25 Handling Lifecycle Management Changes

Because of integrated deployment of Oracle Identity Manager with other applications, such as Oracle Access Manager (OAM), and configuration changes in those applications, various configuration changes might be required in Oracle Identity Manager and Oracle WebLogic Server. These configuration changes are described in the following sections:

Note:

Several command examples in this section include a placeholder password on the command line. Replace it with the actual password before running the command, and keep in mind that a password typed on a command line can be visible in shell history and process listings.

25.1 URL Changes Related to Oracle Identity Manager

Oracle Identity Manager uses various hostnames and ports in its configuration. This section describes ways to make the corresponding changes in Oracle Identity Manager and Oracle WebLogic configuration.

This section contains the following topics:

25.1.1 Oracle Identity Manager Host and Port Changes

This section consists of the following topics:

Note:

  • When Oracle Identity Manager nodes are added or removed, perform the procedures described in these sections to configure the Oracle Identity Manager host and port changes.

  • When the Oracle Identity Manager managed server is enabled for an SSL port, perform the procedures described in these sections to change the Oracle Identity Manager port and protocol, for example t3 to t3s and http to https.

25.1.1.1 Changing OimFrontEndURL in Oracle Identity Manager Configuration

The OimFrontEndURL is the URL used to access the Oracle Identity Manager UI. It is the load balancer URL or Web server URL when the application server is fronted by a load balancer or Web server; otherwise it is the URL of the single application server. Oracle Identity Manager uses it in notification e-mails and as the callback URL for SOA calls, so an incorrect value sends users to the wrong host and breaks SOA callbacks.

The change may be necessary because the Web server hostname or port changed (clustered deployment) or the WebLogic managed server hostname or port changed (nonclustered deployment).

To change the OimFrontEndURL in Oracle Identity Manager configuration:

  1. Login to Enterprise Manager by using the following URL. The WebLogic Administrative Server and the Oracle Identity Manager managed servers (at least one of them in a clustered deployment) must be running:

    http://ADMIN_SERVER/em

  2. Navigate to Identity and Access, oim.

  3. Right-click oim, and navigate to System MBean Browser.

  4. Under Application Defined MBeans, navigate to oracle.iam, Application:oim, XMLConfig, Config, XMLConfig.DiscoveryConfig, and then Discovery.

    In a clustered deployment, when you select oracle.iam under Application Defined MBeans, Oracle Identity Manager server name is displayed. Select the server and continue with the navigation.

    Note:

    In a clustered deployment, the change to the OimFrontEndURL must be made on each server in the cluster.

  5. Enter the new value for the OimFrontEndURL attribute, and click Apply to save the changes. Example values can be:

    http://OIM_SERVER:OIM_PORT

    https://server1.mycompany.com

    https://server1.mycompany.com:14002

    Note:

    SPML clients store Oracle Identity Manager URL for invoking SPML and sending callback response. Therefore, changes are required corresponding to this. In addition, if Oracle Identity Manager is integrated with OAM, OAAM, or Oracle Identity Navigator (OIN), there may be corresponding changes necessary. For more information, refer to OAM, OAAM, and OIN documentation in the Oracle Technology Network (OTN) Web site.

25.1.1.2 Changing backOfficeURL in Oracle Identity Manager Configuration

Changing backOfficeURL is required only for Oracle Identity Manager deployed in a front-office and back-office configuration. This change does not apply to simple clustered or nonclustered deployments. This URL is used internally by Oracle Identity Manager for accessing back-office components from the front-office components. You might change the value of this attribute when implementing the back-office and front-office configuration, when adding servers to the back office, and when removing servers from the back office.

To change the value of the backOfficeURL attribute:

  1. Login to Enterprise Manager by using the following URL. The WebLogic Administrative Server and the Oracle Identity Manager managed servers (at least one of them in a clustered deployment) must be running:

    http://ADMIN_SERVER/em

  2. Navigate to Identity and Access, and then oim.

  3. Right-click oim, and navigate to System MBean Browser.

  4. Under Application Defined MBeans, navigate to oracle.iam, Application:oim, XMLConfig, Config, XMLConfig.DiscoveryConfig, Discovery.

  5. Enter a new value for the BackOfficeURL attribute, and click Apply to save the changes. Example values can be:

    t3://server1.mycompany.com:8001

    t3://server1.mycompany.com:8001,server2.mycompany.com:9001

    Note:

    • The value of the BackOfficeURL attribute must be empty for Oracle Identity Manager nonclustered and clustered deployments.

    • For SSL-enabled Oracle Identity Manager setup, BackOfficeURL attribute must be populated with the correct URL, for example:

      t3s://OIM_HOST:OIM_SSL_PORT

25.1.1.3 Changing Task Details URL in Human Task Configuration

The task details URL is the URL that displays the task details page for a particular human task in the Inbox. It is the load balancer URL or Web server URL when the application server is fronted by a load balancer or Web server; otherwise it is the URL of the single application server.

The change might be required because the Web server hostname or port changed (clustered deployment) or the WebLogic managed server hostname or port changed (nonclustered deployment).

To change the task details URL in human task configuration:

  1. Login to Oracle Enterprise Manager by using the following URL:

    http://ADMIN_SERVER/em

    For a clustered deployment, ensure that at least one SOA server in the SOA cluster is running.

  2. Navigate to SOA, soa-infra(SOA_SERVER_NAME), default.

  3. Click DefaultRequestApproval.

  4. In the Component Metrics section, click the ApprovalTask link.

  5. Click the Administration tab.

  6. Make the required changes to Host Name, HTTP Port, and HTTPS Port.

  7. Repeat steps 5 and 6 for all other human tasks in DefaultRequestApproval, for example ChallengeTask.

  8. Repeat steps 4 to 7 for all other composites.

25.1.2 Oracle Identity Manager Database Host and Port Changes

This section describes the configuration areas where database hostname and port number are used.

After installing Oracle Identity Manager, if there are any changes in the database hostname or port number, then the following changes are required:

Note:

  • Before making changes to the database host and port, shut down the managed servers hosting Oracle Identity Manager. You can keep the Oracle WebLogic Administrative Server running.

  • When Oracle Identity Manager database is enabled for SSL port, perform this procedure to change the Oracle Identity Manager database URL and properties accordingly.

  • To change datasource oimJMSStoreDS configuration in the WebLogic Administration Console:

    1. Navigate to Services, JDBC, Data Sources, and then oimJMSStoreDS.

    2. Click the Connection Pool tab.

    3. Modify the values of the URL and Properties fields to reflect the changes to database host and port.

  • To change datasource soaOIMLookupDB configuration:

    1. Navigate to Services, JDBC, Data Sources, and then soaOIMLookupDB.

    2. Click the Connection Pool tab.

    3. Modify the values of the URL and Properties fields to reflect the changes to database host and port.

  • To change datasource oimOperationsDB configuration:

    1. Navigate to Services, JDBC, Data Sources, and then oimOperationsDB.

    2. Click the Connection Pool tab.

    3. Modify the values of the URL and Properties fields to reflect the changes to database host and port.

  • To change datasource ApplicationDB configuration:

    1. Navigate to Services, JDBC, Data Sources, and then ApplicationDB.

    2. Click the Connection Pool tab.

    3. Modify the values of the URL and Properties fields to reflect the changes to database host and port.

  • To change the datasource related to Oracle Identity Manager Meta Data Store (MDS) configuration:

    Note:

    This step is required only if the database host and port of the MDS schema are changed.

    1. Navigate to Services, JDBC, Data Sources, and then mds-oim.

    2. Click the Connection Pool tab.

    3. Modify the values of the URL and Properties fields to reflect the changes in the database host and port.

  • To change OIMAuthenticationProvider configuration:

    1. In the WebLogic Administrative console, navigate to Security Realms, myrealm, and then Providers.

    2. Click OIMAuthenticationProvider.

    3. Click Provider Specific.

    4. Modify the value of the DBUrl field to reflect the change in hostname and port.

    Note:

    • If Service Oriented Architecture (SOA) and Oracle Web Services Manager (OWSM) undergo configuration changes, then you must make similar changes for datasources related to SOA or OWSM.

    • For SSL-enabled database, the changes described in this section are not applicable.

      For DB changes related to SSL, follow the instructions provided in "Updating Oracle Identity Manager Authenticators".

    After making changes in the datasources, restart the Oracle WebLogic Administrative Server, and start the Oracle Identity Manager managed WebLogic servers.

    Note:

    Whenever Oracle Identity Manager application configuration is changed by using the OIM App Config MBeans from the Enterprise Manager (EM) console, at least one of the Oracle Identity Manager Managed Servers must be running. Otherwise, the OIM App Config MBeans are not visible in the EM console.
  • To change DirectDB configuration:

    1. Login to Enterprise Manager by using the following URL:

      http://ADMIN_SERVER/em

    2. Navigate to Identity and Access, and then oim.

    3. Right-click oim, and navigate to System MBean Browser under Application Defined MBeans.

    4. Navigate to oracle.iam, Application:oim, XMLConfig, Config, XMLConfig.DirectDBConfig, and then DirectDB.

    5. Enter the new value for the URL attribute to reflect the changes to host and port, and then apply the changes.

    Note:

    When an Oracle Identity Manager single-instance deployment is changed to Oracle Real Application Clusters (Oracle RAC), or Oracle RAC is changed to a single-instance deployment, change the oimJMSStoreDS, oimOperationsDB, and mds-oim datasources. In addition to the generic changes that convert these datasources to a multi-datasource configuration, change the OIMAuthenticationProvider and domain credential store configurations to reflect the Oracle RAC URL. For information about these generic changes, see Oracle Fusion Middleware High Availability Guide.

    See "Oracle Identity Manager Database Host and Port Changes" for information about changing the port at the database.

  • To change the Oracle Identity Manager database host and port in BI Publisher:

    1. Login to BI Publisher.

    2. Click the Administration tab.

    3. Click JDBC Connection under Data Sources.

    4. Click OIM JDBC, and change the database host and port.

    5. Click Test Connection. The connection is established successfully after confirmation.

    6. Click Apply.

  • Perform the following additional steps if Oracle Identity Manager is made to point to another database of another Oracle Identity Manager instance instead of current database port being changed:

    1. Copy DOMAIN_HOME/config/fmwconfig/.xldatabasekey from the Oracle Identity Manager deployment that is installed on the destination DB to the source Oracle Identity Manager deployment.

    2. Copy the following keys from Oracle Identity Manager deployment on the destination DB to the source deployment:

      OIMSchemaPassword

      .xldatabasekey

      DataBaseKey

    3. To get the Oracle Identity Manager credential store from Oracle Identity Manager installed on the destination DB:

      1. Login to Oracle Enterprise Manager by using the following URL:

        http://HOST:ADMIN_SERVER_PORT/em

      2. Navigate to Weblogic Domain, right-click DOMAIN_NAME, and select System MBean Browser.

      3. Under Application Defined MBeans, navigate to com.oracle.jps, Server:OIM_SERVER_NAME, JpsCredentialStore.

      4. Go to Operations, getPortableCredentialMap. Enter the parameter value as oim and Invoke.

        This displays the oim credential map. Note the passwords for OIMSchemaPassword, .xldatabasekey, and DataBaseKey. The operation returns these values in clear text in the browser, so treat the output as sensitive and do not leave it in screenshots or shared notes.

    4. To change the keys in the OIM credential store on the source deployment:

      1. OIMSchemaPassword: Navigate to Weblogic Domain, right-click DOMAIN_NAME, and navigate to Security, Credentials. Expand oim, and click OIMSchemaPassword. Click Edit, and enter the new password in Password and Confirm Password fields.

      2. .xldatabasekey: Repeat the same steps for .xldatabasekey.

      3. DataBaseKey: Repeat the same steps for DataBaseKey.
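
The host and port edited in this section are spread over five data sources, the OIMAuthenticationProvider DBUrl, and the DirectDB MBean, and a data source that was missed keeps pointing at the old database until the managed servers fail to start. WebLogic persists each data source as an XML descriptor under DOMAIN_HOME/config/jdbc, so the data-source part of the change can be audited from the file system while the managed servers are still down. The following Python audit is an added example, not Oracle code: it parses the url element of each descriptor, handles both the host:port:SID and host:port/service forms of the thin URL, flags RAC/TNS descriptor URLs for manual review, and reports any of the five data sources that still points elsewhere or is missing. The descriptor layout it assumes, the descriptor snippets and the host names are constructed for the example.

```python
"""Audit WebLogic JDBC data-source descriptors after an OIM database host/port change.
Added example, not Oracle code.  Assumes the WebLogic layout of one descriptor per data
source under DOMAIN_HOME/config/jdbc; the sample descriptors below are constructed."""
import glob
import os
import re
import xml.etree.ElementTree as ET

# The data sources this section says carry the OIM database host and port.
OIM_DATASOURCES = {"oimJMSStoreDS", "soaOIMLookupDB", "oimOperationsDB", "ApplicationDB", "mds-oim"}

# Oracle thin URLs: jdbc:oracle:thin:@host:port:SID or jdbc:oracle:thin:@//host:port/service.
_THIN_URL = re.compile(r"^jdbc:oracle:thin:@(?://)?(?P<host>[^:/]+):(?P<port>\d+)[:/](?P<db>[^?]+)$")


def parse_thin_url(url):
    """Return (host, port, sid_or_service), or None for anything else (for example a
    TNS descriptor '@(DESCRIPTION=...)' used for RAC), so that it gets a manual review."""
    m = _THIN_URL.match(url.strip())
    return (m.group("host"), int(m.group("port")), m.group("db")) if m else None


def _local(tag):
    """Drop the XML namespace prefix that WebLogic puts on every descriptor element."""
    return tag.rsplit("}", 1)[-1]


def datasource_url(descriptor_xml):
    """Extract (name, url) from one jdbc-data-source descriptor document."""
    root = ET.fromstring(descriptor_xml)
    name = url = None
    for child in root:                   # only the top-level <name>: the driver properties
        if _local(child.tag) == "name":  # also contain a <name>user</name> element
            name = (child.text or "").strip()
    for el in root.iter():
        if _local(el.tag) == "url":
            url = (el.text or "").strip()
            break
    return name, url


def audit_datasources(descriptors, expected_host, expected_port):
    """Map each OIM data source to 'ok', 'stale host:port', 'unparseable url: ...' or 'missing'."""
    result = {}
    for xml_text in descriptors:
        name, url = datasource_url(xml_text)
        if name not in OIM_DATASOURCES:
            continue                     # SOA/OWSM data sources are out of scope here
        parsed = parse_thin_url(url or "")
        if parsed is None:
            result[name] = "unparseable url: %s" % url
        elif (parsed[0].lower(), parsed[1]) != (expected_host.lower(), expected_port):
            result[name] = "stale %s:%d" % (parsed[0], parsed[1])
        else:
            result[name] = "ok"
    for name in OIM_DATASOURCES - set(result):
        result[name] = "missing"
    return result


def load_domain_descriptors(domain_home):
    """Read every descriptor under DOMAIN_HOME/config/jdbc (assumed WebLogic layout)."""
    paths = sorted(glob.glob(os.path.join(domain_home, "config", "jdbc", "*.xml")))
    return [open(p, encoding="utf-8").read() for p in paths]


def _descriptor(name, url):
    """Build a constructed, minimal descriptor in the shape WebLogic writes (demo input only)."""
    return ('<jdbc-data-source xmlns="http://xmlns.oracle.com/weblogic/jdbc-data-source">'
            '<name>%s</name><jdbc-driver-params><url>%s</url>'
            '<driver-name>oracle.jdbc.OracleDriver</driver-name>'
            '<properties><property><name>user</name><value>DEV_OIM</value></property></properties>'
            '</jdbc-driver-params></jdbc-data-source>' % (name, url))


# Constructed sample: three data sources already moved, one still stale, one missing,
# plus an unrelated SOA data source that the audit must ignore.
SAMPLE_DESCRIPTORS = [
    _descriptor("oimOperationsDB", "jdbc:oracle:thin:@newdb.mycompany.com:1521/oimsvc"),
    _descriptor("soaOIMLookupDB", "jdbc:oracle:thin:@//newdb.mycompany.com:1521/oimsvc"),
    _descriptor("mds-oim", "jdbc:oracle:thin:@newdb.mycompany.com:1521:orclsid"),
    _descriptor("oimJMSStoreDS", "jdbc:oracle:thin:@olddb.mycompany.com:1521/oimsvc"),
    _descriptor("SOADataSource", "jdbc:oracle:thin:@olddb.mycompany.com:1521/soasvc"),
]

if __name__ == "__main__":
    # Against a real domain: audit_datasources(load_domain_descriptors(DOMAIN_HOME), host, port)
    for name, state in sorted(audit_datasources(SAMPLE_DESCRIPTORS, "newdb.mycompany.com", 1521).items()):
        print("%-16s %s" % (name, state))
```

The audit covers only the descriptors on disk; the OIMAuthenticationProvider DBUrl, the DirectDB MBean and the BI Publisher connection still have to be checked in their own consoles as described above.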

25.1.3 Oracle Virtual Directory Host and Port Changes

When LDAP synchronization is enabled, Oracle Identity Manager connects with directory servers through Oracle Virtual Directory (OVD). This connection takes place by using LDAP/LDAPS protocol.

To change OVD host and port:

  1. Login to Oracle Identity System Administration.

  2. Under Provisioning Configuration, click IT Resource.

  3. From the IT Resource Type list, select Directory Server, and click Search.

  4. Edit the Directory Server IT resource. To do so:

    1. If the value of the Use SSL field is set to False, then edit the Server URL field. If the value of the Use SSL field is set to True, then edit the Server SSL URL field.

    2. Click Update.

See Also:

See "Updating Oracle Identity Manager for libOVD details" for information about changing OVD port at OVD/LDAP server.

25.1.4 BI Publisher Host and Port Changes

To change BI Publisher host and port:

  1. Login to Enterprise Manager by using the following URL. The WebLogic Administrative Server and the Oracle Identity Manager managed servers (at least one of them in a clustered deployment) must be running:

    http://ADMIN_SERVER/em

  2. Navigate to Identity and Access, oim.

  3. Right-click oim, and navigate to System MBean Browser.

  4. Under Application Defined MBeans, navigate to oracle.iam, Application:oim, XMLConfig, Config, XMLConfig.DiscoveryConfig, Discovery.

  5. Enter a new value for the BIPublisherURL attribute, and click Apply to save the changes.

  6. To change the BI Publisher host and port in jms_cluster_config.properties file:

    1. Go to the DOMAIN_NAME/config/bipublisher/repository/Admin/Scheduler/ directory.

    2. In a text editor, open the jms_cluster_config.properties file, and replace the BI Publisher host and port.

    3. Save the jms_cluster_config.properties file.

    4. Restart BI Publisher server.

25.1.5 SOA Host and Port Changes

To change the SOA host and port:

Note:

  • When additional SOA nodes are added or removed, perform this procedure to change the SOA host and port.

  • When SOA managed server is enabled for SSL port, perform the procedure described in this section to change the SOA port and protocol, such as t3 to t3s and http to https.

  1. Login to Enterprise Manager by using the following URL. The WebLogic Administrative Server and the Oracle Identity Manager managed servers (at least one of them in a clustered deployment) must be running:

    http://ADMIN_SERVER/em

  2. Navigate to Identity and Access, oim.

  3. Right-click oim, and navigate to System MBean Browser.

  4. Under Application Defined MBeans, navigate to oracle.iam, Application:oim, XMLConfig, Config, XMLConfig.SOAConfig, SOAConfig.

  5. Change the value of the Rmiurl attribute, and click Apply to save the changes.

    The Rmiurl attribute is used for accessing SOA EJBs deployed on SOA managed servers. This is the application server URL. For a clustered deployment of Oracle Identity Manager, it is a comma-separated list of all the SOA managed server URLs. Example values for this attribute can be:

    t3://soaserver1.mycompany.com:8001

    t3s://mysoaserver1.mycompany.com:8002,mysoa1.mycompany.com:8002

    t3://mysoa1.mycompany.com:8001,mysoa2.mycompany.com:8002,mysoa3.mycompany.com:8003

  6. Change the SOA JNDIProvider host and port. To do so:

    1. Login to WebLogic Administration Console.

    2. In the Domain Structure section, navigate to OIM_DOMAIN, Services, Foreign JNDI Providers.

    3. Click ForeignJNDIProvider-SOA.

    4. In the Configuration tab, verify that the General subtab is active.

    5. Change the value of Provider URL to the Rmiurl provided in Step 5.
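
The URL attributes edited in "Changing OimFrontEndURL in Oracle Identity Manager Configuration", "Changing backOfficeURL in Oracle Identity Manager Configuration" and in this section (Rmiurl and the ForeignJNDIProvider-SOA Provider URL) are free-text fields, so a typo, a leftover t3 or http scheme after SSL enablement, or a Provider URL that no longer matches Rmiurl is noticed only when the managed servers come up. The following Python check is an added example, not part of the Oracle documentation or product. It encodes the rules stated on this page (http/https for the front-end URL, t3/t3s for BackOfficeURL and Rmiurl, t3s/https once SSL is enabled, BackOfficeURL empty except for SSL-enabled or back-office topologies, Rmiurl listing every SOA managed server in a cluster, Provider URL equal to Rmiurl) and the cluster list format shown in the examples. The single ssl_enabled flag, the ForeignJNDIProviderURL key name and the sample values are assumptions of the example.

```python
"""Pre-flight check for OimFrontEndURL, BackOfficeURL, Rmiurl and the Foreign JNDI
Provider URL before they are applied in the System MBean Browser.  Added example,
not Oracle code; the topology flags are assumptions made for the demonstration."""

# Schemes the page shows for each attribute.
WEB_SCHEMES = {"http", "https"}   # OimFrontEndURL
T3_SCHEMES = {"t3", "t3s"}        # BackOfficeURL, Rmiurl


def parse_cluster_url(value):
    """Split 't3s://h1:8002,h2:8002' into ('t3s', [('h1', 8002), ('h2', 8002)]).

    The scheme appears once, before the first host; the remaining entries are bare
    host:port, which is the cluster format shown for BackOfficeURL and Rmiurl.
    """
    scheme, sep, rest = value.partition("://")
    if not sep or not scheme:
        raise ValueError("missing scheme in %r" % value)
    endpoints = []
    for entry in rest.split(","):
        hostport = entry.strip().split("/", 1)[0]   # tolerate a trailing path
        host, _, port = hostport.partition(":")
        if not host:
            raise ValueError("empty host in %r" % value)
        endpoints.append((host, int(port) if port else None))   # int() rejects junk ports
    return scheme.lower(), endpoints


def check_urls(cfg, ssl_enabled=False, clustered=False, back_office=False):
    """Return a list of findings for the attribute values in cfg (empty list = consistent).

    cfg keys: OimFrontEndURL, BackOfficeURL, Rmiurl, ForeignJNDIProviderURL (strings).
    ssl_enabled: managed servers listen on SSL ports (t3s/https expected).
    clustered:   Oracle Identity Manager and SOA run as clusters.
    back_office: front-office/back-office topology (BackOfficeURL must be set).
    """
    findings = []

    def require_ports(name, endpoints):
        for host, port in endpoints:
            if port is None:
                findings.append("%s: endpoint %s has no port" % (name, host))

    # OimFrontEndURL: exactly one web URL (load balancer, web server or single server).
    try:
        scheme, endpoints = parse_cluster_url(cfg.get("OimFrontEndURL", ""))
        if scheme not in WEB_SCHEMES:
            findings.append("OimFrontEndURL: scheme must be http or https, got %s" % scheme)
        elif ssl_enabled and scheme != "https":
            findings.append("OimFrontEndURL: SSL-enabled deployment but scheme is http")
        if len(endpoints) != 1:
            findings.append("OimFrontEndURL: expected exactly one host")
    except ValueError as exc:
        findings.append("OimFrontEndURL: %s" % exc)

    # BackOfficeURL: empty for plain deployments, t3s when SSL-enabled, set for back-office.
    back = cfg.get("BackOfficeURL", "")
    if not back:
        if ssl_enabled or back_office:
            findings.append("BackOfficeURL: must be populated for SSL-enabled or back-office deployments")
    else:
        if not (ssl_enabled or back_office):
            findings.append("BackOfficeURL: must be empty for simple clustered/nonclustered deployments")
        try:
            scheme, endpoints = parse_cluster_url(back)
            if scheme not in T3_SCHEMES:
                findings.append("BackOfficeURL: scheme must be t3 or t3s, got %s" % scheme)
            elif ssl_enabled and scheme != "t3s":
                findings.append("BackOfficeURL: SSL-enabled deployment but scheme is t3")
            require_ports("BackOfficeURL", endpoints)
        except ValueError as exc:
            findings.append("BackOfficeURL: %s" % exc)

    # Rmiurl: t3/t3s list of every SOA managed server; the Foreign JNDI provider must match it.
    rmi = cfg.get("Rmiurl", "")
    try:
        scheme, endpoints = parse_cluster_url(rmi)
        if scheme not in T3_SCHEMES:
            findings.append("Rmiurl: scheme must be t3 or t3s, got %s" % scheme)
        elif ssl_enabled and scheme != "t3s":
            findings.append("Rmiurl: SSL-enabled deployment but scheme is t3")
        if clustered and len(endpoints) < 2:
            findings.append("Rmiurl: clustered deployment should list every SOA managed server")
        require_ports("Rmiurl", endpoints)
    except ValueError as exc:
        findings.append("Rmiurl: %s" % exc)
    if cfg.get("ForeignJNDIProviderURL", "") != rmi:
        findings.append("ForeignJNDIProvider-SOA: Provider URL differs from Rmiurl")
    return findings


if __name__ == "__main__":
    # Constructed values for an SSL-enabled cluster, mirroring the page's examples.
    proposed = {
        "OimFrontEndURL": "https://server1.mycompany.com:14002",
        "BackOfficeURL": "t3s://server1.mycompany.com:14001",
        "Rmiurl": "t3s://mysoa1.mycompany.com:8002,mysoa2.mycompany.com:8002",
        "ForeignJNDIProviderURL": "t3s://mysoa1.mycompany.com:8002,mysoa2.mycompany.com:8002",
    }
    for line in check_urls(proposed, ssl_enabled=True, clustered=True) or ["no findings"]:
        print(line)
```

Run it with the values you intend to type into the MBean browser and the WebLogic console before applying them; an empty findings list means the four values agree with each other and with the topology flags.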

25.1.6 OAM Host and Port Changes

To change the OAM host and port:

  1. Login to Enterprise Manager by using the following URL. The WebLogic Administrative Server and the Oracle Identity Manager managed servers (at least one of them in a clustered deployment) must be running:

    http://ADMIN_SERVER/em

  2. Navigate to Identity and Access, and then to oim.

  3. Right-click oim, and navigate to System MBean Browser.

  4. Under Application Defined MBeans, navigate to oracle.iam, Application:oim, XMLConfig, Config, XMLConfig.SSOConfig, and then SSOConfig.

  5. Change the values of the AccessServerHost and AccessServerPort attributes and other attributes as required, and click Apply to save the changes.

25.2 Password Changes Related to Oracle Identity Manager

Various passwords are used for Oracle Identity Manager configuration because of the architectural and middleware requirements. This section describes the default passwords and ways to make the changes to the password in Oracle Identity Manager and Oracle WebLogic configuration for any change in the dependent or integrated products.

This section consists of the following topics:

25.2.1 Changing Oracle WebLogic Administrator Password

To change Oracle WebLogic administrator password:

  1. Login to WebLogic Administrative console.

  2. Navigate to Security Realms, myrealm, Users and Groups, weblogic, Password.

  3. In the New Password field, enter the new password.

  4. In the Confirm New Password field, re-enter the new password.

  5. Click Apply.

Weblogic credentials must be updated in the following places:

  1. Foreign JNDI Provider. To do so:

    1. Login to WebLogic Administrative Console.

    2. In the Domain Structure section, navigate to OIM_DOMAIN, Services, Foreign JNDI Providers.

    3. Click ForeignJNDIProvider-SOA.

    4. In the Configuration tab, verify that the General subtab is active.

    5. Enter the weblogic user's new password in the Password and Confirm Password fields.

  2. SOAAdminPassword in CSF. See "Changing Oracle Identity Manager Passwords in the Credential Store Framework" for details.

25.2.2 Changing Oracle Identity Manager Administrator Password

During Oracle Identity Manager installation, the installer prompts for the Oracle Identity Manager administrator password. If required, you can change the administrator password after the installation is complete. To do so, you must login to Oracle Identity Manager Self Service as Oracle Identity Manager administrator. For information about how to change the administrator password, see "Changing Password" in the Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Manager.

When you change the Oracle Identity Manager system administrator password, you must also update the password in the sysadmin key under the oim map in CSF. See "Changing Oracle Identity Manager Passwords in the Credential Store Framework" for information about the CSF keys.

Note:

If OAM or OAAM is integrated with Oracle Identity Manager, then you must make corresponding changes in those applications. For more information, refer to OAM and OAAM documentation in the Oracle Technology Network (OTN) Web site by using the following URL:

http://www.oracle.com/technetwork/indexes/documentation/index.html

25.2.3 Changing Oracle Identity Manager Administrator Database Password

This section describes resetting Oracle Identity Manager password in the following types of deployments:

  • Oracle Identity Manager deployment without LDAP synchronization

  • Oracle Identity Manager deployment with LDAP synchronization enabled

  • Oracle Identity Manager deployment that is integrated with Access Manager (OAM)

Resetting System Administrator password can be performed by using the oimadminpasswd_wls.sh utility, which is available in the OIM_HOME/server/bin/ directory. The steps to run the oimadminpasswd_wls.sh utility are the same for both types of deployment: Oracle Identity Manager with LDAP synchronization enabled and without LDAP synchronization enabled.

This section describes resetting Oracle Identity Manager password in the following topics:

25.2.3.1 Resetting System Administrator Database Password in Oracle Identity Manager Deployment

To reset System Administrator database password:

  1. As a prerequisite for running the oimadminpasswd_wls.sh utility, open the OIM_HOME/server/bin/oimadminpasswd_wls.properties file in a text editor, and set values for the following properties:

    • JAVA_HOME: Set this to jdk6 or later, for example:

      JAVA_HOME=/opt/softwares/shiphome/jdk170_131
      
    • COMMON_COMPONENTS_HOME: This is Oracle Middleware common home directory, for example:

      COMMON_COMPONENTS_HOME=/opt/softwares/shiphome/oracle_common
      
    • OIM_ORACLE_HOME: This is Oracle Identity Manager Oracle home directory, for example:

      OIM_ORACLE_HOME=/opt/softwares/shiphome/Oracle_IDM1
      
    • ORACLE_SECURITY_JPS_CONFIG: Specify the jps-config-jse.xml file location present in Oracle Identity Manager Domain, for example:

      ORACLE_SECURITY_JPS_CONFIG=/opt/softwares/shiphome/user_projects/domains/base_domain/config/fmwconfig/jps-config-jse.xml
      
    • DOMAIN_HOME: Specify Oracle Identity Manager Domain Home location of the Weblogic Application Server, for example:

      DOMAIN_HOME=/opt/softwares/shiphome/user_projects/domains/base_domain
      
    • DBURL: Oracle Identity Manager database URL, for example:

      DBURL=jdbc:oracle:thin:@dbhostname:5521:orclsid
      
    • DBSCHEMAUSER: Oracle Identity Manager schema username, for example:

      DBSCHEMAUSER=DEV_OIM
      
    • OIM_OAM_INTG_ENABLED: Set this to false if Oracle Identity Manager deployment is not integrated with Access Manager, for example:

      OIM_OAM_INTG_ENABLED=false
      

    Note:

    Other properties, such as LDAPURL, LDAPADMINUSER, and OIM_ADMIN_LDAP_DN, can be ignored because they are used only in a setup where Oracle Identity Manager is integrated with Access Manager.

  2. Go to the OIM_HOME/server/bin/ directory, and run the following command:

    sh oimadminpasswd_wls.sh oimadminpasswd_wls.properties
    

    The following is a sample output:

    Enter OIM DB Schema Password :
    Enter OIM Adminstrator xelsysadm new Password:
    Re-enter OIM Adminstrator xelsysadm new Password:
    WARNING: Not able to fetch OIMPlatform instance for the given Platform. Hence defaulting to the OIMWebLogicPlatform
    
    OIM Admin user xelsysadm password reset successfully in OIMDB
    

    Note:

    The warning messages that are displayed while running the oimadminpasswd_wls.sh script can be ignored.

25.2.3.2 Resetting System Administrator Database Password When Oracle Identity Manager Deployment is Integrated With Access Manager

If Oracle Identity Manager is integrated with OAM, then LDAP directory, such as Oracle Internet Directory, is used for all authentication purposes. Therefore, Oracle Identity Manager Administrator xelsysadm password is reset in LDAP. Although the xelsysadm password present in Oracle Identity Manager database is not used in this topology, it is also reset along with LDAP directory to ensure that the passwords in both repositories are in sync.

To reset System Administrator database password when Oracle Identity Manager Deployment is Integrated With Access Manager:

  1. As a prerequisite for running the oimadminpasswd_wls.sh utility, open the OIM_HOME/server/bin/oimadminpasswd_wls.properties file in a text editor, and set values for the following properties:

    • JAVA_HOME: Set this to jdk6 or later, for example:

      JAVA_HOME=/opt/softwares/shiphome/jdk170_131
      
    • COMMON_COMPONENTS_HOME: This is Oracle Middleware common home directory, for example:

      COMMON_COMPONENTS_HOME=/opt/softwares/shiphome/oracle_common
      
    • OIM_ORACLE_HOME: This is Oracle Identity Manager Oracle home directory, for example:

      OIM_ORACLE_HOME=/opt/softwares/shiphome/Oracle_IDM1
      
    • ORACLE_SECURITY_JPS_CONFIG: Specify the jps-config-jse.xml file location present in Oracle Identity Manager Domain, for example:

      ORACLE_SECURITY_JPS_CONFIG=/opt/softwares/shiphome/user_projects/domains/base_domain/config/fmwconfig/jps-config-jse.xml
      
    • DOMAIN_HOME: Specify Oracle Identity Manager Domain Home location of the Weblogic Application Server, for example:

      DOMAIN_HOME=/opt/softwares/shiphome/user_projects/domains/base_domain
      
    • DBURL: Oracle Identity Manager database URL, for example:

      DBURL=jdbc:oracle:thin:@dbhostname:5521:orclsid
      
    • DBSCHEMAUSER: Oracle Identity Manager schema username, for example:

      DBSCHEMAUSER=DEV_OIM
      
    • OIM_OAM_INTG_ENABLED: Set this to true if Oracle Identity Manager deployment is integrated with Access Manager, for example:

      OIM_OAM_INTG_ENABLED=true
      
    • LDAPURL: LDAP directory URL. The non-SSL port must be specified. Because this is a plain LDAP connection, the LDAP administrator credentials and the new xelsysadm password cross the network unencrypted, so run the utility from a trusted host on the directory's network segment. For example:

      LDAPURL=ldap://LDAP_HOSTNAME:3060
      
    • LDAPADMINUSER : LDAP directory admin username, for example:

      LDAPADMINUSER=cn=orcladmin
      
    • OIM_ADMIN_LDAP_DN: Oracle Identity Manager Administrator xelsysadm complete DN in the LDAP directory, for example:

      OIM_ADMIN_LDAP_DN=cn=xelsysadm,cn=Users,dc=us,dc=mycompany,dc=com
      
  2. Go to the OIM_HOME/server/bin/ directory, and run the following command:

    sh oimadminpasswd_wls.sh oimadminpasswd_wls.properties
    

    The following is a sample output:

    Enter OIM DB Schema Password :
    Enter OIM Adminstrator xelsysadm new Password:
    Re-enter OIM Adminstrator xelsysadm new Password:
    WARNING: Not able to fetch OIMPlatform instance for the given Platform. Hence defaulting to the OIMWebLogicPlatform
    
    OIM Admin user xelsysadm password reset successfully in OIMDB
    OIM Admin user cn=xelsysadm,cn=Users,dc=...,dc=...,dc=... password reset successfully in LDAP
    

    Note:

    • The warning messages that are displayed while running the oimadminpasswd_wls.sh script can be ignored.

    • The xelsysadm password is set not to expire until 2035. During integration between Oracle Identity Manager and Access Manager, the obpasswordexpirydate attribute of the xelsysadm user is set to "2035-01-01T00:00:00Z". If this value has been changed, revert it to "2035-01-01T00:00:00Z" for xelsysadm. This value is initially loaded from the following template LDIF file:

      $OIM_ORACLE_HOME/idmtools/templates/oid/idm_xelsysadmin_user.ldif
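
The properties file that both procedures above start from is free text, and the set of required keys depends on OIM_OAM_INTG_ENABLED. The following Python check is an added example, not part of the Oracle utility: it parses oimadminpasswd_wls.properties, verifies the keys each variant needs, rejects an ldaps:// value where the page requires the non-SSL port, checks that the five path properties exist on disk, and flags any password stored in the file, because the utility prompts for the schema password and the new xelsysadm password and a plain-text properties file is no place for them. The sample property values are the page's own examples; the script name in the usage comment is an assumption.

```python
"""Sanity-check oimadminpasswd_wls.properties before running oimadminpasswd_wls.sh.
Added example, not Oracle code; the rules come from the property lists in the two
procedures above, and the sample file below is constructed from the page's examples."""
import os
import sys

# Properties the page requires for every run ...
BASE_KEYS = ("JAVA_HOME", "COMMON_COMPONENTS_HOME", "OIM_ORACLE_HOME", "ORACLE_SECURITY_JPS_CONFIG",
             "DOMAIN_HOME", "DBURL", "DBSCHEMAUSER", "OIM_OAM_INTG_ENABLED")
# ... and the ones needed only when Oracle Identity Manager is integrated with Access Manager.
OAM_KEYS = ("LDAPURL", "LDAPADMINUSER", "OIM_ADMIN_LDAP_DN")
# Values that must exist on disk for the utility to start at all.
PATH_KEYS = ("JAVA_HOME", "COMMON_COMPONENTS_HOME", "OIM_ORACLE_HOME", "ORACLE_SECURITY_JPS_CONFIG", "DOMAIN_HOME")


def parse_properties(text):
    """Parse key=value lines; '#' and '!' comments and blank lines are ignored."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_properties(props, check_paths=True):
    """Return a list of problems; an empty list means the file matches the page's rules."""
    problems = ["missing %s" % key for key in BASE_KEYS if not props.get(key)]
    integrated = props.get("OIM_OAM_INTG_ENABLED", "").lower()
    if integrated not in ("true", "false"):
        problems.append("OIM_OAM_INTG_ENABLED must be true or false")
    if integrated == "true":
        problems += ["missing %s (required when OIM_OAM_INTG_ENABLED=true)" % key
                     for key in OAM_KEYS if not props.get(key)]
        ldap_url = props.get("LDAPURL", "")
        # The page requires the non-SSL port, so an ldaps:// value points the utility at the
        # wrong listener.  Plain ldap:// also means the bind credentials and the new password
        # travel unencrypted, which is why the utility should run from a trusted host.
        if ldap_url and not ldap_url.lower().startswith("ldap://"):
            problems.append("LDAPURL must use ldap:// (non-SSL port)")
        dn = props.get("OIM_ADMIN_LDAP_DN", "")
        if dn and not dn.lower().startswith("cn=xelsysadm,"):
            problems.append("OIM_ADMIN_LDAP_DN does not look like the xelsysadm DN")
    db_url = props.get("DBURL", "")
    if db_url and not db_url.startswith("jdbc:oracle:thin:@"):
        problems.append("DBURL is not an Oracle thin JDBC URL")
    # The utility prompts for the schema and new xelsysadm passwords; a password key in the
    # properties file is a secret at rest in a plain-text file and is flagged.
    problems += ["%s: passwords belong at the prompt, not in the file" % key
                 for key in props if "PASS" in key.upper()]
    if check_paths:
        problems += ["%s path does not exist: %s" % (key, props[key])
                     for key in PATH_KEYS if props.get(key) and not os.path.exists(props[key])]
    return problems


# Constructed sample mirroring the non-integrated property list above.
SAMPLE_PROPERTIES = """\
JAVA_HOME=/opt/softwares/shiphome/jdk170_131
COMMON_COMPONENTS_HOME=/opt/softwares/shiphome/oracle_common
OIM_ORACLE_HOME=/opt/softwares/shiphome/Oracle_IDM1
ORACLE_SECURITY_JPS_CONFIG=/opt/softwares/shiphome/user_projects/domains/base_domain/config/fmwconfig/jps-config-jse.xml
DOMAIN_HOME=/opt/softwares/shiphome/user_projects/domains/base_domain
DBURL=jdbc:oracle:thin:@dbhostname:5521:orclsid
DBSCHEMAUSER=DEV_OIM
OIM_OAM_INTG_ENABLED=false
"""

if __name__ == "__main__":
    # Usage (assumed script name): python check_oimadminpasswd_props.py [oimadminpasswd_wls.properties]
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_PROPERTIES
    for problem in check_properties(parse_properties(text), check_paths=len(sys.argv) > 1) or ["ok"]:
        print(problem)
```

When a real file is given, the path checks run as well, so the script must be executed on the host where oimadminpasswd_wls.sh is going to run.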

25.2.4 Changing Oracle Identity Manager Database Password

Oracle Identity Manager uses two database schemas for storing Oracle Identity Manager operational and configuration data. It uses Oracle Identity Manager MDS schema for storing configuration-related information and Oracle Identity Manager schema for storing other information. Any change in the schema password requires changes on Oracle Identity Manager configuration.

Changing Oracle Identity Manager database password involves the following:

Note:

Before changing the database password, shut down the managed servers that host Oracle Identity Manager. However, you can keep the Oracle WebLogic Administrative Server running.

  • To change datasource oimJMSStoreDS configuration:

    1. Navigate to Services, JDBC, Data Sources, oimJMSStoreDS.

    2. Click the Connection Pool tab.

    3. In the Password and Confirm password fields, enter the new Oracle Identity Manager database schema password.

    4. Click Save to save the changes.

  • To change datasource ApplicationDB configuration:

    1. Navigate to Services, JDBC, Data Sources, ApplicationDB.

    2. Click the Connection Pool tab.

    3. In the Password and Confirm password fields, enter the new Oracle Identity Manager database schema password.

    4. Click Save to save the changes.

  • To change datasource soaOIMLookupDB configuration:

    1. Navigate to Services, JDBC, Data Sources, and then soaOIMLookupDB.

    2. Click the Connection Pool tab.

    3. In the Password and Confirm password fields, enter the new Oracle Identity Manager database schema password.

    4. Click Save to save the changes.

  • To change datasource oimOperationsDB configuration:

    1. Navigate to Services, JDBC, Data Sources, oimOperationsDB.

    2. Click the Connection Pool tab.

    3. In the Password and Confirm password fields, enter the new Oracle Identity Manager database schema password.

    4. Click Save to save the changes.

  • To change datasource related to Oracle Identity Manager MDS configuration:

    1. Navigate to Services, JDBC, Data Sources, mds-oim.

    2. Click the Connection Pool tab.

    3. In the Password and Confirm password fields, enter the new Oracle Identity Manager MDS database schema password.

    4. Click Save to save the changes.

    Note:

    • For Oracle Identity Manager deployments with Oracle Real Application Clusters (Oracle RAC) configuration, you might have to make changes in all the datasources under the respective multi-datasource configurations.

    • You might have to make similar changes for datasources related to SOA or OWSM, if required.

  • To change OIMAuthenticationProvider configuration:

    1. In the WebLogic Administrative console, navigate to Security Realms, myrealm, and then Providers.

    2. Click OIMAuthenticationProvider.

    3. Click Provider Specific.

    4. In the DBPassword field, enter the new Oracle Identity Manager database schema password.

    5. Click Save to save the changes.

  • To change domain credential store configuration:

    1. Login to Enterprise Manager by using the following URL:

      http://ADMIN_SERVER/em

    2. Navigate to Weblogic Domain, and then DOMAIN_NAME.

    3. Right-click DOMAIN_NAME, and navigate to Security, Credentials. Expand the oim map.

    4. Select OIMSchemaPassword, and click Edit.

    5. In the Password field, enter the new password, and click OK.

  • To change the Oracle Identity Manager database password in BI Publisher:

    1. Login to BI Publisher.

    2. Click the Administration tab.

    3. Click JDBC Connection under Data Sources.

    4. Click OIM JDBC, and change the password in the Password field.

    5. Click Test Connection. The connection is established successfully after confirmation.

    6. Click Apply.

After changing the Oracle Identity Manager database password, restart the WebLogic Administrative Server, and then start the Oracle Identity Manager managed WebLogic Servers.

25.2.5 Changing Oracle Identity Manager Passwords in the Credential Store Framework

Oracle Identity Manager installer stores several passwords during the install process. Various values are stored in Credential Store Framework (CSF) as key and value. Table 25-1 lists the keys and the corresponding values:

Table 25-1 CSF Keys

Key Description

DataBaseKey

The password for the key used to encrypt database. The password is the user input value in the installer for the Oracle Identity Manager keystore.

.xldatabasekey

The password for keystore that stores the database encryption key. The password is the user input value in the installer for the Oracle Identity Manager keystore.

xell

The password for key 'xell', which is used for securing communication between Oracle Identity Manager components. Default password generated by Oracle Identity Manager installer is xellerate.

default_keystore.jks

The password for the default_keystore.jks JKS keystore in the DOMAIN_HOME/config/fmwconfig/ directory. The password is the user input value in the installer for the Oracle Identity Manager keystore.

SOAAdminPassword

The password is the user input value in the installer for the SOA Administrator Password field.

OIMSchemaPassword

The password for connecting to the Oracle Identity Manager database schema. The password is the user input value in the installer for the OIM Database Schema Password field.

JMSKey

The password is the user input value in the installer for the Oracle Identity Manager keystore.


To change the values of the CSF keys:

  1. Login to Oracle Enterprise Manager by navigating to the following URL:

    http://ADMIN_SERVER/em

  2. Navigate to Weblogic Domain, DOMAIN_NAME.

  3. Right-click oim, and select Security, Credentials.

  4. In the oim credential map, select the key whose value you want to change, and click Edit. In the Password field, enter the new password, and click OK.

25.2.6 Changing OVD Password

To change the OVD password:

  1. Login to Oracle Identity Manager Administration.

  2. Click Advanced.

  3. Under Configuration, click Manage IT Resource.

  4. From the IT Resource Type list, select Directory Server.

  5. Click Search.

  6. Edit the Directory Server IT resource. To do so, in the Admin Password field, enter the new OVD password, and click Update.

25.2.7 Changing Oracle Identity Manager Administrator Password in LDAP

To change the Oracle Identity Manager System Administrator password in LDAP in an Oracle Identity Manager deployment that is SSO enabled and integrated with Access Manager (OAM):

  1. Look up the dn for the user from LDAP, as shown:

    $ORACLE_HOME/bin/ldapsearch -D cn=orcladmin -w fusionapps1 -h localhost -p 6501 -b dc=com "cn=SYS_ADMIN" orclaccountlocked dn
    

    Here, SYS_ADMIN is the System Administrator user login.

  2. Create a file similar to the following:

    $ more /tmp/resetpassword_SYS_ADMIN
    
    dn: cn=SYS_ADMIN,cn=Users,dc=us,dc=mycompany,dc=com
    changetype: modify
    replace: userPassword
    userPassword: NEW_PASSWORD
    

    Here, NEW_PASSWORD is the password that you want in clear text.

  3. Change the password, as shown:

    $ORACLE_HOME/bin/ldapmodify -D cn=orcladmin -w fusionapps1 -h localhost -p 6501 -f /tmp/resetpassword_SYS_ADMIN
    
  4. Verify that the user password is changed, as shown:

    $ORACLE_HOME/bin/ldapbind -D 'cn=SYS_ADMIN,cn=Users,dc=us,dc=mycompany,dc=com' -w NEW_PASSWORD -h localhost -p 6501
    

25.2.8 Unlocking Oracle Identity Manager Administrator Password in LDAP

To unlock the Oracle Identity Manager System Administrator account in LDAP in an Oracle Identity Manager deployment that is SSO enabled and integrated with OAM:

  1. Look up the dn for the user from LDAP, as shown:

    $ORACLE_HOME/bin/ldapsearch -D cn=orcladmin -w fusionapps1 -h localhost -p 6501 -b dc=com "cn=SYS_ADMIN" orclaccountlocked dn
    

    If orclaccountlocked has a value of 1, then it means that the user is locked.

  2. Create a file similar to the following:

    $ more /tmp/unlock_SYS_ADMIN
    
    dn: cn=SYS_ADMIN,cn=Users,dc=us,dc=mycompany,dc=com
    changetype: modify
    replace: orclaccountlocked
    orclaccountlocked: 0
    
  3. Unlock the user, as shown:

    $ORACLE_HOME/bin/ldapmodify -D cn=orcladmin -w fusionapps1 -h localhost -p 6501 -f /tmp/unlock_SYS_ADMIN
    
  4. Verify that the user is unlocked, as shown:

    $ORACLE_HOME/bin/ldapsearch -D cn=orcladmin -w fusionapps1 -h localhost -p 6501 -b dc=com "cn=SYS_ADMIN" orclaccountlocked dn
    

    The value of orclaccountlocked must be 0.
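The two procedures above (sections 25.2.7 and 25.2.8) hand-write an LDIF file and then read the orclaccountlocked value by eye. The following shell script is an added example, not part of the Oracle guide, that generates both LDIF files from the login and base DN and parses the ldapsearch output so the lock state can be checked before and after the ldapmodify. The entry layout cn=LOGIN,cn=Users,BASE_DN and the attribute names are taken from the guide's commands; the sample ldapsearch output is constructed.

```shell
#!/bin/sh
# Added example, not from the Oracle guide: builds the LDIF files used in
# sections 25.2.7 and 25.2.8 and reads the lock state back out of ldapsearch
# output, so the state is checked before and after the ldapmodify runs.
# Assumptions (constructed, not from the guide): the entry layout
# cn=LOGIN,cn=Users,BASE_DN and the attribute names userPassword and
# orclaccountlocked as they appear in the guide's commands.

# LDIF that replaces userPassword for a user (step 2 of 25.2.7).
# Usage: reset_password_ldif LOGIN BASE_DN NEW_PASSWORD
reset_password_ldif() {
  printf 'dn: cn=%s,cn=Users,%s\nchangetype: modify\nreplace: userPassword\nuserPassword: %s\n' \
    "$1" "$2" "$3"
}

# LDIF that clears orclaccountlocked for a user (step 2 of 25.2.8).
# Usage: unlock_ldif LOGIN BASE_DN
unlock_ldif() {
  printf 'dn: cn=%s,cn=Users,%s\nchangetype: modify\nreplace: orclaccountlocked\norclaccountlocked: 0\n' \
    "$1" "$2"
}

# Read orclaccountlocked from ldapsearch output on stdin and print
# "locked" (value 1), "unlocked" (value 0) or "unknown" (attribute absent).
# Both the "attr=value" form printed by Oracle's ldapsearch and the LDIF
# "attr: value" form are accepted.
lock_state() {
  v=$(sed -n 's/^orclaccountlocked[:=][[:space:]]*//p' | head -n 1)
  case "$v" in
    1) echo locked ;;
    0) echo unlocked ;;
    *) echo unknown ;;
  esac
}

# Constructed sample of what step 1 of 25.2.8 returns for a locked account.
SAMPLE_LOCKED_OUTPUT='cn=SYS_ADMIN,cn=Users,dc=us,dc=mycompany,dc=com
orclaccountlocked=1'

# Write the unlock LDIF to a file only when the account is actually locked;
# returns 0 when a file was written, 1 when there was nothing to do.
# Usage: prepare_unlock LOGIN BASE_DN SEARCH_OUTPUT OUT_FILE
prepare_unlock() {
  state=$(printf '%s\n' "$3" | lock_state)
  [ "$state" = locked ] || return 1
  unlock_ldif "$1" "$2" > "$4"
}

# Stand-alone run: prepare the unlock file from the sample output. Against a
# live directory, the ldapmodify command from step 3 of 25.2.8 is then run
# with -f pointing at this file.
OUT=${TMPDIR:-/tmp}/unlock_SYS_ADMIN.$$
prepare_unlock SYS_ADMIN dc=us,dc=mycompany,dc=com "$SAMPLE_LOCKED_OUTPUT" "$OUT" \
  && cat "$OUT" && rm -f "$OUT"
```

The LDIF for the password reset contains the new password in clear text, and the guide's ldapmodify and ldapbind commands pass the bind password with -w, so remove the generated file once the change is verified and prefer reading the bind password from a prompt or a protected file where the tooling allows it.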

25.2.9 Changing Schema Passwords

To change OIM, MDS, SOAINFRA, OPSS, ORASDPM, and BI Publisher schema passwords:

  1. Stop all the Managed Servers and application server.

  2. Create a backup of the entire domain and the database.

  3. Start the application server.

  4. Change the xxxx_OPSS user password. To do so:

    1. Run the following command:

      SQL> alter user xxxx_OPSS identified by NEW_PASSWORD;
      
    2. Go to the ORACLE_COMMON/common/bin/ directory, and run the wlst command.

    3. Run the modifyBootStrapCredential script, as shown:

      modifyBootStrapCredential(jpsConfigFile='DOMAIN_NAME/config/fmwconfig/jps-config.xml', username='xxxx_OPSS', password='NEW_PASSWORD')
      
  5. Login to Weblogic Administrative Console. Navigate to Services, Data Sources.

  6. Select opss-DBDS, Connection Pool, and enter the new password set for xxxx_OPSS in step 4a. Save the changes.

  7. Restart the application server, but do not start the Managed Servers.

  8. Connect to the database with sqlplus as system user, and then run the following commands:

    1. To change the password for xxx_OIM, run:

      SQL> alter user xxx_OIM identified by NEW_PASSWORD;
      
    2. To change the password for xxx_MDS, run:

      SQL> alter user xxx_MDS identified by NEW_PASSWORD;
      
    3. To change the password for xxx_SOAINFRA, run:

      SQL> alter user xxx_SOAINFRA identified by NEW_PASSWORD;
      
    4. To change the password for xxx_ORASDPM, run:

      SQL> alter user xxx_ORASDPM identified by NEW_PASSWORD;
      
    5. To change the password for xxx_BIPLATFORM, run:

      SQL> alter user xxx_BIPLATFORM identified by NEW_PASSWORD;
      
  9. Verify that the passwords have been changed. To do so, login to the database with sqlplus as each of the users whose passwords you changed, using the new passwords.

  10. Login to the WebLogic Administrative Console.

  11. Go to Services, Data Sources, and then perform the following:

    1. Select soaOIMLookupDB, Connection Pool, and enter the new password set for xxx_OIM in step 8a.

    2. Select oimJMSStoreDS, Connection Pool, and enter the new password set for xxx_OIM in step 8a.

    3. Select oimOperationsDB, Connection Pool, and enter the new password set for xxx_OIM in step 8a.

    4. Select ApplicationDB, Connection Pool, and enter the new password set for xxx_OIM in step 8a.

    5. Select mds-oim, Connection Pool, and enter the new password set for xxx_MDS in step 8b.

    6. Select mds-owsm, Connection Pool, and enter the new password set for xxx_MDS in step 8b.

    7. Select mds-soa, Connection Pool, and enter the new password set for xxx_MDS in step 8b.

    8. Select EDNDataSource, Connection Pool, and enter the new password set for xxx_SOAINFRA in step 8c.

    9. Select EDNLocalTxDataSource, Connection Pool, and enter the new password set for xxx_SOAINFRA in step 8c.

    10. Select SOADataSource, Connection Pool, and enter the new password set for xxx_SOAINFRA in step 8c.

    11. Select SOALocalTxDataSource, Connection Pool, and enter the new password set for xxx_SOAINFRA in step 8c.

    12. Select OraSDPMDataSource, Connection Pool, and enter the new password set for xxx_ORASDPM in step 8d.

  12. Change OIMAuthenticationProvider configuration. To do so:

    1. In the WebLogic Administrative Console, navigate to Security Realms, myrealm, and then Providers.

    2. Click OIMAuthenticationProvider.

    3. Click Provider Specific.

    4. In the DBPassword field, enter the new Oracle Identity Manager database schema password.

    5. Click Save to save the changes.

  13. Change the domain credential store configuration. To do so:

    1. Login to Oracle Enterprise Manager.

    2. Navigate to Weblogic Domain, and then DOMAIN_NAME.

    3. Right-click the domain name, and select Security, Credentials, and then oim.

    4. Select OIMSchemaPassword, and click Edit.

    5. In the Password field, enter the new password, and then click OK.

  14. Change the oim and soa schema password in BI Publisher. To do so:

    1. Login to BI Publisher.

    2. Click the Administration tab.

    3. Click JDBC Connection under Data Sources.

    4. Click OIM JDBC, and change the password in the Password field.

    5. Click Test Connection. The connection is established successfully after confirmation.

    6. Click Apply.

    7. Repeat the steps 14d through 14f for JDBC data source BPEL JDBC.

  15. If BI Publisher schema password is changed, then perform the following steps:

    1. Login to Oracle Enterprise Manager.

    2. Expand WebLogic Domain, DOMAIN_NAME.

    3. Under the DOMAIN_NAME on the right pane, from the WebLogic Domain list, select JDBC Data Sources.

    4. Select bip_datasource in the table, and then click Edit on the toolbar.

    5. Click the Connection Pool tab. In the Database Connection Information section, change the password, and then click Apply on the upper right corner.

    6. Start BI Publisher services.

  16. Restart WebLogic Admin Server.

  17. Start the SOA and Oracle Identity Manager Managed Servers.

25.3 Configuring SSL for Oracle Identity Manager

This section describes the procedure for generating keys, signing and exporting certificates, setting up the SSL configuration for Oracle Identity Manager and for the components with which Oracle Identity Manager interacts, and establishing secure communication between them.

A SHA-2 compliant certificate is a prerequisite for using TLS 1.2 protocol for SSL communication.

Note:

  • For information related to IBM Java 7, SR4 version support of SHA-2 cipher suites and Transport Layer Security (TLS) version 1.2 refer to IBM documentation.

  • In the following sections several examples are provided. They have parameters which are used to enable more debugging information and are optional. For example, -Dweblogic.StdoutDebugEnabled=true -Dssl.debug=true -Djavax.net.debug=ssl:handshake:verbose.

For Oracle JDK 7, download and apply the latest Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files. Place the local_policy.jar and US_export_policy.jar files into the <JAVA_HOME>/jre/lib/security directory.

Note:

If the OPatch version is earlier than 12.1.0.1.10, then upgrade the OPatch utility by applying the p21142429_121010_Linux-x86-64.zip patch.

Apply p23176395_121020_Generic.zip patch to DB_HOME to get the support of TLS 1.2 on Oracle 12c DB (12.1.0.2).

Apply p19030178_111190_Generic.zip patch on oracle_common directory.

Apply p13964737_1036_Generic.zip Weblogic patch via BSU if Demo Identity and Demo trust is used at Weblogic Level.

It includes the following topics:

25.3.1 Generating Custom Key Stores (Optional)

This section includes the following topics:

Note:

The procedures described in sections "Generating Keys" to "Importing the Certificate" are optional. These steps are required if you have custom identity and trust store for WebLogic servers.

SSL can be enabled with default identity and trust store as well.

25.3.1.1 Generating Keys

You can generate a key pair (a private key and its public certificate) by using the keytool command. The syntax is:

$JAVA_HOME/jre/bin/keytool -genkey -alias ALIAS -keyalg ALGORITHM -keysize KEY_SIZE -sigalg SIGN_ALGORITHM -dname DISTINGUISHED_NAME -keypass KEY_PASSWORD -keystore KEYSTORE_NAME -storepass KEYSTORE_PASSWORD

The following example creates an identity keystore named oimsupportidentity.jks:

$JAVA_HOME/jre/bin/keytool -genkey \
-alias supportpvtkey \
-keyalg RSA -keysize 2048 \
-sigalg SHA256withRSA \
-dname "CN=oimhost.mycompany.com, OU=Identity, O=Oracle Corporation,C=US" \
-keypass privatepassword \
-keystore oimsupportidentity.jks \
-storepass password

When generating the certificate for Oracle Identity Manager, in CN attribute specify the host name where Oracle Identity Manager is deployed. Similarly, when generating the certificate for SOA, in CN attribute specify the host name where SOA is deployed. For example:

-dname "CN=myhost.us.example.com, OU=Identity, O=Example Corporation,C=US"

Note:

  • Change the parameter values passed to the keytool command according to your requirements. Ensure that there is no line break in the keytool argument.

  • The custom identity keystore, oimsupportidentity.jks must be created or copied under WL_HOME/server/lib/.

  • If JDK 7u40 or later is used, then the value of the keysize option must be greater than or equal to 1024. For more information about this limitation, see "Default x.509 Certificates Have Longer Key Length" at the following URL:

    http://www.oracle.com/technetwork/java/javase/7u40-relnotes-2004172.html

25.3.1.2 Signing the Certificates

Use the following keytool command to sign the certificates that you created:

$JAVA_HOME/jre/bin/keytool -selfcert -alias supportpvtkey \
-sigalg SHA256withRSA -validity 2000 -keypass <privatepassword> \
-keystore oimsupportidentity.jks \
-storepass <password>

Note:

Change the parameter values passed to the keytool command according to your requirements. Ensure that there is no line break in the keytool argument.

25.3.1.3 Exporting the Certificate

Use the keytool command to export the certificate from the identity keystore to a file. The syntax is:

$JAVA_HOME/jre/bin/keytool -export -alias ALIAS -file FILE_TO_EXPORT -keypass KEY_PASSWORD -keystore KEYSTORE_NAME -storepass KEYSTORE_PASSWORD

For example, the following command exports the certificate to a file named supportpvtkeycert.pem:

$JAVA_HOME/jre/bin/keytool -export -alias supportpvtkey \
  -file supportpvtkeycert.pem \
  -keypass <password> \
  -keystore oimsupportidentity.jks \
  -storepass <password>

25.3.1.4 Importing the Certificate

Use the keytool command to import the certificate from a file. The syntax is:

keytool -import -alias ALIAS -trustcacerts -file FILE_TO_IMPORT -keystore KEYSTORE_NAME -storepass KEYSTORE_PASSWORD

In the following example, the certificate file supportpvtkeycert.pem is imported into the trust keystore oimsupporttrust.jks, where <password> is the trust keystore password:

$JAVA_HOME/jre/bin/keytool -import -alias supportpvtkey -trustcacerts -file supportpvtkeycert.pem \
-keystore oimsupporttrust.jks -storepass <password>

Note:

  • Change the parameter values passed to the keytool command according to your requirements. Ensure that there is no line break in the keytool argument.

  • This custom trust keystore oimsupporttrust.jks must be created or copied under DOMAIN_HOME/config/fmwconfig/.

  • This command loads a trusted CA certificate into a keystore. If the keystore does not exist, it is created.
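The four keytool sections above (25.3.1.1 through 25.3.1.4) are run one command at a time, and the note in "Generating Keys" requires the CN to be the host name where the server is deployed; a mismatch is what later forces Hostname Verification to None. The following script is an added example, not from the Oracle guide, that checks the CN against the intended host first and then runs the generate, self-sign, export and import steps in one pass against a scratch directory. The alias and file names are the guide's; the passwords are constructed placeholders; keytool is assumed to be on PATH, and the keytool steps are skipped with status 2 when it is not.

```shell
#!/bin/sh
# Added example, not from the Oracle guide: checks that the CN in the -dname
# matches the host name the server is reached as (the requirement stated in
# "Generating Keys"), then runs the generate, self-sign, export and import
# steps of sections 25.3.1.1 to 25.3.1.4 in one pass against a scratch
# directory and verifies the alias landed in the trust keystore.
# Assumptions: alias and file names from the guide's examples; passwords are
# constructed placeholders; keytool is on PATH (status 2 is returned and the
# keytool steps are skipped when it is not).

# Print the CN of an X.500 distinguished name such as the -dname argument.
cn_of_dname() {
  printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/^[[:space:]]*CN=//p' | head -n 1
}

# Return 0 when the CN equals the expected host name, 1 otherwise. A mismatch
# is what forces Hostname Verification to None later in the configuration,
# so it is better caught before the keystore is built.
check_cn_matches_host() {
  [ "$(cn_of_dname "$1")" = "$2" ]
}

# Build oimsupportidentity.jks and oimsupporttrust.jks in directory $1 for
# host $2 using distinguished name $3. Return codes: 0 success, 1 CN mismatch,
# 2 keytool missing, 3 to 6 the keytool step that failed.
build_keystores() {
  dir=$1; host=$2; dname=$3
  check_cn_matches_host "$dname" "$host" || return 1
  command -v keytool >/dev/null 2>&1 || return 2
  # 25.3.1.1 + 25.3.1.2: -genkeypair already self-signs; -validity gives the
  # certificate the same 2000-day lifetime as the separate -selfcert step.
  keytool -genkeypair -alias supportpvtkey -keyalg RSA -keysize 2048 \
    -sigalg SHA256withRSA -validity 2000 -dname "$dname" \
    -keypass privatepassword -keystore "$dir/oimsupportidentity.jks" \
    -storetype JKS -storepass storepass1 >/dev/null 2>&1 || return 3
  # 25.3.1.3: export the certificate (public part only) to a file.
  keytool -exportcert -alias supportpvtkey -file "$dir/supportpvtkeycert.pem" \
    -keystore "$dir/oimsupportidentity.jks" -storepass storepass1 \
    >/dev/null 2>&1 || return 4
  # 25.3.1.4: import it into the trust keystore; -noprompt accepts the
  # self-signed certificate as trusted without the interactive question.
  keytool -importcert -noprompt -alias supportpvtkey -trustcacerts \
    -file "$dir/supportpvtkeycert.pem" -keystore "$dir/oimsupporttrust.jks" \
    -storetype JKS -storepass storepass1 >/dev/null 2>&1 || return 5
  # Verify: keytool -list exits non-zero when the alias is absent.
  keytool -list -alias supportpvtkey -keystore "$dir/oimsupporttrust.jks" \
    -storepass storepass1 >/dev/null 2>&1 || return 6
}

# Stand-alone run against a temporary directory; call main to execute it.
main() {
  tmp=$(mktemp -d)
  build_keystores "$tmp" oimhost.mycompany.com \
    "CN=oimhost.mycompany.com, OU=Identity, O=Example Corporation,C=US"
  rc=$?
  echo "build_keystores exited with $rc (0 = both keystores built and verified)"
  rm -rf "$tmp"
  return "$rc"
}
```

Only the two keystores built in the scratch directory are copied to the locations the guide names (the identity keystore under WL_HOME/server/lib/ and the trust keystore under DOMAIN_HOME/config/fmwconfig/); the exported certificate file is the one that is later imported into the WebLogic and Java standard trust stores.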

25.3.2 Configuring Custom Key Stores (Optional)

Perform the following steps to configure custom key stores:

Note:

See "Generating Custom Key Stores (Optional)" for information about generating custom keys.

  1. In the WebLogic Server Administration Console, click Environment, Servers, Server_Name (OIM_Server1), Configuration, and then General.

  2. Click Lock & Edit.

  3. Select SSL listen port enabled. The default SSL port is 14002 and 14001 for non-SSL.

  4. Select the Keystores tab.

  5. From the Keystore list, select Custom Identity and Custom Trust.

    Note:

    If you have created only custom identity and using java standard trust, then select the Custom Identity, Java Standard Trust option.

    If you have created custom identity and custom trust, then select the Custom Identity and Custom Trust option.

  6. Copy the custom identity keystore file, say oimsupporttrust.jks, under the DOMAIN_HOME/config/fmwconfig/ directory. Enter the absolute path of this key store (DOMAIN_HOME/config/fmwconfig/oimsupporttrust.jks) in the Custom Identity Keystore field.

    Note:

    • The trust keystore created at DOMAIN_HOME/config/fmwconfig/ by Oracle Identity Manager during installation is default-keystore.jks.

    • If you are using a different name for truststore than the default name, which is default-keystore.jks, then perform the following steps:

      1. Add Oracle Identity Manager Credential store map key. If you are using any other name, such as oimsupporttrust.jks, then create a key in the credential store by using Oracle Enterprise Manager as default-keystore.jks is created with Oracle Identity Manager configuration by default. To create a key in the credential store:

        1. Login to Oracle Enterprise Manager.

        2. Expand Weblogic Domain, DOMAIN_NAME. Right-click DOMAIN_NAME, and select Security, Credentials.

        3. In the Credential Store Provider table, click oim.

        4. Create a key with type as Password and with the credentials, User Name: oimsupporttrust.jks, Password: password.

      2. Change DirectDB, SSLConfig config in the oim-Config.xml file either by exporting/importing this file from MDS or by using Enterprise Manager. For the latter, navigate to oracle.iam, XMLConfig, DirectDB, SSLConfig in Application Defined MBeans section of System Mbean Browser, and then change the SSL parameters, for example:

        SSLConfig dBTrustStore="oimsupporttrust.jks"
        SSLConfig DBTrustStorePasswordKey="NAME_OF_CSF_KEY"
        
  7. Specify JKS as the custom identity keystore type.

  8. Type the password (password) into the Custom Identity Keystore Passphrase and the Confirm Custom Identity Keystore Passphrase fields.

    Note:

    If you are creating a custom trust keystore, then perform steps 6 to 8 of this section for the custom trust keystore fields as well.

  9. Click Save.

  10. Click the SSL tab.

  11. Type supportpvtkey as the private key alias.

  12. Type the password (password) into the Private Key Passphrase and the Confirm Private Key Passphrase fields.

  13. Click Save.

  14. Perform similar steps (steps 1 through 13) for Admin and SOA Servers.

  15. Click Activate changes.

  16. Import the certificate that you exported in "Exporting the Certificate" into the SPML client truststore, the WebLogic trust store, and the Java Standard Trust Store:

    WebLogic trust store:

    MW_HOME/wlserver_10.3/server/lib/cacerts

    For example:

    ./keytool -importcert -alias startssl -keystore MW_HOME/wlserver_10.3/server/lib/cacerts -storepass <password> -file supportpvtkeycert.pem

    Java Standard Trust Store:

    JAVA_HOME/jre/lib/security/cacerts

    For example:

    ./keytool -importcert -alias startssl -keystore JAVA_HOME/jre/lib/security/cacerts -storepass <password> -file supportpvtkeycert.pem

    Note:

    Here, <password> is the default password for Java's Standard truststore (JAVA_HOME/jre/lib/security/cacerts).

    See "Importing the Certificate" for information about importing the certificate.

Note:

If the CN of the certificate is not the same as the hostname of the machine where WLS is installed, then you need to select the hostname verification as None. To do so, go to SSL tab, Advanced section, select None from the Hostname Verification list.

25.3.3 Enabling SSL for Oracle Identity Manager and SOA Servers

You need to perform the following configurations in Oracle Identity Manager and SOA servers to enable SSL:

25.3.3.1 Enabling SSL for Oracle Identity Manager

Enabling SSL for Oracle Identity Manager is described in the following sections:

25.3.3.1.1 Enabling SSL for Oracle Identity Manager By Using Default Setting

To enable SSL for Oracle Identity Manager and SOA servers by using default setting:

  1. Log in to the WebLogic Server Administration Console and go to Servers, OIM_SERVER1, General. Under the General section, enable the SSL listen port, set it to the port value you want, and activate the change.

  2. The server starts listening on that port, and you can access the URL with the HTTPS protocol.

  3. Perform the same steps for Admin/SOA Servers as Oracle Identity Manager might need to interact with SSL-enabled SOA Server.

25.3.3.1.2 Enabling SSL for Oracle Identity Manager By Using Custom Keystore

To enable SSL for Oracle Identity Manager by using custom keystore:

  1. Open the DOMAIN_HOME/bin/setDomainEnv.sh file for UNIX or DOMAIN_HOME\bin\setDomainEnv.cmd for Microsoft Windows, locate the line # SET THE CLASSPATH, and add the following:

    TLS_JAVA_OPTIONS=" -Dweblogic.management.username=username -Dweblogic.management.password=password -Djavax.net.ssl.trustStore=$TRUSTSTORE_LOCATION -Dweblogic.security.SSL.ignoreHostnameVerification=true -Dweblogic.security.SSL.enforceConstraints=off -Dweblogic.ssl.JSSEEnabled=true -Dweblogic.security.SSL.enableJSSE=true -Dweblogic.security.SSL.protocolVersion=TLSv1.2 -Dhttps.protocols=TLSv1.2 -Djdk.tls.client.protocols=TLSv1.2 -Djdk.tls.disabledAlgorithms=SSLv2Hello,SSLv3,TLSv1,TLSv1.1 -Dssl.debug=true -Djavax.net.debug=ssl:handshake:verbose "
     
    JAVA_OPTIONS="${JAVA_OPTIONS} ${TLS_JAVA_OPTIONS}"
    export JAVA_OPTIONS
    

    Here, the value of TRUSTSTORE_LOCATION in case of custom trust store is:

    DOMAIN_HOME/config/fmwconfig/oimsupporttrust.jks
    

    The value of TRUSTSTORE_LOCATION in case of Demo trust store is:

    ${WL_HOME}/server/lib/DemoTrust.jks
    

    The value of TRUSTSTORE_LOCATION in case of Java Standard Trust store is:

    $JAVA_HOME/jre/lib/security/cacerts
    

    Note:

    • These settings work with JDK 7u131. Use -Dssl.debug=true -Djavax.net.debug=ssl:handshake:verbose only when SSL debugging information is needed.

    • The stopWebLogic.sh script does not support passing or setting the trust store in use; it uses the Java standard trust store. Import the certificate into the Java standard trust store along with the custom trust store when doing the basic SSL configuration.

  2. In a text editor, open the startManagedWebLogic.sh file and do the following:

    1. Change the value of ADMIN_URL to point to a SSL URL. For example:

      ADMIN_URL="https://myhost.mycompany.com:7002"

    2. Comment out the following lines:

      #JAVA_OPTIONS="-Dweblogic.security.SSL.trustedCAKeyStore="WL_HOME/server/lib/cacerts" ${JAVA_OPTIONS}"
      #export JAVA_OPTIONS
      

    Save the startManagedWebLogic.sh file.

  3. Restart all servers for the changes to take effect.

    When only the SSL listen port is enabled on the Oracle Identity Manager server and the non-SSL listen port is disabled, you must set the value of the providerURL JVM system property to point to the Oracle Identity Manager RMI t3s URL, as follows:

    -DproviderURL=t3s://OIM_HOST:OIM_SSL_PORT
    

    This can be done by setting the value of the JAVA_OPTIONS environment variable before starting Oracle Identity Manager Managed Server from the command prompt.

    For instance, on Linux, if you are using csh shell, then set the environment variable in the following way:

    setenv JAVA_OPTIONS -DproviderURL=t3s://OIM_HOST:OIM_SSL_PORT
    

    For bash, set the following:

    export JAVA_OPTIONS=-DproviderURL=t3s://OIM_HOST:OIM_SSL_PORT
    

    On Microsoft Windows, set the environment variable in the following way:

    SET JAVA_OPTIONS=-DproviderURL=t3s://OIM_HOST:OIM_SSL_PORT
    

    If Oracle Identity Manager server is managed through Node Manager, then add the following as an argument under oim_server, Configuration, Server start, Arguments.

    -DproviderURL=t3s://OIM_HOST:OIM_SSL_PORT
    

    Optionally, you can also set the parameters in step 17 in startWebLogic.sh and startManagedWebLogic.sh to start the server through those scripts.

    Backup the WL_HOME/common/nodemanager/nodemanager.properties file. Open the file and add the following:

    KeyStores=CustomIdentityAndCustomTrust
    CustomIdentityKeyStoreType=JKS
    CustomIdentityKeyStoreFileName=DOMAIN_HOME/config/fmwconfig/oimsupporttrust.jks
    CustomIdentityAlias=supportpvtkey
    CustomIdentityKeyStorePassPhrase=password
    CustomIdentityPrivateKeyPassPhrase=privatepassword
    

    Ensure that the path, alias, and passwords are updated as per the AdminServer configuration.

    Note:

    Oracle Identity Manager can connect to SOA through web services. If the web service invocation fails, then SOA cannot connect to Oracle Identity Manager, and requests can get stuck. For example, after a create user request is approved, the request might be stuck because the corresponding SOA composite cannot invoke the request web service deployed on the SSL-enabled Oracle Identity Manager server. To avoid such issues, set JAVA_OPTIONS in the setDomainEnv.sh file, for example, with:
    -Djavax.net.ssl.trustStore=DOMAIN_HOME/config/fmwconfig/oimsupporttrust.jks
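The TLS_JAVA_OPTIONS string in step 1 mixes the settings that decide the managed server's TLS posture (protocol pinned to TLSv1.2, legacy protocols disabled) with settings the guide itself marks as optional or debug-only (SSL debug output) and with relaxations (hostname verification off, constraint enforcement off, the admin password as a JVM option). The following shell function is an added example, not from the Oracle guide, that reviews such a string before it goes into setDomainEnv.sh and reports each of those points. The property names are the guide's; the GUIDE_OPTIONS value reproduces the guide's step 1 string, and HARDENED_OPTIONS is a constructed variant with the debug and relaxation flags removed.

```shell
#!/bin/sh
# Added example, not from the Oracle guide: reviews a TLS_JAVA_OPTIONS string
# of the kind set in step 1 before it goes into setDomainEnv.sh, and reports
# the settings that decide the TLS posture of the managed server: protocol
# pinned to TLSv1.2, legacy protocols disabled, plus the relaxations the
# guide marks as optional or debug-only (hostname verification off, constraint
# enforcement off, SSL debug output, admin credentials on the command line).
# Assumptions: property names exactly as they appear in the guide; the
# GUIDE_OPTIONS sample below is the guide's own string, reproduced for the run.

# Print one finding per line for the options in $1 and return 1 when there are
# findings, 0 when the string passes every check.
review_tls_options() {
  opts=" $1 "
  n=0
  case "$opts" in
    *" -Dweblogic.security.SSL.protocolVersion=TLSv1.2 "*) ;;
    *) echo "protocolVersion is not pinned to TLSv1.2"; n=$((n + 1)) ;;
  esac
  # Check each legacy protocol as a whole list element so that TLSv1 does not
  # match inside TLSv1.1 or TLSv1.2.
  disabled=$(printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^-Djdk.tls.disabledAlgorithms=//p')
  for legacy in SSLv3 TLSv1 TLSv1.1; do
    case ",$disabled," in
      *",$legacy,"*) ;;
      *) echo "jdk.tls.disabledAlgorithms does not disable $legacy"; n=$((n + 1)) ;;
    esac
  done
  case "$opts" in *" -Dweblogic.security.SSL.ignoreHostnameVerification=true "*)
    echo "hostname verification is disabled (ignoreHostnameVerification=true)"; n=$((n + 1)) ;;
  esac
  case "$opts" in *" -Dweblogic.security.SSL.enforceConstraints=off "*)
    echo "certificate constraint enforcement is off (enforceConstraints=off)"; n=$((n + 1)) ;;
  esac
  case "$opts" in *" -Dssl.debug=true "*|*" -Djavax.net.debug="*)
    echo "SSL debug output is enabled; the guide marks these flags as debug-only"; n=$((n + 1)) ;;
  esac
  case "$opts" in *" -Dweblogic.management.password="*)
    echo "admin password is passed as a JVM option and is visible in the process list"; n=$((n + 1)) ;;
  esac
  [ "$n" -eq 0 ]
}

# The guide's step 1 value (copied verbatim; username and password are the
# guide's placeholders).
GUIDE_OPTIONS=" -Dweblogic.management.username=username -Dweblogic.management.password=password -Djavax.net.ssl.trustStore=\$TRUSTSTORE_LOCATION -Dweblogic.security.SSL.ignoreHostnameVerification=true -Dweblogic.security.SSL.enforceConstraints=off -Dweblogic.ssl.JSSEEnabled=true -Dweblogic.security.SSL.enableJSSE=true -Dweblogic.security.SSL.protocolVersion=TLSv1.2 -Dhttps.protocols=TLSv1.2 -Djdk.tls.client.protocols=TLSv1.2 -Djdk.tls.disabledAlgorithms=SSLv2Hello,SSLv3,TLSv1,TLSv1.1 -Dssl.debug=true -Djavax.net.debug=ssl:handshake:verbose "

# A constructed variant with the debug and relaxation flags removed.
HARDENED_OPTIONS=" -Djavax.net.ssl.trustStore=\$TRUSTSTORE_LOCATION -Dweblogic.ssl.JSSEEnabled=true -Dweblogic.security.SSL.enableJSSE=true -Dweblogic.security.SSL.protocolVersion=TLSv1.2 -Dhttps.protocols=TLSv1.2 -Djdk.tls.client.protocols=TLSv1.2 -Djdk.tls.disabledAlgorithms=SSLv2Hello,SSLv3,TLSv1,TLSv1.1 "

# Number of findings for a string (0 when it passes).
finding_count() {
  review_tls_options "$1" | grep -c .
}

echo "findings in the guide's string: $(finding_count "$GUIDE_OPTIONS")"
review_tls_options "$GUIDE_OPTIONS" | sed 's/^/  /'
echo "findings in the hardened string: $(finding_count "$HARDENED_OPTIONS")"
```

The hostname-verification and constraint findings are the ones to resolve rather than accept: with a certificate whose CN matches the host (see the note at the end of "Configuring Custom Key Stores (Optional)") the ignoreHostnameVerification setting is not needed, and the debug flags can be dropped once the handshake has been confirmed.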
    

After enabling SSL on Oracle Identity Manager and SOA Servers, perform the following changes for establishing secured communication between them:

25.3.3.2 Changing OimFrontEndURL to Use OIM SSL Port

To change the OimFrontEndURL to use OIM SSL port:

  1. When the WebLogic admin and Oracle Identity Manager managed servers (at least one of the servers in case of cluster) are running, log in to Enterprise Manager (EM).

    For example:

    http://<AdminServer>/em

  2. Navigate to Identity and Access, Oracle Identity Manager, and then oim (11.1.2.0.0).

  3. Right click and select System MBean Browser.

  4. Under Application Defined MBeans, navigate to oracle.iam, Server:<oim_servername>, Application:oim, XMLConfig, Config, XMLConfig.DiscoveryConfig, Discovery.

    In a clustered deployment, when you select oracle.iam under Application Defined MBeans, Oracle Identity Manager server name is displayed. Select the server and continue with the navigation.

    Note:

    In a clustered deployment, the change to the OimFrontEndURL must be made on each server in the cluster.
  5. Enter a new value for the "OimFrontEndURL" attribute and click Apply to save the changes.

    For example:

    https://myoimserver.mycompany.com:14002

    Note:

    Fusion Apps or SPML clients store the Oracle Identity Manager URL for invoking SPML and for sending the callback response, so corresponding changes are needed there. Also, if Oracle Identity Manager is integrated with OAM/OAAM/OIN, corresponding changes may be necessary.

25.3.3.3 Changing backOfficeURL to Use SOA SSL Port

To change the backOfficeURL to use SOA SSL port:

  1. When the WebLogic admin and Oracle Identity Manager managed servers (at least one of the servers in case of cluster) are running, log in to Enterprise Manager (EM).

    For example:

    http://<AdminServer>/em

  2. Navigate to Identity and Access, Oracle Identity Manager.

  3. Right click and select System MBean Browser.

  4. Under Application Defined MBeans, navigate to oracle.iam, Application:oim, XMLConfig, Config, XMLConfig.DiscoveryConfig, Discovery.

  5. Enter a new value for the "backOfficeURL" attribute and click Apply to save the changes.

    For example:

    t3s://mywls1.mycompany.com:8002

    t3s://mywls1.mycompany.com:8002,mywls2.mycompany.com:8003

25.3.3.4 Changing SOA Server URL to Use SOA SSL Port

To change SOA server URL to use SOA SSL port:

  1. When the admin server and Oracle Identity Manager managed servers are running, log in to Enterprise Manager (EM).

    For example:

    http://ADMINISTRATIVE_SERVER/em

  2. Navigate to Identity and Access, Oracle Identity Manager.

  3. Right click and select System MBean Browser.

  4. Under Application Defined MBeans, navigate to oracle.iam, Application:oim, XMLConfig, Config, XMLConfig.SOAConfig, SOAConfig.

  5. Change the values of the Rmiurl attribute.

    Note:

    Rmiurl is used for accessing SOA EJBs deployed on SOA managed servers.

    This is the application server URL. For clustered installation, it is a comma separated list of all the SOA managed server URLs.

    For example:

    t3s://mysoa1.mycompany.com:8002

    t3s://mysoa1.mycompany.com:8002,mysoa2.mycompany.com:8003,mysoa3.mycompany.com:8004

  6. Change the value of the Soapurl attribute. For example:

    https://mysoa.mycompany.com:8002

    Note:

    Soapurl is used to access SOA web services deployed on SOA managed servers. This is the web server/load balancer URL, in case of a SOA cluster front ended with web server/load balancer. In case of single SOA server, it can be application server URL.

  7. Click Apply to save the changes.

The SOA server URL must be enabled in ForeignJNDIProvider-SOA as well:

  1. Login to WebLogic Administrative Console.

  2. Navigate to domain, services, ForeignJNDIProvider.

  3. Click ForeignJNDIProvider-SOA, and modify it to:

    t3s://HOST_NAME:SSL_SOA_PORT

    For example:

    t3s://mysoa.mycompany.com:8002

25.3.4 Enabling SSL for Oracle Identity Manager DB

You need to perform the following configurations to enable SSL for Oracle Identity Manager DB:

25.3.4.1 Creating KeyStores and Certificates

You can create server side and client side KeyStores using the orapki utility. This utility is shipped as a part of Oracle DB installation.

KeyStores can be of any format, such as JKS or PKCS12. The keystore format depends on the provider implementation. For example, JKS is the implementation provided by Sun/Oracle, whereas PKCS12 is implemented by OraclePKIProvider.

Only JKS client KeyStore is used in Oracle Identity Manager for DB server. This is because using non-JKS KeyStores format such as PKCS12 requires significant changes on the installer side at the critical release time. However, Oracle Identity Manager already has a KeyStore named default-KeyStore.jks, which is in JKS format.

The following are the KeyStores that you can create using orapki utility:

Creating a Root CA Wallet

To create a root certification authority (CA) wallet:

  1. Navigate to the following path:

    $DB_ORACLE_HOME/bin directory

  2. Create a wallet by using the command:

    ./orapki wallet create -wallet CA_keystore.p12 -pwd KEYSTORE_PASSWORD
    
  3. Add a self signed certificate to the CA wallet by using the command:

    ./orapki wallet add -wallet CA_keystore.p12 -dn 'CN=root_test,C=US' -keysize 2048 -self_signed -validity 3650 -pwd KEYSTORE_PASSWORD -sign_alg sha256
    
  4. View the wallet using the command:

    ./orapki wallet display -wallet CA_keystore.p12 -pwd KEYSTORE_PASSWORD
    
  5. Export the self signed certificate from the CA wallet using the command:

    ./orapki wallet export -wallet CA_keystore.p12 -dn 'CN=root_test,C=US' -cert self_signed_CA.cert -pwd KEYSTORE_PASSWORD
    

Creating DB Server Side Wallet

To create a DB server side wallet:

  1. Create a server wallet using the command:

    ./orapki wallet create -wallet server_keystore_ssl.p12 -auto_login -pwd KEYSTORE_PASSWORD
    
  2. Add a certificate request to the server wallet using the command:

    ./orapki wallet add -wallet server_keystore_ssl.p12 -dn 'CN=Customer,OU=Customer,O=Customer,L=City,ST=NY,C=US' -keysize 2048 -pwd KEYSTORE_PASSWORD -sign_alg sha256
    
  3. Export the certificate request to a file, which is used later for getting it signed using the root CA signature:

    ./orapki wallet export -wallet server_keystore_ssl.p12 -dn 'CN=Customer,OU=Customer,O=Customer,L=City,ST=NY,C=US' -request server_creq.csr -pwd KEYSTORE_PASSWORD -sign_alg sha256
    
  4. Get the server wallet's certificate request signed using the CA signature:

    ./orapki cert create -wallet CA_keystore.p12 -request server_creq.csr -cert server_creq_signed.cert -validity 3650 -pwd KEYSTORE_PASSWORD -sign_alg sha256
    
  5. View the signed certificate using the command:

    ./orapki cert display -cert server_creq_signed.cert -complete
    
  6. Import the trusted certificate in to the server wallet using the command:

    ./orapki wallet add -wallet server_keystore_ssl.p12 -trusted_cert -cert self_signed_CA.cert -pwd KEYSTORE_PASSWORD -sign_alg sha256
    
  7. Import this newly created signed certificate (user certificate) to the server wallet using the command:

    ./orapki wallet add -wallet server_keystore_ssl.p12 -user_cert -cert server_creq_signed.cert -pwd KEYSTORE_PASSWORD -sign_alg sha256
    

Creating Client Side Wallet

To create a client side (Oracle Identity Manager server) wallet:

  1. Create a client keystore or use existing keystore default-keystore.jks at following path:

    DOMAIN_HOME/config/fmwconfig

    Note:

    You can also use Oracle PKCS12 wallet as the client keystore.
  2. Import the self-signed CA trusted certificate that you exported with the server-side commands into the client keystore (default-keystore.jks) by using the command:

    JAVA_HOME/jre/bin/keytool -import -trustcacerts -alias dbtrusted -noprompt -keystore default-keystore.jks -file self_signed_CA.cert -storepass KEYSTORE_PASSWORD
    

    Here, KEYSTORE_PASSWORD is the password given for the keystore during Oracle Identity Manager configuration.

    Note:

    For a custom trust keystore, import the self-signed CA trusted certificate into that keystore, for example:
    JAVA_HOME/jre/bin/keytool -import -trustcacerts -alias dbtrusted -noprompt -keystore oimsupporttrust.jks -file self_signed_CA.cert -storepass KEYSTORE_PASSWORD
    

25.3.4.2 Setting Up DB in Server-Authentication SSL Mode

To set up DB in Server-Authentication SSL mode:

  1. Stop the DB server and the listener.

  2. Navigate to the path:

    $DB_ORACLE_HOME/network/admin directory

    For example:

    /u01/app/user1/product/12.1.0/dbhome_1/network/admin

  3. Configure the listener.ora file as follows:

    1. Edit the listener.ora file to include SSL listening port and Server Wallet Location.

      The following is the sample listener.ora file:

      # listener.ora Network Configuration File: DB_HOME/listener.ora
      # Generated by Oracle configuration tools.
       
      SSL_VERSION = 1.2
      SSL_CLIENT_AUTHENTICATION = FALSE
       
      WALLET_LOCATION =
        (SOURCE =
          (METHOD = FILE)
          (METHOD_DATA =
            (DIRECTORY = DB_HOME/server_keystore_ssl.p12)
          )
        )
       
      LISTENER =
        (DESCRIPTION_LIST =
          (DESCRIPTION =
            (ADDRESS = (PROTOCOL = TCPS)(HOST = server1.mycompany.com)(PORT = 2484))
          )
          (DESCRIPTION =
            (ADDRESS = (PROTOCOL = TCP)(HOST = server1.mycompany.com)(PORT = 1521))
          )
        )
       
      TRACE_LEVEL_LISTENER = SUPPORT
      
  4. Configure the sqlnet.ora file as follows:

    1. Edit sqlnet.ora file to include:

      • TCPS Authentication Services

      • SSL_VERSION

      • Server Wallet Location

      • SSL_CLIENT_AUTHENTICATION type (either true or false)

      • SSL_CIPHER_SUITES that can be allowed in the communication (optional)

      The following is the sample sqlnet.ora file:

      # sqlnet.ora Network Configuration File: DB_HOME/sqlnet.ora
      # Generated by Oracle configuration tools.
       
      SQLNET.AUTHENTICATION_SERVICES= (BEQ, TCPS)
       
      NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
       
      WALLET_LOCATION =
        (SOURCE =
          (METHOD = FILE)
          (METHOD_DATA =
            (DIRECTORY = /u01/app/user1/product/12.1.0/dbhome_1/bin/server_keystore_ssl.p12)
          )
        )
       
      SQLNET.AUTHENTICATION_SERVICES = (TCPS,NTS,BEQ)
      SSL_CLIENT_AUTHENTICATION = FALSE
      
  5. Configure the tnsnames.ora file as follows:

    1. Edit the tnsnames.ora file to include SSL listening port in the description list of the service.

      The following is the sample tnsnames.ora file:

      # tnsnames.ora Network Configuration File: DB_HOME/tnsnames.ora
      # Generated by Oracle configuration tools.
      ORCL12C =
        (DESCRIPTION =
          (ADDRESS = (PROTOCOL = TCPS)(HOST = server1.mycompany.com)(PORT = 2484))
          (CONNECT_DATA =
            (SERVER = DEDICATED)
            (SERVICE_NAME = proddb)
          )
        )
       
      LISTENER_ORCL12C =
        (ADDRESS = (PROTOCOL = TCPS)(HOST = server1.mycompany.com)(PORT = 2484))
      
  6. Start/Stop utilities for DB server.

  7. Start the DB server.

25.3.4.3 Updating Oracle Identity Manager

Perform the following steps in Oracle Identity Manager to enable secure (SSL) communication between Oracle Identity Manager and the Oracle Identity Manager DB:

  1. Log in to Enterprise Manager.

  2. Navigate to Identity and Access, OIM.

  3. Right click and navigate to System MBean Browser.

  4. Under Application Defined MBeans, navigate to oracle.iam, Application:oim, XMLConfig, Config, XMLConfig.DirectDBConfig, and DirectDB.

  5. Change the values of the "Sslenabled" and "Url" attributes, and click Apply. If SSL mode is enabled for the DB, then "Url" must use the TCPS protocol and the SSL port.

    For example:

    jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCPS)(HOST=server1.mycompany.com)(PORT=2484)))(CONNECT_DATA=(SERVICE_NAME=server12c.mycompany.com))(SECURITY=(SSL_SERVER_CERT_DN="CN=root_test,C=US")))

  6. Restart the Oracle Identity Manager server.

25.3.4.4 Updating WebLogic Server

After enabling SSL for the Oracle Identity Manager DB, change the following Oracle Identity Manager datasources and authenticators to use the DB SSL port:

Note:

Before changing the database host/port, you must shut down the managed servers hosting the Oracle Identity Manager application. However, you can keep the WebLogic Admin Server up and running.

Updating Datasource oimOperationsDB Configuration

To update the Datasource oimOperationsDB configuration:

  1. Log in to WebLogic Server.

  2. Navigate to Services, JDBC, Data Sources, oimOperationsDB.

  3. Click the Connection Pool tab.

  4. Change the value of the URL to reflect the SSL DB host/port, similar to the following example:

    jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCPS)(HOST=server1.mycompany.com)(PORT=2484)))(CONNECT_DATA=(SERVICE_NAME=server12c.mycompany.com))(SECURITY=(SSL_SERVER_CERT_DN="CN=root_test,C=US")))
    

    Here, SSL_SERVER_CERT_DN="CN=root_test,C=US" is the DN of the DB root certificate.

  5. Update Properties to add the following SSL-related properties:

    javax.net.ssl.trustStore=DOMAIN_HOME/config/fmwconfig/default-keystore.jks
    javax.net.ssl.trustStoreType=JKS
    javax.net.ssl.trustStorePassword=password
    

    Here, password is the password given for the keystore during Oracle Identity Manager configuration.

    Note:

    • Use default-keystore.jks or oimsupporttrust.jks based on values provided for Wallet.
    • For a custom trust keystore, provide the path of the keystore in the javax.net.ssl.trustStore property. For example:

      javax.net.ssl.trustStore=DOMAIN_HOME/config/fmwconfig/oimsupporttrust.jks
      
    • If required, perform similar updates to all datasources related to SOA, OWSM, or OPSS like ApplicationDB, bip_datasource, EDNDataSource, EDNLocalTxDataSource, mds-oim, mds-owsm, mds-soa, oimJMSStoreDS, opss-DBDS, OraSDPMDataSource, SOADataSource, SOALocalTxDataSource, and soaOIMLookupDB.
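The listener.ora, sqlnet.ora and tnsnames.ora files edited in "Setting Up DB in Server-Authentication SSL Mode" and the datasource URLs above all use the same parenthesised Oracle Net descriptor syntax, and a single misplaced parenthesis or a leftover PROTOCOL=TCP address silently leaves the OIM-to-DB path in plaintext. The following script is an added example, not Oracle's code or part of this guide: it parses that syntax, reports a listener without a TCPS endpoint, a listener that still exposes a plaintext TCP endpoint, SSL_CLIENT_AUTHENTICATION not set to FALSE, and a datasource URL that does not use TCPS or omits SSL_SERVER_CERT_DN, and it raises ValueError on unbalanced parentheses. The embedded samples are constructed from the page's listener.ora and datasource URL; the wallet directory /u01/wallet is a placeholder.

```python
"""Check Oracle Net SSL settings in *.ora files and OIM JDBC thin URLs.
Added example, not Oracle's code: one parser for the parenthesised (KEY = VALUE)
syntax shared by listener.ora, sqlnet.ora, tnsnames.ora and the
jdbc:oracle:thin:@(DESCRIPTION=...) URL, with checks for unencrypted or
unpinned settings and for unbalanced parentheses."""
import re

_ENTRY = re.compile(r'\s*([A-Za-z_][\w.]*)\s*=[ \t]*')   # top-level NAME =
_WS = re.compile(r'\s*')

def _parse_value(s, i):
    """'('-value at s[i]: bare list (BEQ, TCPS) -> [str]; (K = V) groups -> [(K, V)]."""
    close = s.index(')', i)
    if s.find('=', i, close) == -1:
        return [v.strip() for v in s[i + 1:close].split(',')], close + 1
    return _parse_seq(s, i)

def _parse_seq(s, i):
    """Parse consecutive (KEY = VALUE) groups from s[i]; returns (items, next)."""
    items = []
    while True:
        i = _WS.match(s, i).end()
        if i >= len(s) or s[i] != '(':
            return items, i
        eq = s.index('=', i)
        key, i = s[i + 1:eq].strip().upper(), _WS.match(s, eq + 1).end()
        if i < len(s) and s[i] == '(':
            value, i = _parse_value(s, i)
        else:                                  # scalar; quoted DNs hold no ')'
            close = s.index(')', i)
            value, i = s[i:close].strip(), close
        i = _WS.match(s, i).end()
        if i >= len(s) or s[i] != ')':
            raise ValueError('unbalanced parentheses near offset %d' % i)
        items.append((key, value))
        i += 1

def parse_ora(text):
    """Parse a listener/sqlnet/tnsnames.ora body (comments dropped) into a dict."""
    body = '\n'.join(ln for ln in text.splitlines() if not ln.lstrip().startswith('#')) + '\n'
    entries, i = {}, 0
    while True:
        m = _ENTRY.match(body, i)
        if not m:
            break
        name, i = m.group(1).upper(), m.end()
        j = _WS.match(body, i).end()
        if j < len(body) and body[j] == '(':
            value, i = _parse_value(body, j)
        else:                                  # scalar value ends at end of line
            end = body.index('\n', i)
            value, i = body[i:end].strip(), end
        entries[name] = value
    if body[i:].strip():
        raise ValueError('unparsed text near: %r' % body[i:i + 40].strip())
    return entries

def find_all(tree, key):
    """Yield every value stored under KEY anywhere inside a parsed tree."""
    for item in tree if isinstance(tree, list) else []:
        if isinstance(item, tuple):
            if item[0] == key:
                yield item[1]
            yield from find_all(item[1], key)

def check_listener(entries):
    """Findings for a parsed listener.ora in server-authentication SSL mode."""
    protocols = [p.upper() for p in find_all(entries.get('LISTENER', []), 'PROTOCOL')]
    findings = []
    if 'TCPS' not in protocols:
        findings.append('no TCPS endpoint: SSL clients cannot connect')
    if 'TCP' in protocols:
        findings.append('plaintext TCP endpoint still listening')
    if str(entries.get('SSL_CLIENT_AUTHENTICATION', '')).upper() != 'FALSE':
        findings.append('SSL_CLIENT_AUTHENTICATION must be FALSE for server-auth mode')
    return findings

def check_jdbc_url(url):
    """Findings for an OIM datasource URL; an empty list means it looks right."""
    if not url.startswith('jdbc:oracle:thin:@'):
        return ['not a thin-driver descriptor URL']
    desc, end = _parse_seq(url, len('jdbc:oracle:thin:@'))
    findings = ['unparsed text after descriptor'] if url[end:].strip() else []
    findings += ['address uses %s instead of TCPS' % p
                 for p in list(find_all(desc, 'PROTOCOL')) or ['NONE'] if p.upper() != 'TCPS']
    if not list(find_all(desc, 'SSL_SERVER_CERT_DN')):
        findings.append('SSL_SERVER_CERT_DN missing: server certificate DN is not pinned')
    return findings

# Constructed samples modelled on the page's listener.ora and datasource URL.
SAMPLE_LISTENER = """
SSL_CLIENT_AUTHENTICATION = FALSE
WALLET_LOCATION = (SOURCE = (METHOD = FILE)(METHOD_DATA = (DIRECTORY = /u01/wallet)))
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION = (ADDRESS = (PROTOCOL = TCPS)(HOST = server1.mycompany.com)(PORT = 2484)))
    (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = server1.mycompany.com)(PORT = 1521)))
  )
"""
SAMPLE_JDBC_URL = ('jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCPS)'
                   '(HOST=server1.mycompany.com)(PORT=2484)))(CONNECT_DATA='
                   '(SERVICE_NAME=server12c.mycompany.com))'
                   '(SECURITY=(SSL_SERVER_CERT_DN="CN=root_test,C=US")))')
```

Run check_listener(parse_ora(open('listener.ora').read())) and check_jdbc_url(url) for each datasource listed in the note above; the sample listener reports only the plaintext port 1521 that the page's own example keeps open, so you can decide whether it is still needed once every datasource has moved to TCPS. The scalar parser stops at the first ')', which is enough for the quoted DNs used here but not for values that themselves contain a parenthesis.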

Updating Oracle Identity Manager Authenticators

The existing Oracle Identity Manager authenticators in the WebLogic server are configured with non-SSL DB details, and they do not use datasources to communicate with the Oracle Identity Manager DB. To use the SSL DB details in the authenticators, perform the following:

  1. Ensure that Datasources are configured to SSL.

  2. In WebLogic Administrative console, navigate to Security Realms, myrealm, Providers.

  3. Remove OIMAuthenticationProvider.

  4. Create an authentication provider of type "OIMAuthenticator" and mark the control flag as SUFFICIENT.

  5. Create an authentication provider of type "OIMSignatureAuthenticator" and mark the control flag as SUFFICIENT.

  6. Reorder the authenticators as:

    1. DefaultAuthenticator

    2. OIMAuthenticator

    3. OIMSignatureAuthenticator

    4. Other providers if any

  7. Restart all servers.

25.3.5 Enabling SSL for SOA Approval Composites

To enable SSL for SOA approval composites:

  1. Ensure that the SOA Managed Server is running.

  2. Log in to Oracle Enterprise Manager by using your WebLogic Server administrator credentials.

  3. Expand SOA, soa-infra(soa_server1), default, and select DefaultRequestApproval [5.0]. Then, click ApprovalTask, and click the Administration tab.

  4. Enter a value for the HTTPS port as appropriate, and then click Apply.

  5. Repeat steps 3 and 4 for each approval composite with a Human Workflow component type, which has a valid worklist URL entry that needs to now use the HTTPS port, for example DefaultOperationalApproval [5.0].

25.3.6 Enabling SSL for LDAP Synchronization

To enable Oracle Identity Manager to use SSL-enabled Oracle Virtual Directory (OVD), perform the following configurations:

25.3.6.1 Enabling Oracle Internet Directory or Oracle Virtual Directory with SSL

To enable Oracle Internet Directory or Oracle Virtual Directory with SSL:

  1. Log in to the Oracle Internet Directory or Oracle Virtual Directory EM console.

  2. Expand Identity and Access and navigate to oid or oud1, Administration, Listeners.

  3. Click Create and enter all the required fields. Create a listener, for example OIM SSL ENDPOINT.

    Note:

    You must select the Listener Type as LDAP.
  4. Click OK.

  5. Select the newly created LDAP listener and click Edit.

  6. In the Edit Listener - OIM SSL ENDPOINT page, edit the newly created LDAP listener.

  7. Click OK. The SSL Configuration page opens.

  8. Select the Enable SSL checkbox.

  9. In the Advanced SSL Settings section, for SSL Authentication, select No Authentication.

  10. Click OK.

  11. Stop and start the Oracle Virtual Directory server for the changes to take effect.

    Note:

    You must not use the restart option.

25.3.6.2 Configuring Oracle Internet Directory

Configure Oracle Internet Directory with the following properties:

  1. Set the environment variables by running the following command:

    setenv PATH /u01/oimhome/Oracle_IDM2/bin:$ORACLE_HOME/bin:$JAVA_HOME/bin:$PATH
    
  2. Run the following commands:

    orapki wallet create -wallet oim12coidwallet -auto_login
    orapki wallet add -wallet oim12coidwallet -dn 'cn=orcladmin' -keysize 2048 -self_signed -validity 3650 -pwd password -sign_alg sha256
    

    To export the self-signed certificate, run the following command:

    orapki wallet export -wallet oim12coidwallet -dn 'cn=orcladmin' -cert oid_self_signed_CA.cert -pwd password
    
  3. Verify the properties with the following commands:

    ldapsearch -p 3060 -D cn=orcladmin -w password -b 'cn=oid1,cn=osdldapd,cn=subconfigsubentry' -s base objectclass='*' | grep -i crypto
     
    ldapsearch -p 3060 -D cn=orcladmin -w password -b 'cn=oid1,cn=osdldapd,cn=subconfigsubentry' -s base objectclass='*' | grep -i ssl
    
  4. Verify that binding on the SSL port succeeds with the following command:

    ldapbind -h server1.mycompany.com -p 3131 -D cn=orcladmin -w password -q -U 2 -W "file:/u01/oidwallet/oim12coidwallet" -P password 
    

Note:

For more information about Configuring SSL in Oracle Internet Directory, see Configuring Secure Sockets Layer (SSL) in Administrator's Guide for Oracle Internet Directory.

25.3.6.3 Configuring Oracle Unified Directory

Configure Oracle Unified Directory with the following properties:

While creating the Oracle Unified Directory instance, check that SSL is enabled so that a self-signed certificate is generated. By default, the SSL3, TLS1.1, and TLS1.2 protocols should be enabled.

To disable the other protocols and keep only TLS1.2, run the following command:

./dsconfig -h localhost -p 1444 -D "cn=oudadmin" -j pwd.txt set-connection-handler-prop --handler-name "LDAPS Connection Handler" --set ssl-protocol:TLSv1.2

Use the following command to check which protocol is used:

./dsconfig -h localhost -p 1444 -D "cn=oudadmin" -j pwd.txt get-connection-handler-prop --handler-name "LDAPS Connection Handler"

By default, the Admin port number is 1444.

Note:

For more information about Configuring SSL in Oracle Unified Directory, see Configuring Security Between Clients and Servers in Administering Oracle Unified Directory.

25.3.6.4 Updating Oracle Identity Manager for libOVD details

When LDAPSync is enabled, Oracle Identity Manager connects to directory servers through OVD, using the ldap or ldaps protocol.

To change OVD host/port:

  1. Log in to Oracle Identity System Administration.

  2. Navigate to Advanced and click Manage IT Resource.

  3. Select IT Resource Type as Directory Server and click Search.

  4. In the IT Resource Directory Server, edit the details.

    Note:

    The Server URL and SSL Server URL must be empty because they are constructed from adapters.os_xml.
  5. Ensure that Use SSL is set to true and click Update.

25.3.6.5 Enabling SSL between libOVD and OID/OUD

To enable SSL between libOVD and OID/OUD, perform the following:

  1. Import the OID/OUD certificate into the OIM trust store and into the libOVD keystore:

    1. To import the exported certificate into the OIM trust store, run the command:

      keytool -import -trustcacerts -alias oidtrusted -noprompt -keystore oimsupporttrust.jks -file oid_self_signed_CA.cert -storepass password
      
    2. To import the certificate into the libOVD keystore, run the command:

      keytool -import -trustcacerts -alias oidtrusted -noprompt -keystore adapters.jks -file oid_self_signed_CA.cert -storepass password
      
  2. Modify the $DOMAIN_HOME/config/fmwconfig/ovd/CONTEXT/adapters.os_xml file as follows:

    • Change the host port to the SSL port.

    • Set secure to true.

    • Set protocols to TLSv1.2.

    • Add the following ciphers to cipherSuites:

      <cipher>TLS_RSA_WITH_AES_128_CBC_SHA256</cipher>
      <cipher>TLS_RSA_WITH_AES_256_CBC_SHA256</cipher>
      <cipher>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384</cipher>
      

    Note:

    Here, CONTEXT is oim. You can also use WLST commands to set the parameters, as shown:
    modifyLDAPAdapter(adapterName='CHANGELOG_dir1', attribute='Protocols', value='TLSv1.2', contextName='oim')
    

25.3.7 Configuring SSL for Design Console

To configure the Design Console to establish a secure connection between Oracle Identity Manager and the Design Console:

  1. Copy wlthint3client.jar file from WEBLOGIC_HOME/server/lib folder to DESIGN_CONSOLE_HOME/ext folder.

  2. Edit the relevant file to replace ./ext/wlfullclient.jar with ./ext/wlthint3client.jar:

    For Linux: DESIGN_CONSOLE_HOME/classpath.sh

    For Windows: DESIGN_CONSOLE_HOME/classpath.bat

  3. Copy MW_HOME/modules/cryptoj.jar to the OIM_HOME/designconsole/ext/ directory.

  4. Edit the $DESIGN_CONSOLE_HOME/config/xlconfig.xml file. Make the following changes:

    Change:

    <Discovery>
                <CoreServer>
    <java.naming.provider.url>t3://HOST_NAME:OIM_PORT/oim</java.naming.provider.url>
    <java.naming.factory.initial>weblogic.jndi.WLInitialContextFactory</java.naming.factory.initial>
                </CoreServer>
    </Discovery>
    

    To:

    <Discovery>
                <CoreServer>
    <java.naming.provider.url>t3s://HOST_NAME:OIM_SSL_PORT/oim</java.naming.provider.url>
    <java.naming.factory.initial>weblogic.jndi.WLInitialContextFactory</java.naming.factory.initial>
                </CoreServer>
    </Discovery>
    

    Change:

    <ApplicationURL>http://HOST_NAME:PORT_NUMBER/xlWebApp/loginWorkflowRenderer.do</ApplicationURL>
    

    To:

    <ApplicationURL>https://HOST_NAME:OIM_SSL_PORT/xlWebApp/loginWorkflowRenderer.do</ApplicationURL>
    
  5. If $DESIGN_CONSOLE_HOME/config/xl.policy does not contain the default grant policy for all, then add the following permission for cryptoj.jar at the end of the file, as shown:

    grant codeBase "file:DESIGN_CONSOLE_HOME/ext/cryptoj.jar" {
      permission java.security.AllPermission;
    };
    

    Copy $MW_HOME/modules/cryptoj.jar to the $OIM_HOME/designconsole/ext/ directory.

    Note:

    Here, copying $MW_HOME/modules/cryptoj.jar to the $OIM_HOME/designconsole/ext/ directory is a mandatory step. Setting the permission is necessary if xl.policy does not contain the default grant policy for all.
  6. In the relevant file, add the following properties:

    For Linux: DESIGN_CONSOLE_HOME/xlclient.sh

    For Windows: DESIGN_CONSOLE_HOME/xlclient.cmd

    /u01/jdks/jdk1.7.0_131/bin/java -DXL.ExtendedErrorOptions=TRUE \
       -DXL.HomeDir=. -Djava.security.policy=config/xl.policy \
       -Djava.security.manager -Djava.security.auth.login.config=config/authwl.conf \
       -Dlog4j.configuration=config/log.properties \
       -DAPPSERVER_TYPE=wls \
       -Djavax.net.ssl.trustStore=$TRUSTSTORE_LOCATION \
       -Dweblogic.security.SSL.protocolVersion=TLSv1.2 \
       -Dhttps.protocols=TLSv1.2 \
       -Dweblogic.security.SSL.minimumProtocolVersion=TLSv1.2 \
       -DproviderURL=t3s://server1.mycompany.com:14002 \
       -Dweblogic.ssl.JSSEEnabled=true \
       -Dweblogic.security.SSL.enableJSSE=true \
       -Dweblogic.security.allowCryptoJDefaultJCEVerification=true \
       -Dweblogic.security.SSL.enforceConstraints=off \
       -Dweblogic.security.SSL.ignoreHostnameVerification=true \
       -Dweblogic.StdoutDebugEnabled=true \
       -Dssl.debug=true \
       -Djavax.net.debug=ssl:handshake:verbose \
       -cp $CLASSPATH com.thortech.xl.client.base.tcAppWindow -server server
    
  7. Set the TRUSTSTORE_LOCATION environment variable to the location of the custom, demo, or Java Standard trust keystore used on the server side.

    For example:

    setenv TRUSTSTORE_LOCATION DOMAIN_HOME/config/fmwconfig/oimsupporttrust.jks 
    

    Note:

    • To get the trust store location, in the WebLogic Server Administration Console, click Environment, Servers. Click OIM_SERVER_NAME to view the details of the Oracle Identity Manager server.

      Click KeyStores tab and note down the Trust keystore location in the Trust section.

    • If the Design Console and Oracle Identity Manager are deployed on different hosts, then copy the Trust keystore to the host on which the Design Console is deployed, and set the TRUSTSTORE_LOCATION environment variable to the location of the copied Trust keystore on the local host.

      For example:

      setenv TRUSTSTORE_LOCATION OIM_HOME/designconsole/DemoTrust.jks
      

25.3.8 Configuring SSL for Oracle Identity Manager Utilities with TLS

Oracle Identity Manager client utilities include PurgeCache, GenerateSnapshot, UploadJars, and UploadResources.

When Oracle Identity Manager is configured with TLS, perform the following steps to configure Oracle Identity Manager utilities:

  1. Export the Oracle Identity Manager server certificate and import it into custom keystore oimsupporttrust.jks.

  2. Edit the OIM_HOME/server/bin/oimClientWrapper.sh file to add the following parameters after $JAVA_HOME/bin/java -cp $CLASSPATH:

    -Dweblogic.security.SSL.trustedCAKeyStore=$TRUSTSTORE_LOCATION -Dweblogic.security.SSL.protocolVersion=TLSv1.2 -Dhttps.protocols=TLSv1.2 -Dweblogic.security.SSL.minimumProtocolVersion=TLSv1.2 -DproviderURL=t3s://server1.mycompany.com:14002 -Dweblogic.ssl.JSSEEnabled=true -Dweblogic.security.SSL.enableJSSE=true -Dweblogic.security.allowCryptoJDefaultJCEVerification=true -Dweblogic.security.SSL.enforceConstraints=off -Dweblogic.security.SSL.ignoreHostnameVerification=true -Dweblogic.StdoutDebugEnabled=true -Dssl.debug=true -Djavax.net.debug=ssl:handshake:verbose 
    
  3. Before running the utilities, at the command prompt, set the TRUSTSTORE_LOCATION environment variable to the location of the custom, demo, or Java Standard trust keystore used on the server side. For example:

    setenv TRUSTSTORE_LOCATION DOMAIN_HOME/config/fmwconfig/oimsupporttrust.jks
    

    Note:

    Ensure that the Oracle Identity Manager server certificate is already imported into the above trust store.
  4. For clients, such as Remote Manager and other utilities, to connect to Oracle Identity Manager over SSL/TLS, the public key (certificate) must be available in a keystore for the clients to use. To do so, export and import the public key (certificate) as follows:

    1. Export the public certificate from DemoIdentity.jks or oimsupportidentity.jks, which holds the private keys, by using the following command. Alternatively, you can export it from the browser.

      $JAVA_HOME/jre/bin/keytool -export -file key.cer -alias demoidentity -keystore DemoIdentity.jks -storepass DemoIdentityKeyStorePassPhrase
      

      In the case of a custom identity store:

      $JAVA_HOME/jre/bin/keytool -export -alias supportpvtkey -file supportpvtkeycert.pem -keypass password -keystore oimsupportidentity.jks -storepass password
      
    2. Import that certificate to the client keystore, as shown:

      $JAVA_HOME/jre/bin/keytool -import -trustcacerts -file key.cer -alias qa_certgenca -keystore DemoTrust.jks -storepass DemoTrustKeyStorePassPhrase
      

      Here, the client keystore is DemoTrust.jks for the demo keystore or oimsupporttrust.jks for a custom keystore.

    3. In clients, such as Design Console, Remote Manager, and utilities, point TRUSTSTORE_LOCATION or -Dweblogic.security.SSL.trustedCAKeyStore to this keystore, as shown:

      setenv TRUSTSTORE_LOCATION WL_HOME/server/lib/DemoTrust.jks
      
      -Dweblogic.security.SSL.trustedCAKeyStore=WL_HOME/server/lib/DemoTrust.jks \
      
    4. To configure SSL using Transport Layer Security (TLS) with additional parameters for the Remote Manager scripts, in a text editor, open the following scripts:

      OIM_HOME/remotemanager/remotemanager.sh

      Add the following parameters:

       -Dweblogic.security.SSL.trustedCAKeyStore=$TRUSTSTORE_LOCATION
       -Dweblogic.security.SSL.protocolVersion=TLSv1.2 -Dhttps.protocols=TLSv1.2
       -Dweblogic.security.SSL.minimumProtocolVersion=TLSv1.2
       -DproviderURL=t3s://server1.mycompany.com:14002
       -Dweblogic.ssl.JSSEEnabled=true -Dweblogic.security.SSL.enableJSSE=true
       -Dweblogic.security.allowCryptoJDefaultJCEVerification=true
       -Dweblogic.security.SSL.enforceConstraints=off
       -Dweblogic.security.SSL.ignoreHostnameVerification=true
       -Dweblogic.StdoutDebugEnabled=true -Dssl.debug=true
       -Djavax.net.debug=ssl:handshake:verbose
       
      

      Save the changes to the scripts.
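The launch lines for xlclient.sh, oimClientWrapper.sh and remotemanager.sh above carry the same set of -D properties, and a few of them relax verification (weblogic.security.SSL.ignoreHostnameVerification=true, weblogic.security.SSL.enforceConstraints=off) or turn on handshake tracing (weblogic.StdoutDebugEnabled, ssl.debug, javax.net.debug), which is useful while bringing the TLS connection up but not afterwards. The following script is an added example, not Oracle's code or part of this guide: it parses such a launch line (backslash continuations included), reports those properties together with the TLS-only settings a client must keep (minimumProtocolVersion, enableJSSE, a trust store and a t3s:// providerURL), and returns a hardened copy of the property map. The sample command line is constructed from the page's xlclient.sh example; enforceConstraints=strong is the WebLogic default value the hardened copy restores.

```python
"""Audit the -D properties in an OIM client launch line (xlclient.sh,
oimClientWrapper.sh, remotemanager.sh). Added example, not Oracle's code:
it tokenises the java command line, collects -Dname=value pairs and reports
the properties that relax certificate checks or enable TLS handshake debug
output, plus the TLS-only settings a client must carry."""
import shlex

# Values on the page that switch a certificate check off.
RELAXING = [('weblogic.security.SSL.ignoreHostnameVerification', 'true'),
            ('weblogic.security.SSL.enforceConstraints', 'off')]
# Properties that print handshake detail to stdout.
DEBUG = ['weblogic.StdoutDebugEnabled', 'ssl.debug', 'javax.net.debug']
# Settings a TLS-only client needs, with the value expected.
REQUIRED = [('weblogic.security.SSL.minimumProtocolVersion', 'TLSv1.2'),
            ('weblogic.security.SSL.enableJSSE', 'true')]
TRUST_PROPS = ['javax.net.ssl.trustStore', 'weblogic.security.SSL.trustedCAKeyStore']


def parse_dprops(cmdline):
    """Return {name: value} for every -Dname[=value] token; backslash-newline
    continuations are joined first so multi-line launch scripts work."""
    props = {}
    for tok in shlex.split(cmdline.replace('\\\n', ' ')):
        if tok.startswith('-D'):
            name, _, value = tok[2:].partition('=')
            props[name] = value
    return props


def audit_props(props):
    """Return a list of findings (empty = nothing to fix) for a property map."""
    findings = []
    for name, expected in REQUIRED:
        if props.get(name) != expected:
            findings.append('%s should be %s (got %r)' % (name, expected, props.get(name)))
    if not any(p in props for p in TRUST_PROPS):
        findings.append('no trust store property: server certificate cannot be validated')
    url = props.get('providerURL', '')
    if not url.startswith('t3s://'):
        findings.append('providerURL %r is not a t3s:// URL' % url)
    for name, value in RELAXING:
        if props.get(name, '').lower() == value:
            findings.append('%s=%s disables a certificate check' % (name, value))
    for name in DEBUG:
        if name in props and props[name].lower() not in ('', 'false'):
            findings.append('%s=%s turns on TLS debug output' % (name, props[name]))
    return findings


def hardened(props):
    """Copy of props with debug output off and the relaxed checks re-enabled."""
    out = {k: v for k, v in props.items() if k not in DEBUG}
    out['weblogic.security.SSL.ignoreHostnameVerification'] = 'false'
    out['weblogic.security.SSL.enforceConstraints'] = 'strong'   # WebLogic default
    return out


def audit_launcher(cmdline):
    """Findings for a raw launch line."""
    return audit_props(parse_dprops(cmdline))


# Constructed sample: the page's xlclient.sh line (host and paths as on the page).
SAMPLE_XLCLIENT = r"""/u01/jdks/jdk1.7.0_131/bin/java -DXL.ExtendedErrorOptions=TRUE \
   -DXL.HomeDir=. -Djava.security.policy=config/xl.policy \
   -Djava.security.manager -Djava.security.auth.login.config=config/authwl.conf \
   -DAPPSERVER_TYPE=wls -Djavax.net.ssl.trustStore=$TRUSTSTORE_LOCATION \
   -Dweblogic.security.SSL.protocolVersion=TLSv1.2 -Dhttps.protocols=TLSv1.2 \
   -Dweblogic.security.SSL.minimumProtocolVersion=TLSv1.2 \
   -DproviderURL=t3s://server1.mycompany.com:14002 \
   -Dweblogic.ssl.JSSEEnabled=true -Dweblogic.security.SSL.enableJSSE=true \
   -Dweblogic.security.allowCryptoJDefaultJCEVerification=true \
   -Dweblogic.security.SSL.enforceConstraints=off \
   -Dweblogic.security.SSL.ignoreHostnameVerification=true \
   -Dweblogic.StdoutDebugEnabled=true -Dssl.debug=true \
   -Djavax.net.debug=ssl:handshake:verbose \
   -cp $CLASSPATH com.thortech.xl.client.base.tcAppWindow -server server"""
```

Run audit_launcher() on the java line of each client script before it is handed to users: the sample reports the two relaxed checks and the three debug properties, while the required TLS settings pass. Because the tokeniser only recognises a property when the whole -Dname=value is one shell word, a property broken by a stray space is reported as missing rather than silently accepted.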