18 Configuring Oracle Access Manager Using WDT
Install and configure an initial domain, which can be used as the starting point for an enterprise deployment. Later, configure the domain.
A complete Oracle Identity and Access Management uses a split domain deployment, where there is a single domain for Oracle Access Management and a different domain for Oracle Identity Governance.
In version 4.1.2 of the WebLogic Kubernetes Operator, two different methods to create Oracle WebLogic domains are available. The traditional WLST method uses WLST scripts to create the domain which is the method employed in the Enterprise Deployment Guide for several releases.
Starting with this release, the Enterprise Deployment Guide will use the Weblogic Deployment Tools (WDT) to create the domains. The WDT uses templates to create domains which simplifies the installation procedure. For more information about WebLogic deployment tools, see WebLogic Deploy Tooling
This chapter includes the following topics:
- About the Initial Infrastructure Domain
Before you create the initial Infrastructure domain, ensure that you review the key concepts. - Installing Oracle Access Manager (OAM) on the Kubernetes Infrastructure
Before creating the OAM Kubernetes infrastructure, you should have downloaded the Oracle Access Manager Image and installed the Oracle WebLogic Operator. - Creating a Namespace for Oracle Access Manager
Create a namespace to contain all the Oracle Access Manager Kubernetes objects. - Creating a Container Registry Secret
If you are using a container registry and want to pull the Oracle container images on demand, you must create a secret which contains the login details of the container registry. - Creating a Kubernetes Secret for Docker Hub Images
This secret allows Kubernetes to pull an image fromhub.docker.comwhich contains third-party images such ashelm,kubectl, andlogstashcommands. - Creating the Database Schemas for Access Manager
Oracle Fusion Middleware components require schemas in a database, these schemas are created by the WebLogic Deployment Tools at the time of deployment. - Creating the Oracle Access Manager Domain
To configure the Oracle Access Manager domain, you should configure the WebLogic Operator for the domain namespace, create the Kubernetes secrets, and then create the Access domain. - Updating the Domain
When you first create the domain, some information may be missing. You can add this information using a simplecurlscript. - Performing the Post-Configuration Tasks for Oracle Access Management Domain
The post-configuration tasks for the OAM domain include creating the server overrides file and updating the data sources. - Restarting the Domain
Restart the domain for the changes to take effect. - Validating the Administration Server
Before you perform the configuration steps, validate that the Administration Server has started successfully by ensuring that you have access to the Oracle WebLogic Server Administration Console and Oracle Enterprise Manager Fusion Middleware Control, both installed and configured on the Administration Server. - Removing OAM Server from WebLogic Server 12c Default Coherence Cluster
Exclude all Oracle Access Management (OAM) clusters (including Policy Manager and OAM runtime server) from the default WebLogic Server 12c coherence cluster by using the WebLogic Server Administration Console. - Tuning the WebLogic Server
Tune the WebLogic Server for optimum performance by adding the Minimum Thread Constraint and removing the Max Thread and Capacity constraints. - Enabling Virtualization
You can use the Fusion Middleware Control to enable virtualization. - Restarting the Domain
Restart the domain for the changes to take effect. - Configuring and Integrating with LDAP
Configuration and integration of OAM with LDAP requires you to first set a global passphrase. You then configure OAM to use the LDAP directory. In addition, create the Webgate_IDM agent if not present and finally assign administration rights to the LDAP users to access the MBeans stored in the Administration Server. - Updating WebGate Agents
When you runidmConfigTool, it changes the default OAM security model and creates a new WebGate SSO agent. However, it does not change the existing WebGate SSO agents to the new security model. After you runidmConfigTool, you must update any WebGate agents that previously existed. - Updating Host Identifiers
When you access the domain, you enter using different load balancer entry points. You must add each of these entry points (virtual hosts) to the policy list. Adding these entry points ensures that if you request access to a resource usinglogin.example.comorprov.example.com, you have access to the same set of policy rules. - Adding the Missing Policies to OAM
If any policies are missing, you have to add to ensure that Oracle Access Manager functions correctly. - Validating the Authentication Providers
Set the order of identity assertion and authentication providers in the WebLogic Server Administration Console. - Configuring Oracle ADF and OPSS Security with Oracle Access Manager
Some Oracle Fusion Middleware management consoles use Oracle Application Development Framework (Oracle ADF) security, which can integrate with Oracle Access Manager Single Sign-on (SSO). These applications can take advantage of Oracle Platform Security Services (OPSS) SSO for user authentication, but you must first configure the domain-leveljps-config.xmlfile to enable these capabilities. - Enabling Forgotten Password
This section describes how to set up the One Time Pin forgotten password functionality which is provided with Oracle Access Manager - Restarting the Access Domain
Restart the Access domain in Kubernetes for the changes to take effect. - Setting the Initial Server Count
When you first created the domain, you specified that only one Managed Server should be started. After you complete the configuration, you can increase the initial server count to the actual number you require. - Centralized Monitoring Using Grafana and Prometheus
If you are using a centralized Prometheus and Grafana deployment to monitor your infrastructure, you can send Oracle Access Management data to this application. - Centralized Log File Monitoring Using Elasticsearch and Kibana
If you are using Elasticsearch and Kibana, you can configure a Logstash pod to send the log files to the centralized Elasticsearch/Kibana console. Before you configure the Logstash pod, ensure that you have access to a centralized Elasticsearch deployment. - Backing Up the Configuration
As a best practice, Oracle recommends you to back up the configuration after you have successfully extended a domain or at another logical point. Back up only after you have verified that the installation is successful so far. This is a quick backup to enable immediate restoration in case of problems in later steps.
Parent topic: Configuring the Enterprise Deployment
About the Initial Infrastructure Domain
Before you create the initial Infrastructure domain, ensure that you review the key concepts.
- About the Software Distribution
- Characteristics of the Domain
- Variables Used in this Chapter
- Kubernetes Services
Parent topic: Configuring Oracle Access Manager Using WDT
About the Software Distribution
You create the initial infrastructure domain for an enterprise deployment by using the Oracle Weblogic Operator. The Oracle Access Manager software is distrubted as a pre-built container image. See Identifying and Obtaining Software Distributions for an Enterprise Deployment. This distribution contains all of the necessary components to install and configure Oracle Access Manager.
See Understanding Oracle Fusion Middleware Infrastructure in Understanding Oracle Fusion Middleware.
Parent topic: About the Initial Infrastructure Domain
Characteristics of the Domain
The following table lists some of the key characteristics of the domain that you are about to create. Reviewing these characteristics helps you to understand the purpose and context of the procedures that are used to configure the domain.
Many of these characteristics are described in more detail in Understanding a Typical Enterprise Deployment.
| Characteristic of the Domain | More Information |
|---|---|
|
Each WebLogic Server is placed into a pod in the Kubernetes cluster. |
|
|
Places each Kubernetes domain object in a dedicated Kubernetes namespace. |
|
|
Uses Kubernetes services to interact with the WebLogic Managed Servers. |
|
|
Uses Kubernetes persistent volumes to hold the domain configuration. |
See unresolvable-reference.html#GUID-373A3448-D7BA-41F6-BFDB-4D7DDB2B03F1. |
|
Each Kubernetes pod is built from a pre-built Oracle container image. |
See Identifying and Obtaining Software Distributions for an Enterprise Deployment. |
|
Uses a per domain Node Manager configuration. |
See About the Node Manager Configuration in a Typical Enterprise Deployment. |
|
Requires a separately installed LDAP-based authentication provider. |
|
|
Certificates are stored in Oracle Keystore Service. |
Parent topic: About the Initial Infrastructure Domain
Variables Used in this Chapter
The later sections of this chapter provide instructions to create a number of files. These sample files contain variables which you need to substitute with values applicable to your deployment.
Variables are formatted as <VARIABLE_NAME>. The following table provides the values you should set for each of these variables.
