ORACLE ACCESS MANAGEMENT INSTALLATION AND CONFIGURATION
Oracle Access Management includes components like Oracle Access Manager, Oracle Access Management Security Token Service, Oracle Access Management Identity Federation, Oracle Access Management Mobile and Social.
The following topics in this chapter provide detailed information on installing and configuring Oracle Access Management after installing Oracle Identity and Access Management:
- Creating Weblogic Domain for Oracle Access Manager
- Post-Installation Tasks
- Verifying the Installation
Creating Weblogic Domain for Oracle Access Manager
- Before you start configuring Oracle Access Management, note that IDM_HOME is the path provided during the IDM installation and is used to refer to the Oracle home directory.
- Execute the command below to launch the Weblogic Configuration Wizard:
<Oracle_Home>/wlserver_10.3/common/bin/config.sh
Note: Oracle_Home is the Middleware Home, which is the absolute path where Weblogic Server is installed.
- Follow the instructions as shown below for installation:
Welcome Screen
The Welcome screen is displayed each time you start the installer.
Click Next to continue.
Select Domain Source Screen
Use this screen to select the components that you want to configure.
For Oracle Access Manager, select Oracle Access Management And Mobile Security Suite - 11.1.2.3.0 [IDM_HOME].
Click Next to continue.
Note: On selecting the Oracle Access Management and Mobile Security Suite option, a few other components, such as Oracle Enterprise Manager, Oracle WSM Policy Manager, Oracle JRF, Oracle Platform Security Service and Oracle OPSS Metadata for JRF, are selected by default.
Specify Domain Name and Location Screen
Specify the following locations:
- Domain name
Specify the name of the domain.
- Domain location
The default location for the domain home is
<Oracle_HOME>/user_projects/domains
However, the domain home directory can also be created outside of the Oracle home.
- Application location
The default location for the application home is
<Oracle_HOME>/user_projects/applications
However, the application home directory can also be created outside of the Oracle home.
Here, Oracle Home directory is where the Weblogic Server is installed.
Click on Next.
Configure Administrator User Name and Password Screen
Use this screen to provide the username and password for the Weblogic Administrator.
The default username is weblogic; a different username can be provided.
Then, click Next.
Configure Server Start Mode and JDK Screen
- Choose a JDK from the Available JDKs.
- Select a mode under the Weblogic Domain Startup Mode.
Click Next.
Configure JDBC Component Schema Screen
This screen displays a list of the following component schemas:
- OAM MDS Schema
- OWSM MDS Schema
- OAM Infrastructure
- OMSM Schema
- OPSS Schema
If there are any changes to the Schema Owner, Schema Password, Database and Service, Host Name, or Port, select that particular component schema (for example, OAM Infrastructure Schema) and enter the new configuration value.
Click Next.
Note: The schemas listed on this screen must be created with the Oracle Repository Creation Utility (RCU) before starting the configuration. Download the RCU version compatible with your Oracle Database from the Oracle website.
Test JDBC Component Schema Screen
This screen displays the status of the DB Schema Test Connection.
- If the test fails, click Previous, correct the issue, and try again.
- After the test succeeds, click on Next.
Select Optional Configuration Screen
Choose the options to configure from the following list:
- Administration Server
- Managed Servers, Clusters and Machines
- Deployments and Services
- RDBMS Security Store
Select Administration Server and click Next.
Configure the Administration Server Screen
Specify the following details of the Administration Server in this screen:
- Name
- Listen address
- Listen port
- SSL listen port (Only if SSL is enabled)
- SSL enabled
After entering the details, click on Next.
Configuration Summary Screen
Review the domain configuration on this screen.
If you want to make any changes to the configuration before creating the domain, click Previous to navigate to the selected screen where you want to edit the details.
Click Create to start creating the domain.
By default, a new Weblogic Domain to support Oracle Access Management is created in the <Oracle_Home>/user_projects/domains directory.
Creating Domain Screen
This screen summarizes the domain creation information that was just completed.
Click Done to dismiss the screen.
- After configuring Oracle Access Management in a Weblogic Administration Domain, and before starting the Admin Server, you must configure the Database Security Store by executing the following command:
<Oracle_Home>/oracle_common/common/bin/wlst.sh <IDM_HOME>/common/tools/configureSecurityStore.py -d <Oracle_Home>/user_projects/domains/<OAM_domain>/ -c IAM -p <opss_schema_password> -m create
- Now, start the Admin Server using the following command to check that the Security Store is configured correctly:
<Oracle_Home>/user_projects/domains/<OAM_domain>/bin/startWeblogic.sh
Note: Oracle_Home is the Middleware Home, which is the absolute path where Weblogic Server is installed, and IDM_HOME is the absolute path of the Oracle_IDM directory.
Post-Installation Tasks
After installing and configuring Oracle Access Management, you can perform the following steps:
- Configure your own LDAP to use instead of the default embedded LDAP that comes with Oracle Weblogic Server.
- To do this, ensure that the Admin Server is running and log in to the Weblogic Console using the following URL:
http://<hostname>:<oam_admin_port>/console
- Now, go to Security Realms > myrealm > Providers.
- Click the DefaultAuthenticator provider, change its Control Flag to SUFFICIENT, and save the changes.
- Now, click New, enter the details below, and click Save.
Name : OUDAuthenticator
Type : IPlanetAuthenticator
Control Flag : SUFFICIENT
- Click the new OUDAuthenticator provider and, under the Provider Specific tab, set the details of the LDAP server it should point to. Refer to the following table for more information:
Property | Value
---|---
Host | The LDAP Server (OUD) hostname.
Port | The LDAP Server (OUD) port. For example: 1389.
Principal | The Administrator account name. For example: cn=orcladmin
Credential | The Administrator account password.
UserBase DN | The OUD user search base: cn=Users, dc=in,dc=oracle,dc=com
GroupBase DN | The OUD group search base: cn=Groups, dc=in,dc=oracle,dc=com
- Click Save to update the changes.
- Reorder the providers so that the LDAP provider has the highest priority, followed by DefaultAuthenticator, and click Save.
- Click Save to apply the changes, then shut down the Admin Server for a restart.
- Now, start the Admin Server again using the command:
<Oracle_Home>/user_projects/domains/<OAM_domain>/bin/startWeblogic.sh
- Also, start the OAM Managed Server (by default, oam_server1) as follows:
<Oracle_Home>/user_projects/domains/<OAM_domain>/bin/startManagedWeblogic.sh oam_server1
(Only if Managed Server Start Fails)
- If the Managed Server startup fails with the following error:
<Info> <Security> <BEA-090065> <Getting boot identity from user.>
Enter username to boot WebLogic server:Error: Failed to get value from Standard Input
Enter password to boot WebLogic server:
<Info> <Management> <BEA-141107> <Version: WebLogic Server 10.3.6.0 Tue Nov 15 08:52:36 PST 2011 1441050 >
<Error> <Configuration Management> <BEA-150021> <The admin server failed to authenticate the identity of the user starting the managed server. The reason for the error is .>
or
<Error> <Security> <BEA-090783> <Server is Running in Development Mode and Native Library(terminalio) to read the password securely from command line is not found.>
- To fix this problem, either create a file boot.properties in <OAM_domain>/servers/oam_server1/security or copy it from <OAM_domain>/servers/AdminServer/security.
- If creating a new file, add the username and password as given below:
username=<domain_username>
password=<domain_password>
- After setting the values in the file, try starting the Managed Server once again.
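As an added example (not part of this guide), the following POSIX shell functions create the boot.properties file described above with its permissions restricted to the WebLogic OS user, and check afterwards whether WebLogic has rewritten the plaintext values into its encrypted form on the server's first start. The domain path, server name and credentials used are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the Oracle guide. Creates boot.properties for a
# managed server and checks whether WebLogic has already encrypted it.

# write_boot_properties DOMAIN_DIR SERVER_NAME USERNAME PASSWORD
# Copies the Admin Server's boot.properties when one exists (the guide's
# second option), otherwise writes a fresh one. The file is created with
# mode 600 because the credentials are plaintext until the server's first
# start, when WebLogic rewrites them in encrypted form.
write_boot_properties() {
    domain=$1; server=$2; user=$3; pass=$4
    secdir="$domain/servers/$server/security"
    admin_file="$domain/servers/AdminServer/security/boot.properties"
    target="$secdir/boot.properties"
    mkdir -p "$secdir" || return 1
    (
        umask 077
        if [ -f "$admin_file" ]; then
            cp "$admin_file" "$target"
        else
            printf 'username=%s\npassword=%s\n' "$user" "$pass" > "$target"
        fi
    ) || return 1
    chmod 600 "$target"
}

# boot_properties_encrypted FILE
# Returns 0 when both values carry WebLogic's {AES} or {3DES} prefix,
# 1 when either is still plaintext, 2 when a key is missing. Run it after
# the managed server has started to confirm no plaintext password remains.
boot_properties_encrypted() {
    file=$1
    for key in username password; do
        value=$(sed -n "s/^$key=//p" "$file" | head -n 1)
        [ -n "$value" ] || return 2
        case $value in
            '{AES}'*|'{3DES}'*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}
```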
Verifying the Installation
- You can perform any combination of the following tasks to verify that your installation was successful:
- Ensure that the Administration Server and Managed Servers are up and running.
- Verifying the installation for Oracle Access Management.
- Log in to the Administration Console for Oracle Access Management using the following URL:
http://<hostname>:<oam_admin_port>/oamconsole
- You will be redirected to:
http://<hostname>:<oamserver_port>/oam/server
When you access this Administration Console running on the Administration Server, you are prompted to enter a user name and password. Note that you must have the Administrator role and privileges.
- Verifying the installation for Weblogic Server Administration Console
If the installation and configuration of Oracle Access Management are successful, this console shows the Administration Server in running mode.