Home / Middleware / Oracle Fusion Middleware Online Documentation Library, 11g Release 1 (11.1.1.1) / Administration Guides
Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management
ContentsOpens a new window
Opens a new window
Page 18 of 25

13 Extending the Domain with Oracle Identity Manager

This chapter describes how to install and configure Oracle Identity Manager 11.1.1 for use in the Oracle Identity Management Enterprise Deployment Topology.

This chapter contains the following topics:

Oracle Identity Manager is a user provisioning and administration solution that automates the process of adding, updating, and deleting user accounts from applications and directories. It also improves regulatory compliance by providing granular reports that attest to who has access to what. Oracle Identity Manager is available as a stand-alone product or as part of Oracle Identity and Access Management Suite.

Automating user identity provisioning can reduce Information Technology (IT) administration costs and improve security. Provisioning also plays an important role in regulatory compliance. Key features of Oracle Identity Manager include password management, workflow and policy management, identity reconciliation, reporting and auditing, and extensibility through adapters.

Oracle Identity Manager provides the following key functionalities:

For details about Oracle Identity Manager, see the Oracle Fusion Middleware System Administrator's Guide for Oracle Identity Manager.Opens a new window

13.1 Prerequisites

Before extending the domain with Oracle Identity Manager, ensure that the following tasks have been performed:

  1. Install and upgrade the following software on IDMHOST1, IDMHOST2, OIMHOST1 and OIMHOST2:

  2. Configure the Oracle Internet Directory instances, as described inSection 7.1Opens a new window and Section 7.2Opens a new window.

  3. Extend the domain with Oracle Virtual Directory as described inChapter 8Opens a new window.

  4. Create the Oracle Internet Directory adapter using ODSM, as described in Section 9.5Opens a new window.

Note:

Oracle SOA deployed along with Oracle Identity Manager is used exclusively for Oracle Identity Manager work flow. It cannot be used for other purposes.

13.2 Extending the Domain to Configure Oracle Identity Manager and Oracle SOA Suite on IDMHOST1

Although OIM will be deployed on servers dedicated to it (OIMHOST1 and OIMHOST2), the WebLogic domain must first be extended with OIM on IDMHOST1. Configure Oracle Identity Manager on IDMHOST1 as follows.

To extend the domain on IDMHOST1, stop the WebLogic Administration Server and all the managed servers running in the domain. Then start the configuration wizard by executing the command:

MW_HOME/oracle_common/common/bin/config.sh

Proceed as follows

  1. On the Welcome screen, select Extend an existing WebLogic Domain.

    Click Next.

  2. On the Select WebLogic Domain Directory screen, select the location of the domain directory for the OIM domain. For Example: /u01/app/oracle/admin/IDMDomain/aserver/IDMDomain.

    Click Next.

  3. On the Select Extension Source screen, select Extend my domain automatically to support the following added products. From the list below, select: Oracle Identity Manager.

    Note:

    Oracle SOA Suite and Oracle WSM Policy Manager are selected automatically.

    Select Next.

  4. The Configure RAC Multi Data Sources screen displays the schedulerDS Data Source configured for Oracle Directory Integration Platform and Oracle Directory Services manager (ODSM). Do not make any selections or changes on this screen.

    Click Next.

  5. On the Configure JDBC Component Schemas screen, select all the data sources listed on the page:

    • SOA Infrastructure

    • User Messaging Service

    • OIM MDS Schema

    • OWSM MDS Schema

    • SOA MDS Schema

    • OIM Schema

    Select Configure selected component schemas as RAC multi data source schemas in the next panel.

    Click Next.

  6. On the Configure JDBC Data Source Component Schemas page, select all except the OAM Infrastructure Multi Data Source Schemas listed and then enter the following information:

    Service Name: oimedg.us.oracle.com

    For the First RAC Node:

    • HostName: oimdb1.us.oracle.com

    • Instance Name: oimedg1

    • Port: 1521

    For the second RAC Node (click Add to add an additional row):

    • HostName: oimdb2.us.oracle.com

    • Instance Name: oimedg2

    • Port: 1521

    Select each schema individually to enter the user name and password. For example:

    Schema Name Schema Owner Password
    SOA Infrastructure EDG_SOAINFRA password
    User Messaging Service EDG_ORASDPM password
    OIM MDS Schema EDG_MDS password
    OWSM MDS Schema EDG_MDS password
    SOA MDS Schema EDG_MDS password
    OIM Infrastructure EDG_OIM password

    Click Next.

    Note:

    Do not select the OAM Infrastructure Multi Data Source Schema on this screen.

  7. On the Test Component Schema screen, the Configuration Wizard attempts to validate the data sources. If the data source validation succeeds, click Next. If it fails, click Previous, correct the problem, and try again.

    Click Next.

  8. On the Select Optional Configuration screen, Select:

    • JMS Distributed Destination

    • Managed Servers, Clusters and Machines

    Click Next.

