12 Extending the Domain to Include Oracle Identity Manager

This chapter describes how to install and configure Oracle Identity Manager for use in the Oracle Identity Management Enterprise Deployment Topology.

This chapter contains the following topics:

12.1 Overview of Extending the Domain to Include Oracle Identity Manager

Oracle Identity Manager is a user provisioning and administration solution that automates the process of adding, updating, and deleting user accounts from applications and directories. It also improves regulatory compliance by providing granular reports that attest to who has access to what. Oracle Identity Manager is available as a standalone product or as part of Oracle Identity Management.

Automating user identity provisioning can reduce Information Technology (IT) administration costs and improve security. Provisioning also plays an important role in regulatory compliance. Key features of Oracle Identity Manager include password management, workflow and policy management, identity reconciliation, reporting and auditing, and extensibility through adapters.

Oracle Identity Manager provides the following key functionalities:

  • User Administration

  • Workflow and Policy

  • Password Management

  • Audit and Compliance Management

  • Integration Solutions

  • User Provisioning

  • Organization and Role Management

For details about Oracle Identity Manager, see the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.

12.2 About Domain URLs

After you complete this chapter, the following URL will be available:

Table 12-1 OIM URLs

Component URLs SSO User

Self-service Console

https://SSO.mycompany.com/identity

xelsysadm

OIM Administration Console

http://ADMIN.mycompany.com/sysadmin

xelsysadm

12.3 Prerequisites

Before extending the domain with Oracle Identity Manager, ensure that the following tasks have been performed:

  1. Ensure that the virtual IP addresses for the Oracle Identity Manager and SOA managed servers have been provisioned and enabled. See Section 3, "Configuring the Network for an Enterprise Deployment" for details

  2. Ensure that you have created the wlfullclient.jar file, as described in Section 12.5, "Creating the wlfullclient.jar File."

  3. Ensure the Identity Store is installed and configured.

  4. Provision the Oracle Identity Management users as described in Section 10.4, "Preparing the Identity Store."

  5. Stop all the managed servers running in your domain, as described in Section 16.1, "Starting and Stopping Oracle Identity Management Components." before extending the domain with Oracle Identity Manager.

Note:

Oracle SOA deployed along with Oracle Identity Manager is used exclusively for Oracle Identity Manager work flow. It cannot be used for other purposes.

Note:

Be sure to verify you have obtained all required patches. For more info, see Section 2.5.3, "Applying Patches and Workarounds."

12.4 Provisioning the OIM Login Modules Under the WebLogic Server Library Directory

Due to issues with versions of the configuration wizard, some environmental variables are not added to the ASERVER_HOME/bin/setDomainenv.sh script. This causes certain install sequences to fail. This section is a temporary workaround for that problem. The steps in this section must be performed on all MW_HOMEs that are associated with the domain hosting Oracle Identity Manager, that is, IAM_MW_HOME.

Apply the following steps across all the WebLogic Server homes in the domain.

  1. Copy the OIMAuthenticator.jar, oimmbean.jar, oimsigmbean.jar and oimsignaturembean.jar files located under the IAM_ORACLE_HOME/server/loginmodule/wls directory to the IAM_MW_HOME/wlserver_10.3/server/lib/mbeantypes directory.

    cp IAM_ORACLE_HOME/server/loginmodule/wls/* IAM_MW_HOME/wlserver_10.3/server/lib/mbeantypes

  2. Change directory to MW_HOME/wlserver_10.3/server/lib/mbeantypes/

    cd IAM_MW_HOME/wlserver_10.3/server/lib/mbeantypes

  3. Change the permissions on these files to 750 by using the chmod command.

    chmod 750 *

12.5 Creating the wlfullclient.jar File

Oracle Identity Manager uses the wlfullclient.jar library for certain operations. Oracle does not ship this library, so you must create this library manually. Oracle recommends creating this library under the IAM_MW_HOME/wlserver_10.3/server/lib directory on all the machines hosting Oracle Identity Manager in the application tier of your environment, such as IAM_MW_HOME and OIM_MW_HOME.

Follow these steps to create the wlfullclient.jar file:

  1. Navigate to the IAM_MW_HOME/wlserver_10.3/server/lib directory

  2. Set your JAVA_HOME environment variable and ensure that the JAVA_HOME/bin directory is in your path.

  3. Create the wlfullclient.jar file by running:

    java -jar wljarbuilder.jar

12.6 Synchronize System Clocks

Oracle SOA uses Quartz to maintain its jobs and schedules in the database. Synchronize the system clocks for the SOA WebLogic cluster to enable proper functioning of jobs, adapters, and Oracle B2B.

12.7 Extending the Domain to Configure Oracle Identity Manager and Oracle SOA Suite

You must extend your domain to include Oracle Identity Manager. When extending the domain, you must do so from the host that is running the domain's Administration Server. This is the domain IDMDomain on IDMHOST1.

To extend the domain with Oracle Identity Manager, start the configuration wizard on IDMHOST1 by executing the command:

ORACLE_COMMON_HOME/common/bin/config.sh

Proceed as follows

  1. On the Welcome screen, select Extend an existing WebLogic Domain.

    Click Next.

  2. On the Select WebLogic Domain Directory screen, select the location of the domain directory for IDMDomain, for example: /u01/oracle/config/domains/IDMDomain

    Click Next.

  3. On the Select Extension Source screen, select Extend my domain automatically to support the following added products. From the list below, select: Oracle Identity Manager.

    Note:

    Oracle SOA Suite, Oracle JRF Webservices Asynchronous Services, and Oracle WSM Policy Manager are selected automatically. If Oracle WSM Policy Manager has already been installed, the choice is not available.

    Select Next.

  4. On the Configure JDBC Component Schemas screen, do the following.

    Select all the data sources listed on the page:

    • SOA Infrastructure

    • User Messaging Service

    • OIM MDS Schema

    • OWSM MDS Schema

    • SOA MDS Schema

    • OIM Schema

    Select Convert to GridLink.

    Click Next.

  5. The Gridlink RAC Component Schema screen appears. In this screen, enter values for the following fields, specifying the connect information for the Oracle RAC database that was seeded with RCU.

    Select all the schemas for your component. Do not select schemas listed for previously configured components.

    For each entry provide the following common information.

    • Driver: Select Oracle's driver (Thin) for GridLink Connections,Versions:10 and later.

    • Select Enable FAN.

    • Do one of the following:

      • If SSL is not configured for ONS notifications to be encrypted, deselect SSL.

      • Select SSL and provide the appropriate wallet and wallet password.

    • Service Listener: Enter the SCAN address and port for the RAC database being used. You can identify this address by querying the parameter remote_listener in the database:

      SQL>show parameter remote_listener;

NAME            TYPE   VALUE
-------------------------------------------------------------
remote_listener string DB-SCAN.mycompany.com:1521

      Note:

      For Oracle Database 11g Release 1 (11.1), use the virtual IP and port of each database instance listener, for example:

      DBHOST1-vip.mycompany.com (port 1521)

      and

      DBHOST2-vip.mycompany.com (port 1521)

      For Oracle Database 10g, use multi data sources to connect to an Oracle RAC database. For information about configuring multi data sources see "Verifying Adapters for Multiple Directory Identity Stores by Using ODSM" in Oracle Fusion Middleware Integration Guide for Oracle Identity Management Suite.

    • ONS Host: Enter the SCAN address for the Oracle RAC database and the ONS remote port as reported by the database:

      srvctl config nodeapps -s
ONS exists: Local port 6100, remote port 6200, EM port 2016

      Note:

      For Oracle Database 11g Release 1 (11.1), use the hostname and port of each database's ONS service, for example:

      DBHOST1.mycompany.com (port 6200)

      and

      DBHOST2.mycompany.com (port 6200)

    Enter the following RAC component schema information:

    Table 12-2 RAC Component Schema Information

    Schema Name Service Name User Name Password

    OIM Schema

    oimedg.mycompany.com

    EDG_OIM

    password
           

    SOA Infrastructure

    oimedg.mycompany.com

    EDG_SOAINFRA

    password
           

    User Messaging Service

    oimedg.mycompany.com

    EDG_ORASDPM

    password
           

    OIM MDS Schema

    oimedg.mycompany.com

    EDG_MDS

    password
           

    SOA MDS Schema

    oimedg.mycompany.com

    EDG_MDS

    password
           

    OPSS Schema

    oimedg.mycompany.com

    EDG_OPSS

    password
           

    If you prefer to use RAC multi datasources, see "Verifying Adapters for Multiple Directory Identity Stores by Using ODSM" in Oracle Fusion Middleware Integration Guide for Oracle Identity Management Suite.

