17 Configuring Oracle Identity Governance

Configuration of Oracle Identity Governance (OIG) comprises a series of steps, including integrating OIG with Oracle SOA suite, configuring the web tier, integrating OAM and OIG, configuring OIG workflow notifications, and so on. In the end, you back up the configuration.

This chapter includes the following topics:

Variables Used When Configuring Oracle Identity Governance

While configuring Oracle Identity Governance, you will reference the directory variables listed in this section.

The values for several directory variables are defined in File System and Directory Variables Used in This Guide.

  • IGD_ORACLE_HOME

  • IGD_ASERVER_HOME

  • IGD_MSERVER_HOME

  • APPLICATION_HOME

  • DEPLOY_PLAN_HOME

  • JAVA_HOME

  • DOMAIN_HOME

  • IDSTORE_DIRECTORYTYPE

  • IDSTORE_SEARCHBASE

  • IDSTORE_USERSEARCHBASE

  • IDSTORE_GROUPSEARCHBASE

  • IDSTORE_OIMADMINUSERDN

  • IDSTORE_OIMADMINUSER_PWD

  • IDSTORE_EMAIL_DOMAIN

  • OIM_HOST

  • OIM_PORT

  • WLS_OIM_SYSADMIN_USER

  • WLS_OIM_SYSADMIN_USER_PWD

  • OIM_WLS_HOST

  • OIM_WLS_PORT

  • OIM_WLS_ADMIN

  • OIM_SERVER_NAME

  • WL_HOME

  • OAM_HOST

  • OAM_PORT

  • ACCESS_SERVER_HOST

  • ACCESS_SERVER_PORT

  • ACCESS_GATE_ID

  • SSO_ACCESS_GATE_PASSWORD

  • COOKIE_DOMAIN

  • OAM_TRANSFER_MODE

  • OIM_LOGINATTRIBUTE

  • OAM11G_WLS_ADMIN_HOST

  • OAM11G_WLS_ADMIN_PORT

  • OIM_WLSHOST

  • OIM_WLSPORT

  • OIM_WLSADMIN

  • OIM_WLSADMIN_PWD

  • IDSTORE_OAMADMINUSER

  • IDSTORE_OAMADMINUSER_PWD

  • OAM11G_WLS_ADMIN_USER

  • OAM11G_WLS_ADMIN_PASSWD

  • IDSTORE_HOST

  • IDSTORE_PORT

  • IDSTORE_BINDDN

  • IDSTORE_BINDPWD

In addition, you'll be referencing the following virtual IP (VIP) address defined in Reserving the Required IP Addresses for an Enterprise Deployment:

  • ADMINVHN

Actions in this chapter will be performed on the following host computers:

  • OIMHOST1

  • OIMHOST2

  • WEBHOST1

  • WEBHOST2

Starting and Validating the Oracle Identity Governance Managed Servers

Now that you have extended the domain, started the Administration Server, and propagated the domain to the other hosts, you can start the newly configured Oracle Identity Governance Managed Servers.

This process involves three tasks as described in the following sections.

Starting the Oracle Identity Governance Managed Servers and Bootstrapping the Domain

Unlike previous releases, you no longer need to run the Oracle Identity Governance configuration wizard to deploy the OIM artifacts into the domain. However, you are required to bootstrap the domain. This automatically performs many of the actions that the OIM configuration wizard performed in previous releases.

Bootstrapping the domain is largely automatic and is performed by starting and stopping the managed servers in the domain in the following order:
  1. Start the Oracle SOA Suite Managed Server WLS_SOA1.
  2. Start the Oracle Identity Governance Managed Server WLS_OIM1.
    The bootstrap process starts the Managed Server, and then stops it again automatically. You may see a Failed status in the WebLogic console, which can be ignored.
  3. Stop the Oracle SOA Suite Managed Server WLS_SOA1.
  4. Stop WLS_OIM1.
  5. Stop the WebLogic Administration Server.
  6. Start the WebLogic Administration Server.
  7. Start the Oracle SOA Suite Managed Servers WLS_SOA1 and WLS_SOA2.
  8. Start the Oracle Identity Governance Managed Servers WLS_OIM1 and WLS_OIM2.
In order for the bootstrapping process to complete successfully, the OIM server must be started from the IGD_ASERVER_HOME directory. However, the Node Manager that runs out of IGD_ASERVER_HOME communicates using the igdadmin address. Rather than temporarily reconfiguring the Managed Servers to use this address, start the Managed Servers outside of Node Manager for the bootstrap process. Once the process is complete, the Managed Servers are moved to local storage, and Node Manager is configured to start and stop them.

To start the Managed Servers without Node Manager, run the following commands from the directory IGD_ASERVER_HOME/bin:

  • Command for starting the Oracle SOA Suite Managed Server: ./startManagedWebLogic.sh WLS_SOA1

  • Command for starting the Oracle Identity Governance Managed Server: ./startManagedWebLogic.sh WLS_OIM1

When you execute these commands, you are prompted for the WebLogic username and password. These commands run interactively, that is, after starting a Managed Server, control is not returned to the command line. This does not matter as it is a one-time operation.

Note:

You cannot perform these actions using Node Manager at this time.

Starting the WLS_SOA1 and WLS_OIM1 Managed Servers

To start the WLS_SOA1 and WLS_OIM1 Managed Servers:

  1. Enter the following URL into a browser to display the Fusion Middleware Control login screen:
    http://igdadmin.example.com/em

    Note:

    If you have already configured Web tier, use http://igdadmin.example.com/em.

  2. Log in to Fusion Middleware Control using the Administration Server credentials.
  3. In the Target Navigation pane, expand the domain to view the Managed Servers in the domain.
  4. Select only the WLS_WSM1 Managed Server and click Start Up on the Oracle WebLogic Server toolbar.
  5. When the startup operation is complete, navigate to the Domain home page and verify that the WLS_WSM1 Managed Server is up and running.
  6. Start the Managed Servers one after the other: wait until one is up and running, and then start the next one. Repeat for the servers WLS_SOA1 and WLS_OIM1.

Validating the Managed Server by Logging in to the Identity Console

Validate the Oracle Identity Manager Server instance by bringing up the Oracle Identity Manager Console in a Web browser at:

http://OIMHOST1.example.com:14000/identity/
http://OIMHOST1.example.com:14000/sysadmin/

Log in using the xelsysadm username and password.

Validate the SOA configuration by accessing:

http://OIMHOST1.example.com:8001/soa-infra

Starting and Validating WLS_SOA2, WLS_OIM2, and WLS_WSM2 Managed Servers

After validating the successful configuration and startup of the WLS_SOA1 and WLS_OIM1 Managed Servers, you can start and validate the WLS_SOA2, WLS_OIM2, and WLS_WSM2 Managed Servers.

To start and validate the WLS_SOA2 Managed Server, use the procedure in Starting and Validating the WLS_SOA1 Managed Server, substituting WLS_SOA2 for WLS_SOA1. Use the same procedure to start and validate the WLS_OIM2 and WLS_WSM2 Managed Servers.

For the validation URL, enter the following URL in your web browser and log in using the enterprise deployment administrator user:

  • For a static cluster: http://OIMHOST2:14000/identity

  • For a dynamic cluster: http://OIMHOST2:14001/identity

Analyzing the Bootstrap Report

When you start the Oracle Identity Governance server, the bootstrap report is generated at $IGD_ASERVER_HOME/servers/WLS_OIM1/logs/BootStrapReportPreStart.html.

The bootstrap report BootStrapReportPreStart.html is an HTML file that contains information about the topology that you have deployed, the system-level details, the connection details such as the URLs to be used, the connectivity check, and the task execution details. You can use this report to check whether the system is up, and to troubleshoot issues after configuration.

Every time you start the Oracle Identity Governance server, the bootstrap report is updated.

Sections in the Bootstrap Report

  • Topology Details

    This section contains information about your deployment. It shows whether you have configured a cluster, enabled SSL, or upgraded an Oracle Identity Manager environment from 11g to 12c.

  • System Level Details

    This section contains information about the JDK version, Database version, JAVA_HOME, DOMAIN_HOME, OIM_HOME, and MIDDLEWARE_HOME.

  • Connection Details

    This section contains connection details such as the Administration URL, OIM Front End URL, SOA URL, and RMI URL.

    It also shows whether the Administration Server, Database, and SOA server are up.

  • Execution Details

    This section lists the various tasks and their statuses.
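The report can be checked from a script rather than by reading the HTML by hand. The following added example (not Oracle's code) parses a BootStrapReportPreStart.html into its sections, lists the components in Connection Details reported as DOWN and the tasks in Execution Details whose status is FAILED; it assumes each section is a heading followed by a two-column table, and the embedded sample report is constructed to that layout, so adjust the heading names or row handling to match the file your server writes.

```python
import sys
from html.parser import HTMLParser

# Constructed sample in the layout this parser assumes: one heading per report
# section, each followed by a two-column (name, value) table.
SAMPLE_REPORT = """<html><body>
<h2>Topology Details</h2>
<table><tr><th>Property</th><th>Value</th></tr>
<tr><td>Cluster Setup</td><td>true</td></tr>
<tr><td>SSL Enabled</td><td>false</td></tr></table>
<h2>Connection Details</h2>
<table><tr><td>Administration URL</td><td>http://IGDADMINVHN.example.com:7101</td></tr>
<tr><td>Administration Server</td><td>UP</td></tr>
<tr><td>Database</td><td>UP</td></tr>
<tr><td>SOA Server</td><td>DOWN</td></tr></table>
<h2>Execution Details</h2>
<table><tr><td>Deploy OIM artifacts</td><td>SUCCESS</td></tr>
<tr><td>Register SOA composites</td><td>FAILED</td></tr></table>
</body></html>"""


class _ReportParser(HTMLParser):
    """Collects, for each section heading, the rows of the table that follows it."""

    def __init__(self):
        super().__init__()
        self.sections = {}      # heading text -> list of rows (list of cell texts)
        self._heading = None    # section currently being filled
        self._row = None        # cells of the row being read
        self._cell = None       # text of the cell being read
        self._in_heading = False

    def handle_starttag(self, tag, attrs):
        if tag in ("h1", "h2", "h3"):
            self._in_heading, self._heading = True, ""
        elif tag == "tr":
            self._row = []
        elif tag in ("td", "th"):
            self._cell = ""

    def handle_data(self, data):
        if self._in_heading:
            self._heading += data
        elif self._cell is not None:
            self._cell += data

    def handle_endtag(self, tag):
        if tag in ("h1", "h2", "h3"):
            self._in_heading = False
            self._heading = self._heading.strip()
            self.sections.setdefault(self._heading, [])
        elif tag in ("td", "th") and self._row is not None:
            self._row.append(self._cell.strip())
            self._cell = None
        elif tag == "tr" and self._row is not None:
            if self._heading and self._row:
                self.sections[self._heading].append(self._row)
            self._row = None


def parse_report(html_text):
    """Map each section heading of the report to its table rows."""
    parser = _ReportParser()
    parser.feed(html_text)
    return parser.sections


def _pairs(sections, section):
    """(name, value) pairs of a section; rows with fewer than two cells are skipped."""
    return [(row[0], row[1]) for row in sections.get(section, []) if len(row) >= 2]


def connectivity_failures(sections):
    """Components in Connection Details whose status cell is DOWN. URL rows
    (Administration URL, SOA URL, ...) carry no UP/DOWN status and are ignored."""
    return [name for name, value in _pairs(sections, "Connection Details")
            if value.upper() == "DOWN"]


def failed_tasks(sections):
    """Tasks in Execution Details whose status mentions FAIL."""
    return [name for name, status in _pairs(sections, "Execution Details")
            if "FAIL" in status.upper()]


if __name__ == "__main__":
    # Usage: python this_script.py $IGD_ASERVER_HOME/servers/WLS_OIM1/logs/BootStrapReportPreStart.html
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_REPORT
    report = parse_report(text)
    print("components down:", connectivity_failures(report))
    print("failed tasks:", failed_tasks(report))
```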

Validating the Fusion Middleware Control Application

After the bootstrap process has been executed and validated, access to the Fusion Middleware Control application should be available.

To navigate to the Fusion Middleware Control application, enter the following URL, and log in with the Oracle WebLogic Server administrator credentials:
http://IGDADMINVHN.example.com:7101/em

Configuring the Web Tier for the Domain

Configure the web server instances on the web tier so that the instances route requests for both public and internal URLs to the proper clusters in the extended domain.

For additional steps in preparation for possible scale-out scenarios, see Updating Cross Component Wiring Information.

Integrating Oracle Identity Governance with Oracle SOA Suite

Use the Enterprise Manager console to integrate Oracle Identity Governance with Oracle SOA Suite.

To integrate Oracle Identity Governance with Oracle SOA suite:
  1. Log in to Oracle Fusion Middleware Control using the following URL:
    http://igdadmin.example.com/em

    or

    http://IGDADMINVHN.example.com:7101/em

    The Administration Server host and port number were in the URL on the End of Configuration screen (Writing Down Your Domain Home and Administration Server URL). The default Administration Server port number is 7101.

    The login credentials were provided on the Administrator Account screen (Configuring the Administrator Account).

  2. Click weblogic_domain, and then click System MBean Browser.
  3. In the search box, enter OIMSOAIntegrationMBean, and click Search. The MBean is displayed.

    Note:

    If Oracle Identity Governance is still starting (coming up) or has just started (RUNNING mode), Enterprise Manager does not show any MBeans defined by OIM. Wait for two minutes for the server to start, and then search for the MBean again in the System MBean Browser of Enterprise Manager.

  4. Go to the Operations tab of the MBean, and select integrateWithSOAServer.
  5. Enter the following information:
    • Weblogic Administrator User Name: Enter the name of the WebLogic domain administrator account. For example, weblogic.
    • Weblogic Administrator Password: Enter the password for the above account.
    • OIM Front end URL: Set this to the load balancer virtual host used for internal call backs. For example:

      http://igdinternal.example.com:7777/

    • OIM External Front End URL: Set this URL to the main load balancer virtual host used for Oracle Identity Governance. For example:

      https://prov.example.com:443/

    • SOA SOAP URL: Set this URL to the load balancer virtual host used for internal call backs. For example:

      http://igdinternal.example.com:7777/

    • SOA RMI URL: Set this URL to the load balancer virtual host used for internal call backs. For example:

      http://igdinternal.example.com:7777/

    • UMS Webservice URL: Set this URL to the load balancer virtual host used for internal call backs. For example:

      http://igdinternal.example.com:7777/ucs/messaging/webservice

  6. Click Invoke.

Validating the Oracle SOA Suite URLs Through the Load Balancer

To validate the configuration of the Oracle HTTP Server virtual hosts and to verify that the hardware load balancer can route requests through the Oracle HTTP Server instances to the application tier:

  1. Verify that the server status is reported as Running in the Administration Console.

    If the server is shown as Starting or Resuming, wait for the server status to change to Started. If another status is reported (such as Admin or Failed), check the server output log files for errors.

  2. Verify that you can access these URLs:

    Note:

    It is not necessary at this stage to attempt to log in to the individual pages. All you are checking is that the pages can be accessed through the load balancer and the web server.
    • http://igdinternal.example.com:7777/soa-infra

    • http://igdinternal.example.com:7777/integration/worklistapp

    • http://igdinternal.example.com:7777/soa/composer

Managing the Notification Service

An event is an operation that occurs in Oracle Identity Manager, such as user creation, request initiation, or any custom event created by the user. These events are generated as part of the business operations or through the generation of errors. Event definition is the metadata that describes the event.

To define the metadata for events, you must identify all event types supported by a functional component. For example, as a part of the scheduler component, metadata is defined for a scheduled job execution failure and shutting down of the scheduler. Every time a job fails or the scheduler shuts down, the associated events get triggered, and the notifications associated with the event get sent.

The data available in the event is used to create the content of the notification. The different parameters defined for an event help the system to select the appropriate notification template. The various parameters defined for an event help the system decide which event variables should be made available at template design time.

A notification template is used to send notifications. These templates contain variables that refer to available data to provide more context to the notifications. The notification is sent through a notification provider. Examples of such channels are e-mail, Instant Messaging (IM), Short Message Service (SMS), and voice. To use these notification providers, Oracle Identity Manager uses Oracle User Messaging Service (UMS).

At the back end, the notification engine is responsible for generating the notification and utilizing the notification provider to send the notification.

Using SMTP for Notification

Using SMTP for notification involves configuring the SMTP email notification provider properties and adding the CSF key.

Configuring the SMTP Email Notification Provider Properties

To configure the SMTP Email Notification Provider properties by using the EmailNotificationProviderMBean MBean:

  1. Log in to the Oracle Fusion Middleware Control using the following URL:
    http://igdadmin.example.com/em

    or

    http://igdadmin.example.com:7101/em

    The Administration Server host and port number were in the URL on the End of Configuration screen (Writing Down Your Domain Home and Administration Server URL). The default Administration Server port number is 7001.

    The login credentials were provided on the Administrator Account screen (Configuring the Administrator Account).

  2. Click weblogic_domain, and then click System MBean Browser.
  3. In the search box, enter EmailNotificationProviderMBean, and click Search. The MBean is displayed.

    Note:

    If Oracle Identity Governance is still starting (coming up) or has just started (RUNNING mode), Enterprise Manager does not show any MBeans defined by OIM. Wait for two minutes for the server to start, and then search for the MBean again in the System MBean Browser of Enterprise Manager.
  4. Ensure that the correct information is entered for your email server, in particular:

    Table 17-1 SMTP Email Notification Provider Properties

    • CSFKey: Set this to the name of a CSF credential. It can be any name; the same name is used when adding the CSF key. For example, mailUser.

    • Enabled: Set to true.

    • MailServerName: Set to the host name of your email server.

    • WSUrl: http://igdinternal.example.com/ucs/messaging/webservice

  5. Click Apply to save the changes.

Adding a CSF Key

To add a CSF key:

  1. Login to Oracle Enterprise Manager.
  2. Click WebLogic Domain and select Security > Credentials.
  3. Expand oracle.wsm.security and click Create Key.
  4. Enter the following information.

    Table 17-2 CSF Key Properties

    • Key name: Enter the value of the credential key. This must be the same value as defined in Using SMTP for Notification. For example, mailUser.

    • Username: Enter the name of the user you use to authenticate with your email server.

    • Password/Confirm Password: Enter the password of the user you use to authenticate with your email server.

    • Description: Provide a description of the key being created. For example, Mail Server Credentials.

  5. Click OK.

Configuring the Messaging Drivers

Each messaging driver needs to be configured. You have to configure this service if you want to enable OAM's forgotten password functionality.

Configuring the Email Driver

To configure the driver to send emails, perform the following steps:

  1. Log in to the Oracle Fusion Middleware Control.
  2. Click the Target Navigation icon next to the Domain name.
  3. Click usermessagingserver (WLS_SOA1) under User Messaging Service. A list of all the drivers is shown.
  4. Click Configure Driver next to the User Messaging Email Driver.
  5. If a configuration does not exist, click Create. If the configuration exists, click Edit.
  6. Update the attributes with the required details.

    Table 17-3 Configuring the Email Driver Attributes

    • Name: MyemailServer

    • Sender Address: Enter the From email address for the emails you wish to send, in the format EMAIL:myuser@example.com

    • Capability: Choose whether you are going to send or receive emails.

    Complete the following Email Properties using the values specific to your organisation. Contact your email administrator for the details. The properties below are for sending only; refer to the documentation for the properties needed to receive email.

    • Outgoing Mail Server

    • Outgoing Mail Server Port

    • Outgoing Email Server Security

    • Outgoing User Name and Password, if your email server requires them.

  7. Click Test to validate the information.
  8. Click OK to save the information.

Increasing Database Connection Pool Size

The default database connection pool size needs to be increased when Oracle Identity Governance is used in conjunction with a connector that allows interactions with an LDAP directory.

To do this, complete the following steps:
  1. Log in to the WebLogic Server Administration Console in IAMGovernanceDomain.
  2. Click Lock & Edit.
  3. Click Services and then click Data Sources.
  4. Click the data source mds-oim.
  5. Go to the Connection Pool tab.
  6. Modify the following properties with the values specified:
    • Initial Capacity: 50
    • Maximum Capacity: 150
    • Minimum Capacity: 50
    • Inactive Connection Timeout: 30 (change this from whatever value is currently set)

    Note:

    Inactive Connection Timeout is in the Advanced section.
  7. Click Save.
  8. Click Activate Changes.
  9. You receive the message "All changes have been activated. No restarts are necessary."

Forcing Oracle Identity Governance to use Correct Multicast Address

Oracle Identity Governance uses multicast for certain functions. By default, the Managed Servers communicate using the multicast address assigned to the primary host name. If you want multicast to use a different network, for example the internal network, complete the following additional steps:

  1. Log in to the WebLogic Administration console using the following URL:

    http://IGDADMIN.example.com/console

  2. Under Domain Structure, click Environment and then expand Servers. The Summary of Servers page is displayed.
  3. Click Lock & Edit.
  4. Click the OIM Managed Server name, for example, WLS_OIM1 on the list of servers. The Settings for WLS_OIM1 are displayed.
  5. Go to the Server Start tab.
  6. Add the following line to the arguments field:

    -Dmulticast.bind.address=OIMHOST1

  7. Click Save.
  8. Repeat for the Managed Server WLS_OIM2. When doing so, make sure you add the following line to the arguments field:

    -Dmulticast.bind.address=OIMHOST2

  9. Click Activate Changes and restart the managed servers WLS_OIM1 and WLS_OIM2.

Integrating Oracle Identity Governance with LDAP

Integrating Oracle Identity Governance includes the following topics:

Installing the Connector Bundle

  1. Download the Connector bundle from the artifactory: Download Connector Bundle

    • For OID or OUD, download the Connector bundle corresponding to Oracle Internet Directory.

    Note:

    For all directory types, the required Connector version for OIG-OAM integration is 12.2.1.3.0.
  2. Unzip the Connector bundle to the desired connector path under $ORACLE_HOME/idm/server/ConnectorDefaultDirectory.

    For example:

    $IGD_ORACLE_HOME/idm/server/ConnectorDefaultDirectory

Configuring the Oracle Connector for LDAP

The Oracle Connector for LDAP allows you to store users and passwords in a certified LDAP directory. Configure the connector before using it. Perform the following steps to configure the connector:

  1. Change directory to IGD_ORACLE_HOME/idm/server/ssointg/config.

  2. Edit the file configureLDAPConnector.config shown below:

    ##-----------------------------------------------------------##
    ## [configureLDAPConnector]
    IDSTORE_DIRECTORYTYPE=OUD
    IDSTORE_HOST=idstore.example.com
    IDSTORE_PORT=1389
    IDSTORE_BINDDN=cn=oudadmin
    IDSTORE_OIMADMINUSERDN=cn=oimLDAP,cn=systemids,dc=example,dc=com
    IDSTORE_SEARCHBASE=dc=example,dc=com
    IDSTORE_USERSEARCHBASE=cn=Users,dc=example,dc=com
    IDSTORE_GROUPSEARCHBASE=cn=Groups,dc=example,dc=com
    IDSTORE_USERSEARCHBASE_DESCRIPTION=Default user container
    IDSTORE_GROUPSEARCHBASE_DESCRIPTION=Default group container
    IDSTORE_EMAIL_DOMAIN=example.com
    OIM_HOST=OIMHOST1.example.com
    OIM_PORT=14000
    WLS_OIM_SYSADMIN_USER=xelsysadm
    OIM_WLSHOST=IGDADMINVHN.example.com
    OIM_WLSPORT=7101
    OIM_WLSADMIN=weblogic
    OIM_SERVER_NAME=oim_server1
    CONNECTOR_MEDIA_PATH=IGD_ORACLE_HOME/idm/server/ConnectorDefaultDirectory/OID-12.2.1.3.0

    Note:

    You can also specify the passwords directly in the file, if required. If you do not specify the passwords, you will be prompted for them at runtime.

    The password parameters are:

    • OIM_WLSADMIN_PWD
    • IDSTORE_BINDDN_PWD
    • WLS_OIM_SYSADMIN_USER_PWD
    • ADMIN_USER_PWD
    • IDSTORE_OIMADMINUSER_PWD

    Save the file when done.

    The following table describes the properties in configureLDAPConnector.config.

    Table 17-4 Configure LDAPConnector Properties

    • IDSTORE_HOST: The load balancer name for the LDAP directory. For example, idstore.example.com.

    • IDSTORE_PORT: The LDAP port on the load balancer. For example, 1389 for OUD.

    • IDSTORE_DIRECTORYTYPE: The type of LDAP directory you are using (OUD).

    • IDSTORE_BINDDN: The credential used to connect to the directory to perform administrative actions. For example, oudadmin for OUD.

    • IDSTORE_SEARCHBASE: The root of the directory tree.

    • IDSTORE_USERSEARCHBASE: The location in the directory where users are stored.

    • IDSTORE_GROUPSEARCHBASE: The location in the directory where groups are stored.

    • IDSTORE_OIMADMINUSERDN: The name of the user that OIM uses to connect to LDAP.

    • IDSTORE_EMAIL_DOMAIN: The email domain.

    • OIM_HOST: The host name that the OIM Managed Server WLS_OIM1 is listening on. For example, OIMHOST1.

    • OIM_PORT: The port number of the WLS_OIM1 Managed Server.

    • WLS_OIM_SYSADMIN_USER: The OIM administrator account. For example, xelsysadm.

    • OIM_WLSHOST: The listen address of the IAMGovernanceDomain Administration Server. For example, IGDADMINVHN.

    • OIM_WLSPORT: The Administration Server port. For example, 7101.

    • OIM_WLSADMIN: The name of the IAMGovernanceDomain administration user. For example, weblogic.

    • CONNECTOR_MEDIA_PATH: The location where you have installed the connector.

    • OIM_SERVER_NAME: The name of the running OIM Managed Server. For example, wls_oim1.

    Note:

    You should use the same values as you specified for these parameters in Creating a Configuration File.
  3. Locate the properties file, ssointg-config.properties, available at IGD_ORACLE_HOME/idm/server/ssointg/config/ and set the configureLDAPConnector value to true. All other values should be set to false.

    ##-----------------------------------------------------------##
    
    generateIndividualConfigFiles=false
    prepareIDStore=false
    configOAM=false
    addMissingObjectClasses=false
    populateOHSRules=false
    configureWLSAuthnProviders=false
    configureLDAPConnector=true
    ## configureLDAPConnector takes care of updating container rules
    ## Additional option is provided in case rules need to be updated again
    updateContainerRules=false
    configureSSOIntegration=false
    enableOAMSessionDeletion=false
  4. Execute the script OIGOAMIntegration to configure the connector. For example:

    cd IGD_ORACLE_HOME/idm/server/ssointg/bin
    export JAVA_HOME=JAVA_HOME
    export ORACLE_HOME=IGD_ORACLE_HOME
    export WL_HOME=IGD_ORACLE_HOME/wlserver
    chmod 750 _OIGOAMIntegration.sh OIGOAMIntegration.sh
    ./OIGOAMIntegration.sh -configureLDAPConnector

Add Missing Object Classes

If any users existed in LDAP before Oracle Identity Manager was enabled, those users may be missing the object classes used to control OIM/OAM integration. To add the missing object classes to these users, run the following commands:

Note:

To successfully execute this process, the ldapsearch binary is required to be in your user's PATH and the screen package is required to be installed on your host.
  1. Change directory to IGD_ORACLE_HOME/idm/server/ssointg/config

  2. Edit the file addMissingObjectClasses.config updating the properties as shown below:

    IDSTORE_DIRECTORYTYPE: OUD
    IDSTORE_HOST: idstore.example.com
    IDSTORE_PORT: 1389
    IDSTORE_BINDDN: cn=oudadmin
    IDSTORE_USERSEARCHBASE: cn=Users,dc=example,dc=com

    Save the file when done.

    Table 17-5 Properties of addMissingObjectClasses.config

    • IDSTORE_HOST: The load balancer name for the LDAP directory. For example, idstore.example.com.

    • IDSTORE_PORT: The LDAP port on the load balancer. For example, 1389 for OUD.

    • IDSTORE_DIRECTORYTYPE: The type of LDAP directory you are using (OUD).

    • IDSTORE_BINDDN: The credential used to connect to the directory to perform administrative actions. For example, oudadmin for OUD.

    • IDSTORE_USERSEARCHBASE: The location in the directory where user information is stored.

  3. Execute the script OIGOAMIntegration. For example:

    cd IGD_ORACLE_HOME/idm/server/ssointg/bin
    export JAVA_HOME=JAVA_HOME
    export ORACLE_HOME=IGD_ORACLE_HOME
    export WL_HOME=IGD_ORACLE_HOME/wlserver
    ./OIGOAMIntegration.sh -addMissingObjectClasses

    You will be prompted to enter the password of the LDAP directory administrator account.

Restart Domains

Restart the IAMAccessDomain and the IAMGovernanceDomain domains.

Integrating Oracle Identity Governance and Oracle Access Manager

You have to complete several tasks to integrate Oracle Identity Governance and Oracle Access Manager. These tasks include creating the WLS authentication providers, deleting OIMSignatureAuthenticator and recreating OUDAuthenticator, adding the administration role to the new administration group, and so on.

Configuring SSO Integration in the IAMGovernanceDomain

Having deployed the connector, the next step is to configure SSO in the domain. To do this, perform the following steps:

  1. Change directory to IGD_ORACLE_HOME/idm/server/ssointg/config

  2. Edit the file configureSSOIntegration.config updating the properties in the section configureSSOIntegration as shown below:

    ##-----------------------------------------------------------##
    ## [configureSSOIntegration]
    OAM_HOST: login.example.com
    OAM_PORT: 443
    OAM_PORT: 80
    ACCESS_SERVER_HOST:OAMHOST1.example.com
    ACCESS_SERVER_PORT: 5575
    OAM_SERVER_VERSION: 12c
    WEBGATE_TYPE: ohsWebgate12c
    COOKIE_DOMAIN: example.com
    OAM_TRANSFER_MODE: open
    OIM_LOGINATTRIBUTE: uid
    SSO_INTEGRATION_MODE: CQR
    OAM11G_WLS_ADMIN_HOST: IADADMINVHN.example.com
    OAM11G_WLS_ADMIN_PORT: 7001
    OAM11G_WLS_ADMIN_USER: weblogic
    OAM11G_WLS_ADMIN_PASSWD: <PASSWORD>
    OAM11G_IDSTORE_NAME: OAMIDSTORE
    ## Required if OAM_TRANSFER_MODE is not OPEN
    OIM_WLSHOST:IGDADMINVHN.example.com
    OIM_WLSPORT: 7101
    OIM_WLSADMIN: weblogic
    IDSTORE_OAMADMINUSER_PWD: <password>
    OIM_SERVER_NAME: WLS_OIM1
    IDSTORE_OAMADMINUSER: oamadmin
    

    Save the file when done.

    Where:

    Table 17-6 Configure SSOIntegration Properties

    • OAM_HOST: The listen address of the front-end load balancer for the OAM cluster.

    • OAM_PORT: The port of the front-end load balancer for the OAM cluster.

    • ACCESS_SERVER_HOST: Always the same as OAM_HOST.

    • ACCESS_SERVER_PORT: The OAM proxy port number.

    • ACCESS_GATE_ID: The name of the WebGate agent created in Creating a Configuration File.

    • COOKIE_DOMAIN: The value assigned in Creating a Configuration File.

    • OAM_TRANSFER_MODE: The value assigned in Creating a Configuration File.

    • OIM_LOGINATTRIBUTE: The LDAP attribute containing the user's login name, usually uid or cn.

    • OAM11G_WLS_ADMIN_HOST: The listen address of the Administration Server in the domain IAMAccessDomain. For example, IADADMINVHN.

    • OAM11G_WLS_ADMIN_PORT: The listen port of the Administration Server in the domain IAMAccessDomain. For example, 7001.

    • OAM11G_WLS_ADMIN_PASSWD: Optional password for OAM11G_WLS_ADMIN_USER.

    • OAM11G_WLS_ADMIN_USER: The administration user of the IAD Administration Server.

    • OIM_WLSHOST: The listen address of the OIM Administration Server. For example, IGDADMINVHN.example.com.

    • OIM_WLSPORT: The listen port of the OIM Administration Server. For example, 7101.

    • OIM_WLSADMIN: The administration user of the OIM Administration Server. For example, weblogic.

    • OIM_SERVER_NAME: The name of the running OIM Managed Server. For example, WLS_OIM1.

    • IDSTORE_OAMADMINUSER: The value assigned to IDSTORE_OAMADMINUSER in Creating a Configuration File.

    • IDSTORE_OAMADMINUSER_PWD: Optional. The password of the IDSTORE_OAMADMINUSER account.

    • OAM_SERVER_VERSION: The version of OAM used for the integration.

    • WEBGATE_TYPE: The type of WebGate used for the integration.

    • OAM11G_IDSTORE_NAME: The name of the identity store configured in OAM. The default name is OAMIDSTORE.

  3. Execute the script OIGOAMIntegration to configure SSO integration.

    For example:

    cd IGD_ORACLE_HOME/idm/server/ssointg/bin
    export JAVA_HOME=JAVA_HOME
    export ORACLE_HOME=IGD_ORACLE_HOME
    export WL_HOME=IGD_ORACLE_HOME/wlserver
    ./OIGOAMIntegration.sh -configureSSOIntegration
  4. Restart the domains IAMAccessDomain and IAMGovernanceDomain.
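Before running OIGOAMIntegration.sh, the config files can be sanity-checked for the mistakes that are easy to make when editing by hand: a key defined twice (the last definition wins), a required key missing, or a password left in the file after the run. The following added example (not part of OIG) does this for configureLDAPConnector.config from Configuring the Oracle Connector for LDAP and for configureSSOIntegration.config above, and reports which actions in ssointg-config.properties are enabled; the required-key lists are taken from this chapter's sample files, and the embedded sample inputs are constructed, with a made-up password in place of the <PASSWORD> placeholder.

```python
import re
from collections import Counter

# Key/value lines appear in both "KEY=value" and "KEY: value" forms in this chapter.
_KV = re.compile(r"^\s*([A-Za-z0-9_]+)\s*[=:]\s*(.*?)\s*$")
# Values that mean "prompt me at runtime" rather than a stored password.
_PLACEHOLDERS = {"", "<password>", "<PASSWORD>"}

# Keys present in the chapter's sample files; extend if your files carry more.
REQUIRED = {
    "configureLDAPConnector": [
        "IDSTORE_DIRECTORYTYPE", "IDSTORE_HOST", "IDSTORE_PORT", "IDSTORE_BINDDN",
        "IDSTORE_OIMADMINUSERDN", "IDSTORE_SEARCHBASE", "IDSTORE_USERSEARCHBASE",
        "IDSTORE_GROUPSEARCHBASE", "OIM_HOST", "OIM_PORT", "WLS_OIM_SYSADMIN_USER",
        "OIM_WLSHOST", "OIM_WLSPORT", "OIM_WLSADMIN", "OIM_SERVER_NAME",
        "CONNECTOR_MEDIA_PATH",
    ],
    "configureSSOIntegration": [
        "OAM_HOST", "OAM_PORT", "ACCESS_SERVER_HOST", "ACCESS_SERVER_PORT",
        "COOKIE_DOMAIN", "OAM_TRANSFER_MODE", "OIM_LOGINATTRIBUTE",
        "OAM11G_WLS_ADMIN_HOST", "OAM11G_WLS_ADMIN_PORT", "OAM11G_WLS_ADMIN_USER",
        "OIM_WLSHOST", "OIM_WLSPORT", "OIM_WLSADMIN", "OIM_SERVER_NAME",
    ],
}


def parse_config(text):
    """Return (entries, duplicates). entries maps key -> value in file order;
    duplicates lists keys defined more than once (the last definition wins,
    which is how a stray second OAM_PORT line silently overrides the first)."""
    entries, seen = {}, Counter()
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        match = _KV.match(line)
        if match:
            key, value = match.group(1), match.group(2)
            seen[key] += 1
            entries[key] = value
    return entries, [key for key, count in seen.items() if count > 1]


def check_config(text, section):
    """Findings for one config file (an empty list means it is ready to run)."""
    entries, duplicates = parse_config(text)
    findings = [f"duplicate key {k} (last value wins)" for k in duplicates]
    findings += [f"missing required key {k}" for k in REQUIRED[section]
                 if k not in entries]
    for key, value in entries.items():
        # The chapter allows passwords in the file instead of prompting; flag a
        # stored one so it is removed once OIGOAMIntegration.sh has run.
        if key.endswith(("_PWD", "_PASSWD")) and value not in _PLACEHOLDERS:
            findings.append(f"cleartext password stored in {key}")
    return findings


def enabled_actions(properties_text):
    """Flags set to true in ssointg-config.properties; the chapter expects
    exactly one per OIGOAMIntegration.sh run."""
    entries, _ = parse_config(properties_text)
    return [key for key, value in entries.items() if value.lower() == "true"]


# Constructed sample: the chapter's configureSSOIntegration.config with a
# made-up password filled in instead of the <PASSWORD> placeholder.
SAMPLE_SSO_CONFIG = """##-----------------------------------------------------------##
## [configureSSOIntegration]
OAM_HOST: login.example.com
OAM_PORT: 443
OAM_PORT: 80
ACCESS_SERVER_HOST:OAMHOST1.example.com
ACCESS_SERVER_PORT: 5575
COOKIE_DOMAIN: example.com
OAM_TRANSFER_MODE: open
OIM_LOGINATTRIBUTE: uid
OAM11G_WLS_ADMIN_HOST: IADADMINVHN.example.com
OAM11G_WLS_ADMIN_PORT: 7001
OAM11G_WLS_ADMIN_USER: weblogic
OAM11G_WLS_ADMIN_PASSWD: NotARealPassword1
OIM_WLSHOST:IGDADMINVHN.example.com
OIM_WLSPORT: 7101
OIM_WLSADMIN: weblogic
IDSTORE_OAMADMINUSER_PWD: <password>
OIM_SERVER_NAME: WLS_OIM1
"""

# Constructed sample: ssointg-config.properties as set for the LDAP connector step.
SAMPLE_PROPERTIES = """generateIndividualConfigFiles=false
configureLDAPConnector=true
## configureLDAPConnector takes care of updating container rules
updateContainerRules=false
configureSSOIntegration=false
"""

if __name__ == "__main__":
    for finding in check_config(SAMPLE_SSO_CONFIG, "configureSSOIntegration"):
        print("finding:", finding)
    print("enabled actions:", enabled_actions(SAMPLE_PROPERTIES))
```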

Enable OAM Notifications

Having deployed the connector, the next step is to tell OIM how to interact with OAM so that a user's session is terminated after the user has expired or been terminated. To do this, perform the following steps:

  1. Change directory to IGD_ORACLE_HOME/idm/server/ssointg/config.

  2. Edit the file enableOAMSessionDeletion.config updating the properties in the section enableOAMNotifications as shown below:

    ##-----------------------------------------------------------##
    
    ## [enableOAMNotifications]
    OIM_WLSHOST: IGDADMINVHN.example.com
    OIM_WLSPORT: 7101
    OIM_WLSADMIN: weblogic
    IDSTORE_DIRECTORYTYPE: OUD
    IDSTORE_HOST: idstore.example.com
    IDSTORE_PORT: 1389
    IDSTORE_BINDDN: cn=oudadmin
    IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com
    IDSTORE_SYSTEMIDBASE: cn=systemids,dc=example,dc=com
    IDSTORE_OAMADMINUSER: oamAdmin
    IDSTORE_OAMSOFTWAREUSER: oamLDAP
    IDSTORE_USERSEARCHBASE: cn=Users,dc=example,dc=com
    OIM_SERVER_NAME: WLS_OIM1

    Where:

    Table 17-7 Properties of enableOAMSessionDeletion

    Attribute Description

    OIM_WLSHOST

    It is the listen address of the Administration Server in the domain IAMGovernanceDomain. For example: IGDADMINVHN.example.com.

    OIM_WLSPORT

    It is the port of the Administration Server in the domain IAMGovernanceDomain. For example: 7101.

    OIM_WLSADMIN

    It is the name of the WebLogic administrator in the IAMGovernanceDomain. For example: weblogic.

    IDSTORE_HOST

    It is the load balancer name for the LDAP directory. For example: idstore.example.com.

    IDSTORE_PORT

    It is the LDAP port of the load balancer. For example: 1389 for OUD.

    IDSTORE_BINDDN

    It is the credential used to connect to the directory to perform administrative actions. For example: oudadmin for OUD.

    IDSTORE_GROUPSEARCHBASE

    It is the location in the directory where groups are stored.

    IDSTORE_SYSTEMIDBASE

    It is the location of a container in the directory where system users can be placed when you do not want them in the main user container.

    IDSTORE_OAMADMINUSER

    It is the name of the user you want to create as your Access Manager Administrator.

    IDSTORE_OAMSOFTWAREUSER

    A user that gets created in LDAP that is used when Access Manager is running to connect to the LDAP server.

    IDSTORE_USERSEARCHBASE

    It is the location in the directory where users are stored.

    OIM_SERVER_NAME

    The name of the OIM server. For example: oim_server1.

  3. Execute the script OIGOAMIntegration for enabling notifications.

    For example:

    cd IGD_ORACLE_HOME/idm/server/ssointg/bin
    export JAVA_HOME=JAVA_HOME
    export ORACLE_HOME=IGD_ORACLE_HOME
    export WL_HOME=IGD_ORACLE_HOME/wlserver
    ./OIGOAMIntegration.sh -enableOAMSessionDeletion
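    As an added pre-flight check (this is not part of the Oracle documentation or of the ssointg tooling), the following Python script parses a ssointg configuration file and confirms that every attribute Table 17-7 lists for the enableOAMNotifications section is present and non-empty before OIGOAMIntegration.sh is run; it also flags ports that are not numeric and values that still hold a placeholder. It assumes the file layout shown above: a section is introduced by a "## [name]" line and entries are "KEY: value" lines. The embedded sample is a copy of that excerpt, not a file read from a live system.

```python
import re
from typing import Dict, List

# Required attributes of the [enableOAMNotifications] section, taken from Table 17-7.
REQUIRED_KEYS = (
    "OIM_WLSHOST", "OIM_WLSPORT", "OIM_WLSADMIN",
    "IDSTORE_HOST", "IDSTORE_PORT", "IDSTORE_BINDDN",
    "IDSTORE_GROUPSEARCHBASE", "IDSTORE_SYSTEMIDBASE",
    "IDSTORE_OAMADMINUSER", "IDSTORE_OAMSOFTWAREUSER",
    "IDSTORE_USERSEARCHBASE", "OIM_SERVER_NAME",
)
NUMERIC_KEYS = ("OIM_WLSPORT", "IDSTORE_PORT")

# Assumption: a section starts with a '## [name]' line and entries are 'KEY: value'
# lines, as in the enableOAMSessionDeletion.config excerpt shown in this section.
SECTION_RE = re.compile(r"^##\s*\[(?P<name>[^\]]+)\]\s*$")
ENTRY_RE = re.compile(r"^(?P<key>[A-Za-z_][A-Za-z0-9_]*)\s*:\s*(?P<value>.*)$")

# Constructed sample copied from the excerpt above; not read from a live system.
SAMPLE_CONFIG = """\
##-----------------------------------------------------------##

## [enableOAMNotifications]
OIM_WLSHOST: IGDADMINVHN.example.com
OIM_WLSPORT: 7101
OIM_WLSADMIN: weblogic
IDSTORE_DIRECTORYTYPE: OUD
IDSTORE_HOST: idstore.example.com
IDSTORE_PORT: 1389
IDSTORE_BINDDN: cn=oudadmin
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com
IDSTORE_SYSTEMIDBASE: cn=systemids,dc=example,dc=com
IDSTORE_OAMADMINUSER: oamAdmin
IDSTORE_OAMSOFTWAREUSER: oamLDAP
IDSTORE_USERSEARCHBASE: cn=Users,dc=example,dc=com
OIM_SERVER_NAME: WLS_OIM1
"""


def parse_ssointg_config(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the file into {section: {key: value}}.

    Blank lines and '#' lines that are not section headers are ignored;
    entries that appear before the first section header are dropped.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group("name").strip()
            sections.setdefault(current, {})
            continue
        if line.startswith("#"):
            continue  # comment or decorative rule
        entry = ENTRY_RE.match(line)
        if entry and current is not None:
            sections[current][entry.group("key")] = entry.group("value").strip()
    return sections


def check_oam_notifications(sections: Dict[str, Dict[str, str]]) -> List[str]:
    """Return a list of problems; an empty list means the section is complete."""
    sect = sections.get("enableOAMNotifications")
    if sect is None:
        return ["section [enableOAMNotifications] not found"]
    problems: List[str] = []
    for key in REQUIRED_KEYS:
        if not sect.get(key):
            problems.append(f"{key} is missing or empty")
    for key in NUMERIC_KEYS:
        value = sect.get(key, "")
        if value and not value.isdigit():
            problems.append(f"{key} is not numeric: {value!r}")
    for key, value in sect.items():
        if "<" in value or ">" in value:
            problems.append(f"{key} still holds a placeholder: {value!r}")
    return problems


if __name__ == "__main__":
    found = check_oam_notifications(parse_ssointg_config(SAMPLE_CONFIG))
    print("OK" if not found else "\n".join(found))
```

    Point the script at the real file (read IGD_ORACLE_HOME/idm/server/ssointg/config/enableOAMSessionDeletion.config instead of SAMPLE_CONFIG) and resolve every reported problem before running the integration script; the script itself gives less useful feedback when an attribute is absent.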

Update Value of MatchLDAPAttribute in oam-config.xml

To complete the Oracle Identity Governance integration with Oracle Access Manager, one of the settings in the Oracle Access Manager's oam-config.xml file needs to be changed. As of version 12c, this file is stored in the database and should not be edited directly.

The procedure below shows how to use the REST API to change one of the values in the oam-config.xml file:

Note:

Ensure that the cURL package has been added to the host by executing which curl at the command line. If the package is not installed, an administrator must install the package by executing yum install curl.
  1. Find the component number of the DAPModule, by executing the following:
    curl -i -u weblogic:<password> http://IADADMINVHN:7001/iam/admin/config/api/v1/config?path=/DeployedComponent/Server/NGAMServer/Profile/AuthenticationModules/DAPModules

    where:

    • weblogic: The WebLogic administrative user configured in OUD.
    • <password>: The above user's password.
    • IADADMINVHN: The VIP at which the Access Manager domain Admin Console runs.
    • 7001: The port at which the Access Manager domain Admin Console runs.

    Example output:

    HTTP/1.1 200 OK
    Date: Tue, 09 Jul 2019 20:30:33 GMT
    Content-Length: 625
    Content-Type: text/xml
    X-ORACLE-DMS-ECID: 6f9baf65-751b-4fc9-b2e1-ade5b38063ff-00000427
    X-ORACLE-DMS-RID: 0
    Set-Cookie: JSESSIONID=g3LYbkLA2bs5-9zfoMBqKTBbk0mky_8URGgzFnbNkm8n3tK63tq4!1064195705; path=/; HttpOnly
    <Configuration xmlns="http://www.w3.org/2001/XMLSchema" schemaLocation="http://higgins.eclipse.org/sts/Configuration Configuration.xsd" Path="/DeployedComponent/Server/NGAMServer/Profile/AuthenticationModules/DAPModules">
    <Setting Name="DAPModules" Type="htf:map">
        <Setting Name="7DASE52D" Type="htf:map">
          <Setting Name="MAPPERCLASS" Type="xsd:string">oracle.security.am.engine.authn.internal.executor.DAPAttributeMapper</Setting>
          <Setting Name="MatchLDAPAttribute" Type="xsd:string">User Name</Setting>
          <Setting Name="name" Type="xsd:string">DAP</Setting>
        </Setting>
      </Setting>

    Note:

    Note the component number on the line immediately below "<Setting Name="DAPModules" Type="htf:map">"; it is needed for the configuration change. In the above example, "7DASE52D" is the component number. The value that needs to be changed is the value of MatchLDAPAttribute; in the above example, the current value is "User Name".
  2. Change directory to /tmp and create a configuration file MatchLDAPAttribute_input.xml with the following contents:
    <Configuration>
      <Setting Name="MatchLDAPAttribute" Type="xsd:string" Path="/DeployedComponent/Server/NGAMServer/Profile/AuthenticationModules/DAPModules/7DASE52D/MatchLDAPAttribute">uid</Setting>
    </Configuration>

    Note:

    The component number noted from above is inserted between DAPModules and the MatchLDAPAttribute portions of the path. The configuration file will change the value of MatchLDAPAttribute from User Name to uid.
  3. Insert the change back into the OAM configuration, by executing the following:
    curl -u weblogic:<password> -H 'Content-Type: text/xml' -X PUT http://IADADMINVHN:7001/iam/admin/config/api/v1/config -d @MatchLDAPAttribute_input.xml
  4. Validate the change with the same command you originally used to query the component, noting the value of the MatchLDAPAttribute tag:
    curl -i -u weblogic:<password> http://IADADMINVHN:7001/iam/admin/config/api/v1/config?path=/DeployedComponent/Server/NGAMServer/Profile/AuthenticationModules/DAPModules

    Example output:

    HTTP/1.1 200 OK
    Date: Tue, 09 Jul 2019 20:30:33 GMT
    Content-Length: 625
    Content-Type: text/xml
    X-ORACLE-DMS-ECID: 6f9baf65-751b-4fc9-b2e1-ade5b38063ff-00000427
    X-ORACLE-DMS-RID: 0
    Set-Cookie: JSESSIONID=g3LYbkLA2bs5-9zfoMBqKTBbk0mky_8URGgzFnbNkm8n3tK63tq4!1064195705; path=/; HttpOnly
    <Configuration xmlns="http://www.w3.org/2001/XMLSchema" schemaLocation="http://higgins.eclipse.org/sts/Configuration Configuration.xsd" Path="/DeployedComponent/Server/NGAMServer/Profile/AuthenticationModules/DAPModules">
    <Setting Name="DAPModules" Type="htf:map">
        <Setting Name="7DASE52D" Type="htf:map">
          <Setting Name="MAPPERCLASS" Type="xsd:string">oracle.security.am.engine.authn.internal.executor.DAPAttributeMapper</Setting>
          <Setting Name="MatchLDAPAttribute" Type="xsd:string">uid</Setting>
          <Setting Name="name" Type="xsd:string">DAP</Setting>
        </Setting>
      </Setting>
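    The following Python helper is an added example, not Oracle's code and not part of the OAM configuration REST API; it automates the bookkeeping in steps 1 to 4 above. It reads the XML body returned by the first curl command, extracts the component number of every DAP module together with its current MatchLDAPAttribute value, builds the PUT body used in step 3 (the contents of MatchLDAPAttribute_input.xml) for that component number, and checks the re-queried configuration from step 4 for the new value. The embedded response is a constructed copy of the example output above, not captured from a live server; it assumes the response is well-formed XML with the default namespace shown. Fetching and sending the documents is left to curl as in the procedure.

```python
import xml.etree.ElementTree as ET
from typing import Dict

DAP_PATH = "/DeployedComponent/Server/NGAMServer/Profile/AuthenticationModules/DAPModules"

# Constructed sample modelled on the example output above (not captured from a live
# server); in practice this is the body returned by the first curl command.
SAMPLE_RESPONSE = """\
<Configuration xmlns="http://www.w3.org/2001/XMLSchema" schemaLocation="http://higgins.eclipse.org/sts/Configuration Configuration.xsd" Path="/DeployedComponent/Server/NGAMServer/Profile/AuthenticationModules/DAPModules">
  <Setting Name="DAPModules" Type="htf:map">
    <Setting Name="7DASE52D" Type="htf:map">
      <Setting Name="MAPPERCLASS" Type="xsd:string">oracle.security.am.engine.authn.internal.executor.DAPAttributeMapper</Setting>
      <Setting Name="MatchLDAPAttribute" Type="xsd:string">User Name</Setting>
      <Setting Name="name" Type="xsd:string">DAP</Setting>
    </Setting>
  </Setting>
</Configuration>
"""


def _local(tag: str) -> str:
    """Strip the namespace prefix ET adds because the document declares a default xmlns."""
    return tag.rsplit("}", 1)[-1]


def dap_modules(xml_text: str) -> Dict[str, Dict[str, str]]:
    """Return {component_id: {setting_name: value}} for each module under DAPModules."""
    root = ET.fromstring(xml_text)
    modules: Dict[str, Dict[str, str]] = {}
    for node in root.iter():
        if _local(node.tag) != "Setting" or node.get("Name") != "DAPModules":
            continue
        for component in node:  # each child map is one DAP module keyed by its component number
            if _local(component.tag) != "Setting":
                continue
            modules[component.get("Name")] = {
                child.get("Name"): (child.text or "").strip()
                for child in component if _local(child.tag) == "Setting"
            }
    return modules


def build_update_document(component_id: str, new_value: str) -> str:
    """Build the PUT body (the contents of MatchLDAPAttribute_input.xml) for one component."""
    root = ET.Element("Configuration")
    setting = ET.SubElement(root, "Setting", Name="MatchLDAPAttribute", Type="xsd:string",
                            Path=f"{DAP_PATH}/{component_id}/MatchLDAPAttribute")
    setting.text = new_value
    return ET.tostring(root, encoding="unicode")


def verify_match_attribute(xml_text: str, component_id: str, expected: str) -> bool:
    """Step 4 of the procedure: confirm the re-queried configuration carries the new value."""
    return dap_modules(xml_text).get(component_id, {}).get("MatchLDAPAttribute") == expected


if __name__ == "__main__":
    for cid, settings in dap_modules(SAMPLE_RESPONSE).items():
        print(f"component {cid}: MatchLDAPAttribute = {settings.get('MatchLDAPAttribute')!r}")
        print(build_update_document(cid, "uid"))
```

    Walking the whole DAPModules map instead of reading one hard-coded component number matters when more than one DAP module is configured: each module has its own component number and its own MatchLDAPAttribute, and the Path in the PUT body must name the one you intend to change.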

Update TapEndpoint URL

For the OAM/OIM integration to work, you must update the OAM TapEndpoint URL. To do this, perform the following steps.

  1. Log in to Oracle Fusion Middleware Control using the following URL:

    http://igdadmin.example.com/em

    OR

    http://IGDADMINVHN.example.com:7101/em

    The Administration Server host and port number were in the URL on the End of Configuration screen (Writing Down Your Domain Home and Administration Server URL). The default Administration Server port number is 7101.

  2. Click WebLogic Domain, and click System MBean Browser.

    In the search box, enter SSOIntegrationMXBean, and click Search. The mbean is displayed.

  3. Set the value of TapEndpointURL to

    https://login.example.com/oam/server/dap/cred_submit
  4. Click Apply.

Running the Reconciliation Jobs

Run the reconciliation jobs in the Oracle Identity Governance domain to import the LDAP user names into the Oracle Identity Governance database.

To run the reconciliation jobs:

  1. Log in to the OIM System Administration Console as the user xelsysadm.
  2. Click Scheduler under System Configuration.
  3. Enter SSO* in the search box.
  4. Click the arrow for the Search Scheduled Jobs to list all the schedulers.
  5. Select SSO User Full Reconciliation.
  6. Click Run Now to run the job.
  7. Repeat for SSO Group Create And Update Full Reconciliation.
  8. Log in to the OIM System Administration Console and verify that the user weblogic_iam is visible.

Update the SOA Integration URL

Oracle Identity Manager connects to SOA as SOA administrator, with the username weblogic.

Perform the following post installation steps to enable Oracle Identity Manager to work with the Oracle WebLogic Server administrator user. This enables Oracle Identity Manager to connect to SOA:

Note:

For the SOAConfig Mbean to be visible, at least one OIM Managed Server must be running.

  1. Log in to Enterprise Manager Fusion Middleware Control of the IAMGovernanceDomain as the weblogic user.

  2. Click WebLogic Domain, and click System MBean Browser.

  3. Select Search, enter SOAConfig, and click Search.

  4. Ensure that the username is set to weblogic.

  5. Update the SOAP URL to the following:
    http://igdinternal.example.com:7777/
  6. Update the SOA Config RMI URL to the following:
    http://igdinternal.example.com:7777/
  7. Click Apply.

Configuring OIM Workflow Notifications to be Sent by Email

OIM uses human workflow, which is integrated with the SOA workflow. Email is configured on the SOA server so that the notifications are delivered to the user's mailbox, where the user can accept or reject them.

Both incoming and outgoing email addresses and mailboxes dedicated to the portal workflow are required for the full functionality. See Configuring Human Workflow Notification Properties in Administering Oracle SOA Suite and Oracle Business Process Management Suite.

To configure the OIM workflow notifications:

  1. Log in to the Fusion Middleware Control by using the administrators account. For example, weblogic_iam.
  2. Expand the Target Navigation panel and navigate to SOA > soa-infra (soa_server1) service.
  3. From the SOA infrastructure drop-down, select SOA Administration > Workflow Properties.
  4. Set the Notification mode to Email. Provide the correct e-mail address for the notification service.
  5. Click Apply and confirm when prompted.
  6. Verify the changes.
  7. Expand Target Navigation, select User Messaging Service, and then usermessagingdriver-email (soa_servern). Each SOA Managed Server that is running will have a driver. Only one of these entries should be selected.
  8. From the User Messaging Email Driver drop-down list, select Email Driver Properties.
  9. Click Create if the email driver does not exist already.
  10. Click Test and verify the changes.
  11. Click OK to save the email driver configuration.
  12. Restart the SOA cluster. No configuration or restart is required for OIM.

Adding the wsm-pm Role to the Administrators Group

After you configure a new LDAP-based Authorization Provider and restart the Administration Server, add the enterprise deployment administration LDAP group (OIMAdministrators) as a member to the policy.Updater role in the wsm-pm application stripe.

  1. Sign in to the Fusion Middleware Control by using the administrator's account. For example: weblogic_iam.
  2. From the WebLogic Domain menu, select Security, and then Application Roles.
  3. Select the wsm-pm application stripe from the Application Stripe drop-down menu.
  4. Click the triangular icon next to the role name text box to search for all role names in the wsm-pm application stripe.
  5. Select the row for the policy.Updater role to be edited.
  6. Click the Application Role Edit icon to edit the role.
  7. Click the Application Role Add icon on the Edit Application Role page.
  8. In the Add Principal dialog box, select Group from the Type drop-down menu.
  9. To search for the enterprise deployment administrators group, enter the group name WLSAdministrators in the Principal Name Starts With field and click the right arrow to start the search.
  10. Select the appropriate administrators group in the search results and click OK.
  11. Click OK on the Edit Application Role page.

Adding the Oracle Access Manager Load Balancer Certificate to the Oracle Keystore Service

The Oracle Identity Governance to Business Intelligence Reports link inside of the Self Service application requires that the SSL certificate used by the load balancer be added to the Oracle Keystore Service Trusted Certificates.

To add the certificate, do the following:
  1. Create a directory to hold user created keystores and certificates.
    For example:
    mkdir SHARED_CONFIG_DIR/keystores
  2. Obtain the certificate from the load balancer. You can obtain the load balancer certificate by using a browser, such as Firefox. However, the easiest way to obtain the certificate is to use the openssl command. The syntax of the command is as follows:
    openssl s_client -connect LOADBALANCER -showcerts </dev/null 2>/dev/null | openssl x509 -outform PEM > SHARED_CONFIG_DIR/keystores/LOADBALANCER.pem
    For example:
    openssl s_client -connect login.example.com:443 -showcerts </dev/null 2>/dev/null|openssl x509 -outform PEM >SHARED_CONFIG_DIR/keystores/login.example.com.pem

    The openssl command saves the certificate to a file called login.example.com.pem in SHARED_CONFIG_DIR/keystores.

  3. Load the certificate into the Oracle Keystore Service using WLST.
    1. Connect to WLST using the following command:
      ORACLE_HOME/oracle_common/common/bin/wlst.sh
    2. Connect to the Administration Server using the following command:
      connect('<AdminUser>','<AdminPwd>','t3://<Adminserverhost>:<Adminserver port>')
    3. Load the certificate using the following commands:
      svc = getOpssService(name='KeyStoreService')
      svc.importKeyStoreCertificate(appStripe='system',name='trust',password='', keypassword='',alias='<CertificateName>',type='TrustedCertificate', filepath='/<SHARED_CONFIG_DIR>/keystores/<LOADBALANCER>.pem')
    4. Synchronize the Keystore Service with the file system using the following command:
      syncKeyStores(appStripe='system', keystoreFormat='KSS')

      For example:

      connect('weblogic','password','t3://IGDADMINVHN.example.com:7101')
      svc = getOpssService(name='KeyStoreService')
      svc.importKeyStoreCertificate(appStripe='system',name='trust',password='', keypassword='',alias='login.example.com',type='TrustedCertificate', filepath='/u01/oracle/config/keystores/login.example.com.pem')
      syncKeyStores(appStripe='system',keystoreFormat='KSS')
      exit()
You will need to restart the domain for the changes to take effect. The default password for the Node Manager keystores is COMMON_IAM_PASSWORD. You will be prompted to confirm that the certificate is valid.

Restarting the IAMGovernanceDomain

For the above changes to take effect, you must restart the domain.

  1. Shut down the Managed Servers WLS_OIM1 and WLS_OIM2.
  2. Shut down the Managed Servers WLS_SOA1 and WLS_SOA2.
  3. Shut down the Managed Servers WLS_WSM1 and WLS_WSM2.
  4. Shut down the Administration Server.
  5. Restart the Administration Server.
  6. Start the Managed Servers WLS_SOA1 and WLS_SOA2.
  7. Start the Managed Servers WLS_OIM1 and WLS_OIM2.
  8. Start the Managed Servers WLS_WSM1 and WLS_WSM2.

    If you have performed the workaround as described in the Update Value of MatchLDAPAttribute in oam-config.xml, then you must also restart the OAM domain.

    Shut down and restart the Administration Server and all the Managed Servers (WLS_AMA1, WLS_AMA2, WLS_OAM1, WLS_OAM2).

Setting Challenge Questions

If you have integrated OAM and OIM, then after the environment is ready, you need to set up the challenge questions for your system users.

To set up the challenge questions, log in to Identity Self Service using the URL: https://prov.example.com/identity.

Log in with your user name and when prompted, add the challenge questions. You should set up these questions for the following users:

  • xelsysadm
  • weblogic_iam
  • oamadmin

Integrating Oracle Identity Manager with Oracle Business Intelligence Publisher

Oracle Identity Manager comes with a number of prebuilt reports that can be used to provide information about Oracle Identity and Access Management.

Oracle Identity Manager reports are classified by functional area, such as Access Policy Reports, Request and Approval Reports, Password Reports, and so on; they are no longer grouped as Operational and Historical. These reports are not generated by Oracle Identity Manager but by Oracle Business Intelligence Publisher (BIP). Oracle Identity Manager reports provide a restriction for Oracle BI Publisher.

The setup of a highly available enterprise deployment of Oracle BI Publisher is beyond the scope of this document. For more information, see Understanding the Business Intelligence Enterprise Deployment Topology in the Enterprise Deployment Guide for Business Intelligence.

Note:

During BI configuration for Oracle Identity Manager, you must configure only Business Intelligence Publisher. If you select other components during BI Publisher configuration, such as Business Intelligence Enterprise Edition and Essbase, the integration with Oracle Identity Manager may not work. See Configuring Reports in Developing and Customizing Applications for Oracle Identity Manager.

Creating a User to Run BI Reports

You may ignore this section if you already have a user to run reports in your Business Intelligence domain.

If you need to create a user in your BI Publisher domain to run reports, create the user in the LDAP directory with the following LDIF file and ldapmodify command.

  1. Create a file called report_user.ldif with the following contents:
    dn: cn=idm_report,cn=Users,dc=example,dc=com
    changetype: add
    orclsamaccountname: idm_report
    givenname: idm_report
    sn: idm_report
    userpassword: <password>
    mail: idm_report
    objectclass: top
    objectclass: person
    objectclass: organizationalPerson
    objectclass: inetorgperson
    objectclass: orcluser
    objectclass: orcluserV2
    uid: idm_report
    cn: idm_report
  2. Save the file.
  3. Load the file into the LDAP directory using the following command:
    ldapmodify -D cn=oudadmin -h idstore.example.com -p 1389 -f report_user.ldif

Configuring Oracle Identity Manager to Use BI Publisher

You can set up Oracle BI Publisher to generate Oracle Identity Manager reports.

To configure Oracle Identity Manager to use the BI Publisher:
  1. Log in to Oracle Enterprise Manager Fusion Middleware Control using the URL:
    http://igdadmin.example.com/em
  2. Click WebLogic Domain, and then select System MBean Browser.
  3. Enter XMLConfig.DiscoveryConfig as the search criteria and click Search.
    The XMLConfig.DiscoveryConfig MBean is displayed.
  4. Update the value of the Discovery Config BI publisher URL to the BIP URL. For example, http://bi.example.com
  5. Click Apply.

Assigning the BIServiceAdministrator Role to idm_report

If you are using LDAP as your identity store in the Business Intelligence (BI) domain, you must have created an LDAP authenticator in the BI domain. You can view the user and group names stored within LDAP.

The Oracle Identity Manager (OIM) system administration account (for example, idm_report) needs to be assigned the BIServiceAdministrator role, to generate reports.

To assign this role:

  1. Ensure that the OIM administrator user is visible in the domain by logging in to the BI publisher WebLogic Console using the following URL:

    http://biadmin.example.com/console

  2. Click Security Realms, and then click myrealm.
  3. Go to the Users and Groups tab.
  4. Look at the list of users and ensure that the user OIM Administration User (idm_report) is in the list of users.
  5. Sign in to the BI Fusion Middleware Control by using the URL http://biadmin.example.com/em and the administrator's account. For example: weblogic_bi.
  6. From the WebLogic Domain menu, select Security, and then Application Roles.
  7. From the Application Stripe drop-down list, select obi.
  8. Click the triangular icon next to the role name text box to search for all role names in the obi application stripe.
  9. Select the row for the BIServiceAdministrator role to edit.
  10. Click the Application Role Edit icon to edit the role.
  11. Click the Application Role Add icon on the Edit Application Role page.
  12. In the Add Principal dialog box, select User from the Type drop-down menu.
  13. To search for the idm_report user, enter the user name idm_report in the Principal Name Starts With field and click the right arrow to start the search.
  14. Select the appropriate user in the search results and click OK.
  15. Click OK on the Edit Application Role page.

Storing the BI Credentials in Oracle Identity Governance

To configure BIP credentials in Oracle Identity Manager:
  1. Log in to Oracle Enterprise Manager using the URL:
    http://igdadmin.example.com/em
  2. In the left pane, expand the WebLogic Domain. The domain name is displayed.
  3. Right-click the domain name, and navigate to Security, and then Credentials. A list of maps in the credential store, including the oim map, is displayed.
  4. Expand the oim map. A list of entries of type Password is displayed.
  5. Edit the BIPWSKey key if it already exists, or create a new one with the following values:

    Table 17-8 Properties of a new CSF entry

    Select Map: oim
    Key: BIPWSKey
    Type: Password
    Username: idm_report
    Password: the idm_report password
    Description: Login credentials for BI Publisher web service

Creating OIM and BPEL Data Sources in BIP

Create OIM Datasource

Oracle BIP must be connected to the OIM and SOA database schemas to run a report.

In order to do this you need to create BIP datasources using the following procedure:

  1. Log in to the BI Publisher Home page using the URL https://bi.example.com/xmlpserver.

  2. Click the Administration link on the top of the BI Publisher Home page. The BI Publisher Administration page is displayed.

  3. Under Data Sources, click JDBC Connection link. The Data Sources page is displayed.

  4. In the JDBC tab, click Add Data Source to create a JDBC connection to your database. The Add Data Source page is displayed.

  5. Enter values in the following fields:

    Table 17-9 OIM Add Data Source Attributes

    Attributes Value

    Data Source Name

    Specify the Oracle Identity Governance JDBC connection name. For example, OIM JDBC.

    Driver Type

    Select Oracle 11g for an 11g database and Oracle 12c for a 12c database.

    Database Driver Class

    Specify a driver class to suit your database, such as oracle.jdbc.OracleDriver

    Connection String

    Specify the database connection details in the format jdbc:oracle:thin:@HOST_NAME:PORT_NUMBER/SID.

    For example, jdbc:oracle:thin:@igddbscan:1521/oim.example.com

    User name

    Specify the Oracle Identity Governance database user name. For example, IGD_OIM.

    Password

    Specify the Oracle Identity Governance database user password.

  6. Click Test Connection to verify the connection.

  7. Click Apply to establish the connection.

  8. If the connection to the database is established, a confirmation message is displayed indicating the success.

  9. Click Apply.

In the JDBC page, you can see the newly defined Oracle Identity Governance JDBC connection in the list of JDBC data sources.

Create BPEL Datasource

  1. Log in to the BI Publisher Home page using the URL https://bi.example.com/xmlpserver.

  2. Click the Administration link on the BI Publisher home page. The BI Publisher Administration page is displayed.

  3. Under Data Sources, click JDBC Connection link. The Data Sources page is displayed.

  4. In the JDBC tab, click Add Data Source to create a JDBC connection to your database. The Add Data Source page is displayed.

  5. Enter values in the following fields:

    Table 17-10 JDBC Add Data Source Attributes

    Attributes Value

    Data Source Name

    Specify the Oracle Identity Governance JDBC connection name. For example, BPEL JDBC.

    Driver Type

    Oracle 12c

    Database Driver Class

    Specify a driver class to suit your database, such as oracle.jdbc.OracleDriver

    Connection String

    Specify the database connection details in the format jdbc:oracle:thin:@HOST_NAME:PORT_NUMBER/SID.

    For example, jdbc:oracle:thin:@igddbscan:1521/oim.example.com

    User name

    Specify the SOA infrastructure database user name. For example, IGD_SOAINFRA.

    Password

    Specify the Oracle Identity Governance database user password.

  6. Click Test Connection to verify the connection.

  7. Click Apply to establish the connection.

  8. If the connection to the database is established, a confirmation message is displayed indicating the success.

  9. Click Apply.

In the JDBC page, you can see the newly defined Oracle Identity Governance JDBC connection in the list of JDBC data sources.

Deploying Oracle Identity Governance Reports to BI

After BI Publisher is integrated with Oracle Identity Governance, you can deploy the predefined reports for using them. To deploy Oracle Identity Manager reports:
  1. Copy the predefined reports archive IGD_ORACLE_HOME/idm/server/reports/oim_product_BIPReports_12c.zip from OIMHOST1 to the directory Shared_Storage_location/biconfig/bidata and unzip it there.

    Note:

    The Shared_Storage_Location is defined in the ASERVER_HOME/config/fmwconfig/bienv/core/bi-environment.xml file.
  2. Add folder level permission to the BIServiceAdministrator BI application role to view and run the predefined Oracle Identity Governance reports. To do so:
    • Log in to Oracle BI Publisher at https://bi.example.com/xmlpserver by using the WebLogic admin credentials.

    • Click the Catalog link at the top. The Oracle Identity Manager named folder under shared folders is displayed in the left pane. Select the Oracle Identity Manager named folder.

    • Click Permissions option under the Tasks window on the bottom left.

    • Click the plus sign and perform a blank search on the available role.

    • Select the BI Service Administrator role, and add to the right panel.

    • Click Ok.

  3. Log out as the WebLogic user.
  4. Log in to the BI Publisher console as the Oracle Identity Manager system administrator user.
  5. Run the Oracle Identity Manager reports.

Enable Certification Reports

Select or deselect the Enable Certification Reports option to enable or disable the certification reports. To enable the generation of certification reports, after configuring the BI Publisher credentials and URL, perform the following:
  1. Log in to Oracle Identity Self Service using the URL https://prov.example.com/identity.
  2. Click the Compliance tab.
  3. Click the Identity Certification box.
  4. Select Certification Configuration. The Certification Configuration page is displayed.
  5. Select the Enable Certification Reports.
  6. Click Save.

Note:

By default, the Compliance tab is not shown. If you want to enable compliance functionality, you must first set the OIGIsIdentityAuditorEnabled property to true in the Sysadmin Console (located in the Configuration Properties section).

Validating the Reports

Create the sample data source first, so that reports can be generated against it to validate the integration.

Creating the Sample Reports

To view an example report data without running a report against the production JDBC Data Source, generate a sample report against the sample data source. Create the sample data source before you can generate the sample reports.

Generating Reports Against the Sample Data Source
After you create the sample data source, you can generate sample reports against it by performing the following steps:
  1. Log in to Oracle BI Publisher using the URL https://bi.example.com/xmlpserver.
  2. Click Shared Folders.
  3. Click  Oracle Identity Manager Reports.
  4. Select Sample Reports.
  5. Click View for the sample report you want to generate.
  6. Select an output format for the sample report and click View.

The sample report is generated.

Generating Reports Against the Oracle Identity Manager JDBC Data Source
To generate reports against the OIM JDBC data source, navigate to the Oracle Identity Manager reports by logging in to the Oracle BI Publisher, and select an output format for the report you want to generate.
To generate reports against the Oracle Identity Manager JDBC data source:
  1. Log in to Oracle BI Publisher using the URL https://bi.example.com/xmlpserver.
  2. Navigate to Oracle Identity Manager reports. To do so:
    • In the BI Publisher home page, under Browse or Manage, click Catalog Folders. Alternatively, you can click Catalog at the top of the page.

      The Catalog page is displayed with a tree structure on the left side of the page and the details on the right.

    • On the left pane, expand Shared Folders, and navigate to the Oracle Identity Manager. All the objects in the Oracle Identity Manager folder are displayed.

      You are ready to navigate to BI Publisher 12c and use the Oracle Identity Manager BI Publisher reports.

  3. Click View under the report you want to generate.
  4. Select an output format for the report and click View.
The report is generated.
Generating Reports Against the BPEL-Based JDBC Data Source
Some reports have a secondary data source, which is BPEL-based JDBC data source. This section describes how to generate reports against the BPEL-based JDBC data source.

Reports With Secondary Data Source

The following four reports have a secondary data source, which connects to the BPEL database to retrieve the BPEL data:

  • Task Assignment History

  • Request Details

  • Request Summary

  • Approval Activity

These reports have a secondary data source (BPEL-based JDBC data source) called BPEL JDBC. To generate reports against the BPEL-based JDBC data source:

  1. Log in to Oracle BI Publisher using the URL https://bi.example.com/xmlpserver.
  2. Navigate to the Oracle Identity Manager reports. To do so:
    • In the BI Publisher home page, under Browse or Manage, click Catalog Folders. Alternatively, you can click Catalog at the top of the page.

      The catalog page is displayed with a tree structure on the left side of the page and the details on the right.

    • On the left pane, expand Shared Folders, and navigate to Oracle Identity Manager. All the objects in the Oracle Identity Manager folder are displayed.

      Navigate to the BI Publisher 12c and use the Oracle Identity Manager BI Publisher reports.

  3. Select the report you want to generate and click Open.
  4. Select an output format for the report, and click Apply.
The report is generated based on the BPEL-based JDBC data source.
Adding the Business Intelligence Load Balancer Certificate to Oracle Keystore Trust Service

The Oracle Identity Governance to Business Intelligence Reports link inside of the Self Service application requires that the SSL certificate used by the load balancer be added to the Oracle Keystore Service Trusted Certificates.

To add the certificate:

  1. Create a directory to hold user created keystores and certificates.
    For example:
    mkdir SHARED_CONFIG_DIR/keystores
  2. Obtain the certificate from the load balancer. You can obtain the load balancer certificate by using a browser, such as Firefox. However, the easiest way to obtain the certificate is to use the openssl command. The syntax of the command is as follows:
    openssl s_client -connect LOADBALANCER -showcerts </dev/null 2>/dev/null | openssl x509 -outform PEM > SHARED_CONFIG_DIR/keystores/LOADBALANCER.pem
    For example:
    openssl s_client -connect bi.example.com:443 -showcerts </dev/null 2>/dev/null|openssl x509 -outform PEM>SHARED_CONFIG_DIR/keystores/bi.example.com.pem

    The openssl command saves the certificate to a file called bi.example.com.pem in SHARED_CONFIG_DIR/keystores.

  3. Load the certificate into the Oracle Keystore Service using WLST.
    1. Connect to WLST using the following command:
      ORACLE_HOME/oracle_common/common/bin/wlst.sh
    2. Connect to the Administration Server using the following command:
      connect('<AdminUser>','<AdminPwd>','t3://<Adminserverhost>:<Adminserver port>')
    3. Load the certificate using the following commands:
      svc = getOpssService(name='KeyStoreService')
      svc.importKeyStoreCertificate(appStripe='system',name='trust',password='', keypassword='',alias='<CertificateName>',type='TrustedCertificate', filepath='/<SHARED_CONFIG_DIR>/keystores/<LOADBALANCER>.pem')
    4. Synchronize the Keystore Service with the file system using the following command:
      syncKeyStores(appStripe='system', keystoreFormat='KSS')

      For example:

      connect('weblogic','password','t3://IGDADMINVHN.example.com:7101')
      svc = getOpssService(name='KeyStoreService')
      svc.importKeyStoreCertificate(appStripe='system',name='trust',password='', keypassword='',alias='bi.example.com',type='TrustedCertificate', filepath='/u01/oracle/config/keystores/bi.example.com.pem')
      syncKeyStores(appStripe='system',keystoreFormat='KSS')
      exit()
You will need to restart the domain for the changes to take effect. The default password for the JDK is changeit. The default password for the Node Manager keystores is COMMON_IAM_PASSWORD. You will be prompted to confirm that the certificate is valid.
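The openssl pipeline in step 2 of this section, and of Adding the Oracle Access Manager Load Balancer Certificate to the Oracle Keystore Service above, keeps only the first certificate the load balancer presents, and whatever that pipeline returns is then imported as a trusted certificate. The following Python script is an added example (not Oracle's code and not part of the procedure) that performs the same extraction on the text printed by openssl s_client -showcerts, reports how many certificates were in the presented chain, and computes the SHA-256 fingerprint of the leaf so that it can be compared with a fingerprint obtained separately from the load balancer administrator before the file is imported into the trust store. The embedded s_client output and its two certificates are constructed (base64 of arbitrary bytes, not real DER) so that the script runs offline.

```python
import base64
import hashlib
import hmac
import re
import sys
from typing import List

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

# Constructed stand-ins: arbitrary bytes, not real X.509 DER structures.
FAKE_LEAF_DER = b"constructed leaf certificate bytes, not a real X.509 structure"
FAKE_ISSUER_DER = b"constructed issuing CA certificate bytes, not a real X.509 structure"


def _pem_block(der: bytes) -> str:
    """Wrap DER bytes as a 64-column PEM certificate block."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Constructed imitation of what 'openssl s_client -connect host:443 -showcerts' prints
# when the load balancer sends the leaf followed by its issuing CA.
SAMPLE_S_CLIENT_OUTPUT = (
    "CONNECTED(00000003)\n---\nCertificate chain\n"
    " 0 s:CN = login.example.com\n   i:CN = Example Issuing CA\n"
    + _pem_block(FAKE_LEAF_DER)
    + " 1 s:CN = Example Issuing CA\n   i:CN = Example Root CA\n"
    + _pem_block(FAKE_ISSUER_DER)
    + "---\nServer certificate\nsubject=CN = login.example.com\n---\n"
)


def pem_certificates(s_client_output: str) -> List[str]:
    """Every PEM certificate in the output, in the order the server presented them (leaf first)."""
    return ["-----BEGIN CERTIFICATE-----\n" + m.group(1).strip() + "\n-----END CERTIFICATE-----\n"
            for m in PEM_RE.finditer(s_client_output)]


def leaf_certificate(s_client_output: str) -> str:
    """What 'openssl x509 -outform PEM' keeps from the pipeline above: the first certificate only."""
    certs = pem_certificates(s_client_output)
    if not certs:
        raise ValueError("no certificate in s_client output (handshake failed or wrong port?)")
    return certs[0]


def pem_to_der(pem: str) -> bytes:
    """Decode one PEM block to DER; validate=True rejects stray characters in the base64."""
    m = PEM_RE.search(pem)
    if m is None:
        raise ValueError("not a PEM certificate")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def sha256_fingerprint(pem: str) -> str:
    """Colon-separated SHA-256 fingerprint of the DER, as 'openssl x509 -fingerprint -sha256' prints it."""
    digest = hashlib.sha256(pem_to_der(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_matches(pem: str, expected: str) -> bool:
    """Compare with a fingerprint obtained out of band; colons and case are ignored."""
    def norm(s: str) -> str:
        return s.replace(":", "").strip().upper()
    return hmac.compare_digest(norm(sha256_fingerprint(pem)), norm(expected))


if __name__ == "__main__":
    # Pipe real s_client output in, or run without stdin to use the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_S_CLIENT_OUTPUT
    chain = pem_certificates(text)
    print(f"{len(chain)} certificate(s) presented; the pipeline keeps only the first (leaf)")
    print("SHA256 fingerprint of leaf:", sha256_fingerprint(leaf_certificate(text)))
```

Because the pipeline stores the leaf certificate, the trust entry stops matching as soon as the load balancer's certificate is renewed; when the chain reported by this script is longer than one, consider importing the issuing CA certificate (the second block) instead, so the trust survives leaf renewals, and repeat the fingerprint comparison for whichever certificate you import.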