  9. On the JMS Distributed Destination screen, make sure that all the JMS system resources listed on the screen are uniform distributed destinations. If they are not, select UDD form the drop down box. Make sure that the entries look like this:

    JMS System Resource Uniform/Weighted Distributed Destination
    UMSJMSSystemResource UDD
    SOAJMSModule UDD
    OIMJMSModule UDD

    Click Next.

    An Override Warning box with the following message is displayed:

    CFGFWK-40915: At least one JMS system resource has been selected for conversion to a Uniform Distributed Destination (UDD). This  conversion will take place only if the JMS System resource is assigned to a cluster

    Click OK on the Override Warning box.

  10. When you first enter the Configure Managed Servers screen, the configuration wizard will have created a default managed server for you. Change the details of the default managed server. In addition, create a new entry by clicking Add. That is, there should be two entries for each OIMHOST in the topology.

    For the Oracle Identity Management Managed Servers:

    • Name: WLS_OIMn where n is a sequential number

    • Listen Address: The DNS name of the server that will host the managed server

    • Listen Port: 14000

    For the SOA Managed Servers:

    • Name: WLS_SOAn where n is a sequential number

    • Listen Address: The DNS name of the server that will host the managed server

    • Listen Port: 8001

    Click Next.

    Note:

    Do not change the configuration of any managed servers that have already been configured as part of previous application deployments.

  11. On the Configure Clusters screen, create two clusters, by clicking Add. Supply the following information:

    OIM Cluster:

    • Name: cluster_oim

    • Cluster Messaging Mode: unicast

    SOA Cluster:·

    • Name: cluster_soa

    • Cluster Messaging Mode: unicast

    Leave all other fields at the default settings and click Next.

    Note:

    Do not make any changes to the cluster_oam and the cluster_soa entries.

  12. On the Assign Servers to Clusters screen, associate the managed servers with the cluster. Click the cluster name in the right pane. Click the managed server under Servers, then click the arrow to assign it to the cluster.

    The cluster_oim will have the managed servers WLS_OIM1 and WLS_OIM2 as members.

    The cluster_soa will have the managed servers WLS_SOA1 and WLS_SOA2 as members.

    Click Next.

    Note:

    Do not make any changes to the cluster_oam and the cluster_soa entries.

  13. On the Configure Machines screen, create a machine for each host in the topology. Click the tab UNIX if your hosts use Linux or a UNIX-based operating system. Otherwise, click Machines. Supply the following information:

    • Name: Name of the host. Best practice is to use the DNS name. For example: oimhost1.mycompany.com and oimhost2.mycompany.com for the first and second nodes respectively.

    • Node Manager Listen Address: DNS name of the machine. For example: oimhost1.mycompany.com and oimhost2.mycompany.com for the first and second nodes respectively.

    • Node Manager Port: Port for Node Manager

    Click Next.

  14. On the Assign Servers to Machines screen, indicate which managed servers will run on each of the machines you created.

    Click a machine in the right pane.

    Click the managed servers you want to run on that machine in the left pane.

    Click the arrow to assign the managed servers to the machines.

    Repeat until all managed servers are assigned to machines.

    For example:

    • OIMHOST1: WLS_OIM1 and WLS_SOA1

    • OIMHOST2: WLS_OIM2 and WLS_SOA2

    Click Next to continue.

  15. On the Configuration Summary screen, click Extend to extend the domain.

13.3 Configuring Oracle Identity Manager on IDMHOST1

After you have extended the domain, configure the Oracle Identity Manager and SOA Managed Servers before starting them.

13.3.1 Prerequisites for Configuring Oracle Identity Manager

Before configuring Oracle Identity Manager, ensure that the following tasks have been performed:

  1. Configure Oracle Internet Directory using the LDAP configuration pre-setup script, as described in Section 13.3.1.1Opens a new window.

  2. Create the Adapters in Oracle Virtual Directory, as described in Section 13.3.1.2Opens a new window

13.3.1.1 Configuring Oracle Internet Directory using the LDAP Configuration Pre-setup Script

The Oracle Identity Manager LDAP configuration pre-setup script adds the users, group and schemas required by OIM in OID. The LDAP configuration pre-setup script is located under the IAM_ORACLE_HOME/server/ldap_config_util directory. To run the script, follow these steps:

  1. Edit the ldapconfig.props file located under the IAM_ORACLE_HOME/server/ldap_config_util directory and provide the following values:

    Parameter Value
    OIMProviderURL t3://oimhost1.us.oracle.com:14000, t3://oimhost2.us.oracle.com:14000
    OIDURL oid.mycompany.com
    OIDAdminUsername cn=orcladmin
    OIDSearchBase dc=mycompany,dc=com
    UserContainerName cn=OIMUsers
    RoleContainerName cn=OIMRoles
    ReservationContainerName ReservationContainerName

    Note:

    • The OIMProviderURL is not used by the LDAP configuration pre-setup script. It is only used by the LDAP configuration post-setup script.

