Oracle Identity and Access Management (IAM) health check tool is a single health check solution for IAM customers to proactively identify areas where preventive and actions can be taken to keep a system healthy on an ongoing basis.
IAM health check tool includes checks that cover the entire deployment stack from application tier to database tier providing a very simplistic, value-added, and easy-to-use solution.
Review the platforms and databases requirements for deploying IAM health check tool.
Only Linux is currently supported and in these combinations:
Table 2-3 Operating System and Database Requirements for IAM Healthcheck Tool
| Operating System | Database |
|---|---|
|
Linux(Oracle Enterprise Linux/RedHat 5, 6, 7 and SuSE 9,10, 11, 12) |
10g R1 |
|
Linux on System Z (RedHat 6, 7 and SuSE 12) |
11g R1 11g R2 12c 12c R2 |
Review the following for supported components and topologies.
Oracle IAM health checks support the following components:
Oracle Identity Manager (11.1.2.2.x and 11.1.2.3.x)
Oracle Access Manager (11.1.2.2.x and 11.1.2.3.x)
Oracle Unified Directory (11.1.2.2.x and 11.1.2.3.x)
Based on the above components, the supported topologies are as follows:
Oracle Identity Manager in single node as well as in multi-node setups
Oracle Access Manager + (Any directory)* in single node as well as in multi-node setups
IAM health checks run on Oracle Unified Directory (OUD) only. If other directories are there as well, then Oracle IAM health checks skips those directories and performs health checks on Oracle Access Manager. Also, Oracle Access Manager configured in embedded LDAP mode is not supported.
Oracle Identity Manager + Oracle Access Manager + (Any directory)** in single node as well as in multi-node setups
IAM health checks run on Oracle Unified Directory (OUD) only. If other directories are there as well, then Oracle IAM health checks skips those directories and performs health checks on Oracle Access Manager. Also, Oracle Access Manager configured in embedded LDAP mode is not supported.
Oracle IAM health checks inspect the entire deployment stack from application tier to database tier providing a very simplistic, value-added, and easy-to-use solution. Run IAM health checks before and after installing the product, and while running the product.
Table 2-4 IAM Healthckeck Tool Use Cases
| Use Cases | Description |
|---|---|
|
Post-install health checks |
Includes checks that are run just after a product is installed. These are mostly product focused checks, for example, for Oracle Identity Manager, Oracle Access Manager, and Oracle Unified Directory respective post-install checks. |
|
Runtime health checks |
Show the health of the system on a regular basis and helps you take proactive corrective actions. |
Review the use cases covered in the IAM Healthcheck tool.
Health checks are run both at product install time as well as runtime.
Product install time checks cover the following areas:
System Resources
System Configuration
Software Configuration
Database Configuration
Runtime checks for Oracle Identity Manager cover the following areas:
OIM Modules
Access Request and Catalog
Certification Engine
UI Category
Provisioning Engine
Reconciliation Engine
IT Admin (User/Role/Org)
Connector Framework
Identify Audit Engine
Identify Analytics Engine
Role Engine
Common Services
Audit and Reports/Embedded BIP
Scheduler
Policy/Rule Engine
Workflow Engine (SOA/BPEL)
Authorization Layer
Notification Engine
Data Tier
Database
General
Overall Performance
Application Readiness
Runtime checks for OAM cover the following areas:
OAM Modules
UI Category
Federation (Single Sign On) Engine
Authentication Engine
Admin Console
Policy Engine
oAuth
Token Processing
Session Management
Config Services
Authorization Services
Oracle Platform Security Services
Webgates
Data Tier
Database
General
Overall Performance
Application Readiness
Runtime checks for OUD cover the following areas:
OUD Modules
Basic Sanity
OUD Replication
Performance
Oracle ORAchk framework automatically runs the Discovery tool while running IAM health checks.
Discovery tool Identifies the host name of the following:
OIM Admin server
OAM Admin server
One OUD host from user ID store and system ID store OUD clusters. If both ID stores are same, then pick one OUD host.
Discovery tool stores the discovered information in a topology file and the user credentials in a wallet file.
Oracle ORAchk copies the discovery executables to the target machine and runs the Discovery tool on all required machines.
Discovery tool runs serially on all the required machines.
Oracle ORAchk passes the same topology.xml and cwallet files to the Discovery tool on all IAM machines.
That is, if Oracle ORAchk runs the Discovery tool on the first machine, then the Discovery tool creates thetopology.xml and cwallet.sso files. Oracle ORAchk copies the same xml and wallet while running the Discovery tool on other IAM machines.
