2 Integrating Oracle Access Manager and LDAP

Integrating Oracle Access Manager with LDAP involves preparing the IDStore, adding the missing object classes, and configuring OAM, each using an automated script.

2.1 Preparing IDStore Using Automated Script

Prepare IDStore using the OIGOAMIntegration.sh automated script for OIG-OAM integration.

Configure the identity store and policy store by creating the groups and setting ACIs on the various containers. Add the necessary users to the identity store and associate them with groups. This step is similar to running the commands idmConfigTool.sh -prepareIDStore and idmConfigTool.sh -prepareIDStore -mode=ALL. See prepareIDStore Command.

  1. Open the prepareIDStore.all.config file from the OIG Oracle home directory (located at ORACLE_HOME/idm/server/ssointg/config) in a text editor and update the parameters.

    Example prepareIDStore.all.config File

    IDSTORE_DIRECTORYTYPE: OID
    IDSTORE_HOST: idstore.example.com
    IDSTORE_PORT: 3060
    IDSTORE_BINDDN: cn=orcladmin
    IDSTORE_BINDDN_PWD: <password>
    IDSTORE_USERNAMEATTRIBUTE: cn
    IDSTORE_LOGINATTRIBUTE: uid
    IDSTORE_SEARCHBASE: dc=example,dc=com
    IDSTORE_USERSEARCHBASE: cn=Users,dc=example,dc=com
    IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com
    IDSTORE_SYSTEMIDBASE: cn=systemids,dc=example,dc=com
    IDSTORE_READONLYUSER: IDROUser
    IDSTORE_READWRITEUSER: IDRWUser
    IDSTORE_SUPERUSER: weblogic_fa
    IDSTORE_OAMSOFTWAREUSER: oamLDAP
    IDSTORE_OAMADMINUSER: oamAdmin
    IDSTORE_OIMADMINUSER: oimLDAP
    IDSTORE_OIMADMINGROUP: OIMAdministrators
    IDSTORE_WLSADMINUSER: weblogic_idm
    IDSTORE_WLSADMINGROUP: IDM Administrators
    IDSTORE_OAAMADMINUSER: oaamAdminUser
    ## The domain for the email - e.g. user@example.com
    IDSTORE_EMAIL_DOMAIN: company.com
    POLICYSTORE_SHARES_IDSTORE: true
    OAM11G_IDSTORE_ROLE_SECURITY_ADMIN: OAMAdministrators
    ## If you are using OUD as the identity store, then the additional properties are:
    #IDSTORE_ADMIN_PORT: 4444
    #IDSTORE_KEYSTORE_FILE: /u01/config/instances/oud1/OUD/config/admin-keystore
    ## The value of the IDSTORE_KEYSTORE_PASSWORD parameter is the content of the /u01/config/instances/oud1/OUD/config/admin-keystore.pin
    #IDSTORE_KEYSTORE_PASSWORD: <PASSWORD>

    The following table describes the parameters that you can set in the prepareIDStore.all.config file.

    Table 2-1 Parameters in prepareIDStore.all.config File

    Property Description Sample Value

    IDSTORE_DIRECTORYTYPE

    Enter the identity store directory type. Valid options are OID, OUD, and AD.

    OID

    IDSTORE_HOST

    Enter the identity store host name.

    idstore.example.com

    IDSTORE_PORT

    Enter the identity store port.

    3060

    IDSTORE_BINDDN

    An administrative user in Oracle Internet Directory, Oracle Unified Directory or Active Directory.

    • OID: cn=orcladmin
    • OUD: cn=oudadmin
    • AD: CN=Administrator,CN=Users,DC=example.com,DC=example,dc=com

    IDSTORE_BINDDN_PWD

    Enter the password for the administrative user in Oracle Internet Directory, Oracle Unified Directory or Microsoft Active Directory.

    password

    IDSTORE_USERNAMEATTRIBUTE

    Enter the username attribute used to set and search for users in the identity store.

    cn

    IDSTORE_LOGINATTRIBUTE

    Enter the login attribute of the identity store that contains the user's login name.

    uid

    IDSTORE_SEARCHBASE

    Enter the location in the directory where users and groups are stored.

    dc=example,dc=com

    IDSTORE_USERSEARCHBASE

    Enter the container under which Access Manager searches for the users.

    cn=users,dc=example,dc=com

    IDSTORE_GROUPSEARCHBASE

    Enter the location in the directory where groups are stored.

    cn=groups,dc=example,dc=com

    IDSTORE_SYSTEMIDBASE

    Enter the location of a container in the directory where system-operations users are stored. There are only a few system-operations users, and they are kept separate from the enterprise users stored in the main user container.

    For example, the Oracle Identity Governance reconciliation user, which is also used as the bind DN user in Oracle Virtual Directory adapters.

    cn=systemids,dc=example,dc=com

    IDSTORE_READONLYUSER

    Enter the user with read-only permissions to the identity store.

    IDROUser

    IDSTORE_READWRITEUSER

    Enter the user with read-write permissions to the identity store.

    IDRWUser

    IDSTORE_SUPERUSER

    Enter the Oracle Fusion Applications superuser in the identity store.

    weblogic_fa

    IDSTORE_OAMSOFTWAREUSER

    Enter the LDAP user that OAM uses to interact with LDAP.

    oamLDAP

    IDSTORE_OAMADMINUSER

    Enter the user you use to access your Oracle Access Management Console.

    oamAdmin

    IDSTORE_OAMADMINUSER_PWD

    Enter the password for the user you use to access your Oracle Access Management Console.

    Note:

    All password fields are optional. If you do not enter them in the file (for security reasons), then you are prompted to enter them when the script runs.

    password

    IDSTORE_OIMADMINUSER

    Enter the user that Oracle Identity Governance uses to connect to the identity store.

    oimLDAP

    IDSTORE_OIMADMINUSER_PWD

    Enter the password for the user that Oracle Identity Governance uses to connect to the identity store.

    password

    IDSTORE_OIMADMINGROUP

    Enter the group you want to create to hold your Oracle Identity Governance administrative users.

    OIMAdministrators

    IDSTORE_WLSADMINUSER

    Enter the identity store administrator for Oracle WebLogic Server.

    weblogic_idm

    Note:

    This is the default user name for the administrator user.

    IDSTORE_WLSADMINUSER_PWD

    Enter the password for the identity store administrator for Oracle WebLogic Server.

    password

    IDSTORE_WLSADMINGROUP

    Enter the identity store administrator group for Oracle WebLogic Server.

    wlsadmingroup

    IDSTORE_OAAMADMINUSER

    Enter the user you want to create as your Oracle Access Management Administrator. This user is created by the tool.

    oaamAdminUser

    IDSTORE_XELSYSADMINUSER_PWD

    Enter the password of the System Administrator for Oracle Identity Governance. It must match the value in Oracle Identity Governance.

    password

    POLICYSTORE_SHARES_IDSTORE

    Set it to true if your policy and identity stores are in the same directory. Otherwise, set it to false.

    TRUE

    IDSTORE_ADMIN_PORT

    Enter the administration port of your Oracle Unified Directory instance. If you are not using Oracle Unified Directory, you can ignore this parameter.

    4444

    IDSTORE_KEYSTORE_FILE

    Enter the location of the Oracle Unified Directory Keystore file. It is used to enable communication with Oracle Unified Directory using the Oracle Unified Directory administration port. It is called admin-keystore and is located in OUD_ORACLE_INSTANCE/OUD/config.

    If you are not using Oracle Unified Directory, you can ignore this parameter. This file must be located on the same host that the OIGOAMIntegration.sh command is running on. The command uses this file to authenticate itself with OUD.

    /u01/config/instances/oud1/OUD/config/admin-keystore

    IDSTORE_KEYSTORE_PASSWORD

    Enter the encrypted password of the Oracle Unified Directory keystore. This value can be found in the file OUD_ORACLE_INSTANCE/OUD/config/admin-keystore.pin. If you are not using Oracle Unified Directory, you can ignore this parameter.

    password

  2. Run the automated script for OIG-OAM integration to seed the directory with the users, roles, and ob schema extensions:

    OIGOAMIntegration.sh -prepareIDStore

    Note:

    In the case of Active Directory, grant the ACLs manually after executing the OIGOAMIntegration.sh -prepareIDStore command. See Granting ACLs Manually for Active Directory.

    You have successfully executed the automated script for preparing the IDStore.

Verifying the Identity Store and Policy Store Configuration

Verify the following in your LDAP directory:

  • The search bases for users and groups that you specified in the prepareIDStore.all.config file exist in the LDAP directory.

  • The user container, group container, and system ID container exist in the LDAP directory.

  • The systemids container includes the IDROUser, IDRWUser, oamSoftwareUser, and oimadminuser users. These are sample values provided in prepareIDStore.all.config; you can provide and use your own values.

  • The user container includes the oamadminuser, weblogic_fa, weblogic_idm, and xelsysadm users. These are sample values provided in prepareIDStore.all.config; you can provide and use your own values.

  • The group container includes the OAMAdministrators, OIMAdministrators, BIReportAdministrator, Session REST API, wlsadmingroup, orclFAGroup, and OAAM groups.

  • Access is granted to the changelog for OUD:

    If you are using Oracle Unified Directory, you must grant access to the changelog by performing the following steps on the single-node LDAP host, or on LDAPHOST1 and LDAPHOST2 for multinode LDAP instances:

    1. Create a file called passwordfile that contains the password you use to connect to OUD, then remove the existing ACI that denies everyone access to the changelog:

      OUD_ORACLE_INSTANCE/OUD/bin/dsconfig set-access-control-handler-prop --remove \
      global-aci:"(target=\"ldap:///cn=changelog\")(targetattr=\"*\")(version 3.0; acl \"External changelog access\"; deny (all) userdn=\"ldap:///anyone\";)" \
        --hostname OUD Host \
        --port OUD Admin Port \
        --trustAll \
        --bindDN cn=oudadmin \
        --bindPasswordFile passwordfile \
        --no-prompt

      For example:

      OUD_ORACLE_INSTANCE/OUD/bin/dsconfig set-access-control-handler-prop --remove \
      global-aci:"(target=\"ldap:///cn=changelog\")(targetattr=\"*\")(version 3.0; acl \"External changelog access\"; deny (all) userdn=\"ldap:///anyone\";)" \
        --hostname LDAPHOST1.example.com \
        --port 4444 \
        --trustAll \
        --bindDN cn=oudadmin \
        --bindPasswordFile passwordfile \
        --no-prompt

    2. Add the new ACI, which grants the OIMAdministrators group access to the changelog:

      OUD_ORACLE_INSTANCE/OUD/bin/dsconfig set-access-control-handler-prop --add \
      global-aci:"(target=\"ldap:///cn=changelog\")(targetattr=\"*\")(version 3.0; acl \"External changelog access\"; allow (read,search,compare,add,write,delete,export) groupdn=\"ldap:///cn=OIMAdministrators,cn=groups,dc=example,dc=com\";)" \
        --hostname OUD Host \
        --port OUD Admin Port \
        --trustAll \
        --bindDN cn=oudadmin \
        --bindPasswordFile passwordfile \
        --no-prompt

      For example:

      OUD_ORACLE_INSTANCE/OUD/bin/dsconfig set-access-control-handler-prop --add \
      global-aci:"(target=\"ldap:///cn=changelog\")(targetattr=\"*\")(version 3.0; acl \"External changelog access\"; allow (read,search,compare,add,write,delete,export) groupdn=\"ldap:///cn=OIMAdministrators,cn=groups,dc=example,dc=com\";)" \
        --hostname LDAPHOST1.example.com \
        --port 4444 \
        --trustAll \
        --bindDN cn=oudadmin \
        --bindPasswordFile passwordfile \
        --no-prompt

  • Additional OUD grants are created:

    Update OUD_ORACLE_INSTANCE/OUD/config/config.ldif on all OUD instances with the following changes:

    1. Locate the following line:

      ds-cfg-global-aci: (targetcontrol="1.3.6.1.1.12 || 1.3.6.1.1.13.1 || 1.3.6.1.1.13.2 || 1.2.840.113556.1.4.319 || 1.2.826.0.1.3344810.2.3 || 2.16.840.1.113730.3.4.18 || 2.16.840.1.113730.3.4.9 || 1.2.840.113556.1.4.473 || 1.3.6.1.4.1.42.2.27.9.5.9") (version 3.0; acl "Authenticated users control access"; allow(read) userdn="ldap:///all";)

      Remove the Object Identifier 1.2.840.113556.1.4.319 from the above ACI and add it to the following ACI, as shown:

      ds-cfg-global-aci: (targetcontrol="2.16.840.1.113730.3.4.2 || 2.16.840.1.113730.3.4.17 || 2.16.840.1.113730.3.4.19 || 1.3.6.1.4.1.4203.1.10.2 || 1.3.6.1.4.1.42.2.27.8.5.1 || 2.16.840.1.113730.3.4.16 || 2.16.840.1.113894.1.8.31 || 1.2.840.113556.1.4.319") (version 3.0; acl "Anonymous control access"; allow(read) userdn="ldap:///anyone";)

    2. Add the Object Identifiers 1.3.6.1.4.1.26027.1.5.4 and 1.3.6.1.4.1.26027.2.3.4 to the following ACI, as shown:

      ds-cfg-global-aci: (targetcontrol="1.3.6.1.1.12 || 1.3.6.1.1.13.1 || 1.3.6.1.1.13.2 || 1.2.826.0.1.3344810.2.3 || 2.16.840.1.113730.3.4.18 || 2.16.840.1.113730.3.4.9 || 1.2.840.113556.1.4.473 || 1.3.6.1.4.1.42.2.27.9.5.9 || 1.3.6.1.4.1.26027.1.5.4 || 1.3.6.1.4.1.26027.2.3.4") (version 3.0; acl "Authenticated users control access"; allow(read) userdn="ldap:///all";)

    3. Restart the Oracle Unified Directory server on both LDAPHOSTs.

  • Additional OUD indexes are created:

    When you ran the OIGOAMIntegration.sh -prepareIDStore script to prepare an OUD identity store, it created indexes for the data on the instance against which it was run. These indexes must be created manually on each of the OUD instances on LDAPHOST2. To do this, run the following commands on LDAPHOST2:

    OUD_ORACLE_INSTANCE/OUD/bin/ldapmodify -h LDAPHOST2.example.com -Z -X -p 4444 -a -D "cn=oudadmin" -j passwordfile -c -f IAD_ORACLE_HOME/idm/oam/server/oim-intg/ldif/ojd/schema/ojd_user_index_generic.ldif
    OUD_ORACLE_INSTANCE/OUD/bin/ldapmodify -h LDAPHOST2.example.com -Z -X -p 4444 -a -D "cn=oudadmin" -j passwordfile -c -f IAD_ORACLE_HOME/idm/idmtools/templates/oud/oud_indexes_extn.ldif
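The config.ldif edit described above (moving 1.2.840.113556.1.4.319 from the "Authenticated users control access" ACI to the "Anonymous control access" ACI, and adding the two 26027 OIDs to the authenticated ACI) is easy to get wrong by hand on several hosts. The following script is an added example and not part of the Oracle procedure: it applies that edit to a copy of config.ldif and is idempotent, so re-running it on an already-updated file changes nothing. The embedded sample config.ldif is constructed from the two ACI lines quoted above; the `dn:` line is an assumed placeholder.

```python
"""Apply the config.ldif global-ACI changes from the OUD procedure above.

Added example, not Oracle's code. Rewrites the two ds-cfg-global-aci lines:
moves 1.2.840.113556.1.4.319 from the "Authenticated users control access"
ACI to the "Anonymous control access" ACI, and adds the two 26027 OIDs to
the authenticated ACI. Safe to re-run: an already updated file is unchanged."""
import re
import sys

# OIDs named in the procedure above
MOVED_OID = "1.2.840.113556.1.4.319"
ADDED_AUTH_OIDS = ("1.3.6.1.4.1.26027.1.5.4", "1.3.6.1.4.1.26027.2.3.4")
AUTH_ACL = 'acl "Authenticated users control access"'
ANON_ACL = 'acl "Anonymous control access"'
_TARGETCONTROL = re.compile(r'\(targetcontrol="([^"]*)"\)')

def unfold_ldif(text):
    """Join LDIF continuation lines (leading space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def control_oids(aci_line):
    """Return the OIDs of an ACI's targetcontrol clause, in file order."""
    m = _TARGETCONTROL.search(aci_line)
    if m is None:
        raise ValueError("ACI has no targetcontrol clause: " + aci_line)
    return [oid.strip() for oid in m.group(1).split("||")]

def with_control_oids(aci_line, oids):
    """Return the ACI line with its targetcontrol clause rebuilt from oids."""
    clause = '(targetcontrol="' + " || ".join(oids) + '")'
    return _TARGETCONTROL.sub(lambda _m: clause, aci_line, count=1)

def update_global_acis(text):
    """Return the updated config.ldif text; raise if either ACI is missing."""
    out, found = [], set()
    for line in unfold_ldif(text):
        if line.startswith("ds-cfg-global-aci:") and AUTH_ACL in line:
            oids = [o for o in control_oids(line) if o != MOVED_OID]   # step 1: remove
            oids += [o for o in ADDED_AUTH_OIDS if o not in oids]      # step 2: add
            line = with_control_oids(line, oids)
            found.add("auth")
        elif line.startswith("ds-cfg-global-aci:") and ANON_ACL in line:
            oids = control_oids(line)
            if MOVED_OID not in oids:                                   # step 1: add here
                oids.append(MOVED_OID)
            line = with_control_oids(line, oids)
            found.add("anon")
        out.append(line)
    missing = {"auth", "anon"} - found
    if missing:
        raise ValueError("expected ACI(s) not found in config.ldif: " + ", ".join(sorted(missing)))
    return "\n".join(out) + "\n"

def acl_oids(text, acl_name):
    """Look up the targetcontrol OIDs of the named global ACI (for verification)."""
    for line in unfold_ldif(text):
        if line.startswith("ds-cfg-global-aci:") and acl_name in line:
            return control_oids(line)
    raise KeyError(acl_name)

# Constructed sample standing in for OUD_ORACLE_INSTANCE/OUD/config/config.ldif:
# the two ACI lines quoted in the procedure plus an unrelated attribute (dn is assumed).
SAMPLE_CONFIG_LDIF = (
    "dn: cn=Access Control Handler,cn=config\n"
    "ds-cfg-enabled: true\n"
    'ds-cfg-global-aci: (targetcontrol="1.3.6.1.1.12 || 1.3.6.1.1.13.1 || 1.3.6.1.1.13.2 || '
    "1.2.840.113556.1.4.319 || 1.2.826.0.1.3344810.2.3 || 2.16.840.1.113730.3.4.18 || "
    '2.16.840.1.113730.3.4.9 || 1.2.840.113556.1.4.473 || 1.3.6.1.4.1.42.2.27.9.5.9") '
    '(version 3.0; acl "Authenticated users control access"; allow(read) userdn="ldap:///all";)\n'
    'ds-cfg-global-aci: (targetcontrol="2.16.840.1.113730.3.4.2 || 2.16.840.1.113730.3.4.17 || '
    "2.16.840.1.113730.3.4.19 || 1.3.6.1.4.1.4203.1.10.2 || 1.3.6.1.4.1.42.2.27.8.5.1 || "
    '2.16.840.1.113730.3.4.16 || 2.16.840.1.113894.1.8.31") '
    '(version 3.0; acl "Anonymous control access"; allow(read) userdn="ldap:///anyone";)\n'
)

if __name__ == "__main__":
    # usage: python3 update_acis.py OUD_ORACLE_INSTANCE/OUD/config/config.ldif > config.ldif.new
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG_LDIF
    sys.stdout.write(update_global_acis(src))
```

Write the output to a new file and diff it against the original before replacing config.ldif, then restart OUD on each host as step 3 requires.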

Granting ACLs Manually for Active Directory

For Active Directory, after running OIGOAMIntegration.sh -prepareIDStore, perform the following on the AD server machine:

  1. Add ACLs.

    dsacls /G cn=orclFAUserReadPrivilegeGroup,<IDSTORE_GROUPSEARCHBASE>:GR
    dsacls /G cn=orclFAUserWritePrivilegeGroup,<IDSTORE_GROUPSEARCHBASE>:GW
    dsacls /G cn=orclFAGroupReadPrivilegeGroup,<IDSTORE_GROUPSEARCHBASE>:GR
    dsacls /G cn=orclFAGroupWritePrivilegeGroup,<IDSTORE_GROUPSEARCHBASE>:GW
    dsacls /G cn=orclFAOAMUserWritePrivilegeGroup,<IDSTORE_GROUPSEARCHBASE>:GW
  2. Reset User Password.

    dsmod user "CN=weblogic_idm,<IDSTORE_USERSEARCHBASE>" -pwd <password> -mustchpwd no
    dsmod user "CN=xelsysadm,<IDSTORE_USERSEARCHBASE>" -pwd <password> -mustchpwd no
    dsmod user "CN=oamadmin,<IDSTORE_USERSEARCHBASE>" -pwd <password> -mustchpwd no
    dsmod user "CN=OblixAnonymous,DC=interop,DC=example,DC=com" -pwd <password> -mustchpwd no
    dsmod user "CN=oamLDAP,<IDSTORE_SYSTEMIDBASE>" -pwd <password> -mustchpwd no
    dsmod user "CN=oimLDAP,<IDSTORE_SYSTEMIDBASE>" -pwd <password> -mustchpwd no
  3. Enable user accounts.

    dsmod user "CN=weblogic_idm,<IDSTORE_USERSEARCHBASE>" -disabled no
    dsmod user "CN=xelsysadm,<IDSTORE_USERSEARCHBASE>" -disabled no
    dsmod user "CN=oamadmin,<IDSTORE_USERSEARCHBASE>" -disabled no
    dsmod user "CN=OblixAnonymous,DC=interop,DC=example,DC=com" -disabled no
    dsmod user "CN=oamLDAP,<IDSTORE_SYSTEMIDBASE>" -disabled no
    dsmod user "CN=oimLDAP,<IDSTORE_SYSTEMIDBASE>" -disabled no

2.2 Adding Missing Object Classes Using Automated Script

Add the missing object classes using the OIGOAMIntegration.sh automated script.

When you prepare your LDAP directory for use with Oracle Access Manager, it extends the directory schema to include a number of specific object classes, which are used by Oracle Access Manager.

After the object classes are added, any new users created in the directory are automatically assigned these object classes. Once the object classes are added to the directory, it is important to ensure that any existing users also have these new object classes so that they can be successfully managed with Oracle Access Manager.

The OIGOAMIntegration.sh script checks each user in the LDAP directory to ensure that they have all of the recommended object classes.

To add the missing object classes:

Note:

You can only add object classes for existing users in Oracle Internet Directory or Oracle Unified Directory. This feature is not supported in Active Directory.

  1. Open the addMissingObjectClasses.config file from the OIG Oracle home directory (located at ORACLE_HOME/idm/server/ssointg/config) in a text editor and update the parameters.

    Example addMissingObjectClasses.config File

    IDSTORE_DIRECTORYTYPE: OID
    IDSTORE_HOST: idstore.example.com
    IDSTORE_PORT: 3060
    IDSTORE_BINDDN: cn=orcladmin
    IDSTORE_BINDDN_PWD: <password>
    IDSTORE_USERSEARCHBASE: cn=Users,dc=example,dc=com

    The following table describes the parameters that you can set in the addMissingObjectClasses.config file.

    Table 2-2 Parameters in addMissingObjectClasses.config file

    Parameters Description Sample Value

    IDSTORE_DIRECTORYTYPE

    Enter the identity store directory type. Valid options are OID or OUD.

    OUD

    IDSTORE_HOST

    Enter the identity store host name.

    idstore.example.com

    IDSTORE_PORT

    Enter the identity store port.

    389

    IDSTORE_BINDDN

    An administrative user in Oracle Internet Directory or Oracle Unified Directory.

    • OID: cn=orcladmin
    • OUD: cn=oudadmin

    IDSTORE_BINDDN_PWD

    Enter the password for administrative user in Oracle Internet Directory or Oracle Unified Directory.

    password

    IDSTORE_USERSEARCHBASE

    Enter the location in the directory where users are stored.

    cn=users,dc=example,dc=com

  2. Run the OIGOAMIntegration.sh script from the OIG Oracle home directory (located at ORACLE_HOME/idm/server/ssointg/bin) to add the missing object classes:

    OIGOAMIntegration.sh -addMissingObjectClasses

    You have successfully executed the automated script to add object classes for existing users in the LDAP directory.

Note:

This step depends on the number of users in the LDAP directory. It is estimated to take 10 minutes per 10000 users in the LDAP directory.

If the following object classes are missing from existing LDAP users, the script adds them:

  • OIMPersonPwdPolicy
  • OblixOrgPerson
  • OblixPersonPwdPolicy
  • obpasswordexpirydate

2.3 Configuring OAM Using Automated Script

Configure Oracle Access Manager using the OIGOAMIntegration.sh automated script.

  1. Open the configOAM.config file from the OIG Oracle home directory (located at ORACLE_HOME/idm/server/ssointg/config) in a text editor and update the parameters.

    Example configOAM.config File

    WLSHOST: oamadminhost.example.com
    WLSPORT: 7001
    WLSADMIN: weblogic
    IDSTORE_HOST: idstore.example.com
    IDSTORE_PORT: 3060
    IDSTORE_BINDDN: cn=orcladmin
    IDSTORE_USERNAMEATTRIBUTE: cn
    IDSTORE_LOGINATTRIBUTE: uid
    IDSTORE_SEARCHBASE: dc=example,dc=com
    IDSTORE_USERSEARCHBASE: cn=Users,dc=example,dc=com
    IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com
    IDSTORE_OAMSOFTWAREUSER: oamLDAP
    IDSTORE_OAMADMINUSER: oamAdmin
    PRIMARY_OAM_SERVERS: oamhost1.example.com:5575,oamhost2.example.com:5575
    WEBGATE_TYPE: ohsWebgate11g
    ACCESS_GATE_ID: Webgate_IDM
    OAM11G_IDM_DOMAIN_OHS_HOST: sso.example.com
    OAM11G_IDM_DOMAIN_OHS_PORT: 443
    OAM11G_IDM_DOMAIN_OHS_PROTOCOL: https
    OAM11G_OAM_SERVER_TRANSFER_MODE: Open
    OAM11G_IDM_DOMAIN_LOGOUT_URLS: /console/jsp/common/logout.jsp,/em/targetauth/emaslogout.jsp
    OAM11G_WG_DENY_ON_NOT_PROTECTED: false
    OAM11G_SERVER_LOGIN_ATTRIBUTE: uid
    OAM_TRANSFER_MODE: Open
    COOKIE_DOMAIN: .example.com
    OAM11G_IDSTORE_ROLE_SECURITY_ADMIN: OAMAdministrators
    OAM11G_SSO_ONLY_FLAG: true
    OAM11G_OIM_INTEGRATION_REQ: true
    OAM11G_IMPERSONATION_FLAG: true
    OAM11G_SERVER_LBR_HOST: sso.example.com
    OAM11G_SERVER_LBR_PORT: 443
    OAM11G_SERVER_LBR_PROTOCOL: https
    COOKIE_EXPIRY_INTERVAL: 120
    OAM11G_OIM_OHS_URL: https://sso.example.com:443/
    SPLIT_DOMAIN: true
    OAM11G_IDSTORE_NAME: OAMIDSTORE
    IDSTORE_SYSTEMIDBASE: cn=systemids,dc=example,dc=com

    The following table describes the parameters that you can set in the configOAM.config file.

    Table 2-3 Parameters in configOAM.config File

    Property Description Sample Value

    ACCESS_GATE_ID

    The name with which the WebGate profile is created. Its artifacts are available under <DOMAIN_HOME>/Output/<ACCESS_GATE_ID>.

    This is the value specified during OAM configuration.

    Webgate_IDM

    COOKIE_DOMAIN

    Enter the domain in which the WebGate functions.

    .example.com

    COOKIE_EXPIRY_INTERVAL

    Enter the cookie expiration period.

    120

    IDSTORE_BINDDN

    An administrative user in Oracle Internet Directory, Oracle Unified Directory or Active Directory.

    • OID: cn=orcladmin
    • OUD: cn=oudadmin
    • Active Directory: CN=Administrator,CN=Users,DC=example.com,DC=example,dc=com

    IDSTORE_GROUPSEARCHBASE

    Enter the location in the directory where groups are stored.

    cn=groups,dc=example,dc=com

    IDSTORE_HOST

    Enter the identity store host name.

    idstore.example.com

    IDSTORE_LOGINATTRIBUTE

    Enter the login attribute of the identity store that contains the user's login name.

    uid

    IDSTORE_OAMADMINUSER

    Enter the user you use to access your Oracle Access Management Console.

    oamAdmin

    IDSTORE_OAMSOFTWAREUSER

    Enter the user you use to interact with the LDAP server.

    oamLDAP

    IDSTORE_PORT

    Enter the identity store port.

    389

    IDSTORE_SEARCHBASE

    Enter the location in the directory where users and groups are stored.

    dc=example,dc=com

    IDSTORE_SYSTEMIDBASE

    Enter the location of a container in the directory where system-operations users are stored. There are only a few system-operations users, and they are kept separate from the enterprise users stored in the main user container.

    For example, the Oracle Identity Governance reconciliation user, which is also used as the bind DN user in Oracle Virtual Directory adapters.

    cn=systemids,dc=example,dc=com

    IDSTORE_USERNAMEATTRIBUTE

    Enter the username attribute used to set and search for users in the identity store.

    cn

    IDSTORE_USERSEARCHBASE

    Enter the container under which Access Manager searches for the users.

    cn=users,dc=example,dc=com

    OAM_TRANSFER_MODE

    Enter the security mode in which the access servers function. Supported values are OPEN and SIMPLE. Oracle recommends using SIMPLE.

    Note:

    If you change the security mode from Open, then update the existing agents to use the new mode.

    SIMPLE

    OAM11G_IDM_DOMAIN_LOGOUT_URLS

    Set to the various logout URLs.

    /console/jsp/common/logout.jsp, /em/targetauth/emaslogout.jsp

    OAM11G_IDM_DOMAIN_OHS_HOST

    Enter the load balancer that is in front of Oracle HTTP Server (OHS) in a high-availability configuration.

    login.example.com

    OAM11G_IDM_DOMAIN_OHS_PORT

    Enter the load balancer port.

    443

    OAM11G_IDM_DOMAIN_OHS_PROTOCOL

    Enter the protocol to use when directing requests to the load balancer.

    https

    OAM11G_IDSTORE_NAME

    Enter the name of the identity store configured in OAM. This will be set as the default/System ID Store in OAM.

    OAMIDSTORE

    OAM11G_IDSTORE_ROLE_SECURITY_ADMIN

    Account to administer role security in identity store.

    OAMAdministrators

    OAM11G_IMPERSONATION_FLAG

    Enables or disables the impersonation feature in the OAM Server.

    true

    OAM11G_OAM_SERVER_TRANSFER_MODE

    Enter the security mode in which the access servers function. Supported values are OPEN and SIMPLE.

    Open

    OAM11G_OIM_INTEGRATION_REQ

    Specifies whether to integrate with Oracle Identity Governance or to configure Access Manager in stand-alone mode. Set to true for integration.

    If you set this value to false and then add Oracle Identity Governance at a later stage, then you can rerun this script with the value set to true.

    This parameter controls whether or not the Oracle Identity Governance Register User, Track Requests, and Forgotten Password links are included in the Oracle Access Manager login page.

    true

    OAM11G_OIM_OHS_URL

    Enter the URL of the load balancer or Oracle HTTP Server (OHS) fronting the OIM server.

    https://oig.example.com:443/

    OAM11G_SERVER_LBR_HOST

    Enter the OAM Server fronting your site.

    login.example.com

    OAM11G_SERVER_LBR_PORT

    Enter the port that the load balancer is listening on (HTTP_SSL_PORT).

    443

    OAM11G_SERVER_LBR_PROTOCOL

    Enter the protocol to use when directing requests to the load balancer.

    https

    OAM11G_SERVER_LOGIN_ATTRIBUTE

    Setting to uid ensures the validation of the username against the uid attribute in LDAP when the user logs in.

    uid

    OAM11G_SSO_ONLY_FLAG

    Set it to configure Access Manager 11g in authentication-only mode or in normal mode, which supports both authentication and authorization. The default value is true.

    If value is set to false, access is denied to protected resources for any users.

    true

    OAM11G_WG_DENY_ON_NOT_PROTECTED

    Sets the Deny On Not Protected flag for a 10g WebGate. Valid values are true and false. Set the value to true as a best practice.

    true

    PRIMARY_OAM_SERVERS

    Enter a comma-separated list of your Access Manager servers and the proxy ports they use.

    oamhost1.example.com:5575, oamhost2.example.com:5575

    SPLIT_DOMAIN

    Setting this to true is required to suppress the double authentication of the Oracle Access Management Console.

    true

    WEBGATE_TYPE

    Enter the WebGate agent type you want to create. 10g is no longer supported in 12c.

    ohsWebgate12c

    WLSADMIN

    Enter the WebLogic Server administrative user account you use to log in to the WebLogic Server Administration Console in OAM domain.

    weblogic

    WLSHOST

    Enter the Administration server host name in OAM domain.

    oamadminhost.example.com

    WLSPORT

    Enter the Administration server port in OAM domain.

    7001

  2. Stop the policy server. See Starting and Stopping Managed WebLogic Servers and Access Manager Servers.

  3. Set the MW_HOME environment variable to OIG Middleware.
  4. Run the automated script for OIG-OAM integration to configure OAM.
    OIGOAMIntegration.sh -configOAM
    You have successfully executed the automated script for configuring Oracle Access Manager.
  5. Restart the OAM domain servers. See Starting and Stopping Managed WebLogic Servers and Access Manager Servers.
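The prepareIDStore.all.config and configOAM.config files share their IDSTORE_* keys, and the parameter tables above attach recommendations to several other values (SIMPLE over OPEN transfer mode, true for OAM11G_WG_DENY_ON_NOT_PROTECTED, passwords left out of the file so the script prompts for them). The following script is an added example, not part of Oracle's ssointg tooling: it parses both files and reports mismatches and weak settings before either OIGOAMIntegration.sh run. The embedded samples are constructed, trimmed copies of the two example files above.

```python
"""Sanity-check prepareIDStore.all.config and configOAM.config before running
OIGOAMIntegration.sh. Added example, not Oracle's tooling: the rules encode the
relationships the two parameter tables above describe ('warn' = the tables'
recommendations, 'error' = values the scripts cannot use consistently)."""
import sys

# Keys that appear in both files with the same meaning, so their values must agree.
SHARED_KEYS = ("IDSTORE_HOST", "IDSTORE_PORT", "IDSTORE_BINDDN", "IDSTORE_USERNAMEATTRIBUTE",
               "IDSTORE_LOGINATTRIBUTE", "IDSTORE_SEARCHBASE", "IDSTORE_USERSEARCHBASE",
               "IDSTORE_GROUPSEARCHBASE", "IDSTORE_SYSTEMIDBASE", "IDSTORE_OAMSOFTWAREUSER",
               "IDSTORE_OAMADMINUSER", "OAM11G_IDSTORE_ROLE_SECURITY_ADMIN")
CONTAINER_KEYS = ("IDSTORE_USERSEARCHBASE", "IDSTORE_GROUPSEARCHBASE", "IDSTORE_SYSTEMIDBASE")
OUD_ONLY_KEYS = ("IDSTORE_ADMIN_PORT", "IDSTORE_KEYSTORE_FILE", "IDSTORE_KEYSTORE_PASSWORD")
MODE_KEYS = ("OAM_TRANSFER_MODE", "OAM11G_OAM_SERVER_TRANSFER_MODE")

def parse_config(text):
    """Parse the 'KEY: value' lines of an ssointg config file; '#' lines are comments."""
    cfg = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"line {lineno}: expected 'KEY: value', got {raw!r}")
        cfg[key.strip()] = value.strip()
    return cfg

def dn_under(child, base):
    """True if DN child lies strictly below DN base (case-insensitive RDN comparison)."""
    c = [p.strip().lower() for p in child.split(",")]
    b = [p.strip().lower() for p in base.split(",")]
    return len(c) > len(b) and c[-len(b):] == b

def check_prepare_idstore(cfg):
    """Findings for prepareIDStore.all.config as (level, message) tuples."""
    out = []
    dirtype = cfg.get("IDSTORE_DIRECTORYTYPE", "")
    if dirtype not in ("OID", "OUD", "AD"):
        out.append(("error", f"IDSTORE_DIRECTORYTYPE must be OID, OUD or AD, not {dirtype!r}"))
    if dirtype == "OUD":  # the table lists these as OUD-only, which makes them required for OUD
        out += [("error", f"{k} is required for OUD") for k in OUD_ONLY_KEYS if k not in cfg]
    base = cfg.get("IDSTORE_SEARCHBASE", "")
    for k in CONTAINER_KEYS:
        if k not in cfg:
            out.append(("error", f"{k} is missing"))
        elif base and not dn_under(cfg[k], base):
            out.append(("error", f"{k}={cfg[k]} is not under IDSTORE_SEARCHBASE={base}"))
    # Password fields are optional: left out, the script prompts for them at run time.
    out += [("warn", f"{k} is stored in the file; omit it to be prompted instead")
            for k in sorted(cfg) if k.endswith(("_PWD", "_PASSWORD"))]
    return out

def check_config_oam(cfg):
    """Findings for configOAM.config: transfer modes and the deny-on-not-protected flag."""
    out = []
    modes = {k: cfg.get(k, "").upper() for k in MODE_KEYS}
    out += [("error", f"{k} must be OPEN or SIMPLE, not {cfg.get(k)!r}")
            for k, v in modes.items() if v not in ("OPEN", "SIMPLE")]
    if len(set(modes.values())) > 1:
        out.append(("error", "OAM_TRANSFER_MODE and OAM11G_OAM_SERVER_TRANSFER_MODE differ"))
    elif modes["OAM_TRANSFER_MODE"] == "OPEN":
        out.append(("warn", "transfer mode is OPEN; the table recommends SIMPLE"))
    if cfg.get("OAM11G_WG_DENY_ON_NOT_PROTECTED", "").lower() != "true":
        out.append(("warn", "OAM11G_WG_DENY_ON_NOT_PROTECTED is not true; the table calls true best practice"))
    return out

def check_consistency(prepare_cfg, oam_cfg):
    """Shared keys must carry identical values in both files."""
    return [("error", f"{k} differs: prepareIDStore={prepare_cfg[k]!r} configOAM={oam_cfg[k]!r}")
            for k in SHARED_KEYS if k in prepare_cfg and k in oam_cfg and prepare_cfg[k] != oam_cfg[k]]

def run_all(prepare_text, oam_text):
    """Parse both files and return every finding, errors first."""
    p, o = parse_config(prepare_text), parse_config(oam_text)
    findings = check_prepare_idstore(p) + check_config_oam(o) + check_consistency(p, o)
    return sorted(findings, key=lambda f: f[0] != "error")

# Constructed samples: trimmed copies of the two example files shown above.
SAMPLE_PREPARE = ("IDSTORE_DIRECTORYTYPE: OID\nIDSTORE_HOST: idstore.example.com\nIDSTORE_PORT: 3060\n"
                  "IDSTORE_BINDDN: cn=orcladmin\nIDSTORE_BINDDN_PWD: <password>\n"
                  "IDSTORE_SEARCHBASE: dc=example,dc=com\nIDSTORE_USERSEARCHBASE: cn=Users,dc=example,dc=com\n"
                  "IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com\n"
                  "IDSTORE_SYSTEMIDBASE: cn=systemids,dc=example,dc=com\n")
SAMPLE_CONFIGOAM = ("IDSTORE_HOST: idstore.example.com\nIDSTORE_PORT: 3060\nIDSTORE_BINDDN: cn=orcladmin\n"
                    "IDSTORE_SEARCHBASE: dc=example,dc=com\nIDSTORE_USERSEARCHBASE: cn=Users,dc=example,dc=com\n"
                    "OAM11G_OAM_SERVER_TRANSFER_MODE: Open\nOAM_TRANSFER_MODE: Open\n"
                    "OAM11G_WG_DENY_ON_NOT_PROTECTED: false\n")

if __name__ == "__main__":  # usage: python3 check_ssointg.py prepareIDStore.all.config configOAM.config
    texts = [open(f).read() for f in sys.argv[1:3]] if len(sys.argv) == 3 else [SAMPLE_PREPARE, SAMPLE_CONFIGOAM]
    print("\n".join(f"{level}: {msg}" for level, msg in run_all(*texts)) or "no findings")
```

Run on the page's own example values it reports only warnings (password in file, OPEN transfer mode, deny-on-not-protected false); a port or search base that differs between the two files is reported as an error.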

Verifying the OAM Configuration

You can verify the OAM configuration by performing the following steps:

  1. When Single Sign-on is implemented, provide the LDAP group IDM Administrators with WebLogic administration rights, so that you can log in using one of these accounts and perform WebLogic administrative actions. To add the LDAP Groups OAMAdministrators and WLSAdministrators to the WebLogic Administrators:

    1. Log in to the WebLogic Administration Server Console as the default administrative user. For example, weblogic.
    2. In the left pane of the console, click Security Realms.
    3. On the Summary of Security Realms page, click myrealm under the Realms table.
    4. On the Settings page for myrealm, click the Roles & Policies tab.
    5. On the Realm Roles page, expand the Global Roles entry under the Roles table.
    6. Click the Roles link to go to the Global Roles page.
    7. On the Global Roles page, click the Admin role to go to the Edit Global Roles page.
    8. On the Edit Global Roles page, under the Role Conditions table, click the Add Conditions button.
    9. On the Choose a Predicate page, select Group from the drop down list for predicates and click Next.
    10. On the Edit Arguments page, specify OAMAdministrators in the Group Argument field and click Add.
    11. Repeat for the group WLSAdministrators.
    12. Click Finish to return to the Edit Global Roles page.
    13. The Role Conditions table now shows the groups OAMAdministrators or WLSAdministrators as role conditions.
    14. Click Save to finish adding the Admin role to the OAMAdministrators and IDM Administrators Groups.
  2. Search for the WebGate name that you specified in the configOAM.config properties file:
    1. Log in to the Oracle Access Management Console as the OAM admin user:

      http://oam_adminserver_host:oam_adminserver_port/oamconsole
    2. From the Application Security Launch Pad, click Agents.

      The Search SSO Agents page is displayed.

    3. In the Search field, enter the WebGate name.

      Note:

      This is the value you specified for ACCESS_GATE_ID in the configOAM.config properties file.
    4. In the Search Result Table, you can see the agent.

  3. Verify that the name of the identity store you specified in the configOAM.config file is automatically selected as the default store:

    • Click the Configuration Launch Pad and select User Identity Stores.

    • In the Default and System Store section, verify that the name of the identity store you specified in the configOAM.config file (For example, OAMIDSTORE) is selected as the Default Store and System Store.

  4. For a clustered deployment, perform the following steps:

    1. In the OAM Console, click the Agents pad on the Application Security screen.

    2. Ensure that the WebGates tab is selected.

    3. Click Search.

    4. Click an Agent, for example: IAMSuiteAgent.

    5. Set the Security value to the same value defined for OAM Transfer Mode on the Access Manager Configuration screen during response file creation.

      If you have changed the OAM security model using the OIGOAMIntegration tool, change the security model used by any existing Webgates to reflect this change.

      Click Apply.

    6. In the Primary Server list, click +, and add any missing Access Manager Servers.

    7. If a password has not already been assigned, enter a password into the Access Client Password field, and click Apply.

      Assign an Access Client Password, such as the Common IAM Password (COMMON_IDM_PASSWORD) you used during the response file creation or an Access Manager-specific password, if you have set one.

    8. Set Maximum Connections to 20. This is the total maximum number of connections for the primary servers, which is 10 x WLS_OAM1 connections plus 10 x WLS_OAM2 connections.

    9. If you see the following in the User Defined Parameters or the Logout redirect URL:

      logoutRedirectUrl=http://OAMHOST1.example.com:14100/oam/server/logout

      Change it to:

      logoutRedirectUrl=https://login.example.com/oam/server/logout
    10. Click Apply.

    11. Repeat steps 1 through 10 for each WebGate.

    12. Check that the security setting matches that of your Access Manager servers.