    • The OIDURL above refers to the OID URL. Do not substitute the OVD URL.

  2. Save the file.

  3. Set the JAVA_HOME and the WL_HOME.

    JAVA_HOME=ORACLE_BASE/product/fmw//jdk160_18
WL_HOME=ORACLE_BASE/product/fmw/wlserver_10.3

    Note:

    The JAVA_HOME must be set to the SUN JDK.

  4. Run LDAPConfigPreSetup.sh. The script prompts for the Oracle Internet Directory administrator password and the Oracle Identity Manager administrator password. For example:

    Prompt> ./LDAPConfigPreSetup.sh
[Enter OID admin password:]
[Enter OIM admin password:]

    Note:

    The OIM Admin Password provided here is for the oimadmin user that is created in OID and used for LDAP sync operations.

    The Output will be similar to this:

    ./LDAPConfigPreSetup.sh 
[Enter OID admin password:]
[Enter OIM admin password:]
Jun 21, 2010 6:16:18 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING:  ./oimadminuser.ldif
Jun 21, 2010 6:16:20 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING:  ./oimcontainers.ldif
Jun 21, 2010 6:16:20 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING:  ../../oam/server/oim-intg/schema/OID_oblix_schema_add.ldif
Jun 21, 2010 6:16:48 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING:  ../../oam/server/oim-intg/schema/OID_oblix_schema_index_add.ldif


Jun 21, 2010 6:26:03 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING:  ../../oam/server/oim-intg/schema/OID_oblix_pwd_schema_add.ldif
Jun 21, 2010 6:26:04 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING:  ../../oam/server/oim-intg/schema/OID_oim_pwd_schema_add.ldif

  5. Validate that the script completed successfully.

13.3.1.2 Creating Adapters in Oracle Virtual Directory

OIM used OVD to connect to external LDAP stores. You must create a user adapter and a change log adapter in OVD to enable OIM to connect to the external LDAP store like OID. Follow these steps to create the adapters.

User Adapter

Create the user adapter on the OVD instances running on OVDHOST1 and OVDHOST2 individually. Follow these steps to create the User Adapter in Oracle Virtual Directory using Oracle Directory Services Manager.

  1. Open a browser and bring up the ODSM console at http://admin.mycompany.com/odsm.

  2. Create connections to each of the OVD instances running on OVDHOST1 and OVDHOST2, if they do not already exist

  3. Connect to each OVD instance by using the appropriate connection entry.

  4. On the Home page, click the Adapter tab.

  5. Create a new adapter using the New Adapter Wizard, with the following parameters:

    Screen Field Value/Step
    Type Adapter Type LDAP
      Adapter Name OIM User Adapter
      Adapter Template User_OID
    Connection Use DNS Setting No
      Host oid.mycompany.com
      Port 389
      Server Proxy Bind DN cn=oimadmin,cn=users,cn=oim,cn=products,cn=oraclecontext
      Proxy Password oimadmin password. This is same as the password provided in Section 13.3.1.1Opens a new window.
    Connection Test   Validate that the test succeeds.
    Namespace Remote Base dc=mycompany,dc=com
      Mapped Namespace dc=mycompany,dc=com
    Summary   Verify that the summary is correct and then click Finish.

  6. Edit the User Adapter to match the values shown in the following table.

    Parameter value
    directoryType oid
    pwdMaxFailure 10
    oamEnabled True

    To edit the user adapter follow these steps:

    1. Select the OIM User Adapter.

    2. Click the Plug-ins Tab.

    3. Click the Plug-in, then click Edit in the plug-ins table. The plug-in editing window appears.

    4. In the Parameters table, update the parameter values if needed.

    5. Click OK.

    6. Click Apply.

Change Log Adapter

Create the change log adapter on the OVD instances running on OVDHOST1 and OVDHOST2 individually. Follow these steps to create the Change Log Adapter in OVD using Oracle Directory Services Manager.

  1. Open a browser and bring up the ODSM console at http://admin.mycompany.com/odsm.

  2. Create connections to each of the OVD instances running on OVDHOST1 and OVDHOST2, if they do not already exist.

  3. Connect to an OVD instance by using the appropriate connection entry.

  4. On the Home page, click on the Adapter tab.

  5. Create a new adapter using the New Adapter Wizard, with the following parameters:

    Screen Field Value/Step
    Type Adapter Type LDAP
      Adapter Name OIM Change Log Adapter
      Adapter Template Changelog_OID
    Connection Use DNS Setting No
      Host oid.mycompany.com
      Port 389
      Server Proxy Bind DN cn=oimadmin,cn=users,cn=oim,cn=products,cn=oraclecontext
      Proxy Password oimadmin password. This is same as the password provided in Section 13.3.1.1Opens a new window.
    Connection Test   Validate that the test succeeds.
    Naming Space Remote Base cn=changelog
    Mapped Namespace   cn=changelog
    Summary   Verify that the summary is correct, then click Finish.

