3 Oracle Access Manager Deployment

This chapter contains a checklist for customers interested in deploying Oracle Access manager with LDAP.

Table 3-1 Oracle Access Manager Deployment Checklist

Requirement Check when Verified

Ensure that a supported Oracle Database, an Oracle Middleware Home, and an LDAP installation are available.

Checkbox

Ensure that Oracle Access Manager, OPSS, and Audit schemas are created using Repository Creation Utility (RCU).

Checkbox

Ensure that the WebLogic Domain hosting Oracle Access manager is running in Production mode instead of Development mode.

Checkbox

Ensure that Oracle Access Manager ports are not in use in addition to the HTTP/HTTPS ports used by Oracle Access Manager WebLogic Server Cluster, Oracle Access Manager also uses OAP and Coherence Ports (default value 5575, 9095 respectively).

Checkbox

Ensure that IDMDomainAgent is removed from the Weblogic Domain running Oracle Access Manager, as the WebGate setup in enterprise deployments handles single sign-on.

Checkbox

Ensure that JVM is tuned to make maximum use of machine capacity. Ensure that the XMS and XMX values are set to same level (4-8 GB depending on machine capacity).

Note: You can update JVM tuning parameters in the <Domain_HOME>/bin/setDomainEnv script. After updating the tuning parameters, you must restart Oracle Access Manager servers.

Checkbox

Ensure that your LDAP is preconfigured as an Identity Store as described in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

Checkbox

Ensure that the Identity Store has the required schemas extended.

Note: The specific schemas are loaded when the ID Store is prepared. They are also present in the $IAM_ORACLE_HOME/oam/ldap/schema directory.

Checkbox

Ensure that the Identity Store is seeded with the required users, groups, and privileges, based on the input properties passed to the idmConfigTool.

Checkbox

Ensure that the idmConfigTool is used to configure Oracle Access Manager.

Note: When you configure Oracle Access Manager by using the idmConfigTool, Oracle Access Manager is configured to use LDAP, and an Access Manager Webgate agent is created.

Checkbox

Ensure that the LDAP Identity Store is configured in the Access Management Suite by using the Oracle Access Manager Administration Console.

Checkbox

Ensure that Webgate/Agent communication to Oracle Access Manager servers is in either SIMPLE or CERT mode.

Checkbox

Ensure that Oracle HTTP Server is front ending Access Manager Admin Console and has a webgate wired to Access Manager using the WebGate Agent profile created by idmConfigTool.

Checkbox

Ensure that the Security Store is configured immediately after configuring Oracle Access Management WebLogic domain. You must do this before starting Oracle Access Manager servers.

Checkbox

Ensure that WebLogic Server providers are configured correctly with OUD Authenticator or LDAP Authenticator pointing to the OUD Store or to the LDAP Store, respectively. You must configure WLS providers in the following sequence:

  • OAMIDAsserter

  • OUD Authenticator (or LDAP Authenticator)

  • Default Authenticator

  • Default Identity Asserter

Checkbox

Ensure that the WLSAdmins Group is added to the list of WebLogic Administrators. This is the group created when the LDAP Store was prepared.

Checkbox

Ensure that Oracle Access Manager's performance is tuned based on the tuning guidelines. For more information, see ”Oracle Access Management Performance Tuning” in the Oracle Fusion Middleware Performance and Tuning Guide.

Checkbox

Ensure that you have configured a custom login and error pages to meet your deployment requirements.

Checkbox

Ensure that Webgate to Oracle Access Manager connectivity parameters are set to proper values:

Threshold Timeout: Set to 10 seconds instead of the default value of -1.

Max Session Time: Set to the half of firewall timeout between Webgate and the Oracle Access Manager server.

Checkbox

Ensure that Oracle Access Manager to LDAP connectivity parameters are set to proper values:

Connection Refresh time is set to half of the firewall timeout between Oracle Access Manager and LDAP store.

Request time out is set to 2 seconds or higher.

Checkbox

Ensure that the Load Balancer is configured to populate the IS_SSL=ssl header if terminating SSL in front of web servers where webgate is installed.

Checkbox

Ensure Oracle Access Manager front end URL that is collecting user credentials is configured for SSL.

Checkbox

Confirm that Oracle Access Manager-protected applications are not using the IAMSuiteAgent Host Identifier.

Checkbox

Confirm that common image file patterns are part of the excluded URL list (*.css, *.gif, *.png).

Checkbox

If you have excluded the 'root' patterns, '/*', '/…/*' or '/**' in an Application Domain, ensure that you fully understand the security implications.

Checkbox

If you have set 'DenyOnNotProtected' to false in Webgate profile, ensure that you fully understand the security implications.

Checkbox

If managing password policy in Oracle Access Manager, ensure that the password policy is more restrictive that the policy used at LDAP level. This will ensure that the Directory/LDAP password never supersedes enforcement at the Oracle Access Management level.

Checkbox

Ensure that you have reviewed the amount of Audit data produced for production load and adjusted settings (Low, Medium, High), so that only desired audit data is generated.

Checkbox

Ensure that you have an Audit data purge scheduled that is compliant with your data retention policies.

Checkbox