19 Configuring Oracle Identity Manager

Oracle Identity Manager is a user provisioning and administration solution that automates the process of adding, updating, and deleting user accounts from applications and directories. It also improves regulatory compliance by providing granular reports that attest to who has access to what. Oracle Identity Manager is available as a standalone product or as part of Oracle Identity Management.

When you created the domain IAMGovernanceDomain in Chapter 15, "Creating Domains for an Enterprise Deployment", you created a domain containing the software components for Oracle Identity Manager and Oracle Business Intelligence lite. Before you can use these products, however, you must configure them. This chapter describes the procedures.

Automating user identity provisioning can reduce Information Technology (IT) administration costs and improve security. Provisioning also plays an important role in regulatory compliance. Key features of Oracle Identity Manager include password management, workflow and policy management, identity reconciliation, reporting and auditing, and extensibility through adapters.

Oracle Identity Manager provides the following key functionality:

  • User Administration

  • Workflow and Policy

  • Password management

  • Audit and Compliance Management

  • Integration Solutions

  • User Provisioning

  • Organization and Role Management

About Domain URLs

Table 19-1 lists the Domain URLs and their corresponding components and SSO Users.

Table 19-1 Domain URL Details

Component                     URL                                    SSO User
Self-service Console          https://prov.example.com/identity      xelsysadm
OIM Administration Console    http://igdadmin.example.com/sysadmin   xelsysadm



19.1 Configuring Oracle Coherence for Oracle SOA Suite

Although deploying composites uses multicast communication by default, Oracle recommends using unicast communication in Oracle Identity and Access Management enterprise deployments. Use unicast if you disable multicast communication for security reasons.

Unlike multicast, unicast communication does not let nodes discover other cluster members automatically. Consequently, you must specify the nodes that belong to the cluster. You do not need to specify all of the nodes of a cluster, however. You need only specify enough nodes so that a new node added to the cluster can discover one of the existing nodes. Once a new node has joined the cluster, it is able to discover all of the other nodes in the cluster. Additionally, in configurations such as Oracle Identity and Access Management enterprise deployments, where multiple IPs are available on the same system, you must configure Oracle Coherence to use a specific host name to create the Oracle Coherence cluster.

Note:

An incorrect configuration of the Oracle Coherence framework used for deployment may prevent the Oracle Identity and Access Management system from starting. The deployment framework must be properly customized for the network environment on which the system runs. Oracle recommends the configuration described in this section.


19.1.1 Enabling Communication for Deployment Using Unicast Communication

Specify the nodes using the tangosol.coherence.wka<n> system property, where <n> is a number between 1 and 9. You can specify up to nine nodes. Start the numbering at 1. This numbering must be sequential and must not contain gaps. In addition, specify the host name used by Oracle Coherence to create a cluster through the tangosol.coherence.localhost system property. This local host name should be the virtual host name used by the SOA server as the listener addresses (OIMHOST1VHN2 and OIMHOST2VHN2). Set this property by adding the -Dtangosol.coherence.localhost parameters to the Arguments field of the Oracle WebLogic Server Administration Console's Server Start tab.

Tip:

To guarantee high availability during deployments of SOA composites, specify enough nodes so that at least one of them is running at any given time.

Note:

OIMHOST1VHN2 is the virtual host name that maps to the virtual IP where WLS_SOA1 is listening (on OIMHOST1). OIMHOST2VHN2 is the virtual host name that maps to the virtual IP where WLS_SOA2 is listening (on OIMHOST2).

19.1.2 Specifying the Host Name Used by Oracle Coherence

Use the Administration Console to specify a host name used by Oracle Coherence.

To add the host name used by Oracle Coherence

  1. Log into the Oracle WebLogic Server Administration Console.

  2. In the Domain Structure window, expand the Environment node.

  3. Click Servers.

    The Summary of Servers page appears.

  4. Click the name of the server (WLS_SOA1 or WLS_SOA2, which are represented as hyperlinks) in the Name column of the table. The settings page for the selected server appears.

  5. Click Lock & Edit.

  6. Click the Server Start tab.

  7. Enter the following for WLS_SOA1 and WLS_SOA2 into the Arguments field.

    For WLS_SOA1, enter the following:

    -Dtangosol.coherence.wka1=OIMHOST1VHN2
    -Dtangosol.coherence.wka2=OIMHOST2VHN2
    -Dtangosol.coherence.localhost=OIMHOST1VHN2
    

    For WLS_SOA2, enter the following:

    -Dtangosol.coherence.wka1=OIMHOST1VHN2
    -Dtangosol.coherence.wka2=OIMHOST2VHN2
    -Dtangosol.coherence.localhost=OIMHOST2VHN2
    

    Note:

    There must be no line breaks between the different -D parameters. The parameters must be separated by a single space character. Do not copy and paste the text into the Arguments field in the Administration Console, because this may result in HTML tags being inserted into the Java arguments. The text must not contain any characters other than those shown in the example above.

    Note:

    The Coherence cluster used for deployment uses port 8088 by default. This port can be changed by specifying a different port (for example, 8089) with the -Dtangosol.coherence.wka<n>.port and -Dtangosol.coherence.localport startup parameters. For example, for WLS_SOA1 (enter the following into the Arguments field on a single line, without a carriage return):
    -Dtangosol.coherence.wka1=OIMHOST1VHN2
    -Dtangosol.coherence.wka2=OIMHOST2VHN2
    -Dtangosol.coherence.localhost=OIMHOST1VHN2
    -Dtangosol.coherence.localport=8089
    -Dtangosol.coherence.wka1.port=8089
    -Dtangosol.coherence.wka2.port=8089
    

    WLS_SOA2 (enter the following into the Arguments field on a single line, without a carriage return):

    -Dtangosol.coherence.wka1=OIMHOST1VHN2
    -Dtangosol.coherence.wka2=OIMHOST2VHN2
    -Dtangosol.coherence.localhost=OIMHOST2VHN2
    -Dtangosol.coherence.localport=8089
    -Dtangosol.coherence.wka1.port=8089
    -Dtangosol.coherence.wka2.port=8089
    
  8. Click Save and Activate Changes.

  9. Restart the WebLogic Administration Server.

  10. Start the SOA managed servers wls_soa1 and wls_soa2.

Note:

You must ensure that these variables are passed to the managed server correctly. (They should be reflected in the server's output log.) Failure of the Oracle Coherence framework can prevent the soa-infra application from starting.

Note:

The multicast and unicast addresses are different from the ones used by the WebLogic Server cluster for cluster communication. SOA guarantees that composites are deployed to members of a single WebLogic Server cluster even though the communication protocols for the two entities (the WebLogic Server cluster and the groups to which composites are deployed) are different.
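As an added illustration that is not part of the Oracle documentation, the following POSIX shell script assembles the Server Start argument line for each SOA server from the host names used above, checks it against the rules of this section (one line, only -Dtangosol.coherence tokens, sequential wka numbering from 1 with no gaps, a localhost entry), and confirms that every token appears in a constructed sample of the managed server output log. The function names, the WKA_HOSTS variable and the sample log line are assumptions.

```shell
#!/bin/sh
# Added example (not Oracle's code): build and check the Coherence unicast
# arguments for a SOA managed server before typing them into the
# Server Start > Arguments field of the Administration Console.

# Well-known addresses in wka1..wka<n> order (constructed: the two SOA VHNs).
WKA_HOSTS="OIMHOST1VHN2 OIMHOST2VHN2"

# coherence_args LOCALHOST [PORT]
# Prints one space-separated line for the server listening on LOCALHOST.
# With PORT, also emits localport and wka<n>.port (the default port is 8088).
coherence_args() {
  ca_local=$1; ca_port=$2; ca_out=""; ca_n=1
  for ca_h in $WKA_HOSTS; do
    ca_out="$ca_out -Dtangosol.coherence.wka$ca_n=$ca_h"
    ca_n=$((ca_n + 1))
  done
  ca_out="$ca_out -Dtangosol.coherence.localhost=$ca_local"
  if [ -n "$ca_port" ]; then
    ca_out="$ca_out -Dtangosol.coherence.localport=$ca_port"
    ca_n=1
    for ca_h in $WKA_HOSTS; do
      ca_out="$ca_out -Dtangosol.coherence.wka$ca_n.port=$ca_port"
      ca_n=$((ca_n + 1))
    done
  fi
  printf '%s\n' "${ca_out# }"
}

# check_coherence_args LINE
# Returns 0 when LINE has no line breaks or HTML tag characters, contains only
# -Dtangosol.coherence.* tokens, numbers wka entries 1..9 without gaps, and
# includes a localhost entry. Prints the first violation to stderr otherwise.
check_coherence_args() {
  cc_line=$1
  cc_nl=$(printf '\nx'); cc_nl=${cc_nl%x}
  case $cc_line in
    *"$cc_nl"*) echo "line break inside the arguments" >&2; return 1 ;;
    *'<'*|*'>'*) echo "HTML tag characters inside the arguments" >&2; return 1 ;;
  esac
  for cc_w in $cc_line; do
    case $cc_w in
      -Dtangosol.coherence.*=*) ;;
      *) echo "unexpected token: $cc_w" >&2; return 1 ;;
    esac
  done
  cc_n=1
  while [ $cc_n -le 9 ]; do
    case " $cc_line " in
      *" -Dtangosol.coherence.wka$cc_n="*) cc_n=$((cc_n + 1)) ;;
      *) break ;;
    esac
  done
  [ $cc_n -gt 1 ] || { echo "no wka1 entry" >&2; return 1; }
  cc_m=$cc_n
  while [ $cc_m -le 9 ]; do
    case " $cc_line " in
      *" -Dtangosol.coherence.wka$cc_m="*)
        echo "gap in wka numbering before wka$cc_m" >&2; return 1 ;;
    esac
    cc_m=$((cc_m + 1))
  done
  case " $cc_line " in
    *" -Dtangosol.coherence.localhost="*) ;;
    *) echo "no localhost entry" >&2; return 1 ;;
  esac
  return 0
}

# args_seen_in_log LINE LOGFILE
# The note above says the -D parameters should be reflected in the managed
# server's output log; this confirms every token of LINE is present there.
args_seen_in_log() {
  for al_w in $1; do
    grep -qF -- "$al_w" "$2" || { echo "not in log: $al_w" >&2; return 1; }
  done
}

# Stand-alone demo with a constructed log line (not real server output).
if [ "${1:-}" = "demo" ]; then
  soa1=$(coherence_args OIMHOST1VHN2)
  echo "WLS_SOA1: $soa1"
  echo "WLS_SOA2: $(coherence_args OIMHOST2VHN2 8089)"
  check_coherence_args "$soa1" && echo "WLS_SOA1 arguments pass the checks"
  demo_log=$(mktemp)
  printf 'JAVA Options: %s weblogic.Name=WLS_SOA1\n' "$soa1" > "$demo_log"
  args_seen_in_log "$soa1" "$demo_log" && echo "all arguments found in the constructed log"
  rm -f "$demo_log"
fi
```

Run the script with the argument demo to see both server lines and the checks; pass the real server output log as the second argument of args_seen_in_log after a restart.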

19.2 Configuring Oracle Identity Manager

You must configure the Oracle Identity Manager server instance before you can start the Oracle Identity Manager Managed Servers. For a consolidated topology, this is performed on IAMHOST2. For a distributed topology, this is performed on OIMHOST1. The Oracle Identity Management Configuration Wizard loads the Oracle Identity Manager metadata into the database and configures the instance.

Before proceeding, ensure that the following are true:

  • The Administration Server is up and running.

  • SOA Managed Server is up and running.

  • The environment variables DOMAIN_HOME and WL_HOME are not set in the current shell.

  • The Oracle Identity Management Configuration Wizard is located under the Identity Management Oracle home.

To configure Oracle Identity Manager:

  1. Start the Configuration Wizard by running the following command from the location IGD_ORACLE_HOME/bin/:

    ./config.sh

  2. On the Welcome screen, click Next.

  3. On the Components to Configure screen, select OIM Server.

    Click Next.

  4. On the Database screen, provide the following values:

    • Connect String: The connect string for the Oracle Identity Manager database:

      igddb-scan.example.com:1521:igdedg1^igddb-scan.example.com:1521:igdedg2@igdedg.example.com

    • OIM Schema User Name: edgigd_oim

    • OIM Schema password: password

    • MDS Schema User Name: edgigd_mds

    • MDS Schema Password: password

    Click Next.

  5. On the WebLogic Administration Server screen, provide the following details for the WebLogic Administration Server:

    • URL: The URL to connect to the WebLogic Administration Server. For example:

      t3://IGDADMINVHN.example.com:7101
      

      Where 7101 is the IGD_WLS_PORT from the worksheet.

    • UserName: weblogic

    • Password: Password for the weblogic user

    Click Next.

  6. On the OIM Server screen, provide the following values:

    • OIM Administrator Password: Password for the Oracle Identity Manager Administrator. This is the password for the xelsysadm user. The password must contain an uppercase letter and a number. Best practice is to use the same password that you assigned to the user xelsysadm when preparing the Identity Store.

    • Confirm Password: Confirm the password.

    • OIM HTTP URL: Proxy URL for the Oracle Identity Manager Server. This is the URL of the hardware load balancer that fronts the OHS servers for Oracle Identity Manager. For example:

      http://igdinternal.example.com:7777
      
    • OIM External FrontEnd URL:

      https://prov.example.com:IGD_HTTPS_PORT
      
    • Key Store Password: Key store password. The password must have an uppercase letter and a number.

    • Enable OIM for Suite Integration: Selected.

      Select this option if you plan to integrate OIM with OAM.

    Click Next.

  7. On the LDAP Server Screen, the information you enter is dependent on your implementation. Provide the following details:

    • Directory Server Type:

      • OID if your Identity Store is in Oracle Internet Directory.

      • OUD if your Identity Store is Oracle Unified Directory.

      • ACTIVE_DIRECTORY if your Identity Store is Microsoft Active Directory

    • Directory Server ID: A name for your directory server. For example: IdStore. This is only required if the directory type is OID or OUD.

    • Server URL: The LDAP server URL. For example:

      ldap://idstore.example.com:1389 for OUD
      ldap://idstore.example.com:3060 for OID
      
    • Server User: The user name for connecting to the LDAP Server. This is the OIMLDAPUSER from the worksheet. For example:

      cn=oimLDAP,cn=systemids,dc=example,dc=com
      
    • Server Password: The password for connecting to the LDAP Server.

    • Server Search DN: The Search DN. This is the REALM_DN from the worksheet. For example:

      dc=example,dc=com
      

    Click Next.

    Note:

    Ensure that you have configured the directory according to the documentation, then click OK on the pop-up message that is displayed: "Ensure that you have a supported Directory server and that you have pre-configured the Directory as per the documentation and it is available for the installer."

  8. On the LDAP Server Continued screen, provide the following LDAP server details:

    • LDAP Role Container: The DN for the Role Container. This is the container where the Oracle Identity Manager roles are stored. This is the GROUPS_CONTAINER from the worksheet. For example:

      cn=Groups,dc=example,dc=com
      
    • LDAP User Container: The DN for the User Container. This is the container where the Oracle Identity Manager users are stored. This is the USERS_CONTAINER from the worksheet. For example:

      cn=Users,dc=example,dc=com
      
    • User Reservation Container: The DN for the User Reservation Container. This is the RESERVE_CONTAINER from the worksheet. For example:

      cn=Reserve,dc=example,dc=com
      

    Click Next.

  9. On the Configuration Summary screen, verify the summary information.

    Click Configure to configure the Oracle Identity Manager instance.

  10. On the Configuration Progress screen, once the configuration completes successfully, click Next.

  11. On the Configuration Complete screen, view the details of the Oracle Identity Manager Instance configured.

    Click Finish to exit the Configuration Wizard.

19.3 Copying SOA Composites to Managed Server Directory

When SOA first starts, it automatically deploys a number of applications that are located in the IGD_ASERVER_HOME/soa directory. Performing pack and unpack does not populate this directory, so you must create it manually.

Copy the soa directory from IGD_ASERVER_HOME/IAMGovernanceDomain/soa to IGD_MSERVER_HOME/IAMGovernanceDomain.

For example:

cp -rp /u01/oracle/config/domains/IAMGovernanceDomain/soa /u02/private/oracle/config/domains/IAMGovernanceDomain/soa

Perform these steps on all OIMHOSTs.

Restart the WLS_SOA1 and WLS_SOA2 servers.

19.4 Modifying the Oracle Identity Manager Properties to Support Active Directory

When first installed, Oracle Identity Manager has a set of default system properties for its operation.

If your Identity Store is in Active Directory, you must change the System property XL.DefaultUserNamePolicyImpl to oracle.iam.identity.usermgmt.impl.plugins.FirstNameLastNamePolicyForAD or oracle.iam.identity.usermgmt.impl.plugins.LastNameFirstNamePolicyForAD.

To learn how to do this, see the Administering System Properties chapter of Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.

19.5 Starting and Validating Oracle Identity Manager on OIMHOST1

Start the Oracle Identity Manager Managed Server on OIMHOST1. This involves the following tasks:

  1. Starting the Node Manager on OIMHOST1, if it is not already running.

  2. Restarting the WebLogic Administration Server on OIMHOST1.

  3. Restarting the SOA Managed Server wls_soa1 on OIMHOST1.

  4. Starting the OIM Managed Server wls_oim1 on OIMHOST1.

For information about starting and stopping servers, see Section 31.1.6, "Starting and Stopping IAMGovernanceDomain Services".

Validate the Oracle Identity Manager Server Instance by bringing up the Oracle Identity Manager Console in a Web browser at:

http://OIMHOST1VHN1.example.com:14000/identity/
http://OIMHOST1VHN1.example.com:14000/sysadmin/

Log in using the xelsysadm username and password.

Validate the SOA configuration at

http://OIMHOST1VHN2.example.com:8001/soa-infra

Log in as the weblogic user.

19.6 Starting and Validating Oracle Identity Manager on OIMHOST2

Start the Oracle Identity Manager Managed Server on OIMHOST2. This involves the following tasks:

  1. Starting the Node Manager on OIMHOST2, if it is not already running.

  2. Restarting the SOA Managed Server wls_soa2 on OIMHOST2.

  3. Starting the OIM Managed Server wls_oim2 on OIMHOST2.

For information about starting and stopping servers, see Section 31.1.6, "Starting and Stopping IAMGovernanceDomain Services".

Validate the Oracle Identity Manager Server Instance by bringing up the Oracle Identity Manager Console in a Web browser at:

http://OIMHOST2VHN1.example.com:14000/identity/
http://OIMHOST2VHN1.example.com:14000/sysadmin/

Log in using the xelsysadm username and password.

Validate the SOA configuration at

http://OIMHOST2VHN2.example.com:8001/soa-infra

Log in as the weblogic user.

19.7 Configuring Oracle Identity Manager to Reconcile from ID Store

In the current release, the LDAPConfigPostSetup script enables all the LDAPSync-related incremental Reconciliation Scheduler jobs, which are disabled by default. The LDAP configuration post-setup script is located under the IGD_ORACLE_HOME/server/ldap_config_util directory. Run the script on OIMHOST1 as follows:

  1. Edit the ldapconfig.props file located under the IGD_ORACLE_HOME/server/ldap_config_util directory and provide the following values:

    Parameter           Value                                                                 Description
    OIMProviderURL      t3://OIMHOST1VHN1.example.com:14000,OIMHOST2VHN1.example.com:14000    List of Oracle Identity Manager managed servers
    LIBOVD_PATH_PARAM   IGD_ASERVER_HOME/config/fmwconfig/ovd/oim                             Location of LIBOVD configuration files

  2. Save the file.

  3. Set the JAVA_HOME, WL_HOME, MW_HOME, APP_SERVER, OIM_ORACLE_HOME, and DOMAIN_HOME environment variables, where:

    • JAVA_HOME is set to IGD_MW_HOME/jdk

    • WL_HOME is set to IGD_MW_HOME/wlserver_10.3

    • APP_SERVER is set to weblogic

    • OIM_ORACLE_HOME is set to IGD_ORACLE_HOME

    • DOMAIN_HOME is set to IGD_ASERVER_HOME

    • MW_HOME is set to IGD_MW_HOME

  4. Run LDAPConfigPostSetup.sh. The script prompts for the Oracle Internet Directory admin password and the Oracle Identity Manager admin password. The syntax is:

    IGD_ORACLE_HOME/server/ldap_config_util/LDAPConfigPostSetup.sh path_to_property_file
    

    For example:

    cd IGD_ORACLE_HOME/server/ldap_config_util/
    ./LDAPConfigPostSetup.sh IGD_ORACLE_HOME/server/ldap_config_util
    

    If the script executes successfully, a success message similar to the following is shown:

    "Successfully Enabled Changelog based Reconciliation schedule jobs.
    Successfully Updated Changelog based Reconciliation schedule jobs with last change number:"
    
  5. Ignore the following errors:

    java.lang.ClassNotFoundException: oracle.as.jmx.framework.standardmbeans.spi.JMXFrameworkProviderImpl
    

19.8 Configuring Default Persistence Store for Transaction Recovery

The WLS_OIM and WLS_SOA Managed Servers have a transaction log that stores information about committed transactions, coordinated by the server, that might not yet have been completed. WebLogic Server uses this transaction log to recover from system crashes or network failures. To leverage the migration capability of the Transaction Recovery Service for the servers within a cluster, store the transaction log in a location accessible to a server and its backup servers.

Note:

Preferably, this location should be on a dual-ported SCSI disk or on a Storage Area Network (SAN).

Perform these steps to set the location for the default persistence stores for the Oracle Identity Manager and SOA Servers:

  1. Create the following directories on the shared storage:

    RT_HOME/domains/IAMGovernanceDomain/tlogs/cluster_soa
    RT_HOME/domains/IAMGovernanceDomain/tlogs/cluster_oim
    
  2. Log in to the Oracle WebLogic Server Administration Console.

  3. Click Lock and Edit.

  4. In the Domain Structure window, expand the Environment node and then click the Servers node.

    The Summary of Servers page appears.

  5. Click the name of either the Oracle Identity Manager server (wls_oim<n>) or the SOA server (wls_soa<n>), represented as a hyperlink in the Name column of the table.

    The Settings page for the selected server appears.

  6. Go to the Configuration tab.

  7. Click General and then go to the Services tab.

  8. Under the Default Store section of the page, provide the path to the default persistent store on shared storage.

    The directory structure of the path is as follows:

    For Oracle Identity Manager Servers:

    RT_HOME/domains/IAMGovernanceDomain/tlogs/cluster_oim
    

    For SOA Servers:

    RT_HOME/domains/IAMGovernanceDomain/tlogs/cluster_soa
    

    Note:

    To enable migration of the Transaction Recovery Service, specify a location on a persistent storage solution that is available to other servers in the cluster. All the servers that are a part of the cluster must be able to access this directory.

  9. Click Save.

  10. Repeat the above steps to update the Default Store directory for all OIM and SOA managed servers.

  11. Activate the changes.

19.9 Configuring UMS Email

This section describes how to configure UMS email notification. This is optional. The following steps assume that an email server has been set up and that Oracle Identity Management can use it to send the email notifications.

  1. Log in to the Oracle Enterprise Manager Fusion Middleware Control instance that is associated with Oracle Identity Manager.

  2. Expand User Messaging Service.

  3. Right-click usermessagingdriver-email (wls_soa1) and select Email Driver Properties.

  4. Enter the following information:

    • OutgoingMailServer: name of the SMTP server, for example: smtp.example.com

    • OutgoingMailServerPort: port of the SMTP server, for example: 465 for SSL outgoing mail server and 25 for non-SSL

    • OutgoingMailServerSecurity: The security setting used by the SMTP server. Possible values are None, TLS, or SSL. If the mail server is configured to accept SSL requests, perform these additional steps to remove DemoTrust store references from the SOA environment:

      Modify the IGD_ASERVER_HOME/domain_name/bin/setDomainEnv.sh file to remove the DemoTrust references:

      -Djavax.net.ssl.trustStore=IGD_WL_HOME/server/lib/DemoTrust.jks
      

      from EXTRA_JAVA_PROPERTIES.

      Restart both the Administration server and the Managed server.

    • OutgoingUsername: Any valid username

    • OutgoingPassword:

      Choose Indirect Password, Create New User.

      Provide a unique string for Indirect Username/Key, for example: OIMEmailConfig. This masks the password so that it is not exposed in cleartext in the configuration file.

      Provide a valid password for this account.

      Click Apply.

      Repeat Steps 3 and 4 for each SOA server.

  5. From the Navigator, select WebLogic Domain, and then DomainName.

  6. From the menu, select System MBean Browser.

  7. Expand Application Defined MBeans, oracle.iam, Server, wls_oim1, Application: oim, and then IAMAppRuntimeMBean.

  8. Click UMSEmailNotificationProviderMBean.

    Enter the following:

    • Web service URL: http://igdinternal.example.com:80/ucs/messaging/webservice

    • Policies: Leave blank.

    • CSFKey: Notification.Provider.Key

    Click Apply.

19.10 Changing Host Assertion in WebLogic

Because the Oracle HTTP Server acts as a proxy for WebLogic, by default certain CGI environment variables are not passed through to WebLogic. These include the host and port. You must tell WebLogic that it is using a virtual site name and port so that it can generate internal URLs appropriately.

  1. Log in to the WebLogic administration console.

  2. Select Clusters from the home page or, alternatively, select Environment and then Clusters, from the Domain Structure menu.

  3. Click Lock & Edit in the Change Center Window to enable editing.

  4. Click the Cluster Name (cluster_soa).

  5. In the Configuration tab, select the HTTP subtab and enter the following:

    Frontend Host: igdinternal.example.com

    Frontend HTTP Port: 7777

  6. Click Save.

  7. Click Activate Changes in the Change Center window.

19.11 Restarting the Administration Server, Oracle Identity Manager, and Oracle SOA Suite Servers

Restart the WebLogic Administration Server, Oracle SOA Suite Managed Servers, and the Oracle Identity Manager Managed Servers on OIMHOST1 and OIMHOST2.

For information about starting and stopping servers, see Section 31.1.6, "Starting and Stopping IAMGovernanceDomain Services".

19.12 Validating Oracle Identity Manager Instance from the WebTier

Validate the Oracle Identity Manager Server Instance by bringing up the Oracle Identity Manager Console in a web browser, at:

https://prov.example.com:443/identity

and

http://igdadmin.example.com/sysadmin

Log in using the xelsysadm username and password.

19.13 Integrating Identity Manager with Access Manager

This section describes how to integrate Identity Manager with Access Manager.


19.13.1 Copying OAM Keystore Files to OIMHOST1 and OIMHOST2

If you are using Access Manager with the Simple Security Transport model, copy the OAM keystore files that were generated in Section 17.4, "Creating Access Manager Key Store". Copy the keystore files SHARED_CONFIG_DIR/keystores/ssoKeystore.jks and IAD_ASERVER_HOME/output/webgate-ssl/oamclient-truststore.jks to the directory IGD_MSERVER_HOME/config/fmwconfig on OIMHOST1 and OIMHOST2.

19.13.2 Updating Existing LDAP Users with Required Object Classes

You must update existing LDAP users with the object classes OblixPersonPwdPolicy, OIMPersonPwdPolicy, and OblixOrgPerson.

Note:

This step is not required for a fresh setup where you do not have any existing users.

To update the existing LDAP user, complete the following steps:

  1. On OAMHOST1, create a properties file for the integration called user.props, with the following content:

    IDSTORE_HOST: idstore.example.com
    IDSTORE_PORT: 1389
    IDSTORE_ADMIN_USER: cn=orcladmin
    IDSTORE_DIRECTORYTYPE:OUD, OID
    IDSTORE_USERSEARCHBASE: cn=Users,dc=example,dc=com
    IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com
    PASSWORD_EXPIRY_PERIOD: 7300
    IDSTORE_LOGINATTRIBUTE: uid
    

    In this example:

    • IDSTORE_HOST is the name of LDAP server. For example: idstore.example.com

    • IDSTORE_PORT is the port of the LDAP server.

    • IDSTORE_ADMIN_USER is the bind DN of an administrative user. For example cn=orcladmin or cn=oudadmin

    • IDSTORE_DIRECTORYTYPE is the type of directory. The valid values are OUD and OID.

    • IDSTORE_USERSEARCHBASE is the location of users in the directory. For example cn=Users,dc=example,dc=com

    • IDSTORE_GROUPSEARCHBASE is the location of groups in the directory. For example cn=Groups,dc=example,dc=com

    • IDSTORE_LOGINATTRIBUTE is the directory login attribute name. For example uid

    • PASSWORD_EXPIRY_PERIOD is the password expiry period.

  2. Set the environment variables MW_HOME, JAVA_HOME, and ORACLE_HOME. For example:

    set ORACLE_HOME to IAM_ORACLE_HOME
    
  3. Upgrade the existing LDAP users by running the following command from IAM_ORACLE_HOME/idmtools/bin:

    idmConfigTool.sh -upgradeLDAPUsersForSSO input_file=configfile

    For example:

    idmConfigTool.sh -upgradeLDAPUsersForSSO input_file=user.props

    When prompted, enter the password of the user you are using to connect to your Identity Store.

    Note:

    If the following error is displayed when running the command, ignore the error:
    java.lang.ClassNotFoundException:
    oracle.as.jmx.framework.standardmbeans.spi.JMXFrameworkProviderImpl 
    at java.net.URLClassLoader$1.run(URLClassLoader.java:202)
    
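As an added example that is not part of the Oracle documentation, the following POSIX shell script is a pre-flight check for the user.props file from step 1 before idmConfigTool.sh is run: it reads the "KEY: value" lines, confirms every key from that step is present, that the ports and expiry period are integers, that the bind DN and search bases look like DNs, and that IDSTORE_DIRECTORYTYPE is a single value of OUD or OID rather than the "OUD, OID" placeholder. The function names and the sample files in the demo are assumptions.

```shell
#!/bin/sh
# Added example (not Oracle's code): pre-flight check of the user.props file
# passed to idmConfigTool.sh -upgradeLDAPUsersForSSO. Format: "KEY: value".

# get_prop KEY FILE -> prints the trimmed value of KEY (empty if absent)
get_prop() {
  sed -n "s/^[[:space:]]*$1[[:space:]]*:[[:space:]]*//p" "$2" | head -n 1 \
    | sed 's/[[:space:]]*$//'
}

# check_user_props FILE
# Returns 0 when every key from step 1 is present and well-formed; prints the
# first problem to stderr and returns 1 otherwise. The IDSTORE_DIRECTORYTYPE
# rule catches the "OUD, OID" placeholder when it is left unedited.
check_user_props() {
  cu_f=$1
  for cu_k in IDSTORE_HOST IDSTORE_PORT IDSTORE_ADMIN_USER IDSTORE_DIRECTORYTYPE \
      IDSTORE_USERSEARCHBASE IDSTORE_GROUPSEARCHBASE PASSWORD_EXPIRY_PERIOD \
      IDSTORE_LOGINATTRIBUTE; do
    cu_v=$(get_prop "$cu_k" "$cu_f")
    [ -n "$cu_v" ] || { echo "$cu_k: missing or empty" >&2; return 1; }
    case $cu_k in
      IDSTORE_PORT|PASSWORD_EXPIRY_PERIOD)
        case $cu_v in
          *[!0-9]*) echo "$cu_k: must be an integer, got '$cu_v'" >&2; return 1 ;;
        esac ;;
      IDSTORE_DIRECTORYTYPE)
        case $cu_v in
          OUD|OID) ;;
          *) echo "$cu_k: must be exactly OUD or OID, got '$cu_v'" >&2; return 1 ;;
        esac ;;
      IDSTORE_ADMIN_USER|IDSTORE_USERSEARCHBASE|IDSTORE_GROUPSEARCHBASE)
        case $cu_v in
          *=*) ;;
          *) echo "$cu_k: expected a DN such as cn=...,dc=..., got '$cu_v'" >&2; return 1 ;;
        esac ;;
    esac
  done
  return 0
}

# Stand-alone demo (constructed input): the file from step 1 with the
# directory-type placeholder is rejected; with a single value it is accepted.
if [ "${1:-}" = "demo" ]; then
  demo_f=$(mktemp)
  cat > "$demo_f" <<'EOF'
IDSTORE_HOST: idstore.example.com
IDSTORE_PORT: 1389
IDSTORE_ADMIN_USER: cn=orcladmin
IDSTORE_DIRECTORYTYPE:OUD, OID
IDSTORE_USERSEARCHBASE: cn=Users,dc=example,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com
PASSWORD_EXPIRY_PERIOD: 7300
IDSTORE_LOGINATTRIBUTE: uid
EOF
  check_user_props "$demo_f" || echo "rejected as expected"
  sed -i.bak 's/^IDSTORE_DIRECTORYTYPE:.*/IDSTORE_DIRECTORYTYPE: OUD/' "$demo_f"
  check_user_props "$demo_f" && echo "accepted after fixing IDSTORE_DIRECTORYTYPE"
  rm -f "$demo_f" "$demo_f.bak"
fi
```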

19.13.3 Importing OIM certificates into Mobile Security Suite

Mobile Security Suite must be able to trust Oracle Identity Manager. To achieve this, import the IAMGovernanceDomain certificate into MSAS by performing the following steps.

19.13.3.1 Obtaining JPS Credential Store Password for IAMAccessDomain

To obtain the JPS Credential Store Password for IAMAccessDomain:

  1. Log in to Enterprise Manager Fusion Middleware Control for the IAMAccessDomain using the WebLogic Administrator's account at the following URL:

    http://iadadmin.example.com/em 
    
  2. Navigate to Farm_IAMAccessDomain, WebLogic Domain, and then IAMAccessDomain.

  3. Right-click and select System MBean Browser.

  4. Click the Search button and enter JpsCredentialStore and click Search.

  5. Click on the Operations tab.

  6. Click on getPortableCredential.

  7. Enter the following values:

    P1: oracle.wsm.security

    P2: keystore-csf-key

  8. Click Invoke.

  9. Make a note of the returned Password.

19.13.3.2 Exporting IAMGovernanceDomain Certificate

Export the IAMGovernanceDomain certificate using the following keytool command:

keytool -keystore IGD_ASERVER_HOME/config/fmwconfig/default-keystore.jks -storepass <<PASSWORD>> -exportcert -alias xell -file SHARED_CONFIG_DIR/keystores/xell.crt

where <<PASSWORD>> is the password you supplied when creating the IAMGovernanceDomain.

19.13.3.3 Importing Certificate into IAMAccessDomain

Import the certificate extracted above into the IAMAccessDomain using the following command:

keytool -keystore IAD_ASERVER_HOME/config/fmwconfig/default-keystore.jks -storepass <<PASSWORD>> -importcert -alias xell -file SHARED_CONFIG_DIR/keystores/xell.crt

where <<PASSWORD>> is the password you obtained from Enterprise Manager Fusion Middleware Control above.

19.13.4 Integrating Access Manager and Mobile Security Suite with Oracle Identity Manager 11g

Integrating Oracle Identity Manager with Access Manager using a WebGate 11g profile employs an Access Manager Trusted Authentication Protocol (TAP) scheme. This is different from WebGate 10g which used Network Assertion Protocol (NAP).

To integrate Access Manager with Oracle Identity Manager, perform the following steps on OIMHOST1:

  1. Set the Environment Variables: MW_HOME, JAVA_HOME and ORACLE_HOME. For example:

    set ORACLE_HOME to IGD_ORACLE_HOME
    set MW_HOME to IGD_MW_HOME
    
  2. Create a properties file for the integration called oimitg.props. This file has many of the same values as the file described in "Creating Configuration File". The file should contain the following:

    LOGINURI: /${app.context}/adfAuthentication
    LOGOUTURI: /oamsso/logout.html
    AUTOLOGINURI: None
    ACCESS_SERVER_HOST: OAMHOST1.example.com
    ACCESS_SERVER_PORT: 5575
    ACCESS_GATE_ID: Webgate_IDM
    COOKIE_DOMAIN: .example.com
    COOKIE_EXPIRY_INTERVAL: 120
    IDSTORE_LOGINATTRIBUTE: uid
    OAM_TRANSFER_MODE: simple
    WEBGATE_TYPE: ohsWebgate11g
    SSO_ENABLED_FLAG: true
    IDSTORE_PORT: 1389
    IDSTORE_HOST: idstore.example.com
    IDSTORE_DIRECTORYTYPE: OUD, OID or AD 
    IDSTORE_ADMIN_USER: cn=oamLDAP,cn=systemids,dc=example,dc=com
    IDSTORE_USERSEARCHBASE: cn=Users,dc=example,dc=com
    IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com
    IDSTORE_WLSADMINUSER: weblogic_idm
    MDS_DB_URL: jdbc:oracle:thin:@(DESCRIPTION = (ADDRESS=(PROTOCOL=TCP)(HOST=IGDDBSCAN.example.com)(PORT=1521)) (CONNECT_DATA=(SERVICE_NAME=oimedg.example.com)))
    MDS_DB_SCHEMA_USERNAME: edgigd_mds
    WLSHOST: igdadminvhn.example.com
    WLSPORT: 7101
    WLSADMIN: weblogic
    WLSPASSWD: password
    OAM11G_WLS_ADMIN_HOST: IADADMINVHN.example.com
    OAM11G_WLS_ADMIN_PORT: 7001
    OAM11G_WLS_ADMIN_USER: weblogic
    DOMAIN_NAME: IAMGovernanceDomain
    OIM_MANAGED_SERVER_NAME: WLS_OIM1
    DOMAIN_LOCATION: IGD_ASERVER_HOME
    OIM_MSM_REST_SERVER_URL: http://iadinternal.example.com:7777/
    

    Property Descriptions:

    • LOGINURI: This is required by Oracle Platform Security Services (OPSS) and should always be set to /${app.context}/adfAuthentication

    • LOGOUTURI: This is required by Oracle Platform Security Services (OPSS) and should always be set to /oamsso/logout.html

    • AUTOLOGINURI: This is required by Oracle Platform Security Services (OPSS) and should always be set to None

    • ACCESS_SERVER_HOST: This is the name of one of the Access Server hosts. If you have placed a load balancer in front of Oracle Access Manager Managed Servers, then specify the load balancer name for this property here. For example, OAMHOST1.example.com

    • ACCESS_SERVER_PORT: This is the OAM Proxy Port (OAM_PROXY_PORT). For example, 5575

    • ACCESS_GATE_ID: This is the name of the Agent that gets created in Oracle Access Manager. This can be any value. For example, Webgate_IDM

    • COOKIE_DOMAIN: This is the Oracle Access Manager cookie domain and should be preceded by a period (.). For example, .example.com

    • COOKIE_EXPIRY_INTERVAL: This is the number of seconds before a cookie expires and the user is forced to log in again. The default value is 120. If you wish the cookie to never expire, set this value to -1.

    • IDSTORE_LOGINATTRIBUTE: This is the LDAP attribute which is used to validate login. This is typically the uid.

    • OAM_TRANSFER_MODE: This is the security mode that Oracle Access Manager is configured to work with. This is usually Simple. It should be the same value you placed into the Oracle Access Manager property file.

    • WEBGATE_TYPE: This is the type of WebGate agent you wish to create. Valid values are ohsWebgate10g or ohsWebgate11g.

      For Oracle Identity and Access Management 11.1.2.3.0, this is usually ohsWebgate11g. Note that, if you are using Oracle Traffic Director instead of Oracle HTTP Server, then it should still be ohsWebgate11g.

    • SSO_ENABLED_FLAG: This value should be set to true.

    • IDSTORE_PORT: This is the port on your load balancer where you are accepting LDAP requests. For example, 3060 or 1389

    • IDSTORE_HOST: This is the load balancer name fronting your LDAP directory

    • IDSTORE_DIRECTORYTYPE: Set this property to OID if your Identity Store is in Oracle Internet Directory, OUD if you are connecting to Oracle Unified Directory, or AD if your identity Store is in Active Directory.

    • IDSTORE_ADMIN_USER: This is the admin user of the ID store.

    • IDSTORE_USERSEARCHBASE: This is the location in the directory where Users are Stored.

    • IDSTORE_GROUPSEARCHBASE: This is the location in the directory where Groups are Stored.

    • IDSTORE_WLSADMINUSER: This is the value you used when you prepared the identity store. For example weblogic_idm.

    • MDS_DB_URL: Set this to the OIM database jdbc connection details. For example:

      jdbc:oracle:thin:@(DESCRIPTION = (ADDRESS=(PROTOCOL=TCP)(HOST=IGDDBSCAN.example.com)(PORT=1521)) (CONNECT_DATA=(SERVICE_NAME=oimedg.example.com)))

    • MDS_DB_SCHEMA_USERNAME: This is the username of the MDS schema.

    • WLSHOST: This is the Admin Server listen address. For OAM configuration this is the host associated with the IAMAccessDomain. For OAM/OIM integration this is the host associated with the IAMGovernanceDomain.

    • WLSPORT: This is the Admin Server listen port. For OAM configuration this is the port associated with the IAMAccessDomain. For OAM/OIM integration this is the port associated with the IAMGovernanceDomain.

    • WLSADMIN: This is the user used to connect to the Admin Server.

    • WLSPASSWD: This is the password of the WLSADMIN account.

    • OAM11G_WLS_ADMIN_HOST: This is the IAMAccessDomain Admin Server listen address.

    • OAM11G_WLS_ADMIN_PORT: This is the IAMAccessDomain Admin Server listen port.

    • OAM11G_WLS_ADMIN_USER: This is the IAMAccessDomain Administration User

    • DOMAIN_NAME: This is the domain name. For example, IAMGovernanceDomain

    • OIM_MANAGED_SERVER_NAME: This is the name of the Oracle Identity Manager Managed Server. For example, wls_oim1

    • DOMAIN_LOCATION: This is the domain location. For example, IGD_ASERVER_HOME

    • OIM_MSM_REST_SERVER_URL: This is the URL that the MSAS proxy server uses to invoke the MSM REST services. This is the entry point for Identity Access Domain callbacks. For example, http://iadinternal.example.com:7777/

    • SPLIT_DOMAIN: This is used when OAM and OIM are in different domains. This should always be set to true.

  3. Integrate Access Manager with Oracle Identity Manager by running the following command from the location IGD_ORACLE_HOME/idmtools/bin:

    idmConfigTool.sh -configOIM input_file=configfile

    For example:

    idmConfigTool.sh -configOIM input_file=oimitg.props

    When prompted, enter the following information:

    • Password of the admin user of the IAMAccessDomain

    • SSO Access Gate Password

    • SSO Keystore Password

    • Global Passphrase

    • Idstore Admin Password

    • MDS Database schema password

    • OAM 11g Domain User Password

      This is the password of the weblogic_idm user.

  4. Restart the IAMGovernanceDomain Administration Server, and the Managed Servers - WLS_SOA1, WLS_SOA2, WLS_OIM1, and WLS_OIM2.
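Before handing the property file to idmConfigTool, it is worth linting it against the rules listed in the property descriptions above, because the tool writes the WebGate agent and cookie settings straight into the domain. The following Python check is an added example and not part of the Oracle documentation; the sample file content is constructed from the values above with three deliberate mistakes.

```python
"""Pre-flight lint for an idmConfigTool -configOIM property file (added
example, not Oracle's tool). It encodes the rules from the property
descriptions above: fixed OPSS URIs, a cookie domain that starts with a
period, the allowed WebGate and directory types, numeric ports and a JDBC
thin connect string."""
import re

FIXED = {"LOGINURI": "/${app.context}/adfAuthentication",
         "LOGOUTURI": "/oamsso/logout.html", "AUTOLOGINURI": "None",
         "SSO_ENABLED_FLAG": "true", "SPLIT_DOMAIN": "true"}
CHOICES = {"WEBGATE_TYPE": {"ohsWebgate10g", "ohsWebgate11g"},
           "IDSTORE_DIRECTORYTYPE": {"OID", "OUD", "AD"}}
PORTS = ("ACCESS_SERVER_PORT", "IDSTORE_PORT", "WLSPORT", "OAM11G_WLS_ADMIN_PORT")


def parse_props(text):
    """Parse 'KEY: value' lines, splitting on the first colon only because
    MDS_DB_URL itself contains colons; blank lines and '#' comments are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and ":" in line:
            key, value = line.split(":", 1)
            props[key.strip()] = value.strip()
    return props


def lint_config_oim(text):
    """Return (errors, warnings). Empty errors means the file is consistent
    with the documented rules; warnings flag things to clean up afterwards."""
    p = parse_props(text)
    errors, warnings = [], []
    errors += [f"{k}: must be {v!r}, got {p[k]!r}" for k, v in FIXED.items()
               if k in p and p[k] != v]
    errors += [f"{k}: {p[k]!r} not one of {sorted(v)}" for k, v in CHOICES.items()
               if k in p and p[k] not in v]
    errors += [f"{k}: {p[k]!r} is not a valid TCP port" for k in PORTS
               if k in p and not (p[k].isdigit() and 0 < int(p[k]) < 65536)]
    if "COOKIE_DOMAIN" in p and not p["COOKIE_DOMAIN"].startswith("."):
        errors.append("COOKIE_DOMAIN: must start with a period, e.g. .example.com")
    if "COOKIE_EXPIRY_INTERVAL" in p and not re.fullmatch(r"-1|[1-9]\d*", p["COOKIE_EXPIRY_INTERVAL"]):
        errors.append("COOKIE_EXPIRY_INTERVAL: must be a positive number of seconds or -1")
    if "MDS_DB_URL" in p and not p["MDS_DB_URL"].startswith("jdbc:oracle:thin:@"):
        errors.append("MDS_DB_URL: expected a jdbc:oracle:thin:@ connect string")
    if "OIM_MSM_REST_SERVER_URL" in p and not re.match(r"https?://", p["OIM_MSM_REST_SERVER_URL"]):
        errors.append("OIM_MSM_REST_SERVER_URL: must include the http:// or https:// scheme")
    if "WLSPASSWD" in p:  # the file carries a plaintext domain password
        warnings.append("WLSPASSWD: plaintext password on disk; restrict file "
                        "permissions and remove the file once idmConfigTool has run")
    return errors, warnings


# Constructed sample: values from the property file above, with three deliberate
# mistakes (no leading period in the cookie domain, unsupported WebGate type,
# AUTOLOGINURI changed from None) so the lint has something to report.
SAMPLE_PROPS = """\
LOGINURI: /${app.context}/adfAuthentication
LOGOUTURI: /oamsso/logout.html
AUTOLOGINURI: /oamsso/autologin
ACCESS_SERVER_HOST: IADADMINVHN.example.com
ACCESS_SERVER_PORT: 5575
COOKIE_DOMAIN: example.com
COOKIE_EXPIRY_INTERVAL: 120
WEBGATE_TYPE: ohsWebgate12c
SSO_ENABLED_FLAG: true
IDSTORE_PORT: 1389
IDSTORE_DIRECTORYTYPE: OUD
MDS_DB_URL: jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=IGDDBSCAN.example.com)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=oimedg.example.com)))
WLSHOST: igdadminvhn.example.com
WLSPORT: 7101
WLSADMIN: weblogic
WLSPASSWD: password
OAM11G_WLS_ADMIN_PORT: 7001
OIM_MSM_REST_SERVER_URL: http://iadinternal.example.com:7777/
SPLIT_DOMAIN: true
"""
```

Running `lint_config_oim(SAMPLE_PROPS)` reports the three seeded errors plus the plaintext-password warning; once the three lines are corrected the error list is empty.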

19.13.5 Creating OMSS Helpdesk User and Roles

Once you have integrated OAM and OIM, create a user for Oracle Mobile Security Suite.

To create a user:

  1. Log in to the OIM Self Service Console as the user xelsysadm, using the following URL:

    https://prov.example.com/identity

  2. Click the Manage button on the top of the screen.

  3. Click Users from the Launch Pad, and click Create.

  4. Complete the information on the screen to create a user to be used for the OMSS helpdesk, and click Submit.

  5. Go to the Home tab.

  6. From the Launch Pad click Administration Roles, and click Create.

  7. Enter the following Information into the Basic Information Screen:

    • Name: helpdesk

    • Display Name: helpdesk

    Click Next.

  8. On the Capabilities screen, click Add Capabilities.

  9. Enter User - View in the Display Name field and click Search.

  10. Select User - View / Search from the search results and click Add Selected.

  11. Repeat steps 9 and 10 to add the capability Role - View / Search.

  12. Click Select, and then click Next.

  13. On the Members screen, click Assign Users.

  14. Enter the name of your helpdesk user in the Search box and click Search.

  15. Select the helpdesk user from the search results, click Add Selected, click Select, and then click Next.

  16. On the Scope of Control screen click Add Organizations.

  17. Enter an Organization in the Search box and click Search.

  18. Select the required organization, click Add Selected, click Select, and then click Next.

  19. On the Organizations screen click Next.

  20. On the Summary screen click Finish.

19.13.6 Managing the Password of the xelsysadm User

After you integrate Oracle Identity Manager with Access Manager, two xelsysadm accounts exist. One is the internal account created by Oracle Identity Manager. The other is the account you created in the Identity Store.

The xelsysadm account located in the LDAP store is the one used to access the OIM console. If you want to change the password of this account, change it in LDAP. You can use Oracle Directory Service Manager (ODSM) to do this. Do not change it through the OIM console.

19.13.7 Validating Integration

To validate integration, you must assign Identity Management administrators to WebLogic security groups and install WebGate as described in Chapter 22, "Configuring Single Sign-On".

To validate that the wiring of Access Manager with Oracle Identity Manager 11g was successful, attempt to log in to the Oracle Identity Manager Self Service Console by doing the following:

  1. Using a browser, navigate to the following URL:

    https://prov.example.com/identity

    This redirects you to the Oracle Access Manager 11g single sign-on page.

  2. Log in using the xelsysadm user account created in Chapter 13, "Preparing The Identity Store".

  3. If you see the OIM Self Service Console Page, the integration was successful.

19.14 Enabling OIM to Connect to SOA Using LDAP User

Oracle Identity Manager connects to SOA as SOA administrator, with the username weblogic by default. As mentioned in the previous sections, a new administrator user is provisioned in the central LDAP store to manage Identity Management Weblogic Domain.

Perform the following post installation steps to enable Oracle Identity Manager to work with the Oracle WebLogic Server administrator user provisioned in the central LDAP store. This enables Oracle Identity Manager to connect to SOA:

Note:

For the SOAConfig MBean to be visible, at least one OIM Managed Server must be running.

  1. Log in to Enterprise Manager Fusion Middleware Control of the IAMGovernanceDomain as the weblogic user.

  2. Select Farm_IAMGovernanceDomain, WebLogic Domain, and then IAMGovernanceDomain.

  3. Select System MBean Browser from the WebLogic Domain menu, or right-click IAMGovernanceDomain and select it from the context menu.

  4. Select Search, enter SOAConfig, then click Search.

  5. Change the username attribute to the Oracle WebLogic Server administrator username provisioned in Preparing the Identity Store. For example:

    weblogic_idm
    

    Click Apply.

  6. Select Weblogic Domain, and then IAMGovernanceDomain.

  7. Select Security and then Credentials from the drop-down menu.

  8. Expand the key oim.

  9. Click SOAAdminPassword and click Edit.

  10. Change the username to weblogic_idm, set the password to that account's password, and click OK.

  11. From the navigator, click Farm_IAMGovernanceDomain and then click WebLogic Domain. Right-click on IAMGovernanceDomain, and select Application Roles from the Security menu.

  12. Set the application stripe to soa-infra by selecting from the drop-down list. Click Search.

  13. Click SOAAdmin. Ensure that you see Administrators in the membership box.

  14. Click Edit. The Edit page is displayed.

  15. Click Add in the Members box. The Add principal search box is displayed.

    Enter the following:

    • Type: Group

    • Principal Name: starts with: IDM

    Click Search.

  16. Select IDM Administrators from the results box and click OK.

    You will be redirected to the Edit screen. Ensure that the members are Administrators and IDM Administrators.

    Click OK.

  17. Run the reconciliation process to enable the Oracle WebLogic Server administrator, weblogic_idm, to be visible in the OIM Identity Console. Follow these steps:

    1. Log in to the OIM System Administration Console as the user xelsysadm.

    2. Click Scheduler under System Configuration.

    3. Enter LDAP* in the search box.

    4. Click the arrow for the Search Scheduled Jobs to list all the schedulers.

    5. Select LDAP User Create and Update Full Reconciliation.

    6. Click Run Now to run the job.

    7. Repeat for the job LDAP Role Create and Update Full Reconciliation.

    8. Log in to the OIM Identity Console and verify that the user weblogic_idm is visible.

  18. Log in to the OIM Self Service Console as the user xelsysadm.

    If prompted, set up challenge questions. This happens on your first login to Oracle Identity Manager Identity Console.

  19. Click the Roles tab under the Manage tab.

  20. Search for the Administrators role.

    Enter Administrators into the Display Name search box and click Search.

  21. Click the Administrators Role.

    That Role's Properties page appears.

  22. Click the Organizations tab.

  23. Click Add. Search for and select the organization to which xelsysadm belongs, for example, Xellerate Users.

  24. Click Add Selected. Click Select.

  25. Click the Members tab and click Add.

  26. Search for the user weblogic_idm. Select the weblogic_idm user.

  27. Click Add Selected.

  28. Click Select, and then Apply.

19.15 Updating OIM LDAP Reconciliation Jobs

To update the OIM LDAP reconciliation jobs, complete the following steps:

  1. Open a browser and go to the following location:

    http://igdadmin.example.com/sysadmin
    
  2. Log in as xelsysadm using the COMMON_IDM_PASSWORD.

  3. Under System Management, click Scheduler.

  4. Under Search Scheduled Jobs, enter LDAP * (there is a space before *) and hit Enter.

  5. For each job in the search results, click on the job name on the left, then click Disable on the right.

    Do this for all jobs. If the job is already disabled do nothing.

  6. Run the following commands on LDAPHOST1:

    cd LDAP_ORACLE_INSTANCE/OUD/bin
    ./ldapsearch -h ldaphost1 -p 1389 -D "cn=oudadmin" -b "" -s base "objectclass=*" lastExternalChangelogCookie

    Password for user 'cn=oudadmin': <OudAdminPwd>
    dn:
    lastExternalChangelogCookie: dc=example,dc=com:00000140c682473c263600000862;
    

    Copy the output string that follows lastExternalChangelogCookie:. This value is required in the next step. For example,

    dc=example,dc=com:00000140c682473c263600000862;
    

    The hex portion must be 28 characters long. If the value contains more than one hex portion, separate the 28-character portions with spaces. For example:

    dc=example,dc=com:00000140c4ceb0c07a8d00000043 00000140c52bd0b9104200000042 00000140c52bd0ba17b9000002ac 00000140c3b290b076040000012c;
    
  7. Run each of the following LDAP reconciliation jobs once to reset the last change number:

    • LDAP Role Delete Reconciliation

    • LDAP User Delete Reconciliation

    • LDAP Role Create and Update Reconciliation

    • LDAP User Create and Update Reconciliation

    • LDAP Role Hierarchy Reconciliation

    • LDAP Role Membership Reconciliation

    To run the jobs:

    1. Log in to the OIM System Administration Console as the user xelsysadm.

    2. Under System Configuration, click Scheduler.

    3. Under Search Scheduled Jobs, enter LDAP * (there is a space before *) and hit Enter.

    4. Click on the job to be run.

    5. Set the parameter Last Change Number to the value obtained in step 6.

      For example:

      dc=example,dc=com:00000140c4ceb0c07a8d00000043 00000140c52bd0b9104200000042 00000140c52bd0ba17b9000002ac 00000140c3b290b076040000012c;
      
    6. Click Run Now.

    7. Repeat for each of the jobs in the list at the beginning of this step.

  8. For each incremental recon job whose last changelog number has been reset, execute the job and check that the job now completes successfully.

  9. After the job runs successfully, re-enable periodic running of the jobs according to your requirements.
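The cookie handling in step 6 is easy to get wrong by hand (a dropped digit or a missing space silently leaves the job reading from the wrong change number). The following Python helper is an added example, not part of the Oracle procedure: it pulls the cookie out of the ldapsearch output and rewrites it with the hex portions split into 28-character chunks, refusing anything that is not whole 28-character hex. The sample output is constructed from the values shown above.

```python
"""Added example for step 6 above (not part of the Oracle procedure): extract
the lastExternalChangelogCookie from the OUD root-DSE search output and
normalise it into the 'suffix:hex hex ...;' form the OIM reconciliation jobs
expect, validating that every hex portion is exactly 28 characters."""
import re

HEX_LEN = 28  # the procedure states each hex portion must be 28 characters long


def extract_cookie(ldapsearch_output):
    """Return the value following 'lastExternalChangelogCookie:' in the
    ldapsearch output, or None if the attribute is not present."""
    m = re.search(r"lastExternalChangelogCookie:[ \t]*(.+)", ldapsearch_output)
    return m.group(1).strip() if m else None


def format_cookie(cookie):
    """Rewrite 'suffix:hex[hex...];' as 'suffix:hex hex ...;'.

    Hex portions may already be space-separated or run together. A cookie
    with several ';'-separated suffix segments is handled segment by segment.
    ValueError is raised for non-hex characters or a hex length that is not
    a multiple of 28, which catches a truncated copy-paste before it is set
    as the job's Last Change Number."""
    out = []
    for seg in cookie.strip().split(";"):
        seg = seg.strip()
        if not seg:
            continue
        suffix, sep, hexpart = seg.rpartition(":")
        if not sep or not suffix:
            raise ValueError(f"segment {seg!r} has no 'suffix:' prefix")
        digits = hexpart.replace(" ", "")
        if not re.fullmatch(r"[0-9a-fA-F]+", digits):
            raise ValueError(f"non-hex characters in change number {hexpart!r}")
        if len(digits) % HEX_LEN:
            raise ValueError(f"hex length {len(digits)} is not a multiple of {HEX_LEN}")
        chunks = [digits[i:i + HEX_LEN] for i in range(0, len(digits), HEX_LEN)]
        out.append(f"{suffix}:{' '.join(chunks)}")
    if not out:
        raise ValueError("empty cookie")
    return ";".join(out) + ";"


# Constructed sample: root-DSE output whose cookie carries two change numbers
# run together, as OUD returns them before the spaces are added by hand.
SAMPLE_OUTPUT = """\
Password for user 'cn=oudadmin':
dn:
lastExternalChangelogCookie: dc=example,dc=com:00000140c4ceb0c07a8d0000004300000140c52bd0b9104200000042;
"""

if __name__ == "__main__":
    print(format_cookie(extract_cookie(SAMPLE_OUTPUT)))
```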

19.16 Updating the Username Generation Policy for Active Directory

If your back-end directory is Active Directory, you must update Oracle Identity Manager so that it only allows user names with a maximum of 20 characters. This is a limitation of Active Directory. Update the username generation policy from DefaultComboPolicy to FirstNameLastNamePolicyForAD by doing the following:

  1. Log in to the OIM Administration Console.

  2. Go to System Configuration tab, and click Configuration Properties.

  3. In the Search box, enter Default Policy for Username Generation and click Search.

  4. Click Default Policy for Username Generation.

  5. In the Value field, update the entry:

    from

    oracle.iam.identity.usermgmt.impl.plugins.DefaultComboPolicy

    to

    oracle.iam.identity.usermgmt.impl.plugins.FirstNameLastNamePolicyForAD

  6. Click Save.

19.17 Excluding Users from Oracle Identity Manager Reconciliation

By default Oracle Identity Management reconciles all users that are located in the LDAP container cn=Users. Once reconciled, these users are subject to the usual password ageing policies defined in Oracle Identity Manager. This is not desirable for system accounts. It is recommended that you exclude the following accounts from this reconciliation:

  • xelsysadm

  • oimLDAP

  • oamLDAP

Additionally, you might want to exclude:

  • IDRUser

  • IDRWUser

  • PolicyROUser

  • PolicyRWUser

To exclude these users from reconciliation, add the orclAppIDUser object class to each of the above users. Any reconciliation events that have already failed for these accounts can then be closed as described below.

Closing Failed Reconciliation Events by Using the OIM Console

  1. Log in to the OIM Administration Console as the xelsysadm user.

  2. Click Reconciliation under Provisioning Configuration.

  3. Click Advanced Search.

  4. In the Current Status field, select Equals. In the Search box, select Creation Failed from the list, and click Search.

  5. Select each of the events.

  6. From the Actions menu, select Close Event.

  7. In the Confirmation window enter a justification, such as Close Failed Reconciliation Events and click Closed.

  8. Click OK to acknowledge the confirmation message.

19.18 Closing Failed Reconciliation Events Using OIM Console

Complete the following steps to close the failed reconciliation events:

  1. Log in to the OIM Administration Console as the xelsysadm user.

  2. Click Reconciliation under Provisioning Configuration.

  3. Click Advanced Search.

  4. In the Current Status field, select Equals. In the Search box, select Creation Failed from the list.

  5. Click Search.

  6. For each of the events, select Close Event from the Actions menu.

  7. In the Confirmation window, enter a justification. For example, Close Failed Reconciliation Events.

  8. Click Closed.

  9. Click OK to acknowledge the confirmation message.

19.19 Using JDBC Persistent Stores for TLOGs and JMS

For information about when to use JDBC persistent stores for transaction logs (TLOGs) and JMS, and for instructions on how to configure the persistent stores for TLOGS and JMS for Oracle Identity Manager Managed Servers, see Section 15.4.10, "Using JDBC Persistent Stores for TLOGs and JMS in an Enterprise Deployment".

19.20 Enabling Exalogic Optimizations

This section describes post-deployment steps for Exalogic implementations.

This section includes the following topics:

19.20.1 Configuring Oracle Identity Manager Servers to Listen on EoIB

This section is only required if the Oracle Identity Manager servers need to be accessed directly from outside the Exalogic machine. This is the case when external Oracle HTTP Servers are part of the configuration.

Create a new network channel as follows:

  1. Log in to the WebLogic Console in the IAMGovernanceDomain.

  2. Click Lock & Edit.

  3. Navigate to Environment -> Servers to open the Summary of Servers page.

  4. In the Servers table, click WLS_OIM1.

  5. Select Protocols and then Channels.

  6. Click New to create a new channel.

  7. Enter OIMHOST1VHN-EXTCHAN as the name. Select HTTP as the protocol and click Next.

  8. In the Network Channel Addressing page, enter the following information:

    • Listen Address: OIMHOST1VHN-EXT

      This is the bond1 address assigned to OIMHOST1VHN-EXT

    • Listen Port: 8001

  9. Click Next and select the following in the Network Channel Properties page:

    • Enabled

    • HTTP Enabled for this protocol

  10. Click Finish.

  11. Click Activate Changes.

Repeat the preceding steps, substituting WLS_OIM2 and OIMHOST2VHN-EXT for the Server and Listen Address.

19.20.2 Enabling Cluster-Level Session Replication Enhancements for Oracle Identity Manager and SOA

You can enable session replication enhancements for Managed Servers in a WebLogic cluster to which you deploy a Web application at a later time.

To enable session replication enhancements for oim_cluster in the domain IAMGovernanceDomain, use the values in Table 19-2.

Table 19-2 Network Channel Properties

Managed Server   Name                 Protocol   Listen Address              Listen Port   Additional Channel Ports
WLS_OIM1         ReplicationChannel   t3         OIMHOST1VHN1.example.com    7005          7006 to 7014
WLS_OIM2         ReplicationChannel   t3         OIMHOST2VHN1.example.com    7005          7006 to 7014
WLS_SOA1         ReplicationChannel   t3         OIMHOST1VHN2.example.com    7005          7006 to 7014
WLS_SOA2         ReplicationChannel   t3         OIMHOST2VHN2.example.com    7005          7006 to 7014


Proceed as follows:

  1. Log in to the WebLogic Administration console at: http://IGDADMIN.example.com/console

  2. Ensure that Managed Servers in the oim_cluster cluster are up and running, as described in Section 31.1, "Starting and Stopping Enterprise Deployment Components."

  3. To set replication ports for a Managed Server, use the values in Table 19-2.

    To set the values for WLS_OIM1, for example, complete the following steps:

    1. Under Domain Structure, click Environment and Servers. The Summary of Servers page is displayed.

    2. Click Lock & Edit.

    3. Click WLS_OIM1 on the list of servers. The Settings for WLS_OIM1 are displayed.

    4. Click the Cluster tab.

    5. In the Replication Ports field, enter a range of ports for configuring multiple replication channels. For example, replication channels for Managed Servers in oim_cluster can listen on ports starting from 7005 to 7015. To specify this range of ports, enter 7005-7015.

    6. Repeat steps 1 through 5 for each of the other Managed Servers in Table 19-2.

  4. The following steps show how to create a network channel for the managed server WLS_OIM1.

    1. Log in to the Oracle WebLogic Server Administration Console.

    2. If you have not already done so, click Lock & Edit in the Change Center.

    3. In the left pane of the Console, expand Environment and select Servers.

      The Summary of Servers page is displayed.

    4. In the Servers table, click WLS_OIM1 Managed Server instance.

    5. Select Protocols, and then Channels.

    6. Click New.

    7. Enter ReplicationChannel as the name of the new network channel and select t3 as the protocol, then click Next.

    8. Enter the following information:

      Listen address: OIMHOST1VHN1

      Note:

      This is the WLS_OIM1 floating IP assigned to WebLogic Server.

      Listen port: 7005

    9. Click Next, and in the Network Channel Properties page, select Enabled and Outbound Enabled.

    10. Click Finish.

    11. Click Save.

    12. Under the Network Channels table, select ReplicationChannel, the network channel you created for the WLS_OIM1 Managed Server.

      Expand Advanced, select Enable SDP Protocol, and click Save.

    13. To activate these changes, in the Change Center of the Administration Console, click Activate Changes.

    You must repeat the above steps to create a network channel each for the remaining Managed Servers in the cluster. Enter the required properties, as described in Table 19-2.

  5. After creating the network channel for each of the Managed Servers in your cluster, click Environment > Clusters. The Summary of Clusters page is displayed.

  6. Click oim_cluster. The Settings for oim_cluster page is displayed.

  7. Click the Replication tab.

  8. In the Replication Channel field, ensure that ReplicationChannel is set as the name of the channel to be used for replication traffic.

  9. In the Advanced section, select the Enable One Way RMI for Replication option.

  10. Click Save.

  11. Repeat these steps for the SOA cluster and BI cluster.

  12. To activate these changes, in the Change Center of the Administration Console, click Activate Changes.

  13. Manually add the system property -Djava.net.preferIPv4Stack=true to the startWebLogic.sh script, which is located in the bin directory of IGD_ASERVER_HOME, using a text editor as follows:

    1. Locate the following line in the startWebLogic.sh script:

      . ${DOMAIN_HOME}/bin/setDomainEnv.sh $*

    2. Add the following property immediately after the above entry:

      JAVA_OPTIONS="${JAVA_OPTIONS} -Djava.net.preferIPv4Stack=true"

    3. Save the file and close.

  14. Restart the Administration Server of the IAMGovernanceDomain and the Managed Servers - WLS_OIM1, WLS_OIM2, WLS_SOA1, WLS_SOA2.

19.21 Forcing OIM to use Correct Multicast Address

Oracle Identity Manager uses multicast for certain functions. By default, the Managed Servers communicate using the multicast address assigned to the primary host name. If you want multicast to use a different network, for example the internal network, you must complete the following additional steps:

  1. Log in to the WebLogic Administration console using the following URL:

    http://IGDADMIN.example.com/console

  2. Under Domain Structure, click Environment and then expand Servers. The Summary of Servers page is displayed.

  3. Click Lock & Edit.

  4. Click the OIM Managed Server name, for example, WLS_OIM1 on the list of servers. The Settings for WLS_OIM1 are displayed.

  5. Go to the Server Start tab.

  6. Add the following line to the arguments field:

    -Dmulticast.bind.address=oimhost1vhn1

  7. Click Save.

  8. Repeat for the Managed Server WLS_OIM2. When doing so, make sure you add the following line to the arguments field:

    -Dmulticast.bind.address=oimhost2vhn1

  9. Click Activate Changes and restart the managed servers WLS_OIM1 and WLS_OIM2.

19.22 Backing Up the Application Tier Configuration

It is an Oracle best practices recommendation to create a backup after successfully completing the installation and configuration of each tier, or at another logical point. Create a backup after verifying that the installation so far is successful. This is a quick backup for the express purpose of immediate restoration in case of problems in later steps. The backup destination is the local disk. You can discard this backup when the enterprise deployment setup is complete. After the enterprise deployment setup is complete, you can initiate the regular deployment-specific Backup and Recovery process.

For information on database backups, refer to your database documentation.

To back up the installation to this point, back up the following:

  • The Web tier

  • The Access Manager database

  • The Administration Server domain directory

  • The Managed Server domain directory

  • The LDAP Directory

  • The Keystores created