    Click Next.

  6. On the Test Component Schema screen, the Configuration Wizard attempts to validate the data sources. If the data source validation succeeds, click Next. If it fails, click Previous, correct the problem, and try again.

    Click Next.

  7. On the Select Optional Configuration screen, Select:

    • JMS Distributed Destination

    • Managed Servers, Clusters and Machines

    • JMS File Store

    Click Next.

  8. On the JMS Distributed Destination screen, ensure that all the JMS system resources listed on the screen are uniform distributed destinations. If they are not, select UDD form the drop down box. Ensure that the entries look like this:

    JMS System Resource Uniform/Weighted Distributed Destination

    UMSJMSSystemResource

    UDD

    SOAJMSModule

    UDD

    OIMJMSModule

    UDD

    BPMJMSModule

    UDD

    Click Next.

    An Override Warning box with the following message is displayed:

    CFGFWK-40915: At least one JMS system resource has been selected for conversion to a Uniform Distributed Destination (UDD). This  conversion will take place only if the JMS System resource is assigned to a cluster

    Click OK on the Override Warning box.

  9. When you first enter the Configure Managed Servers screen, two managed servers called oim_server1 and soa_server1 are created automatically. Rename soa_server1 to WLS_SOA1 and oim_server1 to WLS_OIM1 and update their attributes as shown in the following table. Then, add two new managed servers called WLS_OIM2 and WLS_SOA2 with the following attributes.

    Name Listen Address Listen Port SSL Listen Port SSL Enabled

    WLS_SOA1

    SOAHOST1VHN

    8001

    N/A

    No

    WLS_SOA2

    SOAHOST2VHN

    8001

    N/A

    No

    WLS_OIM1

    OIMHOST1VHN

    14000

    N/A

    No

    WLS_OIM2

    OIMHOST2VHN

    14000

    N/A

    No

    To keep track of ports, host names, and other details for your enterprise deployment, see Appendix A, "Worksheet for Identity Management Topology.".

    Notes:

    • Do not change the configuration of the managed servers that were configured as a part of previous deployments.

    • Do not delete the default managed servers that are created. Rename them as described.

  10. On the Configure Clusters screen, create each cluster by clicking Add. Supply the following information:

    Table 12-3 Cluster Configurations

    Name Messaging Mode Multicast Address Multicast Port Cluster Address

    oim_cluster

    unicast

    n/a

    n/a

    OIMHOST1VHN:14000,OIMHOST2VHN:14000

    soa_cluster

    unicast

    n/a

    n/a

    SOAHOST1VHN:8001,SOAHOST2VHN:8001

    Leave all other fields at the default settings and click Next.

    Note:

    Do not change the configuration of the clusters that were configured as a part of previous deployments.

  11. On the Assign Servers to Clusters screen, associate the managed servers with the cluster. Click the cluster name in the right pane. Click the managed server under Servers, then click the arrow to assign it to the cluster. Assign the following values:

    Table 12-4 Servers to Assign to Clusters

    Cluster Server

    oim_cluster

    WLS_OIM1
     

    WLS_OIM2

    soa_cluster

    WLS_SOA1
     

    WLS_SOA2

    Note:

    Do not make any changes to clusters that already have entries defined.

    Click Next.

  12. On the Configure Machines screen, create a machine for each host in the topology.

    1. Click the Unix Machine tab.

    2. Name: Name of the host. Best practice is to use the DNS name.

    3. Node Manager Listen Address: DNS name of the machine.

    4. Node Manager Port: Port for Node Manager

    Provide the information shown in the following table.

    Name Node Manager Listen Address Node Manager Listen Port

    IDMHOST1

    IDMHOST1

    5556

    IDMHOST2

    IDMHOST2

    5556

    Leave the default values for all other fields.

    Delete the default local machine entry under the Machines tab.

    Click Next.

  13. On the Assign Servers to Machines screen, assign servers to machines as follows:

    • IDMHOST1: WLS_OIM1 and WLS_SOA1

    • IDMHOST2: WLS_OIM2 and WLS_SOA2

    Click Next to continue.

  14. On the Configure JMS File Stores screen, update the directory locations for the JMS file stores. Provide the information shown in the following table.

    Name Directory

    UMSJMSFileStore_auto_1

    ASERVER_HOME/jms/UMSJMSFileStore_auto_1

    UMSJMSFileStore_auto_2

    ASERVER_HOME/jms/UMSJMSFileStore_auto_2

    BPMJMSServer_auto_1

    ASERVER_HOME/jms/BPMJMSServer_auto_1

    BPMJMSServer_auto_2

    ASERVER_HOME/jms/BPMJMSServer_auto_2

    SOAJMSFileStore_auto_1

    ASERVER_HOME/jms/SOAJMSFileStore_auto_1

    SOAJMSFileStore_auto_2

    ASERVER_HOME/jms/SOAJMSFileStore_auto_2

    OIMJMSFileStore_auto_1

    ASERVER_HOME/jms/OIMJMSFileStore_auto_1

    OIMJMSFileStore_auto_2

    ASERVER_HOME/jms/OIMJMSFileStore_auto_2

    Click Next.

  15. On the Configuration Summary screen, click Extend to extend the domain.

  16. On the Installation Complete screen, click Done.

  17. Restart WebLogic Administration Server, as described in Section 16.1, "Starting and Stopping Oracle Identity Management Components."

12.8 Deploying Oracle Identity Manager and Oracle SOA to Managed Server Domain Directory on IDMHOST1 and IDMHOST2

Once the configuration is complete, you must propagate the Oracle Identity Manager configuration to the managed server directory on IDMHOST1 and IDMHOST2.

You do this by packing and unpacking the domain. You pack the domain first on IDMDomain on IDMHOST1, then unpack it on IDMHOST1 and IDMHOST2.

Follow these steps to propagate the domain to the managed server domain directory.

  1. Invoke the pack utility from ORACLE_COMMON_HOME/common/bin/ on IDMHOST1.

    ./pack.sh -domain=ASERVER_HOME -template=oim_domain.jar -template_name="OIM Domain" -managed=true

  2. This creates a file called oim_domain.jar. Copy this file to IDMHOST2.

  3. On IDMHOST1 and IDMHOST2, invoke the utility unpack, which is also located in the directory: ORACLE_COMMON_HOME/common/bin/

    ./unpack.sh -domain=MSERVER_HOME -template=oim_domain.jar -overwrite_domain=true -app_dir=MSERVER_HOME/applications

12.9 Configuring Oracle Coherence for Deploying Composites

Although deploying composites uses multicast communication by default, Oracle recommends using unicast communication in SOA enterprise deployments. Use unicast if you disable multicast communication for security reasons.

Unicast communication does not enable nodes to discover other cluster members in this way. Consequently, you must specify the nodes that belong to the cluster. You do not need to specify all of the nodes of a cluster, however. You need only specify enough nodes so that a new node added to the cluster can discover one of the existing nodes. As a result, when a new node has joined the cluster, it is able to discover all of the other nodes in the cluster. Additionally, in configurations such as SOA enterprise deployments where multiple IPs are available in the same system, you must configure Oracle Coherence to use a specific host name to create the Oracle Coherence cluster.

Note:

An incorrect configuration of the Oracle Coherence framework used for deployment may prevent the SOA system from starting. The deployment framework must be properly customized for the network environment on which the SOA system runs. Oracle recommends the configuration described in this section.

This section contains the following topics:

12.9.1 Enabling Communication for Deployment Using Unicast Communication

Specify the nodes using the tangosol.coherence.wka<n> system property, where <n> is a number between 1 and 9. You can specify up to 9 nodes. Start the numbering at 1. This numbering must be sequential and must not contain gaps. In addition, specify the host name used by Oracle Coherence to create a cluster through the tangosol.coherence.localhost system property. This local host name should be the virtual host name used by the SOA server as the listener addresses (SOAHOST1VHN and SOAHOST2VHN). Set this property by adding the -Dtangosol.coherence.localhost parameters to the Arguments field of the Oracle WebLogic Server Administration Console's Server Start tab.