At the end of the discovery, the topology file contains the complete information of the entire environment and the wallet file contains the encrypted user credentials.
Oracle ORAchk uses the topology file and the wallet file to run the health checks on multiple nodes.
The Discovery tool validates the user credentials that it collected. If the credentials are not valid, then the tool prompts the user to enter the details again. After three unsuccessful attempts, the discovery process exits.
Crosscheck the prerequisites before you install Oracle ORAchk for IAM. Provide the information that is required while running the Discovery tool for the first time.
Oracle ORAchk for IAM uses a different distribution than standard Oracle ORAchk.
Download orachk_idm.zip for Oracle ORAchk with IAM support, which is available from My Oracle Support:
ORAchk - Health Checks for the Oracle Stack (Doc ID 1268927.2)
Review the list of prerequisites for running Oracle Identity and Access Management (IAM) health checks.
Ensure that JDK 6 or later is set in the system path. If it is not set, then set the environment variable RAT_JAVA_HOME to the correct Java home location.
You must run Oracle ORAchk on the machine where the WebLogic admin server for IAM is installed.
Oracle ORAchk uses $HOME directory as the temporary destination.
Oracle recommends to set the environment variable RAT_TMPDIR, for example, export RAT_TMPDIR=/scratch, if Oracle ORAchk picks the root location and enough space is not available, then errors can occur.
oraInst.loc file is not in the default directory, for example, /u01/app/oraInventory, then specify the exact location of the oraInventory directory using the RAC_INV_LOCAL environment variable. For example:
export RAT_INV_LOC=/scratch/shared/oracle/oraInventory
You must run Oracle ORAchk as the same user that installed the IAM software components.
Each server that is part of the IAM topology must have secure shell (SSH) enabled. If SSH is disabled, then Oracle ORAchk cannot remotely run checks on those servers. On servers without SSH enabled you must run Oracle ORAchk individually and then combine the results.
Oracle ORAchk can only detect local database installations. It cannot detect databases that are installed on remote machines. In such cases, run Oracle ORAchk explicitly on the database machine and combine the results.
The first time your run the Discovery tool you are prompted to answer a series of questions about your configuration.
Table 2-5 Inputs Required by Directory Tool (First Time Only)
| Input | Description |
|---|---|
|
Is this a Single Node Identity Management System (idm) [Y|N] [N] : |
Checks whether your IDM environment is a single node or multi-node setup. |
|
How many Oracle Unified Directory (OUD) clusters present[0] :1 |
Checks for the number of OUD clusters present. |
|
Enter one of the Oracle Unified Directory (OUD) Host in cluster 1 |
Specify one OUD host name. |
|
Enter Oracle Identity Manager(OIM) Host (Press just ENTER to skip) |
Specify one OIM admin server host name. |
|
Enter Oracle Access Manager (OAM) Host (Press just ENTER to skip) : |
Specify one OAM admin server host name. |
|
Enter |
The Discovery tool does not prompts this question, if you have set the RAT_JAVA_HOME environment variable. |
|
Enter |
Specify WebLogic admin user name. |
|
Enter password |
Specify the password for WebLogic admin user name. |
|
Enter Oracle Identity Manager (OIM) admin user (xelsysadm) password : |
Specify the password for |
|
Enter Oracle Identity Manager (OIM) LDAP Admin user DN: |
Specify the entire DN for OIM LDAP admin user, for example, |
|
Enter password for admin user DN |
Specify the password for OIM LDAP DN. |
|
Enter password for schema |
Specify the password for OIM schema. |
|
Enter OUD Admin password for |
Specify the OUD admin password. |
|
Enter OUD Admin password for |
Specify the OUD manager password. |
|
Enter WLS Admin Username for domain |
Specify the OAM admin user name. |
|
Enter password: |
Specify the OAM Admin user password. |
|
Enter Oracle Access Manager (OAM) Admin user |
Specify the OAM LDAP admin user name. |
|
Enter password for admin user: |
Specify the OAM LDAP admin password. |
|
Enter password for schema |
Specify the password for OAM schema. |
|
Database Oracle home location |
If Oracle database is on the local machine, then the Discovery tool prompts you to specify the Oracle home location. |
Run IAM health checks as root or the user who owns the IAM setup.
See Also:
My Oracle Support Note 2070073.1 for the latest known issues specific to Oracle Identity and Access Management (IAM) health checks:
Oracle Identity and Access Management Healthcheck Guide (ORAchk for IDM)