  6. Edit the Change Log Adapter to match the values shown in the following table.

    Parameter Value
    directoryType oid
    mapAttribute targetGUID=orclGUID
    mapObjectclass changelog=changelogentry
    requiredAttribute orclGUID
    addAttribute orclContainerOC,changelogSupported=1
    modifierDNFilter cn=oimadmin,cn=users,cn=OIM,cn=Products,cn=OracleContext
    sizeLimit 1000
    targetDNFilter dc=mycompany,dc=com

    Search based from which reconciliation needs to happen. This value must be the same as the LDAP SearchDN that is specified during OIM installation.
    mapUserState True
    oamEnabled True or false depending on whether OAM integration with OIM is enabled or not.

    To edit the change adapter follow these steps.

    1. Select the OIM Change Log Adapter.

    2. Click the Plug-ins tab.

    3. In the Deployed Plus-ins table, click the changelog plug-in, then click "Edit in the plug-ins table. The plug-in editing window appears.

    4. In the Parameters table, update the parameter values.

    5. Click OK.

    6. Click Apply.

Stopping and Starting Oracle Internet Directory and Oracle Virtual Directory

Stop and Start:

  • The OVD instances running on both OVDHOST1 and OVDHOST2.

  • The OID instances running on both OIDHOST1 and OIDHOST2.

as described in Section 18.1, "Starting and Stopping Oracle Identity Management Components."Opens a new window

13.3.2 Running the Oracle Identity Management Configuration Wizard

You must configure the OIM server instances before you can start the OIM and SOA Managed Servers. The Oracle Identity Management Configuration Wizard loads the OIM metadata into the database and configures the instance.

Make sure that following env variables are not set in the current shell: DOMAIN_HOME, WL_HOME.

Start the Web Logic Administration Server, then follow these steps on IDMHOST1.

The Oracle Identity Management Configuration Wizard is located under the Identity Management Oracle Home. Type:

MW_HOME/iam/bin/config.sh

Proceed as follows:

  1. On the Welcome screen, click Next

  2. On the Components to Configure screen, Select OIM Server and OIM Remote Manager.

    Click Next.

  3. On the Database screen, provide the following values:

    • Connect String: The connect string for the OIM database. For example:

      oimdb1-vip.mycompany.com:1521:oimedg1 oimdb2-vip.mycompany.com:1521:oimedg2@oimedg.mycompany.com

    • OIM Schema User Name: edg_oim

    • OIM Schema password: password

    • MDS Schema User Name: edg_mds

    • MDS Schema Password: password

    Select Next.

  4. On the WebLogic Administration Server screen, provide the following details for the WebLogic Admin Server:

    • URL: The URL to connect to the WebLogic Administration Server. For example: t3://adminvhn.mycompany.com:7001

    • UserName: weblogic

    • Password: Password for the weblogic user

    Click Next.

  5. On the OIM Server screen, provide the following values:

    • OIM Administrator Password: Password for the OIM Administrator. This is the password for the xelsysadm user.

    • Confirm Password: Confirm the password·

    • OIM HTTP URL: Proxy URL for the OIM Server. This is the URL for the Hardware load balancer that is front ending the OHS servers for OIM. For example: https://sso.mycompany.com:443.

    • Key Store Password: Key store password. The password must have an uppercase letter and a number. For example: MyPassword1

    Click Next.

  6. On the LDAP Sync and OAM screen, select Configure BI Publisher and provide the BI Publisher URL: http://bipublisher.mycompany.com/bipublisher.

    Select Enable LDAP Sync

    Notes:

    • Do not select Enable Identity Administration Integration with OAM. This will be configured later.

    • BI Publisher is not a part of the IDMDomain. The steps to configure the BI Publisher are not covered in this Enterprise Deployment Guide.

    Click Next.

  7. On the LDAP Server screen, provide the following LDAP server details:

    • LDAP URL : The URL to access the LDAP server. For example: ldap://ovd.mycompany.com:389

    • LDAP User : The username to connect to the LDAP Server. For example: cn=orcladmin·

    • LDAP Password: The password to connect to the LDAP server.

    • LDAP SearchDN: The Search DN. For example: dc=mycompany,dc=com.

    Click Next.

  8. On the LDAP Server Continued screen, provide the following LDAP server details:

    • LDAP Role Container: The DN for the Role Container. This is the container where the OIM roles are stored. For example: cn=oimroles,dc=mycompany,dc=com ·

    • LDAP User Container: The DN for the User Container. This is the container where the OIM users are stored. For example: cn=oimusers,dc= mycompany,dc=com·

    • User Reservation Container: The DN for the User Reservation Container. For example: cn=oimreserved, dc=mycompany,dc=com.