Tip:

To guarantee high availability during deployments of SOA composites, specify enough nodes so that at least one of them is running at any given time.

Note:

SOAHOST1VHN is the virtual host name that maps to the virtual IP where WLS_SOA1 listening (in SOAHOST1). SOAHOST2VHN is the virtual host name that maps to the virtual IP where WLS_SOA2 is listening (in SOAHOST2).

12.9.2 Specifying the Host Name Used by Oracle Coherence

Use the Administration Console to specify a host name used by Oracle Coherence.

To add the host name used by Oracle Coherence:

  1. Log into the Oracle WebLogic Server Administration Console.

  2. In the Domain Structure window, expand the Environment node.

  3. Click Servers. The Summary of Servers page appears.

  4. Click the name of the server (WLS_SOA1 or WLS_SOA2, which are represented as hyperlinks) in Name column of the table. The settings page for the selected server appears.

  5. Click Lock & Edit.

  6. Click the Server Start tab.

  7. Enter the following for WLS_SOA1 and WLS_SOA2 into the Arguments field.

    For WLS_SOA1, enter the following:

    -Dtangosol.coherence.wka1=SOAHOST1VHN
-Dtangosol.coherence.wka2=SOAHOST2VHN
-Dtangosol.coherence.localhost=SOAHOST1VHN

    For WLS_SOA2, enter the following:

    -Dtangosol.coherence.wka1=SOAHOST1VHN
-Dtangosol.coherence.wka2=SOAHOST2VHN
-Dtangosol.coherence.localhost=SOAHOST2VHN

    Note:

    There should be no breaks in lines between the different -D parameters. Do not copy or paste the text to your Administration Console's arguments text field. It may result in HTML tags being inserted in the Java arguments. The text should not contain other text characters than those included the example above.

    Note:

    The Coherence cluster used for deployment uses port 8088 by default. This port can be changed by specifying a different port (for example, 8089) with the -Dtangosol.coherence.wkan.port and -Dtangosol.coherence.localport startup parameters. For example:

    WLS_SOA1 (enter the following into the Arguments field on a single line, without a carriage return):

    -Dtangosol.coherence.wka1=SOAHOST1VHN
-Dtangosol.coherence.wka2=SOAHOST2VHN
-Dtangosol.coherence.localhost=SOAHOST1VHN
-Dtangosol.coherence.localport=8089
-Dtangosol.coherence.wka1.port=8089
-Dtangosol.coherence.wka2.port=8089

    WLS_SOA2 (enter the following into the Arguments field on a single line, without a carriage return):

    -Dtangosol.coherence.wka1=SOAHOST1VHN
-Dtangosol.coherence.wka2=SOAHOST2VHN
-Dtangosol.coherence.localhost=SOAHOST2VHN
-Dtangosol.coherence.localport=8089
-Dtangosol.coherence.wka1.port=8089
-Dtangosol.coherence.wka2.port=8089

    For more information about Coherence Clusters see the Oracle Coherence Developer's Guide.

  8. Click Save and Activate Changes.

    Note:

    You must ensure that these variables are passed to the managed server correctly. (They should be reflected in the server's output log.) Failure of the Oracle Coherence framework can prevent the soa-infra application from starting.

    Note:

    The multicast and unicast addresses are different from the ones used by the WebLogic Server cluster for cluster communication. SOA guarantees that composites are deployed to members of a single WebLogic Server cluster even though the communication protocol for the two entities (the WebLogic Server cluster and the groups to which composites are deployed) are different.

  9. Stop the WebLogic Administration Server on IDMHOST1. by using the WebLogic Administration Console as described in Section 16.1, "Starting and Stopping Oracle Identity Management Components."

  10. Start the Administration Server on IDMHOST1 using the Node Manager, as described in Section 16.1, "Starting and Stopping Oracle Identity Management Components."

  11. Start SOA server WLS_SOA1.

  12. If desired, start other servers that you shut down in Section 12.3, "Prerequisites."

12.10 Configuring Oracle Identity Manager

You must configure the Oracle Identity Manager server instance before you can start the Oracle Identity Manager and SOA Managed Servers. This is performed on IDMHOST1. The Oracle Identity Management Configuration Wizard loads the Oracle Identity Manager metadata into the database and configures the instance.

Before proceeding, ensure that the following are true:

  • The Administration Server is up and running.

  • The environment variables MSERVER_HOME and WL_HOME are not set in the current shell.

The Oracle Identity Management Configuration Wizard is located under the Identity Management Oracle home. To start the Configuration Wizard, type:

IAM_ORACLE_HOME/bin/config.sh

Proceed as follows:

  1. On the Welcome screen, click Next

  2. On the Components to Configure screen, Select OIM Server.

    Click Next.

  3. On the Database screen, provide the following values:

    • Connect String: The connect string for the Oracle Identity Manager database:

      IDMDB1-VIP.mycompany.com:1521:OIMEDG1^IDMDB2-VIP.mycompany.com:1521:OIMEDG2@OIMEDG.mycompany.com

      Where 1521 is the DB_LSNR_PORT port from Section A.3.

      If you are using Oracle Database 11.2, replace the vip address and port with the 11.2 SCAN address and port.

    • OIM Schema User Name: EDG_OIM

    • OIM Schema password: password

    • MDS Schema User Name: EDG_MDS

    • MDS Schema Password: password

    Click Next.

  4. On the WebLogic Administration Server screen, provide the following details for the WebLogic Administration Server:

    • URL: The URL to connect to the WebLogic Administration Server. For example:

      t3://ADMINVHN.mycompany.com:7001

      Where Port 7001 is WLS_ADMIN_PORT

    • UserName: weblogic

    • Password: Password for the weblogic user

    Click Next.

  5. On the OIM Server screen, provide the following values:

    • OIM Administrator Password: Password for the Oracle Identity Manager Administrator. This is the password for the xelsysadm user. The password must contain an uppercase letter and a number. Best practice is to use the same password that you assigned to the user xelsysadm in Section 10.4, "Preparing the Identity Store."

    • Confirm Password: Confirm the password·

    • OIM HTTP URL: Proxy URL for the Oracle Identity Manager Server. For example: http://IDMINTERNAL.mycompany.com:7777.

    • Enable LDAP Sync: Selected.

    Click Next.

  6. On the LDAP Server Screen, the information you enter is dependent on your implementation. Provide the following details:

    • Directory Server Type: OUD, if your Identity Store is Oracle Unified Directory.

    • Directory Server ID: A name for your directory server. For example: IdStore. This is only required if the directory type is OUD.

    • Server URL: The LDAP server URL. For example: ldap://OUDINTERNAL.mycompany.com:1489

    • Server User: The user name for connecting to the LDAP Server. For example: cn=oimLDAP,cn=systemids,dc=mycompany,dc=com

    • Server Password: The password for connecting to the LDAP Server.

    • Server Search DN: The Search DN, if you are accessing your IDStore using Oracle Unified Directory Server. For example: dc=mycompany,dc=com.

    Click Next.

  7. On the LDAP Server Continued screen, provide the following LDAP server details:

    • LDAP Role Container: The DN for the Role Container. This is the container where the Oracle Identity Manager roles are stored. For example: cn=Groups,dc=mycompany,dc=com

    • LDAP User Container: The DN for the User Container. This is the container where the Oracle Identity Manager users are stored. For example: cn=Users,dc=mycompany,dc=com

    • User Reservation Container: The DN for the User Reservation Container. For example: cn=Reserve,dc=mycompany,dc=com.

    Click Next.

  8. On the Configuration Summary screen, verify the summary information.

    Click Configure to configure the Oracle Identity Manager instance

  9. On the Configuration Progress screen, once the configuration completes successfully, click Next.

  10. On the Configuration Complete screen, view the details of the Oracle Identity Manager Instance configured.

    Click Finish to exit the Configuration Wizard.

  11. Restart WebLogic Administration Server, as described in Section 16.1, "Starting and Stopping Oracle Identity Management Components."

