2.3 Oracle ORAchk for Oracle Identity and Access Management Health Check Tool

Oracle ORAchk for Oracle Identity and Access Management proactively identifies areas to take preventive measures to keep a system healthy on an ongoing basis.

Oracle ORAchk for Oracle Identity and Access Management includes checks that cover the entire deployment stack from application tier to database tier.

2.3.1 Supported Operating Systems and Oracle Database Releases

Review the operating systems and Oracle Database requirements for deploying Oracle ORAchk for Oracle Identity and Access Management health check tool.

Only Linux is supported, in the following combinations:

Table 2-3 Operating System and Database Requirements for Oracle ORAchk for Oracle Identity and Access Management health check tool

Operating System                                                       Database
---------------------------------------------------------------------  --------
Linux (Oracle Enterprise Linux/RedHat 5, 6, 7 and SuSE 9.10, 11, 12)   10g R1
Linux on System Z (RedHat 6, 7 and SuSE 12)                            11g R1
                                                                       11g R2
                                                                       12c
                                                                       12c R2

2.3.2 Supported Components and Topologies

Review the following for supported components and topologies.

Oracle ORAchk for Oracle Identity and Access Management health checks support the following components:

  • Oracle Identity Manager (11.1.2.2.x and 11.1.2.3.x)

  • Oracle Access Manager (11.1.2.2.x and 11.1.2.3.x)

  • Oracle Unified Directory (11.1.2.2.x and 11.1.2.3.x)

Based on the components, the following topologies are supported:

  • Oracle Identity Manager in single node and multi-node setup

  • Oracle Access Manager + (Any directory)* in single node and multi-node setup

    Oracle ORAchk for Oracle Identity and Access Management health checks run only on Oracle Unified Directory (OUD). If other directories are also present, then Oracle ORAchk for Oracle Identity and Access Management skips the health checks for those directories and performs the health checks on Oracle Access Manager. However, Oracle Access Manager configured in embedded LDAP mode is not supported.

  • Oracle Identity Manager + Oracle Access Manager + (Any directory)** in single node and multi-node setup

    Oracle ORAchk for Oracle Identity and Access Management health checks run only on Oracle Unified Directory (OUD). If other directories are also present, then Oracle ORAchk for Oracle Identity and Access Management skips the health checks for those directories and performs the health checks on Oracle Access Manager. However, Oracle Access Manager configured in embedded LDAP mode is not supported.

2.3.3 Introduction to Oracle ORAchk for Oracle Identity and Access Management Health Checks

Oracle ORAchk for Oracle Identity and Access Management health checks inspect the entire deployment stack from the application tier to the database tier, providing a simple, value-added, and easy-to-use solution.

Run Oracle ORAchk for Oracle Identity and Access Management health checks before and after installing the product, and while running the product.

Table 2-4 Oracle ORAchk for Oracle Identity and Access Management health check tool Use Cases

Post-install health checks
    Checks that run just after a product is installed. These are mostly product-focused checks, for example, the respective post-install checks for Oracle Identity Manager, Oracle Access Manager, and Oracle Unified Directory.

Runtime health checks
    Show the health of the system regularly and help you take proactive corrective actions.

2.3.3.1 Features of Oracle ORAchk for Oracle Identity and Access Management Health Check Tool

Health checks are run both at product install time as well as runtime.

Product install time checks cover the following areas:

  • System Resources

  • System Configuration

  • Software Configuration

  • Database Configuration

Table 2-5 Runtime Checks by Component

Oracle Identity Manager
    Modules:          Access Request and Catalog; Certification Engine; UI Category; Provisioning Engine; Reconciliation Engine; IT Admin (User/Role/Org); Connector Framework; Identity Audit Engine; Identity Analytics Engine; Role Engine
    Common Services:  Audit and Reports/Embedded BIP; Scheduler; Policy/Rule Engine; Workflow Engine (SOA/BPEL); Authorization Layer; Notification Engine
    Data Tier:        Database
    General:          Overall Performance; Application Readiness

Oracle Access Manager
    Modules:          UI Category; Federation (Single Sign On) Engine; Authentication Engine; Admin Console; Policy Engine; OAuth; Token Processing; Session Management; Config Services; Authorization Services; Oracle Platform Security Services; Webgates
    Common Services:  NA
    Data Tier:        Database
    General:          Overall Performance; Application Readiness

Oracle Unified Directory
    Modules:          Basic Sanity; Oracle Unified Directory Replication; Performance
    Common Services:  NA
    Data Tier:        NA
    General:          NA

2.3.3.2 Auto-discovery of Oracle Identity and Access Management Environment

Oracle ORAchk framework automatically runs the Discovery tool while running Oracle ORAchk for Oracle Identity and Access Management health checks.

The auto-discovery process includes the following:
  1. The Discovery tool identifies the host names of the following:

    1. Oracle Identity Manager Admin server

    2. Oracle Access Manager Admin server

    3. One Oracle Unified Directory host from the user ID store and system ID store Oracle Unified Directory clusters. If both ID stores are the same, then the Discovery tool picks one Oracle Unified Directory host.

  2. The Discovery tool stores the discovered information in a topology file and the user credentials in a wallet file.

  3. Oracle ORAchk copies the discovery executables to the target machine and runs the Discovery tool on all required machines.

  4. The Discovery tool runs serially on all the required machines.

  5. Oracle ORAchk passes the same topology.xml and cwallet files to the Discovery tool on all Oracle Identity and Access Management machines.

    That is, if Oracle ORAchk runs the Discovery tool on the first machine, then the Discovery tool creates the topology.xml and cwallet.sso files. Oracle ORAchk copies the same XML and wallet files while running the Discovery tool on the other Oracle Identity and Access Management machines.

  6. At the end of the discovery, the topology file contains the complete information of the entire environment and the wallet file contains the encrypted user credentials.

  7. Oracle ORAchk uses the topology file and the wallet file to run the health checks on multiple nodes.

  8. The Discovery tool validates the user credentials that it collected. If the credentials are not valid, then the tool prompts the user to enter the details again. After three unsuccessful attempts, the discovery process exits.

2.3.4 Running Oracle ORAchk for Oracle Identity and Access Management Health Checks

Review the prerequisites before you install Oracle ORAchk for Oracle Identity and Access Management.

Provide the information that is required while running the Discovery tool for the first time.

2.3.4.1 Downloading Oracle ORAchk for Oracle Identity and Access Management

Oracle ORAchk for Oracle Identity and Access Management uses a different distribution than the standard Oracle ORAchk.

Download orachk_idm.zip for Oracle ORAchk with Oracle Identity and Access Management support, which is available at My Oracle Support Note 1268927.2.

2.3.4.2 Prerequisites for Installing Oracle ORAchk for Oracle Identity and Access Management

Review the list of prerequisites for running Oracle Identity and Access Management health checks.

  • Ensure that JDK 6 or later is set in the system path. If it is not set, then set the environment variable RAT_JAVA_HOME to the correct Java home location.

  • You must run Oracle ORAchk on the machine where the WebLogic admin server for Oracle Identity and Access Management is installed.

  • Set RAT_TMPDIR to the location of a temporary directory, for example:
    export RAT_TMPDIR=/tmp/oracle/oraInventoryM
    

    If RAT_TMPDIR is not set, then Oracle ORAchk uses $HOME as the temporary directory. The temporary directory used by Oracle ORAchk must have sufficient space (20 MB) or errors can occur.

  • If the oraInst.loc file is not in the default directory, for example, /u01/app/oraInventory, then specify the exact location of the oraInventory directory using the RAT_INV_LOC environment variable. For example:
    export RAT_INV_LOC=/scratch/shared/oracle/oraInventory
    
  • You must run Oracle ORAchk as the same user that installed the Oracle Identity and Access Management software components.

  • Each server that is part of the Oracle Identity and Access Management topology must have secure shell (SSH) enabled. If SSH is disabled, then Oracle ORAchk cannot remotely run checks on those servers. On servers without SSH enabled you must run Oracle ORAchk individually and then combine the results.

  • Oracle ORAchk can only detect local database installations. It cannot detect databases that are installed on remote machines. In such cases, run Oracle ORAchk explicitly on the database machine and combine the results.
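The prerequisites above are easy to get wrong on a shared admin host (wrong Java on the PATH, a temporary directory on a full filesystem, a different user than the installer, hosts without SSH). The following pre-flight script, added here as an example and not part of ORAchk or of Oracle's documentation, checks each of them before ORAchk is started. It assumes two inputs that are not on the page: IAM_HOSTS, a space-separated list of topology hosts to probe over SSH (empty by default, so nothing is contacted unless you set it), and IAM_ORACLE_HOME, the Oracle home whose owner should be running the tool. The inventory lookup reads the inventory_loc line of /etc/oraInst.loc, the usual Linux location, when RAT_INV_LOC is not set.

```shell
#!/bin/sh
# Pre-flight check for the ORAchk-for-IAM prerequisites. Added example, not part of ORAchk.
# Assumed inputs: IAM_HOSTS (hosts to probe over SSH, empty by default) and
# IAM_ORACLE_HOME (Oracle home whose owner must run ORAchk).

# Major version from a Java version string: "1.6.0_45" -> 6, "11.0.2" -> 11.
java_major_version() {
    case "$1" in
        1.*) printf '%s\n' "$1" | cut -d. -f2 ;;
        *)   printf '%s\n' "$1" | cut -d. -f1 ;;
    esac
}

# Version string reported by a java binary (first quoted token of "java -version").
java_version_of() {
    "$1" -version 2>&1 | head -n 1 | sed 's/.*"\([^"]*\)".*/\1/'
}

# RAT_JAVA_HOME takes precedence over whatever java is on the PATH.
find_java() {
    if [ -n "$RAT_JAVA_HOME" ] && [ -x "$RAT_JAVA_HOME/bin/java" ]; then
        printf '%s\n' "$RAT_JAVA_HOME/bin/java"
    else
        command -v java 2>/dev/null
    fi
}

# ORAchk writes temporary files to RAT_TMPDIR, or to $HOME when it is unset.
resolve_tmpdir() {
    if [ -n "$RAT_TMPDIR" ]; then printf '%s\n' "$RAT_TMPDIR"; else printf '%s\n' "$HOME"; fi
}

# True when directory $1 has at least $2 KiB free (ORAchk needs 20 MB = 20480 KiB).
has_free_space() {
    free_kb=$(df -Pk "$1" 2>/dev/null | awk 'NR==2 {print $4}')
    [ "${free_kb:-0}" -ge "$2" ]
}

# Inventory directory: RAT_INV_LOC if set, else the inventory_loc= line of oraInst.loc.
parse_inventory_loc() {
    sed -n 's/^inventory_loc=//p' "$1" | head -n 1
}
inventory_dir() {
    if [ -n "$RAT_INV_LOC" ]; then
        printf '%s\n' "$RAT_INV_LOC"
    elif [ -f /etc/oraInst.loc ]; then
        parse_inventory_loc /etc/oraInst.loc
    else
        return 1
    fi
}

# ORAchk must run as the user who installed the software: compare with the owner of $1.
runs_as_install_owner() {
    owner=$(stat -c %U "$1" 2>/dev/null) || return 1
    [ "$owner" = "$(id -un)" ]
}

# Non-interactive SSH probe; BatchMode prevents hanging on a password prompt.
ssh_reachable() {
    ssh -o BatchMode=yes -o ConnectTimeout=5 "$1" true >/dev/null 2>&1
}

preflight() {
    rc=0
    java_bin=$(find_java)
    if [ -z "$java_bin" ]; then
        echo "FAIL: no java found; set RAT_JAVA_HOME"; rc=1
    else
        major=$(java_major_version "$(java_version_of "$java_bin")")
        [ "${major:-0}" -ge 6 ] && echo "OK:   java $major at $java_bin" \
            || { echo "FAIL: java $major is older than JDK 6"; rc=1; }
    fi
    tmp=$(resolve_tmpdir)
    has_free_space "$tmp" 20480 && echo "OK:   $tmp has >= 20 MB free" \
        || { echo "FAIL: $tmp lacks 20 MB free space; set RAT_TMPDIR"; rc=1; }
    inv=$(inventory_dir) && [ -d "$inv" ] && echo "OK:   inventory at $inv" \
        || { echo "FAIL: inventory not found; set RAT_INV_LOC"; rc=1; }
    if [ -n "${IAM_ORACLE_HOME:-}" ]; then
        runs_as_install_owner "$IAM_ORACLE_HOME" && echo "OK:   running as install owner" \
            || { echo "FAIL: run ORAchk as the owner of $IAM_ORACLE_HOME"; rc=1; }
    fi
    for h in ${IAM_HOSTS:-}; do   # hosts without SSH need a separate local run and a merge
        ssh_reachable "$h" && echo "OK:   ssh $h" || echo "WARN: no ssh to $h; run ORAchk there and merge"
    done
    return $rc
}

preflight
```

Run it from the WebLogic admin server host as the user who will run ORAchk; a WARN on a host means that node will not be covered remotely and must be run separately and merged, as the last two prerequisites describe.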

2.3.4.3 Inputs Required by Discovery Tool (First Time Only)

The Discovery tool prompts you to answer a series of questions about your configuration when you run the tool for the first time.

Table 2-6 Discovery Tool Configuration Information

Is this a Single Node Identity Management System (idm) [Y|N] [N] :
    Checks whether your Oracle Identity Manager environment is a single-node or multi-node setup.

How many Oracle Unified Directory (OUD) clusters present[0] :1
    Checks for the number of Oracle Unified Directory clusters present.

Enter one of the Oracle Unified Directory (OUD) Host in cluster 1
    Specify one Oracle Unified Directory host name.

Enter Oracle Identity Manager (OIM) Host (Press just ENTER to skip)
    Specify one Oracle Identity Manager admin server host name.

Enter Oracle Access Manager (OAM) Host (Press just ENTER to skip) :
    Specify one Oracle Access Manager admin server host name.

Enter JAVA_HOME:
    The Discovery tool does not prompt this question if you have set the RAT_JAVA_HOME environment variable.

Enter WLS Admin user name for domain IAMGovernanceDomain:
    Specify the WebLogic admin user name.

Enter password
    Specify the password for the WebLogic admin user name.

Enter Oracle Identity Manager (OIM) admin user (xelsysadm) password :
    Specify the password for xelsysadm.

Enter Oracle Identity Manager (OIM) LDAP Admin user DN:
    Specify the entire DN for the Oracle Identity Manager LDAP admin user, for example, cn=oimLDAP,cn=SystemIDs,dc=us,dc=oracle,dc=com.

Enter password for admin user DN
    Specify the password for the Oracle Identity Manager LDAP DN.

Enter password for schema <OIM Schema>:
    Specify the password for the Oracle Identity Manager schema.

Enter OUD Admin password for cn=oudadmin:
    Specify the Oracle Unified Directory admin password.

Enter OUD Admin password for cn=oudmanager,cn=Administrators, cn=admin data:
    Specify the Oracle Unified Directory manager password.

Enter WLS Admin Username for domain IAMAccessDomain:
    Specify the Oracle Access Manager admin user name.

Enter password:
    Specify the Oracle Access Manager admin user password.

Enter Oracle Access Manager (OAM) Admin user
    Specify the Oracle Access Manager LDAP admin user name.

Enter password for admin user:
    Specify the Oracle Access Manager LDAP admin password.

Enter password for schema <OAM Schema>:
    Specify the password for the Oracle Access Manager schema.

Database Oracle home location
    If the Oracle database is on the local machine, then the Discovery tool prompts you to specify the Oracle home location.

2.3.4.4 Oracle ORAchk for Oracle Identity and Access Management Health Checks

Run Oracle ORAchk for Oracle Identity and Access Management health checks as root or as the user who owns the Oracle Identity and Access Management setup.

  1. Create a new folder on one of the WebLogic admin server machines, for example, healthcheck IAM.
  2. Set the environment variable to run the health checks based on a specific deployment size.

    Oracle ORAchk supports four deployment sizes:

    Table 2-7 Deployment Size

    Deployment Size   Directory User Size
    ---------------   --------------------
    small             Close to 100 K
    medium            Close to 1 million
    large             Close to 15 million
    extralarge        Close to 250 million

    To specify a deployment size, before running Oracle ORAchk, set the environment variable RAT_IDM_DEPLOYMENT_SIZE.
    $ export RAT_IDM_DEPLOYMENT_SIZE=small
    

    If RAT_IDM_DEPLOYMENT_SIZE is not set, then Oracle ORAchk uses the default deployment size, small.

  3. Change directories to the new directory you created in Step 1 and run Oracle ORAchk.

    Oracle ORAchk prompts the discovery questions as described in "Inputs Required by Discovery Tool (First Time Only)".

    If the database is running on the same machine where the core Oracle Identity and Access Management components are installed, then the database checks are run as well.

  4. If the database is running on a remote server, then run the database checks manually:
    1. Copy the same orachk_IAM.zip to the remote server and unzip it in any directory.

    2. Run ./orachk -idmdbruntime either as root or as the user who owns the Oracle Identity and Access Management installation.

      This command generates a new Oracle ORAchk collection, for example, orachk_den00etd_orcl_100915_061616.zip.

    Oracle ORAchk runs checks on all servers that are part of the Oracle Identity and Access Management topology and generates a single report. However, in the following cases Oracle ORAchk cannot generate a single report:
    1. The Oracle Identity and Access Management installation is a multi-node setup and SSH is disabled on the machines involved. In this case, run Oracle ORAchk on each node and then merge the reports.

    2. Oracle ORAchk is run on the machine where the WebLogic Admin server is running, but that machine does not have the database installed, so Oracle ORAchk does not run the database checks. In this case, additionally run Oracle ORAchk on the database node and then merge the reports.
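The procedure above sets one environment variable, runs ./orachk from a work folder, and optionally repeats the run with -idmdbruntime on a remote database node; the discovery step before it (section 2.3.3.2) leaves behind topology.xml and a cwallet.sso that holds the collected credentials. The wrapper below is an added example, not code from ORAchk or from Oracle, that ties those steps together and adds the check a practitioner wants afterwards: that the wallet and topology files are readable by their owner only. It assumes the Table 2-7 sizes are chosen as the smallest size whose nominal user count covers the actual count (the page does not state thresholds), that discovery writes the two files into the work folder, and that ORACHK_DIR and DIR_USERS are supplied by the caller.

```shell
#!/bin/sh
# Wrapper for the ORAchk-for-IAM run procedure. Added example, not part of ORAchk.
# Assumptions: size thresholds derived from Table 2-7 (smallest size that covers the
# user count); topology.xml and cwallet.sso land in the work folder; ORACHK_DIR and
# DIR_USERS are caller inputs.

# Map a directory user count to one of the four ORAchk deployment sizes (assumed thresholds).
deployment_size_for() {
    if   [ "$1" -le 100000 ];   then echo small
    elif [ "$1" -le 1000000 ];  then echo medium
    elif [ "$1" -le 15000000 ]; then echo large
    else                             echo extralarge
    fi
}

# Only the four documented values are accepted.
valid_deployment_size() {
    case "$1" in small|medium|large|extralarge) return 0 ;; *) return 1 ;; esac
}

# The wallet holds (encrypted) credentials and the topology file maps the whole
# environment: both should be readable by their owner only, i.e. mode 600 or 700.
check_private_file() {
    mode=$(stat -c %a "$1" 2>/dev/null) || return 1
    [ "$(printf '%s' "$mode" | tail -c 2)" = 00 ]   # group and other bits all clear
}

# Warn about any discovery artifact in folder $1 that is group- or world-readable.
check_discovery_artifacts() {
    bad=0
    for f in "$1/topology.xml" "$1/cwallet.sso"; do
        if [ -f "$f" ] && ! check_private_file "$f"; then
            echo "WARN: $f is readable by group/others; chmod 600 '$f'" >&2
            bad=1
        fi
    done
    return $bad
}

# Full run: no extra argument. Remote database node: pass -idmdbruntime (step 4 above).
run_orachk() {
    work=$1; size=$2; shift 2
    valid_deployment_size "$size" || { echo "bad deployment size: $size" >&2; return 1; }
    mkdir -p "$work" || return 1
    # Subshell keeps the caller's working directory; the env prefix exports the size.
    ( cd "$work" && RAT_IDM_DEPLOYMENT_SIZE=$size ./orachk "$@" )
    rc=$?
    check_discovery_artifacts "$work"
    return $rc
}

# Runs only where orachk has actually been unzipped into the work folder.
if [ -x "${ORACHK_DIR:-.}/orachk" ]; then
    run_orachk "${ORACHK_DIR:-.}" "$(deployment_size_for "${DIR_USERS:-100000}")"
fi
```

On a remote database node call run_orachk with the unzip directory, the same size, and -idmdbruntime; the collection zip it produces is then merged with the admin-server run as described in the list above.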

Refer to My Oracle Support Note 2070073.1 for the latest known issues specific to Oracle ORAchk for Oracle Identity and Access Management health checks.