4 Oracle Identity Manager Deployment

Ensure that a supported Oracle Database, an Oracle Middleware Home, and an LDAP installation are available.

During the installation phase, after the Repository Creation Utility was run to create Oracle Identity Manager and its dependent schemas, check if the authorization policies or application stripe is seeded correctly using the APM-UI cluster.

Ensure that Oracle Identity Manager and SOA ports are not in use. By default, Oracle Identity Manager Server uses 14000 and SOA Server uses 8001.

Ensure that the database-based OPSS security store configuration is done before running the Oracle Identity Manager configuration wizard.

If large pages are supported and enabled in the Operating System, ensure that JVM is configured as follows:

Arguments:

-XX:+UseLargePages (for HotSpot JVM)

-XX:+UseLargePagesForHeap

-XX:+ForceLargePagesForHeap (for JRockit JVM).

In JRockit JVM, if you are enabling large pages, do not use the argument:

-XX:+UseLargePagesForCode

Oracle Identity Manager uses ApplicationDB, oimOperationsDB, and oimJMSStoreDS data sources deployed on Oracle Web Logic Server. As a general guideline, ensure that the capacity for these data sources is increased as follows:

Initial Capacity=50; Minimum Capacity=50; Max Capacity=150; and Inactive time out=30.

For more information about determining appropriate capacity values for your environment, see ”Performance Tuning Guidelines and Diagnostics Collection for Oracle Identity Manager (OIM) (Doc ID 1539554.1)” on My Oracle Support.

Ensure that default values of Message Buffer Size and Messages Maximum properties are changed to the recommended values, 200MB (209715200 bytes) and 400000, respectively.

Ensure that the properties Maximum Threads Constraint of work managers OIMMDBWorkManager and OIMUIWorkManager are set to 80 and 20, respectively.

Ensured that database indexes for searchable User Defined Attributes (UDF) exist.

Consider SOA JVM memory tuning recommendations described in sections ”Tuning JVM Memory Settings for Oracle Identity Manager” and ”Changing the Number of Open File Descriptors for UNIX (Optional)” in the Oracle Fusion Middleware Performance and Tuning Guide.

Ensure that multicasting is supported between cluster Oracle Identity Manager nodes and make sure that ports 45566 and 3121 are open.

Ensure that the JMS file store is on a shared storage or file system that is available to all Managed Servers in the Oracle Identity Manager cluster.

Ensure that the XMLConfig.cacheConfig Clustered MBean property is set to true.

Use the MBean Browser in Fusion Middleware Control to locate the XMLConfig.CacheConfig MBean under Application Defined MBeans-->oracle.iam-->XMLConfig.CacheConfig-->Cache-->Config-->oim--><version>-->Attributes-->Clustered.

You can also follow the Performance Tuning Guidelines and Diagnostics Collection for Oracle Identity Manager (Doc ID 1539554.1) for more cache tuning options.

Ensure that the OimExternalFrontEndURL (in the discoveryConfig section of oim-config.xml) is set to the external LBR URL, such as https://sso.mycompany.com:443. Ensure that OimFrontEndURL is set to an internal URL, such as http://idminternal.mycompany.com:80.

Ensure that each Oracle Identity Manager domain has its own unique multicast address and it is not shared with other instances in the same subnet.

Ensure that your LDAP is preconfigured as an Identity Store as described in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

Ensure that the Identity Store has the required schemas extended.

Ensure that the Identity Store is seeded with the required users, groups, and privileges, based on the input properties passed to the idmConfigTool.

Ensure that all of the prerequisites for LDAP Sync configuration, as described in the Installation Guide for Oracle Identity and Access Management, are satisfied.

Verify that the physical LDAP is not used directly with Oracle Identity Manager.

Note: If you are configuring LDAP-Sync after configuring Oracle Identity Manager or by manually editing IT Resource Directory Server instance, use the LDAP URL corresponding to OVD against the Server URL, or leave it blank. In the latter case you should configure libOVD.

Ensure that the jpsContextName attribute value is set to oim in SOA and UMS configuration MBeans.

If you are deploying Oracle Identity Manager behind a Load Balancer or a Web Server, ensure that you have configured the Oracle Identity Manager front end URL and the SOA SOAP URL with the Load Balancer/WebServer URL.

If you are using SSL in the communication between Oracle Identity Manager and SOA, ensure that the URLs are configured to use HTTPS and that the keystores in use contain the appropriate certificates.

If SPML calls are not being processed, verify that the client invoking the SPML service is using a compatible Oracle Web Services Manager (Oracle WSM) client and server security policies.

If you are going to create custom scheduled tasks or make any changes to the default configuration of Oracle Identity Manager Scheduler, review ”Creating Custom Scheduled Tasks” in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.

Ensure that the system property Display Certification or Attestation is set to Certification or Both to have certification enabled.

Ensure that the log level is set to warning or lower.

Note: By default, the logging level in Oracle loggers is set to notification. In most cases, this log level is unnecessary and can be changed to warning (TRACE:32) or lower.

Ensure that the Catalog synchronized with base entities.

Ensure that you have determined the frequency of running the schedule task ”Evaluate User Policies”.

Note: By default, this scheduled task runs every 10 minutes.

Ensure that you have reviewed the Usage Recommendation guidelines in the documentation before using Oracle Identity Manager Connectors.

Ensure that the service account used for connectivity has rights to perform operations on the target.

Ensure that the appropriate firewall ports are open.

Ensure that the LDAP replication is configured in Safe-Read mode.

Ensure that the LDAP password policies are lenient when compared to Oracle Identity Manager password policies.

It is recommended that you increase the heap size and permgen memory for production environments and monitor the memory usage pattern. Based on the usage, you can choose to increase or decrease the memory settings.

The following are the initial recommended values for the memory-related tuning parameters:

• JVM Parameter: HotSpot JVM and JRockit JVM

• Minimum Heap Size (Xms): 4GB

• Maximum Heap Size (Xmx): 4GB

• PermSize (-XX:PermSize): 500m (Not applicable for JRockit JVM)

• PermGen size (-XX:MaxPermSize): 1GB (Not applicable for JRockit JVM)

Ensure that the SOA Coherence configuration for the Coherence cluster is done correctly.

For more information about updating the SOA Coherence configuration for Coherence cluster, see ”Updating the Coherence Configuration for the Coherence Cluster” in the Oracle Fusion Middleware High Availability Guide.

Ensure that the User Messaging Service (UMS) mail configuration for notifications is done correctly.

For more information about using UMS for notifications, see ”Using UMS for Notification” in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.

Verify if the audit level system property XL.UserProfileAuditDataCollection is set to the correct audit level.

For more information about the supported audit levels, see ”Audit Levels” in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.

For more information about modifying the value of the system property, see ”Managing System Properties” in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.

To avoid schema password expiration issues, verify that the password expiration policies for the database have been set appropriately.

For more information, see ”Options To Resolve The Expired OIM Schema Password In Oracle Database 11g (Doc ID 1326142.1)” on My Oracle Support.