    Note:

    These container values should be the same as those used in LDAPConfigPreSetup.sh.

    Click Next.

  9. On the Remote Manager screen, provider the following values:

    • Service Name: EDG_RManager

    • RMI Registry Port: 12345

    • Listen Port (SSL): 12346

  10. On the Configuration Summary screen, verify the summary information.

    Click Configure to configure the Oracle Identity Manager instance

  11. On the Configuration Progress screen, once the configuration completes successfully, click Next.

  12. On the Configuration Complete screen, view the details of the Oracle Identity Manager Instance configured.

    Click Finish to exit the Configuration Assistant.

13.4 Propagating the Oracle Identity Manager and SOA Managed Servers to OIMHOST1 and OIMHOST2

Once the configuration has succeeded on IDMHOST1, you can propagate the configuration to OIMHOST1 and OIMHOST2. You do this by packing the domain on IDMHOST1 and unpacking it on OIMHOST1 and OIMHOST2.

Follow these steps to propagate the domain to IDMHOST1.

  1. Invoke the pack utility from MW_HOME/oracle_common/common/bin/.

    pack.sh -domain=ORACLE_BASE/admin/IDMDomain/aserver/IDMDomain -template =/u01/app/oracle/admin/templates/oim_domain.jar -template_name="OIM Domain" -managed=true

  2. This creates a file called oim_domain.jar in the /u01/app/oracle/admin/templates directory. Copy this file to OIMHOST1 and OIMHOST2.

  3. On OIMHOST1, invoke the utility unpack, which is also located in the directory MW_HOME/oracle_common/common/bin/.

    ./unpack.sh -domain=/u01/app/oracle/admin/IDMDomain/mserver/IDMDomain -template=/u01/app/oracle/product/fmw/templates/oim_domain.jar -overwrite_domain=true -app_dir=/u01/app/oracle/admin/IDMDomain/mserver/applications

  4. On OIMHOST2, invoke the utility unpack, which is also located in the directory MW_HOME/oracle_common/common/bin/.

    unpack.sh -domain=ORACLE_BASE/admin/IDMDomain/aserver/IDMDomain -template=/tmp/oim_domain.jar -template_name="OIM Domain"

13.5 Post-Installation Steps on OIMHOST1 and OIMHOST2

Perform the following post-installation steps.

13.5.1 Updating the Coherence Configuration for the SOA Managed Server

Follow these steps to update the Coherence Coniguration for the WLS_SOA Server.

  1. Log into the Oracle WebLogic Server Administration Console.

  2. In the Domain Structure window, expand the Environment node.

  3. Click Servers. The Summary of Servers page appears.

  4. Click the name of the server in the Name column of the table. The settings page for the selected server appears.

  5. Click the Server Start tab.

  6. Enter text into the Arguments field for WLS_SOA1 and WLS_SOA2 .

    For WLS_SOA1, enter the following text on a single line, without a carriage return:

    -Dtangosol.coherence.wka1=oimhost1vhn1 -Dtangosol.coherence.wka2=oimhost2vhn1 -Dtangosol.coherence.localhost=oimhost1vhn1

    For WLS_SOA2, enter the following text on a single line, without a carriage return:

    -Dtangosol.coherence.wka1=oimhost1vhn1 -Dtangosol.coherence.wka2=oimhost2vhn1 -Dtangosol.coherence.localhost=oimhost2vhn1

    Note:

    The Coherence cluster used for deployment uses port 8088 by default. You can change this port by specifying a different port (for example, 8089) with the -Dtangosol.coherence.wkan.port and -Dtangosol.coherence.localport startup parameters. For example:

    For WLS_SOA1 (on a single line):

    -Dtangosol.coherence.wka1=oimhost1vhn1 -Dtangosol.coherence.wka2=oimhost2vhn1 -Dtangosol.coherence.localhost=oimhost1vhn1 -Dtangosol.coherence.localport=8089 -Dtangosol.coherence.wka1.port=8089 -Dtangosol.coherence.wka2.port=8089

    For WLS_SOA2 (on a single line):

    -Dtangosol.coherence.wka1=oimhost1vhn1 -Dtangosol.coherence.wka2=oimhost2vhn1 -Dtangosol.coherence.localhost=oimhost2vhn1 -Dtangosol.coherence.localport=8089 -Dtangosol.coherence.wka1.port=8089 -Dtangosol.coherence.wka2.port=8089

  7. Click Save and activate the changes.

  8. Restart the Oracle SOA Suite servers.

Note:

The multicast and unicast addresses are different from the ones used by the WebLogic Server cluster for cluster communication. SOA guarantees that composites are deployed to members of a single WebLogic Server cluster even though the communication protocol for the two entities (the WebLogic Server cluster and the groups to which composites are deployed) are different.

Do not copy the text from this section to your Administration Console's arguments text field. Doing so can cause HTML tags to be inserted in the Java arguments. The text should not include any text or characters other than the ones shown.

