4 Installing and Configuring the Oracle Identity Governance Software

Follow the steps in this section to install and configure the Oracle Identity Governance software.

Note:

The product is referred to as Oracle Identity Manager (OIM) and Oracle Identity Governance (OIG) interchangeably in this guide.

Installing the Oracle Identity Governance Software

Follow the steps in this section to install the Oracle Identity Governance software.

Before beginning the installation, ensure that you have verified the prerequisites and completed all steps covered in Preparing to Install and Configure.

Oracle Identity Governance 12c (12.2.1.4.0) can be installed by using any of the following methods:
  • Method 1: Simplified Method
  • Method 2: Traditional Method

For information about supported installation methods, see About Supported Installation Methods.

Verifying the Installation and Configuration Checklist

The installation and configuration process requires specific information.

Table 4-1 lists important items that you must know before, or decide during, Oracle Identity Governance installation and configuration.

Table 4-1 Installation and Configuration Checklist

| Information | Example Value | Description |
| --- | --- | --- |
| JAVA_HOME | /home/Oracle/Java/jdk1.8.0_211 | Environment variable that points to the Java JDK home directory. |
| Database host | examplehost.exampledomain | Name and domain of the host where the database is running. |
| Database port | 1521 | Port number that the database listens on. The default Oracle database listen port is 1521. |
| Database service name | orcl.exampledomain | Oracle databases require a unique service name. The default service name is orcl. |
| DBA username | SYS | Name of user with database administration privileges. The default DBA user on Oracle databases is SYS. |
| DBA password | myDBApw957 | Password of the user with database administration privileges. |
| ORACLE_HOME | /home/Oracle/product/ORACLE_HOME | Directory in which you will install your software. This directory will include Oracle Fusion Middleware Infrastructure, Oracle SOA Suite, and Oracle Identity Governance, as needed. |
| WebLogic Server hostname | examplehost.exampledomain | Host name for Oracle WebLogic Server and Oracle Identity Governance consoles. |
| Console port | 7001 | Port for Oracle WebLogic Server and Oracle Identity Governance consoles. |
| DOMAIN_HOME | /home/Oracle/config/domains/idm_domain | Location in which your domain data is stored. |
| APPLICATION_HOME | /home/Oracle/config/applications/idm_domain | Location in which your application data is stored. |
| Administrator user name for your WebLogic domain | weblogic | Name of the user with Oracle WebLogic Server administration privileges. The default administrator user is weblogic. |
| Administrator user password | myADMpw902 | Password of the user with Oracle WebLogic Server administration privileges. |
| RCU | ORACLE_HOME/oracle_common/bin | Path to the Repository Creation Utility (RCU). |
| RCU schema prefix | oim | Prefix for names of database schemas used by Oracle Identity Governance. |
| RCU schema password | myRCUpw674 | Password for the database schemas used by Oracle Identity Governance. |
| Configuration utility | ORACLE_HOME/oracle_common/common/bin | Path to the Configuration Wizard for domain creation and configuration. |

Verifying the Memory Settings

To avoid memory issues with Oracle Identity Manager, ensure that the memory settings meet the requirements.

On Linux, do the following:
  1. Ensure that you set the following parameters in the /etc/security/limits.conf file, to the specified values:
    • FUSION_USER_ACCOUNT soft nofile 32767
    • FUSION_USER_ACCOUNT hard nofile 327679
  2. Ensure that you set UsePAM to Yes in the /etc/ssh/sshd_config file.
  3. Restart sshd.
  4. Log out (or reboot) and log in to the system again.

Note:

Before you start the Oracle Identity Governance 12c (12.2.1.4.0) Server, post configuration, run the following command to increase the limit of open files, so that you do not run into memory issues:

limit maxproc 16384
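
The Linux settings from steps 1 and 2 above can be audited before the servers are started. The following script is an added example, not part of the Oracle guide; the user name oracle stands in for FUSION_USER_ACCOUNT, and the sample files it writes are constructed.

```shell
#!/bin/sh
# Added example: audits the two Linux settings from "Verifying the Memory Settings".
# File paths are arguments so the checks can be run against copies of the real files.

# check_nofile USER LIMITS_FILE
# Succeeds only if LIMITS_FILE sets "USER soft nofile 32767" and
# "USER hard nofile 327679". This check takes the last uncommented matching
# line; drop-in files under /etc/security/limits.d can also set these values
# and are not read here.
check_nofile() {
    user=$1 file=$2 rc=0
    for pair in soft:32767 hard:327679; do
        kind=${pair%%:*}
        want=${pair##*:}
        got=$(awk -v u="$user" -v k="$kind" '
            $1 == u && $2 == k && $3 == "nofile" { v = $4 }
            END { print v }' "$file")
        if [ "$got" != "$want" ]; then
            echo "FAIL: $user $kind nofile is '${got:-unset}', expected $want" >&2
            rc=1
        fi
    done
    return $rc
}

# check_usepam SSHD_CONFIG
# sshd uses the first value it finds for a keyword, so only the first
# uncommented UsePAM line counts. The value is compared case-insensitively
# because the guide writes it as "Yes".
check_usepam() {
    val=$(awk 'tolower($1) == "usepam" { print tolower($2); exit }' "$1")
    if [ "$val" != "yes" ]; then
        echo "FAIL: UsePAM is '${val:-unset}' in $1, expected yes" >&2
        return 1
    fi
}

# write_samples DIR
# Writes constructed sample files (not taken from a real host) into DIR.
write_samples() {
    printf '%s\n' '# constructed sample' \
        'oracle soft nofile 32767' 'oracle hard nofile 327679' > "$1/limits.good"
    printf '%s\n' 'oracle soft nofile 4096' \
        '#oracle hard nofile 327679' > "$1/limits.bad"
    printf '%s\n' '#UsePAM no' 'UsePAM yes' > "$1/sshd.good"
    printf '%s\n' 'PasswordAuthentication no' 'UsePAM no' > "$1/sshd.bad"
}

# Demonstration on the constructed samples.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
check_nofile oracle "$demo_dir/limits.good" && echo "limits.good: ok"
check_nofile oracle "$demo_dir/limits.bad" 2>/dev/null || echo "limits.bad: rejected"
check_usepam "$demo_dir/sshd.good" && echo "sshd.good: ok"
check_usepam "$demo_dir/sshd.bad" 2>/dev/null || echo "sshd.bad: rejected"
rm -rf "$demo_dir"
```

On a real host, call check_nofile with the installation account and /etc/security/limits.conf, and check_usepam with /etc/ssh/sshd_config.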

Method 1: Simplified Method

You can install the Oracle Identity Governance software by using a quickstart installer.

A quickstart installer is available for Oracle Identity Governance. It installs Infrastructure, Oracle SOA Suite, and Oracle Identity Governance 12c (12.2.1.4.0) in one go, so you do not have to install these products using separate installers.

Roadmap for Installing and Configuring Oracle Identity Governance Using Simplified Installation

Use the roadmap provided in this section to install and configure Oracle Identity Governance (OIG) using the simplified installation process.

This table provides the high-level steps for installing and configuring Oracle Identity Governance.

Table 4-2 Task Roadmap for Installing and Configuring Oracle Identity Governance Using Simplified Installation

| Task | Description |
| --- | --- |
| Verify if your system meets the minimum hardware and software requirements. | See Roadmap for Verifying Your System Environment |
| Install Oracle Fusion Middleware Infrastructure, Oracle SOA Suite, and Oracle Identity Governance 12.2.1.4.0 using the quickstart installer. | This task involves obtaining the quickstart installer, starting the installation program, and navigating the installer screens. See Installing Oracle Identity Governance Using Quickstart Installer |
| Create the database schemas using Repository Creation Utility (RCU). | See Creating the Database Schemas |
| Configure and update the Oracle Identity Governance domain. | See Configuring and updating the OIG domain |
| Perform the necessary post-configuration tasks. | See Performing Post-Configuration Tasks |
| Start the Node Manager, Administration Server, Oracle SOA Suite Managed Server, and the OIG Managed Server. | See Starting the Servers |
| Integrate Oracle Identity Governance with Oracle SOA Suite. | See Integrating Oracle Identity Governance with Oracle SOA Suite |
| Verify the configuration. | See Verifying the Configuration |
| Refer to the bootstrap report for the configuration details and for any issues or warnings thrown during the installation process. | See Analyzing the Bootstrap Report |
| Access the Oracle Identity Governance Design Console, if required. | See Installing and Accessing the Oracle Identity Governance Design Console |

Installing Oracle Identity Governance Using Quickstart Installer

Complete the instructions in this section to install Oracle Identity Governance.

Obtaining the Quickstart Installer

Obtain the quickstart installer distribution on Technical Resources from Oracle.

See Obtaining Product Distributions in Planning an Installation of Oracle Fusion Middleware.

After downloading the required .zip file, unzip the .zip file to obtain the .jar distributions.

Note:

No prerequisite software is required for qstart.

Starting the Quickstart Installation Program

Start the quickstart installation program by running the java executable from the JDK directory.

Note:

Before running the quickstart installation program, you must verify that the supported JDK version is installed.

Run the following command from the JDK directory:
  • On UNIX:

    $JAVA_HOME/bin/java -jar fmw_12.2.1.4.0_idmquickstart.jar

  • On Windows:

    %JAVA_HOME%\bin\java -jar fmw_12.2.1.4.0_idmquickstart.jar

Navigating the Quickstart Installation Screens

The quickstart installer shows a series of screens where you verify or enter information.

The following table lists the order in which installer screens appear. If you need additional help with an installation screen, click Help.

Table 4-3 Oracle Identity Governance Quickstart Install Screens

Screen Description

Installation Inventory Setup

On Linux or UNIX operating systems, this screen opens if this is the first time you are installing any Oracle product on this host. Specify the location where you want to create your central inventory. Make sure that the operating system group name selected on this screen has write permissions to the central inventory location.

See About the Oracle Central Inventory in Installing Software with the Oracle Universal Installer.

This screen does not appear on Windows operating systems.

Welcome

Review the information to make sure that you have met all the prerequisites, then click Next.

Auto Updates

Select to skip automatic updates, select patches, or search for the latest software updates, including important security updates, through your My Oracle Support account.

Installation Location

Specify your Oracle home directory location.

You can click View to verify and ensure that you are installing the products in the correct Oracle home.

Prerequisite Checks

This screen verifies that your system meets the minimum necessary requirements.

To view the list of tasks that gets verified, select View Successful Tasks. To view log details, select View Log. If any prerequisite check fails, then an error message appears at the bottom of the screen. Fix the error and click Rerun to try again. To ignore the error or the warning message and continue with the installation, click Skip (not recommended).

Installation Summary

Use this screen to verify installation options you selected. If you want to save these options to a response file, click Save Response File and enter the response file location and name. The response file collects and stores all the information that you have entered, and enables you to perform a silent installation (from the command line) at a later time.

Click Install to begin the installation.

Installation Progress

This screen shows the installation progress.

When the progress bar reaches 100% complete, click Finish to dismiss the installer, or click Next to see a summary.

Installation Complete

This screen displays the Installation Location and the Feature Sets that are installed. Review this information and click Finish to close the installer.

After completing installation by using the simplified method, proceed to complete the following:
  1. Verifying the Installation
  2. Configuring the Oracle Identity Governance Domain

Method 2: Traditional Method

You can install the Oracle Identity Governance software by using the traditional method, in which you install the required products individually.

Dependent software for installing Oracle Identity Governance using the traditional method:

Note:

Install products in the specified order.
  1. Oracle Fusion Middleware Infrastructure 12c (12.2.1.4.0)
  2. Oracle SOA Suite 12c (12.2.1.4.0)

For information about installing Oracle Fusion Middleware Infrastructure 12c (12.2.1.4.0), see Installing the Infrastructure Software in Installing and Configuring the Oracle Fusion Middleware Infrastructure.

For information about installing Oracle SOA Suite 12c (12.2.1.4.0), see Installing the Oracle SOA Suite and Oracle Business Process Management Software in Installing and Configuring Oracle SOA Suite and Business Process Management.

Starting the Installation Program

Before running the installation program, you must verify that the JDK and prerequisite software are installed.

To start the installation program:

  1. Sign in to the host system.
  2. Change to the directory where you downloaded the installation program.
  3. You must have installed the Oracle Fusion Middleware Infrastructure 12c (12.2.1.4.0). For instructions, see Installing the Infrastructure Software in Installing and Configuring the Oracle Fusion Middleware Infrastructure.
  4. You must have installed the Oracle SOA Suite 12c (12.2.1.4.0). For instructions, see Installing the Oracle SOA Suite and Oracle Business Process Management Software in Installing and Configuring Oracle SOA Suite and Business Process Management.

    Note:

    When installing Oracle SOA Suite 12c (12.2.1.4.0), in the Installation Type screen, select the SOA Suite option.
  5. Start the installation program by running the java executable from the JDK directory. For example:
    • (UNIX) /home/Oracle/Java/jdk1.8.0_211/bin/java -jar fmw_12.2.1.4.0_idm.jar

    • (Windows) C:\home\Oracle\Java\jdk1.8.0_211\bin\java -jar fmw_12.2.1.4.0_idm.jar

Note:

You can also start the installer in silent mode using a saved response file instead of launching the installer screens. For more about silent or command line installation, see Using the Oracle Universal Installer in Silent Mode in Installing Software with the Oracle Universal Installer.

When the installation program appears, you are ready to begin the installation.

Navigating the Installation Screens

The installer shows a series of screens where you verify or enter information.

The following table lists the order in which installer screens appear. If you need additional help with an installation screen, click Help.

Table 4-4 Install Screens

Screen Description

Installation Inventory Setup

On Linux or UNIX operating systems, this screen opens if this is the first time you are installing any Oracle product on this host. Specify the location where you want to create your central inventory. Make sure that the operating system group name selected on this screen has write permissions to the central inventory location.

See About the Oracle Central Inventory in Installing Software with the Oracle Universal Installer.

This screen does not appear on Windows operating systems.

Welcome

Review the information to make sure that you have met all the prerequisites, then click Next.

Auto Updates

Select to skip automatic updates, select patches, or search for the latest software updates, including important security updates, through your My Oracle Support account.

Installation Location

Specify your Oracle home directory location.

This Oracle home must include Oracle Fusion Middleware Infrastructure 12c (12.2.1.4.0).

You can click View to verify and ensure that you are installing in the correct Oracle home.

Note:

Ensure that the Oracle Home path does not contain spaces.

Installation Type

Use the Collocated Installation Type.

Collocated mode is a type of installation that is managed through WebLogic Server. To install in collocated mode, you must have installed the required dependent software.

Prerequisite Checks

This screen verifies that your system meets the minimum necessary requirements.

To view the list of tasks that gets verified, select View Successful Tasks. To view log details, select View Log. If any prerequisite check fails, then an error message appears at the bottom of the screen. Fix the error and click Rerun to try again. To ignore the error or the warning message and continue with the installation, click Skip (not recommended).

Installation Summary

Use this screen to verify installation options you selected. If you want to save these options to a response file, click Save Response File and enter the response file location and name. The response file collects and stores all the information that you have entered, and enables you to perform a silent installation (from the command line) at a later time.

Click Install to begin the installation.

Installation Progress

This screen shows the installation progress.

When the progress bar reaches 100% complete, click Finish to dismiss the installer, or click Next to see a summary.

Installation Complete

This screen displays the Installation Location and the Feature Sets that are installed. Review this information and click Finish to close the installer.

Verifying the Installation

After you complete the installation, verify whether it was successful by completing a series of tasks.

Reviewing the Installation Log Files

Review the contents of the installation log files to make sure that the installer did not encounter any problems.

By default, the installer writes log files to the Oracle_Inventory_Location/logs (on UNIX operating systems) or Oracle_Inventory_Location\logs (on Windows operating systems) directory.

For a description of the log files and where to find them, see Installation Log Files in Installing Software with the Oracle Universal Installer.

Checking the Directory Structure

The contents of your installation vary based on the options that you selected during the installation.

See What Are the Key Oracle Fusion Middleware Directories? in Understanding Oracle Fusion Middleware.

Viewing the Contents of the Oracle Home

You can view the contents of the Oracle home directory by using the viewInventory script.

See Viewing the Contents of an Oracle Home in Installing Software with the Oracle Universal Installer.

Configuring the Oracle Identity Governance Domain

After you have installed Oracle Identity Governance, you can configure the domain, which you can also extend for high availability.

Note:

In this document, the variable OIM_HOME is used for ORACLE_HOME/idm (Unix) and ORACLE_HOME\idm (Windows).

Refer to the following sections to create the database schemas, configure a WebLogic domain, and verify the configuration:

Creating the Database Schemas

Before you can configure an Oracle Identity Governance domain, you must install required schemas on a certified database for use with this release of Oracle Fusion Middleware.

Installing and Configuring a Certified Database

Before you create the database schemas, you must install and configure a certified database, and verify that the database is up and running.

Note:

For an Autonomous Transaction Processing database (both Oracle Autonomous Transaction Processing-Dedicated (ATP-D) and Oracle Autonomous Transaction Processing-Shared (ATP-S)), you must modify the wallet settings, set the environment variables, and apply patches on ORACLE HOME. For more information, see Settings to connect to an Autonomous Transaction Processing Database and Applying Patches on ORACLE HOME.

See About Database Requirements for an Oracle Fusion Middleware Installation.

Starting the Repository Creation Utility

Start the Repository Creation Utility (RCU) after you verify that a certified JDK is installed on your system.

To start the RCU:

  1. Verify that a certified JDK already exists on your system by running java -version from the command line. For 12c (12.2.1.4.0), the certified JDK is 1.8.0_211 and later.
  2. Ensure that the JAVA_HOME environment variable is set to the location of the certified JDK. For example:
    • (UNIX) setenv JAVA_HOME /home/Oracle/Java/jdk1.8.0_211
    • (Windows) set JAVA_HOME=C:\home\Oracle\Java\jdk1.8.0_211
  3. Change to the following directory:
    • (UNIX) ORACLE_HOME/oracle_common/bin
    • (Windows) ORACLE_HOME\oracle_common\bin
  4. Enter the following command:
    • (UNIX) ./rcu
    • (Windows) rcu.bat

Navigating the Repository Creation Utility Screens to Create Schemas

Enter required information in the RCU screens to create the database schemas.

Introducing the RCU

The Welcome screen is the first screen that appears when you start the RCU.

Click Next.

Selecting a Method of Schema Creation

Use the Create Repository screen to select a method to create and load component schemas into the database.

On the Create Repository screen:
  • If you have the necessary permissions and privileges to perform DBA activities on your database, select System Load and Product Load. This procedure assumes that you have SYSDBA privileges.

  • If you do not have the necessary permissions or privileges to perform DBA activities in the database, you must select Prepare Scripts for System Load on this screen. This option generates a SQL script that you can give to your database administrator. See About System Load and Product Load in Creating Schemas with the Repository Creation Utility.

  • If the DBA has already run the SQL script for System Load, select Perform Product Load.

    Note:

    For an Autonomous Transaction Processing database (both Oracle Autonomous Transaction Processing-Dedicated (ATP-D) and Oracle Autonomous Transaction Processing-Shared (ATP-S)), you must create schemas as a Normal user. Although you do not have full SYS or SYSDBA privileges on the database, you must still select System Load and Product Load.

Providing Database Connection Details

On the Database Connection Details screen, provide the database connection details for the RCU to connect to your database.

Note:

If you are unsure of the service name for your database, you can obtain it from the SERVICE_NAMES parameter in the initialization parameter file of the database. If the initialization parameter file does not contain the SERVICE_NAMES parameter, then the service name is the same as the global database name, which is specified in the DB_NAME and DB_DOMAIN parameters.

For an Oracle Autonomous Transaction Processing-Shared (ATP-S) database, you must use only one of the database service names, <databasename>_tpurgent or <databasename>_tp, specified in tnsnames.ora. For database service name details, see Database Service Names for Autonomous Transaction Processing and Autonomous JSON Database.

To create schemas on an Autonomous Transaction Processing database (both Oracle Autonomous Transaction Processing-Dedicated (ATP-D) and Oracle Autonomous Transaction Processing-Shared (ATP-S)), you can specify the connection credentials using only the Connection String option. In this screen, a warning message is displayed. You can ignore the warning and continue with the schema creation. For more information, see SYS DBA Privileges Warning After Applying Patches.

For example:

  • Database Type: Oracle Database
  • Connection String Format: Select either of the available formats
  • If you choose connection parameters, provide the following details:
    • Host Name: examplehost.exampledomain.com
    • Port: 1521
    • Service Name: Orcl.exampledomain.com
    • User Name: sys
    • Password: ******
    • Role: SYSDBA
  • If you choose connection string, provide the following details:
    • Connection String: examplehost.exampledomain.com:1521:Orcl.exampledomain.com
    • User Name: sys
    • Password: ******
    • Role: SYSDBA

    For an Autonomous Transaction Processing database (both Oracle Autonomous Transaction Processing-Dedicated (ATP-D) and Oracle Autonomous Transaction Processing-Shared (ATP-S)), enter the connect string in the following format:

    jdbc:oracle:thin:@TNS_alias?TNS_ADMIN=<path of the wallet files, ojdbc.properties, and tnsnames.ora>

    In the connect string, you must pass TNS_alias as the database name found in tnsnames.ora, and TNS_ADMIN property to the location of the wallet files, ojdbc.properties, and tnsnames.ora.

    Note:

    For an Oracle Autonomous Transaction Processing-Shared (ATP-S) database, you must use only one of the database service names, <databasename>_tpurgent or <databasename>_tp, specified in tnsnames.ora. For database service name details, see Database Service Names for Autonomous Transaction Processing and Autonomous JSON Database.

    Example connect string for Oracle Autonomous Transaction Processing-Dedicated (ATP-D) database:

    jdbc:oracle:thin:@dbname_medium?TNS_ADMIN=/users/test/wallet_dbname/

    Example connect string for Oracle Autonomous Transaction Processing-Shared (ATP-S) database:

    jdbc:oracle:thin:@dbname_tp?TNS_ADMIN=/users/test/wallet_dbname/

Click Next to proceed, then click OK in the dialog window that confirms a successful database connection.

Specifying a Custom Prefix and Selecting Schemas

Select Create new prefix, specify a custom prefix, then expand IDM Schemas and select the Oracle Identity Manager schema. This action automatically selects the following schemas as dependencies:

  • User Messaging Service (UMS)

  • Metadata Services (MDS)

  • Oracle Platform Security Services (OPSS)

  • Audit Services (IAU)

  • Audit Services Append (IAU_Append)

  • Audit Services Viewer (IAU_Viewer)

  • WebLogic Services (WLS)

  • Common Infrastructure Services (STB)

  • SOA Infrastructure (SOAINFRA)

The schema Common Infrastructure Services (STB) is automatically created. This schema is dimmed; you cannot select or deselect it. This schema enables you to retrieve information from RCU during domain configuration. For more information, see "Understanding the Service Table Schema" in Creating Schemas with the Repository Creation Utility.

The custom prefix is used to logically group these schemas together for use in this domain only; you must create a unique set of schemas for each domain. Schema sharing across domains is not supported.

Tip:

For more information about custom prefixes, see "Understanding Custom Prefixes" in Creating Schemas with the Repository Creation Utility.

For more information about how to organize your schemas in a multi-domain environment, see "Planning Your Schema Creation" in Creating Schemas with the Repository Creation Utility.

Tip:

You must make a note of the custom prefix you choose to enter here; you will need this later on during the domain creation process.

Click Next to proceed, then click OK on the dialog window confirming that prerequisite checking for schema creation was successful.

Specifying Schema Passwords

On the Schema Passwords screen, specify how you want to set the schema passwords on your database, then enter and confirm your passwords.

Note:

For an Autonomous Transaction Processing database (both Oracle Autonomous Transaction Processing-Dedicated (ATP-D) and Oracle Autonomous Transaction Processing-Shared (ATP-S)), the schema password must be a minimum of 12 characters and must contain at least one uppercase letter, one lowercase letter, and one number.

You must make a note of the passwords you set on this screen; you will need them later on during the domain creation process.

Click Next.
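
The ATP rules stated for the Database Connection Details and Schema Passwords screens can be checked before the values are typed into the RCU. The following script is an added example, not Oracle's code; the wallet-directory permission test is an extra hygiene check that the guide does not state, and the sample wallet contents are constructed.

```shell
#!/bin/sh
# Added example: pre-flight checks for the ATP values entered in the RCU screens.

# parse_atp_connect STRING
# Accepts only jdbc:oracle:thin:@TNS_alias?TNS_ADMIN=<dir> and sets
# ATP_ALIAS and ATP_TNS_ADMIN from it.
parse_atp_connect() {
    case $1 in
        jdbc:oracle:thin:@?*\?TNS_ADMIN=?*) ;;
        *) echo "FAIL: expected jdbc:oracle:thin:@TNS_alias?TNS_ADMIN=<dir>" >&2
           return 1 ;;
    esac
    rest=${1#jdbc:oracle:thin:@}
    ATP_ALIAS=${rest%%\?*}
    ATP_TNS_ADMIN=${rest#*\?TNS_ADMIN=}
}

# check_atp_connect STRING KIND   (KIND is "shared" for ATP-S, "dedicated" for ATP-D)
check_atp_connect() {
    parse_atp_connect "$1" || return 1
    if [ "$2" = shared ]; then
        # ATP-S: only the <databasename>_tp or <databasename>_tpurgent services.
        case $ATP_ALIAS in
            *_tp|*_tpurgent) ;;
            *) echo "FAIL: ATP-S alias '$ATP_ALIAS' must end in _tp or _tpurgent" >&2
               return 1 ;;
        esac
    fi
    # TNS_ADMIN must hold tnsnames.ora and ojdbc.properties next to the wallet.
    for f in tnsnames.ora ojdbc.properties; do
        [ -r "$ATP_TNS_ADMIN/$f" ] || {
            echo "FAIL: $f not readable in $ATP_TNS_ADMIN" >&2; return 1; }
    done
    # The alias must be defined in tnsnames.ora ("alias = (description=...").
    awk -F= -v a="$ATP_ALIAS" '
        { n = $1; gsub(/[ \t]/, "", n); if (tolower(n) == tolower(a)) found = 1 }
        END { exit !found }' "$ATP_TNS_ADMIN/tnsnames.ora" || {
        echo "FAIL: alias '$ATP_ALIAS' not found in tnsnames.ora" >&2; return 1; }
    # Added hygiene check (not from the guide): the wallet directory holds
    # credentials, so it should grant nothing to group or others.
    mode=$(ls -ld "$ATP_TNS_ADMIN" | cut -c5-10)
    [ "$mode" = "------" ] || {
        echo "FAIL: $ATP_TNS_ADMIN is accessible to group or others" >&2; return 1; }
}

# check_atp_schema_password
# Reads the candidate password from stdin (kept out of arguments and output).
# ATP rule: at least 12 characters with an uppercase letter, a lowercase
# letter and a number.
check_atp_schema_password() {
    IFS= read -r pw || [ -n "$pw" ] || return 1
    [ "${#pw}" -ge 12 ] || { echo "FAIL: shorter than 12 characters" >&2; return 1; }
    case $pw in *[[:upper:]]*) ;; *) echo "FAIL: no uppercase letter" >&2; return 1 ;; esac
    case $pw in *[[:lower:]]*) ;; *) echo "FAIL: no lowercase letter" >&2; return 1 ;; esac
    case $pw in *[[:digit:]]*) ;; *) echo "FAIL: no number" >&2; return 1 ;; esac
}

# make_sample_wallet DIR
# Writes a constructed tnsnames.ora and an empty ojdbc.properties into DIR.
make_sample_wallet() {
    chmod 700 "$1"
    printf '%s\n' \
        'dbname_tp = (description=(address=(protocol=tcps)(port=1522)(host=adb.example.invalid)))' \
        'dbname_tpurgent = (description=(address=(protocol=tcps)(port=1522)(host=adb.example.invalid)))' \
        'dbname_medium = (description=(address=(protocol=tcps)(port=1522)(host=adb.example.invalid)))' \
        > "$1/tnsnames.ora"
    : > "$1/ojdbc.properties"
}

# Demonstration on the constructed wallet.
demo=$(mktemp -d)
make_sample_wallet "$demo"
check_atp_connect "jdbc:oracle:thin:@dbname_tp?TNS_ADMIN=$demo" shared \
    && echo "dbname_tp: accepted for ATP-S"
check_atp_connect "jdbc:oracle:thin:@dbname_medium?TNS_ADMIN=$demo" shared 2>/dev/null \
    || echo "dbname_medium: rejected for ATP-S"
# The checklist's example RCU schema password is 10 characters long.
printf '%s' 'myRCUpw674' | check_atp_schema_password 2>/dev/null \
    || echo "example checklist password: rejected for ATP"
rm -rf "$demo"
```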

Specifying Custom Variables

On the Custom Variables screen, accept the default values and click Next.

Tip:

For more information about options on this screen, see Custom Variables in Creating Schemas with the Repository Creation Utility.

Completing Schema Creation

Navigate through the remaining RCU screens to complete schema creation.

On the Map Tablespaces screen, the Encrypt Tablespace check box appears only if you enabled Transparent Data Encryption (TDE) in the database (Oracle or Oracle EBR) when you start the RCU.

To complete schema creation:
  1. On the Map Tablespaces screen, select Encrypt Tablespace if you want to encrypt all new tablespaces that the RCU creates.
  2. In the Completion Summary screen, click Close to dismiss the RCU.

    For an Oracle Autonomous Transaction Processing-Shared (ATP-S) database, in the Map Tablespaces screen you must override the default tablespaces and the temporary tablespaces, and also override the additional tablespaces, if applicable. See Map Tablespaces.

    If you encounter any issues when you create schemas on an Autonomous Transaction Processing database (both Oracle Autonomous Transaction Processing-Dedicated (ATP-D) and Oracle Autonomous Transaction Processing-Shared (ATP-S)), see Troubleshooting Tips for Schema Creation on an Autonomous Transaction Processing Database in Creating Schemas with the Repository Creation Utility and Issues Related to Product Installation and Configuration on an Autonomous Database in Release Notes for Oracle Fusion Middleware Infrastructure.

Configuring the Domain

Use the Configuration Wizard to create and configure a domain.

For information on other methods to create domains, see Additional Tools for Creating, Extending, and Managing WebLogic Domains in Creating WebLogic Domains Using the Configuration Wizard.

Starting the Configuration Wizard

Start the Configuration Wizard to begin configuring a domain.

To start the Configuration Wizard:

  1. Change to the following directory:

    (UNIX) ORACLE_HOME/oracle_common/common/bin

    (Windows) ORACLE_HOME\oracle_common\common\bin

    where ORACLE_HOME is your 12c (12.2.1.4.0) Oracle home.

  2. Enter the following command:

    (UNIX) ./config.sh

    (Windows) config.cmd

Navigating the Configuration Wizard Screens to Create and Configure the Domain

Enter required information in the Configuration Wizard screens to create and configure the domain for the topology.

Note:

You can use this procedure to extend an existing domain. If your needs do not match the instructions in the procedure, be sure to make your selections accordingly, or see the supporting documentation for more details.

Selecting the Domain Type and Domain Home Location

Use the Configuration Type screen to select a Domain home directory location, optimally outside the Oracle home directory.

Oracle recommends that you locate your Domain home in accordance with the directory structure in What Are the Key Oracle Fusion Middleware Directories? in Understanding Oracle Fusion Middleware, where the Domain home is located outside the Oracle home directory. This directory structure helps avoid issues when you need to upgrade or reinstall software.

Note:

Use different domain_homes for Oracle Access Management and Oracle Identity Governance.

To specify the Domain type and Domain home directory:

  1. On the Configuration Type screen, select Create a new domain.
  2. In the Domain Location field, specify your Domain home directory.

For more details about this screen, see Configuration Type in Creating WebLogic Domains Using the Configuration Wizard.

Selecting the Configuration Templates for Oracle Identity Manager

On the Templates screen, make sure Create Domain Using Product Templates is selected, then select the Oracle Identity Manager template.

Selecting this template automatically selects the following as dependencies:

  • Oracle Enterprise Manager

  • Oracle WSM Policy Manager

  • Oracle JRF

  • WebLogic Coherence Cluster Extension

Note:

  • The basic WebLogic domain is pre-selected.
  • Do not select Oracle SOA Suite in this screen. Oracle SOA Suite is automatically configured.

More information about the options on this screen can be found in Templates in Creating WebLogic Domains Using the Configuration Wizard.

Configuring High Availability Options

If you are not using a high availability setup, accept the default values on this screen and then click Next to proceed to the next screen. Use this screen to configure service migration and persistence settings that affect high availability.

This screen appears the first time you create a cluster that uses automatic service migration, persistent stores, or both. All subsequent clusters that you add to the domain by using the Configuration Wizard automatically apply the selected HA options.

Enable Automatic Service Migration

Select Enable Automatic Service Migration to enable pinned services to migrate automatically to a healthy Managed Server for failover. It configures migratable target definitions that are required for automatic service migration and the cluster leasing. Choose one of these cluster leasing options:

  • Database Leasing - Managed Servers use a table on a valid JDBC System Resource for leasing. Requires that the Automatic Migration data source have a valid JDBC System Resource. If you select this option, the Migration Basis is configured to Database and the Data Source for Automatic Migration is also automatically configured by the Configuration Wizard. If you have a high availability database, such as Oracle RAC, to manage leasing information, configure the database for server migration according to steps in High-availability Database Leasing.

  • Consensus Leasing - Managed Servers maintain leasing information in-memory. You use Node Manager to control Managed Servers in a cluster. (All servers that are migratable, or which could host a migratable target, must have a Node Manager associated with them.) If you select this option, the Migration Basis is configured to Consensus by the Configuration Wizard.

See Leasing for more information on leasing.

See Service Migration for more information on Automatic Service Migration.

JTA Transaction Log Persistence

This section has two options: Default Persistent Store and JDBC TLog Store.
  • Default Persistent Store - Configures the JTA Transaction Log store of the servers in the default file store.

  • JDBC TLog Store - Configures the JTA Transaction Log store of the servers in JDBC stores.

Oracle recommends that you select JDBC TLog Store. When you complete the configuration, you have a cluster where JDBC persistent stores are set up for Transaction logs.

For more details on persistent and TLOG stores, see the following topics in Developing JTA Applications for Oracle WebLogic Server:

JMS Server Persistence

A persistent JMS store is a physical repository for storing persistent message data and durable subscribers. It can be either a disk-based file store or a JDBC-accessible database. You can use a JMS file store for paging of messages to disk when memory is exhausted.

  • JMS File Store - Configures a component to use JMS File Stores. If you select this option, you can choose the File Store option in the Advanced Configuration Screen to change the settings, if required. In the File Stores screen, you can set file store names, directories, and synchronous write policies.

  • JMS JDBC Store - Configures a component to use JDBC stores for all its JMS servers. When you complete the configuration, you have a cluster and JDBC persistent stores are configured for the JMS servers.

    This is the recommended option for Oracle Identity Governance 12c (12.2.1.4.0).

Selecting the Application Home Location

Use the Application Location screen to select the location to store applications associated with your domain, also known as the Application home directory.

Oracle recommends that you locate your Application home in accordance with the directory structure in What Are the Key Oracle Fusion Middleware Directories? in Understanding Oracle Fusion Middleware, where the Application home is located outside the Oracle home directory. This directory structure helps avoid issues when you need to upgrade or re-install your software.

For more about the Application home directory, see About the Application Home Directory.

For more information about this screen, see Application Location in Creating WebLogic Domains Using the Configuration Wizard.

Configuring the Administrator Account

Use the Administrator Account screen to specify the user name and password for the default WebLogic Administrator account for the domain.

Oracle recommends that you make a note of the user name and password that you enter on this screen; you need these credentials later to boot and connect to the domain's Administration Server.

For more information about this screen, see Administrator Account in Creating WebLogic Domains Using the Configuration Wizard.

Specifying the Domain Mode and JDK

Use the Domain Mode and JDK screen to specify the domain mode and Java Development Kit (JDK).

On the Domain Mode and JDK screen:

  • Select Production in the Domain Mode field.

  • Select the Oracle HotSpot JDK in the JDK field.

For more information about this screen, see Domain Mode and JDK in Creating WebLogic Domains Using the Configuration Wizard.

Specifying the Database Configuration Type

Use the Database Configuration type screen to specify details about the database and database schema.

On the Database Configuration type screen, select RCU Data. This option instructs the Configuration Wizard to connect to the database and Service Table (STB) schema to automatically retrieve schema information for schemas needed to configure the domain.

Note:

If you select Manual Configuration on this screen, you must manually fill in parameters for your schema on the next screen.

For an Autonomous Transaction Processing database (both Oracle Autonomous Transaction Processing-Dedicated (ATP-D) and Oracle Autonomous Transaction Processing-Shared (ATP-S)), you must select only the RCU Data option.

After selecting RCU Data, specify details in the following fields:

| Field | Description |
|---|---|
| DBMS/Service | Enter the database DBMS name, or service name if you selected a service type driver. Example: orcl.exampledomain.com |
| Host Name | Enter the name of the server hosting the database. Example: examplehost.exampledomain.com |
| Port | Enter the port number on which the database listens. Example: 1521 |
| Schema Owner, Schema Password | Enter the username and password for connecting to the database's Service Table schema. This is the schema username and password entered for the Service Table component on the Schema Passwords screen in the RCU (see Specifying Schema Passwords). The default username is prefix_STB, where prefix is the custom prefix that you defined in the RCU. |

For an Autonomous Transaction Processing database (both Oracle Autonomous Transaction Processing-Dedicated (ATP-D) and Oracle Autonomous Transaction Processing-Shared (ATP-S)), specify the connection credentials using only the Connection URL String option, and enter the connect string in the following format:

jdbc:oracle:thin:@TNS_alias?TNS_ADMIN=<path of the wallet files, ojdbc.properties, and tnsnames.ora>

In the connect string, you must pass TNS_alias as the database name found in tnsnames.ora, and TNS_ADMIN property to the location of the wallet files, ojdbc.properties, and tnsnames.ora.

Example connect string for Oracle Autonomous Transaction Processing-Dedicated (ATP-D) database:

jdbc:oracle:thin:@dbname_medium?TNS_ADMIN=/users/test/wallet_dbname/

Example connect string for Oracle Autonomous Transaction Processing-Shared (ATP-S) database:

jdbc:oracle:thin:@dbname_tp?TNS_ADMIN=/users/test/wallet_dbname/

Click Get RCU Configuration when you finish specifying the database connection information. The following output in the Connection Result Log indicates that the operation succeeded:

Connecting to the database server...OK
Retrieving schema data from database server...OK
Binding local schema components with retrieved data...OK

Successfully Done.

For more information about the schema installed when the RCU is run, see About the Service Table Schema in Creating Schemas with the Repository Creation Utility.

See Database Configuration Type in Creating WebLogic Domains Using the Configuration Wizard.

Specifying JDBC Component Schema Information

Use the JDBC Component Schema screen to verify or specify details about the database schemas.

Verify that the values populated on the JDBC Component Schema screen are correct for all schemas. If you selected RCU Data on the previous screen, the schema table should already be populated appropriately. If you selected Manual configuration on the Database Configuration screen, you must configure the schemas listed in the table manually, before you proceed.

For an Autonomous Transaction Processing database (both Oracle Autonomous Transaction Processing-Dedicated (ATP-D) and Oracle Autonomous Transaction Processing-Shared (ATP-S)), specify the connection credentials using only the Connection URL String option, and enter the connect string in the following format:

jdbc:oracle:thin:@TNS_alias?TNS_ADMIN=<path of the wallet files, ojdbc.properties, and tnsnames.ora>

In the connect string, you must pass TNS_alias as the database name found in tnsnames.ora, and TNS_ADMIN property to the location of the wallet files, ojdbc.properties, and tnsnames.ora.

Example connect string for Oracle Autonomous Transaction Processing-Dedicated (ATP-D) database:

jdbc:oracle:thin:@dbname_medium?TNS_ADMIN=/users/test/wallet_dbname/

Example connect string for Oracle Autonomous Transaction Processing-Shared (ATP-S) database:

jdbc:oracle:thin:@dbname_tp?TNS_ADMIN=/users/test/wallet_dbname/
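The connect-string format described here and in Specifying the Database Configuration Type can be checked before it is entered in the Configuration Wizard. The following shell function is an added example, not part of the Oracle documentation or tooling; the function names, the wallet file names it looks for (cwallet.sso, ewallet.p12, keystore.jks), the alias character set, and the check that wallet files are not accessible to other users are assumptions.

```shell
#!/bin/sh
# Added example (not Oracle code): pre-flight check for the documented format
#   jdbc:oracle:thin:@TNS_alias?TNS_ADMIN=<wallet directory>

# check_atp_connect_string URL
# Prints one line per finding. Returns 0 when clean, 1 when there are
# findings, 2 when the string does not have the documented shape.
check_atp_connect_string() {
    url=$1
    prefix='jdbc:oracle:thin:@'
    findings=0

    case $url in
        "$prefix"*'?TNS_ADMIN='*) ;;
        *) echo "FORMAT: expected ${prefix}TNS_alias?TNS_ADMIN=<directory>"
           return 2 ;;
    esac
    rest=${url#"$prefix"}
    tns_alias=${rest%%\?*}              # text before the first '?'
    wallet_dir=${rest#*\?TNS_ADMIN=}    # text after '?TNS_ADMIN='

    # Restrict the alias to a conservative character set (assumption) so it
    # can be used safely in the grep pattern below.
    case $tns_alias in
        ''|*[!A-Za-z0-9_.-]*)
            echo "FORMAT: TNS alias is empty or contains unexpected characters"
            return 2 ;;
    esac

    if [ ! -d "$wallet_dir" ]; then
        echo "MISSING: TNS_ADMIN directory $wallet_dir"
        return 1
    fi

    # The page requires tnsnames.ora and ojdbc.properties in TNS_ADMIN.
    for f in tnsnames.ora ojdbc.properties; do
        if [ ! -f "$wallet_dir/$f" ]; then
            echo "MISSING: $f"
            findings=$((findings + 1))
        fi
    done

    # Wallet file names are an assumption about a typical ATP wallet download.
    if [ ! -f "$wallet_dir/cwallet.sso" ] && [ ! -f "$wallet_dir/ewallet.p12" ] \
        && [ ! -f "$wallet_dir/keystore.jks" ]; then
        echo "MISSING: wallet file (cwallet.sso, ewallet.p12 or keystore.jks)"
        findings=$((findings + 1))
    fi

    # TNS_alias must be an entry name in tnsnames.ora ("alias = (...)").
    if [ -f "$wallet_dir/tnsnames.ora" ]; then
        alias_re=$(printf '%s' "$tns_alias" | sed 's/\./\\./g')
        if ! grep -Eiq "^[[:space:]]*${alias_re}[[:space:]]*=" \
                "$wallet_dir/tnsnames.ora"; then
            echo "ALIAS: $tns_alias is not defined in tnsnames.ora"
            findings=$((findings + 1))
        fi
    fi

    # Added hardening check: the wallet holds database credentials, so flag
    # the directory or any file in it that grants access to "other" users.
    loose=$(find "$wallet_dir" -maxdepth 1 ! -type l \
        \( -perm -001 -o -perm -002 -o -perm -004 \) -print)
    if [ -n "$loose" ]; then
        echo "$loose" | while IFS= read -r p; do
            echo "PERMS: $p is accessible to other users"
        done
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}

# make_sample_wallet DIR
# Builds a constructed wallet directory with placeholder files for the demo.
make_sample_wallet() {
    sample_dir=$1
    mkdir -p "$sample_dir" && chmod 700 "$sample_dir"
    printf '%s\n' \
        'dbname_medium = (description=(address=(protocol=tcps)(port=1522)(host=adb.example.invalid)))' \
        > "$sample_dir/tnsnames.ora"
    printf '# constructed placeholder\n' > "$sample_dir/ojdbc.properties"
    : > "$sample_dir/cwallet.sso"
    chmod 600 "$sample_dir"/*
}

# Demo on constructed data: a clean wallet directory and a matching alias.
demo_root=$(mktemp -d)
make_sample_wallet "$demo_root/wallet_dbname"
if check_atp_connect_string \
    "jdbc:oracle:thin:@dbname_medium?TNS_ADMIN=$demo_root/wallet_dbname/"; then
    echo "connect string and wallet directory look consistent"
fi
rm -rf "$demo_root"
```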

For high availability environments, see the following sections in High Availability Guide for additional information on configuring data sources for Oracle RAC databases:

See JDBC Component Schema in Creating WebLogic Domains Using the Configuration Wizard for more details about this screen.

Testing the JDBC Connections

Use the JDBC Component Schema Test screen to test the data source connections.

A green check mark in the Status column indicates a successful test. If you encounter any issues, see the error message in the Connection Result Log section of the screen, fix the problem, then try to test the connection again.

By default, the schema password for each schema component is the password you specified while creating your schemas. If you want different passwords for different schema components, manually edit them in the previous screen (JDBC Component Schema) by entering the password you want in the Schema Password column of each row. After specifying the passwords, select the check box for each schema whose password you changed and test the connection again.

For more information about this screen, see JDBC Component Schema Test in Creating WebLogic Domains Using the Configuration Wizard.

Entering Credentials

Use the Credentials screen to set credentials for each key in the domain.

The following table lists the key names, and the values that you must specify for their respective username and password.

Note:

Ensure that you specify keystore as the username for the key Keystore, and xelsysadm as the username for the key sysadmin.

Table 4-5 Values to be Specified on the Credentials Screen

| Key Name | Username | Password | Store Name |
|---|---|---|---|
| Keystore | keystore | Specify the password for keystore. | oim |
| OIMSchemaPassword | Specify the schema username for OIM operations database. | Specify the schema password of the OIM operations database schema owner. | oim |
| sysadmin | xelsysadm | Specify the sysadmin password. | oim |
| WebLogicAdminKey | Specify the username of the WebLogic administrator account for OIM domain. | Specify the password of the WebLogic administrator account for OIM domain. | oim |

Specifying the Path to the Keystore Certificate or Key

Use the Keystore screen to specify either the path to the trusted certificate for each keystore, or the path to each keystore’s private key and other private key information.

When you click in the Trusted Certificate, Private Key, or Identity Certificate fields, a browse icon appears to the right of the field. Click this icon to browse to the appropriate file.

For more information about this screen, see Keystore in Creating WebLogic Domains Using the Configuration Wizard.

Selecting Advanced Configuration

Use the Advanced Configuration screen to complete the domain configuration.

On the Advanced Configuration screen, select:

  • Administration Server

    Required to properly configure the listen address of the Administration Server.

  • Node Manager

    Required to configure Node Manager.

  • Topology

    Required to configure the Oracle Identity Governance Managed Server.

Optionally, select other available options as required for your desired installation environment. The steps in this guide describe a standard installation topology, but you may choose to follow a different path. If your installation requirements extend to additional options outside the scope of this guide, you may be presented with additional screens to configure those options. For information about all Configuration Wizard screens, see Configuration Wizard Screens in Creating WebLogic Domains Using the Configuration Wizard.

Configuring the Administration Server Listen Address

Use the Administration Server screen to select the IP address of the host.

Select the drop-down list next to Listen Address and select the IP address of the host where the Administration Server will reside, or use the system name or DNS name that maps to a single IP address. Do not use All Local Addresses.

Do not specify any server groups for the Administration Server.

Configuring Node Manager

Use the Node Manager screen to select the type of Node Manager you want to configure, along with the Node Manager credentials.

Select Per Domain Default Location as the Node Manager type, then specify Node Manager credentials.

For more information about this screen, see Node Manager in Creating WebLogic Domains Using the Configuration Wizard.

For more about Node Manager types, see Node Manager Overview in Administering Node Manager for Oracle WebLogic Server.

Configuring Managed Servers for Oracle Identity Manager

On the Managed Servers screen, new Managed Servers named oim_server1 and soa_server1 are automatically created by default.

To configure Managed Servers for Oracle Identity Governance and Oracle SOA Suite:
  1. In the Listen Address drop-down list, select the IP address of the host on which the Managed Server will reside or use the system name or DNS name that maps to a single IP address. Do not use All Local Addresses.
  2. In the Server Groups drop-down list, make sure that oim_server1 is associated with OIM-MGD-SVRS group and soa_server1 is associated with SOA-MGD-SVRS group. This ensures that the correct service(s) target the Managed Servers you are creating.

    Server groups target Fusion Middleware applications and services to one or more servers by mapping defined application service groups to each defined server group. A given application service group may be mapped to multiple server groups if needed. Any application services that are mapped to a given server group are automatically targeted to all servers that are assigned to that group. For more information, see Application Service Groups, Server Groups, and Application Service Mappings in Domain Template Reference.

  3. Click Clone to create a second Managed Server oim_server2 of type oim_server1. Repeat it to create a second Managed Server soa_server2 of type soa_server1.

    Configuring a second Managed Server is one of the steps needed to configure the standard topology for high availability. If you are not creating a highly available environment, then this step is optional.

    For more information about the high availability standard topology, see Understanding the Fusion Middleware Standard HA Topology in High Availability Guide.

    For more information about the next steps to prepare for high availability after your domain is configured, see Preparing Your Environment for High Availability.

These server names are referenced throughout this document; if you choose different names be sure to replace them as needed.

Tip:

For details about options on this screen, see Managed Servers in Creating WebLogic Domains Using the Configuration Wizard.

Configuring a Cluster for Oracle Identity Manager

Use the Clusters screen to create a new cluster. This is required for an Oracle Identity Governance high availability setup.

On the Clusters screen:

  1. Click Add.
  2. Specify oim_cluster_1 in the Cluster Name field.
  3. For the Cluster Address field, specify the ipaddress/hostname:port. For example:
    ip_address_machine1:portnumber,ip_address_machine2:portnumber
  4. Repeat the steps to add soa_cluster1.

By default, server instances in a cluster communicate with one another using unicast. If you want to change your cluster communications to use multicast, see Considerations for Choosing Unicast or Multicast in Administering Clusters for Oracle WebLogic Server.

You can also create clusters using Fusion Middleware Control. In this case, you can configure cluster communication (unicast or multicast) when you create the new cluster. See Create and configure clusters in Oracle WebLogic Server Administration Console Online Help.

Tip:

For more information about this screen, see Clusters in Creating WebLogic Domains Using the Configuration Wizard.

Defining Server Templates

If you are creating dynamic clusters for a high availability setup, use the Server Templates screen to define one or more server templates for the domain.

To continue configuring the domain, click Next.

For steps to create a dynamic cluster for a high availability setup, see Using Dynamic Clusters in High Availability Guide.

Configuring Dynamic Servers

If you are creating dynamic clusters for a high availability setup, use the Dynamic Servers screen to configure the dynamic servers.

If you are not configuring a dynamic cluster, click Next to continue configuring the domain.

Note:

When you create dynamic clusters, keep in mind that after you assign the Machine Name Match Expression, you do not need to create machines for your dynamic cluster.

To create a dynamic cluster for a high availability setup, see Using Dynamic Clusters in High Availability Guide.

Assigning Oracle Identity Manager Managed Servers to the Cluster

If you are configuring a single-node non-clustered setup, click Next and go to the next screen. Use the Assign Servers to Clusters screen to assign Managed Servers to a new configured cluster. A configured cluster is a cluster that you configure manually. You do not use this screen if you are configuring a dynamic cluster, which is a cluster that contains one or more generated server instances that are based on a server template.

For more on configured cluster and dynamic cluster terms, see About Dynamic Clusters in Understanding Oracle WebLogic Server.

On the Assign Servers to Clusters screen:

  1. In the Clusters pane, select the cluster to which you want to assign the Managed Servers; in this case, oim_cluster1.
  2. In the Servers pane, assign oim_server1 to oim_cluster1 by doing one of the following:
    • Click once on oim_server1 to select it, then click the right arrow to move it beneath the selected cluster (oim_cluster1) in the Clusters pane.

    • Double-click on oim_server1 to move it beneath the selected cluster (oim_cluster1) in the Clusters pane.

  3. Repeat to assign soa_server1 to soa_cluster1.

Tip:

For more information about this screen, see Assign Servers to Clusters in Creating WebLogic Domains Using the Configuration Wizard.

Configuring Coherence Clusters

Use the Coherence Clusters screen to configure the Coherence cluster.

Leave the default port number as the Coherence cluster listen port. After configuration, the Coherence cluster is automatically added to the domain.

Note:

Setting the unicast listen port to 0 creates an offset for the Managed Server port numbers. The offset is 5000, meaning the maximum allowed value that you can assign to a Managed Server port number is 60535, instead of 65535.

See Table 5-2 for more information and next steps for configuring Coherence.

For Coherence licensing information, see Oracle Coherence Products in Licensing Information.

Creating a New Oracle Identity Manager Machine

Use the Machines screen to create new machines in the domain. A machine is required so that Node Manager can start and stop servers.

Tip:

If you plan to create a high availability environment and know the list of machines your target topology requires, you can follow the instructions in this section to create all the machines at this time. For more about scale out steps, see Optional Scale Out Procedure in High Availability Guide.

To create a new Oracle Identity Governance machine so that Node Manager can start and stop servers:
  1. Select the Machine tab (for Windows) or the UNIX Machine tab (for UNIX), then click Add to create a new machine.
  2. In the Name field, specify a machine name, such as oim_machine1.
  3. In the Node Manager Listen Address field, select the IP address of the machine in which the Managed Servers are being configured. You can also specify the host name for this field.

    You must select a specific interface and not localhost. This allows Coherence cluster addresses to be dynamically calculated.

  4. Verify the port in the Node Manager Listen Port field.
  5. Repeat these steps to add more machines, if required.

Note:

If you are extending an existing domain, you can assign servers to any existing machine. It is not necessary to create a new machine unless your situation requires it.

Tip:

For more information about this screen, see Machines in Creating WebLogic Domains Using the Configuration Wizard.

Assigning Servers to Oracle Identity Manager Machines

Use the Assign Servers to Machines screen to assign the Administration Server and Managed Servers to the new machine you just created.

On the Assign Servers to Machines screen:

  1. In the Machines pane, select the machine to which you want to assign the servers; in this case, oim_machine_1.
  2. In the Servers pane, assign AdminServer to oim_machine_1 by doing one of the following:
    • Click once on AdminServer to select it, then click the right arrow to move it beneath the selected machine (oim_machine_1) in the Machines pane.

    • Double-click on AdminServer to move it beneath the selected machine (oim_machine_1) in the Machines pane.

  3. Repeat these steps to assign all Managed Servers to their respective machines.

Tip:

For more information about this screen, see Assign Servers to Machines in Creating WebLogic Domains Using the Configuration Wizard.

Virtual Targets

If you have a WebLogic Server Multitenant (MT) environment, you use the Virtual Targets screen to add or delete virtual targets. For this installation (not a WebLogic Server MT environment), you do not enter any values; just select Next.

For details about this screen, see Virtual Targets in Creating WebLogic Domains Using the Configuration Wizard.

Note:

WebLogic Server Multitenant virtual targets are deprecated in WebLogic Server 12.2.1.4.0 and will be removed in the next release.

Partitions

The Partitions screen is used to configure partitions for virtual targets in WebLogic Server Multitenant (MT) environments. Select Next without selecting any options.

For details about options on this screen, see Partitions in Creating WebLogic Domains Using the Configuration Wizard.

Note:

WebLogic Server Multitenant domain partitions are deprecated in WebLogic Server 12.2.1.4.0 and will be removed in the next release.

Configuring Domain Frontend Host

The Domain Frontend Host screen can be used to configure the frontend host for the domain.

Select Plain or SSL and specify the respective host value.

Click Next.

Targeting the Deployments

The Deployments Targeting screen can be used to target the available deployments to the servers.

Make the required modifications, and click Next.

Targeting the Services

The Services Targeting screen can be used to target the available services to the Servers.

Make necessary modifications, and click Next.

File Stores

The File Stores screen lists the available file stores.

You can specify the Synchronous Write Policy for each of the file stores. After you make the changes, click Next.

Reviewing Your Configuration Specifications and Configuring the Domain

The Configuration Summary screen shows detailed configuration information for the domain you are about to create.

Review each item on the screen and verify that the information is correct. To make any changes, go back to a screen by clicking the Back button or selecting the screen in the navigation pane. Domain creation does not start until you click Create.

For more details about options on this screen, see Configuration Summary in Creating WebLogic Domains Using the Configuration Wizard.

Writing Down Your Domain Home and Administration Server URL

The End of Configuration screen shows information about the domain you just configured.

Make a note of the following items because you need them later:

  • Domain Location

  • Administration Server URL

You need the domain location to access scripts that start Node Manager and Administration Server, and you need the URL to access the Administration Server.

Click Finish to dismiss the Configuration Wizard.

Additional Domain Configuration

Use the Configuration Wizard to update the domain.

For information on other methods to create domains, see Additional Tools for Creating, Extending, and Managing WebLogic Domains in Creating WebLogic Domains Using the Configuration Wizard.

Complete the following steps:
  1. Change to the following directory:

    (UNIX) ORACLE_HOME/oracle_common/common/bin

    (Windows) ORACLE_HOME\oracle_common\common\bin

    Where, ORACLE_HOME is your 12c (12.2.1.4.0) Oracle home.

  2. Enter the following command:

    (UNIX) ./config.sh

    (Windows) config.cmd

    The configuration screen is displayed.

  3. On the Configuration Type screen, select Update an existing domain.
  4. In the Domain Location field, specify the Domain home directory.
  5. On the Templates screen, select Update Domain Using Custom Template.
  6. In the Template location field, specify:

    ORACLE_HOME/soa/common/templates/wls/oracle.soa.classic.domain_template.jar

  7. Complete the configuration wizard by entering the required values in the respective screens. For information about the configuration screens, see Navigating the Configuration Wizard Screens to Create and Configure the Domain.

Performing Post-Configuration Tasks

After you configure the Oracle Identity Governance domain, perform the necessary post-configuration tasks.

Running the Offline Configuration Command

After you configure the Oracle Identity Governance domain, run the offlineConfigManager script to perform post-configuration tasks.

Ensure that you run this command before you start any server. To run the offlineConfigManager command, do the following:
  1. Set the following environment variables to the right values:
    • DOMAIN_HOME
    • JAVA_HOME
  2. Ensure that you have execute permissions for the file OIM_HOME/server/bin/offlineConfigManager.sh.
  3. Run the following command from the location OIM_HOME/server/bin/:
    • On Unix: ./offlineConfigManager.sh
    • On Windows: offlineConfigManager.bat

    Note:

    OIM_HOME refers to ORACLE_HOME/idm.

Starting the Servers

After a successful configuration, start all processes and servers, including the Administration Server and any Managed Servers.

The components may be dependent on each other so they must be started in the correct order.

Note:

The procedures in this section describe how to start servers and processes using the WLST command line or a script. You can also use the Oracle Fusion Middleware Control and the Oracle WebLogic Server Administration Console. See Starting and Stopping Administration and Managed Servers and Node Manager in Administering Oracle Fusion Middleware.

To start your Fusion Middleware environment, follow the steps below.

Step 1: Start Node Manager

To start Node Manager, use the startNodeManager script:

  • (UNIX) EXISTING_DOMAIN_HOME/bin/startNodeManager.sh

  • (Windows) EXISTING_DOMAIN_HOME\bin\startNodeManager.cmd

Step 2: Start the Administration Server

When you start the Administration Server, you also start the processes running in the Administration Server, including the WebLogic Server Administration Console and Fusion Middleware Control.

To start the Administration Server, use the startWebLogic script:

  • (UNIX) EXISTING_DOMAIN_HOME/bin/startWebLogic.sh

  • (Windows) EXISTING_DOMAIN_HOME\bin\startWebLogic.cmd

When you created the domain, if you selected Production Mode on the Domain Mode and JDK screen, a prompt for the Administrator user login credentials is displayed. Provide the same credentials that you provided on the Administrator Account screen.

For an Autonomous Transaction Processing database (both Oracle Autonomous Transaction Processing-Dedicated (ATP-D) and Oracle Autonomous Transaction Processing-Shared (ATP-S)), when you access the Sysadmin Console (http://<machine_name>:<oim_server_port>/sysadmin) and the OIM Console (http://<machine_name>:<oim_server_port>/identity), JET UI does not work and blank pages are displayed, and the following error message may be displayed in the Administration Server logs.

Example message:

<AdminServer> <[ACTIVE] ExecuteThread: '63' for queue: 'weblogic.kernel.Default (self-tuning)'> <weblogic> <> 
<16023522-e47f-40f4-a66f-7ea3729188d1-00000064> <1628079696204> 
<[severity-value: 8] [rid: 0] [partition-id: 0] [partition-name: DOMAIN] > 
<BEA-240003> <Administration Console encountered the following error: 
java.lang.NoSuchMethodError: 
org.glassfish.jersey.internal.LocalizationMessages.WARNING_PROPERTIES()Ljava/lang/String; at
org.glassfish.jersey.internal.config.SystemPropertiesConfigurationModel.getProperties(SystemPropertiesConfigurationModel.java:122) at
org.glassfish.jersey.internal.config.SystemPropertiesConfigurationProvider.getProperties(SystemPropertiesConfigurationProvider.java:29) at
org.glassfish.jersey.internal.config.ExternalPropertiesConfigurationFactory.readExternalPropertiesMap(ExternalPropertiesConfigurationFactory.java:55) at
org.glassfish.jersey.internal.config.ExternalPropertiesConfigurationFactory.configure(ExternalPropertiesConfigurationFactory.java:72) at
org.glassfish.jersey.internal.config.ExternalPropertiesConfigurationFeature.configure(ExternalPropertiesConfigurationFeature.java:26) at
org.glassfish.jersey.model.internal.CommonConfig.configureFeatures(CommonConfig.java:730)

Note:

If JET UI does not work, blank pages are displayed for the following screens:

  • OIM Console
    • Application onboarding (AOB)
    • Account > Resource History
    • Open Tasks
  • Sysadmin Console
    • IT Resource Create/Search
    • Manage Connector
    • Import/Export (Deployment Manager)

The workaround is to restart the Administration Server, Oracle SOA Server, and Oracle Identity Manager (OIM) Server from the terminal after clearing the CLASSPATH environment variable with the command:

export CLASSPATH=

Note:

You must restart the servers in the following order:
  • Administration Server
  • Oracle SOA Server
  • Oracle OIM Server

Step 3: Start the Managed Servers

  • If Node Manager is not configured, start the Managed Servers using the following instructions:

    Start the Oracle SOA Suite Managed Server first and then the Oracle Identity Governance Managed Server.

    To start a WebLogic Server Managed Server, use the startManagedWebLogic script:

    • (UNIX) EXISTING_DOMAIN_HOME/bin/startManagedWebLogic.sh managed_server_name admin_url

    • (Windows) EXISTING_DOMAIN_HOME\bin\startManagedWebLogic.cmd managed_server_name admin_url

    When prompted, enter your user name and password. These are the same user name and password that you provided on the Administrator Account screen when creating the domain.

    Note:

    The startup of a Managed Server will typically start the applications that are deployed to it. Therefore, it should not be necessary to manually start applications after the Managed Server startup.
  • If Node Manager is configured, start the Managed Servers using the following instructions:
    1. Launch the Administration Console:
      1. Using a web browser, open the following URL:
        http://hostname:port/console
        Where:
        • hostname is the administration server host.
        • port is the administration server port on which the host server is listening for requests (7001 by default).
      2. When the login page appears, enter the user name and password you used to start the Administration Server.
    2. Start Managed Servers from the Administration Console. For instructions, see Start Managed Servers from the Administration Console.

Integrating Oracle Identity Governance with Oracle SOA Suite

If you wish to integrate Oracle Identity Governance with Oracle SOA Suite, use the Enterprise Manager console to do so.

To integrate Oracle Identity Governance with Oracle SOA Suite, do the following:
  1. Log in to Oracle Fusion Middleware Control:
    http://administration_server_host:administration_server_port/em
    

    The Administration Server host and port number were in the URL on the End of Configuration screen (Writing Down Your Domain Home and Administration Server URL). The default Administration Server port number is 7001.

    The login credentials were provided on the Administrator Account screen (Configuring the Administrator Account).

  2. Click weblogic_domain and then click System Mbean Browser.
  3. In the search box, enter OIMSOAIntegrationMBean, and click Search. The mbean is displayed.

    Note:

    If Oracle Identity Governance is still starting (coming up) or has just started (RUNNING MODE), the Enterprise Manager does not show any Mbeans defined by OIG. Wait for two minutes for the server to start, and then try searching for the Mbean in the System Mbean Browser of the Enterprise Manager.

  4. Go to the Operations tab of mbean, and select integrateWithSOAServer.
  5. Enter the following required attributes:
    • Weblogic Administrator User name: The user name of the WebLogic administrator account
    • Weblogic Administrator User Password: The password for the WebLogic administrator account
    • OIM Front end URL: http://<HOSTNAME>:<OIM_server_port>
    • OIM External Front end URL: http://<HOSTNAME>:<OIM_server_port>
    • SOA SOAP URL: http://<HOSTNAME>:<SOA_server_port>
    • SOA RMI URL: t3://<HOSTNAME>:<SOA_server_port>
    • UMS Webservice URL: http://<HOSTNAME>:<SOA_server_port>/ucs/messaging/webservice

    Note:

    When there is a load balancer, the above value differs:

    • If OIM >= 11.1.2.2.0 then select OIM Front end URL.
    • If OIM < 11.1.2.2.0 then select OIM External Front end URL.
    • SOA RMI URL: t3://<soahost1>:<soalistenport1>,<soahost2>:<soalistenport2>

    The SOA SOAP URL, SOA RMI URL, and UMS Webservice URL attributes in Oracle Identity Governance with Oracle SOA Suite can be seen on the EM console only if you have applied the OPatch 28186730 and the OIM bundle patch 12.2.1.4.210428 (p32829648_122140_Generic.zip) on the 12.2.1.4.0 ORACLE_HOME.

  6. Click Invoke.

Verifying the Configuration

After completing all configuration steps, you can perform additional steps to verify that your domain is properly configured.

By using a Web browser, go to the URL: http://HOSTNAME:PORT/identity

In this URL, HOSTNAME represents the name of the computer hosting the application server and PORT refers to the port on which the Oracle Identity Governance server is listening.

For information about integrating Oracle Identity Governance with other Identity Management components, see Introduction to IdM Suite Components Integration in Integration Guide for Oracle Identity Management Suite.

For more information about performing additional domain configuration tasks, see Performing Additional Domain Configuration Tasks.

Analyzing the Bootstrap Report

When you start the Oracle Identity Governance server, the bootstrap report is generated at DOMAIN_HOME/servers/oim_server1/logs/BootStrapReportPreStart.html.

The bootstrap report BootStrapReportPreStart.html is an HTML file that contains information about the topology that you have deployed, the system level details, the connection details such as the URLs to be used, the connectivity check, and the task execution details. You can use this report to check whether the system is up, and to troubleshoot issues after configuration.

Every time you start the Oracle Identity Governance server, the bootstrap report is updated.

Sections in the Bootstrap Report

  • Topology Details

    This section contains information about your deployment. It shows whether you have configured a cluster setup, enabled SSL, or upgraded an Oracle Identity Manager environment from 12c (12.2.1.3.0) to 12c (12.2.1.4.0).

  • System Level Details

    This section contains information about the JDK version, Database version, JAVA_HOME, DOMAIN_HOME, OIM_HOME, and ORACLE_HOME.

  • Connection Details

    This section contains the connection details, such as the Administration URL, OIM Front End URL, SOA URL, and RMI URL.

    It also shows whether the Administration Server, Database, and SOA server are up.

  • Execution Details

    This section lists the various tasks and their statuses.

Installing and Accessing the Oracle Identity Governance Design Console

If you wish to set up only the Oracle Identity Governance Design Console on a machine where the OIG server is not configured, then you must install Oracle Identity Governance 12c (12.2.1.4.0) in standalone mode, and then invoke the Design Console.

To install the Oracle Identity Governance Design Console, do the following:
  1. Start the installation program by running the java executable from the JDK directory.

    Note:

    No prerequisite software is required to install Oracle Identity Governance Design Console.
    For example:
    • (UNIX) /home/Oracle/Java/jdk1.8.0_211/bin/java -jar fmw_12.2.1.4.0_idm.jar

    • (Windows) C:\home\Oracle\Java\jdk1.8.0_211\bin\java -jar fmw_12.2.1.4.0_idm.jar

  2. The installer shows a series of screens where you verify or enter information.

    The following table lists the order in which installer screens appear. If you need additional help with an installation screen, click Help.

    Table 4-6 Install Screens

    Screen Description

    Installation Inventory Setup

    On Linux or UNIX operating systems, this screen opens if this is the first time you are installing any Oracle product on this host. Specify the location where you want to create your central inventory. Make sure that the operating system group name selected on this screen has write permissions to the central inventory location.

    See About the Oracle Central Inventory in Installing Software with the Oracle Universal Installer.

    This screen does not appear on Windows operating systems.

    Welcome

    Review the information to make sure that you have met all the prerequisites, then click Next.

    Auto Updates

    Select to skip automatic updates, select patches, or search for the latest software updates, including important security updates, through your My Oracle Support account.

    Installation Location

    Specify your Oracle home directory location.

    You can click View to verify and ensure that you are installing in the correct Oracle home.

    Note:

    Ensure that the Oracle Home path does not contain spaces.

    Installation Type

    Use the Standalone Installation Type.

    Standalone mode is a type of installation that is managed independently of WebLogic Server. The only component that you can install using standalone mode is the Oracle Identity Governance Design Console.

    Prerequisite Checks

    This screen verifies that your system meets the minimum necessary requirements.

    To view the list of tasks that are verified, select View Successful Tasks. To view log details, select View Log. If any prerequisite check fails, then an error message appears at the bottom of the screen. Fix the error and click Rerun to try again. To ignore the error or the warning message and continue with the installation, click Skip (not recommended).

    Installation Summary

    Use this screen to verify installation options you selected. If you want to save these options to a response file, click Save Response File and enter the response file location and name. The response file collects and stores all the information that you have entered, and enables you to perform a silent installation (from the command line) at a later time.

    Click Install to begin the installation.

    Installation Progress

    This screen shows the installation progress.

    When the progress bar reaches 100% complete, click Finish to dismiss the installer, or click Next to see a summary.

    Installation Complete

    This screen displays the Installation Location and the Feature Sets that are installed. Review this information and click Finish to close the installer.

To access the Oracle Identity Governance Design Console, do the following:
  1. Ensure that the JAVA_HOME environment variable is set to the location of the certified JDK. For example:
    • (UNIX) setenv JAVA_HOME /home/Oracle/Java/jdk1.8.0_211
    • (Windows) set JAVA_HOME=C:\home\Oracle\Java\jdk1.8.0_211
  2. Invoke the Design Console by running the following command from the location ORACLE_HOME\idm\designconsole:
    • (UNIX) sh xlclient.sh
    • (Windows) xlclient.cmd
    Enter the following details when prompted:
    • Server url: Enter the Oracle Identity Governance server URL in the format t3://oim_server_hostname:oimport.

    • User ID: Enter the OIG Administrator user login. For example, xelsysadm.

    • Password: Enter the OIG Administrator user password. For example, xelsysadm_password.

Troubleshooting

This section lists the common issues encountered while configuring Oracle Identity Governance and their workarounds.

Description of the Log Codes

When you encounter any error during the Oracle Identity Governance 12c (12.2.1.4.0) installation, search for the log code in the DOMAIN_HOME/servers/oim_server/logs/oim-diagnostic.log file to diagnose the issue.

The following are log codes and their descriptions for various tasks:
  • IAM-3070001 — Error loading configuration required for Bootstrap

  • IAM-3070002 — Could not connect to DB using CSF Credentials, Please verify credentials seeded in CSF under key

  • IAM-3070003 — Could not connect to WLS using CSF credentials, Please verify credentials seeded in CSF for

  • IAM-3070004 — Validation for CSF Credentials failed. Exiting OIM_CONFIG, Please verify and fix CSF Credentials

  • IAM-3070005 — Validation for CSF Credentials Successful

  • IAM-3070006 — Task Not Found

  • IAM-3070007 — Task failed

  • IAM-3070008 — BootStrap configuration Failed

  • IAM-3070009 — BootStrap configuration Successful

  • IAM-3070010 — Successfully completed
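The following added example (not Oracle code) scans an oim-diagnostic.log file for the log codes listed above and reports a bootstrap verdict. The sample log lines and their logger field are constructed, and the rule that the most recent failure code or IAM-3070009 decides the verdict is an assumption of this example.

```bash
#!/usr/bin/env bash
# Added example: triage IAM-30700NN bootstrap codes in oim-diagnostic.log.

# Constructed sample lines. Only the IAM codes come from the list above;
# the timestamps and the [example.logger] field are placeholders.
sample_oim_log() {
  cat <<'EOF'
[2018-11-28T06:09:50.001-07:00] [oim_server1] [ERROR] [IAM-3070002] [example.logger] constructed
[2018-11-28T06:09:50.002-07:00] [oim_server1] [ERROR] [IAM-3070004] [example.logger] constructed
[2018-11-28T06:09:50.003-07:00] [oim_server1] [ERROR] [IAM-3070008] [example.logger] constructed
[2018-11-28T07:30:10.001-07:00] [oim_server1] [NOTIFICATION] [IAM-3070005] [example.logger] constructed
[2018-11-28T07:30:12.001-07:00] [oim_server1] [NOTIFICATION] [IAM-3070009] [example.logger] constructed
EOF
}

# Usage: oim_bootstrap_triage LOGFILE
# Prints "<count> <code> <description>" for each code seen, then "verdict: ...".
# Exit status: 0 = last verdict is success, 1 = last verdict is a failure,
# 2 = no verdict-bearing code found.
oim_bootstrap_triage() {
  awk '
    BEGIN {
      d[1] = "Error loading configuration required for Bootstrap"
      d[2] = "Could not connect to DB using CSF Credentials"
      d[3] = "Could not connect to WLS using CSF credentials"
      d[4] = "Validation for CSF Credentials failed"
      d[5] = "Validation for CSF Credentials Successful"
      d[6] = "Task Not Found"
      d[7] = "Task failed"
      d[8] = "BootStrap configuration Failed"
      d[9] = "BootStrap configuration Successful"
      d[10] = "Successfully completed"
      verdict = "none"
    }
    {
      rest = $0
      # A line may carry more than one code, so keep matching to the end.
      while (match(rest, /IAM-30700(0[1-9]|10)/)) {
        id = substr(rest, RSTART + 9, 2) + 0      # numeric suffix 1..10
        seen[id]++
        if (id == 9) verdict = "success"          # assumption: a later success supersedes
        else if (id != 5 && id != 10) verdict = "failure"
        rest = substr(rest, RSTART + RLENGTH)
      }
    }
    END {
      for (i = 1; i <= 10; i++)
        if (seen[i]) printf "%d IAM-30700%02d %s\n", seen[i], i, d[i]
      print "verdict: " verdict
      if (verdict == "success") exit 0
      if (verdict == "failure") exit 1
      exit 2
    }
  ' "$1"
}

# Run against a real log when a path is given on the command line.
if [ $# -gt 0 ]; then oim_bootstrap_triage "$1"; fi
```

Because the log is appended to on every server start, a failure verdict is worth checking against the timestamp of the most recent start before acting on it.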

Exception in the Oracle Identity Manager Server Logs After Starting the Servers

After you configure the Oracle Identity Manager domain and start the servers, an "Unable to resolve 'TaskQueryService'" exception appears in the Oracle Identity Manager (OIM) Server logs.

The following exception is displayed in the OIM Server logs:
javax.naming.NameNotFoundException: Unable to resolve 'TaskQueryService'. 
Resolved ''; remaining name 'TaskQueryService' 

This exception can be ignored.

Oracle Identity Manager Bootstrap Fails with Hostname Verification Error

If the Oracle Identity Manager bootstrap fails with the following SSL hostname verification error, use the workaround described in this section:

<Warning> <Security> <BEA-090960> <The servers 
SSL configuration is not available. There will potentially be SSL handshake 
failures.> 
<Nov 28, 2018 9:04:32 AM PDT> <Warning> <Security> <BEA-090924> <JSSE has
been selected by default, since the SSLMBean is not available.> 
<Nov 28, 2018 9:04:32 AM PDT> <Info> <Security> <BEA-090908> <Using the
default WebLogic SSL Hostname Verifier implementation.>
<Nov 28, 2018 9:04:34 AM PDT> <Notice> <Security> <BEA-090169> <Loading
trusted certificates from the kss keystore file kss://system/trust.>
Nov 28, 2018 9:04:34 AM
oracle.security.opss.internal.runtime.ServiceContextManagerImpl getContext 
WARNING: Bootstrap services are used by OPSS internally and clients should 
never need to directly read/write bootstrap credentials. If required, use 
Wlst or configuration management interfaces. 
<Nov 28, 2018 9:04:34 AM PDT> <Notice> <Security> <BEA-090169> <Loading
trusted certificates from the jks keystore file 
/host/jdk1.8.0_171/jre/lib/security/cacerts.> 
<Nov 28, 2018 9:04:34 AM PDT> <Info> <Management> <BEA-141307> <Unable to
connect to the Administration Server. Waiting 5 second(s) to retry (attempt 
number 1 of 3).> 

To resolve this issue, start the Oracle Identity Governance Managed Server using the following command:
  • On Unix:

    ./startManagedWebLogic.sh oim_server_name t3://admin_server_host:port

  • On Windows:

    startManagedWebLogic.cmd oim_server_name t3://admin_server_host:port

In this command, you must specify the non-SSL port for port.

Error When Accessing Pending Approvals Page in a Multinode Setup

In an Oracle Identity Governance multinode setup, the following error is displayed when you access the Pending Approvals page on a remote node:

[oim_server1] [ERROR] [] [oracle.iam] [tid: 
[ACTIVE].ExecuteThread: '0' for queue: 'weblogic.kernel.Default 
(self-tuning)'] [userId: xelsysadm] [ecid: 
cea9a502-afb8-4d3d-85a4-cb61d2878065-0000276e,0] [APP: 
oracle.iam.console.identity.self-service.ear] [partition-name: DOMAIN] 
[tenant-name: GLOBAL] [DSID: 0000LfRXW3_7Y7QLIag8yf1OmuCL000004] Unable to 
retrieve User View 
Listoracle.bpel.services.workflow.client.WorkflowServiceClientException: 
javax.naming.CommunicationException: Failed to initialize JNDI context, tried 
2 time or times totally, the interval of each time is 0ms. [[ 
t3://host.example.com:1234: Destination 10.10.10.1, 1234 
unreachable.; nested exception is: 
        java.net.ConnectException: Connection refused; No available router to 
destination.; nested exception is: 
        java.rmi.ConnectException: No available router to destination. [Root 
exception is java.net.ConnectException: t3://host.example.com:1234: 
Destination 10.10.10.1, 1234 unreachable.; nested exception is: 
        java.net.ConnectException: Connection refused; No available router to 
destination.; nested exception is: 
        java.rmi.ConnectException: No available router to destination.]

To resolve this, you must use the machine name of the second node during the domain creation step, that is, when running the configuration wizard on the first node. After this, you must proceed with the pack and unpack command.

OIM Gridlink Datasources Show Suspended State When 11.2.0.4.0 RAC Database is Used

When you run the Configuration Wizard to configure Oracle Identity Manager gridlink datasources with 11.2.0.4.0 RAC Database, the following warning is displayed:

<Nov 28, 2017 2:45:44,157 AM MDT> <Warning> <JDBC> <BEA-001129> <Received 
exception while creating connection for pool 
"ApplicationDB": Listener refused the connection with the following error: 
ORA-12516, TNS:listener could not find available handler with matching 
protocol stack 

The data source is pushed to a suspended state if the connection fails in the retry after waiting for TEST Frequency. To resolve this, you must manually resume the suspended data sources by doing the following:
  1. Navigate to the data source that you want to resume:
  2. Go to the Control tab.
  3. On the Control page, select the instances of the data source that you want to resume.
    Data source instances are listed by the server on which they are deployed.
  4. Click Resume and then click Yes to confirm the action.
Results are displayed at the top of the page, and the state of the selected data source instances is changed to Running.

Server Consoles are Inaccessible in a Clustered Domain

After you configure the Oracle Identity Governance domain, the Administration Server console and the Managed Server consoles are inaccessible.

To resolve this, either specify the IP address of the machine as the listen address for machines having multiple interfaces, or disable all other interfaces.

If you wish to enter the machine name as the listen address in a clustered or non-clustered domain, disable all other interfaces.

OIM Server Fails to Come up Due to SOA Server not Completely Up

If the Oracle SOA Server (SOA) is not up completely, the Oracle Identity Manager (OIM) Server fails to start.

The following error is displayed when OIM Server fails to start if the SOA Server is not completely up:
 Could not fetch ServerRuntime mbean for 
soa_server1. Server seems to be down! 

To resolve this, restart the OIM Server.

Oracle Identity Manager Server Throws OutOfMemoryError

After you configure Oracle Identity Manager 12c (12.2.1.4.0), when you start the OIM 12c (12.2.1.4.0) Server, OutOfMemoryError is thrown.

The following error is seen in the OIM server logs for this issue:

[oim_server1] [NOTIFICATION] [] 
[oracle.iam.oimdataproviders.impl] [tid: [ACTIVE].ExecuteThread: '9' for 
queue: 'weblogic.kernel.Default (self-tuning)'] [userId: xelsysadm] [ecid: 
5679ce10-f0df-457f-88f1-6bc04e10aa13-000013b1,0] [APP: oim-runtime] 
[partition-name: DOMAIN] [tenant-name: GLOBAL] [DSID: 
0000Lg0PPYTBd5I_Ipt1if1OpGGi00000U] RM_DEBUG_PERF - 2018-11-28 06:09:51.087 - 
search criteria = arg1 = (usr_key) EQUAL arg2 = (1)[[ 
 query = Select usr.usr_key, usr.usr_status  from usr where usr.usr_key = ? 
 time = 1 
]] 
[2018-11-28T06:09:52.286-07:00] [oim_server1] [NOTIFICATION] [] 
[oracle.iam.oimdataproviders.impl] [tid: [ACTIVE].ExecuteThread: '9' for 
queue: 'weblogic.kernel.Default (self-tuning)'] [userId: xelsysadm] [ecid: 
5679ce10-f0df-457f-88f1-6bc04e10aa13-000013b1,0] [APP: oim-runtime] 
[partition-name: DOMAIN] [tenant-name: GLOBAL] [DSID: 
0000Lg0PPYTBd5I_Ipt1if1OpGGi00000U] 
oracle.iam.oimdataproviders.impl.OIMUserDataProvider 
[2018-11-28T06:11:52.171-07:00] [oim_server1] [ERROR] [ADFC-50018] 
[oracle.adfinternal.controller.application.AdfcExceptionHandler] [tid: 
[ACTIVE].ExecuteThread: '27' for queue: 'weblogic.kernel.Default 
(self-tuning)'] [userId: xelsysadm] [ecid: 
5679ce10-f0df-457f-88f1-6bc04e10aa13-000013e0,0] [APP: 
oracle.iam.console.identity.self-service.ear] [partition-name: DOMAIN] 
[tenant-name: GLOBAL] [DSID: 0000Lg0RtM9Bd5I_Ipt1if1OpGGi00000V] ADFc: No 
exception handler was found for an application exception.[[ 
java.lang.OutOfMemoryError: GC overhead limit exceeded ]

To resolve this issue, do the following (on Linux):

  1. Ensure that you set the following parameters in the /etc/security/limits.conf file, to the specified values:
    • FUSION_USER_ACCOUNT soft nofile 32767
    • FUSION_USER_ACCOUNT hard nofile 327679
  2. Ensure that you set UsePAM to Yes in the /etc/ssh/sshd_config file.
  3. Restart sshd.
  4. Log out (or reboot) and log in to the system again.

Before you start the Oracle Identity Manager 12c (12.2.1.4.0) Server, run the following command to increase the limit of open files, so that you do not run into memory issues:

limit maxproc 16384
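
As an added example (not Oracle code), the following function checks a limits.conf-style file for the nofile values given in step 1 and flags missing, wrong, or conflicting entries. It assumes a single file is checked: wildcard and group entries and files under /etc/security/limits.d are not evaluated, and the sample file content is constructed.

```bash
#!/usr/bin/env bash
# Added example: check the nofile entries from step 1 in a limits.conf-style file.

# Constructed sample; FUSION_USER_ACCOUNT is the page's placeholder for the
# operating system account that runs the servers.
sample_limits_conf() {
  cat <<'EOF'
# /etc/security/limits.conf (constructed sample)
*                    soft nofile 1024
FUSION_USER_ACCOUNT  soft nofile 32767   # value from step 1
FUSION_USER_ACCOUNT  hard nofile 327679
EOF
}

# Usage: check_nofile_limits USER FILE
# Prints one line per limit type and returns the number of problems found:
# a missing entry, a value other than the documented one, or duplicate
# lines for USER that disagree with each other.
check_nofile_limits() {
  awk -v user="$1" '
    BEGIN { want["soft"] = "32767"; want["hard"] = "327679" }
    function note(type, value) {
      if ((type in got) && got[type] != value) conflict[type] = 1
      got[type] = value
    }
    { sub(/#.*/, "") }                         # drop comments
    $1 == user && $3 == "nofile" {
      if ($2 == "-") { note("soft", $4); note("hard", $4) }  # "-" sets both types
      else if ($2 in want) note($2, $4)
    }
    END {
      n = split("soft hard", types, " ")
      for (i = 1; i <= n; i++) {
        t = types[i]
        if (!(t in got))            status = "MISSING"
        else if (t in conflict)     status = "CONFLICT"
        else if (got[t] != want[t]) status = "WRONG(" got[t] ")"
        else                        status = "OK"
        if (status != "OK") problems++
        print user, t, "nofile", want[t], status
      }
      exit problems + 0
    }
  ' "$2"
}

# Run against a real file when a user and path are given on the command line.
if [ $# -ge 2 ]; then check_nofile_limits "$1" "$2"; fi
```

The file only takes effect for sessions opened after the change, which is why the steps above end with a fresh login; running ulimit -Sn and ulimit -Hn in that new session shows the values actually applied.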

‘ADFContext leak detected’ Message in the OIM Server Logs

When you start the Oracle Identity Manager (OIM) 12c (12.2.1.4.0) server, the following error is seen in the OIM server logs:

2b8fd3a0-06e3-4de6-be10-801551745664-000000a5,0] [partition-name: DOMAIN]  
[tenant-name: GLOBAL] ADFContext leak detected.[[ 
oracle.adf.share.ADFContext.setAsCurrent(ADFContext.java:1501) 
oracle.adf.mbean.share.AdfMBeanInterceptor.resetADFIfNeeded(AdfMBeanInterceptor.java:140) 

This has no impact on the functionality, and therefore you can ignore this error.

ADF Controller Exception in the SOA Server Logs

After you configure Oracle Identity Governance 12c (12.2.1.4.0), when you start the Oracle SOA Suite (SOA) server, the following exception is shown in the SOA server logs:

oracle.adf.controller.ControllerException: ADFC-12013: Controller state has not been initialized for the current request.

This does not impact the functionality, and therefore it can be ignored.