26 Deploying Identity and Access Management

This chapter describes how to deploy Identity and Access Management.

It contains the following sections:

26.1 Introduction to the Deployment Process

This section introduces the deployment process. This section includes the following topics:

26.1.1 Deployment Stages

There are eight stages to Deployment. These stages are:

  1. preverify - This checks that each of the servers being used in the topology satisfies the minimum requirements of the software being installed and configured. This also checks for database connections for schemas and port availability,

  2. install - This installs all of the software required by the installation. This also includes binary patching for all of the patches included in the repository.

  3. preconfigure - This does the following:

    • Creates Oracle Unified Directory instances and seeds them with Users/Groups.

    • Creates the WebLogic domains and extends domains for various products

    • Creates OHS instance

    • Migrates the Policy Store to the database

  4. configure - This does the following:

    • Starts managed servers as necessary

    • Associates Access Manager with Oracle Unified Directory

    • Configure Oracle Identity Manager

  5. configure-secondary - This does the following:

    • Integrates Weblogic Domain with Webtier

    • Register webtier with domain

    • Integrate Access Manager and Oracle Identity Manager

  6. postconfigure - This does the following:

    • Run Oracle Identity Manager Reconciliation

    • Configure UMS Mail Server

    • Generate Access Manager Keystore

    • Configure WebGates

  7. startup - This starts up all components in the topology and applies any needed artifact patches.

  8. validate - This performs a number of checks on the built topology to ensure that everything is working as it should be.

Each stage must be completed on all hosts in a specific order, as described in the next section. Each stage must be completed on each host in the topology before the next stage can begin. Failure of a stage will necessitate a cleanup and restart.

26.1.2 Processing Order

Deployment processes the hosts in the following order:

  1. Identity Governance Host 1

  2. Identity Governance Host 2

  3. Access Management Host 1

  4. Access Management Host 2

  5. Web Host 1

  6. Web Host 2

This equates to the following order for hosts in this guide.

Consolidated Topology Processing Order



Distributed Topology Processing Order








For Exalogic Physical use the Consolidated Topology Steps.

For Exalogic Virtual use the Distributed Topology Steps.

26.2 Prerequisites for Deployment on Exalogic

Before you start the deployment on Exalogic, you must complete the following prerequisites:

  1. Install and configure Oracle Traffic Director (OTD).

    For information about installing Oracle Traffic Director, see Section 11.2.2, "Installing Oracle Traffic Director".

    For information about configuring Oracle Traffic Director, see Section 14.2, "Configuring Oracle Traffic Director".

  2. Use a dummy port number for OTD. For more information, see the Note in Section 14.2.3, "Creating a Configuration".

  3. Ensure that you create a dummy entry in the hosts file.

    In Exalogic, internal requests are load balanced by OTD. When performing a deployment using Life Cycle Management Tool, the load balancer entry points, iadinternal.example.com:7777 and igdinternal.example.com:7777 are managed by OTD. When you set OTD to use a dummy port number, those URLs become inaccessible. This does not cause an issue for Oracle Identity Manager, but Oracle MSAS configuration will fail, as it requires access to the WebLogic wls_msm Managed Servers during configuration.

    To workaround this issue, you must change the entry in the /etc/hosts file for iadinternal to point to the OTD host. This makes it look like the iadinternal.example.com exists and is working. For example:

    On WEBHOST1, the /etc/hosts file looks like: webhost1.example.com iadinternal.example.com

    Change this to: webhost1.example.com iadinternal.example.com

    This makes the MSAS configuration access the OHS server on OTD host1 which will then be able to pass on requests to the wls_msm Managed Servers.

    You must make these changes on both the WEBHOSTS. Ensure that you assign the value to the local WEBHOST. After the deployment is complete, remove the dummy entries.

26.3 Deployment Procedure

In previous releases of the configuration Wizard, each phase of the process needed to be initiated manually on each host in the topology. This is still a supported method. However, in this release, you can provision the entire environment using two simple commands. For completeness, both options are shown below:

26.3.1 Running the Deployment Commands Automatically

Choose a host to initiate provisioning from. This should be one of the application tier hosts, this will be known henceforth as the master host. The master host is the node where you are running the deployment.

This process sets up SSH equivalence on each node. This is required for the duration of the deployment. It can be disabled later if desired. Preparing the Hosts for Automated Deployment

From the master node, execute the command prov_setup_ssh.sh, which is located in the following directory:


Run the following command:

./prov_setup_ssh.sh -responseFile <Absolute_Path_to_the_deployment_file>

For example:

cd IDMLCM_HOME/provisioning/bin

./prov_setup_ssh.sh -responseFile /u01/lcm/tools/idmlcm/provisioning/bin/provisioning.rsp

When asked whether or not you wish to enable SSH, enter Yes and press Return.

