Table of Contents
- Title and Copyright Information
- Preface
- Revision History
Part I About an Enterprise Deployment
- 1 About the Enterprise Deployment
- 2 About the Kubernetes Deployment
- 3 About a Typical Enterprise Deployment
- Diagram of a Typical Enterprise Deployment
- About the Typical Enterprise Deployment Topology Diagram
- About Firewalls and Zones of a Typical Enterprise Deployment
- About the Demilitarized Zone
- About the Elements of a Typical Enterprise Deployment Topology
- Receiving Requests Through Hardware Load Balancer
- About Web Tier
- About the Application Tier
- Configuration of the Administration Server and Managed Servers Domain Directories
- Using Oracle Web Services Manager in the Application Tier
- Best Practices and Variations on the Configuration of the Clusters and Hosts on the Application Tier
- About the Node Manager Configuration in a Typical Enterprise Deployment
- About Using Unicast for Communications within the Application Tier
- About OPSS and Requests to the Authentication and Authorization Stores
- About the Data Tier
- 4 About the IAM Enterprise Deployment
- About the Primary and Build-Your-Own Enterprise Deployment Topologies
- Using a Demilitarized Zone
- Topology Diagrams for the Deployment of Oracle Identity and Access Management
- Topology Diagrams for the Deployment of Oracle Identity and Access Management Components on Kubernetes
- About the Primary Oracle Identity and Access Management Topology Diagrams
- Product Separation
- About the Web Tier
- About Oracle Unified Directory Assured Replication
- About Oracle Identity Role Intelligence
- About Oracle Advanced Authentication, Oracle Adaptive Risk Management, and Oracle Universal Authenticator
- Summary of Oracle Identity and Access Management Load Balancer Virtual Server Names
- About Oracle Identity Management on Kubernetes
- Summary of the Managed Servers and Clusters on the Application Tier Hosts
- Storage Requirements for an Enterprise Deployment
- About Permissions
- Summary of Microservices and Clusters on the Application Tier
- About the Forgotten Password Functionality
- Integrating Oracle LDAP, Oracle Access Manager, and Oracle Identity Governance
- Roadmap for Implementing the Primary IAM Suite Topologies
- Building Your Own Oracle Identity and Access Management Topology
- 5 Disaster Recovery
- Kubernetes Cluster
- Oracle HTTP Server
- Ingress
- WebLogic Operator
- Oracle Unified Directory
- Oracle Access Manager
- Oracle Identity Governance
- Oracle Identity Role Intelligence
- Oracle Advanced Authentication, Oracle Adaptive Risk Management, and Oracle Universal Authenticator
- Prometheus, Grafana, Elasticsearch, and Kibana
- Roadmap for Setting Up Disaster Recovery
Part II Preparing for an Enterprise Deployment
- 6 Procuring Resources for an On-Premises Enterprise Deployment
- 7 Procuring Resources for an Oracle Cloud Infrastructure Deployment
- 8 Procuring Software for an Enterprise Deployment
- Identifying and Obtaining Software Distributions for an Enterprise Deployment
- About Container Image Names
- Obtaining Software from the Oracle Container Registry
- Downloading Images from a Container Registry
- Staging Container Images
- Logging in to GitHub
- Staging the WebLogic Operator for Kubernetes
- Staging the Code Repository
- Downloading the Oracle Connector Bundle for Oracle Identity Governance
- 9 Preparing for an On-Premises Enterprise Deployment
- Preparing the Load Balancer and Firewalls for an Enterprise Deployment
- Preparing a Kubernetes Cluster for the Enterprise Deployment
- Preparing Storage for an Enterprise Deployment
- Preparing the Kubernetes Host Computers for an Enterprise Deployment
- Preparing the File System for an Enterprise Deployment
- Preparing a Disaster Recovery Environment
- 10 Preparing the Oracle Cloud Infrastructure for an Enterprise Deployment
- About the OCI Deployment
- Creating an SSH Key Pair
- Creating an OCI Compartment
- Creating an OKE Cluster in OCI
- Creating a Bastion Node
- Creating Compute Instances for Oracle HTTP Servers
- Creating a Service Gateway
- Creating Security Lists
- Creating an OHS Security List
- Adding the OHS Security List to the Kubernetes Subnet
- Creating a Route Table
- Creating a Subnet for Web Nodes
- Creating the OHS Compute Instances
- Editing OHS Compute Instance Fault Domain
