14 Configuring Oracle Access Management

Install and configure Oracle Access Management (OAM).

The following topics describe how to install and configure an initial domain, which can be used as the starting point for an enterprise deployment. Later chapters in this guide describe how to extend this initial domain with the various products and components that comprise the enterprise topology you are deploying.

A complete Oracle Identity and Access Management deployment uses a split domain deployment, where there is a single domain for Oracle Access Management and a different one for Oracle Identity Governance. You must create separate infrastructures for Access and Governance.

About the Initial Infrastructure Domain

Before you create the initial Infrastructure domain, ensure that you review the key concepts.

About the Infrastructure Distribution

You create the initial Infrastructure domain for an enterprise deployment by using the Oracle Fusion Middleware Infrastructure distribution. This distribution contains both the Oracle WebLogic Server software and the Oracle JRF software.

The Oracle JRF software consists of Oracle Web Services Manager, Oracle Application Development Framework (Oracle ADF), Oracle Enterprise Manager Fusion Middleware Control, the Repository Creation Utility (RCU), and other libraries and technologies that are required to support the Oracle Fusion Middleware products.

Note:

The Access infrastructure does not use the Web Services Manager.

See Understanding Oracle Fusion Middleware Infrastructure in Understanding Oracle Fusion Middleware.

Characteristics of the Domain

The following table lists some of the key characteristics of the domain that you are about to create. Reviewing these characteristics helps you to understand the purpose and context of the procedures that are used to configure the domain.

Many of these characteristics are described in more detail in Understanding a Typical Enterprise Deployment.

Characteristic of the Domain More Information

Uses a separate virtual IP (VIP) address for the Administration Server.

Configuration of the Administration Server and Managed Servers Domain Directories

Uses separate domain directories for the Administration Server and the Managed Servers in the domain.

Configuration of the Administration Server and Managed Servers Domain Directories

Uses a per domain Node Manager configuration.

About the Node Manager Configuration in a Typical Enterprise Deployment

Requires a separately installed LDAP-based authentication provider.

Understanding OPSS and Requests to the Authentication and Authorization Stores

Variables Used When Creating Infrastructure for Oracle Access Management

As you perform the tasks in this chapter, you will be referencing the variables listed in this section.

The following table explains the configuration file property values required in this section.

Table 14-1 LDAP Variables Used in This Chapter

Variable Sample Value Description

IDSTORE_HOST

idstore.example.com

The host name of your Identity Store directory. When preparing the Identity Store, this should point to one of the LDAP instances. When configuring components such as OAM or OIG, it should point to the load balancer entry point.

IDSTORE_PORT

1636

The port of your Identity Store directory. When preparing the Identity Store, this should point to one of the LDAP instances. When configuring components such as OAM or OIG, it should point to the load balancer entry point.

IDSTORE_DIRECTORYTYPE

OUD

The type of directory you are using. Valid value is OUD.

IDSTORE_BINDDN

cn=oudadmin

An administrative user in the Identity Store Directory.

IDSTORE_PASSWD

password

The password of IDSTORE_BINDDN. You will be prompted for the value if it is not supplied.

IDSTORE_SEARCHBASE

dc=example,dc=com

The location in the directory where Users and Groups are stored.

IDSTORE_LOGINATTRIBUTE

uid

The LDAP attribute that contains the user's login name.

OAM_SERVER_LOGIN_ATTRIBUTE

uid

The LDAP attribute that contains the user's login name.

OAM_IDSTORE_NAME

OAMIDSTORE

Name of the IDStore to create.

IDSTORE_USERSEARCHBASE

cn=Users,dc=example,dc=com

The location in the directory where Users are Stored.

IDSTORE_GROUPSEARCHBASE

cn=Groups,dc=example,dc=com

The location in the directory where Groups are Stored.

IDSTORE_NEW_SETUP

true

This parameter is used when preparing a directory for the first time.

IDSTORE_SYSTEMIDBASE

cn=SystemIDs,dc=example,dc=com

The location of a container in the directory where system users can be placed when you do not want them in the main user container.

IDSTORE_USERNAMEATTRIBUTE

cn

The name of the LDAP attribute that stores a user's name.

IDSTORE_KEYSTORE_FILE

/u01/oracle/config/keystores/idmTrustStore.p12

The location on the SHARED_CONFIG_DIR of the LDAP Truststore for LDAP connections.

LOCAL_KEYSTORE_FILE

/u02/oracle/config/keystores/idmTrustStore.p12

The location on the LOCAL_CONFIG_DIR of the LDAP Truststore for LDAP connections.

IDSTORE_KEYSTORE_PASSWORD

password

The password of the IDSTORE_KEYSTORE_FILE.

Table 14-2 OAM Variables Used in This Chapter

Variable Sample Value Description

IAD_ORACLE_HOME

/u01/oracle/products/oam

The read-only location for the OAM product binaries stored on shared disk.

IAD_ASERVER_HOME

/u01/oracle/config/domains/oam

The Administration Server domain home, which is installed on a shared disk.

IAD_MSERVER_HOME

/u02/oracle/config/domains/oam

The Managed Server domain home, which is created by using the unpack command on the local disk of each application tier host.

APPLICATION_HOME

/u01/oracle/config/applications/oam

The Application home directory, which is installed on shared disk, so the directory is accessible by all the application tier host computers.

MS_APPLICATION_HOME

/u02/oracle/config/applications/oam

The Application home directory, which is installed on the local disk of each application tier host computer.

JAVA_HOME

/u01/oracle/products/jdk

The location where you install the supported Java Development Kit (JDK).

ADMINVHN

iadadminvhn.example.com

The virtual host name used as the listen address for the Administration Server used by the IAMAccessDomain and fails over with manual failover of the Administration Server. It is enabled on the node where the Administration Server process is running.

OAMHOST1

oamhost1.example.com

The hostname of OAMHOST1.

OAMHOST2

oamhost2.example.com

The hostname of OAMHOST2.

DBHOST1

dbhost1.example.com

The hostname of DBHOST1.

DBHOST2

dbhost2.example.com

The hostname of DBHOST2.

SCAN_ADDRESS

db-scan.example.com

Address for the Oracle RAC Database.

PRIMARY_OAM_SERVERS

oamhost1.example.com:5575

A comma-separated list of all of the OAM managed servers that are in the deployment. The format of this is Server Running the OAM Managed Server: OAM Proxy port. Note the proxy port used is not the OAM managed server listen port. The OAM Proxy port can be found in the worksheet (OAM_PROXY_PORT).

WEBGATE_TYPE

ohsWebgate14c

The type of webgate profile to create. This should always be ohsWebgate14c.

ACCESS_GATE_ID

Webgate_IDM

The name of the Webgate Agent to create.

OAM_OIM_WEBGATE_PASSWD

password

The password you wish to assign to the webgate agent you will be creating.

COOKIE_DOMAIN

.example.com

The domain with which you wish to associate the OAM cookie. This is normally the same as the IDSTORE_SEARCHBASE in domain format. The search base can be found in the worksheet (REALM_DN).

COOKIE_EXPIRY_INTERVAL

120

The amount of time before the cookie expires.

OAM_WG_DENY_ON_NOT_PROTECTED

true

This should always be set to true. It ensures that any attempt to access a resource not explicitly stated in the OAM Resource list will be rejected.

OAM_IDM_DOMAIN_OHS_HOST

login.example.com

The name of the Oracle HTTP Server (OHS) server which fronts the IAMAccessDomain. In the case of an enterprise deployment this will be the load balancer name.

OAM_IDM_DOMAIN_OHS_PORT

443

The port on which the OHS server fronting the IAMAccessDomain listens. In the case of an Enterprise Deployment, this will be the load balancer port. This is the IAD_HTTPS_PORT in the worksheet.

OAM_IDM_DOMAIN_OHS_PROTOCOL

https

This determines which protocol is used when accessing the OHS server that fronts the IAMAccessDomain. In the case of an Enterprise Deployment, this is the load balancer protocol. In the Enterprise Deployment Blueprint, SSL is terminated at the load balancer, but the URL always has the HTTPS prefix, so this value should be set to https.

OAM_SERVER_LBR_HOST

login.example.com

The name of the virtual host configured on the load balancer for logging in. This is usually the same as OAM_IDM_DOMAIN_OHS_HOST.

OAM_SERVER_LBR_PORT

443

The port of the virtual host configured on the load balancer for logging in. This is usually the same as OAM_IDM_DOMAIN_OHS_PORT.

OAM_SERVER_LBR_PROTOCOL

https

The protocol of the virtual host configured on the load balancer for logging in. This is usually the same as OAM_IDM_DOMAIN_OHS_PROTOCOL.

OAM_OAM_SERVER_TRANSFER_MODE

Open

This is the type of OAM security transport to be used. This should be set to Open. You can specify Cert if extra security is required. If you wish to use cert, refer to the Oracle Access Manager documentation for how to configure this.

OAM_TRANSFER_MODE

open

The type of OAM security transport to be used. This should be the same as OAM_OAM_SERVER_TRANSFER_MODE.

OAM_OAM_SSLENABLED

true

Set to true if using End to End SSL, and false if using SSL Terminated.

OAM_SSO_ONLY_FLAG

false

This is used to determine whether authentication mode is going to be used. For Enterprise Deployments this should be set to false.

OAM_IMPERSONATION_FLAG

false

Determines whether OAM is to be configured for impersonation. Impersonation is typically used in help desk type applications, where a support user "impersonates" an actual user for the purposes of providing support.

OAM_IDM_DOMAIN_LOGOUT_URLS

/console/jsp/common/logout.jsp,/em/targetauth/emaslogout.jsp

A list of URLs that various products can invoke for the purposes of logging out.

OAM_OIM_INTEGRATION_REQ

true

If you are intending Oracle Identity Governance to handle forgotten password functionality then this parameter should be set to true. If you are using the new OAM forgotten password functionality then this value should be set to false.

OAM_OIM_OHS_URL

https://oig.example.com:443/

If you are planning on using OIM for Forgotten Password functionality then you need to specify the external entry point for OIG. This is the OIG URL to which OAM directs the requests. This URL is made up of the following values from the worksheet: https://oig.example.com:IAG_HTTPS_PORT/.

IDSTORE_OAMADMINUSER

oamadmin

The user name of the Admin account you are connecting to the Identity Store with.

IDSTORE_PWD_OAMADMINUSER

password

The password of the Admin user account IDSTORE_OAMADMINUSER you are connecting to the Identity Store with.

IDSTORE_OAMSOFTWAREUSER

oamLDAP

The user name of the OAM account you are connecting to the Identity Store with.

IDSTORE_PWD_OAMSOFTWAREUSER

password

The password of the account IDSTORE_OAMSOFTWAREUSER you are connecting to the Identity Store with.

OAM_IDSTORE_ROLE_SECURITY_ADMIN

OAMAdministrators

The name of the OAM Administrators security group.

OAM_WLS_ADMIN_PASSWD

password

The password of the WLS Admin account (weblogic_iam).

IDSTORE_WLSADMINUSER

weblogic_iam

The user name of the WLS account you are connecting to the Identity Store with.

IDSTORE_WLSADMINGROUP

WLSAdministrators

The name of the group you want to create to hold your WebLogic Server administrative users.

OAM_PROXY_PORT

5575

The OAM proxy port of the OAM Managed Server. The OAM Proxy port can be found in the worksheet (OAM_PROXY_PORT).

IAD_HTTP_PORT

80

The port number of the IAD Admin hostname (iadadmin.example.com).

This is 80 for SSL Terminated and 443 for End to End SSL.

WLS Properties

Table 14-3 WLS Variables Used in This Chapter

Variable Sample Value Description

WLSHOST

iadadminvhn.example.com

The Admin Server listen address. For OAM configuration, this will be iadadminvhn.example.com.

WLSPORT

9002

The Administration port of the WebLogic Server when secure mode is enabled. This should always be 9002 for enterprise deployments.

This is the IAD_WLS_PORT in the worksheet.

WLSADMIN

weblogic

The user used to connect to the Admin Server.

WLSPASSWD

password

The password for the weblogic admin user.

WLS_IS_SSLENABLED

true

This flag is used to specify if the AdminServer is running in secure mode (SSL) or non-secure mode.

WLS_SSL_HOST_VERIFICATION

true

Whether to perform hostname verification with SSL certificates.

WLS_TRUSTSTORE

/u01/oracle/config/keystores/idmTrustStore.p12

The location of the WLS Truststore on shared storage.

LOCAL_WLS_TRUSTSTORE

/u02/oracle/config/keystores/idmTrustStore.p12

The location of the WLS Truststore on local storage.

WLS_TRUSTSTORE_PASSWORD

password

The password of the WLS_TRUSTSTORE.

OIG Properties

Table 14-4 OIG Variables Used in This Chapter

Variable Sample Value Description

IDSTORE_OIMADMINGROUP

OIMAdministrators

The name of the group you want to create to hold your Oracle Identity Governance administrative users.

IDSTORE_OIMADMINUSER

oimLDAP

The user that Oracle Identity Governance uses to connect to the Identity store.

IDSTORE_PWD_OIMADMINUSER

password

The password of IDSTORE_OIMADMINUSER. If there is no value, you will be prompted for it.
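Several of the variables in Tables 14-1 to 14-3 have values that the guide fixes (OAM_WG_DENY_ON_NOT_PROTECTED, WEBGATE_TYPE, OAM_SSO_ONLY_FLAG, IDSTORE_DIRECTORYTYPE, WLSPORT) or that must agree with one another (the two transfer modes; OAM_OAM_SSLENABLED and IAD_HTTP_PORT). The following script is an added example, not part of the Oracle guide or its tooling: it lints a KEY=VALUE properties file that holds these variables before the file is used to configure OAM. The file layout, the function names and the sample values in the comments are assumptions; the keys and required values are taken from the tables above.

```shell
#!/bin/sh
# Added example, not part of the Oracle guide: lint a KEY=VALUE properties
# file holding the variables from Tables 14-1 to 14-3 against the values the
# guide says are fixed or must agree with each other, before using the file
# to configure OAM. The file layout and function names are assumptions.

# prop FILE KEY: print the value of KEY (first match; empty if absent).
prop() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*[=:][[:space:]]*//p" "$1" | head -n 1
}

# expect FILE KEY VALUE: return 1 (and say why) unless KEY is set to VALUE.
expect() {
    actual=$(prop "$1" "$2")
    if [ "$actual" != "$3" ]; then
        echo "FAIL: $2 is '$actual'; the guide requires '$3'"
        return 1
    fi
}

# check_oam_props FILE: run every check; the return value is the number of
# failed checks, so 0 means the file is consistent with the guide.
check_oam_props() {
    f=$1
    fails=0
    # Anything not explicitly listed as an OAM resource must be denied.
    expect "$f" OAM_WG_DENY_ON_NOT_PROTECTED true || fails=$((fails + 1))
    # Only this WebGate profile type is supported.
    expect "$f" WEBGATE_TYPE ohsWebgate14c || fails=$((fails + 1))
    # Enterprise deployments do not use SSO-only mode.
    expect "$f" OAM_SSO_ONLY_FLAG false || fails=$((fails + 1))
    # OUD is the only valid directory type.
    expect "$f" IDSTORE_DIRECTORYTYPE OUD || fails=$((fails + 1))
    # The secure-mode administration port is always 9002.
    expect "$f" WLSPORT 9002 || fails=$((fails + 1))

    # The two transport-mode settings must agree; compare case-insensitively
    # because the guide's samples are "Open" and "open".
    a=$(prop "$f" OAM_OAM_SERVER_TRANSFER_MODE | tr 'A-Z' 'a-z')
    b=$(prop "$f" OAM_TRANSFER_MODE | tr 'A-Z' 'a-z')
    if [ -z "$a" ] || [ "$a" != "$b" ]; then
        echo "FAIL: OAM_OAM_SERVER_TRANSFER_MODE ('$a') and OAM_TRANSFER_MODE ('$b') must match"
        fails=$((fails + 1))
    fi

    # OAM_OAM_SSLENABLED=true goes with End to End SSL (IAD_HTTP_PORT 443);
    # false goes with SSL terminated at the load balancer (port 80).
    ssl=$(prop "$f" OAM_OAM_SSLENABLED)
    port=$(prop "$f" IAD_HTTP_PORT)
    case "$ssl:$port" in
        true:443|false:80) ;;
        *) echo "FAIL: OAM_OAM_SSLENABLED=$ssl is inconsistent with IAD_HTTP_PORT=$port"
           fails=$((fails + 1)) ;;
    esac

    # The sample value "password" must not survive into a real file.
    for k in IDSTORE_PASSWD IDSTORE_KEYSTORE_PASSWORD OAM_OIM_WEBGATE_PASSWD \
             OAM_WLS_ADMIN_PASSWD WLSPASSWD WLS_TRUSTSTORE_PASSWORD; do
        if [ "$(prop "$f" "$k")" = "password" ]; then
            echo "FAIL: $k still has the sample value"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# Usage: OAM_PROPS_FILE=/path/to/oam.props sh check_oam_props.sh
if [ -n "${OAM_PROPS_FILE:-}" ]; then
    check_oam_props "$OAM_PROPS_FILE"
fi
```

Run it with OAM_PROPS_FILE pointing at your properties file; a non-zero exit status is the number of failed checks, and each failure is printed with the value the guide requires.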

Setting Environment Variables

Set environment variables used in this chapter.

To help navigate this guide and so you are able to copy sample commands without modification, you can set the following environment variables replacing the values with values appropriate to your environment.

export IAD_ORACLE_HOME=/u01/oracle/products/oam
export ORACLE_HOME=$IAD_ORACLE_HOME
export ORACLE_COMMON_HOME=$IAD_ORACLE_HOME/oracle_common
export JAVA_HOME=/u01/oracle/products/jdk
export PATH=$JAVA_HOME/bin:$PATH
export IAD_ASERVER_HOME=/u01/oracle/config/domains/oam
export IAD_MSERVER_HOME=/u02/oracle/config/domains/oam
export NM_HOME=/u02/oracle/config/nodemanager
export APPLICATION_HOME=/u01/oracle/config/applications/oam
export MS_APPLICATION_HOME=/u02/oracle/config/applications/oam
export DB_HOST=db-scan.example.com
export DB_PORT=1521
export DB_SERVICE=oamsvc.example.com
export KEYSTORE_HOME=/u01/oracle/config/keystores
export LOCAL_KEYSTORE_HOME=/u02/oracle/config/keystores
export SHARED_CONFIG_DIR=/u01/oracle/config
export LOCAL_CONFIG_DIR=/u02/oracle/config

URLs Used in This Chapter

This section describes the URLs used in this chapter.

Table 14-5 SSL Terminated

Function Component URL Load Balancer URL

Remote Console connection

http://iadadminvhn.example.com:7001/

http://iadadmin.example.com

Enterprise Manager

http://iadadminvhn.example.com:7001/em

http://iadadmin.example.com/em

OAM Console

http://iadadminvhn.example.com:7001/oamconsole

http://iadadmin.example.com/oamconsole

Table 14-6 End to End SSL

Function Component URL Load Balancer URL

Remote Console connection

https://iadadminvhn.example.com:9002/

https://iadadmin.example.com

Enterprise Manager

https://iadadminvhn.example.com:9002/em

https://iadadmin.example.com/em

OAM Console

https://iadadminvhn.example.com:9002/oamconsole

https://iadadmin.example.com/oamconsole

Installing the Oracle Fusion Middleware

Install the Oracle Fusion Middleware software in preparation for configuring a new domain for Oracle Access Management.

Installing a Supported JDK

Oracle Fusion Middleware requires that a certified Java Development Kit (JDK) is installed on your system.

Locating and Downloading the JDK Software

To find a certified JDK, see the certification document for your release on the Oracle Fusion Middleware Supported System Configurations page.

After you identify the Oracle JDK for the current Oracle Fusion Middleware release, you can download an Oracle JDK from the following location on Oracle Technology Network:

https://www.oracle.com/java/technologies/downloads/

Be sure to navigate to the download for the Java SE JDK.

Installing the JDK Software

Oracle Fusion Middleware requires you to install a certified Java Development Kit (JDK) on your system.

For more information about the recommended location for the JDK software, see Understanding the Recommended Directory Structure for an Enterprise Deployment.

To install JDK 21.0:
  1. Change directory to the location where you downloaded the JDK archive file.
    cd download_dir
  2. Unpack the archive into the JDK home directory, and then run the following commands:
    tar -xzvf jdk-21.0.4+8_linux-x64_bin.tar.gz
    Note that the JDK version listed here was accurate at the time this document was published. For the latest supported JDK, see the Oracle Fusion Middleware System Requirements and Specifications for the current Oracle Fusion Middleware release.
  3. Move the JDK directory to the recommended location in the directory structure.
    For example:
    ln -s jdk-21.0.4 /u01/oracle/products/jdk
  4. Run the following command to verify that the appropriate java executable is in the path and your environment variables are set correctly:
    java -version
    The Java version in the output should be displayed as “21.0.4”.
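Step 4 asks you to confirm that the java executable in your PATH is the right one and reports the expected version. The following script is an added example, not part of the Oracle guide: it checks that $JAVA_HOME/bin/java exists, that the java found through PATH resolves to the same directory even when JAVA_HOME is a symbolic link as in step 3, and that the reported version matches. The function names and the expected version 21.0.4 (taken from the guide's sample) are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Oracle guide: confirm that the JDK linked at
# JAVA_HOME is the java found first in PATH and that it reports the expected
# version. The function names and the expected version ("21.0.4", from the
# guide's sample) are assumptions.

# jdk_version_of TEXT: extract the quoted version from `java -version`
# output, whose first line looks like:  java version "21.0.4" 2024-07-16 LTS
jdk_version_of() {
    printf '%s\n' "$1" | sed -n '1s/.*version "\([^"]*\)".*/\1/p'
}

# check_jdk JAVA_HOME EXPECTED_VERSION
# Returns 0 when $JAVA_HOME/bin/java is executable, is the same binary that
# `java` resolves to through PATH, and reports EXPECTED_VERSION.
# Otherwise prints the reason and returns 1.
check_jdk() {
    jh=$1
    expected=$2
    if [ ! -x "$jh/bin/java" ]; then
        echo "no executable java at $jh/bin/java"
        return 1
    fi
    in_path=$(command -v java 2>/dev/null) || { echo "java is not in PATH"; return 1; }
    # Resolve symlinks (the guide links /u01/oracle/products/jdk to jdk-21.0.4)
    # so the comparison is between physical directories.
    path_dir=$(cd "$(dirname "$in_path")" && pwd -P)
    home_dir=$(cd "$jh/bin" && pwd -P)
    if [ "$path_dir" != "$home_dir" ]; then
        echo "java in PATH ($in_path) is not $jh/bin/java"
        return 1
    fi
    # `java -version` writes to stderr, hence the redirection.
    actual=$(jdk_version_of "$("$jh/bin/java" -version 2>&1)")
    if [ "$actual" != "$expected" ]; then
        echo "expected JDK $expected but found '$actual'"
        return 1
    fi
    echo "OK: JDK $actual at $jh"
}

# Usage: JAVA_HOME=/u01/oracle/products/jdk JDK_EXPECTED=21.0.4 sh check_jdk.sh
if [ -n "${JAVA_HOME:-}" ] && [ -n "${JDK_EXPECTED:-}" ]; then
    check_jdk "$JAVA_HOME" "$JDK_EXPECTED"
fi
```

The physical-directory comparison matters because PATH is set to $JAVA_HOME/bin while JAVA_HOME itself is a symbolic link; comparing the unresolved strings would report a mismatch on a correctly configured host.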

Installing the Oracle Fusion Middleware Infrastructure

Use the following sections to install the Oracle Fusion Middleware Infrastructure software in preparation for configuring a new domain for Oracle Access Management.

Starting the Oracle Identity Management Quick Installer

To start the installation program, perform the following steps.

  1. Log into OAMHOST1.
  2. Go to the directory where you downloaded the installation program.
  3. Launch the installation program by invoking the java executable from the JDK directory on your system, as shown in the example below.
    $JAVA_HOME/bin/java -jar fmw_14.1.2.0.0_infrastructure_generic.jar
    

    In this example:

    • If you download the distribution from the Oracle Technology Network (OTN), then the JAR file is typically packaged inside a downloadable ZIP file.

      To install the software required for the initial Infrastructure domain, the distribution you want to install is:

      fmw_14.1.2.0.0_infrastructure_generic.jar.

      For more information about the actual file names of each distribution, see Identifying and Obtaining Software Downloads for an Enterprise Deployment.

When the installation program appears, you are ready to begin the installation. See Navigating the Installation Screens for a description of each installation program screen.

Navigating the Installation Screens

The installation program displays a series of screens, in the order listed in the following table.

If you need additional help with any of the installation screens, click the screen name or click the Help button on the screen.

Table 14-7 Navigating the Infrastructure Installation Screens

Screen Description

Installation Inventory Setup

On UNIX operating systems, this screen appears if you are installing any Oracle product on this host for the first time. Specify the location where you want to create your central inventory. Ensure that the operating system group name selected on this screen has write permissions to the central inventory location.

See Understanding the Oracle Central Inventory in Installing Software with the Oracle Universal Installer.

Note:

Oracle recommends that you configure the central inventory directory on the products shared volume. Example: /u01/oracle/products/oraInventory

You may also need to execute the createCentralinventory.sh script as root from the oraInventory folder after the installer completes.

Welcome

This screen introduces you to the product installer.

Auto Updates

Use this screen to search My Oracle Support automatically for available patches or automatically search a local directory for patches that you have already downloaded for your organization.

Installation Location

Use this screen to specify the location of your Oracle home directory.

For the purposes of an enterprise deployment, enter the value of the $ORACLE_HOME variable for the product listed in Table 8-2.

For example, /u01/oracle/products/oam

Prerequisite Checks

This screen verifies that your system meets the minimum requirements.

If there are any warning or error messages, refer to the Oracle Fusion Middleware System Requirements and Specifications document on the Oracle Technology Network (OTN).

Installation Summary

Use this screen to verify the installation options that you have selected. If you want to save these options to a response file, click Save Response File and provide the location and name of the response file. Response files can be used later in a silent installation situation.

For more information about silent or command-line installation, see Using the Oracle Universal Installer in Silent Mode in Installing Software with the Oracle Universal Installer.

Installation Progress

This screen allows you to see the progress of the installation.

Installation Complete

This screen appears when the installation is complete. Review the information on this screen, then click Finish to dismiss the installer.

Installing Oracle Fusion Middleware Infrastructure on the Other Host Computers

If you have configured a separate shared storage volume or partition for secondary hosts, then you must install the Infrastructure on one of those hosts.

See Shared Storage Recommendations When Installing and Configuring an Enterprise Deployment.

To install the software on the other host computers in the topology, log in to each host, and use the instructions in Starting the Oracle Identity Management Quick Installer and Navigating the Installation Screens to create the Oracle home on the appropriate storage device.

You must install the Stack Bundle Patch and any other mandatory patches outlined in Identifying and Obtaining Software Distributions for an Enterprise Deployment.

Checking the Directory Structure

After you install the Oracle Identity and Access Management and create the Oracle home, you should see the directory and sub-directories listed in this topic. The contents of your installation vary based on the options that you selected during the installation.

To check the directory structure:

  1. Navigate to the $ORACLE_HOME:
    cd $ORACLE_HOME
  2. Enter the following command:
    ls --format=single-column
    The directory structure on your system must match the structure shown in the following example:
    bin
    cfgtoollogs
    coherence
    domain-registry.xml
    em
    envPropertiesCache
    idm
    install
    inventory
    jdeveloper
    jlib
    lib
    mft
    OPatch
    opmn
    oracle_common
    oraInst.loc
    osb
    oui
    root.sh
    soa
    wlserver
    
    See What are the Key Oracle Fusion Middleware Directories? in Understanding Oracle Fusion Middleware.

Installing Oracle Access Management for an Enterprise Deployment

The procedure for installing Oracle Access Management in an enterprise deployment domain is explained in this section.

This section contains the following procedures.

Starting the Oracle Identity and Access Management Installation Program

To start the installation program:

  1. Log in to OAMHOST1.
  2. Go to the directory where you downloaded the installation program.
  3. Launch the installation program by invoking the java executable from the JDK directory on your system, as shown in the example below.
    $JAVA_HOME/bin/java -jar fmw_14.1.2.1.0_idm_generic.jar
    

When the installation program appears, you are ready to begin the installation.

Navigating the Installation Screens

The installation program displays a series of screens, in the order listed in the following table.

If you need additional help with any of the installation screens, click the screen name.

Screen Description

Installation Inventory Screen

If you did not create a central inventory when you installed the Oracle Fusion Middleware Infrastructure software, then this dialog box appears.

Edit the Inventory Directory field so it points to the location of your local inventory, and then click OK.

Welcome

This screen introduces you to the product installer.

Auto Updates

Use this screen to automatically search My Oracle Support for available patches or automatically search a local directory for patches that you’ve already downloaded for your organization.

Installation Location

Use this screen to specify the location of your Oracle home directory. For Oracle Identity and Access Management, this should be set to IAD_ORACLE_HOME.

For example, /u01/oracle/products/oam.

For more information about Oracle Fusion Middleware directory structure, see "Selecting Directories for Installation and Configuration" in Planning an Installation of Oracle Fusion Middleware.

Installation Type

Use this screen to choose the type of installation you wish to deploy.

  • Select Collocated Oracle Identity and Access Manager (Managed through WebLogic Server).

Prerequisite Checks

This screen verifies that your system meets the minimum necessary requirements.

If there are any warning or error messages, you can refer to one of the documents in the Roadmap for Verifying Your System Environment section in Planning Your Oracle Fusion Middleware Infrastructure Installation.

Installation Summary

Use this screen to verify the installation options you selected.

Click Install to begin the installation.

Installation Progress

This screen allows you to see the progress of the installation.

Click Next when the progress bar reaches 100% complete.

Installation Complete

Review the information on this screen, then click Finish to dismiss the installer.

Installing the Stack Bundle Patch

After installing the software binaries, you must apply the latest Stack Bundle Patch.

For an enterprise deployment you must download and apply the July 2025 Stack Bundle Patch or later. For more details, see Identifying and Obtaining Software Distributions for an Enterprise Deployment.

To apply the patch run the following commands:
  1. After downloading the patch, unzip it to your preferred location. For example:
    unzip p38184742_141210_Linux-x86-64.zip

    This location will be known as $PATCH_DIR.

  2. Navigate to the $PATCH_DIR:
    cd $PATCH_DIR/tools/spbat/generic/SPBAT/
  3. Apply the patch using the command:
    ./spbat.sh -type oam -phase downtime -mw_home $IAD_ORACLE_HOME -spb_download_dir $PATCH_DIR

Installing Oracle Access Management on the Other Host Computers

If you have followed the Enterprise Deployment Guide shared storage recommendations, there is a separate shared storage volume for product installations on OAMHOST2, and you must also install the software on OAMHOST2. See Shared Storage Recommendations When Installing and Configuring an Enterprise Deployment.

You must install the Stack Bundle Patch and any other mandatory patches outlined in Identifying and Obtaining Software Distributions for an Enterprise Deployment.

Verifying the Installation

After you complete the installation, you can verify it by successfully completing the following tasks.

Reviewing the Installation Log Files

Review the contents of the installation log files to make sure that no problems were encountered. For a description of the log files and where to find them, see Understanding Installation Log Files in Installing Software with the Oracle Universal Installer.

Checking the Directory Structure

The contents of your installation vary based on the options you selected during the installation.

The addition of Oracle Identity and Access Management will add the following directory and sub-directories:

$IAD_ORACLE_HOME/
OPatch
cfgtoollogs
coherence
em
idm
inventory
oraInst.loc 
oracle_common
oui
wlserver

idm/
clone
common
connectors
designconsole
idmdiag
idmtools
jlib
libovd
mbeans
modules
oam
oic
opam-connectors
plugins
remote_manager
schema
server
upgrade

For more information about the directory structure you should see after installation, see "What are the Key Oracle Fusion Middleware Directories?" in Understanding Oracle Fusion Middleware.
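Rather than eyeballing the listings, you can check an Oracle home against them. The following script is an added example, not part of the Oracle guide: it takes the entry lists from both Checking the Directory Structure sections in this chapter (the Infrastructure listing under $ORACLE_HOME and the OAM listing under $IAD_ORACLE_HOME and its idm subdirectory) and reports any entry that is missing. The entry lists are transcribed from the guide; the function names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Oracle guide: check an Oracle home against
# the directory listings the guide gives under "Checking the Directory
# Structure" and report any entry that is missing. The entry lists are
# transcribed from the guide; the function names are assumptions.

# Top-level entries listed for $ORACLE_HOME after the Infrastructure install.
INFRA_HOME_ENTRIES="bin cfgtoollogs coherence domain-registry.xml em envPropertiesCache
idm install inventory jdeveloper jlib lib mft OPatch opmn oracle_common oraInst.loc osb
oui root.sh soa wlserver"

# Top-level entries the OAM install adds under $IAD_ORACLE_HOME.
OAM_HOME_ENTRIES="OPatch cfgtoollogs coherence em idm inventory oraInst.loc oracle_common
oui wlserver"

# Entries expected under $IAD_ORACLE_HOME/idm.
IDM_ENTRIES="clone common connectors designconsole idmdiag idmtools jlib libovd mbeans
modules oam oic opam-connectors plugins remote_manager schema server upgrade"

# missing_entries DIR "NAME NAME ...": print each expected name that does not
# exist in DIR, one per line; return 1 if anything is missing, else 0.
missing_entries() {
    dir=$1
    rc=0
    for name in $2; do
        if [ ! -e "$dir/$name" ]; then
            echo "$name"
            rc=1
        fi
    done
    return "$rc"
}

# report DIR LIST: human-readable wrapper around missing_entries.
report() {
    if m=$(missing_entries "$1" "$2"); then
        echo "OK: $1 has every expected entry"
    else
        echo "MISSING under $1:"
        echo "$m" | sed 's/^/  /'
        return 1
    fi
}

# check_oam_home IAD_ORACLE_HOME: verify the OAM home and its idm/ subtree.
# Returns 0 only if both listings are complete.
check_oam_home() {
    status=0
    report "$1" "$OAM_HOME_ENTRIES" || status=1
    report "$1/idm" "$IDM_ENTRIES" || status=1
    return "$status"
}

# check_infra_home ORACLE_HOME: verify the Infrastructure home listing.
check_infra_home() {
    report "$1" "$INFRA_HOME_ENTRIES"
}

# Usage: check_oam_home "$IAD_ORACLE_HOME"   or   check_infra_home "$ORACLE_HOME"
if [ -n "${IAD_ORACLE_HOME:-}" ] && [ -d "${IAD_ORACLE_HOME:-}" ]; then
    check_oam_home "$IAD_ORACLE_HOME"
fi
```

Run it on OAMHOST1 and on OAMHOST2 after the Stack Bundle Patch has been applied on each; a non-zero exit status means an expected directory or file is absent from that host's Oracle home.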

Viewing the Contents of Your Oracle Home

You can also view the contents of your Oracle home by using the viewInventory script. See Viewing the contents of an Oracle home in Installing Software with the Oracle Universal Installer.

Configuring LDAP

If you haven't already done so, you need to configure your LDAP directory.

To do this follow the steps in Preparing an Existing LDAP Directory.

Creating the Database Schemas for Access Manager

Oracle Fusion Middleware components require the existence of schemas in a database before you configure a Fusion Middleware Infrastructure domain for Oracle Access Management.

Install the schemas listed in this topic in a certified database for use with this release of Oracle Fusion Middleware.

The tool creates the following schemas:

  • Metadata Services (MDS)

  • Audit Services (IAU)

  • Audit Services Append (IAU_APPEND)

  • Audit Services Viewer (IAU_VIEWER)

  • Oracle Platform Security Services (OPSS)

  • User Messaging Service (UMS)

  • WebLogic Services (WLS)

  • Common Infrastructure Services (STB)

  • Oracle Access Manager (OAM)

For more information about RCU and how the schemas are created and stored in the database, see Preparing for Schema Creation in Creating Schemas with the Repository Creation Utility.

Installing and Configuring a Certified Database

Make sure that you have installed and configured a certified database, and that the database is up and running.

See Preparing the Database for an Enterprise Deployment.

Creating the Database Schemas Using GUI

Starting the Repository Creation Utility (RCU)

To start the Repository Creation Utility (RCU):

  1. Navigate to the following directory on OAMHOST1:

    For Example

    $IAD_ORACLE_HOME/oracle_common/bin
  2. Start RCU:
    ./rcu

    Note:

    If your database has Transparent Data Encryption (TDE) enabled, and you want to encrypt your tablespaces created by the RCU, provide the -encryptTablespace true option when you start the RCU.

    This will default the appropriate RCU GUI Encrypt Tablespace checkbox selection on the Map Tablespaces screen without further effort during the RCU execution. See Encrypting Tablespaces in Creating Schemas with the Repository Creation Utility.

Navigating the RCU Screens to Create the Schemas

The RCU installation program displays a series of screens, in the order listed in the following table.

Screen Description

Introducing RCU

Review the Welcome screen and verify the version number for RCU. Click Next to begin.

Selecting a Method of Schema Creation

If you have the necessary permission and privileges to perform DBA activities on your database, select System Load and Product Load on the Create Repository screen. The procedure in this document assumes that you have the necessary privileges.

If you do not have the necessary permission or privileges to perform DBA activities in the database, you must select Prepare Scripts for System Load on this screen. This option will generate a SQL script, which can be provided to your database administrator. See Understanding System Load and Product Load in Creating Schemas with the Repository Creation Utility.

Click Next.

Tip:

For more information about the options on this screen, see Create repository in Creating Schemas with the Repository Creation Utility.

Providing Database Connection Details

Provide the database connection details for RCU to connect to your database.

  1. As Database Type, select Oracle Database enabled for edition based redefinition.
  2. In the Host Name field, enter the SCAN address of the Oracle RAC Database.
  3. Enter the Port number of the RAC database scan listener, for example 1521.
  4. Enter the RAC Service Name of the database.
  5. Enter the User Name of a user that has permissions to create schemas and schema objects, for example SYS.
  6. Enter the Password of the user name that you provided in step 5
  7. If you have selected the SYS user, ensure that you set the role to SYSDBA.
  8. Click Next to proceed, then click OK on the dialog window confirming that connection to the database was successful.

Tip:

For more information about the options on this screen, see Database Connection Details in Creating Schemas with the Repository Creation Utility.

Specifying a Custom Prefix and Selecting Schemas

  1. Specify the custom prefix you want to use to identify the Oracle Fusion Middleware schemas.

    The custom prefix is used to logically group these schemas together for use in this domain. For Oracle Access Management, use the prefix IAD.

    Tip:

    Make a note of the custom prefix you choose to enter here; you will need this later, during the domain creation process.

    For more information about custom prefixes, see Understanding Custom Prefixes in Creating Schemas with the Repository Creation Utility.

  2. Select the following schemas from the list of components:
    • AS Common Schemas

      When you select AS Common Schemas, all of the schemas in this section are automatically selected. If the schemas in this section are not automatically selected, then select the required schemas.

      • Metadata Services (MDS)

      • Audit Services (IAU)

      • Audit Services Append (IAU_APPEND)

      • Audit Services Viewer (IAU_VIEWER)

      • Oracle Platform Security Services (OPSS)

      • User Messaging Service (UMS)

      • WebLogic Services (WLS)

      • Common Infrastructure Services (STB)

    • Expand the group IDM Schemas, and then select the Oracle Access Manager schema.

There are two mandatory schemas that are selected by default. You cannot deselect them: Common Infrastructure Services (the STB schema) and WebLogic Services (the WLS schema). The Common Infrastructure Services schema enables you to retrieve information from RCU during domain configuration. See Understanding the Service Table Schema in Creating Schemas with the Repository Creation Utility.

Tip:

For more information about how to organize your schemas in a multi-domain environment, see Planning Your Schema Creation in Creating Schemas with the Repository Creation Utility.

Click Next to proceed, then click OK on the dialog window confirming that prerequisite checking for schema creation was successful.

Specifying Schema Passwords

Specify how you want to set the schema passwords on your database, then specify and confirm your passwords. Ensure that the complexity of the passwords meets the database security requirements before you continue. RCU proceeds at this point even if the passwords do not meet the database password policies, so perform this check outside RCU itself.

Click Next.

Tip:

You must make a note of the passwords you set on this screen; you will need them later on during the domain creation process.

Verifying the Tablespaces for the Required Schemas

You can accept the default settings on the remaining screens, or you can customize how RCU creates and uses the required tablespaces for the Oracle Fusion Middleware schemas.

Note:

You can configure a Fusion Middleware component to use JDBC stores for JMS servers and Transaction Logs, by using the Configuration Wizard. These JDBC stores are placed in the WebLogic Services component tablespace. If your environment expects to have a high level of transactions and/or JMS activity, you can increase the default size of the <PREFIX>_WLS tablespace to better suit the environment load.

Click Next to continue, and then click OK on the dialog window to confirm the tablespace creation.

For more information about RCU and its features and concepts, see About the Repository Creation Utility in Creating Schemas with the Repository Creation Utility.

Creating Schemas

Review the summary of the schemas to be loaded and click Create to complete schema creation.

Note:

If failures occurred, review the listed log files to identify the root cause, resolve the defects, and then use RCU to drop and re-create the schemas before you continue.

Reviewing Completion Summary and Completing RCU Execution

When you reach the Completion Summary screen, verify that all schema creations have been completed successfully, and then click Close to dismiss RCU.

Creating the Database Schemas Using CLI

Run the following commands to create the database schemas using the Repository Creation Utility (RCU) command line in silent mode:

  1. Create a password file pwd.txt that contains the password for the database SYSDBA account and the password assigned to the database schemas. This file should contain two lines, as shown in the following example:
    sysdba_password
    schema_password
  2. Run the following command to execute the RCU in silent mode:
    $ORACLE_COMMON_HOME/oracle_common/bin/rcu -silent -createRepository \
      -databaseType ORACLE -connectString $DB_HOST:$DB_PORT/$DB_SERVICE \
      -dbUser sys -dbRole sysdba -selectDependentsForComponents true \
      -useSamePasswordForAllSchemaUsers true -schemaPrefix $RCU_PREFIX \
      -component MDS -component IAU -component IAU_APPEND -component IAU_VIEWER \
      -component OPSS -component WLS -component STB -component OAM \
      -f < /pwd.txt

Verifying Schema Access

Verify schema access by connecting to the database as each of the new schema users created by the RCU. Use SQL*Plus or another utility to connect, and provide the schema names and passwords that you entered in the RCU.

The command has the following form:
sqlplus <RCU_PREFIX>_OAM/<PASSWORD>@//<SCAN_ADDRESS>:<PORT>/<SERVICE_NAME>
For example:
sqlplus IADEDG_OAM/<password>@//db-scan.example.com:1521/oampdb_s.example.com

The output appears as follows:


SQL*Plus: Release 23.0.0.0.0 - for Oracle Cloud and Engineered Systems on Wed Sep 11 14:20:00 2024
Version 23.5.0.24.07

Copyright (c) 1982, 2024, Oracle. All rights reserved.


Connected to:
Oracle Database 23ai EE Extreme Perf Release 23.0.0.0.0 - for Oracle Cloud and Engineered Systems
Version 23.5.0.24.07

SQL>
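The silent RCU run (step 2 of the CLI procedure above) and the schema-access check, combined into one script. This is an added example, not part of the Oracle guide. It assumes the product home /u01/oracle/products/oam, the sample SCAN address, port, service name and IADEDG prefix shown above, and a script file name of rcu_oam_schemas.sh for the guard on its last line; all of these are constructed values. Instead of a pwd.txt left on disk, the passwords are prompted for, written to a temporary file with mode 600 for RCU to read on stdin, and the file is removed when RCU exits. Unlike the one-line sqlplus invocation above, the check hands the schema password to SQL*Plus through CONNECT on stdin, so it never appears in the process list.

```shell
#!/bin/sh
# Added example (not from the Oracle guide): drive the silent RCU run and the
# schema-access check from a script. Paths, host names and the IADEDG prefix
# are constructed sample values; adjust them to your environment.

# Write the two-line password file that RCU reads from stdin (-f). The file
# holds the SYSDBA password, so it is created with mode 600 and removed later.
write_rcu_password_file() {
    file=$1; sys_pw=$2; schema_pw=$3
    rm -f "$file"
    ( umask 077; printf '%s\n%s\n' "$sys_pw" "$schema_pw" > "$file" )
}

# Schema components the guide selects for the Access domain.
rcu_components_for_oam() {
    echo "MDS IAU IAU_APPEND IAU_VIEWER OPSS WLS STB OAM"
}

# Build the RCU command line. Only connection details and the prefix appear
# here; passwords are never placed on the command line (visible in ps output).
build_rcu_command() {
    oracle_home=$1; db_host=$2; db_port=$3; db_service=$4; prefix=$5
    cmd="$oracle_home/oracle_common/bin/rcu -silent -createRepository"
    cmd="$cmd -databaseType ORACLE -connectString $db_host:$db_port/$db_service"
    cmd="$cmd -dbUser sys -dbRole sysdba -selectDependentsForComponents true"
    cmd="$cmd -useSamePasswordForAllSchemaUsers true -schemaPrefix $prefix"
    for c in $(rcu_components_for_oam); do
        cmd="$cmd -component $c"
    done
    echo "$cmd -f"
}

# Connect as one schema user; return 0 if the login works. The credentials are
# fed to SQL*Plus via stdin (CONNECT after /nolog) rather than as arguments.
verify_schema_access() {
    schema=$1; pw=$2; db_host=$3; db_port=$4; db_service=$5
    result=$(sqlplus -S -L /nolog <<EOF
CONNECT $schema/"$pw"@//$db_host:$db_port/$db_service
SET HEADING OFF FEEDBACK OFF
SELECT 'CONNECTED_AS_' || USER FROM dual;
EXIT
EOF
)
    case "$result" in
        *"CONNECTED_AS_$schema"*) return 0 ;;
        *) printf 'schema %s: %s\n' "$schema" "$result" >&2; return 1 ;;
    esac
}

main() {
    ORACLE_HOME=/u01/oracle/products/oam            # constructed sample value
    DB_HOST=db-scan.example.com; DB_PORT=1521; DB_SERVICE=oampdb_s.example.com
    PREFIX=IADEDG
    printf 'SYSDBA password: '; stty -echo; read -r sys_pw;    stty echo; echo
    printf 'Schema password: '; stty -echo; read -r schema_pw; stty echo; echo

    pwfile=$(mktemp)
    write_rcu_password_file "$pwfile" "$sys_pw" "$schema_pw"
    $(build_rcu_command "$ORACLE_HOME" "$DB_HOST" "$DB_PORT" "$DB_SERVICE" "$PREFIX") < "$pwfile"
    rc=$?
    rm -f "$pwfile"
    [ "$rc" -eq 0 ] || { echo "RCU failed with status $rc" >&2; exit "$rc"; }

    # RCU names the schema users <PREFIX>_<COMPONENT>, for example IADEDG_OAM.
    for c in $(rcu_components_for_oam); do
        verify_schema_access "${PREFIX}_$c" "$schema_pw" "$DB_HOST" "$DB_PORT" "$DB_SERVICE"
    done
}

# Run main only when executed directly, so the functions can also be sourced.
if [ "${0##*/}" = "rcu_oam_schemas.sh" ]; then main "$@"; fi
```

Run the script as the software owner on OAMHOST1 once the database is reachable; any schema whose CONNECT fails is reported on stderr with the SQL*Plus error text.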

Configuring the Oracle Access Management Domain

The following topics provide instructions for creating an Oracle Access Management domain using the Fusion Middleware Configuration wizard.

For more information on other methods available for domain creation, see Additional Tools for Creating, Extending, and Managing WebLogic Domains in Creating WebLogic Domains Using the Configuration Wizard.

Starting the Configuration Wizard

To begin domain configuration, run the following command in the Oracle Fusion Middleware Oracle home.

$ORACLE_COMMON_HOME/common/bin/config.sh

Navigating the Configuration Wizard Screens to Configure Oracle Access Management Domain

Follow the instructions in the following sections to create and configure the domain for the topology with static clusters.

Note:

Oracle Access Management does not support Dynamic Clusters.

Table 14-8 Navigating the Infrastructure Installation Screens

Screen Description

Selecting the Domain Type and Domain Home Location

On the Configuration Type screen, select Create a new domain.

In the Domain Location field, specify the value of the IAD_ASERVER_HOME variable, as defined in File System and Directory Variables Used in This Guide.

For example, /u01/oracle/products/oam for Oracle Access Manager.

Tip:

For more information about the other options on this screen of the Configuration Wizard, see Configuration Type in Creating WebLogic Domains Using the Configuration Wizard.

Click Next.

Selecting the Configuration Templates

On the Templates screen, make sure Create Domain Using Product Templates is selected, then select the following templates:

  • Oracle Access Management Suite - [idm]

  • Selecting this template automatically selects the following dependencies:

    • Oracle Enterprise Manager - [em]

    • Oracle JRF - [oracle_common]

    • WebLogic Coherence Cluster Extension - [wlserver]

Tip:

More information about the options on this screen can be found in Templates in Creating WebLogic Domains Using the Configuration Wizard.

Click Next.

Selecting the Application Home Location

On the Application Location screen, specify the value of the APPLICATION_HOME variable, as defined in File System and Directory Variables Used in This Guide.

For example, /u01/oracle/config/applications/oam.

Tip:

More information about the options on this screen can be found in Application Location in Creating WebLogic Domains Using the Configuration Wizard.

Click Next.

Configuring the Administrator Account

On the Administrator Account screen, specify the user name (Oracle recommends using a different name from “WebLogic”) and password for the default WebLogic Administrator account for the domain.

Make a note of the user name and password specified on this screen; you will need these credentials later to boot and connect to the domain's Administration Server.

Click Next.

Specifying the Domain Mode and JDK

On the Domain Mode and JDK screen:

  • Select Production in the Domain Mode field.

    In the Enable or Disable Default Ports for your Domain field, use the default values provided for Production Mode:

    SSL Termination

    If you are using an SSL Terminated deployment, the following values must be selected:

    • Ensure that Enable Listen Ports (non-SSL Ports) is checked.

    • Ensure that Enable SSL Listen Ports is not checked.

    • Ensure that Enable Administration Port (SSL Port) is checked.

    End to End SSL Deployment

    In the Enable or Disable Default Ports for your Domain field, use the following default values provided for Production Mode:

    • Ensure that Enable Listen Ports (non-SSL Ports) is not checked.

    • Ensure that Enable SSL Listen Ports is checked.

    • Ensure that Enable Administration Port (SSL Port) is checked.

    Tip:

    More information about the options on this screen, including the differences between development mode and production mode can be found in Domain Mode and JDK in Creating WebLogic Domains Using the Configuration Wizard. When you start the Administration Server, a boot identity file can be created to bypass the need to provide a username and password in the production mode.
  • Select the Oracle Hotspot JDK in the JDK field.

Selecting Production Mode on this screen gives your environment a higher degree of security, requiring a user name and password to deploy applications and to start the Administration Server.

Click Next.

Specifying the Database Configuration Type

On the Database Configuration Type screen:

  • Select RCU Data to activate the fields on this screen.

    The RCU Data option instructs the Configuration Wizard to connect to the database and Service Table (STB) schema to automatically retrieve schema information for the schemas needed to configure the domain.

  • Verify that Vendor is Oracle and Driver is Oracle's Driver (Thin) for Service Connections; Versions: Any.

  • Verify that Connection Parameters is selected.

Note:

If you choose to select Manual Configuration on this screen, you will have to manually fill in the parameters for your schema on the JDBC Component Schema screen.

After you select RCU Data, fill in the fields as shown below:

Field Description

Host Name

Enter the Single Client Access Name (SCAN) Address for the Oracle RAC database, which you entered in the Enterprise Deployment Workbook.

For information about the Enterprise Deployment Workbook, see Using the Enterprise Deployment Workbook.

DBMS/Service

Enter the service name for the Oracle RAC database appropriate for this domain where you will install the product schemas. For example:

iamedg.example.com

Specify the service name based on the value configured earlier in the Preparing the Database for an Enterprise Deployment section.

Port

Enter the port number on which the database listens. For example, 1521.

Schema Owner

Enter the user name and password for connecting to the database's Service Table schema.

Schema Password

This is the schema user name and password that was specified for the Service Table component on the "Schema Passwords" screen in RCU (see Creating the Database Schemas).

The default user name is prefix_STB, where prefix is the custom prefix that you defined in RCU.

Click Get RCU Configuration when you are finished specifying the database connection information. The following output in the Connection Result Log indicates that the operation succeeded:

Connecting to the database server...OK
Retrieving schema data from database server...OK
Binding local schema components with retrieved data...OK

Successfully Done.

Click Next if the connection to the database is successful.

Tip:

More information about the RCU Data option can be found in Understanding the Service Table Schema in Creating Schemas with the Repository Creation Utility.

More information about the other options on this screen can be found in Datasource Defaults in Creating WebLogic Domains Using the Configuration Wizard.

Specifying JDBC Component Schema Information

Verify that the values on the JDBC Component Schema screen are correct for all schemas.

The schema table should be populated, because you selected Get RCU Data on the previous screen. As a result, the Configuration Wizard locates the database connection values for all the schemas required for this domain.

At this point, the values are configured to connect to a single-instance database. However, for an enterprise deployment, you should use a highly available Real Application Clusters (RAC) database, as described in Preparing the Database for an Enterprise Deployment.

In addition, Oracle recommends that you use an Active GridLink datasource for each of the component schemas. For more information about the advantages of using GridLink data sources to connect to a RAC database, see Database Considerations in the High Availability Guide.

To convert the data sources to GridLink:

  1. Select all the schemas by selecting the checkbox in the first header row of the schema table.

  2. Click Convert to GridLink and click Next.

Providing the GridLink Oracle RAC Database Connection Details

On the GridLink Oracle RAC Component Schema screen, provide the information required to connect to the RAC database and component schemas, as shown below:
Element Description and Recommended Value

Service Name

Verify that the service name for the Oracle RAC database is the appropriate one for this domain.

For example: iadedg.example.com.

SCAN, Host Name, and Port

Select the SCAN check box.

In the Host Name field, enter the Single Client Access Name (SCAN) Address for the Oracle RAC database.

In the Port field, enter the SCAN listening port for the database (for example, 1521).

ONS Host and Port

Leave blank.

Enable Fan

Verify that the Enable Fan check box is selected, so the database can receive and process FAN events.

For more information about specifying the information on this screen, as well as information about how to identify the correct SCAN address, see Configuring Active GridLink Data Sources with Oracle RAC in the High Availability Guide.

You can also click Help to display a brief description of each field on the screen.

Click Next.

Testing the JDBC Connections

Use the JDBC Component Schema Test screen to test the data source connections you have just configured.

A green check mark in the Status column indicates a successful test. If you encounter any issues, see the error message in the Connection Result Log section of the screen, fix the problem, then try to test the connection again.

Tip:

More information about the other options on this screen can be found in Test Component Schema in Creating WebLogic Domains Using the Configuration Wizard.

Click Next.

Selecting Advanced Configuration

To complete domain configuration for the topology, select the following options on the Advanced Configuration screen:

  • Administration Server

    This is required to properly configure the listen address of the Administration Server.

  • Node Manager

    This is required to configure Node Manager.

  • Topology

    This is required to add, delete, or modify the Settings for Server Templates, Managed Servers, Clusters, Virtual Targets, and Coherence.

Note:

When using the Advanced Configuration screen in the Configuration Wizard:

  • If any of the above options are not available on the screen, then return to the Templates screen, and be sure you selected the required templates for this topology.

  • Do not select the Domain Frontend Host Capture advanced configuration option. You will later configure the frontend host property for specific clusters, rather than for the domain.

Click Next.

Configuring the Administration Server Listen Address

On the Administration Server screen:

  1. In the Server Name field, retain the default value - AdminServer.

  2. In the Listen Address field, enter the virtual host name that corresponds to the VIP of the IADADMINVHN that you procured in Procuring Resources for an Enterprise Deployment and enabled in Preparing the Host Computers for an Enterprise Deployment.

    For more information on the reasons for using the IADADMINVHN virtual host, see Reserving the Required IP Addresses for an Enterprise Deployment.

  3. In the Configure Administration Server Ports section, perform the following steps:

    SSL Terminated Deployments
    1. Leave the Enable Listen Port field checked. The Listen Port value will be 7001.

    2. Ensure the Enable SSL Listen Port field is unchecked.

    3. The Listen Port value will be disabled in grey.

    4. Leave the default value as 9002 in the Administration Port.

    End to End SSL Deployments
    1. Leave the Enable Listen Port field unchecked. The Listen Port value will be disabled in grey.

    2. Ensure the Enable SSL Listen port field is checked.

    3. Leave the default value as 7002 in the SSL Listen Port field.

    4. Leave the default value as 9002 in the Administration Port.

  4. Leave the default value as Unspecified in the Server Group.

Click Next.

Configuring Node Manager

Select Manual Node Manager Setup as the Node Manager type.

WARNING:

You can ignore the warning in the bottom pane. This guide provides the required steps for the Manual Node Manager configuration.

  • Username: This is the user name used to connect to the Node Manager. For example, admin.

  • Password and Confirm Password: Enter the password you wish to associate with the Node Manager username.

Tip:

For more information about the options on this screen, see Node Manager in Creating WebLogic Domains Using the Configuration Wizard.

For more information about per domain and per host Node Manager implementations, see About the Node Manager Configuration in a Typical Enterprise Deployment.

For information about Node Manager configurations, see Configuring Node Manager on Multiple Machines in Administering Node Manager for Oracle WebLogic Server.

Click Next.

Configuring Managed Servers

On the Managed Servers screen, a new Managed Server for Oracle Access Management appears in the list of servers.

Perform the following tasks to modify the default Oracle Access Management Managed Server and create a second Managed Server:

  1. Click Add to create a new Managed Server and name it oam_server2.

    Tip:

    The server names recommended here will be used throughout this document; if you choose different names, be sure to replace them as needed.

  2. Use the information below to fill in the rest of the columns for each Oracle Access Manager Server.

    Table 14-9 SSL Terminated

    Server Name       Listen Address   Listen Port   Enable SSL   SSL Listen Port   Server Groups
    oam_server1       OAMHOST1         14100         Unchecked    Disabled          OAM-MGD-SVRS
    oam_server2       OAMHOST2         14100         Unchecked    Disabled          OAM-MGD-SVRS
    oam_policy_mgr1   OAMHOST1         14150         Unchecked    Disabled          OAM-POLICY-MANAGED-SERVER
    oam_policy_mgr2   OAMHOST2         14150         Unchecked    Disabled          OAM-POLICY-MANAGED-SERVER

    Table 14-10 End to End SSL

    Server Name       Listen Address   Listen Port   Enable SSL   SSL Listen Port   Server Groups
    oam_server1       OAMHOST1         Disabled      Checked      14101             OAM-MGD-SVRS
    oam_server2       OAMHOST2         Disabled      Checked      14101             OAM-MGD-SVRS
    oam_policy_mgr1   OAMHOST1         Disabled      Checked      14151             OAM-POLICY-MANAGED-SERVER
    oam_policy_mgr2   OAMHOST2         Disabled      Checked      14151             OAM-POLICY-MANAGED-SERVER

Configuring a Cluster

In this task, you create clusters of Managed Servers to which you can target the Oracle Access Manager software.

You must create the following clusters:

Table 14-11 SSL Terminated

Cluster          Frontend Host          Frontend HTTP Port   Frontend HTTPS Port
OAM_Cluster      login.example.com      -                    443
POLICY_Cluster   iadadmin.example.com   80                   -

Table 14-12 End to End SSL

Cluster          Frontend Host          Frontend HTTP Port   Frontend HTTPS Port
OAM_Cluster      login.example.com      -                    443
POLICY_Cluster   iadadmin.example.com   -                    443

A "-" entry means that the field is left blank.

Use the Clusters screen to create a new cluster:

  1. Click the Add button.

  2. Specify OAM_Cluster in the Cluster Name field.

  3. From the Dynamic Server Groups drop-down list, select Unspecified.

  4. Specify login.example.com for the Frontend Host field.

  5. Specify 443 for the Frontend HTTPS Port field.

    Note:

    By default, server instances in a cluster communicate with one another using unicast. If you want to change your cluster communications to use multicast, refer to Considerations for Choosing Unicast or Multicast in Administering Clusters for Oracle WebLogic Server.

    Tip:

    More information about the options on this screen can be found in Clusters in Creating WebLogic Domains Using the Configuration Wizard.

  6. Repeat the steps to create the second cluster POLICY_Cluster.

  7. Click Next.


Assigning Server Templates

Click Next to proceed to the next screen.

Configuring Dynamic Servers

Verify that all dynamic server options are disabled for clusters that are to remain as static clusters.

  1. Confirm that the Dynamic Cluster, Calculated Listen Port, and Calculated Machine Names checkboxes on this screen are unchecked.

  2. Confirm the Server Template selection is Unspecified.

  3. Click Next.

Assigning Managed Servers to the Cluster

Use the Assign Servers to Clusters screen to assign your Managed Servers to the clusters you have just created. At the end of this task you will have the following assignments:

Cluster          Managed Servers
OAM_Cluster      oam_server1, oam_server2
POLICY_Cluster   oam_policy_mgr1, oam_policy_mgr2

  1. In the Clusters pane, select the cluster to which you want to assign the servers.

  2. In the Servers pane, assign the managed servers to the clusters as in the table above, using one of the following methods:

    • Click once on the Managed Server to select it, then click on the right arrow to move it beneath the selected cluster in the Clusters pane.

    • Double-click on managed server to move it beneath the selected cluster in the clusters pane.

  3. Repeat to assign each managed server to a cluster as shown in the table.

  4. Click Next to proceed to the next screen.

Tip:

More information about the options on this screen can be found in Assign Servers to Clusters in Creating WebLogic Domains Using the Configuration Wizard.

Configuring Coherence Clusters

Use the Coherence Clusters screen to configure the Coherence cluster that is automatically added to the domain.

In the Cluster Listen Port, enter 9991.

Note:

For Coherence licensing information, see Oracle Coherence Products in Oracle Fusion Middleware Licensing Information User Manual.

Click Next.

Creating Machines for Oracle Access Management Servers

Use the Machines screen to create new machines in the domain. A machine is required in order for the Node Manager to be able to start and stop the servers.

Select the Unix Machine tab.

  1. Click the Add button to create new UNIX machines.

  2. Use the values in the table below to define the Name and Node Manager Listen Address of each machine.

  3. Verify the port in the Node Manager Listen Port field.

The port number 5556, shown in this example, may be referenced by other examples in the documentation. Replace this port number with your own port number, as needed.

Table 14-13

Name        Node Manager Listen Address                                                          Node Manager Listen Port
ADMINHOST   Enter the value of the IADADMINVHN variable. For example, iadadminvhn.example.com.    5556
OAMHOST1    The value of the OAMHOST1 host name variable. For example, oamhost1.example.com.      5556
OAMHOST2    The value of the OAMHOST2 host name variable. For example, oamhost2.example.com.      5556

Tip:

More information about the options on this screen can be found in Machines in Creating WebLogic Domains Using the Configuration Wizard.

Assigning Servers to Machines

Use the Assign Servers to Machines screen to assign the Oracle Access Manager Managed Servers you just created to the corresponding machines in the domain. You can assign the machines as follows:

Servers                        Machines
AdminServer                    ADMINHOST
oam_policy_mgr1, oam_server1   OAMHOST1
oam_policy_mgr2, oam_server2   OAMHOST2

Tip:

More information about the options on this screen can be found in Assign Servers to Machines in Creating WebLogic Domains Using the Configuration Wizard.

Click Next.

Creating Virtual Targets

Click Next.

Creating Partitions

Click Next.

Reviewing Your Configuration Specifications and Configuring the Domain

The Configuration Summary screen contains the detailed configuration information for the domain you are about to create. Review the details of each item on the screen and verify that the information is correct.

You can go back to any previous screen if you need to make any changes, either by using the Back button or by selecting the screen in the navigation pane.

Domain creation will not begin until you click Create.

Tip:

More information about the options on this screen can be found in Configuration Summary in Creating WebLogic Domains Using the Configuration Wizard.

Click Next.

Writing Down Your Domain Home and Administration Server URL

The Configuration Success screen will show the following items about the domain you just configured:

  • Domain Location

  • Administration Server URL

You must make a note of both items as you will need them later; the domain location is needed to access the scripts used to start the Administration Server.

Click Finish to dismiss the Configuration Wizard.

Enabling SSL

If you are configuring End to End SSL, you must perform additional steps.

The steps are as follows:

Adding Certificate Stores Location to the WebLogic Servers Start Scripts

Once the Identity and Trust Stores are created for the domain, some Java properties must be added to the WebLogic start scripts. These properties are added to the file setUserOverridesLate.sh in $IAD_ASERVER_HOME/bin. Any customizations you add to this file are preserved during domain upgrade operations and are carried over to remote servers when you use the pack and unpack commands.

Manually create the file setUserOverridesLate.sh in $IAD_ASERVER_HOME/bin. Edit the file and add the variable EXTRA_JAVA_PROPERTIES to set the javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword properties with the values used by your EDG system. For example:
EXTRA_JAVA_PROPERTIES="${EXTRA_JAVA_PROPERTIES}
 -Djavax.net.ssl.trustStore=/u01/oracle/config/keystores/idmTruststore.p12
 -Djavax.net.ssl.trustStorePassword=password"
export EXTRA_JAVA_PROPERTIES

The order of the extra Java properties is significant: if the same property is defined more than once, the later value is used. Define the custom values as in the example provided.
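A script that creates setUserOverridesLate.sh as described above and then checks what the start scripts will actually pick up. This is an added example, not part of the Oracle guide. It assumes the domain home from IAD_ASERVER_HOME (defaulting to a constructed path), the trust store path used in the example above, a script file name of setup_ssl_overrides.sh for the guard on its last line, and that the openssl command-line tool is installed; the check_ssl_listener function needs network access to the Administration Server's DefaultSecure channel and is not needed for the file to be correct. Because the file embeds the trust store password in clear text, it is written readable by the domain owner only, and effective_property applies the "later value wins" rule from the paragraph above so you can confirm which trust store the JVM will end up with when EXTRA_JAVA_PROPERTIES is set in more than one place.

```shell
#!/bin/sh
# Added example (not from the Oracle guide): create setUserOverridesLate.sh for
# an End to End SSL domain and verify the result. The domain home default, the
# keystore path and the passwords are constructed sample values.

# Resolve the value the JVM uses for one -D property when the same property
# appears several times in a property string: the last definition wins.
effective_property() {
    props=$1; name=$2; value=""
    for tok in $props; do
        case "$tok" in
            "-D$name="*) value=${tok#-D$name=} ;;
        esac
    done
    printf '%s' "$value"
}

# Write $domain_home/bin/setUserOverridesLate.sh with the two trust store
# properties. The file contains the password, so create it with mode 600.
write_user_overrides_late() {
    domain_home=$1; truststore=$2; truststore_pw=$3
    target="$domain_home/bin/setUserOverridesLate.sh"
    mkdir -p "$domain_home/bin"
    rm -f "$target"
    ( umask 077
      cat > "$target" <<EOF
EXTRA_JAVA_PROPERTIES="\${EXTRA_JAVA_PROPERTIES}
 -Djavax.net.ssl.trustStore=$truststore
 -Djavax.net.ssl.trustStorePassword=$truststore_pw"
export EXTRA_JAVA_PROPERTIES
EOF
    )
    echo "$target"
}

# Source the override file the way the start scripts do and report the trust
# store the server would actually use.
resolved_truststore() {
    domain_home=$1
    EXTRA_JAVA_PROPERTIES=""
    . "$domain_home/bin/setUserOverridesLate.sh"
    effective_property "$EXTRA_JAVA_PROPERTIES" javax.net.ssl.trustStore
}

# Confirm that the DefaultSecure channel answers TLS on the given host and port
# and show the certificate it presents (subject, issuer, validity window).
check_ssl_listener() {
    host=$1; port=$2
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null |
        openssl x509 -noout -subject -issuer -dates
}

main() {
    DOMAIN_HOME=${IAD_ASERVER_HOME:-/u01/oracle/config/domains/IAMAccessDomain}  # sample default
    TRUSTSTORE=/u01/oracle/config/keystores/idmTruststore.p12
    printf 'Trust store password: '; stty -echo; read -r ts_pw; stty echo; echo
    [ -r "$TRUSTSTORE" ] || { echo "trust store $TRUSTSTORE is not readable" >&2; exit 1; }
    f=$(write_user_overrides_late "$DOMAIN_HOME" "$TRUSTSTORE" "$ts_pw")
    echo "wrote $f"
    echo "effective javax.net.ssl.trustStore: $(resolved_truststore "$DOMAIN_HOME")"
}

# Run main only when executed directly, so the functions can also be sourced.
if [ "${0##*/}" = "setup_ssl_overrides.sh" ]; then main "$@"; fi
```

After the Administration Server has been restarted with the new file, check_ssl_listener iadadminvhn.example.com 7002 (with your own host name) is a quick way to confirm the DefaultSecure channel is up and presenting the expected certificate.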

Update Server's Security Settings Using the Remote Console

Connecting to the Remote Console Using the Administration Server’s Virtual Hostname as Provider
The following procedure temporarily starts the Administration Server with the default start script so that you can perform these tasks. After you perform these tasks, you can stop this temporary session and use the Node Manager to start the Administration Server.

Note:

For this initial Remote Console access to the Administration Server, the machine that runs the Remote Console must be able to resolve and connect to the Administration Server's Listen Address. This can be done by starting the Remote Console directly on the node where the Administration Server runs, or by creating a tunnel to this address from the node where the Remote Console is executed.

  1. Use the following default start script to start the Administration Server:
    1. Change directory to the following directory:
      cd $IAD_ASERVER_HOME/bin
    2. Run the start script:
      ./startWebLogic.sh

      Monitor the terminal until the following message is displayed:

      <Server state changed to RUNNING>

      You must also verify that the appropriate SSL listener is available, which is confirmed by a message like the following in the output:

      <Server> <BEA-002613> <Channel "DefaultSecure" is now listening on XXXX:7002 for protocols iiops, t3s, ldaps, https.>
  2. Create a new provider in the WebLogic Remote Console as follows:
    1. Download the domain's trust keystore to the host or laptop where you run the WebLogic Remote Console. For example, when using the per-domain CA steps in previous sections, this would be located at $KEYSTORE_HOME/idmTruststore.p12.
    2. Open the Remote Console and add the domain trust store to the remote console settings. Click File > Settings and enter the following values.
      1. Trust Store type - pkcs12

      2. Trust Store Path - The path to the trust keystore file in the host where the Remote Console runs.

      3. Trust Store Key - Enter the password provided in the steps above for certificate creation.

      4. Check Disable HostName verification if you are using Demo certificates as described in the steps above.

    3. Using the Providers window in the Remote Console, create a new provider by selecting Add Admin Server Connection Provider.
      1. In the provider name, enter a name for the connection, for example oam.

      2. Enter the WebLogic Domain Administration username provided in the configuration wizard user name.

      3. Enter the password used for the domain creation.

      4. Use https protocol and the admin server listen address used in the configuration wizard as URL for access and specify port 9002.

        For example, https://iadadminvhn.example.com:9002.

      5. Check the Make Insecure Connection checkbox.

        Note:

        This provider should not be used once the front end and webtier are configured.

      The Remote Console Home Window for the domain will be displayed.

Updating the WebLogic Servers Security Settings
Perform the following steps to update the WebLogic Servers Security Settings and Administration Port:
  1. Access the Domain provider in the Remote Console and update the Administration Server and WebLogic Servers Security Settings:
    1. Click Edit Tree.
    2. Click Environment > Servers > AdminServer.
    3. Click Security tab.
    4. Change the keystores dropdown to Custom Identity and Custom Trust.
    5. In Custom Identity Keystore, enter the fully qualified path to the identity keystore as follows:
      $KEYSTORE_HOME/idmcerts.p12

      Replace $KEYSTORE_HOME with the value of the folder you use for storing keystore, as described in the Table 8-2.

    6. Set the Custom Identity Keystore Type to PKCS12.
    7. In Custom Identity Keystore Passphrase, enter the password Keystore_Password you provided in the certificate generation steps.
    8. In Custom Trust Keystore, enter the fully qualified path to the trust keystore.
      $KEYSTORE_HOME/idmTrustStore.p12

      Replace $KEYSTORE_HOME with the value of the folder you use for storing keystore, as described in the Table 8-2.

    9. Set the Custom Trust Keystore Type to PKCS12.
    10. In Custom Trust Keystore Passphrase, enter the password you provided as the <keypass> in the certificate generation steps.
    11. Click Save.
    12. Under Security settings, navigate to SSL tab.
    13. In the Server Private Key Alias field, enter the alias provided in the certificate generation steps. If you are using a SAN-based certificate, use the alias you used to create the certificate. If you are using host-based certificates, this is usually the host's short name, for example oamhost1 for oamhost1.example.com.
    14. In the Server Private Key Pass Phrase field, enter the password provided in the certificate generation steps.
    15. Click Save.

      The cart on the top right part of the screen will show full with a yellow bag inside.

    16. Click the Cart icon on the top right and select Commit Changes.
    Repeat the above steps for each Managed Server in the domain, changing the alias to match the alias used for that server's certificate.

    Note:

    For managed servers you should use $LOCAL_KEYSTORE_HOME instead of $KEYSTORE_HOME.
  2. Return to the terminal window where you started the Administration Server with the start script.
  3. Press Ctrl+C to stop the Administration Server process.

    Wait for the Administration Server process to end and for the terminal command prompt to appear.

  4. Start the Administration Server again by using the following script:
    1. Change directory to the following directory:
      cd $IAD_ASERVER_HOME/bin
    2. Run the start script:
      ./startWebLogic.sh
    3. Monitor the output in the terminal till the following output is displayed.
      <Server state changed to RUNNING>

Configuring a Per Host Node Manager for an Enterprise Deployment

For specific enterprise deployments, Oracle recommends that you configure a per-host Node Manager, as opposed to the default per-domain Node Manager.

For more information about the advantages of a per host Node Manager, see About the Node Manager Configuration in a Typical Enterprise Deployment.

Creating a Per Host Node Manager Configuration

The first step in configuring a per-host Node Manager is to create a configuration directory and two new Node Manager configuration files. You must also edit the default startNodeManager.sh file.

To create a per-host Node Manager configuration, perform the following tasks, first on OAMHOST1, and then on OAMHOST2:

  1. Log in to OAMHOST1 and create a directory for the Node Manager configuration files:

    For example:

    mkdir -p /u02/oracle/config/nodemanager

    Note that this directory should be on a local disk, because it is specific to the host. This directory location is known as the Node Manager home, and it is identified by the NM_HOME directory variable in examples in this guide.

  2. If you haven't already, copy the contents of the keystore directory to the local host so that Node Manager has access to them. For example:
    mkdir -p $LOCAL_KEYSTORE_HOME
    cp -r $KEYSTORE_HOME/. $LOCAL_KEYSTORE_HOME
  3. Change directory to the Node Manager home directory:
    cd $NM_HOME
  4. Create a new text file called nodemanager.properties and add the values shown in Example: Contents of the nodemanager.properties File to this new file.

    Use the pertaining identity alias for the node that you are configuring. For example, oamhost1.example.com in OAMHOST1 and oamhost2.example.com in OAMHOST2.

    For more information about the properties that you can add to the nodemanager.properties file, see Node Manager Properties in Administering Node Manager for Oracle WebLogic Server.

    In the nodemanager.properties file, you enable crash recovery for servers as a part of this configuration. See Node Manager and System Crash Recovery in Administering Node Manager for Oracle WebLogic Server.

    Example: Contents of the nodemanager.properties File

    DomainsFile=/u02/oracle/config/nodemanager/nodemanager.domains
    LogLimit=0
    PropertiesVersion=14.1.2.0.0
    AuthenticationEnabled=true
    NodeManagerHome=/u02/oracle/config/nodemanager
    #Include the specific JDK home
    JavaHome=/u01/oracle/products/jdk
    LogLevel=INFO
    DomainsFileEnabled=true
    StartScriptName=startWebLogic.sh
    #Leave blank for listening on ANY
    ListenAddress=
    NativeVersionEnabled=true
    ListenPort=5556
    LogToStderr=true
    SecureListener=true
    LogCount=1
    StopScriptEnabled=false
    QuitEnabled=false
    LogAppend=true
    StateCheckInterval=500
    CrashRecoveryEnabled=true
    StartScriptEnabled=true
    LogFile=/u02/oracle/config/nodemanager/nodemanager.log
    LogFormatter=weblogic.nodemanager.server.LogFormatter
    ListenBacklog=50
    KeyStores=CustomIdentityAndCustomTrust
    CustomIdentityAlias=idmcerts.example.com
    CustomIdentityKeyStoreFileName=/u02/oracle/config/keystores/idmTrustStore.p12
    CustomIdentityKeyStorePassPhrase=password
    CustomIdentityPrivateKeyPassPhrase=password
  5. Locate the startNodeManager.sh file in the following directory:
    $WL_HOME/server/bin
  6. Copy the startNodeManager.sh file to the Node Manager home directory.
    cp $WL_HOME/server/bin/startNodeManager.sh $NM_HOME
  7. Edit the new startNodeManager.sh file and add the NODEMGR_HOME property as follows:
    NODEMGR_HOME="<NM_HOME>"
    For example:
    NODEMGR_HOME="/u02/oracle/config/nodemanager"
  8. Locate the stopNodeManager.sh script in the $WL_HOME/server/bin directory. Copy it to the Node Manager home directory. Edit the copied file and set the NODEMGR_HOME property to the Node Manager home, as you did for the startNodeManager.sh file:
    NODEMGR_HOME="<NM_HOME>"

    In this example, replace <NM_HOME> with the actual path to the Node Manager home.

  9. Create another new file in the Node Manager home directory, called nodemanager.domains.

    The nodemanager.domains file provides additional security by restricting Node Manager client access to the domains listed in this file.

  10. Perform steps 1 through 8 on OAMHOST2.
  11. Add the following entries to the new nodemanager.domains files:

    On OAMHOST1, add values for both the Administration Server domain home and the Managed Servers domain home:

    oam=IAD_MSERVER_HOME;IAD_ASERVER_HOME

    Note:

    The path that is mentioned first (IAD_MSERVER_HOME) is considered as the primaryDomainPath and Managed Servers are run from this location.

    On OAMHOST2, add the value for the Managed Servers domain home only:

    oam=IAD_MSERVER_HOME

    In these examples, replace IAD_ASERVER_HOME and IAD_MSERVER_HOME with the values of the respective variables, as described in File System and Directory Variables Used in This Guide.

Starting the Node Manager on OAMHOST1

After you manually set up the Node Manager to use a per-host Node Manager configuration, you can start the Node Manager on OAMHOST1, by using the startNodeManager.sh script.
To start the Node Manager on OAMHOST1:
  1. Change directory to the Node Manager home directory:
    cd $NM_HOME
  2. Run the following command to start the Node Manager and send the output of the command to an output file, rather than to the current terminal shell:
    nohup ./startNodeManager.sh > ./nodemanager.out 2>&1 &
  3. Monitor the nodemanager.out file and make sure that the Node Manager starts successfully. The output should eventually contain the following strings:
    <INFO> <Upgrade> <Encrypting NodeManager property: CustomIdentityKeyStorePassPhrase>
    <INFO> <Upgrade> <Encrypting NodeManager property: CustomIdentityPrivateKeyPassPhrase>
    <Upgrade> <Saving upgraded NodeManager properties to '/u02/oracle/config/nodemanager/nodemanager.properties'>
    <INFO> <Loading domains file: /u02/oracle/config/nodemanager/nodemanager.domains>
    <INFO> <Loading identity key store: FileName=/u02/oracle/config/keystores/idmTrustStore.p12, Type=pkcs12, PassPhraseUsed=true>
    <INFO> <Loaded NodeManager configuration properties from '/u02/oracle/config/nodemanager/nodemanager.properties'>
    <INFO> <14.1.2.0.0>
    <INFO> <Server Implementation Class: weblogic.nodemanager.server.NMServer$ClassicServer.>
    <INFO> <Secure socket listener started on port 5556>
    You must check that the plain-text passwords in nodemanager.properties have now been encrypted by running the following command:
    cat /u02/oracle/config/nodemanager/nodemanager.properties
    The output will look similar to the following:

    #<DATE>
    #<DATE>
    DomainsFile=/u02/oracle/config/nodemanager/nodemanager.domains
    LogLimit=0
    PropertiesVersion=14.1.2.0.0
    AuthenticationEnabled=true
    NodeManagerHome=/u02/oracle/config/nodemanager
    #Include the specific JDK home
    JavaHome=/u01/oracle/products/jdk
    LogLevel=INFO
    DomainsFileEnabled=true
    StartScriptName=startWebLogic.sh
    #Leave blank for listening on ANY
    ListenAddress=
    NativeVersionEnabled=true
    ListenPort=5556
    LogToStderr=true
    SecureListener=true
    LogCount=1
    StopScriptEnabled=false
    QuitEnabled=false
    LogAppend=true
    StateCheckInterval=500
    CrashRecoveryEnabled=true
    StartScriptEnabled=true
    LogFile=/u02/oracle/config/nodemanager/nodemanager.log
    LogFormatter=weblogic.nodemanager.server.LogFormatter
    ListenBacklog=50
    KeyStores=CustomIdentityAndCustomTrust
    CustomIdentityAlias=idmcerts.example.com
    CustomIdentityKeyStoreFileName=/u02/oracle/config/keystores/idmTrustStore.p12
    CustomIdentityKeyStorePassPhrase={AES256}EMvPrOCRfN7fyv3d8JcEnttTLyneG9Su+UVK5DGEmqmqDwLkpLz9nQFZ+fL1Bidc
    CustomIdentityPrivateKeyPassPhrase={AES256}O5cEJD8WVYP3aRLp9KAbFZ3CGLyxmmIWFX1YzVfJvPpl1dc5RbMksAcsBLquKcWW
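The check in step 3 is easy to skip on a second or third host, so the following script, an added example that is not part of the Oracle guide, does it mechanically: it reads a nodemanager.properties file, confirms that both passphrase properties now carry the {AES256} prefix that Node Manager writes when it rewrites the file, fails if either is still plain text, and also confirms the listener is TLS-only and authenticated (SecureListener and AuthenticationEnabled). The two sample files it writes are constructed for the example; the ciphertext in them is a placeholder, not real Node Manager output.

```shell
#!/bin/sh
# Added example, not from the Oracle guide: verify that nodemanager.properties
# no longer holds plain-text passphrases after the first Node Manager start.

# write_sample_nm_props FILE MODE: constructed sample; MODE is "plain" or "encrypted".
write_sample_nm_props() {
    if [ "$2" = "encrypted" ]; then
        ks_pass='{AES256}EXAMPLE_CIPHERTEXT_NOT_REAL_A'   # placeholder, not real output
        pk_pass='{AES256}EXAMPLE_CIPHERTEXT_NOT_REAL_B'
    else
        ks_pass='password'
        pk_pass='password'
    fi
    cat > "$1" <<EOF
DomainsFile=/u02/oracle/config/nodemanager/nodemanager.domains
AuthenticationEnabled=true
SecureListener=true
ListenPort=5556
KeyStores=CustomIdentityAndCustomTrust
CustomIdentityAlias=idmcerts.example.com
CustomIdentityKeyStoreFileName=/u02/oracle/config/keystores/idmTrustStore.p12
CustomIdentityKeyStorePassPhrase=$ks_pass
CustomIdentityPrivateKeyPassPhrase=$pk_pass
EOF
}

# check_nm_props FILE: prints one line per check; returns 0 only if every check passes.
check_nm_props() {
    file="$1"; rc=0
    # Both passphrase properties must have been rewritten as {AES256} ciphertext.
    for key in CustomIdentityKeyStorePassPhrase CustomIdentityPrivateKeyPassPhrase; do
        value=$(sed -n "s/^${key}=//p" "$file")
        case "$value" in
            "")          echo "MISSING: $key"; rc=1 ;;
            "{AES256}"*) echo "OK: $key is encrypted" ;;
            *)           echo "FAIL: $key is still plain text"; rc=1 ;;
        esac
    done
    # The listener must be TLS-only and require the Node Manager credentials.
    for want in SecureListener=true AuthenticationEnabled=true; do
        if grep -q "^${want}[[:space:]]*$" "$file"; then
            echo "OK: $want"
        else
            echo "FAIL: expected $want"; rc=1
        fi
    done
    return $rc
}

# Demonstration on the two constructed samples.
tmpdir=$(mktemp -d)
write_sample_nm_props "$tmpdir/nm_plain.properties" plain
write_sample_nm_props "$tmpdir/nm_enc.properties" encrypted
check_nm_props "$tmpdir/nm_plain.properties" || echo "=> plain-text sample fails, as expected"
check_nm_props "$tmpdir/nm_enc.properties" && echo "=> encrypted sample passes"
```

Run it against $NM_HOME/nodemanager.properties on each host after step 3; a non-zero exit means Node Manager has not yet rewritten the file, or the listener settings were changed from the values in the example file.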
    

Configuring the Node Manager Credentials

Perform the following steps to set the Node Manager credentials using the Remote Console:

  1. Access the Domain provider in the Remote Console.
  2. Click Edit Tree.
  3. Click Environment > Domain> Security.
  4. Check the Show Advanced Fields field.
  5. Set Node Manager Username to the same value as the WebLogic Administrator user name, because this user name is used in other tasks in this guide.
  6. Change the Node Manager password. Ensure that the Node Manager password is the same as the WebLogic Administrator password, because this password is used in other tasks in this guide.
  7. Click Save. The cart on the top right part of the screen will show full with a yellow bag inside.
  8. Click the Cart Icon on the top right and select Commit Changes.

Enrolling the Domain with NM

Perform the following steps in a new terminal window to enroll the domain with Node manager.

Note:

You will be unable to connect to the Node Manager and use it to start the servers in the domain without performing this step.
  1. Change directory to the following directory:
    cd $ORACLE_COMMON_HOME/common/bin
  2. Start the WebLogic Server Scripting Tool (WLST). In order to use the certificates created for the appropriate SSL handshake, the location of the stores and password of the same need to be provided to WLST. Use the following command or add these in a script that can be easily invoked:
    export WLST_PROPERTIES="-Dweblogic.security.TrustKeyStore=CustomTrust -Dweblogic.security.CustomTrustKeyStoreFileName=/u02/oracle/config/keystores/idmTrustStore.p12 -Dweblogic.security.CustomTrustKeyStorePassPhrase=password -Dweblogic.security.SSL.ignoreHostnameVerification=true"

    Note:

    You must avoid including the password in the script.
  3. Connect to the Administration Server by using the following WLST command:
    connect('admin_user','admin_password','admin_url')

    For example:

    connect('weblogic','<password>','t3s://iadadminvhn.example.com:9002')
  4. Use the nmEnroll command to enable the Node Manager to manage servers in a specified WebLogic domain.
    nmEnroll('<IAD_ASERVER_HOME>')

    For example:

    nmEnroll('/u01/oracle/config/domains/oam')
  5. Generate startup properties for the Admin Server using the following WLST command:
    nmGenBootStartupProps('AdminServer')

    The startup.properties and boot.properties files are created in the following directory:

    <IAD_ASERVER_HOME>/servers/AdminServer/data/nodemanager/

Adding Truststore Configuration to Node Manager

Node Manager requires the corresponding truststore configuration to communicate with the different WebLogic Server listeners. To add it, edit the Node Manager start script startNodeManager.sh located in $NM_HOME and add the JAVA_OPTIONS variable, setting the javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword properties to the values used by your EDG system. For example:

export JAVA_OPTIONS="${JAVA_OPTIONS} -Djavax.net.ssl.trustStore=/u02/oracle/config/keystores/idmTrustStore.p12 -Djavax.net.ssl.trustStorePassword=mypassword"
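The copied startNodeManager.sh is edited twice in this chapter: once to set NODEMGR_HOME (steps 7 and 8 of the per-host configuration) and once, here, to export JAVA_OPTIONS with the truststore. The script below is an added example, not part of the Oracle guide, that applies both edits in one function and can be re-run without stacking duplicate lines, which matters when the edit is scripted across OAMHOST1 and OAMHOST2. The start script it edits is a constructed stub standing in for the real $WL_HOME/server/bin/startNodeManager.sh, and the paths are the guide's example values. One deliberate difference from the guide, chosen for this example: the truststore password is read at start time from a mode-600 file rather than written into the script.

```shell
#!/bin/sh
# Added example, not from the Oracle guide: idempotently set NODEMGR_HOME and the
# truststore JAVA_OPTIONS in a copy of startNodeManager.sh.

# write_stub_start_script FILE: constructed stand-in for the WebLogic start script.
write_stub_start_script() {
    cat > "$1" <<'EOF'
#!/bin/sh
# (constructed stub; the real script launches weblogic.NodeManager)
NODEMGR_HOME="${NODEMGR_HOME:-}"
JAVA_OPTIONS="${JAVA_OPTIONS:-}"
echo "would start Node Manager with NODEMGR_HOME=$NODEMGR_HOME JAVA_OPTIONS=$JAVA_OPTIONS"
EOF
}

# configure_nm_start_script SCRIPT NM_HOME TRUSTSTORE PASSFILE
# Inserts the two lines directly after the shebang, removing any lines this
# function added on an earlier run (they are tagged with "# EDG-added").
configure_nm_start_script() {
    script="$1"; nm_home="$2"; truststore="$3"; passfile="$4"
    tmp="$script.tmp"
    {
        head -n 1 "$script"
        echo "NODEMGR_HOME=\"$nm_home\" # EDG-added"
        # The password is resolved when the script runs, so it never sits in the file.
        echo "export JAVA_OPTIONS=\"\${JAVA_OPTIONS} -Djavax.net.ssl.trustStore=$truststore -Djavax.net.ssl.trustStorePassword=\$(cat $passfile)\" # EDG-added"
        tail -n +2 "$script" | grep -v '# EDG-added$' || true
    } > "$tmp"
    mv "$tmp" "$script"
    chmod 755 "$script"
}

# count_added SCRIPT: number of lines this function has added (expected: 2).
count_added() { grep -c '# EDG-added$' "$1"; }

# run_start_script SCRIPT: run the stub to show the values it would start with.
run_start_script() { sh "$1"; }

# Demonstration: configure twice, confirm exactly two added lines, run the stub.
work=$(mktemp -d)
write_stub_start_script "$work/startNodeManager.sh"
printf 'ExampleTrustPass\n' > "$work/truststore.pass"
chmod 600 "$work/truststore.pass"
configure_nm_start_script "$work/startNodeManager.sh" /u02/oracle/config/nodemanager \
    /u02/oracle/config/keystores/idmTrustStore.p12 "$work/truststore.pass"
configure_nm_start_script "$work/startNodeManager.sh" /u02/oracle/config/nodemanager \
    /u02/oracle/config/keystores/idmTrustStore.p12 "$work/truststore.pass"
echo "added lines after two runs: $(count_added "$work/startNodeManager.sh")"
run_start_script "$work/startNodeManager.sh"
```

The password file must be owned by the account that runs Node Manager and unreadable to anyone else; otherwise nothing is gained over the inline value. If you keep the guide's inline form instead, the same function works with the literal password in place of the `$(cat ...)` substitution.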

Configuring the Domain Directories and Starting the Servers

After you have configured the domain and configured the Node Manager, you can start the Administration Server by using the Node Manager. In an enterprise deployment, the Node Manager is used to start and stop the Administration Server and all the Managed Servers in the domain.

Create a ServerOverrides File

Perform prerequisite tasks before starting the servers.

This involves:

  • Disabling the Derby Database - Disable the embedded Derby database, which is a file-based database, packaged with Oracle WebLogic Server. The Derby database is used primarily for development environments. Therefore, you must disable it when you are configuring a production-ready enterprise deployment environment. Otherwise, the Derby database process starts automatically when you start the Managed servers.

  • Enabling IPv6 Networking if required - If the Managed Server is configured to use IPv6 networking, then you may encounter issues when you start the Managed Server.

  • Adjusting the Memory Parameters for your installation - The initial startup parameter in the IAMAccessDomain, which defines the memory usage, is insufficient. You must increase the value of this parameter and set the Java initial memory allocation pool (Xms) to 1024m, and the maximum memory allocation pool (Xmx) to 8192m.

In order to perform the above tasks, create a $IAD_ASERVER_HOME/bin/setUserOverrides.sh file with the following contents:
DERBY_FLAG=false
JAVA_OPTIONS="${JAVA_OPTIONS} -Djava.net.preferIPv4Stack=true"
MEM_ARGS="-Xms4096m -Xmx8192m"

Starting the Administration Server Using the Node Manager

After you have configured the domain and configured the Node Manager, you can start the Administration Server by using the Node Manager. In an enterprise deployment, the Node Manager is used to start and stop the Administration Server and all the Managed Servers in the domain.

To start the Administration Server by using the Node Manager:

  1. Ensure that the Administration Server is stopped.
  2. If your domain is SSL enabled then set the following environment variable so that your keystores are used:
    export WLST_PROPERTIES="-Dweblogic.security.TrustKeyStore=CustomTrust -Dweblogic.security.CustomTrustKeyStoreFileName=/u02/oracle/config/keystores/idmTrustStore.p12 -Dweblogic.security.CustomTrustKeyStorePassPhrase=password -Dweblogic.security.SSL.ignoreHostnameVerification=true"
  3. Start the WebLogic Scripting Tool (WLST):
    cd $IAD_ORACLE_HOME/oracle_common/common/bin
    ./wlst.sh
  4. Connect to Node Manager by using the Node Manager credentials:
    nmConnect('nodemanager_username','nodemanager_password','iadadminvhn.example.com','5556','domain_name',
                '<IAD_ASERVER_HOME>','SSL')
    For example:
    nmConnect('admin','password','iadadminvhn.example.com','5556','oam',
                '/u01/oracle/config/domains/oam','SSL')

    Note:

    This user name and password are used only to authenticate connections between Node Manager and clients. They are independent of the server administrator ID and password and are stored in the nm_password.properties file located in the following directory:

    $IAD_ASERVER_HOME/config/nodemanager
  5. Start the Administration Server:
    nmStart('AdminServer')
    
  6. Exit WLST:
    exit()

Validating the Administration Server

Before proceeding with the configuration steps, validate that the Administration Server has started successfully by making sure you have access to the Oracle Enterprise Manager Fusion Middleware Control, which is installed and configured on the Administration Server.

To navigate to Fusion Middleware Control use the URL in URLs Used in This Chapter. Log in with the Oracle WebLogic Server administrator credentials.

You should be also able to connect to the Administration Server from the WebLogic Remote Console as before.

Creating a Separate Domain Directory for Managed Servers

When you initially create the domain for enterprise deployment, the domain directory resides on a shared disk. This default domain directory will be used to run the Administration Server. You can now create a copy of the domain on the local storage for each of your managed server hosts. The domain directory on the local (or private) storage will be used to run the Managed Servers.

Note:

If you are creating a domain for Oracle Access Management, it is not necessary to perform this step at this time. This is because, at the time of infrastructure creation, there are no managed servers in existence yet.

Placing the IAD_MSERVER_HOME on local storage is recommended to eliminate the potential contention and overhead caused by servers writing logs to shared storage. It is also faster to load classes and jars needed from the domain directory, so any temporary or cache data that Managed Servers use from the domain directory is processed more quickly.

As described in Preparing the File System for an Enterprise Deployment, the path to the Administration Server domain home is represented by the IAD_ASERVER_HOME variable, and the path to the Managed Server domain home is represented by the IAD_MSERVER_HOME variable.

To create the Managed Server domain directory:

  1. Sign in to the host running the Administration Server, for example, OAMHOST1, and run the pack command to create a template as follows:
    cd $ORACLE_COMMON_HOME/common/bin
    ./pack.sh -managed=true \
    -domain=$IAD_ASERVER_HOME \
    -template=$SHARED_CONFIG_DIR/domains/oamdomaintemplate.jar \
    -template_name=oam_domain_template \
    -log_priority=DEBUG \
    -log=/tmp/pack.log

    In this example:

    • Replace $IAD_ASERVER_HOME with the actual path to the domain directory you created on the shared storage device.

    • Replace $SHARED_CONFIG_DIR/domains with the complete path to the location where you want to create the domain template jar file. You will need to reference this location when you copy or unpack the domain template jar file. It is recommended to choose a shared volume other than ORACLE_HOME, or write to /tmp/ and copy the files manually between servers.

      You must specify a full path for the template jar file as part of the -template argument to the pack command:

      $SHARED_CONFIG_DIR/domains/template_filename.jar
    • oamdomaintemplate.jar is a sample name for the jar file you are creating, which will contain the domain configuration files.

    • oam_domain_template is the label assigned to the template data stored in the template file.

  2. Make a note of the location of the oamdomaintemplate.jar file you just created with the pack command.

    Tip:

    For more information about the pack and unpack commands, see Overview of the Pack and Unpack Commands in Creating Templates and Domains Using the Pack and Unpack Commands.

  3. If you haven't already, create the recommended directory structure for the Managed Server domain on the OAMHOST1 local storage device.
  4. Run the unpack command to unpack the template in the domain directory onto the local storage, as follows:
    cd $ORACLE_COMMON_HOME/common/bin
    ./unpack.sh -domain=$IAD_MSERVER_HOME \
    -overwrite_domain=true \
    -template=$SHARED_CONFIG_DIR/domains/oamdomaintemplate.jar \
    -log_priority=DEBUG \
    -log=/tmp/unpack.log \
    -app_dir=$MS_APPLICATION_HOME

    Note:

    The -overwrite_domain option in the unpack command allows unpacking a managed server template into an existing domain and existing applications directories. For any file that is overwritten, a backup copy of the original is created. If any modifications had been applied to the start scripts and ear files in the managed server domain directory, they must be restored after this unpack operation.

    Additionally, to customize server startup parameters that apply to all servers in a domain, you can create a file called setUserOverridesLate.sh and configure it to, for example, add custom libraries to the WebLogic Server classpath, specify additional JAVA command line options for running the servers, or specify additional environment variables. Any customizations you add to this file are preserved during domain upgrade operations, and are carried over to remote servers when using the pack and unpack commands.

    In this example:

    • $IAD_MSERVER_HOME is the complete path to the domain home to be created on the local storage disk. This is the location where the copy of the domain will be unpacked.

    • $SHARED_CONFIG_DIR/domains/oamdomaintemplate.jar is the complete path and file name of the domain template jar file that you created when you ran the pack command to pack up the domain on the shared storage device.

    • $MS_APPLICATION_HOME is the complete path to the Application directory for the domain on shared storage. See File System and Directory Variables Used in This Guide.

    Tip:

    For more information about the pack and unpack commands, see Overview of the Pack and Unpack Commands in Creating Templates and Domains Using the Pack and Unpack Commands.

  5. Change directory to the newly created Managed Server directory and verify that the domain configuration files were copied to the correct location on the OAMHOST1 local storage device.

Removing OAM Server from WebLogic Server defaultCoherenceCluster

You must exclude all Oracle Access Management (OAM) clusters (including policy manager and OAM runtime server) from the default WebLogic Server coherence cluster using the WebLogic Remote Console.

OAM server-side session management uses database and does not require coherence cluster to be established. In some environments, warnings and errors are observed due to default coherence cluster initialized by WebLogic. To avoid or fix these errors, exclude all of the OAM clusters from default WebLogic Server coherence cluster using the following steps:
  1. In WebLogic Remote Console, click Edit Tree.
  2. In the left pane of the console, expand Environment, select Coherence Clusters, and click defaultCoherenceCluster.

    The defaultCoherenceCluster page is displayed.

  3. Select the Members tab.
  4. Remove Any Items from the Chosen box.
  5. Click Save.
  6. Click the shopping cart and select Commit changes.

Tuning the WebLogic Server

Tune the WebLogic Server for optimum performance by adding the Minimum Thread Constraint and removing the Max Thread and Capacity constraints.

Create A Deployment Plan

  1. Log into the WebLogic Remote Console.
  2. Select Monitoring Tree.
  3. Navigate to Deployments > Application Management > oam_server
  4. Click Create Plan and provide the following plan path if it is not already defaulted:
    $ORACLE_HOME/idm/oam/server/apps/Plan.xml
  5. Click Done.
  6. Select Deployment Tasks to verify that the plan was successfully created.

Update Deployment Plan

  1. Log into the WebLogic Remote Console.
  2. Select Monitoring Tree.
  3. Navigate to Deployments > Application Management > oam_server > Deployment Plan (Advanced).
  4. Select the Variable Assignments tab.
  5. Select Find from the Edit menu and search for /weblogic-web-app/work-manager/[name="wm/OAPOverRestWM"]/min-threads-constraint/[name="MinThreadsCount"]/count.
  6. Select the checkbox in the row and click Edit.
  7. Set the following fields:

    Value: 400

    Operation: Replace

  8. Click Done.

Deploy Plan

  1. Log into the WebLogic Remote Console.
  2. Select Monitoring Tree.
  3. Navigate to Deployments > Application Management .
  4. Check the checkbox in the oam_server row.
  5. Click Update/Redeploy.
  6. Select the third option Redeploy - Deployment Source and Plan on Server.
  7. Click Done.
  8. Click Deployment Tasks to monitor the status of the redeploy.

Verify Change

  1. To verify if the value is updated, log into the Enterprise Manager console using the URL referenced in URLs Used in This Chapter.
  2. Select System MBean Browser and search for MBean wm/OAPOverRestWM.
  3. Expand MinThreadsConstraintRuntime and then expand MinThreadsCount.
  4. Check that the value of Count is 400.

Adding a Load Balancer Certificate to the Oracle Keystore Service

The Oracle Access Manager forgot password functionality requires that the SSL certificate used by the load balancer be added to the Oracle Keystore Service Trusted Certificates.

To add the certificate, do the following:
  1. Create a directory to hold user created keystores and certificates. For example:
    mkdir -p $SHARED_CONFIG_DIR/keystores
    For example:
    mkdir -p /u01/oracle/config/keystores
  2. Obtain the certificate from the load balancer. You can obtain the load balancer certificate using a browser, such as Firefox. However, the easiest way to obtain the certificate is to use the openssl command. The syntax of the command is as follows:
    openssl s_client -connect <LOADBALANCER>:<PORT> -showcerts </dev/null 2>/dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > $SHARED_CONFIG_DIR/keystores/<LOADBALANCER>.pem
    For example:

    openssl s_client -connect login.example.com:443 -showcerts </dev/null 2>/dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > $SHARED_CONFIG_DIR/keystores/login.example.com.pem

    Note:

    This command saves the certificate to a file called login.example.com.pem in $SHARED_CONFIG_DIR/keystores.
  3. Load the certificate into the Oracle Keystore Service using WLST. Connect to WLST by using the following command:
    $IAD_ORACLE_HOME/oracle_common/common/bin/wlst.sh

    Note:

    If using End to End SSL then specify the location of your certificates first:
    export WLST_PROPERTIES="-Dweblogic.security.TrustKeyStore=CustomTrust \
    -Dweblogic.security.CustomTrustKeyStoreFileName=/u02/oracle/config/keystores/idmTrustStore.p12 \
    -Dweblogic.security.CustomTrustKeyStorePassPhrase=password \
    -Dweblogic.security.SSL.ignoreHostnameVerification=true"
  4. Inside the WLST shell, connect to the Administration Server using the following command:
    connect('<OAM_WEBLOGIC_USER>','<OAM_WEBLOGIC_PWD>','t3://iadadminvhn.example.com:<OAM_ADMIN_PORT>')
    For example, for SSL Terminated:
    connect('weblogic','<password>','t3://iadadminvhn.example.com:7001')
    For example, for End to End SSL:
    connect('weblogic','<password>','t3s://iadadminvhn.example.com:7002')
  5. Download the access artifacts by using the following command:
    downloadAccessArtifacts(domain_home="/u01/oracle/config/domains/OAM", propsFile="/u01/oracle/config/db.props")

    Note:

    For information about the contents of the properties file, see Doc ID 2318818.1 on My Oracle Support.
  6. Load the certificate using the following commands:
    svc = getOpssService(name='KeyStoreService')
    svc.importKeyStoreCertificate(appStripe='system',name='trust',password='', keypassword='',alias='<CertificateName>',type='TrustedCertificate', filepath='/<SHARED_CONFIG_DIR>/keystores/<LOADBALANCER>.pem')
    For example:
    svc = getOpssService(name='KeyStoreService')
    svc.importKeyStoreCertificate(appStripe='system',name='trust',password='', keypassword='',alias='login.example.com',type='TrustedCertificate', filepath='/u01/oracle/config/keystores/login.example.com.pem')
  7. Synchronize the keystore service with the file system by using the following command:
    syncKeyStores(appStripe='system', keystoreFormat='KSS')
  8. Save the access artifacts by using the following command:
    saveAccessArtifacts(domain_home="/u01/oracle/config/domains/OAM", propsFile="/u01/oracle/config/db.props")
  9. Exit the WLST shell:
    exit()
  10. You will need to restart the domain for the changes to take effect.
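The openssl capture in step 2 writes whatever -showcerts returns, which is normally the server certificate followed by its chain, and step 6 then trusts the contents of that file for the forgot-password flow. Before importing, a practitioner wants to see how many certificates were captured and to confirm the subject, validity and fingerprint of the one that will be trusted. The script below is an added example that is not part of the Oracle guide; it rehearses the capture offline by generating a short-lived self-signed certificate as a stand-in for the load balancer's, building a constructed transcript in the shape of s_client -showcerts output, applying the guide's sed range, and then reporting on the result. All names and paths are constructed.

```shell
#!/bin/sh
# Added example, not from the Oracle guide: extract and inspect the certificate
# captured from a (simulated) load balancer before importing it into the KSS.

# make_cert DIR NAME CN: short-lived self-signed certificate DIR/NAME.pem (stand-in only)
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1/$2.key" -out "$1/$2.pem" -subj "/CN=$3" >/dev/null 2>&1
}

# make_transcript DIR: constructed text in the shape of `openssl s_client -showcerts`
# output, carrying the leaf certificate and one chain certificate.
make_transcript() {
    {
        echo "CONNECTED(00000003)"
        echo "depth=0 CN = login.example.com"
        echo "Certificate chain"
        echo " 0 s:CN = login.example.com"
        cat "$1/leaf.pem"
        echo " 1 s:CN = Example Issuer"
        cat "$1/issuer.pem"
        echo "---"
        echo "Server certificate"
        echo "No client certificate CA names sent"
    } > "$1/s_client.txt"
}

# extract_certs TRANSCRIPT OUT: the guide's sed range; keeps every PEM block found.
extract_certs() {
    sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' "$1" > "$2"
}

# cert_count FILE: how many certificates the captured file holds.
cert_count() { grep -c -- '-BEGIN CERTIFICATE-' "$1"; }

# first_cert IN OUT: keep only the first block, which s_client lists as the server cert.
first_cert() {
    awk '/-BEGIN CERTIFICATE-/{p=1} p{print} /-END CERTIFICATE-/{exit}' "$1" > "$2"
}

# What to confirm before trusting the file: subject, expiry and SHA-256 fingerprint.
cert_subject()     { openssl x509 -noout -subject -in "$1"; }
cert_fingerprint() { openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2; }
cert_valid()       { openssl x509 -noout -checkend 0 -in "$1" >/dev/null; }

# Demonstration on the constructed transcript.
work=$(mktemp -d)
make_cert "$work" leaf   login.example.com
make_cert "$work" issuer "Example Issuer"
make_transcript "$work"
extract_certs "$work/s_client.txt" "$work/login.example.com.pem"
echo "captured $(cert_count "$work/login.example.com.pem") certificate(s)"
first_cert "$work/login.example.com.pem" "$work/login.example.com.leaf.pem"
cert_subject "$work/login.example.com.leaf.pem"
echo "SHA256: $(cert_fingerprint "$work/login.example.com.leaf.pem")"
cert_valid "$work/login.example.com.leaf.pem" && echo "certificate is not expired"
```

Against a real load balancer, replace the transcript with the s_client command from step 2 and compare the printed fingerprint with the one the load balancer team published; if cert_count reports more than one certificate, decide deliberately whether the file you import should hold the server certificate or its issuer.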

Tuning the oamDS Data Source

For optimum performance, increase the number of connections allowed by the OAM data source.

To tune oamDS, complete the following steps:
  1. Log into the WebLogic Remote Console.
  2. Click Edit Tree.
  3. In Domain Structure, expand Services, and then click Data Sources.
  4. Click oamDS.
  5. In Settings for oamDS, click the Connection Pool tab and change the following values:
    • Initial Capacity to 800
    • Maximum Capacity to 800
    • Minimum Capacity to 800
  6. Click Save.
  7. Click the Shopping cart and select Commit changes.

Configuring the WebLogic Proxy Plug-In

Before you can validate that requests are routed correctly through the Oracle HTTP Server instances, you must set the WebLogic Plug-In Enabled parameter.

It is recommended to set the WebLogic Plug-In Enabled parameter at the domain level. Any clusters or servers not using the plugin via the web-tier can have their WebLogic Plug-In Enabled parameter value set to no on an exception basis as needed.

  1. Log in to the Oracle WebLogic Remote Console.
  2. Click Edit Tree.
  3. Click Domain.

    The domain settings page is displayed.

  4. Click on the Domain Name.
  5. Click on the Web Applications tab.
  6. Locate and select the WebLogic PlugIn Enabled option.
  7. Click Save.
  8. Click the Shopping Cart and select Commit Changes.

Configuring and Integrating with LDAP

Configure OAM to use the LDAP directory.

Configuring Access Manager to Use the LDAP Directory

After completing the initial installation and setting the security model, you have to associate Oracle Access Manager with the LDAP directory. You can use Oracle Unified Directory (OUD) as the LDAP directory.

To associate Access Manager and the LDAP directory, perform the following tasks:

Creating a Configuration File

Configuring Oracle Access Management to use LDAP requires running the idmConfigTool utility. Therefore, you must create a configuration file called oam.props to use during the configuration. The contents of this file will be the same as the Configuration file created in Creating a Configuration File with some additions.

For a full description of these properties and values, see Variables Used When Creating Infrastructure for Oracle Access Management.

#LDAP Properties
IDSTORE_HOST: idstore.example.com
IDSTORE_PORT: 1636
IDSTORE_KEYSTORE_FILE: /u01/oracle/config/keystores/idmTrustStore.p12
IDSTORE_SSL_ENABLED: true
IDSTORE_NEW_SETUP: true
IDSTORE_BINDDN: cn=oudadmin
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com
IDSTORE_SEARCHBASE: dc=example,dc=com
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_USERSEARCHBASE: cn=Users,dc=example,dc=com
IDSTORE_DIRECTORYTYPE: OUD
IDSTORE_OAMADMINUSER: oamadmin
IDSTORE_OAMSOFTWAREUSER: oamLDAP
OAM_IDSTORE_ROLE_SECURITY_ADMIN: OAMAdministrators
IDSTORE_SYSTEMIDBASE: cn=SystemIDs,dc=example,dc=com
IDSTORE_OIMADMINGROUP: OIMAdministrators
IDSTORE_WLSADMINUSER: weblogic_iam
IDSTORE_WLSADMINGROUP: WLSAdministrators
OAM_SERVER_LOGIN_ATTRIBUTE: uid
OAM_IDSTORE_NAME: OAMIDSTORE

#OAM Properties
PRIMARY_OAM_SERVERS: oamhost1.example.com:5575
WEBGATE_TYPE: ohsWebgate14c
ACCESS_GATE_ID: Webgate_IDM
COOKIE_DOMAIN: .example.com
COOKIE_EXPIRY_INTERVAL: 120
OAM_WG_DENY_ON_NOT_PROTECTED: true
OAM_IDM_DOMAIN_OHS_HOST: login.example.com
OAM_IDM_DOMAIN_OHS_PORT: 443
OAM_IDM_DOMAIN_OHS_PROTOCOL: https
OAM_SERVER_LBR_HOST: login.example.com
OAM_SERVER_LBR_PORT: 443
OAM_SERVER_LBR_PROTOCOL: https
OAM_OAM_SERVER_TRANSFER_MODE: open
OAM_OAM_SSLENABLED: true
OAM_TRANSFER_MODE: open
OAM_SSO_ONLY_FLAG: false
OAM_IMPERSONATION_FLAG: false
OAM_IDM_DOMAIN_LOGOUT_URLS: /console/jsp/common/logout.jsp,/em/targetauth/emaslogout.jsp
OAM_OIM_INTEGRATION_REQ: true
OAM_OIM_OHS_URL: https://oig.example.com:443/

# WebLogic Properties
WLSHOST: iadadminvhn.example.com
WLSPORT: 9002
WLSADMIN: weblogic
WLS_IS_SSLENABLED: true
WLS_TRUSTSTORE: /u01/oracle/config/keystores/idmTrustStore.p12
WLS_SSL_HOST_VERIFICATION: true

# Logger Properties
LOG_FILE: /home/oracle/automation_integ.log
LOG_LEVEL: ALL
SSL_DEBUG_ENABLE: FALSE

Note:

You can also specify the passwords directly in the file, if required. If you do not specify the passwords, you will be prompted for them at runtime. The parameters are:
  • IDSTORE_KEYSTORE_PASSWORD
  • IDSTORE_PASSWD
  • IDSTORE_PWD_OAMADMINUSER
  • IDSTORE_PWD_OAMSOFTWAREUSER
  • OAM_OIM_WEBGATE_PASSWD
  • WLSPASSWD
  • WLS_TRUSTSTORE_PASSWORD
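Before handing a property file of this shape to idmConfigTool it is worth checking it mechanically: the listing above repeats keys, the tool silently takes whichever value it reads last, and any password you put in the file sits on disk in clear text. The script below is an added example and is not part of the Oracle documentation or of the idmConfigTool itself. It parses the `KEY: value` format shown above and reports duplicate keys, missing keys, secrets written to the file, and SSL settings that contradict each other. The key names are the ones from the listing; which keys are treated as required, and the embedded sample file, are this example's own assumptions.

```python
"""Sanity checks for an idmConfigTool property file such as oam.props.

Added example, not part of the Oracle documentation or the idmConfigTool.
Parses the 'KEY: value' format shown above and reports what a reviewer wants
to know before running -configOAM: duplicate keys, missing keys, secrets
written to the file, and SSL settings that disagree with each other.
"""
import re
from collections import Counter

# Keys this example treats as mandatory for -configOAM (assumption).
REQUIRED_KEYS = {
    "IDSTORE_HOST", "IDSTORE_PORT", "IDSTORE_BINDDN", "IDSTORE_SEARCHBASE",
    "IDSTORE_USERSEARCHBASE", "IDSTORE_GROUPSEARCHBASE", "IDSTORE_DIRECTORYTYPE",
    "PRIMARY_OAM_SERVERS", "WLSHOST", "WLSPORT", "WLSADMIN",
}
# Password keys the tool accepts in the file (from the note above); it prompts
# for any that are absent, which keeps them off disk.
PASSWORD_KEYS = {
    "IDSTORE_KEYSTORE_PASSWORD", "IDSTORE_PASSWD", "IDSTORE_PWD_OAMADMINUSER",
    "IDSTORE_PWD_OAMSOFTWAREUSER", "OAM_OIM_WEBGATE_PASSWD", "WLSPASSWD",
    "WLS_TRUSTSTORE_PASSWORD",
}
_LINE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*:\s*(.*?)\s*$")


def parse_props(text):
    """Return (props dict, sorted list of keys that appear more than once)."""
    seen, props = Counter(), {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError("unparseable line: %r" % raw)
        seen[m.group(1)] += 1
        props[m.group(1)] = m.group(2)      # last occurrence wins, as the tool does
    return props, sorted(k for k, n in seen.items() if n > 1)


def check_props(text):
    """Return a sorted list of findings; an empty list means nothing to report."""
    props, dups = parse_props(text)

    def is_true(key):
        return props.get(key, "").strip().lower() == "true"

    findings = ["duplicate key: " + k for k in dups]
    findings += ["missing required key: " + k for k in sorted(REQUIRED_KEYS - set(props))]
    findings += ["secret stored in file: " + k for k in sorted(PASSWORD_KEYS & set(props))]
    # LDAPS needs a truststore; port 1636 with SSL switched off is almost always a mistake.
    if is_true("IDSTORE_SSL_ENABLED") and not props.get("IDSTORE_KEYSTORE_FILE"):
        findings.append("IDSTORE_SSL_ENABLED is true but IDSTORE_KEYSTORE_FILE is not set")
    if not is_true("IDSTORE_SSL_ENABLED") and props.get("IDSTORE_PORT") == "1636":
        findings.append("IDSTORE_PORT 1636 is the LDAPS port but IDSTORE_SSL_ENABLED is not true")
    if is_true("WLS_IS_SSLENABLED") and not props.get("WLS_TRUSTSTORE"):
        findings.append("WLS_IS_SSLENABLED is true but WLS_TRUSTSTORE is not set")
    if props.get("OAM_SERVER_LBR_PROTOCOL") == "https" and props.get("OAM_SERVER_LBR_PORT") == "80":
        findings.append("OAM_SERVER_LBR_PROTOCOL is https but OAM_SERVER_LBR_PORT is 80")
    return sorted(findings)


# Constructed sample: a trimmed oam.props that repeats IDSTORE_NEW_SETUP as the
# listing above does, keeps a password on disk and turns SSL off on the LDAPS port.
SAMPLE = """\
#LDAP Properties
IDSTORE_HOST: idstore.example.com
IDSTORE_PORT: 1636
IDSTORE_SSL_ENABLED: false
IDSTORE_NEW_SETUP: true
IDSTORE_BINDDN: cn=oudadmin
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com
IDSTORE_SEARCHBASE: dc=example,dc=com
IDSTORE_USERSEARCHBASE: cn=Users,dc=example,dc=com
IDSTORE_NEW_SETUP: true
IDSTORE_DIRECTORYTYPE: OUD
IDSTORE_PASSWD: changeme
#OAM Properties
PRIMARY_OAM_SERVERS: oamhost1.example.com:5575
# WebLogic Properties
WLSHOST: iadadminvhn.example.com
WLSPORT: 9002
WLSADMIN: weblogic
WLS_IS_SSLENABLED: true
"""

if __name__ == "__main__":
    for finding in check_props(SAMPLE) or ["no findings"]:
        print(finding)
```

Run it against your real oam.props by reading the file into `check_props`. Treat "secret stored in file" as a prompt to remove the key and let idmConfigTool ask for the value at runtime, unless the file lives somewhere with suitably restricted permissions.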

Integrating Access Manager and LDAP Using the idmConfigTool

This section describes how to integrate Oracle Access Manager and LDAP using the idmConfigTool.

Note:

Before running the idmConfigTool, ensure that the oam_server1 and oam_server2 Managed Servers and the policy manager server are shut down.

Perform the following tasks on OAMHOST1:

  1. Set the following environment variables:
    export ORACLE_HOME=$IAD_ORACLE_HOME/idm
    export DOMAIN_HOME=$IAD_ASERVER_HOME
  2. Run the idmConfigTool utility to perform the integration.

    The syntax of the command on Linux is:

    cd $IAD_ORACLE_HOME/idm/idmtools/bin
    ./idmConfigTool.sh -configOAM input_file=configfile

    For example:
    ./idmConfigTool.sh -configOAM input_file=oam.props

    When the command runs, you are prompted for the password of the account you use to connect to the Identity Store if you have not specified it in the property file. You are also asked to specify the passwords you want to assign to these accounts:

    • IDSTORE_PWD_OAMSOFTWAREUSER

    • IDSTORE_PWD_OAMADMINUSER

    • OAM_WLS_ADMIN_PASSWD

  3. Check the log file for any errors or warnings and correct them. A file named automation.log is created in the directory where you run the tool.
  4. Restart the Administration console along with the policy manager server.

    Note:

    After you run idmConfigTool, several files are created that you need for subsequent tasks. Keep these in a safe location.

    The following files are created in this directory:
    $IAD_ASERVER_HOME/output/Webgate_IDM

    You need these when you install the WebGate software.

    • cwallet.sso

    • ObAccessClient.xml

    • password.xml

    • aaa_cert.pem

    • aaa_key.pem

    Note:

    If the oam_policy_mgr servers were running when configOAM was run, then the WebGate_IDM artifacts may have been created in $IAD_MSERVER_HOME/output. If this is the case, move them back to $IAD_ASERVER_HOME/output.

Validating the OAM LDAP Configuration

To validate that this has completed correctly:

  1. Log in to the OAM Console using the URL in URLs Used in This Chapter.
  2. Click Agents from the Application Security screen.
  3. When the Search SSO Agents screen appears, click Search.
  4. You should see the WebGate agent Webgate_IDM.
  5. Log into the WebLogic Remote Console.
  6. Click Security Data tree.
  7. Navigate to Realms > myrealm > Authentication Providers > OUD Authenticator.
  8. Click Authenticator Name. For example, OUDAuthenticator.
    A summary screen is displayed. You must verify that the status is OK.
  9. Select Users or Groups to view the Users and Groups returned from the Authenticator.

    Note:

    The list of users and groups will be visible only after you restart the domain.

Updating WebGate Agents

Update the WebGate SSO Agents to use the new security model.

When the idmConfigTool is run, it changes the default OAM security model and creates a new WebGate SSO Agent. However, it does not change the existing WebGate SSO Agents to the new security model. After running the idmConfigTool, you must update any WebGate agents that previously existed. This involves the following steps:

  • Change the security mode to match that of the OAM servers. Failure to do so results in a security mismatch error.

  • When WebGates are created at first install, they are unaware that a highly available (HA) installation is being performed. After enabling HA, you must ensure that all of the OAM servers are included in the agent configuration, to ensure system continuity.

  • You must check that any logout URLs are redirected to the hardware load balancer rather than to one of the local OAM servers.

  • Update the REST endpoints for the Oracle 14c WebGate HTTP OAM APIs.

  • A WebGate agent called IAMSuiteAgent is created out of the box. This is created without any password protection and needs to have one added.

To perform these actions, complete the following steps:

  1. Access the OAM Console using the URL in URLs Used in This Chapter. Login using the OAM Administration user (oamadmin).
  2. Click the Agents pad on the Application Security screen.
  3. Ensure that the WebGates tab is selected.
  4. Click Search.
  5. Click an Agent, for example: IAMSuiteAgent.
  6. Set the Security value to the same value defined for OAM Transfer Mode on the Access Manager Configuration screen during response file creation.

    If you have changed the OAM security model using the idmConfigTool, change the security model used by any existing Webgates to reflect this change.

    Click Apply.

  7. In the Primary Server list, click + and add any missing Access Manager Servers.
  8. If a password has not already been assigned, enter a password into the Access Client Password field and click Apply.
  9. Set Maximum Connections to 20. This is the total maximum number of connections for the primary servers, which is 10 x oam_server1 connections plus 10 x oam_server2 connections.
  10. Whether or not OAMRestEndPointHostName is already present for the WebGates IAMSuiteAgent and accessgate-oic, ensure that it is set to: login.example.com.

    Whether or not OAMRestEndPointPort is already present for any of the WebGates, ensure that it is set to: 443.

    Without these two values, the 14c WebGate cannot use the new OAP REST APIs for authentication.

  11. Click Apply.
  12. Repeat these steps for each WebGate.
  13. Check that the security setting matches that of your Access Manager servers.

Updating Host Identifiers

When you access your domain, you enter through different load balancer entry points. Each of these entry points (virtual hosts) needs to be added to the Policy list.

This ensures that if you request access to a resource using login.example.com or oig.example.com, you have access to the same set of policy rules.

  1. Access the OAM Console using the URL in URLs Used in This Chapter. Login using the OAM Administration user (oamadmin).
  2. Select Launch Pad if not already displayed.
  3. Click on Host Identifiers under Access Manager.
  4. Click Search.
  5. Click on IAMSuiteAgent.
  6. Click + in the operations box.
  7. Enter the following information.

    Table 14-14 Host Name Port Values

    Host Name                SSL Terminated Port   End to End SSL Port
    iadadmin.example.com     80                    443
    igdadmin.example.com     80                    443
    igdinternal.example.com  7777                  443
    oig.example.com          443                   443
    login.example.com        443                   443

  8. Click Apply.

Updating Idle Timeout Value

The default timeout value set in Oracle Access Manager is often too long and can cause issues such as not logging a session out after that session has timed out. Therefore, it is recommended that this value is reduced to 15 minutes.

To update the idle timeout value:

  1. Access the OAM Console using the URL in URLs Used in This Chapter. Login using the OAM Administration user (oamadmin).
  2. Click Configuration.
  3. Select Common Settings under Settings.
  4. Change Idle Time out (minutes) to 15.
  5. Click Apply.

Validating the Authentication Providers

Set the order of identity assertion and authentication providers in the WebLogic Remote Console.

  1. Log in to the WebLogic Remote Console, if not already logged in.
  2. Click on the Edit Tree.
  3. Select Security Realms.
  4. Click the myrealm default realm entry.
  5. Click the Authentication Providers tab.
  6. From the table of providers, click the DefaultAuthenticator.
  7. Set the Control Flag to SUFFICIENT.
  8. Click Save to save the settings.
  9. From the navigation breadcrumbs, click Authentication Providers to return to the list of providers.
  10. Select a provider and reorder as per the table below by clicking Move Up or Move Down.

    Table 14-15 Sort order

    Sort Order  Provider                         Control Flag
    1           OAMIDAsserter                    REQUIRED
    2           LDAP Authentication Provider     SUFFICIENT
    3           DefaultIdentityAsserter          N/A
    4           Trust Service Identity Asserter  N/A
    5           DefaultAuthenticator             SUFFICIENT

  11. Click Shopping Cart > Commit Changes.
  12. Shut down the Administration Server, Managed Servers, and any system components, as applicable.
  13. If you are going to configure ADF consoles with SSO, you can keep the managed servers down and restart them later. If not, you need to restart managed servers now.

Configuring Oracle ADF and OPSS Security with Oracle Access Manager

Some Oracle Fusion Middleware management consoles use Oracle Application Development Framework (Oracle ADF) security, which can integrate with Oracle Access Manager Single Sign-on (SSO). These applications can take advantage of Oracle Platform Security Services (OPSS) SSO for user authentication, but you must first configure the domain-level jps-config.xml file to enable these capabilities.

The domain-level jps-config.xml file is located in the following location after you create an Oracle Fusion Middleware domain:
$IAD_ASERVER_HOME/config/fmwconfig/jps-config.xml

Note:

The domain-level jps-config.xml should not be confused with the jps-config.xml that is deployed with custom applications.

  1. Change to the following directory:
    cd $ORACLE_COMMON_HOME/common/bin
  2. If your WebLogic domain is running in secure mode, set the environment variable WLST_PROPERTIES to include the location of your trust store. For example:
    export WLST_PROPERTIES="-Dweblogic.security.TrustKeyStore=CustomTrust -Dweblogic.security.CustomTrustKeyStoreFileName=/u01/oracle/config/keystores/idmTrustStore.p12 -Dweblogic.security.CustomTrustKeyStorePassPhrase=password -Dweblogic.security.SSL.ignoreHostnameVerification=true"
  3. Start the WebLogic Server Scripting Tool (WLST):
    ./wlst.sh

    Note:

    If you are using an SSL enabled Admin Server, you must set the following environment variable before invoking WLST:
    export WLST_PROPERTIES="-Dweblogic.security.TrustKeyStore=CustomTrust -Dweblogic.security.CustomTrustKeyStoreFileName=/u01/oracle/config/keystores/idmTrustStore.p12 -Dweblogic.security.CustomTrustKeyStorePassPhrase=password -Dweblogic.security.SSL.ignoreHostnameVerification=true"
  4. Connect to the Administration Server, by using the following WLST command:
    connect('admin_user','admin_password','admin_url')

    For example, SSL terminated:

    connect('weblogic','Manager1','t3://iadadminvhn.example.com:7001')

    For example, end to end SSL:

    connect('weblogic','password','t3s://iadadminvhn.example.com:9002')
  5. Run the addOAMSSOProvider command, as shown:
    addOAMSSOProvider(loginuri="/${app.context}/adfAuthentication", logouturi="/oam/logout.html")

    The following table defines the expected value for each argument in the addOAMSSOProvider command.

    Note:

    Perform this action for each domain in your configuration.

    Table 14-16 Expected Values for the Arguments in the addOAMSSOProvider command

    Argument      Definition

    loginuri      Specifies the URI of the login page.

                  Note: For ADF security enabled applications, "/context-root/adfAuthentication" should be provided for the loginuri parameter. For example: /${app.context}/adfAuthentication

                  Note: ${app.context} must be entered as shown. At runtime, the application replaces the variable appropriately.

                  Here is the flow:

                  1. The user accesses a resource that has been protected by authorization policies in OPSS, for example.

                  2. If the user is not yet authenticated, ADF redirects the user to the URI configured in loginuri.

                  3. Access Manager should have a policy to protect the value in loginuri: for example, "/context-root/adfAuthentication".

                  4. When ADF redirects to this URI, Access Manager displays a Login Page (depending on the authentication scheme configured in Access Manager for this URI).

    logouturi     Specifies the URI of the logout page. The value of logouturi is usually /oam/logout.html.

    autologinuri  Specifies the URI of the autologin page. This is an optional parameter.

  6. Disconnect from the Administration Server by entering the following command:
    disconnect()
  7. Restart the Administration Server and the managed servers.

Propagating the Domain to OAMHOST2

After you start and validate the Administration Server and Managed Servers on OAMHOST1, you can then perform the following tasks on OAMHOST2.

Unpacking the Domain Configuration on OAMHOST2

Now that you have the Administration Server and Managed Servers running on OAMHOST1, you can configure the domain on OAMHOST2.

  1. Log into OAMHOST2.
  2. If you haven't already, create the recommended directory structure for the Managed Server domain on the OAMHOST2 storage device.
  3. Make sure the oamdomaintemplate.jar file is accessible to OAMHOST2.
    For example, if you are using a separate shared storage volume or partition for OAMHOST2, then copy the template to the volume or partition mounted to OAMHOST2.
  4. Run the unpack command to unpack the template in the domain directory onto the local storage, as follows:
    cd $ORACLE_COMMON_HOME/common/bin
    ./unpack.sh -domain=$IAD_MSERVER_HOME \
    -overwrite_domain=true \
    -template=$SHARED_CONFIG_DIR/domains/oamdomaintemplate.jar \
    -log_priority=DEBUG \
    -log=/tmp/unpack.log \
    -app_dir=$MS_APPLICATION_HOME

    In this example:

    • $IAD_MSERVER_HOME is the complete path to the domain home to be created on the local storage disk. This is the location where the copy of the domain will be unpacked.

    • $SHARED_CONFIG_DIR/domains/oamdomaintemplate.jar is the complete path and file name of the domain template jar file that you created when you ran the pack command to pack up the domain on the shared storage device.

    • $MS_APPLICATION_HOME is the complete path to the Application directory for the domain on local storage. See File System and Directory Variables Used in This Guide.

    Tip:

    For more information about the pack and unpack commands, see Overview of the Pack and Unpack Commands in Creating Templates and Domains Using the Pack and Unpack Commands.

  5. Change directory to the newly created $IAD_MSERVER_HOME directory and verify that the domain configuration files were copied to the correct location on the OAMHOST2 local storage device.

Starting the Node Manager on OAMHOST2

After you manually set up the Node Manager to use a per host Node Manager configuration, you can start the Node Manager by using the following commands on OAMHOST2.

  1. Change to the Node Manager home directory:
    cd $NM_HOME
  2. Use the following command to start the Node Manager on OAMHOST2:
    nohup ./startNodeManager.sh > nodemanager.out 2>&1 &

For information about additional Node Manager configuration options, see Administering Node Manager for Oracle WebLogic Server.

Starting the Managed Servers in the Domain

Start the Managed Servers.

Starting the oam_server1 Managed Server

From the Remote Console, start the oam_server1 Managed Server:

  1. Log into Enterprise Manager using the URL in URLs Used in This Chapter.
  2. Sign into the Fusion Middleware Control by using the administrator's account.
  3. Select the Servers pane to view the Managed Servers in the domain.
  4. Select the Managed Servers that you choose to start.
  5. Click Control > Start on the tool bar to start the selected Managed Server.
  6. Verify that the server status is reported as Running. If the server is shown as Starting or Resuming, wait for the server status to change to Started. If another status is reported (such as Admin or Failed), check the server output log files for errors.
  7. Repeat for each Managed Server you choose to start.

Validating Access Manager

You can validate Oracle Access Manager by using the oamtest tool.

To do this, perform the following steps:

  1. Ensure that the oam_server1 managed server is up and running.
  2. Navigate to the following directory:
    cd $IAD_ORACLE_HOME/idm/oam/server/tester
    
  3. Start the test tool in a terminal window using the command:
    java -jar oamtest.jar
    
  4. When the OAM test tool starts, enter the following information in the Server Connection section of the page:
    • Primary IP Address: OAMHOST1.example.com

    • Port: 5575 (OAM_PROXY_PORT)

    • Agent ID: Webgate_IDM

    • Agent Password: webgate password

    • Mode: Open

    • Global Passphrase: Enter the value you set as the global password in Setting a Global Passphrase.

  5. Click Connect.
    In the status window you see: [response] Connected to primary access server.
  6. In the Protected Resource URI section, enter the following information:
    • Scheme: http

    • Host: iadadmin.example.com

    • Port: 80 (IAD_HTTP_PORT)

    • Resource: /oamconsole

      Click Validate.

      In the status window you see: [request] [validate] yes.

  7. In the User Identity window, enter:
    • Username: oamadmin

    • Password: password

    • Click Authenticate.

    • In the status window, you see: [request] [authenticate] yes

    • Click Authorize.

    • In the status window you see: [request] [authorize] yes

Enabling Forgotten Password

You can set up the One Time Pin forgotten password functionality that is provided with Oracle Access Manager.

If you want to configure the Challenge Question forgotten password functionality, as provided by Oracle Identity Governance, see Configuring and Integrating with LDAP and Integrating Oracle Identity Governance and Oracle Access Manager.

This section contains the following topics:

Prerequisites for Enabling Forgotten Password

Forgotten Password Management in Oracle Access Manager takes the form of sending an Email or SMS message with a link to reset the password.

Email or SMS is sent using the Oracle User Messaging Service. Before enabling the Oracle Forgotten Password functionality, you first need to have an Oracle User Messaging deployment. This is often located inside the Oracle Governance Domain but can be located inside the Access Domain if that is all you are installing. Alternatively, it could be a completely independent domain.

Forgotten Password functionality works only if you have successfully configured Single Sign-On as described in Configuring Single Sign-On for an Enterprise Deployment.

Adding the User Messaging Service to the Access domain or creating a User Messaging Service domain is outside the scope of this EDG. For more information about installing and configuring the Oracle User Messaging Service, see Installing User Messaging Service and Configuring Oracle User Messaging Service in Administering Oracle User Messaging Service.

Add Permissions to oamLDAP user

When created out of the box, the oamLDAP user (the user used to link OAM to LDAP) is granted privileges to read the LDAP directory. It is not, however, granted permission to update those users. You need to add these privileges for the OAM forgotten password functionality to work.

To do this you perform the following steps on LDAPHOST1:

  1. Create a file called add_aci.ldif with the following contents:
    dn: cn=oamLDAP,cn=systemids,dc=example,dc=com
    changetype: modify
    add: ds-privilege-name
    ds-privilege-name: password-reset

    dn: cn=Users,dc=example,dc=com
    changetype: modify
    add: aci
    aci: (targetattr = "*")(targetfilter= "(objectclass=inetorgperson)")(targetscope = "subtree") (version 3.0; acl "iam admin changepwd"; allow (compare,search,read,selfwrite,add,write,delete) userdn = "ldap:///cn=oamLDAP,cn=systemids,dc=example,dc=com";)
  2. On LDAPHOST1, use the ldapmodify command to apply the file and add the privileges to LDAP. For example:
    export OUD_ORACLE_INSTANCE=/u02/oracle/config/instances/oud1
    $OUD_ORACLE_INSTANCE/bin/ldapmodify -D cn=oudadmin -h LDAPHOST1 -p 1389 -f ./add_aci.ldif

Create an OTP Administrative Group in LDAP

In order for the oamadmin group to be able to invoke forgotten password system calls it needs to be a member of the group OTPRestUserGroup. This group is not created by idmConfigTool and must therefore be created manually.

To do this you perform the following steps on LDAPHOST1:

  1. Create a file called create_otp_group.ldif with the following contents:
    dn: cn=OTPRestUserGroup,cn=Groups,dc=example,dc=com
    changetype: add
    objectClass: top
    objectClass: orclgroup
    objectClass: groupofuniquenames
    cn: OTPRestUserGroup
    description: Forgotten Password Admin group
    displayName: OTPRestUserGroup
    uniquemember: cn=oamadmin,cn=Users,dc=example,dc=com
  2. Use the ldapmodify command to add the group to LDAP. For example:
    export OUD_ORACLE_INSTANCE=/u02/oracle/config/instances/oud1
    $OUD_ORACLE_INSTANCE/bin/ldapmodify -D cn=oudadmin -h LDAPHOST1 -p 1389 -f create_otp_group.ldif
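The two LDIF files above change who can reset passwords (the ACI and the password-reset privilege for oamLDAP) and who can call the forgotten password REST interface (membership of OTPRestUserGroup), so they deserve a review before ldapmodify applies them. The script below is an added example, not Oracle's tooling or part of the documentation: it parses LDIF change records and checks that the ACI grants rights only to the oamLDAP service account and only over inetorgperson entries beneath cn=Users, and that the group record adds oamadmin as a unique member. The DNs are the example.com values from the listings, and both LDIF texts are embedded as constructed copies so that it runs offline; point `parse_ldif` at your real files to review those instead.

```python
"""Review helper for add_aci.ldif and create_otp_group.ldif (added example).

Not Oracle's tooling. Parses LDIF change records and checks that the ACI
grants password-reset rights only to oamLDAP, scoped to inetorgperson entries
under cn=Users, and that OTPRestUserGroup contains oamadmin.
"""
import re

OAM_LDAP_DN = "cn=oamLDAP,cn=systemids,dc=example,dc=com"
USER_BASE = "cn=Users,dc=example,dc=com"
GROUP_DN = "cn=OTPRestUserGroup,cn=Groups,dc=example,dc=com"
OAMADMIN_DN = "cn=oamadmin,cn=Users,dc=example,dc=com"

# Constructed copies of the two files from the procedure above.
ADD_ACI_LDIF = """\
dn: cn=oamLDAP,cn=systemids,dc=example,dc=com
changetype: modify
add: ds-privilege-name
ds-privilege-name: password-reset

dn: cn=Users,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "*")(targetfilter= "(objectclass=inetorgperson)")(targetscope = "subtree") (version 3.0; acl "iam admin changepwd"; allow (compare,search,read,selfwrite,add,write,delete) userdn = "ldap:///cn=oamLDAP,cn=systemids,dc=example,dc=com";)
"""

CREATE_OTP_GROUP_LDIF = """\
dn: cn=OTPRestUserGroup,cn=Groups,dc=example,dc=com
changetype: add
objectClass: top
objectClass: orclgroup
objectClass: groupofuniquenames
cn: OTPRestUserGroup
description: Forgotten Password Admin group
displayName: OTPRestUserGroup
uniquemember: cn=oamadmin,cn=Users,dc=example,dc=com
"""


def _norm(dn):
    """Comparison key for a DN: case-insensitive, no whitespace around commas."""
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()


def parse_ldif(text):
    """Return records as {'dn': str, 'attrs': {lowercase name: [values]}} (blank-line separated, folded lines unfolded)."""
    records, block = [], []
    for line in text.splitlines() + [""]:
        if line.startswith(" ") and block:
            block[-1] += line[1:]                        # RFC 2849 continuation line
        elif line.strip():
            if not line.startswith("#"):
                block.append(line)
        elif block:
            attrs = {}
            for entry in block:
                name, _, value = entry.partition(":")    # first colon only; values may contain ':'
                attrs.setdefault(name.strip().lower(), []).append(value.strip())
            records.append({"dn": attrs.pop("dn", [""])[0], "attrs": attrs})
            block = []
    return records


def review_aci(ldif_text):
    """Problems with the privilege grant and ACI; an empty list means it looks right."""
    recs = {_norm(r["dn"]): r for r in parse_ldif(ldif_text)}
    problems = []
    priv = recs.get(_norm(OAM_LDAP_DN), {"attrs": {}})
    if "password-reset" not in priv["attrs"].get("ds-privilege-name", []):
        problems.append("oamLDAP is not granted the password-reset privilege")
    acis = recs.get(_norm(USER_BASE), {"attrs": {}})["attrs"].get("aci", [])
    if not acis:
        problems.append("no aci added under " + USER_BASE)
    for aci in acis:
        grantees = re.findall(r'userdn\s*=\s*"ldap:///([^"]+)"', aci)
        if not grantees or any(_norm(g) != _norm(OAM_LDAP_DN) for g in grantees):
            problems.append("aci grants rights to a subject other than oamLDAP")
        if not re.search(r'targetfilter\s*=\s*"\(objectclass=inetorgperson\)"', aci, re.I):
            problems.append("aci is not limited to inetorgperson entries")
    return problems


def review_group(ldif_text):
    """Problems with the OTPRestUserGroup add record; an empty list means it looks right."""
    recs = {_norm(r["dn"]): r for r in parse_ldif(ldif_text)}
    grp = recs.get(_norm(GROUP_DN))
    if grp is None:
        return ["no record for " + GROUP_DN]
    attrs, problems = grp["attrs"], []
    if attrs.get("changetype", [""])[0].lower() != "add":
        problems.append("group record is not an add")
    if "groupofuniquenames" not in [v.lower() for v in attrs.get("objectclass", [])]:
        problems.append("group lacks objectClass groupofuniquenames")
    if _norm(OAMADMIN_DN) not in [_norm(m) for m in attrs.get("uniquemember", [])]:
        problems.append("oamadmin is not a uniquemember of OTPRestUserGroup")
    return problems


if __name__ == "__main__":
    print("add_aci.ldif:", review_aci(ADD_ACI_LDIF) or "OK")
    print("create_otp_group.ldif:", review_group(CREATE_OTP_GROUP_LDIF) or "OK")
```

The grantee check is the one that matters most: an ACI whose userdn is widened to `ldap:///anyone` or to a broader group would let any bound identity rewrite user passwords under cn=Users, and nothing in ldapmodify would object.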

Enabling Adaptive Authentication Service

Forgotten password requires you to enable the Adaptive Authentication Service.

To enable this service:

  1. Access the OAM Console using the URL in URLs Used in This Chapter. Login using the OAM Administration user (oamadmin).
  2. Click Configuration.
  3. Click Available Services.
  4. Click Enable Service next to Adaptive Authentication Service.
  5. When prompted, confirm that you want to enable the service.

Configuring Adaptive Authentication Plug-in

Now that the Authentication service is enabled, it needs to be informed about your User Messaging service.

To configure Adaptive Authentication Plug-In, perform the following steps:

  1. Access the OAM Console using the URL in URLs Used in This Chapter. Login using the OAM Administration user (oamadmin).
  2. From the Application Security Launch Pad, click Authentication Plug-ins in the Plug-ins panel. From the Authentication Plug-in tab, type Adaptive in the quick search box above the Plug-in Name column and hit Enter.
    The AdaptiveAuthenticationPlugin is displayed.
  3. Enter the following plug in properties:

    Table 14-17 AdaptiveAuthentication Plug-In Properties

    Attribute     Value
    UmsAvailable  True
    UmsClientURL  The entry point of your User Messaging service. If you have configured
                  Oracle Identity Manager, then this will be either:
                  http://igdinternal.example.com:7777/ucs/messaging/webservice
                  or
                  https://igdinternal.example.com:443/ucs/messaging/webservice
  4. Click Save.

Enabling Password Management in the Directory

By default, OAM is not set to enable password management. You have to enable it through the OAM Console.

To enable Password Management in the directory:

  1. Access the OAM Console using the URL in URLs Used in This Chapter. Login using the OAM Administration user (oamadmin).
  2. Click Configuration.
  3. Click User Identity Stores.
  4. Click the LDAP identity store in the OAM Identity Store section. For example: OAMIDSTORE.
  5. Click Edit.
  6. Select Enable Password Management.
  7. Enter the details in the User Information field.

    Table 14-18 User Information Details

    Attribute                   Description
    Global Common ID Attribute  The unique identifier in LDAP for the user. For example: uid.
    First Name                  The LDAP attribute which holds the user's name. For example: cn.
    Last Name                   The LDAP attribute which holds the user's last name. For example: sn.
    Email Address               The LDAP attribute which holds the user's email address. For example: mail.

  8. Click Apply.

Storing User Messaging Credentials in CSF

Before you can access the User Messaging Service, you need to store the credentials in the WebLogic credential store.

  1. Run the following command to start wlst:
    $ORACLE_COMMON_HOME/bin/wlst.sh

    Note:

    If your administration server is SSL enabled, set the following environment variable before starting wlst.
    export WLST_PROPERTIES="-Dweblogic.security.TrustKeyStore=CustomTrust -Dweblogic.security.CustomTrustKeyStoreFileName=/u02/oracle/config/keystores/idmTrustStore.p12 -Dweblogic.security.CustomTrustKeyStorePassPhrase=Manager1 -Dweblogic.security.SSL.ignoreHostnameVerification=true"
  2. Run the following command to Store the messaging credentials.

    For SSL Terminated:

    connect('weblogic','password','t3://iadadminvhn.example.com:7001')
    createCred(map="OAM_CONFIG", key="umsKey", user="weblogic", password="password")
    
    createCred(map="OAM_CONFIG", key="oam_rest_cred", user="oamadmin", password="password")
    exit ()

    For End to End SSL:

    connect('weblogic','password','t3s://iadadminvhn.example.com:9002')
    createCred(map="OAM_CONFIG", key="umsKey", user="weblogic", password="password")
    
    createCred(map="OAM_CONFIG", key="oam_rest_cred", user="oamadmin", password="password")
    exit ()

Setting Up the Forgot Password Link on the Login Page

The following REST API command enables the OTP forgot password link on the default login page in OAM. 

curl -X PUT \
  https://login.example.com/oam/services/rest/access/api/v1/config/otpforgotpassword/ \
  -u oamadmin:Password \
  -H 'content-type: application/json' \
  -d '{"displayOTPForgotPassworLink":"true","defaultOTPForgotPasswordLink":"false","localToOAMServer":"true","forgotPasswordURL":"https://login.example.com/otpfp/pages/fp.jsp", "mode":"userselectchallenge"}'

Enter the required attributes and values:

Table 14-19 Forgot Password Link on Login Page

Attribute          Value
ForgotPasswordURL  The OAM Forgotten Password URL. For example, https://login.example.com/otpfp/pages/fp.jsp
mode               distribution_mode. The distribution mode determines how the password reset URL is sent to the end user. Valid values are: email, sms, userchoose, userselectchallenge. The last entry enables the user to choose from masked values.

  • email - An OTP is sent to the email configured in the mail field.

  • sms - An OTP is sent to the mobile number configured in the mobile field.

  • userchoose - An OTP is sent by letting the user choose either the email or the mobile option, without the exact values.

  • userselectchallenge - The user can see the masked values for either email or mobile and select one of the options.

Note:

If you are using self signed certificates in the load balancer the curl command may object with a message similar to:

curl performs SSL certificate verification by default, using a bundle of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option. If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might  not match the domain name in the URL). If you like to turn off curl's verification of the certificate, use  the -k (or --insecure) option.

If you see this message and are sure the certificate presented is the expected one, add -k after -u oamadmin:Password.

Verify that this has succeeded by accessing the following URL in a browser:

https://login.example.com/oam/services/rest/access/api/v1/config/otpforgotpassword

When prompted, enter your oamadmin account and password.

Note:

One of the OAM Managed Servers must be running for this command to succeed.
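The curl call above is easy to get wrong in two ways: the mode value is free text, so a typo silently leaves the link misconfigured, and the -k workaround in the note disables certificate verification for a request that carries the oamadmin password. The script below is an added example, not Oracle's tooling and not part of the documentation. It builds the same PUT against the same otpforgotpassword endpoint with the same JSON attributes, validates the mode against the values in Table 14-19, and verifies the load balancer certificate against a CA bundle you name (the equivalent of curl --cacert) instead of turning verification off. The CA bundle path, the credentials and the helper names are assumptions for the example.

```python
"""Set and verify the OAM OTP forgot-password link over verified TLS (added example).

Not Oracle's tooling. Same REST endpoint and JSON attributes as the curl
command above; trust is pinned to the CA bundle that signed the load balancer
certificate rather than disabled with -k. Never embed real passwords here.
"""
import base64
import json
import ssl
import urllib.request

OTP_CONFIG_URL = "https://login.example.com/oam/services/rest/access/api/v1/config/otpforgotpassword/"
# Distribution modes from Table 14-19.
VALID_MODES = ("email", "sms", "userchoose", "userselectchallenge")


def build_payload(forgot_password_url, mode, local_to_oam_server=True):
    """Return the JSON body for the PUT as a dict, rejecting unknown modes and non-https URLs."""
    if mode not in VALID_MODES:
        raise ValueError("mode must be one of %s, got %r" % (", ".join(VALID_MODES), mode))
    if not forgot_password_url.startswith("https://"):
        raise ValueError("forgotPasswordURL should be an https URL")
    return {
        "displayOTPForgotPassworLink": "true",   # attribute name exactly as the API spells it
        "defaultOTPForgotPasswordLink": "false",
        "localToOAMServer": "true" if local_to_oam_server else "false",
        "forgotPasswordURL": forgot_password_url,
        "mode": mode,
    }


def basic_auth_header(user, password):
    """HTTP Basic Authorization value, equivalent to curl -u user:password."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode("utf-8")).decode("ascii")
    return "Basic " + token


def tls_context(ca_bundle):
    """Verifying TLS context that trusts only the given CA bundle (the --cacert alternative to -k)."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def set_otp_config(payload, user, password, ca_bundle, url=OTP_CONFIG_URL):
    """PUT the configuration; returns (HTTP status, response body). Needs network access."""
    req = urllib.request.Request(url, data=json.dumps(payload).encode("utf-8"), method="PUT")
    req.add_header("Content-Type", "application/json")
    req.add_header("Authorization", basic_auth_header(user, password))
    with urllib.request.urlopen(req, context=tls_context(ca_bundle), timeout=30) as resp:
        return resp.status, resp.read().decode("utf-8")


def get_otp_config(user, password, ca_bundle, url=OTP_CONFIG_URL):
    """GET the current configuration as a dict (the browser check described above)."""
    req = urllib.request.Request(url.rstrip("/"), method="GET")
    req.add_header("Authorization", basic_auth_header(user, password))
    with urllib.request.urlopen(req, context=tls_context(ca_bundle), timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


def config_matches(current, expected):
    """True when every attribute in 'expected' is reported back by OAM with the same value."""
    return all(str(current.get(k)) == str(v) for k, v in expected.items())


if __name__ == "__main__":
    # Hypothetical values; CA_BUNDLE is the PEM file for the CA that issued the
    # load balancer certificate, and the password should come from a prompt.
    import getpass
    CA_BUNDLE = "/u01/oracle/config/keystores/lbr-ca.pem"   # assumed path
    wanted = build_payload("https://login.example.com/otpfp/pages/fp.jsp", "userselectchallenge")
    pw = getpass.getpass("oamadmin password: ")
    print(set_otp_config(wanted, "oamadmin", pw, CA_BUNDLE))
    print("verified:", config_matches(get_otp_config("oamadmin", pw, CA_BUNDLE), wanted))
```

If the GET after the PUT does not echo back the attributes you set, check that an OAM Managed Server is running, as the note above says, before suspecting the request itself.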

Restarting the Domain

Shut down the Administration Server and any running managed servers, then restart the Administration Server and all of the managed servers (oam_policy_mgr1, oam_policy_mgr2, oam_server1, oam_server2).

Validating the Forgotten Password Functionality

If you have set up the OAM Forgotten Password functionality, rather than off-loading to OIG, you can validate the forgotten password using the curl command, which shows you the password policies in force.

To validate the Forgotten Password functionality, run the following curl command:

curl -X GET https://login.example.com/oam/services/rest/access/api/v1/pswdmanagement/UserPasswordPolicyRetriever/oamadmin?description=true  -u oamadmin:<password> -k 

This command displays the password policies.

If this command works, access the Enterprise Manager URL using the URL in URLs Used in This Chapter. After you enable single sign-on, you see a link for the forgotten password on the login page. Click this link and enter the user name for which you want to reset the password. Click Generate Pin to receive an email, which enables you to change the password.

Note:

Before validating, ensure that you enable SSO as described in Configuring Single Sign-On for an Enterprise Deployment. Else, validation fails.

Replacing Connect Strings with the Appropriate TNS Alias

Oracle recommends using TNS Alias in the connection strings used by FMW components instead of repeating long JDBC strings across multiple connections pools.

For more information about how to use TNS alias in your Datasources, see Using TNS Alias in Connect Strings in the Common Configuration and Management Tasks for an Enterprise Deployment chapter.

Backing Up the Configuration

It is an Oracle best practice recommendation to create a backup after you have successfully extended a domain or at another logical point. Create a backup after you verify that the installation so far is successful. This is a quick backup for the express purpose of immediate restoration in case of problems in later steps.

The backup destination is the local disk. You can discard this backup when the enterprise deployment setup is complete. After the enterprise deployment setup is complete, you can initiate the regular deployment-specific Backup and Recovery process.

For information about backing up your configuration, see Performing Backups and Recoveries for an Enterprise Deployment.