13.5.2 Starting the WLS_OIM1 and WLS_SOA1 Managed Servers on OIMHOST1

Follow this sequence of steps to start the WLS_OIM1 Managed Server on OIMHOST1:

  1. Stop the WebLogic Administration Server on OIMHOST1 by using the WebLogic Administration Console as described in Section 18.1, "Starting and Stopping Oracle Identity Management Components."Opens a new window

  2. Start the Administration Server on OIMHOST1 using the node manager, as described in Section 18.1, "Starting and Stopping Oracle Identity Management Components."Opens a new window

  3. Validate that the Administration Server started up successfully by bringing up the Oracle WebLogic Administration Console.

  4. Start NodeManager on OIMHOST1.

  5. Start the WLS_SOA1 managed server, using the WebLogic Administration Console as described in Section 18.1, "Starting and Stopping Oracle Identity Management Components."Opens a new window

  6. Start the WLS_OIM1 managed server using the WebLogic Administration Console. The WLS_OIM1 managed server must be started only after starting the WLS_SOA1 managed server.

13.5.3 Validating Oracle Identity Manager Instance on OIMHOST1

Validate the Oracle Identity Manager Server Instance by bringing up the OIM Console in a web browser at: http://oimhost1.mycompany.com:8001/oim/self.

Log in using the xelsysadm username and password.

Note:

When you log in for the first time, you will prompted to setup Challenge Questions. Please do so before proceeding further.

13.6 Post Installation Steps on OIMHOST2

Perform the following post-installation steps on OIMHOST2.

13.6.1 Starting Node Manager on OIMHOST2

  1. Start the Node Manager on OIMHOST2 to create the nodemanger.properties file by using the startNodemanager.sh script located under the MW_HOME/wlserver_10.3/server/bin directory.

  2. Before you can start the managed servers by using the console, node manger requires that the property StartScriptEnabled is set to true. You set it by running the setNMProps.sh script located under the MW_HOME/oracle_common/common/bin directory.

    prompt>  $MW_HOME/oracle_common/common/bin
prompt> . /setNMProps.sh

  3. Stop and Start the node manager as described in Section 18.1, "Starting and Stopping Oracle Identity Management Components"Opens a new windowso that the properties take effect.

13.6.2 Starting the WLS_OIM2 and WLS_SOA2 Managed Servers on OIMHOST2

Follow this sequence of steps to start the WLS_OIM1 Managed Server on OIMHOST1:

  1. Validate that the Administration Server started up successfully by bringing up the Administration Console.

  2. Start the WLS_SOA1 managed server using the WebLogic Administration Console.

  3. Start the WLS_OIM1 managed server using the WebLogic Administration Console. The WLS_OIM1 managed server must be started only after starting the WLS_SOA1 managed server

13.6.3 Validating Oracle Identity Manager Instance on OIMHOST2

Validate the Oracle Identity Manager Server Instance by bringing up the OIM Console in a web browser at: http://oimhost2.mycompany.com:8001/oim/.

Log in using the xelsysadm username and password

13.7 Configuring Oracle Internet Directory using the LDAP Configuration Post setup Script

The OIM LDAP configuration post-setup script updates the OIM LDAP Sync scheduled jobs with the last change number from OID. The LDAP configuration post-setup script is located under the IAM_ORACLE_HOME/server/ldap_config_util directory. To run the script, follow these steps:

  1. Edit the ldapconfig.props file located under the IAM_ORACLE_HOME/server/ldap_config_util directory and provide the following values:

    • OIMProviderURL: "t3://oimhost1.us.oracle.com:14000,oimhost2.us.oracle.com:14000"

    • OIDURL: ldap://oidhost1.mycompany.com:389

    • OIDAdminUsername: cn=orcladmin

    • OIDSearchBase: mycompany.com

    • UserContainerName : cn=OIMUsers

    • RoleContainerName: cn=OIMRoles

    • ReservationContainerName: cn=OIMReserve

    Note:

    usercontainerName, rolecontainername, and

    reservationcontainername are not used in this step.

  2. Save the file.

  3. Set the WL_HOME and JAVA_HOME environment variables.

  4. Run LDAPConfigPostSetup.sh. The script prompts for the OID Admin Password and the OIM Admin Password. For example:

    Prompt> ./LDAPConfigPostSetup.sh
[Enter OID admin password: ]
[Enter OIM admin password: ]

13.8 Configuring Oracle Identity Manager to Work with the Oracle Web Tier

This section describes how to configure Oracle Access Manager to work with the Oracle Web Tier

13.8.1 Prerequisites

Before configuring Oracle Access Manager to work with the Oracle Web Tier, ensure that the following tasks have been performed:

  1. Install Oracle Web Tier on WEBHOST1 and WEBHOST2.

  2. Install and configure Oracle Access Manager on IDMHOST1 and IDMHOST2.

  3. Configure the load balancer with a virtual hostname (sso.mycompany.com) pointing to the webservers on WEBHOST1 and WEBHOST2.