12.11 Copy SOA Directory

Copy the soa directory located under ASERVER_HOME on IDMHOST1 to MSERVER_HOME directory on IDMHOST1 and IDMHOST2.

For example:

scp -rp ASERVER_HOME/soa user@IDMHOST2:MSERVER_HOME

12.12 Starting SOA and Oracle Identity Manager Managed Servers on IDMHOST1 and IDMHOST2

Follow this sequence of steps to start the WLS_OIM1 and WLS_SOA1 Managed Servers on IDMHOST1:

  1. Validate that the Administration Server started up successfully by bringing up the Oracle WebLogic Administration Console.

  2. If it is not already started, start the WLS_SOA1 Managed Server, using the WebLogic Administration Console as described in Section 16.1, "Starting and Stopping Oracle Identity Management Components."

  3. Start the WLS_OIM1 Managed Server using the WebLogic Administration Console as described in Section 16.1, "Starting and Stopping Oracle Identity Management Components."

Follow this sequence of steps to start the WLS_OIM2 and WLS_SOA2 Managed Servers on IDMHOST2:

  1. Validate that the Administration Server started up successfully by bringing up the Oracle WebLogic Administration Console.

  2. Start the WLS_SOA2 Managed Server, using the WebLogic Administration Console as described in Section 16.1, "Starting and Stopping Oracle Identity Management Components."

  3. Start the WLS_OIM2 Managed Server using the WebLogic Administration Console as described in Section 16.1, "Starting and Stopping Oracle Identity Management Components."

12.13 Validating Oracle Identity Manager Instance on IDMHOST1 and IDMHOST2

Validate the Oracle Identity Manager Server Instances by bringing up the Oracle Identity Manager Console in a web browser at:

http://OIMHOST1VHN.mycompany.com:14000/identity

http://OIMHOST1VHN.mycompany.com:14000/sysadmin

http://OIMHOST2VHN.mycompany.com:14000/identity

http://OIMHOST2VHN.mycompany.com:14000/sysadmin

Log in using the xelsysadm username and password.

Note:

When you log in for the first time, you are prompted to setup Challenge Questions. Please do so before proceeding further.

Validate Oracle SOA Suite using the URLs:

http://SOAHOST1VHN.mycompany.com:8001/soa-infra

http://SOAHOST2VHN.mycompany.com:8001/soa-infra

Log in as the weblogic user.

12.14 Configuring Oracle Identity Manager to Reconcile from OUDINTERNAL

In the current release, the LDAPConfigPostSetup script enables all the LDAPSync-related incremental Reconciliation Scheduler jobs, which are disabled by default. The LDAP configuration post-setup script is located under the IAM_ORACLE_HOME/server/ldap_config_util directory. Run the Script on IDMHOST1, as follows:

  1. Edit the ldapconfig.props file located under the IAM_ORACLE_HOME/server/ldap_config_util directory and provide the following values:

    Parameter Value Description

    OIMProviderURL

    t3://OIMHOST1VHN.mycompany.com:14000,OIMHOST2VHN.mycompany.com:14000Foot 1 

    List of Oracle Identity Manager managed servers.

    LIBOVD_PATH_PARAM

    MSERVER_HOME/config/fmwconfig/ovd/oim

    Required unless you access your identity store using Oracle Virtual Directory.

    Footnote 1 Where 14000 is the OIM_PORT from Section A.3 .

    Note:

    usercontainerName, rolecontainername, and reservationcontainername are not used in this step.

  2. Save the file.

  3. Set MW_HOME to IAM_MW_HOME.

    Set ORACLE_HOME to IAM_ORACLE_HOME.

    Set JAVA_HOME to JAVA_HOME.

    Set WL_HOME to MW_HOME/wlserver_10.3.

    Set APP_SERVER to weblogic.

    Set OIM_ORACLE_HOME to IAM_ORACLE_HOME.

    Set DOMAIN_HOME set MSERVER_HOME.

  4. Run LDAPConfigPostSetup.sh. The script prompts for the LDAP admin password and the Oracle Identity Manager admin password. For example:

    IAM_ORACLE_HOME/server/ldap_config_util/LDAPConfigPostSetup.sh path_to_property_file

    For example:

    IAM_ORACLE_HOME/server/ldap_config_util/LDAPConfigPostSetup.sh IAM_ORACLE_HOME/server/ldap_config_util

    Example output:

    Successfully Enabled Changelog based Reconciliation schedule jobs.

12.15 Configuring Oracle Identity Manager to Work with the Oracle Web Tier

This section describes how to configure Oracle Identity Manager to work with the Oracle Web Tier.

This section contains the following topics:

12.15.1 Configuring Oracle Traffic Director to Front End the Oracle Identity Manager and SOA Managed Servers

If you are adding OIM to an existing domain you must include OIM in the Web Tier configuration. For more information see Section 7.7, "Defining the Required Oracle Traffic Director Virtual Servers for an Enterprise Deployment."

12.15.2 Changing Host Assertion in WebLogic

Because the Oracle HTTP Server acts as a proxy for WebLogic, by default certain CGI environment variables are not passed through to WebLogic. These include the host and port. You must tell WebLogic that it is using a virtual site name and port so that it can generate internal URLs appropriately.

To do this, log in to the WebLogic administration console at the URL listed in Section 16.2, "About Identity Management Console URLs." Proceed as follows:

  1. Select Clusters from the home page or, alternatively, select Environment -> Clusters from the Domain structure menu.

  2. Click Lock and Edit in the Change Center Window to enable editing.

  3. Click the Cluster Name (soa_cluster).

  4. In the Configuration tab, select the HTTP subtab.

    Enter:

    • Frontend Host: IDMINTERNAL.mycompany.com

    • Frontend HTTP Port: 7777 (HTTP_PORT)

  5. Click Save.

  6. Click Activate Changes in the Change Center window to enable editing.

  7. Restart WLS_SOA1 and WLS_SOA2 as described in Section 16.1, "Starting and Stopping Oracle Identity Management Components."

12.15.3 Updating SOA Endpoints

Update SOA endpoints, as follows:

  1. Log in to Oracle Enterprise Manager Fusion Middleware Control at the address listed in Section 16.2, "About Identity Management Console URLs."

  2. Expand the SOA folder in the Navigation pane and right click soa-infra

  3. Select SOA Administration -> Common Properties

  4. Click on the link More SOA Infra Advanced Configuration Properties.

  5. Edit the following properties and apply the changes:

    • ServerURL: http://idminternal.mycompany.com:7777

    • CallbackServerURL: http://idminternal.mycompany.com:7777

    • HttpServerURL: http://idminternal.mycompany.com:7777

  6. Click Apply.

  7. Restart WLS_SOA1 and WLS_SOA2 as described in Section 16.1, "Starting and Stopping Oracle Identity Management Components."

12.15.4 Validating Web Tier Integration

Validate web tier integration as follows:

12.15.4.1 Validating Oracle Identity Manager Instance from the Web Tier

Validate the Oracle Identity Manager Server Instance by bringing up the Oracle Identity Manager Console in a web browser. at:

https://sso.mycompany.com/identity

and

http://ADMIN.mycompany.com/sysadmin

Log in using the xelsysadm username and password.

12.15.4.2 Validating Accessing SOA from the Web Tier

Validate SOA by accessing the URL:

http://IDMINTERNAL.mycompany.com:7777/soa-infra

and logging in as the WebLogic administration user.

Note:

After WebGate is enabled, soa-infra is not available.

12.16 Configuring a Default Persistence Store for Transaction Recovery

The WLS_OIM and WLS_SOA Managed Servers have a transaction log that stores information about committed transactions that are coordinated by the server that might not have been completed. The WebLogic Server uses this transaction log for recovery from system crashes or network failures. To leverage the migration capability of the Transaction Recovery Service for the servers within a cluster, store the transaction log in a location accessible to a server and its backup servers.

Note:

Preferably, this location should be on a dual-ported SCSI disk or on a Storage Area Network (SAN).

Perform these steps to set the location for the default persistence stores for the Oracle Identity Manager and SOA Servers:

  1. Create the following directory on the shared storage:

    ASERVER_HOME/tlogs

  2. Log in to the Oracle WebLogic Server Administration Console.

  3. Click Lock and Edit.

  4. In the Domain Structure window, expand the Environment node and then click the Servers node.

    The Summary of Servers page is displayed.