The script now connects to each of the hosts in your topology. When it does, it may prompt you to verify the authenticity of the host by showing you the hosts RSA fingerprint and asking if you wish to continue connecting. Enter Yes and press Return.

It prompts you for the password of the account you are using on the remote host. It repeats this process for each host in the topology. Keep entering the passwords as prompted until the script finishes. At that time, it can remotely execute commands on those hosts without the need for a password. This is ssh equivalence.

After the deployment is complete, ssh equivalence is removed. Deploying Identity and Access Management Automatically

Now that you have set up ssh on the hosts, start the deployment. You can start the deployment by running prov_run.sh command from the same directory. For example:


cd IDMLCM_HOME/provisioning/bin

./prov_run.sh -responseFile IDMLCM_HOME/provisioning/bin/provisioning.rsp

26.3.2 Running the Deployment Commands Manually

To deploy Identity and Access Management, run the runIAMDeployment.sh a number of times on each host in the topology from the following location:


BEFORE embarking on the Deployment process, read this entire section. There are extra steps detailed below which must be performed during the process.


  • You must use the SAME version of the Deployment profile (IDMLCM_HOME/provisioning/bin/provisioning.rsp) on all targets and all hosts in the deployment.

  • You MUST run each command on each host in the topology, in the specified order, before running the next command.

Before running the Deployment tool, set the following environment variable.:

  • Set JAVA_HOME to: REPOS_HOME/jdk

The commands you must run are:

runIAMDeployment.sh -responseFile IDMLCM_HOME/provisioning/bin/provisioning.rsp -target preverify

runIAMDeployment.sh -responseFile IDMLCM_HOME/provisioning/bin/provisioning.rsp -target install

runIAMDeployment.sh -responseFile IDMLCM_HOME/provisioning/bin/provisioning.rsp -target preconfigure

runIAMDeployment.sh -responseFile IDMLCM_HOME/provisioning/bin/provisioning.rsp -target configure

runIAMDeployment.sh -responseFile IDMLCM_HOME/provisioning/bin/provisioning.rsp -target configure-secondary

runIAMDeployment.sh -responseFile IDMLCM_HOME/provisioning/bin/provisioning.rsp -target postconfigure

runIAMDeployment.sh -responseFile IDMLCM_HOME/provisioning/bin/provisioning.rsp -target startup

runIAMDeployment.sh -responseFile IDMLCM_HOME/provisioning/bin/provisioning.rsp -target validate

26.3.3 Creating Backups

It is important that you take a backup of the file systems and databases at the following points:

  1. Prior to starting Deployment.

  2. At the end of the installation phase.

  3. Upon completion of Deployment

It is not supported to restore a backup at any phase other than those three.

26.4 Check List

To help keep track of the Deployment process, print this check list from the PDF version of this guide. Run each stage on the hosts shown, and add a check mark to the corresponding row when that run is complete.


Deployment Stage Host Complete
Preverify OIMHOST1  
Install OIMHOST1  
Preconfigure OIMHOST1  
Configure OIMHOST1  
Configure Secondary OIMHOST1  
Post Configure OIMHOST1  
Startup OIMHOST1  
Validate OIMHOST1  

26.5 Deploying Identity and Access Management Without a Common LCM_HOME

The previous deployment instructions assume that the LCM_HOME directory is shared across every host in the topology for the duration of the deployment process.

If your organization does not permit this sharing, you can still run the deployment by making LCM_HOME available locally on every host. The following extra manual steps are required.

  1. Create a local version of the LCM_HOME directory, including the software repository.

  2. Copy the Deployment Response File, responsefilename_data folder, and Summary created in Chapter 25, "Creating a Deployment Response File" to the same location on each of the hosts.

  3. The deployment tool relies on the contents of the directories located under LCM_HOME/provisioning to determine what stages have run successfully. Therefore, after every command, copy the contents of this directory to every node before executing any runIAMDeployment.sh commands.

  4. Before running preconfigure on OIMHOST1, copy LCM_HOME/keystores from OAMHOST1 to OIMHOST1.

  5. If LCM_HOME is not mounted on WEBHOST1 and WEBHOST2 (or OHSHOST1/OHSHOST2 in a topology with external Oracle HTTP Servers), before execution of the postconfigure phase on WEBHOST1, copy LCM_HOME/keystores/webgate_artifacts from OAMHOST1 to WEBHOST1 and WEBHOST2

    LCM_HOME/keystores/webgate_artifacts is created after the configure-secondary phase on OAMHOST1.