25 Creating a Deployment Response File

This chapter describes how to create a deployment response file using the Oracle Identity and Access Management Deployment Wizard.


25.1 What is a Deployment Response File?

Before you can perform deployment, you must provide information about your topology to the Oracle Identity and Access Management Deployment Wizard.

The Wizard collects all the information required to perform an Oracle Identity and Access Management deployment, such as ports, directory locations, and database schema details.

Using this information, the wizard creates a deployment response file that you can later use to perform the actual deployment operation.

The default name of the deployment response file is provisioning.rsp. You can change the deployment response file name in the Summary screen of the Oracle Identity and Access Management Deployment Wizard.

The tool creates the following three types of response files:

  • Oracle Identity Manager (OIM) Only - Use this option for implementations that will contain only the IAM Identity Governance components.

  • Oracle Access Manager (OAM) and Oracle Mobile Security Suite (OMSS) Only - Use this option for implementations that will contain only the IAM Access components.

  • OIM - OAM - OMSS Integrated with Directory - Use this option for implementations that will contain both Identity Governance and Access components.

Note:

"Oracle Access Manager (OAM) and Oracle Mobile Security Suite (OMSS) Only", and "OIM - OAM - OMSS Integrated with Directory" solutions require that an existing LDAP directory be present.

If your directory is OUD or OID, the deployment tool can prepare the directory for you, or you can prepare it yourself using the steps in the manual sections of this guide.

If your directory is Active Directory, you need to prepare the directory manually using the instructions described in Section 13.6, "Preparing an Existing Microsoft Active Directory Instance for Use with Oracle Identity and Access Management".

IDMLCM does not support updating a response (RSP) file under a different name. If you want to update the RSP file, you must save it with the same name with which it was created.

If you are performing a modular deployment, for example, starting with OAM and adding OIM later, first create a response file for OAM only and follow the steps to deploy it. Later, create a deployment response file for OIM only and follow the steps to deploy that. After the second deployment, you must integrate the two components manually. If using OAM and OIM together is your long-term goal, then when configuring OIM only you should enable LDAPSYNC. If you do not, extra manual steps are required to enable it later. Those steps are not covered in this guide.

25.2 Starting the Deployment Wizard and Navigating the Common Screens

  1. Make sure you have installed a valid and supported Java Development Kit (JDK) and that you have set the JAVA_HOME environment variable.

    For more information, see Section 24.2, "Locating the Required Java Development Kit (JDK)".

  2. Start the Deployment Wizard:

    1. Change directory to the following directory:

      IDMLCM_HOME/provisioning/bin

      In this example, IDMLCM_HOME is the directory where you installed the LCM Tools. For more information, see Section 24.1, "About the Deployment Repository and LCM Tools Directory Structure".

    2. Enter the following command:

      ./iamDeploymentWizard.sh
      
  3. Review the Welcome screen to learn more about the Deployment wizard and to review the prerequisites. Click Next.

  4. If the Specify Inventory Directory screen appears:

    1. Click OK to accept the default location of the central inventory directory and the default Operating System Group Name for the directory.

      If the Central Inventory Directory field is empty, click Browse and select a local directory where your inventory of Oracle products will be stored.

    2. In the Inventory Location Confirmation dialog box, select Continue Installation with local inventory.

    If you want to create a central inventory directory or learn about the advantages of doing so, see Section 24.3.3, "Specifying an Inventory Directory".

  5. On the Choose IAM Installation Option screen, select Create a New Identity and Access Management Environment Deployment Response File, and click Next.

  6. Use the Specify Security Updates screen to set up a notification preference for security-related updates and installation-related information from My Oracle Support. This information is optional.

    • Email: Specify your e-mail address to have updates sent by this method.

    • I wish to receive security updates via My Oracle Support: Select this option to have updates sent directly to your My Oracle Support account. You must enter your My Oracle Support Password if you select this option.

  7. On the Describe Response File screen, specify descriptive information to identify the response file.

    The information entered on this screen is metadata information. It can be used to uniquely identify a response file if multiple response files are created.

    • Response File Title: Enter a new title for the response file or accept the default.

    • Response File Version: The Wizard provides a default value, which you can change. You can use this to keep track of different versions of the response file.

    • Created By: Defaults to the operating system user who invoked the Deployment Wizard. Set when the response file is initially created and cannot be modified for the current response file.

    • Created Date: Defaults to the date that the response file was initially created. Set when the response file was initially created and cannot be modified for the current response file.

    • Response File Description: Provide a description of this response file. This is an optional field.

    After you enter the required information, click Next.

  8. Depending on the Oracle Identity and Access Management topology you're deploying, proceed to the appropriate section:

    Note:

    Use the Enterprise Deployment Workbook for Identity Management to help you complete the information in the following sections.

    If you are deploying on Exalogic, for host names, use the name of the host as derived from the hostname command in the topology screens.

25.3 Creating a Deployment Response File for Oracle Identity Manager (OIM) Only Topology

Complete the following steps to create a new Deployment Response File for an Oracle Identity Manager (OIM) Only highly available topology:

  1. Ensure that you have completed the steps described in Section 25.2, "Starting the Deployment Wizard and Navigating the Common Screens".

  2. On the Suite Selection screen, select Oracle Identity Manager (OIM) Only.

    Select Enable LDAP Sync if you are integrating Oracle Identity Manager with an LDAP directory. LDAP sync synchronizes users created in OIM with users created in LDAP. If you are planning to integrate OAM with OIM, then this value should be set to true. This can be enabled post deployment, but is outside the scope of this guide.

    Note:

    After you select the components you want to deploy, do not click the Back button in the subsequent screens to modify your product selection. If you need to make any modification in the previous screens, click Cancel and then restart the Oracle Identity and Access Management Deployment Wizard.

    Click Next.

  3. On the Directory Selection screen, choose the type of directory you wish to synchronize OIM with. This screen appears only if you selected Enable LDAP Sync. The following are the valid types of directories:

    • Oracle Unified Directory

    • Oracle Internet Directory

    • Microsoft Active Directory

    Note:

    If you are using Active Directory, you must prepare the directory before running the deployment wizard, using the instructions described in Section 13.6, "Preparing an Existing Microsoft Active Directory Instance for Use with Oracle Identity and Access Management".

    Click Next.

  4. On the Select Topology screen, select Highly Available (HA).

    In the Host Name fields, specify the hosts where you want to deploy Identity and Access Management. You must specify fully qualified host names.

    For example:

    First Instances:

    Identity and Governance: oimhost1.example.com

    Web Tier: webhost1.example.com

    Second Instances:

    Identity and Governance: oimhost2.example.com

    Web Tier: webhost2.example.com

    Note:

    On a multi-networked host, the host name entered (without the domain) must be the same as the result returned by the hostname command on that machine.

    If the host has multiple network cards and you wish to provision over one other than the card attached to the default hostname, you must, for the duration of provisioning, set the host's hostname to the name associated with the value you enter here. This is particularly important on Exalogic deployments.

    Click Next.

  5. Use the Select Installation and Configuration Locations screen to supply the location of the important directories required for installation and configuration actions. For more information about directory locations, see Chapter 7, "Preparing Storage for an Enterprise Deployment".

    The following are the fields on this screen:

    • Lifecycle Management Store Location: LCM_HOME

    • Mounted on Webhosts: Select this option if LCM_HOME directory needs to be mounted on WEBHOST1 and WEBHOST2 during installation. This is the recommended approach.

    • Software Repository Home: REPOS_HOME

    • Software Installation Location: IDM_TOP

    • Shared Configuration Location: SHARED_CONFIG_DIR

    • Local Configuration Location: LOCAL_CONFIG_DIR

    Note:

    If you have already run the deployment tool to create a deployment and you wish to run it again to create a second deployment; for example, if you have run the tool for OAM Only and are now running the tool again for OIM Only, the Software Installation Location MUST be different for each installation, whereas the configuration directories can be the same. This is a limitation in this version of the deployment tool.

    Click Next.

  6. Use the Configure Virtual Hosts screen to enter the virtual host names used by each component. For example:

    Identity Governance Domain Admin Server: idgadminvhn.example.com

    SOA Server 1: oimhost1vhn2.example.com

    SOA Server 2: oimhost2vhn2.example.com

    OIM Server 1: oimhost1vhn1.example.com

    OIM Server 2: oimhost2vhn1.example.com

    BIP Server 1: oimhost1vhn3.example.com

    BIP Server 2: oimhost2vhn3.example.com

    Click Next.

  7. On the Directory Configuration screen, enter the details of the directory where OIM stores the user and group information when syncing to LDAP. This screen appears only if you enabled LDAP Sync. The following fields are present on this screen:

    • Directory Host: This is the host name of the directory. In the case of a highly available setup, this is the directory load balancer entry point. For example, idstore.example.com

    • Directory Port: This is the LDAP directory port. In the case of a highly available setup, this is the port on the Load Balancer, that is, LBR_LDAP_PORT from the worksheet.

    • Administrator: This is the LDAP administrator account. For example, cn=oudadmin

    • Administrator Password: The LDAP administrator password (LDAP_ADMIN_USER)

    • Realm DN: This is the area in the LDAP directory where users and groups are created (REALM_DN).

    • Users Container: This is the location in the LDAP directory where users are held (USERS_CONTAINER).

    • Groups Container: This is the location in the LDAP directory where groups are held (GROUPS_CONTAINER).

    Click Next to continue.

  8. Use the Configure Oracle HTTP Server screen to review or change the ports that will be used for the Oracle HTTP Server (OHS) instance.

    You should be able to use the default values for these ports, unless you have similar software running on the same host and you think there might be port conflicts.

    Click Next to continue.

  9. Use the Configure Oracle Identity Manager screen to view or modify the ports that will be used by Oracle Identity Manager when you deploy the software.

    Set the Location of the JMS/Tlogs to the shared storage location where you are placing runtime artifacts. For example:

    RT_HOME/domains/IAMGovernanceDomain

    In most cases, you can leave the remaining entries at the default values, unless you have similar software running on the same host and you think there might be port conflicts.

    Select Configure Email Server if you want to identify and configure a mail server so that Oracle Identity Manager can send email notifications. If you wish to configure the Email Server, you must provide the following information:

    • Outgoing Server Name: This is the name of your outgoing Email server. For example, EMAIL.example.com (EMAIL_SERVER).

    • Outgoing Server Port: This is the port your Email server uses. For example, 465 (EMAIL_PORT).

    • Outgoing Email Security: Select None, SSL, or TLS (EMAIL_PROTOCOL)

    • Username: This is the username (EMAIL_USER) you use to authenticate with the Email server.

    • Password: This is the password (EMAIL_PASSWORD) for the above user.

    • Web Proxy Host: This is the host name of your proxy server, if you use one.

    • Web Proxy Port: This is the port of your proxy server, if you use one.

  10. Use the Configure Oracle Identity Manager Database screen to enter information about the Database that contains (or will contain) the required schemas.

    If you have already installed the schemas using the Oracle Fusion Middleware Repository Creation Utility (RCU), then do not select the Create Schema Using RCU check box. In this case, you must provide the required information to connect to the database where the schemas are installed.

    If you have not installed the schemas already, then select Create Schema Using RCU. If you choose this option, the LCM Tool creates the schemas as part of the deployment process.

    The following fields are present in this screen:

    • SYSDBA Username: This is the name of the SYSDBA account on the database. For example, sys

    • SYSDBA Password: This is the password for the SYSDBA account.

      SYSDBA credentials are required only if you select Create Schema Using RCU option.

    • Schema Prefix: This is the prefix that was used when you created Database schemas using Repository Creation Utility, or the prefix that must be used when the deployment tool creates the new schemas. For example, EDGIGD

    • Service Name: This is the service name of the database service. For example, IGDEDG.example.com (OIM_DB_SERVICENAME)

    • Schema Password: This is the password you used when creating the Oracle Identity Manager schema using RCU or the password you wish to assign to the schemas as they are newly created (OIM_SCHEMA_PASSWORD).

    Select RAC Database, and provide the following information:

    • Scan address: This is the Grid Infrastructure SCAN Address. For example, IGDDBSCAN.example.com (SCAN_ADDRESS)

    • Scan Port: This is the SCAN port. For example, 1521

    • ONS Scan Address: The default value of the Oracle Notification Server (ONS) Scan address used by GridLink is the Database scan address.

    • ONS Port: This is the port of the Oracle Notification Server (ONS). For example, 6200

    Click Next.

  11. Use the Configure SOA screen to enter the listen port for the SOA Managed Servers.

    Click Next.

  12. Use the Configure Oracle Business Intelligence Publisher screen to enter the ports to be used by the BIP Managed Servers.

    Click Next.

  13. Use the Set User Names and Passwords screen to set the passwords for the accounts that will be created during deployment. You can set a common password for all of the user accounts listed, or you can set individual passwords for each of the accounts. It is also possible to change some of the default user names.

    To enter a common password for all the accounts to be created, enter the password (COMMON_IAM_PASSWORD) in the Enter Common IAM Password field, and then re-enter the password in the Confirm Common IAM Password field.

    If you want to create unique passwords for each account, select Modify the Username and Password for the user accounts, and select Edit next to the account you wish to modify.

    Click Next.

  14. Use the Load Balancer screen to provide the following Load Balancer Entry points for the governance domain:

    • Identity Governance Administration Server: igdadmin.example.com

    • Identity Internal Call Backs: igdinternal.example.com

    • Governance: prov.example.com

    Click Next.

  15. Use the Summary screen to view a summary of your selections and enter the following additional information:

    • Provisioning Response File Name: Provide the name of the response file to be created. The default name of the deployment response file is provisioning.rsp. You can change this value.

    • Provisioning Summary: Provide the name of the deployment summary file to be created.

    • Directory: Specify the directory where you want this Deployment Response File to be saved.

    Once the response file creation process is completed, click Finish to exit the wizard.

    Note:

    The Identity and Access Management Deployment Wizard creates a deployment response file in the directory that you specify on the Summary screen. It also creates a folder named responsefilename_data. For example, provisioning_data. This folder contains the cwallet.sso file, which has encryption and decryption information. If you move or copy the deployment response file to another location, you must also move or copy the responsefilename_data folder containing the cwallet.sso file to the same location.
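    The note above means the response file is only usable together with its responsefilename_data folder. The following POSIX shell helper is an added example, not part of IDMLCM, that copies a response file and its companion wallet folder as a unit, keeps the original file name (IDMLCM does not accept a renamed response file), refuses to copy when cwallet.sso is absent, and restricts permissions on both since the wallet holds the keys that decrypt the passwords stored in the response file.

```shell
#!/bin/sh
# Added example (not part of IDMLCM): relocate a deployment response file
# together with its <responsefilename>_data folder, which holds cwallet.sso.
# Assumes POSIX sh and the wizard's naming (provisioning.rsp -> provisioning_data).

# Print the companion data directory for a response file path.
rsp_data_dir() {
    rsp="$1"
    dir=$(dirname "$rsp")
    base=$(basename "$rsp" .rsp)
    printf '%s/%s_data\n' "$dir" "$base"
}

# Copy RSP and its data folder to DEST under the same base name.
# Returns 1 and copies nothing if the response file or its wallet is missing.
copy_rsp_with_wallet() {
    rsp="$1"
    dest="$2"
    data=$(rsp_data_dir "$rsp")
    if [ ! -f "$rsp" ]; then
        echo "response file not found: $rsp" >&2
        return 1
    fi
    if [ ! -f "$data/cwallet.sso" ]; then
        echo "companion wallet missing: $data/cwallet.sso" >&2
        return 1
    fi
    mkdir -p "$dest" || return 1
    cp "$rsp" "$dest/" || return 1
    cp -R "$data" "$dest/" || return 1
    # The wallet decrypts the credentials in the response file, so keep both
    # readable only by the user who runs the deployment.
    chmod 700 "$dest/$(basename "$data")" || return 1
    chmod 600 "$dest/$(basename "$rsp")" "$dest/$(basename "$data")/cwallet.sso"
}
```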

25.4 Creating a Deployment Response File for Oracle Access Manager (OAM) Only Topology

Complete the following steps to create a new Deployment Response File for a highly available Oracle Access Manager (OAM) and Oracle Mobile Security Suite (OMSS) topology:

  1. Perform the steps in Section 25.2, "Starting the Deployment Wizard and Navigating the Common Screens".

  2. On the Select IAM Products screen, select Oracle Access Manager (OAM) Suite and Oracle Mobile Security Suite (OMSS) Only.

    Note:

    After you select the components you want to deploy, do not click the Back button in the subsequent screens to modify your product selection. If you need to make any modification in the previous screens, click Cancel and then restart the Oracle Identity and Access Management Deployment Wizard.

  3. On the Directory Selection screen, select Use Existing Directory. Creating a new directory is not supported for highly available deployments.

    Choose the directory type from the following choices:

    • Oracle Unified Directory

    • Oracle Internet Directory

    • Microsoft Active Directory

    Note:

    If you Use Existing Directory, then you must have previously prepared the directory for use with Oracle Identity and Access Management.

    After you have chosen your directory type, you have the option of the LCM tool preparing the directory for you. Preparation involves adding object classes to support OAM and seeding the directory with users. If you wish to do this manually, follow the instructions described in Chapter 13, "Preparing The Identity Store".

    Note:

    IDMLCM prepares the directory for you only if you are performing your deployment using the single prov_run command as described in Section 26.3.1, "Running the Deployment Commands Automatically".

    If you are running the deployment commands manually, IDMLCM will not prepare the ID store for you; you must prepare it manually. Decide which deployment method you are going to use before selecting this option. If you select this option and then choose to do the deployment manually, the deployment will fail, and the error messages will not identify this as the cause.

    For this example, we will assume you wish the LCM tool to prepare the directory for you.

    Click Next.

  4. On the Select Topology screen, select Highly Available.

    In the Host Name field, specify the host where you want to deploy Identity and Access Management, as a fully-qualified host name.

    Note:

    On a multi-networked host, the host name entered (without the domain) must be the same as the result returned by the hostname command on that machine.

    If the host has multiple network cards and you wish to provision over one other than the card attached to the default hostname, you must, for the duration of provisioning, set the host's hostname to the name associated with the value you enter here. This is particularly important on Exalogic deployments.

    For example:

    First Instances:

    Directory: ldaphost1.example.com

    Access Management: oamhost1.example.com

    Web Tier: ohshost1.example.com

    Second Instances:

    Directory: ldaphost2.example.com

    Access Management: oamhost2.example.com

    Web Tier: ohshost2.example.com

    If you are using an existing directory, you will not be asked for the directory host.

    If your WEBHOSTs are in a DMZ, select Install Web Tier in DMZ. If you select this option, the Oracle Web tier binaries will be installed locally on those hosts. If you deselect it, they will be installed onto shared storage.

    If your Directory Hosts are in a dedicated zone confined by a firewall, and if you have created a separate disk share for your Directory executables, then select Install Directory Into a Dedicated Zone.

    If you wish to use Oracle Access Manager but not Oracle Mobile Security Suite, then deselect the Enable OMSS box.

    Note:

    If you wish to use Oracle Mobile Security Suite, it is recommended that you create a dedicated domain for it. Therefore, select this option only for the domain where you will run OMSS.

    If you are deploying on Exalogic and you are not using an External OHS, then deselect Install Directory into a dedicated zone and Install WebTier in DMZ. If you are deploying on Exalogic and you are using an External OHS, then deselect Install Directory into a dedicated zone but select Install WebTier in DMZ.

    Click Next.
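    The host name rule in the notes on the Select Topology screen (both here and in the OIM Only procedure) is easy to get wrong on multi-homed hosts. The following POSIX shell check is an added example, not part of IDMLCM: it verifies that a name from the worksheet is fully qualified and that its short name matches what the hostname command returns. The second argument is an assumption added for testing and for checking recorded hostname output from another machine; it defaults to this host's hostname.

```shell
#!/bin/sh
# Added example (not part of IDMLCM): validate a Select Topology host name.
# Usage: check_wizard_hostname FQDN [HOSTNAME_OUTPUT]

# First label of a (possibly qualified) host name.
short_name() {
    printf '%s\n' "$1" | cut -d. -f1
}

# Returns 0 if FQDN contains a domain part and its short name equals the
# short name of HOSTNAME_OUTPUT (default: the hostname command on this host).
check_wizard_hostname() {
    fqdn="$1"
    actual="${2:-$(hostname)}"
    case "$fqdn" in
        *.*) ;;
        *)
            echo "not fully qualified: $fqdn" >&2
            return 1
            ;;
    esac
    want=$(short_name "$fqdn")
    have=$(short_name "$actual")
    if [ "$want" != "$have" ]; then
        echo "short name '$want' differs from hostname '$have'" >&2
        echo "on a multi-homed host, set the hostname to '$want' for the duration of provisioning" >&2
        return 1
    fi
    return 0
}
```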

  5. Use the Select Installation and Configuration Locations screen to supply the location of the important directories required for installation and configuration actions. For more information about the directories, see Chapter 7, "Preparing Storage for an Enterprise Deployment".

    The following are the fields on this screen:

    • Lifecycle Management Store Location: LCM_HOME

    • Mounted on Webhosts: Select this option if LCM_HOME directory needs to be mounted on WEBHOST1 and WEBHOST2 during installation. This is the recommended approach.

    • Software Repository Home: REPOS_HOME

    • Software Installation Location: IDM_TOP

    • Shared Configuration Location: SHARED_CONFIG_DIR

    • Local Configuration Location: LOCAL_CONFIG_DIR

    Note:

    If you have already run the deployment tool to create a deployment and you wish to run it again to create a second deployment; for example, if you have run the tool for OAM Only and are now running the tool again for OIM Only, the Software Installation Location MUST be different for each installation, whereas the configuration directories can be the same. This is a limitation in this version of the deployment tool.

    Click Next.

  6. Use the Configure Virtual Hosts screen to enter the virtual host names used by each component. For example:

    Access Domain Admin Server: iadadminvhn.example.com

    You can also change the listen address of the OAM Managed Servers by specifying a virtual host name. Complete this information when the host's physical hostname is attached to a different network from the one you wish to use. This is most likely to be the case in Exalogic deployments. If you are not using a different network, use the physical host name of the servers hosting the OAM Managed Servers.

    Click Next.

  7. Use the Directory Configuration screen to supply the details of your LDAP directory.

    • First Instance Details

      These are the details of the first LDAPHOST. The tool needs these details to connect to the directory host and configure the LDAP instance.

      • Host: This is the host name of one of the LDAP directory instances. For example, ldaphost1.example.com

      • Port: This is the port that the first instance is using on the server. For example, 1389 (LDAP_PORT)

      • AdminServer Connector Port: This is the connector port of the Administration Server. This field is displayed if you selected OUD as the existing directory and chose to prepare the directory using the IDM LCM tool.

      • Instance Home Directory: This is the absolute path to the first directory instance home. This field is displayed if you selected OUD as the existing directory and chose to prepare the directory using the IDM LCM tool.

    • Second Instance Details

      These are the details of the second LDAPHOST. The tool needs these details to connect to the directory host and configure the LDAP instance. The second instance will only appear for OUD directories.

      Note:

      If you have more than two directory instances, you must shut down the remaining instances and create the indexes and ACIs on those instances manually.

      For more information, see Section 13.5, "Preparing OID and OUD as the Identity Store".

      This configuration should be done only after provisioning has completed.

      • Host: This is the host name of the second directory instance. For example, ldaphost2.example.com

      • Port: This is the port that the second instance is using on the server. For example, 1389 (LDAP_PORT)

      • AdminServer Connector Port: This is the connector port of the Administration Server. This field is displayed if you selected OUD as the existing directory and chose to prepare the directory using the IDM LCM tool.

      • Instance Home Directory: This is the absolute path to the second directory instance home. This field is displayed if you selected OUD as the existing directory and chose to prepare the directory using the IDM LCM tool.

    • Directory Details

      These are the details of how applications will connect to the LDAP directory. Applications will not connect to the LDAP instances directly but via the load balancer.

      • Directory Host: This is the load balancer entry point for the existing directory. For example, idstore.example.com

      • Directory Port: This is the port on the load balancer where LDAP requests are sent. For example, 1389 (OUD), 3060 (OID), 389 (AD) (LDAP_LBR_PORT)

      • Administrator: This is the user name of a directory administrator. For example, cn=oudadmin

      • Administrator Password: This is the password of the directory administrator.

      • Root CA Certificate for AD: The location of the active directory certificate. This is applicable only if the directory is Active Directory.

    • Container Details

      These are the locations in the directory where Users, Groups and System IDs are stored. System IDs are used to allow products such as OAM to connect to the LDAP directory without using the administrator account.

      • Realm DN: This is the main realm of the directory. For example, dc=example,dc=com

      • Users/Groups Present in the Directory: Normally, this is left unchecked for a new installation. If you have prepared the directory manually, then select this option.

      • Users Container: This is the location within the LDAP directory tree where users are stored.

      • Groups Container: This is the location within the directory tree where Groups are stored.

      • System IDs Container: This is the location within the directory tree where system users are stored. These are users that allow OAM and OIM to connect to LDAP. They are separated from the main Users container to prevent them being reconciled into OIM.

      • Users/Groups Present in Directory: This checkbox is displayed if you selected existing directory as OUD, and chose to prepare directory using IDM LCM tool. Select this if users or groups are present in your directory.

    • Additional Details

      The following are the additional details you must specify, depending on your directory selection:

      • OUD Replication Port: This is the replication port of OUD. This field is displayed if you selected OUD as the existing directory and chose to prepare the directory using the IDM LCM tool.

      • SSL Enabled: This checkbox is displayed if you selected Active Directory as the existing directory. For the OAM-only topology, this checkbox is unchecked by default and is editable. For the OIM-OAM integrated topology, this checkbox is checked by default and is not editable.

        If this checkbox is unchecked, the Directory Port is set to 389 by default. If this checkbox is checked, the Directory Port is replaced by SSL Port and is set to 636 by default.

    After you specify the required details, click Next.

  8. Use the Configure Oracle HTTP Server screen to review or change the ports that will be used for the Oracle HTTP Server (OHS) instance.

    You should be able to use the default values for these ports, unless you have similar software running on the same host and you think there might be port conflicts.

    Click Next.

  9. Use the Configure Oracle Access Manager screen to view or modify the ports that will be used by the Oracle Access Manager Managed Servers.

    In most cases you can leave the default values, unless you have similar software running on the same host and you think there might be port conflicts.

    It is also possible to change the Cookie domain, although this will usually be the same as the realm used in LDAP.

    Click Next.

  10. Use the Configure Oracle Mobile Security Manager screen to view or modify the ports that will be used by Oracle Mobile Security Manager Managed Servers.

    In most cases you can leave the default values, unless you have similar software running on the same host and you think there might be port conflicts.

    Click Next.

  11. Use the Configure Oracle Mobile Security Access Server screen to view or modify the ports that will be used by Oracle Mobile Security Access Server (MSAS). You can also change the Gateway Instance Id.

    In most cases you can leave the default values, unless you have similar software running on the same host and you think there might be port conflicts.

    Click Next.

  12. Use the Access Policy Manager screen to review or change the ports that will be used by the Oracle Access Policy Manager Managed Servers.

    In most cases you can leave the default values, unless you have similar software running on the same host and you think there might be port conflicts.

    Click Next.

  13. Use the Configure Oracle Access Manager Database screen to enter information about the Database that contains (or will contain) the required schemas.

    • If you have already installed the schemas using the Oracle Fusion Middleware Metadata Repository Creation Utility (RCU), then do not select the Create Schema Using RCU check box.

      In this case, provide the details required to connect to the database where the schemas are installed, and then enter the password you created when you installed the schemas with RCU.

    • If you have not already installed the schemas, then select Create Schema Using RCU. This tells the LCM Tools to create the schemas for you as part of the deployment process.

      In this case, provide the details to connect to an existing, supported database. You must specify a user name with SYS privileges.

      In addition, you must provide a new password that will be used for all the newly created schemas, and an extra field appears so you can confirm the password.

    The following fields are present in this screen:

    • SYSDBA Username: This is the name of the SYSDBA account on the database. For example, sys

    • SYSDBA Password: This is the password for the SYSDBA account.

      SYSDBA credentials are required only if you select the Create Schema Using RCU option.

    • Schema Prefix: This is the prefix that was used when you created Database schemas using Repository Creation Utility, or the prefix that must be used when the deployment tool creates the new schemas. For example, EDGIAD

    • Service Name: This is the service name of the database service. For example, IADEDG.example.com (OAM_DB_SERVICENAME)

    • Schema Password: This is the password you used when creating the Oracle Identity Manager schema using RCU or the password you wish to assign to the schemas as they are newly created (OAM_SCHEMA_PASSWORD).

    Select RAC Database, and provide the following information:

    • Scan address: This is the Grid Infrastructure SCAN Address. For example, IADDBSCAN.example.com (SCAN_ADDRESS)

    • Scan Port: This is the SCAN port. For example, 1521

    • ONS Scan Address: This is the Oracle Notification Server (ONS) Scan address used by Gridlink. By default, it is the same as the Database scan address.

    • ONS Port: This is the port of the Oracle Notification Server (ONS). For example, 6200

    Click Next.

  14. Use the Set User Names and Passwords screen to set the passwords for the accounts that will be created during deployment.

    You can set a common password for all of the user accounts listed, or you can set individual passwords for each of the accounts. It is also possible to change some of the default user names.

    • To enter a common password for all the accounts to be created, enter the password (COMMON_IAM_PASSWORD) in the Enter Common IAM Password field, and then re-enter the password in the Confirm Common Password field.

    • If you want to create unique passwords for each account, select Modify the Username and Password for the user accounts, and then select Edit next to the account you wish to modify.

    If you are using an existing LDAP Directory service, then this screen will also allow you to specify the details of the users and groups you created in the directory in the Preparing an Existing Directory section of this document.

    Click Next.

  15. Use the Load Balancer screen to provide the Load Balancer Entry points for the Access domain. For example:

    Access Domain Administration Server: iadadmin.example.com

    Access Internal Call Backs: iadinternal.example.com

    Access SSO: login.example.com

    Oracle Mobile Security Access Server: msas.example.com

    Click Next.

  16. Use the Summary screen to view a summary of your selections and enter additional information.

    • Provisioning Response File Name: Provide the name of the response file to be created. The default name of the deployment response file is provisioning.rsp. You can change this value.

    • Provisioning Summary: Provide the name of the deployment summary file to be created.

    • Directory: Specify the directory where you want this Deployment Response File to be saved.

  17. Click Finish to exit the wizard.

    Note:

    The Identity and Access Management Deployment Wizard creates a deployment response file in the directory that you specify on the Summary screen. It also creates a folder named responsefilename_data, for example: provisioning_data. This folder contains the cwallet.sso file, which holds the encryption and decryption information for the response file. If you move or copy the deployment response file to another location, you must also move or copy the responsefilename_data folder containing the cwallet.sso file to the same location.

25.5 Creating a Deployment Response File for a Fully Integrated Topology

Complete the following steps to create a new Deployment Response File for a highly available Oracle Identity Manager (OIM), Oracle Access Manager (OAM), and Oracle Mobile Security Suite (OMSS) integrated with Directory topology:

  1. Perform the steps in Section 25.2, "Starting the Deployment Wizard and Navigating the Common Screens".

  2. On the Select IAM Products screen, select OIM-OAM-OMSS Integrated with Directory.

    Notes:

    After you select the components you want to deploy, do not click the Back button in the subsequent screens to modify your product selection.

    If you need to make any modification in the previous screens, click Cancel and then restart the Oracle Identity and Access Management Deployment Wizard.

  3. On the Directory Selection screen, select Use Existing Directory. Creating a new directory is not supported for highly available deployments.

    Choose the directory type from the following choices:

    • Oracle Unified Directory

    • Oracle Internet Directory

    • Microsoft Active Directory

    After you have chosen your directory type, you have the option of the LCM tool preparing the directory for you. It is recommended that you let the tool do it. If you wish to do this manually, follow the instructions described in Chapter 13, "Preparing The Identity Store".

    For this example, we will assume you wish the LCM tool to prepare the directory for you.

    Note:

    This is supported only if you are using the prov_run command to perform the deployment. The prov_run command performs the entire deployment automatically. If you are running the deployment manually using the runIAMDeployment commands, IDMLCM directory preparation is not supported.

    Click Next.

  4. On the Select Topology screen, select Highly Available.

    In the Host Name field, specify the host where you want to deploy Identity and Access Management, as a fully-qualified host name. For example:

    Note:

    On a multi-networked host, the host name entered (without the domain) must be the same as the value returned by the hostname command on that machine.

    If the host has multiple network cards and you wish to provision using one other than the card attached to the default hostname, you must set the host's hostname to the name associated with the value you enter here for the duration of provisioning. This is particularly important on Exalogic deployments.

    First Instances:

    • Directory: ldaphost1.example.com

    • Identity and Governance: oimhost1.example.com

    • Access Management: oamhost1.example.com

    • Web Tier: ohshost1.example.com

    Second Instances:

    • Directory: ldaphost2.example.com

    • Identity and Governance: oimhost2.example.com

    • Access Management: oamhost2.example.com

    • Web Tier: ohshost2.example.com

    If you are using an existing directory, you will not be asked for the directory host.

    If your WEBHOSTs are in a DMZ, select Install Web Tier in DMZ. If you select this option, the Oracle Web tier binaries will be installed locally on those hosts. If you deselect it, they will be installed onto shared storage.

    If your Directory Hosts are in a dedicated zone confined by a firewall, and if you have created a separate disk share for your Directory executables, then select Install Directory Into a Dedicated Zone.

    If you wish to use Oracle Access Manager but not use Oracle Mobile Security suite then deselect the Enable Oracle Mobile Security Suite box.

    Note:

    It is recommended that, if you wish to use Oracle Mobile Security Suite, you create a dedicated domain for it. Therefore, select this option only for the domain in which you will run OMSS.

    If you are deploying on Exalogic and if you are not using an External OHS, then deselect Install Directory into a dedicated zone and Install WebTier in DMZ.

    If you are deploying on Exalogic and if you are using an External OHS, then deselect Install Directory into a dedicated zone but select Install WebTier in DMZ.

    Click Next.

  5. Use the Select Installation and Configuration Locations screen to supply the location of the important directories required for installation and configuration actions. For more information about the directories, see Chapter 7, "Preparing Storage for an Enterprise Deployment".

    The following are the fields on this screen:

    • Lifecycle Management Store Location: LCM_HOME

    • Mounted on Webhosts: Select this option if the LCM_HOME directory is mounted on WEBHOST1 and WEBHOST2 during installation. This is the recommended approach.

    • Software Repository Home: REPOS_HOME

    • Software Installation Location: IDM_TOP

    • Shared Configuration Location: SHARED_CONFIG_DIR

    • Local Configuration Location: LOCAL_CONFIG_DIR

    Click Next.

  6. Use the Configure Virtual Hosts screen to enter the virtual host names used by each component.

    For example:

    Access Domain Admin Server: iadadminvhn.example.com

    OAM Server 1: oamhost1.example.com (*)

    OAM Server 2: oamhost2.example.com (*)

    OAM Policy Manager Server 1: oamhost1.example.com (*)

    OAM Policy Manager Server 2: oamhost2.example.com (*)

    OMSM Server 1: oamhost1.example.com (*)

    OMSM Server 2: oamhost2.example.com (*)

    (*) Specify the physical host name for the OAM Managed Servers unless you are using a multi-networked computer and you wish traffic to use an alternative network. This is the case with Exalogic.

    Identity Governance Domain Admin Server: igdadminvhn.example.com

    SOA Server 1: oimhost1vhn2.example.com

    SOA Server 2: oimhost2vhn2.example.com

    OIM Server 1: oimhost1vhn1.example.com

    OIM Server 2: oimhost2vhn1.example.com

    BIP Server 1: oimhost1vhn3.example.com

    BIP Server 2: oimhost2vhn3.example.com

    Click Next.

  7. Use the Directory Configuration screen to supply the details of your LDAP directory.

    • First Instance Details

      These are the details of the first LDAPHOST. The tool needs these details to connect to the directory host and configure the LDAP instance.

      • Host: This is the host name of one of the LDAP directory instances. For example, ldaphost1.example.com

      • Port: This is the port that the first instance is using on the server. For example, 1389 (LDAP_PORT)

      • AdminServer Connector Port: This is the connector port for the Administration Server. For example, 4444 (LDAP_ADMIN_PORT)

      • Instance Home Directory: This is the path to the instance home directory. For example, /u02/private/oracle/config/instances/oud1 (LDAP_ORACLE_INSTANCE)

    • Second Instance Details

      These are the details of the second LDAPHOST. The tool needs these details to connect to the directory host and configure the LDAP instance. The second instance will only appear for OUD directories.

      Note:

      If you have more than two directory instances, you must shut down the remaining instances and create the indexes and ACIs on those instances manually.

      For more information, see Section 13.5, "Preparing OID and OUD as the Identity Store".

      This configuration should be done only after provisioning has completed.

      • Host: This is the host name of the second directory instance. For example, ldaphost2.example.com

      • Port: This is the port that the first instance is using on the server. For example, 1389 (LDAP_PORT)

      • AdminServer Connector Port: This is the connector port for the Administration Server. For example, 4444 (LDAP_ADMIN_PORT).

      • Instance Home Directory: This is the path to the instance home directory. For example, /u02/private/oracle/config/instances/oud2 (LDAP_ORACLE_INSTANCE).

    • Additional Details

      • OUD Replication Port: This is the Oracle Unified Directory replication port. For example, 8989.

    • Directory Details

      These are the details of how applications will connect to the LDAP directory. Applications will not connect to the LDAP instances directly but via the load balancer.

      • Directory Host: This is the load balancer entry point for the existing directory. For example, idstore.example.com

      • Directory Port: This is the port on the load balancer where LDAP requests are sent. For example, 1389 (OUD), 3060 (OID), 389 (AD) (LDAP_LBR_PORT)

      • Administrator: This is the user name of a directory administrator. For example, cn=oudadmin

      • Administrator Password: This is the password of the directory administrator.

      • Root CA Certificate for AD: The location of the active directory certificate. This is applicable only if the directory is Active Directory.

    • Container Details

      These are the locations in the directory where Users, Groups and System IDs are stored. System IDs are used to allow products such as OIM and OAM to connect to the LDAP directory without using the administrator account.

      • Realm DN: This is the main realm of the directory. For example, dc=example,dc=com

      • Users Groups/Present in the Directory: Normally, this is left unchecked for a new installation. If you have prepared the installation manually, then select this option.

      • Users Container: This is the location within the LDAP directory tree where users are stored.

      • Groups Container: This is the location within the directory tree where Groups are stored.

      • System IDs Container: This is the location within the directory tree where system users are stored. These are users that allow OAM and OIM to connect to LDAP. They are separated from the main Users container to prevent them being reconciled into OIM.

    Click Next.

  8. Use the Configure Oracle HTTP Server screen to review or change the ports that will be used for the Oracle HTTP Server (OHS) instance.

    You should be able to use the default values for these ports, unless you have similar software running on the same host and you think there might be port conflicts.

    Click Next.

  9. Use the Configure Oracle Identity Manager screen to view or modify the ports that will be used by Oracle Identity Manager when you deploy the software.

    Set the Location of the JMS/Tlogs to the shared storage location where you are placing runtime artifacts. For example:

    RT_HOME/domains/IAMGovernanceDomain

    In most cases, you can leave the remaining entries at the default values, unless you have similar software running on the same host and you think there might be port conflicts.

    Select Configure Email Server if you want to identify and configure a mail server so that Oracle Identity Manager can send email notifications. If you wish to configure the Email Server, you must provide the following information:

    • Outgoing Server Name: This is the name of your outgoing Email server. For example, EMAIL.example.com (EMAIL_SERVER).

    • Outgoing Server Port: This is the port your Email server uses. For example, 465 (EMAIL_PORT).

    • Outgoing Email Security: Select None, SSL, or TLS (EMAIL_PROTOCOL)

    • Username: This is the username (EMAIL_USER) you use to authenticate with the Email server.

    • Password: This is the password (EMAIL_PASSWORD) for the above user.

    • Web Proxy Host: This is the host name of your proxy server if you use one.

    • Web Proxy Port: This is the port of your proxy server if you use one.

  10. Use the Configure Oracle Identity Manager Database screen to enter information about the Database that contains (or will contain) the required schemas.

    If you have already installed the schemas using the Oracle Fusion Middleware Repository Creation Utility (RCU), then do not select the Create Schema Using RCU check box. In this case, you must provide the required information to connect to the database where the schemas are installed.

    If you have not installed the schemas already, then select Create Schema Using RCU. If you choose this option, the LCM Tool creates the schemas as part of the deployment process.

    The following fields are present in this screen:

    • SYSDBA Username: This is the name of the SYSDBA account on the database. For example, sys

    • SYSDBA Password: This is the password for the SYSDBA account.

      SYSDBA credentials are required only if you select the Create Schema Using RCU option.

    • Schema Prefix: This is the prefix that was used when you created Database schemas using Repository Creation Utility, or the prefix that must be used when the deployment tool creates the new schemas. For example, EDGIGD

    • Service Name: This is the service name of the database service. For example, IGDEDG.example.com (OIM_DB_SERVICENAME)

    • Schema Password: This is the password you used when creating the Oracle Identity Manager schema using RCU or the password you wish to assign to the schemas as they are newly created (OIM_SCHEMA_PASSWORD).

    Select RAC Database, and provide the following information:

    • Scan address: This is the Grid Infrastructure SCAN Address. For example, IGDDBSCAN.example.com (SCAN_ADDRESS)

    • Scan Port: This is the SCAN port. For example, 1521

    • ONS Scan Address: This is the Oracle Notification Server (ONS) Scan address used by Gridlink. By default, it is the same as the Database scan address.

    • ONS Port: This is the port of the Oracle Notification Server (ONS). For example, 6200

    Click Next.

  11. Use the Configure SOA screen to enter the listen port for the SOA Managed server.

    • SOA Host: This field is purely informational and displays the host on which the product will run.

    • Port: Specify the port number to be used by the SOA Server.

  12. Use the Configure Oracle Business Intelligence Publisher screen to enter the ports to be used by the BIP Managed server.

    • BIP Host: This field is purely informational. The value is determined by the host entered in the Select Topology screen.

    • Port: Specify the port number to be used by the BIP Server, for example: 9704

  13. Use the Configure Oracle Access Manager screen to view or modify the ports that will be used by Oracle Access Manager when you deploy the software.

    In most cases you can leave the default values, unless you have similar software running on the same host and you think there might be port conflicts.

    For the Cookie Domain field, be sure to enter a domain address appropriate for your organization. Prefix the domain address with a leading period (.), for example:

    .example.com

    For an explanation of the other fields, click Help.

  14. Use the Configure Oracle Mobile Security Manager screen to view or modify the ports that will be used by Oracle Mobile Security Manager when you deploy the software.

    In most cases you can leave the default values, unless you have similar software running on the same host and you think there might be port conflicts.

    For an explanation of the fields on the screen, click Help.

  15. Use the Configure Oracle Mobile Security Access Server screen to view or modify the ports that will be used by Oracle Mobile Security Access Server when you deploy the software.

    Change the name of the Gateway Instance Id to EDGMSAS. For the rest of the fields, you can use the default values, unless you have similar software running on the same host and you think there might be port conflicts.

    For an explanation of the fields on this screen, click Help.

  16. Use the Configure Access Policy Manager screen to review or change the ports that will be used by the Oracle Access Policy Manager Managed Servers.

    In most cases you can leave the default values, unless you have similar software running on the same host and you think there might be port conflicts.

    Click Next.

  17. Use the Configure Oracle Access Manager Database screen to enter information about the Database that contains (or will contain) the required schemas.

    • If you have already installed the schemas using the Oracle Fusion Middleware Metadata Repository Creation Utility (RCU), then do not select the Create Schema Using RCU check box.

      In this case, provide the details required to connect to the database where the schemas are installed, and then enter the password you created when you installed the schemas with RCU.

    • If you have not already installed the schemas, then select Create Schema Using RCU. This tells the LCM Tools to create the schemas for you as part of the deployment process.

      In this case, provide the details to connect to an existing, supported database. You must specify a user name with SYS privileges.

      In addition, you must provide a new password that will be used for all the newly created schemas, and an extra field appears so you can confirm the password.

    The following fields are present in this screen:

    • SYSDBA Username: This is the name of the SYSDBA account on the database. For example, sys

    • SYSDBA Password: This is the password for the SYSDBA account.

      SYSDBA credentials are required only if you select the Create Schema Using RCU option.

    • Schema Prefix: This is the prefix that was used when you created Database schemas using Repository Creation Utility, or the prefix that must be used when the deployment tool creates the new schemas. For example, EDGIAD

    • Service Name: This is the service name of the database service. For example, IADEDG.example.com (OAM_DB_SERVICENAME)

    • Schema Password: This is the password you used when creating the Oracle Identity Manager schema using RCU or the password you wish to assign to the schemas as they are newly created (OAM_SCHEMA_PASSWORD).

    Select RAC Database, and provide the following information:

    • Scan address: This is the Grid Infrastructure SCAN Address. For example, IADDBSCAN.example.com (SCAN_ADDRESS)

    • Scan Port: This is the SCAN port. For example, 1521

    • ONS Scan Address: This is the Oracle Notification Server (ONS) Scan address used by Gridlink. By default, it is the same as the Database scan address.

    • ONS Port: This is the port of the Oracle Notification Server (ONS). For example, 6200

    Click Next.

  18. Use the Set User Names and Passwords screen to set the passwords for the accounts that will be created during deployment. You can set a common password for all of the user accounts listed, or you can set individual passwords for each of the accounts. It is also possible to change some of the default user names.

    To enter a common password for all the accounts to be created, enter the password in the Enter Common IAM Password (COMMON_IAM_PASSWORD) field, and then re-enter the password in the Confirm Common IAM Password field.

    If you want to create unique passwords for each account, select Modify the Username and Password for the user accounts, and select Edit next to the account you wish to modify.

    If you are using an Existing LDAP directory, then this screen will also allow you to specify the details of the users and groups you created in the directory in Chapter 13, "Preparing The Identity Store".

    Click Next.

  19. Use the Load Balancer screen to provide the Load Balancer Entry points for both Access domain and Governance domain. For example:

    Access Domain Administration Server: iadadmin.example.com

    Identity Governance Administration Server: igdadmin.example.com

    Identity Internal Call Backs: igdinternal.example.com

    Access Internal Call Backs: iadinternal.example.com

    Access SSO: login.example.com

    Governance: prov.example.com

    Oracle Mobile Security Access Server: msas.example.com

    Click Next.

  20. Use the Summary screen to view a summary of your selections and enter additional information.

    • Provisioning Response File Name: Provide the name of the response file to be created. The default name of the deployment response file is provisioning.rsp. You can change this value.

    • Provisioning Summary: Provide the name of the deployment summary file to be created.

    • Directory: Specify the directory where you want this Deployment Response File to be saved.

  21. Click Finish to exit the wizard.

    Note:

    The Identity and Access Management Deployment Wizard creates a deployment response file in the directory that you specify on the Summary screen. It also creates a folder named responsefilename_data, for example: provisioning_data. This folder contains the cwallet.sso file, which holds the encryption and decryption information for the response file. If you move or copy the deployment response file to another location, you must also move or copy the responsefilename_data folder containing the cwallet.sso file to the same location.
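    Three of the checks this procedure asks you to make by hand can be scripted before the wizard is run: the Step 4 requirement that the entered host name (without domain) match the output of the hostname command, the repeated advice to keep the default ports only when nothing else on the host already uses them, and the closing Note's requirement that the response file travel together with its responsefilename_data folder and cwallet.sso. The script below is an added example, not part of Oracle's Identity and Access Management tooling; the function names are this example's own, the socket listing is constructed rather than captured, and the port check assumes the column layout of `ss -ltnH` (local address:port in the fourth column).

```shell
#!/bin/sh
# Pre-flight checks for an IAM deployment host and its response file.
# Added example, not part of Oracle's LCM tooling; function names are
# this example's own.

# Section 25.5, Step 4: the host name entered in the wizard (without the
# domain) must equal what the hostname command returns. The actual hostname
# is passed in so the check can be exercised against any value.
short_name_matches() {
    entered="$1"
    actual="$2"
    [ "${entered%%.*}" = "${actual%%.*}" ]
}

# The wizard writes <name>.rsp and a sibling <name>_data/ folder holding
# cwallet.sso; the closing Note says the two must be moved or copied together.
wallet_dir_for() {
    rsp="$1"
    base=$(basename "$rsp")
    printf '%s/%s_data\n' "$(dirname "$rsp")" "${base%.*}"
}

wallet_present() {
    [ -f "$(wallet_dir_for "$1")/cwallet.sso" ]
}

# Every port screen says to keep the defaults unless something on the host
# already listens on them. Given a socket listing in the format of
# `ss -ltnH` (local address:port in column 4), print the planned ports that
# are already taken. The last ':'-separated field is used so IPv6 addresses
# such as [::]:1521 are handled as well.
ports_in_use() {
    listing="$1"
    shift
    for p in "$@"; do
        if printf '%s\n' "$listing" | awk -v p="$p" \
            '{ n = split($4, a, ":"); if (a[n] == p) found = 1 }
             END { exit !found }'; then
            printf '%s\n' "$p"
        fi
    done
}

# Constructed sample listing (not captured from a real host) in which two of
# this chapter's example ports are already bound: 1521 (SCAN) and 6200 (ONS).
SAMPLE_LISTING='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:1521 [::]:*
LISTEN 0 4096 127.0.0.1:6200 0.0.0.0:*'

# Demonstration against the sample data and this machine's own hostname.
# On a real host, replace SAMPLE_LISTING with "$(ss -ltnH)".
preflight_demo() {
    if short_name_matches "oamhost1.example.com" "$(hostname 2>/dev/null || uname -n)"; then
        echo "hostname check: OK"
    else
        echo "hostname check: WARN - entered name does not match hostname output"
    fi
    if wallet_present "./provisioning.rsp"; then
        echo "wallet check: OK ($(wallet_dir_for ./provisioning.rsp)/cwallet.sso found)"
    else
        echo "wallet check: WARN - $(wallet_dir_for ./provisioning.rsp)/cwallet.sso missing"
    fi
    taken=$(ports_in_use "$SAMPLE_LISTING" 7001 1521 6200 8989)
    if [ -n "$taken" ]; then
        echo "port check: WARN - already in use:" $taken
    else
        echo "port check: OK"
    fi
}

preflight_demo
```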