  5. Click the name of either the Oracle Identity Manager or the SOA server (represented as a hyperlink) in the Name column of the table.

  6. The Settings page for the selected server is displayed, and defaults to the Configuration tab.

  7. Open the Services sub tab.

  8. Under the Default Store section of the page, provide the path to the default persistent store on shared storage. The directory structure of the path is as follows:

    • For Oracle Identity Manager Servers: ASERVER_HOME/tlogs

    • For SOA Servers: ASERVER_HOME/tlogs

    Note:

    To enable migration of the Transaction Recovery Service, specify a location on a persistent storage solution that is available to other servers in the cluster. All the servers that are a part of the cluster must be able to access this directory.

  9. Click Save and Activate.

  10. Repeat these steps, selecting the other SOA server on the Summary of Servers page.

  11. Restart the Oracle Identity Manager and SOA Managed Servers, as described in Section 16.1, "Starting and Stopping Oracle Identity Management Components." to make the changes take effect.

12.17 Configuring UMS Email Notification

This section describes how to configure UMS email notification. This is optional. The following steps assume that an email server has been set up and that Oracle Identity Management can use it to send the email notifications.

  1. Log in to the Oracle Enterprise Manager Fusion Middleware Control instance that is associated with Oracle Identity Manager, at the URL listed in Section 16.2, "About Identity Management Console URLs.".

  2. Expand User Messaging Service.

  3. Right click usermessagingdriver-email (wls_soa1) and select email driver properties.

  4. Enter the following information:

    • OutgoingMailServer: name of the SMTP server, for example: SMTP.mycompany.com

    • OutgoingMailServerPort: port of the SMTP server, for example: 465 for SSL outgoing mail server and 25 for non-SSL

    • OutgoingMailServerSecurity: The security setting used by the SMTP server Possible values can be None/TLS/SSL. If the mail server is configured to accept SSL requests, perform these additional steps to remove DemoTrust store references from the SOA environment:

      1. Modify the ASERVER_HOME/bin/setDomainEnv.sh file to remove the DemoTrust references -Djavax.net.ssl.trustStore=WL_HOME/server/lib/DemoTrust.jks from EXTRA_JAVA_PROPERTIES.

      2. Modify the startManagedWeblogic.sh file on IDMHOST1 and IDMHOST2. Remove the weblogic.security.SSL.trustedCAKeyStore property set in JAVA_OPTIONS from this file. That is, remove the line that looks like this:

        JAVA_OPTIONS="-Dweblogic.security.SSL.trustedCAKeyStore="{MW_HOME}/server/server/lib/cacerts" ${JAVA_OPTIONS}"

      3. Restart Oracle Identity Manager and the OIM and SOA managed servers.

    • OutgoingUsername: Any valid username

    • OutgoingPassword:

      1. Choose Indirect Password, Create New User

      2. Provide a unique string for Indirect Username/Key, for example: OIMEmailConfig. This will mask the password and not expose it in clear text in the configuration file.

      3. Provide valid password for this account.

    Click Apply.

    Repeat Steps 3 and 4 for each SOA server.

  5. From the Navigator Select WebLogic Domain -> DomainName.

  6. From the menu, select System Mean Browser.

  7. Expand Application Defined MBeans -> oracle.iam -> Server: wls_oim1 -> Application: oim -> IAMAppRuntimeMBean.

  8. Click UMSEmailNotificationProviderMBean.

  9. Enter:

    • WSUrl: http://IDMINTERNAL.mycompany.com:7777/ucs/messaging/webservice

    • Policies: Leave blank.

    • CSFKey: Notification.Provider.Key

  10. Click Apply.

12.18 Add Load Balancer Certificate to SOA Keystore

Using a browser, obtain the certificate for SSO.mycompany.com. (Refer to your browser documentation to determine how to do this.) Save the file to IDMHOST1 in the .pem format, for example: /tmp/sso.pem.

Then import the certificate into the SOA keystore using the keytool command, which is provided as part of the JDK (Java Development Kit). Proceed as follows:

  1. Set the environment variables.

    • Set JAVA_HOME to JAVA_HOME.

    • Set PATH to JAVA_HOME/bin:$PATH.

  2. Change directory to WL_HOME/server/lib.

    cd WL_HOME/server/lib

  3. Add the certificate to the SOA keystore using the following command:

    keytool -import -file /tmp/sso.pem -alias SSOAlias -keystore DemoTrust.jks -storepass DemoTrustKeyStorePassPhrase

    To add this ceritifcate using CLI commands, run the following:

    openssl x509 -in <(openssl s_client -connect SSO.mycompany.com:443 -prexit 2>/dev/null) > /tmp/sso.pem

12.19 Excluding Users from Oracle Identity Manager Reconciliation

By default Oracle Identity Management reconciles all users that are located in LDAP. Once reconciled, these users are subject to the usual password ageing policies defined in Oracle Identity Manager. This is not desirable for system accounts. It is recommended that you exclude the following accounts from this reconciliation:

In the container cn=Users:

  • xelsysadm

In the container cn=systemids:

  • oimLDAP

  • oamLDAP

To exclude these users from reconciliation and discard failed reconciliation events, perform the following steps, using ODSM and the OIM Console:

12.19.1 Adding the orclAppIDUser Object Class to the User by Using ODSM

Users can be excluded from OIM reconciliation by attaching the object class orclAppIDUser to each of the users.

The example below is for Oracle Unified Directory using ODSM for Oracle Unified Directory. For directories other than Oracle Unified Directory refer to your system documentation for information on how to do this.

  1. Log in to ODSM at:

    http://admin.mycompany.com/odsm

  2. Connect to one of the LDAP instances that hosts the user to be excluded.

    • Server: One of the Oracle Unified Directory hosts, for example: IDMHOST1.mycompany.com

    • Administration Port: The Oracle Unified Directory administration port, for example: 4444

    • User Name: Directory Administrator, for example: cn=oudadmin

    If prompted, trust the server certificate.

  3. Select Data Browser.

  4. Navigate to the user you wish to exclude in the data tree. For example:

    Root -> dc=mycompany,dc=com -> cn=systemids -> cn=UserId

  5. Click on the user to bring up the Edit window.

  6. Click Attributes.

  7. Click + in the Object Classes box to add a new class.

  8. Click Advanced Search, enter orclAppIDUser in the search box, and click Search.

  9. Click on the attribute orclAppIDUser and click OK.

  10. Click Apply.

Repeat Steps 2-10 for each user to be excluded.

12.19.2 Closing Failed Reconciliation Events by Using the OIM Console

This step is required to clear out failed reconciliation events. Failed reconcilation events are repeatedly retried, which puts an unecessary load on the system.

  1. Log in to the OIM Administration Console as the xelsysadm user, using the URL: http://admin.mycompany.com/sysadmin

  2. Click Reconciliation under Event Management.

  3. Click Advanced Search.

  4. In the Current Status field, select Equals. In the Search box, select Creation Failed from the list.

  5. Click Search.

  6. Select each of the events.

  7. From the Actions menu, select Close Event.

  8. In the Confirmation window enter a justification, such as Close Failed Reconciliation Events.

  9. Click Closed.

  10. Click OK to acknowledge the confirmation message.

12.20 Backing Up Oracle Identity Manager

Perform a backup of the Oracle Identity Manager configuration at this point. Back up the database, the WebLogic domain, and the LDAP directories, as described in Section 16.6, "Backing Up the Oracle IDM Enterprise Deployment."

12.21 Integrating Oracle Identity Manager and Oracle Access Management Access Manager

This section describes how to integrate Oracle Identity Manager and Oracle Access Management Access Manager.

Note:

If you are adding Oracle Identity Manager to an existing domain that already has Access Manager, then if you have not already done so run the command as described in Section 11.5.3, "Configuring Access Manager by Using the IDM Configuration Tool" with the Oracle Identity Manager integration parameters

This section contains the following topics:

12.21.1 Prerequisites

  1. Ensure that OIM11g has been installed and configured as described in Chapter 12, "Extending the Domain to Include Oracle Identity Manager."

