3 Installing and Configuring the Oracle Access Management Software

Follow the steps in this section to install and configure the Oracle Access Management software.

Installing the Oracle Access Management Software

Follow the steps in this section to install the Oracle Access Management software.

Before beginning the installation, ensure that you have verified the prerequisites and completed all steps covered in Preparing to Install and Configure.

The only supported method of installation for Oracle Access Management 12c (12.2.1.4.0) is the traditional method, where you individually install Oracle Fusion Middleware Infrastructure and then install Oracle Access Management.

Dependent Software for Oracle Access Management:

  • Oracle Fusion Middleware Infrastructure 12c (12.2.1.4.0)

For information about installing Oracle Fusion Middleware Infrastructure 12c (12.2.1.4.0), see Installing the Infrastructure Software in Installing and Configuring the Oracle Fusion Middleware Infrastructure.

For information about supported installation methods, see About Supported Installation Methods.

Verifying the Installation and Configuration Checklist

The installation and configuration process requires specific information.

Table 3-1 lists important items that you must know before, or decide during, Oracle Access Management installation and configuration.

Table 3-1 Installation and Configuration Checklist

Information Example Value Description

JAVA_HOME

/home/Oracle/Java/jdk1.8.0_211

Environment variable that points to the Java JDK home directory.

Database host

examplehost.exampledomain

Name and domain of the host where the database is running.

Database port

1521

Port number that the database listens on. The default Oracle database listen port is 1521.

Database service name

orcl.exampledomain

Oracle databases require a unique service name. The default service name is orcl.

DBA username

SYS

Name of user with database administration privileges. The default DBA user on Oracle databases is SYS.

DBA password

myDBApw957

Password of the user with database administration privileges.

ORACLE_HOME

/home/Oracle/product/ORACLE_HOME

Directory in which you will install your software.

This directory will include Oracle Fusion Middleware Infrastructure and Oracle Access Management, as needed.

WebLogic Server hostname

examplehost.exampledomain

Host name for Oracle WebLogic Server and Oracle Access Management consoles.

Console port

7001

Port for Oracle WebLogic Server and Oracle Access Management consoles.

DOMAIN_HOME

/home/Oracle/config/domains/idm_domain

Location in which your domain data is stored.

APPLICATION_HOME

/home/Oracle/config/applications/idm_domain

Location in which your application data is stored.

Administrator user name for your WebLogic domain

weblogic

Name of the user with Oracle WebLogic Server administration privileges. The default administrator user is weblogic.

Administrator user password

myADMpw902

Password of the user with Oracle WebLogic Server administration privileges.

RCU

ORACLE_HOME/oracle_common/bin

Path to the Repository Creation Utility (RCU).

RCU schema prefix

oam

Prefix for names of database schemas used by Oracle Access Management.

RCU schema password

myRCUpw674

Password for the database schemas used by Oracle Access Management.

Configuration utility

ORACLE_HOME/oracle_common/common/bin

Path to the Configuration Wizard for domain creation and configuration.

Starting the Installation Program

Before running the installation program, verify that the JDK and the prerequisite software are installed.

To start the installation program:

  1. Sign in to the host system.
  2. Change to the directory where you downloaded the installation program.
  3. Ensure that Oracle Fusion Middleware Infrastructure 12c (12.2.1.4.0) is already installed. For instructions, see Installing the Infrastructure Software in Installing and Configuring the Oracle Fusion Middleware Infrastructure.
  4. Start the installation program by running the java executable from the JDK directory. For example:
    • (UNIX) /home/Oracle/Java/jdk1.8.0_211/bin/java -jar fmw_12.2.1.4.0_idm.jar

    • (Windows) C:\home\Oracle\Java\jdk1.8.0_211\bin\java -jar fmw_12.2.1.4.0_idm.jar

Note:

You can also start the installer in silent mode using a saved response file instead of launching the installer screens. For more about silent or command line installation, see Using the Oracle Universal Installer in Silent Mode in Installing Software with the Oracle Universal Installer.

When the installation program appears, you are ready to begin the installation.

Navigating the Installation Screens

The installer shows a series of screens where you verify or enter information.

The following table lists the order in which installer screens appear. If you need additional help with an installation screen, click Help.

Table 3-2 Install Screens

Screen Description

Installation Inventory Setup

On Linux or UNIX operating systems, this screen opens if this is the first time you are installing any Oracle product on this host. Specify the location where you want to create your central inventory. Make sure that the operating system group name selected on this screen has write permissions to the central inventory location.

See About the Oracle Central Inventory in Installing Software with the Oracle Universal Installer.

This screen does not appear on Windows operating systems.

Welcome

Review the information to make sure that you have met all the prerequisites, then click Next.

Auto Updates

Select to skip automatic updates, select patches, or search for the latest software updates, including important security updates, through your My Oracle Support account.

Installation Location

Specify your Oracle home directory location.

This Oracle home must include Oracle Fusion Middleware Infrastructure 12c (12.2.1.4.0).

You can click View to verify and ensure that you are installing in the correct Oracle home.

Note:

Ensure that the Oracle home path does not contain spaces.

Installation Type

Use the Collocated Installation Type.

Collocated mode is a type of installation that is managed through WebLogic Server. To install in collocated mode, you must have installed the required dependent software.

Prerequisite Checks

This screen verifies that your system meets the minimum necessary requirements.

To view the list of tasks that are verified, select View Successful Tasks. To view log details, select View Log. If any prerequisite check fails, an error message appears at the bottom of the screen. Fix the error and click Rerun to try again. To ignore the error or warning message and continue with the installation, click Skip (not recommended).

Installation Summary

Use this screen to verify installation options you selected. If you want to save these options to a response file, click Save Response File and enter the response file location and name. The response file collects and stores all the information that you have entered, and enables you to perform a silent installation (from the command line) at a later time.

Click Install to begin the installation.

Installation Progress

This screen shows the installation progress.

When the progress bar reaches 100% complete, click Finish to dismiss the installer, or click Next to see a summary.

Installation Complete

This screen displays the Installation Location and the Feature Sets that are installed. Review this information and click Finish to close the installer.

Verifying the Installation

After you complete the installation, verify whether it was successful by completing a series of tasks.

Reviewing the Installation Log Files

Review the contents of the installation log files to make sure that the installer did not encounter any problems.

By default, the installer writes log files to the Oracle_Inventory_Location/logs (on UNIX operating systems) or Oracle_Inventory_Location\logs (on Windows operating systems) directory.

For a description of the log files and where to find them, see Installation Log Files in Installing Software with the Oracle Universal Installer.

Checking the Directory Structure

The contents of your installation vary based on the options that you selected during the installation.

See What Are the Key Oracle Fusion Middleware Directories? in Understanding Oracle Fusion Middleware.

Viewing the Contents of the Oracle Home

You can view the contents of the Oracle home directory by using the viewInventory script.

See Viewing the Contents of an Oracle Home in Installing Software with the Oracle Universal Installer.

Configuring the Oracle Access Management Domain

After you have installed Oracle Access Management, you can configure the domain, which you can also extend for high availability.

The configuration steps presented here assume that you have completed the installation steps covered in:

Refer to the following sections to create the database schemas, configure a WebLogic domain, and verify the configuration:

Creating the Database Schemas

Before you can configure a domain, you must install required schemas on a certified database for use with this release of Oracle Fusion Middleware.

Installing and Configuring a Certified Database

Before you create the database schemas, you must install and configure a certified database, and verify that the database is up and running.

Note:

For an Autonomous Transaction Processing database (both Oracle Autonomous Transaction Processing-Dedicated (ATP-D) and Oracle Autonomous Transaction Processing-Shared (ATP-S)), you must modify the wallet settings and set the environment variables as described in Settings to connect to Autonomous Transaction Processing Database, and apply patches on ORACLE HOME as described in Applying Patches on ORACLE HOME.

See About Database Requirements for an Oracle Fusion Middleware Installation.

Starting the Repository Creation Utility

Start the Repository Creation Utility (RCU) after you verify that a certified JDK is installed on your system.

To start the RCU:

  1. Verify that a certified JDK already exists on your system by running java -version from the command line. For 12c (12.2.1.4.0), the certified JDK is 1.8.0_211 and later.
  2. Ensure that the JAVA_HOME environment variable is set to the location of the certified JDK. For example:
    • (UNIX) setenv JAVA_HOME /home/Oracle/Java/jdk1.8.0_211
    • (Windows) set JAVA_HOME=C:\home\Oracle\Java\jdk1.8.0_211
  3. Change to the following directory:
    • (UNIX) ORACLE_HOME/oracle_common/bin
    • (Windows) ORACLE_HOME\oracle_common\bin
  4. Enter the following command:
    • (UNIX) ./rcu
    • (Windows) rcu.bat
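
As an added example (not part of Oracle's documentation or tooling), the following Python script automates the two manual checks this chapter asks for before launching either the installer (Starting the Installation Program) or the RCU: that the JDK is 1.8.0_211 or later and that the Oracle home path contains no spaces. The JAVA_HOME, ORACLE_HOME and jar-name defaults are the chapter's example values, not real installations.

```python
"""Pre-flight checks before launching the OAM installer or the RCU.

Added example, not Oracle's own tooling. It checks the two things this
chapter tells you to verify by hand: that JAVA_HOME points to a certified
JDK (1.8.0_211 or later for 12c 12.2.1.4.0) and that the Oracle home path
contains no spaces. Default paths are the chapter's example values.
"""
import os
import re
import subprocess
import sys

MIN_CERTIFIED_JDK = "1.8.0_211"   # certified JDK stated in the chapter for 12.2.1.4.0

# Matches both 'java version "1.8.0_291"' and 'openjdk version "1.8.0_292"'.
_VERSION_RE = re.compile(r'version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(version_output):
    """Turn the banner printed by `java -version` into a comparable tuple.

    'java version "1.8.0_291"' -> (1, 8, 0, 291). Returns None if no
    version line is present.
    """
    m = _VERSION_RE.search(version_output)
    if not m:
        return None
    major, minor, patch, update = m.groups()
    return (int(major), int(minor), int(patch), int(update or 0))


def is_certified_jdk(version_output, minimum=MIN_CERTIFIED_JDK):
    """True if the JDK is on the same 1.8 line as `minimum` and at least that update."""
    found = parse_java_version(version_output)
    required = parse_java_version('version "%s"' % minimum)
    if found is None:
        return False
    # "1.8.0_211 and later" means later updates of 1.8, not a newer major release.
    return found[:2] == required[:2] and found >= required


def oracle_home_ok(path):
    """The Installation Location note: the Oracle home path must not contain spaces."""
    return " " not in path


def installer_command(java_home, jar="fmw_12.2.1.4.0_idm.jar"):
    """Build the launch command from the chapter: <JAVA_HOME>/bin/java -jar <jar>."""
    return [os.path.join(java_home, "bin", "java"), "-jar", jar]


def preflight(java_home, oracle_home, version_output=None):
    """Run both checks and return a list of problems (empty means OK).

    `version_output` may be injected for offline use; otherwise `java -version`
    is run from JAVA_HOME (the JVM prints its banner on stderr).
    """
    problems = []
    if version_output is None:
        java = os.path.join(java_home, "bin", "java")
        try:
            proc = subprocess.run([java, "-version"], capture_output=True, text=True, check=False)
            version_output = proc.stderr + proc.stdout
        except OSError as exc:
            return ["cannot run %s: %s" % (java, exc)]
    if not is_certified_jdk(version_output):
        banner = version_output.strip().splitlines()[:1]
        problems.append("JDK is not %s or later: %r" % (MIN_CERTIFIED_JDK, banner))
    if not oracle_home_ok(oracle_home):
        problems.append("Oracle home path must not contain spaces: %r" % oracle_home)
    return problems


if __name__ == "__main__":
    # Defaults are the chapter's example values; override with the environment.
    java_home = os.environ.get("JAVA_HOME", "/home/Oracle/Java/jdk1.8.0_211")
    oracle_home = os.environ.get("ORACLE_HOME", "/home/Oracle/product/ORACLE_HOME")
    issues = preflight(java_home, oracle_home)
    for issue in issues:
        print("FAIL:", issue)
    if not issues:
        print("OK, launch with:", " ".join(installer_command(java_home)))
    sys.exit(1 if issues else 0)
```
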

Navigating the Repository Creation Utility Screens to Create Schemas

Enter required information in the RCU screens to create the database schemas.

Introducing the RCU

The Welcome screen is the first screen that appears when you start the RCU.

Click Next.

Selecting a Method of Schema Creation

Use the Create Repository screen to select a method to create and load component schemas into the database.

On the Create Repository screen:
  • If you have the necessary permissions and privileges to perform DBA activities on your database, select System Load and Product Load. This procedure assumes that you have SYSDBA privileges.

  • If you do not have the necessary permissions or privileges to perform DBA activities in the database, you must select Prepare Scripts for System Load on this screen. This option generates a SQL script that you can give to your database administrator. See About System Load and Product Load in Creating Schemas with the Repository Creation Utility.

  • If the DBA has already run the SQL script for System Load, select Perform Product Load.

    Note:

    For an Autonomous Transaction Processing database (both Oracle Autonomous Transaction Processing-Dedicated (ATP-D) and Oracle Autonomous Transaction Processing-Shared (ATP-S)), you must create the schemas as a Normal user; although you do not have full SYS or SYSDBA privileges on the database, you must still select System Load and Product Load.

Providing Database Connection Details

On the Database Connection Details screen, provide the database connection details for the RCU to connect to your database.

Note:

If you are unsure of the database service name, you can obtain it from the SERVICE_NAMES parameter in the initialization parameter file of the database. If the initialization parameter file does not contain the SERVICE_NAMES parameter, then the service name is the same as the global database name, which is specified in the DB_NAME and DB_DOMAIN parameters.

For an Oracle Autonomous Transaction Processing-Shared (ATP-S) database, use the database service name, <databasename>_tpurgent or <databasename>_tp, specified in tnsnames.ora. For service name details, see Database Service Names for Autonomous Transaction Processing and Autonomous JSON Database in Using Oracle Autonomous Database on Shared Exadata Infrastructure.

To create schemas on an Autonomous Transaction Processing database (both Oracle Autonomous Transaction Processing-Dedicated (ATP-D) and Oracle Autonomous Transaction Processing-Shared (ATP-S)), you can specify the connection credentials using only the Connection String option. In this screen, a warning message is displayed. You can ignore the warning and continue with the schema creation. For more information, see SYS DBA Privileges Warning After Applying Patches.

To provide the database connection details:

  1. On the Database Connection Details screen, provide the database connection details.

    For example:

    • Database Type: Oracle Database
    • Connection String Format: Connection Parameters or Connection String
    • Connection String: examplehost.exampledomain.com:1521:Orcl.exampledomain.com
    • Host Name: examplehost.exampledomain.com
    • Port: 1521
    • Service Name: Orcl.exampledomain.com
    • User Name: sys
    • Password: ******
    • Role: SYSDBA

    For an Autonomous Transaction Processing database (both Oracle Autonomous Transaction Processing-Dedicated (ATP-D) and Oracle Autonomous Transaction Processing-Shared (ATP-S)), enter connect string in the following format:

    jdbc:oracle:thin:@TNS_alias?TNS_ADMIN=<path of the wallet files, ojdbc.properties, and tnsnames.ora>

    In the connect string, you must pass TNS_alias as the database name found in tnsnames.ora, and TNS_ADMIN property to the location of the wallet files, ojdbc.properties, and tnsnames.ora.

    Note:

    For an Oracle Autonomous Transaction Processing-Shared (ATP-S) database, you must use only one of the database service names, <databasename>_tpurgent or <databasename>_tp, specified in tnsnames.ora. For database service name details, see Database Service Names for Autonomous Transaction Processing and Autonomous JSON Database in Using Oracle Autonomous Database on Shared Exadata Infrastructure.

    Example connect string for Oracle Autonomous Transaction Processing-Dedicated (ATP-D) database:

    jdbc:oracle:thin:@dbname_medium?TNS_ADMIN=/users/test/wallet_dbname/

    Example connect string for Oracle Autonomous Transaction Processing-Shared (ATP-S) database:

    jdbc:oracle:thin:@dbname_tp?TNS_ADMIN=/users/test/wallet_dbname/

  2. Click Next to proceed, then click OK in the dialog window that confirms a successful database connection.

Specifying a Custom Prefix and Selecting Schemas

Select Create new prefix, specify a custom prefix, then expand IDM Schemas and select the Oracle Access Manager schema. This action automatically selects the following schemas as dependencies:

  • Common Infrastructure Services (STB)

  • Oracle Platform Security Services (OPSS)

  • Audit Services (IAU)

  • Audit Services Append (IAU_Append)

  • Audit Services Viewer (IAU_Viewer)

  • Metadata Services (MDS)

  • WebLogic Services (WLS)

The schema Common Infrastructure Services (STB) is automatically created. This schema is dimmed; you cannot select or deselect it. This schema enables you to retrieve information from RCU during domain configuration. For more information, see "Understanding the Service Table Schema" in Creating Schemas with the Repository Creation Utility.

The custom prefix is used to logically group these schemas together for use in this domain only; you must create a unique set of schemas for each domain. Schema sharing across domains is not supported.

Tip:

For more information about custom prefixes, see "Understanding Custom Prefixes" in Creating Schemas with the Repository Creation Utility.

For more information about how to organize your schemas in a multi-domain environment, see "Planning Your Schema Creation" in Creating Schemas with the Repository Creation Utility.

Tip:

You must make a note of the custom prefix you choose to enter here; you will need this later on during the domain creation process.

Click Next to proceed, then click OK on the dialog window confirming that prerequisite checking for schema creation was successful.

Specifying Schema Passwords

On the Schema Passwords screen, specify how you want to set the schema passwords on your database, then enter and confirm your passwords.

Note:

For an Autonomous Transaction Processing database (both Oracle Autonomous Transaction Processing-Dedicated (ATP-D) and Oracle Autonomous Transaction Processing-Shared (ATP-S)), the schema password must be at least 12 characters long and must contain at least one uppercase letter, one lowercase letter, and one number.

You must make a note of the passwords you set on this screen; you will need them later on during the domain creation process.

Click Next.

Completing Schema Creation

Navigate through the remaining RCU screens to complete schema creation.

On the Map Tablespaces screen, the Encrypt Tablespace check box appears only if Transparent Data Encryption (TDE) was enabled in the database (Oracle or Oracle EBR) when you started the RCU.

To complete schema creation:
  1. On the Map Tablespaces screen, select Encrypt Tablespace if you want to encrypt all new tablespaces that the RCU creates.

    For an Oracle Autonomous Transaction Processing-Shared (ATP-S) database, in the Map Tablespaces screen you must override the default tablespaces and the temporary tablespaces, and also override the additional tablespaces, if applicable. See Map Tablespaces.

  2. In the Completion Summary screen, click Close to dismiss the RCU.

    If you encounter any issues when you create schemas on an Autonomous Transaction Processing database (both Oracle Autonomous Transaction Processing-Dedicated (ATP-D) and Oracle Autonomous Transaction Processing-Shared (ATP-S)), see Troubleshooting Tips for Schema Creation on an Autonomous Transaction Processing Database in Creating Schemas with the Repository Creation Utility and Issues Related to Product Installation and Configuration on an Autonomous Database in Release Notes for Oracle Fusion Middleware Infrastructure.

Configuring the Domain

Use the Configuration Wizard to create and configure a domain.

For information on other methods to create domains, see Additional Tools for Creating, Extending, and Managing WebLogic Domains in Creating WebLogic Domains Using the Configuration Wizard.

Starting the Configuration Wizard

Start the Configuration Wizard to begin configuring a domain.

To start the Configuration Wizard:

  1. Change to the following directory:

    (UNIX) ORACLE_HOME/oracle_common/common/bin

    (Windows) ORACLE_HOME\oracle_common\common\bin

    where ORACLE_HOME is your 12c (12.2.1.4.0) Oracle home.

  2. Enter the following command:

    (UNIX) ./config.sh

    (Windows) config.cmd

Navigating the Configuration Wizard Screens to Create and Configure the Domain

Enter required information in the Configuration Wizard screens to create and configure the domain for the topology.

Note:

You can use this procedure to extend an existing domain. If your needs do not match the instructions in the procedure, be sure to make your selections accordingly, or see the supporting documentation for more details.

Selecting the Domain Type and Domain Home Location

Use the Configuration Type screen to select a Domain home directory location, preferably outside the Oracle home directory.

Oracle recommends that you locate your Domain home in accordance with the directory structure in What Are the Key Oracle Fusion Middleware Directories? in Understanding Oracle Fusion Middleware, where the Domain home is located outside the Oracle home directory. This directory structure helps avoid issues when you need to upgrade or reinstall software.

To specify the Domain type and Domain home directory:

  1. On the Configuration Type screen, select Create a new domain.
  2. In the Domain Location field, specify your Domain home directory.

For more details about this screen, see Configuration Type in Creating WebLogic Domains Using the Configuration Wizard.

Selecting the Configuration Templates for Oracle Access Management

On the Templates screen, make sure Create Domain Using Product Templates is selected, then select the template Oracle Access Management Suite.

Selecting this template automatically selects the following as dependencies:

  • Oracle Enterprise Manager

  • Oracle JRF

  • WebLogic Coherence Cluster Extension

Note:

The basic WebLogic domain is pre-selected.

More information about the options on this screen can be found in Templates in Creating WebLogic Domains Using the Configuration Wizard.

Selecting the Application Home Location

Use the Application Location screen to select the location to store applications associated with your domain, also known as the Application home directory.

Oracle recommends that you locate your Application home in accordance with the directory structure in What Are the Key Oracle Fusion Middleware Directories? in Understanding Oracle Fusion Middleware, where the Application home is located outside the Oracle home directory. This directory structure helps avoid issues when you need to upgrade or re-install your software.

For more about the Application home directory, see About the Application Home Directory.

For more information about this screen, see Application Location in Creating WebLogic Domains Using the Configuration Wizard.

Configuring the Administrator Account

Use the Administrator Account screen to specify the user name and password for the default WebLogic Administrator account for the domain.

Oracle recommends that you make a note of the user name and password that you enter on this screen; you need these credentials later to boot and connect to the domain's Administration Server.

For more information about this screen, see Administrator Account in Creating WebLogic Domains Using the Configuration Wizard.

Specifying the Domain Mode and JDK

Use the Domain Mode and JDK screen to specify the domain mode and Java Development Kit (JDK).

On the Domain Mode and JDK screen:

  • Select Production in the Domain Mode field.

  • Select the Oracle HotSpot JDK in the JDK field.

For more information about this screen, see Domain Mode and JDK in Creating WebLogic Domains Using the Configuration Wizard.

Specifying the Database Configuration Type

Use the Database Configuration type screen to specify details about the database and database schema.

On the Database Configuration type screen, select RCU Data. This option instructs the Configuration Wizard to connect to the database and Service Table (STB) schema to automatically retrieve schema information for schemas needed to configure the domain.

Note:

If you select Manual Configuration on this screen, you must manually fill in parameters for your schema on the next screen.

For an Autonomous Transaction Processing database (both Oracle Autonomous Transaction Processing-Dedicated (ATP-D) and Oracle Autonomous Transaction Processing-Shared (ATP-S)), you must select only the RCU Data option.

After selecting RCU Data, specify details in the following fields:

Field Description

DBMS/Service

Enter the database DBMS name, or service name if you selected a service type driver.

Example: orcl.exampledomain.com

Host Name

Enter the name of the server hosting the database.

Example: examplehost.exampledomain.com

Port

Enter the port number on which the database listens.

Example: 1521

Schema Owner

Schema Password

Enter the username and password for connecting to the database's Service Table schema. This is the schema username and password entered for the Service Table component on the Schema Passwords screen in the RCU (see Specifying Schema Passwords).

The default username is prefix_STB, where prefix is the custom prefix that you defined in the RCU.

For an Autonomous Transaction Processing database (both Oracle Autonomous Transaction Processing-Dedicated (ATP-D) and Oracle Autonomous Transaction Processing-Shared (ATP-S)), specify the connection credentials using only the Connection URL String option, and enter the connect string in the following format:

jdbc:oracle:thin:@TNS_alias?TNS_ADMIN=<path of the wallet files, ojdbc.properties, and tnsnames.ora>

In the connect string, you must pass TNS_alias as the database name found in tnsnames.ora, and TNS_ADMIN property to the location of the wallet files, ojdbc.properties, and tnsnames.ora.

Example connect string for Oracle Autonomous Transaction Processing-Dedicated (ATP-D) database:

jdbc:oracle:thin:@dbname_medium?TNS_ADMIN=/users/test/wallet_dbname/

Example connect string for Oracle Autonomous Transaction Processing-Shared (ATP-S) database:

jdbc:oracle:thin:@dbname_tp?TNS_ADMIN=/users/test/wallet_dbname/

Click Get RCU Configuration when you finish specifying the database connection information. The following output in the Connection Result Log indicates that the operation succeeded:

Connecting to the database server...OK
Retrieving schema data from database server...OK
Binding local schema components with retrieved data...OK

Successfully Done.

For more information about the schema installed when the RCU is run, see About the Service Table Schema in Creating Schemas with the Repository Creation Utility.

See Database Configuration Type in Creating WebLogic Domains Using the Configuration Wizard.

Specifying JDBC Component Schema Information

Use the JDBC Component Schema screen to verify or specify details about the database schemas.

Verify that the values populated on the JDBC Component Schema screen are correct for all schemas. If you selected RCU Data on the previous screen, the schema table should already be populated appropriately. If you selected Manual configuration on the Database Configuration screen, you must configure the schemas listed in the table manually, before you proceed.

For an Autonomous Transaction Processing database (both Oracle Autonomous Transaction Processing-Dedicated (ATP-D) and Oracle Autonomous Transaction Processing-Shared (ATP-S)), specify the connection credentials using only the Connection URL String option, and enter the connect string in the following format:

jdbc:oracle:thin:@TNS_alias?TNS_ADMIN=<path of the wallet files, ojdbc.properties, and tnsnames.ora>

In the connect string, you must pass TNS_alias as the database service name found in tnsnames.ora, and TNS_ADMIN property to the location of the wallet files, ojdbc.properties, and tnsnames.ora.

Example connect string for Oracle Autonomous Transaction Processing-Dedicated (ATP-D) database:

jdbc:oracle:thin:@dbname_medium?TNS_ADMIN=/users/test/wallet_dbname/

Example connect string for Oracle Autonomous Transaction Processing-Shared (ATP-S) database:

jdbc:oracle:thin:@dbname_tp?TNS_ADMIN=/users/test/wallet_dbname/
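
The following Python checks are an added example, not Oracle's tooling. They validate an ATP connect string of the form shown above before it is entered on the RCU Database Connection Details screen or on the Configuration Wizard's Database Configuration Type and JDBC Component Schema screens, and they apply the ATP schema password rule from Specifying Schema Passwords. The tnsnames.ora text and wallet directory listing are constructed sample input; cwallet.sso is assumed as the wallet file name, since the chapter only says "wallet files".

```python
"""Checks for the ATP connect string jdbc:oracle:thin:@<TNS_alias>?TNS_ADMIN=<dir>
used by the RCU and the Configuration Wizard, plus the ATP schema password rule.

Added example, not Oracle's own tooling. Alias and path values are the chapter's
examples (dbname_tp, dbname_medium, /users/test/wallet_dbname/); the tnsnames.ora
text and directory listing are constructed sample input so the checks run offline.
"""
import os
import re

CONNECT_PREFIX = "jdbc:oracle:thin:@"
# The chapter says TNS_ADMIN must hold tnsnames.ora, ojdbc.properties and the
# wallet files. cwallet.sso (auto-login wallet) is assumed as the wallet file name.
REQUIRED_TNS_ADMIN_FILES = ("tnsnames.ora", "ojdbc.properties", "cwallet.sso")
ATP_SHARED_SUFFIXES = ("_tp", "_tpurgent")   # the only service names allowed for ATP-S


def build_atp_connect_string(tns_alias, tns_admin):
    """jdbc:oracle:thin:@<TNS_alias>?TNS_ADMIN=<wallet dir>, as the chapter shows."""
    return "%s%s?TNS_ADMIN=%s" % (CONNECT_PREFIX, tns_alias, tns_admin)


def parse_atp_connect_string(connect_string):
    """Split a connect string into (tns_alias, tns_admin); None if malformed."""
    m = re.fullmatch(r"jdbc:oracle:thin:@([^?/\s]+)\?TNS_ADMIN=(\S+)", connect_string)
    return (m.group(1), m.group(2)) if m else None


def tnsnames_aliases(tnsnames_text):
    """Alias names defined in a tnsnames.ora file (lower-cased).

    An entry starts at column 0 as 'alias = (description=...)'; indented
    continuation lines and '#' comments are skipped.
    """
    aliases = set()
    for line in tnsnames_text.splitlines():
        m = re.match(r"([A-Za-z0-9_.\-]+)\s*=", line)
        if m:
            aliases.add(m.group(1).lower())
    return aliases


def check_atp_connect_string(connect_string, tnsnames_text=None, tns_admin_files=None, shared=False):
    """Return a list of problems with an ATP connect string (empty means OK).

    tnsnames_text / tns_admin_files can be supplied for offline checking;
    otherwise they are read from the TNS_ADMIN directory named in the string.
    shared=True applies the ATP-S rule that only <db>_tp or <db>_tpurgent may be used.
    """
    parsed = parse_atp_connect_string(connect_string)
    if parsed is None:
        return ["connect string is not of the form %s<TNS_alias>?TNS_ADMIN=<dir>" % CONNECT_PREFIX]
    alias, tns_admin = parsed
    problems = []
    if tns_admin_files is None:
        tns_admin_files = os.listdir(tns_admin) if os.path.isdir(tns_admin) else []
    missing = [f for f in REQUIRED_TNS_ADMIN_FILES if f not in tns_admin_files]
    if missing:
        problems.append("TNS_ADMIN %s is missing %s" % (tns_admin, ", ".join(missing)))
    if tnsnames_text is None:
        path = os.path.join(tns_admin, "tnsnames.ora")
        tnsnames_text = open(path).read() if os.path.exists(path) else ""
    if alias.lower() not in tnsnames_aliases(tnsnames_text):
        problems.append("TNS alias %s is not defined in tnsnames.ora" % alias)
    if shared and not alias.lower().endswith(ATP_SHARED_SUFFIXES):
        problems.append("ATP-S requires a <databasename>_tp or <databasename>_tpurgent service, got %s" % alias)
    return problems


def atp_schema_password_ok(password):
    """ATP schema password rule from the chapter: 12+ chars, an upper, a lower, a digit."""
    return (len(password) >= 12
            and any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password))


# Constructed sample input: a trimmed ATP-style tnsnames.ora and a wallet directory listing.
SAMPLE_TNSNAMES = """\
# constructed sample, not a real wallet
dbname_tp = (description=(retry_count=20)(address=(protocol=tcps)(port=1522)(host=example.invalid))(connect_data=(service_name=dbname_tp.example.invalid)))
dbname_tpurgent = (description=(retry_count=20)(address=(protocol=tcps)(port=1522)(host=example.invalid))(connect_data=(service_name=dbname_tpurgent.example.invalid)))
dbname_medium = (description=(retry_count=20)(address=(protocol=tcps)(port=1522)(host=example.invalid))(connect_data=(service_name=dbname_medium.example.invalid)))
"""
SAMPLE_WALLET_FILES = ["tnsnames.ora", "ojdbc.properties", "cwallet.sso", "ewallet.p12", "sqlnet.ora"]

if __name__ == "__main__":
    for alias, shared in (("dbname_tp", True), ("dbname_medium", True), ("dbname_medium", False)):
        cs = build_atp_connect_string(alias, "/users/test/wallet_dbname/")
        result = check_atp_connect_string(cs, SAMPLE_TNSNAMES, SAMPLE_WALLET_FILES, shared)
        print("ATP-S" if shared else "ATP-D", cs, "->", result or "OK")
```
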

For high availability environments, see the following sections in High Availability Guide for additional information on configuring data sources for Oracle RAC databases:

See JDBC Component Schema in Creating WebLogic Domains Using the Configuration Wizard for more details about this screen.

Testing the JDBC Connections

Use the JDBC Component Schema Test screen to test the data source connections.

A green check mark in the Status column indicates a successful test. If you encounter any issues, see the error message in the Connection Result Log section of the screen, fix the problem, then try to test the connection again.

By default, the schema password for each schema component is the password you specified when you created the schemas. If you want different passwords for different schema components, edit them manually on the previous screen (JDBC Component Schema) by entering the password you want in the Schema Password column of each row. After specifying the passwords, select the check box for each schema whose password you changed and test the connection again.

For more information about this screen, see JDBC Component Schema Test in Creating WebLogic Domains Using the Configuration Wizard.

Selecting Advanced Configuration

Use the Advanced Configuration screen to complete the domain configuration.

On the Advanced Configuration screen, select:

  • Administration Server

    Required to properly configure the listen address of the Administration Server.

  • Node Manager

    Required to configure Node Manager.

  • Topology

    Required to configure the Oracle Access Management Managed Server.

Optionally, select other available options as required for your desired installation environment. The steps in this guide describe a standard installation topology, but you may choose to follow a different path. If your installation requirements extend to additional options outside the scope of this guide, you may be presented with additional screens to configure those options. For information about all Configuration Wizard screens, see Configuration Wizard Screens in Creating WebLogic Domains Using the Configuration Wizard.

Configuring the Administration Server Listen Address

Use the Administration Server screen to select the IP address of the host.

Select the drop-down list next to Listen Address and select the IP address of the host where the Administration Server will reside, or use the system name or DNS name that maps to a single IP address. Do not use All Local Addresses.

Do not specify any server groups for the Administration Server.

Configuring Node Manager

Use the Node Manager screen to select the type of Node Manager you want to configure, along with the Node Manager credentials.

Select Per Domain Default Location as the Node Manager type, then specify Node Manager credentials.

For more information about this screen, see Node Manager in Creating WebLogic Domains Using the Configuration Wizard.

For more about Node Manager types, see Node Manager Overview in Administering Node Manager for Oracle WebLogic Server.

Configuring Managed Servers for Oracle Access Management

On the Managed Servers screen, the new Managed Servers named oam_server1 and oam_policy_mgr1 are displayed:

  1. In the Listen Address drop-down list, select the IP address of the host on which the Managed Server will reside or use the system name or DNS name that maps to a single IP address. Do not use "All Local Addresses."
  2. In the Server Groups drop-down list, select the server group for your managed server. By default, OAM-MGD-SVRS is selected for oam_server1 and OAM-POLICY-MANAGED-SERVER is selected for oam_policy_mgr1.

    Server groups target Fusion Middleware applications and services to one or more servers by mapping defined application service groups to each defined server group. A given application service group may be mapped to multiple server groups if needed. Any application services that are mapped to a given server group are automatically targeted to all servers that are assigned to that group. For more information, see "Application Service Groups, Server Groups, and Application Service Mappings" in Domain Template Reference.

  3. Configuring a second Managed Server is one of the steps needed to configure the standard topology for high availability. If you are not creating a highly available environment, then this step is optional.
    Click Clone and repeat this process to create a second Managed Server named oam_policy_mgr2.

    Note:

    If you wish to configure additional Managed Servers, use the Clone option and add the Managed Server. For example, if we want to configure oam_server2, click Clone and select oam_server1 to clone this server. Do not use the add option to add a new Managed Server.

    For more information about the high availability standard topology, see "Understanding the Fusion Middleware Standard HA Topology" in High Availability Guide.

    For more information about the next steps to prepare for high availability after your domain is configured, see Preparing Your Environment for High Availability.

These server names will be referenced throughout this document; if you choose different names, be sure to replace them as needed.

Tip:

More information about the options on this screen can be found in Managed Servers in Creating WebLogic Domains Using the Configuration Wizard.

Configuring a Cluster for Oracle Access Management

Use the Clusters screen to create a new cluster.

Note:

If you are configuring a non-clustered setup on a single node, skip this screen.

On the Clusters screen:

  1. Click Add.
  2. Specify oam_cluster_1 in the Cluster Name field for oam_server. For oam_policy_mgr server, you must create another cluster, for example, oam_policy_cluster.
  3. In the Cluster Address field, specify the IP address or host name and the port of each server in the cluster, separated by commas. For example:
    ip_address_machine1:portnumber,ip_address_machine2:portnumber

By default, server instances in a cluster communicate with one another using unicast. If you want to change your cluster communications to use multicast, see Considerations for Choosing Unicast or Multicast in Administering Clusters for Oracle WebLogic Server.

You can also create clusters using Fusion Middleware Control. In this case, you can configure cluster communication (unicast or multicast) when you create the new cluster. See Create and configure clusters in Oracle WebLogic Server Administration Console Online Help.

For more information about this screen, see Clusters in Creating WebLogic Domains Using the Configuration Wizard.

Defining Server Templates

If you are creating dynamic clusters for a high availability setup, use the Server Templates screen to define one or more server templates for the domain.

To continue configuring the domain, click Next.

For steps to create a dynamic cluster for a high availability setup, see Using Dynamic Clusters in High Availability Guide.

Configuring Dynamic Servers

You can skip this screen for Oracle Access Management configuration.

Click Next and proceed.

Assigning Oracle Access Management Managed Servers to the Cluster

If you are configuring a non-clustered setup, click Next and go to the next screen. Use the Assign Servers to Clusters screen to assign Managed Servers to a new configured cluster. A configured cluster is a cluster you configure manually. You do not use this screen if you are configuring a dynamic cluster, that is, a cluster that contains one or more generated server instances based on a server template.

For more on configured cluster and dynamic cluster terms, see About Dynamic Clusters in Understanding Oracle WebLogic Server.

On the Assign Servers to Clusters screen:

  1. In the Clusters pane, select the cluster to which you want to assign the Managed Servers; in this case, oam_cluster_1.
  2. In the Servers pane, assign oam_server_1 to oam_cluster_1 by doing one of the following:
    • Click once on oam_server_1 to select it, then click the right arrow to move it beneath the selected cluster (oam_cluster_1) in the Clusters pane.

    • Double-click on oam_server_1 to move it beneath the selected cluster (oam_cluster_1) in the Clusters pane.

  3. Repeat to assign oam_policy_mgr to oam_policy_cluster.

For more information about this screen, see Assign Servers to Clusters in Creating WebLogic Domains Using the Configuration Wizard.

Configuring Coherence Clusters

Use the Coherence Clusters screen to configure the Coherence cluster.

Leave the default port number as the Coherence cluster listen port. After configuration, the Coherence cluster is automatically added to the domain.

Note:

Setting the unicast listen port to 0 creates an offset for the Managed Server port numbers. The offset is 5000, meaning the maximum allowed value that you can assign to a Managed Server port number is 60535, instead of 65535.

See Table 5-2 for more information and next steps for configuring Coherence.

For Coherence licensing information, see Oracle Coherence Products in Licensing Information.

Creating a New Oracle Access Management Machine

Use the Machines screen to create new machines in the domain. A machine is required so that Node Manager can start and stop servers.

If you plan to create a high availability environment and know the list of machines your target topology requires, you can follow the instructions in this section to create all the machines at this time. For more about scale out steps, see Optional Scale Out Procedure in High Availability Guide.

To create a new Oracle Access Management machine so that Node Manager can start and stop servers:
  1. Select the Machine tab (for Windows) or the UNIX Machine tab (for UNIX), then click Add to create a new machine.
  2. In the Name field, specify a machine name, such as oam_machine_1.
  3. In the Node Manager Listen Address field, select the IP address of the machine in which the Managed Servers are being configured.

    You must select a specific interface and not localhost. This allows Coherence cluster addresses to be dynamically calculated.

  4. Verify the port in the Node Manager Listen Port field.
  5. Repeat these steps to add more machines, if required.

Note:

If you are extending an existing domain, you can assign servers to any existing machine. It is not necessary to create a new machine unless your situation requires it.

For more information about this screen, see Machines in Creating WebLogic Domains Using the Configuration Wizard.

Assigning Servers to Oracle Access Management Machines

Use the Assign Servers to Machines screen to assign the Administration Server and Managed Servers to the new machine you just created.

On the Assign Servers to Machines screen:

  1. In the Machines pane, select the machine to which you want to assign the servers; in this case, oam_machine_1.
  2. In the Servers pane, assign AdminServer to oam_machine_1 by doing one of the following:
    • Click once on AdminServer to select it, then click the right arrow to move it beneath the selected machine (oam_machine_1) in the Machines pane.

    • Double-click on AdminServer to move it beneath the selected machine (oam_machine_1) in the Machines pane.

  3. Repeat these steps to assign all Managed Servers to their respective machines.

For more information about this screen, see Assign Servers to Machines in Creating WebLogic Domains Using the Configuration Wizard.

Virtual Targets

You can skip this screen for Oracle Access Management configuration.

Click Next and proceed.

Partitions

The Partitions screen is used to configure partitions for virtual targets in WebLogic Server Multitenant (MT) environments. Select Next without selecting any options.

For details about options on this screen, see Partitions in Creating WebLogic Domains Using the Configuration Wizard.

Note:

WebLogic Server Multitenant domain partitions are deprecated in WebLogic Server 12.2.1.4.0 and will be removed in the next release.

Configuring Domain Frontend Host

The Domain Frontend Host screen can be used to configure the frontend host for the domain.

Select Plain or SSL and specify the respective host value.

Click Next.

Targeting the Deployments

The Deployments Targeting screen can be used to target the available deployments to the servers.

Make the required modifications, and click Next.

Targeting the Services

The Services Targeting screen can be used to target the available services to the Servers.

Make the necessary modifications, and click Next.

Reviewing Your Configuration Specifications and Configuring the Domain

The Configuration Summary screen shows detailed configuration information for the domain you are about to create.

Review each item on the screen and verify that the information is correct. To make any changes, go back to a screen by clicking the Back button or selecting the screen in the navigation pane. Domain creation does not start until you click Create.

For more details about options on this screen, see Configuration Summary in Creating WebLogic Domains Using the Configuration Wizard.

Writing Down Your Domain Home and Administration Server URL

The End of Configuration screen shows information about the domain you just configured.

Make a note of the following items because you need them later:

  • Domain Location

  • Administration Server URL

You need the domain location to access scripts that start Node Manager and Administration Server, and you need the URL to access the Administration Server.

Click Finish to dismiss the Configuration Wizard.

Updating the System Properties for SSL Enabled Servers

For SSL-enabled servers, you must set the required properties in the setDomainEnv file in the domain home.

Set the following properties in the DOMAIN_HOME/bin/setDomainEnv.sh (for UNIX) or DOMAIN_HOME\bin\setDomainEnv.cmd (for Windows) file before you start the servers:
  • -Dweblogic.security.SSL.ignoreHostnameVerification=true

  • -Dweblogic.security.TrustKeyStore=DemoTrust

Starting the Servers

After a successful configuration, start all processes and servers, including the Administration Server and any Managed Servers.

The components may be dependent on each other, so they must be started in the correct order.

Note:

The procedures in this section describe how to start servers and processes using the WLST command line or a script. You can also use Oracle Fusion Middleware Control and the Oracle WebLogic Server Administration Console. See Starting and Stopping Administration and Managed Servers and Node Manager in Administering Oracle Fusion Middleware.

To start your Fusion Middleware environment, follow the steps below.

Step 1: Start Node Manager

To start Node Manager, use the startNodeManager script:

  • (UNIX) EXISTING_DOMAIN_HOME/bin/startNodeManager.sh

  • (Windows) EXISTING_DOMAIN_HOME\bin\startNodeManager.cmd

Step 2: Start the Administration Server

When you start the Administration Server, you also start the processes running in the Administration Server, including the WebLogic Server Administration Console and Fusion Middleware Control.

To start the Administration Server, use the startWebLogic script:

  • (UNIX) EXISTING_DOMAIN_HOME/bin/startWebLogic.sh

  • (Windows) EXISTING_DOMAIN_HOME\bin\startWebLogic.cmd

When you created the domain, if you selected Production Mode on the Domain Mode and JDK screen, a prompt for the Administrator user login credentials is displayed. Provide the same credentials that you provided on the Administrator Account screen.

Note:

For an Autonomous Transaction Processing database (both Oracle Autonomous Transaction Processing-Dedicated (ATP-D) and Oracle Autonomous Transaction Processing-Shared (ATP-S)), a benign error message may be displayed in the Administration Server logs.

Example message:

<AdminServer> <[ACTIVE] ExecuteThread: '63' for queue: 'weblogic.kernel.Default (self-tuning)'> <weblogic> <> 
<16023522-e47f-40f4-a66f-7ea3729188d1-00000064> <1628079696204> 
<[severity-value: 8] [rid: 0] [partition-id: 0] [partition-name: DOMAIN] > 
<BEA-240003> <Administration Console encountered the following error: 
java.lang.NoSuchMethodError: 
org.glassfish.jersey.internal.LocalizationMessages.WARNING_PROPERTIES()Ljava/lang/String; at
org.glassfish.jersey.internal.config.SystemPropertiesConfigurationModel.getProperties(SystemPropertiesConfigurationModel.java:122) at
org.glassfish.jersey.internal.config.SystemPropertiesConfigurationProvider.getProperties(SystemPropertiesConfigurationProvider.java:29) at
org.glassfish.jersey.internal.config.ExternalPropertiesConfigurationFactory.readExternalPropertiesMap(ExternalPropertiesConfigurationFactory.java:55) at
org.glassfish.jersey.internal.config.ExternalPropertiesConfigurationFactory.configure(ExternalPropertiesConfigurationFactory.java:72) at
org.glassfish.jersey.internal.config.ExternalPropertiesConfigurationFeature.configure(ExternalPropertiesConfigurationFeature.java:26) at
org.glassfish.jersey.model.internal.CommonConfig.configureFeatures(CommonConfig.java:730)

This error message does not have any functional impact and can be ignored.

Step 3: Start the Managed Servers

  • If Node Manager is not configured, start the Managed Servers using the following instructions:

    To start a WebLogic Server Managed Server, use the startManagedWebLogic script:

    • (UNIX) EXISTING_DOMAIN_HOME/bin/startManagedWebLogic.sh managed_server_name admin_url

    • (Windows) EXISTING_DOMAIN_HOME\bin\startManagedWebLogic.cmd managed_server_name admin_url

    When prompted, enter your user name and password. This is the same user name and password that you provided on the Administrator Account screen when creating the domain.

    Note:

    The startup of a Managed Server will typically start the applications that are deployed to it. Therefore, it should not be necessary to manually start applications after the Managed Server startup.
  • If Node Manager is configured, start the Managed Servers using the following instructions:
    1. Launch the Administration Console:
      1. Using a web browser, open the following URL:
        http://hostname:port/console
        Where:
        • hostname is the administration server host.
        • port is the administration server port on which the host server is listening for requests (7001 by default)
      2. When the login page appears, enter the user name and password you used to start the Administration Server.
    2. Start Managed Servers from the Administration Console. For instructions, see Start Managed Servers from the Administration Console.

Verifying the Configuration

After completing all configuration steps, you can perform additional steps to verify that your domain is properly configured.

You can start using the functionality of Oracle Access Management after you successfully configure it. See Getting Started with Oracle Access Management in Administering Oracle Access Management.

For information about integrating Oracle Access Management with other Identity Management components, see Introduction to IdM Suite Components Integration in Integration Guide for Oracle Identity Management Suite.

For more information about performing additional domain configuration tasks, see Performing Additional Domain Configuration Tasks.

Setting the Memory Parameters for OAM Domain (Optional)

If the initial startup parameter of the Oracle Access Management domain that defines memory usage is insufficient, you can increase the value of this parameter.

To change the memory allocation setting, do the following:
  1. Edit the Domain_home/bin/setUserOverrides.sh file to add the following line:
    MEM_ARGS="-Xms1024m -Xmx3072m"
  2. Save and close the file.
  3. Update the Java maximum memory allocation pool (Xmx) to 3072m and the initial memory allocation pool (Xms) to 1024m. For example, change the following line to be:
    WLS_MEM_ARGS_64BIT="-Xms1024m -Xmx3072m"
  4. Save and close the file.
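The MEM_ARGS edit from step 1 as an added example (not Oracle's code): the function below rewrites an existing MEM_ARGS= line in setUserOverrides.sh content or appends one, after checking that Xms does not exceed Xmx, since the JVM refuses to start with an initial heap larger than the maximum heap. File contents are passed in as a string; the sample script is constructed.

```python
"""Set MEM_ARGS in setUserOverrides.sh content, validating the heap sizes.

Added example, not from the page or from Oracle. The script is handled as a
string so it can be tested without a real domain home.
"""
import re

_SIZE = re.compile(r"^(\d+)([kKmMgG])$")
_UNITS = {"k": 1 << 10, "m": 1 << 20, "g": 1 << 30}


def heap_bytes(size: str) -> int:
    """Convert a JVM heap size such as 1024m or 3g into bytes."""
    m = _SIZE.match(size)
    if not m:
        raise ValueError(f"bad JVM heap size: {size!r}")
    return int(m.group(1)) * _UNITS[m.group(2).lower()]


def upsert_mem_args(script: str, xms: str, xmx: str) -> str:
    """Return `script` with MEM_ARGS set to -Xms<xms> -Xmx<xmx>.

    An existing MEM_ARGS= line is replaced in place, so running this twice
    does not leave two definitions; otherwise the line is appended.
    """
    if heap_bytes(xms) > heap_bytes(xmx):
        raise ValueError(f"-Xms{xms} is larger than -Xmx{xmx}")
    new_line = f'MEM_ARGS="-Xms{xms} -Xmx{xmx}"'
    lines = script.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("MEM_ARGS="):
            lines[i] = new_line
            break
    else:
        lines.append(new_line)
    return "\n".join(lines) + "\n"


# Constructed sample setUserOverrides.sh content (not a real domain file).
SAMPLE_OVERRIDES = '#!/bin/sh\n# constructed sample\nMEM_ARGS="-Xms512m -Xmx1024m"\n'

if __name__ == "__main__":
    print(upsert_mem_args(SAMPLE_OVERRIDES, "1024m", "3072m"), end="")
```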

Updating the java.security File (Optional)

If you wish to integrate Oracle Access Management 12c (12.2.1.4.0) with Oracle Adaptive Access Manager (OAAM) 11g Release 2 (11.1.2.3.0), you must make the following changes to the java.security file after the upgrade:

To do this:
  1. Open the java.security file located at JAVA_HOME/jre/lib/security/ in an editor.
  2. Remove TLSv1, TLSv1.1, MD5withRSA from the following key:
    key - jdk.tls.disabledAlgorithms
  3. Remove MD5 from the following key:
    key - jdk.certpath.disabledAlgorithms
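The two java.security edits above, as an added example (not Oracle's code): the functions below parse the file's `key=value` lines, including the backslash line continuations the JDK uses for these long lists, and drop exactly the entries named, matching whole entries so that removing MD5 from jdk.certpath.disabledAlgorithms does not also strip MD5withRSA, and removing TLSv1 does not strip TLSv1.1. The sample file content is constructed in the shape of a JDK 8 java.security file.

```python
"""Remove named entries from disabled-algorithm lists in a java.security file.

Added example, not from the page or from Oracle. Assumes the standard Java
properties layout: one `key=value` per logical line, `#` comments, and
backslash line continuations.
"""
from typing import Dict, List

# Constructed sample content; not copied from a real JDK.
SAMPLE_JAVA_SECURITY = """\
# constructed sample java.security fragment
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \\
    RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \\
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
"""

# The entries the page says to remove, keyed by the property they live under.
OAAM_REMOVALS: Dict[str, List[str]] = {
    "jdk.tls.disabledAlgorithms": ["TLSv1", "TLSv1.1", "MD5withRSA"],
    "jdk.certpath.disabledAlgorithms": ["MD5"],
}


def _logical_lines(text: str) -> List[str]:
    """Join backslash-continued physical lines into logical lines."""
    logical, buf = [], ""
    for raw in text.splitlines():
        piece = raw.lstrip() if buf else raw   # continuation lines lose indent
        if piece.rstrip().endswith("\\"):
            buf += piece.rstrip()[:-1]
            continue
        logical.append(buf + piece)
        buf = ""
    if buf:
        logical.append(buf)
    return logical


def get_disabled(text: str, key: str) -> List[str]:
    """Return the comma-separated entries of one disabled-algorithms property."""
    for line in _logical_lines(text):
        name, sep, value = line.partition("=")
        if sep and not line.lstrip().startswith("#") and name.strip() == key:
            return [e.strip() for e in value.split(",") if e.strip()]
    return []


def remove_disabled(text: str, removals: Dict[str, List[str]]) -> str:
    """Return `text` with the given entries removed from each named key.

    Matching is on whole entries only. Edited properties are written back as
    a single logical line; other lines are left as they were.
    """
    out = []
    for line in _logical_lines(text):
        name, sep, value = line.partition("=")
        if sep and not line.lstrip().startswith("#") and name.strip() in removals:
            drop = set(removals[name.strip()])
            kept = [e.strip() for e in value.split(",") if e.strip() and e.strip() not in drop]
            line = f"{name.strip()}={', '.join(kept)}"
        out.append(line)
    return "\n".join(out) + "\n"
```

To apply it to a real installation, read JAVA_HOME/jre/lib/security/java.security, pass its contents through remove_disabled with OAAM_REMOVALS, and write the result back; compare get_disabled before and after to confirm only the three TLS entries and the one certpath entry changed.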

Troubleshooting

This section lists the common issues encountered while configuring Oracle Access Management and their workarounds.

WADL Generation Does not Show Description

Issue

WADL generation fails and a java.lang.IllegalStateException: ServiceLocatorImpl is returned:

Exception thrown when provider 
class org.glassfish.jersey.server.internal.monitoring.MonitoringFeature$StatisticsListener 
was processing MonitoringStatistics. Removing provider from further processing.
java.lang.IllegalStateException: ServiceLocatorImpl(__HK2_Generated_6,9,221656053) has been shut down 
at org.jvnet.hk2.internal.ServiceLocatorImpl.checkState(ServiceLocatorImpl.java:2393)

Also, when the WADL generation fails, the description field shows Root Resource, instead of a proper description, at the following URLs.

http://<Host>:<AdminServerPort>/oam/services/rest/11.1.2.0.0/ssa/policyadmin/application.wadl
http://<Host>:<ManagedServerPort>/iam/access/api/v1/health/application.wadl

Resolution

Restart the Administration Server and the Managed Servers to resolve the WADL issue.

MDS ReadOnlyStoreException in OAM Policy Manager Diagnostic log

After you configure Oracle Access Management (OAM) 12c (12.2.1.4.0), when you start the servers, the following exception is seen in the Administration Server and OAM Policy Manager diagnostic logs:

oracle.mds.exception.ReadOnlyStoreException: MDS-01273: 
The operation on the  resource /oracle/oam/ui/adfm/DataBindings.cpx 
failed because source metadata  store mapped to the namespace / DEFAULT 
is read only.

This exception does not impact the Administration Console functionality and hence can be safely ignored.

Ignorable Warnings in the Administration Server Logs

After you configure Oracle Access Management 12c (12.2.1.4.0), when you start the Administration Server, the following warnings are seen in the Administration Server logs:

<Warning> <oracle.adfinternal.view.faces.renderkit.rich.NavigationPaneRenderer> 
<adc2140146> <AdminServer> <[ACTIVE] ExecuteThread: '42' for queue: 
'weblogic.kernel.Default (self-tuning)'> <weblogic> <> <b6ba191d-9c3f-44ce-ad9d-64bd7123baf5-000000e3> 
<1502889425767> <[severity-value: 16] [rid: 0] [partition-id: 0] [partition-name: DOMAIN] > 
<BEA-000000> <Warning: There are no items to render for this level> 
####<Aug 16, 2017 6:17:06,241 AM PDT> <Warning> <org.apache.myfaces.trinidad.component.UIXFacesBeanImpl>

This has no impact on the functionality, and therefore you can ignore it.

After installing Oracle Access Management, go to Chapter 5: Next Steps After Configuring the Domain.