25 Handling Lifecycle Management Changes
These configuration changes are described in the following sections:
Note:
Several command examples in this chapter carry a password placeholder on the command line. Replace the placeholder with the actual password before running the command, and keep in mind that a password passed on the command line can be recorded in the shell history and is visible in the process list while the command runs.
25.1 URL Changes Related to Oracle Identity Governance
Oracle Identity Governance uses various host names and ports in its configuration. Corresponding changes to host names and ports are required in Oracle Identity Governance and Oracle WebLogic configuration.
This section describes ways to make the corresponding changes in Oracle Identity Governance and Oracle WebLogic configuration. It contains the following topics:
25.1.1 Oracle Identity Governance Host and Port Changes
Oracle Identity Governance host and port changes include changing OimFrontEndURL and backOfficeURL in Oracle Identity Governance configuration, changing task details URL in human task configuration, and changing OIG server port on WebLogic Administrative Console.
This section describes Oracle Identity Governance host and port changes in the following topics:
-
Changing OimFrontEndURL in Oracle Identity Governance Configuration
-
Changing backOfficeURL in Oracle Identity Governance Configuration
Note:
When additional Oracle Identity Governance nodes are added or removed, perform the procedures described in these sections to configure Oracle Identity Governance host and port changes.
25.1.1.1 Changing OimFrontEndURL in Oracle Identity Governance Configuration
The OimFrontEndURL is the URL used to access the Oracle Identity Governance UI. It can be a load balancer URL or a Web server URL, depending on whether the application server is fronted by a load balancer or a Web server, or a single application server URL. Oracle Identity Governance uses it in notification e-mails and as the callback URL for SOA calls.
The change may be necessary because of change in Web server hostname or port for Oracle Identity Governance deployment in a clustered environment, or WebLogic managed server hostname or port changes for Oracle Identity Governance deployment in a nonclustered environment.
Note:
In order to change OimFrontEndURL, perform the steps provided in this section as well as the steps in Changing OIM Server Port on WebLogic Administrative Console.
To change the OimFrontEndURL in Oracle Identity Governance configuration:
25.1.1.2 Changing backOfficeURL in Oracle Identity Governance Configuration
Changing backOfficeURL is required only for Oracle Identity Governance deployed in front-office and back-office configuration. This change does not apply for simple clustered or nonclustered deployments. This URL is used internally by Oracle Identity Governance for accessing back-office components from the front-office components. You might change the value of this attribute during the implementation of back-office and front-office configuration, for adding additional servers to back office, and for removing servers from back-office.
To change the value of the backOfficeURL attribute:
25.1.1.3 Changing Task Details URL in Human Task Configuration
The task details URL is the URL of the task details page for a particular human task in the Inbox. This can be a load balancer URL or Web server URL depending on whether the application server is fronted with load balancer, or Web server, or single application server URL.
The change might be required because of change in Web server hostname or port for Oracle Identity Governance deployment in a clustered environment, or WebLogic managed server hostname or port changes for Oracle Identity Governance deployment in a nonclustered environment.
To change the task details URL in human task configuration:
25.1.2 Oracle Identity Governance Database Host and Port Changes
The database host name and port number are used in several configuration areas, such as the oimJMSStoreDS datasource, the OIMAuthenticationProvider, and DirectDB. This section also covers pointing Oracle Identity Governance at a different database.
This section describes the configuration areas where database hostname and port number are used.
After installing Oracle Identity Governance, if there are any changes in the database hostname or port number, then the following changes are required:
Note:
Before making changes to the database host and port, shut down the managed servers hosting Oracle Identity Governance. You can keep the Oracle WebLogic Administrative Server running.
25.1.2.1 Modifying Datasource oimJMSStoreDS Configuration
To change datasource oimJMSStoreDS configuration:
- Navigate to Services, JDBC, Data Sources, and then oimJMSStoreDS.
- Click the Connection Pool tab.
- Modify the values of the URL and Properties fields to reflect the changes to database host and port.
25.1.2.2 Modifying Datasource soaOIMLookupDB Configuration
To change datasource soaOIMLookupDB configuration:
- Navigate to Services, JDBC, Data Sources, and then soaOIMLookupDB.
- Click the Connection Pool tab.
- Modify the values of the URL and Properties fields to reflect the changes to database host and port.
25.1.2.3 Modifying Datasource oimOperationsDB Configuration
To change datasource oimOperationsDB configuration:
- Navigate to Services, JDBC, Data Sources, and then oimOperationsDB.
- Click the Connection Pool tab.
- Modify the values of the URL and Properties fields to reflect the changes to database host and port.
25.1.2.4 Modifying Datasource ApplicationDB Configuration
To change datasource ApplicationDB configuration:
- Navigate to Services, JDBC, Data Sources, and then ApplicationDB.
- Click the Connection Pool tab.
- Modify the values of the URL and Properties fields to reflect the changes to database host and port.
25.1.2.5 Modifying Datasource Related to Oracle Identity Governance Meta Data Store
To change the datasource related to Oracle Identity Governance Meta Data Store (MDS) configuration:
Note:
This step is required only if database host and port of MDS schema is changed.
- Navigate to Services, JDBC, Data Sources, and then mds-oim.
- Click the Connection Pool tab.
- Modify the values of the URL and Properties fields to reflect the changes in the database host and port.
25.1.2.6 Modifying OIMAuthenticationProvider Configuration
To change OIMAuthenticationProvider configuration:
- In the WebLogic Administrative console, navigate to Security Realms, myrealm, and then Providers.
- Click OIMAuthenticationProvider.
- Click Provider Specific.
- Modify the value of the DBUrl field to reflect the change in hostname and port.
Note:
If Service Oriented Architecture (SOA) and Oracle Web Services Manager (OWSM) undergo configuration changes, then you must make similar changes for datasources related to SOA or OWSM.
After making changes in the datasources, restart the Oracle WebLogic Administrative Server, and start the Oracle Identity Governance managed WebLogic servers.
Note:
Whenever Oracle Identity Governance application configuration is changed by using the OIM App Config MBeans from the Enterprise Manager (EM) console, at least one of the Oracle Identity Governance Managed Servers must be running. Otherwise, the OIM App Config MBeans are not visible in the EM console.
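The edit in the preceding datasource and OIMAuthenticationProvider sections is the same one applied to several URL fields: change the host and port in an Oracle JDBC thin URL and leave everything else (service name, SID, RAC descriptor) untouched. The following Python helper is an example added here, not an Oracle utility: it rewrites the three thin-URL shapes (host:port/service, host:port:SID, and the (DESCRIPTION=(ADDRESS=...)) form used with Oracle RAC), refuses to touch a URL that does not point at the old endpoint, and audits a set of datasources to confirm they all reach the new one. The datasource names are those used in this chapter; the hosts, ports, and URLs are constructed sample values.

```python
"""Rewrite the database host and port in Oracle JDBC thin URLs.

Added example for this chapter; not an Oracle utility. Produces the new value
for the Connection Pool URL field (and the OIMAuthenticationProvider DBUrl) and
checks that every datasource ends up on the new endpoint. All hosts, ports and
URLs below are constructed sample values.
"""
import re
from typing import Dict, List, Tuple

Endpoint = Tuple[str, int]  # (host, port)

# EZConnect and SID forms: jdbc:oracle:thin:@host:port/service, @//host:port/service, @host:port:SID
_EZ = re.compile(
    r"^(?P<prefix>jdbc:oracle:thin:@(?://)?)(?P<host>[A-Za-z0-9.-]+):(?P<port>\d{1,5})"
    r"(?P<sep>[:/])(?P<rest>.+)$"
)
# TNS descriptor form used with Oracle RAC: one (ADDRESS=...) block per node
_ADDRESS = re.compile(r"\(ADDRESS=(?:\([^()]*\))+\)", re.IGNORECASE)
_HOST = re.compile(r"\(HOST=([^)]+)\)", re.IGNORECASE)
_PORT = re.compile(r"\(PORT=(\d{1,5})\)", re.IGNORECASE)


def _port(value) -> int:
    port = int(value)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port


def endpoints(url: str) -> List[Endpoint]:
    """Every (host, port) the URL can connect to, in the order listed."""
    m = _EZ.match(url)
    if m:
        return [(m.group("host"), _port(m.group("port")))]
    found = []
    for block in _ADDRESS.findall(url):
        h, p = _HOST.search(block), _PORT.search(block)
        if h and p:
            found.append((h.group(1), _port(p.group(1))))
    if not found:
        raise ValueError(f"not an Oracle thin URL: {url!r}")
    return found


def rewrite(url: str, old: Endpoint, new: Endpoint) -> str:
    """Return url with the old endpoint replaced by new.

    Only an endpoint equal to old is touched. A URL that does not point at old
    raises instead of being guessed at, so a stray datasource gets noticed.
    """
    _port(new[1])

    def is_old(host: str, port: int) -> bool:
        return host.lower() == old[0].lower() and port == old[1]

    m = _EZ.match(url)
    if m:
        if not is_old(m.group("host"), int(m.group("port"))):
            raise ValueError(f"{url!r} does not point at {old}")
        return f"{m.group('prefix')}{new[0]}:{new[1]}{m.group('sep')}{m.group('rest')}"

    hits = 0

    def swap(match) -> str:  # rewrite one (ADDRESS=...) block if it is the old node
        nonlocal hits
        block = match.group(0)
        h, p = _HOST.search(block), _PORT.search(block)
        if h and p and is_old(h.group(1), int(p.group(1))):
            hits += 1
            block = _HOST.sub(lambda _: f"(HOST={new[0]})", block)
            block = _PORT.sub(lambda _: f"(PORT={new[1]})", block)
        return block

    out = _ADDRESS.sub(swap, url)
    if hits == 0:
        raise ValueError(f"{url!r} does not point at {old}")
    return out


def migrate(urls: Dict[str, str], old: Endpoint, new: Endpoint) -> Dict[str, str]:
    """Rewrite every datasource URL; fails on the first one that is not on old."""
    return {name: rewrite(url, old, new) for name, url in urls.items()}


def audit(urls: Dict[str, str], expected: Endpoint) -> List[str]:
    """Names of datasources that cannot reach expected; run this after the change."""
    want = (expected[0].lower(), expected[1])
    return [name for name, url in urls.items()
            if want not in [(h.lower(), p) for h, p in endpoints(url)]]


# Constructed sample values modelled on the datasource names in this chapter.
OLD = ("olddb.example.com", 1521)
NEW = ("newdb.example.com", 1522)
DATASOURCES = {
    "oimOperationsDB": "jdbc:oracle:thin:@olddb.example.com:1521/oimdb.example.com",
    "oimJMSStoreDS": "jdbc:oracle:thin:@olddb.example.com:1521:OIMDB",
    "mds-oim": ("jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS_LIST="
                "(ADDRESS=(PROTOCOL=TCP)(HOST=olddb.example.com)(PORT=1521))"
                "(ADDRESS=(PROTOCOL=TCP)(HOST=rac2.example.com)(PORT=1521)))"
                "(CONNECT_DATA=(SERVICE_NAME=oimdb.example.com)))"),
}

if __name__ == "__main__":
    updated = migrate(DATASOURCES, OLD, NEW)
    for name, url in updated.items():
        print(f"{name}: {url}")
    print("missing new endpoint:", audit(updated, NEW))  # expect []
```

Paste each rewritten value into the URL field of the corresponding datasource (and the DBUrl field of OIMAuthenticationProvider), then run the audit against the values you actually saved: a datasource that still resolves to the old host is exactly the one that fails to start after the restart.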
25.1.2.7 Modifying DirectDB Configuration
To change DirectDB configuration:
Note:
When an Oracle Identity Governance single-instance deployment is changed to Oracle Real Application Clusters (Oracle RAC), or Oracle RAC is changed to a single-instance deployment, change the oimJMSStoreDS, oimOperationsDB, and mds-oim datasources. In addition to the generic changes that convert these datasources to a multi-datasource configuration, change the OIMAuthenticationProvider and domain credential store configurations to reflect the Oracle RAC URL. For information about these generic changes, see High Availability Guide for Oracle Identity and Access Management.
See Oracle Identity Governance Database Host and Port Changes for information about changing the port at the database.
25.1.2.8 Modifying the Oracle Identity Governance Database Host and Port in BI Publisher
To change the Oracle Identity Governance database host and port in BI Publisher:
- Login to BI Publisher.
- Click the Administration tab.
- Click JDBC Connection under Data Sources.
- Click OIM JDBC, and change the database host and port.
- Click Test Connection. A confirmation message is displayed when the connection is established.
- Click Apply.
25.1.2.9 Changing Incorrect Database Configuration
Perform the following additional steps if, instead of changing the port of the current database, Oracle Identity Governance is pointed at the database of another Oracle Identity Governance instance:
-
Copy DOMAIN_HOME/config/fmwconfig/.xldatabasekey from the Oracle Identity Governance deployment installed on the destination database to the source Oracle Identity Governance deployment.
-
Copy the following keys from Oracle Identity Governance deployment on the destination DB to the source deployment:
OIMSchemaPassword
.xldatabasekey
DataBaseKey
-
To get the Oracle Identity Governance credential store from Oracle Identity Governance installed on the destination DB:
-
Login to Oracle Enterprise Manager by using the following URL:
http://HOST:ADMIN_SERVER_PORT/em
-
Navigate to Weblogic Domain, right-click DOMAIN_NAME, and select System MBean Browser.
-
Under Application Defined MBeans, navigate to com.oracle.jps, Server:OIM_SERVER_NAME, JpsCredentialStore.
-
Go to Operations, getPortableCredentialMap. Enter the parameter value as oim, and click Invoke. This displays the oim credential map. Note the passwords for OIMSchemaPassword, .xldatabasekey, and DataBaseKey.
-
-
To change the keys in the OIM credential store on the source deployment:
-
OIMSchemaPassword: Navigate to Weblogic Domain, right-click DOMAIN_NAME, and navigate to Security, Credentials. Expand oim, and click OIMSchemaPassword. Click Edit, and enter the new password in Password and Confirm Password fields.
-
.xldatabasekey: Repeat the same steps for .xldatabasekey.
-
DataBaseKey: Repeat the same steps for DataBaseKey.
-
25.1.3 Changing Oracle Virtual Directory Host and Port
When LDAP synchronization is enabled, Oracle Identity Governance connects with directory servers through Oracle Virtual Directory (OVD). This connection takes place by using LDAP/LDAPS protocol.
To change OVD host and port:
-
Login to Oracle Identity System Administration.
-
Under Provisioning Configuration, click IT Resource.
-
From the IT Resource Type list, select Directory Server , and click Search.
-
Edit the Directory Server IT resource. To do so:
-
If the value of the Use SSL field is set to False, then edit the Server URL field. If the value of the Use SSL field is set to True, then edit the Server SSL URL field.
-
Click Update.
-
25.1.4 Changing BI Publisher Host and Port
You can change the BI Publisher host and port in the jms_cluster_config.properties file, after which you must restart the BI Publisher server.
To change BI Publisher host and port:
-
Login to Enterprise Manager by using the following URL. The WebLogic Administrative Server and the Oracle Identity Governance managed servers (at least one of them in a clustered deployment) must be running:
http://ADMIN_SERVER/em
-
Navigate to Identity and Access, oim.
-
Right-click oim, and navigate to System MBean Browser.
-
Under Application Defined MBeans, navigate to oracle.iam, Application:oim, XMLConfig, Config, XMLConfig.DiscoveryConfig, Discovery.
-
Enter a new value for the BIPublisherURL attribute, and click Apply to save the changes.
-
To change the BI Publisher host and port in jms_cluster_config.properties file:
-
Go to the DOMAIN_NAME/config/bipublisher/repository/Admin/Scheduler/ directory.
-
In a text editor, open the jms_cluster_config.properties file, and replace the BI Publisher host and port.
-
Save the jms_cluster_config.properties file.
-
Restart BI Publisher server.
-
25.1.5 Changing SOA Host and Port
You change SOA JNDIProvider host and port when additional SOA nodes are added or removed.
To change the SOA host and port:
Note:
When additional SOA nodes are added or removed, perform this procedure to change the SOA host and port.
-
Login to Enterprise Manager by using the following URL. The WebLogic Administrative Server and the Oracle Identity Governance managed servers (at least one of them in a clustered deployment) must be running:
http://ADMIN_SERVER/em
-
Navigate to Identity and Access, oim.
-
Right-click oim, and navigate to System MBean Browser.
-
Under Application Defined MBeans, navigate to oracle.iam, Application:oim, XMLConfig, Config, XMLConfig.SOAConfig, SOAConfig.
-
Change the value of the Rmiurl attribute, and click Apply to save the changes.
The Rmiurl attribute is used for accessing SOA EJBs deployed on SOA managed servers. This is the application server URL. For a clustered deployment of Oracle Identity Governance, it is a comma-separated list of all the SOA managed server URLs. Example values for this attribute can be:
t3://mysoa1.example.com:8001
t3s://mysoaserver1.example.com:8002,mysoa2.example.com:8002
t3://mysoa1.example.com:8001,mysoa2.example.com:8002,mysoa3.example.com:8003
-
Change the SOA JNDIProvider host and port. To do so:
-
Login to WebLogic Administration Console.
-
In the Domain Structure section, navigate to OIM_DOMAIN, Services, Foreign JNDI Providers.
-
Click ForeignJNDIProvider-SOA.
-
In the Configuration tab, verify that the General subtab is active.
-
Change the value of Provider URL to the Rmiurl provided in Step 5.
-
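The Rmiurl value and the Provider URL of ForeignJNDIProvider-SOA are the same string: one t3:// or t3s:// scheme followed by a comma-separated list of host:port entries, one per SOA managed server. The following Python helper is an example added here, not an Oracle utility: it parses that format, adds or removes a node so the new value can be pasted into both places, rejects mixed t3/t3s lists and out-of-range ports, and flags a plain t3 value because t3s is the TLS-protected variant. The host names come from the example values above; the node being added is constructed.

```python
"""Maintain the SOAConfig Rmiurl value when SOA nodes are added or removed.

Added example for this chapter; not an Oracle utility. The same string is used
for the Provider URL of ForeignJNDIProvider-SOA. Host names follow the
examples in this section; the added node is a constructed sample value.
"""
import re
from typing import List, Optional, Tuple

Node = Tuple[str, int]  # (host, port)
_ENTRY = re.compile(r"^(?:(?P<scheme>t3s?)://)?(?P<host>[A-Za-z0-9.-]+):(?P<port>\d{1,5})$")


def parse_rmiurl(value: str) -> Tuple[str, List[Node]]:
    """Split 't3s://h1:8002,h2:8002' into ('t3s', [('h1', 8002), ('h2', 8002)])."""
    scheme: Optional[str] = None
    nodes: List[Node] = []
    for raw in value.split(","):
        m = _ENTRY.match(raw.strip())
        if not m:
            raise ValueError(f"malformed Rmiurl entry: {raw!r}")
        if m.group("scheme"):
            if scheme and m.group("scheme") != scheme:
                raise ValueError("t3 and t3s mixed in one Rmiurl")
            scheme = m.group("scheme")
        elif scheme is None:
            raise ValueError("first entry must start with t3:// or t3s://")
        port = int(m.group("port"))
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
        nodes.append((m.group("host"), port))
    return scheme, nodes


def build_rmiurl(scheme: str, nodes: List[Node]) -> str:
    """Serialize back to the form Oracle Identity Governance expects."""
    if scheme not in ("t3", "t3s") or not nodes:
        raise ValueError("need t3 or t3s and at least one node")
    return f"{scheme}://" + ",".join(f"{host}:{port}" for host, port in nodes)


def add_node(value: str, host: str, port: int) -> str:
    """Append a new SOA managed server; adding one already listed is a no-op."""
    scheme, nodes = parse_rmiurl(value)
    if (host, port) not in nodes:
        nodes.append((host, port))
    return build_rmiurl(scheme, nodes)


def remove_node(value: str, host: str, port: int) -> str:
    """Drop a SOA managed server; refuses to leave the list empty."""
    scheme, nodes = parse_rmiurl(value)
    remaining = [n for n in nodes if n != (host, port)]
    if len(remaining) == len(nodes):
        raise ValueError(f"{host}:{port} is not in the Rmiurl")
    return build_rmiurl(scheme, remaining)


def findings(value: str) -> List[str]:
    """Checks worth running before pasting the value into EM and the console."""
    scheme, nodes = parse_rmiurl(value)
    out = []
    if scheme == "t3":
        out.append("plain t3: OIG-to-SOA RMI traffic is not TLS protected; use t3s where SOA is SSL-enabled")
    if len(set(nodes)) != len(nodes):
        out.append("duplicate host:port entries")
    return out


if __name__ == "__main__":
    current = "t3s://mysoaserver1.example.com:8002,mysoa2.example.com:8002"
    grown = add_node(current, "mysoa3.example.com", 8002)  # constructed third node
    print("Rmiurl / Provider URL:", grown)
    print("findings:", findings(grown))  # expect []
```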
25.2 Password Changes Related to Oracle Identity Governance
Various passwords are used for Oracle Identity Governance configuration because of the architectural and middleware requirements.
This section describes the default passwords and ways to make the changes to the password in Oracle Identity Governance and Oracle WebLogic configuration for any change in the dependent or integrated products.
This section consists of the following topics:
25.2.1 Updating Oracle WebLogic Administrator Credentials
Oracle WebLogic credentials must be updated in Foreign JNDI Provider and SOAAdminPassword in CSF.
Weblogic credentials must be updated in the following places:
-
Foreign JNDI Provider. To do so:
-
Login to WebLogic Administrative Console.
-
In the Domain Structure section, navigate to OIM_DOMAIN, Services, Foreign JNDI Providers.
-
Click ForeignJNDIProvider-SOA.
-
In the Configuration tab, verify that the General subtab is active.
-
Enter the new password of the weblogic user in the Password and Confirm Password fields.
-
-
SOAAdminPassword in CSF. See Changing Oracle Identity Governance Passwords in the Credential Store Framework for details.
25.2.2 Changing Oracle WebLogic Administrator Password
Use the WebLogic Administrative console to change the WebLogic administrator password.
To change Oracle WebLogic administrator password:
-
Login to WebLogic Administrative console.
-
Navigate to Security Realms, myrealm, Users and Groups, weblogic, Password.
-
In the New Password field, enter the new password.
-
In the Confirm New Password field, re-enter the new password.
-
Click Apply.
25.2.3 Changing Oracle Identity Governance Administrator Password
During Oracle Identity Governance installation, the installer prompts for the Oracle Identity Governance administrator password. If required, you can change the administrator password after the installation is complete.
To do so, you must login to Oracle Identity Governance Self Service as Oracle Identity Governance administrator. For information about how to change the administrator password, see Changing Enterprise Password in Performing Self Service Tasks with Oracle Identity Governance.
When you change the Oracle Identity Governance system administrator password, you must also update the password in:
-
The OIMAdmin CSF key under the oracle.wsm.security map
-
The sysadmin CSF key under the oim map
Note:
If OAM or OAAM is integrated with Oracle Identity Governance, then you must make corresponding changes in those applications. For more information, refer to OAM and OAAM documentation in the Oracle Technology Network (OTN) Web site by using the following URL:
http://www.oracle.com/technetwork/indexes/documentation/index.html
25.2.4 Changing Oracle Identity Governance Administrator Database Password
The system administrator database password can be reset in a stand-alone deployment of Oracle Identity Governance and in a deployment that is integrated with OAM.
This section describes resetting Oracle Identity Governance password in the following topics:
25.2.4.1 Resetting Oracle Identity Governance Password
This section describes resetting Oracle Identity Governance password in the following types of deployments:
-
Oracle Identity Governance deployment without LDAP synchronization
-
Oracle Identity Governance deployment with LDAP synchronization enabled
-
Oracle Identity Governance deployment that is integrated with Access Manager (OAM)
Resetting System Administrator password can be performed by using the oimadminpasswd_wls.sh utility, which is available in the OIM_HOME/server/bin/ directory. The steps to run the oimadminpasswd_wls.sh utility are the same for both types of deployment: Oracle Identity Governance with LDAP synchronization enabled and without LDAP synchronization enabled.
25.2.4.2 Resetting System Administrator Database Password in Oracle Identity Governance Deployment
To reset System Administrator database password:
25.2.4.3 Resetting System Administrator Database Password When Oracle Identity Governance Deployment is Integrated With Access Manager
If Oracle Identity Governance is integrated with OAM, then an LDAP directory, such as Oracle Internet Directory, is used for all authentication purposes. Therefore, the Oracle Identity Governance administrator (xelsysadm) password is reset in LDAP. Although the xelsysadm password in the Oracle Identity Governance database is not used in this topology, it is reset along with the LDAP directory to ensure that the passwords in both repositories stay in sync.
To reset System Administrator database password when Oracle Identity Governance Deployment is Integrated With Access Manager:
25.2.5 Changing Oracle Identity Governance Database Password
Oracle Identity Governance uses two database schemas for storing Oracle Identity Governance operational and configuration data. It uses Oracle Identity Governance MDS schema for storing configuration-related information and Oracle Identity Governance schema for storing other information. Any change in the schema password requires changes on Oracle Identity Governance configuration.
Changing Oracle Identity Governance database password involves the following:
After changing the Oracle Identity Governance database password, restart the WebLogic Administrative Server. Start the Oracle Identity Governance managed WebLogic Servers as well.
Note:
Before changing the database password, shut down the managed servers that host Oracle Identity Governance. However, you can keep the Oracle WebLogic Administrative Server running.
25.2.5.1 Changing Datasource oimJMSStoreDS Configuration
To change datasource oimJMSStoreDS configuration:
- Navigate to Services, JDBC, Data Sources, oimJMSStoreDS.
- Click the Connection Pool tab.
- In the Password and Confirm password fields, enter the new Oracle Identity Governance database schema password.
- Click Save to save the changes.
25.2.5.2 Changing Datasource ApplicationDB Configuration
To change datasource ApplicationDB configuration:
- Navigate to Services, JDBC, Data Sources, ApplicationDB.
- Click the Connection Pool tab.
- In the Password and Confirm password fields, enter the new Oracle Identity Governance database schema password.
- Click Save to save the changes.
25.2.5.3 Changing Datasource soaOIMLookupDB Configuration
To change datasource soaOIMLookupDB configuration:
- Navigate to Services, JDBC, Data Sources, and then soaOIMLookupDB.
- Click the Connection Pool tab.
- In the Password and Confirm password fields, enter the new Oracle Identity Governance database schema password.
- Click Save to save the changes.
25.2.5.4 Changing Datasource oimOperationsDB Configuration
To change datasource oimOperationsDB configuration:
- Navigate to Services, JDBC, Data Sources, oimOperationsDB.
- Click the Connection Pool tab.
- In the Password and Confirm password fields, enter the new Oracle Identity Governance database schema password.
- Click Save to save the changes.
25.2.5.5 Changing Datasource Related to Oracle Identity Governance Meta Data Store
To change datasource related to Oracle Identity Governance MDS configuration:
- Navigate to Services, JDBC, Data Sources, mds-oim.
- Click the Connection Pool tab.
- In the Password and Confirm password fields, enter the new Oracle Identity Governance MDS database schema password.
- Click Save to save the changes.
Note:
-
For Oracle Identity Governance deployments with Oracle Real Application Clusters (Oracle RAC) configuration, you might have to make changes in all the datasources under the respective multi-datasource configurations.
-
You might have to make similar changes for datasources related to SOA or OWSM, if required.
25.2.5.6 Changing OIMAuthenticationProvider Configuration
To change OIMAuthenticationProvider configuration:
- In the WebLogic Administrative console, navigate to Security Realms, myrealm, and then Providers.
- Click OIMAuthenticationProvider.
- Click Provider Specific.
- In the DBPassword field, enter the new Oracle Identity Governance database schema password.
- Click Save to save the changes.
25.2.5.7 Changing Domain Credential Store Configuration
To change domain credential store configuration:
25.2.5.8 Changing the Oracle Identity Governance Database Password in BI Publisher
To change the Oracle Identity Governance database password in BI Publisher:
- Login to BI Publisher.
- Click the Administration tab.
- Click JDBC Connection under Data Sources.
- Click OIM JDBC, and change the password in the Password field.
- Click Test Connection. A confirmation message is displayed when the connection is established.
- Click Apply.
25.2.6 About Credential Store Framework Keys
Oracle Identity Governance installer stores several passwords during the install process. Various values are stored in Credential Store Framework (CSF) as key and value.
Table 25-1 lists the keys and the corresponding values:
Table 25-1 CSF Keys
Key | Description |
---|---|
DataBaseKey |
The password for the key that is used to encrypt data stored in the database. The password is the user input value in the installer for the Oracle Identity Governance keystore. |
.xldatabasekey |
The password for keystore that stores the database encryption key. The password is the user input value in the installer for the Oracle Identity Governance keystore. |
xell |
The password for key 'xell', which is used for securing communication between Oracle Identity Governance components. Default password generated by Oracle Identity Governance installer is xellerate. |
default_keystore.jks |
The password for the default_keystore.jks JKS keystore in the DOMAIN_HOME/config/fmwconfig/ directory. The password is the user input value in the installer for the Oracle Identity Governance keystore. |
SOAAdminPassword |
The password is user input value in the installer for SOA Administrator Password field. |
OIMSchemaPassword |
The password for connecting to Oracle Identity Governance database schema. Password is user input value in the installer for OIM Database Schema Password field. |
JMSKey |
The password is the user input value in the installer for the Oracle Identity Governance keystore. |
25.2.7 Changing Oracle Identity Governance Passwords in the Credential Store Framework
To change an Oracle Identity Governance password in the CSF, edit the corresponding key under the oim map in the domain credential store (in Enterprise Manager, navigate to WebLogic Domain, then Security, Credentials).
To change the values of the CSF keys:
25.2.8 Changing OVD Password
Edit the Directory Server IT resource and specify the new OVD password in the Admin Password field.
To change the OVD password:
- Login to Oracle Identity Governance Administration.
- Click Advanced.
- Under Configuration, click Manage IT Resource.
- From the IT Resource Type list, select Directory Server.
- Click Search.
- Edit the Directory Server IT resource. To do so, in the Admin Password field, enter the new OVD password, and click Update.
25.2.9 Changing Oracle Identity Governance Administrator Password in LDAP
To change the Oracle Identity Governance System Administrator password in LDAP in an Oracle Identity Governance deployment that is SSO-enabled and integrated with OAM, search LDAP for the dn of the user, create a temporary file containing the new password, and then use the file to change the password.
To change Oracle Identity Governance System Administrator password in LDAP in a Oracle Identity Governance deployment that is SSO-enabled and integrated with Access Manager (OAM):
25.2.10 Unlocking Oracle Identity Governance Administrator Password in LDAP
To unlock the Oracle Identity Governance System Administrator password in LDAP in an Oracle Identity Governance deployment that is SSO-enabled and integrated with OAM, search LDAP for the dn of the user, create a temporary file for unlocking the account, and then use the file to unlock the System Administrator password.
To unlock Oracle Identity Governance System Administrator password in LDAP in a Oracle Identity Governance deployment that is SSO-enabled and integrated with OAM:
25.2.11 Changing Schema Passwords
Changing schema passwords include changing the passwords for the OIG, MDS, SOAINFRA, OPSS, ORASDPM, and BI Publisher schemas.
To change OIG, MDS, SOAINFRA, OPSS, ORASDPM, and BI Publisher schema passwords:
-
Stop all the Managed Servers and application server.
-
Create a backup of the entire domain and the database.
-
Start the application server.
-
Change the xxxx_OPSS user password. To do so:
-
Run the following command:
SQL> alter user xxxx_OPSS identified by NEW_PASSWORD;
-
Go to the ORACLE_COMMON/common/bin/ directory, and run the wlst command.
-
Run the modifyBootStrapCredential script, as shown:
modifyBootStrapCredential(jpsConfigFile='DOMAIN_NAME/config/fmwconfig/jps-config.xml', username='xxxx_OPSS', password='NEW_PASSWORD')
-
-
Login to Weblogic Administrative Console. Navigate to Services, Data Sources.
-
Select opss-DBDS, Connection Pool, and enter the new password set for xxxx_OPSS in step 4a. Save the changes.
-
Restart the application server, but do not start the Managed Servers.
-
Connect to the database with sqlplus as system user, and then run the following commands:
-
To change the password for xxx_OIM, run:
SQL> alter user xxx_OIM identified by NEW_PASSWORD;
-
To change the password for xxx_MDS, run:
SQL> alter user xxx_MDS identified by NEW_PASSWORD;
-
To change the password for xxx_SOAINFRA, run:
SQL> alter user xxx_SOAINFRA identified by NEW_PASSWORD;
-
To change the password for xxx_ORASDPM, run:
SQL> alter user xxx_ORASDPM identified by NEW_PASSWORD;
-
To change the password for xxx_BIPLATFORM, run:
SQL> alter user xxx_BIPLATFORM identified by NEW_PASSWORD;
-
-
Verify that the passwords have been changed. To do so, login to the database with sqlplus as each of the five users with the new passwords.
-
Login to the WebLogic Administrative Console.
-
Go to Services, Data Sources, and then perform the following:
-
Select soaOIMLookupDB, Connection Pool, and enter the new password set to xxx_OIM in step 12a.
-
Select oimJMSStoreDS, Connection Pool, and enter the new password set to xxx_OIM in step 12a.
-
Select oimOperationsDB, Connection Pool, and enter the new password set to xxx_OIM in step 12a.
-
Select ApplicationDB, Connection Pool, and enter the new password set to xxx_OIM in step 12a.
-
Select mds-oim, Connection Pool, and enter the new password set to xxx_MDS in step 12b.
-
Select mds-owsm, Connection Pool, and enter the new password set to xxx_MDS in step 12b.
-
Select mds-soa, Connection Pool, and enter the new password set to xxx_MDS in step 12b.
-
Select EDNDataSource, Connection Pool, and enter the new password set to xxx_SOAINFRA in step 12c.
-
Select EDNLocalTxDataSource, Connection Pool, and enter the new password set to xxx_SOAINFRA in step 12c.
-
Select SOADataSource, Connection Pool, and enter the new password set to xxx_SOAINFRA in step 12c.
-
Select SOALocalTxDataSource, Connection Pool, and enter the new password set to xxx_SOAINFRA in step 12c.
-
Select OraSDPMDataSource, Connection Pool, and enter the new password set to xxx_ORASDPM in step 12d.
-
-
Change OIMAuthenticationProvider configuration. To do so:
-
In the WebLogic Administrative Console, navigate to Security Realms, myrealm, and then Providers.
-
Click OIMAuthenticationProvider.
-
Click Provider Specific.
-
In the DBPassword field, enter the new Oracle Identity Governance database schema password.
-
Click Save to save the changes.
-
-
Change the domain credential store configuration. To do so:
-
Login to Oracle Enterprise Manager.
-
Navigate to Weblogic Domain, and then DOMAIN_NAME.
-
Right-click the domain name, and select Security, Credentials, and then oim.
-
Select OIMSchemaPassword, and click Edit.
-
In the Password field, enter the new password, and then click OK.
-
-
Change the oim and soa schema password in BI Publisher. To do so:
-
Login to BI Publisher.
-
Click the Administration tab.
-
Click JDBC Connection under Data Sources.
-
Click OIM JDBC, and change the password in the Password field.
-
Click Test Connection. A confirmation message is displayed when the connection is established.
-
Click Apply.
-
Repeat steps 14d through 14f for the JDBC data source BPEL JDBC.
-
-
If BI Publisher schema password is changed, then perform the following steps:
-
Login to Oracle Enterprise Manager.
-
Expand WebLogic Domain, DOMAIN_NAME.
-
Under the DOMAIN_NAME on the right pane, from the WebLogic Domain list, select JDBC Data Sources.
-
Select bip_datasource in the table, and then click Edit on the toolbar.
-
Click the Connection Pool tab. In the Database Connection Information section, change the password, and then click Apply on the upper right corner.
-
Start BI Publisher services.
-
-
Restart WebLogic Admin Server.
-
Start the SOA and Oracle Identity Governance Managed Servers.
25.3 Configuring SSL for Oracle Identity Governance
Configuring SSL for Oracle Identity Governance includes generating keys, signing and exporting certificates, setting up the SSL configuration for Oracle Identity Governance and for the components with which it interacts, and establishing secure communication between them.
A SHA-2 compliant certificate is a prerequisite for using TLS 1.2 protocol for SSL communication.
Note:
-
For information related to IBM Java 7, SR4 version support of SHA-2 cipher suites and Transport Layer Security (TLS) version 1.2 refer to IBM documentation.
-
The following sections provide several example commands. Some of them carry parameters that only enable additional debugging output and are optional, for example:
-Dweblogic.StdoutDebugEnabled=true -Dssl.debug=true -Djavax.net.debug=ssl:handshake:verbose
For Oracle JDK 8, download and apply the latest Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files: place the local_policy.jar and US_export_policy.jar files in the JAVA_HOME/jre/lib/security directory. (From JDK 8u161 onward the unlimited policy is enabled by default and this step is not needed.)
Note:
If the OPatch version is earlier than 12.1.0.1.10, then upgrade the OPatch utility by applying the p21142429_121010_Linux-x86-64.zip patch.
Apply p23176395_121020_Generic.zip patch to DB_HOME to get the support of TLS 1.2 on Oracle 12c DB (12.1.0.2).
Apply the p13964737_1036_Generic.zip WebLogic patch by using BSU if the demo identity and demo trust stores are used at the WebLogic level.
This section contains the following topics:
Note:
-
Section Generating Custom Key Stores (Optional) provides example commands that are used later in the document. These are for reference and not part of the mandatory steps of configuration.
-
For configuring Oracle User Messaging Service (UMS) notification that is SSL-based, see Using UMS for Notification.
-
For more details on configuring UMS to connect to a mail server with SSL, see Configuring Oracle User Messaging Service in Administrator's Guide for Oracle SOA Suite and Oracle Business Process Management Suite.
25.3.1 Generating Custom Key Stores (Optional)
This section includes the following topics:
Note:
The procedures described in this section are optional. These steps are required only if you use a custom identity and trust store for the WebLogic servers. SSL can be enabled with the default identity and trust store as well.
25.3.1.1 Creating the Custom Identity Store
You can generate private and public certificate pairs by using the keytool command.
The following command creates an identity keystore (oimsupportidentity.jks).
$JAVA_HOME/jre/bin/keytool -genkey -alias ALIAS -keyalg ALGORITHM -keysize KEY_SIZE -sigalg SIGN_ALGORITHM -dname DISTINGUISHED_NAME -keypass KEY_PASSWORD -keystore KEYSTORE_NAME -storepass KEYSTORE_PASSWORD
For example:
$JAVA_HOME/jre/bin/keytool -genkey -alias supportpvtkey -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -dname "CN=oimhost.example.com, OU=Identity, O=Oracle Corporation,C=US" -keypass privatepassword -keystore oimsupportidentity.jks -storepass password
Note:
-
Change the parameter values passed to the keytool command according to your requirements. Ensure that there is no line break in the keytool argument.
-
The custom identity keystore, oimsupportidentity.jks must be created or copied under WL_HOME/server/lib/.
-
In this release, JDK 8u131 is used. Therefore, the value of the keysize option must be greater than or equal to 1024. For more information about this limitation, see JDK 8u131 Update Release Notes.
25.3.1.2 Self-Signing the Certificates of the Custom Identity Keystore
Use the keytool command, passing the required parameter values, to self-sign the certificates you created.
Run the following keytool command to sign the certificates that you created (the -selfcert option takes the alias, signature algorithm and validity, not the key algorithm or size used at generation time):
$JAVA_HOME/jre/bin/keytool -selfcert -alias ALIAS -sigalg SIGN_ALGORITHM -validity VALIDITY_DAYS -keypass KEY_PASSWORD -keystore KEYSTORE_NAME -storepass KEYSTORE_PASSWORD
For example:
$JAVA_HOME/jre/bin/keytool -selfcert -alias supportpvtkey -sigalg SHA256withRSA -validity 2000 -keypass privatepassword -keystore oimsupportidentity.jks -storepass password
Note:
Change the parameter values passed to the keytool command according to your requirements. Ensure that there is no line break in the keytool argument.
25.3.1.3 Exporting the Certificate From Custom Identity Keystore
Use the keytool command to export the certificate from the identity keystore to a file, for example, supportcert.pem.
Run the following keytool command:
$JAVA_HOME/jre/bin/keytool -export -alias ALIAS -file FILE_TO_EXPORT -keypass KEY_PASSWORD -keystore KEYSTORE_NAME -storepass KEYSTORE_PASSWORD
For example, the following command exports the certificate to a file named supportpvtkeycert.pem:
$JAVA_HOME/jre/bin/keytool -export -alias supportpvtkey -file supportpvtkeycert.pem -keypass password -keystore oimsupportidentity.jks -storepass password
25.3.1.4 Importing the Certificate of Custom Identity to Trust Store
If a custom trust store is used, then import the certificate into that custom trust store. If the Java Standard Trust is used as the trust store, then import the certificate into the Java Standard Trust store, such as JAVA_HOME/jre/lib/security/cacerts.
Use the keytool command to import the certificate from a file. The syntax is:
keytool -import -alias ALIAS -trustcacerts -file FILE_TO_IMPORT -keystore KEYSTORE_NAME -storepass KEYSTORE_PASSWORD
In the following example, the certificate file supportpvtkeycert.pem is imported into the trust keystore oimsupporttrust.jks:
$JAVA_HOME/jre/bin/keytool -import -alias supportpvtkey -trustcacerts -file supportpvtkeycert.pem -keystore oimsupporttrust.jks -storepass <password>
Note:
This command loads a trusted CA certificate into the custom keystore oimsupporttrust.jks. If the keystore does not exist, it is created.
This custom trust keystore oimsupporttrust.jks must be created or copied under DOMAIN_HOME/config/fmwconfig/.
Change the parameter values passed to the keytool command according to your requirements. Ensure that there is no line break in the keytool argument.
25.3.2 Configuring Custom Key Stores (Optional)
Note:
See Generating Custom Key Stores (Optional) for information about generating custom keys.
Note:
If the CN of the certificate is not the same as the hostname of the machine where WLS is installed, then you need to set hostname verification to None. To do so, go to the SSL tab, Advanced section, and select None from the Hostname Verification list.
25.3.3 Enabling SSL for Oracle Identity Governance and SOA Servers
Enabling SSL for Oracle Identity Governance servers and other managed servers involves enabling SSL for Oracle Identity Governance, changing OimFrontEndURL and backOfficeURL to use SSL Port, and changing SOA server URL to use SSL port.
You need to perform the following configurations in Oracle Identity Governance and SOA servers to enable SSL:
25.3.3.1 Enabling SSL for Oracle Identity Governance
Enabling SSL for Oracle Identity Governance is described in the following sections:
25.3.3.1.1 Enabling SSL for Oracle Identity Governance By Using Default Setting
To enable SSL for Oracle Identity Governance and SOA servers by using default setting:
25.3.3.1.2 Enabling SSL for Oracle Identity Governance By Using Custom Identity and Custom Trust
Note:
See Generating Custom Key Stores (Optional) and Configuring Custom Key Stores (Optional) for information about generating custom keys.
25.3.3.2 Changing OimFrontEndURL to Use Oracle Identity Governance SSL Port
To change the OimFrontEndURL to use Oracle Identity Governance SSL port:
25.3.3.3 Changing backOfficeURL to Use SOA SSL Port
To change the backOfficeURL to use SOA SSL port:
25.3.3.4 Changing SOA Server URL to Use SOA SSL Port
To change SOA server URL to use SOA SSL port:
-
When the admin server and Oracle Identity Governance managed servers are running, log in to Enterprise Manager (EM).
For example:
http://ADMINISTRATIVE_SERVER/em
-
Click WebLogic Domain, and then select System MBean Browser.
-
Under Application Defined MBeans, navigate to oracle.iam, Application:oim, XMLConfig, Config, XMLConfig.SOAConfig, SOAConfig.
-
Change the values of the Rmiurl attribute.
Note:
Rmiurl is used for accessing SOA EJBs deployed on SOA managed servers.
This is the application server URL. For a clustered installation, it is a comma-separated list of all the SOA managed server URLs.
For example, for a single SOA server:
t3s://mysoa1.example.com:8002
For a SOA cluster:
t3s://mysoa1.example.com:8002,mysoa2.example.com:8003,mysoa3.example.com:8004
-
Change the value of the Soapurl attribute. For example:
https://mysoa.example.com:8002
Note:
Soapurl is used to access the SOA web services deployed on the SOA managed servers. In the case of a SOA cluster fronted by a web server or load balancer, this is the web server or load balancer URL. In the case of a single SOA server, it can be the application server URL.
-
Click Apply to save the changes.
The SOA server URL must be enabled in ForeignJNDIProvider-SOA as well:
25.3.4 Enabling SSL for Oracle Identity Governance DB
Enabling SSL for Oracle Identity Governance database involves setting up the database in server-authentication SSL mode, creating KeyStores and certificates, updating Oracle Identity Governance, and updating WebLogic Server.
You need to perform the following configurations to enable SSL for Oracle Identity Governance database:
25.3.4.1 Creating KeyStores and Certificates
You can create server-side and client-side KeyStores using the orapki utility. This utility is shipped as part of the Oracle DB installation.
KeyStores can be of any format, such as JKS or PKCS12. The format of the keystore depends on the provider implementation. For example, JKS is the implementation provided by Sun (Oracle), whereas PKCS12 is implemented by OraclePKIProvider.
Only a JKS client KeyStore is used in Oracle Identity Governance for the DB server. This is because using non-JKS KeyStore formats such as PKCS12 would require significant changes on the installer side at critical release time. Oracle Identity Governance already has a KeyStore named default-KeyStore.jks, which is in JKS format.
The following are the KeyStores that you can create using orapki utility:
25.3.4.2 Setting Up Database in Server-Authentication SSL Mode
To set up Database in Server-Authentication SSL mode:
-
Stop the Database server and the listener.
-
Configure the listener.ora file as follows:
-
Navigate to the path:
$DB_ORACLE_HOME/network/admin directory
For example:
/u01/app/user1/product/12.1.0/dbhome_1/network/admin
-
Edit the listener.ora file to include SSL listening port and Server Wallet Location.
The following is the sample listener.ora file:
# listener.ora Network Configuration File: DB_ORACLE_HOME/listener.ora
# Generated by Oracle configuration tools.
SSL_VERSION = 1.2
SSL_CLIENT_AUTHENTICATION = FALSE
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = DB_ORACLE_HOME/bin/server_keystore_ssl.p12)
    )
  )
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCPS)(HOST = server1.mycompany.com)(PORT = 2484))
    )
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = server1.mycompany.com)(PORT = 1521))
    )
  )
TRACE_LEVEL_LISTENER = SUPPORT
-
-
Configure the sqlnet.ora file as follows:
-
Navigate to the path:
$DB_ORACLE_HOME/network/admin directory
For example:
/u01/app/user1/product/12.1.0/dbhome_1/network/admin
-
Edit sqlnet.ora file to include:
-
TCPS Authentication Services
-
SSL_VERSION
-
Server Wallet Location
-
SSL_CLIENT_AUTHENTICATION type (either true or false)
-
SSL_CIPHER_SUITES that can be allowed in the communication (optional)
The following is the sample sqlnet.ora file:
# sqlnet.ora Network Configuration File: DB_ORACLE_HOME/sqlnet.ora
# Generated by Oracle configuration tools.
SQLNET.AUTHENTICATION_SERVICES= (BEQ,NTS, TCPS)
SSL_VERSION = 1.2
SSL_CLIENT_AUTHENTICATION = FALSE
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = DB_ORACLE_HOME/bin/server_keystore_ssl.p12)
    )
  )
-
-
-
Configure the tnsnames.ora file as follows:
-
Navigate to the path:
$DB_ORACLE_HOME/network/admin directory
For example:
/u01/app/user1/product/12.1.0/dbhome_1/network/admin
-
Edit the tnsnames.ora file to include SSL listening port in the description list of the service.
The following is the sample tnsnames.ora file:
# tnsnames.ora Network Configuration File: DB_ORACLE_HOME/tnsnames.ora
# Generated by Oracle configuration tools.
PRODDB =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCPS)(HOST = server1.mycompany.com)(PORT = 2484))
      (CONNECT_DATA =
        (SERVER = DEDICATED)
        (SERVICE_NAME = proddb)
      )
    )
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = server1.mycompany.com)(PORT = 1521))
      (CONNECT_DATA =
        (SERVER = DEDICATED)
        (SERVICE_NAME = proddb)
      )
    )
  )
-
-
Start/Stop utilities for Database server.
-
Start the Database server.
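Before restarting the listener it is worth verifying the three edited files mechanically, since a missing parenthesis or a stale SSL_VERSION is easy to overlook. The following Python is an added example, not part of Oracle's documentation: it parses the Oracle Net parenthesised format and checks the settings the procedure above requires (SSL_VERSION 1.2, SSL_CLIENT_AUTHENTICATION set, a wallet DIRECTORY, and a TCPS address or TCPS in SQLNET.AUTHENTICATION_SERVICES). SAMPLE is a constructed listener.ora modelled on the one shown above; tls_findings() is meant for listener.ora and sqlnet.ora, while addresses() also works on tnsnames.ora.

```python
# Added example (not Oracle's code): parse Oracle Net *.ora files and check the TLS settings from 25.3.4.2.
import re
_NAME, _WS = re.compile(r"[A-Za-z0-9_.]+"), re.compile(r"\s*")
SAMPLE = """# constructed sample listener.ora, modelled on the one above
SSL_VERSION = 1.2
SSL_CLIENT_AUTHENTICATION = FALSE
WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = DB_ORACLE_HOME/bin/server_keystore_ssl.p12)))
LISTENER = (DESCRIPTION_LIST =
  (DESCRIPTION = (ADDRESS = (PROTOCOL = TCPS)(HOST = server1.mycompany.com)(PORT = 2484)))
  (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = server1.mycompany.com)(PORT = 1521))))
"""
def _skip(src, i): return _WS.match(src, i).end()   # index of the next non-blank character

def _value(src, i):
    # A value is a scalar, or a run of "(NAME = value)" groups -> [(NAME, value), ...]
    i = _skip(src, i)
    if src[i:i + 1] == "(":
        close, eq = src.find(")", i), src.find("=", i)
        if eq == -1 or close < eq:      # bare list such as (BEQ,NTS, TCPS)
            return src[i + 1:close].strip(), close + 1
        groups = []
        while src[i:i + 1] == "(":
            m = _NAME.match(src, _skip(src, i + 1))
            j = _skip(src, m.end())     # AttributeError here means a malformed group
            assert src[j:j + 1] == "=", f"expected '=' after {m.group()}"
            val, j = _value(src, j + 1)
            j = _skip(src, j)
            assert src[j:j + 1] == ")", f"expected ')' after {m.group()}"
            groups.append((m.group(), val))
            i = _skip(src, j + 1)
        return groups, i
    j = i
    while j < len(src) and src[j] not in ")\n":   # scalar runs to ')' or end of line
        j += 1
    return src[i:j].strip(), j

def parse_oracle_net(text):             # -> {PARAMETER: value}; '#' starts a comment
    src = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    params, i = {}, _skip(src, 0)
    while i < len(src):
        m = _NAME.match(src, i)
        i = _skip(src, m.end()) if m else i
        if not m or src[i:i + 1] != "=":
            raise ValueError(f"expected 'NAME =' near offset {i}")
        params[m.group()], i = _value(src, i + 1)
        i = _skip(src, i)
    return params

def _walk(value):                       # every nested (NAME, value) entry below value
    for name, val in (value if isinstance(value, list) else []):
        yield name, val
        yield from _walk(val)

def addresses(params):                  # every ADDRESS group as (PROTOCOL, HOST, PORT)
    return [tuple(map(dict(v).get, ("PROTOCOL", "HOST", "PORT")))
            for n, v in _walk(list(params.items())) if n == "ADDRESS"]

def tls_findings(params):               # problems in a listener.ora/sqlnet.ora; [] if none
    found = []
    if params.get("SSL_VERSION") != "1.2":
        found.append("SSL_VERSION is not 1.2")
    if str(params.get("SSL_CLIENT_AUTHENTICATION", "")).upper() not in ("TRUE", "FALSE"):
        found.append("SSL_CLIENT_AUTHENTICATION is not set")
    if not any(n == "DIRECTORY" and v for n, v in _walk(params.get("WALLET_LOCATION"))):
        found.append("WALLET_LOCATION has no DIRECTORY")
    services = str(params.get("SQLNET.AUTHENTICATION_SERVICES", "")).replace(" ", "")
    if "TCPS" not in services.split(",") and "TCPS" not in [a[0] for a in addresses(params)]:
        found.append("no TCPS address and TCPS not in SQLNET.AUTHENTICATION_SERVICES")
    return found
```

Run it as `tls_findings(parse_oracle_net(open("listener.ora").read()))`; an empty list means the file carries the settings this section requires, and note that the sample, like the one above, still keeps the plain TCP listener on 1521 alongside TCPS.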
25.3.4.3 Updating Oracle Identity Governance
You need to perform the following steps in Oracle Identity Governance to enable Oracle Identity Governance and Oracle Identity Governance DB in SSL mode for a secure communication:
25.3.4.4 Updating WebLogic Server
After enabling SSL for Oracle Identity Governance Database, you need to change the following Oracle Identity Governance datasources and authenticators to use Database SSL port:
Note:
Before performing changes to database host/port, you must shutdown the managed servers hosting Oracle Identity Governance application. However, you can keep the WebLogic Admin Server up and running.
25.3.4.4.1 Updating Datasource oimOperationsDB Configuration
To update the Change Datasource oimOperationsDB Configuration:
25.3.4.4.2 Updating Oracle Identity Governance Authenticators
The existing Oracle Identity Governance authenticators in the WebLogic server are configured against Non-SSL DB details and they do not use datasources for communicating with Oracle Identity Governance DB. In order to use SSL DB details in the authenticators, you must perform the following:
-
Ensure that Datasources are configured to SSL.
-
In WebLogic Administrative console, navigate to Security Realms, myrealm, Providers.
-
Remove OIMAuthenticationProvider.
-
Create an authentication provider of type "OIMAuthenticator" and mark the control flag as SUFFICIENT.
-
Create an authentication provider of type "OIMSignatureAuthenticator" and mark the control flag as SUFFICIENT.
-
Reorder the authenticators as:
-
DefaultAuthenticator
-
OIMAuthenticator
-
OIMSignatureAuthenticator
-
Other providers if any
-
-
Restart all servers.
25.3.5 Enabling SSL for SOA Approval Composites
Enabling SSL for SOA approval composites involves updating the HTTPS port for each composite with a Human Workflow component type that has a valid worklist URL entry that must use the HTTPS port.
To enable SSL for SOA approval composites:
- Ensure that the SOA Managed Server is running.
- Log in to Oracle Enterprise Manager by using your WebLogic Server administrator credentials.
- Click the Target Navigation image shown on the left of the domain name in upper left corner of the Enterprise Manager console.
- Click SOA, and then select soa-infra(SOA_SERVER_NAME).
- Click the Deployed Composite tab.
- Click the DefaultOperationalApproval [6.0] composite.
- In the Components section, click the ApprovalTask link of type Human Workflow.
- Click the Administration tab.
- Make the required changes to Host Name, HTTP Port, and HTTPS Port.
- Repeat steps 7 through 9 for each composite with a Human Workflow component type that has a valid worklist URL entry that must now use the HTTPS port, such as DefaultOperationalApproval [6.0].
25.3.6 Configuring SSL for Design Console
Note:
-
To get trust store location, in the WebLogic Server Administration Console, click Environment, Servers. Click OIM_SERVER_NAME to view details of the Oracle Identity Governance server.
Click KeyStores tab and note down the Trust keystore location in the Trust section.
-
If the Design Console and Oracle Identity Governance are deployed on different hosts, then copy the trust keystore to the host on which the Design Console is deployed, and set the TRUSTSTORE_LOCATION environment variable to the location where the trust keystore was copied on the local host.
For example:
setenv TRUSTSTORE_LOCATION OIM_HOME/designconsole/copied_oimsupporttrust.jks
25.3.7 Configuring SSL for Oracle Identity Governance Utilities
Oracle Identity Governance client utilities include PurgeCache, GenerateSnapshot, UploadJars, and UploadResources.
25.4 Using Ready App
Understand, register, and use Ready App to allow applications that are not fully initialized at the time when WebLogic Server completes the application’s deployment to register their desire to participate in the readiness state of the server and tell the server when it is fully initialized.
This section contains the following topics:
25.4.1 About Ready App
Ready App is a mechanism within WebLogic that allows an application to influence the ready state of the server and/or partition in which it runs. This is done by registering and using the ready() and notReady() methods of the ReadyLifecycle Java interface.
For many applications, everything in the server is ready to receive requests once WebLogic Server (WLS) is in the RUNNING state. But for some applications, asynchronous processing may be occurring that takes longer than WebLogic Server's startup cycle. If there is a possibility that your application is not going to be ready to handle requests when WebLogic reaches the RUNNING state, then that application should register with ReadyApp. Load balancers and lifecycle tooling should always use the ReadyApp URL to determine whether a WebLogic Server instance is ready to receive requests, in case one of the deployed applications is not ready when the server reaches the RUNNING state.
During the startup process of the Fusion Middleware applications, WebLogic Server has no visibility into the startup processes of upper-stack applications, such as SOA Suite or BPM. This creates a situation where a load balancer or another WLS instance prematurely starts routing traffic to a server that is not yet fully functional. In addition, it is difficult for patch tools and other lifecycle operations to determine when a server is ready during automated steps involving server restarts. This document defines a mechanism for the upper-stack applications to register with WLS and to notify the WLS startup process when the application startup is complete.
The purpose of this framework is to allow applications that are not fully initialized at the time WebLogic Server completes the application’s deployment to register their intent to participate in the readiness state of the server and tell the server when it is fully initialized. This is important for the following purposes:
-
For any automation mechanism, tools need a reliable way to determine when the server, with all of its applications, is ready to process requests. This check enables the automation tooling to know when it is safe to proceed to the next step of the process. For example, when a tool needs to perform a rolling restart of a set of servers, it is vital that the server that was just restarted be completely available before initiating the shutdown of the next server in the domain or cluster, so that the domain or cluster does not end up in a state where more than one server is unavailable (or still starting or initializing).
-
For load balancing purposes, this framework provides a reliable health-check URL for the server (and the partition in the case of multi-tenancy) so that the load balancer can reliably determine when the server is ready to accept requests.
If your application is fully initialized and ready to accept requests as soon as WebLogic Server completes the deployment of the application during startup (that is, by the time that the server listen port is opened), then there is no need for an application to participate or use this framework.
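The rolling-restart guard described in the first bullet, as an added Python example that is not part of the Oracle documentation: each server is restarted only after the previously restarted one reports ready through its ReadyApp URL, so the domain never has two servers down at once. It assumes the ReadyApp URL path is /weblogic/ready and that it answers HTTP 200 once every registered application has called ready() and 503 while any is Not Ready; the restart action, probe, clock and sleep are injectable so the logic can be exercised offline.

```python
# Added example (not Oracle's code): a rolling-restart gate that waits for each WebLogic
# server's ReadyApp URL before touching the next server, as 25.4.1 recommends.
# Assumption: the ReadyApp URL is http://host:port/weblogic/ready and answers HTTP 200
# once every registered application has called ready(), 503 while any is Not Ready.
import time
import urllib.error
import urllib.request

READY_PATH = "/weblogic/ready"          # assumed ReadyApp URL path


def http_ready_probe(base_url, timeout=5.0):
    """HTTP status of the ReadyApp URL; a refused or dropped connection counts as 503."""
    try:
        with urllib.request.urlopen(base_url + READY_PATH, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:       # 503 while the server is Not Ready
        return err.code
    except (urllib.error.URLError, OSError):    # listen port not open yet
        return 503


def wait_until_ready(probe, timeout, interval=1.0, clock=time.monotonic, sleep=time.sleep):
    """Poll probe() until it returns 200. Returns the number of polls, or None on timeout."""
    deadline, polls = clock() + timeout, 0
    while True:
        polls += 1
        if probe() == 200:
            return polls
        if clock() >= deadline:
            return None
        sleep(interval)


def rolling_restart(servers, restart, probe_for, timeout=600, **poll_args):
    """Restart servers one at a time: the next server is taken down only after the
    previous one reports ready, so no two servers are unavailable at once.
    restart(server) performs the restart; probe_for(server) returns the ReadyApp status."""
    done = []
    for server in servers:
        restart(server)
        if wait_until_ready(lambda: probe_for(server), timeout, **poll_args) is None:
            raise RuntimeError(f"{server} not ready after {timeout}s; halting the rollout")
        done.append(server)
    return done


if __name__ == "__main__":
    # Offline demonstration with a simulated probe; against a real domain use
    # probe_for=lambda s: http_ready_probe(f"http://{s}") and a real restart action.
    print(rolling_restart(["server1:7001", "server2:7001"],   # constructed names
                          restart=lambda s: print("restarting", s),
                          probe_for=lambda s: 200))
```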
25.4.2 Registering Your Applications with Ready App
To use the Ready App feature, you have to register your application with Ready App. To do so, add the following element to the application's META-INF\weblogic-application.xml file:
<wls:ready-registration>true</wls:ready-registration>
Note:
Depending on the contents of your weblogic-application.xml file, the 'wls:' prefix may or may not be required. If other tags do not have the prefix, then remove it from the Ready App registration tag.
Once registered, the application is automatically marked Not Ready on application startup. Ready App also automatically unregisters your application if the application is undeployed from WebLogic.
25.4.3 Using Ready App with an EAR
To use Ready App with an EAR, register your application with Ready App and make calls to the ready() and notReady() methods.
The ready() and notReady() methods can each throw two different run time exceptions:
Exception | Description |
---|---|
IllegalArgumentException | This exception occurs when the applicationId reported by the Component Invocation Context is null. |
IllegalStateException | This exception occurs when the application has not been properly registered. Check the deployment descriptor for proper setup. |
25.4.4 Using Ready App with a WAR
To use Ready App with a WAR, register your application with Ready App and make calls to the ready() and notReady() methods.
Note:
These instructions only apply to independently deployed WAR files. If you deploy your application as a WAR inside of an EAR, then see the instructions in Using Ready App with an EAR.
The ready() and notReady() methods can each throw two different run time exceptions:
Exception | Description |
---|---|
IllegalArgumentException | This exception occurs when the applicationId reported by the Component Invocation Context is null. |
IllegalStateException | This exception occurs when the application has not been properly registered. Check the deployment descriptor for proper setup. |
25.4.5 Testing Ready App
To test whether or not Ready App is working, log in to the WebLogic Administrative Console and enable the debug setting DebugReadyApp.
In this example, three applications are deployed to the server: one in the global partition, and one in each of the other partitions. The debug output shows a value of 1 for each, which means Not Ready. Once the ready() method is called on these applications, the value becomes 0, indicating that the application is ready.
If all applications are ready, then the server is considered ready. It is possible for one partition to have all of its applications ready while applications in other partitions are not yet ready.