  2. Ensure that Oracle Access Management has been installed and configured as described in Chapter 11, "Extending the Domain to Include Oracle Access Management."

  3. Ensure that Oracle Traffic Director has been installed and configured as described in Chapter 7, "Installing and Configuring Oracle Traffic Director for an Enterprise Deployment." Or, Ensure that Oracle Traffic Director has been installed and configured as described in Section 7.2, "Installing Oracle Traffic Director on WEBHOST1 and WEBHOST2."

12.21.2 Adding Forgotten Password Links to the OAM Login Page

If you ran idmConfigTool in Section 11.5.3, "Configuring Access Manager by Using the IDM Configuration Tool" with the parameter OAM11G_OIM_INTEGRATION_REQ is set to true, you can skip this step.

If you ran the command with OAM11G_INTEGRATION_FLAG set to false, you must now rerun the command, this time setting OAM11G_OIM_INTEGRATION_REQ to true and specifying a value for OAM11G_OIM_OHS_URL.

12.21.3 Copying OAM Keystore Files to IDMHOST1 and IDMHOST2

If you are using Access Manager with the Simple Security Transport model, you must copy the OAM keystore files that were generated in Section 11.9, "Creating a Single Keystore for Integrating Access Manager with Other Components" to IDMHOST1 and IDMHOST2. Copy the keystore files ssoKeystore.jks and oamclient-truststore.jks from the directory ASERVER_HOME/output/webgate-sslto the directory MSERVER_HOME/config/fmwconfig on IDMHOST1 and IDMHOST2.

12.21.4 Integrating Oracle Identity Manager with Oracle Access Manager Using the idmConfigTool

Integrating Oracle Identity Manager with Access Manager using a WebGate profile employs an Access Manager Trusted Authentication Protocol (TAP) scheme. This is different from previous releases which used Network Assertion Protocol (NAP).

To integrate Access Manager with Oracle Identity Manager, perform the following steps on IDMHOST1:

  1. Set MW_HOME to IAM_MW_HOME.

    Set ORACLE_HOME to IAM_ORACLE_HOME.

    Set JAVA_HOME to JAVA_HOME.

  2. Create a properties file for the integration called oimitg.props, with the following contents.

    LOGINURI: /${app.context}/adfAuthentication
LOGOUTURI: /oamsso/logout.html
AUTOLOGINURI: None
ACCESS_SERVER_HOST: IDMHOST1.mycompany.com
ACCESS_SERVER_PORT: 5575
ACCESS_GATE_ID: Webgate_IDM
COOKIE_DOMAIN: .mycompany.com
COOKIE_EXPIRY_INTERVAL: 120
OAM_TRANSFER_MODE: simple
WEBGATE_TYPE: ohsWebgate11g
SSO_ENABLED_FLAG: true
IDSTORE_PORT: 1489
IDSTORE_HOST: oudinternal.mycompany.com
IDSTORE_DIRECTORYTYPE: OUD 
IDSTORE_ADMIN_USER: cn=oamLDAP,cn=systemids,dc=mycompany,dc=com
IDSTORE_USERSEARCHBASE: cn=Users,dc=mycompany,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=mycompany,dc=com
IDSTORE_LOGINATTRIBUTE: uid
MDS_DB_URL: jdbc:oracle:thin:@(DESCRIPTION=(LOAD_BALANCE=on)(FAILOVER=on)(ADDRESS_LIST=(ADDRESS=(protocol=tcp)(host=IDMDBHOST1-VIP.mycompany.com)(port=1521))(ADDRESS=(protocol=tcp)(host=IDMDBHOST2-VIP.mycompany.com)(port=1521)))(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=OIMEDG.mycompany.com)))
MDS_DB_SCHEMA_USERNAME: EDG_MDS
OIM_MANAGED_SERVER_NAME: WLS_OIM1
WLSADMIN: weblogic
WLSPORT: 7001
WLSHOST: ADMINVHN.mycompany.com
DOMAIN_NAME: IDMDomain
DOMAIN_LOCATION: ASERVER_HOME

    where:

    • ACCESS_SERVER_PORT is the Access Server Proxy port. This is OAM_PROXY_PORT in Section A.3.

    • OAM_TRANSFER_MODE is set to simple if your access manager servers are configured to accept requests using the simple mode. Otherwise set OAM_TRANSFER_MODE to open

    • SSO_ENABLED_FLAG always set to true.

    • WEBGATE_TYPE is the type of WebGate agent you want to create. Valid values are otdWebgate11g and otdWebgate10.

    • IDSTORE_HOST is the load balancer virtual host fronting your Identity store (LDAP_LBR_HOST)

    • IDSTORE_PORT is the load balancer virtual port fronting your Identity store (LDAP_LBR_PORT).

    • IDSTORE_DIRECTORYTYPE Set it to OUD.

    • IDSTORE_USERSEARCHBASE is the location in the directory where Users are Stored.

    • IDSTORE_GROUPSEARCHBASE is the location in the directory where Groups are Stored.

    • IDSTORE_LOGINATTRIBUTE is the LDAP attribute which contains the users Login name.

    • MDS_DB_URL contains the JDBC connection information for your database in the form: jdbc:oracle:thin:@(DESCRIPTION=(LOAD_BALANCE=on)(FAILOVER=on)(ADDRESS_LIST=(ADDRESS=(protocol=tcp)(host=IDMDBHOST1-VIP.mycompany.com)(port=1521))(ADDRESS=(protocol=tcp)(host=IDMDBHOST2-VIP.mycompany.com)(port=1521)))(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=OIMEDG.mycompany.com))) where 1521 is the DB_LSNR_PORT in Section A.3.

    • MDS_DB_SCHEMA_USERNAME is the name of the schema in the Identity Management Database that holds MDS data. See Section 6.5, "Loading the Identity Management Schemas in the Oracle RAC Database by Using RCU."

    • OIM_MANAGED_SERVER_NAME is the name of one of the OIM Managed Servers. It does not matter which one you use.

    • WLSHOST (ADMINVHN) is the host of your administration server, WLS_ADMIN_HOST in Section A.3. This is the virtual name.

    • WLSPORT is the port of your administration server, WLS_ADMIN_PORT in Section A.3.

    • WLSADMIN is the WebLogic administrative user you use to log in to the WebLogic console.

    • DOMAIN_NAME is the name of the domain that hosts Oracle Identity Manager.

    • DOMAIN_LOCATION is the path to the domain on disk, that is, ASERVER_HOME.

  3. Integrate Access Manager with Oracle Identity Manager using the command idmConfigTool, which is located at:

    IAM_ORACLE_HOME/idmtools/bin

    Note:

    When you run the idmConfigTool, it creates or appends to the file idmDomainConfig.param. This file is generated in the same directory that the idmConfigTool is run from. To ensure that each time the tool is run, the same file is appended to, always run the idmConfigTool from the directory:

    IAM_ORACLE_HOME/idmtools/bin

    The syntax of the command is

    idmConfigTool.sh -configOIM input_file=configfile

    For example:

    IAM_ORACLE_HOME/idmtools/bin/idmConfigTool.sh -configOIM input_file=oimitg.props

    When the script runs you are prompted for the following information:

    • Access Gate Password

    • SSO Keystore Password

    • Global Passphrase

    • Idstore Admin Password

    • MDS Database schema password

    • Admin Server User Password

    Sample output:

    Enter sso access gate password : 
Enter sso keystore jks password : 
Enter sso global passphrase : 
Enter mds db schema password : 
Enter idstore admin password : 
Enter admin server user password : 
 
 
********* Seeding OAM Passwds in OIM *********
 
 
Completed loading user inputs for - CSF Config
 
 
Completed loading user inputs for - Dogwood Admin WLS
 
Connecting to t3://ADMINVHN.mycompany.com:7001
 
Connection to domain runtime mbean server established
 
Seeding credential :SSOAccessKey
 
Seeding credential :SSOGlobalPP
 
Seeding credential :SSOKeystoreKey
 
 
********* ********* *********
 
 
********* Activating OAM Notifications *********
 
 
Completed loading user inputs for - MDS DB Config
 
Apr 3, 2012 11:56:09 PM oracle.mds
NOTIFICATION: PManager instance is created without multitenancy support as JVM flag "oracle.multitenant.enabled" is not set to enable multitenancy support.
Initialized MDS resources
 
Apr 3, 2012 11:56:09 PM oracle.mds
NOTIFICATION: PManager instance is created without multitenancy support as JVM flag "oracle.multitenant.enabled" is not set to enable multitenancy support.
Apr 3, 2012 11:56:10 PM oracle.mds
NOTIFICATION: transfer operation started.
Apr 3, 2012 11:56:10 PM oracle.mds
NOTIFICATION: transfer is completed. Total number of documents successfully processed : 1, total number of documents failed : 0.
Upload to DB completed
 
 
Releasing all resources
 
Notifications activated.
 