  4. Configure the load balancer with a virtual hostname (admin.mycompany.com) pointing to webservers WEBHOST1 and WEBHOST2.

13.8.2 Configuring Oracle HTTP Servers to front end the OIM & SOA Managed Servers.

  1. On each of the web servers on WEBHOST1 and WEBHOST2, create a file called oim.conf in the directory ORACLE_INSTANCE/config/OHS/component/moduleconf. This file must contain the following information:

    # oim admin console(idmshell based)
   <Location /admin>
    SetHandler weblogic-handler
    WLCookieName    oimjsessionid
    WebLogicCluster oimhost1.us.oracle.com:14000,oimhost2.us.oracle.com:14000
    WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
   </Location>
 
# oim self and advanced admin webapp consoles(canonic webapp)
 
  <Location /oim>
    SetHandler weblogic-handler
    WLCookieName    oimjsessionid
    WebLogicCluster oimhost1.us.oracle.com:14000,oimhost2.us.oracle.com:14000
    WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
   </Location>

# SOA Callback webservice for SOD - Provide the SOA Managed Server Ports
  <Location /sodcheck>
    SetHandler weblogic-handler
    WLCookieName    oimjsessionid
    WebLogicCluster oimhost1.us.oracle.com:8001,oimhost2.us.oracle.com:8001
    WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
   </Location>

# Callback webservice for SOA. SOA calls this when a request is approved/rejected
# Provide the SOA Managed Server Port
  <Location /workflowservice>
    SetHandler weblogic-handler
    WLCookieName    oimjsessionid
    WebLogicCluster oimhost1.us.oracle.com:14000,oimhost2.us.oracle.com:14000
    WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
  </Location>

# xlWebApp - Legacy 9.x webapp (struts based)
   <Location /xlWebApp>
    SetHandler weblogic-handler
    WLCookieName    oimjsessionid
    WebLogicCluster oimhost1.us.oracle.com:14000,oimhost2.us.oracle.com:14000
    WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
  </Location>

# Nexaweb WebApp - used for workflow designer and DM
  <Location /Nexaweb>
    SetHandler weblogic-handler
    WLCookieName    oimjsessionid
    WebLogicCluster oimhost1.us.oracle.com:14000,oimhost2.us.oracle.com:14000
    WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
  </Location>

# used for FA Callback service.
  <Location /callbackResponseService>
    SetHandler weblogic-handler
    WLCookieName    oimjsessionid
    WebLogicCluster oimhost1.us.oracle.com:14000,oimhost2.us.oracle.com:14000
    WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
  </Location>

# spml xsd profile
  <Location /spml-xsd>
    SetHandler weblogic-handler
    WLCookieName    oimjsessionid
    WebLogicCluster oimhost1.us.oracle.com:14000,oimhost2.us.oracle.com:14000
    WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
  </Location>

  <Location /HTTPClnt>
    SetHandler weblogic-handler
    WLCookieName    oimjsessionid
    WebLogicCluster 
oimhost1.us.oracle.com:14000,oimhost2.us.oracle.com:14000
    WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
  </Location>

  2. Save the file on both WEBHOST1 and WEBHOST2.

  3. Stop and start the Oracle HTTP Server instances on both WEBHOST1 and WEBHOST2 as described in Section 18.1, "Starting and Stopping Oracle Identity Management Components."Opens a new window

13.8.3 Validating Oracle Identity Manager Instance from the WebTier

Validate the OIM Server Instance by bringing up the OIM Console in a web browser. at: http://sso.mycompany.com/oim. Log in using the xelsysadm username and password.

13.9 Configuring a Shared JMS Persistence Store

Configure the location for all of the persistence stores as a directory that is visible from both nodes. See Section 2.4, "Shared Storage and Recommended Directory Structure"Opens a new window for more information. Change all of the persistent stores to use this shared base directory as follows:

  1. Log in to the Oracle WebLogic Server Administration Console.

  2. Click Lock and Edit.

  3. In the Domain Structure window, expand the Services node and then click the Persistence Stores node. The Summary of Persistence Stores page is displayed.

  4. Select the persistence store (represented as a hyperlink) from the Name column of the table. The Settings page for the persistence store is displayed.

  5. On the Configuration tab, in the Directory field, enter the location of a persistent storage solution (such as NAS or SAN) that is available to other servers in the cluster. Specifying this location enables pending JMS messages to be sent.

  6. The location should have the following directory structure.

    For the WLS_SOA1 and WLS_SOA2 servers, use a directory structure similar to ORACLE_BASE/admin/domain_name/soa_cluster_name/jms.

    For the WLS_OIM1 and WLS_OIM2 servers use a directory structure similar to ORACLE_BASE/admin/domain_name/oim_cluster_name/jms.

