3 Preparing an Existing Directory Service for Oracle Identity and Access Management

Use this chapter to prepare an existing and supported LDAP directory for use with Oracle Identity and Access Management.

For information about when you need to perform the procedures in this chapter, see Section 2.3, "Understanding the Directory Server Requirements for Oracle Identity and Access Management".

This chapter contains the following sections:

3.1 Preparing an Existing OUD or OID Directory Service for Use with an Automated Oracle Identity and Access Management Deployment

To set up the directory instances for OUD and OID, perform the following tasks:

3.1.1 About the idmConfigTool_STA Script

Before you can use an existing directory service as part of an Oracle Identity and Access Management deployment, you must prepare the directory by adding the required users, groups, containers and other required artifacts.

To perform this task, you use a special, standalone version of the idmConfigTool script, which is packaged as part of the LCM Tools.

The standalone version of the idmConfigTool script is called idmConfigTool_STA, and it is installed in the following location in the LCM Tools Oracle home (IDMLCM_HOME) when you install the LCM Tools:

IDMLCM_HOME/existing_directory/idmtools/bin

For more information about locating this directory and running the idmConfigTool_STA script, see the following sections.

3.1.2 Setting up Environment Variables to Run the idmConfigTool_STA Script

Before you can run the idmConfigTool_STA script, you must set the following operating system environment variables. Set these variables in the same terminal window you will use to run the idmConfigTool_STA script:

  • ORACLE_HOME

    Set this variable to the following directory:

    IDMLCM_HOME/existing_directory
    

    In this example, replace IDMLCM_HOME with the value of the IDMLCM_HOME variable in Section 2.5, "About the Deployment Repository and LCM Tools Directory Structure".

    Note that for most LCM Tools operations, the Oracle home is typically considered the value of IDMLCM_HOME, but to run the idmConfigTool_STA script, you must set this value to the existing_directory subdirectory inside IDMLCM_HOME.

  • JAVA_HOME

    The complete path to a supported Java Development Kit (JDK). Note that a supported JDK can be obtained from the repository shipped with the LCM Tools (IDMLCM).

3.1.3 Editing the Properties File for the idmConfigTool_STA Script

The LCM Tools provide a properties file that you use to provide input to the idmConfigTool_STA script. The file is installed in the following location inside the LCM Tools Oracle home:

IDMLCM_HOME/existing_directory/idmtools/input_parameters.properties

Open the input_parameters.properties file with a text editor and follow the instructions in the file.

For each parameter, provide a value, so the idmConfigTool_STA script can locate and connect to the directory service and then make the required changes to the directory.

Note that the input_parameters.properties file contains two specific sections:

  • The preConfigIDStore properties

  • The prepareIDStore properties

Many of the properties in the preConfigIDStore section of the file have default values, but review every value: some properties, such as the host name, must be changed, while for others you can keep the default if it applies to your environment.

Most of the values in the prepareIDStore section of the file can be left as is. They represent standard values for Directory Service data required by each of the Oracle Identity and Access Management components. For example, the default values expected for Oracle Access Manager are shown in the section marked #OAM.

3.1.4 Preparing a Password File

The idmConfigTool_STA script requires passwords to connect to the LDAP directory and to connect to the WebLogic Administration Server. It also requires you to create new passwords for the system and administrative accounts that it creates in the LDAP directory.

You can provide these passwords in one of two ways:

  • You can interactively provide the passwords when prompted by idmConfigTool_STA script.

    OR

  • You can create a password file that is provided as an input file to the idmConfigTool_STA script.

If you create a password file, you can run the idmConfigTool_STA script without human interaction.

To create a password file:

  1. Use a text editor to create a text file.

    You can use any file name or location, as long as it is accessible to the idmConfigTool_STA script.

  2. Enter the following password values in the file:

    IDSTORE_PASSWD: your_value
    IDSTORE_PWD_READONLYUSER: your_value
    IDSTORE_PWD_READWRITEUSER: your_value
    IDSTORE_PWD_SUPERUSER: your_value
    IDSTORE_PWD_OAMSOFTWAREUSER: your_value
    IDSTORE_PWD_OAMADMINUSER: your_value
    IDSTORE_PWD_OAMOBLIXUSER: your_value
    IDSTORE_PWD_OIMADMINUSER: your_value
    IDSTORE_ADMIN_PASSWD: your_value
    WLSPASSWD: your_value
    IDSTORE_PWD_XELSYSADMINUSER: your_value
    IDSTORE_PWD_WEBLOGICADMINUSER: your_value
    

Note that the values you enter in this password file are encrypted when you run the idmConfigTool_STA script. Until then the file contains the passwords in clear text, so create it with permissions that allow access only to the operating system user that runs the script (for example, chmod 600 on Linux and UNIX systems), and remove it once the directory preparation is complete.

3.1.5 Running the preConfigIDStore Command

Running the preConfigIDStore command seeds the required object classes into the LDAP directory.

Run the following command to perform this task:

  1. Change directory to the following location in the IDM LCM Tools Oracle home:

    cd IDMLCM_HOME/existing_directory/idmtools/bin/
    
  2. Run the idmConfigTool_STA script as follows:

    ./idmConfigTool_STA.sh -preConfigIDStore \
           input_file=input_parameters.properties \
           pwd_file=password_input_file \
           log_file=log_file_name
    

    Note:

    In this example, be sure to provide a name and location for the log file that the idmConfigTool_STA script will create. The script does not report errors on the command line. The only way to verify that the script completed successfully is to review the log file and search for SEVERE log entries.

3.1.6 Running the prepareIDStore Command

Running the prepareIDStore command creates the required users, groups, containers, and other required artifacts in LDAP directory.

Run the following commands to perform this task:

  1. Change directory to the following location in the IDM LCM Tools Oracle home:

    cd IDMLCM_HOME/existing_directory/idmtools/bin
    
  2. Run the idmConfigTool_STA script once for each of the primary components, Oracle WebLogic Server, Oracle Access Manager, and Oracle Identity Manager, as applicable to your specific topology.

    You must always run the script for Oracle WebLogic Server (WLS), but run the Oracle Access Manager (OAM) and Oracle Identity Manager commands only if they apply to your topology:

    ./idmConfigTool_STA.sh -prepareIDStore \
          mode=WLS \
          input_file=input_parameters.properties \
          pwd_file=password_input_file \
          log_file=log_file_name
    
    ./idmConfigTool_STA.sh -prepareIDStore \
          mode=OAM \
          input_file=input_parameters.properties \
          pwd_file=password_input_file \
          log_file=log_file_name
    
    ./idmConfigTool_STA.sh -prepareIDStore \
          mode=OIM \
          input_file=input_parameters.properties \
          pwd_file=password_input_file \
          log_file=log_file_name
    

    In this example, be sure to provide a name and location for the log file that the idmConfigTool_STA script will create, and use a different log file for each run so that the results of one step are not overwritten by the next. The script does not report errors on the command line. The only way to verify that each run completed successfully is to review its log file and search for SEVERE log entries.

3.1.7 Ensuring the Success of Running idmConfigTool

The idmConfigTool_STA script does not display errors or provide a return code. The only way to ensure that an operation completed successfully is to confirm that the log it generated contains no SEVERE entries.

The location of the log file is determined by the value you assigned to the log_file argument on the idmConfigTool_STA command line. For more information, see Section 3.1.5 and Section 3.1.6.
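The checks that Sections 3.1.4 through 3.1.7 leave to the operator (owner-only permissions on the password file, a separate log for every step, and a scan of each log for SEVERE entries before the next step is started) can be automated. The following script is an added example written for this page; it is not part of the LCM Tools. The file name run_idmconfig.py, the ./logs directory, the assumption that a failed step always leaves a line containing SEVERE in the log, and the assumption of a Linux or UNIX host are made here; the command-line syntax it issues is the one shown in Sections 3.1.5 and 3.1.6.

```python
"""Added example, not Oracle's own code: drive the idmConfigTool_STA steps from
Sections 3.1.4 to 3.1.7 so that each step yields a real pass/fail result.

Assumptions that are not stated on the page: the host is Linux or UNIX (the tool
is a .sh script), a failed step leaves a line containing the word SEVERE in the
log, and the password file is the plain "KEY: value" text file from Section 3.1.4.
"""
import os
import re
import stat
import subprocess
from pathlib import Path

SEVERE = re.compile(r"\bSEVERE\b")


def insecure_mode_bits(path):
    """Group/other permission bits set on path; 0 means owner-only (chmod 600).

    The password file holds the passwords in clear text until the tool has
    consumed it, so any group or world access is a finding.
    """
    return os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO)


def severe_entries(log_path):
    """SEVERE lines from an idmConfigTool_STA log; a missing or empty log counts
    as a failure because the log is the only evidence the tool produces."""
    p = Path(log_path)
    if not p.is_file() or p.stat().st_size == 0:
        return [f"log file {log_path} is missing or empty"]
    with p.open(encoding="utf-8", errors="replace") as fh:
        return [line.rstrip("\n") for line in fh if SEVERE.search(line)]


def run_step(tool, args, pwd_file, log_path, cwd=None):
    """Run one invocation, e.g. args=["-prepareIDStore", "mode=WLS"], writing its
    own log file. tool is the script path, or a list such as
    ["sh", "idmConfigTool_STA.sh"]. Returns (ok, problems)."""
    if insecure_mode_bits(pwd_file):
        return False, [f"{pwd_file} is readable by group/others; chmod 600 it first"]
    cmd = [*([tool] if isinstance(tool, str) else tool), *args,
           "input_file=input_parameters.properties",
           f"pwd_file={pwd_file}", f"log_file={log_path}"]
    proc = subprocess.run(cmd, cwd=cwd)
    problems = severe_entries(log_path)
    if proc.returncode != 0:            # the tool normally exits 0 even on failure
        problems.append(f"{cmd[0]} exited with status {proc.returncode}")
    return not problems, problems


def run_all(tool, pwd_file, log_dir, modes=("WLS", "OAM", "OIM"), cwd=None):
    """preConfigIDStore, then prepareIDStore for each mode in order, stopping at
    the first failure because later steps build on earlier ones.
    Returns {step_name: problems}; a step that was not reached is absent."""
    log_dir = Path(log_dir)
    log_dir.mkdir(parents=True, exist_ok=True)
    steps = [("preConfigIDStore", ["-preConfigIDStore"])]
    steps += [(f"prepareIDStore_{m}", ["-prepareIDStore", f"mode={m}"]) for m in modes]
    results = {}
    for name, args in steps:
        ok, problems = run_step(tool, args, pwd_file, log_dir / f"{name}.log", cwd)
        results[name] = problems
        if not ok:
            break
    return results


if __name__ == "__main__":
    # Usage from IDMLCM_HOME/existing_directory/idmtools/bin, with ORACLE_HOME and
    # JAVA_HOME already exported as in Section 3.1.2:
    #   python3 run_idmconfig.py /secure/path/passwords.txt WLS OAM
    import sys
    if len(sys.argv) < 2:
        sys.exit("usage: run_idmconfig.py PASSWORD_FILE [MODE ...]")
    modes = sys.argv[2:] or ("WLS",)
    for step, problems in run_all("./idmConfigTool_STA.sh", sys.argv[1], "./logs", modes).items():
        print(step, "OK" if not problems else "FAILED: " + "; ".join(problems))
```

Run it from the bin directory after exporting ORACLE_HOME and JAVA_HOME. A non-empty problem list for a step is the signal to stop and read that step's log; the script refuses to start at all while the password file is readable by anyone but its owner, which is the check the tool itself does not make.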

3.2 Preparing an Existing Microsoft Active Directory Instance for Use with Oracle Identity and Access Management

To set up an existing Active Directory instance, perform the following tasks:

About Enabling SSL for Active Directory:

If you are deploying an OAM and OMSS topology, then you can optionally enable SSL for the Active Directory, using the additional setup instructions in Section 3.3.

If you are deploying an integrated OIM, OAM, and OMSS topology, then you must enable SSL for the Active Directory, using the additional setup instructions in Section 3.3.

3.2.1 Adding the Required Schemas to the Active Directory Instance

The first step in preparing an existing Active Directory instance for an automatic deployment with the LCM Tools is to load the required schemas into the directory.

Oracle provides the schemas as a set of LDIF files that you can edit and then import into the Active Directory instance.

To load the schemas into the existing Active Directory instance:

  1. Change to the following directory in the LCM Tools home directory (IDMLCM_HOME):

    IDMLCM_HOME/existing_directories/idmtools/templates/ad/
    

    Note:

    If you are deploying Oracle Identity and Access Management manually, without the LCM Tools, then the schema LDIF files can be found in the following directory in the Oracle Identity and Access Management Oracle home after you install the software:
    IAM_ORACLE_HOME/oam/server/oim-intg/ldif/ad/schema/
    
  2. Open the LDIF files required for your topology with a text editor and replace all occurrences of <domain-dn> with the distinguished name (DN) for your organization:

    • If you are planning to deploy an OAM and OMSS topology, then edit the following LDIF files:

      AD_OracleSchema.ldif
      AD_OblixSchema.ldif
      

      Note:

      If you are planning to use OMSS and Active Directory without the OAM password management functionality, then it is not mandatory to use the AD_OracleSchema and AD_OblixSchema LDIF files to extend the Active Directory schema.
    • If you are planning to deploy an integrated OIM, OAM, and OMSS topology, then edit the following LDIF files:

      AD_OracleSchema.ldif
      AD_UserSchema.ldif
      AD_oam_pwd_schema_add.ldif
      
  3. Use your standard procedures to import the applicable LDIF files into the Active Directory instance.

    For more information about loading an LDIF file, refer to the Active Directory documentation.

3.2.2 Creating the Required Containers in the Active Directory Instance

After you install the required schemas in an existing Active Directory instance, you can then create the required containers within the directory instance.

To create the required containers:

  1. Create a new LDIF file that can be used to create the containers required for your topology.

    • If you are planning to deploy an OAM and OMSS topology, then create an .ldif file as shown in Example 3-1.

    • If you are planning to deploy an integrated OIM, OAM, and OMSS topology, then create an .ldif file as shown in Example 3-2.

    Note that both sample .ldif files use the following as a placeholder for the actual domain container for your organization. Be sure to replace the following with the information applicable to your environment:

    dc=example,dc=com
    
  2. Use your standard procedures to import the LDIF file into the Active Directory instance.

Example 3-1 Sample LDIF File Used to Create Containers for an OAM and OMSS Deployment

dn: cn=Groups,dc=example,dc=com
changetype: add
cn: Groups
objectclass: container

dn: cn=SystemIDs,dc=example,dc=com
changetype: add
cn: SystemIDs
objectclass: container

dn: cn=orclFAUserReadPrivilegeGroup,cn=Groups,dc=example,dc=com
changetype: add
cn: orclFAUserReadPrivilegeGroup
objectclass: group

dn: cn=orclFAUserWritePrivilegeGroup,cn=Groups,dc=example,dc=com
changetype: add
cn: orclFAUserWritePrivilegeGroup
objectclass: group

dn: cn=orclFAUserWritePrefsPrivilegeGroup,cn=Groups,dc=example,dc=com
changetype: add
cn: orclFAUserWritePrefsPrivilegeGroup
objectclass: group

dn: cn=orclFAGroupReadPrivilegeGroup,cn=Groups,dc=example,dc=com
changetype: add
cn: orclFAGroupReadPrivilegeGroup
objectclass: group

dn: cn=orclFAGroupWritePrivilegeGroup,cn=Groups,dc=example,dc=com
changetype: add
cn: orclFAGroupWritePrivilegeGroup
objectclass: group

dn: cn=orclFAOAMUserWritePrivilegeGroup,cn=Groups,dc=example,dc=com
changetype: add
cn: orclFAOAMUserWritePrivilegeGroup
objectclass: group

dn: cn=IDM Administrators,cn=Groups,dc=example,dc=com
changetype: add
cn: IDM Administrators
objectclass: group

dn: cn=OAMAdministrators,cn=Groups,dc=example,dc=com
changetype: add
cn: OAMAdministrators
objectclass: group

Example 3-2 Sample LDIF File to Create Containers for an Integrated OIM, OAM, and OMSS Topology

dn: cn=Groups,dc=example,dc=com
changetype: add
cn: Groups
objectclass: container

dn: cn=SystemIDs,dc=example,dc=com
changetype: add
cn: SystemIDs
objectclass: container

dn: cn=reserve,cn=Groups,dc=example,dc=com
changetype: add
cn: reserve
objectclass: container

dn: cn=orclFAUserReadPrivilegeGroup,cn=Groups,dc=example,dc=com
changetype: add
cn: orclFAUserReadPrivilegeGroup
objectclass: group

dn: cn=orclFAUserWritePrivilegeGroup,cn=Groups,dc=example,dc=com
changetype: add
cn: orclFAUserWritePrivilegeGroup
objectclass: group

dn: cn=orclFAGroupReadPrivilegeGroup,cn=Groups,dc=example,dc=com
changetype: add
cn: orclFAGroupReadPrivilegeGroup
objectclass: group

dn: cn=orclFAGroupWritePrivilegeGroup,cn=Groups,dc=example,dc=com
changetype: add
cn: orclFAGroupWritePrivilegeGroup
objectclass: group

dn: cn=orclFAOAMUserWritePrivilegeGroup,cn=Groups,dc=example,dc=com
changetype: add
cn: orclFAOAMUserWritePrivilegeGroup
objectclass: group

dn: cn=IDM Administrators,cn=Groups,dc=example,dc=com
changetype: add
cn: IDM Administrators
sAMAccountName: IDM Administrators
objectclass: group

dn: cn=OAMAdministrators,cn=Groups,dc=example,dc=com
changetype: add
cn: OAMAdministrators
sAMAccountName: OAMAdministrators
objectclass: group

dn: cn=OIMAdministrators,cn=Groups,dc=example,dc=com
changetype: add
cn: OIMAdministrators
sAMAccountName: OIMAdministrators
objectclass: group

dn: cn=BIReportAdministrator,cn=Groups,dc=example,dc=com
changetype: add
cn: BIReportAdministrator
sAMAccountName: BIReportAdministrator
objectclass: group

3.2.3 Adding Access Control Lists (ACLs) to the Containers in Active Directory

After you create the required containers in the Active Directory instance, you can then set the privileges for each container, using Access Control Lists (ACLs).

Follow the instructions in the following article on the Microsoft TechNet Web site to add the ACLs listed in Example 3-3:

http://technet.microsoft.com/en-us/library/cc757520%28v=ws.10%29.aspx

Example 3-3 List of ACLs for the Required Active Directory Containers

orclFAUserReadPrivilegeGroup : Read privileges to users container
orclFAUserWritePrivilegeGroup : Write privileges to users container
orclFAGroupReadPrivilegeGroup : Read privileges to groups container
orclFAGroupWritePrivilegeGroup : Write privileges to groups container
orclFAOAMUserWritePrivilegeGroup : Write privileges to users and groups container

3.2.4 Creating Users in the Active Directory Instance

After you have created the containers within the Active Directory instance, then you can create the required users:

  1. Create a new LDIF file that can be used to create the users required for your topology:

    • If you are planning to deploy an OAM and OMSS topology, then create an .ldif file as shown in Example 3-4.

    • If you are planning to deploy an integrated OIM, OAM, and OMSS topology, then create an .ldif file as shown in Example 3-5.

    Note that both sample .ldif files use the following as a placeholder for the actual domain container for your organization. Be sure to replace the following with the information applicable to your environment:

    dc=example,dc=com
    @example.com
    
  2. Use your standard procedures to import the LDIF file into the Active Directory instance.

Example 3-4 Sample LDIF File for Adding Users to the Active Directory Instance for an OAM and OMSS Topology

dn: cn=weblogic_idm,cn=Users,dc=example,dc=com
changetype: add
cn: weblogic_idm
objectClass: user
samAccountName: weblogic_idm
givenName: weblogic_idm
sn: weblogic_idm
userPrincipalName: weblogic_idm@example.com
  
dn: cn=oamadmin,cn=Users,dc=example,dc=com
changetype: add
cn: oamadmin
objectClass: user
samAccountName: oamadmin
givenName: oamadmin
sn: oamadmin
userPrincipalName: oamadmin@example.com
 
dn: cn=OblixAnonymous,dc=example,dc=com
changetype: add
cn: OblixAnonymous
objectClass: user
samAccountName: OblixAnonymous
givenName: OblixAnonymous
sn: OblixAnonymous
userPrincipalName: oblixanonymous@example.com
 
dn: cn=oamLDAP,cn=systemids,dc=example,dc=com
changetype: add
cn: oamLDAP
objectClass: user
samAccountName: oamLDAP
givenName: oamLDAP
sn: oamLDAP
userPrincipalName: oamldap@example.com

Example 3-5 Sample LDIF File to Create Users in an Active Directory Instance for an Integrated OIM, OAM, and OMSS Topology

dn: cn=weblogic_idm,cn=Users,dc=example,dc=com
changetype: add
objectClass: user
samAccountName: weblogic_idm
givenName: weblogic_idm
sn: weblogic_idm
cn: weblogic_idm
userPrincipalName: weblogic_idm@example.com
 
dn: cn=xelsysadm,cn=Users,dc=example,dc=com
changetype: add
objectClass: user
samAccountName: xelsysadm
givenName: xelsysadm
sn: xelsysadm
cn: xelsysadm
userPrincipalName: xelsysadm@example.com
 
dn: cn=oamadmin,cn=Users,dc=example,dc=com
changetype: add
objectClass: user
samAccountName: oamadmin
givenName: oamadmin
sn: oamadmin
cn: oamadmin
userPrincipalName: oamadmin@example.com
 
dn: cn=OblixAnonymous,dc=example,dc=com
changetype: add
objectClass: user
samAccountName: OblixAnonymous
givenName: OblixAnonymous
sn: OblixAnonymous
cn: OblixAnonymous
userPrincipalName: oblixanonymous@example.com
 
dn: cn=oamLDAP,cn=systemids,dc=example,dc=com
changetype: add
objectClass: user
samAccountName: oamLDAP
givenName: oamLDAP
sn: oamLDAP
cn: oamLDAP
userPrincipalName: oamLDAP@example.com
 
dn: cn=oimLDAP,cn=systemids,dc=example,dc=com
changetype: add
objectClass: user
samAccountName: oimLDAP
givenName: oimLDAP
sn: oimLDAP
cn: oimLDAP
userPrincipalName: oimLDAP@example.com

3.2.5 Adding User Memberships to Groups in an Active Directory Instance

After you have created the users in the Active Directory instance, add each user to the appropriate group:

  • For an OAM and OMSS topology, the groups and their associated users are shown in Section 3.2.5.1.

  • For an integrated OIM, OAM, and OMSS deployment, the groups and their associated users are shown in Section 3.2.5.2.

For instructions on adding users to groups, see the following article on the Microsoft TechNet Web site:

https://technet.microsoft.com/en-us/library/cc737130%28v=ws.10%29.aspx

3.2.5.1 Summary of the Groups and Users for an OAM and OMSS Deployment

For an OAM and OMSS deployment, use the following list to assign the required users to each group:

  • cn=IDM Administrators,cn=Groups,dc=example,dc=com

    • cn=oamadministrators,cn=groups,dc=example,dc=com

    • cn=weblogic_idm,cn=users,dc=example,dc=com

  • cn=OAMAdministrators,cn=Groups,dc=example,dc=com

    • cn=oamadmin,cn=users,dc=example,dc=com

  • cn=orclFAGroupReadPrivilegeGroup,cn=Groups,dc=example,dc=com

    • cn=oamldap,cn=systemids,dc=example,dc=com

  • cn=orclFAOAMUserWritePrivilegeGroup,cn=Groups,dc=example,dc=com

    • cn=oamldap,cn=systemids,dc=example,dc=com

  • cn=orclFAUserReadPrivilegeGroup,cn=Groups,dc=example,dc=com

    • cn=oamldap,cn=systemids,dc=example,dc=com

3.2.5.2 Summary of the Groups and Users for an Integrated OIM, OAM, and OMSS Deployment

For an integrated OIM, OAM, and OMSS topology, use the following list to assign the required users to each group:

  • cn=IDM Administrators,cn=Groups,dc=example,dc=com

    • cn=oamadministrators,cn=groups,dc=example,dc=com

    • cn=weblogic_idm,cn=users,dc=example,dc=com

  • cn=OAMAdministrators,cn=Groups,dc=example,dc=com

    • cn=oamadmin,cn=users,dc=example,dc=com

  • cn=OIMAdministrators,cn=Groups,dc=example,dc=com

    • cn=oimldap,cn=systemids,dc=example,dc=com

  • cn=orclFAGroupReadPrivilegeGroup,cn=Groups,dc=example,dc=com

    • cn=oamldap,cn=systemids,dc=example,dc=com

  • cn=orclFAOAMUserWritePrivilegeGroup,cn=Groups,dc=example,dc=com

    • cn=oamldap,cn=systemids,dc=example,dc=com

  • cn=orclFAUserReadPrivilegeGroup,cn=Groups,dc=example,dc=com

    • cn=oamldap,cn=systemids,dc=example,dc=com

  • cn=BIReportAdministrator,cn=Groups,dc=example,dc=com

    • cn=xelsysadm,cn=Users,dc=example,dc=com
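An LDIF import into Active Directory is rejected record by record, at import time, so a record whose parent container does not exist yet, or whose DN carries a mistyped attribute type, leaves the directory half-populated. It therefore pays to check the container and user files from Sections 3.2.2 and 3.2.4 before importing them, and to express the memberships from Section 3.2.5 as LDIF modify records rather than as GUI steps. The following Python script is an added example written for this page, not Oracle's or Microsoft's code. It assumes that the domain root and cn=Users already exist in the domain, that membership is recorded in the AD member attribute, and that the generated records are applied with ldifde or ldapmodify; SAMPLE_LDIF is constructed for the example and deliberately contains a cd= typo in a DN and a userPrincipalName without a domain suffix.

```python
"""Added example, not Oracle's code: a pre-flight check for the hand-written
container and user LDIF files from Sections 3.2.2 and 3.2.4, plus generation of
the group memberships from Section 3.2.5 as LDIF modify records.

Assumptions that do not come from the page: the domain root and cn=Users exist
before the import; membership is written to the AD 'member' attribute; the output
is applied with ldifde or ldapmodify. SAMPLE_LDIF is constructed for this example.
"""
import re

BASE_DN = "dc=example,dc=com"
PRE_EXISTING = {BASE_DN, f"cn=Users,{BASE_DN}"}   # assumed to exist in the domain


def norm_dn(dn):
    """Comparison form: AD DNs are case-insensitive and tolerate spaces after
    commas, so cn=oamLDAP,cn=systemids and cn=oamldap, cn=SystemIDs are equal."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_ldif(text):
    """Parse LDIF records into dicts of {attribute: [values]} (keys lowercased).
    Continuation lines (leading space, RFC 2849) are joined to the previous line."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, current = [], {}
    for line in unfolded + [""]:           # trailing "" flushes the last record
        if not line.strip() or line.startswith("#"):
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def check_entries(entries):
    """Return human-readable problems; an empty list means the file is safe to
    import. Records are checked in file order, so a child that appears before
    its parent is reported too."""
    problems = []
    known = {norm_dn(d) for d in PRE_EXISTING}
    for e in entries:
        dn = e.get("dn", [""])[0]
        if not dn:
            problems.append("record without dn")
            continue
        for rdn in dn.split(","):          # catches attribute typos such as cd=
            if not re.fullmatch(r"\s*(cn|ou|dc)=.+", rdn, re.IGNORECASE):
                problems.append(f"{dn}: unexpected RDN '{rdn.strip()}'")
        parent = norm_dn(dn.partition(",")[2])
        if parent not in known:
            problems.append(f"{dn}: parent {parent} does not exist at this point")
        if "user" in [c.lower() for c in e.get("objectclass", [])]:
            upn = e.get("userprincipalname", [""])[0]
            if "@" not in upn:
                problems.append(f"{dn}: userPrincipalName '{upn}' is not user@domain")
        known.add(norm_dn(dn))
    return problems


def membership_ldif(memberships, entries):
    """Return (ldif_text, problems): one changetype: modify record per member,
    emitted only when both the group and the member DN are known."""
    known = {norm_dn(d) for d in PRE_EXISTING}
    known |= {norm_dn(e["dn"][0]) for e in entries if "dn" in e}
    records, problems = [], []
    for group, members in memberships.items():
        if norm_dn(group) not in known:
            problems.append(f"group {group} is not created by the LDIF files")
            continue
        for member in members:
            if norm_dn(member) not in known:
                problems.append(f"member {member} of {group} does not exist")
                continue
            records.append(f"dn: {group}\nchangetype: modify\nadd: member\nmember: {member}\n-\n")
    return "\n".join(records), problems


# Constructed sample: the last record has a 'cd=' typo in its DN and a bare UPN.
SAMPLE_LDIF = """\
dn: cn=Groups,dc=example,dc=com
changetype: add
objectclass: container

dn: cn=OAMAdministrators,cn=Groups,dc=example,dc=com
changetype: add
sAMAccountName: OAMAdministrators
objectclass: group

dn: cn=oamadmin,cn=Users,dc=example,dc=com
changetype: add
objectClass: user
samAccountName: oamadmin
userPrincipalName: oamadmin@example.com

dn: cn=oamLDAP,cn=systemids,cd=example,dc=com
changetype: add
objectClass: user
samAccountName: oamLDAP
userPrincipalName: oamldap
"""

SAMPLE_MEMBERSHIPS = {
    "cn=OAMAdministrators,cn=Groups,dc=example,dc=com": ["cn=oamadmin,cn=users,dc=example,dc=com"],
}

if __name__ == "__main__":
    records = parse_ldif(SAMPLE_LDIF)
    for p in check_entries(records):
        print("PROBLEM:", p)
    ldif, problems = membership_ldif(SAMPLE_MEMBERSHIPS, records)
    print(ldif if not problems else "\n".join(problems))
```

Point check_entries at the real container file first and the user file second (the users depend on the SystemIDs container), and generate the membership records only once both checks return no problems. DN comparison in the script is case-insensitive, as it is in Active Directory, which is why the mixed-case DNs in the lists of Section 3.2.5 resolve to the entries created in the preceding examples.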

3.2.6 Assigning Administrator Privileges to the OIMAdministrators Group

For integrated OIM, OAM, and OMSS deployments, add the OIMAdministrators group to the Administrators group, as follows:

  1. In Active Directory Users and Computers, right-click the OIMAdministrators group.

  2. Select Properties from the context menu.

  3. Select the Member Of tab.

  4. Click Add and use the Select Groups dialog box to add Administrators.

  5. Click OK to close the Select Groups dialog box.

  6. Click Apply to apply your changes.

3.2.7 Resetting User Passwords in an Active Directory Instance

After you have created the required users and assigned them to the appropriate groups, you should reset the user passwords.

To reset the user passwords, see the following article on the Microsoft TechNet Web site:

http://technet.microsoft.com/en-in/library/cc782255%28v=ws.10%29.aspx

Note that when you reset the password for each of the required Oracle Identity and Access Management users in the directory, clear the User must change password at next logon check box.

3.2.8 Enabling User Accounts in an Active Directory Instance

After you have created the containers, set the ACLs, added the users, assigned them to the proper groups, and reset the user passwords, you can then enable the user accounts:

  1. From the Start menu, select Administrative Tools, and then Active Directory Users and Computers.

  2. Click each container that contains the users you have created.

  3. From the Details pane, right-click each user and select Enable Account.

3.2.9 Setting the LockoutThreshold in Active Directory

To ensure the proper behavior when a user enters the wrong password multiple times, it is important that you configure the LockoutThreshold value for Active Directory to match the security settings of the Oracle Identity and Access Management software.

In most cases, it is best to set the Active Directory LockoutThreshold to 10. However, after you deploy Oracle Identity and Access Management, check whether the pwdMaxFailure setting in the following Oracle Identity and Access Management configuration file is also set to 10:

DOMAIN_HOME/config/fmwconfig/ovd/oim/adapters.os_xml

In general, you should set the Active Directory LockoutThreshold to match the pwdMaxFailure setting.

For more information about the LockoutThreshold setting, see the following article on the Microsoft Technet Web site:

https://technet.microsoft.com/en-us/library/cc775412%28v=ws.10%29.aspx

3.3 Configuring Active Directory in SSL Mode

If you are deploying an OAM and OMSS environment, configuring Active Directory in SSL Mode is an optional step.

However, if you are deploying an integrated OIM, OAM, and OMSS environment, then you must configure the Active Directory instance in SSL Mode.

  1. Use the Active Directory documentation to configure the directory instance in SSL Mode.

  2. Make a note of the root CA certificate that you generate while configuring Active Directory in SSL mode.

    This certificate is required as input when you deploy the software using the LCM Tools. Before you start the deployment, confirm that the directory accepts connections on its LDAPS port (636 by default) and presents a certificate chain that validates against that root CA; otherwise the components that bind to the directory over SSL will fail during deployment.