This chapter explains how to configure Oracle Mobile Security Suite. It includes the following topics:
About the Administrator Roles in an Oracle Mobile Security Suite Deployment
Configuring Oracle Access Manager for Oracle Mobile Security Suite
Verifying Oracle Access Manager and Oracle Mobile Security Manager
Optional: Creating Additional Administrator Groups After Configuration
Getting Started with Oracle Mobile Security Suite After Installation
For Oracle Identity and Access Management 11g Release 2 (11.1.2.3.0), Oracle Mobile Security Suite includes the following components:
Oracle Mobile Security Manager
Oracle Mobile Security Access Server
Note:
Oracle Mobile Security Manager is included in the Oracle Identity and Access Management Suite. When you install Oracle Identity and Access Management 11g Release 2 (11.1.2.3.0), only Oracle Mobile Security Manager is installed. Oracle Mobile Security Access Server has its own installer and is not part of the Oracle Identity and Access Management 11g Release 2 (11.1.2.3.0) installation. You must install and configure Mobile Security Manager before installing Mobile Security Access Server. For more information on installing Mobile Security Access Server, see Section 10.12, "Installing Oracle Mobile Security Access Server."
For an introduction to Oracle Mobile Security Suite, see "Understanding Oracle Mobile Security Suite" in Administering Oracle Mobile Security Suite.
Before you start configuring Oracle Mobile Security Suite, note that IAM_HOME is used to refer to the Oracle Home directory that includes Oracle Identity Manager, Oracle Access Management, Oracle Adaptive Access Manager, Oracle Entitlements Server, Oracle Privileged Account Manager, Oracle Access Management Mobile and Social, and Oracle Mobile Security Suite. You can specify any path for this Oracle Home directory.
Table 10-1 lists the tasks for configuring Oracle Mobile Security Suite.
Table 10-1 Configuration Flow for Oracle Mobile Security Suite
No. | Task | Description
---|---|---
1 | Configure Oracle Access Management in a WebLogic domain. | For more information, see Section 10.4, "Configuring Oracle Access Management in a WebLogic Domain."
2 | Prepare your LDAP directory to be used as the common identity store for Oracle WebLogic Server, Oracle Access Manager, and Oracle Mobile Security Suite. | For more information, see Section 10.6, "Preparing Your LDAP Directory as the Identity Store."
3 | Configure the Oracle Access Manager Server that will be used with Oracle Mobile Security Suite. | You configure Oracle Access Manager using the idmConfigTool command with the -configOAM option. For more information, see Section 10.7, "Configuring Oracle Access Manager for Oracle Mobile Security Suite."
4 | Configure the identity store, keystores, and trust stores for the Oracle Mobile Security Manager Server. | You configure Oracle Mobile Security Manager using the idmConfigTool command with the -configOMSS mode=OMSM option. For more information, see Section 10.8.
5 | Start the Managed Servers. | For more information, see Section 10.9, "Starting the Managed Servers."
6 | Verify your configuration. | Ensure Oracle Mobile Security Suite is enabled on the Policy Manager Console. For more information, see Section 10.10, "Verifying Oracle Access Manager and Oracle Mobile Security Manager."
7 | Optional: Create and add additional administrator groups after configuration. | For more information, see Section 10.11, "Optional: Creating Additional Administrator Groups After Configuration."
8 | Install and configure the Oracle Mobile Security Access Server software. | For more information, see Section 10.12, "Installing Oracle Mobile Security Access Server."
9 | Get started with Oracle Mobile Security Suite. | For more information, see Section 10.13, "Getting Started with Oracle Mobile Security Suite After Installation."
Oracle Access Management is required to run and use Oracle Mobile Security Suite. Before you begin configuring Oracle Mobile Security Suite, you must install and configure Oracle Access Management in a WebLogic domain. When you install and configure Oracle Access Management in a WebLogic domain, the Oracle Mobile Security Manager server is installed and configured in the domain by default. To configure Oracle Access Management, follow the instructions in Chapter 5, "Configuring Oracle Access Management."
An Oracle Mobile Security Suite deployment provides different administrator roles for the WebLogic Server, Oracle Access Manager, and Oracle Mobile Security Suite components. Before you begin configuring Oracle Mobile Security Suite, it is important to understand these roles and how to configure them.
For an Oracle Mobile Security Suite deployment, consider the following types of administrator roles:
WebLogic Administrator Role, which provides administration privileges to configure WebLogic Server and provides authorization to access MBeans. Specifically, Mobile Security Access Server administration tasks are performed using MBeans, and therefore, this role is required.
Oracle Access Manager Administrator Role, which provides administration privileges for the Oracle Access Manager component. This role provides authorization to perform Oracle Access Management configuration tasks on the Oracle Access Management Console.
Oracle Mobile Security Suite Administrator Role, which provides administration privileges for Oracle Mobile Security Suite tasks, such as managing mobile devices and policies. All Oracle Mobile Security Suite tasks are performed on the Policy Manager Console running on the Policy Manager server. After Oracle Mobile Security Suite is fully configured with Oracle Access Manager, an Oracle Access Manager administrator is also configured as an Oracle Mobile Security Suite administrator.
To configure these roles for an Oracle Mobile Security Suite deployment, you need to do the following:
Configure a common identity store, which is typically an enterprise directory.
Create an administrator user and group in the directory, and then assign the user to the administrator group.
Configure WebLogic Server, Oracle Access Manager, and Oracle Mobile Security Suite to use the same administrator group.
These configuration steps are described in the following tasks. These tasks must be completed to configure the required Oracle Mobile Security Suite administrator users, groups, and roles successfully.
As a result, once the administrator roles, users, and groups have been configured following these procedures, you will have a single admin user with full administration privileges over WebLogic Server, Oracle Access Manager, and Oracle Mobile Security Suite.
Oracle Mobile Security Suite, along with the other Oracle Identity and Access Management 11g Release 2 (11.1.2.3.0) components, relies on a specific set of users and groups being present and correctly configured in the LDAP directory. You must therefore prepare your LDAP directory before you can configure a common identity store and a common administrator user and group for Oracle WebLogic Server, Oracle Access Manager, and Oracle Mobile Security Suite.
For information about preparing your LDAP directory, refer to one of the following procedures, depending on the type of LDAP directory you are using:
To prepare Oracle Internet Directory (OID), Oracle Unified Directory (OUD), or Oracle Directory Server Enterprise Edition (ODSEE), perform the following tasks in the Integration Guide for Oracle Identity Management Suite:
To prepare Microsoft Active Directory, perform the tasks described in "Preparing an Existing Microsoft Active Directory Instance for Use with Oracle Identity and Access Management" in the Deployment Guide for Oracle Identity and Access Management.
Note:
Before preparing your LDAP directory, ensure that the WebLogic Administration Server and LDAP server are running. For more information, see Appendix C, "Starting the Stack."
After you have prepared your LDAP directory, use the idmConfigTool command with the -configOAM option to configure the Oracle Access Manager Server that will be used with Oracle Mobile Security Suite. The idmConfigTool command is located in the IAM_HOME/idmtools/bin directory.
Note:
Do not run the idmConfigTool command with the -configOAM option if your 11g Release 2 (11.1.2.3.0) environment was upgraded from an 11g Release 2 (11.1.2.2.0) environment in which Oracle Access Manager was already configured to use an external LDAP directory. In that case, skip Section 10.7, but configure Oracle Mobile Security Manager as described in Section 10.8 using exactly the same user, group, and LDAP directory properties that the upgraded Oracle Access Manager is already configured with.
Complete the following tasks to configure Oracle Access Manager:
Use the guidelines below to create a properties file that configures your Oracle Access Manager Server. You will pass this file to the idmConfigTool command in Section 10.7.2, "Running idmConfigTool to Configure Oracle Access Manager."
Create a file named oam.properties in the directory of your choice containing the properties described in Table 10-2.
Note:
For an example properties file that includes sample values, see Sample Oracle Access Manager Properties File.
Table 10-2 Oracle Access Manager Configuration Properties
Property | Description
---|---
Properties for connecting to Oracle WebLogic Server |
WLSHOST | The host name of your Oracle WebLogic Administration Server.
WLSPORT | The port number of your Oracle WebLogic Administration Server.
WLSADMIN | The Oracle WebLogic Server administrator user you use to log in to the WebLogic Administration Console.
Properties for configuring and connecting to the LDAP directory |
IDSTORE_HOST | The host name of your LDAP directory.
IDSTORE_PORT | The port number of your LDAP directory. This value can be an SSL port or a non-SSL port. Over a non-SSL port the bind password and every search travel to the directory in cleartext.
IDSTORE_DIRECTORYTYPE | Directory type of the LDAP server. Specify one of the following values: OID (Oracle Internet Directory), OUD (Oracle Unified Directory), ODSEE (Oracle Directory Server Enterprise Edition), or AD (Microsoft Active Directory).
IDSTORE_BINDDN | The DN of an administrative user of the LDAP directory, for example cn=orcladmin.
IDSTORE_USERSEARCHBASE | The location in the directory where users are stored. This property tells the directory where to search for users.
IDSTORE_SEARCHBASE | The location in the directory where users and groups are stored.
IDSTORE_GROUPSEARCHBASE | The location in the directory where groups (or roles) are stored. This property tells the directory where to search for groups or roles.
IDSTORE_SYSTEMIDBASE | The location of a container in the directory where system operations users are stored so that they are kept separate from enterprise users stored in the main user container.
OAM11G_IDSTORE_ROLE_SECURITY_ADMIN | The name of the group that is used to allow access to the Oracle Access Management administration console.
OAM11G_SERVER_LOGIN_ATTRIBUTE | At a login attempt, the user name is validated against this attribute in the identity store.
OAM11G_IDSTORE_NAME | The identity store name. If you already have an identity store in place that you want to reuse (rather than allowing the tool to create a new one for you), set this parameter to the name of the identity store you want to reuse.
OAM11G_CREATE_IDSTORE | Whether idmConfigTool creates a new identity store with the name given in OAM11G_IDSTORE_NAME (true) or reuses the existing identity store of that name (false). Valid values are true and false.
IDSTORE_USERNAMEATTRIBUTE | LDAP user name attribute used to search for users in the identity store.
IDSTORE_LOGINATTRIBUTE | An attribute of a user in the identity store that contains the user's login name. This is the attribute the user uses for login. Set it to the same value as IDSTORE_USERNAMEATTRIBUTE (both are cn in the sample file).
IDSTORE_OAMSOFTWAREUSER | The user name used to establish the Oracle Access Manager identity store connection. Specify the name of the user that you created in Section 10.6, "Preparing Your LDAP Directory as the Identity Store." Oracle Access Manager uses this user to connect to the directory or LDAP server.
IDSTORE_OAMADMINUSER | The identity store administrator for Oracle Access Manager. Specify the name of a user that has privileges to access the Oracle Access Management Console, that is, the user that you created in Section 10.6, "Preparing Your LDAP Directory as the Identity Store."
Properties for configuring WebGate |
WEBGATE_TYPE | The type of WebGate agent you want to create. Set to ohsWebgate11g for an Oracle HTTP Server 11g WebGate, as in the sample file.
ACCESS_GATE_ID | The name you want to assign to the WebGate.
COOKIE_DOMAIN | The web domain in which the WebGate functions. Specify the domain with a leading period, for example .example.com (the sample file uses .cc.example.com).
OAM11G_WG_DENY_ON_NOT_PROTECTED | When set to true, the WebGate denies access to any resource that is not covered by an explicit protection policy; when set to false, such resources are allowed through. Valid values are true and false.
OAM_TRANSFER_MODE | The transfer mode for the Oracle Access Manager agent being configured. Valid values are open, simple, and cert. In open mode the agent-to-server traffic is not encrypted; simple and cert protect it with TLS (simple with Oracle-generated certificates, cert with certificates from your own CA).
Properties for configuring Oracle Access Manager Server |
OAM11G_SSO_ONLY_FLAG | Configures Access Manager in authentication-only mode or in normal mode, which supports both authentication and authorization. If true, the Oracle Access Manager server performs authentication only. If false, it performs authentication and authorization. Valid values are true and false.
OAM11G_OAM_SERVER_TRANSFER_MODE | The security model in which the Oracle Access Manager 11g server functions. Valid values are open, simple, and cert.
PRIMARY_OAM_SERVERS | A comma-separated list of your Oracle Access Manager servers and their proxy ports. For example, examplehost.example.com:5575.
OAM11G_IMPERSONATION_FLAG | Set to true to enable impersonation in the Oracle Access Manager server, or false to leave it disabled. Valid values are true and false.
OAM11G_IDM_DOMAIN_LOGOUT_URLS | Comma-separated list of Oracle Access Manager logout URLs.
COOKIE_EXPIRY_INTERVAL | Cookie expiration period.
OAM11G_IDM_DOMAIN_OHS_HOST | Host name of the load balancer that is in front of Oracle HTTP Server.
OAM11G_IDM_DOMAIN_OHS_PORT | Port number on which the load balancer listens.
OAM11G_IDM_DOMAIN_OHS_PROTOCOL | Protocol for Oracle HTTP Server. Valid values are http and https.
OAM11G_SERVER_LBR_HOST | Host name of the load balancer front-ending the Oracle Access Manager server. This and the following two parameters are used to construct your login URL.
OAM11G_SERVER_LBR_PORT | The port number that the load balancer front-ending the Oracle Access Manager server is listening on.
OAM11G_SERVER_LBR_PROTOCOL | Protocol of the load balancer front-ending the Oracle Access Manager server. Valid values are http and https.
SPLIT_DOMAIN | Set to true, as in the sample file. Valid values are true and false.
Properties needed if you are configuring Oracle Identity Manager with Oracle Access Manager |
OAM11G_OIM_OHS_URL | The Oracle HTTP Server URL that front-ends the Oracle Identity Manager server. This property is required only if your topology contains both Oracle Access Manager and Oracle Identity Manager.
OAM11G_OIM_INTEGRATION_REQ | Specifies whether to integrate with Oracle Identity Manager or to configure Oracle Access Manager in standalone mode. Set to true to integrate with Oracle Identity Manager, or false for standalone mode. Valid values are true and false.
Sample Oracle Access Manager Properties File
WLSHOST: examplehost.example.com
WLSPORT: 7001
WLSADMIN: weblogic
IDSTORE_HOST: idstore.example.com
IDSTORE_PORT: 1389
IDSTORE_DIRECTORYTYPE: OUD
IDSTORE_BINDDN: cn=orcladmin
IDSTORE_USERSEARCHBASE: cn=Users,dc=example,dc=com
IDSTORE_SEARCHBASE: dc=example,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com
IDSTORE_SYSTEMIDBASE: cn=systemids,dc=example,dc=com
OAM11G_IDSTORE_ROLE_SECURITY_ADMIN: OAMAdministrators
OAM11G_SERVER_LOGIN_ATTRIBUTE: cn
OAM11G_CREATE_IDSTORE: true
OAM11G_IDSTORE_NAME: OAMIDSTORE
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: cn
IDSTORE_OAMSOFTWAREUSER: oamLDAP
IDSTORE_OAMADMINUSER: oamadmin
WEBGATE_TYPE: ohsWebgate11g
ACCESS_GATE_ID: Webgate_IDM
COOKIE_DOMAIN: .cc.example.com
OAM11G_WG_DENY_ON_NOT_PROTECTED: true
OAM_TRANSFER_MODE: open
OAM11G_SSO_ONLY_FLAG: false
OAM11G_OAM_SERVER_TRANSFER_MODE: open
PRIMARY_OAM_SERVERS: examplehost.example.com:5575
OAM11G_IMPERSONATION_FLAG: false
OAM11G_IDM_DOMAIN_LOGOUT_URLS: /oamsso/logout.html, /console/jsp/common/logout.jsp, /em/targetauth/emaslogout.jsp
COOKIE_EXPIRY_INTERVAL: 120
OAM11G_IDM_DOMAIN_OHS_HOST: examplehost.example.com
OAM11G_IDM_DOMAIN_OHS_PORT: 7777
OAM11G_IDM_DOMAIN_OHS_PROTOCOL: http
OAM11G_SERVER_LBR_HOST: examplehost.example.com
OAM11G_SERVER_LBR_PORT: 7777
OAM11G_SERVER_LBR_PROTOCOL: http
SPLIT_DOMAIN: true
OAM11G_OIM_OHS_URL: http://examplehost.example.com:7778
OAM11G_OIM_INTEGRATION_REQ: false
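The sample file above is a working starting point, but it is also a reminder of how much of Oracle Access Manager's security posture is decided by a handful of these keys: open transfer mode, http protocols, and the deny-on-not-protected flag. The following added example (not from the Oracle documentation or the idmConfigTool distribution) lints a properties file in the KEY: VALUE format shown above before you hand it to idmConfigTool. The required-key list follows Table 10-2; the value sets (open/simple/cert, http/https, true/false, OID/OUD/ODSEE/AD) are the documented Oracle Access Manager 11g ones. The embedded SAMPLE is a constructed copy of the sample file.

```python
"""Lint an idmConfigTool properties file before running -configOAM.

Added example, not Oracle's code. Input is the "KEY: VALUE" per-line format of
the sample file above. REQUIRED follows Table 10-2; ALLOWED holds the OAM 11g
value sets. Warnings flag settings that are valid but weak.
"""
import re

REQUIRED = (
    "WLSHOST", "WLSPORT", "WLSADMIN", "IDSTORE_HOST", "IDSTORE_PORT",
    "IDSTORE_DIRECTORYTYPE", "IDSTORE_BINDDN", "IDSTORE_USERSEARCHBASE",
    "IDSTORE_SEARCHBASE", "IDSTORE_GROUPSEARCHBASE", "IDSTORE_SYSTEMIDBASE",
    "OAM11G_IDSTORE_ROLE_SECURITY_ADMIN", "OAM11G_SERVER_LOGIN_ATTRIBUTE",
    "OAM11G_CREATE_IDSTORE", "OAM11G_IDSTORE_NAME", "IDSTORE_USERNAMEATTRIBUTE",
    "IDSTORE_LOGINATTRIBUTE", "IDSTORE_OAMSOFTWAREUSER", "IDSTORE_OAMADMINUSER",
    "WEBGATE_TYPE", "ACCESS_GATE_ID", "COOKIE_DOMAIN", "OAM11G_WG_DENY_ON_NOT_PROTECTED",
    "OAM_TRANSFER_MODE", "OAM11G_SSO_ONLY_FLAG", "OAM11G_OAM_SERVER_TRANSFER_MODE",
    "PRIMARY_OAM_SERVERS", "OAM11G_IMPERSONATION_FLAG", "OAM11G_IDM_DOMAIN_LOGOUT_URLS",
    "COOKIE_EXPIRY_INTERVAL", "OAM11G_IDM_DOMAIN_OHS_HOST", "OAM11G_IDM_DOMAIN_OHS_PORT",
    "OAM11G_IDM_DOMAIN_OHS_PROTOCOL", "OAM11G_SERVER_LBR_HOST", "OAM11G_SERVER_LBR_PORT",
    "OAM11G_SERVER_LBR_PROTOCOL", "SPLIT_DOMAIN", "OAM11G_OIM_INTEGRATION_REQ",
)
ALLOWED = {
    "IDSTORE_DIRECTORYTYPE": {"OID", "OUD", "ODSEE", "AD"},
    "OAM_TRANSFER_MODE": {"open", "simple", "cert"},
    "OAM11G_OAM_SERVER_TRANSFER_MODE": {"open", "simple", "cert"},
    "OAM11G_IDM_DOMAIN_OHS_PROTOCOL": {"http", "https"},
    "OAM11G_SERVER_LBR_PROTOCOL": {"http", "https"},
}
FLAGS = ("OAM11G_CREATE_IDSTORE", "OAM11G_WG_DENY_ON_NOT_PROTECTED", "OAM11G_SSO_ONLY_FLAG",
         "OAM11G_IMPERSONATION_FLAG", "SPLIT_DOMAIN", "OAM11G_OIM_INTEGRATION_REQ")
HOST_PORT = re.compile(r"^[A-Za-z0-9.-]+:\d{1,5}$")


def parse_properties(text):
    """Parse 'KEY: VALUE' lines, splitting on the first colon only so URL values survive."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            key, value = line.split(":", 1)
            props[key.strip()] = value.strip()
    return props


def lint(props):
    """Return (errors, warnings): errors break the run, warnings need a security sign-off."""
    errors, warnings = [], []
    errors += [f"missing required property {k}" for k in REQUIRED if k not in props]
    for key, allowed in ALLOWED.items():
        if key in props and props[key] not in allowed:
            errors.append(f"{key}={props[key]!r} not in {sorted(allowed)}")
    for key in FLAGS:
        if key in props and props[key] not in ("true", "false"):
            errors.append(f"{key} must be true or false, got {props[key]!r}")
    for entry in filter(None, map(str.strip, props.get("PRIMARY_OAM_SERVERS", "").split(","))):
        if not HOST_PORT.match(entry):
            errors.append(f"PRIMARY_OAM_SERVERS entry {entry!r} is not host:port")
    if props.get("OAM11G_OIM_INTEGRATION_REQ") == "true" and "OAM11G_OIM_OHS_URL" not in props:
        errors.append("OAM11G_OIM_INTEGRATION_REQ=true requires OAM11G_OIM_OHS_URL")
    # Weak-but-valid settings: "open" mode gives an unencrypted agent/server channel;
    # "http" sends the login flow and the SSO cookie in cleartext.
    for key in ("OAM_TRANSFER_MODE", "OAM11G_OAM_SERVER_TRANSFER_MODE"):
        if props.get(key) == "open":
            warnings.append(f"{key}=open: agent/server traffic is unencrypted")
    for key in ("OAM11G_IDM_DOMAIN_OHS_PROTOCOL", "OAM11G_SERVER_LBR_PROTOCOL"):
        if props.get(key) == "http":
            warnings.append(f"{key}=http: login URL and SSO cookie travel in cleartext")
    if props.get("OAM11G_WG_DENY_ON_NOT_PROTECTED") == "false":
        warnings.append("OAM11G_WG_DENY_ON_NOT_PROTECTED=false: unprotected URLs pass through")
    if props.get("IDSTORE_LOGINATTRIBUTE") != props.get("IDSTORE_USERNAMEATTRIBUTE"):
        warnings.append("IDSTORE_LOGINATTRIBUTE differs from IDSTORE_USERNAMEATTRIBUTE")
    return errors, warnings


# Constructed copy of the sample oam.properties above, packed as pairs for brevity.
SAMPLE = "\n".join(f"{k}: {v}" for k, v in [
    ("WLSHOST", "examplehost.example.com"), ("WLSPORT", "7001"), ("WLSADMIN", "weblogic"),
    ("IDSTORE_HOST", "idstore.example.com"), ("IDSTORE_PORT", "1389"),
    ("IDSTORE_DIRECTORYTYPE", "OUD"), ("IDSTORE_BINDDN", "cn=orcladmin"),
    ("IDSTORE_USERSEARCHBASE", "cn=Users,dc=example,dc=com"), ("IDSTORE_SEARCHBASE", "dc=example,dc=com"),
    ("IDSTORE_GROUPSEARCHBASE", "cn=Groups,dc=example,dc=com"),
    ("IDSTORE_SYSTEMIDBASE", "cn=systemids,dc=example,dc=com"),
    ("OAM11G_IDSTORE_ROLE_SECURITY_ADMIN", "OAMAdministrators"), ("OAM11G_SERVER_LOGIN_ATTRIBUTE", "cn"),
    ("OAM11G_CREATE_IDSTORE", "true"), ("OAM11G_IDSTORE_NAME", "OAMIDSTORE"),
    ("IDSTORE_USERNAMEATTRIBUTE", "cn"), ("IDSTORE_LOGINATTRIBUTE", "cn"),
    ("IDSTORE_OAMSOFTWAREUSER", "oamLDAP"), ("IDSTORE_OAMADMINUSER", "oamadmin"),
    ("WEBGATE_TYPE", "ohsWebgate11g"), ("ACCESS_GATE_ID", "Webgate_IDM"), ("COOKIE_DOMAIN", ".cc.example.com"),
    ("OAM11G_WG_DENY_ON_NOT_PROTECTED", "true"), ("OAM_TRANSFER_MODE", "open"),
    ("OAM11G_SSO_ONLY_FLAG", "false"), ("OAM11G_OAM_SERVER_TRANSFER_MODE", "open"),
    ("PRIMARY_OAM_SERVERS", "examplehost.example.com:5575"), ("OAM11G_IMPERSONATION_FLAG", "false"),
    ("OAM11G_IDM_DOMAIN_LOGOUT_URLS", "/oamsso/logout.html, /console/jsp/common/logout.jsp"),
    ("COOKIE_EXPIRY_INTERVAL", "120"), ("OAM11G_IDM_DOMAIN_OHS_HOST", "examplehost.example.com"),
    ("OAM11G_IDM_DOMAIN_OHS_PORT", "7777"), ("OAM11G_IDM_DOMAIN_OHS_PROTOCOL", "http"),
    ("OAM11G_SERVER_LBR_HOST", "examplehost.example.com"), ("OAM11G_SERVER_LBR_PORT", "7777"),
    ("OAM11G_SERVER_LBR_PROTOCOL", "http"), ("SPLIT_DOMAIN", "true"),
    ("OAM11G_OIM_OHS_URL", "http://examplehost.example.com:7778"), ("OAM11G_OIM_INTEGRATION_REQ", "false"),
])

if __name__ == "__main__":
    errs, warns = lint(parse_properties(SAMPLE))
    for line in errs + warns:
        print(line)
```

Run against the sample file, the linter reports no errors and four warnings (both transfer modes open, both protocols http); treat those as the list of settings to change before the same file is used outside a lab.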
To configure Oracle Access Manager, run the idmConfigTool command with the -configOAM option as follows:
Note:
Before running idmConfigTool:
Make sure that you have created the required properties file, as described in Section 10.7.1, "Creating the Oracle Access Manager Properties File."
Ensure that the WebLogic Administration Server and LDAP server are running. For more information, see Appendix C, "Starting the Stack."
Set the following environment variables:
Set MW_HOME to the full path of the Oracle Identity and Access Management Middleware home, that is, the Middleware home that was created when you installed Oracle WebLogic Server 11g Release 1 (10.3.6) on your system. For example, /u01/oracle/products/fmw_oam.
Set ORACLE_HOME to the full path of the Oracle home where Oracle Access Manager is installed, that is, your IAM_HOME directory. For example, /u01/oracle/products/fmw_oam/Oracle_IDM1.
Set JAVA_HOME to the full path of the JDK directory.
Change directory to the IAM_HOME/idmtools/bin directory:
cd IAM_HOME/idmtools/bin
Run the following command:
idmConfigTool.sh -configOAM input_file=configfile log_level=level log_file=log_file
Where:
(Required) input_file is the full or relative path to the properties file you created in Section 10.7.1, "Creating the Oracle Access Manager Properties File."
(Optional) log_level is the level of logging performed by idmConfigTool. Possible values are ALL, SEVERE, WARNING, INFO, CONFIG, FINE, FINER, and FINEST. If not specified, the default is INFO.
(Optional) log_file is the full or relative path to the file where idmConfigTool writes its log. If not specified, idmConfigTool creates a log file named automation.log in the directory where you run the tool.
For example:
idmConfigTool.sh -configOAM input_file=oam.properties
Where oam.properties is a properties file containing configuration parameters specific to your environment. For information on creating this file, see Section 10.7.1, "Creating the Oracle Access Manager Properties File."
When the command runs, it prompts you to enter the password of the account used to connect to the identity store (the IDSTORE_BINDDN user). It also prompts you for the following passwords:
OAM11G_WLS_ADMIN_PASSWD: Enter the password for the WebLogic Server administrator user (WLSADMIN).
OAM11G_IDM_DOMAIN_WEBGATE_PASSWD: Enter a password to be assigned to the WebGate.
IDSTORE_PWD_OAMSOFTWAREUSER: Enter the password for IDSTORE_OAMSOFTWAREUSER.
IDSTORE_PWD_OAMADMINUSER: Enter the password for IDSTORE_OAMADMINUSER.
Sample command output, when running the command against Oracle Unified Directory:
Enter ID Store Bind DN password:
Enter User Password for OAM11G_WLS_ADMIN_PASSWD:
Confirm User Password for OAM11G_WLS_ADMIN_PASSWD:
Enter User Password for OAM11G_IDM_DOMAIN_WEBGATE_PASSWD:
Confirm User Password for OAM11G_IDM_DOMAIN_WEBGATE_PASSWD:
Enter User Password for IDSTORE_PWD_OAMSOFTWAREUSER:
Confirm User Password for IDSTORE_PWD_OAMSOFTWAREUSER:
Enter User Password for IDSTORE_PWD_OAMADMINUSER:
Confirm User Password for IDSTORE_PWD_OAMADMINUSER:
Connecting to t3://examplehost.example.com:7001
Connection to domain runtime mbean server established
Starting edit session
Edit session started
Connected to security realm.
Validating provider configuration
Validated desired authentication providers
Created OAMIDAsserter successfuly
Created OUDAuthenticator successfuly
Setting attributes for OUDAuthenticator
All attributes set.
Configured in OUDAuthenticator now
LDAP details configured in OUDAuthenticator
Dec 19, 2014 6:40:38 AM oracle.idm.automation.impl.oam.handlers.WLSAuthnConfigHandler logInfo
INFO: ControlFlag for OAMIDAsserter set to REQUIRED
Dec 19, 2014 6:40:38 AM oracle.idm.automation.impl.oam.handlers.WLSAuthnConfigHandler logInfo
INFO: ControlFlag for OUDAuthenticator set to SUFFICIENT
Dec 19, 2014 6:40:38 AM oracle.idm.automation.impl.oam.handlers.WLSAuthnConfigHandler logInfo
INFO: ControlFlag for DefaultAuthenticator set to SUFFICIENT
Control flags for authenticators set sucessfully
Dec 19, 2014 6:40:38 AM oracle.idm.automation.impl.oam.handlers.WLSAuthnConfigHandler logInfo
INFO: Total providers - 5
Reordering of authenticators done sucessfully
Saving the transaction
Transaction saved
Activating the changes
Changes Activated.
Edit session ended.
Connection closed sucessfully
The tool has completed its operation. Details have been logged to automation.log
Sample command output, when running the command against Microsoft Active Directory:
Enter ID Store Bind DN password:
Enter User Password for OAM11G_WLS_ADMIN_PASSWD:
Confirm User Password for OAM11G_WLS_ADMIN_PASSWD:
Enter User Password for OAM11G_IDM_DOMAIN_WEBGATE_PASSWD:
Confirm User Password for OAM11G_IDM_DOMAIN_WEBGATE_PASSWD:
Enter User Password for IDSTORE_PWD_OAMSOFTWAREUSER:
Confirm User Password for IDSTORE_PWD_OAMSOFTWAREUSER:
Enter User Password for IDSTORE_PWD_OAMADMINUSER:
Confirm User Password for IDSTORE_PWD_OAMADMINUSER:
Connecting to t3://examplehost.example.com:7001
Connection to domain runtime mbean server established
Starting edit session
Edit session started
Connected to security realm.
Validating provider configuration
Validated desired authentication providers
OAM Asserter already exists in the security realm
Created ADAuthenticator successfuly
Setting attributes for ADAuthenticator
All attributes set.
Configured in ADAuthenticator now
LDAP details configured in ADAuthenticator
Control flags for authenticators set sucessfully
Reordering of authenticators done sucessfully
Saving the transaction
Transaction saved
Activating the changes
Changes Activated.
Edit session ended.
Connection closed sucessfully
The tool has completed its operation. Details have been logged to oam.log
Check the log file for any errors or warnings and correct them before continuing.
Restart the Oracle WebLogic Administration Server, as described in Appendix C, "Restarting Servers."
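Checking the log by eye works for one run; for repeated runs it helps to have the check scripted. The following added example (not from the Oracle documentation) triages idmConfigTool output or its automation.log. It relies only on what the sample output above shows: java.util.logging records (a header line with timestamp, class and method, then a LEVEL: message line) interleaved with the tool's plain progress lines, the "ControlFlag for ... set to ..." messages, and the completion marker. The embedded SAMPLE_LOG is a constructed excerpt modelled on the Oracle Unified Directory run above; the expected control flags are the ones that run shows.

```python
"""Triage idmConfigTool -configOAM output (or automation.log) before restarting.

Added example, not Oracle's code. Pulls out WARNING/SEVERE records, checks for
the completion marker, and extracts the authentication-provider control flags
so the resulting chain can be compared with the sample output above.
"""
import re

RECORD = re.compile(r"^(SEVERE|WARNING|INFO|CONFIG|FINE|FINER|FINEST): (.*)$")
CONTROL_FLAG = re.compile(r"ControlFlag for (\S+) set to (REQUIRED|REQUISITE|SUFFICIENT|OPTIONAL)")
COMPLETED = "The tool has completed its operation"
# Flags from the sample run: the asserter is REQUIRED, the directory and embedded
# authenticators SUFFICIENT, so either the LDAP directory or the embedded LDAP can satisfy a login.
EXPECTED_ASSERTER_FLAG = "REQUIRED"
EXPECTED_AUTHENTICATOR_FLAG = "SUFFICIENT"


def parse_records(text):
    """Return [(level, message)] for each 'LEVEL: message' line; header and plain lines are skipped."""
    records = []
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if m:
            records.append((m.group(1), m.group(2)))
    return records


def control_flags(text):
    """Map provider name -> JAAS control flag from 'ControlFlag for X set to Y' messages."""
    return {m.group(1): m.group(2) for m in CONTROL_FLAG.finditer(text)}


def triage(text):
    """Summarise a run: problems to fix, provider chain, and whether it is safe to restart."""
    problems = [r for r in parse_records(text) if r[0] in ("SEVERE", "WARNING")]
    flags = control_flags(text)
    notes = []
    for name, flag in flags.items():
        expected = EXPECTED_ASSERTER_FLAG if name.endswith("Asserter") else EXPECTED_AUTHENTICATOR_FLAG
        if flag != expected:
            notes.append(f"{name} is {flag}; sample run has {expected}")
    completed = COMPLETED in text
    return {"completed": completed, "problems": problems, "flags": flags, "notes": notes,
            "ok": completed and not problems and not notes}


# Constructed excerpt modelled on the Oracle Unified Directory sample output above.
SAMPLE_LOG = """\
Connecting to t3://examplehost.example.com:7001
Created OAMIDAsserter successfuly
Created OUDAuthenticator successfuly
Dec 19, 2014 6:40:38 AM oracle.idm.automation.impl.oam.handlers.WLSAuthnConfigHandler logInfo
INFO: ControlFlag for OAMIDAsserter set to REQUIRED
Dec 19, 2014 6:40:38 AM oracle.idm.automation.impl.oam.handlers.WLSAuthnConfigHandler logInfo
INFO: ControlFlag for OUDAuthenticator set to SUFFICIENT
Dec 19, 2014 6:40:38 AM oracle.idm.automation.impl.oam.handlers.WLSAuthnConfigHandler logInfo
INFO: ControlFlag for DefaultAuthenticator set to SUFFICIENT
Dec 19, 2014 6:40:38 AM oracle.idm.automation.impl.oam.handlers.WLSAuthnConfigHandler logInfo
INFO: Total providers - 5
Changes Activated.
The tool has completed its operation. Details have been logged to automation.log
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("OK" if result["ok"] else "REVIEW", result["flags"], result["problems"], result["notes"])
```

Point the script at the real automation.log (or paste the console output) and only restart the Administration Server when it reports OK; a DefaultAuthenticator left at REQUIRED, for instance, would make every login depend on the embedded LDAP as well as the directory.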
After you complete the installation process, none of the users or groups in the LDAP identity store holds the WebLogic Admin role. Perform the following steps to grant the WebLogic Admin role to the Oracle Access Manager administrator group and to the WebLogic Server administrator group.
Log in to the WebLogic Server Administration Console.
Click Security Realms from the Domain Structure menu.
Click myrealm in the Realms table.
Click the Roles and Policies tab.
Expand the Global Roles entry in the Roles table. This brings up the entry for Roles.
Click Roles under the Global Roles entry.
Click the Admin role in the Global Roles table.
Under Role Conditions, click Add Conditions.
Select Group from the predicate list and click Next.
In the Group Argument Name field, enter the name of the Oracle Access Manager administrator group (the value of OAM11G_IDSTORE_ROLE_SECURITY_ADMIN) that you created in Section 10.6, "Preparing Your LDAP Directory as the Identity Store." For example, OAMAdministrators.
Click Add.
Click Finish.
Role Conditions now shows the Oracle Access Manager administrator group as an entry.
Under Role Conditions, click Add Conditions.
Select Group from the predicate list and click Next.
In the Group Argument Name field, enter the name of the WebLogic Server administrator group (the value of IDSTORE_WLSADMINGROUP) that you created in Section 10.6, "Preparing Your LDAP Directory as the Identity Store." For example, IDM Administrators.
Click Add.
Click Finish.
Role Conditions now shows the WebLogic Server administrator group as an entry.
Click Save and then restart the Administration Server.
If you are using Oracle Unified Directory (OUD) as the LDAP identity store and the group object class is groupOfUniqueNames, perform the following additional steps. They tell the OUDAuthenticator that idmConfigTool created how group membership is expressed in the directory; without them WebLogic cannot resolve a user's groups, and the Admin role mapping configured above does not take effect.
Connect to the WebLogic Administration Server using the WLST connect command:
IAM_HOME/common/bin/wlst.sh
connect()
Run the following WLST commands in this order:
Note:
Replace domain_name with the name of the domain that you created in Section 10.4, "Configuring Oracle Access Management in a WebLogic Domain."
edit()
startEdit()
# Navigate to the authenticator that idmConfigTool created in the default realm
cd('/SecurityConfiguration/domain_name/Realms/myrealm/AuthenticationProviders/OUDAuthenticator')
# Membership attribute used by groupOfUniqueNames entries
cmo.setStaticMemberDNAttribute('uniquemember')
# Filter WebLogic uses to find the groups a given member DN (%M) belongs to
cmo.setStaticGroupDNsfromMemberDNFilter('(&(uniquemember=%M)(objectclass=groupOfUniqueNames))')
cmo.setStaticGroupObjectClass('groupOfUniqueNames')
activate()
After you have executed the idmConfigTool -configOAM command to configure Oracle Access Manager, use idmConfigTool to configure the identity store, keystores, and trust stores for the Oracle Mobile Security Manager Server.
Complete the following tasks to configure Oracle Mobile Security Manager:
Use the guidelines below to create a properties file that configures your Oracle Mobile Security Manager Server. You will pass this file to the idmConfigTool command in Section 10.8.2, "Running idmConfigTool to Configure Oracle Mobile Security Manager."
Create a file named omss.properties in the directory of your choice containing the properties described in Table 10-3. All properties are required unless marked as (Optional).
Notes:
For an example properties file that includes sample values, see Sample Oracle Mobile Security Suite Properties File.
Oracle Access Manager and Oracle Mobile Security Manager must point to the same identity store when you run idmConfigTool -configOAM and idmConfigTool -configOMSS mode=OMSM to configure Oracle Access Manager and Oracle Mobile Security Manager, respectively.
Save this file. You will use the same properties file later for Mobile Security Access Server configuration, which you perform by running the idmConfigTool command with the -configOMSS mode=OMSAS option. For more information, see "Configuring the Identity Store and Keystores for the MSAS Instance" in Installing Oracle Mobile Security Access Server.
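Because oam.properties and omss.properties are written by hand, the "same identity store" requirement in the note above is easy to break with a stale hostname or a different user container. The following added example (not from the Oracle documentation) compares the two files. The text guarantees that IDSTORE_HOST and IDSTORE_PORT carry the same names in both files, so those are always compared; any other IDSTORE_* key is compared only when it appears in both files, on the assumption that a shared name means a shared setting. The sample file contents are constructed.

```python
"""Cross-check oam.properties against omss.properties before -configOMSS mode=OMSM.

Added example, not Oracle's code. Both files must describe the same identity
store. IDSTORE_HOST and IDSTORE_PORT are always compared; other IDSTORE_* keys
are compared when present in both files (assumed to share names).
"""

MUST_MATCH = ("IDSTORE_HOST", "IDSTORE_PORT")


def parse_properties(text):
    """'KEY: VALUE' per line, split on the first colon only; comments and blanks skipped."""
    props = {}
    for line in text.splitlines():
        if ":" in line and not line.lstrip().startswith("#"):
            key, value = line.split(":", 1)
            props[key.strip()] = value.strip()
    return props


def identity_store_mismatches(oam, omss):
    """Return {key: (oam_value, omss_value)} for identity-store settings that disagree.
    A MUST_MATCH key missing from either file is reported with None on that side."""
    diffs = {}
    for key in MUST_MATCH:
        if oam.get(key) != omss.get(key):
            diffs[key] = (oam.get(key), omss.get(key))
    shared = (set(oam) & set(omss)) - set(MUST_MATCH)
    for key in sorted(k for k in shared if k.startswith("IDSTORE_")):
        if oam[key] != omss[key]:
            diffs[key] = (oam[key], omss[key])
    return diffs


# Constructed excerpts; the OAM values follow the sample oam.properties above.
SAMPLE_OAM = """\
IDSTORE_HOST: idstore.example.com
IDSTORE_PORT: 1389
IDSTORE_DIRECTORYTYPE: OUD
IDSTORE_USERSEARCHBASE: cn=Users,dc=example,dc=com
IDSTORE_OAMADMINUSER: oamadmin
"""
SAMPLE_OMSS = """\
IDSTORE_HOST: idstore.example.com
IDSTORE_PORT: 1389
IDSTORE_DIRECTORYTYPE: OUD
IDSTORE_USERSEARCHBASE: cn=Users,dc=example,dc=com
"""
# The same omss file after someone points Mobile Security Manager at another host and user container.
SAMPLE_OMSS_DRIFTED = (SAMPLE_OMSS.replace("idstore.example.com", "idstore2.example.com")
                       .replace("cn=Users,dc=example,dc=com", "ou=People,dc=example,dc=com"))

if __name__ == "__main__":
    drift = identity_store_mismatches(parse_properties(SAMPLE_OAM), parse_properties(SAMPLE_OMSS_DRIFTED))
    for name, (oam_value, omss_value) in drift.items():
        print(f"{name}: oam={oam_value!r} omss={omss_value!r}")
```

An empty result means the two files agree on every identity-store setting they share; anything reported should be fixed in omss.properties before running idmConfigTool, because a Mobile Security Manager bound to a different user container will not see the administrator group that Oracle Access Manager uses.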
Table 10-3 Oracle Mobile Security Suite Configuration Properties
Property | Description
---|---
Properties for configuring and connecting to the LDAP directory |
 | (Optional) Set to
 | Directory type of the LDAP Server. Specify one of the following values: OID (Oracle Internet Directory), OUD (Oracle Unified Directory), ODSEE (Oracle Directory Server Enterprise Edition), or AD (Microsoft Active Directory).
IDSTORE_HOST | The host name of your LDAP directory. This should be the same value that you used for this property when you created the Oracle Access Manager properties file in Section 10.7.1, "Creating the Oracle Access Manager Properties File."
IDSTORE_PORT | The port number of your LDAP directory. This value can be an SSL port or a non-SSL port. This should be the same value that you used for this property when you created the Oracle Access Manager properties file in Section 10.7.1, "Creating the Oracle Access Manager Properties File."
 | (Optional) Specify the absolute path to the location that contains directory-specific SSL certificates. This property is applicable only if the LDAP directory communicates over an SSL port. If provided, These certificates should be in
 | An administrative user of the LDAP directory.
 | LDAP user name attribute used to search for users in the identity store.
 | The location in the directory where users are stored. This property tells the directory where to search for users.
 | The location in the directory where groups (or roles) are stored. This property tells the directory where to search for groups or roles.
 | The location in the directory where users and groups are stored.
 | An attribute of a user in the identity store that contains the user's login name. This is the attribute the user uses for login.
 | Name of the identity store profile for Oracle Mobile Security Manager. The
Properties for connecting to Oracle WebLogic Server |
 | The host name of your Oracle WebLogic Administration Server.
 | The WebLogic Server Administrator user you use to log in to the WebLogic Administration Console.
 | The port number of your WebLogic Administration Server.
 | The absolute path to the Oracle Mobile Security Manager domain you created in Section 10.4, "Configuring Oracle Access Management in a WebLogic Domain."
Properties for configuring Oracle Mobile Security Suite users, groups, and roles |
 | (Optional) Name of the administrator group whose members have administrative privileges for Oracle Mobile Security Manager operations. This group is used to allow access to the Oracle Mobile Security Manager features on the Policy Manager Console. This should be set to the same value that you provided for OAM11G_IDSTORE_ROLE_SECURITY_ADMIN in the Oracle Access Manager properties file, so that Oracle Access Manager administrators are also Oracle Mobile Security Suite administrators. The default value is
 | (Optional) Name of the Oracle Mobile Security Manager helpdesk group, whose members get helpdesk privileges for Oracle Mobile Security Manager operations. This group is used to allow access to the Security Help Desk privileges in the Policy Manager Console. The default value is
 | (Optional) Oracle Mobile Security Manager uses a Simple Certificate Enrollment Protocol (SCEP) dynamic challenge for external SCEP authorization during the enrollment phase. Mobile Security Manager uses this user for that authentication.
Properties for Mobile Security Manager Server and Policy Manager Server |
 | Name of the Mobile Security Manager Managed Server. By default, this is This property must match the Mobile Security Manager Server name(s) provided during domain configuration. If you have multiple Mobile Security Manager Servers, specify a comma-separated list of Managed Server names. For example,
 | (Optional) A comma-separated list of the hosts on which your Mobile Security Manager Servers run. The number and order of the hosts specified for If this property is not specified in the properties file,
 | Name of the Policy Manager Managed Server. By default, this is This property must match the Policy Manager Server name(s) provided during domain configuration.
Properties for a cluster deployment |
 | (Optional) For cluster deployments, provide the URL of the load balancer that front-ends the Oracle Mobile Security Manager cluster. This property is required only if there is a cluster of Mobile Security Manager servers. The
Properties for configuring and connecting to a proxy server |
 | (Optional) If you are using a proxy server, specify the host name of the proxy server. This and the following three properties are required if the Mobile Security Manager Server runs within an internal network and needs a proxy server to reach an outside network.
 | (Optional) If you are using a proxy server, specify the port number of the proxy server.
 | (Optional) The user name for connecting to the proxy server. If the proxy server is unauthenticated, then
 | (Optional) Valid values are
Properties for connecting to the database |
 | Specify the JDBC URL of the Oracle Mobile Security Manager database repository in the format jdbc:oracle:thin:@db_host:port/service_name, where db_host is the host name of the machine on which the database resides, port is the listener port of the database, and service_name is the service name of the database. For example, jdbc:oracle:thin:@examplehost.exampledomain.com:1521/orcl.example.com. This URL is used to seed Apple Push Notification Service (APNs) and Google Cloud Messaging (GCM) data.
 | The user name for the Oracle Mobile Security Manager schema, which consists of the prefix that was configured for the repository in RCU followed by
Properties for configuring GCM and APNs |
 | (Optional) Google Cloud Messaging (GCM) notification sender ID. This property is required for Android Mobile Device Management (MDM) functionality. Mobile Security Manager requires GCM credentials to connect to GCM and send push notifications to Android devices. If you are planning to use MDM, you can choose to configure GCM during configuration using Set this property to the project number of the Google API Project you created. For more information, including how to create a Google API Project and obtain a GCM API key, see "Configuring the GCM Entry" in Administering Oracle Mobile Security Suite.
 | (Optional) The full path and file name of the Apple Push Notification Service (APNs) keystore file, which is used to establish a secure connection to the Apple server and to send notifications. The APNs keystore file is required for iOS Mobile Device Management (MDM) functionality. Mobile Security Manager requires an Apple MDM certificate to manage iOS devices. This certificate enables secure communication using Apple Push Notification Services (APNs). If you are planning to use MDM, you can choose to configure APNs during configuration using For more information, including how to obtain an APNs certificate file, see "Configuring the APNS Certificate" in Administering Oracle Mobile Security Suite.
Properties for configuring Exchange server and email settings |
 | (Optional) Specify the domain name of the Exchange server that Oracle Mobile Security Suite will connect to. If specified, you must also enter values for the following four
 | (Optional) Specify the URL of the Exchange server that Oracle Mobile Security Suite will connect to. If specified, you must also enter values for all the other
 | (Optional) Specify the listener URL of the Exchange server that Oracle Mobile Security Suite will connect to. If specified, you must also enter values for all the other
 | (Optional) Specify the version number of the Exchange server that Oracle Mobile Security Suite will connect to. If specified, you must also enter values for all the other
 | (Optional) Specify the administrative user name of the Exchange server that Oracle Mobile Security Suite will connect to. If specified, you must also enter values for all the other
 | (Optional) Specify the Oracle Mobile Security Suite email administrator user name, which must be an email address. If specified, you must also enter values for the following two properties, which Mobile Security Manager uses to send email invites to users.
 | (Optional) Specify the host name of the SMTP server that Oracle Mobile Security Manager will use to send email invites to users. If specified, you must also enter values for
 | (Optional) Specify the port number of the SMTP server that Oracle Mobile Security Manager will use to send email invites to users. If specified, you must also enter values for
 | (Optional) The key length (in bits) for the self-signed CA and generated keys for the Oracle Mobile Security Manager server. The default value is
Properties for Mobile Security Access Server |
 | The host name for Oracle Mobile Security Access Server. If the Mobile Security Access Server instance is behind a load balancer, provide the host name of the load balancer. Note that this and the
 | The SSL port on which the Oracle Mobile Security Access Server instance will be running. If the Mobile Security Access Server instance is behind a load balancer, provide the port number of the load balancer.
Properties required only for configuring Mobile Security Access Server using the idmConfigTool -configOMSS mode=OMSAS command |
|
|
(Optional) This value should be a directory location. This location contains certificates that are used for establishing authentication and trust whenever the Mobile Security Manager Server interacts with external directories or authentication servers. All certificate files present within this location will be added to the Mobile Security Access Server trust stores. This and the following two properties are required for Mobile Security Access Server configuration. Note that these properties are required only to run the |
|
Name of the identity store profile for Oracle Mobile Security Access Server. The |
|
The name of the Oracle Mobile Security Access Server gateway instance. You can create and configure the Mobile Security Access Server gateway instance only after you have installed Mobile Security Access Server. For more information, see Installing Oracle Mobile Security Access Server. |
Sample Oracle Mobile Security Suite Properties File
IDSTORE_SSL_ENABLED: false
IDSTORE_DIRECTORYTYPE: OUD
IDSTORE_HOST: idstore.example.com
IDSTORE_PORT: 1389
#IDSTORE_SSL_CERT_PATH: path_to_directory_containing_ssl_certificates
IDSTORE_BINDDN: cn=orcladmin
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_USERSEARCHBASE: cn=Users,dc=example,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com
IDSTORE_SEARCHBASE: dc=example,dc=com
IDSTORE_LOGINATTRIBUTE: cn
OMSS_OMSM_IDSTORE_PROFILENAME: msmprofile
WLSHOST: examplehost.example.com
WLSADMIN: weblogic
WLSPORT: 7001
OMSS_DOMAIN_LOCATION: /u01/oracle/admin/oam/user_projects/domains/oam_domain
OMSS_IDSTORE_ROLE_SECURITY_ADMIN: OAMAdministrators
OMSS_IDSTORE_ROLE_SECURITY_HELPDESK: MSMHelpdeskUsers
OMSS_SCEP_DYNAMIC_CHALLENGE_USER: adminuser
OMSS_OMSM_SERVER_NAME: WLS_MSM1
OMSS_OMSM_SERVER_HOST: examplehost1.example.com
OMSS_OAM_POLICY_MGR_SERVER_NAME: WLS_AMA1
OMSS_OMSM_FRONT_END_URL: http://lbr-machine:7777
OMSS_PROXY_SERVER_HOST: www-proxy.example.com
OMSS_PROXY_SERVER_PORT: 80
OMSS_PROXY_USER: proxyuser
OMSS_USE_PROXY: false
OMSS_JDBC_URL: jdbc:oracle:thin:@examplehost.example.com:1521/msmdb.example.com
OMSS_OMSM_SCHEMA_USER: DEV3_OMSM
OMSS_GCM_SENDER_ID: 610046050155
OMSS_APNS_FILE: /scratch/keystores/APNS.p12
OMSS_EXCHANGE_DOMAIN_NAME: test.com
OMSS_EXCHANGE_SERVER_URL: http://testuri.com
OMSS_EXCHANGE_LISTENER_URL: http://testuri.com
OMSS_EXCHANGE_SERVER_VERSION: 2.0
OMSS_EXCHANGE_ADMIN_USER: serviceuser
OMSS_EMAIL_ADMIN_USER: admin@acme.com
OMSS_SMTP_HOST: exchangeurl.example.com
OMSS_SMTP_PORT: 80
OMSS_OMSM_SERVER_KEY_LENGTH: 2048
OMSS_MSAS_SERVER_HOST: examplehost.example.com
OMSS_MSAS_SERVER_PORT: 9001
OMSS_OMSAS_AUX_CERTIFICATES_LOCATION:
OMSS_OMSAS_IDSTORE_PROFILENAME: msasprofile
OMSS_GATEWAY_INSTANCE_ID: msas_gateway-1
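Before running idmConfigTool it is worth checking the properties file for the dependencies described in the property table above (the Exchange properties are all-or-none, as are the email-invite properties) and for settings that put credentials on the wire in cleartext. The following POSIX shell linter is an added example written for this page; it is not part of Oracle Mobile Security Suite or idmConfigTool. The property names are those of the sample file above, the file format it parses is the KEY: value layout shown there, and the transport checks (https for the Exchange URLs, LDAP over SSL, a conventional SMTP port, a minimum 2048-bit key) are the editor's recommendations rather than documented Oracle requirements.

```sh
#!/bin/sh
# Added example: lint an idmConfigTool -configOMSS properties file before
# running the tool. Not part of Oracle Mobile Security Suite. Property names
# follow the sample properties file; the transport-security rules are the
# editor's recommendations, not documented Oracle requirements.

# prop FILE KEY : print the value of a "KEY: value" line (empty if absent or
# commented out with a leading #)
prop() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*:[[:space:]]*//p" "$1" | head -n 1
}

# all_or_none FILE LABEL KEY... : the listed keys must all be set or all be
# empty, which is the dependency the property table states for the Exchange
# and email properties. Prints a finding and returns 1 on a partial set.
all_or_none() {
    f=$1; label=$2; shift 2
    set_n=0; total=0
    for k in "$@"; do
        total=$((total + 1))
        if [ -n "$(prop "$f" "$k")" ]; then set_n=$((set_n + 1)); fi
    done
    if [ "$set_n" -ne 0 ] && [ "$set_n" -ne "$total" ]; then
        echo "ERROR: $label: set all of $* or none ($set_n of $total set)"
        return 1
    fi
    return 0
}

# check_omss_props FILE : print one finding per line; return 0 only if clean
check_omss_props() {
    f=$1; n=0

    all_or_none "$f" Exchange OMSS_EXCHANGE_DOMAIN_NAME OMSS_EXCHANGE_SERVER_URL \
        OMSS_EXCHANGE_LISTENER_URL OMSS_EXCHANGE_SERVER_VERSION \
        OMSS_EXCHANGE_ADMIN_USER || n=$((n + 1))
    all_or_none "$f" Email OMSS_EMAIL_ADMIN_USER OMSS_SMTP_HOST OMSS_SMTP_PORT \
        || n=$((n + 1))

    # The email administrator must be an email address
    case "$(prop "$f" OMSS_EMAIL_ADMIN_USER)" in
        "" | *@*) ;;
        *) echo "ERROR: OMSS_EMAIL_ADMIN_USER must be an email address"; n=$((n + 1)) ;;
    esac

    # Properties the table does not mark optional for the OMSM run
    for k in OMSS_JDBC_URL OMSS_OMSM_SCHEMA_USER OMSS_MSAS_SERVER_HOST OMSS_MSAS_SERVER_PORT; do
        if [ -z "$(prop "$f" "$k")" ]; then echo "ERROR: $k is required"; n=$((n + 1)); fi
    done

    # Transport security: the IDSTORE_BINDDN password travels on the LDAP bind
    # and the Exchange admin password to the Exchange URLs, so cleartext
    # transports expose those credentials (editor's recommendation)
    if [ "$(prop "$f" IDSTORE_SSL_ENABLED)" = "true" ]; then
        if [ -z "$(prop "$f" IDSTORE_SSL_CERT_PATH)" ]; then
            echo "ERROR: IDSTORE_SSL_ENABLED is true but IDSTORE_SSL_CERT_PATH is not set"; n=$((n + 1))
        fi
    else
        echo "WARN: IDSTORE_SSL_ENABLED is not true; the LDAP bind is in cleartext"; n=$((n + 1))
    fi
    for k in OMSS_EXCHANGE_SERVER_URL OMSS_EXCHANGE_LISTENER_URL; do
        case "$(prop "$f" "$k")" in
            http://*) echo "WARN: $k uses http://, not https://"; n=$((n + 1)) ;;
        esac
    done
    case "$(prop "$f" OMSS_SMTP_PORT)" in
        "" | 25 | 465 | 587) ;;
        *) echo "WARN: OMSS_SMTP_PORT is not a usual SMTP port (25, 465, 587)"; n=$((n + 1)) ;;
    esac

    # Self-signed CA and server key size
    kl=$(prop "$f" OMSS_OMSM_SERVER_KEY_LENGTH)
    if [ -n "$kl" ] && [ "$kl" -lt 2048 ] 2>/dev/null; then
        echo "ERROR: OMSS_OMSM_SERVER_KEY_LENGTH $kl is below 2048 bits"; n=$((n + 1))
    fi

    # Using a proxy needs both host and port
    if [ "$(prop "$f" OMSS_USE_PROXY)" = "true" ]; then
        for k in OMSS_PROXY_SERVER_HOST OMSS_PROXY_SERVER_PORT; do
            if [ -z "$(prop "$f" "$k")" ]; then echo "ERROR: OMSS_USE_PROXY is true but $k is not set"; n=$((n + 1)); fi
        done
    fi

    # idmConfigTool prompts for every password; none belongs in this file
    if grep -qiE '^[[:space:]]*[A-Z_]*(PASSWORD|PASSWD|SECRET)[A-Z_]*[[:space:]]*:' "$f"; then
        echo "ERROR: password-like property found; idmConfigTool prompts for passwords, keep them out of the file"; n=$((n + 1))
    fi

    [ "$n" -eq 0 ]
}

# Usage: sh check_omss_props.sh omss.properties
if [ "$#" -gt 0 ]; then check_omss_props "$1"; fi
```

Run against the sample file above, the linter reports the cleartext LDAP bind, the two http:// Exchange URLs and the SMTP port 80; a partially filled Exchange block or a password pasted into the file is reported as an error.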
Perform the steps in this section to run the idmConfigTool -configOMSS mode=OMSM command. This command configures the identity store, keystores, and trust stores for Oracle Mobile Security Manager.
Note:
Before running idmConfigTool:
Make sure that you have created the required properties file, as described in Section 10.8.1, "Creating the Oracle Mobile Security Suite Properties File."
Ensure that the WebLogic Administration Server and LDAP server are running. At this point, the Managed Servers should be down. For more information, see Appendix C, "Starting the Stack."
Oracle Access Manager and Oracle Mobile Security Manager must be configured against the same identity store when you run idmConfigTool -configOAM and idmConfigTool -configOMSS mode=OMSM to configure Oracle Access Manager and Oracle Mobile Security Manager, respectively.
Set the following environment variables:
Set MW_HOME to the full path of the Oracle Identity and Access Management Middleware home, that is, the Oracle Middleware Home that was created when you installed Oracle WebLogic Server 11g Release 1 (10.3.6) on your system. For example, /u01/oracle/products/fmw_oam.
Set ORACLE_HOME to the full path of the Oracle home where Oracle Access Manager and Oracle Mobile Security Manager are installed, that is, the location of your IAM_HOME directory. For example, /u01/oracle/products/fmw_oam/Oracle_IDM1.
Set WL_HOME to the top-level directory of your Oracle WebLogic Server installation. For example, /u01/oracle/products/fmw_oam/wlserver_10.3.
Set JAVA_HOME to the full path of the JDK directory.
Change directory to the IAM_HOME/idmtools/bin directory:
cd IAM_HOME/idmtools/bin
Run the following command:
idmConfigTool.sh -configOMSS mode=OMSM input_file=configfile log_level=level log_file=log_file
Where:
(Required) input_file is the full or relative path to the properties file you created in Section 10.8.1, "Creating the Oracle Mobile Security Suite Properties File."
(Optional) log_level is the level of logging performed by idmConfigTool. Possible values are ALL, SEVERE, WARNING, INFO, CONFIG, FINE, FINER, and FINEST. If not specified, the default is INFO.
(Optional) log_file is the full or relative path to the file where idmConfigTool stores the log data. If not specified, idmConfigTool creates a log file named automation.log in the directory where you run the tool.
For example:
idmConfigTool.sh -configOMSS mode=OMSM input_file=omss.properties
Where omss.properties is a properties file containing configuration parameters specific to your environment. For information on creating this file, see Section 10.8.1, "Creating the Oracle Mobile Security Suite Properties File."
Note:
This command creates the following files in the DOMAIN_HOME/config/fmwconfig directory for the Oracle Mobile Security Manager Server:
server-identity.jks: This keystore holds the identity (private key and certificate) that the Oracle Mobile Security Manager Server presents when it is accessed by a Mobile Security Access Server instance, so that the instance can validate the server's identity.
wlstrust.jks: This trust store holds the trusted certificates that let Oracle Mobile Security Manager trust other entities, such as your Mobile Security Access Server instance, database, and Directory Server. An administrator might still need to import additional trusted certificates into wlstrust.jks whenever required.
When the command runs, it prompts you to enter the password of the account used to connect to the identity store (the IDSTORE_BINDDN user). It also prompts you for the following:
Enter OMSS Keystore Password: Enter a password that will be used to generate the Mobile Security Manager keystores and keys.
Enter Email User Password: Displayed only if you set OMSS_EMAIL_ADMIN_USER in the properties file. Enter the password for the Oracle Mobile Security Suite email administrator (OMSS_EMAIL_ADMIN_USER).
Enter Exchange User Password: Displayed only if you set OMSS_EXCHANGE_ADMIN_USER in the properties file. Enter the password for the Exchange server's administrative user (OMSS_EXCHANGE_ADMIN_USER).
Enter Proxy User Password: Displayed only if you set OMSS_PROXY_USER in the properties file. Enter the password for connecting to the proxy server.
Enter SCEP Dynamic Challenge Password: Displayed only if you set OMSS_SCEP_DYNAMIC_CHALLENGE_USER in the properties file. Enter the password for the SCEP Dynamic Challenge user (OMSS_SCEP_DYNAMIC_CHALLENGE_USER).
Enter OMSM Schema User Password: Enter the password for the Oracle Mobile Security Manager schema (OMSS_OMSM_SCHEMA_USER).
Enter APNS Keystore Password: Displayed only if you set OMSS_APNS_FILE in the properties file. Enter the Apple Push Notification Service (APNs) keystore password.
Enter GCM API Key: Displayed only if you set OMSS_GCM_SENDER_ID in the properties file. Enter the API key value for Google Cloud Messaging (GCM) notifications.
Enter Weblogic Password: Enter the password for the WebLogic Server Administrator user (WLSADMIN).
Because every secret is collected at these prompts, none of them needs to appear in the properties file or on the command line.
Sample command output:
Enter ID Store Bind DN Password:
Enter OMSS Keystore Password:
Enter Email User Password:
Enter Exchange User Password:
Enter Proxy User Password:
Enter SCEP Dynamic Challenge Password:
Enter OMSM Schema User Password:
Enter APNS Keystore Password:
Enter GCM API Key:
Enter Weblogic Password:
(1/8) MSM Configurations Success
(2/8) Seeding User Notification Templates Success
(3/8) Seeding CSF Credentials Success
(4/8) Configuring IDS Profile Success
(5/8) Configuring OMSS Authentication Provider Success
(6/8) Creating MSM Keystores Success
(7/8) Configuring MSM Server's SSL Success
(8/8) OAM Console Integration Success
Check the log file for any errors or warnings and correct them before continuing.
Restart the WebLogic Administration Server for certain changes to take effect.
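The sample output shows the eight steps the tool reports, and the procedure asks you to check the log before restarting. The following POSIX shell wrapper is an added example written for this page, not part of idmConfigTool: it runs the documented command with its console output captured, confirms that all eight steps ended in Success, scans the log for SEVERE or WARNING records, and checks that the two keystores described in the note above were created. It assumes that IAM_HOME and DOMAIN_HOME are exported, that the step markers look like the sample output (with no parentheses inside step names), and that log records carry the java.util.logging level names that idmConfigTool accepts as log_level values; the exact log record layout is not documented on this page and is assumed.

```sh
#!/bin/sh
# Added example, not part of idmConfigTool: run -configOMSS mode=OMSM with the
# console output captured and refuse to continue unless every step succeeded,
# the log is free of SEVERE/WARNING records, and the keystores were created.

# steps_ok OUTPUT_FILE : parse "(i/N) <step> Success" markers (all on one
# line or one per line) and require every one of the N steps to be present
# and to end in Success.
steps_ok() {
    grep -oE '\([0-9]+/[0-9]+\)[^()]*' "$1" | awk '
        BEGIN { bad = 0; total = 0 }
        {
            split($1, p, "/"); i = substr(p[1], 2) + 0; total = p[2] + 0
            seen[i] = 1
            if ($NF != "Success") { printf "step %d did not succeed: %s\n", i, $0; bad = 1 }
        }
        END {
            if (total == 0) { print "no step markers found in output"; exit 1 }
            for (k = 1; k <= total; k++)
                if (!(k in seen)) { printf "step %d missing from output\n", k; bad = 1 }
            exit bad
        }'
}

# log_clean LOGFILE : fail (printing the offending records) if the log holds
# SEVERE or WARNING entries. The level names are the java.util.logging levels
# idmConfigTool uses for log_level; the record layout is assumed.
log_clean() {
    if [ ! -r "$1" ]; then echo "log file $1 is not readable"; return 1; fi
    if grep -nE '(^|[[:space:]])(SEVERE|WARNING)(:|[[:space:]]|$)' "$1"; then
        return 1
    fi
    return 0
}

# keystores_present DOMAIN_HOME : the two files the command is documented to create
keystores_present() {
    ok=0
    for ks in server-identity.jks wlstrust.jks; do
        if [ ! -s "$1/config/fmwconfig/$ks" ]; then
            echo "missing or empty: $1/config/fmwconfig/$ks"; ok=1
        fi
    done
    return $ok
}

# run_configomss PROPS LOGFILE : the documented command, with stdout tee'd to
# a temporary file so the step markers can be checked. Passwords are still
# typed at the prompts; nothing secret goes on the command line or in PROPS.
run_configomss() {
    props=$1; log=$2
    out=$(mktemp)
    "$IAM_HOME/idmtools/bin/idmConfigTool.sh" -configOMSS mode=OMSM \
        input_file="$props" log_file="$log" | tee "$out"
    steps_ok "$out" && log_clean "$log" && keystores_present "$DOMAIN_HOME"
}

# Usage: IAM_HOME=... DOMAIN_HOME=... sh run_configomss.sh omss.properties omss.log
if [ "$#" -eq 2 ]; then
    run_configomss "$1" "$2" && echo "configOMSS completed cleanly; restart the Administration Server"
fi
```

The wrapper keeps the interactive prompts intact (tee only copies standard output), so the passwords are never written to the captured file; only the prompt text and the step markers are.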
Note:
After you have completed all the required configuration steps, as described in the Configuration Roadmap for Oracle Mobile Security Suite, the default administrator roles, users, and groups for your Oracle Mobile Security Suite deployment are configured as follows:
The Oracle Access Manager administrator user (IDSTORE_OAMADMINUSER) is a member of the Oracle Access Manager administrator group (OAM11G_IDSTORE_ROLE_SECURITY_ADMIN) in the identity store.
The Oracle Access Manager administrator group (OAM11G_IDSTORE_ROLE_SECURITY_ADMIN) is a member of the WebLogic Server administrator group (IDSTORE_WLSADMINGROUP) in the identity store.
The WebLogic Server administrator user (IDSTORE_WLSADMINUSER) is a member of the WebLogic Server administrator group (IDSTORE_WLSADMINGROUP) in the identity store.
The WebLogic Server administrator group (IDSTORE_WLSADMINGROUP) maps to the WebLogic Admin role in WebLogic Server.
The Oracle Access Manager administrator group (OAM11G_IDSTORE_ROLE_SECURITY_ADMIN) maps to the Oracle Access Manager admin role in Oracle Access Manager.
These five statements together give you two users, IDSTORE_OAMADMINUSER and IDSTORE_WLSADMINUSER, with the following privileges:
The IDSTORE_OAMADMINUSER user has full administration privileges over Oracle WebLogic Server, Oracle Access Manager, and Oracle Mobile Security Suite components: through the nested group membership described above it holds the WebLogic Admin role as well as the Oracle Access Manager admin role. This user can log in to the WebLogic Server Administration Console, the Oracle Access Management Console, and the Policy Manager Console (to access the Mobile Security Manager pages) without any authentication or authorization issues. Treat it as the most privileged account in the deployment.
The IDSTORE_WLSADMINUSER user has full administration privileges over WebLogic Server only. This user is granted administrator privileges on the WebLogic Server Administration Console and can be used only for WebLogic Server administration; it cannot be used for Oracle Access Management or Oracle Mobile Security Suite administration.
If you want to create and add additional administrator groups after configuration, see Section 10.11, "Optional: Creating Additional Administrator Groups After Configuration."
Note:
After running the idmConfigTool -configOMSS mode=OMSM command, you can create Managed Servers on remote machines by using the pack and unpack commands. For more information, see "Creating and Starting a Managed Server on a Remote Machine" in Creating Templates and Domains Using the Pack and Unpack Commands.
After successfully running the idmConfigTool -configOMSS mode=OMSM command, start the Managed Servers for Oracle Access Manager (WLS_OAM1), Access Manager Policy Manager (WLS_AMA1), and Oracle Mobile Security Manager (WLS_MSM1). For more information, see Appendix C, "Starting the Stack."
Verify the configuration of Oracle Mobile Security Manager and Oracle Access Manager, as follows:
Ensure that the following servers are up and running:
Oracle WebLogic Administration Server
Oracle Access Manager Managed Server (WLS_OAM1)
Oracle Access Manager Policy Manager Managed Server (WLS_AMA1)
Oracle Mobile Security Manager Managed Server (WLS_MSM1)
Verify the Oracle WebLogic Server Administration Console. If the installation and configuration are successful, this console shows the Administration Server in running mode.
Log in to the Administration Console for Oracle Access Management using the following URL:
http://adminserver_host:adminserver_port/oamconsole
When you access this Administration Console running on the Administration Server, you are prompted to enter a user name and password. Log in as the Oracle Access Manager administrator user (IDSTORE_OAMADMINUSER) you created in Section 10.6, "Preparing Your LDAP Directory as the Identity Store." Note that this user must have the Administrator role and privileges.
Log in to the Oracle Access Manager Policy Manager Console using the following URL:
http://oam_policy_mgr_host:oam_policy_mgr_port/access
When you access the Policy Manager Console running on the Policy Manager Server, you are prompted to enter a user name and password. Log in as the Oracle Access Manager administrator user (IDSTORE_OAMADMINUSER) you created in Section 10.6, "Preparing Your LDAP Directory as the Identity Store."
For more information about the Policy Manager Server, see the "Unified Access Console" topic in Administering Oracle Mobile Security Suite.
From the Policy Manager Console, click the Configuration tab in the top right corner.
In the Configuration Launch Pad, click Available Services.
On the Available Services page, ensure that the status of Mobile Security Service shows a green check mark. If not, click Enable Service next to Mobile Security Service to enable it.
After you enable Mobile Security Service, you can access the Mobile Security Manager pages on the Policy Manager Console.
To access the Mobile Security Manager console pages, click the Mobile Security tab in the top right corner.
The Mobile Security Launch Pad opens. Under Mobile Security Manager, click View to choose from the Mobile Security Manager console pages in the menu.
For more information about these pages, see "Working With the Mobile Security Manager Console Pages" in Administering Oracle Mobile Security Suite.
After the installation and configuration process, specific users, groups, and roles for your Oracle Mobile Security Suite deployment have been set up in the LDAP directory by default. If you want to create and add additional administrator groups for Oracle Access Manager and Oracle Mobile Security Suite administration, see the following topics:
After configuration, the Oracle Access Manager administrator group, OAM11G_IDSTORE_ROLE_SECURITY_ADMIN, is configured as the default administrator group that has administrator privileges over both Oracle Access Manager and Oracle Mobile Security Suite.
To assign full Oracle Access Manager and Oracle Mobile Security Suite administrator privileges to an additional LDAP group:
Create a group in the LDAP directory or use an existing group that you have already created.
Log in to the Policy Manager Console as the Oracle Access Manager administrator user, IDSTORE_OAMADMINUSER, using the following URL:
http://oam_policy_mgr_host:oam_policy_mgr_port/access
Grant Oracle Access Manager administrator group privileges to the new group.
Click the Configuration tab in the top right corner.
In the Configuration Launch Pad, click Administration.
On the Administration page, click Grant.
Enter the name of the group in the Name field and click Search.
In the search results, select the name of the group.
For Role, select System Administrator.
Click Add selected.
If Oracle Mobile Security Manager configuration, as described in Section 10.8, "Configuring Oracle Mobile Security Manager," is already complete, then this new group will be automatically added as an Oracle Mobile Security Suite administrator group as well.
However, if Oracle Mobile Security Manager is not yet configured, then you must manually assign the group to be an Oracle Mobile Security Suite administrator group. To do this, perform the following steps:
Navigate to the Configuration Launch Pad in the Configuration tab.
Under Settings, click View and select Mobile Security Manager Settings.
On the Mobile Security Settings page, select Identity Store Settings.
Under System Admin Groups, click Add.
In the Group Name field, enter the name of the LDAP group to be added as an Oracle Mobile Security Suite administrator group.
Click Apply.
Grant WebLogic administrator privileges to the new administrator group. You can do this in either of two ways:
Make this group a member of the WebLogic Server administrator group, IDSTORE_WLSADMINGROUP, in the identity store. Every member of the new group then holds the WebLogic Admin role through this nesting, exactly as the default Oracle Access Manager administrator group does.
OR
Grant WebLogic administrator privileges through the WebLogic Server Administration Console as follows:
Log in to the WebLogic Server Administration Console.
Click Security Realms from the Domain Structure menu.
Click myrealm in the Realms table.
Click the Roles and Policies tab.
Expand the Global Roles entry in the Roles table. This brings up the entry for Roles.
Click Roles under the Global Roles entry.
Click the Admin role in the Global Roles table.
Under Role Conditions, click Add Conditions.
Select Group from the predicate list and click Next.
In the Group Argument Name field, enter the name of the new group.
Click Add.
Click Finish.
Role Conditions now shows the new administrator group as an entry.
Click Save, and then restart the Administration Server and Managed Servers.
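The note on default roles in Section 10.8 explains that IDSTORE_OAMADMINUSER becomes a WebLogic administrator only through nesting (the Oracle Access Manager administrator group is itself a member of the WebLogic Server administrator group), and the procedure above adds a further group to that chain. Being able to see who ends up with the WebLogic Admin role once the directory has been changed is therefore useful. The following POSIX shell script is an added example written for this page, not an Oracle tool: it reads an LDIF export of the group entries (such as ldapsearch output), resolves nested membership, and reports whether a user lands in the WebLogic and Oracle Access Manager administrator groups. The two group DNs, the groupOfUniqueNames/uniqueMember attribute, the case-insensitive DN comparison and the sample LDIF in the test are assumptions made for the example, chosen to match the OUD identity store and the OAMAdministrators group name in the sample properties file.

```sh
#!/bin/sh
# Added example, not an Oracle tool: resolve nested group membership from an
# LDIF export and report effective administrator group membership.
# Assumptions: groups carry uniqueMember (or member) attributes, DNs compare
# case-insensitively (a simplification of LDAP DN matching), base64 (dn::)
# values are not used, and the two administrator group DNs below match your
# identity store (cn=Groups,dc=example,dc=com as in the sample properties file).

# Assumed DNs of IDSTORE_WLSADMINGROUP and OAM11G_IDSTORE_ROLE_SECURITY_ADMIN
WLS_ADMIN_GROUP_DN="cn=WLSAdmins,cn=Groups,dc=example,dc=com"
OAM_ADMIN_GROUP_DN="cn=OAMAdministrators,cn=Groups,dc=example,dc=com"

# effective_groups LDIF_FILE MEMBER_DN : print every group DN that contains
# MEMBER_DN directly or through nested groups, one per line, sorted.
effective_groups() {
    # join LDIF continuation lines (a line starting with a space continues the previous one)
    sed -e :a -e '$!N;s/\n //;ta' -e 'P;D' "$1" | awk -v start="$2" '
        # index member -> containing groups while reading dn: and member lines
        tolower($0) ~ /^dn: /                    { dn = substr($0, index($0, ":") + 2) }
        tolower($0) ~ /^(uniquemember|member): / {
            m = tolower(substr($0, index($0, ":") + 2))
            parents[m] = parents[m] "\n" dn
        }
        END {
            # breadth-first walk from the user up through every containing group
            queue[1] = tolower(start); head = 1; tail = 1
            while (head <= tail) {
                n = split(parents[queue[head]], gs, "\n")
                for (i = 1; i <= n; i++) {
                    if (gs[i] == "") continue
                    g = tolower(gs[i])
                    if (!(g in seen)) { seen[g] = 1; tail++; queue[tail] = g; print gs[i] }
                }
                head++
            }
        }' | sort
}

# admin_status LDIF_FILE USER_DN : print "WLS_ADMIN=yes|no OAM_ADMIN=yes|no"
admin_status() {
    gl=$(effective_groups "$1" "$2")
    wls=no; oam=no
    if printf '%s\n' "$gl" | grep -qixF "$WLS_ADMIN_GROUP_DN"; then wls=yes; fi
    if printf '%s\n' "$gl" | grep -qixF "$OAM_ADMIN_GROUP_DN"; then oam=yes; fi
    echo "WLS_ADMIN=$wls OAM_ADMIN=$oam"
}

# Usage: ldapsearch -LLL -b cn=Groups,dc=example,dc=com '(objectClass=groupOfUniqueNames)' > groups.ldif
#        sh admin_status.sh groups.ldif 'cn=alice,cn=Users,dc=example,dc=com'
if [ "$#" -eq 2 ]; then admin_status "$1" "$2"; fi
```

Run for the default accounts, the script reproduces the note in Section 10.8: the Oracle Access Manager administrator is reported as both WLS_ADMIN=yes and OAM_ADMIN=yes, while the WebLogic administrator is WLS_ADMIN=yes only. A member of a group you nest into the WebLogic administrator group, as in the first option above, is reported the same way as the Oracle Access Manager administrator.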
After configuration, the Oracle Mobile Security Suite help desk role, OMSS_IDSTORE_ROLE_SECURITY_HELPDESK, is configured as the default administrator role that provides help desk administrative privileges for some Oracle Mobile Security Suite operations. A help desk role is associated with a directory group, which has limited administrator privileges. This group has to be created manually.
To assign help desk privileges to an LDAP group:
Create a group in the LDAP directory or use an existing group that you have already created.
Log in to the Policy Manager Console as the Oracle Access Manager administrator user, IDSTORE_OAMADMINUSER, using the following URL:
http://oam_policy_mgr_host:oam_policy_mgr_port/access
Grant Oracle Access Manager help desk administrator privileges to the group.
Click the Configuration tab in the top right corner.
In the Configuration Launch Pad, click Administration.
On the Administration page, click Grant.
Enter the name of the group in the Name field and click Search.
In the search results, select the name of the group.
For Role, select Help Desk Administrator.
Click Add selected.
If Oracle Mobile Security Manager configuration, as described in Section 10.8, "Configuring Oracle Mobile Security Manager," is already complete, then this new group will be automatically added as an Oracle Mobile Security Suite help desk administrator group as well.
However, if Oracle Mobile Security Manager is not yet configured, then you must manually assign the group to be an Oracle Mobile Security Suite help desk group. To do this, perform the following steps:
Navigate to the Configuration Launch Pad in the Configuration tab.
Under Settings, click View and select Mobile Security Manager Settings.
On the Mobile Security Settings page, select Identity Store Settings.
Under Helpdesk Groups, click Add.
In the Group Name field, enter the name of the LDAP group to be added as an Oracle Mobile Security Suite help desk administrator group.
Click Apply.
After installing and configuring Oracle Mobile Security Manager with Oracle Access Manager, you need to install and configure the Oracle Mobile Security Access Server component. The installation of Mobile Security Access Server is not covered in this section; follow the instructions in Section 10.12, "Installing Oracle Mobile Security Access Server."
After installing Oracle Mobile Security Suite, refer to the following links to get started working with the Oracle Mobile Security Suite components: