This chapter contains a checklist for customers interested in deploying Oracle Access Manager with LDAP.

Table 3-1 Oracle Access Manager Deployment Checklist

| Requirement | Check when Verified |
|---|---|
| Ensure that a supported Oracle Database, an Oracle Middleware Home, and an LDAP installation are available. | |
| Ensure that the Oracle Access Manager, OPSS, and Audit schemas are created using the Repository Creation Utility (RCU). | |
| Ensure that the WebLogic Domain hosting Oracle Access Manager is running in Production mode rather than Development mode. | |
| Ensure that the Oracle Access Manager ports are not already in use. In addition to the HTTP/HTTPS ports used by the Oracle Access Manager WebLogic Server Cluster, Oracle Access Manager also uses the OAP and Coherence ports (default values 5575 and 9095, respectively). | |
| Ensure that IDMDomainAgent is removed from the WebLogic Domain running Oracle Access Manager, as the WebGate setup in enterprise deployments handles single sign-on. | |
| Ensure that the JVM is tuned to make maximum use of machine capacity. Ensure that the XMS and XMX values are set to the same level (4-8 GB, depending on machine capacity). Note: You can update JVM tuning parameters in the | |
| Ensure that your LDAP is preconfigured as an Identity Store as described in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management. | |
| Ensure that the Identity Store has the required schemas extended. Note: The specific schemas are loaded when the ID Store is prepared. They are also present in the | |
| Ensure that the Identity Store is seeded with the required users, groups, and privileges, based on the input properties passed to the idmConfigTool. | |
| Ensure that the idmConfigTool is used to configure Oracle Access Manager. Note: When you configure Oracle Access Manager by using the idmConfigTool, Oracle Access Manager is configured to use LDAP, and an Access Manager WebGate agent is created. | |
| Ensure that the LDAP Identity Store is configured in the Access Management Suite by using the Oracle Access Manager Administration Console. | |
| Ensure that WebGate/Agent communication to the Oracle Access Manager servers is in either SIMPLE or CERT mode. | |
| Ensure that Oracle HTTP Server is front-ending the Access Manager Admin Console and has a WebGate wired to Access Manager using the WebGate Agent profile created by idmConfigTool. | |
| Ensure that the Security Store is configured immediately after configuring the Oracle Access Management WebLogic domain. You must do this before starting the Oracle Access Manager servers. | |
| Ensure that the WebLogic Server providers are configured correctly, with the OUD Authenticator or LDAP Authenticator pointing to the OUD Store or to the LDAP Store, respectively. You must configure the WLS providers in the following sequence: | |
| Ensure that the WLSAdmins Group is added to the list of WebLogic Administrators. This is the group created when the LDAP Store was prepared. | |
| Ensure that Oracle Access Manager's performance is tuned based on the tuning guidelines. For more information, see "Oracle Access Management Performance Tuning" in the Oracle Fusion Middleware Performance and Tuning Guide. | |
| Ensure that you have configured custom login and error pages to meet your deployment requirements. | |
| Ensure that the WebGate to Oracle Access Manager connectivity parameters are set to proper values: Threshold Timeout: set to 10 seconds instead of the default value of -1. Max Session Time: set to half of the firewall timeout between the WebGate and the Oracle Access Manager server. | |
| Ensure that the Oracle Access Manager to LDAP connectivity parameters are set to proper values: Connection Refresh time is set to half of the firewall timeout between Oracle Access Manager and the LDAP store. Request timeout is set to 2 seconds or higher. | |
| Ensure that the Load Balancer is configured to populate the IS_SSL=ssl header if it terminates SSL in front of the web servers where the WebGate is installed. | |
| Ensure that the Oracle Access Manager front-end URL that collects user credentials is configured for SSL. | |
| Confirm that Oracle Access Manager-protected applications are not using the IAMSuiteAgent Host Identifier. | |
| Confirm that common image file patterns are part of the excluded URL list (*.css, *.gif, *.png). | |
| If you have excluded the 'root' patterns '/*', '/…/*' or '/**' in an Application Domain, ensure that you fully understand the security implications. | |
| If you have set 'DenyOnNotProtected' to false in the WebGate profile, ensure that you fully understand the security implications. | |
| If managing the password policy in Oracle Access Manager, ensure that the password policy is more restrictive than the policy used at the LDAP level. This ensures that the Directory/LDAP password policy never supersedes enforcement at the Oracle Access Management level. | |
| Ensure that you have reviewed the amount of Audit data produced under production load and adjusted the settings (Low, Medium, High) so that only the desired audit data is generated. | |
| Ensure that you have an Audit data purge scheduled that is compliant with your data retention policies. | |
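The numeric and boolean items in the checklist (equal -Xms/-Xmx in the 4-8 GB range, the WebGate and LDAP timeouts derived from the firewall timeout, root-style exclusions, DenyOnNotProtected, the IAMSuiteAgent Host Identifier) can be verified mechanically before sign-off. The Python below is an added example, not part of Oracle's documentation or tooling; the settings dict layout and its key names are assumptions standing in for values an administrator reads out of the console and WebGate profile.

```python
import re

GB = 1024 ** 3
UNIT = {"": 1, "k": 1024, "m": 1024 ** 2, "g": GB}

def parse_heap(jvm_args):
    """Return {'Xms': bytes, 'Xmx': bytes} for the heap flags present in a JVM argument string."""
    return {flag: int(num) * UNIT[suf.lower()]
            for flag, num, suf in re.findall(r"-(Xms|Xmx)(\d+)([kKmMgG]?)", jvm_args)}

def audit_oam_settings(cfg):
    """Apply the checklist's numeric/boolean rules to a settings dict; return a list of findings."""
    f = []
    heap = parse_heap(cfg["jvm_args"])
    if heap.get("Xms") != heap.get("Xmx"):
        f.append("JVM: -Xms and -Xmx must be set to the same value")
    if not 4 * GB <= heap.get("Xmx", 0) <= 8 * GB:
        f.append("JVM: -Xmx outside the 4-8 GB range")
    wg = cfg["webgate"]
    if wg["threshold_timeout"] == -1:
        f.append("WebGate: Threshold Timeout at default -1; set to 10 s")
    want = cfg["firewall_timeout_webgate_oam"] // 2   # half the WebGate<->OAM firewall timeout
    if wg["max_session_time"] != want:
        f.append(f"WebGate: Max Session Time should be {want} s")
    if not wg["deny_on_not_protected"]:
        f.append("WebGate: DenyOnNotProtected is false; review the security implications")
    ldap = cfg["ldap"]
    want = cfg["firewall_timeout_oam_ldap"] // 2      # half the OAM<->LDAP firewall timeout
    if ldap["connection_refresh"] != want:
        f.append(f"LDAP: Connection Refresh should be {want} s")
    if ldap["request_timeout"] < 2:
        f.append("LDAP: Request timeout must be 2 s or higher")
    # '/*', '/**' or any '<path>/*' pattern excluded from protection deserves review
    root_like = [p for p in cfg["excluded_urls"] if p in ("/*", "/**") or p.endswith("/*")]
    if root_like:
        f.append(f"Policy: root-style exclusions {root_like}; review the security implications")
    if cfg["host_identifier"] == "IAMSuiteAgent":
        f.append("Policy: protected application uses the IAMSuiteAgent Host Identifier")
    return f

# Constructed sample, not taken from a real domain: several checklist items are still unmet.
SAMPLE = {
    "jvm_args": "-server -Xms2g -Xmx6g",
    "webgate": {"threshold_timeout": -1, "max_session_time": 3600, "deny_on_not_protected": False},
    "ldap": {"connection_refresh": 900, "request_timeout": 1},
    "firewall_timeout_webgate_oam": 3600,
    "firewall_timeout_oam_ldap": 1800,
    "excluded_urls": ["*.css", "*.gif", "*.png", "/**"],
    "host_identifier": "IAMSuiteAgent",
}
```

Running `audit_oam_settings(SAMPLE)` reports seven findings; a domain that meets every checked item returns an empty list.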