Table 18-1 The Variables to be Changed
| Variable | Sample Value(s) | Description |
|---|---|---|
|
<REGISTRY_ADDRESS> |
|
The location of the container registry. |
|
<REGISTRY_SECRET_NAME> |
|
The name of the Kubernetes secret containing the container registry credentials. Required only if you are pulling images directly from a container registry. See Creating a Container Registry Secret. |
|
<REG_USER> |
|
The name of the user you use to log in to the container registry. |
|
<REG_PWD> |
<password> |
The container registry user password. |
|
<OAM_REPOSITORY> |
|
The name of the OAM software repository. If you have downloaded and staged a container image,
this value will be: If you are using the Oracle container registry, the
value will be:
If you are using a container registry, the value
will be the name of the registry with the product name:
|
|
<OAM_VER> |
|
The version of the image you want to use. The value will be the version you have downloaded and staged either locally or in the container registry. |
|
<PVSERVER> |
|
The name or IP address of the NFS server. Note: This name should be resolvable inside the Kubernetes cluster. |
|
<OAMNS> |
oamns |
The domain namespace to be used to store OAM objects. |
|
<WORKDIR> |
|
The location where you want to create the working directory for OAM. |
|
<K8_WORKDIR> |
|
Working directory inside the Kubernetes container. |
|
<OAM_SHARE> |
|
The NFS export for the persistence store. |
|
<OAM_DB_SCAN> |
|
The SCAN address of the database cluster. |
|
<OAM_DB_LISTENER> |
|
The database listener port number. |
|
<OAM_DB_SERVICE> |
|
The name of the database service to use. |
|
<OAM_DB_SYS_PWD> |
|
The SYS password for the database. |
|
<OAM_RCU_PREFIX> |
|
The prefix used when the database schemas are created. |
|
<OAM_COOKIE_DOMAIN> |
|
The domain you want to associate the OAM cookie with this is normally the same as the <LDAP_SEARCHBASE> in the domain format. |
|
<OAM_OIG_INTEG> |
|
If you are intending Oracle Identity Governance to
handle forgotten password functionality, set this parameter to
|
|
<OAM_SCHEMA_PWD> |
|
The password you want to set for the product schemas being created. |
|
<OAM_DOMAIN_NAME> |
|
The name of the Kubernetes domain to be created. |
|
<OAM_DOMAIN_SECRET> |
|
The name of the secret you want to create, for the
namespace that is used. The name of the secret must be
|
|
<OAM_ADMIN_LBR_HOST> |
|
The virtual host of the OAM administration functions. |
|
<OAM_RCU_SECRET> |
|
The name of the RCU secret. The name of the secret
must be |
|
<OAM_LOGIN_LBR_HOST> |
|
The name of your login load balancer virtual name. |
|
<OAM_LOGIN_LBR_PROTOCOL> |
|
The type of access protocol used for the login load
balancer. In an SSL terminated environment, this value will be
|
|
<OAM_LOGIN_LBR_PORT> |
|
The port of the login load balancer virtual name. |
|
<OAM_OAP_HOST> |
|
An externally resolvable host name for legacy WebGate communications. This host can be either a Kubernetes worker node or a load balancer entry point that points to multiple Kubernetes worker nodes. If you are only interacting inside the Kubernetes
cluster, the host name will be
|
|
<OAP_MODE> |
|
The OAP security mode you want to use if you are
using the native OAP calls from WebGate. Oracle recommends that
you conduct interactions with OAM using OAP over REST, in which
case the transport mode is not used. In these scenarios, set the
<OAP_MODE> to |
|
<WG_CONNECTIONS> |
|
The maximum number of connections supported by the WebGate agent. |
|
<OAM_SERVER_COUNT> |
|
The number of Managed Servers required. Oracle highly recommends you to set this value to a number greater than the anticipated need in the system's lifetime. It creates a number of server definitions in the WebLogic domain and ensures that you have a simple mechanism to scale up the system when the demand increases. This value does not reflect the number of server instances you actually start with; it just enables you to start additional servers if your needs change. Adding additional server definitions post domain creation is a complex task and should be avoided, if possible. |
|
<OAM_INITIAL_SERVERS> |
|
The number of Managed Servers to start. Oracle recommends you to set this value to 1 for the the duration of the configuration. |
|
<OAM_MAX_CPU> |
|
The maximum number of CPUs each |
|
<OAM_CPU> |
|
The initial number of CPUs each |
|
<OAM_MAX_MEMORY> |
|
The maximum amount of memory that the |
|
<OAM_MEMORY> |
|
The initial amount of memory that the |
|
<OAMSERVER_JAVA_PARAMS> |
|
The maximum (Xmx) and minimum heap size allocated to each
OAM_SERVER. The size is represented as a
number of Mb.
Note: The maximum amount of heap size must be less than the maximum amount allowed to be used by the Pod <OAM_MAX_MEMORY> |
|
<LDAP_HOST> |
For OUD, this value will be
|
The name of the host where the LDAP directory is running. |
|
<LDAP_PORT> |
|
The port used to connect to LDAP. If your directory is stored in a Kubernetes environment, this will be the internal Kubernetes service port. If your directory is outside of Kubernetes, it will be the regular LDAP port. |
|
<LDAP_ADMIN_USER> |
cn=oudadmin |
The user name of the directory administrator. |
|
<LDAP_SEARCHBASE> |
dc=example,dc=com |
The directory tree for your organization. This is where all the data is stored. |
|
<LDAP_GROUP_SEARCHBASE> |
cn=Groups,dc=example,dc=com |
The location in the directory where groups/roles are stored. |
|
<LDAP_USER_SEARCHBASE> |
cn=Users,dc=example,dc=com |
The location in the directory where names of users are stored. |
|
<LDAP_SYSTEMIDS> |
cn=systemids,dc=example,dc=com |
The name of a container where you want to store system ids. The user names placed in this container are not subject to OIM reconciliation or password aging. This container is reserved for users such as <LDAP_OAMLDAP_USER> and <LDAP_OIGLDAP_USER>. |
|
<LDAP_TYPE> |
|
It is the type of directory: OUD or OID. |
|
<LDAP_WLSADMIN_USER> |
weblogic_iam |
The name of the user who administers the WebLogic domain. This name is an LDAP user name used for single sign-on authentication. The <OAM_WEBLOGIC_USER> is the internal WebLogic user name assigned during the domain creation process. |
|
<LDAP_OAMADMIN_USER> |
oamadmin |
The name of the user who administers OAM. |
|
<LDAP_OAMLDAP_USER> |
oamLDAP |
The name of a user that OAM will use to connect to the directory for validating logins. |
|
<LDAP_WLSADMIN_GRP> |
WLSAdministrators |
Users assigned to this role will be able to log in to the WebLogic Administration Console and FMW Control. |
|
<LDAP_OAMADMIN_GRP> |
OAMAdministrators |
Users assigned to this role will be able to log in to the OAM Administration Console and configure OAM. |
|
<OAM_OAP_SERVICE_PORT> |
|
The Kubernetes service port for the OAM OAP requests. |
|
<OAM_ADMIN_PORT> |
|
The internal port assigned to the OAM Administration Server. |
|
<OAM_OAP_PORT> |
|
The internal OAP port number. If you are using the Kubernetes service, this value can be the internal port number. |
|
<OAP_SERVICE_PORT> |
|
The Kubernetes service port which fronts the OAM OAP cluster nodes. If you are using the Kubernetes service, this value can be the internal port number. |
|
<OAM_EXT_T3_PORT> |
|
The external T3 port. |
|
<OAM_OAM_K8> |
|
The Kubernetes service port for the OAM Managed Servers. |
|
<OAM_POLICY_K8> |
|
The Kubernetes service port for the OAM Policy Manager Servers. |
|
<OAM_ADMIN_K8> |
|
The external OAM WebLogic Kubernetes service port for the external WebLogic Administration Server. |
|
<ELK_HOST> |
|
The host and port of the centralized Elasticsearch deployment. This host can be inside the Kubernetes cluster or external to it. This host is used only when Elasticsearch is used. |
|
<ELK_VER> |
|
The version of Elasticsearch you want to use. |
Parent topic: About the Initial Infrastructure Domain
Kubernetes Services
Table 18-2 Kubernetes NodePort Services
| Service Name | Type | Service Port | Mapped Port |
|---|---|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Note: |
|
Table 18-3 Ingress Services
| Service Name | Host Name |
|---|---|
|
|
|
|
|
|
Parent topic: About the Initial Infrastructure Domain
Installing Oracle Access Manager (OAM) on the Kubernetes Infrastructure
Before creating the OAM Kubernetes infrastructure, you should have downloaded the Oracle Access Manager Image and installed the Oracle WebLogic Operator.
- To download the Oracle Access Manager Image and load it into the container image repository (this repository must be visible to each Kubernetes node), see Identifying and Obtaining Software Distributions for an Enterprise Deployment.
- To install the Oracle WebLogic Operator, see Installing and Configuring WebLogic Kubernetes Operator.
- Prerequisites
Before creating the Oracle Access Manager (OAM) on the kubernetes infrastructure, you must download the Oracle Access Manager container image and installed the Oracle WebLogic Operator.
Parent topic: Configuring Oracle Access Manager Using WDT
Prerequisites
Before creating the Oracle Access Manager (OAM) on the kubernetes infrastructure, you must download the Oracle Access Manager container image and installed the Oracle WebLogic Operator.
- To download the Oracle Access Manager Image and load it into the Docker image repository (this repository must be visible to each Kubernetes node), see Identifying and Obtaining Software Distributions for an Enterprise Deployment.
- To install the Oracle WebLogic Operator, see Installing and Configuring WebLogic Kubernetes Operator.
Setting Up a Product Specific Work Directory
Before you begin the installation, you must have downloaded and staged the Oracle Access Manager container image and the sample code repository. See Identifying and Obtaining Software Distributions for an Enterprise Deployment.
You must also have deployed the Oracle WebLogic Operator as described in Installing the WebLogic Kubernetes Operator.
This section describes the procedure to copy the downloaded sample deployment scripts to a temporary working directory on the configuration host for OAM.
- Create a temporary working directory as the install user. The install
user should have
kubectlaccess to the Kubernetes cluster.mkdir -p /<WORKDIR>For example:mkdir -p /workdir/OAM - Change directory to this location:
cd /workdir/OAM - Copy the sample scripts to the work
directory.
cp -R <WORKDIR>/fmw-kubernetes/OracleAccessManagement/kubernetes <WORKDIR>/samplesFor example:cp -R /workdir/OAM/fmw-kubernetes/OracleAccessManagement/kubernetes /workdir/OAM/samples
Parent topic: Prerequisites
Creating a Namespace for Oracle Access Manager
Create a namespace to contain all the Oracle Access Manager Kubernetes objects.
- To create a namespace, use the following
command:
kubectl create namespace oamnsThe output appears as follows:
namespace/oamns created - Tag the namespace so that the WebLogic Kubernetes Operator can manage
it.
kubectl label namespaces oamns weblogic-operator=enabled
Parent topic: Configuring Oracle Access Manager Using WDT
Creating a Container Registry Secret
If you are using a container registry and want to pull the Oracle container images on demand, you must create a secret which contains the login details of the container registry.
If you have staged your container images locally, there is no need to perform this step.
kubectl create secret -n <OAMNS> docker-registry <REGISTRY_SECRET_NAME> --docker-server=<REGISTRY_ADDRESS> --docker-username=<REG_USER> --docker-password=<REG_PWD>kubectl create secret -n oamns docker-registry regcred --docker-server=iad.ocir.io/mytenancy --docker-username=mytenancy/oracleidentitycloudservice/myemail@email.com --docker-password=<password>Parent topic: Configuring Oracle Access Manager Using WDT
Creating a Kubernetes Secret for Docker Hub Images
This secret allows Kubernetes to pull an image from
hub.docker.com which contains third-party images such as helm, kubectl, and
logstash commands.
Note:
If you are pulling the images from your own container registry, then this step is not required.You should have an account on hub.docker.com. If you
want to stage the images in your own repository, you can do so and modify the
helm override file as appropriate.
To create a Kubernetes secret for hub.docker.com, use the following
command:
$ kubectl create secret docker-registry dockercred --docker-server="https://index.docker.io/v1/" --docker-username="<DH_USER>" --docker-password="<DH_PWD>" --namespace=<OAMNS>$ kubectl create secret docker-registry dockercred --docker-server="https://index.docker.io/v1/" --docker-username="username" --docker-password="<mypassword>" --namespace=oamnsParent topic: Configuring Oracle Access Manager Using WDT
Creating the Database Schemas for Access Manager
Oracle Fusion Middleware components require schemas in a database, these schemas are created by the WebLogic Deployment Tools at the time of deployment.
The tool creates the following schemas:
-
Metadata Services (MDS)
-
Audit Services (IAU)
-
Audit Services Append (IAU_APPEND)
-
Audit Services Viewer (IAU_VIEWER)
-
Oracle Platform Security Services (OPSS)
-
User Messaging Service (UMS)
-
WebLogic Services (WLS)
-
Common Infrastructure Services (STB)
-
Oracle Access Manager (OAM)
For more information about RCU and how the schemas are created and stored in the database, see Preparing for Schema Creation in Creating Schemas with the Repository Creation Utility.
You must install and configure a certified database and ensure that the database is up and running.
See Preparing an Existing Database for an Enterprise Deployment
Parent topic: Configuring Oracle Access Manager Using WDT
Creating the Oracle Access Manager Domain
To configure the Oracle Access Manager domain, you should configure the WebLogic Operator for the domain namespace, create the Kubernetes secrets, and then create the Access domain.
Parent topic: Configuring Oracle Access Manager Using WDT
Creating the Kubernetes Secrets
Rather than passing the credentials directly into the domain creation process, you can use the Kubernetes secrets to store the credentials in the encrypted format. The WebLogic Operator reads these secrets instead of asking for credentials.
Parent topic: Creating the Oracle Access Manager Domain
Creating the Domain Secret
The domain secret contains information about the WebLogic Administration user who creates the domain.
Parent topic: Creating the Kubernetes Secrets
Creating the RCU Secret
The RCU secret is used by the WebLogic Operator to determine how to connect to the database schemas that you have already created. See Creating the Database Schemas for Access Manager.
To create the RCU secret, perform the following steps:
Parent topic: Creating the Kubernetes Secrets
Creating the Access Domain
The procedure to create the Access domain includes creating the domain configuration file, creating the domain using the WebLogic Kubernetes Operator, setting the memory parameters, initializing the domain, and verifying the domain.
- Creating the Domain Configuration File
- Generating WDT Auxiliary Image
- Updating domain.yaml
- Creating the Domain Using the WebLogic Operator
- Verifying the Domain
Parent topic: Creating the Oracle Access Manager Domain
Creating the Domain Configuration File
A configuration file is used to tell the WebLogic Operator how to create
the domain. This configuration file is named
create-domain-wdt.yaml and is located in
<WORKDIR>/samples/create-access-domain/domain-home-on-pv/wdt-utils/generate_models_utils/create-domain-wdt.yaml.
Parent topic: Creating the Access Domain
Generating WDT Auxiliary Image
While creating a domain using the WebLogic deployment tool, a dedicated image is created that describes the deployment. This is based on the domain creation file described in Creating the Domain Configuration File. This image is then stored in a local container registry.
The benefit of using an auxiliary image with the configuration is that it can be used repeatedly to create multiple environments with slightly different properties. For example, the same image file can be used to create a development, testing, and production environment where only the database connection details vary. You need not create a new image each time you create a similar environment. This image must be stored in a registry where images are loaded, and you need have access to this registry.
The following sections describe how to generate the WDT model files, create an auxiliary image, and upload it to your repository.
Generating WDT Model Files
Perform the following steps to generate the WDT model files from the Domain Configuration file:
- Change the directory to WDT utils directory of the samples
downloaded.
cd <WORKDIR>/samples/create-access-domain/domain-home-on-pv/wdt-utils/generate_models_utilsFor Example:
cd /workdir/OAM//samples/create-access-domain/domain-home-on-pv/wdt-utils/generate_models_utils - Generate the model files using the
generate_wdt_models.shutility../generate_wdt_models.sh -i <WORKDIR>/create-domain-wdt.yaml -o <WORKDIR>Use
-ito specify the location of the Domain configuration file you created in Creating the Domain Configuration File.Use
-oto specify where the WDT Model files and templates should be created.For Example:
./generate_wdt_models.sh -i /workdir/OAM/create-domain-wdt.yaml -o /workdir/OAMAfter running the utility, a directory is created called
weblogic-domainswhich contain the generated files.
Sample Output with Input Parameters
export version="create-weblogic-sample-domain-inputs-v1"
export adminPort="7001"
export domainUID="accessdomain"
export configuredManagedServerCount="5"
export initialManagedServerReplicas="1"
export productionModeEnabled="true"
export t3ChannelPort="30012"
export datasourceType="agl"
export edgInstall="true"
export domainHome="/u01/oracle/user_projects/domains/accessdomain"
export image="iad.ocir.io/<mytenancy>/oam:12.2.1.4-jdk8-ol8-240112"
export imagePullSecretName="regcred"
export logHome="/u01/oracle/user_projects/domains/logs/accessdomain"
export exposeAdminT3Channel="true"
export adminNodePort="30701"
export exposeAdminNodePort="true"
export namespace="oamns"
javaOptions=-Dweblogic.StdoutDebugEnabled=false
export domainPVMountPath="/u01/oracle/user_projects"
export weblogicDomainStorageType="NFS"
export weblogicDomainStorageNFSServer="nfsserver.example.com"
export weblogicDomainStoragePath="/exports/IAMPVS/oampv"
export weblogicDomainStorageReclaimPolicy="Retain"
export weblogicDomainStorageSize="10Gi"
export oamServerJavaParams="-Xms2048m -Xmx8192m"
export oamMaxCPU="1"
export oamCPU="500m"
export oamMaxMemory="8Gi"
export oamMemory="2Gi"
validateWlsDomainName called with accessdomain
WDT model file, property file and sample domain.yaml are genereted successfully at /workdir/OAM/weblogic-domains/accessdomainCreating Image Property File
After the model files are created, they need to be added to an image, and uploaded to your registry which begins with describing the target registry in a property file.
Perform the following steps to create an image property file:
- Run the following command to ensure java is installed on your
machine:
which java - Copy the property file to your work
directory.
cp <WORKDIR>/samples/create-access-domain/domain-home-on-pv/wdt-utils/build-domain-creation-image/properties/build-domain-creation-image.properties <WORKDIR>For Example:
cp/workdir/OAM/samples/create-access-domain/domain-home-on-pv/wdt-utils/build-domain-creation-image/properties/build-domain-creation-image.properties /workdir/OAM - Edit the file
build-domain-creation-image.propertiesand add the following values:JAVA_HOMEset this to the location of your JAVA installation found in Step 1.For Example,
./usr-
REPOSITORYset this to the location in your registry where the image file is to reside.For Example,
.iad.ocir.io/<mytenancy>/idm/oam_wdtWhere
oam_wdtis the name of the image you wish to create. -
IMAGE_TAGused to assign a tag to the uploaded image, you can use anything here. In case of this example, we can use<OAM_DOMAIN_NAME>. -
IMAGE_PUSH_REQUIRES_AUTHmust be set to true if you do not allow non-authenticated uploads to your registry. -
REG_USERmust be set to the user in your registry where you wish to upload the image. This user must have upload privileges. -
WDT_MODEL_FILEmust be set to the fileoam.yamlwhich was generated in the step above. For example,<WORKDIR>/weblogic-domains/<OAM_DOMAIN_NAME>/oam.yaml. -
WDT_VARIABLE_FILEmust be set to the fileoam.propertieswhich was generated in the step above. For example,<WORKDIR>/weblogic-domains/<OAM_DOMAIN_NAME>/oam.properties. -
REG_PWDmust be set to the password of the above user and placed in a separate file inbuiidpwdin the<WORKDIR>as shown below:REG_PASSWORD="<mypwd>"Sample
build-domain-creation-image.properties# Copyright (c) 2024, Oracle and/or its affiliates. # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl. # Input Property file for build-domain-creation-image.sh script # # set the JAVA_HOME environment variable to match the location of your Java installation. Java 8 or newer is required # JAVA_HOME=/usr # # Image Details # #Set the IMAGE_TAG, default oam-aux-v1 if not set. IMAGE_TAG=accessdomain # Set the BASE_IMAGE, default ghcr.io/oracle/oraclelinux:8-slim if not set. BASE_IMAGE=ghcr.io/oracle/oraclelinux:8-slim # # Container Registry # #Image will be created with REPOSITORY:IMAGE_TAG REPOSITORY=iad.ocir.io<mytenancy>idm/oam_wdt # Container registry username REG_USER=<mytenancy>/oracleidentitycloudservice/my.user@example.com #Set it to false if authentication is not required for pushing the image to registry, for example docker login already done in the host before invoking the script. IMAGE_PUSH_REQUIRES_AUTH=true # # WDT and WIT Variables # #Full path to wdt model files WDT_MODEL_FILE=/workdir/OAM/weblogic-domains/accessdomain/oam.yaml #Full path to wdt variable files WDT_VARIABLE_FILE=/workdir/OAM/weblogic-domains/accessdomain/oam.properties #Full path to wdt archive files WDT_ARCHIVE_FILE="" #If not set, Latest version will be used. WDT_VERSION="3.5.3" #If not set, latest will be used during every fresh run WIT_VERSION="1.12.1" #In Most cases, no need to use these parameters. Please refer https://oracle.github.io/weblogic-image-tool/userguide/tools/create-aux-image/ for details about them. TARGET="" CHOWN=""
-
Uploading WDT Auxiliary Image
Use the utility build-domain-creation-image.sh to create and upload
the Auxiliary image:
For Example:
cd <WORKDIR>/samples/create-access-domain/domain-home-on-pv/wdt-utils/build-domain-creation-image./build-domain-creation-image.sh -i <WORKDIR>/build-domain-creation-image.properties -p <WORKDIR>/.buildpwdFor Example:
cd /workdir/OAM/samples/create-access-domain/domain-home-on-pv/wdt-utils/build-domain-creation-image./build-domain-creation-image.sh -i /workdir/OAM/build-domain-creation-image.properties -p /workdir/OAM/.buildpwdExtract from Sample Output
[INFO ] Build successful. Build time=74s. Image tag=iad.ocir.io/<mytenancy>/idm/oam_wdt:accessdomain
Getting image source signatures
Copying blob sha256:432308aaf1ccdd6c69ff6e6f6d6c762e55e183284ca57d31228bd3578275f9a9
Copying blob sha256:8b4d3bacf0d79476c744efb9d80fc05c5e1298b2ce8c5ed88edc9a4a01198ba9
Copying blob sha256:c5a8db0bbcb50dce5017361d8a2c11f42b221f9e6842d439b562657a6669cc2a
Copying blob sha256:812776fce264cf4a8e82c7d839ba60603e449b47f52582b0a5d68e730fc0b01e
Copying blob sha256:0bcef3ba673ac9fd91ac95ae8c19fa3cb29a9ad107bec305e8772e2cc968ce2a
Copying blob sha256:b782e2701e7e72e55c4cd2e849f9dc9baf602d7eec7eb89ffda3329f9b784f36
Copying blob sha256:1d8523ddf53e8404bc9d4020673d36854e721cd878e209e2649acac359b2555a
Copying blob sha256:cd00e719df55595b05a92e0741a09ad88a07c0c67caa65c78902f3c00214c72f
Copying blob sha256:520d935025c94d503a6d9f31b029f5ee4c2f4b8a8326d94dbf2caa80f8c71151
Copying blob sha256:9a9ca1edb11ff224553c91c7cf5f032f68db7a5f45080b567db3d6e9dee25e4e
Copying blob sha256:1a47311837bde5a83fcb02ba004ed5f015c2c3d73172a7082126417db874bd1b
Copying config sha256:1ae5d3f21cd522491aff21083c6618f954f6a5684b31b958c28d23b7b8c096af
Writing manifest to image destination
Storing signatures
Pushed image iad.ocir.io/<mytenancy>/idm/oam_wdt:accessdomain to image repositoryParent topic: Creating the Access Domain
Updating domain.yaml
domain.yaml
was created in the directory
<WORKDIR>/weblogic-domains/<OAM_DOMAIN_NAME>. This
file is used to create the WebLogic domain. Before using this file the auxiliary image
you create must be added to the file by editing domain.yamlLocate the variable in the file %DOMAIN_CREATION_IMAGE% and replace
it with the name of your image as <REPOSITORY>:<IMAGE_TAG>
obtained from the file build-domain-creation-image.properties.
iad.ocir.io/mytenancy/idm/oam_wdt:accessdomainNote:
If the registry where your image is located is different to the registry where your OAM image is stored then create a new secret with the credentials for the Auxiliary image registry using a different name to the main registry.
For example:
kubectl create secret -n oamns docker-registry regcred2 --docker-server=iad.ocir.io/mytenancy2 --docker-username=mytenancy/oracleidentitycloudservice/myemail@email.com --docker-password=<password>Update the file domain.yaml and replace the lines with the name of
your new secret.
Add additional secret name if you are using a different registry for domain creation image.
Identify which secret contains the credentials for pulling an image.
imagePullSecrets: - name: regcred2Parent topic: Creating the Access Domain
Creating the Domain Using the WebLogic Operator
cd <WORKDIR>/weblogic-domains/<OAM_DOMAIN_NAME>kubectl create -f <WORKDIR>/weblogic-domains/<OAM_DOMAIN_NAME>/domain.yamlcd /workdir/OAM/weblogic-domains/accessdomainkubectl create -f /workdir/OAM/weblogic-domains/accessdomain/domain.yamlUse the following to monitor the domain creation:
kubectl logs -n <OAMNS> <OAM_DOMAIN_DOMAIN>-introspectorkubectl describe domain -n <OAMNS> <OAM_DOMAIN_NAME>For Example:
kubectl logs -n oamns accessdomain-introspectorkubectl describe domain -n oamns accessdomainFor more information, see the WebLogic operator logs.
For Example:
kubectl logs -n opns weblogic-operator-688f5dcdc4-qxnnz | grep <OAM_DOMAIN_NAME>After the domain is created, the OAM Kubernetes pods is started automatically and can be viewed using the command:
kubectl get pods -n <OAMNS>Parent topic: Creating the Access Domain
Verifying the Domain
To verify the creation of the domain, perform the following steps:
- To confirm that the domain is created, use the following
command:
kubectl describe domain <OAM_DOMAIN_NAME> -n <OAMNS>For example:kubectl describe domain accessdomain -n oamns - Verify that the domain pods and services have been created, using the
following
command:
kubectl get all,domains -n oamnsThe output will look similar to the following:NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR service/accessdomain-adminserver ClusterIP None <none> 7001/TCP 22m weblogic.createdByOperator=true,weblogic.domainUID=accessdomain,weblogic.serverName=AdminServer service/accessdomain-adminserver-external NodePort 10.97.64.5 <none> 7001:30701/TCP 3h46m weblogic.createdByOperator=true,weblogic.domainUID=accessdomain,weblogic.serverName=AdminServer service/accessdomain-cluster-oam-cluster ClusterIP 10.108.180.115 <none> 14100/TCP 3h21m weblogic.clusterName=oam_cluster,weblogic.createdByOperator=true,weblogic.domainUID=accessdomain service/accessdomain-cluster-policy-cluster ClusterIP 10.99.138.102 <none> 15100/TCP 3h21m weblogic.clusterName=policy_cluster,weblogic.createdByOperator=true,weblogic.domainUID=accessdomain service/accessdomain-oam-policy-mgr1 ClusterIP None <none> 15100/TCP 9m48s weblogic.createdByOperator=true,weblogic.domainUID=accessdomain,weblogic.serverName=oam_policy_mgr1 service/accessdomain-oam-policy-mgr2 ClusterIP 10.96.151.188 <none> 15100/TCP 9m48s weblogic.createdByOperator=true,weblogic.domainUID=accessdomain,weblogic.serverName=oam_policy_mgr2 service/accessdomain-oam-server1 ClusterIP None <none> 14100/TCP 9m48s weblogic.createdByOperator=true,weblogic.domainUID=accessdomain,weblogic.serverName=oam_server1 service/accessdomain-oam-server2 ClusterIP None <none> 14100/TCP 9m48s weblogic.createdByOperator=true,weblogic.domainUID=accessdomain,weblogic.serverName=oam_server2
Note:
kubectl logs accessdomain-adminserver -n oamns
kubectl logs accessdomain-oam-policy-mgr1 -n oamns
kubectl logs accessdomain-oam-server1 -n oamnsParent topic: Creating the Access Domain
Creating the Kubernetes Services
By default, the OAM domain gets created with all the components (except the
Administration Server) configured as ClusterIP services. This means
that the Oracle Access Manager components are visible only within the Kubernetes
cluster.
In an enterprise deployment, all interactions with the WebLogic components take place through the Oracle HTTP Server which sits outside of the Kubernetes cluster. You should expose the WebLogic components to the outside world by creating additional services. You can use either NodePort Services or an Ingress controller.
- Creating the NodePort Services
- Creating the Ingress Services
- Creating an OAM ClusterIP Service
- Validating Services
Parent topic: Creating the Oracle Access Manager Domain
Creating the NodePort Services
You should create NodePort Services for each of the following OAM components:
- Creating an OAM NodePort Service
- Creating a Policy Manager NodePort Service
- Creating an OAP Legacy NodePort Service
Parent topic: Creating the Kubernetes Services
Creating an OAM NodePort Service
Parent topic: Creating the NodePort Services
Creating a Policy Manager NodePort Service
Parent topic: Creating the NodePort Services
Creating an OAP Legacy NodePort Service
If you are using legacy WebGates which communicate with OAM using the OAP protocol, then you will need to create an additional service.
To create a OAM legacy NodePort Service:
Parent topic: Creating the NodePort Services
Creating the Ingress Services
To create Ingress services, you must first create an Ingress controller. For more information about the installation procedure, see Installing and Configuring Ingress Controller.
The Ingress service is created inside the product namespace. It tells the Ingress controller how to direct requests inside the namespace.
Note:
The example below creates two Ingress services, one for each of the OAM virtual hosts.iadadmin.example.comlogin.example.com
To create an Ingress service:
Parent topic: Creating the Kubernetes Services
Creating an OAM ClusterIP Service
Create a ClusterIP service for OAP connections.
oap_clusterip.yaml file
with the following
contents:kind: Service
apiVersion: v1
metadata:
name: <OAM_DOMAIN_NAME>-oap
namespace: <OAMNS>
spec:
type: ClusterIP
selector:
weblogic.clusterName: oam_cluster
ports:
- port: 5575
protocol: TCPCreate the service using the following command:
kubectl create -f /workdir/OAM/oap_clusterip.yamlservice/accessdomain-oap createdParent topic: Creating the Kubernetes Services
Validating Services
kubectl get service -n oamnsNAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
accessdomain-adminserver ClusterIP None <none> 30012/TCP,7001/TCP 4d15h
accessdomain-adminserver-ext NodePort 10.96.127.191 <none> 30012:30012/TCP,7001:30701/TCP 4d15h
accessdomain-cluster-oam-cluster ClusterIP 10.96.43.35 <none> 14100/TCP 4d15h
accessdomain-cluster-policy-cluster ClusterIP 10.96.8.16 <none> 15100/TCP 4d15h
accessdomain-oam-nodeport NodePort 10.96.104.168 <none> 14100:30410/TCP 4d15h
accessdomain-oam-policy-mgr1 ClusterIP None <none> 15100/TCP 4d15h
accessdomain-oam-policy-mgr2 ClusterIP None <none> 15100/TCP 4d15h
accessdomain-oam-policy-mgr3 ClusterIP 10.96.36.96 <none> 15100/TCP 4d15h
accessdomain-oam-policy-mgr4 ClusterIP 10.96.171.61 <none> 15100/TCP 4d15h
accessdomain-oam-policy-mgr5 ClusterIP 10.96.200.171 <none> 15100/TCP 4d15h
accessdomain-oam-server1 ClusterIP None <none> 14100/TCP 4d15h
accessdomain-oam-server2 ClusterIP None <none> 14100/TCP 4d15h
accessdomain-oam-server3 ClusterIP 10.96.93.51 <none> 14100/TCP 4d15h
accessdomain-oam-server4 ClusterIP 10.96.223.123 <none> 14100/TCP 4d15h
accessdomain-oam-server5 ClusterIP 10.96.143.94 <none> 14100/TCP 4d15h
accessdomain-oap ClusterIP 10.96.171.107 <none> 5575/TCP 4d15h
accessdomain-policy-nodeport NodePort 10.96.169.250 <none> 15100:30510/TCP 4d15hParent topic: Creating the Kubernetes Services
Updating the Domain
When you first create the domain, some information may be missing. You can add this
information using a simple curl script.
- Adds an internally resolvable hostname to each OAM Server.
- Sets the OAP port number for each OAM Server.
- Changes the OAP settings replacing the local host name with the load balancer host name.
- Updates the REST points for Oracle 12c WebGate HTTP OAM APIs in the existing WebGate agents.
- Updates the federation entry points to use the load balancer.
- Changes the OAP security mode for legacy WebGates in the ready-to-use WebGate agents.
- Updates the timeout settings.
- Updates the maximum number of connections for ready-to-use WebGates.
Parent topic: Configuring Oracle Access Manager Using WDT
Performing the Post-Configuration Tasks for Oracle Access Management Domain
The post-configuration tasks for the OAM domain include creating the server overrides file and updating the data sources.
Parent topic: Configuring Oracle Access Manager Using WDT
Limiting Pods to Specific Worker Nodes
If you want to ensure that the OAM servers start only on a specific set of worker servers, complete the following steps:
Labeling the Kubernetes Worker Nodes
Label the worker nodes you want to include in scheduling. This can be as granular as
you need. For example, if you want to schedule the OAM processes to run on a set of
nodes, then label that set with a label such as oamservers. If you want
to dictate that the Administration Server runs on a specific set of worker nodes and
oam_server on a different set, then create two labels,
oamadmin and oamservers.
kubectl label node worker1 name=oamserversParent topic: Limiting Pods to Specific Worker Nodes
Restricting Processes to Labels
domain.yaml file located in the following
path:<WORKDIR>/samples/create-access-domain/domain-home-on-pv/output/weblogic-domains/<OAM_DOMAIN_NAME>//workdir/OAM/samples/create-access-domain/domain-home-on-pv/output/weblogic-domains/accessdomain/Alter the Managed Servers section for all the Managed Servers configured in the cluster and ensure that only the labeled worked nodes are used for scheduling.
oam_server1 and oam_server2, the entries will
look similar
to: managedServers:
- serverName: oam_server1
serverPod:
nodeSelector:
name: oamservers
- serverName: oam_server2
serverPod:
nodeSelector:
names: oamserversParent topic: Limiting Pods to Specific Worker Nodes
Creating the Server Overrides File
The serverOverrides file is used to set specific Java values
when the containers start. The parameters are appended to the configuration
in the setDomainEnv.sh file but unlike the
setDomainEnv.shfile, the
serverOverrides file is not overwritten during
the upgrade.
Disabling the Derby Database
Parent topic: Creating the Server Overrides File
Enabling the Managed Servers to Use IPv4 Networking
If the Managed Server is configured to use IPv6 networking, you may encounter issues when you start the Managed Server. Therefore, you must enable the Managed Servers to use IPv4 networking.
Parent topic: Creating the Server Overrides File
Setting the Memory Parameters in IAMAccessDomain
The initial startup parameter in the IAMAccessDomain, which defines the memory usage, is insufficient. You must increase the value of this parameter.
To change the memory allocation setting:
Parent topic: Creating the Server Overrides File
Copying Server Overrides to the Kubernetes Containers
In a Kubernetes environment, there is no editior inside the container. To work around this issue, create the file on the master node and copy it to the Kubernetes container using the following commands:
chmod 755 /workdir/OAM/setUserOverrides.shkubectl cp <WORKDIR>/setUserOverrides.sh <OAMNS>/<OAM_DOMAIN_NAME>-adminserver:/u01/oracle/user_projects/domains/<OAM_DOMAIN_NAME>/bin/setUserOverrides.shkubectl cp /workdir/OAM/setUserOverrides.sh oamns/accessdomain-adminserver:/u01/oracle/user_projects/domains/accessdomain/bin/setUserOverrides.shParent topic: Creating the Server Overrides File
Restarting the Domain
Restart the domain for the changes to take effect.
kubectl -n <OAMNS> patch domains <OAM_DOMAIN_NAME> --type='json' -p='[{"op": "replace", "path": "/spec/serverStartPolicy", "value": "Never" }]'kubectl -n <OAMNS> patch domains <OAM_DOMAIN_NAME> --type='json' -p='[{"op": "replace", "path": "/spec/serverStartPolicy", "value": "IfNeeded" }]'Note:
Check that all the Kubernetes pods (with the exception of the helper pod) in the namespace have stopped by using the following command:
kubectl -n <OAMNS> get allAll the Kubernetes pods (with the exception of the helper pod) in the namespace will be stopped when there are no entries for the Administration Server or the Managed Servers.
kubectl -n oamns patch domains accessdomain --type='json' -p='[{"op": "replace", "path": "/spec/serverStartPolicy", "value": "Never" }]'
kubectl -n oamns patch domains accessdomain --type='json' -p='[{"op": "replace", "path": "/spec/serverStartPolicy", "value": "IfNeeded" }]'Parent topic: Configuring Oracle Access Manager Using WDT
Validating the Administration Server
Before you perform the configuration steps, validate that the Administration Server has started successfully by ensuring that you have access to the Oracle WebLogic Server Administration Console and Oracle Enterprise Manager Fusion Middleware Control, both installed and configured on the Administration Server.
Note:
For the validation to work, you need to have a browser capable of communicating with the Kubernetes worker nodes.http://k8worker1.example.com:30701/emhttp://k8worker1.example.com:30701/consoleParent topic: Configuring Oracle Access Manager Using WDT
Removing OAM Server from WebLogic Server 12c Default Coherence Cluster
Exclude all Oracle Access Management (OAM) clusters (including Policy Manager and OAM runtime server) from the default WebLogic Server 12c coherence cluster by using the WebLogic Server Administration Console.
Parent topic: Configuring Oracle Access Manager Using WDT
Tuning the WebLogic Server
Tune the WebLogic Server for optimum performance by adding the Minimum Thread Constraint and removing the Max Thread and Capacity constraints.
Adding the Minimum Thread Constraint to Worker Manager
OAPOverRestWM
- Log in to the WebLogic Server Console at
http://k8worker1.example.com:30701/console. - Click Lock & Edit.
- In Domain Structure, click Deployments.
- On the Deployments page, click Next
until you see
oam_server. - Expand
oam_serverby clicking the + icon, and then click /iam/access/binding. - Click the Configuration tab, followed by the Workload tab.
- Click wm/OAPOverRestWM.
- Under Application Scoped Work Managed Components, click New.
- In Create a New Work Manager Component, select Minumum Threads Constraint and click Next.
- In Minimum Threads Constraint Properties, enter the Count as 400 and click Finish.
- In Save Deployment Plan, change the Path to /u01/oracle/user_projects/domains/accessdomain/Plan.xml.
- Click OK, and then click Activate Changes.
Removing the Maximum Thread Constraint and Capacity Constraint
- Log in to the WebLogic Server Console at
http://k8worker1.example.com:30701/console. - Click Lock & Edit.
- In Domain Structure, click Deployments.
- On the Deployments page, click Next
until you see
oam_server. - Expand
oam_serverby clicking the + icon, and then click /iam/access/binding. - Click the Configuration tab, followed by the Workload tab.
- Click wm/OAPOverRestWM.
- Under Application Scoped Work Managed Components, select Capacity and MaxThreadsCount, and then click Delete.
- In the Delete Work Manage Components screen, click OK to delete.
- Click Release Configuration.
Parent topic: Configuring Oracle Access Manager Using WDT
Enabling Virtualization
You can use the Fusion Middleware Control to enable virtualization.
Parent topic: Configuring Oracle Access Manager Using WDT
Restarting the Domain
Restart the domain for the changes to take effect.
kubectl -n <OAMNS> patch domains <OAM_DOMAIN_NAME> --type='json' -p='[{"op": "replace", "path": "/spec/serverStartPolicy", "value": "Never" }]'kubectl -n <OAMNS> patch domains <OAM_DOMAIN_NAME> --type='json' -p='[{"op": "replace", "path": "/spec/serverStartPolicy", "value": "IfNeeded" }]'Note:
Check that all the Kubernetes pods (with the exception of the helper pod) in the namespace have stopped by using the following command:
kubectl -n <OAMNS> get allAll the Kubernetes pods (with the exception of the helper pod) in the namespace will be stopped when there are no entries for the Administration Server or the Managed Servers.
kubectl -n oamns patch domains accessdomain --type='json' -p='[{"op": "replace", "path": "/spec/serverStartPolicy", "value": "Never" }]'
kubectl -n oamns patch domains accessdomain --type='json' -p='[{"op": "replace", "path": "/spec/serverStartPolicy", "value": "IfNeeded" }]'Parent topic: Configuring Oracle Access Manager Using WDT
Configuring and Integrating with LDAP
Configuration and integration of OAM with LDAP requires you to first set a global passphrase. You then configure OAM to use the LDAP directory. In addition, create the Webgate_IDM agent if not present and finally assign administration rights to the LDAP users to access the MBeans stored in the Administration Server.
- Obtaining a Global Passphrase
- Configuring Access Manager to Use the LDAP Directory
- Creating the Webgate_IDM Agent
- Adding LDAP Groups to WebLogic Administrators
Parent topic: Configuring Oracle Access Manager Using WDT
Obtaining a Global Passphrase
By default, Oracle Access Manager is configured to use the open security model. If
you plan to change this mode using idmConfigTool, you must know the
global passphrase. By default, Oracle creates a global passphrase for you. You can
override this value, if required.
Note:
If you are using the latest 12c WebGate functionality using OAP over REST calls, it is not important to change the security mode because REST calls do not use the OAP transport mode.Obtaining the Default Global Passphrase
You will need the global passphrase while creating the WebGate agents. To obtain the global passphrase:
Parent topic: Obtaining a Global Passphrase
Configuring Access Manager to Use the LDAP Directory
After completing the initial installation and setting the security model, you have to associate Oracle Access Manager with the LDAP directory. You can use Oracle Unified Directory (OUD) as the LDAP directory.
To associate Access Manager and the LDAP directory, perform the following tasks:
- Creating a Configuration File
- Integrating Oracle Access Manager and LDAP Using the idmConfigTool
- Validating the OAM LDAP Integration
Parent topic: Configuring and Integrating with LDAP
Creating a Configuration File
Configuring Oracle Access Management to use LDAP requires
you to run the idmConfigTool utility. Therefore, you must create a
configuration file called oam.props to use during the
configuration. The contents of this file are:
#IDSTORE PROPERTIES
IDSTORE_HOST: <LDAP_HOSTNAME>
IDSTORE_PORT: <LDAP_PORT>
IDSTORE_BINDDN:<LDAP_ADMIN_USER>
IDSTORE_SEARCHBASE: <LDAP_SEARCHBASE>
IDSTORE_GROUPSEARCHBASE: <LDAP_GROUP_SEARCHBASE>
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_USERSEARCHBASE: <LDAP_USER_SEARCHBASE>
IDSTORE_SYSTEMIDBASE: <LDAP_SYSTEMIDS>
IDSTORE_NEW_SETUP: true
IDSTORE_DIRECTORYTYPE: <LDAP_TYPE>
IDSTORE_WLSADMINUSER: <LDAP_WLSADMIN_USER>
IDSTORE_WLSADMINGROUP: <LDAP_WLSADMIN_GRP>
IDSTORE_OAMADMINUSER: <LDAP_OAMADMIN_USER>
IDSTORE_OAMSOFTWAREUSER: <LDAP_OAMLDAP_USER>
# OAM Properties
OAM11G_SERVER_LOGIN_ATTRIBUTE: uid
OAM11G_IDSTORE_NAME: OAMIDSTORE
OAM11G_IDSTORE_ROLE_SECURITY_ADMIN: <LDAP_OAMADMIN_GRP>
PRIMARY_OAM_SERVERS: <OAM_DOMAIN_NAME>-oap.<OAMNS>.svc.cluster.local:<OAM_OAP_PORT>
WEBGATE_TYPE: ohsWebgate12c
ACCESS_GATE_ID: Webgate_IDM
OAM11G_OIM_WEBGATE_PASSWD: <LDAP_USER_PWD>
COOKIE_DOMAIN: <OAM_COOKIE_DOMAIN>
COOKIE_EXPIRY_INTERVAL: 120
OAM11G_WG_DENY_ON_NOT_PROTECTED: true
OAM11G_IDM_DOMAIN_OHS_HOST: <OAM_LOGIN_LBR_HOST>
OAM11G_IDM_DOMAIN_OHS_PORT: <OAM_LOGIN_LBR_PORT>
OAM11G_IDM_DOMAIN_OHS_PROTOCOL: <OAM_LOGIN_LBR_PROTOCOL>
OAM11G_SERVER_LBR_HOST: <OAM_LOGIN_LBR_HOST>
OAM11G_SERVER_LBR_PORT: <OAM_LOGIN_LBR_PORT>
OAM11G_SERVER_LBR_PROTOCOL: <OAM_LOGIN_LBR_PROTOCOL>
OAM11G_OAM_SERVER_TRANSFER_MODE: open
OAM_TRANSFER_MODE: open
OAM11G_SSO_ONLY_FLAG: false
OAM11G_IMPERSONATION_FLAG: false
OAM11G_IDM_DOMAIN_LOGOUT_URLS: /console/jsp/common/logout.jsp,/em/targetauth/emaslogout.jsp
OAM11G_OIM_INTEGRATION_REQ: <OAM_OIG_INTEG>
OAM11G_OIM_OHS_URL: <OIG_LBR_PROTOCOL>://<OIG_LBR_HOST>:<OIG_LBR_PORT>/
# WebLogic Properties
WLSHOST:<OAM_DOMAIN_NAME>-adminserver.<OAMNS>.svc.cluster.local
WLSPORT: 7001
WLSADMIN: <OAM_WEBLOGIC_USER>#IDSTORE PROPERTIES
IDSTORE_HOST: edg-oud-ds-rs-lbr-ldap.oudns.svc.cluster.local
IDSTORE_PORT: 1389
IDSTORE_BINDDN: cn=oudadmin
IDSTORE_SEARCHBASE: dc=example,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_USERSEARCHBASE: cn=Users,dc=example,dc=com
IDSTORE_SYSTEMIDBASE: cn=systemids,dc=example,dc=com
IDSTORE_NEW_SETUP: true
IDSTORE_DIRECTORYTYPE: OUD
IDSTORE_WLSADMINUSER: weblogic_iam
IDSTORE_WLSADMINGROUP: WLSAdministrators
IDSTORE_OAMADMINUSER: oamadmin
IDSTORE_OAMSOFTWAREUSER: oamLDAP
# OAM Properties
OAM11G_SERVER_LOGIN_ATTRIBUTE: uid
OAM11G_IDSTORE_NAME: OAMIDSTORE
OAM11G_IDSTORE_ROLE_SECURITY_ADMIN: OAMAdministrators
PRIMARY_OAM_SERVERS: accessdomain-oap.oamns.svc.cluster.local:5575
WEBGATE_TYPE: ohsWebgate12c
ACCESS_GATE_ID: Webgate_IDM
OAM11G_OIM_WEBGATE_PASSWD: Password
COOKIE_DOMAIN: .example.com
COOKIE_EXPIRY_INTERVAL: 120
OAM11G_WG_DENY_ON_NOT_PROTECTED: true
OAM11G_IDM_DOMAIN_OHS_HOST: login.example.com
OAM11G_IDM_DOMAIN_OHS_PORT: 443
OAM11G_IDM_DOMAIN_OHS_PROTOCOL: https
OAM11G_SERVER_LBR_HOST: login.example.com
OAM11G_SERVER_LBR_PORT: 443
OAM11G_SERVER_LBR_PROTOCOL: https
OAM11G_OAM_SERVER_TRANSFER_MODE: open
OAM_TRANSFER_MODE: open
OAM11G_SSO_ONLY_FLAG: false
OAM11G_IMPERSONATION_FLAG: false
OAM11G_IDM_DOMAIN_LOGOUT_URLS: /console/jsp/common/logout.jsp,/em/targetauth/emaslogout.jsp
OAM11G_OIM_INTEGRATION_REQ: false
OAM11G_OIM_OHS_URL: https://prov.example.com:443/
# WebLogic Properties
WLSHOST:accessdomain-adminserver.oamns.svc.cluster.local
WLSPORT: 7001
WLSADMIN: weblogicNote:
It is not possible to use vi or similar commands
in a WebLogic Kubernetes container. Therefore, this file should be created
outside of the container, and then copied into the container.
/u01/oracle/user_projects/workdir directory. If this
directory does not exist inside the container, you will first need to create
it.kubectl exec -n <OAMNS>-ti accessdomain-adminserver mkdir <K8_WORKDIR>kubectl exec -n oamns -ti accessdomain-adminserver mkdir /u01/oracle/user_projects/workdirAfter you create the directory, copy the file to this directory.
kubectl cp /workdir/OAM/oam.props oamns/accessdomain-adminserver:/u01/oracle/user_projects/workdirParent topic: Configuring Access Manager to Use the LDAP Directory
Integrating Oracle Access Manager and LDAP Using the idmConfigTool
Note:
Before running the idmconfigTool, ensure that the
oam_server1 and oam_server2 Managed
Servers are shut down.
cd /workdir/OPER/samples/domain-lifecycle./stopCluster.sh -c oam_cluster -d accessdomain -n oamns -vTo integrate Oracle Access Manager with the LDAP directory:
Note:
After you run idmConfigTool, several files are created that you
need for subsequent tasks. Keep these in a safe location.
The following files exist in this directory:
/u01/oracle/user_projects/domains/accessdomain/output/Webgate_IDM
.
You will require these files when you install the WebGate software.
cwallet.ssoObAccessClient.xmlpassword.xmlaaa_cert.pemaaa_key.pem
Parent topic: Configuring Access Manager to Use the LDAP Directory
Validating the OAM LDAP Integration
To validate that the OAM LDAP integration has completed correctly:
Parent topic: Configuring Access Manager to Use the LDAP Directory
Creating the Webgate_IDM Agent
If you discover that the idmConfigTool has not created the
Webgate_IDM agent, you can create it.
To create a Webgate_IDM agent:
Parent topic: Configuring and Integrating with LDAP
Adding LDAP Groups to WebLogic Administrators
Oracle Access Manager requires access to the MBeans stored within the Administration Server. To enable the LDAP users to log in to the WebLogic Console and Fusion Middleware Control, you must assign them the WebLogic administration rights. For Oracle Access Manager to invoke these Mbeans, users in the OAMAdministrators group must have the WebLogic administration rights.
Using the WebLogic Console
To add the LDAP Groups OAMAdministrators and
WLSAdministrators to the WebLogic Administrators:
- Log in to the WebLogic Administration Server Console as the default
administrative user. For example,
weblogic. - In the left pane of the console, click Security Realms.
- On the Summary of Security Realms page, click myrealm under the Realms table.
- On the Settings page for myrealm, click the Roles & Policies tab.
- On the Realm Roles page, expand the Global Roles entry under the Roles table.
- Click the Roles link to go to the Global Roles page.
- On the Global Roles page, click the Admin role to go to the Edit Global Roles page.
- On the Edit Global Roles page, under the Role Conditions table, click the Add Conditions button.
- On the Choose a Predicate page, select Group from the drop down list for predicates and click Next.
- On the Edit Arguments Page, Specify OAMAdministrators in the Group Argument field and click Add.
- Repeat for the Group WLSAdministrators.
- Click Finish to return to the Edit Global Roles page.
- The Role Conditions table now shows the groups OAMAdministrators or WLSAdministrators as role conditions.
- Click Save to finish adding the Admin role to the OAMAdministrators and IDM Administrators Groups.
Parent topic: Adding LDAP Groups to WebLogic Administrators
Using WLST
Parent topic: Adding LDAP Groups to WebLogic Administrators
Updating WebGate Agents
When you run idmConfigTool, it changes the default OAM security
model and creates a new WebGate SSO agent. However, it does not change the existing WebGate
SSO agents to the new security model. After you run idmConfigTool, you
must update any WebGate agents that previously existed.
To update the WebGate agents:
-
Change the security mode to match that of the OAM servers. Failure to do so will result in a security mismatch error.
-
When WebGates are created at first install, they are unaware that a highly available (HA) installation is performed. After enabling HA, you must ensure that all of the OAM servers are included in the agent configuration, to ensure system continuity.
-
When WebGates are created at first install, they are unaware that a highly available (HA) install is performed. You must check that any logout URLs are redirected to the hardware load balancer than one of the local OAM servers.
-
A WebGate agent called IAMSuiteAgent is created out of the box. This is created without any password protection and needs to have one added.
To perform these actions, complete the following steps:
Parent topic: Configuring Oracle Access Manager Using WDT
Updating Host Identifiers
When you access the domain, you enter using different load balancer entry
points. You must add each of these entry points (virtual hosts) to the policy list. Adding
these entry points ensures that if you request access to a resource using
login.example.com or prov.example.com, you have access
to the same set of policy rules.
To update the host identifiers:
Parent topic: Configuring Oracle Access Manager Using WDT
Adding the Missing Policies to OAM
If any policies are missing, you have to add to ensure that Oracle Access Manager functions correctly.
You need to add the following additional policies:
Table 18-5 OAM Policy Information
| Product | Resource Type | Host Identifier | Resource URL | Protection Level | Authentication Policy | Authorization Policy |
|---|---|---|---|---|---|---|
|
ALL |
HTTP |
IAMSuiteAgent |
|
Excluded |
||
|
ALL |
HTTP |
IAMSuiteAgent |
|
Excluded |
||
|
ALL |
HTTP |
IAMSuiteAgent |
|
Excluded |
||
|
ALL |
HTTP |
IAMSuiteAgent |
|
Excluded |
||
|
OIG |
HTTP |
IAMSuiteAgent |
|
Protected |
Protected Higher Level Policy |
Protected Resource Policy |
|
OAM |
HTTP |
IAMSuiteAgent |
|
Excluded |
||
|
OAM |
HTTP |
IAMSuiteAgent |
|
Excluded |
||
|
OAM |
HTTP |
IAMSuiteAgent |
|
Excluded |
||
|
OAM |
HTTP |
IAMSuiteAgent |
|
Excluded |
||
|
OAM |
HTTP |
IAMSuiteAgent |
|
Excluded |
||
|
OIG |
HTTP |
IAMSuiteAgent |
|
Protected |
Protected Higher Level Policy |
Protected Resource Policy |
|
OIG |
HTTP |
IAMSuiteAgent |
|
Excluded |
|
|
|
OIG |
HTTP |
IAMSuiteAgent |
|
Protected |
Protected Higher Level Policy |
Protected Resource Policy |
|
OIG |
HTTP |
IAMSuiteAgent |
|
Excluded |
|
|
|
OIG |
HTTP |
IAMSuiteAgent |
|
Protected |
Protected Higher Level Policy |
Protected Resource Policy |
|
OIG |
HTTP |
IAMSuiteAgent |
|
Protected |
Protected Higher Level Policy |
Protected Resource Policy |
|
OIG |
HTTP |
IAMSuiteAgent |
|
Protected |
Protected Higher Level Policy |
Protected Resource Policy |
|
OUDSM |
HTTP |
IAMSuiteAgent |
|
Excluded |
||
|
OIRI |
HTTP |
IAMSuiteAgent |
|
Excluded |
||
|
OIRI |
HTTP |
IAMSuiteAgent |
|
Excluded |
||
|
OAA |
HTTP |
IAMSuiteAgent |
|
Excluded |
||
|
OAA |
HTTP |
IAMSuiteAgent |
|
Excluded |
||
|
OAA |
HTTP |
IAMSuiteAgent |
|
Excluded |
||
|
OAA |
HTTP |
IAMSuiteAgent |
|
Excluded |
||
|
OAA |
HTTP |
IAMSuiteAgent |
|
Excluded |
||
|
OAA |
HTTP |
IAMSuiteAgent |
|
Excluded |
||
|
OAA |
HTTP |
IAMSuiteAgent |
|
Excluded |
||
|
OAA |
HTTP |
IAMSuiteAgent |
|
Excluded |
||
|
OAA |
HTTP |
IAMSuiteAgent |
|
Excluded |
||
|
OAA |
HTTP |
IAMSuiteAgent |
/fido/** |
Excluded |
||
|
OAA |
HTTP |
IAMSuiteAgent |
|
Excluded |
||
|
OAA |
HTTP |
IAMSuiteAgent |
|
Excluded |
||
|
OARM |
HTTP |
IAMSuiteAgent |
|
Excluded |
||
|
OARM |
HTTP |
IAMSuiteAgent |
|
Excluded |
||
|
OUA |
HTTP |
IAMSuiteAgent |
|
Excluded |
||
|
OUA |
HTTP |
IAMSuiteAgent |
|
Excluded |
||
|
OUA |
HTTP |
IAMSuiteAgent |
/oaa-drss/** |
Excluded |
Note:
/otpfp is only required if you have implemented the OAM
forgotten password functionality.
/management is only required if you are using the WebLogic
Remote Console.
To add these policies:
Parent topic: Configuring Oracle Access Manager Using WDT
Validating the Authentication Providers
Set the order of identity assertion and authentication providers in the WebLogic Server Administration Console.
To set the order:
Parent topic: Configuring Oracle Access Manager Using WDT
Configuring Oracle ADF and OPSS Security with Oracle Access Manager
Some Oracle Fusion Middleware management consoles use Oracle Application
Development Framework (Oracle ADF) security, which can integrate with Oracle Access Manager
Single Sign-on (SSO). These applications can take advantage of Oracle Platform Security
Services (OPSS) SSO for user authentication, but you must first configure the domain-level
jps-config.xml file to enable these capabilities.
The domain-level jps-config.xml file is located in the following location after you create an Oracle Fusion Middleware domain:
/u01/oracle/user_projects/domain/<OAM_DOMAIN_NAME>/config/fmwconfig/jps-config.xml
Note:
The domain-level jps-config.xml should not be confused with the jps-config.xml that is deployed with custom applications.
Parent topic: Configuring Oracle Access Manager Using WDT
Enabling Forgotten Password
This section describes how to set up the One Time Pin forgotten password functionality which is provided with Oracle Access Manager
If you want to configure the Challenge Question forgotten password functionality, as provided by Oracle Identity Governance, see Configuring and Integrating with LDAP and Integrating Oracle Identity Governance and Oracle Access Manager.
- Prerequisites for Enabling Forgotten Password
- Adding Permissions to the oamLDAP User
- Enabling Adaptive Authentication Service
- Configuring Adaptive Authentication Plug-in
- Enabling Password Management in the Directory
- Storing the User Messaging Credentials in CSF
- Setting Up the Forgot Password Link on the Login Page
- Adding the Oracle Access Manager Load Balancer Certificate to the Oracle Keystore Service
- Configuring a Custom Host Name Verifier
- Validating the Forgotten Password Functionality
Parent topic: Configuring Oracle Access Manager Using WDT
Prerequisites for Enabling Forgotten Password
Forgotten Password Management in Oracle Access Manager takes the form of sending an Email or SMS message with a link to reset the password.
Email or SMS is sent using the Oracle User Messaging Service. Before enabling the Oracle Forgotten Password functionality, you first need to have an Oracle User Messaging deployment. This is often located inside the Oracle Governance Domain but can be located inside the Access Domain if that is all you are installing. Alternatively, it could be a completely independent domain.
Forgotten Password functionality works only if you have successfully configured Single Sign-On as described in Configuring Single Sign-On for an Enterprise Deployment.
Adding the User Messaging Service to the Access domain or creating a User Messaging Service domain is outside of the scope of the this EDG. For more information about installing and configuring the Oracle User Messaging Service, see Installing User Messaging Service and Configuring Oracle User Messaging Service in Administering Oracle User Messaging Service.
Parent topic: Enabling Forgotten Password
Adding Permissions to the oamLDAP User
When created out of the box, the oamLDAP user (the user who links OAM to LDAP) is granted privileges to read user data in the LDAP directory. However, the oamLDAP user is not granted permission to update users information. You need to add these privileges for the OAM forgotten password functionality to work.
- Create the
ldiffile outside of the OUD host, using your preferred text editor, and then copy the file to the LDAPHOST1 machine.This file has the following content:
dn: cn=Users,dc=example,dc=com changetype: modify add: aci aci: (targetattr = "*")(targetfilter= "(objectclass=inetorgperson)")(targetscope = "subtree") (version 3.0; acl "iam admin changepwd"; allow (compare,search,read,selfwrite,add,write,delete) userdn = "ldap:///cn=oamLDAP,cn=systemids,dc=example,dc=com";) - Save the file.
Note:
You should create this file outside of the 'oud' container, and then copy it into the container.
If you have mounted the OUD config persistent volume to your install host, you can directly create the file in that location. To mount the config file, see Installing and Configuring Oracle Unified Directory.
kubectl cp add_aci.ldif oudns/edg-oud-ds-rs-0:add_aci.ldifldapmodify command, using the
following
command:kubectl exec -it edg-oud-ds-rs-0 -n oudns -- /bin/bashAdd the ACI to OUD by using the following command:
/u01/oracle/user_projects/edg-oud-ds-rs-0/OUD/bin/ldapmodify -c -D cn=oudadmin -h edg-oud-ds-rs-lbr-ldap.oudns.svc.cluster.local -p 1389 -f /u01/oracle/config-input/add_aci.ldifParent topic: Enabling Forgotten Password
Enabling Adaptive Authentication Service
Forgotten password requires you to enable the Adaptive Authentication Service.
To enable this service:
Parent topic: Enabling Forgotten Password
Configuring Adaptive Authentication Plug-in
After you enable the Adaptive Authentication Service, it needs to be informed about the User Messaging Service.
To configure the Adaptive Authentication Plug-in:
Parent topic: Enabling Forgotten Password
Enabling Password Management in the Directory
By default, OAM is not set to enable password management. You have to enable it through the OAM Console.
To enable Password Management in the directory:
Parent topic: Enabling Forgotten Password
Storing the User Messaging Credentials in CSF
Before you can access the User Messaging Service, you need to store the credentials in the WebLogic credential store.
To store the credentials:
Parent topic: Enabling Forgotten Password
Setting Up the Forgot Password Link on the Login Page
The following REST API command enables the OTP forgot password link on the default login page in OAM.
curl -X -k PUT \
https://login.example.com/oam/services/rest/access/api/v1/config/otpforgotpassword/ \
-u oamadmin:Password \
-H 'content-type: application/json' \
-d '{"displayOTPForgotPassworLink":"true","defaultOTPForgotPasswordLink":"false","localToOAMServer":"true","forgotPasswordURL":"https://login.example.com/otpfp/pages/fp.jsp", "mode":"userselectchallenge"}'Enter the required attributes and values:
Table 18-9 Forgot Password Link on Login Page
| Attributes | Value |
|---|---|
|
ForgotPasswordURL |
The OAM Forgotten Password URL. For example, https://login.example.com/otpfp/pages/fp.jsp |
|
mode |
distribution_mode The distribution mode determines how the password reset URL is sent to the end user. Valid values are: email, sms, userchoose, userselectchallenge. The last entry enables the user to choose from masked values.
|
Note:
If you are using self signed certificates in the load balancer the curl command may object with a message similar to:curl performs SSL certificate verification by default, using a bundle of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option. If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL). If you like to turn off curl's verification of the certificate, use the -k (or --insecure) option.
If you see this message and are sure, add -k after -u oamadmin:Password.
Verify that this has succeeded by accessing the followig URL in a browser:
https://login.example.com/oam/services/rest/access/api/v1/config/otpforgotpasswordWhen prompted, enter your oamadmin account and
password.
Note:
One of the OAM Managed Servers must be running for this command to succeed.
Parent topic: Enabling Forgotten Password
Adding the Oracle Access Manager Load Balancer Certificate to the Oracle Keystore Service
The Oracle Access Manager forgot password functionality requires that the SSL certificate used by the load balancer be added to the Oracle Keystore Service Trusted Certificates.
To add the certificate, do the following:
Parent topic: Enabling Forgotten Password
Configuring a Custom Host Name Verifier
If using a wildcard certificate, you have to change the default value for the host name verifier from BEA Hostname Verifier to the custom value weblogic.security.utils.SSLWLSWildcardHostnameVerifier.
To change the default value of the host name verifier:
- Log in to the WebLogic Server Administration Console.
- Click Lock & Edit.
- Navigate to Summary of Servers and click oam_server1.
- Click the SSL tab, expand the Advanced section.
- Set the Hostname Verification field to Custom Hostname Verifier.
- In the Custom Hostname Verifier field, enter weblogic.security.utils.SSLWLSWildcardHostnameVerifier.
- Click Save.
Note:
Follow these steps to change the host name verifier for all the OAM Managed Servers.Parent topic: Enabling Forgotten Password
Validating the Forgotten Password Functionality
If you have set up the OAM Forgotten Password functionality, rather than off-loading to OIM, you can validate the forgotten password using the curl command, which shows you the password policies in force.
To validate the Forgotten Password functionality, run the following curl command:
curl -X GET https://login.example.com/oam/services/rest/access/api/v1/pswdmanagement/UserPasswordPolicyRetriever/oamadmin?description=true -u oamadmin:<password> -k
This command displays the password policies.
If this command works, access the protected URL listed below. After you enable single sign-on, you see a link for the forgotten password on the login page. Click this link and enter the user name for which you want to reset the password. Click Generate Pin to receive an email, which enables you to change the password.
http://iadadmin.example.com/console
Note:
Before validating, ensure that you enable SSO as described in Configuring Single Sign-On for an Enterprise Deployment. Else, validation fails.Parent topic: Enabling Forgotten Password
Restarting the Access Domain
Restart the Access domain in Kubernetes for the changes to take effect.
Parent topic: Configuring Oracle Access Manager Using WDT
Setting the Initial Server Count
When you first created the domain, you specified that only one Managed Server should be started. After you complete the configuration, you can increase the initial server count to the actual number you require.
kubectl patch cluster -n <OAMNS> <OAM_DOMAIN_NAME>-${CLUSTER_NAME} --type=merge -p '{"spec":{"replicas":<INITIAL_SERVER_COUNT>}}'kubectl patch cluster -n oamns accessedomain-oam-cluster --type=merge -p '{"spec":{"replicas":2}}'kubectl patch cluster -n oamns accessdomain-policy-cluster --type=merge -p '{"spec":{"replicas":2}}'Parent topic: Configuring Oracle Access Manager Using WDT
Centralized Monitoring Using Grafana and Prometheus
To use the centralized Prometheus and Grafana for monitoring your infrastructure, perform the following steps:
- Downloading and Compiling the Monitoring Application
- Deploying the Monitoring Application into the WebLogic Domain
- Configuring the Prometheus Operator
- Discovering the Prometheus Service
Parent topic: Configuring Oracle Access Manager Using WDT
Downloading and Compiling the Monitoring Application
Parent topic: Centralized Monitoring Using Grafana and Prometheus
Deploying the Monitoring Application into the WebLogic Domain
The earlier section created a number of WAR files containing the monitoring application. See Downloading and Compiling the Monitoring Application. These files need to be deployed inside the WebLogic domain. Oracle provides a script to deploy the files. Before you run the script, copy the files to the container containing the WebLogic Administration Server.
To deploy the application:
Parent topic: Centralized Monitoring Using Grafana and Prometheus
Configuring the Prometheus Operator
Prometheus enables you to collect metrics from the WebLogic Monitoring Exporter. The Prometheus Operator identifies the targets by using service discovery. To get the WebLogic Monitoring Exporter end point discovered as a target, you must create a service monitor that points to the service.
The exporting of metrics from wls-exporter requires
basicAuth. Therefore, a Kubernetes secret is created with the
user name and password that are base64 encoded. This secret is used
in the ServiceMonitor deployment. The
wls-exporter-ServiceMonitor.yaml file has
basicAuth with credentials as username:
<OAM_WEBLOGIC_USER> and password:
<OAM_WEBLOGIC_PWD> in
base64 encoded.
Parent topic: Centralized Monitoring Using Grafana and Prometheus
Discovering the Prometheus Service
ServiceMonitor,
wls-exporter is discovered by Prometheus and is able to collect the
metrics.
Parent topic: Centralized Monitoring Using Grafana and Prometheus
Centralized Log File Monitoring Using Elasticsearch and Kibana
- OAM persistent volume, so it can be loaded by the Logstash pod to hunt for log files.
- The location of the log files in the persistent volumes.
- The location of the centralized Elasticsearch.
To configure the Logstash pod, perform the following steps. The assumption
is that you have an Elasticsearch running inside the Kubernetes cluster, in a namespace
called elkns.
- Creating a Secret for Elasticsearch
- Creating a Configuration Map for ELK Certificate
- Creating a Configuration Map for Logstash
- Creating a Logstash Deployment
Parent topic: Configuring Oracle Access Manager Using WDT
Creating a Secret for Elasticsearch
Logstash requires credentials to connect to the elasticsearch deployment. These credentials are stored in Kubernetes as a secret.
kubectl create secret generic elasticsearch-pw-elastic -n <OAMNS> --from-literal password=<ELK_APIKEY>kubectl create secret generic elasticsearch-pw-elastic -n oamns --from-literal password=afshfashfkahf5fkubectl create secret generic elasticsearch-pw-elastic -n <OAMNS> --from-literal password=<ELK_PWD>kubectl create secret generic elasticsearch-pw-elastic -n oamns --from-literal password=mypasswordkubectl get secret elasticsearch-es-elastic-user -n <ELKNS> -o go-template='{{.data.elastic | base64decode}}'Creating a Configuration Map for ELK Certificate
If you have configured a production ready Elasticsearch deployment, you would have configured SSL. Logstash needs to trust the Elasticsearch certificate to be able to communicate with it. To enable this trust, you should create a configuration map with the contents of the Elasticsearch certificate.
You would have already saved the Elasticsearch self-signed certificate. See Copying the Elasticsearch Certificate. If you have a production certificate you can use that instead.
Create the configuration map using the certificate by running the following command:
kubectl create configmap elk-cert --from-file=<WORKDIR>/ELK/elk.crt -n <OAMNS>kubectl create configmap elk-cert --from-file=/workdir/ELK/elk.crt -n oamnsCreating a Configuration Map for Logstash
Logstash looks for log files in the OAM installations and sends them to the centralized Elasticsearch. The configuration map is used to instruct Logstash where the log files reside and where to send them.
Backing Up the Configuration
As a best practice, Oracle recommends you to back up the configuration after you have successfully extended a domain or at another logical point. Back up only after you have verified that the installation is successful so far. This is a quick backup to enable immediate restoration in case of problems in later steps.
In a Kubernetes environment, it is sufficient to back up the persistent volume and the database.
The backup destination is the local disk. You can discard this backup when the enterprise deployment setup is complete. After the enterprise deployment setup is complete, you can initiate the regular deployment-specific Backup and Recovery process.
For information about backing up your configuration, see Performing Backups and Recoveries for an Enterprise Deployment.
Parent topic: Configuring Oracle Access Manager Using WDT