- Connecting to the OHS Nodes
- Configuring the OHS Nodes
- Creating File Systems and Mount Targets
- Creating Load Balancers
- Creating a Network Load Balancer
- Creating a Database
- Creating a Vault
- Creating a DNS Server
- Updating Kubernetes CoreDNS
- Validating Your Environment
- Preparing a Disaster Recovery Environment
- 11 Preparing an Existing Database for an Enterprise Deployment
- About Preparing the Database for an Enterprise Deployment
- About Database Requirements
- Adding Database Options
- Adding XA Views
- Applying the Database Patches
- Creating a PDB Using an Existing PDB as a Template
- Creating Database Services
- Preventing Password Timeouts for System Accounts
- Using SecureFiles for Large Objects (LOBs) in an Oracle Database
- About Database Backup Strategies
Part III Configuring the Enterprise Deployment
- 12 Installing the Monitoring and Visualization Software
- Installing the Logging and Visualization Software
- Kubernetes Services
- Variables Used in this Section
- Prerequisites
- Installing Elasticsearch (ELK) Stack and Kibana
- Setting Up a Product Specific Work Directory
- Creating a Kubernetes Namespace
- Creating a Kubernetes Secret for Docker Hub Images
- Installing the Elasticsearch Operator
- Creating an Elasticsearch Cluster
- Creating a Kibana Cluster
- Creating the Kubernetes Services
- Granting Access to Logstash
- Accessing the Kibana Console
- Creating a Kibana Index
- Installing the Monitoring Software
- 13 Installing and Configuring Ingress Controller
- Kubernetes Services
- Variables Used in this Chapter
- Creating a Kubernetes Namespace
- Creating a Registry Secret
- Adding the Ingress Image to the Helm Repository
- Installing an Ingress Controller to Support HTTPS/HTTP and LDAPS/LDAP
- 14 Installing and Configuring Oracle Unified Directory
- Configuring Oracle Unified Directory
- Setting Up a Product Specific Work Directory
- About Deploying Oracle Unified Directory
- Creating a Kubernetes Namespace
- Creating a Container Registry Secret
- Creating a Kubernetes Secret for Docker Hub Images
- Creating Configuration Files
- Creating OUD Containers
- Creating External Access to OUD
- Centralized Monitoring Using Grafana and Prometheus
- Centralized Log File Monitoring Using Elasticsearch and Kibana
- 15 Installing and Configuring Oracle Unified Directory Services Manager
- Configuring Oracle Unified Directory Services Manager
- Setting Up a Product Specific Work Directory
- Creating a Kubernetes Namespace
- Creating a Container Registry Secret
- Creating OUDSM Containers
- Creating External Access to OUDSM
- Configuring Oracle HTTP Server for Oracle Unified Directory Services Manager
- Centralized Log File Monitoring Using Elasticsearch and Kibana
- 16 Installing and Configuring WebLogic Kubernetes Operator
- 17 Installing and Configuring Oracle HTTP Server
- Variables Used When Configuring the Oracle HTTP Server
- About Storage
- About the Oracle HTTP Server Domains
- Installing a Supported JDK
- Installing Oracle HTTP Server on WEBHOST1
- Creating an Oracle HTTP Server Domain on WEBHOST1
- Installing and Configuring an Oracle HTTP Server Domain on WEBHOST2
- Starting the Node Manager and Oracle HTTP Server Instances on WEBHOST1 and WEBHOST2
- Creating a Health Check
- Backing Up the Configuration
- Configuring Oracle HTTP Server to Route Requests to the Application Tier
- About the Oracle HTTP Server Configuration for an Enterprise Deployment
- Modifying the httpd.conf File to Include Virtual Host Configuration Files
- Modifying the httpd.conf File to Set Server Runtime Parameters
- Creating an Oracle HTTP Server Wallet
- Obtaining the Port for the Kubernetes Node Port Service
- Routing Requests
- Creating the Virtual Host Configuration Files
- Configuring Oracle HTTP Server for Oracle Access Manager
- Configuring Oracle HTTP Server for Oracle Identity Governance
- Configuring Oracle HTTP Server for Oracle Identity Role Intelligence
- Configuring Oracle HTTP Server for Oracle Advanced Authentication, Oracle Adaptive Risk Management, and Oracle Universal Authenticator
- Restarting the OHS Instances
- Validating the Oracle HTTP Server Configuration
- Sample Virtual Host Files
- 18 Configuring Oracle Access Manager Using WDT
- About the Initial Infrastructure Domain
- Installing Oracle Access Manager (OAM) on the Kubernetes Infrastructure
- Creating a Namespace for Oracle Access Manager
- Creating a Container Registry Secret
- Creating a Kubernetes Secret for Docker Hub Images
- Creating the Database Schemas for Access Manager
- Creating the Oracle Access Manager Domain
- Updating the Domain
- Performing the Post-Configuration Tasks for Oracle Access Management Domain
- Restarting the Domain
- Validating the Administration Server
- Removing OAM Server from WebLogic Server 12c Default Coherence Cluster
- Tuning the WebLogic Server
- Enabling Virtualization
- Restarting the Domain
- Configuring and Integrating with LDAP
- Updating WebGate Agents
- Updating Host Identifiers
- Adding the Missing Policies to OAM
- Validating the Authentication Providers
- Configuring Oracle ADF and OPSS Security with Oracle Access Manager
- Enabling Forgotten Password
- Prerequisites for Enabling Forgotten Password
- Adding Permissions to the oamLDAP User
- Enabling Adaptive Authentication Service
- Configuring Adaptive Authentication Plug-in
- Enabling Password Management in the Directory
- Storing the User Messaging Credentials in CSF
- Setting Up the Forgot Password Link on the Login Page
- Adding the Oracle Access Manager Load Balancer Certificate to the Oracle Keystore Service
- Configuring a Custom Host Name Verifier
- Validating the Forgotten Password Functionality
- Restarting the Access Domain
- Setting the Initial Server Count
- Centralized Monitoring Using Grafana and Prometheus
- Centralized Log File Monitoring Using Elasticsearch and Kibana
- Backing Up the Configuration
- 19 Configuring Oracle Identity Governance Using WDT
- Synchronizing the System Clocks
- About the Initial Infrastructure Domain
- Prerequisites
- Creating a Namespace for Oracle Identity Governance
- Creating a Container Registry Secret
- Creating a Kubernetes Secret for Docker Hub Images
- Creating the Database Schemas for Oracle Identity Governance
- Creating the Oracle Identity Governance Domain
- Creating the Kubernetes Services
- Tuning JMS Queues
- Installing the Connector Bundle
- Performing the Post-Configuration Tasks for Oracle Identity Management Domain
- Validating Identity Governance
- Analyzing the Bootstrap Report
- Configuring the Web Tier for the Domain
- Integrating Oracle Identity Governance with Oracle SOA Suite
- Managing the Notification Service
- Configuring the Messaging Drivers
- Increasing Database Connection Pool Size
- Integrating Oracle Identity Governance with LDAP
- Integrating Oracle Identity Governance and Oracle Access Manager
- Creating WLS Authentication Providers
- Deleting OIMSignatureAuthenticator
- Recreating OUDAuthenticator
- Adding the Administration Role to the New Administration Group
- Configuring SSO Integration in the Governance Domain
- Enabling OAM Notifications
- Updating the Value of MatchLDAPAttribute in oam-config.xml
- Updating the TapEndpoint URL
- Running the Reconciliation Jobs
- Configuring OIM Workflow Notifications to be Sent by Email
- Adding the wsm-pm Role to the Administrators Group
- Adding the WebLogic Administration Group to SOA Administrators
- Adding the Oracle Access Manager Load Balancer Certificate to the Oracle Keystore Service
- Setting the Initial Server Count
- Setting Challenge Questions
- Integrating Oracle Identity Manager with Oracle Business Intelligence Publisher
- Creating a User to Run BI Reports
- Configuring Oracle Identity Manager to Use BI Publisher
- Assigning the BIServiceAdministrator Role to idm_report
- Storing the BI Credentials in Oracle Identity Governance
- Creating OIM and BPEL Data Sources in BIP
- Deploying Oracle Identity Governance Reports to BI
- Enable Certification Reports
- Validating the Reports
- Adding the Business Intelligence Load Balancer Certificate to Oracle Keystore Trust Service
- Restarting the IAMGovernanceDomain
- Enabling Design Console Access
- Centralized Monitoring Using Grafana and Prometheus
- Centralized Log File Monitoring Using Elasticsearch and Kibana
- Backing Up the Configuration
- Running the OIM Bulkload Utility from a Container
- 20 Installing and Configuring Oracle Identity Role Intelligence
- About Oracle Identity Role Intelligence
- Variables Used in this Chapter
- Characteristics of the OIRI Installation
- Kubernetes Services
- Before You Begin
- Setting Up a Product Specific Work Directory
- Creating User Names and Groups in Oracle Identity Governance
- Ensuring that OIG Compliance Mode is Enabled
- Creating Kubernetes Namespaces
- Creating Container Registry Secrets
- Creating a Kubernetes Secret for Docker Hub Images
- Starting the Administration CLI
- Granting the CLI Access to the Kubernetes Cluster
- Creating the Configuration Files
- Creating the OIRI Keystore
- Loading the OIG Certificates into OIRI
- Creating Wallets
- Creating the Database Schemas
- Verifying the Wallet
- Deploying OIRI Using Helm
- Verifying that OIRI is Running
- Creating the Kubernetes NodePort Services
- Updating the OHS Configuration
- Performing an Initial Data Load Using the Data Ingester
- 21 Installing and Configuring Oracle Advanced Authentication, Oracle Adaptive Risk Management, and Oracle Universal Authenticator
- About Oracle Advanced Authentication
- About Oracle Adaptive Risk Management (OARM)
- About Oracle Universal Authenticator (OUA)
- Variables Used in this Chapter
- Characteristics of the OAA Installation
- Kubernetes Services
- Before You Begin
- Creating Kubernetes Namespaces
- Creating a Container Registry Secret
- Creating a Kubernetes Secret for Docker Hub Images
- Creating a GitHub Secret
- Creating the Management Container
- Copying Production Certificates to the Management Container
- Starting the Management Container
- Obtaining the OAM Certificate
- Registering OAM TAP Partners
- Creating the OAA Property File
- Creating the OAA Override File
- Creating the Database Schemas
- Deploying Oracle Advanced Authentication
- Resolving Timeouts
- Configuring Email/SMS Servers and Automatic User Creation
- Validating OAA
- Configuring Oracle Universal Authenticator
- 22 Configuring Disaster Recovery
- Generic Disaster Recovery Processes
- Configuring Disaster Recovery for Oracle Unified Directory
- Configuring Disaster Recovery for Oracle Access Manager
- Configuring Disaster Recovery for Oracle Identity Governance
- Configuring Disaster Recovery for Oracle Identity Role Intelligence
- Configuring Disaster Recovery for Oracle Advanced Authentication
Part IV Common Configuration and Management Procedures for an Enterprise Deployment
- 23 Common Configuration and Management Tasks for an Enterprise Deployment
- Configuration and Management Tasks for All Enterprise Deployments
- Starting and Stopping Components
- Patching an Enterprise Deployment
- Performing Backup and Restore Operations
- Performing Maintenance on a Kubernetes Worker Node
- Adjusting the Server Pods Liveness Probe
- Considerations for Cross-Component Wiring
- 24 Using Whole Server Migration and Service Migration in an Enterprise Deployment
- About Whole Server Migration and Automatic Service Migration in an Enterprise Deployment
- Creating a GridLink Data Source for Leasing
- Configuring Whole Server Migration for an Enterprise Deployment
- Configuring Automatic Service Migration in an Enterprise Deployment
- Setting the Leasing Mechanism and Data Source for an Enterprise Deployment Cluster
- Configuring Automatic Service Migration for Static Clusters
- Changing the Migration Settings for the Managed Servers in the Cluster
- About Selecting a Service Migration Policy
- Setting the Service Migration Policy for Each Managed Server in the Cluster
- Validating Automatic Service Migration in Static Clusters
- Failing Back Services After Automatic Service Migration
- 25 Centralized Monitoring Using Grafana and Prometheus
- 26 Centralized Log File Monitoring Using Elasticsearch and Kibana
- 27 Scaling Procedures for an Enterprise Deployment
- 28 Configuring Single Sign-On for an Enterprise Deployment
- About Oracle WebGate
- General Prerequisites for Configuring Oracle HTTP Server WebGate
- Configuring Oracle HTTP Server 12c WebGate for an Enterprise Deployment
- Enabling OAM REST OAP Calls and Health Check
- Adding a Load Balancer Certificate to WebGate
- Copying WebGates Artifacts to Web Tier
- Restarting the Oracle HTTP Server Instance
- Setting Up the WebLogic Server Authentication Providers
- Configuring Oracle ADF and OPSS Security with Oracle Access Manager
- Backing Up the Configuration Files
- 29 Sanity Checks
- Sanity Checks for Oracle Access Management
- Verifying LDAP Authentication for OAM Agent Protected Application for Valid User
- Verifying LDAP Authentication Failure for OAM Agent Protected Application for Invalid Password
- Verifying LDAP Authentication Failure for OAM Agent Protected Application for Invalid Username
- Verifying Access of OAM Agent Protected Unavailable Resource
- Verifying Access of Resource that was Recently Deleted or Replaced from the Policy
- Sanity Checks for Oracle Identity Governance
- Creating Organization
- Creating a User Name
- Creating Role
- Managing Sandboxes
- Publishing a Sandbox
- Adding User Defined Field (UDF) for a User
- Creating a Disconnected Application and Provision
- Importing and Configuring DB User Management
- Creating an Access Policy and Provision
- Creating End User Request for Accounts, Entitlements, and Roles
- Resetting Account Password
- Creating a Certification and Approving
- Creating Identity Audit Scan Definitions and Viewing its Results
- Testing Identity Audit
- Sanity Checks for Oracle Advanced Authentication
- 30 Troubleshooting
- Troubleshooting Oracle Access Management Access Manager
- Access Manager Runs out of Memory
- Access Domain Creation Times Out
- User Reaches the Maximum Allowed Number of Sessions
- Policies Do Not Get Created When Oracle Access Management Access Manager is First Installed
- You Are Not Prompted for Credentials After Accessing a Protected Resource
- Cannot Log In to Access Management Console
- Oracle Coherence Cluster Startup Errors in oam_policy_mgr Server Logs
- Errors in Log File When Starting OAM Servers
- Too Many Redirects Error in Browser
- Troubleshooting Oracle Identity Governance
- OIM Bootstrap Process Fails
- java.io.FileNotFoundException When Running Oracle Identity Governance Configuration
- ResourceConnectionValidationException When Creating User in Oracle Identity Governance
- OIG Managed Servers Fail to Join Coherence Cluster
- Oracle Identity Manager Reconciliation Jobs Fail
- OIM Reconciliation Jobs Fail When Running Against Oracle Unified Directory
- Cannot Open Reports from OIM Self Service Console
- Pending Violations Not Displaying the Correct List
- Domain Patching Failure
- Troubleshooting Oracle SOA Suite
- Troubleshooting Coherence Clusters
- Troubleshooting OAM/OIG Integration
- Troubleshooting Oracle Advanced Authentication
- General Troubleshooting
- Troubleshooting Kubernetes Domains
- A Sample of the Schema Extension File and the Seeding File
- B Using an OCI Container Registry
- C Automating the Identity and Access Management Enterprise Deployment
- Obtaining the Scripts
- Scope of Scripts
- Key Concepts of the Scripts
- Directory Structure
- Getting Started
- Creating a Response File
- Validating Your Environment
- Provisioning the Environment
- Log Files
- Files You Need to Keep
- Archiving Files After Installation/Configuration
- Oracle HTTP Server Configuration Files
- Utilities
- Reference - Response File
- Products to Deploy
- Control Parameters
- Registry Parameters
- Image Parameters
- Generic Parameters
- Ingress Parameters
- Elasticsearch Parameters
- Prometheus Parameters
- OHS Parameters
- OUD Parameters
- OUDSM Parameters
- LDAP Parameters
- SSL Parameters
- WebLogic Operator for Kubernetes Parameters
- OAM Parameters
- OIG Parameters
- OIRI Parameters
- OAA Parameters
- Port Mappings
- Components of the Deployment Scripts
- D Cleaning Up After a Failed Installation
- E Automating the OCI Infrastructure Creation for the Identity and Access Management Kubernetes Cluster
- Obtaining the Scripts
- Scope of Scripts
- Key Concepts of the Scripts
- Prerequisites
- Creating a Response File
- Provisioning the Environment
- Log Files
- Output Files
- Reference - Response File
- Parameters that Must be Reviewed, Set, and Modified
- OCI Command-Line Interface Region
- Port Numbers
- Subnet Configuration
- DNS Zone Configuration
- VCN Configuration
- OKE Cluster Configuration
- Bastion Host Configuration
- OHS and Web Tier Configuration
- NFS and Persistent Volume Configuration
- SSL Configuration
- Load Balancer Configuration
- Load Balancer Log Group Configuration
- Public Load Balancer Configuration
- Internal Load Balancer Configuration
- Network Load Balancer Configuration
- OCI Tags Configuration
- Database Configuration
- Components of the Deployment Scripts
- F Automating the Disaster Recovery Setup