for example: OIM_SERVER_1.

    2. In the Node Name list, select the Node Agent for OIM_SERVER_1. For example: WebSphere Node1.

    Configure Clusters Screen

    Perform the following steps:

    1. Click Add.

    2. Enter a name for the cluster in the cluster name field, for example: OIMCluster.

    3. Select the appropriate OIM server from the First cluster member list.

    Configure Additional Cluster Members

    Click Next, or optionally, add servers to an existing system in the cluster.


  10. On the Deployment Manager Machine, execute the copy_jars.sh script. For example:

    cd $OIM_HOME/server/wasconfig
    ./copy_jars.sh
    

    Note:

    Before you execute the copy_jars.sh script, ensure the WAS_HOME, COMMON_COMPONENTS_HOME, and OIM_ORACLE_HOME variables are set. COMMON_COMPONENTS_HOME represents the location of the Oracle Fusion Middleware common directory, such as MW_HOME/oracle_common and; OIM_ORACLE_HOME represents the location where the Oracle Identity Manager Server is installed, such as MW_HOME/Oracle_IDM1. WAS_HOME represents the location where WebSphere is installed, such as IBM/WebSphere/AppServer.
  11. On the Deployment Manager Machine, stop the node agent, start the Deployment Manager, synchronize the node, and then start the node agent again, as follows:

    $WAS_HOME/profiles/Custom01/bin/stopNode.sh -username WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
    $WAS_HOME/profiles/Dmgr01/bin/startManager.sh -username WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
    $WAS_HOME/profiles/Custom01/bin/syncNode.sh DMGR_HOST DMGR_SOAP_PORT -username WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
    $WAS_HOME/profiles/Custom01/bin/startNode.sh
    

    For specifying the port number for DMGR_SOAP_PORT, refer to the $WAS_HOME/profiles/Dmgr01/logs/AboutThisProfile.txt file that contains information about the ports.

    Note:

    When you start, stop, and synchronize the IBM WebSphere nodes, you must:
    • Use the user name and password that you used to create the cell.

    • Execute syncNode.sh. If you do not, some applications will not be deployed correctly.

    • Execute syncNode.sh from the following directory:

      $WAS_HOME/profiles/Custom01/bin
      
    • If the node agent does not stop on running the stopNode.sh script, then find the process of the node agent and run the kill command to stop it, as shown:

      kill -9 PROCESS_ID
      
  12. On the Deployment Manager Machine, stop the node agent and the Deployment Manager before configuring the database policy store, as shown:

    $WAS_HOME/profiles/Custom01/bin/stopNode.sh -username WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
    $WAS_HOME/profiles/Dmgr01/bin/stopManager.sh -username WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
    
  13. On the Deployment Manager Machine, perform database policy migration by referring to step 1 of Section 2.10, "Task 10: Configure the Database Security Store".

  14. On the Deployment Manager Machine, start the Deployment Manager. To do so, run the following command in the IBM WebSphere home:

    For UNIX, run:

    $WAS_HOME/profiles/dmgr_profileName/bin/startManager.sh
    

    For example, on UNIX operating system, run:

    /disk01/IBM/WebSphere/AppServer/profiles/Dmgr01/bin/startManager.sh
    
  15. On the Deployment Manager Machine, start the node agent by running the following command:

    $WAS_HOME/profiles/CUSTOM_PROFILE_NAME/bin/startNode.sh
    

    For example:

    $WAS_HOME/profiles/Custom01/bin/startNode.sh
    
  16. On the Deployment Manager Machine, execute the seed_opss_permission.sh script as follows:

    cd OIM_HOME/server/wasconfig/
    sh seed_opss_permission.sh
    

    Note:

    • Before you execute the seed_opss_permission.sh script, ensure that the WAS_HOME, COMMON_COMPONENTS_HOME, and OIM_ORACLE_HOME variables are set. COMMON_COMPONENTS_HOME is the Oracle Fusion Middleware common directory, such as MW_HOME/oracle_common, and OIM_ORACLE_HOME is the directory where the Oracle Identity Manager Server is installed.

    • The script will prompt you to enter values for the following:

      Enter Deployment Manager Profile Name [Ex: Dmgr01]:
      Enter Deployment Manager host name:
      Enter Deployment Manager SOAP Port:
      Enter WebpSphere Administrator username:
      Enter the WebpSphere Administrator password:
      
    • On running the seed_opss_permission.sh script, you might encounter the following error message:

      Failed to import script libraries modules: COMMON_COMPONENTS_HOME/common/wsadmin/wsmAgent.py; Examine the wsadmin log file to determine the problem.
      

      When you encounter this error, check the system-jazn-data.xml file to ensure that permission has been granted to oim_customreg.jar. If permission is not granted, then you must add the permission manually. To do so:

      i) Open the WAS_HOME/profiles/Dmgr01/config/cells/OIM_CELL_NAME/fmwconfig/system-jazn-data.xml file.

      ii) Search for the following entry. If it does not exist in system-jazn-data.xml, then add it manually, replacing OIM_ORACLE_HOME with the actual path. Note that this grant gives code loaded from that JAR read, write, and delete access to every key in the oim and oracle.wsm.security credential maps, so the <url> must name the exact JAR file and nothing broader.

      <grant>
        <grantee>
          <codesource>
            <url>file:OIM_ORACLE_HOME/server/loginmodule/was/oim_customreg.jar</url>
          </codesource>
        </grantee>
        <permissions>
          <permission>
            <class>oracle.security.jps.service.credstore.CredentialAccessPermission</class>
            <name>context=SYSTEM,mapName=oim,keyName=*</name>
            <actions>read,write,delete</actions>
          </permission>
          <permission>
            <class>oracle.security.jps.service.credstore.CredentialAccessPermission</class>
            <name>context=SYSTEM,mapName=oracle.wsm.security,keyName=*</name>
            <actions>read,write,delete</actions>
          </permission>
        </permissions>
      </grant>
      
  17. Add the following properties by logging in to the IBM WebSphere Administrative Console and clicking System Administration, Node Agents, NAME_OF_NODE_AGENT_ON_DEPLOYMENT_MANAGER_MACHINE, Java and Process Management, Process Definition, Java Virtual Machine, Custom Properties.

    Note:

    When you create the properties:
    • An example location for the PATH_TO_jps-config.xml_IN_THE_fmwconfig_DIRECTORY is: WAS_HOME/profiles/Dmgr01/config/cells/HOST_NAME_Cell01/fmwconfig/jps-config.xml

    • An example location for the PATH_TO_THE_fmwconfig_DIRECTORY is: WAS_HOME/profiles/Dmgr01/config/cells/HOST_NAME_Cell01/fmwconfig

    Name: oracle.security.jps.config
    Value: PATH_TO_jps-config.xml_IN_THE_fmwconfig_DIRECTORY
    Description (optional): Adding the jpsconfig location using OPSS System Property
    Name: oracle.domain.config.dir
    Value: PATH_TO_THE_fmwconfig_DIRECTORY
    Description (optional): Setting the Key Store Domain Config directory
    

    Click OK and save the changes.

  18. Configure Coherence for the SOA cluster. To do so, perform the following steps for SOA_SERVER1:

    1. Log in to the IBM WebSphere Administrative Console.

    2. Go to Servers, SOA_SERVER, Java and Process Management, Process Definition, Java Virtual Machine, Custom Properties.

    3. Add the following properties for a unicast cluster, where host1 is the host name of the machine running SOA_SERVER1:

      tangosol.coherence.wka1=host1
      tangosol.coherence.localhost=host1
      
    4. Stop the Deployment Manager, as follows:

      WAS_HOME/profiles/Dmgr01/bin/stopManager.sh -username WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
      
  19. On the Deployment Manager Machine, stop, synchronize, and start the Node Agent, and start the SOA server. A password passed with -password is visible to other local users in the process list and is recorded in the shell history; if you omit -username and -password, the WebSphere scripts prompt for the credentials instead. For example:

    $WAS_HOME/profiles/Custom01/bin/stopNode.sh -username WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
    $WAS_HOME/profiles/Custom01/bin/syncNode.sh DMGR_HOST DMGR_SOAP_PORT -username WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
    $WAS_HOME/profiles/Custom01/bin/startNode.sh
    $WAS_HOME/profiles/Custom01/bin/startServer.sh soa_server1
    
  20. If Oracle HTTP Server (OHS) is used to front the Oracle Identity Manager cluster, then add the following entry to the WEB_ORACLE_INSTANCE/config/OHS/component_name/moduleconf/admin_vh.conf file:

    <Location /CertificationCallbackService>
        SetHandler weblogic-handler
        WLCookieName oimjsessionid
        WebLogicCluster OIMHOST1:LISTENPORT,OIMHOST2:LISTENPORT
        WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/OHS/oim_component.log"
    </Location>
    
  21. On the Deployment Manager Machine, configure the Oracle Identity Manager server (and optionally the Oracle Identity Manager Remote Manager) using the Oracle Universal Installer Configuration Assistant.

    Note:

    You do not need to run the Configuration Assistant on the WebSphere Node 2 Machine.

    Start the configuration assistant as follows:

    cd $OIM_HOME/bin
    ./config.sh -jreLoc LOCATION_OF_IBM_JRE -DSHOW_APPSERVER_TYPE_SCREEN=true
    

    Table 4-5 provides information about specific Configuration Assistant screens and appropriate information to enter on those screens—the table does not cover self-explanatory screens.

    Table 4-5 Information for Specific Configuration Assistant Screens

    Screen Name Input Description

    Application Server

    Be sure to select WebSphere

    WebSphere AS Details

    • The WAS Cell home location is:

      $WAS_HOME/profiles/Dmgr01/config/cells/CELL_NAME
      
    • You can identify the WAS Admin URL port from the Management bootstrap port entry in the following file:

      $WAS_HOME/profiles/Dmgr01/logs/AboutThisProfile.txt
      
    • You can identify the WAS Admin Soap Port from the following file:

      $WAS_HOME/profiles/Dmgr01/logs/AboutThisProfile.txt
      
    • The WAS Admin Name and WAS Admin Password are the same as you used to create the cell.

    OIM Server

    In the OIM HTTP URL field, enter the HTTP URL for the IBM HTTP Server.


  22. On the Deployment Manager Machine, stop the SOA server, the Node Agent, and the Deployment Manager if they are running. For example:

    $WAS_HOME/profiles/Custom01/bin/stopServer.sh soa_server1 -username WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
    $WAS_HOME/profiles/Custom01/bin/stopNode.sh -username WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
    $WAS_HOME/profiles/Dmgr01/bin/stopManager.sh -username WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
    
  23. On the Deployment Manager Machine, start the Deployment Manager, synchronize the Node Agent, start the Node Agent, and start SOA server.

    Note:

    Be sure to execute the syncNode script, as this will transfer the required configuration information to the Custom01 profile.

    For example:

    $WAS_HOME/profiles/Dmgr01/bin/startManager.sh
    $WAS_HOME/profiles/Custom01/bin/syncNode.sh DMGR_HOST DMGR_SOAP_PORT -username WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
    $WAS_HOME/profiles/Custom01/bin/startNode.sh
    
  24. On the WebSphere Node 2 Machine, launch the Oracle Fusion Middleware Configuration Wizard to federate the machine and configure its cell. By default, the Configuration Wizard is located at:

    MW_HOME/Oracle_IDM1/common/bin/was_config.sh

    For more information, refer to the Oracle Fusion Middleware Configuration Guide for IBM WebSphere Application Server.

    Table 4-6 provides information about specific Configuration Wizard screens and appropriate information to enter on those screens—the table does not cover self-explanatory, standard screens.

    Table 4-6 Information for Specific Configuration Wizard Screens

    Screen Name Input Description

    Select Configuration Option

    Select the Federate Machine and Configure Cell option.

    Specify Profile and Node Name Information

    Enter information about the profile and node names you want to create for the WebSphere Node 2 Machine.

    Specify Deployment Manager Information

    Enter information about the existing Deployment Manager system.

    Select Optional Configuration

    Be sure to select the Application Servers, Clusters and End Points option—this is a required option.

    Configure Additional Cluster Members

    Perform the following steps:

    1. Click Add.

    2. In the Name field, enter a name for the second server in the SOACluster. For example: SOA_SERVER_2.

    3. In the Node Name list, select the Node Agent for SOA_SERVER_2. For example: WebSphere Node2.

    4. In the Cluster Name list, select the SOACluster.

    5. Click Add.

    6. In the Name field, enter a name for the second server in the OIMCluster. For example: OIM_SERVER_2.

    7. In the Node Name list, select the Node Agent for OIM_SERVER_2. For example: WebSphere Node2.

    8. In the Cluster Name list, select the OIMCluster.


  25. On the WebSphere Node 2 Machine, execute the copy_jars.sh script. For example:

    cd $OIM_HOME/server/wasconfig
    ./copy_jars.sh
    

    Note:

    Before you execute the copy_jars.sh script, ensure that the WAS_HOME, COMMON_COMPONENTS_HOME, and OIM_ORACLE_HOME variables are set. COMMON_COMPONENTS_HOME represents the location of the Oracle Fusion Middleware common directory, such as MW_HOME/oracle_common; OIM_ORACLE_HOME represents the location where the Oracle Identity Manager Server is installed, such as MW_HOME/Oracle_IDM1; and WAS_HOME represents the location where WebSphere is installed, such as IBM/WebSphere/AppServer.

  26. On the Deployment Manager Machine, stop the node, and stop Deployment Manager. For example:

    $WAS_HOME/profiles/Custom01/bin/stopNode.sh -username WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
    $WAS_HOME/profiles/Dmgr01/bin/stopManager.sh
    
  27. On the Deployment Manager Machine, start the Deployment Manager, synchronize the Node Agent, and start the Node Agent. For example:

    Note:

    Be sure to execute the syncNode script, as this will transfer the required configuration information to the Custom01 profile.

    $WAS_HOME/profiles/Dmgr01/bin/startManager.sh
    $WAS_HOME/profiles/Custom01/bin/syncNode.sh DMGR_HOST DMGR_SOAP_PORT -username WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
    $WAS_HOME/profiles/Custom01/bin/startNode.sh
    
  28. On the WebSphere Node 2 Machine, stop, synchronize, and start the IBM WebSphere nodes as follows:

    Note:

    Be sure to execute the syncNode script, as this will transfer the required configuration information to the Custom01 profile.

    $WAS_HOME/profiles/Custom01/bin/stopNode.sh -username WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
    $WAS_HOME/profiles/Custom01/bin/syncNode.sh DMGR_HOST DMGR_SOAP_PORT -username WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
    $WAS_HOME/profiles/Custom01/bin/startNode.sh
    
  29. Add the following properties by logging in to the IBM WebSphere Administrative Console and clicking System Administration, Node Agents, NAME_OF_NODE_AGENT_ON_WEBSPHERE_NODE2_MACHINE, Java and Process Management, Process Definition, Java Virtual Machine, Custom Properties.

    Note:

    When you create the properties:
    • An example location for the PATH_TO_jps-config.xml_IN_THE_fmwconfig_DIRECTORY is: WAS_HOME/profiles/Custom01/config/cells/HOST_NAME_Cell01/fmwconfig/jps-config.xml

    • An example location for the PATH_TO_THE_fmwconfig_DIRECTORY is: WAS_HOME/profiles/Custom01/config/cells/HOST_NAME_Cell01/fmwconfig

    Name: oracle.security.jps.config
    Value: PATH_TO_jps-config.xml_IN_THE_fmwconfig_DIRECTORY
    Description (optional): Adding the jpsconfig location using OPSS System Property
    Name: oracle.domain.config.dir
    Value: PATH_TO_THE_fmwconfig_DIRECTORY
    Description (optional): Setting the Key Store Domain Config directory
    
  30. Copy wf_client_config.xml.template from $OIM_HOME/server/wasconfig directory to $WAS_HOME/lib/ext as wf_client_config.xml. For example, cp $OIM_HOME/server/wasconfig/wf_client_config.xml.template $WAS_HOME/lib/ext/wf_client_config.xml.

    Note:

    Perform this step on both the Deployment Manager Machine and the WebSphere Node 2 Machine.

    Update the wf_client_config.xml file with the SOA Server host names and bootstrap ports in the <serverURL> tag. For example:

    <serverURL>corbaloc:iiop:host1:bootstrap_port1,:host2:bootstrap_port2</serverURL>
    
    

    Tip:

    You can identify the SOA bootstrap port by performing the following steps:
    1. Log in to IBM WebSphere Administrative Console.

    2. Select Servers, Server Types, Web Application Servers.

    3. Click the SOA Server name.

    4. In the Communications Group area, click Ports.

      The value of BOOTSTRAP_ADDRESS is the SOA Server bootstrap port.

  31. Perform the following steps to enable load balancing of JMS message processing by MDBs:

    1. Log in to IBM WebSphere Administrative Console.

    2. Click Resources, JMS, Activation Specifications, NAME_OF_OIM_ACTIVATION_SPECIFICATION. Then select Always activate MDBs in all servers.

    3. Click OK and Save the configuration.

    Note:

    You must perform this step individually for each of the following Oracle Identity Manager Activation Specifications:
    • oimAttestationQueueMDBActivationSpec

    • oimAuditQueueMDBActivationSpec

    • oimDefaultQueueMDBActivationSpec

    • oimKernelQueueMDBActivationSpec

    • oimProcessQueueMDBActivationSpec

    • oimReconQueueMDBActivationSpec

    • oimSODQueueMDBActivationSpec

  32. Configure Coherence for the SOA cluster. To do so, perform the following steps for each SOA server:

    1. Log in to the IBM WebSphere Administrative Console.

    2. Go to Servers, SOA_SERVER, Java and Process Management, Process Definition, Java Virtual Machine, Custom Properties.

    3. Add the following properties, where host1 and host2 are the host names of the machines running SOA_SERVER1 and SOA_SERVER2:

      • For SOA_SERVER2:

        tangosol.coherence.wka1=host1
        tangosol.coherence.wka2=host2
        tangosol.coherence.localhost=host2
        
      • For SOA_SERVER1 (wka1 and localhost were already set in step 18):

        tangosol.coherence.wka2=host2
        
    4. Stop the Deployment Manager, as follows:

      WAS_HOME/profiles/Dmgr01/bin/stopManager.sh -username WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
      
  33. On Deployment Manager Machine and WebSphere Node 2 Machine, stop, synchronize, and start the Node Agents. For example:

    $WAS_HOME/profiles/Custom01/bin/stopNode.sh -username WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
    $WAS_HOME/profiles/Custom01/bin/syncNode.sh DMGR_HOST DMGR_SOAP_PORT -username WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
    $WAS_HOME/profiles/Custom01/bin/startNode.sh
    
  34. On the Deployment Manager Machine, start the servers as follows:

    $WAS_HOME/profiles/Custom01/bin/startServer.sh SOA_SERVER_1
    $WAS_HOME/profiles/Custom01/bin/startServer.sh OIM_SERVER_1
    $WAS_HOME/profiles/Custom01/bin/startServer.sh OracleAdminServer
    
  35. On the WebSphere Node 2 Machine, start the servers as follows:

    $WAS_HOME/profiles/Custom01/bin/startServer.sh SOA_SERVER_2 
    $WAS_HOME/profiles/Custom01/bin/startServer.sh OIM_SERVER_2
    
  36. Include soa_server2 in the existing Rmiurl of SOAconfig by referring to Section 4.6.1.4, "SOA Host and Port Changes".

  37. If the Oracle Identity Manager administrator user is different from the WebSphere administrator user, then perform the following steps:

    1. In the navigator pane of Oracle Enterprise Manager Fusion Middleware Control, expand WebSphere Cell to view the cells.

    2. Select the cell on which Oracle Identity Manager and SOA are configured.

    3. Right-click the cell name, and select Web Services, Platform Policy Configuration.

    4. In the Add New Configure Property window, specify the following values, and then click OK.

      • In the Name field, enter jndi.lookup.csf.key.

      • In the Value field, enter admin-csf-key.

      Note:

      If the property is not persisted after saving the changes, then perform the following steps:
      1. On the Deployment Manager Machine, open the policy-accessor-config.xml file in the Dmgr profile, for example /profiles/Dmgr01/config/cells/CELL_NAME/fmwconfig/policy-accessor-config.xml.

      2. In the policy-accessor section, uncomment the jndi.lookup.key property, and replace the {papCsfKey} value with admin-csf-key. This value is the lookup key for the admin user and its password in the credential store.

      3. Save and close the policy-accessor-config.xml file.

      4. Login to the IBM WebSphere Administrative Console, and perform a node synchronization to ensure that the changed configuration is propagated across all nodes of the cluster.

      5. To verify, connect to the nodes of the cluster and check the fmwconfig/policy-accessor-config.xml file in the nodes. The file must be updated with the new values for jndi.lookup.csf.key.

    5. Create a .py file, for example was_admin.py, with the following content:

      # wsadmin (Jython) script. ADMIN_USER_NAME / ADMIN_PASSWORD are the Oracle Identity
      # Manager administrator credentials; the password sits in this file in clear text.
      # Store the credential under the CSF key that policy-accessor-config.xml looks up.
      Opss.createCred(map='oracle.wsm.security', key='admin-csf-key', user='ADMIN_USER_NAME', password='ADMIN_PASSWORD', desc='wsm-pm admin user csf-key')
      # Map the wsm-pm application roles to that user.
      AdminApp.edit('wsm-pm', '[-MapRolesToUsers [[policy.Updater AppDeploymentOption.No AppDeploymentOption.No ADMIN_USER_NAME "" AppDeploymentOption.No "user:ADMIN_USER_NAME" "" ]]]')
      AdminApp.edit('wsm-pm', '[-MapRolesToUsers [[policy.Accessor AppDeploymentOption.No AppDeploymentOption.No ADMIN_USER_NAME "" AppDeploymentOption.No " |user:ADMIN_USER_NAME" "" ]]]')
      AdminApp.edit('wsm-pm', '[-MapRolesToUsers [[policy.User AppDeploymentOption.No AppDeploymentOption.No ADMIN_USER_NAME "" AppDeploymentOption.No "user:ADMIN_USER_NAME" "" ]]]')
      AdminApp.edit('wsm-pm', '[-MapRolesToUsers [[policyViewer AppDeploymentOption.No AppDeploymentOption.No ADMIN_USER_NAME "" AppDeploymentOption.No " |user:ADMIN_USER_NAME" "" ]]]')
      AdminConfig.save()
      

      Replace ADMIN_USER_NAME and ADMIN_PASSWORD with the Oracle Identity Manager administrator credentials. Because the file then contains the password in clear text, restrict its permissions and delete it after the script has run.

    6. Run the following script:

      $COMMON_COMPONENTS_HOME/common/bin/wsadmin.sh  -profileName DMGR_PROFILE_NAME -conntype SOAP -host DMGR_HOSTNAME -port DMGR_SOAP_PORT -user WEBSPHERE_ADMIN -password WEBSPHERE_ADMIN_PASSWORD -f was_admin.py
      
    7. Restart all the servers.

  38. On the Design Console Machine, install the Oracle Identity Manager Design Console. To start the installer:

    cd iamsuite\Disk1
    setup.exe -jreLoc LOCATION_OF_IBM_JRE
    

    Note:

    When the Install Software Updates installer screen appears, you must select the Skip Software Updates option.

  39. On the Design Console Machine, configure the Oracle Identity Manager Design Console using the Oracle Universal Installer Configuration Assistant.

    Start the configuration assistant as follows:

    cd OIM_HOME\bin
    config.bat -jreLoc LOCATION_OF_IBM_JRE
    

    Table 4-7 provides information about specific Configuration Assistant screens and appropriate information to enter on those screens—the table does not cover self-explanatory screens.

    Table 4-7 Information for Specific Configuration Assistant Screens

    Screen Name Input Description

    Application Server

    Be sure to select WebSphere

    OIM Server Host and Port

    • The WAS Client Home Location is $WAS_CLIENT_HOME.

    • The OIM Server Hostname is the host where OIM_SERVER_1 was created.

    • You can identify the OIM Server Port and OIM Server Bootstrap Port by performing the following steps:

      1) Log in to the IBM WebSphere administrative console.

      2) Click Servers > Server Types > Web Application Servers.

      3) Click OIM_SERVER_1.

      4) Click Ports in the Communications Group area.

      For the OIM Server Port, use the value from WC_defaulthost. For the OIM Server Bootstrap Port, use the value from BOOTSTRAP_ADDRESS.


  40. On Design Console Machine, perform the following steps after the Design Console installs, but before you start it:

    1. Update the following properties in the WAS_CLIENT_HOME/properties/sas.client.props file.

      Edit the values as follows. Note that com.ibm.CORBA.securityServerPort represents the Oracle Identity Manager bootstrap port:

      com.ibm.CORBA.securityServerHost=OIM_SERVER1_HOSTNAME|OIM_SERVER2_HOSTNAME
      com.ibm.CORBA.securityServerPort=OIM_SERVER1_BOOTSTRAP_PORT|OIM_SERVER2_BOOTSTRAP_PORT
      com.ibm.CORBA.loginSource=none
      
    2. Open the xlconfig.xml file for the Design Console and change the following values:

      Set ApplicationURL to http://WEBSERVER_HOSTNAME:WEBSERVER_PORT/

      Set java.naming.provider.url to corbaloc:iiop:OIM_SERVER1_HOSTNAME:OIM_SERVER1_BOOTSTRAP_PORT,:OIM_SERVER2_HOSTNAME:OIM_SERVER2_BOOTSTRAP_PORT

  41. For additional postinstallation configuration of Oracle Identity Manager, perform the steps described in Section 4.4, "Performing Postinstallation Configuration on IBM WebSphere" and Section 4.6.1, "URL Changes Related to Oracle Identity Manager".
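
The note in step 16 has you inspect system-jazn-data.xml by hand when seed_opss_permission.sh fails. The following script, added here as an example and not part of the Oracle documentation or of the OIM scripts, automates that check: it parses the file, finds every grant whose code-source URL ends in server/loginmodule/was/oim_customreg.jar (so whatever path was substituted for OIM_ORACLE_HOME does not matter), and reports which of the two CredentialAccessPermission entries from the note are missing or lack an action. The script name, the sample jar path, and the two embedded sample documents are constructed for illustration.

```python
"""Check the oim_customreg.jar code-source grant in system-jazn-data.xml.

Added example (not Oracle's documentation or scripts). Matching is on the jar
path suffix, so whatever was substituted for OIM_ORACLE_HOME is irrelevant.
Tag names are compared without namespace so a default xmlns does not break it.
"""
import sys
import xml.etree.ElementTree as ET

JAR_SUFFIX = "/server/loginmodule/was/oim_customreg.jar"
PERM_CLASS = "oracle.security.jps.service.credstore.CredentialAccessPermission"
# The two permissions the page's note says the grant must carry.
REQUIRED = {
    "context=SYSTEM,mapName=oim,keyName=*": {"read", "write", "delete"},
    "context=SYSTEM,mapName=oracle.wsm.security,keyName=*": {"read", "write", "delete"},
}


def _local(tag):
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _text(elem, name):
    kids = _children(elem, name)
    return (kids[0].text or "").strip() if kids else ""


def grants_for_jar(root, jar_suffix=JAR_SUFFIX):
    """Every <grant> (system or application policy) whose grantee code source
    URL ends with the jar path."""
    found = []
    for elem in root.iter():
        if _local(elem.tag) != "grant":
            continue
        urls = [_text(cs, "url")
                for grantee in _children(elem, "grantee")
                for cs in _children(grantee, "codesource")]
        if any(u.endswith(jar_suffix) for u in urls):
            found.append(elem)
    return found


def granted_actions(xml_text, jar_suffix=JAR_SUFFIX):
    """Permission name -> set of actions the jar holds for PERM_CLASS."""
    granted = {}
    for grant in grants_for_jar(ET.fromstring(xml_text), jar_suffix):
        for perms in _children(grant, "permissions"):
            for perm in _children(perms, "permission"):
                if _text(perm, "class") != PERM_CLASS:
                    continue
                actions = {a.strip() for a in _text(perm, "actions").split(",") if a.strip()}
                granted.setdefault(_text(perm, "name"), set()).update(actions)
    return granted


def missing_permissions(xml_text, jar_suffix=JAR_SUFFIX):
    """Permission name -> actions still missing; an empty dict means the grant
    is complete and nothing needs to be added by hand."""
    granted = granted_actions(xml_text, jar_suffix)
    return {name: actions - granted.get(name, set())
            for name, actions in REQUIRED.items()
            if actions - granted.get(name, set())}


# Constructed sample documents (not real files): one complete grant, and one
# with only a read-only entry for the oim map and no oracle.wsm.security entry.
_GRANT = """<jazn-data><jazn-policy><grant>
  <grantee><codesource>
    <url>file:/u01/oracle/Oracle_IDM1/server/loginmodule/was/oim_customreg.jar</url>
  </codesource></grantee>
  <permissions>%s</permissions>
</grant></jazn-policy></jazn-data>"""
_PERM = "<permission><class>%s</class><name>%s</name><actions>%s</actions></permission>"
SAMPLE_OK = _GRANT % "".join(
    _PERM % (PERM_CLASS, name, ",".join(sorted(acts))) for name, acts in REQUIRED.items())
SAMPLE_PARTIAL = _GRANT % (_PERM % (PERM_CLASS, "context=SYSTEM,mapName=oim,keyName=*", "read"))

if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_PARTIAL
    gaps = missing_permissions(text)
    for name, actions in sorted(gaps.items()):
        print("missing %s on %s" % (",".join(sorted(actions)), name))
    print("grant complete" if not gaps else "grant incomplete")
    sys.exit(1 if gaps else 0)
```

Run it on the Deployment Manager as `python check_oim_grant.py WAS_HOME/profiles/Dmgr01/config/cells/OIM_CELL_NAME/fmwconfig/system-jazn-data.xml` (the file name is an assumption); the exit status is non-zero when anything is missing, so it can gate the node synchronization in step 19. The grant hands the jar read, write and delete access to every key in the oim and oracle.wsm.security credential maps, so the file itself should stay readable only by the account that runs WebSphere.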

4.3.3 Performing Oracle Identity Manager Clustered Scale Out Configuration

Perform the procedure described in this section to add an additional Oracle Identity Manager server and SOA server to an existing clustered Oracle Identity Manager environment on IBM WebSphere.

By performing the following steps, you will create a configuration as described in Table 4-3, "Overview of Clustered Configuration".

The additional node machines required are:

  • WebSphere Node3

  • OIM_SERVER_3

  • SOA_SERVER_3

To add the additional Oracle Identity Manager server and SOA server, perform the following steps on the additional node machine:

  1. Install IBM WebSphere Application Server Network Deployment 7.0 with fix pack 27 or later by referring to IBM documentation.

  2. Install Oracle SOA Suite 11.1.1.7.0. For more information, refer to the "Installing Oracle SOA Suite (Oracle Identity Manager Users Only)" section of the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management. For Oracle Identity Manager, download OIM_11.1.2.2_SOAPS6_PREREQS.zip.

  3. Install Oracle Identity Manager 11g Release 2 (11.1.2.2.0). For more information about installing Oracle Identity Manager, refer to the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

    To start the installer, run the following commands:

    cd iamsuite/Disk1
    ./runInstaller -jreLoc LOCATION_OF_IBM_JRE -DSHOW_APPSERVER_TYPE_SCREEN=true
    
  4. Start the Oracle Fusion Middleware Configuration Wizard to federate the machine and configure its cell. By default, the Configuration Wizard is located at:

    MW_HOME/Oracle_IDM1/common/bin/was_config.sh

    For more information, refer to the Oracle Fusion Middleware Configuration Guide for IBM WebSphere Application Server.

    Table 4-8 provides information about specific Configuration Wizard screens and appropriate information to enter on those screens. The table does not cover self-explanatory, standard screens.

    Table 4-8 Information for Specific Configuration Wizard Screens

    Screen Name Input Description

    Select Configuration Option

    Select the Federate Machine and Configure Cell option.

    Specify Profile and Node Name Information

    Enter information about the profile and node names you want to create for Additional Node machine.

    Specify Deployment Manager Information

    Enter information about the existing Deployment Manager system.

    Select Optional Configuration

    Be sure to select the Application Servers, Clusters and End Points option. This is a required option.

    Configure Additional Cluster Members

    Perform the following steps:

    1. Click Add.

    2. In the Name field, enter a name for the third server in the SOA cluster. For example: SOA_SERVER_3.

    3. In the Node Name list, select the Node Agent for SOA_SERVER_3. For example: WebSphere_Node3.

    4. In the Cluster Name list, select the SOA cluster.

    5. Click Add.

    6. In the Name field, enter a name for the third server in the OIM cluster. For example: OIM_SERVER_3.

    7. In the Node Name list, select the Node Agent for OIM_SERVER_3. For example: WebSphere Node3.

    8. In the Cluster Name list, select the OIMCluster.


  5. Run the copy_jars.sh script. For example:

    cd $OIM_HOME/server/wasconfig
    ./copy_jars.sh
    

    Note:

    Before you execute the copy_jars.sh script, ensure the WAS_HOME, COMMON_COMPONENTS_HOME, and OIM_ORACLE_HOME variables are set. COMMON_COMPONENTS_HOME represents the location of the Oracle Fusion Middleware common directory, such as MW_HOME/oracle_common. OIM_ORACLE_HOME represents the location where the Oracle Identity Manager Server is installed, such as MW_HOME/Oracle_IDM1.

  6. Add the following properties by logging in to the IBM WebSphere Administrative Console and clicking System Administration, Node Agents, NAME_OF_NODE_AGENT_ON_ADDITIONAL_NODE_MACHINE, Java and Process Management, Process Definition, Java Virtual Machine, Custom Properties.

    Note:

    When you create the properties:
    • An example location for the PATH_TO_jps-config.xml_IN_THE_fmwconfig_DIRECTORY is: WAS_HOME/profiles/Custom01/config/cells/HOST_NAME_Cell01/fmwconfig/jps-config.xml

    • An example location for the PATH_TO_THE_fmwconfig_DIRECTORY is: WAS_HOME/profiles/Custom01/config/cells/HOST_NAME_Cell01/fmwconfig

    • Name: oracle.security.jps.config

    • Value: PATH_TO_jps-config.xml_IN_THE_fmwconfig_DIRECTORY

    • Description (optional): Adding the jpsconfig location using OPSS System Property

    • Name: oracle.domain.config.dir

    • Value: PATH_TO_THE_fmwconfig_DIRECTORY

    • Description (optional): Setting the Key Store Domain Config directory

    Click OK and save the changes.

  7. Copy wf_client_config.xml.template from OIM_HOME/server/wasconfig directory to WAS_HOME/lib/ext as wf_client_config.xml. For example: cp $OIM_HOME/server/wasconfig/wf_client_config.xml.template $WAS_HOME/lib/ext/wf_client_config.xml.

    Update the wf_client_config.xml file with SOA Server hostname and its bootstrap port under <serverURL> tag. For example:

    <serverURL>corbaloc:iiop:host1:port1,:host2:port2,:host3:port3</serverURL>
    

    Tip:

    You can identify the SOA bootstrap port by performing the following steps:
    1. Log in to IBM WebSphere Administrative Console.

    2. Select Servers, Server Types, Web Application Servers.

    3. Click the SOA Server name.

    4. In the Communications Group area, click Ports.

      The value of BOOTSTRAP_ADDRESS is the SOA Server bootstrap port.

  8. Stop, synchronize, and start the Node Agents, SOA Server and OIM Server. For example:

    $WAS_HOME/profiles/Custom01/bin/stopNode.sh -username WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
    $WAS_HOME/profiles/Custom01/bin/syncNode.sh DMGR_HOST DMGR_SOAP_PORT -username WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
    $WAS_HOME/profiles/Custom01/bin/startNode.sh
    $WAS_HOME/profiles/Custom01/bin/startServer.sh SOA_SERVER_3
    $WAS_HOME/profiles/Custom01/bin/startServer.sh OIM_SERVER_3
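
Steps 30 and 40 of the clustered procedure and step 7 above all hand-edit the same two kinds of multi-host endpoint string: the corbaloc:iiop list (the <serverURL> in wf_client_config.xml for the SOA servers, and java.naming.provider.url in the Design Console's xlconfig.xml for the OIM servers) and the '|'-separated host and port lists in sas.client.props. The following Python, added here as an example and not taken from the Oracle documentation or the installer, builds those strings from one list of (host, bootstrap port) pairs, parses them back, and reports when the Design Console's two settings disagree, which is what happens when a node is added to one file but not the other. Host names and ports are constructed sample values, and the function names are my own.

```python
"""Build and cross-check the multi-host client endpoint strings used by the
clustered OIM-on-WebSphere configuration.

Added example, not part of the Oracle documentation or installer. Host names
and ports in __main__ are constructed sample values.
"""

PREFIX = "corbaloc:iiop:"
HOST_KEY = "com.ibm.CORBA.securityServerHost"
PORT_KEY = "com.ibm.CORBA.securityServerPort"


def corbaloc_iiop(endpoints):
    """endpoints: list of (host, bootstrap_port). Returns the form the page shows,
    corbaloc:iiop:host1:port1,:host2:port2 (entries after the first start with ':')."""
    if not endpoints:
        raise ValueError("at least one host:port endpoint is required")
    parts = []
    for host, port in endpoints:
        if not host or any(c in host for c in ":,| "):
            raise ValueError("invalid host name: %r" % (host,))
        if not 1 <= int(port) <= 65535:
            raise ValueError("port out of range for %s: %r" % (host, port))
        parts.append("%s:%d" % (host, int(port)))
    return PREFIX + ",:".join(parts)


def parse_corbaloc_iiop(url):
    """Inverse of corbaloc_iiop; tolerates surrounding whitespace such as a space
    left before </serverURL>."""
    url = url.strip()
    if not url.startswith(PREFIX):
        raise ValueError("not a corbaloc:iiop URL: %r" % url)
    endpoints = []
    for entry in url[len(PREFIX):].split(","):
        host, sep, port = entry.lstrip(":").rpartition(":")
        if not sep or not host or not port.isdigit():
            raise ValueError("malformed endpoint: %r" % entry)
        endpoints.append((host, int(port)))
    return endpoints


def sas_client_props(endpoints):
    """The three sas.client.props lines from step 40, hosts and ports in the same order."""
    return [
        HOST_KEY + "=" + "|".join(h for h, _ in endpoints),
        PORT_KEY + "=" + "|".join(str(p) for _, p in endpoints),
        "com.ibm.CORBA.loginSource=none",
    ]


def parse_sas_client_props(lines):
    """Pair up the '|'-separated host and port lists; fail if their lengths differ."""
    props = {}
    for line in lines:
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    hosts = props[HOST_KEY].split("|") if props.get(HOST_KEY) else []
    ports = props[PORT_KEY].split("|") if props.get(PORT_KEY) else []
    if len(hosts) != len(ports):
        raise ValueError("%s and %s list different numbers of entries" % (HOST_KEY, PORT_KEY))
    return [(h, int(p)) for h, p in zip(hosts, ports)]


def endpoint_mismatches(provider_url, sas_lines):
    """Endpoints present in only one of the two Design Console settings. An empty
    list means xlconfig.xml and sas.client.props name the same OIM servers."""
    in_url = parse_corbaloc_iiop(provider_url)
    in_sas = parse_sas_client_props(sas_lines)
    problems = ["only in java.naming.provider.url: %s:%d" % ep for ep in in_url if ep not in in_sas]
    problems += ["only in sas.client.props: %s:%d" % ep for ep in in_sas if ep not in in_url]
    return problems


if __name__ == "__main__":
    oim = [("oimhost1.example.com", 2809), ("oimhost2.example.com", 2809)]  # constructed
    soa = [("soahost1.example.com", 2809), ("soahost2.example.com", 2809)]  # constructed
    print("<serverURL>%s</serverURL>" % corbaloc_iiop(soa))
    print("java.naming.provider.url=%s" % corbaloc_iiop(oim))
    print("\n".join(sas_client_props(oim)))
    # Simulate forgetting to add the second OIM node to sas.client.props.
    print(endpoint_mismatches(corbaloc_iiop(oim), sas_client_props(oim[:1])))
```

The cross-check matters because the Design Console authenticates through the CSIv2 security server named in sas.client.props and then looks up EJBs through the provider URL; when the two lists drift apart, failover to the newly added node silently stops working for one of the two paths.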
    

4.3.4 Performing Oracle Identity Manager Silent Installation for Single Node Setup

You can perform a silent installation of Oracle Identity Manager when you do not want to monitor the installation: no graphical output is displayed and no user input is required. To perform a silent installation, invoke the Installer with the -silent flag and provide a response file on the command line. The response file is a text file containing variables and parameter values that provide input values to the Installer prompts. See "Create or Edit a Response File for Each Installation and Configuration Tool" in the Oracle Fusion Middleware Installation Planning Guide for Oracle Identity and Access Management for information about creating or editing response files.

Table 4-9 lists the response files required to perform a silent installation of Oracle Identity Manager on WebSphere.

Table 4-9 Response Files for Single-Node Silent Installation

Sample Response File Name Purpose More Information

silent-was-install.txt

To silently install IBM WebSphere

Step 1b

silent-wasUpdater.txt

To silently install the WebSphere Update Installer

Step 1d

silent-was-update.txt

To silently update IBM WebSphere

Step 1e

silent-update-jdkpatch.txt

To silently apply WebSphere JDK patch

Step 1f

SOAInstall.rsp

To silently install Oracle SOA Suite 11g Release 1 (11.1.1.7)

Step 2b

IDMInstall.rsp

To silently install Oracle Identity Manager 11g Release 2 (11.1.2.2.0)

Step 3

passwors-RCU.txt

To silently provide the password for creating RCU tables

Step 4

response_file_psa.txt

To silently upgrade OPSS schema by running the PSA upgrade utility

Step 5

create_dmgr.properties

To silently create the Deployment Manager profile

Step 6a

create_dmgr.ports.properties

To silently configure the ports specific to the Deployment Manager

Step 6a

create_custom_node.properties

To silently create the custom node

Step 6b

iamsuite_was_config_only.rsp

To silently perform Oracle Identity Manager post configuration

Step 15


Silent installation of Oracle Identity Manager requires a set of custom Python scripts that are used to configure the Oracle Identity Manager domain. Table 4-10 lists the configuration scripts.

Table 4-10 Configuration Scripts for Single-Node Silent Installation

Script Name Purpose More Information

config_soa.py

To silently add SOA template to WebSphere Cell

Step 6g

setOracleAdminServerPorts.py

To silently set OracleAdminServer ports

Step 6h

OracleAdminServer.ports.properties

To silently configure the ports of the OracleAdminServer

Step 6h

setSOAServerPorts.py

To silently set SOA server ports

Step 6i

SOA.ports.properties

To silently configure the ports for the SOA server

Step 6i

config_oim.py

To silently configure Oracle Identity Manager

Step 6j

setOIMServerPorts.py

To silently set Oracle Identity Manager server ports

Step 6k

OIM.ports.properties

To silently configure the ports for Oracle Identity Manager server

Step 6k


Note:

The response files and domain configuration scripts are available in a patch. See "Mandatory Patches Required for Installing Oracle Identity Manager" of the Oracle Fusion Middleware Release Notes for information about where and how to download the patch. The response and configuration files are available in the OIM_SILENT_INSTALL_CONFIG/WAS/SINGLENODE/ directory of the patch.

To perform a silent installation of Oracle Identity Manager on IBM WebSphere:

  1. Install IBM WebSphere Application Server. To do so:

    1. Unzip the WebSphere software package by running the following command:

      unzip -o was-nd-linux64.zip -d WAS_INSTALLER_LOCATION
      
    2. Perform a silent installation of IBM WebSphere Application Server by running the following command:

      WAS_INSTALLER_LOCATION/WAS/install -options WAS_RESPONSE_FILES/silent-was-install.txt -silent -is:javaconsole
      

      Here, WAS_RESPONSE_FILES is the directory in which the response files are located, and silent-was-install.txt is the response file.

      Note:

      If the following error message is displayed, you can ignore it and proceed with the installation:

      WARNING: could not write using log service: java.lang.IllegalStateException: proxy has been closed
      STACK_TRACE: 15 java.lang.IllegalStateException: proxy has been closed at
      com.installshield.wizard.service.LocalImplementorProxy.invoke(LocalImplementorProxy.java:41) at
      com.installshield.wizard.service.AbstractService.invokeImpl(AbstractService.java:51)
      
    3. Unzip the WebSphere Update Installer package by running the following command:

      unzip -o was-updater-linux64.zip -d WAS_UPDATE_INSTALLER_LOCATION
      
    4. Install WebSphere Update Installer by running the following command:

      WAS_UPDATE_INSTALLER_LOCATION/UpdateInstaller/install -options WAS_RESPONSE_FILES/silent-wasUpdater.txt -silent
      
    5. Perform WebSphere update by running the following command:

      WAS_UPDATER_INSTALL_LOCATION/update.sh -options WAS_RESPONSE_FILES/silent-was-update.txt -silent
      
    6. Apply the WebSphere JDK patch by running the following command:

      WAS_UPDATER_INSTALL_LOCATION/update.sh -options WAS_RESPONSE_FILES/silent-update-jdkpatch.txt -silent
      

      Note:

      The 7.0.0-WS-WASSDK-LinuxX64-FP0000027.pak file, which is provided as a value for the maintenance.package parameter in the silent-update-jdkpatch.txt response file, is the Fix Pack for IBM WebSphere 7.0. See Section 2.4.1, "IBM Online Resources for Obtaining and Installing the IBM WebSphere Software" for more information.

  2. Install SOA and apply SOA patch. To do so:

    1. Unzip the SOA shiphome package by running the following command:

      unzip -o 'SOA_SHIPHOME/soa*.zip' -d SOA_UNZIP_LOCATION
      
    2. Install SOA by running the following command:

      ./runInstaller -invPtrLoc LOCATION_OF_oraInst.loc -jreLoc WAS_HOME/java -novalidation -ignoreSysPrereqs -nocheckForUpdates -force -silent -response WAS_RESPONSE_FILES/SOAInstall.rsp -waitforcompletion
      

      Tip:

      The -invPtrLoc flag is used to specify the inventory pointer file. See "UNIX Users: Creating the oraInst.loc File" in the Oracle Fusion Middleware Installation Planning Guide for Oracle Identity and Access Management for more information.

    3. Unzip the IDM shiphome by running the following command:

      unzip -o 'IDM_SHIPHOME/iamsuite*.zip' -d IDM_INSTALLER_LOCATION
      
    4. Unzip the SOA bundle patch that is available in the /IAM/iamsuite/Disk1/OIM_11.1.2.2_SOAPS6_PREREQS.zip file, as shown:

      unzip /IAM/iamsuite/Disk1/OIM_11.1.2.2_SOAPS6_PREREQS.zip -d SOA_PATCH_LOCATION
      
    5. Go to the SOA_PATCH_LOCATION/SOA_PATCH/ directory in which the contents of the OIM_11.1.2.2_SOAPS6_PREREQS.zip file have been extracted.

    6. Apply the SOA patch by running the napply command, as shown:

      /Oracle_SOA1/OPatch/opatch napply -oh /Oracle_SOA1/ -jdk WAS_HOME/java -verbose -silent
      
  3. Install Identity and Access Management. To do so, run the following command:

    ./runInstaller -invPtrLoc LOCATION_OF_oraInst.loc -jreLoc WAS_HOME/java -DSHOW_APPSERVER_TYPE_SCREEN=true -longterm -ignoreSysPrereqs -nocheckForUpdates -force -silent -response WAS_RESPONSE_FILES/IDMInstall.rsp -waitforcompletion
    

    Note:

    You can use the iamsuite_was_install_only.rsp response file available in the /iamsuite/Disk1/stage/Response/ directory.
  4. Create the RCU tables by running the following commands:

    /rcu -silent -createRepository -connectString DB_HOST:DB_PORT:DB_SID -dbUser sys -dbRole sysdba -schemaPrefix DEVMZ -component MDS -component OPSS -component OIM -component IAU -component SOAINFRA -component ORASDPM  -f < WAS_RESPONSE_FILES/passwors-RCU.txt
    

    For example:

    /rcu -silent -createRepository -connectString mydbhost.mydomain.com:1234:myhost.mydomain.com -dbUser sys -dbRole sysdba -schemaPrefix DEVMZ -component MDS -component OPSS -component OIM -component IAU -component SOAINFRA -component ORASDPM  -f < WAS_RESPONSE_FILES/passwors-RCU.txt
    

    Here, passwors-RCU.txt is the response file that supplies the passwords as input. The passwords must be listed in the same order as the components on the command line (MDS, OPSS, and so on), and the first entry in the file must be the system administrator password.

  5. Run the PSA upgrade utility to upgrade OPSS schema, as shown:

    /Oracle_IDM1/bin/psa -response WAS_RESPONSE_FILES/response_file_psa.txt
    

    Note:

    Before running the PSA upgrade utility, set the following environment variable:
    JAVA_HOME=WAS_HOME/java
    
  6. Create the Cell and add SOA, OPSS, and Oracle Identity Manager templates to the Cell. To do so:

    1. Create Deployment Manager profile by running the following command:

      WAS_HOME/bin/manageprofiles.sh -response WAS_RESPONSE_FILES/create_dmgr.properties
      

      Note:

      The create_dmgr.ports.properties file is used in the create_dmgr.properties file. This file is available in the same patch mentioned at the beginning of this section.
    2. Create the custom node by running the following command:

      WAS_HOME/bin/manageprofiles.sh -response WAS_RESPONSE_FILES/create_custom_node.properties
      
    3. Start the Deployment Manager by running the following command:

      WAS_HOME/profiles/Dmgr01/bin/startManager.sh -profileName Dmgr01  -user WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
      
    4. Add node to the Deployment Manager by running the following command:

      WAS_HOME/bin/addNode.sh  DMGR_HOST DMGR_SOAP_PORT -user WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD -profileName Custom01 -logfile WAS_LOGS/addNode1.log
      

      Note:

      WAS_LOGS is a temporary directory for storing the WebSphere logs.
    5. Stop the Node Manager by running the following command:

      WAS_HOME/profiles/Custom01/bin/stopNode.sh -user WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD -profileName Custom01
      
    6. Stop the Deployment Manager by running the following command:

      WAS_HOME/profiles/Dmgr01/bin/stopManager.sh -profileName Dmgr01  -user WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
      
    7. Add SOA template to Cell by running the following command:

      OIM_HOME/common/bin/wsadmin.sh -f WAS_RESPONSE_FILES/config_soa.py -profileName Dmgr01 -javaoption "-Doracle.cie.log=WAS_LOGS/config_soa_cie_debug.log -Doracle.cie.log.priority=debug"
      

      Note:

      • Before running the script, export or set the COMMON_COMPONENTS_HOME and SOA_ORACLE_HOME environment variables.

      • If you are performing a silent installation of Identity and Access Management components on Solaris Sparc64 with WebSphere, then the configuration fails with the following error:

        Java HotSpot(TM) 64-Bit Server VM warning: Exception java.lang.OutOfMemoryError occurred dispatching signal SIGTERM to handler-the VM may need to be forcibly terminated
        

        To avoid this issue, add -javaoption "-XX:MaxPermSize=512m" in the wsadmin.sh command, as shown:

        OIM_HOME/common/bin/wsadmin.sh -f config_soa.py -profileName Dmgr01 -javaoption "-Doracle.cie.log=PATH/cielogs/config_soa_cie_debug.log -Doracle.cie.log.priority=debug" -javaoption "-XX:MaxPermSize=512m"
        
    8. Set OracleAdminServer ports by running the following command:

      OIM_HOME/common/bin/wsadmin.sh -f WAS_RESPONSE_FILES/setOracleAdminServerPorts.py -profileName Dmgr01
      

      Note:

      Before running the script, export the OracleAdminServer_PORTSFILE parameter with the OracleAdminServer.ports.properties file path.
    9. Set SOA Server ports by running the following command:

      OIM_HOME/common/bin/wsadmin.sh -f WAS_RESPONSE_FILES/setSOAServerPorts.py -profileName Dmgr01
      

      Note:

      Before running the script, export the SOAServer_PORTSFILE parameter with the SOA.ports.properties file path.
    10. Configure Oracle Identity Manager by running the following command:

      OIM_HOME/common/bin/wsadmin.sh -f WAS_RESPONSE_FILES/config_oim.py -profileName Dmgr01 -javaoption "-Doracle.cie.log=WAS_LOGS/config_oim_cie_debug.log -Doracle.cie.log.priority=debug"
      

      Note:

      Before running the script, export ORACLE_HOME as IAM_HOME. For example:
      ORACLE_HOME=OIM_HOME
      
    11. Set Oracle Identity Manager server ports by running the following command:

      OIM_HOME/common/bin/wsadmin.sh -f WAS_RESPONSE_FILES/setOIMServerPorts.py -profileName Dmgr01 -javaoption "-Xms512m"
      

      Note:

      Before running the script, export OIMServer_PORTSFILE with the OIM.ports.properties file path.
  7. Run the copy_jars script. To do so:

    1. Set the following environment variables:

      • WAS_HOME: WebSphere Application Server directory, for example, /opt/softwares/IBM/WebSphere/AppServer/

      • COMMON_COMPONENTS_HOME: Oracle Middleware common directory, for example, /opt/softwares/IBM/WebSphere/oracle_common/

      • OIM_ORACLE_HOME: OIM Oracle Home directory, for example, /opt/softwares/IBM/WebSphere/Oracle_IDM1/

    2. Run the following command:

      cd $OIM_HOME/server/wasconfig/
      ./copy_jars.sh
      
  8. Start the Deployment Manager, synchronize and start the node, and then stop the node and the Deployment Manager, as follows:

    WAS_HOME/profiles/Dmgr01/bin/startManager.sh -username WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
    WAS_HOME/profiles/Custom01/bin/syncNode.sh DMGR_HOST DMGR_SOAP_PORT -username WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
    WAS_HOME/profiles/Custom01/bin/startNode.sh -username WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
    WAS_HOME/profiles/Custom01/bin/stopNode.sh -username WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
    WAS_HOME/profiles/Dmgr01/bin/stopManager.sh -username WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
    
  9. Configure security store by running the following command:

    $OIM_HOME/common/bin/wsadmin.sh -profileName Dmgr01 -f OIM_HOME/common/tools/configureSecurityStoreWas.py -d $WAS_HOME/profiles/Dmgr01/config/cells/DefaultCell01 -t DB_ORACLE -j  cn=jpsroot -m create --passcode OPSS_SCHEMA_PASSWORD --config IAM
    

    For example:

    OIM_HOME/common/bin/wsadmin.sh -lang jython -profileName Dmgr01 -f OIM_HOME/common/tools/configureSecurityStoreWas.py -d /Dmgr01/config/cells/Cell01/ -t DB_ORACLE -j cn=jpsroot -m create --passcode Welcome1 --config IAM
    
  10. Start Deployment Manager and Node Manager as follows:

    WAS_HOME/profiles/Dmgr01/bin/startManager.sh -username WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
    WAS_HOME/profiles/Custom01/bin/startNode.sh -username WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
    
  11. Seed OPSS by running the seed_opss_permission.sh script as follows:

    OIM_HOME/server/wasconfig/seed_opss_permission.sh
    

    Note:

    Before running the seed_opss_permission.sh script, set the following environment variables:
    setenv DMGR_PROFILE_NAME DMGR_PROFILE_NAME
    setenv DMGR_HOSTNAME WAS_HOST_NAME
    setenv DMGR_SOAP_PORT WAS_SOAP_PORT
    setenv WEBSPHERE_ADMIN WAS_ADMIN_USER
    setenv WEBSPHERE_ADMIN_PASSWORD WAS_ADMIN_PASSWORD
    

    After running the script, reset the WEBSPHERE_ADMIN_PASSWORD environment variable.

  12. Add the JPS configuration properties. To do so, add the oracle.security.jps.config and oracle.domain.config.dir properties by running the following commands:

    WAS_HOME/profiles/Dmgr01/bin/wsadmin.sh -conntype SOAP -host DMGR_HOST -port DMGR_PORT -user WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD -lang jython -f WAS_RESPONSE_FILES/addJvmProperty_na.py DefaultCell01 DefaultNode01 oracle.security.jps.config PATH_TO_jps-config.xml_IN_THE_fmwconfig_DIRECTORY/jps-config.xml
     
    WAS_HOME/profiles/Dmgr01/bin/wsadmin.sh -conntype SOAP -host DMGR_HOST -port DMGR_PORT -user WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD -lang jython -f WAS_RESPONSE_FILES/addJvmProperty_na.py DefaultCell01 DefaultNode01 oracle.domain.config.dir PATH_TO_THE_fmwconfig_DIRECTORY
    

    An example location for the PATH_TO_jps-config.xml_IN_THE_fmwconfig_DIRECTORY is WAS_HOME/profiles/Dmgr01/config/cells/HOST_NAME_Cell01/fmwconfig/jps-config.xml.

    An example location for the PATH_TO_THE_fmwconfig_DIRECTORY is WAS_HOME/profiles/Dmgr01/config/cells/HOST_NAME_Cell01/fmwconfig

  13. Stop the node and the Deployment Manager, start the Deployment Manager again, and then synchronize and start the node, as follows:

    WAS_HOME/profiles/Custom01/bin/stopNode.sh -username WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
    WAS_HOME/profiles/Dmgr01/bin/stopManager.sh -username WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
    WAS_HOME/profiles/Dmgr01/bin/startManager.sh -username WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
    WAS_HOME/profiles/Custom01/bin/syncNode.sh DMGR_HOST DMGR_SOAP_PORT -username WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
    WAS_HOME/profiles/Custom01/bin/startNode.sh -username WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
    
  14. Start the Admin and SOA servers, as follows:

    WAS_HOME/profiles/Custom01/bin/startServer.sh OracleAdminServer -username WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
    WAS_HOME/profiles/Custom01/bin/startServer.sh soa_server1 -username WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
    
  15. Perform Oracle Identity Manager post configuration by running the following command:

    OIM_HOME/bin/config.sh -jreLoc WAS_HOME/java -DSHOW_APPSERVER_TYPE_SCREEN=true -longterm -ignoreSysPrereqs -force -silent -response WAS_RESPONSE_FILES/iamsuite_was_config_only.rsp -waitforcompletion
    

    Tip:

    • You can use the iamsuite_was_config_only.rsp response file that is available in the /iamsuite/Disk1/stage/Response/ directory.

    • The WebSphere Admin URL port is the same as the Management bootstrap port entry in the following file:

      $WAS_HOME/profiles/Dmgr01/logs/AboutThisProfile.txt

  16. Update the wf_client_config.xml file with SOA server hostname and bootstrap port. To do so:

    1. Copy wf_client_config.xml.template from the OIM_HOME/server/wasconfig/ directory to the WAS_HOME/lib/ext/ directory as wf_client_config.xml.

    2. Update the wf_client_config.xml file with the SOA Server hostname and its bootstrap port under the <serverURL> tag. The tag is in the following format:

      <serverURL>corbaloc:iiop:SOA_SERVER_HOSTNAME:SOA_SERVER_BOOTSTRAP_PORT</serverURL>
      

      For example:

      <serverURL>corbaloc:iiop:soahost.mycompany.com:2800</serverURL>
      

      Tip:

      You can identify the SOA bootstrap port by performing the following steps:
      1. Log in to IBM WebSphere Administrative Console.

      2. Select Servers, Server Types, Web Application Servers.

      3. Click the SOA server name.

      4. In the Communications Group area, click Ports. The value of BOOTSTRAP_ADDRESS is the SOA Server bootstrap port.

  17. Stop all servers, as shown:

    WAS_HOME/profiles/Custom01/bin/stopServer.sh soa_server1 -username WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
    WAS_HOME/profiles/Custom01/bin/stopServer.sh OracleAdminServer -username WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
    WAS_HOME/profiles/Custom01/bin/stopNode.sh -username WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
    WAS_HOME/profiles/Dmgr01/bin/stopManager.sh -username WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
    
  18. Start all servers, as shown:

    WAS_HOME/profiles/Dmgr01/bin/startManager.sh -username WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
    WAS_HOME/profiles/Custom01/bin/syncNode.sh DMGR_HOST DMGR_SOAP_PORT -username WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
    WAS_HOME/profiles/Custom01/bin/startNode.sh -username WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
    WAS_HOME/profiles/Custom01/bin/startServer.sh OracleAdminServer -username WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
    WAS_HOME/profiles/Custom01/bin/startServer.sh soa_server1 -username WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
    WAS_HOME/profiles/Custom01/bin/startServer.sh oim_server1 -username WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
    
  19. If the Oracle Identity Manager administrator user is different from the WebSphere administrator user, then perform step 19 in Section 4.3.1, "Configuring Oracle Identity Manager for Single-Node Setup".

  20. Change SOA host and port, as described in Section 4.6.1.4, "SOA Host and Port Changes". For additional postinstallation configuration of Oracle Identity Manager, perform the steps described in Section 4.4, "Performing Postinstallation Configuration on IBM WebSphere".

4.3.5 Performing Oracle Identity Manager Silent Installation for Clustered Configuration

This section describes how to perform a silent installation of Oracle Identity Manager on IBM WebSphere in a clustered configuration. By performing the steps in this section, you will create a configuration as described in Table 4-3, "Overview of Clustered Configuration".

Table 4-11 lists the response files required for silent installation of Oracle Identity Manager on clustered setup of IBM WebSphere.

Table 4-11 Response Files for Clustered Setup

Response File Name                     Purpose                                                             More Information
create_dmgr.properties                 To silently create Deployment Manager profile                       Step 2
create_dmgr.ports.properties           To silently configure the ports specific to the Deployment Manager  Step 2
create_custom_node.properties          To silently create custom node on the Deployment Manager Machine    Step 3
create_custom_node_remote1.properties  To silently create custom node on the WebSphere Node 2 Machine      Step 4
OIMpostconfig.rsp                      To silently perform Oracle Identity Manager post configuration      Step 32


Table 4-12 lists the configuration scripts required for silent installation of Oracle Identity Manager on clustered setup of IBM WebSphere.

Table 4-12 Configuration Scripts for Clustered Setup

Script Name                         Purpose                                                                                       More Information
config_soa_host1.py                 To silently add SOA templates to the WebSphere Cell                                           Step 11a
config_oim_host1.py                 To silently add Oracle Identity Manager templates to the WebSphere Cell                       Step 11a
config_soa_host2.py                 To silently configure the domain for Oracle SOA Suite on the WebSphere Node 2 Machine         Step 11c
config_oim_host2.py                 To silently configure the domain for Oracle Identity Manager on the WebSphere Node 2 Machine  Step 11c
setOracleAdminServerPorts.py        To silently set OracleAdminServer port on the Deployment Manager Machine                      Step 12
OracleAdminServer.ports.properties  To silently configure the ports for OracleAdminServer                                         Step 12
setSOAServerPorts.py                To silently set SOA server port on the Deployment Manager Machine                             Step 13
SOA.ports.properties                To silently configure the ports for the SOA Server                                            Step 13
setOIMServerPorts.py                To silently set Oracle Identity Manager server port on the Deployment Manager Machine         Step 14
OIM.ports.properties                To silently configure the ports for Oracle Identity Manager server                            Step 14
setSOAServer2Ports.py               To silently set SOA server ports on the WebSphere Node 2 Machine                              Step 16
SOA2.ports.properties               To silently configure the ports for SOA_SERVER_2                                              Step 16
setOIMServer2Ports.py               To silently set Oracle Identity Manager ports on the WebSphere Node 2 Machine                 Step 17
OIM2.ports.properties               To silently configure the ports for OIM_SERVER_2                                              Step 17
addJvmProperty.py                   To silently add coherence setting on the Deployment Manager Machine                           Step 28a
addJvmProperty_na.py                To silently add JPS configuration properties                                                  Step 29a and 29b
OIMpostconfig.rsp                   To silently perform Oracle Identity Manager post configuration                                Step 31


Note:

The response files and domain configuration scripts are available in a patch. See "Mandatory Patches Required for Installing Oracle Identity Manager" of the Oracle Fusion Middleware Release Notes for information about where and how to download the patch. The response and configuration files are available in the OIM_SILENT_INSTALL_CONFIG/WAS/CLUSTER/ directory of the patch.

To perform silent installation of Oracle Identity Manager for a clustered configuration on WebSphere:

  1. On both the Deployment Manager Machine and WebSphere Node 2 Machine, install IBM WebSphere Application Server, install SOA and apply SOA patch, and install Identity and Access Management as described in steps 1 through 3 in Section 4.3.4, "Performing Oracle Identity Manager Silent Installation for Single Node Setup".

    On the Deployment Manager Machine, create the RCU tables and upgrade OPSS schema as described in steps 4 and 5 respectively in Section 4.3.4, "Performing Oracle Identity Manager Silent Installation for Single Node Setup".

  2. On the Deployment Manager Machine, create the Deployment Manager profile by running the following command:

    WAS_HOME/bin/manageprofiles.sh -response WAS_RESPONSE_FILES/create_dmgr.properties
    

    Note:

    The create_dmgr.ports.properties file is used in the create_dmgr.properties file. This file is available in the same patch mentioned at the beginning of this section.
  3. On the Deployment Manager Machine, create the custom node by running the following command:

    WAS_HOME/bin/manageprofiles.sh -response WAS_RESPONSE_FILES/create_custom_node.properties
    
  4. Similarly, on the WebSphere Node 2 Machine, create the custom node by running the following command:

    WAS_HOME/bin/manageprofiles.sh -response WAS_RESPONSE_FILES/create_custom_node_remote1.properties
    
  5. On the Deployment Manager Machine, start the Deployment Manager by running the following command:

    WAS_HOME/profiles/Dmgr01/bin/startManager.sh -profileName Dmgr01  -user WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
    
  6. On the Deployment Manager Machine, add node by running the following command:

    WAS_HOME/bin/addNode.sh DMGR_HOST DMGR_PORT -user WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD -profileName Custom01 -logfile WAS_LOGS/addNode1.log
    

    Note:

    • WAS_LOGS is a temporary directory for storing the WebSphere logs.

    • The DMGR_PORT is the SOAP connector port.

  7. Similarly, on the WebSphere Node 2 Machine, add node by running the following command:

    WAS_HOME/bin/addNode.sh  DMGR_HOST DMGR_SOAP_PORT -user WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD -profileName Custom02 -logfile WAS_LOGS/addNode2.log
    
  8. On the Deployment Manager Machine, stop the Node Manager by running the following command:

    WAS_HOME/profiles/Custom01/bin/stopNode.sh -user WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD -profileName Custom01
    
  9. Similarly, on the WebSphere Node 2 Machine, stop the Node Manager by running the following command:

    WAS_HOME/profiles/Custom02/bin/stopNode.sh -user WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD -profileName Custom02
    
  10. Stop the Deployment Manager by running the following command on the Deployment Manager Machine:

    WAS_HOME/profiles/Dmgr01/bin/stopManager.sh -profileName Dmgr01 -user WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
    
  11. Add SOA and Oracle Identity Manager templates to the WebSphere Cell. To do so:

    1. On the Deployment Manager Machine, run the following commands:

      OIM_HOME/common/bin/wsadmin.sh -f WAS_RESPONSE_FILES/config_soa_host1.py -profileName Dmgr01 -javaoption "-Doracle.cie.log=/WAS_LOGS/config_soa_cie_debug.log -Doracle.cie.log.priority=debug"
      
      OIM_HOME/common/bin/wsadmin.sh -f WAS_RESPONSE_FILES/config_oim_host1.py -profileName Dmgr01 -javaoption "-Doracle.cie.log=/WAS_LOGS/config_oim_cie_debug.log -Doracle.cie.log.priority=debug" -javaoption "-Xms512m" -javaoption "-Xmx1024m"
      

      Note:

      • Before running the commands, export or set the WAS_HOME, MW_HOME, SOA_ORACLE_HOME, and COMMON_COMPONENTS_HOME environment variables.

      • The following environment variable must be set for config_oim_host1.py to run:

        ORACLE_HOME=MW_HOME/Oracle_IDM1
        
    2. Start the Deployment Manager by running the following command on the Deployment Manager Machine:

      WAS_HOME/profiles/Dmgr01/bin/startManager.sh -profileName Dmgr01 -user WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
      
    3. On the WebSphere Node 2 Machine, run the following commands:

      OIM_HOME/common/bin/wsadmin.sh -connType SOAP -host DMGR_HOST -port DMGR_PORT -user WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD -f WAS_RESPONSE_FILES/config_soa_host2.py
       
      OIM_HOME/common/bin/wsadmin.sh -connType SOAP -host DMGR_HOST -port DMGR_PORT -user WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD -f WAS_RESPONSE_FILES/config_oim_host2.py
      

      Note:

      Before running config_soa_host2.py and config_oim_host2.py, the COMMON_COMPONENTS_HOME, SOA_ORACLE_HOME, MW_HOME, and WAS_HOME environment variables must be set.
    4. Stop the Deployment Manager by running the following command on the Deployment Manager Machine:

      WAS_HOME/profiles/Dmgr01/bin/stopManager.sh -profileName Dmgr01 -user WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
      
  12. On the Deployment Manager Machine, set OracleAdminServer port by running the following command:

    OIM_HOME/common/bin/wsadmin.sh -f WAS_RESPONSE_FILES/setOracleAdminServerPorts.py -profileName Dmgr01
    

    Note:

    Before running the wsadmin.sh script, set the SOA_ORACLE_HOME, MW_HOME, and WAS_HOME environment variables. In addition, set the OracleAdminServer_PORTSFILE environment variable as follows:
    OracleAdminServer_PORTSFILE=WAS_RESPONSE_FILES/OracleAdminServer.ports.properties
    
  13. On the Deployment Manager Machine, set SOA server port by running the following command:

    OIM_HOME/common/bin/wsadmin.sh -f WAS_RESPONSE_FILES/setSOAServerPorts.py -profileName Dmgr01
    

    Note:

    Before running the wsadmin.sh script, set the SOA_ORACLE_HOME, MW_HOME, and WAS_HOME environment variables. In addition, set the SOAServer_PORTSFILE environment variable as follows:
    SOAServer_PORTSFILE=WAS_RESPONSE_FILES/SOA.ports.properties
    
  14. On the Deployment Manager Machine, set Oracle Identity Manager server port by running the following command:

    OIM_HOME/common/bin/wsadmin.sh -f WAS_RESPONSE_FILES/setOIMServerPorts.py -profileName Dmgr01 -javaoption "-Xms512m"
    

    Note:

    Before running the wsadmin.sh script, set the SOA_ORACLE_HOME, MW_HOME, and WAS_HOME environment variables. In addition, set the OIMServer_PORTSFILE environment variable as follows:
    OIMServer_PORTSFILE=WAS_RESPONSE_FILES/OIM.ports.properties
    
  15. Start the Deployment Manager by running the following command on the Deployment Manager Machine:

    WAS_HOME/profiles/Dmgr01/bin/startManager.sh -profileName Dmgr01 -user WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
    
  16. On the WebSphere Node 2 Machine, set the SOA server ports by running the following command:

    OIM_HOME/common/bin/wsadmin.sh -connType SOAP -host DMGR_HOST -port DMGR_SOAP_PORT -user WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD -f WAS_RESPONSE_FILES/setSOAServer2Ports.py
    

    Note:

    Before running the wsadmin.sh script, set the SOA_ORACLE_HOME, MW_HOME, and WAS_HOME environment variables. In addition, set the SOAServer_PORTSFILE environment variable as follows:
    SOAServer_PORTSFILE=WAS_RESPONSE_FILES/SOA2.ports.properties
    
  17. On the WebSphere Node 2 Machine, set the Oracle Identity Manager server ports by running the following command:

    OIM_HOME/common/bin/wsadmin.sh -connType SOAP -host DMGR_HOST -port DMGR_PORT -user WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD -f WAS_RESPONSE_FILES/setOIMServer2Ports.py
    

    Note:

    Before running the wsadmin.sh script, set the SOA_ORACLE_HOME, MW_HOME, and WAS_HOME environment variables. In addition, set the OIMServer_PORTSFILE environment variable as follows:
    OIMServer_PORTSFILE=WAS_RESPONSE_FILES/OIM2.ports.properties
    
  18. Stop the Deployment Manager by running the following command on the Deployment Manager Machine:

    WAS_HOME/profiles/Dmgr01/bin/stopManager.sh -profileName Dmgr01 -user WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
    
  19. On the Deployment Manager Machine and WebSphere Node 2 Machine, run the copy_jars script. To do so:

    1. Set the following environment variables:

      • WAS_HOME: WebSphere Application Server directory, for example, /opt/softwares/IBM/WebSphere/AppServer/

      • COMMON_COMPONENTS_HOME: Oracle Middleware common directory, for example, /opt/softwares/IBM/WebSphere/oracle_common/

      • OIM_ORACLE_HOME: OIM Oracle Home directory, for example, /opt/softwares/IBM/WebSphere/Oracle_IDM1/

    2. Run the following command:

      cd $OIM_ORACLE_HOME/server/wasconfig/
      ./copy_jars.sh
      
  20. On the Deployment Manager Machine, start the Deployment Manager, and then synchronize and start the WebSphere node, as follows:

    $WAS_HOME/profiles/Dmgr01/bin/startManager.sh -username WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
    $WAS_HOME/profiles/Custom01/bin/syncNode.sh DMGR_HOST DMGR_SOAP_PORT -username WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
    $WAS_HOME/profiles/Custom01/bin/startNode.sh
    

    For specifying the port number for DMGR_SOAP_PORT, refer to the $WAS_HOME/profiles/Dmgr01/logs/AboutThisProfile.txt file that contains information about the ports.

  21. On the WebSphere Node 2 Machine, synchronize and start the WebSphere node as follows:

    $WAS_HOME/profiles/Custom02/bin/syncNode.sh DMGR_HOST DMGR_SOAP_PORT -username WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
    $WAS_HOME/profiles/Custom02/bin/startNode.sh
    
  22. On the Deployment Manager Machine, stop the Node Manager and the Deployment Manager for configuring the DB policy store, as shown:

    $WAS_HOME/profiles/Custom01/bin/stopNode.sh -username WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
    $WAS_HOME/profiles/Dmgr01/bin/stopManager.sh -username WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
    
  23. Stop the Node Manager on WebSphere Node2 machine:

    $WAS_HOME/profiles/Custom02/bin/stopNode.sh -username WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
    
  24. On the Deployment Manager Machine, configure security store by running the following command:

    $OIM_HOME/common/bin/wsadmin.sh -lang jython -profileName Dmgr01 -f OIM_HOME/common/tools/configureSecurityStoreWas.py -d $WAS_HOME/profiles/Dmgr01/config/cells/DefaultCell01 -t DB_ORACLE -j  cn=jpsroot -m create --passcode OPSS_SCHEMA_PASSWORD --config IAM
    

    For example:

    OIM_HOME/common/bin/wsadmin.sh -lang jython -profileName Dmgr01 -f OIM_HOME/common/tools/configureSecurityStoreWas.py -d /Dmgr01/config/cells/Cell01/ -t DB_ORACLE -j cn=jpsroot -m create --passcode OPSS_SCHEMA_PASSWORD --config IAM
    
  25. On the Deployment Manager Machine, start the Deployment Manager and Node Manager. To do so, run the following commands from the IBM WebSphere home:

    $WAS_HOME/profiles/DMGR_PROFILE_NAME/bin/startManager.sh
    $WAS_HOME/profiles/CUSTOM_PROFILE_NAME/bin/startNode.sh
    
  26. On the Deployment Manager Machine, run the seed_opss_permission.sh script as follows:

    cd $OIM_HOME/server/wasconfig/
    sh seed_opss_permission.sh
    

    Note:

    Before running the seed_opss_permission.sh script, set the WAS_HOME, COMMON_COMPONENTS_HOME, OIM_ORACLE_HOME, SOA_ORACLE_HOME, DMGR_PROFILE_NAME, DMGR_HOSTNAME, DMGR_SOAP_PORT, WEBSPHERE_ADMIN, and WEBSPHERE_ADMIN_PASSWORD environment variables.

    After running the script, reset the WEBSPHERE_ADMIN_PASSWORD environment variable.

    Note:

    On running the seed_opss_permission.sh script, you might encounter the following error message:
    Failed to import script libraries modules: COMMON_COMPONENTS_HOME/common/wsadmin/wsmAgent.py; Examine the wsadmin log file to determine the problem.
    

    When you encounter this error, check the system-jazn-data.xml file to ensure that permission has been granted to oim_customreg.jar. If permission is not granted, then you must add the permission manually. To do so:

    i) Open the WAS_HOME/profiles/Dmgr01/config/cells/OIM_CELL_NAME/fmwconfig/system-jazn-data.xml file.

    ii) Search for the following entry. If this entry does not exist in system-jazn-data.xml, then manually add it. Make sure to replace OIM_ORACLE_HOME with the actual path.

    <grant>
      <grantee>
        <codesource>
          <url>file:OIM_ORACLE_HOME/server/loginmodule/was/oim_customreg.jar</url>
        </codesource>
      </grantee>
      <permissions>
        <permission>
          <class>oracle.security.jps.service.credstore.CredentialAccessPermission</class>
          <name>context=SYSTEM,mapName=oim,keyName=*</name>
          <actions>read,write,delete</actions>
        </permission>
        <permission>
          <class>oracle.security.jps.service.credstore.CredentialAccessPermission</class>
          <name>context=SYSTEM,mapName=oracle.wsm.security,keyName=*</name>
          <actions>read,write,delete</actions>
        </permission>
      </permissions>
    </grant>
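An automated form of the check above, added here as an example and not part of the Oracle documentation, the product, or the patch: the script parses system-jazn-data.xml, finds every grant whose codesource URL ends in oim_customreg.jar, and reports which of the two documented CredentialAccessPermission entries (class, name and actions) are absent. The policy file embedded in it is constructed for the example; its OIM_ORACLE_HOME path is the /opt/softwares/IBM/WebSphere/Oracle_IDM1 value used in the copy_jars step, and the real file's element nesting may differ, which is why the checker matches elements by local name anywhere below each grant.

```python
"""Verify that system-jazn-data.xml grants oim_customreg.jar the credential-store
permissions the seed_opss_permission.sh step expects.
Added example for this page; not Oracle's code."""
import sys
import xml.etree.ElementTree as ET

# The two permissions in the documented <grant> block:
# (permission class, permission name, required actions).
REQUIRED_PERMISSIONS = [
    ("oracle.security.jps.service.credstore.CredentialAccessPermission",
     "context=SYSTEM,mapName=oim,keyName=*", "read,write,delete"),
    ("oracle.security.jps.service.credstore.CredentialAccessPermission",
     "context=SYSTEM,mapName=oracle.wsm.security,keyName=*", "read,write,delete"),
]
JAR_SUFFIX = "/server/loginmodule/was/oim_customreg.jar"


def _local(tag):
    """Drop the namespace prefix; system-jazn-data.xml declares a default namespace."""
    return tag.rsplit("}", 1)[-1]


def _child_text(el, name):
    """Text of the first direct child called `name`, or '' if absent."""
    for child in el:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""


def _actions(text):
    """'read, write,delete' -> frozenset({'read', 'write', 'delete'})."""
    return frozenset(a.strip() for a in text.split(",") if a.strip())


def customreg_grants(root):
    """Yield each <grant> whose codesource <url> points at oim_customreg.jar."""
    for grant in root.iter():
        if _local(grant.tag) != "grant":
            continue
        for url in grant.iter():
            if _local(url.tag) == "url" and (url.text or "").strip().endswith(JAR_SUFFIX):
                yield grant
                break


def granted_permissions(jazn_xml):
    """Return {(class, name): set_of_actions} across all oim_customreg.jar grants."""
    granted = {}
    for grant in customreg_grants(ET.fromstring(jazn_xml)):
        for perm in grant.iter():
            if _local(perm.tag) != "permission":
                continue
            key = (_child_text(perm, "class"), _child_text(perm, "name"))
            granted.setdefault(key, set()).update(_actions(_child_text(perm, "actions")))
    return granted


def missing_permissions(jazn_xml):
    """Return the REQUIRED_PERMISSIONS entries whose actions are not all granted;
    an empty list means the file already carries the documented grant."""
    granted = granted_permissions(jazn_xml)
    return [req for req in REQUIRED_PERMISSIONS
            if not _actions(req[2]) <= granted.get((req[0], req[1]), set())]


# Constructed sample policy file (not a real system-jazn-data.xml), using the
# OIM_ORACLE_HOME example path from the copy_jars step.
SAMPLE_JAZN_OK = """<jazn-data xmlns="http://xmlns.oracle.com/oracleas/schema/11/jazn-data-11_1.xsd">
  <policy-store>
    <jazn-policy>
      <grant>
        <grantee>
          <codesource>
            <url>file:/opt/softwares/IBM/WebSphere/Oracle_IDM1/server/loginmodule/was/oim_customreg.jar</url>
          </codesource>
        </grantee>
        <permissions>
          <permission>
            <class>oracle.security.jps.service.credstore.CredentialAccessPermission</class>
            <name>context=SYSTEM,mapName=oim,keyName=*</name>
            <actions>read,write,delete</actions>
          </permission>
          <permission>
            <class>oracle.security.jps.service.credstore.CredentialAccessPermission</class>
            <name>context=SYSTEM,mapName=oracle.wsm.security,keyName=*</name>
            <actions>read,write,delete</actions>
          </permission>
        </permissions>
      </grant>
    </jazn-policy>
  </policy-store>
</jazn-data>
"""
# Same file with the oracle.wsm.security permission absent (the case the note describes).
SAMPLE_JAZN_INCOMPLETE = SAMPLE_JAZN_OK.replace("mapName=oracle.wsm.security", "mapName=unrelated")

if __name__ == "__main__":
    # Usage: python check_customreg_grant.py PATH/TO/system-jazn-data.xml
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_JAZN_INCOMPLETE
    for cls, name, actions in missing_permissions(text):
        print("MISSING: %s %s [%s]" % (cls, name, actions))
```

Run it against WAS_HOME/profiles/Dmgr01/config/cells/OIM_CELL_NAME/fmwconfig/system-jazn-data.xml; an empty result means the grant is already complete and no manual edit is needed. The actions comparison is a subset test, so a grant that carries additional actions still passes.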
    
  27. On the Deployment Manager Machine, stop the Node Manager by running the following command:

    $WAS_HOME/profiles/Custom01/bin/stopNode.sh -username WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
    
  28. Configure coherence for SOA cluster on WebSphere. To do so:

    1. On the Deployment Manager Machine, add the coherence settings by running the following commands:

      WAS_HOME/profiles/Dmgr01/bin/wsadmin.sh -conntype SOAP -host DMGR_HOST -port DMGR_PORT  -user WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD -lang jython -f WAS_RESPONSE_FILES/addJvmProperty.py soa_server1 tangosol.coherence.localhost <server-host 1 or 2>
       
      WAS_HOME/profiles/Dmgr01/bin/wsadmin.sh -conntype SOAP -host DMGR_HOST -port DMGR_PORT  -user WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD -lang jython -f WAS_RESPONSE_FILES/addJvmProperty.py soa_server1 tangosol.coherence.wka1 <host_of_soa_server1>
       
      WAS_HOME/profiles/Dmgr01/bin/wsadmin.sh -conntype SOAP -host DMGR_HOST -port DMGR_PORT  -user WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD -lang jython -f WAS_RESPONSE_FILES/addJvmProperty.py soa_server1 tangosol.coherence.wka2 <host_of_soa_server2>
      
    2. Similarly, add the tangosol.coherence.localhost, tangosol.coherence.wka1, and tangosol.coherence.wka2 properties for SOA_SERVER_2.
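A consistency check for the settings steps 28a and 28b add, written for this page as an added example (not part of the Oracle documentation, the patch, or the addJvmProperty.py script): it reads the JVM custom properties from each SOA server's server.xml and confirms that tangosol.coherence.localhost names the server's own host and that every member carries the same wka1/wka2 pair covering all cluster hosts. The server.xml fragments, the hosts soa1.example.com and soa2.example.com, and the way the failing sample is built are constructed; the <processDefinitions>/<jvmEntries>/<systemProperties> layout is assumed from WebSphere's process.xmi schema, so compare it with the real files under config/cells/CELL_NAME/nodes/NODE_NAME/servers/SERVER_NAME/server.xml before relying on it.

```python
"""Consistency check for the Coherence JVM properties on the SOA cluster members.
Added example for this page; not Oracle's or IBM's code."""
import xml.etree.ElementTree as ET

LOCALHOST_KEY = "tangosol.coherence.localhost"
WKA_KEYS = ("tangosol.coherence.wka1", "tangosol.coherence.wka2")


def _local(tag):
    """Drop the namespace prefix from a WebSphere server.xml element tag."""
    return tag.rsplit("}", 1)[-1]


def jvm_system_properties(server_xml):
    """Return {name: value} for every <systemProperties> entry of the server's JVM."""
    props = {}
    for el in ET.fromstring(server_xml).iter():
        if _local(el.tag) == "systemProperties" and "name" in el.attrib:
            props[el.attrib["name"]] = el.attrib.get("value", "")
    return props


def check_coherence(servers):
    """servers: {server_name: (host, server_xml)} for every SOA cluster member.
    Returns a list of findings; an empty list means the settings are consistent."""
    findings = []
    cluster_hosts = {host for host, _ in servers.values()}
    for name, (host, xml) in servers.items():
        props = jvm_system_properties(xml)
        missing = [k for k in (LOCALHOST_KEY,) + WKA_KEYS if not props.get(k)]
        if missing:
            findings.append("%s: not set: %s" % (name, ", ".join(missing)))
            continue
        # localhost must be the member's own address, not a value copied from another node.
        if props[LOCALHOST_KEY] != host:
            findings.append("%s: localhost is %s, expected the server's own host %s"
                            % (name, props[LOCALHOST_KEY], host))
        # Both members must list the same well-known addresses, one per cluster host.
        wka = {props[k] for k in WKA_KEYS}
        if wka != cluster_hosts:
            findings.append("%s: WKA list %s does not cover the cluster hosts %s"
                            % (name, sorted(wka), sorted(cluster_hosts)))
    return findings


def server_xml_fragment(server_name, props):
    """Constructed minimal server.xml in the layout assumed from WebSphere's
    process.xmi schema: <processDefinitions>/<jvmEntries>/<systemProperties>."""
    entries = "".join(
        '      <systemProperties xmi:id="Property_%d" name="%s" value="%s" required="false"/>\n'
        % (i, k, v) for i, (k, v) in enumerate(props, 1))
    return ('<process:Server xmlns:xmi="http://www.omg.org/XMI" '
            'xmlns:process="http://www.ibm.com/websphere/appserver/schemas/5.0/process.xmi" '
            'xmi:id="Server_1" name="%s">\n'
            '  <processDefinitions xmi:id="JavaProcessDef_1">\n'
            '    <jvmEntries xmi:id="JavaVirtualMachine_1" genericJvmArguments="-Xms512m">\n'
            '%s'
            '    </jvmEntries>\n'
            '  </processDefinitions>\n'
            '</process:Server>\n' % (server_name, entries))


# Constructed two-member cluster; host names are placeholders, not from the page.
HOST1, HOST2 = "soa1.example.com", "soa2.example.com"
GOOD_CLUSTER = {
    "soa_server1": (HOST1, server_xml_fragment("soa_server1", [
        (LOCALHOST_KEY, HOST1), (WKA_KEYS[0], HOST1), (WKA_KEYS[1], HOST2)])),
    "soa_server2": (HOST2, server_xml_fragment("soa_server2", [
        (LOCALHOST_KEY, HOST2), (WKA_KEYS[0], HOST1), (WKA_KEYS[1], HOST2)])),
}
# Copy-and-paste mistake: soa_server2 was given soa_server1's localhost value.
BAD_CLUSTER = dict(GOOD_CLUSTER)
BAD_CLUSTER["soa_server2"] = (HOST2, server_xml_fragment("soa_server2", [
    (LOCALHOST_KEY, HOST1), (WKA_KEYS[0], HOST1), (WKA_KEYS[1], HOST2)]))

if __name__ == "__main__":
    for label, cluster in (("good", GOOD_CLUSTER), ("bad", BAD_CLUSTER)):
        print(label, check_coherence(cluster) or "consistent")
```

To use it on a real cell, read each member's server.xml from the Deployment Manager's configuration repository after a syncNode and pass it together with the host the member actually runs on; the check then catches the two silent failure modes of this step, a member whose localhost points at another node and a WKA list that was not repeated identically on SOA_SERVER_2.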

  29. Add the JPS configuration properties. To do so:

    1. On the Deployment Manager Machine, add the oracle.security.jps.config and oracle.domain.config.dir properties for the first node (DefaultNode01) by running the following commands:

      WAS_HOME/profiles/Dmgr01/bin/wsadmin.sh -conntype SOAP -host DMGR_HOST -port DMGR_PORT  -user WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD -lang jython -f WAS_RESPONSE_FILES/addJvmProperty_na.py DefaultCell01 DefaultNode01 oracle.security.jps.config WAS_HOME/profiles/Dmgr01/config/cells/DefaultCell01/fmwconfig/jps-config.xml
       
      WAS_HOME/profiles/Dmgr01/bin/wsadmin.sh -conntype SOAP -host DMGR_HOST -port DMGR_PORT  -user WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD -lang jython -f WAS_RESPONSE_FILES/addJvmProperty_na.py DefaultCell01 DefaultNode01 oracle.domain.config.dir WAS_HOME/profiles/Dmgr01/config/cells/DefaultCell01/fmwconfig
      
    2. Similarly, run the following commands from the Deployment Manager node for the second node:

      WAS_HOME/profiles/Dmgr01/bin/wsadmin.sh -conntype SOAP -host DMGR_HOST -port DMGR_PORT  -user WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD -lang jython -f WAS_RESPONSE_FILES/addJvmProperty_na.py DefaultCell01 DefaultNode02 oracle.security.jps.config WAS_HOME/profiles/Custom02/config/cells/DefaultCell01/fmwconfig/jps-config.xml
       
      WAS_HOME/profiles/Dmgr01/bin/wsadmin.sh -conntype SOAP -host DMGR_HOST -port DMGR_PORT  -user WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD -lang jython -f WAS_RESPONSE_FILES/addJvmProperty_na.py DefaultCell01 DefaultNode02 oracle.domain.config.dir WAS_HOME/profiles/Custom02/config/cells/DefaultCell01/fmwconfig
      
    3. Stop the Deployment Manager by running the following commands on the Deployment Manager Machine:

      WAS_HOME/profiles/Dmgr01/bin/stopManager.sh -username WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
      
  30. Start all servers. To do so, run the following commands on the Deployment Manager Machine:

    WAS_HOME/profiles/Dmgr01/bin/startManager.sh -username WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
    WAS_HOME/profiles/Custom01/bin/syncNode.sh DMGR_HOST DMGR_SOAP_PORT -username WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
    WAS_HOME/profiles/Custom01/bin/startNode.sh -username WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
    WAS_HOME/profiles/Custom01/bin/startServer.sh OracleAdminServer -username WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
    WAS_HOME/profiles/Custom01/bin/startServer.sh soa_server1 -username WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
    
  31. If OHS is used to front-end the Oracle Identity Manager cluster, then add the following entry to the WEB_ORACLE_INSTANCE/config/OHS/component_name/moduleconf/admin_vh.conf file:

    <Location /CertificationCallbackService>
             SetHandler weblogic-handler
             WLCookieName    oimjsessionid
             WebLogicCluster OIMSERVERHOST1:LISTENPORT, OIMHOST2:LISTENPORT
             WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/OHS/oim_component.log"
    </Location>
    
  32. Perform Oracle Identity Manager post configuration by running the following command on the Dmgr node:

    OIM_HOME/bin/config.sh -jreLoc WAS_HOME/java -printtime -printmemory -printdiskusage -DSHOW_APPSERVER_TYPE_SCREEN=true -longterm -ignoreSysPrereqs -force -silent -response WAS_RESPONSE_FILES/OIMpostconfig.rsp -waitforcompletion
    
  33. Update the wf_client_config.xml file with SOA server hostname and bootstrap port. To do so, perform the following steps on both the hosts:

    1. Copy wf_client_config.xml.template from the OIM_HOME/server/wasconfig/ directory to the WAS_HOME/lib/ext/ directory as wf_client_config.xml.

    2. Update the wf_client_config.xml file with the SOA Server hostname and its bootstrap port under the <serverURL> tag. The tag is in the following format:

      <serverURL>corbaloc:iiop:SOA_SERVER1_HOSTNAME:SOA_SERVER1_BOOTSTRAP_PORT,:SOA_SERVER2_HOSTNAME:SOA_SERVER2_BOOTSTRAP_PORT</serverURL>
      

      For example:

      <serverURL>corbaloc:iiop:soahost1.mycompany.com:2800,:soahost2.mycompany.com:2800</serverURL>
      

      Tip:

      You can identify the SOA bootstrap port by performing the following steps:

      1. Log in to IBM WebSphere Administrative Console.

      2. Select Servers, Server Types, Web Application Servers.

      3. Click the SOA Server name.

      4. In the Communications Group area, click Ports.

        The value of BOOTSTRAP_ADDRESS is the SOA Server bootstrap port.
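
      The serverURL value above is the one place in wf_client_config.xml where a typo silently breaks the client's SOA connectivity, so it is worth checking mechanically before restarting the servers. The following is an added example (it is not code from the original page or from Oracle): it parses the corbaloc list into host/port pairs and confirms that every SOA host of the cluster is present. The sample wf_client_config.xml, its element names and its namespace are constructed assumptions for this example; only the <serverURL> format comes from the page.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of a wf_client_config.xml; the surrounding element names and the
# namespace are assumptions made for this example, only the <serverURL> format is
# taken from the documented procedure.
SAMPLE_WF_CLIENT_CONFIG = """<workflowServicesClientConfiguration
    xmlns="http://xmlns.oracle.com/bpel/services/client">
  <server default="true" name="default">
    <remoteClient>
      <serverURL>corbaloc:iiop:soahost1.mycompany.com:2800,:soahost2.mycompany.com:2800</serverURL>
    </remoteClient>
  </server>
</workflowServicesClientConfiguration>
"""

_HOST_RE = re.compile(r"^[A-Za-z0-9.-]+$")


def parse_corbaloc(url):
    """Split a corbaloc URL into [(host, port), ...].

    Accepts the documented form 'corbaloc:iiop:h1:p1,:h2:p2': after the first
    address the protocol may be omitted (a bare ':'), which the corbaloc syntax
    treats as iiop. Anything else raises ValueError, so a typo fails here
    instead of at runtime inside the application server.
    """
    if not url.startswith("corbaloc:"):
        raise ValueError("not a corbaloc URL")
    endpoints = []
    for piece in url[len("corbaloc:"):].split(","):
        piece = piece.strip()
        if piece.startswith("iiop:"):
            piece = piece[len("iiop:"):]
        elif piece.startswith(":"):
            piece = piece[1:]
        else:
            raise ValueError("unsupported protocol in address %r" % piece)
        if "@" in piece:  # optional GIOP version prefix such as 1.2@host:port
            piece = piece.split("@", 1)[1]
        host, sep, port = piece.rpartition(":")
        if not sep or not _HOST_RE.match(host) or not port.isdigit():
            raise ValueError("malformed address %r" % piece)
        if not 1 <= int(port) <= 65535:
            raise ValueError("port out of range in %r" % piece)
        endpoints.append((host, int(port)))
    return endpoints


def is_valid_corbaloc(url):
    """True when parse_corbaloc accepts the URL."""
    try:
        parse_corbaloc(url)
        return True
    except ValueError:
        return False


def soa_endpoints(xml_text):
    """Return the endpoints listed in the single <serverURL> element of the file."""
    root = ET.fromstring(xml_text)
    urls = [el.text.strip() for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == "serverURL" and el.text]
    if len(urls) != 1:
        raise ValueError("expected exactly one serverURL, found %d" % len(urls))
    return parse_corbaloc(urls[0])


def check_cluster_config(xml_text, expected_hosts):
    """Findings for a clustered deployment (empty list means OK):
    every expected SOA host must appear, and no endpoint may be listed twice."""
    endpoints = soa_endpoints(xml_text)
    hosts = [h for h, _ in endpoints]
    findings = ["missing SOA host %s" % h for h in expected_hosts if h not in hosts]
    if len(set(endpoints)) != len(endpoints):
        findings.append("duplicate endpoint in serverURL")
    return findings


if __name__ == "__main__":
    print(soa_endpoints(SAMPLE_WF_CLIENT_CONFIG))
    print(check_cluster_config(SAMPLE_WF_CLIENT_CONFIG,
                               ["soahost1.mycompany.com", "soahost2.mycompany.com"]))
```

      Run it against the real WAS_HOME/lib/ext/wf_client_config.xml on each host after step 33; the expected host list should be the SOA server hosts you configured in step 28, so that a file copied to the second node but left pointing at a single SOA server is caught before the restart in step 36.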

  34. Perform the following steps to enable load balancing of JMS message processing by MDBs:

    1. Log in to IBM WebSphere Administrative Console.

    2. Click Resources, JMS, Activation Specifications, NAME_OF_OIM_ACTIVATION_SPECIFICATION. Then select Always activate MDBs in all servers.

    3. Click OK and Save the configuration.

    Note:

    You must perform this step individually for each of the following Oracle Identity Manager Activation Specifications:

    • oimAttestationQueueMDBActivationSpec

    • oimAuditQueueMDBActivationSpec

    • oimDefaultQueueMDBActivationSpec

    • oimKernelQueueMDBActivationSpec

    • oimProcessQueueMDBActivationSpec

    • oimReconQueueMDBActivationSpec

    • oimSODQueueMDBActivationSpec

  35. On the Deployment Manager Machine, stop all servers, as follows:

    WAS_HOME/profiles/Custom01/bin/stopServer.sh soa_server1 -username WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
    WAS_HOME/profiles/Custom01/bin/stopServer.sh OracleAdminServer -username WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
    WAS_HOME/profiles/Custom01/bin/stopNode.sh -username WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
    WAS_HOME/profiles/Dmgr01/bin/stopManager.sh -username WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
    
  36. On the Deployment Manager Machine, start all servers, as follows:

    WAS_HOME/profiles/Dmgr01/bin/startManager.sh -username WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
    WAS_HOME/profiles/Custom01/bin/syncNode.sh DMGR_HOST DMGR_SOAP_PORT -username WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
    WAS_HOME/profiles/Custom01/bin/startNode.sh -username WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
    WAS_HOME/profiles/Custom01/bin/startServer.sh OracleAdminServer -username WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
    WAS_HOME/profiles/Custom01/bin/startServer.sh soa_server1 -username WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
    WAS_HOME/profiles/Custom01/bin/startServer.sh oim_server1 -username WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
    
  37. On the WebSphere Node 2 Machine, start all servers, as follows:

    WAS_HOME/profiles/Custom02/bin/syncNode.sh DMGR_HOST DMGR_SOAP_PORT -username WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
    WAS_HOME/profiles/Custom02/bin/startNode.sh -username WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
    WAS_HOME/profiles/Custom02/bin/startServer.sh soa_server2 -username WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
    WAS_HOME/profiles/Custom02/bin/startServer.sh oim_server2 -username WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
    
  38. If the Oracle Identity Manager administrator user differs from the WebSphere administrator user, then perform step 37 in Section 4.3.2, "Installing Oracle Identity Manager for a Clustered Configuration".

  39. Change SOA host and port, as described in Section 4.6.1.4, "SOA Host and Port Changes". For additional postinstallation configuration of Oracle Identity Manager, perform the steps described in Section 4.4, "Performing Postinstallation Configuration on IBM WebSphere".

4.4 Performing Postinstallation Configuration on IBM WebSphere

This section describes the following postinstallation configuration tasks on IBM WebSphere:

4.4.1 Configuring Transaction Timeout Properties

To change the transaction timeout properties to 10 minutes:

  1. Log in to IBM WebSphere Administrative Console.

  2. Navigate to the Transaction service panel by selecting Servers, Server Types, WebSphere application servers, oim_server_name, Container Services, Transaction Service.

  3. Change the value of Total transaction lifetime timeout to 600.

    The default value is 120.

  4. Change the value of Maximum transaction timeout to 600 seconds.

    The default value is 300.

  5. Stop and restart WebSphere Application Server. In a clustered deployment, this must be done on all Oracle Identity Manager servers.

4.4.2 Updating SOA Server Default Composite (Cluster Only)

In an integrated environment, Oracle Identity Manager is front-ended by HTTP Server. Therefore, all SOA server default composites must be updated.

To update the SOA server default composite:

  1. Log in to Oracle Enterprise Manager Fusion Middleware Control Console.

  2. Navigate to SOA, soa-infra (SOA server name), default.

    The following default composites are available: DefaultRequestApproval, DefaultOperationalApproval, DefaultRoleApproval, DefaultSODApproval, BeneficiaryManagerApproval, RequesterManagerApproval, CertificationProcess, DisconnectedProvisioning.

  3. For each default composite, perform the following steps:

    1. Click the composite name.

    2. From Component Metrics, click on task with Component Type as Human Workflow.

    3. Select the Administration tab and update the fields as follows:

      Host Name: HTTP Server host

      HTTP Port: If SSL mode, leave blank. If non-SSL mode, enter HTTP Server port.

      HTTPS Port: If SSL mode, enter HTTPS server port. If non-SSL mode, leave blank.

    4. Click Apply.

4.4.3 Accessing the Dynamic Monitoring Service Application (Optional)

To access the Dynamic Monitoring Service (DMS) application on IBM WebSphere:

  1. Log in to IBM WebSphere Administrative Console as the administrator.

  2. On the left pane, go to Applications, Application Types, WebSphere enterprise applications.

  3. On the right pane, click Dmgr DMS Application_11.1.1.1.0.

  4. Click Security role to user/group mapping.

  5. Select the Admin role, and click Map Users.

  6. Type wasadmin in the search string, and click Search.

  7. Select wasadmin in the Available box, and click the right arrow.

  8. Click OK to go back. Click OK again.

  9. Click Save directly to the master configuration.

  10. Start Dmgr DMS Application_11.1.1.1.0.

  11. Repeat steps 3 to 10 for DMS Application_11.1.1.1.0.

  12. Stop all servers and the Deployment Manager. Start the Deployment Manager, synchronize the nodes, start nodes, and start all servers.

You can access the DMS application from the following URL:

http://OIM_HOST:OIM_PORT/dms/Spy

4.4.4 Seeding LDAP Reconciliation Scheduled Jobs into the Database Schema

While configuring postinstallation LDAP synchronization for Oracle Identity Manager, load the LDAP reconciliation scheduled jobs into the Quartz table of the Oracle Identity Manager database schema by performing the following steps:

See Also:

"Enabling LDAP Synchronization in Oracle Identity Manager" in the Oracle Fusion Middleware Integration Guide for Oracle Identity Management Suite for information about postinstallation configuration of LDAP synchronization for Oracle Identity Manager

  1. As a prerequisite, set the OIM_ORACLE_HOME environment variable. For example:

    For UNIX, run the following command:

    setenv OIM_ORACLE_HOME /u01/mwhome/Oracle_IDM
    
  2. Seeding the LDAP reconciliation scheduled jobs can be performed in any one of the following ways:

    Seeding LDAP reconciliation scheduled jobs with parameters:

    1. Go to the $OIM_ORACLE_HOME/server/setup/deploy-files directory.

    2. Set ant home. The following is a sample command to set ant home in UNIX:

      setenv ANT_HOME /u01/mwhome/modules/org.apache.ant_1.7.1
      

      Note:

      If ANT is not installed, then download ANT from the Oracle Technology Network (OTN) web site by navigating to the following URL:

      http://www.oracle.com/technetwork/index.html

      Install ANT and set ANT_HOME. Make sure that the ant executable file exists at $ANT_HOME/bin/ant.

    3. Run the following ant command with parameters:

      $ANT_HOME/bin/ant -f setup.xml seed-ldap-recon-jobs -DoperationsDB.driver=oracle.jdbc.OracleDriver -DoperationsDB.user=SCHEMA_OWNER -DOIM.DBPassword=SCHEMA_OWNER_PASSWORD -DoperationsDB.host=SCHEMA_HOST_ADDRESS -DoperationsDB.port=SCHEMA_PORT_NUMBER -DoperationsDB.serviceName=SCHEMA_SERVICE_NAME -Dssi.provisioning=ON -Djta.location=WAS_INSTALLATION_DIR/plugins/javax.j2ee.jta.jar -Dojdbc.location=OJDBC_LOCATION -Dwork.dir=seed_logs
      

      For example:

      $ANT_HOME/bin/ant -f setup.xml seed-ldap-recon-jobs -DoperationsDB.driver=oracle.jdbc.OracleDriver -DoperationsDB.user=schemaowner1_OIM -DOIM.DBPassword=SCHEMA_OWNER_PASSWORD -DoperationsDB.host=myhost.mycompany.com -DoperationsDB.port=1234 -DoperationsDB.serviceName=oimdb.regress.rdbms.mycompany.com -Dssi.provisioning=ON -Djta.location=WAS_INSTALLATION_DIR/plugins/javax.j2ee.jta.jar -Dojdbc.location=MW_HOME/oracle_common/inventory/Scripts/ext/jlib/ojdbc6.jar -Dwork.dir=seed_logs
      

    Seeding LDAP reconciliation scheduled jobs with the profile file:

    1. Set the following environment variables:

      • OIM_ORACLE_HOME to the OIM_HOME directory.

      • ANT_HOME to the directory in which ANT is installed.

        Note:

        If ANT is not installed, then download ANT from the Oracle Technology Network (OTN) web site by navigating to the following URL:

        http://www.oracle.com/technetwork/index.html

        Install ANT and set ANT_HOME. Make sure that the ant executable file exists at $ANT_HOME/bin/ant.

    2. Go to the $OIM_ORACLE_HOME/server/bin/ directory.

    3. Create a property file with the properties listed in Table 4-13.

      Note:

      You can also use the appserver.profile file instead of creating a new property file. Make sure that you manually enter all the parameters listed in Table 4-13 with the values.

      Table 4-13 Parameters of the Property File

      Parameter Description

      operationsDB.user

      Oracle Identity Manager database schema owner.

      operationsDB.driver

      Constant value of oracle.jdbc.OracleDriver.

      operationsDB.host

      Oracle Identity Manager database schema host address.

      OIM.DBPassword

      Oracle Identity Manager database schema owner's password.

      operationsDB.serviceName

      Oracle Identity Manager database schema service name, for example, oimdb.regress.rdbms.mycompany.com.

      operationsDB.port

      Oracle Identity Manager database schema port number.

      ssi.provisioning

      Value must be ON.

      jta.location

      Value is WAS_INSTALLATION_DIRECTORY/plugins/javax.j2ee.jta.jar.

      ojdbc.location

      Directory on which JDBC is installed, for example, MW_HOME/oracle_common/inventory/Scripts/ext/jlib/ojdbc6.jar.

      work.dir

      Any preferred directory in which the log files are created.

      After the target completes successfully, you can check the log in the $WORK_DIR/seed_logs/ldap/SeedSchedulerData.log file.

    4. Go to the $OIM_ORACLE_HOME/server/setup/deploy-files/ directory.

    5. Run the following command:

      $ANT_HOME/bin/ant -f setup.xml seed-ldap-recon-jobs -propertyfile $OIM_ORACLE_HOME/server/bin/PROPERTY_FILE_NAME 
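
Both ways of seeding the jobs feed the same ten parameters from Table 4-13 to the ant target, and a property file with a missing key or a wrong constant only fails deep inside the target. The following is an added example, not code from the original page or from Oracle: it reads a property file of the kind step 3 describes, validates it against Table 4-13, and builds the equivalent "with parameters" command line with the password masked for logging. The sample property values are constructed placeholders, and the property-file syntax handled is the plain key=value form (no line continuations or escapes).

```python
import re

# Required keys from Table 4-13. A non-None value is the constant the table prescribes.
SEED_PROPERTIES = {
    "operationsDB.user": None,
    "operationsDB.driver": "oracle.jdbc.OracleDriver",
    "operationsDB.host": None,
    "OIM.DBPassword": None,
    "operationsDB.serviceName": None,
    "operationsDB.port": None,
    "ssi.provisioning": "ON",
    "jta.location": None,
    "ojdbc.location": None,
    "work.dir": None,
}
SECRET_KEYS = {"OIM.DBPassword"}

# Constructed sample property file; hosts, paths and the password are placeholders.
SAMPLE_SEED_PROPS = """# constructed example, not a real deployment
operationsDB.user=schemaowner1_OIM
operationsDB.driver=oracle.jdbc.OracleDriver
operationsDB.host=myhost.mycompany.com
OIM.DBPassword=changeit-placeholder
operationsDB.serviceName=oimdb.regress.rdbms.mycompany.com
operationsDB.port=1234
ssi.provisioning=ON
jta.location=/opt/IBM/WebSphere/AppServer/plugins/javax.j2ee.jta.jar
ojdbc.location=/u01/mwhome/oracle_common/inventory/Scripts/ext/jlib/ojdbc6.jar
work.dir=seed_logs
"""

_LINE = re.compile(r"^\s*([^#!=:\s][^=:\s]*)\s*[=:]\s*(.*?)\s*$")


def parse_properties(text):
    """Read plain key=value (or key: value) lines into a dict; '#' and '!' start comments."""
    props = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip()[0] in "#!":
            continue
        m = _LINE.match(line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def validate_seed_properties(props):
    """Return a list of problems; an empty list means the file satisfies Table 4-13.
    Messages never echo values, so they are safe to log even for the password key."""
    problems = []
    for key, constant in SEED_PROPERTIES.items():
        value = props.get(key, "")
        if not value:
            problems.append("missing or empty: %s" % key)
        elif constant is not None and value != constant:
            problems.append("%s must be %s" % (key, constant))
    port = props.get("operationsDB.port", "")
    if port and not (port.isdigit() and 1 <= int(port) <= 65535):
        problems.append("operationsDB.port is not a valid TCP port")
    for key in ("jta.location", "ojdbc.location"):
        if props.get(key) and not props[key].endswith(".jar"):
            problems.append("%s must point to a .jar file" % key)
    return problems


def ant_args(props, ant="ant", setup_xml="setup.xml"):
    """argv for the 'with parameters' form: every Table 4-13 key becomes a -D option."""
    args = [ant, "-f", setup_xml, "seed-ldap-recon-jobs"]
    args += ["-D%s=%s" % (k, props[k]) for k in SEED_PROPERTIES if k in props]
    return args


def redacted(args):
    """Copy of argv with secret -D values masked, for logging or review."""
    out = []
    for a in args:
        key = a[2:].split("=", 1)[0] if a.startswith("-D") else None
        out.append("-D%s=********" % key if key in SECRET_KEYS else a)
    return out


if __name__ == "__main__":
    props = parse_properties(SAMPLE_SEED_PROPS)
    print(validate_seed_properties(props))
    print(" ".join(redacted(ant_args(props, ant="$ANT_HOME/bin/ant"))))
```

One design point: the "with parameters" form places OIM.DBPassword in the process argument list, where other local users can read it from a process listing for as long as ant runs. The -propertyfile form keeps it in a file instead, so restrict that file's permissions to the account that runs the seeding and remove it when the jobs are seeded.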
      

4.4.5 Changing Memory Settings for Oracle Identity Manager

For staging and test deployments of Oracle Identity Manager, a maximum heap size of 2 GB is recommended. For the maximum heap size in production deployments, see the Oracle Fusion Middleware Performance and Tuning Guide.

To change the heap setting for Oracle Identity Manager on WebSphere:

  1. Log in to the WebSphere Administrative Console.

  2. Navigate to Servers, Server Types, WebSphere application servers, server_name, Java & Process Management, Process Definition, Java Virtual Machine.

  3. Set the value of Maximum heap size to 2048.

  4. Save the changes, and restart the server.

4.4.6 Performing Postinstallation Configuration of IHS (Optional)

If IHS configuration is used in your deployment, then perform the following steps for postinstallation configuration of IHS:

  1. Configure the virtual host alias for IHS. To do so:

    1. Log in to IBM WebSphere Administrative Console.

    2. Select the default_host virtual host.

    3. Create the virtual host alias for IHS by providing values for IHS host and port.

  2. Configure IHS with WebSphere as follows:

    1. Copy IHS_INSTALL_DIRECTORY/Plugins/bin/configurewebserver1.sh to the WAS_HOME/bin/ directory.

    2. Run the configurewebserver1.sh script from the WAS_HOME/bin/ directory as follows:

      configurewebserver1.sh -user WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD -ihsAdminPassword IHS_ADMIN_PASSWORD
      

      The script generates the port bindings and creates the IHS_INSTALL_DIRECTORY/Plugins/config/WEBSERVER_NAME/plugin-cfg.xml file for use by WebSphere and IHS.

    3. In the IBM WebSphere Administrative Console, go to Servers, Web server. The new webserver1 is displayed in the list.

    4. Select webserver1, and click Propagate to propagate the plug-in to IHS. Verify that the updated plugin-cfg.xml file is propagated to the IHS_INSTALL_DIR/Plugins/config/webserver1/ directory.

  3. Configure IHS port and URL as follows:

    1. Configure SOA composites to point to IHS as described in Section 4.4.2, "Updating SOA Server Default Composite (Cluster Only)".

    2. Configure Oracle Identity Manager frontend ports to point to IHS as described in Section 4.6.1.3, "Oracle Identity Manager Host and Port Changes".

  4. Restart all servers.

  5. Verify the Oracle Identity Manager URL by navigating to:

    http://HOST_NAME:PORT/identity

4.4.7 Running the LDAP Post-Configuration Utility

You must run the LDAP post-configuration utility after you have configured the Oracle Identity Manager Server and exited the Oracle Identity Manager Configuration Wizard. The LDAP configuration post-setup script enables all the LDAP Sync-related incremental reconciliation scheduled jobs, which are disabled by default.

Note:

For general steps to run the LDAP post configuration utility, see "Running the LDAP Post-Configuration Utility" in the Oracle Fusion Middleware Installation Guide for Identity and Access Management.

To run the LDAP post-configuration utility:

  1. Set the following environment variables:

    • OIM_ORACLE_HOME: The environment variable to identify the directory on which Oracle Identity Manager is installed.

    • JAVA_HOME: The location of the IBM Java Runtime directory for the Oracle Identity Manager server.

    • WAS_HOME: The directory on which WebSphere Application Server is installed.

    • APP_SERVER: The allowed values are weblogic or websphere. Here, it must be set to websphere.

    • MW_HOME: The directory path for Middleware home.

    • PROFILE_NAME: The name of the profile, such as Dmgr01.

    • WAS_CELL_HOME: The location of the cell on which Oracle Identity Manager is deployed.

  2. Edit the $WAS_HOME/profiles/Dmgr01/properties/sas.client.props file, as shown:

    com.ibm.CORBA.securityServerHost=myhost.mydomain.com
    com.ibm.CORBA.securityServerPort=OIM_BOOTSTRAP_PORT
    com.ibm.CORBA.loginTimeout=300
    com.ibm.CORBA.loginSource=none
    

    An example value for OIM_BOOTSTRAP_PORT can be 2802.

  3. Edit the $ORACLE_HOME/server/ldap_config_util/ldapconfig.props file to specify the following values:

    • OIMServerType: WAS

    • OIMProviderURL: corbaloc:iiop:myhost.mydomain.com:OIM_BOOTSTRAP_PORT

    • LDAPURL: Specify the URL for the OVD instance in the following format:

      ldap://OVD_SERVER:OVD_PORT

      If OVD server is selected during Oracle Identity Manager installation, then provide the value for LDAPURL. If OVD server is not selected during Oracle Identity Manager installation, then leave LDAPURL as blank.

    • LDAPAdminUsername: Specify the user name for the OVD Administrator.

      If OVD server is selected during Oracle Identity Manager installation, then provide the Admin user name to connect to LDAP/OVD Server. For example:

      LDAPAdminUsername: cn=oimAdminUser,cn=systemids,dc=mycompany,dc=com

      If OVD server is not selected during Oracle Identity Manager installation, then leave LDAPAdminUsername blank.

    • LIBOVD_PATH_PARAM: Specify the configuration directory path of libOVD.

      If OVD server is not selected during Oracle Identity Manager installation, then provide the following value for this parameter:

      LIBOVD_PATH_PARAM: MIDDLEWARE_HOME/user_projects/domains/base_domain/config/fmwconfig/ovd/oim

    • ChangeLogNumber: Leave this parameter as blank.

  4. Run the LDAP configuration post setup script, as shown:

    LDAPConfigPostSetup.sh OIM_HOME/server/ldap_config_util
    

    When prompted, enter the Oracle Identity Manager administrator's password and the LDAP administrator password as applicable.

    When you run the LDAP configuration post setup script, some exceptions might be displayed. These exceptions are benign and can be ignored. The LDAP configuration post setup run is successful if the following lines are displayed:

    Successfully Enabled Changelog based Reconciliation schedule jobs.
    Successfully Updated Changelog based Reconciliation schedule jobs with last change number : dc=cn,dc=oracle,dc=com:00000141ff3ed284000100000099;
    

4.4.8 Deploying Oracle Identity Manager with OPAM and OAM in a Single WebSphere Cell

When you deploy Oracle Identity Manager in the same WebSphere cell with Oracle Privileged Account Manager (OPAM) and Oracle Access Manager (OAM), and Oracle Identity Manager post config is done after configuring a registry (Opss.configureIdentityStore), the LDAP registry configuration in the WebSphere cell is overridden by the custom registry when Oracle Identity Manager configuration wizard is run.

The solution to this issue is to rollback the WebSphere cell security to point to Standalone LDAP registry. To perform this manually:

  1. Log in to the Oracle Identity Manager or OPAM WebSphere Administration console.

  2. Navigate to Security, Global Security.

  3. In the User account repository section, from the Available realm definitions list, select Standalone LDAP registry.

    Note:

    It is assumed that the LDAP registry is already configured as part of OPAM configuration. Therefore, this step selects the existing LDAP registry.

  4. Click Apply and save the changes.

  5. Restart the complete WebSphere cell by following standard WebSphere stop/sync/start sequence.

4.4.9 Enabling the Allow Serial Access Property in Session Management Configuration

In an Oracle Identity Manager deployment on IBM WebSphere Application Server, continued use of the Identity Self Service or Identity System Administration applications might cause two or more JVM threads in the application server to become deadlocked. This can result in one or both of the following issues:

  • Application performance might degrade because of the diminishing number of available JVM threads.

  • Shutting down the application server hosting the applications by using the WebSphere Administrative Console or WebSphere administration commands might not be possible, because the server continues to wait for the processing of the JVM threads to complete. As a result, the server can be shut down only by killing the operating system processes corresponding to the threads.

To avoid these issues, enable the Allow Serial Access property in the Session Management configuration for Identity Self Service and Identity System Administration applications in the WebSphere instance. To do so:

  1. Navigate to the Session Management configuration for the application, as shown:

    1. Log in to the WebSphere Administrative Console.

    2. Click Applications, Application Types, WebSphere enterprise applications, APPLICATION_NAME.

      Here, APPLICATION_NAME is the Identity Self Service or Identity System Administration application for which you want to enable the Allow Serial Access property. The application files for Identity Self Service and Identity System Administration are oracle.iam.console.identity.self-service.ear and oracle.iam.console.identity.sysadmin.ear respectively.

    3. Under Web Module Properties, click Session management.

  2. Enable the Allow Serial Access property in each Session Management configuration. To do so:

    1. Under Serialize Session access, click Allow serial access.

    2. In the Maximum wait time box, enter the value as 120 seconds or 120000 milliseconds. This is the maximum time for which a servlet waits on a session before continuing or aborting execution.

    3. Verify that the Allow access on timeout option is not selected. This is to ensure that the servlet execution aborts when the session request times out.

      If this option is selected, then the servlet gains access to the session and continues normal execution even if the session is locked by another servlet.

    4. Click Apply.

    5. Click Save.

    Note:

    For a clustered deployment of Oracle Identity Manager, enable the Allow Serial Access property on all nodes in the cluster.

4.4.10 Deploying Oracle Identity Manager Custom UI Libraries on IBM WebSphere

For the purpose of customizing the Oracle Identity Manager interface, you can use the custom library to add new taskflows built by using the default libraries. On Oracle Identity Manager deployment on WebSphere, the default library is oracle.iam.ui.custom_11.1.2_11.1.2.

To deploy this library on WebSphere:

  1. Create the JAR files for model/view controller projects as described in the following sections in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager:

  2. Copy the customization project JAR files to the IDM_HOME/server/apps/was/lib/oracle.iam.ui.custom/ directory in the WebSphere Server.

  3. Log in to IBM WebSphere Administrative Console, and navigate to Environment, Shared Libraries.

  4. Open the oracle.iam.ui.custom_11.1.2_11.1.2 shared library.

  5. In the Classpath textbox, add the name of the custom JAR files copied in step 2 along with the path. For example:

    ${oracle.oim.suite_11.1.2.2.0_Oracle_IDM1_ORACLE_HOME}/server/apps/was/lib/oracle.iam.ui.custom/adflibUserCustomUI.jar

    Note:

    If there is more than one JAR file, then add them one per line.

  6. Save the changes, and then restart Oracle Identity Manager server.

4.4.11 Changing ServerIOTimeout for Oracle Identity Manager

In a clustered deployment of Oracle Identity Manager, change the default value of ServerIOTimeout to 300 seconds for Oracle Identity Manager server in the plugin-cfg.xml file. To do so:

  1. In a text editor, open the plugin-cfg.xml file.

  2. For the Oracle Identity Manager server, change the value of the ServerIOTimeout property from 60 seconds to 300 seconds. The following is a sample snippet for a clustered deployment of Oracle Identity Manager:

    <Server CloneID="CLONE_ID" ConnectTimeout="5" ExtendedHandshake="false"
    LoadBalanceWeight="2" MaxConnections="-1" Name="HOST_OIM_SERVER1"
    ServerIOTimeout="300" WaitForContinue="false">
     
    <Server CloneID="CLONE_ID" ConnectTimeout="5" ExtendedHandshake="false"
    LoadBalanceWeight="2" MaxConnections="-1" Name="HOST_OIM_SERVER2"
    ServerIOTimeout="300" WaitForContinue="false">
    
  3. Save the plugin-cfg.xml file.
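
Because plugin-cfg.xml is generated by the plug-in configuration tooling and is rewritten whenever the plug-in configuration is regenerated and propagated (see Section 4.4.6), a manual edit of ServerIOTimeout is easy to lose. The following is an added example, not code from the original page or from IBM or Oracle: it audits which <Server> elements matching the Oracle Identity Manager server names still carry a timeout below 300 seconds and rewrites only those, leaving SOA and other servers untouched. The plugin-cfg.xml excerpt is constructed for this example; its server names, hosts and ports are placeholders.

```python
import re
import xml.etree.ElementTree as ET

# Constructed plugin-cfg.xml excerpt. The element layout (Config > ServerCluster >
# Server > Transport) follows the snippet above; names, hosts and ports are placeholders.
SAMPLE_PLUGIN_CFG = """<Config ASDisableNagle="false" IgnoreDNSFailures="false" RefreshInterval="60">
  <ServerCluster CloneSeparatorChange="false" LoadBalance="Round Robin" Name="oimCluster" RetryInterval="60">
    <Server CloneID="CLONE_ID_1" ConnectTimeout="5" ExtendedHandshake="false"
            LoadBalanceWeight="2" MaxConnections="-1" Name="HOST_OIM_SERVER1"
            ServerIOTimeout="60" WaitForContinue="false">
      <Transport Hostname="oimhost1.example" Port="14000" Protocol="http"/>
    </Server>
    <Server CloneID="CLONE_ID_2" ConnectTimeout="5" ExtendedHandshake="false"
            LoadBalanceWeight="2" MaxConnections="-1" Name="HOST_OIM_SERVER2"
            ServerIOTimeout="60" WaitForContinue="false">
      <Transport Hostname="oimhost2.example" Port="14000" Protocol="http"/>
    </Server>
  </ServerCluster>
  <ServerCluster CloneSeparatorChange="false" LoadBalance="Round Robin" Name="soaCluster" RetryInterval="60">
    <Server CloneID="CLONE_ID_3" ConnectTimeout="5" ExtendedHandshake="false"
            LoadBalanceWeight="2" MaxConnections="-1" Name="HOST_SOA_SERVER1"
            ServerIOTimeout="60" WaitForContinue="false">
      <Transport Hostname="soahost1.example" Port="8001" Protocol="http"/>
    </Server>
  </ServerCluster>
</Config>
"""


def server_io_timeouts(xml_text):
    """Map every <Server Name=...> to its ServerIOTimeout attribute (None if unset)."""
    root = ET.fromstring(xml_text)
    return {s.get("Name"): s.get("ServerIOTimeout") for s in root.iter("Server")}


def servers_below(xml_text, name_pattern, minimum=300):
    """Audit: names of servers matching name_pattern whose timeout is unset or below minimum."""
    matcher = re.compile(name_pattern)
    return [name for name, value in server_io_timeouts(xml_text).items()
            if matcher.search(name or "") and (value is None or int(value) < minimum)]


def set_server_io_timeout(xml_text, name_pattern, timeout=300):
    """Set ServerIOTimeout on every Server whose Name matches name_pattern.

    Returns (new_xml_text, changed_names). Servers that already carry the value
    are neither rewritten nor reported, so the function is safe to run repeatedly,
    for example after every plug-in propagation.
    """
    root = ET.fromstring(xml_text)
    matcher = re.compile(name_pattern)
    changed = []
    for server in root.iter("Server"):
        name = server.get("Name", "")
        if matcher.search(name) and server.get("ServerIOTimeout") != str(timeout):
            server.set("ServerIOTimeout", str(timeout))
            changed.append(name)
    return ET.tostring(root, encoding="unicode"), changed


if __name__ == "__main__":
    print("below 300s before:", servers_below(SAMPLE_PLUGIN_CFG, r"OIM"))
    updated, changed = set_server_io_timeout(SAMPLE_PLUGIN_CFG, r"OIM")
    print("changed:", changed)
    print("below 300s after:", servers_below(updated, r"OIM"))
```

The name pattern is a regular expression matched against the Server Name attribute, so pass whatever naming your cell uses for the Oracle Identity Manager members (the placeholders above contain "OIM"). Write the returned text back to plugin-cfg.xml only when changed_names is non-empty, and keep the audit function in whatever check runs after step 4 of Section 4.4.6, since a propagated plug-in configuration will carry the generated default again.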

4.4.12 Adjusting Email Notification WSUrl (Cluster Only)

In a clustered deployment of Oracle Identity Manager on IBM WebSphere, perform the following steps to adjust email notification WSUrl to point to IHS:

  1. Log in to Oracle Enterprise Manager.

  2. Click Application Deployments.

  3. Right-click OIMAppMetadata(OIM_SERVER_NAME), and select System MBean Browser.

  4. In the System MBean Browser, navigate to Application Defined MBeans, oracle.iam, Server: OIM_SERVER_NAME, Application: oim, IAMAppRuntimeMBean, and select UMSEmailNotificationProviderMBean.

  5. In the Attributes tab, locate WSUrl, and replace the existing host name and port number with the host name and port number of IHS.

4.4.13 Enabling the SoD Check Application

To enable Segregation of Duties (SoD) Check application:

  1. Run the following command:

    sh $MW_HOME/oracle_common/common/bin/was_config.sh
    
  2. Select the Select and Configure Existing Cell option.

  3. Navigate through the pages of the wizard by clicking Next until the Select Optional Configuration page is displayed.

  4. Select JMS.

  5. In the Target JMS resources to Servers/Clusters section, make sure that the following queues are targeted to oimServer for single-node deployment or oimCluster for clustered deployment:

    • oracle.j2ee.ws.server.async.DefaultRequestQueue

    • oracle.j2ee.ws.server.async.DefaultResponseQueue

    • oracle.j2ee.ws.server.async.DefaultResponseQueue

    To do so, select oimServer or oimCluster on the left pane, and select the queues on the right pane. In addition, select OracleAdminServer on the left pane, and deselect the queues on the right pane.

  6. Ensure that the following activation specs are targeted to oimServer or oimCluster:

    • JrfAsyncErrAS

    • JrfAsyncReqAS

    • JrfAsyncRespAS

    To do so, select oimServer or oimCluster on the left pane, and select the activation specs on the right pane.

  7. Navigate through the steps of the wizard by clicking Next. In the last page, click Finish to complete the wizard.

  8. Stop and restart servers in the following sequence:

    1. Stop Oracle Identity Manager and SOA servers. For clustered deployment, stop the servers on both the nodes.

    2. Stop the OracleAdminServer.

    3. Sync the nodes.

    4. Stop/start the Manager.

    5. Start the Node.

    6. Start the servers.

    7. Verify that the servers are running.

4.4.14 Configuring WebSphere to Allow Reuse of Query Result Sets

WebSphere Application Server closes shared database connections between application-generated requests. To allow reuse of result sets, set the non-transactional datasource and DisableMultiThreadedServletConnectionMgmt properties in WebSphere. To do so:

  1. Log in to IBM WebSphere Administrative Console.

  2. Navigate to Resources, JDBC, Data Sources. Click ApplicationDB datasource. Click WebSphere Application Server data source properties, and set non-transactional data-source to enabled by selecting the checkbox.

  3. Save the configuration.

  4. Navigate to Servers, Server Types, WebSphere application servers, oim_Server1, Web Container Settings, Web Container, Custom Properties, and create a new property DisableMultiThreadedServletConnectionMgmt with the value set to true.

  5. Repeat step 4 for all Oracle Identity Manager servers.

  6. Save the configuration.

  7. Restart all WebSphere Application Servers, including Oracle Identity Manager, SOA Server, Oracle Admin Servers, Node Agents, and Deployment Manager.

4.5 Upgrading Oracle Identity Manager on IBM WebSphere

This section describes how to upgrade Oracle Identity Manager on IBM WebSphere. It contains the following topics:

4.5.1 Upgrading Oracle Identity Manager 11g Release 2 (11.1.2.1.0) to 11g Release 2 (11.1.2.2.0)

This section describes the steps required to upgrade and configure Oracle Identity Manager 11g Release 2 (11.1.2.1.0) to Oracle Identity Manager 11g Release 2 (11.1.2.2.0) on IBM WebSphere. It contains the following sections:

4.5.1.1 Prerequisites for the Upgrade

Before upgrading Oracle Identity Manager 11g Release 2 (11.1.2.1.0) to 11g Release 2 (11.1.2.2.0) on IBM WebSphere, make sure that:

  • A WAS_HOME where IBM WebSphere Application Server 7.0.0 with fixpack 27 or later has been installed.

  • A Middleware home location exists with SOA installed on it.

  • Oracle Database 11g with Oracle Identity Manager dependent schemas, such as MDS, SOAINFRA, OPSS, and ORASDPM, are created.

Perform the following prerequisite steps:

  1. Run the PreUpgradeReport Utility.

    You must run the PreUpgradeReport utility to analyze your Oracle Identity Manager environment before you begin the upgrade process. Address all issues listed as part of this report with the solution provided. After fixing the issues, run the report until no pending issues are listed in the report. See "Generating and Analyzing the Pre-Upgrade Report" in the Oracle Fusion Middleware Upgrade Guide for Oracle Identity and Access Management for information about running the PreUpgradeReport utility.

  2. Stop all servers.

    Stop the Oracle Identity Manager Server, SOA Server, Oracle Admin Server, the Node Agent, and the Deployment Manager in the same order.

  3. Upgrade Oracle Identity Manager binaries.

    Update the existing Oracle Identity and Access Management binaries to Release 11.1.2.2.0 by running the Oracle Identity and Access Management 11.1.2.2.0 installer. See "Updating Oracle Identity and Access Management Binaries to 11g Release 2 (11.1.2.2.0)" in the Oracle Fusion Middleware Upgrade Guide for Oracle Identity and Access Management for more information.

    When the installer is run from Disk1, point to the existing Middleware Home for Release 11.1.2.1.0. A prompt is displayed stating that an upgrade is detected. Click OK, and continue the installation.

  4. Upgrade SOA binaries.

    If you are not using Oracle SOA Suite 11.1.1.7.0, then you must upgrade your existing Oracle SOA Suite to 11.1.1.7.0 by completing the tasks described in "Upgrading Oracle SOA Suite Binaries to 11.1.1.7.0" of the Oracle Fusion Middleware Upgrade Guide for Oracle Identity and Access Management.

    When the installer is run from Disk1, point to the existing Middleware Home for Release 11.1.2.1.0. A prompt is displayed stating that an upgrade is detected. Click OK, and continue the installation.

  5. Apply SOA patches.

    The OIM_11.1.2.2_SOAPS6_PREREQS.zip patch file is available in the /iamsuite/Disk1/ directory after iamsuite1.zip is unzipped. Make sure that the directory has write permissions before unzipping the patch, or copy OIM_11.1.2.2_SOAPS6_PREREQS.zip to another directory. Then, apply the patches as follows:

    1. Set the ORACLE_HOME environment variable to point to SOA_HOME.

    2. Unzip OIM_11.1.2.2_SOAPS6_PREREQS.zip. This creates a SOAPATCH directory. This directory contains the ZIP files for patches. Unzip each patch file.

    3. Change the permission to read and write for the SOAPATCH directory by using the chmod command.

    4. Run the following command:

      $ORACLE_HOME/OPatch/opatch napply SOAPATCH -oh $ORACLE_HOME -jdk LOCATION_OF_IBM_JDK
      
  6. Apply Oracle common patch.

    To apply Oracle common patch:

    1. Go to the /SOAPATCH/17418151/ directory.

    2. Set the ORACLE_HOME environment variable to point to the oracle_common directory under MW_HOME.

    3. Run the following command:

      $ORACLE_HOME/OPatch/opatch apply -oh $ORACLE_HOME -jdk JDK_PATH
      
  7. Download patch 18494370 from the following URL:

    https://support.oracle.com

    Apply the relevant patches to Oracle_IDM1 home.

  8. Apply mandatory patches for Oracle Identity Manager.

    Apply the relevant mandatory patches required for Oracle Identity Manager, as described in section "Mandatory Patches Required for Installing Oracle Identity Manager" of the Oracle Fusion Middleware Release Notes.

4.5.1.2 Upgrading Oracle Identity Manager Schema

Perform schema upgrade by running the Patch Set Assistant. See "Upgrading Schemas Using Patch Set Assistant" in the Oracle Fusion Middleware Upgrade Guide for Oracle Identity and Access Management for details. Select Oracle Identity Manager in the Select Component screen.

4.5.1.3 Upgrading OPSS Schema

To upgrade OPSS schema:

  1. Remove the following classes:

    $MW_HOME/oracle_common/common/wsadmin/Opss$py.class
    $MW_HOME/oracle_common/common/script_handlers/Opss_common$py.class
    $MW_HOME/oracle_common/common/script_handlers/Opss_handler$py.class
    
  2. Set the WAS_USER_SCRIPT environment variable to point to WAS_HOME/profiles/DMGR_NAME/bin/setupCmdLine.sh, where DMGR_NAME is the Dmgr Profile name.

  3. Run the following commands:

    $MW_HOME/oracle_common/common/bin/wsadmin.sh -username WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
    
    Opss.upgradeOpss(jpsConfig="PATH_TO_OLD_VERSION_jps-config.xml_FILE",
                jaznData="PATH_TO_NEW_VERSION_OOTB_JAZN_data_FILE",
                auditStore="PATH_TO_DEFAULT_audit-store.xml_FILE",
                jdbcDriver="JDBC_DRIVER",
                url="JDBC_LDAP_URL",
                user="JDBC_LDAP_USER",
                password="JDBC_LDAP_PASSWORD",
                upgradeJseStoreType="true")
    

    For example:

    Opss.upgradeOpss(jpsConfig="WAS_HOME/profiles/CUSTOM_PROFILE_NAME/config/cells/myhostCell03/fmwconfig/jps-config.xml",
                jaznData="MW_HOME/oracle_common/modules/oracle.jps_11.1.1/domain_config/system-jazn-data.xml",
                jdbcDriver="oracle.jdbc.OracleDriver", 
                url="jdbc:oracle:thin:@myhost.mydomain.com:PORT/SERVICE_NAME", 
                user="USER_NAME",
                password="PASSWORD",
                upgradeJseStoreType="true")
    

    Note:

    If the Opss.upgradeOpss command fails, then run the following queries as the system administrator:
    ALTER SYSTEM SET PARALLEL_MAX_SERVERS=0 SCOPE=BOTH SID='*';
    ALTER SYSTEM SET PARALLEL_MIN_SERVERS=0 SCOPE=BOTH SID='*';
    

4.5.1.4 Upgrading JRF/ADF

To upgrade Java Required Files (JRF) and Application Development Framework libraries:

  1. Run the following commands:

    $MW_HOME/oracle_common/common/bin/wsadmin.sh -profileName DEPLOYMENT_MANAGER_PROFILE_NAME -username WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
    ADFAdmin.updateADFLibrary('CELL_NAME','NODE_NAME','ORACLE_ADMIN_SERVER_NAME')
    ADFAdmin.updateADFLibrary('CELL_NAME','NODE_NAME','OIM_SERVER_NAME')
    ADFAdmin.updateADFLibrary('CELL_NAME','NODE_NAME','SOA_SERVER_NAME')
    

    Tip:

    You can obtain the cell and Node Manager values by performing the following steps:

    1. Start the Deployment Manager, Node Manager, and SOA Server.

    2. Login to IBM WebSphere Administrative Console.

    3. Go to Server Types, WebSphere Application Servers, soa_server1.

    4. Click the Runtime tab. The Cell name and Node name fields provide the values for the cell and Node Manager respectively.

    5. Shut down the SOA Server, Node Manager, and Deployment Manager.

  2. Start all servers, as follows:

    $WAS_HOME/profiles/Dmgr01/bin/startManager.sh
    $WAS_HOME/profiles/Custom01/bin/syncNode.sh DMGR_HOST DMGR_SOAP_PORT -username WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
    $WAS_HOME/profiles/Custom01/bin/startNode.sh
    $WAS_HOME/profiles/Custom01/bin/startServer.sh SOA_SERVER
    $WAS_HOME/profiles/Custom01/bin/startServer.sh OracleAdminServer
    

4.5.1.5 Perform Post Patching Tasks for SOA

The post patching tasks for SOA involve the following steps:

  1. Configure activation spec CaseEventMDB/AS. To do so:

    1. Login to the IBM WebSphere Administrative Console.

    2. Go to Resources, JMS, JMS providers.

    3. Select the SOA server from the drop-down list. Then, select Default messaging provider, Activation specifications.

    4. Click New, and enter the following details:

      • Name: CaseEventMDB

      • JNDI name: CaseEventMDB/AS

      • Destination type: Queue

      • Destination JNDI name: jms/bpm/CaseEventQueue

      • Bus name: soajmsBus

      • Acknowledgement mode: Auto-acknowledge

      • Target type: Bus member name

      • Target significance: Preferred

      • Maximum batch size: 1

      • Maximum concurrent MDB invocations per endpoint: 10

      • Subscription durability: NonDurable

      • Durable subscription home: DefaultNode01.soa_server1-SoajmsBus

      • Share durable subscriptions: In Cluster

    5. Click Apply, and then click OK. Save directly to the master configuration.

  2. Configure JMS Queue jms/bpm/CaseEventQueue. To do so:

    1. In the IBM WebSphere Administrative Console, go to Resources, JMS, Queues.

    2. Select SOA server from the drop down.

    3. Click New, and select Default messaging provider. Then, enter the following details:

      • Name: CaseEventQueue

      • JNDI name: jms/bpm/CaseEventQueue

      • Bus name: soaJmsBus

      • Queue name: CaseEventQueue

        Here, select Create service integration bus destination, and perform steps 5 through 7 below. The main properties page is then displayed, where you select the Queue name that was created.

      • Read ahead: Enabled

      • Select Prefer to send messages to a local queue point

      • Select Messages may be sent to different queue points

      • Select Only messages on a single queue point are visible

    4. Click OK. The Create new queue wizard is displayed.

    5. In the Set queue attributes page, enter CaseEventQueue in the Identifier field. Then, click Next.

    6. In the Assign the queue to a bus member page, select the default value, in the format Node=myhostNode03:Server=soa_server1, in the Bus member field. Then, click Next.

    7. In the Confirm queue creation page, click Finish. The new queue, CaseEventQueue, is then available in the Queue name drop-down list of the General Properties page.

    8. Enter other details and click Apply. Then, click OK and save directly to master configuration.

  3. Redeploy soa-infra-was.ear. To do so:

    1. In the IBM WebSphere Administrative Console, select Applications, Application Types, WebSphere enterprise applications.

    2. Select soa-infra, and click Update.

    3. Click Browse, and select soa-infra-was.ear from the SOA_HOME/soa/applications/ directory, which has been updated by the upgrade process. Click Next.

    4. Click Next. If the Directory to install application field is empty, then enter a value similar to the following sample value:

      WAS_HOME/profiles/Dmgr01/config/cells/DefaultCell01
      
    5. Click Next, and make sure that all modules are targeted to the SOA server.

    6. Click Next, and then click Finish. Save directly to the master configuration.

  4. Configure serverURL in soa-infra-configbean from System MBean. To do so:

    1. Login to Oracle Enterprise Manager.

    2. Right-click Cell_WebSphere, and select System MBean Browser.

    3. Expand oracle.as.soainfra.config, Server: soa_server1, SoaInfraConfig. Click soa-infra.

    4. Set the value of Server URL in the following format, and click Apply.

      http://HOST_NAME:PORT
      

      Replace HOST_NAME with soa-infra and PORT with the port number of the SOA server.

    5. Restart the servers. The Oracle Identity Manager server must remain down.

4.5.1.6 Upgrading Features Using MT Upgrade Utility

After Oracle Identity Manager configuration is complete, you can upgrade all the features using the MT upgrade utility in post-config mode.

To upgrade the features by using the MT upgrade utility in post-config mode:

  1. Perform the following prerequisites:

    • Make sure that Oracle Identity Manager is shut down.

    • Make sure that the Admin and SOA servers are up and running.

  2. Populate the $MW_HOME/Oracle_IDM1/server/bin/oim_upgrade_input.properties file with the correct input properties. Table 4-14 lists the input parameters with sample values.

    Table 4-14 Input Parameters in the oim_upgrade_input.properties File

    Input Parameter                          Sample Value
    JAVA_HOME                                java.home=WAS_HOME/java
    Server type (WebLogic/WebSphere)         server.type=was
    OIM connection string                    oim.jdbcurl=myhost.mydomain.com:PORT_NUMBER:oimdb
    OIM schema owner                         oim.oimschemaowner=OIM_SCHEMA_OWNER_NAME
    MDS connection string                    oim.oimmdsjdbcurl=myhost.mydomain.com:PORT_NUMBER:oimdb
    MDS schema owner                         oim.mdsschemaowner=ws_mds
    Admin host name                          oim.adminhostname=myhost.mydomain.com
    Admin port                               oim.adminport=PORT_NUMBER
    Admin user name                          oim.adminUserName=WAS_ADMIN_USER
    SOA host name                            oim.soahostmachine=soahost.mydomain.com
    SOA port                                 oim.soaportnumber=SOA_PORT
    SOA user name                            oim.soausername=WAS_ADMIN_USER
    Oracle OIM home                          oim.home=/scratch/wasr2install/mw/Oracle_IDM1
    Middleware home                          oim.mw.home=/scratch/wasr2install/mw
    SOA home                                 soa.home=/scratch/wars2install/mw/Oracle_SOA1
    WebSphere Deployment Manager cell home   wasCellHome=WAS_HOME/profiles/Dmgr03/config/cells/HOST_NAMECell03
    MT in post-config mode                   CSFSeed=false
    Management bootstrap port                oim.bootstrapport=PORT
    SOA bootstrap port                       soa.bootstrapport=PORT
    WebSphere home                           ws.home=/scratch/wars2Install/was
    WebSphere custom profile path            ws.custom.path=WAS_HOME/profiles/Custom02

    When CSFSeed=false, MT is run in post-config mode, and the following properties are set:

    PRE_OIM_CONFIG=false
    POST_OIMCONFIG=true

    Note:

    MT upgrade fails if you specify SSL ports in the oim_upgrade_input.properties file. MT upgrade is successful if you specify non-SSL ports in this file.

  3. Set the WAS_USER_SCRIPT environment variable to point to WAS_HOME/profiles/DMGR_NAME/bin/setupCmdLine.sh, where DMGR_NAME is the Dmgr Profile name.

  4. Go to the MW_HOME/Oracle_IDM1/server/bin/ directory, and run the following command:

    ./OIMUpgrade.sh
    

    Note:

    For Oracle Identity Manager MT Upgrade, Ant libraries are required. In an Oracle Identity Manager 11g Release 2 (11.1.2.1.0) installation on WebSphere, Ant libraries are not available by default. Therefore, you must manually copy the Ant 1.7 libraries to the OIM_HOME/server/ext/antlib/ directory. To do so:

    1. Create a directory called antlib in the OIM_HOME/server/ext/ directory.

    2. Copy the Ant 1.7 JAR files to the antlib directory.

  5. Analyze the Feature Upgrade Summary Report.

  6. Restart all servers, as follows:

    WAS_HOME/profiles/Custom01/bin/stopServer.sh SOA_SERVER -username WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
    WAS_HOME/profiles/Custom01/bin/stopServer.sh OracleAdminServer -username WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
    WAS_HOME/profiles/Custom01/bin/stopNode.sh -username WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
    WAS_HOME/profiles/Dmgr01/bin/stopManager.sh -username WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
    WAS_HOME/profiles/Dmgr01/bin/startManager.sh
    WAS_HOME/profiles/Custom01/bin/syncNode.sh DMGR_HOST DMGR_SOAP_PORT -username WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
    WAS_HOME/profiles/Custom01/bin/startNode.sh
    WAS_HOME/profiles/Custom01/bin/startServer.sh SOA_SERVER 
    WAS_HOME/profiles/Custom01/bin/startServer.sh OracleAdminServer
    WAS_HOME/profiles/Custom01/bin/startServer.sh OIM_SERVER
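
As an added example (not Oracle's code or tooling), the following Python pre-flight check parses oim_upgrade_input.properties and verifies, before OIMUpgrade.sh is run, that every key in Table 4-14 is set, that server.type is was, that the port values are numeric, that the connection strings use the host:port:sid form shown in the table, and that CSFSeed=false is paired with PRE_OIM_CONFIG=false and POST_OIMCONFIG=true. The sample properties text is constructed, and the list of required keys and the checks are assumptions drawn from the table, not behaviour of the MT upgrade utility.

```python
"""Pre-flight check for oim_upgrade_input.properties (added example, not an Oracle tool)."""
import re
import sys

# Every key that Table 4-14 lists; this check treats all of them as required (assumption).
REQUIRED_KEYS = (
    "java.home", "server.type", "oim.jdbcurl", "oim.oimschemaowner",
    "oim.oimmdsjdbcurl", "oim.mdsschemaowner", "oim.adminhostname",
    "oim.adminport", "oim.adminUserName", "oim.soahostmachine",
    "oim.soaportnumber", "oim.soausername", "oim.home", "oim.mw.home",
    "soa.home", "wasCellHome", "CSFSeed", "PRE_OIM_CONFIG", "POST_OIMCONFIG",
    "oim.bootstrapport", "soa.bootstrapport", "ws.home", "ws.custom.path",
)
PORT_KEYS = ("oim.adminport", "oim.soaportnumber", "oim.bootstrapport", "soa.bootstrapport")
# host:port:sid, the form the table uses for the OIM and MDS connection strings.
JDBC_URL_RE = re.compile(r"^[A-Za-z0-9.-]+:\d{1,5}:[A-Za-z0-9_.]+$")

# Constructed sample: the table's values with concrete (made-up) ports and paths filled in.
SAMPLE_PROPERTIES = """\
# constructed sample oim_upgrade_input.properties
java.home=/opt/IBM/WebSphere/AppServer/java
server.type=was
oim.jdbcurl=myhost.mydomain.com:1521:oimdb
oim.oimschemaowner=DEV_OIM
oim.oimmdsjdbcurl=myhost.mydomain.com:1521:oimdb
oim.mdsschemaowner=ws_mds
oim.adminhostname=myhost.mydomain.com
oim.adminport=9060
oim.adminUserName=wasadmin
oim.soahostmachine=soahost.mydomain.com
oim.soaportnumber=9080
oim.soausername=wasadmin
oim.home=/scratch/wasr2install/mw/Oracle_IDM1
oim.mw.home=/scratch/wasr2install/mw
soa.home=/scratch/wasr2install/mw/Oracle_SOA1
wasCellHome=/opt/IBM/WebSphere/AppServer/profiles/Dmgr03/config/cells/myhostCell03
CSFSeed=false
PRE_OIM_CONFIG=false
POST_OIMCONFIG=true
oim.bootstrapport=2809
soa.bootstrapport=2810
ws.home=/opt/IBM/WebSphere/AppServer
ws.custom.path=/opt/IBM/WebSphere/AppServer/profiles/Custom02
"""


def parse_properties(text):
    """Parse key=value lines; '#' and '!' comment lines are skipped. Only '=' is treated
    as the separator because the values in this file contain ':' (assumption)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def validate(props):
    """Return a list of problems; an empty list means every check passed.
    Whether a port is an SSL port cannot be read from the file, so that is not checked."""
    problems = []
    for key in REQUIRED_KEYS:
        if not props.get(key):
            problems.append(f"missing or empty: {key}")
    if props.get("server.type") != "was":
        problems.append("server.type must be 'was' on WebSphere")
    for key in PORT_KEYS:
        value = props.get(key, "")
        if not (value.isdigit() and 1 <= int(value) <= 65535):
            problems.append(f"{key} is not a valid port number: {value!r}")
    for key in ("oim.jdbcurl", "oim.oimmdsjdbcurl"):
        if key in props and not JDBC_URL_RE.match(props[key]):
            problems.append(f"{key} is not in host:port:sid form: {props[key]!r}")
    # Post-config mode: the table pairs CSFSeed=false with these two flags.
    if props.get("CSFSeed") == "false" and (
            props.get("PRE_OIM_CONFIG") != "false" or props.get("POST_OIMCONFIG") != "true"):
        problems.append("CSFSeed=false requires PRE_OIM_CONFIG=false and POST_OIMCONFIG=true")
    return problems


def check_file(path):
    """Validate a properties file on disk and return its list of problems."""
    with open(path, encoding="utf-8") as fh:
        return validate(parse_properties(fh.read()))


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    issues = check_file(path) if path else validate(parse_properties(SAMPLE_PROPERTIES))
    print("\n".join(issues) or "oim_upgrade_input.properties looks consistent")
    sys.exit(1 if issues else 0)
```

Run it with the path of the real file as its only argument; with no argument it checks the constructed sample.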
    

4.5.2 Upgrading Oracle Identity Manager 11g Release 2 (11.1.2.1.0) to 11g Release 2 (11.1.2.2.0) for a Clustered Deployment

This section describes how to upgrade Oracle Identity Manager 11g Release 2 (11.1.2.1.0) to 11g Release 2 (11.1.2.2.0) on IBM WebSphere for a clustered deployment. By performing the steps in this section, you will create a configuration as described in Table 4-15.

Table 4-15 Overview of Clustered Configuration

OIM_HOST_1                                  OIM_HOST_2
WebSphere Deployment Manager                Node Agent
Node Agent                                  Oracle Identity Manager Managed Server 2
Oracle Admin Server                         SOA Managed Server 2
Oracle Identity Manager Managed Server 1
SOA Managed Server 1

Here, OIM_HOST_1 is the host on which the Deployment Manager is deployed, and OIM_HOST_2 is the host on which Oracle Identity Manager and SOA Managed Servers are deployed.

Upgrading Oracle Identity Manager 11g Release 2 (11.1.2.1.0) on WebSphere for a clustered deployment involves the following topics:

4.5.2.1 Prerequisites for the Upgrade

Before you begin the upgrade process, perform the following prerequisites:

  1. Stop the Deployment Manager, Oracle Admin Server, all the Oracle Identity Manager and SOA Managed Servers, and the Node Agent on OIM_HOST_1 and OIM_HOST_2 in the following order:

    1. Stop the Oracle Identity Manager Managed Server on both OIM_HOST_1 and OIM_HOST_2.

    2. Stop the SOA Managed Server on both OIM_HOST_1 and OIM_HOST_2.

    3. Stop the Oracle Admin Server on OIM_HOST_1.

    4. Stop the Node Agent on both OIM_HOST_1 and OIM_HOST_2.

    5. Stop the Deployment Manager on OIM_HOST_1.

  2. After stopping all the servers, create a backup of the following:

    • The MW_HOME directory, including the Oracle Home directories inside Middleware home on both OIM_HOST_1 and OIM_HOST_2.

    • WebSphere Home directory on both OIM_HOST_1 and OIM_HOST_2.

    • The following database schemas:

      • Oracle Identity Manager schema

      • MDS schema

      • ORASDPM schema

      • SOAINFRA schema

      • OPSS schema

4.5.2.2 Upgrading OIM_HOST_1 to 11g Release 2 (11.1.2.2.0)

Upgrading OIM_HOST_1 to Oracle Identity Manager 11g Release 2 (11.1.2.2.0) involves the following:

4.5.2.2.1 Performing Pre-Upgrade Tasks

Perform pre-upgrade tasks, such as reviewing the changes in features of Oracle Identity Manager 11g Release 2 (11.1.2.2.0), reviewing system requirements and certifications, generating and analyzing the pre-upgrade report, and performing necessary pre-upgrade tasks described in the report, by referring to "Pre-Upgrade Steps" in the Oracle Fusion Middleware Upgrade Guide for Identity and Access Management.

4.5.2.2.2 Upgrading SOA Binaries and Applying Patches for SOA

If you are not using Oracle SOA Suite 11.1.1.7.0, then you must upgrade your existing Oracle SOA Suite to 11.1.1.7.0 by completing the tasks described in "Upgrading Oracle SOA Suite to 11.1.1.7.0" of the Oracle Fusion Middleware Upgrade Guide for Oracle Identity and Access Management.

When the installer is run from Disk1, point to the existing Middleware Home for Release 11.1.2.1.0. A prompt is displayed stating that an upgrade is detected. Click OK, and continue the installation.

The OIM_11.1.2.2_SOAPS6_PREREQS.zip patch file is available in the /iamsuite/Disk1/ directory after iamsuite1.zip is unzipped. Make sure that the directory has write permissions before unzipping the patch, or copy OIM_11.1.2.2_SOAPS6_PREREQS.zip to another directory. Then, apply the patches as follows:

  1. Set the ORACLE_HOME environment variable to point to SOA_HOME.

  2. Unzip OIM_11.1.2.2_SOAPS6_PREREQS.zip. This creates a SOAPATCH directory. This directory contains the ZIP files for patches. Unzip each patch file.

  3. Change the permission to read and write for the SOAPATCH directory by using the chmod command.

  4. Run the following command:

    $ORACLE_HOME/OPatch/opatch napply SOAPATCH -oh $ORACLE_HOME -jdk LOCATION_OF_IBM_JDK
    

Note:

After upgrading SOA, apply the additional SOA patch listed in "Mandatory Patches Required for Installing Oracle Identity Manager" of the Oracle Fusion Middleware Release Notes.

4.5.2.2.3 Upgrading Oracle Identity Manager Binaries and Applying Patches for Oracle Identity Manager

Update the existing Oracle Identity and Access Management binaries to Release 11.1.2.2.0 by running the Oracle Identity and Access Management 11.1.2.2.0 installer. See "Updating Oracle Identity Manager Binaries to 11.1.2.2.0" in the Oracle Fusion Middleware Upgrade Guide for Oracle Identity and Access Management for more information.

When the installer is run from Disk1, point to the existing Middleware Home for Release 11.1.2.1.0. A prompt is displayed stating that an upgrade is detected. Click OK, and continue the installation.

Apply patches for Oracle Identity Manager. To do so:

  1. Download patch 18494370 from My Oracle Support web site at:

    https://support.oracle.com

  2. Set the ORACLE_HOME environment variable to point to OIM_HOME.

  3. Unzip the patch zip file by running the following command:

    $ unzip p18494370_111220_Generic.zip
    

    The OIMPATCH directory is extracted with multiple patch ZIP files under it.

  4. Navigate to the OIMPATCH/ directory, and unzip all the patch ZIP files. Remove the patch ZIP files after unzipping.

  5. Run OPatch to apply the patches, as shown:

    $ORACLE_HOME/OPatch/opatch napply OIMPATCH -oh $ORACLE_HOME -jdk JDK_PATH
    
4.5.2.2.4 Applying Oracle Common Patch

To apply Oracle Common patch:

  1. Go to the /SOAPATCH/17418151/ directory.

  2. Set the ORACLE_HOME environment variable to point to the oracle_common directory under MW_HOME.

  3. Run the following command:

    $ORACLE_HOME/OPatch/opatch apply -oh $ORACLE_HOME -jdk JDK_PATH
    
4.5.2.2.5 Applying ADF Patch

After upgrading Oracle Identity Manager binaries, apply ADF patch 18373763. To do so:

  1. Download ADF patch 18373763 from My Oracle Support web site at:

    https://support.oracle.com

  2. Unzip p18373763_111170_Generic.zip. The /18373763 directory is created. Navigate to this directory.

  3. To apply the patch, run the following command:

    ORACLE_COMMON/OPatch/opatch apply -oh ORACLE_COMMON -jdk JDK_PATH
    
4.5.2.2.6 Applying Additional Mandatory Patches for Oracle Identity Manager

Apply the relevant mandatory patches required for Oracle Identity Manager, as described in "Mandatory Patches Required for Installing Oracle Identity Manager" of the Oracle Fusion Middleware Release Notes.

4.5.2.2.7 Upgrading Oracle Identity Manager Schema

Perform schema upgrade by running the Patch Set Assistant. See "Upgrading Schemas Using Patch Set Assistant" in the Oracle Fusion Middleware Upgrade Guide for Oracle Identity and Access Management for details. Select Oracle Identity Manager in the Select Component screen.

4.5.2.2.8 Upgrading OPSS Schema

To upgrade OPSS schema:

  1. Remove the following classes:

    $MW_HOME/oracle_common/common/wsadmin/Opss$py.class
    $MW_HOME/oracle_common/common/script_handlers/Opss_common$py.class
    $MW_HOME/oracle_common/common/script_handlers/Opss_handler$py.class
    
  2. Set the WAS_USER_SCRIPT environment variable to point to WAS_HOME/profiles/DMGR_NAME/bin/setupCmdLine.sh, where DMGR_NAME is the Dmgr Profile name.

  3. Run the following commands:

    $MW_HOME/oracle_common/common/bin/wsadmin.sh -username WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
     
    Opss.upgradeOpss(jpsConfig="PATH_TO_OLD_VERSION_jps-config.xml_FILE",
                jaznData="PATH_TO_NEW_VERSION_OOTB_JAZN_data_FILE",
                auditStore="PATH_TO_DEFAULT_audit-store.xml_FILE",
                jdbcDriver="JDBC_DRIVER",
                url="JDBC_LDAP_URL",
                user="JDBC_LDAP_USER",
                password="JDBC_LDAP_PASSWORD",
                upgradeJseStoreType="true")
    

    For example:

    Opss.upgradeOpss(jpsConfig="WAS_HOME/profiles/CUSTOM_PROFILE_NAME/config/cells/myhostCell03/fmwconfig/jps-config.xml",
                jaznData="MW_HOME/oracle_common/modules/oracle.jps_11.1.1/domain_config/system-jazn-data.xml",
                jdbcDriver="oracle.jdbc.OracleDriver", 
                url="jdbc:oracle:thin:@myhost.mydomain.com:PORT/oimdb", 
                user="JDBC_LDAP_USER",
                password="JDBC_LDAP_PASSWORD",
                upgradeJseStoreType="true")
    

Note:

If the Opss.upgradeOpss command fails, then run the following queries as the system administrator:
ALTER SYSTEM SET PARALLEL_MAX_SERVERS=0 SCOPE=BOTH SID='*';
ALTER SYSTEM SET PARALLEL_MIN_SERVERS=0 SCOPE=BOTH SID='*';

4.5.2.2.9 Upgrading JRF/ADF

To upgrade Java Required Files (JRF) and Application Development Framework libraries:

  1. Run the following command:

    $MW_HOME/oracle_common/common/bin/wsadmin.sh -profileName DEPLOYMENT_MANAGER_PROFILE_NAME -username WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
    
  2. For managed servers that are not on a cluster, run the following command:

    ADFAdmin.updateADFLibrary(CELL_NAME, NODE_NAME, SERVER_NAME)
    

    For managed servers targeted on cluster, run the following command:

    ADFAdmin.updateADFLibraryOnCluster(CELL_NAME,CLUSTER_NAME)
    

    For example:

    ADFAdmin.updateADFLibraryOnCluster('Cell05','SOA_CLUSTER')
    
  3. Start all servers, as follows:

    $WAS_HOME/profiles/Dmgr01/bin/startManager.sh
    $WAS_HOME/profiles/Custom01/bin/syncNode.sh DMGR_HOST DMGR_SOAP_PORT -username WAS_ADMIN_USER -password WAS_ADMIN_PASSWORD
    $WAS_HOME/profiles/Custom01/bin/startNode.sh
    $WAS_HOME/profiles/Custom01/bin/startServer.sh SOA_SERVER 
    $WAS_HOME/profiles/Custom01/bin/startServer.sh OracleAdminServer
    
4.5.2.2.10 Performing Post Patching Tasks for SOA

The post patching tasks for SOA involve the following steps:

  1. Before performing post patching tasks for SOA, start the servers on OIM_HOST_1 in the following order:

    1. Start Deployment Manager.

    2. Sync the node.

    3. Start the Node Agent.

    4. Start SOA Managed Server.

    5. Start Oracle Admin Server.

  2. Configure activation spec CaseEventMDB/AS. To do so:

    1. Login to the IBM WebSphere Administrative Console.

    2. Go to Resources, JMS, JMS providers.

    3. Select the SOA cluster name from the drop-down list. Then, select Default messaging provider, Activation specifications.

    4. Click New, and enter the following details:

      • Name: CaseEventMDB

      • JNDI name: CaseEventMDB/AS

      • Destination type: Queue

      • Destination JNDI name: jms/bpm/CaseEventQueue

      • Bus name: soajmsBus

      • Acknowledgement mode: Auto-acknowledge

      • Target type: Bus member name

      • Target significance: Preferred

      • Maximum batch size: 1

      • Maximum concurrent MDB invocations per endpoint: 10

      • Subscription durability: NonDurable

      • Durable subscription home: DefaultNode01.soa_cluster-SoajmsBus

      • Shared durable subscriptions: In Cluster

    5. Click Apply, and then click OK. Save directly to the master configuration.

  3. Configure JMS Queue jms/bpm/CaseEventQueue. To do so:

    1. In the IBM WebSphere Administrative Console, go to Resources, JMS, Queues.

    2. Select SOA cluster name from the drop down.

    3. Click New, and select Default messaging provider. Then, enter the following details:

      • Name: CaseEventQueue

      • JNDI name: jms/bpm/CaseEventQueue

      • Bus name: soaJmsBus

      • Queue name: CaseEventQueue

        Here, select Create service integration bus destination, and perform steps 4 through 6 below. The main properties page is then displayed, where you select the Queue name that was created.

      • Read ahead: Enabled

      • Select Prefer to send messages to a local queue point

      • Select Messages may be sent to different queue points

      • Select Only messages on a single queue point are visible

    4. In the Set queue attributes page, enter CaseEventQueue in the Identifier field. Then, click Next.

    5. In the Assign the queue to a bus member page, select the SOA cluster name in the Bus member field. Then, click Next.

    6. In the Confirm queue creation page, click Finish. The new queue, CaseEventQueue, is then available in the Queue name drop-down list of the General Properties page.

    7. Enter other details and click Apply. Then, click OK and save directly to master configuration.

  4. Redeploy soa-infra-was.ear. To do so:

    1. In the IBM WebSphere Administrative Console, select Applications, Application Types, WebSphere enterprise applications.

    2. Select soa-infra, and click Update.

    3. Click Browse, and select soa-infra-was.ear from the SOA_HOME/soa/applications/ directory, which has been updated by the upgrade process. Click Next.

    4. Click Next. If the Directory to install application field is empty, then enter a value similar to the following sample value:

      WAS_HOME/profiles/Dmgr01/config/cells/DefaultCell01
      
    5. Click Next, and make sure that all modules are targeted to the SOA cluster.

    6. Click Next, and then click Finish. Save directly to the master configuration.

  5. Configure serverURL in soa-infra-configbean from System MBean. To do so:

    1. Login to Oracle Enterprise Manager.

    2. Right-click Cell_WebSphere, and select System MBean Browser.

    3. Expand oracle.as.soainfra.config, Server: soa_server1, SoaInfraConfig. Click soa-infra.

    4. Set the value of Server URL for the IHS server, and click Apply.

    5. Restart the servers. The Oracle Identity Manager server must remain down.

4.5.2.2.11 Upgrading Oracle Identity Manager Middle Tier

To upgrade Oracle Identity Manager Middle Tier:

  1. On OIM_HOST_1, restart the servers in the following order:

    1. Stop SOA server.

    2. Stop Oracle Admin Server.

    3. Stop the Node Agent.

    4. Stop the Deployment Manager.

    5. Start the Deployment Manager.

    6. Sync the node.

    7. Start the Node Agent.

    8. Start SOA Managed Server.

    9. Start Oracle Admin Server.

  2. Upgrade Oracle Identity Manager features by using the MT upgrade utility in post-config mode, as described in Section 4.5.1.6, "Upgrading Features Using MT Upgrade Utility".

    Note:

    MT upgrade fails if you specify SSL ports in the oim_upgrade_input.properties file. MT upgrade is successful if you specify non-SSL ports in this file.

    MT upgrade fails if SSL for RMI/IIOP is enabled. Make RMI/IIOP non-SSL before running MT upgrade.

  3. After MT upgrade, restart the servers on OIM_HOST_1 in the following order:

    1. Stop SOA server.

    2. Stop Oracle Admin Server.

    3. Stop the Node Agent.

    4. Stop the Deployment Manager.

    5. Start the Deployment Manager.

    6. Sync the node.

    7. Start the Node Agent.

    8. Start SOA Managed Server.

    9. Start Oracle Admin Server.

    10. Start Oracle Identity Manager server.

4.5.2.2.12 Upgrading Oracle Identity Manager Installed Components

Upgrade other Oracle Identity Manager installed components, such as the Design Console and the Remote Manager.

4.5.2.2.13 Performing Mandatory Post Upgrade Tasks

After upgrading to Oracle Identity Manager 11g Release 2 (11.1.2.2.0) on OIM_HOST_1, perform the mandatory post-upgrade tasks as described in Section 4.5.3, "Performing Post-Upgrade Tasks After Upgrade From 11g Release 2 (11.1.2.1.0)".

4.5.2.3 Upgrading OIM_HOST_2 to 11g Release 2 (11.1.2.2.0)

Upgrading OIM_HOST_2 to 11g Release 2 (11.1.2.2.0) involves the following steps:

  1. Upgrade Oracle Home. To do so:

    1. Upgrade Oracle SOA Suite by referring to Section 4.5.2.2.2, "Upgrading SOA Binaries and Applying Patches for SOA".

    2. Upgrade Oracle Identity Manager binaries by referring to Section 4.5.2.2.3, "Upgrading Oracle Identity Manager Binaries and Applying Patches for Oracle Identity Manager".

    3. Apply Oracle Common patch as described in Section 4.5.2.2.4, "Applying Oracle Common Patch".

    4. Apply ADF patch as described in Section 4.5.2.2.5, "Applying ADF Patch".

  2. Restart the servers on OIM_HOST_2 in the following order:

    1. Sync the node.

    2. Start the Node Agent.

    3. Start SOA Managed Server.

    4. Start Oracle Identity Manager Managed Server.

4.5.3 Performing Post-Upgrade Tasks After Upgrade From 11g Release 2 (11.1.2.1.0)

After upgrading to Oracle Identity Manager 11g Release 2 (11.1.2.2.0), you must perform the mandatory post-upgrade steps described in "Performing Post-Upgrade Tasks" in the Oracle Fusion Middleware Upgrade Guide for Oracle Identity and Access Management. However, perform the following additional post-upgrade tasks after upgrading on IBM WebSphere:

Note:

For a clustered deployment, perform the mandatory post-upgrade tasks on OIM_HOST_1 of the cluster.

4.5.3.1 Creating New Data Source for Communication Between SOA and Oracle Identity Manager Database (Optional)

The oimOperationsDB data source is targeted to both the Oracle Identity Manager server and the SOA servers. The SOA server uses it for user and role lookup in the Oracle Identity Manager database, and all database operations from the SOA server to the Oracle Identity Manager database are read-only. For better monitoring and tuning, a separate data source must be created for communication between SOA and the Oracle Identity Manager database. Therefore, when upgrading to Oracle Identity Manager 11g Release 2 (11.1.2.2.0), perform the following steps:

  1. Create a new datasource soaOIMLookupDB with Oracle Identity Manager database connection details. To do so, login to IBM WebSphere Administrative Console, and select Resources, JDBC, Data sources. Then, configure the data source as follows:

    1. For a non-clustered setup, select the SOA server from the drop-down list. For a clustered setup, select the SOA cluster from the drop-down list.

    2. Click New.

    3. Enter values for the following properties:

      Data source name: soaOIMLookupDB

      JNDI name: jdbc/soaOIMLookupDB

    4. Create new JDBC provider.

    5. Enter the following details:

      Database type: Oracle

      Provider type: Oracle JDBC Driver

      Implementation type: XA data source

      Name: Oracle JDBC Driver (XA)

      Description: Oracle JDBC Driver (XA)

    6. Specify values for the database-specific properties, as follows:

      URL: jdbc:oracle:thin:@HOST:PORT/SERVICE

      Data store helper class name: Oracle11g data store helper

      Note:

      The data store helper class name must be specific to the database in use.

    7. Set up security aliases by specifying the following values:

      Component-managed authentication alias: Select the alias value as used for oimOperationsDB

      Mapping-configuration alias: none

      Container-managed authentication alias: none

    8. Click Finish, and save changes to the master configuration.

    9. Select Data sources, soaOIMLookupDB, Connection pools, and specify the following values:

      Maximum connections: 20

      Minimum connections: 20

    10. Click Apply, and then click OK. Save directly to the master configuration.

  2. Remove SOA server from the targets of oimOperationsDB. To do so:

    1. Select Resources, JDBC, Data sources.

    2. From the drop down, select All scopes.

    3. Select oimOperationsDB targeted to SOA server. For clustered deployment, select oimOperationsDB targeted to SOA cluster.

    4. Click Delete.

    5. Save directly to the master configuration.

  3. The DATASOURCE_NAME property of the idstore.oim element in the WAS_HOME/profiles/Dmgr01/config/cells/HOST_NAME_Cell01/fmwconfig/jps-config.xml file has the value 'jdbc/oimOperationsDB'. Change this value to 'jdbc/soaOIMLookupDB'.

    Note:

    The recommended changes are required only for performance improvement in very high load instances, and do not have any functional impact.

  4. Restart all servers, including the managed servers, domain manager, and node agent on all nodes of the cluster, and run the sync node command for the node agent.
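Step 3 above changes a single attribute in a large XML file by hand. The following Python script is an added example, not an Oracle-supplied tool, that makes the same change programmatically: it checks that the idstore.oim entry still points at jdbc/oimOperationsDB before touching it, leaves every other service instance alone, and is safe to run twice. The embedded jps-config.xml fragment is constructed for the example; the namespace URI and element layout are assumptions about the real file, which is why the script matches elements by local name rather than by a fixed namespace.

```python
"""Retarget the idstore.oim service instance in jps-config.xml from
jdbc/oimOperationsDB to jdbc/soaOIMLookupDB.

Added example, not an Oracle script. SAMPLE_JPS_CONFIG is a constructed
fragment; the real file holds many more service instances, and the
namespace URI below is an assumption.
"""
import xml.etree.ElementTree as ET

OLD_DS = "jdbc/oimOperationsDB"
NEW_DS = "jdbc/soaOIMLookupDB"

# Constructed sample document (assumed namespace and layout).
SAMPLE_JPS_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<jpsConfig xmlns="http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd">
  <serviceInstances>
    <serviceInstance name="idstore.oim" provider="idstore.oim.provider">
      <property name="DATASOURCE_NAME" value="jdbc/oimOperationsDB"/>
      <property name="DATASOURCE_PLATFORM" value="ORACLE"/>
    </serviceInstance>
    <serviceInstance name="credstore.db" provider="db.credstore.provider">
      <property name="DATASOURCE_NAME" value="jdbc/OpssDataSource"/>
    </serviceInstance>
  </serviceInstances>
</jpsConfig>
"""


def _local(tag):
    """Strip a namespace prefix: '{uri}property' -> 'property'."""
    return tag.rsplit("}", 1)[-1]


def find_datasource_property(root, instance_name):
    """Return the DATASOURCE_NAME <property> of one serviceInstance, or None."""
    for inst in root.iter():
        if _local(inst.tag) == "serviceInstance" and inst.get("name") == instance_name:
            for prop in inst:
                if _local(prop.tag) == "property" and prop.get("name") == "DATASOURCE_NAME":
                    return prop
    return None


def retarget_idstore(xml_text, old=OLD_DS, new=NEW_DS):
    """Return (updated_xml, changed).

    Only the idstore.oim entry is rewritten, and only while it still
    carries the old value, so a second run is a no-op."""
    root = ET.fromstring(xml_text)
    # Keep the default namespace unprefixed when serialising again.
    if root.tag.startswith("{"):
        ET.register_namespace("", root.tag[1:root.tag.index("}")])
    prop = find_datasource_property(root, "idstore.oim")
    if prop is None:
        raise ValueError("no idstore.oim DATASOURCE_NAME property found")
    if prop.get("value") != old:
        return xml_text, False
    prop.set("value", new)
    return ET.tostring(root, encoding="unicode"), True


def datasource_of(xml_text, instance_name):
    """Convenience lookup used to verify the result."""
    prop = find_datasource_property(ET.fromstring(xml_text), instance_name)
    return None if prop is None else prop.get("value")


if __name__ == "__main__":
    updated, changed = retarget_idstore(SAMPLE_JPS_CONFIG)
    print("changed:", changed)
    print("idstore.oim now uses:", datasource_of(updated, "idstore.oim"))
```

On a real cell, read the file from WAS_HOME/profiles/Dmgr01/config/cells/HOST_NAME_Cell01/fmwconfig/jps-config.xml, write the result back only when the script reports a change, and keep a copy of the original before doing so.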

4.5.3.2 Updating the Pending Approvals View

After upgrading Oracle Identity Manager 11g Release 2 (11.1.2.1.0) to 11g Release 2 (11.1.2.2.0), the Pending Approvals view does not work. Perform the following steps for the Pending Approvals view to work:

  1. Log in to the SOA worklist application as the SOA administrative user, and delete the Pending Approvals view.

  2. Restart Oracle Identity Manager. During the startup, the Pending Approvals view is created with filter based on the default SOA composites.

  3. Update the Pending Approvals view with all the tasks associated with custom approval SOA composites.

See Also:

"How To Create, Delete, and Customize Worklist Views" in the Oracle Fusion Middleware Developer's Guide for Oracle SOA Suite for information about managing views

4.5.3.3 Reviewing Performance Tuning Recommendations

After you upgrade to Oracle Identity Manager 11g Release 2 (11.1.2.2.0), you must review the Oracle Identity Manager specific performance tuning recommendations described in "Oracle Identity Manager Performance Tuning" in the Oracle Fusion Middleware Performance and Tuning Guide.

4.5.3.4 Running the Design Console After Upgrade

To run the Design Console after upgrading to Oracle Identity Manager 11g Release 2 (11.1.2.2.0) on IBM WebSphere:

  1. Configure the Design Console. To do so:

    1. Run the Configuration Assistant as follows:

      cd $OIM_HOME/bin
      ./config.sh -jreLoc LOCATION_OF_IBM_JDK -DSHOW_APPSERVER_TYPE_SCREEN=true
      
    2. On the Components to configure page, select the OIM Design Console option, and deselect the other options.

    3. Enter the following details, and then click Next.

      • WAS Client Home Location: WebSphere Application client home

      • OIM Server Hostname: WebSphere Application Server host name on which Oracle Identity Manager application is deployed

      • OIM Server Port: WebSphere Application Server default port on which Oracle Identity Manager application is deployed

      • OIM Server Bootstrap port: WebSphere Application Server bootstrap port on which Oracle Identity Manager application is deployed

    4. Click Configure. Complete the wizard by clicking Next.

  2. Run the Design Console, as follows:

    cd $OIM_HOME/designconsole
    ./wsxlclient.sh
    

4.5.3.5 Upgrading Request Data

You must upgrade the request data by running the request data upgrade utility. This utility updates Metadata Services (MDS) and the request tables. To upgrade the request data, refer to section "Upgrading Request Data" in the Oracle Fusion Middleware Upgrade Guide for Oracle Identity and Access Management.

If the JAVA_HOME environment variable is set to the IBM JDK location, then to run the ant -f run-request-automation.xml command on WebSphere, perform the following workaround:

  1. In a text editor, open the ORACLE_HOME/server/bin/run-request-automation.xml file.

  2. Locate the following definition for util-classpath:

    <pathelement location="${dist.dir}/lib/RequestDataUpdate.jar"/>
    
  3. Add an additional pathelement line, which provides the location of the JAR file containing javax.servlet.ServletContext, as follows:

    <pathelement location="${mw.home}/oracle_common/modules/javax.servlet.jar"/>
    
  4. Edit the ORACLE_HOME/server/bin/run-request-automation.xml file, and provide the database details for Oracle Identity Manager and MDS schemas in the arguments tag by replacing the existing values. For example:

    <arg value="DB_USERNAME"/>
    <arg value="${DB_PASSWORD}"/>
    <arg value="MDS_USERNAME"/>
    <arg value="${MDS_PASSWORD}"/>
    <arg value="oim.db.example.com"/>
    <arg value="PORT_NUMBER"/>
    <arg value="oim.db.servicename.example.com"/>
    <arg value="mds.db.example.com"/>
    <arg value="PORT_NUMBER"/>
    <arg value="mds.db.servicename.example.com"/>
    

    Note:

    You can leave the Oracle Identity Manager and MDS passwords as is. The utility prompts for the passwords.

  5. Set the following environment variables:

    export ORACLE_HOME=absolute_path_to_OIM_HOME
    export MW_HOME=absolute_path_to_MIDDLEWARE_HOME
    export ANT_HOME=absolute_path_to_directory_where_you_uncompressed_Ant
    export JAVA_HOME=absolute_path_to_JDK_LOCATION
    

4.5.3.6 Configuring Nondefault Administrator User

If the Oracle Identity Manager administrator user is different from the WebSphere administrator user, then perform the following steps:

  1. Create a .py file, for example was_admin_postupg.py, with the following content:

    AdminApp.edit ('wsm-pm', '[-MapRolesToUsers [[policy.Updater
    AppDeploymentOption.No AppDeploymentOption.No ADMIN_USER_NAME ""
    AppDeploymentOption.No "user:ADMIN_USER_NAME" "" ]]]')
    AdminApp.edit('wsm-pm', '[ -MapRolesToUsers [[policy.Accessor
    AppDeploymentOption.No AppDeploymentOption.No ADMIN_USER_NAME ""
    AppDeploymentOption.No " |user:ADMIN_USER_NAME" "" ]]]' )
    AdminApp.edit('wsm-pm', '[ -MapRolesToUsers [[policy.User
    AppDeploymentOption.No AppDeploymentOption.No ADMIN_USER_NAME ""
    AppDeploymentOption.No "user:ADMIN_USER_NAME" "" ]]]' )
    AdminApp.edit('wsm-pm', '[ -MapRolesToUsers [[policyViewer
    AppDeploymentOption.No AppDeploymentOption.No ADMIN_USER_NAME ""
    AppDeploymentOption.No " |user:ADMIN_USER_NAME" "" ]]]' )
    AdminConfig.save()
    

    Replace ADMIN_USER_NAME with WebSphere administrator username.

  2. Run the following script:

    $COMMON_COMPONENTS_HOME/common/bin/wsadmin.sh -profileName DMGR_PROFILE_NAME -conntype SOAP -host DMGR_HOSTNAME -port DMGR_SOAP_PORT -user WEBSPHERE_ADMIN_USERNAME -password WEBSPHERE_ADMIN_PASSWORD -f was_admin_postupg.py
    
  3. Restart all the servers.

4.5.3.7 Targeting sdpmessaging.jar to Oracle Identity Manager Cluster

After upgrading Oracle Identity Manager clustered deployment from 11g Release 2 (11.1.2.1.0), perform the following steps before starting SOA_SERVER_1:

  1. Log in to Deployment Manager, and select Environment, Shared libraries.

  2. From the scope list, select Cluster=oim_cluster, and click New. The General Properties page is displayed.

  3. In the name field, enter oracle.sdp.messaging_11.1.1_11.1.1.

  4. In the Classpath field, specify the following value:

    ${oracle.sdp.messaging_11.1.1.6.0_Oracle_SOA1_ORACLE_HOME}/communications/modules/oracle.sdp.messaging_11.1.1/sdpmessaging.jar

  5. Click OK, and then click Save.

  6. Restart all managed servers.

4.5.4 Upgrading Oracle Identity Manager Release 9.x to 11g Release 2 (11.1.2.2.0)

This section describes the steps required to upgrade and configure Oracle Identity Manager Release 9.x to Oracle Identity Manager 11g Release 2 (11.1.2.2.0) on IBM WebSphere. It contains the following sections:

Note:

After upgrading features using MT Upgrade Utility in post-config mode, you must perform the post upgrade configuration steps as described in Section 4.5.6, "Performing Postupgrade Configuration After Upgrade From Release 9.x".

4.5.4.1 Prerequisites for the Upgrade

Before upgrading Oracle Identity Manager Release 9.x to 11g Release 2 (11.1.2.2.0) on IBM WebSphere, make sure that:

  • A WAS_HOME exists in which IBM WebSphere Application Server 7.0.0 with Fix Pack 27 has been installed.

  • A Middleware home exists with SOA installed in it.

  • An Oracle Database 11g exists in which the schemas that Oracle Identity Manager depends on, such as MDS, SOAINFRA, OPSS, and ORASDPM, have been created.

Perform the following prerequisite steps:

  1. Run the PreUpgradeReport utility.

    You must run the PreUpgradeReport utility to analyze your Oracle Identity Manager environment before you begin the upgrade process. Address all issues listed as part of this report with the solution provided. After fixing the issues, run the report until no pending issues are listed in the report. See "Generating and Analyzing the Pre-Upgrade Report" in the Oracle Fusion Middleware Upgrade Guide for Oracle Identity and Access Management for information about running the PreUpgradeReport utility.

  2. Install IBM WebSphere Application Server.

    Follow the instructions in Section 2.4, "Task 4: Install the IBM WebSphere Software" for installing IBM WebSphere Application Server 7.0 and applying the latest Fix Pack for IBM WebSphere 7.0.

  3. Install Oracle SOA Suite (11.1.1.7.0).

    See "Installing Oracle SOA Suite 11.1.1.7.0 (Oracle Identity Manager Users Only)" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management for information about installing SOA Suite.

    After installing Oracle SOA Suite 11.1.1.7.0, you must apply mandatory SOA patches before installing Oracle Identity Manager. For information about the patches, see "Mandatory Patches Required for Installing Oracle Identity Manager" in the Oracle Fusion Middleware Release Notes.

  4. Create the database schema.

    You must create and load the appropriate Oracle Fusion Middleware schemas in the database using Repository Creation Utility (RCU) before installing and configuring Oracle Identity Manager. See "Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU)" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management for details.

4.5.4.2 Installing Oracle Identity Manager and Applying Patches

Install Oracle Identity Manager as a part of Oracle Identity and Access Management 11g by running the Oracle Identity and Access Management Installer. To do so, follow the instructions in the following sections of the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management:

Apply patches for Oracle Identity Manager. To do so:

  1. Download patch 18494370 from My Oracle Support web site at:

    https://support.oracle.com

  2. Unzip the patch zip file by running the following command:

    $ unzip p18494370_111220_Generic.zip
    

    The OIMPATCH directory is extracted with multiple patch ZIP files under it.

  3. Navigate to the OIMPATCH/ directory, and unzip all the patch ZIP files. Remove the patch ZIP files after unzipping.

  4. Run OPatch to apply the patches, as shown:

    $ opatch napply OIMPATCH -oh OIM_ORACLE_HOME
    

Note:

In addition, apply the relevant patches for Oracle Identity Manager, as described in section "Mandatory Patches Required for Installing Oracle Identity Manager" of the Oracle Fusion Middleware Release Notes.

4.5.4.3 Upgrading Oracle Identity Manager Schema

Before you begin:

  • Create a backup of Oracle Identity Manager Release 9.x Schema.

  • Run the OSI Data Upgrade using the OSI Data Upgrade Utility. For more information about running the OSI Data Upgrade Utility, see the technote "OSI Data Upgrade Utility for Upgrading OIM 9.1.0.x to OIM 11g Version" with ID 1303215.1 at the following URL:

    https://support.oracle.com

  • Set the JAVA_HOME environment variable.

To upgrade Oracle Identity Manager Release 9.x schema to 11g Release 2 (11.1.2.2.0):

  1. Start the Oracle Fusion Middleware Upgrade Assistant. To do so:

    1. Go to the /mw/Oracle_IDM1/bin/ directory.

    2. Run the following command:

      ./ua
      

      The Welcome page of the Oracle Fusion Middleware Upgrade Assistant wizard is displayed.

  2. Click Next. The Specify Operation page of the wizard is displayed.

  3. Select the Upgrade Oracle Identity Manager Schema option, and then click Next.

  4. In the Prerequisites page, select all the checkboxes to specify that the prerequisites have been met. Click Next.

  5. In the Specify OIM Database page, enter the following connection details for the source Oracle Identity Manager database, and then click Next.

    • Host: Name of the host on which the database is deployed.

    • Port: Port number to connect to the host identified in the Host field.

    • Service Name: A string that is the global database name, a name comprised of the database name and domain name, entered during installation or database creation.

    • OIM Schema: Name of the Oracle Identity Manager schema.

    • SYS Password: Database system administrator password.

  6. In the Examining Components page, a status of the examination progress is displayed. Click Next.

  7. In the Upgrade Summary page, expand the upgrade component names to display the summary information of the upgrade. When finished, click Upgrade.

  8. In the Upgrading Components page, a progress bar shows the progress of the schema upgrade. The status of each upgrade component is also displayed. When finished, click Next.

  9. In the End of Upgrade page, click Close.

Note:

After the schema upgrade is performed, you must disable the workflow upgrade before proceeding to the next step. To disable the workflow upgrade, connect with the Oracle Identity Manager schema credentials, and run the following SQL command:

    update upgrade_feature_state set IS_FEATURE_UPGRADED='Y', FEATURE_UPGRADE_STATE='UPGRADED' where FEATURE_ID = 'OIM91UPG.Workflow';
    

4.5.4.4 Upgrading OPSS Schema

As a prerequisite, before upgrading the OPSS schema, set the JAVA_HOME environment variable.

To upgrade the OPSS schema:

  1. Run the Oracle Fusion Middleware Patch Set Assistant. To do so, go to the /mw/Oracle_IDM1/bin/ directory, and run the following command:

    ./psa
    

    The Welcome page of the Oracle Fusion Middleware Patch Set Assistant is displayed.

  2. Click Next. The Select Component page is displayed.

  3. Expand and select Oracle Platform Security Services. Verify that OPSS Schema is selected, and then click Next.

  4. In the Prerequisites page, select all the checkboxes to specify that the prerequisites have been met. Click Next.

  5. In the OPSS Schema page, enter the following connection details to specify the database containing the OPSS schema that you want to upgrade:

    • Database Type: Select Oracle Database.

    • Connect String: Enter the connection string in the following format:

      HOST_NAME:PORT_NUMBER/SERVICE_NAME

      Here, HOST_NAME is the host on which the database is running, PORT_NUMBER is the port number for connecting to the host, and SERVICE_NAME is the name of the service for Oracle Identity Manager schema.

    • DBA User Name: Enter a user name with database system administrator privilege.

    • DBA Password: Enter the database system administrator password.

    Click Connect. Then, select a user name for the schema from the Schema User Name list, and enter the schema password. When finished, click Next.

  6. Complete the remaining steps of the wizard by clicking Next.

4.5.4.5 Configuring Oracle Identity Manager

You must manually perform the following steps to configure Oracle Identity Manager:

4.5.4.5.1 Creating and Configuring a Cell

To create and/or extend a cell with the Oracle Identity Manager 11g Release 2 (11.1.2.2.0) components:

  1. Start the Fusion Middleware Configuration Wizard by running the following command:

    cd $OIM_ORACLE_HOME/common/bin
    ./was_config.sh -log=config.log -log_priority=debug
    

    The Select Configuration Option page of the Fusion Middleware Configuration Wizard is displayed.

  2. Select the Create and Configure Cell option, and click Next.

  3. In the Specify Cell, Profile and Node Information page, you can specify the default names, or you can provide new names. Enter the following values, and then click Next.

    • Cell Name: HOST_NAMECell01

    • Deployment Manager Profile Name: Dmgr01

    • Deployment Manager Node Name: HOST_NAMECellManager01

    • Application Server Profile Name: Custom01

    • Application Server Node Name: HOST_NAMENode01

  4. In the Specify Deployment Manager Information page, enter WebSphere administrator username and password. The WebSphere administrator username and password provided here will be used for logging into Oracle Identity Manager UI and for later configuration steps.

    Click Next.

  5. In the Add Products to Cell page, select the Oracle SOA Suite for WebSphere ND template, and click Next.

  6. In the Configure JDBC Component Schema page, provide the schema credentials that you created by using RCU. Complete the wizard by clicking Next until the end.

  7. Run the Fusion Middleware Configuration Wizard again. Select the Select and Configure Existing Cell option with the Dmgr profile created in the previous run.

  8. In the Add Products to Cell page, select the products that you want to add to the cell. On selecting the OIM template, the SOA/EM template and other dependent templates get selected by default. Make sure to select the correct WAS ND template for the WAS ND install. When finished, click Next.

  9. In the Configure JDBC Component Schema page, provide the Oracle Identity Manager schema credentials that you created in Oracle Identity Manager Release 9.x. Note that the connection test must succeed. If the Configuration Wizard cannot contact the database, then the Configuration Wizard might not generate the WebSphere files correctly, although an error might not be displayed.

    Click Next.

  10. Continue with the installation steps by clicking Next until the Test JDBC Component Schema page is displayed.

    The Oracle Identity Manager template and dependent templates create three servers: oim_server1, soa_server1, and OracleAdminServer. The oim, Nexaweb, OIMMetadata, and XIMDD applications are deployed on oim_server1.

4.5.4.5.2 Performing Manual Configuration Steps

Before you run the copy_jars.sh, seed_opss_permission.sh, and configure_nodeagent.sh scripts, ensure that the following environment variables are set so that the scripts do not prompt for them:

  • DMGR_PROFILE_ROOT: WebSphere Deployment Manager profile directory, for example, /opt/softwares/IBM/WebSphere/AppServer/profiles/Dmgr01/.

  • OIM_ORACLE_HOME: See Table 4-1, "Conventions Used in this Document".

  • WEBSPHERE_ADMIN: WebSphere administrator username.

  • WEBSPHERE_ADMIN_PASSWORD: WebSphere administrator password.

  • CELL_HOME_LOCATION: Location of the WebSphere cell home directory, for example, /opt/softwares/IBM/WebSphere/AppServer/profiles/Dmgr01/config/cells/HOST_NAMECell01.

  • DMGR_PROFILE_NAME: WebSphere Deployment Manager profile name, for example, Dmgr01.

  • DMGR_HOSTNAME: WebSphere Deployment Manager hostname.

  • DMGR_SOAP_PORT: WebSphere Deployment Manager SOAP port.

  • WAS_HOME: See Table 4-1, "Conventions Used in this Document".

  • COMMON_COMPONENTS_HOME: Oracle Middleware common directory, for example, /opt/softwares/IBM/WebSphere/oracle_common.

To perform the manual configuration steps before you use the Configuration Assistant:

  1. Copy the JAR files to the $WAS_HOME/lib/ext/ directory. To do so:

    1. Go to the OIM_ORACLE_HOME/server/wasconfig/ directory.

    2. Run the following command:

      ./copy_jars.sh
      
  2. Stop the Node Agent, start the Deployment Manager, and synchronize and start the Node Agent, as follows:

    $WAS_HOME/profiles/Custom01/bin/stopNode.sh -username USER_NAME -password PASSWORD
    $WAS_HOME/profiles/Dmgr01/bin/startManager.sh
    $WAS_HOME/profiles/Custom01/bin/syncNode.sh DMGR_HOST DMGR_SOAP_PORT -username USER_NAME -password PASSWORD
    $WAS_HOME/profiles/Custom01/bin/startNode.sh
    

    Use the username and password that you used for cell creation. The port numbers to be used during sync node are available in the $WAS_HOME/profiles/DMGR/logs/AboutThisProfile.txt file.

  3. Stop the servers and configure the database policy store. To do so:

    1. Go to the OIM_ORACLE_HOME/common/bin/ directory.

    2. Run the following command:

      ./wsadmin.sh -lang jython -profileName DMGR_PROFILE -f $OIM_ORACLE_HOME/common/tools/configureSecurityStoreWas.py -d $WAS_HOME/profiles/DMGR_PROFILE/config/cells/CELL_NAME -t DB_ORACLE -j cn=jpsroot -m create --passcode OPSS_SCHEMA_PASSWORD --config IAM
      

      Here, replace DMGR_PROFILE, CELL_NAME, and OPSS_SCHEMA_PASSWORD with appropriate values.

  4. Make sure that the node manager and node agent are running, as follows:

    $WAS_HOME/profiles/Dmgr01/bin/startManager.sh
    $WAS_HOME/profiles/Custom01/bin/startNode.sh
    
  5. Go to the OIM_HOME/server/wasconfig/ directory, and run the following commands:

    sh seed_opss_permission.sh
    

    And:

    sh configure_nodeagent.sh
    

    Note:

    The following error message is generated on running the seed_opss_permission.sh script:

    WASX7487E: Failed to import script libraries modules:
    /u02/Oracle/Middleware/oracle_common/common/wsadmin/wsmAgent.py; Examine the wsadmin log file to determine the problem.
    

    This is a benign error and can be ignored.

  6. Stop, synchronize, and start the node, as shown:

    $WAS_HOME/profiles/Custom01/bin/stopNode.sh -username USER_NAME -password PASSWORD
    $WAS_HOME/profiles/Custom01/bin/syncNode.sh DMGR_HOST DMGR_SOAP_PORT -username USER_NAME -password PASSWORD
    $WAS_HOME/profiles/Custom01/bin/startNode.sh
    $WAS_HOME/profiles/Custom01/bin/startServer.sh SOA_SERVER
    

    Use the same username and password that you used for cell creation.

4.5.4.5.3 Upgrading CSF Seeding

To upgrade CSF seeding by running the MT upgrade script in pre-config mode:

  1. Perform the following as prerequisites:

    • Copy .xldatabasekey to the WAS_HOME/profiles/Dmgr/config/cells/HOST_NAMECELL_NAME/fmwconfig/ directory.

    • Populate the MW_HOME/Oracle_IDM1/server/bin/oim_upgrade_input.properties file with the correct input properties. Table 4-16 lists the input properties and sample values.

      Table 4-16 Sample Input Values for upgrade_was.properties

      Input Property Sample Value

      Server type WebLogic/WebSphere

      server.type=was
      

      OIM connection string

      oim.jdbcurl=myhost.mydomain.com:PORT_NUMBER:oimdb
      

      OIM schema owner

      oim.oimschemaowner=oim91011
      

      MDS connection string

      oim.oimmdsjdbcurl=myhost.mydomain.com:PORT_NUMBER:oimdb
      

      MDS schema owner

      oim.mdsschemaowner=ws_mds
      

      Admin host name

      oim.adminhostname=myhost.mydomain.com
      

      Admin port

      oim.adminport=PORT_NUMBER
      

      Admin user name

      oim.adminUserName=wasadmin
      

      SOA host name

      oim.soahostmachine=soahost.mydomain.com
      

      SOA port

      oim.soaportnumber=PORT_NUMBER
      

      SOA user name

      oim.soausername=wasadmin
      

      Oracle OIM home

      oim.home=/scratch/wars2install/mw/Oracle_IDM1
      

      Middleware home

      oim.mw.home=/scratch/wars2install/mw
      

      SOA_HOME

      soa.home=/scratch/wars2install/mw/Oracle_SOA1
      

      WAS domain manager cell home

      wasCellHome=/scratch/wasr2install/was/profiles/Dmgr03/config/cells/HOST_NAMECell03
      

      MT in pre-config mode

      CSFSeed=true
      

      When CSFSeed=true, MT runs in pre-config mode, and the following properties are set:

      PRE_OIM_CONFIG=true
      POST_OIMCONFIG=false
      

      OIM 9x home location

      oim91Home=/installers/oim9101was/xellerate
      

      WebSphere home

      ws.home=/scratch/wars2Install/was
      

      WebSphere custom profile path

      ws.custom.path=WAS_HOME/profiles/Custom02
      

      Note:

      The WAS_HOME/profiles/Dmgr03/properties/portdef.props file contains all the port numbers relevant to the particular cell.

    • Set the JAVA_HOME environment variable to point to IBM_JDK.

  2. Go to the MW_HOME/Oracle_IDM1/server/bin/ directory, and run the OIMUpgrade.sh script, as shown:

    export JAVA_HOME=/scratch/wasr2install/was/java/
    ./OIMUpgrade.sh
    

    Note:

    • The log file for the script is MW_HOME/Oracle_IDM1/server/upgrade/logs/MT/OIMUpgradeTIME_STAMP.log.

    • Restarting any server is not required at this stage.

4.5.4.5.4 Upgrading Oracle Identity Manager Components

To upgrade Oracle Identity Manager components by running the Configuration Assistant:

  1. Start the Configuration Assistant by running the following command:

    cd $OIM_HOME/bin
    ./config.sh -jreLoc LOCATION_OF_IBM_JDK -DSHOW_APPSERVER_TYPE_SCREEN=true
    
  2. In the Components to Configure page of the Oracle Identity Management Configuration wizard, expand Oracle Identity Manager, and select OIM Server. Then, click Next.

  3. In the Database page, enter the database connect string and schema details. When finished, click Next.

  4. In the Application Server page, verify that WebSphere is selected. Then, click Next.

    Note:

    The application server type is selected by default if a SOA home has already been installed and the type has been set to WebSphere. If not, then select WebSphere as the application server type.

  5. In the WebSphere Details page, specify values for the following, and then click Next.

    • Cell Path: This is the WebSphere cell home location, which is $WAS_HOME/profiles/Dmgr01/config/cells/CELL_NAME. The default cell name is HOST_NAMECell01.

    • Admin URL: The WebSphere Admin URL port can be obtained from the Management bootstrap port entry in the $WAS_HOME/profiles/Dmgr01/logs/AboutThisProfile.txt file.

    • Admin Soap Port: This is the Admin SOAP port for the WebSphere Application Server.

    • Admin UserName: The same user name provided for cell creation.

    • Admin Password: The password provided for cell creation.

  6. In the OIM Server page, enter the Oracle Identity Manager server admin password, keystore password, and the URL information. Then, click Next.

  7. Continue with the steps of the wizard by clicking Next until the configuration completes.

  8. Copy wf_client_config.xml.template from the OIM_HOME/server/wasconfig/ directory to the WAS_HOME/lib/ext/ directory as wf_client_config.xml.

  9. Update the wf_client_config.xml file with the SOA Server hostname and its bootstrap port under the <serverURL> tag. The tag is in the following format:

    <serverURL>corbaloc:iiop:SOA_SERVER_HOSTNAME:SOA_SERVER_BOOTSTRAP_PORT</serverURL>
    

    For example:

    <serverURL>corbaloc:iiop:soahost.mycompany.com:2800</serverURL>
    
  10. Stop the SOA server, the node, and the Deployment Manager, then start the Deployment Manager, synchronize and start the node, and start the servers, as shown:

    $WAS_HOME/profiles/Custom01/bin/stopServer.sh SOA_SERVER -username USER_NAME -password PASSWORD
    $WAS_HOME/profiles/Custom01/bin/stopNode.sh -username USER_NAME -password PASSWORD
    $WAS_HOME/profiles/Dmgr01/bin/stopManager.sh -username USER_NAME -password PASSWORD
    $WAS_HOME/profiles/Dmgr01/bin/startManager.sh
    $WAS_HOME/profiles/Custom01/bin/syncNode.sh DMGR_HOST DMGR_SOAP_PORT -username USER_NAME -password PASSWORD
    $WAS_HOME/profiles/Custom01/bin/startNode.sh
    $WAS_HOME/profiles/Custom01/bin/startServer.sh OracleAdminServer
    $WAS_HOME/profiles/Custom01/bin/startServer.sh SOA_SERVER
    $WAS_HOME/profiles/Custom01/bin/startServer.sh OIM_SERVER
    

    Note:

    The username and password are the same that you used during cell creation.

    When finished, make sure that you start the respective managed servers.

4.5.4.6 Upgrading Features Using MT Upgrade Utility in Post-Config Mode

After the Oracle Identity Manager configuration is complete and all the servers, including the OIM server, have been started so that the default metadata is populated, you can upgrade all the features by using the MT upgrade utility in post-config mode.

To upgrade the features by using the MT upgrade utility in the post-config mode:

  1. Perform the following prerequisites:

    • Shut down Oracle Identity Manager after populating the default metadata.

    • Make sure that the Admin and SOA servers are up and running.

    • Populate the $MW_HOME/Oracle_IDM1/server/bin/oim_upgrade_input.properties file with the correct input properties. Table 4-17 lists the input parameters with sample values.

      Table 4-17 Input Parameters for upgrade_was.properties

      Input Parameter Sample Value

      Server type WebLogic/WebSphere

      server.type=was
      

      OIM connection string

      oim.jdbcurl=myhost.mydomain.com:PORT_NUMBER:oimdb
      

      OIM schema owner

      oim.oimschemaowner=oim9101
      

      MDS connection string

      oim.oimmdsjdbcurl=myhost.mydomain.com:PORT_NUMBER:oimdb
      

      MDS schema owner

      oim.mdsschemaowner=ws_mds
      

      Admin host name

      oim.adminhostname=myhost.mydomain.com
      

      Admin port

      oim.adminport=PORT_NUMBER
      

      Admin user name

      oim.adminUserName=wasadmin
      

      SOA host name

      oim.soahostmachine=soahost.mydomain.com
      

      SOA port

      oim.soaportnumber=SOA_PORT
      

      SOA user name

      oim.soausername=wasadmin
      

      Oracle OIM home

      oim.home=/scratch/wasr2install/mw/Oracle_IDM1
      

      Middleware home

      oim.mw.home=/scratch/wasr2install/mw
      

      SOA home

      soa.home=/scratch/wars2install/mw/Oracle_SOA1
      

      WebSphere domain manager cell home

      wasCellHome=/scratch/wasr2install/was/profiles/Dmgr03/config/cells/HOST_NAMECell03
      

      MT in post-config mode

      CSFSeed=false
      

      When CSFSeed=false, MT is run in post-config mode, and the following properties are set:

      PRE_OIM_CONFIG=false
      POST_OIMCONFIG=true
      

      Oracle Identity Manager Release 9.x home location

      oim91Home=/installers/oim9101was/xellerate
      

      WebSphere home

      ws.home=/scratch/wars2Install/was
      

      WebSphere custom profile path

      ws.custom.path=WAS_HOME/profiles/Custom02
      

      Note:

      The WAS_HOME/profiles/Dmgr03/properties/portdef.props file contains the port numbers relevant to the particular cell.

    • Set the JAVA_HOME and APPSERVER_TYPE environment variables. JAVA_HOME must point to IBM_JDK.

  2. Go to the MW_HOME/Oracle_IDM1/server/bin/ directory, and run the OIMUpgrade.sh script, as shown:

    export JAVA_HOME=/scratch/wasr2install/was/java/
    ./OIMUpgrade.sh
    

    Note:

    The log file for the script is MW_HOME/Oracle_IDM1/server/upgrade/logs/MT/OIMUpgradeTIME_STAMP.log.

  3. Analyze the Feature Upgrade Summary Report. Start the Oracle Identity Manager Managed Servers, and access the application.

Note:

After upgrading features using MT Upgrade Utility in post-config mode, you must perform the post upgrade configuration steps as described in Section 4.5.6, "Performing Postupgrade Configuration After Upgrade From Release 9.x".

4.5.5 Upgrading Oracle Identity Manager Release 9.x to 11g Release 2 (11.1.2.2.0) for a Clustered Deployment

This section describes how to upgrade Oracle Identity Manager Release 9.x to 11g Release 2 (11.1.2.2.0) on IBM WebSphere for a clustered deployment. By performing the steps in this section, you will create a configuration as described in Table 4-18.

Table 4-18 Overview of Clustered Configuration

Deployment Manager Machine      WebSphere Node 2 Machine    Design Console Machine

WebSphere Deployment Manager    WebSphere Node 2            Oracle Identity Manager Design Console
WebSphere Node 1                OIM_SERVER_2
Oracle AdminServer              SOA_SERVER_2
OIM_SERVER_1
SOA_SERVER_2

To upgrade Oracle Identity Manager Release 9.x to 11g Release 2 (11.1.2.2.0) on WebSphere for a clustered configuration:

  1. Create the database schema, as described in Section 2.3, "Task 3: Identify a Database and Install the Required Database Schemas".

  2. Create and load the Identity Management - Oracle Identity Manager dependent schema into the database by using the Oracle Fusion Middleware Repository Creation Utility (RCU). For more information, refer to the following documents:

    • Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management

    • Oracle Fusion Middleware Repository Creation Utility User's Guide

    Note:

    Make sure to create the Oracle Identity Manager dependent schemas only. The Oracle Identity Manager schema itself is reused from the Release 9.x environment.
  3. Configure IHS, install IBM WebSphere Application Server, install IBM WebSphere Application Client, install Oracle SOA Suite 11.1.1.7.0 and apply SOA patches, and install Oracle Identity Manager, as described in steps 3 through 7 of Section 4.3.2, "Installing Oracle Identity Manager for a Clustered Configuration".

    In addition, after installing Oracle Identity Manager binaries, apply Oracle Identity Manager patches, as described in Section 4.5.4.2, "Installing Oracle Identity Manager and Applying Patches". Apply the Oracle Identity Manager patches on all nodes in the cluster on which Oracle Identity Manager is installed.

    Note:

    On all nodes in the cluster on which Oracle Identity Manager is installed, apply the relevant Oracle Identity Manager patches, as described in section "Mandatory Patches Required for Installing Oracle Identity Manager" of the Oracle Fusion Middleware Release Notes.
  4. On the Deployment Manager Machine, upgrade Oracle Identity Manager schema. To do so:

    1. Perform the following as prerequisites:

      • Create a backup of Oracle Identity Manager Release 9.x schema.

      • Run OSI DATA Upgrade by using the OSI Data Upgrade Utility.

      • Set the JAVA_HOME environment variable.

    2. Go to the ORACLE_HOME/bin/ directory, and run the ua script as follows:

      ./ua
      
    3. On the Specify Operation screen, select Upgrade Oracle Identity Manager Schema, and click Next.

    4. On the Specify OIM Database screen, provide the database details, and click Next.

    5. Complete the remaining steps of the wizard.

  5. Upgrade OPSS schema, create Oracle Identity Manager cell, run the copy_jars.sh script, configure database policy store, perform database policy migration, execute the seed_opss_permission.sh script, and add JVM properties, as described in steps 8 through 19 of Section 4.3.2, "Installing Oracle Identity Manager for a Clustered Configuration".

  6. On the Deployment Manager Machine, run Middle-Tier upgrade in pre-config mode (CSF seeding). To do so:

    1. Perform the following prerequisites:

      • Copy .xldatabasekey to the WAS_HOME/profiles/Dmgr/config/cells/HOST_NAMECELL_NAME/fmwconfig/ directory.

      • Make sure that the Admin and SOA servers are up and running.

      • Populate the $MW_HOME/Oracle_IDM1/server/bin/oim_upgrade_input.properties file with the correct input properties. Table 4-19 lists the input parameters with sample values.

        Table 4-19 Input Parameters for upgrade_was.properties

        Input Parameter Sample Value

        Server type WebLogic/WebSphere

        server.type=was
        

        OIM connection string

        oim.jdbcurl=myhost.mydomain.com:PORT_NUMBER:oimdb
        

        OIM schema owner

        oim.oimschemaowner=oim91011
        

        MDS connection string

        oim.oimmdsjdbcurl=myhost.mydomain.com:PORT_NUMBER:oimdb
        

        MDS schema owner

        oim.mdsschemaowner=ws_mds
        

        Admin host name

        oim.adminhostname=myhost.mydomain.com
        

        Admin port

        oim.adminport=PORT_NUMBER
        

        Admin user name

        oim.adminUserName=wasadmin
        

        SOA host name

        oim.soahostmachine=soahost.mydomain.com
        

        SOA port

        oim.soaportnumber=SOA_PORT
        

        SOA user name

        oim.soausername=wasadmin
        

        Oracle OIM home

        oim.home=/scratch/wasr2install/mw/Oracle_IDM1
        

        Middleware home

        oim.mw.home=/scratch/wasr2install/mw
        

        SOA home

        soa.home=/scratch/wars2install/mw/Oracle_SOA1
        

        WebSphere domain manager cell home

        wasCellHome=/scratch/wasr2install/was/profiles/Dmgr03/config/cells/HOST_NAMECell03
        

        MT in pre-config mode

        CSFSeed=true
        

        When CSFSeed=true, MT is run in pre-config mode, and the following properties are set:

        PRE_OIM_CONFIG=true
        POST_OIMCONFIG=false
        

        Oracle Identity Manager Release 9.x home location

        oim91Home=/installers/oim9101was/xellerate
        

        Note:

        The WAS_HOME/profiles/Dmgr03/properties/portdef.props file contains the port numbers relevant to the particular cell.
      • Set the JAVA_HOME environment variable to point to IBM_JDK.

    2. Go to the MW_HOME/Oracle_IDM1/server/bin/ directory, and run the OIMUpgrade.sh script, as shown:

      ./OIMUpgrade.sh
      

      Note:

      • The log file for the script is MW_HOME/Oracle_IDM1/server/upgrade/logs/MT/OIMUpgradeTIME_STAMP.log.

      • Restarting any server is not required at this stage.

  7. Configure Oracle Identity Manager server and optionally the Remote Manager, as described in steps 21 through 23 of Section 4.3.2, "Installing Oracle Identity Manager for a Clustered Configuration".

  8. On the Deployment Manager Machine, run the MT Upgrade Utility in post-config mode.

    After Oracle Identity Manager configuration is complete and all the servers, including the OIM server, are up so that the default metadata is populated, you can upgrade all the features by using the MT upgrade utility in post-config mode.

    To upgrade the features by using the MT upgrade utility in the post-config mode:

    1. Perform the following prerequisites:

      • Shut down Oracle Identity Manager after populating the default metadata.

      • Make sure that the Admin and SOA servers are up and running.

      • Populate the $MW_HOME/Oracle_IDM1/server/bin/oim_upgrade_input.properties file with the correct input properties. Table 4-20 lists the input parameters with sample values.

        Table 4-20 Input Parameters for upgrade_was.properties

        Input Parameter Sample Value

        Server type WebLogic/WebSphere

        server.type=was
        

        OIM connection string

        oim.jdbcurl=myhost.mydomain.com:PORT_NUMBER:oimdb
        

        OIM schema owner

        oim.oimschemaowner=oim9101
        

        MDS connection string

        oim.oimmdsjdbcurl=myhost.mydomain.com:PORT_NUMBER:oimdb
        

        MDS schema owner

        oim.mdsschemaowner=ws_mds
        

        Admin host name

        oim.adminhostname=myhost.mydomain.com
        

        Admin port

        oim.adminport=PORT_NUMBER
        

        Admin user name

        oim.adminUserName=wasadmin
        

        SOA host name

        oim.soahostmachine=soahost.mydomain.com
        

        SOA port

        oim.soaportnumber=SOA_PORT
        

        SOA user name

        oim.soausername=wasadmin
        

        Oracle OIM home

        oim.home=/scratch/wasr2install/mw/Oracle_IDM1
        

        Middleware home

        oim.mw.home=/scratch/wasr2install/mw
        

        SOA home

        soa.home=/scratch/wars2install/mw/Oracle_SOA1
        

        WebSphere domain manager cell home

        wasCellHome=/scratch/wasr2install/was/profiles/Dmgr03/config/cells/HOST_NAMECell03
        

        MT in post-config mode

        CSFSeed=false
        

        When CSFSeed=false, MT is run in post-config mode, and the following properties are set:

        PRE_OIM_CONFIG=false
        POST_OIMCONFIG=true
        

        Oracle Identity Manager Release 9.x home location

        oim91Home=/installers/oim9101was/xellerate
        

        WebSphere home

        ws.home=/scratch/wars2Install/was
        

        WebSphere custom profile path

        ws.custom.path=WAS_HOME/profiles/Custom02
        

        Note:

        The WAS_HOME/profiles/Dmgr03/properties/portdef.props file contains the port numbers relevant to the particular cell.
      • Set the JAVA_HOME and APPSERVER_TYPE environment variables. JAVA_HOME must point to IBM_JDK.

    2. Go to the MW_HOME/Oracle_IDM1/server/bin/ directory, and run the OIMUpgrade.sh script, as shown:

      export JAVA_HOME=/scratch/wasr2install/was/java/
      ./OIMUpgrade.sh
      

      Note:

      The log file for the script is MW_HOME/Oracle_IDM1/server/upgrade/logs/MT/OIMUpgradeTIME_STAMP.log.
    3. Analyze the Feature Upgrade Summary Report. Start the Oracle Identity Manager Managed Servers, and access the application.

  9. Perform steps 24 through 41 of Section 4.3.2, "Installing Oracle Identity Manager for a Clustered Configuration" to complete the upgrade process.
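
Mistakes in oim_upgrade_input.properties, such as a placeholder such as PORT_NUMBER or SOA_PORT left in place, or a CSFSeed value that contradicts PRE_OIM_CONFIG and POST_OIMCONFIG, are easy to catch before OIMUpgrade.sh is run. The following script is an added example and is not part of the Oracle documentation or the product: it reads the properties file, confirms that the keys from Tables 4-19 and 4-20 are present for the chosen mode, checks that CSFSeed agrees with the two mode flags and that server.type is was, and flags unresolved placeholders. The embedded sample file, including its hostnames, ports and paths, is constructed and deliberately contains three mistakes.

```python
"""Sanity-check oim_upgrade_input.properties before running OIMUpgrade.sh.

Added example, not part of the Oracle documentation or product. It checks
the keys listed in Tables 4-19 and 4-20, that CSFSeed agrees with
PRE_OIM_CONFIG / POST_OIMCONFIG for the chosen mode, that server.type is
'was', and that no table placeholder (PORT_NUMBER, SOA_PORT, ...) survives.
The sample file at the bottom is constructed.
"""
import re
import sys

# Keys both modes need (Tables 4-19 and 4-20).
COMMON_KEYS = (
    "server.type", "oim.jdbcurl", "oim.oimschemaowner", "oim.oimmdsjdbcurl",
    "oim.mdsschemaowner", "oim.adminhostname", "oim.adminport",
    "oim.adminUserName", "oim.soahostmachine", "oim.soaportnumber",
    "oim.soausername", "oim.home", "oim.mw.home", "soa.home", "wasCellHome",
    "CSFSeed", "PRE_OIM_CONFIG", "POST_OIMCONFIG", "oim91Home",
)
# Keys only the post-config run (CSFSeed=false, Table 4-20) needs.
POST_CONFIG_KEYS = ("ws.home", "ws.custom.path")
# Placeholder tokens from the tables that must be replaced with real values.
PLACEHOLDERS = ("PORT_NUMBER", "SOA_PORT", "HOST_NAME", "WAS_HOME")


def parse_properties(text):
    """Minimal java.util.Properties reader: '#'/'!' comments, key=value or key:value."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def validate(props):
    """Return a list of problems; an empty list means the file is consistent."""
    problems = []
    seed = props.get("CSFSeed", "").lower()
    required = list(COMMON_KEYS) + (list(POST_CONFIG_KEYS) if seed == "false" else [])
    problems += ["missing key: %s" % k for k in required if k not in props]
    if seed not in ("true", "false"):
        problems.append("CSFSeed must be true (pre-config) or false (post-config)")
    else:
        want_pre, want_post = ("true", "false") if seed == "true" else ("false", "true")
        if (props.get("PRE_OIM_CONFIG", "").lower() != want_pre
                or props.get("POST_OIMCONFIG", "").lower() != want_post):
            problems.append("CSFSeed=%s requires PRE_OIM_CONFIG=%s and POST_OIMCONFIG=%s"
                            % (seed, want_pre, want_post))
    if props.get("server.type") != "was":
        problems.append("server.type must be 'was' on IBM WebSphere")
    for key, value in props.items():
        if any(tok in value for tok in PLACEHOLDERS):
            problems.append("unresolved placeholder in %s=%s" % (key, value))
    return problems


# Constructed sample for a post-config run; hostnames, ports and paths are made up.
SAMPLE_POST_CONFIG = """\
# constructed sample, post-config mode (keys follow Table 4-20)
server.type=was
oim.jdbcurl=myhost.mydomain.com:1521:oimdb
oim.oimschemaowner=oim9101
oim.oimmdsjdbcurl=myhost.mydomain.com:1521:oimdb
oim.mdsschemaowner=ws_mds
oim.adminhostname=myhost.mydomain.com
oim.adminport=8879
oim.adminUserName=wasadmin
oim.soahostmachine=soahost.mydomain.com
oim.soaportnumber=SOA_PORT
oim.soausername=wasadmin
oim.home=/scratch/wasr2install/mw/Oracle_IDM1
oim.mw.home=/scratch/wasr2install/mw
soa.home=/scratch/wasr2install/mw/Oracle_SOA1
wasCellHome=/scratch/wasr2install/was/profiles/Dmgr03/config/cells/myhostCell03
CSFSeed=false
PRE_OIM_CONFIG=true
POST_OIMCONFIG=true
oim91Home=/installers/oim9101was/xellerate
ws.home=/scratch/wasr2install/was
"""

if __name__ == "__main__":
    # Usage: python check_oim_upgrade_props.py [path/to/oim_upgrade_input.properties]
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            text = fh.read()
    else:
        text = SAMPLE_POST_CONFIG
    for problem in validate(parse_properties(text)) or ["no problems found"]:
        print(problem)
```

Run against the real file before each of the two OIMUpgrade.sh runs; the same checks apply to the pre-config run, where CSFSeed=true must be paired with PRE_OIM_CONFIG=true and POST_OIMCONFIG=false and the ws.* keys are not required.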

4.5.6 Performing Postupgrade Configuration After Upgrade From Release 9.x

After upgrading Oracle Identity Manager Release 9.x to 11g Release 2 (11.1.2.2.0), perform the mandatory post-upgrade tasks described in "Performing Post-Upgrade Tasks" in the Oracle Fusion Middleware Upgrade Guide for Oracle Identity and Access Management. In addition, perform the following post-upgrade tasks after upgrading on IBM WebSphere:

Note:

For a clustered deployment, perform the mandatory post-upgrade tasks on the first node of the cluster, which is the Deployment Manager Machine.

4.5.6.1 Customizing the UI to Mark Attributes as Required

After upgrading Oracle Identity Manager Release 9.x to 11g Release 2 (11.1.2.2.0), the upgraded metadata files mark certain attributes as mandatory, but these attributes are not marked as required in the UI. For example, the upgraded metadata files for the create user operation, such as CreateUserDataSet.xml and User.xml, have the first name and user login attributes as mandatory, but these attributes are not marked as required in the UI.

For fields that you want to retain as required, such as First Name and User Login, on a screen, perform the following steps:

  1. Create a sandbox and activate it.

  2. Go to the specific screen, for example Create User, enter values in the existing mandatory fields, and then click Customize at the top.

  3. On the Composer menu, select View, Source.

  4. Click the field, and then confirm to edit taskflow. Click Edit to open the Component Properties dialog box.

  5. On the Component Properties dialog box, select the option for the Required property.

  6. For the Required property, open the Expression Editor and enter true as the value.

  7. Click Apply, and then click OK.

  8. On the Composer toolbar, click Close, and test your changes.

  9. Export and publish the sandbox.

4.5.6.2 Configuring Transaction Timeout

Verify that the transaction timeout properties are set in WebSphere for Oracle Identity Manager server. See Section 4.4.1, "Configuring Transaction Timeout Properties" for information about configuring transaction timeout properties.

4.5.6.3 Deploying the Diagnostic Dashboard

To deploy the Diagnostic Dashboard after upgrade:

  1. Log in to the IBM WebSphere Administrative Console.

  2. Expand Applications, and click WebSphere enterprise applications.

  3. Click Install.

  4. Select Remote file system.

  5. Enter the complete path to the XIMDD.ear file. The XIMDD.ear file is available in the $OIM_HOME/server/webapp/optional/ directory. Then, click Next.

  6. Select Fast Path to install the application.

  7. Click Next in the Select installation options.

  8. Select the Select option in the Map modules to servers page, and click Next.

  9. Select Module (XIMDD.ear). In Clusters and Server section, select server (oim_server1), and click Apply. Then, click Next.

  10. Click Next in the Map virtual hosts for Web modules page.

  11. Click Finish in the Summary page.

  12. Save the changes.

4.5.6.4 Deploying SPML DSML

To deploy SPML DSML after upgrade:

  1. Log in to the IBM WebSphere Administrative Console.

  2. Expand Applications, and click WebSphere enterprise applications.

  3. Click Install.

  4. Select Remote file system.

  5. Enter the complete path to the spml-dsml.ear file. The spml-dsml.ear file is available in the $OIM_HOME/server/apps/was/ directory. Then, click Next.

  6. Select Fast Path to install the application.

  7. Click Next in the Select installation options.

  8. Select the Select option in the Map modules to servers page, and click Next.

  9. Select Module (spml-dsml.ear). In Clusters and Server section, select the server (oim_server1), and click Apply. Then, click Next.

  10. Click Next in the Map virtual hosts for Web modules page.

  11. Click Finish in the Summary page.

  12. Save the changes.

4.6 Handling Lifecycle Management Changes on IBM WebSphere

Because of integrated deployment of Oracle Identity Manager with other applications, such as Oracle Access Management (OAM), and configuration changes in those applications, various configuration changes might be required in Oracle Identity Manager and IBM WebSphere Application Server. These configuration changes are described in the following sections:

4.6.1 URL Changes Related to Oracle Identity Manager

Oracle Identity Manager uses various hostnames and ports in its configuration because of architectural and middleware requirements. This section describes how to make the corresponding changes in the Oracle Identity Manager and IBM WebSphere Application Server configuration for any change in the integrated and dependent applications.

This section contains the following topics:

4.6.1.1 Oracle Identity Manager Database Host and Port Changes

This section describes the configuration areas where database hostname and port number are used.

After installing Oracle Identity Manager, if there are any changes in the database hostname or port number, then the following changes are required:

Note:

Before making changes to the database host and port, shut down the managed servers hosting Oracle Identity Manager. You can keep the IBM WebSphere Administrative Server running.
  • To change datasource oimJMSStoreDS configuration:

    1. Navigate to Resources, JDBC, Data Sources, and then oimJMSStoreDS.

    2. Modify the values of the URL to reflect the changes to database host and port.

  • To change datasource ApplicationDB configuration:

    1. Navigate to Resources, JDBC, Data Sources, and then applicationDB.

    2. Modify the values of the URL to reflect the changes to database host and port.

  • To change datasource oimOperationsDB configuration:

    1. Navigate to Resources, JDBC, Data Sources, and then oimOperationsDB.

    2. Modify the values of the URL to reflect the changes to database host and port.

  • To change the datasource related to Oracle Identity Manager Meta Data Store (MDS) configuration:

    1. Navigate to Services, JDBC, Data Sources, and then mds-oim.

    2. Modify the values of the URL and Properties fields to reflect the changes in the database host and port.

  • To change Custom Registry configuration:

    1. In IBM WebSphere Administrative console, navigate to Security, Global security.

    2. Click Configure next to the Standalone custom registry.

    3. Select DBUrl, and then click Edit.

    4. Modify the value of the DBUrl field to reflect the change in hostname and port.

    Note:

    If Service Oriented Architecture (SOA) and Oracle Web Services Manager (OWSM) undergo configuration changes, then you must make similar changes for datasources related to SOA or OWSM.

    After making changes in the datasources, restart the IBM WebSphere Application Server, and start the Oracle Identity Manager Managed WebSphere servers.

    Note:

    Whenever Oracle Identity Manager application configuration information is to be changed by using the OIM App Config MBeans from the Enterprise Manager (EM) console, at least one of the Oracle Identity Manager Managed Servers must be running. Otherwise, none of the OIM App Config MBeans are visible in the EM console.
  • To change DirectDB configuration:

    1. Log in to Enterprise Manager by using the following URL:

      http://ORACLE_ADMIN_SERVER/em

    2. Navigate to Websphere Cell, OIM server.

    3. Right-click OIM server, and select System MBean Browser.

    4. In the System MBean Browser, navigate to Application Defined MBeans.

    5. Navigate to oracle.iam, Application:oim, XMLConfig, Config, XMLConfig.DirectDBConfig, and then DirectDB.

    6. Enter the new value for the URL attribute to reflect the changes to host and port, and then apply the changes.

    Note:

    When an Oracle Identity Manager single-instance deployment is changed to Oracle Real Application Clusters (Oracle RAC), or an Oracle RAC deployment is changed to a single instance, change the oimJMSStoreDS, oimOperationsDB, and mds-oim datasources. In addition to the generic changes that convert these datasources to a multi-datasource configuration, change the Custom Registry and domain credential store configurations to reflect the Oracle RAC URL. For information about these generic changes, see Oracle Fusion Middleware High Availability Guide.

4.6.1.2 Oracle Virtual Directory Host and Port Changes

When LDAP synchronization is enabled, Oracle Identity Manager connects with directory servers through Oracle Virtual Directory (OVD). This connection takes place by using LDAP/LDAPS protocol.

To change OVD host and port:

  1. Log in to Oracle Identity System Administration.

  2. Under Configuration, click IT Resource.

  3. From the IT Resource Type list, select Directory Server, and click Search.

  4. Edit the Directory Server IT resource. To do so:

    1. If the value of the Use SSL field is set to False, then edit the Server URL field. If the value of the Use SSL field is set to True, then edit the Server SSL URL field.

    2. Click Update.

4.6.1.3 Oracle Identity Manager Host and Port Changes

This section consists of the following topic:

Note:

When additional Oracle Identity Manager nodes are added or removed, perform the procedures described in this section to configure Oracle Identity Manager host and port changes.
4.6.1.3.1 Changing OimFrontEndURL in Oracle Identity Manager Configuration

The OimFrontEndURL is the URL used to access the Oracle Identity Manager UI. It can be a load balancer URL or a Web server URL, depending on whether the application server is fronted by a load balancer or a Web server, or it can be the URL of a single application server. Oracle Identity Manager uses it in notification e-mails and as the callback URL for SOA calls.

The change may be necessary because of a change in the Web server hostname or port for an Oracle Identity Manager deployment in a clustered environment, or a change in the WebSphere managed server hostname or port for a deployment in a nonclustered environment.

To change the OimFrontEndURL in the Oracle Identity Manager configuration:

  1. Log in to Enterprise Manager by using the following URL when the Oracle Admin Server and Oracle Identity Manager managed servers, at least one of the servers in case of a clustered deployment, are running:

    http://ORACLE_ADMIN_SERVER/em

  2. Navigate to WebSphere Cell, OIM server.

  3. Right-click OIM server, and navigate to System MBean Browser.

  4. Under Application Defined MBeans, navigate to oracle.iam, Application:oim, XMLConfig, Config, XMLConfig.DiscoveryConfig, and then Discovery.

  5. Enter the new value for the OimFrontEndURL attribute, and click Apply to save the changes. Example values:

    http://myoim.mydomain.com

    https://myoim.mydomain.com

    http://myserver.mydomain.com:7001

    Note:

    SPML clients store the Oracle Identity Manager URL for invoking SPML and sending the callback response, so corresponding changes are required in those clients. In addition, if Oracle Identity Manager is integrated with OAM, OAAM, or Oracle Identity Navigator (OIN), corresponding changes may be necessary there as well. For more information, refer to the OAM, OAAM, and OIN documentation on the Oracle Technology Network (OTN) Web site.

4.6.1.4 SOA Host and Port Changes

To change the SOA host and port:

Note:

When additional SOA nodes are added or removed, perform this procedure to change the SOA host and port.
  1. Log in to Enterprise Manager by using the following URL when the Oracle Admin Server and Oracle Identity Manager managed servers, at least one of the servers in case of a clustered deployment, are running:

    http://ORACLE_ADMIN_SERVER/em

  2. Navigate to Websphere Cell, OIM server.

  3. Right-click OIM server, and navigate to System MBean Browser.

  4. Under Application Defined MBeans, navigate to oracle.iam, Application:oim, XMLConfig, Config, XMLConfig.SOAConfig, SOAConfig.

  5. Change the values of the Rmiurl attribute, and click Apply to save the changes.

    The Rmiurl attribute is used for accessing SOA EJBs deployed on SOA managed servers. This is the application server URL. Example values for this attribute can be:

    corbaloc:iiop:mysoa1.mydomain.com:2800
    corbaloc:iiop:mysoa1.mydomain.com:2800,:mysoa2.mydomain.com:2801
    corbaloc:iiop:mysoa1.mydomain.com:2800,:mysoa2.mydomain.com:2801,:mysoa3.mydomain.com:2802
    

    Note:

    The $WAS_HOME/lib/ext/wf_client_config.xml file must be modified with similar changes.
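
The Rmiurl value is a corbaloc address list, and the note above asks for the same hosts and ports to be kept in wf_client_config.xml. The following helper is an added example and is not Oracle or IBM code: it builds a corbaloc:iiop address list from (host, port) pairs in the form shown in this section, parses an existing value back into host and port pairs, rejects a malformed entry such as a stray space after ",:", and compares two such lists so the SOAConfig value and a second copy can be checked against each other. The hostnames and ports are constructed sample values, and the comparison assumes the second copy is also written as a corbaloc URL.

```python
"""Build, parse and compare the corbaloc address list used for SOAConfig Rmiurl.

Added example, not Oracle or IBM code. The format is the one shown in
Section 4.6.1.4: the first address carries the 'iiop' protocol tag and each
further address is written as ',:host:port'. Hostnames and ports are
constructed sample values.
"""
import re

# One address: optional 'iiop' tag, then ':host:port'. Whitespace is not allowed.
_ADDR = re.compile(r"^(?:iiop)?:(?P<host>[^:,/\s]+):(?P<port>\d{1,5})$")


def _check_port(port, host):
    """Return port as int, rejecting values outside 1..65535."""
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError("invalid port %r for host %s" % (port, host))
    return port


def build_rmiurl(endpoints):
    """Return 'corbaloc:iiop:h1:p1,:h2:p2,...' for an iterable of (host, port)."""
    endpoints = list(endpoints)
    if not endpoints:
        raise ValueError("at least one SOA endpoint is required")
    parts = []
    for i, (host, port) in enumerate(endpoints):
        tag = "iiop" if i == 0 else ""          # later entries use the empty tag
        parts.append("%s:%s:%d" % (tag, host, _check_port(port, host)))
    return "corbaloc:" + ",".join(parts)


def parse_rmiurl(url):
    """Return [(host, port), ...]; raise ValueError for anything malformed,
    including a stray space after ',:' or a missing port."""
    if not url.startswith("corbaloc:"):
        raise ValueError("not a corbaloc URL: %r" % url)
    body = url[len("corbaloc:"):].split("/", 1)[0]  # drop an optional object key
    endpoints = []
    for addr in body.split(","):
        m = _ADDR.match(addr)
        if not m:
            raise ValueError("malformed address %r in %r" % (addr, url))
        endpoints.append((m.group("host"), _check_port(m.group("port"), m.group("host"))))
    return endpoints


def same_endpoints(url_a, url_b):
    """True when two corbaloc URLs name the same set of host:port endpoints,
    regardless of order (e.g. the SOAConfig value and the copy kept elsewhere)."""
    return set(parse_rmiurl(url_a)) == set(parse_rmiurl(url_b))


if __name__ == "__main__":
    # Constructed SOA nodes; the second node is added the way a cluster grows.
    soa_nodes = [("mysoa1.mydomain.com", 2800), ("mysoa2.mydomain.com", 2801)]
    url = build_rmiurl(soa_nodes)
    print(url)
    print(parse_rmiurl(url))
```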

4.6.1.5 OAM Host and Port Changes

To change the OAM host and port:

  1. Log in to Enterprise Manager by using the following URL when the Oracle Admin Server and Oracle Identity Manager managed servers, at least one of the servers for a clustered deployment, are running:

    http://ORACLE_ADMIN_SERVER/em

  2. Navigate to Websphere Cell, and then to OIM server.

  3. Right-click OIM server, and navigate to System MBean Browser.

  4. Under Application Defined MBeans, navigate to oracle.iam, Application:oim, XMLConfig, Config, XMLConfig.SSOConfig, and then SSOConfig.

  5. Change the values of the AccessServerHost and AccessServerPort attributes and other attributes as required, and click Apply to save the changes.

4.6.2 Password Changes Related to Oracle Identity Manager

Various passwords are used in the Oracle Identity Manager configuration because of architectural and middleware requirements. This section describes the default passwords and how to change the passwords in the Oracle Identity Manager and Oracle WebLogic configuration for any change in the dependent or integrated products.

This section consists of the following topics:

4.6.2.1 Changing IBM WebSphere Administrator Password

To change IBM WebSphere administrator password:

  1. Log in to Oracle Identity Self Service as System Administrator.

  2. Search for WebSphere Administrator User.

  3. Click Reset Password.

  4. Enter new password and confirm new password.

  5. Click Reset Password.

4.6.2.2 Changing Oracle Identity Manager Administrator Password

During Oracle Identity Manager installation, the installer prompts for the Oracle Identity Manager administrator password. If required, you can change the administrator password after the installation is complete. To do so, you must log in to Oracle Identity Self Service as the System Administrator. In addition, change the password in CSF for entry sysadmin under the map 'oim'.

Note:

If OAM or OAAM is integrated with Oracle Identity Manager, then you might have to make corresponding changes in those applications. For more information, refer to OAM and OAAM documentation in the Oracle Documentation web site by using the following URL:

http://docs.oracle.com/

Tip:

To ensure optimum performance during password reset in Oracle Identity Manager on WebSphere, update the following JVM args for oim_server by using IBM WebSphere Administrative Console:
-Doracle.dms.transtrace.level=NONE 
-Doracle.dms.transtrace.uri=NONE
-Doracle.dms.context.dumbasastump=true 
-Doracle.dms.sensors=none
-Doracle.dms.context=OFF

4.6.2.3 Changing Oracle Identity Manager Database Password

Oracle Identity Manager uses two database schemas for storing Oracle Identity Manager operational and configuration data. It uses Oracle Identity Manager MDS schema for storing configuration-related information and Oracle Identity Manager schema for storing other information. Any change in the schema password requires changes on Oracle Identity Manager configuration.

Changing Oracle Identity Manager database password involves the following:

Note:

Before changing the database password, shut down the managed servers that host Oracle Identity Manager.
  • To change datasource oimJMSStoreDS configuration:

    1. Navigate to Resources, JDBC, Data Sources, oimJMSStoreDS.

    2. Click the JAAS - J2C authentication data link.

    3. Click the CELL_NAME/oimJMSStoreDS_alias link.

    4. In the Password field, enter the new Oracle Identity Manager database schema password.

    5. Click Apply to save the changes.

  • To change datasource oimOperationsDB configuration:

    1. Navigate to Resources, JDBC, Data Sources, oimJMSStoreDS.

    2. Click the JAAS - J2C authentication data link.

    3. Click the CELL_NAME/oimOperationDB_alias link.

    4. In the Password field, enter the new Oracle Identity Manager database schema password.

    5. Click Apply to save the changes.

  • To change datasource related to Oracle Identity Manager MDS configuration:

    1. Navigate to Resources, JDBC, Data Sources, mds-oim.

    2. Click the JAAS - J2C authentication data link.

    3. Click the CELL_NAME/oimJMSStoreDS_alias link.

    4. In the Password field, enter the new Oracle Identity Manager database schema password.

    5. Click Apply to save the changes.

    Note:

    • For Oracle Identity Manager deployments with Oracle Real Application Clusters (Oracle RAC) configuration, you might have to make changes in all the datasources under the respective multi-datasource configurations.

    • You might have to make similar changes for datasources related to SOA or OWSM, if required.

  • To change cell credential store configuration:

    1. Log in to Enterprise Manager by using the following URL:

      http://ADMIN_SERVER/em

    2. Click WebSphere Cell, Security, and then click Credentials.

    3. Expand oim, and select OIMSchemaPassword, and click Edit.

    4. In the Password field, enter the new password, and click OK.

After changing the Oracle Identity Manager database password, restart the WebSphere Administrative Server, and then start the Oracle Identity Manager Managed WebSphere Server as well.

4.6.2.4 Changing Oracle Identity Manager Passwords in the Credential Store Framework

Oracle Identity Manager installer stores several passwords during the install process. Various values are stored in Credential Store Framework (CSF) as key and value. Table 4-21 lists the keys and the corresponding values:

Table 4-21 CSF Keys

Key Description

DataBaseKey

The password for the key used to encrypt the database. The password is the value entered in the installer for the Oracle Identity Manager keystore.

.xldatabasekey

The password for keystore that stores the database encryption key. The password is the user input value in the installer for the Oracle Identity Manager keystore.

xell

The password for key 'xell', which is used for securing communication between Oracle Identity Manager components. Default password generated by Oracle Identity Manager installer is xellerate.

default_keystore.jks

The password for the default_keystore.jks JKS keystore in the CELL_HOME/config/fmwconfig/ directory. The password is the user input value in the installer for the Oracle Identity Manager keystore.

SOAAdminPassword

The value entered in the installer for the SOA Administrator Password field.

OIMSchemaPassword

The password for connecting to the Oracle Identity Manager database schema. It is the value entered in the installer for the OIM Database Schema Password field.

JMSKey

The password is the user input value in the installer for the Oracle Identity Manager keystore.


To change the values of the CSF keys:

  1. Log in to Enterprise Manager.

  2. Click WebSphere Cell.

  3. Navigate to Security, and then Credential.

  4. Expand oim. The list of all the key and value pairs for Oracle Identity Manager is displayed. You can edit and change the values.

4.6.2.5 Changing OVD Password

To change the OVD password:

  1. Log in to Oracle Identity System Administration.

  2. Under Configuration, click IT Resource.

  3. From the IT Resource Type list, select Directory Server.

  4. Click Search.

  5. Edit the Directory Server IT resource. To do so, in the Admin Password field, enter the new OVD password, and click Update.

4.6.3 Configuring SSL for Oracle Identity Manager

This section describes the procedure for generating keys, signing and exporting certificates, setting up the SSL configuration for Oracle Identity Manager and for the components with which Oracle Identity Manager interacts, and establishing secure communication between them. It includes the following topics:

Note:

  • SSL communication between SOA Server and Oracle Identity Manager is not supported for IBM WebSphere Application Server.

  • Before configuring SSL for Oracle Identity Manager, you must generate keys, sign the certificates, and export and import the certificates. For more information about these procedures, refer to IBM WebSphere documentation, or contact IBM support.

4.6.3.1 Enabling SSL for Oracle Identity Manager

You need to perform the following configurations in Oracle Identity Manager to enable SSL:

4.6.3.1.1 Enabling SSL for Oracle Identity Manager

Enabling SSL for Oracle Identity Manager is described in the following sections:

4.6.3.1.2 Enabling SSL for Oracle Identity Manager By Using Default Setting

By default, SSL ports are enabled for all the WebSphere Application Servers.

To check SSL port:

  1. Log in to IBM WebSphere Administrative Console.

  2. Navigate to Servers, Server Types, and click the WebSphere application servers link.

  3. Click the oim servers link.

  4. Expand the Ports link. WC_defaulthost_secure is the SSL port.

4.6.3.1.3 Enabling SSL for Oracle Identity Manager By Using Custom Keystore

Refer to IBM WebSphere documentation for information about changing default keystores. Otherwise, contact IBM support.

After enabling SSL on Oracle Identity Manager and SOA Servers, change OimFrontEndURL and SOA server URL to use SSL port. For details, refer to IBM WebSphere documentation.

4.6.3.1.4 Securing the Design Console with SSL

To secure the Design Console with SSL:

  1. Open the WAS_CLIENT_HOME/properties/sas.client.props file.

  2. Ensure that the following properties are set to true. If they are not, update them to true.

    com.ibm.CSI.performTransportAssocSSLTLSRequired
    com.ibm.CSI.performTransportAssocSSLTLSSupported
    

    Note:

    • Setting com.ibm.CSI.performTransportAssocSSLTLSRequired to true configures the connection between the Design Console and the server to use SSL.

    • You can change the default keystore for IBM WebSphere by referring to WebSphere documentation provided by IBM.

4.6.3.1.5 Configuring SSL for Oracle Identity Manager Utilities

Oracle Identity Manager client utilities include PurgeCache, GenerateSnapshot, UploadJars, and UploadResources.

To configure SSL for Oracle Identity Manager utilities:

  1. Open the WAS_SERVER_HOME/profiles/DMGR_PROFILE/properties/sas.client.props file.

  2. Ensure the values of the following properties are set to true:

    com.ibm.CSI.performTransportAssocSSLTLSRequired

    com.ibm.CSI.performTransportAssocSSLTLSSupported
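
As an added example (not part of the original document, and not IBM or Oracle code), the following Python script makes the sas.client.props edit from sections 4.6.3.1.4 and 4.6.3.1.5 repeatable and verifiable: it rewrites every occurrence of the two com.ibm.CSI properties to true (java.util.Properties keeps the last occurrence of a key, so a later duplicate set to false would otherwise win), appends any key that is missing, leaves comments and other keys untouched, and checks the effective result. The file content below is a constructed sample; the real path is the sas.client.props of your profile.

```python
import re
import shutil

# The two keys sections 4.6.3.1.4 / 4.6.3.1.5 require to be true in sas.client.props.
REQUIRED_CSI_PROPS = {
    "com.ibm.CSI.performTransportAssocSSLTLSRequired": "true",
    "com.ibm.CSI.performTransportAssocSSLTLSSupported": "true",
}

# Constructed sample of a sas.client.props fragment (not the real IBM file):
# Required is still false, Supported is already true, an unrelated key follows.
SAMPLE_SAS_CLIENT_PROPS = """\
# CSIv2 transport settings (constructed sample)
com.ibm.CSI.performTransportAssocSSLTLSRequired=false
com.ibm.CSI.performTransportAssocSSLTLSSupported=true
com.ibm.CORBA.loginSource=prompt
"""

# One "key=value" or "key: value" line of a Java properties file. Lines starting
# with '#' or '!' are comments and never match. Backslash continuation lines are
# not handled; the keys of interest here are always single-line.
_PROP_LINE = re.compile(r"^(\s*)([^#!=:\s][^=:\s]*)\s*[=:]\s*(.*)$")


def effective_properties(text):
    """Map key -> value as java.util.Properties loads it (last occurrence wins)."""
    props = {}
    for line in text.splitlines():
        m = _PROP_LINE.match(line)
        if m:
            props[m.group(2)] = m.group(3).strip()
    return props


def verify_properties(text, required):
    """True only if every required key has exactly the required effective value."""
    props = effective_properties(text)
    return all(props.get(key) == value for key, value in required.items())


def ensure_properties(text, required):
    """Return (new_text, changed_keys).

    Every occurrence of a required key is rewritten in place (so a later duplicate
    cannot silently override the value), comments and other keys are left as they
    are, and required keys that are absent are appended at the end.
    """
    out, seen, changed = [], set(), set()
    for line in text.splitlines():
        m = _PROP_LINE.match(line)
        if m and m.group(2) in required:
            indent, key, current = m.group(1), m.group(2), m.group(3).strip()
            if current != required[key]:
                line = f"{indent}{key}={required[key]}"
                changed.add(key)
            seen.add(key)
        out.append(line)
    for key, value in required.items():
        if key not in seen:
            out.append(f"{key}={value}")
            changed.add(key)
    return "\n".join(out) + "\n", sorted(changed)


def update_file(path, required=REQUIRED_CSI_PROPS):
    """Apply ensure_properties to a file, keeping a .bak copy; return the changed keys."""
    with open(path, encoding="latin-1") as fh:      # properties files are ISO-8859-1
        original = fh.read()
    new_text, changed = ensure_properties(original, required)
    if changed:
        shutil.copyfile(path, path + ".bak")
        with open(path, "w", encoding="latin-1") as fh:
            fh.write(new_text)
    return changed


if __name__ == "__main__":
    fixed, changed = ensure_properties(SAMPLE_SAS_CLIENT_PROPS, REQUIRED_CSI_PROPS)
    print("changed:", changed)          # only the Required key needed rewriting
    print(fixed)
    print("verified:", verify_properties(fixed, REQUIRED_CSI_PROPS))
```

The same functions serve the com.ibm.CORBA.securityServerHost, securityServerPort and loginSource edits in section 4.7.4 by passing those keys and values as `required`.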

4.6.3.1.6 Configuring SSL for MDS Utilities

The following option must be added to all Oracle Identity Manager MDS utilities that contain the wsadmin script:

-Dcom.ibm.SSL.ConfigURL=file:DMGR_PROFILE\properties\ssl.client.props

4.6.3.2 Enabling SSL for Oracle Identity Manager DB

You need to perform the following configurations to enable SSL for Oracle Identity Manager DB:

4.6.3.2.1 Setting Up DB in Server-Authentication SSL Mode

To set up DB in Server-Authentication SSL mode:

  1. Stop the DB server and the listener.

  2. Configure the listener.ora file as follows:

    1. Navigate to the path:

      $DB_ORACLE_HOME/network/admin directory

      For example:

      /production-database/product/11.1.0/db_1/network/admin

    2. Edit the listener.ora file to include SSL listening port and Server Wallet Location.

      The following is the sample listener.ora file:

      # listener.ora Network Configuration File: /production-database/product/11.1.0/db_1/network/admin/listener.ora
      # Generated by Oracle configuration tools.
       
      SSL_CLIENT_AUTHENTICATION = FALSE
       
      WALLET_LOCATION =
        (SOURCE =
          (METHOD = FILE)
          (METHOD_DATA =
            (DIRECTORY = /production-database/product/11.1.0/db_1/bin/server_keystore_ssl.p12)
          )
        )
       
      LISTENER =
        (DESCRIPTION_LIST =
          (DESCRIPTION =
            (ADDRESS = (PROTOCOL = TCPS)(HOST = server1.mycompany.com)(PORT = 2484))
          )
          (DESCRIPTION =
            (ADDRESS = (PROTOCOL = TCP)(HOST = server1.mycompany.com)(PORT = 1521))
          )
        )
       
      TRACE_LEVEL_LISTENER = SUPPORT
      
  3. Configure the sqlnet.ora file as follows:

    1. Navigate to the path:

      $DB_ORACLE_HOME/network/admin directory

      For example:

      /production-database/product/11.1.0/db_1/network/admin

    2. Edit sqlnet.ora file to include:

      • TCPS Authentication Services

      • SSL_VERSION

      • Server Wallet Location

      • SSL_CLIENT_AUTHENTICATION type (either true or false)

      • SSL_CIPHER_SUITES that can be allowed in the communication (optional)

      The following is the sample sqlnet.ora file:

      # sqlnet.ora Network Configuration File: /production-database/product/11.1.0/db_1/network/admin/sqlnet.ora
      # Generated by Oracle configuration tools.
       
      SQLNET.AUTHENTICATION_SERVICES= (BEQ, TCPS)
       
      SSL_VERSION = 3.0
       
      SSL_CLIENT_AUTHENTICATION = FALSE
       
      WALLET_LOCATION =
        (SOURCE =
          (METHOD = FILE)
          (METHOD_DATA =
            (DIRECTORY = /production-database/product/11.1.0/db_1/bin/server_keystore_ssl.p12)
          )
        )
      
  4. Configure the tnsnames.ora file as follows:

    1. Navigate to the path:

      $DB_ORACLE_HOME/network/admin directory

      For example:

      /production-database/product/11.1.0/db_1/network/admin

    2. Edit the tnsnames.ora file to include SSL listening port in the description list of the service.

      The following is the sample tnsnames.ora file:

      # tnsnames.ora Network Configuration File: /production-database/product/11.1.0/db_1/network/admin/tnsnames.ora
      # Generated by Oracle configuration tools.
      
      PRODDB =
       (DESCRIPTION_LIST =
        (DESCRIPTION =
          (ADDRESS = (PROTOCOL = TCPS)(HOST = server1.mycompany.com)(PORT = 2484))
          (CONNECT_DATA =
            (SERVER = DEDICATED)
            (SERVICE_NAME = proddb)
          )
        )
        (DESCRIPTION =
          (ADDRESS = (PROTOCOL = TCP)(HOST = server1.mycompany.com)(PORT = 1521))
          (CONNECT_DATA =
            (SERVER = DEDICATED)
            (SERVICE_NAME = proddb)
          )
        )
       )
      
  5. Start/Stop utilities for DB server.

  6. Start the DB server.
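
As an added example (not part of the original document or of Oracle's tooling), the following Python script parses the Oracle Net parameter syntax used by the listener.ora, sqlnet.ora and tnsnames.ora files above and checks the settings this procedure asks for: that the listener and the PRODDB alias carry a TCPS ADDRESS, that WALLET_LOCATION names the server wallet, and that sqlnet.ora lists TCPS in SQLNET.AUTHENTICATION_SERVICES along with the SSL_VERSION and SSL_CLIENT_AUTHENTICATION values you chose. The three inline samples are constructed from the files shown above, trimmed; it also handles a single service written without parentheses.

```python
import re
from collections import deque

_TOKEN = re.compile(r"\(|\)|=|,|[^\s()=,]+")   # parens, '=', ',' or an atom (key/value)

def _entries(tokens, stop):
    # 'KEY = value' pairs, or bare atoms such as BEQ in (BEQ, TCPS), until `stop`.
    out = []
    while tokens and tokens[0] != stop:
        if tokens[0] == "(":                 # nested group at this level
            tokens.popleft()
            out.extend(_entries(tokens, ")"))
            tokens.popleft()                  # the matching ')' (IndexError if unclosed)
            continue
        tok = tokens.popleft()
        if tok == ",":
            continue
        if tokens and tokens[0] == "=":
            tokens.popleft()
            out.append((tok, _value(tokens)))
        else:
            out.append((tok, None))
    return out

def _value(tokens):
    # A value is one atom, or one or more adjacent '( ... )' groups.
    if not tokens or tokens[0] != "(":
        return tokens.popleft() if tokens else None
    out = []
    while tokens and tokens[0] == "(":
        tokens.popleft()
        out.extend(_entries(tokens, ")"))
        tokens.popleft()
    return out

def parse(text):
    """Parse listener.ora/sqlnet.ora/tnsnames.ora into nested (key, value) lists; keys repeat, so no dicts; '#' starts a comment."""
    tokens = deque()
    for line in text.splitlines():
        tokens.extend(_TOKEN.findall(line.split("#", 1)[0]))
    return _entries(tokens, None)

def get(entries, key):
    """First value stored directly under `key` (case-insensitive), else None."""
    return next((v for k, v in entries if k.upper() == key.upper()), None)

def find_all(entries, key):
    """Every value stored under `key` at any depth, in document order."""
    found = []
    for k, v in entries:
        if k.upper() == key.upper():
            found.append(v)
        if isinstance(v, list):
            found.extend(find_all(v, key))
    return found

def tcps_endpoints(entries):
    """(host, port) of each ADDRESS whose PROTOCOL is TCPS, i.e. the SSL endpoints."""
    return [(get(a, "HOST"), get(a, "PORT")) for a in find_all(entries, "ADDRESS")
            if isinstance(a, list) and (get(a, "PROTOCOL") or "").upper() == "TCPS"]

def wallet_directory(entries):
    """DIRECTORY inside the first WALLET_LOCATION, which must name the server wallet."""
    dirs = [d for loc in find_all(entries, "WALLET_LOCATION") if isinstance(loc, list)
            for d in find_all(loc, "DIRECTORY")]
    return dirs[0] if dirs else None

def check_sqlnet(entries):
    """Summarise the sqlnet.ora items the procedure above asks you to set."""
    services = get(entries, "SQLNET.AUTHENTICATION_SERVICES") or []
    if isinstance(services, str):             # a single service written without parentheses
        services = [(services, None)]
    return {"tcps_auth_service": any(k.upper() == "TCPS" for k, _ in services),
            "ssl_version": get(entries, "SSL_VERSION"),
            "client_auth": (get(entries, "SSL_CLIENT_AUTHENTICATION") or "").upper() == "TRUE",
            "wallet": wallet_directory(entries)}

# Samples constructed from the three files shown in the procedure above (trimmed).
LISTENER_ORA = """
WALLET_LOCATION = (SOURCE = (METHOD = FILE)
  (METHOD_DATA = (DIRECTORY = /production-database/product/11.1.0/db_1/bin/server_keystore_ssl.p12)))
LISTENER = (DESCRIPTION_LIST =
  (DESCRIPTION = (ADDRESS = (PROTOCOL = TCPS)(HOST = server1.mycompany.com)(PORT = 2484)))
  (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = server1.mycompany.com)(PORT = 1521))))
"""
SQLNET_ORA = """
SQLNET.AUTHENTICATION_SERVICES= (BEQ, TCPS)   # TCPS must appear here
SSL_VERSION = 3.0
SSL_CLIENT_AUTHENTICATION = FALSE
WALLET_LOCATION = (SOURCE = (METHOD = FILE)
  (METHOD_DATA = (DIRECTORY = /production-database/product/11.1.0/db_1/bin/server_keystore_ssl.p12)))
"""
TNSNAMES_ORA = """
PRODDB = (DESCRIPTION_LIST =
  (DESCRIPTION = (ADDRESS = (PROTOCOL = TCPS)(HOST = server1.mycompany.com)(PORT = 2484))
    (CONNECT_DATA = (SERVER = DEDICATED)(SERVICE_NAME = proddb))))
"""
```

Run `check_sqlnet(parse(open("sqlnet.ora").read()))` and `tcps_endpoints(parse(open("listener.ora").read()))` against your own files after step 4 to confirm the TCPS endpoint and wallet path before restarting the listener.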

4.6.3.2.2 Creating KeyStores and Certificates

You can create server side and client side KeyStores using the orapki utility. This utility is shipped as part of the Oracle DB installation.

KeyStores can be in any format, such as JKS or PKCS12; the format depends on the provider implementation. For example, JKS is the implementation provided by Sun/Oracle, whereas PKCS12 is implemented by OraclePKIProvider.

Only a JKS client KeyStore is used in Oracle Identity Manager for the DB server, because supporting a non-JKS KeyStore format such as PKCS12 would require significant changes on the installer side at a critical point in the release. Oracle Identity Manager already has a KeyStore named default-keystore.jks, which is in JKS format.

The following are the KeyStores that you can create using orapki utility:

Creating a Root CA Wallet

To create a root certification authority (CA) wallet:

  1. Navigate to the following path:

    $DB_ORACLE_HOME/bin directory

  2. Create a wallet by using the command:

    ./orapki wallet create -wallet CA_keystore.p12 -pwd welcome1
    
  3. Add a self signed certificate to the CA wallet by using the command:

    ./orapki wallet add -wallet CA_keystore.p12 -dn 'CN=root_test,C=US' -keysize 2048 -self_signed -validity 3650 -pwd welcome1
    
  4. View the wallet using the command:

    ./orapki wallet display -wallet CA_keystore.p12 -pwd welcome1
    
  5. Export the self signed certificate from the CA wallet using the command:

    ./orapki wallet export -wallet CA_keystore.p12 -dn 'CN=root_test,C=US' -cert self_signed_CA.cert -pwd welcome1
    

Creating DB Server Side Wallet

To create a DB server side wallet:

  1. Create a server wallet using the command:

    ./orapki wallet create -wallet server_keystore_ssl.p12 -auto_login -pwd welcome1
    
  2. Add a certificate request to the server wallet using the command:

    ./orapki wallet add -wallet server_keystore_ssl.p12/ -dn 'CN=Customer,OU=Customer,O=Customer,L=City,ST=NY,C=US' -keysize 2048 -pwd welcome1
    
  3. Export the certificate request to a file, which will be used later for getting it signed using the root CA signature:

    ./orapki wallet export -wallet server_keystore_ssl.p12/ -dn 'CN=Customer,OU=Customer,O=Customer,L=City,ST=NY,C=US' -request server_creq.csr -pwd welcome1
    
  4. Get the server wallet's certificate request signed using the CA signature:

    ./orapki cert create -wallet CA_keystore.p12 -request server_creq.csr -cert server_creq_signed.cert -validity 3650 -pwd welcome1
    
  5. View the signed certificate using the command:

    ./orapki cert display -cert server_creq_signed.cert -complete
    
  6. Import the trusted certificate into the server wallet using the command:

    ./orapki wallet add -wallet server_keystore_ssl.p12 -trusted_cert -cert self_signed_CA.cert -pwd welcome1
    
  7. Import this newly created signed certificate (user certificate) to the server wallet using the command:

    ./orapki wallet add -wallet server_keystore_ssl.p12 -user_cert -cert server_creq_signed.cert -pwd welcome1
    

Creating Client Side Wallet

To create a client side (Oracle Identity Manager server) wallet:

  1. Use the default-keystore.jks keystore as the client keystore. It is located at the following path:

    DMGR_PROFILE/config/cells/CELL_NAME/fmwconfig

    Note:

    You can also use an Oracle PKCS12 wallet as the client keystore.

  2. Import the self-signed CA trusted certificate that you already exported using the server side commands into the client keystore (default-keystore.jks) by using the command:

    keytool -import -trustcacerts -alias dbtrusted -noprompt -keystore default-keystore.jks -file self_signed_CA.cert -storepass xellerate
    
4.6.3.2.3 Updating WebSphere Server

After enabling SSL for Oracle Identity Manager DB, you need to change the following Oracle Identity Manager datasources and custom registry to use DB SSL port:

Configuring Datasource

To configure the datasource:

  1. Log in to IBM WebSphere Administrative Console.

  2. Perform the datasource changes.

    Note:

    Before performing changes to the datasource, you must shut down the managed servers hosting the Oracle Identity Manager application.

Updating Datasource oimJMSStoreDS Configuration

To update the datasource oimJMSStoreDS configuration:

  1. Log in to IBM WebSphere Administrative Console.

  2. Navigate to Resources, JDBC, Data Sources, oimJMSStoreDS.

  3. Change the value of the URL. The following is an example URL:

    jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=my.domain.com)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=proddb)))
    
  4. Click Apply and make sure to save the change.

  5. Go to Additional Properties, Custom Properties, and add a custom property with the following sample values:

    • Name: connectionProperties

    • Value: javax.net.ssl.trustStore=CELL_HOME/fmwconfig/default-keystore.jks;javax.net.ssl.trustStoreType=JKS;javax.net.ssl.trustStorePassword=Welcome1;oracle.net.ssl_version=3.0

    • Type: java.lang.String

Updating Datasource oimOperationsDB Configuration

To update the datasource oimOperationsDB configuration:

Note:

To add a custom property, see "Updating Datasource oimJMSStoreDS Configuration".

  1. Log in to IBM WebSphere Administrative Console.

  2. Navigate to Resources, JDBC, Data Sources, oimOperationsDB.

  3. Change the value of the URL. The following is an example URL:

    jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=my.domain.com)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=proddb)))
    
  4. Click Apply and make sure to save the change.

Updating Datasource Related to Oracle Identity Manager MDS Configuration

To update datasource related to Oracle Identity Manager MDS configuration:

Note:

To add a custom property, see "Updating Datasource oimJMSStoreDS Configuration".

  1. Log in to IBM WebSphere Administrative Console.

  2. Navigate to Resources, JDBC, Data Sources, mds-oim.

  3. Change the value of the URL.

  4. Click Apply and make sure to save the changes.

Note:

You might have to perform similar updates for SOA/OWSM related datasources if required.

4.6.3.3 Enabling SSL for LDAP Synchronization

You need to perform the following configurations to enable Oracle Identity Manager to use SSL enabled Oracle Virtual Directory (OVD):

4.6.3.3.1 Enabling OVD-OID with SSL

To enable OVD-OID with SSL:

  1. Log in to the OVD EM console.

  2. Expand Identity and Access and navigate to ovd1, Administration, Listeners.

  3. Click Create and enter all the required fields.

    Note:

    You must select the Listener Type as LDAP.

  4. Click OK.

  5. Select the newly created LDAP listener and click Edit.

  6. In the Edit Listener - OIM SSL ENDPOINT page, edit the newly created LDAP listener.

  7. Click OK. The SSL Configuration page opens.

  8. Select the Enable SSL checkbox.

  9. In the Advanced SSL Settings section, for SSL Authentication, select No Authentication.

  10. Click OK.

  11. Stop and start the OVD server for the changes to take effect.

    Note:

    You must not use the restart option.

4.6.3.3.2 Updating Oracle Identity Manager for OVD Host/Port

When LDAP synchronization is enabled on Oracle Identity Manager, Oracle Identity Manager connects with directory servers through OVD. It connects using the ldap or ldaps protocol.

To change OVD host/port:

  1. Log in to Oracle Identity Manager Administrative and User console.

  2. Navigate to Advanced and click Manage IT Resource.

  3. Select IT Resource Type as Directory Server and click Search.

  4. In the IT Resource Directory Server, edit server URL to include SSL protocol and SSL port details.

  5. Ensure that Use SSL is set to true and click Update.

4.6.3.4 Securing the Remote Manager with SSL

This section describes how to configure SSL for the Oracle Identity Manager Remote Manager on IBM WebSphere. This section includes the following topics:

4.6.3.4.1 Overview

SSL authentication can be one-way or two-way:

  • One-way: The Oracle Identity Manager Server (the SSL client application) verifies the identity of the Oracle Identity Manager Remote Manager (the SSL server application).

  • Two-way: The Oracle Identity Manager Server (the SSL client application) verifies the identity of the Remote Manager (the SSL server application) and the Remote Manager verifies the identity of the Oracle Identity Manager Server.

To establish an SSL trust relationship, you import the SSL server's (CA signed) certificate into the SSL client's keystore. When you installed the Remote Manager, a keystore and public certificate were created. The Remote Manager's keystore is located in the OIM_RM_HOME/config/default-keystore.jks file. The certificate is located in the OIM_RM_HOME/config/xlserver.cert file.

Note:

The Remote Manager does not support non-SSL communication. By default, one-way SSL authentication is supported. Two-way SSL authentication can be enabled by performing the steps in the appropriate section below.

4.6.3.4.2 Configuring One-way SSL Authentication

One-way SSL authentication allows the Oracle Identity Manager Server to verify the identity of the Remote Manager. To configure one-way SSL authentication, the Remote Manager's certificate must be trusted in the Oracle Identity Manager Server's keystore, which is located at:

WAS_HOME/profiles/Dmgr01/config/cells/OIM_CELL_NAME/fmwconfig/default-keystore.jks

To configure one-way SSL authentication using CA certificates:

  1. Copy the Remote Manager's certificate, OIM_RM_HOME/config/xlserver.cert, to the Oracle Identity Manager Server system.

    Note:

    The Oracle Identity Manager Server certificate is also named xlserver.cert. Make sure that you do not unintentionally overwrite the server's certificate.

  2. Import the Remote Manager certificate that you copied to the Oracle Identity Manager Server's system in step 1 into the Server's keystore by executing the following shell command:

    Note:

    Set the environment variables JAVA_HOME and PATH to point to the IBM JDK, and then run the command.

    JAVA_HOME/jre/bin/keytool -import -alias TRUSTED_SERVER_CERTIFICATE \
    -file RM_CERT_LOCATION/xlserver.cert \
    -keystore WAS_HOME/profiles/Dmgr01/config/cells/OIM_CELL_NAME/fmwconfig/default-keystore.jks \
    -trustcacerts -storepass OIM_SERVER_KEYSTORE_PASSWORD
    

    Note that JAVA_HOME represents the location of the IBM Java Runtime directory for the Oracle Identity Manager Server and RM_CERT_LOCATION represents the location where you copied the Remote Manager's certificate in step 1.

  3. When prompted, enter Y (for Yes) to trust the certificate being imported.

  4. Restart the application servers, including the Deployment Manager.

4.6.3.4.3 Configuring Two-way SSL Authentication

Two-way SSL authentication allows the Oracle Identity Manager Server and the Remote Manager to verify each other's identities. To configure two-way SSL authentication, the Remote Manager's certificate must be trusted in the Oracle Identity Manager Server's keystore and Oracle Identity Manager Server's certificate must be trusted in Remote Manager's keystore.

The Oracle Identity Manager Server's keystore is located at:

WAS_HOME/profiles/Dmgr01/config/cells/OIM_CELL_NAME/fmwconfig/default-keystore.jks

The Oracle Identity Manager Server's certificate is located in:

WAS_HOME/profiles/Dmgr01/config/cells/OIM_CELL_NAME/fmwconfig/xlserver.cert

The Remote Manager's keystore is located in:

OIM_RM_HOME/config/default-keystore.jks

The Remote Manager's (CA signed) certificate is located in:

OIM_RM_HOME/config/xlserver.cert

To configure two-way SSL authentication using CA certificates:

  1. Copy the Remote Manager's certificate, OIM_RM_HOME/config/xlserver.cert, to the Oracle Identity Manager Server system.

    Note:

    The Oracle Identity Manager Server's certificate is also named xlserver.cert. Be sure you do not unintentionally overwrite the server's certificate.

  2. Import the Remote Manager's certificate that you copied to the Oracle Identity Manager Server's system in step 1 into the server's keystore by executing the following shell command:

    JAVA_HOME/jre/bin/keytool -import -alias TRUSTED_SERVER_CERTIFICATE \
    -file RM_CERT_LOCATION/xlserver.cert \
    -keystore WAS_HOME/profiles/Dmgr01/config/cells/OIM_CELL_NAME/fmwconfig/default-keystore.jks \
    -trustcacerts -storepass OIM_SERVER_KEYSTORE_PASSWORD
    

    Note that JAVA_HOME represents the location of the IBM Java Runtime directory for the Oracle Identity Manager Server and RM_CERT_LOCATION represents the location where you copied the Remote Manager's certificate in step 1.

  3. When prompted, enter Y (for Yes) to trust the certificate being imported.

  4. Restart the application servers, including the Deployment Manager.

  5. Copy the Oracle Identity Manager Server's certificate to the Remote Manager system. The Oracle Identity Manager Server's keystore is located at:

    WAS_HOME/profiles/Dmgr01/config/cells/OIM_CELL_NAME/fmwconfig/xlserver.cert
    

    Note:

    The Remote Manager's certificate is also named xlserver.cert. Be sure you do not unintentionally overwrite the Remote Manager's certificate.

  6. Import the Oracle Identity Manager Server's certificate that you copied to the Remote Manager system in step 5 into the Remote Manager's keystore by executing the following shell command:

    JAVA_HOME/jre/bin/keytool -import -alias TRUSTED_SERVER_CERTIFICATE \
    -file OIM_SERVER_CERT_LOCATION/xlserver.cert \
    -keystore OIM_RM_HOME/config/default-keystore.jks -trustcacerts \
    -storepass RM_KEYSTORE_PASSWORD
    

    Note that JAVA_HOME represents the location of the IBM Java Runtime directory for the Remote Manager and OIM_SERVER_CERT_LOCATION is the location where you copied the Oracle Identity Manager Server's certificate in step 5.

  7. When prompted, enter Y (for Yes) to trust the certificate being imported.

  8. Open the Remote Manager configuration file, OIM_RM_HOME/config/xlconfig.xml.

  9. Change the value of the <RMSecurity>.<ClientAuth> configuration parameter to true and save the file.

  10. Restart the Remote Manager.

4.7 Using Oracle Identity Manager Utilities on IBM WebSphere

This section describes how to use Oracle Identity Manager utilities on IBM WebSphere:

4.7.1 Prerequisites for Using Oracle Identity Manager Utilities on IBM WebSphere

Before running Oracle Identity Manager utilities on WebSphere, set the following environment variables:

  • OIM_ORACLE_HOME: The environment variable that identifies the directory in which Oracle Identity Manager is installed.

  • JAVA_HOME: The location of the IBM Java Runtime directory for the Oracle Identity Manager server.

  • WAS_HOME: The directory in which WebSphere Application Server is installed.

  • APP_SERVER: The allowed values are weblogic or websphere. Here, it must be set to websphere.

  • MW_HOME: The directory path for Middleware home.

  • PROFILE_NAME: The name of the profile.

  • WAS_CELL_HOME: The location of the cell on which Oracle Identity Manager is deployed.

4.7.2 Using Oracle Enterprise Manager to Export Metadata Files from the MDS Database

To export metadata files from the MDS database using Oracle Enterprise Manager:

  1. Ensure that all the environment variables listed in Section 4.7.1, "Prerequisites for Using Oracle Identity Manager Utilities on IBM WebSphere" are set.

  2. Log in to Oracle Enterprise Manager using the IBM WebSphere administrator's credentials.

  3. Select System MBean Browser from the WebSphere Cell list.

  4. Expand the following entries: Application Defined MBeans, oracle.mds.lcm, Server:NAME_OF_OIM_SERVER, Application: oim, MDSAppRuntime.

  5. Click MDSAppRuntime.

  6. Click the Operations tab.

  7. Click exportMetadata.

  8. Enter a value for the toLocation property, which identifies the destination directory to which XML files will be exported. For example: /home/user/temp.

  9. Click Edit for the Docs parameter.

  10. Click Add and enter the path to the metadata file(s) you want to export. For example: /db/oim-config.xml.

  11. Click Invoke.

4.7.3 Using Oracle Enterprise Manager to Import Metadata Files into the MDS Database

To import metadata files into the MDS database using Oracle Enterprise Manager:

  1. Ensure that all the environment variables listed in Section 4.7.1, "Prerequisites for Using Oracle Identity Manager Utilities on IBM WebSphere" are set.

  2. Copy the metadata files you want to import to a temporary location. For example:

    /home/user/temp/file/ProvisionResourceADUser.xml
    /home/user/temp/file/ModifyResourceADUser.xml
    
  3. Log in to Oracle Enterprise Manager using the IBM WebSphere administrator's credentials.

  4. Select System MBean Browser from the WebSphere Cell list.

  5. Expand the following entries: Application Defined MBeans, oracle.mds.lcm, Server:NAME_OF_OIM_SERVER, Application: oim, MDSAppRuntime.

  6. Click MDSAppRuntime.

  7. Click the Operations tab.

  8. Click importMetadata.

  9. Enter a value for the fromLocation property, which identifies the source directory from which XML files will be imported. For example: /home/user/temp.

  10. Click Edit for the Docs parameter.

  11. Click Add and enter the location of the metadata file(s) to import. For example: /file/*.xml.

  12. Click Invoke.

4.7.4 Using the PurgeCache, UploadJars, DownloadJars, DeleteJars, UploadResourceBundles, and DownLoadResourceBundles Utilities

This section describes how to use the following Oracle Identity Manager utilities on IBM WebSphere:

  • PurgeCache.sh: Purges all elements in the cache.

  • UploadJars.sh: Uploads JAR files into the database.

  • DownloadJars.sh: Downloads JAR files from the database.

  • DeleteJars.sh: Deletes JAR files from the database.

  • UploadResourceBundles.sh: Uploads the connector or custom resource bundle to the database.

  • DownLoadResourceBundles.sh: Downloads the resource bundle from the database.

To use these Oracle Identity Manager utilities on IBM WebSphere:

  1. Ensure that all the environment variables listed in Section 4.7.1, "Prerequisites for Using Oracle Identity Manager Utilities on IBM WebSphere" are set.

  2. Table 4-22 shows values you must set in the OIM_ORACLE_HOME/server/bin/websphere.properties file before using the utilities:

    Table 4-22 Values to Set in the websphere.properties File for Utilities

    Property Value

    com.ibm.ws.scripting.port

    The SOAP port of the IBM WebSphere Server where Oracle Identity Manager is installed.

    To identify the SOAP port:

    1. Log in to the WebSphere Administrative console.

    2. Click Server, Server Types, Websphere application servers, NAME_OF_OIM_SERVER.

    3. Expand the Ports entry in the Communications section.

    4. Use the value listed in the SOAP_CONNECTOR_ADDRESS entry.

    com.ibm.ws.scripting.host

    The host name of the system where Oracle Identity Manager is installed.

    was_servername

    The name of the IBM WebSphere Server where Oracle Identity Manager is installed.

    was_nodename

    The name of the IBM WebSphere node where Oracle Identity Manager is installed.

    To identify the node name:

    1. Log in to the WebSphere Administrative console.

    2. Click System Administration > Nodes.

    application_name

    The name of the application. Enter oim.


  3. Open the OIM_ORACLE_HOME/server/bin/setEnv.sh file with an editor.

  4. Edit the APP_SERVER=@appserver parameter to become: APP_SERVER=websphere.

  5. Edit the PROFILE_NAME=@profilename parameter to point to the appropriate profile, for example: PROFILE_NAME=Dmgr01.

  6. Use an editor to open the sas.client.props file of the profile where Oracle Identity Manager is installed. For example:

    WAS_HOME/profiles/Dmgr01/properties/sas.client.props.

  7. Edit the following properties to become:

    Note:

    You can identify the bootstrap address for Oracle Identity Manager by performing the following steps:

    1. Log in to the WebSphere Administrative console.

    2. Click Server, Server Types, Websphere application servers, NAME_OF_OIM_SERVER.

    3. Expand the Ports entry in the Communications section.

    4. Use the value listed in the BOOT_STRAP_ADDRESS entry.

    com.ibm.CORBA.securityServerHost=OIM_HOSTNAME
    com.ibm.CORBA.securityServerPort=OIM_BOOTSTRAP_ADDRESS
    com.ibm.CORBA.loginSource=none
    
  8. Execute the utility. For example:

    ./PurgeCache.sh CATEGORY_NAME
    ./UploadJars.sh
    ./DownloadJars.sh
    ./DeleteJars.sh
    ./UploadResourceBundles.sh
    ./DownLoadResourceBundles.sh
    

    When prompted, enter information for the following:

    • Oracle Identity Manager administrator user name

    • Oracle Identity Manager administrator password

    • The service URL. For example:

      corbaloc:iiop:OIM_HOSTNAME:OIM_SERVER_BOOTSTRAP_ADDRESS

    • The context Factory:

      com.ibm.websphere.naming.WsnInitialContextFactory

    Note:

    Some of the utilities, such as Upload, Download, and Delete JARs, and UploadResourceBundles, will prompt you for additional information, such as the type and name of the JAR file, or the location of the custom resource bundle, to operate on.

4.7.5 Using the Plugin Registration and Unregistration Utility

You can use the Plugin Registration Utility for registration and unregistration related tasks. The Plugin Registration Utility is located in the OIM_HOME/plugin_utility/ directory and uses the following files:

  • pluginregistration.xml

  • ant.properties

Before Using the Plugin Registration Utility:

  1. Ensure that all the environment variables listed in Section 4.7.1, "Prerequisites for Using Oracle Identity Manager Utilities on IBM WebSphere" are set. In addition, set the following environment variable:

    ANT_HOME: Identifies the directory where Apache Ant version 1.7 or higher is installed.

    Note:

    The Plugin Registration Utility requires Apache Ant version 1.7 or higher.

  2. Edit the ant.properties file to set WAS_HOME and OIM_HOME. For example:

    was.home=/test/WAS110912/IBM/WebSphere/AppServer
    oim.home=/test/WAS110912/Oracle_IDM1/server
    login.config=${oim.home}/config/authws.conf
    

Registering a Plug-in:

To register a plug-in, execute the ant target register command. For example:

ant -f pluginregistration.xml register

You will be prompted for the following information:

  • Oracle Identity Manager administrator user name and password.

  • The service URL, for example:

    corbaloc:iiop:OIM_HOSTNAME:OIM_SERVER_BOOTSTRAP_ADDRESS
    
  • The Context Factory, for example:

    com.ibm.websphere.naming.WsnInitialContextFactory
    
  • The full path to and complete name of the plug-in file, for example:

    /test/pluginsfolder/plugins.zip
    

    Note:

    After providing the information for the plug-in file, you will be prompted for additional information, such as the oimrealm.

Unregistering a Plug-in:

To unregister a plug-in, execute the ant TARGET unregister command. For example:

ant -f pluginregistration.xml unregister

You will be prompted for the following information:

  • Oracle Identity Manager administrator user name and password.

  • The service URL, for example:

    corbaloc:iiop:OIM_HOSTNAME:OIM_SERVER_BOOTSTRAP_ADDRESS
    
  • The Context Factory, for example:

    com.ibm.websphere.naming.WsnInitialContextFactory
    
  • The complete class name with package of the plug-in, for example:

    oracle.iam.scheduler.LongJob
    

    Note:

    After providing the information for the class name with package, you will be prompted for additional information, such as the oimrealm.

4.7.6 Registering a SOA Composite with Oracle Identity Manager on IBM WebSphere

Oracle SOA suite composites must be registered with Oracle Identity Manager before they can be used as an approval process. The procedure to register SOA composites is documented in the "Registering a SOA Composite with Oracle Identity Manager" section of the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager. However, this procedure was developed for Oracle Identity Manager on Oracle WebLogic Server. To use that information for Oracle Identity Manager on IBM WebSphere:

Before Registering

  1. Open the OIM_ORACLE_HOME/server/bin/setEnv.sh file with an editor.

  2. Edit the APP_SERVER=@appserver parameter to become: APP_SERVER=websphere.

  3. Edit the MW_HOME=@mwhome parameter to point to the directory where Oracle Fusion Middleware is installed.

Executing the ant Script

Execute WAS_HOME/bin/ws_ant.sh. For example:

$WAS_HOME/bin/ws_ant.sh -f registerworkflows-mp.xml register 

4.7.7 Using the Form Version Control Utility

For detailed information about using the Form Version Control (FVC) utility, see "Using the Form Version Control Utility" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager. Running the FVC utility on IBM WebSphere has the following differences:

4.8 Using Oracle Identity Manager Reports on IBM WebSphere

To deploy and configure Oracle BI Publisher on WebSphere, refer to section "Managing Oracle Business Intelligence on IBM WebSphere" in the Oracle Fusion Middleware Third-Party Application Server Guide for 11g Release 1 (11.1.1.7) at the following URL:

http://docs.oracle.com/cd/E28280_01/upgrade.1111/e17852/manage_was_bi.htm#CHDCFAGI

For the quick deployment steps specific to Oracle Identity Manager Reports see the technote "How to Install BI Publisher11g [11.1.1.7.0] On WebSphere (WAS) & Deployment of OIM 11gR2PS2 Reports?" with note ID 1636817.1 at the My Oracle Support website. You can access the My Oracle Support website by navigating to the following URL:

https://support.oracle.com

Note:

The technote applies only to the deployment of BI Publisher 11.1.1.7.0 Reports for Oracle Identity Manager 11g Release 2 (11.1.2.2.0) on WebSphere. However, it is recommended that you follow the configuration steps listed in the Oracle Fusion Middleware Third-Party Application Server Guide as the formal and supported guidelines for WebSphere deployment.

4.9 Understanding Identity Certification on IBM WebSphere

This section discusses identity certification tasks that need to be completed by an Oracle Identity Manager Certification Administrator. Prior to creating certifications, refer to Section 4.9.8, "Prerequisites for Identity Certifications" and the chapter on Access Catalog administration for more information on how to configure the business metadata of artifacts in the Access Catalog.

This section contains certification information about Oracle Identity Manager on IBM WebSphere Application Server. It contains the following topics:

4.9.1 Identity Certification Configuration

Before creating a new certification, you can apply global configuration settings that apply to all certifications you create. Apply these settings by selecting the checkboxes and then clicking the Save button. Table 4-23 lists the general configuration settings. Table 4-24 lists the global configuration settings.

Note:

Modifying the general configuration settings does not affect existing certifications.

Table 4-23 General Configuration Settings

Name Description

Password required on sign-off

When checked, a reviewer must re-enter their credentials when they click Sign-off to complete the review of the certification, so the sign-off is tied to a fresh authentication rather than to an existing session.

Allow comments on certify operations

When checked, a reviewer can enter a comment in a text box after making a Certify decision on the access details of the user being certified.

Allow comments on all non-certify operations

When checked, a reviewer can enter a comment in a text box after making a non-certify decision (Revoke, Unknown, or Exception Allowed) on the access details of the user being certified.

Verify employee access

When checked, the summary view on page 1 of the user certification is displayed. If unchecked, page 1 is not shown to the reviewer and all users are claimed by default.

Prevent self certification

When checked, a reviewer's own access rights are excluded from the certification population that reviewer sees (a separation-of-duties control). If the reviewer is part of the population, an alternate reviewer can be selected, and the reviewer's own access rights are routed to that alternate reviewer in a new certification.

User and Account Selections

This option controls which users and accounts are included in the certification. One of three choices can be selected:

  1. Include only active users and active accounts

  2. Include any user with active accounts

  3. Include all users and all accounts

Allow advanced delegation

When selected, the reviewer of the certification can Delegate users to an alternate reviewer. If not selected, the Delegate action is not available to the reviewer.

See Section 4.9.2.2, "Advanced Delegation" for more details.

Allow multi-phased review

This option, when selected, creates the ability to generate a multi-phased certification review campaign. This option only applies to user certifications.

See Section 4.9.2, "Multi-Phased Review and Advanced Delegation" for more details.

Allow reassignment

When selected, the reviewer of the certification can Re-assign users to an alternate reviewer. If not selected, the Re-assign action is not available to the reviewer.

Allow auto-claim

When selected, all items are automatically claimed in the first step of the certification: users in user certification, roles in role certification, application instances in application instance certification, and entitlements in entitlement certification.

Perform closed loop remediation

When this option is checked, access rights revoked in a completed certification are de-provisioned through Oracle Identity Manager: connected application instances are remediated automatically, and revocations for disconnected application instances are routed for manual fulfilment (see Section 4.9.6, "Understanding Closed-Loop Remediation and Remediation Tracking"). When this option is unchecked, no automatic remediation action is taken.


Note:

Changing the global settings does affect certifications that already exist.

Table 4-24 Global Settings

Name Description

Enable Interactive Excel

When selected, the "Download to Editable Excel" link appears in the Actions menu during certification sign-off. Clicking it downloads the entire certification to an editable Excel file that can be completed offline. Offline sign-off requires the ADF Desktop Integration plug-in described in Section 4.9.7.


4.9.2 Multi-Phased Review and Advanced Delegation

Perhaps the most significant enhancement to certification in this release is the introduction of Collaborative Certification or Multi-Phased review. Collaborative certification has two major dimensions:

4.9.2.1 Multi-Phased Review

Multi-Phased review combines the perspectives of both business-oriented and technical reviewers, so that both types of expertise are utilized. There are three possible phases in a multi-phased review:

  • Phase One: Business-review is the required, first phase. The business-reviewer, typically the manager of each user, sees all of the (certifiable) access-privileges of that user. The manager confirms first that the user is a valid holder of privileges, for example, an employee within that enterprise, and then that the user's position within the enterprise justifies the user's access-privileges, that is, role-assignments, accounts and entitlement-assignments.

  • Phase Two: Technical-review is an optional, second phase. The technical reviewer is the certifier of each privilege and reviews the members of the privilege.

  • Final Review is an optional, final phase. If the certification is configured to enable final review, then the primary reviewer from the first phase can see the decisions that reviewers made in the first two phases and can override those decisions if required.

4.9.2.2 Advanced Delegation

Advanced Delegation allows a certifier to retain overall responsibility while delegating decisions to others (for reasons of bandwidth).

The primary reviewer in Phase One or Phase Two can spread the work to other people. This can be done through delegation or reassignment. The primary reviewer can delegate any set of line-items (any item from page 1 of the certification), to any person that the primary reviewer selects. The primary reviewer can also reassign responsibility for any set of line-items to another person. Reassigned items are removed from the current certification and a new certification is generated with those items. Delegated items are still the responsibility of the primary reviewer.

4.9.3 Understanding How Risk Summaries are Calculated

You can directly assign high, medium, and low risk levels to roles, application instances, and entitlements, as well as to certain predefined risk factors. A risk-aggregation job calculates Risk Summaries for the remaining higher-order data objects that are needed to support the identity certification feature. These objects include every user, user-role assignment, account, and entitlement-assignment in the access catalog. During identity certification, certifiers or reviewers use Risk Summaries to separate high-risk certification items from medium-risk and low-risk items.

This section describes how the system processes risk levels to arrive at Risk Summaries. It also describes the risk-aggregation job, which you can run manually or on a scheduled basis.

Note:

In Oracle Identity Manager, roles, application instances, and entitlements (entitlement definitions) are metadata objects, whereas users, accounts, and entitlement-assignments are instance-data objects. Think of metadata objects as "structural" objects that represent and describe your information systems within Oracle Identity Manager, whereas instance-data objects are the individual instances of application data that populate the systems described. For example, consider a customer service application (a resource) that has a predefined role that enables users to create trouble tickets (an entitlement). In this example, a single resource object represents the application and a single entitlement object represents a specific privilege within that application. Now consider there might be thousands of user accounts on this resource, some subset of which has the entitlement-assignment that allows the user to create a trouble ticket. In the access catalog, an account object represents each user account, and an entitlement-assignment object represents each instance of the entitlement assignment. This illustrates the one-to-many relationship that exists between metadata objects and instance data objects. A single resource (metadata object) can have multiple accounts (instance-data objects), and a single entitlement (metadata object) can have multiple assignment instances (instance-data objects). The Oracle Identity Manager solution calculates the risk levels for instance-data objects because it would not be feasible for a human to process risk levels for every user, account, and entitlement-assignments in the access catalog on a recurring basis.

Item Risk refers to the risk levels that you and other administrators can assign to specific roles, application instances, and entitlements in the access catalog. There are other ways that Item Risk can be assigned to metadata objects, but direct assignment is the most common method.

Assigning an Item-Risk level to a metadata object in the UI is straightforward. To do so, you search and open the object in the access catalog and select a High, Medium, or Low risk setting from the details pane below. If you do not directly assign an Item-Risk level to a metadata object in the access catalog, the system assigns a default Item-Risk level for you. Roles, application instances, and entitlements can each have a default value. You can configure a default Item-Risk level using the Risk Mapping page.

Generally speaking, you should reserve high Item-Risk levels for metadata objects that confer highly restricted privileges to users. Note that setting a high Item-Risk level on an object will cause its parent object to also have a high Risk-Summary value. Similarly, setting a medium Item-Risk level on an object will cause its parent object to have at least a medium Risk-Summary value. In order for a higher-order object to have a low Risk-Summary value, all of the objects under it in the system hierarchy would have to have low risk settings.

Risk-Factor Mappings are settings that map risk levels to certain predefined conditions within Oracle Identity Manager. Generally speaking, you should reserve high Risk-Factor levels for conditions in which privileges are being extended to users that may be irregular or dangerous. There are two Risk-Factor categories in Oracle Identity Manager, and each category contains multiple settings. Risk-Factor categories are described as following:

Provisioning Scenarios define the risk levels that should be associated with the method or mechanism used to assign a role, account, or entitlement-assignment to a user using Oracle Identity Manager. For example, you might configure a risk level of High for objects that are provisioned directly by an administrator, and a risk level of Low for objects that are provisioned based on policies that are tied to roles.

Last Certification Action defines risk level based on the status of the last certification for the account, entitlement-assignment, or user-role assignment under consideration. For example, configure a risk level of Low for any item for which the previous certification decision was to approve, and configure a risk level of Medium for any item for which the previous certification decision was to certify conditionally. Finally, you might configure a value of High for any item for which the previous certification decision was Abstain or Revoke.

The Risk-Aggregation job processes Item-Risk levels and Risk-Factor levels, and calculates Risk Summaries for each higher-order object that supports Identity Certification.

In the first phase of risk aggregation, the Risk-Aggregation job evaluates each individual object's Item-Risk level together with its Risk-Factor levels (the Provisioning Scenario and Last Certification Action factors described above) and assigns the highest of those levels to the object's Risk Summary property. A Risk Summary value is calculated for each individual user object, user-role assignment object, account object, and entitlement-assignment object.

Once Risk Summaries are calculated for every object in the access catalog, the next phase of aggregation begins, in which the Risk Summary of each individual object rolls up to the Risk Summary of the parent object that contains it.

Above the entitlement-assignment level, each data object's Risk Summary value contributes to the Risk Summary of the parent-object that contains it. For example, account objects are one hierarchy level up from entitlement-assignment objects, and User objects are one hierarchy level up from there. So, the Risk Summary of every entitlement-assignment object within an account object contributes to the Risk Summary for that account, and, similarly, the Risk Summary for every account object within the user object contributes to the Risk Summary for that user.

User objects are also one level above user-role assignment objects, so the Risk Summary for every user-role assignment object contributes to the Risk Summary for that user. By default, the risk job is not enabled, so no risks are evaluated. To enable it, go to the Scheduler, find the risk job, and enable it; the job then runs at the defined schedule.
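
The following is an added illustration of the two-phase job described in this section; it is not Oracle Identity Manager code. The object model, the Risk-Mapping defaults, the two risk-factor tables, the mapping for items that were never certified, and the sample catalog are all constructed for the example. Only the rules come from the text: an object's Risk Summary is the highest of its Item Risk and Risk-Factor levels, and each child's Risk Summary rolls up into its parent (entitlement-assignment to account to user, user-role assignment to user), so a parent can be Low only if everything beneath it is Low.

```python
"""Worked model of the Risk-Aggregation job (added example, not OIM code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

LEVELS = {"Low": 1, "Medium": 2, "High": 3}
NAMES = {v: k for k, v in LEVELS.items()}

# Risk Mapping page values: assumed for this example.
DEFAULT_ITEM_RISK = {"role": "Low", "application_instance": "Medium", "entitlement": "Medium"}
PROVISIONING_SCENARIO_RISK = {"access_policy": "Low", "request": "Medium", "direct": "High"}
LAST_CERTIFICATION_RISK = {"certify": "Low", "conditional": "Medium",
                           "abstain": "High", "revoke": "High",
                           None: "Medium"}  # never certified: assumed mapping


def highest(levels: List[str]) -> str:
    """Return the highest of the given risk levels."""
    return NAMES[max(LEVELS[level] for level in levels)]


@dataclass
class MetadataObject:
    """Role, application instance or entitlement definition: carries Item Risk."""
    kind: str                        # "role" | "application_instance" | "entitlement"
    name: str
    item_risk: Optional[str] = None  # None -> default from the Risk Mapping page

    def effective_item_risk(self) -> str:
        return self.item_risk or DEFAULT_ITEM_RISK[self.kind]


@dataclass
class InstanceObject:
    """User-role assignment, account or entitlement-assignment (instance data)."""
    meta: MetadataObject
    provisioned_by: str                        # key into PROVISIONING_SCENARIO_RISK
    last_certification: Optional[str] = None   # key into LAST_CERTIFICATION_RISK
    children: List["InstanceObject"] = field(default_factory=list)  # an account's entitlement-assignments
    risk_summary: Optional[str] = None


@dataclass
class User:
    login: str
    accounts: List[InstanceObject]
    role_assignments: List[InstanceObject]
    risk_summary: Optional[str] = None


def phase_one(obj: InstanceObject) -> None:
    """Phase 1: Risk Summary = highest of Item Risk and the object's Risk-Factor levels."""
    obj.risk_summary = highest([
        obj.meta.effective_item_risk(),
        PROVISIONING_SCENARIO_RISK[obj.provisioned_by],
        LAST_CERTIFICATION_RISK[obj.last_certification],
    ])
    for child in obj.children:
        phase_one(child)


def phase_two(obj: InstanceObject) -> str:
    """Phase 2: roll every child's Risk Summary up into its parent (never lowering it)."""
    child_levels = [phase_two(child) for child in obj.children]
    obj.risk_summary = highest([obj.risk_summary] + child_levels)
    return obj.risk_summary


def aggregate_user(user: User) -> str:
    """Run both phases for one user and return the user's Risk Summary."""
    items = user.accounts + user.role_assignments
    for item in items:
        phase_one(item)
    # A user with nothing certifiable has nothing to roll up; treated as Low (assumption).
    user.risk_summary = highest([phase_two(item) for item in items]) if items else "Low"
    return user.risk_summary


def run_job(users: List[User]) -> Dict[str, str]:
    """The scheduled job: aggregate every user in the catalog."""
    return {user.login: aggregate_user(user) for user in users}


def build_sample_catalog() -> List[User]:
    """Constructed sample data: one user holding a directly granted admin entitlement, one without."""
    directory = MetadataObject("application_instance", "Active Directory", "Low")
    domain_users = MetadataObject("entitlement", "Domain Users", "Low")
    domain_admins = MetadataObject("entitlement", "Domain Admins", "High")
    help_desk = MetadataObject("role", "Help Desk")   # no explicit Item Risk: role default applies
    hr_portal = MetadataObject("application_instance", "HR Portal", "Low")
    self_service = MetadataObject("entitlement", "Employee Self-Service", "Low")
    employee = MetadataObject("role", "Employee")

    jdoe = User("jdoe",
                accounts=[InstanceObject(directory, "access_policy", "certify", children=[
                    InstanceObject(domain_users, "access_policy", "certify"),
                    InstanceObject(domain_admins, "direct"),   # granted by an admin, never certified
                ])],
                role_assignments=[InstanceObject(help_desk, "request", "conditional")])
    asmith = User("asmith",
                  accounts=[InstanceObject(hr_portal, "access_policy", "certify", children=[
                      InstanceObject(self_service, "access_policy", "certify"),
                  ])],
                  role_assignments=[InstanceObject(employee, "access_policy", "certify")])
    return [jdoe, asmith]


if __name__ == "__main__":
    for login, level in run_job(build_sample_catalog()).items():
        print(login, level)   # jdoe High, asmith Low
```

In the sample, the single directly provisioned Domain Admins assignment is enough to mark jdoe's whole account, and then jdoe, as High, even though every other item is Low; asmith stays Low only because every item beneath the user is Low. That is the behaviour a reviewer should expect when using Risk Summaries to sort a certification.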

4.9.4 Creating Certifications

All certification definitions are centrally managed in the Oracle Identity Manager Administrative Console.

To create a new certification definition:

  1. Log into Oracle Identity System Administration with administrative rights.

  2. Go to Certifications, Certification Definitions, Create.

  3. Follow the steps outlined below through the wizard.

The following are the steps outlined in the wizard:

4.9.4.1 Certification Type

Enter the name of the certification, the certification type, and a description. There are four certification types, each aimed at a different kind of reviewer:

  1. User: Allows business managers to certify their direct reports and their access rights.

  2. Application Instance: Allows application instance owners to certify users with accounts in the application instances they own.

  3. Entitlement: Allows entitlement owners to review the users accessing the entitlements they own.

  4. Role: Allows role owners to certify role memberships and/or the associated role definitions (that is, access policies).

4.9.4.2 Base Selection

These options change based on the type of certification selected. For User certification, users belonging to organizations or matching a search criterion can be selected. Once the user population is finalized, selection constraints can be applied based on the risk levels and Risk Summaries of the users as well as of the roles, application instances, and entitlements they can access.

4.9.4.3 Content Selection

Once the population is selected, the content selection options allow or disallow the inclusion of users with all accounts; roles with varying levels of risk or selected roles only; application instances with varying levels of risk or selected applications only; and entitlements with varying levels of risk, entitlements outside roles, or selected entitlements only. These options control the access rights presented to reviewers during the review.

4.9.4.4 Configuration

These are configuration settings that pertain to each certification definition and are independent from the global configuration settings explained in Table 4-23, "General Configuration Settings". These are general settings that control the layout and certain actions associated to each certification definition and apply to that certification definition only.

4.9.4.5 Reviewers

This step involves the selection of Reviewers. Based on the certification type, the reviewer selection options change. For the User certification, a User manager, Organization Certifier or a selected user (using search) can be used to designate Reviewers to the certification definition. See Section 4.9.2, "Multi-Phased Review and Advanced Delegation" for information about multi-phased reviewers.

4.9.4.6 Incremental

This step controls whether the certification is of type Incremental. If Enabled is checked, then the certification definition takes into account user access rights that have changed since the previous certification cycle for that same certification definition. If Show Previous Values is Enabled, it will also show the previously certified user access rights, but they will be automatically certified. An Incremental Date Range can also be specified.

4.9.4.7 Summary

This page summarizes the configuration options selected while navigating the wizard and is for review purposes. Use the Back button to change any setting. Clicking Create generates the certification definition, schedules a job that runs the definition, and executes that job, so a certification based on the definition is produced immediately for review.

4.9.5 Scheduling Certifications

When the certification definition is created, a job is automatically scheduled and set to run immediately. This will produce the initial certification based on the definition. If you would like to run the definition again at a later time to regenerate the certification, or to setup a scheduled run of the definition, the Scheduler page can be used.

To schedule the certification definition to run at a certain time:

  1. Navigate to System Management, Scheduler, to search for the certification definition.

  2. Select the certification definition. The right hand pane displays the various scheduling options that are available. The schedule options include:

    1. Periodic: to run the certification on a periodic basis.

    2. Cron: allows the administrator to set a cron expression to run the certification at a desired time.

    3. Single: to run the certification once.

    4. No pre-defined schedule: which does not run the certification.

    5. Run Now: which runs the certification definition job immediately.

  3. Click Apply to apply the changes to the certification definition job scheduler.

4.9.6 Understanding Closed-Loop Remediation and Remediation Tracking

Closed-loop remediation is a feature that allows you to directly revoke roles and entitlements from the Oracle Identity Manager provisioning solution as a result of roles and entitlements revoked during the certification process. The remediation status can be tracked in the remediation-tracking module for auditing purposes.

Refer to the Section 4.9.1, "Identity Certification Configuration" to view how Closed Loop Remediation can be turned on for automated remediation.

The status of remediation of all access rights revoked in completed certifications can be tracked in the Certification Dashboard with the tracking ID that, when clicked, will display the status of remediation of the certification in Oracle Identity Manager (request tracking).

For all disconnected application instances, workflows can be configured in Oracle Identity Manager to route the revoked access rights to a ticketing system or an administrator for manual revocation.

4.9.7 Installing ADFDi Plug-in for Excel-Based Certification Sign-Off

For identity certifications to be exported to an Excel file for offline sign-off, the ADF Desktop Integration plug-in must be installed on the client systems, which must have a supported version of Microsoft Excel. Instructions to download, install, and configure the plug-in are available here:

DI Runtime Edition Setup Instructions:

http://docs.oracle.com/cd/E26098_01/web.1112/e16180/ap_enduseractions.htm#CIHJABEJ

DI Design-time Edition setup Instructions:

http://docs.oracle.com/cd/E26098_01/web.1112/e16180/inst_conf_dev_env.htm#CHDHJIIG

4.9.8 Prerequisites for Identity Certifications

For certifications to include user accounts and entitlements, the following prerequisite steps must be performed for each connector installed in Oracle Identity Manager:

  1. Log into Oracle Identity Manager Design Console.

  2. Under Development Tools, click Form Designer.

  3. Click Search. This will return the Form Designer table with a list of all available forms.

  4. Choose the parent form for each connector installed in the system. A parent form contains the field that stores the account name (user ID) in the target system, for example UD_ADUSER or UD_EBS_USER.

  5. Choose a form; it opens in a new Form Designer tab.

  6. Click Create New Version. Enter a name, for example "v2" in the popup window.

  7. Click Save and close the popup window.

  8. In the Current version drop down, make sure the newly created version "v2" is selected and click on the Properties tab.

  9. Locate the field that uniquely identifies the account in the target system. UserID, UserName, and AccountName are typical field names in the predefined connectors.

  10. Click Add Property and add the 'AccountName = true' property setting.

  11. Locate the ITResource field (most connectors will identify this with text ITResourceLookupField as a property) for the target system, click Add Property, and add the "ITResource = true" property setting.

  12. Save the parent form and click Make Version Active.

  13. Repeat for each resource.

4.10 Deinstalling Oracle Identity Manager on IBM WebSphere

To deinstall Oracle Identity Manager on WebSphere:

  1. Uninstall the WebSphere profiles related to Oracle Identity Manager. To do so:

    1. Stop all the servers, node managers, and deployment manager.

    2. Run the manageprofiles command of the WebSphere application server.

      Note:

      You must remove all augmentations from a profile before you delete the profile. Run the unaugment command twice before running the delete command. This ensures that the profile and all its related artefacts are deleted. After deleting a profile, manually delete the contents of the profile_root directory before attempting to re-create the profile. The commands are as shown:
      manageprofiles -unaugment -profileName PROFILE_NAME
      manageprofiles -unaugment -profileName PROFILE_NAME
      manageprofiles -delete -profileName PROFILE_NAME | -profilePath PROFILE_PATH
      
  2. Deinstall Oracle Identity and Access Management by referring to the section "Deinstalling the Oracle Identity and Access Management Oracle Home" of the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management. The instructions and commands in that section are written for Oracle WebLogic Server but apply equally to IBM WebSphere Application Server.

  3. Remove the database schemas. To do so:

    1. Run the Oracle Fusion Middleware Repository Creation Utility (RCU). For more information, refer to the following documents:

      • Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management

      • Oracle Fusion Middleware Repository Creation Utility User's Guide

    2. Click Next, and select Drop.

    3. Provide the database details.

    4. Select Oracle Identity Manager.

    5. Complete the steps in the wizard.
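
The following script is an added example for step 1 of the procedure above; it is not part of the Oracle documentation or of WebSphere. It wraps the unaugment-twice, delete, then clear-the-profile-root sequence in a function with the guards an administrator would want before running it on a live cell. It assumes WAS_HOME points at the WebSphere installation, that WAS_HOME/bin/manageprofiles.sh is the UNIX form of the manageprofiles command, and that -validateAndUpdateRegistry is used afterwards to drop registry entries for profiles whose directories no longer exist; none of these are stated on the page. DRY_RUN=1, the default, prints each command instead of executing it.

```sh
#!/bin/sh
# Added example, not from the Oracle documentation: profile removal for
# step 1 of Section 4.10 with guards. Assumptions: WAS_HOME is the
# WebSphere installation, manageprofiles.sh is the UNIX manageprofiles
# command, -validateAndUpdateRegistry cleans stale registry entries.

DRY_RUN="${DRY_RUN:-1}"
MANAGEPROFILES="${MANAGEPROFILES:-${WAS_HOME:-/opt/IBM/WebSphere/AppServer}/bin/manageprofiles.sh}"

# run CMD ARGS...: execute the command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'DRY-RUN: %s\n' "$*"
    else
        "$@"
    fi
}

# oim_profile_cleanup PROFILE_NAME PROFILE_ROOT
# Unaugments the profile twice, deletes it, clears the profile root so the
# profile can be re-created, then tidies the profile registry. Stop every
# server, node agent and the deployment manager before calling this.
oim_profile_cleanup() {
    profile_name="$1"
    profile_root="$2"
    if [ -z "$profile_name" ] || [ -z "$profile_root" ]; then
        echo "usage: oim_profile_cleanup PROFILE_NAME PROFILE_ROOT" >&2
        return 2
    fi
    # Refuse anything that is not an absolute, non-root path: the clean-up
    # step removes everything underneath PROFILE_ROOT.
    case "$profile_root" in
        /|/.|//) echo "refusing to clear the filesystem root" >&2; return 2 ;;
        /*) ;;
        *) echo "PROFILE_ROOT must be an absolute path: $profile_root" >&2; return 2 ;;
    esac

    # Remove all augmentations; the deinstall note requires two passes.
    run "$MANAGEPROFILES" -unaugment -profileName "$profile_name" || return 1
    run "$MANAGEPROFILES" -unaugment -profileName "$profile_name" || return 1
    # Delete the profile itself.
    run "$MANAGEPROFILES" -delete -profileName "$profile_name" || return 1
    # manageprofiles -delete leaves files behind; the page says to clear the
    # profile root by hand before re-creating the profile.
    run rm -rf "${profile_root%/}/"* "${profile_root%/}/".[!.]* || return 1
    # Drop registry entries whose profile directory is gone (assumed option).
    run "$MANAGEPROFILES" -validateAndUpdateRegistry
}

# Usage: DRY_RUN=0 sh oim_profile_cleanup.sh Custom01 /opt/IBM/WebSphere/AppServer/profiles/Custom01
if [ $# -ge 2 ]; then
    oim_profile_cleanup "$1" "$2"
fi
```

Run it once with the default DRY_RUN=1 and read the printed commands before running it with DRY_RUN=0; the rm step is the one that cannot be undone, which is why the function refuses relative paths and the filesystem root.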