2 Integrating Access Manager and Oracle Identity Manager

This chapter provides step-by-step instructions for integrating Oracle Access Management Access Manager (Access Manager) and Oracle Identity Manager (Enterprise Edition). The exact details in this chapter may differ depending on your specific deployment. Adapt information as required for your environment.

The integration instructions assume Identity Management components have been configured on separate Oracle WebLogic domains, as discussed in "Basic Integration Topology." For prerequisite and detailed information on how the components were installed and configured in this example integration, see Installation Guide for Oracle Identity and Access Management.

If you are deploying Oracle Identity Management components in an enterprise integration topology, as discussed in "The Enterprise Integration Topology," see Enterprise Deployment Guide for Oracle Identity and Access Management for implementation procedures. If you are planning to design and deploy a high availability environment for Access Manager and Oracle Identity Manager, see High Availability Guide for concepts and configuration steps.

This chapter contains these sections:

2.1 About Oracle Identity Manager and Access Manager Integration

This section contains the following topics:

2.1.1 Integrating Oracle Identity Manager with Access Manager

This integration scenario enables you to manage identities with Oracle Identity Manager and control access to resources with Oracle Access Management Access Manager. Oracle Identity Manager is a user provisioning and administration solution that automates user account management, whereas Access Manager provides a centralized and automated single sign-on (SSO) solution.

In the Oracle Access Management Access Manager (Access Manager) and Oracle Identity Manager (OIM) integration, users have the capability to:

  • Create and reset the password without assistance for expired and forgotten passwords

  • Recover passwords using challenge questions and answers

  • Set up challenge questions and answers

  • Perform self-service registration

  • Perform self-service profile management

  • Access multiple applications securely with one authentication step

For more information about password management flows when Access Manager and Oracle Identity Manager are integrated, see Section 1.5.3, "Password Management Scenarios."

2.1.2 Access Manager and Oracle Identity Manager Single-Node Integration Topology

You must configure Oracle Identity Management components in separate WebLogic Server domains (split domain topology), as discussed in Section 1.2.1, "Basic Integration Topology," and separate Oracle Middleware homes. Otherwise, attempts to patch or upgrade one product may be blocked by a version dependency on a component shared with another. When you install Oracle Identity Management components in a single WebLogic Server domain, there is a risk that the component (libraries, jars, utilities, and custom plug-ins) you are installing into the domain might not be compatible with other components, thereby resulting in problems across your entire domain.

Access Manager uses a database for policy data and a directory server for identity data. This integration scenario assumes a single directory server. The directory server must also be installed in a separate domain and a separate Middleware home.

Note:

The instructions in this chapter assume that you will use Oracle Unified Directory as the identity store. Other component configurations are possible. Refer to "Configuring the Identity Store" for more information about supported LDAP servers.

2.1.3 Access Manager and Oracle Identity Manager Integration Roadmap

Table 2-1 lists the high-level tasks for integrating Access Manager and Oracle Identity Manager with Oracle Unified Directory.

Depending on your installation path, you may already have performed some of the integration procedures listed in this table. For details on the installation roadmap, see Section 1.1.1, "Understanding the Installation Roadmap."

Table 2-1 Integration Flow for Access Manager and Oracle Identity Manager

No. Task / Information

1. Verify that all required components have been installed and configured prior to integration. For more information, see Access Manager and Oracle Identity Manager Integration Prerequisites.

2. Configure LDAP synchronization for Oracle Identity Manager if LDAP synchronization was not enabled during OIM installation. For more information, see Configuring LDAP Synchronization.

3. Configure the identity store by extending the schema. For information, see Extending Directory Schema for Access Manager.

4. Configure the identity store with the users required by Access Manager. For information, see Creating Users and Groups for Access Manager.

5. Configure the identity store with the users required by Oracle Identity Manager. For information, see Creating Users and Groups for Oracle Identity Manager.

6. Configure the identity store with the users required by Oracle WebLogic Server. For more information, see Creating Users and Groups for Oracle WebLogic Server.

7. Stop the Oracle WebLogic Server managed servers for Access Manager and Oracle Identity Manager. For information, see "Stopping the Stack" in Installation Guide for Oracle Identity and Access Management.

8. Extend Access Manager to support Oracle Identity Manager. For information, see Configuring Access Manager for Oracle Identity Manager Integration.

9. Integrate Access Manager and Oracle Identity Manager. For information, see Integrating Access Manager with Oracle Identity Manager.

10. Configure the WebGate on the Oracle HTTP Server (OHS) to point to the 11g OAM Server. For information, see Configuring Oracle HTTP Server to Front-End Resources on Oracle Identity Manager.

11. Delete IAMSuiteAgent (the IDM Domain Agent) and restart the Oracle WebLogic Server Administration and Managed Servers. For information, see Deleting the IAMSuiteAgent Security Provider from WebLogic.

12. Test the integration. For information, see Functionally Testing the Access Manager and Oracle Identity Manager Integration.


2.1.4 Access Manager and Oracle Identity Manager Integration Prerequisites

In the following sections it is assumed that the required components, as listed in Table 2-2, have already been installed, including any dependencies, and the environment already configured prior to the integration. For more information about the integration topologies, see Section 1.2, "Integration Topologies."

Table 2-2 Required Components for Integration Scenario

Component Information

Oracle HTTP Server with 11g WebGate or 10g WebGate

Oracle HTTP Server with 11g WebGate or 10g WebGate is installed.

For information about the installation and registration of the 10g WebGates for use with Access Manager 11g, see "Registering and Managing 10g WebGates with Access Manager 11g" in Administrator's Guide for Oracle Access Management.

For information about the installation and registration of the 11g WebGate for use with Access Manager 11g, see "Installing and Configuring Oracle HTTP Server 11g WebGate for OAM" in Oracle Fusion Middleware Installing Webgates for Oracle Access Manager.

The Oracle HTTP Server (OHS) profile must have been updated before the Oracle Identity Manager administration pages can launch correctly after the integration with Access Manager is completed. For more information, see Configuring Oracle HTTP Server to Front-End Resources on Oracle Identity Manager.

Oracle SOA Suite

Oracle Identity Manager requires Oracle SOA Suite 11g Release 1 (11.1.1.9.0), which is exclusive to Oracle Identity and Access Management.

SOA Suite is a prerequisite for Oracle Identity Manager and must be installed in the same domain as Oracle Identity Manager. If you use SOA Suite for other purposes, a separate install must be set up for running your own services, composites, BPEL processes, and so on.

For more information, see Oracle Fusion Middleware Installation Guide for Oracle SOA Suite and Oracle Business Process Management Suite.

Oracle Unified Directory

Oracle Unified Directory is installed.

The instructions in this chapter assume that you will use Oracle Unified Directory as the identity store. Other component configurations are possible. Refer to "Configuring the Identity Store" for more information about supported LDAP servers.

For information on Oracle Unified Directory, see Administering Oracle Unified Directory.

Access Manager

Access Manager is already installed.

For information on the configuration, see "Configuring Oracle Access Management" in Installation Guide for Oracle Identity and Access Management.

Oracle Identity Manager

Oracle Identity Manager is already installed and configured with the Enable OIM for Suite integration option selected. Ensure that you have followed the steps for the LDAP directory that you want to configure. See "Configuring Oracle Identity Manager Server" in Installation Guide for Oracle Identity and Access Management.

For information on the installation of Oracle Identity Manager, see "Installing and Configuring Oracle Identity and Access Management" and "Configuring Oracle Identity Manager" in Installation Guide for Oracle Identity and Access Management.

wlfullclient.jar file

Oracle Identity Manager uses the wlfullclient.jar library for certain operations. Oracle does not ship this library, so you must create it manually as a post-configuration step of Oracle Identity Manager configuration. This file must be present before performing the integration steps. If this file does not exist, the IDM Configuration Tool will not be able to connect to the database properly. For information on the creation of the wlfullclient.jar, see "Post-Configuration Steps" in Installation Guide for Oracle Identity and Access Management.


2.2 Configuring LDAP Synchronization

LDAP synchronization is a requirement for Access Manager and Oracle Identity Manager integration.

If you selected the Enable OIM for Suite integration option during the Oracle Identity Manager Server configuration, LDAP synchronization is already enabled: Oracle Identity Manager is integrated with Oracle Unified Directory, and users and groups created in Oracle Identity Manager synchronize automatically with Oracle Unified Directory. You still need to run the LDAP Post-Configuration Utility to enable all the LDAP synchronization-related incremental Reconciliation Scheduler jobs, which are disabled by default. The LDAP Post-Configuration Utility also retrieves the last change number from the Directory Server and updates all the LDAP Sync Incremental Reconciliation jobs. For instructions on running the LDAP Post-Configuration Utility, see Section E.2.1, "Running the LDAP Post-Configuration Utility."

If you did not enable LDAP synchronization during Oracle Identity Manager Server configuration, you must manually configure LDAP Synchronization following the instructions in Section E.1, "Configuring LDAP Synchronization."

2.3 Configuring the Identity Store

If you are integrating Access Manager with Oracle Identity Manager, you must extend the Access Manager schema to support Oracle Identity Manager and seed the identity store with users and groups for use by Access Manager, Oracle Identity Manager, and Oracle WebLogic Server.

This section contains the following topics:

Supported LDAP servers are Oracle Internet Directory, Oracle Unified Directory, Oracle Virtual Directory (used for virtualization), Oracle Directory Server Enterprise Edition, and Active Directory.

For information on Oracle Unified Directory, Oracle Internet Directory, Oracle Virtual Directory (used for virtualization), Oracle Directory Server Enterprise Edition, and Active Directory, refer to the following:

The IdM configuration tool (idmConfigTool) supports a number of tasks to assist in installing, configuring, and integrating Oracle Identity Management (IdM) components. You can use the IdM Configuration Tool only if Oracle Internet Directory (OID) or Oracle Unified Directory (OUD) is used as the identity store, or if standalone Oracle Virtual Directory (OVD) is used for virtualization. The IDM Configuration Tool does not support Oracle Directory Server Enterprise Edition (ODSEE) or Active Directory (AD) when they are used as the identity store; in these cases, you must perform manual configuration steps. For the preConfigIDStore and prepareIDStore mode=OIM, OAM, and WLS commands in idmConfigTool, the equivalent manual steps for AD and ODSEE are documented in the following sections:

Note:

Ensure that the Access Manager and Oracle Identity Manager Administration servers and LDAP server are up and running before running the idmConfigTool command. For more information, see "Starting the Stack" in Installation Guide for Oracle Identity and Access Management.

2.3.1 Extending Directory Schema for Access Manager

Before you can use your LDAP directory as an identity store, you must preconfigure it by using the IDM Configuration Tool. This extends the schema in the LDAP directory to include the object classes required by Access Manager, Oracle Identity Manager, and WebLogic Server. Once the schema has been extended, users are seeded into the directory for later use.

  1. If you are using Oracle Unified Directory as the identity store, retrieve the Oracle Unified Directory keystore password from the admin-keystore.pin file located at:

    OUD_ORACLE_INSTANCE/OUD/config
    

    The keystore password is required for Oracle Unified Directory identity stores. You will use this value when you create the properties file in Step 2.

  2. Create a properties file called extendOAMPropertyFile with contents similar to the following example. The extendOAMPropertyFile file must contain configuration information specific to your environment. You will use this file to configure the LDAP identity store when you run the idmConfigTool command.

    Do not include any blank lines when creating the file.

    IDSTORE_HOST: idstore.example.com
    IDSTORE_PORT: 389
    IDSTORE_BINDDN: cn=orcladmin
    IDSTORE_USERNAMEATTRIBUTE: cn
    IDSTORE_LOGINATTRIBUTE: uid
    IDSTORE_USERSEARCHBASE: cn=Users,dc=example,dc=com
    IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com
    IDSTORE_SEARCHBASE: dc=example,dc=com
    IDSTORE_SYSTEMIDBASE: cn=systemids,dc=example,dc=com
    IDSTORE_DIRECTORYTYPE: OUD
    IDSTORE_ADMIN_PORT : 4444
    IDSTORE_KEYSTORE_FILE : /u01/config/instances/oud1/OUD/config/admin-keystore
    IDSTORE_KEYSTORE_PASSWORD : 4VYGtJLG61V5OjDWKe94e601x7tgLFs
    

    Table 2-3 provides descriptions of the parameters in the extendOAMPropertyFile configuration file example.

    Table 2-3 extendOAMPropertyFile Properties

    Property Description

    IDSTORE_HOST

    Identity store host name.

    • If your identity store is in Oracle Internet Directory or Oracle Unified Directory, then IDSTORE_HOST points directly to the Oracle Internet Directory or Oracle Unified Directory host.

    • If your identity store is fronted by Oracle Virtual Directory, then IDSTORE_HOST points to the Oracle Virtual Directory host, which should be IDSTORE.example.com.

    IDSTORE_PORT

    Identity store port.

    IDSTORE_BINDDN

    An administrative user in the identity store directory.

    IDSTORE_USERNAMEATTRIBUTE

    Username attribute used to set and search for users in the identity store.

    If the user DN is cn=orcladmin,cn=Users,dc=us,dc=example,dc=com, this property should be set to cn.

    IDSTORE_LOGINATTRIBUTE

    Login attribute of the identity store that contains the user's login name.

    This is the attribute the user uses for login, for example uid or email.

    IDSTORE_USERSEARCHBASE

    Location in the directory where users are stored.

    This property tells the directory where to search for users.

    IDSTORE_GROUPSEARCHBASE

    Location in the directory where groups (or roles) are stored.

    This property tells the directory where to search for groups or roles.

    IDSTORE_SEARCHBASE

    Location in the directory where users and groups are stored.

    This property is the parent location that contains the USERSEARCHBASE and the GROUPSEARCHBASE.

    For example:

    IDSTORE_SEARCHBASE: cn=oracleAccounts, dc=example,dc=com
    IDSTORE_USERSEARCHBASE: cn=Users,cn=oracleAccounts,dc=example,dc=com
    IDSTORE_GROUPSEARCHBASE: cn=Groups,cn=oracleAccounts,dc=example,dc=com
    

    IDSTORE_SYSTEMIDBASE

    Location of a container in the directory where system operations users are stored.

    This is so they are kept separate from enterprise users stored in the main user container.

    There are only a few system operations users. One example is the Oracle Identity Manager reconciliation user which is also used for the bind DN user in Oracle Virtual Directory adapters.

    IDSTORE_DIRECTORYTYPE

    Identity store directory type.

    OUD if your identity store is in Oracle Unified Directory and you are accessing it directly rather than through OVD.

    If you are not using Oracle Unified Directory, you can leave out this parameter.

    IDSTORE_ADMIN_PORT

    Administration port of your Oracle Unified Directory instance. If you are not using Oracle Unified Directory, you can leave out this parameter.

    IDSTORE_KEYSTORE_FILE

    Location of the Oracle Unified Directory Keystore file. It is used to enable communication with Oracle Unified Directory using the Oracle Unified Directory administration port. It is called admin-keystore and is located in OUD_ORACLE_INSTANCE/OUD/config. If you are not using Oracle Unified Directory, you can leave out this parameter. This file must be located on the same host that the idmConfigTool command is running on. The command uses this file to authenticate itself with OUD.

    IDSTORE_KEYSTORE_PASSWORD

    Encrypted password of the Oracle Unified Directory keystore. This value can be found in the file OUD_ORACLE_INSTANCE/OUD/config/admin-keystore.pin. If you are not using Oracle Unified Directory, you can leave out this parameter.


  3. Set the environment variables required for the idmconfigtool command. For information on setting environment variables, see Section D.2, "Set Up Environment Variables."

  4. Change the directory to the IAM_ORACLE_HOME/idmtools/bin directory:

    cd IAM_ORACLE_HOME/idmtools/bin
    

    You will be running the idmConfigTool command from the IAM_ORACLE_HOME/idmtools/bin directory.

  5. Configure the identity store by running the idmConfigTool command with the -preConfigIDStore command option.

    Note:

    The -preConfigIDStore command option supports Oracle Internet Directory, Oracle Unified Directory, and Oracle Virtual Directory.

    On Linux, the command syntax is:

    idmConfigTool.sh -preConfigIDStore input_file=configfile 
    

    On Windows, the command syntax is:

    idmConfigTool.bat -preConfigIDStore input_file=configfile 
    

    For example:

    idmConfigTool.sh -preConfigIDStore input_file=extendOAMPropertyFile 
    

    For information on preConfigIDStore, see Section D.4.1, "preConfigIDStore Command."

    When the command runs, you are prompted to enter the password of the account used to connect to the identity store.

    Sample command output, when running the command against Oracle Unified Directory, is shown as follows:

    Enter ID Store Bind DN password :
    Dec 30, 2014 1:01:52 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: /scratch/user1/Oracle/middleware/Oracle_IDM1//oam/server/oim-intg/ldif/ojd/schema/ojd_oam_pwd_schema_add.ldif
    .
    .
    .
    This tool has completed its operation. Details have been logged to automation.log
    
  6. Check the log file for any errors or warnings and correct them. The automation.log file is created in the directory from which you run idmConfigTool. The tool is reentrant and can be safely run again.

    In addition to creating users, idmConfigTool creates the following groups:

    • OrclPolicyAndCredentialWritePrivilegeGroup

    • OrclPolicyAndCredentialReadPrivilegeGroup
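The following script is an added example and is not part of Oracle's documentation or the idmConfigTool product. It strings together steps 1 to 6 above for an Oracle Unified Directory identity store: it reads the keystore password from admin-keystore.pin, writes extendOAMPropertyFile with the chapter's example values (and with no blank lines, as step 2 requires), runs the -preConfigIDStore command, and counts problem records in automation.log. Two things it relies on are assumptions rather than statements on this page: that admin-keystore.pin holds the password on its first line, and that automation.log uses java.util.logging-style records (INFO:, WARNING:, SEVERE:), which is what the sample output above suggests. The make_demo_fixture function builds a constructed instance layout and a constructed log so the helpers can be exercised without a directory server.

```shell
#!/bin/sh
# Added example (not Oracle's tooling): prepare, run and check a
# -preConfigIDStore run against Oracle Unified Directory.
# Assumptions (not stated on the page): admin-keystore.pin holds the keystore
# password on its first line; automation.log uses java.util.logging-style
# records (INFO:/WARNING:/SEVERE:).

# Step 1: read the keystore password from OUD_ORACLE_INSTANCE/OUD/config/admin-keystore.pin.
read_keystore_pin() {
    pin_file="$1/OUD/config/admin-keystore.pin"
    [ -r "$pin_file" ] || { echo "cannot read $pin_file" >&2; return 1; }
    head -n 1 "$pin_file"
}

# Step 2: write extendOAMPropertyFile.  Host, port and base DNs are the chapter's
# example values; change them for your environment.  The file contains the
# keystore password, so it is created owner-readable only (umask 077) and
# without blank lines, which the tool rejects.
write_extend_oam_property_file() {
    out="$1"; oud_instance="$2"; pin="$3"
    rm -f "$out"
    (
        umask 077
        cat > "$out" <<EOF
IDSTORE_HOST: idstore.example.com
IDSTORE_PORT: 389
IDSTORE_BINDDN: cn=orcladmin
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_USERSEARCHBASE: cn=Users,dc=example,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com
IDSTORE_SEARCHBASE: dc=example,dc=com
IDSTORE_SYSTEMIDBASE: cn=systemids,dc=example,dc=com
IDSTORE_DIRECTORYTYPE: OUD
IDSTORE_ADMIN_PORT : 4444
IDSTORE_KEYSTORE_FILE : $oud_instance/OUD/config/admin-keystore
IDSTORE_KEYSTORE_PASSWORD : $pin
EOF
    )
}

# Succeed only if the properties file has no blank (or whitespace-only) lines.
has_no_blank_lines() {
    ! grep -q '^[[:space:]]*$' "$1"
}

# Step 6 helper: count WARNING/SEVERE records in automation.log; prints 0 for a clean run.
count_log_problems() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    grep -c -E '^(WARNING|SEVERE):' "$1" || true
}

# Steps 3 to 6: run the tool from IAM_ORACLE_HOME/idmtools/bin and fail if the
# log reports problems.  Set the Section D.2 environment variables first and
# pass the properties file as an absolute path (the function changes directory).
run_preconfig_idstore() {
    prop_file="$1"
    has_no_blank_lines "$prop_file" || { echo "blank line in $prop_file" >&2; return 1; }
    cd "$IAM_ORACLE_HOME/idmtools/bin" || return 1
    ./idmConfigTool.sh -preConfigIDStore input_file="$prop_file" || return 1
    problems=$(count_log_problems automation.log) || return 1
    [ "$problems" -eq 0 ] || { echo "$problems problem(s) in automation.log" >&2; return 1; }
}

# Constructed offline fixture: a fake instance layout with a placeholder keystore
# password and a log containing one SEVERE line (none of this is real OUD output).
make_demo_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/OUD/config"
    printf '%s\n' 'demo-keystore-password-placeholder' > "$d/OUD/config/admin-keystore.pin"
    printf '%s\n' \
        'Dec 30, 2014 1:01:52 PM oracle.ldap.util.LDIFLoader loadOneLdifFile' \
        'INFO: -> LOADING: ojd_oam_pwd_schema_add.ldif' \
        'SEVERE: constructed sample failure for the demo' > "$d/automation.log"
    echo "$d"
}
```

Against a live environment, source the script and call read_keystore_pin "$OUD_ORACLE_INSTANCE", write_extend_oam_property_file, then run_preconfig_idstore with the absolute path of the file; the umask and rm -f in the writer matter because the properties file holds the keystore password in clear text, and because umask does not tighten the mode of a file that already exists.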

2.3.2 Creating Users and Groups for Access Manager

Use the IDM Configuration Tool to seed the identity store with the users required by Access Manager.

The idmConfigTool command creates:

  • The oamLDAP user under cn=systemids,dc=example,dc=com. The oamLDAP user is used to connect to LDAP from Access Manager.

  • The oamadmin user under cn=Users,dc=example,dc=com. The oamadmin user is the administrator of the Oracle Access Management Console.

  • The OAMAdministrators group. idmConfigTool assigns the oamadmin user to this group.

To seed the identity store, proceed as follows:

  1. If you are using Oracle Unified Directory as the identity store, perform these steps:

    1. Copy the Oracle Unified Directory Keystore file admin-keystore from the Oracle Unified Directory server to the OAM Admin Server machine. The file is located in the following directory on the Oracle Unified Directory server:

      OUD_ORACLE_INSTANCE/OUD/config
      

      You will use the path on the local machine when you create the properties file in Step 2.

    2. Retrieve the Oracle Unified Directory keystore password from the admin-keystore.pin file located at:

      OUD_ORACLE_INSTANCE/OUD/config
      

      The keystore password is required for Oracle Unified Directory identity stores. You will use this value when you create the properties file in Step 2.

  2. Create a properties file called preconfigOAMPropertyFile with contents similar to the following. The preconfigOAMPropertyFile file must contain configuration information specific to your environment. This file will be used to create the required users and groups for Access Manager when you run the idmConfigTool command.

    Do not include any blank lines when creating the file.

    IDSTORE_HOST : idstore.example.com
    IDSTORE_PORT : 389
    IDSTORE_BINDDN : cn=orcladmin
    IDSTORE_USERNAMEATTRIBUTE: cn
    IDSTORE_LOGINATTRIBUTE: uid
    IDSTORE_USERSEARCHBASE: cn=Users,dc=example,dc=com
    IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com
    IDSTORE_SEARCHBASE: dc=example,dc=com
    IDSTORE_SYSTEMIDBASE: cn=systemids,dc=example,dc=com
    POLICYSTORE_SHARES_IDSTORE: true
    OAM11G_IDSTORE_ROLE_SECURITY_ADMIN:OAMAdministrators
    IDSTORE_OAMSOFTWAREUSER:oamLDAP
    IDSTORE_OAMADMINUSER:oamadmin
    IDSTORE_DIRECTORYTYPE: OUD
    IDSTORE_ADMIN_PORT : 4444
    IDSTORE_KEYSTORE_FILE : <path to file copied from oud install>
    IDSTORE_KEYSTORE_PASSWORD : 4VYGtJLG61V5OjDWKe94e601x7tgLFs
    

    Table 2-4 provides descriptions of the parameters in the preconfigOAMPropertyFile configuration file example.

    Table 2-4 preconfigOAMPropertyFile Properties

    Properties Description

    IDSTORE_HOST

    Identity store host name.

    • If your identity store is in Oracle Internet Directory or Oracle Unified Directory, then point IDSTORE_HOST to Oracle Internet Directory or Oracle Unified Directory, even if you are fronting Oracle Internet Directory with Oracle Virtual Directory.

    • If you are using a directory other than Oracle Internet Directory or Oracle Unified Directory, specify the Oracle Virtual Directory host.

    IDSTORE_PORT

    Identity store port.

    IDSTORE_BINDDN

    An administrative user in the identity store directory.

    IDSTORE_USERNAMEATTRIBUTE

    Username attribute used to set and search for users in the identity store.

    For example, if the user DN is cn=orcladmin,cn=Users,dc=us,dc=example,dc=com, this property should be set to cn.

    IDSTORE_LOGINATTRIBUTE

    Login attribute of the identity store that contains the user's login name.

    This is the attribute the user uses for login, for example uid or email.

    IDSTORE_USERSEARCHBASE

    Location in the directory where users are stored. This property tells the directory where to search for users.

    IDSTORE_GROUPSEARCHBASE

    Location in the directory where groups (or roles) are stored.

    This property tells the directory where to search for groups or roles.

    IDSTORE_SEARCHBASE

    Location in the directory where users and groups are stored.

    This property is the parent location that contains the USERSEARCHBASE and the GROUPSEARCHBASE.

    POLICYSTORE_SHARES_IDSTORE

    true if your policy and identity stores are in the same directory.

    If not, it is set to false.

    OAM11G_IDSTORE_ROLE_SECURITY_ADMIN

    Group used to allow access to the Oracle Access Management Administration Console.

    IDSTORE_OAMSOFTWAREUSER

    Directory user that Access Manager will use to interact with the directory or LDAP server.

    This user is created by the tool.

    IDSTORE_OAMADMINUSER

    User you want to create as your Oracle Access Management Administrator.

    This user is created by the tool.

    IDSTORE_DIRECTORYTYPE

    Identity store directory type.

    OUD if your identity store is in Oracle Unified Directory and you are accessing it directly rather than through OVD.

    If you are not using Oracle Unified Directory, you can leave out this parameter.

    IDSTORE_ADMIN_PORT

    Administration port of your Oracle Unified Directory instance. If you are not using Oracle Unified Directory, you can leave out this parameter.

    IDSTORE_KEYSTORE_FILE

    Location of the Oracle Unified Directory Keystore file. It is used to enable communication with Oracle Unified Directory using the Oracle Unified Directory administration port. It is called admin-keystore and is located in OUD_ORACLE_INSTANCE/OUD/config. If you are not using Oracle Unified Directory, you can leave out this parameter. This file must be located on the same host that the idmConfigTool command is running on. The command uses this file to authenticate itself with OUD.

    IDSTORE_KEYSTORE_PASSWORD

    Encrypted password of the Oracle Unified Directory keystore. This value can be found in the file OUD_ORACLE_INSTANCE/OUD/config/admin-keystore.pin. If you are not using Oracle Unified Directory, you can leave out this parameter.


  3. Set the environment variables required for the idmconfigtool command. For information on setting environment variables, see Section D.2, "Set Up Environment Variables."

  4. Change the directory to the IAM_ORACLE_HOME/idmtools/bin directory:

    cd IAM_ORACLE_HOME/idmtools/bin
    

    You will be running the idmConfigTool command from the IAM_ORACLE_HOME/idmtools/bin directory.

  5. Configure the identity store by running the idmConfigTool command with the -prepareIDStore mode=OAM command option.

    On Linux, the command syntax is:

    idmConfigTool.sh -prepareIDStore mode=OAM input_file=configfile 
    

    On Windows, the command syntax is:

    idmConfigTool.bat -prepareIDStore mode=OAM input_file=configfile 
    

    For example:

    idmConfigTool.sh -prepareIDStore mode=OAM input_file=preconfigOAMPropertyFile 
    

    For information on prepareIDStore mode=OAM, see Section D.4.2.1, "prepareIDStore mode=OAM."

    The command prompts you to enter the password for the account used to connect to the identity store. You are then prompted to create passwords for the following three accounts:

    • oblixanonymous

      The Oblix anonymous user account. It is the public user.

    • oamadmin

      The OAM administrator account. It is used to log in to the Oracle Access Management Console.

    • oamLDAP

      The OAM LDAP account. It is used by Access Manager to connect to the identity store for authentication.

    Sample command output, when running the command against Oracle Unified Directory, is shown as follows:

    Enter ID Store Bind DN password : 
    *** Creation of Oblix Anonymous User ***
    Dec 30, 2014 1:53:55 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING:  /scratch/user1/Oracle/middleware/Oracle_IDM1//idmtools/templates/oud/oam_10g_anonymous_user_template.ldif
    Enter User Password for oblixanonymous: 
    Confirm User Password for oblixanonymous: 
    *** Creation of oamadmin ***
    Dec 30, 2014 1:54:46 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING:  /scratch/user1/Oracle/middleware/Oracle_IDM1//idmtools/templates/oud/oam_user_template.ldif
    Enter User Password for oamadmin: 
    Confirm User Password for oamadmin:
    *** Creation of oamLDAP ***
    Dec 30, 2014 1:55:19 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING:  /scratch/user1/Oracle/middleware/Oracle_IDM1//idmtools/templates/oud/oim_user_template.ldif
    Enter User Password for oamLDAP: 
    Confirm User Password for oamLDAP: 
    Dec 30, 2014 1:55:57 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING:  /scratch/user1/Oracle/middleware/Oracle_IDM1//idmtools/templates/common/oam_user_group_read_acl_template.ldif
    .
    .
    .
    *** Creation of CO ***
    Dec 30, 2014 1:55:58 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING:  /scratch/user1/Oracle/middleware/Oracle_IDM1//idmtools/templates/common/orgunit_template.ldif
    *** Creation of People ***
    Dec 30, 2014 1:55:58 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING:  /scratch/user1/Oracle/middleware/Oracle_IDM1//idmtools/templates/common/orgunit_template.ldif
    *** Creation of vgoLocator ***
    Dec 30, 2014 1:55:58 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING:  /scratch/user1/Oracle/middleware/Oracle_IDM1//idmtools/templates/common/orgunit_template.ldif
    *** Creation of default vgoLocator ***
    Dec 30, 2014 1:55:58 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING:  /scratch/user1/Oracle/middleware/Oracle_IDM1//idmtools/templates/common/esso_default.ldif
    *** Creation of ESSO acl ***
    Dec 30, 2014 1:55:58 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING:  /scratch/user1/Oracle/middleware/Oracle_IDM1//idmtools/templates/oud/esso_acl.ldif
    The tool has completed its operation. Details have been logged to automation.log
    
  6. The automation.log file is created in the directory where you ran the tool. Check the log file for any errors or warnings and correct them. The tool is reentrant and can be safely called again.
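A check a practitioner will want after this procedure is confirmation that the entries the tool is expected to create (oamLDAP under cn=systemids, oamadmin under cn=Users, and the OAMAdministrators group with oamadmin as a member) actually exist in the directory. The script below is an added example, not Oracle's code: it exports the entries with the OpenLDAP ldapsearch client and then checks an LDIF file. The offline part works on a constructed sample export. Assumptions not stated on the page: that group membership is stored in the uniqueMember or member attribute, that the exported LDIF lines are not folded, and that the bind DN is the chapter's cn=orcladmin on port 389.

```shell
#!/bin/sh
# Added example (not Oracle's tooling): verify the users and group that
# idmConfigTool -prepareIDStore mode=OAM is expected to seed.
# Assumptions (not on the page): membership attribute is uniqueMember or
# member; LDIF lines are not folded; OpenLDAP ldapsearch is available.

# Export the entries of interest as LDIF.  -W prompts for the bind password
# instead of exposing it on the command line.  Usage: export_seeded_entries HOST BASE_DN OUTFILE
export_seeded_entries() {
    ldapsearch -x -LLL -H "ldap://$1:389" -D cn=orcladmin -W -b "$2" \
        '(|(cn=oamLDAP)(cn=oamadmin)(cn=OAMAdministrators))' dn uniqueMember member > "$3"
}

# Succeed if the LDIF file has an entry with exactly this DN (case-insensitive).
# awk paragraph mode (RS="") treats each blank-line-separated entry as one record.
ldif_has_entry() {
    awk -v want="dn: $2" 'BEGIN { RS=""; FS="\n"; found=0 }
        tolower($1) == tolower(want) { found=1 }
        END { exit !found }' "$1"
}

# Succeed if the entry GROUP_DN lists MEMBER_DN in uniqueMember or member.
ldif_group_has_member() {
    awk -v gdn="dn: $2" -v m="$3" 'BEGIN { RS=""; FS="\n"; found=0 }
        tolower($1) == tolower(gdn) {
            for (i = 2; i <= NF; i++)
                if (tolower($i) == tolower("uniqueMember: " m) ||
                    tolower($i) == tolower("member: " m)) found=1
        }
        END { exit !found }' "$1"
}

# Generic check: every ENTRY_DN and GROUP_DN exists, and MEMBER_DN is in GROUP_DN.
# Usage: verify_seed LDIF GROUP_DN MEMBER_DN ENTRY_DN...
verify_seed() {
    ldif="$1"; group="$2"; member="$3"; shift 3
    rc=0
    for dn in "$@" "$group"; do
        ldif_has_entry "$ldif" "$dn" || { echo "missing entry: $dn" >&2; rc=1; }
    done
    ldif_group_has_member "$ldif" "$group" "$member" \
        || { echo "$member is not a member of $group" >&2; rc=1; }
    return $rc
}

# The chapter's expected outcome for mode=OAM with the example base DNs.
verify_oam_seed() {
    verify_seed "$1" "cn=OAMAdministrators,cn=Groups,dc=example,dc=com" \
        "cn=oamadmin,cn=Users,dc=example,dc=com" \
        "cn=oamLDAP,cn=systemids,dc=example,dc=com" \
        "cn=oamadmin,cn=Users,dc=example,dc=com"
}

# Constructed sample export for offline runs; this is not real directory output.
write_constructed_sample_ldif() {
    cat > "$1" <<'EOF'
dn: cn=oamLDAP,cn=systemids,dc=example,dc=com

dn: cn=oamadmin,cn=Users,dc=example,dc=com

dn: cn=OAMAdministrators,cn=Groups,dc=example,dc=com
uniqueMember: cn=oamadmin,cn=Users,dc=example,dc=com
EOF
}
```

For a live check, call export_seeded_entries idstore.example.com dc=example,dc=com seed.ldif and then verify_oam_seed seed.ldif; a non-zero exit names each missing entry or membership. The same helpers, with the DNs changed, serve to check the oimLDAP and xelsysadm entries that the next section's procedure creates.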

2.3.3 Creating Users and Groups for Oracle Identity Manager

Use the IDM Configuration Tool to create the following users:

  • oimLDAP

    System user in LDAP under cn=systemids,dc=example,dc=com and associated with the OIMAdministrators group.

    A system user is required for performing operations in Oracle Unified Directory or Oracle Internet Directory on behalf of Oracle Identity Manager.

    The IDM Configuration Tool creates this user in the system container and gives it the permissions appropriate for controlling all the containers Oracle Identity Manager communicates with. Oracle Unified Directory or Oracle Internet Directory uses these credentials to connect to the backend directories.

    The oimLDAP user credentials are used for communication to LDAP from Oracle Identity Manager.

  • xelsysadm

    Oracle Identity Manager System Administrator in LDAP.

To seed the identity store with the xelsysadm user, assign it to an Oracle Identity Manager administrative group, and create the oimLDAP system user with the appropriate permissions, proceed as follows:

Note:

Skip this step if you have created the users already as part of the manual configuration of LDAP synchronization. For details, see Section E.1.1, "Completing the Prerequisites for Enabling LDAP Synchronization."

  1. If you are using Oracle Unified Directory as the identity store, perform these steps:

    1. Copy the Oracle Unified Directory Keystore file admin-keystore from the Oracle Unified Directory server to the OIM Admin Server machine. The file is located in the following directory on the Oracle Unified Directory server:

      OUD_ORACLE_INSTANCE/OUD/config
      

      You will use the path on the local machine when you create the properties file in Step 2.

    2. Retrieve the Oracle Unified Directory keystore password from the admin-keystore.pin file located at:

      OUD_ORACLE_INSTANCE/OUD/config
      

      The keystore password is required for Oracle Unified Directory identity stores. You will use this value when you create the properties file in Step 2.

  2. Create a properties file called preconfigOIMPropertyFile with contents similar to the following. The preconfigOIMPropertyFile file must contain configuration information specific to your environment. This file will be used to create the required users and groups for Oracle Identity Manager when you run the idmConfigTool command.

    Do not include any blank lines when creating the file.

    IDSTORE_HOST: idstore.example.com
    IDSTORE_PORT: 389
    IDSTORE_BINDDN: cn=orcladmin
    IDSTORE_USERNAMEATTRIBUTE: cn
    IDSTORE_LOGINATTRIBUTE: uid
    IDSTORE_USERSEARCHBASE: cn=Users,dc=example,dc=com
    IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com
    IDSTORE_SEARCHBASE: dc=example,dc=com
    POLICYSTORE_SHARES_IDSTORE: true
    IDSTORE_SYSTEMIDBASE: cn=systemids,dc=example,dc=com
    IDSTORE_OIMADMINUSER: oimLDAP
    IDSTORE_OIMADMINGROUP: OIMAdministrators
    IDSTORE_DIRECTORYTYPE: OUD
    IDSTORE_ADMIN_PORT : 4444
    IDSTORE_KEYSTORE_FILE : <path to file copied from oud install>
    IDSTORE_KEYSTORE_PASSWORD : 4VYGtJLG61V5OjDWKe94e601x7tgLFs
    

    Table 2-5 provides descriptions of the parameters in the preconfigOIMPropertyFile configuration file example.

    Table 2-5 preconfigOIMPropertyFile Properties

    Property / Description

    IDSTORE_HOST

    Identity store host name.

    • If your identity store is in Oracle Internet Directory or Oracle Unified Directory, then point IDSTORE_HOST directly to the Oracle Internet Directory or Oracle Unified Directory host.

    • If your identity store is fronted by Oracle Virtual Directory, then point IDSTORE_HOST to the Oracle Virtual Directory host, which should be IDSTORE.example.com.

    IDSTORE_PORT

    Identity store port.

    IDSTORE_BINDDN

    An administrative user in the identity store directory.

    IDSTORE_USERNAMEATTRIBUTE

    Username attribute used to set and search for users in the identity store.

    IDSTORE_LOGINATTRIBUTE

    Login attribute of the identity store which contains the user's login name.

    IDSTORE_USERSEARCHBASE

    Location in your identity store where users are placed.

    IDSTORE_GROUPSEARCHBASE

    Location in your identity store where groups are placed.

    IDSTORE_SEARCHBASE

    Location in the directory where users and groups are stored.

    POLICYSTORE_SHARES_IDSTORE

    true if your policy and identity stores are in the same directory. If not, it is set to false.

    IDSTORE_SYSTEMIDBASE

    Location in your directory where the Oracle Identity Manager reconciliation user is placed.

    IDSTORE_OIMADMINUSER

    User that Oracle Identity Manager uses to connect to the identity store.

    IDSTORE_OIMADMINGROUP

    Group you want to create to hold your Oracle Identity Manager administrative users.

    IDSTORE_DIRECTORYTYPE

    Identity store directory type.

    OUD if your identity store is in Oracle Unified Directory and you are accessing it directly rather than through OVD.

    If you are not using Oracle Unified Directory, you can leave out this parameter.

    IDSTORE_ADMIN_PORT

    Administration port of your Oracle Unified Directory instance. If you are not using Oracle Unified Directory, you can leave out this parameter.

    IDSTORE_KEYSTORE_FILE

    Location of the Oracle Unified Directory Keystore file. It is used to enable communication with Oracle Unified Directory using the Oracle Unified Directory administration port. It is called admin-keystore and is located in OUD_ORACLE_INSTANCE/OUD/config. If you are not using Oracle Unified Directory, you can leave out this parameter. This file must be located on the same host that the idmConfigTool command is running on. The command uses this file to authenticate itself with OUD.

    IDSTORE_KEYSTORE_PASSWORD

    Encrypted password of the Oracle Unified Directory keystore. This value can be found in the file OUD_ORACLE_INSTANCE/OUD/config/admin-keystore.pin. If you are not using Oracle Unified Directory, you can leave out this parameter.


  3. Set the environment variables required for the idmconfigtool command. For information on setting environment variables, see Section D.2, "Set Up Environment Variables."

  4. Change the directory to the IAM_ORACLE_HOME/idmtools/bin directory:

    cd IAM_ORACLE_HOME/idmtools/bin
    

    You will be running the idmConfigTool command from the IAM_ORACLE_HOME/idmtools/bin directory.

  5. Configure the identity store by using the idmConfigTool command with the -prepareIDStore mode=OIM command option.

    On Linux, the command syntax is:

    idmConfigTool.sh -prepareIDStore mode=OIM input_file=configfile 
    

    On Windows, the command syntax is:

    idmConfigTool.bat -prepareIDStore mode=OIM input_file=configfile 
    

    For example:

    idmConfigTool.sh -prepareIDStore mode=OIM input_file=preconfigOIMPropertyFile 
    

    For information on prepareIDStore mode=OIM, see Section D.4.2.2, "prepareIDStore mode=OIM."

    When the command runs, you are prompted to enter the password of the account used to connect to the identity store. The command also asks you to create passwords for the following two accounts:

    • IDSTORE_OIMADMINUSER

    • xelsysadm. This value should match the value you create as part of the Oracle Identity Manager configuration.

    Sample command output, when running the command against Oracle Unified Directory, is shown as follows:

    Enter ID Store Bind DN password :
    ***Creation of oimLDAP***
    Jan 28, 2015 9:27:00 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO:-> LOADING: /scratch/user1/Oracle/middleware/Oracle_IDM1/idmtools/templates/oud/oim_user_template.ldif
    Enter User Password for oimLDAP:
    Confirm User Password for oimLDAP:
    ***Add password reset privilege to oimLDAP***
    Jan 28, 2015 9:27:01 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO:-> LOADING: /scratch/user1/Oracle/middleware/Oracle_IDM1/idmtools/templates/oud/add_pwd_reset_privilege.ldif
    .
    .
    .
    ***Creation of Xel Sys Admin User***
    Jan 28, 2015 9:27:01 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: /scratch/user1/Oracle/middleware/Oracle_IDM1/idmtools/templates/oud/idm_xelsysadmin_user.ldif
    Enter User Password for xelsysadm:
    Confirm User Password for xelsysadm:
    Jan 28, 2015 9:27:01 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: /scratch/user1/Oracle/middleware/Oracle_IDM1/idmtools/templates/oud/oud_set_lockout_failure_count.ldif
    The tool has completed its operation. Details have been logged to automation.log
    
  6. The automation.log file is created in the directory where you run the tool. Check the log file for any errors or warnings and correct them. The tool is reentrant and can be safely called again.

2.3.4 Creating Users and Groups for Oracle WebLogic Server

To enable single sign-on for your administration consoles, you must ensure that there is a user in your identity store who has the permissions to log in to your Oracle WebLogic Administration Console and Oracle Enterprise Manager Fusion Middleware Control. Use the IDM Configuration Tool to seed the identity store with the users required by WebLogic Server as follows.

The following steps create a domain administrator for WebLogic (weblogic_idm), whose credentials will be used to add Oracle Identity Manager resource policies to the Access Manager configuration when the configOIM command is run.

  1. Create a properties file called preconfigWLSPropertyFile with contents similar to the following. The preconfigWLSPropertyFile file must contain configuration information specific to your environment. This file will be used to create the required users and groups for Oracle WebLogic Server when you run the idmConfigTool command.

    Do not include any blank lines when creating the file.

    IDSTORE_HOST : idstore.example.com
    IDSTORE_PORT : 389
    IDSTORE_BINDDN : cn=orcladmin
    IDSTORE_USERNAMEATTRIBUTE: cn
    IDSTORE_LOGINATTRIBUTE: uid
    IDSTORE_WLSADMINUSER: weblogic_idm
    IDSTORE_WLSADMINGROUP: wlsadmingroup
    IDSTORE_USERSEARCHBASE: cn=Users,dc=example,dc=com
    IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com
    IDSTORE_SEARCHBASE: dc=example,dc=com
    POLICYSTORE_SHARES_IDSTORE: true

    Table 2-6 provides descriptions of the parameters in the preconfigWLSPropertyFile configuration file example.

    Table 2-6 preconfigWLSPropertyFile Properties

    Property / Description

    IDSTORE_HOST

    Identity store host name.

    • If your identity store is in Oracle Internet Directory or Oracle Unified Directory, then point IDSTORE_HOST to Oracle Internet Directory or Oracle Unified Directory, even if you are fronting Oracle Internet Directory with Oracle Virtual Directory.

    • If you are using a directory other than Oracle Internet Directory or Oracle Unified Directory, specify the Oracle Virtual Directory host (which should be IDSTORE.example.com.)

    IDSTORE_PORT

    Identity store port.

    IDSTORE_BINDDN

    Administrative user in the identity store directory.

    IDSTORE_USERNAMEATTRIBUTE

    Username attribute used to set and search for users in the identity store.

    IDSTORE_LOGINATTRIBUTE

    Login attribute of the identity store that contains the user's login name.

    IDSTORE_WLSADMINUSER

    Identity store administrator for Oracle WebLogic Server.

    IDSTORE_WLSADMINGROUP

    Identity store administrator group for Oracle WebLogic Server.

    IDSTORE_USERSEARCHBASE

    Location in the directory where users are stored.

    IDSTORE_GROUPSEARCHBASE

    Location in the directory where groups are stored.

    IDSTORE_SEARCHBASE

    Location in the directory where users and groups are stored.

    POLICYSTORE_SHARES_IDSTORE

    true if your policy and identity stores are in the same directory.

    If not, it is set to false.


  2. Set the environment variables required for the idmconfigtool command. For information on setting environment variables, see Section D.2, "Set Up Environment Variables."

  3. Change the directory to the IAM_ORACLE_HOME/idmtools/bin directory:

    cd IAM_ORACLE_HOME/idmtools/bin
    

    You will be running the idmConfigTool command from the IAM_ORACLE_HOME/idmtools/bin directory.

  4. Configure the identity store by using the idmConfigTool with the -prepareIDStore mode=WLS command option.

    On Linux, the command syntax is:

    idmConfigTool.sh -prepareIDStore mode=WLS input_file=configfile 
    

    On Windows, the command syntax is:

    idmConfigTool.bat -prepareIDStore mode=WLS input_file=configfile 
    

    For example:

    idmConfigTool.sh -prepareIDStore mode=WLS input_file=preconfigWLSPropertyFile 
    

    For information on -prepareIDStore mode=WLS, see Section D.4.2.4, "prepareIDStore mode=WLS."

    The command prompts you to enter the password for the account used to connect to the identity store. You are then prompted to create a password for the following account:

    • WebLogic administrative user (weblogic_idm)

    Sample command output, when running the command against Oracle Unified Directory, is shown as follows:

    Enter ID Store Bind DN password : 
    *** Creation of Weblogic Admin User ***
    Dec 10, 2014 1:43:30 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING:  /scratch/user1/Oracle/middleware/Oracle_IDM1//idmtools/templates/oud/oam_user_template.ldif
    Enter User Password for weblogic_idm: 
    Confirm User Password for weblogic_idm: 
    Dec 10, 2014 1:44:12 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING:  /scratch/user1/Oracle/middleware/Oracle_IDM1//idmtools/templates/oud/weblogic_admin_group.ldif
    Dec 10, 2014 1:44:12 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING:  /scratch/user1/Oracle/middleware/Oracle_IDM1//idmtools/templates/common/group_member_template.ldif
    The tool has completed its operation. Details have been logged to automation.log
    
  5. The automation.log file is created in the directory where you run the tool. Check the log file for any errors or warnings and correct them. The tool is reentrant and can be safely called again.

2.3.5 Creating Readonly user, ReadWrite user and Superuser for Oracle Fusion Applications

Oracle Fusion Applications requires several users and groups to be created in the Identity Store. Use the IDM Configuration Tool to seed the identity store with the readOnly user, readWrite user, and superuser and create the following groups:

  • orclFAGroupReadPrivilegeGroup

  • orclFAGroupWritePrivilegeGroup

  • orclFAUserReadPrivilegeGroup

  • orclFAUserWritePrefsPrivilegeGroup

  • orclFAUserWritePrivilegeGroup

In addition to creating the users and groups, idmConfigTool assigns the readOnly user to the orclFAGroupReadPrivilegeGroup, orclFAUserReadPrivilegeGroup and orclFAUserWritePrefsPrivilegeGroup groups and assigns the readWrite user to the orclFAUserWritePrivilegeGroup and orclFAGroupWritePrivilegeGroup groups.

The following steps create users and groups and add the readOnly and readWrite users to their appropriate groups.

  1. If you are using Oracle Unified Directory as the identity store, perform these steps:

    1. Copy the Oracle Unified Directory Keystore file admin-keystore from the Oracle Unified Directory server to the OIM Admin Server machine. The file is located in the following directory on the Oracle Unified Directory server:

      OUD_ORACLE_INSTANCE/OUD/config
      

      You will use the path on the local machine when you create the properties file in Step 2.

    2. Retrieve the Oracle Unified Directory keystore password from the admin-keystore.pin file located at:

      OUD_ORACLE_INSTANCE/OUD/config
      

      The keystore password is required for Oracle Unified Directory identity stores. You will use this value when you create the properties file in Step 2.

  2. Create a preconfigFAPropertyFile properties file with contents similar to the following. The preconfigFAPropertyFile file must contain configuration information specific to your environment. This file will be used to create the required users and add them to the appropriate groups when you run the idmConfigTool command.

    Do not include any blank lines when creating the file.

    IDSTORE_HOST : idstore.example.com
    IDSTORE_PORT : 389
    IDSTORE_BINDDN : cn=directory manager
    IDSTORE_USERNAMEATTRIBUTE: cn
    IDSTORE_LOGINATTRIBUTE: uid
    IDSTORE_USERSEARCHBASE: cn=Users,dc=example,dc=com
    IDSTORE_SEARCHBASE: dc=example,dc=com
    IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com
    POLICYSTORE_SHARES_IDSTORE: true
    IDSTORE_SSL_ENABLED: false 
    IDSTORE_READONLYUSER: IDROUser 
    IDSTORE_READWRITEUSER: IDRWUser 
    IDSTORE_SUPERUSER: weblogic_fa
    IDSTORE_SYSTEMIDBASE: cn=systemids,dc=example,dc=com
    IDSTORE_ADMIN_PORT : 4444
    IDSTORE_KEYSTORE_FILE : <path to file copied from oud install>
    IDSTORE_KEYSTORE_PASSWORD : 4VYGtJLG61V5OjDWKe94e601x7tgLFs
    

    Table 2-7 provides descriptions of the parameters in the configuration file example.

    Table 2-7 preconfigFAPropertyFile Properties

    Property / Description

    IDSTORE_HOST

    Host name of the LDAP identity store directory (corresponding to the IDSTORE_DIRECTORYTYPE).

    If your identity store is in Oracle Internet Directory or Oracle Unified Directory, then IDSTORE_HOST points directly to the Oracle Internet Directory or Oracle Unified Directory host. If the Identity Store is fronted by Oracle Virtual Directory, then IDSTORE_HOST points to the Oracle Virtual Directory host, which is IDSTORE.example.com.

    IDSTORE_PORT

    Port number of the LDAP identity store (corresponding to the IDSTORE_DIRECTORYTYPE).

    IDSTORE_BINDDN

    Administrative user in the identity store directory.

    IDSTORE_USERNAMEATTRIBUTE

    Username attribute used to set and search for users in the identity store.

    Set to part of the user DN. For example, if the user DN is cn=orcladmin,cn=Users,dc=us,dc=example,dc=com, this property is set to cn.

    IDSTORE_LOGINATTRIBUTE

    Login attribute of the identity store which contains the user's login name. This is the attribute the user uses for login.

    IDSTORE_USERSEARCHBASE

    Location in the directory where users are stored. This property tells the directory where to search for users.

    IDSTORE_SEARCHBASE

    Search base for users and groups contained in the identity store.

    Parent location that contains the USERSEARCHBASE and the GROUPSEARCHBASE.

    IDSTORE_GROUPSEARCHBASE

    The location in the directory where groups (or roles) are stored. This property tells the directory where to search for groups or roles.

    POLICYSTORE_SHARES_IDSTORE

    Denotes whether the policy store and identity store share the directory. Always true in Release 11g.

    Valid values: true, false

    IDSTORE_SSL_ENABLED

    Whether SSL to the identity store is enabled.

    Valid values: true | false

    IDSTORE_READONLYUSER

    User with read-only permissions to the identity store.

    IDSTORE_READWRITEUSER

    User with read-write permissions to the identity store.

    IDSTORE_SUPERUSER

    The Oracle Fusion Applications superuser in the identity store.

    IDSTORE_SYSTEMIDBASE

    Location of a container in the directory where system operations users are stored so that they are kept separate from enterprise users stored in the main user container. There are only a few system operations users. One example is the Oracle Identity Manager reconciliation user which is also used for the bind DN user in Oracle Virtual Directory adapters.

    IDSTORE_ADMIN_PORT

    Administration port of your Oracle Unified Directory instance. If you are not using Oracle Unified Directory, you can leave out this parameter.

    IDSTORE_KEYSTORE_FILE

    Location of the Oracle Unified Directory Keystore file. It is used to enable communication with Oracle Unified Directory using the Oracle Unified Directory administration port. It is called admin-keystore and is located in OUD_ORACLE_INSTANCE/OUD/config. If you are not using Oracle Unified Directory, you can leave out this parameter. This file must be located on the same host that the idmConfigTool command is running on. The command uses this file to authenticate itself with OUD.

    IDSTORE_KEYSTORE_PASSWORD

    Encrypted password of the Oracle Unified Directory keystore. This value can be found in the file OUD_ORACLE_INSTANCE/OUD/config/admin-keystore.pin. If you are not using Oracle Unified Directory, you can leave out this parameter.


  3. Set the environment variables required for the idmconfigtool command. For information on setting environment variables, see Section D.2, "Set Up Environment Variables."

  4. Change the directory to the IAM_ORACLE_HOME/idmtools/bin directory:

    cd IAM_ORACLE_HOME/idmtools/bin
    

    You will be running the idmConfigTool command from the IAM_ORACLE_HOME/idmtools/bin directory.

  5. Configure the identity store by using the idmConfigTool with the -prepareIDStore mode=fusion command option.

    On Linux, the command syntax is:

    idmConfigTool.sh -prepareIDStore mode=fusion input_file=configfile 
    

    On Windows, the command syntax is:

    idmConfigTool.bat -prepareIDStore mode=fusion input_file=configfile 
    

    For example:

    idmConfigTool.sh -prepareIDStore mode=fusion input_file=preconfigFAPropertyFile 
    

    For information on -prepareIDStore mode=fusion, see Section D.4.2.7, "prepareIDStore mode=fusion."

    The command prompts you to enter the password for the account used to connect to the identity store. You are then prompted to create passwords for the following three accounts:

    • IDROUser

      User with read-only permissions to the identity store.

    • IDRWUser

      User with read-write permissions to the identity store.

    • weblogic_fa

      The Oracle Fusion Applications superuser in the identity store.

  6. The automation.log file is created in the directory where you run the tool. Check the log file for any errors or warnings and correct them. The tool is reentrant and can be safely called again.
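
After the three prepareIDStore runs above, a defender wants proof that the directory holds the accounts and group memberships this section describes, not just a clean automation.log. The following added example (not Oracle's code and not part of the original chapter) checks an LDIF export of the identity store against those expectations; the container DNs, user names and the use of uniqueMember for group membership are assumptions taken from the sample property files, and SAMPLE_LDIF is constructed data.

```python
"""Post-run check of the accounts seeded by idmConfigTool -prepareIDStore.

Added example, not Oracle's code. It parses an LDIF export of the identity
store (for example ldapsearch -LLL output over dc=example,dc=com) and checks
that the users and group memberships that sections 2.3.3 to 2.3.5 say the
tool creates are present. SAMPLE_LDIF is constructed data, not a real export.
"""
import re

# Memberships the chapter states the tool assigns, keyed by user name; the
# names are the ones used in the chapter's property files (assumption).
EXPECTED_MEMBERSHIPS = {
    "oimLDAP": {"OIMAdministrators"},
    "weblogic_idm": {"wlsadmingroup"},
    "IDROUser": {"orclFAGroupReadPrivilegeGroup", "orclFAUserReadPrivilegeGroup",
                 "orclFAUserWritePrefsPrivilegeGroup"},
    "IDRWUser": {"orclFAUserWritePrivilegeGroup", "orclFAGroupWritePrivilegeGroup"},
}
# Users that must exist; for xelsysadm and weblogic_fa the chapter names no group.
EXPECTED_USERS = {"xelsysadm", "weblogic_fa"} | set(EXPECTED_MEMBERSHIPS)
SYSTEM_USERS = {"oimLDAP"}  # created under IDSTORE_SYSTEMIDBASE, not cn=Users


def normalize_dn(dn):
    """Case- and whitespace-insensitive DN form for comparisons."""
    return ",".join(p.strip() for p in dn.split(",")).lower()


def parse_ldif(text):
    """Minimal LDIF parser: {normalized dn: {lowercase attr: [values]}}.
    Folded continuation lines are joined; base64 ('::') values are not decoded."""
    entries = {}
    for block in re.split(r"\n\s*\n", re.sub(r"\n ", "", text).strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                dn = normalize_dn(value)
            else:
                attrs.setdefault(name, []).append(value)
        if dn:
            entries[dn] = attrs
    return entries


def find_entry(entries, name, base):
    """DN of the entry below `base` whose RDN value equals `name`, else None."""
    suffix = "," + normalize_dn(base)
    for dn in entries:
        rdn_value = dn.split(",", 1)[0].partition("=")[2]
        if dn.endswith(suffix) and rdn_value == name.lower():
            return dn
    return None


def verify_seeded_accounts(entries, user_base, system_base, group_base):
    """Return the missing users and memberships; an empty list means all are present."""
    problems = []
    for user in sorted(EXPECTED_USERS):
        base = system_base if user in SYSTEM_USERS else user_base
        user_dn = find_entry(entries, user, base)
        if user_dn is None:
            problems.append(f"user {user} not found under {base}")
            continue
        for group in sorted(EXPECTED_MEMBERSHIPS.get(user, ())):
            group_dn = find_entry(entries, group, group_base)
            if group_dn is None:
                problems.append(f"group {group} not found under {group_base}")
                continue
            members = entries[group_dn].get("uniquemember", []) + entries[group_dn].get("member", [])
            if user_dn not in {normalize_dn(m) for m in members}:
                problems.append(f"{user} is not a member of {group}")
    return problems


# Constructed sample export of a correctly seeded store, written out as LDIF so
# that parse_ldif runs exactly as it would on a real ldapsearch dump.
_U, _G, _S = "cn=Users,dc=example,dc=com", "cn=Groups,dc=example,dc=com", "cn=systemids,dc=example,dc=com"
_SAMPLE_GROUPS = {
    "OIMAdministrators": [f"cn=oimLDAP,{_S}", f"cn=xelsysadm,{_U}"],
    "wlsadmingroup": [f"cn=weblogic_idm,{_U}"],
    "orclFAGroupReadPrivilegeGroup": [f"cn=IDROUser,{_U}"],
    "orclFAUserReadPrivilegeGroup": [f"cn=IDROUser,{_U}"],
    "orclFAUserWritePrefsPrivilegeGroup": [f"cn=IDROUser,{_U}"],
    "orclFAUserWritePrivilegeGroup": [f"cn=IDRWUser,{_U}"],
    "orclFAGroupWritePrivilegeGroup": [f"cn=IDRWUser,{_U}"],
}
SAMPLE_LDIF = "\n\n".join(
    [f"dn: cn=oimLDAP,{_S}\ncn: oimLDAP"]
    + [f"dn: cn={u},{_U}\ncn: {u}" for u in ("xelsysadm", "weblogic_idm", "weblogic_fa", "IDROUser", "IDRWUser")]
    + [f"dn: cn={g},{_G}\n" + "\n".join(f"uniqueMember: {m}" for m in ms) for g, ms in _SAMPLE_GROUPS.items()]
)
```

Against a real store, feed parse_ldif the text of an export and pass the search bases from your property file; any non-empty result names exactly which account or membership the tool did not create.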

2.4 Configuring Access Manager for Oracle Identity Manager Integration

Before integrating Oracle Identity Manager with Access Manager 11g, you must configure Access Manager 11g for Access Manager and Oracle Identity Manager integration.

  1. Create a properties file called OAMconfigPropertyFile with contents similar to the following:

    Note:

    If you already have an identity store in place that is different from the default created by this tool, add the OAM11G_IDSTORE_NAME parameter to the properties file and set the value to the name of that identity store.

    Do not include any blank lines when creating the file.

    WLSHOST: adminvhn.example.com
    WLSPORT: 7001
    WLSADMIN: weblogic
    IDSTORE_HOST: idstore.example.com
    IDSTORE_PORT: 389
    IDSTORE_BINDDN: cn=orcladmin 
    IDSTORE_USERNAMEATTRIBUTE: cn
    IDSTORE_LOGINATTRIBUTE: uid
    IDSTORE_USERSEARCHBASE: cn=Users,dc=example,dc=com
    IDSTORE_SEARCHBASE: dc=example,dc=com
    IDSTORE_SYSTEMIDBASE: cn=systemids,dc=example,dc=com
    IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com
    IDSTORE_OAMSOFTWAREUSER: oamLDAP
    IDSTORE_OAMADMINUSER: oamadmin
    IDSTORE_DIRECTORYTYPE: OUD
    POLICYSTORE_SHARES_IDSTORE: true
    PRIMARY_OAM_SERVERS: oamhost1.example.com:5575
    WEBGATE_TYPE: ohsWebgate11g 
    ACCESS_GATE_ID: Webgate_IDM
    OAM11G_IDM_DOMAIN_OHS_HOST: sso.example.com
    OAM11G_IDM_DOMAIN_OHS_PORT: 443
    OAM11G_IDM_DOMAIN_OHS_PROTOCOL: http
    OAM11G_WG_DENY_ON_NOT_PROTECTED: false
    OAM11G_IMPERSONATION_FLAG: false
    OAM_TRANSFER_MODE: Open
    OAM11G_OAM_SERVER_TRANSFER_MODE: open
    OAM11G_IDM_DOMAIN_LOGOUT_URLS: /console/jsp/common/logout.jsp,/em/targetauth/emaslogout.jsp,/oamsso/logout.html,/cgi-bin/logout.pl
    OAM11G_SERVER_LOGIN_ATTRIBUTE: uid 
    COOKIE_DOMAIN: .example.com
    OAM11G_IDSTORE_ROLE_SECURITY_ADMIN: OAMAdministrators
    OAM11G_SSO_ONLY_FLAG: true
    OAM11G_OIM_INTEGRATION_REQ: true
    OAM11G_SERVER_LBR_HOST: sso.example.com
    OAM11G_SERVER_LBR_PORT: 443
    OAM11G_SERVER_LBR_PROTOCOL: http
    COOKIE_EXPIRY_INTERVAL: 120
    OAM11G_OIM_OHS_URL: http://sso.example.com:443/
    SPLIT_DOMAIN: true
    

    The OAMconfigPropertyFile file must contain configuration information specific to your environment. This file will be used to configure Access Manager 11g for Access Manager and Oracle Identity Manager integration when you run the idmconfigtool command.

    Table 2-8 provides descriptions of the parameters in the OAMconfigPropertyFile configuration file example.

    Table 2-8 OAMconfigPropertyFile Properties File

    Property / Description

    WLSHOST

    Administration server host name. This will be the virtual name.

    WLSPORT

    Administration server port.

    WLSADMIN

    WebLogic Server administrative user account you use to log in to the WebLogic Server administration console.

    IDSTORE_HOST

    Identity store host name.

    If using a directory server other than Oracle Internet Directory or Oracle Unified Directory, specify the Oracle Virtual Directory host and port.

    IDSTORE_PORT

    Identity store port.

    IDSTORE_BINDDN

    An administrative user in Oracle Internet Directory or Oracle Unified Directory.

    If using a directory server other than Oracle Internet Directory or Oracle Unified Directory, specify an Oracle Virtual Directory administrative user.

    IDSTORE_USERNAMEATTRIBUTE

    Username attribute used to set and search for users in the identity store.

    IDSTORE_LOGINATTRIBUTE

    Login attribute of the identity store which contains the user's login name.

    IDSTORE_USERSEARCHBASE

    Container under which Access Manager searches for the users.

    IDSTORE_SEARCHBASE

    Location in the directory where users and groups are stored.

    IDSTORE_GROUPSEARCHBASE

    Location in the directory where groups are stored.

    IDSTORE_OAMSOFTWAREUSER

    User you use to interact with the LDAP server.

    IDSTORE_OAMADMINUSER

    User you use to access your Oracle Access Management Administration Console.

    IDSTORE_DIRECTORYTYPE

    Identity store directory type.

    PRIMARY_OAM_SERVERS

    Comma-separated list of your Access Manager servers and the proxy ports they use.

    To determine the proxy ports of your Access Manager servers:

    1. Log in to the Oracle Access Management administration console at http://admin.example.com:7001/oamconsole

    2. At the top of the Oracle Access Management Console, click Configuration.

    3. In the Configuration console, click Server Instances.

    4. In the page that appears, click Search, then double-click the target instance to display its configuration. For example, WLS_OAM1.

      The proxy port is shown as Port.

    WEBGATE_TYPE

    WebGate agent type you want to create.

    Valid values are ohsWebgate11g if WebGate version 11 is used, or ohsWebgate10g if WebGate version 10 is used.

    ACCESS_GATE_ID

    Name you want to assign to the WebGate. Do not change the property value shown above.

    OAM11G_IDM_DOMAIN_OHS_HOST

    Load balancer that is in front of Oracle HTTP Server (OHS) in a high-availability configuration.

    OAM11G_IDM_DOMAIN_OHS_PORT

    Load balancer port.

    OAM11G_IDM_DOMAIN_OHS_PROTOCOL

    Protocol to use when directing requests to the load balancer.

    OAM11G_WG_DENY_ON_NOT_PROTECTED

    Sets the Deny On Not Protected flag for a 10g WebGate. Valid values are true and false.

    OAM11G_IMPERSONATION_FLAG

    Enables or disables the impersonation feature in the OAM Server.

    Valid values are true (enable) and false (disable). The default is false.

    If you are using impersonation, you must manually set this value to true.

    OAM_TRANSFER_MODE

    Security mode in which the access servers function.

    OAM11G_OAM_SERVER_TRANSFER_MODE

    Security mode for the Access Manager servers.

    OAM11G_IDM_DOMAIN_LOGOUT_URLS

    Set to the various logout URLs.

    OAM11G_SERVER_LOGIN_ATTRIBUTE

    Set to uid to ensure that when users log in, their username is validated against the uid attribute in LDAP.

    COOKIE_DOMAIN

    Domain in which the WebGate functions.

    OAM11G_IDSTORE_ROLE_SECURITY_ADMIN

    Account to administer role security in identity store.

    OAM11G_SSO_ONLY_FLAG

    Configures Access Manager 11g in authentication-only mode or in normal mode, which supports both authentication and authorization. The default value is true.

    If set to true, the Access Manager 11g server operates in authentication only mode, where all authorizations return true by default without any policy validations. In this mode, the server does not have the overhead of authorization handling. This is recommended for applications which do not depend on authorization policies and need only the authentication feature of the Access Manager server.

    If set to false, the server runs in default mode, where each authentication is followed by one or more authorization requests to the Access Manager server. WebGate allows the access to the requested resources or not, based on the responses from the Access Manager server.

    OAM11G_OIM_INTEGRATION_REQ

    Specifies whether to integrate with Oracle Identity Manager or configure Access Manager in stand-alone mode. Set to true for integration.

    OAM11G_SERVER_LBR_HOST

    OAM Server fronting your site. This and the following two parameters are used to construct your login URL.

    OAM11G_SERVER_LBR_PORT

    Load balancer port.

    OAM11G_SERVER_LBR_PROTOCOL

    URL prefix. The default value is http.

    COOKIE_EXPIRY_INTERVAL

    Cookie expiration period.

    OAM11G_OIM_OHS_URL

    URL of the load balancer or Oracle HTTP Server (OHS) fronting the OIM server.

    SPLIT_DOMAIN

    Must be set to true to suppress double authentication for the Oracle Access Management administration console.


  2. Set the environment variables required for the idmconfigtool command. For information on setting environment variables, see Section D.2, "Set Up Environment Variables."

  3. Change the directory to the IAM_ORACLE_HOME/idmtools/bin directory:

    cd IAM_ORACLE_HOME/idmtools/bin
    

    You will be running the idmConfigTool command from the IAM_ORACLE_HOME/idmtools/bin directory.

  4. Configure the identity store by using the idmConfigTool command with the -configOAM command option.

    On Linux, the command syntax is:

    idmConfigTool.sh -configOAM input_file=configfile 
    

    On Windows, the command syntax is:

    idmConfigTool.bat -configOAM input_file=configfile 
    

    For example:

    idmConfigTool.sh -configOAM input_file=OAMconfigPropertyFile 
    

    For information on the configOAM command option, see Section D.4.4, "configOAM Command."

    Before running this command, ensure that the Access Management Domain Administration Server is running.

    When the command runs, it prompts you to enter the password of the account used to connect to the identity store. It also asks you to create passwords for the following three accounts:

    • OAM11G_WLS_ADMIN_PASSWD

    • IDSTORE_PWD_OAMSOFTWAREUSER

    • IDSTORE_PWD_OAMADMINUSER

    Sample command output, when running the command against Oracle Unified Directory, is shown as follows:

    Enter ID Store Bind DN password: 
    Enter User Password for OAM11G_WLS_ADMIN_PASSWD:
    Confirm User Password for OAM11G_WLS_ADMIN_PASSWD: 
    Enter User Password for IDSTORE_PWD_OAMSOFTWAREUSER: 
    Confirm User Password for IDSTORE_PWD_OAMSOFTWAREUSER: 
    Enter User Password for IDSTORE_PWD_OAMADMINUSER: 
    Confirm User Password for IDSTORE_PWD_OAMADMINUSER: 
    The tool has completed its operation. Details have been logged to automation.log
    
  5. Check the log file for any errors or warnings and correct them. The tool is reentrant and can be safely called again.

  6. Restart OAM Administration Server.

    For information on restarting the WebLogic Administration Server, see "Restarting Servers" in Installation Guide for Oracle Identity and Access Management.
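
The property files in Sections 2.3.3 to 2.3.5 and 2.4 share one format and the same failure modes: blank lines, placeholders such as <path to file copied from oud install> left in, mode-specific keys missing, search bases that are not under IDSTORE_SEARCHBASE, and agent and server transfer modes that disagree. The following added example, not Oracle's code, is a pre-flight validator for those files; the required-key lists and the rule that the OUD administration port and keystore keys belong together are assumptions drawn from the chapter's sample files and tables, and SAMPLE_OIM is constructed input.

```python
"""Pre-flight validation of idmConfigTool property files.

Added example, not Oracle's code. It checks a properties file of the kind the
chapter shows for -prepareIDStore (mode=OIM, WLS, fusion) and -configOAM for
the mistakes that make the tool fail or leave a weak setup. The required-key
lists below are taken from the chapter's sample files (assumption).
"""
import re

COMMON = ["IDSTORE_HOST", "IDSTORE_PORT", "IDSTORE_BINDDN", "IDSTORE_USERNAMEATTRIBUTE",
          "IDSTORE_LOGINATTRIBUTE", "IDSTORE_USERSEARCHBASE", "IDSTORE_GROUPSEARCHBASE",
          "IDSTORE_SEARCHBASE", "POLICYSTORE_SHARES_IDSTORE"]
REQUIRED = {
    "prepareIDStore:OIM": COMMON + ["IDSTORE_SYSTEMIDBASE", "IDSTORE_OIMADMINUSER",
                                    "IDSTORE_OIMADMINGROUP"],
    "prepareIDStore:WLS": COMMON + ["IDSTORE_WLSADMINUSER", "IDSTORE_WLSADMINGROUP"],
    "prepareIDStore:fusion": COMMON + ["IDSTORE_SSL_ENABLED", "IDSTORE_READONLYUSER",
                                       "IDSTORE_READWRITEUSER", "IDSTORE_SUPERUSER",
                                       "IDSTORE_SYSTEMIDBASE"],
    "configOAM": COMMON + ["WLSHOST", "WLSPORT", "WLSADMIN", "IDSTORE_SYSTEMIDBASE",
                           "IDSTORE_OAMSOFTWAREUSER", "IDSTORE_OAMADMINUSER",
                           "IDSTORE_DIRECTORYTYPE", "PRIMARY_OAM_SERVERS", "WEBGATE_TYPE",
                           "ACCESS_GATE_ID", "OAM_TRANSFER_MODE", "COOKIE_DOMAIN",
                           "OAM11G_OAM_SERVER_TRANSFER_MODE", "OAM11G_OIM_INTEGRATION_REQ"],
}
# Keys the property tables describe as needed only for an OUD identity store.
OUD_ONLY = ["IDSTORE_ADMIN_PORT", "IDSTORE_KEYSTORE_FILE", "IDSTORE_KEYSTORE_PASSWORD"]


def norm_dn(dn):
    """Case- and whitespace-insensitive DN form for comparisons."""
    return ",".join(p.strip().lower() for p in dn.split(","))


def dn_under(dn, base):
    """True if `dn` lies below `base`."""
    return norm_dn(dn).endswith("," + norm_dn(base))


def parse_properties(text):
    """Parse 'KEY: value' lines (the chapter also writes 'KEY : value').
    Returns (props, problems); blank and malformed lines are reported, not skipped."""
    props, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            problems.append(f"line {lineno}: blank line (the file must not contain any)")
            continue
        key, sep, value = raw.partition(":")
        if not sep or not key.strip():
            problems.append(f"line {lineno}: not a KEY: value line")
            continue
        if key.strip() in props:
            problems.append(f"line {lineno}: duplicate key {key.strip()}")
        props[key.strip()] = value.strip()
    return props, problems


def validate(text, mode):
    """Return a list of problems for a property file used with `mode`; [] means clean."""
    props, problems = parse_properties(text)
    problems += [f"missing {k} (required for {mode})" for k in REQUIRED[mode] if k not in props]
    problems += [f"{k}: placeholder {v} not replaced" for k, v in props.items()
                 if re.fullmatch(r"<.*>", v)]
    base = props.get("IDSTORE_SEARCHBASE")
    for k in ("IDSTORE_USERSEARCHBASE", "IDSTORE_GROUPSEARCHBASE", "IDSTORE_SYSTEMIDBASE"):
        if base and k in props and not dn_under(props[k], base):
            problems.append(f"{k} {props[k]} is not under IDSTORE_SEARCHBASE {base}")
    # The OIM and fusion tables list the OUD admin port and keystore settings; they are
    # needed as a set once the store is OUD (assumption: any one of them implies OUD).
    if mode in ("prepareIDStore:OIM", "prepareIDStore:fusion"):
        uses_oud = props.get("IDSTORE_DIRECTORYTYPE", "").upper() == "OUD" or any(
            k in props for k in OUD_ONLY)
        problems += [f"missing {k} (needed for the OUD administration port)" for k in OUD_ONLY
                     if uses_oud and k not in props]
    if mode == "configOAM":
        agent = props.get("OAM_TRANSFER_MODE", "")
        server = props.get("OAM11G_OAM_SERVER_TRANSFER_MODE", "")
        if agent.lower() != server.lower():
            problems.append(f"OAM_TRANSFER_MODE {agent} and OAM11G_OAM_SERVER_TRANSFER_MODE {server} disagree")
        if props.get("OAM11G_OIM_INTEGRATION_REQ", "").lower() != "true":
            problems.append("OAM11G_OIM_INTEGRATION_REQ must be true for the OIM integration")
    return problems


# Constructed sample mirroring the chapter's preconfigOIMPropertyFile, with two common
# slips: a blank line and the OUD keystore placeholders left unreplaced.
SAMPLE_OIM = """\
IDSTORE_HOST: idstore.example.com
IDSTORE_PORT: 389
IDSTORE_BINDDN: cn=orcladmin
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_USERSEARCHBASE: cn=Users,dc=example,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com
IDSTORE_SEARCHBASE: dc=example,dc=com
POLICYSTORE_SHARES_IDSTORE: true
IDSTORE_SYSTEMIDBASE: cn=systemids,dc=example,dc=com
IDSTORE_OIMADMINUSER: oimLDAP
IDSTORE_OIMADMINGROUP: OIMAdministrators
IDSTORE_DIRECTORYTYPE: OUD

IDSTORE_ADMIN_PORT : 4444
IDSTORE_KEYSTORE_FILE : <path to file copied from oud install>
IDSTORE_KEYSTORE_PASSWORD : <value of admin-keystore.pin>
"""
```

Because the OIM and fusion files carry the OUD keystore password, keep them readable only by the account that runs idmConfigTool.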

2.5 Integrating Access Manager with Oracle Identity Manager

Integrate Oracle Identity Manager with Access Manager as follows.

Note:

Before running configOIM, ensure that:

  • The configOAM command was successful.

  • The Oracle Access Management Admin Server has been restarted.

  • The OIM Admin and OAM Admin Servers are running.

  1. Retrieve the random global passphrase for SIMPLE security mode communication with Access Manager.

    By default, Access Manager is configured to use the OPEN security mode. If you want to use the installation default of OPEN mode, you can skip this step.

    If you want idmConfigTool to change the security mode to SIMPLE mode and propagate changes to the WebGates, you must provide the global passphrase when prompted by the Access Manager and Oracle Identity Manager integration script. Artifacts generated for SIMPLE mode use the global passphrase. If you do not remember your global passphrase, you can retrieve it by using the displaySimpleModeGlobalPassphrase() command as follows:

    1. Ensure that the Oracle Access Management Console is running.

    2. On the computer hosting the Oracle Access Management Console, connect to the WebLogic Scripting Tool. For example:

      $ORACLE_IDM_HOME/common/bin/wlst.sh
      wls:/offline> connect()
      

      where $ORACLE_IDM_HOME represents the base installation directory path.

    3. Respond to the prompts as shown:

      Please enter your username [weblogic] :
      Please enter your password [weblogic] :
      Please enter your server URL [t3://localhost:7001] :
      wls:/base_domain/serverConfig>
      
    4. Enter the following command to change the location to the read-only domainRuntime tree:

      wls:/base_domain/serverConfig>domainRuntime()
      
    5. View the global passphrase by entering the following command:

      wls:/base_domain/domainRuntime> displaySimpleModeGlobalPassphrase()
      
    6. Make a note of this passphrase and exit WLST by using the exit command:

      wls:/base_domain/domainRuntime> exit()
      
  2. Create a properties file named OIMconfigPropertyFile with contents similar to the following:

    Do not include any blank lines when creating the file.

    LOGINURI: /${app.context}/adfAuthentication
    LOGOUTURI: /oamsso/logout.html
    AUTOLOGINURI: None
    ACCESS_SERVER_HOST: OAMHOST1.example.com
    ACCESS_SERVER_PORT: 5575
    ACCESS_GATE_ID: Webgate_IDM
    COOKIE_DOMAIN: .example.com
    COOKIE_EXPIRY_INTERVAL: 120
    OAM_TRANSFER_MODE: Open
    WEBGATE_TYPE: ohsWebgate11g
    OAM_SERVER_VERSION: 11g
    OAM11G_WLS_ADMIN_HOST: wlsadmin.example.com
    OAM11G_WLS_ADMIN_PORT: 17001 
    OAM11G_WLS_ADMIN_USER: weblogic
    SSO_ENABLED_FLAG: true
    IDSTORE_PORT: 389
    IDSTORE_HOST: idstore.example.com
    IDSTORE_DIRECTORYTYPE: OUD 
    IDSTORE_ADMIN_USER: cn=oamLDAP,cn=systemids,dc=example,dc=com
    IDSTORE_LOGINATTRIBUTE: uid
    IDSTORE_USERSEARCHBASE: cn=Users,dc=example,dc=com
    IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com
    MDS_DB_URL: jdbc:oracle:thin:@DBHOST:PORT:SID
    MDS_DB_SCHEMA_USERNAME: idm_mds
    WLSHOST: adminvhn.example.com
    WLSPORT: 7001
    WLSADMIN: weblogic
    DOMAIN_NAME: IDM_Domain
    OIM_MANAGED_SERVER_NAME: WLS_OIM1
    DOMAIN_LOCATION: ORACLE_BASE/admin/IDMDomain/aserver/IDMDomain
    IDSTORE_WLSADMINUSER: weblogic_idm
    OIM_MSM_REST_SERVER_URL: <Oracle Mobile Security Manager server URL>
    

    The OIMconfigPropertyFile file must contain configuration information specific to your environment. This file will be used for Access Manager and Oracle Identity Manager integration.

    If you are not integrating OIM with OMSS, you can leave out the OIM_MSM_REST_SERVER_URL parameter.

    Table 2-9 provides descriptions of the parameters in the OIMconfigPropertyFile configuration file example.

    Table 2-9 OIMconfigPropertyFile Properties

    Properties Description

    WLSHOST, WLSPORT, WLSADMIN

    In the split domain topology where Oracle Identity Manager and Access Manager are in different domains, WLSHOST, WLSPORT, WLSADMIN are related to Oracle Identity Manager.

    ACCESS_SERVER_PORT

    Access Manager OAP port.

    ACCESS_GATE_ID

    ACCESS_GATE_ID must be the same as the ACCESS_GATE_ID value that you provided in the properties file for the configOAM command. (See Section 2.4, which covers configuring the identity store using the idmConfigTool with the -configOAM command.)

    OAM_TRANSFER_MODE

    OAM_TRANSFER_MODE must be the same as the OAM_TRANSFER_MODE value that you provided in the properties file for the configOAM command. (See Section 2.4, which covers configuring the identity store using the idmConfigTool with the -configOAM command.)

    WEBGATE_TYPE

    Set to ohsWebgate11g if WebGate version 11 is used, or ohsWebgate10g if WebGate version 10 is used.

    OAM_SERVER_VERSION

    Set to 10g if using Oracle Access Manager 10g, or 11g if using Access Manager 11g.

    OAM11G_WLS_ADMIN_HOST, OAM11G_WLS_ADMIN_PORT, and OAM11G_WLS_ADMIN_USER

    These properties are related to Access Manager: they identify the WebLogic Administration Server of the Access Manager domain. For information about the split domain integration topology, see Chapter 1, "Introduction."

    IDSTORE_PORT

    Oracle Unified Directory or Oracle Internet Directory port if you are using Oracle Unified Directory or Oracle Internet Directory as your identity store. If not, set it to your Oracle Virtual Directory port.

    IDSTORE_HOST

    Oracle Unified Directory or Oracle Internet Directory host or load balancer name if you are using Oracle Unified Directory or Oracle Internet Directory as your identity store. If not, set it to your Oracle Virtual Directory host or load balancer name.

    IDSTORE_DIRECTORYTYPE

    OVD if you are using Oracle Virtual Directory server to connect to either a non-OID directory, Oracle Internet Directory or Oracle Unified Directory.

    OID if your identity store is in Oracle Internet Directory and you are accessing it directly rather than through Oracle Virtual Directory.

    OUD if your identity store is in Oracle Unified Directory and you are accessing it directly rather than through OVD.

    IDSTORE_ADMIN_USER

    Complete LDAP DN of the administrator of the identity store directory. This should be the same user specified for IDSTORE_OAMSOFTWAREUSER (if specified).

    MDS_DB_URL

    JDBC URL of the single-instance database that holds the MDS schema. The string following the '@' symbol must have the correct values for your environment, and SID must be the actual SID, not a service name. For a single-instance database, set MDS_DB_URL to: jdbc:oracle:thin:@DBHOST:1521:SID.

    MDS_DB_SCHEMA_USERNAME

    The MDS schema that Oracle Identity Manager uses.

    OIM_MSM_REST_SERVER_URL

    Oracle Mobile Security Manager server URL.

    https://host:port.

    The MSM URL is seeded in Oracle Identity Manager and the system property OMSS Enabled is set. OIM_MSM_REST_SERVER_URL enables the Mobile Security Manager task flows in the Oracle Identity Manager console. If not set, configOIM will continue the configuration without configuring the Mobile Security Manager.

    WLSPASSWD

    The WebLogic Server administrator password.

    Note: This property is required for Mobile Security Manager and Oracle Identity Manager integration.

    IDSTORE_WLSADMINUSER

    The same user value that you provided when running the prepareIdStore mode=wls command.


  3. Set the environment variables required for the idmConfigTool command. For information on setting environment variables, see Section D.2, "Set Up Environment Variables."

  4. Change the directory to the IAM_ORACLE_HOME/idmtools/bin directory:

    cd IAM_ORACLE_HOME/idmtools/bin
    

    You will be running the idmConfigTool command from the IAM_ORACLE_HOME/idmtools/bin directory.

  5. Configure the identity store by using idmConfigTool with the -configOIM command.

    On Linux, the command syntax is:

    idmConfigTool.sh -configOIM input_file=configfile 
    

    On Windows, the command syntax is:

    idmConfigTool.bat -configOIM input_file=configfile 
    

    For example:

    idmConfigTool.sh -configOIM input_file=OIMconfigPropertyFile 
    

    For information on the configOIM command option, see Section D.4.5, "configOIM Command."

    When the command executes, you are prompted for:

    • Access Gate Password

    • Single Sign-On (SSO) Keystore Password

    • Global Passphrase

    • Idstore Admin Password

    • MDS Database schema password

    • Admin Server User Password

    • Password to be used for Oracle Access Management administrative user

    • Password for IDSTORE_WLS_ADMIN_USER as provided during the prepareIdStore mode=wls command

    Sample command output, when running the command against Oracle Unified Directory, is shown as follows:

    Enter oam11g domain admin user password : 
    Enter sso access gate password : 
    Enter mds db schema password : 
    Enter idstore admin password :
    Enter admin server user password :
    Enter IDSTORE_WLS_ADMIN_USER Password :
    Seeding OIM Resource Policies into OAM....
    Resources Seeded!!
    ********* Seeding OAM Passwds in OIM *********
    Completed loading user inputs for - CSF Config
    Completed loading user inputs for - Dogwood Admin WLS
    Connecting to t3://adminvhn.example.com:7001
     
    Connection to domain runtime mbean server established
    Seeding credential :SSOAccessKey
    ********* ********* *********
    ********* Activating OAM Notifications *********
    Completed loading user inputs for - MDS DB Config
    Initialized MDS resources
    Jan 28, 2015 10:43:06 PM oracle.mds
    NOTIFICATION: MDS-10013: transfer operation started.
    Jan 28, 2015 10:43:06 PM oracle.mds
    NOTIFICATION: MDS-10014: transfer is completed. Total number of documents successfully processed : 1, total number of documents failed : 0.
    Upload to DB completed
    Releasing all resources
    Notifications activated.
    ********* ********* *********
    ********* Seeding OAM Config in OIM *********
    Completed loading user inputs for - OAM Access Config
    Validated input values
    Initialized MDS resources
    Jan 28, 2015 10:43:06 PM oracle.mds
    NOTIFICATION: MDS-10013: transfer operation started.
    Jan 28, 2015 10:43:06 PM oracle.mds
    NOTIFICATION: MDS-10014: transfer is completed. Total number of documents successfully processed : 1, total number of documents failed : 0.
    Download from DB completed
    Releasing all resources
    Updated /u01/app/oracle/product/fmw/iam/server/oamMetadata/db/oim-config.xml
    Initialized MDS resources
    Jan 28, 2015 10:43:06 PM oracle.mds
    NOTIFICATION: MDS-10013: transfer operation started.
    Jan 28, 2015 10:43:06 PM oracle.mds
    NOTIFICATION: MDS-10014: transfer is completed. Total number of documents successfully processed : 1, total number of documents failed : 0.
    Upload to DB completed
    Releasing all resources
    OAM configuration seeded. Please restart oim server.
    ********* ********* *********
    ********* Configuring Authenticators in OIM WLS *********
    Completed loading user inputs for - LDAP connection info
    Connecting to t3://adminvhn.example.com:7001
    Connection to domain runtime mbean server established
    Starting edit session
    Edit session started
    Connected to security realm.
    Validating provider configuration
    Validated desired authentication providers
    Destroyed Authentication Provider: Security:Name=myrealmOIMAuthenticationProvider
    Created OAMIDAsserter successfuly
    OAMIDAsserter is already configured to support 11g webgate
    Created OIMSignatureAuthenticator successfuly
    Created OUDAuthenticator successfuly
    Setting attributes for OUDAuthenticator
    All attributes set. Configured inOUDAuthenticatornow
    LDAP details configured in OUDAuthenticator
    Control flags for authenticators set sucessfully
    Reordering of authenticators done sucessfully
    Saving the transaction
    Transaction saved
    Activating the changes
    Changes Activated. Edit session ended.
    Connection closed sucessfully
    ********* ********* *********
    The tool has completed its operation. Details have been logged to automation.log
    
  6. Check the log file for errors and correct them if necessary. The tool is reentrant and can be safely called again.

  7. Restart the Oracle Identity Manager managed server and the WebLogic Administration Server.

    For information, see "Starting or Stopping the Oracle Stack" in Installation Guide for Oracle Identity and Access Management.
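A pre-flight check for the OIMconfigPropertyFile, written for this page as an added example (it is not part of idmConfigTool): it parses the KEY: value lines and applies the rules stated above, rejecting blank lines, unreplaced placeholders, a service-name MDS_DB_URL, and an ACCESS_GATE_ID or OAM_TRANSFER_MODE that differs from the configOAM properties file. The sample files, host names and SID are constructed, and limiting the accepted transfer modes to the Open and Simple modes this section discusses is an assumption.

```python
"""Pre-flight checks for an OIMconfigPropertyFile before idmConfigTool -configOIM.

Added example, not part of Oracle's idmConfigTool. It applies the rules this
section states: no blank lines, placeholders replaced, fixed-choice values,
numeric ports, MDS_DB_URL in SID form, and ACCESS_GATE_ID / OAM_TRANSFER_MODE
equal to the values in the configOAM properties file.
"""
import re

# Fixed-choice values as Table 2-9 describes them.
ALLOWED = {
    "WEBGATE_TYPE": {"ohsWebgate10g", "ohsWebgate11g"},
    "OAM_SERVER_VERSION": {"10g", "11g"},
    "IDSTORE_DIRECTORYTYPE": {"OVD", "OID", "OUD"},
}
# Assumption: only the two security modes this section discusses (case-insensitive).
TRANSFER_MODES = {"open", "simple"}
PORT_KEYS = ("ACCESS_SERVER_PORT", "OAM11G_WLS_ADMIN_PORT", "IDSTORE_PORT", "WLSPORT")
# SID form jdbc:oracle:thin:@host:port:SID; a service-name URL or the unreplaced
# DBHOST:PORT:SID placeholder does not match.
SID_URL = re.compile(r"^jdbc:oracle:thin:@[^:/@]+:\d{1,5}:[^:/]+$")
PLACEHOLDER = re.compile(r"<[^>]*>")


def parse_properties(text, forbid_blank=True):
    """Parse 'KEY: value' lines into a dict; returns (props, error_list)."""
    props, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            if forbid_blank:  # the page: the file must not contain blank lines
                errors.append("ERROR: line %d is blank" % lineno)
            continue
        key, sep, value = line.partition(":")  # values may contain ':' themselves
        if not sep or not key.strip():
            errors.append("ERROR: line %d is not 'KEY: value': %r" % (lineno, raw))
            continue
        props[key.strip()] = value.strip()
    return props, errors


def validate_oim_properties(oim_text, oam_text=None):
    """Return 'ERROR: ...' / 'WARN: ...' findings; an empty list means clean.
    oam_text is the configOAM properties file, used for the cross-checks."""
    props, findings = parse_properties(oim_text)
    for key, value in props.items():
        if PLACEHOLDER.search(value):
            findings.append("ERROR: %s still holds a placeholder: %s" % (key, value))
        if key in ALLOWED and value not in ALLOWED[key]:
            findings.append("ERROR: %s must be one of %s, got %r"
                            % (key, sorted(ALLOWED[key]), value))
        if key in PORT_KEYS and not value.isdigit():
            findings.append("ERROR: %s must be numeric, got %r" % (key, value))
    mode = props.get("OAM_TRANSFER_MODE", "")
    if mode.lower() not in TRANSFER_MODES:
        findings.append("ERROR: OAM_TRANSFER_MODE must be Open or Simple, got %r" % mode)
    url = props.get("MDS_DB_URL", "")
    if not SID_URL.match(url):
        findings.append("ERROR: MDS_DB_URL must look like jdbc:oracle:thin:@DBHOST:1521:SID "
                        "with the real SID, not a service name; got %r" % url)
    if "WLSPASSWD" in props:  # a plaintext secret on disk: handle the file accordingly
        findings.append("WARN: WLSPASSWD is a plaintext password; restrict the file's "
                        "permissions and delete the file once configOIM has run")
    if oam_text is not None:
        oam, _ = parse_properties(oam_text, forbid_blank=False)
        if props.get("ACCESS_GATE_ID") != oam.get("ACCESS_GATE_ID"):
            findings.append("ERROR: ACCESS_GATE_ID %r differs from the configOAM value %r"
                            % (props.get("ACCESS_GATE_ID"), oam.get("ACCESS_GATE_ID")))
        if mode.lower() != oam.get("OAM_TRANSFER_MODE", "").lower():
            findings.append("ERROR: OAM_TRANSFER_MODE %r differs from the configOAM value %r"
                            % (mode, oam.get("OAM_TRANSFER_MODE")))
    return findings


# Constructed samples, abbreviated to the keys the checks look at. GOOD_OIM has
# the page's DBHOST:PORT:SID placeholder filled in with a made-up host and SID.
GOOD_OIM = """\
ACCESS_SERVER_HOST: OAMHOST1.example.com
ACCESS_SERVER_PORT: 5575
ACCESS_GATE_ID: Webgate_IDM
OAM_TRANSFER_MODE: Open
WEBGATE_TYPE: ohsWebgate11g
OAM_SERVER_VERSION: 11g
OAM11G_WLS_ADMIN_PORT: 17001
IDSTORE_PORT: 389
IDSTORE_DIRECTORYTYPE: OUD
MDS_DB_URL: jdbc:oracle:thin:@dbhost.example.com:1521:IDMDB
WLSPORT: 7001
"""
GOOD_OAM = "ACCESS_GATE_ID: Webgate_IDM\nOAM_TRANSFER_MODE: Open\n"
# The file with the page's placeholders left in, plus a stray blank line.
UNFILLED_OIM = (GOOD_OIM.replace("dbhost.example.com:1521:IDMDB", "DBHOST:PORT:SID")
                + "\nOIM_MSM_REST_SERVER_URL: <Oracle Mobile Security Manager server URL>\n")
MISMATCHED_OAM = "ACCESS_GATE_ID: Webgate_OIM\nOAM_TRANSFER_MODE: Simple\n"

if __name__ == "__main__":
    print(validate_oim_properties(UNFILLED_OIM, MISMATCHED_OAM) or "clean")
```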

2.6 Configuring Oracle HTTP Server to Front-End Resources on Oracle Identity Manager

The Oracle HTTP Server (OHS) profile must be edited so that the OHS server points to the OIM server that is being protected by Access Manager. The oim.conf profile template file is located here:

$IAM_HOME/server/setup/templates/oim.conf

Note:

WebGate installation and configuration is required.

The Oracle HTTP Server with 11g WebGate must be installed. For information, see "Installing and Configuring Oracle HTTP Server 11g WebGate for OAM" in Oracle Fusion Middleware Installing Webgates for Oracle Access Manager.

For information about installing Oracle HTTP Server with a 10g WebGate, see "Registering and Managing 10g WebGates with Access Manager 11g" and "Configuring Apache, OHS, IHS for 10g WebGates" in Administrator's Guide for Oracle Access Management.

  1. Add the following entry to the oim.conf file, if it is not already present:

    <Location /reqsvc>
     SetHandler weblogic-handler
     WLCookieName oimjsessionid
     WebLogicHost <OIM managed server host>
     WebLogicPort <OIM managed server port>
     WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
    </Location> 
    
  2. Edit the oim.conf file to include the following lines:

    <Location /identity>
     SetHandler weblogic-handler
     WLCookieName oimjsessionid
     WebLogicHost <OIM managed server host>
     WebLogicPort <OIM managed server port>
     WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
    </Location> 
    
    <Location /sysadmin>
     SetHandler weblogic-handler
     WLCookieName oimjsessionid
     WebLogicHost <OIM managed server host>
     WebLogicPort <OIM managed server port>
     WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
    </Location>
    
    <Location /oam>
     SetHandler weblogic-handler
     WLCookieName jsessionid
     WebLogicHost <OAM managed server host>
     WebLogicPort <OAM managed server port>
     WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
    </Location>
    
    <Location /admin>
     SetHandler weblogic-handler
     WebLogicHost <OIM managed server host>
     WebLogicPort <OIM managed server port>
     WLCookieName oimjsessionid
     WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
    </Location>
     
    # oim self and advanced admin webapp consoles(canonic webapp)
    <Location /oim>
     SetHandler weblogic-handler
     WebLogicHost <OIM managed server host>
     WebLogicPort <OIM managed server port>
     WLCookieName oimjsessionid
     WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
    </Location>
    
    # SOA Callback webservice for SOD
    <Location /sodcheck>
     SetHandler weblogic-handler
     WebLogicHost <OIM managed server host>
     WebLogicPort <OIM managed server port>
     WLCookieName oimjsessionid
     WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
    </Location>
     
    # Callback webservice for SOA. SOA calls this when a request is approved/rejected
    # Provide the SOA Managed Server Port
    <Location /workflowservice>
     SetHandler weblogic-handler
     WebLogicHost <OIM managed server host>
     WebLogicPort <OIM managed server port>
     WLCookieName oimjsessionid
     WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
    </Location>
    
    # xlWebApp - Legacy 9.x webapp (struts based)
    <Location /xlWebApp>
     SetHandler weblogic-handler
     WLCookieName oimjsessionid
     WebLogicHost <OIM managed server host>
     WebLogicPort <OIM managed server port>
     WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
    </Location>
     
    # Nexaweb WebApp - used for workflow designer and DM
    <Location /Nexaweb>
     SetHandler weblogic-handler
     WLCookieName oimjsessionid
     WebLogicHost <OIM managed server host>
     WebLogicPort <OIM managed server port>
     WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
    </Location>
     
    # used for FA Callback service.
    <Location /callbackResponseService>
     SetHandler weblogic-handler
     WLCookieName oimjsessionid
     WebLogicHost <OIM managed server host>
     WebLogicPort <OIM managed server port>
     WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
    </Location>
     
    # spml xsd profile
    <Location /spml-xsd>
     SetHandler weblogic-handler
     WLCookieName oimjsessionid
     WebLogicHost <OIM managed server host>
     WebLogicPort <OIM managed server port>
     WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
    </Location>
     
    <Location /HTTPClnt>
     SetHandler weblogic-handler
     WLCookieName oimjsessionid
     WebLogicHost <OIM managed server host>
     WebLogicPort <OIM managed server port>
     WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
    </Location>
    
  3. Copy the oim.conf file to the OHS moduleconf location:

    INSTANCE_LOCATION/config/OHS/ohs1/moduleconf/
    
  4. Restart the OHS instance. For information on restarting the OHS instance, see "Restarting Oracle HTTP Server Instances" in Oracle Fusion Middleware Administrator's Guide for Oracle HTTP Server.
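An added check of the finished oim.conf before it is copied to moduleconf (example code written for this page, not Oracle's template or tooling): it parses the Location blocks listed above and flags a missing path, an unreplaced placeholder, a /oam block that is not routed to the Access Manager managed server, and a block whose WLCookieName differs from the listing. The host names and ports in the constructed sample are made up.

```python
"""Check a finished oim.conf against the <Location> listing in this section.

Added example, not Oracle's oim.conf template or tooling. It verifies that
each path the listing mounts is present, uses SetHandler weblogic-handler,
has its WebLogicHost/WebLogicPort placeholders replaced, routes /oam to the
Access Manager managed server and everything else to the OIM managed server,
and sets the cookie name the listing gives (jsessionid for /oam, oimjsessionid
elsewhere).
"""
import re

# Paths from the listing; /oam is the only one served by the OAM managed server.
EXPECTED_PATHS = {"/reqsvc", "/identity", "/sysadmin", "/oam", "/admin", "/oim",
                  "/sodcheck", "/workflowservice", "/xlWebApp", "/Nexaweb",
                  "/callbackResponseService", "/spml-xsd", "/HTTPClnt"}
REQUIRED = ("SetHandler", "WLCookieName", "WebLogicHost", "WebLogicPort", "WLLogFile")
LOCATION_RE = re.compile(r"<Location\s+([^\s>]+)\s*>(.*?)</Location>", re.S)
PLACEHOLDER = re.compile(r"<[^>]*>")  # e.g. <OIM managed server host> left unreplaced


def parse_locations(conf):
    """Map each <Location path> block to its {directive: value} pairs."""
    blocks = {}
    for match in LOCATION_RE.finditer(conf):
        directives = {}
        for line in match.group(2).splitlines():
            line = line.strip()
            if line and not line.startswith("#"):
                name, _, value = line.partition(" ")
                directives[name] = value.strip().strip('"')
        blocks[match.group(1)] = directives
    return blocks


def check_oim_conf(conf, oim_host, oam_host):
    """Return a list of problems; an empty list means the file matches the listing."""
    blocks = parse_locations(conf)
    problems = ["missing <Location %s>" % p for p in sorted(EXPECTED_PATHS - set(blocks))]
    for path, d in sorted(blocks.items()):
        for key in REQUIRED:
            if key not in d:
                problems.append("%s: missing %s" % (path, key))
            elif PLACEHOLDER.search(d[key]):
                problems.append("%s: %s still holds placeholder %s" % (path, key, d[key]))
        if d.get("SetHandler", "weblogic-handler") != "weblogic-handler":
            problems.append("%s: SetHandler must be weblogic-handler" % path)
        if not d.get("WebLogicPort", "0").isdigit():
            problems.append("%s: WebLogicPort must be numeric" % path)
        if path == "/oam":
            want_host, want_cookie = oam_host, "jsessionid"
        else:
            want_host, want_cookie = oim_host, "oimjsessionid"
        if d.get("WebLogicHost", want_host) != want_host:
            problems.append("%s: WebLogicHost is %s, expected %s" % (path, d["WebLogicHost"], want_host))
        if d.get("WLCookieName", want_cookie) != want_cookie:
            problems.append("%s: WLCookieName is %s, expected %s" % (path, d["WLCookieName"], want_cookie))
    return problems


def location_block(path, host, port, cookie="oimjsessionid"):
    """Render one block in the listing's shape; used here only to build samples."""
    return ("<Location %s>\n SetHandler weblogic-handler\n WLCookieName %s\n"
            " WebLogicHost %s\n WebLogicPort %s\n"
            ' WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"\n'
            "</Location>\n") % (path, cookie, host, port)


# Constructed sample: the host names and ports are made up for this example.
OIM_HOST, OAM_HOST = "oim1.example.com", "oam1.example.com"
SAMPLE_OK = "".join(
    location_block(p, OAM_HOST, "14100", "jsessionid") if p == "/oam"
    else location_block(p, OIM_HOST, "14000")
    for p in sorted(EXPECTED_PATHS))
# The same file with the /oam host placeholder left in and /admin missing its cookie name.
SAMPLE_BAD = (SAMPLE_OK
              .replace("WebLogicHost " + OAM_HOST, "WebLogicHost <OAM managed server host>")
              .replace("<Location /admin>\n SetHandler weblogic-handler\n WLCookieName oimjsessionid\n",
                       "<Location /admin>\n SetHandler weblogic-handler\n"))

if __name__ == "__main__":
    print("ok:", check_oim_conf(SAMPLE_OK, OIM_HOST, OAM_HOST))
    print("bad:", check_oim_conf(SAMPLE_BAD, OIM_HOST, OAM_HOST))
```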

2.7 Deleting the IAMSuiteAgent Security Provider from WebLogic

The IAMSuiteAgent is installed out of the box when you install Access Manager. It is preconfigured to provide single sign-on for the IdM domain consoles, Oracle Identity Manager, Oracle Adaptive Access Manager, and other Identity Management servers created during domain creation. It is like a WebGate, but it only protects internal URLs provided by various products in the Identity and Access Management Suite.

Because this environment uses an OHS 11g WebGate to handle single sign-on, the IAMSuiteAgent is no longer necessary, so you must remove it. To do so:

  1. Log in to the Oracle WebLogic Administration Console using the URL: http://admin.example.com/console.

  2. Click Lock and Edit from the Change Center.

  3. Select Security Realms from the left pane and click myrealm.

  4. Click the Providers tab and then the Authentication tab.

  5. In the list of authentication providers, select IAMSuiteAgent.

  6. Click Delete to delete IAMSuiteAgent.

  7. Click Yes to confirm the deletion.

  8. Click Activate Changes from the Change Center.

  9. Restart WebLogic Administration Server and all running Managed Servers.

    For information on restarting the servers, see "Restarting Servers" in Installation Guide for Oracle Identity and Access Management.

2.8 Validating the Integration

This section provides steps for validating the integrated environment. Performing the following sanity checks can help you avoid some common issues that could be encountered during runtime.

In this release, Oracle Identity Manager is integrated with Access Manager when idmConfigTool is run with the -configOIM option. After the command is run, the following configuration settings and files are updated:

2.8.1 Validate Oracle Identity Manager SSOConfig

To validate the SSOConfig settings in oim-config.xml:

  1. Log in to Oracle Enterprise Manager Fusion Middleware Control.

  2. Select Weblogic Domain, then right-click the domain name.

  3. Open the System MBean Browser and search for the SSOConfig MBean.

    For more information, see "Getting Started Using the Fusion Middleware Control MBean Browsers" in Administrator's Guide.

  4. Verify that the following attribute settings are correct after running idmConfigTool -configOIM. Update any values as needed:

    • SsoEnabled attribute is set to true.

    • If using TAP communication, the TapEndpointURL attribute is present.

    • If using Oracle Access Protocol (OAP) communication, the following attributes are present: AccessGateID, AccessServerHost, AccessServerPort, CookieDomain, CookieExpiryInterval, NapVersion, TransferMode, WebgateType.

    • If Version is set to 11g, verify the TapEndpointURL attribute is set to a valid URL. Validate the URL by accessing it in a web browser.

    • If Version is set to 10g, verify the other attributes are configured correctly.

2.8.2 Validate Security Provider Configuration

To validate the Oracle Identity Manager security provider configuration:

  1. In Oracle WebLogic Administration Console, navigate to the OIM domain.

  2. Navigate to Security Realms > myrealm and then click the Providers tab.

  3. Confirm the Authentication Providers are configured as follows.

    Authentication Provider      Control Flag
    OAMIDAsserter                REQUIRED
    OIMSignatureAuthenticator    SUFFICIENT
    LDAP Authenticator           SUFFICIENT
    DefaultAuthenticator         SUFFICIENT
    DefaultIdentityAsserter      Not applicable

  4. The LDAP Authenticator name may vary depending on which LDAP provider you are using. For example, for Oracle Unified Directory it is OUDAuthenticator. Verify that it is configured correctly by selecting the Users and Groups tab and confirming that the LDAP users are listed in the Users tab.

To validate the Access Manager security provider configuration:

  1. In Oracle WebLogic Administration Console, navigate to the OAM domain.

  2. Navigate to Security Realms > myrealm. Then, click the Providers tab.

  3. Confirm the Authentication Providers are configured as follows.

    Authentication Provider      Control Flag
    OAMIDAsserter                REQUIRED
    DefaultAuthenticator         SUFFICIENT
    LDAP Authenticator           SUFFICIENT
    DefaultIdentityAsserter      Not applicable

  4. The LDAP authenticator varies depending upon the LDAP provider being used. Verify that it is configured correctly by clicking the Users and Groups tab, and confirming that the LDAP users are listed in Users tab.

2.8.3 Validate Oracle Identity Manager Domain Credential Store

All passwords and credentials used during communication between Oracle Identity Manager and Access Manager are stored in the domain credential store.

To validate the passwords and credentials used to communicate:

  1. Log in to Oracle Enterprise Manager Fusion Middleware Control and select WebLogic Domain.

  2. Right-click the domain name. Navigate to Security, then Credentials.

  3. Expand the oim instance. Verify the following credentials:

    • SSOAccessKey: OPEN mode only

    • SSOKeystoreKey: SIMPLE mode only

    • SSOGobalPP: SIMPLE mode only

    • OIM_TAP_PARTNER_KEY

2.8.4 Validate Event Handlers for SSO

A set of event handlers is uploaded to the Oracle Identity Manager MDS in order to support session termination after a user status change. These event handlers notify Access Manager when a user status is changed, and Access Manager then terminates the user session. They are uploaded to MDS as part of the EventHandlers.xml file, located at /db/ssointg/EventHandlers.xml.

To confirm all event handlers are configured correctly, export the EventHandlers.xml file using Oracle Enterprise Manager Fusion Middleware Control:

  1. Log in to Oracle Enterprise Manager Fusion Middleware Control.

  2. Navigate to Identity and Access > OIM > oim(11.1.2.0.0).

  3. Right-click and navigate to System MBean Browser.

  4. Under Application Defined MBeans, navigate to Oracle.mds.lcm > Server:oim_server1 > Application:OIMAppMetadata > MDSAppRuntime > MDSAppRuntime.

    For more information, see "Getting Started Using the Fusion Middleware Control MBean Browsers" in Administrator's Guide.

  5. Click the Operations tab, and then, click exportMetadata.

  6. In toLocation, enter /tmp or the name of another directory. This is the directory where the file will be exported.

  7. In the docs field, click Edit, then Add, and enter the complete file location as the Element:

    /db/oim-config.xml
    /db/ssointg/EventHandlers.xml
    
  8. Select false for excludeAllCust, excludeBaseDocs, and excludeExtendedMetadata.

  9. Click Invoke to export the files specified in the docs field to the directory specified in the toLocation field.

For more information, see "Deploying and Undeploying Customizations" in Developing and Customizing Applications for Oracle Identity Manager.

2.8.5 Validate SSO Logout Configuration

Oracle Identity Manager logout is configured to use single logout after the integration is complete. After a user logs out from Oracle Identity Manager, they are logged out from all the Access Manager protected applications as well.

To verify the configuration of single logout, do the following:

  1. Change to the following directory:

    OIM_DOMAIN_HOME/config/fmwconfig 
    
  2. Open the jps-config.xml file.

  3. Ensure the <propertySet name="props.auth.uri.0"> element in the jps-config.xml file contains entries similar to the following example:

    <propertySet name="props.auth.uri.0">
      <property name="logout.url" value="/oamsso/logout.html"/>
      <property name="autologin.url" value="None"/>
      <property name="login.url.BASIC" value="/${app.context}/adfAuthentication"/>
      <property name="login.url.FORM" value="/${app.context}/adfAuthentication"/>
      <property name="login.url.ANONYMOUS" value="/${app.context}/adfAuthentication"/>
    </propertySet>
    

2.9 Functionally Testing the Access Manager and Oracle Identity Manager Integration

The final task is to verify the integration by performing, in order, the steps shown in Table 2-10.

Table 2-10 Verifying Access Manager and Oracle Identity Manager Integration

Step 1

  Description: Log in to the Oracle Access Management Administration Console as the weblogic_idm user using the URL:

    http://admin_server_host:admin_server_port/oamconsole

  Expected result: Provides access to the administration console.

Step 2

  Description: Access the Oracle Identity Manager administration page with the URL:

    • For Oracle Identity Self Service:

      http://hostname:port/identity/faces/home

    • For Oracle Identity System Administration:

      http://hostname:port/sysadmin/faces/home

    where hostname:port can be for either Oracle Identity Manager or OHS, depending on whether a Domain Agent or WebGate is used.

  Expected result: The Oracle Access Management login page from the Access Manager managed server should display.

    Verify the links for "Forgot Password", "Self Register" and "Track Registration" features appear in the login page. Verify that each link works. For more information about these features, see Section 1.5.3, "Password Management Scenarios."

Step 3

  Description: Log in as xelsysadm (Oracle Identity Manager administrator).

  Expected result: The Oracle Identity Manager Admin Page should be accessible.

Step 4

  Description: Create a new user using Oracle Identity Self Service.

    Close the browser and try accessing the OIM Identity Page. When prompted for login, provide valid credentials for the newly created user.

  Expected result: You should be redirected to Oracle Identity Manager and be required to reset the password.

    After resetting the password and setting the challenge question, the user should be automatically logged into the application. Auto-login should work.

Step 5

  Description: Close the browser and access Oracle Identity Self Service.

  Expected result: The Oracle Access Management login page from the Access Manager managed server should display.

    Verify the links for "Forgot Password", "Self Register" and "Track Registration" features appear in the login page. Verify that each link works. For more information about these features, see Section 1.5.3, "Password Management Scenarios."

Step 6

  Description: Verify the lock/disable feature works by opening a browser and logging in as a test user.

    In another browser session, log in as an administrator, then lock the test user account.

  Expected result: The user must be redirected back to the login page while accessing any of the links.

Step 7

  Description: Verify the SSO logout feature works by logging into Oracle Identity Self Service as a test user or system administrator.

  Expected result: Upon logout from the page, you are redirected to the SSO logout page.


2.10 Troubleshooting Common Problems

This section describes common problems you might encounter in an Oracle Identity Manager and Access Manager integrated environment and explains how to solve them. It is organized by common problem types and contains the following topics:

In addition to this section, review the Oracle Fusion Middleware Error Messages Reference for information about the error messages you may encounter.

For information about additional troubleshooting resources, see Section 1.7, "Using My Oracle Support for Additional Troubleshooting Information."

2.10.1 Single Sign-On Issues

This section describes common problems and solutions relating to single sign-on in the integrated environment. Using single sign-on, a user can access Oracle Identity Manager resources after being successfully authenticated by Access Manager. When accessing any Oracle Identity Manager resource protected by Access Manager, the user is challenged for their credentials by Access Manager using the Oracle Access Management Console login page.

This section discusses the following single sign-on issues:

2.10.1.1 Checking HTTP Headers

Checking the HTTP headers may provide diagnostic information about login issues. To collect this information, enable HTTP tracing in the web browser, log in to Access Manager as a new user, and examine the headers for useful information.

2.10.1.2 User is Redirected to Wrong Login Page

After accessing an Oracle Identity Manager resource using OHS (for example, http://OHS_HOST:OHS_PORT/identity), the user is redirected to the Oracle Identity Manager login page instead of the Oracle Access Management Console login page.

Cause

The Access Manager WebGate is not deployed or configured properly.

Solution

Confirm the httpd.conf file contains the following entry at the end:

include  "<ORACLE_WEBTIER_INST_HOME>/config/OHS/ohs1/webgate.conf"

where webgate.conf contains the 11g WebGate configuration.

If this entry is not found, review the 11g WebGate configuration steps to verify none were missed. For more information, see Oracle Fusion Middleware Installing Webgates for Oracle Access Manager and Administrator's Guide for Oracle Access Management.

2.10.1.3 Login Fails

User login fails with the following error:

An incorrect Username or Password was specified.

Cause

Access Manager is responsible for user authentication but authentication has failed. The identity store configuration may be wrong.

Solution

Check the identity store is configured correctly in the Oracle Access Management Console.

To resolve this problem:

  1. Log in to the Oracle Access Management Console.

  2. Navigate to Configuration > User Identity Stores > OAMIDStore.

  3. Verify the Default Store and System Store configuration.

  4. Click Test Connection to verify the connection.

2.10.1.4 Oracle Access Management Console Login Page Does Not Display

The user is not directed to the Oracle Access Management Console to log in, and the following error message displays:

Oracle Access Manager Operation Error.

Cause 1

The OAM Server is not running.

Solution 1

Start the OAM Server.

Cause 2

The WebGate is not correctly deployed on OHS and is not configured correctly for the 10g or 11g Agent located on the OAM Server.

An error message displays, for example: The AccessGate is unable to contact any Access Servers.

The issue may be with the SSO Agent.

Solution 2

To resolve this problem:

  1. Run oamtest.jar (ORACLE_HOME/oam/server/tester) and test the connection by specifying AgentID.

    The AgentID can be found in ObAccessClient.xml, located in the webgate/config directory in the WEBSERVER_HOME. For example:

    <SimpleList>
      <NameValPair
        ParamName="id"
        Value="IAMAG_11g"></NameValPair>
    </SimpleList>
    

    If the Tester fails to connect, this confirms a problem exists with the SSO Agent configuration (password/host/port) on the OAM Server.

  2. Re-create the 10g or 11g SSO Agent and then reconfigure the WebGate to use this Agent.

    Follow the instructions in Administrator's Guide for Oracle Access Management.

2.10.1.5 Authenticated User is Redirected to Oracle Identity Manager Login Page

The user authenticates using the Oracle Access Management Console but is redirected to the Oracle Identity Manager login page to enter credentials.

Cause 1

The security providers for the OIM domain are not configured correctly in Oracle WebLogic Server.

Solution 1

Verify the WebLogic security providers are configured correctly for the OIM domain security realm. Check the LDAP Authenticator setting. For more information, see Section 2.8.2, "Validate Security Provider Configuration."

Cause 2

The OAMIDAsserter identity assertion provider is not configured correctly in the OIM domain's WebLogic security realm.

Solution 2

To resolve this problem:

  1. Log in to the Oracle WebLogic Server Administration Console for the OIM domain.

  2. Navigate to Security Realms, select the realm, open the Providers tab, and click OAMIDAsserter.

  3. On the Common tab, verify that Active Types contains the header or cookie the WebGate sends:

    • OAM_REMOTE_USER, for an 11g WebGate.

    • ObSSOCookie, for a 10g WebGate.

  4. If the type is missing, move it to Chosen, save, activate the changes, and restart the Oracle Identity Manager managed servers.

Because the identity asserter accepts this header or cookie as proof of identity, make sure the Oracle Identity Manager managed servers are reachable only through the WebGate-protected OHS. A client that can connect to the WebLogic port directly could supply its own OAM_REMOTE_USER value.

2.10.1.6 User is Redirected to Oracle Identity Manager Login Page

Access Manager relies upon Oracle Identity Manager for password management. If the user logs in for the first time or if the user password is expired, Access Manager redirects the user to the Oracle Identity Manager First Login page.

From the Access Manager login screen, the user should be able to navigate to the Oracle Identity Manager Forgot Password, Self-Registration and Track Registration flows.

Cause

If one of these flows misbehaves or throws an error, the IdentityManagement configuration in oam-config.xml (OAM_DOMAIN_HOME/config/fmwconfig) is probably incorrect.

Solution

Verify that the contents of oam-config.xml resemble the following example. Specifically, confirm that Host and Port under ServerConfiguration correspond to the OHS (or any supported web server) that front-ends the Oracle Identity Manager resources, and that IdentityManagementServer and RegistrationManagementServer name that ServerConfiguration entry. If you must correct the file by hand, stop the AdminServer and the OAM managed servers first; the running servers write oam-config.xml and can overwrite a hand edit.

<Setting Name="IdentityManagement" Type="htf:map">
  <Setting Name="IdentityServiceConfiguration" Type="htf:map">
    <Setting Name="IdentityServiceProvider" Type="xsd:string">oracle.security.am.engines.idm.provider.OracleIdentityServiceProvider</Setting>
    <Setting Name="AnonymousAuthLevel" Type="xsd:integer">0</Setting>
    <Setting Name="IdentityServiceEnabled" Type="xsd:boolean">true</Setting>
    <Setting Name="IdentityServiceProviderConfiguration" Type="htf:map">
      <Setting Name="AccountLockedURL" Type="xsd:string">/identity/faces/accountlocked</Setting>
      <Setting Name="ChallengeSetupNotDoneURL" Type="xsd:string">/identity/faces/firstlogin</Setting>
      <Setting Name="DateFormatPattern" Type="xsd:string">yyyy-MM-dd'T'HH:mm:ss'Z'</Setting>
      <Setting Name="ForcedPasswordChangeURL" Type="xsd:string">/identity/faces/firstlogin</Setting>
      <Setting Name="IdentityManagementServer" Type="xsd:string">OIM-SERVER-1</Setting>
      <Setting Name="PasswordExpiredURL" Type="xsd:string">/identity/faces/firstlogin</Setting>
      <Setting Name="LockoutAttempts" Type="xsd:integer">5</Setting>
      <Setting Name="LockoutDurationSeconds" Type="xsd:long">31536000</Setting>
    </Setting>
  </Setting>
  <Setting Name="RegistrationServiceConfiguration" Type="htf:map">
    <Setting Name="RegistrationServiceProvider" Type="xsd:string">oracle.security.am.engines.idm.provider.DefaultRegistrationServiceProvider</Setting>
    <Setting Name="RegistrationServiceEnabled" Type="xsd:boolean">true</Setting>
    <Setting Name="RegistrationServiceProviderConfiguration" Type="htf:map">
      <Setting Name="ForgotPasswordURL" Type="xsd:string">/identity/faces/forgotpassword</Setting>
      <Setting Name="NewUserRegistrationURL" Type="xsd:string">/identity/faces/register</Setting>
      <Setting Name="RegistrationManagementServer" Type="xsd:string">OIM-SERVER-1</Setting>
      <Setting Name="TrackUserRegistrationURL" Type="xsd:string">/identity/faces/trackregistration</Setting>
    </Setting>
  </Setting>
  <Setting Name="ServerConfiguration" Type="htf:map">
    <Setting Name="OIM-SERVER-1" Type="htf:map">
      <Setting Name="Host" Type="xsd:string">myhost1.example.com</Setting>
      <Setting Name="Port" Type="xsd:integer">7777</Setting>
      <Setting Name="SecureMode" Type="xsd:boolean">false</Setting>
    </Setting>
  </Setting>
</Setting>

SecureMode false means Access Manager calls the Oracle Identity Manager front end over plain HTTP, so the password-management redirects travel unencrypted. In production, front-end Oracle Identity Manager with an SSL-enabled port, set Port to that port, and set SecureMode to true.

2.10.1.7 New User is Not Redirected to Change Password

A new user created in Oracle Identity Manager logs into Oracle Identity Manager for the first time and is not redirected to the First Login Page and prompted to change their password.

Cause

The Oracle Virtual Directory adapters (either OVD or libOVD, depending on the setup) are not configured correctly.

Solution

Locate the corresponding adapters.os_xml file and verify that the oamEnabled parameter is set to true for both the UserManagement and changelog adapters. For example:

<param name="oamEnabled" value="true"/>

Next, verify that IdentityServiceEnabled is set to true in oam-config.xml (see Section 2.10.1.6, "User is Redirected to Oracle Identity Manager Login Page"). For example:

<Setting Name="IdentityServiceEnabled" Type="xsd:boolean">true</Setting>

2.10.1.8 User is Redirected in a Loop

A new user attempts to access Oracle Identity Manager Self-Service and after successful authentication, the user is redirected in a loop. The service page does not load and the browser continues spinning or refreshing.

Cause

The WLCookieName directive in the OHS configuration that front-ends the Oracle Identity Manager /identity application is missing or incorrect.

Solution

Check the OHS configuration that front-ends /identity and verify that the WLCookieName directive is set to oimjsessionid, the session cookie name Oracle Identity Manager uses. mod_wl_ohs reads this cookie to route each request back to the WebLogic server that holds the session; with the wrong cookie name the session is not recognized and the page keeps bouncing. If it is missing or wrong, set WLCookieName oimjsessionid in each Oracle Identity Manager resource Location entry. For example:

<Location /identity>
  SetHandler weblogic-handler
  WLCookieName oimjsessionid
  WebLogicHost myhost1.example.com
  WebLogicPort 8003
  WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
</Location>

2.10.2 Auto-Login Issues

The auto-login feature enables user login to Oracle Identity Manager after the successful completion of the Forgot Password or Forced Change Password flows, without prompting the user to authenticate using the new password.

Communication between Oracle Identity Manager and Access Manager can be configured to use the Oracle Access Protocol (OAP) or the TAP channel. Debugging auto-login issues is simpler once you know which channel is in use. Determine the channel by examining the version attribute of the Oracle Identity Manager SSOConfig MBean using the System MBean Browser in Oracle Enterprise Manager Fusion Middleware Control. For more information, see "Using the System MBean Browser" in Administrator's Guide.

Depending upon the Access Manager version being used, the following applies:

  • If the version is 10g, the Oracle Access Protocol (OAP) channel is used during auto-login. See Section 2.10.2.2, "Oracle Access Protocol (OAP) Issues."

    After a password is reset in Oracle Identity Manager and in LDAP through LDAP-synchronization, Oracle Identity Manager will auto-login the user by redirecting to the requested resource.

  • If the version is 11g, the TAP channel is used during auto-login. See Section 2.10.2.1, "TAP Protocol Issues."

    After a password is reset in Oracle Identity Manager and in LDAP through LDAP synchronization, Oracle Identity Manager redirects the user to the Access Manager TAP endpoint URL (SSOConfig: TAPEndpointUrl). Access Manager will auto-login the user by redirecting to the requested resource.

Note:

In an 11g R2 Oracle Identity Manager and Access Manager integrated environment, the TAP protocol is configured for auto-login by default.

2.10.2.1 TAP Protocol Issues

Check the OIM Server and Access Manager Server logs for any of the following error messages.

2.10.2.1.1 404 Not Found Error

After resetting the password, the user is redirected to a 404 Not Found error page.

Cause

The Access Manager TAP endpoint URL (SSOConfig: TAPEndpointUrl) is configured incorrectly.

Solution

Verify that TAPEndpointUrl is correctly configured in Oracle Identity Manager SSOConfig and is accessible. For example:

http://OAM_HOST:OAM_PORT/oam/server/dap/cred_submit

Or

http://OHS_HOST:OHS_PORT/oam/server/dap/cred_submit

where Access Manager is front-ended by OHS.

2.10.2.1.2 System Error

After resetting the password, the user is redirected to the Access Manager TAPEndpointUrl (configured in Oracle Identity Manager SSOConfig), and the following error displays in the UI:

System error. Please re-try your action. If you continue to get this error, please contact the Administrator.

Cause 1

A message similar to the following displays in the Access Manager Server logs:

<Sep 19, 2012 4:29:45 PM EST> <Warning> <oracle.oam.engine.authn> <BEA-000000> <DAP Token not received>
<Sep 19, 2012 4:29:45 PM EST> <Error> <oracle.oam.binding> <OAM-00002> <Error occurred while handling the request.
java.lang.NullPointerException
at oracle.security.am.engines.enginecontroller.token.DAPTokenEncIssuerImpl.issue(DAPTokenEncIssuerImpl.java:87)

Solution 1

This error can be caused by a misconfiguration of the TAPResponseOnlyScheme authentication scheme in Access Manager. Verify that oam-config.xml (located at OAM_DOMAIN_HOME/config/fmwconfig) contains the following entry:

<Setting Name="DAPModules" Type="htf:map">
    <Setting Name="7DASE52D" Type="htf:map">
        <Setting Name="MAPPERCLASS" Type="xsd:string">oracle.security.am.engine.authn.internal.executor.DAPAttributeMapper</Setting>
        <Setting Name="MatchLDAPAttribute" Type="xsd:string">uid</Setting>
        <Setting Name="name" Type="xsd:string">DAP</Setting>
    </Setting>
</Setting>

The value of MatchLDAPAttribute should be uid, the attribute Access Manager uses to map the DAP token to the user in the identity store. If it is not, change the value through the console:

To resolve the problem:

  1. Log in to the Oracle Access Management Console.

  2. Navigate to TAPResponseOnlyScheme and add the following as a Challenge parameter:

    MatchLDAPAttribute=uid

  3. Save the changes.
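The checks in Section 2.10.1.6 (IdentityManagement host, port and redirect URLs), Section 2.10.1.7 (IdentityServiceEnabled) and Solution 1 above (MatchLDAPAttribute) can be scripted so they run the same way every time. The following Python script is an added example and is not Oracle's code. It assumes only that oam-config.xml is a tree of <Setting Name="..." Type="..."> elements as shown in this chapter; the <Configuration> wrapper around the sample is an assumption, and the sample itself is constructed from the fragments in those sections. Run it against a copy of the file and pass the host and port of the OHS that front-ends Oracle Identity Manager.

```python
"""Check the OIM integration settings in oam-config.xml (added example, not Oracle's code).
Assumes only that the file is a tree of <Setting Name=".." Type=".."> elements as shown in
this chapter; the <Configuration> wrapper around the constructed sample is an assumption."""
import xml.etree.ElementTree as ET

# Constructed sample assembled from the fragments in Sections 2.10.1.6 and 2.10.2.1.2.
SAMPLE_OAM_CONFIG = """\
<Configuration>
 <Setting Name="IdentityManagement" Type="htf:map">
  <Setting Name="IdentityServiceConfiguration" Type="htf:map">
   <Setting Name="IdentityServiceEnabled" Type="xsd:boolean">true</Setting>
   <Setting Name="IdentityServiceProviderConfiguration" Type="htf:map">
    <Setting Name="AccountLockedURL" Type="xsd:string">/identity/faces/accountlocked</Setting>
    <Setting Name="ChallengeSetupNotDoneURL" Type="xsd:string">/identity/faces/firstlogin</Setting>
    <Setting Name="ForcedPasswordChangeURL" Type="xsd:string">/identity/faces/firstlogin</Setting>
    <Setting Name="PasswordExpiredURL" Type="xsd:string">/identity/faces/firstlogin</Setting>
    <Setting Name="IdentityManagementServer" Type="xsd:string">OIM-SERVER-1</Setting>
   </Setting>
  </Setting>
  <Setting Name="RegistrationServiceConfiguration" Type="htf:map">
   <Setting Name="RegistrationServiceEnabled" Type="xsd:boolean">true</Setting>
   <Setting Name="RegistrationServiceProviderConfiguration" Type="htf:map">
    <Setting Name="ForgotPasswordURL" Type="xsd:string">/identity/faces/forgotpassword</Setting>
    <Setting Name="NewUserRegistrationURL" Type="xsd:string">/identity/faces/register</Setting>
    <Setting Name="TrackUserRegistrationURL" Type="xsd:string">/identity/faces/trackregistration</Setting>
    <Setting Name="RegistrationManagementServer" Type="xsd:string">OIM-SERVER-1</Setting>
   </Setting>
  </Setting>
  <Setting Name="ServerConfiguration" Type="htf:map">
   <Setting Name="OIM-SERVER-1" Type="htf:map">
    <Setting Name="Host" Type="xsd:string">myhost1.example.com</Setting>
    <Setting Name="Port" Type="xsd:integer">7777</Setting>
    <Setting Name="SecureMode" Type="xsd:boolean">false</Setting>
   </Setting>
  </Setting>
 </Setting>
 <Setting Name="DAPModules" Type="htf:map">
  <Setting Name="7DASE52D" Type="htf:map">
   <Setting Name="MatchLDAPAttribute" Type="xsd:string">uid</Setting>
   <Setting Name="name" Type="xsd:string">DAP</Setting>
  </Setting>
 </Setting>
</Configuration>
"""

SERVICES = (  # (service map, enabled flag, provider-config map, server setting, required URLs)
    ("IdentityServiceConfiguration", "IdentityServiceEnabled",
     "IdentityServiceProviderConfiguration", "IdentityManagementServer",
     ("AccountLockedURL", "ChallengeSetupNotDoneURL", "ForcedPasswordChangeURL", "PasswordExpiredURL")),
    ("RegistrationServiceConfiguration", "RegistrationServiceEnabled",
     "RegistrationServiceProviderConfiguration", "RegistrationManagementServer",
     ("ForgotPasswordURL", "NewUserRegistrationURL", "TrackUserRegistrationURL")),
)


def _child(node, name):  # <Setting Name="name"> directly under node; None-safe for chaining
    return None if node is None else node.find(f"./Setting[@Name='{name}']")


def _text(node):
    return None if node is None else (node.text or "").strip()


def check_oam_config(xml_text, expected_host, expected_port):
    """Return (problems, warnings). problems break the First Login, Forgot Password or auto-login
    flows; warnings work but weaken the deployment. expected_host:expected_port is the OHS front end."""
    root = ET.fromstring(xml_text)
    for el in root.iter():                        # tolerate a default namespace on the file
        el.tag = el.tag.rsplit("}", 1)[-1]
    problems, warnings = [], []
    idm = root.find(".//Setting[@Name='IdentityManagement']")
    if idm is None:
        return ["IdentityManagement map missing"], warnings
    servers = _child(idm, "ServerConfiguration")
    # Each service must be enabled, carry its redirect URLs and name a known server entry.
    for svc_name, enabled, cfg_name, server_key, urls in SERVICES:
        svc = _child(idm, svc_name)
        if _text(_child(svc, enabled)) != "true":
            problems.append(f"{enabled} is not true")
        cfg = _child(svc, cfg_name)
        problems += [f"{u} missing or empty" for u in urls if not _text(_child(cfg, u))]
        name = _text(_child(cfg, server_key))
        if not name or _child(servers, name) is None:
            problems.append(f"{server_key} {name!r} has no ServerConfiguration entry")
    # Every server entry must point at the OHS front end; plain HTTP is flagged, not failed.
    for entry in (servers.findall("./Setting") if servers is not None else []):
        name, host, port = entry.get("Name"), _text(_child(entry, "Host")), _text(_child(entry, "Port"))
        if (host, port) != (expected_host, str(expected_port)):
            problems.append(f"{name} is {host}:{port}, expected {expected_host}:{expected_port}")
        if _text(_child(entry, "SecureMode")) != "true":
            warnings.append(f"{name}: SecureMode is not true, OAM calls the OIM front end over plain HTTP")
    # Auto-login fails with the NullPointerException above unless the DAP module maps by uid.
    dap = root.find(".//Setting[@Name='DAPModules']")
    modules = [] if dap is None else [m for m in dap.findall("./Setting")
                                     if _text(_child(m, "name")) == "DAP"]
    if not modules:
        problems.append("DAPModules has no module named DAP")
    problems += [f"DAP module {m.get('Name')}: MatchLDAPAttribute is not uid"
                 for m in modules if _text(_child(m, "MatchLDAPAttribute")) != "uid"]
    return problems, warnings
```

check_oam_config returns two lists: problems, which break the flows described above, and warnings, which work but weaken the deployment (at present only SecureMode). The namespace-stripping pass means the script behaves the same whether or not the file declares a default XML namespace, and because it never writes the file it is safe to run while the servers are up.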

Cause 2

The following error displays in the Access Manager Server logs:

 javax.crypto.BadPaddingException: Given final block not properly padded

This can occur if OIM_TAP_PARTNER_KEY is not included in the OIM credential map in the credential store, or if an invalid key is present, so that Access Manager cannot decrypt the TAP token Oracle Identity Manager sends.

Solution 2

Reregister Oracle Identity Manager as a TAP partner with Access Manager by rerunning the idmConfigTool -configOIM option. After the -configOIM option is run, you must restart the complete OIM domain.

Cause 3

After resetting the password, if auto-login is not successful, the OIM server logs contain the following error:

 Error occured while retrieving TAP partner key from Credential store

Solution 3

To resolve the problem:

  1. Using Fusion Middleware Control, verify the OIM_TAP_PARTNER_KEY generic credential is present in the OIM credential map in the credential store.

  2. If OIM_TAP_PARTNER_KEY is present, verify that LDAP synchronization is configured correctly, and that the password is reset in LDAP provider. Check this by issuing an ldapbind command with the user and the new/reset password.

Cause 4

After resetting the password, if auto-login is not successful, the OIM server logs have the following error:

 Error occured while retrieving DAP token from OAM due to invalid TAP partner key

The OIM_TAP_PARTNER_KEY present in the OIM credential map of credential store is not valid.

Solution 4

Reregister Oracle Identity Manager as a TAP partner with Access Manager by rerunning idmConfigTool -configOIM option. After the -configOIM option is run, you must restart the complete OIM domain.

2.10.2.2 Oracle Access Protocol (OAP) Issues

Check the OIM Server logs for any of the following types of error messages.

Cause 1

The resource URL is not protected.

Solution 1

Verify that the correct host:port combination is configured in the Access Manager host identifier configuration.

To resolve this problem:

  1. Log in to the Oracle Access Management Administration Console:

    http://oam_adminserver_host:oam_adminserver_port/oamconsole
    
  2. In the Oracle Access Management Administration Console, click Application Security at the top of the window.

  3. In the Application Security console, click Agents in the Agents section.

    The Search SSO Agents page opens with the WebGates tab active.

  4. In the Search SSO Agents page that appears, enter IAMSuiteAgent as the name of the Agent you want to find.

  5. Click Search to initiate the search.

  6. Click IAMSuiteAgent in the Search Results table.

  7. Check the host identifiers for the host:port combinations they list. For example: IAMSuiteAgent:/oim

  8. To find the host:port combination that Oracle Identity Manager actually used, search the OIM logs for "Setting web resource url". This statement appears just above the "Resource not protected URL" statement and shows the URL that was checked against Access Manager.

    In general, the host identifier should include the host:port of the OHS (web server) that front-ends Oracle Identity Manager.

Cause 2

aaaClient is not initialized.

Solution 2

Verify that the passwords seeded into the OIM domain credential store are correct. For OPEN mode, check the WebGate password. For SIMPLE mode, also check that the SSO keystore password and the SSO global passphrase are seeded correctly. For more information, see Section 2.8.3, "Validate Oracle Identity Manager Domain Credential Store."

Cause 3

Failed to communicate with any of configured OAM Server. Verify that it is up and running.

Solution 3

Verify that the passwords seeded into the OIM domain credential store are correct. For OPEN mode, check the WebGate password. For SIMPLE mode, also check that the SSO keystore password and the SSO global passphrase are seeded correctly. For more information, see Section 2.8.3, "Validate Oracle Identity Manager Domain Credential Store."

Cause 4

SSOKeystore tampered or password is incorrect.

Solution 4

Check that the keystore file ssoKeystore.jks is present in OIM_DOMAIN_HOME/config/fmwconfig. If present, then check if the keystore password is seeded properly into OIM domain credential store. For more information, see Section 2.8.3, "Validate Oracle Identity Manager Domain Credential Store."

Cause 5

Oracle Identity Manager logs do not have any information about the failure.

Solution 5

To resolve this problem:

  1. Enable HTTP header capture and record the headers while running through the First Login and Forgot Password flows. See Section 2.10.1.1, "Checking HTTP Headers."

  2. In the captured headers, look for Set-Cookie: ObSSOCookie in the response to the POST from the First Login or Forgot Password page. Check the domain of the cookie: it must cover the domain of the protected resource URL, or the browser never sends the cookie to the resource and the user is prompted again.

    • If the cookie domain is different, update CookieDomain in the Oracle Identity Manager SSO configuration using Fusion Middleware Control. See Section 2.8.1, "Validate Oracle Identity Manager SSOConfig."

    • If the cookie domain is correct, check for clock skew between the machines that host the OIM and OAM Servers; the session times carried in the cookie are validated, so a skewed clock can make a freshly issued cookie look stale.
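To make the header check in Solution 5 repeatable, the following Python script is an added example (not Oracle's code) that parses a captured HTTP response, finds the ObSSOCookie that Access Manager sets, and tests whether its Domain attribute covers the host of the protected resource URL. While the capture is open it also flags a missing Secure attribute when the resource is served over HTTPS and a missing HttpOnly attribute. The response below is constructed: the cookie value is a dummy and the host names are placeholders.

```python
"""Check the ObSSOCookie that Access Manager sets against the protected resource URL.
Added example, not Oracle's code.  The captured response below is constructed: the
cookie value is a dummy and the host names are placeholders."""
from urllib.parse import urlsplit

SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: http://sso.example.com/identity/faces/home\r\n"
    "Set-Cookie: ObSSOCookie=dGVzdA==; domain=.example.com; path=/; HttpOnly\r\n"
    "Set-Cookie: oimjsessionid=ABC123; path=/identity; HttpOnly\r\n"
    "\r\n"
)


def parse_set_cookies(raw_response):
    """Return [(name, value, {attribute: value})] for each Set-Cookie header.

    Attribute names are lower-cased; bare flags such as HttpOnly map to "".
    """
    head = raw_response.split("\r\n\r\n", 1)[0]
    cookies = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        hname, _, hval = line.partition(":")
        if hname.strip().lower() != "set-cookie":
            continue
        pairs = [p.strip() for p in hval.split(";")]
        name, _, value = pairs[0].partition("=")
        attrs = {}
        for pair in pairs[1:]:
            key, _, val = pair.partition("=")
            attrs[key.strip().lower()] = val.strip()
        cookies.append((name.strip(), value.strip(), attrs))
    return cookies


def domain_matches(host, cookie_domain):
    """RFC 6265 domain-match: host equals the cookie domain or is a subdomain of it."""
    domain = cookie_domain.lower().lstrip(".")
    host = host.lower()
    return host == domain or host.endswith("." + domain)


def diagnose_obssocookie(raw_response, resource_url):
    """Return a list of findings; an empty list means the cookie covers the resource."""
    parts = urlsplit(resource_url)
    host = parts.hostname or ""
    hits = [c for c in parse_set_cookies(raw_response) if c[0] == "ObSSOCookie"]
    if not hits:
        return ["no Set-Cookie: ObSSOCookie in the response; the login POST did not "
                "produce a session, look earlier in the flow"]
    _, _, attrs = hits[-1]                       # the last one issued is the one that sticks
    findings = []
    domain = attrs.get("domain", "")
    if not domain:
        findings.append("ObSSOCookie has no Domain attribute, so the browser sends it only to "
                        "the host that set it; that works only if the resource is on that host")
    elif not domain_matches(host, domain):
        findings.append(f"cookie domain {domain} does not cover {host}; set CookieDomain "
                        f"in the OIM SSOConfig to a suffix shared with {host}")
    if parts.scheme == "https" and "secure" not in attrs:
        findings.append("resource is served over HTTPS but ObSSOCookie lacks the Secure attribute")
    if "httponly" not in attrs:
        findings.append("ObSSOCookie lacks the HttpOnly attribute")
    return findings
```

Paste the raw response from your capture into diagnose_obssocookie together with the URL the user was trying to reach; the Secure and HttpOnly findings do not cause the loop described here, but a session cookie without them is exposed to interception or script access and is worth fixing in the same pass.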

2.10.3 Session Termination Issues

The session termination feature enables the termination of all active user sessions after the user status is modified by an Oracle Identity Manager administrator. The following Oracle Identity Manager operations lead to session termination: user lock or unlock, enable or disable, modify or delete.

Session termination is triggered by Oracle Identity Manager invoking the Access Manager OAP APIs to terminate the session. Communication is over the OAP channel.

To troubleshoot session termination issues:

  1. Verify the OAP-related configuration is stored in Oracle Identity Manager SSOConfig. See Section 2.8.1, "Validate Oracle Identity Manager SSOConfig."

  2. Verify that /db/ssointg/EventHandlers.xml is in the Oracle Identity Manager MDS. See Section 2.8.4, "Validate Event Handlers for SSO."

  3. Verify that AccessGateID attribute in Oracle Identity Manager SSOConfig points to a 10g SSO Agent hosted by OAM Server.

  4. If SSOConfig points to an 11g Agent ID:

    1. Create a new 10g SSO Agent.

    2. Set its ID in AccessGateID attribute.

    3. Update the agent password (SSOAccessKey) in the OIM domain credential store.

    4. If the communication mode is SIMPLE, a new keystore file (ssoKeystore.jks) must be created using the agent's aaa_cert.pem and aaa_key.pem, and copied to OIM_DOMAIN_HOME/config/fmwconfig directory.

    5. In SIMPLE mode, update the SSO keystore key (SSOKeystoreKey) and the SSO global passphrase (SSOGlobalPP) in the OIM domain credential store.

    For information about creating a new 10g SSO Agent or ssoKeyStore.jks, see Administrator's Guide for Oracle Access Management.

2.10.4 Account Self-Locking Issues

Use Case 1

Both LDAP store and Access Manager lock out the user due to multiple failed login attempts. The user attempts to reset his or her password using the Oracle Identity Manager (OIM) "Forgot Password" page, but the reset operation fails.

Possible Explanation

The user's locked status has not yet propagated to Oracle Identity Manager.

  1. Check if the user is locked in Oracle Identity Manager:

    1. Log in to the Identity Self Service application as an Oracle Identity Manager administrator.

    2. Navigate to the Users section, then search for the user.

    3. Check if the Identity status is locked.

  2. If the status is not locked, run an LDAP User Create and Update Reconciliation scheduled job, and then confirm that the user status is locked.

Use Case 2

The user account self-locks due to multiple login attempts with invalid credentials. Later, when the user attempts to log in with the correct credentials, he or she is not able to log in. The user expects to log in first and then change the password, but login fails consistently.

Possible Explanation

Both LDAP directory and Access Manager may have locked the user account. In this case the user cannot log in to Oracle Identity Manager or to any protected page. The user has to use the Forgot Password flow to reset the password.

Note that if only Access Manager locks out the user, the user can log in to Oracle Identity Manager and change the password immediately.

Use Case 3

The LDAP directory pwdMaxFailure count of three is less than the oblogintrycount value of five. The LDAP directory locks out the user after multiple login attempts with invalid credentials (in this case, three attempts). Later, when the user tries to log in with the correct credentials, on the fourth attempt the user still cannot log in. The user expects to log in first and then change the password, but login fails consistently.

Possible Explanation

The LDAP directory locked out the user, but Access Manager did not. The user cannot log in with the correct password even though the Access Manager failure count is still below the oblogintrycount threshold of five, because the directory rejects the bind. Following the Forgot Password flow works and resets the password.

Note that when the LDAP directory locks out the user there is nothing to reconcile into Oracle Identity Manager, because Oracle Identity Manager does not reconcile user accounts that are locked in the LDAP store. When the LDAP store locks the user, Oracle Identity Manager shows the user as active. Following the Forgot Password flow is the only way to reset the password.

Use Case 4

The LDAP directory pwdMaxFailure count of seven is greater than the oblogintrycount value of five. Access Manager locked out the user after multiple login attempts with invalid credentials (five attempts, before the directory's own threshold is reached). Later, when the user tries to log in with the correct credentials, the user is able to log in and is redirected to change the password, but the reset password operation fails.

Possible Explanation

The user locked status has not yet propagated to Oracle Identity Manager.

  1. Check if the user is locked in Oracle Identity Manager:

    1. Log in to the Identity Self Service application as an Oracle Identity Manager administrator.

    2. Navigate to Users section, then search for the user.

    3. Check if the Identity status is locked.

  2. If the status is not locked, run an LDAP User Create and Update Reconciliation scheduled job, and then confirm that the user status is locked.

Note that use case one and this use case look similar. In use case one, both LDAP directory and Access Manager locked the user account, whereas in this use case only Access Manager locks the user. The remedy for both use cases is the same, however.

Use Case 5

The user cannot remember his or her password and tries to reset the password using the Forgot Password flow. The user provides his or her user login, provides a new password, and provides incorrect challenge answers. After three failed attempts, both the LDAP directory and Access Manager lock the user. The user expects to get locked out after five attempts instead of three because the oblogintrycount value is 5.

Possible Explanation

The password reset attempts in the Oracle Identity Manager Reset/Forgot Password flow are governed by the Oracle Identity Manager system property XL.MaxPasswordResetAttempts and the default value is 3. Consequently, the user is locked out immediately after three attempts. Oracle Identity Manager locks the user natively in LDAP directory and in Access Manager.

Note that password reset attempts are different from login attempts. Login attempts are governed by Access Manager (oblogintrycount=5) and password reset attempts by Oracle Identity Manager (XL.MaxPasswordResetAttempts=3).

Use Case 6

The LDAP directory locks the user because some client keeps binding to the directory as that user with incorrect credentials (a stale saved password in an application or a script, for example). Access Manager does not lock out the user. When the user tries to log in with the correct credentials, the user is not able to log in.

Possible Explanation

The LDAP directory locks the user out in this use case, not Access Manager. The user cannot log in with the correct password even though the Access Manager failure count is still below the oblogintrycount value of 5, but the user can reset his or her password by following the Forgot Password flow.

Note that when a user is only locked out by LDAP directory, the user's lock-out status is not reconciled into Oracle Identity Manager. Consequently, the user shows up as still active in Oracle Identity Manager even though the user is locked in LDAP directory.

Use Case 7

For Access Manager and Oracle Identity Manager integrated environments prior to 11.1.2.1, the automatic unlocking of users does not work.

Possible Explanation

For the automatic unlocking feature to work, additional patches to Oracle Access Manager, Oracle Identity Manager and Oracle Virtual Directory are required.

For a list of patches and instructions to configure automatic unlocking, see My Oracle Support document ID 1496808.1.

Use Case 8

When the user resets the password, the reset does not take effect immediately:

  1. The user account self-locks due to multiple login attempts with invalid credentials.

  2. The user uses the Forgot Password flow to reset the password.

  3. The user account is still locked, and the user is not able to log in to Oracle Identity Manager.

Possible Explanation

The user's locked status has not yet propagated to Oracle Identity Manager.

  1. Check if the user is locked in Oracle Identity Manager:

    1. Log in to the Identity Self Service application as an Oracle Identity Manager administrator.

    2. Navigate to the Users section, and then search for the user.

    3. Check if the Identity status is locked.

  2. If the status is not locked, run an LDAP User Create and Update Reconciliation scheduled job, and then confirm that the user status is locked.

2.10.5 Miscellaneous Issues

This section provides solutions for the following miscellaneous issues:

2.10.5.1 Client Based Login to Oracle Identity Manager Fails

For successful client-based login to Oracle Identity Manager:

2.10.5.2 Logout Throws 404 Error

If logging out of an Oracle Identity Manager protected application throws a 404 error, verify that the logout configuration is present in jps-config.xml. See Section 2.8.5, "Validate SSO Logout Configuration."

If needed, the JPS configuration can be fixed by editing the jps-configuration file located in $DOMAIN_HOME/config/fmwconfig and then restarting all the servers.

To resolve a misconfiguration in jps-config.xml:

  1. In a terminal window, change to the common/bin directory of the Oracle home and start WLST:

    cd $DW_ORACLE_HOME/common/bin
    ./wlst.sh

  2. Connect to the Administration Server of the OIM domain (WLST prompts for the administrator user name, password and URL):

    connect()

  3. Register the Access Manager SSO provider:

    addOAMSSOProvider(loginuri="/${app.context}/adfAuthentication", logouturi="/oamsso/logout.html", autologinuri="/obrar.cgi")

  4. Exit WLST:

    exit()

  5. Restart all servers in the domain.

    For information, see "Starting or Stopping the Oracle Stack" in Installation Guide for Oracle Identity and Access Management.

2.10.5.3 Old Password Still Works After a Password Reset

In Active Directory environments, an old password can remain usable for up to one hour after a password reset. During this interval, both the old and the new password can successfully bind to the Active Directory server. This is documented Active Directory behavior, controlled on the domain controllers by the OldPasswordAllowedPeriod registry value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa (default 60 minutes), and is not an integration fault.

2.10.5.4 ConfigOIM Failed While Seeding Oracle Identity Manager Policies into Access Manager

As part of running configOIM, Oracle Identity Manager policies are seeded into Access Manager using the Access Management exposed REST endpoint.

An exception while seeding Oracle Identity Manager policies occurs when the user credentials used to access the Access Manager endpoint do not have enough privileges to perform the operation.

The solution is as follows:

  1. Make sure IDSTORE_WLSADMINUSER is the same user that was used when running the prepareIdStore mode=wls command.

  2. Try to access the Access Manager REST endpoint with the curl command:

    curl -u weblogic_idm:Welcome1 "http://OAM_ADMIN_HOST:OAM_ADMIN_PORT/oam/services/rest/11.1.2.0.0/ssa/policyadmin/appdomain"

    Where:

    • weblogic_idm is the user given for IDSTORE_WLSADMINUSER and Welcome1 is that user's password. Supplying only the user name (-u weblogic_idm) makes curl prompt for the password, which keeps it out of the shell history and the process list.

    If this command fails to return the list of application domains present in Access Manager, make sure configOAM ran properly and restart the Access Manager Administration Server before running configOIM.