4 Installing and Configuring the Oracle Identity Governance Software
Note:
The product Oracle Identity Manager is referred to as Oracle Identity Manager (OIM) and Oracle Identity Governance (OIG) interchangeably in the guide.
- Installing the Oracle Identity Governance Software
  Follow the steps in this section to install the Oracle Identity Governance software.
- Configuring the Oracle Identity Governance Domain
  After you have installed Oracle Identity Governance, you can configure the domain, which you can also extend for high availability.
Installing the Oracle Identity Governance Software
Before beginning the installation, ensure that you have verified the prerequisites and completed all steps covered in Preparing to Install and Configure.
- Method 1: Simplified Method - by using a quickstart installer to install all the products in one go. See Method 1: Simplified Method.
- Method 2: Traditional Method - by individually installing the required products. See Method 2: Traditional Method.
For information about supported installation methods, see About Supported Installation Methods.
- Verifying the Installation and Configuration Checklist
  The installation and configuration process requires specific information.
- Verifying the Memory Settings
  To avoid the memory issues for Oracle Identity Manager, ensure that the memory settings are updated as per the requirements.
- Method 1: Simplified Method
  You can install the Oracle Identity Governance software by using a quickstart installer.
- Method 2: Traditional Method
  You can install the Oracle Identity Governance software in traditional method, by individually installing required products.
- Verifying the Installation
  After you complete the installation, verify whether it was successful by completing a series of tasks.
Verifying the Installation and Configuration Checklist
The installation and configuration process requires specific information.
Table 4-1 lists important items that you must know before, or decide during, Oracle Identity Governance installation and configuration.
Table 4-1 Installation and Configuration Checklist
Information | Example Value | Description |
---|---|---|
 | | Environment variable that points to the Java JDK home directory. |
Database host | | Name and domain of the host where the database is running. |
Database port | | Port number that the database listens on. The default Oracle database listen port is |
Database service name | | Oracle databases require a unique service name. The default service name is |
DBA username | | Name of user with database administration privileges. The default DBA user on Oracle databases is |
DBA password | | Password of the user with database administration privileges. |
 | | Directory in which you will install your software. This directory will include Oracle Fusion Middleware Infrastructure, Oracle SOA Suite, and Oracle Identity Governance, as needed. |
WebLogic Server hostname | | Host name for Oracle WebLogic Server and Oracle Identity Governance consoles. |
Console port | | Port for Oracle WebLogic Server and Oracle Identity Governance consoles. |
 | | Location in which your domain data is stored. |
 | | Location in which your application data is stored. |
Administrator user name for your WebLogic domain | | Name of the user with Oracle WebLogic Server administration privileges. The default administrator user is |
Administrator user password | | Password of the user with Oracle WebLogic Server administration privileges. |
RCU | | Path to the Repository Creation Utility (RCU). |
RCU schema prefix | | Prefix for names of database schemas used by Oracle Identity Governance. |
RCU schema password | | Password for the database schemas used by Oracle Identity Governance. |
Configuration utility | | Path to the Configuration Wizard for domain creation and configuration. |
Verifying the Memory Settings
To avoid the memory issues for Oracle Identity Manager, ensure that the memory settings are updated as per the requirements.
- Ensure that you set the following parameters in the /etc/security/limits.conf file to the specified values:
  FUSION_USER_ACCOUNT soft nofile 32767
  FUSION_USER_ACCOUNT hard nofile 327679
- Ensure that you set UsePAM to Yes in the /etc/ssh/sshd_config file.
- Restart sshd.
- Log out (or reboot) and log in to the system again.
Note:
Before you start the Oracle Identity Governance 12c (12.2.1.4.0) Server, post configuration, run the following command to increase the limit of open files, so that you do not run into memory issues:
limit maxproc 16384
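A read-only way to confirm the limits.conf and sshd_config settings above before starting the servers, given here as an added example that is not part of Oracle's guide. The account name oracle stands in for FUSION_USER_ACCOUNT, the sample files are constructed, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: read-only check of the limits.conf and sshd_config settings
# listed above. Account name and file paths are parameters; nothing is changed.

# Print the nofile value set for an account in a limits.conf-style file.
# $1=file  $2=account  $3=soft|hard. A "-" type sets both soft and hard.
# If several lines match, the last one is reported.
nofile_limit() {
    awk -v acct="$2" -v kind="$3" '
        /^[ \t]*#/ { next }
        $1 == acct && ($2 == kind || $2 == "-") && $3 == "nofile" { val = $4 }
        END { if (val != "") print val }
    ' "$1"
}

# Print the UsePAM value from an sshd_config-style file, lowercased.
# sshd uses the first value it reads for a keyword, so stop at the first hit.
usepam_value() {
    awk '
        /^[ \t]*#/ { next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            n = split(line, f, /[ \t=]+/)
            if (n >= 2 && tolower(f[1]) == "usepam") { print tolower(f[2]); exit }
        }
    ' "$1"
}

# Compare one setting with its expected value. $1=label $2=actual $3=expected
report_setting() {
    if [ "$2" = "$3" ]; then
        echo "OK   $1 = $2"
    else
        echo "FAIL $1 = ${2:-unset} (expected $3)"
        return 1
    fi
}

# Run all checks. $1=OS account that runs the servers, $2=limits file,
# $3=sshd_config file. Returns non-zero if any setting differs from the page.
# The page writes the UsePAM value as Yes; it is compared case-insensitively.
oig_preflight() {
    rc=0
    report_setting "$1 soft nofile" "$(nofile_limit "$2" "$1" soft)" 32767  || rc=1
    report_setting "$1 hard nofile" "$(nofile_limit "$2" "$1" hard)" 327679 || rc=1
    report_setting "UsePAM"         "$(usepam_value "$3")"           yes    || rc=1
    return "$rc"
}

# Constructed sample files (not from a real host). $1=directory
write_samples() {
    cat > "$1/limits.conf" <<'EOF'
# constructed sample: "oracle" stands in for FUSION_USER_ACCOUNT
oracle soft nofile 4096
oracle soft nofile 32767
oracle hard nofile 327679
EOF
    cat > "$1/sshd_config" <<'EOF'
#UsePAM no
UsePAM yes
EOF
    cat > "$1/sshd_config.bad" <<'EOF'
UsePAM no
UsePAM yes
EOF
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
oig_preflight oracle "$demo_dir/limits.conf" "$demo_dir/sshd_config" || echo "pre-flight failed"
oig_preflight oracle "$demo_dir/limits.conf" "$demo_dir/sshd_config.bad" || echo "pre-flight failed"
rm -rf "$demo_dir"
```

On a real host, pass /etc/security/limits.conf and /etc/ssh/sshd_config; files under /etc/security/limits.d are also read by pam_limits, so check those as well. Running sshd -T as root prints the effective sshd configuration.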
Method 1: Simplified Method
For Oracle Identity Governance, a quickstart installer is available, which installs Infrastructure, Oracle SOA Suite, and Oracle Identity Governance 12c (12.2.1.4.0) in one go. You do not have to install these products using separate installers.
- Roadmap for Installing and Configuring Oracle Identity Governance Using Simplified Installation
  Use the roadmap provided in this section to install and configure Oracle Identity Governance (OIG) using the simplified installation process.
- Installing Oracle Identity Governance Using Quickstart Installer
  Complete the instructions in this section to install Oracle Identity Governance.
Roadmap for Installing and Configuring Oracle Identity Governance Using Simplified Installation
Use the roadmap provided in this section to install and configure Oracle Identity Governance (OIG) using the simplified installation process.
This table provides the high-level steps for installing and configuring Oracle Identity Governance.
Table 4-2 Task Roadmap for Installing and Configuring Oracle Identity Governance Using Simplified Installation
Task | Description |
---|---|
Verify if your system meets the minimum hardware and software requirements. | |
Install Oracle Fusion Middleware Infrastructure, Oracle SOA Suite, and Oracle Identity Governance 12.2.1.4.0 using the quickstart installer. This task involves obtaining the quickstart installer, starting the installation program, and navigating the installer screens. | See Installing Oracle Identity Governance Using Quickstart Installer |
Create the database schemas using Repository Creation Utility (RCU). | |
Configure and update the Oracle Identity Governance domain. | |
Perform the necessary post-configuration tasks. | |
Start the Node Manager, Administration Server, Oracle SOA Suite Managed Server, and the OIG Managed Server. | |
Integrate Oracle Identity Governance with Oracle SOA Suite. | See Integrating Oracle Identity Governance with Oracle SOA Suite |
Verify the configuration. | |
Refer to the bootstrap report for the configuration details and for any issues or warnings thrown during the installation process. | |
Access the Oracle Identity Governance Design Console, if required. | See Installing and Accessing the Oracle Identity Governance Design Console |
Installing Oracle Identity Governance Using Quickstart Installer
Complete the instructions in this section to install Oracle Identity Governance.
Topics:
- Obtaining the Quickstart Installer
  Obtain the quickstart installer distribution on Technical Resources from Oracle.
- Starting the Quickstart Installation Program
  Start the quickstart installation program by running the java executable from the JDK directory.
- Navigating the Quickstart Installation Screens
  The quickstart installer shows a series of screens where you verify or enter information.
Obtaining the Quickstart Installer
Obtain the quickstart installer distribution on Technical Resources from Oracle.
See Obtaining Product Distributions in Planning an Installation of Oracle Fusion Middleware.
After downloading the required .zip file, unzip the .zip file to obtain the .jar distributions.
Note:
No prerequisite software is required for qstart.
Starting the Quickstart Installation Program
Start the quickstart installation program by running the java executable from the JDK directory.
Note:
Before running the quickstart installation program, you must verify the supported JDK version is installed.
- On UNIX:
  $JAVA_HOME/bin/java -jar fmw_12.2.1.4.0_idmquickstart.jar
- On Windows:
  %JAVA_HOME%\bin\java -jar fmw_12.2.1.4.0_idmquickstart.jar
Navigating the Quickstart Installation Screens
The quickstart installer shows a series of screens where you verify or enter information.
The following table lists the order in which installer screens appear. If you need additional help with an installation screen, click Help.
Table 4-3 Oracle Identity Governance Quickstart Install Screens
Screen | Description |
---|---|
Installation Inventory Setup | On Linux or UNIX operating systems, this screen opens if this is the first time you are installing any Oracle product on this host. Specify the location where you want to create your central inventory. Make sure that the operating system group name selected on this screen has write permissions to the central inventory location. See About the Oracle Central Inventory in Installing Software with the Oracle Universal Installer. This screen does not appear on Windows operating systems. |
Welcome | Review the information to make sure that you have met all the prerequisites, then click Next. |
Auto Updates | Select to skip automatic updates, select patches, or search for the latest software updates, including important security updates, through your My Oracle Support account. |
Installation Location | Specify your Oracle home directory location. You can click View to verify and ensure that you are installing the products in the correct Oracle home. |
Prerequisite Checks | This screen verifies that your system meets the minimum necessary requirements. To view the list of tasks that gets verified, select View Successful Tasks. To view log details, select View Log. If any prerequisite check fails, then an error message appears at the bottom of the screen. Fix the error and click Rerun to try again. To ignore the error or the warning message and continue with the installation, click Skip (not recommended). |
Installation Summary | Use this screen to verify installation options you selected. If you want to save these options to a response file, click Save Response File and enter the response file location and name. The response file collects and stores all the information that you have entered, and enables you to perform a silent installation (from the command line) at a later time. Click Install to begin the installation. |
Installation Progress | This screen shows the installation progress. When the progress bar reaches 100% complete, click Finish to dismiss the installer, or click Next to see a summary. |
Installation Complete | This screen displays the Installation Location and the Feature Sets that are installed. Review this information and click Finish to close the installer. |
Method 2: Traditional Method
Note:
Install products in the specified order.
- Oracle Fusion Middleware Infrastructure 12c (12.2.1.4.0)
- Oracle SOA Suite 12c (12.2.1.4.0)
For information about installing Oracle Fusion Middleware Infrastructure 12c (12.2.1.4.0), see Installing the Infrastructure Software in Installing and Configuring the Oracle Fusion Middleware Infrastructure.
For information about installing Oracle SOA Suite 12c (12.2.1.4.0), see Installing the Oracle SOA Suite and Oracle Business Process Management Software in Installing and Configuring Oracle SOA Suite and Business Process Management.
- Starting the Installation Program
  Before running the installation program, you must verify the JDK and prerequisite software is installed.
- Navigating the Installation Screens
  The installer shows a series of screens where you verify or enter information.
Starting the Installation Program
Before running the installation program, you must verify the JDK and prerequisite software is installed.
To start the installation program:
Note:
You can also start the installer in silent mode using a saved response file instead of launching the installer screens. For more about silent or command line installation, see Using the Oracle Universal Installer in Silent Mode in Installing Software with the Oracle Universal Installer.
When the installation program appears, you are ready to begin the installation.
Navigating the Installation Screens
The installer shows a series of screens where you verify or enter information.
The following table lists the order in which installer screens appear. If you need additional help with an installation screen, click Help.
Table 4-4 Install Screens
Screen | Description |
---|---|
Installation Inventory Setup | On Linux or UNIX operating systems, this screen opens if this is the first time you are installing any Oracle product on this host. Specify the location where you want to create your central inventory. Make sure that the operating system group name selected on this screen has write permissions to the central inventory location. See About the Oracle Central Inventory in Installing Software with the Oracle Universal Installer. This screen does not appear on Windows operating systems. |
Welcome | Review the information to make sure that you have met all the prerequisites, then click Next. |
Auto Updates | Select to skip automatic updates, select patches, or search for the latest software updates, including important security updates, through your My Oracle Support account. |
Installation Location | Specify your Oracle home directory location. This Oracle home must include Oracle Fusion Middleware Infrastructure 12c (12.2.1.4.0). You can click View to verify and ensure that you are installing in the correct Oracle home. Note: Ensure that the Oracle home path does not contain a space. |
Installation Type | Use the Collocated Installation Type. Collocated mode is a type of installation that is managed through WebLogic Server. To install in collocated mode, you must have installed the required dependent software. |
Prerequisite Checks | This screen verifies that your system meets the minimum necessary requirements. To view the list of tasks that gets verified, select View Successful Tasks. To view log details, select View Log. If any prerequisite check fails, then an error message appears at the bottom of the screen. Fix the error and click Rerun to try again. To ignore the error or the warning message and continue with the installation, click Skip (not recommended). |
Installation Summary | Use this screen to verify installation options you selected. If you want to save these options to a response file, click Save Response File and enter the response file location and name. The response file collects and stores all the information that you have entered, and enables you to perform a silent installation (from the command line) at a later time. Click Install to begin the installation. |
Installation Progress | This screen shows the installation progress. When the progress bar reaches 100% complete, click Finish to dismiss the installer, or click Next to see a summary. |
Installation Complete | This screen displays the Installation Location and the Feature Sets that are installed. Review this information and click Finish to close the installer. |
Verifying the Installation
After you complete the installation, verify whether it was successful by completing a series of tasks.
- Reviewing the Installation Log Files
  Review the contents of the installation log files to make sure that the installer did not encounter any problems.
- Checking the Directory Structure
  The contents of your installation vary based on the options that you selected during the installation.
- Viewing the Contents of the Oracle Home
  You can view the contents of the Oracle home directory by using the viewInventory script.
Reviewing the Installation Log Files
Review the contents of the installation log files to make sure that the installer did not encounter any problems.
By default, the installer writes log files to the Oracle_Inventory_Location/logs (on UNIX operating systems) or Oracle_Inventory_Location\logs (on Windows operating systems) directory.
For a description of the log files and where to find them, see Installation Log Files in Installing Software with the Oracle Universal Installer.
Checking the Directory Structure
The contents of your installation vary based on the options that you selected during the installation.
See What Are the Key Oracle Fusion Middleware Directories? in Understanding Oracle Fusion Middleware.
Viewing the Contents of the Oracle Home
You can view the contents of the Oracle home directory by using the viewInventory script.
See Viewing the Contents of an Oracle Home in Installing Software with the Oracle Universal Installer.
Configuring the Oracle Identity Governance Domain
After you have installed Oracle Identity Governance, you can configure the domain, which you can also extend for high availability.
Note:
In this document, the variable OIM_HOME is used for ORACLE_HOME/idm (Unix) and ORACLE_HOME\idm (Windows).
Refer to the following sections to create the database schemas, configure a WebLogic domain, and verify the configuration:
- Creating the Database Schemas
  Before you can configure an Oracle Identity Governance domain, you must install required schemas on a certified database for use with this release of Oracle Fusion Middleware.
- Configuring the Domain
  Use the Configuration Wizard to create and configure a domain.
- Performing Post-Configuration Tasks
  After you configure the Oracle Identity Governance domain, perform the necessary post-configuration tasks.
- Starting the Servers
  After a successful configuration, start all processes and servers, including the Administration Server and any Managed Servers.
- Integrating Oracle Identity Governance with Oracle SOA Suite
  If you wish to integrate Oracle Identity Governance with Oracle SOA Suite, use the Enterprise Manager console to do the same.
- Verifying the Configuration
  After completing all configuration steps, you can perform additional steps to verify that your domain is properly configured.
- Analyzing the Bootstrap Report
  When you start the Oracle Identity Governance server, the bootstrap report is generated at DOMAIN_HOME/servers/oim_server1/logs/BootStrapReportPreStart.html.
- Installing and Accessing the Oracle Identity Governance Design Console
  If you wish to set up only the Oracle Identity Governance Design Console in a machine where OIG server is not configured, then you must install Oracle Identity Governance 12c (12.2.1.4.0) in standalone mode, and then invoke the Design Console.
- Troubleshooting
  This section lists the common issues encountered while configuring Oracle Identity Governance and their workarounds.
Creating the Database Schemas
Before you can configure an Oracle Identity Governance domain, you must install required schemas on a certified database for use with this release of Oracle Fusion Middleware.
- Installing and Configuring a Certified Database
  Before you create the database schemas, you must install and configure a certified database, and verify that the database is up and running.
- Starting the Repository Creation Utility
  Start the Repository Creation Utility (RCU) after you verify that a certified JDK is installed on your system.
- Navigating the Repository Creation Utility Screens to Create Schemas
  Enter required information in the RCU screens to create the database schemas.
Installing and Configuring a Certified Database
Before you create the database schemas, you must install and configure a certified database, and verify that the database is up and running.
Note:
For an Autonomous Transaction Processing database (both Oracle Autonomous Transaction Processing-Dedicated (ATP-D) and Oracle Autonomous Transaction Processing-Shared (ATP-S)), you must modify the wallet settings, set the environment variables, and apply patches on ORACLE HOME. For more information, see Settings to connect to an Autonomous Transaction Processing Database and Applying Patches on ORACLE HOME.
See About Database Requirements for an Oracle Fusion Middleware Installation.
Starting the Repository Creation Utility
Start the Repository Creation Utility (RCU) after you verify that a certified JDK is installed on your system.
To start the RCU:
Navigating the Repository Creation Utility Screens to Create Schemas
Enter required information in the RCU screens to create the database schemas.
- Introducing the RCU
  The Welcome screen is the first screen that appears when you start the RCU.
- Selecting a Method of Schema Creation
  Use the Create Repository screen to select a method to create and load component schemas into the database.
- Providing Database Connection Details
  On the Database Connection Details screen, provide the database connection details for the RCU to connect to your database.
- Specifying a Custom Prefix and Selecting Schemas
- Specifying Schema Passwords
  On the Schema Passwords screen, specify how you want to set the schema passwords on your database, then enter and confirm your passwords.
- Specifying Custom Variables
- Completing Schema Creation
  Navigate through the remaining RCU screens to complete schema creation.
Introducing the RCU
The Welcome screen is the first screen that appears when you start the RCU.
Click Next.
Selecting a Method of Schema Creation
Use the Create Repository screen to select a method to create and load component schemas into the database.
- If you have the necessary permissions and privileges to perform DBA activities on your database, select System Load and Product Load. This procedure assumes that you have SYSDBA privileges.
- If you do not have the necessary permissions or privileges to perform DBA activities in the database, you must select Prepare Scripts for System Load on this screen. This option generates a SQL script that you can give to your database administrator. See About System Load and Product Load in Creating Schemas with the Repository Creation Utility.
- If the DBA has already run the SQL script for System Load, select Perform Product Load.
Note:
For an Autonomous Transaction Processing database (both Oracle Autonomous Transaction Processing-Dedicated (ATP-D) and Oracle Autonomous Transaction Processing-Shared (ATP-S)), you must create schemas as a Normal user and, although you do not have full SYS or SYSDBA privileges on the database, you must select System Load and Product Load.
Providing Database Connection Details
On the Database Connection Details screen, provide the database connection details for the RCU to connect to your database.
Note:
If you are unsure of the service name for your database, you can obtain it from the SERVICE_NAMES parameter in the initialization parameter file of the database. If the initialization parameter file does not contain the SERVICE_NAMES parameter, then the service name is the same as the global database name, which is specified in the DB_NAME and DB_DOMAIN parameters.
For an Oracle Autonomous Transaction Processing-Shared (ATP-S) database, you must use only one of the database service names, <databasename>_tpurgent or <databasename>_tp, specified in tnsnames.ora. For database service name details, see Database Service Names for Autonomous Transaction Processing and Autonomous JSON Database.
To create schemas on an Autonomous Transaction Processing database (both Oracle Autonomous Transaction Processing-Dedicated (ATP-D) and Oracle Autonomous Transaction Processing-Shared (ATP-S)), you can specify the connection credentials using only the Connection String option. In this screen, a warning message is displayed. You can ignore the warning and continue with the schema creation. For more information, see SYS DBA Privileges Warning After Applying Patches.
For example:
- Database Type: Oracle Database
- Connection String Format: Select either of the available formats.
- If you choose connection parameter, fill in the following details:
  - Host Name: examplehost.exampledomain.com
  - Port: 1521
  - Service Name: Orcl.exampledomain.com
  - User Name: sys
  - Password: ******
  - Role: SYSDBA
- If you choose connection string, fill in the following details:
  - Connection String: examplehost.exampledomain.com:1521:Orcl.exampledomain.com
  - User Name: sys
  - Password: ******
  - Role: SYSDBA
For an Autonomous Transaction Processing database (both Oracle Autonomous Transaction Processing-Dedicated (ATP-D) and Oracle Autonomous Transaction Processing-Shared (ATP-S)), enter connect string in the following format:
jdbc:oracle:thin:@TNS_alias?TNS_ADMIN=<path of the wallet files, ojdbc.properties, and tnsnames.ora>
In the connect string, you must pass TNS_alias as the database name found in tnsnames.ora, and TNS_ADMIN property to the location of the wallet files, ojdbc.properties, and tnsnames.ora.
Note:
For an Oracle Autonomous Transaction Processing-Shared (ATP-S) database, you must use only one of the database service names, <databasename>_tpurgent or <databasename>_tp, specified in tnsnames.ora. For database service name details, see Database Service Names for Autonomous Transaction Processing and Autonomous JSON Database.
Example connect string for Oracle Autonomous Transaction Processing-Dedicated (ATP-D) database:
jdbc:oracle:thin:@dbname_medium?TNS_ADMIN=/users/test/wallet_dbname/
Example connect string for Oracle Autonomous Transaction Processing-Shared (ATP-S) database:
jdbc:oracle:thin:@dbname_tp?TNS_ADMIN=/users/test/wallet_dbname/
Click Next to proceed, then click OK in the dialog window that confirms a successful database connection.
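A pre-flight check for the ATP connect string format described above, given as an added example that is not from Oracle's guide. It splits the string into TNS_alias and TNS_ADMIN, confirms that tnsnames.ora and ojdbc.properties are readable and that the alias is defined, and applies the _tp / _tpurgent rule for ATP-S; the function names and the sample wallet directory are constructed for illustration.

```shell
#!/bin/sh
# Added example: validate an ATP connect string of the form
#   jdbc:oracle:thin:@TNS_alias?TNS_ADMIN=<directory>
# before entering it in the RCU. Read-only; function names are this example's.

# Print the TNS alias, or return 1 if the string does not have the ATP form.
atp_alias() {
    rest=${1#jdbc:oracle:thin:@}
    [ "$rest" != "$1" ] || return 1
    case $rest in *"?TNS_ADMIN="*) ;; *) return 1 ;; esac
    printf '%s\n' "${rest%%[?]*}"
}

# Print the TNS_ADMIN directory, or return 1 if the property is missing.
atp_tns_admin() {
    case $1 in
        *"?TNS_ADMIN="*) printf '%s\n' "${1#*[?]TNS_ADMIN=}" ;;
        *) return 1 ;;
    esac
}

# Succeed if tnsnames.ora ($1) has a top-level entry named exactly $2.
tns_has_alias() {
    awk -v want="$2" '
        /^[ \t]*#/ { next }
        /^[ \t]*[A-Za-z0-9_.-]+[ \t]*=/ {
            name = $0; sub(/^[ \t]+/, "", name); sub(/[ \t]*=.*/, "", name)
            if (name == want) found = 1
        }
        END { exit !found }
    ' "$1"
}

# $1=connect string  $2=shared|dedicated. Returns non-zero on any failure.
check_atp_connect() {
    if ! tns_alias=$(atp_alias "$1") || ! tns_dir=$(atp_tns_admin "$1"); then
        echo "FAIL: expected jdbc:oracle:thin:@TNS_alias?TNS_ADMIN=<directory>"
        return 1
    fi
    if [ -z "$tns_alias" ] || [ -z "$tns_dir" ]; then
        echo "FAIL: empty TNS_alias or TNS_ADMIN"
        return 1
    fi
    rc=0
    for f in tnsnames.ora ojdbc.properties; do
        [ -r "$tns_dir/$f" ] || { echo "FAIL: $tns_dir/$f is not readable"; rc=1; }
    done
    if [ -r "$tns_dir/tnsnames.ora" ] && ! tns_has_alias "$tns_dir/tnsnames.ora" "$tns_alias"; then
        echo "FAIL: $tns_alias is not defined in tnsnames.ora"; rc=1
    fi
    if [ "$2" = shared ]; then
        case $tns_alias in
            *_tp|*_tpurgent) ;;
            *) echo "FAIL: ATP-S needs a _tp or _tpurgent service, got $tns_alias"; rc=1 ;;
        esac
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: $tns_alias via $tns_dir"; fi
    return "$rc"
}

# Constructed wallet directory contents (placeholder values). $1=directory
write_wallet_sample() {
    cat > "$1/tnsnames.ora" <<'EOF'
dbname_tp = (description=(address=(protocol=tcps)(port=1522)(host=db.example.invalid))(connect_data=(service_name=placeholder_tp)))
dbname_tpurgent = (description=(address=(protocol=tcps)(port=1522)(host=db.example.invalid))(connect_data=(service_name=placeholder_tpurgent)))
dbname_medium = (description=(address=(protocol=tcps)(port=1522)(host=db.example.invalid))(connect_data=(service_name=placeholder_medium)))
EOF
    echo "# constructed placeholder" > "$1/ojdbc.properties"
}

demo=$(mktemp -d)
write_wallet_sample "$demo"
check_atp_connect "jdbc:oracle:thin:@dbname_tp?TNS_ADMIN=$demo" shared
check_atp_connect "jdbc:oracle:thin:@dbname_medium?TNS_ADMIN=$demo" shared || true
rm -rf "$demo"
```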
Specifying a Custom Prefix and Selecting Schemas
Select Create new prefix, specify a custom prefix, then expand IDM Schemas and select the Oracle Identity Manager schema. This action automatically selects the following schemas as dependencies:
- User Messaging Service (UMS)
- Metadata Services (MDS)
- Oracle Platform Security Services (OPSS)
- Audit Services (IAU)
- Audit Services Append (IAU_Append)
- Audit Services Viewer (IAU_Viewer)
- WebLogic Services (WLS)
- Common Infrastructure Services (STB)
- SOA Infrastructure (SOAINFRA)
The schema Common Infrastructure Services (STB) is automatically created. This schema is dimmed; you cannot select or deselect it. This schema enables you to retrieve information from RCU during domain configuration. For more information, see "Understanding the Service Table Schema" in Creating Schemas with the Repository Creation Utility.
The custom prefix is used to logically group these schemas together for use in this domain only; you must create a unique set of schemas for each domain. Schema sharing across domains is not supported.
Tip:
For more information about custom prefixes, see "Understanding Custom Prefixes" in Creating Schemas with the Repository Creation Utility.
For more information about how to organize your schemas in a multi-domain environment, see "Planning Your Schema Creation" in Creating Schemas with the Repository Creation Utility.
Tip:
You must make a note of the custom prefix you choose to enter here; you will need this later on during the domain creation process.
Click Next to proceed, then click OK on the dialog window confirming that prerequisite checking for schema creation was successful.
Specifying Schema Passwords
On the Schema Passwords screen, specify how you want to set the schema passwords on your database, then enter and confirm your passwords.
Note:
For an Autonomous Transaction Processing database (both Oracle Autonomous Transaction Processing-Dedicated (ATP-D) and Oracle Autonomous Transaction Processing-Shared (ATP-S)), the schema password must be a minimum of 12 characters and must contain at least one uppercase letter, one lowercase letter, and one number.
You must make a note of the passwords you set on this screen; you will need them later on during the domain creation process.
Click Next.
Specifying Custom Variables
On the Custom Variables screen, accept the default values and click Next.
Tip:
For more information about options on this screen, see Custom Variables in Creating Schemas with the Repository Creation Utility.
Completing Schema Creation
Navigate through the remaining RCU screens to complete schema creation.
On the Map Tablespaces screen, the Encrypt Tablespace check box appears only if you enabled Transparent Data Encryption (TDE) in the database (Oracle or Oracle EBR) when you start the RCU.
To complete schema creation:
Configuring the Domain
Use the Configuration Wizard to create and configure a domain.
For information on other methods to create domains, see Additional Tools for Creating, Extending, and Managing WebLogic Domains in Creating WebLogic Domains Using the Configuration Wizard.
- Starting the Configuration Wizard
  Start the Configuration Wizard to begin configuring a domain.
- Navigating the Configuration Wizard Screens to Create and Configure the Domain
  Enter required information in the Configuration Wizard screens to create and configure the domain for the topology.
Starting the Configuration Wizard
Start the Configuration Wizard to begin configuring a domain.
To start the Configuration Wizard:
Navigating the Configuration Wizard Screens to Create and Configure the Domain
Enter required information in the Configuration Wizard screens to create and configure the domain for the topology.
Note:
You can use this procedure to extend an existing domain. If your needs do not match the instructions in the procedure, be sure to make your selections accordingly, or see the supporting documentation for more details.
- Selecting the Domain Type and Domain Home Location
  Use the Configuration Type screen to select a Domain home directory location, optimally outside the Oracle home directory.
- Selecting the Configuration Templates for Oracle Identity Manager
- Configuring High Availability Options
  If you are not using a high availability setup, accept the default values on this screen and then click Next to proceed to the next screen. Use this screen to configure service migration and persistence settings that affect high availability.
- Selecting the Application Home Location
  Use the Application Location screen to select the location to store applications associated with your domain, also known as the Application home directory.
- Configuring the Administrator Account
  Use the Administrator Account screen to specify the user name and password for the default WebLogic Administrator account for the domain.
- Specifying the Domain Mode and JDK
  Use the Domain Mode and JDK screen to specify the domain mode and Java Development Kit (JDK).
- Specifying the Database Configuration Type
  Use the Database Configuration type screen to specify details about the database and database schema.
- Specifying JDBC Component Schema Information
  Use the JDBC Component Schema screen to verify or specify details about the database schemas.
- Testing the JDBC Connections
  Use the JDBC Component Schema Test screen to test the data source connections.
- Entering Credentials
  Use the Credentials screen to set credentials for each key in the domain.
- Specifying the Path to the Keystore Certificate or Key
- Selecting Advanced Configuration
  Use the Advanced Configuration screen to complete the domain configuration.
- Configuring the Administration Server Listen Address
  Use the Administration Server screen to select the IP address of the host.
- Configuring Node Manager
  Use the Node Manager screen to select the type of Node Manager you want to configure, along with the Node Manager credentials.
- Configuring Managed Servers for Oracle Identity Manager
- Configuring a Cluster for Oracle Identity Manager
  Use the Clusters screen to create a new cluster. This is required for an Oracle Identity Governance high availability setup.
- Defining Server Templates
  If you are creating dynamic clusters for a high availability setup, use the Server Templates screen to define one or more server templates for the domain.
- Configuring Dynamic Servers
  If you are creating dynamic clusters for a high availability setup, use the Dynamic Servers screen to configure the dynamic servers.
- Assigning Oracle Identity Manager Managed Servers to the Cluster
  If you are configuring a single-node non-clustered setup, click Next and go to the next screen. Use the Assign Servers to Clusters screen to assign Managed Servers to a new configured cluster. A configured cluster is a cluster you configure manually. You do not use this screen if you are configuring a dynamic cluster, a cluster that contains one or more generated server instances that are based on a server template.
- Configuring Coherence Clusters
  Use the Coherence Clusters screen to configure the Coherence cluster.
- Creating a New Oracle Identity Manager Machine
  Use the Machines screen to create new machines in the domain. A machine is required so that Node Manager can start and stop servers.
- Assigning Servers to Oracle Identity Manager Machines
  Use the Assign Servers to Machines screen to assign the Administration Server and Managed Servers to the new machine you just created.
- Virtual Targets
  If you have a WebLogic Server Multitenant (MT) environment, you use the Virtual Targets screen to add or delete virtual targets. For this installation (not a WebLogic Server MT environment), you do not enter any values; just select Next.
- Partitions
  The Partitions screen is used to configure partitions for virtual targets in WebLogic Server Multitenant (MT) environments. Select Next without selecting any options.
- Configuring Domain Frontend Host
  The Domain Frontend Host screen can be used to configure the frontend host for the domain.
- Targeting the Deployments
  The Deployments Targeting screen can be used to target the available deployments to the servers.
- Targeting the Services
  The Services Targeting screen can be used to target the available services to the Servers.
- File Stores
  The File Stores screen lists the available file stores.
- Reviewing Your Configuration Specifications and Configuring the Domain
  The Configuration Summary screen shows detailed configuration information for the domain you are about to create.
- Writing Down Your Domain Home and Administration Server URL
  The End of Configuration screen shows information about the domain you just configured.
- Additional Domain Configuration
  Use the Configuration Wizard to update the domain.
Parent topic: Configuring the Domain
Selecting the Domain Type and Domain Home Location
Use the Configuration Type screen to select a Domain home directory location, optimally outside the Oracle home directory.
Note:
Use different domain_homes for Oracle Access Management and Oracle Identity Governance.
To specify the Domain type and Domain home directory:
- On the Configuration Type screen, select Create a new domain.
- In the Domain Location field, specify your Domain home directory.
For more details about this screen, see Configuration Type in Creating WebLogic Domains Using the Configuration Wizard.
Selecting the Configuration Templates for Oracle Identity Manager
On the Templates screen, make sure Create Domain Using Product Templates is selected, then select the Oracle Identity Manager template.
Selecting this template automatically selects the following as dependencies:
- Oracle Enterprise Manager
- Oracle WSM Policy Manager
- Oracle JRF
- WebLogic Coherence Cluster Extension
Note:
- The basic WebLogic domain is pre-selected.
- Do not select Oracle SOA Suite in this screen. Oracle SOA Suite is automatically configured.
More information about the options on this screen can be found in Templates in Creating WebLogic Domains Using the Configuration Wizard.
Configuring High Availability Options
If you are not using a high availability setup, accept the default values on this screen and then click Next to proceed to the next screen. Use this screen to configure service migration and persistence settings that affect high availability.
This screen appears for the first time when you create a cluster that uses automatic service migration, persistent stores, or both. All subsequent clusters that are added to the domain by using the Configuration Wizard automatically apply the selected HA options.
Enable Automatic Service Migration
Select Enable Automatic Service Migration to enable pinned services to migrate automatically to a healthy Managed Server for failover. It configures migratable target definitions that are required for automatic service migration and the cluster leasing. Choose one of these cluster leasing options:
- Database Leasing - Managed Servers use a table on a valid JDBC System Resource for leasing. Requires that the Automatic Migration data source have a valid JDBC System Resource. If you select this option, the Migration Basis is configured to Database and the Data Source for Automatic Migration is also automatically configured by the Configuration Wizard. If you have a high availability database, such as Oracle RAC, to manage leasing information, configure the database for server migration according to steps in High-availability Database Leasing.
- Consensus Leasing - Managed Servers maintain leasing information in-memory. You use Node Manager to control Managed Servers in a cluster. (All servers that are migratable, or which could host a migratable target, must have a Node Manager associated with them.) If you select this option, the Migration Basis is configured to Consensus by the Configuration Wizard.
See Leasing for more information on leasing.
See Service Migration for more information on Automatic Service Migration.
JTA Transaction Log Persistence
- Default Persistent Store - Configures the JTA Transaction Log store of the servers in the default file store.
- JDBC TLog Store - Configures the JTA Transaction Log store of the servers in JDBC stores.
Oracle recommends that you select JDBC TLog Store. When you complete the configuration, you have a cluster where JDBC persistent stores are set up for Transaction logs.
JMS Server Persistence
A persistent JMS store is a physical repository for storing persistent message data and durable subscribers. It can be either a disk-based file store or a JDBC-accessible database. You can use a JMS file store for paging of messages to disk when memory is exhausted.
- JMS File Store - Configures a component to use JMS File Stores. If you select this option, you can choose the File Store option in the Advanced Configuration Screen to change the settings, if required. In the File Stores screen, you can set file store names, directories, and synchronous write policies.
- JMS JDBC Store - Configures a component to use JDBC stores for all its JMS servers. When you complete the configuration, you have a cluster and JDBC persistent stores are configured for the JMS servers.
This is the recommended option for Oracle Identity Governance 12c (12.2.1.4.0).
Selecting the Application Home Location
Use the Application Location screen to select the location to store applications associated with your domain, also known as the Application home directory.
Oracle recommends that you locate your Application home in accordance with the directory structure in What Are the Key Oracle Fusion Middleware Directories? in Understanding Oracle Fusion Middleware, where the Application home is located outside the Oracle home directory. This directory structure helps avoid issues when you need to upgrade or re-install your software.
For more about the Application home directory, see About the Application Home Directory.
For more information about this screen, see Application Location in Creating WebLogic Domains Using the Configuration Wizard.
Configuring the Administrator Account
Use the Administrator Account screen to specify the user name and password for the default WebLogic Administrator account for the domain.
Oracle recommends that you make a note of the user name and password that you enter on this screen; you need these credentials later to boot and connect to the domain's Administration Server.
For more information about this screen, see Administrator Account in Creating WebLogic Domains Using the Configuration Wizard.
Specifying the Domain Mode and JDK
Use the Domain Mode and JDK screen to specify the domain mode and Java Development Kit (JDK).
On the Domain Mode and JDK screen:
- Select Production in the Domain Mode field.
- Select the Oracle HotSpot JDK in the JDK field.
Specifying the Database Configuration Type
Use the Database Configuration type screen to specify details about the database and database schema.
On the Database Configuration type screen, select RCU Data. This option instructs the Configuration Wizard to connect to the database and Service Table (STB) schema to automatically retrieve schema information for schemas needed to configure the domain.
Note:
If you select Manual Configuration on this screen, you must manually fill in parameters for your schema on the next screen.
For an Autonomous Transaction Processing database (both Oracle Autonomous Transaction Processing-Dedicated (ATP-D) and Oracle Autonomous Transaction Processing-Shared (ATP-S)), you must select only the RCU Data option.
After selecting RCU Data, specify details in the following fields:
Field | Description |
---|---|
DBMS/Service | Enter the database DBMS name, or service name if you selected a service type driver. Example: |
Host Name | Enter the name of the server hosting the database. Example: |
Port | Enter the port number on which the database listens. Example: |
Schema Owner, Schema Password | Enter the username and password for connecting to the database's Service Table schema. This is the schema username and password entered for the Service Table component on the Schema Passwords screen in the RCU (see Specifying Schema Passwords). The default username is |
For an Autonomous Transaction Processing database (both Oracle Autonomous Transaction Processing-Dedicated (ATP-D) and Oracle Autonomous Transaction Processing-Shared (ATP-S)), specify the connection credentials using only the Connection URL String option, and enter the connect string in the following format:
jdbc:oracle:thin:@TNS_alias?TNS_ADMIN=<path of the wallet files, ojdbc.properties, and tnsnames.ora>
In the connect string, you must pass TNS_alias as the database name found in tnsnames.ora, and set the TNS_ADMIN property to the location of the wallet files, ojdbc.properties, and tnsnames.ora.
Example connect string for Oracle Autonomous Transaction Processing-Dedicated (ATP-D) database:
jdbc:oracle:thin:@dbname_medium?TNS_ADMIN=/users/test/wallet_dbname/
Example connect string for Oracle Autonomous Transaction Processing-Shared (ATP-S) database:
jdbc:oracle:thin:@dbname_tp?TNS_ADMIN=/users/test/wallet_dbname/
Click Get RCU Configuration when you finish specifying the database connection information. The following output in the Connection Result Log indicates that the operation succeeded:
Connecting to the database server...OK
Retrieving schema data from database server...OK
Binding local schema components with retrieved data...OK
Successfully Done.
For more information about the schema installed when the RCU is run, see About the Service Table Schema in Creating Schemas with the Repository Creation Utility.
See Database Configuration Type in Creating WebLogic Domains Using the Configuration Wizard.
Specifying JDBC Component Schema Information
Use the JDBC Component Schema screen to verify or specify details about the database schemas.
Verify that the values populated on the JDBC Component Schema screen are correct for all schemas. If you selected RCU Data on the previous screen, the schema table should already be populated appropriately. If you selected Manual configuration on the Database Configuration screen, you must configure the schemas listed in the table manually, before you proceed.
For an Autonomous Transaction Processing database (both Oracle Autonomous Transaction Processing-Dedicated (ATP-D) and Oracle Autonomous Transaction Processing-Shared (ATP-S)), specify the connection credentials using only the Connection URL String option, and enter the connect string in the following format:
jdbc:oracle:thin:@TNS_alias?TNS_ADMIN=<path of the wallet files, ojdbc.properties, and tnsnames.ora>
In the connect string, you must pass TNS_alias as the database name found in tnsnames.ora, and set the TNS_ADMIN property to the location of the wallet files, ojdbc.properties, and tnsnames.ora.
Example connect string for Oracle Autonomous Transaction Processing-Dedicated (ATP-D) database:
jdbc:oracle:thin:@dbname_medium?TNS_ADMIN=/users/test/wallet_dbname/
Example connect string for Oracle Autonomous Transaction Processing-Shared (ATP-S) database:
jdbc:oracle:thin:@dbname_tp?TNS_ADMIN=/users/test/wallet_dbname/
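The ATP connect-string format above, which is used on both the Database Configuration Type and JDBC Component Schema screens, can be checked before it is entered in the wizard. The following Python preflight is an added example, not Oracle tooling: the function names and the sample directory are hypothetical, and the owner-only permission check is an assumed hardening policy rather than a requirement stated in this guide.

```python
import os
import re
import stat
import tempfile

# Connect-string form given on this page for ATP-D and ATP-S.
CONNECT_RE = re.compile(
    r"^jdbc:oracle:thin:@(?P<alias>[^?/:@\s]+)\?TNS_ADMIN=(?P<tns_admin>\S+)$")
REQUIRED_FILES = ("tnsnames.ora", "ojdbc.properties")


def parse_connect_string(url):
    """Return (TNS alias, TNS_ADMIN directory) or raise ValueError."""
    match = CONNECT_RE.match(url.strip())
    if match is None:
        raise ValueError(
            "connect string is not jdbc:oracle:thin:@TNS_alias?TNS_ADMIN=<dir>")
    return match.group("alias"), match.group("tns_admin")


def tns_aliases(tnsnames_text):
    """Collect alias names defined at the top level of tnsnames.ora text."""
    aliases, depth = set(), 0
    for raw in tnsnames_text.splitlines():
        line = raw.split("#", 1)[0]      # drop comments
        if depth == 0:                   # only outside a (description=...) body
            match = re.match(r"\s*([\w.\-]+)\s*=", line)
            if match:
                aliases.add(match.group(1).lower())
        depth += line.count("(") - line.count(")")
    return aliases


def check_connect_string(url):
    """Return a list of problems; an empty list means the preflight passed."""
    try:
        alias, tns_admin = parse_connect_string(url)
    except ValueError as exc:
        return [str(exc)]
    if not os.path.isdir(tns_admin):
        return [f"TNS_ADMIN directory not found: {tns_admin}"]

    problems = []
    for name in REQUIRED_FILES:
        if not os.path.isfile(os.path.join(tns_admin, name)):
            problems.append(f"{name} is missing from TNS_ADMIN")

    tnsnames = os.path.join(tns_admin, "tnsnames.ora")
    if os.path.isfile(tnsnames):
        with open(tnsnames, encoding="utf-8", errors="replace") as handle:
            if alias.lower() not in tns_aliases(handle.read()):
                problems.append(f"alias {alias} is not defined in tnsnames.ora")

    # Assumed policy (not from the page): owner-only access to wallet material.
    for entry in [""] + sorted(os.listdir(tns_admin)):
        path = os.path.join(tns_admin, entry)
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & 0o077:
            label = entry or "TNS_ADMIN directory"
            problems.append(f"{label} is open to group/other (mode {mode:03o})")
    return problems


def build_sample_dir():
    """Create a constructed TNS_ADMIN directory for the demo (no real wallet)."""
    root = tempfile.mkdtemp(prefix="wallet_dbname_")
    files = {
        "tnsnames.ora": (
            "# constructed sample entries\n"
            "dbname_medium = (description=(address=(protocol=tcps)"
            "(host=adb.example.com)(port=1522))\n"
            "    (connect_data=(service_name=example_medium)))\n"
            "dbname_tp =\n"
            "  (description=\n"
            "    (address=(protocol=tcps)(host=adb.example.com)(port=1522))\n"
            "    (connect_data=(service_name=example_tp)))\n"),
        "ojdbc.properties": "# constructed placeholder\n",
    }
    for name, body in files.items():
        path = os.path.join(root, name)
        with open(path, "w", encoding="utf-8") as handle:
            handle.write(body)
        os.chmod(path, 0o600)
    return root


if __name__ == "__main__":
    sample = build_sample_dir()
    for alias in ("dbname_medium", "dbname_low"):
        url = f"jdbc:oracle:thin:@{alias}?TNS_ADMIN={sample}"
        print(alias, check_connect_string(url) or "OK")
```

The permission check relies on POSIX file modes, so it is meaningful on UNIX hosts only.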
For high availability environments, see the following sections in High Availability Guide for additional information on configuring data sources for Oracle RAC databases:
See JDBC Component Schema in Creating WebLogic Domains Using the Configuration Wizard for more details about this screen.
Testing the JDBC Connections
Use the JDBC Component Schema Test screen to test the data source connections.
A green check mark in the Status column indicates a successful test. If you encounter any issues, see the error message in the Connection Result Log section of the screen, fix the problem, then try to test the connection again.
By default, the schema password for each schema component is the password you specified while creating your schemas. If you want different passwords for different schema components, manually edit them in the previous screen (JDBC Component Schema) by entering the password you want in the Schema Password column, against each row. After specifying the passwords, select the check box corresponding to the schemas that you changed the password in and test the connection again.
For more information about this screen, see JDBC Component Schema Test in Creating WebLogic Domains Using the Configuration Wizard.
Entering Credentials
Use the Credentials screen to set credentials for each key in the domain.
Note:
Ensure that you specify keystore as the username for the key Keystore, and xelsysadm as the username for the key sysadmin.
Table 4-5 Values to be Specified on the Credentials Screen
Key Name | Username | Password | Store Name |
---|---|---|---|
Keystore | | Specify the password for keystore. | |
OIMSchemaPassword | Specify the schema username for OIM operations database. | Specify the schema password of the OIM operations database schema owner. | |
sysadmin | | Specify the sysadmin password. | |
WebLogicAdminKey | Specify the username of the WebLogic administrator account for OIM domain. | Specify the password of the WebLogic administrator account for OIM domain. | |
Specifying the Path to the Keystore Certificate or Key
Use the Keystore screen to specify either the path to the trusted certificate for each keystore, or the path to each keystore’s private key and other private key information.
When you click in the Trusted Certificate, Private Key, or Identity Certificate fields, a browse icon appears to the right of the field. Click this icon to browse to the appropriate file.
For more information about this screen, see Keystore in Creating WebLogic Domains Using the Configuration Wizard.
Selecting Advanced Configuration
Use the Advanced Configuration screen to complete the domain configuration.
On the Advanced Configuration screen, select:
- Administration Server
  Required to properly configure the listen address of the Administration Server.
- Node Manager
  Required to configure Node Manager.
- Topology
  Required to configure the Oracle Identity Governance Managed Server.
Optionally, select other available options as required for your desired installation environment. The steps in this guide describe a standard installation topology, but you may choose to follow a different path. If your installation requirements extend to additional options outside the scope of this guide, you may be presented with additional screens to configure those options. For information about all Configuration Wizard screens, see Configuration Wizard Screens in Creating WebLogic Domains Using the Configuration Wizard.
Configuring the Administration Server Listen Address
Use the Administration Server screen to select the IP address of the host.
Select the drop-down list next to Listen Address and select the IP address of the host where the Administration Server will reside, or use the system name or DNS name that maps to a single IP address. Do not use All Local Addresses.
Do not specify any server groups for the Administration Server.
Configuring Node Manager
Use the Node Manager screen to select the type of Node Manager you want to configure, along with the Node Manager credentials.
Select Per Domain Default Location as the Node Manager type, then specify Node Manager credentials.
For more information about this screen, see Node Manager in Creating WebLogic Domains Using the Configuration Wizard.
For more about Node Manager types, see Node Manager Overview in Administering Node Manager for Oracle WebLogic Server.
Configuring Managed Servers for Oracle Identity Manager
On the Managed Servers screen, the new Managed Servers named oim_server1 and soa_server1 are automatically created by default.
These server names are referenced throughout this document; if you choose different names be sure to replace them as needed.
Tip:
For details about options on this screen, see Managed Servers in Creating WebLogic Domains Using the Configuration Wizard.
Configuring a Cluster for Oracle Identity Manager
Use the Clusters screen to create a new cluster. This is required for an Oracle Identity Governance high availability setup.
On the Clusters screen:
By default, server instances in a cluster communicate with one another using unicast. If you want to change your cluster communications to use multicast, see Considerations for Choosing Unicast or Multicast in Administering Clusters for Oracle WebLogic Server.
You can also create clusters using Fusion Middleware Control. In this case, you can configure cluster communication (unicast or multicast) when you create the new cluster. See Create and configure clusters in Oracle WebLogic Server Administration Console Online Help.
Tip:
For more information about this screen, see Clusters in Creating WebLogic Domains Using the Configuration Wizard.
Defining Server Templates
If you are creating dynamic clusters for a high availability setup, use the Server Templates screen to define one or more server templates for the domain.
For steps to create a dynamic cluster for a high availability setup, see Using Dynamic Clusters in High Availability Guide.
Configuring Dynamic Servers
If you are creating dynamic clusters for a high availability setup, use the Dynamic Servers screen to configure the dynamic servers.
If you are not configuring a dynamic cluster, click Next to continue configuring the domain.
Note:
When you create dynamic clusters, keep in mind that after you assign the Machine Name Match Expression, you do not need to create machines for your dynamic cluster.
To create a dynamic cluster for a high availability setup, see Using Dynamic Clusters in High Availability Guide.
Assigning Oracle Identity Manager Managed Servers to the Cluster
If you are configuring a single-node non-clustered setup, click Next and go to the next screen. Use the Assign Servers to Clusters screen to assign Managed Servers to a new configured cluster. A configured cluster is a cluster you configure manually. You do not use this screen if you are configuring a dynamic cluster, a cluster that contains one or more generated server instances that are based on a server template.
For more on configured cluster and dynamic cluster terms, see About Dynamic Clusters in Understanding Oracle WebLogic Server.
On the Assign Servers to Clusters screen:
Tip:
For more information about this screen, see Assign Servers to Clusters in Creating WebLogic Domains Using the Configuration Wizard.
Configuring Coherence Clusters
Use the Coherence Clusters screen to configure the Coherence cluster.
Leave the default port number as the Coherence cluster listen port. After configuration, the Coherence cluster is automatically added to the domain.
Note:
Setting the unicast listen port to 0 creates an offset for the Managed Server port numbers. The offset is 5000, meaning the maximum allowed value that you can assign to a Managed Server port number is 60535, instead of 65535.
See Table 5-2 for more information and next steps for configuring Coherence.
For Coherence licensing information, see Oracle Coherence Products in Licensing Information.
Creating a New Oracle Identity Manager Machine
Use the Machines screen to create new machines in the domain. A machine is required so that Node Manager can start and stop servers.
Tip:
If you plan to create a high availability environment and know the list of machines your target topology requires, you can follow the instructions in this section to create all the machines at this time. For more about scale out steps, see Optional Scale Out Procedure in High Availability Guide.
Note:
If you are extending an existing domain, you can assign servers to any existing machine. It is not necessary to create a new machine unless your situation requires it.
Tip:
For more information about this screen, see Machines in Creating WebLogic Domains Using the Configuration Wizard.
Assigning Servers to Oracle Identity Manager Machines
Use the Assign Servers to Machines screen to assign the Administration Server and Managed Servers to the new machine you just created.
On the Assign Servers to Machines screen:
Tip:
For more information about this screen, see Assign Servers to Machines in Creating WebLogic Domains Using the Configuration Wizard.
Virtual Targets
If you have a WebLogic Server Multitenant (MT) environment, you use the Virtual Targets screen to add or delete virtual targets. For this installation (not a WebLogic Server MT environment), you do not enter any values; just select Next.
For details about this screen, see Virtual Targets in Creating WebLogic Domains Using the Configuration Wizard.
Note:
WebLogic Server Multitenant virtual targets are deprecated in WebLogic Server 12.2.1.4.0 and will be removed in the next release.
Partitions
The Partitions screen is used to configure partitions for virtual targets in WebLogic Server Multitenant (MT) environments. Select Next without selecting any options.
For details about options on this screen, see Partitions in Creating WebLogic Domains Using the Configuration Wizard.
Note:
WebLogic Server Multitenant domain partitions are deprecated in WebLogic Server 12.2.1.4.0 and will be removed in the next release.
Configuring Domain Frontend Host
The Domain Frontend Host screen can be used to configure the frontend host for the domain.
Select Plain or SSL and specify the respective host value.
Click Next.
Targeting the Deployments
The Deployments Targeting screen can be used to target the available deployments to the servers.
Targeting the Services
The Services Targeting screen can be used to target the available services to the Servers.
File Stores
The File Stores screen lists the available file stores.
Reviewing Your Configuration Specifications and Configuring the Domain
The Configuration Summary screen shows detailed configuration information for the domain you are about to create.
Review each item on the screen and verify that the information is correct. To make any changes, go back to a screen by clicking the Back button or selecting the screen in the navigation pane. Domain creation does not start until you click Create.
For more details about options on this screen, see Configuration Summary in Creating WebLogic Domains Using the Configuration Wizard.
Writing Down Your Domain Home and Administration Server URL
The End of Configuration screen shows information about the domain you just configured.
Make a note of the following items because you need them later:
- Domain Location
- Administration Server URL
You need the domain location to access scripts that start Node Manager and Administration Server, and you need the URL to access the Administration Server.
Click Finish to dismiss the Configuration Wizard.
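Once the domain exists, the choices made on the Domain Mode and JDK, Administration Server, and Assign Servers to Machines screens can be read back from the domain's config.xml. The following Python audit is an added example, not part of the Oracle documentation; it assumes the standard WebLogic config.xml layout under DOMAIN_HOME/config, and the sample XML, host names and machine name are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"d": "http://xmlns.oracle.com/weblogic/domain"}
# An empty or wildcard listen address means the server binds every interface.
ALL_LOCAL = {"", "0.0.0.0", "::", "[::]"}

# Constructed config.xml fragments; domain, host and machine names are made up.
WEAK_CONFIG = """<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <name>oim_domain</name>
  <server>
    <name>AdminServer</name>
    <listen-address></listen-address>
  </server>
  <server>
    <name>soa_server1</name>
    <machine>oim_machine_1</machine>
    <listen-address>oimhost.example.com</listen-address>
  </server>
  <server>
    <name>oim_server1</name>
    <listen-address>oimhost.example.com</listen-address>
  </server>
  <production-mode-enabled>false</production-mode-enabled>
  <admin-server-name>AdminServer</admin-server-name>
</domain>"""

CORRECTED_CONFIG = """<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <name>oim_domain</name>
  <server>
    <name>AdminServer</name>
    <machine>oim_machine_1</machine>
    <listen-address>oimhost.example.com</listen-address>
  </server>
  <server>
    <name>soa_server1</name>
    <machine>oim_machine_1</machine>
    <listen-address>oimhost.example.com</listen-address>
  </server>
  <server>
    <name>oim_server1</name>
    <machine>oim_machine_1</machine>
    <listen-address>oimhost.example.com</listen-address>
  </server>
  <production-mode-enabled>true</production-mode-enabled>
  <admin-server-name>AdminServer</admin-server-name>
</domain>"""


def text_of(elem, tag):
    """Stripped text of a direct child element, or '' when it is absent."""
    child = elem.find(f"d:{tag}", NS)
    return (child.text or "").strip() if child is not None else ""


def audit_domain(config_xml):
    """Compare config.xml content with the wizard choices this guide calls for."""
    data = config_xml.encode("utf-8") if isinstance(config_xml, str) else config_xml
    root = ET.fromstring(data)
    findings = []

    # Domain Mode and JDK screen: Production mode.
    if text_of(root, "production-mode-enabled").lower() != "true":
        findings.append("domain mode is not Production")

    # Administration Server screen: a single address, not All Local Addresses.
    # Falling back to the name AdminServer is an assumption of this example.
    admin_name = text_of(root, "admin-server-name") or "AdminServer"
    servers = {text_of(s, "name"): s for s in root.findall("d:server", NS)}
    admin = servers.get(admin_name)
    if admin is None:
        findings.append(f"{admin_name} has no <server> entry")
    elif text_of(admin, "listen-address") in ALL_LOCAL:
        findings.append(f"{admin_name} listens on All Local Addresses")

    # Assign Servers to Machines screen: Node Manager needs a machine per server.
    for name, server in servers.items():
        if not text_of(server, "machine"):
            findings.append(f"{name} is not assigned to a machine")
    return findings


def audit_file(path):
    """Audit a config.xml on disk, for example DOMAIN_HOME/config/config.xml."""
    with open(path, "rb") as handle:
        return audit_domain(handle.read())


if __name__ == "__main__":
    for label, xml in (("weak", WEAK_CONFIG), ("corrected", CORRECTED_CONFIG)):
        print(label, audit_domain(xml) or "OK")
```

Servers generated from a dynamic cluster's server template do not appear as `<server>` entries, so the machine check applies to configured servers only.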
Additional Domain Configuration
Use the Configuration Wizard to update the domain.
For information on other methods to create domains, see Additional Tools for Creating, Extending, and Managing WebLogic Domains in Creating WebLogic Domains Using the Configuration Wizard.
- Change to the following directory:
  (UNIX) ORACLE_HOME/oracle_common/common/bin
  (Windows) ORACLE_HOME\oracle_common\common\bin
  Where, ORACLE_HOME is your 12c (12.2.1.4.0) Oracle home.
- Enter the following command:
  (UNIX) ./config.sh
  (Windows) config.cmd
  The configuration screen is displayed.
- On the Configuration Type screen, select Update an existing domain.
- In the Domain Location field, specify the Domain home directory.
- On the Templates screen, select Update Domain Using Custom Template.
- In the Template location field, specify:
ORACLE_HOME/soa/common/templates/wls/oracle.soa.classic.domain_template.jar
- Complete the configuration wizard by entering the required values in the respective screens. For information about the configuration screens, see Navigating the Configuration Wizard Screens to Create and Configure the Domain.
Performing Post-Configuration Tasks
After you configure the Oracle Identity Governance domain, perform the necessary post-configuration tasks.
Topics
- Running the Offline Configuration Command
  After you configure the Oracle Identity Governance domain, run the offlineConfigManager script to perform post configuration tasks.
Parent topic: Configuring the Oracle Identity Governance Domain
Running the Offline Configuration Command
After you configure the Oracle Identity Governance domain, run the offlineConfigManager script to perform post configuration tasks.
offlineConfigManager command, do the following:
Parent topic: Performing Post-Configuration Tasks
Starting the Servers
After a successful configuration, start all processes and servers, including the Administration Server and any Managed Servers.
The components may be dependent on each other so they must be started in the correct order.
Note:
The procedures in this section describe how to start servers and processes using the WLST command line or a script. You can also use the Oracle Fusion Middleware Control and the Oracle WebLogic Server Administration Console. See Starting and Stopping Administration and Managed Servers and Node Manager in Administering Oracle Fusion Middleware.
To start your Fusion Middleware environment, follow the steps below.
Step 1: Start Node Manager
To start Node Manager, use the startNodeManager script:
- (UNIX) EXISTING_DOMAIN_HOME/bin/startNodeManager.sh
- (Windows) EXISTING_DOMAIN_HOME\bin\startNodeManager.cmd
Step 2: Start the Administration Server
When you start the Administration Server, you also start the processes running in the Administration Server, including the WebLogic Server Administration Console and Fusion Middleware Control.
To start the Administration Server, use the startWebLogic script:
- (UNIX) EXISTING_DOMAIN_HOME/bin/startWebLogic.sh
- (Windows) EXISTING_DOMAIN_HOME\bin\startWebLogic.cmd
When you created the domain, if you selected Production Mode on the Domain Mode and JDK screen, a prompt for the Administrator user login credentials is displayed. Provide the same credentials that you provided on the Administrator Account screen.
For an Autonomous Transaction Processing database (both Oracle Autonomous Transaction Processing-Dedicated (ATP-D) and Oracle Autonomous Transaction Processing-Shared (ATP-S)), when you access the Sysadmin Console (http://<machine_name>:<oim_server_port>/sysadmin) and the OIM Console (http://<machine_name>:<oim_server_port>/identity), JET UI does not work and blank pages are displayed, and the following error message may be displayed in the Administration Server logs.
Example message:
<AdminServer> <[ACTIVE] ExecuteThread: '63' for queue: 'weblogic.kernel.Default (self-tuning)'> <weblogic> <>
<16023522-e47f-40f4-a66f-7ea3729188d1-00000064> <1628079696204>
<[severity-value: 8] [rid: 0] [partition-id: 0] [partition-name: DOMAIN] >
<BEA-240003> <Administration Console encountered the following error:
java.lang.NoSuchMethodError:
org.glassfish.jersey.internal.LocalizationMessages.WARNING_PROPERTIES()Ljava/lang/String; at
org.glassfish.jersey.internal.config.SystemPropertiesConfigurationModel.getProperties(SystemPropertiesConfigurationModel.java:122) at
org.glassfish.jersey.internal.config.SystemPropertiesConfigurationProvider.getProperties(SystemPropertiesConfigurationProvider.java:29) at
org.glassfish.jersey.internal.config.ExternalPropertiesConfigurationFactory.readExternalPropertiesMap(ExternalPropertiesConfigurationFactory.java:55) at
org.glassfish.jersey.internal.config.ExternalPropertiesConfigurationFactory.configure(ExternalPropertiesConfigurationFactory.java:72) at
org.glassfish.jersey.internal.config.ExternalPropertiesConfigurationFeature.configure(ExternalPropertiesConfigurationFeature.java:26) at
org.glassfish.jersey.model.internal.CommonConfig.configureFeatures(CommonConfig.java:730)
Note:
If JET UI does not work, blank pages are displayed for the following screens:
- OIM Console
  - Application onboarding (AOB)
  - Account > Resource History
  - Open Tasks
- Sysadmin Console
  - IT Resource Create/Search
  - Manage Connector
  - Import/Export (Deployment Manager)
The workaround is to restart the Administration Server, Oracle SOA Server, and Oracle Identity Manager (OIM) Server from the terminal after unsetting classpath using the command:
export CLASSPATH=
Note:
You must restart the servers in the following order:
- Administration Server
- Oracle SOA Server
- Oracle OIM Server
Step 3: Start the Managed Servers
- If Node Manager is not configured, start the Managed Servers using the following instructions:
  Start the Oracle SOA Suite Managed Server first and then the Oracle Identity Governance Managed Server.
  To start a WebLogic Server Managed Server, use the startManagedWebLogic script:
  - (UNIX) EXISTING_DOMAIN_HOME/bin/startManagedWebLogic.sh managed_server_name admin_url
  - (Windows) EXISTING_DOMAIN_HOME\bin\startManagedWebLogic.cmd managed_server_name admin_url
  When prompted, enter your user name and password. This is the same user name and password that you provided on the Administrator Account screen when creating the domain.
  Note:
  The startup of a Managed Server will typically start the applications that are deployed to it. Therefore, it should not be necessary to manually start applications after the Managed Server startup.
- If Node Manager is configured, start the Managed Servers using the following instructions:
  - Launch the Administration Console:
    - Using a web browser, open the following URL:
      http://hostname:port/console
      Where:
      - hostname is the administration server host.
      - port is the administration server port on which the host server is listening for requests (7001 by default)
    - When the login page appears, enter the user name and password you used to start the Administration Server.
  - Start Managed Servers from the Administration Console. For instructions, see Start Managed Servers from the Administration Console.
Integrating Oracle Identity Governance with Oracle SOA Suite
To integrate Oracle Identity Governance with Oracle SOA Suite, use the Enterprise Manager console.
Verifying the Configuration
After completing all configuration steps, you can perform additional steps to verify that your domain is properly configured.
Using a web browser, go to the URL: http://HOSTNAME:PORT/identity
In this URL, HOSTNAME represents the name of the computer hosting the application server and PORT refers to the port on which the Oracle Identity Governance server is listening.
For information about integrating Oracle Identity Governance with other Identity Management components, see Introduction to IdM Suite Components Integration in Integration Guide for Oracle Identity Management Suite.
For more information about performing additional domain configuration tasks, see Performing Additional Domain Configuration Tasks.
Analyzing the Bootstrap Report
When you start the Oracle Identity Governance server, the bootstrap report is generated at DOMAIN_HOME/servers/oim_server1/logs/BootStrapReportPreStart.html.
BootStrapReportPreStart.html is an HTML file that contains information about the topology that you have deployed, the system level details, the connection details such as the URLs to be used, the connectivity check, and the task execution details. You can use this report to check whether the system is up, and to troubleshoot issues after configuration.
Every time you start the Oracle Identity Governance server, the bootstrap report is updated.
Sections in the Bootstrap Report
- Topology Details
  This section contains information about your deployment. It shows whether you have configured a cluster setup, enabled SSL, or upgraded an Oracle Identity Manager environment from 12c (12.2.1.3.0) to 12c (12.2.1.4.0).
- System Level Details
  This section contains information about the JDK version, Database version, JAVA_HOME, DOMAIN_HOME, OIM_HOME, and ORACLE_HOME.
- Connection Details
  This section contains the connection details, such as the Administration URL, OIM Front End URL, SOA URL, and RMI URL.
  It also shows whether the Administration Server, Database, and SOA server are up.
- Execution Details
  This section lists the various tasks and their statuses.
Installing and Accessing the Oracle Identity Governance Design Console
If you wish to set up only the Oracle Identity Governance Design Console on a machine where the OIG server is not configured, then you must install Oracle Identity Governance 12c (12.2.1.4.0) in standalone mode, and then invoke the Design Console.
- Start the installation program by running the java executable from the JDK directory.
  Note:
  No prerequisite software is required to install Oracle Identity Governance Design Console.
  For example:
  - (UNIX) /home/Oracle/Java/jdk1.8.0_211/bin/java -jar fmw_12.2.1.4.0_idm.jar
  - (Windows) C:\home\Oracle\Java\jdk1.8.0_211\bin\java -jar fmw_12.2.1.4.0_idm.jar
- The installer shows a series of screens where you verify or enter information.
  The following table lists the order in which installer screens appear. If you need additional help with an installation screen, click Help.
Table 4-6 Install Screens (Screen, then Description)
- Installation Inventory Setup
  On Linux or UNIX operating systems, this screen opens if this is the first time you are installing any Oracle product on this host. Specify the location where you want to create your central inventory. Make sure that the operating system group name selected on this screen has write permissions to the central inventory location.
  See About the Oracle Central Inventory in Installing Software with the Oracle Universal Installer.
  This screen does not appear on Windows operating systems.
- Welcome
  Review the information to make sure that you have met all the prerequisites, then click Next.
- Auto Updates
  Select to skip automatic updates, select patches, or search for the latest software updates, including important security updates, through your My Oracle Support account.
- Installation Location
  Specify your Oracle home directory location.
  You can click View to verify and ensure that you are installing in the correct Oracle home.
  Note:
  Ensure that the Oracle Home path does not contain spaces.
- Installation Type
  Use the Standalone Installation Type.
  Standalone mode is a type of installation that is managed independently of WebLogic Server. The only component that you can install using standalone mode is the Oracle Identity Governance Design Console.
- Prerequisite Checks
  This screen verifies that your system meets the minimum necessary requirements.
  To view the list of tasks that are verified, select View Successful Tasks. To view log details, select View Log. If any prerequisite check fails, then an error message appears at the bottom of the screen. Fix the error and click Rerun to try again. To ignore the error or the warning message and continue with the installation, click Skip (not recommended).
- Installation Summary
  Use this screen to verify the installation options you selected. If you want to save these options to a response file, click Save Response File and enter the response file location and name. The response file collects and stores all the information that you have entered, and enables you to perform a silent installation (from the command line) at a later time.
  Click Install to begin the installation.
- Installation Progress
  This screen shows the installation progress.
  When the progress bar reaches 100% complete, click Finish to dismiss the installer, or click Next to see a summary.
- Installation Complete
  This screen displays the Installation Location and the Feature Sets that are installed. Review this information and click Finish to close the installer.
Troubleshooting
This section lists the common issues encountered while configuring Oracle Identity Governance and their workarounds.
Topics
- Description of the Log Codes
  When you encounter any error during the Oracle Identity Governance 12c (12.2.1.4.0) installation, search for the log code in the DOMAIN_HOME/servers/oim_server/logs/oim-diagnostic.log file to diagnose the issue.
- Exception in the Oracle Identity Manager Server Logs After Starting the Servers
  After you configure the Oracle Identity Manager domain, when you start the servers, the “Unable to resolve 'TaskQueryService'” exception is seen in the Oracle Identity Manager (OIM) Server logs, which can be ignored.
- Oracle Identity Manager Bootstrap Fails with Hostname Verification Error
  If the Oracle Identity Manager bootstrap fails with the following SSL hostname verification failing error, use the workaround described in this section:
- Error When Accessing Pending Approvals Page in a Multinode Setup
  In an Oracle Identity Governance multinode setup, the following error is displayed when you access the Pending Approvals page on a remote node:
- OIM Gridlink Datasources Show Suspended State When 11.2.0.4.0 RAC Database is Used
  When you run the Configuration Wizard to configure Oracle Identity Manager gridlink datasources with 11.2.0.4.0 RAC Database, the following warning is displayed:
- Server Consoles are Inaccessible in a Clustered Domain
  After you configure the Oracle Identity Governance domain, the Administration Server console and the Managed Server consoles are inaccessible.
- OIM Server Fails to Come up Due to SOA Server not Completely Up
  If the Oracle SOA Server (SOA) is not up completely, the Oracle Identity Manager (OIM) Server fails to start.
- Oracle Identity Manager Server Throws OutOfMemoryError
  After you configure Oracle Identity Manager 12c (12.2.1.4.0), when you start the OIM 12c (12.2.1.4.0) Server, OutOfMemoryError is thrown.
- ‘ADFContext leak detected’ Message in the OIM Server Logs
  When you start the Oracle Identity Manager (OIM) 12c (12.2.1.4.0) server, the following error is seen in the OIM server logs:
- ADF Controller Exception in the SOA Server Logs
  After you configure Oracle Identity Governance 12c (12.2.1.4.0), when you start the Oracle SOA Suite (SOA) server, the following exception is shown in the SOA server logs:
Description of the Log Codes
When you encounter any error during the Oracle Identity Governance 12c (12.2.1.4.0) installation, search for the log code in the DOMAIN_HOME/servers/oim_server/logs/oim-diagnostic.log file to diagnose the issue.
- IAM-3070001 — Error loading configuration required for Bootstrap
- IAM-3070002 — Could not connect to DB using CSF Credentials, Please verify crednetials seeded in CSF under key
- IAM-3070003 — Could not connect to WLS using CSF credentials ,Please verify credentials seeded in CSF for
- IAM-3070004 — Validation for CSF Credentials failed. Exiting OIM_CONFIG, Please verify and fix CSF Credentials
- IAM-3070005 — Validation for CSF Credentials Successful
- IAM-3070006 — Task Not Found
- IAM-3070007 — Task failed
- IAM-3070008 — BootStrap configuration Failed
- IAM-3070009 — BootStrap configuration Successful
- IAM-3070010 — Successfully completed
Exception in the Oracle Identity Manager Server Logs After Starting the Servers
After you configure the Oracle Identity Manager domain, when you start the servers, the “Unable to resolve 'TaskQueryService'” exception is seen in the Oracle Identity Manager (OIM) Server logs, which can be ignored.
javax.naming.NameNotFoundException: Unable to resolve 'TaskQueryService'.
Resolved ''; remaining name 'TaskQueryService'
This exception can be ignored.
Oracle Identity Manager Bootstrap Fails with Hostname Verification Error
If the Oracle Identity Manager bootstrap fails with the following SSL hostname verification failing error, use the workaround described in this section:
<Warning> <Security> <BEA-090960> <The servers
SSL configuration is not available. There will potentially be SSL handshake
failures.>
<Nov 28, 2018 9:04:32 AM PDT> <Warning> <Security> <BEA-090924> <JSSE has
been selected by default, since the SSLMBean is not available.>
<Nov 28, 2018 9:04:32 AM PDT> <Info> <Security> <BEA-090908> <Using the
default WebLogic SSL Hostname Verifier implementation.>
<Nov 28, 2018 9:04:34 AM PDT> <Notice> <Security> <BEA-090169> <Loading
trusted certificates from the kss keystore file kss://system/trust.>
Nov 28, 2018 9:04:34 AM
oacle.security.opss.internal.runtime.ServiceContextManagerImpl getContext
WARNING: Bootstrap services are used by OPSS internally and clients should
never need to directly read/write bootstrap credentials. If required, use
Wlst or configuration management interfaces.
<Nov 28, 2018 9:04:34 AM PDT> <Notice> <Security> <BEA-090169> <Loading
trusted certificates from the jks keystore file
/host/jdk1.8.0_171/jre/lib/security/cacerts.>
<Nov 28, 2018 9:04:34 AM PDT> <Info> <Management> <BEA-141307> <Unable to
connect to the Administration Server. Waiting 5 second(s) to retry (attempt
number 1 of 3).>
To resolve this issue, start the Oracle Identity Governance Managed Server using the following command:
- On Unix:
  ./startManagedWebLogic.sh oim_server_name t3://admin_server_host:port
- On Windows:
  startManagedWebLogic.cmd oim_server_name t3://admin_server_host:port
In this command, you must specify the non-SSL port for port.
Error When Accessing Pending Approvals Page in a Multinode Setup
In an Oracle Identity Governance multinode setup, the following error is displayed when you access the Pending Approvals page on a remote node:
[oim_server1] [ERROR] [] [oracle.iam] [tid:
[ACTIVE].ExecuteThread: '0' for queue: 'weblogic.kernel.Default
(self-tuning)'] [userId: xelsysadm] [ecid:
cea9a502-afb8-4d3d-85a4-cb61d2878065-0000276e,0] [APP:
oracle.iam.console.identity.self-service.ear] [partition-name: DOMAIN]
[tenant-name: GLOBAL] [DSID: 0000LfRXW3_7Y7QLIag8yf1OmuCL000004] Unable to
retrieve User View
Listoracle.bpel.services.workflow.client.WorkflowServiceClientException:
javax.naming.CommunicationException: Failed to initialize JNDI context, tried
2 time or times totally, the interval of each time is 0ms. [[
t3://host.example.com:1234: Destination 10.10.10.1, 1234
unreachable.; nested exception is:
java.net.ConnectException: Connection refused; No available router to
destination.; nested exception is:
java.rmi.ConnectException: No available router to destination. [Root
exception is java.net.ConnectException: t3://host.example.com:1234:
Destination 10.10.10.1, 1234 unreachable.; nested exception is:
java.net.ConnectException: Connection refused; No available router to
destination.; nested exception is:
java.rmi.ConnectException: No available router to destination.]
To resolve this, you must use the machine name of the second node during the domain creation step, that is, when running the configuration wizard on the first node. After this, you must proceed with the pack and unpack command.
OIM Gridlink Datasources Show Suspended State When 11.2.0.4.0 RAC Database is Used
When you run the Configuration Wizard to configure Oracle Identity Manager gridlink datasources with 11.2.0.4.0 RAC Database, the following warning is displayed:
<Nov 28, 2017 2:45:44,157 AM MDT> <Warning> <JDBC> <BEA-001129> <Received
exception while creating connection for pool
"ApplicationDB": Listener refused the connection with the following error:
ORA-12516, TNS:listener could not find available handler with matching
protocol stack
The data source is pushed to suspended state if the connection fails in the retry after waiting for TEST Frequency. To resolve this, you must manually resume the suspended data sources by doing the following:
Server Consoles are Inaccessible in a Clustered Domain
After you configure the Oracle Identity Governance domain, the Administration Server console and the Managed Server consoles are inaccessible.
If you wish to enter the machine name as the listen address in a clustered or non-clustered domain, disable all other interfaces.
OIM Server Fails to Come up Due to SOA Server not Completely Up
If the Oracle SOA Server (SOA) is not up completely, the Oracle Identity Manager (OIM) Server fails to start.
Could not fetch ServerRuntime mbean for
soa_server1. Server seems to be down!
To resolve this, restart the OIM Server.
Oracle Identity Manager Server Throws OutOfMemoryError
After you configure Oracle Identity Manager 12c (12.2.1.4.0), when you start the OIM 12c (12.2.1.4.0) Server, OutOfMemoryError is thrown.
The following error is seen in the OIM server logs for this issue:
[oim_server1] [NOTIFICATION] []
[oracle.iam.oimdataproviders.impl] [tid: [ACTIVE].ExecuteThread: '9' for
queue: 'weblogic.kernel.Default (self-tuning)'] [userId: xelsysadm] [ecid:
5679ce10-f0df-457f-88f1-6bc04e10aa13-000013b1,0] [APP: oim-runtime]
[partition-name: DOMAIN] [tenant-name: GLOBAL] [DSID:
0000Lg0PPYTBd5I_Ipt1if1OpGGi00000U] RM_DEBUG_PERF - 2018-11-28 06:09:51.087 -
search criteria = arg1 = (usr_key) EQUAL arg2 = (1)[[
query = Select usr.usr_key, usr.usr_status from usr where usr.usr_key = ?
time = 1
]]
[2018-11-28T06:09:52.286-07:00] [oim_server1] [NOTIFICATION] []
[oracle.iam.oimdataproviders.impl] [tid: [ACTIVE].ExecuteThread: '9' for
queue: 'weblogic.kernel.Default (self-tuning)'] [userId: xelsysadm] [ecid:
5679ce10-f0df-457f-88f1-6bc04e10aa13-000013b1,0] [APP: oim-runtime]
[partition-name: DOMAIN] [tenant-name: GLOBAL] [DSID:
0000Lg0PPYTBd5I_Ipt1if1OpGGi00000U]
oracle.iam.oimdataproviders.impl.OIMUserDataProvider
[2018-11-28T06:11:52.171-07:00] [oim_server1] [ERROR] [ADFC-50018]
[oracle.adfinternal.controller.application.AdfcExceptionHandler] [tid:
[ACTIVE].ExecuteThread: '27' for queue: 'weblogic.kernel.Default
(self-tuning)'] [userId: xelsysadm] [ecid:
5679ce10-f0df-457f-88f1-6bc04e10aa13-000013e0,0] [APP:
oracle.iam.console.identity.self-service.ear] [partition-name: DOMAIN]
[tenant-name: GLOBAL] [DSID: 0000Lg0RtM9Bd5I_Ipt1if1OpGGi00000V] ADFc: No
exception handler was found for an application exception.[[
java.lang.OutOfMemoryError: GC overhead limit exceeded ]
To resolve this issue, do the following (on Linux):
- Ensure that you set the following parameters in the /etc/security/limits.conf file, to the specified values:
  FUSION_USER_ACCOUNT soft nofile 32767
  FUSION_USER_ACCOUNT hard nofile 327679
- Ensure that you set UsePAM to Yes in the /etc/ssh/sshd_config file.
- Restart sshd.
- Log out (or reboot) and log in to the system again.
limit maxproc 16384
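A check of the two files the steps above change, as an added example that is not from the Oracle guide: it reads limits.conf and sshd_config text and reports where they fall short of those steps. The account name oracle and both sample files are constructed placeholders, and only limits.conf entries that name the user exactly are evaluated.

```python
import re

# Minimums taken from the steps above.
REQUIRED_NOFILE = {"soft": 32767, "hard": 327679}

# Constructed samples; "oracle" is a placeholder for FUSION_USER_ACCOUNT.
SAMPLE_LIMITS = """\
*       soft nofile 4096
oracle  soft nofile 32767
oracle  hard nofile 65536   # lower than the hard value in the steps
"""
SAMPLE_SSHD = """\
#UsePAM no
UsePAM Yes
"""


def nofile_limits(limits_conf, user):
    """Return the soft/hard nofile values limits.conf sets for `user`.
    Entries are "<domain> <type> <item> <value>"; type "-" sets both limits.
    Simplification: only entries naming the user exactly are read (group and
    wildcard domains are skipped); here a later entry replaces an earlier one."""
    found = {}
    for raw in limits_conf.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) != 4 or fields[0] != user or fields[2] != "nofile":
            continue
        for kind in ("soft", "hard") if fields[1] == "-" else (fields[1],):
            found[kind] = fields[3]
    return found


def use_pam_enabled(sshd_config):
    """True if UsePAM is yes; sshd keeps the first value given for a keyword."""
    for raw in sshd_config.splitlines():
        parts = re.split(r"\s*=\s*|\s+", raw.strip(), maxsplit=1)
        if len(parts) == 2 and parts[0].lower() == "usepam":
            # Compared case-insensitively because the step writes "Yes".
            return parts[1].strip().strip('"').lower() == "yes"
    return False  # OpenSSH's default for UsePAM is no


def check_host(limits_conf, sshd_config, user):
    """List the gaps between the two files' contents and the steps above."""
    problems = []
    found = nofile_limits(limits_conf, user)
    for kind, minimum in REQUIRED_NOFILE.items():
        value = found.get(kind, "")
        if not (value.isdigit() and int(value) >= minimum):
            problems.append(f"{user} {kind} nofile is {value or 'unset'}, need {minimum}")
    if not use_pam_enabled(sshd_config):
        problems.append("UsePAM is not yes: sshd skips PAM session modules such as "
                        "pam_limits, so limits.conf is not applied to SSH logins")
    return problems


if __name__ == "__main__":
    print(check_host(SAMPLE_LIMITS, SAMPLE_SSHD, "oracle"))
```

After logging in again, `ulimit -Sn` and `ulimit -Hn` in that account's shell show the limits actually in effect.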
‘ADFContext leak detected’ Message in the OIM Server Logs
When you start the Oracle Identity Manager (OIM) 12c (12.2.1.4.0) server, the following error is seen in the OIM server logs:
2b8fd3a0-06e3-4de6-be10-801551745664-000000a5,0] [partition-name: DOMAIN]
[tenant-name: GLOBAL] ADFContext leak detected.[[
oracle.adf.share.ADFContext.setAsCurrent(ADFContext.java:1501)
oracle.adf.mbean.share.AdfMBeanInterceptor.resetADFIfNeeded(AdfMBeanInterceptor.java:140)
This has no impact on the functionality, and therefore you can ignore this error.
ADF Controller Exception in the SOA Server Logs
After you configure Oracle Identity Governance 12c (12.2.1.4.0), when you start the Oracle SOA Suite (SOA) server, the following exception is shown in the SOA server logs:
oracle.adf.controller.ControllerException: ADFC-12013: Controller state has not been initialized for the current request.
This does not impact the functionality, and therefore it can be ignored.
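The triage that this Troubleshooting section describes, as an added example that is not Oracle's code: it splits an oim-diagnostic.log into records, flags failure log codes and the messages that have a workaround above, and counts the records the page says can be ignored. The sample log is constructed from the excerpts above, and the position of the IAM codes inside a record is an assumption, so the whole record is searched.

```python
import re

# An ODL record starts "[timestamp] [server] [LEVEL]"; the lines after it
# (stack traces, "[[ ... ]]" blocks) belong to the same record.
RECORD_START = re.compile(r"^\[(\d{4}-\d\d-\d\dT[^\]]+)\] \[[^\]]*\] \[[A-Z]+")
IAM_CODE = re.compile(r"IAM-30700(?:0[1-9]|10)")
# Codes whose description on this page reports success rather than a fault.
IAM_SUCCESS = {"IAM-3070005", "IAM-3070009", "IAM-3070010"}
# Messages this page says can be ignored.
IGNORABLE = ("Unable to resolve 'TaskQueryService'", "ADFContext leak detected", "ADFC-12013")
# Messages this page gives a workaround for -> section to consult.
ACTIONABLE = {
    "java.lang.OutOfMemoryError": "Oracle Identity Manager Server Throws OutOfMemoryError",
    "Could not fetch ServerRuntime mbean": "OIM Server Fails to Come up Due to SOA Server not Completely Up",
    "Failed to initialize JNDI context": "Error When Accessing Pending Approvals Page in a Multinode Setup",
    "ORA-12516": "OIM Gridlink Datasources Show Suspended State When 11.2.0.4.0 RAC Database is Used",
}

# Constructed sample modelled on the excerpts above; where the IAM codes sit
# in a record is an assumption, so triage() searches the whole record.
SAMPLE = """\
[2018-11-28T06:01:10.000-07:00] [oim_server1] [NOTIFICATION] [IAM-3070005] [oracle.iam] Validation for CSF Credentials Successful
[2018-11-28T06:02:00.000-07:00] [oim_server1] [ERROR] [] [oracle.iam] javax.naming.NameNotFoundException: Unable to resolve 'TaskQueryService'.
Resolved ''; remaining name 'TaskQueryService'
[2018-11-28T06:03:00.000-07:00] [oim_server1] [ERROR] [IAM-3070007] [oracle.iam] Task failed
[2018-11-28T06:11:52.171-07:00] [oim_server1] [ERROR] [ADFC-50018] [oracle.adfinternal.controller] ADFc: No exception handler was found for an application exception.[[
java.lang.OutOfMemoryError: GC overhead limit exceeded
]]
"""


def parse_records(text):
    """Split log text into records, folding continuation lines into their record."""
    records = []
    for line in text.splitlines():
        m = RECORD_START.match(line)
        if m:
            records.append({"ts": m.group(1), "text": line})
        elif records:
            records[-1]["text"] += "\n" + line
    return records


def triage(text):
    """Return (findings, ignored). A record is ignorable only if nothing actionable is in it."""
    findings, ignored = [], 0
    for rec in parse_records(text):
        body = " ".join(rec["text"].split())  # undo line wrapping
        hits = [(c, "Description of the Log Codes") for c in IAM_CODE.findall(body) if c not in IAM_SUCCESS]
        hits += [(k, s) for k, s in ACTIONABLE.items() if k in body]
        findings += [(rec["ts"], k, s) for k, s in hits]
        if not hits and any(sig in body for sig in IGNORABLE):
            ignored += 1
    return findings, ignored


if __name__ == "__main__":
    for finding in triage(SAMPLE)[0]:
        print(*finding, sep="  |  ")
```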