15 Configuring Oracle Identity Governance

Install and configure Oracle Identity Governance (OIG).

The following topics describe how to install and configure an initial domain, which can be used as the starting point for an enterprise deployment. Later chapters in this guide describe how to extend this initial domain with the various products and components that comprise the enterprise topology you are deploying.

A complete Oracle Identity and Access Management deployment uses a split domain configuration: one domain for Oracle Access Management and a separate domain for Oracle Identity Governance. You must create separate infrastructures for Access and Governance.

Synchronizing the System Clocks

Before you deploy Oracle Identity Governance, verify that the system clocks on every host are synchronized. A quick check is to run the date command simultaneously on all the hosts in each cluster and compare the output. Clock skew between hosts causes intermittent failures in anything that checks a validity window, such as session tokens and TLS certificates.

Alternatively, there are third-party and open-source utilities you can use for this purpose. In practice, point every host at the same NTP source (for example, with chrony or ntpd) so that the clocks stay synchronized after the initial check.
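The following script is an added example, not part of the Oracle guide. It performs the check described above over SSH: it reads the epoch time from each host, computes the spread, and fails if the spread exceeds a threshold. It assumes password-less SSH to each host as the installing user; the host names, the OIG_HOSTS variable and the 5-second threshold are placeholders.

```shell
#!/bin/sh
# Added example, not from the Oracle guide. Host names and threshold are placeholders.

# max_skew HOST=EPOCH ...: print the largest difference in seconds between the given clocks.
max_skew() {
    [ $# -gt 0 ] || { echo 0; return 0; }
    min=""; max=""
    for pair in "$@"; do
        t=${pair#*=}
        if [ -z "$min" ] || [ "$t" -lt "$min" ]; then min=$t; fi
        if [ -z "$max" ] || [ "$t" -gt "$max" ]; then max=$t; fi
    done
    echo $((max - min))
}

# collect_clocks HOST ...: read each host's clock over SSH and print HOST=EPOCH lines.
# The hosts are queried back to back, so SSH latency adds a little apparent skew.
collect_clocks() {
    for host in "$@"; do
        printf '%s=%s\n' "$host" "$(ssh -o BatchMode=yes "$host" date +%s)"
    done
}

# check_clocks THRESHOLD HOST=EPOCH ...: return 1 if the skew exceeds THRESHOLD seconds.
check_clocks() {
    threshold=$1; shift
    skew=$(max_skew "$@")
    if [ "$skew" -gt "$threshold" ]; then
        echo "clock skew ${skew}s exceeds ${threshold}s; fix NTP before continuing" >&2
        return 1
    fi
    echo "clock skew ${skew}s is within ${threshold}s"
}

# Only query real hosts when OIG_HOSTS is set (placeholder), for example:
#   OIG_HOSTS="oighost1.example.com oighost2.example.com" sh check_clocks.sh
if [ -n "${OIG_HOSTS:-}" ]; then
    check_clocks 5 $(collect_clocks $OIG_HOSTS)
fi
```

Run it from the host that will drive the installation; a non-zero exit means at least one host is outside the window and NTP should be fixed before continuing.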

About the Initial Infrastructure Domain

Before you create the initial Infrastructure domain, ensure that you review the key concepts.

About the Infrastructure Distribution

You create the initial Infrastructure domain for an enterprise deployment by using the Oracle Fusion Middleware Infrastructure distribution. This distribution contains both the Oracle WebLogic Server software and the Oracle JRF software.

The Oracle JRF software consists of Oracle Web Services Manager, Oracle Application Development Framework (Oracle ADF), Oracle Enterprise Manager Fusion Middleware Control, the Repository Creation Utility (RCU), and other libraries and technologies that are required to support the Oracle Fusion Middleware products.

Note:

The Access infrastructure does not use the Web Services Manager.

See Understanding Oracle Fusion Middleware Infrastructure in Understanding Oracle Fusion Middleware.

Characteristics of the Domain

The following table lists some of the key characteristics of the domain that you are about to create. Reviewing these characteristics helps you to understand the purpose and context of the procedures that are used to configure the domain.

Many of these characteristics are described in more detail in Understanding a Typical Enterprise Deployment.

Characteristic of the Domain More Information

Uses a separate virtual IP (VIP) address for the Administration Server.

Configuration of the Administration Server and Managed Servers Domain Directories

Uses separate domain directories for the Administration Server and the Managed Servers in the domain.

Configuration of the Administration Server and Managed Servers Domain Directories

Uses a per domain Node Manager configuration.

About the Node Manager Configuration in a Typical Enterprise Deployment

Requires a separately installed LDAP-based authentication provider.

Understanding OPSS and Requests to the Authentication and Authorization Stores

Variables Used When Creating the Infrastructure Domain

As you perform the tasks in this chapter, you will be referencing the variables listed in this section.

The following table explains the configuration file property values required in this section.

Table 15-1 LDAP Variables Used in This Chapter

Variable Sample Value Description

IDSTORE_HOST

idstore.example.com

The host name of your Identity Store directory. When preparing the Identity Store, this should point to one of the LDAP instances. When configuring components such as OAM or OIG, it should point to the load balancer entry point.

IDSTORE_PORT

1636

The port of your Identity Store directory. When preparing the Identity Store, this should be the port of one of the LDAP instances. When configuring components such as OAM or OIG, it should be the port of the load balancer entry point.

IDSTORE_DIRECTORYTYPE

OUD

The type of directory you are using. Valid value is OUD.

IDSTORE_BINDDN

cn=oudadmin

An administrative user in the Identity Store Directory.

IDSTORE_BINDDN_PWD

password

The password of IDSTORE_BINDDN. You will be prompted for the value if not supplied.

IDSTORE_SEARCHBASE

dc=example,dc=com

The location in the directory where Users and Groups are stored.

IDSTORE_SSL_ENABLED

true

Whether SSL to the identity store is enabled. Valid values: true | false.

OAM_IDSTORE_NAME

OAMIDSTORE

Name of the IDStore to create.

IDSTORE_USERSEARCHBASE

cn=Users,dc=example,dc=com

The location in the directory where Users are Stored.

IDSTORE_GROUPSEARCHBASE

cn=Groups,dc=example,dc=com

The location in the directory where Groups are Stored.

IDSTORE_SYSTEMIDBASE

cn=SystemIDs,dc=example,dc=com

The location of a container in the directory where system users can be placed when you do not want them in the main user container.

IDSTORE_KEYSTORE_FILE

/u01/oracle/config/keystores/idmTrustStore.p12

The location of the Truststore for OIG.

KEYSTORE_HOME

/u01/oracle/config/keystores

The location of the keystore home on shared storage for OIG.

LOCAL_KEYSTORE_HOME

/u02/oracle/config/keystores

The location of the keystore home on the local storage of each OIG host.

IDSTORE_KEYSTORE_PASSWORD

password

The password of the IDSTORE_KEYSTORE_FILE.

Table 15-2 Variables Used in This Chapter

Variable Sample Value Description

IGD_ORACLE_HOME

/u01/oracle/products/oig

The read-only location for the OIG product binaries stored on shared disk.

ASERVER_HOME

/u01/oracle/config/domains/oig

The Administration Server domain home, which is installed on a shared disk.

IGD_ASERVER_HOME

/u01/oracle/config/domains/oig

Should be the same value as ASERVER_HOME.

IGD_MSERVER_HOME

/u02/oracle/config/domains/oig

The Managed Server domain home, which is created by using the unpack command on the local disk of each application tier host.

MSERVER_HOME

/u02/oracle/config/domains/oig

Should be the same value as IGD_MSERVER_HOME.

APPLICATION_HOME

/u01/oracle/config/applications/oig

The Application home directory, which is installed on shared disk, so the directory is accessible by all the application tier host computers.

MS_APPLICATION_HOME

/u02/oracle/config/applications/oig

The Application home directory on local disk. It is created on each application tier host, so it is not shared between hosts.

JAVA_HOME

/u01/oracle/products/jdk

The location where you install the supported Java Development Kit (JDK).

ADMINVHN

igdadminvhn.example.com

The virtual host name used as the listen address for the Administration Server used by the IAMGovernanceDomain and fails over with manual failover of the Administration Server. It is enabled on the node where the Administration Server process is running.

OIGHOST1

oighost1.example.com

The hostname of OIGHOST1.

OIGHOST2

oighost2.example.com

The hostname of OIGHOST2.

SCAN_ADDRESS

db-scan.example.com

Address for the Oracle RAC Database.

WEBGATE_TYPE

ohsWebgate14c

The type of webgate profile to create. This should always be ohsWebgate14c.

COOKIE_DOMAIN

.example.com

The domain you wish to associate the OAM cookie with. This is normally the same as IDSTORE_SEARCHBASE expressed in domain format. The search base can be found in the worksheet (REALM_DN).

OAM_TRANSFER_MODE

open

The type of OAM security transport to be used. This should be the same as OAM_OAM_SERVER_TRANSPORT_MODE. Valid values are open, simple and cert. In open mode the OAP traffic between the WebGate and the OAM servers is not encrypted, so use simple or cert in production.

OAM_OIM_OHS_URL

https://oig.example.com:443/

If you are planning on using OIM for Forgotten Password functionality then you need to specify the external entry point for OIG. This is the OIG URL to which OAM directs the requests. This URL is made up of the following values from the worksheet: https://oig.example.com:IAG_HTTPS_PORT/.

IDSTORE_PWD_OAMADMINUSER

password

The password of the Admin user account (oamadmin) you are connecting to the Identity Store with.

IDSTORE_PWD_OAMSOFTWAREUSER

password

The password of the account (oamLDAP) you are connecting to the Identity Store with.

OAM_WLS_ADMIN_PASSWD

password

The password of the WLS Admin account (weblogic_iam) .


OIM_WLSHOST

igdadminvhn.example.com

Virtual Host name for Admin Server on OIGHOST1.

OIM_WLSPORT

9102

Corresponding port number for Admin Server on OIGHOST1.

OIM_WLSADMIN

weblogic

The weblogic administrator user in OIM domain.

OIM_WLSADMIN_PWD

password

Password for OIM_WLSADMIN.

OIM_IDSTORE_ROLE_SECURITY_ADMIN

WLSAdministrators

The group in your LDAP directory which has WebLogic administration access.

WLS_IS_SSLENABLED

true

Whether SSL is enabled for the WebLogic servers in the OIG domain. Valid values: true | false.

WLS_SSL_HOST_VERIFICATION

true

Whether WLS SSL host name verification is enabled. Valid values: true | false.

WLS_TRUSTSTORE

/u01/oracle/config/keystores/idmTrustStore.p12

The location of the WLS truststore on shared storage.

LOCAL_WLS_TRUSTSTORE

/u02/oracle/config/keystores/idmTrustStore.p12

The location of the WLS truststore on local storage.

WLS_TRUSTSTORE_PASSWORD

password

Password for the WLS truststore.

Setting Environment Variables

Set environment variables used in this chapter.

To help navigate this guide, to be able to copy sample commands without modification you can set the following environment variables, replacing the values with values appropriate to your environment.

export IGD_ORACLE_HOME=/u01/oracle/products/oig
export ORACLE_HOME=$IGD_ORACLE_HOME
export ORACLE_COMMON_HOME=$IGD_ORACLE_HOME/oracle_common
export JAVA_HOME=/u01/oracle/products/jdk
export PATH=$JAVA_HOME/bin:$PATH
export IGD_ASERVER_HOME=/u01/oracle/config/domains/oig
export DOMAIN_HOME=$IGD_ASERVER_HOME
export IGD_MSERVER_HOME=/u02/oracle/config/domains/oig
export WL_HOME=$IGD_ORACLE_HOME/wlserver
export NM_HOME=/u02/oracle/config/nodemanager
export APPLICATION_HOME=/u01/oracle/config/applications/oig
export MS_APPLICATION_HOME=/u02/oracle/config/applications/oig
export DB_HOST=db-scan.example.com
export DB_PORT=1521
export DB_SERVICE=oigsvc.example.com
export SHARED_CONFIG_DIR=/u01/oracle/config
export LOCAL_CONFIG_DIR=/u02/oracle/config

URLs Used in This Chapter

This section describes the URLs used in this chapter.

Table 15-3 SSL Termination

Function Component URL Load Balancer URL

Remote Console connection

http://igdadminvhn.example.com:7001/

http://igdadmin.example.com

Enterprise Manager

http://igdadminvhn.example.com:7001/em

http://igdadmin.example.com/em

OIG System Administration console

http://igdadminvhn.example.com:14000/sysadmin

http://igdadmin.example.com/sysadmin

Identity Console

http://igdadminvhn.example.com:14000/identity

https://oig.example.com/identity

Table 15-4 End to End SSL Termination

Function Component URL Load Balancer URL

Remote Console connection

https://igdadminvhn.example.com:9002/

https://igdadmin.example.com

Enterprise Manager

https://igdadminvhn.example.com:9002/em

https://igdadmin.example.com/em

OIG System Administration console

https://igdadminvhn.example.com:14001/sysadmin

https://igdadmin.example.com/sysadmin

Identity Console

https://igdadminvhn.example.com:14001/identity

https://oig.example.com/identity

Installing Oracle Fusion Middleware

Install the Oracle Fusion Middleware software in preparation for configuring a new domain for Oracle Identity Governance.

Installing the Oracle Fusion Middleware Infrastructure, SOA Suite, and Oracle Identity Governance on OIGHOST1

Use the following sections to install the Oracle Fusion Middleware Infrastructure software in preparation for configuring a new domain for an enterprise deployment.

Installing a Supported JDK
Oracle Fusion Middleware requires that a certified Java Development Kit (JDK) is installed on your system.
Locating and Downloading the JDK Software

To find a certified JDK, see the certification document for your release on the Oracle Fusion Middleware Supported System Configurations page.

After you identify the Oracle JDK for the current Oracle Fusion Middleware release, you can download an Oracle JDK from the following location on Oracle Technology Network:

https://www.oracle.com/java/technologies/downloads/

Be sure to navigate to the download for the Java SE JDK.

Installing the JDK Software

Oracle Fusion Middleware requires you to install a certified Java Development Kit (JDK) on your system.

For more information about the recommended location for the JDK software, see Understanding the Recommended Directory Structure for an Enterprise Deployment.

To install JDK 21.0:
  1. Change directory to the location where you downloaded the JDK archive file.
    cd download_dir
  2. Verify the archive against the SHA-256 checksum published on the download page before you unpack it. Then unpack the archive into the products directory, where the JDK home will live:
    tar -xzvf jdk-21.0.4+8_linux-x64_bin.tar.gz -C /u01/oracle/products
    Note that the JDK version listed here was accurate at the time this document was published. For the latest supported JDK, see the Oracle Fusion Middleware System Requirements and Specifications for the current Oracle Fusion Middleware release.
  3. Create the symbolic link that this guide uses as the JDK location. Use an absolute link target so that the link resolves from any working directory.
    For example:
    ln -s /u01/oracle/products/jdk-21.0.4 /u01/oracle/products/jdk
  4. Run the following command to verify that the appropriate java executable is in the path and your environment variables are set correctly:
    java -version
    The Java version in the output should be displayed as “21.0.4”.
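The following script is an added example, not part of the Oracle guide. It performs steps 2 and 3 with the integrity check built in: it refuses to unpack the archive unless its SHA-256 digest matches the value published on the download page, extracts it into the products directory, and creates the jdk symbolic link with an absolute target. The archive name, expected digest and products directory are assumptions passed in as arguments; sha256sum is the GNU coreutils tool.

```shell
#!/bin/sh
# Added example, not from the Oracle guide. Archive, digest and directory are arguments.

# verify_sha256 FILE EXPECTED_HEX: return 0 if FILE's SHA-256 digest equals EXPECTED_HEX.
verify_sha256() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# install_jdk ARCHIVE EXPECTED_HEX PRODUCTS_DIR: unpack ARCHIVE into PRODUCTS_DIR and point
# PRODUCTS_DIR/jdk at the versioned directory it contains. Refuses to unpack an archive
# whose digest does not match. Prints the path of the versioned JDK directory.
install_jdk() {
    archive=$1; expected=$2; products=$3
    if ! verify_sha256 "$archive" "$expected"; then
        echo "checksum mismatch for $archive; refusing to unpack" >&2
        return 1
    fi
    mkdir -p "$products"
    # The first entry in the archive names the top-level directory, e.g. jdk-21.0.4/
    topdir=$(tar -tzf "$archive" | head -n 1 | cut -d/ -f1)
    tar -xzf "$archive" -C "$products"
    rm -f "$products/jdk"
    ln -s "$products/$topdir" "$products/jdk"
    echo "$products/$topdir"
}

# Example invocation; JDK_ARCHIVE and JDK_SHA256 are placeholders you set from the
# download page before running the script.
if [ -n "${JDK_ARCHIVE:-}" ]; then
    install_jdk "$JDK_ARCHIVE" "$JDK_SHA256" /u01/oracle/products \
        && /u01/oracle/products/jdk/bin/java -version
fi
```

Because the digest is checked before anything is written under the products directory, a tampered or truncated download leaves no partial JDK behind.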
Starting the Oracle Identity Management Quick Installer

The Quick Installer installs the Oracle Fusion Middleware Infrastructure, Oracle SOA Suite, and Oracle Identity and Access Management.

To start the installation program, perform the following steps.

  1. Log in to OIGHOST1.
  2. Go to the directory where you downloaded the installation program.
  3. Launch the installation program by invoking the java executable from the JDK directory on your system, as shown in the example below.
    $JAVA_HOME/bin/java -jar fmw_14.1.2.1.0_idmquickstart_generic.jar

    In this example, fmw_14.1.2.1.0_idmquickstart_generic.jar is the distribution that installs the software required for the initial Infrastructure domain.

    If you download the distribution from the Oracle Technology Network (OTN), the JAR file is typically packaged inside a downloadable ZIP file; extract it first and run the JAR from the extracted location.

    For more information about the actual file names of each distribution, see Identifying and Obtaining Software Downloads for an Enterprise Deployment.

When the installation program appears, you are ready to begin the installation. See Navigating the Installation Screens for a description of each installation program screen.

Navigating the Installation Screens

The installation program displays a series of screens, in the order listed in the following table.

If you need additional help with any of the installation screens, click the screen name or click the Help button on the screen.

Table 15-5 Navigating the Infrastructure Installation Screens

Screen Description

Installation Inventory Setup

On UNIX operating systems, this screen appears if you are installing any Oracle product on this host for the first time. Specify the location where you want to create your central inventory. Ensure that the operating system group name selected on this screen has write permissions to the central inventory location.

See Understanding the Oracle Central Inventory in Installing Software with the Oracle Universal Installer.

Note:

Oracle recommends that you configure the central inventory directory on the products shared volume. Example: /u01/oracle/products/oraInventory

You may also need to execute the createCentralInventory.sh script as root from the oraInventory folder after the installer completes.

Welcome

This screen introduces you to the product installer.

Auto Updates

Use this screen to search My Oracle Support automatically for available patches or automatically search a local directory for patches that you have already downloaded for your organization.

Installation Location

Use this screen to specify the location of your Oracle home directory.

For the purposes of an enterprise deployment, enter the value of the $ORACLE_HOME variable for the product listed in Table 8-2.

For example, /u01/oracle/products/oig

Prerequisite Checks

This screen verifies that your system meets the minimum requirements.

If there are any warning or error messages, refer to the Oracle Fusion Middleware System Requirements and Specifications document on the Oracle Technology Network (OTN).

Installation Summary

Use this screen to verify the installation options that you have selected. If you want to save these options to a response file, click Save Response File and provide the location and name of the response file. Response files can be used later in a silent installation situation.

For more information about silent or command-line installation, see Using the Oracle Universal Installer in Silent Mode in Installing Software with the Oracle Universal Installer.

Installation Progress

This screen allows you to see the progress of the installation.

Installation Complete

This screen appears when the installation is complete. Review the information on this screen, then click Finish to dismiss the installer.

Installing the Stack Bundle Patch

After installing the software binaries, you must apply the latest Stack Bundle Patch.

For an enterprise deployment you must download and apply the July 2025 Stack Bundle Patch or later. For more details, see Identifying and Obtaining Software Distributions for an Enterprise Deployment.

To apply the patch run the following commands:
  1. After downloading the patch, unzip it to your preferred location. For example:
    unzip p38184742_141210_Linux-x86-64.zip

    This location will be known as $PATCH_DIR.

  2. Navigate to the $PATCH_DIR:
    cd $PATCH_DIR/tools/spbat/generic/SPBAT/
  3. Apply the patch using the command:
    ./spbat.sh -type oig -phase downtime -mw_home $IGD_ORACLE_HOME -spb_download_dir $PATCH_DIR
Installing Oracle Fusion Middleware Infrastructure on the Other Host Computers

If you have configured a separate shared storage volume or partition for secondary hosts, then you must install the Infrastructure on one of those hosts.

See Shared Storage Recommendations When Installing and Configuring an Enterprise Deployment.

To install the software on the other host computers in the topology, log in to each host, and use the instructions in Starting the Oracle Identity Management Quick Installer and Navigating the Installation Screens to create the Oracle home on the appropriate storage device.

You must install the Stack Bundle Patch and any other mandatory patches outlined in Identifying and Obtaining Software Distributions for an Enterprise Deployment.

Verifying the Installation

After you complete the installation, you must verify it.

Perform the following tasks:

Reviewing the Installation Log Files

Review the contents of the installation log files to make sure that no problems were encountered. For a description of the log files and where to find them, see Understanding Installation Log Files in Installing Software with the Oracle Universal Installer.

Checking the Directory Structure

The contents of your installation vary based on the options that you select during the installation.

The addition of Oracle Identity Governance adds the following directory and sub-directories. Use the following command to verify the directory structure:
  1. Navigate to the $ORACLE_HOME:
    cd $ORACLE_HOME
  2. Enter the following command:
    ls --format=single-column
    The directory structure on your system must match the structure shown in the following example:
    bin
    cfgtoollogs
    coherence
    domain-registry.xml
    em
    envPropertiesCache
    idm
    install
    inventory
    jdeveloper
    jlib
    lib
    mft
    OPatch
    opmn
    oracle_common
    oraInst.loc
    osb
    oui
    root.sh
    soa
    wlserver

For more information about the directory structure you should see after installation, see What are the Key Oracle Fusion Middleware Directories? in Understanding Oracle Fusion Middleware.

Viewing the Contents of Your Oracle Home

You can also view the contents of your Oracle home by using the viewInventory script. See Viewing the contents of an Oracle home in Installing Software with the Oracle Universal Installer.

Downloading the Oracle Connector Bundle

Download the Oracle Connector bundle.

Download the Oracle Connector bundle from the following location:

http://www.oracle.com/technetwork/middleware/id-mgmt/downloads/connectors-101674.html

Copy the connector bundle for Oracle Internet Directory (it covers OUD as well) to the following directory:

$IGD_ORACLE_HOME/idm/server/ConnectorDefaultDirectory

Installing the Oracle Identity Governance Connector

After you download the Oracle Connector for LDAP, install it into the ORACLE_HOME directory.

To do this perform the following steps:
  1. Go to the following directory:
    cd $IGD_ORACLE_HOME/idm/server/ConnectorDefaultDirectory
  2. Unzip the LDAP directory using the following command:
    unzip oid_<version>.zip

Creating the Database Schemas for Oracle Identity Governance

Oracle Fusion Middleware components require the existence of schemas in a database before you configure a Fusion Middleware Infrastructure domain. Install the schemas listed in this topic in a certified database for use with this release of Oracle Fusion Middleware.

  • Oracle Identity Manager

    This automatically selects Oracle SOA Suite schemas along with the following ones:

    • Metadata Services (MDS)

    • Audit Services (IAU)

    • Audit Services Append (IAU_APPEND)

    • Audit Services Viewer (IAU_VIEWER)

    • Oracle Platform Security Services (OPSS)

    • User Messaging Service (UMS)

    • WebLogic Services (WLS)

    • Common Infrastructure Services (STB)

Use the Repository Creation Utility (RCU) to create the schemas. This utility is installed in the Oracle home for each Oracle Fusion Middleware product. For more information about RCU and how the schemas are created and stored in the database, see Preparing for Schema Creation in Creating Schemas with the Repository Creation Utility.

Complete the following steps to install the required schemas:

Installing and Configuring a Certified Database

Make sure that you have installed and configured a certified database, and that the database is up and running.

See the Preparing the Database for an Enterprise Deployment.

Verifying Schema Access

Verify schema access by connecting to the database as the new schema users created by the RCU. Use SQL*Plus or another utility to connect, and provide the appropriate schema names and passwords entered in the RCU.

For example:

sqlplus <RCU_PREFIX>_OIM@//<SCAN_ADDRESS>:<PORT>/<SERVICE_NAME>
For example:
sqlplus IGDEDG_OIM@//db-scan.example.com:1521/oigpdb_s.example.com
SQL*Plus prompts for the password. Do not pass it on the command line in user/password form, because it then appears in the process list and in the shell history.
The output appears as follows:
SQL*Plus: Release 23.0.0.0.0 - for Oracle Cloud and Engineered Systems on Wed Sep 11 14:20:00 2024 Version 23.5.0.24.07
Copyright (c) 1982, 2024, Oracle. All rights reserved.


Connected to:
Oracle Database 23ai EE Extreme Perf Release 23.0.0.0.0 - for Oracle Cloud and Engineered Systems
Version 23.5.0.24.07

SQL>

Creating the Database Schemas Using GUI

Starting the Repository Creation Utility (RCU)

To start the Repository Creation Utility (RCU):

  1. Navigate to the following directory on OIGHOST1:
    cd $ORACLE_COMMON_HOME/bin
  2. Start RCU:
    ./rcu

    Note:

    If your database has Transparent Data Encryption (TDE) enabled, and you want to encrypt your tablespaces created by the RCU, provide the -encryptTablespace true option when you start the RCU.

    This will default the appropriate RCU GUI Encrypt Tablespace checkbox selection on the Map Tablespaces screen without further effort during the RCU execution. See Encrypting Tablespaces in Creating Schemas with the Repository Creation Utility.

Navigating the RCU Screens to Create the Schemas

Schema creation involves the following tasks:

Screen Description

Introducing RCU

Review the Welcome screen and verify the version number for RCU. Click Next to begin.

Selecting a Method of Schema Creation

If you have the necessary permission and privileges to perform DBA activities on your database, select System Load and Product Load on the Create Repository screen. The procedure in this document assumes that you have the necessary privileges.

If you do not have the necessary permission or privileges to perform DBA activities in the database, you must select Prepare Scripts for System Load on this screen. This option will generate a SQL script, which can be provided to your database administrator. See Understanding System Load and Product Load in Creating Schemas with the Repository Creation Utility.

Click Next.

Tip:

For more information about the options on this screen, see Create repository in Creating Schemas with the Repository Creation Utility.

Providing Database Connection Details

Provide the database connection details for RCU to connect to your database.

  1. As Database Type, select Oracle Database enabled for edition based redefinition.
  2. In the Host Name field, enter the SCAN address of the Oracle RAC Database.
  3. Enter the Port number of the RAC database scan listener, for example 1521.
  4. Enter the RAC Service Name of the database.
  5. Enter the User Name of a user that has permissions to create schemas and schema objects, for example SYS.
  6. Enter the Password of the user name that you provided in step 5
  7. If you have selected the SYS user, ensure that you set the role to SYSDBA.
  8. Click Next to proceed, then click OK on the dialog window confirming that connection to the database was successful.

Tip:

For more information about the options on this screen, see Database Connection Details in Creating Schemas with the Repository Creation Utility.

Specifying a Custom Prefix and Selecting Schemas

  1. Specify the custom prefix you want to use to identify the Oracle Fusion Middleware schemas.

    The custom prefix is used to logically group these schemas together for use in this domain. For Oracle Identity Governance, use the prefix IGD.

    Tip:

    Make a note of the custom prefix you choose to enter here; you will need this later, during the domain creation process.

    For more information about custom prefixes, see Understanding Custom Prefixes in Creating Schemas with the Repository Creation Utility.

  2. Expand the group IDM Schemas, and then select the Oracle Identity Manager schema. All the relative schemas will be selected:
    • Common infrastructure Services

    • Oracle Platform Security Services

    • User Messaging Service

    • Audit Services

    • Audit Services Append

    • Audit Services Viewer

    • Metadata Services

    • SOA Infrastructure

    • Weblogic Services

There are two mandatory schemas that are selected by default. You cannot deselect them: Common Infrastructure Services (the STB schema) and WebLogic Services (the WLS schema). The Common Infrastructure Services schema enables you to retrieve information from RCU during domain configuration. See Understanding the Service Table Schema in Creating Schemas with the Repository Creation Utility.

Tip:

For more information about how to organize your schemas in a multi-domain environment, see Planning Your Schema Creation in Creating Schemas with the Repository Creation Utility.

Click Next to proceed, then click OK on the dialog window confirming that prerequisite checking for schema creation was successful.

Specifying Schema Passwords

Specify how you want to set the schema passwords on your database, then specify and confirm your passwords. Ensure that the complexity of the passwords meets the database security requirements before you continue. RCU proceeds at this point even if the passwords do not meet the database password policy, so perform this check outside RCU.

Click Next.

Tip:

You must make a note of the passwords you set on this screen; you will need them later on during the domain creation process.

Verifying the Tablespaces for the Required Schemas

You can accept the default settings on the remaining screens, or you can customize how RCU creates and uses the required tablespaces for the Oracle Fusion Middleware schemas.

Note:

You can configure a Fusion Middleware component to use JDBC stores for JMS servers and Transaction Logs, by using the Configuration Wizard. These JDBC stores are placed in the WebLogic Services component tablespace. If your environment expects to have a high level of transactions and/or JMS activity, you can increase the default size of the <PREFIX>_WLS tablespace to better suit the environment load.

Click Next to continue, and then click OK on the dialog window to confirm the tablespace creation.

For more information about RCU and its features and concepts, see About the Repository Creation Utility in Creating Schemas with the Repository Creation Utility.

Creating Schemas

Review the summary of the schemas to be loaded and click Create to complete schema creation.

Note:

If failures occurred, review the listed log files to identify the root cause, resolve the defects, and then use RCU to drop and re-create the schemas before you continue.

Reviewing Completion Summary and Completing RCU Execution

When you reach the Completion Summary screen, verify that all schema creations have been completed successfully, and then click Close to dismiss RCU.

Creating the Database Schemas Using CLI

Run the following commands to create the database schemas using the Repository Creation Utility (RCU) in silent mode:

  1. Create a password file pwd.txt that contains the password for the database sysdba account and the password assigned to the database schemas, one per line, as shown in the following example:
    sysdba_password
    schema_password
    Create the file with permissions that allow only the installing user to read it, and delete it once RCU completes. Set RCU_PREFIX to the custom prefix you chose for this domain (IGD in this guide) before you run the command.
  2. Run the following command from the directory that contains pwd.txt to execute the RCU in silent mode:
    $ORACLE_COMMON_HOME/bin/rcu -silent -createRepository -databaseType ORACLE -connectString $DB_HOST:$DB_PORT/$DB_SERVICE -dbUser sys -dbRole sysdba -selectDependentsForComponents true -useSamePasswordForAllSchemaUsers true -schemaPrefix $RCU_PREFIX -component MDS -component IAU -component SOAINFRA -component IAU_APPEND -component IAU_VIEWER -component OPSS -component WLS -component STB -component OIM -component UCSUMS -f < pwd.txt
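The following script is an added example, not part of the Oracle guide. It wraps the silent RCU run so that the passwords never sit in a readable file or on the command line: the two-line password file is created with mode 0600, fed to rcu through -f, and removed afterwards whether or not RCU succeeds. It assumes the environment variables from Setting Environment Variables are exported and that RCU_PREFIX holds the chosen schema prefix; the RUN_RCU, SYSDBA_PASSWORD and SCHEMA_PASSWORD variables in the example invocation are placeholders.

```shell
#!/bin/sh
# Added example, not from the Oracle guide. Assumes ORACLE_COMMON_HOME, DB_HOST, DB_PORT,
# DB_SERVICE and RCU_PREFIX are exported as in "Setting Environment Variables".

# rcu_password_file SYSDBA_PWD SCHEMA_PWD: write the two-line file that RCU reads on
# stdin (-f) and print its path. mktemp already creates the file with mode 0600; the
# chmod makes that explicit.
rcu_password_file() {
    f=$(mktemp) || return 1
    chmod 600 "$f"
    printf '%s\n%s\n' "$1" "$2" > "$f"
    echo "$f"
}

# rcu_components: one -component flag per schema the guide lists for OIG.
rcu_components() {
    for c in MDS IAU IAU_APPEND IAU_VIEWER OPSS SOAINFRA WLS STB OIM UCSUMS; do
        printf '%s %s ' -component "$c"
    done
}

# create_oig_schemas SYSDBA_PWD SCHEMA_PWD: run RCU in silent mode and remove the
# password file afterwards, whatever the exit status of rcu.
create_oig_schemas() {
    : "${ORACLE_COMMON_HOME:?}" "${DB_HOST:?}" "${DB_PORT:?}" "${DB_SERVICE:?}" "${RCU_PREFIX:?}"
    pwfile=$(rcu_password_file "$1" "$2") || return 1
    "$ORACLE_COMMON_HOME/bin/rcu" -silent -createRepository \
        -databaseType ORACLE \
        -connectString "$DB_HOST:$DB_PORT/$DB_SERVICE" \
        -dbUser sys -dbRole sysdba \
        -selectDependentsForComponents true \
        -useSamePasswordForAllSchemaUsers true \
        -schemaPrefix "$RCU_PREFIX" \
        $(rcu_components) \
        -f < "$pwfile"
    rc=$?
    rm -f "$pwfile"
    return $rc
}

# Example invocation (placeholders): the passwords would normally come from a vault or
# an interactive prompt rather than from exported variables.
if [ -n "${RUN_RCU:-}" ]; then
    create_oig_schemas "$SYSDBA_PASSWORD" "$SCHEMA_PASSWORD"
fi
```

The password file is created by mktemp under the system temporary directory, so it is not left next to the Oracle home, and it is removed on both the success and failure paths.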

Configuring the Oracle Identity Governance Domain

The following topics provide instructions for creating an Oracle Identity Governance domain using the Fusion Middleware Configuration wizard.

For more information on the other methods that are available for creating a domain, see Additional Tools for Creating, Extending, and Managing WebLogic Domains in Creating WebLogic Domains Using the Configuration Wizard.

Starting the Configuration Wizard

To begin domain configuration, run the following command in the Oracle Fusion Middleware Oracle home.

$ORACLE_COMMON_HOME/common/bin/config.sh

Navigating the Configuration Wizard Screens to Configure the Oracle Identity Governance Domain

Follow the instructions in the following sections to create and configure the domain for the topology, with static clusters.

Table 15-6 Navigating the Infrastructure Installation Screens

Screen Description

Selecting the Domain Type and Domain Home Location

On the Configuration Type screen, select Create a new domain.

In the Domain Location field, specify the value of the IGD_ASERVER_HOME variable, as defined in File System and Directory Variables Used in This Guide.

For example, /u01/oracle/config/domains/oig for Oracle Identity Governance.

Tip:

For more information about the other options on this screen of the Configuration Wizard, see Configuration Type in Creating WebLogic Domains Using the Configuration Wizard.

Click Next.

Selecting the Configuration Templates

On the Templates screen, make sure Create Domain Using Product Templates is selected, then select the following templates:

  • Oracle Identity Manager - [idm]

    Selecting this template automatically selects the following dependencies:

    • Oracle Enterprise Manager - [em]

    • Oracle WSM Policy Manager - [wsm]

    • Oracle JRF - [oracle_common]

    • WebLogic Coherence Cluster Extension - [wlserver]

    • Oracle SOA Suite - [soa]

Tip:

More information about the options on this screen can be found in Templates in Creating WebLogic Domains Using the Configuration Wizard.

Click Next.

Configuring High Availability Options

This screen appears for the first time when you create a cluster that uses Automatic Service Migration or JDBC stores or both. After you select HA Options for a cluster, all subsequent clusters that are added to the domain by using the Configuration Wizard, automatically apply HA options (that is, the Configuration Wizard creates the JDBC stores and configures ASM for them).

On the High Availability Options screen:
  • Select Enable Automatic Service Migration with Database Leasing.

  • Set JTA Transaction Log Persistence to JDBC TLog Store.

  • Set JMS Server Persistence to JMS JDBC Store.

  • Click Next.

Note:

Oracle recommends that you use JDBC stores, which leverage the consistency, data protection, and high availability features of an Oracle database and make resources available to all the servers in the cluster. The Configuration Wizard steps therefore assume that JDBC persistent stores are used together with Automatic Service Migration.

When you choose JDBC persistent stores, additional unused File Stores are automatically created but are not targeted to your clusters. Ignore these File Stores.

Selecting the Application Home Location

On the Application Location screen, specify the value of the APPLICATION_HOME variable, as defined in File System and Directory Variables Used in This Guide.

For example, /u01/oracle/config/applications/oig.

Tip:

More information about the options on this screen can be found in Application Location in Creating WebLogic Domains Using the Configuration Wizard.

Click Next.

Configuring the Administrator Account

On the Administrator Account screen, specify the user name (Oracle recommends using a different name from “WebLogic”) and password for the default WebLogic Administrator account for the domain.

Make a note of the user name and password specified on this screen; you will need these credentials later to boot and connect to the domain's Administration Server.

Click Next.

Specifying the Domain Mode and JDK

On the Domain Mode and JDK screen:

  • Select Production in the Domain Mode field.

    In the Enable or Disable Default Ports for your Domain field, use the default values provided for Production Mode, according to your deployment type:

    SSL Termination

    If you are using an SSL Terminated deployment, the following values must be selected:

    • Ensure that Enable Listen Ports (non-SSL Ports) is checked.

    • Ensure that Enable SSL Listen Ports is not checked.

    • Ensure that Enable Administration Port (SSL Port) is checked.

    End to End SSL Deployment

    If you are using an End to End SSL deployment, the following values must be selected:

    • Ensure that Enable Listen Ports (non-SSL Ports) is not checked.

    • Ensure that Enable SSL Listen Ports is checked.

    • Ensure that Enable Administration Port (SSL Port) is checked.

    Tip:

    More information about the options on this screen, including the differences between development mode and production mode, can be found in Domain Mode and JDK in Creating WebLogic Domains Using the Configuration Wizard. When you start the Administration Server, a boot identity file can be created to bypass the need to provide a user name and password in production mode.

  • Select the Oracle Hotspot JDK in the JDK field.

Selecting Production Mode on this screen gives your environment a higher degree of security, requiring a user name and password to deploy applications and to start the Administration Server.

Click Next.

Specifying the Database Configuration Type

On the Database Configuration Type screen:

  • Select RCU Data to activate the fields on this screen.

    The RCU Data option instructs the Configuration Wizard to connect to the database and Service Table (STB) schema to automatically retrieve schema information for the schemas needed to configure the domain.

  • Verify that Vendor is Oracle and Driver is Oracle's Driver (Thin) for Service Connections; Versions: Any.

  • Verify that Connection Parameters is selected.

Note:

If you choose to select Manual Configuration on this screen, you will have to manually fill in the parameters for your schema on the JDBC Component Schema screen.

After you select RCU Data, fill in the fields as shown below:

Field Description

Host Name

Enter the Single Client Access Name (SCAN) Address for the Oracle RAC database, which you entered in the Enterprise Deployment Workbook.

For information about the Enterprise Deployment Workbook, see Using the Enterprise Deployment Workbook.

DBMS/Service

Enter the service name for the Oracle RAC database appropriate for this domain where you will install the product schemas. For example:

iamedg.example.com

Specify the service name based on the value configured earlier in the Preparing the Database for an Enterprise Deployment section.

Port

Enter the port number on which the database listens. For example, 1521.

Schema Owner

Enter the user name and password for connecting to the database's Service Table schema.

Schema Password

This is the schema user name and password that was specified for the Service Table component on the "Schema Passwords" screen in RCU (see Creating the Database Schemas).

The default user name is prefix_STB, where prefix is the custom prefix that you defined in RCU.

Click Get RCU Configuration when you are finished specifying the database connection information. The following output in the Connection Result Log indicates that the operation succeeded:

Connecting to the database server...OK
Retrieving schema data from database server...OK
Binding local schema components with retrieved data...OK

Successfully Done.

Click Next if the connection to the database is successful.

Tip:

More information about the RCU Data option can be found in Understanding the Service Table Schema in Creating Schemas with the Repository Creation Utility.

More information about the other options on this screen can be found in Datasource Defaults in Creating WebLogic Domains Using the Configuration Wizard.

Specifying JDBC Component Schema Information

Verify that the values on the JDBC Component Schema screen are correct for all schemas.

The schema table should be populated, because you selected Get RCU Data on the previous screen. As a result, the Configuration Wizard locates the database connection values for all the schemas required for this domain.

At this point, the values are configured to connect to a single-instance database. However, for an enterprise deployment, you should use a highly available Real Application Clusters (RAC) database, as described in Preparing the Database for an Enterprise Deployment.

In addition, Oracle recommends that you use an Active GridLink datasource for each of the component schemas. For more information about the advantages of using GridLink data sources to connect to a RAC database, see Database Considerations in the High Availability Guide.

To convert the data sources to GridLink:

  1. Select all the schemas by selecting the checkbox in the first header row of the schema table.

  2. Click Convert to GridLink and click Next.

Providing the GridLink Oracle RAC Database Connection Details

On the GridLink Oracle RAC Component Schema screen, provide the information required to connect to the RAC database and component schemas, as shown below:
Element Description and Recommended Value

Service Name

Verify that the service name for the Oracle RAC database is the appropriate one for this domain.

For example, oigsvc.example.com.

SCAN, Host Name, and Port

Select the SCAN check box.

In the Host Name field, enter the Single Client Access Name (SCAN) Address for the Oracle RAC database.

In the Port field, enter the SCAN listening port for the database (for example, 1521).

ONS Host and Port

Leave blank.

Enable Fan

Verify that the Enable Fan check box is selected, so the database can receive and process FAN events.

For more information about specifying the information on this screen, as well as information about how to identify the correct SCAN address, see Configuring Active GridLink Data Sources with Oracle RAC in the High Availability Guide.

You can also click Help to display a brief description of each field on the screen.

Click Next.

Testing the JDBC Connections

Use the JDBC Component Schema Test screen to test the data source connections you have just configured.

A green check mark in the Status column indicates a successful test. If you encounter any issues, see the error message in the Connection Result Log section of the screen, fix the problem, then try to test the connection again.

Tip:

More information about the other options on this screen can be found in Test Component Schema in Creating WebLogic Domains Using the Configuration Wizard.

Click Next.

Entering Credentials

Enter the credentials you wish to use for the Oracle Identity Governance components. You can choose both a user name and a password for each of the following objects.

  • keystore: Set the username to "keystore" and the password to the password you wish to use for all automatically created keystores.

  • OIMSchemaPassword: Set the username to the OIG schema which you created in the earlier sections. For example, IGD_OIM (username) and its associated password.

  • Sysadmin: This is the administrative user you will use for OIG. This is typically xelsysadm, but can be anything. Set the password to a value you wish to use for this account.

  • WebLogicAdminKey: This is the domain admin username and password. For example, weblogic.

Click Next.

Keystore

Use this screen to specify details about the keystore to be used in the domain.

For a typical enterprise deployment, you can leave the default values.

See Keystore in Creating WebLogic Domains Using the Configuration Wizard.

Click Next.

Selecting Advanced Configuration

To complete domain configuration for the topology, select the following options on the Advanced Configuration screen:

  • Administration Server

    This is required to properly configure the listen address of the Administration Server.

  • Node Manager

    This is required to configure Node Manager.

  • Topology

    This is required to add, delete, or modify the Settings for Server Templates, Managed Servers, Clusters, Virtual Targets, and Coherence.

Note:

When using the Advanced Configuration screen in the Configuration Wizard, if any of the above options are not available on the screen, then return to the Templates screen, and be sure you selected the required templates for this topology.

Click Next.

Configuring the Administration Server Listen Address

On the Administration Server screen:

  1. In the Server Name field, retain the default value, AdminServer.

  2. In the Listen Address field, enter the virtual host name that corresponds to the VIP of the IGDADMINVHN that you procured in Procuring Resources for an Enterprise Deployment and enabled in Preparing the Host Computers for an Enterprise Deployment.

    For more information on the reasons for using the IGDADMINVHN virtual host, see Reserving the Required IP Addresses for an Enterprise Deployment.

  3. In the Configure Administration Server Ports section, perform the following steps:

    SSL Terminated Deployment

    1. Set the value of the listen port to 7101.

    2. Ensure the Enable SSL Listen port field is unchecked.

    3. Set the value of Administration Port to 9102.

    End to End SSL Deployment

    1. Leave the Enable Listen Port field unchecked. The Listen Port value will be disabled in grey.

    2. Ensure the Enable SSL Listen port field is checked.

    3. Set the value of SSL Listen Port to 7102.

    4. Set the value Administration Port to 9102.

    Note:

    The default values are not used, to ensure that there is no port conflict if Oracle Access Manager and Oracle Identity Governance run on the same host.

  4. In the Listen Port field, enter the port number used to access the Administration Server. This guide recommends that you use the default port 7101 for Oracle Identity Governance. Leave the other fields at their default values. In particular, be sure that no server groups are assigned to the Administration Server.

Click Next.

Configuring Node Manager

Select Manual Node Manager Setup as the Node Manager type.

WARNING:

You can ignore the warning in the bottom pane. This guide provides the required steps for the Manual Node Manager configuration.

Tip:

For more information about the options on this screen, see Node Manager in Creating WebLogic Domains Using the Configuration Wizard.

For more information about per domain and per host Node Manager implementations, see About the Node Manager Configuration in a Typical Enterprise Deployment.

For information about Node Manager configurations, see Configuring Node Manager on Multiple Machines in Administering Node Manager for Oracle WebLogic Server.

Click Next.

Configuring Managed Servers

Use the Managed Servers screen to create two new Managed Servers:

  1. Update the existing managed server oim_server1 and set the Listen address to oighost1.example.com.

  2. Update the existing managed server soa_server1 and set the Listen address to oighost1.example.com.

  3. Click the Add button to create a new Managed Server.

  4. Specify oim_server2 in the Server name column.

  5. In the SSL Listen Port column, enter the same port used by oim_server1. For example, 14001.

    In the Listen Address column, be sure to enter the host name that corresponds to oighost2.example.com; do not use the IP address.

  6. In the Listen Port column, enter the same port used by oim_server1. For example, 14000.

  7. In the Server Groups drop down, ensure the same server groups as oim_server1 are selected.

  8. Repeat this process for soa_server2.

    The following tables summarize the managed servers to be created.

Table 15-7 SSL Terminated Deployments

Server Name | Listen Address       | Enable Listen Port | Listen Port | Enable SSL | SSL Listen Port | Server Groups
oim_server1 | oighost1.example.com | Yes                | 14000       | No         | 14001           | OIM-MGD-SVRS
oim_server2 | oighost2.example.com | Yes                | 14000       | No         | 14001           | OIM-MGD-SVRS
soa_server1 | oighost1.example.com | Yes                | 7003        | No         | 7004            | SOA-MGD-SVRS
soa_server2 | oighost2.example.com | Yes                | 7003        | No         | 7004            | SOA-MGD-SVRS

Table 15-8 End to End SSL Deployments

Server Name | Listen Address       | Enable Listen Port | Listen Port | Enable SSL | SSL Listen Port | Server Groups
oim_server1 | oighost1.example.com | No                 | 14000       | Yes        | 14001           | OIM-MGD-SVRS
oim_server2 | oighost2.example.com | No                 | 14000       | Yes        | 14001           | OIM-MGD-SVRS
soa_server1 | oighost1.example.com | No                 | 7003        | Yes        | 7004            | SOA-MGD-SVRS
soa_server2 | oighost2.example.com | No                 | 7003        | Yes        | 7004            | SOA-MGD-SVRS

The Managed Server names suggested in this procedure are referenced throughout this document; if you choose different names, be sure to replace them as needed.

Click Next.

Configuring a Cluster

In this task, you create a cluster for each set of Managed Servers. You can then target the Oracle Identity Governance and Oracle SOA Suite components to the relevant cluster.

Create the following clusters:

  • oim_cluster

  • soa_cluster

Use the Clusters screen to create a new cluster:

  1. Click the Add button.

  2. Specify the cluster name in the Cluster Name field.

  3. Repeat the steps to create all of the clusters.

Note:

By default, server instances in a cluster communicate with one another using unicast. If you want to change your cluster communications to use multicast, refer to Considerations for Choosing Unicast or Multicast in Administering Clusters for Oracle WebLogic Server.

Click Next.

For more information about the options on this screen, see Clusters in Creating WebLogic Domains Using the Configuration Wizard.

Assigning Server Templates

Click Next to proceed to the next screen.

Configuring Dynamic Servers

Verify that all dynamic server options are disabled for clusters that are to remain as static clusters.

  1. Confirm that the Dynamic Cluster, Calculated Listen Port, and Calculated Machine Names checkboxes on this screen are unchecked.

  2. Confirm the Server Template selection is Unspecified.

  3. Click Next.

Assigning Managed Servers to the Cluster

Use the Assign Servers to Clusters screen to assign your managed servers to the clusters you have just created. At the end of this you will have the following assignments:

Cluster     | Managed Servers
oim_cluster | oim_server1, oim_server2
soa_cluster | soa_server1, soa_server2

  1. In the Clusters pane, select the cluster to which you want to assign the servers.

  2. In the Servers pane, assign the managed servers to the clusters as in the table above, using one of the following methods:

    • Click once on the Managed Server to select it, then click on the right arrow to move it beneath the selected cluster in the Clusters pane.

    • Double-click on managed server to move it beneath the selected cluster in the clusters pane.

  3. Repeat to assign each managed server to a cluster as shown in the table.

  4. Click Next to proceed to the next screen.

Tip:

More information about the options on this screen can be found in Assign Servers to Clusters in Creating WebLogic Domains Using the Configuration Wizard.

Configuring Coherence Clusters

Use the Coherence Clusters screen to configure the Coherence cluster that is automatically added to the domain.

In the Cluster Listen Port, enter 9991.

Note:

For Coherence licensing information, see Oracle Coherence Products in Oracle Fusion Middleware Licensing Information User Manual.

Click Next.

Creating Machines

Use the Machines screen to create new machines in the domain. A machine is required in order for the Node Manager to be able to start and stop the servers.

You must create a machine even if your topology contains just the Administration Server.

  1. Select the Unix Machine tab.

  2. Click the Add button to create new UNIX machines.

    Use the values in Values to Use When Creating Unix Machines to define the Name and Node Manager Listen Address of each machine.

  3. Verify the port in the Node Manager Listen Port field.

    The port number 5556, shown in this example, may be referenced by other examples in the documentation. Replace this port number with your own port number as needed.

Table 15-9 Values to Use When Creating Unix Machines

Name      | Node Manager Listen Address                                                                    | Node Manager Type | Node Manager Listen Port
ADMINHOST | Enter the value of the IGDADMINVHN variable.                                                   | SSL               | 5556
OIGHOST1  | The hostname of the server that will run the managed servers. For example, oighost1.example.com. | SSL               | 5556
OIGHOST2  | The hostname of the server that will run the managed servers. For example, oighost2.example.com. | SSL               | 5556

Note:

If you are installing OIG on the same host as Oracle Access Management (OAM), ensure that the Node Manager ports are unique to each deployment.

Tip:

More information about the options on this screen can be found in Machines in Creating WebLogic Domains Using the Configuration Wizard.

Click Next.

Assigning Servers to Machines

Use the Assign Servers to Machines screen to assign the Oracle Identity Governance Managed Servers to the corresponding machines in the domain.

Assign the machines as shown in the following table:

Servers                  | Machines
AdminServer              | ADMINHOST
oim_server1, soa_server1 | OIGHOST1
oim_server2, soa_server2 | OIGHOST2

  1. In the Machines pane, select the machine to which you want to assign the servers.

  2. In the Servers pane, assign the Managed Servers to the machine as in the table above, using one of the following methods:

    • Click on the Managed Server to select it, and then click on the right arrow to move it beneath the selected machines in the machines pane.

    • Double-click on the Managed Server to move it beneath the selected machine in the machines pane.

  3. Repeat to assign each of the Managed Server to the respective machine.

  4. Click Next.

For more information about the options on this screen, see Assign Servers to Machines in Creating WebLogic Domains Using the Configuration Wizard.

Creating Virtual Targets

Click Next.

Creating Partitions

Click Next.

Configuring Domain Front End Host

In the Domain Front End Host screen, you specify the main entry point for OIG. This equates to the name on the load balancer. Set the following values:

Plain   | http://oig.example.com
SSL     | https://oig.example.com
Default | SSL

Note:

Even though you are specifying this value, it will never be used.

Click Next.

Reviewing Your Configuration Specifications and Configuring the Domain

The Configuration Summary screen contains the detailed configuration information for the domain you are about to create. Review the details of each item on the screen and verify that the information is correct.

You can go back to any previous screen if you need to make any changes, either by using the Back button or by selecting the screen in the navigation pane.

Domain creation will not begin until you click Create.

Tip:

More information about the options on this screen can be found in Configuration Summary in Creating WebLogic Domains Using the Configuration Wizard.

Click Next.

Writing Down Your Domain Home and Administration Server URL

The Configuration Success screen will show the following items about the domain you just configured:

  • Domain Location

  • Administration Server URL

You must make a note of both items as you will need them later; the domain location is needed to access the scripts used to start the Administration Server.

Click Finish to dismiss the Configuration Wizard.

Creating Oracle Identity Manager Authenticator

Before you start the domain, you have to run a script which creates the Oracle Identity Manager (OIM) Authenticator in the domain.

To do this, complete the following steps:

  1. Navigate to the $IGD_ORACLE_HOME/idm/server/bin directory:

    cd $IGD_ORACLE_HOME/idm/server/bin

  2. Run the following command:

    ./offlineConfigManager.sh

    Note:

    If you do not have execute permissions for this file, add them using the following command:

    chmod 750 offlineConfigManager.sh

Enabling SSL

If you are configuring End to End SSL, you must perform additional steps.

The steps are as follows:

Adding Certificate Stores Location to the WebLogic Servers Start Scripts

Once the Identity and Trust Stores are created for the domain some Java properties must be added to the WebLogic start scripts. These properties are added to the file setUserOverridesLate.sh in $IGD_ASERVER_HOME/bin. Any customizations you add to this file are preserved during domain upgrade operations and are carried over to remote servers when using the pack and unpack commands.

Manually create the file setUserOverridesLate.sh in $IGD_ASERVER_HOME/bin. Edit the file and add the variable EXTRA_JAVA_PROPERTIES to set the javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword properties with the values used by your EDG system. For example:
EXTRA_JAVA_PROPERTIES="${EXTRA_JAVA_PROPERTIES}
 -Djavax.net.ssl.trustStore=/u01/oracle/config/keystores/idmTruststore.p12
 -Djavax.net.ssl.trustStorePassword=password"
export EXTRA_JAVA_PROPERTIES

The order of the extra Java properties matters: if the same property is defined more than once, the later value is used. Define the custom values as shown in the example so that they take effect.
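As an added example (not from the Oracle guide), the following shell functions write setUserOverridesLate.sh with owner-only permissions, since it holds the trust store password in clear, and then resolve which trust store the JVM would actually use when the property appears more than once in EXTRA_JAVA_PROPERTIES. The trust store path, the override file location and the password are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the Oracle guide. All paths and the password are constructed.

# Write OVERRIDES_FILE so that EXTRA_JAVA_PROPERTIES gets the trust store settings
# appended, exactly in the shape the guide shows. The file holds the password in
# clear, so it is created owner-read/write only (umask 077 inside a subshell), and
# the trust store must already exist at an absolute path.
write_overrides() {  # write_overrides OVERRIDES_FILE TRUSTSTORE_PATH TRUSTSTORE_PASSWORD
    overrides=$1; store=$2; pass=$3
    case "$store" in
        /*) ;;
        *)  echo "trust store path must be absolute: $store" >&2; return 1 ;;
    esac
    [ -r "$store" ] || { echo "trust store not found: $store" >&2; return 1; }
    (
        umask 077
        {
            printf 'EXTRA_JAVA_PROPERTIES="${EXTRA_JAVA_PROPERTIES}'
            printf ' -Djavax.net.ssl.trustStore=%s' "$store"
            printf ' -Djavax.net.ssl.trustStorePassword=%s"\n' "$pass"
            printf 'export EXTRA_JAVA_PROPERTIES\n'
        } > "$overrides"
    )
}

# Source the overrides the way the start scripts do and print the trust store the
# JVM will end up with. With repeated -D options the last one wins, so the value
# appended by the overrides file beats anything set earlier in EXTRA_JAVA_PROPERTIES.
# Runs in a subshell so the caller's environment is left untouched.
effective_truststore() {  # effective_truststore OVERRIDES_FILE
    (
        . "$1"
        printf '%s\n' "$EXTRA_JAVA_PROPERTIES" | tr ' ' '\n' \
            | sed -n 's/^-Djavax.net.ssl.trustStore=//p' | tail -n 1
    )
}

# Demo on constructed input: a stand-in trust store and a stale value already present.
demo=$(mktemp -d)
: > "$demo/idmTrustStore.p12"                                        # stand-in PKCS12 trust store
EXTRA_JAVA_PROPERTIES="-Djavax.net.ssl.trustStore=/tmp/stale.p12"    # simulated earlier setting
write_overrides "$demo/setUserOverridesLate.sh" "$demo/idmTrustStore.p12" 'constructed-password'
effective_truststore "$demo/setUserOverridesLate.sh"   # prints the new store, not /tmp/stale.p12
ls -l "$demo/setUserOverridesLate.sh"                  # mode is -rw-------
```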

Update Server's Security Settings Using the Remote Console

Connecting to the Remote Console Using the Administration Server's Virtual Hostname as Provider

The following procedure temporarily starts the Administration Server with the default start script to enable you to perform these tasks. After you perform these tasks, you can stop this temporary session and use the Node Manager to start the Administration Server.

Note:

For this Remote Console initial access to the Administration Server, it is required that the machine that runs the Remote Console can resolve and connect to the Admin Server's Listen Address. This can be done by starting the Remote Console directly in the node where the Admin Server runs or creating a tunnel to this address from the node where the remote Console is executed.
  1. Use the default start script to start the Administration Server:
    1. Change directory to the following directory:
      cd $IGD_ASERVER_HOME/bin
    2. Run the start script:
      ./startWebLogic.sh

      Monitor the terminal until the following message is displayed:

      <Server state changed to RUNNING>

      You must also verify that the appropriate SSL listener is available, which is confirmed by a message like the following in the output:

      <Server> <BEA-002613> <Channel "DefaultSecure" is now listening on XXXX:7002 for protocols iiops, t3s, ldaps, https.>
  2. Create a new provider in the WebLogic Remote Console as follows:
    1. Download the domain's trust keystore to the host or laptop where you run the WebLogic Remote Console. For example, when using the per-domain CA steps in previous sections, this would be located at $KEYSTORE_HOME/idmTrustStore.p12.
    2. Open the Remote Console and add the domain trust store to the remote console settings. Click File > Settings and enter the following values.
      1. Trust Store type - pkcs12

      2. Trust Store Path - The path to the trust keystore file in the host where the Remote Console runs.

      3. Trust Store Key - Enter the password provided in the steps above for certificate creation.

      4. Check Disable HostName verification if you are using Demo certificates as described in the steps above.

    3. Using the Providers window in the Remote Console, create a new provider by selecting Add Admin Server Connection Provider.
      1. Enter a provider name, for example oig.

      2. Enter the WebLogic domain administration user name that you provided in the Configuration Wizard.

      3. Enter the password used for the domain creation.

      4. Use https protocol and the admin server listen address used in the configuration wizard as URL for access and specify port 9002.

        For example, https://igdadminvhn.example.com:9002.

      5. Check the Make Insecure Connection checkbox.

        Note:

        This provider should not be used once the front end and webtier are configured.

      The Remote Console Home Window for the domain will be displayed.

Updating the WebLogic Servers Security Settings
Perform the following steps to update the WebLogic Servers Security Settings and Administration Port:
  1. Access the Domain provider in the Remote Console and update the Administration Server and WebLogic Servers Security Settings:
    1. Click Edit Tree.
    2. Click Environment > Servers > AdminServer.
    3. Click the Security tab.
    4. Change the keystores dropdown to Custom Identity and Custom Trust.
    5. In Custom Identity Keystore, enter the fully qualified path to the identity keystore as follows:
      $KEYSTORE_HOME/idmcerts.pkcs12

      Replace $KEYSTORE_HOME with the directory you use for storing keystores, as described in Table 8-2.

    6. Set the Custom Identity Keystore Type to PKCS12.
    7. In Custom Identity Keystore Passphrase, enter the password Keystore_Password you provided in the certificate generation steps.
    8. In Custom Trust Keystore, enter the fully qualified path to the trust keystore.
      $KEYSTORE_HOME/idmTrustStore.pkcs12

      Replace $KEYSTORE_HOME with the directory you use for storing keystores, as described in Table 8-2.

    9. Set the Custom Trust Keystore Type to PKCS12.
    10. In Custom Trust Keystore Passphrase, enter the password you provided as the <keypass> in the certificate generation steps.
    11. Click Save.
    12. Under Security settings, navigate to SSL tab.
    13. In the Server Private Key Alias field, enter the alias provided in the certificate generation steps. If you are using a SAN-based certificate, use the alias you used to create the certificate. If you are using host-based certificates, this is usually the host's short name. For example, oighost1 for oighost1.example.com.
    14. In the Server Private Key Pass Phrase field, enter the password provided in the certificate generation steps.
    15. Click Save.

      The shopping cart icon at the top right of the screen now shows that there are pending changes (a yellow bag inside the cart).

    16. Click the Cart icon on the top right and select Commit Changes.
    Repeat the above steps for each managed server in the domain, changing the alias to match the alias used for that server's certificate.

    Note:

    For managed servers you should use $LOCAL_KEYSTORE_HOME instead of $KEYSTORE_HOME.
  2. Return to the terminal window where you started the Administration Server with the start script.
  3. Press Ctrl+C to stop the Administration Server process.

    Wait for the Administration Server process to end and for the terminal command prompt to appear.

  4. Start the Administration Server again by using the following script:
    1. Change directory to the following directory:
      cd $IGD_ASERVER_HOME/bin
    2. Run the start script:
      ./startWebLogic.sh
    3. Monitor the output in the terminal till the following output is displayed.
      <Server state changed to RUNNING>

Configuring a Per Host Node Manager for an Enterprise Deployment

For specific enterprise deployments, Oracle recommends that you configure a per-host Node Manager, as opposed to the default per-domain Node Manager.

For more information about the advantages of a per host Node Manager, see About the Node Manager Configuration in a Typical Enterprise Deployment.

Creating a Per Host Node Manager Configuration

The first step in configuring a per-host Node Manager is to create a configuration directory and two new Node Manager configuration files. You must also edit the default startNodeManager.sh file.

To create a per-host Node Manager configuration, perform the following tasks, first on OIGHOST1, and then on OIGHOST2:

  1. Log in to OIGHOST1 and create a directory for the Node Manager configuration files:

    For example:

    mkdir -p /u02/oracle/config/nodemanager

    Note that this directory should be on a local disk, because it is specific to the host. This directory location is known as the Node Manager home, and it is identified by the NM_HOME directory variable in examples in this guide.

  2. Change directory to the Node Manager home directory:
    cd $NM_HOME
  3. If you haven't already, copy the keystores to your local host to ensure that node manager has access to them. For example:
    mkdir -p $LOCAL_KEYSTORE_HOME
    cp -r $KEYSTORE_HOME $LOCAL_KEYSTORE_HOME
  4. Change directory to the Node Manager home directory:
    cd $NM_HOME
  5. Create a new text file called nodemanager.properties and add the values shown in Example: Contents of the nodemanager.properties File to this new file.

    Use the pertaining identity alias for the node that you are configuring. For example, oighost1.example.com in OIGHOST1 and oighost2.example.com in OIGHOST2.

    For more information about the properties that you can add to the nodemanager.properties file, see Node Manager Properties in Administering Node Manager for Oracle WebLogic Server.

    In the nodemanager.properties file, you enable crash recovery for servers as a part of this configuration. See Node Manager and System Crash Recovery in Administering Node Manager for Oracle WebLogic Server.

    Example: Contents of the nodemanager.properties File

    DomainsFile=/u02/oracle/config/nodemanager/nodemanager.domains
    LogLimit=0
    PropertiesVersion=14.1.2.0.0
    AuthenticationEnabled=true
    NodeManagerHome=/u02/oracle/config/nodemanager
    #Include the specific JDK home
    JavaHome=/u01/oracle/products/jdk
    LogLevel=INFO
    DomainsFileEnabled=true
    StartScriptName=startWebLogic.sh
    #Leave blank for listening on ANY
    ListenAddress=
    NativeVersionEnabled=true
    ListenPort=5556
    LogToStderr=true
    SecureListener=true
    LogCount=1
    StopScriptEnabled=false
    QuitEnabled=false
    LogAppend=true
    StateCheckInterval=500
    CrashRecoveryEnabled=true
    StartScriptEnabled=true
    LogFile=/u02/oracle/config/nodemanager/nodemanager.log
    LogFormatter=weblogic.nodemanager.server.LogFormatter
    ListenBacklog=50
    KeyStores=CustomIdentityAndCustomTrust
    CustomIdentityAlias=idmcerts.example.com
    CustomIdentityKeyStoreFileName=/u02/oracle/config/keystores/idmTrustStore.pkcs12
    CustomIdentityKeyStorePassPhrase=password
    CustomIdentityPrivateKeyPassPhrase=password
  6. Locate the startNodeManager.sh file in the following directory:
    $WL_HOME/server/bin
  7. Copy the startNodeManager.sh file to the Node Manager home directory.
    cp $WL_HOME/server/bin/startNodeManager.sh $NM_HOME
  8. Edit the new startNodeManager.sh file and add the NODEMGR_HOME property as follows:
    NODEMGR_HOME="<NM_HOME>"
    For example:
    NODEMGR_HOME="/u02/oracle/config/nodemanager"
  9. Locate the stopNodeManager.sh script in the $WL_HOME/server/bin directory and copy it to the Node Manager home directory. Edit the copied file and set the NODEMGR_HOME property to the Node Manager home, as you did for the startNodeManager.sh file:
    NODEMGR_HOME="<NM_HOME>"

    In this example, replace <NM_HOME> with the actual path to the Node Manager home.

  10. Create another new file in the Node Manager home directory, called nodemanager.domains.

    The nodemanager.domains file provides additional security by restricting Node Manager client access to the domains listed in this file.

  11. Perform steps 1 through 8 on OIGHOST2.
  12. Add the following entries to the new nodemanager.domains files:

    On OIGHOST1, add values for both the Administration Server domain home and the Managed Servers domain home:

    oig=IGD_MSERVER_HOME;IGD_ASERVER_HOME

    Note:

    The path listed first (IGD_MSERVER_HOME) is treated as the primaryDomainPath, and the Managed Servers run from that location.

    On OIGHOST2, add the value for the Managed Servers domain home only:

    oig=IGD_MSERVER_HOME

    In these examples, replace IGD_ASERVER_HOME and IGD_MSERVER_HOME with the values of the respective variables, as described in File System and Directory Variables Used in This Guide.

Starting the Node Manager on OIGHOST1

After you manually set up the Node Manager to use a per-host Node Manager configuration, you can start the Node Manager on OIGHOST1, by using the startNodeManager.sh script.
To start the Node Manager on OIGHOST1:
  1. Change directory to the Node Manager home directory:
    cd $NM_HOME
  2. Run the following command to start the Node Manager and send the output of the command to an output file, rather than to the current terminal shell:
    nohup ./startNodeManager.sh > ./nodemanager.out 2>&1 &
  3. Monitor the nodemanager.out file and make sure that the Node Manager starts successfully. The output should eventually contain the following strings:
    <INFO> <Upgrade> <Encrypting NodeManager property: CustomIdentityKeyStorePassPhrase>
    <INFO> <Upgrade> <Encrypting NodeManager property: CustomIdentityPrivateKeyPassPhrase>
    <Upgrade> <Saving upgraded NodeManager properties to '/u02/oracle/config/nodemanager/nodemanager.properties'>
    <INFO> <Loading domains file: /u02/oracle/config/nodemanager/nodemanager.domains>
    <INFO> <Loading identity key store: FileName=/u02/oracle/config/keystores/idmTrustStore.p12, Type=pkcs12, PassPhraseUsed=true>
    <INFO> <Loaded NodeManager configuration properties from '/u02/oracle/config/nodemanager/nodemanager.properties'>
    <INFO> <14.1.2.0.0>
    <INFO> <Server Implementation Class: weblogic.nodemanager.server.NMServer$ClassicServer.>
    <INFO> <Secure socket listener started on port 5556>

    Check that the plaintext passwords in nodemanager.properties have been encrypted by running the following command:

    cat /u02/oracle/config/nodemanager/nodemanager.properties
    The output will look similar to the following:
    #<DATE>
    #<DATE>
    DomainsFile=/u02/oracle/config/nodemanager/nodemanager.domains
    LogLimit=0
    PropertiesVersion=14.1.2.0.0
    AuthenticationEnabled=true
    NodeManagerHome=/u02/oracle/config/nodemanager
    #Include the specific JDK home
    JavaHome=/u01/oracle/products/jdk
    LogLevel=INFO
    DomainsFileEnabled=true
    StartScriptName=startWebLogic.sh
    #Leave blank for listening on ANY
    ListenAddress=
    NativeVersionEnabled=true
    ListenPort=5556
    LogToStderr=true
    SecureListener=true
    LogCount=1
    StopScriptEnabled=false
    QuitEnabled=false
    LogAppend=true
    StateCheckInterval=500
    CrashRecoveryEnabled=true
    StartScriptEnabled=true
    LogFile=/u02/oracle/config/nodemanager/nodemanager.log
    LogFormatter=weblogic.nodemanager.server.LogFormatter
    ListenBacklog=50
    KeyStores=CustomIdentityAndCustomTrust
    CustomIdentityAlias=idmcerts.example.com
    CustomIdentityKeyStoreFileName=/u02/oracle/config/keystores/idmTrustStore.p12
    CustomIdentityKeyStorePassPhrase={AES256}EMvPrOCRfN7fyv3d8JcEnttTLyneG9Su+UVK5DGEmqmqDwLkpLz9nQFZ+fL1Bidc
    CustomIdentityPrivateKeyPassPhrase={AES256}O5cEJD8WVYP3aRLp9KAbFZ3CGLyxmmIWFX1YzVfJvPpl1dc5RbMksAcsBLquKcWW
    
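The following script is an added example and is not part of the Oracle guide. It writes the two per-host files from the steps above (nodemanager.properties with the same keys as the guide's example, and nodemanager.domains with the primaryDomainPath first) and provides the check that the guide asks for after the first start: that every passphrase in nodemanager.properties now carries the {AES256} marker rather than plain text. All paths, the identity alias and the passphrase are parameters; the values in the demo at the bottom are constructed samples, and the 0600 file mode is an assumption that the account creating the file is the one that runs Node Manager.

```shell
#!/bin/sh
# Added example; not part of the Oracle guide. Writes the per-host Node Manager
# files and checks, after the first start, that the keystore passphrases in
# nodemanager.properties have been replaced by {AES256} values.
set -eu

# Write nodemanager.properties for one host (same keys as the guide's example).
# $1 NM_HOME  $2 JAVA_HOME  $3 identity alias  $4 identity keystore  $5 passphrase
write_nm_properties() {
  nm_home=$1; java_home=$2; id_alias=$3; ks_file=$4; ks_pass=$5
  mkdir -p "$nm_home"
  # Until Node Manager starts once, the file holds the passphrase in clear text,
  # so create it readable by the owning account only (assumption: that account
  # is the one that runs Node Manager).
  ( umask 077; cat > "$nm_home/nodemanager.properties" <<EOF
DomainsFile=$nm_home/nodemanager.domains
DomainsFileEnabled=true
NodeManagerHome=$nm_home
PropertiesVersion=14.1.2.0.0
JavaHome=$java_home
LogFile=$nm_home/nodemanager.log
LogFormatter=weblogic.nodemanager.server.LogFormatter
LogLevel=INFO
LogLimit=0
LogCount=1
LogAppend=true
LogToStderr=true
ListenAddress=
ListenPort=5556
ListenBacklog=50
SecureListener=true
AuthenticationEnabled=true
NativeVersionEnabled=true
StartScriptEnabled=true
StartScriptName=startWebLogic.sh
StopScriptEnabled=false
QuitEnabled=false
StateCheckInterval=500
CrashRecoveryEnabled=true
KeyStores=CustomIdentityAndCustomTrust
CustomIdentityAlias=$id_alias
CustomIdentityKeyStoreFileName=$ks_file
CustomIdentityKeyStorePassPhrase=$ks_pass
CustomIdentityPrivateKeyPassPhrase=$ks_pass
EOF
  )
}

# Write nodemanager.domains. $1 NM_HOME, $2 domain name, $3... domain homes;
# the first home listed becomes the primaryDomainPath.
write_nm_domains() {
  nm_home=$1; domain=$2; shift 2
  mkdir -p "$nm_home"
  paths=$(printf '%s;' "$@"); paths=${paths%;}
  printf '%s=%s\n' "$domain" "$paths" > "$nm_home/nodemanager.domains"
}

# Return 0 when every *PassPhrase property in $1 carries the {AES256} marker,
# 1 when no passphrase property exists or one is still stored in plain text.
nm_passphrases_encrypted() {
  n=$(grep -cE '^[A-Za-z]*PassPhrase=' "$1" || true)
  [ "$n" -ge 1 ] || return 1
  if grep -E '^[A-Za-z]*PassPhrase=' "$1" | grep -vqE '^[A-Za-z]*PassPhrase=\{AES256\}'; then
    return 1
  fi
  return 0
}

# Demo (assumption: run with NM_EXAMPLE_DEMO=1; writes into a temporary directory
# using constructed sample values).
if [ "${NM_EXAMPLE_DEMO:-0}" = 1 ]; then
  demo=$(mktemp -d)
  write_nm_properties "$demo/nodemanager" /u01/oracle/products/jdk oighost1.example.com \
    /u02/oracle/config/keystores/idmTrustStore.p12 password
  write_nm_domains "$demo/nodemanager" oig /u02/oracle/config/domains/oig /u01/oracle/config/domains/oig
  if nm_passphrases_encrypted "$demo/nodemanager/nodemanager.properties"; then
    echo "passphrases are encrypted"
  else
    echo "passphrases still in plain text: start Node Manager once, then re-check"
  fi
fi
```

Run nm_passphrases_encrypted against $NM_HOME/nodemanager.properties after the first start; it fails on a freshly written file (plain text) and succeeds once Node Manager has rewritten the two passphrase properties, which is the state the cat output above shows.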

Configuring the Node Manager Credentials

Perform the following steps to set the Node Manager credentials using the Remote Console:

  1. Access the Domain provider in the Remote Console.
  2. Click Edit Tree.
  3. Click Environment > Domain > Security.
  4. Check the Show Advanced Fields field.
  5. Set Node Manager Username to the same value as the WebLogic Administrator user name, because this user name is used in other tasks in this guide.
  6. Change the Node Manager password. Set it to the same value as the WebLogic Administrator password, because this password is used in other tasks in this guide.
  7. Click Save. The shopping cart icon at the top right of the screen is now shown full, with a yellow bag inside, indicating pending changes.
  8. Click the Cart Icon on the top right and select Commit Changes.

Enrolling the Domain with NM

Perform the following steps in a new terminal window to enroll the domain with Node Manager.

Note:

You will be unable to connect to the Node Manager and use it to start the servers in the domain without performing this step.
  1. Change directory to the following directory:
    cd $ORACLE_COMMON_HOME/common/bin
  2. Start the WebLogic Server Scripting Tool (WLST). So that WLST can use the certificates created for the SSL handshake, you must give it the location of the keystores and their password. Run the following command, or add it to a script that you can invoke easily:
    export WLST_PROPERTIES="-Dweblogic.security.TrustKeyStore=CustomTrust -Dweblogic.security.CustomTrustKeyStoreFileName=/u02/oracle/config/keystores/idmTrustStore.p12 -Dweblogic.security.CustomTrustKeyStorePassPhrase=password -Dweblogic.security.SSL.ignoreHostnameVerification=true"

    Note:

    You must avoid including the password in the script.
  3. Connect to the Administration Server by using the following WLST command:
    connect('admin_user','admin_password','admin_url')

    For example:

    connect('weblogic','<password>','t3s://igdadminvhn.example.com:9002')
  4. Use the nmEnroll command to enable the Node Manager to manage servers in a specified WebLogic domain.
    nmEnroll('<IGD_ASERVER_HOME>')

    For example:

    nmEnroll('/u01/oracle/config/domains/oig')
  5. Generate startup properties for the Admin Server using the following WLST command:
    nmGenBootStartupProps('AdminServer')

    The startup.properties and boot.properties files are created in the following directory:

    <IGD_ASERVER_HOME>/servers/AdminServer/data/nodemanager/

Adding Truststore Configuration to Node Manager

You must add the corresponding truststore configuration so that Node Manager can communicate with the different WebLogic Server listeners. To do this, edit the Node Manager start script startNodeManager.sh, located in $NM_HOME, and add the JAVA_OPTIONS variable, setting the javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword properties to the values used by your EDG system. For example:

export JAVA_OPTIONS="${JAVA_OPTIONS} -Djavax.net.ssl.trustStore=/u02/oracle/config/keystores/idmTrustStore.pkcs12 -Djavax.net.ssl.trustStorePassword=mypassword"

Tuning JMS Queues

You need to tune the JMS queues to ensure maximum throughput.

Perform the following steps from the WebLogic Remote Console to tune the JMS queues:

  1. Click Edit Tree.
  2. Navigate to Services > JMS Servers.
  3. Click OIMJMSServer.

    Set the Message Buffer Size to 1073741824 (1GB).

  4. Click Save.
  5. Click Thresholds tab.

    Set Messages Maximum to 1000000.

  6. Click Save.
  7. Click Shopping Cart and select Commit Changes.

Configuring the Domain Directories and Starting the Servers

After you have configured the domain and configured the Node Manager, you can start the Administration Server by using the Node Manager. In an enterprise deployment, the Node Manager is used to start and stop the Administration Server and all the Managed Servers in the domain.

Create a ServerOverrides File

The following prerequisites must be completed before starting the Servers:

  • Disable the Derby Database - Disable the embedded Derby database, which is a file-based database, packaged with Oracle WebLogic Server. The Derby database is used primarily for development environments. Therefore, you must disable it when you are configuring a production-ready enterprise deployment environment. Otherwise, the Derby database process starts automatically when you start the Managed servers.

  • Enable IPv6 Networking if required - If the Managed Server is configured to use IPv6 networking, then you may encounter issues when you start the Managed Server.

  • Adjust the Memory Parameters for your installation - The initial startup parameter in the IAMGovernanceDomain, which defines the memory usage, is insufficient. You must increase the value of this parameter and set the Java initial memory allocation pool (Xms) to 1024m, and the maximum memory allocation pool (Xmx) to 8192m.

In order to perform the above tasks, create a $IGD_ASERVER_HOME/bin/setUserOverrides.sh file with the following contents:
DERBY_FLAG=false
JAVA_OPTIONS="${JAVA_OPTIONS} -Djava.net.preferIPv4Stack=true"
MEM_ARGS="-Xms4096m -Xmx8192m"

Starting the Administration Server Using the Node Manager

After you have configured the domain and configured the Node Manager, you can start the Administration Server by using the Node Manager. In an enterprise deployment, the Node Manager is used to start and stop the Administration Server and all the Managed Servers in the domain.

To start the Administration Server by using the Node Manager:

  1. Ensure that the Administration Server is stopped.
  2. If your domain is SSL enabled then set the following environment variable so that your keystores are used:
    export WLST_PROPERTIES="-Dweblogic.security.TrustKeyStore=CustomTrust -Dweblogic.security.CustomTrustKeyStoreFileName=/u02/oracle/config/keystores/idmTrustStore.p12 -Dweblogic.security.CustomTrustKeyStorePassPhrase=password -Dweblogic.security.SSL.ignoreHostnameVerification=true"
  3. Start the WebLogic Scripting Tool (WLST):
    cd $IGD_ORACLE_HOME/oracle_common/common/bin
    ./wlst.sh
  4. Connect to Node Manager by using the Node Manager credentials:
    nmConnect('nodemanager_username','password','igdadminvhn.example.com','5556','domain_name','<IGD_ASERVER_HOME>','SSL')
    For example:
    nmConnect('admin','password','igdadminvhn.example.com','5556','oig','/u01/oracle/config/domains/oig','SSL')

    Note:

    This user name and password are used only to authenticate connections between Node Manager and clients. They are independent of the server administrator ID and password and are stored in the nm_password.properties file located in the following directory:

    $IAD_ASERVER_HOME/config/nodemanager
  5. Start the Administration Server:
    nmStart('AdminServer')
    
  6. Exit WLST:
    exit()

Validating the Administration Server

Before you proceed with the configuration steps, validate that the Administration Server has started successfully by making sure that you have access to the Oracle Enterprise Manager Fusion Middleware Control; this is installed and configured on the Administration Servers.

To navigate to Fusion Middleware Control use the URL in URLs Used in This Chapter. Log in with the Oracle WebLogic Server administrator credentials.

You should be able to connect to the Admin Server from the Remote Console as before.

Starting and Validating the soa_server1 Managed Server on OIGHOST1

After you have configured Node Manager and created the Managed Server domain directory, you can use WebLogic Administration Console to start the soa_server1 Managed Server on OIGHOST1.

  1. Access Fusion Middleware Control using the URL in URLs Used in This Chapter. Log in with the Oracle WebLogic Server administrator credentials.
  2. Select the Servers pane to view the Managed Servers in the domain.
  3. Select only the soa_server1 Managed Server, and note the assigned port number.
  4. Click Control > Start on the tool bar to start the selected Managed Server.
  5. To verify that the Managed Server is working correctly, open your browser and enter the following URL:
    For End to End SSL:
    https://oighost1.example.com:7004/soa-infra

    For SSL Terminated:

    http://oighost1.example.com:7003/soa-infra

Creating the New Authentication Provider

After creating the new domain, if you are using LDAP and want to log in using LDAP, then you must create an authentication provider for the directory inside the OIG domain.

To create a new LDAP-based authentication provider:

  1. Change directory to $IGD_ORACLE_HOME/idm/server/ssointg/config.
  2. Edit the configureWLSAuthnProviders.config file as shown below. For more details on these parameters, see Variables Used When Creating the Infrastructure Domain:
    OIM_WLSHOST: IGDADMINVHN.example.com
    OIM_WLSPORT: 9102
    OIM_WLSADMIN: weblogic
    OIM_IDSTORE_ROLE_SECURITY_ADMIN: WLSAdministrators
    WLS_IS_SSLENABLED: true
    WLS_TRUSTSTORE: /u01/oracle/config/keystores/idmTrustStore.p12
    WLS_SSL_HOST_VERIFICATION: true
    IDSTORE_DIRECTORYTYPE: OUD
    IDSTORE_HOST: idstore.example.com
    IDSTORE_PORT: 1636
    IDSTORE_SSL_ENABLED: true
    IDSTORE_KEYSTORE_FILE: /u01/oracle/config/keystores/idmTrustStore.p12
    IDSTORE_BINDDN: cn=oimLDAP,cn=systemids,dc=example,dc=com
    IDSTORE_USERSEARCHBASE: cn=Users,dc=example,dc=com
    IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com

    Note:

    You can also specify the passwords directly in the file, if required. If you do not specify the passwords, you will be prompted for them at runtime. The parameters are:
    • IDSTORE_BINDDN_PWD
    • IDSTORE_KEYSTORE_PASSWORD
    • OIM_WLSADMIN_PWD
    • WLS_TRUSTSTORE_PASSWORD

    Save the file when done.

  3. Before you can use the integration scripts, you must grant execute permissions on the file by running the following commands:
    chmod 750 $IGD_ORACLE_HOME/idm/server/ssointg/bin/OIGOAMIntegration.sh
    chmod 750 $IGD_ORACLE_HOME/idm/server/ssointg/bin/OIGOAMIntegration.sh
  4. Change to the directory that contains the OIGOAMIntegration.sh script, which creates the authentication provider:
    cd $IGD_ORACLE_HOME/idm/server/ssointg/bin
  5. Make sure that the environment variables are set as described in Setting Environment Variables.
  6. Execute the OIGOAMIntegration.sh script for configuring the authentication provider. For example:
    ./OIGOAMIntegration.sh -configureWLSAuthnProviders
  7. Verify that there are no errors.

Adding a Load Balancer Certificate to Oracle Keystore Service

Some OIG Products require that the SSL certificate used by the load balancer be added to the Oracle Keystore Service Trusted Certificates.

To add the certificate, do the following:
  1. Obtain the certificate from the load balancer. You can obtain the load balancer certificate using a browser, such as Firefox. However, the easiest way to obtain the certificate is to use the openssl command. The syntax of the command is as follows:
    openssl s_client -connect <LOADBALANCER>:<PORT> -showcerts </dev/null 2>/dev/null| sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > $SHARED_CONFIG_DIR/keystores/<LOADBALANCER>.pem
    For example:

    openssl s_client -connect <LOADBALANCER>:<PORT> -showcerts </dev/null 2>/dev/null| sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > $SHARED_CONFIG_DIR/keystores/login.example.com.pem

    Note:

    This command saves the certificate to a file called login.example.com.pem in $SHARED_CONFIG_DIR/keystores.
  2. Load the certificate into the Oracle Keystore Service using WLST. Connect to WLST by using the following command:
    $IGD_ORACLE_HOME/oracle_common/common/bin/wlst.sh

    Note:

    If using End to End SSL then specify the location of your certificates first:
    export WLST_PROPERTIES="-Dweblogic.security.TrustKeyStore=CustomTrust \
    -Dweblogic.security.CustomTrustKeyStoreFileName=/u02/oracle/config/keystores/idmTrustStore.p12 \
    -Dweblogic.security.CustomTrustKeyStorePassPhrase=password \
    -Dweblogic.security.SSL.ignoreHostnameVerification=true"
  3. Inside the WLST shell, connect to the Administration Server using the following command:
    connect('<OIG_WEBLOGIC_USER>','<OIG_WEBLOGIC_PWD>','t3://igdadminvhn.example.com:<OIG_ADMIN_PORT>')
    For example, for SSL Terminated:
    connect('weblogic','<password>','t3://igdadminvhn.example.com:7101')
    For example, for End to End SSL:
    connect('weblogic','<password>','t3s://igdadminvhn.example.com:9201')
  4. Download the access artifacts by using the following command:
    downloadAccessArtifacts(domain_home="/u01/oracle/config/domains/OIG", propsFile="/u01/oracle/config/db.props")

    Note:

    For information about the contents of the properties file, see Doc ID 2318818.1 on My Oracle Support.
  5. Load the certificate using the following commands:
    svc = getOpssService(name='KeyStoreService')
    svc.importKeyStoreCertificate(appStripe='system',name='trust',password='', keypassword='',alias='<CertificateName>',type='TrustedCertificate', filepath='/<SHARED_CONFIG_DIR>/keystores/<LOADBALANCER>.pem')
    For example:
    svc = getOpssService(name='KeyStoreService')
    svc.importKeyStoreCertificate(appStripe='system',name='trust',password='', keypassword='',alias='login.example.com',type='TrustedCertificate', filepath='/u01/oracle/config/keystores/login.example.com.pem')
  6. Synchronize the keystore service with the file system by using the following command:
    syncKeyStores(appStripe='system', keystoreFormat='KSS')
  7. Save the access artifacts by using the following command:
    saveAccessArtifacts(domain_home="/u01/oracle/config/domains/OIG", propsFile="/u01/oracle/config/db.props")
  8. Exit the WLST shell:
    exit()
  9. Restart the domain for the changes to take effect.
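The following script is an added example and is not part of the Oracle guide. It wraps the openssl and sed pipeline from step 1 so that the PEM file is checked before it is imported into the Keystore Service in step 5: an existing file is never overwritten, and an empty or malformed result (for instance after a connection failure) is discarded instead of being left behind for the import. Host, port and output path are parameters; the -servername option (SNI) is an addition to the guide's command so that a load balancer serving several names returns the certificate for the one you asked for. The PEM content used in the checks is constructed placeholder text, not a real certificate.

```shell
#!/bin/sh
# Added example; not part of the Oracle guide. Fetches the load balancer's
# certificate chain with the guide's openssl/sed pipeline and validates the
# resulting PEM file before it is handed to importKeyStoreCertificate.
set -eu

# Number of certificates (BEGIN/END blocks) in a PEM file; 0 for an empty file.
pem_cert_count() {
  grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# 0 when the file holds at least one certificate and every BEGIN has its END.
pem_is_wellformed() {
  begins=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true)
  ends=$(grep -c -e '-----END CERTIFICATE-----' "$1" || true)
  [ "$begins" -ge 1 ] && [ "$begins" -eq "$ends" ]
}

# Fetch the certificate chain presented by $1:$2 into $3.
# Returns 2 if $3 already exists (never overwrite a file the domain may trust),
# 1 if nothing usable was received (the partial file is removed), 0 on success.
fetch_lb_chain() {
  host=$1; port=$2; out=$3
  if [ -e "$out" ]; then
    echo "refusing to overwrite existing $out" >&2
    return 2
  fi
  # Same pipeline as the guide, plus -servername so SNI selects the right certificate.
  openssl s_client -connect "$host:$port" -servername "$host" -showcerts </dev/null 2>/dev/null \
    | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > "$out"
  if ! pem_is_wellformed "$out"; then
    echo "no usable certificate received from $host:$port" >&2
    rm -f "$out"
    return 1
  fi
  # -showcerts prints the whole chain, so the file may hold more than the
  # server certificate; report the count so the right one is chosen for import.
  echo "$(pem_cert_count "$out") certificate(s) written to $out"
}

# Usage (assumption: SHARED_CONFIG_DIR is set as elsewhere in the guide):
#   fetch_lb_chain login.example.com 443 "$SHARED_CONFIG_DIR/keystores/login.example.com.pem"
```

Because the sed range keeps every certificate openssl prints, a file with more than one block contains the chain, not just the load balancer's own certificate; inspect it (for example with openssl x509 -noout -subject -issuer on each block) and decide which entry the Trusted Certificates store should receive before running importKeyStoreCertificate.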

Configuring the WebLogic Proxy Plug-In

Before you can validate that requests are routed correctly through the Oracle HTTP Server instances, you must set the WebLogic Plug-In Enabled parameter.

Setting the WebLogic Plug-In Enabled parameter at the domain level is recommended. Any clusters or servers that do not receive requests through the plug-in on the web tier can have their WebLogic Plug-In Enabled parameter set to no on an exception basis, as needed.

  1. Log in to the Oracle WebLogic Remote Console.
  2. Click Edit Tree.
  3. Click Domain.

    The domain settings page is displayed.

  4. Click on the Domain Name.
  5. Click on the Web Applications tab.
  6. Locate and select the WebLogic PlugIn Enabled option.
  7. Click Save.
  8. Click the Shopping Cart and select Commit Changes.

Modifying the Upload and Stage Directories to an Absolute Path

After you configure the domain and unpack it to the Managed Server domain directories on all the hosts, verify and update the upload and stage directories for Managed Servers in the new clusters. See Modifying the Upload and Stage Directories to an Absolute Path in an Enterprise Deployment.

Starting and Validating the Oracle Identity Governance Managed Servers

Now that you have extended the domain, started the Administration Server, and propagated the domain to the other hosts, you can start the newly configured Oracle Identity Governance Managed Servers.

This process involves three tasks as described in the following sections.

Starting the Oracle Identity Governance Managed Servers and Bootstrapping the Domain

You must bootstrap the OIG domain to deploy the OIG artifacts into the domain.

Bootstrapping the domain is largely automatic and is performed by starting and stopping the managed servers in the domain in the following order:
  1. Start the Oracle SOA Suite Managed Server soa_server1 if not already started.
  2. Start the Oracle Identity Governance Managed Server oim_server1.
    The bootstrap process starts the Managed Server, and then stops it again automatically. You may see a Failed status in the WebLogic console, which can be ignored.
  3. Stop the Oracle SOA Suite Managed Server soa_server1.
  4. Stop oim_server1.
  5. Stop the WebLogic Administration Server.
  6. Start the WebLogic Administration Server.
  7. Start the Oracle SOA Suite Managed Servers soa_server1 and soa_server2.
  8. Start the Oracle Identity Governance Managed Servers oim_server1 and oim_server2.
For the bootstrapping process to complete successfully, the OIM server must be started from the IGD_ASERVER_HOME directory. However, the Node Manager that runs out of IGD_ASERVER_HOME communicates using the igdadmin address. Rather than temporarily reconfiguring the Managed Servers to use this address, start the Managed Servers outside of Node Manager for the bootstrap process. Once the process is complete, the Managed Servers are moved to local storage, and the configured Node Manager can start and stop them.

Starting the soa_server1 and oim_server1 Managed Servers

To start the soa_server1 and oim_server1 Managed Servers:

  1. Access Fusion Middleware Control using the URLs in URLs Used in This Chapter. Log in using the Administration Server credentials.
  2. In the Target Navigation pane, expand the domain to view the Managed Servers in the domain.
  3. Select only the soa_server1 Managed Server and click Start Up on the Oracle WebLogic Server toolbar.
  4. When the startup operation is complete, navigate to the Domain home page and verify that the soa_server1 Managed Server is up and running.
  5. Repeat for oim_server1.

Validating the Managed Server by Logging in to the Identity Console

Validate the Oracle Identity Manager Server instance by accessing the Oracle Identity Manager Consoles in a Web browser. See URLs Used in This Chapter. Log in using the xelsysadm username and password.

Validate the SOA configuration:

For SSL Terminated:
  • Component URL: http://oighost1.example.com:7003/soa-infra
  • Load Balancer URL: http://igdinternal.example.com:7777/soa-infra
For End to End SSL:
  • Component URL: https://oighost1.example.com:7004/soa-infra
  • Load Balancer URL: https://igdinternal.example.com/soa-infra

Starting and Validating soa_server2 and oim_server2 Managed Servers

After validating the successful configuration and startup of the soa_server1 and oim_server1 Managed Servers, you can start and validate the soa_server2 and oim_server2 Managed Servers.

To start and validate the soa_server2 Managed Server, use the procedure in Starting and Validating the soa_server1 Managed Server on OIGHOST1, substituting soa_server2. Use the same procedure to start and validate the oim_server2 Managed Server.

For the validation URL, enter the following URL into your web browser and log in using the enterprise deployment administrator user:

For SSL Terminated:
http://oighost2.example.com:14000/identity
For End to End SSL:
https://oighost2.example.com:14001/identity

Analyzing the Bootstrap Report

When you start the Oracle Identity Governance server, the bootstrap report is generated at $IGD_ASERVER_HOME/servers/oim_server1/logs/BootStrapReportPreStart.html.

The bootstrap report BootStrapReportPreStart.html is an html file that contains information about the topology that you have deployed, the system level details, the connection details like the URLs to be used, the connectivity check, and the task execution details. You can use this report to check if the system is up, and also to troubleshoot the issues, post-configuration.

Every time you start the Oracle Identity Governance server, the bootstrap report is updated.

Sections in the Bootstrap Report

  • Topology Details

    This section contains information about your deployment. It shows whether you have configured a cluster, enabled SSL, or upgraded an Oracle Identity Manager environment from an earlier release.

  • System Level Details

    This section contains information about the JDK version, Database version, JAVA_HOME, DOMAIN_HOME and OIG_HOME.

  • Connection Details

    This section contains connection details such as the Administration URL, OIM Front End URL, SOA URL, and RMI URL.

    It also shows whether the Administration Server, Database, and SOA server are up.

  • Execution Details

    This section lists the various tasks and their statuses.

Creating a Separate Domain Directory for Managed Servers

When you initially create the domain for enterprise deployment, the domain directory resides on a shared disk. This default domain directory is used to run the Administration Server. You can now create a copy of the domain on the local storage for each of your managed server hosts. The domain directory on the local (or private) storage is used to run the Managed Servers.

Stopping the Managed Servers

Before you move the Managed Servers to a separate directory, you must first stop any Managed Servers that are currently running.

Perform the following tasks:

  1. Log in to Fusion Middleware Control as an Administrator using the URL outlined in URLs Used in This Chapter.
  2. In the Target Navigation pane, expand the domain to view the Managed Servers in the domain.
  3. Select any running Managed Servers and click Shutdown on the Oracle WebLogic Server toolbar.
  4. Wait for the shutdown operation to complete.
  5. Repeat the above for all other managed servers.

Packing the Domain

Placing the IGD_MSERVER_HOME on local storage is recommended to eliminate the potential contention and overhead caused by servers writing logs to shared storage. Loading the classes and jars needed from the domain directory is also faster, so any temporary or cache data that the Managed Servers use from the domain directory is processed more quickly.

As described in Preparing the File System for an Enterprise Deployment, the path to the Administration Server domain home is represented by the IGD_ASERVER_HOME variable, and the path to the Managed Server domain home is represented by the IGD_MSERVER_HOME variable.

To create the Managed Server domain directory:

  1. Sign in to the host running the Administration Server, for example, OIGHOST1, and run the pack command to create a template as follows:
    cd $ORACLE_COMMON_HOME/common/bin
    ./pack.sh -managed=true \
    -domain=$IGD_ASERVER_HOME \
    -template=/full_path/edgdomaintemplate.jar \
    -template_name=edg_domain_template \
    -log_priority=DEBUG \
    -log=/tmp/pack.log

    In this example:

    • Replace $IGD_ASERVER_HOME with the actual path to the domain directory you created on the shared storage device.

    • Replace full_path with the complete path to the location where you want to create the domain template jar file. You need to reference this location when you copy or unpack the domain template jar file. It is recommended to choose a shared volume other than ORACLE_HOME, or write to /tmp/ and copy the files manually between servers.

      You must specify a full path for the template jar file as part of the -template argument to the pack command:

      $SHARED_CONFIG_DIR/domains/template_filename.jar
    • The edgdomaintemplate.jar file is a sample name for the jar file that you create, which contains the domain configuration files.

    • The edg_domain_template label is the label assigned to the template data stored in the template file.

      For Example:

      cd $ORACLE_COMMON_HOME/common/bin
      ./pack.sh -managed=true \
      -domain=$IGD_ASERVER_HOME \
      -template=/tmp/edgdomaintemplate.jar \
      -template_name=edg_domain_template \
      -log_priority=DEBUG \
      -log=/tmp/pack.log
  2. Make a note of the location of the edgdomaintemplate.jar file that you just created with the pack command.

    Tip:

    For more information about the pack and unpack commands, see Overview of the Pack and Unpack Commands in Creating Templates and Domains Using the Pack and Unpack Commands.

  3. If you have not already, create the recommended directory structure for the Managed Server domain on the OIGHOST1 local storage device.

Unpacking the Domain

To unpack the domain on local storage:

  1. Run the unpack command to unpack the template in the domain directory onto the local storage, as follows:
    cd $ORACLE_COMMON_HOME/common/bin
    ./unpack.sh -domain=$IGD_MSERVER_HOME \
    -overwrite_domain=true \
    -template=/full_path/edgdomaintemplate.jar \
    -log_priority=DEBUG \
    -log=/tmp/unpack.log \
    -app_dir=$MS_APPLICATION_HOME

    For Example:

    cd $ORACLE_COMMON_HOME/common/bin
    ./unpack.sh -domain=$IGD_MSERVER_HOME \
    -overwrite_domain=true \
    -template=/tmp/edgdomaintemplate.jar \
    -log_priority=DEBUG \
    -log=/tmp/unpack.log \
    -app_dir=$MS_APPLICATION_HOME

    Note:

    The -overwrite_domain option in the unpack command allows you to unpack a managed server template into an existing domain and existing applications directories. For any file that is overwritten, a backup copy of the original is created. If any modifications had been applied to the start scripts and ear files in the managed server domain directory, they must be restored after this unpack operation.

    Additionally, to customize server startup parameters that apply to all servers in a domain, you can create a file called setUserOverridesLate.sh and configure it to, for example, add custom libraries to the WebLogic Server classpath, specify additional JAVA command-line options for running the servers, or specify additional environment variables. Any customizations that you add to this file are preserved during domain upgrade operations, and are carried over to remote servers when you use the pack and unpack commands.

    In this example:

    • Replace IGD_MSERVER_HOME with the complete path to the domain home to be created on the local storage disk. This is the location where the copy of the domain is unpacked.

    • Replace /full_path/edgdomaintemplate.jar with the complete path and file name of the domain template jar file that you created when you ran the pack command to pack the domain on the shared storage device.

    • Replace $MS_APPLICATION_HOME with the complete path to the Application directory for the domain on shared storage. See File System and Directory Variables Used in This Guide.

    Tip:

    For more information about the pack and unpack commands, see Overview of the Pack and Unpack Commands in Creating Templates and Domains Using the Pack and Unpack Commands.

  2. Change directory to the newly created Managed Server directory and verify that the domain configuration files were copied to the correct location on the OIGHOST1 local storage device.

Validating the Fusion Middleware Control Application

After the bootstrap process has been executed and validated, access to the Fusion Middleware Control application should be available.

To navigate to the Fusion Middleware Control application, use the URL in the URLs Used in This Chapter section.

Configuring the Web Tier for the Domain

Configure the web server instances on the web tier so that the instances route requests for both public and internal URLs to the proper clusters in the extended domain.

For additional steps in preparation for possible scale-out scenarios, see Updating Cross Component Wiring Information.

Validating the Oracle SOA Suite URLs Through the Load Balancer

To validate the configuration of the Oracle HTTP Server virtual hosts and to verify that the external load balancer can route requests through the Oracle HTTP Server instances to the application tier:

  1. Verify that the server status is reported as Running in the Administration Console.

    If the server is shown as Starting or Resuming, wait for the server status to change to Started. If another status is reported (such as Admin or Failed), check the server output log files for errors.

  2. Verify that you can access these URLs:

    Note:

    It is not necessary at this stage to attempt to log in to the individual pages. All you are checking is that the pages can be accessed through the load balancer and the web server.

    SSL Terminated Deployments

    • http://igdinternal.example.com:7777/soa-infra

    • http://igdinternal.example.com:7777/integration/worklistapp

    • http://igdinternal.example.com:7777/soa/composer

    End to End SSL Deployments

    • https://igdinternal.example.com/soa-infra

    • https://igdinternal.example.com/integration/worklistapp

    • https://igdinternal.example.com/soa/composer

Integrating Oracle Identity Governance with Oracle SOA Suite

Oracle Identity Governance invokes Oracle SOA Suite using a number of URLs, which out of the box are wired to individual managed servers. In a High Availability environment you need to update these URLs to use a load balancer.

To do this, perform the following steps:
  1. Change directory to $IGD_ORACLE_HOME/idm/server/ssointg/config.
    cd $IGD_ORACLE_HOME/idm/server/ssointg/config
  2. Edit the file configureSOAConnector.config as shown below. Save when complete:
    OIM_HOST: oighost1.example.com
    OIM_PORT: 14001
    OIM_WLSADMIN: weblogic
    OIM_WLSADMIN_PWD: password
    WLS_TRUSTSTORE: /u02/oracle/config/keystores/idmTrustStore.p12
    WLS_TRUSTSTORE_PASSWORD: password
    WLS_IS_SSLENABLED: true
    
    OIM_FRONTEND_URL: https://igdinternal.example.com:443/
    OIM_EXTERNAL_FE_URL: https://oig.edg.com:443/
    SOA_SOAP_URL: https://igdinternal.example.com:443/
    SOA_RMI_URL: cluster:t3s://soa_cluster
    UMS_WS_URL: https://igdinternal.example.com:443/ucs/messaging/webservice/
    
  3. Run the following command:
    ./OIGOAMIntegration.sh -configureSOAIntegration

    Note:

    If you do not specify the passwords, you will be prompted for them at runtime.

Managing the Notification Service

An event is an operation that occurs in Oracle Identity Manager, such as user creation, request initiation, or any custom event created by the user. These events are generated as part of the business operations or through the generation of errors. Event definition is the metadata that describes the event.

To define the metadata for events, you must identify all event types supported by a functional component. For example, as a part of the scheduler component, metadata is defined for a scheduled job execution failure and shutting down of the scheduler. Every time a job fails or the scheduler shuts down, the associated events get triggered, and the notifications associated with the event get sent.

The data available in the event is used to create the content of the notification. The parameters defined for an event help the system select the appropriate notification template and decide which event variables are made available at template design time.

A notification template is used to send notifications. These templates contain variables that refer to available data to provide more context to the notifications. The notification is sent through a notification provider. Examples of such channels are e-mail, Instant Messaging (IM), Short Message Service (SMS), and voice. To use these notification providers, Oracle Identity Manager uses Oracle User Messaging Service (UMS).

At the back end, the notification engine is responsible for generating the notification and utilizing the notification provider to send the notification.

Using SMTP for Notification

Using SMTP for notification involves configuring the SMTP email notification provider properties and adding the CSF key.

Configuring the SMTP Email Notification Provider Properties

To configure SMTP Email Notification Provider properties by using the EmailNotificationProviderMBean MBean:

  1. Log into the Oracle Fusion Middleware Control using the URL in the URLs Used in This Chapter section.

    The Administration Server host and port number were in the URL on the End of Configuration screen (Writing Down Your Domain Home and Administration Server URL). The default Administration Server port number is 7001.

    The login credentials were provided on the Administrator Account screen (Configuring the Administrator Account).

  2. Click weblogic_domain, and then click System MBean Browser.
  3. In the search box, enter EmailNotificationProviderMBean, and click Search. The MBean is displayed.

    Note:

    If Oracle Identity Governance is still starting (coming up) or has only just started (RUNNING mode), Enterprise Manager does not show any MBeans defined by OIM. Wait for two minutes for the server to start, and then search for the MBean again in the System MBean Browser of Enterprise Manager.
  4. Ensure that the correct information is entered for your email server, in particular:

    Table 15-10 SMTP Email Notification Provider Properties

    Attribute Value

    CSFKey

    Set this to the name of a CSF credential. This can be any name; it is used when adding the CSF key. For example: mailUser.

    Enabled

    Set to true.

    MailServerName

    Set to the host name of your email server.

    WSUrl

    http://igdinternal.example.com/ucs/messaging/webservice (SSL Terminated)

    https://igdinternal.example.com/ucs/messaging/webservice (End to End SSL)

  5. Click Apply to save the changes.

Adding a CSF Key

To add a CSF key:

  1. Log in to Oracle Enterprise Manager.
  2. Click WebLogic Domain and select Security > Credentials.
  3. Expand oracle.wsm.security and click Create Key.
  4. Enter the following information.

    Table 15-11 CSF Key Properties

    Attribute Value

    Key name

    Enter the name of the credential key. This must be the same value as defined in Using SMTP for Notification, for example mailUser.

    Username

    Enter the name of the user you use to authenticate with your email server.

    Password/Confirm Password

    Enter the password of the user you use to authenticate with your email server.

    Description

    Provide a description of the key being created. For example, Mail Server Credentials

  5. Click OK.

Configuring the Messaging Drivers

Each messaging driver needs to be configured. You have to configure this service if you want to enable OAM's forgotten password functionality.

Configuring the Email Driver

To configure the driver to send emails, perform the following steps:

  1. Log in to the Oracle Fusion Middleware Control.
  2. Click the Target Navigation icon next to the Domain name.
  3. Click usermessagingserver (soa_server1) under User Messaging Service. A list of all the drivers will be shown.
  4. Click Configure Driver next to the User Messaging Email Driver.
  5. If a configuration does not exist, click Create. If the configuration exists, click Edit.
  6. Update the attributes with the required details.

    Table 15-12 Configuring the Email Driver Attributes

    Attributes Values

    Name

    MyemailServer

    Sender Address

    Enter the From email address for the emails you wish to send in the format: EMAIL: myuser@example.com

    Capability

    Choose whether you are going to send or receive emails.

    Complete the following Email Properties using the values specific to your organisation. Contact your email administrator for details; the details below are for sending only. Refer to the documentation for receiving email details.

    • Outgoing Mail server

    • Outgoing Mail server port

    • Outgoing email Server Security

    • Outgoing User name and password, if your email server requires it.

  7. Click Test to validate the information.
  8. Click OK to save the information.

Forcing Oracle Identity Governance to use Correct Multicast Address

Oracle Identity Governance uses multicast for certain functions. By default, the managed servers communicate using the multicast address assigned to the primary host name. If you want multicast to use a different network, for example the internal network, you must complete the following additional steps.

  1. Log into the Oracle WebLogic Remote console using the URL in the URLs Used in This Chapter section.
  2. Click Edit Tree.
  3. Under Domain Structure, click Environment and then expand Servers. The Summary of Servers page is displayed.
  4. Click the OIM Managed Server name, for example, oim_server1 on the list of servers. The Settings for oim_server1 are displayed.
  5. Click the Advanced tab followed by the Node Manager tab.
  6. Go to the Server Start tab.
  7. Add the following line to the arguments field:

    -Dmulticast.bind.address=oighost1.example.com

  8. Click Save.
  9. Repeat for the Managed Server oim_server2. When doing so, make sure you add the following line to the arguments field:

    -Dmulticast.bind.address=oighost2.example.com

  10. Click the Shopping Cart and select Activate Changes.
  11. Restart the managed servers oim_server1 and oim_server2.

Integrating Oracle Identity Governance with LDAP

Integrate Oracle Identity Governance with LDAP.

This section includes the following topics:

Variables Used in OIG Integration with LDAP

As you perform the tasks in this section, you will be referencing the variables listed below.

The following table explains the configuration file property values required in this section.

Table 15-13 OIG Integration with LDAP Variables Used in This Chapter

Variable Sample Value Description

IDSTORE_DIRECTORYTYPE

OUD

The type of directory you are using. Valid value is OUD.

IDSTORE_HOST

idstore.example.com

The host and port of your Identity Store directory. When preparing the Identity Store these should point to one of the LDAP instances. When configuring components such as OAM or OIG they should point to the load balancer entry point.

IDSTORE_PORT

1636

The port of your Identity Store directory. When preparing the Identity Store these should point to one of the LDAP instances. When configuring components such as OAM or OIG they should point to the load balancer entry point.

IDSTORE_BINDDN

cn=oudadmin

An administrative user in the Identity Store Directory.

IDSTORE_BINDDN_PASSWD

password

The password of IDSTORE_BINDDN. You will be prompted for the value if not supplied.

IDSTORE_SSL_ENABLED

true

Whether SSL to the identity store is enabled. Valid values: true | false.

IDSTORE_KEYSTORE_FILE

/u01/oracle/config/keystores/idmTrustStore.p12

The location of the LDAP Truststore for LDAP connections.

IDSTORE_KEYSTORE_PASSWORD

password

The password of the IDSTORE_KEYSTORE_FILE.

IDSTORE_OIMADMINUSERDN

cn=oimLDAP,cn=systemids,dc=example,dc=com

The location of a container in the directory where system-operations users are stored. There are only a few system-operations users, and they are kept separate from the enterprise users stored in the main user container.

For example, the Oracle Identity Governance reconciliation user which is also used for the bind DN user in Oracle Virtual Directory adapters.

IDSTORE_SEARCHBASE

dc=example,dc=com

The location in the directory where Users and Groups are stored.

IDSTORE_USERSEARCHBASE

cn=Users,dc=example,dc=com

The location in the directory where Users are Stored.

IDSTORE_GROUPSEARCHBASE

cn=Groups,dc=example,dc=com

The location in the directory where Groups are Stored.

IDSTORE_USERSEARCHBASE_DESCRIPTION

Default user container

Description for the directory user search base.

IDSTORE_GROUPSEARCHBASE_DESCRIPTION

Default group container

Description for the directory group search base.

IDSTORE_EMAIL_DOMAIN

example.com

The domain used for e-mail. For example, example.com.

OIM_HOST

oighost1.example.com

Host name for oim_server1 on OIGHOST1.

OIM_PORT

14000

Port number for oim_server1 on OIGHOST1.

WLS_OIM_SYSADMIN_USER

xelsysadm

The system admin user to be used to connect to OIG while configuring SSO. This user needs to have system admin role.

WLS_OIM_SYSADMIN_USER_PWD

password

Enter the password for OIG system administrator user.

OIM_WLSHOST

igdadminvhn.example.com

Virtual Host name for Admin Server on OIGHOST1.

OIM_WLSPORT

9102

Corresponding port number for Admin Server on OIGHOST1.

WLS_IS_SSLENABLED

true

Whether SSL to the identity store is enabled. Valid values: true | false.

WLS_TRUSTSTORE

/u01/oracle/config/keystores/idmTrustStore.p12

The location of the WLS truststore.

WLS_TRUSTSTORE_PASSWORD

password

Password for the WLS truststore.

OIM_WLSADMIN

weblogic

The weblogic administrator user in OIM domain.

OIM_SERVER_NAME

oim_server1

The OIG server name.

CONNECTOR_MEDIA_PATH

OID/OUD =IGD_ORACLE_HOME/idm/server/ConnectorDefaultDirectory/OID-12.2.1.3.0

AD = IGD_ORACLE_HOME/idm/server/ConnectorDefaultDirectory/activedirectory-12.2.1.3.0

The location of the Connector bundle downloaded and unzipped. Oracle Identity Governance would use this location to pick the Connector bundle to be installed.

IS_LDAP_SECURE

false

Indicates whether SSL is used for LDAP communication. Use yes or no for Active Directory.

LOG_FILE

/home/oracle/workdir/logs/configure_ldap.log

Location of log file to be created.

SSO_TARGET_APPINSTANCE_NAME

SSOTarget

The Target application instance name used for provisioning account to target LDAP.

Table 15-14 Active Directory Variables

Variable Sample Value Description

AD_CONNECTORSERVER_HOST

192.0.2.1

The host name or IP address of the computer hosting the connector server.

AD_CONNECTORSERVER_KEY

<connectorserverkey>

Enter the key for the connector server.

AD_CONNECTORSERVER_PORT

8759

Enter the number of the port at which the connector server is listening.

AD_CONNECTORSERVER_TIMEOUT

0

Enter an integer value that specifies the number of milliseconds after which the connection between the connector server and the Oracle Identity Governance times out. A value of 0 means that the connection never times out.

AD_CONNECTORSERVER_USESSL

true (or false)

Enter true to specify that you will configure SSL between Oracle Identity Governance or Oracle Unified Directory and the Connector Server. Otherwise, enter false. For Active Directory, the value should be yes or no. The default value is false.

Note:

It is recommended that you configure SSL to secure communication with the connector server.

AD_DOMAIN_NAME

example.com

Enter the domain name configured in Microsoft Active Directory.

Installing the Connector Bundle

  1. Download the Connector bundle from the artifactory: Download Connector Bundle

    • For OID or OUD, download the Connector bundle corresponding to Oracle Internet Directory.

    Note:

    For all directory types, the required Connector version for OIG-OAM integration is 12.2.1.3.0.
  2. Unzip the Connector bundle to the desired connector path under $ORACLE_HOME/idm/server/ConnectorDefaultDirectory.

    For example:

    $IGD_ORACLE_HOME/idm/server/ConnectorDefaultDirectory

Configuring the Oracle Connector for LDAP

The Oracle Connector for LDAP allows you to store users and passwords in a certified LDAP directory. Configure the connector before using it. Perform the following steps to configure the connector:

  1. Change directory to $IGD_ORACLE_HOME/idm/server/ssointg/config.

  2. Edit the file configureLDAPConnector.config as shown below. For an explanation of the parameters, see Variables Used in OIG Integration with LDAP:

    ##-----------------------------------------------------------##
    ## [configureLDAPConnector]
    IDSTORE_DIRECTORYTYPE=OUD
    IDSTORE_HOST=idstore.example.com
    IDSTORE_PORT=1636
    IDSTORE_BINDDN=cn=oudadmin
    IDSTORE_SSL_ENABLED: true
    IDSTORE_KEYSTORE_FILE: /u02/oracle/config/keystores/idmTrustStore.p12
    IDSTORE_OIMADMINUSERDN=cn=oimLDAP,cn=systemids,dc=example,dc=com
    IDSTORE_SEARCHBASE=dc=example,dc=com
    IDSTORE_USERSEARCHBASE=cn=Users,dc=example,dc=com
    IDSTORE_GROUPSEARCHBASE=cn=Groups,dc=example,dc=com
    IDSTORE_USERSEARCHBASE_DESCRIPTION=Default user container
    IDSTORE_GROUPSEARCHBASE_DESCRIPTION=Default group container
    IDSTORE_EMAIL_DOMAIN=example.com
    OIM_HOST=oighost1.example.com
    OIM_PORT=14000
    WLS_OIM_SYSADMIN_USER=xelsysadm
    WLS_IS_SSLENABLED: true
    WLS_TRUSTSTORE: /u02/oracle/config/keystores/idmTrustStore.p12
    OIM_WLSHOST=igdadminvhn.example.com
    OIM_WLSPORT=9102
    OIM_WLSADMIN=weblogic
    OIM_SERVER_NAME=oim_server1
    CONNECTOR_MEDIA_PATH=IGD_ORACLE_HOME/idm/server/ConnectorDefaultDirectory/OID-12.2.1.3.0
    IS_LDAP_SECURE: true
    LOG_FILE: /home/oracle/workdir/logs/configure_ldap.log
    SSO_TARGET_APPINSTANCE_NAME: SSOTarget
    

    Note:

    You can also specify the passwords directly in the file, if required. If you do not specify the passwords, you will be prompted for them at runtime. The parameters are:
    • IDSTORE_BINDDN_PWD
    • IDSTORE_KEYSTORE_PASSWORD
    • IDSTORE_OIMADMINUSER_PWD
    • WLS_OIM_SYSADMIN_USER_PWD
    • OIM_WLSADMIN_PWD
    • WLS_TRUSTSTORE_PASSWORD

    Save the file when done.

  3. Make sure the environment variables are set as per Setting Environment Variables.
  4. Execute the OIGOAMIntegration.sh script for configuring the connector. For example:
    cd $IGD_ORACLE_HOME/idm/server/ssointg/bin
    ./OIGOAMIntegration.sh -configureLDAPConnector

Restarting the Domains

You must restart the IAMAccessDomain and the IAMGovernanceDomain domains.

Integrating Oracle Identity Governance and Oracle Access Manager

You have to complete several tasks to integrate Oracle Identity Governance and Oracle Access Manager. These tasks include creating the WLS authentication providers, deleting OIMSignatureAuthenticator and recreating OUDAuthenticator, adding the administration role to the new administration group, and so on.

Variables Used in OIG and OAM Integration

As you perform the tasks in this section, you will be referencing the variables listed below.

The following table explains the configuration file property values required in this section.

Table 15-15 OIG and OAM Integration Variables Used in This Section

Variable Sample Value Description

OAM_HOST

login.example.com

The listen address of the front end load balancer for the OAM cluster.

OAM_PORT

443

The port of the front end load balancer for the OAM cluster.

OAM_SSL_FLAG

true

Select true if the OAM domain is SSL or Secure Mode enabled. Otherwise set to false.

ACCESS_SERVER_HOST

oamhost1.example.com

Set to the same value as OAM_HOST.

ACCESS_SERVER_PORT

5575

The OAM proxy port number.

WEBGATE_PWD

password

Password for the WebGate.

COOKIE_DOMAIN

.example.com

The value assigned for the domain in Creating a Configuration File.

OAM_TRANSFER_MODE

open

The value assigned for the transfer mode in Creating a Configuration File.

OIM_LOGINATTRIBUTE

uid

The LDAP attribute containing the user's login attribute, usually uid or cn.

SSO_INTEGRATION_MODE

CQR

The integration mode with OAM. With Challenge Question Response (CQR) mode, OIG will handle the password policy and password operations. With One Time Password (OTP) mode, any password operations will be handled by OAM itself and there will be no password change or reset in OIG.

SSO_ENABLED_FLAG

true

Set to true to enable OIG-OAM integration.

OAM_WLS_ADMIN_HOST

iadadminvhn.example.com

The listen address of the Administration Server in the domain IAMAccessDomain.

OAM_WLS_ADMIN_PORT

9002

The listen port of the OAM_WLS_ADMIN_HOST. For example: 9002 for End to End SSL, or 7001 for SSL Terminated.

OAM_WLSHOST

iadadminvhn.example.com

The virtual hostname for the Admin Server on OAMHOST1.

OAM_WLSPORT

7002

The listen port for the Admin Server on OAMHOST1.

OAM_WLS_ADMIN_USER

weblogic

The Administration User of the IAD Administration Server.

OAM_WLS_ADMIN_PASSWD

password

Password for OAM_WLS_ADMIN_USER.

OAM_WLS_IS_SSLENABLED

true

Whether the OAM domain is SSL enabled.

OAM_IDSTORE_NAME

OAMIDSTORE

The value assigned for the idstore in Creating a Configuration File .

OIM_WLSHOST

igdadminvhn.example.com

Virtual Host name for Admin Server on OIGHOST1.

OIM_WLSPORT

7102

Corresponding port number for OIM_WLSHOST.

If you have administration ports enabled in your OIG domain then set this to the administration port of the admin server 9102, otherwise set it to the Admin Server port 7101 or 7102 (SSL).

OIM_WLS_IS_SSLENABLED

true

Specifies whether the OIM domain is SSL enabled.

OIM_WLSADMIN

weblogic

The weblogic administrator user in OIM domain.

OIM_WLSADMIN_PWD

password

The password for the OIM_WLSADMIN user.

OIM_SERVER_NAME

oim_server1

The server name of the oim server.

IDSTORE_OAMADMINUSER

oamadmin

The user you use to access your Oracle Access Management Console.

IDSTORE_OAMADMINUSER_PWD

password

The password for the IDSTORE_OAMADMINUSER user.

IDSTORE_OAMSOFTWAREUSER

oamLDAP

The OAM software user account in LDAP.

IDSTORE_PWD_OAMSOFTWAREUSER

password

The password of the account (oamLDAP) you are connecting to the Identity Store with.

IDSTORE_HOST

idstore.example.com

The host and port of your Identity Store directory. When preparing the Identity Store these should point to one of the LDAP instances. When configuring components such as OAM or OIG they should point to the load balancer entry point.

IDSTORE_PORT

1636

The port of your Identity Store directory. When preparing the Identity Store these should point to one of the LDAP instances. When configuring components such as OAM or OIG they should point to the load balancer entry point.

IDSTORE_DIRECTORYTYPE

OUD

The type of directory you are using. Valid value is OUD.

IDSTORE_BINDDN

cn=oudadmin

An administrative user in the Identity Store Directory.

IDSTORE_BINDDN_PASSWD

password

The password of IDSTORE_BINDDN. You will be prompted for the value if not supplied.

     

IDSTORE_USERSEARCHBASE

cn=Users,dc=example,dc=com

The location in the directory where Users are Stored.

IDSTORE_GROUPSEARCHBASE

cn=Groups,dc=example,dc=com

The location in the directory where Groups are Stored.

IDSTORE_SYSTEMIDBASE

cn=SystemIDs,dc=example,dc=com

The location of a container in the directory where system users can be placed when you do not want them in the main user container.

IS_LDAP_SECURE

true

Whether the connection to LDAP uses SSL or not.

WLS_IS_SSLENABLED

true

Whether SSL to the identity store is enabled. Valid values: true | false.

WLS_TRUSTSTORE

/u01/oracle/config/keystores/idmTrustStore.p12

The location of the WLS truststore.

WLS_TRUSTSTORE_PASSWORD

password

Password for the WLS truststore.

WLS_SSL_HOST_VERIFICATION

true

Whether the WLS SSL host verification is enabled or not. Valid values: true | false.

OIM_TRUST_LOC

/u01/oracle/config/keystores/idmTrustStore.p12

The location of the OIG truststore.

OIM_TRUST_PWD

password

Password for the OIG truststore.

OIM_TRUST_TYPE

PKCS12

JKS or PKCS12.

OIM_WLS_SSL_IGNORE_HOST_VERIFICATION

true

Specify whether to ignore SSL host name verification; this is often needed where wildcard certificates are used.

Configuring SSO Integration in the IAMGovernanceDomain

Having deployed the connector, the next step in the process is to configure SSO in the domain. To do this, perform the following steps:

  1. Change directory to $IGD_ORACLE_HOME/idm/server/ssointg/config.
  2. Edit the file configureSSOIntegration.config updating the properties in the section configureSSOIntegration as shown below. For an explanation of the parameters, see Variables Used in OIG and OAM Integration:
    ##-----------------------------------------------------------##
    ## [configureSSOIntegration]
    OAM_HOST: login.example.com
    OAM_PORT: 443
    OAM_SSL_FLAG: true
    ACCESS_SERVER_HOST: oamhost1.example.com
    ACCESS_SERVER_PORT: 5575
    COOKIE_DOMAIN: example.com
    OAM_TRANSFER_MODE: open
    OIM_LOGINATTRIBUTE: uid
    SSO_INTEGRATION_MODE: CQR
    SSO_ENABLED_FLAG: true
    OAM_WLS_ADMIN_HOST: igdadminvhn.example.com
    OAM_WLS_ADMIN_PORT: 9002
    OAM_WLSPORT: 7002
    
    OAM_WLS_ADMIN_USER: weblogic
    OAM_WLS_IS_SSLENABLED: true
    OAM_IDSTORE_NAME: OAMIDSTORE
    OIM_WLSHOST: igdadminvhn.example.com
    OIM_WLS_IS_SSLENABLED: true
    OIM_WLSPORT: 7102
    OIM_WLSADMIN: weblogic
    OIM_SERVER_NAME: oim_server1
    IDSTORE_OAMADMINUSER: oamadmin
    OIM_TRUST_LOC:/u01/oracle/config/keystores/idmTrustStore.p12
    OIM_TRUST_TYPE:PKCS12
    OIM_WLS_SSL_IGNORE_HOST_VERIFICATION:true
    

    Note:

    You can also specify the passwords directly in the file, if required. If you do not specify the passwords, you will be prompted for them at runtime. The parameters are:
    • WEBGATE_PWD
    • OAM_WLS_ADMIN_PASSWD
    • OIM_WLSADMIN_PWD
    • IDSTORE_OAMADMINUSER_PWD
    • OIM_TRUST_PWD

    Save the file when done.

  3. Make sure the environment variables are set as per Setting Environment Variables.
  4. Execute the OIGOAMIntegration.sh script for configuring SSO integration. For example:
    cd $IGD_ORACLE_HOME/idm/server/ssointg/bin
    ./OIGOAMIntegration.sh -configureSSOIntegration

Restarting the Domains

You must restart the IAMAccessDomain and the IAMGovernanceDomain domains.

Enable OAM Notifications

Having deployed the connector, the next step in the process is to tell OIG how to interact with OAM to terminate a user's session after the user has expired or been terminated. To do this, perform the following steps:

  1. Navigate to the following directory:
    $IGD_ORACLE_HOME/idm/server/ssointg/config
  2. Edit the file enableOAMSessionDeletion.config updating the properties in the section enableOAMNotifications as shown below:
    ##-----------------------------------------------------------##
    
    ## [enableOAMNotifications]
    OIM_WLSHOST: oighost1.example.com
    OIM_WLSPORT: 7002
    WLS_IS_SSLENABLED: true
    WLS_TRUSTSTORE: /u01/oracle/config/keystores/idmTrustStore.p12
    WLS_SSL_HOST_VERIFICATION: true
    OIM_WLSADMIN: weblogic
    IDSTORE_DIRECTORYTYPE: OUD
    IDSTORE_HOST:idstore.example.com
    IDSTORE_PORT: 1636
    IDSTORE_KEYSTORE_FILE: /u01/oracle/config/keystores/idmTrustStore.p12
    IDSTORE_KEYSTORE_PASSWORD: password
    IDSTORE_SSL_ENABLED: true
    IS_LDAP_SECURE: true
    IDSTORE_BINDDN: cn=oudadmin
    IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com
    IDSTORE_SYSTEMIDBASE: cn=systemids,dc=example,dc=com
    IDSTORE_OAMADMINUSER: oamadmin
    IDSTORE_OAMSOFTWAREUSER: oamLDAP
    IDSTORE_USERSEARCHBASE: cn=Users,dc=example,dc=com
    OIM_SERVER_NAME: oim_server1
    

    Note:

    You can also specify the passwords directly in the file, if required. If you do not specify the passwords, you will be prompted for them at runtime. The parameters are:
    • WLS_TRUSTSTORE_PASSWORD
    • OIM_WLSADMIN_PWD
    • IDSTORE_KEYSTORE_PASSWORD
    • IDSTORE_BINDDN_PWD
    • IDSTORE_OIMADMINUSER_PWD
    • IDSTORE_OAMSOFTWAREUSER_PWD

    Save the file when done.

  3. Make sure the environment variables are set as per Setting Environment Variables.
  4. Execute the OIGOAMIntegration.sh script for enabling notifications. For example:

    cd $IGD_ORACLE_HOME/idm/server/ssointg/bin
    ./OIGOAMIntegration.sh -enableOAMSessionDeletion
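The files edited in Integrating Oracle Identity Governance with Oracle SOA Suite, Configuring the Oracle Connector for LDAP, Configuring SSO Integration in the IAMGovernanceDomain and Enable OAM Notifications share one property-file format and one family of keys. The pre-flight check below is an added example, not part of this guide or of Oracle's OIGOAMIntegration tooling: it parses such a file and reports clear-text passwords (which the notes above say can instead be prompted for at runtime), SSL flags without a matching truststore, and SOA URLs that are not https or not load balanced. It assumes only the key names documented on this page and the line format shown in the samples; the sample inputs are constructed.

```python
import re
from typing import Dict, List

# Keys that hold secrets. The guide notes that omitted passwords are prompted
# for at runtime, so a password present in the file is reported.
PASSWORD_KEYS = {
    "OIM_WLSADMIN_PWD", "WLS_TRUSTSTORE_PASSWORD", "IDSTORE_BINDDN_PWD",
    "IDSTORE_KEYSTORE_PASSWORD", "IDSTORE_OIMADMINUSER_PWD",
    "WLS_OIM_SYSADMIN_USER_PWD", "WEBGATE_PWD", "OAM_WLS_ADMIN_PASSWD",
    "IDSTORE_OAMADMINUSER_PWD", "OIM_TRUST_PWD", "IDSTORE_OAMSOFTWAREUSER_PWD",
}
# configureSOAConnector.config URLs that must be https when WLS_IS_SSLENABLED is true.
HTTP_URL_KEYS = ("OIM_FRONTEND_URL", "OIM_EXTERNAL_FE_URL", "SOA_SOAP_URL", "UMS_WS_URL")
# One property per line; the samples on the page use both KEY=VALUE and KEY: VALUE.
_KV_RE = re.compile(r"^([A-Za-z0-9_]+)\s*[:=]\s*(.*?)\s*$")


def parse_config(text: str) -> Dict[str, str]:
    """Parse one ssointg config file. Blank lines and '#' lines (including the
    '## [section]' headers) are skipped; a repeated key keeps its last value."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _KV_RE.match(line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def _flag(props: Dict[str, str], key: str) -> bool:
    # Most flags are true/false; the Active Directory ones use yes/no.
    return props.get(key, "").strip().lower() in ("true", "yes")


def lint_config(props: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: List[str] = []

    for key in sorted(PASSWORD_KEYS.intersection(props)):
        findings.append(f"{key}: password stored in the file; omit it to be prompted at runtime")

    wls_ssl = _flag(props, "WLS_IS_SSLENABLED")
    if wls_ssl and not props.get("WLS_TRUSTSTORE"):
        findings.append("WLS_IS_SSLENABLED=true but WLS_TRUSTSTORE is not set")

    if _flag(props, "IDSTORE_SSL_ENABLED") and not props.get("IDSTORE_KEYSTORE_FILE"):
        findings.append("IDSTORE_SSL_ENABLED=true but IDSTORE_KEYSTORE_FILE is not set")

    if "IS_LDAP_SECURE" in props and "IDSTORE_SSL_ENABLED" in props:
        if _flag(props, "IS_LDAP_SECURE") != _flag(props, "IDSTORE_SSL_ENABLED"):
            findings.append("IS_LDAP_SECURE and IDSTORE_SSL_ENABLED disagree")

    for key in HTTP_URL_KEYS:
        url = props.get(key, "")
        if url and wls_ssl and not url.lower().startswith("https://"):
            findings.append(f"{key}: {url} is not https although WLS_IS_SSLENABLED=true")

    rmi = props.get("SOA_RMI_URL", "")
    if rmi:
        if not rmi.startswith("cluster:"):
            findings.append("SOA_RMI_URL does not use the cluster: form, so SOA calls pin to one managed server")
        if wls_ssl and "t3s://" not in rmi:
            findings.append("SOA_RMI_URL uses plain t3 although WLS_IS_SSLENABLED=true")

    if _flag(props, "OIM_WLS_SSL_IGNORE_HOST_VERIFICATION"):
        findings.append("OIM_WLS_SSL_IGNORE_HOST_VERIFICATION=true disables host name "
                        "verification; keep it only where wildcard certificates require it")
    return findings


# Constructed sample: the configureSOAConnector.config values shown on this
# page, including the two clear-text passwords it contains.
PAGE_SOA_CONFIG = """\
OIM_HOST: oighost1.example.com
OIM_PORT: 14001
OIM_WLSADMIN: weblogic
OIM_WLSADMIN_PWD: password
WLS_TRUSTSTORE: /u02/oracle/config/keystores/idmTrustStore.p12
WLS_TRUSTSTORE_PASSWORD: password
WLS_IS_SSLENABLED: true
OIM_FRONTEND_URL: https://igdinternal.example.com:443/
OIM_EXTERNAL_FE_URL: https://oig.edg.com:443/
SOA_SOAP_URL: https://igdinternal.example.com:443/
SOA_RMI_URL: cluster:t3s://soa_cluster
UMS_WS_URL: https://igdinternal.example.com:443/ucs/messaging/webservice/
"""
# Constructed sample of a mis-edited file: URLs still pinned to one managed
# server over plain protocols although SSL is declared on (port is made up).
BAD_SOA_CONFIG = """\
## [configureSOAConnector]
OIM_HOST=oighost1.example.com
WLS_IS_SSLENABLED=true
SOA_SOAP_URL=http://oighost1.example.com:8001/
SOA_RMI_URL=t3://oighost1.example.com:8001
"""

if __name__ == "__main__":
    for finding in lint_config(parse_config(BAD_SOA_CONFIG)):
        print("-", finding)
```

To check a real file, pass its contents to parse_config and then lint_config before running OIGOAMIntegration.sh.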

Propagating the Domain and Starting the Servers on OIGHOST2

After you start and validate the Administration Server on OIGHOST1, you must propagate the domain and start the servers on OIGHOST2.

Unpacking the Domain Configuration on OIGHOST2

Now that you have the Administration Server running on OIGHOST1, you can configure the domain on OIGHOST2.

  1. Log in to OIGHOST2.
  2. If you haven't already, create the recommended directory structure for the Managed Server domain on the OIGHOST2 storage device.
  3. Make sure the edgdomaintemplate.jar is accessible to OIGHOST2.
    For example, if you are using a separate shared storage volume or partition for OIGHOST2, then copy the template to the volume or partition mounted to OIGHOST2.
  4. Run the unpack command to unpack the template in the domain directory onto the local storage, as follows:
    cd $ORACLE_COMMON_HOME/common/bin
    ./unpack.sh -domain=$IGD_MSERVER_HOME \
    -overwrite_domain=true \
    -template=/full_path/edgdomaintemplate.jar \
    -log_priority=DEBUG \
    -log=/tmp/unpack.log \
    -app_dir=$MS_APPLICATION_HOME

    For Example:

    cd $ORACLE_COMMON_HOME/common/bin
    ./unpack.sh -domain=$IGD_MSERVER_HOME \
    -overwrite_domain=true \
    -template=/tmp/edgdomaintemplate.jar \
    -log_priority=DEBUG \
    -log=/tmp/unpack.log \
    -app_dir=$MS_APPLICATION_HOME

    In this example:

    • Replace IGD_MSERVER_HOME with the complete path to the domain home to be created on the local storage disk. This is the location where the copy of the domain will be unpacked.

    • Replace full_path with the complete path and file name of the domain template jar file that you created when you ran the pack command to pack up the domain on the shared storage device.

    • Replace $MS_APPLICATION_HOME with the complete path to the Application directory for the domain on shared storage. See File System and Directory Variables Used in This Guide.

    Tip:

    For more information about the pack and unpack commands, see Overview of the Pack and Unpack Commands in Creating Templates and Domains Using the Pack and Unpack Commands.

  5. Change directory to the newly created $IGD_MSERVER_HOME directory and verify that the domain configuration files were copied to the correct location on the OIGHOST2 local storage device.

Starting the Node Manager in the Managed Server Domain Directory OIGHOST2

After you manually set up the Node Manager to use a per host Node Manager configuration, you can start the Node Manager by using the following commands on OIGHOST2:

  1. Change directory to the Node Manager home directory:
    cd $NM_HOME
  2. Run the following command to start the Node Manager and send the output of the command to an output file, rather than to the current terminal shell:
    nohup ./startNodeManager.sh > nodemanager.out 2>&1 &

Starting and Validating the soa_server2 and oim_server2 Managed Servers on OIGHOST2

Use the procedure in Starting and Validating the soa_server1 Managed Server on OIGHOST1 to start and validate the Managed Servers on OIGHOST2.
  1. Log in to the WebLogic Remote Console.
  2. Click Monitoring Tree and expand the Environment node, then select Servers.
  3. From the Servers page, select soa_server2 from the Servers column of the table and click Start.
  4. Select oim_server2 from the Servers column of the table and click Start.

Configuring OIG Workflow Notifications to be Sent by Email

OIG uses human workflow, which runs on the SOA server. The SOA server is configured with email so that workflow notifications are delivered to the user's mailbox, from which the user can accept or reject the request.

Both incoming and outgoing email addresses and mailboxes dedicated to the workflow are required for the full functionality. See Configuring Human Workflow Notification Properties in Administering Oracle SOA Suite and Oracle Business Process Management Suite.

To configure the OIG workflow notifications:

  1. Log in to the Fusion Middleware Control by using the administrator's account. For example, weblogic_iam.
  2. Expand the Target Navigation panel and navigate to SOA > soa-infra (soa_server1) service.
  3. From the SOA infrastructure drop-down, select SOA Administration > Workflow Properties.
  4. Set the Notification mode to Email. Provide the correct e-mail address for the notification service.
  5. Click Apply and confirm when prompted.
  6. Verify the changes.
  7. Expand Target Navigation, select User Messaging Service, and then usermessagingdriver-email (soa_servern). Each running SOA Managed Server has its own driver entry; select only one of them.
  8. From the User Messaging Email Driver drop-down list, select Email Driver Properties.
  9. Click Create if the email driver does not exist already.
  10. Click Test and verify the changes.
  11. Click OK to save the email driver configuration.
  12. Restart the SOA cluster. No configuration or restart is required for OIG.

Adding the wsm-pm Role to the Administrators Group

After you configure a new LDAP-based Authorization Provider and restart the Administration Server, add the enterprise deployment administration LDAP group (OIMAdministrators) as a member of the policy.Updater role in the wsm-pm application stripe. The policy.Updater role allows its members to change Oracle Web Services Manager policies, so grant it only to the administrators group.

  1. Sign in to the Fusion Middleware Control by using the administrator's account. For example: weblogic_iam.
  2. From the WebLogic Domain menu, select Security, and then Application Roles.
  3. Select the wsm-pm application stripe from the Application Stripe drop-down menu.
  4. Click the triangular icon next to the role name text box to search for all role names in the wsm-pm application stripe.
  5. Select the row for the policy.Updater role to be edited.
  6. Click the Application Role Edit icon to edit the role.
  7. Click the Application Role Add icon on the Edit Application Role page.
  8. In the Add Principal dialog box, select Group from the Type drop-down menu.
  9. To search for the enterprise deployment administrators group, enter the group name (OIMAdministrators, the group named at the start of this section) in the Principal Name Starts With field and click the right arrow to start the search.
  10. Select the appropriate administrators group in the search results and click OK.
  11. Click OK on the Edit Application Role page.

Adding the Oracle Access Manager Load Balancer Certificate to the Oracle Keystore Service

Connections from the Oracle Identity Governance domain to the Oracle Access Manager load balancer (login.example.com in the commands below) require that the SSL certificate used by that load balancer be added to the Oracle Keystore Service Trusted Certificates.

To add the certificate, do the following:
  1. Create a directory to hold user created keystores and certificates if it doesn't already exist.
    For example:
    mkdir $SHARED_CONFIG_DIR/keystores
  2. Obtain the certificate from the load balancer. You can export the load balancer certificate from a browser, such as Firefox, but the easiest way to obtain it is to use the openssl command. The syntax of the command is as follows:
    openssl s_client -connect <LOADBALANCER>:<PORT> -servername <LOADBALANCER> -showcerts </dev/null 2>/dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > $SHARED_CONFIG_DIR/keystores/<LOADBALANCER>.pem
    For example:
    openssl s_client -connect login.example.com:443 -servername login.example.com -showcerts </dev/null 2>/dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > $SHARED_CONFIG_DIR/keystores/login.example.com.pem

    The openssl command saves the certificate to a file called login.example.com.pem in $SHARED_CONFIG_DIR/keystores. The -servername option sends the host name in the TLS handshake (SNI), which a load balancer that serves several names needs in order to return the right certificate. The sed filter keeps every certificate the load balancer presents, that is, the server certificate followed by any intermediate CA certificates. Before you import the file, confirm that it contains the certificate configured on the load balancer, for example by comparing its fingerprint with the value shown in the load balancer's administration interface; the command itself trusts whatever the network returned.

  3. Load the certificate into the Oracle Keystore Service using WLST.
    1. Connect to WLST using the following command:
      $ORACLE_COMMON_HOME/common/bin/wlst.sh
    2. Connect to the Administration Server using the following command:
      connect('<AdminUser>','<AdminPwd>','t3://<Adminserverhost>:<Adminserver port>')
    3. Load the certificate using the following commands:
      svc = getOpssService(name='KeyStoreService')
      svc.importKeyStoreCertificate(appStripe='system',name='trust',password='', keypassword='',alias='<CertificateName>',type='TrustedCertificate', filepath='/<SHARED_CONFIG_DIR>/keystores/<LOADBALANCER>.pem')
    4. Synchronize the Keystore Service with the file system using the following command:
      syncKeyStores(appStripe='system', keystoreFormat='KSS')

      For example:

      connect('weblogic','password','t3://igdadminvhn.example.com:7101')
      svc = getOpssService(name='KeyStoreService')
      svc.importKeyStoreCertificate(appStripe='system',name='trust',password='', keypassword='',alias='login.example.com',type='TrustedCertificate', filepath='/u01/oracle/config/keystores/login.example.com.pem')
      syncKeyStores(appStripe='system',keystoreFormat='KSS')
      exit()
Restart the domain for the changes to take effect (see Restarting the IAMGovernanceDomain). If you omit the credentials from connect(), WLST prompts for them. The system trust store of the Oracle Keystore Service is accessed with an empty password, as shown; the default password for the Node Manager keystores, COMMON_IAM_PASSWORD, is not used here. If you are prompted to confirm that the certificate is valid, compare the details shown with the certificate you obtained from the load balancer before you confirm.

Restarting the IAMGovernanceDomain

Restart the domain for the configuration steps to take effect.

  1. Shut down the Managed Servers oim_server1 and oim_server2.
  2. Shut down the Managed Servers soa_server1 and soa_server2.
  3. Shut down the Administration Server.
  4. Restart the Administration Server.
  5. Start the Managed Servers soa_server1 and soa_server2.
  6. Start the Managed Servers oim_server1 and oim_server2.

Setting Challenge Questions

If you have integrated OAM and OIG, then after the environment is ready, you need to set up the challenge questions for your system users.

To set up the challenge questions, log in to Identity Self Service using the URL outlined in URLs Used in This Chapter.

Log in with your user name and when prompted, add the challenge questions. You should set up these questions for the following users:

  • xelsysadm
  • weblogic_iam
  • oamadmin

Replacing Connect Strings with the Appropriate TNS Alias

Oracle recommends using a TNS alias in the connection strings used by FMW components instead of repeating long JDBC strings across multiple connection pools.

For more information about how to use TNS alias in your Datasources, see Using TNS Alias in Connect Strings in the Common Configuration and Management Tasks for an Enterprise Deployment chapter.

Integrating Oracle Identity Manager with Oracle Business Intelligence Publisher

Oracle Identity Manager comes with a number of prebuilt reports that provide information about Oracle Identity and Access Management.

Oracle Identity Manager reports are classified by functional area, such as Access Policy Reports, Request and Approval Reports, Password Reports, and so on; they are no longer grouped as Operational and Historical reports. The reports are not generated by Oracle Identity Manager itself but by Oracle Business Intelligence Publisher (BIP), which must therefore be available to Oracle Identity Manager.

The setup of a highly available enterprise deployment of Oracle BI Publisher is beyond the scope of this document. For more information, see Understanding the Business Intelligence Enterprise Deployment Topology in the Enterprise Deployment Guide for Business Intelligence.

Note:

During BI configuration for Oracle Identity Manager, you must configure only Business Intelligence Publisher. If you select other components during BI Publisher configuration, such as Business Intelligence Enterprise Edition and Essbase, the integration with Oracle Identity Manager may not work. See Configuring Reports in Developing and Customizing Applications for Oracle Identity Manager.

Creating a User to Run BI Reports

You may ignore this section if you already have a user to run reports in your Business Intelligence domain.

If you need to create a user in your BI Publisher domain to run reports, use the following LDIF file and ldapmodify command to create the user in the LDAP directory.

  1. Create a file called report_user.ldif with the following contents:
    dn: cn=idm_report,cn=Users,dc=example,dc=com
    changetype: add
    orclsamaccountname: idm_report
    givenname: idm_report
    sn: idm_report
    userpassword: <password>
    mail: idm_report
    objectclass: top
    objectclass: person
    objectclass: organizationalPerson
    objectclass: inetorgperson
    objectclass: orcluser
    objectclass: orcluserV2
    uid: idm_report
    cn: idm_report
  2. Save the file.
  3. Load the file into the LDAP directory using the following command:
    ldapmodify -h idstore.example.com -p 1389 -D cn=oudadmin -j <password_file> -f report_user.ldif

    Replace <password_file> with a file, readable only by you, that contains the cn=oudadmin password. Passing the password on the command line with -w instead exposes it in the shell history and in the process list. Delete report_user.ldif after loading it, because it contains the idm_report password in clear text.

Configuring Oracle Identity Manager to Use BI Publisher

You can set up Oracle BI Publisher to generate Oracle Identity Manager reports.

To configure Oracle Identity Manager to use the BI Publisher:

  1. Log in to Oracle Enterprise Manager Fusion Middleware Control using the URL outlined in URLs Used in This Chapter.
  2. Click WebLogic Domain, and then select System MBean Browser.
  3. Enter XMLConfig.DiscoveryConfig as the search criteria and click Search.
    The XMLConfig.DiscoveryConfig MBean is displayed.
  4. Update the value of the Discovery Config BI publisher URL to the BIP URL. For example, https://bi.example.com. Use the address of the load balancer in front of BI Publisher; if it is an HTTPS address, its certificate must be trusted by the Oracle Identity Governance domain, as described in Adding the Business Intelligence Load Balancer Certificate to Oracle Keystore Trust Service.
  5. Click Apply.

Assigning the BIServiceAdministrator Role to idm_report

If you are using LDAP as your identity store in the Business Intelligence (BI) domain, you must have created an LDAP authenticator in the BI domain so that the users and groups stored in LDAP are visible there.

The report user (for example, idm_report, created in Creating a User to Run BI Reports) must be assigned the BIServiceAdministrator role to generate reports.

To assign this role:

  1. Ensure that the report user is visible in the BI domain by logging in to the BI WebLogic Console using the following URL:

    http://biadmin.example.com/console

  2. Click Security Realms, and then click myrealm.
  3. Go to the Users and Groups tab.
  4. Check that the report user (idm_report) appears in the list of users.
  5. Sign in to the BI Fusion Middleware Control by using the URL http://biadmin.example.com/em and the administrator's account. For example: weblogic_bi.
  6. From the WebLogic Domain menu, select Security, and then Application Roles.
  7. From the Application Stripe drop-down list, select obi.
  8. Click the triangular icon next to the role name text box to search for all role names in the obi application stripe.
  9. Select the row for the BIServiceAdministrator role to edit.
  10. Click the Application Role Edit icon to edit the role.
  11. Click the Application Role Add icon on the Edit Application Role page.
  12. In the Add Principal dialog box, select User from the Type drop-down menu.
  13. To search for the idm_report user, enter the user name idm_report in the Principal Name Starts With field and click the right arrow to start the search.
  14. Select the appropriate user in the search results and click OK.
  15. Click OK on the Edit Application Role page.

Storing the BI Credentials in Oracle Identity Governance

To configure BIP credentials in Oracle Identity Governance:
  1. Log in to the Oracle Enterprise Manager using the URL outlined in URLs Used in This Chapter.
  2. In the left pane, expand WebLogic Domain. The domain name is displayed.
  3. Right-click the domain name, and navigate to Security, and then Credentials. A list of maps in the credential store, including the oim map, is displayed.
  4. Expand the oim map. A list of entries of type Password is displayed.
  5. Edit the BIPWSKey key if it already exists, or create a new one with the following values:

    Table 15-16 Properties of a new CSF entry

    Attribute      Value
    Select Map     oim
    Key            BIPWSKey
    Type           Password
    Username       idm_report
    Password       The idm_report password
    Description    Login credentials for BI Publisher web service

Creating OIM and BPEL Data Sources in BIP

Create OIM Datasource

Oracle BIP must be connected to the OIM and SOA database schemas to run a report.

To do this, create the BIP data sources using the following procedure. The predefined reports are built against data sources named OIM JDBC and BPEL JDBC (the secondary source described in Reports With Secondary Data Source), so use those names.

  1. Log in to the BI Publisher Home page using the URL https://bi.example.com/xmlpserver.

  2. Click the Administration link on the top of the BI Publisher Home page. The BI Publisher Administration page is displayed.

  3. Under Data Sources, click JDBC Connection link. The Data Sources page is displayed.

  4. In the JDBC tab, click Add Data Source to create a JDBC connection to your database. The Add Data Source page is displayed.

  5. Enter values in the following fields:

    Table 15-17 OIM Add Data Source Attributes

    Attribute               Value
    Data Source Name        The Oracle Identity Governance JDBC connection name. For example, OIM JDBC.
    Driver Type             The driver type appropriate to the database version you are using.
    Database Driver Class   A driver class to suit your database, such as oracle.jdbc.OracleDriver.
    Connection String       The database connection details in the format jdbc:oracle:thin:@HOST_NAME:PORT_NUMBER/SERVICE_NAME. (The form HOST_NAME:PORT_NUMBER:SID, with a colon, connects by SID instead.) For example, jdbc:oracle:thin:@igddbscan:1521/oim.example.com
    User name               The Oracle Identity Governance database schema user name. For example, IGD_OIM.
    Password                The password of that database user.

  6. Click Test Connection to verify the connection. If the connection to the database is established, a confirmation message is displayed.

  7. Click Apply to save the data source.

In the JDBC page, you can see the newly defined Oracle Identity Governance JDBC connection in the list of JDBC data sources.

Create BPEL Datasource

  1. Log in to the BI Publisher Home page using the URL https://bi.example.com/xmlpserver.

  2. Click the Administration link on the BI Publisher home page. The BI Publisher Administration page is displayed.

  3. Under Data Sources, click JDBC Connection link. The Data Sources page is displayed.

  4. In the JDBC tab, click Add Data Source to create a JDBC connection to your database. The Add Data Source page is displayed.

  5. Enter values in the following fields:

    Table 15-18 BPEL Add Data Source Attributes

    Attribute               Value
    Data Source Name        The SOA (BPEL) JDBC connection name. For example, BPEL JDBC.
    Driver Type             The driver for the database version you are using.
    Database Driver Class   A driver class to suit your database, such as oracle.jdbc.OracleDriver.
    Connection String       The database connection details in the format jdbc:oracle:thin:@HOST_NAME:PORT_NUMBER/SERVICE_NAME. For example, jdbc:oracle:thin:@igddbscan:1521/oim.example.com
    User name               The SOA infrastructure database schema user name. For example, IGD_SOAINFRA.
    Password                The password of that database user.

  6. Click Test Connection to verify the connection. If the connection to the database is established, a confirmation message is displayed.

  7. Click Apply to save the data source.

In the JDBC page, you can see the newly defined BPEL JDBC connection in the list of JDBC data sources.

Deploying Oracle Identity Governance Reports to BI

After BI Publisher is integrated with Oracle Identity Governance, you can deploy the predefined reports for using them. To deploy Oracle Identity Manager reports:
  1. Copy the predefined reports archive $IGD_ORACLE_HOME/idm/server/reports/oim_product_BIPReports_12c.zip from OIGHOST1 to the directory $SHARED_CONFIG_DIR/biconfig/bidata and unzip it there.

    Note:

    The $SHARED_CONFIG_DIR is defined in the $IGD_ASERVER_HOME/config/fmwconfig/bienv/core/bi-environment.xml file.
  2. Add folder level permission to the BIServiceAdministrator BI application role to view and run the predefined Oracle Identity Governance reports. To do so:
    • Log in to Oracle BI Publisher at https://bi.example.com/xmlpserver by using the WebLogic admin credentials.

    • Click the Catalog link at the top. The Oracle Identity Manager named folder under shared folders is displayed in the left pane. Select the Oracle Identity Manager named folder.

    • Click Permissions option under the Tasks window on the bottom left.

    • Click the plus sign and perform a blank search to list the available roles.

    • Select the BI Service Administrator role, and add to the right panel.

    • Click Ok.

  3. Log out as the WebLogic user.
  4. Log in to the BI Publisher console as the report user (idm_report), which holds the BIServiceAdministrator role.
  5. Run the Oracle Identity Manager reports.

Enable Certification Reports

Select or deselect the Enable Certification Reports option to enable or disable the certification reports. To enable the generation of certification reports, after configuring the BI Publisher credentials and URL, perform the following:
  1. Log in to the Oracle Identity Self Service using the URL outlined in URLs Used in This Chapter.
  2. Click the Compliance tab.
  3. Click the Identity Certification box.
  4. Select Certification Configuration. The Certification Configuration page is displayed.
  5. Select the Enable Certification Reports.
  6. Click Save.

Note:

By default, the Compliance tab is not shown. If you want to enable compliance functionality, you must first set the OIGIsIdentityAuditorEnabled property to true in the Sysadmin Console (located in the Configuration Properties section).

Validating the Reports

To check the integration without running a report against the production JDBC data source, generate a sample report against the sample data source.

Creating the Sample Reports

Sample reports show example report output without querying the production Oracle Identity Governance database. Create the sample data source before you generate the sample reports.

Generating Reports Against the Sample Data Source
After you create the sample data source, you can generate sample reports against it by performing the following steps:
  1. Log in to Oracle BI Publisher using the URL https://bi.example.com/xmlpserver.
  2. Click Shared Folders.
  3. Open the Oracle Identity Manager folder.
  4. Select Sample Reports.
  5. Click View for the sample report you want to generate.
  6. Select an output format for the sample report and click View.

The sample report is generated.

Generating Reports Against the Oracle Identity Manager JDBC Data Source
To generate reports against the OIM JDBC data source, navigate to the Oracle Identity Manager reports by logging in to the Oracle BI Publisher, and select an output format for the report you want to generate.
To generate reports against the Oracle Identity Manager JDBC data source:
  1. Log in to Oracle BI Publisher using the URL: https://bi.example.com/xmlpserver.
  2. Navigate to Oracle Identity Manager reports. To do so:
    • In the BI Publisher home page, under Browse or Manage, click Catalog Folders. Alternatively, you can click Catalog at the top of the page.

      The Catalog page is displayed with a tree structure on the left side of the page and the details on the right.

    • On the left pane, expand Shared Folders, and navigate to the Oracle Identity Manager folder. All the objects in the Oracle Identity Manager folder are displayed.

  3. Click View under the report you want to generate.
  4. Select an output format for the report and click View.
The report is generated.
Generating Reports Against the BPEL-Based JDBC Data Source
Some reports have a secondary data source, which is a BPEL-based JDBC data source. This section describes how to generate reports against it.

Reports With Secondary Data Source

The following four reports have a secondary data source, which connects to the BPEL database to retrieve the BPEL data:

  • Task Assignment History

  • Request Details

  • Request Summary

  • Approval Activity

These reports have a secondary data source (BPEL-based JDBC data source) called BPEL JDBC. To generate reports against the BPEL-based JDBC data source:

  1. Log in to Oracle BI Publisher using the URL https://bi.example.com/xmlpserver.
  2. Navigate to the Oracle Identity Manager reports. To do so:
    • In the BI Publisher home page, under Browse or Manage, click Catalog Folders. Alternatively, you can click Catalog at the top of the page.

      The catalog page is displayed with a tree structure on the left side of the page and the details on the right.

    • On the left pane, expand Shared Folders, and navigate to the Oracle Identity Manager folder. All the objects in the Oracle Identity Manager folder are displayed.

  3. Select the report you want to generate and click Open.
  4. Select an output format for the report, and click Apply.
The report is generated based on the BPEL-based JDBC data source.
Adding the Business Intelligence Load Balancer Certificate to Oracle Keystore Trust Service

The Oracle Identity Governance to Business Intelligence Reports link inside of the Self Service application requires that the SSL certificate used by the load balancer be added to the Oracle Keystore Service Trusted Certificates.

To add the certificate:

  1. Create a directory to hold user created keystores and certificates if it doesn't already exist.
    For example:
    mkdir $SHARED_CONFIG_DIR/keystores
  2. Obtain the certificate from the load balancer. You can export the load balancer certificate from a browser, such as Firefox, but the easiest way to obtain it is to use the openssl command. The syntax of the command is as follows:
    openssl s_client -connect <LOADBALANCER>:<PORT> -servername <LOADBALANCER> -showcerts </dev/null 2>/dev/null | openssl x509 -outform PEM > $SHARED_CONFIG_DIR/keystores/<LOADBALANCER>.pem
    For example:
    openssl s_client -connect bi.example.com:443 -servername bi.example.com -showcerts </dev/null 2>/dev/null | openssl x509 -outform PEM > $SHARED_CONFIG_DIR/keystores/bi.example.com.pem

    The openssl command saves the certificate to a file called bi.example.com.pem in $SHARED_CONFIG_DIR/keystores. Unlike the sed form used for the Oracle Access Manager load balancer, openssl x509 keeps only the first certificate the load balancer presents, which is the server certificate itself; a certificate trusted this way must be imported again when the load balancer certificate is renewed. Before you import the file, confirm that it contains the certificate configured on the load balancer, for example by comparing its fingerprint with the value shown in the load balancer's administration interface.

  3. Load the certificate into the Oracle Keystore Service using WLST.
    1. Connect to WLST using the following command:
      $ORACLE_COMMON_HOME/common/bin/wlst.sh
    2. Connect to the Administration Server using the following command:
      connect('<AdminUser>','<AdminPwd>','t3://<Adminserverhost>:<Adminserver port>')
    3. Load the certificate using the following commands:
      svc = getOpssService(name='KeyStoreService')
      svc.importKeyStoreCertificate(appStripe='system',name='trust',password='', keypassword='',alias='<CertificateName>',type='TrustedCertificate', filepath='/<SHARED_CONFIG_DIR>/keystores/<LOADBALANCER>.pem')
    4. Synchronize the Keystore Service with the file system using the following command:
      syncKeyStores(appStripe='system', keystoreFormat='KSS')

      For example:

      connect('weblogic','password','t3://igdadminvhn.example.com:7101')
      svc = getOpssService(name='KeyStoreService')
      svc.importKeyStoreCertificate(appStripe='system',name='trust',password='', keypassword='',alias='bi.example.com',type='TrustedCertificate', filepath='/u01/oracle/config/keystores/bi.example.com.pem')
      syncKeyStores(appStripe='system',keystoreFormat='KSS')
      exit()
Restart the domain for the changes to take effect (see Restarting the IAMGovernanceDomain). The JDK's own cacerts keystore, whose default password is changeit, is not used by this procedure, nor are the Node Manager keystores (default password COMMON_IAM_PASSWORD); the system trust store of the Oracle Keystore Service is accessed with an empty password, as shown. If you are prompted to confirm that the certificate is valid, compare the details shown with the certificate you obtained from the load balancer before you confirm.
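The following shell script is an added example for both this section and Adding the Oracle Access Manager Load Balancer Certificate to the Oracle Keystore Service; it is not part of this guide and not Oracle code. It captures the certificate chain the way the sed form of the openssl command does, splits the bundle into individual certificates, prints the subject, issuer, expiry and SHA-256 fingerprint of each, checks the host name and expiry, verifies the chain against a CA file, and compares the fingerprint with a value recorded out of band, so that you confirm what you are about to import rather than trusting whatever the network returned. It assumes only the openssl command-line tool. The host name login.example.com, the file name chaincheck.sh and the paths are placeholders, and the CA and server certificates produced by make_demo_chain are constructed test data, not the certificates of any real load balancer.

```shell
#!/bin/sh
# Added example, not from the Oracle guide: inspect a PEM bundle captured with
# "openssl s_client -showcerts" before importing anything into the Oracle
# Keystore Service. Needs only the openssl CLI. Host names and paths are
# placeholders; make_demo_chain produces constructed test certificates.

# fetch_chain HOST PORT OUTFILE: capture every certificate the server presents
# (server certificate first, then intermediates), as the guide's sed form does;
# "openssl x509 -outform PEM" instead would keep only the first one.
# -servername sends SNI, which a load balancer serving several names needs.
fetch_chain() {
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null \
        | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > "$3"
}

# split_chain BUNDLE OUTDIR: write each certificate to OUTDIR/cert-N.pem and
# print the count, so one chosen file can be passed to importKeyStoreCertificate.
split_chain() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /-BEGIN CERTIFICATE-/ { n++; f = dir "/cert-" n ".pem" }
        n > 0                 { print > f }
        /-END CERTIFICATE-/   { close(f) }
        END                   { print n + 0 }' "$1"
}

# cert_summary CERTFILE: subject, issuer, expiry and SHA-256 fingerprint, to be
# compared with the certificate configured on the load balancer itself.
cert_summary() {
    openssl x509 -in "$1" -noout -subject -issuer -enddate -fingerprint -sha256
}

# cert_fingerprint CERTFILE: print the colon-separated SHA-256 fingerprint.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

# fingerprint_matches CERTFILE EXPECTED: succeed only if the fingerprint equals
# the value recorded out of band (case-insensitive).
fingerprint_matches() {
    [ "$(cert_fingerprint "$1" | tr 'a-f' 'A-F')" = "$(printf '%s' "$2" | tr 'a-f' 'A-F')" ]
}

# cert_cn CERTFILE: print the subject CN.
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# cert_matches_host CERTFILE HOST: succeed if the certificate is valid for HOST.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q ' does match '
}

# cert_not_expired CERTFILE: succeed if the certificate has not expired.
cert_not_expired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# verify_chain LEAF CAFILE [UNTRUSTED]: succeed if LEAF chains to a CA in CAFILE,
# optionally through the intermediate certificates in UNTRUSTED.
verify_chain() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
    else
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    fi
}

# inspect_bundle BUNDLE WORKDIR [CAFILE]: the operator's pre-import check.
inspect_bundle() {
    count=$(split_chain "$1" "$2")
    i=1
    while [ "$i" -le "$count" ]; do
        echo "== certificate $i of $count"
        cert_summary "$2/cert-$i.pem"
        i=$((i + 1))
    done
    [ -z "${3:-}" ] && return 0
    if verify_chain "$2/cert-1.pem" "$3" "$1"; then
        echo "chain verifies against $3"
    else
        echo "chain does NOT verify against $3"; return 1
    fi
}

# make_demo_chain DIR: build a constructed test CA and a server certificate for
# login.example.com, and write DIR/bundle.pem as a server would present it.
make_demo_chain() {
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Test CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=login.example.com" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 2 -out "$1/leaf.pem" 2>/dev/null
    cat "$1/leaf.pem" "$1/ca.pem" > "$1/bundle.pem"
}

# Stand-alone usage: ./chaincheck.sh <bundle.pem> <workdir> [<ca.pem>]
if [ "$#" -ge 2 ] && [ -f "$1" ]; then
    inspect_bundle "$1" "$2" "${3:-}"
fi
```

Run it as ./chaincheck.sh $SHARED_CONFIG_DIR/keystores/login.example.com.pem /tmp/certs to see what the captured bundle actually contains, then pass the single file you intend to trust as filepath to importKeyStoreCertificate. Importing the issuing CA certificate (cert-2.pem or later in the split output) keeps working when the load balancer certificate is renewed, whereas importing the server certificate itself must be repeated at every renewal.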

Verification of Manual Failover of the Administration Server

After you configure the domain, test that failover of the Administration Server works correctly.

Perform the steps described in Verifying Manual Failover of the Administration Server.

Backing Up the Configuration

Oracle recommends that you create a backup after you successfully extend a domain, or at another logical point. Create a backup after you verify that the installation so far is successful. This is a quick backup for the express purpose of immediate restoration in case of problems in later steps.

The backup destination is the local disk. You can discard this backup when the enterprise deployment setup is complete. After the enterprise deployment setup is complete, you can initiate the regular deployment-specific Backup and Recovery process.

For information about backing up your configuration, see Performing Backups and Recoveries for an Enterprise Deployment.