5 Configuring Oracle Access Management

This chapter explains how to configure Oracle Access Management. It covers the configuration roadmap, creating a new WebLogic domain for Oracle Access Management, configuring the Database Security Store, starting the Administration Server and Managed Servers, and verifying the installation.

5.1 Overview

Oracle Identity and Access Management 11g Release 2 (11.1.2.3.0) contains Oracle Access Management, which includes the following services:

  • Oracle Access Manager

  • Oracle Access Management Security Token Service

  • Oracle Access Management Identity Federation

  • Oracle Access Management Mobile and Social

Note:

For an introduction to Oracle Access Management, see "Oracle Product Introduction" in the Administrator's Guide for Oracle Access Management.

5.2 Important Note Before You Begin

Before you start configuring Oracle Access Management, note that IAM_HOME is used to refer to the Oracle home directory that includes Oracle Identity Manager, Oracle Access Management, Oracle Adaptive Access Manager, Oracle Entitlements Server, Oracle Privileged Account Manager, Oracle Access Management Mobile and Social, and Oracle Mobile Security Suite. You can specify any path for this Oracle home directory.

5.3 Configuration Roadmap for Oracle Access Management

Table 5-1 lists the tasks for configuring Oracle Access Management.

Table 5-1 Configuration Flow for Oracle Access Management

No.  Task                                          Description

1    Run the Configuration Wizard                  Run the Oracle Fusion Middleware Configuration Wizard to configure your Oracle Identity and Access Management products in a new or existing WebLogic domain. For more information, see Section 5.4, "Configuring Oracle Access Management in a New WebLogic Domain".

2    Configure the Database Security Store         Configure the Database Security Store before you start the Administration Server. For more information, see Section 5.5, "Configuring the Database Security Store".

3    Start the Administration Server               Start the Oracle WebLogic Administration Server. For more information, see Section 5.6, "Starting the Oracle WebLogic Administration Server".

4    Complete the post-installation tasks          Perform the optional post-installation tasks (Section 5.7), optionally configure Oracle Mobile Security Suite (Section 5.8), start the Managed Servers (Section 5.9), verify the installation (Section 5.10), and, as needed, set up Webgate agents and the integration with Oracle Identity Manager (Sections 5.11 and 5.12).


5.4 Configuring Oracle Access Management in a New WebLogic Domain

This topic describes how to configure Oracle Access Management in a new WebLogic domain: the deployment environment it suits, the components it deploys, its dependencies, and the step-by-step procedure.

5.4.1 Appropriate Deployment Environment

Perform the configuration in this topic if you want to install only Oracle Access Management in an environment where you might add other Oracle Identity and Access Management 11g components, such as Oracle Identity Manager, Oracle Mobile Security Suite, or Oracle Adaptive Access Manager, at a later time in the same domain.

5.4.2 Components Deployed

Performing the configuration in this section deploys the following components:

  • Oracle Access Manager

  • Oracle Access Management Security Token Service

  • Oracle Access Management Identity Federation

  • Oracle Access Management Mobile and Social

  • Oracle WebLogic Administration Server

  • Managed Servers for Oracle Access Manager, Oracle Mobile Security Manager, and Oracle Access Manager Policy Manager.

  • Oracle Access Management Console on the Administration Server

  • Oracle Access Manager Policy Manager Console on the Policy Manager Managed Server

5.4.3 Dependencies

The configuration in this section depends on the following:

5.4.4 Procedure

Perform the following steps to configure Oracle Access Management in a new WebLogic domain:

  1. Start the Oracle Fusion Middleware Configuration Wizard by running the IAM_HOME/common/bin/config.sh script (on Linux or UNIX), or IAM_HOME\common\bin\config.cmd (on Windows).

    The Welcome screen of the Oracle Fusion Middleware Configuration Wizard appears.

    Note:

    IAM_HOME is used as an example here. You must run this script from your Oracle Identity and Access Management Home directory that contains Oracle Identity Manager, Oracle Access Management, Oracle Adaptive Access Manager, Oracle Entitlements Server, Oracle Privileged Account Manager, Oracle Access Management Mobile and Social, and Oracle Mobile Security Suite.
  2. On the Welcome screen, select the Create a new WebLogic domain option. Click Next. The Select Domain Source screen appears.

  3. On the Select Domain Source screen, ensure that the Generate a domain configured automatically to support the following products: option is selected. Select Oracle Access Management And Mobile Security Suite - 11.1.2.3.0 [IAM_HOME], and click Next. The Specify Domain Name and Location screen appears.

    Note:

    When you select the Oracle Access Management And Mobile Security Suite - 11.1.2.3.0 [IAM_HOME] option, the following options are also selected, by default:
    • Oracle Platform Security Service 11.1.1.0 [IAM_HOME]

    • Oracle JRF 11.1.1.0 [oracle_common]

    • Oracle OPSS Metadata for JRF - 11.1.1.0 [oracle_common]

    • Oracle Enterprise Manager - 11.1.1.0 [oracle_common]

    • Oracle WSM Policy Manager - 11.1.1.0 [oracle_common]

    If you are planning to configure Oracle Access Management Mobile and Social, you may optionally select Oracle Adaptive Access Manager Admin Server - 11.1.2.0.0 [IAM_HOME] to add Oracle Adaptive Access Manager to the same WebLogic domain that contains Oracle Access Management Mobile and Social. Oracle highly recommends that you select Oracle Adaptive Access Manager if you intend to use the device registration feature.

  4. Enter a name and a location for the domain to be created.

    For example,

    • Domain name: oam_domain

    • Domain location: ORACLE_BASE/admin/oam/user_projects/domains

    • Application location: ORACLE_BASE/admin/oam/user_projects/applications

    Notes:

    • ORACLE_BASE is the base directory under which Oracle products are installed. For example, /u01/oracle.

    • The default locations for the domain home and application home are MW_HOME/user_projects/domains and MW_HOME/user_projects/applications, respectively. However, it is recommended that you create your domain and application home directories outside of both the Middleware home and Oracle home.

    Click Next. The Configure Administrator User Name and Password screen appears.

  5. Configure a user name and a password for the administrator. The default user name is weblogic. This account is the WebLogic domain administrator and therefore has full control over the domain and every application in it, so choose a strong password and do not reuse it across environments. Click Next.

  6. The Configure Server Start Mode and JDK screen appears. Choose a JDK from the Available JDKs and select a mode under WebLogic Domain Startup Mode. Select Production Mode for any domain that is not a throwaway development environment: in Production Mode WebLogic Server does not auto-deploy applications from the domain's autodeploy directory and prompts for the administrator credentials when a server starts unless they are stored in a boot identity file. Click Next.

  7. The Configure JDBC Component Schema screen appears. This screen displays a list of the following component schemas:

    • OAM MDS Schema

    • OWSM MDS Schema

    • OAM Infrastructure

    • OMSM Schema

    • OPSS Schema

    On the Configure JDBC Component Schema screen, select a component schema, such as the OAM Infrastructure Schema or the OPSS Schema, that you want to modify.

    You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears.

    If the test fails, click Previous, correct the issue, and try again.

    After the test succeeds, click Next. The Select Optional Configuration screen appears.

  8. On the Select Optional Configuration screen, select Administration Server and Managed Servers, Clusters and Machines.

    Click Next.

  9. Use the Configure the Administration Server screen to configure the following Administration Server parameters:

    • Name

    • Listen address

    • Listen port

    • SSL listen port

    • SSL enabled or disabled

    Click Next.

  10. Configure Managed Servers.

    When you first enter the Configure Managed Servers screen, three default Managed Servers (oam_server1, omsm_server1, and oam_policy_mgr1) have been created for you and have been automatically assigned to default ports. Change the default Managed Server names to the following:

    • For the Oracle Access Manager Server entry (oam_server1), change the name to WLS_OAM1.

    • For the Oracle Mobile Security Manager Server entry (omsm_server1), change the name to WLS_MSM1.

    • For the Access Manager Policy Manager Server entry (oam_policy_mgr1), change the name to WLS_AMA1.

    These server names will be referenced throughout this document. If you choose different names, then be sure to replace them as needed.

    Notes:

    • If you want to configure the Managed Servers on the same machine as the Administration Server, ensure that the ports are different from that of the Administration Server. Modify the port numbers as needed.

    • The Oracle Access Management OAuth Service is deployed on the Oracle Access Manager Server (WLS_OAM1). If you want to configure the OAuth Service in SSL mode, you must enable the SSL port of the Oracle Access Manager Server.

    • For more information, see "Configure Managed Servers" in Creating Domains Using the Configuration Wizard.

    Click Next.

  11. On the Configure Clusters screen, click Add to create three clusters with the following names for Oracle Access Manager, Oracle Mobile Security Manager, and Oracle Access Manager Policy Manager:

    • oam_cluster

    • msm_cluster

    • ama_cluster

    Leave all other fields at the default settings and click Next.

    Note:

    For more information about configuring clusters for Oracle Identity and Access Management products, see the "Configuring High Availability for Oracle Identity and Access Management Components" topic in the High Availability Guide.
  12. On the Assign Servers to Clusters screen, assign Managed Servers to clusters as follows:

    • Assign the Oracle Access Manager Managed Server (WLS_OAM1) to oam_cluster.

    • Assign the Oracle Mobile Security Manager Managed Server (WLS_MSM1) to msm_cluster.

    • Assign the Policy Manager Managed Server (WLS_AMA1) to ama_cluster.

    Click Next.

  13. Use the Configure Machines screen to create and configure machines in the domain, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.

    Tip:

    Before configuring a machine, use the ping command to verify that the machine or host name resolves and is reachable. Note that ICMP is often filtered between network zones; if ping fails, confirm name resolution separately and check that the WebLogic listen ports on that host are reachable before you proceed.

    Note:

    For more information about the options on this screen, see "Configure Machines" in Creating Domains Using the Configuration Wizard.

    Note that if you are extending your domain over multiple machines, you should not migrate the domain to a remote machine until all configuration tasks are completed on the base machine (the machine on which the Administration Server is running).

    Click Next.

  14. On the Assign Servers to Machines screen, assign the Administration Server to a machine.

    Note that deployments, such as applications and libraries, and services that are targeted to a particular cluster or server are selected, by default.

  15. Assign the newly created Managed Servers, such as WLS_OAM1, WLS_MSM1, and WLS_AMA1, to a machine.

    Click Next.

  16. On the Configuration Summary screen, review the domain configuration, and click Create to start creating the domain.

    The domain is created in the domain location you specified in step 4. If you kept the default, a new WebLogic domain to support Oracle Access Management is created in the MW_HOME/user_projects/domains directory.

Note:

When you configure Oracle Access Management using the Oracle Access Management template, only Oracle Access Manager is enabled by default. For enabling other services including Security Token Service, Identity Federation, and Oracle Access Management Mobile and Social, refer to "Enabling or Disabling Available Services" in the Administrator's Guide for Oracle Access Management.
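The following script is an added illustration of the procedure above; it is not Oracle's code and is not part of this documentation. It encodes the rules the steps state (ports must differ between servers on the same machine, the WLS_OAM1, WLS_MSM1 and WLS_AMA1 names and their clusters, every server assigned to a machine, the SSL port of WLS_OAM1 enabled when the OAuth Service runs in SSL mode, production mode selected) as a check over a domain plan, and then emits the equivalent WLST offline commands for the same domain. The template jar path, the machine names and the port numbers are assumptions made for the example, and renaming a template server with set('Name', ...) in WLST offline is assumed to be supported.

```python
"""Check a domain plan against the Configuration Wizard steps and emit the
equivalent WLST offline commands. Added example, not Oracle code."""
from dataclasses import dataclass
from typing import Dict, List

# Managed Servers as the chapter names them (step 10): the template's default
# name each one replaces and the cluster it is assigned to (steps 11 and 12).
ROLES = {
    "WLS_OAM1": ("oam_server1", "oam_cluster"),
    "WLS_MSM1": ("omsm_server1", "msm_cluster"),
    "WLS_AMA1": ("oam_policy_mgr1", "ama_cluster"),
}


@dataclass
class Server:
    name: str
    machine: str
    listen_port: int
    ssl_port: int
    ssl_enabled: bool = False
    cluster: str = ""  # empty for the Administration Server


@dataclass
class DomainPlan:
    domain_home: str
    admin: Server
    managed: List[Server]
    production_mode: bool = True
    oauth_over_ssl: bool = True


def validate_plan(plan: DomainPlan) -> List[str]:
    """Return the rule violations found; an empty list means the plan is consistent."""
    problems: List[str] = []
    used: Dict[str, Dict[int, str]] = {}  # machine -> port -> server using it
    for s in [plan.admin] + plan.managed:
        if not s.machine:
            problems.append(f"{s.name}: not assigned to a machine (steps 14-15)")
        ports = [("listen", s.listen_port)] + ([("SSL", s.ssl_port)] if s.ssl_enabled else [])
        for label, port in ports:
            owner = used.setdefault(s.machine, {}).get(port)
            if owner:
                problems.append(f"{s.name}: {label} port {port} clashes with {owner} on {s.machine} (step 10)")
            used[s.machine][port] = s.name
    for missing in sorted(set(ROLES) - {s.name for s in plan.managed}):
        problems.append(f"{missing}: Managed Server missing (step 10)")
    for s in plan.managed:
        role = ROLES.get(s.name)
        if role is None:
            problems.append(f"{s.name}: not a Managed Server name used by this chapter (step 10)")
        elif s.cluster != role[1]:
            problems.append(f"{s.name}: expected cluster {role[1]}, got {s.cluster!r} (step 12)")
    oam = next((s for s in plan.managed if s.name == "WLS_OAM1"), None)
    if plan.oauth_over_ssl and oam is not None and not oam.ssl_enabled:
        problems.append("WLS_OAM1: OAuth Service in SSL mode needs the SSL listen port enabled (step 10)")
    if not plan.production_mode:
        problems.append("domain: development mode selected; use production mode outside a sandbox (step 6)")
    return problems


def _server_cmds(default_name: str, s: Server) -> List[str]:
    cmds = [f"cd('/Servers/{default_name}')", f"set('ListenPort', {s.listen_port})"]
    if s.name != default_name:
        cmds.append(f"set('Name', '{s.name}')")  # assumption: rename supported offline
    if s.ssl_enabled:  # standard offline WLST SSL sub-MBean creation
        cmds += [f"create('{s.name}', 'SSL')", f"cd('/Servers/{s.name}/SSL/{s.name}')",
                 "set('Enabled', 'True')", f"set('ListenPort', {s.ssl_port})"]
    return cmds


def wlst_commands(plan: DomainPlan, template_jar: str) -> List[str]:
    """WLST offline commands mirroring steps 9 to 16 for a plan that passes validate_plan."""
    if validate_plan(plan):
        raise ValueError("fix the validate_plan() findings before generating commands")
    cmds = [f"readTemplate('{template_jar}')"] + _server_cmds("AdminServer", plan.admin)
    for s in plan.managed:
        cmds += _server_cmds(ROLES[s.name][0], s)
    for cluster in sorted({c for _, c in ROLES.values()}):
        cmds += ["cd('/')", f"create('{cluster}', 'Cluster')"]
    cmds += [f"assign('Server', '{s.name}', 'Cluster', '{ROLES[s.name][1]}')" for s in plan.managed]
    for machine in sorted({s.machine for s in [plan.admin] + plan.managed}):
        cmds += ["cd('/')", f"create('{machine}', 'Machine')"]
    cmds += [f"assign('Server', '{s.name}', 'Machine', '{s.machine}')" for s in [plan.admin] + plan.managed]
    mode = "prod" if plan.production_mode else "dev"
    return cmds + [f"setOption('ServerStartMode', '{mode}')", f"writeDomain('{plan.domain_home}')", "closeTemplate()"]


def example_plan() -> DomainPlan:
    """Sample plan (constructed for this example; hosts and ports are placeholders)."""
    return DomainPlan(
        domain_home="/u01/oracle/admin/oam/user_projects/domains/oam_domain",
        admin=Server("AdminServer", "oamhost1", 7001, 7002, ssl_enabled=True),
        managed=[Server("WLS_OAM1", "oamhost1", 14100, 14101, ssl_enabled=True, cluster="oam_cluster"),
                 Server("WLS_MSM1", "oamhost1", 14180, 14181, ssl_enabled=True, cluster="msm_cluster"),
                 Server("WLS_AMA1", "oamhost1", 14150, 14151, ssl_enabled=True, cluster="ama_cluster")])


if __name__ == "__main__":
    # Placeholder jar: look up the real template name under IAM_HOME/common/templates/applications.
    print("\n".join(wlst_commands(example_plan(), "IAM_HOME/common/templates/applications/oam_template.jar")))
```

Run the script to print the WLST commands, or feed a plan with a deliberate port clash to validate_plan() to see the findings before the domain is written. The JDBC component schema step (step 7) is not generated here; configure those data sources in the wizard or with the corresponding WLST offline commands for your template.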

5.5 Configuring the Database Security Store

After configuring Oracle Access Management in a new WebLogic administration domain and before starting the Oracle WebLogic Administration Server, you must configure the Database Security Store by running the configureSecurityStore.py script. For more information, see Chapter 11, "Configuring Database Security Store for an Oracle Identity and Access Management Domain."

5.6 Starting the Oracle WebLogic Administration Server

After installing and configuring Oracle Access Management, and after configuring the Database Security Store as described in Section 5.5, you must start the Oracle WebLogic Administration Server, as described in Appendix C, "Starting the Stack". Ensure that you start the Oracle Access Management Administration Server before starting the Managed Servers.

5.7 Optional Post-Installation Tasks

After installing and configuring Oracle Access Management, you can perform the following optional tasks:

  • Configure your own LDAP directory to use instead of the default embedded LDAP, which comes with Oracle WebLogic Server and is intended for development and test use rather than as a production identity store.

  • Configure a policy store to protect resources.

  • Add more Managed Servers to the existing domain.

  • Add a Managed Server instance.

For more information, see the Administrator's Guide for Oracle Access Management.

5.8 Optional: Configuring Oracle Mobile Security Suite

By default, Oracle Mobile Security Suite is installed (but not fully configured) with Oracle Access Management. To fully configure Oracle Mobile Security Suite with Oracle Access Management, follow the instructions in Chapter 10, "Configuring Oracle Mobile Security Suite."

5.9 Starting the Managed Servers

You must start the Managed Servers for Oracle Access Manager (WLS_OAM1), Access Manager Policy Manager (WLS_AMA1), and Oracle Mobile Security Manager (WLS_MSM1). For more information, see Appendix C, "Starting the Stack."

5.10 Verifying the Oracle Access Management Installation

After completing the installation process, including post-installation steps, you can verify the installation and configuration of Oracle Access Management as follows:

  1. Ensure that the Administration Server and the Managed Servers are up and running.

  2. Log in to the Administration Console for Oracle Access Management using the following URL:

    http://adminserver_host:adminserver_port/oamconsole

    You will be redirected to the Oracle Access Manager server for authentication:

    http://oamserver_host:oamserver_port/oam/server

    When you access this Administration Console running on the Administration Server, you are prompted to enter a user name and password. Note that you must have the Administrator role and privileges. Use the HTTPS URL and the SSL listen port where SSL is enabled, so that administrator credentials do not cross the network in clear text.

  3. Log in to the Oracle Access Manager Policy Manager Console using the following URL:

    http://oam_policy_mgr_host:oam_policy_mgr_port/access

    When you access the Policy Manager Console running on the Policy Manager Server, you are prompted to enter a user name and password. Note that you must have the Administrator role and privileges.

  4. Verify the Oracle WebLogic Server Administration Console. If the installation and configuration of Oracle Access Management are successful, this console shows the Administration Server in running mode.
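The following smoke test is an added example of the checks in this section; it is not Oracle's code and is not part of this documentation. It requests the three console URLs without following redirects and classifies each response against what the steps say to expect: /oamconsole on the Administration Server should redirect to /oam/server on the Oracle Access Manager Managed Server, while /access on the Policy Manager Managed Server and /console on the Administration Server should serve a login page (or redirect to one). The host names, ports and the 503 and 404 interpretations are assumptions for the example; pass your own URLs on the command line.

```python
"""Post-installation smoke test for the Oracle Access Management consoles.
Added example, not Oracle code."""
import sys
import urllib.error
import urllib.request
from urllib.parse import urlparse

REDIRECTS = (301, 302, 303, 307, 308)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses as HTTPError so the Location header can be inspected."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url, timeout=10):
    """Return (status, Location header) for url without following redirects."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location", "")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location", "")


def evaluate(path, status, location, oam_host):
    """Classify one response for the console at path against Section 5.10."""
    if status == 503:
        return "not-running"      # assumption: the application is deployed but not active
    if status == 404:
        return "not-deployed"
    if path == "/oamconsole":
        if status in REDIRECTS:
            target = urlparse(location)
            if target.hostname == oam_host and target.path.startswith("/oam/server"):
                return "ok"       # redirected to the OAM server login, as the section describes
            return "unexpected-redirect"
        # Served without the expected redirect: check that the console is still protected.
        return "no-redirect" if status == 200 else "failed"
    return "ok" if status == 200 or status in REDIRECTS else "failed"


def checks(admin_base, ama_base):
    """(url, path) pairs for the three consoles, given the Administration Server
    and Policy Manager Managed Server base URLs."""
    return [(admin_base + "/oamconsole", "/oamconsole"),
            (ama_base + "/access", "/access"),
            (admin_base + "/console", "/console")]


def run(admin_base, ama_base, oam_host):
    """Fetch every console and return {path: verdict}."""
    results = {}
    for url, path in checks(admin_base, ama_base):
        if urlparse(url).scheme != "https":
            print(f"warning: {url} is not https; administrator credentials would travel in clear text")
        try:
            status, location = fetch(url)
        except (urllib.error.URLError, OSError) as err:
            results[path] = f"unreachable ({err})"
            continue
        results[path] = evaluate(path, status, location, oam_host)
    return results


if __name__ == "__main__":
    # Placeholders for adminserver_host:port, oam_policy_mgr_host:port and oamserver_host.
    defaults = ("https://adminserver_host:7002", "https://oam_policy_mgr_host:14151", "oamserver_host")
    admin, ama, oam = sys.argv[1:4] if len(sys.argv) == 4 else defaults
    for path, verdict in run(admin, ama, oam).items():
        print(f"{path:12} {verdict}")
```

Run it after the Administration Server and all three Managed Servers are up; a "no-redirect" verdict for /oamconsole is worth investigating, because the console is expected to hand unauthenticated requests to the Oracle Access Manager server.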

5.11 Setting Up Oracle Access Manager Webgate Agents

For information about setting up Oracle Access Manager Webgate agents, see Installing Webgates for Oracle Access Manager.

5.12 Setting Up Integration with OIM

For information about setting up integration between Oracle Access Management and Oracle Identity Manager, see "Integrating Access Manager and Oracle Identity Manager" in the Integration Guide for Oracle Identity Management Suite.

5.13 Getting Started with Oracle Access Management After Installation

After installing Oracle Access Management, refer to the "Getting Started with Common Administration and Navigation" chapter in the Administrator's Guide for Oracle Access Management.
