4 Configuring Oracle Identity Manager

This chapter explains how to configure Oracle Identity Manager.

It includes the following topics:

Note:

To invoke online help at any stage of the Oracle Identity Manager configuration process, click the Help button on the Oracle Identity Manager Configuration Wizard screens.

4.1 Important Notes Before You Start Configuring Oracle Identity Manager

Before you start configuring Oracle Identity Manager, keep the following points in mind:

  • IAM_HOME is used to refer to the Oracle Home directory that includes Oracle Identity Manager, Oracle Access Management, Oracle Adaptive Access Manager, Oracle Entitlements Server, Oracle Privileged Account Manager, Oracle Access Management Mobile and Social, and Oracle Mobile Security Suite. You can specify any path for this Oracle Home directory.

  • The domain configuration procedures described in this chapter create Managed Servers on the local machine (the machine on which the Administration Server is running). You can also create and start Managed Servers for Oracle Identity and Access Management components on a remote machine. For more information, see the "Creating and Starting a Managed Server on a Remote Machine" topic in the Creating Templates and Domains Using the Pack and Unpack Commands guide.

  • You must use the Oracle Identity Manager Configuration Wizard to configure Oracle Identity Manager Server and Oracle Identity Manager Design Console (on Windows only).

    If you are configuring Oracle Identity Manager Server, you must run the Oracle Identity Manager Configuration Wizard on the machine where the Administration Server is running. For configuring the Server, you can run the wizard only once during the initial setup of the Server. After the successful setup of Oracle Identity Manager Server, you cannot run the Oracle Identity Manager Configuration Wizard again to modify the configuration of Oracle Identity Manager Server. For such modifications, you must use Oracle Enterprise Manager Fusion Middleware Control.

    If you are configuring only Design Console, you can run the Oracle Identity Manager Configuration Wizard on the machine where Design Console is being configured. You can configure Design Console after configuring the Oracle Identity Manager Server. Note that you can run the Oracle Identity Manager Configuration Wizard to configure Design Console as and when you need to configure it on new machines.

    Note that Oracle Identity Manager requires Oracle SOA Suite 11g Release 1 (11.1.1.9.0), which should be exclusive to Oracle Identity and Access Management. You must install Oracle SOA Suite before configuring Oracle Identity Manager. If you are setting up integration between Oracle Identity Manager and Oracle Access Management, ensure that Oracle Identity Manager and Oracle Access Management are configured in different WebLogic Server domains (split domain).

4.2 Configuration Roadmap for Oracle Identity Manager

Table 4-1 lists the tasks for configuring Oracle Identity Manager.

Table 4-1 Configuration Flow for Oracle Identity Manager

  1. Run the Oracle Fusion Middleware Configuration Wizard to configure your Oracle Identity and Access Management products in a new or existing WebLogic domain.

    For more information, see Section 4.3, "Creating a new WebLogic Domain for Oracle Identity Manager, SOA, and BI Publisher".

  2. Configure the Database Security Store.

    For more information, see Section 4.4, "Configuring the Database Security Store".

  3. Start the servers. You must start the Administration Server and the SOA Managed Server.

    For more information, see Section 4.5, "Starting the Servers".

  4. Review the Oracle Identity Manager Server and Design Console configuration scenarios.

    For more information, see Section 4.6, "Overview of Oracle Identity Manager Configuration".

  5. Configure Oracle Identity Manager Server.

    For more information, see Section 4.7, "Configuring Oracle Identity Manager Server".

  6. Optional: Install and configure only Oracle Identity Manager Design Console on Windows.

    For more information, see Section 4.8, "Optional: Configuring Oracle Identity Manager Design Console".

  7. Complete the post-installation tasks.

    Complete the following post-installation tasks:


4.3 Creating a new WebLogic Domain for Oracle Identity Manager, SOA, and BI Publisher

This topic describes how to create a new WebLogic domain for Oracle Identity Manager, SOA, and BI Publisher. It includes the following sections:

4.3.1 Appropriate Deployment Environment

Perform the configuration in this topic if you want to install Oracle Identity Manager in an environment where you might use Oracle Identity Manager as a provisioning or request solution. This option is also appropriate for Oracle Identity Manager environments that do not use Single Sign-On (SSO) or Oracle Access Manager.

4.3.2 Components Deployed

Performing the configuration in this section installs the following components:

  • Administration Server

  • Managed Servers for Oracle Identity Manager, SOA, and Oracle Business Intelligence Publisher.

  • Oracle Identity Manager System Administration Console and Oracle Identity Manager Self Service Console on the Oracle Identity Manager Managed Server

4.3.3 Dependencies

The configuration in this section depends on the following:

  • Oracle WebLogic Server 11g Release 1 (10.3.6)

  • Installation of the Oracle Identity and Access Management 11g Release 2 (11.1.2.3.0) software

  • Installation of Oracle SOA Suite 11g Release 1 (11.1.1.9.0)

  • Database schemas for Oracle Identity Manager, Oracle SOA 11g Suite, and Oracle BI Publisher.

4.3.4 Procedure

Complete the following steps to create a new WebLogic domain for Oracle Identity Manager, SOA, and BI Publisher.

  1. Review the section Important Notes Before You Start Configuring Oracle Identity Manager.

  2. Run the IAM_HOME/common/bin/config.sh script (on Linux or UNIX) or IAM_HOME\common\bin\config.cmd (on Windows). The Welcome screen of the Oracle Fusion Middleware Configuration Wizard appears.

    Note:

    IAM_HOME is used as an example here. You must run this script from your Oracle Identity and Access Management Home directory that contains Oracle Identity Manager, Oracle Access Management, Oracle Adaptive Access Manager, Oracle Entitlements Server, Oracle Privileged Account Manager, Oracle Access Management Mobile and Social, and Oracle Mobile Security Suite.

  3. On the Welcome screen, select Create a new WebLogic domain, and click Next. The Select Domain Source screen appears.

  4. On the Select Domain Source screen, ensure that the Generate a domain configured automatically to support the following products: option is selected.

    Select Oracle Identity Manager - 11.1.2.0.0 [IAM_HOME]. When you select the Oracle Identity Manager - 11.1.2.0.0 [IAM_HOME] option, the following options are also selected, by default:

    • Oracle SOA Suite - 11.1.1.1.0 [Oracle_SOA1]

    • Oracle Enterprise Manager 11.1.1.0 [oracle_common]

    • Oracle Platform Security Service 11.1.1.0 [IAM_HOME]

    • Oracle JRF 11.1.1.0 [oracle_common]

    • Oracle JRF WebServices Asynchronous services - 11.1.1.0 [oracle_common]

    • Oracle WSM Policy Manager 11.1.1.0 [oracle_common]

    • Oracle BI Publisher - 11.1.1.6.0 [oracle_bip]

    • Oracle BI JDBC - 11.1.1.9.0 [oracle_bip]

    • Oracle OPSS Metadata for JRF - 11.1.1.0 [oracle_common]

    Note:

    • If you want to use Authorization Policy Manager for the new WebLogic domain for Oracle Identity Manager, then you must select the Oracle Entitlements Server for Admin Server- 11.1.1.0 [IAM_Home] option.

    • If you have an existing WebLogic domain for Oracle Identity Manager, and you want to use Authorization Policy Manager, then you must perform the following steps:

      1. On the Welcome screen of the Oracle Fusion Middleware Configuration Wizard, select Extend an existing WebLogic domain, and click Next.

      2. On the Select a WebLogic Domain Directory screen, select the directory that contains the domain in which you configured Oracle Identity Manager. Click Next.

      3. On the Select Extension Source screen, ensure that the Extend my domain automatically to support the following added products: option is selected, and select the Oracle Entitlements Server for Admin Server- 11.1.1.0 [IAM_Home] or Oracle Entitlements Server for Managed Server- 11.1.1.0 [IAM_Home] option. Click Next.

      4. The Configure JDBC Component Schema screen appears. Continue with step 9. Note that for step 9, Administration Server and RDBMS Security Store options are not available when you are extending a domain.

    Click Next. The Specify Domain Name and Location screen appears.

  5. Enter a name and a location for the domain to be created.

    For example,

    • Domain name: oim_domain

    • Domain location: ORACLE_BASE/admin/oim/user_projects/domains

    • Application location: ORACLE_BASE/admin/oim/user_projects/applications

      Notes:

      • ORACLE_BASE is the base directory under which Oracle products are installed. For example, /u01/oracle.

      • The default locations for the domain home and application home are MW_HOME/user_projects/domains and MW_HOME/user_projects/applications, respectively. However, it is recommended that you create your domain and application home directories outside of both the Middleware home and Oracle home.

    Click Next. The Configure Administrator User Name and Password screen appears.

  6. Configure a user name and a password for the administrator. The default user name is weblogic. Click Next.

  7. The Configure Server Start Mode and JDK screen appears. Choose a JDK from the Available JDKs and select a mode under WebLogic Domain Startup Mode. Click Next.

  8. The Configure JDBC Component Schema screen appears. This screen displays a list of the following component schemas:

    • OIM Schema

    • SOA Infrastructure

    • User Messaging Service

    • BIP Schema

    • OIM MDS Schema

    • OWSM MDS Schema

    • SOA MDS Schema

    • OPSS Schema

  9. On the Configure JDBC Component Schema screen, select a component schema that you want to modify. You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears.

    If the test fails, click Previous, correct the issue, and try again.

    After the test succeeds, click Next. The Select Optional Configuration screen appears.

  10. On the Select Optional Configuration screen, you can configure the Administration Server, JMS Distributed Destination, Managed Servers, Clusters and Machines, Deployments and Services, JMS File Store, and RDBMS Security Store. Select the relevant check boxes and click Next.

  11. Use the Configure the Administration Server screen to configure the following Administration Server parameters:

    • Name

    • Listen address

    • Listen port

    • SSL listen port

    • SSL enabled or disabled

    Click Next.

  12. Optional: Configure JMS Distributed Destination, as required.

  13. Configure Managed Servers.

    When you first enter the Configure Managed Servers screen, three default Managed Servers (soa_server1, oim_server1, and bi_server1) have been created for you and have been automatically assigned to default ports. Change the default Managed Server names to the following:

    • For the SOA Server entry (soa_server1), change the name to WLS_SOA1.

    • For the Oracle Identity Manager Server entry (oim_server1), change the name to WLS_OIM1.

    • For the BI Publisher Server entry (bi_server1), change the name to WLS_BIP1.

    Notes:

    • On the Configure Managed Servers screen, if the Listen addresses for the SOA Managed Server and the BI Publisher Managed Server are not specified, then the SOA server and the BI Publisher server are assumed to be running on the local host.

      If you are planning to configure the SOA Managed Server and the BI Publisher Managed Server on a different host, then you must specify the Listen address for the SOA Managed Server and the BI Publisher Managed Server when you are creating a new WebLogic domain for Oracle Identity Manager and SOA.

    • For more information, see "Configure Managed Servers" in Creating Domains Using the Configuration Wizard.

    These server names will be referenced throughout this document. If you choose different names, then be sure to replace them as needed.

    Click Next.

  14. On the Configure Clusters screen, click Add to create three clusters with the following names for SOA, Oracle Identity Manager, and BI Publisher:

    • soa_cluster

    • oim_cluster

    • bi_cluster

    Leave all other fields at the default settings and click Next.

    Note:

    For more information about configuring clusters for Oracle Identity and Access Management products, see the "Configuring High Availability for Oracle Identity and Access Management Components" topic in the High Availability Guide.

  15. On the Assign Servers to Clusters screen, assign the Managed Servers to clusters as follows:

    • Assign the SOA Managed Server (WLS_SOA1) to soa_cluster.

    • Assign the Oracle Identity Manager Managed Server (WLS_OIM1) to oim_cluster.

    • Assign the BI Publisher Managed Server (WLS_BIP1) to bi_cluster.

    Click Next.

  16. Use the Configure Machines screen to create and configure machines in the domain, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.

    Tip:

    Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.

    Note:

    For more information about the options on this screen, see "Configure Machines" in Creating Domains Using the Configuration Wizard.

    Click Next.

  17. On the Assign Servers to Machines screen, assign the Administration Server to a machine.

  18. Assign the newly created Managed Servers, such as WLS_OIM1, WLS_SOA1, and WLS_BIP1, to a machine.

    Click Next.

  19. Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.

  20. On the Configuration Summary screen, you can view summaries of your configuration for deployments, application, and service. Review the domain configuration, and click Create to start creating the domain.

    After the domain configuration is complete, click Done to close the Configuration Wizard.

    By default, a new WebLogic domain to support Oracle Identity Manager is created in the MW_HOME\user_projects\domains directory (on Windows). On Linux or UNIX, the domain is created in the MW_HOME/user_projects/domains directory, by default.

4.4 Configuring the Database Security Store

After configuring Oracle Identity Manager and SOA in a new WebLogic administration domain and before starting the Oracle WebLogic Administration Server, you must configure the Database Security Store by running the configureSecurityStore.py script. For more information, see Chapter 11, "Configuring Database Security Store for an Oracle Identity and Access Management Domain."

4.5 Starting the Servers

After installing and configuring Oracle Identity Manager in a WebLogic domain, you must start the Oracle WebLogic Administration Server and the SOA Managed Server. For more information, see Appendix C, "Starting the Stack".

Notes:

  • If weblogic is not your WebLogic administrator user name, you must complete a set of manual steps after starting the servers. For more information, see the "Updating the WebLogic Administrator Server User Name (Optional)" topic in Administering Oracle Identity Manager.

  • Oracle Identity Manager requires Oracle SOA Suite. To avoid concurrent updates, do not start the Oracle Identity Manager and SOA servers simultaneously. Start the SOA server first and wait for it to come up; the SOA server is up when the following message appears: SOA Platform is running and accepting requests. Then start the Oracle Identity Manager server.

4.6 Overview of Oracle Identity Manager Configuration

This section discusses the following topics:

4.6.1 Before Configuring Oracle Identity Manager Server or Design Console

Before configuring Oracle Identity Manager using the Oracle Identity Manager Configuration Wizard, ensure that you have installed and configured Oracle Identity Manager and SOA in a WebLogic Server domain.

The Oracle Identity Manager 11g Configuration Wizard prompts you to enter information about certain configurations, such as Database, Schemas, WebLogic Administrator User Name and Password, and LDAP Server. Therefore, keep this information ready with you before starting the Oracle Identity Manager 11g Configuration Wizard.

This section discusses the following topics:

4.6.1.1 Prerequisites for Configuring Oracle Identity Manager Server

Before you can configure Oracle Identity Manager Server using the Oracle Identity Manager Configuration Wizard, you must complete the following prerequisites:

  1. Installing a supported version of Oracle database. For more information, see Section 3.2.3, "Database Requirements".

  2. Creating and loading the required schemas in the database. For more information, see Section 3.2.5, "Creating Database Schemas Using the Oracle Fusion Middleware Repository Creation Utility (RCU)".

  3. Installing Oracle WebLogic Server and creating a Middleware Home directory. For more information, see Section 3.2.6, "Installing Oracle WebLogic Server and Creating a Middleware Home".

  4. Installing Oracle SOA Suite 11g Release 1 (11.1.1.9.0) under the same Middleware Home directory. For more information, see Section 3.2.7, "Installing Oracle SOA Suite (Oracle Identity Manager Users Only)".

  5. Installing the Oracle Identity and Access Management Suite (the suite that contains Oracle Identity Manager, Oracle Access Management, Oracle Adaptive Access Manager, Oracle Entitlements Server, Oracle Privileged Account Manager, Oracle Access Management Mobile and Social, and Oracle Mobile Security Suite) under the Middleware Home directory. For more information, see Section 3.2.8, "Installing Oracle Identity and Access Management 11g Release 2 (11.1.2.3.0)".

  6. Creating a new WebLogic domain or extending an existing Oracle Identity and Access Management domain for Oracle Identity Manager, Oracle SOA Suite, and Oracle BI Publisher. For more information, see Section 4.3, "Creating a new WebLogic Domain for Oracle Identity Manager, SOA, and BI Publisher".

  7. Starting the Oracle WebLogic Administration Server for the domain in which the Oracle Identity Manager application is deployed. For more information, see Appendix C, "Starting the Stack".

  8. Starting the SOA Managed Server, as described in Appendix C, "Starting the Stack".

4.6.1.2 Prerequisites for Configuring Only Oracle Identity Manager Design Console on a Different Machine

On the machine where you are installing and configuring Design Console, you must install the Oracle Identity and Access Management 11g Release 2 (11.1.2.3.0) software containing Oracle Identity Manager, Oracle Access Management, Oracle Adaptive Access Manager, Oracle Entitlements Server, Oracle Privileged Account Manager, Oracle Access Management Mobile and Social, and Oracle Mobile Security Suite. For information, see Section 3.2.8, "Installing Oracle Identity and Access Management 11g Release 2 (11.1.2.3.0)".

Before you can configure Oracle Identity Manager Design Console by running the Oracle Identity Manager Configuration Wizard, you should have configured the Oracle Identity Manager Server, as described in Section 4.7, "Configuring Oracle Identity Manager Server" on a local or remote machine. In addition, the Oracle Identity Manager Server should be up and running.

Note:

Oracle Identity Manager Design Console is supported on Windows operating systems only. If you are installing and configuring only Design Console on a machine, you do not need to install Oracle WebLogic Server and create a Middleware Home directory before installing the Oracle Identity and Access Management software.

4.6.2 Oracle Identity Manager Configuration Scenarios

The Oracle Identity Manager 11g Configuration Wizard enables you to configure Oracle Identity Manager Server and Design Console.

If you are configuring Oracle Identity Manager Server, you must run this Configuration Wizard on the machine where the Administration Server is running.

You must complete this additional configuration for Oracle Identity Manager components after configuring Oracle Identity Manager in a new or existing WebLogic administration domain.

Note:

You can run the Oracle Identity Manager Configuration Wizard to configure Oracle Identity Manager Server only once during the initial setup. After the initial setup, you cannot run the Oracle Identity Manager Configuration Wizard again to modify the configuration of Oracle Identity Manager Server or Design Console. For such modifications, you must use Oracle Enterprise Manager Fusion Middleware Control.

This section discusses the following topics:

4.6.2.1 Scope of Configuration Using the Oracle Identity Manager 11g Configuration Wizard

You can use the Oracle Identity Manager 11g Configuration Wizard to configure the non-J2EE components and elements of Oracle Identity Manager. Most of the J2EE configuration is done automatically in the domain template for Oracle Identity Manager.

4.6.2.2 Scenario 1: Oracle Identity Manager Server and Design Console on Different Machines

In this scenario, you configure Oracle Identity Manager Server on one machine, and install and configure only Oracle Identity Manager Design Console on a different Windows machine (a development or design system).

Perform the following tasks:

  1. Install and configure Oracle Identity Manager Server on a machine after completing all of the prerequisites, as described in Section 4.7, "Configuring Oracle Identity Manager Server". Ensure that the Oracle Identity Manager Server is up and running.

  2. On the Windows machine on which the Design Console is to be installed, install a JDK in a path without spaces, such as c:\jdk1.6.0_29.

  3. Install Oracle WebLogic Server, and create a Middleware Home directory such as c:\oracle\Middleware.

  4. Run setup.exe from the installation media disk1, and follow the prompts, selecting the Middleware_Home created above.

    Note:

    When you specify the location of the Middleware_Home, the message "Specified middleware home is not valid. If you continue with this installation only Design Console can be configured." appears. This message is expected if you intend to install only the Design Console.

  5. The installer installs the Oracle Identity and Access Management suite, which is needed for the Design Console.

  6. On the Windows machine where you installed the Oracle Identity and Access Management 11g software, run the Oracle Identity Manager Configuration Wizard to configure only Design Console. Note that you must provide the Oracle Identity Manager Server information, such as host and URL, when configuring Design Console. For more information, see Section 4.8, "Optional: Configuring Oracle Identity Manager Design Console".

4.6.2.3 Scenario 2: Oracle Identity Manager Server and Design Console on a Single Windows Machine

In this scenario, suitable for test environments, you install and configure Oracle Identity Manager Server and Design Console on a single Windows machine.

The following are the high-level tasks in this scenario:

  1. Install and configure Oracle Identity Manager Server on a machine after completing all the prerequisites, as described in Section 4.7, "Configuring Oracle Identity Manager Server". Ensure that the Oracle Identity Manager Server is up and running.

  2. On the same machine, configure Design Console, as described in Section 4.8, "Optional: Configuring Oracle Identity Manager Design Console".

4.7 Configuring Oracle Identity Manager Server

This topic describes how to install and configure only Oracle Identity Manager Server. It includes the following sections:

4.7.1 Appropriate Deployment Environment

Perform the configuration in this topic if you want to install Oracle Identity Manager Server on a separate host.

4.7.2 Components Deployed

Performing the configuration in this section deploys only Oracle Identity Manager Server.

4.7.3 Dependencies

The installation and configuration in this section depends on Oracle WebLogic Server, on Oracle SOA Suite, and on the installation of Oracle Identity and Access Management 11g software. For more information, see Chapter 2, "Preparing to Install" and Section 3.2.8, "Installing Oracle Identity and Access Management 11g Release 2 (11.1.2.3.0)".

4.7.4 Procedure

Perform the following steps to configure only Oracle Identity Manager Server:

  1. Ensure that all the prerequisites, described in Section 4.6.1.1, "Prerequisites for Configuring Oracle Identity Manager Server", are satisfied. In addition, see Section 4.1, "Important Notes Before You Start Configuring Oracle Identity Manager".

  2. On the machine where the Administration Server is running, start the Oracle Identity Manager 11g Configuration Wizard by executing one of the following commands:

    On Linux or UNIX:

    IAM_HOME/bin/config.sh

    On Windows:

    IAM_HOME\bin\config.bat

    Note:

    If you have extended an existing WebLogic domain to support Oracle Identity Manager, you must restart the Administration Server before starting the Oracle Identity Manager Configuration Wizard to configure Oracle Identity Manager Server or Design Console.

    After you start the Oracle Identity Manager Configuration Wizard, the Welcome screen appears.

  3. On the Welcome screen, click Next. The Components to Configure screen appears.

    On the Components to Configure screen, ensure that only the OIM Server option is selected. It is selected by default. Click Next. The Database screen appears.

  4. On the Database screen, enter the full path, listen port, and service name for the database in the Connect String field. For a single host instance, the format of the connect string is hostname:port:servicename. For example, if the host name is aaa.bbb.com, the port is 1234, and the service name is xxx.bbb.com, then you must enter the connect string for a single host instance as follows:

    aaa.bbb.com:1234:xxx.bbb.com

    If you are using a Real Application Cluster database, the format of the database connect string is as follows:

    hostname1:port1:instancename1^hostname2:port2:instancename2@servicename

    Note:

    You can use the same database or different databases for creating the Oracle Identity Manager schema and the Metadata Services schema.

    Ensure that no firewalls or gateways are blocking the connection to the database.

  5. In the OIM Schema User Name field, enter the name of the schema that you created for Oracle Identity Manager using the Oracle Fusion Middleware Repository Creation Utility (RCU). For more information, see Section 3.2.5, "Creating Database Schemas Using the Oracle Fusion Middleware Repository Creation Utility (RCU)".

  6. In the OIM Schema Password field, enter the password for the Oracle Identity Manager schema that you set while creating the schema using the Oracle Fusion Middleware Repository Creation Utility (RCU).

  7. If you want to use a different database for the Metadata Services (MDS) schema, select the Select different database for MDS Schema check box.

  8. If you choose to use a different database for MDS schema, in the MDS Connect String field, enter the full path, listen port, and service name for the database associated with the MDS schema. For the format of the connect string, see Step 4.

    In the MDS Schema User Name field, enter the name of the schema that you created for AS Common Services - Metadata Services using the Oracle Fusion Middleware Repository Creation Utility (RCU). For more information, see Section 3.2.5, "Creating Database Schemas Using the Oracle Fusion Middleware Repository Creation Utility (RCU)".

    In the MDS Schema Password field, enter the password for the AS Common Services - Metadata Services schema that you set while creating the schema using the Oracle Fusion Middleware Repository Creation Utility (RCU). Click Next. The WebLogic Admin Server screen appears.

  9. On the WebLogic Admin Server screen, in the WebLogic Admin Server URL field, enter the URL of the WebLogic Administration Server of the domain in the following format:

    t3://hostname:port

    In the UserName field, enter the WebLogic administrator user name of the domain in which the Oracle Identity Manager application, the Oracle SOA Suite application, and the Oracle BI Publisher application are deployed. If you are setting up integration between Oracle Identity Manager and Oracle Access Manager, then the Oracle Access Manager application is configured in a different WebLogic Server domain.

    In the Password field, enter the WebLogic administrator password of the domain in which the Oracle Identity Manager application, the Oracle SOA Suite application, and the Oracle BI Publisher application are deployed. Click Next.

    The OIM Server screen appears. The OIM Server screen enables you to set a password for the system administrator (xelsysadm).

  10. On the OIM Server screen, in the OIM Administrator Password field, enter a new password for the administrator. A valid password contains at least six characters; begins with an alphabetic character; includes at least one number, one uppercase letter, and one lowercase letter. The password cannot contain the first name, last name, or the login name for Oracle Identity Manager.

  11. In the Confirm User Password field, enter the new password again.

  12. OIM HTTP URL

    • The OIM HTTP URL is of the format: http(s)://host:port. For example, https://localhost:7002.

    • For single node deployments where the Oracle Identity Manager Managed Server is not front-ended with Oracle HTTP Server, you can provide the Oracle Identity Manager Managed Server URL.

    • For single node deployments where Oracle Identity Manager Managed Server is front-ended with Oracle HTTP Server, you must provide the http URL that front-ends the Oracle Identity Manager application.

    • For cluster deployments, provide the load balancer URL that front-ends the Oracle Identity Manager cluster.

  13. OIM External Front End URL

    • The OIM External Front End URL is of the format: http(s)://<host>:<port>. For example, https://localhost:7070.

    • For single node deployments where the Oracle Identity Manager Managed Server is not front-ended with Oracle HTTP Server, this field can be left blank.

    • For deployments where there is no Single-Sign On (SSO) configured but the Oracle Identity Manager Managed Server is front-ended with Oracle HTTP Server, you must provide the http URL that front-ends the Oracle Identity Manager application.

    • For deployments where Single-Sign On (SSO) is configured, provide the SSO URL where the Oracle Identity Manager user interface is available.

    • If you are planning to integrate Oracle Identity Manager with Oracle Access Management, it is recommended that you enter a value in the OIM External Front End URL field.

  14. In the KeyStore Password field, enter a new password for the keystore. A valid password contains 6 to 30 characters, begins with an alphabetic character, and uses only alphanumeric characters and the special characters dollar ($), underscore (_), and pound (#). The password must contain at least one number.

    Note:

    You are not prompted to enter a password for the keystore on the OIM Server screen if the default-keystore.jks keystore already exists. Instead, the keystore password is read automatically from the Credential Store Framework (CSF), where it is already stored. Specifically, you are not prompted to enter a keystore password in the following scenarios:

    • You are adding Oracle Identity Manager to an existing domain.

    • You have started the Oracle Access Management server prior to running the Oracle Identity Manager Configuration Wizard. Starting the Oracle Access Management server generates default-keystore.jks with a random password if the keystore does not exist.
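The password rule for the keystore in step 14 is easy to get wrong when the value is prepared in advance (for example in a response file for a silent configuration), so here is a small checker for it. This is an added example, not code from the guide or from the Oracle Identity Manager installer; it assumes that $, _ and # are the only special characters accepted, since the guide lists them as examples.

```python
import re
from typing import List

# First character must be alphabetic; every character must be a letter, a
# digit or one of $ _ #. Assumption: those three are the only special
# characters accepted (the guide says "special characters like"), so any
# other character is reported as a violation here.
_FIRST = re.compile(r"[A-Za-z]")
_ALLOWED = re.compile(r"[A-Za-z0-9$_#]*")
_DIGIT = re.compile(r"[0-9]")


def keystore_password_problems(password: str) -> List[str]:
    """Return every rule the password breaks; an empty list means it is acceptable."""
    problems = []
    if not 6 <= len(password) <= 30:
        problems.append("length must be 6 to 30 characters")
    if not password or not _FIRST.fullmatch(password[0]):
        problems.append("must begin with an alphabetic character")
    if not _ALLOWED.fullmatch(password):
        problems.append("only letters, digits, $, _ and # are allowed")
    if not _DIGIT.search(password):
        problems.append("must contain at least one number")
    return problems


def is_valid_keystore_password(password: str) -> bool:
    """Convenience wrapper: True only when no rule is broken."""
    return not keystore_password_problems(password)


if __name__ == "__main__":
    for candidate in ("oim$Key1", "1abcdef", "abc!1234"):
        print(candidate, keystore_password_problems(candidate) or "ok")
```

Run the checker over the value you intend to put in the KeyStore Password field before starting the wizard; each returned string names one rule that still fails.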

  15. In the Confirm Keystore Password field, enter the new password again.

  16. Optional: To enable LDAP Sync, you must select the Enable OIM for Suite integration check box on the OIM Server screen. Select this check box if you are planning to integrate Oracle Identity Manager with Oracle Access Manager.

    When you select this option, the Oracle Identity Manager Configuration Wizard configures LDAP sync to synchronize identity store information between the Oracle Identity Manager database store and the Oracle Access Manager LDAP directory service.

    Notes:

    • If you are not planning to integrate Oracle Identity Manager with Oracle Access Manager, then do not select the Enable OIM for Suite integration check box.

    • If you want to enable LDAP Sync, before enabling LDAP Sync you must complete prerequisite steps to configure your LDAP directory. For more information, see Section 4.7.5, "Completing the Prerequisites for Enabling LDAP Synchronization."

    • Once LDAP Sync is enabled on the OIM Server screen and prerequisites are completed, you must continue to configure the Oracle Identity Manager Server. After you have configured the Oracle Identity Manager Server and exited the Oracle Identity Manager Configuration Wizard, you must run the LDAP Post-Configuration Utility. For more information, see Section 4.7.6, "Running the LDAP Post-Configuration Utility."

    After making your selections, click Next on the OIM Server screen.

  17. If you chose to enable LDAP Sync by selecting the Enable OIM for Suite integration check box on the OIM Server screen, the LDAP Server screen appears.

    The LDAP Server screen enables you to specify the following information:

    • Directory Server Type - Select the desired Directory Server from the drop-down list. You have the following options:

      • OID

      • ODSEE/IPLANET

      • OUD

      • ACTIVE_DIRECTORY

      • OVD

      Note:

      IPLANET is also referred to as Oracle Directory Server Enterprise Edition (ODSEE) in this guide.
    • Directory Server ID - enter the Directory Server ID. It can be any unique value.

      For example: oid1 for OID, oud1 for OUD, and iplanet1 for IPLANET.

    • Server URL - enter the LDAP URL in the format ldap://ldap_host:ldap_port.

      For Microsoft Active Directory, the LDAP URL must be an SSL URL.

    • Server User - enter the user name for the Directory Server administrator.

      For example: cn=oimAdminUser,cn=systemids,dc=example,dc=com

    • Server Password - enter the password for the Directory Server administrator.

    • Server SearchDN - enter the Distinguished Name (DN) of the search base. For example, dc=exampledomain, dc=com. This is the top-level container for users and roles in LDAP, and Oracle Identity Manager uses this container for reconciliation.

    Click Next. The LDAP Server Continued screen appears.

  18. On the LDAP Server Continued screen, enter the following LDAP information:

    • LDAP RoleContainer - enter a name for the container that will be used as a default container of roles in the LDAP directory. You can configure isolation rules in Oracle Identity Manager to create roles in different containers in LDAP. For example, cn=groups,cn=oracleAccounts,dc=example,dc=com.

    • LDAP RoleContainer Description - enter a description for the default role container.

    • LDAP Usercontainer - enter a name for the container that will be used as a default container of users in the LDAP directory. You can configure isolation rules in Oracle Identity Manager to create users in different containers in LDAP. For example, cn=users,cn=oracleAccounts,dc=example,dc=com.

    • LDAP Usercontainer Description - enter a description for the default user container.

    • User Reservation Container - enter a name for the container that will be used for reserving user names in the LDAP directory while their creation is being approved in Oracle Identity Manager. When the user names are approved, they are moved from the reservation container to the user container in the LDAP directory. For example, cn=reserve,dc=example,dc=com.

    After enabling LDAP synchronization for integrating Oracle Identity Manager with Oracle Access Management and after running the LDAP Post-Configuration Utility, you can verify it by using the Oracle Identity Manager Administration Console. For more information, see Section 4.7.7, "Verifying the LDAP Synchronization." Click Next.
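The wizard validates the LDAP Server and LDAP Server Continued fields (steps 17 and 18) only loosely, and a mistake there surfaces later as a failed reconciliation job. The following pre-flight check is an added example, not part of the guide or of the Oracle Identity Manager product: it checks the URL shape, enforces the SSL requirement for Active Directory, parses every DN, and confirms that the role, user and reservation containers sit beneath the Server SearchDN. The sample field values are constructed from the page's own examples, and the DN comparison assumes case-insensitive matching (true for cn and dc).

```python
from typing import Dict, List
from urllib.parse import urlsplit

# Directory Server Type options offered by the wizard (from the guide).
DIRECTORY_TYPES = {"OID", "ODSEE/IPLANET", "OUD", "ACTIVE_DIRECTORY", "OVD"}

# Constructed sample input built from the page's example values.
SAMPLE_OUD = {
    "directory_type": "OUD",
    "server_url": "ldap://ldap.example.com:1389",
    "server_user": "cn=oimAdminUser,cn=systemids,dc=example,dc=com",
    "search_dn": "dc=example,dc=com",
    "role_container": "cn=groups,cn=oracleAccounts,dc=example,dc=com",
    "user_container": "cn=users,cn=oracleAccounts,dc=example,dc=com",
    "reservation_container": "cn=reserve,dc=example,dc=com",
}

DN_FIELDS = ("server_user", "search_dn", "role_container", "user_container", "reservation_container")
CONTAINERS = ("role_container", "user_container", "reservation_container")


def parse_dn(dn: str) -> List[str]:
    """Split a DN into normalised RDNs (attribute and value lower-cased, trimmed).

    Backslash-escaped commas stay inside their RDN. Raises ValueError on an RDN
    that is not an attribute=value pair. Simplification: all attributes are
    compared case-insensitively, which is correct for cn and dc.
    """
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current))
    out = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError("malformed RDN %r in DN %r" % (rdn, dn))
        out.append("%s=%s" % (attr.strip().lower(), value.strip().lower()))
    return out


def dn_is_within(child: str, parent: str) -> bool:
    """True when child equals parent or lies beneath it in the directory tree."""
    c, p = parse_dn(child), parse_dn(parent)
    return len(c) >= len(p) and c[-len(p):] == p


def check_ldap_screen(fields: Dict[str, str]) -> List[str]:
    """Return the problems found in the wizard's LDAP inputs; empty means no problem found."""
    problems = []
    dtype = fields.get("directory_type", "")
    if dtype not in DIRECTORY_TYPES:
        problems.append("unknown Directory Server Type %r" % dtype)

    url = fields.get("server_url", "")
    parts = urlsplit(url)
    try:
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        port = None
    if parts.scheme not in ("ldap", "ldaps") or not parts.hostname or port is None:
        problems.append("Server URL must look like ldap://ldap_host:ldap_port, got %r" % url)
    elif dtype == "ACTIVE_DIRECTORY" and parts.scheme != "ldaps":
        problems.append("Active Directory requires an SSL URL (ldaps://)")

    dn_ok = {}
    for name in DN_FIELDS:
        try:
            parse_dn(fields.get(name, ""))
            dn_ok[name] = True
        except ValueError as exc:
            problems.append("%s: %s" % (name, exc))
            dn_ok[name] = False

    # Containers are only meaningful for reconciliation if they lie under the search base.
    if dn_ok["search_dn"]:
        for name in CONTAINERS:
            if dn_ok[name] and not dn_is_within(fields[name], fields["search_dn"]):
                problems.append("%s %r is outside the Server SearchDN" % (name, fields[name]))
    return problems


if __name__ == "__main__":
    print(check_ldap_screen(SAMPLE_OUD) or "LDAP screen inputs look consistent")
```

Feed the function the values you plan to type into the wizard; it reports every problem at once rather than stopping at the first one. It checks shape and consistency only, so it does not replace an actual bind and search against the directory with the Server User credentials.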

  19. If you did not select the Enable OIM for Suite integration check box on the OIM Server screen, the Configuration Summary screen appears after you enter information in the OIM Server screen.

    The Configuration Summary screen lists the applications you selected for configuration and summarizes your configuration options, such as database connect string, OIM schema user name, MDS schema user name, WebLogic Admin Server URL, WebLogic Administrator user name, and OIM HTTP URL.

    Review this summary and decide whether to start the configuration. If you want to modify any of the configuration settings at this stage, select a topic in the left navigation pane and modify your choices. To continue installing this configuration of the Oracle Identity Manager Server, click Configure.

    Note:

    Before configuring an application, you can save your configuration settings and preferences in a response file. Response files are text files that you can create or edit in a text editor. You can use response files to perform a silent installation or use as templates or customized settings for your environment.

    For information on performing silent installation, refer to the "Silent Oracle Fusion Middleware Installation and Deinstallation" topic in the Oracle Fusion Middleware Installation Planning Guide for Oracle Identity and Access Management.

    After you click Configure, the Configuration Progress screen appears. Click Next.

    A configuration log is saved to the logs directory under the Oracle Inventory directory. For information about the log files, see Installation Log Files. If the Configuration Progress screen displays any errors, click Abort to stop the installation and restart the Oracle Identity Manager Configuration Wizard.

  20. Click Finish.

  21. Restart the WebLogic Administration Server and the SOA Managed Server, as described in Appendix C, "Restarting Servers".

Note:

If the configuration fails, click Abort to stop the installation and restart the Oracle Identity Manager Configuration Wizard.

4.7.5 Completing the Prerequisites for Enabling LDAP Synchronization

If you are integrating Oracle Identity Manager with Oracle Access Management and want to enable LDAP Sync, you must complete the prerequisite steps to configure your LDAP directory before enabling LDAP Synchronization.

To complete the prerequisites for enabling LDAP Sync, refer to the following topics in the Integration Guide for Oracle Identity Management Suite:

4.7.6 Running the LDAP Post-Configuration Utility

If you enabled LDAP Sync during the Oracle Identity Manager Server configuration, you must run the LDAP Post-Configuration Utility after you have configured the Oracle Identity Manager Server and exited the Oracle Identity Manager Configuration Wizard. The LDAP configuration post-setup script enables all the LDAP Sync-related incremental Reconciliation Scheduler jobs, which are disabled by default. In addition, it retrieves the last change number from the Directory Server and updates all the LDAP Sync Incremental Reconciliation jobs.

For information on how to run the LDAP Post-Configuration Utility, see "Running the LDAP Post-Configuration Utility" in the Integration Guide for Oracle Identity Management Suite.

Note:

This procedure is applicable to all the Directory Server options. The LDAP Post-Configuration Utility must be run after configuring Oracle Identity Manager Server. This procedure is only required if you chose to enable LDAP Sync during the Oracle Identity Manager Server configuration.

4.7.7 Verifying the LDAP Synchronization

If you enabled and configured LDAP Sync during the Oracle Identity Manager Server configuration, verify the configuration of LDAP with Oracle Identity Manager. To verify the LDAP Synchronization, refer to "Verifying the LDAP Synchronization" in the Integration Guide for Oracle Identity Management Suite.

4.7.8 Enabling LDAP Sync After Installing and Configuring Oracle Identity Manager Server at a Later Point

LDAP Sync can be enabled at any point after installing and configuring Oracle Identity Manager Server. For more information on enabling LDAP Sync after installing and configuring Oracle Identity Manager Server, see "Enabling LDAP Synchronization in Oracle Identity Manager" in the Integration Guide for Oracle Identity Management Suite.

4.8 Optional: Configuring Oracle Identity Manager Design Console

This topic describes how to install and configure only Oracle Identity Manager Design Console, which is supported on Windows operating systems only.

It includes the following sections:

4.8.1 Appropriate Deployment Environment

Perform the installation and configuration in this topic if you want to install Oracle Identity Manager Design Console on a separate Windows machine where Oracle Identity Manager Server is not configured. For more information, see Scenario 1: Oracle Identity Manager Server and Design Console on Different Machines.

4.8.2 Components Deployed

Performing the installation and configuration in this section deploys only Oracle Identity Manager Design Console on the Windows operating system.

4.8.3 Dependencies

The installation and configuration in this section depends on the installation of Oracle Identity and Access Management 11g software and on the configuration of Oracle Identity Manager Server. For more information, see Installing Oracle Identity and Access Management 11g Release 2 (11.1.2.3.0) and Configuring Oracle Identity Manager Server.

4.8.4 Procedure

Perform the following steps to install and configure only Oracle Identity Manager Design Console on the Windows operating system:

  1. Ensure that all the prerequisites, described in Prerequisites for Configuring Only Oracle Identity Manager Design Console on a Different Machine, are satisfied. In addition, see Important Notes Before You Start Configuring Oracle Identity Manager.

  2. On the Windows machine where Oracle Identity Manager Design Console should be configured, start the Oracle Identity Manager Configuration Wizard by executing the following command:

    IAM_HOME\bin\config.bat
    

    Note:

    If you have extended an existing WebLogic domain to support Oracle Identity Manager, you must restart the Administration Server before starting the Oracle Identity Manager Configuration Wizard to configure Oracle Identity Manager Server or Design Console.

    After you start the Oracle Identity Manager Configuration Wizard, the Welcome screen appears.

  3. On the Welcome screen, click Next. The Components to Configure screen appears.

    On the Components to Configure screen, select only the OIM Design Console check box.

    Click Next. The OIM Server Host and Port screen appears.

  4. On the OIM Server Host and Port screen, enter the host name of the Oracle Identity Manager Managed Server in the OIM Server Hostname field. In the OIM Server Port field, enter the port number for the Oracle Identity Manager Server on which the Oracle Identity Manager application is running. Click Next. The Configuration Summary screen appears.

    The Configuration Summary screen lists the application that you selected for configuration and summarizes your configuration options, such as OIM Server host name and port.

    Review this summary and decide whether to start the configuration. If you want to modify any of the configuration settings at this stage, select a topic in the left navigation pane and modify your choices. To continue installing this configuration of the Oracle Identity Manager Design Console, click Configure.

    Note:

    Before configuring an application, you can save your configuration settings and preferences in a response file. Response files are text files that you can create or edit in a text editor. You can use response files to perform a silent installation or use as templates or customized settings for your environment.

    For information on performing silent installation, refer to the "Silent Oracle Fusion Middleware Installation and Deinstallation" topic in the Oracle Fusion Middleware Installation Planning Guide for Oracle Identity and Access Management.

    After you click Configure, the Configuration Progress screen appears. A configuration log is saved to the logs directory under the Oracle Inventory directory. For information about the log files, see Installation Log Files. If the Configuration Progress screen displays any errors, click Abort to stop the installation and restart the Oracle Identity Manager Configuration Wizard.

  5. Click Finish.

Note:

If the configuration fails, click Abort to stop the installation and restart the Oracle Identity Manager Configuration Wizard.

4.8.5 Post-Configuration Steps

Complete the following steps after configuring the Oracle Identity Manager Design Console on the Windows operating system:

  1. On the machine where Oracle WebLogic Server is installed (the machine where Oracle Identity Manager Server is installed), create the wlfullclient.jar file as follows:

    1. Use the cd command to move from your present working directory to the MW_HOME\wlserver_10.3\server\lib directory.

    2. Ensure that JAVA_HOME is set, as in the following example:

      D:\oracle\MW_HOME\jdk160_24

      To set this variable, right-click the My Computer icon and select Properties. The System Properties screen is displayed. Click the Advanced tab and click the Environment Variables button. The Environment Variables screen is displayed. Ensure that the JAVA_HOME variable in the User Variables section is set to the path of the JDK directory installed on your machine.

      After setting the JAVA_HOME variable, select the Path variable in the System Variables section on the same Environment Variables screen, and click Edit. The Edit System Variable dialog box is displayed. In the variable value field, enter the complete path to your JAVA_HOME, such as D:\oracle\MW_HOME\jdk160_24, preceded by a semicolon (;). The semicolon is used as the delimiter for multiple paths entered in this field.

    3. After verifying the values, click OK.

  2. Use the following steps to create a wlfullclient.jar file for a JDK 1.6 client application:

    1. Change directories to the server/lib directory.

      cd WL_HOME/server/lib

    2. Use the following command to create wlfullclient.jar in the server/lib directory:

      java -jar wljarbuilder.jar

      This command generates the wlfullclient.jar file.

  3. Copy the wlfullclient.jar file to the IAM_HOME\designconsole\ext\ directory on the machine where Design Console is configured.

  4. Ensure that the Administration Server and the Oracle Identity Manager Managed Server are started. For information about starting the servers, see Starting the Stack.

  5. Start the Design Console client by running the xlclient.cmd executable script, which is available in the IAM_HOME\designconsole\ directory.

  6. Log in to the Design Console with your Oracle Identity Manager user name and password.

4.8.6 Updating the xlconfig.xml File to Change the Port for Design Console

To update the xlconfig.xml file and start the Design Console on a new port as opposed to what was set during configuration, complete the following steps:

  1. In a text editor, open the IAM_HOME\designconsole\config\xlconfig.xml file.

  2. Edit the following tags:

    • ApplicationURL

    • java.naming.provider.url

  3. Change the port number.

  4. Restart the Design Console.

Note:

You do not have to perform this procedure during installation. It is required if you want to change ports while using the product. You must ensure that the Oracle Identity Manager server port is changed to this new port before performing these steps.

4.8.7 Configuring Design Console to Use SSL

To configure the Design Console to use SSL, complete the following steps:

  1. Add the WebLogic Server jar files required to support SSL by copying the webserviceclient+ssl.jar file from the WL_HOME/server/lib directory to the IAM_HOME/designconsole/ext directory.

  2. Use the server trust store in Design Console as follows:

    1. Log in to the Oracle WebLogic Administration Console using the WebLogic administrator credentials.

    2. Under Domain Structure, click Environment > Servers. The Summary of Servers page is displayed.

    3. Click the Oracle Identity Manager server name (for example, WLS_OIM1). The Settings for WLS_OIM1 page is displayed.

    4. Click the Keystores tab.

    5. From the Trust section, note down the path and file name of the trust keystore.

  3. Set the TRUSTSTORE_LOCATION environment variable as follows:

    • If Oracle Identity Manager Design Console and Oracle Identity Manager Server are installed and configured on the same machine, set the TRUSTSTORE_LOCATION environment variable to the location of the trust keystore that you noted down.

      For example, in a Bourne-style shell: export TRUSTSTORE_LOCATION=/test/DemoTrust.jks (in the csh family: setenv TRUSTSTORE_LOCATION /test/DemoTrust.jks)

    • If Oracle Identity Manager Design Console and Oracle Identity Manager Server are installed and configured on different machines, copy the trust keystore file to the machine where Design Console is configured. Set the TRUSTSTORE_LOCATION environment variable to the location of the copied trust keystore file on the local machine.

  4. If the Design Console was installed without SSL enabled, complete the following steps:

    1. Open the IAM_HOME/designconsole/config/xlconfig.xml file in a text editor.

    2. Edit the <ApplicationURL> entry to use HTTPS, the T3S protocol, and the SSL port to connect to the server, as in the following example:

      <ApplicationURL>https://<host>:<sslport>/xlWebApp/loginWorkflowRenderer.do</ApplicationURL>

      Note:

      For a clustered installation, you can send an https request to only one of the servers in the cluster, as shown in the following element:

      <java.naming.provider.url>t3s://<host>:<sslport></java.naming.provider.url>

    3. Save the file and exit.
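Both Section 4.8.6 (changing the port) and step 4 above (switching to HTTPS and T3S) amount to the same edit of the ApplicationURL and java.naming.provider.url elements in xlconfig.xml. The following script performs that edit in one place and is an added example, not code shipped with Oracle Identity Manager or taken from the guide. The only things it takes from the page are the two element names, the file location and the scheme pairs http/https and t3/t3s; the surrounding XML structure in the constructed sample is an assumption, which is why the code finds the two elements by name at any depth rather than by a fixed path.

```python
import re
import xml.etree.ElementTree as ET
from typing import Tuple

# Constructed stand-in for IAM_HOME/designconsole/config/xlconfig.xml. The
# nesting shown here is assumed; only the element names come from the guide.
SAMPLE_XLCONFIG = """\
<xl-configuration>
  <Discovery>
    <CoreServer>
      <java.naming.provider.url>t3://oimhost.example.com:14000</java.naming.provider.url>
      <java.naming.factory.initial>weblogic.jndi.WLInitialContextFactory</java.naming.factory.initial>
    </CoreServer>
    <ApplicationURL>http://oimhost.example.com:14000/xlWebApp/loginWorkflowRenderer.do</ApplicationURL>
  </Discovery>
</xl-configuration>
"""

# scheme://host[:port][/path] ; the host is kept, scheme and port are replaced.
_URL = re.compile(r"^(?P<scheme>[a-z0-9]+)://(?P<host>[^:/]+)(?::(?P<port>\d+))?(?P<rest>/.*)?$")


def _rewrite(url: str, port: int, ssl: bool, plain: str, secure: str) -> str:
    m = _URL.match((url or "").strip())
    if not m:
        raise ValueError("unexpected URL in xlconfig.xml: %r" % url)
    return "%s://%s:%d%s" % (secure if ssl else plain, m.group("host"), port, m.group("rest") or "")


def update_design_console_endpoint(xml_text: str, port: int, ssl: bool) -> Tuple[str, str, str]:
    """Point both Design Console URLs at `port`, using https/t3s when ssl is True.

    Returns (new xml text, new ApplicationURL, new java.naming.provider.url).
    Refuses to guess if the file does not contain exactly one of each element.
    """
    root = ET.fromstring(xml_text)
    app = list(root.iter("ApplicationURL"))
    jndi = list(root.iter("java.naming.provider.url"))
    if len(app) != 1 or len(jndi) != 1:
        raise ValueError("expected exactly one ApplicationURL and one java.naming.provider.url")
    app[0].text = _rewrite(app[0].text, port, ssl, "http", "https")
    jndi[0].text = _rewrite(jndi[0].text, port, ssl, "t3", "t3s")
    return ET.tostring(root, encoding="unicode"), app[0].text, jndi[0].text


if __name__ == "__main__":
    # Example run: move the console to the SSL port 14001 (constructed value).
    new_xml, app_url, jndi_url = update_design_console_endpoint(SAMPLE_XLCONFIG, 14001, ssl=True)
    print(app_url)
    print(jndi_url)
```

To apply it to a real installation, read IAM_HOME/designconsole/config/xlconfig.xml, pass its contents in, and write the returned text back after keeping a copy of the original; ElementTree does not preserve XML comments, so compare the two files before restarting the Design Console. Do this only after the Oracle Identity Manager server itself is listening on the new port, as the note in Section 4.8.6 requires.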

4.9 Verifying the Oracle Identity Manager Installation

Before you can verify the Oracle Identity Manager installation, ensure that the following servers are up and running:

  • Administration Server for the domain in which the Oracle Identity Manager application is deployed

  • Managed Server hosting Oracle Identity Manager

  • Managed Server hosting the Oracle SOA 11g Suite

  • Managed Server hosting Oracle Business Intelligence Publisher

You can verify your Oracle Identity Manager installation by:

  • Checking the Oracle Identity Manager System Administration URL, such as http://oim_host:oim_port/sysadmin

  • Checking the Oracle Identity Manager Self Service URL, such as http://oim_host:oim_port/identity

  • Verifying the configuration between Oracle Identity Manager and Oracle SOA (BPEL Process Manager) as follows:

    1. Log in to the SOA Infrastructure with WebLogic credentials to verify whether the composite applications are displayed.

      http://host:bpel_port/soa-infra
      
    2. Log in to the Oracle Identity Manager Self Service Console as an end user:

      http://oim_host:oim_port/identity
      
    3. Navigate to My Information on the Home page of the Self Service tab. Modify any attribute and click Apply. This should raise a request. Log out of the Oracle Identity Manager Self Service console.

    4. Log in to the Oracle Identity Manager Self Service Console as xelsysadm:

      http://oim_host:oim_port/identity
      
    5. Navigate to Pending Approvals on the Home page of the Self Service tab. In the list of tasks, verify whether the request has come for approval.

    6. Click the task, and then click Approve.

    7. Click the refresh icon.

    8. Navigate to Track Requests on the Home page of the Self Service tab.

    9. Click Refresh, and verify whether the request is completed.

    10. Click the Manage tab in the top right corner, and navigate to Users on the Home page. Verify whether the user profile is modified.

  • Logging in to the Design Console as xelsysadm with the appropriate password. A successful login indicates that the installation was successful.

4.10 Changing Memory Settings for Oracle Identity Manager

For staging and test deployments of Oracle Identity Manager, the maximum heap size of 2 GB is recommended. For the maximum heap size in production deployments, refer to Oracle Fusion Middleware Performance and Tuning Guide.

To change the heap setting for Oracle Identity Manager on WebLogic Server:

  1. Open the DOMAIN_HOME/bin/setOIMDomainEnv.sh file (on Linux or UNIX), or the DOMAIN_HOME\bin\setOIMDomainEnv.cmd file (on Windows).

  2. Change the -Xmx value in PORT_MEM_ARGS to 2048m.

  3. Save the file.

  4. Restart the Oracle Identity Manager Server. For more information, see Appendix C, "Restarting Servers".

4.11 Setting Up Integration with Oracle Access Management

For information about setting up integration between Oracle Identity Manager and Oracle Access Manager, see "Integrating Access Manager and Oracle Identity Manager" in the Integration Guide for Oracle Identity Management Suite.

4.12 List of Supported Languages

Oracle Identity Manager supports the following languages:

Arabic, Brazilian Portuguese, Czech, Danish, Dutch, Finnish, French, German, Greek, Hebrew, Hungarian, Italian, Japanese, Korean, Norwegian, Polish, Portuguese, Romanian, Russian, Simplified Chinese, Slovak, Spanish, Swedish, Thai, Traditional Chinese, and Turkish

4.13 Getting Started with Oracle Identity Manager After Installation

After installing Oracle Identity Manager, refer to "Oracle Identity System Administration Interface" in Administering Oracle Identity Manager.