7 Checklist for Deploying Oracle Identity Manager

This chapter contains a checklist for deploying Oracle Identity Manager with LDAP.

Table 7-1 Oracle Identity Manager Deployment Checklist

Each requirement is preceded by a check box ([ ]) to tick once it has been verified.

[ ] Ensure that a supported Oracle Database, an Oracle Middleware Home, and an LDAP installation are available.

[ ] During the installation phase, after the Repository Creation Utility (RCU) has been run to create the Oracle Identity Manager schema and its dependent schemas, verify that the authorization policies (the Oracle Identity Manager application stripe) have been seeded correctly, using the APM-UI (Authorization Policy Manager).

[ ] Ensure that the Oracle Identity Manager and SOA ports are not already in use. By default, the Oracle Identity Manager Server listens on 14000 and the SOA Server on 8001.

[ ] Ensure that the database-based OPSS security store is configured before running the Oracle Identity Manager configuration wizard.

[ ] If large pages are supported and enabled in the operating system, ensure that the JVM is started with the matching arguments:

    HotSpot JVM:

    -XX:+UseLargePages

    JRockit JVM:

    -XX:+UseLargePagesForHeap
    -XX:+ForceLargePagesForHeap

    On JRockit, when enabling large pages, do not use the argument -XX:+UseLargePagesForCode.

[ ] Oracle Identity Manager uses the ApplicationDB, oimOperationsDB, and oimJMSStoreDS data sources deployed on Oracle WebLogic Server. As a general guideline, ensure that the capacity of these data sources is increased as follows:

      • ApplicationDB: Initial Capacity=50; Minimum Capacity=50; Maximum Capacity=50; Inactive Connection Timeout=300 seconds.

      • oimOperationsDB: Initial Capacity=32; Minimum Capacity=32; Maximum Capacity=32; Inactive Connection Timeout=300 seconds.

      • oimJMSStoreDS: Initial Capacity=15; Minimum Capacity=15; Maximum Capacity=15; Inactive Connection Timeout=300 seconds.

    For more information about determining appropriate capacity values for your environment, see "Performance Tuning Guidelines and Diagnostics Collection for Oracle Identity Manager (OIM) (Doc ID 1539554.1)" on My Oracle Support.
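Checking these pool settings by hand in the console on every managed server is error-prone, so the following added Python script (example code, not from the Oracle documentation or product) reads the WebLogic JDBC descriptors of a domain and reports every pool parameter that differs from the values above. It assumes the descriptor layout of DOMAIN_HOME/config/jdbc/*-jdbc.xml: a jdbc-data-source root element in the http://xmlns.oracle.com/weblogic/jdbc-data-source namespace with a jdbc-connection-pool-params child holding initial-capacity, min-capacity, max-capacity and inactive-connection-timeout-seconds. The two embedded descriptors are constructed samples, not files from a real domain.

```python
import glob
import os
import sys
import xml.etree.ElementTree as ET

# Target pool settings from the checklist, keyed by data source name.
# The keys are the WebLogic JDBC descriptor element names (an assumption of this example).
RECOMMENDED = {
    "ApplicationDB":   {"initial-capacity": 50, "min-capacity": 50, "max-capacity": 50,
                        "inactive-connection-timeout-seconds": 300},
    "oimOperationsDB": {"initial-capacity": 32, "min-capacity": 32, "max-capacity": 32,
                        "inactive-connection-timeout-seconds": 300},
    "oimJMSStoreDS":   {"initial-capacity": 15, "min-capacity": 15, "max-capacity": 15,
                        "inactive-connection-timeout-seconds": 300},
}

NS = {"ds": "http://xmlns.oracle.com/weblogic/jdbc-data-source"}


def audit_datasource(descriptor_xml):
    """Compare one data source descriptor against RECOMMENDED.

    Returns (name, findings); an empty findings list means the pool matches.
    """
    root = ET.fromstring(descriptor_xml)
    name_el = root.find("ds:name", NS)
    if name_el is None or not (name_el.text or "").strip():
        raise ValueError("descriptor has no <name> element")
    name = name_el.text.strip()
    expected = RECOMMENDED.get(name)
    if expected is None:
        return name, []  # not one of the OIM data sources covered by the checklist
    pool = root.find("ds:jdbc-connection-pool-params", NS)
    findings = []
    for param, want in expected.items():
        el = pool.find("ds:" + param, NS) if pool is not None else None
        if el is None or not (el.text or "").strip():
            # Absent element: WebLogic falls back to its own, much lower, default.
            findings.append("%s not set (want %d)" % (param, want))
        elif int(el.text.strip()) != want:
            findings.append("%s=%s (want %d)" % (param, el.text.strip(), want))
    return name, findings


def audit_domain(domain_home):
    """Audit every descriptor under DOMAIN_HOME/config/jdbc; returns {name: findings}."""
    results = {}
    pattern = os.path.join(domain_home, "config", "jdbc", "*-jdbc.xml")
    for path in sorted(glob.glob(pattern)):
        with open(path) as fh:
            name, findings = audit_datasource(fh.read())
        results[name] = findings
    return results


# Constructed sample descriptors (not copied from a real domain).
SAMPLE_TUNED = """<jdbc-data-source xmlns="http://xmlns.oracle.com/weblogic/jdbc-data-source">
  <name>oimOperationsDB</name>
  <jdbc-connection-pool-params>
    <initial-capacity>32</initial-capacity>
    <max-capacity>32</max-capacity>
    <min-capacity>32</min-capacity>
    <inactive-connection-timeout-seconds>300</inactive-connection-timeout-seconds>
  </jdbc-connection-pool-params>
</jdbc-data-source>"""

SAMPLE_DEFAULT = """<jdbc-data-source xmlns="http://xmlns.oracle.com/weblogic/jdbc-data-source">
  <name>ApplicationDB</name>
  <jdbc-connection-pool-params>
    <initial-capacity>1</initial-capacity>
    <max-capacity>15</max-capacity>
  </jdbc-connection-pool-params>
</jdbc-data-source>"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = audit_domain(sys.argv[1])  # python audit_jdbc.py /path/to/DOMAIN_HOME
    else:
        results = dict(audit_datasource(x) for x in (SAMPLE_TUNED, SAMPLE_DEFAULT))
    for name, findings in results.items():
        print(name, "OK" if not findings else "; ".join(findings))
```

Run it against the domain home on each node after the configuration wizard has finished; the descriptors are shared by all managed servers, so one run per domain is enough, but a re-run after any console change catches a pool that was silently reset.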

[ ] Ensure that the default values of the JMS server properties Message Buffer Size and Messages Maximum are changed to the recommended values:

      • Message Buffer Size: 200 MB (209715200 bytes)

      • Messages Maximum: -1 (no limit) or any number not less than 400000

[ ] Ensure that the Maximum Threads Constraint of the OIMMDBWorkManager and OIMUIWorkManager work managers is set to 6 and 10, respectively.

[ ] Ensure that database indexes exist for all searchable user-defined fields (UDFs).

[ ] Review the SOA JVM memory tuning recommendations in "Tuning JVM Memory Settings for Oracle Identity Manager" and "Changing the Number of Open File Descriptors for UNIX (Optional)" in the Performance and Tuning Guide.

[ ] Ensure that multicast is supported between the Oracle Identity Manager cluster nodes and that ports 45566 and 3121 are open.

[ ] Ensure that the JMS file store is on shared storage or on a file system that is available to all Managed Servers in the Oracle Identity Manager cluster.

[ ] In a clustered deployment, ensure that the Clustered attribute of the XMLConfig.CacheConfig MBean is set to true, so that cache updates are propagated to every node.

    Use the MBean Browser in Fusion Middleware Control to locate the attribute under Application Defined MBeans-->oracle.iam-->XMLConfig.CacheConfig-->Cache-->Config-->oim--><version>-->Attributes-->Clustered.

    See also "Performance Tuning Guidelines and Diagnostics Collection for Oracle Identity Manager (Doc ID 1539554.1)" for more cache tuning options.

[ ] Ensure that OimExternalFrontEndURL (in the discoveryConfig section of oim-config.xml) is set to the external load balancer (LBR) URL, such as https://sso.mycompany.com:443, and that OimFrontEndURL is set to the internal URL, such as http://idminternal.mycompany.com:80.
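The two URLs are easy to confuse, and a plain-http or loopback value in OimExternalFrontEndURL is what ends up in the links users follow. The following added Python script (example code, not from the Oracle documentation or product) extracts both values from oim-config.xml and flags an external URL that is not https, either URL that points at loopback, and an internal URL that merely repeats the external host. It assumes that discoveryConfig holds OimFrontEndURL and OimExternalFrontEndURL as child elements and tolerates whatever namespace the root element declares; the two embedded fragments are constructed samples, and the namespace URI in them is an assumption.

```python
import sys
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def _local(tag):
    """Strip any XML namespace prefix from an element tag."""
    return tag.rsplit("}", 1)[-1]


def front_end_urls(oim_config_xml):
    """Return (OimFrontEndURL, OimExternalFrontEndURL) from the discoveryConfig section."""
    root = ET.fromstring(oim_config_xml)
    discovery = next((el for el in root.iter() if _local(el.tag) == "discoveryConfig"), None)
    if discovery is None:
        raise ValueError("oim-config.xml has no discoveryConfig section")
    urls = {_local(el.tag): (el.text or "").strip() for el in discovery}
    return urls.get("OimFrontEndURL", ""), urls.get("OimExternalFrontEndURL", "")


def check_front_end_urls(internal, external):
    """Return a list of findings; an empty list means both URLs meet the checklist."""
    findings = []
    ext = urlsplit(external) if external else None
    if not external:
        findings.append("OimExternalFrontEndURL is not set")
    else:
        if ext.scheme != "https":
            findings.append("OimExternalFrontEndURL is not https: users would reach OIM in cleartext")
        if ext.hostname in LOOPBACK:
            findings.append("OimExternalFrontEndURL points at loopback instead of the load balancer")
    if not internal:
        findings.append("OimFrontEndURL is not set")
    else:
        intl = urlsplit(internal)
        if intl.hostname in LOOPBACK:
            findings.append("OimFrontEndURL points at loopback; other cluster nodes cannot use it")
        if ext is not None and intl.hostname == ext.hostname:
            findings.append("OimFrontEndURL repeats the external host; set it to the internal name")
    return findings


def audit_oim_config(oim_config_xml):
    """Parse oim-config.xml and run the URL checks on it."""
    return check_front_end_urls(*front_end_urls(oim_config_xml))


# Constructed fragments of oim-config.xml (namespace URI and element names are assumed).
SAMPLE_GOOD = """<oimconfig xmlns="http://www.oracle.com/oim/OIMConfigMetadata">
  <discoveryConfig>
    <OimFrontEndURL>http://idminternal.mycompany.com:80</OimFrontEndURL>
    <OimExternalFrontEndURL>https://sso.mycompany.com:443</OimExternalFrontEndURL>
  </discoveryConfig>
</oimconfig>"""

SAMPLE_BAD = """<oimconfig xmlns="http://www.oracle.com/oim/OIMConfigMetadata">
  <discoveryConfig>
    <OimFrontEndURL>http://localhost:14000</OimFrontEndURL>
    <OimExternalFrontEndURL>http://oimhost1.mycompany.com:14000</OimExternalFrontEndURL>
  </discoveryConfig>
</oimconfig>"""

if __name__ == "__main__":
    # python audit_urls.py /path/to/exported/oim-config.xml (falls back to the bad sample)
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BAD
    for finding in audit_oim_config(xml_text) or ["OK"]:
        print(finding)
```

Export oim-config.xml from MDS before running the script; the copy on disk under the domain is not necessarily the live one.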

[ ] Ensure that each Oracle Identity Manager domain has its own unique multicast address that is not shared with other instances in the same subnet.

[ ] Ensure that your LDAP directory is preconfigured as an identity store, as described in the Installation Guide for Oracle Identity and Access Management.

[ ] Ensure that the identity store schema has been extended as required.

[ ] Ensure that the identity store is seeded with the required users, groups, and privileges, based on the input properties passed to idmConfigTool.

[ ] Ensure that all prerequisites for LDAP Sync configuration, as described in the Installation Guide for Oracle Identity and Access Management, are satisfied.

[ ] Verify that the physical LDAP directory is not used directly by Oracle Identity Manager.

    Note: If you configure LDAP Sync after configuring Oracle Identity Manager, or by manually editing the Directory Server IT Resource instance, set Server URL to the LDAP URL of Oracle Virtual Directory (OVD), or leave it blank. In the latter case, you must configure libOVD.

[ ] Ensure that the jpsContextName attribute is set to oim in the SOA and UMS configuration MBeans.

[ ] If you are deploying Oracle Identity Manager behind a load balancer or a web server, ensure that the Oracle Identity Manager front end URL and the SOA SOAP URL are configured with the load balancer or web server URL.

[ ] If SSL is used for communication between Oracle Identity Manager and SOA, ensure that the URLs use HTTPS and that the keystores in use contain the appropriate certificates: each side's trust store must hold the certificate chain presented by the other.

[ ] If SPML calls are not being processed, verify that the client invoking the SPML service uses Oracle Web Services Manager (Oracle WSM) client policies that are compatible with the server-side security policies.

[ ] If you are going to create custom scheduled tasks or change the default configuration of the Oracle Identity Manager Scheduler, review "Creating Custom Scheduled Tasks" in Administering Oracle Identity Manager.

[ ] Ensure that the system property Display Certification or Attestation is set to Certification or Both, so that certification is enabled.

[ ] Ensure that the log level is set to warning or a less verbose level.

    Note: By default, the Oracle loggers are set to the NOTIFICATION level. In most cases, this level is unnecessary and can be changed to warning (WARNING:1 in ODL notation) or a less verbose level such as ERROR:1.

[ ] Ensure that the catalog is synchronized with the base entities.

[ ] Ensure that you have determined the frequency at which the "Evaluate User Policies" scheduled task runs.

    Note: By default, this scheduled task runs every 10 minutes.

[ ] Ensure that you have reviewed the Usage Recommendation guidelines in the documentation before using Oracle Identity Manager connectors.

[ ] Ensure that the service account used by each connector for connectivity has the rights required for the operations it performs on the target system, and no more than those.

[ ] Ensure that the required firewall ports are open, including the Oracle Identity Manager, SOA, and cluster multicast ports listed above.

[ ] Ensure that LDAP replication is configured in Safe-Read mode.

[ ] Ensure that the LDAP password policies are more lenient than the Oracle Identity Manager password policies, so that every password accepted by Oracle Identity Manager is also accepted by the directory.

[ ] Increase the heap size and PermGen memory for production environments and monitor the memory usage pattern. Based on the observed usage, increase or decrease the memory settings.

    The following are the initial recommended values for the memory-related tuning parameters (HotSpot JVM and JRockit JVM):

      • Minimum heap size (-Xms): 4 GB

      • Maximum heap size (-Xmx): 4 GB

      • PermGen initial size (-XX:PermSize): 500m (not applicable to JRockit JVM)

      • PermGen maximum size (-XX:MaxPermSize): 1 GB (not applicable to JRockit JVM)
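The large-pages arguments earlier in this checklist and the heap and PermGen values in this item are both set through the same option string (typically USER_MEM_ARGS or JAVA_OPTIONS in setDomainEnv.sh), and a single wrong flag is easy to miss. The following added Python script (example code, not from the Oracle documentation or product) parses such an option string and reports every deviation from the checklist for either JVM: heap not fixed at 4 GB, PermGen values missing on HotSpot or present on JRockit, and the large-pages flags missing or, on JRockit, the forbidden -XX:+UseLargePagesForCode present. The flag names are those given in this checklist; the sample option strings are constructed, and treating anything below the recommended values as a finding is this example's choice.

```python
import re

GIB = 1024 ** 3
MIB = 1024 ** 2

# Initial recommendations from the checklist, in bytes.
RECOMMENDED = {"Xms": 4 * GIB, "Xmx": 4 * GIB, "PermSize": 500 * MIB, "MaxPermSize": 1 * GIB}

_SIZE_RE = re.compile(r"^(\d+)([kKmMgG]?)$")
_MULT = {"": 1, "k": 1024, "m": MIB, "g": GIB}


def parse_size(text):
    """Convert a JVM size literal such as 4g, 500m, 4096k or 1073741824 to bytes."""
    m = _SIZE_RE.match(text)
    if not m:
        raise ValueError("bad JVM size literal: %r" % text)
    return int(m.group(1)) * _MULT[m.group(2).lower()]


def parse_jvm_options(opts):
    """Split an option string into (sizes, flags).

    sizes maps Xms/Xmx/PermSize/MaxPermSize to bytes; flags maps an -XX boolean
    flag name to True for -XX:+Name and False for -XX:-Name.
    """
    sizes, flags = {}, {}
    for tok in opts.split():
        m = re.match(r"^-(Xms|Xmx)(\S+)$", tok)
        if m:
            sizes[m.group(1)] = parse_size(m.group(2))
            continue
        m = re.match(r"^-XX:(PermSize|MaxPermSize)=(\S+)$", tok)
        if m:
            sizes[m.group(1)] = parse_size(m.group(2))
            continue
        m = re.match(r"^-XX:([+-])(\w+)$", tok)
        if m:
            flags[m.group(2)] = m.group(1) == "+"
    return sizes, flags


def check_jvm_options(opts, jvm="hotspot", large_pages=True):
    """Return a list of findings; an empty list means the options meet the checklist.

    jvm is "hotspot" or "jrockit"; large_pages says whether the OS has large pages enabled.
    """
    if jvm not in ("hotspot", "jrockit"):
        raise ValueError("jvm must be 'hotspot' or 'jrockit'")
    sizes, flags = parse_jvm_options(opts)
    findings = []

    for key in ("Xms", "Xmx"):
        if key not in sizes:
            findings.append("%s is not set (recommended 4g)" % key)
        elif sizes[key] < RECOMMENDED[key]:
            findings.append("%s is below the recommended 4g" % key)
    if "Xms" in sizes and "Xmx" in sizes and sizes["Xms"] != sizes["Xmx"]:
        findings.append("Xms and Xmx differ; set both to 4g so the heap is not resized under load")

    if jvm == "hotspot":
        for key in ("PermSize", "MaxPermSize"):
            if key not in sizes:
                findings.append("-XX:%s is not set" % key)
            elif sizes[key] < RECOMMENDED[key]:
                findings.append("-XX:%s is below the recommended value" % key)
    else:
        for key in ("PermSize", "MaxPermSize"):
            if key in sizes:
                findings.append("-XX:%s is a HotSpot option; JRockit has no PermGen" % key)

    if large_pages:
        if jvm == "hotspot":
            if not flags.get("UseLargePages"):
                findings.append("OS large pages enabled but -XX:+UseLargePages is missing")
        else:
            for flag in ("UseLargePagesForHeap", "ForceLargePagesForHeap"):
                if not flags.get(flag):
                    findings.append("OS large pages enabled but -XX:+%s is missing" % flag)
            if flags.get("UseLargePagesForCode"):
                findings.append("-XX:+UseLargePagesForCode must not be used with large pages on JRockit")
    return findings


# Constructed sample option strings (not taken from a real setDomainEnv.sh).
HOTSPOT_OK = "-Xms4g -Xmx4g -XX:PermSize=500m -XX:MaxPermSize=1g -XX:+UseLargePages"
HOTSPOT_BAD = "-Xms1g -Xmx2g -XX:MaxPermSize=256m"
JROCKIT_BAD = "-Xms4g -Xmx4g -XX:+UseLargePagesForHeap -XX:+UseLargePagesForCode"

if __name__ == "__main__":
    for label, opts, jvm in (("hotspot-ok", HOTSPOT_OK, "hotspot"),
                             ("hotspot-bad", HOTSPOT_BAD, "hotspot"),
                             ("jrockit-bad", JROCKIT_BAD, "jrockit")):
        print(label, check_jvm_options(opts, jvm) or ["OK"])
```

Pass large_pages=False on hosts where the operating system does not have large pages enabled; the checklist only asks for the JVM flags when the OS supports them.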

[ ] Ensure that the SOA Coherence configuration for the Coherence cluster is done correctly.

    For more information about updating the SOA Coherence configuration for the Coherence cluster, see "Updating the Coherence Configuration for the Coherence Cluster" in the High Availability Guide.

[ ] Ensure that the User Messaging Service (UMS) mail configuration for notifications is done correctly.

    For more information about using UMS for notifications, see "Using UMS for Notification" in Administering Oracle Identity Manager.

[ ] Verify that the audit level system property XL.UserProfileAuditDataCollection is set to the intended audit level.

    For more information about the supported audit levels, see "Audit Levels" in Developing and Customizing Applications for Oracle Identity Manager.

    For more information about modifying the value of the system property, see "Managing System Properties" in Administering Oracle Identity Manager.

[ ] To avoid schema password expiration issues, verify that the database password expiration policy (profile) applied to the Oracle Identity Manager schema accounts is set appropriately.

    For more information, see "Options To Resolve The Expired OIM Schema Password In Oracle Database 11g (Doc ID 1326142.1)" on My Oracle Support.