 
********* ********* *********
 
 
********* Seeding OAM Config in OIM *********
 
 
Completed loading user inputs for - OAM Access Config
 
Validated input values
 
Initialized MDS resources
 
Apr 3, 2012 11:56:10 PM oracle.mds
NOTIFICATION: PManager instance is created without multitenancy support as JVM flag "oracle.multitenant.enabled" is not set to enable multitenancy support.
Apr 3, 2012 11:56:10 PM oracle.mds
NOTIFICATION: transfer operation started.
Apr 3, 2012 11:56:10 PM oracle.mds
NOTIFICATION: transfer is completed. Total number of documents successfully processed : 1, total number of documents failed : 0.
Download from DB completed
 
Releasing all resources
 
Updated /u01/oracle/products/access/iam/server/oamMetadata/db/oim-config.xml
 
Initialized MDS resources
 
Apr 3, 2012 11:56:10 PM oracle.mds
NOTIFICATION: PManager instance is created without multitenancy support as JVM flag "oracle.multitenant.enabled" is not set to enable multitenancy support.
Apr 3, 2012 11:56:10 PM oracle.mds
NOTIFICATION: transfer operation started.
Apr 3, 2012 11:56:10 PM oracle.mds
NOTIFICATION: transfer is completed. Total number of documents successfully processed : 1, total number of documents failed : 0.
Upload to DB completed
 
 
Releasing all resources
 
OAM configuration seeded. Please restart oim server.
 
 
********* ********* *********
 
 
********* Configuring Authenticators in OIM WLS *********
 
 
Completed loading user inputs for - LDAP connection info
 
Connecting to t3://ADMINVHN.mycompany.com:7001
 
Connection to domain runtime mbean server established
 
Starting edit session
 
Edit session started
 
Connected to security realm.
 
Validating provider configuration
 
Validated desired authentication providers
 
Created OAMIDAsserter successfuly
 
OAMIDAsserter is already configured to support 11g webgate
 
Created OIMSignatureAuthenticator successfuly
 
Control flags for authenticators set sucessfully
 
Reordering of authenticators done sucessfully
 
Saving the transaction
 
Transaction saved
 
Activating the changes
 
Changes Activated. Edit session ended.
 
Connection closed sucessfully
 
 
********* ********* *********
 
The tool has completed its operation. Details have been logged to automation.log

    Note:

    If you have already enabled single sign-on for your WebLogic Administration Consoles as described in Section 13.3, "Enabling Host Name Verification Certificates for Node Manager" when this script is run, you might see the following errors when this script is run:

    ERROR: Desired authenticators already present. [Ljava.lang.String;@7fdb492]
ERROR: Error occurred while configuration. Authentication providers to be configured already present.
ERROR: Rolling back the operation..

    These errors can be ignored.

  4. Check the log file for errors and correct them if necessary.

  5. Restart the Administration Servers as described in Section 16.1, "Starting and Stopping Oracle Identity Management Components."

12.21.5 Updating Existing LDAP Users with Required Object Classes

You must update existing LDAP users with the object classes OblixPersonPwdPolicy, OIMPersonPwdPolicy, and OblixOrgPerson.

Note:

This is not required in the case of a fresh setup where you do not have any existing users.

  1. On IDMHOST1, create a properties file for the integration called user.props, with the following contents:

    IDSTORE_HOST: oudinternal.mycompany.com
IDSTORE_PORT: 1489
IDSTORE_ADMIN_USER: cn=oudadmin
IDSTORE_DIRECTORYTYPE: OUD
IDSTORE_USERSEARCHBASE: cn=Users,dc=mycompany,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=mycompany,dc=com
PASSWORD_EXPIRY_PERIOD: 7300
IDSTORE_LOGINATTRIBUTE: uid

    Where:

    • OUDINTERNAL_HOST is the name of LDAP server. For example:

      oudinternal.mycompany.com

    • IDSTORE_PORT is the port of the LDAP server.

    • IDSTORE_ADMIN_USER is the bind DN of an administrative user. For example:

      cn=oudadmin

    • IDSTORE_DIRECTORYTYPE is the type of directory, valid value is OUD.

    • IDSTORE_USERSEARCHBASE is the location of users in the directory. For example:

      cn=Users,dc=mycompany,dc=com

    • IDSTORE_GROUPSEARCHBASE is the location of groups in the directory. For example:

      cn=Groups,dc=mycompany,dc=com

    • IDSTORE_LOGINATTRIBUTE this is the directory login attribute name. For example:

      uid.

    • PASSWORD_EXPIRY_PERIOD is the password expiry period.

  2. Set ORACLE_HOME to IAM_ORACLE_HOME.

    Set MW_HOME to MW_HOME.

    Set JAVA_HOME to JAVA_HOME.

  3. Upgrade existing LDAP, using the command idmConfigTool, which is located at: IAM_ORACLE_HOME/idmtools/bin

    Note:

    When you run the idmConfigTool, it creates or appends to the file idmDomainConfig.param. This file is generated in the same directory that the idmConfigTool is run from. To ensure that each time the tool is run, the same file is appended to, always run the idmConfigTool from the directory:

    IAM_ORACLE_HOME/idmtools/bin

    The syntax of the command is:

    idmConfigTool.sh -upgradeLDAPUsersForSSO input_file=configfile

    For example:

    idmConfigTool.sh -upgradeLDAPUsersForSSO input_file=user.props

    When prompted, enter the password of the user you are using to connect to your Identity Store.

    Sample output:

    Enter IDSTORE_ADMIN_PASSWD :
********* Upgrading LDAP Users With OAM ObjectClasses *********
 
 
Completed loading user inputs for - LDAP connection info
 
 
Completed loading user inputs for - LDAP Upgrade
 
Upgrading ldap users at - cn=Users,dc=mycompany,dc=com
 
Parsing - cn=weblogic_idm,cn=Users,dc=mycompany,dc=com
 
objectclass OIMPersonPwdPolicy not present in cn=weblogic_idm,cn=Users,dc=mycompany,dc=com. Seeding it
 
obpasswordexpirydate added in cn=weblogic_idm,cn=Users,dc=mycompany,dc=com
 
 
Parsing - cn=oamadmin,cn=Users,dc=mycompany,dc=com
 
objectclass OIMPersonPwdPolicy not present in cn=oamadmin,cn=Users,dc=mycompany,dc=com. Seeding it
 
obpasswordexpirydate added in cn=oamadmin,cn=Users,dc=mycompany,dc=com
 
 
Finished parsing LDAP
 
 
LDAP Users Upgraded.

See Also:

Oracle Fusion Middleware Integration Overview for Oracle Identity Management Suite for more information about the idmConfigTool command.

12.21.6 Update TAP Authentication Scheme

After integrating Oracle Access Management Access Manager with Oracle Identity Manager, you must update the TAP authentication scheme to perform user validation using the LDAP attribute uid.

Proceed as follows:

  1. Log in to the OAM console at: http://ADMIN.mycompany.com/oamconsole

  2. Click Policy Configuration.

  3. Click TAPResponseOnlyScheme under Authentication Schemes.

  4. Click Open.

  5. Add MatchLDAPAttribute=uid to the Challenge Parameters field.

  6. Click Apply.

  7. Restart the Administration Server and the Access Manager managed servers as described in Section 16.1, "Starting and Stopping Oracle Identity Management Components."

12.21.7 Managing the Password of the xelsysadm User

After you integrate Oracle Identity Manager with Access Manager, two xelsysadm accounts exist. One is the internal account created by Oracle Identity Manager. The other is the account you created in the Identity Store in Section 10.4, "Preparing the Identity Store."