    Note:

    • The WLS_OIM1 and WLS_OIM2 servers must be able to access this directory.

    • The WLS_SOA1 and WLS_SOA2 servers must be able to access this directory.

    • This directory must also exist before you restart the server.

  7. Click Save.

  8. Click Activate Changes from the change center.

  9. Do not restart the OIM and SOA managed servers. They will be restarted after performing the steps in Section 13.10, "Configuring a Default Persistence Store for Transaction Recovery."Opens a new window

13.10 Configuring a Default Persistence Store for Transaction Recovery

The WLS_OIM and WLS_SOA Managed Servers have a transaction log that stores information about committed transactions that are coordinated by the server that might not have been completed. The WebLogic Server uses this transaction log for recovery from system crashes or network failures. To leverage the migration capability of the Transaction Recovery Service for the servers within a cluster, store the transaction log in a location accessible to a server and its backup servers.

Note:

Preferably, this location should be on a dual-ported SCSI disk or on a Storage Area Network (SAN).

Perform these steps to set the location for the default persistence stores for the OIM and SOA Servers:

  1. Log in to the Oracle WebLogic Server Administration Console.

  2. Click Lock and Edit.

  3. In the Domain Structure window, expand the Environment node and then click the Servers node.

    The Summary of Servers page is displayed.

  4. Click the name of the server (represented as a hyperlink) in the Name column of the table.

  5. The Settings page for the selected server is displayed, and defaults to the Configuration tab.

  6. Open the Services sub tab.

  7. In the Default Store section of the page, enter the path to the folder where the default persistent stores will store its data files. The directory structure of the path is as follows:

    • For OIM Servers: ORACLE_BASE/admin/domain_name/oim_cluster_name/tlogs

    • For SOA Servers: ORACLE_BASE/admin/domain_name/soa_cluster_name/tlogs

  8. Click Save and Activate.

  9. Restart the OIM and SOA managed serversas described in Section 18.1, "Starting and Stopping Oracle Identity Management Components,"Opens a new window to make the changes take effect.

Note:

To enable migration of the Transaction Recovery Service, specify a location on a persistent storage solution that is available to other servers in the cluster. All the servers that are a part of the cluster must be able to access this directory.

13.11 Adding the CSF Entries for Oracle Identity Management and WSM

If you extend your domain with Oracle Identity Manager after the domain has been associated with an external LDAP store, the OIM configuration wizard does not populate the Credential Store Framework with the appropriate key-value pairs required for the Oracle Identity Manager and Oracle SOA Suite managed servers to start up. To work around this issue, you must create the required entries manually, by using Oracle Enterprise Manager Fusion Middleware Control. This is a temporary workaround.

Follow these steps to create the entries:

  1. Open a browser and bring up Fusion Middleware Control at: http://admin.mycompany.com/em.

  2. Log in as the Weblogic user.

  3. Expand Farm_DomainName in the left pane and navigate to Weblogic Domain > Domain Name. For Example if IDMDomain is the name your domain, navigate to Farm_IDMDomain > Weblogic Domain > IDMDomain

  4. The IDMDomain Page appears in the right pane.

  5. Navigate to Weblogic Domain > Security > Credential to bring up the Credentials Page.

  6. On the Credentials page, Click Create Map to create a map. Create a map called oim for the Oracle Identity Manager entries and a map called oracle.wsm.security for the WSM entries.

  7. Create the entries for the maps in the table. Select the map where you want to add entries and click Create Key to create a key.

    Enter the following values on the Create Key page:

    • Select Map: Map Name

    • Key: Key Name

    • Type: Password

    • User Name: User Name

    • Password: Password

    • Description: Description for the Key

    Click OK.

    Refer to the following table to create the keys required for Oracle Identity Manager and the oracle.wsm.security maps.

    Select Map Key Type User Name Password
    oim OIMSchemaPassword Password OIMSchemaPassword Password for OIM DB
    oim xell Password xell Password for Keystore
    oim DataBaseKey Password DataBaseKey Password for Keystore
    oim JMSKey Password JMSKey Password for Keystore
    oim .xldatabasekey Password .xldatabasekey Password for Keystore
    oim default-keystore.jks Password default-keystore.jks Password for Keystore
    oim SOAAdminPassword Password SOAAdminPassword Password for Keystore
    oracle.wsm.security keystore-csf-key Password owsm Password for weblogic user
    oracle.wsm.security enc-csf-key Password xell Password for Keystore
    oracle.wsm.security sign-csf-key Password xell Password for Keystore
    oracle.wsm.security recipient-alias-key Password xell not used

    Password For Key Store is the key store password provided when running the OIM Configuration Wizard

  8. Stop and Start the Administration Server.

  9. Start the Oracle Identity Management and Oracle SOA Suite Managed Servers using the WebLogic Admin Console.

  10. The Oracle Identity Management and Oracle SOA Suite Managed Servers start up correctly after you create the maps.