2 Integrating Oracle Access Manager and LDAP
Integrating Oracle Access Manager with LDAP involves preparing the identity store (IDStore), adding the missing object classes to existing users, and configuring OAM, each using the OIGOAMIntegration.sh automated script.
2.1 Preparing IDStore Using Automated Script
Prepare the IDStore using the OIGOAMIntegration.sh automated script for OIG-OAM integration.
The script configures the identity store and policy store: it creates the groups, sets ACIs on the various containers, adds the necessary users, and associates the users with groups in the identity store. This step is equivalent to running idmConfigTool.sh -prepareIDStore and idmConfigTool.sh -prepareIDStore -mode=ALL. See prepareIDStore Command.
- Open the prepareIDStore.all.config file from the OIG Oracle home directory (located at ORACLE_HOME/idm/server/ssointg/config) in a text editor and update the parameters.

Example prepareIDStore.all.config file:

IDSTORE_DIRECTORYTYPE: OID
IDSTORE_HOST: idstore.example.com
IDSTORE_PORT: 3060
IDSTORE_BINDDN: cn=orcladmin
IDSTORE_BINDDN_PWD: <password>
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_SEARCHBASE: dc=example,dc=com
IDSTORE_USERSEARCHBASE: cn=Users,dc=example,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com
IDSTORE_SYSTEMIDBASE: cn=systemids,dc=example,dc=com
IDSTORE_READONLYUSER: IDROUser
IDSTORE_READWRITEUSER: IDRWUser
IDSTORE_SUPERUSER: weblogic_fa
IDSTORE_OAMSOFTWAREUSER: oamLDAP
IDSTORE_OAMADMINUSER: oamAdmin
IDSTORE_OIMADMINUSER: oimLDAP
IDSTORE_OIMADMINGROUP: OIMAdministrators
IDSTORE_WLSADMINUSER: weblogic_idm
IDSTORE_WLSADMINGROUP: IDM Administrators
IDSTORE_OAAMADMINUSER: oaamAdminUser
## The domain for the email - e.g. user@example.com
IDSTORE_EMAIL_DOMAIN: company.com
POLICYSTORE_SHARES_IDSTORE: true
OAM11G_IDSTORE_ROLE_SECURITY_ADMIN: OAMAdministrators
## If you are using OUD as the identity store, then the additional properties are:
#IDSTORE_ADMIN_PORT: 4444
#IDSTORE_KEYSTORE_FILE: /u01/config/instances/oud1/OUD/config/admin-keystore
## The value of the IDSTORE_KEYSTORE_PASSWORD parameter is the content of the /u01/config/instances/oud1/OUD/config/admin-keystore.pin
#IDSTORE_KEYSTORE_PASSWORD: <PASSWORD>

The <password> placeholder is shown only to mark where a value would go. All password keys can be omitted, in which case the script prompts for them at run time; if you do keep credentials in the file, restrict it to its owner (chmod 600) and remove them after the run.
The following table describes the parameters that you can set in the prepareIDStore.all.config file.

Table 2-1 Parameters in prepareIDStore.all.config File

IDSTORE_DIRECTORYTYPE
    The identity store directory type. Valid values are OID, OUD, and AD.
    Sample value: OID

IDSTORE_HOST
    The identity store host name.
    Sample value: idstore.example.com

IDSTORE_PORT
    The identity store LDAP port.
    Sample value: 3060

IDSTORE_BINDDN
    An administrative user in Oracle Internet Directory, Oracle Unified Directory, or Active Directory.
    Sample values: OID: cn=orcladmin; OUD: cn=oudadmin; AD: CN=Administrator,CN=Users,DC=example,DC=com

IDSTORE_BINDDN_PWD
    The password for the administrative user in Oracle Internet Directory, Oracle Unified Directory, or Microsoft Active Directory.
    Sample value: password

IDSTORE_USERNAMEATTRIBUTE
    The attribute used to set and search for user names in the identity store.
    Sample value: cn

IDSTORE_LOGINATTRIBUTE
    The identity store attribute that contains the user's login name.
    Sample value: uid

IDSTORE_SEARCHBASE
    The location in the directory under which users and groups are stored.
    Sample value: dc=example,dc=com

IDSTORE_USERSEARCHBASE
    The container under which Access Manager searches for users.
    Sample value: cn=users,dc=example,dc=com

IDSTORE_GROUPSEARCHBASE
    The location in the directory where groups are stored.
    Sample value: cn=groups,dc=example,dc=com

IDSTORE_SYSTEMIDBASE
    The container in the directory where system-operations users are stored. There are only a few such users, and they are kept separate from the enterprise users in the main user container. An example is the Oracle Identity Governance reconciliation user, which is also used as the bind DN user in Oracle Virtual Directory adapters.
    Sample value: cn=systemids,dc=example,dc=com

IDSTORE_READONLYUSER
    The user with read-only permissions on the identity store.
    Sample value: IDROUser

IDSTORE_READWRITEUSER
    The user with read-write permissions on the identity store.
    Sample value: IDRWUser

IDSTORE_SUPERUSER
    The Oracle Fusion Applications superuser in the identity store.
    Sample value: weblogic_fa

IDSTORE_OAMSOFTWAREUSER
    The LDAP user that OAM uses to interact with LDAP.
    Sample value: oamLDAP

IDSTORE_OAMADMINUSER
    The user you use to access the Oracle Access Management Console.
    Sample value: oamAdmin

IDSTORE_OAMADMINUSER_PWD
    The password for the user you use to access the Oracle Access Management Console.
    Note: All password fields are optional. If you leave them out of the file (which avoids storing plaintext credentials on disk), the script prompts for them when it runs.
    Sample value: password

IDSTORE_OIMADMINUSER
    The user that Oracle Identity Governance uses to connect to the identity store.
    Sample value: oimLDAP

IDSTORE_OIMADMINUSER_PWD
    The password for the user that Oracle Identity Governance uses to connect to the identity store.
    Sample value: password

IDSTORE_OIMADMINGROUP
    The group to create to hold your Oracle Identity Governance administrative users.
    Sample value: OIMAdministrators

IDSTORE_WLSADMINUSER
    The identity store administrator for Oracle WebLogic Server.
    Note: This is the default user name for the WebLogic administrator user.
    Sample value: weblogic_idm

IDSTORE_WLSADMINUSER_PWD
    The password for the identity store administrator for Oracle WebLogic Server.
    Sample value: password

IDSTORE_WLSADMINGROUP
    The identity store administrator group for Oracle WebLogic Server.
    Sample value: wlsadmingroup

IDSTORE_OAAMADMINUSER
    The user to create as your Oracle Adaptive Access Manager administrator. This user is created by the tool.
    Sample value: oaamAdminUser

IDSTORE_XELSYSADMINUSER_PWD
    The password of the system administrator (xelsysadm) for Oracle Identity Governance. It must match the value configured in Oracle Identity Governance.
    Sample value: password

POLICYSTORE_SHARES_IDSTORE
    Set to true if your policy and identity stores are in the same directory; otherwise set to false.
    Sample value: true

IDSTORE_ADMIN_PORT
    The administration port of your Oracle Unified Directory instance. Ignore this parameter if you are not using Oracle Unified Directory.
    Sample value: 4444

IDSTORE_KEYSTORE_FILE
    The location of the Oracle Unified Directory keystore file, which is used to secure communication with OUD over the administration port. The file is called admin-keystore and is located in OUD_ORACLE_INSTANCE/OUD/config. It must be on the same host on which the OIGOAMIntegration.sh command runs; the command uses it to authenticate itself to OUD. Ignore this parameter if you are not using Oracle Unified Directory.
    Sample value: /u01/config/instances/oud1/OUD/config/admin-keystore

IDSTORE_KEYSTORE_PASSWORD
    The password of the Oracle Unified Directory keystore, which is the content of OUD_ORACLE_INSTANCE/OUD/config/admin-keystore.pin. That file holds the password in the clear, so keep it readable only by the OUD owner. Ignore this parameter if you are not using Oracle Unified Directory.
    Sample value: password
- Run the automated script for OIG-OAM integration to seed the directory with the users, roles, and ob* (OAM) schema extensions:

OIGOAMIntegration.sh -prepareIDStore

Note:
For Active Directory, grant the ACLs manually after running OIGOAMIntegration.sh -prepareIDStore. See Granting ACLs Manually for Active Directory.

You have successfully executed the automated script for preparing the IDStore.
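Before running the script, it is worth checking the config file for the mistakes that make the run fail or leak credentials: missing mandatory keys, an unsupported directory type, the OUD-only parameters left commented out, passwords left in the file, and a file readable by other users on the host. The following shell script is an added example written for this page; it is not part of OIGOAMIntegration.sh or of Oracle's tooling. The two sample config files it writes are constructed for the demonstration, and the set of keys it treats as mandatory is an assumption drawn from the parameter table above.

```shell
#!/bin/sh
# Added example for this page, not part of OIGOAMIntegration.sh: sanity-check a
# prepareIDStore.all.config before running the script. The list of mandatory
# keys is an assumption drawn from the parameter table; adjust it to your run.

# Value of KEY in a "KEY: value" file (first match; commented lines ignored).
cfg_get() { sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1; }

flag() { echo "$1"; findings=$((findings + 1)); }

# Print findings for FILE; exit status 0 only when there are none.
check_idstore_config() {
    f=$1
    findings=0
    # 1. Keys the script cannot run without.
    for k in IDSTORE_DIRECTORYTYPE IDSTORE_HOST IDSTORE_PORT IDSTORE_BINDDN \
             IDSTORE_SEARCHBASE IDSTORE_USERSEARCHBASE IDSTORE_GROUPSEARCHBASE \
             IDSTORE_SYSTEMIDBASE; do
        [ -n "$(cfg_get "$f" "$k")" ] || flag "MISSING  $k"
    done
    # 2. Directory type must be one the script understands.
    dtype=$(cfg_get "$f" IDSTORE_DIRECTORYTYPE)
    case "$dtype" in
        OID|OUD|AD) ;;
        *) flag "INVALID  IDSTORE_DIRECTORYTYPE='$dtype' (expected OID, OUD or AD)" ;;
    esac
    # 3. OUD needs the admin port and admin-keystore, which ship commented out
    #    in the sample file and are easy to forget to uncomment.
    if [ "$dtype" = OUD ]; then
        for k in IDSTORE_ADMIN_PORT IDSTORE_KEYSTORE_FILE; do
            [ -n "$(cfg_get "$f" "$k")" ] || flag "MISSING  $k (required for OUD)"
        done
    fi
    # 4. Credentials left in the file: any *_PWD / *_PASSWORD key with a value.
    #    Leave these empty (or omit them) so the script prompts instead.
    for k in $(grep -E '^[[:space:]]*[A-Z0-9_]+(_PWD|_PASSWORD):[[:space:]]*[^[:space:]]' "$f" | sed 's/:.*//'); do
        flag "SECRET   $k holds a plaintext value; remove it and let the script prompt"
    done
    # 5. The file must not be readable by group or others (it names every
    #    privileged account in the directory even without passwords).
    if ls -ld "$f" | cut -c5-10 | grep -q '[rwx]'; then
        flag "PERMS    $f is accessible to group/other; chmod 600 it"
    fi
    echo "$findings finding(s) in $f"
    [ "$findings" -eq 0 ]
}

# Constructed sample files (not from the page) in a private temp directory:
# good.config is an OUD config with no secrets; bad.config has the usual slips.
write_sample_configs() {
    SAMPLE_DIR=$(mktemp -d)
    trap 'rm -rf "$SAMPLE_DIR"' EXIT
    cat > "$SAMPLE_DIR/good.config" <<'EOF'
IDSTORE_DIRECTORYTYPE: OUD
IDSTORE_HOST: idstore.example.com
IDSTORE_PORT: 1389
IDSTORE_BINDDN: cn=oudadmin
IDSTORE_BINDDN_PWD:
IDSTORE_SEARCHBASE: dc=example,dc=com
IDSTORE_USERSEARCHBASE: cn=Users,dc=example,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com
IDSTORE_SYSTEMIDBASE: cn=systemids,dc=example,dc=com
IDSTORE_ADMIN_PORT: 4444
IDSTORE_KEYSTORE_FILE: /u01/config/instances/oud1/OUD/config/admin-keystore
#IDSTORE_KEYSTORE_PASSWORD: <PASSWORD>
EOF
    cat > "$SAMPLE_DIR/bad.config" <<'EOF'
IDSTORE_DIRECTORYTYPE: OUD
IDSTORE_HOST: idstore.example.com
IDSTORE_PORT: 1389
IDSTORE_BINDDN: cn=oudadmin
IDSTORE_BINDDN_PWD: Welcome1
IDSTORE_SEARCHBASE: dc=example,dc=com
IDSTORE_USERSEARCHBASE: cn=Users,dc=example,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com
IDSTORE_OAMADMINUSER_PWD: Welcome1
EOF
    chmod 600 "$SAMPLE_DIR/good.config"
    chmod 644 "$SAMPLE_DIR/bad.config"
}

write_sample_configs
for c in good bad; do
    echo "== $c.config"
    check_idstore_config "$SAMPLE_DIR/$c.config" ||
        echo "fix the findings before running OIGOAMIntegration.sh -prepareIDStore"
done
```

Point check_idstore_config at your real file (with the mandatory-key list adjusted for your directory type) and run it with the same user that will run OIGOAMIntegration.sh, so the permission check reflects what that account sees.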
Verifying the Identity Store and Policy Store Configuration
Check the following in your LDAP directory:
- The user and group search bases you specified in the prepareIDStore.all.config file exist in the directory.
- The user container, group container, and system ID container exist in the directory.
- The systemids container contains the users named by IDSTORE_READONLYUSER, IDSTORE_READWRITEUSER, IDSTORE_OAMSOFTWAREUSER, and IDSTORE_OIMADMINUSER (IDROUser, IDRWUser, oamLDAP, and oimLDAP in the sample prepareIDStore.all.config). You can provide and use your own values.
- The user container contains the users named by IDSTORE_OAMADMINUSER, IDSTORE_SUPERUSER, and IDSTORE_WLSADMINUSER (oamAdmin, weblogic_fa, and weblogic_idm in the sample prepareIDStore.all.config) and the xelsysadm user. You can provide and use your own values.
- The group container contains the OAMAdministrators, OIMAdministrators, BIReportAdministrator, Session REST API, wlsadmingroup (the group named by IDSTORE_WLSADMINGROUP), orclFAGroup, and OAAM groups.
- Access is granted to the changelog for OUD:
If you are using Oracle Unified Directory, you must grant access to the changelog by performing the following steps on the single-node LDAP host, or on LDAPHOST1 and LDAPHOST2 for multi-node LDAP instances:
- Create a file called passwordfile that contains the password you use to connect to OUD. Make it readable only by its owner (chmod 600 passwordfile) and delete it when you are done. Then remove the ACI that denies everyone access to the changelog:

OUD_ORACLE_INSTANCE/OUD/bin/dsconfig set-access-control-handler-prop --remove \
  global-aci:"(target=\"ldap:///cn=changelog\")(targetattr=\"*\")(version 3.0; acl \"External changelog access\"; deny (all) userdn=\"ldap:///anyone\";)" \
  --hostname <OUD Host> \
  --port <OUD Admin Port> \
  --trustAll \
  --bindDN cn=oudadmin \
  --bindPasswordFile passwordfile \
  --no-prompt

For example:

OUD_ORACLE_INSTANCE/OUD/bin/dsconfig set-access-control-handler-prop --remove \
  global-aci:"(target=\"ldap:///cn=changelog\")(targetattr=\"*\")(version 3.0; acl \"External changelog access\"; deny (all) userdn=\"ldap:///anyone\";)" \
  --hostname LDAPHOST1.example.com \
  --port 4444 \
  --trustAll \
  --bindDN cn=oudadmin \
  --bindPasswordFile passwordfile \
  --no-prompt

--trustAll accepts whatever certificate the administration port presents. That is acceptable when you run dsconfig on the OUD host itself; from another host, validate the server certificate with --trustStorePath instead.

- Add the new ACI, which grants changelog access only to the OIMAdministrators group:

OUD_ORACLE_INSTANCE/OUD/bin/dsconfig set-access-control-handler-prop --add \
  global-aci:"(target=\"ldap:///cn=changelog\")(targetattr=\"*\")(version 3.0; acl \"External changelog access\"; allow (read,search,compare,add,write,delete,export) groupdn=\"ldap:///cn=OIMAdministrators,cn=groups,dc=example,dc=com\";)" \
  --hostname <OUD Host> \
  --port <OUD Admin Port> \
  --trustAll \
  --bindDN cn=oudadmin \
  --bindPasswordFile passwordfile \
  --no-prompt

For example:

OUD_ORACLE_INSTANCE/OUD/bin/dsconfig set-access-control-handler-prop --add \
  global-aci:"(target=\"ldap:///cn=changelog\")(targetattr=\"*\")(version 3.0; acl \"External changelog access\"; allow (read,search,compare,add,write,delete,export) groupdn=\"ldap:///cn=OIMAdministrators,cn=groups,dc=example,dc=com\";)" \
  --hostname LDAPHOST1.example.com \
  --port 4444 \
  --trustAll \
  --bindDN cn=oudadmin \
  --bindPasswordFile passwordfile \
  --no-prompt
- Additional OUD grants are created:
Update OUD_ORACLE_INSTANCE/OUD/config/config.ldif on all OUD instances with the following changes. (Because these are global ACIs, you can also make the same changes with dsconfig set-access-control-handler-prop --remove and --add, as in the previous step, which avoids editing the configuration file of a running server.)
- Locate the following line:

ds-cfg-global-aci: (targetcontrol="1.3.6.1.1.12 || 1.3.6.1.1.13.1 || 1.3.6.1.1.13.2 || 1.2.840.113556.1.4.319 || 1.2.826.0.1.3344810.2.3 || 2.16.840.1.113730.3.4.18 || 2.16.840.1.113730.3.4.9 || 1.2.840.113556.1.4.473 || 1.3.6.1.4.1.42.2.27.9.5.9") (version 3.0; acl "Authenticated users control access"; allow(read) userdn="ldap:///all";)

Remove the object identifier 1.2.840.113556.1.4.319 (the Simple Paged Results control) from this ACI and add it to the following ACI, as shown:

ds-cfg-global-aci: (targetcontrol="2.16.840.1.113730.3.4.2 || 2.16.840.1.113730.3.4.17 || 2.16.840.1.113730.3.4.19 || 1.3.6.1.4.1.4203.1.10.2 || 1.3.6.1.4.1.42.2.27.8.5.1 || 2.16.840.1.113730.3.4.16 || 2.16.840.1.113894.1.8.31 || 1.2.840.113556.1.4.319") (version 3.0; acl "Anonymous control access"; allow(read) userdn="ldap:///anyone";)

- Add the object identifiers 1.3.6.1.4.1.26027.1.5.4 and 1.3.6.1.4.1.26027.2.3.4 to the "Authenticated users control access" ACI, as shown:

ds-cfg-global-aci: (targetcontrol="1.3.6.1.1.12 || 1.3.6.1.1.13.1 || 1.3.6.1.1.13.2 || 1.2.826.0.1.3344810.2.3 || 2.16.840.1.113730.3.4.18 || 2.16.840.1.113730.3.4.9 || 1.2.840.113556.1.4.473 || 1.3.6.1.4.1.42.2.27.9.5.9 || 1.3.6.1.4.1.26027.1.5.4 || 1.3.6.1.4.1.26027.2.3.4") (version 3.0; acl "Authenticated users control access"; allow(read) userdn="ldap:///all";)

- Restart the Oracle Unified Directory server on all LDAPHOSTs.
- Additional OUD indexes are created:
When you ran OIGOAMIntegration.sh -prepareIDStore to prepare an OUD identity store, it created indexes for the data on the instance it was run against. You must create these indexes manually on each additional OUD instance (LDAPHOST2 in this example). To do this, run the following commands on LDAPHOST2:

OUD_ORACLE_INSTANCE/OUD/bin/ldapmodify -h LDAPHOST2.example.com -Z -X -p 4444 -a -D "cn=oudadmin" -j passwordfile -c \
  -f IAD_ORACLE_HOME/idm/oam/server/oim-intg/ldif/ojd/schema/ojd_user_index_generic.ldif

OUD_ORACLE_INSTANCE/OUD/bin/ldapmodify -h LDAPHOST2.example.com -Z -X -p 4444 -a -D "cn=oudadmin" -j passwordfile -c \
  -f IAD_ORACLE_HOME/idm/idmtools/templates/oud/oud_indexes_extn.ldif
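The config.ldif edit in the "Additional OUD grants" item above is easy to get wrong by hand when it has to be repeated on every instance. The following shell script is an added example written for this page, not part of OUD or of OIGOAMIntegration.sh; it performs the same three changes with awk and then verifies the result. It assumes each ds-cfg-global-aci value occupies a single line, as shown above (LDIF can fold long values over continuation lines that begin with a space; unfold them first if your file is folded), and the config.ldif fragment it writes is constructed from the two ACI lines on this page.

```shell
#!/bin/sh
# Added example for this page, not part of OUD or OIGOAMIntegration.sh: apply
# the config.ldif ACI changes described above with awk, idempotently, and
# verify them. Assumes each ds-cfg-global-aci value is on one line.

# Rewrite FILE in place (mode preserved). Running it twice changes nothing.
patch_control_acis() {
    f=$1
    awk '
    /acl "Authenticated users control access"/ {
        # 1. Remove the Simple Paged Results control (1.2.840.113556.1.4.319)
        #    from the ACI that applies only to authenticated binds.
        sub(/ \|\| 1\.2\.840\.113556\.1\.4\.319/, "")
        # 2. Add the two OUD controls to that ACI, unless already present.
        if ($0 !~ /1\.3\.6\.1\.4\.1\.26027\.1\.5\.4/)
            sub(/"\) \(version 3\.0; acl "Authenticated/,
                " || 1.3.6.1.4.1.26027.1.5.4 || 1.3.6.1.4.1.26027.2.3.4\") (version 3.0; acl \"Authenticated")
    }
    /acl "Anonymous control access"/ {
        # 3. Allow the paged-results control for anonymous binds, unless present.
        if ($0 !~ /1\.2\.840\.113556\.1\.4\.319/)
            sub(/"\) \(version 3\.0; acl "Anonymous/,
                " || 1.2.840.113556.1.4.319\") (version 3.0; acl \"Anonymous")
    }
    { print }
    ' "$f" > "$f.new" && cat "$f.new" > "$f" && rm -f "$f.new"
}

# The full ds-cfg-global-aci line whose acl name is NAME.
aci_line() { grep -F "acl \"$2\"" "$1"; }

# Exit 0 only when the file is in the state the page describes.
verify_control_acis() {
    auth=$(aci_line "$1" "Authenticated users control access")
    anon=$(aci_line "$1" "Anonymous control access")
    case "$auth" in *1.2.840.113556.1.4.319*) return 1 ;; esac
    case "$auth" in *1.3.6.1.4.1.26027.1.5.4*1.3.6.1.4.1.26027.2.3.4*) ;; *) return 1 ;; esac
    case "$anon" in *1.2.840.113556.1.4.319*) ;; *) return 1 ;; esac
    return 0
}

# Constructed config.ldif fragment: the two ACIs as they look before the edit.
write_sample_ldif() {
    LDIF=$(mktemp)
    CLEANUP="$CLEANUP $LDIF"
    trap 'rm -f $CLEANUP' EXIT
    cat > "$LDIF" <<'EOF'
dn: cn=Access Control Handler,cn=config
objectClass: ds-cfg-access-control-handler
ds-cfg-global-aci: (targetcontrol="1.3.6.1.1.12 || 1.3.6.1.1.13.1 || 1.3.6.1.1.13.2 || 1.2.840.113556.1.4.319 || 1.2.826.0.1.3344810.2.3 || 2.16.840.1.113730.3.4.18 || 2.16.840.1.113730.3.4.9 || 1.2.840.113556.1.4.473 || 1.3.6.1.4.1.42.2.27.9.5.9") (version 3.0; acl "Authenticated users control access"; allow(read) userdn="ldap:///all";)
ds-cfg-global-aci: (targetcontrol="2.16.840.1.113730.3.4.2 || 2.16.840.1.113730.3.4.17 || 2.16.840.1.113730.3.4.19 || 1.3.6.1.4.1.4203.1.10.2 || 1.3.6.1.4.1.42.2.27.8.5.1 || 2.16.840.1.113730.3.4.16 || 2.16.840.1.113894.1.8.31") (version 3.0; acl "Anonymous control access"; allow(read) userdn="ldap:///anyone";)
EOF
}

write_sample_ldif
patch_control_acis "$LDIF"
if verify_control_acis "$LDIF"; then
    echo "config.ldif control ACIs match the documented state:"
    aci_line "$LDIF" "Authenticated users control access"
    aci_line "$LDIF" "Anonymous control access"
else
    echo "config.ldif control ACIs are NOT in the documented state"
fi
```

Run patch_control_acis against a copy of config.ldif with the OUD server stopped, check it with verify_control_acis, install it on each instance, and restart as the step says.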
Granting ACLs Manually for Active Directory
For Active Directory, after running OIGOAMIntegration.sh -prepareIDStore, perform the following on the AD server machine, replacing the <IDSTORE_*> placeholders with the values from prepareIDStore.all.config:
- Add ACLs.

dsacls /G cn=orclFAUserReadPrivilegeGroup,<IDSTORE_GROUPSEARCHBASE>:GR
dsacls /G cn=orclFAUserWritePrivilegeGroup,<IDSTORE_GROUPSEARCHBASE>:GW
dsacls /G cn=orclFAGroupReadPrivilegeGroup,<IDSTORE_GROUPSEARCHBASE>:GR
dsacls /G cn=orclFAGroupWritePrivilegeGroup,<IDSTORE_GROUPSEARCHBASE>:GW
dsacls /G cn=orclFAOAMUserWritePrivilegeGroup,<IDSTORE_GROUPSEARCHBASE>:GW

- Reset the user passwords and clear the must-change-at-next-logon flag. Passing the password with -pwd leaves it in the command history and the process list; use -pwd * to have dsmod prompt for it instead.

dsmod user "CN=weblogic_idm,<IDSTORE_USERSEARCHBASE>" -pwd <password> -mustchpwd no
dsmod user "CN=xelsysadm,<IDSTORE_USERSEARCHBASE>" -pwd <password> -mustchpwd no
dsmod user "CN=oamadmin,<IDSTORE_USERSEARCHBASE>" -pwd <password> -mustchpwd no
dsmod user "CN=OblixAnonymous,DC=interop,DC=example,DC=com" -pwd <password> -mustchpwd no
dsmod user "CN=oamLDAP,<IDSTORE_SYSTEMIDBASE>" -pwd <password> -mustchpwd no
dsmod user "CN=oimLDAP,<IDSTORE_SYSTEMIDBASE>" -pwd <password> -mustchpwd no

The OblixAnonymous DN is shown for the DC=interop,DC=example,DC=com domain; adjust it to your IDSTORE_SEARCHBASE.

- Enable the user accounts.

dsmod user "CN=weblogic_idm,<IDSTORE_USERSEARCHBASE>" -disabled no
dsmod user "CN=xelsysadm,<IDSTORE_USERSEARCHBASE>" -disabled no
dsmod user "CN=oamadmin,<IDSTORE_USERSEARCHBASE>" -disabled no
dsmod user "CN=OblixAnonymous,DC=interop,DC=example,DC=com" -disabled no
dsmod user "CN=oamLDAP,<IDSTORE_SYSTEMIDBASE>" -disabled no
dsmod user "CN=oimLDAP,<IDSTORE_SYSTEMIDBASE>" -disabled no
2.2 Adding Missing Object Classes Using Automated Script
Add the missing object classes using the OIGOAMIntegration.sh automated script.
When you prepare your LDAP directory for use with Oracle Access Manager, the directory schema is extended with a number of object classes that Oracle Access Manager uses.
After the object classes are added, any new user created in the directory is automatically assigned them. Existing users, however, must also be given these object classes so that Oracle Access Manager can manage them.
The OIGOAMIntegration.sh script checks each user in the LDAP directory and adds any of the recommended object classes that are missing.
To add the missing object classes:
Note:
You can only add object classes to existing users in Oracle Internet Directory or Oracle Unified Directory. This feature is not supported for Active Directory.
- Open the addMissingObjectClasses.config file from the OIG Oracle home directory (located at ORACLE_HOME/idm/server/ssointg/config) in a text editor and update the parameters.

Example addMissingObjectClasses.config file:

IDSTORE_DIRECTORYTYPE: OID
IDSTORE_HOST: idstore.example.com
IDSTORE_PORT: 3060
IDSTORE_BINDDN: cn=orcladmin
IDSTORE_BINDDN_PWD: <password>
IDSTORE_USERSEARCHBASE: cn=Users,dc=example,dc=com
The following table describes the parameters that you can set in the addMissingObjectClasses.config file.

Table 2-2 Parameters in addMissingObjectClasses.config File

IDSTORE_DIRECTORYTYPE
    The identity store directory type. Valid values are OID and OUD.
    Sample value: OUD

IDSTORE_HOST
    The identity store host name.
    Sample value: idstore.example.com

IDSTORE_PORT
    The identity store port.
    Sample value: 389

IDSTORE_BINDDN
    An administrative user in Oracle Internet Directory or Oracle Unified Directory.
    Sample values: OID: cn=orcladmin; OUD: cn=oudadmin

IDSTORE_BINDDN_PWD
    The password for the administrative user in Oracle Internet Directory or Oracle Unified Directory.
    Sample value: password

IDSTORE_USERSEARCHBASE
    The location in the directory where users are stored.
    Sample value: cn=users,dc=example,dc=com
- Run the OIGOAMIntegration.sh script from the OIG Oracle home directory (located at ORACLE_HOME/idm/server/ssointg/bin) to add the object classes to the existing users:

OIGOAMIntegration.sh -addMissingObjectClasses

Note:
The time this step takes depends on the number of users in the LDAP directory; estimate 10 minutes per 10,000 users. Where the object classes are absent, the following are added to the existing LDAP users:
OIMPersonPwdPolicy
OblixOrgPerson
OblixPersonPwdPolicy
obpasswordexpirydate
2.3 Configuring OAM Using Automated Script
Configure Oracle Access Manager using the OIGOAMIntegration.sh automated script.
- Open the configOAM.config file from the OIG Oracle home directory (located at ORACLE_HOME/idm/server/ssointg/config) in a text editor and update the parameters.

Example configOAM.config file:

WLSHOST: oamadminhost.example.com
WLSPORT: 7001
WLSADMIN: weblogic
IDSTORE_HOST: idstore.example.com
IDSTORE_PORT: 3060
IDSTORE_BINDDN: cn=orcladmin
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_SEARCHBASE: dc=example,dc=com
IDSTORE_USERSEARCHBASE: cn=Users,dc=example,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com
IDSTORE_OAMSOFTWAREUSER: oamLDAP
IDSTORE_OAMADMINUSER: oamAdmin
PRIMARY_OAM_SERVERS: oamhost1.example.com:5575,oamhost2.example.com:5575
WEBGATE_TYPE: ohsWebgate11g
ACCESS_GATE_ID: Webgate_IDM
OAM11G_IDM_DOMAIN_OHS_HOST: sso.example.com
OAM11G_IDM_DOMAIN_OHS_PORT: 443
OAM11G_IDM_DOMAIN_OHS_PROTOCOL: https
OAM11G_OAM_SERVER_TRANSFER_MODE: Open
OAM11G_IDM_DOMAIN_LOGOUT_URLS: /console/jsp/common/logout.jsp,/em/targetauth/emaslogout.jsp
OAM11G_WG_DENY_ON_NOT_PROTECTED: false
OAM11G_SERVER_LOGIN_ATTRIBUTE: uid
OAM_TRANSFER_MODE: Open
COOKIE_DOMAIN: .example.com
OAM11G_IDSTORE_ROLE_SECURITY_ADMIN: OAMAdministrators
OAM11G_SSO_ONLY_FLAG: true
OAM11G_OIM_INTEGRATION_REQ: true
OAM11G_IMPERSONATION_FLAG: true
OAM11G_SERVER_LBR_HOST: sso.example.com
OAM11G_SERVER_LBR_PORT: 443
OAM11G_SERVER_LBR_PROTOCOL: https
COOKIE_EXPIRY_INTERVAL: 120
OAM11G_OIM_OHS_URL: https://sso.example.com:443/
SPLIT_DOMAIN: true
OAM11G_IDSTORE_NAME: OAMIDSTORE
IDSTORE_SYSTEMIDBASE: cn=systemids,dc=example,dc=com

Note that this sample uses the permissive values OAM_TRANSFER_MODE: Open, OAM11G_OAM_SERVER_TRANSFER_MODE: Open, and OAM11G_WG_DENY_ON_NOT_PROTECTED: false; the parameter table that follows recommends SIMPLE and true for production use.
The following table describes the parameters that you can set in the configOAM.config file.

Table 2-3 Parameters in configOAM.config File

ACCESS_GATE_ID
    The name under which the WebGate profile is created. Its artifacts are available under <DOMAIN_HOME>/Output/<ACCESS_GATE_ID>. This is the value specified during OAM configuration.
    Sample value: Webgate_IDM

COOKIE_DOMAIN
    The domain in which the WebGate functions.
    Sample value: .example.com

COOKIE_EXPIRY_INTERVAL
    The cookie expiration period.
    Sample value: 120

IDSTORE_BINDDN
    An administrative user in Oracle Internet Directory, Oracle Unified Directory, or Active Directory.
    Sample values: OID: cn=orcladmin; OUD: cn=oudadmin; Active Directory: CN=Administrator,CN=Users,DC=example,DC=com

IDSTORE_GROUPSEARCHBASE
    The location in the directory where groups are stored.
    Sample value: cn=groups,dc=example,dc=com

IDSTORE_HOST
    The identity store host name.
    Sample value: idstore.example.com

IDSTORE_LOGINATTRIBUTE
    The identity store attribute that contains the user's login name.
    Sample value: uid

IDSTORE_OAMADMINUSER
    The user you use to access the Oracle Access Management Console.
    Sample value: oamAdmin

IDSTORE_OAMSOFTWAREUSER
    The user that OAM uses to interact with the LDAP server.
    Sample value: oamLDAP

IDSTORE_PORT
    The identity store port.
    Sample value: 389

IDSTORE_SEARCHBASE
    The location in the directory under which users and groups are stored.
    Sample value: dc=example,dc=com

IDSTORE_SYSTEMIDBASE
    The container in the directory where system-operations users are stored. There are only a few such users, and they are kept separate from the enterprise users in the main user container. An example is the Oracle Identity Governance reconciliation user, which is also used as the bind DN user in Oracle Virtual Directory adapters.
    Sample value: cn=systemids,dc=example,dc=com

IDSTORE_USERNAMEATTRIBUTE
    The attribute used to set and search for user names in the identity store.
    Sample value: cn

IDSTORE_USERSEARCHBASE
    The container under which Access Manager searches for users.
    Sample value: cn=users,dc=example,dc=com

OAM_TRANSFER_MODE
    The security mode in which the access servers communicate with WebGates. Supported values are OPEN and SIMPLE. Oracle recommends SIMPLE: in OPEN mode the WebGate-to-server (OAP) traffic is not encrypted.
    Note: If you change the security mode from Open, update the existing agents to use the new mode.
    Sample value: SIMPLE

OAM11G_IDM_DOMAIN_LOGOUT_URLS
    The logout URLs, comma-separated.
    Sample value: /console/jsp/common/logout.jsp,/em/targetauth/emaslogout.jsp

OAM11G_IDM_DOMAIN_OHS_HOST
    The load balancer in front of Oracle HTTP Server (OHS) in a high-availability configuration.
    Sample value: login.example.com

OAM11G_IDM_DOMAIN_OHS_PORT
    The load balancer port.
    Sample value: 443

OAM11G_IDM_DOMAIN_OHS_PROTOCOL
    The protocol to use when directing requests to the load balancer.
    Sample value: https

OAM11G_IDSTORE_NAME
    The name of the identity store configured in OAM. It is set as the Default and System ID Store in OAM.
    Sample value: OAMIDSTORE

OAM11G_IDSTORE_ROLE_SECURITY_ADMIN
    The account (in the sample, a group) that administers role security in the identity store.
    Sample value: OAMAdministrators

OAM11G_IMPERSONATION_FLAG
    Enables or disables the impersonation feature in the OAM server, which lets an authorized administrator act as another user. Enable it only if you need it.
    Sample value: true

OAM11G_OAM_SERVER_TRANSFER_MODE
    The security mode in which the access servers function. Supported values are OPEN and SIMPLE; use the same value as OAM_TRANSFER_MODE, and SIMPLE in production.
    Sample value: Open

OAM11G_OIM_INTEGRATION_REQ
    Specifies whether to integrate with Oracle Identity Governance (true) or to configure Access Manager in stand-alone mode (false). If you set this value to false and add Oracle Identity Governance later, rerun this script with the value set to true.
    This parameter controls whether the Oracle Identity Governance Register User, Track Requests, and Forgotten Password links are included in the Oracle Access Manager login page.
    Sample value: true

OAM11G_OIM_OHS_URL
    The URL of the load balancer or Oracle HTTP Server (OHS) fronting the OIM server.
    Sample value: https://oig.example.com:443/

OAM11G_SERVER_LBR_HOST
    The OAM server (or load balancer) host fronting your site.
    Sample value: login.example.com

OAM11G_SERVER_LBR_PORT
    The port that the load balancer listens on (HTTP_SSL_PORT).
    Sample value: 443

OAM11G_SERVER_LBR_PROTOCOL
    The protocol to use when directing requests to the load balancer.
    Sample value: https

OAM11G_SERVER_LOGIN_ATTRIBUTE
    Setting this to uid validates the user name against the uid attribute in LDAP when the user logs in.
    Sample value: uid

OAM11G_SSO_ONLY_FLAG
    Configures Access Manager 11g in authentication-only mode (true) or in normal mode, which supports authentication and authorization (false). The default value is true. If the value is set to false, access to protected resources is denied to all users.
    Sample value: true

OAM11G_WG_DENY_ON_NOT_PROTECTED
    The deny-on-not-protected flag for 10g WebGates. Valid values are true and false. Set it to true as a best practice, so that a resource not covered by a policy is denied rather than served.
    Sample value: true

PRIMARY_OAM_SERVERS
    A comma-separated list of your Access Manager servers and the proxy ports they use.
    Sample value: oamhost1.example.com:5575,oamhost2.example.com:5575

SPLIT_DOMAIN
    Set to true to suppress the double authentication of the Oracle Access Management Console.
    Sample value: true

WEBGATE_TYPE
    The WebGate agent type to create. 10g WebGates are no longer supported in 12c.
    Sample value: ohsWebgate12c

WLSADMIN
    The WebLogic Server administrative user account you use to log in to the WebLogic Server Administration Console in the OAM domain.
    Sample value: weblogic

WLSHOST
    The Administration Server host name in the OAM domain.
    Sample value: oamadminhost.example.com

WLSPORT
    The Administration Server port in the OAM domain.
    Sample value: 7001
- Stop the policy server. See Starting and Stopping Managed WebLogic Servers and Access Manager Servers.
- Set the MW_HOME environment variable to the OIG Middleware home.
- Run the automated script for OIG-OAM integration to configure OAM:

OIGOAMIntegration.sh -configOAM

You have successfully executed the automated script for configuring Oracle Access Manager.
- Restart the OAM domain servers. See Starting and Stopping Managed WebLogic Servers and Access Manager Servers.
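The sample configOAM.config shown earlier uses the permissive values (Open transfer mode, OAM11G_WG_DENY_ON_NOT_PROTECTED: false, impersonation enabled) while the parameter table recommends the hardened ones, and nothing in the run itself warns about the difference. The following shell script is an added example written for this page, not part of OIGOAMIntegration.sh or of Oracle's tooling; it lints a configOAM.config for those settings and rewrites the weak ones to the recommended values. Its sample file is constructed from the page's example values, and the choice of which settings to flag follows the parameter table above (the impersonation flag is reported so it gets reviewed, not because the page forbids it).

```shell
#!/bin/sh
# Added example for this page, not part of OIGOAMIntegration.sh: lint a
# configOAM.config for the permissive settings the parameter table warns
# about, then rewrite them to the recommended values.

# Value of KEY in a "KEY: value" file (first match; commented lines ignored).
cfg_get() { sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1; }

# Replace the value of KEY in FILE in place, keeping the file's mode.
cfg_set() {
    sed "s|^\([[:space:]]*$2:\).*|\1 $3|" "$1" > "$1.new" && cat "$1.new" > "$1" && rm -f "$1.new"
}

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

flag() { echo "$1"; findings=$((findings + 1)); }

# Report weak settings in FILE; exit status 0 only when nothing was flagged.
check_oam_config() {
    f=$1
    findings=0
    # Open mode sends WebGate-to-server (OAP) traffic unencrypted; the table recommends SIMPLE.
    for k in OAM_TRANSFER_MODE OAM11G_OAM_SERVER_TRANSFER_MODE; do
        [ "$(lower "$(cfg_get "$f" "$k")")" = simple ] ||
            flag "WEAK     $k=$(cfg_get "$f" "$k"): use SIMPLE so OAP traffic is protected"
    done
    # With deny-on-not-protected off, a resource with no policy is let through.
    [ "$(lower "$(cfg_get "$f" OAM11G_WG_DENY_ON_NOT_PROTECTED)")" = true ] ||
        flag "WEAK     OAM11G_WG_DENY_ON_NOT_PROTECTED is not true: resources with no policy are served"
    # The front door and the OIM URL carry session cookies and credentials; they must be TLS.
    for k in OAM11G_IDM_DOMAIN_OHS_PROTOCOL OAM11G_SERVER_LBR_PROTOCOL; do
        [ "$(lower "$(cfg_get "$f" "$k")")" = https ] || flag "WEAK     $k is not https"
    done
    case "$(lower "$(cfg_get "$f" OAM11G_OIM_OHS_URL)")" in
        https://*) ;;
        *) flag "WEAK     OAM11G_OIM_OHS_URL is not an https URL" ;;
    esac
    # 10g WebGates are not supported in 12c.
    case "$(lower "$(cfg_get "$f" WEBGATE_TYPE)")" in
        *10g*) flag "INVALID  WEBGATE_TYPE=$(cfg_get "$f" WEBGATE_TYPE): 10g WebGates are not supported in 12c" ;;
    esac
    # Impersonation lets an administrator act as another user; keep it only if needed.
    if [ "$(lower "$(cfg_get "$f" OAM11G_IMPERSONATION_FLAG)")" = true ]; then
        flag "REVIEW   OAM11G_IMPERSONATION_FLAG=true: confirm impersonation is actually required"
    fi
    echo "$findings finding(s) in $f"
    [ "$findings" -eq 0 ]
}

# Apply the values the parameter table recommends. Changing the transfer mode
# away from Open means existing WebGate profiles must be updated to match.
harden_oam_config() {
    cfg_set "$1" OAM_TRANSFER_MODE SIMPLE
    cfg_set "$1" OAM11G_OAM_SERVER_TRANSFER_MODE SIMPLE
    cfg_set "$1" OAM11G_WG_DENY_ON_NOT_PROTECTED true
    cfg_set "$1" OAM11G_IMPERSONATION_FLAG false
}

# Constructed sample: a subset of the page's example configOAM.config values.
write_sample_oam_config() {
    OAM_CFG=$(mktemp)
    CLEANUP="$CLEANUP $OAM_CFG"
    trap 'rm -f $CLEANUP' EXIT
    cat > "$OAM_CFG" <<'EOF'
WLSHOST: oamadminhost.example.com
WLSPORT: 7001
WLSADMIN: weblogic
PRIMARY_OAM_SERVERS: oamhost1.example.com:5575,oamhost2.example.com:5575
WEBGATE_TYPE: ohsWebgate11g
ACCESS_GATE_ID: Webgate_IDM
OAM11G_IDM_DOMAIN_OHS_HOST: sso.example.com
OAM11G_IDM_DOMAIN_OHS_PORT: 443
OAM11G_IDM_DOMAIN_OHS_PROTOCOL: https
OAM11G_OAM_SERVER_TRANSFER_MODE: Open
OAM11G_WG_DENY_ON_NOT_PROTECTED: false
OAM_TRANSFER_MODE: Open
COOKIE_DOMAIN: .example.com
OAM11G_IMPERSONATION_FLAG: true
OAM11G_SERVER_LBR_HOST: sso.example.com
OAM11G_SERVER_LBR_PORT: 443
OAM11G_SERVER_LBR_PROTOCOL: https
OAM11G_OIM_OHS_URL: https://sso.example.com:443/
EOF
}

write_sample_oam_config
echo "== before hardening"; check_oam_config "$OAM_CFG"
harden_oam_config "$OAM_CFG"
echo "== after hardening";  check_oam_config "$OAM_CFG"
```

Run check_oam_config on your file before OIGOAMIntegration.sh -configOAM and, if you let harden_oam_config change the transfer mode, remember the Note under OAM_TRANSFER_MODE: agents that already exist keep their old security mode until you update them (the clustered-deployment verification steps below cover that).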
Verifying the OAM Configuration
You can verify the OAM configuration by performing the following steps:
- When single sign-on is implemented, grant the LDAP administrator group (the group named by IDSTORE_WLSADMINGROUP, IDM Administrators in the sample prepareIDStore.all.config) WebLogic administration rights, so that you can log in as one of its members and perform WebLogic administrative actions. Anyone who can add members to that LDAP group thereby gains full WebLogic administration, so keep write access to the group tightly controlled. To add the LDAP groups OAMAdministrators and WLSAdministrators to the WebLogic Admin role:
- Log in to the WebLogic Administration Server Console as the default administrative user, for example weblogic.
- In the left pane of the console, click Security Realms.
- On the Summary of Security Realms page, click myrealm under the Realms table.
- On the Settings page for myrealm, click the Roles & Policies tab.
- On the Realm Roles page, expand the Global Roles entry under the Roles table.
- Click the Roles link to go to the Global Roles page.
- On the Global Roles page, click the Admin role to go to the Edit Global Roles page.
- On the Edit Global Roles page, under the Role Conditions table, click Add Conditions.
- On the Choose a Predicate page, select Group from the predicate drop-down list and click Next.
- On the Edit Arguments page, enter OAMAdministrators in the Group Argument field and click Add.
- Repeat for the group WLSAdministrators.
- Click Finish to return to the Edit Global Roles page.
- The Role Conditions table now lists the groups OAMAdministrators and WLSAdministrators as role conditions.
- Click Save to finish granting the Admin role to the OAMAdministrators and WLSAdministrators groups.
- Search for the WebGate name that you specified in the configOAM.config properties file:
- Log in to the Oracle Access Management Console as the OAM admin user: http://oam_adminserver_host:oam_adminserver_port/oamconsole
- From the Application Security Launch Pad, click Agents. The Search SSO Agents page is displayed.
- In the Search field, enter the WebGate name.
Note:
This is the value you specified for ACCESS_GATE_ID in the configOAM.config properties file.
- The agent appears in the Search Results table.
- Verify that the identity store you specified in the configOAM.config file is automatically selected as the default store:
- Click the Configuration Launch Pad and select User Identity Stores.
- In the Default and System Store section, verify that the identity store you specified in the configOAM.config file (for example, OAMIDSTORE) is selected as the Default Store and System Store.
- For a clustered deployment, perform the following steps:
- In the OAM Console, click the Agents pad on the Application Security screen.
- Ensure that the WebGates tab is selected.
- Click Search.
- Click an agent, for example IAMSuiteAgent.
- Set the Security value to the same value you defined for OAM Transfer Mode on the Access Manager Configuration screen during response file creation. If you changed the OAM security model using the OIGOAMIntegration tool, change the security model used by any existing WebGates to match. Click Apply.
- In the Primary Server list, click + and add any missing Access Manager servers.
- If a password has not already been assigned, enter a password in the Access Client Password field and click Apply. Use the Common IAM Password (COMMON_IDM_PASSWORD) you used during response file creation, or an Access Manager-specific password if you have set one.
- Set Maximum Connections to 20. This is the total maximum number of connections for the primary servers: 10 WLS_OAM1 connections plus 10 WLS_OAM2 connections.
- If you see the following in the User Defined Parameters or the Logout Redirect URL:
logoutRedirectUrl=http://OAMHOST1.example.com:14100/oam/server/logout
change it to:
logoutRedirectUrl=https://login.example.com/oam/server/logout
- Click Apply.
- Repeat steps a through j for each WebGate.
- Check that the security setting matches that of your Access Manager servers.