The xelsysadm account located in the LDAP store is the one used to access the OIM console. If you want to change the password of this account, change it in LDAP. You can use ODSM to do this. Do not change it through the OIM console.

12.21.8 Enabling Cluster-Level Session Replication Enhancements for OIM and SOA

You can enable session replication enhancements for Managed Servers in a WebLogic cluster to which you will deploy a web application at a later time.

To enable session replication enhancements for oim_cluster:

  1. Log in to the Oracle WebLogic console at: http://ADMIN.mycompany.com/oamconsole

  2. Ensure that Managed Servers in the oim_cluster cluster are up and running, as described in Section 12.12, "Starting SOA and Oracle Identity Manager Managed Servers on IDMHOST1 and IDMHOST2.".

  3. To set replication ports for a Managed Server, such as WLS_OIM1, complete the following steps:

    1. Under Domain Structure, click Environment and Servers. The Summary of Servers page is displayed.

    2. Click Lock & Edit.

    3. Click WLS_OIM1 on the list of servers. The Settings for WLS_OIM1 are displayed.

    4. Click the Cluster tab.

    5. In the Replication Ports field, enter a range of ports for configuring multiple replication channels. For example, replication channels for Managed Servers in oim_cluster can listen on ports starting from 7005 to 7015. To specify this range of ports, enter 7005-7015.

    6. Click Save.

    7. Select Protocols, and then Channels.

    8. Click New.

    9. Enter ReplicationChannel as the name of the new network channel and select t3 as the protocol, then click Next.

    10. Enter the following information:

      Listen address: OIMHOST1VHN.mycompany.com

      Note:

      This is the WLS_OIM1 floating IP assigned to WebLogic Server.

      Listen port: 7005

    11. Click Next, and in the Network Channel Properties page, select Enabled and Outbound Enabled.

    12. Click Finish.

    13. Click Save.

    You must repeat the above steps to create a network channel each for the remaining Managed Servers in the cluster. Enter the required properties, as described in Table 12-5.

    Table 12-5 Network Channels Properties

    Managed Server Name Protocol Listen Address Listen Port Additional Channel Ports

    WLS_OIM2

    ReplicationChannel

    t3

    OIMHOST2VHN.mycompany.com

    7005

    7006 to 7014

    WLS_SOA1

    ReplicationChannel

    t3

    SOAHOST1VHN.mycompany.com

    7005

    7006 to 7014

    WLS_SOA2

    ReplicationChannel

    t3

    SOAHOST2VHN.mycompany.com

    7005

    7006 to 7014

  4. After creating the network channel for each of the Managed Servers in your cluster, click Environment > Clusters. The Summary of Clusters page is displayed.

  5. Click oim_cluster.

    The Settings for oim_cluster page is displayed.

  6. Click the Replication tab.

  7. In the Replication Channel field, ensure that ReplicationChannel is set as the name of the channel to be used for replication traffic.

  8. In the Advanced section, select the Enable One Way RMI for Replication option.

  9. Click Save.

  10. Repeat the steps above for the soa_cluster.

  11. To activate these changes, in the Change Center of the Administration Console, click Activate Changes.

  12. Manually add the system property -Djava.net.preferIPv4Stack=true to the startWebLogic.sh script, which is located in the bin directory of ASERVER_HOME, using a text editor as follows:

    1. Locate the following line in the startWebLogic.sh script:

      . ${DOMAIN_HOME/bin/setDomainEnv.sh $*

    2. Add the following property immediately after the above entry:

      JAVA_OPTIONS="${JAVA_OPTIONS} -Djava.net.preferIPv4Stack=true"

    3. Save the file and close.

  13. Restart the Administration Server and the Access Manager managed servers as described in Section 16.1, "Starting and Stopping Oracle Identity Management Components."

12.21.9 Validating Integration

To validate integration, you must assign Identity Management administrators to WebLogic security groups and install WebGate as described in Chapter 15, "Configuring Single Sign-on for Administration Consoles in an Enterprise Deployment."

To validate that the wiring of Access Manager with Oracle Identity Manager 11g was successful, attempt to log in to the Oracle Identity Manager Self Service Console, as follows:

  1. Using a browser, navigate to:

    https://SSO.mycompany.com/identity

    This redirects you to the OAM11g single sign-on page.

  2. Log in using the xelsysadm user account created in Section 10.4, "Preparing the Identity Store."

  3. If you see the OIM Self Service Console Page, the integration was successful.

You can perform additional validation as follows:

  1. Log in to the OIM Console as the xelsysadm user.

  2. Create a new user.

  3. Log out as the xelsysadm user.

  4. Log in as the new user you just created. As the new user, you are redirected to the Password Management page.

  5. Enter the credentials and click Submit. If integration has been performed correctly, you arrive at the page you are trying to access.

12.22 Enabling Oracle Identity Manager to Connect to SOA Using the Administrative Users Provisioned in LDAP

Oracle Identity Manager connects to SOA as SOA administrator, with the username weblogic by default. As mentioned in the previous sections, a new administrator user is provisioned in the central LDAP store to manage Identity Management Weblogic Domain.

Perform the following postinstallation steps to enable Oracle Identity Manager to work with the Oracle WebLogic Server administrator user provisioned in the central LDAP store. This enables Oracle Identity Manager to connect to SOA without any problem:

  1. Log in to Enterprise Manager at the URL listed in Section 16.2, "About Identity Management Console URLs."

  2. Select Farm_IDMDomain –> Identity and Access –> OIM –> oim(11.1.2.0.0).

  3. Select System MBean Browser from the menu or right click to select it.

  4. Select Application defined Mbeans –> oracle.iam –> Server: wls_oim1 –> Application: oim –> XML Config –> Config –> XMLConfig.SOAConfig –> SOAConfig

  5. Change the username attribute to the Oracle WebLogic Server administrator username provisioned in Section 10.4, "Preparing the Identity Store" for example: weblogic_idm.

    Change SOA Config RMI URL to:

    cluster:t3://soa_cluster

    Change SOA Config SOAP URL to:

    http://IDMINTERNAL.mycompany.com:7777

  6. Click Apply.

  7. Select Weblogic Domain –> IDMDomain from the Navigator.

  8. Select Security –> Credentials from the down menu.

  9. Expand the key oim.

  10. Click SOAAdminPassword.

  11. Click Edit.

  12. Change the username to weblogic_idm and set the password to the accounts password.

  13. Click OK.

  14. Add the WLSAdmins group as a member of SOAAdmin application role using the following WLST command:

    ORACLE_COMMON_HOME/wlst.sh
MW_HOME/oracle_common/modules/oracle.jps_11.1.1/common/wlstscripts/grantAppRole.py -principalClass weblogic.security.principal.WLSGroupImpl -appStripe soa-infra -appRoleName SOAAdmin -principalName "WLSAdmins"

    Where WLSADMINS is the group created in Section 10.4, "Preparing the Identity Store" (IDSTORE_WLSADMINGROUP).

  15. Run the reconciliation process to enable the Oracle WebLogic Server administrator, weblogic_idm, to be visible in the OIM Identity Console. Follow these steps:

    1. Log in to the OIM Administration Console at the URL http://ADMIN.mycompany.com/sysadmin as the user xelsysadm.

    2. Click Scheduler under System Management.

    3. Enter LDAP* in the search box.

    4. Click the arrow for the Search Scheduled Jobs to list all the schedulers.

    5. Select LDAP User Create and Update Full Reconciliation.

    6. Click Run Now to run the job.

    7. Repeat for the job Append and LDAP Role Membership Full Reconciliation.

    8. Log in to the OIM Identity Console at the URL listed in Section 16.2, "About Identity Management Console URLs." Perform a search to verify that the user weblogic_idm is visible.

  16. Restart WLS_SOA1 and WLS_SOA2 as described in Section 16.1, "Starting and Stopping Oracle Identity Management Components."

  17. Log in to the WebLogic Console.

  18. Click Lock & Edit in the Change Center.

  19. Navigate to IDMDomain -> Services -> Foreign JNDI Providers

  20. Click on ForeignJNDIProvider-SOA

  21. Under the Configuration -> General tab, change the username to weblogic_idm and specify the corresponding password.

  22. Click Save and Ativate Changes.