Oracle Identity Manager is a user provisioning and administration solution that automates the process of adding, updating, and deleting user accounts from applications and directories. It also improves regulatory compliance by providing granular reports that attest to who has access to what. Oracle Identity Manager is available as a standalone product or as part of Oracle Identity Management.
When you created the domain IAMGovernanceDomain in Chapter 15, "Creating Domains for an Enterprise Deployment", you created a domain containing the software components for Oracle Identity Manager and Oracle Business Intelligence lite. Before you can use these products, however, you need to configure them. This chapter describes the procedures.
Automating user identity provisioning can reduce Information Technology (IT) administration costs and improve security. Provisioning also plays an important role in regulatory compliance. Key features of Oracle Identity Manager include password management, workflow and policy management, identity reconciliation, reporting and auditing, and extensibility through adapters.
Oracle Identity Manager provides the following key functionality:
User Administration
Workflow and Policy
Password management
Audit and Compliance Management
Integration Solutions
User Provisioning
Organization and Role Management
Table 19-1 lists the Domain URLs and their corresponding components and SSO Users.
Component | URL | SSO User |
---|---|---|
Self-service Console | | xelsysadm |
OIM Administration Console | | xelsysadm |
This chapter contains the following sections:
Modifying the Oracle Identity Manager Properties to Support Active Directory
Configuring Oracle Identity Manager to Reconcile from ID Store
Configuring Default Persistence Store for Transaction Recovery
Restarting the Administration Server, Oracle Identity Manager, and Oracle SOA Suite Servers
Validating Oracle Identity Manager Instance from the WebTier
Updating the Username Generation Policy for Active Directory
Although deploying composites uses multicast communication by default, Oracle recommends using unicast communication in Oracle Identity and Access Management enterprise deployments. Use unicast if you disable multicast communication for security reasons.
Unlike multicast, unicast communication does not let nodes discover other cluster members automatically. Consequently, you must specify the nodes that belong to the cluster. You do not need to specify all of the nodes of a cluster, however; you need only specify enough nodes that a new node added to the cluster can discover one of the existing nodes. Once a new node has joined the cluster, it is able to discover all of the other nodes in the cluster. Additionally, in configurations such as Oracle Identity and Access Management enterprise deployments, where multiple IPs are available on the same system, you must configure Oracle Coherence to use a specific host name to create the Oracle Coherence cluster.
Note:
An incorrect configuration of the Oracle Coherence framework used for deployment may prevent the Oracle Identity and Access Management system from starting. The deployment framework must be properly customized for the network environment on which the system runs. Oracle recommends the configuration described in this section.
This section contains the following topics:
Section 19.1.1, "Enabling Communication for Deployment Using Unicast Communication"
Section 19.1.2, "Specifying the Host Name Used by Oracle Coherence"
Specify the nodes using the tangosol.coherence.wka<n> system property, where <n> is a number between 1 and 9. You can specify up to nine nodes. Start the numbering at 1. This numbering must be sequential and must not contain gaps. In addition, specify the host name used by Oracle Coherence to create a cluster through the tangosol.coherence.localhost system property. This local host name should be the virtual host name used by the SOA server as its listener address (OIMHOST1VHN2 and OIMHOST2VHN2). Set this property by adding the -Dtangosol.coherence.localhost parameter to the Arguments field of the Oracle WebLogic Server Administration Console's Server Start tab.
Tip:
To guarantee high availability during deployments of SOA composites, specify enough nodes so that at least one of them is running at any given time.
Note:
OIMHOST1VHN2 is the virtual host name that maps to the virtual IP where WLS_SOA1 is listening (on OIMHOST1). OIMHOST2VHN2 is the virtual host name that maps to the virtual IP where WLS_SOA2 is listening (on OIMHOST2).
Use the Administration Console to specify the host name used by Oracle Coherence.
To add the host name used by Oracle Coherence
Log into the Oracle WebLogic Server Administration Console.
In the Domain Structure window, expand the Environment node.
Click Servers.
The Summary of Servers page appears.
Click the name of the server (WLS_SOA1 or WLS_SOA2, which are represented as hyperlinks) in Name column of the table. The settings page for the selected server appears.
Click Lock & Edit.
Click the Server Start tab.
Enter the following for WLS_SOA1 and WLS_SOA2 into the Arguments field.
For WLS_SOA1, enter the following:
-Dtangosol.coherence.wka1=OIMHOST1VHN2 -Dtangosol.coherence.wka2=OIMHOST2VHN2 -Dtangosol.coherence.localhost=OIMHOST1VHN2
For WLS_SOA2, enter the following:
-Dtangosol.coherence.wka1=OIMHOST1VHN2 -Dtangosol.coherence.wka2=OIMHOST2VHN2 -Dtangosol.coherence.localhost=OIMHOST2VHN2
Note:
There should be no line breaks between the different -D parameters. The parameters must be separated by a space character. Do not copy and paste the text into the Arguments field in the Administration Console; doing so may result in HTML tags being inserted in the Java arguments. The text should not contain any characters other than those included in the example above.
Note:
The Coherence cluster used for deployment uses port 8088 by default. This port can be changed by specifying a different port (for example, 8089) with the -Dtangosol.coherence.wka<n>.port and -Dtangosol.coherence.localport startup parameters. For example:
WLS_SOA1 (enter the following into the Arguments field on a single line, without a carriage return):
-Dtangosol.coherence.wka1=OIMHOST1VHN2 -Dtangosol.coherence.wka2=OIMHOST2VHN2 -Dtangosol.coherence.localhost=OIMHOST1VHN2 -Dtangosol.coherence.localport=8089 -Dtangosol.coherence.wka1.port=8089 -Dtangosol.coherence.wka2.port=8089
WLS_SOA2 (enter the following into the Arguments field on a single line, without a carriage return):
-Dtangosol.coherence.wka1=OIMHOST1VHN2 -Dtangosol.coherence.wka2=OIMHOST2VHN2 -Dtangosol.coherence.localhost=OIMHOST2VHN2 -Dtangosol.coherence.localport=8089 -Dtangosol.coherence.wka1.port=8089 -Dtangosol.coherence.wka2.port=8089
Click Save and Activate Changes.
Restart the WebLogic Administration Server.
Start the SOA Managed Servers wls_soa1 and wls_soa2.
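As an added example (not part of the Oracle documentation or of WebLogic), the following Python script checks a Server Start Arguments string against the rules stated in this section: sequential wka<n> numbering starting at 1 with no gaps and at most nine entries, a tangosol.coherence.localhost that is itself one of the well-known addresses, no HTML or line-break residue from a browser paste, and a port override applied consistently to localport and to every wka<n>.port. The first sample argument string is the WLS_SOA1 value given above; the defective sample and the finding messages are constructed for this example.

```python
import re

# Constructed sample: the WLS_SOA1 arguments exactly as given on this page.
SAMPLE_WLS_SOA1 = (
    "-Dtangosol.coherence.wka1=OIMHOST1VHN2 "
    "-Dtangosol.coherence.wka2=OIMHOST2VHN2 "
    "-Dtangosol.coherence.localhost=OIMHOST1VHN2"
)

# Constructed sample with the mistakes the notes above warn about: a gap in
# the wka numbering, a localhost that is not one of the WKA hosts, an HTML
# tag left over from a browser paste, and a port override applied to only
# one of the well-known addresses.
SAMPLE_BAD = (
    "-Dtangosol.coherence.wka1=OIMHOST1VHN2 "
    "-Dtangosol.coherence.wka3=OIMHOST2VHN2<br> "
    "-Dtangosol.coherence.localhost=OIMHOST3VHN2 "
    "-Dtangosol.coherence.localport=8089 "
    "-Dtangosol.coherence.wka1.port=8089"
)

DEFAULT_COHERENCE_PORT = "8088"   # deployment cluster port default (this page)
WKA_RE = re.compile(r"^tangosol\.coherence\.wka(\d+)(\.port)?$")


def parse_jvm_args(arguments):
    """Turn a Server Start 'Arguments' string into {property: value}.
    Only -Dkey=value tokens are kept; anything else is ignored."""
    props = {}
    for token in arguments.split():
        if token.startswith("-D") and "=" in token:
            key, value = token[2:].split("=", 1)
            props[key] = value
    return props


def lint_coherence_args(arguments):
    """Return a list of findings; an empty list means the arguments satisfy
    the rules stated in this section."""
    findings = []
    # Copy-paste residue: the console must not receive HTML or line breaks.
    if "\n" in arguments or re.search(r"[<>]", arguments):
        findings.append("arguments contain a line break or '<'/'>' (HTML "
                        "residue); retype them instead of pasting")
    props = parse_jvm_args(arguments)

    wka_hosts, wka_ports = {}, {}
    for key, value in props.items():
        match = WKA_RE.match(key)
        if match:
            n = int(match.group(1))
            (wka_ports if match.group(2) else wka_hosts)[n] = value

    if not wka_hosts:
        findings.append("no tangosol.coherence.wka<n> entries; a unicast "
                        "cluster cannot discover any member")
        return findings
    if max(wka_hosts) > 9:
        findings.append("at most nine well-known addresses (wka1..wka9) "
                        "are allowed")
    expected = list(range(1, len(wka_hosts) + 1))
    if sorted(wka_hosts) != expected:
        findings.append(f"wka numbering must be sequential from 1 with no "
                        f"gaps, found {sorted(wka_hosts)}")

    local_host = props.get("tangosol.coherence.localhost")
    if local_host is None:
        findings.append("tangosol.coherence.localhost is not set")
    elif local_host not in wka_hosts.values():
        findings.append(f"localhost {local_host} is not one of the WKA hosts "
                        f"{sorted(wka_hosts.values())}")

    # Every WKA must be contacted on the port this node itself listens on.
    local_port = props.get("tangosol.coherence.localport",
                           DEFAULT_COHERENCE_PORT)
    for n in sorted(wka_hosts):
        port = wka_ports.get(n, DEFAULT_COHERENCE_PORT)
        if port != local_port:
            findings.append(f"wka{n}.port={port} does not match "
                            f"localport={local_port}")
    return findings


if __name__ == "__main__":
    for label, args in (("WLS_SOA1", SAMPLE_WLS_SOA1), ("defective", SAMPLE_BAD)):
        print(label, lint_coherence_args(args) or "OK")
```

Run it against the exact string you intend to type into the Server Start tab for each of WLS_SOA1 and WLS_SOA2; the values of localhost differ per server while the wka list is identical on both, so the script should report no findings for either.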
Note:
You must ensure that these variables are passed to the managed server correctly. (They should be reflected in the server's output log.) Failure of the Oracle Coherence framework can prevent the soa-infra application from starting.
Note:
The multicast and unicast addresses are different from the ones used by the WebLogic Server cluster for cluster communication. SOA guarantees that composites are deployed to members of a single WebLogic Server cluster even though the communication protocols for the two entities (the WebLogic Server cluster and the groups to which composites are deployed) are different.
You must configure the Oracle Identity Manager server instance before you can start the Oracle Identity Manager Managed Servers. For a consolidated topology, this is performed on IAMHOST2. For a distributed topology, this is performed on OIMHOST1. The Oracle Identity Management Configuration Wizard loads the Oracle Identity Manager metadata into the database and configures the instance.
Before proceeding, ensure that the following are true:
The Administration Server is up and running.
SOA Managed Server is up and running.
The environment variables DOMAIN_HOME and WL_HOME are not set in the current shell.
The Oracle Identity Management Configuration Wizard is located under the Identity Management Oracle home.
To configure Oracle Identity Manager:
Start the Configuration Wizard by running the following command from the IGD_ORACLE_HOME/bin/ directory:
./config.sh
On the Welcome screen, click Next
On the Components to Configure screen, Select OIM Server.
Click Next.
On the Database screen, provide the following values:
Connect String: The connect string for the Oracle Identity Manager database:
igddb-scan.example.com:1521:igdedg1^igddb-scan.example.com:1521:igdedg2@igdedg.example.com
OIM Schema User Name: edgigd_oim
OIM Schema password: password
MDS Schema User Name: edgigd_mds
MDS Schema Password: password
Click Next.
On the WebLogic Administration Server screen, provide the following details for the WebLogic Administration Server:
URL: The URL to connect to the WebLogic Administration Server. For example:
t3://IGDADMINVHN.example.com:7101
Where 7101 is the IGD_WLS_PORT from the worksheet.
UserName: weblogic
Password: Password for the weblogic user
Click Next.
On the OIM Server screen, provide the following values:
OIM Administrator Password: Password for the Oracle Identity Manager Administrator. This is the password for the xelsysadm user. The password must contain an uppercase letter and a number. Best practice is to use the same password that you assigned to the user xelsysadm when preparing the Identity Store.
Confirm Password: Confirm the password.
OIM HTTP URL: Proxy URL for the Oracle Identity Manager Server. This is the URL for the Hardware load balancer that is front ending the OHS servers for Oracle Identity Manager. For example:
http://igdinternal.example.com:7777
OIM External FrontEnd URL: https://prov.example.com:IGD_HTTPS_PORT
Key Store Password: Key store password. The password must have an uppercase letter and a number.
Enable OIM for Suite Integration: Selected.
Select this option if you plan to integrate OIM with OAM.
Click Next.
On the LDAP Server screen, the information you enter depends on your implementation. Provide the following details:
Directory Server Type: OID if your Identity Store is in Oracle Internet Directory, OUD if your Identity Store is in Oracle Unified Directory, or ACTIVE_DIRECTORY if your Identity Store is in Microsoft Active Directory.
Directory Server ID: A name for your directory server, for example IdStore. This is only required if the directory type is OID or OUD.
Server URL: The LDAP server URL. For example:
ldap://idstore.example.com:1389 for OUD
ldap://idstore.example.com:3060 for OID
Server User: The user name for connecting to the LDAP Server. This is the OIMLDAPUSER from the worksheet. For example:
cn=oimLDAP,cn=systemids,dc=example,dc=com
Server Password: The password for connecting to the LDAP Server.
Server Search DN: The Search DN. This is the REALM_DN from the worksheet. For example:
dc=example,dc=com
Click Next.
Note:
Ensure that you have configured the directory according to the documentation, and click OK on the pop-up message displayed: "Ensure that you have a supported Directory server and that you have pre-configured the Directory as per the documentation and it is available for the installer."
On the LDAP Server Continued screen, provide the following LDAP server details:
LDAP Role Container: The DN for the Role Container. This is the container where the Oracle Identity Manager roles are stored. This is the GROUPS_CONTAINER from the worksheet. For example:
cn=Groups,dc=example,dc=com
LDAP User Container: The DN for the User Container. This is the container where the Oracle Identity Manager users are stored. This is the USERS_CONTAINER from the worksheet. For example:
cn=Users,dc=example,dc=com
User Reservation Container: The DN for the User Reservation Container. This is the RESERVE_CONTAINER from the worksheet. For example:
cn=Reserve,dc=example,dc=com
Click Next.
On the Configuration Summary screen, verify the summary information.
Click Configure to configure the Oracle Identity Manager instance
On the Configuration Progress screen, once the configuration completes successfully, click Next.
On the Configuration Complete screen, view the details of the Oracle Identity Manager Instance configured.
Click Finish to exit the Configuration Wizard.
When SOA first starts, it automatically deploys a number of applications that are located in the IGD_ASERVER_HOME/soa directory. Performing pack and unpack does not populate this directory, so you must create it manually.
Copy the soa directory from IGD_ASERVER_HOME/IAMGovernanceDomain/soa to IGD_MSERVER_HOME/IAMGovernanceDomain.
For example:
cp -rp /u01/oracle/config/domains/IAMGovernanceDomain/soa /u02/private/oracle/config/domains/IAMGovernanceDomain/soa
Perform these steps on all OIMHOSTs.
Restart the WLS_SOA1 and WLS_SOA2 servers.
When first installed, Oracle Identity Manager has a set of default system properties for its operation.
If your Identity Store is in Active Directory, you must change the system property XL.DefaultUserNamePolicyImpl to oracle.iam.identity.usermgmt.impl.plugins.FirstNameLastNamePolicyForAD or oracle.iam.identity.usermgmt.impl.plugins.LastNameFirstNamePolicyForAD.
To learn how to do this, see the Administering System Properties chapter of Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.
Start the Oracle Identity Manager Managed Server on OIMHOST1. This involves the following tasks:
Starting the Node Manager on OIMHOST1, if it is not already running.
Restarting the WebLogic Administration Server on OIMHOST1.
Restarting the SOA Managed Server wls_soa1 on OIMHOST1.
Starting the OIM Managed Server wls_oim1 on OIMHOST1.
For information about starting and stopping servers, see Section 31.1.6, "Starting and Stopping IAMGovernanceDomain Services".
Validate the Oracle Identity Manager Server Instance by bringing up the Oracle Identity Manager Console in a Web browser at:
http://OIMHOST1VHN1.example.com:14000/identity/
http://OIMHOST1VHN1.example.com:14000/sysadmin/
Log in using the xelsysadm
username and password.
Validate the SOA configuration at
http://OIMHOST1VHN2.example.com:8001/soa-infra
Log in as the weblogic user.
Start the Oracle Identity Manager Managed Server on OIMHOST2. This involves the following tasks:
Starting the Node Manager on OIMHOST2, if it is not already running.
Restarting the SOA Managed Server wls_soa2 on OIMHOST2.
Starting the OIM Managed Server wls_oim2 on OIMHOST2.
For information about starting and stopping servers, see Section 31.1.6, "Starting and Stopping IAMGovernanceDomain Services".
Validate the Oracle Identity Manager Server Instance by bringing up the Oracle Identity Manager Console in a Web browser at:
http://OIMHOST2VHN1.example.com:14000/identity/
http://OIMHOST2VHN1.example.com:14000/sysadmin/
Log in using the xelsysadm
username and password.
Validate the SOA configuration at
http://OIMHOST2VHN2.example.com:8001/soa-infra
Log in as the weblogic user.
In the current release, the LDAPConfigPostSetup script enables all the LDAPSync-related incremental Reconciliation Scheduler jobs, which are disabled by default. The LDAP configuration post-setup script is located under the IGD_ORACLE_HOME/server/ldap_config_util directory. Run the script on OIMHOST1 as follows:
Edit the ldapconfig.props file located under the IGD_ORACLE_HOME/server/ldap_config_util directory and provide the following values:
Parameter | Value | Description |
---|---|---|
OIMProviderURL | t3://OIMHOST1VHN1.example.com:14000,OIMHOST2VHN1.example.com:14000 | List of Oracle Identity Manager managed servers |
LIBOVD_PATH_PARAM | IGD_ASERVER_HOME/config/fmwconfig/ovd/oim | Location of LIBOVD configuration files |
Save the file.
Set the JAVA_HOME, WL_HOME, MW_HOME, APP_SERVER, OIM_ORACLE_HOME, and DOMAIN_HOME environment variables, where:
JAVA_HOME is set to IGD_MW_HOME/jdk
WL_HOME is set to IGD_MW_HOME/wlserver_10.3
APP_SERVER is set to weblogic
OIM_ORACLE_HOME is set to IGD_ORACLE_HOME
DOMAIN_HOME is set to IGD_ASERVER_HOME
MW_HOME is set to IGD_MW_HOME
Run LDAPConfigPostSetup.sh. The script prompts for the Oracle Internet Directory admin password and the Oracle Identity Manager admin password. The syntax is:
IGD_ORACLE_HOME/server/ldap_config_util/LDAPConfigPostSetup.sh path_to_property_file
For example:
cd IGD_ORACLE_HOME/server/ldap_config_util/
./LDAPConfigPostSetup.sh IGD_ORACLE_HOME/server/ldap_config_util
If the script is executed successfully, a success message similar to following is shown:
"Successfully Enabled Changelog based Reconciliation schedule jobs. Successfully Updated Changelog based Reconciliation schedule jobs with last change number:"
Ignore the following errors:
java.lang.ClassNotFoundException: oracle.as.jmx.framework.standardmbeans.spi.JMXFrameworkProviderImpl
The WLS_OIM and WLS_SOA Managed Servers have a transaction log that stores information about committed transactions that are coordinated by the server that might not have been completed. The WebLogic Server uses this transaction log for recovery from system crashes or network failures. To leverage the migration capability of the Transaction Recovery Service for the servers within a cluster, store the transaction log in a location accessible to a server and its backup servers.
Note:
Preferably, this location should be on a dual-ported SCSI disk or on a Storage Area Network (SAN).
Perform these steps to set the location for the default persistence stores for the Oracle Identity Manager and SOA Servers:
Create the following directories on the shared storage:
RT_HOME/domains/IAMGovernanceDomain/tlogs/cluster_soa
RT_HOME/domains/IAMGovernanceDomain/tlogs/cluster_oim
Log in to the Oracle WebLogic Server Administration Console.
Click Lock and Edit.
In the Domain Structure window, expand the Environment node and then click the Servers node.
The Summary of Servers page appears.
Click the name of either an Oracle Identity Manager server (wls_oim<n>) or a SOA server (wls_soa<n>), represented as a hyperlink in the Name column of the table.
The Settings page for the selected server appears.
Go to the Configuration tab.
Click General and then go to the Services tab.
Under the Default Store section of the page, provide the path to the default persistent store on shared storage.
The directory structure of the path is as follows:
For Oracle Identity Manager Servers:
RT_HOME/domains/IAMGovernanceDomain/tlogs/cluster_oim
For SOA Servers:
RT_HOME/domains/IAMGovernanceDomain/tlogs/cluster_soa
Note:
To enable migration of the Transaction Recovery Service, specify a location on a persistent storage solution that is available to other servers in the cluster. All the servers that are a part of the cluster must be able to access this directory.
Click Save.
Repeat the above steps to update Default store Directory for all OIM and SOA managed servers.
Activate the changes.
This section describes how to configure UMS email notification. This is optional. The following steps assume that an email server has been set up and that Oracle Identity Management can use it to send the email notifications.
Log in to the Oracle Enterprise Manager Fusion Middleware Control instance that is associated with Oracle Identity Manager.
Expand User Messaging Service.
Right click usermessagingdriver-email (wls_soa1) and select email driver properties.
Enter the following information:
OutgoingMailServer: name of the SMTP server, for example: smtp.example.com
OutgoingMailServerPort: port of the SMTP server, for example: 465 for SSL outgoing mail server and 25 for non-SSL
OutgoingMailServerSecurity: The security setting used by the SMTP server. Possible values are None, TLS, or SSL. If the mail server is configured to accept SSL requests, perform these additional steps to remove the DemoTrust store references from the SOA environment, so that the JVM uses its default trust store rather than the demonstration trust store shipped with WebLogic:
Modify the IGD_ASERVER_HOME/domain_name/bin/setDomainEnv.sh file to remove the DemoTrust reference -Djavax.net.ssl.trustStore=IGD_WL_HOME/server/lib/DemoTrust.jks from EXTRA_JAVA_PROPERTIES.
Restart both the Administration Server and the Managed Server.
OutgoingUsername: Any valid username
OutgoingPassword:
Choose Indirect Password, Create New User.
Provide a unique string for Indirect Username/Key, for example: OIMEmailConfig. This masks the password so that it is not exposed in cleartext in the configuration file.
Provide valid password for this account.
Click Apply.
Repeat Steps 3 and 4 for each SOA server.
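The following Python helper is an added example, not Oracle's tooling, for the setDomainEnv.sh edit described under OutgoingMailServerSecurity above. It removes the -Djavax.net.ssl.trustStore=.../DemoTrust.jks token from EXTRA_JAVA_PROPERTIES without disturbing the other properties, and reports any line that still refers to a WebLogic demonstration keystore so the edit can be verified before the servers are restarted. The setDomainEnv.sh excerpt is constructed; real files differ in the surrounding lines. Removing the property leaves the JVM with its default cacerts trust store, so the SMTP server's certificate must chain to a CA present there (or to a production trust store you configure explicitly); the WebLogic demonstration stores are intended for development only and should not be trusted by production servers.

```python
import re

# Constructed excerpt of a setDomainEnv.sh EXTRA_JAVA_PROPERTIES block; the
# surrounding lines differ between installations.
SAMPLE_SET_DOMAIN_ENV = """\
EXTRA_JAVA_PROPERTIES="-Dsoa.archives.dir=${SOA_ORACLE_HOME}/soa -Djavax.net.ssl.trustStore=${WL_HOME}/server/lib/DemoTrust.jks ${EXTRA_JAVA_PROPERTIES}"
export EXTRA_JAVA_PROPERTIES
"""

# The token this page says to remove: any trustStore pointing at DemoTrust.jks,
# whatever path prefix (IGD_WL_HOME, ${WL_HOME}, an absolute path) it uses.
DEMO_TRUST_RE = re.compile(r"\s*-Djavax\.net\.ssl\.trustStore=\S*DemoTrust\.jks")
# Both WebLogic demonstration stores, for the post-edit check.
DEMO_STORE_RE = re.compile(r"DemoTrust\.jks|DemoIdentity\.jks")


def strip_demo_trust(script_text):
    """Remove every DemoTrust trustStore token from the script text.
    Returns (new_text, number_of_tokens_removed)."""
    return DEMO_TRUST_RE.subn("", script_text)


def remaining_demo_store_lines(script_text):
    """1-based line numbers that still mention a demonstration keystore."""
    return [n for n, line in enumerate(script_text.splitlines(), 1)
            if DEMO_STORE_RE.search(line)]


def extra_java_properties(script_text):
    """The value assigned to EXTRA_JAVA_PROPERTIES, or None if absent."""
    m = re.search(r'^EXTRA_JAVA_PROPERTIES="(.*)"$', script_text, re.MULTILINE)
    return m.group(1) if m else None


if __name__ == "__main__":
    # For a real file: back it up, read it, apply strip_demo_trust, write it.
    new_text, removed = strip_demo_trust(SAMPLE_SET_DOMAIN_ENV)
    print(f"removed {removed} DemoTrust reference(s)")
    print("EXTRA_JAVA_PROPERTIES is now:", extra_java_properties(new_text))
    print("lines still naming a demo store:", remaining_demo_store_lines(new_text))
```

Apply it to a copy of setDomainEnv.sh, keep the original as a backup, and only restart the Administration Server and Managed Server once remaining_demo_store_lines reports no hits.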
From the Navigator, select WebLogic Domain, and then DomainName.
From the menu, select System MBean Browser.
Expand Application Defined MBeans, oracle.iam, Server, wls_oim1, Application: oim, and then IAMAppRuntimeMBean.
Click UMSEmailNotificationProviderMBean.
Enter the following:
Web service URL: http://igdinternal.example.com:80/ucs/messaging/webservice
Policies: Leave blank.
CSFKey: Notification.Provider.Key
Click Apply.
Because the Oracle HTTP Server acts as a proxy for WebLogic, by default certain CGI environment variables are not passed through to WebLogic. These include the host and port. You must tell WebLogic that it is using a virtual site name and port so that it can generate internal URLs appropriately.
Log in to the WebLogic administration console.
Select Clusters from the home page or, alternatively, select Environment and then Clusters, from the Domain Structure menu.
Click Lock & Edit in the Change Center Window to enable editing.
Click the Cluster Name (cluster_soa).
In the Configuration tab, select the HTTP subtab and enter the following:
Frontend Host: igdinternal.example.com
Frontend HTTP Port: 7777
Click Save.
Click Activate Changes in the Change Center window.
Restart the WebLogic Administration Server, Oracle SOA Suite Managed Servers, and the Oracle Identity Manager Managed Servers on OIMHOST1 and OIMHOST2.
For information about starting and stopping servers, see Section 31.1.6, "Starting and Stopping IAMGovernanceDomain Services".
Validate the Oracle Identity Manager Server Instance by bringing up the Oracle Identity Manager Console in a web browser, at:
https://prov.example.com:443/identity
and
http://igdadmin.example.com/sysadmin
Log in using the xelsysadm
username and password.
This section describes how to integrate Identity Manager with Access Manager.
This section contains the following topics:
Section 19.13.1, "Copying OAM Keystore Files to OIMHOST1 and OIMHOST2"
Section 19.13.2, "Updating Existing LDAP Users with Required Object Classes"
Section 19.13.3, "Importing OIM certificates into Mobile Security Suite"
Section 19.13.6, "Managing the Password of the xelsysadm User"
If you are using Access Manager with the Simple Security Transport model, copy the OAM keystore files that were generated in Section 17.4, "Creating Access Manager Key Store". Copy the keystore files SHARED_CONFIG_DIR/keystores/ssoKeystore.jks and IAD_ASERVER_HOME/output/webgate-ssl/oamclient-truststore.jks to the directory IGD_MSERVER_HOME/config/fmwconfig on OIMHOST1 and OIMHOST2.
You must update existing LDAP users with the object classes OblixPersonPwdPolicy, OIMPersonPwdPolicy, and OblixOrgPerson.
Note:
This step is not required for a fresh setup where you do not have any existing users.
To update the existing LDAP users, complete the following steps:
On OAMHOST1, create a properties file for the integration called user.props, with the following content:
IDSTORE_HOST: idstore.example.com
IDSTORE_PORT: 1389
IDSTORE_ADMIN_USER: cn=orcladmin
IDSTORE_DIRECTORYTYPE: OUD, OID
IDSTORE_USERSEARCHBASE: cn=Users,dc=example,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com
PASSWORD_EXPIRY_PERIOD: 7300
IDSTORE_LOGINATTRIBUTE: uid
In this example:
IDSTORE_HOST is the name of the LDAP server. For example: idstore.example.com
IDSTORE_PORT is the port of the LDAP server.
IDSTORE_ADMIN_USER is the bind DN of an administrative user. For example, cn=orcladmin or cn=oudadmin
IDSTORE_DIRECTORYTYPE is the type of directory. The valid values are OUD and OID.
IDSTORE_USERSEARCHBASE is the location of users in the directory. For example, cn=Users,dc=example,dc=com
IDSTORE_GROUPSEARCHBASE is the location of groups in the directory. For example, cn=Groups,dc=example,dc=com
IDSTORE_LOGINATTRIBUTE is the directory login attribute name. For example, uid
PASSWORD_EXPIRY_PERIOD is the password expiry period.
Set the environment variables MW_HOME, JAVA_HOME, and ORACLE_HOME. For example:
set ORACLE_HOME to IAM_ORACLE_HOME
Upgrade the existing LDAP users by running the following command from IAM_ORACLE_HOME/idmtools/bin:
idmConfigTool.sh -upgradeLDAPUsersForSSO input_file=configfile
For example:
idmConfigTool.sh -upgradeLDAPUsersForSSO input_file=user.props
When prompted, enter the password of the user you are using to connect to your Identity Store.
Note:
If the following error is displayed when running the command, ignore it:
java.lang.ClassNotFoundException: oracle.as.jmx.framework.standardmbeans.spi.JMXFrameworkProviderImpl at java.net.URLClassLoader$1.run(URLClassLoader.java:202)
Mobile Security Suite must be able to trust Oracle Identity Manager. To achieve this, import the IAMGovernanceDomain certificate into MSAS by performing the following steps.
Section 19.13.3.1, "Obtaining JPS Credential Store Password for IAMAccessDomain."
Section 19.13.3.2, "Exporting IAMGovernanceDomain Certificate."
Section 19.13.3.3, "Importing Certificate into IAMAccessDomain."
To obtain the JPS Credential Store Password for IAMAccessDomain:
Login to Enterprise Manager Fusion Middleware Control for the IAMAccessDomain using the WebLogic Administrators account at the following URL:
http://iadadmin.example.com/em
Navigate to Farm_IAMAccessDomain, WebLogic Domain, and then IAMAccessDomain.
Right click and click System MBean Browser.
Click the Search button and enter JpsCredentialStore
and click Search.
Click on the Operations tab.
Click on getPortableCredential.
Enter the following values:
P1: oracle.wsm.security
P2: keystore-csf-key
Click Invoke.
Make a note of the returned Password.
Export the IAMGovernanceDomain certificate using the following keytool command:
keytool -keystore IGD_ASERVER_HOME/config/fmwconfig/default-keystore.jks -storepass <<PASSWORD>> -exportcert -alias xell -file SHARED_CONFIG_DIR/keystores/xell.crt
Where <<PASSWORD>> is the password you supplied when creating the IAMGovernanceDomain.
Import the certificate extracted above into the IAMAccessDomain using the following command:
keytool -keystore IAD_ASERVER_HOME/config/fmwconfig/default-keystore.jks -storepass <<PASSWORD>> -importcert -alias xell -file SHARED_CONFIG_DIR/keystores/xell.crt
Where <<PASSWORD>> is the password you obtained from Enterprise Manager Fusion Middleware Control above. Because the certificate does not chain to a CA already in the keystore, keytool prints its fingerprint and asks whether to trust it; compare that fingerprint with the one shown for xell.crt on the exporting host before answering yes.
Integrating Oracle Identity Manager with Access Manager using a WebGate 11g profile employs an Access Manager Trusted Authentication Protocol (TAP) scheme. This is different from WebGate 10g which used Network Assertion Protocol (NAP).
To integrate Access Manager with Oracle Identity Manager, perform the following steps on OIMHOST1:
Set the environment variables MW_HOME, JAVA_HOME and ORACLE_HOME. For example:
set ORACLE_HOME to IGD_ORACLE_HOME
set MW_HOME to IGD_MW_HOME
Create a properties file for the integration called oimitg.props. This file has many of the same values as the file created in Creating Configuration File; it should contain the following:
LOGINURI: /${app.context}/adfAuthentication
LOGOUTURI: /oamsso/logout.html
AUTOLOGINURI: None
ACCESS_SERVER_HOST: OAMHOST1.example.com
ACCESS_SERVER_PORT: 5575
ACCESS_GATE_ID: Webgate_IDM
COOKIE_DOMAIN: .example.com
COOKIE_EXPIRY_INTERVAL: 120
IDSTORE_LOGINATTRIBUTE: uid
OAM_TRANSFER_MODE: simple
WEBGATE_TYPE: ohsWebgate11g
SSO_ENABLED_FLAG: true
IDSTORE_PORT: 1389
IDSTORE_HOST: idstore.example.com
IDSTORE_DIRECTORYTYPE: OUD, OID or AD
IDSTORE_ADMIN_USER: cn=oamLDAP,cn=systemids,dc=example,dc=com
IDSTORE_USERSEARCHBASE: cn=Users,dc=example,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com
IDSTORE_WLSADMINUSER: weblogic_idm
MDS_DB_URL: jdbc:oracle:thin:@(DESCRIPTION = (ADDRESS=(PROTOCOL=TCP)(HOST=IGDDBSCAN.example.com)(PORT=1521)) (CONNECT_DATA=(SERVICE_NAME=oimedg.example.com)))
MDS_DB_SCHEMA_USERNAME: edgigd_mds
WLSHOST: igdadminvhn.example.com
WLSPORT: 7101
WLSADMIN: weblogic
WLSPASSWD: password
OAM11G_WLS_ADMIN_HOST: IADADMINVHN.example.com
OAM11G_WLS_ADMIN_PORT: 7001
OAM11G_WLS_ADMIN_USER: weblogic
DOMAIN_NAME: IAMGovernanceDomain
OIM_MANAGED_SERVER_NAME: WLS_OIM1
DOMAIN_LOCATION: IGD_ASERVER_HOME
OIM_MSM_REST_SERVER_URL: http://iadinternal.example.com:7777/
Property Descriptions:
LOGINURI
: This is required by Oracle Platform Security Services (OPSS) and should always be set to /${app.context}/adfAuthentication
LOGOUTURI
: This is required by Oracle Platform Security Services (OPSS) and should always be set to /oamsso/logout.html
AUTOLOGINURI
: This is required by Oracle Platform Security Services (OPSS) and should always be set to None
ACCESS_SERVER_HOST
: This is the name of one of the Access Server hosts. If you have placed a load balancer in front of Oracle Access Manager Managed Servers, then specify the load balancer name for this property here. For example, OAMHOST1.example.com
ACCESS_SERVER_PORT
: This is the OAM Proxy Port (OAM_PROXY_PORT). For example, 5575
ACCESS_GATE_ID
: This is the name of the Agent that gets created in Oracle Access Manager. This can be any value. For example, Webgate_IDM
COOKIE_DOMAIN
: This is the Oracle Access Manager cookie domain and should be proceeded by a period (.
). For example, .example.com
COOKIE_EXPIRY_INTERNAL
: This is the number of seconds before a cookie expires and the user is forced to re-login. The default value is 120
. If you wish the cookie to never expire, set this value to -1
.
IDSTORE_LOGINATTRIBUTE
: This is the LDAP attribute which is used to validate login. This is typically the uid
.
OAM_TRANSFER_MODE
: This is the security mode that Oracle Access Manager is configured to work with. This is usually Simple
. It should be the same value you placed into the Oracle Access Manager property file.
WEBGATE_TYPE
: This is the type of WebGate agent you wish to create. Valid values are ohsWebgate10g
or ohsWebgate11g
.
For Oracle Identity and Access Management 11.1.2.3.0, this is usually ohsWebgate11g
. Note that, if you are using Oracle Traffic Director instead of Oracle HTTP Server, then it should still be ohsWebgate11g
.
SSO_ENABLED_FLAG
: This value should be set to true
.
IDSTORE_PORT
: This is the port on your load balancer where you are accepting LDAP requests. For example, 3060
or 1389
IDSTORE_HOST
: This is the load balancer name fronting your LDAP directory
IDSTORE_DIRECTORYTYPE
: Set this property to OID
if your Identity Store is in Oracle Internet Directory, OUD
if you are connecting to Oracle Unified Directory, or AD
if your identity Store is in Active Directory.
IDSTORE_ADMIN_USER
: This is the admin user of the ID store.
IDSTORE_USERSEARCHBASE
: This is the location in the directory where Users are Stored.
IDSTORE_GROUPSEARCHBASE
: This is the location in the directory where Groups are Stored.
IDSTORE_WLSADMINUSER
: This is the value you used when you prepared the identity store. For example weblogic_idm
.
MDS_DB_URL
: Set this to the OIM database jdbc connection details. For example:
jdbc:oracle:thin:@(DESCRIPTION = (ADDRESS=(PROTOCOL=TCP)(HOST=IGDDBSCAN.example.com)(PORT=1521)) (CONNECT_DATA=(SERVICE_NAME=oimedg.example.com)))
MDS_DB_SCHEMA_USERNAME
: This is the username of the MDS schema.
WLS_HOST
: This is the Admin Server listen address. For OAM configuration this will be the host associated with the IAMAccessDomain. For OAM/OIM integration this will be the host associated with the IAMGovernanceDomain.
WLS_PORT
: This is the Admin Server listen port. For OAM configuration this will be the port associated with the IAMAccessDomain. For OAM/OIM integration this will be the host associated with the IAMGovernanceDomain.
WLS_ADMIN: This is the user used to connect to the Admin Server.
WLSPASSWD: This is the password of the WLS_ADMIN account.
OAM11G_WLS_ADMIN_HOST: This is the IAMAccessDomain Admin Server listen address.
OAM11G_WLS_ADMIN_PORT: This is the IAMAccessDomain Admin Server listen port.
OAM11G_WLS_ADMIN_USER: This is the IAMAccessDomain Administration User.
DOMAIN_NAME: This is the domain name. For example, IAMGovernanceDomain.
OIM_MANAGED_SERVER_NAME: This is the name of the Oracle Identity Manager Managed Server. For example, wls_oim1.
DOMAIN_LOCATION: This is the domain location. For example, IGD_ASERVER_HOME.
OIM_MSM_REST_SERVER_URL: This is the URL that the MSAS proxy server uses to invoke the MSM REST services. This is the entry point for Identity Access Domain callbacks. For example, iadinternal.example.com:7777.
SPLIT_DOMAIN: This is used when OAM and OIM are in different domains. This should always be set to true.
Integrate Access Manager with Oracle Identity Manager by running the following command from the location IGD_ORACLE_HOME/idmtools/bin:
idmConfigTool.sh -configOIM input_file=configfile
For example:
idmConfigTool.sh -configOIM input_file=oimitg.props
When prompted, enter the following information:
Password of the admin user of the IAMAccessDomain
SSO Access Gate Password
SSO Keystore Password
Global Passphrase
Idstore Admin Password
MDS Database schema password
OAM 11g Domain User Password (this is the password of the weblogic_idm user)
Restart the IAMGovernanceDomain Administration Server, and the Managed Servers - WLS_SOA1, WLS_SOA2, WLS_OIM1, and WLS_OIM2.
Once you have integrated OAM and OIM, create a user for Oracle Mobile Security Suite.
To create a user:
Log in to the OIM Self Service Console as the user xelsysadm, using the following URL:
https://prov.example.com/identity
Click the Manage button on the top of the screen.
Click Users from the Launch Pad, and click Create.
Complete the information on the screen to create a user to be used for the OMSS helpdesk, and click Submit.
Go to the Home tab.
From the Launch Pad click Administration Roles, and click Create.
Enter the following Information into the Basic Information Screen:
Name: helpdesk
Display Name: helpdesk
Click Next.
On the Capabilities screen, click Add Capabilities.
Enter User - View in the Display Name field and click Search.
Select User - View / Search from the search results and click Add Selected.
Repeat steps 10 and 11 to add the capability Role - View / Search.
Click Select, and then click Next.
On the Members screen, click Assign Users.
Enter the name of your helpdesk user in the Search box and click Search.
Select the helpdesk user from the search results, click Add Selected, click Select, and then click Next.
On the Scope of Control screen click Add Organizations.
Enter an Organization in the Search box and click Search.
Select the required organization, click Add Selected, click Select, and then click Next.
On the Organizations screen click Next.
On the Summary screen click Finish.
After you integrate Oracle Identity Manager with Access Manager, two xelsysadm accounts exist. One is the internal account created by Oracle Identity Manager. The other is the account you created in the Identity Store.
The xelsysadm account located in the LDAP store is the one used to access the OIM console. If you want to change the password of this account, change it in LDAP. You can use Oracle Directory Service Manager (ODSM) to do this. Do not change it through the OIM console.
To validate integration, you must assign Identity Management administrators to WebLogic security groups and install WebGate as described in Chapter 22, "Configuring Single Sign-On".
To validate that the wiring of Access Manager with Oracle Identity Manager 11g was successful, attempt to log in to the Oracle Identity Manager Self Service Console by doing the following:
Using a browser, navigate to the following URL:
https://prov.example.com/identity
This redirects you to the Oracle Access Manager 11g single sign-on page.
Log in using the xelsysadm user account created in Chapter 13, "Preparing The Identity Store".
If you see the OIM Self Service Console Page, the integration was successful.
Oracle Identity Manager connects to SOA as SOA administrator, with the username weblogic by default. As mentioned in the previous sections, a new administrator user is provisioned in the central LDAP store to manage the Identity Management WebLogic Domain.
Perform the following post installation steps to enable Oracle Identity Manager to work with the Oracle WebLogic Server administrator user provisioned in the central LDAP store. This enables Oracle Identity Manager to connect to SOA:
Note: For the SOAConfig MBean to be visible, at least one OIM Managed Server must be running.
Log in to Enterprise Manager Fusion Middleware Control of the IAMGovernanceDomain, as the weblogic user.
Select Farm_IAMGovernanceDomain, WebLogic Domain, and then IAMGovernanceDomain.
Right-click and select System MBean Browser from the menu.
Select Search, enter SOAConfig, then click Search.
Change the username attribute to the Oracle WebLogic Server administrator username provisioned in Preparing the Identity Store. For example, weblogic_idm.
Click Apply.
Select Weblogic Domain, and then IAMGovernanceDomain.
Select Security and then Credentials from the drop-down menu.
Expand the key oim.
Click SOAAdminPassword and click Edit.
Change the username to weblogic_idm, set the password to the account's password, and click OK.
From the navigator, click Farm_IAMGovernanceDomain and then click WebLogic Domain. Right-click on IAMGovernanceDomain, and select Application Roles from the Security menu.
Set the application stripe to soa-infra by selecting from the drop-down list. Click Search.
Click SOAAdmin. Ensure that you see Administrators in the membership box.
Click Edit. The Edit page is displayed.
Click Add in the Members box. The Add principal search box is displayed.
Enter the following:
Type: Group
Principal Name: starts with: IDM
Click Search.
Select IDM Administrators from the results box and click OK.
You will be redirected to the Edit screen. Ensure that the members are Administrators and IDM Administrators.
Click Ok.
Run the reconciliation process to enable the Oracle WebLogic Server administrator, weblogic_idm, to be visible in the OIM Identity Console. Follow these steps:
Log in to the OIM System Administration Console as the user xelsysadm.
Click Scheduler under System Configuration.
Enter LDAP* in the search box.
Click the arrow next to Search Scheduled Jobs to list all the scheduled jobs.
Select LDAP User Create and Update Full Reconciliation.
Click Run Now to run the job.
Repeat for the job LDAP Role Create and Update Full Reconciliation.
Log in to the OIM Identity Console and verify that the user weblogic_idm is visible.
Log in to the OIM Self Service Console as the user xelsysadm.
If prompted, set up challenge questions. This happens on your first login to Oracle Identity Manager Identity Console.
Click the Roles tab under the Manage tab.
Search for the Administrators role:
Enter Administrators into the Display Name search box and click Search.
Click the Administrators role. That role's Properties page appears.
Click the Organizations tab.
Click Add. Search for and select the organization to which xelsysadm belongs, for example, Xellerate Users.
Click Add Selected. Click Select.
Click the Members tab and click Add.
Search for the user weblogic_idm. Select the weblogic_idm user.
Click Add Selected.
Click Select, and then Apply.
To update the PIM LDAP reconciliation jobs, complete the following steps:
Open a browser and go to the following location:
http://igdadmin.example.com/sysadmin
Log in as xelsysadm using the COMMON_IDM_PASSWORD.
Under System Management, click Scheduler.
Under Search Scheduled Jobs, enter LDAP * (there is a space before the *) and press Enter.
For each job in the search results, click on the job name on the left, then click Disable on the right.
Do this for all jobs. If the job is already disabled do nothing.
Run the following commands on LDAPHOST1:
cd LDAP_ORACLE_INSTANCE/OUD/bin
./ldapsearch -h ldaphost1 -p 1389 -D "cn=oudadmin" -b "" -s base "objectclass=*" lastExternalChangelogCookie
Password for user 'cn=oudadmin': <OudAdminPwd>
dn:
lastExternalChangelogCookie: dc=example,dc=com:00000140c682473c263600000862;
Copy the output string that follows lastExternalChangelogCookie:. This value is required in the next step. For example:
dc=example,dc=com:00000140c682473c263600000862;
The hex portion must be 28 characters long. If this value has more than one hex portion, separate the 28-character portions with spaces. For example:
dc=example,dc=com:00000140c4ceb0c07a8d00000043 00000140c52bd0b9104200000042 00000140c52bd0ba17b9000002ac 00000140c3b290b076040000012c;
Run each of the following LDAP reconciliation jobs once to reset the last change number:
LDAP Role Delete Reconciliation
LDAP User Delete Reconciliation
LDAP Role Create and Update Reconciliation
LDAP User Create and Update Reconciliation
LDAP Role Hierarchy Reconciliation
LDAP Role Membership Reconciliation
To run the jobs:
Log in to the OIM System Administration Console as the user xelsysadm.
Under System Configuration, click Scheduler.
Under Search Scheduled Jobs, enter LDAP * (there is a space before the *) and press Enter.
Click on the job to be run.
Set the parameter Last Change Number to the value obtained in step 6.
For example:
dc=example,dc=com:00000140c4ceb0c07a8d00000043 00000140c52bd0b9104200000042 00000140c52bd0ba17b9000002ac 00000140c3b290b076040000012c;
Click Run Now.
Repeat for each of the jobs in the list at the beginning of this step.
For each incremental recon job whose last changelog number has been reset, execute the job and check that the job now completes successfully.
After the job runs successfully, re-enable periodic running of the jobs according to your requirements.
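The cookie handling in steps 6 through 8 above, as an added example that is not part of the original Oracle documentation: it pulls the lastExternalChangelogCookie value out of captured ldapsearch output, checks that the hex state splits into whole 28-character portions, and writes the space-separated form expected by the Last Change Number parameter (concatenated and already-spaced portions are both accepted). The sample output and the hex values in it are constructed.

```python
import re

# Constructed sample of the ldapsearch output from the procedure above; the
# hex values are made up and are not real changelog cookies.
SAMPLE_LDAPSEARCH_OUTPUT = """\
dn:
lastExternalChangelogCookie: dc=example,dc=com:00000140c4ceb0c07a8d0000004300000140c52bd0b9104200000042;
"""

CSN_LEN = 28  # each change sequence number in the cookie is 28 hex characters


def extract_cookie(ldapsearch_output):
    """Return the raw value after 'lastExternalChangelogCookie:' or None."""
    for line in ldapsearch_output.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip() == "lastExternalChangelogCookie":
            return value.strip()
    return None


def normalize_cookie(cookie):
    """Rewrite a single-suffix cookie as '<baseDN>:<csn> <csn> ...;'.

    Anything that is not a base DN followed by whole 28-character hex
    portions raises ValueError, so a mangled value is caught before it is
    typed into the Last Change Number parameter of a reconciliation job.
    """
    body = cookie.strip()
    if not body.endswith(";"):
        raise ValueError("cookie must end with ';'")
    base_dn, sep, state = body[:-1].rpartition(":")
    if not sep or not base_dn:
        raise ValueError("cookie must look like '<baseDN>:<hex>;'")
    hex_run = state.replace(" ", "")
    if not re.fullmatch(r"[0-9a-fA-F]+", hex_run):
        raise ValueError("change state must be hexadecimal")
    if len(hex_run) % CSN_LEN:
        raise ValueError("hex length %d is not a multiple of %d"
                         % (len(hex_run), CSN_LEN))
    csns = [hex_run[i:i + CSN_LEN] for i in range(0, len(hex_run), CSN_LEN)]
    return "%s:%s;" % (base_dn, " ".join(csns))


if __name__ == "__main__":
    print(normalize_cookie(extract_cookie(SAMPLE_LDAPSEARCH_OUTPUT)))
```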
If your back-end directory is Active Directory, you must update Oracle Identity Manager so that it only allows user names with a maximum of 20 characters. This is a limitation of Active Directory. Update the username generation policy from DefaultComboPolicy to FirstNameLastNamePolicyForAD by doing the following:
Log in to the OIM Administration Console.
Go to System Configuration tab, and click Configuration Properties.
In the Search box, enter Default Policy for Username Generation and click Search.
Click Default Policy for Username Generation.
In the Value field, change the entry from oracle.iam.identity.usermgmt.impl.plugins.DefaultComboPolicy to oracle.iam.identity.usermgmt.impl.plugins.FirstNameLastNamePolicyForAD.
Click Save.
By default Oracle Identity Management reconciles all users that are located in the LDAP container cn=Users. Once reconciled, these users are subject to the usual password ageing policies defined in Oracle Identity Manager. This is not desirable for system accounts. It is recommended that you exclude the following accounts from this reconciliation:
xelsysadm
oimLDAP
oamLDAP
Additionally, you might want to exclude:
IDRUser
IDRWUser
PolicyROUser
PolicyRWUser
To exclude these users from reconciliation and discard their failed reconciliation events, add the orclAppIDUser object class to each of the above users.
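Marking the accounts for exclusion, as an added example that is not part of the original Oracle documentation: it reads a captured ldapsearch dump of the accounts, skips any entry that already carries orclAppIDUser (re-adding the value would fail), and emits the LDIF modify records that add the object class to the rest, ready for ldapmodify. The directory dump, the suffix dc=example,dc=com and the cn=<name>,cn=Users DN layout are assumptions.

```python
# Accounts the section above says to exclude from LDAP reconciliation.
REQUIRED_EXCLUSIONS = ["xelsysadm", "oimLDAP", "oamLDAP"]
OPTIONAL_EXCLUSIONS = ["IDRUser", "IDRWUser", "PolicyROUser", "PolicyRWUser"]

# Assumed layout: the accounts sit in cn=Users with cn as the RDN.
USER_CONTAINER = "cn=Users,dc=example,dc=com"

# Constructed ldapsearch dump of two of the accounts (not real directory data):
# oamLDAP already carries orclAppIDUser, xelsysadm does not.
SAMPLE_ENTRIES = """\
dn: cn=xelsysadm,cn=Users,dc=example,dc=com
objectclass: top
objectclass: person
objectclass: inetorgperson
objectclass: orcluser
cn: xelsysadm

dn: cn=oamLDAP,cn=Users,dc=example,dc=com
objectclass: top
objectclass: person
objectclass: inetorgperson
objectclass: orclAppIDUser
cn: oamLDAP
"""


def parse_entries(ldif_text):
    """Return {dn: set of lowercased objectclass values} for each entry."""
    entries, dn = {}, None
    for line in ldif_text.splitlines():
        if not line.strip():          # a blank line ends the current entry
            dn = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            dn = value
            entries[dn] = set()
        elif attr == "objectclass" and dn is not None:
            entries[dn].add(value.lower())
    return entries


def exclusion_ldif(ldif_text, usernames, container=USER_CONTAINER):
    """Build LDIF modify records adding orclAppIDUser to each listed user.

    Users that already have the object class are skipped; a user missing from
    the dump raises LookupError rather than being silently left reconcilable.
    """
    existing = parse_entries(ldif_text)
    records = []
    for name in usernames:
        dn = "cn=%s,%s" % (name, container)
        if dn not in existing:
            raise LookupError("entry not found in directory dump: " + dn)
        if "orclappiduser" in existing[dn]:
            continue
        records.append("\n".join([
            "dn: " + dn,
            "changetype: modify",
            "add: objectclass",
            "objectclass: orclAppIDUser",
        ]))
    return "\n\n".join(records) + ("\n" if records else "")


if __name__ == "__main__":
    print(exclusion_ldif(SAMPLE_ENTRIES, ["xelsysadm", "oamLDAP"]), end="")
```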
Closing Failed Reconciliation Events by Using the OIM Console
Complete the following steps to close the failed reconciliation events:
Log in to the OIM Administration Console as the xelsysadm user.
Click Reconciliation under Provisioning Configuration.
Click Advanced Search.
In the Current Status field, select Equals. In the Search box, select Creation Failed from the list.
Click Search.
For each of the events, select Close Event from the Actions menu.
In the Confirmation window, enter a justification. For example, Close Failed Reconciliation Events
.
Click Closed.
Click OK to acknowledge the confirmation message.
For information about when to use JDBC persistent stores for transaction logs (TLOGs) and JMS, and for instructions on how to configure the persistent stores for TLOGS and JMS for Oracle Identity Manager Managed Servers, see Section 15.4.10, "Using JDBC Persistent Stores for TLOGs and JMS in an Enterprise Deployment".
This section describes post-deployment steps for Exalogic implementations.
This section includes the following topics:
Configuring Oracle Identity Manager Servers to Listen on EoIB
Enabling Cluster-Level Session Replication Enhancements for Oracle Identity Manager and SOA
This section is only required if the Oracle Identity Manager servers need to be accessed directly from outside the Exalogic machine. This is the case when external Oracle HTTP Servers are part of the configuration.
Create a new network channel as follows:
Log in to the WebLogic Console in the IAMGovernanceDomain.
Click Lock & Edit.
Navigate to Environment -> Servers to open the Summary of Servers page.
In the Servers table, click WLS_OIM1.
Select Protocols and then Channels.
Click New to create a new channel.
Enter OIMHOST1VHN-EXTCHAN as the name. Select HTTP as the protocol and click Next.
In the Network Channel Addressing page, enter the following information:
Listen Address: OIMHOST1VHN-EXT
This is the bond1 address assigned to OIMHOST1VHN-EXT
Listen Port: 8001
Click Next and select the following in the Network Channel Properties page:
Enabled
HTTP Enabled for this protocol
Click Finish.
Click Activate Changes.
Repeat the preceding steps, substituting WLS_OIM2 and OIMHOST2VHN-EXT for the Server and Listen Address.
You can enable session replication enhancements for Managed Servers in a WebLogic cluster to which you deploy a Web application at a later time.
To enable session replication enhancements for oim_cluster in the domain IAMGovernanceDomain, use the values in Table 19-2.
Table 19-2 Network Channel Properties
Managed Server | Name | Protocol | Listen Address | Listen Port | Additional Channel Ports |
---|---|---|---|---|---|
WLS_OIM1 | ReplicationChannel | t3 | OIMHOST1VHN1.example.com | 7005 | 7006 to 7014 |
WLS_OIM2 | ReplicationChannel | t3 | OIMHOST2VHN1.example.com | 7005 | 7006 to 7014 |
WLS_SOA1 | ReplicationChannel | t3 | OIMHOST1VHN2.example.com | 7005 | 7006 to 7014 |
WLS_SOA2 | ReplicationChannel | t3 | OIMHOST2VHN2.example.com | 7005 | 7006 to 7014 |
Proceed as follows:
Log in to the WebLogic Administration console at: http://IGDADMIN.example.com/console
Ensure that the Managed Servers in the oim_cluster cluster are up and running, as described in Section 31.1, "Starting and Stopping Enterprise Deployment Components."
To set replication ports for a Managed Server, use the values in Table 19-2.
To set the values for WLS_OIM1, for example, complete the following steps:
Under Domain Structure, click Environment and Servers. The Summary of Servers page is displayed.
Click Lock & Edit.
Click WLS_OIM1 on the list of servers. The Settings for WLS_OIM1 are displayed.
Click the Cluster tab.
In the Replication Ports field, enter a range of ports for configuring multiple replication channels. For example, replication channels for Managed Servers in oim_cluster can listen on ports starting from 7005 to 7015. To specify this range of ports, enter 7005-7015.
Repeat Steps a through e for each of the other managed servers in Table 19-2.
The following steps show how to create a network channel for the managed server WLS_OIM1.
Log in to the Oracle WebLogic Server Administration Console.
If you have not already done so, click Lock & Edit in the Change Center.
In the left pane of the Console, expand Environment and select Servers.
The Summary of Servers page is displayed.
In the Servers table, click the WLS_OIM1 Managed Server instance.
Select Protocols, and then Channels.
Click New.
Enter ReplicationChannel as the name of the new network channel and select t3 as the protocol, then click Next.
Enter the following information:
Listen address: OIMHOST1VHN1
Note: This is the WLS_OIM1 floating IP assigned to WebLogic Server.
Listen port: 7005
Click Next, and in the Network Channel Properties page, select Enabled and Outbound Enabled.
Click Finish.
Click Save.
Under the Network Channels table, select ReplicationChannel, the network channel you created for the WLS_OIM1 Managed Server.
Expand Advanced, select Enable SDP Protocol, and click Save.
To activate these changes, in the Change Center of the Administration Console, click Activate Changes.
You must repeat the above steps to create a network channel each for the remaining Managed Servers in the cluster. Enter the required properties, as described in Table 19-2.
After creating the network channel for each of the Managed Servers in your cluster, click Environment > Clusters. The Summary of Clusters page is displayed.
Click oim_cluster. The Settings for oim_cluster page is displayed.
Click the Replication tab.
In the Replication Channel field, ensure that ReplicationChannel is set as the name of the channel to be used for replication traffic.
In the Advanced section, select the Enable One Way RMI for Replication option.
Click Save.
Repeat these steps for the SOA cluster and BI cluster.
To activate these changes, in the Change Center of the Administration Console, click Activate Changes.
Manually add the system property -Djava.net.preferIPv4Stack=true to the startWebLogic.sh script, which is located in the bin directory of IGD_ASERVER_HOME, using a text editor as follows:
Locate the following line in the startWebLogic.sh script:
. ${DOMAIN_HOME}/bin/setDomainEnv.sh $*
Add the following property immediately after the above entry:
JAVA_OPTIONS="${JAVA_OPTIONS} -Djava.net.preferIPv4Stack=true"
Save the file and close.
Restart the Administration Server of the IAMGovernanceDomain and the Managed Servers - WLS_OIM1, WLS_OIM2, WLS_SOA1, WLS_SOA2.
Oracle Identity Manager uses multicast for certain functions. By default, the Managed Servers communicate using the multicast address assigned to the primary host name. If you want multicast to use a different network, for example the internal network, you must complete the following additional steps:
Log in to the WebLogic Administration Console using the following URL:
http://IGDADMIN.example.com/console
Under Domain Structure, click Environment and then expand Servers. The Summary of Servers page is displayed.
Click Lock & Edit.
Click the OIM Managed Server name, for example WLS_OIM1, on the list of servers. The Settings for WLS_OIM1 are displayed.
Go to the Server Start tab.
Add the following line to the arguments field:
-Dmulticast.bind.address=oimhost1vhn1
Click Save.
Repeat for the Managed Server WLS_OIM2. When doing so, make sure you add the following line to the arguments field:
-Dmulticast.bind.address=oimhost2vhn1
Click Activate Changes and restart the Managed Servers WLS_OIM1 and WLS_OIM2.
It is an Oracle best practice recommendation to create a backup after successfully completing the installation and configuration of each tier, or at another logical point. Create a backup after verifying that the installation so far is successful. This is a quick backup for the express purpose of immediate restoration in case of problems in later steps. The backup destination is the local disk. You can discard this backup when the enterprise deployment setup is complete. After the enterprise deployment setup is complete, you can initiate the regular deployment-specific Backup and Recovery process.
For information on database backups, refer to your database documentation.
To back up the installation to this point, back up the following:
The Web tier
The Access Manager database.
The Administration Server domain directory
The Managed Server domain directory
The LDAP Directory
The Keystores created