17 Configuring Oracle Identity Governance
Configuration of Oracle Identity Governance (OIG) comprises a series of steps, including integrating OIG with Oracle SOA suite, configuring the web tier, integrating OAM and OIG, configuring OIG workflow notifications, and so on. In the end, you back up the configuration.
This chapter includes the following topics:
- Variables Used When Configuring Oracle Identity Governance
  While configuring Oracle Identity Governance, you will reference the directory variables listed in this section.
- Starting and Validating the Oracle Identity Governance Managed Servers
  Now that you have extended the domain, started the Administration Server, and propagated the domain to the other hosts, you can start the newly configured Oracle Identity Governance Managed Servers.
- Analyzing the Bootstrap Report
  When you start the Oracle Identity Governance server, the bootstrap report is generated at $IGD_ASERVER_HOME/servers/WLS_OIM1/logs/BootStrapReportPreStart.html.
- Validating the Fusion Middleware Control Application
  After the bootstrap process has been executed and validated, access to the Fusion Middleware Control application should be available.
- Configuring the Web Tier for the Domain
  Configure the web server instances on the web tier so that the instances route requests for both public and internal URLs to the proper clusters in the extended domain.
- Managing the Notification Service
  An event is an operation that occurs in Oracle Identity Manager, such as user creation, request initiation, or any custom event created by the user. These events are generated as part of the business operations or through the generation of errors. Event definition is the metadata that describes the event.
- Configuring the Messaging Drivers
  Each messaging driver needs to be configured. You have to configure this service if you want to enable OAM's forgotten password functionality.
- Increasing Database Connection Pool Size
  The default database connection pool size needs to be increased when Oracle Identity Governance is used in conjunction with a connector that allows interactions with an LDAP directory.
- Forcing Oracle Identity Governance to use Correct Multicast Address
- Integrating Oracle Identity Governance with LDAP
- Integrating Oracle Identity Governance and Oracle Access Manager
  You have to complete several tasks to integrate Oracle Identity Governance and Oracle Access Manager. These tasks include creating the WLS authentication providers, deleting OIMSignatureAuthenticator and recreating OUDAuthenticator, adding the administration role to the new administration group, and so on.
- Running the Reconciliation Jobs
  Run the reconciliation jobs in the Oracle Identity Governance domain to import the LDAP user names into the Oracle Identity Governance database.
- Update the SOA Integration URL
- Configuring OIM Workflow Notifications to be Sent by Email
  OIM uses the human workflow, which is integrated with the SOA workflow. The SOA server configures email to receive the notifications that are delivered to the user mailbox. The user can accept or reject the notifications.
- Adding the wsm-pm Role to the Administrators Group
  After you configure a new LDAP-based Authorization Provider and restart the Administration Server, add the enterprise deployment administration LDAP group (OIMAdministrators) as a member to the policy.Updater role in the wsm-pm application stripe.
- Adding the Oracle Access Manager Load Balancer Certificate to the Oracle Keystore Service
  The Oracle Identity Governance to Business Intelligence Reports link inside of the Self Service application requires that the SSL certificate used by the load balancer be added to the Oracle Keystore Service Trusted Certificates.
- Restarting the IAMGovernanceDomain
- Setting Challenge Questions
  If you have integrated OAM and OIM, then after the environment is ready, you need to set up the challenge questions for your system users.
- Integrating Oracle Identity Manager with Oracle Business Intelligence Publisher
  Oracle Identity Manager comes with a number of prebuilt reports that can be used to provide information about Oracle Identity and Access Management.
Parent topic: Configuring the Enterprise Deployment
Variables Used When Configuring Oracle Identity Governance
While configuring Oracle Identity Governance, you will reference the directory variables listed in this section.
The values for several directory variables are defined in File System and Directory Variables Used in This Guide.
- IGD_ORACLE_HOME
- IGD_ASERVER_HOME
- IGD_MSERVER_HOME
- APPLICATION_HOME
- DEPLOY_PLAN_HOME
- JAVA_HOME
- DOMAIN_HOME
- IDSTORE_DIRECTORYTYPE
- IDSTORE_SEARCHBASE
- IDSTORE_USERSEARCHBASE
- IDSTORE_GROUPSEARCHBASE
- IDSTORE_OIMADMINUSERDN
- IDSTORE_OIMADMINUSER_PWD
- IDSTORE_EMAIL_DOMAIN
- OIM_HOST
- OIM_PORT
- WLS_OIM_SYSADMIN_USER
- WLS_OIM_SYSADMIN_USER_PWD
- OIM_WLS_HOST
- OIM_WLS_PORT
- OIM_WLS_ADMIN
- OIM_SERVER_NAME
- WL_HOME
- OAM_HOST
- OAM_PORT
- ACCESS_SERVER_HOST
- ACCESS_SERVER_PORT
- ACCESS_GATE_ID
- SSO_ACCESS_GATE_PASSWORD
- COOKIE_DOMAIN
- OAM_TRANSFER_MODE
- OIM_LOGINATTRIBUTE
- OAM11G_WLS_ADMIN_HOST
- OAM11G_WLS_ADMIN_PORT
- OIM_WLSHOST
- OIM_WLSPORT
- OIM_WLSADMIN
- OIM_WLSADMIN_PWD
- IDSTORE_OAMADMINUSER
- IDSTORE_OAMADMINUSER_PWD
- OAM11G_WLS_ADMIN_USER
- OAM11G_WLS_ADMIN_PASSWD
- IDSTORE_HOST
- IDSTORE_PORT
- IDSTORE_BINDDN
- IDSTORE_BINDPWD
In addition, you'll be referencing the following virtual IP (VIP) address defined in Reserving the Required IP Addresses for an Enterprise Deployment:
- ADMINVHN
Actions in this chapter will be performed on the following host computers:
- OIMHOST1
- OIMHOST2
- WEBHOST1
- WEBHOST2
Starting and Validating the Oracle Identity Governance Managed Servers
Now that you have extended the domain, started the Administration Server, and propagated the domain to the other hosts, you can start the newly configured Oracle Identity Governance Managed Servers.
This process involves three tasks as described in the following sections.
- Starting the Oracle Identity Governance Managed Servers and Bootstrapping the Domain
  Unlike previous releases, you no longer need to run the Oracle Identity Governance configuration wizard to deploy the OIM artifacts into the domain. However, you are required to bootstrap the domain. This automatically performs many of the actions that used to be performed by the OIM configuration wizard in previous releases.
- Starting the WLS_SOA1 and WLS_OIM1 Managed Servers
- Validating the Managed Server by Logging in to the Identity Console
- Starting and Validating WLS_SOA2, WLS_OIM2, and WLS_WSM2 Managed Servers
  After validating the successful configuration and startup of the WLS_SOA1 and WLS_OIM1 Managed Servers, you can start and validate the WLS_SOA2, WLS_OIM2, and WLS_WSM2 Managed Servers.
Starting the Oracle Identity Governance Managed Servers and Bootstrapping the Domain
Unlike previous releases, you no longer need to run the Oracle Identity Governance configuration wizard to deploy the OIM artifacts into the domain. However, you are required to bootstrap the domain. This automatically performs many of the actions that used to be performed by the OIM configuration wizard in previous releases.
IGD_ASERVER_HOME directory. However, the Node Manager that runs out of the IGD_ASERVER_HOME communicates using the igdadmin address. Rather than temporarily reconfiguring the Managed Servers to use this address, the Managed Servers can be started outside of Node Manager for the bootstrap process. Once the process is complete, the Managed Servers will be moved to local storage and the configured Node Manager will be able to start and stop them.
Run the following commands from IGD_ASERVER_HOME/bin:
- Command for starting the Oracle SOA Suite Managed Server:
  ./startManagedWebLogic.sh WLS_SOA1
- Command for starting the Oracle Identity Governance Managed Server:
  ./startManagedWebLogic.sh WLS_OIM1
When you run these commands, you are prompted to enter the WebLogic username and password. The commands run interactively; after starting a Managed Server, control is not returned to the command line. This does not matter, as it is a one-time operation.
Note:
You cannot perform these actions using Node Manager at this time.
Starting the WLS_SOA1 and WLS_OIM1 Managed Servers
To start the WLS_SOA1 and WLS_OIM1 Managed Servers:
Validating the Managed Server by Logging in to the Identity Console
Validate the Oracle Identity Manager Server instance by bringing up the Oracle Identity Manager Console in a web browser at:
http://OIMHOST1.example.com:14000/identity/
http://OIMHOST1.example.com:14000/sysadmin/
Log in using the xelsysadm username and password.
Validate the SOA configuration at:
http://OIMHOST1.example.com:8001/soa-infra
Starting and Validating WLS_SOA2, WLS_OIM2, and WLS_WSM2 Managed Servers
After validating the successful configuration and startup of the WLS_SOA1 and WLS_OIM1 Managed Servers, you can start and validate the WLS_SOA2, WLS_OIM2, and WLS_WSM2 Managed Servers.
To start and validate the WLS_SOA2 Managed Server, use the procedure in Starting and Validating the WLS_SOA1 Managed Server for the WLS_SOA2 Managed Server. Use the same procedure to start and validate the WLS_OIM2 and WLS_WSM2 Managed Servers.
For the validation URL, enter the following URL in your web browser and log in using the enterprise deployment administrator user:
http://OIMHOST2:14000/identity
http://OIMHOST2:14001/identity
Analyzing the Bootstrap Report
When you start the Oracle Identity Governance server, the bootstrap report is generated at $IGD_ASERVER_HOME/servers/WLS_OIM1/logs/BootStrapReportPreStart.html.
BootStrapReportPreStart.html is an HTML file that contains information about the topology that you have deployed, the system-level details, the connection details such as the URLs to be used, the connectivity check, and the task execution details. You can use this report to check whether the system is up, and also to troubleshoot issues after configuration.
Every time you start the Oracle Identity Governance server, the bootstrap report is updated.
Sections in the Bootstrap Report
- Topology Details
  This section contains information about your deployment. It shows whether you have configured a cluster setup, enabled SSL, or upgraded an Oracle Identity Manager environment from 11g to 12c.
- System Level Details
  This section contains information about the JDK version, Database version, JAVA_HOME, DOMAIN_HOME, OIM_HOME, and MIDDLEWARE_HOME.
- Connection Details
  This section contains the connection details such as the Administration URL, OIM Front End URL, SOA URL, and RMI URL.
  It also shows whether the Administration Server, Database, and SOA server are up.
- Execution Details
  This section lists the various tasks and their statuses.
Validating the Fusion Middleware Control Application
After the bootstrap process has been executed and validated, access to the Fusion Middleware Control application should be available at:
http://IGDADMINVHN.example.com:7101/em
Configuring the Web Tier for the Domain
Configure the web server instances on the web tier so that the instances route requests for both public and internal URLs to the proper clusters in the extended domain.
For additional steps in preparation for possible scale-out scenarios, see Updating Cross Component Wiring Information.
- Integrating Oracle Identity Governance with Oracle SOA Suite
  Use the Enterprise Manager console to integrate Oracle Identity Governance with Oracle SOA Suite.
- Validating the Oracle SOA Suite URLs Through the Load Balancer
Integrating Oracle Identity Governance with Oracle SOA Suite
Use the Enterprise Manager console to integrate Oracle Identity Governance with Oracle SOA Suite.
Validating the Oracle SOA Suite URLs Through the Load Balancer
To validate the configuration of the Oracle HTTP Server virtual hosts and to verify that the hardware load balancer can route requests through the Oracle HTTP Server instances to the application tier:
Managing the Notification Service
An event is an operation that occurs in Oracle Identity Manager, such as user creation, request initiation, or any custom event created by the user. These events are generated as part of the business operations or through the generation of errors. Event definition is the metadata that describes the event.
To define the metadata for events, you must identify all event types supported by a functional component. For example, as a part of the scheduler component, metadata is defined for a scheduled job execution failure and shutting down of the scheduler. Every time a job fails or the scheduler shuts down, the associated events get triggered, and the notifications associated with the event get sent.
The data available in the event is used to create the content of the notification. The different parameters defined for an event help the system to select the appropriate notification template. The various parameters defined for an event help the system decide which event variables should be made available at template design time.
A notification template is used to send notifications. These templates contain variables that refer to available data to provide more context to the notifications. The notification is sent through a notification provider. Examples of such channels are e-mail, Instant Messaging (IM), Short Message Service (SMS), and voice. To use these notification providers, Oracle Identity Manager uses Oracle User Messaging Service (UMS).
At the back end, the notification engine is responsible for generating the notification and utilizing the notification provider to send the notification.
Using SMTP for Notification
Using SMTP for notification involves configuring the SMTP email notification provider properties and adding the CSF key.
Configuring the SMTP Email Notification Provider Properties
To configure the SMTP Email Notification Provider properties by using the EmailNotificationProviderMBean MBean:
Configuring the Messaging Drivers
Each messaging driver needs to be configured. You have to configure this service if you want to enable OAM's forgotten password functionality.
Configuring the Email Driver
To configure the driver to send emails, perform the following steps:
Increasing Database Connection Pool Size
The default database connection pool size needs to be increased when Oracle Identity Governance is used in conjunction with a connector that allows interactions with an LDAP directory.
Forcing Oracle Identity Governance to use Correct Multicast Address
Oracle Identity Governance uses multicast for certain functions. By default, the Managed Servers communicate using the multicast address assigned to the primary host name. If you want multicast to use a different network, for example the internal network, you must complete the following additional steps:
Integrating Oracle Identity Governance with LDAP
Integrating Oracle Identity Governance includes the following topics:
- Installing the Connector Bundle
- Configuring the Oracle Connector for LDAP
- Add Missing Object Classes
Installing the Connector Bundle
- Download the Connector bundle from the artifactory (Download Connector Bundle).
- For OID or OUD, download the Connector bundle corresponding to Oracle Internet Directory.
  Note:
  For all directory types, the required Connector version for OIG-OAM integration is 12.2.1.3.0.
- Unzip the Connector bundle to the desired connector path under $ORACLE_HOME/idm/server/ConnectorDefaultDirectory. For example:
  $IGD_ORACLE_HOME/idm/server/ConnectorDefaultDirectory
Configuring the Oracle Connector for LDAP
The Oracle Connector for LDAP allows you to store users and passwords in a certified LDAP directory. Configure the connector before using it. Perform the following steps to configure the connector:
- Change directory to IGD_ORACLE_HOME/idm/server/ssointg/config.
- Edit the file configureLDAPConnector.config as shown below:
  ##-----------------------------------------------------------##
  ## [configureLDAPConnector]
  IDSTORE_DIRECTORYTYPE=OUD
  IDSTORE_HOST=idstore.example.com
  IDSTORE_PORT=1389
  IDSTORE_BINDDN=cn=oudadmin
  IDSTORE_OIMADMINUSERDN=cn=oimLDAP,cn=systemids,dc=example,dc=com
  IDSTORE_SEARCHBASE=dc=example,dc=com
  IDSTORE_USERSEARCHBASE=cn=Users,dc=example,dc=com
  IDSTORE_GROUPSEARCHBASE=cn=Groups,dc=example,dc=com
  IDSTORE_USERSEARCHBASE_DESCRIPTION=Default user container
  IDSTORE_GROUPSEARCHBASE_DESCRIPTION=Default group container
  IDSTORE_EMAIL_DOMAIN=example.com
  OIM_HOST=OIMHOST1.example.com
  OIM_PORT=14000
  WLS_OIM_SYSADMIN_USER=xelsysadm
  OIM_WLSHOST=IGDADMINVHN.example.com
  OIM_WLSPORT=7101
  OIM_WLSADMIN=weblogic
  OIM_SERVER_NAME=oim_server1
  CONNECTOR_MEDIA_PATH=IGD_ORACLE_HOME/idm/server/ConnectorDefaultDirectory/OID-12.2.1.3.0
Note:
You can also specify the passwords directly in the file, if required. If you do not specify the passwords, you will be prompted for them at runtime.
Parameters are:
- OIM_WLSADMIN_PWD
- IDSTORE_BINDDN_PWD
- WLS_OIM_SYSADMIN_USER_PWD
- ADMIN_USER_PWD
- IDSTORE_OIMADMINUSER_PWD
Save the file when done.
This table lists the properties used to configure the LDAP connector.
Table 17-4 Configure LDAPConnector Properties
IDSTORE_HOST: The load balancer name for the LDAP directory, for example idstore.example.com.
IDSTORE_PORT: The LDAP port on the load balancer, for example 1389 for OUD.
IDSTORE_DIRECTORYTYPE: The type of LDAP directory you are using (OUD).
IDSTORE_BINDDN: The credential used to connect to the directory to perform administrative actions, for example oudadmin for OUD.
IDSTORE_SEARCHBASE: The root of the directory tree.
IDSTORE_USERSEARCHBASE: The location in the directory where users are stored.
IDSTORE_GROUPSEARCHBASE: The location in the directory where groups are stored.
IDSTORE_OIMADMINUSERDN: The name of the user that OIM uses to connect to LDAP.
IDSTORE_EMAIL_DOMAIN: The email domain.
OIM_HOST: The host name that the OIM Managed Server WLS_OIM1 is listening on, for example OIMHOST1.
OIM_PORT: The port number of the WLS_OIM1 Managed Server.
WLS_OIM_SYSADMIN_USER: The OIM administrator account, for example xelsysadm.
OIM_WLSHOST: The listen address of the IAMGovernanceDomain Administration Server, for example IGDADMINVHN.
OIM_WLSPORT: The port of the Administration Server, for example 7101.
OIM_WLSADMIN: The name of the IAMGovernanceDomain administration user, for example weblogic.
CONNECTOR_MEDIA_PATH: The location where you have installed the connector.
OIM_SERVER_NAME: The name of the OIM Managed Server that is running, for example wls_oim1.
Note:
You should use the same values as you specified for these parameters in Creating a Configuration File.
- Locate the properties file ssointg-config.properties, available at IGD_ORACLE_HOME/idm/server/ssointg/config/, and set the configureLDAPConnector value to true. All other values should be set to false.
  ##-----------------------------------------------------------##
  generateIndividualConfigFiles=false
  prepareIDStore=false
  configOAM=false
  addMissingObjectClasses=false
  populateOHSRules=false
  configureWLSAuthnProviders=false
  configureLDAPConnector=true
  ## configureLDAPConnector takes care of updating container rules
  ## Additional option is provided in case rules need to be updated again
  updateContainerRules=false
  configureSSOIntegration=false
  enableOAMSessionDeletion=false
- Execute the script OIGOAMIntegration for configuring the connector. For example:
  cd IGD_ORACLE_HOME/idm/server/ssointg/bin
  export JAVA_HOME=JAVA_HOME
  export ORACLE_HOME=IGD_ORACLE_HOME
  export WL_HOME=IGD_ORACLE_HOME/wlserver
  chmod 750 _OIGOAMIntegration.sh OIGOAMIntegration.sh
  ./OIGOAMIntegration.sh -configureLDAPConnector
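As a pre-flight check before running OIGOAMIntegration.sh, the following added example (not part of the Oracle documentation or the product) parses configureLDAPConnector.config and ssointg-config.properties and reports the mistakes this step invites: more than one action left set to true, a Table 17-4 attribute missing, a key set twice, or a password left in the file instead of being entered at the runtime prompt. The parser also accepts the colon-separated KEY: VALUE form used by the other ssointg .config files; the sample file contents are constructed from the values shown above, and the properties sample is abridged.

```python
"""Pre-flight checks for the files OIGOAMIntegration.sh reads (added example)."""
import re

REQUIRED_LDAP_CONNECTOR_KEYS = (  # Table 17-4 attributes configureLDAPConnector.config must supply
    "IDSTORE_DIRECTORYTYPE", "IDSTORE_HOST", "IDSTORE_PORT", "IDSTORE_BINDDN",
    "IDSTORE_OIMADMINUSERDN", "IDSTORE_SEARCHBASE", "IDSTORE_USERSEARCHBASE",
    "IDSTORE_GROUPSEARCHBASE", "IDSTORE_EMAIL_DOMAIN", "OIM_HOST", "OIM_PORT",
    "WLS_OIM_SYSADMIN_USER", "OIM_WLSHOST", "OIM_WLSPORT", "OIM_WLSADMIN",
    "OIM_SERVER_NAME", "CONNECTOR_MEDIA_PATH",
)
SECRET_SUFFIXES = ("PWD", "PASSWD", "PASSWORD")  # covers *_PWD, IDSTORE_BINDPWD, *_PASSWD
_KV_RE = re.compile(r"^([A-Za-z][A-Za-z0-9_]*)\s*[=:]\s*(.*)$")  # value may hold '=' or ':'

def parse_config(text):
    """Parse KEY=VALUE or KEY: VALUE lines into (values, duplicate_keys).
    Blank lines and '#' lines (including '## [section]' headers) are skipped; when a
    key repeats, the last value is kept and the key is reported."""
    values, duplicates = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _KV_RE.match(line)
        if match is None:
            continue  # stray text; how the real loader treats it is not modelled here
        key, value = match.group(1), match.group(2).strip()
        if key in values and key not in duplicates:
            duplicates.append(key)
        values[key] = value
    return values, duplicates

def enabled_actions(props):
    """Keys in ssointg-config.properties that are set to true."""
    return sorted(k for k, v in props.items() if v.lower() == "true")

def inline_secrets(cfg):
    """Password keys whose value is filled in rather than empty or a <placeholder>.
    The page allows passwords in the file; left there after the run they sit on disk."""
    found = []
    for key, value in cfg.items():
        if key.endswith(SECRET_SUFFIXES) and value:
            if not (value.startswith("<") and value.endswith(">")):
                found.append(key)
    return sorted(found)

def preflight(config_text, properties_text, expected_action, required_keys):
    """Return a list of findings; an empty list means the two files are consistent."""
    cfg, duplicates = parse_config(config_text)
    props, _ = parse_config(properties_text)
    findings = []
    actions = enabled_actions(props)
    if actions != [expected_action]:
        findings.append(f"properties enable {actions or 'no action'}; expected only {expected_action}")
    for key in required_keys:
        if not cfg.get(key):
            findings.append(f"{key} is missing or empty in the .config file")
    for key in duplicates:
        findings.append(f"{key} is set more than once; check which value is intended")
    for key in inline_secrets(cfg):
        findings.append(f"{key} holds an inline password; clear it and enter it at the prompt")
    return findings

# Constructed sample input (properties file abridged) mirroring the files edited above.
GOOD_PROPERTIES = """\
configOAM=false
configureWLSAuthnProviders=false
configureLDAPConnector=true
## configureLDAPConnector takes care of updating container rules
updateContainerRules=false
configureSSOIntegration=false
enableOAMSessionDeletion=false
"""
GOOD_CONFIG = """\
## [configureLDAPConnector]
IDSTORE_DIRECTORYTYPE=OUD
IDSTORE_HOST=idstore.example.com
IDSTORE_PORT=1389
IDSTORE_BINDDN=cn=oudadmin
IDSTORE_OIMADMINUSERDN=cn=oimLDAP,cn=systemids,dc=example,dc=com
IDSTORE_SEARCHBASE=dc=example,dc=com
IDSTORE_USERSEARCHBASE=cn=Users,dc=example,dc=com
IDSTORE_GROUPSEARCHBASE=cn=Groups,dc=example,dc=com
IDSTORE_EMAIL_DOMAIN=example.com
OIM_HOST=OIMHOST1.example.com
OIM_PORT=14000
WLS_OIM_SYSADMIN_USER=xelsysadm
OIM_WLSHOST=IGDADMINVHN.example.com
OIM_WLSPORT=7101
OIM_WLSADMIN=weblogic
OIM_SERVER_NAME=oim_server1
CONNECTOR_MEDIA_PATH=IGD_ORACLE_HOME/idm/server/ConnectorDefaultDirectory/OID-12.2.1.3.0
"""
# Constructed mistakes: a second action left enabled and a password left in the file.
BAD_PROPERTIES = GOOD_PROPERTIES.replace("configOAM=false", "configOAM=true")
BAD_CONFIG = GOOD_CONFIG + "OIM_WLSADMIN_PWD=constructed-example-password\n"

if __name__ == "__main__":
    for label, cfg, props in (("good", GOOD_CONFIG, GOOD_PROPERTIES), ("bad", BAD_CONFIG, BAD_PROPERTIES)):
        print(label, preflight(cfg, props, "configureLDAPConnector", REQUIRED_LDAP_CONNECTOR_KEYS) or "OK")
```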
Add Missing Object Classes
Note:
To successfully execute this process, the ldapsearch binary must be in your user's PATH and the screen package must be installed on your host.
- Change directory to IGD_ORACLE_HOME/idm/server/ssointg/config.
- Edit the file addMissingObjectClasses.config, updating the properties as shown below:
  IDSTORE_DIRECTORYTYPE: OUD
  IDSTORE_HOST: idstore.example.com
  IDSTORE_PORT: 1389
  IDSTORE_BINDDN: cn=oudadmin
  IDSTORE_USERSEARCHBASE: cn=Users,dc=example,dc=com
Save the file when done.
Table 17-5 Properties of addMissingObjectClasses.config
IDSTORE_HOST: The load balancer name for the LDAP directory, for example idstore.example.com.
IDSTORE_PORT: The LDAP port on the load balancer, for example 1389 for OUD.
IDSTORE_DIRECTORYTYPE: The type of LDAP directory you are using (OUD).
IDSTORE_BINDDN: The credential used to connect to the directory to perform administrative actions, for example oudadmin for OUD.
IDSTORE_USERSEARCHBASE: The location in the directory where user information is stored.
- Execute the script OIGOAMIntegration. For example:
  cd IGD_ORACLE_HOME/idm/server/ssointg/bin
  export JAVA_HOME=JAVA_HOME
  export ORACLE_HOME=IGD_ORACLE_HOME
  export WL_HOME=IGD_ORACLE_HOME/wlserver
  ./OIGOAMIntegration.sh -addMissingObjectClasses
You will be prompted to enter the password of the LDAP directory administrator account.
Restart Domains
Restart the IAMAccessDomain and the IAMGovernanceDomain domains.
Integrating Oracle Identity Governance and Oracle Access Manager
You have to complete several tasks to integrate Oracle Identity Governance and Oracle Access Manager. These tasks include creating the WLS authentication providers, deleting OIMSignatureAuthenticator and recreating OUDAuthenticator, adding the administration role to the new administration group, and so on.
- Configuring SSO Integration in the IAMGovernanceDomain
- Enable OAM Notifications
- Update Value of MatchLDAPAttribute in oam-config.xml
- Update TapEndpoint URL
Configuring SSO Integration in the IAMGovernanceDomain
Having deployed the connector, the next step in the process is to configure SSO in the domain. To do this, perform the following steps:
- Change directory to IGD_ORACLE_HOME/idm/server/ssointg/config.
- Edit the file configureSSOIntegration.config, updating the properties in the section configureSSOIntegration as shown below:
  ##-----------------------------------------------------------##
  ## [configureSSOIntegration]
  OAM_HOST: login.example.com
  OAM_PORT: 443
  OAM_PORT: 80
  ACCESS_SERVER_HOST: OAMHOST1.example.com
  ACCESS_SERVER_PORT: 5575
  OAM_SERVER_VERSION: 12c
  WEBGATE_TYPE: ohsWebgate12c
  COOKIE_DOMAIN: example.com
  OAM_TRANSFER_MODE: open
  OIM_LOGINATTRIBUTE: uid
  SSO_INTEGRATION_MODE: CQR
  OAM11G_WLS_ADMIN_HOST: IADADMINVHN.example.com
  OAM11G_WLS_ADMIN_PORT: 7001
  OAM11G_WLS_ADMIN_USER: weblogic
  OAM11G_WLS_ADMIN_PASSWD: <PASSWORD>
  OAM11G_IDSTORE_NAME: OAMIDSTORE
  ## Required if OAM_TRANSFER_MODE is not OPEN
  OIM_WLSHOST: IGDADMINVHN.example.com
  OIM_WLSPORT: 7101
  OIM_WLSADMIN: weblogic
  IDSTORE_OAMADMINUSER_PWD: <password>
  OIM_SERVER_NAME: WLS_OIM1
  IDSTORE_OAMADMINUSER: oamadmin
Save the file when done.
Where:
Table 17-6 Configure SSOIntegration Properties
OAM_HOST: The listen address of the front-end load balancer for the OAM cluster.
OAM_PORT: The port of the front-end load balancer for the OAM cluster.
ACCESS_SERVER_HOST: Always the same as OAM_HOST.
ACCESS_SERVER_PORT: The port number for OAM PROXY PORT.
ACCESS_GATE_ID: The name of the WebGate agent created in Creating a Configuration File.
COOKIE_DOMAIN: The value assigned in Creating a Configuration File.
OAM_TRANSFER_MODE: The value assigned in Creating a Configuration File.
OIM_LOGINATTRIBUTE: The LDAP field containing the user's login attribute, usually uid or cn.
OAM11G_WLS_ADMIN_HOST: The listen address of the Administration Server in the IAMAccessDomain domain, for example IADADMINVHN.
OAM11G_WLS_ADMIN_PORT: The listen port of the Administration Server in the IAMAccessDomain domain, for example 7001.
OAM11G_WLS_ADMIN_PASSWD: Optional password for OAM11G_WLS_ADMIN_USER.
OAM11G_WLS_ADMIN_USER: The administration user of the IAD Administration Server.
OIM_WLSHOST: The listen address of the OIM Administration Server, for example IGDADMINVHN.example.com.
OIM_WLSPORT: The listen port of the OIM Administration Server, for example 7101.
OIM_WLSADMIN: The administration user of the OIM Administration Server, for example weblogic.
OIM_SERVER_NAME: The name of the OIM Managed Server that is running, for example WLS_OIM1.
IDSTORE_OAMADMINUSER: The value assigned to IDSTORE_OAMADMINUSER in Creating a Configuration File.
IDSTORE_OAMADMINUSER_PWD: Optional. The password of the IDSTORE_OAMADMINUSER account.
OAM_SERVER_VERSION: The version of OAM used for the integration.
WEBGATE_TYPE: The type of WebGate used for the integration.
OAM11G_IDSTORE_NAME: The name of the IDStore configured in OAM; the default name is OAMIDSTORE.
- Execute the script OIGOAMIntegration for configuring SSO Integration. For example:
  cd IGD_ORACLE_HOME/idm/server/ssointg/bin
  export JAVA_HOME=JAVA_HOME
  export ORACLE_HOME=IGD_ORACLE_HOME
  export WL_HOME=IGD_ORACLE_HOME/wlserver
  ./OIGOAMIntegration.sh -configureSSOIntegration
- Restart the domains IAMAccessDomain and IAMGovernanceDomain.
Enable OAM Notifications
Having deployed the connector, the next step in the process is to tell OIM how to interact with OAM to terminate a user's session after that user has been expired or terminated. To do this, perform the following steps:
- Change directory to IGD_ORACLE_HOME/idm/server/ssointg/config.
- Edit the file enableOAMSessionDeletion.config, updating the properties in the section enableOAMNotifications as shown below:
  ##-----------------------------------------------------------##
  ## [enableOAMNotifications]
  OIM_WLSHOST: IGDADMINVHN.example.com
  OIM_WLSPORT: 7101
  OIM_WLSADMIN: weblogic
  IDSTORE_DIRECTORYTYPE: OUD
  IDSTORE_HOST: idstore.example.com
  IDSTORE_PORT: 1389
  IDSTORE_BINDDN: cn=oudadmin
  IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com
  IDSTORE_SYSTEMIDBASE: cn=systemids,dc=example,dc=com
  IDSTORE_OAMADMINUSER: oamAdmin
  IDSTORE_OAMSOFTWAREUSER: oamLDAP
  IDSTORE_USERSEARCHBASE: cn=Users,dc=example,dc=com
  OIM_SERVER_NAME: WLS_OIM1
Where:
Table 17-7 Properties of enableOAMSessionDeletion
OIM_WLSHOST: The listen address of the Administration Server in the IAMGovernanceDomain domain, for example IGDADMINVHN.example.com.
OIM_WLSPORT: The port of the Administration Server in the IAMGovernanceDomain domain, for example 7101.
OIM_WLSADMIN: The name of the WebLogic administrator in the IAMGovernanceDomain, for example weblogic.
IDSTORE_HOST: The load balancer name for the LDAP directory, for example idstore.example.com.
IDSTORE_PORT: The LDAP port of the load balancer, for example 1389 for OUD.
IDSTORE_BINDDN: The credential used to connect to the directory to perform administrative actions, for example oudadmin for OUD.
IDSTORE_GROUPSEARCHBASE: The location in the directory where groups are stored.
IDSTORE_SYSTEMIDBASE: The location of a container in the directory where system users can be placed when you do not want them in the main user container.
IDSTORE_OAMADMINUSER: The name of the user you want to create as your Access Manager administrator.
IDSTORE_OAMSOFTWAREUSER: A user that is created in LDAP and used by Access Manager at runtime to connect to the LDAP server.
IDSTORE_USERSEARCHBASE: The location in the directory where users are stored.
OIM_SERVER_NAME: The name of the OIM server, for example oim_server1.
- Execute the script OIGOAMIntegration for enabling notifications. For example:
  cd IGD_ORACLE_HOME/idm/server/ssointg/bin
  export JAVA_HOME=JAVA_HOME
  export ORACLE_HOME=IGD_ORACLE_HOME
  export WL_HOME=IGD_ORACLE_HOME/wlserver
  ./OIGOAMIntegration.sh -enableOAMSessionDeletion
Update Value of MatchLDAPAttribute in oam-config.xml
To complete the Oracle Identity Governance integration with Oracle Access Manager, one of the settings in Oracle Access Manager's oam-config.xml file needs to be changed. As of version 12c, this file is stored in the database and should not be edited directly.
To update the oam-config.xml file:
Note:
Ensure that the cURL package has been added to the host by executing which curl at the command line. If the package is not installed, an administrator must install the package by executing yum install curl.
Update TapEndpoint URL
For the OAM/OIM integration to work, you must update the OAM TapEndpoint URL. To do this, perform the following steps:
- Log in to Oracle Fusion Middleware Control using the following URL:
  http://igdadmin.example.com/em
  OR
  http://IGDADMINVHN.example.com:7101/em
  The Administration Server host and port number were in the URL on the End of Configuration screen (Writing Down Your Domain Home and Administration Server URL). The default Administration Server port number is 7101.
- Click WebLogic Domain, and click System MBean Browser.
  In the search box, enter SSOIntegrationMXBean, and click Search. The MBean is displayed.
- Set the value of TapEndpointURL to https://login.example.com/oam/server/dap/cred_submit
- Click Apply.
Running the Reconciliation Jobs
Run the reconciliation jobs in the Oracle Identity Governance domain to import the LDAP user names into the Oracle Identity Governance database.
To run the reconciliation jobs:
- Log in to the OIM System Administration Console as the user xelsysadm.
- Click Scheduler under System Configuration.
- Enter SSO* in the search box.
- Click the arrow for the Search Scheduled Jobs to list all the schedulers.
- Select SSO User Full Reconciliation.
- Click Run Now to run the job.
- Repeat for SSO Group Create And Update Full Reconciliation.
- Log in to the OIM System Administration Console and verify that the user weblogic_iam is visible.
Update the SOA Integration URL
Oracle Identity Manager connects to SOA as the SOA administrator, with the username weblogic.
Perform the following post installation steps to enable Oracle Identity Manager to work with the Oracle WebLogic Server administrator user. This enables Oracle Identity Manager to connect to SOA:
Note:
For the SOAConfig Mbean to be visible, at least one OIM Managed Server must be running.
- Log in to Enterprise Manager Fusion Middleware Control of the IAMGovernanceDomain as the weblogic user.
- Click WebLogic Domain, and click System MBean Browser.
- Select Search, enter SOAConfig, and click Search.
- Ensure that the username is set to weblogic.
- Update the SOAP URL to the following:
  http://igdinternal.example.com:7777/
- Update the SOA Config RMI URL to the following:
  http://igdinternal.example.com:7777/
- Click Apply.
Configuring OIM Workflow Notifications to be Sent by Email
OIM uses the human workflow, which is integrated with the SOA workflow. The SOA server configures email to receive the notifications that are delivered to the user mailbox. The user can accept or reject the notifications.
Both incoming and outgoing email addresses and mailboxes dedicated to the portal workflow are required for the full functionality. See Configuring Human Workflow Notification Properties in Administering Oracle SOA Suite and Oracle Business Process Management Suite.
To configure the OIM workflow notifications:
- Log in to the Fusion Middleware Control by using the administrator's account, for example, weblogic_iam.
- Expand the Target Navigation panel and navigate to SOA > soa-infra (soa_server1) service.
- From the SOA infrastructure drop-down, select SOA Administration > Workflow Properties.
- Set the Notification mode to Email. Provide the correct e-mail address for the notification service.
- Click Apply and confirm when prompted.
- Verify the changes.
- Expand Target Navigation, select User Messaging Service, and then usermessagingdriver-email (soa_servern). Each SOA Managed Server that is running will have a driver. Only one of these entries should be selected.
- From the User Messaging Email Driver drop-down list, select Email Driver Properties.
- Click Create if the email driver does not exist already.
- Click Test and verify the changes.
- Click OK to save the email driver configuration.
- Restart the SOA cluster. No configuration or restart is required for OIM.
Adding the wsm-pm Role to the Administrators Group
After you configure a new LDAP-based Authorization Provider and restart the Administration Server, add the enterprise deployment administration LDAP group (OIMAdministrators) as a member to the policy.Updater role in the wsm-pm application stripe.
Adding the Oracle Access Manager Load Balancer Certificate to the Oracle Keystore Service
The Oracle Identity Governance to Business Intelligence Reports link inside of the Self Service application requires that the SSL certificate used by the load balancer be added to the Oracle Keystore Service Trusted Certificates.
Restarting the IAMGovernanceDomain
For the above changes to take effect, you must restart the domain.
Setting Challenge Questions
If you have integrated OAM and OIM, then after the environment is ready, you need to set up the challenge questions for your system users.
To set up the challenge questions, log in to Identity Self Service using the URL: https://prov.example.com/identity.
Log in with your user name and, when prompted, add the challenge questions. You should set up these questions for the following users:
- xelsysadm
- weblogic_iam
- oamadmin
Integrating Oracle Identity Manager with Oracle Business Intelligence Publisher
Oracle Identity Manager comes with a number of prebuilt reports that can be used to provide information about Oracle Identity and Access Management.
Oracle Identity Manager reports are classified by functional area, such as Access Policy Reports, Request and Approval Reports, Password Reports, and so on; they are no longer classified as Operational and Historical. These reports are not generated by Oracle Identity Manager itself but by Oracle Business Intelligence Publisher (BIP). Oracle Identity Manager reports provide a restriction for Oracle BI Publisher.
The setup of a highly available enterprise deployment of Oracle BI Publisher is beyond the scope of this document. For more information, see Understanding the Business Intelligence Enterprise Deployment Topology in the Enterprise Deployment Guide for Business Intelligence.
Note:
During BI configuration for Oracle Identity Manager, you must configure only Business Intelligence Publisher. If you select other components during BI Publisher configuration, such as Business Intelligence Enterprise Edition and Essbase, the integration with Oracle Identity Manager may not work. See Configuring Reports in Developing and Customizing Applications for Oracle Identity Manager.
- Creating a User to Run BI Reports
- Configuring Oracle Identity Manager to Use BI Publisher
You can set up Oracle BI Publisher to generate Oracle Identity Manager reports.
- Assigning the BIServiceAdministrator Role to idm_report
- Storing the BI Credentials in Oracle Identity Governance
- Creating OIM and BPEL Data Sources in BIP
- Deploying Oracle Identity Governance Reports to BI
- Enable Certification Reports
- Validating the Reports
Creating a User to Run BI Reports
You may ignore this section if you already have a user to run reports in your Business Intelligence domain.
If you need to create a user in your BI Publisher domain to run reports, use the following LDIF command to create a user in the LDAP directory.
Configuring Oracle Identity Manager to Use BI Publisher
You can set up Oracle BI Publisher to generate Oracle Identity Manager reports.
Assigning the BIServiceAdministrator Role to idm_report
If you are using LDAP as your identity store in the Business Intelligence (BI) domain, you must have created an LDAP authenticator in the BI domain. You can view the user and group names stored within LDAP.
The Oracle Identity Manager (OIM) system administration account (for example, idm_report) needs to be assigned the BIServiceAdministrator role to generate reports.
To assign this role:
Storing the BI Credentials in Oracle Identity Governance
Creating OIM and BPEL Data Sources in BIP
Create OIM Datasource
Oracle BIP must be connected to the OIM and SOA database schemas to run a report.
To do this, create the BIP data sources using the following procedure:
- Log in to the BI Publisher Home page using the URL https://bi.example.com/xmlpserver.
- Click the Administration link at the top of the BI Publisher Home page. The BI Publisher Administration page is displayed.
- Under Data Sources, click the JDBC Connection link. The Data Sources page is displayed.
- In the JDBC tab, click Add Data Source to create a JDBC connection to your database. The Add Data Source page is displayed.
- Enter values in the following fields:

Table 17-9 OIM Add Data Source Attributes

| Attribute | Value |
|---|---|
| Data Source Name | Specify the Oracle Identity Governance JDBC connection name. For example, OIM JDBC. |
| Driver Type | Select Oracle 11g for an 11g database and Oracle 12c for a 12c database. |
| Database Driver Class | Specify a driver class to suit your database, such as oracle.jdbc.OracleDriver. |
| Connection String | Specify the database connection details in the format jdbc:oracle:thin:@HOST_NAME:PORT_NUMBER/SID. For example, jdbc:oracle:thin:@igddbscan:1521/oim.example.com |
| User name | Specify the Oracle Identity Governance database user name, for example IGD_OIM. |
| Password | Specify the Oracle Identity Governance database user password. |

- Click Test Connection to verify the connection.
- Click Apply to establish the connection.
- If the connection to the database is established, a confirmation message is displayed indicating the success.
- Click Apply.
In the JDBC page, you can see the newly defined Oracle Identity Governance JDBC connection in the list of JDBC data sources.
Create BPEL Datasource
- Log in to the BI Publisher Home page using the URL https://bi.example.com/xmlpserver.
- Click the Administration link on the BI Publisher home page. The BI Publisher Administration page is displayed.
- Under Data Sources, click the JDBC Connection link. The Data Sources page is displayed.
- In the JDBC tab, click Add Data Source to create a JDBC connection to your database. The Add Data Source page is displayed.
- Enter values in the following fields:

Table 17-10 JDBC Add Data Source Attributes

| Attribute | Value |
|---|---|
| Data Source Name | Specify the Oracle Identity Governance JDBC connection name. For example, BPEL JDBC. |
| Driver Type | Oracle 12c |
| Database Driver Class | Specify a driver class to suit your database, such as oracle.jdbc.OracleDriver. |
| Connection String | Specify the database connection details in the format jdbc:oracle:thin:@HOST_NAME:PORT_NUMBER/SID. For example, jdbc:oracle:thin:@igddbscan:1521/oim.example.com |
| User name | Specify the Oracle Identity Governance database user name, for example IGD_SOAINFRA. |
| Password | Specify the Oracle Identity Governance database user password. |

- Click Test Connection to verify the connection.
- Click Apply to establish the connection.
- If the connection to the database is established, a confirmation message is displayed indicating the success.
- Click Apply.
In the JDBC page, you can see the newly defined Oracle Identity Governance JDBC connection in the list of JDBC data sources.
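As an added pre-flight check that is not part of the Oracle documentation, the following Python script validates the two data-source definitions from Tables 17-9 and 17-10 before they are typed into the BI Publisher console: the connection string must follow the jdbc:oracle:thin:@HOST_NAME:PORT_NUMBER/SID format, the driver class must be oracle.jdbc.OracleDriver, the OIM and BPEL data sources must be named OIM JDBC and BPEL JDBC (the names the reports look for), and each must use its own schema account (an _OIM and an _SOAINFRA user respectively) rather than sharing one. The hostname, service name and schema users are the example values from the tables; the expected-name and schema-suffix rules are this check's own assumptions.

```python
import re
from dataclasses import dataclass

# Format from Tables 17-9 and 17-10 (jdbc:oracle:thin:@HOST_NAME:PORT_NUMBER/SID);
# the "/name" form actually carries a service name, as in the igddbscan example.
THIN_URL = re.compile(r"^jdbc:oracle:thin:@(?P<host>[\w.-]+):(?P<port>\d{1,5})/(?P<svc>[\w.-]+)$")
DRIVER_CLASS = "oracle.jdbc.OracleDriver"
# Assumed rule: data source name the reports look for -> schema suffix expected behind it
EXPECTED_SCHEMA_SUFFIX = {"OIM JDBC": "_OIM", "BPEL JDBC": "_SOAINFRA"}

@dataclass
class DataSource:
    name: str
    driver_class: str
    connection_string: str
    user: str

def validate(sources):
    """Return a list of problems; an empty list means the definitions are consistent."""
    problems, seen_users = [], {}
    for ds in sources:
        m = THIN_URL.match(ds.connection_string)
        if not m:
            problems.append(f"{ds.name}: connection string not in thin format: {ds.connection_string}")
        elif not 1 <= int(m.group("port")) <= 65535:
            problems.append(f"{ds.name}: port {m.group('port')} out of range")
        if ds.driver_class != DRIVER_CLASS:
            problems.append(f"{ds.name}: driver class should be {DRIVER_CLASS}")
        suffix = EXPECTED_SCHEMA_SUFFIX.get(ds.name)
        if suffix is None:
            problems.append(f"{ds.name}: unexpected name; reports use {sorted(EXPECTED_SCHEMA_SUFFIX)}")
        elif not ds.user.upper().endswith(suffix):
            problems.append(f"{ds.name}: user {ds.user} is not a {suffix} schema user")
        # Each data source should use its own schema account, not a shared one
        if ds.user.upper() in seen_users:
            problems.append(f"{ds.name}: reuses schema user {ds.user} of {seen_users[ds.user.upper()]}")
        seen_users[ds.user.upper()] = ds.name
    for name in sorted(set(EXPECTED_SCHEMA_SUFFIX) - {ds.name for ds in sources}):
        problems.append(f"missing data source: {name}")
    return problems

# Constructed sample using the example values from Tables 17-9 and 17-10
SAMPLE = [
    DataSource("OIM JDBC", DRIVER_CLASS, "jdbc:oracle:thin:@igddbscan:1521/oim.example.com", "IGD_OIM"),
    DataSource("BPEL JDBC", DRIVER_CLASS, "jdbc:oracle:thin:@igddbscan:1521/oim.example.com", "IGD_SOAINFRA"),
]

if __name__ == "__main__":
    print("\n".join(validate(SAMPLE)) or "data source definitions look consistent")
```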
Deploying Oracle Identity Governance Reports to BI
Enable Certification Reports
- Log in to the Oracle Identity Self Service using the URL https://prov.example.com/identity.
- Click the Compliance tab.
- Click the Identity Certification box.
- Select Certification Configuration. The Certification Configuration page is displayed.
- Select Enable Certification Reports.
- Click Save.
Note:
By default, the Compliance tab is not shown. If you want to enable compliance functionality, you must first set the OIGIsIdentityAuditorEnabled property to true in the Sysadmin Console (located in the Configuration Properties section).
Validating the Reports
Create the sample data source so that you can generate reports against it.
Creating the Sample Reports
To view an example report data without running a report against the production JDBC Data Source, generate a sample report against the sample data source. Create the sample data source before you can generate the sample reports.
Generating Reports Against the Sample Data Source
- Log in to Oracle BI Publisher using the URL https://bi.example.com/xmlpserver.
- Click Shared Folders.
- Click Oracle Identity Manager Reports.
- Select Sample Reports.
- Click View for the sample report you want to generate.
- Select an output format for the sample report and click View.
The sample report is generated.
Generating Reports Against the Oracle Identity Manager JDBC Data Source
Generating Reports Against the BPEL-Based JDBC Data Source
Reports With Secondary Data Source
The following four reports have a secondary data source, which connects to the BPEL database to retrieve the BPEL data:
- Task Assignment History
- Request Details
- Request Summary
- Approval Activity
These reports have a secondary data source (BPEL-based JDBC data source) called BPEL JDBC. To generate reports against the BPEL-based JDBC data source:
Adding the Business Intelligence Load Balancer Certificate to Oracle Keystore Trust Service
The Oracle Identity Governance to Business Intelligence Reports link inside of the Self Service application requires that the SSL certificate used by the load balancer be added to the Oracle Keystore Service Trusted Certificates.
To add the certificate: